mirror of
https://github.com/meta-llama/llama-stack.git
synced 2025-06-27 18:50:41 +00:00
268725868e
# What does this PR do? Don't allow git tags and branches for external actions. Signed-off-by: Ihar Hrachyshka <ihar.hrachyshka@gmail.com>
32 lines
1.1 KiB
Bash
Executable file
32 lines
1.1 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
# Copyright (c) Meta Platforms, Inc. and affiliates.
|
|
# All rights reserved.
|
|
#
|
|
# This source code is licensed under the terms described in the LICENSE file in
|
|
# the root directory of this source tree.
|
|
#
|
|
# Fails if any GitHub Actions workflow uses an external action without a full SHA pin.
|
|
|
|
set -euo pipefail
|
|
|
|
failed=0
|
|
|
|
# Find all workflow YAML files
|
|
for file in $(find .github/workflows/ -type f \( -name "*.yml" -o -name "*.yaml" \)); do
|
|
IFS=$'\n'
|
|
# Grep for `uses:` lines that look like actions
|
|
for line in $(grep -E '^.*uses:[^@]+@[^ ]+' "$file"); do
|
|
# Extract the ref part after the last @
|
|
ref=$(echo "$line" | sed -E 's/.*@([A-Za-z0-9._-]+).*/\1/')
|
|
# Check if ref is a 40-character hex string (full SHA).
|
|
#
|
|
# Note: strictly speaking, this could also be a tag or branch name, but
|
|
# we'd have to pull this info from the remote. Meh.
|
|
if ! [[ $ref =~ ^[0-9a-fA-F]{40}$ ]]; then
|
|
echo "ERROR: $file uses non-SHA action ref: $line"
|
|
failed=1
|
|
fi
|
|
done
|
|
done
|
|
|
|
exit $failed
|