From ee7ed3cac173045fb855130b4ca478efdea20a6c Mon Sep 17 00:00:00 2001 From: Zhiwei Liang <121905282+zliang-akamai@users.noreply.github.com> Date: Mon, 16 Dec 2024 16:24:18 -0500 Subject: [PATCH] Add dependencies and code scan workflows and organize existing workflows (#1689) * Add dependencies and code scan for PRs * Re-organize workflows * No need to handle macos/swift case --- .github/workflows/codeql.yml | 46 ++++++++++++++++++++++++++++++ .github/workflows/gosec_pr.yml | 16 ----------- .github/workflows/pull_request.yml | 27 +++++++++++++++++- .github/workflows/unit-tests.yml | 2 +- 4 files changed, 73 insertions(+), 18 deletions(-) create mode 100644 .github/workflows/codeql.yml delete mode 100644 .github/workflows/gosec_pr.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 000000000..06c9cab3f --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,46 @@ +name: "CodeQL Advanced" + +on: + push: + branches: [ "dev", "main", "proj/*" ] + pull_request: + branches: [ "dev", "main", "proj/*" ] + schedule: + - cron: '39 0 * * 6' + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + runs-on: ubuntu-latest + permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read + + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + include: + - language: go + build-mode: autobuild + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + queries: security-and-quality + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/gosec_pr.yml b/.github/workflows/gosec_pr.yml deleted file mode 100644 index 0ab0c7e15..000000000 --- a/.github/workflows/gosec_pr.yml +++ /dev/null @@ -1,16 +0,0 @@ -name: Gosec Scan -on: - pull_request: null - -jobs: - gosec_scan: - runs-on: ubuntu-latest - env: - GO111MODULE: on - steps: - - name: Checkout Source - uses: actions/checkout@v4 - - name: Run Gosec Security Scanner - uses: securego/gosec@master - with: - args: -exclude=G104 ./... diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index aa3a1c8c5..2489c5045 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -1,4 +1,4 @@ -name: Pull Request +name: CI for Pull Requests on: pull_request jobs: tests: @@ -22,3 +22,28 @@ jobs: run: go mod tidy - name: Fail if changes run: git diff-index --exit-code HEAD + + dependency-review: + permissions: + contents: read + pull-requests: write + runs-on: ubuntu-latest + steps: + - name: 'Checkout repository' + uses: actions/checkout@v4 + - name: 'Dependency Review' + uses: actions/dependency-review-action@v4 + with: + comment-summary-in-pr: on-failure + + gosec_scan: + runs-on: ubuntu-latest + env: + GO111MODULE: on + steps: + - name: Checkout Source + uses: actions/checkout@v4 + - name: Run Gosec Security Scanner + uses: securego/gosec@master + with: + args: -exclude=G104 ./... diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml index 7b247ef33..04b3ea7c9 100644 --- a/.github/workflows/unit-tests.yml +++ b/.github/workflows/unit-tests.yml @@ -2,7 +2,7 @@ name: Unit Tests on: workflow_dispatch: null push: - pull_request: + jobs: unit_tests: runs-on: ubuntu-latest