|
1 | 1 | name: Workflows with large secrets |
2 | 2 |
|
3 | | -on: push |
| 3 | +on: |
| 4 | + push: |
| 5 | + |
| 6 | +permissions: |
| 7 | + contents: read |
4 | 8 |
|
5 | 9 | jobs: |
6 | 10 | my-job: |
7 | 11 | name: My Job |
8 | 12 | runs-on: ubuntu-latest |
| 13 | + |
9 | 14 | steps: |
10 | | - - uses: actions/checkout@v2 |
11 | | - - name: get_val |
12 | | - env: |
13 | | - SPECIAL_KEY: ${{ secrets.FOURK_KEY2 }} |
| 15 | + - name: Checkout |
| 16 | + uses: actions/checkout@v4 |
| 17 | + |
| 18 | + - name: Set up Java (LTS) |
| 19 | + uses: actions/setup-java@v4 |
| 20 | + with: |
| 21 | + distribution: temurin |
| 22 | + java-version: "21" |
| 23 | + |
| 24 | + - name: Set up Node.js (LTS) + Yarn (via Corepack) |
| 25 | + uses: actions/setup-node@v4 |
| 26 | + with: |
| 27 | + node-version: "20" |
| 28 | + cache: npm |
| 29 | + |
| 30 | + - name: Enable Corepack (Yarn) |
| 31 | + run: corepack enable |
| 32 | + |
| 33 | + - name: Set up Ruby |
| 34 | + uses: ruby/setup-ruby@v1 |
| 35 | + with: |
| 36 | + ruby-version: "3.3" |
| 37 | + bundler-cache: false |
| 38 | + |
| 39 | + - name: Install system packages |
| 40 | + run: | |
| 41 | + set -euo pipefail |
| 42 | + sudo apt-get update |
| 43 | + sudo apt-get install -y --no-install-recommends \ |
| 44 | + unzip curl git ca-certificates |
| 45 | + sudo rm -rf /var/lib/apt/lists/* |
| 46 | +
|
| 47 | + - name: Install Bundler (latest compatible) |
| 48 | + run: | |
| 49 | + set -euo pipefail |
| 50 | + gem --version |
| 51 | + bundle --version || gem install bundler |
| 52 | +
|
| 53 | + - name: Get latest OWASP Dependency-Check |
| 54 | + run: | |
| 55 | + set -euo pipefail |
| 56 | + latest_tag="$(curl -fsSL https://api.github.com/repos/jeremylong/DependencyCheck/releases/latest | \ |
| 57 | + ruby -rjson -e 'puts JSON.parse(STDIN.read).fetch("tag_name")')" |
| 58 | +
|
| 59 | + echo "Latest Dependency-Check: ${latest_tag}" |
| 60 | +
|
| 61 | + asset_url="$(curl -fsSL https://api.github.com/repos/jeremylong/DependencyCheck/releases/latest | \ |
| 62 | + ruby -rjson -e ' |
| 63 | + r = JSON.parse(STDIN.read) |
| 64 | + a = r.fetch("assets").find { |x| x["name"] =~ /dependency-check-.*-release\.zip$/ } |
| 65 | + puts a.fetch("browser_download_url") |
| 66 | + ')" |
| 67 | +
|
| 68 | + curl -fsSL -o /tmp/dependency-check.zip "$asset_url" |
| 69 | + rm -rf /tmp/dependency-check |
| 70 | + mkdir -p /tmp/dependency-check |
| 71 | + unzip -q /tmp/dependency-check.zip -d /tmp/dependency-check |
| 72 | +
|
| 73 | + # Normalize to a stable path regardless of versioned folder name |
| 74 | + dc_dir="$(find /tmp/dependency-check -maxdepth 1 -type d -name 'dependency-check*' | head -n 1)" |
| 75 | + echo "Dependency-Check directory: $dc_dir" |
| 76 | + echo "DC_DIR=$dc_dir" >> "$GITHUB_ENV" |
| 77 | +
|
| 78 | + - name: Run Dependency-Check against sample Rails app |
| 79 | + name: get_val |
| 80 | + env: |
| 81 | + SPECIAL_KEY: ${{ secrets.FOURK_KEY2 }} |
14 | 82 | run: | |
15 | | - export DEBIAN_FRONTEND=noninteractive && sudo apt-get -y update && sudo apt-get -y upgrade && sudo apt-get -y install unzip curl openjdk-16-jre-headless git openjdk-13-jre-headless git ruby npm openssh-client && \ |
16 | | - [ -x /usr/bin/gem2.7 ] && sudo gem install bundler:2.2.15 && \ |
17 | | - [ -x /usr/share/npm/bin/npm-cli.js ] && sudo npm install --global yarn && \ |
18 | | - [ -x /usr/local/lib/node_modules/yarn/bin/yarn.js ] && curl -L -o /tmp/dependency-check.zip https://github.com/jeremylong/DependencyCheck/releases/download/v6.1.6/dependency-check-6.1.6-release.zip && \ |
19 | | - cd /tmp && mkdir -p ~/.ssh/ && chmod 700 ~/.ssh/ && \ |
20 | | - unzip dependency-check.zip && \ |
21 | | - git clone https://github.com/JetBrains/sample_rails_app.git && \ |
22 | | - echo "cloned stuff" && \ |
23 | | - cd /tmp/sample_rails_app && npm install && \ |
24 | | - mkdir -p /tmp/depCheck && \ |
25 | | - /tmp/dependency-check/bin/dependency-check.sh -s /tmp/sample_rails_app/ -f JSON --project "rails sample app" -o /tmp/depCheck --disableBundleAudit |
| 83 | + set -euo pipefail |
| 84 | +
|
| 85 | + rm -rf /tmp/sample_rails_app |
| 86 | + git clone --depth 1 https://github.com/JetBrains/sample_rails_app.git /tmp/sample_rails_app |
| 87 | + echo "cloned stuff" |
| 88 | +
|
| 89 | + cd /tmp/sample_rails_app |
| 90 | +
|
| 91 | + # Node deps (choose npm or yarn; keeping npm like your original) |
| 92 | + npm ci || npm install |
| 93 | +
|
| 94 | + mkdir -p /tmp/depCheck |
| 95 | +
|
| 96 | + "${DC_DIR}/bin/dependency-check.sh" \ |
| 97 | + -s /tmp/sample_rails_app/ \ |
| 98 | + -f JSON \ |
| 99 | + --project "rails sample app" \ |
| 100 | + -o /tmp/depCheck \ |
| 101 | + --disableBundleAudit |
| 102 | +
|
26 | 103 | echo "ALL DONE" |
| 104 | +
|
| 105 | + - name: Upload Dependency-Check report |
| 106 | + uses: actions/upload-artifact@v4 |
| 107 | + with: |
| 108 | + name: dependency-check-report |
| 109 | + path: /tmp/depCheck |
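Review bot: The step at new lines 78–81 carries two `name` keys (`Run Dependency-Check against sample Rails app` followed by the leftover `name: get_val`), which GitHub's workflow parser rejects as a duplicate mapping key and which a generic YAML 1.1 loader would silently resolve to the second value; delete the `name: get_val` line. The `env: SPECIAL_KEY: ${{ secrets.FOURK_KEY2 }}` on that same step is never referenced by its script, yet `npm ci || npm install` executes lifecycle scripts from the freshly cloned third-party repository with that secret in the process environment; unless this step needs it, move the `env:` block to a step that does nothing but consume the value, or drop it. In `Get latest OWASP Dependency-Check` the workflow fetches, unzips and later executes whatever `browser_download_url` the unauthenticated release API returns, with no version pin or integrity check — pin the tag (for example a `DC_VERSION` value set to a known release) and, if the release publishes a checksum or signature asset, verify it before `unzip`. The two anonymous `api.github.com` calls there are also subject to the per-IP rate limit on shared runners; adding `-H "Authorization: Bearer ${{ github.token }}"` (the `contents: read` permission already granted suffices for a public release lookup) makes them reliable.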