@codfish/actions 2.0.1 → 3.3.1

package/SECURITY.md

@@ -1,208 +0,0 @@
-# Security Policy
-
-<!-- prettier-ignore-start -->
-<!-- START doctoc generated TOC please keep comment here to allow auto update -->
-<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
-## Table of Contents
-
-- [Supported Versions](#supported-versions)
-- [Reporting a Vulnerability](#reporting-a-vulnerability)
-  - [🔒 Private Disclosure](#-private-disclosure)
-  - [📋 What to Include](#-what-to-include)
-  - [🕐 Response Timeline](#-response-timeline)
-- [Security Best Practices for Users](#security-best-practices-for-users)
-  - [🔐 Secrets Management](#-secrets-management)
-  - [🏷️ Action Versioning](#-action-versioning)
-  - [🔍 Workflow Permissions](#-workflow-permissions)
-  - [🛡️ Input Validation](#-input-validation)
-- [Security Features](#security-features)
-  - [🔒 Automated Security Scanning](#-automated-security-scanning)
-  - [🛡️ Secure Development Practices](#-secure-development-practices)
-  - [🔍 Supply Chain Security](#-supply-chain-security)
-- [Known Security Considerations](#known-security-considerations)
-  - [GitHub Actions Environment](#github-actions-environment)
-  - [npm Publishing (npm-pr-version)](#npm-publishing-npm-pr-version)
-  - [Comment Actions](#comment-actions)
-- [Incident Response](#incident-response)
-- [Security Contact](#security-contact)
-- [Acknowledgments](#acknowledgments)
-
-<!-- END doctoc generated TOC please keep comment here to allow auto update -->
-<!-- prettier-ignore-end -->
-
-## Supported Versions
-
-This project follows a rolling release model. We provide security updates for:
-
-| Version             | Supported           |
-| ------------------- | ------------------- |
-| main                | ✅ Always supported |
-| Latest release tags | ✅ Supported        |
-| Older releases      | ❌ Not supported    |
-
-## Reporting a Vulnerability
-
-If you discover a security issue, please follow these steps:
-
-### 🔒 Private Disclosure
-
-**Do NOT create a public issue for security vulnerabilities.**
-
-Instead, please report security issues privately using one of these methods:
-
-1. **GitHub Security Advisories** (preferred)
-   - Go to the [Security tab](https://github.com/codfish/actions/security/advisories)
-   - Click "Report a vulnerability"
-   - Fill out the form with details
-
-2. **Email**
-   - Send details to: [chris@codfish.dev](mailto:chris@codfish.dev)
-   - Include "SECURITY" in the subject line
-
-### 📋 What to Include
-
-When reporting a vulnerability, please include:
-
-- **Description** of the vulnerability
-- **Steps to reproduce** the issue
-- **Potential impact** of the vulnerability
-- **Suggested fix** (if you have one)
-- **Your contact information** for follow-up
-
-### 🕐 Response Timeline
-
-We aim to respond to security reports within:
-
-- **Initial response**: 24-48 hours
-- **Confirmation/triage**: 2-5 business days
-- **Resolution**: Varies based on complexity
-
-## Security Best Practices for Users
-
-When using these GitHub Actions in your workflows:
-
-### 🔐 Secrets Management
-
-- **Never log secrets** in workflows that use these actions
-- Use **GitHub Secrets** for sensitive information
-- **Limit secret scope** to only necessary workflows
-- **Rotate secrets** regularly
-
-```yaml
-# ✅ Good - Using secrets properly
-- uses: codfish/actions/npm-pr-version@v2
-  with:
-    npm-token: ${{ secrets.NPM_TOKEN }}
-    github-token: ${{ secrets.GITHUB_TOKEN }}
-
-# ❌ Bad - Exposing secrets
-- name: Debug
-  run: echo "Token: ${{ secrets.NPM_TOKEN }}"
-```
-
-### 🏷️ Action Versioning
-
-- **Pin to specific versions or commit hashes** for production workflows
-- **Avoid using `@main`** in production (use for testing only)
-
-```yaml
-# ✅ Good - Pinned version
-- uses: codfish/actions/setup-node-and-install@v2.2.3
-
-# ⚠️ Caution - Latest main (testing only)
-- uses: codfish/actions/setup-node-and-install@main
-```
-
-### 🔍 Workflow Permissions
-
-- **Use minimal permissions** required
-- **Specify explicit permissions** when possible
-- **Avoid using `write-all`** permissions
-
-```yaml
-# ✅ Good - Minimal permissions
-permissions:
-  contents: read
-  issues: write
-  pull-requests: write
-
-# ❌ Bad - Excessive permissions
-permissions: write-all
-```
-
-### 🛡️ Input Validation
-
-- **Validate user inputs** before using them in actions
-- **Sanitize outputs** when displaying them
-- **Be cautious with dynamic expressions**
-
-## Security Features
-
-This project implements several security measures:
-
-### 🔒 Automated Security Scanning
-
-- **Dependabot** for dependency updates
-- **CodeQL** for static analysis
-- **Dependency Review** for PR security checks
-- **Secret scanning** with TruffleHog
-- **npm audit** for vulnerability detection
-
-### 🛡️ Secure Development Practices
-
-- **Input validation** in all actions
-- **Error handling** without information disclosure
-- **No secret logging** in any action
-- **Least privilege** principle in action permissions
-
-### 🔍 Supply Chain Security
-
-- **Minimal dependencies** to reduce attack surface
-- **Regular dependency updates** via Dependabot
-- **Verified action references** in workflows
-
-## Known Security Considerations
-
-### GitHub Actions Environment
-
-- **Actions run in GitHub's infrastructure** - we cannot control the runner environment
-- **Secrets are available** to all steps in a job that has access
-- **Workflow logs are visible** to users with read access to the repository
-
-### npm Publishing (npm-pr-version)
-
-- **NPM tokens have broad permissions** - ensure tokens are scoped appropriately
-- **Published packages are public** by default - review package contents
-- **Version immutability** - published versions cannot be unpublished
-
-### Comment Actions
-
-- **GitHub tokens can comment** on behalf of the workflow user
-- **Comment content is public** - avoid including sensitive information
-- **Rate limiting applies** - excessive commenting may be throttled
-
-## Incident Response
-
-In case of a confirmed security vulnerability:
-
-1. **Assessment** - Evaluate severity and impact
-2. **Mitigation** - Develop and test fixes
-3. **Disclosure** - Coordinate with reporter on disclosure timeline
-4. **Release** - Deploy security fixes
-5. **Communication** - Notify users through appropriate channels
-
-## Security Contact
-
-- **Primary**: [security@codfish.dev](mailto:security@codfish.dev)
-- **GitHub**: [@codfish](https://github.com/codfish)
-
-## Acknowledgments
-
-We appreciate security researchers and users who responsibly disclose vulnerabilities. Contributors who report valid
-security issues will be acknowledged (with permission) in:
-
-- Security advisories
-- Release notes
-- This security policy
-
-Thank you for helping keep this project secure! 🔒

