Feat/ci actions @coderabbitio (#61)

* feat(ci): create daily releases * feat(ci): better splitting of security-suite steps * fix(ci): update new-release workflow
2026-02-01 06:41:25 +00:00 · 2025-03-02 00:27:36 +02:00
parent 2661996471
commit ebf9a673d0
3 changed files with 156 additions and 39 deletions
--- a/.github/workflows/security-suite.yml
+++ b/.github/workflows/security-suite.yml
@@ -28,25 +28,18 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-env:
-  SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-
 jobs:
-  security-checks:
-    name: Security Checks
+  check-secrets:
+    name: Check Required Secrets
    runs-on: ubuntu-latest
-    timeout-minutes: 30
-
-    permissions:
-      security-events: write
-      pull-requests: write
-      statuses: write
-      issues: write
-      id-token: write
+    outputs:
+      run_snyk: ${{ steps.check.outputs.run_snyk }}
+      run_slack: ${{ steps.check.outputs.run_slack }}
+      run_sonarcloud: ${{ steps.check.outputs.run_sonarcloud }}

    steps:
      - name: Check Required Secrets
-        id: check-secrets
+        id: check
        shell: bash
        run: |
          {
@@ -55,7 +48,6 @@ jobs:
            echo "run_sonarcloud=false"
          } >> "$GITHUB_OUTPUT"

-          # Check secrets
          if [ -n "${{ secrets.SNYK_TOKEN }}" ]; then
            echo "run_snyk=true" >> "$GITHUB_OUTPUT"
          else
@@ -74,11 +66,15 @@ jobs:
            echo "::warning::SONAR_TOKEN not set - SonarCloud analysis will be skipped"
          fi

-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
+  owasp:
+    name: OWASP Dependency Check
+    runs-on: ubuntu-latest
+    needs: check-secrets
+    permissions:
+      security-events: write

-      # OWASP Dependency Check
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Run OWASP Dependency Check
        uses: dependency-check/Dependency-Check_Action@3102a65fd5f36d0000297576acc56a475b0de98d # main
        with:
@@ -90,53 +86,92 @@ jobs:
            --enableRetired
            --enableExperimental
            --failOnCVSS 7
-
      - name: Upload OWASP Results
        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
        with:
          sarif_file: reports/dependency-check-report.sarif
          category: owasp-dependency-check
+      - name: Upload artifact
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: owasp-results
+          path: reports/dependency-check-report.sarif

-      # Snyk Analysis
-      - name: Setup Node.js
-        if: steps.check-secrets.outputs.run_snyk == 'true'
-        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+  snyk:
+    name: Snyk Security Scan
+    runs-on: ubuntu-latest
+    needs: check-secrets
+    if: needs.check-secrets.outputs.run_snyk == 'true'
+    permissions:
+      security-events: write
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
        with:
          node-version: 'lts/*'
          cache: 'npm'
-
      - name: Run Snyk Scan
-        id: snyk
-        if: steps.check-secrets.outputs.run_snyk == 'true'
        uses: snyk/actions/node@cdb760004ba9ea4d525f2e043745dfe85bb9077e # master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --all-projects --sarif-file-output=snyk-results.sarif
-
      - name: Upload Snyk Results
-        if: steps.check-secrets.outputs.run_snyk == 'true'
        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
        with:
          sarif_file: snyk-results.sarif
          category: snyk
+      - name: Upload artifact
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: snyk-results
+          path: snyk-results.sarif

-      # OSSF Scorecard
+  scorecard:
+    name: OSSF Scorecard
+    runs-on: ubuntu-latest
+    needs: check-secrets
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Run Scorecard
        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
        with:
          results_file: scorecard-results.sarif
          results_format: sarif
          publish_results: true
-
      - name: Upload Scorecard Results
        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
        with:
          sarif_file: scorecard-results.sarif
          category: scorecard
+      - name: Upload artifact
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: scorecard-results
+          path: scorecard-results.sarif
+
+  analyze:
+    name: Analyze Results
+    runs-on: ubuntu-latest
+    needs: [check-secrets, owasp, scorecard, snyk]
+    if: always()
+    permissions:
+      issues: write
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Download scan results
+        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.0
+        with:
+          path: ./results

-      # Analysis and Metrics
      - name: Analyze Results
        id: analysis
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
@@ -194,16 +229,16 @@ jobs:

              // Analyze all SARIF files
              metrics.tools = {
-                owasp: analyzeSarif('reports/dependency-check-report.sarif', 'OWASP'),
-                snyk: ${{ steps.check-secrets.outputs.run_snyk == 'true' }} ?
-                  analyzeSarif('snyk-results.sarif', 'Snyk') : null,
-                scorecard: analyzeSarif('scorecard-results.sarif', 'Scorecard')
+                owasp: analyzeSarif('./results/owasp-results/dependency-check-report.sarif', 'OWASP'),
+                snyk: ${{ needs.check-secrets.outputs.run_snyk == 'true' }} ?
+                  analyzeSarif('./results/snyk-results/snyk-results.sarif', 'Snyk') : null,
+                scorecard: analyzeSarif('./results/scorecard-results/scorecard-results.sarif', 'Scorecard')
              };

-              // Save results for other steps
+              // Save results
              fs.writeFileSync('security-results.json', JSON.stringify(metrics, null, 2));

-              // Set outputs for other steps
+              // Set outputs
              core.setOutput('total_critical', metrics.vulnerabilities.critical);
              core.setOutput('total_high', metrics.vulnerabilities.high);

@@ -313,7 +348,7 @@ jobs:
          retention-days: 30

      - name: Notify on Failure
-        if: failure() && steps.check-secrets.outputs.run_slack == 'true'
+        if: failure() && needs.check-secrets.outputs.run_slack == 'true'
        run: |
          curl -X POST -H 'Content-type: application/json' \
            --data '{"text":"❌ Security checks failed! Check the logs for details."}' \