@@ -53,28 +53,67 @@ jobs:
5353 env :
5454 GH_TOKEN : ${{ secrets.ONBOARDING_TOKEN }}
5555
56+ - name : Check if target repository is empty
57+ id : check_empty
58+ run : |
59+ REPO="${{ steps.target.outputs.repository }}"
60+ # Try to get repository info
61+ REPO_INFO=$(gh api "repos/$REPO" 2>/dev/null || echo "")
62+
63+ if [ -z "$REPO_INFO" ]; then
64+ echo "Failed to get repository info"
65+ exit 1
66+ fi
67+
68+ # Check if repository has commits (size will be 0 if empty)
69+ IS_EMPTY=$(echo "$REPO_INFO" | jq -r '.size == 0')
70+
71+ echo "is_empty=$IS_EMPTY" >> "$GITHUB_OUTPUT"
72+ echo "Repository empty status: $IS_EMPTY"
73+ shell : bash
74+ env :
75+ GH_TOKEN : ${{ secrets.ONBOARDING_TOKEN }}
76+
5677 - name : Checkout target repository
78+ if : steps.check_empty.outputs.is_empty == 'false'
5779 uses : actions/checkout@v4
5880 with :
5981 repository : ${{ steps.target.outputs.repository }}
6082 token : ${{ secrets.ONBOARDING_TOKEN }}
6183 path : target-repo
6284 ref : ${{ steps.target.outputs.base_branch }}
6385
86+ - name : Initialize empty repository locally
87+ if : steps.check_empty.outputs.is_empty == 'true'
88+ run : |
89+ mkdir -p target-repo
90+ cd target-repo
91+ git init
92+ git remote add origin "https://x-access-token:${{ secrets.ONBOARDING_TOKEN }}@github.com/${{ steps.target.outputs.repository }}.git"
93+ shell : bash
94+
6495 - name : Create branch and add SAST workflow
6596 working-directory : target-repo
6697 run : |
6798 git config user.name "MetaMask Security Bot"
6899 git config user.email "[email protected] " 69100
70- BRANCH_NAME="security/add-sast-scanner"
71- git checkout -b "$BRANCH_NAME"
101+ IS_EMPTY="${{ steps.check_empty.outputs.is_empty }}"
102+ BASE_BRANCH="${{ steps.target.outputs.base_branch }}"
103+
104+ if [ "$IS_EMPTY" = "true" ]; then
105+ # For empty repos, create initial commit on main
106+ BRANCH_NAME="$BASE_BRANCH"
107+ else
108+ # For existing repos, create a feature branch
109+ BRANCH_NAME="security/add-sast-scanner"
110+ git checkout -b "$BRANCH_NAME"
111+ fi
72112
73113 # Create .github/workflows directory if it doesn't exist
74114 mkdir -p .github/workflows
75115
76116 # Copy the security scanner workflow template and replace placeholders
77- BASE_BRANCH="${{ steps.target.outputs.base_branch }}"
78117 sed "s/{ DEFAULT_BRANCH }/$BASE_BRANCH/g" \
79118 ../scanner-repo/.github/templates/security-code-scanner.yml \
80119 > .github/workflows/security-code-scanner.yml
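Review bot: On the empty-repository path `git init` leaves the local branch at whatever the runner's `init.defaultBranch` is, while the `if [ "$IS_EMPTY" = "true" ]` branch only sets `BRANCH_NAME="$BASE_BRANCH"` without creating that branch, so the later `git push -u origin "$BRANCH_NAME"` (next hunk) fails with an unmatched src refspec whenever the two names differ; add `git checkout -b "$BRANCH_NAME"` inside that branch, or initialise with `git init -b "${{ steps.target.outputs.base_branch }}"` in the "Initialize empty repository locally" step (this run script continues past the hunk). Separately, `git remote add origin "https://x-access-token:${{ secrets.ONBOARDING_TOKEN }}@github.com/…"` writes the token in clear text into `target-repo/.git/config` for the rest of the job; a credential-free remote URL plus `gh auth setup-git` (the token is already exported as `GH_TOKEN`) keeps it off disk. The `${{ steps.target.outputs.* }}` expressions are expanded directly into the shell scripts here and in the last hunk; if `steps.target` derives from a workflow input or event payload, that is the documented script-injection pattern, and passing the values through `env:` (`REPO: ${{ steps.target.outputs.repository }}`, then `"$REPO"` in the script) removes it. The `.size == 0` test relies on a cached kilobyte figure that can read 0 for a tiny or just-pushed repository, so `gh api "repos/$REPO/commits"` (which returns 409 for an empty repository) would be a more direct emptiness check.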
@@ -86,17 +125,18 @@ jobs:
86125 automated security scanning of the codebase.
87126
88127 The scanner will run on:
89- - Push to main branch
90- - Pull requests to main branch
128+ - Push to $BASE_BRANCH branch
129+ - Pull requests to $BASE_BRANCH branch
91130 - Manual workflow dispatch
92131
93132 To configure the scanner for your repository's specific needs,
94133 please review the workflow file and adjust as necessary."
95134
96- git push origin "$BRANCH_NAME"
135+ git push -u origin "$BRANCH_NAME"
97136 shell : bash
98137
99138 - name : Create Pull Request
139+ if : steps.check_empty.outputs.is_empty == 'false'
100140 working-directory : target-repo
101141 env :
102142 GH_TOKEN : ${{ secrets.ONBOARDING_TOKEN }}
@@ -120,6 +160,7 @@ jobs:
120160 shell : bash
121161
122162 - name : Output PR URL
163+ if : steps.check_empty.outputs.is_empty == 'false'
123164 working-directory : target-repo
124165 env :
125166 GH_TOKEN : ${{ secrets.ONBOARDING_TOKEN }}
@@ -128,3 +169,12 @@ jobs:
128169 echo "✅ Pull Request created: $PR_URL"
129170 echo "PR_URL=$PR_URL" >> "$GITHUB_OUTPUT"
130171 shell : bash
172+
173+ - name : Output commit info for empty repo
174+ if : steps.check_empty.outputs.is_empty == 'true'
175+ run : |
176+ REPO="${{ steps.target.outputs.repository }}"
177+ BASE_BRANCH="${{ steps.target.outputs.base_branch }}"
178+ echo "✅ Initial commit pushed to https://github.com/$REPO/tree/$BASE_BRANCH"
179+ echo "Repository was empty - workflow file added directly to $BASE_BRANCH branch"
180+ shell : bash