Uses Sentinel is a GitHub action that scans all `.yml` files in the `.github/workflows` directory of a GitHub repository and performs two checks on the `uses` fields in the YAML files:
- Checks if any `uses` field contains the version `main`, `master`, or `latest`, which are considered unsafe versions to use. If a `uses` field contains any of these versions, a warning message is printed to the console.
- Checks if the `uses` field references the latest version of the action by checking the GitHub repository's tags. If the `uses` field does not reference the latest version, a warning message is printed to the console.
Uses Sentinel is written in Bash only and has no dependencies.
To use Uses Sentinel in your GitHub repository, create a new workflow file (e.g., `.github/workflows/uses-sentinel.yml`) with the following content:
```yaml
name: Uses Sentinel
on: [pull_request]
jobs:
  uses-sentinel:
    runs-on: ubuntu-latest
    steps:
      - name: Uses Sentinel
        uses: maork-elementor/uses-sentinel@1.0.0
```
This will run Uses Sentinel on every pull request in your repository.
```yaml
jobs:
  uses-sentinel:
    runs-on: ubuntu-latest
    steps:
      - name: Uses Sentinel
        uses: maork-elementor/uses-sentinel@1.0.0
        with:
          exlude: 'exlude.yml,exlude2.yml,exlude3.yml'
```

`exlude` - list of files to exclude from the scan
Here's an example output from Uses Sentinel:

```text
Some actions are not safe to use or not updated
Bad versions:
yml: ./.github/workflows/ci.yml, use: actions/checkout@main version: main, It not safe to use main, master or latest
Not updated actions:
yml: ./.github/workflows/ci.yml, use: actions/setup-node@v1 current version: v1.0.0, latest version: v2.1.4
```
This output indicates that the .github/workflows/ci.yml file contains an unsafe version (main) of the actions/checkout action and an outdated version (v1.0.0) of the actions/setup-node action.
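The two checks described above, as an added example that is not the action's own Bash: the real script queries the GitHub tags API, whereas here `tags_for` is a constructed table and the scanned workflow is a constructed file written to a temp path. Treating a 40-hex commit SHA as an immutable pin that needs no tag comparison, and accepting a major tag such as `v2` when the latest tag is `v2.x.y`, are assumptions of this example, not behaviour the README describes.

```shell
# Added example, not the Uses Sentinel script: the two uses: checks run against a
# constructed workflow file, with a constructed tag table in place of the GitHub API.
# Return 0 when the ref is one of the mutable branch names the action warns about.
is_unsafe_ref() { case "$1" in main|master|latest) return 0 ;; *) return 1 ;; esac; }
# Return 0 when the ref is a full 40-hex commit SHA, i.e. an immutable pin (assumption).
is_sha_pinned() { printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$'; }
# Constructed stand-in for the tags API; the real action queries the repository's tags.
tags_for() {
  case "$1" in
    actions/setup-node) printf 'v1.0.0\nv2.0.0\nv2.1.4\n' ;;
    actions/checkout)   printf 'v3.0.0\nv4.1.1\n' ;;
  esac
}
# Print every value of a uses: field in the given workflow file, one per line.
extract_uses() {
  grep -E '^[[:space:]-]*uses:' "$1" | sed -E 's/^[[:space:]-]*uses:[[:space:]"]*//; s/[[:space:]"#].*$//'
}
# Report mutable refs and outdated tags: one line per finding, exit status always 0.
scan_workflow() {
  file=$1
  for entry in $(extract_uses "$file"); do
    case "$entry" in *@*) ;; *) continue ;; esac   # local paths and docker:// carry no @ref
    action=${entry%@*}; ref=${entry##*@}
    if is_unsafe_ref "$ref"; then
      echo "yml: $file, use: $entry version: $ref, mutable branch ref, pin a tag or commit SHA"
      continue
    fi
    is_sha_pinned "$ref" && continue                # immutable pin, nothing to compare
    latest=$(tags_for "$action" | sort -V | tail -n 1)
    [ -z "$latest" ] && continue                    # no tag data for this action
    case "$latest" in
      "$ref"|"$ref".*) ;;                           # exact tag, or a major/minor alias of it
      *) echo "yml: $file, use: $entry current version: $ref, latest version: $latest" ;;
    esac
  done
  return 0
}
# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
WF=$(mktemp)
cat > "$WF" <<'EOF'
steps:
  - uses: actions/checkout@main
  - uses: actions/setup-node@v1
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
  - uses: ./.github/actions/local-step
EOF
scan_workflow "$WF"
```

Running it reports two findings, the `@main` reference and the outdated `setup-node@v1`, while the SHA-pinned step and the local action are skipped.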
## License

Uses Sentinel is released under the MIT License.