actions list/info: add trust level, publisher, paths, policies, and compatibility metadata

[Copilot]

actions list was missing publisher and actions info/show was missing several metadata fields called out in the PRD: trust level, pack path, compatibility, policies, and full security details.

Changes

actions list

• publisher added to every row (text + --json)
• search now also matches on publisher text

actions info / actions show

• trust level — derived field (high/medium/low) from the manifest's security block:
  • high: leastPrivilegePermissions=true + pinThirdPartyActions=required + allowPullRequestTarget=false
  • medium: leastPrivilegePermissions=true + allowPullRequestTarget=false
  • low: anything else
• pack path — CatalogEntry.packDir (absolute path to the pack on disk)
• Compatibility section — providers, languages, package managers, frameworks
• Policies section — installMode, managedComment, requiresReview
• Security section — all four security fields, explicit
• --json output now includes packDir and trustLevel

New export

export function deriveTrustLevel(security: ActionPackManifest['security']): TrustLevel

Tests — 5 new unit tests covering deriveTrustLevel logic and subcommand presence.

Example output (actions info node-pnpm-ci)

Node pnpm CI (node-pnpm-ci@1.0.0)
Least-privilege Node/TypeScript CI workflow using pnpm — install, typecheck, test.

publisher:    profullstack
visibility:   public
license:      MIT
categories:   ci, node, typescript
pricing:      free
trust level:  medium          ← green/yellow/red coloured
pack path:    /…/packages/actions/node-pnpm-ci

Compatibility
  providers: github
  languages: javascript, typescript
  package managers: pnpm
  frameworks: next, sveltekit, react

Policies
  install mode:     pull-request
  managed comment:  true
  requires review:  true

Security
  least-privilege permissions:  true
  pin third-party actions:      optional
  allow pull-request-target:    false
  default timeout (min):        15
…

[alwaysmeticulous]

Meticulous was unable to execute a test run for this PR because the most recent commit is associated with multiple PRs. To execute a test run, please try pushing up a new commit that is only associated with this PR.

_{Last updated for commit f505900. This comment will update as new commits are pushed.}

[github-actions]

vu1nz Security Review

0 finding(s) in PR #435

No security issues found.

Full AI Analysis

After thoroughly reviewing this pull request, I have analyzed the code changes for potential security vulnerabilities including SQLi, XSS, RCE, command injection, hardcoded secrets, IDOR, auth/authz flaws, CSRF, SSRF, insecure crypto, path traversal, dependency risks, and CI/CD supply-chain issues.

Security Analysis Results

NO security issues were found in this pull request.

Analysis Summary

This PR appears to be adding functionality to display and evaluate "trust levels" for action packs in a CLI tool. The changes include:

1. New trust level derivation function (deriveTrustLevel) - This is a pure function that evaluates security settings and returns a trust level classification
2. Enhanced display functionality - Additional output formatting to show publisher, trust level, compatibility, policies, and security information
3. Test coverage - Comprehensive unit tests for the new trust level functionality

Key Security Considerations Reviewed

• Input validation: The code processes manifest data but doesn't accept external user input that could lead to injection attacks
• Path handling: While packDir is displayed, it's sourced from internal catalog entries, not user-controlled input
• Output encoding: Console output uses proper string concatenation without dynamic code execution
• Trust level logic: The security evaluation logic itself is sound and promotes better security practices
• No external dependencies: No new risky dependencies introduced
• No secrets: No hardcoded credentials or sensitive data exposed

The changes enhance the security posture of the tool by providing visibility into action pack security configurations, which is a positive security enhancement rather than introducing vulnerabilities.