From 0cd6236a1179d0a362d60e4edd8b678d5babe87c Mon Sep 17 00:00:00 2001
From: Michael Seele
Date: Thu, 30 Apr 2026 10:09:54 +0200
Subject: [PATCH] feat: add checkout action

Co-authored-by: Copilot
---
 README.md | 7 ++++++-
 checkout/README.md | 24 ++++++++++++++++++++++++
 checkout/action.yml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 75 insertions(+), 1 deletion(-)
 create mode 100644 checkout/README.md
 create mode 100644 checkout/action.yml

diff --git a/README.md b/README.md
index 78d702e..0a7e0d0 100644
--- a/README.md
+++ b/README.md
@@ -1,14 +1,19 @@
 # shared-actions
 
-Shared composite actions for Forgejo CI/CD pipelines.
+Shared actions for Forgejo CI/CD pipelines.
 
 ## Actions
 
 | Action | Description |
 |--------|-------------|
 | [aws-configure](aws-configure) | Authenticate with AWS via OIDC |
+| [checkout](checkout) | Action for checking out a repository |
 
+## Security
+
+Where third-party Forgejo/GitHub Actions are used internally, they are pinned to exact commit hashes rather than mutable tags to prevent supply chain attacks.
+
 ## Usage
 
 Reference actions from your project's workflow:
 
diff --git a/checkout/README.md b/checkout/README.md
new file mode 100644
index 0000000..819e519
--- /dev/null
+++ b/checkout/README.md
@@ -0,0 +1,24 @@
+# checkout
+
+Composite wrapper around actions/checkout pinned to a specific commit SHA to prevent supply chain attacks via tag or branch hijacking.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `ref` | No | `''` | Branch, tag, or SHA to checkout |
+| `repository` | No | `${{ github.repository }}` | Repository name with owner |
+| `token` | No | `${{ github.token }}` | Personal access token to fetch the repository |
+| `path` | No | `''` | Relative path under `$GITHUB_WORKSPACE` to place the repository |
+| `fetch-depth` | No | `1` | Number of commits to fetch. `0` fetches all history |
+| `submodules` | No | `false` | Whether to checkout submodules (`true`, `false`, or `recursive`) |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.forgejo/actions/checkout@v1
+```
+
+## Notes
+
+- Pinned to `actions/checkout` commit SHA `de0fac2e` (v6.0.2) to prevent supply chain attacks via tag or branch hijacking.
\ No newline at end of file
diff --git a/checkout/action.yml b/checkout/action.yml
new file mode 100644
index 0000000..4292e84
--- /dev/null
+++ b/checkout/action.yml
@@ -0,0 +1,45 @@ +name: Schmalz Checkout +description: > + Composite wrapper around actions/checkout pinned to a specific commit SHA + to prevent supply chain attacks via tag or branch hijacking. + +inputs: + ref: + description: The branch, tag, or SHA to checkout. Defaults to the ref that triggered the workflow. + required: false + default: '' + repository: + description: Repository name with owner (e.g. actions/checkout). Defaults to the current repository. + required: false + default: ${{ github.repository }} + token: + description: Personal access token used to fetch the repository. + required: false + default: ${{ github.token }} + path: + description: Relative path under $GITHUB_WORKSPACE to place the repository. + required: false + default: '' + fetch-depth: + description: Number of commits to fetch. 0 fetches all history. + required: false + default: '1' + submodules: + description: Whether to checkout submodules. true, false, or recursive. + required: false + default: 'false' + +runs: + using: composite + steps: + # Pinned to commit SHA instead of a tag to prevent supply chain attacks. + # actions/checkout v6.0.2 — https://code.forgejo.org/actions/checkout/commits/tag/v6.0.2 + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + with: + ref: ${{ inputs.ref }} + repository: ${{ inputs.repository }} + token: ${{ inputs.token }} + path: ${{ inputs.path }} + fetch-depth: ${{ inputs.fetch-depth }} + submodules: ${{ inputs.submodules }}
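Review bot: The wrapper does not expose `persist-credentials`, so every checkout it performs inherits actions/checkout's upstream default of storing `token` (here `github.token` unless overridden) in the checked-out repository's git config, where later steps and uploaded artifacts can read it; adding a `persist-credentials` input and forwarding it in the `with:` block at the end of the hunk lets callers opt in deliberately, with `'false'` as the least-privilege default if no consumer is known to rely on persisted credentials. The `token` input's description calls it a "Personal access token" while its default is the job token; `description: Token used to fetch the repository. Defaults to the workflow's job token.` matches the actual default. Separately, the usage snippet in checkout/README.md references `.forgejo/actions/checkout@v1`, which does not match this file's path `checkout/action.yml`, so confirm which layout is intended. The `v6.0.2` in the step comment cannot be checked against the pinned SHA from the diff alone; verify the two agree before merging.
```yaml
# … unchanged: name, description, inputs ref through submodules …
  persist-credentials:
    description: Whether to keep the token in the local git config for later steps. Leave false unless a later step needs authenticated git operations.
    required: false
    default: 'false'
# … unchanged: runs, using, steps, uses, earlier with: entries …
        submodules: ${{ inputs.submodules }}
        persist-credentials: ${{ inputs.persist-credentials }}
```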