.github/workflows/rl-secure.yml

name: RL-Secure Workflow
run-name: rl-scanner-only

on:
  merge_group:
  workflow_dispatch:
  push:
    branches: ['main']
  pull_request:
    types:
      - opened
      - synchronize

jobs:
  checkout-build-scan-only:
    runs-on: ubuntu-latest

    environment: security

    permissions:
      pull-requests: write

    steps:
      - uses: actions/checkout@v4

      - name: Install npm dependencies
        run: npm install

      - name: Create tgz build artifact
        run: |
          tar -czvf auth0-spa-js.tgz *

      - name: Get Artifact Version
        id: get_version
        run: echo "::set-output name=version::$(cat .version)"

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.9'

      - name: Install Python dependencies
        run: |
          pip install --upgrade pip
          pip install -r scripts/requirements.txt

      - name: Run Reversing Labs Wrapper Scanner
        env:
          RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
          RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
          SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
        run: |
          python scripts/rl-wrapper.py \
            --artifact "$(pwd)/auth0-spa-js.tgz" \
            --name "${{ github.event.repository.name }}" \
            --version "${{ steps.get_version.outputs.version }}" \
            --repository "${{ github.repository }}" \
            --commit "${{ github.sha }}" \
            --build-env "GitHub Actions"
        continue-on-error: true
      - name: Add or Update PR Comment
        uses: actions/github-script@v6
        with:
          script: |
            const fs = require('fs');
            const path = 'violations.txt';
            const commentBody = fs.readFileSync(path, 'utf8');

            const prNumber = context.issue.number;
            const repoOwner = context.repo.owner;
            const repoName = context.repo.repo;
            const header = 'RL-Secure Scanner Results';

            const { data: comments } = await github.rest.issues.listComments({
              owner: repoOwner,
              repo: repoName,
              issue_number: prNumber
            });

            const existingComment = comments.find(comment => comment.body.startsWith(header));

            if (existingComment) {
              await github.rest.issues.updateComment({
                owner: repoOwner,
                repo: repoName,
                comment_id: existingComment.id,
                body: `${header}\n\n${commentBody}`
              });
            } else {
              await github.rest.issues.createComment({
                owner: repoOwner,
                repo: repoName,
                issue_number: prNumber,
                body: `${header}\n\n${commentBody}`
              });
            }
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}