Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add optional lint to require that actions are pinned to commit hashes #436

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions config.go
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,8 @@ type Config struct {
// Paths is a "paths" mapping in the configuration file. The keys are glob patterns to match file paths.
// And the values are corresponding configurations applied to the file paths.
Paths map[string]PathConfig `yaml:"paths"`
// Requires action and docker versions to use a commit hash instead of version/branch.
RequireCommitHash bool `yaml:"require-commit-hash"`
}

// PathConfigs returns a list of all PathConfig values matching to the given file path. The path must
Expand Down
7 changes: 7 additions & 0 deletions docs/checks.md
Original file line number Diff line number Diff line change
Expand Up @@ -1708,6 +1708,9 @@ jobs:
- uses: 'docker://image:'
# ERROR: local action must start with './'
- uses: .github/my-actions/do-something
# Optional when `require-commit-hash: true` is set in .github/actionlint.yaml:
# ERROR: not pinned to commit hash
- uses: actions/checkout@main
```

Output:
Expand All @@ -1729,6 +1732,10 @@ test.yaml:13:15: specifying action ".github/my-actions/do-something" in invalid
|
13 | - uses: .github/my-actions/do-something
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
test.yaml:16:15: specifying action "actions/checkout@main" in invalid format because action versions must be pinned to a SHA hash. available formats are "{owner}/{repo}@{sha}" or "{owner}/{repo}/{path}@{sha}" [action]
|
16 | - uses: actions/checkout@main
| ^~~~~~~~~~~~~~~~~~~~~
```

[Playground](https://rhysd.github.io/actionlint/#eNpczbEOwyAMBNA9X+EtE0XqyNRfAWIBTbGj2K7Uv69olYXppHsnHVOAw6QuT04SFgBF0ZEAp5G44ZaM1NwrDvuRKB7yXwE4MEEJELM2JvG5Yt7ZdOKrfrzvk6wb5x3P4H3rsWBYJ7+VptWS7x93fWzshDtqbVS+AQAA//+oTjwo)
Expand Down
3 changes: 3 additions & 0 deletions docs/config.md
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,8 @@ paths:
ignore:
# Ignore errors from the old runner check. This may be useful for (outdated) self-hosted runner environment.
- 'the runner of ".+" action is too old to run on GitHub Actions'
# Require actions to be pinned to commit hashes instead of tags/branches
require-commit-hash: true
```

- `self-hosted-runner`: Configuration for your self-hosted runner environment.
Expand All @@ -57,6 +59,7 @@ paths:
- `ignore`: The configuration to ignore (filter) the errors by the error messages. This is an array of regular
expressions. When one of the patterns matches the error message, the error will be ignored. It's similar to the
`-ignore` command line option.
- `require-commit-hash`: Optional lint to require actions to be pinned to commit hashes instead of tags/branches. Defaults to `false`.

## Generate the initial configuration

Expand Down
4 changes: 4 additions & 0 deletions linter_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -201,6 +201,10 @@ func TestLinterLintError(t *testing.T) {

l.defaultConfig = &Config{}

if strings.Contains(testName, "security") {
l.defaultConfig.RequireCommitHash = true
}

errs, err := l.Lint("test.yaml", b, proj)
if err != nil {
t.Fatal(err)
Expand Down
17 changes: 17 additions & 0 deletions rule_action.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ import (
"net/url"
"os"
"path/filepath"
"regexp"
"strconv"
"strings"
)
Expand Down Expand Up @@ -286,6 +287,10 @@ var BrandingIcons = map[string]struct{}{
"zoom-out": {},
}

var hashRegex = regexp.MustCompile("^[0-9a-f]{40}$")
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could use short hashes as well, but I was almost certain that would conflict with branch names so this seems better.


var dockerDigestHashRegex = regexp.MustCompile("^sha256:")

// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runsimage
func isImageOnDockerRegistry(image string) bool {
return strings.HasPrefix(image, "docker://") ||
Expand Down Expand Up @@ -371,6 +376,10 @@ func (rule *RuleAction) checkRepoAction(spec string, exec *ExecAction) {
rule.invalidActionFormat(exec.Uses.Pos, spec, "owner and repo and ref should not be empty")
}

if rule.config != nil && rule.config.RequireCommitHash && !hashRegex.MatchString(ref) {
rule.invalidActionFormatCommitHash(exec.Uses.Pos, spec, "action versions must be pinned to a SHA hash")
}

meta, ok := PopularActions[spec]
if !ok {
if _, ok := OutdatedPopularActionSpecs[spec]; ok {
Expand All @@ -394,6 +403,10 @@ func (rule *RuleAction) invalidActionFormat(pos *Pos, spec string, why string) {
rule.Errorf(pos, "specifying action %q in invalid format because %s. available formats are \"{owner}/{repo}@{ref}\" or \"{owner}/{repo}/{path}@{ref}\"", spec, why)
}

func (rule *RuleAction) invalidActionFormatCommitHash(pos *Pos, spec string, why string) {
rule.Errorf(pos, "specifying action %q in invalid format because %s. available formats are \"{owner}/{repo}@{sha}\" or \"{owner}/{repo}/{path}@{sha}\"", spec, why)
}

func (rule *RuleAction) missingRunsProp(pos *Pos, prop, ty, action, path string) {
rule.Errorf(pos, `%q is required in "runs" section because %q is a %s action. the action is defined at %q`, prop, action, ty, path)
}
Expand Down Expand Up @@ -522,6 +535,10 @@ func (rule *RuleAction) checkDockerAction(uri string, exec *ExecAction) {
if tagExists && tag == "" {
rule.Errorf(exec.Uses.Pos, "tag of Docker action should not be empty: %q", uri)
}

if rule.config != nil && rule.config.RequireCommitHash && !dockerDigestHashRegex.MatchString(tag) {
rule.Errorf(exec.Uses.Pos, "docker versions must be pinned to a SHA hash: %q", uri)
}
}

// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions
Expand Down
2 changes: 2 additions & 0 deletions testdata/examples/invalid_action_format_security.out
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
test.yaml:7:15: specifying action "actions/checkout@main" in invalid format because action versions must be pinned to a SHA hash. available formats are "{owner}/{repo}@{sha}" or "{owner}/{repo}/{path}@{sha}" [action]
test.yaml:9:15: docker versions must be pinned to a SHA hash: "docker://image" [action]
13 changes: 13 additions & 0 deletions testdata/examples/invalid_action_format_security.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
on: push
jobs:
test:
runs-on: ubuntu-latest
steps:
# ERROR: not pinned to commit hash
- uses: actions/checkout@main
# ERROR: docker image not pinned to commit hash
- uses: 'docker://image:latest'
# OK: pinned to commit hash
- uses: actions/checkout@db41740e12847bb616a339b75eb9414e711417df
# OK: docker image pinned to commit hash
- uses: docker://image:sha256:3235326357dfb65f1781dbc4df3b834546d8bf914e82cce58e6e6b676e23ce8f