chore(deps): bump github/codeql-action from 3.25.10 to 3.26.3 #1172
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: pipeline | |
on: | |
push: | |
branches: | |
- develop | |
- feat/* | |
- hotfix/* | |
- main | |
pull_request: | |
branches: | |
- develop | |
- feat/* | |
- hotfix/* | |
- main | |
jobs: | |
init: | |
name: Init | |
runs-on: ubuntu-22.04 | |
outputs: | |
VERSION: ${{ steps.version.outputs.version }} | |
VERSION_FULL: ${{ steps.version.outputs.version_full }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4.1.7 | |
with: | |
# We need all Git history for "version.sh" | |
fetch-depth: 0 | |
# Ensure "version.sh" submodule are up-to-date | |
submodules: recursive | |
- name: Generate versions | |
id: version | |
run: | | |
echo "version=$(bash cicd/version/version.sh -g . -c)" >> $GITHUB_OUTPUT | |
echo "version_full=$(bash cicd/version/version.sh -g . -c -m)" >> $GITHUB_OUTPUT | |
sast-creds: | |
name: SAST - Credentials | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4.1.7 | |
with: | |
# We need all Git history for testing credentials | |
fetch-depth: 0 | |
# Ensure all submodules up-to-date | |
submodules: recursive | |
- name: Run tests | |
uses: trufflesecurity/trufflehog@v3.78.1 | |
with: | |
base: ${{ github.event.repository.default_branch }} | |
extra_args: --only-verified | |
head: HEAD~1 | |
sast-semgrep: | |
name: SAST - Semgrep | |
runs-on: ubuntu-22.04 | |
permissions: | |
# Allow to write to GitHub Security | |
security-events: write | |
container: | |
image: returntocorp/semgrep | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4.1.7 | |
- name: Run tests | |
# Semgrep can be used to break the build when it detects security issues. In this case we want to upload the issues to GitHub Security | |
continue-on-error: true | |
env: | |
SEMGREP_RULES: p/cwe-top-25 p/owasp-top-ten | |
run: semgrep ci --sarif --output=semgrep.sarif | |
- name: Upload results to GitHub Security | |
uses: github/codeql-action/upload-sarif@v3.26.3 | |
with: | |
sarif_file: semgrep.sarif | |
create-release: | |
name: Create release | |
needs: | |
- init | |
- sast-creds | |
- sast-semgrep | |
permissions: | |
# Allow to create releases | |
contents: write | |
runs-on: ubuntu-22.04 | |
outputs: | |
RELEASE_ID: ${{ steps.create-release.outputs.result }} | |
# Only publish on non-scheduled main branch, as there is only one Helm repo and we cannot override an existing version | |
if: (github.event_name != 'schedule') && (github.ref == 'refs/heads/main') | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4.1.7 | |
- name: Create release | |
id: create-release | |
uses: actions/github-script@v7.0.1 | |
with: | |
script: | | |
const isMain = context.ref == `refs/heads/main`; | |
const repoName = context.repo.repo; | |
console.log(isMain ? 'Creating release for default branch' : 'Creating release for non-default branch'); | |
const { data } = await github.rest.repos.createRelease({ | |
draft: true, | |
generate_release_notes: true, | |
name: `${repoName} v${{ needs.init.outputs.VERSION }}`, | |
owner: context.repo.owner, | |
prerelease: !isMain, | |
repo: repoName, | |
tag_name: 'v${{ needs.init.outputs.VERSION }}', | |
target_commitish: context.ref, | |
}); | |
return data.id | |
attest-dependencies: | |
name: Attest - Dependencies | |
permissions: | |
# Allow to write to GitHub Security | |
contents: write | |
runs-on: ubuntu-22.04 | |
needs: | |
- create-release | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4.1.7 | |
- name: Run attestation | |
uses: advanced-security/component-detection-dependency-submission-action@v0.0.2 | |
with: | |
directoryExclusionList: tests,docs,examples | |
attest-sbom: | |
name: Attest - SBOM | |
runs-on: ubuntu-22.04 | |
needs: | |
- create-release | |
- init | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4.1.7 | |
- name: Init Syft | |
uses: anchore/sbom-action/download-syft@v0.16.1 | |
- name: Run attestation | |
run: make sbom version_full=${{ needs.init.outputs.VERSION_FULL }} | |
- name: Upload results to release | |
uses: actions/upload-artifact@v4.3.4 | |
with: | |
name: sbom | |
path: sbom-reports/* | |
publish-release: | |
name: Publish release | |
permissions: | |
# Allow to write releases | |
contents: write | |
runs-on: ubuntu-22.04 | |
needs: | |
- create-release | |
# Only publish on non-scheduled default branch | |
if: (github.event_name != 'schedule') && (github.ref == 'refs/heads/main') | |
steps: | |
- name: publish release | |
id: publish-release | |
uses: actions/github-script@v7.0.1 | |
with: | |
script: | | |
github.rest.repos.updateRelease({ | |
draft: false, | |
owner: context.repo.owner, | |
release_id: ${{ needs.create-release.outputs.RELEASE_ID }}, | |
repo: context.repo.repo, | |
}); |