]> git-server-git.apps.pok.os.sepia.ceph.com Git - ceph.git/commitdiff
projects / ceph.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6cceb6c)
scripts: add script to fix GH workflows 65720/head
authorErnesto Puerta <epuertat@redhat.com>
Mon, 29 Sep 2025 15:58:35 +0000 (17:58 +0200)
committerErnesto Puerta <epuertat@redhat.com>
Mon, 29 Sep 2025 16:17:56 +0000 (18:17 +0200)
Fixes: https://tracker.ceph.com/issues/73307
Signed-off-by: Ernesto Puerta <epuertat@redhat.com>
src/script/pin-gh-workflow-deps.sh [new file with mode: 0755] patch | blob

diff --git a/src/script/pin-gh-workflow-deps.sh b/src/script/pin-gh-workflow-deps.sh
new file mode 100755 (executable)
index 0000000..bdb7040
--- /dev/null
+++ b/src/script/pin-gh-workflow-deps.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+WORKFLOWS_DIR="${1:-.}/.github/workflows"
+
+echo "Scanning workflows in: $WORKFLOWS_DIR"
+
+# Recursively grep workflow files for actions not pinned to SHA-1
+grep -Prno --include="*.yml" --include="*.yaml" 'uses:\s*([^/]+)/([^@]+)@([^[:space:]]+)' "${WORKFLOWS_DIR}" | \
+  while IFS=: read -r file _line_num uses_line; do
+    echo -n "$file - "
+    # Extract owner/repo/version
+    if [[ "$uses_line" =~ uses:\ ([^/]+)/([^@]+)@([^[:space:]]+) ]]; then
+        owner="${BASH_REMATCH[1]}"
+        repo="${BASH_REMATCH[2]}"
+        version="${BASH_REMATCH[3]}"
+        action="$owner/$repo"
+        echo -n "$owner/$repo: "
+    else
+        echo "Failed to parse line: $uses_line [FAIL]"
+        continue
+    fi
+
+    # Skip if already pinned to SHA
+    if [[ "$version" =~ ^[0-9a-f]{40}$ ]]; then
+        echo "SHA-1 pinned: $version [OK]"
+        continue
+    else
+        echo -n "Tag pinned: $version [WARNING], "
+    fi
+
+    api_url="https://api.github.com/repos/$owner/$repo/git/ref/tags/$version"
+
+    # Get full SHA
+    sha=$(curl -s "$api_url" | jq -r '.object.sha')
+    if [[ "$sha" == "null" || -z "$sha" ]]; then
+        echo "Could not resolve $action@$version [FAIL]"
+        continue
+    fi
+
+    echo "Replacing $version → $sha [OK]"
+
+    # Precise sed replacement: match 'uses:' literally and append comment
+    sed -i.bak "s|uses:\s*$action@$version|uses: $action@$sha # $version|g" "$file"
+done
Unnamed repository; edit this file 'description' to name the repository.