.github/workflows/ci-main-pull-request.yml

test #21

Workflow file for this run

.github/workflows/ci-main-pull-request.yml at d283b6c

	# CI pipeline for all application types on main and release branches
Check failure on line 1 in .github/workflows/ci-main-pull-request.yml View workflow run for this annotation GitHub Actions / .github/workflows/ci-main-pull-request.yml Invalid workflow file (Line: 1037, Col: 12): Job 'set-application-version' depends on unknown job 'ci-build'., (Line: 1076, Col: 13): Job 'ci-unit-test' depends on unknown job 'ci-build'., (Line: 1232, Col: 12): Job 'package-binary' depends on unknown job 'ci-build'., (Line: 1242, Col: 12): Job 'habitat-build' depends on job 'package-binary' which creates a cycle in the dependency graph., (Line: 1251, Col: 12): Job 'habitat-publish' depends on job 'habitat-build' which creates a cycle in the dependency graph., (Line: 1277, Col: 12): Job 'habitat-grype-scan-linux' depends on job 'habitat-publish' which creates a cycle in the dependency graph., (Line: 1355, Col: 12): Job 'habitat-grype-scan-windows' depends on job 'habitat-publish' which creates a cycle in the dependency graph., (Line: 1463, Col: 12): Job 'publish' depends on job 'habitat-build' which creates a cycle in the dependency graph.
	#
	# use stubs/ci-main-pull-request-stub.yml in your repo to call this common action using workflow_call
	#
	# performs the following actions:
	# 1. run source code complexity checks (SCC) using scc
	# 2. run language-specific pre-compilation checks and linting (e.g., gosec, rubocop, etc.)
	# 3. run language-agnostic pre-compilation checks and secret scans (e.g., OWASP dependency or top 10 checks, trufflehog)
	# 4. build and unit test the application (e.g., go test, cargo test, etc.) - integration tests are in CD pipeline
	# 5. run static application security tests (SAST, e.g. Sonar, Docker Scout or BlackDuck Polaris)
	# 6. report to central dashboards such as harness or Irfan's quality dashboard
	# 7. run packaging steps (e.g., go build, cargo build, hab build, go-releaser, etc.), publishing and optional grype scan on output
	# 8. generate software bill-of-materials (SBOM) using SPDX format and lookup licenses (GitHub SBOM, Micrsosoft SBOM, license_scout, and/or BlackDuck SBOM)
	# 9. run source composition analysis (SCA) scans (e.g., blackduck SCA / "purple" as a replacement to dependabot)
	#
	# See DEV-README.md for more details on the steps and how to use this action, or the confluence page at <TODO: URL>
	#
	# secrets required (by step)
	# SonarQube
	# SONAR_TOKEN (repository level)
	# SONAR_HOST_URL (organization level)
	# AKEYLESS_JWT_ID (organization level, for creation of Azure firewall rules)

	# BlackDuck SAST/Polaris
	# POLARIS_ACCESS_TOKEN (organization level)
	# POLARIS_SERVER_URL (organization level)

	# BlackDuck SCA/SBOM, Sbominator
	# BLACKDUCK_SBOM_URL (organization level)
	# BLACKDUCK_SCA_TOKEN (organization level)

	# Custom repository properties (view these in the repo Settings > Code & Automation > Custom Properties)
	# - GABuildLanguage (the primary language used in compilation and testing in GitHub Actions. select from go, ruby, erlang, rust)
	# - GABuildProfile (a build profile to be used when building an application using GitHub Actions. This is experimental and will determine build, unit test paths by type of application (e.g., CLI, standard container, web API, etc.) in combination with GABuildLanguage
	# - lifecycle (the current status of the repo in terms of level of engagement with the contents: indeterminate, active, inactive, under-review, in-process)
	# - primaryApplication (the primary application of which this repo is a component. Which product owner is responsible for maintaining this repo? indeterminate, automate, chef-360, chef-server, chef-test-kitchen-enterprise, chef-workstation, chef-client, haabitt, inspec, non-product, online-services, other)
	# - standardizationWorkflow (standardize, indtrminate, etc.)

	name: CI flow containing PR checks for main & release, v2

	on:
	workflow_call:
	inputs:
	github-event-name:
	description: 'GitHub event name (pass github.event_name from calling workflow for PR comment detection)'
	required: false
	type: string
	default: ''
	github-branch-name:
	description: 'GitHub branch name (pass github.ref_name from calling workflow for branch-specific logic)'
	required: false
	type: string
	default: ''
	application:
	# NEW IN 1.0.7
	description: 'Application set in repository custom properties, typically primaryApplication'
	required: false
	type: string
	visibility:
	description: 'Visibility of the repository'
	required: false
	type: string
	default: 'public' # (private, public, or internal) TODO: should be removed, we know this from github.event.repository.visibility
	go-private-modules:
	description: 'GOPRIVATE for Go private modules'
	required: false
	type: string
	default: 'github.com/progress-platform-services/*'
	version:
	description: 'Version of the project'
	required: false
	type: string
	default: '1.0.0'
	detect-version-source-type: # options include "none" (do not detect), "file", "github-tag" or "github-release"
	description: 'flag to determine how to detect version dynamically'
	required: false
	type: string
	default: 'none'
	detect-version-source-parameter: # use for file name
	required: false
	type: string
	default: ''
	language:
	description: 'Build language (Go, Ruby, Rust, etc.), typically from the repository custom property GABuildLanguage'
	required: false
	type: string
	default: 'ruby'

	perform-complexity-checks:
	description: 'Perform complexity checks with SCC'
	required: false
	type: boolean
	default: true
	scc-output-filename:
	description: 'Name of the SCC complexity output file artifact, do not add file extension'
	required: false
	type: string
	default: 'scc-complexity'
	perform-language-linting:
	description: 'Perform language-specific linting and pre-compilation checks'
	required: false
	type: boolean
	default: true
	perform-trufflehog-scan:
	description: 'Perform trufflehog scan'
	required: false
	type: boolean
	default: true
	fail-trufflehog-on-secrets-found:
	description: 'Fail the pipeline if Trufflehog finds verified secrets'
	required: false
	type: boolean
	default: true
	perform-trivy-scan:
	description: 'Perform Trivy scan'
	required: false
	type: boolean
	default: true
	trivy-fail-on-high:
	description: 'Fail pipeline if Trivy finds HIGH vulnerabilities'
	required: false
	type: boolean
	default: false
	trivy-fail-on-critical:
	description: 'Fail pipeline if Trivy finds CRITICAL vulnerabilities'
	required: false
	type: boolean
	default: false
	perform-grype-scan:
	description: 'Perform Grype scan on source code'
	required: false
	type: boolean
	default: false
	grype-fail-on-high:
	description: 'Fail pipeline if Grype finds HIGH vulnerabilities'
	required: false
	type: boolean
	default: false
	grype-fail-on-critical:
	description: 'Fail pipeline if Grype finds CRITICAL vulnerabilities'
	required: false
	type: boolean
	default: false
	perform-grype-image-scan:
	description: 'Perform Grype scan on Docker image'
	required: false
	type: boolean
	default: false
	grype-image-fail-on-high:
	description: 'Fail pipeline if Grype image scan finds HIGH vulnerabilities'
	required: false
	type: boolean
	default: false
	grype-image-fail-on-critical:
	description: 'Fail pipeline if Grype image scan finds CRITICAL vulnerabilities'
	required: false
	type: boolean
	default: false
	grype-image-skip-aws:
	description: 'Skip Grype image scan on AWS ECR images to avoid rate limits (assumes these images are scanned with Amazon ECR scan or Trivy)'
	required: false
	type: boolean
	default: false
	perform-grype-hab-scan:
	description: 'Perform Grype scan on published Habitat packages from bldr.habitat.sh'
	required: false
	type: boolean
	default: false
	grype-hab-build-package:
	description: 'Build Habitat package from source before scanning (requires checkout)'
	required: false
	type: boolean
	default: false
	grype-hab-origin:
	description: 'Habitat origin (e.g., chef-platform)'
	required: false
	type: string
	default: ''
	grype-hab-package:
	description: 'Habitat package name (e.g., node-management-agent)'
	required: false
	type: string
	default: ''
	grype-hab-version:
	description: 'Habitat package version (optional - scans latest from channel if not specified)'
	required: false
	type: string
	default: ''
	grype-hab-release:
	description: 'Habitat package release (optional - scans latest from channel if not specified)'
	required: false
	type: string
	default: ''
	grype-hab-channel:
	description: 'Habitat package channel (e.g., stable, base, unstable, base-2025, lts-2024)'
	required: false
	type: string
	default: 'stable'
	grype-hab-path:
	description: "Path to built Habitat package (used if build_package is true, overrides hab_origin/hab_package inputs)"
	required: false
	type: string
	grype-hab-scan-linux:
	description: 'Scan Linux (x86_64-linux) Habitat package'
	required: false
	type: boolean
	default: true
	grype-hab-scan-windows:
	description: 'Scan Windows (x86_64-windows) Habitat package'
	required: false
	type: boolean
	default: false
	grype-hab-scan-macos:
	description: 'Scan MacOS (x86_64-darwin) Habitat package'
	required: false
	type: boolean
	default: false
	build:
	description: 'CI Build (language-specific)'
	required: false
	type: boolean
	default: true
	build-profile:
	# NEW IN 1.0.7
	description: 'Build profile for build step and Sonar, typically from the custom property GABuildProfile on the repository'
	required: false
	type: string
	default: 'cli'
	unit-tests:
	description: 'Run unit tests (language-specific)'
	required: false
	type: boolean
	default: true
	unit-test-output-path:
	# NEW IN 1.0.7
	description: "Path to test results folder"
	required: false
	type: string
	default: "test/unittest"
	unit-test-command-override:
	# NEW IN 1.0.7
	description: "Command line for running tests in this repo, if not the language default"
	required: false
	type: string

