Merge pull request #857 from stacklok/fix-pinned-tags
rules: Fix `actions_check_pinned_tags` rule
JAORMX authored Sep 5, 2023
2 parents 3bad454 + fd326b3 commit f0f00a7
Showing 1 changed file with 12 additions and 8 deletions.
20 changes: 12 additions & 8 deletions examples/github/rule-types/actions_check_pinned_tags.yaml
@@ -39,13 +39,11 @@ def:
eval:
type: rego
rego:
type: deny-by-default
type: constraints
def: |
package mediator
default allow := false
allow {
violations[{"msg": msg}] {
# List all workflows
workflows := file.ls("./.github/workflows")
@@ -57,17 +55,23 @@ def:
workflow := yaml.unmarshal(workflowstr)
# Iterate over all jobs and steps in the current workflow
job_steps := workflow.jobs[_].steps
some job_name
job_steps := workflow.jobs[job_name].steps
# Ensure each step uses a SHA-1 hash
s := job_steps[_]
some step_num
s := job_steps[step_num]
# Check if the step has a uses directive
not is_null(s.uses)
# Split the uses directive at '@'
parts := split(s.uses, "@")
# Check if the string after '@' is 40 characters long (SHA-1 hash length)
count(parts[1]) == 40
count(parts[1]) != 40
# All characters should be hexadecimal
re_match(`^[a-fA-F0-9]+$`, parts[1])
not regex.match(`^[a-fA-F0-9]+$`, parts[1])
msg := sprintf("Workflow '%v' uses an unpinned action '%v' in job '%v' step '%v'", [workflows[w], s.uses, job_name, step_num])
}
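Review bot: The two negated conditions `count(parts[1]) != 40` and `not regex.match(`^[a-fA-F0-9]+$`, parts[1])` in the second hunk are still conjoined in the rule body, so a violation is raised only when the ref is both not 40 characters long and not purely hexadecimal, which is narrower than the negation of the old `allow` rule. A short SHA such as `@abc1234`, a purely numeric tag such as `@4`, or a 40-character non-hex ref satisfies one check but not the other and is silently accepted as pinned. Rego has no disjunction inside a single body, so the cleaner fix is to keep the positive definition of a pinned ref in a helper rule and negate the helper once, as below; the `violations` rule this sits in opens in the first hunk. Separately, `split(s.uses, "@")` yields no `parts[1]` for a `uses` value without `@`, so such steps are skipped rather than reported; that is pre-existing and may be intended for local actions, but is worth a comment on the `split` line.
```rego
    parts := split(s.uses, "@")
    not is_pinned_sha(parts[1])
    # … unchanged: msg := sprintf(...) …
}

# is_pinned_sha holds when ref is a full 40-character hexadecimal commit SHA.
is_pinned_sha(ref) {
    count(ref) == 40
    regex.match(`^[a-fA-F0-9]+$`, ref)
}
```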
