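# Action's main info
name: "Packj Security Audit"
description: 'Use Packj to avoid malicious and other "risky" open-source software dependencies'
# Action's author name
author: "Ossillate, Inc."
# Action's branding data for GitHub Marketplace
branding:
  icon: "package" # icon name from Feather open source icons pack
  color: "orange"
inputs:
  DEPENDENCY_FILES:
    description: >-
      Comma- or whitespace-separated list of "<package-manager>:<dependency-file>"
      entries to audit; the dependency-file path is relative to the repository
      root and everything after the first colon is taken as the path. Entries
      without a colon are ignored.
    required: true
  REPO_TOKEN:
    description: Your repo GITHUB_TOKEN
    required: true
  PACKJ_REF:
    description: >-
      Optional git ref (tag, branch or commit SHA) of ossillate-inc/packj to run
      the audit with. Leave empty to use the upstream default branch, in which
      case the audit tool is whatever upstream HEAD is at run time (unpinned).
    required: false
    default: ""
runs:
  using: "composite"
  steps:
    # NOTE(review): every third-party action below is referenced by a mutable
    # tag (@v3, @v35, @v2, ...). For an action that ends up holding a
    # write-capable token, pinning each `uses:` to a full commit SHA is the
    # usual supply-chain hardening; the SHAs are deliberately not invented here
    # and must be taken from the upstream repositories when upgrading.
    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
    - name: Check out repository code
      uses: actions/checkout@v3
      with:
        fetch-depth: 100
    - name: Get changed files
      id: changed-files
      uses: tj-actions/changed-files@v35
    - name: Detect changed dependencies
      shell: bash
      # Free-form values are handed to the script through the environment
      # rather than interpolated into its text with an Actions expression.
      # The changed-files output is attacker-controlled on a pull request:
      # a file named "$(...)" or "`...`" pasted into the script would run as
      # shell code on the runner.
      env:
        DEPENDENCY_FILES: ${{ inputs.DEPENDENCY_FILES }}
        ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
      run: |
        # Disable pathname expansion: both lists below are word-split on
        # whitespace (commas count as separators too), and a "*" in a
        # filename must not be globbed against the workspace.
        set -f
        input_files=()
        audit_files=()
        for item in ${DEPENDENCY_FILES//,/ }; do
          # Only "<pm>:<file>" entries are meaningful; skip anything else.
          [[ "$item" == *:* ]] || continue
          pm_name="${item%%:*}"
          dep_file="${item#*:}"
          path="${GITHUB_WORKSPACE}/${dep_file}"
          if [ -f "$path" ]; then
            input_files+=("$dep_file")
            audit_files+=("${pm_name}:${path}")
          fi
        done
        echo "Input files: ${input_files[*]}"
        echo "Audit files: ${audit_files[*]}"
        echo "Files changed: ${ALL_CHANGED_FILES}"
        # The audit only runs when at least one declared dependency file is
        # among the files changed by this push / pull request. Paths are
        # compared verbatim; filenames containing whitespace are split into
        # separate words (as the original loop did).
        passed=false
        for changed_file in ${ALL_CHANGED_FILES}; do
          for input_file in "${input_files[@]}"; do
            if [[ "$changed_file" == "$input_file" ]]; then
              passed=true
              break 2
            fi
          done
        done
        if [[ "$passed" == true ]]; then
          echo "Detected new dependencies: ${audit_files[*]}"
          # Whitespace-separated "<pm>:<absolute path>" list consumed by the
          # audit step. Items cannot contain newlines (they were word-split
          # above), so a single-line GITHUB_ENV assignment is safe.
          echo "AUDIT_DEP_FILES=${audit_files[*]}" >> "$GITHUB_ENV"
        fi
        echo "Detect changed dependencies -> CHECK_PASSED: $passed"
        echo "CHECK_PASSED=$passed" >> "$GITHUB_ENV"
    - name: Check for .packj.yaml file in the repo
      if: env.CHECK_PASSED == 'true'
      id: check_files
      uses: andstor/file-existence-action@v2
      with:
        files: ".packj.yaml"
    - name: Clone Packj repo
      if: env.CHECK_PASSED == 'true'
      shell: bash
      env:
        PACKJ_REF: ${{ inputs.PACKJ_REF }}
      run: |
        git clone https://github.com/ossillate-inc/packj packj-tool
        echo "Packj repo cloned as packj-tool"
        if [ -n "$PACKJ_REF" ]; then
          # Reject values that look like options so the ref can never alter
          # the git invocation itself.
          case "$PACKJ_REF" in
            -*) echo "PACKJ_REF must not start with '-'" >&2; exit 1 ;;
          esac
          git -C packj-tool checkout --quiet "$PACKJ_REF"
          echo "Checked out packj-tool at ref $PACKJ_REF"
        fi
    - name: Copy .packj.yaml from the repo
      if: ${{ env.CHECK_PASSED == 'true' && steps.check_files.outputs.files_exists == 'true' }}
      shell: bash
      run: |
        echo ".packj.yaml found in the repo -> Copying it to packj-tool"
        cp .packj.yaml packj-tool/.
    - name: Setup python & pip
      if: env.CHECK_PASSED == 'true'
      uses: actions/setup-python@v4
      with:
        python-version: "3.10"
        cache: pip
        # The tool was cloned in the step above, so key the pip cache on its
        # requirements rather than on whatever requirements.txt the audited
        # repository may or may not contain.
        cache-dependency-path: packj-tool/requirements.txt
    - name: Create virtual environment
      if: env.CHECK_PASSED == 'true'
      shell: bash
      run: |
        python3 -m venv venv
        # Each step runs in its own shell, so a separate
        # "source venv/bin/activate" step would not outlive itself and the
        # install/audit steps would silently use the interpreter from
        # setup-python instead. Export the venv through GITHUB_ENV and
        # GITHUB_PATH so the following steps really run inside it.
        echo "VIRTUAL_ENV=${PWD}/venv" >> "$GITHUB_ENV"
        echo "${PWD}/venv/bin" >> "$GITHUB_PATH"
    - name: Install Packj's dependencies
      if: env.CHECK_PASSED == 'true'
      shell: bash
      # NOTE(review): requirements.txt comes from the cloned tool and is
      # installed as-is; whether it pins versions or hashes is not visible
      # from this file.
      run: python3 -m pip install -r ./packj-tool/requirements.txt
    - name: Auditing deps with Packj
      if: env.CHECK_PASSED == 'true'
      shell: bash
      run: |
        # AUDIT_DEP_FILES is the whitespace-separated list exported by the
        # detect step; split it into arguments here instead of pasting it
        # into the script text via an Actions expression.
        read -r -a audit_files <<< "$AUDIT_DEP_FILES"
        cd ./packj-tool && python3 main.py audit -f "${audit_files[@]}"
    - name: Analyze audit report
      if: env.CHECK_PASSED == 'true'
      shell: bash
      run: |
        shopt -s nullglob
        # An array instead of "[ -f glob ]": the test form breaks (binary
        # operator expected) as soon as more than one report matches.
        reports=(/tmp/packj_audit_*/*.html)
        run_url="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
        commit_link="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/commit/${GITHUB_SHA}"
        # Multi-line GITHUB_ENV value. The heredoc delimiter is random per
        # run: the body is built from the audit report, i.e. from
        # third-party package metadata, and a fixed "EOF" line inside it
        # would terminate the value early and let the remainder define
        # arbitrary environment variables for later steps.
        delim="PACKJ_BODY_$(openssl rand -hex 16)"
        {
          echo "BODY<<${delim}"
          if [ "${#reports[@]}" -gt 0 ]; then
            # Drop the first nine and last two lines of the report
            # (presumably HTML boilerplate around the findings) and any
            # leading whitespace. POSIX bracket expressions do not know
            # "\s": the earlier "[\s\t\r]" also matched a literal "\" and
            # "s", eating the first letter of lines starting with "s".
            cat "${reports[@]}" | head -n -2 | tail -n +10 | sed 's/^[[:space:]]*//'
          else
            echo "<h4>Failed to perform Packj audit! Refer to workflow run for details</h4>"
          fi
          echo "<h6>Triggered by <a href=\"${run_url}\">workflow run ${GITHUB_RUN_NUMBER}</a> on commit <a href=\"${commit_link}\">${GITHUB_SHA}</a></h6>"
          echo "${delim}"
          echo "TITLE=Packj audit found risky dependencies!"
        } >> "$GITHUB_ENV"
    # Create an issue for 'push' (no head_ref means this is not a pull request)
    - name: Create issue on push
      if: ${{ github.head_ref == '' && env.CHECK_PASSED == 'true' }}
      uses: rishabhgupta/git-action-issue@v2
      with:
        token: ${{ inputs.REPO_TOKEN }}
        title: ${{ env.TITLE }}
        body: ${{ env.BODY }}
    # Comment on the PR
    - name: Comment PR
      if: ${{ github.head_ref && env.CHECK_PASSED == 'true' }}
      uses: actions/[email protected]
      with:
        script: |
          // BODY was exported via GITHUB_ENV by the analyze step and holds
          // report HTML derived from third-party package metadata. It is
          // read from the environment on purpose: interpolating it into
          // this script with an Actions expression would paste untrusted
          // text into JavaScript source, where a backtick or "${...}" in a
          // package's metadata would execute with this step's token.
          const body = `<h2><img src="https://packj.dev/static/img/packj-factory-logo.svg" width="24" alt="Packj"> Packj Audit Report</h2> ${process.env.BODY}`;
          await github.rest.issues.createComment({
            issue_number: context.issue.number,
            owner: context.repo.owner,
            repo: context.repo.repo,
            body,
          });
    - name: Comment PR
      if: ${{ github.head_ref && env.CHECK_PASSED == 'false' }}
      uses: actions/[email protected]
      with:
        script: |
          // Run and commit links come from the github-script context object
          // (same values as the github.* expression context).
          const repoUrl = `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}`;
          const runUrl = `${repoUrl}/actions/runs/${context.runId}`;
          const commitUrl = `${repoUrl}/commit/${context.sha}`;
          await github.rest.issues.createComment({
            issue_number: context.issue.number,
            owner: context.repo.owner,
            repo: context.repo.repo,
            body: `<h2><img src="https://packj.dev/static/img/packj-factory-logo.svg" width="24" alt="Packj"> Packj Audit Report</h2>
          <h4>:white_check_mark: No new dependencies are introduced</h4>
          <h6>Triggered by <a href="${runUrl}">workflow run ${context.runNumber}</a> on commit <a href="${commitUrl}">${context.sha}</a></h6>`,
          });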