Include versions ref in report #109
Conversation
sebastienvermeille
force-pushed
the
feat/add-option-to-include-versions-tags-in-report
branch
from
dcb58d4 to
26caace
Compare
|
Hi @rajbos, could you have a look at this PR and let me know if some changes are required? Thank you 👍 |
There was a problem hiding this comment.
Great stuff @sebastienvermeille! Thanks for the PR.
I prefer to add the new field to the workflows array instead of the output array. Adding it to the output array and thus having multiple items for each usage of the action, would mean introducing a breaking change for dependencies of this action (like my actions marketplace).
If we add the new property in the workflows array we now have a non breaking change, but still get the 'version' information out of it.
And note: great name for the property, that is just a good reasoning indeed!
Do you want to create the changes yourself, or need some help?
…ag, version in the same time)
Co-authored-by: Rob Bos <rajbos@users.noreply.github.com>
Co-authored-by: Rob Bos <rajbos@users.noreply.github.com>
sebastienvermeille
force-pushed
the
feat/add-option-to-include-versions-tags-in-report
branch
from
ed0b9fc to
ab6caa3
Compare
sebastienvermeille
deleted the
feat/add-option-to-include-versions-tags-in-report
branch
sebastienvermeille
restored the
feat/add-option-to-include-versions-tags-in-report
branch
Hi @rajbos , this is a totally valid point of view (mine was maybe biased because it was easier for me to dump it to Datadog with this format so I could easily sort out which gh-action versions are used where but I can still rework the data after no worries)
I will give it a try 👍 |
That way it is a non breaking change for existing consumers
|
Hi @rajbos , I applied the requested changes, {
"type": "action",
"actionLink": "someorg/some-action",
"count": 1,
"workflows": [
{
"repo": "someorg/test",
"workflowFileName": "build.yml",
"actionRef": "v3"
}
]
},
...I will probably need to do some remapping with my Datadog monitoring as I want to see "which repo are using compromised version of GitHub actions" but this is another topic for my own :D Wish you a good weekend ahead! 🖖 |
|
Thanks for adding this! Great work @sebastienvermeille 🎉 |
|
Thank you for your help @rajbos, very happy to contribute to a such great project 👍 |
2 participants
What are the incoming changes?
The following changes integrate a new property into the report:
actionRefWhy named action ref?
Can be challenged, I thought it's a good idea as after the
@it can be many different things actually:actions@<SHA | tag | version>< --- Due to that, I think that namingactionVersionactionTagactionShais not really a good choice.Let me know if you get a better idea 👍
Why are they needed
#106
How has this been achieved?
I added the property and tested it on my own workflows it worked like a charm.
It creates one entry per action:ref (= if an action is used with 4 different refs in the GitHub organization, it will be in 4 different "action's" in the report)
This helps to identify which repositories are using actions, including vulnerabilities (i.e version 2 contains an important CVE but 3 fix it)
These are my first line in Powershell, I am very happy to hear your feedback about that change 👍