Merge pull request #1 from step-security/release

feat: Initial Release

Author: amanstep

.env

@@ -0,0 +1,61 @@
+# dotenv-linter:off IncorrectDelimiter
+
+# Do not commit your actual .env file to Git! This may contain secrets or other
+# private information.
+
+# Enable/disable step debug logging (default: `false`). For local debugging, it
+# may be useful to set it to `true`.
+ACTIONS_STEP_DEBUG=true
+
+# GitHub Actions inputs should follow `INPUT_<name>` format (case-sensitive).
+# Hyphens should not be converted to underscores!
+INPUT_MILLISECONDS=2400
+
+# GitHub Actions default environment variables. These are set for every run of a
+# workflow and can be used in your actions. Setting the value here will override
+# any value set by the local-action tool.
+# https://docs.github.com/en/actions/learn-github-actions/variables#default-environment-variables
+
+# CI="true"
+# GITHUB_ACTION=""
+# GITHUB_ACTION_PATH=""
+# GITHUB_ACTION_REPOSITORY=""
+# GITHUB_ACTIONS=""
+# GITHUB_ACTOR=""
+# GITHUB_ACTOR_ID=""
+# GITHUB_API_URL=""
+# GITHUB_BASE_REF=""
+# GITHUB_ENV=""
+# GITHUB_EVENT_NAME=""
+# GITHUB_EVENT_PATH=""
+# GITHUB_GRAPHQL_URL=""
+# GITHUB_HEAD_REF=""
+# GITHUB_JOB=""
+# GITHUB_OUTPUT=""
+# GITHUB_PATH=""
+# GITHUB_REF=""
+# GITHUB_REF_NAME=""
+# GITHUB_REF_PROTECTED=""
+# GITHUB_REF_TYPE=""
+# GITHUB_REPOSITORY=""
+# GITHUB_REPOSITORY_ID=""
+# GITHUB_REPOSITORY_OWNER=""
+# GITHUB_REPOSITORY_OWNER_ID=""
+# GITHUB_RETENTION_DAYS=""
+# GITHUB_RUN_ATTEMPT=""
+# GITHUB_RUN_ID=""
+# GITHUB_RUN_NUMBER=""
+# GITHUB_SERVER_URL=""
+# GITHUB_SHA=""
+# GITHUB_STEP_SUMMARY=""
+# GITHUB_TRIGGERING_ACTOR=""
+# GITHUB_WORKFLOW=""
+# GITHUB_WORKFLOW_REF=""
+# GITHUB_WORKFLOW_SHA=""
+# GITHUB_WORKSPACE=""
+RUNNER_ARCH="X"
+# RUNNER_DEBUG=""
+# RUNNER_NAME=""
+RUNNER_OS="macOS"
+RUNNER_TEMP=".local/tmp"
+RUNNER_TOOL_CACHE=".local/cache"

.github/workflows/actions_release.yml

@@ -0,0 +1,28 @@
+name: Release GitHub Actions
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Tag for the release'
+        required: true
+      script:
+        description: 'Specify the build script to run'
+        required: false
+        type: string
+        default: 'npm run all'
+
+permissions:
+  contents: read
+
+jobs:
+  release:
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+
+    uses: step-security/reusable-workflows/.github/workflows/actions_release.yaml@v1
+    with:
+      tag: '${{ github.event.inputs.tag }}'
+      script: '${{ github.event.inputs.script }}'

.github/workflows/audit_package.yml

@@ -0,0 +1,34 @@
+name: NPM Audit Fix Run
+
+on:
+  workflow_dispatch:
+    inputs:
+      force:
+        description: 'Use --force flag for npm audit fix?'
+        required: true
+        type: boolean
+      base_branch:
+        description: 'Specify a base branch'
+        required: false
+        default: 'main'
+      script:
+        description: 'Specify the build script to run'
+        required: false
+        type: string
+        default: 'npm run all'
+  schedule:
+    - cron: '0 0 * * 1'
+
+jobs:
+  audit-fix:
+    uses: step-security/reusable-workflows/.github/workflows/audit_fix.yml@v1
+    with:
+      force: ${{ inputs.force || false }}
+      base_branch: ${{ inputs.base_branch || 'main' }}
+      script: ${{ inputs.script || 'npm run all' }}
+
+permissions:
+  contents: write
+  pull-requests: write
+  packages: read
+  issues: write

.github/workflows/guarddog.yml

@@ -0,0 +1,14 @@
+name: Run GuardDog Scan on PRs
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  call-guarddog-scan:
+    uses: step-security/reusable-workflows/.github/workflows/guarddog.yml@v1

.github/workflows/test.yml

@@ -0,0 +1,35 @@
+env:
+  RUNNER_DEBUG: 1
+
+name: 'build-test'
+on: # rebuild any PRs and main branch changes
+  pull_request:
+  push:
+    branches:
+      - main
+      - 'release/*'
+
+jobs:
+  build: # make sure build/ci work properly
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: '22'
+      - run: |
+          npm install
+          npm run all
+      - run: |
+          git diff --exit-code ':!dist/index.js.map' ':!badges/coverage.svg'
+  test: # make sure the action works on a clean machine without building
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: ./
+        id: install
+      - name: Get the vals version
+        run: vals --version

.gitignore

@@ -0,0 +1,99 @@
+# Dependency directory
+node_modules
+
+# Rest pulled from https://github.com/github/gitignore/blob/master/Node.gitignore
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+*.lcov
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+jspm_packages/
+
+# TypeScript v1 declaration files
+typings/
+
+# TypeScript cache
+*.tsbuildinfo
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variables file
+.local
+
+# parcel-bundler cache (https://parceljs.org/)
+.cache
+
+# next.js build output
+.next
+
+# nuxt.js build output
+.nuxt
+
+# vuepress build output
+.vuepress/dist
+
+# Serverless directories
+.serverless/
+
+# FuseBox cache
+.fusebox/
+
+# DynamoDB Local files
+.dynamodb/
+
+# OS metadata
+.DS_Store
+Thumbs.db
+
+# Ignore built ts files
+__tests__/runner/*
+
+.idea

.prettierrc.yml

@@ -0,0 +1,16 @@
+# See: https://prettier.io/docs/en/configuration
+
+printWidth: 80
+tabWidth: 2
+useTabs: false
+semi: false
+singleQuote: true
+quoteProps: as-needed
+jsxSingleQuote: false
+trailingComma: none
+bracketSpacing: true
+bracketSameLine: true
+arrowParens: always
+proseWrap: always
+htmlWhitespaceSensitivity: css
+endOfLine: lf

LICENSE

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) Microsoft Corporation.
+Copyright (c) 2025 StepSecurity
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

README.md

@@ -1 +1,21 @@
-# setup-vals
+## Setup Vals
+
+GitHub Action for installing
+[variantdev/vals](https://github.com/variantdev/vals)
+
+Install a specific version of vals binary on the runner. Acceptable values are
+latest or any semantic version string like v2.16.7 Use this action in workflow
+to define which version of sops will be used.
+
+```yaml
+- name: Vals Binary Installer
+  uses: step-security/setup-vals@v1
+  with:
+    version: '<version>' # default is latest stable
+  id: install
+```
+
+The cached vals binary path is prepended to the PATH environment variable as
+well as stored in the vals-path output variable. Refer to the action metadata
+file for details about all the inputs
+[here](https://github.com/step-security/setup-vals/blob/master/action.yml).

SECURITY.md

@@ -0,0 +1,5 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please report security vulnerabilities to [email protected]