dgenio
diff --git a/‎.github/problem-matchers/vibeguard.json‎
Lines changed: 40 additions & 0 deletions b/‎.github/problem-matchers/vibeguard.json‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎.github/workflows/test-action.yml‎
Lines changed: 34 additions & 0 deletions b/‎.github/workflows/test-action.yml‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎action.yml‎
Lines changed: 159 additions & 0 deletions b/‎action.yml‎
Lines changed: 159 additions & 0 deletions
diff --git a/‎docs/github-action-reference.md‎
Lines changed: 70 additions & 0 deletions b/‎docs/github-action-reference.md‎
Lines changed: 70 additions & 0 deletions
@@ -0,0 +1,40 @@
+{
+  "problemMatcher": [
+    {
+      "owner": "vibeguard",
+      "severity": "error",
+      "pattern": [
+        {
+          "regexp": "^│\\s*(?:☠ CRITICAL|✗ HIGH)\\s*│\\s*(\\S+)\\s*│\\s*([^:│]+?)(?::(\\d+))?\\s*│\\s*(.+?)\\s*│$",
+          "file": 2,
+          "line": 3,
+          "message": 4
+        }
+      ]
+    },
+    {
+      "owner": "vibeguard-warning",
+      "severity": "warning",
+      "pattern": [
+        {
+          "regexp": "^│\\s*(?:⚠ MEDIUM)\\s*│\\s*(\\S+)\\s*│\\s*([^:│]+?)(?::(\\d+))?\\s*│\\s*(.+?)\\s*│$",
+          "file": 2,
+          "line": 3,
+          "message": 4
+        }
+      ]
+    },
+    {
+      "owner": "vibeguard-notice",
+      "severity": "notice",
+      "pattern": [
+        {
+          "regexp": "^│\\s*(?:↓ LOW|ℹ INFO)\\s*│\\s*(\\S+)\\s*│\\s*([^:│]+?)(?::(\\d+))?\\s*│\\s*(.+?)\\s*│$",
+          "file": 2,
+          "line": 3,
+          "message": 4
+        }
+      ]
+    }
+  ]
+}
@@ -0,0 +1,34 @@
+name: Test Action
+
+on:
+  pull_request:
+    paths:
+      - 'action.yml'
+      - 'vibeguard/**'
+
+permissions:
+  contents: read
+
+jobs:
+  test-action:
+    name: Test local action
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: ./
+        id: vibeguard
+        with:
+          path: 'examples/vulnerable-node-package'
+          fail-on: 'critical'
+          output-format: 'json'
+          output-file: 'test-output.json'
+        continue-on-error: true
+
+      - name: Verify outputs
+        run: |
+          echo "Gate passed: ${{ steps.vibeguard.outputs.gate-passed }}"
+          echo "Findings: ${{ steps.vibeguard.outputs.findings-count }}"
+          test -f test-output.json
@@ -0,0 +1,159 @@
+name: 'VibeGuard'
+description: 'Deterministic pre-merge safety gate for AI-generated code'
+branding:
+  icon: shield
+  color: blue
+
+inputs:
+  path:
+    description: 'Directory to scan'
+    required: false
+    default: '.'
+  config:
+    description: 'Path to vibeguard.yaml'
+    required: false
+    default: ''
+  diff:
+    description: 'Scan only changed files'
+    required: false
+    default: 'false'
+  fail-on:
+    description: 'Severity threshold for gate failure (info|low|medium|high|critical)'
+    required: false
+    default: 'high'
+  output-format:
+    description: 'Output format: console, json, markdown, sarif, pr-comment'
+    required: false
+    default: 'console'
+  output-file:
+    description: 'Write output to this file path'
+    required: false
+    default: ''
+  baseline:
+    description: 'Path to baseline file'
+    required: false
+    default: ''
+  python-version:
+    description: 'Python version to use'
+    required: false
+    default: '3.11'
+
+outputs:
+  findings-count:
+    description: >-
+      Total number of findings. Accurate when output-format is json (parsed from
+      the JSON payload); otherwise the literal string "unknown".
+    value: ${{ steps.scan.outputs.findings-count }}
+  blocking-count:
+    description: >-
+      Number of findings at or above the fail-on threshold. Accurate when
+      output-format is json; otherwise "unknown". The boolean gate-passed
+      output is always accurate.
+    value: ${{ steps.scan.outputs.blocking-count }}
+  report-path:
+    description: 'Path to the output file (if output-file was set)'
+    value: ${{ steps.scan.outputs.report-path }}
+  gate-passed:
+    description: 'Whether the gate passed (true or false)'
+    value: ${{ steps.scan.outputs.gate-passed }}
+
+runs:
+  using: composite
+  steps:
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: ${{ inputs.python-version }}
+        cache: pip
+
+    - name: Install VibeGuard
+      shell: bash
+      # Install from the checked-out action source so the CLI version matches
+      # the action ref (e.g. `uses: dgenio/vibeguard@v0.2`). Installing from
+      # PyPI here would let the CLI float independently of the action tag,
+      # which defeats the point of pinning.
+      run: pip install "${{ github.action_path }}"
+
+    - name: Run VibeGuard gate
+      id: scan
+      shell: bash
+      # Pipe each input through an intermediate env var rather than inlining
+      # `${{ inputs.* }}` into the shell command. See GitHub's security-
+      # hardening guidance for composite actions:
+      # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+      env:
+        INPUT_PATH: ${{ inputs.path }}
+        INPUT_FAIL_ON: ${{ inputs.fail-on }}
+        INPUT_DIFF: ${{ inputs.diff }}
+        INPUT_CONFIG: ${{ inputs.config }}
+        INPUT_BASELINE: ${{ inputs.baseline }}
+        INPUT_OUTPUT_FORMAT: ${{ inputs.output-format }}
+        INPUT_OUTPUT_FILE: ${{ inputs.output-file }}
+      run: |
+        set +e
+
+        # Build command using only env vars (quoted) — never inline templating.
