microsoft/hve-core
Publicmirrored fromhttps://github.com/microsoft/hve-coreAvailable
.github/workflows/action-version-consistency-scan.yml
158lines · modecode
| 1 | name: Action Version Consistency Scan |
| 2 | |
| 3 | on: |
| 4 | workflow_call: |
| 5 | inputs: |
| 6 | soft-fail: |
| 7 | description: 'Whether to continue on compliance violations' |
| 8 | required: false |
| 9 | type: boolean |
| 10 | default: false |
| 11 | upload-sarif: |
| 12 | description: 'Whether to upload SARIF results to Security tab' |
| 13 | required: false |
| 14 | type: boolean |
| 15 | default: false |
| 16 | upload-artifact: |
| 17 | description: 'Whether to upload results as artifact' |
| 18 | required: false |
| 19 | type: boolean |
| 20 | default: true |
| 21 | outputs: |
| 22 | mismatch-count: |
| 23 | description: 'Number of version mismatches found' |
| 24 | value: ${{ jobs.scan.outputs.mismatch-count }} |
| 25 | missing-comments: |
| 26 | description: 'Number of missing version comments found' |
| 27 | value: ${{ jobs.scan.outputs.missing-comments }} |
| 28 | is-compliant: |
| 29 | description: 'Whether repository meets compliance' |
| 30 | value: ${{ jobs.scan.outputs.is-compliant }} |
| 31 | |
| 32 | permissions: |
| 33 | contents: read |
| 34 | |
| 35 | jobs: |
| 36 | scan: |
| 37 | name: Validate Action Version Consistency |
| 38 | runs-on: ubuntu-latest |
| 39 | permissions: |
| 40 | contents: read |
| 41 | security-events: write # Required for SARIF upload to Security tab |
| 42 | outputs: |
| 43 | mismatch-count: ${{ steps.consistency.outputs.mismatch-count }} |
| 44 | missing-comments: ${{ steps.consistency.outputs.missing-comments }} |
| 45 | is-compliant: ${{ steps.consistency.outputs.is-compliant }} |
| 46 | steps: |
| 47 | - name: Checkout code |
| 48 | uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2 |
| 49 | with: |
| 50 | persist-credentials: false |
| 51 | |
| 52 | - name: Run Action Version Consistency Validation |
| 53 | id: consistency |
| 54 | shell: pwsh |
| 55 | run: | |
| 56 | Write-Host "Validating GitHub Actions version consistency..." |
| 57 | |
| 58 | # Ensure logs directory exists |
| 59 | New-Item -ItemType Directory -Force -Path logs | Out-Null |
| 60 | |
| 61 | # Build parameter list for JSON output |
| 62 | $params = @{ |
| 63 | Path = '.github/workflows' |
| 64 | Format = 'json' |
| 65 | OutputPath = 'logs/action-version-consistency-results.json' |
| 66 | } |
| 67 | |
| 68 | # Enable failure on violations unless soft-fail is requested |
| 69 | if ('${{ inputs.soft-fail }}' -ne 'true') { |
| 70 | $params['FailOnMismatch'] = $true |
| 71 | $params['FailOnMissingComment'] = $true |
| 72 | } |
| 73 | |
| 74 | # Run validation script (JSON format) |
| 75 | & scripts/security/Test-ActionVersionConsistency.ps1 @params |
| 76 | |
| 77 | # Generate SARIF format if requested |
| 78 | if ('${{ inputs.upload-sarif }}' -eq 'true') { |
| 79 | Write-Host "Generating SARIF format for Security tab..." |
| 80 | $params['Format'] = 'sarif' |
| 81 | $params['OutputPath'] = 'logs/action-version-consistency-results.sarif' |
| 82 | |
| 83 | & scripts/security/Test-ActionVersionConsistency.ps1 @params |
| 84 | } |
| 85 | |
| 86 | # Extract metrics from JSON report |
| 87 | if (Test-Path logs/action-version-consistency-results.json) { |
| 88 | $report = Get-Content logs/action-version-consistency-results.json | ConvertFrom-Json |
| 89 | $mismatchCount = $report.MismatchCount |
| 90 | $missingComments = $report.MissingComments |
| 91 | |
| 92 | $isCompliant = ($mismatchCount -eq 0) -and ($missingComments -eq 0) |
| 93 | |
| 94 | "mismatch-count=$mismatchCount" >> $env:GITHUB_OUTPUT |
| 95 | "missing-comments=$missingComments" >> $env:GITHUB_OUTPUT |
| 96 | "is-compliant=$($isCompliant.ToString().ToLower())" >> $env:GITHUB_OUTPUT |
| 97 | |
| 98 | Write-Host "Mismatch Count: $mismatchCount" |
| 99 | Write-Host "Missing Comments: $missingComments" |
| 100 | Write-Host "Is Compliant: $isCompliant" |
| 101 | } |
| 102 | else { |
| 103 | Write-Error "Failed to generate action version consistency report" |
| 104 | exit 1 |
| 105 | } |
| 106 | |
| 107 | - name: Upload SARIF to Security tab |
| 108 | if: inputs.upload-sarif && always() |
| 109 | uses: github/codeql-action/upload-sarif@ce729e4d353d580e6cacd6a8cf2921b72e5e310a # v3.27.0 |
| 110 | with: |
| 111 | sarif_file: logs/action-version-consistency-results.sarif |
| 112 | category: action-version-consistency |
| 113 | continue-on-error: true |
| 114 | |
| 115 | - name: Upload validation report |
| 116 | if: inputs.upload-artifact && always() |
| 117 | uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4.4.3 |
| 118 | with: |
| 119 | name: action-version-consistency-results |
| 120 | path: logs/action-version-consistency-results.json |
| 121 | retention-days: 90 |
| 122 | |
| 123 | - name: Add job summary |
| 124 | if: always() |
| 125 | shell: pwsh |
| 126 | run: | |
| 127 | $mismatchCount = '${{ steps.consistency.outputs.mismatch-count }}' |
| 128 | $missingComments = '${{ steps.consistency.outputs.missing-comments }}' |
| 129 | $isCompliant = '${{ steps.consistency.outputs.is-compliant }}' |
| 130 | |
| 131 | @" |
| 132 | ## Action Version Consistency Scan Results |
| 133 | |
| 134 | | Metric | Value | |
| 135 | |--------|-------| |
| 136 | | Version Mismatches | $mismatchCount | |
| 137 | | Missing Comments | $missingComments | |
| 138 | | Status | $(if ($isCompliant -eq 'true') { '✅ Compliant' } else { '⚠️ Non-Compliant' }) | |
| 139 | |
| 140 | $(if ($isCompliant -ne 'true') { |
| 141 | @" |
| 142 | |
| 143 | ### ⚠️ Action Required |
| 144 | |
| 145 | There are version consistency violations in the GitHub Actions workflows. |
| 146 | Review the workflow log to fix version mismatches or add missing version comments to SHA-pinned actions. |
| 147 | |
| 148 | "@ |
| 149 | } else { |
| 150 | @" |
| 151 | |
| 152 | ### ✅ All Actions Consistent |
| 153 | |
| 154 | All SHA-pinned actions have consistent version comments. |
| 155 | |
| 156 | "@ |
| 157 | }) |
| 158 | "@ | Out-File -FilePath $env:GITHUB_STEP_SUMMARY -Encoding UTF8 |
| 159 | |