ivuorinen/actions
1
0
Fork 0
mirror of https://github.com/ivuorinen/actions.git synced 2026-01-26 03:23:59 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
9aa16a8164e87e23406e86564d6a19d51fc5d46a
actions/validate-inputs/action.yml
Ismo Vuorinen 9aa16a8164 feat: use our own actions in our workflows (#377) 
* feat: use our own actions in our workflows

* fix: add missing inputs to validate-inputs, refactor node

* chore: cr comment fixes

* fix: update-validators formatting

* chore: update validators, add tests, conventions

* feat: validate severity with severity_enum

* feat: add 10 generic validators to improve input validation coverage

Add comprehensive validation system improvements across multiple phases:

Phase 2A - Quick Wins:
- Add multi_value_enum validator for 2-10 value enumerations
- Add exit_code_list validator for Unix/Linux exit codes (0-255)
- Refactor coverage_driver to use multi_value_enum

Phase 2B - High-Value Validators:
- Add key_value_list validator with shell injection prevention
- Add path_list validator with path traversal and glob support

Quick Wins - Additional Enums:
- Add network_mode validator for Docker network modes
- Add language_enum validator for language detection
- Add framework_mode validator for PHP framework modes
- Update boolean pattern to include 'push'

Phase 2C - Specialized Validators:
- Add json_format validator for JSON syntax validation
- Add cache_config validator for Docker BuildKit cache configs

Improvements:
- All validators include comprehensive security checks
- Pattern-based validation with clear error messages
- 23 new test methods with edge case coverage
- Update special case mappings for 20+ inputs
- Fix build-args mapping test expectation

Coverage impact: 22 actions now at 100% validation (88% → 92%)
Test suite: 762 → 785 tests (+23 tests, all passing)

* chore: regenerate rules.yml with improved validator coverage

Regenerate validation rules for all actions with new validators:

- compress-images: 86% → 100% (+1 input: ignore-paths)
- docker-build: 63% → 100% (+4 inputs: cache configs, platform-build-args)
- docker-publish: 73% → 100% (+1 input: build-args)
- language-version-detect: 67% → 100% (+1 input: language)
- php-tests: 89% (fixed framework→framework_mode mapping)
- prettier-lint: 86% → 100% (+2 inputs: file-pattern, plugins)
- security-scan: 86% (maintained coverage)

Overall: 23 of 25 actions now at 100% validation coverage (92%)

* fix: address PR #377 review comments

- Add | None type annotations to 6 optional parameters (PEP 604)
- Standardize injection pattern: remove @# from comma_separated_list validator
  (@ and # are not shell injection vectors, allows npm scoped packages)
- Remove dead code: unused value expression in key_value_list validator
- Update tests to reflect injection pattern changes
2025-11-25 23:51:03 +02:00

