@@ -41,6 +41,16 @@ name: CI flow containing PR checks for main & release, v2
4141on :
4242 workflow_call :
4343 inputs :
44+ github-token :
45+ description : ' GitHub token for private repo access (pass secrets.GH_TOKEN or secrets.GITHUB_TOKEN, auto-detected if not provided)'
46+ required : false
47+ type : string
48+ default : ' '
49+ github-event-name :
50+ description : ' GitHub event name (pass github.event_name from calling workflow for PR comment detection)'
51+ required : false
52+ type : string
53+ default : ' '
4454 application :
4555 # NEW IN 1.0.7
4656 description : ' Application set in repository custom properties, typically primaryApplication'
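Review bot: The new `github-token` input carries a credential through the `with:` channel, while its own description tells callers to pass `secrets.GH_TOKEN`; `workflow_call` has a dedicated `secrets:` block for this, and a value arriving as a plain string input may not be registered for log masking in the called job (verify against the runner behaviour). A `secrets:` entry such as `GH_TOKEN:` / `required: false` under `on.workflow_call` keeps the token on the secret channel, and the existing `secrets.GH_TOKEN` fallback then covers callers that use `secrets: inherit`. The `github-event-name` input also looks redundant: as far as I know the `github` context in a called workflow is the caller's, so `github.event_name` is already readable here (the commented-out line at the end of the last hunk uses exactly that). The enclosing `inputs:` mapping continues past this hunk.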
146156 required : false
147157 type : boolean
148158 default : false
159+ grype-image-skip-aws :
160+ description : ' Skip Grype image scan on AWS ECR images to avoid rate limits (assumes these images are scanned with Amazon ECR scan or Trivy)'
161+ required : false
162+ type : boolean
163+ default : false
149164 build :
150165 description : ' CI Build (language-specific)'
151166 required : false
474489 # type: string
475490
476491env :
492+ GITHUB_TOKEN_TO_USE : ${{ inputs.github-token != '' && inputs.github-token || secrets.GH_TOKEN != '' && secrets.GH_TOKEN || secrets.GITHUB_TOKEN }}
477493 PRIMARY_APPLICATION : ${{ inputs.application }} # was 'default' # Custom repo property [primaryApplication]: chef360, automate, infra-server, habitat, supermarket, licensing, downloads, chef-client, inspec, chef-workstation (or derivatives like habitat-builder)
478494 REPO_VISIBILITY : ${{ github.event.repository.visibility }}
479495 REPO_NAME : ${{ github.event.repository.name }}
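Review bot: `GITHUB_TOKEN_TO_USE` is a workflow-level `env`, so the resolved token is now exposed to every step of every job, including third-party actions and any step that prints its environment, whereas before the token was referenced only where needed; a job-level `env` on the jobs that run the `git config` steps (the three `insteadOf` hunks below) would keep the blast radius small. The final fallback to `secrets.GITHUB_TOKEN` is also only repo-scoped, so the `insteadOf` rewrite will be configured with a credential that cannot fetch other private repositories, and the failure surfaces later as an opaque fetch error rather than at this point; consider failing fast when neither `github-token` nor `GH_TOKEN` is set and private modules are requested. One more thing to confirm in the source: the input defaults render here as `' '` (a single space); if that is literal rather than a rendering artefact of `''`, `inputs.github-token != ''` is always true and the whole chain resolves to a space.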
@@ -509,7 +525,7 @@ jobs:
509525 echo "GA_BUILD_PROFILE=$GABuildProfile" >> $GITHUB_ENV
510526 continue-on-error : true
511527 env :
512- GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
528+ GITHUB_TOKEN : ${{ env.GITHUB_TOKEN_TO_USE }}
513529
514530 - name : generate-filename-slug
515531 # description: Generate a simple slug based on repo and date for use in any output artifacts
@@ -713,7 +729,7 @@ jobs:
713729 if : inputs.language == 'go'
714730 env :
715731 GOPRIVATE : ${{ inputs.go-private-modules }}
716- run : git config --global url."https://${{ secrets.GH_TOKEN }}@github.com/".insteadOf "https://github.com/"
732+ run : git config --global url."https://${{ env.GITHUB_TOKEN_TO_USE }}@github.com/".insteadOf "https://github.com/"
717733 - name : Go linting and security checks
718734 if : inputs.language == 'go'
719735 run : echo "Running Go linting and security checks"
@@ -884,12 +900,13 @@ jobs:
884900 run-grype-image :
885901 name : ' Grype Docker image scan'
886902 if : ${{ inputs.perform-grype-image-scan }}
887- uses : chef/common-github-actions/.github/workflows/grype.yml@main
903+ uses : chef/common-github-actions/.github/workflows/grype.yml@sandhi/fixes-for-chef-org
888904 needs : checkout
889905 secrets : inherit
890906 with :
891907 fail-grype-on-high : ${{ inputs.grype-image-fail-on-high }}
892908 fail-grype-on-critical : ${{ inputs.grype-image-fail-on-critical }}
909+ grype-image-skip-aws : ${{ inputs.grype-image-skip-aws }}
893910
894911 # run-srcclr:
895912 # if: ${{ inputs.perform-srcclr-scan == true }}
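Review bot: The Grype reusable workflow is now pinned to `@sandhi/fixes-for-chef-org`, a personal feature branch, instead of `@main`; a branch ref is mutable and will break or silently change once the branch is merged or deleted, and a shared CI entry point should not depend on it. If the fix is needed before it lands, pin to the full commit SHA of that branch, e.g. `uses: chef/common-github-actions/.github/workflows/grype.yml@<full-sha>`, and switch back to a release tag once merged. Note that `secrets: inherit` on this job forwards every caller secret into that branch's code, which makes the pin choice more consequential.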
@@ -922,7 +939,7 @@ jobs:
922939 if : inputs.language == 'go'
923940 env :
924941 GOPRIVATE : ${{ inputs.go-private-modules }}
925- run : git config --global url."https://${{ secrets.GH_TOKEN }}@github.com/".insteadOf "https://github.com/"
942+ run : git config --global url."https://${{ env.GITHUB_TOKEN_TO_USE }}@github.com/".insteadOf "https://github.com/"
926943 - name : ' Go build'
927944 if : ${{ inputs.language == 'go' && env.GA_BUILD_PROFILE == 'cli' }}
928945 continue-on-error : true
@@ -1194,7 +1211,7 @@ jobs:
11941211 fetch-depth : 0
11951212
11961213 - name : Configure git for private
1197- run : git config --global url."https://${{ secrets.GH_TOKEN }}@github.com/".insteadOf "https://github.com/"
1214+ run : git config --global url."https://${{ env.GITHUB_TOKEN_TO_USE }}@github.com/".insteadOf "https://github.com/"
11981215
11991216 - name : Install build tools for Erlang
12001217 if : inputs.language == 'erlang'
@@ -1271,7 +1288,7 @@ jobs:
12711288 polaris_application_name : " ${{ inputs.polaris-application-name }}"
12721289 # project name schema: <Solution>-<Product>-<Module If Applicable>-<Optional Numeric Suffix If Needed>
12731290 polaris_project_name : ${{ inputs.polaris-project-name }} # typically GitHub repo name
1274- polaris_assessment_types : " SAST" # or "CI" or "SOURCE_UPLOAD", a license type
1291+ polaris_assessment_types : ${{ inputs.github-event-name == 'pull_request' && 'CI' || ' SAST' }} # CI mode for PRs (incremental), SAST for full scans
12751292 # new in 1.0.7, OPTIONAL FIELDS
12761293 project_directory : ${{ inputs.polaris-working-directory }}
12771294 detect_config_path : ${{ inputs.polaris-config-path != '' && inputs.polaris-config-path || null}}
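Review bot: `polaris_assessment_types` is defined twice in what appears to be the same `with:` mapping: the conditional `${{ inputs.github-event-name == 'pull_request' && 'CI' || 'SAST' }}` here at new line 1291 and a literal `"SAST"` at new line 1301 in the next hunk (where it replaces `polaris_assessment_mode`). YAML parsers either reject the duplicate key or keep the last value, so the PR-incremental `CI` mode introduced here would never take effect; drop the second definition and keep only this one. The rendered value `' SAST'` also shows a leading space inside the quotes — worth confirming the source is `'SAST'`.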
@@ -1281,7 +1298,7 @@ jobs:
12811298 coverity_args : ${{ inputs.polaris-coverity-args != '' && inputs.polaris-coverity-args || null }}
12821299 detect_search_depth : ${{ inputs.polaris-detect-search-depth != '' && inputs.polaris-detect-search-depth || null }}
12831300 detect_args : ${{ inputs.polaris-detect-args != '' && inputs.polaris-detect-args || null }}
1284- polaris_assessment_mode : ${{ inputs.polaris-assessment-mode }}
1301+ polaris_assessment_types : " SAST " # or "CI" or "SOURCE_UPLOAD", a license type
12851302 # TODO: warning in GA - polaris_assessment_mode is deprecated. Use polaris_test_sast_location=remote and/or polaris_test_sca_location=remote for source upload scans instead.
12861303 polaris_waitForScan : ' true' # ${{ inputs.polaris-wait-for-scan }} # defaults to true - is this a boolean or string?
12871304 # not yet enabled from https://github.com/prgs-community/githubactions-securityscans/blob/main/polaris/README.md
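Review bot: The TODO comment on the line after the replaced key still discusses `polaris_assessment_mode`, which this hunk removes, so it no longer points at anything; either delete it or reword it to explain why the mode was dropped, e.g. `# polaris_assessment_mode removed (deprecated); SAST/SCA location is selected via polaris_test_*_location`. If the `polaris-assessment-mode` input is still declared in `workflow_call.inputs` (not visible here), it is now unused and should be removed or marked deprecated in its description.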
@@ -1291,7 +1308,9 @@ jobs:
12911308 # include_diagnostics: ${{ inputs.polaris-diagnostic }}
12921309 # mark_build_status: ${{ inputs.polaris-mark-build-status != '' && inputs.polaris-mark-build-status || null }}
12931310 # pr-comment-severities: "CRITICAL,HIGH"
1294- github_token : ${{ secrets.GITHUB_TOKEN }}
1311+ polaris_prComment_enabled : ${{ inputs.github-event-name == 'pull_request' && 'true' || 'false' }}
1312+ # polaris_prComment_severities: "CRITICAL,HIGH"
1313+ github_token : ${{ env.GITHUB_TOKEN_TO_USE }}
12951314
12961315 # options from Jan's (FlowMon. GitLab)
12971316 # polaris_prComment_enabled: ${{ github.event_name == 'pull_request' && 'true' || 'false' }}
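Review bot: `github_token` for the Polaris scan now receives the full fallback chain, so when `GH_TOKEN` (a PAT, presumably org-wide) is present it is handed to a third-party action whose visible use is posting PR comments; that needs only the repo-scoped `secrets.GITHUB_TOKEN` with `pull-requests: write`, which is what the removed line used. Keep `github_token: ${{ secrets.GITHUB_TOKEN }}` here unless the scanner itself must read other private repositories. Separately, if this `with:` belongs to a job-level `uses:` of a reusable workflow rather than a step, the `env` context is not available in that position and `${{ env.GITHUB_TOKEN_TO_USE }}` would evaluate to empty — please confirm which it is, since the start of this block is outside the hunk.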