{"id":44988260,"url":"https://github.com/kosli-dev/control-actions","last_synced_at":"2026-02-18T20:28:26.917Z","repository":{"id":306938103,"uuid":"1027714330","full_name":"kosli-dev/control-actions","owner":"kosli-dev","description":null,"archived":false,"fork":false,"pushed_at":"2025-07-28T13:51:34.000Z","size":17,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-07-28T15:37:58.101Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kosli-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-07-28T12:25:59.000Z","updated_at":"2025-07-28T13:51:37.000Z","dependencies_parsed_at":"2025-07-28T15:38:00.029Z","dependency_job_id":"ed53c570-6886-48b3-9dc6-5ac1bc149ff6","html_url":"https://github.com/kosli-dev/control-actions","commit_stats":null,"previous_names":["kosli-dev/control-actions"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/kosli-dev/control-actions","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kosli-dev%2Fcontrol-actions","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kosli-dev%2Fcontrol-actions/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kosli-dev%2Fcontrol-actions/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kosli-dev%2Fcontrol-actions/manifests","owner_url":"https://repos.ecosyste.ms/api/
v1/hosts/GitHub/owners/kosli-dev","download_url":"https://codeload.github.com/kosli-dev/control-actions/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kosli-dev%2Fcontrol-actions/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29594256,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-18T18:54:29.675Z","status":"ssl_error","status_checked_at":"2026-02-18T18:50:50.517Z","response_time":162,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-02-18T20:28:24.822Z","updated_at":"2026-02-18T20:28:26.897Z","avatar_url":"https://github.com/kosli-dev.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Code Review GitHub Actions\n\nThis repository contains GitHub Actions for evaluating code review controls in Kosli. These actions help ensure that all commits in a release have been properly reviewed before deployment.\n\n## Overview\n\nThe repository provides three actions:\n\n1. **Create Code Review Attestation Type** - Sets up a custom attestation type for code review evaluations\n2. **Code Review** - Evaluates code review attestations for commits between two git references\n3. **Override Pull Request** - override a missing or non-compliant pull request attestation\n\n\n## Prerequisites\n\n1. 
**Kosli Account**: You need a Kosli account and an API token for all three actions\n\n\n## Actions\n\n### 1. Create Code Review Attestation Type\n\nThis action creates a custom attestation type in Kosli for storing code review evaluation results.\nThe action can be run in a manually-triggered workflow or be part of your regular workflow (e.g. on push).\n\nThe custom attestation type created by this action is required by the code-review action described below.\n\n#### Usage\n\n```yaml\n- name: Create Code Review Attestation Type\n  uses: kosli-dev/control-actions/create-code-review-type@v1\n  with:\n    kosli_api_token: ${{ secrets.KOSLI_API_TOKEN }}\n    kosli_org: your-organization-name\n    kosli_cli_version: v2.11.20\n    kosli_host_name: https://app.kosli.com  # Optional, defaults to https://app.kosli.com\n```\n\n#### Inputs\n\n| Input | Description | Required | Default |\n|-------|-------------|----------|---------|\n| `kosli_api_token` | The Kosli API token for authorization | Yes | - |\n| `kosli_org` | The Kosli organization name | Yes | - |\n| `kosli_cli_version` | Kosli CLI version to use | Yes | - |\n| `kosli_host_name` | The Kosli host name | No | `https://app.kosli.com` |\n\n#### What it does\n\n- Sets up the Kosli CLI with the specified version\n- Creates a custom attestation type called `code-review` with a schema that validates:\n  - `commit`: 40-character git commit SHA\n  - `pass`: boolean indicating whether the commit passed review\n  - `reason`: string explaining the result\n  - `attestation_url`: optional URL to the attestation\n\n\n### 2. Code Review\n\n#### Prerequisites\n\n1. **Git History**: The repository must have enough git history to compare the two releases (set `fetch-depth: 0` in `actions/checkout`)\n2. **Pull Request Attestations**: Your development flow should have a pull request attestation for each commit on the main branch\n3. 
**Custom Attestation Type**: The `code-review` attestation type must be created (see action 1) before running evaluations\n\n\n**How the evaluation works:**\n\nThe action evaluates each commit in your release (the commits between the base reference and the release reference) to determine whether it meets the code review requirements. A commit passes the review control if:\n\n1. **The commit has a pull-request attestation with an associated pull request, or it has an override** - Either the code was reviewed through a pull request process, or an override attestation on the commit (see the Override Pull Request action below) records a manual approval or exemption for a missing or non-compliant pull-request attestation.\n2. **The pull request meets the review criteria** - The pull request is considered passing if:\n   - it has at least two different reviewers, OR\n   - it has at least one reviewer who is not a committer on the branch being merged\n\nThe second rule is what prevents self-approval: a single approval only counts when it comes from someone who did not commit on the branch.\n\nIf every commit in your release passes these criteria, the overall evaluation is marked as **passed**. If any commit fails to meet the requirements, the evaluation is marked as **failed**.\n\nThe action then reports these evaluation results to Kosli as an attestation.\n\n#### Usage\n\n```yaml\n- name: Evaluate Code Review Control\n  uses: kosli-dev/control-actions/code-review@v1\n  with:\n    base_ref: v1.0.0\n    release_ref: v1.1.0\n    kosli_api_token: ${{ secrets.KOSLI_API_TOKEN }}\n    kosli_org: your-organization-name\n    kosli_search_flow_name: development\n    kosli_code_review_attestation_type: code-review\n    kosli_code_review_attestation_name: release-code-review\n    kosli_code_review_flow_name: releases\n    kosli_code_review_trail_name: v1.1.0\n    kosli_host_name: https://app.kosli.com  # Optional\n```\n\n#### Inputs\n\n| Input | Description | Required | Default |\n|-------|-------------|----------|---------|\n| `base_ref` | The base git ref (e.g., previous release tag) | Yes | - |\n| `release_ref` | The git ref being released | Yes | - |\n| `kosli_api_token` | The Kosli API token for 
authorization | Yes | - |\n| `kosli_org` | The Kosli organization name | Yes | - |\n| `kosli_search_flow_name` | The Kosli flow where the source (pull request) attestations are stored | Yes | - |\n| `kosli_code_review_attestation_type` | The attestation type for reporting code review results | Yes | - |\n| `kosli_code_review_attestation_name` | The attestation name for reporting code review results | Yes | - |\n| `kosli_code_review_flow_name` | The flow name to report code review attestations to | Yes | - |\n| `kosli_code_review_trail_name` | The trail name to report code review attestations to | Yes | - |\n| `kosli_host_name` | The Kosli host name | No | `https://app.kosli.com` |\n\n#### What it does\n\n1. **Gets commit list**: Retrieves all commits between `base_ref` and `release_ref`\n2. **Fetches attestations**: Queries the Kosli API for the pull request attestation of each commit\n3. **Evaluates reviews**: Checks whether each commit passes the code-review control\n4. **Reports results**: Creates a new attestation in the specified flow/trail with the evaluation results\n\n#### Output\n\nThe action generates:\n- `attestations_evidence.json`: Raw attestation data from Kosli\n- `evaluation_results.json`: Processed evaluation results\n- A new attestation in the specified Kosli flow/trail with the evaluation summary\n\n## Complete Workflow Example\n\nHere's a complete example of how to use the first two actions in a release workflow. The actions are pinned to the `v1` tag rather than the `main` branch, so a later change to the branch cannot silently alter the control:\n\n```yaml\nname: Release with Code Review Control\n\non:\n  push:\n    tags:\n      - 'v*'\n\njobs:\n  setup:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v4\n        with:\n          fetch-depth: 0  # Important: fetch all history for git operations\n\n      - name: Create Code Review Attestation Type\n        uses: kosli-dev/control-actions/create-code-review-type@v1\n        with:\n          kosli_api_token: ${{ secrets.KOSLI_API_TOKEN }}\n          kosli_org: my-organization\n          kosli_cli_version: v2.11.19\n\n  evaluate-code-review:\n    runs-on: ubuntu-latest\n    needs: setup\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v4\n        with:\n          fetch-depth: 0\n\n      - name: Get previous release tag\n        id: previous_release\n        run: |\n          # Second-newest tag in version order, i.e. the release before the one being built\n          PREVIOUS_TAG=$(git tag --sort=-version:refname | head -n 2 | tail -n 1)\n          echo \"tag=$PREVIOUS_TAG\" \u003e\u003e $GITHUB_OUTPUT\n\n      - name: Evaluate Code Review Control\n        uses: kosli-dev/control-actions/code-review@v1\n        with:\n          base_ref: ${{ steps.previous_release.outputs.tag }}\n          release_ref: ${{ github.ref_name }}\n          kosli_api_token: ${{ secrets.KOSLI_API_TOKEN }}\n          kosli_org: my-organization\n          kosli_search_flow_name: development\n          kosli_code_review_attestation_type: code-review\n          kosli_code_review_attestation_name: release-code-review\n          kosli_code_review_flow_name: releases\n          kosli_code_review_trail_name: ${{ github.ref_name }}\n```\n\n### 3. 
Override Pull Request attestation\n\nThis action allows you to override a specific `pull_request` attestation and set its compliance explicitly, e.g. to mark a missing or non-compliant attestation as compliant.\n\n#### Usage\n\n```yaml\n- name: Override pull request attestation\n  uses: kosli-dev/control-actions/override-pull-request@v1\n  with:\n    kosli_api_token: ${{ secrets.KOSLI_API_TOKEN }}\n    kosli_org: your-organization-name\n    kosli_flow_name: build_flow\n    kosli_trail_name: 5b33764ac5d08a7945afd792476dd139afadc376\n    attestation_name: pull-request\n    override_reason: \"looks good to me!\"\n    override_compliance: true\n    kosli_host_name: https://app.kosli.com  # Optional, defaults to https://app.kosli.com\n```\n\n#### Inputs\n\n| Input | Description | Required | Default |\n|-------|-------------|----------|---------|\n| `kosli_api_token` | The Kosli API token for authorization | Yes | - |\n| `kosli_org` | The Kosli organization | Yes | - |\n| `kosli_flow_name` | The Kosli flow containing the pull-request attestation to override | Yes | - |\n| `kosli_trail_name` | The Kosli trail containing the pull-request attestation to override | Yes | - |\n| `attestation_name` | The name of the pull_request attestation to override | Yes | - |\n| `override_reason` | The reason for the override | Yes | - |\n| `override_compliance` | Compliance value for the override (`true` or `false`) | Yes | - |\n| `kosli_host_name` | The Kosli host name | No | `https://app.kosli.com` |\n\n#### What it does\n\n- It creates a new `override` attestation in the specified flow and trail for the `attestation_name` provided.\n- The override attestation triggers a new compliance calculation for the trail that takes the override into account.\n- The override is itself an attestation, so it and its `override_reason` become part of the audit trail; give a reason a reviewer or auditor can act on rather than a placeholder.\n\n#### Next steps\n\nAfter overriding missing or non-compliant individual pull_request attestations, you need to re-attest the code-review attestation (e.g. re-run the code-review workflow) to produce an updated code-review attestation that takes the overrides into account.\n\n\n## Troubleshooting\n\n### Common Issues\n\n1. 
**No commits found**: Ensure `base_ref` exists and `fetch-depth: 0` is set in checkout\n2. **API errors**: Check that the Kosli API token is valid and has proper permissions\n3. **Custom attestation type not found**: Run the create action before the evaluation action\n\n### Debugging\n\nThe actions generate detailed logs for debugging:\n- Check the action logs for error messages\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkosli-dev%2Fcontrol-actions","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkosli-dev%2Fcontrol-actions","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkosli-dev%2Fcontrol-actions/lists"}
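The code-review evaluation rules and the `code-review` attestation schema described in the README above, worked through as an added Python example. This is not code from kosli-dev/control-actions and does not use Kosli's API: the attestation record layout (`{"url": ..., "pull_request": {"url", "reviewers", "committers"}}`), the representation of overrides as a set of commit SHAs, and the use of `git rev-list base_ref..release_ref` to obtain the commit range are all assumptions made for the illustration. The sample commits and attestations are constructed.

```python
"""Worked example of the code-review control described in the README above.

Added illustration, not code from kosli-dev/control-actions. The record layouts
are assumptions rather than Kosli's real API shapes:

  * a pull-request attestation is modelled as
    {"url": <optional attestation URL>,
     "pull_request": {"url": str, "reviewers": [str], "committers": [str]}}
  * overrides are modelled as the set of commit SHAs that carry an override
  * the commit list is assumed to come from `git rev-list base_ref..release_ref`
    (commits_between wraps that; it needs full history, i.e. fetch-depth: 0)
"""
import re
import subprocess
from typing import Optional

SHA40 = re.compile(r"^[0-9a-f]{40}$")


def commits_between(base_ref: str, release_ref: str) -> list:
    """Commits reachable from release_ref but not from base_ref."""
    out = subprocess.run(["git", "rev-list", f"{base_ref}..{release_ref}"],
                         capture_output=True, text=True, check=True).stdout
    return out.split()


def pull_request_passes(reviewers: set, committers: set) -> bool:
    """README criteria: at least two distinct reviewers, OR at least one reviewer
    who is not a committer on the branch being merged. The second rule is the
    self-approval guard: a single approval only counts if it is independent."""
    if len(reviewers) >= 2:
        return True
    return any(r not in committers for r in reviewers)


def evaluate_commit(commit: str, attestation: Optional[dict], overridden: bool) -> dict:
    """Return one record in the shape of the `code-review` attestation schema."""
    if overridden:
        return {"commit": commit, "pass": True,
                "reason": "pull-request attestation overridden (manual approval/exemption)"}
    pr = (attestation or {}).get("pull_request")
    if not pr:
        return {"commit": commit, "pass": False,
                "reason": "no pull-request attestation with an associated pull request"}
    reviewers, committers = set(pr["reviewers"]), set(pr["committers"])
    if pull_request_passes(reviewers, committers):
        passed = True
        reason = f"reviewed in {pr['url']} by {sorted(reviewers)}"
    else:
        passed = False
        reason = (f"{pr['url']}: fewer than two reviewers and no reviewer "
                  f"independent of the branch committers {sorted(committers)}")
    record = {"commit": commit, "pass": passed, "reason": reason}
    if attestation.get("url"):  # attestation_url is optional in the schema
        record["attestation_url"] = attestation["url"]
    return record


def evaluate_release(commits: list, attestations: dict, overrides: set) -> tuple:
    """Overall verdict plus per-commit records; passes only if every commit passes.
    An empty range is refused: it usually means base_ref is wrong or history was
    not fetched (README troubleshooting), and silently passing it would hide that."""
    if not commits:
        raise ValueError("no commits between base_ref and release_ref")
    results = [evaluate_commit(c, attestations.get(c), c in overrides) for c in commits]
    return all(r["pass"] for r in results), results


def validate_record(record: dict) -> bool:
    """Check a record against the schema registered by create-code-review-type:
    commit (40-char SHA), pass (bool), reason (str), attestation_url (optional URL)."""
    if not isinstance(record.get("commit"), str) or not SHA40.match(record["commit"]):
        return False
    if not isinstance(record.get("pass"), bool):
        return False
    if not isinstance(record.get("reason"), str) or not record["reason"]:
        return False
    url = record.get("attestation_url")
    return url is None or (isinstance(url, str) and url.startswith(("http://", "https://")))


# Constructed sample input (not real Kosli data): four commits in one release.
C_TWO_REVIEWERS, C_SELF_REVIEW, C_OVERRIDDEN, C_INDEPENDENT = "a" * 40, "b" * 40, "c" * 40, "d" * 40
SAMPLE_COMMITS = [C_TWO_REVIEWERS, C_SELF_REVIEW, C_OVERRIDDEN, C_INDEPENDENT]
SAMPLE_ATTESTATIONS = {
    C_TWO_REVIEWERS: {"url": "https://app.kosli.com/example/attestation/1",
                      "pull_request": {"url": "https://github.com/org/repo/pull/1",
                                       "reviewers": ["alice", "bob"], "committers": ["alice"]}},
    C_SELF_REVIEW: {"pull_request": {"url": "https://github.com/org/repo/pull/2",
                                     "reviewers": ["carol"], "committers": ["carol", "dave"]}},
    # C_OVERRIDDEN has no attestation at all; it is covered by an override instead.
    C_INDEPENDENT: {"pull_request": {"url": "https://github.com/org/repo/pull/3",
                                     "reviewers": ["erin"], "committers": ["frank"]}},
}
SAMPLE_OVERRIDES = {C_OVERRIDDEN}

if __name__ == "__main__":
    import json
    overall, records = evaluate_release(SAMPLE_COMMITS, SAMPLE_ATTESTATIONS, SAMPLE_OVERRIDES)
    print(json.dumps({"pass": overall, "commits": records}, indent=2))
```

Running the sample gives an overall failure: the first, third and fourth commits pass (two reviewers, an override, and one independent reviewer respectively), while the second fails because its only reviewer also committed on the branch. That single failing commit is enough to fail the release, which is the behaviour the README describes.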