Set `permissions: {}` at the top level of all workflow files to deny all
permissions by default, then grant only the minimum required permissions at
the job level. This fixes the Docker push failure caused by missing
`packages: write` permission being scoped incorrectly.
Changes per workflow:
- build-testing-image.yml: add contents: read + packages: write to job
- action-security.yml: consolidate contents: read, actions: read, pull-requests: read into the analyze job
- codeql-new.yml: add actions: read to the analyze job
- dependency-review.yml: add contents: read to the dependency-review job
- issue-stats.yml: top-level only (no checkout, existing job perms sufficient)
- new-release.yml: was read-all; job already has contents: write
- pr-lint.yml: was contents: read + packages: read; job already has full perms
- release.yml: job already has contents: write
- security-suite.yml: move all perms to job level
- stale.yml: top-level only (no checkout, existing job perms sufficient)
- sync-labels.yml: was read-all; add contents: read to job for checkout
- version-maintenance.yml: move all perms to job level
Co-authored-by: ivuorinen <11024+ivuorinen@users.noreply.github.com>
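The least-privilege pattern the commit message describes, as an added example (not code from ivuorinen/actions): a small audit that checks a parsed workflow for a top-level `permissions: {}` and compares each job's effective `GITHUB_TOKEN` scopes against what the job needs. The two sample workflows are constructed for this example and embedded as already-parsed dicts; in a real run `yaml.safe_load` from PyYAML (assumed available) produces the same structure from a workflow file. The `<pinned-sha>` values are placeholders.

```python
"""Least-privilege audit for GitHub Actions workflow permissions.

Added example, not code from ivuorinen/actions. Checks the pattern from the
commit message: `permissions: {}` at the top level, explicit grants per job.
"""
from __future__ import annotations

# Ordering used to compare what a job has against what it needs.
RANK = {"none": 0, "read": 1, "write": 2}


def scope_level(perms, scope: str) -> str:
    """Level ('none', 'read' or 'write') that a `permissions` value grants for one scope."""
    if perms == "read-all":
        return "read"
    if perms == "write-all":
        return "write"
    if isinstance(perms, dict):
        return perms.get(scope, "none")
    return "none"  # `{}`: nothing granted


def audit_workflow(workflow: dict, required: dict[str, dict[str, str]]) -> list[str]:
    """Return findings for a parsed workflow; an empty list means it follows the pattern.

    `required` maps job name -> {scope: level} that the job genuinely needs,
    e.g. {"build": {"contents": "read", "packages": "write"}} for a job that
    checks out the repository and pushes an image to GitHub Packages.
    """
    findings: list[str] = []
    top = workflow.get("permissions")
    if top is None:
        findings.append("top-level: no `permissions` key, so GITHUB_TOKEN gets the repository default; add `permissions: {}`")
    elif top in ("read-all", "write-all"):
        findings.append(f"top-level: `permissions: {top}` grants every scope to every job; replace with `permissions: {{}}`")
    elif top != {}:
        findings.append("top-level: scopes granted here apply to every job; move them to the jobs that need them")

    for name, job in workflow.get("jobs", {}).items():
        job_perms = job.get("permissions")
        # A job without its own `permissions` inherits the top-level value.
        effective = job_perms if job_perms is not None else top
        if effective is None:
            findings.append(f"job {name}: no `permissions` at either level; scopes depend on the repository default")
            continue
        if job_perms in ("read-all", "write-all"):
            findings.append(f"job {name}: `permissions: {job_perms}` is broader than any single job needs")
        needs = required.get(name, {})
        for scope, level in needs.items():
            have = scope_level(effective, scope)
            if RANK[have] < RANK[level]:
                findings.append(f"job {name}: needs `{scope}: {level}` but the token has `{have}`")
        if isinstance(effective, dict):
            for scope, level in effective.items():
                if level == "write" and needs.get(scope) != "write":
                    findings.append(f"job {name}: `{scope}: write` is granted but not required")
    return findings


# Constructed samples (not the repository's real files). Both describe a job that
# checks out the repository and pushes a Docker image; <pinned-sha> is a placeholder.
STEPS = [
    {"uses": "actions/checkout@<pinned-sha>"},
    {"uses": "docker/build-push-action@<pinned-sha>", "with": {"push": True}},
]
REQUIRED = {"build": {"contents": "read", "packages": "write"}}

# Weak form: a broad top-level grant, nothing declared on the job. read-all
# never includes packages: write, so the push step fails.
BEFORE = {
    "permissions": "read-all",
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": STEPS}},
}

# Hardened form: deny all by default, grant exactly what the job needs.
AFTER = {
    "permissions": {},
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "permissions": {"contents": "read", "packages": "write"},
            "steps": STEPS,
        }
    },
}

if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_workflow(wf, REQUIRED) or "OK")
```

Run against the two samples, the weak form produces two findings (the broad top-level grant, and `packages` being only `read` where the push needs `write`), while the hardened form produces none. The `required` map is the part worth maintaining per workflow: it records why each scope exists, which is what a reviewer checks when a job later asks for more.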
ivuorinen/actions - My Reusable GitHub Actions and Workflows
Overview
This repository contains a collection of reusable GitHub Actions designed to streamline CI/CD processes and ensure code quality.
Each action is fully self-contained and can be used independently in any GitHub repository.
Key Features
- Production-Ready Actions covering setup, linting, building, testing, and deployment
- Self-Contained Design - each action works independently without dependencies
- External Usage Ready - use any action with pinned refs: `ivuorinen/actions/action-name@2025-01-15` or `@<commit-sha>` for supply-chain security
- Multi-Language Support including Node.js, PHP, Python, Go, C#, and more
- Standardized Patterns with consistent error handling and input/output interfaces
- Comprehensive Testing with dual testing framework (ShellSpec + pytest)
- Modular Build System using Makefile for development and maintenance
📚 Action Catalog
This repository contains 26 reusable GitHub Actions for CI/CD automation.
Quick Reference (26 Actions)
| Icon | Action | Category | Description | Key Features |
|---|---|---|---|---|
| 🔀 | action-versioning | Utilities | Automatically update SHA-pinned action references to match l... | Token auth, Outputs |
| 📦 | ansible-lint-fix | Linting | Lints and fixes Ansible playbooks, commits changes, and uplo... | Caching, Token auth, Outputs |
| ✅ | biome-lint | Linting | Run Biome linter in check or fix mode | Caching, Auto-detection, Token auth, Outputs |
| 🛡️ | codeql-analysis | Repository | Run CodeQL security analysis for a single language with conf... | Auto-detection, Token auth, Outputs |
| 🖼️ | compress-images | Repository | Compress images on demand (workflow_dispatch), and at 11pm e... | Token auth, Outputs |
| 📝 | csharp-build | Build | Builds and tests C# projects. | Caching, Auto-detection, Token auth, Outputs |
| 📝 | csharp-lint-check | Linting | Runs linters like StyleCop or dotnet-format for C# code styl... | Caching, Auto-detection, Token auth, Outputs |
| 📦 | csharp-publish | Publishing | Publishes a C# project to GitHub Packages. | Caching, Auto-detection, Token auth, Outputs |
| 📦 | docker-build | Build | Builds a Docker image for multiple architectures with enhanc... | Caching, Auto-detection, Token auth, Outputs |
| ☁️ | docker-publish | Publishing | Simple wrapper to publish Docker images to GitHub Packages a... | Token auth, Outputs |
| ✅ | eslint-lint | Linting | Run ESLint in check or fix mode with advanced configuration ... | Caching, Auto-detection, Token auth, Outputs |
| 📦 | go-build | Build | Builds the Go project. | Caching, Auto-detection, Token auth, Outputs |
| 📝 | go-lint | Linting | Run golangci-lint with advanced configuration, caching, and ... | Caching, Token auth, Outputs |
| 📝 | language-version-detect | Setup | DEPRECATED: This action is deprecated. Inline version detect... | Auto-detection, Token auth, Outputs |
| 📦 | npm-publish | Publishing | Publishes the package to the NPM registry with configurable ... | Caching, Auto-detection, Token auth, Outputs |
| ✅ | php-tests | Testing | Run PHPUnit tests with optional Laravel setup and Composer d... | Caching, Auto-detection, Token auth, Outputs |
| ✅ | pr-lint | Linting | Runs MegaLinter against pull requests | Caching, Auto-detection, Token auth, Outputs |
| 📦 | pre-commit | Linting | Runs pre-commit on the repository and pushes the fixes back ... | Auto-detection, Token auth, Outputs |
| ✅ | prettier-lint | Linting | Run Prettier in check or fix mode with advanced configuratio... | Caching, Auto-detection, Token auth, Outputs |
| 📝 | python-lint-fix | Linting | Lints and fixes Python files, commits changes, and uploads S... | Caching, Auto-detection, Token auth, Outputs |
| 📦 | release-monthly | Repository | Creates a release for the current month, incrementing patch ... | Token auth, Outputs |
| 🛡️ | security-scan | Security | Comprehensive security scanning for GitHub Actions including... | Caching, Token auth, Outputs |
| 📦 | stale | Repository | A GitHub Action to close stale issues and pull requests. | Token auth, Outputs |
| 🏷️ | sync-labels | Repository | Sync labels from a YAML file to a GitHub repository | Token auth, Outputs |
| 🖥️ | terraform-lint-fix | Linting | Lints and fixes Terraform files with advanced validation and... | Token auth, Outputs |
| 🛡️ | validate-inputs | Validation | Centralized Python-based input validation for GitHub Actions... | Token auth, Outputs |
Actions by Category
🔧 Setup (1 action)
| Action | Description | Languages | Features |
|---|---|---|---|
| 📝 language-version-detect | DEPRECATED: This action is deprecated. Inline vers... | PHP, Python, Go, .NET, Node.js | Auto-detection, Token auth, Outputs |
🛠️ Utilities (1 action)
| Action | Description | Languages | Features |
|---|---|---|---|
| 🔀 action-versioning | Automatically update SHA-pinned action references ... | GitHub Actions | Token auth, Outputs |
📝 Linting (10 actions)
| Action | Description | Languages | Features |
|---|---|---|---|
| 📦 ansible-lint-fix | Lints and fixes Ansible playbooks, commits changes... | Ansible, YAML | Caching, Token auth, Outputs |
| ✅ biome-lint | Run Biome linter in check or fix mode | JavaScript, TypeScript, JSON | Caching, Auto-detection, Token auth, Outputs |
| 📝 csharp-lint-check | Runs linters like StyleCop or dotnet-format for C#... | C#, .NET | Caching, Auto-detection, Token auth, Outputs |
| ✅ eslint-lint | Run ESLint in check or fix mode with advanced conf... | JavaScript, TypeScript | Caching, Auto-detection, Token auth, Outputs |
| 📝 go-lint | Run golangci-lint with advanced configuration, cac... | Go | Caching, Token auth, Outputs |
| ✅ pr-lint | Runs MegaLinter against pull requests | Conventional Commits | Caching, Auto-detection, Token auth, Outputs |
| 📦 pre-commit | Runs pre-commit on the repository and pushes the f... | Python, Multiple Languages | Auto-detection, Token auth, Outputs |
| ✅ prettier-lint | Run Prettier in check or fix mode with advanced co... | JavaScript, TypeScript, Markdown, YAML, JSON | Caching, Auto-detection, Token auth, Outputs |
| 📝 python-lint-fix | Lints and fixes Python files, commits changes, and... | Python | Caching, Auto-detection, Token auth, Outputs |
| 🖥️ terraform-lint-fix | Lints and fixes Terraform files with advanced vali... | Terraform, HCL | Token auth, Outputs |
🧪 Testing (1 action)
| Action | Description | Languages | Features |
|---|---|---|---|
| ✅ php-tests | Run PHPUnit tests with optional Laravel setup and ... | PHP, Laravel | Caching, Auto-detection, Token auth, Outputs |
🏗️ Build (3 actions)
| Action | Description | Languages | Features |
|---|---|---|---|
| 📝 csharp-build | Builds and tests C# projects. | C#, .NET | Caching, Auto-detection, Token auth, Outputs |
| 📦 docker-build | Builds a Docker image for multiple architectures w... | Docker | Caching, Auto-detection, Token auth, Outputs |
| 📦 go-build | Builds the Go project. | Go | Caching, Auto-detection, Token auth, Outputs |
🚀 Publishing (3 actions)
| Action | Description | Languages | Features |
|---|---|---|---|
| 📦 csharp-publish | Publishes a C# project to GitHub Packages. | C#, .NET | Caching, Auto-detection, Token auth, Outputs |
| ☁️ docker-publish | Simple wrapper to publish Docker images to GitHub ... | Docker | Token auth, Outputs |
| 📦 npm-publish | Publishes the package to the NPM registry with con... | Node.js, npm | Caching, Auto-detection, Token auth, Outputs |
📦 Repository (5 actions)
| Action | Description | Languages | Features |
|---|---|---|---|
| 🛡️ codeql-analysis | Run CodeQL security analysis for a single language... | JavaScript, TypeScript, Python, Java, C#, C++, Go, Ruby | Auto-detection, Token auth, Outputs |
| 🖼️ compress-images | Compress images on demand (workflow_dispatch), and... | Images, PNG, JPEG | Token auth, Outputs |
| 📦 release-monthly | Creates a release for the current month, increment... | GitHub Actions | Token auth, Outputs |
| 📦 stale | A GitHub Action to close stale issues and pull req... | GitHub Actions | Token auth, Outputs |
| 🏷️ sync-labels | Sync labels from a YAML file to a GitHub repositor... | YAML, GitHub | Token auth, Outputs |
🛡️ Security (1 action)
| Action | Description | Languages | Features |
|---|---|---|---|
| 🛡️ security-scan | Comprehensive security scanning for GitHub Actions... | - | Caching, Token auth, Outputs |
✅ Validation (1 action)
| Action | Description | Languages | Features |
|---|---|---|---|
| 🛡️ validate-inputs | Centralized Python-based input validation for GitH... | YAML, GitHub Actions | Token auth, Outputs |
Feature Matrix
| Action | Caching | Auto-detection | Token auth | Outputs |
|---|---|---|---|---|
| action-versioning | - | - | ✅ | ✅ |
| ansible-lint-fix | ✅ | - | ✅ | ✅ |
| biome-lint | ✅ | ✅ | ✅ | ✅ |
| codeql-analysis | - | ✅ | ✅ | ✅ |
| compress-images | - | - | ✅ | ✅ |
| csharp-build | ✅ | ✅ | ✅ | ✅ |
| csharp-lint-check | ✅ | ✅ | ✅ | ✅ |
| csharp-publish | ✅ | ✅ | ✅ | ✅ |
| docker-build | ✅ | ✅ | ✅ | ✅ |
| docker-publish | - | - | ✅ | ✅ |
| eslint-lint | ✅ | ✅ | ✅ | ✅ |
| go-build | ✅ | ✅ | ✅ | ✅ |
| go-lint | ✅ | - | ✅ | ✅ |
| language-version-detect | - | ✅ | ✅ | ✅ |
| npm-publish | ✅ | ✅ | ✅ | ✅ |
| php-tests | ✅ | ✅ | ✅ | ✅ |
| pr-lint | ✅ | ✅ | ✅ | ✅ |
| pre-commit | - | ✅ | ✅ | ✅ |
| prettier-lint | ✅ | ✅ | ✅ | ✅ |
| python-lint-fix | ✅ | ✅ | ✅ | ✅ |
| release-monthly | - | - | ✅ | ✅ |
| security-scan | ✅ | - | ✅ | ✅ |
| stale | - | - | ✅ | ✅ |
| sync-labels | - | - | ✅ | ✅ |
| terraform-lint-fix | - | - | ✅ | ✅ |
| validate-inputs | - | - | ✅ | ✅ |
Language Support
Action Usage
All actions can be used independently in your workflows:
```yaml
# Recommended: Use pinned refs for supply-chain security
- uses: ivuorinen/actions/action-name@vYYYY-MM-DD # Date-based tag (example)
  with:
    # action-specific inputs

# Alternative: Use commit SHA for immutability
- uses: ivuorinen/actions/action-name@abc123def456 # Full commit SHA
  with:
    # action-specific inputs
```
Security Note: Always pin to specific tags or commit SHAs instead of `@main` to ensure reproducible workflows and supply-chain integrity.
Usage
Using Actions Externally
All actions in this repository can be used in your workflows like any other GitHub Action.
⚠️ Security Best Practice: Always pin actions to specific tags or commit SHAs instead of @main to ensure:
- Reproducibility: Workflows behave consistently over time
- Supply-chain integrity: Protection against unexpected changes or compromises
- Immutability: Reference exact versions that cannot be modified
```yaml
steps:
  - name: Setup Node.js with Auto-Detection
    uses: ivuorinen/actions/node-setup@2025-01-15 # Date-based tag
    with:
      default-version: '20'

  - name: Detect PHP Version
    uses: ivuorinen/actions/php-version-detect@abc123def456 # Commit SHA
    with:
      default-version: '8.2'

  - name: Universal Version Parser
    uses: ivuorinen/actions/version-file-parser@2025-01-15
    with:
      language: 'python'
      tool-versions-key: 'python'
      dockerfile-image: 'python'
      version-file: '.python-version'
      default-version: '3.12'
```
Actions achieve modularity through composition:
```yaml
steps:
  - name: Parse Version
    id: parse-version
    uses: ivuorinen/actions/version-file-parser@2025-01-15
    with:
      language: 'node'
      tool-versions-key: 'nodejs'
      dockerfile-image: 'node'
      version-file: '.nvmrc'
      default-version: '20'

  - name: Setup Node.js
    uses: actions/setup-node@sha
    with:
      node-version: ${{ steps.parse-version.outputs.detected-version }}
```
Development
This repository uses a Makefile-based build system for development tasks:
```bash
# Full workflow - docs, format, and lint
make all

# Individual operations
make docs    # Generate documentation for all actions
make format  # Format all files (markdown, YAML, JSON)
make lint    # Run all linters
make check   # Quick syntax and tool checks

# Development workflow
make dev     # Format then lint (good for development)
make ci      # CI workflow - check, docs, lint
```
Python Development
For Python development (validation system), use these specialized commands:
```bash
# Python development workflow
make dev-python            # Format, lint, and test Python code
make test-python           # Run Python unit tests
make test-python-coverage  # Run tests with coverage reporting

# Individual Python operations
make format-python         # Format Python files with ruff
make lint-python           # Lint Python files with ruff
```
The Python validation system (validate-inputs/) includes:
- CalVer and SemVer Support: Flexible version validation for different schemes
- Comprehensive Test Suite: Extensive test cases covering all validation types
- Security Features: Command injection and path traversal protection
- Performance: Efficient Python regex engine vs multiple bash processes
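As an added example (not the project's own validate-inputs code), a small validator in the spirit of the features listed above: SemVer and CalVer version checks, rejection of absolute and traversing paths, and rejection of shell metacharacters before a value can reach a command line. The CalVer forms it accepts (YYYY.MM.PATCH or YYYY-MM-DD), the type names in the schema and the sample inputs are assumptions made for this example.

```python
"""Input validation for action inputs: version schemes, path traversal, shell metacharacters.

Added example, not the validate-inputs code from ivuorinen/actions. The CalVer
shape (YYYY.MM.PATCH or YYYY-MM-DD) is an assumption made for this example.
"""
import re
from pathlib import PurePosixPath

# SemVer 2.0.0 core with optional pre-release and build metadata; leading "v" tolerated.
SEMVER = re.compile(
    r"^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
    r"(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$"
)
# CalVer as assumed here: year, month 1-12, then a patch number or day.
CALVER = re.compile(r"^\d{4}[.-](0?[1-9]|1[0-2])[.-]\d{1,3}$")
# Characters that would change the meaning of a value spliced into a shell command.
SHELL_META = re.compile(r"[;&|`$<>(){}\[\]\n\r\\'\"]")


def validate_version(value: str) -> tuple[bool, str]:
    """Accept SemVer or CalVer; report which scheme matched (SemVer is tried first)."""
    if SEMVER.match(value):
        return True, "semver"
    if CALVER.match(value):
        return True, "calver"
    return False, "not SemVer (1.2.3) or CalVer (2025.01.15 / 2025-01-15)"


def validate_relative_path(value: str) -> tuple[bool, str]:
    """Reject empty, absolute and traversing paths so a value cannot escape the workspace."""
    if not value:
        return False, "empty path"
    if "\x00" in value:
        return False, "NUL byte"
    path = PurePosixPath(value)
    if path.is_absolute():
        return False, "absolute path"
    if ".." in path.parts:
        return False, "path traversal"
    return True, "ok"


def validate_shell_safe(value: str) -> tuple[bool, str]:
    """Reject values that could break out of a shell command built from them."""
    hit = SHELL_META.search(value)
    if hit:
        return False, f"shell metacharacter {hit.group()!r}"
    return True, "ok"


# Hypothetical type names for the schema; the real action's names may differ.
VALIDATORS = {
    "version": validate_version,
    "path": validate_relative_path,
    "shell-safe": validate_shell_safe,
}


def validate_inputs(inputs: dict[str, str], schema: dict[str, str]) -> list[str]:
    """Check each declared input against its type; return one message per failure."""
    errors: list[str] = []
    for name, kind in schema.items():
        ok, detail = VALIDATORS[kind](inputs.get(name, ""))
        if not ok:
            errors.append(f"{name}: {detail}")
    return errors


if __name__ == "__main__":
    # Constructed sample inputs, as an action would receive them from `with:`.
    sample = {"version": "2025-01-15", "output-dir": "../outside", "image-name": "app; id"}
    schema = {"version": "version", "output-dir": "path", "image-name": "shell-safe"}
    for err in validate_inputs(sample, schema):
        print(err)
```

Two design points worth keeping whatever the exact scheme: the path check works on the lexical parts of the value (`..` anywhere, not only at the start, and absolute paths) without touching the file system, so it cannot be confused by a path that does not exist yet; and the shell check is a deny-list of metacharacters applied to the value itself, which is a backstop for cases where a value is still interpolated into a command rather than passed as an argument list.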
Testing
```bash
# Run all tests (Python + GitHub Actions)
make test

# Run specific test types
make test-python                    # Python validation tests only
make test-actions                   # GitHub Actions tests only
make test-action ACTION=node-setup  # Test specific action

# Coverage reporting
make test-coverage                  # All tests with coverage
make test-python-coverage           # Python tests with coverage
```
For detailed development guidelines, see CLAUDE.md.
License
This project is licensed under the MIT License. See the LICENSE file for details.