actions/runner-images
1
0
Fork 0
mirror of https://github.com/actions/runner-images.git synced 2025-12-10 11:07:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

Check outdated pins

Browse Source
This commit is contained in:
lawrencegripper
2025-01-31 10:39:03 +00:00
parent 3bc475f72e
commit 901125ceec
7 changed files with 150 additions and 79 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
.github/workflows/check-pinned-versions.yml vendored Normal file
View File

@@ -0,0 +1,18 @@
on:
push:
branches:
- main
pull_request:
schedule:
- cron: '0 0 * * *' # Run at midnight UTC every day
jobs:
validate-json:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Validate JSON Schema
shell: pwsh
run: ./helpers/CheckOutdatedVersionPinning.ps1

10
helpers/CheckJsonSchema.ps1
View File

@@ -1,7 +1,10 @@
$ErrorActionPreference = 'Stop' $ErrorActionPreference = 'Stop'
# A JSON schema validator which supports outputting line numbers for errors # A JSON schema validator which supports outputting line numbers for errors
Install-Module -Name GripDevJsonSchemaValidator -Force -Scope CurrentUser # this allows us to put annotations on builds for errors in the JSON files
# `Test-Json` built in cmdline doesn't. No existing cli tool supports this
# that I could find either. See: https://github.com/lawrencegripper/gripdev-json-schema-validator
Install-Module -Name GripDevJsonSchemaValidator -Force -Scope CurrentUser
# Find all toolset JSON files # Find all toolset JSON files
$toolsetFiles = Get-ChildItem -Recurse -Filter "toolset-*.json" | Where-Object { $_.Name -notlike "*schema.json" } $toolsetFiles = Get-ChildItem -Recurse -Filter "toolset-*.json" | Where-Object { $_.Name -notlike "*schema.json" }
@@ -9,16 +12,19 @@ $schemaFilePath = "./schemas/toolset-schema.json"
$toolsetHasErrors = $false $toolsetHasErrors = $false
foreach ($file in $toolsetFiles) { foreach ($file in $toolsetFiles) {
Write-Host ""
Write-Host "🔍 Validating $($file.FullName)" -ForegroundColor Cyan Write-Host "🔍 Validating $($file.FullName)" -ForegroundColor Cyan
$validationResult = Test-JsonSchema -SchemaPath $schemaFilePath -JsonPath $file.FullName $validationResult = Test-JsonSchema -SchemaPath $schemaFilePath -JsonPath $file.FullName -PrettyPrint $false
if ($validationResult.Valid) { if ($validationResult.Valid) {
Write-Host "✅ JSON is valid." -ForegroundColor Green Write-Host "✅ JSON is valid." -ForegroundColor Green
} else { } else {
# File has been modified since the commit, enforce validation
$toolsetHasErrors = $true $toolsetHasErrors = $true
Write-Host "`n❌ JSON validation failed!" -ForegroundColor Red Write-Host "`n❌ JSON validation failed!" -ForegroundColor Red
Write-Host " Found the following errors:`n" -ForegroundColor Yellow Write-Host " Found the following errors:`n" -ForegroundColor Yellow
$validationResult.Errors | ForEach-Object { $validationResult.Errors | ForEach-Object {
Write-Host $_.UserMessage Write-Host $_.UserMessage
if ($env:GITHUB_ACTIONS -eq 'true') { if ($env:GITHUB_ACTIONS -eq 'true') {

