Merge pull request #28469 from backstage/rugvip/notes #35
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Sync Snyk Monitoring | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: [master] | |
| paths: | |
| - '.github/workflows/sync_snyk-monitor.yml' | |
| - '**/.snyk' | |
| - '**/package.json' | |
| - 'yarn.lock' | |
| # This workflow synchronizes the packages in this repo along with policies in | |
| # each .snyk file with the remote state in our snyk org. It allows us to define | |
| # ignore policies in the .snyk files and then have them show up in the snyk web | |
| # UI, and also automatically adds any new packages that are created. | |
| permissions: | |
| contents: read | |
| jobs: | |
| sync: | |
| permissions: | |
| contents: read # for actions/checkout to fetch code | |
| security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Monitor and Synchronize Snyk Policies | |
| uses: snyk/actions/node@cdb760004ba9ea4d525f2e043745dfe85bb9077e # master | |
| with: | |
| command: monitor | |
| args: > | |
| --yarn-workspaces | |
| --org=backstage-dgh | |
| --strict-out-of-sync=false | |
| --remote-repo-url=https://github.com/backstage/backstage | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| NODE_OPTIONS: --max-old-space-size=7168 | |
| # Above we run the `monitor` command, this runs the `test` command which is | |
| # the one that generates the SARIF report that we can upload to GitHub. | |
| - name: Create Snyk report | |
| uses: snyk/actions/node@cdb760004ba9ea4d525f2e043745dfe85bb9077e # master | |
| continue-on-error: true # To make sure that SARIF upload gets called | |
| with: | |
| args: > | |
| --yarn-workspaces | |
| --org=backstage-dgh | |
| --strict-out-of-sync=false | |
| --sarif-file-output=snyk.sarif | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| NODE_OPTIONS: --max-old-space-size=7168 | |
| - name: Upload Snyk report | |
| uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 | |
| with: | |
| sarif_file: snyk.sarif |