Merge pull request #33 from Expensify/Rory-ValidateGitHubActions

Check for unsafe action references in GitHub Actions

Author: roryabraham

.github/actionlint.yml

@@ -0,0 +1,19 @@
+# This file contains the config for actionlint.
+# See https://github.com/rhysd/actionlint/blob/main/docs/config.md
+#
+# Primarily, we use this config to define some large runners that are not registered in actionlint
+self-hosted-runner:
+  labels:
+    - ubuntu-latest-xl
+    - macos-15-large
+    - macos-15-xlarge
+    - macos-12
+    - ubuntu-24.04-v4
+
+paths:
+  '**/*':
+    ignore:
+      # This is meant to be a temporary workaround for a bug in actionlint. Upstream:
+      #    - issue: https://github.com/rhysd/actionlint/issues/511
+      #    - PR: https://github.com/rhysd/actionlint/pull/513
+      - '"env" is not allowed in "runs" section because .* is a Composite action.*'

.github/scripts/actionlint.sh

@@ -0,0 +1,89 @@
+#!/bin/bash
+#################################################################
+#    Lint workflows with https://github.com/rhysd/actionlint    #
+#################################################################
+
+# Verify that shellcheck is installed (preinstalled on GitHub Actions runners)
+if ! command -v shellcheck &>/dev/null; then
+    error "This script requires shellcheck. Please install it and try again"
+    exit 1
+fi
+
+SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &> /dev/null && pwd)"
+readonly SCRIPT_DIR
+
+# To update the actionlint version, replace this file with the updated checksums file from the GitHub release
+readonly CHECKSUMS_FILE="$SCRIPT_DIR/actionlint_checksums.txt"
+readonly ACTIONLINT_PATH="$SCRIPT_DIR/actionlint"
+
+source "$SCRIPT_DIR/shellUtils.sh"
+
+title "Lint Github Actions via actionlint (https://github.com/rhysd/actionlint)"
+
+# Get the actionlint tarball name from the checksums file, used both for downloading and verifying checksums
+OS="$(uname)"
+ARCH="$(uname -m)"
+readonly OS ARCH
+OS_ARCH=""
+if [[ "$OS" == "Darwin" && "$ARCH" == "arm64" ]]; then
+    OS_ARCH="darwin_arm64"
+elif [[ "$OS" == "Linux" && "$ARCH" == "x86_64" ]]; then
+    OS_ARCH="linux_amd64"
+elif [[ "$OS" == "Linux" && "$ARCH" == "aarch64" ]]; then
+    OS_ARCH="linux_arm64"
+else
+    error "Unknown architecture, unable to get actionlint tarball name" >&2
+    exit 1
+fi
+readonly OS_ARCH
+TARBALL_NAME="$(grep "$OS_ARCH" "$CHECKSUMS_FILE" | awk '{print $2}')"
+readonly TARBALL_NAME
+
+# Get the expected version and checksum of actionlint binary
+EXPECTED_VERSION="$(echo "$TARBALL_NAME" | grep -oE "actionlint_[0-9\.]+_" | awk -F_ '{print $2}')"
+EXPECTED_CHECKSUM="$(grep "$TARBALL_NAME" "$CHECKSUMS_FILE" | awk '{print $1}')"
+readonly EXPECTED_VERSION EXPECTED_CHECKSUM
+
+# Get actionlint binary
+if [[ -x "$ACTIONLINT_PATH" && "$EXPECTED_VERSION" == "$("$ACTIONLINT_PATH" -version | head -n 1)" ]]; then
+    info "Found actionlint version $EXPECTED_VERSION already installed" >&2
+else
+    info "Downloading and verifying actionlint verion $EXPECTED_VERSION..." >&2
+
+    readonly TARBALL="$SCRIPT_DIR/actionlint.tar.gz"
+    if ! curl -sL "https://github.com/rhysd/actionlint/releases/download/v${EXPECTED_VERSION}/${TARBALL_NAME}" -o "$TARBALL"; then
+        error "Unable to download actionlint binary"
+        exit 1
+    fi
+
+    # Ensure tarball is cleaned up
+    trap 'rm -f "$TARBALL"' EXIT
+    ACTUAL_CHECKSUM="$(sha256sum "$TARBALL" | awk '{print $1}')"
+    readonly ACTUAL_CHECKSUM
+
+    if [[ "$ACTUAL_CHECKSUM" != "$EXPECTED_CHECKSUM" ]] ; then
+        error "Checksums did not match, expected $EXPECTED_CHECKSUM, got $ACTUAL_CHECKSUM" >&2
+        exit 1
+    fi
+
+    readonly TMPDIR="${SCRIPT_DIR}/actionlint-${EXPECTED_VERSION}"
+    mkdir -p "$TMPDIR"
+
+    # It's only possible to have one exit trap, so we have to update to include both items we wish to remove
+    trap 'rm -rf "$TMPDIR" "$TARBALL"' EXIT
+    tar -C "$TMPDIR" -xzf "$TARBALL"
+    mv "$TMPDIR/actionlint" "$SCRIPT_DIR/actionlint"
+
+    INSTALLED_VERSION="$("$SCRIPT_DIR/actionlint" -version | head -n 1)"
+    readonly INSTALLED_VERSION
+    info "Successfully installed actionlint version $INSTALLED_VERSION" >&2
+fi
+
+info "Linting workflows..."
+echo
+if ! "$SCRIPT_DIR/actionlint" -color; then
+    error "Workflows did not pass actionlint :("
+    exit 1
+fi
+
+success "Workflows passed actionlint!"

