The task
Two related CI/security hygiene improvements:
1. Add `.github/workflows/test.yml`
The action has no automated tests. A test workflow should:
- Generate fixture certificates using `openssl req` covering: valid, expiring-soon, expired, not-yet-valid, missing file, and multi-cert with a valid replacement
- Run the action against each fixture set and assert correct exit codes and step-summary content
- Execute on both `ubuntu-latest` and `macos-latest` to catch `date` portability regressions
2. Pin `actions/checkout` to a full commit SHA in `examples/validate_certificates.yml`
The example currently uses the mutable `@v4` tag, which is vulnerable to supply-chain attacks via tag mutation. Replace with a pinned SHA, e.g.:
```yaml
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
```
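One way to keep item 2 from regressing is a check that fails when any `uses:` reference is not a full 40-hex commit SHA. The script below is an added example, not code from this issue or from the action; the function names, the `example-org/example-action` reference and the local action path in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the project's code): flag `uses:` references in a
# workflow file that are not pinned to a full 40-hex commit SHA.

# find_unpinned FILE
# Prints "LINE:REFERENCE" for every unpinned reference.
# Returns 0 when everything is pinned, 1 otherwise.
find_unpinned() {
    awk -v q="'" '
    BEGIN { bad = 0 }
    {
        line = $0
        sub(/[ \t]+#.*$/, "", line)              # drop trailing comment ("# v4.2.2")
        if (line !~ /^[ \t]*(-[ \t]*)?uses:[ \t]*/) next
        sub(/^[ \t]*(-[ \t]*)?uses:[ \t]*/, "", line)
        gsub(/"/, "", line); gsub(q, "", line)   # strip YAML quotes
        sub(/[ \t]+$/, "", line)
        if (line ~ /^\.\.?\// || line ~ /^docker:/) next   # local path / image: not checked here
        n = split(line, part, "@")
        sha = part[n]
        # Pinned only if the ref after "@" is exactly 40 lowercase hex digits.
        if (n >= 2 && length(sha) == 40 && sha ~ /^[0-9a-f]+$/) next
        printf "%d:%s\n", NR, line
        bad = 1
    }
    END { exit bad }
    ' "$1"
}

# write_sample FILE: constructed workflow steps used as sample input.
write_sample() {
    cat > "$1" <<'EOF'
steps:
  - uses: actions/checkout@v4
  - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
  - uses: ./.github/actions/local-check
  - name: hypothetical third-party action
    uses: "example-org/example-action@main"
EOF
}

sample=$(mktemp)
write_sample "$sample"
find_unpinned "$sample" || echo "unpinned action references found" >&2
rm -f "$sample"
```

The check only looks at the shape of the reference; it does not confirm that the SHA matches the version named in the trailing comment.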