diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index b64249c..e53b203 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -38,12 +38,12 @@ jobs:
     steps:
       - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
-        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+        run: exit 0
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
-          ref: ${{ github.event.pull_request.head.sha || github.ref }}
+          ref: ${{ github.event.pull_request.merge_commit_sha || github.ref }}
       - run: semgrep ci
         env:
-          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+          SEMGREP_APP_TOKEN: ${{ secrets.DX_SDKS_SEMGREP_TOKEN }}
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
index db04609..516645a 100644
--- a/.github/workflows/snyk.yml
+++ b/.github/workflows/snyk.yml
@@ -2,7 +2,6 @@
 name: Snyk
 on:
   merge_group:
-  workflow_dispatch:
   pull_request_target:
     types:
       - opened
@@ -16,6 +15,12 @@ on:
 permissions:
   contents: read
+env:
+  DX_SDKS_SNYK_ORGANIZATION: 8303ea71-ac72-4ae6-9cd0-ae2f3eda82b7
+  DX_SDKS_SNYK_PROJECT: auth0/laravel-auth0
+  DX_SDKS_SNYK_TAGS: Refactoring-target:DX,Refactoring-origin:auth0-sdks
+  DX_SDKS_SNYK_REMOTE_REPO_URL: https://github.com/auth0/laravel-auth0
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
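Review bot: The new `ref:` on the checkout step falls back to `github.ref` whenever `github.event.pull_request.merge_commit_sha` is empty, which GitHub leaves null for a pull request that is not mergeable (and may not have computed yet when the event fires), so on a PR event the scan would then silently run against the base ref while the required check still reports success. Fail instead of falling back, for example with a preceding step `if: github.event.pull_request && !github.event.pull_request.merge_commit_sha` and `run: exit 1`, or check out `refs/pull/${{ github.event.pull_request.number }}/merge`, which GitHub resolves at checkout time. The same fallback appears in the checkout steps of the `configure` and `check` jobs in snyk.yml. This hunk and the snyk.yml `check` job also drop the comment explaining why the dependabot/merge-queue step exits 0; keeping a short `# Required check: report success for dependabot and merge queues instead of scanning.` preserves that intent for the next maintainer.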
@@ -28,24 +33,56 @@ jobs:
     steps:
       - run: true
+  configure:
+    name: Configure
+    needs: [authorize]
+    runs-on: ubuntu-latest
+
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.merge_commit_sha || github.ref }}
+
+      - id: set-matrix
+        run: echo "matrix=$(jq -c . < ./.github/workflows/matrix.json)" >> $GITHUB_OUTPUT
+
   check:
-    needs: authorize
+    needs: [configure]
     name: Check for Vulnerabilities
     runs-on: ubuntu-latest
     steps:
       - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
-        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+        run: exit 0
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
-          ref: ${{ github.event.pull_request.head.sha || github.ref }}
+          ref: ${{ github.event.pull_request.merge_commit_sha || github.ref }}
       - uses: ./.github/actions/setup
         with:
-          php: 8.1
+          php: ${{ fromJson(needs.configure.outputs.matrix).include[0].php }}
+
+      - run: npm install snyk -g
+
+      - if: github.ref == 'refs/heads/main'
+        run: snyk monitor --file=composer.lock --org=$SNYK_ORGANIZATION --project-name=$SNYK_PROJECT --project-tags=$SNYK_TAGS --remote-repo-url=$SNYK_REMOTE_REPO --target-reference="$(git branch --show-current)"
+        env:
+          SNYK_TOKEN: ${{ secrets.DX_SDKS_SNYK_TOKEN }}
+          SNYK_ORGANIZATION: ${{ env.DX_SDKS_SNYK_ORGANIZATION }}
+          SNYK_PROJECT: ${{ env.DX_SDKS_SNYK_PROJECT }}
+          SNYK_TAGS: ${{ env.DX_SDKS_SNYK_TAGS }}
+          SNYK_REMOTE_REPO: ${{ env.DX_SDKS_SNYK_REMOTE_REPO_URL }}
+        continue-on-error: true
-      - uses: snyk/actions/php@b98d498629f1c368650224d6d212bf7dfa89e4bf # pin@0.4.0
+      - run: snyk test --file=composer.lock --org=$SNYK_ORGANIZATION --project-name=$SNYK_PROJECT --remote-repo-url=$SNYK_REMOTE_REPO
         env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+          SNYK_TOKEN: ${{ secrets.DX_SDKS_SNYK_TOKEN }}
+          SNYK_ORGANIZATION: ${{ env.DX_SDKS_SNYK_ORGANIZATION }}
+          SNYK_PROJECT: ${{ env.DX_SDKS_SNYK_PROJECT }}
+          SNYK_TAGS: ${{ env.DX_SDKS_SNYK_TAGS }}
+          SNYK_REMOTE_REPO: ${{ env.DX_SDKS_SNYK_REMOTE_REPO_URL }}
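Review bot: The new `- run: npm install snyk -g` step in the `check` job installs whatever snyk CLI version npm serves at run time, replacing the removed `snyk/actions/php@b98d498…` step that was pinned to a commit SHA, so an unpinned third-party binary now runs with `secrets.DX_SDKS_SNYK_TOKEN` in its environment in a workflow triggered by `pull_request_target`; pin it, e.g. `run: npm install -g snyk@<pinned-version>` (placeholder), and bump the version deliberately. Note also that `configure` reads `./.github/workflows/matrix.json` and `check` runs the local `./.github/actions/setup` from the checked-out `merge_commit_sha`, i.e. from content a pull request can change, which is only acceptable if the `authorize` job this chain depends on (its definition starts before the hunk) gates on maintainer approval. In the `snyk test` step, `SNYK_TAGS` is exported but the command never passes `--project-tags`, so that env entry can be dropped or the flag added to keep the two steps consistent.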