Add CI workflow for action version consistency scanning #1034

@WilliamBerryiii

Description

Summary

Test-ActionVersionConsistency.ps1 now produces JSON output to logs/action-version-consistency-results.json via the lint:version-consistency npm script (#987), but there is no dedicated GitHub Actions workflow to consume these results in CI. The other two security scanning scripts each have reusable workflow files that read JSON output, generate SARIF, upload to GitHub Security tab, publish artifacts, and surface job summaries.

Current Behavior

Running npm run lint:version-consistency writes JSON locally, but CI has no dedicated workflow to:

  • Run the scan as a reusable workflow
  • Upload SARIF results to the GitHub Security tab
  • Publish JSON/SARIF as workflow artifacts
  • Surface compliance metrics as job outputs

Expected Behavior

A new action-version-consistency-scan.yml reusable workflow that follows the established pattern from dependency-pinning-scan.yml and workflow-permissions-scan.yml:

  1. Accepts workflow_call inputs for soft-fail, upload-sarif, and upload-artifact
  2. Runs Test-ActionVersionConsistency.ps1 with -Format Json and -Format Sarif
  3. Extracts metrics (mismatch count, compliance) into job outputs
  4. Uploads SARIF to GitHub Security tab via github/codeql-action/upload-sarif
  5. Publishes results as workflow artifacts
  6. Generates a job summary

Reference Pattern

Existing Workflow                                  Script
.github/workflows/dependency-pinning-scan.yml      Test-DependencyPinning.ps1
.github/workflows/workflow-permissions-scan.yml    Test-WorkflowPermissions.ps1

The new workflow should mirror these patterns. Test-ActionVersionConsistency.ps1 already supports -Format Json, -Format Sarif, and -OutputPath parameters, so the script side is ready.

Files Requiring Changes

File                                                  Change
.github/workflows/action-version-consistency-scan.yml New reusable workflow
Caller workflow(s) referencing the new scan           Wire up workflow_call invocation

Prerequisite

References

  • scripts/security/Test-ActionVersionConsistency.ps1 — supports -Format Json|Sarif, -OutputPath, -FailOnMismatch
  • .github/workflows/dependency-pinning-scan.yml — reference pattern
  • .github/workflows/workflow-permissions-scan.yml — reference pattern
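An added example (not a file from this repository) sketching the reusable workflow the six Expected Behavior steps describe. Assumed, because the page does not state them: the JSON report exposes mismatchCount and compliancePercent fields, the SARIF file is written to logs/action-version-consistency-results.sarif, and the action references are left as version tags as placeholders to be pinned to commit SHAs per the repository's pinning policy.

```yaml
# Added example, not the repository's own workflow. Assumed: JSON report fields
# `mismatchCount` / `compliancePercent`; action refs are placeholder tags, pin to SHAs.
on:
  workflow_call:
    inputs:
      soft-fail:
        type: boolean
        default: false
      upload-sarif:
        type: boolean
        default: true
      upload-artifact:
        type: boolean
        default: true
permissions:
  contents: read
  security-events: write   # required by upload-sarif; drop if upload-sarif is false
jobs:
  scan:
    runs-on: ubuntu-latest
    outputs:
      mismatch-count: ${{ steps.metrics.outputs.mismatch-count }}
      compliance: ${{ steps.metrics.outputs.compliance }}
    steps:
      - uses: actions/checkout@v4   # placeholder tag; pin to a commit SHA
      - name: Run scan (SARIF first, so it exists even when the JSON run fails the job)
        shell: pwsh
        continue-on-error: ${{ inputs.soft-fail }}
        run: |
          New-Item -ItemType Directory -Force logs | Out-Null
          ./scripts/security/Test-ActionVersionConsistency.ps1 -Format Sarif -OutputPath logs/action-version-consistency-results.sarif
          ./scripts/security/Test-ActionVersionConsistency.ps1 -Format Json -OutputPath logs/action-version-consistency-results.json -FailOnMismatch
      - name: Extract metrics and write job summary
        id: metrics
        if: always()
        shell: pwsh
        run: |
          $r = Get-Content logs/action-version-consistency-results.json -Raw | ConvertFrom-Json
          "mismatch-count=$($r.mismatchCount)" >> $env:GITHUB_OUTPUT
          "compliance=$($r.compliancePercent)" >> $env:GITHUB_OUTPUT
          "## Action Version Consistency`n- Mismatches: $($r.mismatchCount)`n- Compliance: $($r.compliancePercent)%" >> $env:GITHUB_STEP_SUMMARY
      - uses: github/codeql-action/upload-sarif@v3   # placeholder tag; pin to a commit SHA
        if: inputs.upload-sarif && always()
        with:
          sarif_file: logs/action-version-consistency-results.sarif
      - uses: actions/upload-artifact@v4   # placeholder tag; pin to a commit SHA
        if: inputs.upload-artifact && always()
        with:
          name: action-version-consistency
          path: logs/action-version-consistency-results.*
```

The SARIF run is placed before the JSON run with -FailOnMismatch because a non-zero exit ends the pwsh step, and the later upload steps use always() so the Security tab and artifacts are still populated on a failing scan.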

Metadata

Labels

  • security — Security-related changes or concerns
  • workflows — GitHub Actions workflows

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests