Changes related to compliance scan for Mend #73
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Mend | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths-ignore: | |
| - site/** | |
| - examples/** | |
| workflow_dispatch: | |
| inputs: | |
| branch: | |
| type: string | |
| required: true | |
| default: main | |
| workflow_call: | |
| secrets: | |
| WS_APIKEY_NGINX: | |
| required: true | |
| WS_USER_KEY: | |
| required: true | |
| inputs: | |
| product_name: | |
| type: string | |
| required: true | |
| project_name: | |
| required: true | |
| type: string | |
| concurrency: | |
| group: ${{ github.ref_name }}-mend | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| # check-if-allowed: | |
| # name: Verify Environment | |
| # if: ${{ ( github.repository_owner == 'nginx' || github.repository_owner == 'nginxinc' ) }} | |
| # runs-on: [ ubuntu-latest ] | |
| # steps: | |
| # - name: Check if we're in the allowed environment | |
| # run: | | |
| # org_found=0 | |
| # event_found=0 | |
| # ref_found=0 | |
| # ALLOWED_ORGS="nginx nginxinc" | |
| # ALLOWED_EVENTS="push workflow_dispatch" | |
| # ALLOWED_REFS="refs/heads/main refs/heads/master refs/heads/stable-1.28" | |
| # for org in $ALLOWED_ORGS; do | |
| # if [ "$org" == "$GITHUB_REPOSITORY_OWNER" ]; then org_found=1; fi | |
| # done | |
| # for event in $ALLOWED_EVENTS; do | |
| # if [ "$event" == "$GITHUB_EVENT_NAME" ]; then event_found=1; fi | |
| # done | |
| # for ref in $ALLOWED_REFS; do | |
| # if [ "$ref" == "$GITHUB_REF" ]; then ref_found=1; fi | |
| # done | |
| # if [ $org_found$event_found$ref_found -ne 111 ]; then | |
| # echo "Repository owner, event, or ref are not explicitely allowed to use this workflow: $GITHUB_REPOSITORY_OWNER, $GITHUB_EVENT_NAME, $GITHUB_REF" | |
| # exit 1 | |
| # fi | |
| # exit 0 | |
| scan: | |
| name: Mend | |
| runs-on: ubuntu-22.04 | |
| #needs: check-if-allowed | |
| outputs: | |
| mend-report-file: ${{ steps.report.outputs.mend-report-file }} | |
| mend-scan-result: ${{ steps.scan.outputs.mend-scan-result }} | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| ref: ${{ inputs.branch && inputs.branch || github.ref }} | |
| - name: Download agent | |
| run: curl -fsSLJO https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar | |
| - name: Verify JAR | |
| run: jarsigner -verify wss-unified-agent.jar | |
| - name: Scan and upload | |
| id: scan | |
| continue-on-error: true | |
| env: | |
| WS_URL: "https://f5.whitesourcesoftware.com/agent" | |
| WS_APIKEY_NGINX: ${{ secrets.WS_APIKEY_NGINX }} | |
| WS_USER_KEY: ${{ secrets.WS_USER_KEY }} | |
| PRODUCT_NAME: ${{ inputs.product_name}} | |
| PROJECT_NAME: ${{ inputs.project_name}} | |
| WS_CHECKPOLICIES: true | |
| WS_FORCECHECKALLDEPENDENCIES: true | |
| WS_GENERATESCANREPORT: true | |
| WS_FORCEUPDATE: true | |
| WS_FORCEUPDATE_FAILBUILDONPOLICYVIOLATION: true | |
| run: | | |
| if [ -z "$WS_APIKEY_NGINX" ] || [ -z "$WS_USER_KEY" ]; then | |
| echo "Secret is empty" | |
| exit 1 | |
| fi | |
| if [ -z "$PRODUCT_NAME" ] || [ -z "$PROJECT_NAME" ]; then | |
| echo "Project Name is empty" | |
| exit 1 | |
| fi | |
| java -jar wss-unified-agent.jar -noConfig true -wss.url $WS_URL -apiKey $WS_APIKEY_NGINX -userKey $WS_USER_KEY -product $PRODUCT_NAME -project $PROJECT_NAME -d ./ | |
| exit_code=$? | |
| echo "mend-scan-result=$(echo $exit_code)" >> $GITHUB_OUTPUT | |
| echo -e "\nEXIT CODE is: $exit_code\n" | |
| # if (( exit_code != 254 )); then | |
| # printf "\nMend scan detected problems.\n" | |
| # exit 0 | |
| # # exit 254 | |
| # else | |
| # printf "\nMend scan completed successfully. Exiting with code = 0\n" | |
| # exit 0 | |
| # fi | |
| - name: Check if report is generated | |
| if: success() || steps.scan.conclusion == 'failure' | |
| id: report | |
| shell: bash | |
| run: | | |
| echo "Scan conclusion: ${{ steps.scan.conclusion }}" | |
| echo "mend-report-file=$(find whitesource -type f -name "${PROJECT_NAME}*scan_report.json" | head -n 1)" >> $GITHUB_OUTPUT | |
| cat $GITHUB_OUTPUT | |
| - name: Print scan report | |
| if: success() || steps.scan.conclusion == 'failure' | |
| id: print | |
| run: | | |
| echo "Scan conclusion: ${{ steps.scan.conclusion }}" | |
| echo "Scan Outcome: ${{ steps.scan.outcome }}" | |
| cat ${{ steps.report.outputs.mend-report-file }} | jq . | |
| - name: Store mend report | |
| if: success() || steps.scan.conclusion == 'failure' | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: mend-scan-report | |
| path: whitesource | |
| retention-days: 7 | |
| - name: Final scan result | |
| if: ${{ steps.scan.outcome }} == "failure" | |
| run: | | |
| printf "\nMend scan detected problems.\n" | |
| exit 1 |