mirror of https://github.com/ivuorinen/actions.git synced 2026-01-26 11:34:00 +00:00

Files

Ismo Vuorinen 9aa16a8164 feat: use our own actions in our workflows (#377 )

* feat: use our own actions in our workflows

* fix: add missing inputs to validate-inputs, refactor node

* chore: cr comment fixes

* fix: update-validators formatting

* chore: update validators, add tests, conventions

* feat: validate severity with severity_enum

* feat: add 10 generic validators to improve input validation coverage

Add comprehensive validation system improvements across multiple phases:

Phase 2A - Quick Wins:
- Add multi_value_enum validator for 2-10 value enumerations
- Add exit_code_list validator for Unix/Linux exit codes (0-255)
- Refactor coverage_driver to use multi_value_enum

Phase 2B - High-Value Validators:
- Add key_value_list validator with shell injection prevention
- Add path_list validator with path traversal and glob support

Quick Wins - Additional Enums:
- Add network_mode validator for Docker network modes
- Add language_enum validator for language detection
- Add framework_mode validator for PHP framework modes
- Update boolean pattern to include 'push'

Phase 2C - Specialized Validators:
- Add json_format validator for JSON syntax validation
- Add cache_config validator for Docker BuildKit cache configs

Improvements:
- All validators include comprehensive security checks
- Pattern-based validation with clear error messages
- 23 new test methods with edge case coverage
- Update special case mappings for 20+ inputs
- Fix build-args mapping test expectation

Coverage impact: 22 actions now at 100% validation (88% → 92%)
Test suite: 762 → 785 tests (+23 tests, all passing)

* chore: regenerate rules.yml with improved validator coverage

Regenerate validation rules for all actions with new validators:

- compress-images: 86% → 100% (+1 input: ignore-paths)
- docker-build: 63% → 100% (+4 inputs: cache configs, platform-build-args)
- docker-publish: 73% → 100% (+1 input: build-args)
- language-version-detect: 67% → 100% (+1 input: language)
- php-tests: 89% (fixed framework→framework_mode mapping)
- prettier-lint: 86% → 100% (+2 inputs: file-pattern, plugins)
- security-scan: 86% (maintained coverage)

Overall: 23 of 25 actions now at 100% validation coverage (92%)

* fix: address PR #377 review comments

- Add | None type annotations to 6 optional parameters (PEP 604)
- Standardize injection pattern: remove @# from comma_separated_list validator
  (@ and # are not shell injection vectors, allows npm scoped packages)
- Remove dead code: unused value expression in key_value_list validator
- Update tests to reflect injection pattern changes

2025-11-25 23:51:03 +02:00

28 KiB

Raw Blame History

ivuorinen/actions - My Reusable GitHub Actions and Workflows

Overview

This repository contains a collection of reusable GitHub Actions designed to streamline CI/CD processes and ensure code quality.

Each action is fully self-contained and can be used independently in any GitHub repository.

Key Features

Production-Ready Actions covering setup, linting, building, testing, and deployment
Self-Contained Design - each action works independently without dependencies
External Usage Ready - use any action with pinned refs: ivuorinen/actions/action-name@2025-01-15 or @<commit-sha> for supply-chain security
Multi-Language Support including Node.js, PHP, Python, Go, C#, and more
Standardized Patterns with consistent error handling and input/output interfaces
Comprehensive Testing with dual testing framework (ShellSpec + pytest)
Modular Build System using Makefile for development and maintenance

📚 Action Catalog

This repository contains 26 reusable GitHub Actions for CI/CD automation.

Quick Reference (26 Actions)