	perform-blackduck-polaris:
	description: 'Perform BlackDuck Polaris (SAST) scan'
	required: false
	type: boolean
	default: false
	polaris-application-name:
	description: 'Polaris application name, one of these {Chef-Agents \| Chef-Automate \| Chef-Chef360 \| Chef-Habitat \| Chef-Infrastructure-Server \| Chef-Shared-Services}'
	required: false
	type: string
	polaris-project-name:
	description: 'Polaris project name, typically the application name, followed by - and the repository name, for example Chef-Chef360-chef-vault'
	required: false
	default: "${{ github.event.repository.name }}"
	type: string
	polaris-working-directory:
	# NEW IN 1.0.7
	description: 'Working directory for the scan, defaults to . but usually lang-dependent like ./src'
	required: false
	default: '.'
	type: string
	polaris-config-path:
	# NEW IN 1.0.7
	description: 'Path to Detect configuration file, typically a file supplied at root level like ./detect-config.yml'
	required: false
	default: ''
	type: string
	polaris-coverity-config-path:
	# NEW IN 1.0.7
	description: 'Path to Coverity configuration file, typically a file supplied at root level like ./coverity.yml'
	required: false
	default: ''
	type: string
	polaris-coverity-clean-command:
	# NEW IN 1.0.7
	description: 'Coverity clean command, typically done before build stage by language or here as param 1-liner like "mvn clean". Leave empty for buildless analysis (Ruby, Python, etc.)'
	required: false
	default: ''
	type: string
	polaris-coverity-build-command:
	# NEW IN 1.0.7
	description: 'Coverity build command, typically done in build stage by language or here as param 1-liner like "mvn clean install". Leave empty for buildless analysis (Ruby, Python, etc.)'
	required: false
	default: ''
	type: string
	polaris-coverity-args:
	# NEW IN 1.0.7
	description: 'Additional Coverity arguments,can supply extra arguments like "--config-override capture.build.build-command=make'
	required: false
	default: ''
	type: string
	polaris-detect-search-depth:
	# NEW IN 1.0.7
	description: 'Detect search depth, blank but can be set to "3" to search up to 3 levels of subdirectories for code to scan'
	required: false
	default: ''
	type: string
	polaris-detect-args:
	# NEW IN 1.0.7
	description: 'Additional Detect arguments, can supply extra arguments like "--detect.diagnostic=true"'
	required: false
	default: ''
	type: string
	polaris-assessment-mode:
	# NEW IN 1.0.7
	description: 'Assessment mode (CI or SOURCE_UPLOAD)'
	required: false
	default: 'CI'
	type: string
	wait-for-scan:
	# NEW IN 1.0.7
	description: 'Wait for scan completion'
	required: false
	default: true
	type: boolean
	polaris-fail-on-high:
	description: 'Fail the pipeline if Polaris SAST scan finds HIGH vulnerabilities'
	required: false
	type: boolean
	default: false
	polaris-fail-on-critical:
	description: 'Fail the pipeline if Polaris SAST scan finds CRITICAL vulnerabilities'
	required: false
	type: boolean
	default: false

	perform-sonarqube-scan:
	description: 'Perform basic SonarQube scan'
	required: false
	type: boolean
	default: true
	perform-docker-scan:
	description: 'Perform Docker scan of Dockerfile and built images in chef360 and other containerized applications'
	required: false
	type: boolean
	default: false
	report-unit-test-coverage:
	description: 'Perform unit tests and report coverage to SonarQube'
	required: false
	type: boolean
	default: true
	report-to-atlassian-dashboard:
	description: 'Report Sonar test coverage and other metrics to Atlassian dashboard (Irfans QA dashboard)'
	required: false
	type: boolean
	default: true
	quality-product-name:
	description: 'Product name for quality reporting (Chef360, Courier, Inspec)'
	required: false
	type: string
	default: 'Chef360'
	quality-sonar-app-name:
	description: 'Sonar application name for quality reporting'
	required: false
	type: string
	default: 'YourSonarAppName'
	quality-testing-type:
	description: 'Testing type for quality reporting (Unit, Integration, e2e, api, Performance, Security)'
	required: false
	type: string
	default: 'Integration'
	quality-service-name:
	description: 'Service or repository name for quality reporting'
	required: false
	type: string
	default: 'YourServiceOrRepoName'
	quality-junit-report:
	description: 'Path to JUnit report for quality reporting'
	required: false
	type: string
	default: 'path/to/junit/report'
	package-binaries:
	description: 'Package binaries (e.g., RPM, DEB, MSI, dpkg + signing + SHA)'
	required: false
	type: boolean
	default: true
	habitat-build:
	description: 'Create Habitat packages'
	required: false
	type: boolean
	default: true
	publish-habitat-packages:
	# NEW IN 1.0.7
	description: 'Publish Habitat packages to Builder'
	required: false
	type: boolean
	default: false
	publish-habitat-hab_package:
	# NEW IN 1.0.7
	description: "Chef Habitat package to install (e.g., core/nginx)"
	required: false
	type: string
	default: "core/nginx"
	# TODO: detect from plan file if not provided
	publish-habitat-hab_version:
	# NEW IN 1.0.7
	description: "Chef Habitat package version (optional)"
	required: false
	type: string
	publish-habitat-hab_release:
	# NEW IN 1.0.7
	description: "Chef Habitat package release (optional)"
	required: false
	type: string
	publish-habitat-hab_channel:
	# NEW IN 1.0.7
	description: "Chef Habitat package channel (e.g., stable, base, base-2025); default is stable"
	required: false
	type: string
	default: "stable"
	publish-habitat-hab_auth_token:
	# NEW IN 1.0.7
	required: false
	type: string
	# TODO: use secret if not provided
	publish-habitat-runner_os:
	description: "Runner OS to use (ubuntu-latest or windows-latest)"
	type: string
	# TODO: these should be options: ubuntu-latest, windows-latest, both, and add MacOS support
	required: false
	default: ubuntu-latest
	habitat-grype-scan:
	# NEW IN 1.0.7
	description: 'Scan built Habitat packages with Grype for vulnerabilities'
	required: false
	type: boolean
	default: false
	publish-packages:
	description: 'Publish packages (e.g., container from Dockerfile to ECR, go-releaser binary to releases page, omnibus to artifactory, gems, choco, homebrew, other app stores)'
	required: false
	type: boolean
	default: true

	generate-sbom:
	description: 'Generate software bill-of-materials (SPDX SBOM)'
	required: false
	type: boolean
	default: true
	export-github-sbom:
	description: 'Export SBOM to GitHub'
	required: false
	type: boolean
	default: true
	generate-msft-sbom:
	description: 'Generate SBOM using MSFT tools'
	required: false
	type: boolean
	default: true
	license_scout:
	description: 'Run license scout for license compliance'
	required: false
	type: boolean
	default: true

