snyk
Migrate from bash to sh in snyk/actions/setup
Problem
Currently, snyk/actions/setup supports Alpine OS. There are no Alpine OS GitHub hosted runners, so usual use case is to use alpine docker image (e.g. alpine:latest). Official Alpine docker image does not include bash meaning that user has to install it in advance every time.
Solution
Since snyk/actions/setup is a composite action that runs shell script it is not difficult to rewrite bash to sh. It will remove the dependency on bash. Furthermore, it is not difficult to do as current setup_snyk.sh shell script is already POSIX compliant. Only a few minor changes required to make this GitHub Action work without bash dependency.
Validation results
I've run this GitHub Action before fix and after fix, and everything works as expected.
Before fix
Workflow configuration
---
name: Test Snyk Setup
on:
push:
branches:
- test/snyk-setup
jobs:
test-snyk-setup:
runs-on: ubuntu-latest
container:
image: alpine:3.22.0
defaults:
run:
shell: sh
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install curl
run: apk --no-cache add curl
- name: Setup Snyk
uses: snyk/actions/setup@master
with:
os: "Alpine"
- name: Run Snyk Test
run: snyk test --all-projects --severity-threshold=low --json
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
Logs
2025-07-01T01:54:40.4854645Z ##[group]Run snyk/actions/setup@master
2025-07-01T01:54:40.4855082Z with:
2025-07-01T01:54:40.4855386Z os: Alpine
2025-07-01T01:54:40.4855708Z snyk-version: latest
2025-07-01T01:54:40.4856070Z ##[endgroup]
2025-07-01T01:54:40.4951076Z ##[group]Run echo $GITHUB_ACTION_PATH
2025-07-01T01:54:40.4951524Z [36;1mecho $GITHUB_ACTION_PATH[0m
2025-07-01T01:54:40.4952036Z [36;1mecho /home/runner/work/_actions/snyk/actions/master/setup[0m
2025-07-01T01:54:40.4952478Z [36;1m[0m
2025-07-01T01:54:40.4953117Z [36;1m/home/runner/work/_actions/snyk/actions/master/setup/setup_snyk.sh latest Alpine || $GITHUB_ACTION_PATH/setup_snyk.sh latest Alpine[0m
2025-07-01T01:54:40.4953991Z shell: bash --noprofile --norc -e -o pipefail {0}
2025-07-01T01:54:40.4954416Z ##[endgroup]
2025-07-01T01:54:40.5540807Z OCI runtime exec failed: exec failed: unable to start container process: exec: "bash": executable file not found in $PATH: unknown
2025-07-01T01:54:40.5565826Z ##[error]Process completed with exit code 127.
After fix
Workflow configuration
---
name: Test Snyk Setup
on:
push:
branches:
- test/snyk-setup
jobs:
test-snyk-setup:
runs-on: ubuntu-latest
container:
image: alpine:3.22.0
defaults:
run:
shell: sh
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install curl
run: apk --no-cache add curl
- name: Setup Snyk
uses: fabasoad/snyk-actions/setup@fix/bash-to-sh
with:
os: "Alpine"
- name: Run Snyk Test
run: snyk test --all-projects --severity-threshold=low --json
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
Logs
2025-07-01T01:42:58.9958658Z ##[group]Run fabasoad/snyk-actions/setup@fix/bash-to-sh
2025-07-01T01:42:58.9960123Z with:
2025-07-01T01:42:58.9960809Z os: Alpine
2025-07-01T01:42:58.9961548Z snyk-version: latest
2025-07-01T01:42:58.9962362Z ##[endgroup]
2025-07-01T01:42:59.0076854Z ##[group]Run echo $GITHUB_ACTION_PATH
2025-07-01T01:42:59.0077964Z [36;1mecho $GITHUB_ACTION_PATH[0m
2025-07-01T01:42:59.0079598Z [36;1mecho /home/runner/work/_actions/fabasoad/snyk-actions/fix/bash-to-sh/setup[0m
2025-07-01T01:42:59.0081113Z [36;1m[0m
2025-07-01T01:42:59.0083253Z [36;1m/home/runner/work/_actions/fabasoad/snyk-actions/fix/bash-to-sh/setup/setup_snyk.sh latest Alpine || $GITHUB_ACTION_PATH/setup_snyk.sh latest Alpine[0m
2025-07-01T01:42:59.0085828Z shell: sh -e {0}
2025-07-01T01:42:59.0086586Z ##[endgroup]
2025-07-01T01:42:59.0726935Z /__w/_temp/8d1ec298-0e54-4ee0-a3f6-27fbd280111f.sh: line 4: /home/runner/work/_actions/fabasoad/snyk-actions/fix/bash-to-sh/setup/setup_snyk.sh: not found
2025-07-01T01:42:59.0731418Z /__w/_actions/fabasoad/snyk-actions/fix/bash-to-sh/setup
2025-07-01T01:42:59.0733923Z /home/runner/work/_actions/fabasoad/snyk-actions/fix/bash-to-sh/setup
2025-07-01T01:42:59.0755561Z 2025-07-01T01:42:59Z Installing the latest version of Snyk on Alpine
2025-07-01T01:42:59.0763019Z 2025-07-01T01:42:59Z sudo is NOT installed. Trying without sudo, expecting privileges to write to '/usr/local/bin'.
