zgosalvez / github-actions-ensure-sha-pinned-actions

A Github Action to ensure that actions are pinned to full length commit SHAs
https://github.com/marketplace/actions/ensure-sha-pinned-actions
MIT License

Improvement: support composite actions #116

Open MPV opened 11 months ago

MPV commented 11 months ago

Currently this action is hardcoded to only check workflow files: https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/blob/f32435541e24cd6a4700a7f52bb2ec59e80603b1/src/index.js#L14-L15

As "composite" actions can use (uses:) other actions, it would be nice to be able to use this action on them too:

i.e. I'd like this to be caught by this action:

cat action.yml:

name: 'Hello World file creator action'
runs:
  using: "composite"
  steps:
    - uses: actions/checkout@v4 # <---
    - shell: bash
      run: echo "hello world" >> file.txt

MPV commented 11 months ago

While the path may be adjustable using ZG_WORKFLOWS_PATH, there's still a hardcoded *.ya?ml filename (which may include other files than my likely desired action.yml).

MPV commented 11 months ago

Can confirm it doesn't work (as it assumes "jobs" would be required):

Given you have a repo like this:

tree
.
└── my-action
    └── action.yml

2 directories, 1 file

Trying to run it like this:

- name: Ensure SHA pinned actions
  uses: zgosalvez/github-actions-ensure-sha-pinned-actions@f32435541e24cd6a4700a7f52bb2ec59e80603b1 # v2.1.4
  env:
    ZG_WORKFLOWS_PATH: '*'

...gives:

Run zgosalvez/github-actions-ensure-sha-pinned-actions@f32435541e24cd6a4700a7f52bb2ec59e80603b1
  env:
    ZG_WORKFLOWS_PATH: *
Error: The "action.yml" workflow does not contain jobs.
*/action.yml
  No issues were found.
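What the thread is asking for, written out as an added example (not the project's own code from src/index.js): a scanner that applies the same full-length-SHA rule to both workflow files (top-level `jobs:`) and composite action files (`runs.using: composite`), instead of failing on the missing `jobs` key. To stay dependency-free it matches lines with regular expressions rather than parsing YAML; the file classification, the `isPinned` rules for local (`./`) and `docker://` references, and the two sample files are assumptions made for this illustration (the composite sample is a copy of the one in the issue).

```javascript
// Added example: dependency-free SHA-pinning check for workflows AND composite actions.
// Line-based by design so it runs without a YAML library; a production version
// would parse the YAML properly.

const FULL_SHA = /^[0-9a-f]{40}$/;

// Classify a file by its top-level keys: a workflow has `jobs:`,
// a composite action has `runs:` with `using: composite`.
function classifyFile(text) {
  const lines = text.split(/\r?\n/);
  const hasJobs = lines.some((l) => /^jobs:\s*(#.*)?$/.test(l));
  const hasRuns = lines.some((l) => /^runs:\s*(#.*)?$/.test(l));
  const isComposite = lines.some((l) => /^\s+using:\s*['"]?composite['"]?\s*(#.*)?$/.test(l));
  if (hasJobs) return 'workflow';
  if (hasRuns && isComposite) return 'composite-action';
  return 'unknown';
}

// Collect every `uses:` reference together with its 1-based line number.
function extractUses(text) {
  const out = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const m = line.match(/^\s*-?\s*uses:\s*['"]?([^'"\s#]+)/);
    if (m) out.push({ line: i + 1, ref: m[1] });
  });
  return out;
}

// Assumed rules: local actions need no pin, docker images must carry a digest,
// everything else must end in @<40-hex commit SHA>. Tags such as @v4 fail.
function isPinned(ref) {
  if (ref.startsWith('./')) return true;
  if (ref.startsWith('docker://')) return /@sha256:[0-9a-f]{64}$/.test(ref);
  const at = ref.lastIndexOf('@');
  if (at < 0) return false;
  return FULL_SHA.test(ref.slice(at + 1));
}

// Unpinned references, regardless of whether the file is a workflow or an action.
function findUnpinned(text) {
  return extractUses(text).filter((u) => !isPinned(u.ref));
}

// Constructed sample: the composite action from the issue (unpinned @v4 tag).
const SAMPLE_COMPOSITE = `name: 'Hello World file creator action'
runs:
  using: "composite"
  steps:
    - uses: actions/checkout@v4
    - shell: bash
      run: echo "hello world" >> file.txt
`;

// Constructed sample: a workflow using a local action and the SHA-pinned step from the issue.
const SAMPLE_WORKFLOW = `name: CI
on: [push]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: ./my-action
      - name: Ensure SHA pinned actions
        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@f32435541e24cd6a4700a7f52bb2ec59e80603b1 # v2.1.4
`;

// Human-readable report for one file, mirroring the "No issues were found." style.
function report(name, text) {
  const kind = classifyFile(text);
  const bad = findUnpinned(text);
  if (kind === 'unknown') return `${name}: skipped (neither workflow nor composite action)`;
  if (bad.length === 0) return `${name} (${kind}): No issues were found.`;
  return bad.map((u) => `${name}:${u.line} (${kind}): ${u.ref} is not pinned to a full-length commit SHA`).join('\n');
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(report('my-action/action.yml', SAMPLE_COMPOSITE));
  console.log(report('.github/workflows/ci.yml', SAMPLE_WORKFLOW));
}
```

Run with `node scan.js`: the composite action is reported at line 5 for `actions/checkout@v4`, while the workflow passes because its only external reference carries a 40-character SHA and `./my-action` is local.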

pfuhrmann commented 5 months ago

We also wish this would work for composite actions. We have plenty of them and currently, with this action, they are not checked which largely defeats the purpose.