ci-cost-diff-action 0.1.0

package/CHANGELOG.md

@@ -0,0 +1,92 @@
+# Changelog
+
+## 0.1.0
+
+- Initial implementation.
+- GitHub Action for current-vs-baseline workflow cost diff.
+- Dependency-free local CLI.
+- Markdown summary and optional PR comments.
+- Budget thresholds for total cost and cost increases.
+- Default GitHub-hosted runner rate table with custom overrides.
+- Official larger-runner workflow label inference for labels such as `ubuntu-24.04-16core`.
+- Exact larger-runner and self-hosted runner precedence over broad class overrides.
+- At-least-one-minute rounding for valid completed jobs with second-resolution timestamps.
+- Skips malformed or negative job intervals instead of counting them as zero-cost jobs.
+- Non-negative budget threshold validation with floating-point-safe comparisons.
+- Rerun-aware job fetching with `filter=all`.
+- Scoped update-mode PR comments per workflow/job.
+- Collision-resistant scoped PR comment markers with raw-scope hash suffixes.
+- Post-create duplicate cleanup for concurrent update-mode PR comments.
+- Baseline, job, and issue-comment pagination continue past old fixed page caps.
+- Malformed successful GitHub API list responses now fail closed, with a high pagination safety guard for malformed endless full pages.
+- Generic OS-plus-architecture labels, including `linux` plus `arm`, are treated as unknown to avoid charging self-hosted runners created without default labels.
+- Broad class rate overrides retain ambiguous-runner warnings for larger/custom-looking labels.
+- Non-finite analyzed costs are rejected instead of bypassing USD thresholds.
+- Update-mode PR comments require authenticated token ownership before updating or deleting existing marker comments.
+- Baseline pagination now uses the same high-page safety guard as jobs and comments.
+- Workflow job pagination no longer trusts `total_count` as an early stop signal; it waits for GitHub's final page.
+- Broad runner names/groups such as `linux` no longer receive GitHub-hosted defaults without explicit overrides.
+- Report fields are truncated defensively to keep comments and step summaries bounded.
+- Verification now checks package dry-run contents and the exact action metadata entrypoint.
+- Matrix-aware comment scoping when `current-job-id` identifies the reporting job.
+- Symmetric reporting-job exclusion for in-progress `include-current-job` and `run-id` override cases.
+- Markdown table escaping for PR-controlled job and runner fields.
+- Best-effort PR comments for fork pull requests, with custom-token opt-in.
+- GitHub Enterprise Server API URL support through `GITHUB_API_URL`.
+- Ambiguous runner-rate warnings for custom-looking labels.
+- Generic OS-plus-GPU labels are treated as unknown unless a known GPU SKU label or explicit override is provided.
+- Percentage budget gates fail closed for non-finite derived percentage values and reject non-finite threshold inputs.
+- Baseline lookup respects GitHub's 1,000-result cap for filtered workflow-run searches.
+- Retry handling supports HTTP-date `Retry-After` headers and honors server-provided retry waits above the fallback retry cap.
+- GitHub API path parameters are encoded or numerically validated before request paths are built.
+- GitHub API list responses now reject malformed array items, not just missing arrays.
+- Current-run baseline self-exclusion can fall back to `GITHUB_JOB` when the current jobs API has not exposed the reporting job yet.
+- CLI boolean flags accept explicit inline `true` or `false` values.
+- Action metadata verification validates `runs.using`, `runs.main`, and input/output names.
+- Current official standard labels such as `windows-2025-vs2026`, `macos-15-intel`, `macos-26-intel`, `macos-26`, and `ubuntu-22.04-arm` are recognized.
+- Split standard labels plus architecture labels such as `ubuntu-latest` plus `arm64` are treated as unknown instead of silently using x64 standard pricing.
+- Negated modifier labels such as `not-gpu` no longer trigger ambiguous-runner warnings.
+- Verification now runs the `npm test` script and package checks reject unexpected tarball files.
+- `SECURITY.md` is included in the npm package.
