Add option to disable checksums for transitive actions

Allow users to opt-out of checksums for transitive actions. This enables
users that depend on actions with transitive dependencies to use ghasum
despite the fact that their dependencies do not (yet) pin its transitive
dependencies. This allows for an improvement in security even in cases
where the best security guarantees cannot be realized.

This is an opt-out option because the in an ideal scenario users do not
need to disable this, even if today's reality may be that most users
will need to disable it.

Author: ericcornelissen

SPECIFICATION.md

@@ -88,10 +88,11 @@ To determine the set of actions a target depends on, first find all `uses:`
 entries in the target. For a repository this covers all workflows in the
 workflows directory, otherwise it covers only the target.
 
-For each `uses:` value, excluding the list below, it is added to the set and the
-repository declared by the `uses:` value is fetched. The action manifest at the
-path specified in the `uses:` value is parsed for additional `uses:` values. For
-each of these transitive `uses:` values, this process is repeated.
+For each `uses:` value, excluding the list below, it is added to the set. If the
+`-no-transitive` option is NOT set the repository declared by the `uses:` value
+is fetched. The action manifest at the path specified in the `uses:` value is
+parsed for additional `uses:` values. For each of these transitive `uses:`
+values, this process is repeated.
 
 The following `uses:` values are to be excluded from the set of actions a
 repository depends on.

cmd/ghasum/init.go

@@ -26,9 +26,10 @@ import (
 
 func cmdInit(argv []string) error {
 	var (
-		flags       = flag.NewFlagSet(cmdNameInit, flag.ContinueOnError)
-		flagCache   = flags.String(flagNameCache, "", "")
-		flagNoCache = flags.Bool(flagNameNoCache, false, "")
+		flags            = flag.NewFlagSet(cmdNameInit, flag.ContinueOnError)
+		flagCache        = flags.String(flagNameCache, "", "")
+		flagNoCache      = flags.Bool(flagNameNoCache, false, "")
+		flagNoTransitive = flags.Bool(flagNameNoTransitive, false, "")
 	)
 
 	flags.Usage = func() { fmt.Fprintln(os.Stderr) }
@@ -57,9 +58,10 @@ func cmdInit(argv []string) error {
 	}
 
 	cfg := ghasum.Config{
-		Repo:  repo.FS(),
-		Path:  target,
-		Cache: c,
+		Repo:       repo.FS(),
+		Path:       target,
+		Cache:      c,
+		Transitive: !(*flagNoTransitive),
 	}
 
 	if err := ghasum.Initialize(&cfg); err != nil {
@@ -84,5 +86,7 @@ The available flags are:
         looks up repositories it needs.
         Defaults to a directory named .ghasum in the user's home directory.
     -no-cache
-        Disable the use of the cache. Makes the -cache flag ineffective.`
+        Disable the use of the cache. Makes the -cache flag ineffective.
+    -no-transitive
+        Do not compute checksums for transitive actions.`
 }

cmd/ghasum/main.go

@@ -45,11 +45,12 @@ const (
 )
 
 const (
-	flagNameCache   = "cache"
-	flagNameForce   = "force"
-	flagNameNoCache = "no-cache"
-	flagNameNoEvict = "no-evict"
-	flagNameOffline = "offline"
+	flagNameCache        = "cache"
+	flagNameForce        = "force"
+	flagNameNoCache      = "no-cache"
+	flagNameNoEvict      = "no-evict"
+	flagNameNoTransitive = "no-transitive"
+	flagNameOffline      = "offline"
 )
 
