@codfish/actions 1.1.0

package/.github/codeql-config.yml

@@ -0,0 +1,21 @@
+name: GitHub Actions Security Analysis
+
+disable-default-queries: false
+
+queries:
+  - uses: security-and-quality
+  - uses: security-experimental
+
+paths-ignore:
+  - tests/
+  - '**/*.test.js'
+  - '**/*.spec.js'
+  - '**/node_modules'
+  - '**/dist'
+  - '**/build'
+
+paths:
+  - '**/*.js'
+  - '**/*.yml'
+  - '**/*.yaml'
+  - '**/*.json'

package/.github/dependabot.yml

@@ -0,0 +1,35 @@
+version: 2
+updates:
+  # Enable version updates for pnpm dependencies
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+      time: '09:00'
+    open-pull-requests-limit: 3
+    reviewers:
+      - codfish
+    assignees:
+      - codfish
+    commit-message:
+      prefix: deps
+      include: scope
+    # Use pnpm for package management
+    versioning-strategy: increase
+
+  # Monitor GitHub Actions for updates
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+      time: '09:00'
+    open-pull-requests-limit: 3
+    reviewers:
+      - codfish
+    assignees:
+      - codfish
+    commit-message:
+      prefix: ci
+      include: scope

package/.github/workflows/claude-code-review.yml

@@ -0,0 +1,43 @@
+name: Claude Code Review
+
+on: pull_request_target
+
+jobs:
+  claude-review:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: read
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code Review
+        id: claude-review
+        uses: anthropics/claude-code-action@beta
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+
+          # Optional: Specify model (defaults to Claude Sonnet 4, uncomment for Claude Opus 4)
+          # model: "claude-opus-4-20250514"
+
+          allowed_tools:
+            'mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr
+            view:*)'
+
+          # Direct prompt for automated review (no @claude mention needed)
+          direct_prompt: |
+            Please review this pull request and provide feedback on:
+            - Code quality and best practices
+            - Potential bugs or issues
+            - Performance considerations
+            - Security concerns
+            - Test coverage
+
+            Be constructive and helpful in your feedback.

package/.github/workflows/claude.yml

@@ -0,0 +1,39 @@
+name: Claude Code
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+  issues:
+    types: [opened, assigned]
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  claude:
+    if: |
+      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      pull-requests: read
+      issues: read
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code
+        id: claude
+        uses: anthropics/claude-code-action@beta
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}

package/.github/workflows/release.yml

@@ -0,0 +1,48 @@
+name: Release
+
+on:
+  push:
+    branches:
+      - main
+      - alpha
+      - beta
+      - canary
+      - next
+      - next-major
+      - '[0-9]+.x'
+
+permissions:
+  issues: write
+  contents: write
+  pull-requests: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}
+      cancel-in-progress: false
+
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+
+      - uses: ./setup-node-and-install
+        with:
+          node-version: lts/*
+
+      - name: validate before release
+        run: |
+          pnpm install
+          pnpm lint
+          pnpm test
+        env:
+          CI: true
+
+      - name: semantic release
+        uses: docker://ghcr.io/codfish/semantic-release-action@sha256:5d5447090feb2f9252aac2825ef14e244ecf53528fbe87d585b459adb547b914
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

package/.github/workflows/security.yml

@@ -0,0 +1,103 @@
+name: Security
+
+on:
+  push:
+    branches: [main]
+  pull_request_target:
+    branches: [main]
+  schedule:
+    # Run weekly security scan on Sundays at 2 AM UTC
+    - cron: '0 2 * * 0'
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  codeql:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [javascript]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          config-file: ./.github/codeql-config.yml
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: '/language:${{matrix.language}}'
+
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request_target'
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: moderate
+          allow-licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-2-Clause-Views, BSD-3-Clause, ISC, AGPL-3.0
+
+  security-audit:
+    name: Security Audit
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Setup Node.js and install dependencies
+        uses: ./setup-node-and-install
+        with:
+          node-version: 'lts/*'
+
+      - name: Run pnpm audit
+        run: |
+          echo "Running security audit..."
+          pnpm audit --audit-level=moderate
+
+      - name: Check for known vulnerabilities
+        run: |
+          echo "Checking for high/critical vulnerabilities..."
+          count=$(pnpm audit --audit-level=high --json | jq '.metadata.vulnerabilities.high + .metadata.vulnerabilities.critical')
+          if [ "$count" -gt 0 ]; then
+            echo "❌ High or critical vulnerabilities found!"
+            pnpm audit --audit-level=high
+            exit 1
+          else
+            echo "✅ No high or critical vulnerabilities found"
+          fi
+
+  secret-scan:
+    name: Secret Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Run TruffleHog OSS
+        uses: trufflesecurity/trufflehog@v3.90.8
+        with:
+          extra_args: --debug --only-verified

