Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(github-action): Support updating digest pinned actions #10835

Merged
merged 17 commits into from
Jul 14, 2021
Merged

feat(github-action): Support updating digest pinned actions #10835

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
e016e02
feat(github-action): support sha digests
viceice Jul 14, 2021
8fe56e1
fix: add `replaceString`
viceice Jul 14, 2021
d3f63e7
feat: allow following github tags while pinning
viceice Jul 14, 2021
4665d13
Apply suggestions from code review
viceice Jul 14, 2021
4585564
Merge remote-tracking branch 'origin/HEAD' into feat/gh-action-pinning
viceice Jul 14, 2021
f54f96a
fix: rename variable
viceice Jul 14, 2021
ae4a067
fix: support SHA1 and SHA256
viceice Jul 14, 2021
d43fe4b
feat: support pinning
viceice Jul 14, 2021
22a7748
docs: update docs
viceice Jul 14, 2021
a8c6d46
Update lib/manager/github-actions/readme.md
viceice Jul 14, 2021
4b05023
chore: fix snapshots
viceice Jul 14, 2021
c7092ed
Merge branch 'main' into feat/gh-action-pinning
viceice Jul 14, 2021
fe2c340
Update lib/manager/github-actions/readme.md
viceice Jul 14, 2021
f932ba0
chore: add preset
viceice Jul 14, 2021
ff4864f
Merge branch 'main' into feat/gh-action-pinning
viceice Jul 14, 2021
59eadc1
docs: use preset
viceice Jul 14, 2021
3aa33e6
Merge branch 'main' into feat/gh-action-pinning
viceice Jul 14, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
0 ...ithub-actions/__fixtures__/workflow.yml.1 → ...ithub-actions/__fixtures__/workflow_1.yml
View file
Open in desktop
File renamed without changes.
3 changes: 2 additions & 1 deletion ...ithub-actions/__fixtures__/workflow.yml.2 → ...ithub-actions/__fixtures__/workflow_2.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,11 +11,12 @@ jobs:
# Isn't supported current
uses: actions/bin/shellcheck@master
run: ./entrypoint.sh
- uses: docker/setup-qemu-action@c308fdd69d26ed66f4506ebd74b180abe5362145 # renovate: tag=v1.1.0
build:
name: Build
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@1.0.0
# - uses: docker/setup-qemu-action@v1
- uses: docker/setup-qemu-action@c308fdd69d26ed66f4506ebd74b180abe5362145
- name: Build
uses: docker/build-push-action@v2
22 changes: 22 additions & 0 deletions lib/manager/github-actions/__snapshots__/extract.spec.ts.snap
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,17 @@ Array [
"skipReason": "invalid-version",
"versioning": "docker",
},
Object {
"commitMessageTopic": "{{{depName}}} action",
"currentDigest": "c308fdd69d26ed66f4506ebd74b180abe5362145",
"currentValue": "v1.1.0",
"datasource": "github-tags",
"depName": "docker/setup-qemu-action",
"depType": "action",
"pinDigests": false,
"replaceString": " - uses: docker/setup-qemu-action@c308fdd69d26ed66f4506ebd74b180abe5362145 # renovate: tag=v1.1.0",
"versioning": "docker",
},
Object {
"commitMessageTopic": "{{{depName}}} action",
"currentValue": "1.0.0",
Expand All @@ -21,6 +32,17 @@ Array [
"pinDigests": false,
"versioning": "docker",
},
Object {
"commitMessageTopic": "{{{depName}}} action",
"currentDigest": "c308fdd69d26ed66f4506ebd74b180abe5362145",
"currentValue": undefined,
"datasource": "github-tags",
"depName": "docker/setup-qemu-action",
"depType": "action",
"pinDigests": false,
"replaceString": " - uses: docker/setup-qemu-action@c308fdd69d26ed66f4506ebd74b180abe5362145",
"versioning": "docker",
},
Object {
"commitMessageTopic": "{{{depName}}} action",
"currentValue": "v2",
Expand Down
6 changes: 3 additions & 3 deletions lib/manager/github-actions/extract.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
import { getName, loadFixture } from '../../../test/util';
import { extractPackageFile } from './extract';

