Skip to content

[FEATURE] Extract commit validation and action pin check into reusable org-level GitHub Actions #51

New issue
New issue
Closed
Closed
[FEATURE] Extract commit validation and action pin check into reusable org-level GitHub Actions#51
Labels
featureNew feature or request
@c-vigo

Description

@c-vigo
c-vigo
opened on Feb 11, 2026

Description

Parent: #50 (Security Hardening)

Extract validate_commit_msg.py and check_action_pins.py (with their test suites) into standalone, reusable GitHub Actions hosted in separate vig-os org repositories. This enables consistent enforcement of commit message standards and SHA pinning policy across all org repositories.

Problem Statement

Currently, validate_commit_msg.py and check_action_pins.py live inside the devcontainer repository. Any other vig-os repository that wants the same enforcement must copy these scripts manually, leading to drift and duplicated maintenance.

Proposed Solution

  1. Create vig-os/action-validate-commit-msg

    • Publish as a composite GitHub Action
    • Accept inputs for custom commit message patterns (optional override)
    • Include the test suite for CI on the action repo itself
    • Version with semantic tags (e.g. v1, v1.0.0)

  2. Create vig-os/action-check-action-pins

    • Publish as a composite GitHub Action
    • Accept inputs for repo root path and verbosity
    • Include the test suite for CI on the action repo itself
    • Version with semantic tags

  3. Update devcontainer to consume the new actions

    • Replace local script invocations in .pre-commit-config.yaml and test-project/action.yml with the published actions (SHA-pinned, naturally)
    • Keep local scripts as thin wrappers or remove them entirely

Alternatives Considered

  • Monorepo for all org actions: Simpler repo management but harder to version independently.
  • Keep scripts local, copy to other repos: Current state; does not scale.

Additional Context

  • Both scripts are self-contained Python with no external dependencies beyond the standard library
  • Pre-commit hooks can reference remote repos, so the actions could also serve as pre-commit hook sources

Impact

  • Beneficiaries: All vig-os repositories
  • Compatibility: Non-breaking; existing repos adopt at their own pace
  • Risks: Minimal; versioned releases ensure stability

Metadata

Metadata

Assignees

No one assigned

    Labels

    featureNew feature or request

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions