# Copyright 2023 SLSA Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Composite action: checks out a repository with actions/checkout and then
# verifies that the resulting HEAD is the commit the caller expected.
name: 'secure-project-checkout'
description: 'Checkout a project and verify its commit sha'
inputs:
  # Full 40-hex-char commit id to check out and verify. When empty, the
  # action verifies against the sha of the triggering event instead.
  checkout-sha1:
    description: 'The sha1 to checkout.'
    required: false
    default: ''
  fetch-depth:
    # Same argument to https://github.com/actions/checkout.
    description: >-
      Number of commits to fetch.
      0 indicates all history for all branches and tags.
    required: false
    default: 1
  path:
    # Same argument to https://github.com/actions/checkout.
    description: 'Relative path under $GITHUB_WORKSPACE to place the repository.'
    required: true
  # The token is not available to actions by default, so it has to be
  # shared explicitly. It is needed to check out private repositories.
  token:
    description: 'Token used to fetch the repository.'
    required: false
    default: '${{ github.token }}'
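runs:
  using: 'composite'
  steps:
    - name: Checkout the repository
      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      with:
        fetch-depth: ${{ inputs.fetch-depth }}
        # An empty ref lets actions/checkout pick the event's commit, which is
        # what the verify step below compares against when no sha is given.
        ref: ${{ inputs.checkout-sha1 }}
        # Different from default actions/checkout which defaults to `true`:
        # the token is not kept in the local git config for later steps.
        persist-credentials: false
        token: ${{ inputs.token }}
        path: ${{ inputs.path }}
    - name: Verify commit sha
      shell: bash
      env:
        # Values reach the script through the environment only; the `run`
        # body below contains no `${{ }}` expressions, so neither the event
        # payload nor the user-supplied sha can alter the shell commands.
        CONTEXT: '${{ toJSON(github) }}'
        CHECKOUT_SHA1: '${{ inputs.checkout-sha1 }}'
      working-directory: '${{ inputs.path }}'
      run: |
        set -euo pipefail
        # Commit id actually checked out by the previous step.
        git_sha="$(git log -1 --format='%H')"
        # By default, we verify against the sha indicated by the GitHub event.
        checkout_sha="$GITHUB_SHA"
        # If the user provided a sha, we use it instead.
        if [[ -n "${CHECKOUT_SHA1:-}" ]]; then
          checkout_sha="${CHECKOUT_SHA1}"
        fi
        # Verify that the sha is correctly formatted: exactly 40 hex chars
        # (SHA-1 object ids only).
        regex="^[a-fA-F0-9]{40}$"
        if [[ ! "$checkout_sha" =~ $regex ]]; then
          echo "invalid sha: $checkout_sha"
          exit 1
        fi
        # git prints object ids in lowercase while the regex above accepts
        # uppercase; normalize so an uppercase input does not spuriously fail
        # the (case-sensitive) comparison below.
        checkout_sha="$(printf '%s' "$checkout_sha" | tr '[:upper:]' '[:lower:]')"
        # Note: For pull requests, the `$GITHUB_SHA` corresponds to the
        # merge commit that GitHub automatically creates.
        # It is consistent with what the checkout Actions pulls.
        # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows.
        if [[ "$git_sha" != "$checkout_sha" ]]; then
          echo "mismatch git sha \"$git_sha\" != \"$checkout_sha\""
          echo "GitHub context:"
          echo "$CONTEXT"
          echo
          echo "Last 20 commits:"
          git log -20
          exit 1
        fi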