[PRM-605] Update .github/PULL_REQUEST_TEMPLATE.md (Jira link & checkboxes) #918
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: 'Z-AUTOMATED: SBOM Repo Scan' | |
| on: | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| permissions: | |
| actions: read # Required for anchore/sbom-action | |
| contents: write # Required for anchore/sbom-action | |
| id-token: write # Required for requesting the JWT | |
| pull-requests: write | |
| jobs: | |
| sbom_scan: | |
| name: SBOM Repo Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v5 | |
| with: | |
| fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis | |
| - uses: anchore/sbom-action@v0 | |
| with: | |
| path: "." | |
| format: cyclonedx-json | |
| output-file: sbom-repo-${{ github.event.repository.name }}-${{ github.sha }}.cdx.json | |
| - uses: anchore/scan-action@v7 | |
| id: sbom-scan | |
| with: | |
| sbom: sbom-repo-${{ github.event.repository.name }}-${{ github.sha }}.cdx.json | |
| fail-build: true | |
| severity-cutoff: low | |
| only-fixed: true | |
| output-format: sarif | |
| - name: Upload Anchore scan SARIF report | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: ${{ steps.sbom-scan.outputs.sarif }} | |
| - name: Add/Update SBOM failure comment | |
| uses: actions/github-script@v8 | |
| if: always() && failure() | |
| with: | |
| script: | | |
| // 1. Retrieve existing bot comments for the PR | |
| const { data: comments } = await github.rest.issues.listComments({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: context.issue.number, | |
| }) | |
| const botComment = comments.find(comment => { | |
| return comment.user.type === 'Bot' && comment.body.includes('Code security issues found') | |
| }) | |
| // 2. Prepare format of the comment | |
| const output = `### Code security issues found | |
| View full details [here](https://github.com/${{ github.repository }}/security/code-scanning?query=is%3Aopen+pr%3A${{ github.event.pull_request.number }}).`; | |
| // 3. If we have a comment, update it, otherwise create a new one | |
| if (botComment) { | |
| github.rest.issues.deleteComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| comment_id: botComment.id, | |
| body: output | |
| }) | |
| } | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: output | |
| }) | |
| - name: Delete SBOM failure comment | |
| uses: actions/github-script@v8 | |
| if: always() && success() | |
| with: | |
| script: | | |
| // 1. Retrieve existing bot comments for the PR | |
| const { data: comments } = await github.rest.issues.listComments({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: context.issue.number, | |
| }) | |
| const botComment = comments.find(comment => { | |
| return comment.user.type === 'Bot' && comment.body.includes('Code security issues found') | |
| }) | |
| // 2. If we have a comment, update it, otherwise create a new one | |
| if (botComment) { | |
| github.rest.issues.deleteComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| comment_id: botComment.id | |
| }) | |
| } |