@codfish/actions 0.0.0-PR-58--24ced07

package/README.md ADDED
@@ -0,0 +1,283 @@
1
+ # codfish/actions
2
+
3
+ A collection of reusable GitHub Actions for common development workflows. Each action is self-contained and designed for
4
+ maximum reusability across different projects.
5
+
6
+ <!-- eslint-disable -->
7
+ <!-- START doctoc generated TOC please keep comment here to allow auto update -->
8
+ <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
9
+ ## Table of Contents
10
+
11
+ - [Usage](#usage)
12
+ - [Available Actions](#available-actions)
13
+ - [comment](#comment)
14
+ - [npm-pr-version](#npm-pr-version)
15
+ - [setup-node-and-install](#setup-node-and-install)
16
+ - [Contributing](#contributing)
17
+ - [Example Workflow](#example-workflow)
18
+ - [Maintenance](#maintenance)
19
+ - [Test pull requests in downstream apps before merging](#test-pull-requests-in-downstream-apps-before-merging)
20
+
21
+ <!-- END doctoc generated TOC please keep comment here to allow auto update -->
22
+ <!-- eslint-enable -->
23
+
24
+ ## Usage
25
+
26
+ Reference actions using the following format:
27
+
28
+ ```yml
29
+ uses: codfish/actions/{action-name}@main
30
+ uses: codfish/actions/{action-name}@v3
31
+ uses: codfish/actions/{action-name}@v3.0.1
32
+ uses: codfish/actions/{action-name}@feature-branch
33
+ uses: codfish/actions/{action-name}@9f7cf1a3ff9f2838eff5ec9ac69b6ff277610bb2
34
+ ```
35
+
36
+ ## Available Actions
37
+
38
+ <!-- start action docs -->
39
+
40
+ ### [comment](./comment/)
41
+
42
+ Creates or updates a comment in a pull request with optional tagging for upsert functionality
43
+
44
+ **Inputs:**
45
+
46
+ | Input | Description | Required | Default |
47
+ | --------- | ------------------------------------------------------------------------------------- | -------- | ------- |
48
+ | `message` | The comment message content (supports markdown formatting) | Yes | - |
49
+ | `tag` | Unique identifier to find and update existing comments (required when upsert is true) | No | - |
50
+ | `upsert` | Update existing comment with matching tag instead of creating new comment | No | `false` |
51
+
52
+ **Usage:**
53
+
54
+ ```yml
55
+ - name: Comment on PR
56
+ uses: codfish/actions/comment@v3
57
+ with:
58
+ message: '✅ Build successful!'
59
+ tag: 'build-status'
60
+ upsert: true
61
+ ```
62
+
63
+ ### [npm-pr-version](./npm-publish-pr/)
64
+
65
+ Publishes package with PR-specific version (0.0.0-PR-123--abc1234) using detected package manager (npm/yarn/pnpm) or
66
+ OIDC trusted publishing, and automatically comments on PR
67
+
68
+ **Inputs:**
69
+
70
+ | Input | Description | Required | Default |
71
+ | ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ---------------- |
72
+ | `npm-token` | Registry authentication token with publish permissions. If not provided, OIDC trusted publishing will be used. | No | - |
73
+ | `tarball` | Path to pre-built tarball to publish (e.g., '\*.tgz'). When provided, publishes the tarball with --ignore-scripts for security. Recommended for pull_request_target workflows to prevent execution of malicious lifecycle scripts. | No | - |
74
+ | `comment` | Whether to comment on the PR with the published version (true/false) | No | `true` |
75
+ | `comment-tag` | Tag to use for PR comments (for comment identification and updates) | No | `npm-publish-pr` |
76
+
77
+ **Outputs:**
78
+
79
+ | Output | Description |
80
+ | --------------- | --------------------------------------------------------------------- |
81
+ | `version` | Generated PR-specific version number (0.0.0-PR-{number}--{short-sha}) |
82
+ | `package-name` | Package name from package.json |
83
+ | `error-message` | Error message if publish fails |
84
+
85
+ **Usage:**
86
+
87
+ ```yml
88
+ on: pull_request
89
+
90
+ jobs:
91
+ publish:
92
+ permissions:
93
+ id-token: write
94
+ pull-requests: write
95
+
96
+ steps:
97
+ - uses: actions/checkout@v6
98
+
99
+ - uses: codfish/actions/setup-node-and-install@v3
100
+ with:
101
+ node-version: lts/*
102
+
103
+ - run: npm run build
104
+
105
+ - uses: codfish/actions/npm-pr-version@v3
106
+ ```
107
+
108
+ ### [setup-node-and-install](./setup-node-and-install/)
109
+
110
+ Sets up Node.js environment and installs dependencies with automatic package manager detection (npm/pnpm/yarn),
111
+ intelligent caching, and version detection via input, .node-version, .nvmrc, or package.json volta.node
112
+
113
+ **Inputs:**
114
+
115
+ | Input | Description | Required | Default |
116
+ | ------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ------- |
117
+ | `node-version` | Node.js version to install (e.g. "24", "lts/\*"). Precedence: node-version input > .node-version > .nvmrc > package.json volta.node. | No | - |
118
+ | `install-options` | Extra command-line options to pass to npm/pnpm/yarn install. | No | - |
119
+ | `working-directory` | Directory containing package.json and lockfile. | No | `.` |
120
+ | `registry-url` | Optional registry URL to configure for publishing (e.g. "https://registry.npmjs.org/"). Creates .npmrc with NODE_AUTH_TOKEN placeholder. NOT recommended if using semantic-release (it handles auth independently). Only needed for publishing with manual npm publish or other non-semantic-release workflows. | No | - |
121
+ | `upgrade-npm` | Whether to upgrade npm to v11.5.1. This is required for OIDC trusted publishing but can be disabled if you want to shave off some run time and you are still using token-based authentication. | No | `true` |
122
+
123
+ **Outputs:**
124
+
125
+ | Output | Description |
126
+ | --------------- | -------------------------------------------------- |
127
+ | `node-version` | The installed node version. |
128
+ | `cache-hit` | Whether the dependency cache was hit (true/false). |
129
+ | `pnpm-dest` | Expanded path of pnpm dest. |
130
+ | `pnpm-bin-dest` | Location of pnpm and pnpx command. |
131
+
132
+ **Usage:**
133
+
134
+ ```yml
135
+ steps:
136
+ - uses: actions/checkout@v6
137
+
138
+ # Will setup node, inferring node version from your codebase & installing your dependencies
139
+ - uses: codfish/actions/setup-node-and-install@v3
140
+
141
+ # Or if you want to be explicit
142
+ - uses: codfish/actions/setup-node-and-install@v3
143
+ with:
144
+ node-version: 24.4
145
+
146
+ - run: npm test
147
+ ```
148
+
149
+ <!-- end action docs -->
150
+
151
+ ## Contributing
152
+
153
+ Each action follows these conventions:
154
+
155
+ - **Directory structure**: Actions are in kebab-case directories at the repository root
156
+ - **Required files**: `action.yml`, `README.md`
157
+ - **Composite actions**: All actions use `composite` type for simplicity and transparency
158
+ - **Documentation**: Each action includes comprehensive usage examples and input/output documentation
159
+
160
+ ## Example Workflow
161
+
162
+ Complete workflow using multiple actions together with secure OIDC trusted publishing:
163
+
164
+ ```yml
165
+ name: Validate
166
+
167
+ on: pull_request_target
168
+
169
+ jobs:
170
+ # Build and test with untrusted PR code (no secrets)
171
+ build-and-test:
172
+ runs-on: ubuntu-latest
173
+
174
+ permissions:
175
+ contents: read
176
+ pull-requests: write
177
+
178
+ steps:
179
+ - uses: actions/checkout@v6
180
+ with:
181
+ ref: ${{ github.event.pull_request.head.sha }}
182
+
183
+ - uses: codfish/actions/setup-node-and-install@v3
184
+
185
+ - name: Run tests
186
+ id: test
187
+ run: |
188
+ pnpm test 2>&1 | tee test-output.txt
189
+ if grep -q "All tests passed" test-output.txt; then
190
+ echo "status=✅ passed" >> $GITHUB_OUTPUT
191
+ else
192
+ echo "status=❌ failed" >> $GITHUB_OUTPUT
193
+ fi
194
+ echo "count=$(grep -c "✓\|√\|PASS" test-output.txt || echo "unknown")" >> $GITHUB_OUTPUT
195
+
196
+ - name: Build package
197
+ id: build
198
+ run: |
199
+ pnpm build
200
+
201
+ if [ -d "dist" ]; then
202
+ size=$(du -sh dist | cut -f1)
203
+ elif [ -d "build" ]; then
204
+ size=$(du -sh build | cut -f1)
205
+ else
206
+ size="unknown"
207
+ fi
208
+ echo "size=$size" >> $GITHUB_OUTPUT
209
+
210
+ - uses: codfish/actions/comment@v3
211
+ with:
212
+ message: |
213
+ ## 🚀 **Build Summary**
214
+
215
+ **Tests**: ${{ steps.test.outputs.status }} (${{ steps.test.outputs.count }} tests)
216
+ **Build**: ✅ completed successfully
217
+ **Size**: ${{ steps.build.outputs.size }}
218
+
219
+ Ready for testing! 🎉
220
+ tag: 'build-summary'
221
+ upsert: true
222
+
223
+ - name: Create package tarball
224
+ run: pnpm pack
225
+
226
+ - uses: actions/upload-artifact@v4
227
+ with:
228
+ name: package-tarball
229
+ path: '*.tgz'
230
+ retention-days: 1
231
+
232
+ # Publish with secrets using only trusted base branch code
233
+ publish:
234
+ needs: build-and-test
235
+
236
+ runs-on: ubuntu-latest
237
+
238
+ permissions:
239
+ contents: read
240
+ id-token: write
241
+ pull-requests: write
242
+
243
+ steps:
244
+ - uses: actions/checkout@v6
245
+ # No ref = uses base branch (trusted code only)
246
+
247
+ - uses: codfish/actions/setup-node-and-install@v3
248
+
249
+ - uses: actions/download-artifact@v4
250
+ with:
251
+ name: package-tarball
252
+
253
+ - uses: codfish/actions/npm-pr-version@v3
254
+ with:
255
+ tarball: '*.tgz' # Secure: uses --ignore-scripts
256
+ comment-tag: 'pr-package'
257
+ ```
258
+
259
+ ## Maintenance
260
+
261
+ > The release workflow automatically updates the major version tag (v3, v4, v5, etc.) to point to the latest release for
262
+ > that major version. This allows users binding to the major version tag to automatically receive the most recent stable
263
+ > minor/patch releases.
264
+
265
+ This happens automatically in the [release workflow](.github/workflows/release.yml) after each successful release.
266
+
267
+ If you need to update the major version tag manually:
268
+
269
+ ```sh
270
+ git tag -fa v5 -m "Update v5 tag" && git push origin v5 --force
271
+ ```
272
+
273
+ **Reference**: https://github.com/actions/toolkit/blob/main/docs/action-versioning.md#recommendations
274
+
275
+ ### Test pull requests in downstream apps before merging
276
+
277
+ Our validation workflow builds and publishes a multi-arch Docker image to GitHub Container Registry for every pull
278
+ request, tagging the image with the PR's branch name. You can point downstream repositories at this branch-tagged image
279
+ to try changes before merging.
280
+
281
+ ```yml
282
+ - uses: codfish/actions:<branch-name>
283
+ ```
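Review bot: In the Example Workflow (README lines 164-257), the `build-and-test` job is commented as "untrusted PR code (no secrets)", yet it runs under `on: pull_request_target`, checks out `github.event.pull_request.head.sha`, and executes install, `pnpm test` and `pnpm build` from that checkout while the job holds `pull-requests: write`. PR-controlled code therefore runs in a job with a write-scoped token, so the comment overstates the isolation. Suggest keeping checkout, install, test, build and `pnpm pack` in a job with only `contents: read` (and `persist-credentials: false` on the checkout), handing the status and size values on as job outputs or an artifact, and moving the `codfish/actions/comment@v3` step to a separate job that never checks out the PR head. The `publish` job should also state that the downloaded `*.tgz` was built by PR code: `--ignore-scripts` keeps lifecycle scripts from running on the publishing runner, but the published contents are still whatever the PR produced. Smaller points in the same file: the `npm-pr-version` heading links to `./npm-publish-pr/`, the manual retag example uses `v5` while every usage example pins `@v3`, and the final section describes a Docker image and `uses: codfish/actions:<branch-name>` although Contributing says all actions are `composite`.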