From df07a2bda2ef2aa7c04508b8f4a23b1fd6e7d5c3 Mon Sep 17 00:00:00 2001 From: Tim Pohlmann Date: Fri, 3 Jul 2026 22:56:28 +0000 Subject: [PATCH 1/4] fix: quote fail-on description in action.yml to fix YAML parse error The unquoted description "...non-zero exit: error, warning, or info" contains a colon, which YAML parses as a nested mapping key instead of plain scalar text, breaking the composite action. Co-Authored-By: Claude Sonnet 5 --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index b951fa7..d849207 100644 --- a/action.yml +++ b/action.yml @@ -12,7 +12,7 @@ inputs: required: false default: '' fail-on: - description: Lowest severity that causes a non-zero exit: error, warning, or info + description: "Lowest severity that causes a non-zero exit: error, warning, or info" required: false default: error runs: From a447f4d84f95dce6b10535ab3fb04844a0aac887 Mon Sep 17 00:00:00 2001 From: Tim Pohlmann Date: Fri, 3 Jul 2026 22:59:50 +0000 Subject: [PATCH 2/4] ci: validate action.yml and workflow files with action-validator Catches the class of bug fixed in this PR (a YAML parse error in action.yml) before merge, instead of only surfacing it once a broken action.yml is tagged and consumed via the floating v1 release tag. Co-Authored-By: Claude Sonnet 5 --- .github/workflows/ci.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7b0934d..4001a73 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -115,6 +115,22 @@ jobs: - uses: actions/checkout@v4 - uses: Tim-Pohlmann/Dolphin@v1 + validate-action: + name: Validate action.yml + runs-on: ubuntu-latest + permissions: + contents: read + + steps: + - uses: actions/checkout@v4 + - name: Install action-validator + run: | + curl -fsSL --proto '=https' --tlsv1.2 -o action-validator \ + "https://github.com/mpalmer/action-validator/releases/download/v0.9.0/action-validator_linux_amd64" + chmod +x action-validator + - name: Validate + run: ./action-validator action.yml .github/workflows/*.yml + analyze: name: Analyze runs-on: ubuntu-latest From 27c108adcca2cd793d4f7669949f1b850dd345e9 Mon Sep 17 00:00:00 2001 From: Tim Pohlmann Date: Fri, 3 Jul 2026 23:02:03 +0000 Subject: [PATCH 3/4] ci: dogfood the local action.yml instead of the published v1 tag Dolphin Check previously used Tim-Pohlmann/Dolphin@v1, which only reflects the last release, so a broken action.yml on a branch was invisible to CI until it was tagged. Using ./ exercises the PR's own action.yml on every run. Co-Authored-By: Claude Sonnet 5 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4001a73..595b1d8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -113,7 +113,7 @@ jobs: steps: - uses: actions/checkout@v4 - - uses: Tim-Pohlmann/Dolphin@v1 + - uses: ./ validate-action: name: Validate action.yml From bbd09eacc2e019248ff391522abefa2db358caee Mon Sep 17 00:00:00 2001 From: Tim Pohlmann Date: Sat, 4 Jul 2026 06:34:51 +0000 Subject: [PATCH 4/4] ci: use mpalmer/action-validator's published composite action Copilot review flagged that downloading the raw action-validator binary via curl with no checksum verification is a supply-chain risk. Switch to the maintainer's own published GitHub Action, pinned to a commit SHA, and pin the binary version via its `version` input instead of hardcoding a release URL. Co-Authored-By: Claude Sonnet 5 --- .github/workflows/ci.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 595b1d8..55e3cea 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -123,13 +123,13 @@ jobs: steps: - uses: actions/checkout@v4 - - name: Install action-validator - run: | - curl -fsSL --proto '=https' --tlsv1.2 -o action-validator \ - "https://github.com/mpalmer/action-validator/releases/download/v0.9.0/action-validator_linux_amd64" - chmod +x action-validator - - name: Validate - run: ./action-validator action.yml .github/workflows/*.yml + - name: action-validator + uses: mpalmer/action-validator@c994f427b7c42cd5ecb1bc9315cb91c3d7d72e3d # main @ 2026-04-08 + with: + version: "0.9.0" + patterns: | + action.yml + .github/workflows/*.yml analyze: name: Analyze