From a2e72c22ed3166764d9c086c4e7b0f26a5b69a0e Mon Sep 17 00:00:00 2001 From: Gwynne Raskind Date: Fri, 13 Oct 2023 19:49:36 -0500 Subject: [PATCH] Add Swift dependency graph generator action --- .github/actions/easy-checkout/action.yml | 114 ++++++++++++++++++ .../generate-swift-dependencies/action.yml | 66 ++++++++++ .../convert-dependency-graph.swift | 104 ++++++++++++++++ 3 files changed, 284 insertions(+) create mode 100644 .github/actions/easy-checkout/action.yml create mode 100644 .github/actions/generate-swift-dependencies/action.yml create mode 100755 .github/actions/generate-swift-dependencies/convert-dependency-graph.swift diff --git a/.github/actions/easy-checkout/action.yml b/.github/actions/easy-checkout/action.yml new file mode 100644 index 0000000..d226845 --- /dev/null +++ b/.github/actions/easy-checkout/action.yml @@ -0,0 +1,114 @@ +name: easy-checkout +description: Wraps actions/checkout with additional logic + +# Taken from https://github.com/actions/checkout/blob/c533a0a4cfc4962971818edcfac47a2899e69799/action.yml +inputs: + repository: + description: 'Repository name with owner. For example, actions/checkout' + default: ${{ github.repository }} + ref: + description: > + The branch, tag or SHA to checkout. When checking out the repository that + triggered a workflow, this defaults to the reference or SHA for that + event. Otherwise, uses the default branch. + token: + description: > + Personal access token (PAT) used to fetch the repository. The PAT is configured + with the local git config, which enables your scripts to run authenticated git + commands. The post-job step removes the PAT. + + + We recommend using a service account with the least permissions necessary. + Also when generating a new PAT, select the least scopes necessary. + + + [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets) + default: ${{ github.token }} + ssh-key: + description: > + SSH key used to fetch the repository. The SSH key is configured with the local + git config, which enables your scripts to run authenticated git commands. + The post-job step removes the SSH key. + + + We recommend using a service account with the least permissions necessary. + + + [Learn more about creating and using + encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets) + ssh-known-hosts: + description: > + Known hosts in addition to the user and global host key database. The public + SSH keys for a host may be obtained using the utility `ssh-keyscan`. For example, + `ssh-keyscan github.com`. The public key for github.com is always implicitly added. + ssh-strict: + description: > + Whether to perform strict host key checking. When true, adds the options `StrictHostKeyChecking=yes` + and `CheckHostIP=no` to the SSH command line. Use the input `ssh-known-hosts` to + configure additional hosts. + default: true + persist-credentials: + description: 'Whether to configure the token or SSH key with the local git config' + default: true + path: + description: 'Relative path under $GITHUB_WORKSPACE to place the repository' + clean: + description: 'Whether to execute `git clean -ffdx && git reset --hard HEAD` before fetching' + default: true + filter: + description: > + Partially clone against a given filter. + Overrides sparse-checkout if set. + default: null + sparse-checkout: + description: > + Do a sparse checkout on given patterns. + Each pattern should be separated with new lines. + default: null + sparse-checkout-cone-mode: + description: > + Specifies whether to use cone-mode when doing a sparse checkout. + default: true + fetch-depth: + description: 'Number of commits to fetch. 