Migrate security-check to reusable Github Actions

OpenConext · Jun 7, 2024 · a4fe5a9 · a4fe5a9
1 parent 4c73a83
commit a4fe5a9
Showing 1 changed file with 3 additions and 94 deletions.
diff --git a/.github/workflows/daily-security-check.yml b/.github/workflows/daily-security-check.yml
@@ -6,97 +6,6 @@ on:
   workflow_dispatch:
 
 jobs:
-  security:
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v2
-
-      # PHP checks
-      - name: Check for php composer project
-        id: check_composer
-        uses: andstor/file-existence-action@v2
-        with:
-          files: "composer.lock"
-      - name: Run php local security checker
-        if: steps.check_composer.outputs.files_exists == 'true'
-        uses: symfonycorp/security-checker-action@v4
-
-      # node-yarn checks
-      - name: Check for node-yarn project
-        id: check_node_yarn
-        uses: andstor/file-existence-action@v2
-        with:
-          files: "yarn.lock"
-      - name: Setup node
-        if: steps.check_node_yarn.outputs.files_exists == 'true'
-        uses: actions/setup-node@v3
-        with:
-          node-version: 14
-      - name: Yarn Audit
-        if: steps.check_node_yarn.outputs.files_exists == 'true'
-        run: yarn audit --level high --groups dependencies optionalDependencies
-
-      # node-npm checks
-      - name: Check for node-npm project
-        id: check_node_npm
-        uses: andstor/file-existence-action@v2
-        with:
-          files: "package.lock"
-      - name: Setup node
-        if: steps.check_node_npm.outputs.files_exists == 'true'
-        uses: actions/setup-node@v3
-        with:
-          node-version: 14
-      - name: npm audit
-        if: steps.check_node_npm.outputs.files_exists == 'true'
-        run: npm audit --audit-level=high
-
-      # python checks
-      - name: Check for python project
-        id: check_python
-        uses: andstor/file-existence-action@v2
-        with:
-          files: "requirements.txt"
-      - name: Safety checks Python dependencies
-        if: steps.check_python.outputs.files_exists == 'true'
-        uses: pyupio/[email protected]
-
-      # java checks
-      - name: Check for java maven project
-        id: check_maven
-        uses: andstor/file-existence-action@v2
-        with:
-          files: "pom.xml"
-      - name: Setup java if needed
-        if: steps.check_maven.outputs.files_exists == 'true'
-        uses: actions/setup-java@v3
-        with:
-          java-version: 11
-          distribution: 'temurin'
-          cache: 'maven'
-      - name: Set up maven cache if needed
-        if: steps.check_maven.outputs.files_exists == 'true'
-        uses: actions/cache@v1
-        with:
-          path: ~/.m2/repository
-          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
-          restore-keys: |
-            ${{ runner.os }}-maven-
-      - name: Check java
-        if: steps.check_maven.outputs.files_exists == 'true'
-        run: mvn org.owasp:dependency-check-maven:check
-
-      # Send results
-      - name: Send to Slack if something failed
-        if: failure()
-        uses: rtCamp/action-slack-notify@v2
-        env:
-          SLACK_CHANNEL: surfconext-nightly-check
-          SLACK_COLOR: ${{ job.status }}
-          SLACK_ICON: https://static.surfconext.nl/logos/idp/surfnet.png
-          SLACK_MESSAGE: 'Dependency check failed :crying_cat_face:'
-          SLACK_TITLE: ${{ github.repository }} wants attention
-          SLACK_USERNAME: NightlySecurityCheck
-          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+  call-workflow-passing-data:
+    name: Daily security check (Reusable Workflow)
+    uses: openconext/openconext-githubactions/.github/workflows/daily-security-check.yml@main