lookup file #42
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Mend | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths-ignore: | |
| - site/** | |
| - examples/** | |
| workflow_dispatch: | |
| inputs: | |
| branch: | |
| type: string | |
| required: true | |
| default: main | |
| workflow_call: | |
| inputs: | |
| product_name: | |
| type: string | |
| required: true | |
| project_name: | |
| required: true | |
| type: string | |
| concurrency: | |
| group: ${{ github.ref_name }}-mend | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| check-if-allowed: | |
| if: ${{ ( github.repository_owner == 'nginx' || github.repository_owner == 'nginxinc' ) }} | |
| runs-on: [ ubuntu-latest ] | |
| steps: | |
| - name: Check if we're in the allowed environment | |
| run: | | |
| org_found=0 | |
| event_found=0 | |
| ref_found=0 | |
| ALLOWED_ORGS="nginx nginxinc" | |
| ALLOWED_EVENTS="push" | |
| ALLOWED_REFS="refs/heads/main refs/heads/master refs/heads/stable-1.28" | |
| for org in $ALLOWED_ORGS; do | |
| if [ "$org" == "$GITHUB_REPOSITORY_OWNER" ]; then org_found=1; fi | |
| done | |
| for event in $ALLOWED_EVENTS; do | |
| if [ "$event" == "$GITHUB_EVENT_NAME" ]; then event_found=1; fi | |
| done | |
| for ref in $ALLOWED_REFS; do | |
| if [ "$ref" == "$GITHUB_REF" ]; then ref_found=1; fi | |
| done | |
| if [ $org_found$event_found$ref_found -ne 111 ]; then | |
| echo "Repository owner, event, or ref are not explicitely allowed to use this workflow: $GITHUB_REPOSITORY_OWNER, $GITHUB_EVENT_NAME, $GITHUB_REF" | |
| exit 1 | |
| fi | |
| exit 0 | |
| scan: | |
| name: Mend | |
| runs-on: ubuntu-22.04 | |
| needs: check-if-allowed | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| # with: | |
| # ref: ${{ inputs.branch && inputs.branch || github.ref }} | |
| - name: Download agent | |
| run: curl -fsSLJO https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar | |
| - name: Verify JAR | |
| run: jarsigner -verify wss-unified-agent.jar | |
| - name: Scan and upload | |
| env: | |
| WS_URL: "https://f5.whitesourcesoftware.com/agent" | |
| WS_APIKEY_NGINX: ${{ secrets.WS_APIKEY_NGINX }} | |
| PRODUCT_NAME: ${{ inputs.product_name}} | |
| PROJECT_NAME: ${{ inputs.project_name}} | |
| WS_CHECKPOLICIES: true | |
| WS_FORCECHECKALLDEPENDENCIES: true | |
| WS_GENERATESCANREPORT: true | |
| WS_FORCEUPDATE: true | |
| WS_FORCEUPDATE_FAILBUILDONPOLICYVIOLATION: true | |
| WS_USER_KEY: ${{ secrets.WS_USER_KEY }} | |
| run: | | |
| if [ -z "$WS_APIKEY_NGINX" ] || [ -z "$WS_USER_KEY" ]; then | |
| echo "Secret is empty" | |
| exit 1 | |
| fi | |
| if [ -z "$PRODUCT_NAME" ] || [ -z "$PROJECT_NAME" ]; then | |
| echo "Project Name is empty" | |
| exit 1 | |
| fi | |
| java -jar wss-unified-agent.jar -noConfig true -wss.url $WS_URL -apiKey $WS_APIKEY_NGINX -userKey $WS_USER_KEY -product $PRODUCT_NAME -project $PROJECT_NAME -d ./ | |
| exit_code=$? | |
| echo -e "\nEXIT CODE is: $exit_code\n" | |
| if (( exit_code == 254 )); then | |
| exit 254 | |
| else | |
| printf "\nMend scan completed successfully. Exiting with code = 0\n" | |
| exit 0 | |
| fi | |
| parse: | |
| name: Parse mend report | |
| needs: scan | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Check if report is generated | |
| shell: bash | |
| run: | | |
| file=$(find . -type f -regex ".*/${WS_PROJECT}.*scan_report\.json" | head -n 1) | |
| echo -e "\nFound Mend scan log file - $file\n" | |
| upload: | |
| name: Archive mend scan report | |
| needs: parse | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Prepare mend archive | |
| shell: bash | |
| run: | | |
| echo Archiving mend report | |
| - name: Upload mend archive | |
| shell: bash | |
| run: | | |
| echo Uploading mend archive to... |