flux2/.github/workflows/scan.yaml

name: scan

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '18 10 * * 3'

permissions:
  contents: read # for actions/checkout to fetch code
  security-events: write # for codeQL to write security events

jobs:
  fossa:
    name: FOSSA
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run FOSSA scan and upload build data
        uses: fossa-contrib/fossa-action@v1
        with:
          # FOSSA Push-Only API Token
          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
          github-token: ${{ github.token }}

  snyk:
    name: Snyk
    runs-on: ubuntu-latest
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v3
      - name: Setup Kustomize
        uses: fluxcd/pkg//actions/kustomize@main
      - name: Build manifests
        run: |
          make cmd/flux/.manifests.done
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/golang@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --sarif-file-output=snyk.sarif
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: snyk.sarif

  codeql:
    name: CodeQL
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Set up Go
        uses: actions/setup-go@v2
        with:
          go-version: 1.19.x
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: go
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
Update GitHub actions Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 3 years ago			`name: scan`
Bundle CodeQL, FOSSA, Snyk as jobs in workflow Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago
			`on:`
			`push:`
			`branches: [ main ]`
			`pull_request:`
			`branches: [ main ]`
			`schedule:`
			`- cron: '18 10 * * 3'`

Update GitHub actions Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 3 years ago			`permissions:`
			`contents: read # for actions/checkout to fetch code`
			`security-events: write # for codeQL to write security events`

Bundle CodeQL, FOSSA, Snyk as jobs in workflow Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago			`jobs:`
			`fossa:`
			`name: FOSSA`
			`runs-on: ubuntu-latest`
			`steps:`
Update GitHub actions Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 3 years ago			`- uses: actions/checkout@v3`
Bundle CodeQL, FOSSA, Snyk as jobs in workflow Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago			`- name: Run FOSSA scan and upload build data`
			`uses: fossa-contrib/fossa-action@v1`
			`with:`
			`# FOSSA Push-Only API Token`
			`fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de`
			`github-token: ${{ github.token }}`

			`snyk:`
			`name: Snyk`
			`runs-on: ubuntu-latest`
Fix detection of PRs from forks Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago			`if: github.event_name != 'pull_request' \|\| github.event.pull_request.head.repo.full_name == github.repository`
Bundle CodeQL, FOSSA, Snyk as jobs in workflow Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago			`steps:`
Update GitHub actions Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 3 years ago			`- uses: actions/checkout@v3`
Embed the install manifests in flux binary - add make target for generating the install manifests using kustomize - embed the generated manifests in flux binary - the install and bootstrap commands default to using the embedded manifests - download the install manifests from GitHub only if the install/bootstrap version arg is set Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 4 years ago			`- name: Setup Kustomize`
			`uses: fluxcd/pkg//actions/kustomize@main`
			`- name: Build manifests`
			`run: \|`
Use a file to record successful manifests build Using the directory cmd/flux/manifests as a prerequisite causes a problem: if the script that creates the files within fails, the next invocation of make will see the directory and assume it succeeded. Since the executable expects certain files to be present, but they are not explicit prerequisites of the recipe for building the binary, this results in a successful build but a broken `flux` executable. Instead, depend on a file that's explicitly updated when the script has succeeded, and which itself depends on the inputs. A couple of the CI workflows run make cmd/flux/manifests before doing other things, presumably as a way to avoid running the whole test suite in a CI pipeline for some purpose other than testing, so these needed changing as well. Signed-off-by: Michael Bridgen <michael@weave.works> 3 years ago			`make cmd/flux/.manifests.done`
Bundle CodeQL, FOSSA, Snyk as jobs in workflow Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago			`- name: Run Snyk to check for vulnerabilities`
			`uses: snyk/actions/golang@master`
			`continue-on-error: true`
			`env:`
			`SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}`
			`with:`
			`args: --sarif-file-output=snyk.sarif`
			`- name: Upload result to GitHub Code Scanning`
			`uses: github/codeql-action/upload-sarif@v1`
			`with:`
			`sarif_file: snyk.sarif`

			`codeql:`
			`name: CodeQL`
			`runs-on: ubuntu-latest`
			`steps:`
			`- name: Checkout repository`
Update GitHub actions Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 3 years ago			`uses: actions/checkout@v3`
Setup CodeQL CI job with Go 1.18 Signed-off-by: Adrien Fillon <adrien.fillon@manomano.com> 2 years ago			`- name: Set up Go`
			`uses: actions/setup-go@v2`
			`with:`
Build with Go 1.19 Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 2 years ago			`go-version: 1.19.x`
Bundle CodeQL, FOSSA, Snyk as jobs in workflow Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago			`- name: Initialize CodeQL`
Update GitHub actions Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 3 years ago			`uses: github/codeql-action/init@v2`
Bundle CodeQL, FOSSA, Snyk as jobs in workflow Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago			`with:`
			`languages: go`
			`- name: Autobuild`
Update GitHub actions Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 3 years ago			`uses: github/codeql-action/autobuild@v2`
Bundle CodeQL, FOSSA, Snyk as jobs in workflow Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago			`- name: Perform CodeQL Analysis`
Update GitHub actions Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 3 years ago			`uses: github/codeql-action/analyze@v2`