rule_credentials.go
package actionlint
import (
"fmt"
"strings"
)
// RuleCredentials is the rule that reports a container registry password
// written directly into a workflow. It inspects the "credentials" of a job's
// "container" section and of each service container, and reports a password
// value that is not wrapped in ${{ }} expression syntax.
type RuleCredentials struct {
	// RuleBase is embedded; the constructor sets its name to "credentials".
	// NOTE(review): errorf is presumably promoted from RuleBase; its definition
	// is not visible in this file.
	RuleBase
}
// NewRuleCredentials returns a RuleCredentials whose embedded RuleBase carries
// the rule name "credentials".
func NewRuleCredentials() *RuleCredentials {
	rule := &RuleCredentials{}
	rule.RuleBase = RuleBase{name: "credentials"}
	return rule
}
// VisitJobPre is the callback invoked for a Job node before its children are
// visited. It runs the password check on the job's "container" section, when
// one is present, and on the container of every entry in the job's services.
// It always returns nil; findings are recorded through checkContainer.
func (rule *RuleCredentials) VisitJobPre(n *Job) error {
	if c := n.Container; c != nil {
		rule.checkContainer("\"container\" section", c)
	}

	for _, svc := range n.Services {
		// The service name is quoted into the location text so the report
		// says which service holds the offending password.
		where := fmt.Sprintf("%q service", svc.Name.Value)
		rule.checkContainer(where, svc.Container)
	}

	return nil
}
// checkContainer reports an error at the password's position when the
// container's credentials carry a password that is not written as a ${{ }}
// expression. where names the location ("container" section or a service) and
// is interpolated into the message. Containers without credentials, or without
// a password, are skipped.
//
// The test is syntactic only: after trimming surrounding whitespace, any value
// that starts with "${{" and ends with "}}" is accepted. It does not verify
// that the expression actually reads from the secrets context, so an
// expression wrapping a quoted literal or another context passes unreported.
// A clean result therefore means "not obviously hardcoded", not "sourced from
// secrets". Only the password is inspected; other credential fields are not.
func (rule *RuleCredentials) checkContainer(where string, n *Container) {
	creds := n.Credentials
	if creds == nil {
		return
	}

	pw := creds.Password
	if pw == nil {
		return
	}

	trimmed := strings.TrimSpace(pw.Value)
	if strings.HasPrefix(trimmed, "${{") && strings.HasSuffix(trimmed, "}}") {
		// Looks like a single expression placeholder; nothing to report.
		return
	}

	rule.errorf(pw.Pos, "\"password\" section in %s should be specified via secrets. do not put password value directly", where)
}