From 7cdd1add0ac889b7971a50633a8410b5b5d3df6a Mon Sep 17 00:00:00 2001 From: Gabor Demeter Date: Mon, 6 Jul 2026 22:26:04 +0200 Subject: [PATCH 1/4] Fix: reference canonical org Gforce-Innovation-Kft in all uses: paths and docs The org was renamed; the old gforceinnovation name 404s and only a repo redirect keeps existing callers working. Referencing the canonical name removes the risk of the abandoned name being re-registered and hijacking action resolution. Reference snippets now point at @v1 instead of @main. Co-Authored-By: Claude Fable 5 --- .../create-release-pr.integration.test.ts | 2 +- .../sync-branches.integration.test.ts | 2 +- CLAUDE.md | 6 +-- GETTING_STARTED.md | 41 ++++++++----------- README.md | 34 ++++++++++++--- ...laude-ai-assisted-shared-actions-prompt.md | 6 +-- examples/create-release-pr.yml | 2 +- examples/sync-branches.yml | 2 +- 8 files changed, 54 insertions(+), 41 deletions(-) diff --git a/.github/actions/create-release-pr/__integration__/create-release-pr.integration.test.ts b/.github/actions/create-release-pr/__integration__/create-release-pr.integration.test.ts index 3f505c5..c0a24f5 100644 --- a/.github/actions/create-release-pr/__integration__/create-release-pr.integration.test.ts +++ b/.github/actions/create-release-pr/__integration__/create-release-pr.integration.test.ts @@ -12,7 +12,7 @@ import { run } from '../src/index'; jest.mock('@actions/core'); -const REPO = { owner: 'gforceinnovation', repo: 'demo' }; +const REPO = { owner: 'Gforce-Innovation-Kft', repo: 'demo' }; const LOGGER = { debug() {}, info() {}, warning() {}, error() {} }; function stubInputs(overrides: Record = {}): void { diff --git a/.github/actions/sync-branches/__integration__/sync-branches.integration.test.ts b/.github/actions/sync-branches/__integration__/sync-branches.integration.test.ts index 987a59c..6da14f6 100644 --- a/.github/actions/sync-branches/__integration__/sync-branches.integration.test.ts +++ b/.github/actions/sync-branches/__integration__/sync-branches.integration.test.ts @@ -12,7 +12,7 @@ import { run } from '../src/index'; jest.mock('@actions/core'); -const REPO = { owner: 'gforceinnovation', repo: 'demo' }; +const REPO = { owner: 'Gforce-Innovation-Kft', repo: 'demo' }; const LOGGER = { debug() {}, info() {}, warning() {}, error() {} }; function stubInputs(overrides: Record = {}): void { diff --git a/CLAUDE.md b/CLAUDE.md index 6ea9efb..fbcfee6 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -4,15 +4,15 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co ## Repository Overview -Reusable GitHub Actions for `gforceinnovation`: **TypeScript actions** (a portable +Reusable GitHub Actions for `Gforce-Innovation-Kft`: **TypeScript actions** (a portable core plus thin adapters), **composite actions**, and **callable workflows** for Salesforce CI/CD pipelines. ## Reference Pattern From other repos, reference items using: -- Composite / TypeScript actions: `gforceinnovation/shared-github-actions/.github/actions/@main` -- Reusable workflows: `gforceinnovation/shared-github-actions/.github/workflows/.yml@main` +- Composite / TypeScript actions: `Gforce-Innovation-Kft/shared-github-actions/.github/actions/@v1` +- Reusable workflows: `Gforce-Innovation-Kft/shared-github-actions/.github/workflows/.yml@v1` ## TypeScript Actions (npm-workspaces monorepo) diff --git a/GETTING_STARTED.md b/GETTING_STARTED.md index 1273f27..0a4b785 100644 --- a/GETTING_STARTED.md +++ b/GETTING_STARTED.md @@ -31,7 +31,7 @@ on: jobs: analyze: - uses: /shared-github-action/.github/workflows/salesforce-code-analyzer.yml@main + uses: Gforce-Innovation-Kft/shared-github-actions/.github/workflows/salesforce-code-analyzer.yml@v1 permissions: pull-requests: write contents: