feat: add some scripts

scripts/scan-actions.sh

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+# Scan git repositories for GitHub/Gitea/Forgejo Actions used in workflows
+# Usage: ./scripts/scan-actions.sh /var/lib/gitea/repositories
+
+set -euo pipefail
+
+# Wrapper to handle safe.directory issues when running as root
+git_cmd() {
+    git -c safe.directory='*' "$@"
+}
+
+if [[ $# -ne 1 ]]; then
+    echo "Usage: $0 <base-folder>" >&2
+    echo "Example: $0 /var/lib/gitea/repositories" >&2
+    exit 1
+fi
+
+BASE_DIR="$1"
+
+if [[ ! -d "$BASE_DIR" ]]; then
+    echo "Error: Directory '$BASE_DIR' does not exist" >&2
+    exit 1
+fi
+
+# Find all bare git repositories
+find "$BASE_DIR" -type d -name "*.git" -print0 2>/dev/null | while IFS= read -r -d '' repo; do
+    # Get all branch refs
+    branches=$(git_cmd -C "$repo" for-each-ref --format='%(refname:short)' refs/heads/ 2>/dev/null || true)
+
+    if [[ -z "$branches" ]]; then
+        continue
+    fi
+
+    for branch in $branches; do
+        # Check all workflow directories
+        for workflow_dir in ".github/workflows" ".gitea/workflows" ".forgejo/workflows"; do
+            # List files in the workflow directory
+            files=$(git_cmd -C "$repo" ls-tree --name-only "$branch":"$workflow_dir" 2>/dev/null || true)
+
+            for file in $files; do
+                # Only process .yml and .yaml files
+                case "$file" in
+                    *.yml|*.yaml)
+                        # Read the file content and extract uses: statements
+                        git_cmd -C "$repo" show "$branch:$workflow_dir/$file" 2>/dev/null || true
+                        ;;
+                esac
+            done
+        done
+    done
+done | \
+    # Extract uses: values - match owner/repo@ref or owner/repo/path@ref pattern
+    grep -oE 'uses:\s*["'"'"']?[a-zA-Z0-9_.-]+/[a-zA-Z0-9_./-]+@[a-zA-Z0-9_.-]+' | \
+    # Remove the uses: prefix and any quotes
+    sed -E 's/uses:\s*["'"'"']?//' | \
+    # Sort and deduplicate
+    sort -u