Action: sansec-ecomscan (new)
Status: 🔴 Convert workflow → action
Source: `.github/workflows/sansec-ecomscan.yml` (mage-os-only)
Target: `sansec-ecomscan/action.yml` + `.github/workflows/sansec-ecomscan.yml` (thin caller)

What the workflow currently does

- Checks out the repo (`actions/checkout@v5`, `persist-credentials: false`, PR head SHA)
- Downloads the ecomscan binary from `https://ecomscan.com/downloads/linux-amd64/ecomscan`, then `chmod +x ecomscan`
- Runs `./ecomscan --no-auto-update --skip-database --deep --format=csv .` with the `ECOMSCAN_KEY` env var
- Fails (`exit 1`) if any output is produced

Dependents

No external repos call this workflow (per `dependents.md`). It is only used internally by `mage-os/github-actions` itself. This makes the conversion low risk.

Design decisions

- Checkout stays in the caller workflow → consistent with the pattern used by other actions in this repo (`setup-magento`, `coding-standard` post-refactor, etc.)
- License key passed as an input → composite actions cannot read `secrets` directly; callers must pass the value explicitly
- `persist-credentials: false` and `ref` handling → these checkout options are caller concerns and stay in the workflow
- `pull_request_target` trigger and the push-on-PR skip guard → these are workflow-level concerns and stay in the caller

New action: `sansec-ecomscan/action.yml`

Inputs

| Input | Required | Description |
|---|---|---|
| `ecomscan_key` | true | Sansec license key (`ECOMSCAN_KEY`) |

Steps

- Download ecomscan binary, `chmod +x ecomscan`
- Run ecomscan, fail on output
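
For illustration, this is what a composite action implementing the steps above could look like. It is an added example, not the actual file in mage-os/github-actions; the use of curl for the download and bash for the run steps are assumptions, since the plan does not name a downloader or shell.

```yaml
# Added example: a composite action matching the steps listed in the plan.
# Illustrative only; not the actual file in mage-os/github-actions.
# Assumptions: curl is used for the download and bash for the run steps.
name: Sansec eComscan
description: Download the ecomscan binary and fail if it reports anything

inputs:
  ecomscan_key:
    description: Sansec license key (ECOMSCAN_KEY)
    required: true

runs:
  using: composite
  steps:
    - name: Download ecomscan binary
      shell: bash
      run: |
        set -euo pipefail
        # --fail makes an HTTP error abort the step instead of saving an error page as the "binary".
        curl --fail --silent --show-error --location \
          --output ecomscan \
          https://ecomscan.com/downloads/linux-amd64/ecomscan
        chmod +x ecomscan

    - name: Run ecomscan, fail on output
      shell: bash
      env:
        # Composite actions cannot read `secrets`; the caller passes the key as an input.
        ECOMSCAN_KEY: ${{ inputs.ecomscan_key }}
      run: |
        set -euo pipefail
        # With set -e, a non-zero exit from the scanner itself also fails the step.
        output="$(./ecomscan --no-auto-update --skip-database --deep --format=csv .)"
        if [ -n "$output" ]; then
          # Any CSV output is a finding: print it for the job log, then fail the job.
          printf '%s\n' "$output"
          echo "::error::ecomscan reported findings"
          exit 1
        fi
```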

Updated workflow: `.github/workflows/sansec-ecomscan.yml`

Becomes a thin caller that handles checkout and trigger logic, then delegates to the action:

```yaml
on:
  push:
  pull_request_target:
  workflow_dispatch:

jobs:
  run-ecomscan:
    if: github.event.pull_request == null || github.event_name != 'push'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
      - uses: mage-os/github-actions/sansec-ecomscan@main
        with:
          ecomscan_key: ${{ secrets.SANSEC_LICENSE_KEY }}
```

Implementation steps

- Create `sansec-ecomscan/action.yml` as a composite action with the download/chmod/run steps and an `ecomscan_key` input
- Update `.github/workflows/sansec-ecomscan.yml` to the thin caller above
- Bump `actions/checkout` from v5 to v6 in the workflow