chore: enforce no git tags or branches in external github actions (#2159)

# What does this PR do? Don't allow git tags and branches for external actions. Signed-off-by: Ihar Hrachyshka <ihar.hrachyshka@gmail.com>
2025-06-27 18:50:41 +00:00 · 2025-05-14 14:40:06 -04:00 · 2025-05-14 14:40:06 -04:00 · 268725868e
commit 268725868e
parent a1fbfb51e2
3 changed files with 41 additions and 1 deletions
--- a/.github/workflows/integration-auth-tests.yml
+++ b/.github/workflows/integration-auth-tests.yml
@ -44,7 +44,7 @@ jobs:

      - name: Install minikube
        if: ${{ matrix.auth-provider == 'kubernetes' }}
-        uses: medyagh/setup-minikube@latest
+        uses: medyagh/setup-minikube@cea33675329b799adccc9526aa5daccc26cd5052 # v0.0.19

      - name: Start minikube
        if: ${{ matrix.auth-provider == 'kubernetes' }}
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -106,6 +106,14 @@ repos:
        pass_filenames: false
        require_serial: true
        files: ^llama_stack/apis/|^docs/openapi_generator/
+      - id: check-workflows-use-hashes
+        name: Check GitHub Actions use SHA-pinned actions
+        entry: ./scripts/check-workflows-use-hashes.sh
+        language: system
+        pass_filenames: false
+        require_serial: true
+        always_run: true
+        files: ^\.github/workflows/.*\.ya?ml$

 ci:
    autofix_commit_msg: 🎨 [pre-commit.ci] Auto format from pre-commit.com hooks
--- a/scripts/check-workflows-use-hashes.sh
+++ b/scripts/check-workflows-use-hashes.sh
@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+# Copyright (c) Meta Platforms, Inc. and affiliates.
+# All rights reserved.
+#
+# This source code is licensed under the terms described in the LICENSE file in
+# the root directory of this source tree.
+#
+# Fails if any GitHub Actions workflow uses an external action without a full SHA pin.
+
+set -euo pipefail
+
+failed=0
+
+# Find all workflow YAML files
+for file in $(find .github/workflows/ -type f \( -name "*.yml" -o -name "*.yaml" \)); do
+    IFS=$'\n'
+    # Grep for `uses:` lines that look like actions
+    for line in $(grep -E '^.*uses:[^@]+@[^ ]+' "$file"); do
+        # Extract the ref part after the last @
+        ref=$(echo "$line" | sed -E 's/.*@([A-Za-z0-9._-]+).*/\1/')
+        # Check if ref is a 40-character hex string (full SHA).
+        #
+        # Note: strictly speaking, this could also be a tag or branch name, but
+        # we'd have to pull this info from the remote. Meh.
+        if ! [[ $ref =~ ^[0-9a-fA-F]{40}$ ]]; then
+            echo "ERROR: $file uses non-SHA action ref: $line"
+            failed=1
+        fi
+    done
+done
+
+exit $failed