
fix(actions/shared): fix action inputs, security issues and add READMEs#215

Open
borislavr wants to merge 4 commits into
mainfrom
docs/actions-documentation

Conversation

borislavr (Collaborator) commented May 21, 2026

What type of change is this? (check all applicable)

  • Workflow change
  • Workflow config / matrix change
  • Deployment template / resource change
  • Action or script change
  • Documentation update
  • Bug fix
  • Refactor / maintenance

Description

Fix several correctness and security issues across six shared actions and add missing
READMEs for collect_diag_info, create_ingress, and get_certs. The fixes address
incorrectly declared required: true inputs that no
step actually uses, a duplicate Initialize error flag step in verify_installation,
a monitoring diagnostic step that could be skipped on job failure, and a hard-coded
${{ matrix.version }} context read in collect_diag_info that always resolved to
empty outside a matrix job.

What is affected? (check all applicable)

  • .github/workflows/*
  • workflow-config/*
  • templates/*
  • actions/*
  • scripts/*
  • docs/*
  • resources/* or restricted/*

Services / scenarios impacted

  • repository_name and path_to_chart are now optional (callers with existing with: blocks are unaffected)
  • get_certs: service_name is now optional — no caller behaviour change
  • verify_installation: duplicate env-var initialisation step removed (was a no-op)
  • collect_diag_info: monitoring diagnostic step now runs under if: always() so it
    collects data even when a preceding Helm deploy or verify step fails; matrix.version
    context access replaced with an explicit version input
  • All six shared actions: new or significantly expanded READMEs added

Related tickets and documents

  • Related Issue #
  • Related docs / workflow reference: actions/shared/*/README.md

Verification

  • Static review only

All changes were verified by reading the action source and cross-checking against
callers in .github/workflows/. No pipeline run was possible on this documentation
branch. The required: false changes were confirmed
safe by grepping all callers — none would fail validation.

Compatibility / impact

  • No compatibility impact
  • Workflow interface changed (inputs, outputs, secrets, job names)
  • Template parameters or behavior changed
  • Test matrix / covered scenarios changed
  • Existing upgrade flow or previous behavior was checked
  • Documentation updated

repository_name and path_to_chart in create_restricted_resources and service_name
in get_certs changed from required: true to required: false. All existing callers
already pass these inputs explicitly, so no caller is broken. The change only relaxes
validation — previously callers that omitted these unused inputs would get an error.

Additional notes (optional)

  • The collect_diag_info action previously read ${{ matrix.version }} directly from
    the job matrix context, which is not accessible inside a composite action — it always
    resolved to an empty string. The new version input is an explicit pass-through;
    all current callers already supply artifact_name so the artifact name is unaffected.
  • The verify_installation action still contains a duplicated monitoring check block
    (Phase 2 logic appears in both Check service is ready and Get monitoring specific
    resources steps). This pre-existing duplication is documented in the README Notes
    section and is out of scope for this PR.

- Modify `create_restricted_resources` action to make inputs optional and adjust kubectl config command.
- Update `get_certs` action to make `service_name` input optional.
- Enhance `get_crds` action with a description and specify input type.
- Revamp `helm_deploy` action documentation to clarify features, inputs, and outputs; improve usage examples.
- Revise `verify_installation` action to streamline error flag initialization and enhance documentation.
- Introduce `collect_diag_info` action to gather Kubernetes diagnostics and upload as artifacts.
- Add `create_ingress` action for setting up ingress-nginx in kind clusters with detailed documentation.
- Implement `get_certs` action to extract TLS certificate data from Kubernetes secrets with comprehensive usage notes.
@github-actions github-actions Bot added the bug Something isn't working label May 21, 2026

Copilot AI left a comment


Pull request overview

This PR updates several shared composite GitHub Actions under actions/shared/ to fix correctness/security issues in action implementations (primarily around inputs and execution conditions) and to add/expand missing READMEs so callers have accurate usage + behavior documentation.

Changes:

  • Relaxed/adjusted action inputs (e.g., making previously-unused inputs optional) and improved shell safety by using step env vars and quoting.
  • Fixed action execution behavior issues (e.g., removing a duplicate ERROR_FLAG init step; ensuring monitoring diagnostics run under always(); replacing unusable matrix.version access with an explicit version input).
  • Added or significantly expanded README documentation for multiple shared actions.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.

Summary per file

  • actions/shared/verify_installation/README.md: Expanded documentation: inputs/behavior breakdown and usage guidance.
  • actions/shared/verify_installation/action.yml: Removes duplicated “Initialize error flag” step.
  • actions/shared/helm_deploy/README.md: Expanded documentation for behavior, inputs, and usage examples.
  • actions/shared/get_crds/action.yaml: Adds description/type and refactors to use env var for path; minor quoting improvements.
  • actions/shared/get_certs/README.md: New README documenting cert extraction behavior and usage.
  • actions/shared/get_certs/action.yml: Makes service_name optional; improves quoting/uses env vars for safer shell usage.
  • actions/shared/create_restricted_resources/README.md: Expanded documentation including side-effects, phases, and operational notes.
  • actions/shared/create_restricted_resources/action.yml: Makes some inputs optional; improves quoting; avoids kubectl config view --raw.
  • actions/shared/create_ingress/README.md: New README documenting kind ingress setup and CoreDNS changes.
  • actions/shared/collect_diag_info/README.md: New README documenting diagnostic collection behavior and artifact naming.
  • actions/shared/collect_diag_info/action.yml: Adds version input; runs monitoring diagnostics under always(); uses inputs.version instead of matrix.version.
Comments suppressed due to low confidence (2)

actions/shared/get_crds/action.yaml:32

  • CRDS_ARRAY is initialised as an array, but CRDS_ARRAY+=$crd_name concatenates into element 0 rather than appending a new entry. If multiple CRDs exist, the output becomes a single concatenated string (no separator), which will break callers that expect a space-separated list. Use proper array append (e.g. CRDS_ARRAY+=("$crd_name")) or build CRDS with an explicit delimiter.
        CRDS_ARRAY=()
        for yaml in ${yamls}; do
          yml_kind=$(yq e '.kind' $yaml)
          if [ "$yml_kind" == "CustomResourceDefinition" ]; then
            crd_name=$(yq e '.metadata.name' $yaml)
            CRDS_ARRAY+=$crd_name

actions/shared/get_certs/action.yml:36

  • The null/empty check won’t catch missing keys: yq eval '.data["ca.crt"]' returns the literal string null when the field is absent, so -z is false and the action will write null into the output files. If the intent is to fail when any field is missing, either use yq -e (and check exit codes) or explicitly treat null as an error value.
        ca_crt=$(echo "$secret" | yq eval '.data["ca.crt"]' -)
        tls_crt=$(echo "$secret" | yq eval '.data["tls.crt"]' -)
        tls_key=$(echo "$secret" | yq eval '.data["tls.key"]' -)

        if [ -z "$ca_crt" ] || [ -z "$tls_crt" ] || [ -z "$tls_key" ]; then
          echo "ERROR: Failed to extract certificates!"

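The two shell patterns Copilot flagged above, the `CRDS_ARRAY+=$crd_name` append in get_crds and the `-z` null check in get_certs, are shown below side by side with hardened forms. This is an added example, not code from this PR or its repository: `yq` is not invoked, the `KIND NAME` records and the three secret fields are constructed inputs standing in for what `yq` would print, and the function names (`buggy_collect`, `collect_crd_names`, `require_field`, `check_cert_fields`) are mine.

```bash
#!/usr/bin/env bash
# Added example (not from the PR). Hardened versions of the two shell patterns
# Copilot flagged in get_crds and get_certs. yq is not called: the manifest
# kind/name records and the secret fields are constructed inputs that stand in
# for what yq would print in the real action steps.
set -euo pipefail

# Reproduces the get_crds bug: `arr+=value` on a bash array appends the string
# to element 0 instead of adding a new element, so names run together.
buggy_collect() {
  local -a crds=()
  local name
  for name in "$@"; do
    crds+=$name            # bug: concatenates into crds[0]
  done
  echo "${crds[*]:-}"
}

# Fix: read newline-separated "KIND NAME" records (what a
# `yq e '.kind + " " + .metadata.name'` pass over each manifest would print),
# keep only CustomResourceDefinitions, and append each name as its own element.
collect_crd_names() {
  local -a crds=()
  local kind name
  while read -r kind name; do
    [ "$kind" = "CustomResourceDefinition" ] || continue
    crds+=("$name")        # proper array append
  done
  echo "${crds[*]:-}"      # space-separated list, as callers expect
}

# Fix for the get_certs check: `yq eval '.data["ca.crt"]'` prints the literal
# string "null" for a missing key, so "" and "null" must both count as missing.
require_field() {
  local field=$1 value=$2
  if [ -z "$value" ] || [ "$value" = "null" ]; then
    echo "ERROR: secret is missing data.${field}" >&2
    return 1
  fi
}

# Validates the three TLS fields and prints "ok" only when all are present;
# returns 1 (without printing "ok") as soon as one is empty or "null".
check_cert_fields() {
  local ca=$1 crt=$2 key=$3
  require_field ca.crt  "$ca"  || return 1
  require_field tls.crt "$crt" || return 1
  require_field tls.key "$key" || return 1
  echo ok
}

# Usage with constructed input (the action would feed yq output here instead):
#   printf 'Deployment web\nCustomResourceDefinition foos.example.io\n' | collect_crd_names
#   check_cert_fields "$ca_crt" "$tls_crt" "$tls_key"
```

In the real step the same effect can be had with `yq -e`, which exits non-zero when the key is absent or null, as Copilot suggests; the explicit `"null"` comparison above is the defensive form that does not depend on the yq version's exit-code semantics.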

Comment on lines 244 to 248
SERVICE_BRANCH: ${{ inputs.service_branch }}
INPUT_ARTIFACT_NAME: ${{ inputs.artifact_name }}
MATRIX_VERSION: ${{ matrix.version }}
MATRIX_VERSION: ${{ inputs.version }}
GITHUB_JOB: ${{ github.job }}
NAMESPACE: ${{ inputs.namespace }}
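Review bot: the env var keeps the name MATRIX_VERSION now that its value comes from ${{ inputs.version }}, which misstates where the value originates once the old ${{ matrix.version }} line is gone; rename it to INPUT_VERSION to match INPUT_ARTIFACT_NAME on the line above and update the run step that reads it. Since the value is now a pass-through, a caller must supply `version: ${{ matrix.version }}` in its `with:` block to get the old intent, so the collect_diag_info README should state that explicitly.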

Labels

  • bug (Something isn't working)
  • enhancement (New feature or request)
