feat: optimize Snyk workflow to only scan packages with changes in PRs

kishore7snehil · kishore7snehil · commit 4c4afdbb7ade · 2025-08-01T22:21:28.000+05:30
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
@@ -21,80 +21,79 @@ concurrency:
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
 jobs:
-  # First job to discover all packages dynamically
-  discover-packages:
-    name: Discover Packages
+  # Discover packages with changes for targeted scanning
+  discover-changed-packages:
+    name: Discover Changed Packages
     runs-on: ubuntu-latest
     outputs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
+      has-changes: ${{ steps.set-matrix.outputs.has-changes }}
     steps:
       - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
         run: exit 0
 
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha || github.ref }}
+          fetch-depth: 0
 
-      - name: Discover packages
+      - name: Discover packages with changes
         id: set-matrix
         run: |
-          packages=$(find packages -maxdepth 1 -type d -name "auth0_*" | sed 's|^packages/||' | jq -R -s -c 'split("\n")[:-1]')
+          # For push events or scheduled runs, scan all packages
+          if [[ "${{ github.event_name }}" == "push" || "${{ github.event_name }}" == "schedule" || "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            packages=$(find packages -maxdepth 1 -type d -name "auth0_*" | sed 's|^packages/||' | jq -R -s -c 'split("\n")[:-1]')
+            echo "Scanning all packages for ${{ github.event_name }} event"
+          else
+            # For PRs, only scan packages with changes
+            changed_files=$(git diff --name-only origin/main...HEAD)
+            changed_packages=$(echo "$changed_files" | grep '^packages/auth0_' | cut -d'/' -f2 | sort -u | jq -R -s -c 'split("\n")[:-1] | map(select(length > 0))')
+            packages="$changed_packages"
+            echo "Changed files: $changed_files"
+            echo "Scanning changed packages for PR: $packages"
+          fi
+          
           echo "matrix={\"package\":$packages}" >> $GITHUB_OUTPUT
-          echo "Found packages: $packages"
+          if [ "$packages" = "[]" ]; then
+            echo "has-changes=false" >> $GITHUB_OUTPUT
+          else
+            echo "has-changes=true" >> $GITHUB_OUTPUT
+          fi
+          echo "Final packages to scan: $packages"
 
-  # Main security scanning job for each package
+  # Security scanning for packages with changes
   security-scan:
     name: Security Scan (${{ matrix.package }})
     runs-on: ubuntu-latest
-    needs: discover-packages
-    if: needs.discover-packages.outputs.matrix != '{"package":[]}'
+    needs: discover-changed-packages
+    if: needs.discover-changed-packages.outputs.has-changes == 'true'
     strategy:
       fail-fast: false
-      matrix: ${{ fromJson(needs.discover-packages.outputs.matrix) }}
+      matrix: ${{ fromJson(needs.discover-changed-packages.outputs.matrix) }}
 
     steps:
       - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
-        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues
+        run: exit 0
 
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha || github.ref }}
 
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: '3.11'
-
-      - name: Prepare dependencies for Snyk scan
+      - name: Check for requirements.txt
         working-directory: packages/${{ matrix.package }}
         run: |
-          # Check if requirements.txt exists, if not, generate from Poetry
-          if [ -f "requirements.txt" ]; then
-            echo "Using existing requirements.txt for ${{ matrix.package }}"
-            cp requirements.txt snyk-requirements.txt
-          elif [ -f "pyproject.toml" ]; then
-            echo "Generating requirements.txt from pyproject.toml for ${{ matrix.package }}"
-            pip install poetry
-            poetry export --format requirements.txt --output snyk-requirements.txt --without-hashes
-          else
-            echo "No dependency file found for ${{ matrix.package }}"
+          if [ ! -f "requirements.txt" ]; then
+            echo "❌ requirements.txt not found for ${{ matrix.package }}"
+            echo "Please ensure requirements.txt exists in the package directory"
             exit 1
           fi
-          
-          # Show what we're scanning
+          echo "✅ Found requirements.txt for ${{ matrix.package }}"
           echo "Dependencies to scan:"
-          head -10 snyk-requirements.txt
+          head -5 requirements.txt
 
       - name: Run Snyk security scan
         uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # pin@0.4.0
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
-          args: --file=packages/${{ matrix.package }}/snyk-requirements.txt --package-manager=pip
-
-      - name: Upload Snyk results to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: snyk.sarif
-          category: snyk-${{ matrix.package }}
+          args: --file=packages/${{ matrix.package }}/requirements.txt --package-manager=pip
