feat: block header and merkle proof #831
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Linters and SAST | |
on: | |
push: | |
tags: | |
- "*" | |
pull_request: | |
types: | |
- opened | |
- edited | |
- synchronize | |
concurrency: | |
group: linters-${{ github.head_ref || github.run_id }} | |
cancel-in-progress: true | |
jobs: | |
gosec: | |
runs-on: ubuntu-latest | |
env: | |
GO111MODULE: on | |
steps: | |
- name: Checkout Source | |
uses: actions/checkout@v2 | |
with: | |
fetch-depth: 0 | |
- name: Set up Go | |
uses: actions/setup-go@v3 | |
with: | |
go-version: '1.20' | |
# - name: Install Pipeline Dependencies | |
# uses: ./.github/actions/install-dependencies | |
- name: Run Gosec Security Scanner | |
run: | | |
export PATH=$PATH:$(go env GOPATH)/bin | |
go install github.com/securego/gosec/v2/cmd/gosec@latest | |
gosec ./... | |
git-guardian: | |
runs-on: ubuntu-latest | |
env: | |
GO111MODULE: on | |
steps: | |
- name: Checkout Source | |
uses: actions/checkout@v2 | |
with: | |
fetch-depth: 0 | |
- name: GitGuardian scan | |
uses: GitGuardian/ggshield-action@master | |
env: | |
GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }} | |
GITHUB_PUSH_BASE_SHA: ${{ github.event.base }} | |
GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }} | |
GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} | |
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} | |
lint: | |
runs-on: ubuntu-latest | |
timeout-minutes: 15 | |
env: | |
GO111MODULE: on | |
steps: | |
- name: Checkout Source | |
uses: actions/checkout@v2 | |
with: | |
fetch-depth: 0 | |
- name: Install Pipeline Dependencies | |
uses: ./.github/actions/install-dependencies | |
- name: Set up Go | |
uses: actions/setup-go@v3 | |
with: | |
go-version: '1.19' | |
- name: Run golangci-lint | |
uses: golangci/golangci-lint-action@v3 | |
with: | |
version: v1.50 | |
skip-cache: true | |
args: --timeout=15m | |
nosec_alert: | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
env: | |
GO111MODULE: on | |
steps: | |
- name: Checkout Source | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Getting files updated in the PR | |
id: changed-files | |
uses: tj-actions/changed-files@v39 | |
with: | |
base_sha: ${{ github.event.pull_request.base.sha }} | |
- name: List all changed files | |
run: | | |
for file in ${{ steps.changed-files.outputs.all_changed_files }}; do | |
echo "$file was changed" | |
done | |
- name: Report nosec usage | |
run: | | |
nosec_list=() | |
nosec_detected=0 | |
echo "Changed files: ${{ steps.changed-files.outputs.all_changed_files }}" | |
for file in ${{ steps.changed-files.outputs.all_changed_files }}; do | |
if git diff ${{ github.event.pull_request.base.sha }} $file | grep -q nosec; then | |
echo "nosec detected in $file" | |
nosec_list+=("$file,") | |
nosec_detected=1 | |
else | |
echo "nosec not detected in $file" | |
fi | |
done | |
nosec_list_string="${nosec_list[@]}" | |
nosec_list_string="${nosec_list_string%,}" | |
echo "nosec_files=$nosec_list_string" >> $GITHUB_ENV | |
echo "nosec_detected=$nosec_detected" >> $GITHUB_ENV | |
- name: Report nosec uses | |
uses: mshick/add-pr-comment@v2 | |
if: env.nosec_detected == 1 | |
with: | |
message: | | |
*!!!WARNING!!!* | |
`nosec` detected in the following files: ${{ env.nosec_files }} | |
Be very careful about using `#nosec` in code. It can be a quick way to suppress security warnings and move forward with development, it should be employed with caution. Suppressing warnings with #nosec can hide potentially serious vulnerabilities. Only use #nosec when you're absolutely certain that the security issue is either a false positive or has been mitigated in another way. | |
Pay extra attention to the way `#nosec` is being used in the files listed above. | |
- name: Add Label | |
uses: actions/github-script@v6 | |
if: env.nosec_detected == 1 | |
with: | |
script: | | |
github.rest.issues.addLabels({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
labels: ["nosec"] | |
}) |