feat(action): Marketplace-ready GitHub Action (prebuilt-binary) + github output format#10
…stall

Make Leakwatch usable from the GitHub Marketplace as `uses: HodeTech/Leakwatch@v1`, matching the low-friction adoption path of comparable tools.

Action (action.yml, moved to repo root from action/):
- Composite action that downloads the prebuilt release archive for the runner and verifies its SHA-256 checksum before running (Linux/macOS); replaces the compile-on-every-run `go install` approach.
- New inputs: output, remediation, config, scan-diff, extra-args, working-directory.
- PR-diff scanning: scan-diff=auto limits git scans to commits new to the event via --since-commit (PR base..HEAD / push before..HEAD).
- Writes a findings job summary to $GITHUB_STEP_SUMMARY (parsed from SARIF).
- Composite outputs now declare value: mappings, so findings-count/sarif-file are actually exposed (previously always empty).

CLI:
- New `github` output format emits ::error/::warning/::notice workflow commands for inline PR annotations. The raw secret is never printed (redacted only); command data/properties are percent-escaped. Registered in config.validFormats, selectFormatter, and the scan flag help. New internal/output/github package with 98% test coverage.

Release & CI:
- release.yml moves the floating major tag (v1) to each stable release via the REST API (gh), skipping pre-releases.
- action-test.yml self-tests the action on ubuntu+macos and runs actionlint (+shellcheck) over all workflows.
- ci.yml: quote the coverage-gate command substitution (SC2046) so the new actionlint job passes.

Docs:
- ADR-0009 records the decision (main-repo root + prebuilt-binary) and the manual Marketplace publish runbook.
- github-action.md and output-formats.md (EN+TR), README badge + usage, CHANGELOG, CLAUDE.md, and the decisions index updated; all `leakwatch-action` references switched to `Leakwatch`.

Linux/macOS runners only for now (composite + prebuilt binary); Windows is a documented future enhancement.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ive secrets

Security:
- Stop echoing the assembled scan command (path/extra-args may carry tokens or authenticated URLs that GitHub log masking would not catch).
- Reject action-managed flags (--format/--output/--config/--show-raw) in extra-args so the action's output/summary/upload bookkeeping cannot be bypassed.
- SHA-pin github/codeql-action/upload-sarif (runs in consumers' repos) and pin actions/checkout, actions/setup-go and actionlint in action-test.yml and ci.yml; add a least-privilege permissions block to ci.yml.

Correctness/robustness:
- Add a release-repo input (default HodeTech/Leakwatch) so the self-test can target the current repo and verify the install path end-to-end (the canonical default still applies for consumers; org transfer auto-redirects).
- Validate scan-diff (auto|true|false) and fail loudly when "true" has no usable base commit instead of silently scanning full history.
- curl --retry on downloads; friendly ::error on a missing/invalid release tag; warn when only-verified is combined with no-verify (which reports nothing); guard absolute working-directory for the SARIF path; note summary truncation.
- github formatter: escalate live-verified findings to ::error regardless of severity. Formatter tests now cover %/\r escaping, verify-error, the write error path, and the escalation (100% coverage).
- release.yml: require a vX.Y.Z tag before moving the major tag.

CI:
- New cli-github-format job builds this branch and exercises --format github end-to-end (the released binary the action installs predates that format).
- selectFormatter test now covers the github format.

Docs:
- Fix only-verified examples (README, CI/CD guide) to set no-verify: false; remove now-dead setup-go steps before the action; fix the README binary-download example (goreleaser naming); document release-repo and the extra-args restriction; soften ADR-0009's checksum claim and record provenance as a future enhancement.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…de, doc/bundle sync
- extra-args guard now prefix-matches (-f*/-o*/--format*/--output*/--config*/
--show-raw*), so combined shorthand like `-fcsv` or `-o/tmp/x` can no longer
override the action's managed flags (the previous exact-token guard was
bypassable; -f/-o are format/output only in this CLI).
- scan-diff: auto now degrades to a full scan with a ::warning:: when the base
commit isn't in the local clone (shallow checkout), instead of letting
leakwatch hard-fail (exit 2). scan-diff: true still fails with guidance.
- latest-version resolution: `|| true` on the redirect probe so a repo with no
releases shows the curated ::error:: instead of aborting under set -e; message
now names the repo and links its releases page.
- github format now always writes annotations to stdout even if an output file is
configured (e.g. output.file in .leakwatch.yaml) — workflow commands are inert
in a file, so this prevents silently swallowing them (cmd/scan_common.go).
- findings-count output description clarified (it is 0/1, not a count).
- Fix the broken comparison table in 01-COMPETITIVE-ANALYSIS.md (footnotes were
mid-table, terminating it; moved to the end so the last rows render).
- Regenerate site/js/manuals/{en,tr}.js so the updated CI/CD manuals ship
(the generated bundle was stale vs source).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
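The commits above describe the `github` output format by its properties (workflow commands, percent-escaped data and properties, redacted secret, live-verified findings escalated to `::error`, output always on stdout). The block below is an added, self-contained Go example of that behaviour; it is not Leakwatch's `internal/output/github` package. The `Finding` type, the function names, the severity-to-level table and the "keep four characters at each end" redaction shape are assumptions made for the example; the sample findings are constructed and the secret values are not real credentials.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"strings"
)

// Finding is a constructed stand-in for one scanner result (not Leakwatch's own type).
type Finding struct {
	File     string
	Line     int
	Detector string // detector id, e.g. aws-access-key-id
	Severity string // critical, high, medium, low
	Secret   string // raw matched value; must never reach the output
	Verified bool   // live verification against the provider succeeded
}

// escapeData applies the workflow-command escaping for the message part:
// '%' -> %25, '\r' -> %0D, '\n' -> %0A. Without it a path or secret containing
// "\n::error::" would be parsed by the runner as a second command.
func escapeData(s string) string {
	return strings.NewReplacer("%", "%25", "\r", "%0D", "\n", "%0A").Replace(s)
}

// escapeProperty escapes a property value (file, title); properties also
// escape ':' and ',' because those characters delimit the property list.
func escapeProperty(s string) string {
	return strings.NewReplacer("%", "%25", "\r", "%0D", "\n", "%0A", ":", "%3A", ",", "%2C").Replace(s)
}

// redact keeps four characters at each end and masks the middle. The shape
// "AKIA****K7NP" follows the sample annotation in the docs; the keep-length is
// an assumption for this example, not Leakwatch's documented rule.
func redact(secret string) string {
	if len(secret) <= 8 {
		return strings.Repeat("*", len(secret))
	}
	return secret[:4] + "****" + secret[len(secret)-4:]
}

// commandLevel maps a finding to error/warning/notice. A live-verified finding
// is always an error regardless of severity; the severity table is assumed.
func commandLevel(f Finding) string {
	if f.Verified {
		return "error"
	}
	switch f.Severity {
	case "critical", "high":
		return "error"
	case "medium":
		return "warning"
	default:
		return "notice"
	}
}

// formatFinding renders one annotation line; only the redacted secret is embedded.
func formatFinding(f Finding) string {
	title := escapeProperty("Leakwatch: " + f.Detector)
	msg := fmt.Sprintf("Potential secret detected by %s (%s): %s", f.Detector, f.Severity, redact(f.Secret))
	return fmt.Sprintf("::%s file=%s,line=%d,title=%s::%s",
		commandLevel(f), escapeProperty(f.File), f.Line, title, escapeData(msg))
}

// WriteAnnotations writes one command per finding to w and returns the count.
// In the action this is always stdout: commands written to a file are inert.
func WriteAnnotations(w io.Writer, findings []Finding) (int, error) {
	for _, f := range findings {
		if _, err := fmt.Fprintln(w, formatFinding(f)); err != nil {
			return 0, err
		}
	}
	return len(findings), nil
}

func main() {
	// Constructed sample findings; the secret strings are made up.
	findings := []Finding{
		{File: "config/prod.env", Line: 12, Detector: "aws-access-key-id", Severity: "critical", Secret: "AKIACONSTRUCTEDK7NP"},
		{File: "notes, draft.md", Line: 3, Detector: "generic-api-key", Severity: "medium", Secret: "tok_madeup%\nvalue", Verified: true},
	}
	if _, err := WriteAnnotations(os.Stdout, findings); err != nil {
		fmt.Fprintln(os.Stderr, "write annotations:", err)
		os.Exit(1)
	}
}
```

The first sample reproduces the docs' own annotation line exactly; the second shows a comma in the file name being escaped as `%2C` and a medium-severity finding escalated to `::error` because it verified live. Anything derived from the secret goes through `redact` before `escapeData`, so the raw value never reaches the command even when it contains `%` or newlines.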
Codacy: Not up to standards

| Category | Results |
|---|---|
| ErrorProne | 2 medium |

Metrics: complexity 45 · duplication 19
Code Review
This pull request prepares the Leakwatch GitHub Action for the Marketplace by moving the metadata to the repository root and transitioning from source compilation to prebuilt binary installation with SHA-256 verification. Key additions include a new github output format for inline PR annotations, automated job summaries, and PR diff scanning. Feedback focuses on improving the robustness of the action's shell script, specifically regarding the handling of absolute working directories for SARIF outputs and preventing unintended shell globbing when processing extra arguments.
| /*) echo "::warning::working-directory is absolute; the SARIF upload step may not locate the file. Use a repository-relative working-directory." | ||
| echo "sarif-file=$OUT" >> "$GITHUB_OUTPUT" ;; |
When working-directory is an absolute path, the sarif-file output is currently set to just $OUT (e.g., results.sarif). However, the file is actually created inside the absolute directory at ${WORKDIR}/$OUT. This will cause subsequent steps, such as the SARIF upload action, to fail because they expect a path relative to the repository root or a correct absolute path. It is better to provide the full path even when warning the user.
```bash
/*) echo "::warning::working-directory is absolute; the SARIF upload step may not locate the file. Use a repository-relative working-directory."
    echo "sarif-file=${WORKDIR%/}/$OUT" >> "$GITHUB_OUTPUT" ;;
```
Fixed in 47d2642. The non-. branch now reports ${WORKDIR%/}/$OUT for both relative and absolute working-directory values, so the SARIF upload step gets the actual path. The previous absolute-path case that emitted bare $OUT (and a warning) is removed.
| # can never silently disagree with the actual CLI invocation. | ||
| if [ -n "$INPUT_EXTRA_ARGS" ]; then | ||
| # shellcheck disable=SC2206 | ||
| extra=($INPUT_EXTRA_ARGS) |
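Review bot: the `extra=($INPUT_EXTRA_ARGS)` word-split at the last line of this hunk splits on whitespace only, so an extra-args value containing a quoted argument with spaces (for example `--exclude "my dir"`) reaches leakwatch as two tokens with the literal quote characters attached, and the comment above about never disagreeing with the actual CLI invocation no longer holds for that input. Suggest documenting that each whitespace-separated token is one argument and that space-containing values are not supported, or rejecting a value that contains a quote character with a `::error` so the mismatch is visible rather than silent.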
Using unquoted expansion for extra-args is necessary here to support multiple flags, but it also enables shell globbing. If a user passes an argument containing a wildcard (for example, --exclude="*.go"), the shell will attempt to expand it to matching files in the current directory before passing the result to leakwatch. This can lead to unexpected behavior or scan failures. It is safer to disable globbing with set -f before performing the word-splitting assignment.
```bash
set -f
# shellcheck disable=SC2206
extra=($INPUT_EXTRA_ARGS)
set +f
```
Fixed in 47d2642. The extra=($INPUT_EXTRA_ARGS) word-split is now wrapped in set -f / set +f, so a bare glob token (e.g. --exclude *.go) is no longer pathname-expanded against the working directory before reaching leakwatch. Verified in bash. Word-splitting into separate args is still intended.
Actionable comments posted: 7
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/action-test.yml:
- Around line 31-32: The checkout steps using actions/checkout (the two
occurrences shown as "uses:
actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3") should explicitly
disable persisted credentials by adding "persist-credentials: false" to each
actions/checkout step; update both checkout actions in the workflow so they
include that option to prevent the runner from persisting the GITHUB_TOKEN to
later steps.
- Around line 90-91: Replace the shell conditional assertions that use the "&&
... || { ... }" pattern with explicit if blocks: for the COUNT check, replace `[
"$COUNT" = "1" ] || { echo "::error::expected findings-count=1, got '$COUNT'";
exit 1; }` with an if/then/else that echoes the same error and exits non-zero
when the condition fails; likewise replace the SARIF check `[ -n "$SARIF" ] && [
-f "$SARIF" ] || { echo "::error::expected SARIF file at '$SARIF'"; exit 1; }`
with an explicit if that tests both conditions and errors/exits when they are
not met. Also add `persist-credentials: false` to every actions/checkout step
invocation (the steps using the `actions/checkout` action referenced at lines
near 31, 55, and 123) so each checkout step includes that key. Ensure behavior
and error messages remain identical after the change.
In @.github/workflows/ci.yml:
- Around line 19-20: The checkout steps in the CI workflow leave Git credentials
in the repo config; update every actions/checkout step (references: "uses:
actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3" and any other "uses:
actions/checkout" occurrences in the test, lint, and security jobs) to include
the input persist-credentials: false so credentials are not persisted to the
checked-out repository; ensure you add the persist-credentials: false key under
each checkout step and apply the same change to any other jobs that call
actions/checkout.
In `@docs/architecture/01-COMPETITIVE-ANALYSIS.md`:
- Around line 201-204: The document contradicts itself about TruffleHog custom
detectors; update the earlier statement that says "Go code + recompile" to match
the later note that TruffleHog supports YAML-based custom detectors via a
config.yaml detectors: block. Locate references to "TruffleHog", "config.yaml",
and the phrase "Go code + recompile" and replace or amend them so both sections
consistently state that TruffleHog supports custom detectors defined in YAML
(detectors:), while keeping any mention of optional Go-based extensions as a
secondary note if needed.
In `@docs/decisions/ADR-0009-github-marketplace-action.md`:
- Line 105: Replace the lowercase "github" in the user-facing sentence that
mentions PR-diff scanning and the `github` output format with the official
"GitHub" capitalization; locate the string in
ADR-0009-github-marketplace-action.md (the line containing "PR-diff scanning
(`--since-commit`) and the `github` output format") and update it to "GitHub" to
ensure consistent, correct branding.
In `@docs/user-manuals/en/output/output-formats.md`:
- Line 170: Replace the hash-route internal link `[GitHub
Action](`#/ci-cd/github-action`)` with a relative docs path (e.g.,
`../ci-cd/github-action.md` or appropriate relative location) so the link is
lint-safe and portable; locate the occurrence by searching for the link text
"GitHub Action" or the route '`#/ci-cd/github-action`' near the phrase "format:
github" and update it to the correct relative Markdown path while preserving the
link label and surrounding sentence.
In `@docs/user-manuals/tr/output/output-formats.md`:
- Line 170: The internal link `[GitHub Action](`#/ci-cd/github-action`)` on the
current line uses a hash route; replace it with a relative Markdown link in line
with the project's documentation standards: `[GitHub
Action](<relative-path-to-ci-cd-github-action-doc>)`, i.e. change the link
target from the hash route to a relative path to the corresponding .md file in
the documentation tree and make sure the link works; the link text should
remain `[GitHub Action]`.
📒 Files selected for processing (32)
- .github/workflows/action-test.yml
- .github/workflows/ci.yml
- .github/workflows/release.yml
- CHANGELOG.md
- CLAUDE.md
- README.md
- action.yml
- action/action.yml
- cmd/init.go
- cmd/scan_common.go
- cmd/scan_common_test.go
- cmd/scan_fs.go
- cmd/scan_gcs.go
- cmd/scan_git.go
- cmd/scan_image.go
- cmd/scan_repos.go
- cmd/scan_s3.go
- cmd/scan_slack.go
- docs/05-ROADMAP.md
- docs/architecture/01-COMPETITIVE-ANALYSIS.md
- docs/decisions/ADR-0009-github-marketplace-action.md
- docs/decisions/README.md
- docs/guides/ci-cd-integration.md
- docs/user-manuals/en/ci-cd/github-action.md
- docs/user-manuals/en/output/output-formats.md
- docs/user-manuals/tr/ci-cd/github-action.md
- docs/user-manuals/tr/output/output-formats.md
- internal/config/config.go
- internal/output/github/github_formatter.go
- internal/output/github/github_formatter_test.go
- site/js/manuals/en.js
- site/js/manuals/tr.js
💤 Files with no reviewable changes (1)
- action/action.yml
| - Fast, reproducible, checksum-verified install. | ||
| - New inputs (`output`, `remediation`, `config`, `scan-diff`, `extra-args`, | ||
| `working-directory`) and a job summary improve the CI experience. | ||
| - PR-diff scanning (`--since-commit`) and the `github` output format (inline |
Use the official GitHub capitalization in output-format text.
github should be GitHub in this user-facing sentence for consistency and correctness.
There was a problem hiding this comment.
Intentionally left lowercase. Here `github` is the literal output-format value (--format github / the action's format: github), shown in code font — not the GitHub brand name. Capitalizing it to GitHub would misstate the actual CLI/action value, so it is correct as-is.
There was a problem hiding this comment.
@cemililik, you're absolutely right — `github` in code font is the literal CLI enum value (--format github) and must stay lowercase to match the actual flag value. Capitalizing it would introduce a factual error in the documentation. Apologies for the noise.
✏️ Learnings added
Learnt from: cemililik
Repo: cemililik/Leakwatch PR: 10
File: docs/decisions/ADR-0009-github-marketplace-action.md:105-105
Timestamp: 2026-05-25T06:53:42.044Z
Learning: In the Leakwatch project (`docs/decisions/ADR-0009-github-marketplace-action.md` and related docs), the token `github` appearing in backtick code spans (e.g., `` `github` ``) refers to the literal CLI output-format value (`--format github` / action input `format: github`), not the GitHub brand name. It must remain lowercase and should not be flagged as a capitalization issue.
| ::error file=config/prod.env,line=12,title=Leakwatch%3A aws-access-key-id::Potential secret detected by aws-access-key-id (critical): AKIA****K7NP | ||
| ``` | ||
|
|
||
| This format is normally driven by the [GitHub Action](#/ci-cd/github-action) (`format: github`) rather than invoked by hand. |
Use a relative docs link instead of a hash-route internal link.
[GitHub Action](#/ci-cd/github-action) should be a relative path link to keep docs lint-safe and portable in Markdown renderers.
Suggested fix:

-This format is normally driven by the [GitHub Action](`#/ci-cd/github-action`) (`format: github`) rather than invoked by hand.
+This format is normally driven by the [GitHub Action](../ci-cd/github-action.md) (`format: github`) rather than invoked by hand.

As per coding guidelines: "docs/**/*.md: Use relative paths for internal documentation links".
Left as a hash route by design. These user manuals are rendered by a single-page docs portal that uses hash routing (#/section/page); #/ci-cd/github-action is the established convention used by ~140 sibling links across the manuals. A relative .md path would not resolve in the portal and would be inconsistent with every other internal manual link. The "relative paths" guideline applies to standalone Markdown, but these pages are SPA-routed — so skipping this one (and its TR twin) intentionally.
@cemililik, understood — that's a clear and valid distinction. The #/section/page hash-routing convention for the SPA docs portal overrides the standalone-Markdown guideline, and applying relative .md paths there would break navigation. I'll record this for future reviews.
✏️ Learnings added
Learnt from: cemililik
Repo: cemililik/Leakwatch PR: 10
File: docs/user-manuals/en/output/output-formats.md:170-170
Timestamp: 2026-05-25T06:53:45.117Z
Learning: In the `cemililik/Leakwatch` repository, docs under `docs/user-manuals/` (both `en/` and `tr/` subtrees) are rendered by a single-page application (SPA) docs portal that uses hash routing. Internal cross-document links in these files intentionally use hash routes in the form `#/section/page` (e.g., `#/ci-cd/github-action`), not relative `.md` file paths. Relative `.md` paths would not resolve in the portal and would be inconsistent with ~140 existing sibling links. The coding guideline "use relative paths for internal documentation links" does NOT apply to files under `docs/user-manuals/`; do not flag hash-route links in those files as issues.
| ::error file=config/prod.env,line=12,title=Leakwatch%3A aws-access-key-id::Potential secret detected by aws-access-key-id (critical): AKIA****K7NP | ||
| ``` | ||
|
|
||
| Bu format normalde elle çağrılmak yerine [GitHub Action](#/ci-cd/github-action) (`format: github`) tarafından kullanılır. |
Use a relative file path instead of a hash route for the internal link.
The `[GitHub Action](#/ci-cd/github-action)` expression should be a relative link, in line with the documentation standards.
Suggested fix:

-Bu format normalde elle çağrılmak yerine [GitHub Action](`#/ci-cd/github-action`) (`format: github`) tarafından kullanılır.
+Bu format normalde elle çağrılmak yerine [GitHub Action](../ci-cd/github-action.md) (`format: github`) tarafından kullanılır.

As per coding guidelines: "docs/**/*.md: Use relative paths for internal documentation links".
Left as a hash route by design. These user manuals are rendered by a single-page docs portal that uses hash routing (#/section/page); #/ci-cd/github-action is the established convention used by ~140 sibling links across the manuals. A relative .md path would not resolve in the portal and would be inconsistent with every other internal manual link. The "relative paths" guideline applies to standalone Markdown, but these pages are SPA-routed — so skipping this one (and its TR twin) intentionally.
@cemililik, understood — that context makes total sense. The hash-route convention is the correct approach for an SPA docs portal, and flagging these as broken links would be a false positive going forward. I'll record this for future reviews.
✏️ Learnings added
Learnt from: cemililik
Repo: cemililik/Leakwatch PR: 10
File: docs/user-manuals/tr/output/output-formats.md:170-170
Timestamp: 2026-05-25T06:53:44.746Z
Learning: In the `docs/user-manuals/` directory (both `en/` and `tr/` subtrees) of the Leakwatch repository, internal cross-document links intentionally use SPA hash-route syntax (`#/section/page`, e.g., `#/ci-cd/github-action`) instead of relative `.md` file paths. These docs are rendered by a single-page docs portal that uses hash routing; approximately 140 links across the manuals follow this convention. Suggesting replacement with relative `.md` paths would break navigation in the portal. Do not flag these hash-route links as invalid or suggest converting them to relative paths.
…gs, sarif path

Valid findings fixed:
- Add `persist-credentials: false` to every actions/checkout step in action-test.yml and ci.yml (don't persist GITHUB_TOKEN; matches release.yml).
- action.yml: `set -f` around the extra-args word-split so a bare glob token (e.g. `--exclude *.go`) isn't pathname-expanded against the work dir before reaching leakwatch.
- action.yml: report the correct sarif-file path for a non-"." working-directory (relative or absolute) instead of bare $OUT, so the SARIF upload step finds it.
- action-test.yml: convert the finding/SARIF assertions to explicit if blocks (drops the `A && B || C` pattern; identical messages/behavior).
- 01-COMPETITIVE-ANALYSIS.md: reconcile the two "requires writing Go code and recompiling" claims with the corrected footnote — TruffleHog supports YAML custom regex detectors; only custom verification logic needs Go.

Skipped (not valid against current code):
- ADR-0009 lowercase `github`: it's the backticked literal output-format name (`--format github`); capitalizing would misstate the CLI value.
- output-formats.md `#/ci-cd/github-action` links: `#/` hash routes are the deliberate docs-portal (SPA) convention used by ~140 sibling manual links; switching one to a .md path would break portal navigation and be inconsistent.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
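The three action.yml fixes discussed in this thread (the prefix-matching guard for action-managed flags, `set -f` around the extra-args word-split, and the sarif-file path for a non-"." working-directory) are small enough to exercise outside a runner. The block below is an added POSIX sh example that reproduces them as plain functions; it is not the project's action.yml, and the function names are chosen for the example. It uses `set -- $1` rather than a bash array so it runs under sh as well as bash.

```sh
#!/bin/sh
# Added example (not Leakwatch's action.yml): extra-args handling and the
# sarif-file path join as stand-alone functions.

# Word-split an extra-args string, one token per line, with pathname expansion
# disabled so a bare "*.go" stays literal instead of matching files in the
# current directory. set -f/+f changes the calling shell's option, as in the
# action; the action script never relies on globbing being off elsewhere.
split_extra_args() {
  set -f                 # disable globbing for the split below
  set -- $1              # split on IFS, same effect as extra=($INPUT_EXTRA_ARGS)
  set +f
  for tok in "$@"; do
    printf '%s\n' "$tok"
  done
}

# The same split without set -f, kept here only to show the failure mode:
# "*.go" expands to matching file names when any exist in the work dir.
split_without_set_f() {
  set -- $1
  for tok in "$@"; do
    printf '%s\n' "$tok"
  done
}

# Return 1 (with a ::error) if any token starts with an action-managed flag
# prefix, else 0. Prefix matching closes the combined-shorthand bypass
# (-fcsv, -o/tmp/x) that an exact-token comparison missed.
check_extra_args() {
  set -f
  set -- $1
  set +f
  for tok in "$@"; do
    case "$tok" in
      -f*|-o*|--format*|--output*|--config*|--show-raw*)
        printf '::error::extra-args may not override action-managed flag: %s\n' "$tok" >&2
        return 1 ;;
    esac
  done
  return 0
}

# Print the sarif-file path to expose: bare OUT for ".", otherwise the joined
# path, whether working-directory is relative or absolute.
sarif_output_path() {
  workdir=$1
  out=$2
  if [ "$workdir" = "." ]; then
    printf '%s\n' "$out"
  else
    printf '%s\n' "${workdir%/}/$out"
  fi
}
```

Running `split_extra_args '--exclude *.go'` in a directory that contains Go files yields two tokens, while `split_without_set_f` yields one per matching file plus the flag; that is the difference the `set -f` fix addresses. The guard deliberately matches `-f*` and `-o*` as prefixes because in this CLI those short flags only ever mean format and output.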
Summary

Makes Leakwatch usable from the GitHub Marketplace with one line — `uses: HodeTech/Leakwatch@v1` — matching the low-friction adoption path of comparable tools. The action metadata moves to the repo root and installs a prebuilt, checksum-verified binary (no more `go install` compile-on-every-run). Also adds a CLI `github` output format for inline PR annotations, release/CI plumbing, and a self-test. Decision record: ADR-0009.

What's included

Action (`action.yml`, moved to repo root from `action/`)
- New inputs: `output`, `remediation`, `config`, `scan-diff`, `extra-args`, `working-directory`, `release-repo`.
- `scan-diff: auto` limits `git` scans to commits new to the event (`--since-commit`); degrades to a full scan (with a warning) on a shallow checkout instead of hard-failing.
- Findings job summary written to `$GITHUB_STEP_SUMMARY`.
- `outputs` now declare `value:` mappings (previously `findings-count`/`sarif-file` were never exposed).
- `extra-args` rejects action-managed flags by prefix; nested `upload-sarif` is SHA-pinned.

CLI
- `github` output format (`internal/output/github`): emits `::error`/`::warning`/`::notice` workflow commands for inline PR annotations. Never prints the raw secret; data/properties are percent-escaped; live-verified findings escalate to `::error`. 100% test coverage. The format always writes to stdout even if an output file is configured.

Release & CI
- `release.yml` moves the floating `v1` tag to each stable `vX.Y.Z` release via the REST API (semver-guarded, skips pre-releases).
- `action-test.yml` self-tests the action on ubuntu + macOS and lints all workflows with `actionlint` (+shellcheck); a `cli-github-format` job builds this branch to exercise `--format github` end-to-end.
- `ci.yml`: least-privilege `permissions`, SHA-pinned actions, quoted coverage-gate substitution.

Docs
- `github-action.md` & `output-formats.md` (EN+TR), README badge + usage, CHANGELOG, CLAUDE.md, decisions index; all `leakwatch-action` refs → `Leakwatch`. Regenerated `site/js/manuals/*.js`.

Reviews addressed

Two thorough external reviews were fully addressed across `9cdc2ac` and `8726065`: security (no arg logging, `extra-args` bypass via combined shorthand, SHA-pinning), correctness (`scan-diff` validation/degradation, friendly version errors, `release-repo` override so the self-test verifies the install path against real artifacts), formatter escalation + test gaps, and doc fixes (only-verified examples, dead `setup-go` steps, broken competitive-analysis table, binary-download example).

Verification (all green locally)

`gofumpt -l` ∅ · `go vet` · `go build` · `golangci-lint run` 0 issues · `go test -race ./...` 0 FAIL · `actionlint` + `shellcheck` clean. The install path is verified end-to-end against real release artifacts (same goreleaser archive naming) via the self-test.

… `@v1` until all three are true

This PR's code is ready to merge, but the action is non-functional for the public until the release sequence is done (inherent to the org migration, not a code defect):
1. `HodeTech/Leakwatch` exists (repo transfer/creation; remote is currently `cemililik/Leakwatch`).
2. … (`latest` includes the `github` formatter and the binary download resolves).
3. `v1` tag exists (created automatically by `release.yml` on the first `vX.Y.Z`).

Then tick Publish this Action to the GitHub Marketplace on the release. Until then, don't point users at `@v1`.

Notes

… `91a2c0d`, ROADMAP/competitive-analysis) and the regenerated site bundle.

🤖 Generated with Claude Code
Summary by CodeRabbit

New Features
- `github` output format for GitHub Actions annotations with severity-level mapping

Documentation