Use package version for action install default

Signed-off-by: jmclaughlin724 <31931302+jmclaughlin724@users.noreply.github.com>

Author: jmclaughlin724

action.yml

@@ -9,9 +9,8 @@ inputs:
     description: JSON array of argv entries passed to supaschema, excluding the binary name. Use ["scan","--reporter","json"] for PR comments and check runs.
     required: true
   version:
-    description: Exact supaschema npm version to run.
+    description: Exact supaschema npm version to run. Defaults to this action tag's package.json version.
     required: false
-    default: "0.3.0"
 runs:
   using: composite
   steps:

docs/release.mdx

@@ -22,7 +22,7 @@ The package is designed for trusted publishing from GitHub Actions. `main` is th
 ## Per-release checklist
 
 1. Add changesets for user-facing PRs while the change is fresh.
-2. Run `npm run release:version` for the release PR and review the resulting `package.json`, `package-lock.json`, `CHANGELOG.md`, and `action.yml` changes.
+2. Run `npm run release:version` for the release PR and review the resulting `package.json`, `package-lock.json`, and `CHANGELOG.md` changes.
 3. Run `npm run release:notes -- --version <version>` and confirm the output is the GitHub Release body you want.
 4. Run `npm run release:verify`.
 5. Confirm PR CI passes all required checks before merge.

scripts/actions/run-supaschema-action.mjs

@@ -5,16 +5,27 @@ import { fileURLToPath } from "node:url";
 
 const scanReportMarker = "<!-- supaschema:scan-report -->";
 const defaultApiUrl = "https://api.github.com";
+const packageJsonPath = fileURLToPath(new URL("../../package.json", import.meta.url));
 
 export function validateExactVersion(version) {
   if (typeof version !== "string" || !isExactVersion(version)) {
-    throw new Error(
-      `invalid supaschema version: ${version} (use an exact npm version, e.g. 0.3.0)`
-    );
+    throw new Error(`invalid supaschema version: ${version} (use an exact npm version)`);
   }
   return version;
 }
 
+export function readPackageVersion(readFile = readFileSync) {
+  const packageJson = JSON.parse(readFile(packageJsonPath, "utf8"));
+  return validateExactVersion(packageJson.version);
+}
+
+export function resolveActionVersion(version, readFile = readFileSync) {
+  if (version === undefined || version.length === 0) {
+    return readPackageVersion(readFile);
+  }
+  return validateExactVersion(version);
+}
+
 function isExactVersion(version) {
   const plusParts = version.split("+");
   if (plusParts.length > 2) {
@@ -106,7 +117,7 @@ export async function runAction({
   platform = process.platform,
   spawnImpl = spawn,
 } = {}) {
-  const version = validateExactVersion(env.SUPASCHEMA_ACTION_VERSION);
+  const version = resolveActionVersion(env.SUPASCHEMA_ACTION_VERSION, readFile);
   const argv = parseActionArgv(env.SUPASCHEMA_ACTION_ARGV);
   const command = npxCommand(platform);
   const args = buildNpxArgs(version, argv);

scripts/guards/check-release-version-surfaces.mjs

@@ -30,12 +30,13 @@ const action = parseYaml(actionText);
 const actionVersionInput = action?.inputs?.version;
 assert(actionVersionInput, "action.yml must declare inputs.version");
 assert(
-  actionVersionInput.default === version,
-  `action.yml inputs.version.default must match package.json version ${version}`
+  actionVersionInput.default === undefined,
+  "action.yml inputs.version.default must stay unset; the runner defaults from package.json"
 );
 assert(
   typeof actionVersionInput.description === "string" &&
-    actionVersionInput.description.includes("Exact supaschema npm version"),
+    actionVersionInput.description.includes("Exact supaschema npm version") &&
+    actionVersionInput.description.includes("package.json version"),
   "action.yml inputs.version.description must require an exact supaschema npm version"
 );
 assert(
@@ -48,8 +49,13 @@ assert(
   "supaschema action runner version validation must tell users to use an exact npm version"
 );
 assert(
-  actionRunnerText.includes(`e.g. ${version}`),
-  `supaschema action runner exact-version example must use package.json version ${version}`
+  actionRunnerText.includes("../../package.json") &&
+    actionRunnerText.includes("resolveActionVersion"),
+  "supaschema action runner must default the action version from package.json"
+);
+assert(
+  !actionRunnerText.includes(`e.g. ${version}`),
+  "supaschema action runner must not duplicate package.json version in validation text"
 );
 assert(
   !actionRunnerText.includes("latest|next"),

