Dockerfile rule: Avoid using sudo #1649
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: semgrep-scanner benchmarks | |
on: | |
workflow_dispatch: | |
push: | |
branches: [release] | |
pull_request: | |
branches: [develop, release] | |
jobs: | |
trigger: | |
# do not run automatically if rule is posted from the playground (can still be started manually) | |
# PRs posted by first time contributors already need approval as well | |
if: github.actor != 'semgrep-dev-pr-bot' | |
runs-on: ubuntu-20.04 | |
steps: | |
- uses: actions/checkout@v2 | |
with: | |
fetch-depth: 0 | |
- id: changed-files | |
name: get changed files | |
env: | |
HEAD_REF: ${{ github.head_ref }} | |
run: | | |
CHANGED_FILES=$(git diff --name-only origin/develop origin/$HEAD_REF | xargs -0 | sed '/^$/d' | sed -r '/^(.github|bash|contrib|fingerprints|generic|json|problem-based-packs|scripts|stats|trusted_python|yaml)/d' | sed -n '/.*yaml/p' | tr '\n' ' ') | |
echo "changed_files=$CHANGED_FILES" >> $GITHUB_ENV | |
- id: print-changed-files | |
name: debugging step - print changed files | |
env: | |
CHANGED_FILES: ${{ env.changed_files }} | |
run: | | |
echo "$CHANGED_FILES" | |
- id: changed-langs | |
name: get changed langs | |
env: | |
CHANGED_FILES: ${{ env.changed_files }} | |
run: | | |
CHANGED_LANGS=$(echo "$CHANGED_FILES" | sed 's/ /\n/g' | sed 's/^\([^/]*\).*/\1/' | sort -u | tr '\n' ' ') | |
echo "changed_langs=$CHANGED_LANGS" >> $GITHUB_ENV | |
CHANGED_LANG_COUNT=$(echo "$CHANGED_LANGS" | wc -w) | |
echo "changed_lang_count=$CHANGED_LANG_COUNT" >> $GITHUB_ENV | |
- name: Trigger semgrep-scanner argo workflow on push to release | |
if: github.event_name == 'push' | |
env: | |
GH_REF: ${{ github.ref }} | |
REPO_NAME: ${{ github.event.repository.name }} | |
run: | | |
curl -X POST https://argo.corp.r2c.dev/api/v1/events/security-research/initiate-scan-on-push -H "Authorization: ${{ secrets.ARGO_WORKFLOWS_TOKEN }}" -d "{ \"repo\": \"$REPO_NAME\", \"branch\" : \"$GH_REF\"}" | |
- name: Trigger semgrep-scanner argo workflow on PR to develop or release | |
env: | |
CHANGED_FILES: ${{ env.changed_files }} | |
CHANGED_LANGS: ${{ env.changed_langs }} | |
HEAD_REF: ${{ github.head_ref }} | |
REPO_NAME: ${{ github.event.repository.name }} | |
PR_HEAD_SHA: ${{github.event.pull_request.head.sha}} | |
if: | | |
github.event_name == 'pull_request' && | |
env.changed_lang_count > 0 | |
run: | | |
curl -X POST https://argoworkflows-dev.corp.r2c.dev/api/v1/events/security-research/initiate-scan-argo -H "Authorization: ${{ secrets.ARGO_WORKFLOWS_TOKEN }}" -d "{\"branch\" : \"$HEAD_REF\", \"repo\" : \"$REPO_NAME\", \"commit\" : \"$PR_HEAD_SHA\", \"changed_files\" : \"$CHANGED_FILES\" , \"langs\" : \"$CHANGED_LANGS\"}" |