270 lines
8.1 KiB
YAML
Raw Blame History

# yaml-language-server: $schema=https://json.schemastore.org/github-action.json
# permissions:
# - (none required) # Validation-only action
---
name: 'Validate Inputs'
description: 'Centralized Python-based input validation for GitHub Actions with PCRE regex support'
author: 'Ismo Vuorinen'
branding:
icon: 'shield'
color: 'green'
inputs:
action:
description: 'Action name to validate (alias for action-type)'
required: false
action-type:
description: 'Type of action to validate (e.g., csharp-publish, docker-build, eslint-lint)'
required: false
rules-file:
description: 'Path to validation rules file'
required: false
fail-on-error:
description: 'Whether to fail on validation errors'
required: false
default: 'true'
# Common inputs that can be validated across actions
token:
description: 'GitHub token for authentication'
required: false
namespace:
description: 'Namespace/username for validation'
required: false
email:
description: 'Email address for validation'
required: false
username:
description: 'Username for validation'
required: false
# Version-related inputs
dotnet-version:
description: '.NET version string'
required: false
terraform-version:
description: 'Terraform version string'
required: false
tflint-version:
description: 'TFLint version string'
required: false
node-version:
description: 'Node.js version string'
required: false
force-version:
description: 'Force version override'
required: false
default-version:
description: 'Default version fallback'
required: false
# Docker-related inputs
image-name:
description: 'Docker image name'
required: false
tag:
description: 'Docker image tag'
required: false
architectures:
description: 'Target architectures'
required: false
dockerfile:
description: 'Dockerfile path'
required: false
context:
description: 'Docker build context'
required: false
build-args:
description: 'Docker build arguments'
required: false
buildx-version:
description: 'Docker Buildx version'
required: false
# Numeric inputs
max-retries:
description: 'Maximum retry attempts'
required: false
image-quality:
description: 'Image quality percentage'
required: false
png-quality:
description: 'PNG quality percentage'
required: false
parallel-builds:
description: 'Number of parallel builds'
required: false
days-before-stale:
description: 'Number of days before marking as stale'
required: false
days-before-close:
description: 'Number of days before closing stale items'
required: false
# File/path inputs
pre-commit-config:
description: 'Pre-commit configuration file path'
required: false
base-branch:
description: 'Base branch name'
required: false
# Boolean inputs
dry-run:
description: 'Dry run mode'
required: false
is_fiximus:
description: 'Use Fiximus bot'
required: false
# Release inputs
prefix:
description: 'Release tag prefix'
required: false
# CodeQL-specific inputs
language:
description: 'Language to analyze (for CodeQL)'
required: false
queries:
description: 'CodeQL queries to run'
required: false
packs:
description: 'CodeQL query packs'
required: false
config-file:
description: 'CodeQL configuration file path'
required: false
config:
description: 'CodeQL configuration YAML string'
required: false
build-mode:
description: 'Build mode for compiled languages'
required: false
source-root:
description: 'Source code root directory'
required: false
category:
description: 'Analysis category'
required: false
checkout-ref:
description: 'Git reference to checkout'
required: false
working-directory:
description: 'Working directory for analysis'
required: false
upload-results:
description: 'Upload results to GitHub Security'
required: false
ram:
description: 'Memory in MB for CodeQL'
required: false
threads:
description: 'Number of threads for CodeQL'
required: false
output:
description: 'Output path for SARIF results'
required: false
skip-queries:
description: 'Skip running queries'
required: false
add-snippets:
description: 'Add code snippets to SARIF'
required: false
# Security-scan specific inputs
gitleaks-license:
description: 'Gitleaks license key'
required: false
gitleaks-config:
description: 'Gitleaks configuration file path'
required: false
trivy-severity:
description: 'Trivy severity levels to scan'
required: false
trivy-scanners:
description: 'Trivy scanner types to run'
required: false
trivy-timeout:
description: 'Trivy scan timeout'
required: false
actionlint-enabled:
description: 'Enable actionlint scanning'
required: false
outputs:
validation-status:
description: 'Overall validation status (success/failure)'
value: ${{ steps.validate.outputs.status }}
error-message:
description: 'Validation error message if failed'
value: ${{ steps.validate.outputs.error }}
validation-result:
description: 'Detailed validation result'
value: ${{ steps.validate.outputs.result }}
errors-found:
description: 'Number of validation errors found'
value: ${{ steps.validate.outputs.errors }}
rules-applied:
description: 'Number of validation rules applied'
value: ${{ steps.validate.outputs.rules }}
runs:
using: composite
steps:
- name: Validate Action Inputs with Python
id: validate
shell: bash
working-directory: ${{ github.action_path }}
run: python3 validator.py
env:
INPUT_ACTION: ${{ inputs.action }}
INPUT_ACTION_TYPE: ${{ inputs.action-type }}
INPUT_RULES_FILE: ${{ inputs.rules-file }}
INPUT_FAIL_ON_ERROR: ${{ inputs.fail-on-error }}
INPUT_TOKEN: ${{ inputs.token }}
INPUT_NAMESPACE: ${{ inputs.namespace }}
INPUT_EMAIL: ${{ inputs.email }}
INPUT_USERNAME: ${{ inputs.username }}
INPUT_DOTNET_VERSION: ${{ inputs.dotnet-version }}
INPUT_TERRAFORM_VERSION: ${{ inputs.terraform-version }}
INPUT_TFLINT_VERSION: ${{ inputs.tflint-version }}
INPUT_NODE_VERSION: ${{ inputs.node-version }}
INPUT_FORCE_VERSION: ${{ inputs.force-version }}
INPUT_DEFAULT_VERSION: ${{ inputs.default-version }}
INPUT_IMAGE_NAME: ${{ inputs.image-name }}
INPUT_TAG: ${{ inputs.tag }}
INPUT_ARCHITECTURES: ${{ inputs.architectures }}
INPUT_DOCKERFILE: ${{ inputs.dockerfile }}
INPUT_CONTEXT: ${{ inputs.context }}
INPUT_BUILD_ARGS: ${{ inputs.build-args }}
INPUT_BUILDX_VERSION: ${{ inputs.buildx-version }}
INPUT_MAX_RETRIES: ${{ inputs.max-retries }}
INPUT_IMAGE_QUALITY: ${{ inputs.image-quality }}
INPUT_PNG_QUALITY: ${{ inputs.png-quality }}
INPUT_PARALLEL_BUILDS: ${{ inputs.parallel-builds }}
INPUT_DAYS_BEFORE_STALE: ${{ inputs.days-before-stale }}
INPUT_DAYS_BEFORE_CLOSE: ${{ inputs.days-before-close }}
INPUT_PRE_COMMIT_CONFIG: ${{ inputs.pre-commit-config }}
INPUT_BASE_BRANCH: ${{ inputs.base-branch }}
INPUT_DRY_RUN: ${{ inputs.dry-run }}
INPUT_IS_FIXIMUS: ${{ inputs.is_fiximus }}
INPUT_PREFIX: ${{ inputs.prefix }}
INPUT_LANGUAGE: ${{ inputs.language }}
INPUT_QUERIES: ${{ inputs.queries }}
INPUT_PACKS: ${{ inputs.packs }}
INPUT_CONFIG_FILE: ${{ inputs.config-file }}
INPUT_CONFIG: ${{ inputs.config }}
INPUT_BUILD_MODE: ${{ inputs.build-mode }}
INPUT_SOURCE_ROOT: ${{ inputs.source-root }}
INPUT_CATEGORY: ${{ inputs.category }}
INPUT_CHECKOUT_REF: ${{ inputs.checkout-ref }}
INPUT_WORKING_DIRECTORY: ${{ inputs.working-directory }}
INPUT_UPLOAD_RESULTS: ${{ inputs.upload-results }}
INPUT_RAM: ${{ inputs.ram }}
INPUT_THREADS: ${{ inputs.threads }}
INPUT_OUTPUT: ${{ inputs.output }}
INPUT_SKIP_QUERIES: ${{ inputs.skip-queries }}
INPUT_ADD_SNIPPETS: ${{ inputs.add-snippets }}
Reference in New Issue View Git Blame Copy Permalink