From 6d801e5d272de2d81e97336bbbdac51056de219d Mon Sep 17 00:00:00 2001
From: Peter Havekes
Date: Thu, 23 May 2024 13:16:41 +0200
Subject: [PATCH] Migrate security-check to reusable Github Actions

---
 .github/workflows/daily-security-check.yml | 97 +---------------------
 1 file changed, 3 insertions(+), 94 deletions(-)

diff --git a/.github/workflows/daily-security-check.yml b/.github/workflows/daily-security-check.yml
index 25a73ff2..57031b01 100644
--- a/.github/workflows/daily-security-check.yml
+++ b/.github/workflows/daily-security-check.yml
@@ -6,97 +6,6 @@ on: workflow_dispatch: jobs: - security: - runs-on: ubuntu-latest - timeout-minutes: 10 - steps: - - name: Checkout repo - uses: actions/checkout@v2 - - # PHP checks - - name: Check for php composer project - id: check_composer - uses: andstor/file-existence-action@v2 - with: - files: "composer.lock" - - name: Vulnerability check - run: php composer audit - if: steps.check_composer.outputs.files_exists == 'true' - - # node-yarn checks - - name: Check for node-yarn project - id: check_node_yarn - uses: andstor/file-existence-action@v2 - with: - files: "yarn.lock" - - name: Setup node - if: steps.check_node_yarn.outputs.files_exists == 'true' - uses: actions/setup-node@v3 - with: - node-version: 14 - - name: Yarn Audit - if: steps.check_node_yarn.outputs.files_exists == 'true' - run: yarn audit --level high --groups dependencies optionalDependencies - - # node-npm checks - - name: Check for node-npm project - id: check_node_npm - uses: andstor/file-existence-action@v2 - with: - files: "package.lock" - - name: Setup node - if: steps.check_node_npm.outputs.files_exists == 'true' - uses: actions/setup-node@v3 - with: - node-version: 14 - - name: npm audit - if: steps.check_node_npm.outputs.files_exists == 'true' - run: npm audit --audit-level=high - - # python checks - - name: Check for python project - id: check_python - uses: andstor/file-existence-action@v2 - with: - files: "requirements.txt" - - name: Safety checks Python dependencies - if: steps.check_python.outputs.files_exists == 'true' - uses: pyupio/safety@2.3.5 - - # java checks - - name: Check for java maven project - id: check_maven - uses: andstor/file-existence-action@v2 - with: - files: "pom.xml" - - name: Setup java if needed - if: steps.check_maven.outputs.files_exists == 'true' - uses: actions/setup-java@v3 - with: - java-version: 11 - distribution: 'temurin' - cache: 'maven' - - name: Set up maven cache if needed - if: steps.check_maven.outputs.files_exists == 'true' - uses: 
actions/cache@v1 - with: - path: ~/.m2/repository - key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} - restore-keys: | - ${{ runner.os }}-maven- - - name: Check java - if: steps.check_maven.outputs.files_exists == 'true' - run: mvn org.owasp:dependency-check-maven:check - - # Send results - - name: Send to Slack if something failed - if: failure() - uses: rtCamp/action-slack-notify@v2 - env: - SLACK_CHANNEL: surfconext-nightly-check - SLACK_COLOR: ${{ job.status }} - SLACK_ICON: https://static.surfconext.nl/logos/idp/surfnet.png - SLACK_MESSAGE: 'Dependency check failed :crying_cat_face:' - SLACK_TITLE: ${{ github.repository }} wants attention - SLACK_USERNAME: NightlySecurityCheck - SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + call-workflow-passing-data: + name: Daily security check (Reusable Workflow) + uses: openconext/openconext-githubactions/.github/workflows/daily-security-check.yml@main
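Review bot: The reusable workflow is referenced through the mutable `@main` ref on the last added line, so any push to that branch of openconext-githubactions changes what this repository's security check executes without a review here; pin it to a release tag or a full commit SHA instead, e.g. `uses: openconext/openconext-githubactions/.github/workflows/daily-security-check.yml@<tag-or-sha>`. The removed job read `secrets.SLACK_WEBHOOK`, and a reusable workflow in another repository receives no secrets unless the caller passes them, so if the called workflow still sends the Slack notification this job needs `secrets: inherit` or an explicit `secrets:` mapping — worth confirming against the callee's `workflow_call` declaration. The job key `call-workflow-passing-data` is the placeholder from the GitHub docs example and this call passes no data; a descriptive key such as `security-check:` would read better alongside the `name:` already given.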