mirror of https://github.com/ivuorinen/actions.git synced 2026-01-26 11:34:00 +00:00

Files

Ismo Vuorinen 9aa16a8164 feat: use our own actions in our workflows (#377 )

* feat: use our own actions in our workflows

* fix: add missing inputs to validate-inputs, refactor node

* chore: cr comment fixes

* fix: update-validators formatting

* chore: update validators, add tests, conventions

* feat: validate severity with severity_enum

* feat: add 10 generic validators to improve input validation coverage

Add comprehensive validation system improvements across multiple phases:

Phase 2A - Quick Wins:
- Add multi_value_enum validator for 2-10 value enumerations
- Add exit_code_list validator for Unix/Linux exit codes (0-255)
- Refactor coverage_driver to use multi_value_enum

Phase 2B - High-Value Validators:
- Add key_value_list validator with shell injection prevention
- Add path_list validator with path traversal and glob support

Quick Wins - Additional Enums:
- Add network_mode validator for Docker network modes
- Add language_enum validator for language detection
- Add framework_mode validator for PHP framework modes
- Update boolean pattern to include 'push'

Phase 2C - Specialized Validators:
- Add json_format validator for JSON syntax validation
- Add cache_config validator for Docker BuildKit cache configs

Improvements:
- All validators include comprehensive security checks
- Pattern-based validation with clear error messages
- 23 new test methods with edge case coverage
- Update special case mappings for 20+ inputs
- Fix build-args mapping test expectation

Coverage impact: 22 actions now at 100% validation (88% → 92%)
Test suite: 762 → 785 tests (+23 tests, all passing)

* chore: regenerate rules.yml with improved validator coverage

Regenerate validation rules for all actions with new validators:

- compress-images: 86% → 100% (+1 input: ignore-paths)
- docker-build: 63% → 100% (+4 inputs: cache configs, platform-build-args)
- docker-publish: 73% → 100% (+1 input: build-args)
- language-version-detect: 67% → 100% (+1 input: language)
- php-tests: 89% (fixed framework→framework_mode mapping)
- prettier-lint: 86% → 100% (+2 inputs: file-pattern, plugins)
- security-scan: 86% (maintained coverage)

Overall: 23 of 25 actions now at 100% validation coverage (92%)

* fix: address PR #377 review comments

- Add | None type annotations to 6 optional parameters (PEP 604)
- Standardize injection pattern: remove @# from comma_separated_list validator
  (@ and # are not shell injection vectors, allows npm scoped packages)
- Remove dead code: unused value expression in key_value_list validator
- Update tests to reflect injection pattern changes

2025-11-25 23:51:03 +02:00

13 KiB

Raw Permalink Blame History

ivuorinen/actions/validate-inputs

Validate Inputs

Description

Centralized Python-based input validation for GitHub Actions with PCRE regex support

Inputs

name	description	required	default
`action`	Action name to validate (alias for action-type)	`false`	`""`
`action-type`	Type of action to validate (e.g., csharp-publish, docker-build, eslint-lint)	`false`	`""`
`rules-file`	Path to validation rules file	`false`	`""`
`fail-on-error`	Whether to fail on validation errors	`false`	`true`
`token`	GitHub token for authentication	`false`	`""`
`namespace`	Namespace/username for validation	`false`	`""`
`email`	Email address for validation	`false`	`""`
`username`	Username for validation	`false`	`""`
`dotnet-version`	.NET version string	`false`	`""`
`terraform-version`	Terraform version string	`false`	`""`
`tflint-version`	TFLint version string	`false`	`""`
`node-version`	Node.js version string	`false`	`""`
`force-version`	Force version override	`false`	`""`
`default-version`	Default version fallback	`false`	`""`
`image-name`	Docker image name	`false`	`""`
`tag`	Docker image tag	`false`	`""`
`architectures`	Target architectures	`false`	`""`
`dockerfile`	Dockerfile path	`false`	`""`
`context`	Docker build context	`false`	`""`
`build-args`	Docker build arguments	`false`	`""`
`buildx-version`	Docker Buildx version	`false`	`""`
`max-retries`	Maximum retry attempts	`false`	`""`
`image-quality`	Image quality percentage	`false`	`""`
`png-quality`	PNG quality percentage	`false`	`""`
`parallel-builds`	Number of parallel builds	`false`	`""`
`days-before-stale`	Number of days before marking as stale	`false`	`""`
`days-before-close`	Number of days before closing stale items	`false`	`""`
`pre-commit-config`	Pre-commit configuration file path	`false`	`""`
`base-branch`	Base branch name	`false`	`""`
`dry-run`	Dry run mode	`false`	`""`
`is_fiximus`	Use Fiximus bot	`false`	`""`
`prefix`	Release tag prefix	`false`	`""`
`language`	Language to analyze (for CodeQL)	`false`	`""`
`queries`	CodeQL queries to run	`false`	`""`
`packs`	CodeQL query packs	`false`	`""`
`config-file`	CodeQL configuration file path	`false`	`""`
`config`	CodeQL configuration YAML string	`false`	`""`
`build-mode`	Build mode for compiled languages	`false`	`""`
`source-root`	Source code root directory	`false`	`""`
`category`	Analysis category	`false`	`""`
`checkout-ref`	Git reference to checkout	`false`	`""`
`working-directory`	Working directory for analysis	`false`	`""`
`upload-results`	Upload results to GitHub Security	`false`	`""`
`ram`	Memory in MB for CodeQL	`false`	`""`
`threads`	Number of threads for CodeQL	`false`	`""`
`output`	Output path for SARIF results	`false`	`""`
`skip-queries`	Skip running queries	`false`	`""`
`add-snippets`	Add code snippets to SARIF	`false`	`""`
`gitleaks-license`	Gitleaks license key	`false`	`""`
`gitleaks-config`	Gitleaks configuration file path	`false`	`""`
`trivy-severity`	Trivy severity levels to scan	`false`	`""`
`trivy-scanners`	Trivy scanner types to run	`false`	`""`
`trivy-timeout`	Trivy scan timeout	`false`	`""`
`actionlint-enabled`	Enable actionlint scanning	`false`	`""`

Outputs

name	description
`validation-status`	Overall validation status (success/failure)
`error-message`	Validation error message if failed
`validation-result`	Detailed validation result
`errors-found`	Number of validation errors found
`rules-applied`	Number of validation rules applied

Runs

This action is a composite action.

