Skip to content

refactor: adding prompt for region if env not set #241

refactor: adding prompt for region if env not set

refactor: adding prompt for region if env not set #241

Workflow file for this run

name: Run CDK-Nag
on:
pull_request:
branches:
- dev
- main
env:
AWS_REGION: "us-west-2"
AWS_PAGER: ""
UNIQUE_FILE_ID: ${{ github.run_id }}-${{ github.run_number }}-${{ github.run_attempt }}
jobs:
run-cdk-nag:
permissions:
contents: write
pull-requests: write
id-token: write
runs-on: ubuntu-latest
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: us-west-2
role-to-assume: arn:aws:iam::${{ secrets[format('OSML_{0}', github.base_ref)] }}:role/GithubAction-AssumeRoleWithAction
role-session-name: GitHub_to_AWS_via_FederatedOIDC
role-duration-seconds: 7200
- name: Run CDK Nag
uses: aws-actions/aws-codebuild-run-build@v1
with:
project-name: CodeBuild-CDKNagOSML
buildspec-override: .github/codebuild/cdk-nag.yml
env-vars-for-codebuild: |
BASE_REF,
UNIQUE_FILE_ID
env:
BASE_REF: ${{ github.base_ref }}
UNIQUE_FILE_ID: ${{ github.run_id }}-${{ github.run_number }}-${{ github.run_attempt }}
- name: Download S3 Files
run: |
aws s3 cp s3://osml-cdk-nag-reports-github-${{ secrets[format('OSML_{0}', github.base_ref)] }}/NIST.800.53.R5-violations-${{ env.UNIQUE_FILE_ID }}.md NIST.800.53.R5-violations.md
aws s3 cp s3://osml-cdk-nag-reports-github-${{ secrets[format('OSML_{0}', github.base_ref)] }}/AwsSolutions-violations-${{ env.UNIQUE_FILE_ID }}.md AwsSolutions-violations.md
- uses: peter-evans/find-comment@v3
id: fc
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: github-actions[bot]
body-includes: Please review the existing CDK-Nag Violations
- name: Comment to the PR with violation(s)
uses: actions/github-script@v7
env:
COMMENT_ID: ${{ steps.fc.outputs.comment-id }}
COMMIT_ID: ${{ github.event.pull_request.head.sha || github.sha }}
with:
script: |
const fs = require('fs');
console.log(JSON.stringify(process.env)["COMMIT_ID"]);
console.log(JSON.stringify(process.env)["COMMENT_ID"]);
const commitId = process.env.COMMIT_ID;
const commentId = process.env.COMMENT_ID;
// get files
const nistFile = fs.readFileSync("NIST.800.53.R5-violations.md", "utf8");
const totalNistViolations = nistFile.split('\n').length - 2; // minus 2 due to the headers
const awsFile = fs.readFileSync("AwsSolutions-violations.md", "utf8");
const totalAwsViolations = awsFile.split('\n').length - 2; // minus 2 due to the headers
const content_body = `Please review the existing CDK-Nag Violations for [${commitId}](https://github.com/aws-solutions-library-samples/guidance-for-processing-overhead-imagery-on-aws/commit/${commitId})
<details close>
<summary>There are ${totalAwsViolations} AwsSolutions Violation(s)</summary>
${awsFile}
</details>
<details close>
<summary>There are ${totalNistViolations} NIST.800.53.R5 Violation(s)</summary>
${nistFile}
</details>
`;
if (commentId == 0) {
await github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: content_body
});
} else {
await github.rest.issues.updateComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: commentId,
body: content_body
});
}