Skip to content

feat(action): Marketplace-readiness pipeline for the composite action#245

Closed
PhysShell wants to merge 2 commits into
mainfrom
claude/action-marketplace-readiness-2026-07-12
Closed

feat(action): Marketplace-readiness pipeline for the composite action#245
PhysShell wants to merge 2 commits into
mainfrom
claude/action-marketplace-readiness-2026-07-12

Conversation

@PhysShell

@PhysShell PhysShell commented Jul 12, 2026

Copy link
Copy Markdown
Owner

Что и зачем

Phase 4 of a repository-state cleanup: prepares the composite GitHub Action (action.yml) for eventual Marketplace publication without publishing a listing (per the explicit boundary).

Metadata/branding auditname/description/author/branding were already present and Marketplace-compliant (icon: shield is a real Feather icon; color: purple is in the fixed 8-color allowlist). Fixed: the two nested uses: steps (actions/setup-python@v5, actions/setup-dotnet@v4) were floating tags, inconsistent with this repo's own stated convention (ci.yml: "every third-party uses: is pinned to a commit SHA"). Pinned to the exact SHAs already used elsewhere in this repo, and independently re-verified against upstream via git ls-remote --tags rather than trusted on faith.

Versioning policy — bare vX.Y.Z release tags (distinct namespace from the CLI's ownsharp-cli-v* established in #244, avoiding ambiguity about which artifact a tag names), immutable once pushed. The moving major tag (v0/v1) only ever repoints through a separate, explicit workflow_dispatch gated behind a protected action-major-tag-move GitHub Environment — never as a side effect of a patch tag push. Every tag-gated job checks both github.event_name == 'push' and the ref prefix from the start — the same class of gap independent review caught on PR #244's publish gate (workflow_dispatch --ref <tag> can satisfy a bare startsWith(github.ref, ...) check).

Consumer-simulation fixturefixtures/marketplace-consumer-demo/ (a minimal leak+clean pair, deliberately separate from frontend/roslyn/samples, the extractor's own precision-test corpus). The new workflow's consumer-simulation job references the action the way an external repo actually would — uses: PhysShell/Own.NET@${{ github.sha }}, resolved through the Actions runner's real action-fetch mechanism, not uses: ./ — against a sparse checkout containing only the fixture, so the job's own workspace has no other Own.NET source on disk either. Verifies the leak sample fails the step, the clean sample doesn't, and the SARIF output is accepted by github/codeql-action/upload-sarif. Documented honestly: a genuinely separate GitHub repo would be stronger proof but wasn't created — that's a visible action outside this session's call to make unilaterally.

README accuracy — fixed a PhysShell/own.netPhysShell/Own.NET casing drift in both README.md and README.ru.md, and added a pointer to the new versioning policy for post-release usage.

Full findings, the versioning policy, and a Marketplace publish checklist for whoever runs an actual release are in docs/notes/action-marketplace-readiness.md.

ci.yml's existing own-check-codescan job (dog-fooding via uses: ./ on every push/PR) is untouched — this workflow is the release-readiness path alongside it, not a replacement.

Тип изменения

  • feat — новая возможность (release infrastructure, packaging-only)

Как проверено

  • python tests/run_tests.py — 276/276
  • ruff check . / mypy — clean
  • All new/changed YAML (action.yml, action-marketplace-readiness.yml) parsed with python3 -c "import yaml; yaml.safe_load(...)" — caught and fixed one real syntax bug (an unquoted name: containing a literal uses: colon, which YAML misparsed as a nested mapping key)
  • actions/setup-python@v5 and actions/setup-dotnet@v4 SHA pins verified against git ls-remote --tags (already used elsewhere in this repo, re-verified independently)
  • Fixture sanity-checked locally: scripts/own-check.sh on Leaky.cs → exactly one OWN001 at the expected line; on Clean.cs → zero findings

Связанные issue

Refs P-013 gate B, the "Action distribution" open question in docs/proposals/P-013-distribution-surface.md. No issues closed (readiness infra, not a shipped release).