0 indicates all history for all branches and tags.' + default: 1 + fetch-tags: + description: 'Whether to fetch tags, even if fetch-depth > 0.' + default: false + show-progress: + description: 'Whether to show progress status output when fetching.' + default: true + lfs: + description: 'Whether to download Git-LFS files' + default: false + submodules: + description: > + Whether to checkout submodules: `true` to checkout submodules or `recursive` to + recursively checkout submodules. + + + When the `ssh-key` input is not provided, SSH URLs beginning with `git@github.com:` are + converted to HTTPS. + default: false + set-safe-directory: + description: Add repository path as safe.directory for Git global config by running `git config --global --add safe.directory ` + default: true + github-server-url: + description: The base URL for the GitHub instance that you are trying to clone from, will use environment defaults to fetch from the same instance that the workflow is running from unless specified. Example URLs are https://github.com or https://my-ghes-server.example.com + required: false + +runs: + using: composite + steps: + - name: Massage inputs + id: processor + if: ${{ inputs.repository != github.repository && inputs.path != '' }} + env: + INPUTS: ${{ toJSON(inputs) }} + shell: bash + run: | + echo "params=$(echo "${INPUTS}" | jq -c '.path=(.repository|split("/")|last)')" >>"${GITHUB_OUTPUT}" + + - name: Invoke checkout + uses: actions/checkout@v4 + with: ${{ fromJSON(steps.processor.outputs.params || toJSON(inputs)) }} diff --git a/.github/actions/generate-swift-dependencies/action.yml b/.github/actions/generate-swift-dependencies/action.yml new file mode 100644 index 0000000..9a9975d --- /dev/null +++ b/.github/actions/generate-swift-dependencies/action.yml @@ -0,0 +1,66 @@ +name: generate-swift-dependencies +description: Submit the dependencies of a Swift project to the Github API + +inputs: + path: + description: The path to the checked-out package to generate dependencies for. Defaults to workspace. + required: false + default: ${{ github.workspace }} + repository: + description: The Github repo to submit the dependencies to. Defaults to current. + required: false + default: ${{ github.repository }} + branch: + description: The branch to associate the dependency submission with. Defaults to ref. + required: false + default: ${{ github.ref }} + commit: + description: The commit from which the dependencies are generated. Defaults to current. + required: false + default: ${{ github.sha }} + token: + description: Github access token to use for submitting the dependencies. + required: false + default: ${{ github.token }} + +runs: + using: composite + steps: + - name: Generate dependencies + env: + PROJ: ${{ inputs.path || github.workspace }} + REPO_SPEC: ${{ inputs.repository || github.repository }} + BRANCH: ${{ inputs.branch || github.ref }} + COMMIT: ${{ inputs.commit || github.sha }} + TOKEN: ${{ inputs.token || github.token }} + CORRELATOR: ${{ format('{0}-{1}-{2}-{3}', github.workflow, github.job, github.action, runner.os) }} + RUN_ID: ${{ github.run_id }} + shell: bash + run: | + set -e -o pipefail + shopt -s lastpipe + OWNER="${REPO_SPEC%%/*}" REPO="${REPO_SPEC#*/}" + cd "${PROJ}" + + if [[ -f './Package.resolved' ]]; then + # If there's a preexisting Package.resolved and Git knows about it, this + # action has nothing to do; a correct Dependabot configuration will already + # process that file. + if [[ -z "$(git status --porcelain Package.resolved)" ]]; then + exit 0 + fi + # Otherwise it's already present due to something that was done before + # this action was invoked, so leave it alone. + else + # No file exists, we need to run a resolve. + swift package --skip-update resolve + fi + + swift package --skip-update show-dependencies --format json | + "${GITHUB_ACTION_PATH}/convert-dependency-graph.swift" | + curl -fSsL -X POST \ + -H "Accept: application/vnd.github+json" \ + -H "Authorization: Bearer ${TOKEN}" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "${GITHUB_API_URL}/repos/${OWNER}/${REPO}/dependency-graph/snapshots \ + --data @- diff --git a/.github/actions/generate-swift-dependencies/convert-dependency-graph.swift b/.github/actions/generate-swift-dependencies/convert-dependency-graph.swift new file mode 100755 index 0000000..a969b81 --- /dev/null +++ b/.github/actions/generate-swift-dependencies/convert-dependency-graph.swift @@ -0,0 +1,104 @@ +#!