From c8cfb89513f22de7c51d7362d62dbb9f4c554e68 Mon Sep 17 00:00:00 2001 From: Andrea Brancaleoni Date: Thu, 30 May 2024 21:25:55 +0200 Subject: [PATCH 1/5] full-loop: fail eagerly on empty --- .github/workflows/full-loop.yml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/.github/workflows/full-loop.yml b/.github/workflows/full-loop.yml index 4cdf3f83..ba48a7e2 100644 --- a/.github/workflows/full-loop.yml +++ b/.github/workflows/full-loop.yml @@ -26,32 +26,31 @@ jobs: gh_to_slack_user_map: ${{ secrets.GH_TO_SLACK_USER_MAP }} - run: | set -e - echo ${{ steps.action.outputs.reviewdog-findings }} - if ((${{ steps.action.outputs.reviewdog-findings }} < 106)); then + if ((${{ fromJson(steps.action.outputs.reviewdog-findings) }} < 106)); then echo "Too few reviewdog findings" exit 1 fi - if ((${{ steps.action.outputs.safesvg-count }} < 2)); then + if ((${{ fromJson(steps.action.outputs.safesvg-count) }} < 2)); then echo "Too few safesvg findings" exit 1 fi - if ((${{ steps.action.outputs.tfsec-count }} < 4)); then + if ((${{ fromJson(steps.action.outputs.tfsec-count) }} < 4)); then echo "Too few tfsec findings" exit 1 fi - if ((${{ steps.action.outputs.semgrep-count }} < 97)); then + if ((${{ fromJson(steps.action.outputs.semgrep-count) }} < 97)); then echo "Too few semgrep findings" exit 1 fi - if ((${{ steps.action.outputs.sveltegrep-count }} < 3)); then + if ((${{ fromJson(steps.action.outputs.sveltegrep-count) }} < 3)); then echo "Too few sveltegrep findings" exit 1 fi - if ((${{ steps.action.outputs.npm-audit-count }} < 3)); then + if ((${{ fromJson(steps.action.outputs.npm-audit-count) }} < 3)); then echo "Too few npm-audit findings" exit 1 fi - if ((${{ steps.action.outputs.pip-audit-count }} < 2)); then + if ((${{ fromJson(steps.action.outputs.pip-audit-count) }} < 2)); then echo "Too few pip-audit findings" exit 1 fi From 768531fe0aa40dcc8cb47fcb32096b4c6ed868eb Mon Sep 17 00:00:00 2001 
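Review bot: Each of the seven new `if ((${{ fromJson(...) }} < N)); then` lines still splices a step output straight into the shell script, so the value is interpolated before bash ever sees it; `fromJson()` does reject an empty string (the eager failure this commit wants) but would pass a JSON string such as `"$(id)"` through verbatim, and nothing in this workflow validates what the preceding action step puts in those outputs. The usual fix is to map each output into `env:` and compare the variable inside the script, which keeps the failure on an empty value too, since bash arithmetic evaluates an empty variable as 0 and the `< N` branch then exits 1. A comment such as `# counts are numeric strings from the action step; read them via env vars, never inline ${{ }} in run:` would record the choice. The `- run: |` step begins in this hunk but the rest of the job is not shown.
```yaml
      - env:
          REVIEWDOG_FINDINGS: ${{ fromJson(steps.action.outputs.reviewdog-findings) }}
          # … one entry per count: SAFESVG_COUNT, TFSEC_COUNT, SEMGREP_COUNT, SVELTEGREP_COUNT, NPM_AUDIT_COUNT, PIP_AUDIT_COUNT …
        run: |
          set -e
          if (( REVIEWDOG_FINDINGS < 106 )); then
            echo "Too few reviewdog findings"
            exit 1
          fi
          # … unchanged: the remaining six checks, each reading its own env var …
```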
From: Andrea Brancaleoni Date: Thu, 30 May 2024 21:40:51 +0200 Subject: [PATCH 2/5] action.yml: invert enabled condition --- action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index b2234ed6..dea7c78a 100644 --- a/action.yml +++ b/action.yml @@ -84,12 +84,12 @@ runs: using: 'composite' steps: - name: Store reviewdog enabled - # inputs.enabled == 'true' && ( + # inputs.enabled != 'false' && ( # (inputs.baseline_scan_only != 'false' && github.event_name == 'pull_request' && github.event.pull_request.draft == false && github.actor != 'dependabot[bot]') # reviewdog-enabled-pr # || # (inputs.baseline_scan_only == 'false' || github.event_name == 'workflow_dispatch') # reviewdog-enabled-full # ) - if: ${{ inputs.enabled == 'true' && ( (inputs.baseline_scan_only != 'false' && github.event_name == 'pull_request' && github.event.pull_request.draft == false && github.actor != 'dependabot[bot]') || (inputs.baseline_scan_only == 'false' || github.event_name == 'workflow_dispatch') )}} + if: ${{ inputs.enabled != 'false' && ( (inputs.baseline_scan_only != 'false' && github.event_name == 'pull_request' && github.event.pull_request.draft == false && github.actor != 'dependabot[bot]') || (inputs.baseline_scan_only == 'false' || github.event_name == 'workflow_dispatch') )}} id: reviewdog-enabled uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: From e8386e03e14fce2a07d4d18690b9c12d656d228f Mon Sep 17 00:00:00 2001 From: Andrea Brancaleoni Date: Thu, 30 May 2024 21:43:27 +0200 Subject: [PATCH 3/5] action.cjs: debugLog options --- action.cjs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/action.cjs b/action.cjs index 787b867b..4b8764c0 100644 --- a/action.cjs +++ b/action.cjs 
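Review bot: With `inputs.enabled != 'false'` on the new `if:` line, any value other than the literal string `false` — `0`, `no`, `off`, a typo such as `flase` — now enables the step, whereas the old `== 'true'` disabled on anything but `true`; for the gate in front of a security scan this is a fail-open default, which may be intended for the unset case but is wider than that. If the goal is only to treat an unset input as enabled, `inputs.enabled == '' || inputs.enabled == 'true'` keeps that while still rejecting stray values (GitHub expression string comparison is case-insensitive, so `True`/`FALSE` are covered either way). The declaration and default of the `enabled` input are outside this hunk; whichever form is kept, a one-line note on that input saying exactly which strings disable the action would save the next reader from re-deriving it from this condition. The `runs:`/`steps:` block continues past the hunk.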
@@ -46,6 +46,8 @@ module.exports = async ({ github, context, inputs, actionPath, core, debug = fal const debugLog = options.debug ? console.log : () => {} + debugLog('Options: ', options) + if (!options.enabled) { return } debugLog('Security Action enabled') From 2e2d371256dbeb16b09eabd26c146a2f64f7a5b5 Mon Sep 17 00:00:00 2001 From: Andrea Brancaleoni Date: Thu, 30 May 2024 21:45:45 +0200 Subject: [PATCH 4/5] action.cjs: input delete if empty string --- action.cjs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/action.cjs b/action.cjs index 4b8764c0..907b3222 100644 --- a/action.cjs +++ b/action.cjs @@ -32,6 +32,9 @@ module.exports = async ({ github, context, inputs, actionPath, core, debug = fal const { default: getConfig } = await import(`${actionPath}/src/getConfig.js`) const { default: getProperties } = await import(`${actionPath}/src/getProperties.js`) + // delete if empty string in inputs value + Object.keys(inputs).forEach(key => inputs[key] === '' && delete inputs[key]) + const config = await getConfig({ owner: context.repo.owner, repo: context.repo.repo, path: '.github/security-action.json', debug, github }) const properties = await getProperties({ owner: context.repo.owner, repo: context.repo.repo, debug, github, prefix: 'security_action_' }) From e50c1b24c4d38688f1c14b2c046e49498a71c029 Mon Sep 17 00:00:00 2001 From: Andrea Brancaleoni Date: Thu, 30 May 2024 21:51:51 +0200 Subject: [PATCH 5/5] action.cjs: baseline_scan_only is a boolean fix --- action.cjs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/action.cjs b/action.cjs index 907b3222..d65d99ba 100644 --- a/action.cjs +++ b/action.cjs 
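Review bot: `debugLog('Options: ', options)` prints the whole options object, and the workflow in this same series passes `gh_to_slack_user_map: ${{ secrets.GH_TO_SLACK_USER_MAP }}` as an action input; if options is assembled from the inputs (its construction is above the hunk and not shown), that secret lands in the job log whenever debug is on. GitHub's log masking only matches the registered value as-is, and `console.log` of an object goes through `util.inspect`, which quotes and escapes strings, so a value containing quotes or newlines can print in a form the masker does not recognise. Redact known-sensitive keys at the call site, e.g. `debugLog('Options: ', { ...options, gh_to_slack_user_map: options.gh_to_slack_user_map && '[redacted]' })`, or register such values with `core.setSecret()` before any logging — `core` is already destructured in the signature shown in the hunk header. The enclosing `module.exports` function starts before and ends after this hunk.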
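Review bot: `Object.keys(inputs).forEach(key => inputs[key] === '' && delete inputs[key])` mutates the `inputs` object the caller handed in and uses `&&` as a statement, which hides the intent and is the kind of expression-statement a linter typically flags; a plain loop reads better: `for (const key of Object.keys(inputs)) { if (inputs[key] === '') delete inputs[key] }`. If mutating the caller's object is not wanted, build a filtered copy with `Object.fromEntries(Object.entries(inputs).filter(([, v]) => v !== ''))` and use that for the rest of the function. The comment should also say why empties are dropped — presumably so that config/defaults resolved further down take over for inputs GitHub passes as empty strings — e.g. `// GitHub passes unset action inputs as ''; drop them so the config/defaults below win — TODO confirm`. The function continues outside the hunk on both sides.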
@@ -55,10 +55,10 @@ module.exports = async ({ github, context, inputs, actionPath, core, debug = fal debugLog('Security Action enabled') // reviewdog-enabled-pr steps - const reviewdogEnabledPr = options.baseline_scan_only !== 'false' && process.env.GITHUB_EVENT_NAME === 'pull_request' && context.payload.pull_request.draft === false && context.actor !== 'dependabot[bot]' + const reviewdogEnabledPr = options.baseline_scan_only && process.env.GITHUB_EVENT_NAME === 'pull_request' && context.payload.pull_request.draft === false && context.actor !== 'dependabot[bot]' debugLog(`Security Action enabled for PR: ${reviewdogEnabledPr}, baseline_scan_only: ${options.baseline_scan_only}, GITHUB_EVENT_NAME: ${process.env.GITHUB_EVENT_NAME}, context.actor: ${context.actor}, context.payload.pull_request.draft: ${context.payload.pull_request?.draft}`) // reviewdog-enabled-full steps - const reviewdogEnabledFull = !reviewdogEnabledPr && (options.baseline_scan_only === 'false' || process.env.GITHUB_EVENT_NAME === 'workflow_dispatch') + const reviewdogEnabledFull = !reviewdogEnabledPr && (!options.baseline_scan_only || process.env.GITHUB_EVENT_NAME === 'workflow_dispatch') debugLog(`Security Action enabled for full: ${reviewdogEnabledFull}, baseline_scan_only: ${options.baseline_scan_only}, GITHUB_EVENT_NAME: ${process.env.GITHUB_EVENT_NAME}`) // reviewdog-enabled steps if (!reviewdogEnabledPr && !reviewdogEnabledFull) { return }
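Review bot: The new `reviewdogEnabledPr` and `reviewdogEnabledFull` lines read `options.baseline_scan_only` as a boolean, but the `if:` in action.yml (patch 2 of this series) still compares the same setting against the string `'false'`, and action inputs arrive as strings; the place where the value is coerced to a boolean is not in this hunk, so if a string `'false'` ever reaches here it is truthy, the PR-mode branch is taken, and the YAML gate has already chosen full mode. Normalising once at the top of this block keeps the two gates in agreement whatever the upstream type: `const baselineScanOnly = options.baseline_scan_only !== false && options.baseline_scan_only !== 'false'`, then use `baselineScanOnly` in both expressions. Note also that `undefined` (which patch 4 now produces for an empty input, unless a default is applied upstream) is falsy, so the unset case flips from baseline/PR mode under the old `!== 'false'` to full mode here — worth a comment stating which default is intended. The enclosing `module.exports` function starts before this hunk and continues after it.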