Add FOSSA scan workflow & .fossa.yml (#846)

* 👷 Add FOSSA scan workflow & .fossa.yml Signed-off-by: Rintaro Okamura <rintaro.okamura@gmail.com> * 🎨 Format yamls Signed-off-by: Rintaro Okamura <rintaro.okamura@gmail.com>
vdaas · Nov 19, 2020 · 428740c · 428740c
1 parent b045e86
commit 428740c
Show file tree

Hide file tree

Showing 3 changed files with 171 additions and 2 deletions.
diff --git a/.fossa.yml b/.fossa.yml
@@ -0,0 +1,108 @@
+#
+# Copyright (C) 2019-2020 Vdaas.org Vald team ( kpango, rinx, kmrmt )
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+version: 2
+cli:
+  server: https://app.fossa.com
+  fetcher: custom
+  project: vald
+  locator: git+github.com/vdaas/vald
+analyze:
+  modules:
+  - name: github.com/vdaas/vald/cmd/agent/core/ngt
+    type: go
+    target: github.com/vdaas/vald/cmd/agent/core/ngt
+    path: cmd/agent/core/ngt
+  - name: github.com/vdaas/vald/cmd/agent/sidecar
+    type: go
+    target: github.com/vdaas/vald/cmd/agent/sidecar
+    path: cmd/agent/sidecar
+  - name: github.com/vdaas/vald/cmd/discoverer/k8s
+    type: go
+    target: github.com/vdaas/vald/cmd/discoverer/k8s
+    path: cmd/discoverer/k8s
+  - name: github.com/vdaas/vald/cmd/gateway/vald
+    type: go
+    target: github.com/vdaas/vald/cmd/gateway/vald
+    path: cmd/gateway/vald
+  - name: github.com/vdaas/vald/cmd/manager/backup/cassandra
+    type: go
+    target: github.com/vdaas/vald/cmd/manager/backup/cassandra
+    path: cmd/manager/backup/cassandra
+  - name: github.com/vdaas/vald/cmd/manager/backup/mysql
+    type: go
+    target: github.com/vdaas/vald/cmd/manager/backup/mysql
+    path: cmd/manager/backup/mysql
+  - name: github.com/vdaas/vald/cmd/manager/compressor
+    type: go
+    target: github.com/vdaas/vald/cmd/manager/compressor
+    path: cmd/manager/compressor
+  - name: github.com/vdaas/vald/cmd/manager/index
+    type: go
+    target: github.com/vdaas/vald/cmd/manager/index
+    path: cmd/manager/index
+  - name: github.com/vdaas/vald/cmd/manager/replication/agent
+    type: go
+    target: github.com/vdaas/vald/cmd/manager/replication/agent
+    path: cmd/manager/replication/agent
+  - name: github.com/vdaas/vald/cmd/manager/replication/controller
+    type: go
+    target: github.com/vdaas/vald/cmd/manager/replication/controller
+    path: cmd/manager/replication/controller
+  - name: github.com/vdaas/vald/cmd/meta/cassandra
+    type: go
+    target: github.com/vdaas/vald/cmd/meta/cassandra
+    path: cmd/meta/cassandra
+  - name: github.com/vdaas/vald/cmd/meta/redis
+    type: go
+    target: github.com/vdaas/vald/cmd/meta/redis
+    path: cmd/meta/redis
+  - name: github.com/vdaas/vald/cmd/tools/cli/vdctl
+    type: go
+    target: github.com/vdaas/vald/cmd/tools/cli/vdctl
+    path: cmd/tools/cli/vdctl
+  - name: github.com/vdaas/vald/hack/helm/schema/gen
+    type: go
+    target: github.com/vdaas/vald/hack/helm/schema/gen
+    path: hack/helm/schema/gen
+  - name: github.com/vdaas/vald/hack/license/gen
+    type: go
+    target: github.com/vdaas/vald/hack/license/gen
+    path: hack/license/gen
+  - name: github.com/vdaas/vald/hack/tools/config/agent/core/ngt
+    type: go
+    target: github.com/vdaas/vald/hack/tools/config/agent/core/ngt
+    path: hack/tools/config/agent/core/ngt
+  - name: github.com/vdaas/vald/hack/tools/config/discoverer/k8s
+    type: go
+    target: github.com/vdaas/vald/hack/tools/config/discoverer/k8s
+    path: hack/tools/config/discoverer/k8s
+  - name: github.com/vdaas/vald/hack/tools/config/gateway/vald
+    type: go
+    target: github.com/vdaas/vald/hack/tools/config/gateway/vald
+    path: hack/tools/config/gateway/vald
+  - name: github.com/vdaas/vald/hack/tools/config/manager/backup/mysql
+    type: go
+    target: github.com/vdaas/vald/hack/tools/config/manager/backup/mysql
+    path: hack/tools/config/manager/backup/mysql
+  - name: github.com/vdaas/vald/hack/tools/config/meta/redis
+    type: go
+    target: github.com/vdaas/vald/hack/tools/config/meta/redis
+    path: hack/tools/config/meta/redis
+  - name: github.com/vdaas/vald/hack/tools/metrics
+    type: go
+    target: github.com/vdaas/vald/hack/tools/metrics
+    path: hack/tools/metrics
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
@@ -0,0 +1,61 @@
+name: "Run FOSSA scan"
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    types:
+      - "labeled"
+
+jobs:
+  fossa-scan:
+    name: "trigger FOSSA scan"
+    runs-on: ubuntu-latest
+    container:
+      image: vdaas/vald-ci-container:nightly
+    if: github.ref == 'refs/heads/master' || github.event.action == 'labeled' && github.event.label.name == 'actions/fossa'
+    steps:
+      - uses: actions/checkout@v2
+      - name: "Install fossa-cli"
+        run: |
+          curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install.sh | bash
+      - name: "Run for master branch"
+        if: github.ref == 'refs/heads/master'
+        run: |
+          fossa analyze --branch master --revision ${GITHUB_SHA}
+        env:
+          FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_SHA: ${{ github.sha }}
+      - name: "Run for PRs"
+        if: github.event_name == 'pull_request'
+        run: |
+          curl -s ${PR_INFO_URL} > /tmp/pr_info.json
+          PR_RESP=`cat /tmp/pr_info.json`
+          HEAD_BRANCH=$(cat /tmp/pr_info.json | jq -r .head.ref)
+          if [ -z "$HEAD_BRANCH" ]; then
+            echo "Cannot get head branch information for PR #${PR_NUM}!"
+            echo "API response: $PR_RESP"
+            fossa analyze --revision ${GITHUB_SHA}
+          else
+            echo "Head branch for PR #${PR_NUM} is ${HEAD_BRANCH}"
+
+            fossa analyze --branch ${HEAD_BRANCH} --revision ${GITHUB_SHA}
+
+            ESCAPED=`echo -n "${HEAD_BRANCH}" | python3 -c 'import urllib.parse; import sys; print(urllib.parse.quote(sys.stdin.read(), safe=""))'`
+
+            curl --include --verbose --fail \
+            -H "Accept: application/json" \
+            -H "Content-Type:application/json" \
+            -H "Authorization: token ${GITHUB_TOKEN}" \
+            --request POST \
+            --data "{\"body\": \"**[FOSSA]** The scan result will be available at https://app.fossa.com/projects/custom%2B21465%2Fvald/refs/branch/${ESCAPED}/${GITHUB_SHA}\"}" \
+            $API_URL
+          fi
+        env:
+          FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_SHA: ${{ github.sha }}
+          PR_INFO_URL: ${{ github.event.pull_request.url }}
+          API_URL: ${{ github.event.pull_request.comments_url }}
+          PR_NUM: ${{ github.event.pull_request.number }}
diff --git a/README.md b/README.md
@@ -8,7 +8,7 @@
 [![Codacy Badge](https://img.shields.io/codacy/grade/a6e544eee7bc49e08a000bb10ba3deed?style=flat-square)](https://www.codacy.com/app/i.can.feel.gravity/vald?utm_source=github.com&utm_medium=referral&utm_content=vdaas/vald&utm_campaign=Badge_Grade)
 [![Go Report Card](https://goreportcard.com/badge/github.com/vdaas/vald?style=flat-square)](https://goreportcard.com/report/github.com/vdaas/vald)
 [![DepShield Badge](https://depshield.sonatype.org/badges/vdaas/vald/depshield.svg?style=flat-square)](https://depshield.github.io)
-[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgit.luolix.top%2Fvdaas%2Fvald.svg?type=small&style=flat-square)](https://app.fossa.com/projects/git%2Bgit.luolix.top%2Fvdaas%2Fvald?ref=badge_small)
+[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B21465%2Fvald.svg?type=small)](https://app.fossa.com/projects/custom%2B21465%2Fvald?ref=badge_small)
 [![DeepSource](https://static.deepsource.io/deepsource-badge-light-mini.svg)](https://deepsource.io/gh/vdaas/vald/?ref=repository-badge)
 [![CLA](https://cla-assistant.io/readme/badge/vdaas/vald?&style=flat-square)](https://cla-assistant.io/vdaas/vald)
 [![Artifact Hub](https://img.shields.io/badge/chart-ArtifactHub-informational?logo=helm&style=flat-square)](https://artifacthub.io/packages/chart/vald/vald)
@@ -297,4 +297,4 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
 
 vald released under Apache 2.0 license, refer [LICENSE](https://github.com/vdaas/vald/blob/master/LICENSE) file.
 
-[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgit.luolix.top%2Fvdaas%2Fvald.svg?type=large)](https://app.fossa.io/projects/git%2Bgit.luolix.top%2Fvdaas%2Fvald?ref=badge_large)
+[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B21465%2Fvald.svg?type=large)](https://app.fossa.com/projects/custom%2B21465%2Fvald?ref=badge_large)