Description
Is your feature request related to a problem? Please describe.
I have a GitHub Actions workflow that uses rhysd/actionlint to lint GitHub Actions workflow files. As per its own documentation it is used by running a bash script to download and install the tool.
I however changed the value of `main` to the SHA so that it is pinned:
```yaml
- name: Lint workflows
  shell: bash
  env:
    ACTIONLINT_VERSION: '7b75d16d41920ec126e6f3269db0c6f3ab613c38' # v1.6.25
  run: |
    echo "::add-matcher::.github/actionlint-matcher.json"
    bash <(curl --silent --show-error "https://raw.githubusercontent.com/rhysd/actionlint/${ACTIONLINT_VERSION}/scripts/download-actionlint.bash")
    ./actionlint -color
```
This was then flagged as an unpinned dependency, as the code doesn't walk the whole step to find that the referenced environment variable is a SHA pinning the download. It would be nice if it did, but it's understandable that it doesn't support that.
I then refactored to remove the environment variable like so:
```yaml
- name: Lint workflows
  shell: bash
  run: |
    echo "::add-matcher::.github/actionlint-matcher.json"
    bash <(curl --silent --show-error "https://raw.githubusercontent.com/rhysd/actionlint/7b75d16d41920ec126e6f3269db0c6f3ab613c38/scripts/download-actionlint.bash")
    ./actionlint -color
```
This however still flags the warning:
```
Reason
dependency not pinned by hash detected -- score normalized to 6
Details
Warn: downloadThenRun not pinned by hash: .github/workflows/lint.yml:37
Info: GitHub-owned GitHubActions are pinned
Info: Third-party GitHubActions are pinned
Info: Dockerfile dependencies are pinned
Info: Pip installs are pinned
```
Describe the solution you'd like
The Pinned-Dependencies rule is able to correctly determine that URLs of this format to raw GitHub content in repositories are pinned.
Describe alternatives you've considered
None.
Additional context
None.
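An added example of the check the issue asks for, written here for illustration and not Scorecard's own code: it classifies the ref segment of a raw.githubusercontent.com URL as a full commit SHA, a branch or tag name, or an unexpanded shell variable, and it also resolves such a variable from the step's `env:` map, covering the first scenario in the issue as well. All type and function names are hypothetical.

```go
package main

import (
	"net/url"
	"regexp"
	"strings"
)

// PinStatus classifies the <ref> segment of /<owner>/<repo>/<ref>/<path>.
type PinStatus string

const (
	NotRawGitHub  PinStatus = "not-raw-github"
	PinnedBySHA   PinStatus = "pinned-by-sha"
	UnpinnedRef   PinStatus = "unpinned-ref"   // branch or tag, e.g. main
	UnresolvedVar PinStatus = "unresolved-var" // shell variable left unexpanded
)

var fullSHA = regexp.MustCompile(`^[0-9a-fA-F]{40}$`)
var shellVar = regexp.MustCompile(`\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?`) // ${NAME} or $NAME

// ExpandStepEnv substitutes the step's env: values (the walk the issue asks for).
func ExpandStepEnv(s string, env map[string]string) string {
	return shellVar.ReplaceAllStringFunc(s, func(m string) string {
		if v, ok := env[shellVar.FindStringSubmatch(m)[1]]; ok {
			return v
		}
		return m // unknown variable: left as written, reported as unresolved below
	})
}

// ClassifyRawGitHubURL reports whether one raw URL is pinned to a full commit SHA.
func ClassifyRawGitHubURL(raw string) PinStatus {
	u, err := url.Parse(raw)
	if err != nil || u.Host != "raw.githubusercontent.com" {
		return NotRawGitHub
	}
	parts := strings.SplitN(strings.TrimPrefix(u.Path, "/"), "/", 4)
	if len(parts) < 4 { // need owner, repo, ref and a file path
		return NotRawGitHub
	}
	switch ref := parts[2]; {
	case shellVar.MatchString(ref):
		return UnresolvedVar
	case fullSHA.MatchString(ref):
		return PinnedBySHA
	default:
		return UnpinnedRef
	}
}
```

With the step's `env:` passed to `ExpandStepEnv` first, the `${ACTIONLINT_VERSION}` form from the issue classifies as pinned; without it, it is reported as unresolved rather than silently treated as a branch name.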