ci(deps): bump github/codeql-action/upload-sarif from 4.36.2 to 4.36.3 in the actions-minor-patch group #131
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| branches: [ main ] | |
| schedule: | |
| - cron: '0 2 * * *' | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| name: Build and Validate | |
| timeout-minutes: 15 | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Lint Dockerfile | |
| uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0 | |
| with: | |
| dockerfile: .devcontainer/Dockerfile | |
| - name: Run gitleaks | |
| # To bump gitleaks: | |
| # 1. Find the latest release at | |
| # https://github.com/gitleaks/gitleaks/releases/latest | |
| # 2. Download gitleaks_<version>_checksums.txt and copy the | |
| # sha256 for gitleaks_<version>_linux_x64.tar.gz | |
| # 3. Update GITLEAKS_VERSION and GITLEAKS_SHA256 below. | |
| env: | |
| GITLEAKS_VERSION: "8.30.1" | |
| GITLEAKS_SHA256: "551f6fc83ea457d62a0d98237cbad105af8d557003051f41f3e7ca7b3f2470eb" | |
| run: | | |
| set -euo pipefail | |
| tarball="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | |
| curl -fsSL -o "$tarball" \ | |
| "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/${tarball}" | |
| echo "${GITLEAKS_SHA256} ${tarball}" | sha256sum -c - | |
| tar -xzf "$tarball" gitleaks | |
| ./gitleaks detect \ | |
| --source . \ | |
| --redact \ | |
| --no-banner \ | |
| --exit-code 1 \ | |
| --report-format sarif \ | |
| --report-path gitleaks.sarif | |
| - name: Upload gitleaks SARIF | |
| if: > | |
| always() && | |
| (github.event_name != 'pull_request' || | |
| github.event.pull_request.head.repo.full_name == github.repository) | |
| uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4 | |
| with: | |
| sarif_file: gitleaks.sarif | |
| category: security-analysis/gitleaks | |
| - name: Build Docker image | |
| run: | | |
| docker build --pull -t "dev-template:${{ github.sha }}" .devcontainer/ | |
| docker save "dev-template:${{ github.sha }}" -o /tmp/dev-template.tar | |
| - name: Upload image artifact | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 | |
| with: | |
| name: docker-image-${{ github.sha }} | |
| path: /tmp/dev-template.tar | |
| retention-days: 1 | |
| test: | |
| runs-on: ubuntu-latest | |
| name: Test Devcontainer | |
| needs: build | |
| timeout-minutes: 20 | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Test devcontainer functionality | |
| uses: devcontainers/ci@513af61f4de4f75d37e4438f184ba4358f0fc1ca # v0.3 | |
| with: | |
| push: never | |
| runCmd: | | |
| set -eu | |
| for cmd in python3 node npm gh opencode curl jq claude; do | |
| if ! command -v "$cmd" >/dev/null 2>&1; then | |
| echo "::error::$cmd is missing" | |
| exit 1 | |
| fi | |
| done | |
| python3 --version | |
| node --version | |
| npm --version | |
| gh --version | |
| opencode --version | |
| curl --version | head -1 | |
| jq --version | |
| claude --version | |
| scan: | |
| runs-on: ubuntu-latest | |
| name: Security and SBOM Analysis | |
| needs: build | |
| timeout-minutes: 20 | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Download image artifact | |
| uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 | |
| with: | |
| name: docker-image-${{ github.sha }} | |
| path: /tmp | |
| - name: Load Docker image | |
| run: docker load -i /tmp/dev-template.tar | |
| - name: Run Trivy vulnerability scanner (image) | |
| id: trivy-image | |
| continue-on-error: true | |
| uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 | |
| with: | |
| image-ref: 'dev-template:${{ github.sha }}' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| severity: 'CRITICAL' | |
| ignore-unfixed: true | |
| limit-severities-for-sarif: true | |
| exit-code: '1' | |
| cache: false | |
| - name: Upload Trivy image scan results | |
| if: > | |
| always() && | |
| (github.event_name != 'pull_request' || | |
| github.event.pull_request.head.repo.full_name == github.repository) | |
| uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4 | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| category: 'security-analysis/trivy-image' | |
| - name: Generate SBOM | |
| if: always() | |
| uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0 | |
| with: | |
| image: 'dev-template:${{ github.sha }}' | |
| format: 'spdx-json' | |
| output-file: 'sbom.spdx.json' | |
| - name: Upload SBOM as artifact | |
| if: always() | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 | |
| with: | |
| name: sbom-${{ github.sha }} | |
| path: sbom.spdx.json | |
| retention-days: 30 | |
| - name: Run Trivy vulnerability scanner (filesystem) | |
| id: trivy-fs | |
| continue-on-error: true | |
| uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| format: 'sarif' | |
| output: 'trivy-fs-results.sarif' | |
| severity: 'CRITICAL' | |
| ignore-unfixed: true | |
| limit-severities-for-sarif: true | |
| exit-code: '1' | |
| cache: false | |
| - name: Upload Trivy filesystem scan results | |
| if: > | |
| always() && | |
| (github.event_name != 'pull_request' || | |
| github.event.pull_request.head.repo.full_name == github.repository) | |
| uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4 | |
| with: | |
| sarif_file: 'trivy-fs-results.sarif' | |
| category: 'security-analysis/trivy-filesystem' | |
| - name: Fail job if any Trivy scan found CRITICAL vulnerabilities | |
| if: steps.trivy-image.outcome == 'failure' || steps.trivy-fs.outcome == 'failure' | |
| run: | | |
| echo "::error::Trivy found CRITICAL vulnerabilities. Review the Security tab for details." | |
| exit 1 |