From d1ee788c08ba39d152c304a7ae140598cc652aa6 Mon Sep 17 00:00:00 2001
From: Dan Rollo
Date: Fri, 19 Feb 2021 14:47:06 -0500
Subject: [PATCH] Use latest nancy (#9)

new configuration option: nancyVersion. Valid values: 'latest' or a specific version, like `v.1.0.6'. Default value is 'latest'.
---
 Dockerfile | 13 ++++++++-----
 README.md | 11 +++++++++--
 action.yml | 4 ++++
 entrypoint.sh | 3 +++
 install-nancy.sh | 33 +++++++++++++++++++++++++++++++++
 5 files changed, 57 insertions(+), 7 deletions(-)
 create mode 100755 install-nancy.sh

diff --git a/Dockerfile b/Dockerfile
index fa1e1df..ba8da61 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,15 +12,18 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM alpine:3.12
+FROM alpine:3.13
 
 LABEL com.github.actions.name="Nancy for GitHub Actions" \
 com.github.actions.description="Run Sonatype Nancy as part of your GitHub Actions workflow."
 
-RUN apk add --no-cache curl && \
- curl -L -o nancy.apk \
- https://github.com/sonatype-nexus-community/nancy/releases/download/v1.0.0/nancy_1.0.0_linux_386.apk && \
- apk add --no-cache --allow-untrusted nancy.apk
+# required to fetch nancy.apk via curl
+RUN apk add --no-cache curl
+
+# required to get grep that supports -P option
+RUN apk add --no-cache --upgrade grep
+
+COPY install-nancy.sh /install-nancy.sh
 
 COPY entrypoint.sh /entrypoint.sh
 
diff --git a/README.md b/README.md
index 4a923dd..9ae47eb 100644
--- a/README.md
+++ b/README.md
@@ -31,7 +31,7 @@ For example: `sleuth --loud`
 The example below only requires `go` be installed in order to generate the `go.list` file. You could instead have some other part of the CI build generate that file for use by `nancy`.
-```
+```yaml
 name: Go Nancy
 on: [push]
 
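Review bot: The two new `RUN apk add` layers install `curl` and `grep` without pinned versions, so the image content can change between rebuilds of the same Dockerfile even though the base tag is fixed (hadolint DL3018), and they could be a single layer. Suggest one instruction, `RUN apk add --no-cache curl=<curl-version-from-alpine-3.13-index> grep=<grep-version-from-alpine-3.13-index>`; `--upgrade` on a package that is not yet installed appears to have no effect here, but confirm that is not the reason it was added. It is also worth a comment above `COPY install-nancy.sh /install-nancy.sh` saying that nancy is now fetched at container start rather than at build time, since the image alone no longer determines which nancy binary runs.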
@@ -54,6 +54,13 @@ jobs:
 uses: sonatype-nexus-community/nancy-github-action@main
 ```
 
+The snippet below shows how to use a specific version of Nancy (rather than the latest)
+```yaml
+ - name: Scan with specific Nancy version
+ uses: sonatype-nexus-community/nancy-github-action@use_latest_nancy
+ with:
+ nancyVersion: "v1.0.6"
+```
 ## Development
 
 I found it useful to leverage the [act](https://github.com/nektos/act) project while developing
@@ -62,7 +69,7 @@ of that branch. For example, a [test project](https://github.com/bhamail/nancy-g
 Notice the commit hash `950a8965cd37d8e14aaa6aebd6c0d71b4da71fa3` used below in the `Scan` step to run the development branch.
-```
+```yaml
 name: Go
 on:
 
diff --git a/action.yml b/action.yml
index 6e40853..ca2619f 100644
--- a/action.yml
+++ b/action.yml
@@ -2,6 +2,10 @@ name: 'Nancy for GitHub Actions'
 author: 'Sonatype'
 description: 'Run Sonatype Nancy as part of your GitHub Actions workflow.'
 inputs:
+ nancyVersion:
+ description: 'The version of Nancy to run. Examples: "latest", "v1.0.15" See: https://github.com/sonatype-nexus-community/nancy/releases for available versions.'
+ required: true
+ default: 'latest'
 goListFile:
 description: 'The path to a file containing the output of a "go list ..." command.'
 required: false
diff --git a/entrypoint.sh b/entrypoint.sh
index 66d3356..e185dd9 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -14,4 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# INPUT_NANCYVERSION env var is set automagically to the value of inputs.nancyVersion
+/install-nancy.sh $INPUT_NANCYVERSION
+
 nancy $2 < $1
diff --git a/install-nancy.sh b/install-nancy.sh
new file mode 100755
index 0000000..7b6e635
--- /dev/null
+++ b/install-nancy.sh
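Review bot: The exit status of the new `/install-nancy.sh $INPUT_NANCYVERSION` call in entrypoint.sh is discarded, so when the install fails the script still falls through to the `nancy` invocation on the following line; no `set -e` is visible in the hunk, and the file's opening lines (shebang and any options) are outside it. Quote the expansion and fail fast: `/install-nancy.sh "$INPUT_NANCYVERSION" || exit 1`. That keeps the guard local to the new line instead of changing the error behaviour of the whole script.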
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+# Copyright (c) 2019-present Sonatype, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+desiredVersion="$1"
+echo "desired nancy version: ${desiredVersion}"
+if [ -z "$desiredVersion" ]; then
+ >&2 echo "must specify a desiredVersion, like: latest or v1.0.15"
+ exit 1
+elif [[ ${desiredVersion} == "latest" ]]; then
+ latest_version_is=$(curl --fail -s https://api.github.com/repos/sonatype-nexus-community/nancy/releases/latest | grep -oP '"tag_name": "\K(.*)(?=")')
+ desiredVersion=${latest_version_is}
+elif [[ ${desiredVersion:0:1} != "v" ]]; then
+ >&2 echo "specific nancy version (${desiredVersion}) must start with v, like: v1.0.15"
+ exit 1
+fi
+# installer filename excludes v from version
+sourceUrl="https://github.com/sonatype-nexus-community/nancy/releases/download/${desiredVersion}/nancy_${desiredVersion:1}_linux_amd64.apk"
+echo "installing nancy via ${sourceUrl}"
+curl --fail -L -o nancy.apk ${sourceUrl}
+apk add --no-progress --quiet --no-cache --allow-untrusted nancy.apk
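Review bot: The `latest` branch resolves the tag with a silent `curl --fail -s … | grep`, never checks that `latest_version_is` is non-empty, and the script has no `set -e`, so a failed or rate-limited API response leaves `desiredVersion` empty, builds a download URL with an empty tag, and still runs `apk add` on whatever `nancy.apk` is present. The `[[ … ]]` tests and the `${desiredVersion:0:1}` / `${desiredVersion:1}` substrings are bash syntax under a `#!/bin/sh` shebang; BusyBox ash on Alpine may accept them, but the POSIX forms are just as short and ShellCheck will not flag them. The final `apk add … --allow-untrusted` installs a package apk cannot verify and nothing ties the download to an expected digest — if the nancy release publishes a checksum file, verify `nancy.apk` against it before that line, otherwise add a comment above it stating that integrity rests solely on TLS to github.com. The rewrite below adds `set -eu`, an explicit empty-tag check, POSIX tests and quoting; the apk line is left as it is.
```shell
#!/bin/sh
set -eu

# … unchanged: license header …

desiredVersion="${1:-}"
echo "desired nancy version: ${desiredVersion}"
if [ -z "$desiredVersion" ]; then
  >&2 echo "must specify a desiredVersion, like: latest or v1.0.15"
  exit 1
elif [ "$desiredVersion" = "latest" ]; then
  latest_version_is=$(curl --fail -sS https://api.github.com/repos/sonatype-nexus-community/nancy/releases/latest | grep -oP '"tag_name": "\K(.*)(?=")')
  # an empty tag would otherwise produce a URL with no version and a meaningless download
  if [ -z "$latest_version_is" ]; then
    >&2 echo "could not resolve the latest nancy release tag"
    exit 1
  fi
  desiredVersion=${latest_version_is}
elif [ "${desiredVersion#v}" = "$desiredVersion" ]; then
  >&2 echo "specific nancy version (${desiredVersion}) must start with v, like: v1.0.15"
  exit 1
fi
# installer filename excludes v from version
sourceUrl="https://github.com/sonatype-nexus-community/nancy/releases/download/${desiredVersion}/nancy_${desiredVersion#v}_linux_amd64.apk"
echo "installing nancy via ${sourceUrl}"
curl --fail -L -o nancy.apk "${sourceUrl}"
# … unchanged: apk add …
```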