From c4dadecc05874dd13684bcea151993acf42199f7 Mon Sep 17 00:00:00 2001 From: anaarmas <54946499+anaarmas@users.noreply.github.com> Date: Tue, 23 Nov 2021 21:14:53 +0100 Subject: [PATCH] find a way to pin the SHA for detekt workflow template --- code-scanning/detekt.yml | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index 0edc8b5..a8610c3 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml @@ -53,21 +53,30 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - DETEKT_DOWNLOAD_URL=$( gh api graphql --field tagName=$DETEKT_RELEASE_TAG --raw-field query=' + gh api graphql --field tagName=$DETEKT_RELEASE_TAG --raw-field query=' query getReleaseAssetDownloadUrl($tagName: String!) { repository(name: "detekt", owner: "detekt") { release(tagName: $tagName) { - # it doesn't look like there is an alternative semantics for this with a specific SHA, is this release tag immutable? releaseAssets(name: "detekt", first: 1) { nodes { downloadUrl } } + tagCommit { + oid + } } } } - ' | \ - jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' ) + ' 1> gh_response.json + + DETEKT_RELEASE_SHA=$(jq --raw-output '.data.repository.release.releaseAssets.tagCommit.oid' gh_response.json) + if [ $DETEKT_RELEASE_SHA != "37f0a1d006977512f1f216506cd695039607c3e5" ]; then + echo "Release tag doesn't match expected commit SHA" + exit 1 + fi + + DETEKT_DOWNLOAD_URL=$(jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' gh_response.json) echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL" # Sets up the detekt cli