Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Migrate security-check to reusable Github Actions #324

Merged
merged 1 commit into from
Jun 6, 2024
Merged

Migrate security-check to reusable Github Actions #324

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
97 changes: 3 additions & 94 deletions .github/workflows/daily-security-check.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,97 +6,6 @@ on:
workflow_dispatch:

jobs:
security:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Checkout repo
uses: actions/checkout@v2

# PHP checks
- name: Check for php composer project
id: check_composer
uses: andstor/file-existence-action@v2
with:
files: "composer.lock"
- name: Run php local security checker
if: steps.check_composer.outputs.files_exists == 'true'
uses: symfonycorp/security-checker-action@v4

# node-yarn checks
- name: Check for node-yarn project
id: check_node_yarn
uses: andstor/file-existence-action@v2
with:
files: "yarn.lock"
- name: Setup node
if: steps.check_node_yarn.outputs.files_exists == 'true'
uses: actions/setup-node@v3
with:
node-version: 20
- name: Yarn Audit
if: steps.check_node_yarn.outputs.files_exists == 'true'
run: yarn audit --level high --groups dependencies optionalDependencies

# node-npm checks
- name: Check for node-npm project
id: check_node_npm
uses: andstor/file-existence-action@v2
with:
files: "package.lock"
- name: Setup node
if: steps.check_node_npm.outputs.files_exists == 'true'
uses: actions/setup-node@v3
with:
node-version: 20
- name: npm audit
if: steps.check_node_npm.outputs.files_exists == 'true'
run: npm audit --audit-level=high

# python checks
- name: Check for python project
id: check_python
uses: andstor/file-existence-action@v2
with:
files: "requirements.txt"
- name: Safety checks Python dependencies
if: steps.check_python.outputs.files_exists == 'true'
uses: pyupio/safety@2.3.5

# java checks
- name: Check for java maven project
id: check_maven
uses: andstor/file-existence-action@v2
with:
files: "pom.xml"
- name: Setup java if needed
if: steps.check_maven.outputs.files_exists == 'true'
uses: actions/setup-java@v3
with:
java-version: 11
distribution: 'temurin'
cache: 'maven'
- name: Set up maven cache if needed
if: steps.check_maven.outputs.files_exists == 'true'
uses: actions/cache@v1
with:
path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
restore-keys: |
${{ runner.os }}-maven-
- name: Check java
if: steps.check_maven.outputs.files_exists == 'true'
run: mvn org.owasp:dependency-check-maven:check

# Send results
- name: Send to Slack if something failed
if: failure()
uses: rtCamp/action-slack-notify@v2
env:
SLACK_CHANNEL: surfconext-nightly-check
SLACK_COLOR: ${{ job.status }}
SLACK_ICON: https://static.surfconext.nl/logos/idp/surfnet.png
SLACK_MESSAGE: 'Dependency check failed :crying_cat_face:'
SLACK_TITLE: ${{ github.repository }} wants attention
SLACK_USERNAME: NightlySecurityCheck
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
call-workflow-passing-data:
name: Daily security check (Reusable Workflow)
uses: openconext/openconext-githubactions/.github/workflows/daily-security-check.yml@main