feat: scan github actions for commit hash reference (RD-2964) (#76)

robaone-redshelf · web-flow · commit ac8a1988b1b7 · 2025-03-24T16:22:10.000-05:00
* feat(RD-2964): add static analysis action for GitHub workflows

Introduces a new GitHub Action that performs static analysis on workflow YAML files, ensuring that all action calls use commit hashes. The action scans for YAML files in the workflows directory and provides warnings if any issues are found, along with a link to a Jira ticket for resolution.

* feat: add S3 Cache Action for GitHub workflows

Introduces a new GitHub Action that caches files and folders to an S3 bucket, allowing users to specify the cache path, unique key, and AWS credentials. This action enhances workflow efficiency by enabling caching capabilities directly within GitHub Actions.

* fix(RD-2964): add logging for script execution in action.yml

Enhances the static analysis GitHub Action by adding logging statements to indicate the script being run and the current working directory. This improves visibility during execution and aids in debugging.

* fix(RD-2964): update working directory in static analysis action

Modifies the working directory for the static analysis GitHub Action to use the GitHub workspace combined with the specified input path, ensuring correct execution context during script runs.

* fix(RD-2964): simplify working directory in static analysis action

Removes the input path requirement for the working directory in the static analysis GitHub Action, ensuring it defaults to the GitHub workspace for improved execution context.

* fix: remove S3 Cache Action from GitHub workflows

* fix(RD-2964): change exit code to zero when warnings are found in static analysis
diff --git a/.github/actions/static-analysis/action.yml b/.github/actions/static-analysis/action.yml
@@ -0,0 +1,15 @@
+name: "Static Analysis"
+description: "Runs static analysis on the code"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout Code
+      uses: actions/checkout@v4
+    - name: Scan workflow yml files
+      run: |
+        echo "Running the following script: ${{ github.action_path }}/scan_github_actions.js"
+        echo "With the current working directory: $(pwd)"
+        node ${{ github.action_path }}/scan_github_actions.js
+      shell: bash
+      working-directory: ${{ github.workspace }}
diff --git a/.github/actions/static-analysis/scan_github_actions.js b/.github/actions/static-analysis/scan_github_actions.js
@@ -0,0 +1,96 @@
+class StaticAnalysis {
+    constructor(dataProvider, process) {
+        this.dataProvider = dataProvider;
+        this.process = process;
+    }
+
+    isCommitHash(ref) {
+        return /^[0-9a-f]{40}$/.test(ref);
+    }
+
+    findYamlFiles(dir) {
+        let results = [];
+        const list = this.dataProvider.readDirectory(dir);
+        list.forEach(file => {
+            const fullPath = this.dataProvider.path.join(dir, file);
+            const stat = this.dataProvider.getFileStats(fullPath);
+            if (stat && stat.isDirectory()) {
+                results = results.concat(this.findYamlFiles(fullPath));
+            } else if (file.endsWith('.yml') || file.endsWith('.yaml')) {
+                results.push(fullPath);
+            }
+        });
+        return results;
+    }
+
+    scanFile(filePath) {
+        const content = this.dataProvider.readFile(filePath);
+        const regex = /uses:\s*[\w-]+\/[\w-]+@([\w-.]+)/g;
+        let match;
+        let warnings = [];
+        while ((match = regex.exec(content)) !== null) {
+            const ref = match[1];
+            if (!this.isCommitHash(ref)) {
+                warnings.push(`Warning: In file ${filePath}, '${match[0]}' does not use a commit hash.`);
+            }
+        }
+        return warnings;
+    }
+
+    run() {
+        const workflowDir = this.dataProvider.path.join(this.process.cwd(), '.github', 'workflows');
+        if (!this.dataProvider.fileExists(workflowDir)) {
+            console.error(`Error: Directory ${workflowDir} does not exist.`);
+            this.process.exit(1);
+        }
+
+        const yamlFiles = this.findYamlFiles(workflowDir);
+        let allWarnings = [];
+
+        yamlFiles.forEach(filePath => {
+            const warnings = this.scanFile(filePath);
+            allWarnings = allWarnings.concat(warnings);
+        });
+
+        if (allWarnings.length > 0) {
+            allWarnings.forEach(warning => console.warn(warning));
+            console.log('To fix these issues, refer to the solution in the following Jira ticket: https://virdocs.atlassian.net/browse/RD-2964');
+            this.process.exit(0); // TODO: Exit with non-zero code if warnings are found
+        } else {
+            console.log('No issues found. All action calls use commit hashes.');
+            this.process.exit(0);
+        }
+    }
+}
+
+class DataProvider {
+    constructor(fs, path) {
+        this.fs = fs;
+        this.path = path;
+    }
+
+    readDirectory(dir) {
+        return this.fs.readdirSync(dir);
+    }
+
+    readFile(filePath) {
+        return this.fs.readFileSync(filePath, 'utf8');
+    }
+
+    fileExists(filePath) {
+        return this.fs.existsSync(filePath);
+    }
+
+    getFileStats(filePath) {
+        return this.fs.statSync(filePath);
+    }
+}
+
+// Dependency injection
+const fs = require('fs');
+const path = require('path');
+const process = require('process');
+
+const dataProvider = new DataProvider(fs, path);
+const staticAnalysis = new StaticAnalysis(dataProvider, process);
+staticAnalysis.run();
