fix: publish action repo releases automatically (#44)

kantorcodes · kantorcodes · commit b95dbb9791cc · 2026-04-05T09:21:17.000-04:00
* fix: publish action repo releases automatically

Signed-off-by: Michael Kantor &lt;6068672+kantorcodes@users.noreply.github.com&gt;

* fix: address action release review feedback

Signed-off-by: Michael Kantor &lt;6068672+kantorcodes@users.noreply.github.com&gt;

* fix: detect untracked action bundle files

Signed-off-by: Michael Kantor &lt;6068672+kantorcodes@users.noreply.github.com&gt;

* fix: make action release publication rerunnable

Signed-off-by: Michael Kantor &lt;6068672+kantorcodes@users.noreply.github.com&gt;

* docs: tighten action marketplace copy

Signed-off-by: Michael Kantor &lt;6068672+kantorcodes@users.noreply.github.com&gt;

---------

Signed-off-by: Michael Kantor &lt;6068672+kantorcodes@users.noreply.github.com&gt;
diff --git a/.github/workflows/publish-action-repo.yml b/.github/workflows/publish-action-repo.yml
@@ -1,146 +1,140 @@
 name: Publish GitHub Action Repository
 
 on:
-  release:
-    types: [published, edited]
   workflow_dispatch:
-    inputs:
-      release_tag:
-        description: "Release tag to publish from the source repository"
-        required: false
-        default: ""
-      action_repository:
-        description: "Dedicated public repository that hosts the Marketplace action"
-        required: false
-        default: "hashgraph-online/hol-codex-plugin-scanner-action"
-      create_repository:
-        description: "Create the dedicated action repository if it does not exist"
-        required: false
-        default: true
-        type: boolean
+  push:
+    branches:
+      - main
+    paths:
+      - action/action.yml
+      - action/README.md
+      - LICENSE
+      - SECURITY.md
+      - CONTRIBUTING.md
 
 permissions:
   contents: read
 
 concurrency:
-  group: codex-plugin-scanner-action-publish-${{ github.event.release.tag_name || inputs.release_tag || github.ref }}
+  group: codex-plugin-scanner-action-repo-${{ github.ref }}
   cancel-in-progress: false
 
 jobs:
   publish-action-repo:
-    name: Publish GitHub Action Repository
+    name: Sync action repo + publish release notes
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     env:
-      GH_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
-      ACTION_REPOSITORY: ${{ inputs.action_repository != '' && inputs.action_repository || vars.ACTION_REPOSITORY != '' && vars.ACTION_REPOSITORY || 'hashgraph-online/hol-codex-plugin-scanner-action' }}
-      RELEASE_TAG: ${{ github.event.release.tag_name || inputs.release_tag }}
-      CREATE_REPOSITORY: ${{ github.event_name == 'workflow_dispatch' && (inputs.create_repository && 'true' || 'false') || 'true' }}
-      PUBLISH_IMMUTABLE_RELEASE: ${{ github.event_name == 'release' || inputs.release_tag != '' }}
-      SOURCE_REF: ${{ github.event.release.tag_name || inputs.release_tag || github.ref_name }}
+      ACTION_REPOSITORY: ${{ vars.ACTION_REPOSITORY != '' && vars.ACTION_REPOSITORY || 'hashgraph-online/hol-codex-plugin-scanner-action' }}
+      SOURCE_REF: ${{ github.sha }}
       SOURCE_REPOSITORY: ${{ github.repository }}
       SOURCE_SERVER_URL: ${{ github.server_url }}
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-        with:
-          ref: ${{ github.event.release.tag_name || inputs.release_tag || github.ref }}
-          fetch-depth: 0
-
       - name: Validate publication credentials
+        env:
+          ACTION_REPO_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
         run: |
-          if [ -z "${GH_TOKEN}" ]; then
-            echo "ACTION_REPO_TOKEN is required to publish the GitHub Action repository." >&2
+          if [ -z "$ACTION_REPO_TOKEN" ]; then
+            echo "ACTION_REPO_TOKEN must be configured to publish the Marketplace action repository." >&2
             exit 1
           fi
 
