#!/bin/sh
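# --- StepSecurity banner and subscription gate --------------------------------
# Reads .repository.private from the workflow event payload. When jq is missing
# or the payload cannot be read, REPO_PRIVATE ends up empty; anything other than
# the literal string "false" is handled like a private repository below.
REPO_PRIVATE=$(jq -r '.repository.private | tostring' "$GITHUB_EVENT_PATH" 2>/dev/null || echo "")
UPSTREAM="reviewdog/action-markdownlint"
ACTION_REPO="${GITHUB_ACTION_REPOSITORY:-}"
DOCS_URL="https://docs.stepsecurity.io/actions/stepsecurity-maintained-actions"

# printf is used for the coloured lines: `echo -e` is not defined by POSIX and
# this script runs under /bin/sh.
echo ""
printf '\033[1;36m%s\033[0m\n' "StepSecurity Maintained Action"
echo "Secure drop-in replacement for $UPSTREAM"
if [ "$REPO_PRIVATE" = "false" ]; then
  printf '\033[32m%s\033[0m\n' "✓ Free for public repositories"
fi
printf '\033[36mLearn more:\033[0m %s\n' "$DOCS_URL"
echo ""

if [ "$REPO_PRIVATE" != "false" ]; then
  SERVER_URL="${GITHUB_SERVER_URL:-https://github.com}"

  # NOTE(review): both values are placed into the JSON body without escaping.
  # They are presumably runner-provided; confirm before reusing this pattern
  # for anything a user can influence.
  if [ "$SERVER_URL" != "https://github.com" ]; then
    BODY=$(printf '{"action":"%s","ghes_server":"%s"}' "$ACTION_REPO" "$SERVER_URL")
  else
    BODY=$(printf '{"action":"%s"}' "$ACTION_REPO")
  fi

  # Outbound call to a third-party endpoint: it carries the repository name
  # (in the URL), the action name and, off github.com, the server URL. No
  # credential header is attached.
  API_URL="https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription"
  CURL_EXIT_CODE=0
  RESPONSE=$(curl --max-time 3 -s -w "%{http_code}" \
    -X POST \
    -H "Content-Type: application/json" \
    -d "$BODY" \
    "$API_URL" -o /dev/null) || CURL_EXIT_CODE=$?

  # Fail-open by design: a curl failure or any status other than 403 lets the
  # run continue. Only an explicit 403 stops the action.
  if [ "$CURL_EXIT_CODE" -ne 0 ]; then
    echo "Timeout or API not reachable. Continuing to next step."
  elif [ "$RESPONSE" = "403" ]; then
    printf '::error::\033[1;31m%s\033[0m\n' "This action requires a StepSecurity subscription for private repositories."
    printf '::error::\033[31mLearn how to enable a subscription: %s\033[0m\n' "$DOCS_URL"
    exit 1
  fi
fi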
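# --- Lint run ------------------------------------------------------------------
# Work from the checked-out repository; stop if it is not available.
cd "${GITHUB_WORKSPACE}" || exit 1

# Mark the workspace as a git safe.directory (presumably because the mounted
# checkout is owned by a different user than the one running this script).
git config --global --add safe.directory "${GITHUB_WORKSPACE}" || exit 1

# The token reaches reviewdog through the environment, not the command line.
export REVIEWDOG_GITHUB_API_TOKEN="${INPUT_GITHUB_TOKEN}"

# Start from a known value so an EXIT_CODE variable inherited from the
# environment cannot decide the final status of the action.
EXIT_CODE=0

# INPUT_MARKDOWNLINT_FLAGS and INPUT_REVIEWDOG_FLAGS are expanded unquoted on
# purpose so that several flags can be passed in one input; word splitting and
# globbing therefore apply to whatever the workflow supplies.
# Without pipefail the pipeline status is reviewdog's, so markdownlint's own
# exit code never reaches EXIT_CODE.
# shellcheck disable=SC2086
markdownlint ${INPUT_MARKDOWNLINT_FLAGS:-.} 2>&1 \
  | reviewdog \
    -efm="%f:%l:%c %m" \
    -efm="%f:%l %m" \
    -name="markdownlint" \
    -reporter="${INPUT_REPORTER:-github-pr-check}" \
    -filter-mode="${INPUT_FILTER_MODE}" \
    -fail-level="${INPUT_FAIL_LEVEL}" \
    -fail-on-error="${INPUT_FAIL_ON_ERROR}" \
    -level="${INPUT_LEVEL}" \
    ${INPUT_REVIEWDOG_FLAGS} || EXIT_CODE=$?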
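# --- Fix suggestions (github-pr-review reporter only) --------------------------
# Runs markdownlint --fix, captures the resulting diff, and feeds it to
# reviewdog so the fixes show up as review suggestions.
if [ "${INPUT_REPORTER}" = "github-pr-review" ]; then
  # Create the temp file before touching the working tree, so a mktemp failure
  # skips this step without leaving auto-fixed files behind.
  if TMPFILE=$(mktemp); then
    # Best effort: a non-zero status from --fix is ignored.
    # shellcheck disable=SC2086
    markdownlint --fix ${INPUT_MARKDOWNLINT_FLAGS:-.} 2>&1 || true
    git diff > "${TMPFILE}"
    # Take the auto-fixes (and untracked files) back out of the working tree.
    git stash -u
    # reviewdog's status is not recorded here; only the lint run above sets
    # EXIT_CODE.
    # shellcheck disable=SC2086
    reviewdog \
      -f=diff \
      -f.diff.strip=1 \
      -name="markdownlint-fix" \
      -reporter="github-pr-review" \
      -filter-mode="diff_context" \
      -level="${INPUT_LEVEL}" \
      ${INPUT_REVIEWDOG_FLAGS} < "${TMPFILE}"
    git stash drop || true
    # Do not leave the captured diff behind.
    rm -f -- "${TMPFILE}"
  else
    echo "mktemp failed; skipping markdownlint-fix suggestions." >&2
  fi
fi

# EXIT_CODE is only assigned when the lint pipeline fails; fall back to 0.
exit "${EXIT_CODE:-0}"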