+- Broad class overrides no longer price generic OS-plus-architecture/GPU labels such as `linux` plus `arm` or `linux` plus `gpu`.
+- Bare generic OS labels and combined non-official ARM aliases such as `linux-arm`, `ubuntu-arm`, or `windows-arm` are treated as unknown unless an exact override or known billing SKU is supplied.
+- Combined OS/GPU labels such as `linux-gpu`, `gpu-linux`, and `ubuntu-gpu`, and non-official Ubuntu-looking labels such as `ubuntu-cache`, are treated as unknown unless an exact override or known billing SKU is supplied.
+- macOS larger-runner default inference is limited to official workflow labels such as `macos-15-large` and `macos-26-xlarge`.
+- Update-mode PR comments create a replacement when a listed marker comment disappears before update.
+- `include-current-job` self-exclusion can fall back to `GITHUB_JOB` when the current jobs API has not exposed the reporting job yet.
+- Release and security docs now include versioning, publish, and private-disclosure fallback guidance.
+- CLI value parsing and package dry-run validation handle malformed edge cases more defensively.
+- CLI inline options with empty values now fail instead of silently disabling budget or runner-rate gates.
+- Empty job names no longer bypass invalid-interval or explicit-name exclusions.
+- CLI jobs-file validation now reports top-level `null` cleanly and help output lists `--help`.
+- Exact standard billing SKU overrides such as `actions-linux` now beat broad class overrides.
+- Current workflow-run API responses now fail closed when required run identifiers are missing.
+- Update-mode PR comments ignore malformed marker comments without numeric IDs and delete stale duplicates even while the newly created comment is not yet visible.
+- CLI whitespace-only numeric threshold values now fail instead of becoming zero.
+- Verification now asserts the published `ci-cost-diff` command maps to `bin/ci-cost-diff.js`.
+- Exact Linux slim SKU/alias labels such as `actions-linux-slim` and `linux-slim` now price as `actions_linux_slim` without ambiguous-runner warnings.
+- Reporting-job self-exclusion now removes previous same-name attempts from current-run analysis when `current-job-id` is provided and `job-filter: all` includes reruns.
+- Baseline workflow-run list items missing required IDs now fail closed before baseline job fetching.
+- GitHub API server retry delays are capped to avoid very long action sleeps.
+- CLI rates files must be non-empty JSON objects.
+- Verification now checks package-lock root metadata, exact package bin commands, CLI shebangs, and release workflow trusted-publishing guardrails.
+- Added a trusted npm publishing release workflow using current major GitHub action tags (`actions/checkout@v6`, `actions/setup-node@v6`) and `npm publish --provenance`.
+- Split standard labels plus GPU labels such as `ubuntu-latest` plus `gpu` are treated as unknown unless an exact GPU billing SKU or override is provided.
+- Official workflow labels are recognized when they appear as exact runner names or runner group names.
+- Secondary GitHub API rate-limit `403` responses are retried when the response body identifies a secondary limit.
+- Workflow job API items missing required IDs now fail closed.
+- Release publishing now validates that the release tag matches `package.json` before `npm publish --provenance`.
+- Fabricated actions-prefixed hosted-looking labels such as `actions-ubuntu-arm` are treated as unknown unless they are exact known billing SKU labels.
+- Update-mode PR comments now avoid creating another same-scope GitHub Actions comment when token identity cannot be resolved.
+- Manual release dispatch now checks out `refs/tags/<tag>` and requires the exact `v<package.version>` tag.
+- Documentation now clarifies older-baseline selection, bounded server retry waits, and empty `delta-percent` output for zero-cost baselines.
+- Current workflow-run API responses now fail closed when they lack usable baseline-ordering metadata.
+- Update-mode PR comments now avoid creating another same-scope GitHub App comment when token identity cannot be resolved.
+- Action metadata now documents runner group overrides and current-run-only runner-rate gates more precisely.
+- SKU overrides now apply when official workflow labels are exposed through runner names or runner groups.
