Release engineering overhaul #2

Workflow file for this run

.github/workflows/security.yml at 38b251f

	name: Security

	on:
	workflow_call:
	push:
	branches: [master]
	pull_request:
	branches: [master]
	schedule:
	- cron: '0 6 * * 1'

	permissions:
	contents: read
	security-events: write

	jobs:
	secrets:
	name: Secret scanning
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0
	- name: Install gitleaks
	run: \|
	VERSION=$(curl -sL https://api.github.com/repos/gitleaks/gitleaks/releases/latest \| jq -r .tag_name)
	curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/${VERSION}/gitleaks_${VERSION#v}_linux_x64.tar.gz" \| tar -xz
	sudo mv gitleaks /usr/local/bin/
	- name: Run gitleaks
	run: gitleaks detect --source . --verbose --config .gitleaks.toml

	trivy:
	name: Trivy vulnerability scan
	runs-on: ubuntu-latest
	if: github.event_name != 'pull_request'
	steps:
	- uses: actions/checkout@v4
	- uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # v0.34.2
	with:
	scan-type: fs
	format: sarif
	output: trivy-results.sarif
	- uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: trivy-results.sarif
	category: trivy

	gosec:
	name: Go security analysis
	runs-on: ubuntu-latest
	if: github.event_name != 'pull_request'
	steps:
	- uses: actions/checkout@v4
	- uses: securego/gosec@bb17e422fc34bf4c0a2e5cab9d07dc45a68c040c # v2.24.7
	with:
	args: -fmt sarif -out gosec-results.sarif ./...
	- uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: gosec-results.sarif
	category: gosec

	dependency-review:
	name: Dependency review
	runs-on: ubuntu-latest
	if: github.event_name == 'pull_request'
	steps:
	- uses: actions/checkout@v4
	- uses: actions/dependency-review-action@v4

	codeql:
	name: CodeQL analysis
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- uses: actions/setup-go@v5
	with:
	go-version-file: go.mod
	- uses: github/codeql-action/init@v3
	with:
	languages: go
	config-file: .github/codeql/codeql-config.yml
	- uses: github/codeql-action/autobuild@v3
	- uses: github/codeql-action/analyze@v3

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Release engineering overhaul #2

Workflow file

Release engineering overhaul #2

Uh oh!

Workflow file for this run