From 00882aceab921c644118a94bcaf92304f1d0e144 Mon Sep 17 00:00:00 2001
From: Andrea Brancaleoni
Date: Wed, 8 May 2024 14:41:29 +0200
Subject: [PATCH] action.yml: no more bash
---
 action.yml | 59 ++++++++++++++++++++++++++++++++++++------------------
 1 file changed, 39 insertions(+), 20 deletions(-)
diff --git a/action.yml b/action.yml
index da453262..16e9aa5b 100644
--- a/action.yml
+++ b/action.yml
@@ -167,13 +167,18 @@ runs:
 bundler-cache: true
 - if: ${{ steps.reviewdog-enabled.outputs.result == 'true' }}
 name: Install semgrep & pip-audit
- shell: bash
- run: |
- python3 -m pip install --disable-pip-version-check -r ${{ github.action_path }}/requirements.txt
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const { execSync } = require('child_process');
+ execSync('pip install --disable-pip-version-check -r ${{ github.action_path }}/requirements.txt');
 - if: ${{ steps.reviewdog-enabled.outputs.result == 'true' }}
 name: Install xmllint for safesvg
- shell: bash
- run: sudo apt-get install -y libxml2-utils
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const { execSync } = require('child_process');
+ execSync('sudo apt-get install -y libxml2-utils');
 - if: ${{ steps.reviewdog-enabled.outputs.result == 'true' }}
 name: Install tfsec
 uses: jaxxstorm/action-install-gh-release@71d17cb091aa850acb2a1a4cf87258d183eb941b # v1.11.0
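Review bot: The new `execSync('pip install … -r ${{ github.action_path }}/requirements.txt')` pastes an Actions expression into a JavaScript string literal that `execSync` then hands to a shell, so the step still spawns a shell and now also depends on the path containing no quote, backslash or space. The same pattern is used for `debug.sh` and both `reviewdog.sh` calls in the next hunk. Passing the path through the step's `env:` as `ACTION_PATH: ${{ github.action_path }}` and calling `execFileSync('python3', ['-m', 'pip', 'install', '--disable-pip-version-check', '-r', process.env.ACTION_PATH + '/requirements.txt'], { stdio: 'inherit' })` keeps the value out of both parsers. That form also retains `python3 -m pip`, which this hunk replaces with bare `pip` and which may therefore install into a different interpreter than the one the later steps run.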
@@ -184,25 +189,36 @@ runs:
 - if: ${{ steps.reviewdog-enabled.outputs.result == 'true' && inputs.debug == 'true'}}
 env:
 ASSIGNEES: ${{inputs.assignees}}
- run: ${{ github.action_path }}/assets/debug.sh
- shell: bash
- # REVIEWDOG Run
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const { execSync } = require('child_process')
+ execSync('${{ github.action_path }}/assets/debug.sh')
+ # REVIEWDOG Run
 - if: ${{ steps.reviewdog-enabled-pr.outputs.result == 'true' }}
 name: Run reviewdog
 id: run-reviewdog-pr
- shell: bash
 env:
 ASSIGNEES: ${{inputs.assignees}}
 REVIEWDOG_GITHUB_API_TOKEN: ${{ inputs.github_token }}
 SEC_ACTION_DEBUG: ${{ inputs.debug }}
 PYPI_INDEX_URL: ${{ inputs.pip_audit_pypi_index_url }}
 PYPI_INSECURE_HOSTS: ${{ inputs.pip_audit_pypi_insecure_hosts }}
- run: ${{ github.action_path }}/assets/reviewdog.sh
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const { execSync } = require('child_process')
+ execSync('${{ github.action_path }}/assets/reviewdog.sh')
 - if: ${{ steps.reviewdog-enabled-full.outputs.result == 'true' }}
 name: Run reviewdog full
 id: run-reviewdog-full
- shell: bash
- run: unset GITHUB_BASE_REF && ${{ github.action_path }}/assets/reviewdog.sh
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const { execSync } = require('child_process')
+ const env = { ...process.env }
+ delete env['GITHUB_BASE_REF']
+ execSync('${{ github.action_path }}/assets/reviewdog.sh', { env })
 - id: comments-after
 if: ${{ steps.reviewdog-enabled-pr.outputs.result == 'true' }}
 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
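Review bot: None of the three `execSync` calls that run `debug.sh` and `reviewdog.sh` sets `stdio`, so each script's stdout is collected in a buffer and discarded instead of being streamed to the job log as the removed `run:` steps did. The debug step in particular no longer shows what it prints. Node's default `maxBuffer` for `execSync` is 1 MiB and a child that writes more than that is terminated, so a scan with a lot of output could fail here for a reason unrelated to its findings. Passing `{ stdio: 'inherit' }` to the first two calls and `{ env, stdio: 'inherit' }` to the full run restores the previous logging and removes the buffer limit.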
@@ -262,15 +278,18 @@ runs:
 github_token: ${{ inputs.github_token }}
 assignees: ${{ fromJson(steps.assignees-after.outputs.result) }}
 - if: ${{ steps.reviewdog-enabled-pr.outputs.result == 'true' && hashFiles('reviewdog.fail.log') }}
- shell: bash
- run: |
- set +x
- echo -e '\033[0;31mThis action encountered an error while reporting the following findings via the Github API:'
- cat reviewdog.fail.log | sed 's/^/\x1B[0;34m/'
- echo -e '\033[0;31mThe failure of this action should not prevent you from merging your PR. Please report this failure to the maintainers of https://github.com/brave/security-action \033[0m'
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const fs = require('fs')
+ const log = fs.readFileSync('reviewdog.fail.log', 'UTF-8').replaceAll(/^/g, '\x1B[0;34m')
+ console.log('\033[0;31mThis action encountered an error while reporting the following findings via the Github API:')
+ console.log(log)
+ console.log('\033[0;31mThe failure of this action should not prevent you from merging your PR. Please report this failure to the maintainers of https://github.com/brave/security-action \033[0m')
 - if: ${{ steps.reviewdog-enabled.outputs.result == 'true' && !inputs.slack_token && hashFiles('reviewdog.fail.log') }}
- shell: bash
- run: exit 1
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: throw new Error('Error was thrown and Slack token is missing, exiting eagerly!')
 - if: ${{ steps.reviewdog-enabled-pr.outputs.result == 'true' && inputs.slack_token && hashFiles('reviewdog.fail.log') }}
 id: reviewdog-fail-log-head
 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
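Review bot: The replacement for `sed 's/^/\x1B[0;34m/'` uses `/^/g` without the `m` flag, so `^` matches only at the start of the whole file and only the first line of `reviewdog.fail.log` gets the colour prefix; `.replaceAll(/^/gm, '\x1B[0;34m')` restores the per-line behaviour. The per-line prefix also mattered for more than colour: with it, no log line could begin with `::`, whereas now every line after the first reaches the runner's stdout verbatim, which is worth avoiding if the log can carry text derived from the scanned pull request. Separately, the two banner strings use the legacy octal escape `\033`, which JavaScript rejects in strict-mode code and template literals; `\x1B`, already used on the line above them, is the portable spelling.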