Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions .github/CODEOWNERS
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
# Default owners for everything in the repo — required reviewers on PRs
# touching these paths (once branch protection enables "Require review from
# Code Owners").
* @gambe94

# The shared action/workflow surface consumed by other repos: any change here
# affects every caller.
/.github/actions/ @gambe94
/.github/workflows/ @gambe94
/packages/ @gambe94
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ import { run } from '../src/index';

jest.mock('@actions/core');

const REPO = { owner: 'gforceinnovation', repo: 'demo' };
const REPO = { owner: 'Gforce-Innovation-Kft', repo: 'demo' };
const LOGGER = { debug() {}, info() {}, warning() {}, error() {} };

function stubInputs(overrides: Record<string, string> = {}): void {
Expand Down
6 changes: 3 additions & 3 deletions .github/actions/get-aws-secret/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ author: "GForce Innovation"
inputs:
aws-region:
description: "AWS region where the secret is stored"
required: true
required: false
default: "eu-central-1"
secret-name:
description: "Name of the secret in AWS Secrets Manager"
Expand All @@ -27,14 +27,14 @@ runs:
using: "composite"
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
with:
role-to-assume: ${{ inputs.aws-role-arn }}
aws-region: ${{ inputs.aws-region }}
role-session-name: GitHubActions-${{ github.run_id }}

- name: Retrieve Secret from AWS Secrets Manager
uses: aws-actions/aws-secretsmanager-get-secrets@v2
uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 # v2.0.10
with:
secret-ids: |
,${{ inputs.secret-name }}
Expand Down
26 changes: 19 additions & 7 deletions .github/actions/sf-jwt-login/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,11 +5,11 @@ author: "GForce Innovation"
inputs:
aws-region:
description: "AWS region where the secret is stored"
required: true
required: false
default: "eu-central-1"
secret-name:
description: "Name of the secret in AWS Secrets Manager containing Salesforce credentials"
required: true
required: false
default: "salesforce/gabor-devhub"
aws-role-arn:
description: "ARN of the AWS IAM role to assume (for OIDC authentication)"
Expand All @@ -34,8 +34,11 @@ outputs:
runs:
using: "composite"
steps:
# Own-repo ref: composite actions cannot use relative paths, so this
# resolves at runtime. Kept on @main — callers pinning sf-jwt-login to an
# old tag still get the current get-aws-secret (known version-skew caveat).
- name: Get Salesforce credentials from AWS Secrets Manager
uses: gforceinnovation/shared-github-actions/.github/actions/get-aws-secret@main
uses: Gforce-Innovation-Kft/shared-github-actions/.github/actions/get-aws-secret@main
with:
aws-region: ${{ inputs.aws-region }}
secret-name: ${{ inputs.secret-name }}
Expand Down Expand Up @@ -63,20 +66,29 @@ runs:

- name: Salesforce JWT Login
shell: bash
env:
ORG_ALIAS: ${{ inputs.org-alias }}
SET_DEFAULT_DEV_HUB: ${{ inputs.set-default-dev-hub }}
run: |
EXTRA_ARGS=()
if [ "$SET_DEFAULT_DEV_HUB" = "true" ]; then
EXTRA_ARGS+=(--set-default-dev-hub)
fi
sf org login jwt \
--username "$USERNAME" \
--jwt-key-file jwt-key.txt \
--client-id "$CLIENT_ID" \
--instance-url "$INSTANCE_URL" \
--alias ${{ inputs.org-alias }} \
${{ inputs.set-default-dev-hub == 'true' && '--set-default-dev-hub' || '' }}
--alias "$ORG_ALIAS" \
"${EXTRA_ARGS[@]}"

- name: Display org info
id: display-org
shell: bash
env:
ORG_ALIAS: ${{ inputs.org-alias }}
run: |
sf org display --target-org ${{ inputs.org-alias }} --json > org-info.json
sf org display --target-org "$ORG_ALIAS" --json > org-info.json

ORG_ID=$(jq -r '.result.id' org-info.json)
USERNAME=$(jq -r '.result.username' org-info.json)
Expand All @@ -87,7 +99,7 @@ runs:
echo "✅ Successfully authenticated to Salesforce"
echo " Org ID: $ORG_ID"
echo " Username: $USERNAME"
echo " Alias: ${{ inputs.org-alias }}"
echo " Alias: $ORG_ALIAS"

- name: Cleanup
if: always()
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ import { run } from '../src/index';

jest.mock('@actions/core');

const REPO = { owner: 'gforceinnovation', repo: 'demo' };
const REPO = { owner: 'Gforce-Innovation-Kft', repo: 'demo' };
const LOGGER = { debug() {}, info() {}, warning() {}, error() {} };

function stubInputs(overrides: Record<string, string> = {}): void {
Expand Down
27 changes: 27 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
# Keeps SHA-pinned actions and npm dependencies up to date.
# Third-party actions are pinned to full commit SHAs (with a version comment);
# Dependabot updates both the SHA and the comment.
version: 2
updates:
- package-ecosystem: "github-actions"
# "/" covers .github/workflows; composite action manifests need their
# directories listed explicitly.
directories:
- "/"
- "/.github/actions/get-aws-secret"
- "/.github/actions/sf-jwt-login"
schedule:
interval: "weekly"
groups:
actions:
patterns:
- "*"

- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
groups:
npm-dependencies:
patterns:
- "*"
8 changes: 4 additions & 4 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,9 +13,9 @@ jobs:
quality:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1

- uses: actions/setup-node@v4
- uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with:
node-version: 20
cache: npm
Expand Down Expand Up @@ -45,12 +45,12 @@ jobs:
# broken workflow/action manifest must fail CI rather than ship.
- name: Lint workflows
run: |
bash <(curl -s https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
bash <(curl -s https://raw.githubusercontent.com/rhysd/actionlint/v1.7.12/scripts/download-actionlint.bash) 1.7.12
./actionlint -color

- name: Upload coverage
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: coverage
path: |
Expand Down
36 changes: 36 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
name: Release

# Pushing a semver tag (vX.Y.Z) creates the GitHub Release and moves the
# floating major tag (vX) to the same commit, so callers can pin either
# `@vX` (moving) or `@vX.Y.Z` (immutable). See CONTRIBUTING.md for the
# release procedure.
on:
push:
tags:
- "v[0-9]+.[0-9]+.[0-9]+"

permissions:
contents: write

jobs:
release:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1

- name: Create GitHub Release
env:
GH_TOKEN: ${{ github.token }}
TAG: ${{ github.ref_name }}
run: |
gh release create "$TAG" --title "$TAG" --generate-notes --verify-tag

- name: Move floating major tag
env:
TAG: ${{ github.ref_name }}
run: |
MAJOR="${TAG%%.*}"
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git tag -fa "$MAJOR" -m "Point $MAJOR at $TAG" "$TAG"
git push origin "$MAJOR" --force
48 changes: 27 additions & 21 deletions .github/workflows/salesforce-code-analyzer.yml
Original file line number Diff line number Diff line change
Expand Up @@ -95,12 +95,14 @@ jobs:
actions: read
steps:
- name: Check out files
uses: actions/checkout@v5
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1

- name: Verify workspace
env:
WORKSPACE: ${{ inputs.workspace }}
run: |
echo "Current directory: $PWD"
echo "Workspace input: ${{ inputs.workspace }}"
echo "Workspace input: $WORKSPACE"
ls -la
if [ -f "sfdx-project.json" ]; then
echo "✅ Found sfdx-project.json"
Expand All @@ -111,18 +113,18 @@ jobs:

# PREREQUISITES
- name: Setup Node.js
uses: actions/setup-node@v5
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with:
node-version: ${{ inputs.node-version }}

- name: Setup Java
uses: actions/setup-java@v5
uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5.4.0
with:
java-version: ${{ inputs.java-version }}
distribution: "zulu"

- name: Setup Python
uses: actions/setup-python@v6
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
with:
python-version: ${{ inputs.python-version }}

Expand All @@ -134,7 +136,7 @@ jobs:

- name: Run Salesforce Code Analyzer
id: run-code-analyzer
uses: forcedotcom/run-code-analyzer@v2
uses: forcedotcom/run-code-analyzer@38a9be7f2dd5b18cf0f03e05f6f7a38b8f2662f6 # v2.12.0
with:
run-arguments: --workspace ${{ inputs.workspace }} --view ${{ inputs.view }} --output-file ${{ inputs.output-file-html }} --output-file ${{ inputs.output-file-json }}
results-artifact-name: ${{ inputs.results-artifact-name }}
Expand All @@ -143,13 +145,15 @@ jobs:
# Quality gate on ALL files in the repository
- name: Check Violations (All Files)
if: ${{ !inputs.fail-on-changed-files-only }}
env:
EXIT_CODE: ${{ steps.run-code-analyzer.outputs.exit-code }}
SEV1: ${{ steps.run-code-analyzer.outputs.num-sev1-violations }}
SEV2: ${{ steps.run-code-analyzer.outputs.num-sev2-violations }}
TOTAL: ${{ steps.run-code-analyzer.outputs.num-violations }}
MAX: ${{ inputs.max-violations }}
FAIL_ON_SEV1: ${{ inputs.fail-on-sev1-violations }}
FAIL_ON_SEV2: ${{ inputs.fail-on-sev2-violations }}
run: |
EXIT_CODE=${{ steps.run-code-analyzer.outputs.exit-code }}
SEV1=${{ steps.run-code-analyzer.outputs.num-sev1-violations }}
SEV2=${{ steps.run-code-analyzer.outputs.num-sev2-violations }}
TOTAL=${{ steps.run-code-analyzer.outputs.num-violations }}
MAX=${{ inputs.max-violations }}

echo "Exit Code: $EXIT_CODE"
echo "Severity 1 Violations: $SEV1"
echo "Severity 2 Violations: $SEV2"
Expand All @@ -163,12 +167,12 @@ jobs:
SHOULD_FAIL=true
fi

