fcli * action *: Add --from option

[rsenden]

Enhancement Request

The (upcoming) fortify/github-action:1.3.0 version makes extensive use of fcli actions, defaulting to running built-in fcli actions but allowing users to override these through the *_ACTION environment variables. This is fine for overriding a single action, but it can become annoying having to specify a full file path or URL if you want to override multiple/all actions.

In such cases, you could potentially create a zip-file containing all (relevant & potentially customized) built-in actions, and set a global environment variable like FCLI_DEFAULT_ACTION_RUN_FROM_ZIP=<URL to zip-file>. This way, the GitHub action would still use the default fcli action names (no need to set *_ACTION variables), but load them from the specified zip-file instead of using the built-in actions.

However, it might be annoying having to maintain these actions in a zip-file; with every action update, you need to update and republish the zip-file with the updated action(s). This makes it difficult to simply host such custom actions in a shared SCM repository for example.

For such use cases, it would be nice to have a --from option, for example:

fcli fod action run check-policy --from https://my.server/fcli-actions

With this command, fcli would attempt to load the action from https://my.server/fcli-actions/check-policy.yaml. In the GitHub Action scenario, users could set the FCLI_DEFAULT_ACTION_RUN_FROM environment variable to have the GitHub Action automatically use the actions defined at this alternative location instead of the built-in actions, without having to override each individual action through *_ACTION environment variables.

Even better would be to have the --from option accept a list of action sources, for example:

fcli fod action run check-policy --from ./fcli-actions,https://my.server/fcli-actions,builtin

This would first look for ./fcli-actions/check-policy.yaml, if not found it would look for https://my.server/fcli-actions/check-policy.yaml, and eventually fall back to the built-in check-policy action if neither of the former locations contain a check-policy.yaml file. This way, the GitHub action would still use the built-in actions, unless 'overridden' at one of the alternative locations specified in FCLI_DEFAULT_ACTION_RUN_FROM.

While we're at it, we could have the --from option also support a location to be specified as zip:<file or URL> (or automatically detect that the --from entry points to a zip-file). This would allow zip-files to be used in such a chain of alternative locations, including possibly fall-back to built-in actions, and allow us to deprecate the --from-zip option.

Note though that this only applies to commands that operate on a single action, like run and help. For import and list commands, we may want to keep the --from-zip option, as these commands need the ability to list all files at a specified location, and we can't for example list all files located at https://my.server/fcli-actions.

As an alternative, but requiring more housekeeping by custom action providers, we could require some kind of index file to be available at --from locations (at least when pointing to a URL), like https://my.server/fcli-actions/index.txt, which would allow for iterating through all actions listed in that index file by the list and import commands. Not sure whether this is a good idea though.