mirror of
https://github.com/status-im/consul.git
synced 2025-01-20 18:50:04 +00:00
a1c0115a74
We've noticed runners appearing to become resource-starved during heavy CI traffic. While we should try to prevent this by limiting the scanner's CPU consumption, increasing the runner size should help in the interim.
88 lines
2.9 KiB
YAML
88 lines
2.9 KiB
YAML
name: Security Scan
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
- release/**
|
|
pull_request:
|
|
branches:
|
|
- main
|
|
- release/**
|
|
|
|
# cancel existing runs of the same workflow on the same ref
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
conditional-skip:
|
|
runs-on: ubuntu-latest
|
|
name: Get files changed and conditionally skip CI
|
|
outputs:
|
|
skip-ci: ${{ steps.read-files.outputs.skip-ci }}
|
|
steps:
|
|
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
with:
|
|
fetch-depth: 0
|
|
- name: Get changed files
|
|
id: read-files
|
|
run: ./.github/scripts/filter_changed_files_go_test.sh
|
|
|
|
setup:
|
|
needs: [conditional-skip]
|
|
name: Setup
|
|
if: needs.conditional-skip.outputs.skip-ci != 'true'
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
compute-small: ${{ steps.setup-outputs.outputs.compute-small }}
|
|
compute-medium: ${{ steps.setup-outputs.outputs.compute-medium }}
|
|
compute-large: ${{ steps.setup-outputs.outputs.compute-large }}
|
|
compute-xl: ${{ steps.setup-outputs.outputs.compute-xl }}
|
|
steps:
|
|
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
- id: setup-outputs
|
|
name: Setup outputs
|
|
run: ./.github/scripts/get_runner_classes.sh
|
|
|
|
scan:
|
|
needs: [setup]
|
|
runs-on: ${{ fromJSON(needs.setup.outputs.compute-xl) }}
|
|
# The first check ensures this doesn't run on community-contributed PRs, who
|
|
# won't have the permissions to run this job.
|
|
if: ${{ (github.repository != 'hashicorp/consul' || (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name))
|
|
&& (github.actor != 'dependabot[bot]') && (github.actor != 'hc-github-team-consul-core') }}
|
|
|
|
steps:
|
|
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
|
|
with:
|
|
cache: true
|
|
go-version: 1.20.12 #TODO move CI build config and this to .go-version or .go-mod
|
|
|
|
- name: Clone Security Scanner repo
|
|
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
with:
|
|
repository: hashicorp/security-scanner
|
|
token: ${{ secrets.HASHIBOT_PRODSEC_GITHUB_TOKEN }}
|
|
path: security-scanner
|
|
ref: main
|
|
|
|
- name: Scan
|
|
id: scan
|
|
uses: ./security-scanner
|
|
with:
|
|
repository: "$PWD"
|
|
# See scan.hcl at repository root for config.
|
|
|
|
- name: SARIF Output
|
|
shell: bash
|
|
run: |
|
|
cat results.sarif | jq
|
|
|
|
- name: Upload SARIF file
|
|
uses: github/codeql-action/upload-sarif@46a6823b81f2d7c67ddf123851eea88365bc8a67 # codeql-bundle-v2.13.5
|
|
with:
|
|
sarif_file: results.sarif |