Skip to content

[run-as-non-root-security-context-pod-level] runAsNonRoot does not necessarily comes directly after securityContext #2923

[run-as-non-root-security-context-pod-level] runAsNonRoot does not necessarily comes directly after securityContext

[run-as-non-root-security-context-pod-level] runAsNonRoot does not necessarily comes directly after securityContext #2923

name: semgrep-scanner benchmarks
on:
workflow_dispatch:
push:
branches: [release]
pull_request:
branches: [develop, release]
jobs:
trigger:
# do not run automatically if rule is posted from the playground (can still be started manually)
# PRs posted by first time contributors already need approval as well
if: github.actor != 'semgrep-dev-pr-bot'
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0
- id: changed-files
name: get changed files
env:
HEAD_REF: ${{ github.head_ref }}
run: |
CHANGED_FILES=$(git diff --name-only origin/develop origin/$HEAD_REF | xargs -0 | sed '/^$/d' | sed -r '/^(.github|bash|generic|json|problem-based-packs|scripts|stats|trusted_python|yaml)/d' | sed -n '/.*yaml/p' | tr '\n' ' ')
echo "changed_files=$CHANGED_FILES" >> $GITHUB_ENV
- id: print-changed-files
name: debugging step - print changed files
env:
CHANGED_FILES: ${{ env.changed_files }}
run: |
echo "$CHANGED_FILES"
- id: changed-langs
name: get changed langs
env:
CHANGED_FILES: ${{ env.changed_files }}
run: |
CHANGED_LANGS=$(echo "$CHANGED_FILES" | sed 's/ /\n/g' | sed 's/^\([^/]*\).*/\1/' | sort -u | tr '\n' ' ')
echo "changed_langs=$CHANGED_LANGS" >> $GITHUB_ENV
CHANGED_LANG_COUNT=$(echo "$CHANGED_LANGS" | wc -w)
echo "changed_lang_count=$CHANGED_LANG_COUNT" >> $GITHUB_ENV
- name: Trigger semgrep-scanner argo workflow on push to release
if: github.event_name == 'push'
env:
GH_REF: ${{ github.ref }}
REPO_NAME: ${{ github.event.repository.name }}
run: |
curl -X POST https://argo.corp.r2c.dev/api/v1/events/security-research/initiate-scan-on-push -H "Authorization: ${{ secrets.ARGO_WORKFLOWS_TOKEN }}" -d "{ \"repo\": \"$REPO_NAME\", \"branch\" : \"$GH_REF\"}"
- name: Trigger semgrep-scanner argo workflow on PR to develop or release
env:
CHANGED_FILES: ${{ env.changed_files }}
CHANGED_LANGS: ${{ env.changed_langs }}
HEAD_REF: ${{ github.head_ref }}
REPO_NAME: ${{ github.event.repository.name }}
PR_HEAD_SHA: ${{github.event.pull_request.head.sha}}
if: github.event_name == 'pull_request' && env.changed_lang_count > 0
run: |
curl -X POST https://argoworkflows-dev2.corp.r2c.dev/api/v1/events/security-research/initiate-scan-argo -H "Authorization: ${{ secrets.ARGO_WORKFLOWS_TOKEN }}" -d "{\"branch\" : \"$HEAD_REF\", \"repo\" : \"$REPO_NAME\", \"commit\" : \"$PR_HEAD_SHA\", \"changed_files\" : \"$CHANGED_FILES\" , \"langs\" : \"$CHANGED_LANGS\"}"