feat(bau): check-chain script is bit more flexible #147
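name: Checkmarx One Scan

# ↓ lock down top-level permissions to only what we use.
# NOTE: the `build` job declares its own `permissions` block, and a job-level
# block replaces (does not extend) this one, so the effective set is the
# job's. Keep the two in sync.
permissions:
  contents: read # we only need to checkout code
  actions: read # to query workflows/runs
  pull-requests: write # to comment on or label PRs
  security-events: write # to upload the scan results

on:
  # pull_request_target allows secrets to be read from fork PRs.
  # DO NOT build or run checked out code from this job.
  #
  # Please note: Due to how this job is run, any changes to this
  # job will only take effect when merged to main.
  #
  # From https://michaelheap.com/access-secrets-from-forks/
  # Also see https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
  pull_request_target:
    types: [opened, synchronize, reopened]
  push:
    branches: ['main']

concurrency:
  # github.head_ref is empty on push events; fall back to github.ref so
  # pushes to main get their own group instead of all sharing the bare
  # "<workflow>-" key.
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
  cancel-in-progress: true

jobs:
  build:
    # Job-level permissions replace the top-level block entirely.
    # NOTE(review): none of the steps below comment on PRs or set commit
    # statuses; confirm pull-requests/statuses write are still needed.
    permissions:
      contents: read
      pull-requests: write
      statuses: write
      security-events: write
    runs-on: ubuntu-latest
    steps:
      # Gate: only PRs opened by collaborators/owners may run with secrets.
      # The event_name guard matters: on `push` there is no pull_request
      # payload, so the association comparisons would read as '' != '...'
      # and every push to main would fail at this step.
      # NOTE(review): MEMBER is not in the allow-list; confirm that is intended.
      - name: Check access
        if: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.author_association != 'COLLABORATOR' && github.event.pull_request.author_association != 'OWNER' }}
        run: |
          echo "This job needs re-running by someone with collaboration permissions."
          exit 1

      # This is dangerous without the first access check
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
        with:
          # Yes we do need to specify head explicitly here (read github article)
          ref: ${{ github.event.pull_request.head.sha }}
          # Nothing below pushes or fetches with the job token, so do not
          # leave it in .git/config next to a PR author's checked-out tree.
          persist-credentials: false

      - name: Install dependencies
        run: |
          python3 -m pip install --upgrade pip
          python3 -m pip install beautifulsoup4 requests

      # Informational only: prints the EU2 status page state and never fails
      # the job (every request error is caught and printed).
      - name: Scrape Checkmarx status
        run: |
          cat <<'EOF' > scrape_checkmarx.py
          import requests
          from bs4 import BeautifulSoup

          # URL of the status page
          url = "https://eu2-status.ast.checkmarx.net/"
          try:
              # Send a GET request to fetch the HTML content; bound the wait so a
              # hung status page cannot stall the job until the runner timeout
              response = requests.get(url, timeout=30)
              response.raise_for_status()  # Check for request errors
              # Parse the HTML content
              soup = BeautifulSoup(response.text, 'html.parser')
              # Locate the status element based on its HTML structure
              status_element = soup.find('aside', class_='operational state-bar')
              # Check if the status is operational
              if status_element and 'Operating Normally' in status_element.text:
                  print("The status is operational with status")
                  print(status_element.text)
              else:
                  print("The status is not operational.")
          except requests.exceptions.RequestException as e:
              print(f"An error occurred: {e}")
          EOF
          python3 scrape_checkmarx.py

      # Records healthy=true/false so the scan steps below can be skipped
      # (rather than run and fail) when the service is down.
      - name: Check Checkmarx One server health
        id: health
        run: |
          # NOTE(review): this probes the ind-* status page while the scan
          # targets base_uri eu-2.* — confirm this is the intended region.
          # `|| true` keeps a connection failure from aborting the step under
          # bash -e; curl then reports "000", which is treated as unhealthy.
          response=$(curl -s --max-time 30 -o /dev/null -w "%{http_code}" https://ind-status.ast.checkmarx.net/ || true)
          if [ "$response" != "200" ]; then
            echo "Checkmarx One server is down. Proceeding without breaking the build."
            echo "healthy=false" >> "$GITHUB_OUTPUT"
          else
            echo "Checkmarx One server is healthy. Proceeding with scan."
            echo "healthy=true" >> "$GITHUB_OUTPUT"
          fi

      - name: Checkmarx One CLI Action
        if: steps.health.outputs.healthy == 'true'
        uses: checkmarx/ast-github-action@f29b1171205dec7f7a301f53809ad54a0ee65f86 #2.3.24
        with:
          cx_tenant: ${{ secrets.CX_TENANT }}
          base_uri: https://eu-2.ast.checkmarx.net/
          cx_client_id: ${{ secrets.CX_CLIENT_ID }}
          cx_client_secret: ${{ secrets.CX_CLIENT_SECRET_EU }}
          # Folded scalar: these lines become one space-separated argument string.
          additional_params: >
            --report-format sarif
            --scs-repo-url https://github.com/midnightntwrk/midnight-node-docker
            --scs-repo-token ${{ secrets.MIDNIGHTCI_REPO }}

      # Per the step name, findings with an empty artifact URI are repo-level
      # issues the SARIF upload cannot place; re-point them at README.md.
      - name: Filter out repo level issues that github can't handle
        if: steps.health.outputs.healthy == 'true'
        run: |
          mv ./cx_result.sarif ./cx_result.sarif.orig
          jq '.runs |= map(.results |= map(.locations |= map(if .physicalLocation.artifactLocation.uri == "" then .physicalLocation.artifactLocation.uri = "file:/README.md" else . end)))' cx_result.sarif.orig > cx_result.sarif

      # Upload results to github
      - name: Upload SARIF file
        if: steps.health.outputs.healthy == 'true'
        uses: github/codeql-action/upload-sarif@7273f08caa1dcf2c2837f362f1982de0ab4dc344 # v3.29.2
        with:
          sarif_file: cx_result.sarif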