fix(action): implement potential fixes for 4 code quality findings from GitHub#10

Merged: MFHellscapes merged 6 commits into main from ai-findings-autofix/action.js on Jun 13, 2026

Conversation

@ajhalili2006 (Member) commented Jun 13, 2026

This PR applies 4/5 suggestions from code quality AI findings. 1 suggestion was skipped to avoid creating conflicts.

Summary by CodeRabbit

  • Bug Fixes

    • Added defensive input validation with a warning and safe fallback for invalid values.
    • Improved secret decryption detection and masking so encrypted inputs are handled and reported correctly.
  • Chores

    • Simplified debug logging configuration to make debug output more consistent.

ajhalili2006 and others added 4 commits June 14, 2026 01:00
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Andrei Jiroh Halili <ajhalili2006@andreijiroh.dev>
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Andrei Jiroh Halili <ajhalili2006@andreijiroh.dev>
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Andrei Jiroh Halili <ajhalili2006@andreijiroh.dev>
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Andrei Jiroh Halili <ajhalili2006@andreijiroh.dev>
@coderabbitai (bot) commented Jun 13, 2026

Walkthrough

This PR tightens input validation for INPUT_INJECT_ENV_VARS, simplifies the options debug callback, and updates secrets loading to track pre- and post-decryption encrypted prefixes to refine decryption warnings and masking.

Changes

Secrets handling and input validation improvements

Input validation and logging cleanup (action.js): getBoolInputEnv now warns and falls back to false when INPUT_INJECT_ENV_VARS is set but not a recognized true/false string. The options debug logging group callback is changed from an async arrow to a non-async arrow.

Secrets decryption and masking logic (action.js): Secrets loaders use core.isDebug() for debug. The secrets loop computes separate encrypted-prefix flags for the pre-decryption (dotenvPlain) and decrypted (secretsTmp) values; decryption-failure warnings trigger only when the decrypted value still begins with encrypted:. core.setSecret is called only when the pre-decryption value looked encrypted but the decrypted value no longer does.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through dotenvx with care,
Watching prefixes hidden there.
Warnings whisper when inputs stray,
And secrets cloak the safer way.
A tiny hop, a careful patch — hooray!

🚥 Pre-merge checks: 4 passed, 1 failed

❌ Failed checks (1 warning)

Docstring Coverage (warning): Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Description Check: skipped because CodeRabbit's high-level summary is enabled.
Linked Issues check: skipped because no linked issues were found for this pull request.
Out of Scope Changes check: skipped because no linked issues were found for this pull request.
Title check: the title accurately reflects the main change: implementing fixes for code quality findings in action.js with defensive validation improvements and logging adjustments.

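The validation and masking rules summarized in the walkthrough above, written out as an added example so they can be run offline. This is not the project's action.js: the `core` object is a constructed stand-in for the subset of @actions/core the action uses (warning, setSecret, debug), the function names and the sample dotenv values are constructed for illustration, and the `typeof === "string"` guard on the prefix check is included so a missing or non-string value never throws.

```javascript
// Added example, not the project's action.js: the input-validation and
// secret-masking rules from the walkthrough, as pure functions that can be
// exercised offline. `core` is a constructed stand-in for the subset of
// @actions/core the action uses (warning, setSecret, debug); real code would
// require("@actions/core") instead.

const ENCRYPTED_PREFIX = "encrypted:";

// Records calls instead of emitting workflow commands, so results can be inspected.
function makeCoreStub() {
  const calls = { warnings: [], secrets: [], debug: [] };
  return {
    calls,
    warning: (msg) => calls.warnings.push(msg),
    setSecret: (value) => calls.secrets.push(value),
    debug: (msg) => calls.debug.push(msg),
  };
}

// Strict boolean parsing: only "true"/"false" (case-insensitive, trimmed) are
// accepted. A value that is set but unrecognized is reported and treated as
// false, so a typo such as "ture" cannot silently enable env-var injection.
function getBoolInputEnv(env, name, core) {
  const raw = env[name];
  if (raw === undefined || raw === "") return false;
  const normalized = raw.trim().toLowerCase();
  if (normalized === "true") return true;
  if (normalized === "false") return false;
  core.warning(`Input ${name} has unrecognized value "${raw}"; falling back to false`);
  return false;
}

// Guarded prefix check: a missing or non-string value never throws.
function looksEncrypted(value) {
  return typeof value === "string" && value.startsWith(ENCRYPTED_PREFIX);
}

// dotenvPlain: values as parsed before decryption; secretsTmp: the same keys
// after the decryption pass. Warn only when a value is still encrypted, and
// mask only values that went from encrypted to plaintext.
function reviewSecrets(dotenvPlain, secretsTmp, core) {
  const result = { failed: [], masked: [], untouched: [] };
  for (const [name, plainValue] of Object.entries(dotenvPlain)) {
    const decryptedValue = secretsTmp[name];
    const wasEncrypted = looksEncrypted(plainValue);
    const stillEncrypted = looksEncrypted(decryptedValue);

    if (stillEncrypted) {
      core.warning(`Failed to decrypt ${name}: value still starts with ${ENCRYPTED_PREFIX}`);
      result.failed.push(name);
    } else if (wasEncrypted) {
      core.setSecret(decryptedValue);
      result.masked.push(name);
    } else {
      result.untouched.push(name);
    }
  }
  return result;
}

// Constructed sample data: one secret that decrypts, one plain value, one whose
// decryption failed (value unchanged), and one non-string value.
const SAMPLE_PLAIN = {
  DB_PASSWORD: "encrypted:BASE64-CIPHERTEXT-CONSTRUCTED",
  PUBLIC_URL: "https://example.test",
  BROKEN: "encrypted:UNDECRYPTABLE-CONSTRUCTED",
  RETRIES: 3,
};
const SAMPLE_DECRYPTED = {
  DB_PASSWORD: "hunter2-constructed",
  PUBLIC_URL: "https://example.test",
  BROKEN: "encrypted:UNDECRYPTABLE-CONSTRUCTED",
  RETRIES: 3,
};

function runDemo() {
  const core = makeCoreStub();
  const inject = getBoolInputEnv({ INPUT_INJECT_ENV_VARS: "ture" }, "INPUT_INJECT_ENV_VARS", core);
  const review = reviewSecrets(SAMPLE_PLAIN, SAMPLE_DECRYPTED, core);
  return { inject, review, calls: core.calls };
}

// Print a summary only; the masked values themselves stay out of the output.
const demo = runDemo();
console.log(JSON.stringify({ inject: demo.inject, review: demo.review, warnings: demo.calls.warnings, masked: demo.calls.secrets.length }, null, 2));
```

The two flags are computed independently on purpose: a value that was never encrypted must not be passed to setSecret (masking a public URL would redact it from every log line), and a value that is still encrypted after the pass must not be masked either, since the ciphertext is what the warning needs to remain readable.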

@ajhalili2006 (Member, Author) left a comment

LGTM, might need to manually approve this via @MFHellscapes

@ajhalili2006 ajhalili2006 marked this pull request as ready for review June 13, 2026 17:02
Copilot AI review requested due to automatic review settings June 13, 2026 17:02

Copilot AI (Contributor) left a comment

Pull request overview

This PR addresses several automated code-quality findings in the GitHub Action implementation, focusing on safer input handling and clearer behavior when decrypting/masking secrets.

Changes:

  • Add a warning + fallback behavior when INPUT_INJECT_ENV_VARS is set to an unrecognized value.
  • Simplify boolean expressions (e.g., debug: core.isDebug()).
  • Avoid potential runtime errors by guarding .startsWith("encrypted:") checks with typeof === "string" and reusing computed flags.

See #10 (comment) for context

Assisted-by: GitHub Copilot via PR reviews

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Andrei Jiroh Halili <ajhalili2006@andreijiroh.dev>
Copilot AI review requested due to automatic review settings June 13, 2026 17:07

@coderabbitai (bot) left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@action.js`:
- Around line 34-35: The debug log currently serializes opts (inside the
core.group callback) and may expose opts.key; before calling
core.debug(JSON.stringify(...)) create a sanitized version (e.g., const safeOpts
= { ...opts, key: opts.key ? '[REDACTED]' : opts.key }) or use a JSON replacer
to omit or mask the key, then call core.debug(JSON.stringify(safeOpts, null, 2))
so the private key is not written to logs; update the code where
core.group("options debug", ...) and core.debug are used to reference the
sanitized object.
- Around line 21-25: The bundled runtime (dist/index.js) doesn't match
action.js: update the getBoolInputEnv() implementation in dist/index.js to
mirror action.js by adding the invalid-value branch that calls core.warning with
the same message and returns false so invalid INPUT_INJECT_ENV_VARS values fall
back to false at runtime; ideally regenerate the dist bundle from source to
ensure parity, but if editing manually, modify the getBoolInputEnv function in
dist/index.js to include the warning + return false branch identical to
action.js.
- Around line 34-37: Remove the redundant core.endGroup() calls that live inside
core.group(...) callbacks: locate each core.group usage (e.g., the callback
invoking core.debug(JSON.stringify(opts, null, 2)) for the "options debug" group
and the other groups named "Parsed data (w/o decryption)" and "dotenv-keys meta
configs") and delete the explicit core.endGroup() call from the callback body;
keep the core.group(...) call and its contents intact since `@actions/core`
handles endGroup() automatically.

📥 Commits

Reviewing files that changed from the base of the PR and between 8785884 and 8bf761b.

📒 Files selected for processing (1)
  • action.js
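The first and third inline comments above (redact opts.key before the debug dump; let group() own endGroup()) as an added example, not the project's action.js. The `core` object is a constructed stand-in for the subset of @actions/core used here (debug, startGroup, endGroup, group); the field names in SENSITIVE_FIELDS and the sample options are assumptions for illustration and not the project's option names. The replacer generalizes the `opts.key ? '[REDACTED]' : opts.key` suggestion to any nesting depth while still showing unset or empty values as-is.

```javascript
// Added example, not the project's action.js: redact private-key material from
// the "options debug" dump before it reaches core.debug(), and let group() own
// endGroup(). `core` is a constructed stand-in for the subset of @actions/core
// used here; SENSITIVE_FIELDS is an assumption, not the project's option names.

const SENSITIVE_FIELDS = new Set(["key", "privateKey", "private_key", "token", "password"]);
const REDACTED = "[REDACTED]";

// JSON.stringify replacer: masks sensitive fields at any nesting depth.
// Unset or empty values pass through, so the dump still shows what was not
// provided (the `opts.key ? '[REDACTED]' : opts.key` idea, generalized).
function redactingReplacer(fieldName, value) {
  if (SENSITIVE_FIELDS.has(fieldName) && value !== undefined && value !== null && value !== "") {
    return REDACTED;
  }
  return value;
}

function safeDebugJson(opts) {
  return JSON.stringify(opts, redactingReplacer, 2);
}

// Stand-in for @actions/core. group() emits the start and end markers around
// fn itself, which is why the callback must not call endGroup() again: a second
// call would emit a stray ::endgroup:: and close the enclosing group instead.
function makeCoreStub() {
  const lines = [];
  return {
    lines,
    debug: (msg) => lines.push(`::debug::${msg}`),
    startGroup: (name) => lines.push(`::group::${name}`),
    endGroup: () => lines.push("::endgroup::"),
    async group(name, fn) {
      this.startGroup(name);
      try {
        return await fn();
      } finally {
        this.endGroup();
      }
    },
  };
}

// Non-async arrow callback, as in the PR; group() awaits its result either way.
async function logOptionsDebug(core, opts) {
  await core.group("options debug", () => core.debug(safeDebugJson(opts)));
  return core.lines;
}

// Constructed sample options; the key value is a placeholder, not a real key.
const SAMPLE_OPTS = {
  path: ".env",
  key: "CONSTRUCTED-PRIVATE-KEY-MATERIAL",
  nested: { token: "constructed-token", keep: 1 },
  provided: { key: "" },
};

logOptionsDebug(makeCoreStub(), SAMPLE_OPTS).then((lines) => console.log(lines.join("\n")));
```

A replacer is preferable to a one-off `{ ...opts, key: ... }` copy because it also catches the same field name inside nested objects, and because the dump is produced once through a single function that can be unit-tested for leaks, as the check on the serialized string below does.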


Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.

Fix some async-await related type errors on options debug log group,
alongside a minimal code comment update.

Signed-off-by: Andrei Jiroh Halili <ajhalili2006@andreijiroh.dev>
@ajhalili2006 ajhalili2006 force-pushed the ai-findings-autofix/action.js branch from bda516a to 1af9bda Compare June 13, 2026 18:21
@MFHellscapes MFHellscapes changed the title Potential fixes for 4 code quality findings fix(action): implement potential fixes for 4 code quality findings from GitHub Jun 13, 2026

@MFHellscapes (Collaborator) left a comment

@ajhalili2006 on the line here, LGTMing

@MFHellscapes MFHellscapes merged commit 7dfcf9b into main Jun 13, 2026
14 checks passed