read @@ -64,49 +64,40 @@ For private repositories: ## Versioning Strategy -### Using Main Branch (Latest) +### Using the Major Tag (Recommended) ```yaml -uses: /shared-github-action/.github/workflows/salesforce-code-analyzer.yml@main +uses: Gforce-Innovation-Kft/shared-github-actions/.github/workflows/salesforce-code-analyzer.yml@v1 ``` -**Pros:** Always get the latest features and fixes -**Cons:** Breaking changes may affect your workflows +**Pros:** Fixes and non-breaking features arrive automatically; breaking changes never do (they bump the major) +**Cons:** The tag moves — behavior can change between runs within the major -### Using Release Tags (Recommended) +### Using Exact Release Tags ```yaml -uses: /shared-github-action/.github/workflows/salesforce-code-analyzer.yml@v1.0.0 +uses: Gforce-Innovation-Kft/shared-github-actions/.github/workflows/salesforce-code-analyzer.yml@v1.0.0 ``` -**Pros:** Stable, predictable behavior -**Cons:** Need to manually update to get new features +**Pros:** Immutable, fully predictable behavior +**Cons:** Need to manually update to get fixes and new features -### Using Branch References +### Using `@main` -```yaml -uses: /shared-github-action/.github/workflows/salesforce-code-analyzer.yml@release/v1 -``` - -**Pros:** Get patch updates automatically -**Cons:** May include minor breaking changes +Development and testing only — unreleased changes land here and may break at +any time. Never use `@main` in production callers. ## Creating a Release -To create a versioned release: +Push a semver tag from `main`; the [release workflow](.github/workflows/release.yml) +creates the GitHub Release and force-moves the major tag (`v1`) automatically: ```bash -git tag -a v1.0.0 -m "Release version 1.0.0" +git checkout main && git pull +git tag v1.0.0 git push origin v1.0.0 ``` -For major version tracking, create a moving tag: - -```bash -git tag -a v1 -m "Version 1.x" -git push origin v1 --force -``` - ## Testing Your Reusable Workflows Before using a workflow in production: diff --git a/README.md b/README.md index 2e91d73..f2d22c1 100644 --- a/README.md +++ b/README.md @@ -1,15 +1,18 @@ # Shared GitHub Actions -Reusable GitHub Actions for `gforceinnovation`: **TypeScript actions** (a portable +Reusable GitHub Actions for `Gforce-Innovation-Kft`: **TypeScript actions** (a portable core + thin adapters), **composite actions**, and **callable workflows** for Salesforce CI/CD. Reference them from any repo in the org. ```text -TypeScript action: gforceinnovation/shared-github-actions/.github/actions/@main -Composite action: gforceinnovation/shared-github-actions/.github/actions/@main -Reusable workflow: gforceinnovation/shared-github-actions/.github/workflows/.yml@main +TypeScript action: Gforce-Innovation-Kft/shared-github-actions/.github/actions/@v1 +Composite action: Gforce-Innovation-Kft/shared-github-actions/.github/actions/@v1 +Reusable workflow: Gforce-Innovation-Kft/shared-github-actions/.github/workflows/.yml@v1 ``` +See [Versioning](#versioning) for how to pin (`@v1`, `@v1.2.0`, or a full +commit SHA — avoid `@main` in production callers). + ## TypeScript Actions Thin Node20 adapters over portable business logic in `packages/`. Each ships a @@ -53,6 +56,23 @@ title/body, labels, and reviewers. `actions: read`. - **`test-simple.yml`** — minimal echo workflow for verifying cross-repo calls. +## Versioning + +Releases follow semver, published as git tags with a floating major tag: + +| Pin | Example | Behavior | +|-----|---------|----------| +| Major tag | `@v1` | **Recommended.