+        CMD=(vibeguard gate --path "$INPUT_PATH" --fail-on "$INPUT_FAIL_ON")
+
+        if [ "$INPUT_DIFF" = "true" ]; then
+          CMD+=(--diff)
+        fi
+
+        if [ -n "$INPUT_CONFIG" ]; then
+          CMD+=(--config "$INPUT_CONFIG")
+        fi
+
+        if [ -n "$INPUT_BASELINE" ]; then
+          CMD+=(--baseline "$INPUT_BASELINE")
+        fi
+
+        # Output format
+        FORMAT="$INPUT_OUTPUT_FORMAT"
+        case "$FORMAT" in
+          json)       CMD+=(--json) ;;
+          markdown)   CMD+=(--markdown) ;;
+          sarif)      CMD+=(--sarif) ;;
+          pr-comment) CMD+=(--pr-comment) ;;
+        esac
+
+        # Run and capture output. Redirect only stdout to OUTPUT_FILE so that
+        # warnings on stderr (Git missing, config notices, rich formatting)
+        # don't corrupt JSON/SARIF/Markdown reports; stderr flows to the job
+        # log instead.
+        OUTPUT_FILE="$INPUT_OUTPUT_FILE"
+        if [ -n "$OUTPUT_FILE" ]; then
+          "${CMD[@]}" > "$OUTPUT_FILE"
+          EXIT_CODE=$?
+          echo "report-path=$OUTPUT_FILE" >> "$GITHUB_OUTPUT"
+        else
+          "${CMD[@]}"
+          EXIT_CODE=$?
+        fi
+
+        # Parse counts from JSON output. We only know real counts when the user
+        # asked for json + output-file; for any other format we emit "unknown"
+        # rather than lying with a hardcoded zero. gate-passed below remains
+        # authoritative regardless. jq is preinstalled on GitHub-hosted runners.
+        FINDINGS_COUNT="unknown"
+        BLOCKING_COUNT="unknown"
+        if [ "$FORMAT" = "json" ] && [ -n "$OUTPUT_FILE" ] && [ -f "$OUTPUT_FILE" ] && command -v jq >/dev/null 2>&1; then
+          FC=$(jq '.findings | length' "$OUTPUT_FILE" 2>/dev/null)
+          BC=$(jq --arg t "$INPUT_FAIL_ON" '
+            ({info:0,low:1,medium:2,high:3,critical:4}) as $o
+            | ($o[$t] // 3) as $thresh
+            | [.findings[] | select(($o[(.severity // "info") | ascii_downcase] // 0) >= $thresh)]
+            | length
+          ' "$OUTPUT_FILE" 2>/dev/null)
+          if [ -n "$FC" ]; then FINDINGS_COUNT="$FC"; fi
+          if [ -n "$BC" ]; then BLOCKING_COUNT="$BC"; fi
+        fi
+        echo "findings-count=$FINDINGS_COUNT" >> "$GITHUB_OUTPUT"
+        echo "blocking-count=$BLOCKING_COUNT" >> "$GITHUB_OUTPUT"
+
+        if [ $EXIT_CODE -eq 0 ]; then
+          echo "gate-passed=true" >> "$GITHUB_OUTPUT"
+        else
+          echo "gate-passed=false" >> "$GITHUB_OUTPUT"
+        fi
+
+        exit $EXIT_CODE
@@ -0,0 +1,70 @@
+# VibeGuard GitHub Action
+
+The `dgenio/vibeguard` action runs VibeGuard as a composite GitHub Action step.
+
+## Usage
+
+```yaml
+- uses: dgenio/vibeguard@v0.2
+  with:
+    path: '.'
+    diff: 'true'
+    fail-on: 'high'
+    output-format: 'sarif'
+    output-file: 'vibeguard.sarif'
+```
+
+## Inputs
+
+| Input | Required | Default | Description |
+|---|---|---|---|
+| `path` | No | `.` | Directory to scan |
+| `config` | No | `` | Path to vibeguard.yaml |
+| `diff` | No | `false` | Scan only changed files |
+| `fail-on` | No | `high` | Severity threshold for gate failure |
+| `output-format` | No | `console` | `console`, `json`, `markdown`, `sarif`, `pr-comment` |
+| `output-file` | No | `` | Write output to this file path |
+| `baseline` | No | `` | Path to baseline file |
+| `python-version` | No | `3.11` | Python version to use |
+
+## Outputs
+
+| Output | Description |
+|---|---|
+| `findings-count` | Total number of findings |
+| `blocking-count` | Number of findings at or above fail-on threshold |
+| `report-path` | Path to the output file (if output-file was set) |
+| `gate-passed` | `true` or `false` |
+
+## Complete Example
+
+```yaml
+name: VibeGuard
+on: [pull_request]
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  vibeguard:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: dgenio/vibeguard@v0.2
+        id: vibeguard
+        with:
+          diff: 'true'
+          fail-on: 'high'
+          output-format: 'sarif'
+          output-file: 'vibeguard.sarif'
+
+      - name: Upload SARIF
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: vibeguard.sarif
+```