mirror of
https://github.com/ivuorinen/actions.git
synced 2026-01-26 03:23:59 +00:00
Ismo Vuorinen
9aa16a8164
* feat: use our own actions in our workflows * fix: add missing inputs to validate-inputs, refactor node * chore: cr comment fixes * fix: update-validators formatting * chore: update validators, add tests, conventions * feat: validate severity with severity_enum * feat: add 10 generic validators to improve input validation coverage Add comprehensive validation system improvements across multiple phases: Phase 2A - Quick Wins: - Add multi_value_enum validator for 2-10 value enumerations - Add exit_code_list validator for Unix/Linux exit codes (0-255) - Refactor coverage_driver to use multi_value_enum Phase 2B - High-Value Validators: - Add key_value_list validator with shell injection prevention - Add path_list validator with path traversal and glob support Quick Wins - Additional Enums: - Add network_mode validator for Docker network modes - Add language_enum validator for language detection - Add framework_mode validator for PHP framework modes - Update boolean pattern to include 'push' Phase 2C - Specialized Validators: - Add json_format validator for JSON syntax validation - Add cache_config validator for Docker BuildKit cache configs Improvements: - All validators include comprehensive security checks - Pattern-based validation with clear error messages - 23 new test methods with edge case coverage - Update special case mappings for 20+ inputs - Fix build-args mapping test expectation Coverage impact: 22 actions now at 100% validation (88% → 92%) Test suite: 762 → 785 tests (+23 tests, all passing) * chore: regenerate rules.yml with improved validator coverage Regenerate validation rules for all actions with new validators: - compress-images: 86% → 100% (+1 input: ignore-paths) - docker-build: 63% → 100% (+4 inputs: cache configs, platform-build-args) - docker-publish: 73% → 100% (+1 input: build-args) - language-version-detect: 67% → 100% (+1 input: language) - php-tests: 89% (fixed framework→framework_mode mapping) - prettier-lint: 86% → 100% (+2 inputs: file-pattern, plugins) - security-scan: 86% (maintained coverage) Overall: 23 of 25 actions now at 100% validation coverage (92%) * fix: address PR #377 review comments - Add | None type annotations to 6 optional parameters (PEP 604) - Standardize injection pattern: remove @# from comma_separated_list validator (@ and # are not shell injection vectors, allows npm scoped packages) - Remove dead code: unused value expression in key_value_list validator - Update tests to reflect injection pattern changes
ivuorinen/actions/validate-inputs
Validate Inputs
Description
Centralized Python-based input validation for GitHub Actions with PCRE regex support
Inputs
| name | description | required | default |
|---|---|---|---|
action |
Action name to validate (alias for action-type) |
false |
"" |
action-type |
Type of action to validate (e.g., csharp-publish, docker-build, eslint-lint) |
false |
"" |
rules-file |
Path to validation rules file |
false |
"" |
fail-on-error |
Whether to fail on validation errors |
false |
true |
token |
GitHub token for authentication |
false |
"" |
namespace |
Namespace/username for validation |
false |
"" |
email |
Email address for validation |
false |
"" |
username |
Username for validation |
false |
"" |
dotnet-version |
.NET version string |
false |
"" |
terraform-version |
Terraform version string |
false |
"" |
tflint-version |
TFLint version string |
false |
"" |
node-version |
Node.js version string |
false |
"" |
force-version |
Force version override |
false |
"" |
default-version |
Default version fallback |
false |
"" |
image-name |
Docker image name |
false |
"" |
tag |
Docker image tag |
false |
"" |
architectures |
Target architectures |
false |
"" |
dockerfile |
Dockerfile path |
false |
"" |
context |
Docker build context |
false |
"" |
build-args |
Docker build arguments |
false |
"" |
buildx-version |
Docker Buildx version |
false |
"" |
max-retries |
Maximum retry attempts |
false |
"" |
image-quality |
Image quality percentage |
false |
"" |
png-quality |
PNG quality percentage |
false |
"" |
parallel-builds |
Number of parallel builds |
false |
"" |
days-before-stale |
Number of days before marking as stale |
false |
"" |
days-before-close |
Number of days before closing stale items |
false |
"" |
pre-commit-config |
Pre-commit configuration file path |
false |
"" |
base-branch |
Base branch name |
false |
"" |
dry-run |
Dry run mode |
false |
"" |
is_fiximus |
Use Fiximus bot |
false |
"" |
prefix |
Release tag prefix |
false |
"" |
language |
Language to analyze (for CodeQL) |
false |
"" |
queries |
CodeQL queries to run |
false |
"" |
packs |
CodeQL query packs |
false |
"" |
config-file |
CodeQL configuration file path |
false |
"" |
config |
CodeQL configuration YAML string |
false |
"" |
build-mode |
Build mode for compiled languages |
false |
"" |
source-root |
Source code root directory |
false |
"" |
category |
Analysis category |
false |
"" |
checkout-ref |
Git reference to checkout |
false |
"" |
working-directory |
Working directory for analysis |
false |
"" |
upload-results |
Upload results to GitHub Security |
false |
"" |
ram |
Memory in MB for CodeQL |
false |
"" |
threads |
Number of threads for CodeQL |
false |
"" |
output |
Output path for SARIF results |
false |
"" |
skip-queries |
Skip running queries |
false |
"" |
add-snippets |
Add code snippets to SARIF |
false |
"" |
gitleaks-license |
Gitleaks license key |
false |
"" |
gitleaks-config |
Gitleaks configuration file path |
false |
"" |
trivy-severity |
Trivy severity levels to scan |
false |
"" |
trivy-scanners |
Trivy scanner types to run |
false |
"" |
trivy-timeout |
Trivy scan timeout |
false |
"" |
actionlint-enabled |
Enable actionlint scanning |
false |
"" |
Outputs
| name | description |
|---|---|
validation-status |
Overall validation status (success/failure) |
error-message |
Validation error message if failed |
validation-result |
Detailed validation result |
errors-found |
Number of validation errors found |
rules-applied |
Number of validation rules applied |
Runs
This action is a composite action.