** Moves with every non-breaking release; you get fixes automatically. | +| Exact tag | `@v1.2.0` | Immutable; bump manually. | +| Commit SHA | `@93cb6ef…` | Strictest supply-chain pin; pair with Dependabot to stay current. | +| `@main` | — | Development only. Unreleased, may break at any time. | + +Pushing a `vX.Y.Z` tag triggers [`release.yml`](.github/workflows/release.yml), +which creates the GitHub Release and force-moves the `vX` major tag. Breaking +changes bump the major (callers on the old `@v1` are unaffected until they move +to `@v2`). The release procedure for maintainers is in +[CONTRIBUTING.md](CONTRIBUTING.md#release-process). + ## Repository Layout npm-workspaces monorepo: @@ -86,8 +106,10 @@ rebuilds and re-stages action bundles; CI's `dist:verify` fails on a stale bundl ## Conventions -- Reference actions/workflows by branch or tag (`@main`, `@v1`), never a moving - default in production. +- Reference actions/workflows by release tag (`@v1`, `@v1.2.0`) — see + [Versioning](#versioning); never `@main` in production. +- Third-party actions in this repo are pinned to full commit SHAs with a + `# vX.Y.Z` comment; Dependabot keeps them current. - Commit prefixes: `Add:`, `Fix:`, `Update:`, `Docs:`, `Test:`, `Refactor:`. - Composite actions use `using: "composite"` with `shell: bash`; always clean up secrets in an `if: always()` step. diff --git a/docs/claude-ai-assisted-shared-actions-prompt.md b/docs/claude-ai-assisted-shared-actions-prompt.md index ce9d8ab..c7afb26 100644 --- a/docs/claude-ai-assisted-shared-actions-prompt.md +++ b/docs/claude-ai-assisted-shared-actions-prompt.md @@ -71,7 +71,7 @@ If no dedicated GitHub Actions skill is available, continue with: ## Goal -Design and implement this repository as an AI-assisted shared GitHub Actions repository for `gforceinnovation`. +Design and implement this repository as an AI-assisted shared GitHub Actions repository for `Gforce-Innovation-Kft`. This repository must provide reusable GitHub Actions assets that other repositories can call: @@ -89,9 +89,9 @@ This repository is currently mostly documentation. Existing documentation references shared assets like this: - Reusable workflows: - `gforceinnovation/shared-github-actions/.github/workflows/.yml@main` + `Gforce-Innovation-Kft/shared-github-actions/.github/workflows/.yml@main` - Composite actions: - `gforceinnovation/shared-github-actions/.github/actions/@main` + `Gforce-Innovation-Kft/shared-github-actions/.github/actions/@main` Preserve this convention unless there is a strong reason to change it. diff --git a/examples/create-release-pr.yml b/examples/create-release-pr.yml index 0db85e3..71df876 100644 --- a/examples/create-release-pr.yml +++ b/examples/create-release-pr.yml @@ -26,7 +26,7 @@ jobs: steps: - name: Create or update the release PR id: release - uses: gforceinnovation/shared-github-actions/.github/actions/create-release-pr@main + uses: Gforce-Innovation-Kft/shared-github-actions/.github/actions/create-release-pr@v1 with: source-branch: develop target-branch: main diff --git a/examples/sync-branches.yml b/examples/sync-branches.yml index 194fd59..16a5503 100644 --- a/examples/sync-branches.yml +++ b/examples/sync-branches.yml @@ -21,7 +21,7 @@ jobs: steps: - name: Sync branches id: sync - uses: gforceinnovation/shared-github-actions/.github/actions/sync-branches@main + uses: Gforce-Innovation-Kft/shared-github-actions/.github/actions/sync-branches@v1 with: source-branch: develop target-branch: main From 5933bf2bc0bff13ba90d4d7322048d3f0f0b282b Mon Sep 17 00:00:00 2001 From: Gabor Demeter Date: Mon, 6 Jul 2026 22:26:04 +0200 Subject: [PATCH 2/4] Update: SHA-pin third-party actions, harden run blocks, add Dependabot - Pin every third-party action to a full commit SHA with a # vX.Y.Z comment (latest release within the currently-used major, so behavior is unchanged); normalize mixed checkout/setup-node versions to v5 - Pin the actionlint download in CI to v1.7.12 instead of main - Move ${{ inputs.