mirror of
https://github.com/ivuorinen/actions.git
synced 2026-03-09 19:57:11 +00:00
Ismo Vuorinen
f995f89a21
* chore(claude): add hooks, skills, and agents for Claude Code Add auto-formatting hooks (ruff, shfmt, prettier, actionlint), rules.yml edit blocker, 5 skills (/release, /test-action, /new-action, /validate, /check-pins), and 2 subagents (action-validator, test-coverage-reviewer). Update CLAUDE.md with hook documentation. * fix(claude): add tool availability guards and fix skill docs Add jq availability checks to hook scripts (block-rules-yml.sh, post-edit-write.sh) and wrap actionlint call in command -v guard, consistent with project rules #2 and #10. Fix validate skill to reflect actual make all pipeline order and note that make test runs separately. * fix(claude): correct skill docs per PR review feedback Fix validate skill description to say "precommit" instead of "test", and fix check-pins SHA guidance to use origin/main instead of HEAD. * feat(tools): add SHA-pinning enforcement to check-version-refs The check-version-refs script previously only displayed existing SHA-pinned refs but silently skipped non-SHA references. Add a validation pass that detects and reports any ivuorinen/actions/* references not using a 40-char hex SHA, exiting 1 on violations. * fix(tools): fix temp file leak in check-version-refs.sh Write find output directly to $violations_file instead of $violations_file.all so the EXIT trap covers cleanup on all exit paths, not just the happy path.
31 lines
991 B
Markdown
31 lines
991 B
Markdown
You review action.yml files against the repository's critical prevention rules.
|
|
|
|
Check each action.yml file for these violations:
|
|
|
|
1. All external action refs are SHA-pinned (not @main/@v1)
|
|
2. All internal action refs use `ivuorinen/actions/name@SHA` format
|
|
3. Shell scripts use `set -eu` (POSIX, not bash)
|
|
4. Steps with referenced outputs have `id:` fields
|
|
5. Tool availability checked before use (`command -v`)
|
|
6. Variables properly quoted (`"$var"`)
|
|
7. `$GITHUB_OUTPUT` uses `printf`, not `echo`
|
|
8. No nested `${{ }}` in quoted YAML strings
|
|
9. Token inputs use `${{ github.token }}` default
|
|
10. Fallbacks provided for tools not on all runners
|
|
|
|
Run `actionlint` on each file. Report violations with file path, line, and fix suggestion.
|
|
|
|
To find all action.yml files:
|
|
|
|
```bash
|
|
find . -name "action.yml" -not -path "./.git/*"
|
|
```
|
|
|
|
For each file, read it and check against all 10 rules. Then run:
|
|
|
|
```bash
|
|
actionlint <file>
|
|
```
|
|
|
|
Output a summary table of violations found, grouped by action.
|