Updating GHES workflows
This commit is contained in:
@@ -0,0 +1,118 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow performs a static analysis of your Kotlin source code using
|
||||
# Detekt.
|
||||
#
|
||||
# Scans are triggered:
|
||||
# 1. On every push to default and protected branches
|
||||
# 2. On every Pull Request targeting the default branch
|
||||
# 3. On a weekly schedule
|
||||
# 4. Manually, on demand, via the "workflow_dispatch" event
|
||||
#
|
||||
# The workflow should work with no modifications, but you might like to use a
|
||||
# later version of the Detekt CLI by modifing the $DETEKT_RELEASE_TAG
|
||||
# environment variable.
|
||||
name: Scan with Detekt
|
||||
|
||||
on:
|
||||
# Triggers the workflow on push or pull request events but only for default and protected branches
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
# Allows you to run this workflow manually from the Actions tab
|
||||
workflow_dispatch:
|
||||
|
||||
env:
|
||||
# Release tag associated with version of Detekt to be installed
|
||||
# SARIF support (required for this workflow) was introduced in Detekt v1.15.0
|
||||
DETEKT_RELEASE_TAG: v1.15.0
|
||||
|
||||
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
|
||||
jobs:
|
||||
# This workflow contains a single job called "scan"
|
||||
scan:
|
||||
name: Scan
|
||||
# The type of runner that the job will run on
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
# Steps represent a sequence of tasks that will be executed as part of the job
|
||||
steps:
|
||||
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
# Gets the download URL associated with the $DETEKT_RELEASE_TAG
|
||||
- name: Get Detekt download URL
|
||||
id: detekt_info
|
||||
env:
|
||||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
run: |
|
||||
gh api graphql --field tagName=$DETEKT_RELEASE_TAG --raw-field query='
|
||||
query getReleaseAssetDownloadUrl($tagName: String!) {
|
||||
repository(name: "detekt", owner: "detekt") {
|
||||
release(tagName: $tagName) {
|
||||
releaseAssets(name: "detekt", first: 1) {
|
||||
nodes {
|
||||
downloadUrl
|
||||
}
|
||||
}
|
||||
tagCommit {
|
||||
oid
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
' 1> gh_response.json
|
||||
|
||||
DETEKT_RELEASE_SHA=$(jq --raw-output '.data.repository.release.releaseAssets.tagCommit.oid' gh_response.json)
|
||||
if [ $DETEKT_RELEASE_SHA != "37f0a1d006977512f1f216506cd695039607c3e5" ]; then
|
||||
echo "Release tag doesn't match expected commit SHA"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
DETEKT_DOWNLOAD_URL=$(jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' gh_response.json)
|
||||
echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL"
|
||||
|
||||
# Sets up the detekt cli
|
||||
- name: Setup Detekt
|
||||
run: |
|
||||
dest=$( mktemp -d )
|
||||
curl --request GET \
|
||||
--url ${{ steps.detekt_info.outputs.download_url }} \
|
||||
--silent \
|
||||
--location \
|
||||
--output $dest/detekt
|
||||
chmod a+x $dest/detekt
|
||||
echo $dest >> $GITHUB_PATH
|
||||
|
||||
# Performs static analysis using Detekt
|
||||
- name: Run Detekt
|
||||
continue-on-error: true
|
||||
run: |
|
||||
detekt --input ${{ github.workspace }} --report sarif:${{ github.workspace }}/detekt.sarif.json
|
||||
|
||||
# Modifies the SARIF output produced by Detekt so that absolute URIs are relative
|
||||
# This is so we can easily map results onto their source files
|
||||
# This can be removed once relative URI support lands in Detekt: https://git.io/JLBbA
|
||||
- name: Make artifact location URIs relative
|
||||
continue-on-error: true
|
||||
run: |
|
||||
echo "$(
|
||||
jq \
|
||||
--arg github_workspace ${{ github.workspace }} \
|
||||
'. | ( .runs[].results[].locations[].physicalLocation.artifactLocation.uri |= if test($github_workspace) then .[($github_workspace | length | . + 1):] else . end )' \
|
||||
${{ github.workspace }}/detekt.sarif.json
|
||||
)" > ${{ github.workspace }}/detekt.sarif.json
|
||||
|
||||
# Uploads results to GitHub repository using the upload-sarif action
|
||||
- uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
# Path to SARIF file relative to the root of the repository
|
||||
sarif_file: ${{ github.workspace }}/detekt.sarif.json
|
||||
checkout_path: ${{ github.workspace }}
|
||||
@@ -0,0 +1,50 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
# ESLint is a tool for identifying and reporting on patterns
|
||||
# found in ECMAScript/JavaScript code.
|
||||
# More details at https://github.com/eslint/eslint
|
||||
# and https://eslint.org
|
||||
|
||||
name: ESLint
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
eslint:
|
||||
name: Run eslint scanning
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
security-events: write
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Install ESLint
|
||||
run: |
|
||||
npm install eslint@8.10.0
|
||||
npm install @microsoft/eslint-formatter-sarif@2.1.7
|
||||
|
||||
- name: Run ESLint
|
||||
run: npx eslint .
|
||||
--config .eslintrc.js
|
||||
--ext .js,.jsx,.ts,.tsx
|
||||
--format @microsoft/eslint-formatter-sarif
|
||||
--output-file eslint-results.sarif
|
||||
continue-on-error: true
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: eslint-results.sarif
|
||||
wait-for-processing: true
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"name": "CodeQL Analysis",
|
||||
"creator": "GitHub",
|
||||
"enterprise": true,
|
||||
"description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.",
|
||||
"iconName": "octicon mark-github",
|
||||
"categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"]
|
||||
|
||||
@@ -0,0 +1,8 @@
|
||||
{
|
||||
"name": "Detekt",
|
||||
"creator": "Detekt",
|
||||
"description": "Static code analysis for Kotlin",
|
||||
"iconName": "detekt",
|
||||
"categories": ["Code Scanning", "Kotlin"],
|
||||
"enterprise": false
|
||||
}
|
||||
@@ -0,0 +1,12 @@
|
||||
{
|
||||
"name": "ESLint",
|
||||
"description": "A tool for identifying and reporting the problems found in ECMAScript/JavaScript code.",
|
||||
"iconName": "eslint",
|
||||
"enterprise": false,
|
||||
"categories": [
|
||||
"Code Scanning",
|
||||
"JavaScript",
|
||||
"EcmaScript",
|
||||
"TypeScript"
|
||||
]
|
||||
}
|
||||
Reference in New Issue
Block a user