backport-pr-12611 (#12620) #537
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: FOSSA Scanning | |
on: | |
# List the branches that must be scanned when a push event happens. | |
push: | |
branches: ["master", "release-*"] | |
# For manual scans. | |
workflow_dispatch: | |
permissions: | |
# Basic read access needed. | |
contents: read | |
# Required to authenticate in EIO's Vault. | |
id-token: write | |
jobs: | |
fossa-scanning: | |
# For when running in EIO's provided runners. More details are available in | |
# https://github.com/rancherlabs/eio/wiki/GitHub-Actions-Runners . | |
runs-on: org-${{ github.repository_owner_id }}-amd64-k8s | |
# Use the BCI Node.js container when running in EIO's provided runners, | |
# because the Node.js runtime is needed. If using public GH provided runners, | |
# a container isn't necessary, because they already provide the runtime, but | |
# the BCI image can still be used anyway. | |
container: registry.suse.com/bci/nodejs:20 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
# The FOSSA token is shared between all repos in Rancher's GH org. It can | |
# be used directly and there is no need to request specific access to EIO. | |
- name: Read FOSSA token | |
uses: rancher-eio/read-vault-secrets@main | |
with: | |
secrets: | | |
secret/data/github/org/rancher/fossa/push token | FOSSA_API_KEY_PUSH_ONLY | |
- name: FOSSA scan | |
uses: fossas/fossa-action@main | |
with: | |
api-key: ${{ env.FOSSA_API_KEY_PUSH_ONLY }} | |
# Only runs the scan and do not provide/returns any results back to the | |
# pipeline. | |
run-tests: false |