package/eslint.config.js

@@ -1,8 +0,0 @@
-import codfish from '@codfish/eslint-config';
-import { defineConfig } from 'eslint/config';
-
-export default defineConfig(codfish, {
-  rules: {
-    'no-console': 'off',
-  },
-});

package/tests/fixtures/.node-version

@@ -1 +0,0 @@
-20.10.0

package/tests/fixtures/.nvmrc

@@ -1 +0,0 @@
-18.20.0

package/tests/fixtures/lockfiles/package-lock.json

@@ -1,12 +0,0 @@
-{
-  "name": "test-package",
-  "version": "1.0.0",
-  "lockfileVersion": 3,
-  "requires": true,
-  "packages": {
-    "": {
-      "name": "test-package",
-      "version": "1.0.0"
-    }
-  }
-}

package/tests/fixtures/lockfiles/pnpm-lock.yaml

@@ -1,9 +0,0 @@
-lockfileVersion: '6.0'
-
-settings:
-  autoInstallPeers: true
-  excludeLinksFromLockfile: false
-
-dependencies: {}
-
-packages: {}

package/tests/fixtures/lockfiles/yarn.lock

@@ -1,7 +0,0 @@
-# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
-# yarn lockfile v1
-
-
-"test-package@1.0.0":
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/test-package/-/test-package-1.0.0.tgz"

