Add reusable GitHub Actions for setup and validation

[jorgenosberg]

Summary

• Adds action/setup composite action to download, SHA256-verify, and cache the oav binary
• Adds action/validate composite action wrapping oav init + oav validate with input mapping, step summary, and artifact upload
• Adds test-action.yml CI workflow to dogfood both actions against test fixtures
• Adds update-action-tag release job to auto-update the major version tag on each release
• Documents GitHub Action usage in README with examples, inputs, and outputs

Design notes

• Composite actions (not container actions) since oav runs Docker on the host
• Validate action assumes oav is already on $PATH — callers use setup + validate as separate steps. This avoids a circular remote uses: reference that would break before the first tagged release.
• Shell scripts invoked via bash "${{ github.action_path }}/script.sh" so execution doesn't depend on the file permission bit

Test plan

• shellcheck passes on all scripts (verified locally)
• test-action.yml runs on this PR and validates setup, pass, and failure scenarios
• Manual test from an external repo using uses: entur/openapi-validator-cli/action/validate@feat/github-action

Closes #41

[Copilot]

Pull request overview

This pull request adds reusable GitHub Actions for setting up and validating OpenAPI specifications using the oav CLI tool. It introduces two composite actions (setup and validate), adds a CI workflow to test them, enhances the release workflow to maintain action version tags, and documents the new GitHub Actions usage in the README.

Changes:

• Added composite actions for installing oav binary (with SHA256 verification and caching) and running validation workflows
• Added test-action.yml workflow to verify action functionality with passing and failing test cases
• Added update-action-tag job to automatically update major version tag (e.g., v1) on each release for easier action consumption

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
action/setup/action.yml	Composite action that resolves version/platform, caches binary, and installs oav
action/setup/install.sh	Downloads, verifies checksum, and installs the oav binary to PATH
action/validate/action.yml	Composite action that runs oav validate, generates step summary, uploads reports, and sets exit code
action/validate/validate.sh	Builds and executes oav init/validate commands with input mapping and output parsing
action/validate/summary.sh	Generates GitHub step summary table from status.tsv
.github/workflows/test-action.yml	CI workflow testing setup and validation actions with valid/invalid fixtures
.github/workflows/release.yml	Adds update-action-tag job to maintain major version tags for actions
README.md	Documents GitHub Action usage with examples, inputs, and outputs

Comments suppressed due to low confidence (3)

action/validate/validate.sh:11

• When init_args is an empty array and set -u is enabled (line 2), the expansion "${init_args[@]}" in the command can fail with "unbound variable" error in some bash versions. This is a well-known bash gotcha. Use "${init_args[@]+"${init_args[@]}"}" or check if the array has elements before expanding it to avoid this issue.

oav init "${init_args[@]}" 2>&1 || true

action/setup/install.sh:26

• The install script only checks for sha256sum (line 26), which is typically available on Linux but not on macOS. The main install.sh script (lines 76-79) handles both sha256sum and shasum for cross-platform compatibility. This action should also support macOS runners since the setup action detects and handles Darwin platforms (action.yml lines 41-44). Add a fallback to use shasum on macOS.

  (cd "$tmpdir" && sha256sum -c "$sha_asset")

action/setup/install.sh:7

• The fallback path when RUNNER_TOOL_CACHE is not set ($HOME/.oav/bin) differs from the cache key path (runner.tool_cache) in action.yml line 59. If RUNNER_TOOL_CACHE is undefined, the install directory becomes "$HOME/.oav/bin/oav/${version}", but the cache is looking for "${runner.tool_cache}/oav/${version}". This mismatch means the cache will not function correctly when RUNNER_TOOL_CACHE is not set. Either use a consistent fallback or ensure RUNNER_TOOL_CACHE is always available in GitHub Actions (which it should be).

install_dir="${RUNNER_TOOL_CACHE:-$HOME/.oav/bin}/oav/${version}"

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The git configuration is missing before executing git commands. The update-formula job (lines 168-169) sets git user.name and user.email before using git commands, but this job does not. Without git config, the git tag and git push commands may fail depending on the runner environment.

Suggested change

	major="v$(echo "$version" | cut -d. -f1)"
	major="v$(echo "$version" | cut -d. -f1)"
	git config user.name "github-actions[bot]"
	git config user.email "41898282+github-actions[bot]@users.noreply.github.com"