fix #116: support composite actions (#239)

* fix #116: support composite actions

* improve parsing error

* trigger workflow

* Revert "trigger workflow"

This reverts commit cdda5ad.

* specify repository name to handle validation on fork

* Update index.js.map

* Update index.js.map

---------

Co-authored-by: Zennon Gosalvez <[email protected]>

Author: atchertchian

.github/workflows/ci.yml

@@ -24,6 +24,7 @@ jobs:
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
       with:
         ref: ${{ github.head_ref }} # https://github.com/stefanzweifel/git-auto-commit-action#checkout-the-correct-branch
+        repository: ${{ github.event.pull_request.head.repo.full_name }}
     - name: Get runs.using version
       id: get-runs-using-version
       uses: zgosalvez/github-actions-get-action-runs-using-version@0a8dcac2c28bdcbfcbdca07d46bae8eab7930dc2

dist/index.js

@@ -11,42 +11,93 @@ async function run() {
   try {
     const allowlist = core.getInput('allowlist');
     const isDryRun = core.getInput('dry_run') === 'true';
+    let hasError = false;
+
     const workflowsPath = process.env['ZG_WORKFLOWS_PATH'] || '.github/workflows';
-    const globber = await glob.create([workflowsPath + '/*.yaml', workflowsPath + '/*.yml'].join('\n'));
-    let actionHasError = false;
+    const workflowsGlobber = await glob.create([
+      workflowsPath + '/*.yaml',
+      workflowsPath + '/*.yml'
+    ].join('\n'));
 
-    for await (const file of globber.globGenerator()) {
+    for await (const file of workflowsGlobber.globGenerator()) {
       const basename = path.basename(file);
       const fileContents = fs.readFileSync(file, 'utf8');
       const yamlContents = yaml.parse(fileContents);
-      const jobs = yamlContents['jobs'];
       let fileHasError = false;
 
-      if (jobs === undefined) {
+      let jobs = getYamlAttribute(yamlContents, 'jobs');
+      if (jobs === undefined || jobs === null) {
         core.setFailed(`The "${basename}" workflow does not contain jobs.`);
+        break;
       }
 
       core.startGroup(workflowsPath + '/' + basename);
 
       for (const job in jobs) {
-        const uses = jobs[job]['uses'];
-        const steps = jobs[job]['steps'];
+        jobObject = jobs[job];
         let jobHasError = false;
-
-        if (uses !== undefined) {
-          jobHasError = runAssertions(uses, allowlist, isDryRun);
-        } else if (steps !== undefined) {
-          for (const step of steps) {
-            if (!jobHasError) {
-              jobHasError = runAssertions(step['uses'], allowlist, isDryRun);
+        if (jobObject === undefined || jobObject === null) {
+          core.warning(`The "${job}" job of the "${basename}" workflow is undefined.`);
+          jobHasError = true;
+        } else {
+          const uses = getYamlAttribute(jobObject, "uses");
+          const steps = getYamlAttribute(jobObject, "steps");
+          if (uses !== undefined && uses !== null) {
+            jobHasError = runAssertions(uses, allowlist, isDryRun);
+          } else if (steps !== undefined && steps !== null) {
+            for (const step of steps) {
+              if (!jobHasError) {
+                jobHasError = runAssertions(step['uses'], allowlist, isDryRun);
+              }
             }
+          } else {
+            core.warning(`The "${job}" job of the "${basename}" workflow does not contain uses or steps.`);
           }
-        } else {
-          core.warning(`The "${job}" job of the "${basename}" workflow does not contain uses or steps.`);  
         }
 
         if (jobHasError) {
-          actionHasError = true;
+          hasError = true;
+          fileHasError = true;
+        }
+      }
+
+      if (!fileHasError) {
+        core.info('No issues were found.');
+      }
+
+      core.endGroup();
+    }
+
+    const actionsPath = process.env['ZG_ACTIONS_PATH'] || '.github/actions';
+    const actionsGlobber = await glob.create([
+      actionsPath + '/*/action.yaml',
+      actionsPath + '/*/action.yml'
+    ].join('\n'));
+
+    for await (const file of actionsGlobber.globGenerator()) {
+      const basename = path.basename(path.dirname(file));
+      const fileContents = fs.readFileSync(file, 'utf8');
+      const yamlContents = yaml.parse(fileContents);
+      let fileHasError = false;
+
+      let runs = getYamlAttribute(yamlContents, 'runs');
+      if (runs === undefined || runs === null) {
+        core.setFailed(`The "${basename}" action does not contain runs.`);
+        break;
+      }
+
+      core.startGroup(actionsPath + '/' + basename);
+
+      let runHasError = false;
+      const steps = getYamlAttribute(runs, 'steps');
+      if (steps !== undefined && steps !== null) {
+        for (const step of steps) {
+          if (!runHasError) {
+            runHasError = runAssertions(step['uses'], allowlist, isDryRun);
+          }
+        }
+        if (runHasError) {
+          hasError = true;
           fileHasError = true;
         }
       }
@@ -58,8 +109,8 @@ async function run() {
       core.endGroup();
     }
 
-    if (!isDryRun && actionHasError) {
-      throw new Error('At least one workflow contains an unpinned GitHub Action version.');
+    if (!isDryRun && hasError) {
+      throw new Error('At least one workflow or composite action contains an unpinned GitHub Action version.');
     }
   } catch (error) {
     core.setFailed(error.message);
@@ -68,6 +119,13 @@ async function run() {
 
 run();
 
+function getYamlAttribute(yamlContents, attribute) {
+  if (yamlContents && typeof yamlContents === 'object' && Object.prototype.hasOwnProperty.call(yamlContents, attribute)) {
+    return yamlContents[attribute];
+  }
+  return undefined;
+}
+
 function assertUsesVersion(uses) {
   return typeof uses === 'string' && uses.includes('@');
 }
@@ -89,7 +147,7 @@ function assertUsesAllowlist(uses, allowlist) {
   const isAllowed = allowlist.split(/\r?\n/).some((allow) => action.startsWith(allow));
 
   if(isAllowed) {
-    core.info(`${action} matched allowlist — ignoring action.`)
+    core.info(`${action} matched allowlist — ignoring action.`);
   }
 
   return isAllowed;