 var (

cmd/ghasum/update.go

@@ -26,11 +26,12 @@ import (
 
 func cmdUpdate(argv []string) error {
 	var (
-		flags       = flag.NewFlagSet(cmdNameUpdate, flag.ContinueOnError)
-		flagCache   = flags.String(flagNameCache, "", "")
-		flagForce   = flags.Bool(flagNameForce, false, "")
-		flagNoCache = flags.Bool(flagNameNoCache, false, "")
-		flagNoEvict = flags.Bool(flagNameNoEvict, false, "")
+		flags            = flag.NewFlagSet(cmdNameUpdate, flag.ContinueOnError)
+		flagCache        = flags.String(flagNameCache, "", "")
+		flagForce        = flags.Bool(flagNameForce, false, "")
+		flagNoCache      = flags.Bool(flagNameNoCache, false, "")
+		flagNoEvict      = flags.Bool(flagNameNoEvict, false, "")
+		flagNoTransitive = flags.Bool(flagNameNoTransitive, false, "")
 	)
 
 	flags.Usage = func() { fmt.Fprintln(os.Stderr) }
@@ -65,9 +66,10 @@ func cmdUpdate(argv []string) error {
 	}
 
 	cfg := ghasum.Config{
-		Repo:  repo.FS(),
-		Path:  target,
-		Cache: c,
+		Repo:       repo.FS(),
+		Path:       target,
+		Cache:      c,
+		Transitive: !(*flagNoTransitive),
 	}
 
 	if err := ghasum.Update(&cfg, *flagForce); err != nil {
@@ -98,5 +100,7 @@ The available flags are:
     -no-cache
         Disable the use of the cache. Makes the -cache flag ineffective.
     -no-evict
-        Disable cache eviction.`
+        Disable cache eviction.
+    -no-transitive
+        Do not compute checksums for transitive actions.`
 }

cmd/ghasum/verify.go

@@ -29,11 +29,12 @@ import (
 
 func cmdVerify(argv []string) error {
 	var (
-		flags       = flag.NewFlagSet(cmdNameVerify, flag.ContinueOnError)
-		flagCache   = flags.String(flagNameCache, "", "")
-		flagNoCache = flags.Bool(flagNameNoCache, false, "")
-		flagNoEvict = flags.Bool(flagNameNoEvict, false, "")
-		flagOffline = flags.Bool(flagNameOffline, false, "")
+		flags            = flag.NewFlagSet(cmdNameVerify, flag.ContinueOnError)
+		flagCache        = flags.String(flagNameCache, "", "")
+		flagNoCache      = flags.Bool(flagNameNoCache, false, "")
+		flagNoEvict      = flags.Bool(flagNameNoEvict, false, "")
+		flagOffline      = flags.Bool(flagNameOffline, false, "")
+		flagNoTransitive = flags.Bool(flagNameNoTransitive, false, "")
 	)
 
 	flags.Usage = func() { fmt.Fprintln(os.Stderr) }
@@ -86,12 +87,13 @@ func cmdVerify(argv []string) error {
 	}
 
 	cfg := ghasum.Config{
-		Repo:     repo.FS(),
-		Path:     target,
-		Workflow: workflow,
-		Job:      job,
-		Cache:    c,
-		Offline:  *flagOffline,
+		Repo:       repo.FS(),
+		Path:       target,
+		Workflow:   workflow,
+		Job:        job,
+		Cache:      c,
+		Offline:    *flagOffline,
+		Transitive: !(*flagNoTransitive),
 	}
 
 	problems, err := ghasum.Verify(&cfg)
@@ -151,5 +153,7 @@ The available flags are:
         Disable cache eviction.
     -offline
         Run without fetching repositories from the internet, verify exclusively
-        against the cache. If the cache is missing an entry it causes an error.`
+        against the cache. If the cache is missing an entry it causes an error.
+    -no-transitive
+        Do not compute checksums for transitive actions.`
 }

internal/ghasum/atoms.go

@@ -128,11 +128,13 @@ func compute(cfg *Config, actions []gha.GitHubAction, algo checksum.Algo) ([]sum
 			}
 		}
 
