-
Notifications
You must be signed in to change notification settings - Fork 2
80 lines (75 loc) · 3.37 KB
/
reusable-presubmit-actions-workflow-require-commit-digest-vet.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
name: presubmit Actions workflow vet
on:
workflow_call: {}
jobs:
presubmit-workflow:
runs-on: ubuntu-latest
steps:
- if: ${{ startsWith(github.repository, 'GeoNet/') == false }}
name: require GeoNet org
run: |
exit 1
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- id: actions-per-workflow
name: discover actions per workflow
run: |
# steps
# 1. get jobs from uses fields
# 2. format as {"invalid":[], "file":""}
REPOSITORY="${{ github.repository }}"
ACTIONS=$(
for WORKFLOW in $(find .github/workflows -type f -name '*.yml' -not -name 'test*.yml'); do
ACTIONS=$(< $WORKFLOW \
yq e '.jobs.*.steps[].uses as $jobsteps | .jobs.*.uses as $jobuses | $jobsteps | [., $jobuses]' -o json \
| jq -rcMs --arg file "$WORKFLOW" --arg repository "$REPOSITORY" '{"actions": . | flatten} | .file = $file')
[ -z "${ACTIONS}" ] && continue
echo -e "${ACTIONS}"
done | jq -sc '.'
)
echo "actions=$ACTIONS" >> $GITHUB_OUTPUT
- name: display actions
run: |
echo -e '${{ steps.actions-per-workflow.outputs.actions }}' | yq e -P
- name: Create issue comment in pull request
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
if: ${{ github.event_name == 'pull_request' }}
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const re = /([a-zA-Z0-9-]+\/)([a-zA-Z0-9-]+)(\/[a-zA-Z0-9-]+)?@([a-z0-9]{40})/
const actionsJSONString = `${{ steps.actions-per-workflow.outputs.actions }}`
const githubRepo = `${{ github.repository }}`
const invalidActions = JSON.parse(actionsJSONString).filter(i => {
i.actions = i.actions.filter(v => {
return !(re.test(v) || v.includes(githubRepo) || v.startsWith('docker://'))
})
if (i.actions.length === 0) {
return
}
return i
})
if (invalidActions.length === 0 || typeof invalidActions === 'undefined' || invalidActions === null) {
console.log(`All actions are valid and formatted correctly. Exiting...`)
return
}
let output = `#### Actions presubmit\n\n
Actions must be used with the commit digest\n\n
##### The following actions require updating\n`
invalidActions.forEach(i => {
output += `[${i.file}](${{ github.server_url }}/${{ github.repository }}/blob/main/${i.file})\n`
i.invalid.forEach(v => {
output += `- ${v}\n`
})
output += `\n`
})
output += `\n`
output += `**Actions are required to be used like _\`actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222\`_ instead of a version tag**\n`
output += `*Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*
<!-- from ${{ github.workflow_ref }} -->
`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})