Icon	Action	Category	Description	Key Features
🔀	`action-versioning`	Utilities	Automatically update SHA-pinned action references to match l...	Token auth, Outputs
📦	`ansible-lint-fix`	Linting	Lints and fixes Ansible playbooks, commits changes, and uplo...	Caching, Token auth, Outputs
✅	`biome-lint`	Linting	Run Biome linter in check or fix mode	Caching, Auto-detection, Token auth, Outputs
🛡️	`codeql-analysis`	Repository	Run CodeQL security analysis for a single language with conf...	Auto-detection, Token auth, Outputs
🖼️	`compress-images`	Repository	Compress images on demand (workflow_dispatch), and at 11pm e...	Token auth, Outputs
📝	`csharp-build`	Build	Builds and tests C# projects.	Caching, Auto-detection, Token auth, Outputs
📝	`csharp-lint-check`	Linting	Runs linters like StyleCop or dotnet-format for C# code styl...	Caching, Auto-detection, Token auth, Outputs
📦	`csharp-publish`	Publishing	Publishes a C# project to GitHub Packages.	Caching, Auto-detection, Token auth, Outputs
📦	`docker-build`	Build	Builds a Docker image for multiple architectures with enhanc...	Caching, Auto-detection, Token auth, Outputs
☁️	`docker-publish`	Publishing	Simple wrapper to publish Docker images to GitHub Packages a...	Token auth, Outputs
✅	`eslint-lint`	Linting	Run ESLint in check or fix mode with advanced configuration ...	Caching, Auto-detection, Token auth, Outputs
📦	`go-build`	Build	Builds the Go project.	Caching, Auto-detection, Token auth, Outputs
📝	`go-lint`	Linting	Run golangci-lint with advanced configuration, caching, and ...	Caching, Token auth, Outputs
📝	`language-version-detect`	Setup	DEPRECATED: This action is deprecated. Inline version detect...	Auto-detection, Token auth, Outputs
📦	`npm-publish`	Publishing	Publishes the package to the NPM registry with configurable ...	Caching, Auto-detection, Token auth, Outputs
✅	`php-tests`	Testing	Run PHPUnit tests with optional Laravel setup and Composer d...	Caching, Auto-detection, Token auth, Outputs
✅	`pr-lint`	Linting	Runs MegaLinter against pull requests	Caching, Auto-detection, Token auth, Outputs
📦	`pre-commit`	Linting	Runs pre-commit on the repository and pushes the fixes back ...	Auto-detection, Token auth, Outputs
✅	`prettier-lint`	Linting	Run Prettier in check or fix mode with advanced configuratio...	Caching, Auto-detection, Token auth, Outputs
📝	`python-lint-fix`	Linting	Lints and fixes Python files, commits changes, and uploads S...	Caching, Auto-detection, Token auth, Outputs
📦	`release-monthly`	Repository	Creates a release for the current month, incrementing patch ...	Token auth, Outputs
🛡️	`security-scan`	Security	Comprehensive security scanning for GitHub Actions including...	Caching, Token auth, Outputs
📦	`stale`	Repository	A GitHub Action to close stale issues and pull requests.	Token auth, Outputs
🏷️	`sync-labels`	Repository	Sync labels from a YAML file to a GitHub repository	Token auth, Outputs
🖥️	`terraform-lint-fix`	Linting	Lints and fixes Terraform files with advanced validation and...	Token auth, Outputs
🛡️	`validate-inputs`	Validation	Centralized Python-based input validation for GitHub Actions...	Token auth, Outputs

Actions by Category

🔧 Setup (1 action)

Action	Description	Languages	Features
📝 `language-version-detect`	DEPRECATED: This action is deprecated. Inline vers...	PHP, Python, Go, .NET, Node.js	Auto-detection, Token auth, Outputs

🛠️ Utilities (1 action)

Action	Description	Languages	Features
🔀 `action-versioning`	Automatically update SHA-pinned action references ...	GitHub Actions	Token auth, Outputs

📝 Linting (10 actions)

Action	Description	Languages	Features
📦 `ansible-lint-fix`	Lints and fixes Ansible playbooks, commits changes...	Ansible, YAML	Caching, Token auth, Outputs
✅ `biome-lint`	Run Biome linter in check or fix mode	JavaScript, TypeScript, JSON	Caching, Auto-detection, Token auth, Outputs
📝 `csharp-lint-check`	Runs linters like StyleCop or dotnet-format for C#...	C#, .NET	Caching, Auto-detection, Token auth, Outputs
✅ `eslint-lint`	Run ESLint in check or fix mode with advanced conf...	JavaScript, TypeScript	Caching, Auto-detection, Token auth, Outputs
📝 `go-lint`	Run golangci-lint with advanced configuration, cac...	Go	Caching, Token auth, Outputs
✅ `pr-lint`	Runs MegaLinter against pull requests	Conventional Commits	Caching, Auto-detection, Token auth, Outputs
📦 `pre-commit`	Runs pre-commit on the repository and pushes the f...	Python, Multiple Languages	Auto-detection, Token auth, Outputs
✅ `prettier-lint`	Run Prettier in check or fix mode with advanced co...	JavaScript, TypeScript, Markdown, YAML, JSON	Caching, Auto-detection, Token auth, Outputs
📝 `python-lint-fix`	Lints and fixes Python files, commits changes, and...	Python	Caching, Auto-detection, Token auth, Outputs
🖥️ `terraform-lint-fix`	Lints and fixes Terraform files with advanced vali...	Terraform, HCL	Token auth, Outputs

