Fully support sha pinning + remove docker from runtime.

.github/workflows/codeowners.yml

@@ -25,11 +25,6 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: 'Update action.yml to build locally'
-        run: |
-          sed -i "s/image: .*/image: 'Dockerfile'/" action.yml
-          cat action.yml
-
       - name: 'Codeowners Plus'
         id: codeowners-plus
         uses: ./

.github/workflows/go.yml

@@ -21,7 +21,7 @@ jobs:
     - name: 'Set up Go'
       uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
       with:
-        go-version: '1.26'
+        go-version-file: go.mod
 
     - name: 'Build'
       run: go build -v ./...
@@ -37,7 +37,7 @@ jobs:
     - name: 'Set up Go'
       uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
       with:
-        go-version: '1.26'
+        go-version-file: go.mod
 
     - name: 'Golangci-lint'
       uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0

.github/workflows/goreleaser.yml

@@ -2,19 +2,15 @@ name: goreleaser
 
 on:
   release:
-    types: [draft, published]
+    types: [draft]
 
 permissions: {}
 
-env:
-  DOCKER_BUILDKIT: 1
-
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
     permissions:
       contents: write
-      packages: write
 
     steps:
       - name: Checkout
@@ -25,7 +21,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
-          go-version: 1.26
+          go-version-file: go.mod
 
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7

action.yml

@@ -27,7 +27,88 @@ inputs:
 outputs:
   data:
     description: 'JSON string containing all the codeowners data (success, message, file-owners, file-optional, still-required)'
+    value: ${{ steps.run.outputs.data }}
 
 runs:
-  using: 'docker'
-  image: 'docker://ghcr.io/multimediallc/codeowners-plus:latest'
+  using: 'composite'
+  steps:
+    - name: 'Resolve codeowners-plus binary'
+      id: resolve
+      shell: bash
+      env:
+        # The release tag this commit belongs to. Non-empty only in release
+        # commits: set by scripts/prepare-release.sh and cleared by
+        # scripts/post-release.sh. When set, the action downloads that
+        # release's prebuilt binary; when empty (any non-release ref) it
+        # builds from the checked-out source.
+        RELEASE_VERSION: ''
+      run: |
+        set -euo pipefail
+        {
+          echo "release-version=${RELEASE_VERSION}"
+          echo "bin=${RUNNER_TEMP:-/tmp}/codeowners-plus-action/codeowners-plus"
+        } >>"$GITHUB_OUTPUT"
+
+    # RELEASE_VERSION not set -> not a release: build from source (cached).
+    - name: 'Restore cached built binary'
+      id: buildcache
+      if: steps.resolve.outputs.release-version == ''
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+      with:
+        path: ${{ steps.resolve.outputs.bin }}
+        key: codeowners-plus-build-${{ github.action_ref || github.sha }}-${{ runner.os }}-${{ runner.arch }}
+
+    - name: 'Set up Go'
+      if: steps.resolve.outputs.release-version == '' && steps.buildcache.outputs.cache-hit != 'true'
+      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+      with:
+        go-version-file: ${{ github.action_path }}/go.mod
+        cache-dependency-path: ${{ github.action_path }}/go.sum
+
+    - name: 'Build codeowners-plus from source'
+      if: steps.resolve.outputs.release-version == '' && steps.buildcache.outputs.cache-hit != 'true'
+      shell: bash
+      env:
+        ACTION_PATH: ${{ github.action_path }}
+        BIN: ${{ steps.resolve.outputs.bin }}
+      run: |
+        set -euo pipefail
+        mkdir -p "$(dirname "${BIN}")"
+        cd "${ACTION_PATH}"
+        CGO_ENABLED=0 \
+          go build -trimpath -buildvcs=false -ldflags="-s -w" -o "${BIN}" .
+
+    # RELEASE_VERSION set -> a release: download + verify the prebuilt binary (cached).
+    - name: 'Restore cached release binary'
+      id: bincache
+      if: steps.resolve.outputs.release-version != ''
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+      with:
+        path: ${{ steps.resolve.outputs.bin }}
+        key: codeowners-plus-action-${{ steps.resolve.outputs.release-version }}-${{ runner.os }}-${{ runner.arch }}
+
+    - name: 'Download codeowners-plus release binary'
+      if: steps.resolve.outputs.release-version != '' && steps.bincache.outputs.cache-hit != 'true'
+      shell: bash
+      env:
+        REPO: ${{ github.action_repository }}
+        ACTION_PATH: ${{ github.action_path }}
+        TAG: ${{ steps.resolve.outputs.release-version }}
+        BIN: ${{ steps.resolve.outputs.bin }}
+      run: '"${ACTION_PATH}/scripts/install-action.sh"'
+
+    - name: 'Run codeowners-plus'
+      id: run
+      shell: bash
+      env:
+        # The hyphenated INPUT_GITHUB-TOKEN name is intentional: it mirrors
+        # what Docker actions export and is exactly what main.go reads via
+        # os.LookupEnv. Bash passes non-identifier env vars through to child
+        # processes untouched.
+        INPUT_GITHUB-TOKEN: ${{ inputs.github-token }}
+        INPUT_PR: ${{ inputs.pr }}
+        INPUT_REPOSITORY: ${{ inputs.repository }}
+        INPUT_VERBOSE: ${{ inputs.verbose }}
+        INPUT_QUIET: ${{ inputs.quiet }}
+        BIN: ${{ steps.resolve.outputs.bin }}
+      run: '"${BIN}"'

go.mod

@@ -2,6 +2,8 @@ module github.com/multimediallc/codeowners-plus
 
 go 1.25.0
 
+toolchain go1.26.4
+
 require (
 	github.com/bmatcuk/doublestar/v4 v4.10.0
 	github.com/boyter/gocodewalker v1.5.1

