Include Scorecard annotations #730
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: MegaLinter | |
# yamllint disable-line rule:truthy | |
on: | |
# Triggers mega-linter when a pull_request event's activity type is opened, synchronize, or reopened by default. | |
pull_request: | |
branches: | |
- staging | |
workflow_dispatch: | |
permissions: | |
contents: read | |
env: | |
# Comment env block if you do not want to apply fixes | |
# Apply linter fixes configuration | |
APPLY_FIXES: all # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool) | |
APPLY_FIXES_EVENT: pull_request # Decide which event triggers application of fixes in a commit or a PR (pull_request, push, all) | |
APPLY_FIXES_MODE: commit # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR (pull_request) | |
concurrency: | |
group: ${{ github.ref }}-${{ github.workflow }} | |
cancel-in-progress: true | |
jobs: | |
build: | |
name: MegaLinter | |
runs-on: ubuntu-22.04 | |
permissions: write-all | |
steps: | |
# Git Checkout | |
- name: Checkout Code | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4 | |
with: | |
token: ${{ secrets.PAT || secrets.GITHUB_TOKEN || github.token }} | |
fetch-depth: 0 | |
- name: "Import GPG key" | |
id: import-gpg | |
uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5 # pin@v6 | |
with: | |
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
passphrase: ${{ secrets.GPG_PRIVATE_KEY_PASSPHRASE }} | |
git_user_signingkey: true | |
git_commit_gpgsign: true | |
# MegaLinter | |
- name: MegaLinter | |
id: ml | |
uses: oxsecurity/megalinter/flavors/javascript@d8c95fc6f2237031fb9e9322b0f97100168afa6e # [email protected] | |
env: | |
VALIDATE_ALL_CODEBASE: false | |
GITHUB_TOKEN: ${{ secrets.PAT || secrets.GITHUB_TOKEN || github.token }} | |
# Upload MegaLinter artifacts | |
- name: Archive production artifacts | |
if: always() | |
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # [email protected] | |
with: | |
name: MegaLinter reports | |
path: | | |
megalinter-reports | |
megalinter-reports/megalinter.log | |
# Create pull request if applicable (for now works only on PR from same repository, not from forks) | |
- name: Create Pull Request with applied fixes | |
id: cpr | |
if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) | |
uses: peter-evans/create-pull-request@4e1beaa7521e8b457b572c090b25bd3db56bf1c5 # pin@v5 | |
with: | |
token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} | |
commit-message: "[MegaLinter] Apply linters automatic fixes" | |
title: "[MegaLinter] Apply linters automatic fixes" | |
labels: bot | |
- name: Create PR output | |
if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) | |
run: | | |
echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}" | |
echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" | |
# Push new commit if applicable (for now works only on PR from same repository, not from forks) | |
- name: Prepare commit | |
if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) | |
run: sudo chown -Rc $UID .git/ | |
- name: Commit and push applied linter fixes | |
if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) | |
uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # pin@v5 | |
with: | |
branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }} | |
commit_message: "[MegaLinter] Apply linters fixes" | |
commit_author: "${{ steps.import-gpg.outputs.name }} <${{ steps.import-gpg.outputs.email }}>" | |
commit_user_name: ${{ steps.import-gpg.outputs.name }} | |
commit_user_email: ${{ steps.import-gpg.outputs.email }} | |
- name: Check to see if the SARIF a was generated | |
id: sarif_file_exists | |
uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # [email protected] | |
with: | |
files: "megalinter-reports/megalinter-report.sarif" | |
- name: Upload MegaLinter scan results to GitHub Security tab | |
if: steps.sarif_file_exists.outputs.files_exists == 'true' | |
uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # [email protected] | |
with: | |
sarif_file: "megalinter-reports/megalinter-report.sarif" |