Skip to content

Merge pull request #1200 from metal3-io/dependabot/github_actions/act… #366

Merge pull request #1200 from metal3-io/dependabot/github_actions/act…

Merge pull request #1200 from metal3-io/dependabot/github_actions/act… #366

Workflow file for this run

name: Kubesec
on:
push:
branches: [ main ]
schedule:
- cron: '30 7 * * 3'
permissions:
contents: read
jobs:
setup:
# This workflow is only of value to the metal3-io/cluster-api-provider-metal3 repository and
# would always fail in forks
if: github.repository == 'metal3-io/cluster-api-provider-metal3'
runs-on: ubuntu-20.04
permissions:
actions: read
contents: read
steps:
- name: Checkout code
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Collect all yaml
id: list_yaml
run: |
LIST_YAML="$(find * -type f -name '*.yaml' ! -name "clusterctl-cluster.yaml")"
echo "::set-output name=value::$(IFS=$','; echo $LIST_YAML | jq -cnR '[inputs | select(length>0)]'; IFS=$'\n')"
outputs:
matrix: ${{ steps.list_yaml.outputs.value }}
lint:
needs: [ setup ]
name: Kubesec
runs-on: ubuntu-20.04
permissions:
actions: read
contents: read
security-events: write
strategy:
matrix:
value: ${{ fromJson(needs.setup.outputs.matrix) }}
steps:
- name: Checkout code
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Run kubesec scanner
uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14
with:
input: ${{ matrix.value }}
format: template
template: template/sarif.tpl
output: ${{ matrix.value }}.sarif
exit-code: "0"
- name: Save result into a variable
id: save_result
run: echo "::set-output name=result::$(cat ${{ matrix.value }}.sarif | jq -c '.runs')"
- name: Upload Kubesec scan results to GitHub Security tab
if: ${{ steps.save_result.outputs.result != '[]' }}
uses: github/codeql-action/upload-sarif@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5
with:
sarif_file: ${{ matrix.value }}.sarif