feat: add opt-in dry_run input to skip commit/apply#9

Merged: hisco merged 1 commit into main from dry-run-support, May 18, 2026
@hisco hisco commented May 18, 2026

Summary

Adds a new dry_run boolean input (default 'false') to gate the two terminal mutation steps:

  • Commit changes for GitOps (skyhook-io/git-sync-commit@v1) - now if: mode == 'gitops' && inputs.dry_run != 'true'
  • Apply with kubectl (skyhook-io/kustomize-apply@v1) - now if: mode == 'kubectl' && inputs.dry_run != 'true'

Adds a new Dry-run notice step that fires when dry_run == 'true' and logs to stdout which terminal step was skipped plus the inputs it would have received. The existing Deployment plan summary step (unchanged) already runs kustomize build and echoes the rendered manifests on every invocation, so dry-run users see the same plan output as a real run, just without the commit/apply.

All pre-deploy steps (Resolve image inputs, Update kustomize manifests, Inspect, Detect GitOps mode, Set deployment mode, Deployment context, Deployment plan summary) run unchanged - that is the point: verify what would deploy.

Use case: rehearsal / preview runs. Image build + push (cheap, reusable) happens at the caller workflow level; this action stops short of the GitOps commit or kubectl apply so users can validate the planned deployment without prod blast radius.

Example Dry-run notice output (GitOps mode)

==================================================
🔍 DRY RUN - deploy step skipped
==================================================
Skipped: Commit changes for GitOps (skyhook-io/git-sync-commit@v1)
  path: .
  commit_message: Deploy radar-hub to staging [skip ci]
  file_pattern: deploy/overlays/staging/*
==================================================

Security hardening

The Dry-run notice step passes all values via env: block ($VAR references in the shell) rather than ${{ }} interpolation into the run: body. Prevents GitHub Actions script injection through operator-supplied fields such as commit_message.

Backwards compatibility

  • New input defaults to 'false'. Callers that omit it get current behavior bit-for-bit identical.
  • The modified if: conditions collapse to the original predicate when dry_run is unset ('false' != 'true' is true, so && inputs.dry_run != 'true' is a no-op).
  • The new Dry-run notice step is gated by if: inputs.dry_run == 'true' and never fires for default callers.
  • No output channels changed; existing outputs (mode, namespace, deployment, workloads_json, managed_by) unchanged.
  • @v1 major-version tag remains additive-only.

Coordination with open PRs

Test plan

  • Caller invokes with dry_run: true in GitOps mode → Commit changes for GitOps skips, Dry-run notice logs the skipped step + would-have-been inputs, deploy repo gets no commit
  • Caller invokes with dry_run: true in kubectl mode → Apply with kubectl skips, Dry-run notice logs the skipped step + would-have-been inputs, no kubectl apply against the cluster
  • Caller invokes with dry_run: false (or omitted) → behavior identical to current @v1
  • commit_message containing shell metacharacters (e.g. "; echo PWNED; #) in a dry-run → printed as a literal string, no injection
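
The difference described under Security hardening, as an added example that is not part of the PR or the action's code: a small shell model of the two ways a value can reach a run: script, using the metacharacter string from the test plan. The function names and the COMMIT_MESSAGE variable are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: models how a runner turns a run: body into a shell script.
# Function names and COMMIT_MESSAGE are assumptions, not the action's code.

# Constructed input: the metacharacter string from the PR's test plan.
payload='"; echo PWNED; #'

# Models ${{ inputs.commit_message }} inside run: the value is pasted
# into the script text BEFORE the shell parses it, so its quote ends
# the string and the remainder is parsed as commands.
run_interpolated() {
  script="echo \"  commit_message: $1\""
  sh -c "$script" 2>&1
}

# Models an env: entry plus "$COMMIT_MESSAGE" in run: the script text
# is fixed; the value arrives as data in the environment and is only
# expanded inside double quotes, so it prints as a literal string.
run_env() {
  script='echo "  commit_message: $COMMIT_MESSAGE"'
  COMMIT_MESSAGE="$1" sh -c "$script" 2>&1
}

# Review aid: count lines of a run: body (read from stdin) that still
# contain a ${{ ... }} expression and so deserve a second look.
count_inline_expressions() {
  grep -c -F '${{' || true
}

printf 'interpolated:\n%s\n' "$(run_interpolated "$payload")"
printf 'env:\n%s\n' "$(run_env "$payload")"
```
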

@hisco hisco force-pushed the dry-run-support branch from 857efe0 to 9c96e14 Compare May 18, 2026 09:07
@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Reviewed by Cursor Bugbot for commit 9c96e14. Configure here.

Comment thread action.yml
else
echo "Skipped: deploy step (mode=${{ steps.mode.outputs.mode }})"
fi
echo "==================================================" No newline at end of file
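
Review bot: the else branch still expands ${{ steps.mode.outputs.mode }} directly inside the run: body, which does not match the description's statement that the Dry-run notice step passes all values through env:. The value is a step output rather than an operator-supplied field, but for consistency with the hardening it would be cleaner to map it to an env: entry (for example a variable named MODE, a name assumed here) and echo "$MODE" instead. The file also ends without a trailing newline, which is worth fixing in the same change.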
Dry-run step writes to stdout, not step summary

Medium Severity

The PR description and test plan explicitly state that the dry-run step writes to $GITHUB_STEP_SUMMARY for review in the run UI, and includes the full kustomize build output. However, the implementation only uses echo to stdout — GITHUB_STEP_SUMMARY appears nowhere in the file. The dry-run output will be buried in action logs instead of being surfaced in the GitHub step summary panel, which defeats the stated purpose of the feature. The kustomize build output mentioned in the description is also absent.

When dry_run=true, the action runs validation, image resolution, manifest
render, and GitOps-mode detection end-to-end but skips the two terminal
mutation steps (git-sync-commit for GitOps mode, kustomize-apply for
kubectl mode). New Dry-run summary step renders the manifests into
$GITHUB_STEP_SUMMARY for review.

Default 'false'; absent input = current behavior bit-for-bit.
@hisco hisco force-pushed the dry-run-support branch from 9c96e14 to 1d30731 Compare May 18, 2026 09:20
@hisco hisco merged commit 7cf8cc7 into main May 18, 2026
1 check passed
@github-actions
🎉 This PR is included in version 1.13.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
