From 4d33b68ad0be6e46aa520611439db8a984056b90 Mon Sep 17 00:00:00 2001
From: Raj-StepSecurity
Date: Fri, 27 Mar 2026 10:55:25 +0530
Subject: [PATCH] Revert "Fix/auto fill subscription"
---
 .github/workflows/replace_subscription.yml | 131 ----------
 scripts/replace_validate_subscription.go.go | 258 --------------------
 2 files changed, 389 deletions(-)
 delete mode 100644 .github/workflows/replace_subscription.yml
 delete mode 100644 scripts/replace_validate_subscription.go.go
diff --git a/.github/workflows/replace_subscription.yml b/.github/workflows/replace_subscription.yml
deleted file mode 100644
index 906fa74..0000000
--- a/.github/workflows/replace_subscription.yml
+++ /dev/null
@@ -1,131 +0,0 @@ -name: Update validateSubscription - -on: - workflow_dispatch: - inputs: - repo_name: - description: "Repository to update in owner/repo format" - required: true - type: string - package_manager: - description: "Specify package manager (npm or yarn)" - required: false - type: choice - options: - - npm - - yarn - default: npm - use_private_packages: - description: "Use private packages" - required: false - type: boolean - default: false - script: - description: "Specify the npm/yarn script to run" - required: false - type: string - default: "npm run build" - yarn_version: - description: "Yarn version to use if package_manager=yarn" - required: false - type: string - working_directory: - description: "Working directory inside repo" - required: false - type: string - default: "." - node_version: - description: "Specify Node.js version (e.g., '18', '20', 'lts/*')" - required: false - type: string - default: "20" - -jobs: - update-subscription-check: - runs-on: ubuntu-latest - permissions: - contents: write - - steps: - - name: Harden Runner - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 - with: - egress-policy: audit - - - name: Checkout automation repo - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: Setup Go - uses: actions/setup-go@v5 - with: - go-version: "1.22" - - - name: Clone target repository - env: - GH_TOKEN: ${{ secrets.REPO_ACCESS_TOKEN }} - REPO_NAME: ${{ inputs.repo_name }} - run: | - set -euo pipefail - git clone "https://x-access-token:${GH_TOKEN}@github.com/${REPO_NAME}.git" target-repo - - - name: Install specific Yarn version if defined - if: ${{ inputs.package_manager == 'yarn' && inputs.yarn_version != '' }} - run: | - corepack enable - corepack prepare "yarn@${{ inputs.yarn_version }}" --activate - echo "Activated Yarn version ${{ inputs.yarn_version }}" - - - name: Set up Node.js - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # 
v4.2.0 - with: - node-version: ${{ inputs.node_version }} - cache: ${{ inputs.package_manager }} - cache-dependency-path: | - target-repo/${{ inputs.working_directory }}/package-lock.json - target-repo/${{ inputs.working_directory }}/npm-shrinkwrap.json - target-repo/${{ inputs.working_directory }}/yarn.lock - - - name: Authenticate npm with GitHub Packages (if using private packages) - if: inputs.use_private_packages == true - run: | - echo "//npm.pkg.github.com/:_authToken=${{ secrets.GITHUB_TOKEN }}" > ~/.npmrc - echo "@${{ github.repository_owner }}:registry=https://npm.pkg.github.com/" >> ~/.npmrc - - - name: Replace validateSubscription block - working-directory: target-repo/${{ inputs.working_directory }} - run: | - go run "${GITHUB_WORKSPACE}/scripts/replace_validate_subscription.go" - - - name: Install dependencies - working-directory: target-repo/${{ inputs.working_directory }} - run: | - set -euo pipefail - if [ "${{ inputs.package_manager }}" == "npm" ]; then - npm ci - else - yarn install --frozen-lockfile - fi - - - name: Build project - working-directory: target-repo/${{ inputs.working_directory }} - run: | - set -euo pipefail - SCRIPT="${{ inputs.script }}" - eval "$SCRIPT" || echo "No build script found or failed, skipping." - - - name: Commit and push changes - working-directory: target-repo - run: | - set -euo pipefail - - git config user.name "github-actions[bot]" - git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - - if git diff --quiet; then - echo "No changes found" - exit 0 - fi - - git add . - git commit -m "chore: update validateSubscription for maintained actions" - git push origin HEAD diff --git a/scripts/replace_validate_subscription.go.go b/scripts/replace_validate_subscription.go.go deleted file mode 100644 index 9cc37ac..0000000 --- a/scripts/replace_validate_subscription.go.go +++ /dev/null 
@@ -1,258 +0,0 @@ -package main - -import ( - "bytes" - "fmt" - "io/fs" - "os" - "path/filepath" - "regexp" - "strings" -) - -const replacement = `async function validateSubscription() { - const repoPrivate = github.context?.payload?.repository?.private - const upstream = 'SwiftyLab/setup-swift' - const action = process.env.GITHUB_ACTION_REPOSITORY - const docsUrl = - 'https://docs.stepsecurity.io/actions/stepsecurity-maintained-actions' - - info('') - info('\u001b[1;36mStepSecurity Maintained Action\u001b[0m') - info(` + "`" + `Secure drop-in replacement for ${upstream}` + "`" + `) - if (repoPrivate === false) - info('\u001b[32m\u2713 Free for public repositories\u001b[0m') - info(` + "`" + `\u001b[36mLearn more:\u001b[0m ${docsUrl}` + "`" + `) - info('') - - if (repoPrivate === false) return - - const serverUrl = process.env.GITHUB_SERVER_URL || 'https://github.com' - const body: Record = {action: action || ''} - if (serverUrl !== 'https://github.com') body.ghes_server = serverUrl - try { - await axios.post( - ` + "`" + `https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/maintained-actions-subscription` + "`" + `, - body, - {timeout: 3000} - ) - } catch (error) { - if (isAxiosError(error) && error.response?.status === 403) { - err( - ` + "`" + `\u001b[1;31mThis action requires a StepSecurity subscription for private repositories.\u001b[0m` + "`" + ` - ) - err( - ` + "`" + `\u001b[31mLearn how to enable a subscription: ${docsUrl}\u001b[0m` + "`" + ` - ) - process.exit(1) - } - info('Timeout or API not reachable. 
