Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weโ€™ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Workflow for PR run checks to manage secret usage #71

Merged
merged 13 commits into from
Mar 8, 2024
29 changes: 29 additions & 0 deletions .github/workflows/check-run.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
name: Check PR run

on:
workflow_call:

permissions: read-all

jobs:
check:
name: Check
runs-on: ubuntu-22.04

steps:
- name: Get user permission
id: get-permission
uses: actions-cool/check-user-permission@956b2e73cdfe3bcb819bb7225e490cb3b18fd76e # v2.2.1
with:
require: write
username: ${{ github.triggering_actor }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Check user permission
if: steps.get-permission.outputs.require-result == 'false'
run: |
echo "User ${{ github.triggering_actor }} does not have the necessary access for this repository."
echo "Current permission level is ${{ steps.get-permission.outputs.user-permission }}."
echo "Job originally triggered by ${{ github.actor }}."
exit 1
14 changes: 12 additions & 2 deletions .github/workflows/scan.yml
withinfocus marked this conversation as resolved.
Show resolved Hide resolved
Original file line number Diff line number Diff line change
Expand Up @@ -7,25 +7,33 @@ on:
- "main"
- "rc"
- "hotfix-rc"
pull_request:
pull_request_target:
types: [opened, synchronize]

permissions: read-all

jobs:
check-run:
name: Check PR run
uses: ./.github/workflows/check-run.yml

sast:
name: SAST scan
runs-on: ubuntu-22.04
needs: check-run
permissions:
security-events: write

steps:
- name: Check out repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ github.event.pull_request.head.sha }}

- name: Scan with Checkmarx
uses: checkmarx/ast-github-action@749fec53e0db0f6404a97e2e0807c3e80e3583a7 #2.0.23
env:
INCREMENTAL: "${{ github.event_name == 'pull_request' && '--sast-incremental' || '' }}"
INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
with:
project_name: ${{ github.repository }}
cx_tenant: ${{ secrets.CHECKMARX_TENANT }}
Expand All @@ -42,12 +50,14 @@ jobs:
quality:
name: Quality scan
runs-on: ubuntu-22.04
needs: check-run

steps:
- name: Check out repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }}

- name: Scan with SonarCloud
uses: sonarsource/sonarcloud-github-action@49e6cd3b187936a73b8280d59ffd9da69df63ec9 # v2.1.1
Expand Down