{"id":17383863,"url":"https://github.com/mcandre/rubberstamp","last_synced_at":"2025-04-15T10:09:28.581Z","repository":{"id":239509424,"uuid":"799720245","full_name":"mcandre/rubberstamp","owner":"mcandre","description":"GitHub Action to fix GitHub Actions","archived":false,"fork":false,"pushed_at":"2025-04-01T00:17:52.000Z","size":1554,"stargazers_count":3,"open_issues_count":2,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-15T10:09:09.028Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mcandre.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-05-13T00:37:29.000Z","updated_at":"2025-04-01T00:17:55.000Z","dependencies_parsed_at":"2024-08-27T05:35:29.907Z","dependency_job_id":"6ea01258-e103-4f17-a1e9-87855071dba5","html_url":"https://github.com/mcandre/rubberstamp","commit_stats":null,"previous_names":["mcandre/rubberstamp"],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mcandre%2Frubberstamp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mcandre%2Frubberstamp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mcandre%2Frubberstamp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mcandre%2Frubberstamp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mcandre","download_url":"https://codeload.github.com/mcandre/rubberstamp/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249048738,"owners_count":21204306,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-16T07:44:01.592Z","updated_at":"2025-04-15T10:09:28.575Z","avatar_url":"https://github.com/mcandre.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# rubberstamp: GitHub Action to fix GitHub Actions\n\n# ABOUT\n\n## Problem\n\nIn a weaksauce attempt to cut costs, GitHub Actions stops triggering `cron` scheduled actions after a period of inactivity. With deleterious security implications.\n\nWhy does this matter?\n\nLike other security tools, Dependabot and CodeQL have gaps, which are filled in by configuring GitHub Actions to run additional security scanning tools. Think, `npm audit`, etc. Hence the need for (GitHub Actions) CI/CD.\n\nTriggering actions on commit events has gaps, in terms of timing. Attackers don't wait for new commits to take advantage of the latest vulnerabilities. Consider a project where most workers leave for the weekend. The last commit is on Thursday. After work on Friday, researchers announce a new vulnerability that impacts the project. But no new commits arrive, so no new scans are run.\n\nBut it gets worse. As a project naturally ages, the number of commits reduces over time. But the likelihood of vulnerabilities increases with time. When the project is most in need of security scanning, commit triggers no longer fire. Hence the need for recurring CI/CD, until the project is eventually archived.\n\n## Solution\n\nWe implement a new GitHub Action to rubberstamp a repository with nonce commits. In order to restore the accuracy of `cron` schedules for all of the repository's actions.\n\n# LICENSE\n\nBSD-2-Clause\n\n# USAGE\n\nInstall rubberstamp on each affected repository.\n\n# INSTALL\n\n## Prerequisites\n\n* Auxiliary SSH keypair generated with [ssh-keygen](https://linux.die.net/man/1/ssh-keygen)\n* Public key registered with GitHub owner account\n* Private key registered as an `SSH_KEY` GitHub Actions Repository Secret\n\nCopy [rubberstamp.yml](.github/workflows/rubberstamp.yml) to `.github/workflows/`.\n\n# UNINSTALL\n\nRemove `.github/workflows/rubberstamp.yml` from git version control.\n\n# TEST\n\nTemporarily configure the `cron` interval to `*/5 * * * *` (every 5 minutes).\n\nWarning: Validate `cron` schedule syntax for accuracy, such as with [crontab.guru](https://crontab.guru/). Misconfigured schedules may fail to parse; run too infrequently; or run too frequently, risking rate limits.\n\nWarning: Avoid enabling commit triggers for the rubberstamp action other than `cron`. Commit triggers may create a nasty feedback loop, risking rate limits.\n\nIf you accidentally trigger an infinite series of jobs, you can quickly recover by either:\n\n* Force pushing the action with all the `on` triggers removed, to relevant remote branches.\n* Using the GitHub Web UI to manually disable the job\n\nNote that GitHub Actions does not support multiple `cron` triggers for the same action: It silently selects one of the `cron` schedules as the one and only schedule.\n\n🔴\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmcandre%2Frubberstamp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmcandre%2Frubberstamp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmcandre%2Frubberstamp/lists"}