test-pipeline.yml
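name: Test Pipeline
run-name: ${{ inputs.pipeline_name }}

# Manual-dispatch test harness: each run exercises one component of
# fortify/github-action on one operating system, selected by the inputs below.
#
# NOTE(review): no workflow-level `permissions:` key is declared, so
# GITHUB_TOKEN gets the repository/organization default scopes. Consider
# declaring the minimum (for example `contents: read`) once the scopes the
# scan action actually needs are confirmed.
on:
  workflow_dispatch:
    inputs:
      pipeline_name:
        description: 'Pipeline display name'
        required: true
      version:
        # Used verbatim as the git ref when the jobs check out
        # fortify/github-action, so it decides which action code runs.
        description: 'Integration version (v2, v3)'
        required: true
      fcli_version:
        # Exported to the action as FCLI_BOOTSTRAP_VERSION.
        description: 'Fcli version (e.g., v3, dev_v3.x)'
        required: true
      product:
        description: 'Product (fod or ssc)'
        required: true
      component:
        description: 'Component (setup or ast-scan)'
        required: true
      source_dir:
        # Appended to github.workspace to build SOURCE_DIR and passed to the
        # local setup-build-tools action; it is not validated in this file.
        description: 'Source directory name'
        required: true
      os:
        # Any value other than 'linux' or 'windows' falls through to
        # macos-latest in the jobs' runs-on expression.
        description: 'Operating system (linux, windows, mac)'
        required: true
      fortify_release:
        description: 'Fortify release/appversion name'
        required: true
      setup_steps:
        # NOTE(review): not referenced by any job in this file; confirm
        # whether it is still needed.
        description: 'JSON array of build tool setup steps'
        required: false
        default: '[]'
      runs_on:
        # When non-empty this replaces the hosted-runner choice entirely, so
        # the scan jobs' Fortify credentials go to whichever runner carries
        # that label. NOTE(review): consider checking it against an
        # allow-list of expected labels.
        description: 'Runner label override'
        required: false
        default: ''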
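jobs:
  # Setup component test (product-agnostic)
  test-setup:
    name: ${{ inputs.version }} / setup / ${{ inputs.os }}
    # An explicit runs_on label wins; otherwise map os to a hosted runner,
    # with macos-latest as the fallback.
    runs-on: ${{ inputs.runs_on != '' && inputs.runs_on || inputs.os == 'linux' && 'ubuntu-latest' || inputs.os == 'windows' && 'windows-latest' || 'macos-latest' }}
    if: ${{ inputs.component == 'setup' }}
    # Least privilege: no step visible in this job writes to the repository.
    # NOTE(review): confirm the setup action needs nothing beyond read access.
    permissions:
      contents: read
    steps:
      - name: Checkout fortify/github-action
        # NOTE(review): `v4` is a mutable tag; pin to a full commit SHA
        # (actions/checkout@<full-commit-sha>  # v4) so the code cannot
        # change underneath this workflow.
        uses: actions/checkout@v4
        with:
          repository: fortify/github-action
          # Caller-supplied ref: the action code executed in the next step is
          # whatever this resolves to in fortify/github-action.
          ref: ${{ inputs.version }}
          path: github-action
          # Keep GITHUB_TOKEN out of the checked-out repo's git config; the
          # later steps run code from that checkout.
          persist-credentials: false
      - name: Run setup action
        uses: ./github-action/setup
        with:
          fcli: bootstrapped
        env:
          FCLI_BOOTSTRAP_VERSION: ${{ inputs.fcli_version }}
      - name: Verify fcli installation
        # Fails the job if fcli is not on PATH after setup.
        run: fcli --version
        shell: bash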
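# FoD ast-scan component test
  test-fod-ast-scan:
    name: ${{ inputs.version }} / FoD / ast-scan / ${{ inputs.os }}
    # An explicit runs_on label wins; otherwise map os to a hosted runner,
    # with macos-latest as the fallback.
    runs-on: ${{ inputs.runs_on != '' && inputs.runs_on || inputs.os == 'linux' && 'ubuntu-latest' || inputs.os == 'windows' && 'windows-latest' || 'macos-latest' }}
    if: ${{ inputs.product == 'fod' && inputs.component == 'ast-scan' }}
    # NOTE(review): this job has no `permissions:` block, so GITHUB_TOKEN
    # carries the default scopes while third-party action code runs. Declare
    # the minimum once the scopes the scan action needs are confirmed.
    steps:
      - name: Checkout test sources
        # NOTE(review): `v4` is a mutable tag; pin to a full commit SHA
        # (actions/checkout@<full-commit-sha>  # v4).
        uses: actions/checkout@v4
        with:
          # Keep GITHUB_TOKEN out of .git/config; the following steps run
          # build tooling and action code inside this workspace.
          persist-credentials: false
      - name: Setup build tools
        uses: ./.github/actions/setup-build-tools
        with:
          source_dir: ${{ inputs.source_dir }}
      - name: Checkout fortify/github-action
        uses: actions/checkout@v4
        with:
          repository: fortify/github-action
          # Caller-supplied ref: the action code executed in the next step,
          # which receives the FoD credentials, is whatever this resolves to.
          # NOTE(review): consider restricting it to known release refs.
          ref: ${{ inputs.version }}
          path: github-action
          persist-credentials: false
      - name: Run AST scan action
        uses: ./github-action
        env:
          FCLI_BOOTSTRAP_VERSION: ${{ inputs.fcli_version }}
          SOURCE_DIR: ${{ github.workspace }}/${{ inputs.source_dir }}
          FOD_URL: ${{ vars.FCLI_FT_FOD_URL }}
          FOD_CLIENT_ID: ${{ secrets.FCLI_FT_FOD_CLIENT_ID }}
          FOD_CLIENT_SECRET: ${{ secrets.FCLI_FT_FOD_CLIENT_SECRET }}
          FOD_RELEASE: ${{ inputs.fortify_release }}
          # Environment values are strings; quoting makes that explicit and
          # avoids YAML boolean typing.
          DO_SCA_SCAN: 'true'
          DO_AVIATOR_AUDIT: 'true'
          OVERRIDE_SAST_SETTINGS: 'true'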
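# SSC ast-scan component test
  test-ssc-ast-scan:
    name: ${{ inputs.version }} / SSC / ast-scan / ${{ inputs.os }}
    # An explicit runs_on label wins; otherwise map os to a hosted runner,
    # with macos-latest as the fallback.
    runs-on: ${{ inputs.runs_on != '' && inputs.runs_on || inputs.os == 'linux' && 'ubuntu-latest' || inputs.os == 'windows' && 'windows-latest' || 'macos-latest' }}
    if: ${{ inputs.product == 'ssc' && inputs.component == 'ast-scan' }}
    # NOTE(review): this job has no `permissions:` block, so GITHUB_TOKEN
    # carries the default scopes while third-party action code runs. Declare
    # the minimum once the scopes the scan action needs are confirmed.
    steps:
      - name: Checkout test sources
        # NOTE(review): `v4` is a mutable tag; pin to a full commit SHA
        # (actions/checkout@<full-commit-sha>  # v4).
        uses: actions/checkout@v4
        with:
          # Keep GITHUB_TOKEN out of .git/config; the following steps run
          # build tooling and action code inside this workspace.
          persist-credentials: false
      - name: Setup build tools
        uses: ./.github/actions/setup-build-tools
        with:
          source_dir: ${{ inputs.source_dir }}
      - name: Checkout fortify/github-action
        uses: actions/checkout@v4
        with:
          repository: fortify/github-action
          # Caller-supplied ref: the action code executed in the next step,
          # which receives the SSC tokens, is whatever this resolves to.
          # NOTE(review): consider restricting it to known release refs.
          ref: ${{ inputs.version }}
          path: github-action
          persist-credentials: false
      - name: Run AST scan action
        uses: ./github-action
        env:
          FCLI_BOOTSTRAP_VERSION: ${{ inputs.fcli_version }}
          SOURCE_DIR: ${{ github.workspace }}/${{ inputs.source_dir }}
          SSC_URL: ${{ vars.FCLI_FT_SSC_URL }}
          SSC_TOKEN: ${{ secrets.FCLI_FT_SSC_TOKEN }}
          SC_SAST_TOKEN: ${{ secrets.FCLI_FT_SC_SAST_TOKEN }}
          SSC_APPVERSION: ${{ inputs.fortify_release }}
          # Single-quoted so the embedded double quotes and leading dashes
          # are unambiguously part of one string value.
          SETUP_EXTRA_OPTS: '--issue-template "Prioritized High Risk Issue Template"'
          SAST_SCAN_EXTRA_OPTS: '--no-replace'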