Skip to content
Z-AUTOMATED: PR Validator

[PRMP-627] Update enhanced metadata processor Lambda #194

Sign in to view logs

[PRMP-627] Update enhanced metadata processor Lambda

[PRMP-627] Update enhanced metadata processor Lambda #194

Workflow file for this run

.github/workflows/automated-pr-validator.yml at 06522b3
name: "Z-AUTOMATED: PR Validator"
on:
pull_request:
types: [opened, synchronize, reopened, edited]
permissions: {}
jobs:
sbom_scan:
name: SBOM Repo Scan
runs-on: ubuntu-latest
permissions:
actions: read # Required for anchore/sbom-action
contents: write # Required for anchore/sbom-action
id-token: write # Required for requesting the JWT
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@v5
with:
fetch-depth: 0
- uses: anchore/sbom-action@v0
with:
path: "."
format: cyclonedx-json
output-file: sbom-repo-${{ github.event.repository.name }}-${{ github.sha }}.cdx.json
- uses: anchore/scan-action@v7
id: sbom-scan
with:
sbom: sbom-repo-${{ github.event.repository.name }}-${{ github.sha }}.cdx.json
fail-build: true
severity-cutoff: low
only-fixed: true
output-format: sarif
- name: Upload Anchore scan SARIF report
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: ${{ steps.sbom-scan.outputs.sarif }}
- name: Add/Update SBOM failure comment
uses: actions/github-script@v8
if: always() && failure()
with:
script: |
// 1. Retrieve existing bot comments for the PR
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
})
const botComment = comments.find(comment => {
return comment.user.type === 'Bot' && comment.body.includes('Code security issues found')
})
// 2. Prepare format of the comment
const output = `### Code security issues found
View full details [here](https://github.com/${{ github.repository }}/security/code-scanning?query=is%3Aopen+pr%3A${{ github.event.pull_request.number }}).`;
// 3. If we have a comment, update it, otherwise create a new one
if (botComment) {
github.rest.issues.deleteComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: botComment.id,
body: output
})
}
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
- name: Delete SBOM failure comment
uses: actions/github-script@v8
if: always() && success()
with:
script: |
// 1. Retrieve existing bot comments for the PR
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
})
const botComment = comments.find(comment => {
return comment.user.type === 'Bot' && comment.body.includes('Code security issues found')
})
// 2. If we have a comment, update it, otherwise create a new one
if (botComment) {
github.rest.issues.deleteComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: botComment.id
})
}
markdown-validation:
name: Markdown Validation
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Run Markdown Validation Script
id: validate
run: |
BRANCH_NAME=${{ github.event.repository.default_branch }}
chmod +x scripts/markdown-validator.sh
scripts/markdown-validator.sh
checklist_validator:
name: Checklist Validation
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@v5
- name: Set up Python 3.11
uses: actions/setup-python@v6
with:
python-version: 3.11
- name: Run checklist validator
run: |
python3 scripts/github/checklist_validator/main.py
env:
PR_BODY: ${{ github.event.pull_request.body }}