-      - name: Resolve version
-        id: version
-        run: |
-          TAG="${RELEASE_TAG}"
-          if [ -z "${TAG}" ]; then
-            TAG=$(python3 -c "import tomllib; p=tomllib.load(open('pyproject.toml','rb')); print('v' + p['project']['version'])")
-          fi
-          VERSION="${TAG#v}"
-          echo "tag=${TAG}" >> "${GITHUB_OUTPUT}"
-          echo "version=${VERSION}" >> "${GITHUB_OUTPUT}"
+      - name: Checkout source repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
-      - name: Ensure action repository exists
-        run: |
-          if gh repo view "${ACTION_REPOSITORY}" >/dev/null 2>&1; then
-            exit 0
-          fi
-          if [ "${CREATE_REPOSITORY}" != "true" ]; then
-            echo "Action repository ${ACTION_REPOSITORY} does not exist and automatic creation is disabled." >&2
-            exit 1
-          fi
-          gh repo create "${ACTION_REPOSITORY}" \
-            --public \
-            --description "HOL Codex Plugin Scanner GitHub Action" \
-            --homepage "${SOURCE_SERVER_URL}/${SOURCE_REPOSITORY}" \
-            --disable-wiki
-
-      - name: Sync action repository contents
+      - name: Compute next action release tag
+        id: version
+        env:
+          GH_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
         run: |
-          VERSION="${{ steps.version.outputs.version }}"
-          TAG="${{ steps.version.outputs.tag }}"
-          WORKDIR="${RUNNER_TEMP}/action-repository"
-          git clone "https://x-access-token:${GH_TOKEN}@github.com/${ACTION_REPOSITORY}.git" "${WORKDIR}"
-          cd "${WORKDIR}"
+          LAST_TAG=$(gh release list --repo "$ACTION_REPOSITORY" --limit 1 --json tagName --jq '.[0].tagName // ""')
 
-          if git ls-remote --exit-code origin refs/heads/main >/dev/null 2>&1; then
-            git fetch origin main
-            git switch -C main origin/main
+          if [ -z "$LAST_TAG" ]; then
+            TAG="v1.0.0"
           else
-            git switch --orphan main
+            IFS=. read -r MAJOR MINOR PATCH <<< "${LAST_TAG#v}"
+            if [ -z "$MAJOR" ] || [ -z "$MINOR" ] || [ -z "$PATCH" ]; then
+              echo "Unsupported release tag format: $LAST_TAG" >&2
+              exit 1
+            fi
+            TAG="v${MAJOR}.${MINOR}.$((PATCH + 1))"
           fi
 
-          find . -mindepth 1 -maxdepth 1 ! -name '.git' -exec rm -rf {} +
+          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
+
+      - name: Clone action repository
+        env:
+          GH_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
+        run: gh repo clone "$ACTION_REPOSITORY" action-repo -- --depth 1
 
+      - name: Sync root-ready action bundle
+        working-directory: action-repo
+        run: |
           cp "${GITHUB_WORKSPACE}/action/action.yml" action.yml
           cp "${GITHUB_WORKSPACE}/action/README.md" README.md
           cp "${GITHUB_WORKSPACE}/LICENSE" LICENSE
           cp "${GITHUB_WORKSPACE}/SECURITY.md" SECURITY.md
+          cp "${GITHUB_WORKSPACE}/CONTRIBUTING.md" CONTRIBUTING.md
 
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git add action.yml README.md LICENSE SECURITY.md
-
-          HAS_HEAD=true
-          git rev-parse --verify HEAD >/dev/null 2>&1 || HAS_HEAD=false
-
-          if [ "${HAS_HEAD}" = "true" ] && git diff --cached --quiet; then
-            echo "No action repository content changes detected."
+      - name: Detect sync changes
+        id: diff
+        working-directory: action-repo
+        run: |
+          if [ -n "$(git status --short -- action.yml README.md LICENSE SECURITY.md CONTRIBUTING.md)" ]; then
+            echo "changed=true" >> "$GITHUB_OUTPUT"
           else
-            git commit -m "chore: publish action bundle ${TAG}"
-            git push origin HEAD:main
+            echo "changed=false" >> "$GITHUB_OUTPUT"
           fi
 
-          git tag -f v1
-          git push origin refs/tags/v1 --force
+      - name: Commit synced bundle
+        if: steps.diff.outputs.changed == 'true'
+        working-directory: action-repo
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add action.yml README.md LICENSE SECURITY.md CONTRIBUTING.md
+          git commit -m "chore: publish action bundle ${{ steps.version.outputs.tag }}"
 
