Replace NPM_TOKEN-based authentication with OIDC trusted publishing.
This eliminates the need for long-lived npm access tokens.
Changes:
- Add id-token: write permission to the release job
- Add registry-url to setup-node
- Remove the setup authentication step (.npmrc token write)
- Remove NPM_TOKEN env var from the Publish packages step
Requires trusted publisher configuration on npmjs.com for each package.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* update default runner image labels
* chore: format in style of file
* remove old labels
* tests: update expected length of runner labels in tests
* tests: fix another test, missed
Update the step-uses description to mention that actions can also be
used from private repositories when access is enabled via repository
settings.
Fixes#319
## Problem
In workflow YAML files, writing `if: foo == bar` shows an error because `foo` and `bar` are not valid contexts. However, the same invalid expression in an action.yml file showed no error.
## Solution
Add expression validation for implicit `if` conditions in action.yml files, matching the behavior of workflow YAML validation.
## What's new
1. **Pre-if/post-if validation** (node and docker actions)
- `pre-if: foo == bar` now shows error for unknown context
- `post-if: unknownFunc()` now shows error for unknown function
2. **Composite step `if` validation** (fix)
- Errors from `convertToIfCondition` were being lost due to call ordering
- Now captured correctly by calling conversion before retrieving errors
## Why the refactor?
The diff includes consolidating multiple validation loops into a single `validateAllTokens()` traversal. This matches the pattern used in workflow YAML validation (`additionalValidations`), making the code consistent between the two validation paths.
* Add missing validation for action.yml (parity with workflow files)
- Add uses format validation for composite action steps
- Validates owner/repo@ref format
- Supports docker:// and ./ local references
- Warns about shortened SHA refs (security concern)
- Detects reusable workflow references in wrong context
- Add if literal text detection for composite action steps
- Detects literal text outside ${{ }} that makes conditions always truthy
- Works for both plain string and mixed expression formats
- Uses shared hasFormatWithLiteralText() utility
- Add pre-if/post-if validation for node and docker actions
- Errors on explicit ${{ }} syntax (runner only supports implicit expressions)
- Literal text detection for implicit expressions
- New runs-if schema type with proper context (runner, github, job, env, inputs, status functions)
- Validates only in strict schema used by language services
- Add format() function validation for all expressions
- Validates format string syntax in all expression contexts
- Checks argument count matches placeholders
- Fix env and matrix context providers to return complete=false
- Prevents false positive 'unknown context' errors
- Matches behavior of other dynamic contexts (secrets, vars, etc.)
- Refactor validation utilities into utils/validate-uses.ts and utils/validate-if.ts
- Shared between workflow and action validation
- Consistent error messages and codes
* Add strategy and matrix contexts to runs-if definition
Based on runner source code analysis (actions/runner):
- ExecutionContext.InitializeJob() populates ExpressionValues from message.ContextData
- strategy and matrix are part of message.ContextData, available before any steps run
- StepsRunner evaluates all steps (pre, main, post) using the same code path
Did NOT add:
- steps: empty at pre-if time (no steps completed yet)
- hashFiles: workspace files don't exist at pre-step time
* Setup CodeActions and add quickfix for missing inputs
* PR feedback
* Update languageservice/src/code-actions/quickfix/add-missing-inputs.ts
Co-authored-by: Salman Chishti <salmanmkc@GitHub.com>
* Fix indentSize detection for code actions after rebase
- Add indentSize to MissingInputsDiagnosticData interface
- Pass indentSize parameter from validate.ts to validateActionReference
- Detect indentSize from workflow structure (jobs key to first child)
- Fall back to detecting from with: block children when available
* update typescript
* formatting
* linting
* Gate missing inputs quickfix behind feature flag
* Address PR review: rename files, move position calculation to quickfix
- Rename index.ts files to follow repo patterns:
- code-actions/index.ts → code-actions/code-actions.ts
- code-actions/quickfix/index.ts → quickfix/quickfix-providers.ts
- Move position calculation from validation to quickfix:
- MissingInputsDiagnosticData now passes raw token ranges
- Quickfix computes insertion position and indentation at code action time
- detectIndentSize moved from validate.ts to validate-action-reference.ts
* wip
* Remove pointless comment
---------
Co-authored-by: Salman Chishti <salmanmkc@GitHub.com>
In YAML, block scalars (`|` and `>`) silently add a trailing newline by default
("clip" chomping). This can cause subtle bugs when the newline is unintentional.
This PR adds a warning when clip chomping is used in fields where trailing
newlines commonly cause issues:
- Environment variables (workflow, job, step, container, service levels)
- Action inputs (`with:`)
- Reusable workflow inputs and secrets
- Job outputs
- Matrix values (including `include` and `exclude`)
- Concurrency groups
The warning suggests using `|-` (strip) or `|+` (keep) to be explicit.
Intentionally does NOT warn for:
- `run:` scripts (trailing newlines are normal)
- Fields trimmed server-side (`if:`, `name:`, `runs-on:`, etc.)
The feature is gated behind the `blockScalarChompingWarning` feature flag.