81
helpers/CheckOutdatedVersionPinning.ps1 Normal file
View File

@@ -0,0 +1,81 @@
$ErrorActionPreference = 'Stop'
# Find all toolset JSON files
$toolsetFiles = Get-ChildItem -Recurse -Filter "toolset-*.json" | Where-Object { $_.Name -notlike "*schema.json" }
$expiringPins = @()
$now = Get-Date
$warningDays = 30 # Warn if expiring within 30 days
foreach ($file in $toolsetFiles) {
Write-Host "Processing $($file.Name)"
$content = Get-Content $file.FullName | ConvertFrom-Json
# Recursively search for pinnedDetails in the JSON
function Search-PinnedDetails {
param($obj, $path)
$foundPins = @()
if ($obj -is [System.Management.Automation.PSCustomObject]) {
foreach ($prop in $obj.PSObject.Properties) {
if ($prop.Name -eq "pinnedDetails") {
Write-Host "Found pinned version at $path"
$reviewAt = [DateTime]::Parse($prop.Value.'review-at')
$daysUntilExpiry = ($reviewAt - $now).Days
if ($daysUntilExpiry -lt $warningDays) {
Write-Host "Adding to expiringPins array"
$foundPins += @{
Path = $path
File = $file.Name
ReviewAt = $reviewAt
DaysUntilExpiry = $daysUntilExpiry
Reason = $prop.Value.reason
Link = $prop.Value.link
}
}
} else {
$foundPins += Search-PinnedDetails -obj $prop.Value -path "$path.$($prop.Name)"
}
}
} elseif ($obj -is [Array]) {
for ($i = 0; $i -lt $obj.Count; $i++) {
$foundPins += Search-PinnedDetails -obj $obj[$i] -path "$path[$i]"
}
}
return $foundPins
}
$expiringPins += Search-PinnedDetails -obj $content -path $file.Name
}
if ($expiringPins) {
$issueBody = "# Version Pinning Review Required`n`n"
$issueBody += "The following pinned versions need review:`n`n"
foreach ($pin in $expiringPins) {
$status = if ($pin.DaysUntilExpiry -lt 0) { "EXPIRED" } else { "Expiring Soon" }
$issueBody += "## $($status) - $($pin.Path)`n"
$issueBody += "- **File**: $($pin.File)`n"
$issueBody += "- **Review Date**: $($pin.ReviewAt.ToString('yyyy-MM-dd'))`n"
$issueBody += "- **Days until expiry**: $($pin.DaysUntilExpiry)`n"
$issueBody += "- **Reason**: $($pin.Reason)`n"
$issueBody += "- **Original PR**: $($pin.Link)`n`n"
}
if ($env:GITHUB_ACTIONS -eq 'true') {
# In GitHub Actions, create an issue
$issueBody | gh issue create --title "Version Pinning Review Found Expired Pinned Versions" --body -
}
Write-Host "`nIssue Content:`n"
Write-Host $issueBody
}
else {
Write-Host "No expiring pins found."
if ($env:GITHUB_ACTIONS -eq 'true') {
"expired_pins=0" >> $env:GITHUB_OUTPUT
}
}

69
helpers/CheckPinnedDetails.ps1
View File

@@ -1,69 +0,0 @@
$ErrorActionPreference = 'Stop'
function Get-PinnedDetailsRecursive($obj) {
$pinnedDetails = @()
if ($obj -is [System.Management.Automation.PSCustomObject]) {
if ($obj.PSObject.Properties.Name -contains "review-at") {
$pinnedDetails += $obj
}
foreach ($prop in $obj.PSObject.Properties) {
Get-PinnedDetailsRecursive $prop.Value
}
}
elseif ($obj -is [Array]) {
foreach ($item in $obj) {
Get-PinnedDetailsRecursive $item
}
}
return $pinnedDetails
}
Write-Host "Checking pinned details for overdue review dates"
# Find all toolset JSON files in the current directory and subdirectories
$toolsetFiles = Get-ChildItem -Recurse -Filter "toolset-*.json"
foreach ($toolsetFile in $toolsetFiles) {
Write-Host "Checking $toolsetFile"
# Skip schema file
if ($toolsetFile.Name -like "*toolset-schema.json") {
continue
}
# Get all objects with 'review-at' property from the JSON file
$jsonContent = Get-Content $toolsetFile.FullName | ConvertFrom-Json
$pinnedDetails = Get-PinnedDetailsRecursive $jsonContent | Where-Object { $_ -ne $null }
foreach ($pinnedDetail in $pinnedDetails) {
$reviewDate = $pinnedDetail.'review-at'
$reason = $pinnedDetail.reason
Write-Host "Info: Review date $reviewDate, reason $reason"
if (![string]::IsNullOrEmpty($reviewDate)) {
$reviewDateTime = [DateTime]::Parse($reviewDate)
$currentTime = Get-Date
$sevenDaysAgo = $currentTime.AddDays(-7)
Write-Host "Info: Review date $reviewDate, current time $currentTime"
# Check if review date is in the past
if ($reviewDateTime -lt $currentTime) {
Write-Host "ERROR: Overdue review date: $reviewDate for tool in $($toolsetFile.Name)"
Write-Host " Pinned for '$reason'"
Write-Host ""
}
# Check if review date is within the next 7 days
if ($reviewDateTime -gt $sevenDaysAgo -and $reviewDateTime -le $currentTime) {
Write-Host "WARNING: Review date is coming up within the next 7 days: $reviewDate for tool in $($toolsetFile.Name)"
Write-Host " Pinned for '$reason'"
Write-Host ""
}
}
}
}

