generated from wr-projects/github-template
-
Notifications
You must be signed in to change notification settings - Fork 0
79 lines (68 loc) · 2.46 KB
/
push.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
# SPDX-FileCopyrightText: 2022 WebReady Projects <https://github.com/wr-projects/>
#
# SPDX-License-Identifier: MIT
---
name: Pipeline - Push
on: push
permissions:
actions: write
contents: read
pull-requests: read
jobs:
gitguardian:
name: GitGuardian Scanner
runs-on: ubuntu-latest
if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
steps:
# More info: https://github.com/step-security/harden-runner.
- name: Harden Runner
id: harden_runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.gitguardian.com:443
github.com:443
- name: Checkout & Authentication
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
with:
persist-credentials: false
fetch-depth: 0
# More info: https://github.com/GitGuardian/ggshield-action
- name: GitGuardian Scanner
uses: GitGuardian/gg-shield-action@5a76f0fb3013bab9d8fbf749309a7b6408b3ec90
with:
args: -v --all-policies
env:
GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
GITHUB_PUSH_BASE_SHA: ${{ github.event.before }}
GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
# More info: https://github.com/marketplace/actions/anchore-sbom-action
sbom:
needs: [gitguardian]
name: "SBOM"
runs-on: ubuntu-latest
if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
steps:
# More info: https://github.com/step-security/harden-runner.
- name: Harden Runner
id: harden_runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
with:
egress-policy: audit
- name: Downloading Syft
id: syft
uses: anchore/sbom-action/download-syft@5ecf649a417b8ae17dc8383dc32d46c03f2312df
- name: Generate SBOM file
uses: anchore/sbom-action@5ecf649a417b8ae17dc8383dc32d46c03f2312df
with:
artifact-name: sbom.spdx
format: spdx
dependency-snapshot: true
- name: Publish SBOM File
uses: anchore/sbom-action/publish-sbom@5ecf649a417b8ae17dc8383dc32d46c03f2312df
with:
sbom-artifact-match: ".*\\.spdx$"