[feat/bugfix] Allow docker checks (#51)

* Fix README.md links * Add valid/invalid docker uses * Remove SHA1 package (keep it simple) * camelCase for all functions * Short check * Add docker sha256 check * Put regex in const * Resolves merge conflict --------- Co-authored-by: Zennon Gosalvez <[email protected]>
zgosalvez · Feb 19, 2023 · b9ddf6a · b9ddf6a
1 parent 2833a07
commit b9ddf6a
Show file tree

Hide file tree

Showing 9 changed files with 33 additions and 37 deletions.
diff --git a/README.md b/README.md
@@ -45,7 +45,7 @@ jobs:
 ```
 
 ## Contributing
-See [the contributing guide](.github/CONTRIBUTING) for detailed instructions on how to get started with our project.
+See [the contributing guide](.github/CONTRIBUTING.md) for detailed instructions on how to get started with our project.
 
 ## License
-The scripts and documentation in this project are released under the [MIT License](LICENSE)
+The scripts and documentation in this project are released under the [MIT License](LICENSE.md)
diff --git a/dist/index.js b/dist/index.js
diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/dist/licenses.txt b/dist/licenses.txt
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -21,7 +21,6 @@
   "dependencies": {
     "@actions/core": "^1.10.0",
     "@actions/glob": "^0.4.0",
-    "sha1-regex": "^1.0.0",
     "yaml": "^2.2.1"
   },
   "devDependencies": {

diff --git a/src/index.js b/src/index.js
@@ -2,13 +2,15 @@ const core = require('@actions/core');
 const fs = require('fs');
 const glob = require('@actions/glob');
 const path = require('path');
-const sha1 = require('sha1-regex');
 const yaml = require('yaml');
 
+const sha1 = /\b[a-f0-9]{40}\b/i;
+const sha256 = /\b[A-Fa-f0-9]{64}\b/i;
+
 async function run() {
   try {
     const allowlist = core.getInput('allowlist');
-    const isDryRun = core.getInput('dry_run') === 'true' ? true : false;
+    const isDryRun = core.getInput('dry_run') === 'true';
     const workflowsPath = process.env['ZG_WORKFLOWS_PATH'] || '.github/workflows';
     const globber = await glob.create([workflowsPath + '/*.yaml', workflowsPath + '/*.yml'].join('\n'));
     let actionHasError = false;
@@ -31,7 +33,7 @@ async function run() {
         const steps = jobs[job]['steps'];
 
         if (assertUsesVersion(uses)) {
-          if (!assertUsesSHA(uses) && !assertUsesAllowlist(uses, allowlist)) {
+          if (!assertUsesSha(uses) && !assertUsesAllowlist(uses, allowlist)) {
             actionHasError = true;
             fileHasError = true;
 
@@ -41,7 +43,7 @@ async function run() {
           for (const step of steps) {
             const uses = step['uses'];
 
-            if (assertUsesVersion(uses) && !assertUsesSHA(uses) && !assertUsesAllowlist(uses, allowlist)) {
+            if (assertUsesVersion(uses) && !assertUsesSha(uses) && !assertUsesAllowlist(uses, allowlist)) {
               actionHasError = true;
               fileHasError = true;
 
@@ -74,7 +76,11 @@ function assertUsesVersion(uses) {
   return typeof uses === 'string' && uses.includes('@');
 }
 
-function assertUsesSHA(uses) {
+function assertUsesSha(uses) {
+  if (uses.startsWith('docker://')) {
+    return sha256.test(uses.substr(uses.indexOf('sha256:') + 7));
+  }
+
   return sha1.test(uses.substr(uses.indexOf('@') + 1));
 }
 

diff --git a/test/stub/pass/valid.yaml b/test/stub/pass/valid.yaml
@@ -8,4 +8,7 @@ jobs:
   allowlistedstub:
     steps:
     - uses: aws-actions/amazon-ecr-login@v1
-    - uses: docker/login-action@v1
+    - uses: docker/login-action@v1
+  dockerstub:
+    steps:
+    - uses: docker://rhysd/actionlint@sha256:5f957b2a08d223e48133e1a914ed046bea12e578fe2f6ae4de47fdbe691a2468
diff --git a/test/stub/unpinned/file.yaml b/test/stub/unpinned/file.yaml
@@ -2,3 +2,7 @@ jobs:
   stub:
     steps:
     - uses: actions/checkout@v1
+  dockerstub:
+    steps:
+      - uses: docker://rhysd/actionlint:latest
+      - uses: docker://rhysd/actionlint:1.6.22