.github/scripts/actionlint_checksums.txt

@@ -0,0 +1,11 @@
+28e5de5a05fc558474f638323d736d822fff183d2d492f0aecb2b73cc44584f5  actionlint_1.7.7_darwin_amd64.tar.gz
+2693315b9093aeacb4ebd91a993fea54fc215057bf0da2659056b4bc033873db  actionlint_1.7.7_darwin_arm64.tar.gz
+a6ee742126aa632b32009bdd6f820e0274c5b24536dc302a9574118378ee92f4  actionlint_1.7.7_freebsd_386.tar.gz
+f6eec0e5efd17183a954f0d88280885b7a58f39808050cdfcd7f068fc1734bc8  actionlint_1.7.7_freebsd_amd64.tar.gz
+01d4c173f411aeecf670d5219c008e07bf11539cf1181fdeee0cdb0eb8244aac  actionlint_1.7.7_linux_386.tar.gz
+023070a287cd8cccd71515fedc843f1985bf96c436b7effaecce67290e7e0757  actionlint_1.7.7_linux_amd64.tar.gz
+401942f9c24ed71e4fe71b76c7d638f66d8633575c4016efd2977ce7c28317d0  actionlint_1.7.7_linux_arm64.tar.gz
+82e98d7252341b83fa557764824f225fa50431801b8e3d8e99f70dc1efc317b2  actionlint_1.7.7_linux_armv6.tar.gz
+66de2b65bcee17de1866287a513cadf47d812229e976e99024e9757645258adb  actionlint_1.7.7_windows_386.zip
+7f12f1801bca3d480d67aaf7774f4c2a6359a3ca8eebe382c95c10c9704aa731  actionlint_1.7.7_windows_amd64.zip
+76e9514cfac18e5677aa04f3a89873c981f16a2f2353bb97372a86cd09b1f5a8  actionlint_1.7.7_windows_arm64.zip

.github/scripts/shellCheck.sh

@@ -1,48 +1,34 @@
 #!/bin/bash
 
-CURRENT_DIR=$(pwd)
-ROOT_DIR="$(dirname "$(dirname "$(dirname "$(realpath "${BASH_SOURCE[0]}")")")")"
+ROOT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")/../.." &>/dev/null && pwd)
+readonly ROOT_DIR
 
-cd "$ROOT_DIR" || exit 1
+source "$ROOT_DIR"/.github/scripts/shellUtils.sh
 
-source ./.github/scripts/shellUtils.sh
-
-declare -r DIRECTORIES_TO_IGNORE=(
-  './node_modules'
-  './vendor'
-  './ios/Pods'
-  './.husky'
-)
+readonly DIRECTORIES_TO_IGNORE="
+-path $ROOT_DIR/node_modules
+-o -path $ROOT_DIR/vendor
+-o -path $ROOT_DIR/ios/Pods
+-o -path $ROOT_DIR/.husky"
 
 # This lists all shell scripts in this repo except those in directories we want to ignore
-read -ra IGNORE_DIRS < <(join_by_string ' -o -path ' "${DIRECTORIES_TO_IGNORE[@]}")
-SHELL_SCRIPTS=$(find . -type d \( -path "${IGNORE_DIRS[@]}" \) -prune -o -name '*.sh' -print)
-info "👀 Linting the following shell scripts using ShellCheck: $SHELL_SCRIPTS"
-info
-
-ASYNC_PROCESSES=()
-for SHELL_SCRIPT in $SHELL_SCRIPTS; do
-  if [[ "$CI" == 'true' ]]; then
-    # ShellCheck is installed by default on GitHub Actions ubuntu runners
-    shellcheck -e SC1091 "$SHELL_SCRIPT" &
-  else
-    # Otherwise shellcheck is used via npx
-    npx shellcheck -e SC1091 "$SHELL_SCRIPT" &
-  fi
-  ASYNC_PROCESSES+=($!)
-done
+# Note: `-print` is required to prevent pruned directories from being printed
+# shellcheck disable=SC2086
+SHELL_SCRIPTS="$(find "$ROOT_DIR" -type d \( $DIRECTORIES_TO_IGNORE \) -prune -o -name '*.sh' -print)"
+info "👀 Linting the following shell scripts using ShellCheck:"
+echo "$SHELL_SCRIPTS"
+echo
 