🧪 Testing (1 action)

Action	Description	Languages	Features
✅ `php-tests`	Run PHPUnit tests with optional Laravel setup and ...	PHP, Laravel	Caching, Auto-detection, Token auth, Outputs

🏗️ Build (3 actions)

Action	Description	Languages	Features
📝 `csharp-build`	Builds and tests C# projects.	C#, .NET	Caching, Auto-detection, Token auth, Outputs
📦 `docker-build`	Builds a Docker image for multiple architectures w...	Docker	Caching, Auto-detection, Token auth, Outputs
📦 `go-build`	Builds the Go project.	Go	Caching, Auto-detection, Token auth, Outputs

🚀 Publishing (3 actions)

Action	Description	Languages	Features
📦 `csharp-publish`	Publishes a C# project to GitHub Packages.	C#, .NET	Caching, Auto-detection, Token auth, Outputs
☁️ `docker-publish`	Simple wrapper to publish Docker images to GitHub ...	Docker	Token auth, Outputs
📦 `npm-publish`	Publishes the package to the NPM registry with con...	Node.js, npm	Caching, Auto-detection, Token auth, Outputs

📦 Repository (5 actions)

Action	Description	Languages	Features
🛡️ `codeql-analysis`	Run CodeQL security analysis for a single language...	JavaScript, TypeScript, Python, Java, C#, C++, Go, Ruby	Auto-detection, Token auth, Outputs
🖼️ `compress-images`	Compress images on demand (workflow_dispatch), and...	Images, PNG, JPEG	Token auth, Outputs
📦 `release-monthly`	Creates a release for the current month, increment...	GitHub Actions	Token auth, Outputs
📦 `stale`	A GitHub Action to close stale issues and pull req...	GitHub Actions	Token auth, Outputs
🏷️ `sync-labels`	Sync labels from a YAML file to a GitHub repositor...	YAML, GitHub	Token auth, Outputs

🛡️ Security (1 action)

Action	Description	Languages	Features
🛡️ `security-scan`	Comprehensive security scanning for GitHub Actions...	-	Caching, Token auth, Outputs

✅ Validation (1 action)

Action	Description	Languages	Features
🛡️ `validate-inputs`	Centralized Python-based input validation for GitH...	YAML, GitHub Actions	Token auth, Outputs

Feature Matrix

Action	Caching	Auto-detection	Token auth	Outputs
`action-versioning`	-	-	✅	✅
`ansible-lint-fix`	✅	-	✅	✅
`biome-lint`	✅	✅	✅	✅
`codeql-analysis`	-	✅	✅	✅
`compress-images`	-	-	✅	✅
`csharp-build`	✅	✅	✅	✅
`csharp-lint-check`	✅	✅	✅	✅
`csharp-publish`	✅	✅	✅	✅
`docker-build`	✅	✅	✅	✅
`docker-publish`	-	-	✅	✅
`eslint-lint`	✅	✅	✅	✅
`go-build`	✅	✅	✅	✅
`go-lint`	✅	-	✅	✅
`language-version-detect`	-	✅	✅	✅
`npm-publish`	✅	✅	✅	✅
`php-tests`	✅	✅	✅	✅
`pr-lint`	✅	✅	✅	✅
`pre-commit`	-	✅	✅	✅
`prettier-lint`	✅	✅	✅	✅
`python-lint-fix`	✅	✅	✅	✅
`release-monthly`	-	-	✅	✅
`security-scan`	✅	-	✅	✅
`stale`	-	-	✅	✅
`sync-labels`	-	-	✅	✅
`terraform-lint-fix`	-	-	✅	✅
`validate-inputs`	-	-	✅	✅