-		transitiveActions, err := gha.ManifestActions(os.DirFS(actionDir), action.Path)
-		if err != nil {
-			return nil, fmt.Errorf("action manifest parsing failed: %v", err)
+		if cfg.Transitive {
+			transitiveActions, err := gha.ManifestActions(os.DirFS(actionDir), action.Path)
+			if err != nil {
+				return nil, fmt.Errorf("action manifest parsing failed: %v", err)
+			}
+			actions = append(actions, transitiveActions...)
 		}
-		actions = append(actions, transitiveActions...)
 
 		id := fmt.Sprintf("%s%s%s", action.Owner, action.Project, action.Ref)
 		if _, ok := entries[id]; !ok {

internal/ghasum/operations.go

@@ -28,36 +28,41 @@ import (
 type (
 	// Config is the configuration for a ghasum operation.
 	Config struct {
-		// Repo is a pointer to the file system hierarchy of the target repository
-		// for the operation.
+		// Repo is a pointer to the file system hierarchy of the target
+		// repository for the operation.
 		Repo fs.FS
 
 		// Path is the absolute or relate path to the target repository for the
 		// operation.
 		//
-		// This must be provided in addition to Repo because that does not allow for
-		// non-read file system operation.
+		// This must be provided in addition to Repo because that does not allow
+		// for non-read file system operation.
 		Path string
 
-		// Workflow is the file path (relative to Path) of the workflow that is the
-		// subject of the operation. If this has the zero value all workflows in the
-		// Repo will collectively be the subject of the operation instead.
+		// Workflow is the file path (relative to Path) of the workflow that is
+		// the subject of the operation. If this has the zero value all of the
+		// workflows in the Repo will collectively be the subject of the
+		// operation instead.
 		Workflow string
 
-		// Job is the id (also known as key) of the job that is the subject of the
-		// operation. If this has the zero value all jobs in the Workflow will
-		// collectively be the subject of the operation instead. (If Workflow has
-		// the zero value this value is ignored.)
+		// Job is the id (also known as key) of the job that is the subject of
+		// the operation. If this has the zero value all jobs in the Workflow
+		// will collectively be the subject of the operation instead. (If
+		// Workflow has the zero value this value is ignored.)
 		Job string
 
 		// Cache is the cache that should be used for the operation.
 		Cache cache.Cache
 
-		// Offline sets whether to rely exclusively on the cache or fetch missing
-		// repositories from the internet.
+		// Offline sets whether to rely exclusively on the cache or fetch
+		// missing repositories from the internet.
 		//
 		// Only applies to verification.
 		Offline bool
+
+		// Transitive sets whether to compute/verify checksums for transitive
+		// dependencies.
+		Transitive bool
 	}
 
 	// Problem represents an issue detected when verifying ghasum checksums.

testdata/init/success.txtar

@@ -4,6 +4,14 @@ stdout 'Ok'
 ! stderr .
 cmp target/.github/workflows/gha.sum want/gha.sum
 
+rm target/.github/workflows/gha.sum
+
+# Without transitive actions
+exec ghasum init -cache .cache/ -no-transitive target/
+stdout 'Ok'
+! stderr .
+cmp target/.github/workflows/gha.sum want/gha-no-transitive.sum
+
 -- want/gha.sum --
 version 1
 
@@ -12,6 +20,13 @@ actions/composite@v1 a3ht0IImDEBC7NqbohfejBtv7W5GdKiGJgc4OtYkjEs=
 actions/[email protected] NoW6+RttcHeApXsFxN2DfY/2Oc7t0g9mgq22uJ3rAbg=
 actions/[email protected] Gdoys4h+gIN02lzrWZW0uxjBQ8Rk5YSE6+q1SOrw/+o=
 golangci/golangci-lint-action@3a91952 Whvj26yZchrz2jiVS3IZrwZ2DXX71qu4gynanpV3G4I=
+-- want/gha-no-transitive.sum --
+version 1
+
+actions/checkout@main JHipZi1UCvybC3fwi9RFLTK8vpI/gURTga/ColyHI4k=
+actions/composite@v1 a3ht0IImDEBC7NqbohfejBtv7W5GdKiGJgc4OtYkjEs=
+actions/[email protected] NoW6+RttcHeApXsFxN2DfY/2Oc7t0g9mgq22uJ3rAbg=
+golangci/golangci-lint-action@3a91952 Whvj26yZchrz2jiVS3IZrwZ2DXX71qu4gynanpV3G4I=
 -- target/.github/workflows/workflow.yml --
 name: Example workflow
 on: [push]