package/.github/workflows/update-docs.yml

@@ -0,0 +1,38 @@
+name: Update Documentation
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - '*/action.yml'
+      - bin/generate-docs.js
+
+permissions:
+  contents: write
+
+jobs:
+  update-docs:
+    name: Auto-update documentation
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      # Dogfood our own setup-node-and-install action
+      - name: Setup Node.js and install dependencies
+        uses: ./setup-node-and-install
+        with:
+          node-version: 'lts/*'
+
+      - name: Generate updated documentation
+        run: pnpm docs:generate
+
+      - name: Commit and push changes if any
+        uses: stefanzweifel/git-auto-commit-action@v6
+        with:
+          commit_options: --no-verify --signoff
+          commit_message: 'docs: auto-update documentation with latest action metadata'
+          file_pattern: 'README.md */README.md'

package/.github/workflows/validate.yml

@@ -0,0 +1,210 @@
+name: Validate
+
+on:
+  push:
+    branches:
+      - main
+  pull_request_target:
+
+jobs:
+  test:
+    name: Test Actions
+    runs-on: ubuntu-latest
+
+    permissions:
+      pull-requests: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      # Dogfood our own setup-node-and-install action
+      - name: Setup Node.js and install dependencies
+        uses: ./setup-node-and-install
+        with:
+          node-version: 'lts/*'
+
+      - name: Lint commits
+        if: github.event_name == 'pull_request_target'
+        run:
+          npx commitlint --from ${{ github.event.pull_request.base.sha }} --to ${{ github.event.pull_request.head.sha }}
+          --verbose
+
+      - name: Lint code
+        run: pnpm lint
+
+      - name: Run tests
+        run: pnpm test
+
+      # Dogfood our own comment action on PRs
+      - name: Comment test results
+        if: github.event_name == 'pull_request_target'
+        uses: ./comment
+        with:
+          message: |
+            ## 🧪 Test Results
+
+            ✅ All tests passed successfully!
+
+            - Linting: ✅ Passed
+            - Unit tests: ✅ Passed
+            - Integration tests: ✅ Passed
+          tag: test-results
+          upsert: true
+
+  test-matrix:
+    name: Test on ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+        node-version: ['20', '24', 'lts/*']
+      fail-fast: false
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      # Test our setup-node-and-install action across different environments
+      - name: Setup Node.js and install dependencies
+        uses: ./setup-node-and-install
+        with:
+          node-version: ${{ matrix.node-version }}
+
+      - name: Verify Node.js version
+        run: node --version
+
+      - name: Run basic tests
+        run: pnpm test
+
+  integration-test:
+    name: Integration Test - Publish PR Package
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request_target'
+
+    permissions:
+      pull-requests: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Setup Node.js and install dependencies
+        uses: ./setup-node-and-install
+        with:
+          node-version: 'lts/*'
+
+      # Create a test package to publish
+      - name: Create test package
+        run: |
+          mkdir -p test-package
+          cd test-package
+          cat > package.json <<EOF
+          {
+            "name": "@codfish/actions-test-package",
+            "version": "1.0.0",
+            "description": "Test package for GitHub Actions validation",
+            "main": "index.js",
+            "private": false
+          }
+          EOF
+          echo "module.exports = { test: true };" > index.js
+
+      # Test our npm-pr-version action (but don't actually publish to avoid spam)
+      - name: Test PR version generation
+        working-directory: test-package
+        env:
+          # Don't actually publish by not providing npm-token
+          PR: ${{ github.event.number }}
+          SHA: ${{ github.event.pull_request.head.sha }}
+        run: |
+          # Test the version generation logic
+          version="0.0.0-PR-${PR}--$(echo ${SHA} | cut -c -7)"
+          echo "Generated version: $version"
+
+          # Test package.json update
+          npm version $version --no-git-tag-version
+
+          # Verify the version was set correctly
+          node -e "console.log('Package version:', require('./package.json').version)"
+
+          # Set output for comment
+          echo "version=$version" >> $GITHUB_OUTPUT
+        id: version-test
+
+      # Dogfood our comment action to report results
+      - name: Report integration test results
+        uses: ./comment
+        with:
+          message: |
+            ## 🚀 Integration Test Results
+
+            **npm-pr-version action test:**
+            - ✅ Version generation: ${{ steps.version-test.outputs.version }}
+            - ✅ package.json update: Successful
+            - ✅ Format validation: Passed
+
+            The action is working correctly! 🎉
+          tag: integration-test-results
+          upsert: true
+
+  validate-action-metadata:
+    name: Validate Action Metadata
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Validate action.yml files
+        run: |
+          echo "Validating action.yml files..."
+
+          for action_dir in */; do
+            if [ -f "${action_dir}action.yml" ]; then
+              echo "✅ Found action.yml in $action_dir"
+
+              # Basic YAML validation
+              if ! python3 -c "import yaml; yaml.safe_load(open('${action_dir}action.yml'))" 2>/dev/null; then
+                echo "❌ Invalid YAML in ${action_dir}action.yml"
+                exit 1
+              fi
+
+              # Check for required fields
+              if ! grep -q "^name:" "${action_dir}action.yml"; then
+                echo "❌ Missing 'name' field in ${action_dir}action.yml"
+                exit 1
+              fi
+
+              if ! grep -q "^description:" "${action_dir}action.yml"; then
+                echo "❌ Missing 'description' field in ${action_dir}action.yml"
+                exit 1
+              fi
+
+              echo "✅ ${action_dir}action.yml is valid"
+            else
+              echo "⚠️  No action.yml found in $action_dir"
+            fi
+          done
+
+      - name: Validate README files
+        run: |
+          echo "Validating README files..."
+
+          for action_dir in */; do
+            if [ -f "${action_dir}README.md" ]; then
+              echo "✅ Found README.md in $action_dir"
+
+              # Check for basic sections
+              if ! grep -q "# " "${action_dir}README.md"; then
+                echo "❌ Missing main heading in ${action_dir}README.md"
+                exit 1
+              fi
+
+              echo "✅ ${action_dir}README.md looks good"
+            else
+              echo "⚠️  No README.md found in $action_dir"
+            fi
+          done

