Uses Sentinel
Uses Sentinel is a GitHub action that scans all .yml files in the .github/workflows directory of a GitHub repository and performs two checks on the uses fields in the YAML files:
Checks if any
usesfield contains the versionmain,master, orlatest, which are considered unsafe versions to use. If ausesfield contains any of these versions, a warning message is printed to the console.Checks if the
usesfield references the latest version of the action by checking the GitHub repository's tags. If theusesfield does not reference the latest version, a warning message is printed to the console.
Uses Sentinel is written in Bash only and has no dependencies.
Usage
To use Uses Sentinel in your GitHub repository, create a new workflow file (e.g., .github/workflows/uses-sentinel.yml) with the following content:
name: Uses Sentinel
on: [pull_request]
jobs:
uses-sentinel:
runs-on: ubuntu-latest
steps:
- name: Uses Sentinel
uses: maork-elementor/uses-sentinel@1.0.0
- This will run Uses Sentinel on every pull request in your repository.
Inputs
jobs:
uses-sentinel:
runs-on: ubuntu-latest
steps:
- name: Uses Sentinel
uses: maork-elementor/uses-sentinel@1.0.0
with:
exlude:'exlude.yml,exlude2.yml,exlude3.yml'
exlude - list of files to exlude from the scan
Output Example
Here's an example output from Uses Sentinel:
Some actions are not safe to use or not updated
Bad versions:
yml: ./.github/workflows/ci.yml, use: actions/checkout@main version: main, It not safe to use main, master or latest
Not updated actions:
yml: ./.github/workflows/ci.yml, use: actions/setup-node@v1 current version: v1.0.0, latest version: v2.1.4
This output indicates that the .github/workflows/ci.yml file contains an unsafe version (main) of the actions/checkout action and an outdated version (v1.0.0) of the actions/setup-node action.
License
Uses Sentinel is released under the MIT License.
Top comments (0)