Fix ci

.github/workflows/code-quality.yml

@@ -0,0 +1,36 @@
+name: code-quality
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - 'releases/*'
+
+permissions:
+  contents: read
+
+jobs:
+  format-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Set up Node.js
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+        with:
+          node-version: '20'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Check formatting
+        run: npm run format-check
+
+      - name: Lint code
+        run: npm run lint

.github/workflows/dependency-review.yml

@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@56339e523c0409420f6c2c9a2f4292bbb3c07dd3 # v4.8.0

.github/workflows/scorecards.yml

@@ -0,0 +1,81 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '20 7 * * 2'
+  push:
+    branches: ["main"]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      contents: read
+      actions: read
+      # To allow GraphQL ListCommits to work
+      issues: read
+      pull-requests: read
+      # To detect SAST tools
+      checks: read
+
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
+      - name: "Checkout code"
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecards on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
+        with:
+          sarif_file: results.sarif

.github/workflows/test.yml

@@ -1,4 +1,6 @@
 name: 'build-test'
+permissions:
+  contents: read
 on: # rebuild any PRs and main branch changes
   pull_request:
   push:
@@ -10,15 +12,27 @@ jobs:
   build: # make sure build/ci work properly
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - run: |
           npm install
       - run: |
           npm run all
   test: # make sure the action works on a clean machine without building
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - uses: ./
         with:
-          milliseconds: 1000
+          checkName: 'mypy'
+          mypyFlags: '--config-file pyproject.toml'
+          mypyFiles: '.'

.pre-commit-config.yaml

@@ -0,0 +1,14 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+  rev: v8.28.0
+  hooks:
+  - id: gitleaks
+- repo: https://github.com/pre-commit/mirrors-eslint
+  rev: v9.36.0
+  hooks:
+  - id: eslint
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v6.0.0
+  hooks:
+  - id: end-of-file-fixer
+  - id: trailing-whitespace

README.md

@@ -1,18 +1,30 @@
 <p align="center">
-  <a href="https://github.com/sasanquaneuf/mypy-github-action/actions"><img alt="mypy-github-action status" src="https://github.com/sasanquaneuf/mypy-github-action/workflows/build-test/badge.svg"></a>
+  <a href="https://github.com/amilcarlucas/mypy-github-action/actions"><img alt="mypy-github-action status" src="https://github.com/amilcarlucas/mypy-github-action/workflows/build-test/badge.svg"></a>
 </p>
 
 # `mypy` GitHub Action
 
-This is a GitHub Action to run `mypy` against your repository. It uses the new GitHub Actions API and JavaScript toolkit. It does fancy things like add annotations to your PRs inline.
+This is a GitHub Action to run [`mypy`](https://mypy-lang.org/) against your repository and annotate results directly in your pull requests using GitHub Checks.
 
-(image)
+## Inputs
 
-Use it in your project like:
+This action accepts the following input parameters:
 
-(in `.github/workflows/lint.yml`)
-```
-name: Lint
+- **checkName** (required):
+  The name of the GitHub check to add annotations to. This should generally match the job name in your workflow.
+
+- **mypyFlags** (optional):
+  Additional flags to pass to the `mypy` command (e.g., `--config-file pyproject.toml`). Default: `''`
+
+- **mypyFiles** (optional):
+  Files or directories on which to run `mypy`. Default: `.` (runs on the full project)
+
+## Usage Example
+
+Add the following to your workflow file (e.g. `.github/workflows/lint.yml`):
+
+```yaml
+name: lint
 
 on:
   push:
@@ -24,22 +36,39 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Setup Python
-        uses: actions/setup-python@v4
+        uses: aactions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
-          python-version: 3.7.4
+          python-version: 3.13.0
           architecture: x64
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Install mypy
         run: pip install mypy
       - name: Run mypy
-        uses: sasanquaneuf/mypy-github-action@releases/v1
+        uses: amilcarlucas/mypy-github-action@releases/v2.0.0
         with:
-          checkName: 'mypy'   # NOTE: this needs to be the same as the job name
+          checkName: 'lint'   # NOTE: this needs to be the same as the job name
+          mypyFlags: '--config-file pyproject.toml'
+          mypyFiles: '.'
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 ```
 
+## What happens?
+
+The action runs `mypy` on the specified files with the given flags.
+Any type errors found are annotated directly in the PR using GitHub Checks.
+The check will fail if any errors are found, making it easy to enforce type safety in your CI.
+
+Inputs Reference
+
+| Name      | Required | Default | Description                          |
+|-----------|----------|---------|--------------------------------------|
+| checkName | Yes      |         | Name of the GitHub check to annotate.|
+| mypyFlags | No       | ''      | Additional flags for mypy.           |
+| mypyFiles | No       | .       | Files/directories to check.          |
+
 # Acknowledgments
 
 This GitHub Action was made with reference to [flake8-github-action](https://github.com/suo/flake8-github-action)
+This is forked from [sasanquaneuf](https://github.com/sasanquaneuf/mypy-github-action).

__tests__/main.test.ts

@@ -1,15 +1,18 @@
 import * as process from 'process'
 import * as cp from 'child_process'
 import * as path from 'path'
-import {test} from '@jest/globals'
+import {test, expect} from '@jest/globals'
+
+test('action runs and outputs expected result', () => {
+  process.env['INPUT_CHECKNAME'] = 'mypy'
+  process.env['INPUT_MYPYFLAGS'] = '--config-file pyproject.toml'
+  process.env['INPUT_MYPYFILES'] = '.'
 
-// shows how the runner will run a javascript action with env / stdout protocol
-test('test runs', () => {
-  // process.env['INPUT_MILLISECONDS'] = '500'
   const np = process.execPath
   const ip = path.join(__dirname, '..', 'lib', 'main.js')
   const options: cp.ExecFileSyncOptions = {
     env: process.env
   }
-  console.log(cp.execFileSync(np, [ip], options).toString())
+  const output = cp.execFileSync(np, [ip], options).toString()
+  expect(output).toContain('mypy') // Adjust to match expected output
 })

action.yml

@@ -1,6 +1,6 @@
 name: 'Mypy action'
-description: 'Run flake8 and annotate the results'
-author: 'sasanquaneuf'
+description: 'Run mypy and annotate the results'
+author: 'amilcarlucas'
 branding:
   icon: check-circle
   color: yellow
@@ -9,6 +9,14 @@ inputs:
     description: 'The name of the check to add annotations to.
       Generally the same as the job that uses this action'
     required: true
+  mypyFlags:
+    description: 'Additional flags to pass to mypy'
+    required: false
+    default: ''
+  mypyFiles:
+    description: 'Files on which to run mypy (default runs on full project)'
+    required: false
+    default: '.'
 runs:
   using: 'node20'
   main: 'dist/index.js'