Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weโ€™ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Workflow for PR run checks to manage secret usage #71

Merged
merged 13 commits into from
Mar 8, 2024
Merged

Workflow for PR run checks to manage secret usage #71

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
e985a07
Workflow for PR run checks to manage secret usage
withinfocus Mar 1, 2024
87904ee
Use full permission check
withinfocus Mar 4, 2024
4e4b12e
Make check-run only for workflow calls and scan on targets
withinfocus Mar 5, 2024
22beae5
Check target
withinfocus Mar 5, 2024
a0ef2a1
Preliminary needs
withinfocus Mar 5, 2024
ca2da45
Keep target removed
withinfocus Mar 5, 2024
24c4e28
Temporarily open up
withinfocus Mar 5, 2024
65a9560
Revert "Temporarily open up"
withinfocus Mar 5, 2024
b02a21e
Always run check
withinfocus Mar 5, 2024
13efe89
Allow PRs again, and check only on targets
withinfocus Mar 5, 2024
92b5cba
Incremental for both PR events
withinfocus Mar 5, 2024
015e179
Do not skip
withinfocus Mar 5, 2024
f634c62
Removal for final testing post-merge
withinfocus Mar 8, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions .github/workflows/check-run.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
name: Check PR run

on:
pull_request_target:
types: [opened, synchronize]
workflow_call:

permissions: read-all

jobs:
check:
name: Check
runs-on: ubuntu-22.04

steps:
- name: Check access
if: ${{ github.event.pull_request.author_association != 'COLLABORATOR' && github.event.pull_request.author_association != 'OWNER' }}
withinfocus marked this conversation as resolved.
Show resolved Hide resolved
run: |
echo "Event not triggered by a collaborator."
exit 1
7 changes: 7 additions & 0 deletions .github/workflows/scan.yml
View file
Open in desktop
withinfocus marked this conversation as resolved.
Show resolved Hide resolved
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,15 @@ on:
permissions: read-all

jobs:
check-run:
name: Check PR run
if: github.event_name == 'pull_request'
uses: ./.github/workflows/check-run.yml

sast:
name: SAST scan
runs-on: ubuntu-22.04
needs: check-run
permissions:
security-events: write

Expand Down Expand Up @@ -42,6 +48,7 @@ jobs:
quality:
name: Quality scan
runs-on: ubuntu-22.04
needs: check-run

steps:
- name: Check out repo
Expand Down