add special handling for historic actions allowance against branches

snazy · snazy · commit 48b865bb2c22 · 2026-02-24T16:27:19.000+01:00
diff --git a/actions.yml b/actions.yml
@@ -27,6 +27,8 @@ bytedeco/javacpp-presets/.github/actions/*:
 dtolnay/rust-toolchain:
   stable:
     keep: true
+    # 'stable' is a branch, not a Git SHA
+    ignore_invalid_git_sha: true
 golangci/*:
   '*':
     keep: true
@@ -37,6 +39,8 @@ pypa/gh-action-pip-audit:
 pypa/gh-action-pypi-publish:
   release/v1*:
     keep: true
+    # 'release/v1*' is a branch wildcard, not a Git SHA
+    ignore_invalid_git_sha: true
 pytooling/actions/with-post-step:
   '*':
     keep: true
diff --git a/gateway/action_tags.py b/gateway/action_tags.py
@@ -261,7 +261,12 @@ def verify_actions(actions: Path | ActionsYAML | str, log_to_console: bool = Tru
                                 else:
                                     result.failure(m, "      ..")
                 else:
-                    result.failure(f"GitHub action {name} references an invalid Git SHA '{ref}'", "      ..")
+                    ignore_invalid_git_sha = details and 'ignore_invalid_git_sha' in details and details['ignore_invalid_git_sha'] == True
+                    if ignore_invalid_git_sha:
+                        result.warning(f"GitHub action {name} references an invalid Git SHA but 'ignore_invalid_git_sha' is set: will ignore invalid Git SHA '{ref}'", "  ..")
+                    else:
+                        result.failure(f"GitHub action {name} references an invalid Git SHA '{ref}'", "  ..")
+                        raise Exception("foo")
 
             for req_tag, req_shas in requested_shas_by_tag.items():
                 result.log(f"  .. checking tag '{req_tag}'")
diff --git a/gateway/gateway.py b/gateway/gateway.py
@@ -25,6 +25,16 @@ class RefDetails(TypedDict):
     expires_at: date
     keep: NotRequired[bool]
     tag: NotRequired[str]
+    # Action tags check: Ignore invalid Git SHA and GitHub API errors.
+    # Some actions are allowed to use branches.
+    # This should really be used in only very exceptional cases
+    # and MUST NEVER be used for new actions.
+    ignore_invalid_git_sha: NotRequired[bool]
+    # Action tags check: Ignore GitHub API errors in special situations,
+    # when for example the repository has an IP allow list enabled preventing checks using the GH API
+    # against such repositories. Sample error message in such cases:
+    # 'Although you appear to have the correct authorization credentials, the `ScaCap` organization has an IP allow list enabled, and your IP address is not permitted to access this resource.'
+    ignore_gh_api_errors: NotRequired[bool]
 
 
 ActionRefs = Dict[str, RefDetails]
