-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathaction.yml
More file actions
334 lines (294 loc) · 13.5 KB
/
action.yml
File metadata and controls
334 lines (294 loc) · 13.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
# action.yml
name: 'Dirty Waters Analysis'
description: 'Analyze software supply chain issues in your dependencies'
branding:
icon: 'shield'
color: 'blue'
inputs:
github_token:
description: "GitHub token"
required: true
project_repo:
description: 'Project repository path (as in GitHub)'
required: false
default: '${{ github.repository }}'
version_old:
description: 'Release version to analyze - old if differential analysis'
required: false
version_new:
description: 'New release version for differential analysis'
required: false
differential_analysis:
description: 'Whether to perform differential analysis'
required: false
default: 'false'
package_manager:
description: 'Package manager used in the project'
required: true
name_match:
description: 'Compare the package names with the name in the in the package.json file. This option will slow down the execution time due to the API rate limit of code search'
required: false
default: 'false'
#pnpm_scope:
#description: 'Extract dependencies from pnpm with a specific scope'
#required: false
specified_smells:
description: 'List of specified smells to analyze. Provide it as a space-separated list of smells (e.g., "--check-source-code --check-forks")'
required: false
debug:
description: 'Enable debug mode'
required: false
default: 'false'
config:
description: 'Path to the configuration file, relative to the root of the project'
required: false
gradual_report:
description: 'Enable gradual report functionality'
required: false
default: 'true'
fail_on_high_severity:
description: 'Break CI if high severity issues are found'
required: false
default: 'true'
x_to_fail:
description: 'Percentage threshold for the number of high or medium severity issues to fail the CI'
required: false
default: '0'
allow_pr_comment:
description: 'Post analysis results as a PR comment if CI breaks'
required: false
default: 'true'
comment_on_commit:
description: 'Post analysis results as a commit comment if CI breaks'
required: false
default: 'false'
github_event_before:
description: 'GitHub event before SHA, to retrieve the previous cache key'
required: false
default: '${{ github.event.before }}'
ignore_cache:
description: 'Ignore the repository cache for this run'
required: false
default: 'false'
runs:
using: 'composite'
steps:
- name: Set up Python
uses: actions/setup-python@v5.6.0
with:
python-version: '3.14'
- name: Install system dependencies
shell: bash
# TODO: pin versions
run: |
sudo apt-get update
sudo apt-get install -y git curl jq maven npm nodejs
npm install -g pnpm
npm install -g yarn
- name: Set commit SHA
id: set_sha
shell: bash
run: |
DEFAULT_BRANCH=$(curl -s "https://api.github.com/repos/${{ inputs.project_repo }}" | jq -r '.default_branch')
echo "default_branch=$DEFAULT_BRANCH" >> $GITHUB_OUTPUT
echo "branch_name=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
if [[ "$GITHUB_EVENT_NAME" == "pull_request" ]]; then
COMMIT_SHA=$(jq -r .pull_request.head.sha $GITHUB_EVENT_PATH)
echo "commit_sha=$COMMIT_SHA" >> $GITHUB_OUTPUT
else
COMMIT_SHA=$GITHUB_SHA
echo "commit_sha=$COMMIT_SHA" >> $GITHUB_OUTPUT
fi
- name: Restore cache
uses: actions/cache/restore@v4.3.0
id: restore-cache
if: ${{ inputs.ignore_cache != true && inputs.ignore_cache != 'true' }}
with:
path: tool/cache
key: dirty-waters-cache-${{ runner.os }}-${{ runner.arch }}-${{ steps.set_sha.outputs.branch_name }}-
restore-keys: |
dirty-waters-cache-${{ runner.os }}-${{ runner.arch }}-${{ steps.set_sha.outputs.default_branch }}-
- name: Create cache directory
if: steps.restore-cache.outputs.cache-hit != 'true'
shell: bash
run: mkdir -p tool/cache
- name: Clone and setup Dirty Waters
shell: bash
run: |
git clone https://github.com/chains-project/dirty-waters.git
cd dirty-waters
# The version is pinned to the latest dirty-waters release at the time of the action release
DIRTY_WATERS_VERSION="v0.104.0"
git checkout $DIRTY_WATERS_VERSION
pip install -r requirements.txt
- name: Run analysis
id: analysis
shell: bash
env:
GITHUB_TOKEN: ${{ inputs.github_token }}
GITHUB_API_TOKEN: ${{ inputs.github_token }}
run: |
cd dirty-waters/tool
# Copy cache if it exists
if [ -d "$GITHUB_WORKSPACE/tool/cache" ]; then
cp -r $GITHUB_WORKSPACE/tool/cache/ .
