【GitHub】GitHub Actions ~ Linters for GitHub Actions ~

■ Introduction

I have been running linters for various programming languages in GitHub Actions, but after reading

https://dk521123.hatenablog.com/entry/2024/04/05/000136

and learning that GitHub Actions workflows themselves can harbor security weaknesses (for example, a third-party action referenced by a mutable tag), I got a bit nervous.

So I looked into linters that check the GitHub Actions workflows themselves.

Table of contents

【1】Linters for GitHub Actions
 1) actionlint
 2) ghalint
【2】Samples
 Example 1: actionlint
 Example 2: ghalint
【3】Supplement: ghalint errors
 1) Error "job should have permissions"
 2) Error "action ref should be full length SHA1"

【1】Linters for GitHub Actions

1) actionlint

* Seems to be the most widely used one

https://github.com/rhysd/actionlint

Install
https://github.com/rhysd/actionlint/blob/main/docs/install.md

Usage
https://github.com/rhysd/actionlint/blob/main/docs/usage.md

Playground

* If you just want to see what it does, you can try it here

https://rhysd.github.io/actionlint/

2) ghalint

* A GitHub Actions (GHA) linter whose developer appears to be Japanese

https://github.com/suzuki-shunsuke/ghalint

Install
https://github.com/suzuki-shunsuke/ghalint#how-to-install

# Install on Ubuntu (version pinned to v0.2.9)
curl -OL https://github.com/suzuki-shunsuke/ghalint/releases/download/v0.2.9/ghalint_0.2.9_linux_amd64.tar.gz
# Extract into /usr/local and register the binary with update-alternatives
sudo tar -zxvf ghalint_0.2.9_linux_amd64.tar.gz -C /usr/local/
sudo update-alternatives --install /usr/bin/ghalint ghalint /usr/local/ghalint 100

# Check
ghalint -v
# ghalint version 0.2.9 (247bf257b2f59bd7d01280754028fc3d3a807dbe)

Note that this fetches and extracts a binary with no integrity check. When you do the same thing in CI, keep the version pinned as above and compare the download against a checksum you obtained out of band before extracting it.

【2】Samples

Example 1: actionlint

name: RunGithubActionsLinters

on:
  workflow_dispatch:
jobs:
  lint-by-actionlint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
      - uses: reviewdog/action-actionlint@c6ee1eb0a5d47b2af53a203652b5dac0b6c4016e # v1.40.0
        with:
          fail_on_error: true
          filter_mode: nofilter
          level: info

Here `filter_mode: nofilter` reports every finding rather than only those on lines changed in a pull request, and `fail_on_error: true` makes the step fail when actionlint reports anything, so the workflow actually blocks on problems instead of only annotating them.

Example 2: ghalint

name: RunGithubActionsLinters

on:
  workflow_dispatch:
jobs:
  lint-by-ghalint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
      # ghalint (version pinned; the tarball is extracted into the workspace)
      - name: Run ghalint
        run: |
          curl -OL https://github.com/suzuki-shunsuke/ghalint/releases/download/v0.2.9/ghalint_0.2.9_linux_amd64.tar.gz
          tar -zxvf ghalint_0.2.9_linux_amd64.tar.gz
          ./ghalint run

`ghalint run` lints every workflow file under `.github/workflows`, including the workflow that runs it, so the `lint-by-ghalint` job above is itself reported for lacking `permissions` unless you declare one on it (`permissions: {}` is enough for checking out a public repository; a private one needs `contents: read`).

Example output

・・・
time="2024-04-06T14:56:22Z" level=error
 msg="the job violates policies"
 error="job should have permissions"
 job_name=sample-job
 policy_name=job_permissions program=ghalint
 reference="https://github.com/suzuki-shunsuke/ghalint/blob/main/docs/policies/001.md"
 version=0.2.9
 workflow_file_path=.github/workflows/demo-py-linter.yml

time="2024-04-06T14:56:22Z" level=error
 msg="the step violates policies"
 action=actions/checkout
 error="action ref should be full length SHA1"
 job_name=sample-job
 policy_name=action_ref_should_be_full_length_commit_sha
 program=ghalint
 reference="https://github.com/suzuki-shunsuke/ghalint/blob/main/docs/policies/008.md"
 version=0.2.9
 workflow_file_path=.github/workflows/demo-py-linter.yml
・・・

[Before the fix] .github/workflows/demo-py-linter.yml

name: DemoPythonLinter

on:
  workflow_dispatch:

jobs:
  sample-job:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.10'
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install ruff
      - name: Lint with Ruff
        run: |
          ruff --output-format=github .
        continue-on-error: true

[After the fix] .github/workflows/demo-py-linter.yml

name: DemoPythonLinter

on:
  workflow_dispatch:

jobs:
  sample-job:
    runs-on: ubuntu-latest
    # !! Fixing for "job should have permissions"
    permissions: {}
    steps:
      # !! Fixing for "action ref should be full length SHA1"
      # v4.1.2
      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
      # v4.8.0
      - name: Set up Python
        uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa
        with:
          python-version: '3.10'
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install ruff
      - name: Lint with Ruff
        run: |
          ruff --output-format=github .
        continue-on-error: true

【3】Supplement: ghalint errors

1) Error "job should have permissions"

* Declare `permissions` on the job
 => the `permissions` key overrides the default permissions granted to the GITHUB_TOKEN, so grant only what the job's steps actually need
 => `permissions: {}` grants the token nothing; that is fine for a job that only checks out a public repository and runs a linter, but checking out a private repository needs `contents: read`

https://docs.github.com/ja/enterprise-cloud@latest/actions/using-jobs/assigning-permissions-to-jobs

2) Error "action ref should be full length SHA1"

The concern I mentioned at the beginning,
=====
https://dk521123.hatenablog.com/entry/2024/04/05/000136
learning that GitHub Actions workflows themselves can harbor security weaknesses made me a bit nervous
=====
is detected by "2) ghalint".
("1) actionlint" does not detect it: it checks workflow syntax, expressions and similar mistakes, but does not enforce how an action's ref is pinned.)

The reason for the policy: a tag such as `v4` is a mutable pointer that the action's maintainer, or anyone who compromises the action's repository, can move to different code, whereas a full 40-character commit SHA identifies exactly one commit. Keep the version as a comment next to the SHA (as in the fixed workflow above) so that you, and update tools such as Dependabot or Renovate, can tell which release the hash corresponds to.

https://github.com/suzuki-shunsuke/ghalint/blob/main/docs/policies/008.md
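To make the two policies above concrete, here is an added example (not ghalint's own code, and not from the original article) that approximates both checks on a workflow file with nothing but the standard library. It assumes the 2-space indentation used in this article's workflows, treats "job declares its own `permissions`" as the whole of the permissions rule (ghalint's actual policy text is in the linked document), and uses constructed copies of the before/after workflows as input. Local actions (`./...`) and `docker://` images are skipped because they have no git ref to pin.

```python
"""Minimal checker for two GitHub Actions workflow policies.

Added example for this article; it is NOT ghalint's code. It approximates:
  * job_permissions: every job declares its own `permissions:` key
  * action_ref_should_be_full_length_commit_sha: every `uses:` that refers
    to a remote action or reusable workflow is pinned to a 40-hex commit SHA
Assumption: jobs are indented 2 spaces under `jobs:`, job keys 4 spaces.
"""
import re
from typing import Dict, List

FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
JOB_KEY_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")      # job id under `jobs:`
JOB_PERMISSIONS_RE = re.compile(r"^    permissions:")    # job-level permissions
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")   # step or reusable-workflow `uses`


def ref_is_pinned(uses: str) -> bool:
    """True when `uses` needs no pinning or is pinned to a full commit SHA."""
    if uses.startswith("./") or uses.startswith("docker://"):
        return True  # local actions and docker images have no git ref to pin
    if "@" not in uses:
        return False  # remote action without any ref at all
    ref = uses.rsplit("@", 1)[1]
    return bool(FULL_SHA_RE.match(ref))


def lint_workflow(text: str, path: str = "workflow.yml") -> List[Dict[str, str]]:
    """Return one finding per violation: permissions findings first, then refs."""
    jobs: List[str] = []
    jobs_with_permissions = set()
    ref_findings: List[Dict[str, str]] = []
    in_jobs = False
    current_job = ""

    for raw in text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line.startswith(" "):          # a top-level key starts/ends the jobs block
            in_jobs = stripped == "jobs:"
            current_job = ""
            continue
        if in_jobs:
            m = JOB_KEY_RE.match(line)
            if m:
                current_job = m.group(1)
                jobs.append(current_job)
                continue
            if current_job and JOB_PERMISSIONS_RE.match(line):
                jobs_with_permissions.add(current_job)
                continue
        m = USES_RE.match(line)
        if m and not ref_is_pinned(m.group(1)):
            ref_findings.append({
                "policy": "action_ref_should_be_full_length_commit_sha",
                "job": current_job, "detail": m.group(1), "file": path,
            })

    perm_findings = [
        {"policy": "job_permissions", "job": job,
         "detail": "job should have permissions", "file": path}
        for job in jobs if job not in jobs_with_permissions
    ]
    return perm_findings + ref_findings


# Constructed sample: the article's workflow before the fix (tags, no permissions)
BEFORE = """\
name: DemoPythonLinter
on:
  workflow_dispatch:
jobs:
  sample-job:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.10'
      - name: Lint with Ruff
        run: ruff --output-format=github .
"""

# Constructed sample: the fixed workflow (full SHAs with version comments, permissions: {})
AFTER = """\
name: DemoPythonLinter
on:
  workflow_dispatch:
jobs:
  sample-job:
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      # v4.1.2
      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
      - name: Set up Python
        uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4.8.0
      - name: Lint with Ruff
        run: ruff --output-format=github .
"""

if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER)):
        findings = lint_workflow(wf, f"demo-py-linter.{label}.yml")
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f['policy']}] job={f['job']} {f['detail']}")
```

Running it reports three findings for the "before" workflow (the missing `permissions` plus the two `@v4` refs) and none for the fixed one; a short SHA such as `@9bb5618` is still rejected, because only a full 40-character hash passes the check.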

References

https://engineering.mercari.com/blog/entry/20231223-mercoin-github-actions/

Related posts

GitHub Actions ~ Background ~
https://dk521123.hatenablog.com/entry/2021/11/04/142835
GitHub Actions ~ Introduction ~
https://dk521123.hatenablog.com/entry/2022/06/16/151443
GitHub Actions ~ Basics ~
https://dk521123.hatenablog.com/entry/2023/12/22/195715
GitHub Actions ~ How to specify third-party GitHub Actions ~
https://dk521123.hatenablog.com/entry/2024/04/05/000136