* }} / step outputs out of run: scripts into env: (script-injection hardening) in salesforce-code-analyzer, test-simple and sf-jwt-login - Fix required:true inputs that carry defaults (now required:false) - Add dependabot.yml (github-actions + npm, weekly, grouped) Co-Authored-By: Claude Fable 5 --- .github/actions/get-aws-secret/action.yml | 6 +-- .github/actions/sf-jwt-login/action.yml | 26 +++++++--- .github/dependabot.yml | 27 +++++++++++ .github/workflows/ci.yml | 8 ++-- .../workflows/salesforce-code-analyzer.yml | 48 +++++++++++-------- .github/workflows/test-simple.yml | 6 ++- 6 files changed, 84 insertions(+), 37 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/actions/get-aws-secret/action.yml b/.github/actions/get-aws-secret/action.yml index 9e3fcd2..e986a99 100644 --- a/.github/actions/get-aws-secret/action.yml +++ b/.github/actions/get-aws-secret/action.yml @@ -14,7 +14,7 @@ author: "GForce Innovation" inputs: aws-region: description: "AWS region where the secret is stored" - required: true + required: false default: "eu-central-1" secret-name: description: "Name of the secret in AWS Secrets Manager" @@ -27,14 +27,14 @@ runs: using: "composite" steps: - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: role-to-assume: ${{ inputs.aws-role-arn }} aws-region: ${{ inputs.aws-region }} role-session-name: GitHubActions-${{ github.run_id }} - name: Retrieve Secret from AWS Secrets Manager - uses: aws-actions/aws-secretsmanager-get-secrets@v2 + uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 # v2.0.10 with: secret-ids: | ,${{ inputs.secret-name }} diff --git a/.github/actions/sf-jwt-login/action.yml b/.github/actions/sf-jwt-login/action.yml index 69727b4..dcbb4bb 100644 --- a/.github/actions/sf-jwt-login/action.yml +++ b/.github/actions/sf-jwt-login/action.yml @@ -5,11 +5,11 @@ author: "GForce Innovation" inputs: aws-region: description: "AWS region where the secret is stored" - required: true + required: false default: "eu-central-1" secret-name: description: "Name of the secret in AWS Secrets Manager containing Salesforce credentials" - required: true + required: false default: "salesforce/gabor-devhub" aws-role-arn: description: "ARN of the AWS IAM role to assume (for OIDC authentication)" @@ -34,8 +34,11 @@ outputs: runs: using: "composite" steps: + # Own-repo ref: composite actions cannot use relative paths, so this + # resolves at runtime. Kept on @main — callers pinning sf-jwt-login to an + # old tag still get the current get-aws-secret (known version-skew caveat). - name: Get Salesforce credentials from AWS Secrets Manager - uses: gforceinnovation/shared-github-actions/.github/actions/get-aws-secret@main + uses: Gforce-Innovation-Kft/shared-github-actions/.github/actions/get-aws-secret@main with: aws-region: ${{ inputs.aws-region }} secret-name: ${{ inputs.secret-name }} @@ -63,20 +66,29 @@ runs: - name: Salesforce JWT Login shell: bash + env: + ORG_ALIAS: ${{ inputs.org-alias }} + SET_DEFAULT_DEV_HUB: ${{ inputs.set-default-dev-hub }} run: | + EXTRA_ARGS=() + if [ "$SET_DEFAULT_DEV_HUB" = "true" ]; then + EXTRA_ARGS+=(--set-default-dev-hub) + fi sf org login jwt \ --username "$USERNAME" \ --jwt-key-file jwt-key.txt \ --client-id "$CLIENT_ID" \ --instance-url "$INSTANCE_URL" \ - --alias ${{ inputs.org-alias }} \ - ${{ inputs.set-default-dev-hub == 'true' && '--set-default-dev-hub' || '' }} + --alias "$ORG_ALIAS" \ + "${EXTRA_ARGS[@]}" - name: Display org info id: display-org shell: bash + env: + ORG_ALIAS: ${{ inputs.org-alias }} run: | - sf org display --target-org ${{ inputs.org-alias }} --json > org-info.json + sf org