da_build: add PDF/UA checker with severity classification and optional strict mode

README.md

@@ -306,6 +306,7 @@ jobs:
 - Python all compiles
 - The interview file is minimally correct (python code blocks compile, mako statements compile, we are using known Docassemble keys in the YAML)
 - Absolute URLs in `docassemble/*/data/questions` do not return HTTP 404 (excluding `example.com` links)
+- PDFs in the repository (especially `docassemble/*/data/templates`) are checked for PDF/UA-1 accessibility compliance using [veraPDF](https://verapdf.org/)
 
 #### Usage
 
@@ -327,8 +328,46 @@ jobs:
           ignore-urls: |
             https://example.com/known-flaky-endpoint
             https://another.example.org/blocked-from-ci
+          # Optional: skip PDF accessibility check entirely
+          skip-pdf-check: "true"
+          # Optional: fail the build instead of just warning on inaccessible PDFs
+          verapdf-validation-mode: "error"
+          # Optional: enforce form-field annotation structure rules (strict mode)
+          verapdf-strict: "true"
 ```
 
+#### Input Parameters
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `python-version` | Python version to use | `"3.12"` |
+| `skip-url-check` | Skip URL checker network calls | `"false"` |
+| `skip-templates` | Skip checking URLs in template files | `"false"` |
+| `ignore-urls` | Comma/newline-separated absolute URLs to ignore in URL checks | `""` |
+| `skip-pdf-check` | Skip PDF accessibility checking and veraPDF installation | `"false"` |
+| `verapdf-validation-mode` | How to report PDF/UA-1 accessibility failures: `"warning"` annotates without failing; `"error"` fails the build | `"warning"` |
+| `verapdf-strict` | Enable strict checking: `"true"` activates tab-order and form-annotation structure rules (suppressed by default because forms are often flattened before users see them) | `"false"` |
+
+#### PDF Accessibility Checking
+
+veraPDF is installed automatically and used to validate every PDF in the repository against the **PDF/UA-1** (ISO 14289-1) accessibility standard.
+PDFs found under `docassemble/*/data/templates/` are checked first, followed by any other PDFs in the repository.
+
+Results are written to the **job summary** with per-PDF rule tables and a **warning annotation** is emitted in the action log.
+Set `verapdf-validation-mode: "error"` to turn failures into build failures, or `skip-pdf-check: "true"` to disable the check entirely.
+
+Rules are classified into four severity levels:
+
+| Severity | Behaviour | Examples |
+|----------|-----------|---------|
+| **Fail** | Emits warning/error annotation; fails build in `error` mode | Missing structure tree, untagged content, figures without alt text, font missing ToUnicode |
+| **Warning** | Always emits a warning annotation; never fails the build | Missing `dc:title`, missing language, missing `DisplayDocTitle`, advisory table/list structure |
+| **Info** | Logged to console only; no annotation | Missing PDF/UA XMP identifier (`§5`), optional content config |
+| **Suppressed** *(non-strict)* | Logged as suppressed; no annotation | Tab order (`§7.18.3`), widget annotation in Form tag (`§7.18.4`) |
+
+In **non-strict mode** (default), tab-order and form-annotation structure rules are suppressed because many tools flatten form fields before the user sees the final PDF.
+Set `verapdf-strict: "true"` to treat these as failures.
+
 ## Development Details
 
 Using [codeql-action](https://github.com/github/codeql-action) as

da_build/action.yml

@@ -14,6 +14,22 @@ inputs:
   ignore-urls:
     description: Comma/newline-separated absolute URLs to ignore in URL checks