package/tests/fixtures/package-json/minimal.json

@@ -1,4 +0,0 @@
-{
-  "name": "minimal-package",
-  "version": "0.1.0"
-}

package/tests/fixtures/package-json/scoped.json

@@ -1,6 +0,0 @@
-{
-  "name": "@test-org/scoped-package",
-  "version": "2.0.0",
-  "description": "Scoped package for testing",
-  "private": false
-}

package/tests/fixtures/package-json/valid.json

@@ -1,13 +0,0 @@
-{
-  "name": "test-package",
-  "version": "1.2.3",
-  "description": "Test package for action testing",
-  "main": "index.js",
-  "scripts": {
-    "build": "echo 'Building...'",
-    "test": "echo 'Testing...'"
-  },
-  "keywords": ["test"],
-  "author": "test",
-  "license": "MIT"
-}

package/tests/integration/comment/basic.bats

@@ -1,95 +0,0 @@
-#!/usr/bin/env bats
-
-load "../../scripts/test-helpers.sh"
-
-setup() {
-    setup_github_env
-    TEST_DIR=$(mktemp -d)
-    cd "$TEST_DIR"
-}
-
-teardown() {
-    cd /
-    cleanup_test_env "$TEST_DIR"
-}
-
-@test "comment: generates correct tag format" {
-    # Test tag generation logic from action
-    TAG_INPUT="test-tag"
-    MESSAGE_INPUT="Hello, World!"
-
-    bash -c "
-        tag=\"<!-- codfish/actions/comment $TAG_INPUT -->\"
-        echo \"Generated tag: \$tag\"
-        echo \"tag=\$tag\"
-    " > output.txt
-
-    assert_output_contains "tag=<!-- codfish/actions/comment test-tag -->" "$(cat output.txt)"
-}
-
-@test "comment: handles multi-line messages" {
-    # Test multi-line message handling
-    MESSAGE_INPUT="Line 1
-Line 2
-Line 3"
-
-    bash -c '
-        body=$(printf "$1")
-        echo "Processed message:"
-        echo "$body"
-    ' -- "$MESSAGE_INPUT" > output.txt
-
-    assert_output_contains "Line 1" "$(cat output.txt)"
-    assert_output_contains "Line 2" "$(cat output.txt)"
-    assert_output_contains "Line 3" "$(cat output.txt)"
-}
-
-@test "comment: handles markdown formatting" {
-    # Test markdown message
-    MESSAGE_INPUT="## Test Header
-
-- Item 1
-- Item 2
-
-**Bold text** and *italic text*"
-
-    bash -c '
-        body=$(printf "$1")
-        echo "Markdown message:"
-        echo "$body"
-    ' -- "$MESSAGE_INPUT" > output.txt
-
-    assert_output_contains "## Test Header" "$(cat output.txt)"
-    assert_output_contains "- Item 1" "$(cat output.txt)"
-    assert_output_contains "**Bold text**" "$(cat output.txt)"
-}
-
-@test "comment: combines message and tag correctly" {
-    # Test complete body generation
-    TAG_INPUT="build-status"
-    MESSAGE_INPUT="✅ Build successful!"
-
-    bash -c "
-        tag=\"<!-- codfish/actions/comment $TAG_INPUT -->\"
-        body=\$(printf '$MESSAGE_INPUT')
-        echo \"Complete body:\"
-        echo \"\$body\"
-        echo \"\$tag\"
-    " > output.txt
-
-    assert_output_contains "✅ Build successful!" "$(cat output.txt)"
-    assert_output_contains "<!-- codfish/actions/comment build-status -->" "$(cat output.txt)"
-}
-
-@test "comment: handles empty tag input" {
-    # Test with empty tag
-    TAG_INPUT=""
-    MESSAGE_INPUT="Message without tag"
-
-    bash -c "
-        tag=\"<!-- codfish/actions/comment $TAG_INPUT -->\"
-        echo \"Tag with empty input: \$tag\"
-    " > output.txt
-
-    assert_output_contains "<!-- codfish/actions/comment  -->" "$(cat output.txt)"
-}