ci: update workflows to improve compatibility with private repositories and enhance security scans (#19)

Som3a99 · web-flow · commit b48073444ad5 · 2026-03-18T19:41:48.000+02:00
diff --git a/.github/workflows/ci-tests-coverage.yml b/.github/workflows/ci-tests-coverage.yml
@@ -50,69 +50,17 @@ jobs:
             /p:ExcludeByFile="**/Migrations/*.cs%3b**/Areas/Identity/**/*.cs%3b**/*.g.cs%3b**/*.designer.cs"
       - name: Install ReportGenerator for HTML coverage
         if: always()
-<<<<<<< HEAD
-<<<<<<< HEAD
-<<<<<<< HEAD
-<<<<<<< HEAD
-=======
->>>>>>> 4f764d7 (Add k6 load testing suite and documentation)
-=======
->>>>>>> cf4208d (ci: format ReportGenerator installation and update commands for clarity)
         run: |
           dotnet tool install -g dotnet-reportgenerator-globaltool || dotnet tool update -g dotnet-reportgenerator-globaltool
           echo "$HOME/.dotnet/tools" >> $GITHUB_PATH
-=======
-        run: dotnet tool install -g dotnet-reportgenerator-globaltool || dotnet tool update -g dotnet-reportgenerator-globaltool
->>>>>>> 800dd81 (Add k6 load testing suite and documentation)
-<<<<<<< HEAD
-<<<<<<< HEAD
-=======
->>>>>>> cf4208d (ci: format ReportGenerator installation and update commands for clarity)
-=======
-        run: |
-          dotnet tool install -g dotnet-reportgenerator-globaltool || dotnet tool update -g dotnet-reportgenerator-globaltool
-          echo "$HOME/.dotnet/tools" >> $GITHUB_PATH
->>>>>>> 348a276 (ci: format ReportGenerator installation and update commands for clarity)
-<<<<<<< HEAD
-=======
->>>>>>> 4f764d7 (Add k6 load testing suite and documentation)
-=======
->>>>>>> cf4208d (ci: format ReportGenerator installation and update commands for clarity)
 
       - name: Generate HTML coverage report
         if: always()
         run: |
           reportgenerator \
-<<<<<<< HEAD
-<<<<<<< HEAD
-<<<<<<< HEAD
-<<<<<<< HEAD
-=======
->>>>>>> 4f764d7 (Add k6 load testing suite and documentation)
-=======
->>>>>>> cf4208d (ci: format ReportGenerator installation and update commands for clarity)
-            -reports:"TestResults/**/coverage.cobertura.xml" \
-            -targetdir:"TestResults/coverage-html" \
-            -reporttypes:"Html;HtmlSummary"
-=======
-            -reports:TestResults/**/coverage.cobertura.xml \
-            -targetdir:TestResults/coverage-html \
-            -reporttypes:Html;HtmlSummary
->>>>>>> 800dd81 (Add k6 load testing suite and documentation)
-<<<<<<< HEAD
-<<<<<<< HEAD
-=======
->>>>>>> cf4208d (ci: format ReportGenerator installation and update commands for clarity)
-=======
             -reports:"TestResults/**/coverage.cobertura.xml" \
             -targetdir:"TestResults/coverage-html" \
             -reporttypes:"Html;HtmlSummary"
->>>>>>> 348a276 (ci: format ReportGenerator installation and update commands for clarity)
-<<<<<<< HEAD
-=======
->>>>>>> 4f764d7 (Add k6 load testing suite and documentation)
-=======
->>>>>>> cf4208d (ci: format ReportGenerator installation and update commands for clarity)
 
 
       - name: Upload test results and coverage
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -17,32 +17,8 @@ permissions:
 jobs:
   analyze:
     name: Analyze C# Code
-<<<<<<< HEAD
-<<<<<<< HEAD
-<<<<<<< HEAD
-<<<<<<< HEAD
-=======
->>>>>>> 09e91ff (ci: update security workflows to check for private repository status)
-=======
->>>>>>> 3712a2e (ci: update workflows to remove private repository condition for security scans)
     # Removed: if: github.event.repository.private == false
     # That condition caused the job to be permanently skipped on private repos.
-=======
-    if: github.event.repository.private == false
->>>>>>> aef5768 (ci: update security workflows to check for private repository status)
-<<<<<<< HEAD
-<<<<<<< HEAD
-=======
->>>>>>> 3712a2e (ci: update workflows to remove private repository condition for security scans)
-=======
-    # Removed: if: github.event.repository.private == false
-    # That condition caused the job to be permanently skipped on private repos.
->>>>>>> e20a634 (ci: update workflows to remove private repository condition for security scans)
-<<<<<<< HEAD
-=======
->>>>>>> 09e91ff (ci: update security workflows to check for private repository status)
-=======
->>>>>>> 3712a2e (ci: update workflows to remove private repository condition for security scans)
     runs-on: ubuntu-latest
     timeout-minutes: 30
 
