feat: checks pinned version for job.uses

zgosalvez · Oct 9, 2021 · 9acf31d · 9acf31d
1 parent 8877889
commit 9acf31d
Showing 1 changed file with 26 additions and 17 deletions.
diff --git a/src/index.js b/src/index.js
@@ -5,6 +5,12 @@ const path = require('path');
 const sha1 = require('sha1-regex');
 const yaml = require('yaml');
 
+function assertUsesSHA(uses) {
+  return typeof uses === 'string' &&
+    uses.includes('@') &&
+    sha1.test(uses.substr(uses.indexOf('@') + 1))
+}
+
 async function run() {
   try {
     const workflowsPath = '.github/workflows';
@@ -23,27 +29,30 @@ async function run() {
       }
 
       core.startGroup(workflowsPath + '/' + basename);
-      
+
       for (const job in jobs) {
+        const uses = jobs[job]['uses'];
         const steps = jobs[job]['steps'];
 
-        if (steps === undefined) {
-          core.warning(`The "${job}" job of the "${basename}" workflow does not contain steps.`);
-        }
-
-        for (const step of steps) {
-          const uses = step['uses'];
+        if (uses !== undefined) {
+          if (!assertUsesSHA(uses)) {
+            actionHasError = true;
+            fileHasError = true;
 
-          if (typeof uses === 'string' && uses.includes('@')) {
-            const version = uses.substr(uses.indexOf('@') + 1);
-
-            if (!sha1.test(version)) {
-              actionHasError = true;
-              fileHasError = true;
+            core.error(`${uses} is not pinned to a full length commit SHA.`);
+          }
+        } else if (steps !== undefined) {
+          for (const step of steps) {
+            const uses = step['uses'];
+              if (!assertUsesSHA(uses)) {
+                actionHasError = true;
+                fileHasError = true;
 
-              core.error(`${uses} is not pinned to a full length commit SHA.`);
+                core.error(`${uses} is not pinned to a full length commit SHA.`);
+              }
             }
-          }
+        } else {
+          core.warning(`The "${job}" job of the "${basename}" workflow does not contain steps or uses.`);
         }
       }
 
@@ -53,7 +62,7 @@ async function run() {
 
       core.endGroup();
     }
-    
+
     if (actionHasError) {
       throw new Error('At least one workflow contains an unpinned GitHub Action version.');
     }
@@ -62,4 +71,4 @@ async function run() {
   }
 }
 
-run();
+run();