implement warning check for supported actions

bitwarden · Dec 15, 2023 · 08f4e55 · 08f4e55
1 parent d336bf2
commit 08f4e55
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/lint-workflow/lint.py b/lint-workflow/lint.py
@@ -209,6 +209,9 @@ def lint(filename):
     with open(filename) as file:
         workflow = yaml.load(file, Loader=yaml.FullLoader)
 
+    with open("supported-action.json") as file:
+        supported_actions = json.load(file)
+
         # Check for 'name' key for the workflow.
         if "name" not in workflow:
             findings.append(LintFinding("Name key missing for workflow.", "warning"))
@@ -292,9 +295,24 @@ def lint(filename):
                             logging.info("Skipping local action in workflow.")
                             break
 
-                        # If the step has a 'uses' key, check value hash, except bitwarden actions.
+                        # If the step has a 'uses' key, check if actions are in supported actions list and also value hash, except bitwarden actions.
                         if "bitwarden/gh-actions" not in path:
                             try:
+                                # Check if actions are in supported actions list.
+                                actions_count = 0
+                                for action in supported_actions['supported_actions']:
+                                    if action in path:
+                                        break
+                                    else:
+                                        actions_count += 1
+
+                                if actions_count > 0:
+                                    findings.append(
+                                        LintFinding(
+                                            f"Step {str(i)} of job key '{job_key}' uses an unsupported action: {path}.",
+                                            "warning",
+                                        )
+                                    )
                                 # Check to make sure SHA1 hash is 40 characters.
                                 if len(hash) != 40:
                                     findings.append(

diff --git a/lint-workflow/supported-actons.json b/lint-workflow/supported-actons.json
@@ -0,0 +1 @@
+{ "supported_actions": ["act10ns/slack", "actions/cache", "actions/checkout", "actions/delete-package-versions", "actions/download-artifact", "actions/github-script", "actions/labeler", "actions/setup-dotnet", "actions/setup-java", "actions/setup-node", "actions/setup-python", "actions/stale", "actions/upload-artifact", "android-actions/setup-android", "Asana/create-app-attachment-github-action", "Azure/functions-action", "Azure/get-keyvault-secrets", "Azure/login", "azure/webapps-deploy", "bitwarden/sm-action", "checkmarx/ast-github-action", "chrnorm/deployment-action", "chrnorm/deployment-status", "chromaui/action", "cloudflare/pages-action", "convictional/trigger-workflow-and-wait", "crazy-max/ghaction-import-gpg", "crowdin/github-action", "dawidd6/action-download-artifact", "dawidd6/action-homebrew-bump-formula", "digitalocean/action-doctl", "docker/build-push-action", "docker/setup-buildx-action", "docker/setup-qemu-action", "dorny/test-reporter", "dtolnay/rust-toolchain", "futureware-tech/simulator-action", "hashicorp/setup-packer", "macauley/action-homebrew-bump-cask", "microsoft/setup-msbuild", "ncipollo/release-action", "nuget/setup-nuget", "peter-evans/close-issue", "ruby/setup-ruby", "samuelmeuli/action-snapcraft", "snapcore/action-build", "sonarsource/sonarcloud-github-action", "stackrox/kube-linter-action", "Swatinem/rust-cache", "SwiftDocOrg/github-wiki-publish-action", "SwiftDocOrg/swift-doc", "tj-actions/changed-files", "yogevbd/enforce-label-action"]}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		{ "supported_actions": ["act10ns/slack", "actions/cache", "actions/checkout", "actions/delete-package-versions", "actions/download-artifact", "actions/github-script", "actions/labeler", "actions/setup-dotnet", "actions/setup-java", "actions/setup-node", "actions/setup-python", "actions/stale", "actions/upload-artifact", "android-actions/setup-android", "Asana/create-app-attachment-github-action", "Azure/functions-action", "Azure/get-keyvault-secrets", "Azure/login", "azure/webapps-deploy", "bitwarden/sm-action", "checkmarx/ast-github-action", "chrnorm/deployment-action", "chrnorm/deployment-status", "chromaui/action", "cloudflare/pages-action", "convictional/trigger-workflow-and-wait", "crazy-max/ghaction-import-gpg", "crowdin/github-action", "dawidd6/action-download-artifact", "dawidd6/action-homebrew-bump-formula", "digitalocean/action-doctl", "docker/build-push-action", "docker/setup-buildx-action", "docker/setup-qemu-action", "dorny/test-reporter", "dtolnay/rust-toolchain", "futureware-tech/simulator-action", "hashicorp/setup-packer", "macauley/action-homebrew-bump-cask", "microsoft/setup-msbuild", "ncipollo/release-action", "nuget/setup-nuget", "peter-evans/close-issue", "ruby/setup-ruby", "samuelmeuli/action-snapcraft", "snapcore/action-build", "sonarsource/sonarcloud-github-action", "stackrox/kube-linter-action", "Swatinem/rust-cache", "SwiftDocOrg/github-wiki-publish-action", "SwiftDocOrg/swift-doc", "tj-actions/changed-files", "yogevbd/enforce-label-action"]}