mirror of
https://github.com/ivuorinen/actions.git
synced 2026-01-26 03:23:59 +00:00
Ismo Vuorinen
9aa16a8164
* feat: use our own actions in our workflows * fix: add missing inputs to validate-inputs, refactor node * chore: cr comment fixes * fix: update-validators formatting * chore: update validators, add tests, conventions * feat: validate severity with severity_enum * feat: add 10 generic validators to improve input validation coverage Add comprehensive validation system improvements across multiple phases: Phase 2A - Quick Wins: - Add multi_value_enum validator for 2-10 value enumerations - Add exit_code_list validator for Unix/Linux exit codes (0-255) - Refactor coverage_driver to use multi_value_enum Phase 2B - High-Value Validators: - Add key_value_list validator with shell injection prevention - Add path_list validator with path traversal and glob support Quick Wins - Additional Enums: - Add network_mode validator for Docker network modes - Add language_enum validator for language detection - Add framework_mode validator for PHP framework modes - Update boolean pattern to include 'push' Phase 2C - Specialized Validators: - Add json_format validator for JSON syntax validation - Add cache_config validator for Docker BuildKit cache configs Improvements: - All validators include comprehensive security checks - Pattern-based validation with clear error messages - 23 new test methods with edge case coverage - Update special case mappings for 20+ inputs - Fix build-args mapping test expectation Coverage impact: 22 actions now at 100% validation (88% → 92%) Test suite: 762 → 785 tests (+23 tests, all passing) * chore: regenerate rules.yml with improved validator coverage Regenerate validation rules for all actions with new validators: - compress-images: 86% → 100% (+1 input: ignore-paths) - docker-build: 63% → 100% (+4 inputs: cache configs, platform-build-args) - docker-publish: 73% → 100% (+1 input: build-args) - language-version-detect: 67% → 100% (+1 input: language) - php-tests: 89% (fixed framework→framework_mode mapping) - prettier-lint: 86% → 100% (+2 inputs: file-pattern, plugins) - security-scan: 86% (maintained coverage) Overall: 23 of 25 actions now at 100% validation coverage (92%) * fix: address PR #377 review comments - Add | None type annotations to 6 optional parameters (PEP 604) - Standardize injection pattern: remove @# from comma_separated_list validator (@ and # are not shell injection vectors, allows npm scoped packages) - Remove dead code: unused value expression in key_value_list validator - Update tests to reflect injection pattern changes
ivuorinen/actions/codeql-analysis
CodeQL Analysis
Description
Run CodeQL security analysis for a single language with configurable query suites
Inputs
| name | description | required | default |
|---|---|---|---|
language |
Language to analyze (javascript, python, actions, java, csharp, cpp, ruby, go, etc.) |
true |
"" |
queries |
Comma-separated list of additional queries to run |
false |
"" |
packs |
Comma-separated list of CodeQL query packs to run |
false |
"" |
config-file |
Path to CodeQL configuration file |
false |
"" |
config |
Configuration passed as a YAML string |
false |
"" |
build-mode |
The build mode for compiled languages (none, manual, autobuild) |
false |
"" |
source-root |
Path of the root source code directory |
false |
"" |
category |
Analysis category (default: /language:) |
false |
"" |
checkout-ref |
Git reference to checkout (default: current ref) |
false |
"" |
token |
GitHub token for API access |
false |
${{ github.token }} |
working-directory |
Working directory for the analysis |
false |
. |
upload-results |
Upload results to GitHub Security tab |
false |
true |
ram |
Amount of memory in MB that can be used by CodeQL |
false |
"" |
threads |
Number of threads that can be used by CodeQL |
false |
"" |
output |
Path to save SARIF results |
false |
../results |
skip-queries |
Build database but skip running queries |
false |
false |
Outputs
| name | description |
|---|---|
language-analyzed |
Language that was analyzed |
analysis-category |
Category used for the analysis |
sarif-file |
Path to generated SARIF file |
Runs
This action is a composite action.
Usage
- uses: ivuorinen/actions/codeql-analysis@main
with:
language:
# Language to analyze (javascript, python, actions, java, csharp, cpp, ruby, go, etc.)
#
# Required: true
# Default: ""
queries:
# Comma-separated list of additional queries to run
#
# Required: false
# Default: ""
packs:
# Comma-separated list of CodeQL query packs to run
#
# Required: false
# Default: ""
config-file:
# Path to CodeQL configuration file
#
# Required: false
# Default: ""
config:
# Configuration passed as a YAML string
#
# Required: false
# Default: ""
build-mode:
# The build mode for compiled languages (none, manual, autobuild)
#
# Required: false
# Default: ""
source-root:
# Path of the root source code directory
#
# Required: false
# Default: ""
category:
# Analysis category (default: /language:<language>)
#
# Required: false
# Default: ""
checkout-ref:
# Git reference to checkout (default: current ref)
#
# Required: false
# Default: ""
token:
# GitHub token for API access
#
# Required: false
# Default: ${{ github.token }}
working-directory:
# Working directory for the analysis
#
# Required: false
# Default: .
upload-results:
# Upload results to GitHub Security tab
#
# Required: false
# Default: true
ram:
# Amount of memory in MB that can be used by CodeQL
#
# Required: false
# Default: ""
threads:
# Number of threads that can be used by CodeQL
#
# Required: false
# Default: ""
output:
# Path to save SARIF results
#
# Required: false
# Default: ../results
skip-queries:
# Build database but skip running queries
#
# Required: false
# Default: false