flux2/.github/workflows/scan.yaml

name: scan

on:
  workflow_dispatch:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '18 10 * * 3'

permissions:
  contents: read

jobs:
  scan-fossa:
    runs-on: ubuntu-latest
    if: github.actor != 'dependabot[bot]'
    steps:
      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
      - name: Run FOSSA scan and upload build data
        uses: fossa-contrib/fossa-action@6728dc6fe9a068c648d080c33829ffbe56565023 # v2.0.0
        with:
          # FOSSA Push-Only API Token
          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
          github-token: ${{ github.token }}

  scan-snyk:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
      - name: Setup Kustomize
        uses: fluxcd/pkg/actions/kustomize@main
      - name: Setup Go
        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: 1.20.x
      - name: Download modules and build manifests
        run: |
          make tidy
          make cmd/flux/.manifests.done
      - uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
      - name:  Run Snyk to check for vulnerabilities
        continue-on-error: true
        run: |
          snyk test --sarif-file-output=snyk.sarif
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7
        with:
          sarif_file: snyk.sarif

  scan-codeql:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    if: github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout repository
        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
      - name: Set up Go
        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: 1.20.x
      - name: Initialize CodeQL
        uses: github/codeql-action/init@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7
        with:
          languages: go
      - name: Autobuild
        uses: github/codeql-action/autobuild@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7
Update GitHub actions Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 3 years ago			`name: scan`
Bundle CodeQL, FOSSA, Snyk as jobs in workflow Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago
			`on:`
ci: Refactor GitHub workflows Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 2 years ago			`workflow_dispatch:`
Bundle CodeQL, FOSSA, Snyk as jobs in workflow Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago			`push:`
			`branches: [ main ]`
			`pull_request:`
			`branches: [ main ]`
			`schedule:`
			`- cron: '18 10 * * 3'`

Update GitHub actions Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 3 years ago			`permissions:`
ci: Refactor GitHub workflows Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 2 years ago			`contents: read`
Update GitHub actions Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 3 years ago
Bundle CodeQL, FOSSA, Snyk as jobs in workflow Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago			`jobs:`
ci: Refactor GitHub workflows Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 2 years ago			`scan-fossa:`
Bundle CodeQL, FOSSA, Snyk as jobs in workflow Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago			`runs-on: ubuntu-latest`
Only run e2e tests for Dependabot PRs Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 2 years ago			`if: github.actor != 'dependabot[bot]'`
Bundle CodeQL, FOSSA, Snyk as jobs in workflow Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago			`steps:`
build(deps): bump actions/checkout from 3.3.0 to 3.4.0 Bumps [actions/checkout](https://github.com/actions/checkout) from 3.3.0 to 3.4.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/ac593985615ec2ede58e132d2e21d2b1cbd6127c...24cb9080177205b6e8c946b17badbe402adc938f) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 2 years ago			`- uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0`
Bundle CodeQL, FOSSA, Snyk as jobs in workflow Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago			`- name: Run FOSSA scan and upload build data`
build: update scan workflow To include a (full) version number behind the actions with a SHA reference, so Dependabot will continue to update them from now on. Except for the `snyk/actions`, which follows `main`. Signed-off-by: Hidde Beydals <hidde@hhh.computer> 2 years ago			`uses: fossa-contrib/fossa-action@6728dc6fe9a068c648d080c33829ffbe56565023 # v2.0.0`
Bundle CodeQL, FOSSA, Snyk as jobs in workflow Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago			`with:`
			`# FOSSA Push-Only API Token`
			`fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de`
			`github-token: ${{ github.token }}`

