[feat/bugfix] Allow docker checks (#51)

* Fix README.md links

* Add valid/invalid docker uses

* Remove SHA1 package
(keep it simple)

* camelCase for all functions

* Short check

* Add docker sha256 check

* Put regex in const

* Resolves merge conflict

---------

Co-authored-by: Zennon Gosalvez <[email protected]>

Author: MarcHagen

README.md

@@ -45,7 +45,7 @@ jobs:
 ```
 
 ## Contributing
-See [the contributing guide](.github/CONTRIBUTING) for detailed instructions on how to get started with our project.
+See [the contributing guide](.github/CONTRIBUTING.md) for detailed instructions on how to get started with our project.
 
 ## License
-The scripts and documentation in this project are released under the [MIT License](LICENSE)
+The scripts and documentation in this project are released under the [MIT License](LICENSE.md)

dist/index.js

@@ -21,7 +21,6 @@
   "dependencies": {
     "@actions/core": "^1.10.0",
     "@actions/glob": "^0.4.0",
-    "sha1-regex": "^1.0.0",
     "yaml": "^2.2.1"
   },
   "devDependencies": {

dist/index.js.map

@@ -2,13 +2,15 @@ const core = require('@actions/core');
 const fs = require('fs');
 const glob = require('@actions/glob');
 const path = require('path');
-const sha1 = require('sha1-regex');
 const yaml = require('yaml');
 
+const sha1 = /\b[a-f0-9]{40}\b/i;
+const sha256 = /\b[A-Fa-f0-9]{64}\b/i;
+
 async function run() {
   try {
     const allowlist = core.getInput('allowlist');
-    const isDryRun = core.getInput('dry_run') === 'true' ? true : false;
+    const isDryRun = core.getInput('dry_run') === 'true';
     const workflowsPath = process.env['ZG_WORKFLOWS_PATH'] || '.github/workflows';
     const globber = await glob.create([workflowsPath + '/*.yaml', workflowsPath + '/*.yml'].join('\n'));
     let actionHasError = false;
@@ -31,7 +33,7 @@ async function run() {
         const steps = jobs[job]['steps'];
 
         if (assertUsesVersion(uses)) {
-          if (!assertUsesSHA(uses) && !assertUsesAllowlist(uses, allowlist)) {
+          if (!assertUsesSha(uses) && !assertUsesAllowlist(uses, allowlist)) {
             actionHasError = true;
             fileHasError = true;
 
@@ -41,7 +43,7 @@ async function run() {
           for (const step of steps) {
             const uses = step['uses'];
 
-            if (assertUsesVersion(uses) && !assertUsesSHA(uses) && !assertUsesAllowlist(uses, allowlist)) {
+            if (assertUsesVersion(uses) && !assertUsesSha(uses) && !assertUsesAllowlist(uses, allowlist)) {
               actionHasError = true;
               fileHasError = true;
 
@@ -74,7 +76,11 @@ function assertUsesVersion(uses) {
   return typeof uses === 'string' && uses.includes('@');
 }
 
-function assertUsesSHA(uses) {
+function assertUsesSha(uses) {
+  if (uses.startsWith('docker://')) {
+    return sha256.test(uses.substr(uses.indexOf('sha256:') + 7));
+  }
+
   return sha1.test(uses.substr(uses.indexOf('@') + 1));
 }
 

dist/licenses.txt

@@ -8,4 +8,7 @@ jobs:
   allowlistedstub:
     steps:
     - uses: aws-actions/amazon-ecr-login@v1
-    - uses: docker/login-action@v1
+    - uses: docker/login-action@v1
+  dockerstub:
+    steps:
+    - uses: docker://rhysd/actionlint@sha256:5f957b2a08d223e48133e1a914ed046bea12e578fe2f6ae4de47fdbe691a2468

package-lock.json

@@ -2,3 +2,7 @@ jobs:
   stub:
     steps:
     - uses: actions/checkout@v1
+  dockerstub:
+    steps:
+      - uses: docker://rhysd/actionlint:latest
+      - uses: docker://rhysd/actionlint:1.6.22