
Commit cdd2a82

authored
feat(gateway): Test for blocked subactions (#279)
Composite Actions can have sub-actions that also need to satisfy our allow list, but we currently don't have a way to check this. #276 #135 This 'runs' the dummy job but doesn't run any of the actions; this means the runner will download all actions, and in that process any new/changed sub-actions would trigger the allow list.
1 parent 642e99e commit cdd2a82


2 files changed

+139
-3
lines changed


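--- a/gateway/gateway.py
+++ b/gateway/gateway.py
@@ -131,10 +131,17 @@ def generate_workflow(actions: ActionsYAML) -> str:
 
 on:
 workflow_dispatch:
+pull_request:
+paths:
+- .github/workflows/dummy.yml
+push:
+paths:
+- .github/workflows/dummy.yml
+
+permissions: {}
 
 jobs:
 dummy:
-if: false
 runs-on: ubuntu-latest
 steps:
 """
@@ -154,8 +161,9 @@ def is_updatable(ref):
 ref = ref_to_update[0]
 details = refs[ref]
 steps.append(f" - uses: {name}@{ref}" + (f" # {details['tag']}" if 'tag' in details else ''))
+steps.append( " if: false")
 
-return header + "\n".join(steps) + "\n"
+return header + "\n".join(steps) + "\n" + " - run: echo Success!\n"
 
 
 def update_refs(
@@ -172,7 +180,12 @@ def update_refs(
 ActionsYAML: Updated action references
 """
 for step in dummy_steps:
-name, new_ref = step["uses"].split("@")
+uses = step.get("uses", None)
+if uses is None:
+# The last step is - run:
+continue
+
+name, new_ref = uses.split("@")
 new_tag = None
 if hasattr(step, 'ca') and 'uses' in step.ca.items:
 new_tag = step.ca.items['uses'][2].value[1:].strip()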
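Review bot: Nothing visible pins the per-step `if: false` that new line 164 appends, and with the job-level `if: false` dropped in the first hunk it is now the only thing that keeps the listed third-party actions from executing when the workflow fires on `pull_request` or `push`. The loop that builds `steps` begins outside the hunk, so whether every path that appends a `uses` line also appends the guard cannot be confirmed from here. A test asserting that each `uses` entry in the `generate_workflow` output is followed by `if: false` would catch a regression. I would also document the intent at the append, e.g. `# Never execute the action: the job exists only so the runner resolves and downloads it (and its sub-actions).`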

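--- a/gateway/test_dummy.yml
+++ b/gateway/test_dummy.yml
@@ -9,124 +9,247 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: 1Password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0
+if: false
 - uses: ana06/get-changed-files@v2.3.0
+if: false
 - uses: DavidAnson/markdownlint-cli2-action@b4c9feab76d8025d1e83c653fa3990936df0e6c8 # v16
+if: false
 - uses: JamesIves/github-pages-deploy-action@881db5376404c5c8d621010bcbec0310b58d5e29 # v4.6.8
+if: false
 - uses: JustinBeckwith/linkinator-action@3d5ba091319fa7b0ac14703761eebb7d100e6f6d
+if: false
 - uses: JustinBeckwith/linkinator-action@v1.11.0
+if: false
 - uses: Kesin11/actions-timeline@427ee2cf860166e404d0d69b4f2b24012bb7af4f
+if: false
 - uses: Madrapps/jacoco-report@fd4800e8a81e21bdf373438e5918b975df041d15
+if: false
 - uses: VirtusLab/scala-cli-setup@ca54569bf13a29cd648721038a89c47c7921c060
+if: false
 - uses: VirtusLab/scala-cli-setup@6fc878be89f1990f6599f4f6a2e52a252e54d9f9
+if: false
 - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b
+if: false
 - uses: actions/setup-go@v5
+if: false
 - uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185
+if: false
 - uses: addnab/docker-run-action@v3
+if: false
 - uses: amondnet/vercel-action@225d234cfe5340ca1f9a6cd158338126b5b6845f
+if: false
 - uses: amondnet/vercel-action@v25.1.1
+if: false
 - uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722
+if: false
 - uses: aws-actions/configure-aws-credentials@v4.1.0
+if: false
 - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78
+if: false
 - uses: azure/setup-helm@v3
+if: false
 - uses: betahuhn/repo-file-sync-action@8b92be3375cf1d1b0cd579af488a9255572e4619
+if: false
 - uses: betahuhn/repo-file-sync-action@v1
+if: false
 - uses: bnjbvr/cargo-machete@5eaad10acf89fb0c6a31d9b197a2d48ba762d28e
+if: false
 - uses: bnjbvr/cargo-machete@v0.7.0
+if: false
 - uses: browser-actions/setup-firefox@5b19b18df8c293aae9e77f0a936e9fdc358f543a
+if: false
 - uses: browser-actions/setup-firefox@v1
+if: false
 - uses: browser-actions/setup-geckodriver@5ef1526ed36211ab6cb531ec1cfb11f924ca2dee
+if: false
 - uses: burnett01/rsync-deployments@0dc935cdecc5f5e571865e60d2a6cdc673704823
+if: false
 - uses: burnett01/rsync-deployments@5.2
+if: false
 - uses: carloscastrojumo/github-cherry-pick-action@a145da1b8142e752d3cbc11aaaa46a535690f0c5
+if: false
 - uses: carloscastrojumo/github-cherry-pick-action@v1.0.9
+if: false
 - uses: carloscastrojumo/github-cherry-pick-action@503773289f4a459069c832dc628826685b75b4b3
+if: false
 - uses: carloscastrojumo/github-cherry-pick-action@v1.0.10
+if: false
 - uses: commit-check/commit-check-action@8d507e12899a9feb405c3ed546252ff9508724e0
+if: false
 - uses: coursier/cache-action@4e2615869d13561d626ed48655e1a39e5b192b3c
+if: false
 - uses: coursier/setup-action@039f736548afa5411c1382f40a5bd9c2d30e0383
+if: false
 - uses: cpp-linter/cpp-linter-action@e3fcb174b19d50de4eae1b46896698a1dd48b094
+if: false
 - uses: cpp-linter/cpp-linter-action@v2.13.3
+if: false
 - uses: crazy-max/ghaction-import-gpg@111c56156bcc6918c056dbef52164cfa583dc549
+if: false
 - uses: crazy-max/ghaction-setup-docker@b60f85385d03ac8acfca6d9996982511d8620a19
+if: false
 - uses: crazy-max/ghaction-setup-docker@v4
+if: false
 - uses: damccorm/tag-ur-it@6fa72bbf1a2ea157b533d7e7abeafdb5855dbea5
+if: false
 - uses: dawidd6/action-send-mail@4226df7daafa6fc901a43789c49bf7ab309066e7
+if: false
 - uses: dawidd6/action-send-mail@v3
+if: false
 - uses: docker://jekyll/jekyll@sha256:400b8d1569f118bca8a3a09a25f32803b00a55d1ea241feaf5f904d66ca9c625
+if: false
 - uses: docker://jekyll/jekyll@*
+if: false
 - uses: dominikh/staticcheck-action@4ec9a0dff54be2642bc76581598ba433fd8d4967
+if: false
 - uses: dominikh/staticcheck-action@v1.1.0
+if: false
 - uses: dorny/paths-filter@v3.0.2
+if: false
 - uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a
+if: false
 - uses: graalvm/setup-graalvm@01ed653ac833fe80569f1ef9f25585ba2811baab
+if: false
 - uses: graalvm/setup-graalvm@v1
+if: false
 - uses: gradle/wrapper-validation-action@v3.5.0
+if: false
 - uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183
+if: false
 - uses: hadolint/hadolint-action@v2.1.0
+if: false
 - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd
+if: false
 - uses: hashicorp/setup-terraform@v3
+if: false
 - uses: helm/chart-releaser-action@fc23f249f75decd5edf254c6b4401532cef093c3
+if: false
 - uses: helm/chart-releaser-action@v1.4.0
+if: false
 - uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992
+if: false
 - uses: helm/chart-testing-action@v2.6.1
+if: false
 - uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b
+if: false
 - uses: helm/chart-testing-action@v2.7.0
+if: false
 - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde
+if: false
 - uses: helm/kind-action@v1.10.0
+if: false
 - uses: ilammy/setup-nasm@e77cc62a22a374a4d0668286007cc3e3b4c17760
+if: false
 - uses: ilammy/setup-nasm@v1
+if: false
 - uses: jasonetco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5
+if: false
 - uses: jasonetco/create-an-issue@v2
+if: false
 - uses: jrouly/scalafmt-native-action@14620cde093e5ff6bfbbecd4f638370024287b9d
+if: false
 - uses: jwgmeligmeyling/pmd-github-action@322e346bd76a0757c4d54ff9209e245965aa066d
+if: false
 - uses: korandoru/setup-zig@92b649f4723a14798d8b3cf3b6168edb65d5b04e
+if: false
 - uses: korandoru/setup-zig@v1
+if: false
 - uses: leafo/gh-actions-luarocks@e65774a6386cb4f24e293dca7fc4ff89165b64c5
+if: false
 - uses: ludeeus/action-shellcheck@1.1.0
+if: false
 - uses: ludeeus/action-shellcheck@94e0aab03ca135d11a35e5bfc14e6746dc56e7e9
+if: false
 - uses: manusa/actions-setup-minikube@b589f2d61bf96695c546929c72b38563e856059d
+if: false
 - uses: mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd
+if: false
 - uses: mozilla-actions/sccache-action@v0.0.4
+if: false
 - uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad
+if: false
 - uses: mozilla-actions/sccache-action@v0.0.9
+if: false
 - uses: mukunku/tag-exists-action@bdad1eaa119ce71b150b952c97351c75025c06a9
+if: false
 - uses: mukunku/tag-exists-action@v1.6.0
+if: false
 - uses: ncipollo/release-action@1e3e9c6637e5566e185b7ab66f187539c5a76da7
+if: false
 - uses: neofinancial/ticket-check-action@609d901d5130a4bbd7d9f62931082ed67f855891
+if: false
 - uses: neofinancial/ticket-check-action@v2.0.0
+if: false
 - uses: nwtgck/actions-netlify@ac1cb16858bada08a9c71a81240a85cfc3f72913
+if: false
 - uses: nwtgck/actions-netlify@v1.2
+if: false
 - uses: opentofu/setup-opentofu@592200bd4b9bbf4772ace78f887668b1aee8f716
+if: false
 - uses: opentofu/setup-opentofu@v1
+if: false
 - uses: orhun/git-cliff-action@4a4a951bc43fafe41cd2348d181853f52356bee7
+if: false
 - uses: orhun/git-cliff-action@v4
+if: false
 - uses: packetcoders/action-setup-cache-python-poetry@a3f2e6ed12462e038bc14270d139e373bf5ac564
+if: false
 - uses: packetcoders/action-setup-cache-python-poetry@v1.1.0
+if: false
 - uses: pdm-project/setup-pdm@483717a073bdef51804a58dac17d043a4183c384
+if: false
 - uses: pdm-project/setup-pdm@v4
+if: false
 - uses: peter-evans/close-issue@1373cadf1f0c96c1420bc000cfba2273ea307fd1
+if: false
 - uses: peter-evans/close-issue@v2
+if: false
 - uses: peter-evans/create-or-update-comment@c9fcb64660bc90ec1cc535646af190c992007c32
+if: false
 - uses: phoenix-actions/test-reporting@f957cd93fc2d848d556fa0d03c57bc79127b6b5e
+if: false
 - uses: phoenix-actions/test-reporting@v15
+if: false
 - uses: pmd/pmd-github-action@967a81f8b657c87f7c3e96b62301cb1a48efef29
+if: false
 - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd
+if: false
 - uses: pre-commit/action@v3.0.1
+if: false
 - uses: pypa/cibuildwheel@0f04e96e2f58e63b8b03886c1db16a507f2199bf
+if: false
 - uses: pypa/cibuildwheel@v2.12.0
+if: false
 - uses: sbt/setup-sbt@26ab4b0fa1c47fa62fc1f6e51823a658fb6c760c
+if: false
 - uses: scacap/action-surefire-report@1a128e49c0585bc0b8e38e541ac3b6e35a5bc727
+if: false
 - uses: scala-steward-org/scala-steward-action@5021652c555c5724af574758b78ea5be49640007
+if: false
 - uses: scalacenter/sbt-dependency-submission@64084844d2b0a9b6c3765f33acde2fbe3f5ae7d3
+if: false
 - uses: seanmiddleditch/gha-setup-ninja@8b297075da4cd2a5f1fd21fe011b499edf06e9d2
+if: false
 - uses: seanmiddleditch/gha-setup-ninja@v4
+if: false
 - uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a
+if: false
 - uses: snok/install-poetry@v1
+if: false
 - uses: untitaker/hyperlink@0.1.21
+if: false
 - uses: untitaker/hyperlink@d277930ba480c61cd3dd1a0caf0d18acfed294a6
+if: false
 - uses: uraimo/run-on-arch-action@ac33288c3728ca72563c97b8b88dda5a65a84448
+if: false
 - uses: uraimo/run-on-arch-action@v2
+if: false
 - uses: vimtor/action-zip@5f1c4aa587ea41db1110df6a99981dbe19cee310
+if: false
 - uses: vimtor/action-zip@v1
+if: false
 - uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d
+if: false
 - uses: slackapi/slack-github-action@v2.0.0
+if: false
+- run: Success!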
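Review bot: The final step added at new line 255 is `- run: Success!`, but `generate_workflow` in gateway/gateway.py now emits `- run: echo Success!`, so the fixture and the generator disagree. Any test that compares generated output with this file would fail on that line, and as a shell command `Success!` would not run if the fixture were ever executed. I would change the line to `- run: echo Success!` so the fixture mirrors what the gateway really writes.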