Continuing to next step.') - } -}` - -var signatureRE = regexp.MustCompile(`async\s+function\s+validateSubscription\s*$begin:math:text$\[\^\)\]\*$end:math:text$\s*(?::\s*Promise<[^>]+>)?\s*\{`) - -func main() { - root, err := os.Getwd() - if err != nil { - fmt.Fprintf(os.Stderr, "failed to get working directory: %v\n", err) - os.Exit(1) - } - - var updatedFile string - - err = filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error { - if walkErr != nil { - return walkErr - } - - name := d.Name() - - if d.IsDir() { - switch name { - case ".git", "node_modules", "dist", "coverage", "vendor": - return filepath.SkipDir - } - return nil - } - - if !isCandidateFile(path) { - return nil - } - - changed, err := replaceInFile(path) - if err != nil { - return err - } - if changed { - updatedFile = path - return fs.SkipAll - } - return nil - }) - - if err != nil { - fmt.Fprintf(os.Stderr, "error while processing files: %v\n", err) - os.Exit(1) - } - - if updatedFile == "" { - fmt.Fprintln(os.Stderr, "could not find async function validateSubscription() in any .ts or .js file outside dist/") - os.Exit(1) - } - - fmt.Printf("updated: %s\n", updatedFile) - fmt.Println("replacement completed successfully") -} - -func isCandidateFile(path string) bool { - if strings.HasSuffix(path, ".d.ts") { - return false - } - return strings.HasSuffix(path, ".ts") || strings.HasSuffix(path, ".js") -} - -func replaceInFile(path string) (bool, error) { - contents, err := os.ReadFile(path) - if err != nil { - return false, err - } - - start, end, found := findFunctionRange(contents) - if !found { - return false, nil - } - - var out bytes.Buffer - out.Write(contents[:start]) - out.WriteString(replacement) - out.Write(contents[end:]) - - if bytes.Equal(out.Bytes(), contents) { - return false, nil - } - - if err := os.WriteFile(path, out.Bytes(), 0644); err != nil { - return false, err - } - - return true, nil -} - -func findFunctionRange(content []byte) (int, int, bool) { - loc 
:= signatureRE.FindIndex(content) - if loc == nil { - return 0, 0, false - } - - start := loc[0] - openBrace := bytes.IndexByte(content[loc[0]:loc[1]], '{') - if openBrace == -1 { - return 0, 0, false - } - openBrace += loc[0] - - depth := 0 - inSingle := false - inDouble := false - inTemplate := false - inLineComment := false - inBlockComment := false - - for i := openBrace; i < len(content); i++ { - ch := content[i] - var next byte - if i+1 < len(content) { - next = content[i+1] - } - - if inLineComment { - if ch == '\n' { - inLineComment = false - } - continue - } - - if inBlockComment { - if ch == '*' && next == '/' { - inBlockComment = false - i++ - } - continue - } - - if inSingle { - if ch == '\\' { - i++ - continue - } - if ch == '\'' { - inSingle = false - } - continue - } - - if inDouble { - if ch == '\\' { - i++ - continue - } - if ch == '"' { - inDouble = false - } - continue - } - - if inTemplate { - if ch == '\\' { - i++ - continue - } - if ch == '`' { - inTemplate = false - } - continue - } - - if ch == '/' && next == '/' { - inLineComment = true - i++ - continue - } - - if ch == '/' && next == '*' { - inBlockComment = true - i++ - continue - } - - if ch == '\'' { - inSingle = true - continue - } - - if ch == '"' { - inDouble = true - continue - } - - if ch == '`' { - inTemplate = true - continue - } - - if ch == '{' { - depth++ - continue - } - - if ch == '}' { - depth-- - if depth == 0 { - return start, i + 1, true - } - } - } - - return 0, 0, false -} \ No newline at end of file