shithub Public

Watch 1 Fork 0 Star 0

Bash · 3580 bytes Raw Blame History

  
        1
        #!/usr/bin/env bash
      
        2
        # SPDX-License-Identifier: AGPL-3.0-or-later
      
        3
        
        4
        set -eu
      
        5
        
        6
        ROOT="$(git rev-parse --show-toplevel)"
      
        7
        cd "$ROOT"
      
        8
        
        9
        fail() {
      
        10
          printf 'audit-actions-ga: %s\n' "$*" >&2
      
        11
          exit 1
      
        12
        }
      
        13
        
        14
        ok() {
      
        15
          printf 'ok: %s\n' "$*"
      
        16
        }
      
        17
        
        18
        require_file() {
      
        19
          [ -f "$1" ] || fail "missing required file: $1"
      
        20
          ok "found $1"
      
        21
        }
      
        22
        
        23
        require_grep() {
      
        24
          pattern="$1"
      
        25
          file="$2"
      
        26
          desc="$3"
      
        27
          rg -q "$pattern" "$file" || fail "$desc not found in $file"
      
        28
          ok "$desc"
      
        29
        }
      
        30
        
        31
        require_file ".shithub/workflows/checkout-canary.yml"
      
        32
        require_file "bench/fixtures/actions/checkout-canary.yml"
      
        33
        require_file "bench/k6/actions-load.js"
      
        34
        require_file "deploy/monitoring/grafana/dashboards/actions.json"
      
        35
        require_file "deploy/monitoring/prometheus/rules.yml"
      
        36
        require_file "deploy/runner-config/firewall.sh.j2"
      
        37
        require_file "deploy/runner-config/dnsmasq.conf.j2"
      
        38
        require_file "deploy/runner-config/seccomp.json"
      
        39
        require_file "docs/internal/actions-ga-readiness.md"
      
        40
        require_file "docs/internal/runbooks/actions.md"
      
        41
        require_file "docs/internal/runbooks/runner-deploy.md"
      
        42
        require_file "docs/public/user/actions.md"
      
        43
        require_file "docs/public/api/actions.md"
      
        44
        
        45
        uses_hits="$(rg -n '^[[:space:]-]*uses:[[:space:]]*' .shithub/workflows -g '*.yml' -g '*.yaml' || true)"
      
        46
        printf '%s\n' "$uses_hits" | while IFS= read -r hit; do
      
        47
          [ -n "$hit" ] || continue
      
        48
          ref="$(printf '%s' "$hit" | sed -E 's/.*uses:[[:space:]]*//; s/[[:space:]]+#.*$//; s/^"//; s/"$//; s/^[[:space:]]*//; s/[[:space:]]*$//')"
      
        49
          ref="${ref#\'}"
      
        50
          ref="${ref%\'}"
      
        51
          case "$ref" in
      
        52
            actions/checkout@v4|shithub/upload-artifact@v1|shithub/download-artifact@v1)
      
        53
              ;;
      
        54
            *)
      
        55
              fail "unsupported .shithub workflow uses alias $ref in $hit"
      
        56
              ;;
      
        57
          esac
      
        58
        done
      
        59
        ok ".shithub workflows use only v1-supported aliases"
      
        60
        
        61
        require_grep 'actions/setup-go@v5' ".github/workflows/ci.yml" "GitHub CI still documents setup-go dependency"
      
        62
        require_grep 'golangci/golangci-lint-action@v8' ".github/workflows/ci.yml" "GitHub CI still documents golangci action dependency"
      
        63
        require_grep 'Do not move `.github/workflows/ci.yml`' "docs/internal/actions-ga-readiness.md" "dogfood decision"
      
        64
        
        65
        for alert in \
      
        66
          ActionsRunnerHeartbeatStale \
      
        67
          ActionsQueueDepthHigh \
      
        68
          ActionsRunDurationP99Regressed \
      
        69
          ActionsLogScrubberPossiblyMissing
      
        70
        do
      
        71
          require_grep "$alert" "deploy/monitoring/prometheus/rules.yml" "alert $alert"
      
        72
        done
      
        73
        
        74
        for metric in \
      
        75
          shithub_actions_queue_depth \
      
        76
          shithub_actions_active \
      
        77
          shithub_actions_runner_heartbeat_age_seconds \
      
        78
          shithub_actions_run_duration_seconds \
      
        79
          shithub_actions_log_chunk_bytes_total
      
        80
        do
      
        81
          require_grep "$metric" "docs/internal/runbooks/observability.md" "observability doc metric $metric"
      
        82
        done
      
        83
        
        84
        require_grep 'runner_jwt_used' "docs/internal/actions-schema.md" "runner JWT replay table documentation"
      
        85
        require_grep 'workflow_job_secret_masks' "docs/internal/actions-schema.md" "claim-time mask table documentation"
      
        86
        require_grep 'direct-IP' "docs/internal/runbooks/runner-deploy.md" "direct-IP egress mitigation"
      
        87
        require_grep 'checkout token leaked into argv' "internal/runner/engine/docker_test.go" "checkout-token argv regression test"
      
        88
        require_grep 'checkout token push unexpectedly succeeded' "internal/web/handlers/githttp/githttp_test.go" "checkout-token push denial test"
      