display --target-org "$ORG_ALIAS" --json > org-info.json ORG_ID=$(jq -r '.result.id' org-info.json) USERNAME=$(jq -r '.result.username' org-info.json) @@ -87,7 +99,7 @@ runs: echo "✅ Successfully authenticated to Salesforce" echo " Org ID: $ORG_ID" echo " Username: $USERNAME" - echo " Alias: ${{ inputs.org-alias }}" + echo " Alias: $ORG_ALIAS" - name: Cleanup if: always() diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..021f03b --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,27 @@ +# Keeps SHA-pinned actions and npm dependencies up to date. +# Third-party actions are pinned to full commit SHAs (with a version comment); +# Dependabot updates both the SHA and the comment. +version: 2 +updates: + - package-ecosystem: "github-actions" + # "/" covers .github/workflows; composite action manifests need their + # directories listed explicitly. + directories: + - "/" + - "/.github/actions/get-aws-secret" + - "/.github/actions/sf-jwt-login" + schedule: + interval: "weekly" + groups: + actions: + patterns: + - "*" + + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + groups: + npm-dependencies: + patterns: + - "*" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fc6a31f..ad1bab6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,9 +13,9 @@ jobs: quality: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: 20 cache: npm @@ -45,12 +45,12 @@ jobs: # broken workflow/action manifest must fail CI rather than ship. - name: Lint workflows run: | - bash <(curl -s https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) + bash <(curl -s https://raw.githubusercontent.com/rhysd/actionlint/v1.7.12/scripts/download-actionlint.bash) 1.7.12 ./actionlint -color - name: Upload coverage if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: coverage path: | diff --git a/.github/workflows/salesforce-code-analyzer.yml b/.github/workflows/salesforce-code-analyzer.yml index 9179ea7..ba7b564 100644 --- a/.github/workflows/salesforce-code-analyzer.yml +++ b/.github/workflows/salesforce-code-analyzer.yml @@ -95,12 +95,14 @@ jobs: actions: read steps: - name: Check out files - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: Verify workspace + env: + WORKSPACE: ${{ inputs.workspace }} run: | echo "Current directory: $PWD" - echo "Workspace input: ${{ inputs.workspace }}" + echo "Workspace input: $WORKSPACE" ls -la if [ -f "sfdx-project.json" ]; then echo "✅ Found sfdx-project.json" @@ -111,18 +113,18 @@ jobs: # PREREQUISITES - name: Setup Node.js - uses: actions/setup-node@v5 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: ${{ inputs.node-version }} - name: Setup Java - uses: actions/setup-java@v5 + uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5.4.0 with: java-version: ${{ inputs.java-version }} distribution: "zulu" - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 with: python-version: ${{ inputs.python-version }} @@ -134,7 +136,7 @@ jobs: - name: Run Salesforce Code Analyzer id: run-code-analyzer - uses: forcedotcom/run-code-analyzer@v2 + uses: forcedotcom/run-code-analyzer@38a9be7f2dd5b18cf0f03e05f6f7a38b8f2662f6 # v2.12.0 with: run-arguments: --workspace ${{ inputs.workspace }} --view ${{ inputs.view }} --output-file ${{ inputs.output-file-html }} --output-file ${{ inputs.output-file-json }} results-artifact-name: ${{ inputs.results-artifact-name }} @@ -143,13 +145,15 @@ jobs: # Quality gate on ALL files in the repository - name: Check Violations (All Files) if: ${{ !inputs.fail-on-changed-files-only }} + env: + EXIT_CODE: ${{ steps.run-code-analyzer.outputs.exit-code }} + SEV1: ${{ steps.run-code-analyzer.outputs.num-sev1-violations }} + SEV2: ${{ steps.run-code-analyzer.outputs.num-sev2-violations }} + TOTAL: ${{ steps.run-code-analyzer.outputs.num-violations }} + MAX: ${{ inputs.max-violations }} + FAIL_ON_SEV1: ${{ inputs.fail-on-sev1-violations }} + FAIL_ON_SEV2: ${{ inputs.fail-on-sev2-violations }} run: | - EXIT_CODE=${{ steps.run-code-analyzer.outputs.exit-code }} - SEV1=${{ steps.run-code-analyzer.outputs.num-sev1-violations }} - SEV2=${{ steps.run-code-analyzer.outputs.num-sev2-violations }} - TOTAL=${{ steps.run-code-analyzer.outputs.num-violations }} - MAX=${{ inputs.max-violations }} - echo "Exit Code: $EXIT_CODE" echo "Severity 1 Violations: $SEV1" echo "Severity 2 Violations: $SEV2" @@ -163,12 +167,12 @@ jobs: SHOULD_FAIL=true fi - if [ "${{ inputs.fail-on-sev1-violations }}" == "true" ] && [ "$SEV1" -gt 0 ]; then + if [ "$FAIL_ON_SEV1" == "true" ] && [ "$SEV1" -gt 0 ]; then echo "❌ Found $SEV1 severity 1 violations" SHOULD_FAIL=true fi - - if [ "${{ inputs.fail-on-sev2-violations }}" == "true" ] && [ "$SEV2" -gt 0 ]; then + + if [ "$FAIL_ON_SEV2" == "true" ] && [ "$SEV2" -gt 0 ]; then echo "❌ Found $SEV2 severity 2 violations" SHOULD_FAIL=true fi @@ -187,21 +191,23 @@ jobs: # Quality gate on CHANGED files only - name: Check Violations (Changed Files Only) if: ${{ inputs.fail-on-changed-files-only }} + env: + SEV1_CHANGED: ${{ steps.run-code-analyzer.outputs.num-sev1-violations-in-changed-files }} + SEV2_CHANGED: ${{ steps.run-code-analyzer.outputs.num-sev2-violations-in-changed-files }} + FAIL_ON_SEV1: ${{ inputs.fail-on-sev1-violations }} + FAIL_ON_SEV2: ${{ inputs.fail-on-sev2-violations }} run: | - SEV1_CHANGED=${{ steps.run-code-analyzer.outputs.num-sev1-violations-in-changed-files }} - SEV2_CHANGED=${{ steps.run-code-analyzer.outputs.num-sev2-violations-in-changed-files }} - echo "Severity 1 Violations in Changed Files: $SEV1_CHANGED" echo "Severity 2 Violations in Changed Files: $SEV2_CHANGED" SHOULD_FAIL=false - if [ "${{ inputs.fail-on-sev1-violations }}" == "true" ] && [ "$SEV1_CHANGED" -gt 0 ]; then + if [ "$FAIL_ON_SEV1" == "true" ] && [ "$SEV1_CHANGED" -gt 0 ]; then echo "❌ Found $SEV1_CHANGED severity 1 violations in changed files" SHOULD_FAIL=true fi - - if [ "${{ inputs.fail-on-sev2-violations }}" == "true" ] && [ "$SEV2_CHANGED" -gt 0 ]; then + + if [ "$FAIL_ON_SEV2" == "true" ] && [ "$SEV2_CHANGED" -gt 0 ]; then echo "❌ Found $SEV2_CHANGED severity 2 violations in changed files" SHOULD_FAIL=true fi diff --git a/.github/workflows/test-simple.yml b/.github/workflows/test-simple.yml index 3e709c5..489c503 100644 --- a/.github/workflows/test-simple.yml +++ b/.github/workflows/test-simple.yml @@ -21,7 +21,9 @@ jobs: steps: - name: Echo message id: echo + env: + MESSAGE: ${{ inputs.message }} run: | - echo "Message: ${{ inputs.message }}" - echo "result=${{ inputs.message }}" >> $GITHUB_OUTPUT + echo "Message: $MESSAGE" + echo "result=$MESSAGE" >> "$GITHUB_OUTPUT" echo "✅ Shared workflow executed successfully!" From 6a6d3c8e11d93932f5d4096fdc39fbfdbafafeee Mon Sep 17 00:00:00 2001 From: Gabor Demeter Date: Mon, 6 Jul 2026 22:26:04 +0200 Subject: [PATCH 3/4] Add: tag-triggered release workflow and documented versioning strategy Pushing vX.Y.Z creates the GitHub Release and force-moves the floating major tag (vX). Callers pin @v1 (moving major), @v1.2.0 (immutable) or a commit SHA; @main is development-only. Co-Authored-By: Claude Fable 5 --- .github/workflows/release.yml | 36 +++++++++++++++++++++++++++++++++++ CONTRIBUTING.md | 19 ++++++++++++------ 2 files changed, 49 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/release.yml diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..903f0b9 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,36 @@ +name: Release + +# Pushing a semver tag (vX.Y.Z) creates the GitHub Release and moves the +# floating major tag (vX) to the same commit, so callers can pin either +# `@vX` (moving) or `@vX.Y.Z` (immutable). See CONTRIBUTING.md for the +# release procedure. +on: + push: + tags: + - "v[0-9]+.