+- Baseline workflow-run list items now fail closed when required conclusion or ordering metadata is missing.
+- Trusted publishing now validates the tag before dependency installation, disables release dependency caching, and uses `--ignore-scripts` for npm install, verify, and publish commands.
+- CLI value options now reject following `--...` tokens as missing values instead of treating unknown options as filenames.
+- Arbitrary `actions-linux-*`, `actions-windows-*`, or `actions-macos-*` custom labels no longer collide with non-`actions-*` custom override keys.
+- Ambiguous runner-rate warnings now distinguish broad class overrides from default-rate fallbacks.
+- Reports now have a final length cap in addition to field and row limits.

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 CI Cost Diff contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,200 @@
+# CI Cost Diff Action
+
+Estimate the cost of a GitHub Actions workflow run, compare it with the nearest older successful run on the base branch, and publish a pull request report.
+
+CI Cost Diff is designed for teams that want a lightweight budget guard directly inside code review. It uses rounded job minutes, GitHub-hosted runner list prices, and optional runner-rate overrides for larger or custom runners.
+
+## Features
+
+- Pull request summary with current cost, baseline cost, and delta.
+- Largest per-job cost delta table to show the biggest changes.
+- Budget gates for total cost, absolute increase, and percentage increase.
+- No runtime npm dependencies.
+- Works as both a GitHub Action and local CLI.
+- Supports custom runner rates through JSON overrides.
+
+## Quick Start
+
+Add a reporting job after the CI jobs you want to measure:
+
+```yaml
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - run: npm ci
+      - run: npm test
+
+  cost:
+    if: always()
+    needs: [test]
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      issues: write
+    steps:
+      - uses: HupBaHa/cost-diff@<release-tag>
+        with:
+          current-job-id: ${{ job.check_run_id }}
+          fail-on-increase-percent: 25
+          fail-on-increase-usd: 1.00
+```
+
+The action compares the current workflow run with the nearest older successful run of the same workflow on the pull request base branch.
+
+For pull requests from forks, GitHub gives the default `GITHUB_TOKEN` read-only permissions on `pull_request` workflows. In that case the action skips the PR comment and still writes the report to the step summary. If you intentionally pass a write-capable PAT or GitHub App token, set `allow-fork-pr-comments: true` to opt in. This guard applies to `pull_request` events only; `pull_request_target` uses the base repository token permissions, so use it only when you intentionally want write-token behavior and avoid checking out or running untrusted fork code before this action.
+
+Update-mode PR comments are scoped by workflow id and reporting job, so separate workflows or reporting jobs keep separate comments on the same pull request. The marker includes a short hash of the raw scope to avoid collisions after normalization.
+
+When `current-job-id` is supplied, update-mode comments use the matched GitHub job name in the scope. This keeps matrix copies such as `cost (ubuntu)` and `cost (macos)` from overwriting each other.
+
+If concurrent update-mode runs create same-scope comments, the action keeps the newest matching comment from the authenticated token user and deletes older duplicates during update and post-create cleanup passes. If the token identity cannot be resolved, the action will not update marker comments from another bot; when an existing GitHub App marker comment is present, it also avoids creating another same-scope comment.
+
+Report fields are truncated defensively, and the final report is capped, so unusually long job names, labels, runner names, branches, or links do not make pull request comments exceed GitHub limits.
