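# Composite action: fetches a pinned pinpoint release and runs `pinpoint gate`
# against the repository's action lockfile. Inputs reach the shell through
# `env:` rather than `${{ }}` interpolation inside `run:`, so an input value is
# handed to bash as data and is never parsed as shell syntax.
name: 'Pinpoint Gate'
description: 'Verify GitHub Action tag integrity before execution'
branding:
  icon: 'shield'
  color: 'red'
inputs:
  manifest:
    # NOTE(review): the default below is always passed to pinpoint, so the
    # "auto-detect" wording only holds if pinpoint itself falls back when the
    # file is absent — confirm against the CLI.
    description: 'Path to lockfile (default: auto-detect .github/actions-lock.json or .pinpoint-manifest.json)'
    required: false
    default: '.github/actions-lock.json'
  fail-on-missing:
    description: 'Fail if an action reference is not in the manifest'
    required: false
    default: 'false'
  fail-on-unpinned:
    description: 'Fail if any action uses a mutable ref (tag/branch)'
    required: false
    default: 'false'
  on-disk:
    description: 'Verify on-disk action content against lockfile (eliminates TOCTOU race conditions, recommended for security-sensitive workflows)'
    required: false
    default: 'false'
  integrity:
    description: 'Re-download and verify tarball content hashes (slower, use for periodic audits)'
    required: false
    default: 'false'
  version:
    description: 'Pinpoint version to use'
    required: false
    default: '0.7.0'
runs:
  using: 'composite'
  steps:
    - name: Download pinpoint
      shell: bash
      env:
        # Passed via env so the version string is a shell variable, not
        # text spliced into the script.
        PINPOINT_VERSION: ${{ inputs.version }}
      run: |
        set -euo pipefail
        OS=$(uname -s | tr '[:upper:]' '[:lower:]')
        ARCH=$(uname -m)
        case "$ARCH" in
          x86_64) ARCH="amd64" ;;
          aarch64|arm64) ARCH="arm64" ;;
        esac
        BINARY="pinpoint-${OS}-${ARCH}"
        URL="https://github.com/tehreet/pinpoint/releases/download/v${PINPOINT_VERSION}/${BINARY}"
        # --fail: an HTTP error must abort the step instead of saving the
        # error body as the "binary" and relying on the checksum to notice.
        curl -fsSL "$URL" -o "${{ runner.temp }}/pinpoint"
        curl -fsSL "${URL}.sha256" -o "${{ runner.temp }}/pinpoint.sha256"
        cd "${{ runner.temp }}"
        # The digest is fetched from the same release as the binary, so this
        # check catches a corrupted or truncated download, not a tampered
        # release. Compare the first field against the file under its local
        # name so a filename inside the .sha256 need not equal "pinpoint".
        # NOTE(review): assumes the first whitespace-separated field of the
        # .sha256 asset is the hex digest — confirm against the release assets.
        EXPECTED="$(cut -d' ' -f1 pinpoint.sha256)"
        echo "${EXPECTED}  pinpoint" | sha256sum -c -
        chmod +x pinpoint
    - name: Verify action integrity
      shell: bash
      env:
        GITHUB_TOKEN: ${{ github.token }}
        RUNNER_WORKSPACE: ${{ runner.workspace }}
        # All flag inputs are compared as the literal string "true" below;
        # action inputs are always strings.
        INPUT_MANIFEST: ${{ inputs.manifest }}
        INPUT_FAIL_ON_MISSING: ${{ inputs.fail-on-missing }}
        INPUT_FAIL_ON_UNPINNED: ${{ inputs.fail-on-unpinned }}
        INPUT_ON_DISK: ${{ inputs.on-disk }}
        INPUT_INTEGRITY: ${{ inputs.integrity }}
      run: |
        set -euo pipefail
        # Build argv as an array so a manifest path containing spaces stays a
        # single argument (an unquoted "$ARGS" string would be word-split).
        ARGS=(--manifest "$INPUT_MANIFEST")
        if [ "$INPUT_FAIL_ON_MISSING" = "true" ]; then
          ARGS+=(--fail-on-missing)
        fi
        if [ "$INPUT_FAIL_ON_UNPINNED" = "true" ]; then
          ARGS+=(--fail-on-unpinned)
        fi
        if [ "$INPUT_ON_DISK" = "true" ]; then
          ARGS+=(--on-disk)
        fi
        if [ "$INPUT_INTEGRITY" = "true" ]; then
          ARGS+=(--integrity)
        fi
        "${{ runner.temp }}/pinpoint" gate "${ARGS[@]}"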