Skip to content

feat: prevent versioned 3P GitHub actions in PR builds #1305

feat: prevent versioned 3P GitHub actions in PR builds

feat: prevent versioned 3P GitHub actions in PR builds #1305

Workflow file for this run

name: PR Build
on:
workflow_dispatch:
pull_request:
branches:
- main
jobs:
static-code-checks:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
- name: Check for versioned GitHub actions
if: always()
run: |
# Get changed GitHub workflow/action files
CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}..HEAD | grep -E "^\.github/(workflows|actions)/.*\.ya?ml$" || true)
if [ -n "$CHANGED_FILES" ]; then
# Check for any versioned actions, excluding comments and this validation script
VIOLATIONS=$(grep -Hn "uses:.*@v" $CHANGED_FILES | grep -v "grep.*uses:.*@v" | grep -v "#.*@v" || true)
if [ -n "$VIOLATIONS" ]; then
echo "Found versioned GitHub actions. Use commit SHAs instead:"
echo "$VIOLATIONS"
exit 1
fi
fi
echo "No versioned actions found in changed files"
build:
name: Gradle Build
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
with:
java-version: 11
distribution: corretto
- name: Setup Gradle
uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a #4.4.3
- name: Build with Gradle
run: ./gradlew build
all-pr-checks-pass:
runs-on: ubuntu-latest
needs: [build, static-code-checks]
if: always()
steps:
- name: Checkout to get workflow file
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
- name: Check all jobs succeeded and none missing
run: |
# Check if all needed jobs succeeded
results='${{ toJSON(needs) }}'
if echo "$results" | jq -r '.[] | .result' | grep -v success; then
echo "Some jobs failed"
exit 1
fi
# Extract all job names from workflow (excluding this gate job)
all_jobs=$(yq eval '.jobs | keys | .[]' .github/workflows/pr-build.yml | grep -v "all-pr-checks-pass" | sort)
# Extract job names from needs array
needed_jobs='${{ toJSON(needs) }}'
needs_list=$(echo "$needed_jobs" | jq -r 'keys[]' | sort)
# Check if any jobs are missing from needs
missing_jobs=$(comm -23 <(echo "$all_jobs") <(echo "$needs_list"))
if [ -n "$missing_jobs" ]; then
echo "ERROR: Jobs missing from needs array in all-pr-checks-pass:"
echo "$missing_jobs"
echo "Please add these jobs to the needs array of all-pr-checks-pass"
exit 1
fi
echo "All checks passed and no jobs missing from gate!"