mirror of
https://github.com/kemko/nomad.git
synced 2026-01-04 01:15:43 +03:00
e3ac00f30e
This change creates a reusable workflow for notifying Slack on CI failures. The message will include useful links and information about the failure, so product engineers can investigate and fix any problems. The new workflow is used by selected workflows which trigger on merges to main or release/* branches. The notification is only sent on failure and when the event was a push (PR merge) meaning the number of notifications should be minimal. The aim is to help identify and draw attention to failure across our release branches, in particular when automated processes happen.
87 lines
2.7 KiB
YAML
87 lines
2.7 KiB
YAML
name: Security Scan
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
- release/**
|
|
paths-ignore:
|
|
- 'README.md'
|
|
- 'CHANGELOG.md'
|
|
- '.changelog/**'
|
|
- '.tours/**'
|
|
- 'contributing/**'
|
|
pull_request:
|
|
branches:
|
|
- main
|
|
- release/**
|
|
paths-ignore:
|
|
- 'README.md'
|
|
- 'CHANGELOG.md'
|
|
- '.changelog/**'
|
|
- '.tours/**'
|
|
- 'contributing/**'
|
|
|
|
# cancel existing runs of the same workflow on the same ref
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
scan:
|
|
runs-on: ${{ endsWith(github.repository, '-enterprise') && fromJSON('["self-hosted", "ondemand", "linux"]') || 'ubuntu-22.04' }}
|
|
# The first check ensures this doesn't run on community-contributed PRs, who
|
|
# won't have the permissions to run this job.
|
|
if: ${{ (github.repository != 'hashicorp/nomad' || (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name))
|
|
&& (github.actor != 'dependabot[bot]') && (github.actor != 'hc-github-team-nomad-core') }}
|
|
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
|
|
with:
|
|
cache: ${{ contains(runner.name, 'Github Actions') }}
|
|
go-version-file: .go-version
|
|
cache-dependency-path: '**/go.sum'
|
|
|
|
- name: Clone Security Scanner repo
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
repository: hashicorp/security-scanner
|
|
token: ${{ secrets.PRODSEC_SCANNER_READ_ONLY }}
|
|
path: security-scanner
|
|
ref: main
|
|
|
|
- name: Scan
|
|
id: scan
|
|
uses: ./security-scanner
|
|
with:
|
|
repository: "$PWD"
|
|
env:
|
|
SECURITY_SCANNER_CONFIG_FILE: .github/scan.hcl
|
|
# See scan.hcl at repository .github location for config.
|
|
|
|
- name: SARIF Output
|
|
shell: bash
|
|
run: |
|
|
jq . < results.sarif
|
|
|
|
- name: Upload SARIF file
|
|
uses: github/codeql-action/upload-sarif@8fd294e26a0e458834582b0fe4988d79966c7c0a # codeql-bundle-v2.18.4
|
|
with:
|
|
sarif_file: results.sarif
|
|
|
|
handle-failure:
|
|
permissions:
|
|
contents: read
|
|
id-token: write
|
|
needs:
|
|
- scan
|
|
if: always() && github.event_name == 'push' && contains(needs.*.result, 'failure')
|
|
uses: ./.github/workflows/test-failure-notification.yml
|
|
secrets: inherit
|
|
with:
|
|
actor: ${{ github.triggering_actor }}
|
|
git-branch: ${{ github.ref_name }}
|
|
workflow-run-id: ${{ github.run_id }}
|
|
workflow-name: ${{ github.workflow }}
|