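--- # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
# Action Security: runs the repository's own `./security-scan` composite action
# whenever an action definition (action.yml / action.yaml) changes, and opens a
# tracking issue when the scan step fails with critical findings.
name: Action Security

on:
  push:
    paths:
      - '**/action.yml'
      - '**/action.yaml'
  pull_request:
    paths:
      - '**/action.yml'
      - '**/action.yaml'
  merge_group:

# One run per workflow+ref; a newer push supersedes an in-flight scan.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Workflow-wide default for GITHUB_TOKEN. Note that a job-level `permissions`
# block REPLACES this one rather than extending it, so every scope a job needs
# must be repeated there (see `jobs.analyze.permissions`).
permissions:
  contents: read
  actions: read
  pull-requests: read

jobs:
  analyze:
    name: Analyze Action Security
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      # Read scopes repeated from the workflow level: a job-level block replaces
      # the workflow-level one, and unlisted scopes become `none`, which would
      # leave checkout without `contents: read`.
      contents: read
      actions: read
      pull-requests: read
      # Scan results upload (SARIF), commit status, and the tracking issue.
      security-events: write
      statuses: write
      issues: write
    steps:
      - name: Checkout Repository
        uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
        with:
          # Full history: the scan (gitleaks) needs past commits, not just HEAD.
          fetch-depth: 0

      - name: Run Security Scan
        id: security-scan
        uses: ./security-scan
        with:
          gitleaks-license: ${{ secrets.GITLEAKS_LICENSE }}
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Notify on Critical Issues
        # Also fires when the scan step failed before setting any output
        # (empty string != '0'); the issue body then shows empty counts.
        if: failure() && steps.security-scan.outputs.critical_issues != '0'
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        # Step outputs are handed to the script through `env`, not interpolated
        # with `${{ }}` inside the JavaScript source: the script text then
        # never contains untrusted data, so a crafted output cannot change
        # what the script executes.
        env:
          CRITICAL_ISSUES: ${{ steps.security-scan.outputs.critical_issues }}
          TOTAL_ISSUES: ${{ steps.security-scan.outputs.total_issues }}
          TRIVY_STATUS: ${{ steps.security-scan.outputs.has_trivy_results == 'true' && 'Completed' || 'Skipped/Failed' }}
          GITLEAKS_STATUS: ${{ steps.security-scan.outputs.has_gitleaks_results == 'true' && 'Completed' || 'Skipped' }}
        with:
          script: |-
            const { repo, owner } = context.repo;
            // Scan outputs arrive as plain environment strings (see `env` above).
            const critical = process.env.CRITICAL_ISSUES;
            const total = process.env.TOTAL_ISSUES;
            const trivy = process.env.TRIVY_STATUS;
            const gitleaks = process.env.GITLEAKS_STATUS;

            const body = `🚨 Critical security issues found in GitHub Actions

            ${critical} critical security issues (out of ${total} total) were found during the security scan.

            ### Scan Results
            - Actionlint: Completed
            - Trivy: ${trivy}
            - Gitleaks: ${gitleaks}

            [View detailed scan results](https://github.com/${owner}/${repo}/actions/runs/${context.runId})

            Please address these issues immediately.

            > Note: Some security tools might have been skipped due to missing configurations.
            > Check the workflow run for details.`;

            await github.rest.issues.create({
              owner,
              repo,
              title: '🚨 Critical Security Issues in Actions',
              body,
              labels: ['security', 'critical', 'actions'],
              assignees: ['ivuorinen'],
            });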