fabasoad commented Jul 1, 2025

Problem

Currently, snyk/actions/setup supports Alpine OS. There are no Alpine OS GitHub-hosted runners, so the usual use case is to use an Alpine Docker image (e.g. alpine:latest). The official Alpine Docker image does not include bash, meaning that the user has to install it in advance every time.

Solution

Since snyk/actions/setup is a composite action that runs a shell script, it is not difficult to rewrite bash to sh. It will remove the dependency on bash. Furthermore, it is not difficult to do, as the current setup_snyk.sh shell script is already POSIX compliant. Only a few minor changes are required to make this GitHub Action work without the bash dependency.

Validation results

I've run this GitHub Action before the fix and after the fix, and everything works as expected.

Before fix

CI pipeline

Workflow configuration
---
name: Test Snyk Setup

on:
  push:
    branches:
      - test/snyk-setup

jobs:
  test-snyk-setup:
    runs-on: ubuntu-latest
    container:
      image: alpine:3.22.0
    defaults:
      run:
        shell: sh
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install curl
        run: apk --no-cache add curl

      - name: Setup Snyk
        uses: snyk/actions/setup@master
        with:
          os: "Alpine"

      - name: Run Snyk Test
        run: snyk test --all-projects --severity-threshold=low --json
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

Logs

2025-07-01T01:54:40.4854645Z ##[group]Run snyk/actions/setup@master
2025-07-01T01:54:40.4855082Z with:
2025-07-01T01:54:40.4855386Z   os: Alpine
2025-07-01T01:54:40.4855708Z   snyk-version: latest
2025-07-01T01:54:40.4856070Z ##[endgroup]
2025-07-01T01:54:40.4951076Z ##[group]Run echo $GITHUB_ACTION_PATH
2025-07-01T01:54:40.4951524Z echo $GITHUB_ACTION_PATH
2025-07-01T01:54:40.4952036Z echo /home/runner/work/_actions/snyk/actions/master/setup
2025-07-01T01:54:40.4952478Z
2025-07-01T01:54:40.4953117Z /home/runner/work/_actions/snyk/actions/master/setup/setup_snyk.sh latest Alpine || $GITHUB_ACTION_PATH/setup_snyk.sh latest Alpine
2025-07-01T01:54:40.4953991Z shell: bash --noprofile --norc -e -o pipefail {0}
2025-07-01T01:54:40.4954416Z ##[endgroup]
2025-07-01T01:54:40.5540807Z OCI runtime exec failed: exec failed: unable to start container process: exec: "bash": executable file not found in $PATH: unknown
2025-07-01T01:54:40.5565826Z ##[error]Process completed with exit code 127.

After fix

CI pipeline

Workflow configuration
---
name: Test Snyk Setup

on:
  push:
    branches:
      - test/snyk-setup

jobs:
  test-snyk-setup:
    runs-on: ubuntu-latest
    container:
      image: alpine:3.22.0
    defaults:
      run:
        shell: sh
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install curl
        run: apk --no-cache add curl

      - name: Setup Snyk
        uses: fabasoad/snyk-actions/setup@fix/bash-to-sh
        with:
          os: "Alpine"

      - name: Run Snyk Test
        run: snyk test --all-projects --severity-threshold=low --json
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

Logs

2025-07-01T01:42:58.9958658Z ##[group]Run fabasoad/snyk-actions/setup@fix/bash-to-sh
2025-07-01T01:42:58.9960123Z with:
2025-07-01T01:42:58.9960809Z   os: Alpine
2025-07-01T01:42:58.9961548Z   snyk-version: latest
2025-07-01T01:42:58.9962362Z ##[endgroup]
2025-07-01T01:42:59.0076854Z ##[group]Run echo $GITHUB_ACTION_PATH
2025-07-01T01:42:59.0077964Z echo $GITHUB_ACTION_PATH
2025-07-01T01:42:59.0079598Z echo /home/runner/work/_actions/fabasoad/snyk-actions/fix/bash-to-sh/setup
2025-07-01T01:42:59.0081113Z
2025-07-01T01:42:59.0083253Z /home/runner/work/_actions/fabasoad/snyk-actions/fix/bash-to-sh/setup/setup_snyk.sh latest Alpine || $GITHUB_ACTION_PATH/setup_snyk.sh latest Alpine
2025-07-01T01:42:59.0085828Z shell: sh -e {0}
2025-07-01T01:42:59.0086586Z ##[endgroup]
2025-07-01T01:42:59.0726935Z /__w/_temp/8d1ec298-0e54-4ee0-a3f6-27fbd280111f.sh: line 4: /home/runner/work/_actions/fabasoad/snyk-actions/fix/bash-to-sh/setup/setup_snyk.sh: not found
2025-07-01T01:42:59.0731418Z /__w/_actions/fabasoad/snyk-actions/fix/bash-to-sh/setup
2025-07-01T01:42:59.0733923Z /home/runner/work/_actions/fabasoad/snyk-actions/fix/bash-to-sh/setup
2025-07-01T01:42:59.0755561Z 2025-07-01T01:42:59Z Installing the latest version of Snyk on Alpine
2025-07-01T01:42:59.0763019Z 2025-07-01T01:42:59Z sudo is NOT installed. Trying without sudo, expecting privileges to write to '/usr/local/bin'.
2025-07-01T01:42:59.0788916Z 2025-07-01T01:42:59Z Downloading files from https://downloads.snyk.io/cli/latest
2025-07-01T01:42:59.0828175Z   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
2025-07-01T01:42:59.0830428Z                                  Dload  Upload   Total   Spent    Left  Speed
2025-07-01T01:42:59.0831307Z 
2025-07-01T01:42:59.2020913Z   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
2025-07-01T01:42:59.6355069Z HTTP/1.1 200 OK
2025-07-01T01:42:59.6355980Z x-amz-id-2: T571bGuatzumFGGakXvtXeKvNYUGZ55YAXUTUWuMhjNinpRpHKPQUx9SkM54ahH9pLe8cDxpyJx8XOBVYqABxg==
2025-07-01T01:42:59.6356718Z x-amz-request-id: FGK54PV7WE4MQ01F
2025-07-01T01:42:59.6357072Z x-amz-server-side-encryption: AES256
2025-07-01T01:42:59.6357396Z Accept-Ranges: bytes
2025-07-01T01:42:59.6357681Z Content-Type: binary/octet-stream
2025-07-01T01:42:59.6357980Z Server: AmazonS3
2025-07-01T01:42:59.6359289Z Last-Modified: Mon, 23 Jun 2025 15:46:17 GMT
2025-07-01T01:42:59.6359991Z ETag: "c58afb554467a4c7519c4d0ce8290089-16"
2025-07-01T01:42:59.6360294Z Content-Length: 126927108
2025-07-01T01:42:59.6360540Z Cache-Control: max-age=0
2025-07-01T01:42:59.6360803Z Expires: Tue, 01 Jul 2025 01:42:59 GMT
2025-07-01T01:42:59.6361074Z Date: Tue, 01 Jul 2025 01:42:59 GMT
2025-07-01T01:42:59.6361339Z Connection: keep-alive
2025-07-01T01:42:59.6361855Z Akamai-Cache-Status: Miss from child, Miss from parent
2025-07-01T01:42:59.6362239Z Access-Control-Max-Age: 3000
2025-07-01T01:42:59.6362500Z Access-Control-Allow-Methods: GET
2025-07-01T01:42:59.6362778Z Access-Control-Allow-Origin: *
2025-07-01T01:42:59.6362955Z 
2025-07-01T01:43:00.1821629Z   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
2025-07-01T01:43:01.1819859Z  11  121M   11 14.1M    0     0  12.8M      0  0:00:09  0:00:01  0:00:08 12.8M
2025-07-01T01:43:02.1700532Z  31  121M   31 38.0M    0     0  18.1M      0  0:00:06  0:00:02  0:00:04 18.1M
2025-07-01T01:43:03.1992329Z  52  121M   52 64.0M    0     0  20.7M      0  0:00:05  0:00:03  0:00:02 20.7M
2025-07-01T01:43:04.1676948Z  74  121M   74 90.0M    0     0  21.8M      0  0:00:05  0:00:04  0:00:01 21.8M
2025-07-01T01:43:04.3867692Z  94  121M   94  114M    0     0  22.4M      0  0:00:05  0:00:05 --:--:-- 22.9M
2025-07-01T01:43:04.3868507Z 100  121M  100  121M    0     0  22.8M      0  0:00:05  0:00:05 --:--:-- 25.4M
2025-07-01T01:43:04.3906916Z 2025-07-01T01:43:04Z Downloaded binary from https://downloads.snyk.io/cli/latest/snyk-alpine?utm_source=GITHUB_ACTIONS
2025-07-01T01:43:04.3943009Z   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
2025-07-01T01:43:04.3943706Z                                  Dload  Upload   Total   Spent    Left  Speed
2025-07-01T01:43:04.3944132Z 
2025-07-01T01:43:04.5146411Z HTTP/1.1 200 OK
2025-07-01T01:43:04.5147337Z x-amz-id-2: yPCqf28W/zxyzGs4hOMpx2kVlqtrV5fvnliVXOCV2rZX9pJb27rX1yOhPf7nz9ZmNSIG4bS91I8=
2025-07-01T01:43:04.5148443Z x-amz-request-id: 5XVXBZDC146QF3YG
2025-07-01T01:43:04.5148983Z Last-Modified: Mon, 23 Jun 2025 15:46:25 GMT
2025-07-01T01:43:04.5149756Z ETag: "139ca3a8e86f8df3d60d0b46370f30d1"
2025-07-01T01:43:04.5150307Z x-amz-server-side-encryption: AES256
2025-07-01T01:43:04.5150886Z Accept-Ranges: bytes
2025-07-01T01:43:04.5151326Z Content-Type: binary/octet-stream
2025-07-01T01:43:04.5151723Z Content-Length: 78
2025-07-01T01:43:04.5152015Z Server: AmazonS3
2025-07-01T01:43:04.5152266Z Cache-Control: max-age=0
2025-07-01T01:43:04.5152570Z Expires: Tue, 01 Jul 2025 01:43:04 GMT
2025-07-01T01:43:04.5152876Z Date: Tue, 01 Jul 2025 01:43:04 GMT
2025-07-01T01:43:04.5153148Z Connection: keep-alive
2025-07-01T01:43:04.5153458Z Akamai-Cache-Status: Miss from child, RefreshHit from parent
2025-07-01T01:43:04.5153812Z Access-Control-Max-Age: 3000
2025-07-01T01:43:04.5154072Z Access-Control-Allow-Methods: GET
2025-07-01T01:43:04.5154355Z Access-Control-Allow-Origin: *
2025-07-01T01:43:04.5154529Z 
2025-07-01T01:43:04.5154694Z   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
2025-07-01T01:43:04.5155045Z 100    78  100    78    0     0    645      0 --:--:-- --:--:-- --:--:--   650
2025-07-01T01:43:04.5202375Z 2025-07-01T01:43:04Z Downloaded shasum from https://downloads.snyk.io/cli/latest/snyk-alpine.sha256?utm_source=GITHUB_ACTIONS
2025-07-01T01:43:04.5207776Z 2025-07-01T01:43:04Z Validating shasum
2025-07-01T01:43:05.1508710Z snyk-alpine: OK
2025-07-01T01:43:05.1521936Z 2025-07-01T01:43:05Z Moving and cleaning files
2025-07-01T01:43:05.7153439Z 2025-07-01T01:43:05Z Installed Snyk v1.1297.3
2025-07-01T01:43:05.7210909Z ##[group]Run echo "version=$(snyk version)" >> $GITHUB_OUTPUT
2025-07-01T01:43:05.7211285Z echo "version=$(snyk version)" >> $GITHUB_OUTPUT
2025-07-01T01:43:05.7211680Z shell: sh -e {0}
2025-07-01T01:43:05.7211859Z ##[endgroup]
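
The "Validating shasum" step seen in the log above, written in POSIX sh so that it runs under BusyBox ash on Alpine without bash. This is an added example, not the project's setup_snyk.sh; the function names and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the project's setup_snyk.sh. POSIX sh only: no arrays,
# no [[ ]], no "local", no "set -o pipefail" (variables are therefore global).

# sha256_of FILE: print the hex SHA-256 of FILE with whichever tool exists.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    echo "no SHA-256 tool found" >&2
    return 2
  fi
}

# verify_download FILE SUMFILE: SUMFILE holds "<hex>  <name>" on its first line.
# Returns 0 on match, 1 on mismatch or malformed SUMFILE, 2 if no hashing tool.
verify_download() {
  file=$1 sumfile=$2
  [ -f "$file" ] && [ -f "$sumfile" ] || return 1
  expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
  # Accept only exactly 64 hex characters as the expected digest.
  case $expected in
    *[!0-9a-f]*|'') return 1 ;;
  esac
  [ "${#expected}" -eq 64 ] || return 1
  actual=$(sha256_of "$file") || return 2
  [ "$actual" = "$expected" ]
}

# Demo on constructed data: a matching sum passes, a tampered file fails.
# mktemp -d is not in POSIX but ships with BusyBox, GNU coreutils and macOS.
demo() {
  tmp=$(mktemp -d) || return 2
  printf 'constructed sample binary\n' > "$tmp/snyk-alpine"
  printf '%s  snyk-alpine\n' "$(sha256_of "$tmp/snyk-alpine")" > "$tmp/snyk-alpine.sha256"
  ok=0; verify_download "$tmp/snyk-alpine" "$tmp/snyk-alpine.sha256" || ok=$?
  printf 'tampered\n' >> "$tmp/snyk-alpine"
  bad=0; verify_download "$tmp/snyk-alpine" "$tmp/snyk-alpine.sha256" || bad=$?
  rm -rf "$tmp"
  echo "match=$ok tampered=$bad"
}
```

Without `pipefail`, a failing hash tool in the pipeline yields an empty digest, which the final string comparison treats as a mismatch rather than a pass.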

@fabasoad fabasoad requested a review from a team as a code owner July 1, 2025 01:56

dotkas commented Jul 2, 2025

Hey @fabasoad - thanks for your contribution. I am not 100% sure I trust my own tests enough to merge this. Will think a bit about it.

According to Snyk's breaking change policy this could also be seen as a breaking change, considering how all downstream users of this action are currently using it.

Just a heads-up that this might be a bit before you hear something.

fabasoad commented Jul 4, 2025

Hi @dotkas! Yeah, makes sense. I just stepped on this issue a few times in the past and thought it would be good to fix it. Later on, the dependency on curl can also be fixed with something like this, but I understand your concern about the possible breaking change. Feel free to close it if you think it is too risky, or we can think about how we can improve testing, so that changes like this would be "easier" to roll out in the future. Technically, if we could have tests for all supported environments, then we could be more confident about such changes. A simple test: set up snyk and run its version, but on every supported runner (Alpine/macOS/Linux x x86_64/ARM64 = matrix with 6 tests on 6 different runners). The only problem here is to get Linux ARM64 and macOS x86_64 runners, as they are not provided by GitHub. So, if your organization has those self-hosted runners, we could use them for these tests. Just some thoughts. LMK.

fabasoad commented Jul 5, 2025

@dotkas I've removed bash from the installation step in tests. This should prove that GitHub Action works as expected. Please review.

P.S. I've added more tests in scope of #160

@fabasoad fabasoad requested a review from a team as a code owner August 4, 2025 13:50
github-actions bot commented Sep 4, 2025

Your PR has not had any activity for 30 days. In 2 days I'll close it. Make some activity to remove this.

@github-actions github-actions bot added the Stale label Sep 4, 2025
fabasoad commented Sep 4, 2025

Hi @dotkas! WDYT about this PR? Would it be OK to move it forward or should we close it?

dotkas commented Sep 4, 2025

Hi @fabasoad I still think it's good, but our internal processes are taking way longer than I had expected. I am sorry for the delay on it.

@github-actions github-actions bot removed the Stale label Sep 5, 2025
github-actions bot commented Oct 5, 2025

Your PR has not had any activity for 30 days. In 2 days I'll close it. Make some activity to remove this.

@github-actions github-actions bot added the Stale label Oct 5, 2025
@github-actions github-actions bot removed the Stale label Oct 7, 2025
github-actions bot commented Nov 6, 2025

Your PR has not had any activity for 30 days. In 2 days I'll close it. Make some activity to remove this.

@github-actions github-actions bot added the Stale label Nov 6, 2025
snyk-io bot commented Nov 6, 2025

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Code Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@github-actions github-actions bot removed the Stale label Nov 7, 2025
github-actions bot commented Dec 7, 2025

Your PR has not had any activity for 30 days. In 2 days I'll close it. Make some activity to remove this.

@github-actions github-actions bot added the Stale label Dec 7, 2025
@github-actions github-actions bot removed the Stale label Dec 9, 2025
github-actions bot commented Jan 8, 2026

Your PR has not had any activity for 30 days. In 2 days I'll close it. Make some activity to remove this.

@github-actions github-actions bot added the Stale label Jan 8, 2026
@github-actions github-actions bot removed the Stale label Jan 9, 2026