
Fix immutable action ref parser #63

Merged: roryabraham merged 2 commits into main from andrew-fix-immutable-action-ref-parser on May 12, 2026

@AndrewGable AndrewGable commented May 12, 2026

Details

Fixes validateImmutableActionRefs.sh so it only parses actual YAML uses: keys. The previous grep "uses:" also matched keys like permission-statuses: read, causing the validator to treat read as an action reference and fail incorrectly.

Related Issues

N/A

Manual Tests

Run this from the GitHub-Actions repo root:

set -euo pipefail

FIXTURE_DIR=$(mktemp -d /tmp/immutable-action-refs.XXXXXX)
mkdir -p "$FIXTURE_DIR/.github/workflows"
cat > "$FIXTURE_DIR/.github/workflows/repro.yml" <<'YAML'
name: Repro
on: workflow_dispatch
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Generate token
        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3
        with:
          permission-statuses: read
YAML

old_usages=$(grep "uses:" "$FIXTURE_DIR/.github/workflows/repro.yml" | awk '{print $2}' | sort | uniq)
printf 'Old parser output:\n%s\n\n' "$old_usages"
printf '%s\n' "$old_usages" | grep -qx 'read'

REPO_ROOT="$FIXTURE_DIR" scripts/validateImmutableActionRefs.sh
scripts/shellCheck.sh
REPO_ROOT=/Users/andrew/Expensidev/melvin scripts/validateImmutableActionRefs.sh

Expected output from the old parser check includes the false-positive read action usage:

Old parser output:
actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3
read

Expected output from the fixed validator does not include read in All action usages and ends with:

All untrusted actions are using immutable references

Linked PRs

https://github.com/Expensify/melvin/pull/93

@AndrewGable AndrewGable requested a review from roryabraham May 12, 2026 22:27
@AndrewGable AndrewGable marked this pull request as ready for review May 12, 2026 22:27
@roryabraham roryabraham merged commit 4229f46 into main May 12, 2026
5 checks passed
@roryabraham roryabraham deleted the andrew-fix-immutable-action-ref-parser branch May 12, 2026 22:28
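
The parsing problem described in this pull request, as an added example that is not the repository's validateImmutableActionRefs.sh. The helper names are hypothetical, "immutable" is assumed to mean a full 40-character commit SHA, and the `actions/checkout@v4` and commented-out steps in the fixture are constructed sample lines.

```shell
# Added example; these helper names are hypothetical, not the project's own.

# The substring match quoted in the PR description, kept for comparison.
naive_uses() {
    grep "uses:" "$1" | awk '{print $2}' | sort -u
}

# Print the value of each real `uses:` key. The key has to be the first token
# on the line (optionally after a "- " list marker), so permission-statuses:
# and commented-out steps are skipped. Trailing comments and quotes are removed.
extract_uses() {
    { grep -E '^[[:space:]]*(-[[:space:]]+)?uses:[[:space:]]' "$1" || true; } \
        | sed -E -e 's/^[[:space:]]*(-[[:space:]]+)?uses:[[:space:]]*//' \
                 -e 's/[[:space:]]+#.*$//' -e 's/[[:space:]]+$//' \
                 -e "s/^[\"']//" -e "s/[\"']\$//" \
        | sort -u
}

# Assumption: "immutable" means pinned to a full 40-character commit SHA.
is_immutable_ref() {
    printf '%s\n' "$1" | grep -Eq '@[0-9a-f]{40}$'
}

# Print every action reference in the file that is not SHA-pinned.
mutable_refs() {
    extract_uses "$1" | while IFS= read -r ref; do
        is_immutable_ref "$ref" || printf '%s\n' "$ref"
    done
}

# Constructed fixture: the PR's repro plus a quoted tag-pinned step and a comment.
FIXTURE=$(mktemp)
trap 'rm -f "$FIXTURE"' EXIT
cat > "$FIXTURE" <<'YAML'
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # uses: example/disabled-step@v1
      - uses: "actions/checkout@v4"   # constructed: mutable tag
      - name: Generate token
        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3
        with:
          permission-statuses: read
YAML

printf 'Substring match:\n%s\n\n' "$(naive_uses "$FIXTURE")"
printf 'Anchored match:\n%s\n\n' "$(extract_uses "$FIXTURE")"
printf 'Not SHA-pinned:\n%s\n' "$(mutable_refs "$FIXTURE")"
```

The anchored pattern is still a line-based approximation of YAML; a `uses:` line inside a multi-line block scalar would be picked up as well.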