
Feature: Expose dependency type for `uses` parameter

Open raghavkaul opened this issue 2 years ago • 3 comments

GitHub Actions' jobs.<job_id>.steps[*].uses parameter accepts several specifiers for Action dependencies, e.g.:

  • Public actions
  • Subdirectories
  • Local filepaths
  • Docker/Container registries

actionlint should parse the uses parameter and export the dependency type. This would make it easier to determine whether an Action dependency is pinned.

raghavkaul avatar Jan 10 '23 21:01 raghavkaul

Please describe more specifically

  • What does 'export' mean here?
  • What is the outcome you expect here?
  • Why do you want it? What is your use case?

BTW, actionlint parses uses: content in action rule: https://github.com/rhysd/actionlint/blob/main/rule_action.go

rhysd avatar Jan 19 '23 02:01 rhysd

For context, I work on a project that uses actionlint to parse GitHub Actions files and recommend that GitHub Actions used in a workflow be pinned by SHA. This prevents supply chain attacks where an action is modified upstream (and the downstream permissions are overly broad), and the workflow (which typically runs automatically) consumes the new action.

Ideal outcome: Instead of *String, ExecAction.Uses would be another struct, hopefully with an enumerated type, indicating what type of GitHub action is being invoked transitively. Is it another action that was checked out? Is it a composite action? Is it a Docker container? Is that container or other action pinned to a version? These are the kinds of questions we want to answer.

actionlint has done the hard work here of extracting uses, but I think it makes sense to further break down that parameter. If this makes sense to add here, I'd be happy to contribute a PR.

raghavkaul avatar Jan 23 '23 19:01 raghavkaul

actionlint does not parse uses content because a parse error prevents further checks after parsing.

Getting the type of uses is quite straightforward. I'm not sure it's worth providing an API for this.

// Classify an ExecAction by its uses: value (imports "strings" and
// "github.com/rhysd/actionlint"; exec is an *actionlint.ExecAction).
func usesKind(exec *actionlint.ExecAction) string {
    if strings.HasPrefix(exec.Uses.Value, "./") {
        // Local action
        return "local"
    } else if strings.HasPrefix(exec.Uses.Value, "docker://") {
        // Docker action
        return "docker"
    } else {
        // Remote action
        return "remote"
    }
}

Do you want an API to parse {owner}/{repo}@{ref} or {owner}/{repo}/{path}@{ref} formats at uses: rather than to check Docker/local/remote action types? If so, I would be able to make a separate function to parse the formats as a public API.

rhysd avatar Jan 29 '23 06:01 rhysd
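A stand-alone parser in the spirit of the separate public function rhysd floats above, written here as an added example and not actionlint's own code: it classifies a uses: value as local, docker or remote, splits remote references into {owner}/{repo}[/{path}]@{ref}, and answers the pinning question raghavkaul raised (a remote action counts as pinned only when its ref is a full 40-hex commit SHA; a container only when it carries a sha256 digest). The names UsesRef, ParseUses and Pinned are assumptions of this example; actionlint's ExecAction.Uses is still a *String, so a caller would pass exec.Uses.Value. All sample uses: strings in main are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// UsesKind is the dependency type named by a step's uses: value.
type UsesKind int

const (
	UsesLocal  UsesKind = iota // ./path inside the workflow's own repository
	UsesDocker                 // docker://image[:tag|@digest]
	UsesRemote                 // {owner}/{repo}[/{path}]@{ref}
)

func (k UsesKind) String() string {
	return [...]string{"local", "docker", "remote"}[k]
}

// UsesRef is the parsed form of a uses: value (assumed type, not actionlint's).
type UsesRef struct {
	Kind  UsesKind
	Owner string // remote only
	Repo  string // remote only
	Path  string // subdirectory for remote, local path, or image name for docker
	Ref   string // tag/branch/SHA after '@' for remote; tag or digest for docker
	Raw   string
}

var (
	fullSHA      = regexp.MustCompile(`^[0-9a-fA-F]{40}$`)
	dockerDigest = regexp.MustCompile(`^sha256:[0-9a-fA-F]{64}$`)
)

// Pinned reports whether the dependency is fixed to immutable content.
func (r UsesRef) Pinned() bool {
	switch r.Kind {
	case UsesRemote:
		return fullSHA.MatchString(r.Ref) // tags and branches can be moved upstream
	case UsesDocker:
		return dockerDigest.MatchString(r.Ref) // image tags are mutable, digests are not
	default:
		return true // local actions are versioned with the workflow's own repository
	}
}

// ParseUses parses a uses: string into its dependency type and components.
func ParseUses(s string) (UsesRef, error) {
	r := UsesRef{Raw: s}
	switch {
	case strings.HasPrefix(s, "./"):
		r.Kind, r.Path = UsesLocal, s
		return r, nil
	case strings.HasPrefix(s, "docker://"):
		r.Kind = UsesDocker
		img := strings.TrimPrefix(s, "docker://")
		if i := strings.Index(img, "@"); i >= 0 {
			r.Path, r.Ref = img[:i], img[i+1:] // digest reference
		} else if i := strings.LastIndex(img, ":"); i >= 0 && !strings.Contains(img[i:], "/") {
			r.Path, r.Ref = img[:i], img[i+1:] // tag; a ':' followed by '/' is a registry port
		} else {
			r.Path = img
		}
		return r, nil
	}
	r.Kind = UsesRemote
	at := strings.LastIndex(s, "@")
	if at < 0 || at == len(s)-1 {
		return r, errors.New("remote action must be {owner}/{repo}[/{path}]@{ref}")
	}
	r.Ref = s[at+1:]
	parts := strings.SplitN(s[:at], "/", 3)
	if len(parts) < 2 || parts[0] == "" || parts[1] == "" {
		return r, fmt.Errorf("expected {owner}/{repo}[/{path}]@{ref}, got %q", s)
	}
	r.Owner, r.Repo = parts[0], parts[1]
	if len(parts) == 3 {
		r.Path = parts[2]
	}
	return r, nil
}

func main() {
	// Constructed sample values; the SHA below is a placeholder, not a real pin.
	for _, s := range []string{
		"actions/checkout@v4",
		"actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11",
		"octocat/tools/scripts/deploy@main",
		"./.github/actions/build",
		"docker://alpine:3.18",
	} {
		r, err := ParseUses(s)
		fmt.Printf("%-60s kind=%s pinned=%v err=%v\n", s, r.Kind, r.Pinned(), err)
	}
}
```

The parser deliberately rejects a remote reference without @{ref}, which GitHub also rejects, so a linter built on it surfaces malformed values instead of silently classifying them as unpinned.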