diff --git a/.github/workflows b/.github/workflows new file mode 100644 index 0000000..c2a8909 --- /dev/null +++ b/.github/workflows @@ -0,0 +1,51 @@ +on: + pull_request: + types: [opened, reopened, synchronize] + pull_request_review_comment: + types: [created, edited, deleted] + +name: Metomic Scan + +jobs: + scan-secrets: + name: Scan For Secrets + runs-on: ubuntu-latest + steps: + - name: checkout-repo + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: authenticate-with-metomic + id: authenticate + continue-on-error: ${{ vars.METOMIC_FAIL_ON_CONNECTION_ERROR != 'TRUE' }} + run: | + curl -s --location --request GET '${{ vars.METOMIC_INTEGRATION_ENDPOINT }}/token' --header 'X-API-Key: ${{ secrets.METOMIC_API_TOKEN }}' -o .metomic_token.json + echo METOMIC_ACCESS_TOKEN=$(cat .metomic_token.json | jq -r -c '.accessToken') >> $GITHUB_OUTPUT + PASS=$(cat .metomic_token.json | jq -r -c '.accessToken // empty') + if [ -z "$PASS" ]; then + cat .metomic_token.json + echo "" + echo "FAIL: failed to fetch auth token from Metomic. Ensure required organisation variables / secrets are set correctly. METOMIC_INTEGRATION_ENDPOINT, METOMIC_API_TOKEN" + echo "The correct values for these variables are available from the installations page of the Metomic dashboard" + exit 1 + fi + + - name: checkout-metomic-action + id: checkout + uses: actions/checkout@v3 + if: ${{ steps.authenticate.outcome == 'success' }} + continue-on-error: ${{ vars.METOMIC_FAIL_ON_CONNECTION_ERROR != 'TRUE' }} + with: + repository: metomic/metomic-github-integration-action.git + path: "./.metomic" + ref: "main" + token: ${{ steps.authenticate.outputs.METOMIC_ACCESS_TOKEN }} + + - name: scan + uses: ./.metomic/.github/actions/scan-secrets + if: ${{ steps.authenticate.outputs.METOMIC_ACCESS_TOKEN && steps.checkout.outcome == 'success' }} + with: + metomic_endpoint: ${{ vars.METOMIC_INTEGRATION_ENDPOINT }} + metomic_api_token: ${{ secrets.METOMIC_API_TOKEN }} + head_ref: ${{ github.event.pull_request.head.sha }}