-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathaction.yaml
74 lines (67 loc) · 2.73 KB
/
action.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
---
# SPDX-License-Identifier: Apache-2.0
# SPDX-FileCopyrightText: 2024 The Linux Foundation
# pinned-versions-action
name: "📌 Pinned Versions Action"
description: "Verifies action/workflow calls are pinned to SHA commit values"
runs:
using: "composite"
steps:
# Checkout repository on manual invocation
- name: Checkout repository
if: github.event_name == 'workflow_dispatch'
# yamllint disable-line rule:line-length
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# Scan all GitHub actions/workflows on manual invocation
- name: Audit all GitHub actions/workflows
if: github.event_name == 'workflow_dispatch'
shell: bash
run: |
# Audit all GitHub actions/workflows
echo "workflow_changes=true" >> "$GITHUB_ENV"
echo "Auditing all actions/workflows ✅"
# Checkout change when invoked on a pull request
- name: Checkout pull request
if: github.event_name != 'workflow_dispatch'
# yamllint disable-line rule:line-length
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.pull_request.head.sha }}
# Get files changed in the pull request from upstream action
- name: Get changed files from action
id: changed-files
if: github.event_name != 'workflow_dispatch'
# yamllint disable-line rule:line-length
uses: tj-actions/changed-files@d6e91a2266cdb9d62096cebf1e8546899c6aa18f # v45.0.6
with:
since_last_remote_commit: true
files: |
.github/**/*.{yml,yaml}
- name: Prune unmodified workflows/actions from scope
if: github.event_name != 'workflow_dispatch'
env:
ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
shell: bash
run: |
# ✂️ Prune unmodified workflows/actions from scope
find .github -type f -name '*.yaml' -o -name '*.yml' > github.txt
for YAMLFILE in ${ALL_CHANGED_FILES}; do
echo "$YAMLFILE" >> changed.txt
done
if [ ! -f changed.txt ]; then
echo "No changes in scope for check ⏩"
echo "workflow_changes=false" >> "$GITHUB_ENV"
else
grep -Fvf changed.txt github.txt > unmodified.txt
while IFS= read -r YAMLFILE
do
rm "$YAMLFILE"
done < unmodified.txt
echo "workflow_changes=true" >> "$GITHUB_ENV"
echo "Files found to check ✅"
cat changed.txt
fi
- name: "Ensure SHA pinned actions"
# yamllint disable-line rule:line-length
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@c3a2b64f69b7a1542a68f44d9edbd9ec3fc1455e # v3.0.20
if: env.workflow_changes == 'true'