@@ -29,141 +29,141 @@ jobs:
2929
3030name : Check and update action references
3131 env :
32- GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
33- run : |
34- python << 'EOF'
35- import os
36- import re
37- import glob
38- from github import Github
39-
40- # Initialize GitHub client
41- g = Github(os.environ['GITHUB_TOKEN'])
42- repo = g.get_repo(os.environ['GITHUB_REPOSITORY'])
43-
44- # Find all workflow files
45- workflow_files = glob.glob('.github/workflows/*.yml')
46-
47- # Initialize counts
48- updated_files = 0
49- updates = 0
50-
51- for workflow_file in workflow_files:
52- with open(workflow_file, 'r') as f:
53- content = f.read()
54-
55- # Find action references: uses: owner/repo@ref
56- action_pattern = r'uses:\s+([a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+)@([a-zA-Z0-9_.-]+)(\s+#.*)?'
57- matches = re.findall(action_pattern, content)
58-
59- updated_content = content
60- file_updated = False
61-
62- for match in matches:
63- action, version, comment = match
64- # Skip if already pinned to a SHA
65- if len(version) == 40 and all(c in '0123456789abcdef' for c in version.lower()):
66- continue
67-
68- try:
69- # Get the SHA for the tag/branch
70- action_repo = g.get_repo(action)
71- if version.startswith('v'):
72- # It's likely a tag
73- try:
74- ref = action_repo.get_git_ref(f"tags/{version}")
75- sha = ref.object.sha
76-
77- # For annotated tags, we need to get the commit SHA
78- if ref.object.type == 'tag':
79- tag = action_repo.get_git_tag(sha)
80- sha = tag.object.sha
81- except Exception as e:
82- print(f"Error resolving tag {version} for {action}: {str(e)}")
83- continue
84- else:
85- # It's likely a branch
86- try:
87- ref = action_repo.get_git_ref(f"heads/{version}")
88- sha = ref.object.sha
89- except Exception as e:
90- print(f"Error resolving branch {version} for {action}: {str(e)}")
91- continue
92-
93- # Create updated reference with SHA
94- old_ref = f"uses: {action}@{version}"
95- new_ref = f"uses: {action}@{sha} # {version}"
96-
97- # Update the content
98- updated_content = updated_content.replace(old_ref, new_ref)
99- print(f"Updating {workflow_file}: {old_ref} -> {new_ref}")
100- file_updated = True
101- updates += 1
102-
103- except Exception as e:
104- print(f"Error processing {action}@{version}: {str(e)}")
105- continue
106-
107- # Write updated content back to the file
108- if file_updated:
109- with open(workflow_file, 'w') as f:
110- f.write(updated_content)
111- updated_files += 1
112-
113- # Create a PR if there were updates
114- if updated_files > 0:
115- try:
116- branch_name = "action-sha-updates"
117- base_branch = repo.default_branch
118-
119- # Check if branch exists and delete if it does
120- try:
121- repo.get_git_ref(f"heads/{branch_name}")
122- repo.get_git_ref(f"heads/{branch_name}").delete()
123- except:
124- pass
125-
126- # Create branch
127- sb = repo.get_branch(base_branch)
128- repo.create_git_ref(ref=f"refs/heads/{branch_name}", sha=sb.commit.sha)
129-
130- # Commit changes
131- commit_message = f"Update action references with SHA pins\n\nUpdated {updates} references in {updated_files} workflow files"
132-
133- # Create a commit with all changes
134- element_list = []
135- for workflow_file in workflow_files:
136- with open(workflow_file, 'r') as f:
137- content = f.read()
138-
139- element = {
140- "path": workflow_file,
141- "mode": "100644",
142- "type": "blob",
143- "content": content
144- }
145- element_list.append(element)
146-
147- base_tree = repo.get_git_tree(sb.commit.sha)
148- tree = repo.create_git_tree(element_list, base_tree)
149- parent = repo.get_git_commit(sb.commit.sha)
150- commit = repo.create_git_commit(commit_message, tree, [parent])
151- ref = repo.get_git_ref(f"heads/{branch_name}")
152- ref.edit(commit.sha)
153-
154- # Create a PR
155- pr = repo.create_pull(
156- title="Update GitHub Action references with SHA pins",
157- body="This PR updates GitHub Action references to use SHA pins for better security.",
158- base=base_branch,
159- head=branch_name
160- )
161- print(f"Created PR #{pr.number}")
162-
163- except Exception as e:
164- print(f"Error creating PR: {str(e)}")
165- exit(1)
166-
32+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
33+ run : |
34+ python << 'EOF'
35+ import os
36+ import re
37+ import glob
38+ from github import Github
39+
40+ # Initialize GitHub client
41+ g = Github(os.environ['GITHUB_TOKEN'])
42+ repo = g.get_repo(os.environ['GITHUB_REPOSITORY'])
43+
44+ # Find all workflow files
45+ workflow_files = glob.glob('.github/workflows/*.yml')
46+
47+ # Initialize counts
48+ updated_files = 0
49+ updates = 0
50+
51+ for workflow_file in workflow_files:
52+ with open(workflow_file, 'r') as f:
53+ content = f.read()
54+
55+ # Find action references: uses: owner/repo@ref
56+ action_pattern = r'uses:\s+([a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+)@([a-zA-Z0-9_.-]+)(\s+#.*)?'
