ivuorinen/actions
1
0
Fork 0
mirror of https://github.com/ivuorinen/actions.git synced 2026-03-08 04:56:33 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
f995f89a21ae2dec451d48e66eeb6701243bfaa7
actions/_tools/check-version-refs.sh
Ismo Vuorinen f995f89a21 chore(claude): add hooks, skills, and agents for Claude Code (#496) 
* chore(claude): add hooks, skills, and agents for Claude Code

Add auto-formatting hooks (ruff, shfmt, prettier, actionlint),
rules.yml edit blocker, 5 skills (/release, /test-action,
/new-action, /validate, /check-pins), and 2 subagents
(action-validator, test-coverage-reviewer). Update CLAUDE.md
with hook documentation.

* fix(claude): add tool availability guards and fix skill docs

Add jq availability checks to hook scripts (block-rules-yml.sh,
post-edit-write.sh) and wrap actionlint call in command -v guard,
consistent with project rules #2 and #10. Fix validate skill to
reflect actual make all pipeline order and note that make test
runs separately.

* fix(claude): correct skill docs per PR review feedback

Fix validate skill description to say "precommit" instead of "test",
and fix check-pins SHA guidance to use origin/main instead of HEAD.

* feat(tools): add SHA-pinning enforcement to check-version-refs

The check-version-refs script previously only displayed existing
SHA-pinned refs but silently skipped non-SHA references. Add a
validation pass that detects and reports any ivuorinen/actions/*
references not using a 40-char hex SHA, exiting 1 on violations.

* fix(tools): fix temp file leak in check-version-refs.sh

Write find output directly to $violations_file instead of
$violations_file.all so the EXIT trap covers cleanup on all
exit paths, not just the happy path.
2026-03-08 04:22:02 +02:00

145 lines
4.1 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
# Check and display all current SHA-pinned action references
set -eu
# Source shared utilities
# shellcheck source=_tools/shared.sh
SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)
# shellcheck disable=SC1091
. "$SCRIPT_DIR/shared.sh"
# Warn once if git is not available
if ! has_git; then
printf '%b' "${YELLOW}Warning: git is not installed or not in PATH${NC}\n" >&2
printf 'Git tag information will not be available.\n' >&2
fi
# Check for required coreutils
for tool in find grep sed printf sort cut tr wc; do
if ! command -v "$tool" >/dev/null 2>&1; then
printf '%b' "${RED}Error: Required tool '%s' is not installed or not in PATH${NC}\n" "$tool" >&2
printf 'Please install coreutils to use this script.\n' >&2
exit 1
fi
done
# --- Validation pass: detect non-SHA-pinned references ---
violations_file=$(safe_mktemp)
trap 'rm -f "$violations_file"' EXIT
find . -maxdepth 2 -name "action.yml" -path "*/action.yml" \
! -path "./_*" ! -path "./.github/*" \
-exec grep -nE '^\s+uses:\s+ivuorinen/actions/' {} /dev/null \; \
>"$violations_file"
violations_found=false
while IFS= read -r match; do
if ! printf '%s\n' "$match" | grep -qE '@[0-9a-f]{40}'; then
if [ "$violations_found" = false ]; then
msg_error "Non-SHA-pinned action references found:"
violations_found=true
fi
printf ' %s\n' "$match" >&2
fi
done <"$violations_file"
if [ "$violations_found" = true ]; then
rm -f "$violations_file"
exit 1
fi
rm -f "$violations_file"
printf '%b' "${BLUE}Current SHA-pinned action references:${NC}\n"
printf '\n'
# Create temp files for processing
temp_file=$(safe_mktemp)
temp_input=$(safe_mktemp)
trap 'rm -f "$temp_file" "$temp_input"' EXIT
# Find all action references and collect SHA|action pairs
# Use input redirection to avoid subshell issues with pipeline
find . -maxdepth 2 -name "action.yml" -path "*/action.yml" ! -path "./_*" ! -path "./.github/*" -exec grep -h "uses: ivuorinen/actions/" {} \; >"$temp_input"
while IFS= read -r line; do
# Extract action name and SHA using sed
action=$(echo "$line" | sed -n 's|.*ivuorinen/actions/\([a-z-]*\)@.*|\1|p')
sha=$(echo "$line" | sed -n 's|.*@\([a-f0-9]\{40\}\).*|\1|p')
if [ -n "$action" ] && [ -n "$sha" ]; then
printf '%s\n' "$sha|$action" >>"$temp_file"
fi
done <"$temp_input"
# Check if we found any references
if [ ! -s "$temp_file" ]; then
printf '%b' "${YELLOW}No SHA-pinned references found${NC}\n"
exit 0
fi
# Sort by SHA and group
sort "$temp_file" | uniq >"${temp_file}.sorted"
mv "${temp_file}.sorted" "$temp_file"
# Count unique SHAs
sha_count=$(cut -d'|' -f1 "$temp_file" | sort -u | wc -l | tr -d ' ')
if [ "$sha_count" -eq 1 ]; then
printf '%b' "${GREEN}✓ All references use the same SHA (consistent)${NC}\n"
printf '\n'
fi
# Process and display grouped by SHA
current_sha=""
actions_list=""
while IFS='|' read -r sha action; do
if [ "$sha" != "$current_sha" ]; then
# Print previous SHA group if exists
if [ -n "$current_sha" ]; then
# Try to find tags pointing to this SHA
if has_git; then
tags=$(git tag --points-at "$current_sha" 2>/dev/null | tr '\n' ', ' | sed 's/,$//')
else
tags=""
fi
printf '%b' "${GREEN}SHA: $current_sha${NC}\n"
if [ -n "$tags" ]; then
printf '%b' " Tags: ${BLUE}$tags${NC}\n"
fi
printf ' Actions: %s\n' "$actions_list"
printf '\n'
fi
# Start new SHA group
current_sha="$sha"
actions_list="$action"
else
# Add to current SHA group
actions_list="$actions_list, $action"
fi
done <"$temp_file"
# Print last SHA group
if [ -n "$current_sha" ]; then
if has_git; then
tags=$(git tag --points-at "$current_sha" 2>/dev/null | tr '\n' ', ' | sed 's/,$//')
else
tags=""
fi
printf '%b' "${GREEN}SHA: $current_sha${NC}\n"
if [ -n "$tags" ]; then
printf '%b' " Tags: ${BLUE}$tags${NC}\n"
fi
printf ' Actions: %s\n' "$actions_list"
printf '\n'
fi
printf '%b' "${BLUE}Summary:${NC}\n"
printf ' Unique SHAs: %s\n' "$sha_count"
if [ "$sha_count" -gt 1 ]; then
printf '%b' " ${YELLOW}⚠ Warning: Multiple SHAs in use (consider updating)${NC}\n"
fi
Reference in New Issue View Git Blame Copy Permalink