github.com/yogeshkumararora/slsa-github-generator@v1.10.1-0.20240520161934-11278bd5afb4/.github/actions/README.md (about)

# Internal Action Development

## External Actions

The following Actions:

- detect-workflow
- privacy-check
- rng
- secure-builder-checkout
- generate-builder

are considered "external" even though they are hosted on the same repository: they are not called via:

`./.github/actions/name`

but instead via their "fully-qualified" name:

`yogeshkumararora/slsa-github-generator/.github/actions/name@vX.Y.Z`.

We do this because the Actions are part of the builder, whereas the workflow runs in the "context" of the calling repository.

These Actions _MUST_ be pinned with the release tag for consistency.

## Internal Actions

Other Actions are called via:

`./.github/actions/name`

and always require a checkout of the builder repository before being called.
The `secure-builder-checkout` Action is always used to check out the builder repository
at the `__BUILDER_CHECKOUT_DIR__` location. The `secure-project-checkout-*` Actions check out
the project to build at the `__PROJECT_CHECKOUT_DIR__` location.

These Actions are _composite actions_. They invoke scripts and also call other Actions.

## Development

When creating or updating an internal Action, reference it at `@main`. For a release, reference it at the release tag.

1. Create / modify the Action under `./.github/actions/<your-action>` and get the changes merged. Let's call the resulting
   commit hash after merge `CH`. (Note: This won't affect any workflow's behavior since
   the existing code will still be calling the Action at an older commit hash).

2. Update the re-usable workflow / Actions to use them in a follow-up PR:

```yaml
uses: yogeshkumararora/slsa-github-generator/.github/actions/<your-action>@<CH>
```

You can update using the following command:

```shell
# Replace __YOUR_CH__ with the commit hash CH from step 1.
find .github/ -name '*.yaml' -o -name '*.yml' | xargs sed -i 's/uses: yogeshkumararora\/slsa-github-generator\/\.github\/actions\/\(.*\)@[a-f0-9]*/uses: yogeshkumararora\/slsa-github-generator\/.github\/actions\/\1@__YOUR_CH__/'
```
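The pinning rule for external Actions can be checked mechanically before merging. The following is an added example, not code from this repository: it scans workflow text for `uses:` lines that reference one of the external Actions and reports local-path calls and refs that are neither a `vX.Y.Z` tag nor a commit hash. The function name, the sample workflow, and the requirement that a commit hash be the full 40 hex characters are assumptions.

```python
import re

# Names taken from the README's list of "external" Actions.
EXTERNAL = {"detect-workflow", "privacy-check", "rng",
            "secure-builder-checkout", "generate-builder"}
REPO = "yogeshkumararora/slsa-github-generator"

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
RELEASE_TAG = re.compile(r"v\d+\.\d+\.\d+")   # vX.Y.Z, as in the README
FULL_SHA = re.compile(r"[0-9a-f]{40}")        # assumption: full-length hash only

# Constructed workflow fragment; the tag and hashes are made up.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: yogeshkumararora/slsa-github-generator/.github/actions/rng@v1.2.3
      - uses: yogeshkumararora/slsa-github-generator/.github/actions/detect-workflow@main
      - uses: ./.github/actions/secure-builder-checkout
      - uses: yogeshkumararora/slsa-github-generator/.github/actions/privacy-check@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/some-internal-action
      - uses: yogeshkumararora/slsa-github-generator/.github/actions/generate-builder@abc1234
"""


def check_workflow(text):
    """Return (line_no, reference, problem) for each misused external Action."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = USES.match(line)
        if not m:
            continue
        target = m.group(1)
        path, _, ref = target.partition("@")
        name = path.rsplit("/", 1)[-1]
        if name not in EXTERNAL:
            continue  # internal or third-party Action: out of scope here
        if path == f"./.github/actions/{name}":
            findings.append((no, target, "external Action called by local path"))
        elif path == f"{REPO}/.github/actions/{name}":
            if not (RELEASE_TAG.fullmatch(ref) or FULL_SHA.fullmatch(ref)):
                findings.append((no, target, f"unpinned ref '{ref}'"))
    return findings


if __name__ == "__main__":
    for no, target, problem in check_workflow(SAMPLE):
        print(f"line {no}: {problem}: {target}")
```

A mutable ref such as `@main` lets the builder code change underneath a caller without any change in the calling workflow, which is why those lines are reported.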