Merge branch 'main' into dependabot/npm_and_yarn/undici-5.29.0
This commit is contained in:
@@ -28,5 +28,10 @@ jobs:
|
||||
run: npm rebuild && npm run all
|
||||
|
||||
- name: Verify no uncommitted files
|
||||
run: '[ -z "$(git status --porcelain=v1 2>/dev/null)" ]'
|
||||
run: |
|
||||
if [ -n "$(git status --porcelain=v1 2>/dev/null)" ]; then
|
||||
echo "There are uncommitted changes!"
|
||||
git status --porcelain=v1
|
||||
exit 1
|
||||
fi
|
||||
shell: bash
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
# Go Dependency Submission
|
||||
|
||||
This GitHub Action calculates dependencies for a Go build-target (a Go file with a
|
||||
`main` function) and submits the list to the [Dependency submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). Dependencies then appear in your repository's dependency graph, and you'll receive Dependabot alerts and updates for vulnerable or out-of-date dependencies.
|
||||
`main` function) and submits the list to the [Dependency submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). Dependencies then appear in your repository's dependency graph, and you'll receive Dependabot alerts and updates for vulnerable or out-of-date dependencies.
|
||||
|
||||
### Running locally
|
||||
|
||||
@@ -53,3 +53,81 @@ jobs:
|
||||
# include Go dependencies used by tests and tooling.
|
||||
go-build-target: go-example/cmd/octocat.go
|
||||
```
|
||||
|
||||
### Accessing Private Go Modules
|
||||
|
||||
This action will fail if your `go.mod` contains private Go modules.
|
||||
To access private Go modules the action requires an extra step to access your
|
||||
private module registry.
|
||||
|
||||
See official Go documentation for more information at https://go.dev/doc/faq#git_https
|
||||
|
||||
#### Accessing Private Go Modules Hosted on GitHub
|
||||
|
||||
If your private Go modules are hosted on GitHub, there are various ways for the action to
|
||||
access them. You can use either HTTPS authentication with a Personal Access Token (PAT) or SSH authentication with deploy keys or SSH keys.
|
||||
|
||||
#### Authentication Methods
|
||||
|
||||
**HTTPS with Personal Access Token**: Uses a GitHub Personal Access Token to authenticate with private repositories. This method requires storing the token as a repository secret. See [Creating a personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic) for setup instructions.
|
||||
|
||||
**SSH Authentication**: Uses SSH keys or deploy keys for authentication. This method doesn't require storing tokens and can be more secure for some use cases. See the [GitHub documentation on SSH authentication](https://docs.github.com/en/authentication/connecting-to-github-with-ssh) for setup instructions.
|
||||
|
||||
#### Additional Environment Variables
|
||||
|
||||
- **`GONOPROXY`**: Set this to bypass the module proxy entirely for specific modules
|
||||
- **`GOSUMDB`**: Set to `off` or configure to skip checksum verification for private modules
|
||||
- **`GOPROXY`**: Can be set to `direct` to bypass proxies completely
|
||||
|
||||
#### Example: HTTPS Authentication with Personal Access Token
|
||||
|
||||
This example adds a step to the workflow which uses a GitHub
|
||||
[Personal Access Token (PAT)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)
|
||||
which has repo permissions. The PAT is saved as a repo [actions secret](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions) `GH_ACCESS_TOKEN`.
|
||||
|
||||
The env variable `GOPRIVATE` has also been set so that the GitHub org `foo` is considered private.
