Feature Request: be able to scan actions defined within a composite actions #48

Open
jdsantosadam opened this issue Dec 15, 2022 · 2 comments

Comments

@jdsantosadam

Since composite actions are an alternative method to make the workflows more reusable, I think it would be good to add a way to check if the actions defined within have a new version.

Today, a composite action can be defined in two ways:

  • In a public repository
    Then it can be used in a workflow like another GitHub Action in the marketplace (ex: uses: actions/checkout@v3). For this case, the version updater will work without problems.

  • In a private repository
    For this case, you need to check out the repo that contains the composite action using a PAT token. Then, in the step, the action needs to be specified without the version (@x.x.x). The version of the composite action is determined by the ref input of the checkout step of the composite action repo.


The problem is, in both cases, there is no way to check the versions of the actions used in the composite actions. Our projects use a lot of these composite actions in the workflows. We used this approach because GitHub Actions does not support using reusable workflows from private repositories, only composite actions. Is there a way to add this feature? Maybe scan the composite action file, instead of the workflow itself...

Thanks in advance.

@saadmk11
Owner

Can you please provide a sample/example workflow file of your use case?

@Qu4tro

Qu4tro commented Oct 24, 2023

I have an example:

```yaml
# .github/actions/setup-poetry/action.yml (lines 1-25)
name: 'Setup Poetry'
description: 'Install and cache Poetry using pipx'
runs:
  using: "composite"
  steps:
    - name: Set pipx environment variables
      run: |
        echo "PIPX_HOME=${HOME}/.cache/pipx" >> $GITHUB_ENV
        echo "PIPX_BIN_DIR=${HOME}/.local/bin" >> $GITHUB_ENV
      shell: bash

    - name: Cache pipx poetry installation and binaries
      uses: actions/cache@v3
      with:
        path: |
          ${{ env.PIPX_HOME }}
          ${{ env.PIPX_BIN_DIR }}
        key: 1-${{ runner.os }}-pipx-poetry-${{ env.POETRY_VERSION }}

    - name: Install poetry
      run: |
        if ! pipx list | grep -q "package poetry ${{ env.POETRY_VERSION }}"; then
          pipx install poetry==${{ env.POETRY_VERSION }}
        fi
      shell: bash
```

This is then used like so:

```yaml
# .github/workflows/lint.yml (lines 25-26)
- name: Setup Poetry
  uses: ./.github/actions/setup-poetry
  env:
    POETRY_VERSION: '1.6.1'
```

I've run github-actions-version-updater on my repo, but as you can see it didn't update actions/cache@v3.
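
An added sketch of the scan requested in this issue, not part of the thread and not github-actions-version-updater's own code: it starts from a workflow, follows local `uses: ./...` references into the composite action file, and reports the remote actions found there. The function name, the in-memory `FILES` repo (constructed from the files quoted above) and the treatment of `./` paths as relative to the repository root are assumptions.

```python
import posixpath
import re

# A step-level `uses:` key, with or without the leading list dash.
USES_RE = re.compile(r"""^[ \t]*(?:-[ \t]+)?uses:[ \t]*['"]?([^'"\s#]+)""", re.M)

# Constructed sample repo, trimmed from the two files quoted in the thread.
FILES = {
    ".github/workflows/lint.yml": (
        "jobs:\n"
        "  lint:\n"
        "    steps:\n"
        "      - uses: actions/checkout@v3\n"
        "      - name: Setup Poetry\n"
        "        uses: ./.github/actions/setup-poetry\n"
    ),
    ".github/actions/setup-poetry/action.yml": (
        "runs:\n"
        '  using: "composite"\n'
        "  steps:\n"
        "    - name: Cache pipx poetry installation and binaries\n"
        "      uses: actions/cache@v3\n"
    ),
}

def find_action_refs(path, files, seen=None):
    """Return (file, action, ref) for every remote action reachable from path."""
    seen = set() if seen is None else seen
    if path in seen or path not in files:
        return []  # already visited (cycle guard) or file not in the repo
    seen.add(path)
    found = []
    for target in USES_RE.findall(files[path]):
        if target.startswith("./"):
            # Local action: follow it into its action.yml / action.yaml.
            base = posixpath.normpath(target)
            for name in ("action.yml", "action.yaml"):
                found += find_action_refs(posixpath.join(base, name), files, seen)
        elif not target.startswith("docker://"):
            action, _, ref = target.partition("@")
            found.append((path, action, ref))
    return found

if __name__ == "__main__":
    for file, action, ref in find_action_refs(".github/workflows/lint.yml", FILES):
        print(f"{file}: {action}@{ref}")
```

The second tuple returned for `lint.yml` is the `actions/cache@v3` reference that a workflow-only scan never sees.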
