CHEF-31158 Setup common config to block PR merges if trufflehog fails #2
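# stub to call common GitHub Action (GA) as part of Continuous Integration (CI) Pull Request process checks for main branch
# inputs are described in the chef/common-github-actions/<GA.yml> with same name as this stub
#
# secrets are inherited from the calling workflow, typically SONAR_TOKEN, SONAR_HOST_URL, GH_TOKEN, AKEYLESS_JWT_ID, POLARIS_SERVER_URL and POLARIS_ACCESS_TOKEN
name: CI Pull Request on Main Branch

on:
  pull_request:
    branches: [main, release/**]
  push:
    branches: [main, release/**]
  workflow_dispatch:

# default token scope for every job; the reusable-workflow job below widens it (id-token: write) for its own use only
permissions:
  contents: read

env:
  STUB_VERSION: "1.0.8"

jobs:
  echo_version:
    name: 'Echo stub version'
    runs-on: ubuntu-latest
    steps:
      - name: echo version of stub and inputs
        run: |
          echo "CI main pull request stub version $STUB_VERSION"

  # Reads the version from the repository and the build metadata from the repository's custom
  # properties, and exposes both as job outputs for the reusable workflow call below.
  detect-custom-metadata:
    name: 'Detect custom properties'
    runs-on: ubuntu-latest
    outputs:
      primaryApplication: ${{ steps.set-custom-metadata.outputs.primaryApplication }}
      appBuildLanguage: ${{ steps.set-custom-metadata.outputs.applicationBuildLanguage }}
      appBuildProfile: ${{ steps.set-custom-metadata.outputs.applicationBuildProfile }}
      versionFromFile: ${{ steps.set-version-from-file.outputs.versionFromFile }}
    steps:
      - name: 'Checkout repository'
        # NOTE(review): a major-version tag is a mutable ref; pinning to a full commit SHA
        # (actions/checkout@<full-commit-sha> # v4) makes the checked-out action immutable
        uses: actions/checkout@v4

      - name: 'Detect version from file'
        id: set-version-from-file
        shell: bash
        run: |
          # VERSION / go.mod come from the checked-out commit, i.e. from the pull request under test.
          # Anything appended to $GITHUB_ENV / $GITHUB_OUTPUT must therefore be a single well-formed token:
          # a multi-line or crafted value could otherwise define additional variables or outputs.
          # Only the first line is read, CR is stripped, and the result is validated before it is written.
          version=""
          if [[ -f "VERSION" ]]; then
            version=$(head -1 VERSION | tr -d '\r')
          elif [[ -f "go.mod" ]]; then
            # picks the first vX.Y.Z string in go.mod — TODO confirm this is the intended source, it is usually a dependency's version
            # `|| true` keeps the step alive under pipefail when go.mod holds no such string
            version=$(grep -Eo 'v[0-9]+\.[0-9]+\.[0-9]+' go.mod | head -1 || true)
          else
            echo "VERSION_FROM_FILE not found, defaulting to empty"
          fi
          # accept only a semver-like token (letters, digits, . _ + -); anything else is dropped so the
          # caller falls back to its default version instead of receiving an unchecked string
          if [[ -n "$version" && ! "$version" =~ ^[0-9A-Za-z][0-9A-Za-z._+-]*$ ]]; then
            echo "::warning::ignoring malformed version string read from repository file"
            version=""
          fi
          if [[ -n "$version" ]]; then
            echo "VERSION_FROM_FILE=${version}" >> "$GITHUB_ENV"
          fi
          echo "versionFromFile=${version}" >> "$GITHUB_OUTPUT"
          # do not do echo "::set-output name=versionFromFile::$version" any more per https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

      - name: 'Detect app, language, and build profile environment variables from repository custom properties'
        id: set-custom-metadata
        # GH API returns something like [{"property_name":"GABuildLanguage","value":"go"},{"property_name":"GABuildProfile","value":"cli"},{"property_name":"primaryApplication","value":"chef-360"}]'
        # best effort: if this step fails the job outputs stay empty and the reusable workflow uses its defaults
        continue-on-error: true
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # $GITHUB_REPOSITORY carries the same owner/name value as ${{ github.repository }} without interpolating an expression into the script
          response=$(gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" "/repos/${GITHUB_REPOSITORY}/properties/values")
          primaryApplication=$(echo "$response" | jq -r '.[] | select(.property_name=="primaryApplication") | .value')
          GABuildLanguage=$(echo "$response" | jq -r '.[] | select(.property_name=="GABuildLanguage") | .value')
          GABuildProfile=$(echo "$response" | jq -r '.[] | select(.property_name=="GABuildProfile") | .value')
          echo "PRIMARY_APPLICATION=$primaryApplication" >> "$GITHUB_ENV"
          echo "GA_BUILD_LANGUAGE=$GABuildLanguage" >> "$GITHUB_ENV"
          echo "GA_BUILD_PROFILE=$GABuildProfile" >> "$GITHUB_ENV"
          # the same values are exposed as step outputs so the job-level outputs can forward them to the reusable workflow
          echo "primaryApplication=${primaryApplication}" >> "$GITHUB_OUTPUT"
          echo "applicationBuildLanguage=${GABuildLanguage}" >> "$GITHUB_OUTPUT"
          echo "applicationBuildProfile=${GABuildProfile}" >> "$GITHUB_OUTPUT"

  call-ci-main-pr-check-pipeline:
    # floating ref: the checks applied to this repository change whenever main of chef/common-github-actions moves;
    # pin to a tag or commit SHA if reproducible check behaviour is required
    uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@main
    # needs: [detect-custom-metadata, detect-version-from-file]
    needs: [detect-custom-metadata]
    secrets: inherit
    permissions:
      id-token: write
      contents: read
    with:
      application: ${{ needs.detect-custom-metadata.outputs.primaryApplication }}
      visibility: ${{ github.event.repository.visibility }} # private, public, or internal
      # go-private-modules: GOPRIVATE for Go private modules, default is 'github.com/progress-platform-services/*
      # if version specified, it takes precedence; can be a semver like 1.0.2-xyz or a tag like "latest"
      version: ${{ needs.detect-custom-metadata.outputs.versionFromFile || '1.0.0' }}
      detect-version-source-type: 'file' # options include "none" (do not detect), "file", "github-tag" or "github-release"
      detect-version-source-parameter: '' # use for file name
      language: ${{ needs.detect-custom-metadata.outputs.appBuildLanguage }} # Go, Ruby, Rust, JavaScript, TypeScript, Python, Java, C#, PHP, other - used for build and SonarQube language setting
      # complexity-checks, linting, trufflehog and trivy
      perform-complexity-checks: true
      # scc-output-filename: 'scc-output.txt'
      perform-language-linting: true # Perform language-specific linting and pre-compilation checks
      perform-trufflehog-scan: true
      fail-trufflehog-on-secrets-found: true # a detected secret fails the check and therefore blocks the merge
      perform-trivy-scan: true
      # perform application build and unit testing, will use custom repository properties when implemented for chef-primary-application, chef-build-profile, and chef-build-language
      build: true
      build-profile: ${{ needs.detect-custom-metadata.outputs.appBuildProfile }}
      unit-tests: false
      unit-test-output-path: "path/to/file.out"
      unit-test-command-override: ""
      # BlackDuck SAST (Polaris) require a build or binary present in repo to do SAST testing
      # requires these secrets: POLARIS_SERVER_URL, POLARIS_ACCESS_TOKEN
      perform-blackduck-polaris: false
      polaris-application-name: "Chef-Agents" # one of these: Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Other, Chef-Non-Product
      polaris-project-name: ${{ github.event.repository.name }} # arch-sample-cli
      polaris-working-directory: '.' # Working directory for the scan, defaults to . but usually lang-dependent like ./src
      polaris-coverity-build-command: 'go build -o bin/chef-cli.exe' # Coverity build command, typically done in build stage by language or here as param 1-liner like "mvn clean install"
      polaris-coverity-clean-command: 'go clean' # Coverity clean command, typically done before build stage by language or here as param 1-liner like "mvn clean"
      polaris-detect-search-depth: '5' # Detect search depth, blank but can be set to "3" to search up to 3 levels of subdirectories for code to scan'
      polaris-assessment-mode: 'SAST' # Assessment mode (SAST, CI or SOURCE_UPLOAD)
      wait-for-scan: true
      # polaris-detect-args: '' # Additional Detect arguments, can supply extra arguments like "--detect.diagnostic=true"
      # coverity_build_command: "go build"
      # coverity_clean_command: "go clean"
      # polaris-config-path: '' # Path to Detect configuration file, typically a file supplied at root level like ./detect-config.yml
      # polaris-coverity-config-path: '' # Path to Coverity configuration file, typically a file supplied at root level like ./coverity.yml
      # polaris-coverity-args: '' # Additional Coverity arguments,can supply extra arguments like "--config-override capture.build.build-command=make
      # perform SonarQube scan, with or without unit test coverage data
      # requires secrets SONAR_TOKEN and SONAR_HOST_URL (progress.sonar.com)
      perform-sonarqube-scan: true
      # perform-sonar-build: true
      # build-profile: 'default'
      # report-unit-test-coverage: true
      perform-docker-scan: false # scan Dockerfile and built images with Docker Scout or Trivy; see repo custom properties matching "container"
      # report to central developer dashboard
      report-to-atlassian-dashboard: false
      quality-product-name: 'Chef-Agents' # product name for quality reporting, like Chef360, Courier, Inspec
      # quality-product-name: ${{ github.event.repository.name }} # like 'Chef-360' - the product name for quality reporting, like Chef360, Courier, Inspec
      # quality-sonar-app-name: 'YourSonarAppName'
      # quality-testing-type: 'Integration' like Unit, Integration, e2e, api, Performance, Security
      # quality-service-name: 'YourServiceOrRepoName'
      # quality-junit-report: 'path/to/junit/report''
      # perform Habitat-based and native packaging, publish to package repositories
      package-binaries: false # Package binaries (e.g., RPM, DEB, MSI, dpkg + signing + SHA)
      habitat-build: false # Create Habitat packages
      publish-habitat-packages: false # Publish Habitat packages to Builder
      publish-habitat-hab_package: false # Chef Habitat package to install (e.g., core/nginx)
      publish-habitat-hab_version: "1.0.0" # Chef Habitat package version (optional)
      publish-habitat-hab_release: "20240101010101" # Chef Habitat package release (optional)
      publish-habitat-hab_channel: "stable" # Chef Habitat package channel (e.g., stable, base, base-2025); default is stable
      publish-habitat-hab_auth_token: "" # Chef Habitat Builder authentication token (uses secret if not provided)
      publish-habitat-runner_os: "ubuntu-latest" # OS runner for Habitat package publishing job, can also be windows-latest
      habitat-grype-scan: false # Scan built Habitat packages with Grype for vulnerabilities
      publish-packages: false # Publish packages (e.g., container from Dockerfile to ECR, go-releaser binary to releases page, omnibus to artifactory, gems, choco, homebrew, other app stores)
      # generate and export Software Bill of Materials (SBOM) in various formats
      generate-sbom: true
      export-github-sbom: true # SPDX JSON artifact on job instance
      generate-msft-sbom: false
      license_scout: false # Run license scout for license compliance (uses .license_scout.yml)
      # perform Blackduck software composition analysis (SCA) for 3rd party CVEs, licensing, and operational risk
      perform-blackduck-sca-scan: true # combined with generate sbom & generate github-sbom, also needs version above
      blackduck-project-group-name: 'Chef-Agents' # typically one of (Chef), Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Non-Product'
      blackduck-project-name: ${{ github.event.repository.name }} # BlackDuck project name, typically the repository name
      blackduck-force-low-accuracy-mode: false # if true, forces BlackDuck Detect to run in low accuracy mode which can reduce scan time for large projects at the cost of potentially missing some vulnerabilities; see https://synopsys.atlassian.net/wiki/spaces/INTDOCS/pages/1138617921/Black+Duck+Detect+Accuracy+Levels for details
      # udf1: 'default' # user defined flag 1
      # udf2: 'default' # user defined flag 2
      # udf3: 'default' # user defined flag 3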