Skip to content

Commit

Permalink
Merge pull request #120 from OpenConext/feature/reusable-workflow
Browse files Browse the repository at this point in the history
Migrate to Reusable Workflows
  • Loading branch information
quartje authored Jun 7, 2024
2 parents e34e162 + 14df82c commit b34f601
Showing 1 changed file with 3 additions and 101 deletions.
104 changes: 3 additions & 101 deletions .github/workflows/daily-security-check.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,104 +6,6 @@ on:
workflow_dispatch:

jobs:
security:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Checkout repo
uses: actions/checkout@v4

# PHP checks
- name: Check for php composer project
id: check_composer
uses: andstor/file-existence-action@v3
with:
files: "composer.lock"
- name: Run php local security checker
if: steps.check_composer.outputs.files_exists == 'true'
uses: symfonycorp/security-checker-action@v4

# node-yarn checks
- name: Check for node-yarn project
id: check_node_yarn
uses: andstor/file-existence-action@v3
with:
files: "yarn.lock"
- name: Setup node
if: steps.check_node_yarn.outputs.files_exists == 'true'
uses: actions/setup-node@v4
with:
node-version: 18
- name: Setup PHP 8.2
uses: shivammathur/setup-php@v2
with:
php-version: '8.2'
- name: Composer install
if: steps.check_node_yarn.outputs.files_exists == 'true'
run: composer install --no-interaction
- name: Yarn Audit
if: steps.check_node_yarn.outputs.files_exists == 'true'
run: yarn audit --level high --groups dependencies optionalDependencies

# node-npm checks
- name: Check for node-npm project
id: check_node_npm
uses: andstor/file-existence-action@v3
with:
files: "package.lock"
- name: Setup node
if: steps.check_node_npm.outputs.files_exists == 'true'
uses: actions/setup-node@v4
with:
node-version: 18
- name: npm audit
if: steps.check_node_npm.outputs.files_exists == 'true'
run: npm audit --audit-level=high

# python checks
- name: Check for python project
id: check_python
uses: andstor/file-existence-action@v3
with:
files: "requirements.txt"
- name: Safety checks Python dependencies
if: steps.check_python.outputs.files_exists == 'true'
uses: pyupio/[email protected]

# java checks
- name: Check for java maven project
id: check_maven
uses: andstor/file-existence-action@v3
with:
files: "pom.xml"
- name: Setup java if needed
if: steps.check_maven.outputs.files_exists == 'true'
uses: actions/setup-java@v3
with:
java-version: 11
distribution: 'temurin'
cache: 'maven'
- name: Set up maven cache if needed
if: steps.check_maven.outputs.files_exists == 'true'
uses: actions/cache@v1
with:
path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
restore-keys: |
${{ runner.os }}-maven-
- name: Check java
if: steps.check_maven.outputs.files_exists == 'true'
run: mvn org.owasp:dependency-check-maven:check

# Send results
- name: Send to Slack if something failed
if: failure()
uses: rtCamp/action-slack-notify@v2
env:
SLACK_CHANNEL: surfconext-nightly-check
SLACK_COLOR: ${{ job.status }}
SLACK_ICON: https://static.surfconext.nl/logos/idp/surfnet.png
SLACK_MESSAGE: 'Dependency check failed :crying_cat_face:'
SLACK_TITLE: ${{ github.repository }} wants attention
SLACK_USERNAME: NightlySecurityCheck
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
call-workflow-passing-data:
name: Daily security check (Reusable Workflow)
uses: openconext/openconext-githubactions/.github/workflows/daily-security-check.yml@main

0 comments on commit b34f601

Please sign in to comment.