# What does this PR do? Updates the script `scripts/check-workflows-use-hashes.sh` to improve error reporting by adopting GitHub Actions error annotation format. * Updated the script to use GitHub Actions error annotation format (`::error file={name},line={line},col={col}::{message}`) making error messages more actionable and easier to locate in workflows. * Modified the script to include line numbers for `uses:` references by using `grep -n` and extracting line numbers, improving the precision of error reporting. Closes #2778 ## Test Plan - Violation check - Created test file with mixed SHA/non-SHA actions ``` echo 'uses: actions/checkout@v4' > test-workflow.yml echo 'uses: actions/upload-artifact@main' >> test-workflow.yml ``` Result: Correctly detected violations with precise line numbers ``` ./scripts/check-workflows-use-hashes.sh Output: ::error file=test-workflow.yml,line=14::uses non-SHA action ref: uses: actions/checkout@v4 ::error file=test-workflow.yml,line=20::uses non-SHA action ref: uses: actions/upload-artifact@main ``` - Verified existing project workflows pass ``` ./scripts/check-workflows-use-hashes.sh # Result: Exit code 0 (all workflows properly SHA-pinned) ```
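#!/usr/bin/env bash
# Copyright (c) Meta Platforms, Inc. and affiliates.
# All rights reserved.
#
# This source code is licensed under the terms described in the LICENSE file in
# the root directory of this source tree.
#
# Fails if any GitHub Actions workflow uses an external action without a full SHA pin.
#
# Every `uses: owner/repo@<ref>` line (reusable workflows,
# `uses: owner/repo/path@<ref>`, included) must have <ref> equal to a full
# 40-hex commit SHA, so that a moved tag or branch cannot silently change the
# code that runs in CI.
#
# Violations are printed on stdout as GitHub Actions error annotations
# (`::error file={name},line={line}::{message}`); the runner renders them
# inline on the PR. Exit status: 0 when clean, 1 when at least one violation
# was found, 2 when the workflow directory is missing.
#
# Known gaps of the grep below (it only selects lines containing an '@'):
#   - `uses: docker://image:tag` without an `@sha256:...` digest is not flagged;
#   - `uses: owner/repo` with no ref at all is not flagged;
#   - local actions (`uses: ./path`) are skipped, which is intended.

set -euo pipefail

readonly WORKFLOWS_DIR=".github/workflows"

#######################################
# Report every 'uses:' line in one workflow whose ref is not a 40-hex SHA.
# Arguments: $1 - path of the workflow file
# Outputs:   one ::error annotation per violation, on stdout
# Returns:   0 if the file is clean, 1 if at least one violation was found
#######################################
check_workflow_file() {
  local file=$1
  local rc=0
  local match line_num line src ref
  # Greedy '.*@' picks the LAST '@' on the line, i.e. the ref of the action.
  local -r ref_re='.*@([A-Za-z0-9._-]+)'
  local -r sha_re='^[0-9a-fA-F]{40}$'

  while IFS= read -r match; do
    # grep -n output is "<line>:<text>"; split on the first ':' only.
    line_num=${match%%:*}
    line=${match#*:}
    # Drop a trailing YAML comment before extracting the ref, so that an '@'
    # inside a comment can neither be mistaken for the ref nor satisfy the
    # SHA check on behalf of an unpinned action.
    src=${line%%#*}
    if [[ $src =~ $ref_re ]]; then
      ref=${BASH_REMATCH[1]}
    else
      ref=""
    fi
    if ! [[ $ref =~ $sha_re ]]; then
      printf '::error file=%s,line=%s::uses non-SHA action ref: %s\n' \
        "$file" "$line_num" "$line"
      rc=1
    fi
  done < <(grep -n -E '^.*uses:[^@]+@[^ ]+' -- "$file")
  # grep exits 1 for a file with no 'uses: ...@...' line; inside the process
  # substitution that status is not seen by set -e, which is what we want.

  return "$rc"
}

#######################################
# Walk every workflow YAML file and fail if any of them has an unpinned action.
# Globals:   WORKFLOWS_DIR (read)
# Outputs:   ::error annotations on stdout
# Returns:   exits 0 when clean, 1 on a violation, 2 when the directory is missing
#######################################
main() {
  local failed=0
  local file

  # A missing directory must fail loudly: iterating over an empty find result
  # would otherwise report "all workflows pinned" without checking anything.
  if [[ ! -d "$WORKFLOWS_DIR" ]]; then
    printf '::error::workflow directory %s not found\n' "$WORKFLOWS_DIR"
    exit 2
  fi

  # NUL-delimited so filenames containing whitespace are handled intact.
  while IFS= read -r -d '' file; do
    check_workflow_file "$file" || failed=1
  done < <(find "$WORKFLOWS_DIR" -type f \( -name '*.yml' -o -name '*.yaml' \) -print0)

  exit "$failed"
}

main "$@"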