feat: add common github actions

[olzemal]

What

Add github actions to get go version from flake.nix and check if uncommited changes occured.

Why

This reduces duplicate code in our repos.

Testing

Tests were added in the .github/actions/* dirs. The tests also run on commits to the scripts.

Checklist

• Tests added/updated
• No breaking changes (or upgrade path documented above)
• Readable commit history (squashed and cleaned up as desired)
• AI code review considered and comments resolved

Summary by CodeRabbit

• New Features

  • Added a "Diff Check" GitHub Action that validates working directory state.
  • Added a "Get Go version" GitHub Action for automated version retrieval.

• Tests

  • Added test suite for GitHub Actions with comprehensive coverage.
  • Added automated workflow to validate all GitHub Actions via shell linting and test execution.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR introduces two new GitHub composite actions with supporting infrastructure. The diff-check action verifies clean git working trees, and the get-go-version action extracts Go version metadata from flake.nix. Each includes bash implementation scripts and comprehensive test suites. A new CI workflow validates all scripts via ShellCheck and runs the test harnesses.

Changes

GitHub Actions Infrastructure Setup

Layer / File(s)	Summary
diff-check Action for Clean Working Tree Verification ​.github/actions/diff-check/action.yml, ​.github/actions/diff-check/verify-clean.sh, ​.github/actions/diff-check/test-verify-clean.sh	Composite action that runs verify-clean.sh to detect uncommitted changes. The bash script checks git status for both tracked and untracked file modifications, outputting a success notice on clean trees or detailed error listing with non-zero exit on dirty trees. Tests cover clean repositories, untracked files, tracked file modifications, and re-committed changes.
get-go-version Action for Go Version Extraction ​.github/actions/get-go-version/action.yml, ​.github/actions/get-go-version/extract-go-version.sh, ​.github/actions/get-go-version/test-extract-go-version.sh	Composite action that extracts and outputs a single Go version from flake.nix via regex matching. The bash script enforces exactly one goVersion assignment and writes the result to GITHUB_OUTPUT, or fails with an Actions error annotation. Tests validate successful single-version extraction, behavior on missing versions, and rejection of multiple version declarations.
test-actions CI Workflow ​.github/workflows/test-actions.yml	New workflow triggered on pull requests and pushes to main when shell scripts under ​.github/actions/ change. Runs ShellCheck validation on all action scripts, then executes both test harnesses sequentially with read-only repository permissions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Two new helpers hop into the pen,
One checks for git mess now and then,
The other grabs Go versions bright—
Both tested and workflow-ready to flight!
With ShellCheck standing guard up above,
CI cleanliness, extracted with love! 💚

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat: add common github actions' is concise and directly summarizes the main change: adding reusable GitHub Actions for common tasks.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The PR description follows the required template with all major sections completed, including What, Why, Testing, and a checked Checklist.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/common-gh-actions

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

.github/workflows/test-actions.yml (1)

19-19: ⚡ Quick win

Consider pinning actions to commit SHAs and disabling credential persistence.

Static analysis identified two security improvements:

1. Unpinned action references: Using tag references like @v4 instead of commit SHAs means tags could be moved or compromised. Pin to specific commit hashes for immutability.

2. Credential persistence: By default, actions/checkout leaves credentials in .git/config, making them accessible to subsequent steps or scripts. Setting persist-credentials: false removes them after checkout.

🔒 Proposed security improvements

     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          persist-credentials: false
       - name: Run ShellCheck on action scripts

     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          persist-credentials: false
       - name: Test verify-clean.sh

Note: The SHA 11bd71901bbe5b1630ceea73d27597364c9af683 corresponds to v4.2.2. Verify this is the desired version.

Also applies to: 27-27

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test-actions.yml at line 19, Replace the unpinned checkout
action usage `uses: actions/checkout@v4` with a pinned commit SHA (for example
the suggested `11bd71901bbe5b1630ceea73d27597364c9af683`) to make the action
immutable, and add `persist-credentials: false` to the same `actions/checkout`
step so credentials are not left in `.git/config`; update both occurrences of
`uses: actions/checkout@v4` in the workflow to use the chosen SHA and include
the `persist-credentials: false` setting.

.github/actions/get-go-version/extract-go-version.sh (1)

4-4: ⚡ Quick win

Add explicit check for flake.nix existence.

If flake.nix doesn't exist, sed succeeds silently with empty output, leading to a misleading error message "Expected exactly one goVersion assignment" instead of "flake.nix not found".

🛡️ Proposed improvement

 #!/usr/bin/env bash
 set -euo pipefail
 
+if [ ! -f flake.nix ]; then
+  echo "::error::flake.nix not found"
+  exit 1
+fi
+
 GO_VERSION="$(sed -nE 's/^[[:space:]]*goVersion[[:space:]]*=[[:space:]]*"([0-9]+\.[0-9]+\.[0-9]+)";[[:space:]]*$/\1/p' flake.nix)"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/actions/get-go-version/extract-go-version.sh at line 4, The script
assigns GO_VERSION by running sed against flake.nix but doesn't check that
flake.nix exists; add an explicit file existence check before the sed (e.g.,
test -f or [[ -r flake.nix ]]) and if the file is missing print a clear error
like "flake.nix not found" to stderr and exit with non-zero status; keep the
existing GO_VERSION extraction using the sed command and the existing validation
that ensures exactly one match after the extraction.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/actions/diff-check/action.yml:
- Line 2: Fix the typo in the action metadata by updating the description key
value (the "description:" field) to use the correct spelling "uncommitted"
instead of "uncommited"; locate the description: entry in the action.yml and
correct the word in its string value.

In @.github/actions/diff-check/test-verify-clean.sh:
- Line 9: The script test-verify-clean.sh performs a git init and immediate
commit without configuring identity; configure a repo-local git user identity
before the first commit by running git config to set user.name and user.email
earlier in the script (i.e., add the configuration step before the line with
"git init && git commit ...") so commits no longer fail with "empty ident"
errors.

---

Nitpick comments:
In @.github/actions/get-go-version/extract-go-version.sh:
- Line 4: The script assigns GO_VERSION by running sed against flake.nix but
doesn't check that flake.nix exists; add an explicit file existence check before
the sed (e.g., test -f or [[ -r flake.nix ]]) and if the file is missing print a
clear error like "flake.nix not found" to stderr and exit with non-zero status;
keep the existing GO_VERSION extraction using the sed command and the existing
validation that ensures exactly one match after the extraction.

In @.github/workflows/test-actions.yml:
- Line 19: Replace the unpinned checkout action usage `uses:
actions/checkout@v4` with a pinned commit SHA (for example the suggested
`11bd71901bbe5b1630ceea73d27597364c9af683`) to make the action immutable, and
add `persist-credentials: false` to the same `actions/checkout` step so
credentials are not left in `.git/config`; update both occurrences of `uses:
actions/checkout@v4` in the workflow to use the chosen SHA and include the
`persist-credentials: false` setting.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: aa02c3c3-7e61-4932-9ec8-2f447d8f07fc

📥 Commits

Reviewing files that changed from the base of the PR and between c53d2a1 and 3788083.

📒 Files selected for processing (7)

• .github/actions/diff-check/action.yml
• .github/actions/diff-check/test-verify-clean.sh
• .github/actions/diff-check/verify-clean.sh
• .github/actions/get-go-version/action.yml
• .github/actions/get-go-version/extract-go-version.sh
• .github/actions/get-go-version/test-extract-go-version.sh
• .github/workflows/test-actions.yml

[trevex]

lgtm