Чеклист

  • изменение покрыто тестом/селфтестом — the new workflow's consumer-simulation job is the test surface; the fixture was hand-verified locally first
  • README/docs обновлены — README.md/README.ru.md casing + pointer fix; docs/notes/action-marketplace-readiness.md is new
  • коммиты в conventional-commit стиле (feat:)

Boundaries honored

  • Not published to Marketplace.
  • No analyzer logic changed — action.yml step pins, a new workflow, a fixture, and doc/README accuracy only.
  • No failure hidden behind continue-on-error: the one use (consumer-simulation's leak-sample step) is immediately followed by an explicit assertion on steps.leak.outcome, documented inline as intentional (observing a specific expected failure, not swallowing an unexpected one).

Generated by Claude Code

Summary by CodeRabbit

  • New Features
    • Added automated “Action Marketplace readiness” validation with consumer-style simulations (including expected leak/clean behavior) and SARIF upload.
    • Added release tag validation and a protected, manual mechanism to move major tags.
  • Documentation
    • Updated README examples (correct action name) and guidance to pin immutable versions or use major tags after release.
    • Added marketplace readiness notes plus consumer fixture documentation.
  • Security & Reliability
    • Pinned workflow setup dependencies to fixed revisions for reproducible CI behavior.

Prepares action.yml for eventual GitHub Marketplace publication without
publishing a listing. No analyzer logic changed - action.yml, a new
workflow, a fixture, and doc/README accuracy only.

- Pinned action.yml's two nested `uses:` steps (actions/setup-python,
  actions/setup-dotnet) to commit SHAs, matching this repo's own
  stated convention (every third-party `uses:` pinned) that these two
  had drifted from. SHAs verified via `git ls-remote --tags`, not
  copied on faith.
- Validated branding/metadata against GitHub's actual Marketplace
  constraints: icon is a real Feather icon, color is in the fixed
  8-color allowlist - both already compliant.
- New .github/workflows/action-marketplace-readiness.yml:
  - consumer-simulation: references the action the way an external
    repo actually would (`uses: PhysShell/Own.NET@<sha>`, resolved by
    the Actions runner's action-fetch mechanism, not `uses: ./`)
    against a sparse checkout containing only a small dedicated
    fixture - no other Own.NET source on disk in that job. Verifies
    the leak sample fails the step, the clean sample doesn't, and the
    SARIF output is accepted by github/codeql-action/upload-sarif.
  - Versioning policy: immutable `vX.Y.Z` release tags (distinct
    namespace from the CLI's `ownsharp-cli-v*`), with the moving major
    tag (v0/v1) only ever repointed through a separate, explicit
    workflow_dispatch gated behind a protected GitHub Environment -
    never as a side effect of a patch-tag push. Both event_name and
    ref-prefix are checked on every tag-gated job from the start (the
    same class of gap independent review caught on the CLI's publish
    gate in PR #244).
- fixtures/marketplace-consumer-demo/: a minimal, clearly-separate
  leak+clean pair standing in for "an external consumer's repo" -
  distinct from frontend/roslyn/samples (the extractor's own
  precision-test corpus). Documented honestly as an approximation. A
  genuinely separate GitHub repo would be stronger proof but wasn't
  created without explicit authorization (a visible, user-facing
  action this session doesn't take unilaterally).
- README.md/README.ru.md: fixed `PhysShell/own.net` casing drift
  (-> `PhysShell/Own.NET`), added a pointer to the versioning policy
  for what to switch to once a release exists.
- docs/notes/action-marketplace-readiness.md: the audit findings, the
  versioning policy in full, the consumer-fixture rationale and its
  honest limitation, and the Marketplace publish checklist for
  whoever runs an actual release.

ci.yml's existing own-check-codescan job (uses: ./ dog-food on every
push/PR) is untouched - this workflow is the release-readiness path
alongside it, not a replacement.

Boundaries: not published to Marketplace; no analyzer logic touched;
no continue-on-error without an immediate, documented assertion on the
outcome.
@coderabbitai

coderabbitai Bot commented Jul 12, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 03c20727-ac88-4469-8e6d-64c9d871ea8a

📥 Commits

Reviewing files that changed from the base of the PR and between d08063c and 5106bad.