fi
# Correct versions
differential="${{ inputs.differential_analysis }}"
version_old="${{ inputs.version_old }}"
version_new="${{ inputs.version_new }}"
# Always set version_new to the commit that triggered the workflow if not provided
if [ -z "$version_new" ]; then
version_new=${{ steps.set_sha.outputs.commit_sha }}
fi
if [ "$differential" = "true" ]; then
echo "Running in differential analysis mode"
if [ -z "$version_old" ]; then
version_old=$(git rev-parse "$version_new^")
echo "version_old not provided, using version_new^: $version_old"
else
echo "Using version_old from input: $version_old"
fi
echo "Comparing $version_old -> $version_new"
else
# Non-differential mode: just analyze version_old = current SHA OR given one
if [ -z "$version_old" ]; then
version_old=${{ steps.set_sha.outputs.commit_sha }}
fi
echo "Running in non-differential mode"
echo "Analyzing single commit: $version_old"
fi
# Build command
CMD="python main.py -p ${{ inputs.project_repo }} -v $version_old -pm ${{ inputs.package_manager }}"
if [ "${{ inputs.differential_analysis }}" == "true" ]; then
CMD="$CMD -vn $version_new -d"
fi
if [ -n "${{ inputs.name_match }}" ]; then
CMD="$CMD -n"
fi
#if [ -n "${{ inputs.pnpm_scope }}" ]; then
# CMD="$CMD --pnpm-scope ${{ inputs.pnpm_scope }}"
#fi
if [ -n "${{ inputs.specified_smells }}" ]; then
CMD="$CMD ${{ inputs.specified_smells }}"
fi
if [ "${{ inputs.debug }}" == "true" ]; then
CMD="$CMD --debug"
fi
if [ -n "${{ inputs.config }}" ]; then
#cp $GITHUB_WORKSPACE/${{ inputs.config }} .
CMD="$CMD --config $GITHUB_WORKSPACE/${{ inputs.config }}"
fi
if [ "${{ inputs.gradual_report }}" == "false" ]; then
CMD="$CMD --gradual-report=false"
fi
echo "Running command: $CMD"
eval $CMD
# Copy cache back
cp -r cache/ "$GITHUB_WORKSPACE/tool/"
# Process results
if [ ! -d "results" ]; then
echo "An error occurred: no reports were generated"
exit 1
fi
if [ "${{ inputs.differential_analysis }}" == "true" ]; then
latest_report=$(ls -t results/*/*_diff_summary.md | head -n1)
else
latest_report=$(ls -t results/*/*_static_summary.md | head -n1)
fi
COMMENT=$(cat "$latest_report")
cat "$latest_report" # Debug purposes: we always paste it in the logs
# Check for CI failure conditions
CI_WILL_FAIL=0
# Check for high severity issues
if [ "${{ inputs.fail_on_high_severity }}" == "true" ]; then
echo "[DEBUG] Fails on high severity, checking for any high severity issues"
if [[ $(cat "$latest_report" | grep -o "(⚠️⚠️⚠️): [0-9]*" | grep -o "[0-9]*" | sort -nr | head -n1) -gt 0 ]]; then
echo "High severity issues found. CI will fail."
CI_WILL_FAIL=1
fi
fi
# function from https://unix.stackexchange.com/questions/137110/comparison-of-decimal-numbers-in-bash
compare() (IFS=" "
exec awk "BEGIN{if (!($*)) exit(1)}"
)
# Only check for threshold violations if we haven't already decided to fail
if [ $CI_WILL_FAIL -eq 0 ]; then
echo "[DEBUG] Haven't decided to fail yet, checking for threshold being surpassed"
total_packages=$(cat "$latest_report" | grep -o "Total packages in the supply chain: [0-9]*" | grep -o "[0-9]*")
for severity in "⚠️⚠️⚠️" "⚠️⚠️"; do
for count in $(cat "$latest_report" | grep -o "($severity): [0-9]*" | grep -o "[0-9]*"); do
echo "[DEBUG] Count for $severity is $count"
if compare "$(echo "scale=2; $count / $total_packages * 100" | bc) > ${{ inputs.x_to_fail }}"; then
echo "Number of $severity issues surpasses the threshold. CI will fail."
