Add italia/publiccode-parser-action to the allowlist#904

Merged: potiuk merged 1 commit into apache:main from bfabio:publiccode-parser-action on May 30, 2026
Conversation

@bfabio (Contributor) commented May 30, 2026

Request for adding a new GitHub Action to the allow list

Overview

Validates publiccode.yml against the spec in CI.

Project apache/syncope publishes a publiccode.yml and it'd be nice to use CI to
validate it on every push and PR. See apache/syncope#1384.

publiccode.yml is the standard metadata format for public-sector FLOSS.

This action runs the official parser/validator so the file stays correct
over time.

Name of action: publiccode.yml parser and validation Action

URL of action: https://github.com/italia/publiccode-parser-action

Version to pin to (hash only): 21086c73ec0563e14c6748787efa1b34b025ad8c (v1.5.1)

Permissions

Default run (comment-on-pr=false) needs no special permissions and
makes no GitHub API calls. Pass/fail is the workflow status.

With comment-on-pr=true the action pipes parser output to reviewdog
(-reporter=github-pr-review) to post inline comments, so the calling
workflow needs pull-requests: write and GITHUB_TOKEN. Nothing
beyond that. No secrets are read, no env files (GITHUB_ENV,
GITHUB_PATH, GITHUB_OUTPUT) are touched.

Security

Docker action, so the JS-rebuild verification script does not apply.

  • action.yml: docker action, passes 4 inputs as args. No env/secret
    reads.
  • Dockerfile: FROM italia/publiccode-parser-go:v5.3.1 (same org,
    the actual validator). At build time it downloads reviewdog v0.21.0
    from GitHub releases, pinned by SHA256
    (ad5ce7d5ffa52aaa7ec8710a8fa764181b6cecaab843cc791e1cce1680381569)
    and checked with sha256sum -c.
  • entrypoint.sh: Runs publiccode-parser on the given path, pipes to
    reviewdog -reporter=github-pr-review only when comment-on-pr=true.

Related Actions

No existing approved action validates publiccode.yml. The only other
way to get the same check is to call the parser binary directly in a
workflow step (run the italia/publiccode-parser-go binary by
hand), which duplicates what this action already wraps and still pulls
third-party code.

Checklist

  • The action is listed in the GitHub Actions Marketplace
  • The action is not already on the list of approved actions
  • The action has a sufficient number of contributors or has contributors within the ASF community [1]
  • The action has a clearly defined license
  • The action is actively developed or maintained
  • The action has CI/unit tests configured [2]
  • Compiled JavaScript in dist/ matches a clean rebuild [3]

Footnotes

  1. Not sure about that; having more contributors will be nice for sure :)

  2. The action wrapper has no test suite, but the validation logic lives in italia/publiccode-parser-go, which is tested. The wrapper is a thin shell launcher.

  3. N/A, this is a Docker action with no compiled JS.

Validates publiccode.yml against the spec
(https://github.com/publiccodeyml/publiccode.yml) in CI.

Signed-off-by: Fabio Bonelli <fb@fabiobonelli.it>
@potiuk (Member) left a comment

Reviewed — clean. Recommend approval. ✅

Manual source review at the pinned SHA (21086c73ec0563e14c6748787efa1b34b025ad8c, v1.5.1):

  • action.yml — Docker action; 4 inputs passed as container args. No env/secret reads, no outputs.
  • Dockerfile — FROM italia/publiccode-parser-go:v5.3.1 (same italia org — the actual validator). Downloads reviewdog 0.21.0 via wget, verified with sha256sum -c against a pinned hash before extraction. Textbook good download pattern.
  • entrypoint.sh — runs publiccode-parser; pipes to reviewdog -reporter=github-pr-review only when comment-on-pr=true. No pipe-to-shell, no secret/env reads, no GITHUB_PATH/GITHUB_ENV/GITHUB_OUTPUT writes.

JS-rebuild check correctly N/A (Docker action). Soft note only: the base image is pinned by tag rather than digest — normal for a Docker action and same-org, so not a blocker.

Thanks for the thorough writeup, @bfabio.
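The "download, verify against a pinned SHA-256 with sha256sum -c, then extract" pattern that both the description and the review call out is worth seeing end to end. The script below is an added example written for this page, not code from the italia/publiccode-parser-action repository or its Dockerfile; the archive it checks is constructed locally so it runs offline, and the placeholder binary, the temp-directory layout and the all-zero "tampered" digest are assumptions made for the demonstration. The point it shows is that a mismatched pin fails closed: nothing is extracted, and the non-zero exit status is exactly what would make a Dockerfile RUN step (or a CI job) fail.

```shell
#!/bin/sh
# Added example, not code from italia/publiccode-parser-action: verify a
# downloaded release archive against a pinned SHA-256 before extracting it.
# The "download" here is a constructed tarball, so no network is needed.
set -eu

# Print only the hex SHA-256 digest of a file (used to build the good pin).
sha256_of() {
  sha256sum "$1" | cut -d' ' -f1
}

# Verify FILE ($1) against EXPECTED hex digest ($2) using sha256sum -c,
# the same check the Dockerfile is described as running. Non-zero on
# mismatch, so a RUN step or a set -e script stops right here.
verify_sha256() {
  printf '%s  %s\n' "$2" "$1" | sha256sum -c --status -
}

# Extract ARCHIVE ($1) into DEST ($3) only after its digest matches ($2).
# Returns 0 on success, 2 on mismatch (and then creates/extracts nothing).
verified_extract() {
  archive="$1"; expected="$2"; dest="$3"
  if ! verify_sha256 "$archive" "$expected"; then
    echo "hash mismatch for $archive, refusing to extract" >&2
    return 2
  fi
  mkdir -p "$dest"
  tar -xzf "$archive" -C "$dest"
}

# Constructed stand-in for a release archive: a tarball holding a
# placeholder script named like the tool being downloaded (assumption).
make_sample_archive() {
  work=$(mktemp -d)
  mkdir -p "$work/src"
  printf '#!/bin/sh\necho placeholder-binary\n' > "$work/src/reviewdog"
  chmod +x "$work/src/reviewdog"
  tar -czf "$work/release.tar.gz" -C "$work/src" reviewdog
  echo "$work/release.tar.gz"
}

# Demonstration: the correct pin extracts; a wrong pin (as after a release
# asset is replaced) is rejected and leaves no partial extraction behind.
demo() {
  archive=$(make_sample_archive)
  base=$(dirname "$archive")
  good=$(sha256_of "$archive")
  bad=$(printf '%064d' 0)          # constructed wrong digest
  verified_extract "$archive" "$good" "$base/ok" || return 1
  if verified_extract "$archive" "$bad" "$base/tampered" 2>/dev/null; then
    return 1                        # must not succeed
  fi
  [ -x "$base/ok/reviewdog" ] || return 1
  [ ! -d "$base/tampered" ] || return 1
  echo "verified extract ok; mismatched pin rejected"
}

demo
```

The digest must come from a trusted place (checked into the Dockerfile, as in the reviewed action), not from a file fetched alongside the archive; a hash served next to the download only proves the two were published together.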

@potiuk potiuk merged commit 05af75c into apache:main May 30, 2026
@bfabio bfabio deleted the publiccode-parser-action branch May 30, 2026 17:12