chore(action): bump gosec to 2.25.0 #4
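# Integration test for the gosec GitHub Action: run the action from this
# checkout against gosec's own source, check that the SARIF it produces is
# well-formed, and (when the run holds a write-capable token) confirm that
# Code Scanning actually ingested the upload.
name: Action Integration

on:
  pull_request:
    branches:
      - master
    paths:
      - action.yml
  workflow_dispatch:

# Least privilege: read the checkout, write Code Scanning alerts, nothing else.
permissions:
  contents: read
  security-events: write

jobs:
  validate-action:
    runs-on: ubuntu-latest
    env:
      # Single source of truth for the output path; every later step reads it
      # from here rather than repeating the literal.
      SARIF_FILE: results.sarif
      SARIF_CATEGORY: action-integration-action-yml
    steps:
      # NOTE(review): all `uses:` references below are major-version tags;
      # pinning each one to a full commit SHA is the usual hardening against a
      # tag being moved.
      - name: Checkout Source
        uses: actions/checkout@v6

      # `./` runs the action defined by this repository's own action.yml.
      # -no-fail keeps the job green regardless of findings (the action run
      # itself is what is under test); -nosec makes gosec ignore #nosec
      # suppression comments; -out must name the same file as SARIF_FILE.
      - name: Run action against gosec source
        uses: ./
        with:
          args: -no-fail -nosec -fmt sarif -out results.sarif -exclude-generated ./...

      - name: Validate SARIF output exists and is valid JSON
        run: |
          set -euo pipefail
          # -s: the file must exist and be non-empty.
          test -s "${SARIF_FILE}"
          # Parse the same path the shell check used instead of hard-coding
          # it, so a change to SARIF_FILE cannot silently desynchronise the two.
          python3 - <<'PY'
          import json
          import os
          with open(os.environ["SARIF_FILE"], "r", encoding="utf-8") as f:
              json.load(f)
          PY

      - name: Upload SARIF artifact
        uses: actions/upload-artifact@v7
        with:
          name: action-integration-sarif
          path: ${{ env.SARIF_FILE }}

      # Skipped for pull requests coming from forks: those runs do not get the
      # security-events: write permission requested above, so the upload would
      # be rejected. Same-repository PRs and manual dispatches go ahead.
      - name: Upload SARIF to Code Scanning
        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: ${{ env.SARIF_FILE }}
          category: ${{ env.SARIF_CATEGORY }}

      # Same guard as the upload step: there is nothing to verify if nothing
      # was uploaded.
      - name: Verify Code Scanning processed SARIF
        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
        uses: actions/github-script@v8
        env:
          TOOL_NAME: gosec
        with:
          script: |
            // Code Scanning ingests uploads asynchronously, so poll the
            // analyses API until an analysis for this exact commit and
            // category appears, then fail the job if none shows up within the
            // retry budget or if the analysis was recorded with an error.
            const owner = context.repo.owner;
            const repo = context.repo.repo;
            const ref = context.sha;
            const toolName = process.env.TOOL_NAME;
            const category = process.env.SARIF_CATEGORY;
            const maxAttempts = 30;
            const retryDelayMs = 10000; // 30 x 10s: up to 5 minutes of waiting
            let matchedAnalysis = null;
            for (let attempt = 1; attempt <= maxAttempts; attempt++) {
              // NOTE(review): the API's `ref` parameter is documented as a git
              // ref (a branch name or refs/pull/N/merge); a commit SHA is
              // passed here, and the result is filtered on commit_sha below
              // anyway — confirm this is the intended value.
              const response = await github.request("GET /repos/{owner}/{repo}/code-scanning/analyses", {
                owner,
                repo,
                ref,
                tool_name: toolName,
                per_page: 100, // only the first page is inspected
              });
              // The list may contain analyses for other categories or older
              // commits of the same ref; match on both to avoid a false pass.
              matchedAnalysis = (response.data || []).find(
                (analysis) => analysis.commit_sha === ref && analysis.category === category,
              );
              if (matchedAnalysis) {
                break;
              }
              core.info(`Attempt ${attempt}/${maxAttempts}: analysis not found yet, waiting 10s...`);
              await new Promise((resolve) => setTimeout(resolve, retryDelayMs));
            }
            if (!matchedAnalysis) {
              core.setFailed(`No processed Code Scanning analysis found for commit ${ref} and category ${category}.`);
              return;
            }
            // An analysis record can exist yet carry an ingestion error; treat
            // that as a failure of the upload, not a success.
            if (matchedAnalysis.error) {
              core.setFailed(`Code Scanning analysis reported an error: ${JSON.stringify(matchedAnalysis.error)}`);
              return;
            }
            core.info(`Code Scanning processed analysis ${matchedAnalysis.id} successfully.`);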