📒 Files selected for processing (3)
  • .github/workflows/action-marketplace-readiness.yml
  • docs/notes/action-marketplace-readiness.md
  • fixtures/marketplace-consumer-demo/README.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • fixtures/marketplace-consumer-demo/README.md

📝 Walkthrough

Walkthrough

Adds Marketplace readiness validation for the composite action, including consumer checks, SARIF upload, release-tag validation, gated major-tag movement, pinned dependencies, consumer fixtures, and updated release guidance.

Changes

Marketplace readiness

Layer / File(s) Summary
Action execution and consumer fixtures
action.yml, fixtures/marketplace-consumer-demo/*
Pins setup actions to commit SHAs and adds clean and intentionally leaky C# consumer examples with fixture documentation.
Remote-style consumer simulation
.github/workflows/action-marketplace-readiness.yml, fixtures/marketplace-consumer-demo/*
Runs expected-failure and clean checks, validates non-empty SARIF output, and uploads results to Code Scanning.
Release and major-tag management
.github/workflows/action-marketplace-readiness.yml
Validates required Marketplace metadata on version tags and provides an environment-gated workflow for force-updating major tags.
Release documentation and usage guidance
README.md, README.ru.md, docs/notes/action-marketplace-readiness.md
Documents versioning, publishing steps, Marketplace constraints, consumer simulation, pinned references, and corrected action naming.

Estimated code review effort: 4 (Complex) | ~45 minutes

Sequence Diagram(s)

sequenceDiagram
  participant GitHubActions
  participant OwnNETAction
  participant ConsumerFixture
  participant CodeScanning
  GitHubActions->>ConsumerFixture: check out marketplace fixture
  GitHubActions->>OwnNETAction: invoke local composite action
  OwnNETAction->>ConsumerFixture: analyze Leaky.cs and Clean.cs
  OwnNETAction-->>GitHubActions: return outcomes and SARIF file
  GitHubActions->>CodeScanning: upload SARIF results
Loading

Possibly related PRs

  • PhysShell/Own.NET#10: Both changes modify the root composite action’s Python and .NET setup wiring.
  • PhysShell/Own.NET#48: This change reuses the SARIF and Code Scanning integration surface introduced there.
🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately reflects the Marketplace-readiness pipeline changes.
Description check ✅ Passed All required template sections are present and substantially filled with specific details.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/action-marketplace-readiness-2026-07-12

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d08063c414

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/action-marketplace-readiness.yml Outdated
Comment thread .github/workflows/action-marketplace-readiness.yml
Comment thread .github/workflows/action-marketplace-readiness.yml

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/action-marketplace-readiness.yml:
- Around line 51-52: Update the permissions block for the consumer-simulation
job to include security-events: write alongside contents: read, so its
upload-sarif step can publish code-scanning results while preserving the
existing permission settings.
- Around line 168-182: Update the “Resolve and validate the target release tag”
and “Force-move the major tag” steps to receive move_major_tag_to through step
environment variables instead of direct GitHub expression interpolation in shell
commands. Validate the target against the expected SemVer release-tag format
before using it, while preserving the existing tag existence check and major-tag
movement behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 9eb4731d-7595-4c33-b7b8-c703eee4860c

📥 Commits

Reviewing files that changed from the base of the PR and between 4c5a86b and d08063c.

📒 Files selected for processing (8)
  • .github/workflows/action-marketplace-readiness.yml
  • README.md
  • README.ru.md
  • action.yml
  • docs/notes/action-marketplace-readiness.md
  • fixtures/marketplace-consumer-demo/Clean.cs
  • fixtures/marketplace-consumer-demo/Leaky.cs
  • fixtures/marketplace-consumer-demo/README.md

Comment thread .github/workflows/action-marketplace-readiness.yml
Comment thread .github/workflows/action-marketplace-readiness.yml Outdated
From independent review of PR #245 (Codex + CodeRabbit both caught the
permissions gap independently; each caught one issue the other missed):

