generated from CDCgov/template
-
Notifications
You must be signed in to change notification settings - Fork 40
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Importing JosiahSiegel's checksum-validate-action GitHub Action
- Loading branch information
Showing
4 changed files
with
337 additions
and
0 deletions.
There are no files selected for viewing
13 changes: 13 additions & 0 deletions
13
.github/actions/checksum-validate-action/.github/dependabot.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
# Dependabot general documentation: | ||
# https://docs.github.com/en/code-security/dependabot | ||
# Please see the documentation for all configuration options: | ||
# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file | ||
|
||
version: 2 | ||
updates: | ||
# GitHub Actions workflows | ||
- package-ecosystem: "github-actions" | ||
# Workflow files stored in `.github/workflows` | ||
directory: "/" | ||
schedule: | ||
interval: "daily" |
119 changes: 119 additions & 0 deletions
119
.github/actions/checksum-validate-action/.github/workflows/test_action.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,119 @@ | ||
name: Test Action | ||
|
||
on: | ||
push: | ||
branches: | ||
- main | ||
pull_request: | ||
branches: | ||
- main | ||
|
||
jobs: | ||
generate-checksums: | ||
name: Test generate checksum on ${{ matrix.os }} | ||
runs-on: ${{ matrix.os }} | ||
strategy: | ||
matrix: | ||
os: [ubuntu-latest] | ||
steps: | ||
- uses: actions/[email protected] | ||
|
||
- name: Generate checksum of string | ||
uses: ./ | ||
with: | ||
key: test string | ||
input: hello world | ||
|
||
- name: Generate checksum of command output | ||
uses: ./ | ||
with: | ||
key: test command | ||
input: $(cat action.yml) | ||
|
||
validate-checksums: | ||
name: Test validate checksum on ${{ matrix.os }} | ||
needs: | ||
- generate-checksums | ||
runs-on: ${{ matrix.os }} | ||
strategy: | ||
matrix: | ||
os: [ubuntu-latest] | ||
steps: | ||
- uses: actions/[email protected] | ||
|
||
- name: Validate checksum of valid string | ||
id: valid-string | ||
uses: ./ | ||
with: | ||
key: test string | ||
validate: true | ||
fail-invalid: true | ||
input: hello world | ||
- name: Fail if output of valid string is wrong | ||
if: steps.valid-string.outputs.valid != 'true' | ||
run: exit 1 | ||
|
||
- name: Validate checksum of INVALID string | ||
id: invalid-string | ||
uses: ./ | ||
with: | ||
key: test string | ||
validate: true | ||
fail-invalid: false | ||
input: hello world! | ||
- name: Fail if output of INVALID string is wrong | ||
if: steps.invalid-string.outputs.valid != 'false' | ||
run: exit 1 | ||
|
||
- name: Validate checksum of valid command output | ||
id: valid-command | ||
uses: ./ | ||
with: | ||
key: test command | ||
validate: true | ||
fail-invalid: true | ||
input: $(cat action.yml) | ||
- name: Fail if output of valid command is wrong | ||
if: steps.valid-command.outputs.valid != 'true' | ||
run: exit 1 | ||
|
||
- name: Validate checksum of INVALID command output | ||
id: invalid-command | ||
uses: ./ | ||
with: | ||
key: test command | ||
validate: true | ||
fail-invalid: false | ||
input: $(cat README.md) | ||
- name: Fail if output of INVALID command is wrong | ||
if: steps.invalid-command.outputs.valid != 'false' | ||
run: exit 1 | ||
|
||
validate-checksum-failures: | ||
name: Test checksum failures on ${{ matrix.os }} | ||
needs: | ||
- generate-checksums | ||
runs-on: ${{ matrix.os }} | ||
strategy: | ||
matrix: | ||
os: [ubuntu-latest] | ||
steps: | ||
- uses: actions/[email protected] | ||
|
||
- name: Validate checksum of INVALID string | ||
continue-on-error: true | ||
uses: ./ | ||
with: | ||
key: test string | ||
validate: true | ||
fail-invalid: true | ||
input: hello world! | ||
|
||
- name: Validate checksum of INVALID command output | ||
continue-on-error: true | ||
uses: ./ | ||
with: | ||
key: test command | ||
validate: true | ||
fail-invalid: true | ||
input: $(cat README.md) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,94 @@ | ||
# Checksum Validate Action | ||
|
||
[![Test Action](https://github.com/JosiahSiegel/checksum-validate-action/actions/workflows/test_action.yml/badge.svg)](https://github.com/JosiahSiegel/checksum-validate-action/actions/workflows/test_action.yml) | ||
|
||
## Synopsis | ||
|
||
1. Generate a checksum from either a string or shell command (use command substitution: `$()`). | ||
2. Validate if checksum is identical to input (even across multiple jobs), using a `key` to link the validation attempt with the correct generated checksum. | ||
* Validation is possible across jobs since the checksum is uploaded as a workflow artifact | ||
|
||
## Usage | ||
|
||
```yml | ||
jobs: | ||
generate-checksums: | ||
name: Generate checksum | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/[email protected] | ||
|
||
- name: Generate checksum of string | ||
uses: JosiahSiegel/checksum-validate-action@v1 | ||