[0-9]+.[0-9]+" + +permissions: + contents: write + +jobs: + release: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + + - name: Create GitHub Release + env: + GH_TOKEN: ${{ github.token }} + TAG: ${{ github.ref_name }} + run: | + gh release create "$TAG" --title "$TAG" --generate-notes --verify-tag + + - name: Move floating major tag + env: + TAG: ${{ github.ref_name }} + run: | + MAJOR="${TAG%%.*}" + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + git tag -fa "$MAJOR" -m "Point $MAJOR at $TAG" "$TAG" + git push origin "$MAJOR" --force diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 21741e6..b7692ff 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -192,13 +192,20 @@ PRs will be reviewed for: ## Release Process -Maintainers will handle releases: +Maintainers release by pushing a semver tag from `main`; automation does the rest: -1. Update version in documentation -2. Update CHANGELOG.md -3. Create a git tag -4. Create a GitHub release -5. Update major version tag (e.g., v1) if needed +1. Make sure `main` is green and contains everything for the release +2. Tag and push: + ```bash + git checkout main && git pull + git tag v1.2.0 + git push origin v1.2.0 + ``` +3. `.github/workflows/release.yml` then: + - creates the GitHub Release with generated notes + - force-moves the floating major tag (`v1`) to the same commit +4. Breaking change? Bump the major (`v2.0.0`) — callers pinned to `@v1` keep + working until they opt in to `@v2` ## Questions? From 6030a3a3948dac6d3f02a9df0784f56633da54f9 Mon Sep 17 00:00:00 2001 From: Gabor Demeter Date: Mon, 6 Jul 2026 22:26:04 +0200 Subject: [PATCH 4/4] Add: CODEOWNERS and SECURITY.md Co-Authored-By: Claude Fable 5 --- .github/CODEOWNERS | 10 ++++++++++ SECURITY.md | 26 ++++++++++++++++++++++++++ 2 files changed, 36 insertions(+) create mode 100644 .github/CODEOWNERS create mode 100644 SECURITY.md diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..63a5e16 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,10 @@ +# Default owners for everything in the repo — required reviewers on PRs +# touching these paths (once branch protection enables "Require review from +# Code Owners"). +* @gambe94 + +# The shared action/workflow surface consumed by other repos: any change here +# affects every caller. +/.github/actions/ @gambe94 +/.github/workflows/ @gambe94 +/packages/ @gambe94 diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..ed7acd5 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,26 @@ +# Security Policy + +## Supported Versions + +Only the latest major release tag (currently `v1`) receives security fixes. +Callers pinned to `@main` or old tags should move to the newest `v1.x.y`. + +## Reporting a Vulnerability + +Please do **not** open a public issue for security problems. + +- Preferred: [GitHub private vulnerability reporting](../../security/advisories/new) +- Alternative: email gforceinnovation@gmail.com + +You should receive a response within 7 days. Please include a description of +the issue, steps to reproduce, and the affected action/workflow. + +## Hardening Notes for Callers + +- Pin these actions/workflows to a release tag (`@v1`) or commit SHA — never a + mutable branch. +- Grant callers only the permissions documented per action in the + [README](README.md) (`permissions:` blocks are least-privilege). +- Secrets consumed via `get-aws-secret` / `sf-jwt-login` come from AWS Secrets + Manager over OIDC; no long-lived credentials or PATs are used, and key files + are removed in `if: always()` cleanup steps.