@@ -80,48 +56,11 @@ jobs:
         uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
         with:
           category: "/language:${{ matrix.language }}"
-<<<<<<< HEAD
-<<<<<<< HEAD
-<<<<<<< HEAD
-<<<<<<< HEAD
-=======
->>>>>>> a7cca78 (ci: update CodeQL and Gitleaks workflows to improve handling of private repositories and artifact uploads)
-=======
->>>>>>> 3712a2e (ci: update workflows to remove private repository condition for security scans)
-=======
-=======
->>>>>>> a7cca78 (ci: update CodeQL and Gitleaks workflows to improve handling of private repositories and artifact uploads)
->>>>>>> 41d52d6 (ci: update CodeQL and Gitleaks workflows to improve handling of private repositories and artifact uploads)
           # FIX: Disable SARIF upload to GitHub's code-scanning API.
           # This repo is private without GitHub Advanced Security, so the upload
           # endpoint returns "Code scanning is not enabled" and fails the job.
           # The scan itself completes successfully — disabling upload lets the
           # job pass while preserving full analysis coverage.
           # To re-enable: remove this line and enable Code Scanning at
           # Settings → Code security → Code scanning (requires GHAS).
-<<<<<<< HEAD
-<<<<<<< HEAD
-<<<<<<< HEAD
-=======
->>>>>>> 3712a2e (ci: update workflows to remove private repository condition for security scans)
-=======
->>>>>>> 41d52d6 (ci: update CodeQL and Gitleaks workflows to improve handling of private repositories and artifact uploads)
-          upload: false
-=======
-          # upload: false is NOT set — we attempt upload normally.
-          # On private repos without GHAS the upload will warn but the job still passes
-          # because the action only hard-errors when security-events write is explicitly denied.
-        continue-on-error: false
->>>>>>> e20a634 (ci: update workflows to remove private repository condition for security scans)
-<<<<<<< HEAD
-<<<<<<< HEAD
-=======
-          upload: false
->>>>>>> a7cca78 (ci: update CodeQL and Gitleaks workflows to improve handling of private repositories and artifact uploads)
-=======
->>>>>>> 3712a2e (ci: update workflows to remove private repository condition for security scans)
-=======
-=======
           upload: false
->>>>>>> a7cca78 (ci: update CodeQL and Gitleaks workflows to improve handling of private repositories and artifact uploads)
->>>>>>> 41d52d6 (ci: update CodeQL and Gitleaks workflows to improve handling of private repositories and artifact uploads)
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
@@ -32,104 +32,14 @@ jobs:
         uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-<<<<<<< HEAD
-<<<<<<< HEAD
-<<<<<<< HEAD
-<<<<<<< HEAD
-=======
->>>>>>> 3712a2e (ci: update workflows to remove private repository condition for security scans)
-=======
->>>>>>> 41d52d6 (ci: update CodeQL and Gitleaks workflows to improve handling of private repositories and artifact uploads)
           # GITLEAKS_CONFIG points to your custom rules file at repo root.
           GITLEAKS_CONFIG: .gitleaks.toml
-<<<<<<< HEAD
-<<<<<<< HEAD
-          # FIX: gitleaks-action v2 auto-generates a SARIF file internally and
-          # handles its own artifact upload when GITLEAKS_ENABLE_UPLOAD_ARTIFACT=true
-          # (the default). The `with.args` parameter does not exist in this action
-          # and was silently ignored — that is why results.sarif was never written
-          # to disk, causing the upload step to fail with "file not found".
-          # Uploading SARIF to the code-scanning API also requires GitHub Advanced
-          # Security (GHAS), which is not available on private free-plan repos.
-          # We therefore disable the built-in artifact upload and instead capture
-          # the report ourselves below using actions/upload-artifact (no GHAS needed).
-          GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false
-=======
-        with:
-          args: detect --source=. --report-format sarif --report-path results.sarif
->>>>>>> aef5768 (ci: update security workflows to check for private repository status)
-
-      - name: Upload Gitleaks report as workflow artifact
-        # Run even when gitleaks finds secrets (exit code 1) so the report is
-        # always available for review — but skip when the step was cancelled.