const workflow1 = loadFixture('workflow.yml.1');
const workflow2 = loadFixture('workflow.yml.2');
const workflow1 = loadFixture('workflow_1.yml');
const workflow2 = loadFixture('workflow_2.yml');

describe(getName(), () => {
describe('extractPackageFile()', () => {
Expand All @@ -19,7 +19,7 @@ describe(getName(), () => {
expect(res.deps).toMatchSnapshot();
expect(
res.deps.filter((d) => d.datasource === 'github-tags')
).toHaveLength(3);
).toHaveLength(5);
});
});
});
53 changes: 35 additions & 18 deletions lib/manager/github-actions/extract.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,11 @@ import * as dockerVersioning from '../../versioning/docker';
import { getDep } from '../dockerfile/extract';
import type { PackageDependency, PackageFile } from '../types';

const dockerRe = /^\s+uses: docker:\/\/([^"]+)\s*$/;
const actionRe =
/^\s+-?\s+?uses: (?<depName>[\w-]+\/[\w-]+)(?<path>.*)?@(?<currentValue>.+?)(?: # renovate: tag=(?<tag>.+?))?\s*?$/;
const sha256Re = /^[a-z0-9]{40}$/;

export function extractPackageFile(content: string): PackageFile | null {
logger.trace('github-actions.extractPackageFile()');
const deps: PackageDependency[] = [];
Expand All @@ -13,7 +18,7 @@ export function extractPackageFile(content: string): PackageFile | null {
continue; // eslint-disable-line no-continue
}

const dockerMatch = /^\s+uses: docker:\/\/([^"]+)\s*$/.exec(line);
const dockerMatch = dockerRe.exec(line);
if (dockerMatch) {
const [, currentFrom] = dockerMatch;
const dep = getDep(currentFrom);
Expand All @@ -23,25 +28,37 @@ export function extractPackageFile(content: string): PackageFile | null {
continue; // eslint-disable-line no-continue
}

const tagMatch =
/^\s+-?\s+?uses: (?<depName>[\w-]+\/[\w-]+)(?<path>.*)?@(?<currentValue>.+?)\s*?$/.exec(
line
);
const tagMatch = actionRe.exec(line);
if (tagMatch?.groups) {
const { depName, currentValue } = tagMatch.groups;
const dep: PackageDependency = {
depName,
currentValue,
commitMessageTopic: '{{{depName}}} action',
datasource: githubTagsDatasource.id,
versioning: dockerVersioning.id,
depType: 'action',
pinDigests: false,
};
if (!dockerVersioning.api.isValid(currentValue)) {
dep.skipReason = SkipReason.InvalidVersion;
const { depName, currentValue, tag } = tagMatch.groups;
if (sha256Re.test(currentValue)) {
const dep: PackageDependency = {
depName,
currentValue: tag,
currentDigest: currentValue,
commitMessageTopic: '{{{depName}}} action',
datasource: githubTagsDatasource.id,
versioning: dockerVersioning.id,
depType: 'action',
pinDigests: false,
replaceString: line,
};
deps.push(dep);
} else {
const dep: PackageDependency = {
depName,
currentValue,
commitMessageTopic: '{{{depName}}} action',
datasource: githubTagsDatasource.id,
versioning: dockerVersioning.id,
depType: 'action',
pinDigests: false,
};
if (!dockerVersioning.api.isValid(currentValue)) {
dep.skipReason = SkipReason.InvalidVersion;
}
deps.push(dep);
}
deps.push(dep);
}
}
if (!deps.length) {
Expand Down
16 changes: 16 additions & 0 deletions lib/manager/github-actions/readme.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1,17 @@
The `github-actions` manager extracts dependencies from GitHub Actions workflow and workflow template files.

If you like to use digest pinning but following the action version, you can use the following sample:

```yaml
name: build

on: [push]

jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@af513c7a016048ae468971c52ed77d9562c7c819 # renovate: tag=v1.0.0
```

So renovate will update the commit sha but follow the github tag you specified.