Conversation
|
This is in a very early stage and meant to just gather feedback and opinions about the approach. |
|
@raboof do you think it's worth tackling this one? |
|
This looks helpful to me. Does it actually share code with |
It does use the load_actions and a data class. But nothing that presents moving the code to a separate .py file. |
snazy
force-pushed
the
gh-action-sha-tag-check
branch
19 times, most recently
from
af91fe6 to
185416b
Compare
|
Made some progress on this one. Moved the code to a separate source file and added it to the The four remaining ones are because the The warnings are:
|
snazy
force-pushed
the
gh-action-sha-tag-check
branch
6 times, most recently
from
6a82461 to
a1796d0
Compare
snazy
force-pushed
the
gh-action-sha-tag-check
branch
4 times, most recently
from
4a17c00 to
41c0e43
Compare
snazy
changed the title
snazy
force-pushed
the
gh-action-sha-tag-check
branch
from
40c514a to
c62528e
Compare
| # Unauthorized GH API requests are quite rate-limited. | ||
| # Tip: add an extra space before 'export' to prevent adding the line to the shell history. | ||
| # export GH_TOKEN=$(gh auth token) | ||
| gh_token = os.environ['GH_TOKEN'] |
There was a problem hiding this comment.
isn't GITHUB_TOKEN more common? (and perhaps even already set?)
There was a problem hiding this comment.
Makes sense - OK to keep it then (though perhaps we should standardize on one)
.github/workflows/update_actions.yml
Outdated
| g.update_patterns("approved_patterns.yml", "actions.yml") | ||
|
|
||
| import action_tags as at | ||
| result = at.verify_actions("actions.yml") |
There was a problem hiding this comment.
can we move this to a job that only has contents: read permissions?
raboof
left a comment
raboof
left a comment
There was a problem hiding this comment.
This seems like a helpful check. I'm not sure it should be executed as part of the Handle Dependabot update workflow, perhaps it should be in its own periodically-scheduled workflow? we'd expect dependabot to specify the 'right' values, but they might change over time.
snazy
force-pushed
the
gh-action-sha-tag-check
branch
from
c62528e to
2a780ec
Compare
incorrectly introduced in https://github.com/apache/infrastructure-actions/pull/419/changes Also adding 0.18.0 as used in https://github.com/apache/skywalking-data-collect-protocol/blob/master/.github/workflows/ci.yaml
follow-up on apache#363, apparently missed some
Remove 'expires_at' if there is also 'keep', since 'keep' currently takes precendence. We'll want to remove the 'keep' entries for most of these cases eventually, but let's do that gradually to reduce impact. See also apache#252
Add the "current" Git commit ID for the moving tag.
Update the moving tag `v5` with the current SHA.
This change introduces a new function `verify_actions` to validate the contents against GitHub.
TL;DR
The function verifies that the SHAs specified in `actions.yml` exist in the GH repo.
Also ensures that the SHA exists on the Git tag, if the `tag` attribute is specified.
The rest of the (currently spaghetti code) function is a lot of output and error(failure) and warning collection.
Although it issues quite a few GH API requests, the rate limiter should not kick in (with an authenticated GH token).
I opted to rely on the HTTP/1.1 `urllib.request` stuff, which has no connection-reuse. The alternative would have been to add a dependency.
The algorithm roughly works like this, for each action specified in `actions.yml`:
* Issue a warning and stop, if the name is like `OWNER/*` ("wildcard" repository).
Can't verify Git SHAs in this case.
* Issue a warning and stop, if the name is like `docker:*` (not implemented)
* Issue an error and stop, if the name doesn't start with an `OWNER/REPO` pattern.
* Each expired entry is just skipped
* If there is a wildcard reference and a SHA reference, issue an error.
Then, for each reference for an action:
* If no `tag` is specified, let GH resolve the commit SHA.
Emit a warning to add the value of the `tag` attribute, if the SHA can be resolved.
Otherwise, emit an error.
* If `tag` is specified:
* Add the SHA to the set of requested-shas-by-tag
* Call GH's "matching-refs" endpoint for the 'tag' value
* Emit en error, if the object type is not a tag or commit.
* Also resolve 'tag' object types to 'commit' object types.
* Add each returned SHA to the set of valid-shas-by-tag.
* For each "requested tag" verify that the sets of valid and requested shas intersect. If not, emit an error.
snazy
force-pushed
the
gh-action-sha-tag-check
branch
from
7e0d2d2 to
2714ffb
Compare
2 participants
This change introduces a new function
verify_actionsto validate the contents against GitHub.TL;DR
The function verifies that the SHAs specified in
actions.ymlexist in the GH repo. Also ensures that the SHA exists on the Git tag, if thetagattribute is specified. The rest of the function is a lot of output and error(failure) and warning collection.Although it issues quite a few GH API requests, the rate limiter should not kick in (with an authenticated GH token, GH workflows have a limit of 15k requests). I opted to rely on the HTTP/1.1
urllib.requeststuff, which has no connection-reuse. The alternative would have been to add a dependency.The algorithm roughly works like this, for each action specified in
actions.yml:OWNER/*("wildcard" repository). Can't verify Git SHAs in this case.docker:*(not implemented)OWNER/REPOpattern.Then, for each reference for an action:
tagis specified, let GH resolve the commit SHA. Emit a warning to add the value of thetagattribute, if the SHA can be resolved. Otherwise, emit an error.tagis specified:Fixes #110