        89
        require_grep 'TestEval_GithubAliasIsTainted' "internal/actions/expr/eval_test.go" "github alias taint test"
      
        90
        require_grep 'Actions workflow API' "docs/public/SUMMARY.md" "public Actions API docs link"
      
        91
        require_grep '\[Actions\]\(\./user/actions\.md\)' "docs/public/SUMMARY.md" "public Actions user docs link"
      
        92
        
        93
        ok "S41h Actions pre-GA static audit packet complete"

1	#!/usr/bin/env bash
2	# SPDX-License-Identifier: AGPL-3.0-or-later
3
4	set -eu
5
6	ROOT="$(git rev-parse --show-toplevel)"
7	cd "$ROOT"
8
9	fail() {
10	printf 'audit-actions-ga: %s\n' "$*" >&2
11	exit 1
12	}
13
14	ok() {
15	printf 'ok: %s\n' "$*"
16	}
17
18	require_file() {
19	[ -f "$1" ] \|\| fail "missing required file: $1"
20	ok "found $1"
21	}
22
23	require_grep() {
24	pattern="$1"
25	file="$2"
26	desc="$3"
27	rg -q "$pattern" "$file" \|\| fail "$desc not found in $file"
28	ok "$desc"
29	}
30
31	require_file ".shithub/workflows/checkout-canary.yml"
32	require_file "bench/fixtures/actions/checkout-canary.yml"
33	require_file "bench/k6/actions-load.js"
34	require_file "deploy/monitoring/grafana/dashboards/actions.json"
35	require_file "deploy/monitoring/prometheus/rules.yml"
36	require_file "deploy/runner-config/firewall.sh.j2"
37	require_file "deploy/runner-config/dnsmasq.conf.j2"
38	require_file "deploy/runner-config/seccomp.json"
39	require_file "docs/internal/actions-ga-readiness.md"
40	require_file "docs/internal/runbooks/actions.md"
41	require_file "docs/internal/runbooks/runner-deploy.md"
42	require_file "docs/public/user/actions.md"
43	require_file "docs/public/api/actions.md"
44
45	uses_hits="$(rg -n '^[[:space:]-]uses:[[:space:]]' .shithub/workflows -g '.yml' -g '.yaml' \|\| true)"
46	printf '%s\n' "$uses_hits" \| while IFS= read -r hit; do
47	[ -n "$hit" ] \|\| continue
48	ref="$(printf '%s' "$hit" \| sed -E 's/.uses:[[:space:]]//; s/[[:space:]]+#.$//; s/^"//; s/"$//; s/^[[:space:]]//; s/[[:space:]]*$//')"
49	ref="${ref#\'}"
50	ref="${ref%\'}"
51	case "$ref" in
52	actions/checkout@v4\|shithub/upload-artifact@v1\|shithub/download-artifact@v1)
53	;;
54	*)
55	fail "unsupported .shithub workflow uses alias $ref in $hit"
56	;;
57	esac
58	done
59	ok ".shithub workflows use only v1-supported aliases"
60
61	require_grep 'actions/setup-go@v5' ".github/workflows/ci.yml" "GitHub CI still documents setup-go dependency"
62	require_grep 'golangci/golangci-lint-action@v8' ".github/workflows/ci.yml" "GitHub CI still documents golangci action dependency"
63	require_grep 'Do not move `.github/workflows/ci.yml`' "docs/internal/actions-ga-readiness.md" "dogfood decision"
64
65	for alert in \
66	ActionsRunnerHeartbeatStale \
67	ActionsQueueDepthHigh \
68	ActionsRunDurationP99Regressed \
69	ActionsLogScrubberPossiblyMissing
70	do
71	require_grep "$alert" "deploy/monitoring/prometheus/rules.yml" "alert $alert"
72	done
73
74	for metric in \
75	shithub_actions_queue_depth \
76	shithub_actions_active \
77	shithub_actions_runner_heartbeat_age_seconds \
78	shithub_actions_run_duration_seconds \
79	shithub_actions_log_chunk_bytes_total
80	do
81	require_grep "$metric" "docs/internal/runbooks/observability.md" "observability doc metric $metric"
82	done
83
84	require_grep 'runner_jwt_used' "docs/internal/actions-schema.md" "runner JWT replay table documentation"
85	require_grep 'workflow_job_secret_masks' "docs/internal/actions-schema.md" "claim-time mask table documentation"
86	require_grep 'direct-IP' "docs/internal/runbooks/runner-deploy.md" "direct-IP egress mitigation"
87	require_grep 'checkout token leaked into argv' "internal/runner/engine/docker_test.go" "checkout-token argv regression test"
88	require_grep 'checkout token push unexpectedly succeeded' "internal/web/handlers/githttp/githttp_test.go" "checkout-token push denial test"
89	require_grep 'TestEval_GithubAliasIsTainted' "internal/actions/expr/eval_test.go" "github alias taint test"
90	require_grep 'Actions workflow API' "docs/public/SUMMARY.md" "public Actions API docs link"
91	require_grep '\[Actions\]\(\./user/actions\.md\)' "docs/public/SUMMARY.md" "public Actions user docs link"
92
93	ok "S41h Actions pre-GA static audit packet complete"