-
Notifications
You must be signed in to change notification settings - Fork 197
66 lines (56 loc) · 2.15 KB
/
pr-code-scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
# Copyright (C) 2024 Intel Corporation
# SPDX-License-Identifier: Apache-2.0
name: Code Scan
on:
pull_request:
branches: [main]
types: [opened, reopened, ready_for_review, synchronize] # added `ready_for_review` since draft is skipped
paths-ignore:
- "**.md"
workflow_dispatch:
# If there is a new commit, the previous jobs will be canceled
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
env:
DOCKER_CONFIG_NAME: "commonDockerConfig"
REPO_NAME: "code-scan"
REPO_TAG: "1.0"
DOCKER_FILE_NAME: "code-scan"
CONTAINER_NAME: "code-scan"
jobs:
code-scan:
runs-on: ubuntu-latest
strategy:
matrix:
job_name: ["bandit", "hadolint"]
fail-fast: false
steps:
- name: Checkout out Repo
uses: actions/checkout@v4
- name: Check Dangerous Command Injection
uses: opea-project/validation/actions/check-cmd@main
with:
work_dir: ${{ github.workspace }}
- name: Docker Build
run: |
docker build -f ${{ github.workspace }}/.github/workflows/docker/${{ env.DOCKER_FILE_NAME }}.dockerfile -t ${{ env.REPO_NAME }}:${{ env.REPO_TAG }} .
- name: Docker Run
run: |
if [[ $(docker ps -a | grep -i '${{ env.CONTAINER_NAME }}'$) ]]; then
docker stop ${{ env.CONTAINER_NAME }}
docker rm -vf ${{ env.CONTAINER_NAME }} || true
fi
docker run -dit --memory="4g" --memory-reservation="1g" --disable-content-trust --privileged --name=${{ env.CONTAINER_NAME }} --shm-size="1g" \
-v ${{ github.workspace }}:/GenAIExamples \
${{ env.REPO_NAME }}:${{ env.REPO_TAG }}
- name: Code scan check
run: |
docker exec ${{ env.CONTAINER_NAME }} \
bash -c "bash /GenAIExamples/.github/workflows/scripts/codeScan/${{ matrix.job_name }}.sh"
- name: Publish pipeline artifact
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.job_name }}
path: ${{ github.workspace }}/.github/workflows/scripts/codeScan/${{ matrix.job_name }}.*