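---
# Security scanning workflow: Dependency-Check results uploaded to CodeDx,
# a Citadel scan request, and a per-package Black Duck scan, with a Slack
# notification when any scan job fails.
#
# NOTE(review): all third-party actions are referenced by floating tags
# (`@v4`, `@v1`, ...). Pinning each `uses:` to a full commit SHA, keeping the
# tag in a trailing comment, protects against a tag being re-pointed upstream.
#
# NOTE(review): three action references below read "[email protected]"
# (Dependency Check, the Docker command runner, the Slack notifier); this
# looks like the page rendering mangled the `@ref` part. Restore the real
# `owner/repo@ref` from the repository and pin it to a commit SHA.
#
# NOTE(review): no `permissions:` block, so GITHUB_TOKEN receives the
# repository default. Scoping it to `contents: read` (plus whatever the helper
# scripts and the workflow-conclusion action actually need, e.g. `actions: read`)
# is recommended once those requirements are confirmed.
name: Security Scans

# yamllint disable-line rule:truthy
on:
  repository_dispatch:
    types: [security]
  workflow_dispatch:
  # When invoked as a reusable workflow, the secrets referenced below
  # (CODE_DX_*, BLACKDUCK_*, ARTIFACTORY_HVSERVICES_CICD_TOKEN, SLACK_TOKEN)
  # are only available if the caller passes them (`secrets: inherit` or an
  # explicit `secrets:` map) -- confirm every caller does.
  workflow_call:

env:
  # Link back to this run; used as the title link in the failure notification.
  RUN_URL: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}

jobs:
  codedx-scans:
    name: Run CodeDx Scans
    runs-on: [self-hosted, Linux]
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run Dependency Check Scans
        uses: dependency-check/[email protected]
        with:
          project: "uikit"
          path: "."
          format: "XML"

      - name: Upload Reports to CodeDX
        run: .github/scripts/codedx-upload.sh
        env:
          CODE_DX_URL: "${{ secrets.CODE_DX_URL }}"
          CODE_DX_API_KEY: "${{ secrets.CODE_DX_API_KEY }}"
          # Quoted so the id stays a string rather than a YAML integer.
          CODE_DX_PROJECT_ID: "120"

  citadel-scan:
    name: Request Citadel Scan
    runs-on: [self-hosted, Linux]
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install Node.js
        uses: actions/setup-node@v4
        with:
          # Quoted: version strings must not be parsed as numbers.
          node-version: "18"

      - name: Request Citadel scan
        run: .github/scripts/citadel-request.mjs

  black-duck-scans:
    name: Run Black Duck Scans
    runs-on: [self-hosted, Linux]
    strategy:
      # Keep scanning the remaining packages when one of them fails.
      fail-fast: false
      matrix:
        PACKAGE:
          - "cli"
          - "code-editor"
          - "core"
          - "icons"
          - "lab"
          - "shared"
          - "styles"
          - "uno-preset"
          - "viz"
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "18"

      # Install dependencies inside the package under scan so Black Duck can
      # see them. The root package.json / package-lock.json are removed first
      # so npm resolves the package standalone instead of as a workspace member.
      # `matrix.PACKAGE` is a constant from the matrix above, not external
      # input, so interpolating it into the shell command is safe.
      - name: Prepare packages for Blackduck scan
        uses: lumada-common-services/[email protected]
        with:
          command: |
            rm -rf node_modules package.json package-lock.json && \
            cd packages/${{ matrix.PACKAGE }} && npm i

      - name: Load BlackDuck variables
        working-directory: packages/${{ matrix.PACKAGE }}
        # `npm pkg get` prints JSON-quoted values; strip the quotes before
        # exporting them for the scan step.
        run: |
          echo "PROJECT_NAME=$(npm pkg get name --workspaces=false | tr -d '"')" >> "$GITHUB_ENV"
          echo "PROJECT_VERSION=$(npm pkg get version --workspaces=false | tr -d '"')" >> "$GITHUB_ENV"

      - name: Load blackduck project properties
        run: echo "BLACKDUCK_ARGS=$(.github/scripts/getBlackduckArgs.mjs ${{ matrix.PACKAGE }})" >> "$GITHUB_ENV"

      - name: Blackduck Scan
        uses: lumada-common-services/[email protected]
        env:
          BLACKDUCK_DOCKER_USERNAME: hvservices-service-cicd
          BLACKDUCK_DOCKER_PASSWORD: "${{ secrets.ARTIFACTORY_HVSERVICES_CICD_TOKEN }}"
          BlackDuck_Project_Name: "${{ env.PROJECT_NAME }}"
          BlackDuck_Source_Path: /workdir/packages
          BlackDuck_Project_Version: "${{ env.PROJECT_VERSION }}"
          BlackDuck_Api_Token: "${{ secrets.BLACKDUCK_TOKEN }}"
          BlackDuck_Url: "${{ secrets.BLACKDUCK_URL }}"
          ADDITIONAL_ARGS: "${{ env.BLACKDUCK_ARGS }}"

  notify-fail:
    name: Notify Fail
    needs: [codedx-scans, citadel-scan, black-duck-scans]
    # Runs only when at least one of the scan jobs above failed.
    if: failure()
    runs-on: ubuntu-latest
    steps:
      - uses: technote-space/workflow-conclusion-action@v1

      - name: Notify Fail
        uses: hbfernandes/[email protected]
        env:
          SLACK_TOKEN: "${{ secrets.SLACK_TOKEN }}"
          CONCLUSION: "${{ env.WORKFLOW_CONCLUSION }}"
          COLOR: "#C62828"
        with:
          args: |
            {
              "channel": "ui-kit-internal",
              "attachments": [
                {
                  "mrkdwn_in": ["text"],
                  "color": "${{env.COLOR}}",
                  "title": "Security Scans failed",
                  "title_link": "${{ env.RUN_URL }}"
                }
              ]
            }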