Skip to content

Commit ca98707

Browse files
authored
Merge pull request #72 from step-security/feat/update-subscription-check
feat: added banner and update subscription check to make maintained actions free for public repos
2 parents efde16f + efd29f7 commit ca98707

4 files changed

Lines changed: 54 additions & 21 deletions

File tree

Dockerfile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
FROM python:3.14-alpine3.23@sha256:faee120f7885a06fcc9677922331391fa690d911c020abb9e8025ff3d908e510
22

3-
RUN apk add --no-cache curl && apk upgrade --no-cache zlib
3+
RUN apk add --no-cache curl jq && apk upgrade --no-cache zlib
44

55
COPY LICENSE \
66
README.md \

README.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,5 @@
1+
[![StepSecurity Maintained Action](https://raw.githubusercontent.com/step-security/maintained-actions-assets/main/assets/maintained-action-banner.png)](https://docs.stepsecurity.io/actions/stepsecurity-maintained-actions)
2+
13
# Codespell with GitHub Actions -- including annotations for Pull Requests
24

35
This GitHub Actions runs codespell over your code.

entrypoint.sh

Lines changed: 40 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -1,26 +1,49 @@
11
#!/bin/sh
22

3-
# Validate subscription status
4-
API_URL="https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/subscription"
3+
REPO_PRIVATE=$(jq -r '.repository.private | tostring' "$GITHUB_EVENT_PATH" 2>/dev/null || echo "")
4+
UPSTREAM="codespell-project/actions-codespell"
5+
ACTION_REPO="${GITHUB_ACTION_REPOSITORY:-}"
6+
DOCS_URL="https://docs.stepsecurity.io/actions/stepsecurity-maintained-actions"
57

6-
# Set a timeout for the curl command (3 seconds)
7-
RESPONSE=$(curl --max-time 3 -s -w "%{http_code}" "$API_URL" -o /dev/null) || true
8-
CURL_EXIT_CODE=${?}
8+
echo ""
9+
echo -e "\033[1;36mStepSecurity Maintained Action\033[0m"
10+
echo "Secure drop-in replacement for $UPSTREAM"
11+
if [ "$REPO_PRIVATE" = "false" ]; then
12+
echo -e "\033[32m✓ Free for public repositories\033[0m"
13+
fi
14+
echo -e "\033[36mLearn more:\033[0m $DOCS_URL"
15+
echo ""
916

10-
# Decide based on curl exit code and HTTP status
11-
if [ $CURL_EXIT_CODE -ne 0 ]; then
12-
echo "Timeout or API not reachable. Continuing to next step."
13-
elif [ "$RESPONSE" = "200" ]; then
14-
:
15-
elif [ "$RESPONSE" = "403" ]; then
16-
echo "Subscription is not valid. Reach out to support@stepsecurity.io"
17-
exit 1
18-
else
19-
echo "Timeout or API not reachable. Continuing to next step."
17+
if [ "$REPO_PRIVATE" != "false" ]; then
18+
SERVER_URL="${GITHUB_SERVER_URL:-https://github.com}"
19+
20+
if [ "$SERVER_URL" != "https://github.com" ]; then
21+
BODY=$(printf '{"action":"%s","ghes_server":"%s"}' "$ACTION_REPO" "$SERVER_URL")
22+
else
23+
BODY=$(printf '{"action":"%s"}' "$ACTION_REPO")
24+
fi
25+
26+
API_URL="https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription"
27+
28+
RESPONSE=$(curl --max-time 3 -s -w "%{http_code}" \
29+
-X POST \
30+
-H "Content-Type: application/json" \
31+
-d "$BODY" \
32+
"$API_URL" -o /dev/null) && CURL_EXIT_CODE=0 || CURL_EXIT_CODE=$?
33+
34+
if [ $CURL_EXIT_CODE -ne 0 ]; then
35+
echo "Timeout or API not reachable. Continuing to next step."
36+
elif [ "$RESPONSE" = "403" ]; then
37+
echo -e "::error::\033[1;31mThis action requires a StepSecurity subscription for private repositories.\033[0m"
38+
echo -e "::error::\033[31mLearn how to enable a subscription: $DOCS_URL\033[0m"
39+
exit 1
40+
fi
2041
fi
2142

22-
# Copy the matcher to the host system; otherwise "add-matcher" can't find it.
23-
cp /code/codespell-matcher.json /github/workflow/codespell-matcher.json
43+
# Copy the matcher directly to RUNNER_TEMP; the /github/workflow bind-mount is not reliable.
44+
CODE_DIR="${CODE_DIR:-/code}"
45+
mkdir -p "${RUNNER_TEMP}/_github_workflow"
46+
cp "${CODE_DIR}/codespell-matcher.json" "${RUNNER_TEMP}/_github_workflow/codespell-matcher.json"
2447
echo "::add-matcher::${RUNNER_TEMP}/_github_workflow/codespell-matcher.json"
2548

2649
# Run codespell.

test/test.bats

Lines changed: 11 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -29,10 +29,18 @@ function setup() {
2929
[ -d "/code/" ] || sudo mkdir -p /code/
3030
[ -f "/code/codespell-matcher.json" ] || sudo cp codespell-problem-matcher/codespell-matcher.json /code/
3131
#ls -alR /code/
32+
# Create the _github_workflow dir that entrypoint.sh copies the matcher into
33+
[ -d "${RUNNER_TEMP}/_github_workflow/" ] || sudo mkdir -p ${RUNNER_TEMP}/_github_workflow/ && sudo chmod 777 ${RUNNER_TEMP}/_github_workflow/
3234
# Add a random place BATS tries to put it
3335
[ -d "/github/workflow/" ] || sudo mkdir -p /github/workflow/ && sudo chmod 777 /github/workflow/
3436
#ls -alR /github/workflow/
3537

38+
# Set GITHUB_EVENT_PATH to a fake public-repo event so REPO_PRIVATE=false,
39+
# which skips the subscription check and keeps banner output deterministic.
40+
local event_file="/tmp/test-event.json"
41+
printf '{"repository":{"private":false}}' > "${event_file}"
42+
export GITHUB_EVENT_PATH="${event_file}"
43+
3644
# Set default input values
3745
export INPUT_CHECK_FILENAMES=""
3846
export INPUT_CHECK_HIDDEN=""
@@ -54,9 +62,9 @@ function setup() {
5462
[ $status -eq $expectedExitStatus ]
5563

5664
# Check output
57-
[ "${lines[0]}" == "::add-matcher::${RUNNER_TEMP}/_github_workflow/codespell-matcher.json" ]
58-
outputRegex="^Running codespell on '${INPUT_PATH}'"
59-
[[ "${lines[1]}" =~ $outputRegex ]]
65+
[[ "${output}" == *"::add-matcher::${RUNNER_TEMP}/_github_workflow/codespell-matcher.json"* ]]
66+
outputRegex="Running codespell on '${INPUT_PATH}'"
67+
[[ "${output}" =~ $outputRegex ]]
6068
[ "${lines[-4 - $errorCount]}" == "$errorCount" ]
6169
[ "${lines[-3]}" == "Codespell found one or more problems" ]
6270
[ "${lines[-2]}" == "::remove-matcher owner=codespell-matcher-default::" ]

0 commit comments

Comments
 (0)