2025-07-01T01:42:59.0788916Z 2025-07-01T01:42:59Z Downloading files from https://downloads.snyk.io/cli/latest
2025-07-01T01:42:59.0828175Z % Total % Received % Xferd Average Speed Time Time Time Current
2025-07-01T01:42:59.0830428Z Dload Upload Total Spent Left Speed
2025-07-01T01:42:59.0831307Z
2025-07-01T01:42:59.2020913Z 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
2025-07-01T01:42:59.6355069Z HTTP/1.1 200 OK
2025-07-01T01:42:59.6355980Z x-amz-id-2: T571bGuatzumFGGakXvtXeKvNYUGZ55YAXUTUWuMhjNinpRpHKPQUx9SkM54ahH9pLe8cDxpyJx8XOBVYqABxg==
2025-07-01T01:42:59.6356718Z x-amz-request-id: FGK54PV7WE4MQ01F
2025-07-01T01:42:59.6357072Z x-amz-server-side-encryption: AES256
2025-07-01T01:42:59.6357396Z Accept-Ranges: bytes
2025-07-01T01:42:59.6357681Z Content-Type: binary/octet-stream
2025-07-01T01:42:59.6357980Z Server: AmazonS3
2025-07-01T01:42:59.6359289Z Last-Modified: Mon, 23 Jun 2025 15:46:17 GMT
2025-07-01T01:42:59.6359991Z ETag: "c58afb554467a4c7519c4d0ce8290089-16"
2025-07-01T01:42:59.6360294Z Content-Length: 126927108
2025-07-01T01:42:59.6360540Z Cache-Control: max-age=0
2025-07-01T01:42:59.6360803Z Expires: Tue, 01 Jul 2025 01:42:59 GMT
2025-07-01T01:42:59.6361074Z Date: Tue, 01 Jul 2025 01:42:59 GMT
2025-07-01T01:42:59.6361339Z Connection: keep-alive
2025-07-01T01:42:59.6361855Z Akamai-Cache-Status: Miss from child, Miss from parent
2025-07-01T01:42:59.6362239Z Access-Control-Max-Age: 3000
2025-07-01T01:42:59.6362500Z Access-Control-Allow-Methods: GET
2025-07-01T01:42:59.6362778Z Access-Control-Allow-Origin: *
2025-07-01T01:42:59.6362955Z
2025-07-01T01:43:00.1821629Z 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
2025-07-01T01:43:01.1819859Z 11 121M 11 14.1M 0 0 12.8M 0 0:00:09 0:00:01 0:00:08 12.8M
2025-07-01T01:43:02.1700532Z 31 121M 31 38.0M 0 0 18.1M 0 0:00:06 0:00:02 0:00:04 18.1M
2025-07-01T01:43:03.1992329Z 52 121M 52 64.0M 0 0 20.7M 0 0:00:05 0:00:03 0:00:02 20.7M
2025-07-01T01:43:04.1676948Z 74 121M 74 90.0M 0 0 21.8M 0 0:00:05 0:00:04 0:00:01 21.8M
2025-07-01T01:43:04.3867692Z 94 121M 94 114M 0 0 22.4M 0 0:00:05 0:00:05 --:--:-- 22.9M
2025-07-01T01:43:04.3868507Z 100 121M 100 121M 0 0 22.8M 0 0:00:05 0:00:05 --:--:-- 25.4M
2025-07-01T01:43:04.3906916Z 2025-07-01T01:43:04Z Downloaded binary from https://downloads.snyk.io/cli/latest/snyk-alpine?utm_source=GITHUB_ACTIONS
2025-07-01T01:43:04.3943009Z % Total % Received % Xferd Average Speed Time Time Time Current
2025-07-01T01:43:04.3943706Z Dload Upload Total Spent Left Speed
2025-07-01T01:43:04.3944132Z
2025-07-01T01:43:04.5146411Z HTTP/1.1 200 OK
2025-07-01T01:43:04.5147337Z x-amz-id-2: yPCqf28W/zxyzGs4hOMpx2kVlqtrV5fvnliVXOCV2rZX9pJb27rX1yOhPf7nz9ZmNSIG4bS91I8=
2025-07-01T01:43:04.5148443Z x-amz-request-id: 5XVXBZDC146QF3YG
2025-07-01T01:43:04.5148983Z Last-Modified: Mon, 23 Jun 2025 15:46:25 GMT
2025-07-01T01:43:04.5149756Z ETag: "139ca3a8e86f8df3d60d0b46370f30d1"
2025-07-01T01:43:04.5150307Z x-amz-server-side-encryption: AES256
2025-07-01T01:43:04.5150886Z Accept-Ranges: bytes
2025-07-01T01:43:04.5151326Z Content-Type: binary/octet-stream
2025-07-01T01:43:04.5151723Z Content-Length: 78
2025-07-01T01:43:04.5152015Z Server: AmazonS3
2025-07-01T01:43:04.5152266Z Cache-Control: max-age=0
2025-07-01T01:43:04.5152570Z Expires: Tue, 01 Jul 2025 01:43:04 GMT
2025-07-01T01:43:04.5152876Z Date: Tue, 01 Jul 2025 01:43:04 GMT
2025-07-01T01:43:04.5153148Z Connection: keep-alive
2025-07-01T01:43:04.5153458Z Akamai-Cache-Status: Miss from child, RefreshHit from parent
2025-07-01T01:43:04.5153812Z Access-Control-Max-Age: 3000
2025-07-01T01:43:04.5154072Z Access-Control-Allow-Methods: GET
2025-07-01T01:43:04.5154355Z Access-Control-Allow-Origin: *
2025-07-01T01:43:04.5154529Z