package/.husky/pre-commit

@@ -0,0 +1 @@
+npx lint-staged

package/.nvmrc

@@ -0,0 +1 @@
+24.8.0

package/AGENT.md

@@ -0,0 +1,129 @@
+# AGENT.md
+
+<!-- DOCTOC SKIP -->
+
+This file provides guidance to AI agents when working with code in this repository.
+
+## Project Overview
+
+This repository contains reusable GitHub Actions for use across multiple projects. Each action is self-contained in its
+own directory at the root level.
+
+## Package Manager
+
+This project uses **pnpm** as the package manager. All commands should use pnpm:
+
+- Install dependencies: `pnpm install`
+- Run tests: `pnpm test`
+- Run linting: `pnpm lint`
+- Format code: `pnpm format`
+- Generate documentation: `pnpm docs:generate`
+- Run specific test types: `pnpm test:integration`, `pnpm test:unit`
+
+## Code Quality Workflow
+
+**IMPORTANT**: Always run the appropriate command after making file changes:
+
+- **For JS/TS/TSX/JSX/YML/YAML files**: Run `pnpm fix` to apply ESLint fixes (CRITICAL for YAML files to prevent
+  formatting issues)
+- **For JSON/MD/CSS files**: Run `pnpm format` to apply Prettier formatting
+- **When in doubt**: Run both commands in sequence
+
+## Action Structure
+
+- Action names: lowercase kebab-case (e.g., `npm-publish-pr`)
+- Each action directory contains:
+  - `action.yml` - Action definition and metadata
+  - Implementation files (JavaScript/TypeScript as needed)
+  - `README.md` - Action-specific documentation
+
+## Development Guidelines
+
+- Actions should be standalone and reusable across different projects
+- Follow GitHub Actions best practices for inputs, outputs, and error handling
+- Use semantic action names that clearly describe their purpose
+- Each action should handle its own dependencies and setup requirements
+- All actions support multiple package managers (npm/yarn/pnpm) when applicable
+- Use comprehensive input validation with clear error messages
+- Include proper error handling and informative logging
+
+## Security Best Practices
+
+- **File Operations**: Use file descriptors (`fs.openSync()`, `fs.readSync()`, `fs.writeSync()`) instead of file names
+  (`fs.readFileSync()`, `fs.writeFileSync()`) to prevent TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities
+- **Resource Management**: Always close file descriptors in `finally` blocks to prevent resource leaks
+- **Atomic Operations**: Keep file descriptors open during entire read-modify-write operations to prevent race
+  conditions
+
+## Current Actions
+
+- `npm-pr-version` - Publishes packages with PR-specific version numbers using detected package manager (npm/yarn/pnpm)
+  for testing in downstream apps before merging
+- `comment` - Creates or updates pull request comments with intelligent upsert functionality using unique tags
+  - **IMPORTANT**: Any job using the comment action must include `permissions: pull-requests: write`
+- `setup-node-and-install` - Sets up Node.js environment and installs dependencies with automatic package manager
+  detection, intelligent caching, and .nvmrc/.node-version support
+
+## Testing
+
+The project includes comprehensive testing infrastructure:
+
+- **Integration tests**: Test full action workflows using bats
