Add static analysis for Github Action files #771

Open
mrdavidburns opened this issue Feb 3, 2025 · 1 comment
@mrdavidburns (Member)

Add validator and security checks for Github Actions

@elvism-lullabot elvism-lullabot self-assigned this Feb 11, 2025
@elvism-lullabot (Collaborator) commented Feb 20, 2025

@mrdavidburns
Is it necessary to integrate the Zizmor plugin into drainpipe in the same way as was done for @action-validator?


The @action-validator package has been integrated in the github:actions:lint task to facilitate testing this functionality. Please follow the next steps.

```yaml
actions:lint:
  desc: Run lint on Github Actions and Workflows
  summary: |
    Runs @action-validator/cli on GitHub Actions and Workflows
    usage: task github:actions:lint
      directories=<directories> A list of directories separated by spaces. Defaults to ".github/workflows .github/actions"
  cmds:
    - |
      # Default search roots; overridable with `task github:actions:lint directories="..."`
      directories=".github/workflows .github/actions"
      if [ "{{ .directories }}" != "" ]; then directories="{{ .directories }}"; fi
      if [ -f ./vendor/bin/action-validator ]; then
        find $directories -type f \( -iname '*.yaml' -o -iname '*.yml' \) | xargs -n1 ./vendor/bin/action-validator
      # Fallback for architectures that don't have a release e.g. Windows
      else
        yamls=$(find $directories -type f \( -iname '*.yaml' -o -iname '*.yml' \))
        echo $yamls | xargs -n1 action-validator
      fi
```

  • Create a new Drupal project:
  • git clone https://git.drupalcode.org/project/drupal.git
  • cd drupal
  • ddev config --project-type drupal
  • ddev start
  • ddev composer install
  • ddev composer require drush/drush
  • ddev drush site:install -y
  • ddev launch

Then install drainpipe

  • composer config extra.drupal-scaffold.gitignore true
  • composer config --json extra.drupal-scaffold.allowed-packages "[\"lullabot/drainpipe\", \"lullabot/drainpipe-dev\"]"
  • composer require lullabot/drainpipe
  • composer require lullabot/drainpipe-dev --dev
  • ddev restart

It is necessary to create workflows and actions directories as follows:

  • .github/workflows
  • .github/actions

You should create a file named example-workflow.yml within either the workflows or actions directory. The contents of this file could be as follows:

```yaml
name: learn-github-actions
run-name: ${{ github.actor }} is learning GitHub Actions
on: [push]
jobs:
  check-bats-version:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm install -g bats
      - run: bats -v
```

To test the task, run the command:

ddev task github:actions:lint

In the absence of errors, the output will be devoid of content. However, should modifications be made to the file, for instance:

```yaml
name: learn-github-actions
run-name: ${{ github.actor }} is learning GitHub Actions
on: [push]
jobs:
  check-bats-version:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm install -g bats
      - run
```

The output would be:

```
Fatal error validating .github/workflows/example-workflow.yml
[github:actions:lint] Validation failed: ValidationState {
[github:actions:lint]     action_type: Some(
[github:actions:lint]         Workflow,
[github:actions:lint]     ),
[github:actions:lint]     file_path: Some(
[github:actions:lint]         ".github/workflows/example-workflow.yml",
[github:actions:lint]     ),
[github:actions:lint]     errors: [
[github:actions:lint]         OneOf {
[github:actions:lint]             code: "one_of",
[github:actions:lint]             detail: None,
[github:actions:lint]             path: "/jobs/check-bats-version",
[github:actions:lint]             title: "OneOf conditions are not met",
[github:actions:lint]             states: [
[github:actions:lint]                 ValidationState {
[github:actions:lint]                     action_type: None,
[github:actions:lint]                     file_path: None,
[github:actions:lint]                     errors: [
[github:actions:lint]                         OneOf {
[github:actions:lint]                             code: "one_of",
[github:actions:lint]                             detail: None,
[github:actions:lint]                             path: "/jobs/check-bats-version/steps/3",
[github:actions:lint]                             title: "OneOf conditions are not met",
[github:actions:lint]                             states: [
[github:actions:lint]                                 ValidationState {
[github:actions:lint]                                     action_type: None,
[github:actions:lint]                                     file_path: None,
[github:actions:lint]                                     errors: [
[github:actions:lint]                                         WrongType {
[github:actions:lint]                                             code: "wrong_type",
[github:actions:lint]                                             detail: Some(
[github:actions:lint]                                                 "The value must be object",
[github:actions:lint]                                             ),
[github:actions:lint]                                             path: "/jobs/check-bats-version/steps/3",
[github:actions:lint]                                             title: "Type of the value is wrong",
[github:actions:lint]                                         },
[github:actions:lint]                                     ],
[github:actions:lint]                                 },
[github:actions:lint]                                 ValidationState {
[github:actions:lint]                                     action_type: None,
[github:actions:lint]                                     file_path: None,
[github:actions:lint]                                     errors: [
[github:actions:lint]                                         WrongType {
[github:actions:lint]                                             code: "wrong_type",
[github:actions:lint]                                             detail: Some(
[github:actions:lint]                                                 "The value must be object",
[github:actions:lint]                                             ),
[github:actions:lint]                                             path: "/jobs/check-bats-version/steps/3",
[github:actions:lint]                                             title: "Type of the value is wrong",
[github:actions:lint]                                         },
[github:actions:lint]                                     ],
[github:actions:lint]                                 },
[github:actions:lint]                             ],
[github:actions:lint]                         },
[github:actions:lint]                         WrongType {
[github:actions:lint]                             code: "wrong_type",
[github:actions:lint]                             detail: Some(
[github:actions:lint]                                 "The value must be object",
[github:actions:lint]                             ),
[github:actions:lint]                             path: "/jobs/check-bats-version/steps/3",
[github:actions:lint]                             title: "Type of the value is wrong",
[github:actions:lint]                         },
[github:actions:lint]                     ],
[github:actions:lint]                 },
[github:actions:lint]                 ValidationState {
[github:actions:lint]                     action_type: None,
[github:actions:lint]                     file_path: None,
[github:actions:lint]                     errors: [
[github:actions:lint]                         Properties {
[github:actions:lint]                             code: "properties",
[github:actions:lint]                             detail: Some(
[github:actions:lint]                                 "Additional property 'runs-on' is not allowed",
[github:actions:lint]                             ),
[github:actions:lint]                             path: "/jobs/check-bats-version",
[github:actions:lint]                             title: "Property conditions are not met",
[github:actions:lint]                         },
[github:actions:lint]                         Properties {
[github:actions:lint]                             code: "properties",
[github:actions:lint]                             detail: Some(
[github:actions:lint]                                 "Additional property 'steps' is not allowed",
[github:actions:lint]                             ),
[github:actions:lint]                             path: "/jobs/check-bats-version",
[github:actions:lint]                             title: "Property conditions are not met",
[github:actions:lint]                         },
[github:actions:lint]                         Required {
[github:actions:lint]                             code: "required",
[github:actions:lint]                             detail: None,
[github:actions:lint]                             path: "/jobs/check-bats-version/uses",
[github:actions:lint]                             title: "This property is required",
[github:actions:lint]                         },
[github:actions:lint]                     ],
[github:actions:lint]                 },
[github:actions:lint]             ],
[github:actions:lint]         },
[github:actions:lint]     ],
[github:actions:lint] }
```
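The schema validation above catches a malformed workflow, but a workflow can be schema-valid and still unsafe, which is what the "security checks" half of this issue is about. The script below is an added example, not code from drainpipe, action-validator or zizmor: it runs three checks of the kind zizmor automates (unpinned `uses:` references, untrusted `${{ }}` expressions inside `run:` scripts, and a missing top-level `permissions:` block) over two constructed sample workflows. The sample files, the `check_workflow` helper and its companions are assumptions made for this example; the checks assume POSIX sh, `grep -E` and `awk`, and unquoted `uses:` values.

```shell
#!/bin/sh
# Added example, not code from drainpipe, action-validator or zizmor.
# Three security checks to run next to schema validation: a workflow can be
# schema-valid and still unsafe. Assumptions: POSIX sh, grep -E and awk,
# unquoted `uses:` values; both sample workflows are constructed here.

# 1. `uses:` references not pinned to a 40-hex commit SHA. A tag such as @v4
#    is mutable: anyone who can push to the action's repo can move it.
#    Local (./path) and docker:// references are skipped.
unpinned_uses() {
  grep -nE '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
    | grep -vE 'uses:[[:space:]]*(\./|docker://)' \
    | grep -vE '@[0-9a-f]{40}([[:space:]]|$)' || true
}

# 2. Untrusted event fields expanded with ${{ }} inside a `run:` script are
#    substituted into the shell text before it executes (expression
#    injection). The same value passed via `env:` is safe, so only lines
#    inside a run block count: the block ends at the first non-blank line
#    indented no deeper than the `run:` key itself.
injection_in_run() {
  awk '
    {
      match($0, /^[ ]*/); ind = RLENGTH
      if (in_run && ind <= run_ind && $0 !~ /^[ ]*$/) in_run = 0
      if ($0 ~ /^[ ]*-?[ ]*run:/) {
        in_run = 1; match($0, /^[ ]*-?[ ]*/); run_ind = RLENGTH
      }
      if (in_run && $0 ~ /[$][{][{][ ]*github[.](event[.](issue|pull_request|comment|review|discussion)[.]|head_ref)/)
        print FILENAME ":" NR ":" $0
    }' "$1"
}

# 3. Without a top-level `permissions:` block GITHUB_TOKEN gets the
#    repository default scopes, which may be read/write.
missing_permissions() {
  grep -qE '^permissions:' "$1" \
    || echo "$1: no top-level permissions: block (GITHUB_TOKEN uses repository defaults)"
}

count_lines() { wc -l | tr -d ' \n'; }

# Run every check over one file; print findings; return 1 if there are any.
check_workflow() {
  findings=$( { unpinned_uses "$1"; injection_in_run "$1"; missing_permissions "$1"; } )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Constructed samples: a risky workflow and its hardened form.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
RISKY="$tmp/risky.yml"; HARDENED="$tmp/hardened.yml"
cat > "$RISKY" <<'EOF'
name: triage
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "New issue: ${{ github.event.issue.title }}"
      - run: |
          echo "ref=${{ github.head_ref }}"
        env:
          TITLE: ${{ github.event.issue.title }}
      - run: echo "$TITLE"
        env:
          TITLE: ${{ github.event.issue.title }}
EOF
cat > "$HARDENED" <<'EOF'
name: triage
on:
  issues:
    types: [opened]
permissions:
  issues: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      # SHA the actions/checkout v4.2.2 tag pointed to when this was written; verify before reuse
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - run: echo "New issue: $TITLE"
        env:
          TITLE: ${{ github.event.issue.title }}
EOF

for f in "$RISKY" "$HARDENED"; do
  if check_workflow "$f"; then echo "$f: no findings"; fi
done
```

The risky file produces four findings (one unpinned action, two expressions inside `run:` scripts, no `permissions:` block); the hardened file produces none, because the same issue title is moved into `env:` and read as `$TITLE` by the shell. The `run:` block tracking keys on indentation only, so treat this as a lint that sits next to action-validator in the task, feeding it the same `find` output, rather than as a replacement for a real parser.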