|
||||
|
||||
```yaml
|
||||
name: Go Dependency Submission
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
# The API requires write permission on the repository to submit dependencies
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
# Environment variables to configure Go and Go modules. Customize as necessary
|
||||
env:
|
||||
GOPROXY: 'https://proxy.golang.org,direct' # To add a private proxy, place it between the public golang proxy and direct
|
||||
GOPRIVATE: 'github.com/foo/*' # repositories in organization foo are considered private
|
||||
|
||||
jobs:
|
||||
go-action-detection:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: 'Checkout Repository'
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- uses: actions/setup-go@v3
|
||||
with:
|
||||
go-version: ">=1.18.0"
|
||||
|
||||
# Authentication step
|
||||
- name: Authenticate with GitHub
|
||||
run: git config --global url.https://${{ secrets.GH_ACCESS_TOKEN }}@github.com/.insteadOf https://github.com/
|
||||
|
||||
- name: Run snapshot action
|
||||
uses: actions/go-dependency-submission@v2
|
||||
with:
|
||||
# Required: Define the repo path to the go.mod file used by the
|
||||
# build target
|
||||
go-mod-path: go-example/go.mod
|
||||
#
|
||||
# Optional: Define the path of a build target (a file with a
|
||||
# `main()` function) If not defined, this Action will collect all
|
||||
# dependencies used by all build targets for the module, which may
|
||||
# include Go dependencies used by tests and tooling.
|
||||
go-build-target: go-example/cmd/octocat.go
|
||||
```
|
||||
|
||||
+28
@@ -17,6 +17,34 @@ inputs:
|
||||
required: true
|
||||
description: 'Build target to detect build dependencies. If unspecified, will use "all", with will detect all dependencies used in all build targets (including tests and tools).'
|
||||
default: 'all'
|
||||
snapshot-sha:
|
||||
description: The SHA that the results will be linked to in the dependency snapshot
|
||||
type: string
|
||||
required: false
|
||||
default: ''
|
||||
snapshot-ref:
|
||||
description: The ref that the results will be linked to in the dependency snapshot
|
||||
type: string
|
||||
required: false
|
||||
default: ''
|
||||
|
||||
# If any of detector-name, detector-version, or detector-url are provided, they all have to be provided.
|
||||
# Defaults will be used if none are not provided. If only one or two are provided, the action will fail.
|
||||
detector-name:
|
||||
description: The name of the detector that generated the dependency snapshot
|
||||
type: string
|
||||
required: false
|
||||
default: ''
|
||||
detector-version:
|
||||
description: The version of the detector that generated the dependency snapshot
|
||||
type: string
|
||||
required: false
|
||||
default: ''
|
||||
detector-url:
|
||||
description: The URL to the detector that generated the dependency snapshot
|
||||
type: string
|
||||
required: false
|
||||
default: ''
|
||||
runs:
|
||||
using: 'node20'
|
||||
main: 'dist/index.js'
|
||||
|
||||
+39
-5
@@ -94,15 +94,49 @@ function main() {
|
||||
}
|
||||
manifest.addIndirectDependency(dep);
|
||||
});
|
||||
const snapshot = new dependency_submission_toolkit_1.Snapshot({
|
||||
name: 'actions/go-dependency-submission',
|
||||
url: 'https://github.com/actions/go-dependency-submission',
|
||||
version: '0.0.1'
|
||||
}, github.context, {
|
||||
let snapshotDetector;
|
||||
const detectorName = core.getInput('detector-name');
|
||||
const detectorUrl = core.getInput('detector-url');
|
||||
const detectorVersion = core.getInput('detector-version');
|
||||
if (detectorName === '' && detectorUrl === '' && detectorVersion === '') {
|
||||
// use defaults if none are specified
|
||||
snapshotDetector = {
|
||||
name: 'actions/go-dependency-submission',
|
||||
url: 'https://github.com/actions/go-dependency-submission',
|
||||
version: '0.0.1'
|
||||
};
|
||||
}
|
||||
else if (detectorName === '' ||
|
||||
detectorUrl === '' ||
|
||||
detectorVersion === '') {
