feat(github-actions): add gha-sha-enforcer lint action #3797

Open
josephperrott wants to merge 1 commit into angular:main from josephperrott:enforce-gha-shas

@josephperrott (Member)

Enforce full-length SHAs and version comments for external GitHub Actions.

@josephperrott added the "action: merge" label (The PR is ready for merge by the caretaker) on Jun 17, 2026
@angular-robot (Bot) added the "detected: feature" label (PR contains a feature commit) on Jun 17, 2026

@gemini-code-assist (Bot) left a comment

Code Review

This pull request introduces a new GitHub Action, "GHA SHA Enforcer", designed to enforce full-length SHAs and version comments for external actions within workflow files. The implementation includes the TypeScript logic, Bazel build configurations, and workspace updates. Feedback on the implementation highlights two key areas for improvement: implementing a state machine to correctly ignore uses: patterns inside multiline block scalars (such as shell scripts) to prevent false positives, and enhancing robustness by utilizing process.env.GITHUB_WORKSPACE and filtering out subdirectories during directory reads to avoid potential crashes.

Comment thread github-actions/linting/gha-sha-enforcer/lib/main.ts
Comment thread github-actions/linting/gha-sha-enforcer/lib/main.ts Outdated
Comment thread github-actions/linting/gha-sha-enforcer/lib/main.ts Outdated
Comment thread github-actions/linting/gha-sha-enforcer/lib/main.ts Outdated
Comment thread github-actions/linting/gha-sha-enforcer/BUILD.bazel Outdated
Comment thread github-actions/linting/gha-sha-enforcer/package.json Outdated
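
The check discussed in the review above (a full-length SHA plus a version comment on every external `uses:`, with block-scalar contents skipped), as an added example that is not the PR's `main.ts`. The exact version-comment rule, the skipping of local and `docker://` refs, the function name and the sample workflow are assumptions.

```typescript
// Added example, not the PR's main.ts. Assumed rule: an external `uses:` ref must be
// a 40-hex commit SHA followed by a non-empty trailing comment naming the version.
interface Finding { line: number; ref: string; reason: string; }

const USES = /^\s*(?:-\s+)?uses:\s*(?:(["'])(.*?)\1|([^\s#]+))\s*(?:#\s*(.*))?$/;
// A key whose value opens a block scalar: `|` or `>` plus chomping/indent indicators.
const BLOCK_SCALAR = /^(\s*(?:-\s+)*)[\w.-]+:\s*[|>][-+\d]*\s*(?:#.*)?$/;

function findUnpinnedActions(workflow: string): Finding[] {
  const findings: Finding[] = [];
  let scalarCol = -1; // column of the key that opened a block scalar, -1 when outside one
  workflow.split(/\r?\n/).forEach((text, i) => {
    const indent = text.search(/\S/);
    if (scalarCol >= 0) {
      if (indent < 0 || indent > scalarCol) return; // blank line or scalar content
      scalarCol = -1; // a dedent to the key column or less closes the scalar
    }
    const block = BLOCK_SCALAR.exec(text);
    if (block) { scalarCol = block[1].length; return; }
    const m = USES.exec(text);
    if (!m) return;
    const ref = m[2] || m[3] || '';
    if (/^(\.\/|docker:\/\/)/.test(ref)) return; // local and container refs skipped (assumption)
    const sha = ref.split('@')[1] || '';
    if (!/^[0-9a-f]{40}$/.test(sha)) {
      findings.push({ line: i + 1, ref, reason: 'not pinned to a full-length commit SHA' });
    } else if (!(m[4] || '').trim()) {
      findings.push({ line: i + 1, ref, reason: 'missing version comment' });
    }
  });
  return findings;
}

// Constructed sample workflow; the action names and the SHA are placeholders.
const SAMPLE = [
  'steps:',
  '  - uses: example-org/checkout@v4',
  '  - uses: example-org/setup@0123456789abcdef0123456789abcdef01234567 # v2.1.0',
  '  - uses: example-org/cache@0123456789abcdef0123456789abcdef01234567',
  '  - run: |',
  '      cat <<EOF > step.yml',
  '      uses: example-org/inside-script@main',
  '      EOF',
  '    env: {CI: true}',
  '  - uses: ./local-action',
  '  - uses: example-org/deploy@abc1234 # v1',
].join('\n');

console.log(findUnpinnedActions(SAMPLE)); // reports lines 2, 4 and 11
```

The `uses:` line inside the `run: |` script is not reported because it sits deeper than the key that opened the block scalar; the `env:` line at the key's own column ends the scalar.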

Contributor

Please add this "github-actions/linting/gha-sha-enforcer/main.js" to .prettierignore to prevent formatting check-in mismatches.

@alan-agius4 (Contributor) left a comment

Some minor stuff, otherwise LGTM.

@josephperrott force-pushed the enforce-gha-shas branch 2 times, most recently from a7b27e1 to 46c3068, on June 18, 2026 14:46