Compare score to latest release if possible

Author: cadivus

.github/composite_actions/package_score/action.yaml

@@ -3,6 +3,9 @@ description: |
   Run pana (pub.dev package analyzer) to compute the package score,
   print a readable report to the workflow log, and upload an HTML
   report as a workflow artifact.
+  The score is compared against the currently published version on
+  pub.dev — the build fails if the score regresses. If the package
+  has never been published, no threshold is enforced.
 
 inputs:
   working-directory:
@@ -11,12 +14,6 @@ inputs:
   package-name:
     description: The name of the package being scored
     required: true
-  exit-code-threshold:
-    description: |
-      Fail the step if (maxPoints - grantedPoints) exceeds this value.
-      Set to -1 to never fail. Default 160 means score must be >= 0/160.
-    required: false
-    default: "160"
 
 runs:
   using: "composite"
@@ -25,18 +22,41 @@ runs:
       shell: bash
       run: dart pub global activate pana
 
+    - name: Fetch published score from pub.dev
+      id: published
+      shell: bash
+      run: |
+        PACKAGE_NAME="${{ inputs.package-name }}"
+        HTTP_CODE=$(curl -s -o "$RUNNER_TEMP/pubdev_score.json" -w "%{http_code}" \
+          "https://pub.dev/api/packages/${PACKAGE_NAME}/score")
+
+        if [ "$HTTP_CODE" = "200" ]; then
+          GRANTED=$(python3 -c "import json; d=json.load(open('$RUNNER_TEMP/pubdev_score.json')); print(d.get('grantedPoints', 0))")
+          MAX=$(python3 -c "import json; d=json.load(open('$RUNNER_TEMP/pubdev_score.json')); print(d.get('maxPoints', 160))")
+          THRESHOLD=$((MAX - GRANTED))
+          echo "published=true" >> "$GITHUB_OUTPUT"
+          echo "granted=$GRANTED" >> "$GITHUB_OUTPUT"
+          echo "max=$MAX" >> "$GITHUB_OUTPUT"
+          echo "threshold=$THRESHOLD" >> "$GITHUB_OUTPUT"
+          echo "Published score for ${PACKAGE_NAME}: ${GRANTED}/${MAX} (threshold: ${THRESHOLD})"
+        else
+          echo "published=false" >> "$GITHUB_OUTPUT"
+          echo "Package ${PACKAGE_NAME} not found on pub.dev (HTTP ${HTTP_CODE}) — skipping threshold enforcement"
+        fi
+
     - name: Run pana
       id: pana
       shell: bash
       working-directory: ${{ inputs.working-directory }}
       run: |
-        # Run pana with threshold; capture markdown output and exit code.
         set +e
-        if [ "${{ inputs.exit-code-threshold }}" != "-1" ]; then
+        if [ "${{ steps.published.outputs.published }}" = "true" ]; then
+          echo "Enforcing threshold: score must be at least ${{ steps.published.outputs.granted }}/${{ steps.published.outputs.max }} (published score)"
           dart pub global run pana \
-            --exit-code-threshold ${{ inputs.exit-code-threshold }} \
+            --exit-code-threshold ${{ steps.published.outputs.threshold }} \
             --no-warning . > "$RUNNER_TEMP/pana_score.md" 2>&1
         else
+          echo "No published score found — running pana without threshold"
           dart pub global run pana \
             --no-warning . > "$RUNNER_TEMP/pana_score.md" 2>&1
         fi
@@ -63,5 +83,5 @@ runs:
       if: steps.pana.outputs.pana_exit != '0'
       shell: bash
       run: |
-        echo "::error::Pana score is below the required threshold (exit-code-threshold: ${{ inputs.exit-code-threshold }})"
+        echo "::error::Pana score regressed below the published score (${{ steps.published.outputs.granted }}/${{ steps.published.outputs.max }}) on pub.dev"
         exit ${{ steps.pana.outputs.pana_exit }}