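---
name: Check Code health

# Workflow-wide baseline: every job gets a read-only token unless it
# declares a wider grant of its own (kics and ansible-lint do, below).
permissions:
  contents: read

on:
  push:
    # paths:
    #   - ansible/**
    # branches:
    #   - main
  pull_request:
    # `synchronize` added so new commits pushed to an already-open PR are
    # re-checked, not only the open/reopen/edit events.
    types: [opened, reopened, edited, synchronize]
    branches-ignore:
      - renovate/*

# One run per workflow+ref; a newer run on the same ref cancels the older one.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  meta:
    name: Create meta object
    runs-on: ubuntu-latest
    permissions: read-all
    outputs:
      # Either "." (lint the whole tree) or the list of changed files;
      # consumed by the yaml and kics jobs.
      check_files: ${{ steps.vars.outputs.check_files }}
    steps:
      # NOTE(review): the ref after '@' was obscured when this page was
      # rendered; restore the original pinned ref from the repository.
      - uses: actions/[email protected]
        with:
          fetch-depth: 0  # full history so changed-files can diff against the base
      - name: Get changed files
        id: changed-files
        # kics-scan ignore-line
        uses: tj-actions/[email protected]
        with:
          files_ignore: ansible/requirements.txt,ansible/requirements.yml
          files_ignore_separator: ","
      - name: Create Meta variables
        id: vars
        # The changed-file list is derived from PR content (file names are
        # chosen by the contributor), so it is handed to the shell through the
        # environment rather than expanded into the script text by `${{ }}`.
        env:
          ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
        run: |
          if [[ "${ALL_CHANGED_FILES}" == "" ]]; then
            echo "check_files=." >> "$GITHUB_OUTPUT"
          elif [[ ${GITHUB_REF//refs\/heads\//} =~ ^renovate/.* ]]; then
            # renovate branches only get the files they touched
            echo "check_files=${ALL_CHANGED_FILES}" >> "$GITHUB_OUTPUT"
          else
            echo "check_files=." >> "$GITHUB_OUTPUT"
          fi

  yaml:
    name: Check YAML files
    runs-on: ubuntu-latest
    needs: [meta]
    steps:
      # NOTE(review): ref after '@' obscured by the page renderer; restore it.
      - uses: actions/[email protected]
      # TODO(review): pin to a commit SHA like the kics and codeql actions below.
      - uses: actions/cache@v4
        with:
          path: ~/.cache/pip
          key: ${{ runner.os }}-pip-${{ hashFiles('ansible/requirements.txt') }}
          # restore-keys must be a prefix of `key` to ever match
          restore-keys: |
            ${{ runner.os }}-pip-
      - name: Set up Python
        # NOTE(review): ref after '@' obscured by the page renderer; restore it.
        uses: actions/[email protected]
        with:
          python-version: "3.11"  # quoted so the version is never read as a float
      - name: Install linters
        working-directory: ansible/
        run: |
          pip install $(grep wheel requirements.txt)
          pip install $(grep yamllint requirements.txt)
      - name: Lint YAML files
        # Passed via env for the same reason as in `meta`: the value can carry
        # contributor-chosen file names. Left unquoted on purpose so a
        # multi-file list is split into separate arguments, as before.
        env:
          CHECK_FILES: ${{ needs.meta.outputs.check_files }}
        run: yamllint ${CHECK_FILES}

  kics:
    name: Run kics
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    # Wider than the workflow baseline: needed to publish SARIF and statuses.
    permissions:
      checks: write
      contents: read
      security-events: write
      statuses: write
    needs: [yaml, meta]
    steps:
      # NOTE(review): ref after '@' obscured by the page renderer; restore it.
      - uses: actions/[email protected]
      - name: Run kics Scan
        uses: Checkmarx/kics-github-action@94469746ec2c43de89a42fb9d2a80070f5d25b16
        with:
          path: ${{ needs.meta.outputs.check_files }}
          config_path: .kics/config.yml
          # Findings do not fail the step; they are surfaced via the SARIF upload.
          ignore_on_exit: results
          output_formats: sarif
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@3d3d628990a5f99229dd9fa1821cc5a4f31b613b
        with:
          sarif_file: results.sarif
          category: kics

  ansible-lint:
    name: Run Ansible Lint
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    # Wider than the workflow baseline: needed to publish SARIF and statuses.
    permissions:
      checks: write
      contents: read
      security-events: write
      statuses: write
    needs: [yaml, meta]
    steps:
      # NOTE(review): ref after '@' obscured by the page renderer; restore it.
      - uses: actions/[email protected]
      # TODO(review): pin to a commit SHA like the kics and codeql actions.
      - uses: actions/cache@v4
        with:
          path: ~/.cache/pip
          key: ${{ runner.os }}-pip-${{ hashFiles('ansible/requirements.txt') }}
          # restore-keys must be a prefix of `key` to ever match
          restore-keys: |
            ${{ runner.os }}-pip-
      # TODO(review): pin to a commit SHA like the kics and codeql actions.
      - uses: actions/cache@v4
        with:
          path: ~/.cache/ansible-compat
          # keyed under its own "galaxy" namespace so it cannot be confused
          # with the pip cache above, and so restore-keys can match it
          key: ${{ runner.os }}-galaxy-${{ hashFiles('ansible/requirements.yml') }}
          restore-keys: |
            ${{ runner.os }}-galaxy-
      - name: Install Ansible-lint
        working-directory: ansible/
        run: |
          pip install $(grep wheel requirements.txt)
          pip install $(grep ansible requirements.txt)
          pip install $(grep ansible-lint requirements.txt)
          # presumably disables the vault password lookup, which the runner
          # cannot satisfy — confirm against ansible.cfg
          sed -i 's/vault_password_file/#vault_password_file/g' ansible.cfg
      - name: Run Ansible-Lint
        working-directory: ansible/
        # Exit status deliberately ignored: findings are reported through the
        # SARIF upload below rather than by failing the job.
        run: ansible-lint -p --nocolor --sarif-file ../ansible.sarif || true
      - name: Upload SARIF file
        if: "!cancelled()"
        uses: github/codeql-action/upload-sarif@3d3d628990a5f99229dd9fa1821cc5a4f31b613b
        with:
          checkout_path: ${{ github.workspace }}/ansible
          sarif_file: ansible.sarif
          category: ansible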