scripts/check-composite-action-input-interpolation.py

#!/usr/bin/env python3
from __future__ import annotations

import pathlib
import re
import sys


INPUT_INTERPOLATION_RE = re.compile(r"\$\{\{\s*inputs\.")
RUN_LINE_RE = re.compile(r"^(\s*)run:\s*(.*)$")
USING_COMPOSITE_RE = re.compile(r"^\s*using:\s*composite\s*$", re.MULTILINE)


def indentation(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def scan_file(path: pathlib.Path) -> list[tuple[int, str]]:
    text = path.read_text(encoding="utf-8")
    if not USING_COMPOSITE_RE.search(text):
        return []

    lines = text.splitlines()
    violations: list[tuple[int, str]] = []
    line_count = len(lines)
    index = 0

    while index < line_count:
        line = lines[index]
        match = RUN_LINE_RE.match(line)
        if not match:
            index += 1
            continue

        run_indent = len(match.group(1))
        run_value = match.group(2).strip()
        line_no = index + 1

        if run_value and run_value[0] not in ("|", ">"):
            if INPUT_INTERPOLATION_RE.search(run_value):
                violations.append((line_no, line.strip()))
            index += 1
            continue

        index += 1
        while index < line_count:
            script_line = lines[index]
            if script_line.strip() == "":
                index += 1
                continue
            if indentation(script_line) <= run_indent:
                break
            if INPUT_INTERPOLATION_RE.search(script_line):
                violations.append((index + 1, script_line.strip()))
            index += 1

    return violations


def main() -> int:
    root = pathlib.Path(".github/actions")
    files = sorted(root.rglob("action.y*ml"))
    all_violations: list[tuple[pathlib.Path, int, str]] = []

    for file_path in files:
        for line_no, line in scan_file(file_path):
            all_violations.append((file_path, line_no, line))

    if all_violations:
        print("Disallowed direct inputs interpolation in composite run blocks:")
        for file_path, line_no, line in all_violations:
            print(f"- {file_path}:{line_no}: {line}")
        print("Use env: and reference shell variables instead.")
        return 1

    print("No direct inputs interpolation found in composite run blocks.")
    return 0


if __name__ == "__main__":
    sys.exit(main())