2025-07-01T01:43:04.5154694Z 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
2025-07-01T01:43:04.5155045Z 100 78 100 78 0 0 645 0 --:--:-- --:--:-- --:--:-- 650
2025-07-01T01:43:04.5202375Z 2025-07-01T01:43:04Z Downloaded shasum from https://downloads.snyk.io/cli/latest/snyk-alpine.sha256?utm_source=GITHUB_ACTIONS
2025-07-01T01:43:04.5207776Z 2025-07-01T01:43:04Z Validating shasum
2025-07-01T01:43:05.1508710Z snyk-alpine: OK
2025-07-01T01:43:05.1521936Z 2025-07-01T01:43:05Z Moving and cleaning files
2025-07-01T01:43:05.7153439Z 2025-07-01T01:43:05Z Installed Snyk v1.1297.3
2025-07-01T01:43:05.7210909Z ##[group]Run echo "version=$(snyk version)" >> $GITHUB_OUTPUT
2025-07-01T01:43:05.7211285Z [36;1mecho "version=$(snyk version)" >> $GITHUB_OUTPUT[0m
2025-07-01T01:43:05.7211680Z shell: sh -e {0}
2025-07-01T01:43:05.7211859Z ##[endgroup]
Hey @fabasoad - thanks for your contribution. I am not 100% sure I trust my own tests enough to merge this. Will think a bit about it.
According to Snyk's breaking change policy this could also be seen as a breaking change, considering how all downstream users of this action are currently using it.
Just a heads-up that this might be a bit before you hear something.
Hi @dotkas! yeah, makes sense. I just stepped on this issues a few times in the past and thought would be good to fix it. Later on dependency on curl also can be fixed with something like this, but I understand your concern on the possible breaking change. Feel free to close it if you think it is too risky, or we can think how we can improve testing, so that changes like this would be "easier" to roll out in the future. Technically, if we could have tests for all supported environments, then we could be more confident on such changes. Simple test - setup snyk and run its version but on the every supported runner (Alpine/macOS/Linux x x86_64/ARM64 = matrix with 6 tests on 6 different runners). The only problem here to get Linux ARM64 and macOS x86_64 runners as they are not provided by GitHub. So, if your organization have those self-hosted runners, we could use them for these tests. Just some thoughts. LMK.
TIL, that GitHub actually has Linux arm64 and macOS Intel runners: https://docs.github.com/en/actions/how-tos/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories
I will add some tests.
@dotkas I've removed bash from the installation step in tests. This should prove that GitHub Action works as expected. Please review.
P.S. I've added more tests in scope of https://github.com/snyk/actions/pull/160
Your PR has not had any activity for 30 days. In 2 days I'll close it. Make some activity to remove this.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
Hi @dotkas! WDYT about this PR? Would it be OK to move it forward or should we close it?
Hi @fabasoad I still think it's good, but our internal processes are taking way longer than I had expected. I am sorry for the delay on it.
Your PR has not had any activity for 30 days. In 2 days I'll close it. Make some activity to remove this.
Your PR has not had any activity for 30 days. In 2 days I'll close it. Make some activity to remove this.
:white_check_mark: Snyk checks have passed. No issues have been found so far.
| Status | Scanner |  Critical |
 High |
 Medium |
 Low |
Total (0) |
|---|---|---|---|---|---|---|
| :white_check_mark: | Code Security | 0 | 0 | 0 | 0 | 0 issues |
:computer: Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.
![snyk-io[bot] avatar](https://avatars.githubusercontent.com/in/372950?v=4 "Published by a pub.dev verified publisher"){kind=small}
Your PR has not had any activity for 30 days. In 2 days I'll close it. Make some activity to remove this.