testdata/update/success.txtar

@@ -30,6 +30,14 @@ stdout 'Ok'
 ! stderr .
 cmp preserve/.github/workflows/gha.sum want/gha-preserve.sum
 
+# Remove transitive
+cmp changed/.github/workflows/gha.sum want/gha.sum
+
+exec ghasum update -cache .cache/ -no-transitive changed/
+stdout 'Ok'
+! stderr .
+cmp changed/.github/workflows/gha.sum want/gha-no-transitive.sum
+
 -- want/gha.sum --
 version 1
 
@@ -38,6 +46,13 @@ actions/composite@v1 a3ht0IImDEBC7NqbohfejBtv7W5GdKiGJgc4OtYkjEs=
 actions/[email protected] NoW6+RttcHeApXsFxN2DfY/2Oc7t0g9mgq22uJ3rAbg=
 actions/[email protected] Gdoys4h+gIN02lzrWZW0uxjBQ8Rk5YSE6+q1SOrw/+o=
 golangci/golangci-lint-action@3a91952 Whvj26yZchrz2jiVS3IZrwZ2DXX71qu4gynanpV3G4I=
+-- want/gha-no-transitive.sum --
+version 1
+
+actions/[email protected] TTVf+dWEJueFyMoZnvuqlW5lX4aXYXxGWaFaV8lO910=
+actions/composite@v1 a3ht0IImDEBC7NqbohfejBtv7W5GdKiGJgc4OtYkjEs=
+actions/[email protected] NoW6+RttcHeApXsFxN2DfY/2Oc7t0g9mgq22uJ3rAbg=
+golangci/golangci-lint-action@3a91952 Whvj26yZchrz2jiVS3IZrwZ2DXX71qu4gynanpV3G4I=
 -- want/gha-preserve.sum --
 version 1
 

testdata/verify/success.txtar

@@ -28,6 +28,11 @@ exec ghasum verify -cache .cache/ redundant/.github/workflows/workflow.yml:examp
 stdout 'Ok'
 ! stderr .
 
+# Redundant checksum stored - Transitive
+exec ghasum verify -cache .cache/ -no-transitive no-transitive/
+stdout 'Ok'
+! stderr .
+
 # Checksums match partially - Workflow
 exec ghasum verify -cache .cache/ partial/.github/workflows/valid.yml
 stdout 'Ok'
@@ -152,6 +157,29 @@ jobs:
         go-version-file: go.mod
     - name: This step uses transitive actions
       uses: actions/composite@v1
+-- no-transitive/.github/workflows/gha.sum --
+version 1
+
+actions/composite@v1 a3ht0IImDEBC7NqbohfejBtv7W5GdKiGJgc4OtYkjEs=
+actions/[email protected] NoW6+RttcHeApXsFxN2DfY/2Oc7t0g9mgq22uJ3rAbg=
+actions/[email protected] this-action-is-only-used-transitively
+-- no-transitive/.github/workflows/workflow.yml --
+name: Example workflow
+on: [push]
+
+jobs:
+  example:
+    name: example
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Install Go
+      uses: actions/[email protected]
+      with:
+        go-version-file: go.mod
+    - name: This step uses transitive actions
+      uses: actions/composite@v1
+    - name: This step does not use an action
+      run: Echo 'hello world!'
 -- .cache/actions/checkout/main/action.yml --
 name: actions/checkout@main
 -- .cache/actions/composite/v1/action.yml --