diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml
index 31bcb90..8d307c8 100644
--- a/.github/workflows/build-release.yml
+++ b/.github/workflows/build-release.yml
@@ -39,9 +39,13 @@ jobs:
 - name: Determine version
 id: version
+ env:
+ INPUT_VERSION: ${{ github.event.inputs.version }}
+ EVENT_NAME: ${{ github.event_name }}
+ PR_LABELS: ${{ join(github.event.pull_request.labels.*.name, ',') }}
 run: |
- if [ -n "${{ github.event.inputs.version }}" ]; then
- VERSION="${{ github.event.inputs.version }}"
+ if [ -n "$INPUT_VERSION" ]; then
+ VERSION="$INPUT_VERSION"
 echo "Using manually specified version: ${VERSION}"
 else
 # Get the latest semver tag (ignore 'latest' tag), or use 0.0.0 if no tags exist
@@ -54,19 +58,18 @@ jobs:
 echo "Latest semver tag found: ${LATEST_TAG}"
 # Remove 'v' prefix if present
 LATEST_VERSION=${LATEST_TAG#v}
-
+
 # Parse version components
 IFS='.' read -r -a VERSION_PARTS <<< "$LATEST_VERSION"
 MAJOR=${VERSION_PARTS[0]:-0}
 MINOR=${VERSION_PARTS[1]:-0}
 PATCH=${VERSION_PARTS[2]:-0}
-
+
 # Determine bump type from PR labels
 BUMP_TYPE="patch" # Default to patch
- if [ "${{ github.event_name }}" == "pull_request" ]; then
- PR_LABELS="${{ join(github.event.pull_request.labels.*.name, ',') }}"
+ if [ "$EVENT_NAME" == "pull_request" ]; then
 echo "PR Labels: ${PR_LABELS}"
-
+
 if echo "${PR_LABELS}" | grep -q "major"; then
 BUMP_TYPE="major"
 elif echo "${PR_LABELS}" | grep -q "minor"; then
@@ -75,9 +78,9 @@ jobs:
 BUMP_TYPE="patch"
 fi
 fi
-
+
 echo "Bump type: ${BUMP_TYPE}"
-
+
 # Increment version based on bump type
 case "${BUMP_TYPE}" in
 major)
@@ -93,7 +96,7 @@ jobs:
 PATCH=$((PATCH + 1))
 ;;
 esac
-
+
 VERSION="${MAJOR}.${MINOR}.${PATCH}"
 echo "Bumping from ${LATEST_VERSION} to ${VERSION} (${BUMP_TYPE})"
 fi
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 36e9fbd..8a2a544 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
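Review bot: The manually supplied `$INPUT_VERSION` is accepted as `VERSION` on the added line without any shape check, so a typo such as `v1.2` or a value containing spaces flows into whatever the later steps do with the version (those steps are outside this hunk). Moving the expression into `env:` closes the script-injection path and is the right fix, but a format check still belongs right after the `-n` test: `[[ "$INPUT_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "Invalid version: ${INPUT_VERSION}" >&2; exit 1; }`. The step body continues past the end of the hunk.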
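Review bot: `grep -q "major"` on the joined label string, on the context lines just after the changed `if`, is a substring match, so a label such as `not-major` or `minor-docs` selects the wrong bump type. Now that `PR_LABELS` arrives as a comma-separated env value, match whole entries instead: `if tr ',' '\n' <<< "$PR_LABELS" | grep -qx 'major'; then` and the same form for `minor`. Reading `EVENT_NAME` and `PR_LABELS` from `env:` rather than interpolating the expressions into the script is sound; the enclosing `if` block continues into the next hunk.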
@@ -68,22 +68,33 @@ jobs:
 - name: Send failure event to PostHog
 if: failure()
+ env:
+ COMMIT_SHA: ${{ github.sha }}
+ JOB_STATUS: ${{ job.status }}
+ COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+ COMMIT_AUTHOR: ${{ github.event.head_commit.author.name }}
+ GH_REF: ${{ github.ref }}
+ GH_WORKFLOW: ${{ github.workflow }}
+ RUN_ID: ${{ github.run_id }}
+ RUN_NUMBER: ${{ github.run_number }}
+ JOB_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+ MATRIX_EXAMPLE: ${{ matrix.example }}
 run: |
 curl -X POST https://webhooks.us.posthog.com/public/webhooks/019a7a81-7961-0000-d3e3-b5f34cc2a32b \
 -H "Content-Type: application/json" \
- -d '{
- "event": "posthog-examples-repo-test-failure",
- "commitSha": "${{ github.sha }}",
- "jobStatus": "${{ job.status }}",
- "commitMessage": "${{ github.event.head_commit.message }}",
- "commitAuthor": "${{ github.event.head_commit.author.name }}",
- "ref": "${{ github.ref }}",
- "workflow": "${{ github.workflow }}",
- "runId": "${{ github.run_id }}",
- "runNumber": "${{ github.run_number }}",
- "jobUrl": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}",
- "matrixExample": "${{ matrix.example }}"
- }'
+ -d "$(jq -n \
+ --arg event "posthog-examples-repo-test-failure" \
+ --arg commitSha "$COMMIT_SHA" \
+ --arg jobStatus "$JOB_STATUS" \
+ --arg commitMessage "$COMMIT_MESSAGE" \
+ --arg commitAuthor "$COMMIT_AUTHOR" \
+ --arg ref "$GH_REF" \
+ --arg workflow "$GH_WORKFLOW" \
+ --arg runId "$RUN_ID" \
+ --arg runNumber "$RUN_NUMBER" \
+ --arg jobUrl "$JOB_URL" \
+ --arg matrixExample "$MATRIX_EXAMPLE" \
+ '{event: $event, commitSha: $commitSha, jobStatus: $jobStatus, commitMessage: $commitMessage, commitAuthor: $commitAuthor, ref: $ref, workflow: $workflow, runId: $runId, runNumber: $runNumber, jobUrl: $jobUrl, matrixExample: $matrixExample}')"
 - uses: actions/upload-artifact@v4
 if: always()
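Review bot: The payload is built inside a command substitution passed directly to `-d`, so if `jq` fails (binary missing in a custom runner image, or a bad argument) the substitution expands to an empty string, `curl` posts an empty body, and the step still reports success because the default `bash -e` run shell does not see a failure that occurs inside an argument. Assign it first, `PAYLOAD="$(jq -n \ ... )"`, then pass `-d "$PAYLOAD"`, so a jq error aborts the step; and add `--fail-with-body -sS --max-time 30` to curl so a non-2xx or hanging webhook shows up in the log instead of being ignored. The identical step in integration.yml below has the same gap. Passing the event fields through `env:` and `--arg` is the right fix for the quoting and injection problem in the old literal JSON body.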
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index 6db280e..1b9fbf0 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -70,22 +70,33 @@ jobs:
 - name: Send failure event to PostHog
 if: failure()
+ env:
+ COMMIT_SHA: ${{ github.sha }}
+ JOB_STATUS: ${{ job.status }}
+ COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+ COMMIT_AUTHOR: ${{ github.event.head_commit.author.name }}
+ GH_REF: ${{ github.ref }}
+ GH_WORKFLOW: ${{ github.workflow }}
+ RUN_ID: ${{ github.run_id }}
+ RUN_NUMBER: ${{ github.run_number }}
+ JOB_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+ MATRIX_EXAMPLE: ${{ matrix.example }}
 run: |
 curl -X POST https://webhooks.us.posthog.com/public/webhooks/019a7a81-7961-0000-d3e3-b5f34cc2a32b \
 -H "Content-Type: application/json" \
- -d '{
- "event": "posthog-examples-repo-test-failure",
- "commitSha": "${{ github.sha }}",
- "jobStatus": "${{ job.status }}",
- "commitMessage": "${{ github.event.head_commit.message }}",
- "commitAuthor": "${{ github.event.head_commit.author.name }}",
- "ref": "${{ github.ref }}",
- "workflow": "${{ github.workflow }}",
- "runId": "${{ github.run_id }}",
- "runNumber": "${{ github.run_number }}",
- "jobUrl": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}",
- "example": "${{ matrix.example }}"
- }'
+ -d "$(jq -n \
+ --arg event "posthog-examples-repo-test-failure" \
+ --arg commitSha "$COMMIT_SHA" \
+ --arg jobStatus "$JOB_STATUS" \
+ --arg commitMessage "$COMMIT_MESSAGE" \
+ --arg commitAuthor "$COMMIT_AUTHOR" \
+ --arg ref "$GH_REF" \
+ --arg workflow "$GH_WORKFLOW" \
+ --arg runId "$RUN_ID" \
+ --arg runNumber "$RUN_NUMBER" \
+ --arg jobUrl "$JOB_URL" \
+ --arg example "$MATRIX_EXAMPLE" \
+ '{event: $event, commitSha: $commitSha, jobStatus: $jobStatus, commitMessage: $commitMessage, commitAuthor: $commitAuthor, ref: $ref, workflow: $workflow, runId: $runId, runNumber: $runNumber, jobUrl: $jobUrl, example: $example}')"
 - uses: actions/upload-artifact@v4
 if: always()
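Review bot: The jq filter on the last added line emits the matrix entry under the key `example`, while the otherwise identical step in e2e.yml above emits it as `matrixExample`, so the same `posthog-examples-repo-test-failure` event reaches the webhook with two different schemas depending on which workflow fired it. The commit carries the pre-existing name over on each side rather than reconciling them; unless a consumer depends on the split, pick one key for both, e.g. `--arg matrixExample "$MATRIX_EXAMPLE"` and `matrixExample: $matrixExample` here.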
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 0000000..b6228b3
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,28 @@
+name: Security
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+
+jobs:
+ semgrep-general:
+ name: Semgrep General
+ runs-on: ubuntu-24.04
+ container:
+ image: returntocorp/semgrep
+ env:
+ SEMGREP_ENABLE_VERSION_CHECK: 'false'
+ steps:
+ - uses: actions/checkout@v4
+ - run: |
+ semgrep \
+ --config "p/owasp-top-ten" \
+ --config "p/security-audit" \
+ --config "p/trailofbits" \
+ --config "p/github-actions" \
+ --error \
+ --metrics=off \
+ --verbose \
+ .
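Review bot: The new workflow declares no `permissions:` block, so the job's `GITHUB_TOKEN` gets the repository's default permission set, which can include write scopes, although a scan that only reads the checkout needs none of them; add a top-level `permissions:` with `contents: read` before `jobs:`. Both `container.image: returntocorp/semgrep` and `actions/checkout@v4` are mutable references, so the scanner and checkout code that actually run can change without any commit here — pin the image by digest (`returntocorp/semgrep@sha256:<digest>`, placeholder) and the action to a full commit SHA with the tag kept in a trailing comment. As far as I recall `returntocorp` is the legacy namespace for this image and `semgrep/semgrep` the current one; confirm which is maintained before pinning.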