Enhance verify-action-build.py with deep composite/docker verification#629
Enhance verify-action-build.py with deep composite/docker verification#629
Conversation
|
Example raport before approval: 
|
|
Generated with literally few prompts with Claude and few manual fixes after testing and reviewing code. |
|
Verified two proposed actions - also enhanced action detection so that `--from-pr will properly detect the action from a PR manully adding actions.yaml |
potiuk
force-pushed
the
worktree-fix-verify-action-node-version
branch
from
612d6b8 to
b5e34c1
Compare
dave2wave
left a comment
dave2wave
left a comment
There was a problem hiding this comment.
Hard to tell since the current three PRs don't fall completely into the changes. I did notice better workflow.
|
@potiuk it looks this PR has fallen behind. Close, rebase, or recreate? |
Just conflicts to solve - and waits for approval. |
potiuk
force-pushed
the
worktree-fix-verify-action-node-version
branch
from
b5e34c1 to
92b87fb
Compare
|
rebased |
|
This one should handle actions like lhotari's better. @raboof @dave2wave -> possibly worth merging |
raboof
left a comment
raboof
left a comment
There was a problem hiding this comment.
I think this seems OK to me, though it's a lot to digest.
The script is also getting quite large, it might be time to start moving it to its own folder, moving some of the 'inline' code/scripts/dockerfiles to dedicated files, and accompanying new features with regression tests?
Correct. I will do it shortly. |
For non-JS actions the script previously just printed "SKIPPED". Now it performs comprehensive analysis: - Recursive nested action inspection (all types, not just composite), with trusted org skip for actions/ and github/ - Dockerfile analysis (base image pinning, suspicious commands) - Script pattern scanning (eval, exec, pipe-to-shell, obfuscation) - Dependency pinning checks (Python requirements, package.json, lock files) - Action metadata analysis (shell injection, GITHUB_ENV writes, secrets) - Repository metadata (license, security policy, well-known org) - Structured verification summary table with nested actions sub-table - All prompts now support 'q' to quit cleanly - Extract action refs from actions.yml entries in PR diffs (--from-pr) Generated-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
potiuk
force-pushed
the
worktree-fix-verify-action-node-version
branch
from
92b87fb to
5aa2376
Compare
|
Removed the "open in browser". Merging just deep-composite action verification. |
4 participants
Summary
using:field (e.g.node20→20) and handleuse:typosactionsandgithuborgs skip deep recursive inspection (still checked for hash-pinning) and are marked as trusted in the summary tableactions,github,google-github-actions,aws-actions,azure,docker,hashicorp,pypa,gradleactions.yml:--from-prand dependabot review now also detect action references from added entries inactions.yml(not just workflowuses:lines), e.g. PR Add lhotari/sandboxed-trivy-action v1.0.1 #582Test plan
pypa/gh-action-pypi-publish@ed0c539...actions/checkout@11bd719...— no regressions--cimode (non-interactive)qquit in interactive prompts--from-pr 582(actions.yml format extraction)--from-pr 618(workflow uses: format extraction)--check-dependabot-prsflowGenerated with Claude Code