Merge pull request #14 from amplify-security/develop

lae · web-flow · commit 49193d95202c · 2025-01-23T03:51:38.000+09:00
ENG-1074 Sync main
diff --git a/.github/workflows/amplify.yml b/.github/workflows/amplify.yml
@@ -1,10 +1,13 @@
 ---
+# This should mostly be the production version of the workflow (i.e. Amplify is
+# "installed" in this repo just like any other). It is otherwise not integrated
+# with the contents of the repo itself (the CI workflow instead tests changes)
 name: Amplify Security
 on:
   pull_request: {}
   workflow_dispatch: {}
   push:
-    branches: ["main"]
+    branches: ["main", "develop"]
 
 permissions:
   contents: read
@@ -14,9 +17,8 @@ jobs:
   amplify-security-scan:
     name: Amplify Security Scan
     runs-on: ubuntu-latest
-    if: (github.actor != 'dependabot[bot]')
+    if: (!github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]')
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Amplify Runner
-        uses: amplify-security/runner-action@v0.2.0
+        uses: amplify-security/runner-action@main
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
@@ -26,7 +26,7 @@ jobs:
 
       - name: Lint Codebase
         id: super-linter
-        uses: super-linter/super-linter/slim@b92721f792f381cedc002ecdbb9847a15ece5bb8 # v7.1.0
+        uses: super-linter/super-linter/slim@85f7611e0f7b53c8573cca84aa0ed4344f6f6a4d # v7.2.1
         env:
           DEFAULT_BRANCH: main
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/README.adoc b/README.adoc
@@ -1,4 +1,4 @@
-:action-version: 0.2.0
+:action-version: 0.3.0
 = Amplify Runner Action
 
 Github Action to run https://amplify.security[Amplify Security]'s CI Runner.
@@ -24,7 +24,11 @@ permissions:
 
 jobs:
   amplify-security-scan:
+    # name is currently used to properly identify the workflow in Amplify
+    name: Amplify Security Scan
     runs-on: ubuntu-latest
+    # external PRs do not have permission to request ID tokens
+    if: !github.event.pull_request.head.repo.fork
     steps:
      - name: Run Amplify Security Scan
        uses: amplify-security/runner-action@v{action-version}
diff --git a/action.yml b/action.yml
@@ -13,6 +13,6 @@ inputs:
 
 runs:
   using: "docker"
-  image: "docker://amplifysecurity/runner:0.2"
+  image: "docker://amplifysecurity/runner:0.3"
   env:
     AMPLIFY_ENDPOINT: ${{ inputs.amplify-endpoint }}
