diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index cfd61f1..ece4964 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -26,5 +26,12 @@ jobs:
 uses: actions/setup-go@v5.0.0
 with:
 go-version-file: go.mod
+ - name: Verify action checksums
+ env:
+ JOB: ${{ github.job }}
+ WORKFLOW: ${{ github.workflow_ref }}
+ run: |
+ WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
+ go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB"
 - name: Audit
 run: go run tasks.go audit
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 5cc9468..0d3b3f1 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -18,6 +18,13 @@ jobs:
 uses: actions/setup-go@v5.0.0
 with:
 go-version-file: go.mod
+ - name: Verify action checksums
+ env:
+ JOB: ${{ github.job }}
+ WORKFLOW: ${{ github.workflow_ref }}
+ run: |
+ WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
+ go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB"
 - name: Build binary
 run: go run tasks.go build
 dogfeed:
@@ -32,6 +39,13 @@ jobs:
 uses: actions/setup-go@v5.0.0
 with:
 go-version-file: go.mod
+ - name: Verify action checksums
+ env:
+ JOB: ${{ github.job }}
+ WORKFLOW: ${{ github.workflow_ref }}
+ run: |
+ WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
+ go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB"
 - name: Uninitialize ghasum
 run: rm -f .github/workflows/gha.sum
 - name: Run on this repository
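Review bot: The verify step is placed after `actions/checkout@v4.1.2` and `actions/setup-go@v5.0.0` have already executed, so those two actions are compared against gha.sum only after the fact, while every action used by a later step is checked before it runs; the step should state this, e.g. a comment above `- name: Verify action checksums` reading `# Needs the repo and Go, so checkout/setup-go are verified post hoc; later actions are verified before use.` The same ordering holds for every other hunk in this commit (the remaining check.yml jobs, codeql.yml, publish.yml and semgrep.yml) and was already the case in the removed ghasum.yml workflow, so one note at the first occurrence is enough. The `cut -d '@' -f 1 | cut -d '/' -f 3-5` pipeline silently assumes `github.workflow_ref` has the shape `owner/repo/.github/workflows/<file>@<ref>`; a one-line comment stating that expected shape would make the expression reviewable. Since the identical seven lines are repeated in nine jobs across five files, keeping the derivation in one place (a local composite action, if ghasum handles local `uses:` paths) would stop the copies drifting apart.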
@@ -50,6 +64,13 @@ jobs:
 uses: actions/setup-go@v5.0.0
 with:
 go-version-file: go.mod
+ - name: Verify action checksums
+ env:
+ JOB: ${{ github.job }}
+ WORKFLOW: ${{ github.workflow_ref }}
+ run: |
+ WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
+ go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB"
 - name: Check source code formatting
 run: go run tasks.go format-check
 reproducible:
@@ -64,6 +85,13 @@ jobs:
 uses: actions/setup-go@v5.0.0
 with:
 go-version-file: go.mod
+ - name: Verify action checksums
+ env:
+ JOB: ${{ github.job }}
+ WORKFLOW: ${{ github.workflow_ref }}
+ run: |
+ WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
+ go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB"
 - name: Check reproducibility
 run: go run tasks.go reproducible
 test:
@@ -78,6 +106,13 @@ jobs:
 uses: actions/setup-go@v5.0.0
 with:
 go-version-file: go.mod
+ - name: Verify action checksums
+ env:
+ JOB: ${{ github.job }}
+ WORKFLOW: ${{ github.workflow_ref }}
+ run: |
+ WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
+ go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB"
 - name: Run tests
 run: go run tasks.go coverage
 vet:
@@ -92,5 +127,12 @@ jobs:
 uses: actions/setup-go@v5.0.0
 with:
 go-version-file: go.mod
+ - name: Verify action checksums
+ env:
+ JOB: ${{ github.job }}
+ WORKFLOW: ${{ github.workflow_ref }}
+ run: |
+ WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
+ go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB"
 - name: Vet source code
 run: go run tasks.go vet
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index d2711d8..d84d927 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -20,6 +20,13 @@ jobs:
 uses: actions/setup-go@v5.0.0
 with:
 go-version-file: go.mod
+ - name: Verify action checksums
+ env:
+ JOB: ${{ github.job }}
+ WORKFLOW: ${{ github.workflow_ref }}
+ run: |
+ WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
+ go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB"
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v3.24.7
 with:
diff --git a/.github/workflows/ghasum.yml b/.github/workflows/ghasum.yml
deleted file mode 100644
index 09aeb04..0000000
--- a/.github/workflows/ghasum.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-name: ghasum
-on:
- pull_request: ~
- push:
- branches:
- - main
-
-permissions: read-all
-
-jobs:
- verify:
- name: Verify
- runs-on: ubuntu-22.04
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4.1.2
- - name: Install Go
- uses: actions/setup-go@v5.0.0
- with:
- go-version-file: go.mod
- - name: Verify checksums
- run: go run ./cmd/ghasum verify -cache /home/runner/work/_actions
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 9f435a4..a30119d 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -19,6 +19,13 @@ jobs:
 uses: actions/setup-go@v5.0.0
 with:
 go-version-file: go.mod
+ - name: Verify action checksums
+ env:
+ JOB: ${{ github.job }}
+ WORKFLOW: ${{ github.workflow_ref }}
+ run: |
+ WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
+ go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB"
 - name: Get release version
 id: version
 shell: bash
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index c0e8e19..b546ac3 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -17,6 +17,17 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4.1.2
+ - name: Install Go
+ uses: actions/setup-go@v5.0.0
+ with:
+ go-version-file: go.mod
+ - name: Verify action checksums
+ env:
+ JOB: ${{ github.job }}
+ WORKFLOW: ${{ github.workflow_ref }}
+ run: |
+ WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
+ go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB"
 - name: Perform Semgrep analysis
 run: semgrep ci --sarif --output semgrep.sarif
 env:
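Review bot: The literal `-cache /home/runner/work/_actions` may not resolve in this job: `semgrep ci` is invoked with no install step, which suggests the job runs inside a container, and in container jobs the runner mounts its work directories under a different root than on the host, so the downloaded actions would not be found at that path; the job's `runs-on`/`container` keys are above the hunk, so please confirm. If it is a container job, deriving the directory from the runner environment, `go run ./cmd/ghasum verify -cache "$(dirname "$RUNNER_WORKSPACE")/_actions" "$WORKFLOW:$JOB"`, would work for both host and container jobs without changing the other workflows. This hunk also adds a full Go toolchain to the Semgrep job solely so the verifier can run; a comment above `- name: Install Go` such as `# Go is needed only to run ghasum below` would keep a later cleanup from removing it.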