diff --git a/.github/workflows/find-vulnerabilities.yml b/.github/workflows/find-vulnerabilities.yml
index 72ab7d6..ecbf980 100644
--- a/.github/workflows/find-vulnerabilities.yml
+++ b/.github/workflows/find-vulnerabilities.yml
@@ -28,7 +28,6 @@ jobs:
 - uses: ./
 with:
 pipelines: "scan_codebase,find_vulnerabilities"
- scancodeio-repo-branch: "main"
 check-compliance: true
 compliance-fail-on-vulnerabilities: true
 env:
diff --git a/.github/workflows/multi-runs.yml b/.github/workflows/multi-runs.yml
index 3bde222..d1b3ae3 100644
--- a/.github/workflows/multi-runs.yml
+++ b/.github/workflows/multi-runs.yml
@@ -35,11 +35,10 @@ jobs:
 project-name: "scan-2"
 pipelines: "scan_codebase"
- - name: Verify scanpipe and scancode commands availability
+ - name: Verify scanpipe command availability
 shell: bash
 run: |
- echo "Checking ScanCode CLI availability..."
+ echo "Checking scanpipe CLI availability..."
 which scanpipe || { echo "scanpipe not found in PATH"; exit 1; }
- which scancode || { echo "scancode not found in PATH"; exit 1; }
 echo "Versions:"
- scanpipe shell -c "import scancodeio; from scancode_config import __version__ as scancode_version;print(f'ScanCode.io version: {scancodeio.__version__}');print(f'ScanCode-toolkit version: v{scancode_version}')"
+ scanpipe --version
diff --git a/.github/workflows/run-android-deploy-to-develop.yml b/.github/workflows/run-android-deploy-to-develop.yml
index af31e7f..33c5463 100644
--- a/.github/workflows/run-android-deploy-to-develop.yml
+++ b/.github/workflows/run-android-deploy-to-develop.yml
@@ -20,11 +20,11 @@ jobs:
 sparse-checkout-cone-mode: false
 persist-credentials: false
- - uses: ./
- with:
- scancodeio-repo-branch: "main"
- scancodeio-extras: "android_analysis"
- pipelines: "android_d2d"
- input-urls:
- https://github.com/aboutcode-org/scancode.io/raw/main/scanpipe/tests/data/d2d/jars/from-flume-ng-node-1.9.0.zip#from
- https://github.com/aboutcode-org/scancode.io/raw/main/scanpipe/tests/data/d2d/jars/to-flume-ng-node-1.9.0.zip#to
\ No newline at end of file
+# scancodeio-extras: "android_analysis" not available with the Docker image for now
+# - uses: ./
+# with:
+# scancodeio-extras: "android_analysis"
+# pipelines: "android_d2d"
+# input-urls:
+# https://github.com/aboutcode-org/scancode.io/raw/main/scanpipe/tests/data/d2d/jars/from-flume-ng-node-1.9.0.zip#from
+# https://github.com/aboutcode-org/scancode.io/raw/main/scanpipe/tests/data/d2d/jars/to-flume-ng-node-1.9.0.zip#to
diff --git a/action.yml b/action.yml
index b319b20..e0fc476 100644
--- a/action.yml
+++ b/action.yml
@@ -37,88 +37,90 @@ inputs:
 packages and dependencies.
 required: false
 default: "false"
- python-version:
- description: "Python version."
- default: "3.13"
- scancodeio-repo-branch:
- description: "Branch to install ScanCode.io from the GitHub repository (optional)"
- required: false
- default: ""
- scancodeio-extras:
- description: "ScanCode.io optional dependencies (comma-separated) (optional)."
- required: false
- default: ""
+ scancodeio-image:
+ description: "ScanCode.io Docker image to use."
+ default: "ghcr.io/aboutcode-org/scancode.io@sha256:6fc8023bc588602ef2ec2b699c2503d8771fe5ef16470475fe64b641f0955f5b" # v37.1.0
 runs:
 using: "composite"
 steps:
- - name: Set up Python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
- with:
- python-version: ${{ inputs.python-version }}
- - name: Set up environment
+ - name: Validate inputs
 shell: bash
 env:
+ INPUT_IMAGE: ${{ inputs.scancodeio-image }}
 INPUT_PROJECT_NAME: ${{ inputs.project-name }}
+ INPUT_FAIL_LEVEL: ${{ inputs.compliance-fail-level }}
+ INPUT_PIPELINES: ${{ inputs.pipelines }}
 run: |
- echo "SECRET_KEY=$(openssl rand -base64 32)" >> "$GITHUB_ENV"
- echo "SCANCODEIO_DB_NAME=scancodeio" >> "$GITHUB_ENV"
- echo "SCANCODEIO_DB_USER=scancodeio" >> "$GITHUB_ENV"
- echo "SCANCODEIO_DB_PASSWORD=scancodeio" >> "$GITHUB_ENV"
- # Sanitize project name for artifact usage
- SAFE_PROJECT_NAME="${INPUT_PROJECT_NAME//[^a-zA-Z0-9._-]/_}"
- echo "SAFE_PROJECT_NAME=$SAFE_PROJECT_NAME" >> "$GITHUB_ENV"
+ # Docker image ref: registry/name:tag or registry/name@sha256:digest
+ if [[ ! "$INPUT_IMAGE" =~ ^[a-zA-Z0-9./_:@-]+$ ]]; then
+ echo "::error::Invalid image name: $INPUT_IMAGE"
+ exit 1
+ fi
- - name: Detect if ScanCode.io is already installed
- shell: bash
- run: |
- if command -v scanpipe &> /dev/null; then
- echo "ScanCode.io already installed."
- echo "SCANCODEIO_IS_INSTALLED=true" >> "$GITHUB_ENV"
- else
- echo "ScanCode.io not found."
- echo "SCANCODEIO_IS_INSTALLED=false" >> "$GITHUB_ENV"
+ # Project name: alphanumeric, spaces, hyphens, underscores, dots
+ if [[ ! "$INPUT_PROJECT_NAME" =~ ^[a-zA-Z0-9[:space:]._-]+$ ]]; then
+ echo "::error::Invalid project name: $INPUT_PROJECT_NAME"
+ exit 1
 fi
- - name: Start and setup the PostgreSQL service
- if: env.SCANCODEIO_IS_INSTALLED != 'true'
+ # Fail level: only known values
+ if [[ ! "$INPUT_FAIL_LEVEL" =~ ^(ERROR|WARNING|MISSING)$ ]]; then
+ echo "::error::Invalid compliance-fail-level: $INPUT_FAIL_LEVEL"
+ exit 1
+ fi
+
+ # Pipeline names: alphanumeric, underscores, commas, colons
+ if [[ ! "$INPUT_PIPELINES" =~ ^[a-zA-Z0-9_,:[:space:]]+$ ]]; then
+ echo "::error::Invalid pipelines value: $INPUT_PIPELINES"
+ exit 1
+ fi
+
+ - name: Set up environment
 shell: bash
+ env:
+ INPUT_PROJECT_NAME: ${{ inputs.project-name }}
+ INPUT_IMAGE: ${{ inputs.scancodeio-image }}
 run: |
- sudo systemctl start postgresql.service
- sudo -u postgres createuser --no-createrole --no-superuser --login --inherit --createdb "$SCANCODEIO_DB_USER"
- sudo -u postgres psql -c "ALTER USER $SCANCODEIO_DB_USER WITH ENCRYPTED PASSWORD '$SCANCODEIO_DB_PASSWORD'"
- sudo -u postgres createdb --owner=scancodeio --encoding=UTF-8 "$SCANCODEIO_DB_NAME"
+ echo "SECRET_KEY=$(openssl rand -base64 32)" >> "$GITHUB_ENV"
+ # Workspace location mounted into the container, so outputs are directly accessible
+ echo "SCANCODEIO_WORKSPACE_LOCATION=/workspace/.scancodeio" >> "$GITHUB_ENV"
+ echo "SCANCODEIO_IMAGE=$INPUT_IMAGE" >> "$GITHUB_ENV"
+ # Sanitize project name for artifact usage
+ echo "SAFE_PROJECT_NAME=${INPUT_PROJECT_NAME//[^a-zA-Z0-9._-]/_}" >> "$GITHUB_ENV"
- - name: Generate scancodeio pip install argument
- if: env.SCANCODEIO_IS_INSTALLED != 'true'
+ - name: Start and setup the PostgreSQL service
 shell: bash
- env:
- INPUT_EXTRAS: ${{ inputs.scancodeio-extras }}
 run: |
- SCANCODEIO_PIP_PACKAGE_ARG="scancodeio"
- TRIMMED_EXTRAS="$(echo "$INPUT_EXTRAS" | tr -d '[:space:]')"
- if [ -n "$TRIMMED_EXTRAS" ]; then
- SCANCODEIO_PIP_PACKAGE_ARG+="[$TRIMMED_EXTRAS]"
+ if ! sudo systemctl is-active --quiet postgresql; then
+ sudo systemctl start postgresql.service
+ sudo -u postgres psql -c "CREATE USER scancodeio WITH CREATEDB ENCRYPTED PASSWORD 'scancodeio';"
+ sudo -u postgres createdb --owner=scancodeio --encoding=UTF-8 scancodeio
 fi
- echo "SCANCODEIO_PIP_PACKAGE_ARG=${SCANCODEIO_PIP_PACKAGE_ARG}" >> "$GITHUB_ENV"
- - name: Install ScanCode.io (only if not already installed)
- if: env.SCANCODEIO_IS_INSTALLED != 'true'
+ - name: Write scanpipe wrapper script
 shell: bash
- env:
- INPUT_REPO_BRANCH: ${{ inputs.scancodeio-repo-branch }}
 run: |
- if [ -z "$INPUT_REPO_BRANCH" ]; then
- echo "Installing the latest ${SCANCODEIO_PIP_PACKAGE_ARG} release from PyPI"
- pip install --upgrade "$SCANCODEIO_PIP_PACKAGE_ARG"
- else
- echo "Installing ${SCANCODEIO_PIP_PACKAGE_ARG} from the GitHub branch: $INPUT_REPO_BRANCH"
- pip install "${SCANCODEIO_PIP_PACKAGE_ARG} @ git+https://github.com/aboutcode-org/scancode.io.git@${INPUT_REPO_BRANCH}"
- fi
+ if [ -f "$RUNNER_TEMP/scanpipe" ]; then exit 0; fi
+ cat > "$RUNNER_TEMP/scanpipe" << 'EOF'
+ #!/usr/bin/env bash
+ set -euo pipefail
+ exec docker run --rm \
+ --network host \
+ --user "$(id -u):$(id -g)" \
+ --cap-drop ALL \
+ --security-opt no-new-privileges \
+ -e SECRET_KEY \
+ -e SCANCODEIO_WORKSPACE_LOCATION \
+ -e HOME=/workspace/.home \
+ -v "$GITHUB_WORKSPACE:/workspace" \
+ "$SCANCODEIO_IMAGE" \
+ scanpipe "$@"
+ EOF
+ chmod +x "$RUNNER_TEMP/scanpipe"
+ echo "$RUNNER_TEMP" >> "$GITHUB_PATH"
 - name: Run migrations to prepare the database
- if: env.SCANCODEIO_IS_INSTALLED != 'true'
 shell: bash
 run: scanpipe migrate --verbosity 0
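Review bot: The image and project-name patterns in the `Validate inputs` step accept a value whose first character is `-`, and both values are later passed positionally (`"$SCANCODEIO_IMAGE"` in the wrapper's `docker run`, `--project "$INPUT_PROJECT_NAME"` in the status step), where a leading dash is read as an option rather than as the argument; anchoring the first character, `^[a-zA-Z0-9][a-zA-Z0-9./_:@-]*$` and `^[a-zA-Z0-9][a-zA-Z0-9[:space:]._-]*$`, closes that gap. The same image pattern also accepts a mutable `name:tag`, so only the digest-pinned default is a reproducible supply-chain reference; the input description should say that a digest is expected. The removed `SCANCODEIO_DB_*` exports are not replaced and the wrapper forwards only `SECRET_KEY`, `SCANCODEIO_WORKSPACE_LOCATION` and `HOME`, so the connection presumably relies on the image's database defaults matching the hard-coded `scancodeio` user created in the PostgreSQL step; a comment on that step, `# user/password/db must match the image's SCANCODEIO_DB_* defaults`, would record the coupling. A short comment on `--network host` stating that it is what lets the container reach the runner-local PostgreSQL would likewise keep that flag and the surrounding hardening flags from being "cleaned up" later.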
@@ -130,6 +132,7 @@ runs:
 IFS=',' read -ra PIPELINES <<< "$INPUT_PIPELINES"
 PIPELINE_CLI_ARGS=""
 for pipeline in "${PIPELINES[@]}"; do
+ pipeline="$(echo "$pipeline" | tr -d '[:space:]')"
 PIPELINE_CLI_ARGS+=" --pipeline $pipeline"
 done
 echo "PIPELINE_CLI_ARGS=${PIPELINE_CLI_ARGS}" >> "$GITHUB_ENV"
@@ -164,8 +167,9 @@ runs:
 INPUT_PROJECT_NAME: ${{ inputs.project-name }}
 run: |
 project_status=$(scanpipe status --project "$INPUT_PROJECT_NAME")
- work_directory=$(echo "$project_status" | grep -oP 'Work directory:\s*\K[^\n]+')
- echo "PROJECT_WORK_DIRECTORY=$work_directory" >> "$GITHUB_ENV"
+ container_work_dir=$(echo "$project_status" | grep -oP 'Work directory:\s*\K[^\n]+')
+ host_work_dir="$GITHUB_WORKSPACE${container_work_dir#/workspace}"
+ echo "PROJECT_WORK_DIRECTORY=$host_work_dir" >> "$GITHUB_ENV"
 - name: Copy input files to project work directory
 if: ${{ !inputs.input-urls }}
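Review bot: The added trim turns an entry such as `a, ,b` or a trailing comma in `pipelines` into an empty `$pipeline`, which still appends a bare `--pipeline ` with no value to `PIPELINE_CLI_ARGS`; skip such entries right after the trim line, `if [ -z "$pipeline" ]; then continue; fi`. The validation step's pattern for `pipelines` allows commas and whitespace freely, so this case is reachable from a caller's input. The enclosing `run:` block starts outside the hunk.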
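Review bot: The `${container_work_dir#/workspace}` substitution is a no-op when the reported work directory does not start with `/workspace`, in which case `PROJECT_WORK_DIRECTORY` silently becomes `$GITHUB_WORKSPACE` followed by the full container path and the later copy steps operate on a directory that does not exist; guard the prefix before the assignment, `case "$container_work_dir" in /workspace/*) ;; *) echo "::error::Unexpected work directory: $container_work_dir"; exit 1 ;; esac`. The `/workspace` mount point is also hard-coded separately in the wrapper's `-v` flag, so a comment here naming that dependency would help keep the two in sync. The enclosing step starts outside the hunk.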