sethvargo / ratchet

A tool for securing CI/CD workflows with version pinning.
Apache License 2.0

feat: Support consistent flag in check command #20

Closed ybelMekk closed 2 years ago

ybelMekk commented 2 years ago

First of all, thanks for this cool project! 🙏🏾

I started to use this in my GitHub CI workflows and found something I was thinking of submitting an issue about, but that's boring, so I tried my hand at a PR.

I've set it up similar to this:

name: Check pinned workflows
on:
  push:
    paths:
      - '.github/workflows/**'
jobs:
  ratchet:
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # ratchet:actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
      - name: Check if main.yml is pinned
        uses: 'docker://ghcr.io/sethvargo/ratchet@sha256:35c4b5f020000ee9c77a4af7cbe04f1d3e88718e533e6cb949146d4dc2c89220' # ratchet:docker://ghcr.io/sethvargo/ratchet:0.2.1
        with:
          args: 'check .github/workflows/main.yml'

But I noticed that when using automated dependency updates, like Dependabot, it updates, but it makes the ratchet constraint inconsistent; the original constraint doesn't match the update. Example:

Before the PR:

      - name: Upload
        uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # ratchet:actions/upload-artifact@v2

After the PR:

      - name: Upload
        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # ratchet:actions/upload-artifact@v2

The comment constraint # ratchet:actions/upload-artifact@v2 should in this case be # ratchet:actions/upload-artifact@v3.

With this useful --consistent flag on the check command in Ratchet, when in a CI environment with automated dependency updates (e.g. Dependabot) activated, the workflow will fail fast with a message like: found 1 mismatch between ref and constraint: [{"good/repo@2541b1294d2704b0964813337f33b291d3f8596b" "good/repo@v0" "4"}] and you have to update the version, keeping the inconsistency away 🗡️ ..

sethvargo commented 2 years ago

Hi @ybelMekk

Thank you for opening a PR! Could you help me understand this a bit more:

But I noticed that when using automated dependency updates, like Dependabot, it updates, but it makes the ratchet constraint inconsistent; the original constraint doesn't match the update. Example:

What is dependabot doing? Is this a custom dependabot integration or are there some documents you could point me to?

Ratchet intentionally won't bump a constraint. In your example, it will pick up the latest checksum in the v2 series, but it will not pull from the v3 series. To do that, you would either manually edit the comment and run ratchet update, or run ratchet unpin, edit, and run ratchet pin.

ybelMekk commented 2 years ago

What is dependabot doing? Is this a custom dependabot integration or are there some documents you could point me to?

Ratchet intentionally won't bump a constraint. In your example, it will pick up the latest checksum in the v2 series, but it will not pull from the v3 series. To do that, you would either manually edit the comment and run ratchet update, or run ratchet unpin, edit, and run ratchet pin.

OK, nothing custom, the dependabot.yml in your workflows folder:

version: 2
updates:
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: "weekly"

Dependabot sends a PR to update GitHub Actions upload-artifact from 2.31 to 3:

      - name: Upload
        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # ratchet:actions/upload-artifact@v2

Original ratchet-pinned main.yaml:

      - name: Upload
        uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # ratchet:actions/upload-artifact@v2

Notice the ratchet constraint is not updated but the hash is. But if you now have a workflow, say called ratchet.yaml, that only runs when there are changes to the workflow files:

name: Check pinned workflows
on:
  push:
    paths:
      - '.github/workflows/**'
jobs:
  ratchet:
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # ratchet:actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
      - name: Check if main.yml is pinned
        uses: 'docker://ghcr.io/sethvargo/ratchet@sha256:35c4b5f020000ee9c77a4af7cbe04f1d3e88718e533e6cb949146d4dc2c89220' # ratchet:docker://ghcr.io/sethvargo/ratchet:0.2.1
        with:
          args: 'check --consistent .github/workflows/main.yml'

The --consistent flag on the check command in Ratchet will then fail, to help the developer keep their pinned workflow consistent; then run the update command either manually or in the same workflow.
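The check proposed in this PR (flagging a `uses:` ref that no longer agrees with its `# ratchet:` comment after a Dependabot bump) can be sketched in Go, which is the language ratchet itself is written in. The following is an added example written for this page; it is not ratchet's own code and does not claim to reproduce how the project implements `--consistent`. It assumes a `Resolver` callback standing in for the network lookup a real tool would make (git ls-remote, the GitHub API, or the container registry), and the tag-to-SHA table in `sampleResolutions` is constructed from the SHAs quoted in this thread for illustration only; it has not been verified against GitHub.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Pin is one `uses:` entry from a workflow together with its `# ratchet:` comment.
type Pin struct {
	Line       int
	Uses       string // what actually runs, e.g. "actions/upload-artifact@3cea5372..."
	Constraint string // the `# ratchet:` comment value, e.g. "actions/upload-artifact@v2"; "" if absent
}

// Mismatch mirrors the {ref, constraint, line} triple in the error message quoted in the thread.
type Mismatch struct {
	Ref        string
	Constraint string
	Line       int
}

// Resolver answers "which ref does this constraint point at right now?".
// A real checker would ask git, the GitHub API or the registry; here it is a map (assumption).
type Resolver func(repo, constraint string) (ref string, ok bool)

// usesRe captures the `uses:` value and, when present, the ratchet constraint comment.
var usesRe = regexp.MustCompile(`^\s*-?\s*uses:\s*['"]?([^\s'"#]+)['"]?(?:\s*#\s*ratchet:(\S+))?`)

// splitRef splits "repo@ref" (GitHub) or "docker://image:tag" (container) into its parts.
func splitRef(s string) (repo, ver string) {
	if i := strings.LastIndex(s, "@"); i >= 0 {
		return s[:i], s[i+1:]
	}
	if i := strings.LastIndex(s, ":"); i > len("docker://") { // skip the colon in "docker://"
		return s[:i], s[i+1:]
	}
	return s, ""
}

// ParsePins scans workflow YAML line by line and returns every `uses:` pin it finds.
func ParsePins(workflow string) []Pin {
	var pins []Pin
	for n, line := range strings.Split(workflow, "\n") {
		if m := usesRe.FindStringSubmatch(line); m != nil {
			pins = append(pins, Pin{Line: n + 1, Uses: m[1], Constraint: m[2]})
		}
	}
	return pins
}

// CheckConsistent reports every pin whose running ref is not what its constraint resolves to.
// It is deliberately strict: a pin that is merely stale within the same series is also flagged,
// since that is exactly what `ratchet update` exists to fix.
func CheckConsistent(pins []Pin, resolve Resolver) []Mismatch {
	var out []Mismatch
	for _, p := range pins {
		if p.Constraint == "" {
			continue // nothing to compare against; plain `ratchet check` covers unpinned refs
		}
		repo, ref := splitRef(p.Uses)
		crepo, cver := splitRef(p.Constraint)
		want, ok := "", false
		switch {
		case crepo != repo:
			// the comment names a different action or image than the one that runs
		case cver == ref:
			continue // the constraint is itself the exact ref (the checkout line in the thread)
		default:
			want, ok = resolve(crepo, cver)
		}
		if !ok || want != ref {
			out = append(out, Mismatch{Ref: p.Uses, Constraint: p.Constraint, Line: p.Line})
		}
	}
	return out
}

// Format renders mismatches in the shape of the message quoted in the thread.
func Format(ms []Mismatch) string {
	parts := make([]string, 0, len(ms))
	for _, m := range ms {
		parts = append(parts, fmt.Sprintf("{%q %q %q}", m.Ref, m.Constraint, fmt.Sprint(m.Line)))
	}
	return fmt.Sprintf("found %d mismatch between ref and constraint: [%s]", len(ms), strings.Join(parts, " "))
}

// MapResolver builds a Resolver from a "repo@version" -> ref table (test double for the network).
func MapResolver(table map[string]string) Resolver {
	return func(repo, constraint string) (string, bool) {
		ref, ok := table[repo+"@"+constraint]
		return ref, ok
	}
}

// Constructed sample: the "after Dependabot" upload-artifact line from the thread, plus the
// checkout and docker lines from the ratchet.yaml above. The resolution table is assumed.
const sampleWorkflow = `jobs:
  build:
    steps:
      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # ratchet:actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
      - name: Upload
        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # ratchet:actions/upload-artifact@v2
      - uses: 'docker://ghcr.io/sethvargo/ratchet@sha256:35c4b5f020000ee9c77a4af7cbe04f1d3e88718e533e6cb949146d4dc2c89220' # ratchet:docker://ghcr.io/sethvargo/ratchet:0.2.1
`

var sampleResolutions = map[string]string{
	"actions/upload-artifact@v2":               "82c141cc518b40d92cc801eee768e7aafc9c2fa2",
	"actions/upload-artifact@v3":               "3cea5372237819ed00197afe530f5a7ea3e805c8",
	"docker://ghcr.io/sethvargo/ratchet@0.2.1": "sha256:35c4b5f020000ee9c77a4af7cbe04f1d3e88718e533e6cb949146d4dc2c89220",
}

func main() {
	ms := CheckConsistent(ParsePins(sampleWorkflow), MapResolver(sampleResolutions))
	if len(ms) == 0 {
		fmt.Println("all constraints consistent")
		return
	}
	fmt.Println(Format(ms)) // one mismatch: the upload-artifact line (v2 comment, v3 SHA)
}
```

Run against the sample, only the upload-artifact line is reported: its comment still says v2 while the SHA is the one Dependabot chose for v3, so a CI job wired the way ratchet.yaml above is would fail until someone edits the comment and re-runs `ratchet update`. The checkout line passes because its constraint is the exact SHA, and the docker line passes because the assumed table maps 0.2.1 to the pinned digest. Relaxing the strictness to "same major series" would need tag ancestry from the upstream repository rather than a single resolution per constraint.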

ybelMekk commented 2 years ago

OK, I see what you meant... missing some logic in the PR. 😅🤓

ybelMekk commented 2 years ago

Closing this for now, and I'll come back with a new one.