	perform-blackduck-sca-scan: # combined with generate sbom below, also needs version above
	description: 'Perform BlackDuck SCA scan'
	required: false
	type: boolean
	default: false
	blackduck-project-group-name:
	description: 'BlackDuck project group name, typically one of (Chef), Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services'
	required: false
	type: string
	default: 'Chef'
	blackduck-project-name:
	description: 'BlackDuck project name, typically the repository name'
	required: false
	type: string
	default: ${{ github.event.repository.name }}
	polaris-blackduck-executable:
	# TODO: this will be obsolete with built-in polaris in action
	description: 'Path to BlackDuck polaris executable after build or download step'
	required: false
	type: string
	default: 'path/to/blackduck/binary'
	polaris-executable-detect-path:
	description: 'Additions to $PATH for BlackDuck polaris to find executable'
	required: false
	type: string
	default: 'path/to/detect'
	blackduck-force-low-accuracy-mode:
	description: 'Force low accuracy mode for BlackDuck SCA scan to speed up scan time at the cost of accuracy (not recommended for production use)'
	required: false
	type: boolean
	default: false
	run-bundle-install: # Added to support projects without committed Gemfile.lock (e.g., chef-cli)
	description: 'Run bundle install before scanning to generate Gemfile.lock at runtime'
	required: false
	type: boolean
	default: false
	ruby-app-directory:
	description: 'Subdirectory containing Ruby Gemfile (e.g., "src/supermarket" for repos with non-root Gemfile location). Leave empty if Gemfile is in root.'
	required: false
	type: string
	default: ''
	blackduck-fail-on-blocker:
	description: 'Fail the pipeline if BlackDuck SCA scan finds BLOCKER vulnerabilities'
	required: false
	type: boolean
	default: false
	blackduck-fail-on-critical:
	description: 'Fail the pipeline if BlackDuck SCA scan finds CRITICAL vulnerabilities'
	required: false
	type: boolean
	default: false
	blackduck-fail-on-major:
	description: 'Fail the pipeline if BlackDuck SCA scan finds MAJOR vulnerabilities'
	required: false
	type: boolean
	default: false

	udf1:
	description: 'User defined flag 1'
	required: false
	type: string
	default: 'default'
	udf2:
	description: 'User defined flag 2'
	required: false
	type: string
	default: 'default'
	udf3:
	description: 'User defined flag 3'
	required: false
	type: string
	default: 'default'

	# no longer used (retained just for older stub versions)
	generate-blackduck-sbom: # obsolete
	description: 'Generate SBOM using BlackDuck polaris (OBSOLETE, use perform-blackduck-sca-scan instead)'
	required: false
	type: boolean
	default: false
	# polaris-server-url:
	# # should be obsolete with POLARIS_SERVER_URL secret
	# description: 'Polaris server URL'
	# required: false
	# default: 'https://polaris.blackduck.com'
	# type: string
	perform-wiz-scan:
	description: 'Perform Wiz CLI security scan on Docker image'
	required: false
	type: boolean
	default: false
	wiz-fail-build:
	description: 'Fail the build on Wiz policy violations'
	required: false
	type: boolean
	default: true
	wiz-fail-on-critical:
	description: 'Fail the pipeline if Wiz finds CRITICAL vulnerabilities'
	required: false
	type: boolean
	default: false
	wiz-fail-on-high:
	description: 'Fail the pipeline if Wiz finds HIGH vulnerabilities'
	required: false
	type: boolean
	default: false
	wiz-fail-on-medium:
	description: 'Fail the pipeline if Wiz finds MEDIUM vulnerabilities'
	required: false
	type: boolean
	default: false
	wiz-fail-on-low:
	description: 'Fail the pipeline if Wiz finds LOW vulnerabilities'
	required: false
	type: boolean
	default: false

	env:
	PRIMARY_APPLICATION: ${{ inputs.application }} # was 'default' # Custom repo property [primaryApplication]: chef360, automate, infra-server, habitat, supermarket, licensing, downloads, chef-client, inspec, chef-workstation (or derivatives like habitat-builder)
	REPO_VISIBILITY: ${{ github.event.repository.visibility }}
	REPO_NAME: ${{ github.event.repository.name }}
	PIPELINE_VERSION: '1.0.7' # version of this CI pipeline
	GA_BUILD_LANGUAGE: ${{ inputs.language}} # Custom repo property [GABuildLanguage]: go, ruby, erlang, rust (replaces Language input)
	GA_BUILD_PROFILE: ${{ inputs.build-profile }} # Custom repo property [GABuildProfile]: TBD
	# APP_VERSION: $(cat VERSION)
	FILE_PREFIX: $(echo "${{ github.repository }}" \| sed 's\|/\|-\|g')-$(date +%Y%m%d%H%M%S)
	DEFAULT_FILE_EXTENSION: ".json"
	DEFAULT_SEPARATOR: "-"

	jobs:
	precompilation-checks:
	name: 'Pre-compilation checks'
	runs-on: ubuntu-latest
	steps:
	- name: detect-custom-properties
	# 'Detect app, language, and build profile environment variables from repository custom properties'
	# GH API returns something like [{"property_name":"GABuildLanguage","value":"go"},{"property_name":"GABuildProfile","value":"cli"},{"property_name":"primaryApplication","value":"chef-360"}]'
	run: \|
	response=$(gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/${{ github.repository }}/properties/values)

	primaryApplication=$(echo "$response" \| jq -r '.[] \| select(.property_name=="primaryApplication") \| .value')
	GABuildLanguage=$(echo "$response" \| jq -r '.[] \| select(.property_name=="GABuildLanguage") \| .value')
	GABuildProfile=$(echo "$response" \| jq -r '.[] \| select(.property_name=="GABuildProfile") \| .value')

	echo "PRIMARY APP... $primaryApplication"
	echo "BUILD LANG... $GABuildLanguage"
	echo "BUILD PROFILE... $GABuildProfile"

	echo "PRIMARY_APPLICATION=$primaryApplication" >> $GITHUB_ENV
	echo "GA_BUILD_LANGUAGE=$GABuildLanguage" >> $GITHUB_ENV
	echo "GA_BUILD_PROFILE=$GABuildProfile" >> $GITHUB_ENV
	continue-on-error: true
	env:
	GITHUB_TOKEN: ${{ secrets.GH_TOKEN \|\| secrets.GITHUB_TOKEN }}

	- name: generate-filename-slug
	# description: Generate a simple slug based on repo and date for use in any output artifacts
	run: \|
	FILE_PREFIX=$(echo "${{ github.repository }}${{ env.DEFAULT_SEPARATOR }}${{ github.ref_name }}${{ env.DEFAULT_SEPARATOR }}" \| sed 's\|/\|-\|g')-$(date +%Y%m%d%H%M%S)
	echo "FILE_PREFIX=${FILE_PREFIX}" >> $GITHUB_ENV
	# FILE_NAME=$(echo "${{ env.FILE_PREFIX }}${{ env.DEFAULT_SEPARATOR }}${{ env.DEFAULT_FILE_NAME }}${{ env.DEFAULT_FILE_EXTENSION }}")

	- name: 'Echo inputs'
	run: \|
	echo "CI pipeline execution plan for repository [$REPO_NAME] with pipeline version $PIPELINE_VERSION"
	echo "Environment variables"
	echo " Repository visibility $REPO_VISIBILITY [workflow param was: ${{ inputs.visibility }}]"
	echo " Repository primary application $PRIMARY_APPLICATION [workflow param was: ${{ inputs.application }}]"
	echo " Repository build language $GA_BUILD_LANGUAGE [workflow param was: ${{ inputs.language }}]"
	echo " Repository build profile $GA_BUILD_PROFILE [workflow param was: ${{ inputs.build-profile }}]"
	echo " Computed file name prefix $FILE_PREFIX"
	if [ ${{ inputs.version }} ]; then
	echo " Repository version ${{ inputs.version }} from parameter ${{ inputs.detect-version-source-parameter }} and type ${{ inputs.detect-version-source-type }}"
	fi
	if [ ${{ inputs.go-private-modules }} ]; then
	echo " GOPRIVATE ${{ inputs.go-private-modules }}"
	fi
	echo " Pipeline executing on ubuntu-latest"

	echo " SOURCE CODE COMPLEXITY AND LINTING *********************************************"
	if [ ${{ inputs.perform-complexity-checks }} ]; then
	echo " SCC: performing complexity checks with output filename ${{ inputs.scc-output-filename }} "
	fi
	if [ ${{ inputs.perform-language-linting }} ]; then
	echo " Linting: performing language-specific linting"
	fi