CI_WILL_FAIL=1
break 2 # Break both loops once we know we'll fail
fi
done
done
fi
# Handle comments only if CI will fail
if [ $CI_WILL_FAIL -eq 1 ]; then
echo "[DEBUG] CI will fail"
# Handle PR comments
PR_NUMBER=$(jq -r ".pull_request.number" "$GITHUB_EVENT_PATH")
if [[ "$PR_NUMBER" != "null" && "${{ inputs.allow_pr_comment }}" == "true" ]]; then
# Check if a comment from this action exists
COMMENT_ID=$(curl -s -H "Accept: application/vnd.github.v3+json" -H "Authorization: token $GITHUB_TOKEN" "https://api.github.com/repos/${{ inputs.project_repo }}/issues/$PR_NUMBER/comments" | jq -r ".[] | select(.user.login == \"github-actions[bot]\") | select(.body | contains(\"Software Supply Chain Report of ${{ inputs.project_repo }}\")) | .id")
# Set the appropriate URL and HTTP method based on whether a comment exists
if [[ -z "$COMMENT_ID" ]]; then
# No existing comment - create new one
COMMENT_URL="https://api.github.com/repos/${{ inputs.project_repo }}/issues/$PR_NUMBER/comments"
HTTP_METHOD="POST"
else
# Comment exists - edit it
COMMENT_URL="https://api.github.com/repos/${{ inputs.project_repo }}/issues/comments/${COMMENT_ID}"
HTTP_METHOD="PATCH" # Use PATCH to update an existing comment
fi
echo "[DEBUG] ${HTTP_METHOD} comment to $COMMENT_URL"
# Single curl command using the determined URL and method
curl -s -X $HTTP_METHOD \
-H "Accept: application/vnd.github.v3+json" \
-H "Authorization: token $GITHUB_TOKEN" \
"$COMMENT_URL" \
-d "$(jq -n --arg body "$COMMENT" '{body: $body}')"
fi
# Handle commit comments
if [ "${{ inputs.comment_on_commit }}" == "true" ]; then
curl -s -X POST \
-H "Accept: application/vnd.github.v3+json" \
-H "Authorization: token $GITHUB_TOKEN" \
"https://api.github.com/repos/${{ inputs.project_repo }}/commits/${{ steps.set_sha.outputs.commit_sha }}/comments" \
-d "$(jq -n --arg body "$COMMENT" '{body: $body}')"
fi
else
echo "[DEBUG] CI will not fail"
echo "[DEBUG] Checking if a comment from this action exists in the PR; if so, we're updating it, saying that the CI passed"
PR_NUMBER=$(jq -r ".pull_request.number" "$GITHUB_EVENT_PATH")
if [[ "$PR_NUMBER" != "null" && "${{ inputs.allow_pr_comment }}" == "true" ]]; then
COMMENT_ID=$(curl -s -H "Accept: application/vnd.github.v3+json" -H "Authorization: token $GITHUB_TOKEN" "https://api.github.com/repos/${{ inputs.project_repo }}/issues/$PR_NUMBER/comments" | jq -r ".[] | select(.user.login == \"github-actions[bot]\") | select(.body | contains(\"Software Supply Chain Report of ${{ inputs.project_repo }}\")) | .id")
if [[ -n "$COMMENT_ID" ]]; then
BODY="Currently, this project does not break CI via \`dirty-waters-action\`, as it either didn't identify any smells, or did but not in an amount enough to break CI. You can still see the current report status below."
BODY+="<details><summary>Software Supply Chain Report of ${{ inputs.project_repo }}</summary>"
BODY+="$COMMENT"
BODY+="</details>"
curl -s -X PATCH \
-H "Accept: application/vnd.github.v3+json" \
-H "Authorization: token $GITHUB_TOKEN" \
"https://api.github.com/repos/${{ inputs.project_repo }}/issues/comments/${COMMENT_ID}" \
-d "$(jq -n --arg body "$BODY" '{body: $body}')"
fi
fi
fi
# Copy results
cp -r results/* "$GITHUB_WORKSPACE/"
# Exit with failure if CI_WILL_FAIL is set
if [ $CI_WILL_FAIL -eq 1 ]; then
exit 1
fi
- name: Save cache
uses: actions/cache/save@v4.3.0
if: always()
with:
path: tool/cache
key: dirty-waters-cache-${{ runner.os }}-${{ runner.arch }}-${{ steps.set_sha.outputs.branch_name }}-${{ github.run_id }}-${{ github.run_attempt }}