From d21e1838eebd7b7ed70ea80f4ed0bef7958f831b Mon Sep 17 00:00:00 2001
From: Matthew Watkins
Date: Thu, 24 Oct 2024 00:42:13 +0100
Subject: [PATCH] Feat: Implement repo and PR check for SHA pinned actions/workflows
Signed-off-by: Matthew Watkins
---
.github/workflows/verify-action-sha-pins.yaml | 74 +++++++++++++++++++
1 file changed, 74 insertions(+)
create mode 100644 .github/workflows/verify-action-sha-pins.yaml
diff --git a/.github/workflows/verify-action-sha-pins.yaml b/.github/workflows/verify-action-sha-pins.yaml
new file mode 100644
index 0000000..294f460
--- /dev/null
+++ b/.github/workflows/verify-action-sha-pins.yaml
@@ -0,0 +1,74 @@
+---
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2024 The Linux Foundation
+
+name: "📌 Pinned Versions"
+### Ensures GitHub Actions/Workflows are pinned to a commit SHA ###
+
+# yamllint disable-line rule:truthy
+on:
+ workflow_dispatch:
+ pull_request:
+ branches:
+ - main
+ - master
+ paths: [".github/**"]
+
+permissions: {}
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ check-actions:
+ name: "Check GitHub Workflows"
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ if: ${{ github.event_name == 'workflow_dispatch' }}
+
+ - name: Checkout pull request
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ if: ${{ github.event_name != 'workflow_dispatch' }}
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - name: Get changed files
+ if: ${{ github.event_name != 'workflow_dispatch' }}
+ id: changed-files
+ # yamllint disable-line rule:line-length
+ uses: tj-actions/changed-files@bab30c2299617f6615ec02a68b9a40d10bd21366 # v45.0.5
+ with:
+ since_last_remote_commit: true
+ files: |
+ .github/**/*.{yml,yaml}
+
+ - name: Prune files NOT changed in pull request
+ if: ${{ github.event_name != 'workflow_dispatch' }}
+ env:
+ # yamllint disable-line rule:line-length
+ ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
+ shell: bash
+ run: |
+ # Prune files NOT changed in pull request
+ find .github -type f -name '*.yaml' -o -name '*.yml' > listed.txt
+ for YAMLFILE in ${ALL_CHANGED_FILES}; do
+ echo "$YAMLFILE" >> changed.txt
+ done
+ grep -Fvf changed.txt listed.txt > excluded.txt
+ while IFS= read -r YAMLFILE
+ do
+ echo "Disabling: $YAMLFILE"
+ mv "$YAMLFILE" "$YAMLFILE.excluded"
+ done < excluded.txt
+ echo "Files to process:"
+ find .github -type f -name '*.yaml' -o -name '*.yml'
+
+ # Otherwise, just check the current pull request
+ - name: "Ensure SHA pinned actions"
+ # yamllint disable-line rule:line-length
+ uses: zgosalvez/github-actions-ensure-sha-pinned-actions@5d6ac37a4cef8b8df67f482a8e384987766f0213 # v3.0.17
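Review bot: `since_last_remote_commit: true` on the "Get changed files" step narrows the pinned-SHA check to files touched by the most recent push rather than the whole pull request, so an unpinned `uses:` introduced in an earlier push is renamed to `.excluded` by the prune step on the next run and the final PR status can be green while the merged workflow is unpinned. Removing that line lets changed-files compare the PR head against its base, which I believe is the action's default for `pull_request` events, so every workflow changed anywhere in the PR stays in scope. Two smaller issues in the prune script: `find .github -type f -name '*.yaml' -o -name '*.yml'` applies `-type f` only to the first pattern (write it as `find .github -type f \( -name '*.yaml' -o -name '*.yml' \)` in both places), and `grep -Fvf changed.txt listed.txt` matches substrings rather than whole paths, so `grep -Fxvf` is the safer form; note also that when the loop writes nothing, `changed.txt` never exists and the step fails on the grep under `shell: bash`'s `-e`. The `# Otherwise, just check the current pull request` comment sits above the final step, which runs for both triggers, so it reads as a stale leftover and could be dropped or moved to the prune step.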