Skip to content

Enable secret scanning for all repos #4

Enable secret scanning for all repos

Enable secret scanning for all repos #4

Workflow file for this run

name: Validate Otterdog Configuration
on:
workflow_dispatch:
pull_request_target:
branches: [ main ]
permissions:
contents: read
pull-requests: write
jobs:
validate:
# do not run the workflow in the template repo itself
if: ${{ !contains (github.repository, '/.eclipsefdn-template') }}
runs-on: ubuntu-latest
steps:
- name: Checkout OtterDog
run: git clone https://gitlab.eclipse.org/eclipsefdn/security/otterdog.git
- name: Checkout EclipseFdn/otterdog-configs
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
repository: EclipseFdn/otterdog-configs
path: otterdog-configs
# checkout the head ref of the PR
# NOTE: in general it is bad practice to check out the pull request HEAD for PRs originating from forked repos,
# however, this validation workflow produces a diff between the changes in the PR with the base ref, thus
# doing this is acceptable, see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
- name: Checkout HEAD ref of the PR
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
ref: ${{ github.event.pull_request.head.sha }}
path: ${{ github.repository_owner }}
# checkout the base ref of the PR
- name: Checkout BASE ref of the PR (target branch)
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
ref: ${{ github.base_ref }}
path: ${{ github.repository_owner }}-base
- name: Install jsonnet-bundler
run: |
go install -a github.com/jsonnet-bundler/jsonnet-bundler/cmd/[email protected]
echo $(go env GOPATH)/bin >> $GITHUB_PATH
- name: Install poetry
run: pipx install poetry
- name: Setup Python
uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
with:
python-version: '3.10'
cache: 'poetry'
- name: Install dependencies with poetry
run: |
poetry install --only=main
working-directory: otterdog
- name: Copy configuration from HEAD and BASE ref
run: |
mkdir -p orgs/${{ github.repository_owner }}
cp -r ../${{ github.repository_owner }}/otterdog/* orgs/${{ github.repository_owner }}
cp ../${{ github.repository_owner }}-base/otterdog/${{ github.repository_owner }}.jsonnet orgs/${{ github.repository_owner }}/${{ github.repository_owner }}.jsonnet-BASE
working-directory: otterdog-configs
- name: Validate Otterdog Configuration and diff HEAD <-> BASE
run: |
# use script to enable ansi color output
script -q /dev/null --command "../otterdog/otterdog.sh local-plan ${{ github.repository_owner }} -c otterdog.json --suffix=-BASE" | tee "$GITHUB_WORKSPACE/diff-ansi.txt"
# filter out ansi escape sequences again, use sed as ansi2txt is not available
cat "$GITHUB_WORKSPACE/diff-ansi.txt" | sed -e 's/\x1b\[[0-9;]*m//g' | sed -E 's/^([[:space:]]+)([-+!])/\2\1/g' | sed -E 's/^([[:space:]]+)([~])/!\1/g' > "$GITHUB_WORKSPACE/diff.txt"
working-directory: otterdog-configs
- name: Generate canonical diff
run: ../otterdog/otterdog.sh canonical-diff ${{ github.repository_owner }} -c otterdog.json | tee "$GITHUB_WORKSPACE/canonical-diff.txt"
working-directory: otterdog-configs
# Add a comment to the pull request with the diff
- name: Generate comment
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
with:
script: |
const commentText = 'Diff for ' + process.env.GITHUB_SHA + ':';
const fs = require('fs');
const diff = fs.readFileSync(process.env.GITHUB_WORKSPACE + '/diff.txt').toString().trimEnd();
const canonicalDiff = fs.readFileSync(process.env.GITHUB_WORKSPACE + '/canonical-diff.txt').toString().trimEnd();
var body = "<details>\n<summary>" + commentText + "</summary>\n\n```diff\n" + diff + "\n```\n\n```diff\n" + canonicalDiff + "\n```\n\n</details>";
fs.writeFileSync(process.env.GITHUB_STEP_SUMMARY, body);
fs.writeFileSync(process.env.GITHUB_WORKSPACE + '/comment.txt', body);
- name: Attach comment to PR
uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd # v2.8.0
with:
hide_and_recreate: true
hide_classify: "OUTDATED"
path: ${{ github.workspace }}/comment.txt