Language Support

Language	Actions
.NET	`csharp-build`, `csharp-lint-check`, `csharp-publish`, `language-version-detect`
Ansible	`ansible-lint-fix`
C#	`codeql-analysis`, `csharp-build`, `csharp-lint-check`, `csharp-publish`
C++	`codeql-analysis`
Conventional Commits	`pr-lint`
Docker	`docker-build`, `docker-publish`
GitHub	`sync-labels`
GitHub Actions	`action-versioning`, `release-monthly`, `stale`, `validate-inputs`
Go	`codeql-analysis`, `go-build`, `go-lint`, `language-version-detect`
HCL	`terraform-lint-fix`
Images	`compress-images`
JPEG	`compress-images`
JSON	`biome-lint`, `prettier-lint`
Java	`codeql-analysis`
JavaScript	`biome-lint`, `codeql-analysis`, `eslint-lint`, `prettier-lint`
Laravel	`php-tests`
Markdown	`prettier-lint`
Multiple Languages	`pre-commit`
Node.js	`language-version-detect`, `npm-publish`
PHP	`language-version-detect`, `php-tests`
PNG	`compress-images`
Python	`codeql-analysis`, `language-version-detect`, `pre-commit`, `python-lint-fix`
Ruby	`codeql-analysis`
Terraform	`terraform-lint-fix`
TypeScript	`biome-lint`, `codeql-analysis`, `eslint-lint`, `prettier-lint`
YAML	`ansible-lint-fix`, `prettier-lint`, `sync-labels`, `validate-inputs`
npm	`npm-publish`

Action Usage

All actions can be used independently in your workflows:

# Recommended: Use pinned refs for supply-chain security
- uses: ivuorinen/actions/action-name@vYYYY-MM-DD # Date-based tag (example)
  with:
    # action-specific inputs

# Alternative: Use commit SHA for immutability
- uses: ivuorinen/actions/action-name@abc123def456 # Full commit SHA
  with:
    # action-specific inputs

Security Note: Always pin to specific tags or commit SHAs instead of @main to ensure reproducible workflows and supply-chain integrity.

Usage

Using Actions Externally

All actions in this repository can be used in your workflows like any other GitHub Action.

⚠️ Security Best Practice: Always pin actions to specific tags or commit SHAs instead of @main to ensure:

Reproducibility: Workflows behave consistently over time
Supply-chain integrity: Protection against unexpected changes or compromises
Immutability: Reference exact versions that cannot be modified

steps:
  - name: Setup Node.js with Auto-Detection
    uses: ivuorinen/actions/node-setup@2025-01-15 # Date-based tag
    with:
      default-version: '20'

  - name: Detect PHP Version
    uses: ivuorinen/actions/php-version-detect@abc123def456 # Commit SHA
    with:
      default-version: '8.2'

  - name: Universal Version Parser
    uses: ivuorinen/actions/version-file-parser@2025-01-15
    with:
      language: 'python'
      tool-versions-key: 'python'
      dockerfile-image: 'python'
      version-file: '.python-version'
      default-version: '3.12'

Actions achieve modularity through composition:

steps:
  - name: Parse Version
    id: parse-version
    uses: ivuorinen/actions/version-file-parser@2025-01-15
    with:
      language: 'node'
      tool-versions-key: 'nodejs'
      dockerfile-image: 'node'
      version-file: '.nvmrc'
      default-version: '20'

  - name: Setup Node.js
    uses: actions/setup-node@sha
    with:
      node-version: ${{ steps.parse-version.outputs.detected-version }}

Development

This repository uses a Makefile-based build system for development tasks:

# Full workflow - docs, format, and lint
make all

# Individual operations
make docs          # Generate documentation for all actions
make format        # Format all files (markdown, YAML, JSON)
make lint          # Run all linters
make check         # Quick syntax and tool checks

# Development workflow
make dev           # Format then lint (good for development)
make ci            # CI workflow - check, docs, lint

Python Development

For Python development (validation system), use these specialized commands:

# Python development workflow
make dev-python         # Format, lint, and test Python code
make test-python        # Run Python unit tests
make test-python-coverage  # Run tests with coverage reporting

# Individual Python operations
make format-python      # Format Python files with ruff
make lint-python        # Lint Python files with ruff

The Python validation system (validate-inputs/) includes:

CalVer and SemVer Support: Flexible version validation for different schemes
Comprehensive Test Suite: Extensive test cases covering all validation types
Security Features: Command injection and path traversal protection
Performance: Efficient Python regex engine vs multiple bash processes

Testing

# Run all tests (Python + GitHub Actions)
make test

# Run specific test types
make test-python           # Python validation tests only
make test-actions          # GitHub Actions tests only
make test-action ACTION=node-setup  # Test specific action

# Coverage reporting
make test-coverage         # All tests with coverage
make test-python-coverage  # Python tests with coverage

For detailed development guidelines, see CLAUDE.md.

License

This project is licensed under the MIT License. See the LICENSE file for details.

28 KiB Raw Blame History