-          if [ "${PUBLISH_IMMUTABLE_RELEASE}" = "true" ]; then
-            git tag -f "${TAG}"
-            git push origin "refs/tags/${TAG}" --force
-          fi
+      - name: Push action repository branch and tags
+        if: steps.diff.outputs.changed == 'true'
+        working-directory: action-repo
+        run: |
+          TAG="${{ steps.version.outputs.tag }}"
+          git push origin HEAD:main
+          git tag "$TAG"
+          git push origin "refs/tags/${TAG}"
+          git tag -fa v1 -m "Update floating major tag to ${TAG}"
+          git push origin refs/tags/v1 --force
 
-      - name: Create or update action repository release
-        if: env.PUBLISH_IMMUTABLE_RELEASE == 'true'
+      - name: Check action release state
+        id: release_state
+        working-directory: action-repo
+        env:
+          GH_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
         run: |
-          VERSION="${{ steps.version.outputs.version }}"
           TAG="${{ steps.version.outputs.tag }}"
-          if [ -n "${RELEASE_TAG}" ]; then
-            NOTES="Published automatically from ${SOURCE_SERVER_URL}/${SOURCE_REPOSITORY}/releases/tag/${TAG}"
+
+          if gh release view "${TAG}" --repo "$ACTION_REPOSITORY" >/dev/null 2>&1; then
+            echo "release_exists=true" >> "$GITHUB_OUTPUT"
           else
-            NOTES="Published automatically from ${SOURCE_SERVER_URL}/${SOURCE_REPOSITORY}/tree/${SOURCE_REF}"
+            echo "release_exists=false" >> "$GITHUB_OUTPUT"
           fi
 
-          if gh release view "${TAG}" --repo "${ACTION_REPOSITORY}" >/dev/null 2>&1; then
-            gh release edit "${TAG}" \
-              --repo "${ACTION_REPOSITORY}" \
-              --title "${TAG}" \
-              --notes "${NOTES}"
+          if git ls-remote --tags origin "refs/tags/${TAG}" | grep -q .; then
+            echo "tag_exists=true" >> "$GITHUB_OUTPUT"
           else
-            gh release create "${TAG}" \
-              --repo "${ACTION_REPOSITORY}" \
-              --title "${TAG}" \
-              --notes "${NOTES}"
+            echo "tag_exists=false" >> "$GITHUB_OUTPUT"
           fi
+
+      - name: Create action repository release
+        if: steps.release_state.outputs.release_exists == 'false' && (steps.diff.outputs.changed == 'true' || steps.release_state.outputs.tag_exists == 'true')
+        env:
+          GH_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
+        run: |
+          TAG="${{ steps.version.outputs.tag }}"
+          gh release create "${TAG}" \
+            --repo "$ACTION_REPOSITORY" \
+            --title "$TAG" \
+            --generate-notes \
+            --notes "Published automatically from ${SOURCE_SERVER_URL}/${SOURCE_REPOSITORY}/tree/${SOURCE_REF}"
diff --git a/action/README.md b/action/README.md
@@ -1,8 +1,14 @@
 # HOL Codex Plugin Scanner GitHub Action
 
-Scan your [Codex plugin](https://developers.openai.com/codex/plugins) for security, publishability, and best practices. The action emits a `0-100` score, a grade, and the requested report format.
+[![Latest Release](https://img.shields.io/github/v/release/hashgraph-online/hol-codex-plugin-scanner-action?display_name=tag)](https://github.com/hashgraph-online/hol-codex-plugin-scanner-action/releases/latest)
+[![Marketplace Repository](https://img.shields.io/badge/github-marketplace_repo-0A84FF)](https://github.com/hashgraph-online/hol-codex-plugin-scanner-action)
+[![Source of Truth](https://img.shields.io/badge/source-codex--plugin--scanner-111827)](https://github.com/hashgraph-online/codex-plugin-scanner/tree/main/action)
+[![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](https://github.com/hashgraph-online/codex-plugin-scanner/blob/main/LICENSE)
 
