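# stub to call common GitHub Action (GA) as part of Continuous Integration (CI) Pull Request process checks for main branch
# inputs are described in the chef/common-github-actions/<GA.yml> with same name as this stub
#
# secrets are inherited from the calling workflow, typically SONAR_TOKEN, SONAR_HOST_URL, GH_TOKEN, AKEYLESS_JWT_ID, POLARIS_SERVER_URL and POLARIS_ACCESS_TOKEN
---
name: CI Pull Request on Main Branch

on:
  pull_request:
    branches: [main, "release/**"]
  push:
    branches: [main, "release/**"]
  workflow_dispatch:

# workflow-wide default token scope; the job below additionally grants id-token: write
permissions:
  contents: read

jobs:
  call-ci-main-pr-check-pipeline:
    # To pin to a specific version, change @main to a tag like @v1.0.7
    # Available tags: https://github.com/chef/common-github-actions/tags
    # NOTE(review): @main is a moving ref and `secrets: inherit` forwards every caller secret to
    # whatever that ref currently resolves to; a tag narrows that, and a full commit SHA
    # (@<commit-sha>) is the immutable option.
    uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@main # or use @v1.0.7
    secrets: inherit
    permissions:
      id-token: write # presumably for OIDC token requests in the called workflow - confirm against the called workflow
      contents: read
    with:
      visibility: ${{ github.event.repository.visibility }} # private, public, or internal
      # go-private-modules: GOPRIVATE for Go private modules, default is 'github.com/progress-platform-services/*'
      # if version specified, it takes precedence; can be a semver like 1.0.2-xyz or a tag like "latest"
      version: '1.0.0' # ${{ github.event.repository.version }}
      detect-version-source-type: 'none' # options include "none" (do not detect), "file", "github-tag" or "github-release"
      detect-version-source-parameter: '' # use for file name
      language: 'go' # Go, Ruby, Rust, JavaScript, TypeScript, Python, Java, C#, PHP, other - used for build and SonarQube language setting

      # complexity-checks
      perform-complexity-checks: true
      # scc-version: 'main' # Version of SCC workflow (main, v1.0.7, etc.)
      # scc-output-filename: 'scc-output.txt'
      perform-language-linting: false # Perform language-specific linting and pre-compilation checks

      # trufflehog secret scanning
      perform-trufflehog-scan: true
      # trufflehog-version: 'main' # Version of Trufflehog workflow (main, v1.0.7, etc.)

      # trivy dependency and container scanning
      perform-trivy-scan: true
      # grype-version: 'main' # Version of Grype workflow for source/image scans (main, v1.0.7, etc.)
      # grype-hab-version: 'main' # Version of Grype Habitat package scan workflow (main, v1.0.7, etc.)

      # BlackDuck SAST (Polaris) and SCA scans (requires a build or download to do SAST)
      # requires these secrets: POLARIS_SERVER_URL, POLARIS_ACCESS_TOKEN
      perform-blackduck-polaris: true
      # polaris-version: 'main' # Version of Polaris SAST workflow (main, v1.0.7, etc.)
      polaris-application-name: "Chef-Chef360" # one of these: Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Other, Chef-Non-Product
      polaris-project-name: ${{ github.event.repository.name }}
      # polaris-blackduck-executable: 'path/to/blackduck/binary'
      # polaris-executable-detect-path: 'path/to/detect'
      # NEW IN 1.0.7
      # NOTE(review): 'path/to/source' is a placeholder; set the real directory or remove the input to take the default
      polaris-working-directory: 'path/to/source' # Working directory for the scan, defaults to . but usually lang-dependent like ./src
      # polaris-config-path: '' # Path to Detect configuration file, typically a file supplied at root level like ./detect-config.yml
      # polaris-coverity-config-path: '' # Path to Coverity configuration file, typically a file supplied at root level like ./coverity.yml
      # polaris-coverity-build-command: '' # Coverity build command, typically done in build stage by language or here as param 1-liner like "mvn clean install"
      # polaris-coverity-clean-command: '' # Coverity clean command, typically done before build stage by language or here as param 1-liner like "mvn clean"
      # polaris-coverity-args: '' # Additional Coverity arguments, can supply extra arguments like "--config-override capture.build.build-command=make"
      polaris-detect-search-depth: '5' # Detect search depth, blank but can be set to "3" to search up to 3 levels of subdirectories for code to scan
      # polaris-detect-args: '' # Additional Detect arguments, can supply extra arguments like "--detect.diagnostic=true"
      polaris-assessment-mode: 'SAST' # Assessment mode (SAST, CI or SOURCE_UPLOAD)
      wait-for-scan: 'true' # NOTE(review): quoted unlike the other flags - confirm the input's declared type in the called workflow

      # perform application build and unit testing, will use custom repository properties when implemented for chef-primary-application, chef-build-profile, and chef-build-language
      build: false
      # ga-build-profile: $chef-ga-build-profile
      # language: $chef-ga-build-language # this will be removed from stub as autodetected in central GA
      unit-tests: false

      # perform SonarQube scan, with or without unit test coverage data
      # requires secrets SONAR_TOKEN and SONAR_HOST_URL (progress.sonar.com)
      perform-sonarqube-scan: true
      # perform-sonar-build: true
      # build-profile: 'default'
      # report-unit-test-coverage: true
      perform-docker-scan: false # scan Dockerfile and built images with Docker Scout or Trivy; see repo custom properties matching "container"

      # report to central developer dashboard
      # quality-dashboard-version: 'main' # Version of quality dashboard workflow (main, v1.0.7, etc.)
      report-to-atlassian-dashboard: false
      quality-product-name: 'Chef-360' # product name for quality reporting, like Chef360, Courier, Inspec
      # quality-product-name: ${{ github.event.repository.name }} # like 'Chef-360' - the product name for quality reporting, like Chef360, Courier, Inspec
      # quality-sonar-app-name: 'YourSonarAppName'
      # quality-testing-type: 'Integration' # like Unit, Integration, e2e, api, Performance, Security
      # quality-service-name: 'YourServiceOrRepoName'
      # quality-junit-report: 'path/to/junit/report'

      # perform Habitat-based and native packaging, publish to package repositories
      package-binaries: false # Package binaries (e.g., RPM, DEB, MSI, dpkg + signing + SHA)
      habitat-build: false # Create Habitat packages
      publish-habitat-packages: false # Publish Habitat packages to Builder
      publish-habitat-hab_package: false # Chef Habitat package to install (e.g., core/nginx)
      publish-habitat-hab_version: "1.0.0" # Chef Habitat package version (optional)
      publish-habitat-hab_release: "20240101010101" # Chef Habitat package release (optional)
      publish-habitat-hab_channel: "stable" # Chef Habitat package channel (e.g., stable, base, base-2025); default is stable
      publish-habitat-hab_auth_token: "" # Chef Habitat Builder authentication token (uses secret if not provided)
      publish-habitat-runner_os: "ubuntu-latest" # OS runner for Habitat package publishing job, can also be windows-latest
      habitat-grype-scan: false # Scan built Habitat packages with Grype for vulnerabilities
      publish-packages: false # Publish packages (e.g., container from Dockerfile to ECR, go-releaser binary to releases page, omnibus to artifactory, gems, choco, homebrew, other app stores)

      # generate and export Software Bill of Materials (SBOM) in various formats
      # sbom-version: 'main' # Version of SBOM workflow (main, v1.0.7, etc.)
      generate-sbom: true
      export-github-sbom: true # SPDX JSON artifact on job instance
      perform-blackduck-sca-scan: true # combined with generate sbom & generate github-sbom, also needs version above
      blackduck-project-group-name: 'Chef-Chef360' # typically one of (Chef), Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Non-Product
      blackduck-project-name: ${{ github.event.repository.name }} # BlackDuck project name, typically the repository name
      generate-blackduck-sbom: false # obsolete, use perform-blackduck-sca-scan instead
      generate-msft-sbom: false
      license_scout: false # Run license scout for license compliance (uses .license_scout.yml)
      # udf1: 'default' # user defined flag 1
      # udf2: 'default' # user defined flag 2
      # udf3: 'default' # user defined flag 3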