-
Notifications
You must be signed in to change notification settings - Fork 9
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Feat: Implement repo and PR check for SHA pinned actions/workflows
Signed-off-by: Matthew Watkins <[email protected]>
- Loading branch information
1 parent
c1c0594
commit d21e183
Showing
1 changed file
with
74 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,74 @@ | ||
| --- | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
| # SPDX-FileCopyrightText: 2024 The Linux Foundation | ||
|
|
||
| name: "📌 Pinned Versions" | ||
| ### Ensures GitHub Actions/Workflows are pinned to a commit SHA ### | ||
|
|
||
| # yamllint disable-line rule:truthy | ||
| on: | ||
| workflow_dispatch: | ||
| pull_request: | ||
| branches: | ||
| - main | ||
| - master | ||
| paths: [".github/**"] | ||
|
|
||
| permissions: {} | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: true | ||
|
|
||
| jobs: | ||
| check-actions: | ||
| name: "Check GitHub Workflows" | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| if: ${{ github.event_name == 'workflow_dispatch' }} | ||
|
|
||
| - name: Checkout pull request | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| if: ${{ github.event_name != 'workflow_dispatch' }} | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha }} | ||
|
|
||
| - name: Get changed files | ||
| if: ${{ github.event_name != 'workflow_dispatch' }} | ||
| id: changed-files | ||
| # yamllint disable-line rule:line-length | ||
| uses: tj-actions/changed-files@bab30c2299617f6615ec02a68b9a40d10bd21366 # v45.0.5 | ||
| with: | ||
| since_last_remote_commit: true | ||
| files: | | ||
| .github/**/*.{yml,yaml} | ||
| - name: Prune files NOT changed in pull request | ||
| if: ${{ github.event_name != 'workflow_dispatch' }} | ||
| env: | ||
| # yamllint disable-line rule:line-length | ||
| ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }} | ||
| shell: bash | ||
| run: | | ||
| # Prune files NOT changed in pull request | ||
| find .github -type f -name '*.yaml' -o -name '*.yml' > listed.txt | ||
| for YAMLFILE in ${ALL_CHANGED_FILES}; do | ||
| echo "$YAMLFILE" >> changed.txt | ||
| done | ||
| grep -Fvf changed.txt listed.txt > excluded.txt | ||
| while IFS= read -r YAMLFILE | ||
| do | ||
| echo "Disabling: $YAMLFILE" | ||
| mv "$YAMLFILE" "$YAMLFILE.excluded" | ||
| done < excluded.txt | ||
| echo "Files to process:" | ||
| find .github -type f -name '*.yaml' -o -name '*.yml' | ||
| # Otherwise, just check the current pull request | ||
| - name: "Ensure SHA pinned actions" | ||
| # yamllint disable-line rule:line-length | ||
| uses: zgosalvez/github-actions-ensure-sha-pinned-actions@5d6ac37a4cef8b8df67f482a8e384987766f0213 # v3.0.17 |