ci: sync workflows from central-workflows #42
Conversation
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
|
||
| # Step to trigger another workflow for releasing, passing the milestone number. | ||
| - name: Trigger Release Workflow | ||
| uses: peter-evans/repository-dispatch@v1 |
Check warning
Code scanning / Semgrep (reported by Codacy)
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Warning
| uses: actions/checkout@v4 # Checkout the repository code using the actions/checkout action | ||
|
|
||
| - name: PR Conventional Commit Validation | ||
| uses: ytanikin/[email protected] # Use the PRConventionalCommits action to validate PR titles |
Check warning
Code scanning / Semgrep (reported by Codacy)
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Warning
| @@ -0,0 +1,33 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | |||
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure top-level permissions are not set to write-all Note
| @@ -0,0 +1,40 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | |||
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure top-level permissions are not set to write-all Note
| tfsec: | ||
| name: Run tfsec sarif report | ||
| runs-on: ubuntu-latest | ||
| permissions: |
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure top-level permissions are not set to write-all Note
| @@ -0,0 +1,54 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | |||
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure top-level permissions are not set to write-all Note
| @@ -0,0 +1,43 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | |||
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure top-level permissions are not set to write-all Note
| on: | ||
| workflow_dispatch: | ||
| inputs: | ||
| milestoneId: |
Check notice
Code scanning / Checkov (reported by Codacy)
The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. Note
| @@ -0,0 +1,71 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | |||
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure top-level permissions are not set to write-all Note
| with: | ||
| fetch-depth: 0 # Fetch all history for all branches to ensure we have the full commit history | ||
|
|
||
| - name: Set up environment variables |
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure run commands are not vulnerable to shell injection Note
| with: | ||
| fetch-depth: 0 # Fetch all history for all branches to ensure complete commit history is available | ||
|
|
||
| - name: Set up environment variables |
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure run commands are not vulnerable to shell injection Note
This PR syncs workflows from the central-workflows repository. Signed-off-by: Kyle Vorster [email protected]