57+ matches = re.findall(action_pattern, content)
58+
59+ updated_content = content
60+ file_updated = False
61+
62+ for match in matches:
63+ action, version, comment = match
64+ # Skip if already pinned to a SHA
65+ if len(version) == 40 and all(c in '0123456789abcdef' for c in version.lower()):
66+ continue
67+
68+ try:
69+ # Get the SHA for the tag/branch
70+ action_repo = g.get_repo(action)
71+ if version.startswith('v'):
72+ # It's likely a tag
73+ try:
74+ ref = action_repo.get_git_ref(f"tags/{version}")
75+ sha = ref.object.sha
76+
77+ # For annotated tags, we need to get the commit SHA
78+ if ref.object.type == 'tag':
79+ tag = action_repo.get_git_tag(sha)
80+ sha = tag.object.sha
81+ except Exception as e:
82+ print(f"Error resolving tag {version} for {action}: {str(e)}")
83+ continue
16784 else:
168- print("No updates needed.")
169- EOF
85+ # It's likely a branch
86+ try:
87+ ref = action_repo.get_git_ref(f"heads/{version}")
88+ sha = ref.object.sha
89+ except Exception as e:
90+ print(f"Error resolving branch {version} for {action}: {str(e)}")
91+ continue
92+
93+ # Create updated reference with SHA
94+ old_ref = f"uses: {action}@{version}"
95+ new_ref = f"uses: {action}@{sha} # {version}"
96+
97+ # Update the content
98+ updated_content = updated_content.replace(old_ref, new_ref)
99+ print(f"Updating {workflow_file}: {old_ref} -> {new_ref}")
100+ file_updated = True
101+ updates += 1
102+
103+ except Exception as e:
104+ print(f"Error processing {action}@{version}: {str(e)}")
105+ continue
106+
107+ # Write updated content back to the file
108+ if file_updated:
109+ with open(workflow_file, 'w') as f:
110+ f.write(updated_content)
111+ updated_files += 1
112+
113+ # Create a PR if there were updates
114+ if updated_files > 0:
115+ try:
116+ branch_name = "action-sha-updates"
117+ base_branch = repo.default_branch
118+
119+ # Check if branch exists and delete if it does
120+ try:
121+ repo.get_git_ref(f"heads/{branch_name}")
122+ repo.get_git_ref(f"heads/{branch_name}").delete()
123+ except:
124+ pass
125+
126+ # Create branch
127+ sb = repo.get_branch(base_branch)
128+ repo.create_git_ref(ref=f"refs/heads/{branch_name}", sha=sb.commit.sha)
129+
130+ # Commit changes
131+ commit_message = f"Update action references with SHA pins\n\nUpdated {updates} references in {updated_files} workflow files"
132+
133+ # Create a commit with all changes
134+ element_list = []
135+ for workflow_file in workflow_files:
136+ with open(workflow_file, 'r') as f:
137+ content = f.read()
138+
139+ element = {
140+ "path": workflow_file,
141+ "mode": "100644",
142+ "type": "blob",
143+ "content": content
144+ }
145+ element_list.append(element)
146+
147+ base_tree = repo.get_git_tree(sb.commit.sha)
148+ tree = repo.create_git_tree(element_list, base_tree)
149+ parent = repo.get_git_commit(sb.commit.sha)
150+ commit = repo.create_git_commit(commit_message, tree, [parent])
151+ ref = repo.get_git_ref(f"heads/{branch_name}")
152+ ref.edit(commit.sha)
153+
154+ # Create a PR
155+ pr = repo.create_pull(
156+ title="Update GitHub Action references with SHA pins",
157+ body="This PR updates GitHub Action references to use SHA pins for better security.",
158+ base=base_branch,
159+ head=branch_name
160+ )
161+ print(f"Created PR #{pr.number}")
162+
163+ except Exception as e:
164+ print(f"Error creating PR: {str(e)}")
165+ exit(1)
166+
167+ else:
168+ print("No updates needed.")
169+ EOF
0 commit comments