security #234
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Scans | |
| on: | |
| repository_dispatch: | |
| types: [security] | |
| workflow_dispatch: | |
| workflow_call: | |
| env: | |
| RUN_URL: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}} | |
| jobs: | |
| codedx-scans: | |
| name: Run CodeDx Scans | |
| runs-on: [self-hosted, Linux] | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Run Dependency Check Scans | |
| uses: dependency-check/[email protected] | |
| with: | |
| project: "uikit" | |
| path: "." | |
| format: "XML" | |
| - name: Upload Reports to CodeDX | |
| run: .github/scripts/codedx-upload.sh | |
| env: | |
| CODE_DX_URL: "${{ secrets.CODE_DX_URL }}" | |
| CODE_DX_API_KEY: ${{ secrets.CODE_DX_API_KEY }} | |
| CODE_DX_PROJECT_ID: 120 | |
| citadel-scan: | |
| name: Request Citadel Scan | |
| runs-on: [self-hosted, Linux] | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Install Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 18 | |
| - name: Request Citadel scan | |
| run: .github/scripts/citadel-request.mjs | |
| black-duck-scans: | |
| name: Run Black Duck Scans | |
| runs-on: [self-hosted, Linux] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| PACKAGE: | |
| - "cli" | |
| - "code-editor" | |
| - "core" | |
| - "icons" | |
| - "lab" | |
| - "shared" | |
| - "styles" | |
| - "uno-preset" | |
| - "viz" | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Install Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 18 | |
| # ========================== | |
| # code-editor (npm package) | |
| # ========================== | |
| # Install dependencies inside each package so blackduck can scan them | |
| # To do this we need to remove the package.json and package-lock.json from the root | |
| - name: Prepare packages for Blackduck scan | |
| uses: lumada-common-services/[email protected] | |
| with: | |
| command: | | |
| rm -rf node_modules package.json package-lock.json && \ | |
| cd packages/${{ matrix.PACKAGE }} && npm i | |
| - name: Load BlackDuck variables | |
| working-directory: packages/${{ matrix.PACKAGE }} | |
| run: | | |
| echo "PROJECT_NAME=$(npm pkg get name --workspaces=false | tr -d '""')" >> $GITHUB_ENV | |
| echo "PROJECT_VERSION=$(npm pkg get version --workspaces=false | tr -d '"')" >> $GITHUB_ENV | |
| - name: Load blackduck project properties | |
| run: echo "BLACKDUCK_ARGS=$(.github/scripts/getBlackduckArgs.mjs ${{ matrix.PACKAGE }})" >> $GITHUB_ENV | |
| - name: Blackduck Scan | |
| uses: lumada-common-services/[email protected] | |
| env: | |
| BLACKDUCK_DOCKER_USERNAME: hvservices-service-cicd | |
| BLACKDUCK_DOCKER_PASSWORD: ${{ secrets.ARTIFACTORY_HVSERVICES_CICD_TOKEN }} | |
| BlackDuck_Project_Name: "${{ env.PROJECT_NAME }}" | |
| BlackDuck_Source_Path: /workdir/packages | |
| BlackDuck_Project_Version: "${{ env.PROJECT_VERSION }}" | |
| BlackDuck_Api_Token: "${{ secrets.BLACKDUCK_TOKEN }}" | |
| BlackDuck_Url: "${{ secrets.BLACKDUCK_URL }}" | |
| ADDITIONAL_ARGS: "${{ env.BLACKDUCK_ARGS }}" | |
| notify-fail: | |
| name: Notify Fail | |
| needs: [codedx-scans, citadel-scan, black-duck-scans] | |
| if: failure() | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: technote-space/workflow-conclusion-action@v1 | |
| - name: Notify Fail | |
| uses: hbfernandes/[email protected] | |
| env: | |
| SLACK_TOKEN: ${{ secrets.SLACK_TOKEN }} | |
| CONCLUSION: ${{ env.WORKFLOW_CONCLUSION }} | |
| COLOR: "#C62828" | |
| with: | |
| args: | | |
| { | |
| "channel": "ui-kit-internal", | |
| "attachments": [ | |
| { | |
| "mrkdwn_in": ["text"], | |
| "color": "${{env.COLOR}}", | |
| "title": "Security Scans failed", | |
| "title_link": "${{ env.RUN_URL }}" | |
| } | |
| ] | |
| } |