
Commit 91ab1fc

chore: implement feedback from Eric (#11)

- removed path filters from example workflow
- set persist-credentials to false in example workflow
- pin dirty-waters (and action) in example workflow; every release of the action will be pinned to the latest tag of dirty-waters, at the time of release
- stopped requiring project_repo, latest_commit_sha, github_event_before as inputs
- switched to major-minor-patch versioning
- switched to one comment per PR, at most (updating the first one, to avoid new notifications)
- bug fixes
1 parent 5ddcdad commit 91ab1fc

File tree

6 files changed

+160
-122
lines changed

Lines changed: 37 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,37 @@
1+
name: Bump Action version
2+
3+
on:
4+
push:
5+
branches:
6+
- main
7+
workflow_dispatch:
8+
9+
jobs:
10+
update-version:
11+
runs-on: ubuntu-latest
12+
permissions:
13+
contents: write
14+
steps:
15+
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
16+
with:
17+
fetch-depth: 0
18+
19+
- name: Update dirty-waters-action version
20+
run: |
21+
COMMIT_SHA=$(git rev-parse HEAD)
22+
23+
# Use sed to update occurrences of the version in the workflow file
24+
sed -i "s/chains-project\/dirty-waters-action@v[0-9.]\+/chains-project\/dirty-waters-action@${COMMIT_SHA}/g" ./example_workflow.yml
25+
26+
echo "commit_sha=$COMMIT_SHA" >> $GITHUB_ENV
27+
28+
- name: Update dirty_waters_version in the action to the repo's latest tag
29+
run: |
30+
LATEST_TAG=$(git ls-remote --tags https://github.com/chains-project/dirty-waters.git | awk -F/ '{print $3}' | sort -V | tail -n1)
31+
sed -i "s/DIRTY_WATERS_VERSION=\".*\"/DIRTY_WATERS_VERSION=\"$LATEST_TAG\"/" action.yml
32+
33+
- name: Commit changes
34+
uses: stefanzweifel/git-auto-commit-action@v5.1.0
35+
with:
36+
commit_message: "Bump dirty-waters-action version to ${{ env.commit_sha }}"
37+
branch: ${{ github.head_ref }}
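Review bot: the `sed` in "Update dirty-waters-action version" only matches `chains-project/dirty-waters-action@v[0-9.]\+`, so it rewrites a tag reference exactly once: after the first run the example file reads `@<40-hex sha>`, the pattern no longer matches, and every later run leaves the example stuck on that first commit. Match the SHA form as well, e.g. `@\(v[0-9.]\+\|[0-9a-f]\{40\}\)`. Note also that `COMMIT_SHA=$(git rev-parse HEAD)` is the commit *before* the auto-commit this workflow creates, so the pin always points one commit behind the file that contains it; pinning to the tag that publish-release-tag.yml creates would be more meaningful for users. Two smaller points: `git ls-remote --tags` also lists peeled entries of the form `v1.2.3^{}`, so `sort -V | tail -n1` can hand back a name ending in `^{}` (add `grep -v '\^{}$'` before the sort), and `branch: ${{ github.head_ref }}` is empty for `push` and `workflow_dispatch` events, so it should be `${{ github.ref_name }}` or dropped so the action commits to the checked-out branch.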

.github/workflows/dirty-waters.yml

Lines changed: 0 additions & 74 deletions
This file was deleted.

.github/workflows/publish-release-tag.yml

Lines changed: 10 additions & 3 deletions
@@ -11,7 +11,7 @@ jobs:
1111
permissions:
1212
contents: write
1313
steps:
14-
- uses: actions/checkout@v4
14+
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
1515
with:
1616
fetch-depth: 0 # Fetch all history for tags
1717

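Review bot: pinning `actions/checkout` to a full commit SHA is the right move; record the exact release in the trailing comment (`# v4.x.y` rather than `# v4`) so the pin can be audited and updated by tooling, and apply the same SHA pinning to the other actions this commit touches (`setup-python@v5.4.0`, `cache/restore@v4.2.1`, `cache/save@v4.2.1`, `git-auto-commit-action@v5.1.0`), which are still mutable tags and so give a weaker guarantee than the one line that was fixed here.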
@@ -25,8 +25,15 @@ jobs:
2525
id: generate-new-tag
2626
run: |
2727
current_tag=${{ env.LATEST_TAG }}
28-
IFS='.' read -r major minor <<< "${current_tag#v}"
29-
new_tag="v$major.$((minor + 1))"
28+
IFS='.' read -r -a tag_parts <<< "$current_tag"
29+
major=${tag_parts[0]}
30+
minor=${tag_parts[1]}
31+
if [ ${#tag_parts[@]} -eq 2 ]; then
32+
patch=0
33+
else
34+
patch=${tag_parts[2]}
35+
fi
36+
new_tag="v$major.$minor.$((patch + 1))"
3037
echo "NEW_TAG=$new_tag" >> $GITHUB_ENV
3138
3239
- name: Create and push tag
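Review bot: the new split drops the `${current_tag#v}` strip that the removed line had, so `tag_parts[0]` is `v1`, not `1`, and `new_tag="v$major.$minor.$((patch + 1))"` yields `vv1.2.3`. Split `"${current_tag#v}"` as before. Two related edge cases: a two-component latest tag goes through `patch=0` and is followed by `vX.Y.1`, skipping `vX.Y.0`, and a bare `v1` leaves `minor` empty, so validate the parsed parts (`[[ $major =~ ^[0-9]+$ && $minor =~ ^[0-9]+$ ]]`) before building the tag. `current_tag=${{ env.LATEST_TAG }}` should also be quoted.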

README.md

Lines changed: 21 additions & 22 deletions
@@ -2,7 +2,7 @@
22

33
This action runs [Dirty Waters](https://github.com/chains-project/dirty-waters) on your repository to analyze dependencies for Software Supply Chain (SSC) issues.
44
Add this workflow to your repository to analyze dependencies in your pull requests
5-
(change/add inputs as needed -- details in [action.yml](./action.yml)). An example of a workflow that uses this action is available in [.github/workflows/dirty-waters.yml](./.github/workflows/dirty-waters.yml).
5+
(change/add inputs as needed -- details in [action.yml](./action.yml)). An example of a workflow that uses this action is available in [example_workflow.yml](./example_workflow.yml).
66

77
The action will:
88

@@ -27,24 +27,23 @@ SSC issues currently checked for:
2727

2828
### Inputs
2929

30-
| Input | Description | Required | Default |
31-
| --------------------- | -------------------------------------------------------------------------------------------------- | -------- | -------------- |
32-
| github_token | | Yes | - |
33-
| dirty_waters_version | Dirty Waters version to use | No | latest |
34-
| project_repo | Repository name (owner/repo) | Yes | - |
35-
| version_old | Base version/ref to analyze, | No | HEAD |
36-
| version_new | New version/ref for diff analysis | No | HEAD^ |
37-
| differential_analysis | Whether to perform differential analysis (true/false) | No | false |
38-
| package_manager | Package manager (npm, yarn-classic, yarn-berry, pnpm, maven) | Yes | - |
39-
| name_match | Compare the package names with the name in the in the package.json file. Will slow down execution. | No | false |
40-
| pnpm_scope | Extract dependencies from pnpm with a specific scope | No | - |
41-
| specified_smells | Specify the smells to check for | No | all |
42-
| debug | Enable debug mode | No | false |
43-
| no_gradual_report | Disable gradual report functionality | No | false |
44-
| fail_on_high_severity | Fail CI on high severity issues | No | true |
45-
| x_to_fail | Percentage threshold to break CI on non-high severity issues (per type of issue) | No | 5% of packages |
46-
| allow_pr_comment | Post analysis results as a PR comment if CI breaks | No | true |
47-
| comment_on_commit | Post analysis results as a commit comment if CI breaks | No | false |
48-
| latest_commit_sha | Latest commit SHA, used to comment on commits | Yes | - |
49-
| github_event_before | GitHub event before SHA, to retrieve the previous cache key | Yes | - |
50-
| ignore_cache | Ignore the repository cache for this run (true/false) | No | false |
30+
| Input | Description | Required | Default |
31+
| --------------------- | -------------------------------------------------------------------------------------------------- | -------- | -------------------------- |
32+
| github_token | | Yes | - |
33+
| project_repo | Repository name (owner/repo) | No | {{ github.repository }} |
34+
| version_old | Base version/ref to analyze, | No | HEAD |
35+
| version_new | New version/ref for diff analysis | No | HEAD^ |
36+
| differential_analysis | Whether to perform differential analysis (true/false) | No | false |
37+
| package_manager | Package manager (npm, yarn-classic, yarn-berry, pnpm, maven) | Yes | - |
38+
| name_match | Compare the package names with the name in the in the package.json file. Will slow down execution. | No | false |
39+
| pnpm_scope | Extract dependencies from pnpm with a specific scope | No | - |
40+
| specified_smells | Specify the smells to check for | No | all |
41+
| debug | Enable debug mode | No | false |
42+
| gradual_report | Enable gradual report functionality | No | true |
43+
| fail_on_high_severity | Fail CI on high severity issues | No | true |
44+
| x_to_fail | Percentage threshold to break CI on non-high severity issues (per type of issue) | No | 5% of packages |
45+
| allow_pr_comment | Post analysis results as a PR comment if CI breaks | No | true |
46+
| comment_on_commit | Post analysis results as a commit comment if CI breaks | No | false |
47+
| latest_commit_sha | Latest commit SHA, used to comment on commits | No | ${{ github.sha }} |
48+
| github_event_before | GitHub event before SHA, to retrieve the previous cache key | No | ${{ github.event.before }} |
49+
| ignore_cache | Ignore the repository cache for this run (true/false) | No | false |
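Review bot: the new Default column is inconsistent with itself and with action.yml: `project_repo` shows `{{ github.repository }}` without the leading `$`, while `latest_commit_sha` and `github_event_before` show `${{ ... }}`, and action.yml uses `${{ github.repository }}`. While the table is being rewritten: `name_match` reads "in the in the", `version_old` ends in a stray comma, and the `version_old`/`version_new` defaults (`HEAD` for the base, `HEAD^` for the new ref) read as swapped relative to their descriptions; please confirm against action.yml and fix whichever side is wrong.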

action.yml

Lines changed: 44 additions & 23 deletions
@@ -9,13 +9,10 @@ inputs:
99
github_token:
1010
description: "GitHub token"
1111
required: true
12-
dirty_waters_version:
13-
description: 'Dirty Waters version to use, defaults to latest'
14-
required: false
15-
default: 'HEAD'
1612
project_repo:
1713
description: 'Project repository path (as in GitHub)'
18-
required: true
14+
required: false
15+
default: '${{ github.repository }}'
1916
version_old:
2017
description: 'Release version to analyze - old if differential analysis'
2118
required: false
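Review bot: dropping the `dirty_waters_version` input is a breaking change for callers that set it. Composite actions only warn on unexpected inputs, so an existing workflow keeps running but silently loses its version override. Together with the `no_gradual_report` rename further down, this argues for a major rather than patch bump from the new major.minor.patch tagging, and for a line in the README saying the tool version is now fixed per action release. Defaulting `project_repo` to `${{ github.repository }}` is fine for the common case.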
@@ -45,10 +42,10 @@ inputs:
4542
description: 'Enable debug mode'
4643
required: false
4744
default: 'false'
48-
no_gradual_report:
49-
description: 'Disable gradual report functionality'
45+
gradual_report:
46+
description: 'Enable gradual report functionality'
5047
required: false
51-
default: 'false'
48+
default: 'true'
5249
fail_on_high_severity:
5350
description: 'Break CI if high severity issues are found'
5451
required: false
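Review bot: renaming `no_gradual_report` to `gradual_report` and inverting the default changes behaviour for existing callers without failing them: a workflow that still passes `no_gradual_report: 'true'` gets an unexpected-input warning and now runs with the gradual report enabled. Call this out in the README/changelog, and consider accepting the old name as a deprecated alias for one release so the change is opt-in rather than silent.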
@@ -67,10 +64,12 @@ inputs:
6764
default: 'false'
6865
latest_commit_sha:
6966
description: 'Latest commit SHA from the project using this action, using for commenting on commits'
70-
required: true
67+
required: false
68+
default: '${{ github.sha }}'
7169
github_event_before:
7270
description: 'GitHub event before SHA, to retrieve the previous cache key'
73-
required: true
71+
required: false
72+
default: '${{ github.event.before }}'
7473
ignore_cache:
7574
description: 'Ignore the repository cache for this run'
7675
required: false
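Review bot: `${{ github.event.before }}` is only populated for `push` (and `pull_request` `synchronize`) events; on other triggers the default expands to the empty string, and on the first push of a new branch it is the all-zero SHA, so a cache key derived from it misses in both cases. Handle an empty or all-zero value explicitly rather than building a key that ends in `-`. Similarly, `${{ github.sha }}` on a `pull_request` event is the synthetic merge commit, not the PR head, which is the wrong target when `comment_on_commit` is enabled; `github.event.pull_request.head.sha` is what a commenter usually wants there.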
@@ -80,7 +79,7 @@ runs:
8079
using: 'composite'
8180
steps:
8281
- name: Set up Python
83-
uses: actions/setup-python@v5
82+
uses: actions/setup-python@v5.4.0
8483
with:
8584
python-version: '3.12'
8685

@@ -105,7 +104,7 @@ runs:
105104
fi
106105
107106
- name: Restore cache
108-
uses: actions/cache/restore@v4
107+
uses: actions/cache/restore@v4.2.1
109108
id: restore-cache
110109
if: inputs.ignore_cache != 'true'
111110
with:
@@ -122,9 +121,9 @@ runs:
122121
run: |
123122
git clone https://github.com/chains-project/dirty-waters.git
124123
cd dirty-waters
125-
if [ "${{ inputs.dirty_waters_version }}" != "HEAD" ]; then
126-
git checkout ${{ inputs.dirty_waters_version }}
127-
fi
124+
# The version is pinned to the latest dirty-waters release at the time of the action release
125+
DIRTY_WATERS_VERSION="98952a5a8f08a740e477e6bc1e5b468765af2829"
126+
git checkout $DIRTY_WATERS_VERSION
128127
pip install -r requirements.txt
129128
130129
- name: Run analysis
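Review bot: pinning `DIRTY_WATERS_VERSION` to a full commit SHA is exactly right for an immutable dependency, but the bump workflow added in this same commit overwrites it with the result of `git ls-remote --tags ... | sort -V | tail -n1`, i.e. a tag name that upstream can move. Have the bump resolve the tag to its commit and write that, keeping the tag in the comment for readability. The `pip install -r requirements.txt` line is the other mutable link: whatever `requirements.txt` resolves to at run time is what gets installed, so for a supply-chain checker the requirements should be fully pinned with hashes and installed with `pip install --require-hashes -r requirements.txt`, matching the guarantee the SHA checkout gives for the tool's own code.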
@@ -164,8 +163,8 @@ runs:
164163
CMD="$CMD --debug"
165164
fi
166165
167-
if [ "${{ inputs.no_gradual_report }}" == "true" ]; then
168-
CMD="$CMD --no-gradual-report"
166+
if [ "${{ inputs.gradual_report }}" == "false" ]; then
167+
CMD="$CMD --gradual-report=false"
169168
fi
170169
171170
echo "Running command: $CMD"
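Review bot: `--gradual-report=false` must be a flag the pinned dirty-waters commit (`98952a5a…`) actually accepts; nothing in this diff shows the upstream CLI change, and since `CMD` is assembled as a string and run later, an unknown flag only surfaces as an analysis failure. Please link the upstream commit that replaced `--no-gradual-report`. The `== "false"` comparison also means values such as `False` or `0` leave the report enabled; lower-case the input before comparing if that is not intended.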
@@ -194,17 +193,20 @@ runs:
194193
195194
# Check for high severity issues
196195
if [ "${{ inputs.fail_on_high_severity }}" == "true" ]; then
197-
if [[ $(cat "$latest_report" | grep -o "(⚠️⚠️⚠️) [0-9]*" | grep -o "[0-9]*" | sort -nr | head -n1) -gt 0 ]]; then
196+
echo "[DEBUG] Fails on high severity, checking for any high severity issues"
197+
if [[ $(cat "$latest_report" | grep -o "(⚠️⚠️⚠️): [0-9]*" | grep -o "[0-9]*" | sort -nr | head -n1) -gt 0 ]]; then
198198
echo "High severity issues found. CI will fail."
199199
CI_WILL_FAIL=1
200200
fi
201201
fi
202202
203203
# Only check for threshold violations if we haven't already decided to fail
204204
if [ $CI_WILL_FAIL -eq 0 ]; then
205+
echo "[DEBUG] Haven't decided to fail yet, checking for threshold being surpassed"
205206
total_packages=$(cat "$latest_report" | grep -o "Total packages in the supply chain: [0-9]*" | grep -o "[0-9]*")
206207
for severity in "⚠️⚠️⚠️" "⚠️⚠️" "⚠️"; do
207-
for count in $(cat "$latest_report" | grep -o "($severity) [0-9]*" | grep -o "[0-9]*"); do
208+
for count in $(cat "$latest_report" | grep -o "($severity): [0-9]*" | grep -o "[0-9]*"); do
209+
echo "[DEBUG] Count for $severity is $count"
208210
if [[ $(echo "scale=2; $count / $total_packages * 100" | bc) -gt ${{ inputs.x_to_fail }} ]]; then
209211
echo "Number of $severity issues surpasses the threshold. CI will fail."
210212
CI_WILL_FAIL=1
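Review bot: two problems in the threshold loop, both on lines this hunk keeps. First, `echo "scale=2; $count / $total_packages * 100" | bc` prints a decimal such as `5.00`, and `[[ 5.00 -gt 5 ]]` is not a numeric comparison in bash: `-gt` inside `[[ ]]` evaluates its operands arithmetically, the `.` is an arithmetic syntax error, and the test is simply false, so the percentage gate never fires. Do the comparison in `bc` instead (`[ "$(echo "$count * 100 / $total_packages > ${{ inputs.x_to_fail }}" | bc)" -eq 1 ]`), and multiply before dividing, since with `scale=2` `1 / 300` truncates to `0`. Second, the change from `(⚠️⚠️⚠️) N` to `(⚠️⚠️⚠️): N` shows how tightly the gate is bound to the report's text: when the format drifts, `grep -o` matches nothing, `head -n1` is empty, `[[ "" -gt 0 ]]` is false and CI passes with no findings. Fail closed: if neither the `Total packages` line nor any severity count can be parsed, set `CI_WILL_FAIL=1` and print why.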
@@ -216,13 +218,31 @@ runs:
216218
217219
# Handle comments only if CI will fail
218220
if [ $CI_WILL_FAIL -eq 1 ]; then
221+
echo "[DEBUG] CI will fail"
219222
# Handle PR comments
220223
PR_NUMBER=$(jq -r ".pull_request.number" "$GITHUB_EVENT_PATH")
221224
if [[ "$PR_NUMBER" != "null" && "${{ inputs.allow_pr_comment }}" == "true" ]]; then
222-
curl -s -X POST \
225+
# Check if a comment from this action exists
226+
COMMENT_ID=$(curl -s -H "Accept: application/vnd.github.v3+json" -H "Authorization: token $GITHUB_TOKEN" "https://api.github.com/repos/${{ inputs.project_repo }}/issues/$PR_NUMBER/comments" | jq -r ".[] | select(.user.login == \"github-actions[bot]\") | select(.body | contains(\"Software Supply Chain Report of ${{ inputs.project_repo }}\")) | .id")
227+
228+
# Set the appropriate URL and HTTP method based on whether a comment exists
229+
if [[ -z "$COMMENT_ID" ]]; then
230+
# No existing comment - create new one
231+
COMMENT_URL="https://api.github.com/repos/${{ inputs.project_repo }}/issues/$PR_NUMBER/comments"
232+
HTTP_METHOD="POST"
233+
else
234+
# Comment exists - edit it
235+
COMMENT_URL="https://api.github.com/repos/${{ inputs.project_repo }}/issues/comments/${COMMENT_ID}"
236+
HTTP_METHOD="PATCH" # Use PATCH to update an existing comment
237+
fi
238+
239+
echo "[DEBUG] ${HTTP_METHOD} comment to $COMMENT_URL"
240+
241+
# Single curl command using the determined URL and method
242+
curl -s -X $HTTP_METHOD \
223243
-H "Accept: application/vnd.github.v3+json" \
224244
-H "Authorization: token $GITHUB_TOKEN" \
225-
"https://api.github.com/repos/${{ inputs.project_repo }}/issues/$PR_NUMBER/comments" \
245+
"$COMMENT_URL" \
226246
-d "$(jq -n --arg body "$COMMENT" '{body: $body}')"
227247
fi
228248
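Review bot: the existing-comment lookup has three gaps. `jq '.[] | select(...) | .id'` emits every matching ID, one per line, so if more than one report comment already exists (e.g. from runs before this change) `COMMENT_URL` becomes `.../comments/123<newline>456` and the PATCH fails; take one with `first(.[] | select(...)) | .id` or append `| head -n1`. The list call is unpaginated (30 comments per page by default), so on a long PR the bot's comment can sit on page two and a duplicate gets posted; add `?per_page=100` or walk the pages. And matching on `.user.login == "github-actions[bot]"` only works when `github_token` is the workflow's `GITHUB_TOKEN`; a PAT or GitHub App token posts under a different login and is never matched. Matching on a hidden marker in the body (`<!-- dirty-waters-report -->`) instead of the login avoids that and also survives a title change.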
@@ -245,12 +265,13 @@ runs:
245265
fi
246266
247267
- name: Save cache
248-
uses: actions/cache/save@v4
268+
uses: actions/cache/save@v4.2.1
249269
if: always()
250270
with:
251271
path: tool/cache
252272
key: dirty-waters-cache-${{ runner.os }}-${{ inputs.project_repo }}-${{ steps.set-sha.outputs.commit_sha }}
253273

254274
- name: Break CI if analyses fail
255-
run: exit $(( steps.analysis.outcome == 'failure' ))
275+
run: |
276+
[[ "${{ steps.analysis.outcome }}" == "failure" ]] && exit 1 || exit 0
256277
shell: bash
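Review bot: the replacement is correct and the old line could never have worked: `exit $(( steps.analysis.outcome == 'failure' ))` handed `steps.analysis.outcome` to bash arithmetic, not to the expressions engine, and the `.` makes that an arithmetic syntax error. Note that this step only matters if the analysis step carries `continue-on-error: true` (not visible in this diff); otherwise the job has already failed before "Save cache" and this step run. A plain `if ... then exit 1; fi` would also read more clearly than the `&&`/`||` chain.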
