rancher-sandbox / rancher-desktop

Container Management and Kubernetes on the Desktop
https://rancherdesktop.io
Apache License 2.0
5.7k stars 266 forks

Epic: Audit GHA for compliance with SUSE policies #6982

Open jandubois opened 1 month ago

jandubois commented 1 month ago

Actions that need to be replaced (or their workflows disabled):

jandubois commented 1 month ago

I've used the following script to audit our use of GitHub actions. It ignores repos that have disabled all actions:

#!/usr/bin/env bash

set -o errexit -o nounset

# Clone every team repo into a throwaway directory. The template form works with both
# BSD and GNU mktemp (GNU rejects "-t repos" because the template has no X's).
tempdir=$(mktemp -d "${TMPDIR:-/tmp}/repos.XXXXXX") || exit 1
pushd "$tempdir" >/dev/null

# --paginate: the team repos endpoint returns 30 repos per page by default.
for repo in $(gh api --paginate /orgs/rancher-sandbox/teams/rancher-desktop/repos --jq '.[].full_name'); do
    # Skip repos that have Actions switched off entirely; their workflows never run.
    enabled=$(gh api "/repos/${repo}/actions/permissions" --jq '.enabled')
    if [[ $enabled == true ]]; then
        echo "$repo"
        git clone --quiet "git@github.com:${repo}"
    else
        echo "${repo} [DISABLED]"
    fi
done

# Collect every `uses:` line from the cloned workflows, keyed by action (the ref after
# `@` is dropped), and list the repos that use it. The repo name is the first path
# component of the workflow file name. Without `shopt -s globstar`, `**` matches a
# single path component, which is exactly the one-level clone layout above.
perl <(cat <<'EOF'
use v5.20;
my %action;
while (<>) {
  my($repo) = $ARGV =~ m#^(?:\./)?([^/]+)#;
  next unless /^\s*-?\s*uses:\s+([^@\n]+)/;
  $action{$1}{$repo}++;
}
for my $action (sort keys %action) {
  say "\n$action";
  say "    $_" for sort keys %{$action{$action}};
}
EOF
) ./**/.github/workflows/*

popd >/dev/null
rm -rf "${tempdir:?}"

popd >/dev/null
rm -rf "${tempdir:?}"

The output right now is

$ ./gha.sh
rancher-sandbox/alpine-lima
rancher-sandbox/bats-assert [DISABLED]
rancher-sandbox/bats-core [DISABLED]
rancher-sandbox/bats-file [DISABLED]
rancher-sandbox/bats-support [DISABLED]
rancher-sandbox/boot2tcl [DISABLED]
rancher-sandbox/cri-dockerd [DISABLED]
rancher-sandbox/dashboard
rancher-sandbox/docker-machine-driver-hyperkit [DISABLED]
rancher-sandbox/docs.rancherdesktop.io
rancher-sandbox/epinio-desktop-extension
rancher-sandbox/lima [DISABLED]
rancher-sandbox/lima-and-qemu
rancher-sandbox/moproxy
rancher-sandbox/ngx_http_proxy_connect_module
rancher-sandbox/openresty-packaging
rancher-sandbox/rancher-desktop
rancher-sandbox/rancher-desktop-agent
rancher-sandbox/rancher-desktop-docker-cli
rancher-sandbox/rancher-desktop-goproxy
rancher-sandbox/rancher-desktop-host-resolver
rancher-sandbox/rancher-desktop-lima
rancher-sandbox/rancher-desktop-networking
rancher-sandbox/rancher-desktop-steve
rancher-sandbox/rancher-desktop-upgrade-responder
rancher-sandbox/rancher-desktop-wsl-distro
rancher-sandbox/rancherdesktop.io

./.github/actions/setup-environment
    rancher-desktop

./.github/workflows/paths-ignore.yaml
    rancher-desktop

actions-rs/cargo
    moproxy

actions-rs/install
    moproxy

actions/checkout
    alpine-lima
    dashboard
    docs.rancherdesktop.io
    epinio-desktop-extension
    lima-and-qemu
    moproxy
    ngx_http_proxy_connect_module
    rancher-desktop
    rancher-desktop-agent
    rancher-desktop-docker-cli
    rancher-desktop-goproxy
    rancher-desktop-host-resolver
    rancher-desktop-lima
    rancher-desktop-networking
    rancher-desktop-steve
    rancher-desktop-upgrade-responder
    rancher-desktop-wsl-distro
    rancherdesktop.io

actions/create-github-app-token
    rancher-desktop-wsl-distro

actions/deploy-pages
    docs.rancherdesktop.io
    rancherdesktop.io

actions/download-artifact
    dashboard
    lima-and-qemu
    rancher-desktop
    rancher-desktop-agent
    rancher-desktop-goproxy
    rancher-desktop-lima
    rancher-desktop-networking
    rancher-desktop-wsl-distro

actions/setup-go
    lima-and-qemu
    rancher-desktop
    rancher-desktop-agent
    rancher-desktop-goproxy
    rancher-desktop-host-resolver
    rancher-desktop-lima
    rancher-desktop-networking
    rancher-desktop-steve
    rancher-desktop-upgrade-responder

actions/setup-node
    dashboard
    docs.rancherdesktop.io
    epinio-desktop-extension
    rancher-desktop
    rancherdesktop.io

actions/setup-python
    rancher-desktop

actions/upload-artifact
    dashboard
    lima-and-qemu
    rancher-desktop
    rancher-desktop-agent
    rancher-desktop-docker-cli
    rancher-desktop-goproxy
    rancher-desktop-lima
    rancher-desktop-networking
    rancher-desktop-steve
    rancher-desktop-wsl-distro

actions/upload-pages-artifact
    docs.rancherdesktop.io
    rancherdesktop.io

check-spelling/check-spelling
    rancher-desktop

codecov/codecov-action
    dashboard

docker/bake-action
    rancher-desktop-docker-cli

docker/build-push-action
    epinio-desktop-extension
    rancher-desktop
    rancher-desktop-upgrade-responder

docker/login-action
    epinio-desktop-extension
    rancher-desktop
    rancher-desktop-upgrade-responder

docker/metadata-action
    rancher-desktop

docker/setup-buildx-action
    epinio-desktop-extension
    rancher-desktop
    rancher-desktop-docker-cli

docker/setup-qemu-action
    epinio-desktop-extension
    rancher-desktop

golangci/golangci-lint-action
    rancher-desktop
    rancher-desktop-agent
    rancher-desktop-host-resolver
    rancher-desktop-networking

ncipollo/release-action
    moproxy

peaceiris/actions-gh-pages
    dashboard

prewk/s3-cp-action
    rancher-desktop

rancher-eio/read-vault-secrets
    rancher-desktop-wsl-distro

svenstaro/upload-release-action
    rancher-desktop-steve

updatecli/updatecli-action
    epinio-desktop-extension

wangyoucao577/go-release-action
    rancher-desktop-host-resolver
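
The script above records which repositories use which action and discards the ref after `@`, so it cannot tell a reference pinned to a commit SHA from one floating on a tag. The following is an added example, not code from the issue or from the project, that classifies each `uses:` reference by how it is pinned (local path, container image, full 40-hex commit SHA, mutable tag or branch, or no ref at all) and reports third-party actions that are not SHA-pinned. The allow-list of trusted owners and the sample workflow, including the `example-org/...` action names and the all-hex SHA, are constructed for this example; they are not the SUSE policy the issue refers to and not any real workflow.

```shell
#!/usr/bin/env sh
# Added example (not from the issue): classify each `uses:` reference in a
# workflow by owner and by how it is pinned. TRUSTED_OWNERS is an assumption
# made for illustration, not the policy the issue audits against.
set -eu

TRUSTED_OWNERS='actions docker github'

# is_trusted OWNER: succeed when OWNER is in TRUSTED_OWNERS.
is_trusted() {
    for o in $TRUSTED_OWNERS; do
        [ "$1" = "$o" ] && return 0
    done
    return 1
}

# classify_uses: read workflow YAML on stdin and print one "action|ref|class"
# line per `uses:` entry. Classes:
#   local     ./path inside the repository
#   container docker://image reference
#   sha       pinned to a full 40-hex commit SHA
#   mutable   tag or branch, which the action owner can move
#   unpinned  no @ref at all
classify_uses() {
    # Same line shape the issue's Perl matches; also drop quotes and trailing comments.
    sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*\([^#]*\).*/\1/p' |
    sed 's/["'"'"']//g; s/[[:space:]]*$//' |
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        action=${entry%%@*}
        case "$entry" in
            *@*) ref=${entry#*@} ;;
            *)   ref='' ;;
        esac
        case "$entry" in
            ./*)        class=local ;;
            docker://*) class=container ;;
            *)
                if [ -z "$ref" ]; then
                    class=unpinned
                elif printf '%s\n' "$ref" | grep -Eq '^[0-9a-f]{40}$'; then
                    class=sha
                else
                    class=mutable
                fi ;;
        esac
        printf '%s|%s|%s\n' "$action" "$ref" "$class"
    done
}

# audit_workflow: read workflow YAML on stdin and print only what an auditor
# wants to see: third-party actions that are not pinned to a commit SHA.
audit_workflow() {
    classify_uses | while IFS='|' read -r action ref class; do
        case "$class" in
            local|container|sha) continue ;;
        esac
        owner=${action%%/*}
        is_trusted "$owner" && continue
        printf '%s%s (%s)\n' "$action" "${ref:+@$ref}" "$class"
    done
}

# Constructed sample workflow for a stand-alone run; the example-org actions
# and the all-hex SHA are placeholders, not real references.
SAMPLE_WORKFLOW='name: ci
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup-environment
      - uses: "docker://alpine:3.19"
      - name: release
        uses: example-org/release-action@v1 # floats on a tag
      - uses: example-org/s3-cp-action@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/upload-release-action
'

printf '%s' "$SAMPLE_WORKFLOW" | audit_workflow
```

Run stand-alone it prints two findings for the constructed workflow: the tag-pinned `example-org/release-action@v1` and the ref-less `example-org/upload-release-action`. To run it over the clones made by the script above, pipe `cat ./*/.github/workflows/*` into `audit_workflow` (or loop per repo to keep the attribution the Perl output has). Classification is by reference shape only: a 40-hex ref is treated as immutable, and a tag such as `v4` is flagged for every owner outside the allow-list, even one the repository may have a reason to trust.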

jandubois commented 1 month ago

After checking against the current policy, I believe the following actions are problematic:

actions-rs/cargo
    moproxy

actions-rs/install
    moproxy

check-spelling/check-spelling
    rancher-desktop

ncipollo/release-action
    moproxy

peaceiris/actions-gh-pages
    dashboard

prewk/s3-cp-action
    rancher-desktop

svenstaro/upload-release-action
    rancher-desktop-steve

wangyoucao577/go-release-action
    rancher-desktop-host-resolver