-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathaction.yml
More file actions
115 lines (108 loc) · 3.45 KB
/
Copy pathaction.yml
File metadata and controls
115 lines (108 loc) · 3.45 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
name: Devr Codeguard
description: Run Devr CodeGuard repository policy checks for AI generated and human code
branding:
icon: shield
color: gray-dark
inputs:
config:
description: Path to the Devr CodeGuard config file
required: false
default: codeguard.yaml
profile:
description: Optional policy profile override
required: false
default: ""
mode:
description: Scan mode
required: false
default: full
base-ref:
description: Base ref to diff against when mode is diff
required: false
default: main
format:
description: Output format
required: false
default: github
comment-fix-mode:
description: PR comment mode. Use sticky to create or update a fix-oriented PR comment.
required: false
default: "off"
comment-tag:
description: Sticky marker used to update an existing CodeGuard PR comment.
required: false
default: codeguard-action-comment
version:
description: Devr CodeGuard version to install
required: false
default: latest
runs:
using: composite
steps:
- name: Set up Go
uses: actions/setup-go@v6
with:
go-version: "1.23"
- name: Install Devr CodeGuard
shell: bash
run: go install github.com/devr-tools/codeguard/cmd/codeguard@${{ inputs.version }}
- name: Run Devr CodeGuard
id: scan
shell: bash
run: |
set +e
if [ -n "${{ inputs.profile }}" ]; then
codeguard scan \
-config "${{ inputs.config }}" \
-mode "${{ inputs.mode }}" \
-base-ref "${{ inputs.base-ref }}" \
-format "${{ inputs.format }}" \
-profile "${{ inputs.profile }}"
status=$?
else
codeguard scan \
-config "${{ inputs.config }}" \
-mode "${{ inputs.mode }}" \
-base-ref "${{ inputs.base-ref }}" \
-format "${{ inputs.format }}"
status=$?
fi
echo "exit_code=$status" >> "$GITHUB_OUTPUT"
exit 0
- name: Post Devr CodeGuard fix comment
if: ${{ inputs.comment-fix-mode != 'off' && (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') }}
shell: bash
working-directory: ${{ github.action_path }}
env:
GITHUB_TOKEN: ${{ github.token }}
run: |
report_file="$(mktemp)"
set +e
if [ -n "${{ inputs.profile }}" ]; then
codeguard scan \
-config "${{ inputs.config }}" \
-mode "${{ inputs.mode }}" \
-base-ref "${{ inputs.base-ref }}" \
-format github-comment \
-profile "${{ inputs.profile }}" > "$report_file"
else
codeguard scan \
-config "${{ inputs.config }}" \
-mode "${{ inputs.mode }}" \
-base-ref "${{ inputs.base-ref }}" \
-format github-comment > "$report_file"
fi
set -e
if [ ! -s "$report_file" ]; then
echo "CodeGuard comment report was empty; skipping comment publish."
exit 0
fi
go run ./cmd/codeguard-action-comment \
-body-file "$report_file" \
-repository "${{ github.repository }}" \
-marker "${{ inputs.comment-tag }}" \
-mode "${{ inputs.comment-fix-mode }}"
- name: Fail workflow on Devr CodeGuard findings
if: ${{ steps.scan.outputs.exit_code != '0' }}
shell: bash
run: exit "${{ steps.scan.outputs.exit_code }}"