@shazow
Last active August 29, 2024 18:26
Reads workflow yaml files from stdin, finds `uses:` strings with commit hashes in them and checks that those commits exist in the claimed repo.
#!/usr/bin/env bash
# Reads workflow yaml files from stdin, finds `uses:` strings with commit hashes in them and checks that those commits exist in the claimed repo.
# Returns non-zero code on failure.
#
# Uses this undocumented endpoint: https://stackoverflow.com/questions/29992441/github-api-identify-the-branches-that-contain-a-given-commit
# https://github.com/$OWNER/$REPO/branch_commits/$COMMIT
#
# Requires GNU grep (uses -P).
#
# Example:
# $ ./check-workflow-commits < .github/workflows/publish.yml && echo "Everything is okay" || echo "Things are bad"
set -uo pipefail

# Markers looked for in the fragment that endpoint returns: bad_string is the
# spoofed-commit warning, good_string is the normal branch listing.
readonly bad_string="js-spoofed-commit-warning-trigger"
readonly good_string="branches-list"

# `|| [[ -n "$line" ]]` keeps the last line of a file with no trailing newline.
while IFS= read -r line || [[ -n "$line" ]]; do
  # Only a full 40-hex SHA is an immutable pin, so `@v4`-style tags are not checked
  # (the old `[0-9a-f]*` matched them with an empty commit). A subpath
  # (owner/repo/path@sha) is allowed.
  uses_line="$(echo "$line" | grep -oP "uses:\s*[-._\w]+/[-._\w]+(/[^@\s]+)?@[0-9a-f]{40}")"
  if [[ -z "$uses_line" ]]; then
    continue
  fi
  ref="${uses_line#uses:}"
  ref="${ref//[[:space:]]/}"
  commit="${ref#*@}"
  repo="$(echo "${ref%@*}" | cut -d/ -f1,2)"  # drop any subpath, keep owner/repo
  url="https://github.com/$repo/branch_commits/$commit"
  echo -n "Checking: $repo@$commit ... "
  # FIXME: This doesn't actually work, need to find another way to check commits
  result="$(curl --silent "$url")"
  if echo "$result" | grep -q "$bad_string"; then
    echo "❌"
    echo "Failed: Found commit that does not exist on claimed repo: $commit"
    echo "  $line"
    exit 1
  elif echo "$result" | grep -q "$good_string"; then
    echo "✅"
  else
    echo "❓"
    echo "Failed: Commit did not load or got an unexpected result: $commit"
    echo "  $line"
    exit 2
  fi
done
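The FIXME above leaves the actual check open. What follows is an added example, written in Python and not part of the gist, that does the same job against documented GitHub REST endpoints instead of the branch_commits page: it lists the claimed repo's branches and tags (GET /repos/{owner}/{repo}/branches and .../tags) and asks GET /repos/{owner}/{repo}/compare/{ref}...{sha} whether the pinned SHA is an ancestor of any of them (the compare status is "behind" or "identical" exactly then). A SHA that GitHub will happily serve under the repo's URL but that no branch or tag contains, which is what a commit pushed only to a fork looks like, comes back as "impostor". The parser also covers forms the gist's regex misses: subpath actions (owner/repo/path@sha), quoted values, job-level `uses:` for reusable workflows, and docker:// and ./local references, which are skipped because they do not name a GitHub commit. The repositories under example-org, the two SHAs and the FAKE_API responses are constructed for offline use and are not real; pagination past the first 100 refs and API authentication are left out.

```python
"""Added example, not the gist's script: find SHA-pinned `uses:` references in
workflow YAML and verify each SHA is reachable from a branch or tag of the claimed
repo via documented REST endpoints (/branches, /tags, /compare/{base}...{head}).
The fetcher is injectable so the logic runs offline on the constructed fixture below."""
from __future__ import annotations
import json, re, urllib.error, urllib.request

# A `uses:` value is owner/repo[/path]@ref, docker://image or ./local/path.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?(?P<ref>[^'"#\s]+)['"]?\s*(#.*)?$""")
ACTION_RE = re.compile(r"^(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)(/[^@]*)?@(?P<ref>\S+)$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # only a full SHA is an immutable pin

def parse_uses(yaml_text: str) -> list[dict]:
    """One record per `uses:` line, step-level (`- uses:`) or job-level (`uses:`)."""
    records = []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        if not (m := USES_RE.match(line)):
            continue
        value = m["ref"]
        rec = {"line": lineno, "uses": value, "kind": "unknown"}
        if value.startswith("docker://"):
            rec["kind"] = "docker"
        elif value.startswith("./"):
            rec["kind"] = "local"
        elif a := ACTION_RE.match(value):
            rec.update(kind="action", owner=a["owner"], repo=a["repo"], ref=a["ref"],
                       pinned=bool(FULL_SHA_RE.match(a["ref"])))
        records.append(rec)
    return records

def github_fetch(path: str) -> object | None:
    """Real fetcher: unauthenticated GET against api.github.com (rate-limited); None on 404."""
    req = urllib.request.Request("https://api.github.com" + path,
                                 headers={"Accept": "application/vnd.github+json"})
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise

def commit_in_repo(owner: str, repo: str, sha: str, fetch) -> bool:
    """True iff `sha` is an ancestor of (or equal to) some branch or tag tip.
    `fetch(path)` returns decoded JSON or None on 404. Only the first 100 branches
    and 100 tags are consulted (no pagination)."""
    for kind in ("branches", "tags"):
        refs = fetch(f"/repos/{owner}/{repo}/{kind}?per_page=100")
        if refs is None:
            raise LookupError(f"{owner}/{repo} not found")
        for item in refs:
            cmp = fetch(f"/repos/{owner}/{repo}/compare/{item['name']}...{sha}")
            # "behind"/"identical": head (sha) adds no commits to base (ref), so the ref
            # contains it. "ahead"/"diverged"/404: this ref does not contain it.
            if cmp is not None and cmp.get("status") in ("identical", "behind"):
                return True
    return False

def check_workflow(yaml_text: str, fetch=github_fetch) -> list[tuple[str, str]]:
    """(owner/repo@ref, verdict) per action reference. Verdicts: ok, impostor,
    unpinned, no-such-repo. docker:// and ./local references are skipped."""
    findings, cache = [], {}
    for rec in parse_uses(yaml_text):
        if rec["kind"] != "action":
            continue
        key = f"{rec['owner']}/{rec['repo']}@{rec['ref']}"
        if not rec["pinned"]:
            findings.append((key, "unpinned"))
            continue
        if key not in cache:  # the same pin often appears in several steps
            try:
                ok = commit_in_repo(rec["owner"], rec["repo"], rec["ref"], fetch)
                cache[key] = "ok" if ok else "impostor"
            except LookupError:
                cache[key] = "no-such-repo"
        findings.append((key, cache[key]))
    return findings

# Constructed offline fixture: invented repos, SHAs and API responses (not real data).
GOOD_SHA = "a" * 40      # reachable from main of example-org/good-action
IMPOSTOR_SHA = "b" * 40  # in no branch or tag of example-org/other-action (fork-only)
FAKE_API = {
    "/repos/example-org/good-action/branches?per_page=100": [{"name": "main"}],
    "/repos/example-org/good-action/tags?per_page=100": [{"name": "v1.2.0"}],
    f"/repos/example-org/good-action/compare/main...{GOOD_SHA}": {"status": "behind"},
    "/repos/example-org/other-action/branches?per_page=100": [{"name": "main"}],
    "/repos/example-org/other-action/tags?per_page=100": [],
    f"/repos/example-org/other-action/compare/main...{IMPOSTOR_SHA}": {"status": "diverged"},
}
# FAKE_API.get is a drop-in fetcher: an unknown path yields None, like a 404.
SAMPLE_WORKFLOW = f"""\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/good-action@{GOOD_SHA}
      - uses: example-org/good-action/sub/dir@{GOOD_SHA} # subpath inside the repo
      - uses: 'example-org/other-action@{IMPOSTOR_SHA}'
      - uses: docker://alpine:3.20
      - uses: ./.github/actions/local-thing
  reuse:
    uses: example-org/workflows/.github/workflows/ci.yml@main
"""
```

Against a real workflow, `check_workflow(open(".github/workflows/publish.yml").read())` uses `github_fetch`; exit non-zero, as the gist does, when any verdict is "impostor" or "no-such-repo". Each pin costs one compare call per branch and tag until a match is found, so the unauthenticated 60-requests-per-hour limit runs out quickly on repos with many branches; pass a fetcher that adds an Authorization header for anything beyond a handful of pins. The offline fixture is exercised with `check_workflow(SAMPLE_WORKFLOW, FAKE_API.get)`.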