/
action.yaml
51 lines (46 loc) · 1.7 KB
/
action.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
name: "secure-project-checkout"
description: "Checkout a project and verify its commit sha"
inputs:
path:
# Same argument to https://github.com/actions/checkout.
description: "Relative path under $GITHUB_WORKSPACE to place the repository."
required: true
# The token is not available to actions by defaults, so we need to
# share it explicitly. The token is needed to checkout private repositories.
token:
description: "Token used to fetch the repository."
required: false
default: ${{ github.token }}
runs:
using: "composite"
steps:
- name: Checkout the repository
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
with:
fetch-depth: 1
# Different from default actions/checkout which defaults to `true`.
persist-credentials: false
token: ${{ inputs.token }}
path: ${{ inputs.path }}
- name: Verify commit sha
shell: bash
env:
CONTEXT: "${{ toJSON(github) }}"
working-directory: "${{ inputs.path }}"
run: |
set -euo pipefail
git_sha="$(git log -1 --format='%H')"
github_sha="$GITHUB_SHA"
# Note: For pull requests, the `github_sha` corresponds to the
# merge commit that GitHub automatically creates.
# It is consistent with what the checkout Actions pulls.
# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows.
if [[ "$git_sha" != "$github_sha" ]]; then
echo "mismatch git sha \"$git_sha\" != \"$github_sha\""
echo "GitHub context:"
echo "$CONTEXT"
echo
echo "Last 20 commits:"
git log -20
exit 1
fi