Skip to content

Audit: make shared actions repo visible and consumption-ready#2

Open
gambe94 wants to merge 4 commits into
developfrom
audit/consumability-hardening
Open

Audit: make shared actions repo visible and consumption-ready#2
gambe94 wants to merge 4 commits into
developfrom
audit/consumability-hardening

Conversation

@gambe94

@gambe94 gambe94 commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

Why

Consumability audit of this repo as the org's shared uses: target: visibility, discoverability, caller-readiness, supply-chain safety, and versioning.

Already in good shape (no changes needed)

  • ✅ Repo is public → cross-repo uses: works without any org Actions "Access" setting
  • ✅ Description + topics set; MIT LICENSE, CONTRIBUTING, GETTING_STARTED, docs/
  • ✅ README lists every action/workflow with inputs/outputs/permissions; runnable callers in examples/
  • ✅ Least-privilege permissions: blocks; OIDC + JWT auth (no PATs); if: always() secret cleanup; dry-run: true defaults
  • ✅ actionlint already enforced in CI

Changes

  1. Canonical org name — every uses: path and doc referenced the renamed org gforceinnovation (now 404; only a repo redirect keeps it resolving). All references now use Gforce-Innovation-Kft, closing an org-name re-registration hijack vector. Reference snippets point at @v1.
  2. Supply-chain pinning — all third-party actions pinned to full commit SHAs with # vX.Y.Z comments (latest release within the currently-used major, so no behavior change); mixed checkout@v4/@v5 normalized; actionlint download pinned to v1.7.12; dependabot.yml added (github-actions + npm, weekly, grouped) to keep pins fresh.
  3. Release automation + versioning — new release.yml: pushing vX.Y.Z creates the GitHub Release and force-moves the floating major tag (v1). Strategy documented in README/GETTING_STARTED/CONTRIBUTING: pin @v1 (recommended), @v1.2.0, or a SHA — never @main in production.
  4. Injection hardening${{ inputs.* }} / step-output interpolations moved out of run: scripts into env: (salesforce-code-analyzer, test-simple, sf-jwt-login); fixed required: true inputs that carry defaults.
  5. Governance.github/CODEOWNERS (@gambe94) and SECURITY.md.

Verification

  • npm run all (format + lint + typecheck + bundle + test + dist:verify) ✅
  • actionlint 1.7.12 across .github/ — zero findings (fixed one pre-existing SC2086 in test-simple) ✅
  • Every pinned SHA resolved directly from its release tag via the GitHub API ✅

Manual follow-ups after merge

  1. Sync to main, then create the first release: git tag v1.0.0 && git push origin v1.0.0 (automation creates the Release + v1)
  2. Strongly consider re-registering the abandoned gforceinnovation org name as a placeholder
  3. Update caller repos to Gforce-Innovation-Kft/...@v1
  4. Optional: branch protection on main (require CI + code-owner review)

🤖 Generated with Claude Code

gambe94 and others added 4 commits July 6, 2026 22:26
… and docs

The org was renamed; the old gforceinnovation name 404s and only a repo
redirect keeps existing callers working. Referencing the canonical name
removes the risk of the abandoned name being re-registered and hijacking
action resolution. Reference snippets now point at @v1 instead of @main.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- Pin every third-party action to a full commit SHA with a # vX.Y.Z
  comment (latest release within the currently-used major, so behavior
  is unchanged); normalize mixed checkout/setup-node versions to v5
- Pin the actionlint download in CI to v1.7.12 instead of main
- Move ${{ inputs.* }} / step outputs out of run: scripts into env:
  (script-injection hardening) in salesforce-code-analyzer, test-simple
  and sf-jwt-login
- Fix required:true inputs that carry defaults (now required:false)
- Add dependabot.yml (github-actions + npm, weekly, grouped)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Pushing vX.Y.Z creates the GitHub Release and force-moves the floating
major tag (vX). Callers pin @v1 (moving major), @v1.2.0 (immutable) or
a commit SHA; @main is development-only.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant