Merge pull request #49 from pleo-io/feat/DEVX-3103-opslevel-to-port-m… #9
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # THIS CODE WAS AUTOGENERATED. DO NOT MODIFY THIS FILE DIRECTLY | ||
| # THE SOURCE CODE LIVES IN A DIFFERENT REPOSITORY: | ||
| # - centralized-templates | ||
| # FILE STEWARD: @pleo-io/team-security | ||
| name: CodeQL Analysis | ||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| - master | ||
| - develop | ||
| pull_request: | ||
| branches: | ||
| - main | ||
| - master | ||
| - develop | ||
| merge_group: | ||
| types: [checks_requested] | ||
| env: | ||
| CONFIG_FILE: "" | ||
| RUN_ON_DEFAULT_BRANCH: true | ||
| jobs: | ||
| preflight: | ||
| if: ${{ !contains(github.event.pull_request.title, '(deps)') }} | ||
| name: Determine if CodeQL should run | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| should_run_analyze: ${{ steps.maybe_skip_analyze.outputs.should_run_analyze }} | ||
| steps: | ||
| - uses: winterjung/split@a211a1c46e35fcdc4097d59dd6282d4a9859651b # v2 | ||
| id: split | ||
| with: | ||
| msg: ${{ github.repository }} | ||
| separator: "/" | ||
| - id: get_default_branch | ||
| name: Determine our default branch | ||
| uses: octokit/[email protected] | ||
| with: | ||
| route: GET /repos/{owner}/{repo} | ||
| owner: ${{ github.repository_owner }} | ||
| repo: ${{ steps.split.outputs._1 }} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| - id: set_default_branch | ||
| name: Set our default branch | ||
| run: echo "DEFAULT_BRANCH=${{ fromJson(steps.get_default_branch.outputs.data).default_branch }}" >> "$GITHUB_ENV" | ||
| - id: maybe_skip_analyze | ||
| name: Check if analyze should run | ||
| shell: bash | ||
| run: | | ||
| if [[ "${{ env.RUN_ON_DEFAULT_BRANCH }}" == "false" && "${{ github.ref }}" == "refs/heads/${{ env.DEFAULT_BRANCH }}" && "${{ github.event_name }}" == "push" ]]; then | ||
| echo "Skipping CodeQL analysis on main branch due to configuration" | ||
| echo "should_run_analyze=false" >> "$GITHUB_OUTPUT" | ||
| elif [[ "${{ github.event_name }}" == "merge_group" ]]; then | ||
| echo "Skipping CodeQL analysis on merge queue due to a GitHub's known issue, see: https://github.com/github/codeql-action/issues/1537" | ||
| echo "should_run_analyze=false" >> "$GITHUB_OUTPUT" | ||
| else | ||
| echo "Running CodeQL analysis" | ||
| echo "should_run_analyze=true" >> "$GITHUB_OUTPUT" | ||
| fi | ||
| wiz-cli-scanning: | ||
| if: ${{ (github.ref != 'refs/heads/main' || github.event_name != 'push') && (!contains(github.event.pull_request.title, 'deps')) }} | ||
| name: Scan Dependency, Container or IaC with Wiz-CLI | ||
| uses: pleo-io/reusable-workflows/.github/workflows/security-analysis-with-wiz.reusable-external.yaml@main | ||
|
Check failure on line 69 in .github/workflows/codeql-analysis.managed.yaml
|
||
| permissions: | ||
| security-events: write | ||
| actions: read | ||
| contents: read | ||
| secrets: inherit | ||
| with: | ||
| # Dependency Scanning | ||
| wiz_scan_deps: false | ||
| wiz_scan_deps_path: "." | ||
| wiz_scan_deps_policy: "Pleo-Default-vulnerabilities-policy" | ||
| # Container Scanning | ||
| wiz_scan_container: false | ||
| wiz_scan_container_policy: "Pleo-Default-container-policy" | ||
| wiz_scan_container_dockerfile_path: "." | ||
| jdk_version: "17" | ||
| node_version: 20 | ||
| languages: | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| matrix: ${{ steps.set-matrix.outputs.languages }} | ||
| steps: | ||
| - name: Get languages from repo | ||
| id: set-matrix | ||
| uses: pleo-io/set-codeql-language-matrix@fix_output | ||
| with: | ||
| access-token: ${{ secrets.GITHUB_TOKEN }} | ||
| endpoint: ${{ github.event.repository.languages_url }} | ||
| analyze-code: | ||
| name: Analyze code with CodeQL | ||
| if: ${{ (needs.preflight.outputs.should_run_analyze == 'true') && (!contains(github.event.pull_request.title, 'deps')) && (needs.languages.outputs.matrix != '[]') }} | ||
| needs: | ||
| - preflight | ||
| - languages | ||
| runs-on: | ||
| group: codeql-runner-group | ||
| timeout-minutes: 30 | ||
| permissions: | ||
| actions: read | ||
| contents: read | ||
| security-events: write | ||
| env: | ||
| CODEQL_ACTION_EXTRA_OPTIONS: '{"database": {"run-queries": ["--off-heap-ram=3072"]}}' | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| language: ${{ fromJSON(needs.languages.outputs.matrix) }} | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 | ||
| # Set up a JDK environment for building, testing and releasing. | ||
| - name: CodeQL Analysis | ||
| uses: pleo-io/reusable-actions/codeql@main | ||
| with: | ||
| language: ${{ matrix.language }} | ||
| github_token: ${{ secrets.GH_REGISTRY_GRADLE_TOKEN }} | ||
| gradle_read_key: ${{ secrets.GH_REGISTRY_GRADLE_TOKEN }} | ||
| job_runr_repo_password: ${{ secrets.JOB_RUNR_REPO_PASSWORD }} | ||
| config_file: ${{ env.CONFIG_FILE }} | ||
| nodeVersion: 20 | ||
| jdkVersion: 17 | ||
