sethvargo / ratchet

A tool for securing CI/CD workflows with version pinning.
Apache License 2.0
772 stars 32 forks

check: support directory scan #28

Closed Dentrax closed 2 years ago

Dentrax commented 2 years ago

TL;DR

It would be nice to support directory inputs for check subcommand:

$ ratchet check .github/workflows/
failed to parse .github/workflows/: failed to decode yaml: yaml: input error: read .github/workflows/: is a directory

Detailed design

If the given arg is a directory, traverse all `.yml | .yaml` files (it's ok to ignore symlinks for now).

If the given arg is a file, it should work as is.

Example output format:

[PASS] .github/workflows/foo.yaml
[FAIL] .github/workflows/bar.yaml
[PASS] .github/workflows/baz.yaml

Additional information

No response
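As an added illustration of the design sketched above (this is not ratchet's own code, and it is not from the PR mentioned later), the following Go program resolves a path to either a single file or every regular `.yml`/`.yaml` file below a directory, skipping symlinks, and prints one `[PASS]`/`[FAIL]` line per file. The "pinned" test it applies is a hypothetical, deliberately simplified stand-in: a `uses:` reference counts as pinned only when it ends in a 40-hex commit SHA, or, for `docker://` images, carries a `@sha256:` digest; local `./` actions are ignored. Ratchet's real resolution logic is richer than this.

```go
// Added example: directory scan with [PASS]/[FAIL] output, as proposed in the
// issue. Not ratchet's code; isPinned is a simplified, hypothetical check.
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// usesLine matches a GitHub Actions "uses:" entry and captures its value.
var usesLine = regexp.MustCompile(`^\s*-?\s*uses:\s*['"]?([^'"\s]+)`)

// sha40 is the only git ref form this simplified check treats as pinned.
var sha40 = regexp.MustCompile(`^[0-9a-f]{40}$`)

// collectWorkflowFiles returns path itself when it is a file, or every
// regular *.yml / *.yaml file below it when it is a directory.
// Symlinks are skipped, as the issue suggests is acceptable for now.
func collectWorkflowFiles(path string) ([]string, error) {
	info, err := os.Lstat(path)
	if err != nil {
		return nil, err
	}
	if !info.IsDir() {
		return []string{path}, nil
	}
	var files []string
	err = filepath.WalkDir(path, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.Type()&fs.ModeSymlink != 0 || d.IsDir() {
			return nil // skip symlinks (files or dirs) and plain directories
		}
		switch strings.ToLower(filepath.Ext(p)) {
		case ".yml", ".yaml":
			files = append(files, p)
		}
		return nil
	})
	return files, err
}

// isPinned reports whether every "uses:" reference in the workflow text is
// pinned: a full commit SHA for actions, a sha256 digest for docker:// images.
func isPinned(content []byte) bool {
	sc := bufio.NewScanner(bytes.NewReader(content))
	for sc.Scan() {
		m := usesLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		ref := m[1]
		switch {
		case strings.HasPrefix(ref, "./"):
			continue // local action, nothing to pin
		case strings.HasPrefix(ref, "docker://"):
			if !strings.Contains(ref, "@sha256:") {
				return false // a tag such as :0.2.3 is mutable
			}
		default:
			at := strings.LastIndex(ref, "@")
			if at < 0 || !sha40.MatchString(ref[at+1:]) {
				return false
			}
		}
	}
	return true
}

// checkPath produces the "[PASS] path" / "[FAIL] path" lines from the issue.
func checkPath(path string) ([]string, error) {
	files, err := collectWorkflowFiles(path)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, f := range files {
		b, err := os.ReadFile(f)
		if err != nil {
			return nil, err
		}
		status := "FAIL"
		if isPinned(b) {
			status = "PASS"
		}
		out = append(out, fmt.Sprintf("[%s] %s", status, f))
	}
	return out, nil
}

func main() {
	target := ".github/workflows/" // default matches the issue's example
	if len(os.Args) > 1 {
		target = os.Args[1]
	}
	lines, err := checkPath(target)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan:", err)
		os.Exit(2)
	}
	for _, l := range lines {
		fmt.Println(l)
	}
}
```

Run it as `go run . .github/workflows/` or with a single file argument; `filepath.WalkDir` visits entries in lexical order, so the report is deterministic, and because it never follows symlinks a link to a directory outside the tree cannot pull in unexpected files.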

sethvargo commented 2 years ago

Hi @Dentrax

This gets really complex with authentication, so I would prefer not to support a collection of files. Instead, you can use unix commands like find and xargs to accomplish this:

find . -name '*.yml' -exec ratchet check {} \;

Dentrax commented 2 years ago

Yes, I've tried the same method to scan a directory, but if we want to implement this in CI, things get complicated since our entry point is ratchet in a Docker image. So I want to use the following use-case scenario. Notice that we cannot use the approach you provided above.

# Example of checking all versions under .github/workflows/ are pinned.
      - uses: 'docker://ghcr.io/sethvargo/ratchet:0.2.3'
        with:
          args: 'check .github/workflows/'

We created a simple PR anyway 🤷‍♂️ #29 (@developer-guy)