feat: add comprehensive security scanning and EditorConfig integration

- Add govulncheck, Snyk, and Trivy vulnerability scanning - Create security workflow for automated scanning on push/PR/schedule - Add gitleaks for secrets detection and prevention - Implement EditorConfig linting with eclint and editorconfig-checker - Update Makefile with security and formatting targets - Create SECURITY.md with vulnerability reporting guidelines - Configure Dependabot for automated dependency updates - Fix all EditorConfig violations across codebase - Update Go version to 1.23.10 to address stdlib vulnerabilities - Add tests for internal/helpers package (80% coverage) - Remove deprecated functions and migrate to error-returning patterns - Fix YAML indentation in test fixtures to resolve test failures
2026-03-22 03:03:31 +00:00 · 2025-08-03 20:12:18 +03:00
parent e6c3e09a7f
commit ce02d36929
53 changed files with 2400 additions and 590 deletions
--- a/internal/validator.go
+++ b/internal/validator.go
@@ -2,6 +2,7 @@ package internal

 import (
 	"fmt"
+	"strings"
 )

 // ValidationResult holds the results of action.yml validation.
@@ -33,6 +34,23 @@ func ValidateActionYML(action *ActionYML) ValidationResult {
 			result.Suggestions,
 			"Add 'runs:' section with 'using: node20' or 'using: docker' and specify the main file",
 		)
+	} else {
+		// Validate the runs section content
+		if using, ok := action.Runs["using"].(string); ok {
+			if !isValidRuntime(using) {
+				result.MissingFields = append(result.MissingFields, "runs.using")
+				result.Suggestions = append(
+					result.Suggestions,
+					fmt.Sprintf("Invalid runtime '%s'. Valid runtimes: node12, node16, node20, docker, composite", using),
+				)
+			}
+		} else {
+			result.MissingFields = append(result.MissingFields, "runs.using")
+			result.Suggestions = append(
+				result.Suggestions,
+				"Missing 'using' field in runs section. Specify 'using: node20', 'using: docker', or 'using: composite'",
+			)
+		}
 	}

 	// Add warnings for optional but recommended fields
@@ -52,12 +70,24 @@ func ValidateActionYML(action *ActionYML) ValidationResult {
 		result.Suggestions = append(result.Suggestions, "Consider adding 'outputs:' if your action produces results")
 	}

-	// Validation feedback
-	if len(result.MissingFields) == 0 {
-		fmt.Println("Validation passed.")
-	} else {
-		fmt.Printf("Missing required fields: %v\n", result.MissingFields)
-	}
-
 	return result
 }
+
+// isValidRuntime checks if the given runtime is valid for GitHub Actions.
+func isValidRuntime(runtime string) bool {
+	validRuntimes := []string{
+		"node12",    // Legacy Node.js runtime (deprecated)
+		"node16",    // Legacy Node.js runtime (deprecated)
+		"node20",    // Current Node.js runtime
+		"docker",    // Docker container runtime
+		"composite", // Composite action runtime
+	}
+
+	runtime = strings.TrimSpace(strings.ToLower(runtime))
+	for _, valid := range validRuntimes {
+		if runtime == valid {
+			return true
+		}
+	}
+	return false
+}