4646 fi
4747
4848 - name : Run profile check
49- id : profile
5049 env :
5150 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
5251 run : |
5554 --username "${{ steps.author.outputs.username }}" \
5655 --json > /tmp/profile.json 2>/tmp/profile.log
5756 set -e
58- risk=$(jq -r '.risk // "UNKNOWN"' /tmp/profile.json 2>/dev/null || echo "UNKNOWN")
59- echo "risk=$risk" >> "$GITHUB_OUTPUT"
6057
6158 - name : Run credential audit
62- id : credential
6359 env :
6460 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
6561 run : |
@@ -69,24 +65,70 @@ jobs:
6965 --repo "${{ github.repository }}" \
7066 --json > /tmp/cred.json 2>/tmp/cred.log
7167 set -e
72- risk=$(jq -r '.risk // "UNKNOWN"' /tmp/cred.json 2>/dev/null || echo "UNKNOWN")
73- echo "risk=$risk" >> "$GITHUB_OUTPUT"
68+
69+ - name : Resolve check risks
70+ id : results
71+ run : |
72+ extract_risk() {
73+ file="$1"
74+ fallback="$2"
75+
76+ if [ ! -s "$file" ]; then
77+ echo "$fallback"
78+ return
79+ fi
80+
81+ risk=$(
82+ jq -r '
83+ [
84+ .risk,
85+ .overall_risk,
86+ .overallRisk,
87+ .result.risk,
88+ .result.overall_risk,
89+ .result.overallRisk
90+ ]
91+ | map(select(. != null and . != ""))
92+ | .[0] // empty
93+ ' "$file" 2>/dev/null \
94+ | tr "[:lower:]" "[:upper:]" \
95+ | tr -d "\r"
96+ )
97+
98+ case "$risk" in
99+ HIGH|MEDIUM|LOW|NONE|UNKNOWN) echo "$risk" ;;
100+ "") echo "$fallback" ;;
101+ *) echo "$fallback" ;;
102+ esac
103+ }
104+
105+ profile_risk=$(extract_risk /tmp/profile.json UNKNOWN)
106+ credential_risk=$(extract_risk /tmp/cred.json UNKNOWN)
107+
108+ echo "profile=$profile_risk" >> "$GITHUB_OUTPUT"
109+ echo "credential=$credential_risk" >> "$GITHUB_OUTPUT"
74110
75111 - name : Compute overall risk
76112 id : overall
77113 run : |
78114 risk_to_num() {
79115 case "$1" in
80116 HIGH) echo 3 ;;
81- MEDIUM|UNKNOWN) echo 2 ;;
82- LOW) echo 1 ;;
83- *) echo 2 ;;
117+ MEDIUM) echo 2 ;;
118+ LOW|NONE) echo 1 ;;
119+ UNKNOWN|"") echo 0 ;;
120+ *) echo 0 ;;
84121 esac
85122 }
86- p=$(risk_to_num "${{ steps.profile .outputs.risk }}")
87- c=$(risk_to_num "${{ steps.credential .outputs.risk }}")
123+ p=$(risk_to_num "${{ steps.results .outputs.profile }}")
124+ c=$(risk_to_num "${{ steps.results .outputs.credential }}")
88125 max=$p; [ "$c" -gt "$max" ] && max=$c
89- case "$max" in 3) r="HIGH" ;; 2) r="MEDIUM" ;; 1) r="LOW" ;; *) r="MEDIUM" ;; esac
126+ case "$max" in
127+ 3) r="HIGH" ;;
128+ 2) r="MEDIUM" ;;
129+ 1) r="LOW" ;;
130+ *) r="UNKNOWN" ;;
131+ esac
90132 echo "risk=$r" >> "$GITHUB_OUTPUT"
91133
92134 - name : Comment on MEDIUM or HIGH risk
97139 number="${{ steps.author.outputs.number }}"
98140 type="${{ steps.author.outputs.type }}"
99141 risk="${{ steps.overall.outputs.risk }}"
100- profile="${{ steps.profile .outputs.risk }}"
101- cred="${{ steps.credential .outputs.risk }}"
142+ profile="${{ steps.results .outputs.profile }}"
143+ cred="${{ steps.results .outputs.credential }}"
102144
103145 if [ "$risk" = "HIGH" ]; then icon="🔴"; else icon="🟡"; fi
104146
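Review bot: The new severity mapping in `risk_to_num` scores a check that produced no usable result as the lowest level — `UNKNOWN|"") echo 0 ;;` and `*) echo 0 ;;` — so an empty or malformed /tmp/profile.json or /tmp/cred.json, or a risk label the tool emits that is not in extract_risk's HIGH|MEDIUM|LOW|NONE list, now yields an overall UNKNOWN where the removed lines produced MEDIUM. If the `Comment on MEDIUM or HIGH risk` step's condition (outside the hunk) matches only those two values, a broken, silenced or downgraded check no longer surfaces on the PR, which is a fail-open default for a contributor-vetting gate. Restoring the earlier fail-closed score, `UNKNOWN|"") echo 2 ;;` and `*) echo 2 ;;`, or letting the comment step also fire on UNKNOWN, keeps the per-check UNKNOWN visible in the summary table while still forcing a human look. In extract_risk the `"")` and `*)` branches are identical and can be collapsed into one, and `file`, `fallback` and `risk` should be declared `local` so they do not leak into the step's shell. The credential-audit `run:` block the hunk opens with begins outside the hunk.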
@@ -151,7 +193,7 @@ jobs:
151193 echo "## $icon Contributor Check: \`${{ steps.author.outputs.username }}\`"
152194 echo "| Check | Risk |"
153195 echo "|-------|------|"
154- echo "| Profile | ${{ steps.profile .outputs.risk }} |"
155- echo "| Credential | ${{ steps.credential .outputs.risk }} |"
196+ echo "| Profile | ${{ steps.results .outputs.profile }} |"
197+ echo "| Credential | ${{ steps.results .outputs.credential }} |"
156198 echo "| **Overall** | **$risk** |"
157199 } >> "$GITHUB_STEP_SUMMARY"