ci: Refactor GitHub workflows Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 2 years ago			`scan-snyk:`
Bundle CodeQL, FOSSA, Snyk as jobs in workflow Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago			`runs-on: ubuntu-latest`
ci: Refactor GitHub workflows Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 2 years ago			`permissions:`
			`security-events: write`
Only run e2e tests for Dependabot PRs Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 2 years ago			`if: (github.event_name != 'pull_request' \|\| github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'`
Bundle CodeQL, FOSSA, Snyk as jobs in workflow Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago			`steps:`
build(deps): bump actions/checkout from 3.3.0 to 3.4.0 Bumps [actions/checkout](https://github.com/actions/checkout) from 3.3.0 to 3.4.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/ac593985615ec2ede58e132d2e21d2b1cbd6127c...24cb9080177205b6e8c946b17badbe402adc938f) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 2 years ago			`- uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0`
Embed the install manifests in flux binary - add make target for generating the install manifests using kustomize - embed the generated manifests in flux binary - the install and bootstrap commands default to using the embedded manifests - download the install manifests from GitHub only if the install/bootstrap version arg is set Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 4 years ago			`- name: Setup Kustomize`
build: update scan workflow To include a (full) version number behind the actions with a SHA reference, so Dependabot will continue to update them from now on. Except for the `snyk/actions`, which follows `main`. Signed-off-by: Hidde Beydals <hidde@hhh.computer> 2 years ago			`uses: fluxcd/pkg/actions/kustomize@main`
ci: Fix Snyk Go build VCS stamping error Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 2 years ago			`- name: Setup Go`
build: update scan workflow To include a (full) version number behind the actions with a SHA reference, so Dependabot will continue to update them from now on. Except for the `snyk/actions`, which follows `main`. Signed-off-by: Hidde Beydals <hidde@hhh.computer> 2 years ago			`uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0`
ci: Fix Snyk Go build VCS stamping error Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 2 years ago			`with:`
Update Go to 1.20 Signed-off-by: Hidde Beydals <hidde@hhh.computer> 2 years ago			`go-version: 1.20.x`
ci: Fix Snyk Go build VCS stamping error Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 2 years ago			`- name: Download modules and build manifests`
Embed the install manifests in flux binary - add make target for generating the install manifests using kustomize - embed the generated manifests in flux binary - the install and bootstrap commands default to using the embedded manifests - download the install manifests from GitHub only if the install/bootstrap version arg is set Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 4 years ago			`run: \|`
ci: Fix Snyk Go build VCS stamping error Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 2 years ago			`make tidy`
Use a file to record successful manifests build Using the directory cmd/flux/manifests as a prerequisite causes a problem: if the script that creates the files within fails, the next invocation of make will see the directory and assume it succeeded. Since the executable expects certain files to be present, but they are not explicit prerequisites of the recipe for building the binary, this results in a successful build but a broken `flux` executable. Instead, depend on a file that's explicitly updated when the script has succeeded, and which itself depends on the inputs. A couple of the CI workflows run make cmd/flux/manifests before doing other things, presumably as a way to avoid running the whole test suite in a CI pipeline for some purpose other than testing, so these needed changing as well. Signed-off-by: Michael Bridgen <michael@weave.works> 3 years ago			`make cmd/flux/.manifests.done`
ci: Fix Snyk Go build VCS stamping error Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 2 years ago			`- uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb`
			`- name: Run Snyk to check for vulnerabilities`
Bundle CodeQL, FOSSA, Snyk as jobs in workflow Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago			`continue-on-error: true`
ci: Fix Snyk Go build VCS stamping error Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 2 years ago			`run: \|`
			`snyk test --sarif-file-output=snyk.sarif`
Bundle CodeQL, FOSSA, Snyk as jobs in workflow Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago			`env:`
			`SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}`
			`- name: Upload result to GitHub Code Scanning`
build(deps): bump github/codeql-action from 2.2.6 to 2.2.7 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.6 to 2.2.7. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/16964e90ba004cdf0cd845b866b5df21038b7723...168b99b3c22180941ae7dbdd5f5c9678ede476ba) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 2 years ago			`uses: github/codeql-action/upload-sarif@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7`
Bundle CodeQL, FOSSA, Snyk as jobs in workflow Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago			`with:`
			`sarif_file: snyk.sarif`

ci: Refactor GitHub workflows Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 2 years ago			`scan-codeql:`
Bundle CodeQL, FOSSA, Snyk as jobs in workflow Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago			`runs-on: ubuntu-latest`
Additional workflow permissions tweaks Signed-off-by: Eddie Knight <knight@linux.com> 2 years ago			`permissions:`
ci: Refactor GitHub workflows Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 2 years ago			`security-events: write`
Only run e2e tests for Dependabot PRs Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com> 2 years ago			`if: github.actor != 'dependabot[bot]'`
Bundle CodeQL, FOSSA, Snyk as jobs in workflow Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago			`steps:`
			`- name: Checkout repository`
build(deps): bump actions/checkout from 3.3.0 to 3.4.0 Bumps [actions/checkout](https://github.com/actions/checkout) from 3.3.0 to 3.4.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/ac593985615ec2ede58e132d2e21d2b1cbd6127c...24cb9080177205b6e8c946b17badbe402adc938f) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 2 years ago			`uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0`
Setup CodeQL CI job with Go 1.18 Signed-off-by: Adrien Fillon <adrien.fillon@manomano.com> 2 years ago			`- name: Set up Go`
build: update scan workflow To include a (full) version number behind the actions with a SHA reference, so Dependabot will continue to update them from now on. Except for the `snyk/actions`, which follows `main`. Signed-off-by: Hidde Beydals <hidde@hhh.computer> 2 years ago			`uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0`
Setup CodeQL CI job with Go 1.18 Signed-off-by: Adrien Fillon <adrien.fillon@manomano.com> 2 years ago			`with:`
Update Go to 1.20 Signed-off-by: Hidde Beydals <hidde@hhh.computer> 2 years ago			`go-version: 1.20.x`
Bundle CodeQL, FOSSA, Snyk as jobs in workflow Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago			`- name: Initialize CodeQL`
build(deps): bump github/codeql-action from 2.2.6 to 2.2.7 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.6 to 2.2.7. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/16964e90ba004cdf0cd845b866b5df21038b7723...168b99b3c22180941ae7dbdd5f5c9678ede476ba) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 2 years ago			`uses: github/codeql-action/init@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7`
Bundle CodeQL, FOSSA, Snyk as jobs in workflow Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago			`with:`
			`languages: go`
			`- name: Autobuild`
build(deps): bump github/codeql-action from 2.2.6 to 2.2.7 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.6 to 2.2.7. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/16964e90ba004cdf0cd845b866b5df21038b7723...168b99b3c22180941ae7dbdd5f5c9678ede476ba) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 2 years ago			`uses: github/codeql-action/autobuild@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7`
Bundle CodeQL, FOSSA, Snyk as jobs in workflow Signed-off-by: Hidde Beydals <hello@hidde.co> 4 years ago			`- name: Perform CodeQL Analysis`
build(deps): bump github/codeql-action from 2.2.6 to 2.2.7 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.6 to 2.2.7. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/16964e90ba004cdf0cd845b866b5df21038b7723...168b99b3c22180941ae7dbdd5f5c9678ede476ba) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 2 years ago			`uses: github/codeql-action/analyze@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7`