From 2206a29f681cd3846bbbb22c1a7e5e593d68cba1 Mon Sep 17 00:00:00 2001 From: martincostello Date: Tue, 4 Feb 2025 10:46:15 +0000 Subject: [PATCH 1/2] Fix actions/*-artifact false positives for GHES Attempt to resolve false positives for v4 artifacts actions in GitHub Enterprise Server. Contributes to #509. --- rule_action.go | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/rule_action.go b/rule_action.go index 3cc181c64..30f618c32 100644 --- a/rule_action.go +++ b/rule_action.go @@ -286,6 +286,15 @@ var BrandingIcons = map[string]struct{}{ "zoom-out": {}, } +// These actions are still supported in GitHub Enterprise Server as the v4 back-end infrastructure +// that the *-artifact actions use is not available, or they depend on those v4 actions. +var OutdatedPopularActionSpecsStillSupportedByGitHubEnterpriseServer = map[string]struct{}{ + "actions/deploy-pages@v2": {}, + "actions/download-artifact@v3": {}, + "actions/upload-artifact@v3": {}, + "actions/upload-pages-artifact@v3": {}, +} + // https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runsimage func isImageOnDockerRegistry(image string) bool { return strings.HasPrefix(image, "docker://") || @@ -374,7 +383,12 @@ func (rule *RuleAction) checkRepoAction(spec string, exec *ExecAction) { meta, ok := PopularActions[spec] if !ok { if _, ok := OutdatedPopularActionSpecs[spec]; ok { - rule.Errorf(exec.Uses.Pos, "the runner of %q action is too old to run on GitHub Actions. update the action's version to fix this issue", spec) + serverURL := os.Getenv("GITHUB_SERVER_URL") + isGHES := serverURL != "https://github.com" && !strings.HasSuffix(serverURL, ".ghe.com") + _, stillSupported := OutdatedPopularActionSpecsStillSupportedByGitHubEnterpriseServer[spec] + if !isGHES || !stillSupported { + rule.Errorf(exec.Uses.Pos, "the runner of %q action is too old to run on GitHub Actions. update the action's version to fix this issue", spec) + } return } rule.Debug("This action is not found in popular actions data set: %s", spec) From 9d45b525cb7b5c689cfb9a5eebff5256bbc7c27f Mon Sep 17 00:00:00 2001 From: martincostello Date: Tue, 4 Feb 2025 10:52:04 +0000 Subject: [PATCH 2/2] Private field Don't export the var, which I think means the lint warning will go away. --- rule_action.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rule_action.go b/rule_action.go index 30f618c32..5e3111183 100644 --- a/rule_action.go +++ b/rule_action.go @@ -288,7 +288,7 @@ var BrandingIcons = map[string]struct{}{ // These actions are still supported in GitHub Enterprise Server as the v4 back-end infrastructure // that the *-artifact actions use is not available, or they depend on those v4 actions. -var OutdatedPopularActionSpecsStillSupportedByGitHubEnterpriseServer = map[string]struct{}{ +var outdatedPopularActionSpecsStillSupportedByGitHubEnterpriseServer = map[string]struct{}{ "actions/deploy-pages@v2": {}, "actions/download-artifact@v3": {}, "actions/upload-artifact@v3": {}, @@ -385,7 +385,7 @@ func (rule *RuleAction) checkRepoAction(spec string, exec *ExecAction) { if _, ok := OutdatedPopularActionSpecs[spec]; ok { serverURL := os.Getenv("GITHUB_SERVER_URL") isGHES := serverURL != "https://github.com" && !strings.HasSuffix(serverURL, ".ghe.com") - _, stillSupported := OutdatedPopularActionSpecsStillSupportedByGitHubEnterpriseServer[spec] + _, stillSupported := outdatedPopularActionSpecsStillSupportedByGitHubEnterpriseServer[spec] if !isGHES || !stillSupported { rule.Errorf(exec.Uses.Pos, "the runner of %q action is too old to run on GitHub Actions. update the action's version to fix this issue", spec) }