 EXIT_CODE=0
-for PID in "${ASYNC_PROCESSES[@]}"; do
-  if ! wait "$PID"; then
-    EXIT_CODE=1
-  fi
+for SHELL_SCRIPT in $SHELL_SCRIPTS; do
+    if ! shellcheck -e SC1091 "$SHELL_SCRIPT"; then
+        EXIT_CODE=1
+    fi
 done
 
-cd "$CURRENT_DIR" || exit 1
-
-if [ $EXIT_CODE == 0 ]; then
-  success "ShellCheck passed for all files!"
+if [[ $EXIT_CODE -ne 0 ]]; then
+    error "ShellCheck failed for one or more files"
+    exit $EXIT_CODE
 fi
 
-exit $EXIT_CODE
+success "ShellCheck passed for all files!"

.github/scripts/shellUtils.sh

@@ -2,123 +2,41 @@
 
 # Check if GREEN has already been defined
 if [ -z "${GREEN+x}" ]; then
-  declare -r GREEN=$'\e[1;32m'
+    declare -r GREEN=$'\e[1;32m'
 fi
 
 # Check if RED has already been defined
 if [ -z "${RED+x}" ]; then
-  declare -r RED=$'\e[1;31m'
+    declare -r RED=$'\e[1;31m'
 fi
 
 # Check if BLUE has already been defined
 if [ -z "${BLUE+x}" ]; then
-  declare -r BLUE=$'\e[1;34m'
+    declare -r BLUE=$'\e[1;34m'
 fi
 
 # Check if TITLE has already been defined
 if [ -z "${TITLE+x}" ]; then
-  declare -r TITLE=$'\e[1;4;34m'
+    declare -r TITLE=$'\e[1;4;34m'
 fi
 
 # Check if RESET has already been defined
 if [ -z "${RESET+x}" ]; then
-  declare -r RESET=$'\e[0m'
+    declare -r RESET=$'\e[0m'
 fi
 
 function success {
-  echo "🎉 $GREEN$1$RESET"
+    echo "🎉 $GREEN$1$RESET"
 }
 
 function error {
-  echo "💥 $RED$1$RESET"
+    echo "💥 $RED$1$RESET"
 }
 
 function info {
-  echo "$BLUE$1$RESET"
+    echo "$BLUE$1$RESET"
 }
 
 function title {
-  printf "\n%s%s%s\n" "$TITLE" "$1" "$RESET"
-}
-
-# Function to clear the last printed line
-clear_last_line() {
-  echo -ne "\033[1A\033[K"
-}
-
-function assert_equal {
-  if [[ "$1" != "$2" ]]; then
-    error "Assertion failed: $1 is not equal to $2"
-    exit 1
-  else
-    success "Assertion passed: $1 is equal to $1"
-  fi
-}
-
-# Usage: join_by_string <delimiter> ...strings
-# example: join_by_string ' + ' 'string 1' 'string 2'
-# example: join_by_string ',' "${ARRAY_OF_STRINGS[@]}"
-function join_by_string {
-  local separator="$1"
-  shift
-  local first="$1"
-  shift
-  printf "%s" "$first" "${@/#/$separator}"
-}
-
-# Usage: get_abs_path <path>
-# Will make a path absolute, resolving any relative paths
-# example: get_abs_path "./foo/bar"
-get_abs_path() {
-    local the_path=$1
-    local -a path_elements
-    IFS='/' read -ra path_elements <<< "$the_path"
-
-    # If the path is already absolute, start with an empty string.
-    # We'll prepend the / later when reconstructing the path.
-    if [[ "$the_path" = /* ]]; then
-        abs_path=""
-    else
-        abs_path="$(pwd)"
-    fi
-
-    # Handle each path element
-    for element in "${path_elements[@]}"; do
-        if [ "$element" = "." ] || [ -z "$element" ]; then
-            continue
-        elif [ "$element" = ".." ]; then
-            # Remove the last element from abs_path
-            abs_path=$(dirname "$abs_path")
-        else
-            # Append element to the absolute path
-            abs_path="${abs_path}/${element}"
-        fi
-    done
-
-    # Remove any trailing '/'
-    while [[ $abs_path == */ ]]; do
-        abs_path=${abs_path%/}
-    done
-
-    # Special case for root
-    [ -z "$abs_path" ] && abs_path="/"
-
-    # Special case to remove any starting '//' when the input path was absolute
-    abs_path=${abs_path/#\/\//\/}
-
-    echo "$abs_path"
-}
-
-# Function to read lines from standard input into an array using a temporary file.
-# This is a bash 3 polyfill for readarray.
-# Arguments:
-#   $1: Name of the array variable to store the lines
-# Usage:
-#   read_lines_into_array array_name
-read_lines_into_array() {
-  local array_name="$1"
-  local line
-  while IFS= read -r line || [ -n "$line" ]; do
-    eval "$array_name+=(\"$line\")"
-  done
+    printf "\n%s%s%s\n" "$TITLE" "$1" "$RESET"
 }