ci: bump checkout v4->v6, add CLI tests to CI, add GitHub Action for health scanning

dusan-maintains · dusan-maintains · commit 2f98a404d502 · 2026-03-19T12:42:14.000+05:00
- Updated all 3 workflows to actions/checkout@v6
- Added test-cli job to validate.yml (npm test + --version check)
- Created cli/action.yml for GitHub Marketplace:
  inputs: path, threshold, include-dev, github-token
  outputs: results (JSON), average-score, critical-count
  Features: CI annotations, threshold-based failure
diff --git a/.github/workflows/evidence-daily.yml b/.github/workflows/evidence-daily.yml
@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Git Identity
         run: |
diff --git a/.github/workflows/publish-cli.yml b/.github/workflows/publish-cli.yml
@@ -17,7 +17,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
@@ -12,9 +12,29 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Validate configuration and scripts
         shell: pwsh
         run: |
           ./scripts/validate-repo.ps1
+
+  test-cli:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Run CLI unit tests
+        working-directory: cli
+        run: npm test
+
+      - name: Verify CLI runs
+        working-directory: cli
+        run: node bin/scan.js --version
diff --git a/cli/action.yml b/cli/action.yml
@@ -0,0 +1,83 @@
+name: "OSS Health Scan"
+description: "Scan your dependencies for abandoned, unmaintained, or unhealthy npm packages. Get health scores (0-100) for every dependency."
+author: "dusan-maintains"
+
+branding:
+  icon: "shield"
+  color: "blue"
+
+inputs:
+  path:
+    description: "Path to directory containing package.json (default: repo root)"
+    required: false
+    default: "."
+  threshold:
+    description: "Fail if any package scores below this threshold (0-100)"
+    required: false
+    default: "0"
+  include-dev:
+    description: "Include devDependencies in scan"
+    required: false
+    default: "false"
+  github-token:
+    description: "GitHub token for higher API rate limits (recommended)"
+    required: false
+    default: ${{ github.token }}
+
+outputs:
+  results:
+    description: "JSON scan results"
+    value: ${{ steps.scan.outputs.results }}
+  average-score:
+    description: "Average health score across all dependencies"
+    value: ${{ steps.scan.outputs.average }}
+  critical-count:
+    description: "Number of packages with critical health scores"
+    value: ${{ steps.scan.outputs.critical }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Setup Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: '20'
+
+    - name: Install oss-health-scan
+      shell: bash
+      run: npm install -g oss-health-scan@latest
+
+    - name: Run health scan
+      id: scan
+      shell: bash
+      env:
+        GITHUB_TOKEN: ${{ inputs.github-token }}
+      run: |
+        FLAGS=""
+        if [ "${{ inputs.include-dev }}" = "true" ]; then
+          FLAGS="$FLAGS --dev"
+        fi
+        if [ "${{ inputs.threshold }}" != "0" ]; then
+          FLAGS="$FLAGS --threshold ${{ inputs.threshold }}"
+        fi
+
+        # Run JSON scan for outputs
+        RESULTS=$(oss-health-scan ${{ inputs.path }} --json $FLAGS 2>/dev/null || true)
+        echo "results<<EOF" >> $GITHUB_OUTPUT
+        echo "$RESULTS" >> $GITHUB_OUTPUT
+        echo "EOF" >> $GITHUB_OUTPUT
+
+        # Extract stats
+        AVG=$(echo "$RESULTS" | node -e "const d=require('fs').readFileSync(0,'utf8');try{const j=JSON.parse(d);const s=j.results.filter(r=>r.health_score!=null);console.log((s.reduce((a,r)=>a+r.health_score,0)/s.length).toFixed(1))}catch{console.log('N/A')}")
+        CRIT=$(echo "$RESULTS" | node -e "const d=require('fs').readFileSync(0,'utf8');try{const j=JSON.parse(d);console.log(j.results.filter(r=>r.risk_level==='critical').length)}catch{console.log(0)}")
+        echo "average=$AVG" >> $GITHUB_OUTPUT
+        echo "critical=$CRIT" >> $GITHUB_OUTPUT
+
+        # Print human-readable report
+        oss-health-scan ${{ inputs.path }} $FLAGS --ci || true
+
+        # Fail if critical packages found and threshold > 0
+        if [ "${{ inputs.threshold }}" != "0" ] && [ "$CRIT" -gt 0 ]; then
+          echo "::error::$CRIT package(s) scored below threshold ${{ inputs.threshold }}"
+          exit 1
+        fi