goreleaser.yml

@@ -23,15 +23,37 @@ builds:
     goarch:
       - amd64
       - arm64
+  # The binary the GitHub Action downloads and runs (root main.go).
+  - id: "action"
+    main: .
+    binary: codeowners-plus-action
+    env:
+      - CGO_ENABLED=0
+    ldflags:
+      - -s
+      - -w
+    goos:
+      - linux
+      - darwin
+    goarch:
+      - amd64
+      - arm64
 archives:
-  - name_template: >-
+  - id: "cli"
+    ids: ["cli"]
+    name_template: >-
       {{ .ProjectName }}_{{ .Version }}_{{ title .Os }}_
       {{- if eq .Arch "amd64" }}x86_64
       {{- else if eq .Arch "386" }}i386
       {{- else }}{{ .Arch }}{{ end }}
       {{- if .Arm }}v{{ .Arm }}{{ end -}}
     files:
       - none*
+  - id: "action"
+    ids: ["action"]
+    name_template: "codeowners-plus-action_{{ .Os }}_{{ .Arch }}"
+    files:
+      - none*
 checksum:
   name_template: 'checksums.txt'
 snapshot:

scripts/install-action.sh

@@ -0,0 +1,95 @@
+#! /usr/bin/env bash
+# Installs the prebuilt codeowners-plus binary for the current platform,
+# verified against the release's checksums.txt.
+#
+# Local use (all env vars optional):
+#   scripts/install-action.sh                          # latest release -> ./codeowners-plus
+#   VERSION=v1.9.1 scripts/install-action.sh           # a specific release
+#   BIN=/usr/local/bin/codeowners-plus scripts/install-action.sh
+#   curl -fsSL https://raw.githubusercontent.com/multimediallc/codeowners-plus/main/scripts/install-action.sh | bash
+#
+# Overrides: REPO, VERSION (or TAG), OS, ARCH, BIN. action.yml passes
+# REPO/TAG/BIN; OS and ARCH are detected here so the script is self-contained.
+
+set -eu
+
+REPO="${REPO:-multimediallc/codeowners-plus}"
+BIN="${BIN:-./codeowners-plus}"
+TAG="${TAG:-${VERSION:-}}"
+
+# Detect OS unless overridden. Tokens match goreleaser's {{ .Os }}.
+OS="${OS:-}"
+if [ -z "${OS}" ]; then
+  case "$(uname -s)" in
+    Linux)  OS="linux" ;;
+    Darwin) OS="darwin" ;;
+    *)
+      echo "Error: unsupported OS '$(uname -s)' (supported: linux, darwin)." >&2
+      exit 1
+      ;;
+  esac
+fi
+
+# Detect ARCH unless overridden. Tokens match goreleaser's {{ .Arch }}.
+ARCH="${ARCH:-}"
+if [ -z "${ARCH}" ]; then
+  case "$(uname -m)" in
+    x86_64 | amd64)  ARCH="amd64" ;;
+    arm64 | aarch64) ARCH="arm64" ;;
+    *)
+      echo "Error: unsupported arch '$(uname -m)' (supported: amd64, arm64)." >&2
+      exit 1
+      ;;
+  esac
+fi
+
+# Default to the latest release when no version was requested.
+if [ -z "${TAG}" ]; then
+  TAG="$(curl -fsSL "https://api.github.com/repos/${REPO}/releases/latest" \
+    | awk -F'"' '/"tag_name":/ {print $4; exit}')"
+  if [ -z "${TAG}" ]; then
+    echo "Error: could not determine the latest release of ${REPO}." >&2
+    exit 1
+  fi
+fi
+
+asset="codeowners-plus-action_${OS}_${ARCH}.tar.gz"
+binname="codeowners-plus-action"
+base="https://github.com/${REPO}/releases/download/${TAG}"
+tmp="$(mktemp -d)"
+trap 'rm -rf "${tmp}"' EXIT
+
+echo "Downloading ${asset} from ${REPO} release ${TAG}" >&2
+curl -fsSL --retry 3 -o "${tmp}/${asset}" "${base}/${asset}"
+curl -fsSL --retry 3 -o "${tmp}/checksums.txt" "${base}/checksums.txt"
+
+echo "Verifying ${asset} against checksums.txt" >&2
+expected="$(awk -v a="${asset}" '$2 == a {print $1}' "${tmp}/checksums.txt")"
+if [ -z "${expected}" ]; then
+  echo "Error: ${asset} not found in checksums.txt" >&2
+  exit 1
+fi
+# Guard against a malformed digest: '<checker> -c' treats an improperly
+# formatted line as a skipped (passing) entry rather than a failure.
+if ! printf '%s' "${expected}" | grep -Eq '^[0-9a-f]{64}$'; then
+  echo "Error: invalid checksum for ${asset} in checksums.txt" >&2
+  exit 1
+fi
+# sha256sum is GNU coreutils (Linux); macOS only ships shasum.
+if command -v sha256sum >/dev/null 2>&1; then
+  verify=(sha256sum -c -)
+else
+  verify=(shasum -a 256 -c -)
+fi
+if ! echo "${expected}  ${tmp}/${asset}" | "${verify[@]}"; then
+  echo "Error: downloaded ${asset} does not match its release checksum" >&2
+  exit 1
+fi
+
+echo "Extracting ${binname} from ${asset}" >&2
+tar -xzf "${tmp}/${asset}" -C "${tmp}" "${binname}"
+
+mkdir -p "$(dirname "${BIN}")"
+mv "${tmp}/${binname}" "${BIN}"
+chmod +x "${BIN}"
+echo "Installed codeowners-plus ${TAG} to ${BIN}" >&2