feat: initial version

sdn4z · sdn4z · commit 0a42516c00f7 · 2025-11-11T16:01:05.000+01:00
diff --git a/.github/release.yml b/.github/release.yml
@@ -0,0 +1,19 @@
+changelog:
+  exclude:
+    labels:
+      - ignore-for-release
+    authors:
+      - octocat
+  categories:
+    - title: Breaking Changes 🛠
+      labels:
+        - breaking
+    - title: New Features 🎉
+      labels:
+        - feature
+    - title: Fixes 🔧
+      labels:
+        - fix
+    - title: Other Changes
+      labels:
+        - "*"
diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
@@ -0,0 +1,29 @@
+name: Bump version
+
+on:
+  workflow_dispatch:
+jobs:
+  bump_version:
+    if: "!startsWith(github.event.head_commit.message, 'bump:') && github.ref == 'refs/heads/main'"
+    runs-on: ubuntu-latest
+    name: "Bump version and create changelog with commitizen"
+    steps:
+      - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        id: app-token
+        with:
+          app-id: ${{ vars.ELEMENTSINTERACTIVE_BOT_APP_ID }}
+          private-key: ${{ secrets.ELEMENTSINTERACTIVE_BOT_PRIVATE_KEY }}
+      - uses: actions/checkout@@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+          token: ${{ steps.app-token.outputs.token }}
+          ref: ${{ github.head_ref }}
+          # Make sure the value of GITHUB_TOKEN will not be persisted in repo's config
+          persist-credentials: false
+      - id: cz
+        name: Create bump and changelog
+        uses: commitizen-tools/commitizen-action@5b0848cd060263e24602d1eba03710e056ef7711 # v0.24.0
+        with:
+          github_token: ${{ steps.app-token.outputs.token }}
+      - name: Print Version
+        run: echo "Bumped to version ${{ steps.cz.outputs.version }}"
diff --git a/.github/workflows/conventional-label.yaml b/.github/workflows/conventional-label.yaml
@@ -0,0 +1,12 @@
+on:
+  pull_request_target:
+    branches: ["main"]
+
+name: conventional-release-labels
+jobs:
+  label:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: bcoe/conventional-release-labels@886f696738527c7be444262c327c89436dfb95a8 #v1.3.1
+        with:
+          type_labels: '{"feat": "feature", "fix": "fix", "BREAKING CHANGE": "breaking", "ci": "CI", "build": "build", "refactor": "refactor", "test": "test"}'
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -0,0 +1,23 @@
+# This workflow will check our code for having a proper format, as well as the commit message to meet the expected ones
+
+name: Lint
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+
+jobs:
+  lint-commit:
+    runs-on: ubuntu-latest
+    name: "Lint commit message"
+    container:
+      image: commitizen/commitizen:4.8.3@sha256:08a078c52b368f85f34257a66e10645ee74d8cbe9b471930b80b2b4e95a9bd4a
+    steps:
+      - name: Check out
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Check commit message
+        run: |
+          git config --global --add safe.directory . 
+          cz check --rev-range HEAD
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -0,0 +1,22 @@
+name: Publish
+
+on:
+  push:
+    tags:
+      - "v*.*.*"
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Release
+        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
+        with:
+          generate_release_notes: true
+          make_latest: true
+          token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/simple-test.yml b/.github/workflows/simple-test.yml
@@ -0,0 +1,21 @@
+name: Simple Test
+
+on:
+  workflow_dispatch: # Allow manual triggering
+  push:
+    branches: [main, init]
+
+jobs:
+  test-action:
+    name: Test Twyn Action
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Twyn Security Check
+        id: twyn
+        uses: ./
+        with:
+          dependency-file: "requirements.txt"
+          github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -0,0 +1 @@
+@sdn4z @scastlara
diff --git a/README.md b/README.md
@@ -0,0 +1,62 @@
+# Twyn Action
+
+A GitHub Action that runs security checks against dependency typosquatting attacks using [Twyn](https://github.com/elementsinteractive/twyn).
+
+![Twyn Action Results](assets/twyn-action-results.png)
+
+
+## What is Twyn?
+
+Twyn is a security tool that analyzes your project dependencies to detect potential typosquatting attacks - when malicious packages have names similar to legitimate ones to trick developers into installing them.
+
+## Examples
+
+### Basic Security Check
+
+```yaml
+  pull_request:
+    branches: [ main ]
+
+- name: Run Twyn Security Check
+  uses: elementsinteractive/twyn-action@v1
+  with:
+    publish: true
+    github-token: ${{ secrets.GITHUB_TOKEN }}
+```
+
+## Inputs
+
+| Input | Description | Required | Default |
+|-------|-------------|----------|---------|
+| `dependency-file` | Dependency file(s) to analyze (comma-separated) | No | Auto-detect |
+| `table` | Display results in table format (requires version >=v6) | No | `false` |
+| `json` | Display results in JSON format | No | `false` |
+| `publish` | Publish results as PR comments. It must run in a PR context | No | `false` |
+| `github-token` | GitHub token for publishing comments | No | - |
+| `recursive` | Recursively search for dependency files | No | `false` |
+| `selector-method` | Method for selecting typosquats (`first-letter`, `nearby-letter`, `all`) | No | - |
+| `v` | Enable verbose output | No | `false` |
+| `vv` | Enable extra verbose output | No | `false` |
+| `version` | Twyn version to use | No | `latest` |
+
+## Outputs
+
+| Output | Description |
+|--------|-------------|
+| `results` | Raw output from twyn scan |
+| `exit-code` | Exit code (0=no issues, 1=issues found, >1=error) |
+| `has-findings` | Boolean indicating if issues were found |
+
+## Publishing Results to PR
+
+When `publish: true` is enabled, the action will automatically post a comment to the Pull Request with a formatted table showing any security findings.
+
+**⚠️ Important: Publishing only works when the workflow runs in a Pull Request context.** Make sure your workflow is triggered by `pull_request` events, not just `push` or `workflow_dispatch`.
+
+This requires:
+- `table: true` (automatically enabled when publish is true)
+- `version: "v6"` or higher (table format requires Twyn v6+)
+- `github-token` to be provided
+- The workflow to run on a Pull Request event (`on: pull_request`)
+
+The PR comment will include a detailed table with information about potential typosquatting packages found.
diff --git a/action.yml b/action.yml
diff --git a/requirements.txt b/requirements.txt
