devops-actions / load-used-actions

Load used actions from an entire organization

Include versions ref in report #109

Closed sebastienvermeille closed 2 months ago

sebastienvermeille commented 2 months ago

What are the incoming changes?

The following changes integrate a new property into the report: actionRef

Why named action ref?

Can be challenged, I thought it's a good idea as after the @ it can be many different things actually:

actions@<SHA | tag | version> <-- Due to that, I think that naming it actionVersion, actionTag or actionSha is not really a good choice.

Let me know if you get a better idea :+1:

Why are they needed

https://github.com/devops-actions/load-used-actions/issues/106

How has this been achieved?

I added the property and tested it on my own workflows it worked like a charm.

It creates one entry per action:ref (= if an action is used with 4 different refs in the GitHub organization, it will be in 4 different "action's" in the report)

This helps to identify which repositories are using actions, including vulnerabilities (i.e. version 2 contains an important CVE but 3 fixes it)

These are my first lines in PowerShell, I am very happy to hear your feedback about that change :+1:

sebastienvermeille commented 2 months ago

Hi @rajbos, could you have a look at this PR and let me know if some changes are required?

Thank you :+1:

sebastienvermeille commented 2 months ago

> I prefer to add the new field to the workflows array instead of the output array. Adding it to the output array and thus having multiple items for each usage of the action, would mean introducing a breaking change for dependencies of this action (like my actions marketplace).
>
> If we add the new property in the workflows array we now have a non breaking change, but still get the 'version' information out of it.

Hi @rajbos , this is a totally valid point of view (mine was maybe biased because it was easier for me to dump it to Datadog with this format so I could easily sort out which gh-action versions are used where but I can still rework the data after no worries)

> Do you want to create the changes yourself, or need some help?

I will give it a try :+1:

sebastienvermeille commented 2 months ago

Hi @rajbos , I applied the requested changes, I tested it and could see the expected results happening:

    {
        "type": "action",
        "actionLink": "someorg/some-action",
        "count": 1,
        "workflows": [
            {
                "repo": "someorg/test",
                "workflowFileName": "build.yml",
                "actionRef": "v3"
            }
        ]
    },
...

I will probably need to do some remapping with my Datadog monitoring as I want to see "which repos are using a compromised version of GitHub actions" but this is another topic for my own :D

Wish you a good weekend ahead!

:vulcan_salute:
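The report shape shown above (one entry per action, with `actionRef` on each item of the `workflows` array) is what makes the "which repos use a vulnerable version" question answerable. The following is an added example, not code from this PR or the load-used-actions project, that consumes such a report: it lists every workflow using an action at a ref you mark as affected, and classifies each ref as an immutable commit SHA or a mutable tag/branch. The sample report, the affected-refs mapping and the helper names are constructed for illustration.

```python
import json
import re

# Constructed sample in the shape this PR produces: one entry per action,
# with the workflows array carrying the new actionRef property.
SAMPLE_REPORT = json.loads("""
[
  {"type": "action", "actionLink": "someorg/some-action", "count": 3,
   "workflows": [
     {"repo": "someorg/test", "workflowFileName": "build.yml",  "actionRef": "v3"},
     {"repo": "someorg/api",  "workflowFileName": "ci.yml",     "actionRef": "v2"},
     {"repo": "someorg/web",  "workflowFileName": "deploy.yml",
      "actionRef": "0123456789abcdef0123456789abcdef01234567"}
   ]},
  {"type": "action", "actionLink": "someorg/other-action", "count": 1,
   "workflows": [
     {"repo": "someorg/test", "workflowFileName": "build.yml", "actionRef": "main"}
   ]}
]
""")

SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def ref_kind(ref):
    """Classify the text after '@': a full commit SHA is immutable, anything else (tag, branch) can move."""
    return "sha" if SHA_RE.match(ref) else "mutable"

def find_affected(report, affected):
    """Return (repo, workflowFileName, actionLink, actionRef) for every workflow that uses an
    action at a ref listed in `affected` (a mapping actionLink -> set of vulnerable refs)."""
    hits = []
    for entry in report:
        bad_refs = affected.get(entry["actionLink"], set())
        for wf in entry["workflows"]:
            if wf["actionRef"] in bad_refs:
                hits.append((wf["repo"], wf["workflowFileName"], entry["actionLink"], wf["actionRef"]))
    return hits

def refs_per_action(report):
    """Summarise which refs of each action are in use across the organisation."""
    return {e["actionLink"]: sorted({w["actionRef"] for w in e["workflows"]}) for e in report}

if __name__ == "__main__":
    # Constructed: pretend v2 of some-action carries the CVE and v3 fixes it.
    affected = {"someorg/some-action": {"v2"}}
    for hit in find_affected(SAMPLE_REPORT, affected):
        print("affected:", hit)
    for action, refs in refs_per_action(SAMPLE_REPORT).items():
        print(action, {r: ref_kind(r) for r in refs})
```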

rajbos commented 2 months ago

Thanks for adding this! Great work @sebastienvermeille 🎉

sebastienvermeille commented 2 months ago

Thank you for your help @rajbos, very happy to contribute to such a great project :+1: