add actionlint and trivy analyzers
ben-manes committed Mar 24, 2024
1 parent 3d84225 commit 5b8e837
Showing 7 changed files with 85 additions and 12 deletions.
3 changes: 2 additions & 1 deletion .github/actions/run-gradle/action.yml
Expand Up @@ -2,7 +2,7 @@ name: Run Gradle
description: Sets up Gradle JDKs and runs Gradle
inputs:
arguments:
required: true
required: false
description: Gradle arguments
java:
required: true
Expand Down Expand Up @@ -83,6 +83,7 @@ runs:
gradle-home-cache-cleanup: true
gradle-home-cache-strict-match: true
- name: Run ${{ inputs.arguments }}
if: ${{ inputs.arguments != '' }}
env:
JAVA_HOME: ${{ steps.setup-gradle-jdk.outputs.path }}
ORG_GRADLE_PROJECT_org.gradle.java.installations.auto-download: 'false'
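Review bot: The `description: Gradle arguments` on the now-optional `arguments` input does not say what an empty value means, although the new `if: ${{ inputs.arguments != '' }}` turns the Run step into a no-op in that case; suggest `description: Gradle arguments (optional; when empty the Run step is skipped and only the preceding setup steps execute)`. The step name `Run ${{ inputs.arguments }}` then renders as `Run ` for the skipped step, which is harmless but worth knowing when reading job logs. The step's `run:` line is outside the hunk; if it interpolates `${{ inputs.arguments }}` straight into the shell command rather than passing it through `env:`, the actionlint job added in this same commit will report it as an expression-injection finding, so expect that result.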
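--- a/.github/workflows/actionlint.yml
+++ b/.github/workflows/actionlint.yml
@@ -0,0 +1,24 @@
+name: actionlint
+permissions: read-all
+on: [ push, pull_request ]
+
+jobs:
+  actionlint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - name: actionlint
+        uses: reviewdog/action-actionlint@c6ee1eb0a5d47b2af53a203652b5dac0b6c4016e # v1.43.0
+        env:
+          SHELLCHECK_OPTS: -e SC2001 -e SC2035 -e SC2046 -e SC2061 -e SC2086 -e SC2156
+        with:
+          reporter: github-check
+          github_token: ${{ secrets.GITHUB_TOKEN }}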
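Review bot: The `actionlint` job inherits the workflow-level `permissions: read-all` yet posts through `reporter: github-check`, which as far as I recall goes through the Checks API and needs `checks: write`; the `trivy` job in this same commit grants that at job level, while this job and the new `misspell` job in spelling.yml do not, so confirm the reporter can actually create the check run or add a job-level `permissions:` block with `checks: write` and `contents: read`. The `SHELLCHECK_OPTS` line silences SC2086 (unquoted expansion) and SC2046 (unquoted command substitution) for every `run:` script in the repository, and those are the two findings most likely to expose word-splitting in scripts that consume workflow inputs; a comment above `env:` recording the reason for each excluded code would keep the list reviewable instead of letting it grow silently. Note also that on `pull_request` runs from forks `GITHUB_TOKEN` is read-only whatever the permissions block says, so the check reporter cannot post there in any case — worth a one-line comment so the missing annotations are not mistaken for a bug.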
2 changes: 2 additions & 0 deletions .github/workflows/benchmarks.yml
Expand Up @@ -55,6 +55,7 @@ jobs:
github.event_name == 'push'
&& github.event.repository.fork == false
&& endsWith(github.ref, github.event.repository.default_branch)
continue-on-error: true
with:
auth: ${{ secrets.GIST_TOKEN }}
gist_description: Compute JMH Results
Expand All @@ -76,6 +77,7 @@ jobs:
github.event_name == 'push'
&& github.event.repository.fork == false
&& endsWith(github.ref, github.event.repository.default_branch)
continue-on-error: true
with:
auth: ${{ secrets.GIST_TOKEN }}
gist_description: Get/Put JMH Results
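Review bot: `continue-on-error: true` on the two gist-publishing steps (this hunk and the one at `@@ -76,6 +77,7 @@`) makes a failed upload indistinguishable from a successful one in the job summary, because the step is reported as succeeded; a comment such as `# best-effort: a gist publish failure must not fail the benchmark job` beside each would record that this is intended. If the failure should remain visible, a later step can test `steps.<id>.outcome == 'failure'` and print a `::warning::` annotation, which requires an `id:` on these steps (none is visible in the hunk). Both enclosing steps start before their hunk.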
2 changes: 1 addition & 1 deletion .github/workflows/scorecards-analysis.yml
Expand Up @@ -29,13 +29,13 @@ jobs:
api.osv.dev:443
api.securityscorecards.dev:443
bestpractices.coreinfrastructure.org:443
bestpractices.dev:443
fulcio.sigstore.dev:443
github.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
sigstore-tuf-root.storage.googleapis.com:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
- name: Checkout code
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
28 changes: 20 additions & 8 deletions .github/workflows/spelling.yml
Expand Up @@ -3,8 +3,25 @@ permissions: read-all
on: [ push, pull_request ]

jobs:
spellcheck:
name: Check spelling
misspell:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Misspell
uses: reviewdog/action-misspell@32cdac969bc45951d79b89420a60c9b0102cf6ed # v1.16.0
with:
reporter: github-check
github_token: ${{ secrets.GITHUB_TOKEN }}

typos:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
Expand All @@ -15,11 +32,6 @@ jobs:
allowed-endpoints: >
github.com:443
objects.githubusercontent.com:443
raw.githubusercontent.com:443
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Install
run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/master/install-misspell.sh | sh -s -- -b .
- name: Spell Check with Misspell
run: ./misspell -error .
- name: Spell Check with Typos
- name: Typos
uses: crate-ci/typos@bcafd462cb07ef7ba57e34abf458fe20767e808b # v1.19.0
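--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,34 @@
+name: trivy
+permissions: read-all
+on: [ push, pull_request ]
+
+jobs:
+  trivy:
+    runs-on: ubuntu-20.04
+    permissions:
+      checks: write
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            ghcr.io:443
+            github.com:443
+            pkg-containers.githubusercontent.com:443
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # v0.18.0
+        with:
+          scan-type: fs
+          format: sarif
+          output: trivy-results.sarif
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        with:
+          sarif_file: trivy-results.sarif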
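Review bot: The `Upload Trivy scan results to GitHub Security tab` step will fail on `pull_request` runs opened from forks, because `GITHUB_TOKEN` is read-only there regardless of the job-level `security-events: write`, and `on: [ push, pull_request ]` has no guard; consider `if: github.event.pull_request.head.repo.fork != true` on the upload step so the scan still runs but the upload is skipped where it cannot succeed. `checks: write` looks unused by the two steps shown (trivy-action and upload-sarif need `security-events: write`, `actions: read` and `contents: read`), so least privilege would drop it unless something else depends on it — confirm before removing. `runs-on: ubuntu-20.04` differs from `ubuntu-latest` used by every other workflow in this commit; if the older image is deliberate, a comment saying why would prevent someone "fixing" it. The scanner step sets neither `severity` nor `exit-code`, so the job passes whatever Trivy finds and results surface only in the Security tab; a comment stating that the scan is informational and not a merge gate would make that explicit.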
4 changes: 2 additions & 2 deletions gradle/libs.versions.toml
@@ -1,5 +1,5 @@
[versions]
asm = "9.6"
asm = "9.7"
auto-value = "1.10.4"
awaitility = "4.2.1"
bcel = "6.8.2"
Expand Down Expand Up @@ -33,7 +33,7 @@ felix-framework = "7.0.5"
felix-scr = "2.2.10"
findsecbugs = "1.13.0"
flip-tables = "1.1.1"
forbidden-apis = "3.6"
forbidden-apis = "3.7"
google-java-format = "1.21.0"
guava = "33.1.0-jre"
guice = "6.0.0"
