GarrettBeatty
Contributor
@GarrettBeatty GarrettBeatty commented Apr 4, 2025

Issue #, if available: DOTNET-8045

Description of changes:
Update workflows to be pinned to SHA. This follows the best practices described at https://www.stepsecurity.io/blog/pinning-github-actions-for-enhanced-security-a-complete-guide#:~:text=Action%20pinning%20with%20specific%20commit,point%20to%20different%20code%20versions

Created 2 scripts to update everything

Convert tag to commit

# Requires GitHub CLI to be installed and authenticated

function Convert-TagToCommit {
    param (
        [string]$owner,
        [string]$repo,
        [string]$tag
    )

    try {
        $result = gh api "repos/$owner/$repo/git/refs/tags/$tag" | ConvertFrom-Json
        $sha = $result.object.sha
        # An annotated tag ref points at a tag object, not at a commit;
        # peel it so the workflow is pinned to the commit SHA
        if ($result.object.type -eq 'tag') {
            $tagObject = gh api "repos/$owner/$repo/git/tags/$sha" | ConvertFrom-Json
            $sha = $tagObject.object.sha
        }
        return $sha
    }
    catch {
        Write-Warning "Could not resolve tag $tag for $owner/$repo"
        return $null
    }
}

# Get all workflow files (GitHub accepts both .yml and .yaml)
$workflowFiles = Get-ChildItem -Path ".github/workflows" -Include "*.yml", "*.yaml" -Recurse

foreach ($file in $workflowFiles) {
    $content = Get-Content $file.FullName -Raw
    $modified = $false

    # Match "uses: owner/repo[/subpath]@tag". The optional subpath covers actions such as
    # github/codeql-action/init; only owner/repo is used for the API lookup.
    # The trailing lookahead stops "@v4" from matching the start of "@v4.1.0".
    $regex = 'uses:\s+([\w.-]+)/([\w.-]+)((?:/[\w./-]+)?)@(v?\d+(?:\.\d+){0,2})(?![\w.-])'

    # $matches is a PowerShell automatic variable, so use a different name
    $actionMatches = [regex]::Matches($content, $regex)

    foreach ($match in $actionMatches) {
        $owner = $match.Groups[1].Value
        $repo = $match.Groups[2].Value
        $path = $match.Groups[3].Value
        $tag = $match.Groups[4].Value

        Write-Host "Found action: $owner/$repo$path@$tag"

        $commitSha = Convert-TagToCommit -owner $owner -repo $repo -tag $tag

        if ($commitSha) {
            Write-Host "Updating $owner/$repo$path@$tag to $commitSha"
            # Anchor the replacement so "actions/checkout@v4" does not also rewrite "actions/checkout@v4.1.0"
            $pattern = [regex]::Escape("$owner/$repo$path@$tag") + '(?![\w.-])'
            $content = [regex]::Replace($content, $pattern, "$owner/$repo$path@$commitSha")
            $modified = $true
        }
    }

    if ($modified) {
        Write-Host "Writing changes to $($file.FullName)"
        $content | Set-Content $file.FullName -NoNewline
    }
}

Add comment to the action

# Requires GitHub CLI to be installed and authenticated

function Get-ActionVersion {
    param (
        [string]$owner,
        [string]$repo,
        [string]$sha
    )

    try {
        # Find the tag that points to this commit. The tags endpoint returns the peeled
        # commit SHA even for annotated tags; per_page=100 avoids missing tags on
        # repositories with more than the default 30 results
        $tags = gh api "repos/$owner/$repo/tags?per_page=100" | ConvertFrom-Json
        $matchingTag = $tags | Where-Object { $_.commit.sha.StartsWith($sha) } | Select-Object -First 1

        if ($matchingTag) {
            return $matchingTag.name
        }

        return "unknown-version"
    }
    catch {
        Write-Warning "Could not determine version for $owner/$repo@$sha"
        return "unknown-version"
    }
}

# Get all workflow files (GitHub accepts both .yml and .yaml)
$workflowFiles = Get-ChildItem -Path ".github/workflows" -Include "*.yml", "*.yaml" -Recurse

foreach ($file in $workflowFiles) {
    # @() keeps a one-line file as an array instead of a single string
    $content = @(Get-Content $file.FullName)
    $modified = $false

    # Match "uses: owner/repo[/subpath]@sha" (full 40-hex or abbreviated 7-hex SHA)
    $regex = 'uses:\s+([\w.-]+)/([\w.-]+)(?:/[\w./-]+)?@([0-9a-f]{40}|[0-9a-f]{7})\b'

    for ($i = 0; $i -lt $content.Count; $i++) {
        $line = $content[$i]
        $match = [regex]::Match($line, $regex)

        if ($match.Success) {
            $owner = $match.Groups[1].Value
            $repo = $match.Groups[2].Value
            $sha = $match.Groups[3].Value

            Write-Host "Found action: $owner/$repo@$sha"

            # Only look up and append a version when the line has no version comment yet
            # (tags may or may not carry a leading "v")
            if ($line -notmatch '#\s*v?\d') {
                $version = Get-ActionVersion -owner $owner -repo $repo -sha $sha
                $content[$i] = "$line #$version"
                $modified = $true
            }
        }
    }

    if ($modified) {
        Write-Host "Writing changes to $($file.FullName)"
        $content | Set-Content $file.FullName
    }
}

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
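As an added example that is not part of this PR or of the repository's own tooling: an offline audit that classifies every `uses:` reference in a workflow file, so a CI job can fail whenever an action is not pinned to a full-length commit SHA (the property the two scripts above establish). It goes beyond the PR's regexes by also recognising nested action paths and reusable workflows (`owner/repo/subpath@ref`), local `./` actions, `docker://` images (pinned only when referenced by digest) and quoted references. The sample workflow, its 40-character SHAs and the action names in it are constructed placeholders, not real commits of those projects.

```python
# Added audit script (not part of the PR): classify every `uses:` reference in a
# GitHub Actions workflow so a CI gate can fail on anything not pinned to a
# full-length commit SHA. Runs offline; no GitHub API calls.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

FULL_SHA = re.compile(r"[0-9a-f]{40}")
SHORT_SHA = re.compile(r"[0-9a-f]{7,39}")
VERSION_TAG = re.compile(r"v?\d+(?:\.\d+){0,2}(?:[-+][\w.]+)?")
# "- uses: owner/repo@ref  # comment", with optional quotes around the reference
USES_LINE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^'\"\s#]+)['\"]?\s*(?:#\s*(?P<comment>.*\S))?\s*$"
)

# Statuses that a CI gate may accept; everything else is mutable or ambiguous
ACCEPTABLE = {"pinned", "pinned-no-comment", "local", "docker-digest"}


@dataclass
class Finding:
    line_no: int
    ref: str
    status: str  # pinned, pinned-no-comment, tag, branch, short-sha, local, docker-digest, docker-tag
    detail: str


def classify(ref: str, comment: Optional[str]) -> Tuple[str, str]:
    """Return (status, detail) for one `uses:` reference."""
    if ref.startswith("./"):
        return "local", "local action; versioned with the repository itself"
    if ref.startswith("docker://"):
        if "@sha256:" in ref:
            return "docker-digest", "container image pinned by digest"
        return "docker-tag", "container image referenced by a mutable tag"
    if "@" not in ref:
        return "branch", "no ref given; resolves to the action's default branch"
    _, version = ref.rsplit("@", 1)
    if FULL_SHA.fullmatch(version):
        if comment and VERSION_TAG.search(comment):
            return "pinned", f"full SHA with version comment '{comment}'"
        return "pinned-no-comment", "full SHA but no human-readable version comment"
    if SHORT_SHA.fullmatch(version):
        return "short-sha", "abbreviated SHA; pin to the full 40-character commit SHA"
    if VERSION_TAG.fullmatch(version):
        return "tag", "mutable tag; whoever can push to the action repository can move it"
    return "branch", "branch name; content changes on every push"


def audit_workflow(text: str) -> List[Finding]:
    """Scan workflow YAML text line by line and return one Finding per `uses:` line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        status, detail = classify(m.group("ref"), m.group("comment"))
        findings.append(Finding(line_no, m.group("ref"), status, detail))
    return findings


def unpinned(findings: List[Finding]) -> List[Finding]:
    """The findings that should fail a CI gate."""
    return [f for f in findings if f.status not in ACCEPTABLE]


# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: actions/setup-dotnet@v4
      - uses: github/codeql-action/init@main
      - uses: aws-actions/configure-aws-credentials@0123456
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: 'actions/cache@fedcba9876543210fedcba9876543210fedcba98'
"""

if __name__ == "__main__":
    results = audit_workflow(SAMPLE_WORKFLOW)
    for f in results:
        print(f"{f.line_no:>3}  {f.status:<18} {f.ref}  ({f.detail})")
    # Non-zero exit makes the script usable as a CI gate
    raise SystemExit(1 if unpinned(results) else 0)
```

Run against the repository's `.github/workflows/*.yml` by reading each file into `audit_workflow`; the "pinned-no-comment" status is accepted by the gate but is worth reporting, since the version comment is what makes a SHA-pinned line reviewable by a human (which is exactly what the second script above adds).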

@GarrettBeatty GarrettBeatty changed the title Gcbeatty/actions2 update actions to use commit hash Apr 4, 2025
@GarrettBeatty GarrettBeatty marked this pull request as ready for review April 4, 2025 17:40
@GarrettBeatty GarrettBeatty added the "Release Not Needed" label (add this label if a PR does not need to be released) Apr 4, 2025
@GarrettBeatty GarrettBeatty merged commit 3831588 into v4sdk-development Apr 9, 2025
3 of 4 checks passed
@GarrettBeatty GarrettBeatty deleted the gcbeatty/actions2 branch April 9, 2025 17:07