tests/action.test.ts

@@ -9,25 +9,32 @@ import {
   parseScanReport,
   publishActionReport,
   renderActionScanMarkdown,
+  resolveActionVersion,
   runAction,
   validateExactVersion,
 } from "../scripts/actions/run-supaschema-action.mjs";
 
 const githubExpression = (name: string) => `${"$"}{{ ${name} }}`;
 const shellParameter = (name: string) => `${"$"}{${name}}`;
+const explicitVersion = "1.2.3";
 
 describe("composite action", () => {
-  it("defaults to the pinned package version, not an npm dist-tag", () => {
+  it("defaults to package.json version, not an action metadata literal or npm dist-tag", () => {
     const root = resolve(import.meta.dirname, "..");
     const action = readFileSync(resolve(root, "action.yml"), "utf8");
     const actionRunner = readFileSync(
       resolve(root, "scripts/actions/run-supaschema-action.mjs"),
       "utf8"
     );
     const packageJson = JSON.parse(readFileSync(resolve(root, "package.json"), "utf8"));
+    const actionMetadata = parse(action);
 
-    expect(action).toContain(`default: "${packageJson.version}"`);
+    expect(actionMetadata.inputs?.version?.default).toBeUndefined();
+    expect(resolveActionVersion(undefined)).toBe(packageJson.version);
+    expect(resolveActionVersion("")).toBe(packageJson.version);
     expect(actionRunner).toContain("use an exact npm version");
+    expect(actionRunner).toContain("../../package.json");
+    expect(actionRunner).not.toContain(`e.g. ${packageJson.version}`);
     expect(action).not.toContain("default: latest");
     expect(action).not.toContain("latest|next");
   });
@@ -73,9 +80,9 @@ describe("composite action", () => {
       "--fail-on-diff",
       "--quiet",
     ]);
-    expect(buildNpxArgs("0.2.3", ["diff", "--fail-on-diff", "--quiet"])).toEqual([
+    expect(buildNpxArgs(explicitVersion, ["diff", "--fail-on-diff", "--quiet"])).toEqual([
       "--yes",
-      "supaschema@0.2.3",
+      `supaschema@${explicitVersion}`,
       "diff",
       "--fail-on-diff",
       "--quiet",
@@ -112,7 +119,7 @@ describe("composite action", () => {
     const code = await runAction({
       env: {
         SUPASCHEMA_ACTION_ARGV: '["sync","--target","remote"]',
-        SUPASCHEMA_ACTION_VERSION: "0.2.4",
+        SUPASCHEMA_ACTION_VERSION: explicitVersion,
       },
       platform: "linux",
       spawnImpl,
@@ -122,16 +129,60 @@ describe("composite action", () => {
     expect(captured?.args).toEqual([
       "npx",
       "--yes",
-      "supaschema@0.2.4",
+      `supaschema@${explicitVersion}`,
       "sync",
       "--target",
       "remote",
     ]);
     expect(captured?.options.shell).toBe(false);
-    expect(captured?.env?.SUPASCHEMA_ACTION_VERSION).toBe("0.2.4");
+    expect(captured?.env?.SUPASCHEMA_ACTION_VERSION).toBe(explicitVersion);
     expect(captured?.env?.SUPASCHEMA_REMOTE_SYNC_APPROVED).toBeUndefined();
   });
 
+  it("uses package.json version when action version input is omitted", async () => {
+    const packageJson = JSON.parse(
+      readFileSync(resolve(import.meta.dirname, "..", "package.json"), "utf8")
+    );
+    let captured:
+      | {
+          args: string[];
+          options: { shell?: boolean };
+        }
+      | undefined;
+    const spawnImpl = (
+      command: string,
+      args: string[],
+      options: { env?: NodeJS.ProcessEnv; shell?: boolean }
+    ) => {
+      captured = { args: [command, ...args], options };
+      return {
+        on(event: string, handler: (code: number) => void) {
+          if (event === "exit") {
+            queueMicrotask(() => handler(0));
+          }
+          return this;
+        },
+      };
+    };
+
+    const code = await runAction({
+      env: {
+        SUPASCHEMA_ACTION_ARGV: '["--version"]',
+      },
+      platform: "linux",
+      spawnImpl,
+    });
+
+    expect(code).toBe(0);
+    expect(captured?.args).toEqual([
+      "npx",
+      "--yes",
+      `supaschema@${packageJson.version}`,
+      "--version",
+    ]);
+    expect(captured?.options.shell).toBe(false);
+  });
+
   it("renders a scan report for GitHub surfaces", () => {
     const report = scanReport();
     const parsed = parseScanReport(JSON.stringify(report));