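---
# Reusable workflow: runs GitHub's dependency review on a pull request and
# picks the license allow-list to enforce from the coveo/dependency-allowed-licenses
# repository, based on whether the calling repository is public, private and
# distributed, or private and undistributed.
#
# Supply-chain note: every `uses:` below references a mutable tag. For a
# workflow that gates merges, pin each action to a full commit SHA
# (`owner/action@<40-hex-sha>  # vX.Y.Z`) and let Dependabot bump the pins.
name: Coveo Dependency Reviewer
on:
  workflow_call:
    inputs:
      comment-summary-in-pr:
        description: >-
          Determines if the summary is posted as a comment in the PR itself.
          Setting this to `always` or `on-failure` requires you to give the
          workflow the write permissions for pull-requests
        required: false
        default: on-failure
        type: string
      base-ref:
        # NOTE(review): this default only resolves when the caller runs on a
        # pull_request event; callers on other events should pass explicit refs.
        description: Provide custom git references for the git base
        required: false
        default: ${{ github.event.pull_request.base.sha }}
        type: string
      head-ref:
        description: Provide custom git references for the git head
        required: false
        default: ${{ github.event.pull_request.head.sha }}
        type: string
      fail-on-severity:
        description: >-
          Defines the threshold for the level of severity. The action will fail
          on any pull requests that introduce vulnerabilities of the specified
          severity level or higher.
        required: false
        default: high
        type: string
      runs-on:
        # Self-hosted runners must not execute code from forks of public repos;
        # public repos are expected to override this with GitHub-hosted runners.
        description: |
          The type of machine to run the job on. Must be provided as a stringified list (e.g. public repos should specify `runs-on: '["ubuntu-latest"]'`)
        default: '["coveo", "arm64" , "linux", "eks"]'
        type: string
      retry-on-snapshot-warnings:
        description: Whether to retry on snapshot warnings (to be used for projects where a dependency submission Action is used)
        required: false
        type: boolean
        default: false
      retry-on-snapshot-warnings-timeout:
        description: Number of seconds to wait before stopping snapshot retries.
        required: false
        type: number
        default: 120
      warn-on-openssf-scorecard-level:
        description: Numeric threshold for the OpenSSF Scorecard score. If the score is below this threshold, the action will warn you.
        required: false
        type: number
        default: 3

# Top-level token permissions are empty; the job requests only what it needs.
permissions: {}

jobs:
  dependency-review:
    name: Dependency Review
    runs-on: ${{ fromJson(inputs.runs-on) }}
    permissions:
      contents: read
      # Needed only when comment-summary-in-pr is `always` or `on-failure`;
      # a reusable workflow cannot make this conditional, so the caller must
      # grant it regardless of the setting it passes.
      pull-requests: write
    steps:
      - name: Checkout scan target
        uses: actions/checkout@v4
        with:
          # The scan talks to the Dependency Graph API via GITHUB_TOKEN; no git
          # credentials need to be left on disk for later steps.
          persist-credentials: false

      - name: Checkout licenses
        uses: actions/checkout@v4
        with:
          repository: coveo/dependency-allowed-licenses
          path: coveo-dependency-allowed-licenses
          persist-credentials: false
          # NOTE(review): without `ref:` this pulls the default branch, so anyone
          # with write access to that repo changes the license policy for every
          # consumer at once; consider pinning `ref:` to a tag or SHA.

      - name: Get Properties
        id: get-properties
        uses: actions/github-script@v7
        with:
          script: |
            const { owner, repo } = context.repo;

            // Visibility comes straight from the repository object.
            const { data: repoDetails } = await github.request(
              'GET /repos/{owner}/{repo}',
              { owner, repo }
            );
            const isPublic = !repoDetails.private;
            console.log(`Is this a public repo? ${isPublic}`);
            core.setOutput('is_public', isPublic);

            // Public repositories are distributed by definition. Private ones are
            // classified by the `is_distributed` custom property; a missing
            // property is treated as distributed.
            let isDistributed = isPublic;
            if (!isPublic) {
              const { data: properties } = await github.request(
                'GET /repos/{owner}/{repo}/properties/values',
                { owner, repo }
              );
              console.log('Repository properties: ' + JSON.stringify(properties, null, 2));
              const distributedProperty = properties.find(
                (prop) => prop.property_name === 'is_distributed'
              );
              isDistributed = distributedProperty
                ? distributedProperty.value === 'true'
                : true;
            }
            core.setOutput('is_distributed', isDistributed);

      - name: Select configuration
        id: select-config
        uses: actions/github-script@v7
        # Step outputs are passed through the environment rather than being
        # interpolated into the script with `${{ }}`. The previous form produced
        # `const isPublic = true === 'true';` (an unquoted JS literal compared to
        # a string), which is always false and made every repo fall through to
        # private-undistributed.yml. Using env also avoids the script-injection
        # pattern of splicing expression output into code.
        env:
          IS_PUBLIC: ${{ steps.get-properties.outputs.is_public }}
          IS_DISTRIBUTED: ${{ steps.get-properties.outputs.is_distributed }}
        with:
          result-encoding: string
          script: |
            // Step outputs are always strings ("true"/"false"), so compare as strings.
            const isPublic = process.env.IS_PUBLIC === 'true';
            const isDistributed = process.env.IS_DISTRIBUTED === 'true';

            // Returned file name is resolved relative to the licenses checkout.
            if (isPublic) {
              return 'public.yml';
            }
            return isDistributed ? 'private-distributed.yml' : 'private-undistributed.yml';

      - name: Scan
        # TODO(review): the action reference was garbled in this copy of the file
        # (the inputs below are those of actions/dependency-review-action v4).
        # Restore the exact release that was in use and pin it to its commit SHA.
        uses: actions/dependency-review-action@v4
        with:
          comment-summary-in-pr: ${{ inputs.comment-summary-in-pr }}
          fail-on-severity: ${{ inputs.fail-on-severity }}
          config-file: ./coveo-dependency-allowed-licenses/${{ steps.select-config.outputs.result }}
          base-ref: ${{ inputs.base-ref }}
          head-ref: ${{ inputs.head-ref }}
          retry-on-snapshot-warnings: ${{ inputs.retry-on-snapshot-warnings }}
          retry-on-snapshot-warnings-timeout: ${{ inputs.retry-on-snapshot-warnings-timeout }}
          warn-on-openssf-scorecard-level: ${{ inputs.warn-on-openssf-scorecard-level }}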