ci: Update sast-linters.yml (#2377)

* Update sast-linters.yml - Exclude .github/workflows/sast-linters.yml from gosec nosec use scanning * Update sast-linters.yml * Update changelog.md * Update sast-linters.yml Also ignore changelog.md
zeta-chain · Jun 24, 2024 · a1af629 · a1af629
1 parent 3a96ba6
commit a1af629
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 5 deletions.
diff --git a/.github/workflows/sast-linters.yml b/.github/workflows/sast-linters.yml
@@ -104,7 +104,14 @@ jobs:
           echo "Changed files: ${{ steps.changed-files.outputs.all_changed_files }}"
                     
           for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
-            if git diff ${{ github.event.pull_request.base.sha }} $file | grep -q nosec; then
+            # Skip this workflow file
+            if [ "$file" == ".github/workflows/sast-linters.yml" ] || [ "$file" == "changelog.md" ]; then
+              echo "Skipping nosec check for $file"
+              continue
+            fi
+            
+            # Only consider additions of "nosec", marked by '+'
+            if git diff ${{ github.event.pull_request.base.sha }} $file | grep -q '^+.*nosec'; then
               echo "nosec detected in $file"
               nosec_list+=("$file,")
               nosec_detected=1
@@ -118,6 +125,7 @@ jobs:
           echo "nosec_files=$nosec_list_string" >> $GITHUB_ENV
           echo "nosec_detected=$nosec_detected" >> $GITHUB_ENV
 
+
       - name: Report nosec uses
         uses: mshick/add-pr-comment@v2
         if: env.nosec_detected == 1
@@ -149,6 +157,3 @@ jobs:
         run: |
           DIFF=$(git diff ${{ github.event.pull_request.base.sha }})
           echo "$DIFF" | grep -P '#nosec(?!(\sG\d{3}))(?![^\s\t])([\s\t]*|$)' && echo "nosec without specified rule found!" && exit 1 || exit 0
-
-
-          
diff --git a/changelog.md b/changelog.md
@@ -92,6 +92,7 @@
 * [2191](https://github.com/zeta-chain/node/pull/2191) - Fixed conditional logic for the docker build step for non release builds to not overwrite the github tag
 * [2192](https://github.com/zeta-chain/node/pull/2192) - Added release status checker and updater pipeline that will update release statuses when they go live on network
 * [2335](https://github.com/zeta-chain/node/pull/2335) - ci: updated the artillery report to publish to artillery cloud
+* [2377](https://github.com/zeta-chain/node/pull/2377) - ci: adjusted sast-linters.yml to not scan itself, nor alert on removal of nosec.
 
 ## v17.0.0
 
@@ -531,4 +532,4 @@ Getting the correct TSS address for Bitcoin now requires proviidng the Bitcoin c
 ### CI
 
 * [1218](https://github.com/zeta-chain/node/pull/1218) - cross-compile release binaries and simplify PR testings
-* [1302](https://github.com/zeta-chain/node/pull/1302) - add mainnet builds to goreleaser
+* [1302](https://github.com/zeta-chain/node/pull/1302) - add mainnet builds to goreleaser