feat: composite actions (privacy-scan, komodo-deploy) for step-level reuse #14
Merged
Step-level reuse for the pieces that compose inside an existing job, alongside the job-level reusable workflows:

- privacy-scan/ — composite action wrapping the scan script (moved from scripts/ to privacy-scan/ so the action is self-contained). Drop it in as a step: `uses: roleme/workflows/privacy-scan@<sha>`.
- komodo-deploy/ — composite action for the HMAC-signed Komodo deploy webhook, extracted from docker-publish-reusable.yml. No host hardcoded (public repo); caller supplies host/stack/secret as inputs.

The privacy-scan reusable workflow and .pre-commit-hooks.yaml now point at the new privacy-scan/privacy-scan.sh path (single source of truth, shared by the composite action, the reusable workflow, and the local pre-commit hook).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What & why
Per the agreed architecture — composite actions for step-level reuse, reusable workflows for job-level — this adds composite actions for the pieces that compose inside an existing job:
- `privacy-scan/` — composite action wrapping the scan script. Use as a step at the end of any job: `uses: roleme/workflows/privacy-scan@<sha>` (with `extra-patterns` for private hostnames). No separate job / runner needed.
- `komodo-deploy/` — composite action for the HMAC-signed Komodo deploy webhook, extracted from `docker-publish-reusable.yml`. No host hardcoded (public repo); caller passes `host`/`stack`/`webhook-secret`.
Single source of truth
The scan script moved `scripts/privacy-scan.sh` → `privacy-scan/privacy-scan.sh` so the composite action is self-contained. The privacy-scan reusable workflow and `.pre-commit-hooks.yaml` now point at that one path — so the composite action, the reusable workflow, and the local pre-commit hook all run the exact same script.
Why docker-publish-reusable.yml still inlines the deploy
`uses:` cannot take an expression ref, so a reusable workflow can't pin an action to its own commit (`@${{ github.workflow_sha }}` is invalid). Pinning to `@main` would be a mutable ref. The inline step is already secure, so it stays; `komodo-deploy` is for new step-level callers.
Validation
🤖 Generated with Claude Code
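The pinning rule this PR relies on (a full commit SHA rather than a mutable ref such as `@main`, and no expression in `uses:`), as an added example that is not part of the original PR or the roleme/workflows repository. It is a line-based check a caller could run over its own workflow files; the function names, the sample workflow, the SHA and the `@v1` tag are constructed for illustration.

```python
import re

# Line-based match of a `uses:` value (step or job level); no YAML parser required.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"#\s]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_ref(target):
    """Classify one `uses:` target by how its ref is pinned."""
    if target.startswith("./"):
        return "local"           # path inside the checked-out repository, no ref
    if target.startswith("docker://"):
        return "docker"          # image reference, outside this check
    if "${{" in target:
        return "expression"      # `uses:` does not evaluate expressions
    if "@" not in target:
        return "missing-ref"
    ref = target.rsplit("@", 1)[1]
    return "pinned-sha" if FULL_SHA_RE.match(ref) else "mutable-ref"

def audit(workflow_text):
    """Return (line number, target, classification) for every `uses:` line."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            findings.append((lineno, m.group(1), classify_ref(m.group(1))))
    return findings

def unpinned(workflow_text):
    """Findings that should fail review: anything not a full commit SHA."""
    bad = {"mutable-ref", "expression", "missing-ref"}
    return [f for f in audit(workflow_text) if f[2] in bad]

# Constructed sample workflow; the SHA and the v1 tag are placeholders.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: roleme/workflows/privacy-scan@0123456789abcdef0123456789abcdef01234567
      - uses: roleme/workflows/komodo-deploy@main
      - uses: roleme/workflows/komodo-deploy@${{ github.workflow_sha }}
      - uses: ./privacy-scan
      - name: tagged
        uses: roleme/workflows/privacy-scan@v1
"""

if __name__ == "__main__":
    for lineno, target, kind in unpinned(SAMPLE):
        print(f"line {lineno}: {target} -> {kind}")
```

A short SHA is reported as `mutable-ref` as well, since only the full 40-character form is accepted here as a pin.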