-
Notifications
You must be signed in to change notification settings - Fork 3
Expand file tree
/
Copy pathaction.yml
More file actions
260 lines (231 loc) · 8.29 KB
/
action.yml
File metadata and controls
260 lines (231 loc) · 8.29 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
name: diffguard
description: Diff-scoped governance linter for pull requests. Only checks added/changed lines.
author: EffortlessMetrics
branding:
icon: shield
color: orange
inputs:
base:
description: Base ref for diff comparison (default: PR base branch or main)
required: false
default: ""
head:
description: Head ref for diff comparison (default: current SHA)
required: false
default: ""
config:
description: Path to diffguard.toml config file
required: false
default: ""
fail-on:
description: "When to fail: error, warn, or never"
required: false
default: "error"
sarif-file:
description: Path to write SARIF output (enables Code Scanning upload if set)
required: false
default: ""
version:
description: diffguard version to install (tag, e.g. v0.2.0)
required: false
default: "v0.2.0"
github-annotations:
description: Emit GitHub Actions annotations
required: false
default: "true"
post-comment:
description: Post findings as PR comment
required: false
default: "false"
outputs:
outcome:
description: "pass or fail"
value: ${{ steps.check.outcome }}
findings-count:
description: Number of findings (from JSON receipt)
value: ${{ steps.check.outputs.findings-count }}
receipt-file:
description: Path to JSON receipt
value: ${{ steps.check.outputs.receipt-file }}
runs:
using: composite
permissions:
contents: read
pull-requests: write
security-events: write
steps:
- name: Resolve target triple
id: target
shell: bash
run: |
OS="$(uname -s)"
ARCH="$(uname -m)"
case "$OS" in
Linux) TARGET="x86_64-unknown-linux-gnu" ;;
Darwin)
case "$ARCH" in
arm64) TARGET="aarch64-apple-darwin" ;;
*) TARGET="x86_64-apple-darwin" ;;
esac
;;
MINGW*|MSYS*) TARGET="x86_64-pc-windows-msvc" ;;
*) echo "::warning::Unsupported OS: $OS — falling back to cargo install" ;;
esac
echo "triple=${TARGET}" >> "$GITHUB_OUTPUT"
- name: Install diffguard
id: install
shell: bash
run: |
if command -v diffguard &> /dev/null; then
echo "diffguard $(diffguard --version) already installed"
exit 0
fi
TARGET="${{ steps.target.outputs.triple }}"
if [ -z "$TARGET" ]; then
echo "::warning::No pre-built binary for this platform"
exit 1
fi
VERSION="${{ inputs.version }}"
ASSET="diffguard-${VERSION}-${TARGET}.tar.gz"
URL="https://github.com/EffortlessMetrics/diffguard/releases/download/${VERSION}/${ASSET}"
echo "::group::Downloading ${ASSET}"
if ! curl -sSLf -o "/tmp/${ASSET}" "$URL"; then
echo "::error::Failed to download ${ASSET} from ${URL}"
echo "::endgroup::"
exit 1
fi
echo "::endgroup::"
INSTALL_DIR="$(mktemp -d)"
tar xzf "/tmp/${ASSET}" -C "$INSTALL_DIR"
mv "$INSTALL_DIR/diffguard" /usr/local/bin/diffguard
chmod +x /usr/local/bin/diffguard
rm -rf "$INSTALL_DIR"
echo "Installed diffguard $(diffguard --version) from release binary"
- name: Fallback to cargo install
if: steps.install.outcome == 'failure'
shell: bash
run: |
echo "::warning::Pre-built binary unavailable for ${{ steps.target.outputs.triple }}. Installing via cargo (slower, ~2-5 min)"
echo "::group::Installing diffguard via cargo"
VERSION="${{ inputs.version }}"
# Strip leading 'v' for cargo version
CARGO_VERSION="${VERSION#v}"
