Feat: Implement repo and PR check for SHA pinned actions/workflows #194

Open: wants to merge 1 commit into base: main
Conversation

@ModeSevenIndustrialSolutions (Contributor) commented Oct 23, 2024

Tested here:
https://github.com/ModeSevenIndustrialSolutions/test-gradle-build/actions
On raising a new PR, it runs and checks against just the pull request contents.
Can run on demand with workflow_dispatch, where it checks the entire repository.
Can be set to be mandatory, preventing standard version pins from being merged.

@ModeSevenIndustrialSolutions ModeSevenIndustrialSolutions force-pushed the action-sha-pin-validation branch 3 times, most recently from a90de69 to 8b7ec79 Compare October 24, 2024 14:41
@ModeSevenIndustrialSolutions ModeSevenIndustrialSolutions marked this pull request as draft October 25, 2024 12:34
@tykeal (Member) previously approved these changes Dec 6, 2024 and left a comment:

Looks good to me.

@ModeSevenIndustrialSolutions (Contributor, Author) commented:

Tested extensively here:
https://github.com/os-climate/osc-github-devops/actions/runs/12259920677/job/34203261143
Previously, I could not prevent the action from testing all workflows, it was all or nothing. I have had to fetch a list of files changed in the pull request, then rename the file extensions of actions/workflows that are not present in the pull request modified list, effectively excluding them from processing. When invoked using workflow_dispatch, this workflow will still provide feedback on the entire repository, which is useful for evaluating our overall posture.
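The check described in this thread, as an added example that is not the PR's own code: it flags every remote `uses:` reference that is not pinned to a full 40-hex commit SHA, and restricts the file set to the pull request's changed files by path filtering rather than the extension-renaming trick above. The sample workflow, its SHA and the helper names are constructed for illustration.

```python
import re

# A full-length Git commit SHA: exactly 40 hex digits (short SHAs do not count as pinned).
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Captures the reference on a `uses:` line; surrounding quotes and trailing comments are dropped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)['\"]?")

def classify_uses(ref):
    """Return 'pinned', 'unpinned' or 'skipped' for one `uses:` reference."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return "skipped"        # local actions and docker images carry no git ref to pin
    if "@" not in ref:
        return "unpinned"       # remote action or reusable workflow with no ref at all
    _, _, version = ref.rpartition("@")
    return "pinned" if SHA_RE.match(version) else "unpinned"

def find_unpinned(yaml_text):
    """Return (line_no, ref) for every remote reference not pinned to a 40-hex SHA."""
    findings = []
    for line_no, line in enumerate(yaml_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify_uses(m.group(1)) == "unpinned":
            findings.append((line_no, m.group(1)))
    return findings

def files_to_check(workflow_files, changed_files, event_name):
    """Pull requests check only the changed workflow/action files; workflow_dispatch checks all."""
    if event_name == "workflow_dispatch":
        return sorted(workflow_files)
    return sorted(set(workflow_files) & set(changed_files))

# Constructed sample workflow (hypothetical action names and SHA), not from the PR under discussion.
SAMPLE_WORKFLOW = """\
name: build
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (constructed SHA)
      - uses: "actions/setup-python@v5"
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: octo-org/reusable/.github/workflows/ci.yml@main
"""

if __name__ == "__main__":
    for line_no, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is not pinned to a full commit SHA")
```

Making the check mandatory is then a matter of exiting non-zero when `find_unpinned` returns anything for a file selected by `files_to_check`.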
