feat: add GitHub Actions version audit script #853

Merged
stack72 merged 1 commit into main from audit-actions on Mar 25, 2026

Conversation

@stack72 (Contributor) commented Mar 25, 2026

Summary

  • Add scripts/audit_actions.ts that parses workflow files and checks action references against the GitHub API for outdated versions and unpinned third-party actions
  • Add audit-actions deno task
  • Add "Check for outdated GitHub Actions" step to the deps-audit CI job
  • Warning-only — never fails the build, surfaces findings in CI logs and GitHub step summary
  • Acts as a lightweight dependabot replacement for GHA references

Test plan

  • Run deno run audit-actions locally and verify it reports action versions
  • Verify the deps-audit CI job runs the new step without failing
  • Check GitHub step summary renders the audit results table correctly

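The summary describes two checks: extracting action references from workflow files and flagging third-party actions that are not pinned to a commit SHA. The block below is an added example (not the project's scripts/audit_actions.ts and not the author's code) of how that extraction and policy can be done in TypeScript without a YAML library: a line-oriented scan of `uses:` entries, classification of each ref as a full SHA, a tag-like version, or a branch, a policy that reports only unpinned third-party actions, and a markdown table of the kind a step summary would render. The sample workflow, the `some-org/some-action` and `denoland/setup-deno` references, the 40-character SHA, and the set of first-party owners are all constructed assumptions.

```typescript
// Added example, not the project's scripts/audit_actions.ts: extract `uses:` references
// from a workflow file and flag third-party actions not pinned to a full commit SHA.
// The workflow text, repositories, SHA and first-party owner list below are constructed.

export type RefKind = "sha" | "tag" | "branch" | "local" | "docker";

export interface ActionRef {
  spec: string;      // raw owner/repo[/path]@ref as written in the workflow
  owner: string;
  repo: string;
  ref: string;
  kind: RefKind;
  line: number;      // 1-based line number in the workflow file
  firstParty: boolean;
  comment?: string;  // trailing "# v3.8.2"-style annotation, if any
}

export interface Finding {
  line: number;
  spec: string;
  severity: "warning";
  message: string;
}

// Assumption: owners this repo treats as first-party (their tags are tolerated).
const FIRST_PARTY_OWNERS = new Set(["actions", "github"]);

// Matches `- uses: owner/repo@ref # comment` with optional quotes and list dash.
const USES_RE = /^\s*-?\s*uses:\s*["']?([^\s"'#]+)["']?\s*(?:#\s*(.*?))?\s*$/;
const FULL_SHA_RE = /^[0-9a-f]{40}$/;

// Heuristic: a version-looking ref (v4, 2.1.0) is a tag; any other non-SHA ref is a branch.
// Both are mutable, so neither counts as pinned.
export function classifyRef(ref: string): RefKind {
  if (FULL_SHA_RE.test(ref)) return "sha";
  return /^v?\d+(\.\d+)*$/.test(ref) ? "tag" : "branch";
}

export function parseUses(workflow: string): ActionRef[] {
  const refs: ActionRef[] = [];
  workflow.split("\n").forEach((text, i) => {
    const m = USES_RE.exec(text);
    if (!m) return;
    const spec = m[1];
    const comment = m[2] ? m[2] : undefined;
    const line = i + 1;
    if (spec.startsWith("./")) {
      refs.push({ spec, owner: "", repo: "", ref: "", kind: "local", line, firstParty: true, comment });
      return;
    }
    if (spec.startsWith("docker://")) {
      refs.push({ spec, owner: "", repo: "", ref: "", kind: "docker", line, firstParty: false, comment });
      return;
    }
    const at = spec.lastIndexOf("@");
    const repoPath = at === -1 ? spec : spec.slice(0, at);
    const ref = at === -1 ? "" : spec.slice(at + 1);
    const [owner, repo] = repoPath.split("/");
    refs.push({
      spec, owner, repo, ref, kind: classifyRef(ref), line,
      firstParty: FIRST_PARTY_OWNERS.has(owner), comment,
    });
  });
  return refs;
}

// Policy from the PR summary: only third-party actions without a SHA pin are reported.
export function audit(refs: ActionRef[]): Finding[] {
  const findings: Finding[] = [];
  for (const r of refs) {
    if (r.kind === "sha" || r.kind === "local" || r.kind === "docker" || r.firstParty) continue;
    const why = r.kind === "branch"
      ? `tracks mutable ref '${r.ref || "(default branch)"}'`
      : `pinned to tag '${r.ref}', which the upstream can move`;
    findings.push({ line: r.line, spec: r.spec, severity: "warning",
      message: `third-party action ${why}; pin to a full commit SHA` });
  }
  return findings;
}

// Markdown table in the shape a GitHub step summary would render.
export function renderSummary(findings: Finding[]): string {
  const header = ["| Line | Action | Severity | Finding |", "|---|---|---|---|"];
  const rows = findings.map((f) => `| ${f.line} | \`${f.spec}\` | ${f.severity} | ${f.message} |`);
  return header.concat(rows).join("\n");
}

// Constructed sample workflow; the SHA and the third-party repositories are made up.
export const SAMPLE_WORKFLOW = `name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v3.8.2
      - uses: "denoland/setup-deno@v2"
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - name: Run
        run: echo hi
`;
```

On the sample, `audit(parseUses(SAMPLE_WORKFLOW))` reports the two third-party references (the tag-pinned one and the branch-tracking one) and stays silent on the SHA-pinned, first-party, local and docker entries; `renderSummary` turns those findings into the table that would be appended to the step summary file. The tag-versus-branch split is a string heuristic only, which is why the policy treats both the same way.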
@github-actions bot left a comment

CI Security Review

Critical / High

None.

Medium

None.

Low

None.

Verdict

PASS — This PR adds a local Deno script (scripts/audit_actions.ts) that audits GitHub Actions references for outdated versions and missing SHA pins. The new CI step is a static run: command with no expression interpolation, no secrets, tightly scoped Deno permissions (--allow-net=api.github.com), and runs in a read-only job. The script itself improves the repo's supply chain security posture. No security concerns found.

@github-actions bot left a comment

Code Review

Blocking Issues

None — the PR is clean and follows established conventions.

Suggestions

  1. Annotated tag SHA mismatch (scripts/audit_actions.ts:144-151): The /git/ref/tags/{tag} endpoint returns the tag object SHA for annotated tags, not the underlying commit SHA. When tagData.object.type === "tag", you'd need to dereference via /git/tags/{sha} to get the commit SHA. This could produce false "outdated" findings for SHA-pinned actions that use annotated tags. Since common first-party actions (actions/, denoland/) use lightweight tags this isn't critical, but worth handling for third-party actions.

  2. GitHub API rate limiting: The script makes unauthenticated API calls (60 req/hour limit). If the number of unique actions grows, CI runs could hit this. Consider optionally reading GITHUB_TOKEN from the environment and adding it as an Authorization header when available.

  3. Sequential API calls (scripts/audit_actions.ts:282-314): Each action is checked with a sequential await in a for loop. These lookups are independent and could be parallelized with Promise.all (or batched) for faster execution.

  4. no-explicit-any usage (scripts/audit_actions.ts:76,83): Two any casts for YAML parsing. These are pragmatic given the dynamic nature of parsed YAML, but could be replaced with a more specific type (e.g., Record<string, unknown>) and narrowing — though this is low priority for a build script.

Overall this is a solid, well-structured addition that follows the existing audit_deps.ts pattern. License header is present, permissions are scoped appropriately, and the warning-only approach is the right call.
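Suggestions 1 to 3 in the review above are easy to get subtly wrong, so here is an added example (not code from this PR, and not the reviewer's or author's words) of a lookup that dereferences annotated tags through /git/tags/{sha} before comparing against a pin, sends a bearer token when one is supplied, and bounds concurrency instead of awaiting in sequence. The fetch is injected so the code runs offline against a constructed fake of the two endpoints; the example-org repositories, the SHAs, the token value and the hop limit are assumptions.

```typescript
// Added example, not the project's scripts/audit_actions.ts: resolve a tag to the commit it
// points at (following annotated tags), send GITHUB_TOKEN when present, and bound concurrency.
// Endpoint paths follow the GitHub Git Database REST API; every response in FAKE_API is
// constructed sample data and example-org/* are hypothetical repositories.

export interface GitObject { sha: string; type: string }
export interface GitRefResponse { object: GitObject }
export interface GitTagResponse { tag: string; object: GitObject }

// Minimal fetch abstraction so the lookup can be exercised offline against a fake.
export type FetchJson = (url: string, headers: Record<string, string>) => Promise<unknown>;

export function authHeaders(token?: string): Record<string, string> {
  const h: Record<string, string> = {
    Accept: "application/vnd.github+json",
    "User-Agent": "audit-actions-example",
  };
  // Authenticated calls get a much larger rate limit than the 60/hour anonymous cap.
  if (token) h.Authorization = `Bearer ${token}`;
  return h;
}

// /git/ref/tags/{tag} returns the tag *object* SHA for annotated tags; only after
// dereferencing through /git/tags/{sha} do we reach the commit a pinned SHA should match.
export async function resolveTagCommit(
  owner: string, repo: string, tag: string, fetchJson: FetchJson, token?: string,
): Promise<string> {
  const base = `https://api.github.com/repos/${owner}/${repo}`;
  const headers = authHeaders(token);
  const ref = (await fetchJson(`${base}/git/ref/tags/${encodeURIComponent(tag)}`, headers)) as GitRefResponse;
  let { sha, type } = ref.object;
  // Annotated tags can point at other tags; follow the chain but refuse to loop forever.
  for (let hops = 0; type === "tag"; hops++) {
    if (hops >= 5) throw new Error(`tag chain too deep: ${owner}/${repo}@${tag}`);
    const t = (await fetchJson(`${base}/git/tags/${sha}`, headers)) as GitTagResponse;
    ({ sha, type } = t.object);
  }
  if (type !== "commit") throw new Error(`unexpected object type '${type}' for ${owner}/${repo}@${tag}`);
  return sha;
}

// Run at most `limit` lookups at once; the lookups are independent so they need not be serialized.
export async function mapLimit<T, R>(items: T[], limit: number, fn: (item: T) => Promise<R>): Promise<R[]> {
  const out: R[] = new Array(items.length);
  let next = 0;
  const worker = async () => {
    while (next < items.length) {
      const i = next++;
      out[i] = await fn(items[i]);
    }
  };
  await Promise.all(Array.from({ length: Math.max(1, Math.min(limit, items.length)) }, worker));
  return out;
}

export interface Pin { owner: string; repo: string; tag: string; pinnedSha: string }
export interface PinResult extends Pin { resolvedSha: string; outdated: boolean }

export function checkPins(pins: Pin[], fetchJson: FetchJson, token?: string): Promise<PinResult[]> {
  return mapLimit(pins, 4, async (p) => {
    const resolvedSha = await resolveTagCommit(p.owner, p.repo, p.tag, fetchJson, token);
    return { ...p, resolvedSha, outdated: resolvedSha !== p.pinnedSha };
  });
}

// Constructed stand-in for api.github.com: one lightweight tag, one annotated tag.
export const LIGHT_COMMIT = "a".repeat(40);
export const ANNOTATED_TAG_OBJ = "b".repeat(40);
export const ANNOTATED_COMMIT = "c".repeat(40);
const API = "https://api.github.com/repos/example-org";
export const FAKE_API: Record<string, unknown> = {
  [`${API}/light/git/ref/tags/v1`]: { object: { sha: LIGHT_COMMIT, type: "commit" } },
  [`${API}/annotated/git/ref/tags/v2`]: { object: { sha: ANNOTATED_TAG_OBJ, type: "tag" } },
  [`${API}/annotated/git/tags/${ANNOTATED_TAG_OBJ}`]: { tag: "v2", object: { sha: ANNOTATED_COMMIT, type: "commit" } },
};

export function fakeFetch(seen: Record<string, string>[] = []): FetchJson {
  return async (url, headers) => {
    seen.push(headers);
    if (!(url in FAKE_API)) throw new Error(`404 ${url}`);
    return FAKE_API[url];
  };
}

// Sample run: the annotated pin matches only because the tag object was dereferenced;
// the third pin is deliberately stale. The token value is a placeholder.
export async function demo(): Promise<PinResult[]> {
  return checkPins([
    { owner: "example-org", repo: "light", tag: "v1", pinnedSha: LIGHT_COMMIT },
    { owner: "example-org", repo: "annotated", tag: "v2", pinnedSha: ANNOTATED_COMMIT },
    { owner: "example-org", repo: "light", tag: "v1", pinnedSha: "d".repeat(40) },
  ], fakeFetch(), "ghp_placeholder");
}
```

Comparing `ref.object.sha` directly, as the review describes, would report the second pin as outdated even though it points at exactly the commit that `v2` resolves to; the loop over `type === "tag"` is what removes that false positive. In CI the real `fetch` would be passed instead of `fakeFetch`, and the token read from the environment, which also keeps the script's network permission scoped to api.github.com as the security review notes.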

@stack72 stack72 merged commit ee4ef3a into main Mar 25, 2026
11 checks passed
@stack72 stack72 deleted the audit-actions branch March 25, 2026 09:31