SECURITY-99775 - Adding security workflow file with SAST scan #2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Workflow will trigger on all pull request (except draft), pull request | |
# review, and commit push to a pull request (synchronize) event types | |
# | |
# NOTE: pull_request_target behaves the same as pull_request except it grants a | |
# read/write token to workflows running on a pull request from a fork. While | |
# this may seem unsafe, the permissions for the token are limited below and | |
# the permissions can not be changed without merging to master which is | |
# protected by CODEOWNERS. | |
name: Check | |
on: | |
pull_request_review: | |
type: [submitted, edited, dismissed] | |
pull_request_target: | |
types: [opened, ready_for_review, synchronize, labeled, unlabeled] | |
# Limit the permissions on the GitHub token for this workflow to the subset | |
# that is required. In this case, the check workflow needs to invalidate | |
# reviews and delete workflow runs, so it needs write access to "actions" and | |
# "pull-requests", nothing else. | |
permissions: | |
actions: write | |
pull-requests: write | |
checks: none | |
contents: none | |
deployments: none | |
issues: none | |
packages: none | |
repository-projects: none | |
security-events: none | |
statuses: none | |
jobs: | |
check-reviews: | |
name: Checking reviewers | |
if: ${{ !github.event.pull_request.draft && !startsWith(github.head_ref, 'dependabot/') }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Generate GitHub Token | |
id: generate_token | |
uses: actions/create-github-app-token@v1 | |
with: | |
app-id: ${{ secrets.REVIEWERS_APP_ID }} | |
private-key: ${{ secrets.REVIEWERS_PRIVATE_KEY }} | |
# Checkout main branch of shared-workflow repository. | |
- name: Checkout shared-workflow | |
uses: actions/checkout@v4 | |
with: | |
repository: gravitational/shared-workflows | |
path: .github/shared-workflows | |
ref: main | |
- name: Installing Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: 'stable' | |
# Run "check" subcommand on bot. | |
- name: Checking reviewers | |
run: cd .github/shared-workflows/bot && go run main.go -workflow=check -token="${{ steps.generate_token.outputs.token }}" -reviewers="${{ secrets.reviewers }}" |