	echo " TRUFFLEHOG (SECRETS) AND TRIVY (DEP SCAN) **************************************"
	if [ ${{ inputs.perform-trufflehog-scan }} ]; then
	echo " Trufflehog"
	fi
	if [ ${{ inputs.perform-trivy-scan }} ]; then
	echo " trivy"
	fi

	if [ ${{ inputs.perform-grype-hab-scan }} ]; then
	echo " GRYPE HABITAT PACKAGE SCAN ********************************************************"
	echo " Mode: ${{ inputs.grype-hab-build-package == true && 'Build from source' \|\| 'Download from Builder' }}"
	if [ ${{ inputs.grype-hab-build-package }} ]; then
	echo " Origin: ${{ inputs.grype-hab-origin }}"
	fi
	echo " Scanning Habitat package: ${{ inputs.grype-hab-origin }}/${{ inputs.grype-hab-package }}"
	echo " Version: ${{ inputs.grype-hab-version }} Release: ${{ inputs.grype-hab-release }} Channel: ${{ inputs.grype-hab-channel }}"
	echo " Platforms: Linux=${{ inputs.grype-hab-scan-linux }} Windows=${{ inputs.grype-hab-scan-windows }} MacOS=${{ inputs.grype-hab-scan-macos }}"
	fi

	if [ ${{ inputs.build }} ]; then
	echo " BUILD AND UNIT TEST ***********************************************************"
	echo " Repository build profile $GA_BUILD_PROFILE [${{ inputs.build-profile }}]"
	if [ ${{ inputs.unit-tests }} ]; then
	echo " Unit testing to ${{ inputs.unit-test-output-path }} with override command ${{ inputs.unit-test-command-override }}"
	fi
	fi

	if [ ${{ inputs.perform-blackduck-polaris }} ]; then
	echo " POLARIS (SAST) TESTING ***********************************************************"
	echo " Polaris application name ${{ inputs.polaris-application-name }}"
	echo " Polaris project name ${{ inputs.polaris-project-name }}"
	echo " Working directory ${{ inputs.polaris-working-directory }}"
	echo " Config path ${{ inputs.polaris-config-path }} (Coverity ${{ inputs.polaris-coverity-config-path }})"
	echo " Clean command ${{ inputs.polaris-coverity-clean-command }}"
	echo " Build command ${{ inputs.polaris-coverity-build-command }}"
	echo " Args ${{ inputs.polaris-coverity-args }}"
	echo " Detect search depth ${{ inputs.polaris-detect-search-depth }}"
	echo " Detect args ${{ inputs.polaris-detect-args }}"
	echo " Assessment mode ${{ inputs.polaris-assessment-mode }}"
	echo " Wait for scan ${{ inputs.wait-for-scan }}"
	fi

	if [ ${{ inputs.perform-sonarqube-scan }} ]; then
	echo " SONARQUBE ****************************************************************"
	fi
	if [ ${{ inputs.perform-docker-scan }} ]; then
	echo " DOCKER SCOUT *************************************************************"
	fi

	if [ ${{ inputs.report-unit-test-coverage }} ]; then
	echo " QUALITY DASHBOARD UNIT TEST COVERAGE REPORT ******************************"
	# ignored for now - report-to-atlassian-dashboard, quality-product-name, quality-sonar-app-name, quality-testing-type, quality-service-name, quality-junit-report
	fi

	if [ ${{ inputs.package-binaries }} ]; then
	echo " PACKAGING ****************************************************************"
	if [ ${{ inputs.habitat-build }} ]; then
	echo " HABITAT BUILD ************************************************************"
	echo " Publish Habitat packages ${{ inputs.publish-habitat-packages }}"
	echo " Habitat package name ${{ inputs.publish-habitat-hab_package }}"
	echo " Habitat package version ${{ inputs.publish-habitat-hab_version }}"
	echo " Habitat package release ${{ inputs.publish-habitat-hab_release }}"
	echo " Habitat package channel ${{ inputs.publish-habitat-hab_channel }}"
	echo " Auth token (overrides secret) ${{ inputs.publish-habitat-hab_auth_token }}"
	echo " Publish operating system ${{ inputs.publish-habitat-runner_os }}"
	fi
	if [ ${{ inputs.habitat-grype-scan }} ]; then
	echo " Performing grype scan on published package"
	fi
	if [ ${{ inputs.publish-packages }} ]; then
	echo " PUBLISHING PACKAGES TO ECR, BLDR, RUBYGEMS NOT YET SUPPORTED"
	fi
	fi

	if [ ${{ inputs.generate-sbom }} ]; then
	echo " SOFTWARE BILL OF MATERIALS FILE GENERATION **************************************"
	if [ ${{ inputs.export-github-sbom }} ]; then
	echo " GitHub SBOM export"
	fi
	if [ ${{ inputs.generate-msft-sbom }} ]; then
	echo " Microsoft SBOM file"
	fi
	if [ ${{ inputs.license_scout }} ]; then
	echo " License scout"
	fi
	fi
	# Generate BlackDuck SBOM set to ${{ inputs.generate-blackduck-sbom }} OBSOLETE, NO EFFECT

	if [ ${{ inputs.perform-blackduck-sca-scan }} ]; then
	echo " BLACKDUCK SCAN AND REPORT *********************************************"
	echo " Chef is located at https://progresssoftware.app.blackduck.com/api/project-groups/fc6da208-79a9-4c47-a14d-6cfdf26bcfd5"
	echo " BlackDuck project group name ${{ inputs.blackduck-project-group-name }}"
	echo " BlackDuck project name ${{ inputs.blackduck-project-name }}"
	echo " Polaris BlackDuck executable ${{ inputs.polaris-blackduck-executable }}"
	echo " Polaris executable detect path ${{ inputs.polaris-executable-detect-path }}"
	fi

	echo " USER DEFINED FLAGS *************************************"
	if [ -n "$${{ inputs.udf1 }}" ]; then
	echo " UDF1 ${{ inputs.udf1 }}"
	fi
	if [ -n "$${{ inputs.udf2 }}" ]; then
	echo " UDF2 ${{ inputs.udf2 }}"
	fi
	if [ -n "$${{ inputs.udf3 }}" ]; then
	echo " UDF3 ${{ inputs.udf3 }}"
	fi
	# echo "The job_id is: $GITHUB_JOB"
	# echo ${{ secrets.GITHUB_TOKEN }} DO NOT ECHO THIS

	checkout:
	name: 'Checkout repository'
	runs-on: ubuntu-latest
	steps:
	- name: Checkout repository
	uses: actions/checkout@v6
	with:
	fetch-depth: 0

	scc:
	name: 'Source code complexity checks'
	if: ${{ inputs.perform-complexity-checks == true }}
	uses: chef/common-github-actions/.github/workflows/scc.yml@main
	needs: checkout
	with:
	outputfilename: ${{ inputs.scc-output-filename }}

	language-specific-checks:
	name: 'Language-specific pre-compilation steps and linting'
	# TODO: make three separate flows, by language with all steps (as oposed to one file per step with language-branching in each)
	# language specific tests (gosec, rubocop, linters, etc.)
	# ${{ inputs.language == 'rust' && inputs.perform-language-linting == true }}
	# TODO: note you cannot do a conditional on the job, only on the step if using an ENV VAR

	if: inputs.perform-language-linting
	runs-on: ubuntu-latest
	needs: checkout
	steps:
	- name: echo language
	run: \|
	echo "Build language is set to ${{ env.GA_BUILD_LANGUAGE }}"
	echo "Build language passed in ${{ inputs.language }}"
	- name: Rust language checks
	if: inputs.language == 'rust' # env.GA_BUILD_LANGUAGE
	run: echo 'crate linter'
	# https://github.com/rust-lang/rust-clippy
	# cargo clippy --all-targets --all-features -- -D warnings

	- name: Ruby language checks
	if: inputs.language == 'ruby'
	uses: ruby/setup-ruby@v1
	with:
	ruby-version: '3.4'
	bundler-cache: true # runs 'bundle install' and caches installed gems automatically
	# generate gemfile.lock (TODO: move this below to OWASP)
	- name: RuboCop Lint
	if: inputs.language == 'ruby'
	run: \|
	echo 'ruby linter'
	# gem install rubocop
	# rubocop --format=github --display-cop-names --extra-details --force-exclusion .
	# bundle install
	# - name: 'Bundler Audit'
	# if: ${{ inputs.language == 'Ruby' && inputs.perform-complexity-checks == true }}
	# uses: andrewmcodes/bundler-audit-action@main
	# env:
	# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	# TODO: get with Marc/Prajakta on this sequence for Ruby uses: chef/common-github-actions/.github/workflows/rubocop.yml@main
	# TODO: this is also not certified, craete a copy in .github/actions - https://github.com/marketplace/actions/bundler-audit-action
	# Bundler Audit Action is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.

