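#!/usr/bin/env bash
#
# entrypoint.sh — StepSecurity-maintained drop-in for planetscale/ghcommit-action.
# Collects the changed paths matching the given pathspecs and hands them to
# `ghcommit`, then exposes the resulting commit URL/hash as step outputs.
#
# Positional arguments:
#   $1  commit_message  message for the commit (passed to `ghcommit -m`)
#   $2  repo            target repository (passed to `ghcommit -r`)
#   $3  branch          target branch (passed to `ghcommit -b`)
#   $4  empty           optional; true/1/yes allows an empty commit (default: false)
#   $5  file_pattern    whitespace-separated pathspecs handed to `git status -- ...`
#
# Environment read: GITHUB_EVENT_PATH, GITHUB_ACTION_REPOSITORY, GITHUB_SERVER_URL,
# GITHUB_REPOSITORY, GITHUB_WORKSPACE, GITHUB_OUTPUT, and DEBUG (any non-empty value
# enables `set -x` and extra logging).
# Outputs written to $GITHUB_OUTPUT: commit-url, commit-hash.
# Requires git, jq, curl and ghcommit on PATH.
set -euo pipefail
[[ -n "${DEBUG:-}" ]] && set -x

# "true"/"false" from the event payload, or "" when the payload is missing/unreadable.
REPO_PRIVATE=$(jq -r '.repository.private | tostring' "${GITHUB_EVENT_PATH:-}" 2>/dev/null || echo "")
readonly UPSTREAM="planetscale/ghcommit-action"
readonly ACTION_REPO="${GITHUB_ACTION_REPOSITORY:-}"
readonly DOCS_URL="https://docs.stepsecurity.io/actions/stepsecurity-maintained-actions"

printf '\n'
printf '\033[1;36mStepSecurity Maintained Action\033[0m\n'
printf 'Secure drop-in replacement for %s\n' "$UPSTREAM"
if [[ "$REPO_PRIVATE" == "false" ]]; then
  printf '\033[32m✓ Free for public repositories\033[0m\n'
fi
printf '\033[36mLearn more:\033[0m %s\n' "$DOCS_URL"
printf '\n'

# Subscription check. Anything other than a confirmed public repository (including an
# unreadable payload) is treated as private. Network failures are non-fatal; only an
# explicit 403 stops the run.
if [[ "$REPO_PRIVATE" != "false" ]]; then
  SERVER_URL="${GITHUB_SERVER_URL:-https://github.com}"
  # Build the request body with jq so quotes/backslashes in the env values cannot yield
  # malformed JSON (a printf template would interpolate them verbatim).
  if [[ "$SERVER_URL" != "https://github.com" ]]; then
    BODY=$(jq -cn --arg action "$ACTION_REPO" --arg server "$SERVER_URL" \
      '{action: $action, ghes_server: $server}')
  else
    BODY=$(jq -cn --arg action "$ACTION_REPO" '{action: $action}')
  fi
  API_URL="https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription"
  # Only the HTTP status code is captured (-w); the response body is discarded.
  # A non-zero curl exit (timeout, DNS, TLS, ...) takes the first branch.
  if ! RESPONSE=$(curl --max-time 3 -s -w "%{http_code}" \
      -X POST \
      -H "Content-Type: application/json" \
      -d "$BODY" \
      "$API_URL" -o /dev/null); then
    echo "Timeout or API not reachable. Continuing to next step."
  elif [[ "$RESPONSE" == "403" ]]; then
    printf '::error::\033[1;31mThis action requires a StepSecurity subscription for private repositories.\033[0m\n'
    printf '::error::\033[31mLearn how to enable a subscription: %s\033[0m\n' "$DOCS_URL"
    exit 1
  fi
fi

COMMIT_MESSAGE="${1:?Missing commit_message input}"
REPO="${2:?Missing repo input}"
BRANCH="${3:?Missing branch input}"
EMPTY="${4:-false}"
# Pathspecs are whitespace-separated; a single pattern containing spaces cannot be
# expressed through this input.
read -r -a FILE_PATTERNS <<<"${5:?Missing file_pattern input}"

# Normalise the `empty` input once so the "nothing to commit" check and the --empty
# flag agree; any value other than true/1/yes is treated as false.
empty_requested=false
if [[ "$EMPTY" =~ ^(true|1|yes)$ ]]; then
  empty_requested=true
fi

# git refuses to operate on a workspace owned by another uid, which is typically how
# the runner's checkout appears inside the action container.
git config --global --add safe.directory "$GITHUB_WORKSPACE"

adds=()
deletes=()
# Parse NUL-delimited `git status --porcelain=v1 -z` records: column X (index status),
# column Y (work-tree status), a space, then the path. A rename record ("R") is followed
# by one more NUL-terminated field holding the original path.
while IFS= read -r -d '' line; do
  [[ -n "${DEBUG:-}" ]] && echo "line: '$line'"
  index_status="${line:0:1}"
  tree_status="${line:1:1}"
  if [[ "$index_status" == "R" || "$tree_status" == "R" ]]; then
    # Fail with a message instead of letting `set -e` exit silently on truncated output.
    IFS= read -r -d '' old_filename || {
      echo "::error::Truncated rename record in git status output" >&2
      exit 1
    }
    new_filename="${line:3}"
    echo "Renamed file detected:"
    echo "Old Filename: $old_filename"
    echo "New Filename: $new_filename"
    echo "-----------------------------"
    adds+=("$new_filename")
    deletes+=("$old_filename")
    continue
  fi
  # Path starts after the two status columns and the separating space.
  filename="${line:3}"
  echo "Index Status: $index_status"
  echo "Tree Status: $tree_status"
  echo "Filename: $filename"
  echo "-----------------------------"
  # https://git-scm.com/docs/git-status
  # adds (A), modifications (M) and type changes (T) in either column:
  [[ "$index_status" == [AMT] || "$tree_status" == [AMT] ]] && adds+=("$filename")
  # untracked files show as "??":
  # https://github.com/planetscale/ghcommit-action/issues/43#issuecomment-1950986790
  [[ "$index_status$tree_status" == "??" ]] && adds+=("$filename")
  # deletes (D) in either column:
  [[ "$index_status" == "D" || "$tree_status" == "D" ]] && deletes+=("$filename")
done < <(git status -s --porcelain=v1 -z -- "${FILE_PATTERNS[@]}")

if (( ${#adds[@]} == 0 && ${#deletes[@]} == 0 )) && [[ "$empty_requested" == false ]]; then
  echo "No changes detected, exiting"
  exit 0
fi

ghcommit_args=(-b "$BRANCH" -r "$REPO" -m "$COMMIT_MESSAGE")
if [[ "$empty_requested" == true ]]; then
  ghcommit_args+=(--empty)
fi
# Expand only non-empty arrays: under `set -u`, bash < 4.4 treats "${arr[@]}" on an
# empty array as an unbound variable.
if (( ${#adds[@]} > 0 )); then
  ghcommit_args+=("${adds[@]/#/--add=}")
fi
if (( ${#deletes[@]} > 0 )); then
  ghcommit_args+=("${deletes[@]/#/--delete=}")
fi
[[ -n "${DEBUG:-}" ]] && echo "ghcommit args: '${ghcommit_args[*]}'"

# Capture combined stdout/stderr so it can be shown on failure (under `set -e` the
# script would otherwise exit before printing anything) and echoed on success.
if ! output=$(ghcommit "${ghcommit_args[@]}" 2>&1); then
  printf '%s\n' "$output" >&2
  exit 1
fi
printf '%s\n' "$output"

# ghcommit reports the result as "Success. New commit: <url>"; take the last
# whitespace-separated token of the first such line. Report a missing URL explicitly
# rather than letting `pipefail` end the script with no diagnostic.
commit_url=$(awk '/Success\. New commit:/ { print $NF; exit }' <<<"$output")
if [[ -z "$commit_url" ]]; then
  echo "::error::Could not find the new commit URL in ghcommit output" >&2
  exit 1
fi
commit_hash="${commit_url##*/}"
# Both values are single tokens without whitespace, so the plain name=value form of
# GITHUB_OUTPUT is safe here (a newline in a value would start a new output entry).
{
  printf 'commit-url=%s\n' "$commit_url"
  printf 'commit-hash=%s\n' "$commit_hash"
} >> "$GITHUB_OUTPUT"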