-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Continuously validate ghasum checksums at the job level
Remove the GitHub Actions workflow that continuously validates the ghasum checksums for all Actions in this project in favor of a per-job step that validates the ghasum checksums for that job only. This reduces makes jobs self-validating, which prevents potentially compromised jobs from executing while allowing other jobs to keep running. The implementation leverages GitHub Actions context values to determine what job to validate, resulting in an identical step in all jobs. This makes it a good proof of concept for a ghasum action that can be used in any job. This commit is a followup to <2effc08890ff0aaa80d46a390489693b3c3deddc>.
- Loading branch information
1 parent
d99e5b0
commit fe84eda
Showing
6 changed files
with
74 additions
and
22 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -26,5 +26,12 @@ jobs: | |
| uses: actions/[email protected] | ||
| with: | ||
| go-version-file: go.mod | ||
| - name: Verify action checksums | ||
| env: | ||
| JOB: ${{ github.job }} | ||
| WORKFLOW: ${{ github.workflow_ref }} | ||
| run: | | ||
| WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5) | ||
| go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB" | ||
| - name: Audit | ||
| run: go run tasks.go audit | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -18,6 +18,13 @@ jobs: | |
| uses: actions/[email protected] | ||
| with: | ||
| go-version-file: go.mod | ||
| - name: Verify action checksums | ||
| env: | ||
| JOB: ${{ github.job }} | ||
| WORKFLOW: ${{ github.workflow_ref }} | ||
| run: | | ||
| WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5) | ||
| go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB" | ||
| - name: Build binary | ||
| run: go run tasks.go build | ||
| dogfeed: | ||
|
|
@@ -32,6 +39,13 @@ jobs: | |
| uses: actions/[email protected] | ||
| with: | ||
| go-version-file: go.mod | ||
| - name: Verify action checksums | ||
| env: | ||
| JOB: ${{ github.job }} | ||
| WORKFLOW: ${{ github.workflow_ref }} | ||
| run: | | ||
| WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5) | ||
| go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB" | ||
| - name: Uninitialize ghasum | ||
| run: rm -f .github/workflows/gha.sum | ||
| - name: Run on this repository | ||
|
|
@@ -50,6 +64,13 @@ jobs: | |
| uses: actions/[email protected] | ||
| with: | ||
| go-version-file: go.mod | ||
| - name: Verify action checksums | ||
| env: | ||
| JOB: ${{ github.job }} | ||
| WORKFLOW: ${{ github.workflow_ref }} | ||
| run: | | ||
| WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5) | ||
| go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB" | ||
| - name: Check source code formatting | ||
| run: go run tasks.go format-check | ||
| reproducible: | ||
|
|
@@ -64,6 +85,13 @@ jobs: | |
| uses: actions/[email protected] | ||
| with: | ||
| go-version-file: go.mod | ||
| - name: Verify action checksums | ||
| env: | ||
| JOB: ${{ github.job }} | ||
| WORKFLOW: ${{ github.workflow_ref }} | ||
| run: | | ||
| WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5) | ||
| go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB" | ||
| - name: Check reproducibility | ||
| run: go run tasks.go reproducible | ||
| test: | ||
|
|
@@ -78,6 +106,13 @@ jobs: | |
| uses: actions/[email protected] | ||
| with: | ||
| go-version-file: go.mod | ||
| - name: Verify action checksums | ||
| env: | ||
| JOB: ${{ github.job }} | ||
| WORKFLOW: ${{ github.workflow_ref }} | ||
| run: | | ||
| WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5) | ||
| go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB" | ||
| - name: Run tests | ||
| run: go run tasks.go coverage | ||
| vet: | ||
|
|
@@ -92,5 +127,12 @@ jobs: | |
| uses: actions/[email protected] | ||
| with: | ||
| go-version-file: go.mod | ||
| - name: Verify action checksums | ||
| env: | ||
| JOB: ${{ github.job }} | ||
| WORKFLOW: ${{ github.workflow_ref }} | ||
| run: | | ||
| WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5) | ||
| go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB" | ||
| - name: Vet source code | ||
| run: go run tasks.go vet | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -20,6 +20,13 @@ jobs: | |
| uses: actions/[email protected] | ||
| with: | ||
| go-version-file: go.mod | ||
| - name: Verify action checksums | ||
| env: | ||
| JOB: ${{ github.job }} | ||
| WORKFLOW: ${{ github.workflow_ref }} | ||
| run: | | ||
| WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5) | ||
| go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB" | ||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/[email protected] | ||
| with: | ||
|
|
||
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -19,6 +19,13 @@ jobs: | |
| uses: actions/[email protected] | ||
| with: | ||
| go-version-file: go.mod | ||
| - name: Verify action checksums | ||
| env: | ||
| JOB: ${{ github.job }} | ||
| WORKFLOW: ${{ github.workflow_ref }} | ||
| run: | | ||
| WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5) | ||
| go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB" | ||
| - name: Get release version | ||
| id: version | ||
| shell: bash | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -17,6 +17,17 @@ jobs: | |
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/[email protected] | ||
| - name: Install Go | ||
| uses: actions/[email protected] | ||
| with: | ||
| go-version-file: go.mod | ||
| - name: Verify action checksums | ||
| env: | ||
| JOB: ${{ github.job }} | ||
| WORKFLOW: ${{ github.workflow_ref }} | ||
| run: | | ||
| WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5) | ||
| go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB" | ||
| - name: Perform Semgrep analysis | ||
| run: semgrep ci --sarif --output semgrep.sarif | ||
| env: | ||
|
|
||