	- name: Go language checks
	if: inputs.language == 'go'
	uses: actions/setup-go@v5
	with:
	go-version: '1.24'
	check-latest: true
	- name: Configure git for private Go modules
	if: inputs.language == 'go'
	env:
	GOPRIVATE: ${{ inputs.go-private-modules }}
	run: git config --global url."https://${{ secrets.GH_TOKEN \|\| secrets.GITHUB_TOKEN }}@github.com/".insteadOf "https://github.com/"
	- name: Go linting and security checks
	if: inputs.language == 'go'
	run: echo "Running Go linting and security checks"
	# TODO: THESE DO NOT RUN IN CHEF ORG - need to create copies in common-github-actions/.github/actions/
	# we can download and install them manually here if needed
	# ERROR ON WORKFLOW: The actions golangci/golangci-lint-action@v6, dominikh/staticcheck-action@v1, and securego/gosec@master are not allowed in chef/arch-sample-cli because all actions must be from a repository owned by your enterprise, created by GitHub, verified in the GitHub Marketplace, or match one of the patterns: chef/, chef/.github, chef/.github/workflows/.
	# - name: Run golangci-lint
	# if: env.GA_BUILD_LANGUAGE == 'go'
	# uses: golangci/golangci-lint-action@v6
	# with:
	# version: latest
	# args: --timeout=5m
	# - name: Run staticcheck
	# if: env.GA_BUILD_LANGUAGE == 'go'
	# uses: dominikh/staticcheck-action@v1
	# with:
	# version: latest
	# - name: Run Gosec Security Scanner
	# uses: securego/gosec@master
	# with:
	# args: ./...

	# TO GET OUTPUT AS ARTIFACT go install github.com/securego/gosec/v2/cmd/gosec@latest
	# gosec ./... >> ./bin/gosec.out

	# https://go.googlesource.com/vuln - govulncheck is same as BlackDuck SCA backend, redundant to add it here

	language-agnostic-checks:
	name: 'Language-agnostic pre-compilation steps'
	if: inputs.perform-language-linting
	runs-on: ubuntu-latest
	needs: checkout
	steps:
	- name: Language agnostic checks (OWASP dep check)
	run: echo "placeholder"
	# - name: 'Language-agnostic pre-compilation steps (OWASP dependency check)'
	# uses: dependency-check/Dependency-Check_Action@main
	# TODO: Dependency Check is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation
	# create a copy in common-github-actions/.github/actions/owasp-dependency-check.yml
	# https://github.com/marketplace/actions/dependency-check & https://owasp.org/www-project-dependency-check/
	# and flags at https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html
	# - name: 'OWASP dependency check'
	# uses: dependency-check/Dependency-Check_Action@v4.0.0
	# with:
	# project: ${{ github.event.repository.name }}
	# with:
	# project: $REPO_NAME
	# path: '.'
	# format: 'JSON'
	# # out: 'reports' # this is the default, no need to specify unless you wish to override it
	# args: >
	# --enableRetired
	# --prettyPrint
	# - name: Upload Test results
	# uses: actions/upload-artifact@v4
	# with:
	# name: OWASP dependency check report
	# path: ${{github.workspace}}/reports
	# TODO: add flag --failOnCVSS 7
	# TODO: integrate with SonarQube
	# TODO: correct artifact upload names like Sonu's in sbom.yml

	run-trufflehog:
	name: 'Trufflehog scan'
	if: ${{ inputs.perform-trufflehog-scan }}
	uses: chef/common-github-actions/.github/workflows/trufflehog.yml@main
	needs: checkout
	with:
	github-event-name: ${{ inputs.github-event-name }}
	github-branch-name: ${{ inputs.github-branch-name }}
	fail-trufflehog-on-secrets-found: ${{ inputs.fail-trufflehog-on-secrets-found }}

	# temporarily commenting out trivy scan due to https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation
	# run-trivy:
	# name: 'Trivy scan'
	# if: ${{ inputs.perform-trivy-scan }}
	# uses: chef/common-github-actions/.github/workflows/trivy.yml@main
	# needs: checkout
	# with:
	# version: ${{ inputs.version }}
	# trivy-fail-on-high: ${{ inputs.trivy-fail-on-high }}
	# trivy-fail-on-critical: ${{ inputs.trivy-fail-on-critical }}

	run-grype:
	name: 'Grype scan'
	if: ${{ inputs.perform-grype-scan }}
	runs-on: ubuntu-latest
	needs: checkout # TODO: fix set-application-version
	steps:
	- name: Checkout repository
	uses: actions/checkout@v6
	with:
	fetch-depth: 0

	- name: Determine severity threshold
	id: severity
	run: \|
	if [ "${{ inputs.grype-fail-on-high }}" == "true" ]; then
	echo "level=high" >> $GITHUB_OUTPUT
	elif [ "${{ inputs.grype-fail-on-critical }}" == "true" ]; then
	echo "level=critical" >> $GITHUB_OUTPUT
	else
	echo "level=none" >> $GITHUB_OUTPUT
	fi

	- name: Install Grype and update database
	run: \|
	curl -sSfL https://get.anchore.io/grype \| sh -s -- -b /usr/local/bin
	grype db update
	grype version

	- name: Generate Artifact Name
	run: \|
	TIMESTAMP=$(date +%Y%m%d-%H%M%S)
	ARTIFACT_NAME=$(echo "grype-scan-${{ github.event.repository.name }}-${TIMESTAMP}" \| sed 's\|/\|-\|g')
	echo "ARTIFACT_NAME=${ARTIFACT_NAME}" >> $GITHUB_ENV

	- name: Run Grype scan on repo
	id: scan
	run: \|
	# Run grype with only-fixed flag and output to JSON for analysis
	grype dir:. --only-fixed -o json > grype-scan.json
	grype dir:. --only-fixed --only-fixed --output table >> grype-scan.log \|\| true
	echo "✅ Grype scan completed successfully"


	- name: Check Grype results and fail if vulnerabilities found
	if: always()
	run: \|
	JSON_FILE="./grype-scan.json"

	if [ ! -f "$JSON_FILE" ] \|\| [ -z "$JSON_FILE" ]; then
	echo "⚠️ Grype JSON output not found"
	exit 0
	fi

	# Extract vulnerability counts using jq or grep fallback
	if command -v jq &> /dev/null; then
	CRITICAL_COUNT=$(jq '[.matches[]? \| select(.vulnerability.severity == "Critical")] \| length' "$JSON_FILE" 2>/dev/null \|\| echo "0")
	HIGH_COUNT=$(jq '[.matches[]? \| select(.vulnerability.severity == "High")] \| length' "$JSON_FILE" 2>/dev/null \|\| echo "0")
	else
	CRITICAL_COUNT=$(grep -o '"severity":"Critical"' "$JSON_FILE" \| wc -l \| tr -d ' ' \|\| echo "0")
	HIGH_COUNT=$(grep -o '"severity":"High"' "$JSON_FILE" \| wc -l \| tr -d ' ' \|\| echo "0")
	fi

	echo ""
	echo "============================================"
	echo "Grype Security Scan Summary"
	echo "============================================"
	echo "CRITICAL vulnerabilities: $CRITICAL_COUNT"
	echo "HIGH vulnerabilities: $HIGH_COUNT"
	echo "============================================"

	VIOLATIONS=""
	[ "${{ inputs.grype-fail-on-critical }}" == "true" ] && [ "$CRITICAL_COUNT" -gt 0 ] && VIOLATIONS="${VIOLATIONS}$CRITICAL_COUNT CRITICAL, "
	[ "${{ inputs.grype-fail-on-high }}" == "true" ] && [ "$HIGH_COUNT" -gt 0 ] && VIOLATIONS="${VIOLATIONS}$HIGH_COUNT HIGH, "

	if [ -n "$VIOLATIONS" ]; then
	echo ""
	echo "❌ BUILD FAILED: Found ${VIOLATIONS%, }"
	exit 1
	fi

	echo ""
	echo "✅ No policy violations found"

	- name: Upload Grype scan results
	if: always()
	uses: actions/upload-artifact@v4
	with:
	name: ${{ env.ARTIFACT_NAME }}
	path: \|
	grype-scan.json
	grype-scan.log

	# - name: Run Grype scan on repo
	# uses: anchore/scan-action@v3
	# with:
	# path: .
	# fail-build: true
	# severity-cutoff: high

	run-grype-image:
	name: 'Grype Docker image scan'
	if: ${{ inputs.perform-grype-image-scan }}
	uses: chef/common-github-actions/.github/workflows/grype.yml@grype-wiz
	needs: checkout
	secrets: inherit
	with:
	fail-grype-on-high: ${{ inputs.grype-image-fail-on-high }}
	fail-grype-on-critical: ${{ inputs.grype-image-fail-on-critical }}
	grype-image-skip-aws: ${{ inputs.grype-image-skip-aws }}

	run-wiz-scan:
	name: 'Wiz CLI security scan'
	if: ${{ inputs.perform-wiz-scan == true }}
	uses: chef/common-github-actions/.github/workflows/wiz.yml@grype-wiz
	needs: checkout
	with:
	fail-build: ${{ inputs.wiz-fail-build }}
	fail-on-critical: ${{ inputs.wiz-fail-on-critical }}
	fail-on-high: ${{ inputs.wiz-fail-on-high }}
	fail-on-medium: ${{ inputs.wiz-fail-on-medium }}
	fail-on-low: ${{ inputs.wiz-fail-on-low }}
	secrets: inherit

	set-application-version:
	runs-on: ubuntu-latest
	name: 'Detect SBOM version for application'
	if: (inputs.version == '') && (inputs.detect-version-source-parameter != '')
	needs: ci-build
	steps:
	- name: Detect SBOM version
	run: \|
	echo "placeholder for setting version"
	echo ${{ inputs.version }}
	echo ${{ inputs.detect-version-source-parameter }}
	echo ${{ inputs.detect-version-source-type }}
	# outputs:
	# app-version: ${{ steps.set-app-version.outputs.version }} # Map the step's output to the job's output
	# steps:
	# - name: Checkout code
	# uses: actions/checkout@v6
	# - name: Set application version from file
	# id: set-app-version
	# run: \|
	# VERSION=$(cat VERSION) # cat VERSION works
	# echo "APP_VERSION=$VERSION" >> $GITHUB_ENV

	# echo "env.APP_VERSION = ${{ env.APP_VERSION }}"

	# VERSION=$(cat VERSION)
	# echo "two $VERSION"
	# echo "VERSION=$VERSION" >> $GITHUB_ENV
	# echo "$VERSION is the shell variable"
	# echo "Setting version to ${{ github.env.VERSION }} [$VERSION]"
	# echo "version=$VERSION" >> $GITHUB_OUTPUT

	# if "latest-tag" then use action to get latest tag or ${{ github.event.release.tag_name }}
	# - name: Get latest tag
	# uses: actions-ecosystem/action-get-latest-tag@v1
	# id: latest_tag
	# - name: Use the latest tag
	# run: echo "The latest tag is ${{ steps.latest_tag.outputs.tag }}"

	ci-unit-test: # FROM CHEF-VAULT
	# TODO: add language-specific unit tests
	name: 'Unit tests'
	if: ${{ inputs.unit-tests == true && success() && inputs.language == 'Ruby' }}
	needs: ci-build
	strategy:
	fail-fast: false
	matrix:
	os-version: [ubuntu-latest, ubuntu-22.04, macos-latest] # ubuntu-22.04 was original chef-vault
	ruby-version: ['3.4'] # '2.7', '3.1',
	runs-on: ${{ matrix.os-version }}
	steps:
	- uses: actions/checkout@v6
	- name: Set up ruby version
	uses: ruby/setup-ruby@v1
	with:
	ruby-version: ${{ matrix.ruby-version }}
	bundler-cache: true
	- name: run specs
	run: bundle exec rake spec --trace
	# - name: Simplecov Report
	# uses: aki77/simplecov-report-action@v1 # TODO: archived action - replace with another simplecov
	# with:
	# token: ${{ secrets.GITHUB_TOKEN }}
	# failedThreshold: 90
	# resultPath: coverage/.last_run.json

	# runs-on: ubuntu-latest
	# needs: ci-package-binary
	# name: 'CI unit tests'
	# steps:
	# - name: Build for Rust binary
	# if: ${{ inputs.language == 'Rust' }}
	# run: echo 'hello world'
	# # cargo test --target-dir ./bin OR
	# - name: Run cargo-tarpaulin
	# shell: bash
	# run: \|
	# RUN_MODE=local cargo tarpaulin --ignore-tests --all-features --release --out Lcov
	# sonar-scanner -Dcommunity.rust.lcov.reportPaths=lcov.info -Dsonar.login=${{ secrets.SONAR_TOKEN }}

	# - name: Build for Ruby binary
	# if: ${{ inputs.language == 'Ruby' }}
	# run: echo 'hello world'
	# # bundle exec rake test
	# # bundle exec rake test:unit
	# # bundle exec rake test:integration
	# # bundle exec rake test:unit:rubocop

	# - name: Build for Go binary
	# if: ${{ inputs.language == 'Go' }}
	# run: echo 'hello world'
	# # go test -v ./... > ./bin/test.out

	# - name: Upload test coverage artifact
	# uses: actions/upload-artifact@v4
	# with:
	# # Name of the artifact to upload.
	# name: test-coverage.out
	# # A file, directory or wildcard pattern that describes what to upload
	# path: test/unittest/coverage.out

	# Sonar-public-repo:
	# name: 'PUBLIC Sonar SAST scan'
	# needs: ci-build
	# if: ${{ inputs.perform-sonarqube-scan == true && success() && inputs.visibility == 'public'}}
	# uses: chef/common-github-actions/.github/workflows/sonarqube-public-repo.yml@main
	# secrets: inherit
	# permissions:
	# id-token: write
	# contents: read
	# with:
	# perform-build: ${{ inputs.build }} # was ${{ inputs.perform-sonar-build }}
	# build-profile: ${{ inputs.build-profile }}
	# language: ${{ inputs.language }}
	# report-unit-test-coverage: ${{ inputs.report-unit-test-coverage }}
	# report-to-atlassian-dashboard: ${{ inputs.report-to-atlassian-dashboard }}
	# quality-product-name: ${{ inputs.quality-product-name }}
	# quality-sonar-app-name: ${{ inputs.quality-sonar-app-name }}
	# quality-testing-type: ${{ inputs.quality-testing-type }}
	# quality-service-name: ${{ inputs.quality-service-name }}
	# quality-junit-report: ${{ inputs.quality-junit-report }}
	# visibility: ${{ inputs.visibility }}
	# go-private-modules: ${{ inputs.go-private-modules }}
	# udf1: ${{ inputs.udf1 }}
	# udf2: ${{ inputs.udf2 }}
	# udf3: ${{ inputs.udf3 }}

	# Sonar-private-repo:
	# name: 'PRIVATE Sonar scan (inline)'
	# if: ${{ inputs.perform-sonarqube-scan == true && success() && inputs.visibility == 'private'}}
	# needs: ci-build
	# # was uses: chef/common-github-actions/.github/workflows/sonarqube-private-repo.yml@main
	# runs-on: ubuntu-latest
	# steps:
	# - name: SonarQube Scan
	# if: ${{ inputs.visibility == 'private' }}
	# uses: sonarsource/sonarqube-scan-action@v5.3.1
	# continue-on-error: true
	# env:
	# SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
	# SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}

	# Sonar-internal-repo:
	# name: 'INTERNAL Sonar scan'
	# if: ${{ inputs.perform-sonarqube-scan == true && inputs.visibility == 'internal'}}
	# # was if: ${{ inputs.perform-sonarqube-scan == true && success() && inputs.visibility == 'internal'}}
	# needs: ci-build
	# uses: chef/common-github-actions/.github/workflows/sonarqube-internal-repo.yml@main
	# secrets: inherit
	# permissions:
	# id-token: write
	# contents: read
	# with:
	# perform-build: ${{ inputs.build }} # was ${{ inputs.perform-sonar-build }}
	# build-profile: ${{ inputs.build-profile }}
	# language: ${{ inputs.language }}
	# report-unit-test-coverage: ${{ inputs.report-unit-test-coverage }}
	# report-to-atlassian-dashboard: ${{ inputs.report-to-atlassian-dashboard }}
	# quality-product-name: ${{ inputs.quality-product-name }}
	# quality-sonar-app-name: ${{ inputs.quality-sonar-app-name }}
	# quality-testing-type: ${{ inputs.quality-testing-type }}
	# quality-service-name: ${{ inputs.quality-service-name }}
	# quality-junit-report: ${{ inputs.quality-junit-report }}
	# visibility: ${{ inputs.visibility }}
	# go-private-modules: ${{ inputs.go-private-modules }}
	# udf1: ${{ inputs.udf1 }}
	# udf2: ${{ inputs.udf2 }}
	# udf3: ${{ inputs.udf3 }}

