Ismo Vuorinen 900dd96797 feat: add action-validator and clean up CI workflows (#513)
* chore(pre-commit): update hooks and add action-validator

Update uv-pre-commit 0.10.9→0.10.11 and checkov 3.2.508→3.2.510.
Normalize single quotes to double quotes in hook args.
Add action-validator v0.8.0 hook for GitHub Actions validation.

* fix(ci): clean up workflow path filters

Remove non-existent action.yaml paths from action-security workflow.
Fix glob patterns (**.md → **/*.md) in pr-lint workflow.
Remove unused trigger paths (yarn.lock, pnpm-lock.yaml,
requirements.txt, .github/labels.yml, docs/**) from security-suite
and sync-labels workflows.

* feat(make): add lint-actions target for action-validator

Add lint-actions target that runs action-validator via pre-commit.
Include it in the lint dependency list and .PHONY declaration.

* docs: add context-mode routing rules to CLAUDE.md

Add mandatory routing rules section for context-mode MCP plugin,
documenting blocked commands, redirected tools, tool selection
hierarchy, and output constraints.

* fix(lint): resolve action-validator failure on language-version-detect

- Remove unsupported `deprecated: true` from language-version-detect/action.yml
  (deprecation already communicated via description field)
- Scope action-validator pre-commit hook to workflow and action.yml files only
- Make missing pre-commit a hard error in lint-actions target

* fix(deps): update action pins and fix trivy-action version comment

Update SHA-pinned action references to latest versions:
- github/codeql-action v4.32.6 → v4.33.0
- nick-fields/retry v3.0.2 → v4.0.0
- actions/cache v5.0.3 → v5.0.4
- oven-sh/setup-bun v2.1.3 → v2.2.0
- softprops/action-gh-release v2.5.0 → v2.6.1
- github/issue-metrics v4.1.0 → v4.1.1
- shivammathur/setup-php 2.36.0 → 2.37.0
- astral-sh/setup-uv v7.5.0 → v7.6.0
- terraform-linters/setup-tflint v6.2.1 → v6.2.2
- aquasecurity/trivy-action: pin from master to v0.35.0

Fix pinact warning in docker-build by adding missing v prefix
to trivy-action version comment (0.35.0 → v0.35.0).
2026-03-20 13:01:24 +02:00

ivuorinen/actions/codeql-analysis

CodeQL Analysis

Description

Run CodeQL security analysis for a single language with configurable query suites

Inputs

| name | description | required | default |
|------|-------------|----------|---------|
| language | Language to analyze (javascript, python, actions, java, csharp, cpp, ruby, go, etc.) | true | "" |
| queries | Comma-separated list of additional queries to run | false | "" |
| packs | Comma-separated list of CodeQL query packs to run | false | "" |
| config-file | Path to CodeQL configuration file | false | "" |
| config | Configuration passed as a YAML string | false | "" |
| build-mode | The build mode for compiled languages (none, manual, autobuild) | false | "" |
| source-root | Path of the root source code directory | false | "" |
| category | Analysis category (default: /language:<language>) | false | "" |
| checkout-ref | Git reference to checkout (default: current ref) | false | "" |
| token | GitHub token for API access | false | ${{ github.token }} |
| working-directory | Working directory for the analysis | false | . |
| upload-results | Upload results to GitHub Security tab | false | true |
| ram | Amount of memory in MB that can be used by CodeQL | false | "" |
| threads | Number of threads that can be used by CodeQL | false | "" |
| output | Path to save SARIF results | false | ../results |
| skip-queries | Build database but skip running queries | false | false |

Outputs

| name | description |
|------|-------------|
| language-analyzed | Language that was analyzed |
| analysis-category | Category used for the analysis |
| sarif-file | Path to generated SARIF file |

Runs

This action is a composite action.

Usage

```yaml
- uses: ivuorinen/actions/codeql-analysis@main
  with:
    language:
    # Language to analyze (javascript, python, actions, java, csharp, cpp, ruby, go, etc.)
    #
    # Required: true
    # Default: ""

    queries:
    # Comma-separated list of additional queries to run
    #
    # Required: false
    # Default: ""

    packs:
    # Comma-separated list of CodeQL query packs to run
    #
    # Required: false
    # Default: ""

    config-file:
    # Path to CodeQL configuration file
    #
    # Required: false
    # Default: ""

    config:
    # Configuration passed as a YAML string
    #
    # Required: false
    # Default: ""

    build-mode:
    # The build mode for compiled languages (none, manual, autobuild)
    #
    # Required: false
    # Default: ""

    source-root:
    # Path of the root source code directory
    #
    # Required: false
    # Default: ""

    category:
    # Analysis category (default: /language:<language>)
    #
    # Required: false
    # Default: ""

    checkout-ref:
    # Git reference to checkout (default: current ref)
    #
    # Required: false
    # Default: ""

    token:
    # GitHub token for API access
    #
    # Required: false
    # Default: ${{ github.token }}

    working-directory:
    # Working directory for the analysis
    #
    # Required: false
    # Default: .

    upload-results:
    # Upload results to GitHub Security tab
    #
    # Required: false
    # Default: true

    ram:
    # Amount of memory in MB that can be used by CodeQL
    #
    # Required: false
    # Default: ""

    threads:
    # Number of threads that can be used by CodeQL
    #
    # Required: false
    # Default: ""

    output:
    # Path to save SARIF results
    #
    # Required: false
    # Default: ../results

    skip-queries:
    # Build database but skip running queries
    #
    # Required: false
    # Default: false
```
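As an added example (not part of this README or the ivuorinen/actions repository), a caller workflow that runs the action once per language from a matrix, grants the job only the permissions the SARIF upload needs, and keeps the file named by the sarif-file output as a build artifact. It assumes the repository contains JavaScript, Python and Java code, that the action performs its own checkout (as its checkout-ref input suggests), and that the queries input accepts a suite name such as security-extended the way github/codeql-action does.

```yaml
# Added example caller workflow, not from the ivuorinen/actions repository.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "30 4 * * 1" # weekly run so newly published queries also cover unchanged code

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write # needed only because upload-results defaults to true
    strategy:
      fail-fast: false # a failing build for one language must not hide the others' findings
      matrix:
        include:
          - language: javascript
            build-mode: none
          - language: python
            build-mode: none
          - language: java
            build-mode: autobuild # compiled language: let CodeQL drive the build
    steps:
      - name: CodeQL (${{ matrix.language }})
        id: codeql
        # Assumption: the action checks out the code itself (see its checkout-ref input).
        uses: ivuorinen/actions/codeql-analysis@main # pin to a commit SHA in production
        with:
          language: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          # Assumption: suite names are passed through to github/codeql-action.
          queries: security-extended
          config: |
            paths-ignore:
              - "**/node_modules/**"
              - "**/vendor/**"
      - name: Keep the SARIF file as a build artifact
        uses: actions/upload-artifact@v4
        with:
          name: codeql-${{ matrix.language }}
          path: ${{ steps.codeql.outputs.sarif-file }}
```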