|
||||
// if any of detectorName, detectorUrl, or detectorVersion have value, then they are all required
|
||||
throw new Error("Invalid input: if any of 'detector-name', 'detector-url', or 'detector-version' have value, then thay are all required.");
|
||||
}
|
||||
else {
|
||||
// use inputs since all are specified
|
||||
snapshotDetector = {
|
||||
name: detectorName,
|
||||
url: core.getInput('detector-url', { required: true }),
|
||||
version: core.getInput('detector-version', { required: true })
|
||||
};
|
||||
}
|
||||
const snapshot = new dependency_submission_toolkit_1.Snapshot(snapshotDetector, github.context, {
|
||||
correlator: `${github.context.job}-${goBuildTarget}`,
|
||||
id: github.context.runId.toString()
|
||||
});
|
||||
snapshot.addManifest(manifest);
|
||||
// only override the sha if the input has a value
|
||||
// otherwise, continue to use the sha set from the context in the Snapshot constructor
|
||||
const inputSHA = core.getInput('sha');
|
||||
if (inputSHA !== '') {
|
||||
snapshot.sha = inputSHA;
|
||||
}
|
||||
// only override the ref if the input has a value
|
||||
// otherwise, continue to use the ref set from the context in the Snapshot constructor
|
||||
const inputRef = core.getInput('ref');
|
||||
if (inputRef !== '') {
|
||||
snapshot.ref = inputRef;
|
||||
}
|
||||
(0, dependency_submission_toolkit_1.submitSnapshot)(snapshot);
|
||||
});
|
||||
}
|
||||
|
||||
+1
-1
File diff suppressed because one or more lines are too long
+51
-8
@@ -77,19 +77,62 @@ async function main () {
|
||||
manifest.addIndirectDependency(dep)
|
||||
})
|
||||
|
||||
const snapshot = new Snapshot(
|
||||
{
|
||||
type SnapshotDetector = {
|
||||
name: string
|
||||
url: string
|
||||
version: string
|
||||
}
|
||||
let snapshotDetector: SnapshotDetector
|
||||
|
||||
const detectorName = core.getInput('detector-name')
|
||||
const detectorUrl = core.getInput('detector-url')
|
||||
const detectorVersion = core.getInput('detector-version')
|
||||
|
||||
if (detectorName === '' && detectorUrl === '' && detectorVersion === '') {
|
||||
// use defaults if none are specified
|
||||
snapshotDetector = {
|
||||
name: 'actions/go-dependency-submission',
|
||||
url: 'https://github.com/actions/go-dependency-submission',
|
||||
version: '0.0.1'
|
||||
},
|
||||
github.context,
|
||||
{
|
||||
correlator: `${github.context.job}-${goBuildTarget}`,
|
||||
id: github.context.runId.toString()
|
||||
}
|
||||
)
|
||||
} else if (
|
||||
detectorName === '' ||
|
||||
detectorUrl === '' ||
|
||||
detectorVersion === ''
|
||||
) {
|
||||
// if any of detectorName, detectorUrl, or detectorVersion have value, then they are all required
|
||||
throw new Error(
|
||||
"Invalid input: if any of 'detector-name', 'detector-url', or 'detector-version' have value, then thay are all required."
|
||||
)
|
||||
} else {
|
||||
// use inputs since all are specified
|
||||
snapshotDetector = {
|
||||
name: detectorName,
|
||||
url: core.getInput('detector-url', { required: true }),
|
||||
version: core.getInput('detector-version', { required: true })
|
||||
}
|
||||
}
|
||||
|
||||
const snapshot = new Snapshot(snapshotDetector, github.context, {
|
||||
correlator: `${github.context.job}-${goBuildTarget}`,
|
||||
id: github.context.runId.toString()
|
||||
})
|
||||
snapshot.addManifest(manifest)
|
||||
|
||||
// only override the sha if the input has a value
|
||||
// otherwise, continue to use the sha set from the context in the Snapshot constructor
|
||||
const inputSHA = core.getInput('sha')
|
||||
if (inputSHA !== '') {
|
||||
snapshot.sha = inputSHA
|
||||
}
|
||||
|
||||
// only override the ref if the input has a value
|
||||
// otherwise, continue to use the ref set from the context in the Snapshot constructor
|
||||
const inputRef = core.getInput('ref')
|
||||
if (inputRef !== '') {
|
||||
snapshot.ref = inputRef
|
||||
}
|
||||
|
||||
submitSnapshot(snapshot)
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user