ci: sync workflows from central-workflows #39
Conversation
|
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| $API_URL/repos/${{ github.repository }}/milestones/$MILESTONE_NUMBER | ||
|
|
||
| - name: Trigger Release Workflow | ||
| uses: peter-evans/repository-dispatch@v1 |
Check warning
Code scanning / Semgrep (reported by Codacy)
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Warning
| uses: actions/checkout@v4 # Checkout the repository code using the actions/checkout action | ||
|
|
||
| - name: PR Conventional Commit Validation | ||
| uses: ytanikin/[email protected] # Use the PRConventionalCommits action to validate PR titles |
Check warning
Code scanning / Semgrep (reported by Codacy)
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Warning
| curl -X POST -H 'Content-Type: application/json' --data '{"alias":"Mo-Auto","emoji":":robot:","text":":x: :cry: I am reporting a bad [commit](https://github.com/${{github.repository}}/commit/${{github.sha}}) by :thinking_face: @${{github.actor}} :x:","attachments":[{"title":"GitHub user behavior reporter","title_link":"https://www.conventionalcommits.org","text":"We are not too happy with your last [commit](https://github.com/${{github.repository}}/commit/${{github.sha}}). Here is why : ${{ steps.push_get_commit_message.outputs.errormsg }}","color":"#764FA5"}]}' ${{ secrets.GITHUBUSERBEHAVIORSLACKREPORTER }} | ||
| exit 1 | ||
|
|
||
| - name: "[Pull Request] Report Commit Standard Status" |
Check notice
Code scanning / Checkov (reported by Codacy)
Suspicious use of curl with secrets Note
| git log --format=%B -n 1 HEAD^2 | npx commitlint | ||
| continue-on-error: true | ||
|
|
||
| - name: "[Push] Report Commit Standard Status" |
Check notice
Code scanning / Checkov (reported by Codacy)
Suspicious use of curl with secrets Note
| @@ -0,0 +1,66 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | |||
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure top-level permissions are not set to write-all Note
| @@ -0,0 +1,33 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | |||
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure top-level permissions are not set to write-all Note
| with: | ||
| fetch-depth: 0 # Fetch all history for all branches to ensure we have the full commit history | ||
|
|
||
| - name: Check GPG verification status # Step to check each commit for GPG signature verification |
Check notice
Code scanning / Checkov (reported by Codacy)
Suspicious use of curl with secrets Note
| @@ -0,0 +1,49 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | |||
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure top-level permissions are not set to write-all Note
| @@ -0,0 +1,43 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | |||
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure top-level permissions are not set to write-all Note
| on: | ||
| workflow_dispatch: | ||
| inputs: | ||
| milestoneId: |
Check notice
Code scanning / Checkov (reported by Codacy)
The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. Note
| @@ -0,0 +1,55 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | |||
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure top-level permissions are not set to write-all Note
| eslint: | ||
| name: Run eslint scanning | ||
| runs-on: ubuntu-latest | ||
| permissions: |
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure top-level permissions are not set to write-all Note
This PR syncs workflows from the central-workflows repository. Signed-off-by: Kyle Vorster [email protected]