From e936cab461721fbfff3b88dff28ad59b5fe0af3b Mon Sep 17 00:00:00 2001 From: Ernesto Puerta Date: Mon, 29 Sep 2025 17:58:35 +0200 Subject: [PATCH] scripts: add script to fix GH workflows Fixes: https://tracker.ceph.com/issues/73307 Signed-off-by: Ernesto Puerta --- src/script/pin-gh-workflow-deps.sh | 45 ++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100755 src/script/pin-gh-workflow-deps.sh diff --git a/src/script/pin-gh-workflow-deps.sh b/src/script/pin-gh-workflow-deps.sh new file mode 100755 index 0000000000000..bdb7040387d47 --- /dev/null +++ b/src/script/pin-gh-workflow-deps.sh @@ -0,0 +1,45 @@ +#!/usr/bin/env bash +set -euo pipefail + +WORKFLOWS_DIR="${1:-.}/.github/workflows" + +echo "Scanning workflows in: $WORKFLOWS_DIR" + +# Recursively grep workflow files for actions not pinned to SHA-1 +grep -Prno --include="*.yml" --include="*.yaml" 'uses:\s*([^/]+)/([^@]+)@([^[:space:]]+)' "${WORKFLOWS_DIR}" | \ + while IFS=: read -r file _line_num uses_line; do + echo -n "$file - " + # Extract owner/repo/version + if [[ "$uses_line" =~ uses:\ ([^/]+)/([^@]+)@([^[:space:]]+) ]]; then + owner="${BASH_REMATCH[1]}" + repo="${BASH_REMATCH[2]}" + version="${BASH_REMATCH[3]}" + action="$owner/$repo" + echo -n "$owner/$repo: " + else + echo "Failed to parse line: $uses_line [FAIL]" + continue + fi + + # Skip if already pinned to SHA + if [[ "$version" =~ ^[0-9a-f]{40}$ ]]; then + echo "SHA-1 pinned: $version [OK]" + continue + else + echo -n "Tag pinned: $version [WARNING], " + fi + + api_url="https://api.github.com/repos/$owner/$repo/git/ref/tags/$version" + + # Get full SHA + sha=$(curl -s "$api_url" | jq -r '.object.sha') + if [[ "$sha" == "null" || -z "$sha" ]]; then + echo "Could not resolve $action@$version [FAIL]" + continue + fi + + echo "Replacing $version → $sha [OK]" + + # Precise sed replacement: match 'uses:' literally and append comment + sed -i.bak "s|uses:\s*$action@$version|uses: $action@$sha # $version|g" "$file" +done -- 2.39.5