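#!/bin/bash
# Audit local package registries (pkgs/**/registry.yaml) against GitHub code search.
#
# For every upstream repository whose workflow files use a signing or attestation
# tool (cosign, GitHub artifact attestations, the SLSA generator), report the
# local registry.yaml files for that repository that do not yet contain the
# matching verification marker. Separately, report github_release packages whose
# latest GitHub release is immutable but whose registry.yaml does not mention
# github_immutable_release.
#
# Output:  one finding per line on stdout, "<label>: <registry file>".
#          Progress and diagnostics go to stderr.
# Inputs:  $allowfile — known findings to suppress, one output line each.
# Requires: gh (authenticated; code search needs a token), jq, yq, find, grep.
set -euo pipefail
shopt -s globstar

# Findings already triaged; a line here suppresses the identical output line.
allowfile=TODO-missing-signs.txt

# highly volatile, prefix of latest release's sha, https://github.com/sigstore/cosign-installer/releases
cosign_installer_latest_sha_prefix=f

# Flat list of triples: (code-search query, marker expected in registry.yaml, report label).
# The queries are hard-coded and passed verbatim as the q= parameter; they are not user input.
searches=(
  # ---------- cosign installers, *.yaml
  '"uses:+sigstore/cosign-installer@main"+path:.github/workflows+extension:yaml'
  cosign:
  cosign-installer
  '"uses:+sigstore/cosign-installer@v1"+path:.github/workflows+extension:yaml'
  cosign:
  cosign-installer
  '"uses:+sigstore/cosign-installer@v2"+path:.github/workflows+extension:yaml'
  cosign:
  cosign-installer
  '"uses:+sigstore/cosign-installer@v3"+NOT+cosign-installer@v3.+path:.github/workflows+extension:yaml'
  cosign:
  cosign-installer
  '"uses:+sigstore/cosign-installer@v3."+path:.github/workflows+extension:yaml'
  cosign:
  cosign-installer
  '"uses:+sigstore/cosign-installer@"+NOT+cosign-installer@main+NOT+cosign-installer@v1+NOT+cosign-installer@v2+NOT+cosign-installer@v3+path:.github/workflows+extension:yaml'
  cosign:
  cosign-installer
  # ---------- cosign installers, *.yml
  '"uses:+sigstore/cosign-installer@main"+path:.github/workflows+extension:yml'
  cosign:
  cosign-installer
  '"uses:+sigstore/cosign-installer@v1"+path:.github/workflows+extension:yml'
  cosign:
  cosign-installer
  '"uses:+sigstore/cosign-installer@v2"+path:.github/workflows+extension:yml'
  cosign:
  cosign-installer
  '"uses:+sigstore/cosign-installer@v3"+NOT+cosign-installer@v3.+path:.github/workflows+extension:yml'
  cosign:
  cosign-installer
  '"uses:+sigstore/cosign-installer@v3.5"+path:.github/workflows+extension:yml'
  cosign:
  cosign-installer
  '"uses:+sigstore/cosign-installer@v3.6"+path:.github/workflows+extension:yml'
  cosign:
  cosign-installer
  '"uses:+sigstore/cosign-installer@v3.7"+path:.github/workflows+extension:yml'
  cosign:
  cosign-installer
  '"uses:+sigstore/cosign-installer@v3.8"+path:.github/workflows+extension:yml'
  cosign:
  cosign-installer
  '"uses:+sigstore/cosign-installer@v3.9"+path:.github/workflows+extension:yml'
  cosign:
  cosign-installer
  '"uses:+sigstore/cosign-installer@v3."+NOT+cosign-installer@v3.5+NOT+cosign-installer@v3.6+NOT+cosign-installer@v3.7+NOT+cosign-installer@v3.8+NOT+cosign-installer@v3.9+path:.github/workflows+extension:yml'
  cosign:
  cosign-installer
  '"uses:+sigstore/cosign-installer@'"$cosign_installer_latest_sha_prefix"'"+path:.github/workflows+extension:yml'
  cosign:
  cosign-installer
  # TODO >1000 results 2025-05-05
  '"uses:+sigstore/cosign-installer@"+NOT+cosign-installer@main+NOT+cosign-installer@v1+NOT+cosign-installer@v2+NOT+cosign-installer@v3+NOT+cosign-installer@'"$cosign_installer_latest_sha_prefix"'+path:.github/workflows+extension:yml'
  cosign:
  cosign-installer
  # ---------- cosign installers, other
  '"uses:+sigstore/cosign-installer@"+path:.github+NOT+path:.github/workflows+language:YAML'
  cosign:
  cosign-installer
  # ---------- goreleaser cosign
  # Note: filename matches also the same, dot prefixed, so this covers .goreleaser.* too
  '"cmd:+cosign"+filename:goreleaser.yaml+filename:goreleaser.yml'
  cosign:
  cosign-goreleaser
  # ---------- cosign attest-blob
  '"cosign+attest-blob"+NOT+language:Markdown'
  cosign:
  cosign-attest-blob
  # ---------- gh build provenance, *.yaml
  '"uses:+actions/attest-build-provenance@v1"+path:.github/workflows+extension:yaml'
  github_artifact_attestations:
  gh-attestation
  '"uses:+actions/attest-build-provenance@"+NOT+attest-build-provenance@v1+path:.github/workflows+extension:yaml'
  github_artifact_attestations:
  gh-attestation
  # ---------- gh build provenance, *.yml
  # TODO >1000 results 2025-05-05
  '"uses:+actions/attest-build-provenance@v1"+NOT+attest-build-provenance@v1.+path:.github/workflows+extension:yml'
  github_artifact_attestations:
  gh-attestation
  '"uses:+actions/attest-build-provenance@v1."+path:.github/workflows+extension:yml'
  github_artifact_attestations:
  gh-attestation
  # TODO >1000 results 2025-05-05
  '"uses:+actions/attest-build-provenance@v2"+NOT+attest-build-provenance@v2.+path:.github/workflows+extension:yml'
  github_artifact_attestations:
  gh-attestation
  '"uses:+actions/attest-build-provenance@v2."+path:.github/workflows+extension:yml'
  github_artifact_attestations:
  gh-attestation
  '"uses:+actions/attest-build-provenance@"+NOT+attest-build-provenance@v1+NOT+attest-build-provenance@v2+path:.github/workflows+extension:yml'
  github_artifact_attestations:
  gh-attestation
  # ---------- gh build provenance, others
  '"uses:+actions/attest-build-provenance@"+path:.github+NOT+path:.github/workflows+language:YAML'
  github_artifact_attestations:
  gh-attestation
  '"uses:+actions/attest@"+path:.github+language:YAML'
  github_artifact_attestations:
  gh-attestation
  # ---------- SLSA generator
  'slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@+path:.github+language:YAML'
  slsa_provenance:
  slsa-go
  'slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@+path:.github+language:YAML'
  slsa_provenance:
  slsa-generic
)

# Scratch file for the current API response; removed on every exit path.
workfile=$(mktemp)
trap 'rm -f -- "$workfile"' EXIT

# https://docs.github.com/en/rest/search/search?apiVersion=2022-11-28#rate-limit
# Code search is rate limited per minute; pause between requests (the first request of the run is not delayed).
sleep=$((60/10 + 1))
per_page=100
first_request=1

#######################################
# Emit a finding unless the registry already carries the marker or the
# finding is allowlisted.
# Globals:   allowfile (read)
# Arguments: $1 - report label, $2 - marker expected in the registry,
#            $3 - registry.yaml path
# Outputs:   "<label>: <path>" on stdout when reported
#######################################
report_if_missing() {
  local thing=$1 match=$2 f=$3 out
  printf -v out "%s: %s" "$thing" "$f"
  grep -qF -- "$match" "$f" && return 0
  # A missing allowfile simply means nothing is suppressed; keep stderr quiet.
  grep -qF -- "$out" "$allowfile" 2>/dev/null && return 0
  printf "%s\n" "$out"
}

#######################################
# Run one code-search query through all result pages and check every
# registry.yaml under pkgs/<owner>/<name> for each repository that was hit.
# Globals:   workfile, sleep, per_page (read); first_request (written)
# Arguments: $1 - search query, $2 - registry marker, $3 - report label
# Outputs:   findings on stdout, progress on stderr
#######################################
run_search() {
  local q=$1 match=$2 thing=$3
  local page=1 n repo f
  printf "# ---- q=%s\n" "$q" >&2
  while true; do
    if (( first_request )); then
      first_request=0
    else
      sleep "$sleep"
    fi
    printf "# page %s... " "$page" >&2
    # gh api still writes the (error) body on a non-2xx response; note the
    # failure rather than hiding it, then fall through to n=0 handling below.
    if ! gh api "/search/code?q=$q&per_page=$per_page&page=$page" \
        -H Accept:application/vnd.github+json \
        -H X-GitHub-Api-Version:2022-11-28 \
        >"$workfile"; then
      printf "(gh api failed) " >&2
    fi
    n=$(jq ".items | length" <"$workfile" 2>/dev/null || echo 0)
    printf "n=%d\n" "$n" >&2
    # Process substitution keeps the loops in this shell; NUL-delimited find
    # output survives arbitrary path characters.
    while IFS= read -r repo; do
      [[ -d "pkgs/$repo" ]] || continue
      while IFS= read -r -d '' f; do
        report_if_missing "$thing" "$match" "$f"
      done < <(find "pkgs/$repo" -name registry.yaml -print0)
    done < <(jq -r ".items[].repository.full_name" <"$workfile" | sort -u)
    # A short page is the last one.
    (( n < per_page )) && break
    (( page++ ))
  done
}

#######################################
# Report github_release packages whose latest GitHub release is immutable but
# whose registry.yaml does not mention github_immutable_release.
# Globals:   allowfile (read)
# Outputs:   "gh-immutable-release: <path>" on stdout per finding
#######################################
check_immutable_releases() {
  local pkgfile out repo
  while IFS= read -r pkgfile; do
    [[ $(yq '.packages[0].type' "$pkgfile") == github_release ]] || continue
    out="gh-immutable-release: $pkgfile"
    grep -qF -- "$out" "$allowfile" 2>/dev/null && continue
    repo=$(yq '.packages[0].repo_owner + "/" + .packages[0].repo_name' "$pkgfile")
    # gh failing (e.g. no releases) yields an empty string, which is not "true".
    if [[ $(gh release view --repo "$repo" --json isImmutable --jq .isImmutable) == true ]]; then
      printf "%s\n" "$out"
    fi
  done < <(grep -L github_immutable_release pkgs/**/registry.yaml)
}

main() {
  local i
  # The searches array is consumed three entries at a time; catch an edit that
  # breaks the triple layout before it silently shifts every query.
  if (( ${#searches[@]} % 3 != 0 )); then
    printf 'searches must contain (query, marker, label) triples\n' >&2
    exit 1
  fi
  for (( i = 0; i < ${#searches[@]}; i += 3 )); do
    run_search "${searches[i]}" "${searches[i+1]}" "${searches[i+2]}"
  done
  check_immutable_releases
}
main "$@"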