-This README is intentionally root-ready for a dedicated GitHub Marketplace action repository. GitHub Marketplace requires that repository to contain a single root `action.yml` and no workflow files.
+| ![Hashgraph Online Logo](https://raw.githubusercontent.com/hashgraph-online/standards-sdk-py/main/Hashgraph-Online.png) | Marketplace-ready GitHub Action for scanning [Codex plugins](https://developers.openai.com/codex/plugins) for security, publishability, runtime readiness, and registry trust signals. The action emits structured reports, SARIF, policy results, and submission metadata while staying aligned to the main scanner release train.<br><br>[Latest Release](https://github.com/hashgraph-online/hol-codex-plugin-scanner-action/releases/latest)<br>[Marketplace Repository](https://github.com/hashgraph-online/hol-codex-plugin-scanner-action)<br>[Scanner Source of Truth](https://github.com/hashgraph-online/codex-plugin-scanner/tree/main/action)<br>[Report an Issue](https://github.com/hashgraph-online/codex-plugin-scanner/issues) |
+| :--- | :--- |
+
+This repository is the Marketplace-facing wrapper for the scanner action. The main scanner repo remains the source of truth, while this published action bundle keeps the required root `action.yml` layout for GitHub Marketplace.
 
 ## Usage
 
@@ -15,8 +21,6 @@ This README is intentionally root-ready for a dedicated GitHub Marketplace actio
     fail_on_severity: high
 ```
 
-If your repository exposes multiple plugins from `.agents/plugins/marketplace.json`, keep `plugin_dir: "."`. The action will discover local `./plugins/...` entries automatically, scan each local plugin, and skip remote marketplace entries.
-
 ## Inputs
 
 | Input | Description | Default |
@@ -37,7 +41,7 @@ If your repository exposes multiple plugins from `.agents/plugins/marketplace.js
 | `fail_on_severity` | Fail on findings at or above this severity: `none`, `critical`, `high`, `medium`, `low`, `info` | `none` |
 | `cisco_skill_scan` | Cisco skill-scanner mode: `auto`, `on`, `off` | `auto` |
 | `cisco_policy` | Cisco policy preset: `permissive`, `balanced`, `strict` | `balanced` |
-| `install_cisco` | Install the scanner with its `cisco` extra enabled | `false` |
+| `install_cisco` | Install the published Cisco skill-scanner dependency used by this repo | `false` |
 | `submission_enabled` | Open submission issues for awesome-list and registry automation when the plugin clears the submission threshold | `false` |
 | `submission_score_threshold` | Minimum score required before a submission issue is created | `80` |
 | `submission_repos` | Comma-separated GitHub repositories that should receive the submission issue | `hashgraph-online/awesome-codex-plugins` |
@@ -97,7 +101,7 @@ jobs:
   scan:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
       - uses: hashgraph-online/hol-codex-plugin-scanner-action@v1
         with:
           plugin_dir: "."
@@ -119,7 +123,6 @@ This `plugin_dir: "."` pattern is correct for both single-plugin repositories an
     cisco_policy: strict
     install_cisco: true
 ```
-The action installs the scanner with its published `cisco` extra enabled, so the optional Cisco analysis path stays aligned with the dependency declared in `pyproject.toml`.
 
 ### Export registry payload for Codex ecosystem automation
 
@@ -153,7 +156,7 @@ jobs:
   scan:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
       - name: Scan plugin and submit if eligible
         id: scan
@@ -184,7 +187,7 @@ Use a fine-grained token with `issues:write` on `hashgraph-online/awesome-codex-
     output: scan-report.md
 
 - name: Comment PR
-  uses: actions/github-script@v8
+  uses: actions/github-script@v7
   with:
     script: |
       const fs = require('fs');
@@ -199,16 +202,18 @@ Use a fine-grained token with `issues:write` on `hashgraph-online/awesome-codex-
 
 ## Release Management
 
-- Publish immutable releases such as `v1.4.0`.
+- Publish immutable releases for this Marketplace wrapper repository automatically from the source scanner repo when `action/` changes merge to `main`.
 - Move the floating major tag `v1` to the latest compatible release.
 - Keep this action in its own public repository for GitHub Marketplace publication.
-- Configure `ACTION_REPO_TOKEN` in the source repository so `publish-action-repo.yml` can sync this root-ready bundle automatically.
+- Configure `ACTION_REPO_TOKEN` as a secret in the source repository so `publish-action-repo.yml` can automatically sync this root-ready bundle, create the action-repo release, and publish autogenerated release notes.
 - Optionally set `ACTION_REPOSITORY` in the source repository if the target repository should not be `hashgraph-online/hol-codex-plugin-scanner-action`.
 