+
+## Inputs
+
+| Input | Default | Description |
+| --- | --- | --- |
+| `github-token` | `${{ github.token }}` | Token for reading workflow runs/jobs and writing PR comments. |
+| `run-id` | current run | Workflow run id to analyze. |
+| `workflow-id` | current workflow | Workflow id or workflow file name for baseline lookup. |
+| `baseline-branch` | PR base branch, repository default branch, or current run branch | Branch used for baseline run lookup. |
+| `baseline-event` | empty | Optional event filter such as `push`. |
+| `lookback-runs` | `20` | Positive number of successful baseline runs to inspect, capped at GitHub's documented 1,000-result limit for filtered workflow-run searches. |
+| `job-filter` | `all` | GitHub jobs API filter. `all` includes old rerun attempts; `latest` uses only the latest attempt. Job pages are fetched until GitHub returns the final page. |
+| `exclude-jobs` | empty | Comma or newline separated job-name patterns. Supports `*`. |
+| `current-job-id` | empty | Check run id of the reporting job, used to exclude the action's own job from current and baseline runs. Pass `${{ job.check_run_id }}` from the workflow when available; it is matched through the jobs API `check_run_url`. |
+| `include-current-job` | `false` | Include the reporting job when it is already complete. In-progress jobs are skipped and their baseline counterpart is excluded to keep comparisons symmetric. |
+| `runner-rates` | `{}` | JSON object mapping runner labels/names/group names/SKUs to USD per minute. |
+| `fail-on-unknown-runner` | `false` | Fail if a current job has an unknown runner rate. |
+| `fail-on-ambiguous-runner-rate` | `false` | Fail if a current job uses an ambiguous standard-rate fallback. |
+| `fail-on-increase-percent` | empty | Fail if cost increase exceeds this non-negative percentage. |
+| `fail-on-increase-usd` | empty | Fail if cost increase exceeds this non-negative USD value. |
+| `fail-on-total-usd` | empty | Fail if current total cost exceeds this non-negative USD value. |
+| `comment-mode` | `update` | `off`, `update`, or `always`. |
+| `allow-fork-pr-comments` | `false` | Allow PR comments on fork `pull_request` events when `github-token` is a write-capable custom token; does not change `pull_request_target` behavior. |
+
+## Outputs
+
+| Output | Description |
+| --- | --- |
+| `current-cost` | Estimated current run cost in USD. |
+| `baseline-cost` | Estimated baseline run cost in USD. |
+| `delta-cost` | Current cost minus baseline cost in USD. |
+| `delta-percent` | Current cost delta as percentage of baseline cost, or an empty string when baseline cost is zero. |
+| `current-minutes` | Rounded billable minutes in the current run. |
+| `baseline-minutes` | Rounded billable minutes in the baseline run. |
+| `conclusion` | `pass` or `fail`. |
+
+## Custom Runner Rates
+
+Known GitHub billing SKU labels, official standard workflow labels such as `ubuntu-slim`, `macos-26`, and `windows-2025-vs2026`, and official larger-runner workflow labels such as `ubuntu-24.04-16core`, `windows-2022-16core`, `macos-15-large`, and `macos-26-xlarge` are priced by default. GitHub larger runners often use custom labels, so add `runner-rates` when your larger runners or private runner names do not expose a known SKU:
+
+```yaml
+- uses: HupBaHa/cost-diff@<release-tag>
+  with:
+    runner-rates: |
+      {
+        "ubuntu-8-core": 0.022,
+        "windows-16-core": 0.082,
+        "gpu-linux": 0.052
+      }
+```
+
+Replace `<release-tag>` with a published tag, for example `v1` after the v1 release is created.
+
+Keys are matched against runner labels, runner names, runner group names, and known GitHub billing SKUs after normalization. Exact runner labels, names, groups, and known billing SKUs take precedence over class keys. Class keys such as `linux`, `windows`, and `macos` apply only to jobs inferred to that standard runner SKU; they do not price self-hosted jobs, generic OS-plus-architecture labels, or exact larger-runner labels.
+
+Generic labels such as bare `linux`, `windows`, or `macos`, `linux` plus `arm`, `linux` plus `x64`, `linux` plus `gpu`, `windows` plus `gpu`, or combined labels such as `linux-gpu`, `gpu-linux`, or `ubuntu-gpu` are not priced as GitHub-hosted runners by default because self-hosted runners can use custom labels and can omit GitHub's default `self-hosted` label. Combined non-official ARM aliases such as `linux-arm`, `ubuntu-arm`, `windows-arm`, or actions-prefixed hosted-looking aliases such as `actions-ubuntu-arm` are also treated as unknown. Non-official Ubuntu-looking labels without a custom/larger-runner signal, such as `ubuntu-cache`, are treated as unknown rather than silently using a standard Linux hosted rate. Split standard labels plus architecture or GPU labels, such as `ubuntu-latest` plus `arm64` or `ubuntu-latest` plus `gpu`, are also treated as unknown; use an official hosted ARM label such as `ubuntu-24.04-arm` or `ubuntu-22.04-arm`, a known GPU billing SKU such as `linux-4-core-gpu`, or provide a `runner-rates` override.
