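# Integration workflow: commit-message linting, Action/Docker-image pinning,
# secret scanning and dependency/vulnerability scanning for `main`.
# Jobs can also be run individually via workflow_dispatch (the `job` input);
# each job's `if:` decides whether it runs for the current event.
name: Integration
on:
  workflow_dispatch:
    inputs:
      job:
        description: Job to run
        type: choice
        options:
          - Lint commit messages
          - Pin Actions and Docker images
          - Secrets Scan
          - Vulnerability Scan
        required: false
        default: Pin Actions and Docker images
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  lint_commits:
    # Lint commit messages failing if they're not conventional
    name: Lint commit messages
    runs-on: ubuntu-latest
    timeout-minutes: 1
    # Runs when explicitly dispatched, or for non-forced, non-dependabot events.
    if: |
      github.event.inputs.job == 'Lint commit messages' ||
      (github.event.forced == false &&
      github.actor != 'dependabot[bot]')
    permissions:
      contents: read
      pull-requests: read
    steps:
      - name: Checkout repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v4
      - name: Lint commits
        uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # ratchet:wagoid/commitlint-github-action@v6
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          configFile: .github/.linters/commitlint.config.mjs

  pin_actions_and_docker_images:
    # Re-pins `uses:` references to commit SHAs with ratchet and pushes the
    # result back with the bot identity (signed commit, `[skip ci]`).
    name: Pin Actions and Docker images
    runs-on: ubuntu-latest
    timeout-minutes: 1
    # Never runs on pull_request: only explicit dispatch or pushes to main.
    if: |
      github.event.inputs.job == 'Pin Actions and Docker images' || github.event_name == 'push'
    permissions:
      contents: write
      pull-requests: read
    steps:
      - name: Checkout repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v4
        with:
          # BOT_TOKEN (not GITHUB_TOKEN) so the pushed commit can trigger
          # downstream workflows and is attributed to the bot account.
          token: ${{ secrets.BOT_TOKEN }}
          ref: ${{ github.head_ref || github.ref_name }}
      - name: Check for workflow file changes
        id: filter
        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # ratchet:dorny/paths-filter@v3
        with:
          filters: |
            workflows:
              - '.github/workflows/**'
      - name: Set up Go
        if: steps.filter.outputs.workflows == 'true'
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # ratchet:actions/setup-go@v5
        with:
          # Quoted: an unquoted version like 1.20 would be parsed as float 1.2.
          go-version: "1.23"
      - name: Install Ratchet
        if: steps.filter.outputs.workflows == 'true'
        # NOTE(review): `@latest` is an unpinned supply-chain input for a job
        # whose purpose is pinning; consider replacing it with a fixed
        # ratchet release version.
        run: go install github.com/sethvargo/ratchet@latest
      - name: Pin
        if: steps.filter.outputs.workflows == 'true'
        # Expand the globs directly instead of parsing `ls` output; nullglob
        # drops a pattern that matches nothing rather than passing it literally.
        run: |
          shopt -s nullglob
          ratchet pin .github/workflows/*.yaml .github/workflows/*.yml
      - name: Push changes
        if: steps.filter.outputs.workflows == 'true'
        env:
          COMMIT_MESSAGE: "ci: pin actions and Docker images in workflows [skip ci]"
          # Passed through the environment rather than interpolated with
          # `${{ }}` into the script body, so the secret is never part of the
          # shell source text that the runner materialises and logs on error.
          BOT_GPG_PRIVATE_KEY_BASE64: ${{ secrets.BOT_GPG_PRIVATE_KEY_BASE64 }}
        run: |
          if [[ -n $(git status --porcelain) ]]; then
            printf '%s' "$BOT_GPG_PRIVATE_KEY_BASE64" | base64 -d | gpg --import
            git config user.name "gha-bot"
            git config user.email "gha-bot.noreply.wdx1x@tenet.pm"
            git config user.signingkey "ABD02F54EDDADCB6"
            git config commit.gpgsign true
            git status --porcelain
            git commit -am "$COMMIT_MESSAGE"
            git push
          else
            echo "No changes to commit."
          fi

  secrets_scan:
    # Full-history gitleaks scan (fetch-depth 0) on pushes to main.
    name: Secrets Scan
    runs-on: ubuntu-latest
    timeout-minutes: 1
    if: |
      github.event.inputs.job == 'Secrets Scan' ||
      (github.actor != 'dependabot[bot]' &&
      github.event_name == 'push')
    permissions:
      contents: read
      pull-requests: read
    steps:
      - name: Checkout repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Scan
        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # ratchet:gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_CONFIG: ${{ github.workspace }}/.security/gitleaks.toml
          # Env values are strings; quoted so YAML tooling never retypes them.
          GITLEAKS_ENABLE_UPLOAD_ARTIFACT: "false" # sarif upload, would need 'security-events: write'
          GITLEAKS_ENABLE_SUMMARY: "true"
          GITLEAKS_VERSION: "8.22.0"

  vulnerability_scan:
    # Trivy filesystem scan of package manifests and Actions; results are
    # submitted to GitHub (format: github) and kept as an artifact.
    name: Vulnerability Scan
    runs-on: ubuntu-latest
    timeout-minutes: 3
    if: |
      github.event.inputs.job == 'Vulnerability Scan' || github.actor != 'dependabot[bot]'
    # NOTE(review): `contents: write` is needed for the dependency-snapshot
    # submission; `pull-requests: write` and `actions: write` are not used by
    # any step below — confirm and drop them if nothing else relies on them.
    permissions:
      contents: write
      pull-requests: write
      actions: write
      security-events: write
    steps:
      - name: Checkout repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v4
      - name: Scan pkg manifests/github actions
        id: trivy_scan
        # Also runs when the job was selected via workflow_dispatch; previously
        # that dispatch option checked out the repo and then did nothing.
        if: github.event_name == 'push' || github.event.inputs.job == 'Vulnerability Scan'
        # NOTE(review): the ratchet reference tracks `master` rather than a
        # release tag — confirm that re-pinning to the branch head is intended.
        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # ratchet:aquasecurity/trivy-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          scan-type: fs
          github-pat: ${{ secrets.GITHUB_TOKEN }}
          format: github
          output: sbom.json
          trivy-config: .security/trivy.yaml
      - name: Upload trivy report
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # ratchet:actions/upload-artifact@v4
        if: (github.event_name == 'push' || github.event.inputs.job == 'Vulnerability Scan') && hashFiles('sbom.json') != ''
        with:
          name: sbom-report
          path: sbom.json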