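---
# Security scans for pull requests: secret detection over the full git
# history (gitleaks) on every PR, and Python static analysis (bandit, run
# through `make lint-security`) only when backend files changed.
name: Security Scans

# `on` is a YAML 1.1 boolean for generic parsers; GitHub's loader reads it
# as the trigger key.
# yamllint disable-line rule:truthy
on:
  pull_request:
    types: [opened, synchronize, labeled]

# Least privilege: GITHUB_TOKEN is read-only for every job by default. Jobs
# that need more declare it themselves; a job-level `permissions` block
# replaces this one rather than extending it.
permissions:
  contents: read

jobs:
  changes:
    name: Check for file changes
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # The filter action lists the PR's changed files through the API.
      pull-requests: read
    outputs:
      backend: ${{ steps.filter.outputs.backend }}
      docker: ${{ steps.filter.outputs.docker }}
      docs: ${{ steps.filter.outputs.docs }}
    steps:
      # NOTE(review): pin third-party actions to a full commit SHA, as the
      # filter action below already is, so a moved or re-tagged release
      # cannot change what runs with the repository token.
      - uses: actions/checkout@v2
      - uses: RasaHQ/pr-changed-files-filter@c4f7116a04b8a4596313469429e2ad235f59d9c4
        id: filter
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          filters: .github/change_filters.yml

  cleanup_runs:
    name: Cancel old branch builds
    runs-on: ubuntu-latest
    # Never cancel tag builds or builds of main; only superseded branch runs.
    if: "!startsWith(github.ref, 'refs/tags/') && github.ref != 'refs/heads/main'"
    # Cancelling in-progress runs is a write to the Actions API.
    permissions:
      actions: write
    steps:
      - name: Find and cancel old builds of this branch
        uses: styfle/cancel-workflow-action@0.6.0
        with:
          access_token: "${{ secrets.GITHUB_TOKEN }}"

  gitleaks:
    name: Detecting hardcoded secrets
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          # Fetch all history for all tags and branches so that every commit
          # reachable from the PR is scanned, not just the checked-out tree.
          fetch-depth: '0'
      - name: Gitleaks - detecting hardcoded secrets
        uses: zricethezav/gitleaks-action@v1.3.0

  bandit:
    name: Detect python security issues
    runs-on: ubuntu-latest
    needs: [changes]
    # Every step is gated on the `changes` job so the job still reports when
    # nothing backend-related changed (all steps skipped, job succeeds).
    steps:
      - name: Checkout git repository 🕝
        if: needs.changes.outputs.backend == 'true'
        uses: actions/checkout@v2
      - name: Set up Python 3.7 🐍
        if: needs.changes.outputs.backend == 'true'
        uses: actions/setup-python@v1
        with:
          # Quoted: an unquoted 3.7 is a float, and 3.10 would become 3.1.
          python-version: "3.7"
      - name: Read Poetry Version 🔢
        if: needs.changes.outputs.backend == 'true'
        run: |
          echo "POETRY_VERSION=$(scripts/poetry-version.sh)" >> "$GITHUB_ENV"
        shell: bash
      - name: Install poetry 🦄
        if: needs.changes.outputs.backend == 'true'
        uses: Gr1N/setup-poetry@v4
        with:
          poetry-version: ${{ env.POETRY_VERSION }}
      - name: Set up virtual environment
        if: needs.changes.outputs.backend == 'true'
        run: poetry config virtualenvs.in-project true
      - name: Load Poetry Cached Libraries ⬇
        if: needs.changes.outputs.backend == 'true'
        uses: actions/cache@v1
        with:
          path: .venv
          # POETRY_CACHE_VERSION is a secret only so that bumping it
          # invalidates every cached venv at once.
          key: ${{ runner.os }}-poetry-${{ env.POETRY_VERSION }}-3.7-${{ hashFiles('**/poetry.lock') }}-${{ secrets.POETRY_CACHE_VERSION }}
          restore-keys: ${{ runner.os }}-poetry-3.7
      - name: Install Dependencies (Linux) 📦
        if: needs.changes.outputs.backend == 'true'
        run: make install
      - name: Run Bandit 🔪
        if: needs.changes.outputs.backend == 'true'
        run: make lint-security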