Run licensing, security and best practices checks and generate reports/SBOMs using ORT.
See action.yml
jobs:
ort:
runs-on: ubuntu-latest
steps:
- name: Use HTTPS instead of SSH for Git cloning
run: git config --global url.https://github.com/.insteadOf ssh://git@github.com/
- name: Checkout project
uses: actions/checkout@v3
- name: Run GitHub Action for ORT
uses: oss-review-toolkit/ort-ci-github-action@v1
Alternatively, you can also use ORT to download the project sources using Git, Git-repo, Mercurial or Subversion.
jobs:
ort:
runs-on: ubuntu-latest
steps:
- name: Use HTTPS instead of SSH for Git cloning
run: git config --global url.https://github.com/.insteadOf ssh://git@github.com/
- name: Run GitHub Action for ORT
uses: oss-review-toolkit/ort-ci-github-action@v1
with:
vcs-url: 'https://github.com/jshttp/mime-types.git'
- Run ORT and analyze only specified package managers
- Run ORT with labels
- Run ORT and fail job on policy violations or security issues
- Run ORT on private repositories
- Run ORT on multiple repositories using a matrix
- Run ORT with a custom global configuration
- Run ORT with a custom Docker image
- Run ORT with PostgreSQL database
- Run only parts of the GitHub Action for ORT
jobs:
ort:
runs-on: ubuntu-latest
steps:
- name: Use HTTPS instead of SSH for Git cloning
run: git config --global url.https://github.com/.insteadOf ssh://git@github.com/
- name: Checkout project
uses: actions/checkout@v3
with:
repository: 'jshttp/mime-types'
- name: Run GitHub Action for ORT
uses: oss-review-toolkit/ort-ci-github-action@v1
with:
allow-dynamic-versions: 'true'
ort-cli-args: '-P ort.analyzer.enabledPackageManagers=NPM,Yarn,Yarn2'
Use labels to track scan related info or execute policy rules for specific product, delivery or organization.
jobs:
ort:
runs-on: ubuntu-latest
steps:
- name: Use HTTPS instead of SSH for Git cloning
run: git config --global url.https://github.com/.insteadOf ssh://git@github.com/
- name: Checkout project
uses: actions/checkout@v3
with:
repository: 'jshttp/mime-types'
- name: Run GitHub Action for ORT
uses: oss-review-toolkit/ort-ci-github-action@v1
with:
allow-dynamic-versions: 'true'
ort-cli-analyze-args: >
-l project=oss-project
-l dist=external
-l org=engineering-sdk-xyz-team-germany-berlin
Set fail-on
to fail the action if:
- policy violations reported by Evaluator exceed the
severeRuleViolationThreshold
level. - security issues reported by the Advisor exceed the
severeIssueThreshold
level.
By default severeRuleViolationThreshold
and severeIssueThreshold
are set to WARNING
but you can change this to for example ERROR
in your config.yml.
jobs:
ort:
runs-on: ubuntu-latest
steps:
- name: Use HTTPS instead of SSH for Git cloning
run: git config --global url.https://github.com/.insteadOf ssh://git@github.com/
- name: Checkout project
uses: actions/checkout@v3
with:
repository: 'jshttp/mime-types'
- name: Run GitHub Action for ORT
uses: oss-review-toolkit/ort-ci-github-action@v1
with:
allow-dynamic-versions: 'true'
fail-on: 'violations'
To run ORT on private Git repositories, we recommend to:
- Set up an account with read-only access rights
- Use a .netrc file, SSH keys or GitHub tokens for authentication.
jobs:
ort:
runs-on: ubuntu-latest
steps:
- name: Checkout project
uses: actions/checkout@v3
with:
repository: 'jshttp/mime-types'
- name: Add .netrc
run: >
default
login ${{ secrets.NETRC_LOGIN }}
password ${{ secrets.NETRC_PASSWORD }}" > ~/.netrc
- name: Add SSH key
run: |
mkdir -p ~/.ssh
echo "${{ secrets.SSH_KEY }}" > ~/.ssh/id_github
echo "${{ secrets.SSH_PUBLIC_KEY }}" > ~/.ssh/id_github.pub
chmod 600 ~/.ssh/id_github*
cat >>~/.ssh/config <<END
Host github.com
HostName ssh.github.com
User git
Port 443
IdentityFile ~/.ssh/id_github
StrictHostKeyChecking no
END
- name: Run GitHub Action for ORT
uses: oss-review-toolkit/ort-ci-github-action@v1
with:
allow-dynamic-versions: 'true'
jobs:
ort:
runs-on: [self-hosted, linux]
name: Run ORT
steps:
- name: Configure proxy server
run: |
https_proxy="http://proxy.example.com:3128/"
http_proxy="http://proxy.example.com:3128/"
printenv >> "$GITHUB_ENV"
- name: Use HTTPS with personal token always for Git cloning
run: |
git config --global url."https://oauth2:${{ secrets.PERSONAL_TOKEN_1 }}@github.com/".insteadOf "ssh://git@github.com/"
git config --global url."https://oauth2:${{ secrets.PERSONAL_TOKEN_2 }}@git.example.com/".insteadOf "ssh://git@git.example.com/"
git config --global url."https://oauth2:${{ secrets.PERSONAL_TOKEN_2 }}@git.example.com/".insteadOf "https://git.example.com/"
- name: Checkout project
uses: actions/checkout@v3
with:
repository: 'example-org/alpha'
ref: 'master'
github-server-url: 'https://git.example.com'
token: ${{ secrets.PERSONAL_TOKEN_2 }}
- name: Run GitHub action for ORT
uses: oss-review-toolkit/ort-ci-github-action@v1
with:
ort-config-repository: 'https://oauth2:${{ secrets.PERSONAL_TOKEN_2 }}@git.example.com/ort-project/ort-config.git'
run: >
cache-dependencies,
metadata-labels,
analyzer,
advisor,
reporter,
upload-results
jobs:
ort:
strategy:
fail-fast: false
matrix:
include:
- repository: example-org/alpha
sw-name: alpha
- repository: example-org/beta
sw-name: beta
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
repository: ${{ matrix.repository }}
- uses: oss-review-toolkit/ort-ci-github-action@v1
with:
sw-name: ${{ matrix.sw-name }}
Use ort-config-repository
to specify the location of your ORT global configuration repository.
If ort-config-revision
is not automatically latest state of configuration repository will be used.
Alternatively, you can also place your ORT global configuration files in ~/.ort/config
prior to running GitHub Action for ORT.
jobs:
ort:
runs-on: ubuntu-latest
steps:
- name: Use HTTPS instead of SSH for Git cloning
run: git config --global url.https://github.com/.insteadOf ssh://git@github.com/
- name: Checkout project
uses: actions/checkout@v3
with:
repository: 'jshttp/mime-types'
- name: Run GitHub Action for ORT
uses: oss-review-toolkit/ort-ci-github-action@v1
with:
ort-config-repository: 'https://github.com/oss-review-toolkit/ort-config'
ort-config-revision: 'e4ae8f0a2d0415e35d80df0f48dd95c90a992514'
jobs:
ort:
runs-on: ubuntu-latest
steps:
- name: Use HTTPS instead of SSH for Git cloning
run: git config --global url.https://github.com/.insteadOf ssh://git@github.com/
- name: Checkout project
uses: actions/checkout@v3
- name: Run GitHub Action for ORT
uses: oss-review-toolkit/ort-ci-github-action@v1
with:
image: 'my-org/ort-images/ort:latest'
ORT supports using a PostgreSQL database to caching scan data to speed-up scans.
Use the following action secrets at GitHub org or repository level to specified the database to use:
POSTGRES_URL
: 'jdbc:postgresql://ort-db.example.com:5432/ort'POSTGRES_USERNAME
: 'ort-db-username'POSTGRES_PASSWORD
: 'ort-db-password'
Next, pass these secrets to GitHub Action for ORT:
jobs:
ort:
runs-on: ubuntu-latest
steps:
- name: Use HTTPS instead of SSH for Git cloning
run: git config --global url.https://github.com/.insteadOf ssh://git@github.com/
- name: Checkout project
uses: actions/checkout@v3
with:
repository: 'jshttp/mime-types'
ref: '2.1.35'
- name: Run GitHub Action for ORT
uses: oss-review-toolkit/ort-ci-github-action@v1
with:
db-url: ${{ secrets.POSTGRES_URL }}
db-username: ${{ secrets.POSTGRES_USERNAME }}
db-password: ${{ secrets.POSTGRES_PASSWORD }}
run: 'cache-dependencies,analyzer,scanner,evaluator,advisor,reporter,upload-results'
sw-name: 'Mime Types'
sw-version: '2.1.35'
jobs:
ort:
runs-on: ubuntu-latest
steps:
- name: Checkout project
uses: actions/checkout@v3
- name: Run GitHub Action for ORT
uses: oss-review-toolkit/ort-ci-github-action@v1
with:
run: >
cache-dependencies,
metadata-labels,
analyzer,
advisor,
reporter,
upload-results,
upload-evaluation-result
All contributions are welcome. If you are interested in contributing, please read our contributing guide, and to get quick answers to any of your questions we recommend you join our Slack community.
Copyright (C) 2020-2022 The ORT Project Authors.
See the LICENSE file in the root of this project for license details.
OSS Review Toolkit (ORT) is a Linux Foundation project and part of ACT.