+
+Unknown and ambiguous runner-rate warnings include both current and baseline jobs so underpriced baselines are visible in the report.
+
+If labels look custom or larger-runner-like but map to a standard GitHub-hosted default or broad class override, the report shows an "Ambiguous Runner Rates" warning. For example, generic split labels such as `linux` plus `8-core` are treated as ambiguous unless you provide a specific override or use a known larger-runner label. Use `fail-on-ambiguous-runner-rate: true` when you want those cases to block the PR.
+
+Note: `job.check_run_id` is not available on GitHub Enterprise Server. In GHES workflows, or when you do not pass `current-job-id`, use `exclude-jobs` when the reporting job has a custom display name.
+
+## Local CLI
+
+You can compare saved GitHub jobs JSON locally from the repository checkout:
+
+```bash
+node ./bin/ci-cost-diff.js \
+  --current examples/current-jobs.json \
+  --baseline examples/baseline-jobs.json \
+  --exclude "docs*,lint" \
+  --fail-on-increase-percent 25
+```
+
+The CLI also supports `--fail-on-unknown-runner` and `--fail-on-ambiguous-runner-rate` for parity with the action's runner-rate gates.
+
+After installing the package, run the CLI as `ci-cost-diff`:
+
+```bash
+ci-cost-diff \
+  --current current-jobs.json \
+  --baseline baseline-jobs.json \
+  --fail-on-unknown-runner=false
+```
+
+You can also run it without installing globally:
+
+```bash
+npx ci-cost-diff-action \
+  --current current-jobs.json \
+  --baseline baseline-jobs.json
+```
+
+Boolean flags accept either the bare flag form, such as `--fail-on-unknown-runner`, or an explicit inline value, such as `--fail-on-unknown-runner=false`. Empty inline values such as `--fail-on-unknown-runner=` are rejected.
+
+Use `--rates runner-rates.json` to apply the same JSON object format as the action's `runner-rates` input. The file must contain a JSON object; empty files are rejected so a truncated rates file does not silently disable custom pricing.
+
+Each JSON file can be either:
+
+```json
+{ "jobs": [] }
+```
+
+or a raw jobs array:
+
+```json
+[]
+```
+
+## Cost Model
+
+The action estimates compute cost only. It does not query account billing, included minutes, private contracts, cache/storage billing, or public-repository free usage. By default it asks the GitHub jobs API for `filter=all`, so rerun attempts are included in the estimate. Percentage gates fail on any nonzero current cost when the baseline cost is zero. See [docs/RATE_MODEL.md](docs/RATE_MODEL.md) for details.
+
+## Development
+
+This project intentionally has no runtime dependencies.
+
+Use Node `20.9.0` or newer for local verification. The runtime source remains compatible with Node `>=20`, but the locked ESLint dev tooling requires Node `20.9.0+` on the Node 20 line.
+
+```bash
+npm ci
+npm run lint
+npm run verify
+```
+
+Optional local pre-commit hook:
+
+```bash
+git config core.hooksPath .githooks
+```
+
+## License
+
+MIT

package/SECURITY.md

@@ -0,0 +1,25 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please report security issues privately by opening a GitHub security advisory in the repository.
+
+If private vulnerability reporting is unavailable to you, contact the maintainer through the private contact listed on the maintainer's GitHub or npm profile. If no private contact is available, open a public issue asking for a private disclosure channel, but do not include vulnerability details in the public issue.
+
+Do not disclose vulnerabilities publicly until a fix is available.
