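# Reusable zizmor scan of GitHub Actions workflow files.
#
# Entry points:
#   * workflow_call       - another repository calls this workflow and may pass
#                           its own WIF provider / result bucket.
#   * pull_request_target - runs in the base repository with the base
#                           repository's token, so the PR head is checked out
#                           for READING only (see the checkout steps below).
#
# Only workflow files changed by the PR are scanned. Results are stored as SARIF
# in a GCS bucket; a PR is failed only when ZIZMOR_ENFORCE is 'true' and a
# High-severity finding exists (zizmor-output job).
name: 'GitHub Actions Scan'

on:
  workflow_call:
    inputs:
      wif_provider:
        type: 'string'
      zizmor_result_bucket:
        type: 'string'
  pull_request_target:

# Default-deny at the workflow level; each job grants only what it needs.
permissions: {}

env:
  # The tag is for humans; the digest is what actually pins the scanner image.
  ZIZMOR_VERSION: '1.25.2'
  ZIZMOR_DOCKER_DIGEST: 'sha256:14ea7f5cc7c67933394a35b5a38a277397818d232602635edb2010b313afb110'
  # 'false' => findings are recorded and uploaded but never fail the PR
  # (the zizmor-output job is skipped).
  ZIZMOR_ENFORCE: 'false'
  # Defaults used when the caller passes no inputs. These are identifiers, not
  # secrets: access is decided by the WIF pool and bucket IAM, not by knowing them.
  ZIZMOR_RESULT_BUCKET: 'zizmor-7165'
  WIF_PROVIDER: 'projects/102295818544/locations/global/workloadIdentityPools/gitsec-gha-artifacts/providers/gitsec-gha-artifacts-provider'

jobs:
  # Lists the workflow files touched by the PR. Everything downstream keys off
  # this list; an empty list skips the scan entirely.
  check-changes:
    runs-on: 'ubuntu-latest'
    permissions:
      contents: 'read'
    outputs:
      files: '${{ steps.check.outputs.files }}'
    steps:
      - name: 'Checkout source'
        uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # ratchet:actions/checkout@v6
        with:
          # Under pull_request_target this tree is PR-author-controlled. The job
          # only runs `git diff` against it; nothing from the tree is executed.
          ref: '${{ github.event.pull_request.head.sha }}'
          # Full history so both base.sha and head.sha are present for the diff.
          fetch-depth: 0
          persist-credentials: false
      - name: 'Check for workflow changes'
        id: 'check'
        shell: 'bash'
        env:
          # SHAs reach the script via env, never by interpolation into the body.
          GIT_HEAD_SHA: '${{ github.event.pull_request.head.sha }}'
          GIT_BASE_SHA: '${{ github.event.pull_request.base.sha }}'
        run: |
          # `shell: bash` runs with `-eo pipefail`, so a failing `git diff`
          # (e.g. an unfetched SHA) fails the step instead of silently yielding an
          # empty list that would skip the scan. Only grep's "no match" (exit 1)
          # is tolerated. Paths are space-joined; workflow file names are not
          # expected to contain whitespace.
          files=$(git diff --name-only "${GIT_BASE_SHA}" "${GIT_HEAD_SHA}" \
            | { grep -E '^\.github/workflows/.+\.ya?ml$' || true; } \
            | xargs)
          echo "files=$files" >> "$GITHUB_OUTPUT"

  # Scans only the changed workflow files and records the result as SARIF.
  zizmor-scan:
    needs: ['check-changes']
    runs-on: 'ubuntu-latest'
    # Run when something changed AND either a caller supplied its own WIF
    # provider (workflow_call) or this is a pull_request_target whose
    # workflow_ref is not under this repository.
    # NOTE(review): the second branch reads as "only when reused from another
    # repository"; confirm what github.workflow_ref resolves to inside a called
    # workflow before relying on it.
    if: >-
      needs.check-changes.outputs.files != '' &&
      (
        inputs.wif_provider != '' ||
        (
          github.event_name == 'pull_request_target' &&
          !startsWith(github.workflow_ref, format('{0}/', github.repository))
        )
      )
    permissions:
      contents: 'read'
    outputs:
      has-high-severity: '${{ steps.check-findings-severity.outputs.has-high-severity }}'
      zizmor-enforce: '${{ steps.check-findings-severity.outputs.zizmor-enforce }}'
    steps:
      - name: 'Checkout source'
        uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # ratchet:actions/checkout@v6
        with:
          # PR-controlled tree: only mounted read-only into the scanner, never run.
          ref: '${{ github.event.pull_request.head.sha }}'
          persist-credentials: false
      - name: 'Run zizmor'
        shell: 'bash'
        env:
          # Read-only token (this job grants contents: read); presumably used by
          # zizmor's GitHub API lookups. It is the only secret that reaches the
          # container, which sees the workspace read-only.
          GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
          CHANGED_FILES: '${{ needs.check-changes.outputs.files }}'
        # ${CHANGED_FILES} is intentionally unquoted: it is a space-separated list
        # that must word-split into one argument per file. The '--' stops any
        # path from being parsed as an option. --no-ignores: ignore comments in
        # the scanned files are not honoured, so a PR cannot silence its own
        # findings.
        # NOTE(review): zizmor documents non-zero exit codes (10-13) when
        # findings exist; if that holds for the pinned version, this step fails
        # on any finding and the enrich/upload/severity steps below never run.
        # Consider `--no-exit-codes` here so the severity gate decides - confirm.
        run: >-
          docker run
          --rm
          --volume "${GITHUB_WORKSPACE}:/workspace:ro"
          --workdir "/workspace"
          --env GH_TOKEN="${GH_TOKEN}"
          "ghcr.io/zizmorcore/zizmor:${ZIZMOR_VERSION}@${ZIZMOR_DOCKER_DIGEST}"
          --format sarif
          --no-ignores
          --
          ${CHANGED_FILES}
          > zizmor.sarif.json
      - name: 'Enrich SARIF with GitHub metadata'
        shell: 'bash'
        env:
          # Revision that was actually scanned. On pull_request_target,
          # GITHUB_SHA is the base branch tip, not the PR head, so it must not be
          # recorded as revisionId. Falls back to GITHUB_SHA for non-PR callers.
          GIT_HEAD_SHA: '${{ github.event.pull_request.head.sha }}'
        # repo_id / owner_id are numeric, hence --argjson (JSON numbers).
        run: >-
          jq
          --arg uri "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}"
          --arg sha "${GIT_HEAD_SHA:-${GITHUB_SHA}}"
          --argjson repo_id "${GITHUB_REPOSITORY_ID}"
          --argjson owner_id "${GITHUB_REPOSITORY_OWNER_ID}"
          --arg run_id "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}/attempts/${GITHUB_RUN_ATTEMPT}"
          '.runs[] |= . + {
            "versionControlProvenance": [
              {
                "repositoryUri": $uri,
                "revisionId": $sha,
                "properties": {
                  "github_repository_id": $repo_id,
                  "github_owner_id": $owner_id
                }
              }
            ],
            "invocations": [
              {
                "executionSuccessful": true,
                "properties": {
                  "execution_id": $run_id
                }
              }
            ]
          }' zizmor.sarif.json > enriched.sarif.json
      - name: 'Save result'
        uses: 'actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a' # ratchet:actions/upload-artifact@v7
        with:
          name: 'zizmor'
          path: 'enriched.sarif.json'
          if-no-files-found: 'error'
          retention-days: 1
      - name: 'Check for high severity findings'
        id: 'check-findings-severity'
        shell: 'bash'
        run: |
          # jq prints a bare true/false; `?` tolerates runs without a results array.
          result=$(jq 'any(.runs[].results[]?; .properties["zizmor/severity"] == "High")' zizmor.sarif.json)
          echo "has-high-severity=$result" >> "$GITHUB_OUTPUT"
          # Surfaced as a job output so zizmor-output can gate on it.
          echo "zizmor-enforce=${ZIZMOR_ENFORCE}" >> "$GITHUB_OUTPUT"

  # Ships the enriched SARIF to GCS. Runs whenever zizmor-scan succeeded; the
  # OIDC token is needed for Workload Identity Federation.
  zizmor-upload:
    needs: ['zizmor-scan']
    runs-on: 'ubuntu-latest'
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - name: 'Retrieve result'
        uses: 'actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c' # ratchet:actions/download-artifact@v8
        with:
          name: 'zizmor'
      - name: 'Authenticate to GCP'
        uses: 'google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed' # ratchet:google-github-actions/auth@v2
        with:
          # A caller-supplied provider wins; the env default covers direct runs.
          workload_identity_provider: >-
            ${{ inputs.wif_provider != '' && inputs.wif_provider || env.WIF_PROVIDER }}
      - name: 'Upload result'
        shell: 'bash'
        env:
          # Empty for non-PR callers, giving a "_<run>_<attempt>" key prefix.
          GITHUB_PULL_REQUEST_NUMBER: '${{ github.event.pull_request.number }}'
          ZIZMOR_RESULT_BUCKET: >-
            ${{ inputs.zizmor_result_bucket != '' && inputs.zizmor_result_bucket || env.ZIZMOR_RESULT_BUCKET }}
        # Object key <repo>/<pr>_<run>_<attempt>.sarif.json is unique per attempt,
        # so re-runs never overwrite an earlier result.
        run: >-
          gcloud storage cp
          enriched.sarif.json
          "gs://${ZIZMOR_RESULT_BUCKET}/${GITHUB_REPOSITORY}/${GITHUB_PULL_REQUEST_NUMBER}_${GITHUB_RUN_ID}_${GITHUB_RUN_ATTEMPT}.sarif.json"

  # Enforcement: only when ZIZMOR_ENFORCE is 'true' and a High finding exists,
  # re-run zizmor with the github formatter so findings surface as annotations.
  # NOTE(review): this job fails the PR only if zizmor itself exits non-zero on
  # findings; if the pinned version exits 0, add an explicit `exit 1` here.
  zizmor-output:
    # check-changes must be a DIRECT dependency: the needs context only exposes
    # outputs of jobs listed here, so without it CHANGED_FILES below is empty.
    needs: ['check-changes', 'zizmor-scan']
    runs-on: 'ubuntu-latest'
    permissions:
      contents: 'read'
    if: >-
      needs.zizmor-scan.outputs.zizmor-enforce == 'true' &&
      needs.zizmor-scan.outputs.has-high-severity == 'true'
    steps:
      - name: 'Checkout source'
        uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # ratchet:actions/checkout@v6
        with:
          # PR-controlled tree: mounted read-only into the scanner, never run.
          ref: '${{ github.event.pull_request.head.sha }}'
          persist-credentials: false
      - name: 'Re-run zizmor with github format'
        shell: 'bash'
        env:
          GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
          CHANGED_FILES: '${{ needs.check-changes.outputs.files }}'
        # Same flags as the SARIF run, including --no-ignores: the enforcing run
        # must not be silenced by ignore comments the recording run rejected.
        run: >-
          docker run
          --rm
          --volume "${GITHUB_WORKSPACE}:/workspace:ro"
          --workdir "/workspace"
          --env GH_TOKEN="${GH_TOKEN}"
          "ghcr.io/zizmorcore/zizmor:${ZIZMOR_VERSION}@${ZIZMOR_DOCKER_DIGEST}"
          --format github
          --no-ignores
          --
          ${CHANGED_FILES}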