-## Source Of Truth
+## Source of Truth
 
 The source bundle for this action lives in the main scanner repository under `action/`. Release artifacts from that repository should export a root-ready action bundle for the dedicated Marketplace repository.
 
+Direct edits in this Marketplace repository should stay limited to Marketplace-specific copy or metadata. Functional changes and release publication logic belong in `hashgraph-online/codex-plugin-scanner` so merges there can publish a matching action release automatically.
+
 ## License
 
 [Apache-2.0](https://github.com/hashgraph-online/codex-plugin-scanner/blob/main/LICENSE)
diff --git a/tests/test_action_bundle.py b/tests/test_action_bundle.py
@@ -15,8 +15,6 @@ def test_action_metadata_includes_marketplace_branding_and_fallback_install() ->
     assert "actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405" in action_text
     assert "pip install codex-plugin-scanner" in action_text
     assert 'pip install "$LOCAL_SOURCE"' in action_text
-    assert 'pip install "$LOCAL_SOURCE[cisco]"' in action_text
-    assert 'pip install "codex-plugin-scanner[cisco]"' in action_text
     assert "write_step_summary:" in action_text
     assert "profile:" in action_text
     assert "config:" in action_text
@@ -80,32 +78,39 @@ def test_publish_action_repo_workflow_syncs_action_repository() -> None:
     assert "hashgraph-online/hol-codex-plugin-scanner-action" in workflow_text
     assert "Validate publication credentials" in workflow_text
     assert "if: secrets.ACTION_REPO_TOKEN != ''" not in workflow_text
-    assert "inputs.create_repository && 'true' || 'false'" in workflow_text
+    assert 'git status --short -- action.yml README.md LICENSE SECURITY.md CONTRIBUTING.md' in workflow_text
     assert "SOURCE_REF" in workflow_text
-    assert "PUBLISH_IMMUTABLE_RELEASE" in workflow_text
-    assert 'gh repo create "${ACTION_REPOSITORY}"' in workflow_text
+    assert 'gh repo clone "$ACTION_REPOSITORY" action-repo -- --depth 1' in workflow_text
     assert 'cp "${GITHUB_WORKSPACE}/action/action.yml" action.yml' in workflow_text
-    assert 'if [ "${PUBLISH_IMMUTABLE_RELEASE}" = "true" ]; then' in workflow_text
+    assert 'git push origin HEAD:main' in workflow_text
+    assert 'gh release view "${TAG}" --repo "$ACTION_REPOSITORY"' in workflow_text
+    assert 'git ls-remote --tags origin "refs/tags/${TAG}"' in workflow_text
     assert "git push origin refs/tags/v1 --force" in workflow_text
+    assert "steps.release_state.outputs.release_exists == 'false'" in workflow_text
+    assert "steps.release_state.outputs.tag_exists == 'true'" in workflow_text
     assert 'gh release create "${TAG}"' in workflow_text
+    assert "--generate-notes" in workflow_text
     assert "Published automatically from ${SOURCE_SERVER_URL}/${SOURCE_REPOSITORY}/tree/${SOURCE_REF}" in workflow_text
 
 
 def test_action_bundle_docs_live_in_action_readme() -> None:
     action_readme = (ROOT / "action" / "README.md").read_text(encoding="utf-8")
 
-    assert "single root `action.yml`" in action_readme
-    assert "no workflow files" in action_readme
-    assert "dedicated Marketplace repository" in action_readme
-    assert "Source Of Truth" in action_readme
+    assert "Hashgraph-Online.png" in action_readme
+    assert "Latest Release" in action_readme
+    assert "Marketplace-facing wrapper" in action_readme
+    assert "root `action.yml` layout" in action_readme
+    assert "published action bundle" in action_readme
+    assert "Source of Truth" in action_readme
     assert "registry_payload_output" in action_readme
     assert "grade_label" in action_readme
     assert "max_severity" in action_readme
     assert "submission issue" in action_readme
     assert "awesome-codex-plugins" in action_readme
     assert "publish-action-repo.yml" in action_readme
-    assert "actions/github-script@v8" in action_readme
-    assert "scanner with its published `cisco` extra enabled" in action_readme
+    assert "hashgraph-online/hol-codex-plugin-scanner-action@v1" in action_readme
+    assert "actions/checkout@v4" in action_readme
+    assert "actions/github-script@v7" in action_readme
 
 
 def test_readme_uses_stable_apache_license_badge() -> None:
