fix(action): rewrite GitHub Action as composite with pip installation

.github/workflows/build.yml

@@ -27,7 +27,7 @@ jobs:
           python-version: '3.14'
 
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Install codepathfinder Python package from local
         run: |
@@ -64,7 +64,7 @@ jobs:
       run:
         working-directory: sast-engine
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v5
         with:
           go-version: '1.25.3'

.github/workflows/deploy-rules.yml

@@ -32,7 +32,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Python
         uses: actions/setup-python@v5

.github/workflows/docker-publish.yml

@@ -12,7 +12,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-tags: true
           fetch-depth: 0

.github/workflows/example-security-scan.yml

@@ -0,0 +1,45 @@
+# Example workflow showing how to use Code-Pathfinder GitHub Action
+# Copy this to your repository at .github/workflows/security-scan.yml
+#
+# NOTE: This workflow uses './' to test the action from the current branch.
+# In your own repository, replace './' with 'shivasurya/[email protected]'
+# or 'shivasurya/code-pathfinder@main' for the latest version.
+
+name: Security Scan
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+
+# Required for uploading SARIF results to GitHub Code Scanning
+permissions:
+  security-events: write
+  contents: read
+
+jobs:
+  # Scan with multiple remote rulesets (Python + Docker)
+  security-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Run Security Scan
+        uses: ./
+        with:
+          # Multiple rulesets can be specified as comma-separated list
+          ruleset: >-
+            python/deserialization,
+            python/django,
+            python/flask,
+            docker/security,
+            docker/best-practice
+          project: .
+          verbose: true
+
+      - name: Upload SARIF to GitHub Security
+        uses: github/codeql-action/upload-sarif@v4
+        if: always()
+        with:
+          sarif_file: pathfinder-results.sarif

.github/workflows/publish-vscode-extension.yml

@@ -16,7 +16,7 @@ jobs:
       contains(github.event.pull_request.labels.*.name, 'publish-vscode')
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Setup Node.js
         uses: actions/setup-node@v4

.github/workflows/pypi-publish.yml

@@ -50,7 +50,7 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Set up Python
         uses: actions/setup-python@v5
@@ -180,7 +180,7 @@ jobs:
   build-sdist:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Set up Python
         uses: actions/setup-python@v5

.github/workflows/release.yml

@@ -20,7 +20,7 @@ jobs:
           go-version: '1.25.3'
 
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0  # Fetch all history for tags
 
@@ -62,7 +62,7 @@ jobs:
           go-version: '1.25.3'
 
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0  # Fetch all history for tags
 
@@ -105,7 +105,7 @@ jobs:
           go-version: '1.25.3'
 
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0  # Fetch all history for tags
 
@@ -146,7 +146,7 @@ jobs:
           go-version: '1.25.3'
 
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0  # Fetch all history for tags
 
@@ -188,7 +188,7 @@ jobs:
           go-version: '1.25.3'
 
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0  # Fetch all history for tags
 

.github/workflows/stdlib-r2-upload.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Python 3.9
         uses: actions/setup-python@v5

README.md

@@ -148,6 +148,89 @@ pathfinder scan --rules rules/ --project . --output json | jq .
 pathfinder scan --rules rules/ --project . --fail-on=critical,high
 ```
 
+## GitHub Action
+
+Add security scanning to your CI/CD pipeline in just a few lines.
+
+**Best Practice:** Pin to a specific version (e.g., `@v1.2.0`) for stability and reproducibility. Using `@main` will always pull the latest changes, which may introduce breaking changes.
+
+```yaml
+# .github/workflows/security-scan.yml
+name: Security Scan
+
+on: [push, pull_request]
+
+permissions:
+  security-events: write
+  contents: read
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      # Scan with remote Python rulesets
+      - name: Run Python Security Scan
+        uses: shivasurya/[email protected]
+        with:
+          ruleset: python/deserialization, python/django, python/flask
+          fail-on: critical,high
+
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@v4
+        if: always()
+        with:
+          sarif_file: pathfinder-results.sarif
+```
+
+**Scan Dockerfiles:**
+```yaml
+      - name: Run Docker Security Scan
+        uses: shivasurya/[email protected]
+        with:
+          ruleset: docker/security, docker/best-practice
+```
+
+**Use local rules:**
+```yaml
+      - name: Run Custom Rules
+        uses: shivasurya/[email protected]
+        with:
+          rules: python-sdk/examples/owasp_top10.py
+```
+
+### Action Inputs
+
+| Input | Description | Default |
+|-------|-------------|---------|
+| `rules` | Path to Python SDK rules file or directory | - |
+| `ruleset` | Remote ruleset(s) to use (e.g., `python/deserialization, docker/security`). Supports bundles or individual rule IDs. | - |
+| `project` | Path to source code to scan | `.` |
+| `output` | Output format: `sarif`, `json`, `csv`, `text` | `sarif` |
+| `output-file` | Output file path | `pathfinder-results.sarif` |
+| `fail-on` | Fail on severities (e.g., `critical,high`) | - |
+| `verbose` | Enable verbose output with progress and statistics | `false` |
+| `debug` | Enable debug diagnostics with timestamps | `false` |
+| `skip-tests` | Skip scanning test files (test_*.py, *_test.py, etc.) | `true` |
+| `refresh-rules` | Force refresh of cached rulesets (bypasses cache) | `false` |
+| `disable-metrics` | Disable anonymous usage metrics collection | `false` |
+| `python-version` | Python version to use | `3.12` |
+
+**Note:** Either `rules` or `ruleset` must be specified.
+
+### Available Remote Rulesets
+
+**Python:**
+- `python/deserialization` - Unsafe pickle.loads RCE detection
+- `python/django` - Django SQL injection patterns
+- `python/flask` - Flask security misconfigurations
+
+**Docker:**
+- `docker/security` - Critical and high-severity security issues
+- `docker/best-practice` - Dockerfile optimization and best practices
+- `docker/performance` - Performance optimization for container images
+
 ## Acknowledgements
 Code Pathfinder uses tree-sitter for all language parsers.