mirror of
https://github.com/ivuorinen/actions.git
synced 2026-01-26 11:34:00 +00:00
Ismo Vuorinen
44a11e9773
* chore: update actions, cleanup pr-lint * chore: cleanup pre-commit config, formatting * chore: revert sigstore/cosign-installer downgrade * chore: formatting
82 lines
2.5 KiB
YAML
82 lines
2.5 KiB
YAML
---
|
|
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
|
|
name: Action Security
|
|
|
|
on:
|
|
push:
|
|
paths:
|
|
- '**/action.yml'
|
|
- '**/action.yaml'
|
|
pull_request:
|
|
paths:
|
|
- '**/action.yml'
|
|
- '**/action.yaml'
|
|
merge_group:
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
permissions:
|
|
contents: read
|
|
actions: read
|
|
pull-requests: read
|
|
|
|
jobs:
|
|
analyze:
|
|
name: Analyze Action Security
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 30
|
|
|
|
permissions:
|
|
security-events: write
|
|
statuses: write
|
|
issues: write
|
|
|
|
steps:
|
|
- name: Checkout Repository
|
|
uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Run Security Scan
|
|
id: security-scan
|
|
uses: ./security-scan
|
|
with:
|
|
gitleaks-license: ${{ secrets.GITLEAKS_LICENSE }}
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Notify on Critical Issues
|
|
if: failure() && steps.security-scan.outputs.critical_issues != '0'
|
|
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
|
|
with:
|
|
script: |-
|
|
const { repo, owner } = context.repo;
|
|
const critical = '${{ steps.security-scan.outputs.critical_issues }}';
|
|
const total = '${{ steps.security-scan.outputs.total_issues }}';
|
|
|
|
const body = `🚨 Critical security issues found in GitHub Actions
|
|
|
|
${critical} critical security issues (out of ${total} total) were found during the security scan.
|
|
|
|
### Scan Results
|
|
- Actionlint: Completed
|
|
- Trivy: ${{ steps.security-scan.outputs.has_trivy_results == 'true' && 'Completed' || 'Skipped/Failed' }}
|
|
- Gitleaks: ${{ steps.security-scan.outputs.has_gitleaks_results == 'true' && 'Completed' || 'Skipped' }}
|
|
|
|
[View detailed scan results](https://github.com/${owner}/${repo}/actions/runs/${context.runId})
|
|
|
|
Please address these issues immediately.
|
|
|
|
> Note: Some security tools might have been skipped due to missing configurations.
|
|
> Check the workflow run for details.`;
|
|
|
|
await github.rest.issues.create({
|
|
owner,
|
|
repo,
|
|
title: '🚨 Critical Security Issues in Actions',
|
|
body,
|
|
labels: ['security', 'critical', 'actions'],
|
|
assignees: ['ivuorinen']
|
|
});
|