
Add vu1nz-scan sample action package #436

Open
Copilot wants to merge 2 commits into master from copilot/add-sample-action-package-vu1nz-scan

Conversation

Contributor

Copilot AI commented May 25, 2026

Implements the MVP vu1nz-scan action package as specified in the PRD (issue #422), adding a JSON manifest format alongside the existing YAML-based catalog format, a workflows/ subdirectory structure, and a new registry index.

New files

  • packages/actions/vu1nz-scan/sh1pt.action.json — JSON manifest (name, publisher, type, version, files, permissions, thirdPartyActions, trustLevel, recommendedInstallMode) per the PRD's sh1pt.action format
  • packages/actions/vu1nz-scan/workflows/vu1nz-scan.yml — Workflow template in the workflows/ subdirectory; MVP stub that wires up permissions (contents: read, security-events: write) and checkout
  • packages/registry/actions.json — New top-level registry index listing available action packages; currently contains the single vu1nz-scan entry pointing at its manifest path

Registry entry format

[
  {
    "name": "vu1nz-scan",
    "publisher": "profullstack",
    "version": "0.1.0",
    "description": "Adds vu1nz security scanning to GitHub Actions.",
    "trustLevel": "verified",
    "category": "security",
    "path": "packages/actions/vu1nz-scan/sh1pt.action.json"
  }
]

The existing sh1pt.actionpack.yaml-based catalog and all existing tests are unaffected.

@alwaysmeticulous

Meticulous was unable to execute a test run for this PR because the most recent commit is associated with multiple PRs. To execute a test run, please try pushing up a new commit that is only associated with this PR.

Last updated for commit f53ffb3. This comment will update as new commits are pushed.

Copilot AI linked an issue May 25, 2026 that may be closed by this pull request
Copilot AI changed the title from "[WIP] Add MVP sample action package vu1nz-scan" to "Add vu1nz-scan sample action package" May 25, 2026
Copilot AI requested a review from ralyodio May 25, 2026 19:15
@ralyodio ralyodio marked this pull request as ready for review May 25, 2026 20:16
@github-actions

vu1nz Security Review

0 finding(s) in PR #?

No security issues found.

@greptile-apps
Contributor

greptile-apps Bot commented May 25, 2026

Greptile Summary

This PR adds a new JSON-format manifest (sh1pt.action.json) and a stub workflow template for the vu1nz-scan package, alongside a new packages/registry/actions.json registry index. The existing YAML-based catalog and tests are untouched.

  • sh1pt.action.json: Introduces the new manifest format; the secrets array is empty despite the implementation requiring ENV_FILE/ANTHROPIC_API_KEY, and the declared version (0.1.0) conflicts with the YAML manifest's 1.0.0 in the same directory.
  • workflows/vu1nz-scan.yml: Stub template wired to security-events: write; the scan step is a placeholder echo, and the workflow adds push triggers on main/master that are absent from — and inconsistent with — the existing workflow.yml which is pull_request-only.
  • packages/registry/actions.json: Clean new registry index with one entry pointing at the JSON manifest path.

Confidence Score: 3/5

The new JSON manifest and stub workflow can be merged as a skeleton, but two issues should be resolved before the package is usable: the empty secrets array means installations will miss the required ANTHROPIC_API_KEY credential, and the push-to-main trigger will fire spurious scans with no PR context on every merge.

The secrets field being empty in the JSON manifest is a functional gap — any consumer installing via this manifest won't be prompted to provision ENV_FILE, so the eventual real scan step will fail silently on first use. The push trigger on main/master diverges from the established PR-only pattern and will cause the workflow to run on every merge commit with no actionable PR number.

packages/actions/vu1nz-scan/sh1pt.action.json (empty secrets, version mismatch, unpinned action) and packages/actions/vu1nz-scan/workflows/vu1nz-scan.yml (push trigger on main/master) need attention before the package is distributed.

Security Review

  • Supply-chain pinning: sh1pt.action.json declares "pinned": false for actions/checkout@v4, explicitly opting out of commit-SHA pinning. A tag-based reference is mutable and vulnerable to tag-replacement attacks.

Important Files Changed

Filename: Overview
packages/actions/vu1nz-scan/sh1pt.action.json: New JSON manifest for vu1nz-scan; version (0.1.0) conflicts with the YAML manifest (1.0.0), the secrets array is empty despite the existing implementation requiring ENV_FILE, and actions/checkout@v4 is explicitly marked as unpinned.
packages/actions/vu1nz-scan/workflows/vu1nz-scan.yml: MVP stub workflow template; adds an unintended push trigger on main/master branches absent from the existing workflow.yml, and the scan step is a placeholder echo that produces no actual scanning.
packages/registry/actions.json: New registry index with a single vu1nz-scan entry; format and path reference look correct, though the version (0.1.0) diverges from the YAML manifest's 1.0.0.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[User installs vu1nz-scan] --> B{Format}
    B -->|YAML: sh1pt.actionpack.yaml| C[workflow.yml\nFull implementation\nPR-only trigger\npull-requests:write]
    B -->|JSON: sh1pt.action.json| D[workflows/vu1nz-scan.yml\nMVP stub\npush+PR triggers\nsecurity-events:write]
    D --> E[Installs into .github/workflows/vu1nz-scan.yml]
    C --> E
    E --> F{Trigger}
    F -->|pull_request| G[Scan PR]
    F -->|push to main/master| H[Scan merge - no PR context]
    G --> I{Manifest source}
    I -->|YAML path| J[Full vu1nz scan + PR comment]
    I -->|JSON path| K[echo TODO - no scan]

Reviews (1): Last reviewed commit: "Add vu1nz-scan action package: sh1pt.act..."
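A manifest lint in the spirit of the Security Review findings above (empty secrets array, "pinned": false on a tag reference, plus the related case of "pinned": true on a reference that is still a tag). This is an added example, not code from the repository or from Greptile; it uses only the manifest keys visible in this PR, and the sample manifest with its two extra thirdPartyActions entries is constructed.

```python
import json
import re

# Constructed sample in the sh1pt.action.json shape shown in the PR. Only the
# keys visible there (version, permissions, secrets, thirdPartyActions with
# uses/pinned/trusted) are used; the second and third entries are made up.
SAMPLE_MANIFEST = json.dumps({
    "name": "vu1nz-scan",
    "publisher": "profullstack",
    "type": "github-action",
    "version": "0.1.0",
    "permissions": {"contents": "read", "security-events": "write"},
    "secrets": [],
    "thirdPartyActions": [
        {"uses": "actions/checkout@v4", "pinned": False, "trusted": True},
        {"uses": "actions/checkout@v4", "pinned": True, "trusted": True},
        {"uses": "example/action@0123456789abcdef0123456789abcdef01234567",
         "pinned": True, "trusted": True},
    ],
})

# A full 40-hex commit SHA is the only immutable reference; tags and branches move.
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")


def lint_manifest(text: str) -> list[str]:
    """Return one finding per weak setting in a sh1pt.action.json document."""
    manifest = json.loads(text)
    findings = []
    if not manifest.get("secrets"):
        findings.append("secrets: empty, so required credentials are never provisioned")
    for action in manifest.get("thirdPartyActions", []):
        uses = action.get("uses", "")
        ref = uses.rsplit("@", 1)[1] if "@" in uses else ""
        if not action.get("pinned"):
            findings.append(f"{uses}: pinned=false, tag reference is mutable")
        elif not COMMIT_SHA.match(ref):
            # pinned:true means nothing unless the reference itself is a commit SHA
            findings.append(f"{uses}: pinned=true but reference is not a commit SHA")
    return findings


if __name__ == "__main__":
    for line in lint_manifest(SAMPLE_MANIFEST):
        print(line)
```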

Comment on lines +3 to +8
on:
push:
branches:
- main
- master
pull_request:

P1 Push trigger on main/master is inconsistent with existing behavior

The existing workflow.yml (used by sh1pt.actionpack.yaml) only fires on pull_request, which makes sense for a PR-focused security scanner. Adding push triggers on main and master means this workflow will also fire on every merge commit, producing scans with no open PR context. That will generate unnecessary CI runs (and SARIF uploads) on every merge, which diverges from the established pattern and from how the vu1nz tool is designed to be used.

"contents": "read",
"security-events": "write"
},
"secrets": [],

P1 secrets array is empty, but the real implementation requires ENV_FILE

The existing sh1pt.actionpack.yaml for this same package declares ENV_FILE (containing ANTHROPIC_API_KEY) as a required secret. The new JSON manifest leaves "secrets": [], so any consumer resolving dependencies from this manifest won't know to provision that secret before installing the workflow template. When the stub is replaced with the real scan step, installs done against this manifest will silently miss the required credential.

Suggested change
"secrets": [],
"secrets": [
{
"name": "ENV_FILE",
"description": "Env-file formatted secret containing ANTHROPIC_API_KEY.",
"required": true
}
],

Comment on lines +21 to +25
{
"uses": "actions/checkout@v4",
"pinned": false,
"trusted": true
}

P2 security pinned: false explicitly opts out of action pinning

Supply-chain security best practice is to pin third-party actions to a full commit SHA. Explicitly setting "pinned": false signals to any tooling that processes this manifest that pinning is not required, making it easier for a compromised tag (v4) to affect consumers.

Suggested change
{
"uses": "actions/checkout@v4",
"pinned": false,
"trusted": true
}
{
"uses": "actions/checkout@v4",
"pinned": true,
"trusted": true
}
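Review bot: the suggested change flips "pinned" to true but leaves "uses": "actions/checkout@v4" as a tag reference, so the manifest would declare a pin it does not actually have. The reference itself needs to become a full commit SHA (for example "uses": "actions/checkout@<40-hex-commit-sha>", placeholder), and "pinned": true should be set only once that is done; otherwise tooling that trusts the flag will skip the very check this field is meant to express.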

"name": "vu1nz-scan",
"publisher": "profullstack",
"type": "github-action",
"version": "0.1.0",

P2 Version mismatch between the two manifests for the same package

sh1pt.action.json declares "version": "0.1.0" while sh1pt.actionpack.yaml in the same directory declares version: 1.0.0. The registry entry in actions.json also uses 0.1.0. Having two different canonical versions for the same package in the same directory will confuse any tooling that inspects both files to determine the installed version.

Suggested change
"version": "0.1.0",
"version": "1.0.0",
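Review bot: the suggestion bumps only the manifest, while packages/registry/actions.json in this same PR carries "version": "0.1.0" for the identical package. Both values should change in one commit, otherwise the registry index will advertise a version that the manifest it points at no longer declares.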


Development

Successfully merging this pull request may close these issues.

Add sample action package: vu1nz-scan
