57 lines
1.9 KiB
Bash
Executable file
57 lines
1.9 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
# Scan git repositories for GitHub/Gitea/Forgejo Actions used in workflows
|
|
# Usage: ./scripts/scan-actions.sh /var/lib/gitea/repositories
|
|
|
|
set -euo pipefail
|
|
|
|
# Wrapper to handle safe.directory issues when running as root
|
|
git_cmd() {
|
|
git -c safe.directory='*' "$@"
|
|
}
|
|
|
|
if [[ $# -ne 1 ]]; then
|
|
echo "Usage: $0 <base-folder>" >&2
|
|
echo "Example: $0 /var/lib/gitea/repositories" >&2
|
|
exit 1
|
|
fi
|
|
|
|
BASE_DIR="$1"
|
|
|
|
if [[ ! -d "$BASE_DIR" ]]; then
|
|
echo "Error: Directory '$BASE_DIR' does not exist" >&2
|
|
exit 1
|
|
fi
|
|
|
|
# Find all bare git repositories
|
|
find "$BASE_DIR" -type d -name "*.git" -print0 2>/dev/null | while IFS= read -r -d '' repo; do
|
|
# Get all branch refs
|
|
branches=$(git_cmd -C "$repo" for-each-ref --format='%(refname:short)' refs/heads/ 2>/dev/null || true)
|
|
|
|
if [[ -z "$branches" ]]; then
|
|
continue
|
|
fi
|
|
|
|
for branch in $branches; do
|
|
# Check all workflow directories
|
|
for workflow_dir in ".github/workflows" ".gitea/workflows" ".forgejo/workflows"; do
|
|
# List files in the workflow directory
|
|
files=$(git_cmd -C "$repo" ls-tree --name-only "$branch":"$workflow_dir" 2>/dev/null || true)
|
|
|
|
for file in $files; do
|
|
# Only process .yml and .yaml files
|
|
case "$file" in
|
|
*.yml|*.yaml)
|
|
# Read the file content and extract uses: statements
|
|
git_cmd -C "$repo" show "$branch:$workflow_dir/$file" 2>/dev/null || true
|
|
;;
|
|
esac
|
|
done
|
|
done
|
|
done
|
|
done | \
|
|
# Extract uses: values - match owner/repo@ref or owner/repo/path@ref pattern
|
|
grep -oE 'uses:\s*["'"'"']?[a-zA-Z0-9_.-]+/[a-zA-Z0-9_./-]+@[a-zA-Z0-9_.-]+' | \
|
|
# Remove the uses: prefix and any quotes
|
|
sed -E 's/uses:\s*["'"'"']?//' | \
|
|
# Sort and deduplicate
|
|
sort -u
|