     default: ""
+  skip-pdf-check:
+    description: Skip PDF accessibility checking and veraPDF installation
+    default: "false"
+  verapdf-validation-mode:
+    description: >-
+      How to report PDF/UA-1 accessibility failures found by veraPDF.
+      'warning' annotates the job without failing it (default).
+      'error' fails the build.
+    default: "warning"
+  verapdf-strict:
+    description: >-
+      Enable strict PDF/UA-1 checking.
+      When 'false' (default), tab-order and annotation structure rules for form
+      fields are suppressed because forms are often flattened before users see
+      them. Set to 'true' to treat those rules as failures.
+    default: "false"
 
 runs:
   using: composite
@@ -94,3 +110,64 @@ runs:
           echo "::warning title=URL checker::$escaped"
         fi
       shell: bash
+
+    - name: Install veraPDF
+      run: |
+        if [ "${{ inputs.skip-pdf-check }}" = "true" ]; then
+          echo "Skipping veraPDF installation"
+          exit 0
+        fi
+
+        # veraPDF 1.28+ is required for compatibility with Java 21 (GitHub Actions default).
+        VERAPDF_VERSION="1.28.1"
+        VERAPDF_MINOR="1.28"
+        INSTALL_DIR="${RUNNER_TEMP}/verapdf"
+
+        if command -v verapdf &>/dev/null; then
+          echo "veraPDF already available: $(verapdf --version 2>&1 | head -1)"
+          exit 0
+        fi
+
+        echo "Downloading veraPDF ${VERAPDF_VERSION}..."
+        wget -q \
+          "https://software.verapdf.org/releases/${VERAPDF_MINOR}/verapdf-greenfield-${VERAPDF_VERSION}-installer.zip" \
+          -O "${RUNNER_TEMP}/verapdf-installer.zip"
+
+        unzip -q "${RUNNER_TEMP}/verapdf-installer.zip" -d "${RUNNER_TEMP}/verapdf-installer-src"
+
+        cat > "${RUNNER_TEMP}/verapdf-autoinstall.xml" << EOF
+        <AutomatedInstallation langpack="eng">
+          <com.izforge.izpack.panels.htmlhello.HTMLHelloPanel id="welcome"/>
+          <com.izforge.izpack.panels.target.TargetPanel id="install_dir">
+            <installpath>${INSTALL_DIR}</installpath>
+          </com.izforge.izpack.panels.target.TargetPanel>
+          <com.izforge.izpack.panels.packs.PacksPanel id="sdk_pack_select">
+            <pack name="veraPDF GUI" selected="true"/>
+            <pack name="veraPDF Mac and *nix Scripts" selected="true"/>
+            <pack name="veraPDF Batch files" selected="false"/>
+            <pack name="veraPDF Validation model" selected="true"/>
+            <pack name="veraPDF Documentation" selected="false"/>
+            <pack name="veraPDF Sample Plugins" selected="false"/>
+          </com.izforge.izpack.panels.packs.PacksPanel>
+          <com.izforge.izpack.panels.install.InstallPanel id="install"/>
+          <com.izforge.izpack.panels.finish.FinishPanel id="finish"/>
+        </AutomatedInstallation>
+        EOF
+
+        INSTALLER_JAR=$(find "${RUNNER_TEMP}/verapdf-installer-src" -name "*.jar" | head -1)
+        java -jar "${INSTALLER_JAR}" "${RUNNER_TEMP}/verapdf-autoinstall.xml"
+        echo "${INSTALL_DIR}" >> "${GITHUB_PATH}"
+        echo "Installed veraPDF: $("${INSTALL_DIR}/verapdf" --version 2>&1 | head -1)"
+      shell: bash
+
+    - name: Check PDF accessibility with veraPDF
+      run: |
+        if [ "${{ inputs.skip-pdf-check }}" = "true" ]; then
+          echo "Skipping PDF accessibility check"
+          exit 0
+        fi
+        python "${{ github.action_path }}/check_pdf_accessibility.py"
+      env:
+        PDF_ACCESSIBILITY_MODE: ${{ inputs.verapdf-validation-mode }}
+        PDF_ACCESSIBILITY_STRICT: ${{ inputs.verapdf-strict }}
+      shell: bash