Merge pull request #1 from step-security/setup-action

Setup Action

.github/workflows/echo-1.yaml

@@ -0,0 +1,16 @@
+name: Message Echo 1
+
+on: 
+  workflow_dispatch:
+    inputs:
+      message:
+        description: "Message to echo"
+        required: true
+        # No default
+
+jobs:
+  echo:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Echo message
+        run: echo '${{ inputs.message }}'

.github/workflows/echo-2.yaml

@@ -0,0 +1,16 @@
+name: Message Echo 2
+
+on: 
+  workflow_dispatch:
+    inputs:
+      message:
+        description: "Message to echo"
+        required: false
+        default: "this is echo 2"
+
+jobs:
+  echo:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Echo message
+        run: echo '${{ inputs.message }}'

.github/workflows/echo-3.yaml

@@ -0,0 +1,19 @@
+name: Message Echo 3
+
+# A version using workflow_call for investigation purposes
+
+on: 
+  workflow_call:
+    inputs:
+      message:
+        required: false
+        default: "this is echo 3"
+        type: string
+        description: "Message to echo"
+
+jobs:
+  echo:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Echo message
+        run: echo '${{ inputs.message }}'

.github/workflows/release.yml

@@ -0,0 +1,37 @@
+name: Release new action version
+on:
+  workflow_dispatch:
+    inputs:
+      TAG_NAME:
+        description: "Tag name that the major tag will point to"
+        required: true
+
+env:
+  TAG_NAME: ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }}
+defaults:
+  run:
+    shell: pwsh
+
+permissions:
+  contents: read
+
+jobs:
+  update_tag:
+    name: Update the major tag to include the ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }} changes
+    # Remember to configure the releaseNewActionVersion environment with required approvers in the repository settings
+    environment:
+      name: releaseNewActionVersion
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+
+      - name: Update the ${{ env.TAG_NAME }} tag
+        uses: step-security/publish-action@b438f840875fdcb7d1de4fc3d1d30e86cf6acb5d
+        with:
+          source-tag: ${{ env.TAG_NAME }}

.github/workflows/test.yaml

@@ -0,0 +1,20 @@
+name: Workflow Tester
+
+on: 
+  workflow_dispatch:
+
+jobs:
+  testAction:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Invoke echo 1
+      uses: ./
+      with:
+        workflow: echo-1.yaml
+        inputs: '{"message": "blah blah this is a test"}'   
+    - name: Invoke echo 2
+      uses: ./
+      with:
+        workflow: Message Echo 2
+        inputs: '{"message": "mushrooms in the morning"}'           

.gitignore

@@ -0,0 +1,2 @@
+node_modules/
+.env

LICENSE

@@ -1,6 +1,7 @@
 MIT License
 
 Copyright (c) 2023 StepSecurity
+Copyright 2020 Ben Coleman
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -0,0 +1,79 @@
+# StepSecurity Maintained `workflow-dispatch` Action
+
+Forked from [benc-uk/workflow-dispatch](https://github.com/benc-uk/workflow-dispatch)
+
+This action triggers another GitHub Actions workflow, using the `workflow_dispatch` event.  
+The workflow must be configured for this event type e.g. `on: [workflow_dispatch]`
+
+This allows you to chain workflows, the classic use case is have a CI build workflow, trigger a CD release/deploy workflow when it completes. Allowing you to maintain separate workflows for CI and CD, and pass data between them as required.
+
+For details of the `workflow_dispatch` even see [this blog post introducing this type of trigger](https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/)
+
+_Note 1._ GitHub now has a native way to chain workflows called "reusable workflows". See the docs on [reusing workflows](https://docs.github.com/en/actions/using-workflows/reusing-workflows). This approach is somewhat different from workflow_dispatch but it's worth keeping in mind.
+
+_Note 2._ The GitHub UI will report flows triggered by this action as "manually triggered" even though they have been run programmatically via another workflow and the API.
+
+_Note 3._ If you want to reference the target workflow by ID, you will need to list them with the following REST API call `curl https://api.github.com/repos/{{owner}}/{{repo}}/actions/workflows -H "Authorization: token {{pat-token}}"`
+
+## Action Inputs
+
+### `workflow`
+
+**Required.** The name, filename or ID of the workflow to be triggered and run. All three possibilities are used when looking for the workflow. e.g.
+
+```yaml
+workflow: My Workflow
+# or
+workflow: my-workflow.yaml
+# or
+workflow: 1218419
+```
+
+### `inputs`
+
+**Optional.** The inputs to pass to the workflow (if any are configured), this must be a JSON encoded string, e.g. `{ "myInput": "foobar" }`
+
+### `ref`
+
+**Optional.** The Git reference used with the triggered workflow run. The reference can be a branch, tag, or a commit SHA. If omitted the context ref of the triggering workflow is used. If you want to trigger on pull requests and run the target workflow in the context of the pull request branch, set the ref to `${{ github.event.pull_request.head.ref }}`.
+
+### `repo`
+
+**Optional.** The default behavior is to trigger workflows in the same repo as the triggering workflow, if you wish to trigger in another GitHub repo "externally", then provide the owner + repo name with slash between them e.g. `microsoft/vscode`.
+
+- When triggering across repos like this, you **must** provide a `token` (see below), or you will get an _"Resource not accessible by integration"_ error.
+- If the default branch in the other repo is different from the calling repo, you must provide `ref` input also, or you will get a _"No ref found"_ error.
+
+### `token`
+
+**Optional.** By default the standard `github.token`/`GITHUB_TOKEN` will be used and you no longer need to provide your own token here. However when using the `repo` option, you must provide a token here, create a PAT token with repo rights, and pass it here via a secret. This options is also left for backwards compatibility reasons.
+
+## Action Outputs
+
+This Action emits a single output named `workflowId`.
+
+## Example usage
+
+```yaml
+- name: Invoke workflow without inputs
+  uses: step-security/workflow-dispatch@v1
+  with:
+    workflow: My Workflow
+```
+
+```yaml
+- name: Invoke workflow with inputs
+  uses: step-security/workflow-dispatch@v1
+  with:
+    workflow: Another Workflow
+    inputs: '{ "message": "blah blah", "something": true }'
+```
+
+```yaml
+- name: Invoke workflow in another repo with inputs
+  uses: step-security/workflow-dispatch@v1
+  with:
+    workflow: my-workflow.yaml
+    repo: step-security/example
+    inputs: '{ "message": "blah blah", "something": false }'
+```

SECURITY.md

@@ -0,0 +1,5 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please report security vulnerabilities to [email protected]

action.yaml

@@ -0,0 +1,28 @@
+name: 'Workflow Dispatch'
+description: 'Trigger and chain GitHub Actions workflows with workflow_dispatch events'
+
+inputs:
+  workflow:
+    description: 'Name, filename or ID of workflow to run'
+    required: true
+  token:
+    description: 'GitHub token with repo write access, only required if the workflow is in a different repository'
+    required: false
+    default: ${{ github.token }}
+  inputs:
+    description: 'Inputs to pass to the workflow, must be a JSON string'
+    required: false
+  ref:
+    description: 'The reference can be a branch, tag, or a commit SHA'
+    required: false
+  repo:
+    description: 'Repo owner & name, slash separated, only set if invoking a workflow in a different repo'
+    required: false
+
+runs:
+  using: 'node16'
+  main: 'dist/index.js'
+
+branding:
+  color: purple
+  icon: send