19
images/ubuntu/toolsets/toolset-2004.json
View File

@@ -377,10 +377,21 @@
}, },
"aliyunCli": { "aliyunCli": {
"version": "3.0.174", "version": "3.0.174",
"sha256": "0c51028a7a32fc02c8de855f73e273556f957115eb5624565738f9b9f83a50ba" "sha256": "0c51028a7a32fc02c8de855f73e273556f957115eb5624565738f9b9f83a50ba",
"pinnedDetails": {
"link": "https://github.com/actions/runner-images-internal/pull/6702",
"reason": "Meaningful reason must be added at next update.",
"review-at": "2025-06-01",
"type": "preexisting-pinned-version-without-reason"
}
}, },
"ocCli": { "ocCli": {
"version": "4.15.19" "version": "4.15.19",
} "pinnedDetails": {
"link": "https://github.com/actions/runner-images-internal/pull/6702",
"reason": "Meaningful reason must be added at next update.",
"review-at": "2025-06-01",
"type": "preexisting-pinned-version-without-reason"
}
}
} }

16
images/windows/toolsets/toolset-2022.json
View File

@@ -380,13 +380,25 @@
}, },
"postgresql": { "postgresql": {
"version": "14.12.1", "version": "14.12.1",
"signature": "698BA51AA27CC31282AACA5055E4B9190BC6C0E9" "signature": "698BA51AA27CC31282AACA5055E4B9190BC6C0E9",
"pinnedDetails": {
"link": "https://github.com/actions/runner-images-internal/pull/6702",
"reason": "Meaningful reason must be added at next update.",
"review-at": "2025-06-01",
"type": "preexisting-pinned-version-without-reason"
}
}, },
"kotlin": { "kotlin": {
"version": "latest" "version": "latest"
}, },
"openssl": { "openssl": {
"version": "1.1.1" "version": "1.1.1",
"pinnedDetails": {
"link": "https://github.com/actions/runner-images-internal/pull/6702",
"reason": "Meaningful reason must be added at next update.",
"review-at": "2024-06-01",
"type": "preexisting-pinned-version-without-reason"
}
}, },
"pwsh": { "pwsh": {
"version": "7.4" "version": "7.4"

16
images/windows/toolsets/toolset-2025.json
View File

@@ -107,7 +107,13 @@
}, },
"mingw": { "mingw": {
"version": "14.2.0", "version": "14.2.0",
"runtime": "ucrt" "runtime": "ucrt",
"pinnedDetails": {
"link": "https://github.com/actions/runner-images-internal/pull/6702",
"reason": "Meaningful reason must be added at next update.",
"review-at": "2025-06-01",
"type": "preexisting-pinned-version-without-reason"
}
}, },
"MsysPackages": { "MsysPackages": {
"msys2": [], "msys2": [],
@@ -318,7 +324,13 @@
"version": "latest" "version": "latest"
}, },
"openssl": { "openssl": {
"version": "3.4.0" "version": "3.4.0",
"pinnedDetails": {
"link": "https://github.com/actions/runner-images-internal/pull/6702",
"reason": "Meaningful reason must be added at next update.",
"review-at": "2025-06-01",
"type": "preexisting-pinned-version-without-reason"
}
}, },
"pwsh": { "pwsh": {
"version": "7.4" "version": "7.4"