+- **Test fixtures**: Reusable test data for different scenarios
+- **CI/CD validation**: Dogfooding actions in GitHub workflows
+- **Multi-platform testing**: Ubuntu, Windows, macOS support
+
+Run tests with: `pnpm test`
+
+**Cross-Platform Notes:**
+
+- Test scripts use `bash` prefix for Windows compatibility
+- All npm scripts should work on Windows, macOS, and Linux
+- Bats tests require bash to be available (included in Git for Windows)
+
+## Documentation System
+
+### Automated Documentation Generation
+
+- Run `pnpm docs:generate` to update all documentation
+- The script automatically:
+  1. Updates main README.md with action overview using `<!-- start action docs -->` / `<!-- end action docs -->` markers
+  2. Updates individual action README files with inputs/outputs tables using `<!-- start inputs -->` /
+     `<!-- end inputs -->` and `<!-- start outputs -->` / `<!-- end outputs -->` markers
+  3. Runs prettier formatting on all updated documentation
+
+### Documentation Markers
+
+- **Main README.md**: Uses `<!-- start action docs -->` and `<!-- end action docs -->` for the Available Actions section
+- **Action README files**: Uses `<!-- start inputs -->` / `<!-- end inputs -->` for inputs tables and
+  `<!-- start outputs -->` / `<!-- end outputs -->` for outputs tables
+- **CRITICAL: NEVER EDIT AUTO-GENERATED CONTENT**: Never modify content between ANY HTML comment markers in README
+  files:
+  - `<!-- START doctoc generated TOC please keep comment here to allow auto update -->` and
+    `<!-- END doctoc generated TOC please keep comment here to allow auto update -->` (doctoc table of contents)
+  - `<!-- start action docs -->` and `<!-- end action docs -->` (main README action documentation)
+  - `<!-- start inputs -->` and `<!-- end inputs -->` (action inputs tables)
+  - `<!-- start outputs -->` and `<!-- end outputs -->` (action outputs tables)
+  - Any other `<!-- ... -->` comment markers - they indicate auto-generated content
+- All content outside these markers is manually maintained and can be edited
+- **Prettier Protection**: Doctoc blocks are wrapped in `<!-- prettier-ignore-start -->` and
+  `<!-- prettier-ignore-end -->` to prevent formatting
+
+### Workflow Automation
+
+- `.github/workflows/update-docs.yml` automatically runs on changes to `*/action.yml` or `bin/generate-docs.js`
+- Uses `stefanzweifel/git-auto-commit-action` to commit documentation changes
+- Handles both main README.md and all action README files
+- Automatically formats all documentation using prettier
+
+## Security
+
+The project implements multiple security measures:
+
+- **Dependabot**: Automated dependency updates
+- **CodeQL**: Static security analysis
+- **Secret scanning**: TruffleHog for committed secrets (uses default behavior without base/head commits for better
+  compatibility)
+- **Vulnerability auditing**: Regular pnpm audit checks
+- **Note**: Dependency review requires GitHub Advanced Security (available free on public repos, paid feature for
+  private repos)

package/CLAUDE.md

@@ -0,0 +1,3 @@
+See [AGENT.md](AGENT.md).
+
+Do not use this file to generate documentation. Use [AGENT.md](AGENT.md) instead.