[DO NOT MERGE] - Added config to scan sub directories for Gemfile.lock #3466
Signed-off-by: nikhil2611 <[email protected]>
Signed-off-by: nikhil2611 <[email protected]>
…HEF-28158-NOTICE-generation
Signed-off-by: nikhil2611 <[email protected]>
👷 Deploy Preview for chef-workstation processing.
Pull request overview
This PR modifies the CI/CD workflow configuration to enable scanning of subdirectories for Gemfile.lock files during BlackDuck SCA scans. The changes temporarily redirect the workflow to a development branch for testing the new subdirectory scanning capability.
Key changes:
- Adds configuration to scan specific subdirectories (.,omnibus,components/gems) for Gemfile.lock files
- Temporarily modifies branch triggers and workflow reference to use a development branch
| on: | ||
| pull_request: | ||
| branches: [ main, develop, release/** ] | ||
| branches: [ nikhil/CHEF-28158-NOTICE-generation, develop, release/** ] |
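Review bot: the `pull_request` trigger at `branches:` replaces `main` with `nikhil/CHEF-28158-NOTICE-generation` rather than adding to it, so while this is in place pull requests targeting `main` no longer run `call-ci-main-pr-check-pipeline`; keep `main` in the list and append the test branch if the temporary trigger is needed, e.g. `branches: [ main, nikhil/CHEF-28158-NOTICE-generation, develop, release/** ]`.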
Copilot AI, Dec 4, 2025:
The branch name 'nikhil/CHEF-28158-NOTICE-generation' doesn't match the PR's purpose of scanning subdirectories for Gemfile.lock files. The Jira ID references 'NOTICE-generation', but this PR is about configuring BlackDuck to scan subdirectories. Consider using a branch name that reflects the actual changes, such as 'nikhil/CHEF-XXXXX-blackduck-subdirectory-scan'.
| call-ci-main-pr-check-pipeline: | ||
| uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@main | ||
| uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@nikhil/detect-lockfile-in-subfolders-chef-workstation |
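Review bot: `uses:` now points at a branch of `chef/common-github-actions` instead of `@main`, and both are mutable references, so whatever is on that branch at run time executes in this repository's CI with this workflow's permissions; revert to `@main` before merge as planned, and consider pinning the reusable workflow to a full commit SHA (with the tag or branch in a trailing comment) so a later push to the remote ref cannot silently change what the scan runs.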
Copilot AI, Dec 4, 2025:
Hardcoding a personal development branch reference in the workflow creates a temporary dependency that must be reverted before merging. This should be changed back to '@main' before the PR is merged to avoid breaking the workflow for other developers. Since this is marked '[DO NOT MERGE]', ensure this is addressed when creating the final version.
| uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@nikhil/detect-lockfile-in-subfolders-chef-workstation | |
| uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@main |
| perform-blackduck-sca-scan: true # combined with generate sbom & generate github-sbom, also needs version above | ||
| blackduck-project-group-name: 'Chef-Agents' # typically one of (Chef), Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Non-Product' | ||
| blackduck-project-name: ${{ github.event.repository.name }} # BlackDuck project name, typically the repository name | ||
| blackduck-detect-source-paths: '.;omnibus;components/gems' # Semicolon-separated paths to scan for Gemfile.lock files in subdirectories |
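Review bot: if each entry in `blackduck-detect-source-paths` is scanned recursively, as the added comment states, `.` already covers `omnibus` and `components/gems`, so the extra entries either duplicate work or hint that the scan is not recursive; confirm the semantics and either reduce the value to `'.'` or drop `.` and list only the directories that should be scanned.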
Copilot AI, Dec 4, 2025:
[nitpick] The comment could be more specific about what happens with these paths. Consider clarifying whether these paths are scanned recursively for Gemfile.lock files or if they represent specific locations where Gemfile.lock is expected to exist. For example: 'Semicolon-separated root paths where BlackDuck will recursively scan for Gemfile.lock files'.
| blackduck-detect-source-paths: '.;omnibus;components/gems' # Semicolon-separated paths to scan for Gemfile.lock files in subdirectories | |
| blackduck-detect-source-paths: '.;omnibus;components/gems' # Semicolon-separated root paths where BlackDuck will recursively scan for Gemfile.lock files |
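An added illustration of the overlap question raised in the comment above (my own example, not Chef's or Black Duck Detect's code; it assumes each listed root is scanned recursively, which the page only suggests): parse the `blackduck-detect-source-paths` value, flag roots already covered by an ancestor root, and list the Gemfile.lock files each value reaches in a constructed directory tree.

```python
import os
import tempfile
from pathlib import Path


def parse_source_paths(value: str) -> list[str]:
    """Split the semicolon-separated value of blackduck-detect-source-paths."""
    return [p.strip() for p in value.split(";") if p.strip()]


def redundant_roots(roots: list[str]) -> list[str]:
    """Roots already covered by another listed root that is their ancestor.

    Assumes every root is scanned recursively (an assumption taken from the
    suggested comment wording; Detect's real semantics are not on this page).
    """
    norm = {r: Path(os.path.normpath(r)) for r in roots}
    covered = []
    for r, p in norm.items():
        if any(o != r and q in p.parents for o, q in norm.items()):
            covered.append(r)
    return covered


def find_lockfiles(repo: str, roots: list[str]) -> list[str]:
    """Recursively locate Gemfile.lock under each root, de-duplicating hits."""
    hits = set()
    for r in roots:
        for path in (Path(repo) / r).rglob("Gemfile.lock"):
            hits.add(path.relative_to(repo).as_posix())
    return sorted(hits)


def build_sample_repo() -> str:
    """Constructed tree with the directories the PR names; not the real repo."""
    repo = tempfile.mkdtemp()
    for d in [".", "omnibus", "components/gems", "components/gems/vendor/demo"]:
        (Path(repo) / d).mkdir(parents=True, exist_ok=True)
        (Path(repo) / d / "Gemfile.lock").write_text("GEM\n  specs:\n")
    return repo


if __name__ == "__main__":
    roots = parse_source_paths(".;omnibus;components/gems")
    print("redundant roots:", redundant_roots(roots))
    repo = build_sample_repo()
    print("reached by '.':", find_lockfiles(repo, ["."]))
    print("reached by 'components/gems':", find_lockfiles(repo, ["components/gems"]))
```

With the first-round value, `omnibus` and `components/gems` are reported as redundant under `.`; with the second-round value `components/gems`, the root and `omnibus` lock files are never reached.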
Signed-off-by: nikhil2611 <[email protected]>
- Added blackduck-detect-source-paths parameter to target components/gems
- This focuses Black Duck SCA scan on the primary Ruby dependencies
- Excludes omnibus/Gemfile.lock from scanning
Signed-off-by: nikhil2611 <[email protected]>
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 4 comments.
| on: | ||
| pull_request: | ||
| branches: [ main, develop, release/** ] | ||
| branches: [ nikhil/CHEF-28158-NOTICE-generation, develop, release/** ] |
Copilot AI, Dec 4, 2025:
Branch reference 'nikhil/CHEF-28158-NOTICE-generation' appears to be a personal development branch. This should be reverted to 'main' before merging to ensure the workflow triggers on the correct branches.
| branches: [ nikhil/CHEF-28158-NOTICE-generation, develop, release/** ] | ||
| push: | ||
| branches: [ main, develop, release/** ] | ||
| branches: [ nikhil/CHEF-28158-NOTICE-generation, develop, release/** ] |
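Review bot: the `push:` trigger at `branches:` also drops `main`, so after merge a push landing on `main` would no longer run the SCA scan, not only pull requests; keep `main` in this list or revert the hunk before merge.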
Copilot AI, Dec 4, 2025:
Branch reference 'nikhil/CHEF-28158-NOTICE-generation' appears to be a personal development branch. This should be reverted to 'main' before merging to ensure the workflow triggers on the correct branches.
| call-ci-main-pr-check-pipeline: | ||
| uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@main | ||
| uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@nikhil/detect-lockfile-in-subfolders-chef-workstation |
Copilot AI, Dec 4, 2025:
The workflow reference uses a personal feature branch 'nikhil/detect-lockfile-in-subfolders-chef-workstation'. This should be changed to a stable reference (e.g., '@main' or a version tag) before merging.
| uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@nikhil/detect-lockfile-in-subfolders-chef-workstation | |
| uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@main |
| blackduck-project-name: ${{ github.event.repository.name }} # BlackDuck project name, typically the repository name | ||
| generate-blackduck-sbom: false # obsolete, use perform-blackduck-sca-scan instead | ||
| blackduck-detect-source-paths: 'components/gems' # Scan only the components/gems directory for Gemfile.lock | ||
| generate-blackduck-sbom: true # obsolete, use perform-blackduck-sca-scan instead |
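Review bot: narrowing `blackduck-detect-source-paths` to `'components/gems'` means a `Gemfile.lock` at the repository root or under `omnibus` is no longer part of the SCA results, which the commit message presents as deliberate; record that scope reduction in the PR Description so the coverage gap is visible to whoever reads the scan output, rather than leaving it only in the YAML comment.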
Copilot AI, Dec 4, 2025:
The comment indicates this parameter is obsolete and 'perform-blackduck-sca-scan' should be used instead. Setting this to 'true' while it's marked obsolete creates confusion. Either remove this parameter or clarify why it's being enabled despite being obsolete.
| generate-blackduck-sbom: true # obsolete, use perform-blackduck-sca-scan instead |
Description
Added config to scan sub directories for Gemfile.lock
Related Issue
Types of changes
Checklist:
Gemfile.lock has changed, I have used --conservative to do it and included the full output in the Description above.