with: | ||
key: test string | ||
input: hello world | ||
|
||
- name: Generate checksum of command output | ||
uses: JosiahSiegel/checksum-validate-action@v1 | ||
with: | ||
key: test command | ||
input: $(cat action.yml) | ||
|
||
validate-checksums: | ||
name: Validate checksum | ||
needs: | ||
- generate-checksums | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/[email protected] | ||
|
||
- name: Validate checksum of valid string | ||
id: valid-string | ||
uses: JosiahSiegel/checksum-validate-action@v1 | ||
with: | ||
key: test string | ||
validate: true | ||
fail-invalid: true | ||
input: hello world | ||
|
||
- name: Validate checksum of valid command output | ||
id: valid-command | ||
uses: JosiahSiegel/checksum-validate-action@v1 | ||
with: | ||
key: test command | ||
validate: true | ||
fail-invalid: true | ||
input: $(cat action.yml) | ||
|
||
- name: Get outputs | ||
run: | | ||
echo ${{ steps.valid-string.outputs.valid }} | ||
echo ${{ steps.valid-command.outputs.valid }} | ||
``` | ||
## Workflow summary | ||
### ✅ test string checksum valid ✅ | ||
### ❌ test string checksum INVALID ❌ | ||
## Inputs | ||
```yml | ||
inputs: | ||
validate: | ||
description: Check if checksums match | ||
default: false | ||
key: | ||
description: String to keep unique checksums separate | ||
required: true | ||
fail-invalid: | ||
description: Fail step if invalid checksum | ||
default: false | ||
input: | ||
description: String or command for checksum | ||
required: true | ||
``` | ||
## Outputs | ||
```yml | ||
outputs: | ||
valid: | ||
description: True if checksums match | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,111 @@ | ||
# action.yml | ||
name: Checksum Validate Action | ||
description: Generate and validate checksums | ||
branding: | ||
icon: 'lock' | ||
color: 'orange' | ||
inputs: | ||
validate: | ||
description: Check if checksums match | ||
default: false | ||
key: | ||
description: String to keep unique checksums separate | ||
required: true | ||
fail-invalid: | ||
description: Fail step if invalid checksum | ||
default: false | ||
input: | ||
description: String or command for checksum | ||
required: true | ||
outputs: | ||
valid: | ||
description: True if checksums match | ||
value: ${{ steps.validate_checksum.outputs.valid }} | ||
|
||
runs: | ||
using: "composite" | ||
steps: | ||
|
||
# CHECKSUM START | ||
- name: Generate SHA | ||
uses: nick-fields/[email protected] | ||
with: | ||
max_attempts: 5 | ||
retry_on: any | ||
timeout_seconds: 10 | ||
retry_wait_seconds: 15 | ||
command: | | ||
function fail { | ||
printf '%s\n' "$1" >&2 | ||
exit "${2-1}" | ||
} | ||
input_cmd="${{ inputs.input }}" || fail | ||
sha="$(echo "$input_cmd" | sha256sum)" | ||
echo "sha=$sha" >> $GITHUB_ENV | ||
echo "success=true" >> $GITHUB_ENV | ||
- name: Get input SHA | ||
if: env.success | ||
id: input_sha | ||
shell: bash | ||
run: echo "sha=${{ env.sha }}" >> $GITHUB_OUTPUT | ||
|
||
- name: Get input SHA | ||
if: env.success != 'true' | ||
shell: bash | ||
run: | | ||
echo "failed to generate sha" | ||
exit 1 | ||
# CHECKSUM END | ||
|
||
# UPLOAD FILE START | ||
- name: Create checksum file | ||
if: inputs.validate != 'true' | ||
shell: bash | ||
run: | | ||
echo "${{ steps.input_sha.outputs.sha }}" > "${{ github.sha }}-${{ inputs.key }}.txt" | ||
- name: Upload checksum file | ||
if: inputs.validate != 'true' | ||
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 | ||
with: | ||
name: "${{ github.sha }}-${{ inputs.key }}.txt" | ||
path: "${{ github.sha }}-${{ inputs.key }}.txt" | ||
retention-days: 5 | ||
# UPLOAD FILE END | ||
|
||
# VALIDATE FILE START | ||
- name: Download checksum file | ||
if: inputs.validate == 'true' | ||
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe | ||
with: | ||
name: "${{ github.sha }}-${{ inputs.key }}.txt" | ||
|
||
- name: Validate pre and post checksums | ||
if: inputs.validate == 'true' | ||
id: validate_checksum | ||
shell: bash | ||
run: | | ||
echo "${{ steps.input_sha.outputs.sha }}" > "${{ github.sha }}-${{ inputs.key }}-2.txt" | ||
DIFF=$(diff -q "${{ github.sha }}-${{ inputs.key }}-2.txt" "${{ github.sha }}-${{ inputs.key }}.txt") || true | ||
codevalid=true | ||
if [ "$DIFF" != "" ] | ||
then | ||
codevalid=false | ||
fi | ||
echo "valid=$codevalid" >> $GITHUB_OUTPUT | ||
- name: Create summary | ||
if: inputs.validate == 'true' | ||
run: | | ||
# Use ternary operator to assign emoji based on validity | ||
emoji=${{ steps.validate_checksum.outputs.valid == 'true' && '✅' || '❌' }} | ||
valid=${{ steps.validate_checksum.outputs.valid == 'true' && 'valid' || 'INVALID' }} | ||
echo "### $emoji ${{ inputs.key }} checksum $valid $emoji" >> $GITHUB_STEP_SUMMARY | ||
shell: bash | ||
# VALIDATE FILE END | ||
|
||
- name: Fail if invalid checksum | ||
if: inputs.validate == 'true' && steps.validate_checksum.outputs.valid == 'false' && inputs.fail-invalid == 'true' | ||
run: exit 1 | ||
shell: bash |