-
Notifications
You must be signed in to change notification settings - Fork 0
144 lines (124 loc) · 4.41 KB
/
automated-pr-validator.yml
File metadata and controls
144 lines (124 loc) · 4.41 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
name: "Z-AUTOMATED: PR Validator"
on:
pull_request:
types: [opened, synchronize, reopened, edited]
permissions: {}
jobs:
sbom_scan:
name: SBOM Repo Scan
runs-on: ubuntu-latest
permissions:
actions: read # Required for anchore/sbom-action
contents: write # Required for anchore/sbom-action
id-token: write # Required for requesting the JWT
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
- uses: anchore/sbom-action@v0
with:
path: "."
format: cyclonedx-json
output-file: sbom-repo-${{ github.event.repository.name }}-${{ github.sha }}.cdx.json
- uses: anchore/scan-action@v7
id: sbom-scan
with:
sbom: sbom-repo-${{ github.event.repository.name }}-${{ github.sha }}.cdx.json
fail-build: true
severity-cutoff: low
only-fixed: true
output-format: sarif
- name: Upload Anchore scan SARIF report
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: ${{ steps.sbom-scan.outputs.sarif }}
- name: Add/Update SBOM failure comment
uses: actions/github-script@v8
if: always() && failure()
with:
script: |
// 1. Retrieve existing bot comments for the PR
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
})
const botComment = comments.find(comment => {
return comment.user.type === 'Bot' && comment.body.includes('Code security issues found')
})
// 2. Prepare format of the comment
const output = `### Code security issues found
View full details [here](https://github.com/${{ github.repository }}/security/code-scanning?query=is%3Aopen+pr%3A${{ github.event.pull_request.number }}).`;
// 3. If we have a comment, update it, otherwise create a new one
if (botComment) {
github.rest.issues.deleteComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: botComment.id,
body: output
})
}
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
- name: Delete SBOM failure comment
uses: actions/github-script@v8
if: always() && success()
with:
script: |
// 1. Retrieve existing bot comments for the PR
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
})
const botComment = comments.find(comment => {
return comment.user.type === 'Bot' && comment.body.includes('Code security issues found')
})
// 2. If we have a comment, update it, otherwise create a new one
if (botComment) {
github.rest.issues.deleteComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: botComment.id
})
}
markdown-validation:
name: Markdown Validation
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Run Markdown Validation Script
id: validate
run: |
BRANCH_NAME=${{ github.event.repository.default_branch }}
chmod +x scripts/markdown-validator.sh
scripts/markdown-validator.sh
checklist_validator:
name: Checklist Validation
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@v6
- name: Set up Python 3.11
uses: actions/setup-python@v6
with:
python-version: 3.11
- name: Run checklist validator
run: |
python3 scripts/github/checklist_validator/main.py
env:
PR_BODY: ${{ github.event.pull_request.body }}