Updating GHES workflows

This commit is contained in:
GitHub Actions
2022-09-22 11:46:26 +00:00
parent 9038abce30
commit 7f1d660112
7 changed files with 222 additions and 0 deletions
+118
View File
@@ -0,0 +1,118 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow performs a static analysis of your Kotlin source code using
# Detekt.
#
# Scans are triggered:
# 1. On every push to default and protected branches
# 2. On every Pull Request targeting the default branch
# 3. On a weekly schedule
# 4. Manually, on demand, via the "workflow_dispatch" event
#
# The workflow should work with no modifications, but you might like to use a
# later version of the Detekt CLI by modifing the $DETEKT_RELEASE_TAG
# environment variable.
name: Scan with Detekt
on:
# Triggers the workflow on push or pull request events but only for default and protected branches
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
env:
# Release tag associated with version of Detekt to be installed
# SARIF support (required for this workflow) was introduced in Detekt v1.15.0
DETEKT_RELEASE_TAG: v1.15.0
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a single job called "scan"
scan:
name: Scan
# The type of runner that the job will run on
runs-on: ubuntu-latest
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v3
# Gets the download URL associated with the $DETEKT_RELEASE_TAG
- name: Get Detekt download URL
id: detekt_info
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh api graphql --field tagName=$DETEKT_RELEASE_TAG --raw-field query='
query getReleaseAssetDownloadUrl($tagName: String!) {
repository(name: "detekt", owner: "detekt") {
release(tagName: $tagName) {
releaseAssets(name: "detekt", first: 1) {
nodes {
downloadUrl
}
}
tagCommit {
oid
}
}
}
}
' 1> gh_response.json
DETEKT_RELEASE_SHA=$(jq --raw-output '.data.repository.release.releaseAssets.tagCommit.oid' gh_response.json)
if [ $DETEKT_RELEASE_SHA != "37f0a1d006977512f1f216506cd695039607c3e5" ]; then
echo "Release tag doesn't match expected commit SHA"
exit 1
fi
DETEKT_DOWNLOAD_URL=$(jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' gh_response.json)
echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL"
# Sets up the detekt cli
- name: Setup Detekt
run: |
dest=$( mktemp -d )
curl --request GET \
--url ${{ steps.detekt_info.outputs.download_url }} \
--silent \
--location \
--output $dest/detekt
chmod a+x $dest/detekt
echo $dest >> $GITHUB_PATH
# Performs static analysis using Detekt
- name: Run Detekt
continue-on-error: true
run: |
detekt --input ${{ github.workspace }} --report sarif:${{ github.workspace }}/detekt.sarif.json
# Modifies the SARIF output produced by Detekt so that absolute URIs are relative
# This is so we can easily map results onto their source files
# This can be removed once relative URI support lands in Detekt: https://git.io/JLBbA
- name: Make artifact location URIs relative
continue-on-error: true
run: |
echo "$(
jq \
--arg github_workspace ${{ github.workspace }} \
'. | ( .runs[].results[].locations[].physicalLocation.artifactLocation.uri |= if test($github_workspace) then .[($github_workspace | length | . + 1):] else . end )' \
${{ github.workspace }}/detekt.sarif.json
)" > ${{ github.workspace }}/detekt.sarif.json
# Uploads results to GitHub repository using the upload-sarif action
- uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: ${{ github.workspace }}/detekt.sarif.json
checkout_path: ${{ github.workspace }}
+50
View File
@@ -0,0 +1,50 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# ESLint is a tool for identifying and reporting on patterns
# found in ECMAScript/JavaScript code.
# More details at https://github.com/eslint/eslint
# and https://eslint.org
name: ESLint
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
eslint:
name: Run eslint scanning
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Install ESLint
run: |
npm install eslint@8.10.0
npm install @microsoft/eslint-formatter-sarif@2.1.7
- name: Run ESLint
run: npx eslint .
--config .eslintrc.js
--ext .js,.jsx,.ts,.tsx
--format @microsoft/eslint-formatter-sarif
--output-file eslint-results.sarif
continue-on-error: true
- name: Upload analysis results to GitHub
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: eslint-results.sarif
wait-for-processing: true
@@ -1,6 +1,7 @@
{
"name": "CodeQL Analysis",
"creator": "GitHub",
"enterprise": true,
"description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.",
"iconName": "octicon mark-github",
"categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"]
@@ -0,0 +1,8 @@
{
"name": "Detekt",
"creator": "Detekt",
"description": "Static code analysis for Kotlin",
"iconName": "detekt",
"categories": ["Code Scanning", "Kotlin"],
"enterprise": false
}
@@ -0,0 +1,12 @@
{
"name": "ESLint",
"description": "A tool for identifying and reporting the problems found in ECMAScript/JavaScript code.",
"iconName": "eslint",
"enterprise": false,
"categories": [
"Code Scanning",
"JavaScript",
"EcmaScript",
"TypeScript"
]
}
+32
View File
@@ -0,0 +1,32 @@
<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
viewBox="0 0 60 60" style="enable-background:new 0 0 60 60;" xml:space="preserve">
<g>
<linearGradient id="XMLID_3_" gradientUnits="userSpaceOnUse" x1="15.9594" y1="-13.0143" x2="44.3068" y2="15.3332" gradientTransform="matrix(1 0 0 -1 0 61)">
<stop offset="9.677000e-02" style="stop-color:#0095D5"/>
<stop offset="0.3007" style="stop-color:#238AD9"/>
<stop offset="0.6211" style="stop-color:#557BDE"/>
<stop offset="0.8643" style="stop-color:#7472E2"/>
<stop offset="1" style="stop-color:#806EE3"/>
</linearGradient>
<polygon id="XMLID_2_" style="fill:url(#XMLID_3_);" points="0,60 30.1,29.9 60,60 "/>
<linearGradient id="SVGID_1_" gradientUnits="userSpaceOnUse" x1="4.2092" y1="48.9409" x2="20.6734" y2="65.405" gradientTransform="matrix(1 0 0 -1 0 61)">
<stop offset="0.1183" style="stop-color:#0095D5"/>
<stop offset="0.4178" style="stop-color:#3C83DC"/>
<stop offset="0.6962" style="stop-color:#6D74E1"/>
<stop offset="0.8333" style="stop-color:#806EE3"/>
</linearGradient>
<polygon style="fill:url(#SVGID_1_);" points="0,0 30.1,0 0,32.5 "/>
<linearGradient id="SVGID_2_" gradientUnits="userSpaceOnUse" x1="-10.1017" y1="5.8362" x2="45.7315" y2="61.6694" gradientTransform="matrix(1 0 0 -1 0 61)">
<stop offset="0.1075" style="stop-color:#C757BC"/>
<stop offset="0.2138" style="stop-color:#D0609A"/>
<stop offset="0.4254" style="stop-color:#E1725C"/>
<stop offset="0.6048" style="stop-color:#EE7E2F"/>
<stop offset="0.743" style="stop-color:#F58613"/>
<stop offset="0.8232" style="stop-color:#F88909"/>
</linearGradient>
<polygon style="fill:url(#SVGID_2_);" points="30.1,0 0,31.7 0,60 30.1,29.9 60,0 "/>
</g>
</svg>

After

Width:  |  Height:  |  Size: 1.8 KiB

+1
View File
File diff suppressed because one or more lines are too long

After

Width:  |  Height:  |  Size: 80 KiB