	# What does this PR do?
Updates the script `scripts/check-workflows-use-hashes.sh` to improve
error reporting by adopting GitHub Actions error annotation format.
* Updated the script to use GitHub Actions error annotation format
(`::error file={name},line={line},col={col}::{message}`) making error
messages more actionable and easier to locate in workflows.
* Modified the script to include line numbers for `uses:` references by
using `grep -n` and extracting line numbers, improving the precision of
error reporting.
Closes #2778
## Test Plan
- Violation check - created a test workflow containing non-SHA (tag/branch) action refs
```
echo 'uses: actions/checkout@v4' > test-workflow.yml
echo 'uses: actions/upload-artifact@main' >> test-workflow.yml
```
Result: Correctly detected violations with precise line numbers
```
./scripts/check-workflows-use-hashes.sh
Output:
::error file=test-workflow.yml,line=14::uses non-SHA action ref: uses: actions/checkout@v4
::error file=test-workflow.yml,line=20::uses non-SHA action ref: uses: actions/upload-artifact@main
```
- Verified existing project workflows pass
```
./scripts/check-workflows-use-hashes.sh
# Result: Exit code 0 (all workflows properly SHA-pinned)
```
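#!/usr/bin/env bash
# Copyright (c) Meta Platforms, Inc. and affiliates.
# All rights reserved.
#
# This source code is licensed under the terms described in the LICENSE file in
# the root directory of this source tree.
#
# Fails if any GitHub Actions workflow uses an external action without a full SHA pin.
#
# Why: `@v4`, `@main` and Docker image tags are mutable, so the owner of the
# upstream repository (or anyone who compromises it) can change what runs in
# our CI with our secrets. A full commit SHA / image digest is immutable.
#
# Usage: scripts/check-workflows-use-hashes.sh [WORKFLOWS_DIR]
#   WORKFLOWS_DIR defaults to .github/workflows (run from the repository root).
#
# Each violation is printed as a GitHub Actions annotation,
#   ::error file={name},line={line}::{message}
# so it is shown inline on the pull request. Exit status is 1 if any violation
# was found, 0 otherwise.

set -euo pipefail

workflows_dir=${1:-.github/workflows}

#######################################
# Decide whether a `uses:` value is immutably pinned.
# Arguments: $1 - the `uses:` value with quotes, whitespace and comments stripped
# Returns:   0 when pinned (or a local action), 1 otherwise
#######################################
is_pinned_ref() {
    local ref=$1

    # Local actions (./path) ship with this repository and are versioned
    # together with the workflow, so there is nothing external to pin.
    if [[ "$ref" == ./* ]]; then
        return 0
    fi

    # Container actions: only a sha256 digest is immutable; `image:tag` is not.
    if [[ "$ref" == docker://* ]]; then
        [[ "$ref" =~ @sha256:[0-9a-fA-F]{64}$ ]] && return 0
        return 1
    fi

    # Repository actions: owner/repo[/path]@<ref>. Only a full 40-hex commit
    # SHA counts. A bare `owner/repo` with no `@` is NOT accepted: it silently
    # tracks the default branch, which is the most mutable ref of all.
    [[ "$ref" =~ @[0-9a-fA-F]{40}$ ]] && return 0
    return 1
}

failed=0

if [[ ! -d "$workflows_dir" ]]; then
    # Nothing to scan is not a pinning violation, but say so rather than
    # passing silently when the script is run from the wrong directory.
    printf 'check-workflows-use-hashes: no workflow directory at %s; nothing to check\n' \
        "$workflows_dir" >&2
    exit 0
fi

# Matches a `uses:` key (optionally as a `- ` list item) and captures its value.
# Anchoring on the key skips YAML comments and `uses:` text inside `run:` bodies,
# which the old "anywhere on the line" match would have reported.
uses_re='^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*(.*)$'

# NUL-delimited so paths with spaces survive; sorted for stable output.
while IFS= read -r -d '' file; do
    line_num=0
    # `|| [[ -n "$line" ]]` keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [[ -n "$line" ]]; do
        line_num=$((line_num + 1))
        [[ "$line" =~ $uses_re ]] || continue

        value=${BASH_REMATCH[1]}
        value=${value//[\"\']/}        # tolerate quoted values
        value=${value%%[[:space:]]*}   # first word only; drops a trailing `# comment` and CR

        if ! is_pinned_ref "$value"; then
            # GitHub Actions annotation format; rendered inline on the PR diff.
            printf '::error file=%s,line=%d::uses non-SHA action ref: %s\n' \
                "$file" "$line_num" "$line"
            failed=1
        fi
    done < "$file"
done < <(find "$workflows_dir" -type f \( -name '*.yml' -o -name '*.yaml' \) -print0 | sort -z)

exit "$failed"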