	BlackDuck-Polaris-SAST:
	name: 'BlackDuck Polaris SAST scan'
	if: ${{ inputs.perform-blackduck-polaris && github.event_name == 'push' }}
	uses: chef/common-github-actions/.github/workflows/polaris-sast.yml@main
	needs: checkout
	secrets: inherit
	with:
	github-event-name: ${{ inputs.github-event-name }}
	github-branch-name: ${{ inputs.github-branch-name }}
	language: ${{ inputs.language }}
	polaris-application-name: ${{ inputs.polaris-application-name }}
	polaris-project-name: ${{ inputs.polaris-project-name }}
	polaris-working-directory: ${{ inputs.polaris-working-directory }}
	polaris-config-path: ${{ inputs.polaris-config-path }}
	polaris-coverity-config-path: ${{ inputs.polaris-coverity-config-path }}
	polaris-coverity-clean-command: ${{ inputs.polaris-coverity-clean-command }}
	polaris-coverity-build-command: ${{ inputs.polaris-coverity-build-command }}
	polaris-coverity-args: ${{ inputs.polaris-coverity-args }}
	polaris-detect-search-depth: ${{ inputs.polaris-detect-search-depth }}
	polaris-detect-args: ${{ inputs.polaris-detect-args }}
	polaris-assessment-mode: ${{ inputs.polaris-assessment-mode }}
	wait-for-scan: ${{ inputs.wait-for-scan }}
	polaris-fail-on-high: ${{ inputs.polaris-fail-on-high }}
	polaris-fail-on-critical: ${{ inputs.polaris-fail-on-critical }}

	package-binary:
	name: 'Creating packaged binaries'
	# TODO: Add packaging steps – rpm, deb, MSI, dpkg + signing + SHA
	runs-on: ubuntu-latest
	if: ${{ success() && inputs.package-binaries == true }}
	needs: ci-build
	steps:
	- name: 'Create packaged binaries'
	run: echo "Creating packaged binaries"

	# TODO: Add habitat build steps from plan.sh for various packages/platforms/machine archs, optionally publish to Builder, then optionally test with grype
	habitat-build:
	name: 'Creating Habitat packages'
	runs-on: ubuntu-latest
	if: ${{ success() && inputs.habitat-build == true }}
	needs: package-binary
	steps:
	- name: 'Create Habitat packages'
	run: echo "Creating Habitat packages"
	# TODO: add flag for any params needed
	habitat-publish:
	name: 'Publishing Habitat packages to Builder'
	runs-on: ubuntu-latest
	if: ${{ success() && inputs.publish-habitat-packages == true }}
	needs: habitat-build
	steps:
	- name: 'Publishing Habitat packages to Builder'
	run: echo "Publishing Habitat packages to Builder"

	habitat-grype-scan-linux:
	# this workflow installs a specified Chef Habitat package and runs a Grype security scan against it.
	# It supports multiple OS runners (Linux, Windows, MacOS) and allows dynamic input of package details.
	# The results of the Grype scan are uploaded as artifacts for further analysis.

	# Example hab pkg install command:
	# hab pkg install core/7zip/24.09/20250708070501 --channel base-2025 --auth HAB_PERSONAL_ACCESS_TOKEN
	# -z, --auth <AUTH_TOKEN> Authentication token for Builder [env: HAB_AUTH_TOKEN=]
	# --binlink-dir <BINLINK_DIR> Binlink all binaries from installed package(s) into BINLINK_DIR [env: HAB_BINLINK_DIR=] [default: /bin]
	# -u, --url <BLDR_URL> Specify an alternate Builder endpoint. If not specified, the value will be taken from the HAB_BLDR_URL environment variable if defined. (default: https://bldr.habitat.sh)
	# -c, --channel <CHANNEL> Install from the specified release channel [env: HAB_BLDR_CHANNEL=] [default: stable]

	# Example hab pkg download command (we do not use this in the workflow but it's here for reference; allows --target):
	# hab pkg download core/nginx/<VERSION>/<RELEASE> \
	# --channel stable \
	# --target x86_64-linux \
	# --download-directory /tmp/habitat_packages
	name: 'Grype scan of Habitat packages'
	runs-on: ubuntu-latest
	if: ${{ success() && inputs.habitat-grype-scan == true && inputs.publish-habitat-runner_os == 'ubuntu-latest' }}
	# TODO: make this a matrix operation
	needs: habitat-publish
	steps:
	- name: Install Chef Habitat (MacOS and Linux)
	run: \|
	curl https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.sh \| sudo bash

	- name: Configure Habitat (MacOS and Linux)
	run: \|
	# Add Habitat to PATH (for current session and future steps if needed, though install.sh usually handles symlinks)
	echo "/hab/bin" >> $GITHUB_PATH

	# Accept the license
	echo "HAB_LICENSE=accept-no-persist" >> $GITHUB_ENV

	# Create the necessary directory structure for license file
	sudo mkdir -p /hab/accepted-licenses/
	sudo touch /hab/accepted-licenses/habitat

	- name: Install Grype (Linux and MacOS)
	continue-on-error: true
	run: \|
	curl -sSfL https://get.anchore.io/grype \| sh -s -- -b /usr/local/bin

	- name: Install Habitat Package under test (example core/nginx on MacOS and Linux)
	run: \|
	PACKAGE="${{ inputs.publish-habitat-hab_package }}"
	if [ -n "${{ inputs.publish-habitat-hab_version }}" ]; then
	PACKAGE="${PACKAGE}/${{ inputs.publish-habitat-hab_version }}"
	fi
	if [ -n "${{ inputs.publish-habitat-hab_release }}" ]; then
	PACKAGE="${PACKAGE}/${{ inputs.publish-habitat-hab_release }}"
	fi

	INSTALL_CMD="sudo hab pkg install ${PACKAGE}"

	if [ -n "${{ inputs.publish-habitat-hab_channel }}" ]; then
	INSTALL_CMD="${INSTALL_CMD} --channel ${{ inputs.publish-habitat-hab_channel }}"
	fi

	AUTH_TOKEN="${{ inputs.publish-habitat-hab_auth_token }}"
	if [ -z "${AUTH_TOKEN}" ]; then
	AUTH_TOKEN="${{ secrets.HAB_PUBLIC_BLDR_PAT }}"
	echo "Using token from repository secret"
	else
	echo "Using token from workflow input"
	fi
	# if [ -n "${AUTH_TOKEN}" ]; then
	# INSTALL_CMD="${INSTALL_CMD} --auth ${AUTH_TOKEN}"
	# fi

	echo "Installing: ${INSTALL_CMD}"
	eval ${INSTALL_CMD}

	- name: Run Grype Scan on Habitat Package
	timeout-minutes: 15 # Sets a 15-minute timeout for this specific step
	run: \|
	# Find the installed package path. 'hab pkg path' returns the path to the latest installed version.
	PKG_PATH=$(hab pkg path ${{ inputs.publish-habitat-hab_package }})
	# run grype in runner
	grype dir:$PKG_PATH --name ${{ inputs.publish-habitat-hab_package }}
	# run grype to output to file (which is uploaded to the job as an artifact)
	OUTPUT_FILE="grype-results-ubuntu-${{ inputs.publish-habitat-hab_package }}.txt"
	OUTPUT_FILE="${OUTPUT_FILE//\//-}"
	echo $OUTPUT_FILE
	grype dir:$PKG_PATH --name ${{ inputs.publish-habitat-hab_package }} > $OUTPUT_FILE
	echo "OUTPUT_FILE=$OUTPUT_FILE" >> $GITHUB_ENV

