Skip to content

make shell patterns safer in action #5

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
brendanjryan merged 1 commit into from
Jan 19, 2026
Merged

make shell patterns safer in action #5

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 20 additions & 9 deletions action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: "Tempo Lints"
description: "Run Tempo ast-grep lint rules on your codebase"
author: "Stripe"
description: "Run Tempo lint rules on your codebase"
author: "Tempo Labs"

branding:
icon: "check-circle"
Expand Down Expand Up @@ -76,27 +76,28 @@ runs:
OUTPUT_FORMAT="--github-action"
fi

CLI_ARGS="${{ inputs.language }} $SCAN_PATH $OUTPUT_FORMAT"
# Build CLI args array for safe parameter passing
CLI_ARGS=("${{ inputs.language }}" "$SCAN_PATH" "$OUTPUT_FORMAT")

if [ -n "${{ inputs.exclude-rules }}" ]; then
CLI_ARGS="$CLI_ARGS --exclude ${{ inputs.exclude-rules }}"
CLI_ARGS+=("--exclude" "${{ inputs.exclude-rules }}")
fi

if [ "${{ inputs.fix }}" = "true" ]; then
CLI_ARGS="$CLI_ARGS --fix"
CLI_ARGS+=("--fix")
fi

# Debug: show what we're scanning
echo "Scanning: $SCAN_PATH"
echo "CLI args: $CLI_ARGS"
echo "CLI args: ${CLI_ARGS[*]}"

# Run lint and capture output
OUTPUT_FILE="${{ runner.temp }}/tempo-lints-output.json"
set +e
if [ "$OUTPUT_FORMAT" = "--json" ]; then
pnpm --dir "${{ github.action_path }}" exec tsx "${{ github.action_path }}/bin/tempo-lints.ts" $CLI_ARGS > "$OUTPUT_FILE" 2>/dev/null
pnpm --dir "${{ github.action_path }}" exec tsx "${{ github.action_path }}/bin/tempo-lints.ts" "${CLI_ARGS[@]}" > "$OUTPUT_FILE" 2>/dev/null
else
pnpm --dir "${{ github.action_path }}" exec tsx "${{ github.action_path }}/bin/tempo-lints.ts" $CLI_ARGS
pnpm --dir "${{ github.action_path }}" exec tsx "${{ github.action_path }}/bin/tempo-lints.ts" "${CLI_ARGS[@]}"
fi
EXIT_CODE=$?
set -e
Expand All @@ -109,7 +110,11 @@ runs:

echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT
echo "has_errors=$HAS_ERRORS" >> $GITHUB_OUTPUT
echo "output_file=$OUTPUT_FILE" >> $GITHUB_OUTPUT

# Only set output_file when using JSON format
if [ "$OUTPUT_FORMAT" = "--json" ]; then
echo "output_file=$OUTPUT_FILE" >> $GITHUB_OUTPUT
fi

- name: Post PR comment
if: inputs.post-comment == 'true' && github.event_name == 'pull_request'
Expand All @@ -124,6 +129,12 @@ runs:

OUTPUT_FILE="${{ steps.run-lint.outputs.output_file }}"

# Validate output file exists
if [ ! -f "$OUTPUT_FILE" ]; then
echo "::error::Output file not found at $OUTPUT_FILE"
exit 1
fi

# Count issues from JSON output
TOTAL_ISSUES=$(node -p "try { JSON.parse(require('fs').readFileSync('$OUTPUT_FILE','utf8')).length } catch { 0 }" 2>/dev/null || echo "0")

Expand Down