Usage
- uses: ivuorinen/actions/validate-inputs@main
with:
action:
# Action name to validate (alias for action-type)
#
# Required: false
# Default: ""
action-type:
# Type of action to validate (e.g., csharp-publish, docker-build, eslint-lint)
#
# Required: false
# Default: ""
rules-file:
# Path to validation rules file
#
# Required: false
# Default: ""
fail-on-error:
# Whether to fail on validation errors
#
# Required: false
# Default: true
token:
# GitHub token for authentication
#
# Required: false
# Default: ""
namespace:
# Namespace/username for validation
#
# Required: false
# Default: ""
email:
# Email address for validation
#
# Required: false
# Default: ""
username:
# Username for validation
#
# Required: false
# Default: ""
dotnet-version:
# .NET version string
#
# Required: false
# Default: ""
terraform-version:
# Terraform version string
#
# Required: false
# Default: ""
tflint-version:
# TFLint version string
#
# Required: false
# Default: ""
node-version:
# Node.js version string
#
# Required: false
# Default: ""
force-version:
# Force version override
#
# Required: false
# Default: ""
default-version:
# Default version fallback
#
# Required: false
# Default: ""
image-name:
# Docker image name
#
# Required: false
# Default: ""
tag:
# Docker image tag
#
# Required: false
# Default: ""
architectures:
# Target architectures
#
# Required: false
# Default: ""
dockerfile:
# Dockerfile path
#
# Required: false
# Default: ""
context:
# Docker build context
#
# Required: false
# Default: ""
build-args:
# Docker build arguments
#
# Required: false
# Default: ""
buildx-version:
# Docker Buildx version
#
# Required: false
# Default: ""
max-retries:
# Maximum retry attempts
#
# Required: false
# Default: ""
image-quality:
# Image quality percentage
#
# Required: false
# Default: ""
png-quality:
# PNG quality percentage
#
# Required: false
# Default: ""
parallel-builds:
# Number of parallel builds
#
# Required: false
# Default: ""
days-before-stale:
# Number of days before marking as stale
#
# Required: false
# Default: ""
days-before-close:
# Number of days before closing stale items
#
# Required: false
# Default: ""
pre-commit-config:
# Pre-commit configuration file path
#
# Required: false
# Default: ""
base-branch:
# Base branch name
#
# Required: false
# Default: ""
dry-run:
# Dry run mode
#
# Required: false
# Default: ""
is_fiximus:
# Use Fiximus bot
#
# Required: false
# Default: ""
prefix:
# Release tag prefix
#
# Required: false
# Default: ""
language:
# Language to analyze (for CodeQL)
#
# Required: false
# Default: ""
queries:
# CodeQL queries to run
#
# Required: false
# Default: ""
packs:
# CodeQL query packs
#
# Required: false
# Default: ""
config-file:
# CodeQL configuration file path
#
# Required: false
# Default: ""
config:
# CodeQL configuration YAML string
#
# Required: false
# Default: ""
build-mode:
# Build mode for compiled languages
#
# Required: false
# Default: ""
source-root:
# Source code root directory
#
# Required: false
# Default: ""
category:
# Analysis category
#
# Required: false
# Default: ""
checkout-ref:
# Git reference to checkout
#
# Required: false
# Default: ""
working-directory:
# Working directory for analysis
#
# Required: false
# Default: ""
upload-results:
# Upload results to GitHub Security
#
# Required: false
# Default: ""
ram:
# Memory in MB for CodeQL
#
# Required: false
# Default: ""
threads:
# Number of threads for CodeQL
#
# Required: false
# Default: ""
output:
# Output path for SARIF results
#
# Required: false
# Default: ""
skip-queries:
# Skip running queries
#
# Required: false
# Default: ""
add-snippets:
# Add code snippets to SARIF
#
# Required: false
# Default: ""
gitleaks-license:
# Gitleaks license key
#
# Required: false
# Default: ""
gitleaks-config:
# Gitleaks configuration file path
#
# Required: false
# Default: ""
trivy-severity:
# Trivy severity levels to scan
#
# Required: false
# Default: ""
trivy-scanners:
# Trivy scanner types to run
#
# Required: false
# Default: ""
trivy-timeout:
# Trivy scan timeout
#
# Required: false
# Default: ""
actionlint-enabled:
# Enable actionlint scanning
#
# Required: false
# Default: ""