build(deps): bump the prod-github-actions group across 1 directory with 5 updates #370
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow uses actions that are not certified by GitHub. | |
| # They are provided by a third-party and are governed by | |
| # separate terms of service, privacy policy, and support | |
| # documentation. | |
| # This workflow performs a static analysis of your Kotlin source code using | |
| # Detekt. | |
| # | |
| # Scans are triggered: | |
| # 1. On every push to default and protected branches | |
| # 2. On every Pull Request targeting the default branch | |
| # 3. On a weekly schedule | |
| # 4. Manually, on demand, via the "workflow_dispatch" event | |
| # | |
| # The workflow should work with no modifications, but you might like to use a | |
| # later version of the Detekt CLI by modifing the $DETEKT_RELEASE_TAG | |
| # environment variable. | |
| name: Vulnerability Scan with Detekt | |
| on: | |
| # Triggers the workflow on push or pull request events but only for default and protected branches | |
| push: | |
| branches: [ "main" ] | |
| pull_request: | |
| branches: [ "main" ] | |
| schedule: | |
| - cron: '25 6 * * 1' | |
| # Allows you to run this workflow manually from the Actions tab | |
| workflow_dispatch: | |
| # A workflow run is made up of one or more jobs that can run sequentially or in parallel | |
| jobs: | |
| # This workflow contains a single job called "scan" | |
| scan: | |
| name: Detekt Scan | |
| permissions: | |
| # required for all workflows | |
| security-events: write | |
| # only required for workflows in private repositories | |
| actions: read | |
| contents: read | |
| # The type of runner that the job will run on | |
| runs-on: ubuntu-latest | |
| # Steps represent a sequence of tasks that will be executed as part of the job | |
| steps: | |
| # Sets up JDK as a prerequisite to run Gradle | |
| - name: Setup Java | |
| uses: actions/setup-java@v4.3.0 | |
| with: | |
| java-version: '17' | |
| distribution: 'zulu' | |
| # Sets up the reviewdog cli | |
| - name: Setup reviewdog | |
| uses: reviewdog/action-setup@v1.3.0 | |
| - name: Show reviewdog version | |
| run: reviewdog -version | |
| # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it | |
| - name: Checkout repository | |
| uses: actions/checkout@v4.1.7 | |
| # Sets up Gradle as a prerequisite to run Detekt | |
| - name: Setup Gradle | |
| uses: gradle/actions/setup-gradle@v4.1.0 | |
| with: | |
| gradle-home-cache-cleanup: true | |
| # Performs analysis using Detekt via Gradle and outputs a Sarif Report | |
| - name: Run Detekt | |
| run: ./gradlew detektRelease detektTest detektReportMergeSarif --continue | |
| # Uploads Sarif Report to GitHub | |
| - name: Upload SARIF to GitHub | |
| uses: github/codeql-action/upload-sarif@v3.26.7 | |
| if: success() || failure() | |
| with: | |
| sarif_file: build/reports/detekt/merge.sarif.json | |
| # Process Sarif Report file from Detekt with reviewdog cli | |
| - name: Run reviewdog | |
| if: success() || failure() | |
| env: | |
| REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: reviewdog -f=sarif -diff="git diff FETCH_HEAD" -name="detekt" -reporter=github-pr-check < build/reports/detekt/merge.sarif.json |