■ Introduction
I have been running linters for various programming languages in GitHub Actions, but after learning from
https://dk521123.hatenablog.com/entry/2024/04/05/000136
that GitHub Actions itself can harbor security vulnerabilities, I got a bit scared. So I looked into linters that check GitHub Actions workflows themselves.
Table of contents
【1】GitHub Actions linters
  1) actionlint
  2) ghalint
【2】Samples
  Example 1: actionlint
  Example 2: ghalint
【3】Supplement: about ghalint errors
  1) Error "job should have permissions"
  2) Error "action ref should be full length SHA1"
【1】GitHub Actions linters
1) actionlint
* Seems to be the most widely used one
https://github.com/rhysd/actionlint
Install
https://github.com/rhysd/actionlint/blob/main/docs/install.md
Usage
https://github.com/rhysd/actionlint/blob/main/docs/usage.md
Playground
* If you just want to try it out quickly, you can do so here
https://rhysd.github.io/actionlint/
2) ghalint
* A GitHub Actions (GHA) linter; the developer appears to be Japanese
https://github.com/suzuki-shunsuke/ghalint
Install
https://github.com/suzuki-shunsuke/ghalint#how-to-install
# Install in Ubuntu
curl -OL https://github.com/suzuki-shunsuke/ghalint/releases/download/v0.2.9/ghalint_0.2.9_linux_amd64.tar.gz
sudo tar -zxvf ghalint_0.2.9_linux_amd64.tar.gz -C /usr/local/
sudo update-alternatives --install /usr/bin/ghalint ghalint /usr/local/ghalint 100
# Check
ghalint -v
# ghalint version 0.2.9 (247bf257b2f59bd7d01280754028fc3d3a807dbe)
【2】Samples
Example 1: actionlint
name: RunGithubActionsLinters
on:
  workflow_dispatch:
jobs:
  lint-by-actionlint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
      - uses: reviewdog/action-actionlint@c6ee1eb0a5d47b2af53a203652b5dac0b6c4016e # v1.40.0
        with:
          fail_on_error: true
          filter_mode: nofilter
          level: info
Example 2: ghalint
name: RunGithubActionsLinters
on:
  workflow_dispatch:
jobs:
  lint-by-ghalint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
      # ghalint
      - name: Run Github Actions's Linter
        run: |
          curl -OL https://github.com/suzuki-shunsuke/ghalint/releases/download/v0.2.9/ghalint_0.2.9_linux_amd64.tar.gz
          tar -zxvf ghalint_0.2.9_linux_amd64.tar.gz
          ./ghalint run
Example output
...
time="2024-04-06T14:56:22Z" level=error msg="the job violates policies" error="job should have permissions" job_name=sample-job policy_name=job_permissions program=ghalint reference="https://github.com/suzuki-shunsuke/ghalint/blob/main/docs/policies/001.md" version=0.2.9 workflow_file_path=.github/workflows/demo-py-linter.yml
time="2024-04-06T14:56:22Z" level=error msg="the step violates policies" action=actions/checkout error="action ref should be full length SHA1" job_name=sample-job policy_name=action_ref_should_be_full_length_commit_sha program=ghalint reference="https://github.com/suzuki-shunsuke/ghalint/blob/main/docs/policies/008.md" version=0.2.9 workflow_file_path=.github/workflows/demo-py-linter.yml
...
[Before fix] .github/workflows/demo-py-linter.yml
name: DemoPythonLinter
on:
  workflow_dispatch:
jobs:
  sample-job:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.10'
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install ruff
      - name: Lint with Ruff
        run: |
          ruff --output-format=github .
        continue-on-error: true
[After fix] .github/workflows/demo-py-linter.yml
name: DemoPythonLinter
on:
  workflow_dispatch:
jobs:
  sample-job:
    runs-on: ubuntu-latest
    # !! Fixing for "job should have permissions"
    permissions: {}
    steps:
      # !! Fixing for "action ref should be full length SHA1"
      # v4.1.2
      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
      # v4.8.0
      - name: Set up Python
        uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa
        with:
          python-version: '3.10'
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install ruff
      - name: Lint with Ruff
        run: |
          ruff --output-format=github .
        continue-on-error: true
【3】Supplement: about ghalint errors
1) Error "job should have permissions"
* Add a `permissions` key to the job => `permissions` changes the default permissions granted to the GITHUB_TOKEN
https://docs.github.com/ja/enterprise-cloud@latest/actions/using-jobs/assigning-permissions-to-jobs
2) Error "action ref should be full length SHA1"
As for what I said at the beginning:
=====
After learning from https://dk521123.hatenablog.com/entry/2024/04/05/000136 that GitHub Actions itself can harbor security vulnerabilities, I got a bit scared.
=====
"2) ghalint" detects this. ("1) actionlint" does not.)
https://github.com/suzuki-shunsuke/ghalint/blob/main/docs/policies/008.md
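To make the two policies concrete, here is an added example (my own simplified checker, not ghalint's or actionlint's code) that flags jobs without their own `permissions` key and `uses` refs that are not a full-length commit SHA. It assumes a plain single-document workflow file and does not reproduce ghalint's exact rules (for instance, it ignores workflow-level `permissions`); the two sample workflows are constructed from this post's before/after files.

```python
import re
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")        # 40 hex chars = full-length commit SHA1
USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")   # `- uses: owner/repo@ref`
KEY = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):")   # a plain YAML mapping key

def check_workflow(text: str) -> list[str]:
    # Returns one finding per violation; an empty list means the workflow is clean.
    findings: list[str] = []
    jobs: dict[str, bool] = {}               # job name -> has its own permissions key
    in_jobs, job_indent, job = False, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments (assumes no '#' in quoted values)
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key = KEY.match(line)
        if indent == 0:                       # top-level key: are we inside `jobs:`?
            in_jobs, job = bool(key) and key.group(2) == "jobs", None
            continue
        if in_jobs:
            job_indent = job_indent or indent  # first line under jobs: names a job
            if key and indent == job_indent:
                job = key.group(2)
                jobs[job] = False
            elif key and job and key.group(2) == "permissions":
                jobs[job] = True
        uses = USES.match(line)
        if uses and "@" in uses.group(1):     # ./local and docker:// actions carry no ref
            if not FULL_SHA.match(uses.group(1).rsplit("@", 1)[1]):
                findings.append(f"{job}: action ref should be full length SHA1 ({uses.group(1)})")
    findings += [f"{name}: job should have permissions" for name, ok in jobs.items() if not ok]
    return findings

# Constructed input: the post's "before fix" job, trimmed to the lines that matter.
SAMPLE_BEFORE = """\
name: DemoPythonLinter
jobs:
  sample-job:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v4
"""
# The post's "after fix" version: pinned SHAs plus an empty permissions block.
SAMPLE_AFTER = (SAMPLE_BEFORE
    .replace("    steps:", "    permissions: {}\n    steps:")
    .replace("checkout@v4", "checkout@9bb56186c3b09b4f86b1c65136769dd318469633")
    .replace("setup-python@v4", "setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa"))
if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, check_workflow(text) or "OK")
```

Running it prints three findings for the "before" workflow and "OK" for the "after" one, matching the two ghalint errors shown above.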
References
https://engineering.mercari.com/blog/entry/20231223-mercoin-github-actions/
Related articles
GitHub Actions ~ Background Knowledge ~
https://dk521123.hatenablog.com/entry/2021/11/04/142835
GitHub Actions ~ Introduction ~
https://dk521123.hatenablog.com/entry/2022/06/16/151443
GitHub Actions ~ Basics ~
https://dk521123.hatenablog.com/entry/2023/12/22/195715
GitHub Actions ~ How to Specify Third-Party GitHub Actions ~
https://dk521123.hatenablog.com/entry/2024/04/05/000136