-        if: always() && steps.gitleaks.outcome != 'cancelled'
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: gitleaks-report
-          # gitleaks-action v2 writes the SARIF to this fixed path
-          path: results.sarif
-          if-no-files-found: ignore
-=======
-          # Fix: In gitleaks-action v2, report format/path are controlled via
-          # GITLEAKS_REPORT_FORMAT and GITLEAKS_REPORT_PATH env vars, NOT via
-          # the `with.args` parameter (which is ignored by this action version).
+          # FIX: In gitleaks-action v2, report format/path are controlled by env vars.
+          # The action does not support `with.args` in this pinned version.
           GITLEAKS_REPORT_FORMAT: sarif
           GITLEAKS_REPORT_PATH: results.sarif
-<<<<<<< HEAD
-<<<<<<< HEAD
-=======
-          # GITLEAKS_CONFIG points to your custom rules file at repo root.
->>>>>>> a7cca78 (ci: update CodeQL and Gitleaks workflows to improve handling of private repositories and artifact uploads)
-          GITLEAKS_CONFIG: .gitleaks.toml
-=======
->>>>>>> 09e91ff (ci: update security workflows to check for private repository status)
-          # FIX: gitleaks-action v2 auto-generates a SARIF file internally and
-          # handles its own artifact upload when GITLEAKS_ENABLE_UPLOAD_ARTIFACT=true
-          # (the default). The `with.args` parameter does not exist in this action
-          # and was silently ignored — that is why results.sarif was never written
-          # to disk, causing the upload step to fail with "file not found".
-          # Uploading SARIF to the code-scanning API also requires GitHub Advanced
-          # Security (GHAS), which is not available on private free-plan repos.
-          # We therefore disable the built-in artifact upload and instead capture
-          # the report ourselves below using actions/upload-artifact (no GHAS needed).
-          GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false
-=======
-        with:
-          args: detect --source=. --report-format sarif --report-path results.sarif
->>>>>>> aef5768 (ci: update security workflows to check for private repository status)
-
-      - name: Upload Gitleaks report as workflow artifact
-        # Run even when gitleaks finds secrets (exit code 1) so the report is
-        # always available for review — but skip when the step was cancelled.
-        if: always() && steps.gitleaks.outcome != 'cancelled'
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-<<<<<<< HEAD
-          sarif_file: results.sarif
-        continue-on-error: true
->>>>>>> e20a634 (ci: update workflows to remove private repository condition for security scans)
-=======
-          name: gitleaks-report
-          # gitleaks-action v2 writes the SARIF to this fixed path
-          path: results.sarif
-          if-no-files-found: ignore
->>>>>>> a7cca78 (ci: update CodeQL and Gitleaks workflows to improve handling of private repositories and artifact uploads)
-=======
-=======
-=======
-          # GITLEAKS_CONFIG points to your custom rules file at repo root.
->>>>>>> a7cca78 (ci: update CodeQL and Gitleaks workflows to improve handling of private repositories and artifact uploads)
->>>>>>> 41d52d6 (ci: update CodeQL and Gitleaks workflows to improve handling of private repositories and artifact uploads)
-          GITLEAKS_CONFIG: .gitleaks.toml
-          # FIX: gitleaks-action v2 auto-generates a SARIF file internally and
-          # handles its own artifact upload when GITLEAKS_ENABLE_UPLOAD_ARTIFACT=true
-          # (the default). The `with.args` parameter does not exist in this action
-          # and was silently ignored — that is why results.sarif was never written
-          # to disk, causing the upload step to fail with "file not found".
-          # Uploading SARIF to the code-scanning API also requires GitHub Advanced
-          # Security (GHAS), which is not available on private free-plan repos.
-          # We therefore disable the built-in artifact upload and instead capture
-          # the report ourselves below using actions/upload-artifact (no GHAS needed).
+          # FIX: Disable built-in artifact upload and upload explicitly below.
+          # This avoids dependency on code-scanning integrations in private repos.
           GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false
 