+
+## Scope
+
+Security-sensitive areas include:
+
+- GitHub token handling.
+- Pull request comment writing.
+- Runner-rate parsing.
+- Markdown generation from job names and runner labels.
+- GitHub API request handling.
+
+Pull request comments are best-effort because fork pull request workflows often receive read-only tokens. The step summary remains the source of truth when commenting is not allowed.
+
+## Runtime Dependencies
+
+The action has no runtime npm dependencies by design.

package/action.yml

@@ -0,0 +1,100 @@
+name: CI Cost Diff
+description: Estimate GitHub Actions cost for a workflow run and report deltas against the base branch.
+author: CI Cost Diff contributors
+branding:
+  icon: dollar-sign
+  color: green
+
+inputs:
+  github-token:
+    description: GitHub token used to read workflow runs/jobs and write pull request comments.
+    required: false
+    default: ${{ github.token }}
+  run-id:
+    description: Workflow run id to analyze. Defaults to the current run.
+    required: false
+    default: ""
+  workflow-id:
+    description: Workflow id or workflow file name to use for baseline lookup. Defaults to the current run workflow id.
+    required: false
+    default: ""
+  baseline-branch:
+    description: Branch used for baseline run lookup. Defaults to PR base branch, repository default branch, then current run branch.
+    required: false
+    default: ""
+  baseline-event:
+    description: Optional workflow event filter for baseline lookup, for example push. Leave empty to allow any event.
+    required: false
+    default: ""
+  lookback-runs:
+    description: Positive number of successful baseline workflow runs to inspect, capped at GitHub's 1,000 filtered-run search limit.
+    required: false
+    default: "20"
+  job-filter:
+    description: "GitHub jobs API filter: all includes old rerun attempts, latest uses only the latest attempt."
+    required: false
+    default: "all"
+  exclude-jobs:
+    description: Comma or newline separated job-name patterns to exclude. Supports * wildcards.
+    required: false
+    default: ""
+  current-job-id:
+    description: Current job check run id. Pass ${{ job.check_run_id }} from the workflow when available.
+    required: false
+    default: ""
+  include-current-job:
+    description: Include the reporting job when it is already complete. In-progress jobs are skipped and their baseline counterpart is excluded.
+    required: false
+    default: "false"
+  runner-rates:
+    description: JSON object mapping runner labels, runner names, runner group names, or billing SKUs to USD per minute.
+    required: false
+    default: "{}"
+  fail-on-unknown-runner:
+    description: Fail when a current job has an unknown runner rate.
+    required: false
+    default: "false"
+  fail-on-ambiguous-runner-rate:
+    description: Fail when a current job uses an ambiguous standard-rate fallback.
+    required: false
+    default: "false"
+  fail-on-increase-percent:
+    description: Fail if total estimated cost increases by more than this non-negative percentage.
+    required: false
+    default: ""
+  fail-on-increase-usd:
+    description: Fail if total estimated cost increases by more than this non-negative USD amount.
+    required: false
+    default: ""
+  fail-on-total-usd:
+    description: Fail if current total estimated cost is above this non-negative USD amount.
+    required: false
+    default: ""
+  comment-mode:
+    description: "Pull request comment mode: off, update, or always."
+    required: false
+    default: "update"
+  allow-fork-pr-comments:
+    description: Allow PR comments on fork pull_request events when github-token is a write-capable custom token. Does not change pull_request_target behavior.
+    required: false
+    default: "false"
+
+outputs:
+  current-cost:
+    description: Estimated current run cost in USD.
+  baseline-cost:
+    description: Estimated baseline run cost in USD.
+  delta-cost:
+    description: Current cost minus baseline cost in USD.
+  delta-percent:
+    description: Current cost delta as a percentage of baseline cost, or empty when baseline cost is zero.
+  current-minutes:
+    description: Rounded billable minutes in the current run.
+  baseline-minutes:
+    description: Rounded billable minutes in the baseline run.
+  conclusion:
+    description: pass or fail.
+
+runs:
+  using: node24
+  main: src/action.js