Usage

- uses: ivuorinen/actions/validate-inputs@main
  with:
    action:
    # Action name to validate (alias for action-type)
    #
    # Required: false
    # Default: ""

    action-type:
    # Type of action to validate (e.g., csharp-publish, docker-build, eslint-lint)
    #
    # Required: false
    # Default: ""

    rules-file:
    # Path to validation rules file
    #
    # Required: false
    # Default: ""

    fail-on-error:
    # Whether to fail on validation errors
    #
    # Required: false
    # Default: true

    token:
    # GitHub token for authentication
    #
    # Required: false
    # Default: ""

    namespace:
    # Namespace/username for validation
    #
    # Required: false
    # Default: ""

    email:
    # Email address for validation
    #
    # Required: false
    # Default: ""

    username:
    # Username for validation
    #
    # Required: false
    # Default: ""

    dotnet-version:
    # .NET version string
    #
    # Required: false
    # Default: ""

    terraform-version:
    # Terraform version string
    #
    # Required: false
    # Default: ""

    tflint-version:
    # TFLint version string
    #
    # Required: false
    # Default: ""

    node-version:
    # Node.js version string
    #
    # Required: false
    # Default: ""

    force-version:
    # Force version override
    #
    # Required: false
    # Default: ""

    default-version:
    # Default version fallback
    #
    # Required: false
    # Default: ""

    image-name:
    # Docker image name
    #
    # Required: false
    # Default: ""

    tag:
    # Docker image tag
    #
    # Required: false
    # Default: ""

    architectures:
    # Target architectures
    #
    # Required: false
    # Default: ""

    dockerfile:
    # Dockerfile path
    #
    # Required: false
    # Default: ""

    context:
    # Docker build context
    #
    # Required: false
    # Default: ""

    build-args:
    # Docker build arguments
    #
    # Required: false
    # Default: ""

    buildx-version:
    # Docker Buildx version
    #
    # Required: false
    # Default: ""

    max-retries:
    # Maximum retry attempts
    #
    # Required: false
    # Default: ""

    image-quality:
    # Image quality percentage
    #
    # Required: false
    # Default: ""

    png-quality:
    # PNG quality percentage
    #
    # Required: false
    # Default: ""

    parallel-builds:
    # Number of parallel builds
    #
    # Required: false
    # Default: ""

    days-before-stale:
    # Number of days before marking as stale
    #
    # Required: false
    # Default: ""

    days-before-close:
    # Number of days before closing stale items
    #
    # Required: false
    # Default: ""

    pre-commit-config:
    # Pre-commit configuration file path
    #
    # Required: false
    # Default: ""

    base-branch:
    # Base branch name
    #
    # Required: false
    # Default: ""

    dry-run:
    # Dry run mode
    #
    # Required: false
    # Default: ""

    is_fiximus:
    # Use Fiximus bot
    #
    # Required: false
    # Default: ""

    prefix:
    # Release tag prefix
    #
    # Required: false
    # Default: ""

    language:
    # Language to analyze (for CodeQL)
    #
    # Required: false
    # Default: ""

    queries:
    # CodeQL queries to run
    #
    # Required: false
    # Default: ""

    packs:
    # CodeQL query packs
    #
    # Required: false
    # Default: ""

    config-file:
    # CodeQL configuration file path
    #
    # Required: false
    # Default: ""

    config:
    # CodeQL configuration YAML string
    #
    # Required: false
    # Default: ""

    build-mode:
    # Build mode for compiled languages
    #
    # Required: false
    # Default: ""

    source-root:
    # Source code root directory
    #
    # Required: false
    # Default: ""

    category:
    # Analysis category
    #
    # Required: false
    # Default: ""

    checkout-ref:
    # Git reference to checkout
    #
    # Required: false
    # Default: ""

    working-directory:
    # Working directory for analysis
    #
    # Required: false
    # Default: ""

    upload-results:
    # Upload results to GitHub Security
    #
    # Required: false
    # Default: ""

    ram:
    # Memory in MB for CodeQL
    #
    # Required: false
    # Default: ""

    threads:
    # Number of threads for CodeQL
    #
    # Required: false
    # Default: ""

    output:
    # Output path for SARIF results
    #
    # Required: false
    # Default: ""

    skip-queries:
    # Skip running queries
    #
    # Required: false
    # Default: ""

    add-snippets:
    # Add code snippets to SARIF
    #
    # Required: false
    # Default: ""

    gitleaks-license:
    # Gitleaks license key
    #
    # Required: false
    # Default: ""

    gitleaks-config:
    # Gitleaks configuration file path
    #
    # Required: false
    # Default: ""

    trivy-severity:
    # Trivy severity levels to scan
    #
    # Required: false
    # Default: ""

    trivy-scanners:
    # Trivy scanner types to run
    #
    # Required: false
    # Default: ""

    trivy-timeout:
    # Trivy scan timeout
    #
    # Required: false
    # Default: ""

    actionlint-enabled:
    # Enable actionlint scanning
    #
    # Required: false
    # Default: ""

13 KiB Raw Permalink Blame History