Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
92 changes: 91 additions & 1 deletion .github/workflows/workflow.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,8 +41,85 @@ env:
IMAGE_NAME: ${{ github.repository }}

jobs:
gitleaks:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Run the secret scan on every file change

Because this new Gitleaks job is inside the existing push/pull_request paths allowlist, it only runs when the changed files match that list. A PR that adds a credential to an unlisted file such as README.md, .env, or another documentation/config file will not start this job at all, so the secret can merge before any scan sees it. Move the secret scan to an unfiltered workflow or remove/expand the path filters for this job.

Useful? React with 👍 / 👎.

runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read

steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0

- name: Scan repository for secrets
uses: gitleaks/gitleaks-action@dcedce43c6f43de0b836d1fe38946645c9c638dc # v2

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Pass GITHUB_TOKEN into gitleaks on PRs

On pull_request runs, gitleaks-action v2's ScanPullRequest path exits when process.env.GITHUB_TOKEN is absent; its upstream usage example explicitly passes env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}. This job only grants token permissions, which does not create that environment variable, so every PR run will fail in the first gate before scanning or reaching later jobs. Add the env mapping (with the existing read permissions) or switch to a scan invocation that does not need the PR API.

Useful? React with 👍 / 👎.

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added the required token mapping. Gitleaks now passes on pull requests.

env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

hadolint:
runs-on: ubuntu-latest
needs: [gitleaks]
strategy:
matrix:
dockerfile: [Dockerfile, Dockerfile.migration]

steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Lint ${{ matrix.dockerfile }}
uses: hadolint/hadolint-action@3fc49fb50d59c6ab7917a2e4195dba633e515b29 # v3.2.0
with:
dockerfile: ${{ matrix.dockerfile }}
failure-threshold: warning

actionlint:
runs-on: ubuntu-latest
needs: [hadolint]

steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Lint GitHub Actions workflows
uses: raven-actions/actionlint@3d39aea434753780c3b3d4a1a31c854b4dbf49d7 # v2

dependency-audit:
runs-on: ubuntu-latest
needs: [hadolint]
strategy:
fail-fast: false
matrix:
include:
- project: application
working-directory: .
- project: scenario-tests
working-directory: scenario-tests

steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2
with:
version: "0.11.28"

- name: Audit ${{ matrix.project }} dependencies
working-directory: ${{ matrix.working-directory }}
run: uv audit --locked

dependency-review:
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
needs: [hadolint]
permissions:
contents: read

steps:
- name: Review dependency changes
uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0

ruff:
runs-on: ubuntu-latest
needs: [hadolint]

steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
Expand All @@ -57,6 +134,7 @@ jobs:

ty:
runs-on: ubuntu-latest
needs: [hadolint]

steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
Expand All @@ -71,6 +149,7 @@ jobs:

import-linter:
runs-on: ubuntu-latest
needs: [hadolint]

steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
Expand All @@ -85,6 +164,7 @@ jobs:

test:
runs-on: ubuntu-latest
needs: [hadolint]
strategy:
fail-fast: false
matrix:
Expand Down Expand Up @@ -112,7 +192,7 @@ jobs:

build:
runs-on: ubuntu-latest
needs: [ruff, ty, import-linter, test]
needs: [actionlint, dependency-audit, ruff, ty, import-linter, test]
permissions:
contents: read
strategy:
Expand Down Expand Up @@ -142,6 +222,16 @@ jobs:
tags: ${{ matrix.tag }}
cache-from: type=gha
cache-to: type=gha,mode=max
load: true

- name: Scan ${{ matrix.image-name }} image
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
image-ref: ${{ matrix.tag }}
format: table
exit-code: "1"
ignore-unfixed: true
severity: HIGH,CRITICAL

e2e:
name: Scenario tests
Expand Down
Loading