Merge pull request #944 from fluxcd/build/codeql-on-push

4 years ago · b5f48bee78
parent 9fb9965ffe ff78af5808
commit b5f48bee78
9 changed files with 68 additions and 57 deletions
--- a/.github/workflows/bootstrap.yaml
+++ b/.github/workflows/bootstrap.yaml
@ -2,12 +2,14 @@ name: bootstrap

 on:
  push:
-    branches:
-      - '*'
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]

 jobs:
  github:
    runs-on: ubuntu-latest
+    if: ${{ github.repository_owner == 'fluxcd' }}
    steps:
      - name: Checkout
        uses: actions/checkout@v2
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@ -1,9 +1,8 @@
 name: Publish docs via GitHub Pages
+
 on:
  push:
-    branches:
-      - docs*
-      - main
+    branches: [ 'docs*', main ]

 jobs:
  build:
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@ -1,10 +1,10 @@
 name: e2e

 on:
-  pull_request:
  push:
-    branches:
-      - main
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]

 jobs:
  kind:
--- a/.github/workflows/rebase.yaml
+++ b/.github/workflows/rebase.yaml
@ -2,9 +2,9 @@ name: rebase

 on:
  pull_request:
-    types: [opened]
+    types: [ opened ]
  issue_comment:
-    types: [created]
+    types: [ created ]

 jobs:
  rebase:
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -2,8 +2,7 @@ name: release

 on:
  push:
-    tags:
-      - '*'
+    tags: [ '*' ]

 jobs:
  goreleaser:
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@ -0,0 +1,55 @@
+name: Scan
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '18 10 * * 3'
+
+jobs:
+  fossa:
+    name: FOSSA
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Run FOSSA scan and upload build data
+        uses: fossa-contrib/fossa-action@v1
+        with:
+          # FOSSA Push-Only API Token
+          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
+          github-token: ${{ github.token }}
+
+  snyk:
+    name: Snyk
+    runs-on: ubuntu-latest
+    if: ${{ github.repository_owner == 'fluxcd' }}
+    steps:
+      - uses: actions/checkout@v2
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/golang@master
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --sarif-file-output=snyk.sarif
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: snyk.sarif
+
+  codeql:
+    name: CodeQL
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v1
+        with:
+          languages: go
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v1
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v1
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@ -1,44 +0,0 @@
-name: scan
-on:
-  push:
-  pull_request:
-    branches: [main]
-
-jobs:
-  analyze:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
-        with:
-          go-version: 1.15.x
-      - name: FOSSA Analysis
-        if: github.event_name == 'pull_request'
-        uses: fossa-contrib/fossa-action@v1
-        with:
-          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
-          github-token: ${{ github.token }}
-      - name: CodeQL Init
-        if: github.event_name == 'pull_request'
-        uses: github/codeql-action/init@v1
-        with:
-          languages: "go"
-      - name: CodeQL Autobuild
-        if: github.event_name == 'pull_request'
-        uses: github/codeql-action/autobuild@v1
-      - name: CodeQL Analysis
-        if: github.event_name == 'pull_request'
-        uses: github/codeql-action/analyze@v1
-      - name: Snyk Init
-        if: github.event_name == 'push'
-        uses: snyk/actions/setup@master
-      - name: Snyk Analysis
-        if: github.event_name == 'push'
-        run: snyk test --sarif-file-output=snyk.sarif
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-      - name: Snyk Upload result to GitHub Code Scanning
-        if: github.event_name == 'push'
-        uses: github/codeql-action/upload-sarif@v1
-        with:
-          sarif_file: snyk.sarif
--- a/.github/workflows/update.yaml
+++ b/.github/workflows/update.yaml
--- a/docs/internal/release.md
+++ b/docs/internal/release.md
@ -130,7 +130,7 @@ Upgrade procedure:

 `fluxcd/flux2`:

-1. Update the `github.com/fluxcd/*-controller/api` version in `flux2/go.mod` (automated with [GitHub Actions](../../.github/workflows/update.yml))
+1. Update the `github.com/fluxcd/*-controller/api` version in `flux2/go.mod` (automated with [GitHub Actions](../../.github/workflows/update.yaml))
 1. Update the `github.com/fluxcd/pkg/*` version in `flux2/go.mod`
 1. Update the `k8s.io/*` and `github.com/fluxcd/pkg/runtime` version in `flux2/go.mod`