From aa2b5409c68d55f6a1cdcb3f62fe5b71a1887d7d Mon Sep 17 00:00:00 2001
From: tdruez
Date: Fri, 27 Mar 2026 15:45:49 +0400
Subject: [PATCH 1/5] use the pre-built docker image in place of a pip install

Signed-off-by: tdruez
---
 action.yml | 118 +++++++++++++++++++++++++++++------------------------
 1 file changed, 65 insertions(+), 53 deletions(-)

diff --git a/action.yml b/action.yml
index b319b20..f1447ca 100644
--- a/action.yml
+++ b/action.yml
@@ -37,52 +37,61 @@ inputs: packages and dependencies. required: false default: "false" - python-version: - description: "Python version." - default: "3.13" - scancodeio-repo-branch: - description: "Branch to install ScanCode.io from the GitHub repository (optional)" - required: false - default: "" - scancodeio-extras: - description: "ScanCode.io optional dependencies (comma-separated) (optional)." - required: false - default: "" + scancodeio-image: + description: "ScanCode.io Docker image to use." + default: "ghcr.io/aboutcode-org/scancode.io:sha256-057627791ae2748b9ce980b0bd21bd6b521c77b7b2e24c074ef7ba98119a611f" runs: using: "composite" steps: - - name: Set up Python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 - with: - python-version: ${{ inputs.python-version }} + - name: Validate inputs + shell: bash + env: + INPUT_IMAGE: ${{ inputs.scancodeio-image }} + INPUT_PROJECT_NAME: ${{ inputs.project-name }} + INPUT_FAIL_LEVEL: ${{ inputs.compliance-fail-level }} + INPUT_PIPELINES: ${{ inputs.pipelines }} + run: | + # Docker image ref: registry/name:tag or registry/name@sha256:digest + if [[ ! "$INPUT_IMAGE" =~ ^[a-zA-Z0-9./_:@-]+$ ]]; then + echo "::error::Invalid image name: $INPUT_IMAGE" + exit 1 + fi + + # Project name: alphanumeric, spaces, hyphens, underscores, dots + if [[ ! "$INPUT_PROJECT_NAME" =~ ^[a-zA-Z0-9[:space:]._-]+$ ]]; then + echo "::error::Invalid project name: $INPUT_PROJECT_NAME" + exit 1 + fi + + # Fail level: only known values + if [[ ! "$INPUT_FAIL_LEVEL" =~ ^(ERROR|WARNING|MISSING)$ ]]; then + echo "::error::Invalid compliance-fail-level: $INPUT_FAIL_LEVEL" + exit 1 + fi + + # Pipeline names: alphanumeric, underscores, commas + if [[ ! 
"$INPUT_PIPELINES" =~ ^[a-zA-Z0-9_,[:space:]]+$ ]]; then + echo "::error::Invalid pipelines value: $INPUT_PIPELINES" + exit 1 + fi - name: Set up environment shell: bash env: INPUT_PROJECT_NAME: ${{ inputs.project-name }} + INPUT_IMAGE: ${{ inputs.scancodeio-image }} run: | echo "SECRET_KEY=$(openssl rand -base64 32)" >> "$GITHUB_ENV" echo "SCANCODEIO_DB_NAME=scancodeio" >> "$GITHUB_ENV" echo "SCANCODEIO_DB_USER=scancodeio" >> "$GITHUB_ENV" echo "SCANCODEIO_DB_PASSWORD=scancodeio" >> "$GITHUB_ENV" - # Sanitize project name for artifact usage + echo "SCANCODEIO_WORKSPACE_LOCATION=/workspace/.scancodeio" >> "$GITHUB_ENV" + echo "SCANCODEIO_IMAGE=$INPUT_IMAGE" >> "$GITHUB_ENV" SAFE_PROJECT_NAME="${INPUT_PROJECT_NAME//[^a-zA-Z0-9._-]/_}" echo "SAFE_PROJECT_NAME=$SAFE_PROJECT_NAME" >> "$GITHUB_ENV" - - name: Detect if ScanCode.io is already installed - shell: bash - run: | - if command -v scanpipe &> /dev/null; then - echo "ScanCode.io already installed." - echo "SCANCODEIO_IS_INSTALLED=true" >> "$GITHUB_ENV" - else - echo "ScanCode.io not found." - echo "SCANCODEIO_IS_INSTALLED=false" >> "$GITHUB_ENV" - fi - - name: Start and setup the PostgreSQL service - if: env.SCANCODEIO_IS_INSTALLED != 'true' shell: bash run: | sudo systemctl start postgresql.service 
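Review bot: The project-name check in the new `Validate inputs` step uses `[:space:]`, which in a bash `=~` bracket expression also matches newline, carriage return and tab, so a multi-line `project-name` passes validation and is later echoed and handed to `scanpipe` unchanged; only the artifact copy (`SAFE_PROJECT_NAME`) is sanitized. If a plain space is the only whitespace you mean to allow, keep the pattern in a variable and tighten it: `re='^[a-zA-Z0-9 ._-]+$'` followed by `if [[ ! "$INPUT_PROJECT_NAME" =~ $re ]]; then`. The `pipelines` check has the same `[:space:]` but its entries are stripped with `tr` further down, so it is fine. The image regex deliberately accepts any registry, name and tag, which means a caller can point this action at an arbitrary image that is then run with the checkout mounted (see the wrapper script later in this patch); a sentence in the `scancodeio-image` description saying so, and recommending callers pin by `@sha256:` digest, would make that trust boundary explicit.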
@@ -90,35 +99,36 @@ runs: sudo -u postgres psql -c "ALTER USER $SCANCODEIO_DB_USER WITH ENCRYPTED PASSWORD '$SCANCODEIO_DB_PASSWORD'" sudo -u postgres createdb --owner=scancodeio --encoding=UTF-8 "$SCANCODEIO_DB_NAME" - - name: Generate scancodeio pip install argument - if: env.SCANCODEIO_IS_INSTALLED != 'true' + - name: Write scanpipe wrapper script shell: bash - env: - INPUT_EXTRAS: ${{ inputs.scancodeio-extras }} run: | - SCANCODEIO_PIP_PACKAGE_ARG="scancodeio" - TRIMMED_EXTRAS="$(echo "$INPUT_EXTRAS" | tr -d '[:space:]')" - if [ -n "$TRIMMED_EXTRAS" ]; then - SCANCODEIO_PIP_PACKAGE_ARG+="[$TRIMMED_EXTRAS]" - fi - echo "SCANCODEIO_PIP_PACKAGE_ARG=${SCANCODEIO_PIP_PACKAGE_ARG}" >> "$GITHUB_ENV" + cat > "$RUNNER_TEMP/scanpipe" << 'EOF' + #!/usr/bin/env bash + set -euo pipefail + exec docker run --rm \ + --network host \ + --read-only \ + --tmpfs /tmp \ + --cap-drop ALL \ + --security-opt no-new-privileges \ + -e SECRET_KEY \ + -e SCANCODEIO_DB_NAME \ + -e SCANCODEIO_DB_USER \ + -e SCANCODEIO_DB_PASSWORD \ + -e SCANCODEIO_DB_HOST=localhost \ + -e SCANCODEIO_WORKSPACE_LOCATION \ + -v "$GITHUB_WORKSPACE:/workspace" \ + "$SCANCODEIO_IMAGE" \ + scanpipe "$@" + EOF + chmod +x "$RUNNER_TEMP/scanpipe" + echo "$RUNNER_TEMP" >> "$GITHUB_PATH" - - name: Install ScanCode.io (only if not already installed) - if: env.SCANCODEIO_IS_INSTALLED != 'true' + - name: Pull the ScanCode.io image shell: bash - env: - INPUT_REPO_BRANCH: ${{ inputs.scancodeio-repo-branch }} - run: | - if [ -z "$INPUT_REPO_BRANCH" ]; then - echo "Installing the latest ${SCANCODEIO_PIP_PACKAGE_ARG} release from PyPI" - pip install --upgrade "$SCANCODEIO_PIP_PACKAGE_ARG" - else - echo "Installing ${SCANCODEIO_PIP_PACKAGE_ARG} from the GitHub branch: $INPUT_REPO_BRANCH" - pip install "${SCANCODEIO_PIP_PACKAGE_ARG} @ git+https://github.com/aboutcode-org/scancode.io.git@${INPUT_REPO_BRANCH}" - fi + run: docker pull "$SCANCODEIO_IMAGE" - name: Run migrations to prepare the database - if: 
env.SCANCODEIO_IS_INSTALLED != 'true' shell: bash run: scanpipe migrate --verbosity 0 @@ -130,6 +140,7 @@ runs: IFS=',' read -ra PIPELINES <<< "$INPUT_PIPELINES" PIPELINE_CLI_ARGS="" for pipeline in "${PIPELINES[@]}"; do + pipeline="$(echo "$pipeline" | tr -d '[:space:]')" PIPELINE_CLI_ARGS+=" --pipeline $pipeline" done echo "PIPELINE_CLI_ARGS=${PIPELINE_CLI_ARGS}" >> "$GITHUB_ENV" @@ -164,8 +175,9 @@ runs: INPUT_PROJECT_NAME: ${{ inputs.project-name }} run: | project_status=$(scanpipe status --project "$INPUT_PROJECT_NAME") - work_directory=$(echo "$project_status" | grep -oP 'Work directory:\s*\K[^\n]+') - echo "PROJECT_WORK_DIRECTORY=$work_directory" >> "$GITHUB_ENV" + container_work_dir=$(echo "$project_status" | grep -oP 'Work directory:\s*\K[^\n]+') + host_work_dir="$GITHUB_WORKSPACE${container_work_dir#/workspace}" + echo "PROJECT_WORK_DIRECTORY=$host_work_dir" >> "$GITHUB_ENV" - name: Copy input files to project work directory if: ${{ !inputs.input-urls }} From e45de1496ea3a53d543127d5238621e9a056633b Mon Sep 17 00:00:00 2001 From: tdruez Date: Fri, 27 Mar 2026 15:49:25 +0400 Subject: [PATCH 2/5] adjustments Signed-off-by: tdruez --- .github/workflows/find-vulnerabilities.yml | 1 - .github/workflows/run-android-deploy-to-develop.yml | 1 - action.yml | 4 ++-- 3 files changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/find-vulnerabilities.yml b/.github/workflows/find-vulnerabilities.yml index 72ab7d6..ecbf980 100644 --- a/.github/workflows/find-vulnerabilities.yml +++ b/.github/workflows/find-vulnerabilities.yml @@ -28,7 +28,6 @@ jobs: - uses: ./ with: pipelines: "scan_codebase,find_vulnerabilities" - scancodeio-repo-branch: "main" check-compliance: true compliance-fail-on-vulnerabilities: true env: diff --git a/.github/workflows/run-android-deploy-to-develop.yml b/.github/workflows/run-android-deploy-to-develop.yml index af31e7f..74b63a5 100644 --- a/.github/workflows/run-android-deploy-to-develop.yml 
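Review bot: `echo "$RUNNER_TEMP" >> "$GITHUB_PATH"` in the `Write scanpipe wrapper script` step puts the whole runner temp directory on `PATH` for every later step of the job, so any executable that a subsequent step drops into `$RUNNER_TEMP` can shadow a command by name; write the wrapper into a dedicated directory instead: `install -d "$RUNNER_TEMP/scancodeio-bin"`, `cat > "$RUNNER_TEMP/scancodeio-bin/scanpipe" << 'EOF'`, and `echo "$RUNNER_TEMP/scancodeio-bin" >> "$GITHUB_PATH"` (with the `chmod +x` path adjusted to match). The `docker run` itself is well hardened (`--read-only`, `--cap-drop ALL`, `no-new-privileges`), but `--network host` together with `-v "$GITHUB_WORKSPACE:/workspace"` still gives a scanner that parses untrusted codebases write access to the entire checkout and reach to anything listening on the runner's loopback; a short comment above `exec docker run` stating that host networking exists only for `SCANCODEIO_DB_HOST=localhost` would stop those flags being trimmed as noise later. Because the caller may pass a mutable tag rather than a digest, the `Pull the ScanCode.io image` step could also log what actually ran, e.g. `docker image inspect --format '{{ index .RepoDigests 0 }}' "$SCANCODEIO_IMAGE"` after the pull.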
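Review bot: After the added `tr -d '[:space:]'` an entry can be empty (a trailing comma or `a, ,b` in `pipelines` passes the validation regex), and the loop then appends a bare `--pipeline` with no value to `PIPELINE_CLI_ARGS`, which presumably surfaces as an argument-parsing error from `scanpipe` instead of a clear input error. Skip empty entries right after trimming: `[ -n "$pipeline" ] || continue`. The `for` loop is fully inside this hunk but the step that owns it starts outside.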
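Review bot: The new `host_work_dir="$GITHUB_WORKSPACE${container_work_dir#/workspace}"` silently produces a wrong path when the reported `Work directory:` does not start with `/workspace` — the `#` expansion is then a no-op and the absolute container path is appended to the checkout — and the following copy step would act on a directory that either does not exist or exists by coincidence. Guard the assumption before mapping: `[[ "$container_work_dir" == /workspace/* ]] || { echo "::error::Unexpected work directory: $container_work_dir"; exit 1; }`. The mapping only holds because the environment step sets `SCANCODEIO_WORKSPACE_LOCATION=/workspace/.scancodeio`, which is worth a one-line comment here so the two stay in sync.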
+++ b/.github/workflows/run-android-deploy-to-develop.yml @@ -22,7 +22,6 @@ jobs: - uses: ./ with: - scancodeio-repo-branch: "main" scancodeio-extras: "android_analysis" pipelines: "android_d2d" input-urls: diff --git a/action.yml b/action.yml index f1447ca..e9738bd 100644 --- a/action.yml +++ b/action.yml @@ -39,7 +39,7 @@ inputs: default: "false" scancodeio-image: description: "ScanCode.io Docker image to use." - default: "ghcr.io/aboutcode-org/scancode.io:sha256-057627791ae2748b9ce980b0bd21bd6b521c77b7b2e24c074ef7ba98119a611f" + default: "ghcr.io/aboutcode-org/scancode.io@sha256:057627791ae2748b9ce980b0bd21bd6b521c77b7b2e24c074ef7ba98119a611f" runs: using: "composite" @@ -71,7 +71,7 @@ runs: fi # Pipeline names: alphanumeric, underscores, commas - if [[ ! "$INPUT_PIPELINES" =~ ^[a-zA-Z0-9_,[:space:]]+$ ]]; then + if [[ ! "$INPUT_PIPELINES" =~ ^[a-zA-Z0-9_,:[:space:]]+$ ]]; then echo "::error::Invalid pipelines value: $INPUT_PIPELINES" exit 1 fi From 4b44255d8e5b68550ec829d4685f7ad42eecdc27 Mon Sep 17 00:00:00 2001 From: tdruez Date: Fri, 27 Mar 2026 15:52:19 +0400 Subject: [PATCH 3/5] adjustments Signed-off-by: tdruez --- action.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/action.yml b/action.yml index e9738bd..99ee22e 100644 --- a/action.yml +++ b/action.yml @@ -109,6 +109,7 @@ runs: --network host \ --read-only \ --tmpfs /tmp \ + --tmpfs /opt/scancodeio/.cache \ --cap-drop ALL \ --security-opt no-new-privileges \ -e SECRET_KEY \ @@ -121,8 +122,6 @@ runs: "$SCANCODEIO_IMAGE" \ scanpipe "$@" EOF - chmod +x "$RUNNER_TEMP/scanpipe" - echo "$RUNNER_TEMP" >> "$GITHUB_PATH" - name: Pull the ScanCode.io image shell: bash From c3fb078ebf46d77f6abab0089bc149de1332afc9 Mon Sep 17 00:00:00 2001 From: tdruez Date: Fri, 27 Mar 2026 15:56:39 +0400 Subject: [PATCH 4/5] adjustments Signed-off-by: tdruez --- action.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/action.yml b/action.yml index 99ee22e..c85834a 100644 --- a/action.yml 
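Review bot: `scancodeio-extras: "android_analysis"` is left in place although patch 1 of this series removes that input from `action.yml`, so the line is now ignored (GitHub emits an unexpected-input warning rather than failing) and the `android_d2d` pipeline will only work if the pinned image already ships the android_analysis extra. Either drop the line or, if the image does bundle it, replace it with a comment such as `# android_analysis extra is bundled in the pre-built image` so the next reader does not assume it is still being installed. Whether the image actually contains that extra cannot be told from this diff — please confirm.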
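Review bot: Moving the default from a `:sha256-…` tag to an `@sha256:` digest is the right pin, but a bare digest tells a maintainer nothing about which ScanCode.io release it corresponds to or how to bump it; add a comment above `default:` such as `# Digest of ghcr.io/aboutcode-org/scancode.io:<release tag>; update deliberately and re-run the workflows` with the real tag filled in. A digest-pinned default still does not prevent a caller from overriding `scancodeio-image` with a mutable tag, which the validation regex allows — worth stating in the input description.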
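Review bot: The comment `# Pipeline names: alphanumeric, underscores, commas` is now stale because the pattern also admits `:`; update it to say what the colon is for, e.g. `# Pipeline names: alphanumeric, underscores, commas; ':' separates a pipeline from its selector`, with the actual purpose filled in since the diff does not show why `:` was needed. The downstream loop builds `--pipeline $pipeline` from these entries, so the colon is passed straight through to `scanpipe`; the accepted form should be documented in the `pipelines` input description as well.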
+++ b/action.yml @@ -122,6 +122,8 @@ runs: "$SCANCODEIO_IMAGE" \ scanpipe "$@" EOF + chmod +x "$RUNNER_TEMP/scanpipe" + echo "$RUNNER_TEMP" >> "$GITHUB_PATH" - name: Pull the ScanCode.io image shell: bash From 180a3fa08aa23763ab1a9b2a794bbbc8cabecd65 Mon Sep 17 00:00:00 2001 From: tdruez Date: Fri, 27 Mar 2026 15:58:22 +0400 Subject: [PATCH 5/5] adjustments Signed-off-by: tdruez --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index c85834a..66cd4b4 100644 --- a/action.yml +++ b/action.yml @@ -109,7 +109,7 @@ runs: --network host \ --read-only \ --tmpfs /tmp \ - --tmpfs /opt/scancodeio/.cache \ + --tmpfs /opt/scancodeio/.cache:mode=1777 \ --cap-drop ALL \ --security-opt no-new-privileges \ -e SECRET_KEY \
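Review bot: `--tmpfs /opt/scancodeio/.cache:mode=1777`, like the `/tmp` tmpfs above it, has no `size=` limit, so a pipeline that fills its cache can consume runner memory until the container is OOM-killed; cap both mounts, for example `--tmpfs /opt/scancodeio/.cache:mode=1777,size=512m`, with a size chosen for the runners you target. Adding `mode=1777` suggests the image does not run as root — if so, a comment naming the expected container user and why world-writable is acceptable inside a single-user container would explain the option to the next reader, and `/tmp` may then need the same treatment; I cannot tell the image's user from this diff.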