
Provide a composite action in this repository

Open anttiharju opened this issue 3 months ago • 3 comments

Hi, thanks for the awesome tool.

I've been using it in GitHub Actions with this fairly simple composite action https://github.com/anttiharju/actions/blob/fbadff9c415c57e03eabe0d5273ad1f9b93ec43c/action-validator/action.yml:

name: action-validator
description: Runs action-validator with verbose output on files tracked by Git.
inputs:
  version:
    description: action-validator version to install
    required: false
    default: 0.6.0

runs:
  using: "composite"
  steps:
    - name: Cache
      id: cache
      uses: actions/cache@v4
      with:
        path: /usr/local/bin/action-validator
        key: action-validator-${{ inputs.version }}
    - if: steps.cache.outputs.cache-hit != 'true'
      name: Install
      shell: sh
      env:
        bin: https://github.com/mpalmer/action-validator/releases/download/v${{ inputs.version }}/action-validator_linux_amd64
        dest: /usr/local/bin/action-validator
      run: |
        curl -sSL "$bin" -o "$dest"
        chmod +x "$dest"
    - name: Run
      shell: sh
      run: |
        git ls-files -z ".github/*/*.yml" "*/action.yml" | xargs -0 action-validator --verbose

I think this would be useful for others as well, so I would like to contribute something very similar (could probably support more inputs for config, use the gh CLI to download the binaries instead of curl, etc.) to this repository under action/action.yml.

Given that CI is essentially remote code execution as a service, I would feel a lot more comfortable using the composite action in the official repository rather than a repackaged version, as is done in the open PR:

  • https://github.com/mpalmer/action-validator/pull/88 which runs what's placed in the following repository:
  • https://github.com/jazzsequence/github-action-validator

I don't mean to discount the efforts in the open PR; I think that contributor has also recognized this need and I appreciate that.

Regarding versioning (v1, v2, etc.), I'm not sure we need to do that. Users can simply refer to main:

      - name: action-validator
        uses: mpalmer/action-validator/action@main

or the SHA-locked version for hardened security:

      - name: action-validator
        uses: mpalmer/action-validator/action@ef2c51e84f1c0773d30374133d061d131315f92c

The latter is what people should be doing anyway with 3rd-party actions.

I don't think the composite action could be released to the actions marketplace (which is a pro that the open PR has), but I imagine documenting its existence in the README of this repo would be sufficient.

I think the composite action would be fairly low maintenance; mostly just the actions/cache@v4 would need its major version bumped every few years when GitHub switches the Node version the action uses. Happy to help with maintenance.

anttiharju, Oct 31 '25 12:10
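
An added example (not part of the original issue or the action-validator project): a small Python check that lists `uses:` references not locked to a full 40-character commit SHA, which is the pinning the post above recommends for third-party actions. The workflow text and the `./.github/actions/setup` step are constructed; the other references are the ones quoted in the post.

```python
import re

# Matches a step- or job-level `uses:` key and captures the reference (quotes optional).
USES_RE = re.compile(r"""^\s*(?:-\s+)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def classify(ref):
    """Return 'local', 'docker', 'pinned' or 'mutable' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"      # resolved from the checked-out repository itself
    if ref.startswith("docker://"):
        return "docker"     # image reference, pinned by digest rather than by commit
    _, sep, version = ref.rpartition("@")
    if sep and FULL_SHA_RE.fullmatch(version):
        return "pinned"     # full commit SHA: content cannot change under the ref
    return "mutable"        # branch, tag, short SHA or no ref at all

def audit(workflow_text):
    """Return (line_number, reference, classification) for every `uses:` line."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match:
            findings.append((number, match.group(1), classify(match.group(1))))
    return findings

def unpinned(workflow_text):
    """References that can be repointed by whoever controls the upstream repo."""
    return [ref for _, ref, kind in audit(workflow_text) if kind == "mutable"]

# Constructed workflow; the local action path is hypothetical, the other
# references are the ones quoted in the post above.
SAMPLE = """\
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: ./.github/actions/setup
      - name: Cache
        uses: actions/cache@v4
      - name: action-validator
        uses: mpalmer/action-validator/action@main
      - name: action-validator
        uses: mpalmer/action-validator/action@ef2c51e84f1c0773d30374133d061d131315f92c
"""

if __name__ == "__main__":
    for number, ref, kind in audit(SAMPLE):
        print(f"line {number}: {kind:8} {ref}")
```
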

Yep, I'd welcome a PR that provides an action that can be referred to in other workflows.

mpalmer, Nov 01 '25 03:11

Thanks for confirming, I'll submit a PR

anttiharju, Nov 01 '25 15:11

Here is the PR for review:

  • https://github.com/mpalmer/action-validator/pull/109

anttiharju, Nov 01 '25 20:11