cargo install diffguard --version "$CARGO_VERSION"
echo "::endgroup::"
- name: Resolve base ref
id: refs
shell: bash
run: |
# Base: input > PR base > main
if [ -n "${{ inputs.base }}" ]; then
BASE="${{ inputs.base }}"
elif [ -n "${{ github.base_ref }}" ]; then
BASE="origin/${{ github.base_ref }}"
else
BASE="origin/main"
fi
# Head: input > current SHA
if [ -n "${{ inputs.head }}" ]; then
HEAD="${{ inputs.head }}"
else
HEAD="${{ github.sha }}"
fi
echo "base=${BASE}" >> "$GITHUB_OUTPUT"
echo "head=${HEAD}" >> "$GITHUB_OUTPUT"
echo "Comparing: ${BASE}..${HEAD}"
- name: Run diffguard check
id: check
shell: bash
continue-on-error: true
run: |
RECEIPT="${{ runner.temp }}/diffguard-receipt.json"
mkdir -p "$(dirname "$RECEIPT")"
ARGS=(
check
--base "${{ steps.refs.outputs.base }}"
--head "${{ steps.refs.outputs.head }}"
--out "$RECEIPT"
--fail-on "${{ inputs.fail-on }}"
)
if [ -n "${{ inputs.config }}" ]; then
ARGS+=(--config "${{ inputs.config }}")
fi
if [ -n "${{ inputs.sarif-file }}" ]; then
mkdir -p "$(dirname "${{ inputs.sarif-file }}")"
ARGS+=(--sarif "${{ inputs.sarif-file }}")
fi
if [ "${{ inputs.github-annotations }}" = "true" ]; then
ARGS+=(--github-annotations)
fi
echo "::group::diffguard check"
diffguard "${ARGS[@]}"
echo "::endgroup::"
echo "receipt-file=${RECEIPT}" >> "$GITHUB_OUTPUT"
# Extract findings count
if [ -f "$RECEIPT" ]; then
COUNT=$(jq '.verdicts.total // 0' "$RECEIPT" 2>/dev/null || echo "0")
echo "findings-count=${COUNT}" >> "$GITHUB_OUTPUT"
fi
- name: Upload SARIF
if: inputs.sarif-file != '' && hashFiles(inputs.sarif-file) != ''
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
uses: github/codeql-action/upload-sarif@3b1a19a80ab047f35cbb237b5bd9bdc1e14f166c
with:
sarif_file: ${{ inputs.sarif-file }}
category: diffguard
- name: Post PR comment
if: inputs.post-comment == 'true' && github.event_name == 'pull_request' && hashFiles(steps.check.outputs.receipt-file) != ''
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b
with:
script: |
const fs = require('fs');
const receiptPath = '${{ steps.check.outputs.receipt-file }}';
const receipt = JSON.parse(fs.readFileSync(receiptPath, 'utf8'));
// Build comment body from receipt
const findings = receipt.findings || [];
const verdicts = receipt.verdicts || {};
const lines = [`## Diffguard Results`];
if (findings.length === 0) {
lines.push('No policy violations found. ✅');
} else {
lines.push(`Found **${findings.length}** finding(s):`);
lines.push('');
lines.push('| Severity | Rule | File | Line | Message |');
lines.push('|----------|------|------|------|---------|');
for (const f of findings) {
lines.push(`| ${f.severity} | \`${f.rule_id}\` | ${f.file || ''} | ${f.line || ''} | ${f.message || ''} |`);
}
lines.push('');
lines.push('[View full diffguard annotation report](${{ github.server_url }}/${{ github.repository }}/runs/${{ github.run_id }}#annotations)');
}
const body = lines.join('\n');
// Upsert comment
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
});
const existing = comments.find(c => c.body.includes('## Diffguard Results'));
if (existing) {
await github.rest.issues.updateComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: existing.id,
body,
});
} else {
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
body,
});
}
- name: Fail if violations found
if: steps.check.outcome == 'failure'
shell: bash
run: |
echo "::error::diffguard found policy violations"
exit 1