Add jbangdev/setup-jbang action with tag v0.1.1#806
Conversation
Signed-off-by: Tiago Bento <1584568+tiagobento@users.noreply.github.com>
|
@tiagobento thanks for the PR. Heads up: I ran curl -Ls https://sh.jbang.dev | bash -s - app setup…and the equivalent The good news is that upstream I've opened an issue with a concrete proposal: jbangdev/setup-jbang#16. Could you support it there and add a comment saying you'd like to use this from ASF infra? An ack from a real downstream consumer would help nudge it along. Until verification lands upstream we can't approve this action — but it should be a quick fix once they pick a mechanism (sha256sum, gpg --verify, or sigstore are all accepted). |
|
Thanks @potiuk! In the mean time, is it okay if I install a specific version manually and perform the checksums myself, in a temporary custom action? I can tag you in the PR where I do it, so that you can advise on best practices. |
Sure. No need to tag me. |
Add a repo-scoped Claude Code skill at .claude/skills/analyze-action-pr/ that triages allowlist PRs end-to-end: extract action refs via verify-action-build --from-pr, classify each finding (pipe-to-shell, unverified-download, nested-action-issue, verify-script-bug, all-clean), look up what verification material upstream already publishes, and draft the right next moves — recommend approval, open an upstream issue + ping the PR author, or fix verify-action-build itself with a regression test. Includes an "Improve this skill" step so future runs that hit a new shape (false positive, novel verification mechanism, asset-naming convention) leave the skill better than they found it: the SKILL.md grows by a row in the case table or a line in the precedents table, not by re-deriving the analysis. The skill encodes shapes recently triaged: PR apache#795 / apache#798 (TS-generic regex hole), PR apache#802 (carabiner-dev nested install actions), PR apache#803 / apache#804 (multi-action extraction), PR apache#806 (jbangdev pipe-to-shell). Replace the broad .claude/ rule in .gitignore with specific entries for personal state (settings*.json, worktrees/, debug/) so .claude/ itself can host shared assets without leaking per-user files.
Add a repo-scoped Claude Code skill at .claude/skills/analyze-action-pr/ that triages allowlist PRs end-to-end: extract action refs via verify-action-build --from-pr, classify each finding (pipe-to-shell, unverified-download, nested-action-issue, verify-script-bug, all-clean), look up what verification material upstream already publishes, and draft the right next moves — recommend approval, open an upstream issue + ping the PR author, or fix verify-action-build itself with a regression test. Includes an "Improve this skill" step so future runs that hit a new shape (false positive, novel verification mechanism, asset-naming convention) leave the skill better than they found it: the SKILL.md grows by a row in the case table or a line in the precedents table, not by re-deriving the analysis. The skill encodes shapes recently triaged: PR apache#795 / apache#798 (TS-generic regex hole), PR apache#802 (carabiner-dev nested install actions), PR apache#803 / apache#804 (multi-action extraction), PR apache#806 (jbangdev pipe-to-shell). Replace the broad .claude/ rule in .gitignore with specific entries for personal state (settings*.json, worktrees/, debug/) so .claude/ itself can host shared assets without leaking per-user files.
2 participants
Why this action is needed for your project
A new CI / PR checks system introduced in KIE (apache/incubator-kie-drools@eaed278) needs to run some scripts in order to produce efficient build partitioning for Maven builds. JBang was selected because it doesn't require any additional tooling for developers to install.
Any alternatives you've considered
Installing JBang manually but I would just be duplicating what the action already does. See manual installation instructions here. And the action's code here.
Any security concerns you've identified
None.
jbagdevis the official organization of the JBang project in GitHub.