/usr/bin/env swift -enable-upcoming-feature ExistentialAny -enable-upcoming-feature BareSlashRegexLiterals + +import Foundation + +struct PackageDependency: Codable { + let identity: String, name: String, url: String, version: String, path: String + let dependencies: [PackageDependency] +} + +struct SwiftPUrl: Codable, RawRepresentable { + let scheme: String, type: String, source: String, name: String, version: String + var rawValue: String { "\(self.scheme):\(self.type)/\(self.source)/\(self.name)@\(self.version)" } + + init?(rawValue raw: String) { + guard let match = raw.wholeMatch(of: #/pkg:swift/(?[^/]+)/(?[^@]+)@(?.+)/#) else { return nil } + self.init(source: .init(match.sp), name: .init(match.nm), version: .init(match.ver)) + } + init(source: String, name: String, version: String) { + (self.scheme, self.type) = ("pkg", "swift") + (self.source, self.name, self.version) = (source, name, version) + } + init(with url: URL, version: String) { + (self.scheme, self.type) = ("pkg", "swift") + self.source = "\(url.host ?? "localhost")\(url.deletingLastPathComponent().path)" + self.name = (url.pathExtension == "git" ? url.deletingPathExtension() : url).lastPathComponent + self.version = version + } +} + +struct GithubDependencyGraph: Codable { + struct Job: Codable { let correlator: String, id: String } + struct Detector: Codable { let name: String, version: String, url: String } + struct Manifest: Codable { + struct File: Codable { let source_location: String } + struct Package: Codable { let package_url: SwiftPUrl, dependencies: [String] } + let name: String, file: File, resolved: [String: Package] + } + let owner: String, repo: String, version: Int, sha: String, ref: String, + job: Job, detector: Detector, scanned: Date, manifests: [String: Manifest] +} + +func env(_ name: String) -> String? { ProcessInfo.processInfo.environment[name] } + +func main() { + let decoder = JSONDecoder(), encoder = JSONEncoder() + decoder.dateDecodingStrategy = .iso8601 + encoder.dateEncodingStrategy = .iso8601 + encoder.outputFormatting = [.withoutEscapingSlashes, .sortedKeys] + + guard let owner = env("OWNER"), let repo = env("REPO"), + let branch = env("BRANCH"), let commit = env("COMMIT"), + let correlator = env("CORRELATOR"), let runId = env("RUN_ID"), + let detector = env("GITHUB_ACTION"), + let detectorVer = env("GITHUB_ACTION_REF"), + let detectorRepo = env("GITHUB_ACTION_REPOSITORY"), + let serverUrl = env("GITHUB_SERVER_URL") + else { + try? FileHandle.standardError.write(contentsOf: Array("Incomplete environment.\n".utf8)) + exit(1) + } + + let dependencies = try! decoder.decode( + PackageDependency.self, + from: FileHandle.standardInput.readToEnd() ?? .init() + ).dependencies + + var resolved = [String: GithubDependencyGraph.Manifest.Package]() + + func handleDeps(_ dependencies: [PackageDependency]) { + for dep in dependencies where !resolved.keys.contains(dep.identity) { + handleDeps(dep.dependencies) + guard !resolved.keys.contains(dep.identity) else { continue } + guard let url = URL(string: dep.url) else { + try? FileHandle.standardError.write(contentsOf: Array("Invalid URL for package \(dep.identity)\n".utf8)) + exit(1) + } + resolved[dep.identity] = .init( + package_url: .init(with: url, version: dep.version), + dependencies: dep.dependencies.map(\.identity).sorted() + ) + } + } + handleDeps(dependencies) + + let graph = GithubDependencyGraph( + owner: owner, repo: repo, version: 0, sha: commit, ref: branch, + job: .init(correlator: correlator, id: runId), + detector: .init( + name: .init(detector.prefix(while: { $0 != "_" })), + version: detectorVer, + url: "\(serverUrl)/\(detectorRepo)" + ), + scanned: Date(), + manifests: ["Package.resolved": .init( + name: "Package.resolved", + file: .init(source_location: "Package.resolved"), + resolved: resolved + )] + ) + + print(String(decoding: try! encoder.encode(graph), as: UTF8.self)) +} + +main()