phoenix-oss/llama-stack-mirror
0
0
Fork 1
mirror of https://github.com/meta-llama/llama-stack.git synced 2025-12-03 18:00:36 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix: update check-workflows-use-hashes to use github error format (#2875)

Browse source 
# What does this PR do?
Updates the script `scripts/check-workflows-use-hashes.sh` to improve
error reporting by adopting GitHub Actions error annotation format.

* Updated the script to use GitHub Actions error annotation format
(`::error file={name},line={line},col={col}::{message}`) making error
messages more actionable and easier to locate in workflows.
* Modified the script to include line numbers for `uses:` references by
using `grep -n` and extracting line numbers, improving the precision of
error reporting.

Closes #2778

## Test Plan

- Violation check - Created test file with mixed SHA/non-SHA actions

```
echo 'uses: actions/checkout@v4' > test-workflow.yml
echo 'uses: actions/upload-artifact@main' >> test-workflow.yml
```
Result: Correctly detected violations with precise line numbers
```
./scripts/check-workflows-use-hashes.sh
Output:
::error file=test-workflow.yml,line=14::uses non-SHA action ref: uses: actions/checkout@v4
::error file=test-workflow.yml,line=20::uses non-SHA action ref: uses: actions/upload-artifact@main
```

- Verified existing project workflows pass
```
./scripts/check-workflows-use-hashes.sh
# Result: Exit code 0 (all workflows properly SHA-pinned)
```
This commit is contained in:
Mohit Gaur 2025-07-24 21:11:17 +05:30 committed by GitHub
parent e33a50480d
commit 5ef2baacdc
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 11 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

20
scripts/check-workflows-use-hashes.sh
View file

@ -12,21 +12,23 @@ set -euo pipefail
failed=0
# Find all workflow YAML files
# Use GitHub Actions error format
# ::error file={name},line={line},col={col}::{message}
for file in $(find .github/workflows/ -type f \( -name "*.yml" -o -name "*.yaml" \)); do
IFS=$'\n'
# Grep for `uses:` lines that look like actions
for line in $(grep -E '^.*uses:[^@]+@[^ ]+' "$file"); do
# Extract the ref part after the last @
# Get line numbers for each 'uses:'
while IFS= read -r match; do
line_num=$(echo "$match" | cut -d: -f1)
line=$(echo "$match" | cut -d: -f2-)
ref=$(echo "$line" | sed -E 's/.*@([A-Za-z0-9._-]+).*/\1/')
# Check if ref is a 40-character hex string (full SHA).
#
# Note: strictly speaking, this could also be a tag or branch name, but
# we'd have to pull this info from the remote. Meh.
if ! [[ $ref =~ ^[0-9a-fA-F]{40}$ ]]; then
echo "ERROR: $file uses non-SHA action ref: $line"
# Output in GitHub Actions annotation format
echo "::error file=$file,line=$line_num::uses non-SHA action ref: $line"
failed=1
fi
done
done < <(grep -n -E '^.*uses:[^@]+@[^ ]+' "$file")
done
exit $failed