unpm 0.2.0

Lightweight vendoring of static assets. No node_modules, no runtime fetching.
# Action metadata: display name and summary of what the check covers.
name: 'unpm check'
description: 'Verify vendored dependencies: SHA integrity and CVE scanning'
# Badge appearance only; nothing below reads these values.
branding:
  icon: 'shield'
  color: 'green'

inputs:
  # Opt-out for the CVE gate. Only the exact string "true" adds
  # --allow-vulnerable to the `unpm check` invocation; any other value keeps
  # the default arguments.
  allow-vulnerable:
    description: 'Allow known vulnerabilities (not recommended)'
    required: false
    default: 'false'
  # Release to install. "latest" is resolved against the GitHub releases API
  # at run time, so the installed binary can change between runs; set an
  # explicit version (without the leading "v") for reproducible checks.
  version:
    description: 'unpm version to use'
    required: false
    default: 'latest'

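runs:
  using: 'composite'
  steps:
    # Downloads the release binary for the runner's CPU architecture to
    # /usr/local/bin/unpm. The file is not trusted yet: it is only marked
    # executable by a later step, after the attestation check has passed.
    - name: Install unpm
      shell: bash
      env:
        # Passed through the environment rather than interpolated into the
        # script text, so the input value is never parsed as shell code.
        VERSION: ${{ inputs.version }}
      run: |
        set -euo pipefail

        # Only Linux release assets are mapped here.
        ARCH=$(uname -m)
        case "$ARCH" in
          x86_64) PLATFORM="linux-x86_64" ;;
          aarch64) PLATFORM="linux-aarch64" ;;
          *)
            echo "Unsupported architecture: $ARCH" >&2
            exit 1
            ;;
        esac

        # The version becomes part of the download URL. Restrict it to
        # version-tag characters so it cannot add path segments ("/", "..")
        # or a query string that would point the request elsewhere.
        case "$VERSION" in
          "" | *[!0-9A-Za-z.+-]*)
            echo "Invalid unpm version: $VERSION" >&2
            exit 1
            ;;
        esac

        if [ "$VERSION" = "latest" ]; then
          # -f turns an HTTP error (for example API rate limiting) into a
          # curl failure instead of an error body being fed to grep.
          # `|| true` defers the failure to the explicit check below so the
          # log says what went wrong.
          URL=$(curl -fsSL https://api.github.com/repos/JamesGuthrie/unpm/releases/latest \
            | grep browser_download_url \
            | grep "unpm-${PLATFORM}" \
            | cut -d '"' -f 4) || true
          if [ -z "$URL" ]; then
            echo "Could not resolve the latest unpm release asset for ${PLATFORM}" >&2
            exit 1
          fi
        else
          URL="https://github.com/JamesGuthrie/unpm/releases/download/v${VERSION}/unpm-${PLATFORM}"
        fi

        # -f: without it a 404 page would be saved as the "binary" and the
        # job would only fail later, in the attestation step.
        curl -fsSL "$URL" -o /usr/local/bin/unpm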

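    # Supply-chain gate: the downloaded file must carry a build attestation
    # issued for the JamesGuthrie/unpm repository. This step runs before the
    # binary is made executable, so an unverified download is never run.
    # NOTE(review): --repo accepts an attestation from any workflow in that
    # repository and does not tie the artifact to the requested version;
    # consider also pinning the signing workflow (--signer-workflow).
    - name: Verify attestation
      shell: bash
      env:
        # The gh CLI refuses to run inside GitHub Actions without a token.
        # The job's own token is enough for this read-only lookup.
        GH_TOKEN: ${{ github.token }}
      run: gh attestation verify /usr/local/bin/unpm --repo JamesGuthrie/unpm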

    # Grant the execute bit as a separate step. Keep it after the
    # attestation step so the order stays verify first, execute second.
    - name: 'Make unpm executable'
      shell: bash
      run: |
        chmod +x /usr/local/bin/unpm

    # Runs the integrity and CVE check. The input reaches the script through
    # the environment and is only compared against the literal "true", so its
    # content never becomes part of the command line.
    - name: 'Run unpm check'
      shell: bash
      env:
        ALLOW_VULNERABLE: ${{ inputs.allow-vulnerable }}
      run: |
        # Build the argument list as an array; the opt-out flag is appended
        # only on an exact "true".
        unpm_args=(check)
        if [ "$ALLOW_VULNERABLE" = "true" ]; then
          unpm_args+=(--allow-vulnerable)
        fi
        unpm "${unpm_args[@]}"