       - name: Upload Gitleaks report as workflow artifact
@@ -138,17 +48,6 @@ jobs:
         if: always() && steps.gitleaks.outcome != 'cancelled'
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-<<<<<<< HEAD
-          sarif_file: results.sarif
-        continue-on-error: true
->>>>>>> e20a634 (ci: update workflows to remove private repository condition for security scans)
-<<<<<<< HEAD
->>>>>>> 3712a2e (ci: update workflows to remove private repository condition for security scans)
-=======
-=======
           name: gitleaks-report
-          # gitleaks-action v2 writes the SARIF to this fixed path
           path: results.sarif
-          if-no-files-found: ignore
->>>>>>> a7cca78 (ci: update CodeQL and Gitleaks workflows to improve handling of private repositories and artifact uploads)
->>>>>>> 41d52d6 (ci: update CodeQL and Gitleaks workflows to improve handling of private repositories and artifact uploads)
+          if-no-files-found: ignore
diff --git a/.github/workflows/security-scans.yml b/.github/workflows/security-scans.yml
@@ -12,79 +12,12 @@ permissions:
   contents: read
 
 jobs:
-<<<<<<< HEAD
-<<<<<<< HEAD
-<<<<<<< HEAD
-<<<<<<< HEAD
-=======
->>>>>>> 319cdfb (ci: remove dependency review job to enhance compatibility with private repositories)
-=======
->>>>>>> 09e91ff (ci: update security workflows to check for private repository status)
-=======
-=======
->>>>>>> 319cdfb (ci: remove dependency review job to enhance compatibility with private repositories)
->>>>>>> 82c510d (ci: remove dependency review job to enhance compatibility with private repositories)
   # NOTE: actions/dependency-review-action has been intentionally removed.
   # It hard-requires GitHub Advanced Security (GHAS) on private repositories —
   # the Dependency Graph being enabled is necessary but not sufficient.
   # GHAS is only available on GitHub Enterprise plans.
   # Equivalent coverage is provided by dotnet-vulnerability-scan below,
   # which uses `dotnet list --vulnerable` and needs no special GitHub features.
-<<<<<<< HEAD
-<<<<<<< HEAD
-<<<<<<< HEAD
-=======
->>>>>>> 82c510d (ci: remove dependency review job to enhance compatibility with private repositories)
-=======
-  dependency-review:
-    name: Dependency Review
-    # Fix: Removed `github.event.repository.private == false` — that condition
-    # permanently skips this job on private repos.
-    #
-    # Dependency Review requires the Dependency Graph to be enabled in your
-    # repository settings (Settings → Code security → Dependency graph).
-    # It does NOT require GitHub Advanced Security on private repos —
-    # the Dependency Graph feature is available on all GitHub plans.
-    # Enable it at: https://github.com/Som3a99/company-management-system/settings/security_analysis
-    if: github.event_name == 'pull_request'
-=======
-=======
-  dependency-review:
-    name: Dependency Review
-<<<<<<< HEAD
-    if: github.event_name == 'pull_request' && github.event.repository.private == false
->>>>>>> 09e91ff (ci: update security workflows to check for private repository status)
-=======
-    # Fix: Removed `github.event.repository.private == false` — that condition
-    # permanently skips this job on private repos.
-    #
-    # Dependency Review requires the Dependency Graph to be enabled in your
-    # repository settings (Settings → Code security → Dependency graph).
-    # It does NOT require GitHub Advanced Security on private repos —
-    # the Dependency Graph feature is available on all GitHub plans.
-    # Enable it at: https://github.com/Som3a99/company-management-system/settings/security_analysis
-    if: github.event_name == 'pull_request'
->>>>>>> 3712a2e (ci: update workflows to remove private repository condition for security scans)
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Dependency Review
-        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
-        with:
-          fail-on-severity: moderate
->>>>>>> aef5768 (ci: update security workflows to check for private repository status)
-<<<<<<< HEAD
-<<<<<<< HEAD
-=======
->>>>>>> 319cdfb (ci: remove dependency review job to enhance compatibility with private repositories)
-=======
->>>>>>> 09e91ff (ci: update security workflows to check for private repository status)
-=======
-=======
->>>>>>> 319cdfb (ci: remove dependency review job to enhance compatibility with private repositories)
->>>>>>> 82c510d (ci: remove dependency review job to enhance compatibility with private repositories)
 
   dotnet-vulnerability-scan:
     name: .NET Vulnerability Audit
