-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathaction.yml
164 lines (138 loc) · 5.59 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
name: "sonarqube-mobb-fixer-action"
description: "Mobb automatic vulnerability fixer action for SonarQube connected via Webhook"
branding:
icon: aperture
color: blue
inputs:
sonarqube-token:
description: "your SonarQube credentials"
required: true
mobb-api-token:
description: "Mobb API token"
required: true
github-token:
description: "GitHub token"
required: true
sonarqube-host-url:
description: "SonarQube Host URL"
required: true
sonarqube-project:
description: "SonarQube Project"
required: true
sonarqube-org:
description: "SonarQube Org"
required: true
outputs:
fix-report-url:
description: "Mobb fix report URL"
value: ${{ steps.run-npx-mobb-dev.outputs.fix-report-url }}
runs:
using: "composite"
steps:
- uses: actions/[email protected]
with:
node-version: 18
# This step extracts the Head SHA and stores it in the 'head-sha' variable
- id: env
name: Set Up Environment
run: |
OUT=$(curl --header 'authorization: Bearer ${{ inputs.github-token }}' -s ${{github.event.issue.pull_request.url }} | jq -r '.head.sha')
echo $OUT
echo "head-sha=$OUT" >> $GITHUB_OUTPUT
RUN_PATH=$GITHUB_SERVER_URL"/"$GITHUB_REPOSITORY"/actions/runs/"$GITHUB_RUN_ID
echo RUN_PATH: $RUN_PATH
echo "action-run-path=$RUN_PATH" >> $GITHUB_OUTPUT
#Getting the head-ref
GITHUB_HEAD_REF=$(curl --header 'authorization: Bearer ${{ inputs.github-token }}' -s ${{github.event.issue.pull_request.url }} | jq -r '.head.ref')
echo "github-head-ref=$GITHUB_HEAD_REF" >> $GITHUB_OUTPUT
shell: bash -l {0}
- name: Checkout repository
uses: actions/checkout@v3
with:
ref: ${{ steps.env.outputs.github-head-ref }}
# Displays status in the PR that this action is in 'pending' status
- uses: guibranco/[email protected]
with:
authToken: ${{ inputs.github-token }}
context: "Mobb Fix Analysis"
state: "pending"
target_url: ${{ steps.env.outputs.action-run-path }}
sha: ${{steps.env.outputs.head-sha}}
description: "Mobb fix analysis in progress..."
#wait for 15s as Sonarcloud may not yet have the report ready.
# - name: Sleep for 30 seconds
# uses: jakejarvis/wait-action@master
# with:
# time: '30s'
# Extract the scan ID from the Checkmarx comment and use it to generate a Checkmarx json report
- name: Get SonarQube Report
run: |
echo "Branch is: ${{ steps.env.outputs.github-head-ref }}"
echo "Running python command:"
python_cmd="SONARQUBE_HOST_URL=${{ inputs.sonarqube-host-url }} \
SONARQUBE_PROJECT=${{ inputs.sonarqube-project }} \
SONARQUBE_TOKEN=${{ inputs.sonarqube-token }} \
SONARQUBE_ORG=${{ inputs.sonarqube-org }} \
PULL_REQUEST_ID=${{ github.event.issue.number }} \
REPORT_PATH=report.json \
python ./.github/scripts/sonarqube_download_report.py"
# Print the command
echo "Executing the following python cmd to download JSON report:"
echo "$python_cmd"
# Execute the command
eval "$python_cmd"
ls -l
env
shell: bash -l {0}
- id: run-npx-mobb-dev
name: Mobb - Generate Autofix
run: |
REPO=$(git remote get-url origin)
REPO=${REPO%".git"}
SCANNER=sonarqube
PR_NUMBER=${{ github.event.issue.number }}
GITHUB_HEAD_REF=${{ steps.env.outputs.github-head-ref }}
COMMIT_HASH=$(git rev-parse $GITHUB_HEAD_REF)
echo REPO: $REPO
echo GITHUB_HEAD_REF: $GITHUB_HEAD_REF
echo GITHUB_SHA: $GITHUB_SHA
echo COMMIT_HASH: $COMMIT_HASH
echo PR_NUMBER: $PR_NUMBER
OUT=$(npx --yes mobbdev@latest review -r $REPO --ref $GITHUB_HEAD_REF --ch $COMMIT_HASH --api-key ${{ inputs.mobb-api-token }} -f report.json --pr $PR_NUMBER --github-token ${{ inputs.github-token }} --scanner $SCANNER -p .)
RETVAL=$?
if [ $RETVAL -ne 0 ]; then
exit $RETVAL
fi
OUT=$(echo $OUT | tr '\n' ' ')
echo "fix-report-url=$OUT" >> $GITHUB_OUTPUT
echo "Mobb URL: $OUT"
shell: bash -l {0}
# Publish the Mobb fix report link in the PR
- uses: guibranco/[email protected]
with:
authToken: ${{ inputs.github-token }}
context: "Mobb Fix Report Link"
state: "success"
target_url: ${{ steps.run-npx-mobb-dev.outputs.fix-report-url }}
sha: ${{steps.env.outputs.head-sha}}
description: "Click \"Details\" to access the full fix analysis report"
# Displays status in the PR that this action is in 'complete' status
- uses: guibranco/[email protected]
if: success()
with:
authToken: ${{ inputs.github-token }}
context: "Mobb Fix Analysis"
state: "success"
target_url: ${{ steps.env.outputs.action-run-path }}
sha: ${{steps.env.outputs.head-sha}}
description: "Mobb fix analysis completed. See comment in the PR for results"
# Displays status in the PR that this action is in 'failure' status
- uses: guibranco/[email protected]
if: failure()
with:
authToken: ${{ inputs.github-token }}
context: "Mobb Fix Analysis"
state: "failure"
target_url: ${{ steps.env.outputs.action-run-path }}
sha: ${{steps.env.outputs.head-sha}}
description: "Mobb fix analysis failed. Click \"Details\" to see console logs"