
Update pre-commit hook rhysd/actionlint to v1.7.5 #1082

Merged: 1 commit, Dec 28, 2024

Conversation

renovate[bot] (Contributor) commented Nov 4, 2024

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| rhysd/actionlint | repository | patch | v1.7.3 -> v1.7.5 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Note: The pre-commit manager in Renovate is not supported by the pre-commit maintainers or community. Please do not report any problems there, instead create a Discussion in the Renovate repository if you have any questions.


Release Notes

rhysd/actionlint (rhysd/actionlint)

v1.7.5


v1.7.4


  • Disallow the usage of popular actions that run on node16 runner. The node16 runner will reach the end of life on November 12.
    • In case of the error, please update your actions to the latest version so that they run on the latest node20 runner.
    • If you're using a self-hosted runner and you cannot upgrade it to node20 soon, please consider ignoring the error with the paths configuration described below.
  • Provide the configuration for ignoring errors by regular expressions in actionlint.yml (or actionlint.yaml). Please see the document for more details. (#​217, #​342)
    • The paths configuration is a mapping from a file path glob pattern to the corresponding configuration. The ignore configuration is a list of regular expressions to match error messages (similar to the -ignore command line option).
      ```yaml
      paths:
        # This pattern matches any YAML file under the '.github/workflows/' directory.
        .github/workflows/**/*.yaml:
          ignore:
            # Ignore the specific error from shellcheck
            - 'shellcheck reported issue in this script: SC2086:.+'
        # This pattern only matches '.github/workflows/release.yaml' file.
        .github/workflows/self-hosted.yaml:
          ignore:
            # Ignore errors from the old runner check. This may be useful for (outdated) self-hosted runner environment.
            - 'the runner of ".+" action is too old to run on GitHub Actions'
      ```
  • This configuration was not implemented initially because I wanted to keep the configuration as minimal as possible. However, due to several requests for it, the configuration has now been added.
  • Untrusted inputs check is safely skipped inside specific function calls. (#​459, thanks @​IlyaGulya)
    • For example, the following step contains the untrusted input github.head_ref, but it is safe because it's passed to the contains() argument.
      ```yaml
      - run: echo "is_release_branch=${{ contains(github.head_ref, 'release') }}" >> "$GITHUB_OUTPUT"
      ```
    • For more details, please read the rule document.
  • Recognize gcr.io and gcr.dev as the correct container registry hosts. (#​463, thanks @​takaidohigasi)
    • Note that it is recommended to explicitly specify the scheme, like docker://gcr.io/....
  • Remove macos-x.0 runner labels which are no longer available. (#​452)
  • Disable shellcheck SC2043 rule because it can cause false positives on checking run:. (#​355)
  • Fix the error message not being deterministic when detecting cycles in needs dependencies.
  • Fix the check for the format() function not being applied when the function name contains upper case, like Format(). Note that function names in ${{ }} placeholders are case-insensitive.
  • Update the popular actions data set to the latest.
  • Add actions/cache/save and actions/cache/restore to the popular actions data set.
  • Links in the README.md now point to the document of the latest version tag instead of the HEAD of the main branch.
  • Add Linter.LintStdin method dedicated to linting STDIN instead of handling STDIN in Command.
  • (Dev) Add new check-checks script to maintain the 'Checks' document. It automatically updates the outputs and playground links for example inputs in the document. It also checks the document is up-to-date on CI. Please read the document for more details.
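To show what the untrusted-inputs rule above is skipping, here is an added Python example (not actionlint's own code): a small scanner that flags `github.head_ref` and a few other contributor-controlled contexts when they are interpolated into a `run:` script, but not when they only appear as an argument of `contains()`. The context list and the extra safe functions `startsWith`/`endsWith` are this example's assumptions.

```python
import re

# ${{ ... }} expression placeholders inside a run: script.
PLACEHOLDER = re.compile(r"\$\{\{(.*?)\}\}", re.DOTALL)
# An innermost function call: name( arguments containing no parentheses ).
CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(([^()]*)\)")
# Contexts an outside contributor controls. Short list assumed for this example;
# actionlint's real rule covers many more contexts.
UNTRUSTED = ("github.head_ref", "github.event.pull_request.title",
             "github.event.issue.title", "github.event.comment.body")
# Calls whose boolean result cannot carry argument text into the shell. The
# release note names contains(); startsWith/endsWith are this example's assumption.
SAFE_CALLS = ("contains", "startswith", "endswith")


def _strip_calls(expr: str) -> str:
    """Rewrite expr so only text that can still reach the shell survives.

    A safe call becomes an empty string literal; any other call (format(),
    toJSON(), ...) is replaced by its argument list, because its result may
    contain the untrusted value verbatim. Innermost calls are rewritten
    first, so nested expressions are handled."""
    while True:
        new = CALL.sub(
            lambda m: "''" if m.group(1).lower() in SAFE_CALLS else m.group(2), expr)
        if new == expr:
            return expr
        expr = new


def unsafe_untrusted_refs(run_script: str) -> list[str]:
    """Untrusted context references in run_script not neutralised by a safe call."""
    findings: list[str] = []
    for m in PLACEHOLDER.finditer(run_script):
        exposed = _strip_calls(m.group(1)).lower()  # context names are case-insensitive
        for ref in UNTRUSTED:
            if ref in exposed and ref not in findings:
                findings.append(ref)
    return findings


if __name__ == "__main__":
    # Constructed sample steps: the first is the release note's own example, the
    # second interpolates the branch name straight into the shell command line.
    safe = 'echo "is_release_branch=${{ contains(github.head_ref, \'release\') }}" >> "$GITHUB_OUTPUT"'
    risky = 'echo "building ${{ github.head_ref }}"'
    print(unsafe_untrusted_refs(safe))   # []
    print(unsafe_untrusted_refs(risky))  # ['github.head_ref']
```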

Configuration

📅 Schedule: Branch creation - "after 8pm every weekday,before 10am every weekday,every weekend" in timezone America/Chicago, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the renovate label Nov 4, 2024

github-actions bot commented Nov 4, 2024

Testing script results from test/test.sh
✅ Test result: passes

Test script outputs from test/test.sh

  • set -C
  • SARIF_FILE=./test/fixtures/odc.sarif
  • TOKEN=fake-password
  • REPOSITORY=sett-and-hive/sarif-to-issue-action
  • BRANCH=fake-test-branch
  • TITLE='Test security issue from build'
  • LABELS=build
  • DRY_RUN=true
  • ODC_SARIF=true
    ++ echo sett-and-hive/sarif-to-issue-action
    ++ awk '-F[/]' '{print $1}'
  • OWNER=sett-and-hive
    ++ echo sett-and-hive/sarif-to-issue-action
    ++ awk '-F[/]' '{print $2}'
  • REPO=sarif-to-issue-action
  • '[' true == true ']'
  • fix_odc_sarif
  • ord_sarif=./test/fixtures/odc.sarif
  • mod_sarif=./test/fixtures/odc.sarif.mod
  • rm -f ./test/fixtures/odc.sarif.mod
  • jq '.runs[].tool.driver.rules[] |= . + {"defaultConfiguration": { "level": "error"}}' ./test/fixtures/odc.sarif
  • SARIF_FILE=./test/fixtures/odc.sarif.mod
  • echo 'Convert SARIF file ./test/fixtures/odc.sarif'
    Convert SARIF file ./test/fixtures/odc.sarif
  • npx @security-alert/sarif-to-issue --dryRun true --token fake-password --owner sett-and-hive --sarifContentOwner sett-and-hive --repo sarif-to-issue-action --sarifContentRepo sarif-to-issue-action --sarifContentBranch fake-test-branch --title 'Test security issue from build' --labels build ./test/fixtures/odc.sarif.mod
    Create Issue
    owner: sett-and-hive
    repo: sarif-to-issue-action
    labels: build
    assignees:
    title: Test security issue from build
    body: # Report

Results

  • [ERROR] [CVE-2022-24823] CVE-2022-24823 - Netty is an open-source, asynchronous event-driven network application framework. The package io.netty:netty-codec-httpprior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's ownjava.io.tmpdir when starting the JVM or use DefaultHttpDataFactory.setBaseDir\(...\) to set the directory to something that is only readable by the current user.

Suppressed Results

Nothing here.

Rules information

Rules details
- CVE-2022-24823 [undefined] 

> Medium severity - CVE-2022-24823 Exposure of Resource to Wrong Sphere vulnerability in pkg:maven/io.netty/netty-transport@4.1.76.Final

Tool information

  • Name: dependency-check
  • Organization: undefined
  • Version: undefined

(node:27) [DEP0040] DeprecationWarning: The punycode module is deprecated. Please use a userland alternative instead.
(Use node --trace-deprecation ... to show where the warning was created)

  • echo '::set-output name=output::0'
    ::set-output name=output::0


This PR is stale because it has been open 45 days with no activity.

@github-actions github-actions bot added the Stale label Dec 23, 2024
@renovate renovate bot force-pushed the renovate/rhysd-actionlint-1.x branch from 966b231 to b50825b Compare December 28, 2024 12:54
@renovate renovate bot changed the title Update pre-commit hook rhysd/actionlint to v1.7.4 Update pre-commit hook rhysd/actionlint to v1.7.5 Dec 28, 2024

Testing script results from test/test.sh
✅ Test result: passes

Test script outputs from test/test.sh

  • set -C
  • SARIF_FILE=./test/fixtures/odc.sarif
  • TOKEN=fake-password
  • REPOSITORY=sett-and-hive/sarif-to-issue-action
  • BRANCH=fake-test-branch
  • TITLE='Test security issue from build'
  • LABELS=build
  • DRY_RUN=true
  • ODC_SARIF=true
    ++ awk '-F[/]' '{print $1}'
    ++ echo sett-and-hive/sarif-to-issue-action
  • OWNER=sett-and-hive
    ++ echo sett-and-hive/sarif-to-issue-action
    ++ awk '-F[/]' '{print $2}'
  • REPO=sarif-to-issue-action
  • '[' true == true ']'
  • fix_odc_sarif
  • ord_sarif=./test/fixtures/odc.sarif
  • mod_sarif=./test/fixtures/odc.sarif.mod
  • rm -f ./test/fixtures/odc.sarif.mod
  • jq '.runs[].tool.driver.rules[] |= . + {"defaultConfiguration": { "level": "error"}}' ./test/fixtures/odc.sarif
  • SARIF_FILE=./test/fixtures/odc.sarif.mod
  • echo 'Convert SARIF file ./test/fixtures/odc.sarif'
    Convert SARIF file ./test/fixtures/odc.sarif
  • npx @security-alert/sarif-to-issue --dryRun true --token fake-password --owner sett-and-hive --sarifContentOwner sett-and-hive --repo sarif-to-issue-action --sarifContentRepo sarif-to-issue-action --sarifContentBranch fake-test-branch --title 'Test security issue from build' --labels build ./test/fixtures/odc.sarif.mod
    Create Issue
    owner: sett-and-hive
    repo: sarif-to-issue-action
    labels: build
    assignees:
    title: Test security issue from build
    body: # Report

Results

  • [ERROR] [CVE-2022-24823] CVE-2022-24823 - Netty is an open-source, asynchronous event-driven network application framework. The package io.netty:netty-codec-httpprior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's ownjava.io.tmpdir when starting the JVM or use DefaultHttpDataFactory.setBaseDir\(...\) to set the directory to something that is only readable by the current user.

Suppressed Results

Nothing here.

Rules information

Rules details
- CVE-2022-24823 [undefined] 

> Medium severity - CVE-2022-24823 Exposure of Resource to Wrong Sphere vulnerability in pkg:maven/io.netty/netty-transport@4.1.76.Final

Tool information

  • Name: dependency-check
  • Organization: undefined
  • Version: undefined

(node:27) [DEP0040] DeprecationWarning: The punycode module is deprecated. Please use a userland alternative instead.
(Use node --trace-deprecation ... to show where the warning was created)

  • echo '::set-output name=output::0'
    ::set-output name=output::0

@renovate renovate bot merged commit c37a325 into main Dec 28, 2024
5 checks passed
@renovate renovate bot deleted the renovate/rhysd-actionlint-1.x branch December 28, 2024 16:23