Check that actions specify hashes instead of allowlist (#24042)

heiskr · web-flow · commit 55ee70e06ba9 · 2022-01-04T17:43:40.000Z
* Check that actions specify hashes instead of allowlist

* Fixes for unhashed version

* Update actions-workflows.js
diff --git a/.github/allowed-actions.js b/.github/allowed-actions.js
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -31,8 +31,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
-      - uses: github/codeql-action/init@v1
+      - uses: github/codeql-action/init@5f532563584d71fdef14ee64d17bafb34f751ce5
         with:
           languages: javascript # comma separated list of values from {go, python, javascript, java, cpp, csharp} (not YET ruby, sorry!)
-      - uses: github/codeql-action/analyze@v1
+      - uses: github/codeql-action/analyze@5f532563584d71fdef14ee64d17bafb34f751ce5
         continue-on-error: true
diff --git a/tests/unit/actions-workflows.js b/tests/unit/actions-workflows.js
@@ -3,8 +3,7 @@ import path from 'path'
 import fs from 'fs'
 import yaml from 'js-yaml'
 import flat from 'flat'
-import { chain, difference, get } from 'lodash-es'
-import allowedActions from '../../.github/allowed-actions.js'
+import { chain, get } from 'lodash-es'
 const __dirname = path.dirname(fileURLToPath(import.meta.url))
 const workflowsDir = path.join(__dirname, '../../.github/workflows')
 const workflows = fs
@@ -31,16 +30,13 @@ const scheduledWorkflows = workflows
 const allUsedActions = chain(workflows).map(actionsUsedInWorkflow).flatten().uniq().sort().value()
 
 describe('GitHub Actions workflows', () => {
-  test('all used actions are allowed in .github/allowed-actions.js', () => {
+  test('all used actions are listed', () => {
     expect(allUsedActions.length).toBeGreaterThan(0)
-    const unusedActions = difference(allowedActions, allUsedActions)
-    expect(unusedActions).toEqual([])
   })
 
-  test('all allowed actions by .github/allowed-actions.js are used by at least one workflow', () => {
-    expect(allowedActions.length).toBeGreaterThan(0)
-    const disallowedActions = difference(allUsedActions, allowedActions)
-    expect(disallowedActions).toEqual([])
+  test.each(allUsedActions)('requires specific hash: %p', (actionName) => {
+    const actionRegexp = /^[A-Za-z0-9-/]+@[0-9a-f]{40}$/
+    expect(actionName).toMatch(actionRegexp)
   })
 
   test('no scheduled workflows run on the hour', () => {
