
Uses Sentinel

Uses Sentinel is a GitHub Action that scans every .yml file in a repository's .github/workflows directory and performs two checks on the uses fields it finds:

  1. Flags any uses field that references main, master, or latest. These are floating refs: the code they resolve to can change at any time, so a force-pushed or compromised upstream branch would run in your workflow without any change on your side. A warning is printed to the console for each such field.

  2. Checks whether the uses field references the latest version of the action by looking up the action repository's tags on GitHub. If it does not, a warning is printed to the console.

Pinning to a tag narrows the window but does not close it, since a tag can also be moved; GitHub's own hardening guidance is to pin third-party actions to a full-length commit SHA.

Uses Sentinel is written in Bash only and has no dependencies.
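The two checks above, as an added Bash example that is not the uses-sentinel project's own code. It extracts the uses targets from each workflow file, flags floating refs, and compares the pinned ref against the newest tag. The tag table (repo_tags) and the workflow content used in the test are constructed sample data so the script runs offline; a real scan would replace repo_tags with a query against the action repository's tags (for example git ls-remote --tags).

```shell
#!/usr/bin/env bash
# Added example, not the uses-sentinel project's code. Re-implements the
# two README checks over .github/workflows-style files. Tag data below is
# constructed so the script runs offline.
set -eu

# Print every "uses:" target in a workflow file, one owner/repo@ref per line.
# Local actions (./path) and docker:// images have no upstream tags, so skip them.
extract_uses() {
  sed -nE 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*["'\'']?([^"'\''[:space:]#]+).*/\1/p' "$1" \
    | grep -Ev '^(\./|docker://)' || true
}

# Check 1: main/master/latest float, so the code they resolve to can change.
is_unsafe_ref() {
  case "$1" in
    main|master|latest) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed tag table standing in for a GitHub tag lookup. A real
# replacement: git ls-remote --tags "https://github.com/$1" | sed 's|.*refs/tags/||'
repo_tags() {
  case "$1" in
    actions/checkout)   printf '%s\n' v1.0.0 v2.0.0 v2.3.4 v3.0.0 ;;
    actions/setup-node) printf '%s\n' v1.0.0 v1.4.6 v2.1.4 ;;
    *) return 1 ;;   # unknown repository: nothing to compare against
  esac
}

# Newest tag by version order (sort -V puts v1.10.0 above v1.9.0).
latest_tag() {
  tags=$(repo_tags "$1") || return 1
  printf '%s\n' "$tags" | sort -V | tail -n 1
}

# A major-only ref like "v1" floats within its major line; resolve it to the
# newest matching tag so the comparison reflects what the runner would fetch.
# A ref that matches no tag (e.g. a commit SHA) is returned unchanged.
resolve_ref() {
  match=$(repo_tags "$1" | grep -E "^$2(\.[0-9]+)*$" | sort -V | tail -n 1 || true)
  printf '%s\n' "${match:-$2}"
}

# Check 2: the resolved ref is older than the newest tag.
is_outdated() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$2" ]
}

# Scan every workflow in a directory, print findings in the README's format,
# and return 1 if anything was flagged so a CI job can fail on it.
scan_workflows() {
  local dir=$1 findings=0 f use repo ref current latest uses_list
  for f in "$dir"/*.yml "$dir"/*.yaml; do
    [ -f "$f" ] || continue
    uses_list=$(extract_uses "$f")
    [ -n "$uses_list" ] || continue
    while IFS= read -r use; do
      repo=${use%%@*}
      ref=${use#*@}
      [ "$repo" = "$use" ] && ref=""          # "uses: owner/repo" with no ref at all
      if [ -z "$ref" ] || is_unsafe_ref "$ref"; then
        printf 'yml: %s, use: %s version: %s, it is not safe to use main, master or latest\n' \
          "$f" "$use" "${ref:-<none>}"
        findings=1
        continue
      fi
      latest=$(latest_tag "$repo") || continue   # no tag data: cannot check
      current=$(resolve_ref "$repo" "$ref")
      if is_outdated "$current" "$latest"; then
        printf 'yml: %s, use: %s current version: %s, latest version: %s\n' \
          "$f" "$use" "$current" "$latest"
        findings=1
      fi
    done <<EOF
$uses_list
EOF
  done
  return "$findings"
}

# Usage: ./uses_check.sh .github/workflows
[ $# -eq 0 ] || scan_workflows "$1"
```

The exit status makes the check enforceable: wire scan_workflows into a pull_request job and the job fails whenever a floating or outdated ref is present, rather than only printing a warning.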

Usage

To use Uses Sentinel in your GitHub repository, create a new workflow file (e.g., .github/workflows/uses-sentinel.yml) with the following content:

name: Uses Sentinel
on: [pull_request]

jobs:
  uses-sentinel:
    runs-on: ubuntu-latest
    steps:
      - name: Uses Sentinel
        uses: maork-elementor/uses-sentinel@1.0.0

This runs Uses Sentinel on every pull request in your repository.

Inputs

jobs:
  uses-sentinel:
    runs-on: ubuntu-latest
    steps:
      - name: Uses Sentinel
        uses: maork-elementor/uses-sentinel@1.0.0
        with:
          exlude: 'exlude.yml,exlude2.yml,exlude3.yml'

exlude (input name spelled as shown) - comma-separated list of workflow file names to exclude from the scan. Note the space after the colon: without it the line is not a valid YAML key/value pair.

Output Example

Here's an example output from Uses Sentinel:

Some actions are not safe to use or not updated

Bad versions:
yml: ./.github/workflows/ci.yml, use: actions/checkout@main version: main, It not safe to use main, master or latest

Not updated actions:
yml: ./.github/workflows/ci.yml, use: actions/setup-node@v1 current version: v1.0.0, latest version: v2.1.4

This output indicates that .github/workflows/ci.yml references the actions/checkout action at the unsafe floating ref main, and references actions/setup-node@v1, which resolves to v1.0.0 while the latest tag is v2.1.4.

License

Uses Sentinel is released under the MIT License.
