Feat: Implement repo and PR check for SHA pinned actions/workflows #6
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # SPDX-License-Identifier: Apache-2.0 | |
| # SPDX-FileCopyrightText: 2024 The Linux Foundation | |
| name: "📌 Pinned Versions" | |
| ### Ensures GitHub Actions/Workflows are pinned to a commit SHA ### | |
| # yamllint disable-line rule:truthy | |
| on: | |
| workflow_dispatch: | |
| pull_request: | |
| branches: | |
| - main | |
| - master | |
| paths: [".github/**"] | |
| permissions: {} | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| check-actions: | |
| name: "Check GitHub Workflows" | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| if: ${{ github.event_name == 'workflow_dispatch' }} | |
| - name: Checkout pull request | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - name: Get changed files | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| id: changed-files | |
| # yamllint disable-line rule:line-length | |
| uses: tj-actions/changed-files@bab30c2299617f6615ec02a68b9a40d10bd21366 # v45.0.5 | |
| with: | |
| since_last_remote_commit: true | |
| files: | | |
| .github/**/*.{yml,yaml} | |
| - name: Prune files NOT changed in pull request | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| env: | |
| # yamllint disable-line rule:line-length | |
| ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }} | |
| shell: bash | |
| run: | | |
| # Prune files NOT changed in pull request | |
| find .github -type f -name '*.yaml' -o -name '*.yml' > listed.txt | |
| for YAMLFILE in ${ALL_CHANGED_FILES}; do | |
| echo "$YAMLFILE" >> changed.txt | |
| done | |
| grep -Fvf changed.txt listed.txt > excluded.txt | |
| while IFS= read -r YAMLFILE | |
| do | |
| echo "Disabling: $YAMLFILE" | |
| mv "$YAMLFILE" "$YAMLFILE.excluded" | |
| done < excluded.txt | |
| echo "Files to process:" | |
| find .github -type f -name '*.yaml' -o -name '*.yml' | |
| # Otherwise, just check the current pull request | |
| - name: "Ensure SHA pinned actions" | |
| # yamllint disable-line rule:line-length | |
| uses: zgosalvez/github-actions-ensure-sha-pinned-actions@5d6ac37a4cef8b8df67f482a8e384987766f0213 # v3.0.17 |