actions/CONTRIBUTING.md
Ismo Vuorinen a0cc32995f feat(security): add OpenSSF Scorecard workflow and maximize score (#498)
* feat(security): add OpenSSF Scorecard workflow and maximize score

- Add scorecard.yml workflow (weekly + push to main) with SARIF upload
- Add CONTRIBUTING.md for contributor guidelines
- Add SLSA provenance attestation job to release workflow
- Add CycloneDX SBOM generation job to release workflow
- Pin Dockerfile base images to sha256 digests
- Enable Renovate pinDigests and platformAutomerge
- Add OpenSSF Scorecard badge to README

* fix(docs): address PR #498 review comments and remove .coderabbit.yaml

- Delete .coderabbit.yaml (falls back to shared org-level config)
- Add missing linter deps to CONTRIBUTING.md install step
- Separate make all and make test into distinct steps
- Fix line length note to match EditorConfig (200 chars, no MD override)
- Add yamllint/markdownlint to YAML/JSON/Markdown linter list
- Refine action references guidance
- Expand "Adding a New Action" section with action-docs and catalog info
2026-03-09 01:59:07 +02:00

Contributing to ivuorinen/actions

Thank you for your interest in contributing to this GitHub Actions monorepo.

Reporting Issues

  • Bugs: Open an issue using the bug report template.
  • Security vulnerabilities: See SECURITY.md for responsible disclosure.
  • Feature requests: Open an issue describing the use case.

Development Setup

  1. Clone the repository:

    git clone https://github.com/ivuorinen/actions.git
    cd actions
    
  2. Install dependencies (Node.js, Python 3, ShellSpec, shellcheck, actionlint, ruff, prettier, markdownlint, yamllint).

  3. Run formatting, linting, and pre-commit checks:

    make all
    
  4. Run the test suite:

    make test
    

Code Style

  • EditorConfig: 2-space indentation, UTF-8, LF line endings, max 200 chars.
  • Shell scripts: POSIX sh with set -eu. No bash-only syntax.
  • Python: Formatted and linted with ruff.
  • YAML/JSON/Markdown: Formatted with prettier; linted with yamllint and markdownlint.
  • Action references: pin every uses: reference in action.yml files to a commit SHA, never a mutable tag or branch. Published refs to this repository use date-based tags or commit SHAs.

Run make dev (format + lint) to check your changes.

Pull Request Process

  1. Branch from main.
  2. Make focused changes (one feature or fix per PR).
  3. Ensure all checks pass: make all and make test.
  4. Follow existing patterns in the codebase.
  5. Update documentation if adding or modifying actions.

Testing

make test              # All tests (ShellSpec + pytest)
make test-actions      # GitHub Actions tests only
make test-python       # Python validation tests only
make test-coverage     # All tests with coverage

See _tests/README.md for details on the ShellSpec testing framework.

Adding a New Action

Each action is a self-contained directory at the repository root containing:

  • action.yml with inputs, outputs, and runs definition
  • README.md generated via action-docs (make docs)
  • Tests in _tests/

Do not manually edit sections between <!--LISTING--> markers in the root README. Use npm run update-catalog to regenerate the catalog.
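The SHA-pinning rule from Code Style and the action.yml layout described in this section, as an added example that is not part of ivuorinen/actions: a POSIX sh script (set -eu, no bash-only syntax, as the shell rule above asks) that lists every uses: reference in an action.yml that is not pinned to a full 40-hex-digit commit SHA, run against a constructed sample action.yml with placeholder inputs, outputs and runs sections. The function names unpinned_uses, check_pinned and write_sample, the sample file and its placeholder SHA are assumptions for this illustration, not repository code.

```sh
#!/bin/sh
# Added example; not code from ivuorinen/actions. Checks that every `uses:`
# reference in an action.yml is pinned to a full commit SHA, as the Code Style
# section requires, and runs it against a constructed sample action.yml.
set -eu

# Print each `uses:` reference in FILE that is not pinned to a 40-hex-digit
# commit SHA, one per line. Local (./path) and docker:// references carry no
# git ref and are skipped. The exit status is awk's (0); callers inspect output.
unpinned_uses() {
  awk '
    /^[ \t]*(-[ \t]*)?uses:[ \t]*/ {
      ref = $0
      sub(/^[ \t]*(-[ \t]*)?uses:[ \t]*/, "", ref)   # drop the key
      sub(/[ \t]*#.*$/, "", ref)                      # drop a trailing comment
      gsub(/^["'"'"']|["'"'"']$/, "", ref)            # drop surrounding quotes
      if (ref ~ /^\.\// || ref ~ /^docker:\/\//) next
      n = split(ref, parts, "@")
      version = (n > 1) ? parts[n] : ""
      if (length(version) != 40 || version !~ /^[0-9a-f]+$/) print ref
    }
  ' "$1"
}

# Return 0 when FILE is fully pinned; otherwise list the offenders on stderr
# and return 1, so the check can gate a pre-commit hook or CI step.
check_pinned() {
  bad=$(unpinned_uses "$1")
  if [ -n "$bad" ]; then
    printf 'unpinned action references in %s:\n%s\n' "$1" "$bad" >&2
    return 1
  fi
  return 0
}

# Constructed sample action.yml for the demo (hypothetical); the 40-hex SHA
# below is a placeholder, not a real commit.
write_sample() {
  cat > "$1" <<'EOF'
name: Sample Action
description: Constructed example for the pinning check
inputs:
  path:
    description: Directory to lint
    default: .
outputs:
  result:
    description: Lint summary
    value: ${{ steps.lint.outputs.result }}
runs:
  using: composite
  steps:
    - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
    - uses: actions/setup-node@v4
    - uses: ./internal-action
    - uses: "actions/cache@v4.2.0"
    - uses: docker://alpine:3.20
    - id: lint
      shell: sh
      run: echo "result=ok" >> "$GITHUB_OUTPUT"
EOF
}

sample=$(mktemp)
write_sample "$sample"
if check_pinned "$sample"; then
  echo "all action references are SHA-pinned"
else
  echo "pin the references listed above to commit SHAs"
fi
rm -f "$sample"
```

Running it as sh check.sh reports actions/setup-node@v4 and actions/cache@v4.2.0 as unpinned and leaves the local, docker:// and SHA-pinned steps alone; wire check_pinned into a pre-commit hook or make target so the run fails when offenders are found. The check validates only the ref syntax: whether a 40-hex ref really belongs to the release the trailing comment claims is something review (and Renovate's pinDigests updates) still has to confirm, and a pinned action can still pull unpinned dependencies of its own.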

License

By contributing, you agree that your contributions will be licensed under the MIT License.