actions/.claude/agents/action-validator.md
Ismo Vuorinen f995f89a21 chore(claude): add hooks, skills, and agents for Claude Code (#496)
* chore(claude): add hooks, skills, and agents for Claude Code

Add auto-formatting hooks (ruff, shfmt, prettier, actionlint),
rules.yml edit blocker, 5 skills (/release, /test-action,
/new-action, /validate, /check-pins), and 2 subagents
(action-validator, test-coverage-reviewer). Update CLAUDE.md
with hook documentation.

* fix(claude): add tool availability guards and fix skill docs

Add jq availability checks to hook scripts (block-rules-yml.sh,
post-edit-write.sh) and wrap actionlint call in command -v guard,
consistent with project rules #2 and #10. Fix validate skill to
reflect actual make all pipeline order and note that make test
runs separately.

* fix(claude): correct skill docs per PR review feedback

Fix validate skill description to say "precommit" instead of "test",
and fix check-pins SHA guidance to use origin/main instead of HEAD.

* feat(tools): add SHA-pinning enforcement to check-version-refs

The check-version-refs script previously only displayed existing
SHA-pinned refs but silently skipped non-SHA references. Add a
validation pass that detects and reports any ivuorinen/actions/*
references not using a 40-char hex SHA, exiting 1 on violations.

* fix(tools): fix temp file leak in check-version-refs.sh

Write find output directly to $violations_file instead of
$violations_file.all so the EXIT trap covers cleanup on all
exit paths, not just the happy path.
2026-03-08 04:22:02 +02:00

You review action.yml files against the repository's critical prevention rules.

Check each action.yml file for these violations:

  1. All external action refs are SHA-pinned (not @main/@v1)
  2. All internal action refs use ivuorinen/actions/name@SHA format
  3. Shell scripts use set -eu (POSIX, not bash)
  4. Steps with referenced outputs have id: fields
  5. Tool availability checked before use (command -v)
  6. Variables properly quoted ("$var")
  7. $GITHUB_OUTPUT uses printf, not echo
  8. No nested ${{ }} in quoted YAML strings
  9. Token inputs use ${{ github.token }} default
  10. Fallbacks provided for tools not on all runners

Run actionlint on each file. Report violations with file path, line, and fix suggestion.

To find all action.yml files:

```sh
find . -name "action.yml" -not -path "./.git/*"
```

For each file, read it and check against all 10 rules. Then run:

```sh
actionlint <file>
```

Output a summary table of violations found, grouped by action.
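An added Python checker, not part of the agent file or the ivuorinen/actions repository, that applies rules 1, 2, 4 and 7 from the list above to a constructed action.yml (the 40-hex SHA in the sample is a placeholder); it produces the per-line, per-rule findings the summary table is meant to collect.

```python
import re

# Constructed sample action.yml with deliberate violations; the 40-hex SHA is a placeholder.
SAMPLE_ACTION_YML = """\
name: demo
runs:
  using: composite
  steps:
    - uses: actions/checkout@v4
    - uses: ivuorinen/actions/setup-node@main
    - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
    - name: Compute version
      run: |
        set -eu
        echo "version=1.2.3" >> "$GITHUB_OUTPUT"
    - name: Print
      shell: sh
      run: printf 'v=%s\\n' "${{ steps.version.outputs.version }}"
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
ID_RE = re.compile(r"^\s*-?\s*id:\s*([\w-]+)")
STEP_REF_RE = re.compile(r"steps\.([\w-]+)\.outputs\.")
ECHO_OUT_RE = re.compile(r"\becho\b.*GITHUB_OUTPUT")


def check_action(text: str) -> list[tuple[int, str]]:
    """Return sorted (line, message) violations for rules 1, 2, 4 and 7."""
    violations, ids, refs = [], set(), {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if m := USES_RE.match(line):  # rules 1 and 2: every ref must be a 40-char SHA
            target = m.group(1)
            repo, _, ref = target.partition("@")
            if not SHA_RE.match(ref):
                rule = "2" if repo.startswith("ivuorinen/actions/") else "1"
                violations.append((lineno, f"rule {rule}: {target} is not SHA-pinned"))
        if m := ID_RE.match(line):  # rule 4: collect declared step ids
            ids.add(m.group(1))
        for sid in STEP_REF_RE.findall(line):  # rule 4: remember first reference
            refs.setdefault(sid, lineno)
        if ECHO_OUT_RE.search(line):  # rule 7: $GITHUB_OUTPUT must use printf
            violations.append((lineno, "rule 7: use printf, not echo, for $GITHUB_OUTPUT"))
    for sid, lineno in refs.items():
        if sid not in ids:
            violations.append((lineno, f"rule 4: steps.{sid} referenced but no step has id: {sid}"))
    return sorted(violations)
```

Calling check_action(SAMPLE_ACTION_YML) reports lines 5, 6, 11 and 14 of the sample; the set -eu, command -v and quoting rules need a shell-aware pass and are left out here.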