	- name: Upload Grype Scan Results
	uses: actions/upload-artifact@v4
	with:
	name: grype-results-ubuntu-${{ env.OUTPUT_FILE }}
	path: ${{ env.OUTPUT_FILE }}

	habitat-grype-scan-windows:
	name: 'Grype scan of Habitat packages (Windows)'
	runs-on: windows-latest
	if: ${{ success() && inputs.habitat-grype-scan == true && inputs.publish-habitat-runner_os == 'windows-latest' }}
	# TODO: make this a matrix operation
	needs: habitat-publish
	steps:
	- name: Install Chef Habitat (Windows)
	run: \|
	choco install habitat

	# Set-ExecutionPolicy Bypass -Scope Process -Force;
	# [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;
	# iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.ps1'))
	# $env:PATH += ";~\bin\hab-1.6.1245-20250905141844-x86_64-windows"
	# Write-Host "one"
	# ls ~/bin
	# Write-Host "two"
	# ls c:/users/runneradmin/bin
	# Write-Host "three"
	# ls c:/hab
	# ls "~\bin\hab-1.6.1245-20250905141844-x86_64-windows"

	# Write-Host "end"
	hab --version

	- name: Configure Habitat (Windows)
	run: \|
	# Accept the license
	echo "HAB_LICENSE=accept-no-persist" \| Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append

	# Create the necessary directory structure for license file
	New-Item -ItemType Directory -Force -Path "C:\hab\accepted-licenses"
	New-Item -ItemType File -Force -Path "C:\hab\accepted-licenses\habitat"

	- name: Install Grype (Windows)
	continue-on-error: true
	run: \|
	$ErrorActionPreference = 'Stop'
	# Download and install Grype for Windows
	$grypeVersion = (Invoke-RestMethod -Uri "https://api.github.com/repos/anchore/grype/releases/latest").tag_name
	$grypeUrl = "https://github.com/anchore/grype/releases/download/$grypeVersion/grype_$($grypeVersion.TrimStart('v'))_windows_amd64.zip"
	$grypeZip = "$env:TEMP\grype.zip"
	$grypeDir = "$env:TEMP\grype"

	# Download Grype
	Invoke-WebRequest -Uri $grypeUrl -OutFile $grypeZip

	# Extract Grype
	Expand-Archive -Path $grypeZip -DestinationPath $grypeDir -Force

	# Add Grype to PATH for subsequent steps
	echo "$grypeDir" \| Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append

	# Verify installation
	& "$grypeDir\grype.exe" version

	- name: Install Habitat Package under test (Windows)
	run: \|
	$Package = "${{ inputs.publish-habitat-hab_package }}"
	if ("${{ inputs.publish-habitat-hab_version }}" -ne "") {
	$Package = "${Package}/${{ inputs.publish-habitat-hab_version }}"
	}
	if ("${{ inputs.publish-habitat-hab_release }}" -ne "") {
	$Package = "${Package}/${{ inputs.publish-habitat-hab_release }}"
	}

	$InstallCmd = "hab pkg install ${Package}"

	if ("${{ inputs.publish-habitat-hab_channel }}" -ne "") {
	$InstallCmd = "${InstallCmd} --channel ${{ inputs.publish-habitat-hab_channel }}"
	}

	$AuthToken = "${{ inputs.publish-habitat-hab_auth_token }}"
	if ([string]::IsNullOrEmpty($AuthToken)) {
	$AuthToken = "${{ secrets.HAB_PUBLIC_BLDR_PAT }}"
	Write-Host "Using token from repository secret"
	} else {
	Write-Host "Using token from workflow input"
	}
	# if (-not [string]::IsNullOrEmpty($AuthToken)) {
	# $InstallCmd = "${InstallCmd} --auth ${AuthToken}"
	# }

	Write-Host "Installing: ${InstallCmd}"
	Invoke-Expression $InstallCmd

	- name: Run Grype Scan on Habitat Package (Windows)
	timeout-minutes: 15 # Sets a 15-minute timeout for this specific step
	run: \|
	# Find the installed package path. 'hab pkg path' returns the path to the latest installed version.
	$PkgPath = hab pkg path ${{ inputs.publish-habitat-hab_package }}
	# run grype in runner
	grype dir:$PkgPath --name ${{ inputs.publish-habitat-hab_package }}
	# run grype to output to file (which is uploaded to the job as an artifact)
	$OutputFile = "grype-results-windows-${{ inputs.publish-habitat-hab_package }}.txt"
	$OutputFile = $OutputFile -replace '/', '-'
	Write-Host $OutputFile
	grype dir:$PkgPath --name ${{ inputs.publish-habitat-hab_package }} \| Out-File -FilePath $OutputFile -Encoding utf8
	echo "OUTPUT_FILE=$OutputFile" \| Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append

	- name: Upload Grype Scan Results
	uses: actions/upload-artifact@v4
	with:
	name: grype-results-windows-${{ env.OUTPUT_FILE }}
	path: ${{ env.OUTPUT_FILE }}

	publish:
	name: 'Publishing packages'
	# TODO: Add binary publishing steps – container from Dockerfile to ECR, go-releaser binary to releases page,
	# omnibus to artifactory, gems, choco, homebrew, other app stores
	runs-on: ubuntu-latest
	if: ${{ success() && inputs.publish-packages == true }}
	needs: habitat-build
	steps:
	- name: 'Publishing packages'
	run: echo "Publishing packages"

	generate-sbom:
	name: 'Generating SBOM'
	# Create software bill-of-materials (SBOM) using SPDX format
	if: ${{ inputs.generate-sbom == true }}
	uses: chef/common-github-actions/.github/workflows/sbom.yml@main
	needs: checkout # TODO: fix set-application-version
	secrets: inherit
	with:
	github-event-name: ${{ inputs.github-event-name }}
	github-branch-name: ${{ inputs.github-branch-name }}
	version: ${{ inputs.version }}
	export-github-sbom: ${{ inputs.export-github-sbom }}
	perform-blackduck-sca-scan: ${{ inputs.perform-blackduck-sca-scan && github.event_name == 'push' }}}
	# generate-blackduck-sbom: ${{ inputs.generate-blackduck-sbom }} # obsolete, remove TODO
	blackduck-project-group-name: ${{ inputs.blackduck-project-group-name }}
	blackduck-project-name: ${{ inputs.blackduck-project-name }}
	generate-msft-sbom: ${{ inputs.generate-msft-sbom }}
	license_scout: ${{ inputs.license_scout }}
	go-private-modules: ${{ inputs.go-private-modules }}
	blackduck-force-low-accuracy-mode: ${{ inputs.blackduck-force-low-accuracy-mode }}
	run-bundle-install: ${{ inputs.run-bundle-install }} # Passed to sbom.yml to generate Gemfile.lock at runtime
	language: ${{ inputs.language }}
	ruby-app-directory: ${{ inputs.ruby-app-directory }}
	blackduck-fail-on-blocker: ${{ inputs.blackduck-fail-on-blocker }}
	blackduck-fail-on-critical: ${{ inputs.blackduck-fail-on-critical }}
	blackduck-fail-on-major: ${{ inputs.blackduck-fail-on-major }}

	quality-dashboard:
	name: 'Reporting to quality dashboard'
	needs: generate-sbom
	secrets: inherit
	permissions:
	id-token: write
	contents: read
	if: ${{ inputs.report-to-atlassian-dashboard == true && success() }}
	uses: chef/common-github-actions/.github/workflows/irfan-quality-dashboard.yml@main
	with:
	perform-build: ${{ inputs.build }} # was ${{ inputs.perform-sonar-build }}
	build-profile: ${{ inputs.build-profile }}
	language: ${{ inputs.language }}
	report-unit-test-coverage: ${{ inputs.report-unit-test-coverage }}
	report-to-atlassian-dashboard: ${{ inputs.report-to-atlassian-dashboard }}
	quality-product-name: ${{ inputs.quality-product-name }}
	quality-sonar-app-name: ${{ inputs.quality-sonar-app-name }}
	quality-testing-type: ${{ inputs.quality-testing-type }}
	quality-service-name: ${{ inputs.quality-service-name }}
	quality-junit-report: ${{ inputs.quality-junit-report }}
	visibility: ${{ inputs.visibility }}
	go-private-modules: ${{ inputs.go-private-modules }}
	udf1: ${{ inputs.udf1 }}
	udf2: ${{ inputs.udf2 }}
	udf3: ${{ inputs.udf3 }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

test #21

Workflow file

test #21

Uh oh!

Workflow file for this run

GitHub Actions / .github/workflows/ci-main-pull-request.yml