cherry-picked manually

Author: Raj-StepSecurity

.editorconfig

@@ -0,0 +1,13 @@
+root = true
+
+[*]
+charset = utf-8
+indent_style = space
+indent_size = 4
+insert_final_newline = true
+trim_trailing_whitespace = true
+end_of_line = lf
+max_line_length = 160
+
+[*.{yaml,yml,json}]
+indent_size = 2

.env

@@ -58,5 +58,5 @@ RUNNER_ARCH="X"
 # RUNNER_NAME=""
 INPUT_VERSION="latest"
 RUNNER_OS="macOS"
-RUNNER_TEMP=".local/tmp"
-RUNNER_TOOL_CACHE=".local/cache"
+RUNNER_TEMP=.local/tmp
+RUNNER_TOOL_CACHE=.local/cache

.github/labeler.yml

@@ -0,0 +1,15 @@
+version: 1
+appendOnly: true
+labels:
+  - label: 'chore'
+    type: 'pull_request'
+    title: '^chore:.*'
+  - label: '🐞 bug'
+    type: 'pull_request'
+    title: '^fix:.*'
+  - label: '✨ enhancement'
+    type: 'pull_request'
+    title: '^feat:.*'
+  - label: '📖 docs'
+    type: 'pull_request'
+    title: '^docs:.*'

.github/release.yml

@@ -0,0 +1,23 @@
+changelog:
+  exclude:
+    labels:
+      - chore
+  categories:
+    - title: 💥 Breaking Changes
+      labels:
+        - 💥 breaking-change
+    - title: ✨ Exciting New Features
+      labels:
+        - ✨ enhancement
+    - title: 🐞 Bug Fixes
+      labels:
+        - 🐞 bug
+    - title: 🛠️ Dependencies
+      labels:
+        - 🛠️ dependencies
+    - title: 📖 Documentation
+      labels:
+        - 📖 docs
+    - title: Other Changes
+      labels:
+        - '*'

.github/workflows/auto_cherry_pick.yml

@@ -4,9 +4,9 @@ on:
   workflow_dispatch:
     inputs:
       base_branch:
-        description: "Base branch to create the PR against"
+        description: 'Base branch to create the PR against'
         required: true
-        default: "main"
+        default: 'main'
       script:
         description: 'Script to run after audit fix'
         required: false
@@ -22,7 +22,7 @@ jobs:
   cherry-pick:
     uses: step-security/reusable-workflows/.github/workflows/auto_cherry_pick.yaml@v1
     with:
-      original-owner: "jkroepke"
-      repo-name: "setup-vals"
+      original-owner: 'jkroepke'
+      repo-name: 'setup-vals'
       base_branch: ${{ inputs.base_branch }}
       script: ${{ inputs.script || 'npm run all' }}

.github/workflows/ci.yml

@@ -0,0 +1,108 @@
+env:
+  RUNNER_DEBUG: 1
+
+name: 'CI'
+on: # rebuild any PRs and main branch changes
+  pull_request:
+  push:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  build: # make sure build/ci work properly
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: '22'
+      - run: |
+          npm install
+          npm run all
+      - run: |
+          git diff --exit-code ':!dist/index.js.map' ':!badges/coverage.svg'
+  test: # make sure the action works on a clean machine without building
+    runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: ./
+      - name: Get the version
+        run: vals version
+      - uses: ./
+        with:
+          version: v0.40.0
+      - name: Get the version
+        run: vals version | grep 0.40.0
+      - uses: ./
+        with:
+          version: 0.28.0
+      - name: Get the version
+        run: vals version | grep 0.28.0
+
+  super-lint:
+    name: super-lint
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Lint Code Base
+        uses: super-linter/super-linter/slim@4e8a7c2bf106c4c766c816b35ec612638dc9b6b2 # v7.3.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          MULTI_STATUS: false
+          LINTER_RULES_PATH: .
+          VALIDATE_ALL_CODEBASE: true
+          VALIDATE_BASH: true
+          VALIDATE_BASH_EXEC: true
+          VALIDATE_ENV: true
+          VALIDATE_GITHUB_ACTIONS: true
+          VALIDATE_HTML: true
+          VALIDATE_NATURAL_LANGUAGE: true
+          VALIDATE_SHELL_SHFMT: true
+          VALIDATE_XML: true
+          VALIDATE_YAML: true
+
+  release:
+    if: github.repository_owner == 'jkroepke' && github.ref_name == 'main'
+    name: Release
+    runs-on: ubuntu-latest
+    needs:
+      - build
+      - test
+      - super-lint
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        id: app-token
+        with:
+          app-id: 1248576
+          private-key: ${{ secrets.AUTOMATION_APP_PRIVATE_KEY }}
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: '22'
+      - name: Install dependencies
+        run: npm clean-install
+      - name: Release
+        env:
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: npx semantic-release

.github/workflows/pr.yaml

@@ -0,0 +1,61 @@
+name: Pull Request
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - labeled
+      - unlabeled
+
+permissions: {}
+
+jobs:
+  add-labels:
+    runs-on: ubuntu-latest
+    if: >-
+      !contains(github.event.pull_request.labels.*.name, '💥 breaking-change') &&
+      !contains(github.event.pull_request.labels.*.name, '✨ enhancement') &&
+      !contains(github.event.pull_request.labels.*.name, '🐞 bug') &&
+      !contains(github.event.pull_request.labels.*.name, '📖 docs') &&
+      !contains(github.event.pull_request.labels.*.name, 'chore') &&
+      !contains(github.event.pull_request.labels.*.name, '🛠️ dependencies')
+    steps:
+      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        id: app-token
+        with:
+          app-id: 1248576
+          private-key: ${{ secrets.AUTOMATION_APP_PRIVATE_KEY }}
+      - uses: srvaroa/labeler@0a20eccb8c94a1ee0bed5f16859aece1c45c3e55 # v1.13.0
+        env:
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+  validate-labels:
+    name: check labels missing
+    runs-on: ubuntu-latest
+    steps:
+      - name: check
+        if: >-
+          !contains(github.event.pull_request.labels.*.name, '💥 breaking-change') &&
+          !contains(github.event.pull_request.labels.*.name, '✨ enhancement') &&
+          !contains(github.event.pull_request.labels.*.name, '🐞 bug') &&
+          !contains(github.event.pull_request.labels.*.name, '📖 docs') &&
+          !contains(github.event.pull_request.labels.*.name, 'chore') &&
+          !contains(github.event.pull_request.labels.*.name, '🛠️ dependencies')
+        run: >-
+          echo One of the following labels is missing on this PR:
+          breaking-change enhancement bug docs chore && exit 1
+  validate-title:
+    name: check title prefix
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: check
+        run: |
+          PR_TITLE_PREFIX=$(echo "$PR_TITLE" | cut -d':' -f1)
+          if [[ "$PR_TITLE_PREFIX" == "fix"* ]] || [[ "$PR_TITLE_PREFIX" == "feat"* ]] || [[ "$PR_TITLE_PREFIX" == "chore"* ]]; then
+            exit 0
+          fi
+          echo "PR title must start with feat, fix or chore"
+          exit 1
+        env:
+          PR_TITLE: ${{ github.event.pull_request.title }}

.github/workflows/renovate-custom-hooks.yaml

@@ -0,0 +1,99 @@
+name: renovate hooks
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'package.json'
+      - 'package-lock.json'
+
+jobs:
+  renovate-post-run:
+    name: Renovate Post Upgrade Hook
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'jkroepke' && github.actor == 'renovate[bot]'
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      # Using a GitHub App token, because GitHub Actions doesn't run on commits from github-actions bot
+      # Used App:
+      # https://github.com/organizations/prometheus-community/settings/apps/helm-charts-renovate-helper.
+      # Ref: https://github.com/prometheus-community/helm-charts/issues/5213.
+      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        id: app-token
+        with:
+          app-id: 1248576
+          private-key: ${{ secrets.AUTOMATION_APP_PRIVATE_KEY }}
+
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: '22'
+
+      - run: |
+          npm install
+          npm run all
+      - name: Commit changes
+        env:
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+          GITHUB_HEAD_REF: ${{ github.head_ref }}
+        #language=bash
+        run: |
+          # Define the target directory
+          TARGET_DIR="."
+          # Fetch deleted files in the target directory
+          DELETED_FILES=$(git diff --diff-filter=D --name-only HEAD -- "$TARGET_DIR")
+          # Fetch added/modified files in the target directory
+          MODIFIED_FILES=$(git diff --diff-filter=ACM --name-only HEAD -- "$TARGET_DIR")
+          # Create a temporary file for JSON output
+          FILE_CHANGES_JSON_FILE=$(mktemp)
+          # Initialize JSON structure
+          echo '{ "deletions": [], "additions": [] }' > "$FILE_CHANGES_JSON_FILE"
+          # Add deletions
+          for file in $DELETED_FILES; do
+            jq --arg path "$file" '.deletions += [{"path": $path}]' "$FILE_CHANGES_JSON_FILE" > "$FILE_CHANGES_JSON_FILE.tmp"
+            mv "$FILE_CHANGES_JSON_FILE.tmp" "$FILE_CHANGES_JSON_FILE"
+          done
+          # Prepare additions (new or modified files)
+          for file in $MODIFIED_FILES; do
+            jq --rawfile content "$file" --arg path "$file" \
+              '.additions += [{"path": $path, "contents": ($content | @base64)}]' \
+              "$FILE_CHANGES_JSON_FILE" > "$FILE_CHANGES_JSON_FILE.tmp"
+            mv "$FILE_CHANGES_JSON_FILE.tmp" "$FILE_CHANGES_JSON_FILE"
+          done
+          # Create a temporary file for the final JSON payload
+          JSON_PAYLOAD_FILE=$(mktemp)
+          # Construct the final JSON using jq and store it in a file
+          jq -n --arg repo "$GITHUB_REPOSITORY" \
+                --arg branch "$GITHUB_HEAD_REF" \
+                --arg message "post upgrade changes from renovate" \
+                --arg expectedOid "$GITHUB_SHA" \
+                --slurpfile fileChanges "$FILE_CHANGES_JSON_FILE" \
+                '{
+                  query: "mutation ($input: CreateCommitOnBranchInput!) {
+                    createCommitOnBranch(input: $input) {
+                      commit {
+                        url
+                      }
+                    }
+                  }",
+                  variables: {
+                    input: {
+                      branch: {
+                        repositoryNameWithOwner: $repo,
+                        branchName: $branch
+                      },
+                      message: { headline: $message },
+                      fileChanges: $fileChanges[0],
+                      expectedHeadOid: $expectedOid
+                    }
+                  }
+                }' > "$JSON_PAYLOAD_FILE"
+          # Call GitHub API
+          curl https://api.github.com/graphql -f \
+               -sSf -H "Authorization: Bearer $GITHUB_TOKEN" \
+               --data "@$JSON_PAYLOAD_FILE"
+          # Clean up temporary files
+          rm "$FILE_CHANGES_JSON_FILE" "$JSON_PAYLOAD_FILE"