if [ "${{ inputs.fail-on-sev1-violations }}" == "true" ] && [ "$SEV1" -gt 0 ]; then
if [ "$FAIL_ON_SEV1" == "true" ] && [ "$SEV1" -gt 0 ]; then
echo "❌ Found $SEV1 severity 1 violations"
SHOULD_FAIL=true
fi
if [ "${{ inputs.fail-on-sev2-violations }}" == "true" ] && [ "$SEV2" -gt 0 ]; then

if [ "$FAIL_ON_SEV2" == "true" ] && [ "$SEV2" -gt 0 ]; then
echo "❌ Found $SEV2 severity 2 violations"
SHOULD_FAIL=true
fi
Expand All @@ -187,21 +191,23 @@ jobs:
# Quality gate on CHANGED files only
- name: Check Violations (Changed Files Only)
if: ${{ inputs.fail-on-changed-files-only }}
env:
SEV1_CHANGED: ${{ steps.run-code-analyzer.outputs.num-sev1-violations-in-changed-files }}
SEV2_CHANGED: ${{ steps.run-code-analyzer.outputs.num-sev2-violations-in-changed-files }}
FAIL_ON_SEV1: ${{ inputs.fail-on-sev1-violations }}
FAIL_ON_SEV2: ${{ inputs.fail-on-sev2-violations }}
run: |
SEV1_CHANGED=${{ steps.run-code-analyzer.outputs.num-sev1-violations-in-changed-files }}
SEV2_CHANGED=${{ steps.run-code-analyzer.outputs.num-sev2-violations-in-changed-files }}

echo "Severity 1 Violations in Changed Files: $SEV1_CHANGED"
echo "Severity 2 Violations in Changed Files: $SEV2_CHANGED"

SHOULD_FAIL=false

if [ "${{ inputs.fail-on-sev1-violations }}" == "true" ] && [ "$SEV1_CHANGED" -gt 0 ]; then
if [ "$FAIL_ON_SEV1" == "true" ] && [ "$SEV1_CHANGED" -gt 0 ]; then
echo "❌ Found $SEV1_CHANGED severity 1 violations in changed files"
SHOULD_FAIL=true
fi
if [ "${{ inputs.fail-on-sev2-violations }}" == "true" ] && [ "$SEV2_CHANGED" -gt 0 ]; then

if [ "$FAIL_ON_SEV2" == "true" ] && [ "$SEV2_CHANGED" -gt 0 ]; then
echo "❌ Found $SEV2_CHANGED severity 2 violations in changed files"
SHOULD_FAIL=true
fi
Expand Down
6 changes: 4 additions & 2 deletions .github/workflows/test-simple.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,9 @@ jobs:
steps:
- name: Echo message
id: echo
env:
MESSAGE: ${{ inputs.message }}
run: |
echo "Message: ${{ inputs.message }}"
echo "result=${{ inputs.message }}" >> $GITHUB_OUTPUT
echo "Message: $MESSAGE"
echo "result=$MESSAGE" >> "$GITHUB_OUTPUT"
echo "✅ Shared workflow executed successfully!"
6 changes: 3 additions & 3 deletions CLAUDE.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,15 +4,15 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co

## Repository Overview

Reusable GitHub Actions for `gforceinnovation`: **TypeScript actions** (a portable
Reusable GitHub Actions for `Gforce-Innovation-Kft`: **TypeScript actions** (a portable
core plus thin adapters), **composite actions**, and **callable workflows** for
Salesforce CI/CD pipelines.

## Reference Pattern

From other repos, reference items using:
- Composite / TypeScript actions: `gforceinnovation/shared-github-actions/.github/actions/<action-name>@main`
- Reusable workflows: `gforceinnovation/shared-github-actions/.github/workflows/<workflow-name>.yml@main`
- Composite / TypeScript actions: `Gforce-Innovation-Kft/shared-github-actions/.github/actions/<action-name>@v1`
- Reusable workflows: `Gforce-Innovation-Kft/shared-github-actions/.github/workflows/<workflow-name>.yml@v1`

## TypeScript Actions (npm-workspaces monorepo)

Expand Down
19 changes: 13 additions & 6 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -192,13 +192,20 @@ PRs will be reviewed for:

## Release Process

Maintainers will handle releases:
Maintainers release by pushing a semver tag from `main`; automation does the rest:

1. Update version in documentation
2. Update CHANGELOG.md
3. Create a git tag
4. Create a GitHub release
5. Update major version tag (e.g., v1) if needed
1. Make sure `main` is green and contains everything for the release
2. Tag and push:
```bash
git checkout main && git pull
git tag v1.2.0
git push origin v1.2.0
```
3. `.github/workflows/release.yml` then:
- creates the GitHub Release with generated notes
- force-moves the floating major tag (`v1`) to the same commit
4. Breaking change? Bump the major (`v2.0.0`) — callers pinned to `@v1` keep
working until they opt in to `@v2`

## Questions?

Expand Down
Loading
Loading