- consumer-simulation's `uses: PhysShell/Own.NET@${{ github.sha }}`
  cannot work at all: GitHub Actions does not evaluate expressions in
  `jobs.<job_id>.steps.uses` (not among the expression-capable fields
  the context-availability docs list, unlike with/env/if/run) - the
  job would never have resolved an action. There is no way to
  parameterize `uses:` with "the commit under test"; a genuinely
  dynamic remote-ref proof isn't automatable pre-tag. Switched to
  `uses: ./` (the same mechanism ci.yml's own-check-codescan dog-food
  job already relies on, correctly) - full checkout instead of a
  sparse one, since `./` needs the whole action definition present.
  docs/notes/action-marketplace-readiness.md and the fixture's own
  README corrected to match; the honest-limitation framing now
  matches what's actually achievable pre-tag.

- consumer-simulation's upload-sarif step needs security-events:write
  (required for every workflow that calls it, not just push events);
  the job only granted contents:read. Added the permission, and
  guarded the SARIF/upload steps with the same fork-PR check
  own-check-codescan already uses (a fork PR's GITHUB_TOKEN is
  read-only, so the upload would 403 through no fault of an external
  contributor) - the leak/clean checks still run for forks, only the
  SARIF steps are skipped there.

- move-major-tag's shell steps interpolated
  `${{ inputs.move_major_tag_to }}` and step outputs directly into
  `run:` bodies - a template-injection risk (flagged by zizmor via
  CodeRabbit), the same class of bug action.yml's own CodeRabbit #10
  fix already guards against elsewhere in this repo. Moved both
  through `env:` and added a SemVer-shape validation as a second,
  independent guard.

Copy link
Copy Markdown
Owner Author

Three issues fixed in 5106bad — Codex and CodeRabbit each independently caught the security-events: write gap, plus one each the other missed:

  1. uses: PhysShell/Own.NET@${{ github.sha }} doesn't work at all (Codex) — confirmed: GitHub Actions doesn't evaluate expressions in jobs.<job_id>.steps.uses, so this would never have resolved an action. There's no way to parameterize uses: with "the commit under test" — a genuinely dynamic remote-ref proof isn't automatable pre-tag. Switched to uses: ./ (same mechanism ci.yml's own-check-codescan already relies on); updated the doc and fixture README to match honestly.
  2. Missing security-events: write (Codex + CodeRabbit, same finding) — added, and added the fork-PR guard on the SARIF/upload steps specifically (mirroring own-check-codescan's existing guard) so external contributors don't get red CI from a permission a fork PR can never have.
  3. Template-injection risk in move-major-tag (CodeRabbit, via zizmor) — inputs.move_major_tag_to and step outputs were interpolated directly into run: bodies. Moved through env: and added a SemVer-shape validation as a second guard, matching the pattern action.yml itself already uses elsewhere in this repo.

Thanks both — #1 in particular meant the job would never have run at all, which local YAML parsing obviously couldn't catch.


Generated by Claude Code

{
public void Run()
{
var buffer = new MemoryStream();

Copy link
Copy Markdown
Owner Author

Pausing this PR per direction: a public-facade rebrand (product "Owen", Action display name "Owen lifetime/resource check") needs to land first. See #246.

Once #246 merges, this PR will be rebuilt against it — retargeting action.yml's display name and the consumer-simulation fixtures at the Owen identity. Not merging this PR as-is.


Generated by Claude Code

@github-actions

Copy link
Copy Markdown

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 12, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Copy link
Copy Markdown
Owner Author

Superseded by #248 — rebuilt against the merged Owen public facade (#246), and corrects a stale claim in this PR's own description (the consumer-simulation job's real, reviewed implementation has always used uses: ./, not the dynamic uses: PhysShell/Own.NET@${{ github.sha }} this PR's body described — GitHub Actions doesn't evaluate expressions in steps.uses). Closing this one in favor of #248, per the reviewer's instruction not to merge it in its current pre-Owen form.


Generated by Claude Code

@PhysShell PhysShell closed this Jul 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants