feat: Support customization of the cache key (#24)

Pre-requisite for
github/continuous-ai-for-accessibility#18
(Hubber access only) and
github/continuous-ai-for-accessibility#27
(Hubber access only)

This PR does three things:

1. Adds an optional `cache_key` input to the main action. This allows
folks to choose the filename (and path) where findings will be saved (in
the `gh-cache` branch).

2. Rejects weird `path` inputs in all `gh-cache/*` actions. The main
action passes `cache_key` as `path` to these, so they must ensure its
value is usable.

3. Adds a new `gh-cache/delete` action (for deleting a cached file).
This is not _strictly_ related to customized cache keys, but I didn’t
open a separate PR because `gh-cache/delete` uses the “Validate path”
step introduced in this PR (item 2, above).

Author: smockle

.github/actions/gh-cache/delete/README.md

@@ -0,0 +1,15 @@
+# delete
+
+Delete a file or directory from the orphaned 'gh-cache' branch
+
+## Usage
+
+### Inputs
+
+#### `path`
+
+**Required** Relative path to a file or directory to delete. Allowed characters are `A-Za-z0-9._/-`. For example: `findings.json`.
+
+#### `token`
+
+**Required** Token with fine-grained permissions 'contents: write'.

.github/actions/gh-cache/delete/action.yml

@@ -0,0 +1,91 @@
+name: "delete"
+description: "Delete a file or directory from the orphaned 'gh-cache' branch"
+
+inputs:
+  path:
+    description: "Relative path to a file or directory to delete"
+    required: true
+  token:
+    description: "Token with fine-grained permissions 'contents: write'"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Validate path
+      shell: bash
+      run: |
+        # Check for empty
+        if [[ -z "${{ inputs.path }}" ]]; then
+          echo "Invalid 'path' input (empty)"
+          exit 1
+        fi
+        # Check for absolute paths
+        if [[ "${{ inputs.path }}" == /* ]]; then
+          echo "Invalid 'path' input (absolute path): ${{ inputs.path }}"
+          exit 1
+        fi
+        # Check for directory traversal
+        if [[
+          "${{ inputs.path }}" == "~"* ||
+          "${{ inputs.path }}" =~ (^|/)\.\.(/|$)
+        ]]; then
+          echo "Invalid 'path' input (directory traversal): ${{ inputs.path }}"
+          exit 1
+        fi
+        # Check for disallowed characters (to ensure portability)
+        if [[ ! "${{ inputs.path }}" =~ ^[A-Za-z0-9._/-]+$ ]]; then
+          echo "Invalid 'path' input (disallowed characters): ${{ inputs.path }}"
+          exit 1
+        fi
+
+    - name: Checkout repository to temporary directory
+      uses: actions/checkout@v5
+      with:
+        token: ${{ inputs.token }}
+        fetch-depth: 0
+        path: .gh-cache-${{ github.run_id }}
+        show-progress: 'false'
+
+    - name: Switch to gh-cache branch (or create orphan)
+      shell: bash
+      working-directory: .gh-cache-${{ github.run_id }}
+      run: |
+        if git ls-remote --exit-code --heads origin gh-cache >/dev/null; then
+          git checkout gh-cache >/dev/null 2>&1
+          echo "Checked out existing 'gh-cache' branch"
+        else
+          git checkout --orphan gh-cache >/dev/null 2>&1
+          git rm -rfq . # Clear files from the initial checkout, to avoid adding them to the orphaned branch
+          echo "Created new orphaned 'gh-cache' branch"
+        fi
+
+    - name: Copy file to repo
+      shell: bash
+      run: |
+        if [ -f "${{ inputs.path }}" ]; then
+          rm -Rf "${{ inputs.path }}"
+          rm -Rf ".gh-cache-${{ github.run_id }}/${{ inputs.path }}"
+          echo "Deleted '${{ inputs.path }}' from 'gh-cache' branch"
+        fi
+
+    - name: Commit and push
+      shell: bash
+      working-directory: .gh-cache-${{ github.run_id }}
+      run: |
+        git add "${{ inputs.path }}" || true
+        git config user.name "github-actions[bot]"
+        git config user.email "github-actions[bot]@users.noreply.github.com"
+        git commit -m "$(printf 'Delete artifact: %s' "${{ inputs.path }}")" \
+          && echo "Committed '${{ inputs.path }}' to 'gh-cache' branch" \
+          || echo "No changes to commit"
+        git push origin gh-cache
+
+    - name: Clean up temporary directory
+      shell: bash
+      run: |
+        rm -rf .gh-cache-${{ github.run_id }}
+
+branding:
+  icon: "trash"
+  color: "red"

.github/actions/gh-cache/restore/README.md

@@ -8,7 +8,7 @@ Checkout a file or directory from an orphaned 'gh-cache' branch.
 
 #### `path`
 
-**Required** Relative path to a file or directory to restore. For example: `findings.json`.
+**Required** Relative path to a file or directory to restore. Allowed characters are `A-Za-z0-9._/-`. For example: `findings.json`.
 
 #### `token`
 

.github/actions/gh-cache/restore/action.yml

@@ -3,7 +3,7 @@ description: "Checkout a file or directory from an orphaned 'gh-cache' branch"
 
 inputs:
   path:
-    description: "Relative path to a file or directory to restore"
+    description: "Relative path to a file or directory to restore."
     required: true
   token:
     description: "Token with fine-grained permissions 'contents: read'"
@@ -16,6 +16,33 @@ inputs:
 runs:
   using: "composite"
   steps:
+    - name: Validate path
+      shell: bash
+      run: |
+        # Check for empty
+        if [[ -z "${{ inputs.path }}" ]]; then
+          echo "Invalid 'path' input (empty)"
+          exit 1
+        fi
+        # Check for absolute paths
+        if [[ "${{ inputs.path }}" == /* ]]; then
+          echo "Invalid 'path' input (absolute path): ${{ inputs.path }}"
+          exit 1
+        fi
+        # Check for directory traversal
+        if [[
+          "${{ inputs.path }}" == "~"* ||
+          "${{ inputs.path }}" =~ (^|/)\.\.(/|$)
+        ]]; then
+          echo "Invalid 'path' input (directory traversal): ${{ inputs.path }}"
+          exit 1
+        fi
+        # Check for disallowed characters (to ensure portability)
+        if [[ ! "${{ inputs.path }}" =~ ^[A-Za-z0-9._/-]+$ ]]; then
+          echo "Invalid 'path' input (disallowed characters): ${{ inputs.path }}"
+          exit 1
+        fi
+
     - name: Checkout repository to temporary directory
       uses: actions/checkout@v5
       with:

.github/actions/gh-cache/save/README.md

@@ -8,7 +8,7 @@ Commit a file or directory to an orphaned 'gh-cache' branch.
 
 #### `path`
 
-**Required** Relative path to a file or directory to save. For example: `findings.json`.
+**Required** Relative path to a file or directory to save. Allowed characters are `A-Za-z0-9._/-`. For example: `findings.json`.
 
 #### `token`
 

.github/actions/gh-cache/save/action.yml

@@ -12,6 +12,33 @@ inputs:
 runs:
   using: "composite"
   steps:
+    - name: Validate path
+      shell: bash
+      run: |
+        # Check for empty
+        if [[ -z "${{ inputs.path }}" ]]; then
+          echo "Invalid 'path' input (empty)"
+          exit 1
+        fi
+        # Check for absolute paths
+        if [[ "${{ inputs.path }}" == /* ]]; then
+          echo "Invalid 'path' input (absolute path): ${{ inputs.path }}"
+          exit 1
+        fi
+        # Check for directory traversal
+        if [[
+          "${{ inputs.path }}" == "~"* ||
+          "${{ inputs.path }}" =~ (^|/)\.\.(/|$)
+        ]]; then
+          echo "Invalid 'path' input (directory traversal): ${{ inputs.path }}"
+          exit 1
+        fi
+        # Check for disallowed characters (to ensure portability)
+        if [[ ! "${{ inputs.path }}" =~ ^[A-Za-z0-9._/-]+$ ]]; then
+          echo "Invalid 'path' input (disallowed characters): ${{ inputs.path }}"
+          exit 1
+        fi
+
     - name: Checkout repository to temporary directory
       uses: actions/checkout@v5
       with:

.github/dependabot.yml

@@ -23,6 +23,10 @@ updates:
     directory: "/.github/actions/gh-cache/cache"
     schedule:
       interval: "weekly"
+  - package-ecosystem: "github-actions"
+    directory: "/.github/actions/gh-cache/delete"
+    schedule:
+      interval: "weekly"
   - package-ecosystem: "github-actions"
     directory: "/.github/actions/gh-cache/restore"
     schedule:

README.md

@@ -23,6 +23,10 @@ https://primer.style/octicons/
 
 **Required** Personal access token (PAT) with fine-grained permissions 'contents: write', 'issues: write', and 'pull_requests: write'.
 
+#### `cache_key`
+
+**Optional** Custom key for caching findings across runs. Allowed characters are `A-Za-z0-9._/-`. For example: `cached_findings-main-primer.style.json`.
+
 ### Example workflow
 
 ```YAML

action.yml

@@ -12,15 +12,28 @@ inputs:
   token:
     description: "Personal access token (PAT) with fine-grained permissions 'contents: write', 'issues: write', and 'pull_requests: write'"
     required: true
+  cache_key:
+    description: "Custom key for caching findings across runs"
+    required: false
 
 runs:
   using: "composite"
   steps:
+    - name: Generate cache key
+      id: cache_key
+      shell: bash
+      run: |
+        CACHE_KEY="${{ inputs.cache_key }}"
+        if [[ -z "$CACHE_KEY" ]]; then
+          # If cache_key is not provided, generate a default one using the branch name, replacing characters (e.g. `/`) which would create unexpected paths.
+          CACHE_KEY=$(printf 'cached_findings-%s' "${{ github.ref_name }}" | tr -cs 'A-Za-z0-9._-' '_')
+        fi
+        echo "cache_key=$CACHE_KEY" >> $GITHUB_OUTPUT
     - name: Restore cached_findings
       id: restore
       uses: github/continuous-ai-for-accessibility-scanner/.github/actions/gh-cache/cache@main
       with:
-        key: cached_findings-${{ github.ref_name }}
+        key: ${{ steps.cache_key.outputs.cache_key }}
         token: ${{ inputs.token }}
     - name: Find
       id: find
@@ -45,7 +58,7 @@ runs:
     - name: Save cached_findings
       uses: github/continuous-ai-for-accessibility-scanner/.github/actions/gh-cache/cache@main
       with:
-        key: cached_findings-${{ github.ref_name }}
+        key: ${{ steps.cache_key.outputs.cache_key }}
         value: ${{ steps.file.outputs.findings }}
         token: ${{ inputs.token }}