-
Notifications
You must be signed in to change notification settings - Fork 6
feat(fossa): switch OSS PR scan to native gdc-fossa-cli action #29
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weβll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
7a0f479
affdefc
8334740
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,122 @@ | ||
| --- | ||
| name: "FOSSA PR scan" | ||
| description: "Run a native FOSSA analyze+test scan for a PR, reusing the gdc-fossa-cli container (no Jenkins)." | ||
| inputs: | ||
| branch: | ||
| description: "Branch reported to FOSSA for the analyze upload" | ||
| required: false | ||
| default: ${{ github.head_ref }} | ||
| scan-image: | ||
| description: "Default FOSSA scan container image (per-repo gdc_fossa.yaml scan_image overrides this)" | ||
| required: false | ||
| default: "020413372491.dkr.ecr.us-east-1.amazonaws.com/tools/gdc-fossa-cli:latest" | ||
| fossa-api-key: | ||
| description: "FOSSA API key (org GitHub secret FOSSA_API_KEY)" | ||
| required: true | ||
| npm-auth-token: | ||
| description: "NPM read token for private dependency resolution (org GitHub secret NPM_TOKEN)" | ||
| required: false | ||
| default: "" | ||
| github-token: | ||
| description: "GitHub PAT for private-repo dependency resolution (org GitHub secret TOKEN_GITHUB_YENKINS)" | ||
| required: false | ||
| default: "" | ||
| runs: | ||
| using: "composite" | ||
| steps: | ||
| - name: Checkout the PR | ||
| uses: actions/checkout@v7 | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha }} | ||
| fetch-depth: 0 | ||
| - name: Get CodeArtifact token | ||
| uses: gooddata/github-actions-public/codeartifact/get-token@master | ||
| - name: Set up Maven settings | ||
| uses: s4u/maven-settings-action@v4.0.0 | ||
| with: | ||
| servers: | | ||
| [{ | ||
| "id": "infra1-gooddata", | ||
| "username": "aws", | ||
| "password": "${env.CODEARTIFACT_AUTH_TOKEN}" | ||
| }, | ||
| { | ||
| "id": "infra1-gooddata-snapshots", | ||
| "username": "aws", | ||
| "password": "${env.CODEARTIFACT_AUTH_TOKEN}" | ||
| }, | ||
| { | ||
| "id": "infra1-thirdparty", | ||
| "username": "aws", | ||
| "password": "${env.CODEARTIFACT_AUTH_TOKEN}" | ||
| }, | ||
| { | ||
| "id": "gdc-codeartifact", | ||
| "username": "aws", | ||
| "password": "${env.CODEARTIFACT_AUTH_TOKEN}" | ||
| }, | ||
| { | ||
| "id": "gdc-codeartifact-removed", | ||
| "username": "aws", | ||
| "password": "${env.CODEARTIFACT_AUTH_TOKEN}" | ||
| }, | ||
| { | ||
| "id": "gdc-gooddata-and-upstream", | ||
| "username": "aws", | ||
| "password": "${env.CODEARTIFACT_AUTH_TOKEN}" | ||
| }] | ||
| repositories: | | ||
| [{ | ||
| "id": "gdc-codeartifact", | ||
| "name": "gdc-codeartifact", | ||
| "url": "https://infra1-020413372491.d.codeartifact.us-east-1.amazonaws.com/maven/gooddata-and-upstream-repositories/", | ||
| "snapshots": {"enabled": "true"}, | ||
| "releases": {"enabled": "true"} | ||
| }, | ||
| { | ||
| "id": "gdc-codeartifact-removed", | ||
| "name": "gdc-codeartifact-removed", | ||
| "url": "https://infra1-020413372491.d.codeartifact.us-east-1.amazonaws.com/maven/upstream-removed/", | ||
| "snapshots": {"enabled": "true"}, | ||
| "releases": {"enabled": "true"} | ||
| }, | ||
| { | ||
| "id": "gdc-gooddata-and-upstream", | ||
| "name": "gdc-gooddata-and-upstream", | ||
| "url": "https://infra1-020413372491.d.codeartifact.us-east-1.amazonaws.com/maven/gooddata-and-upstream-repositories/", | ||
| "snapshots": {"enabled": "true"}, | ||
| "releases": {"enabled": "true"} | ||
| }, | ||
| { | ||
| "id": "central", | ||
| "name": "central", | ||
| "url": "https://repo.maven.apache.org/maven2/", | ||
| "snapshots": {"enabled": "true"}, | ||
| "releases": {"enabled": "true"} | ||
| }] | ||
| pluginRepositories: | | ||
| [{ | ||
| "id": "gdc-codeartifact", | ||
| "name": "gdc-codeartifact", | ||
| "url": "https://infra1-020413372491.d.codeartifact.us-east-1.amazonaws.com/maven/gooddata-and-upstream-repositories/", | ||
| "snapshots": {"enabled": "true"}, | ||
| "releases": {"enabled": "true"} | ||
| }, | ||
| { | ||
| "id": "central", | ||
| "name": "central", | ||
| "url": "https://repo.maven.apache.org/maven2/", | ||
| "snapshots": {"enabled": "true"}, | ||
| "releases": {"enabled": "true"} | ||
| }] | ||
| githubServer: false | ||
| - name: Run FOSSA scan | ||
| shell: bash | ||
| env: | ||
| FOSSA_API_KEY: ${{ inputs.fossa-api-key }} | ||
| NPM_AUTH_TOKEN: ${{ inputs.npm-auth-token }} | ||
| GITHUB_PULL_TOKEN: ${{ inputs.github-token }} | ||
| SCAN_IMAGE_DEFAULT: ${{ inputs.scan-image }} | ||
| FOSSA_BRANCH: ${{ inputs.branch }} | ||
| REPO_NAME: ${{ github.event.repository.name }} | ||
| run: bash ${{ github.action_path }}/scan.sh |
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,106 @@ | ||||||
| #!/usr/bin/env bash | ||||||
| # Native port of `cish fossa-scanning` scan loop. Reproduces the Jenkins | ||||||
| # docker-run invocation of fossa_scanning_tool inside the gdc-fossa-cli image. | ||||||
| # | ||||||
| # Auth uses org GitHub Actions secrets (no Vault): NPM_AUTH_TOKEN for npm, and a | ||||||
| # GitHub PAT (GITHUB_PULL_TOKEN) wired through a git insteadOf rewrite so the | ||||||
| # in-container dependency resolution can fetch private gooddata repos over HTTPS | ||||||
| # (replaces the Jenkins SSH-agent approach). | ||||||
| set -euo pipefail | ||||||
|
|
||||||
| : "${FOSSA_API_KEY:?FOSSA_API_KEY is required}" | ||||||
| : "${REPO_NAME:?REPO_NAME is required}" | ||||||
| NPM_AUTH_TOKEN="${NPM_AUTH_TOKEN:-}" | ||||||
| GITHUB_PULL_TOKEN="${GITHUB_PULL_TOKEN:-}" | ||||||
| CODEARTIFACT_AUTH_TOKEN="${CODEARTIFACT_AUTH_TOKEN:-}" | ||||||
| SCAN_IMAGE_DEFAULT="${SCAN_IMAGE_DEFAULT:?SCAN_IMAGE_DEFAULT is required}" | ||||||
| FOSSA_BRANCH="${FOSSA_BRANCH:-}" | ||||||
|
|
||||||
| src_dir="${GITHUB_WORKSPACE:-$PWD}" | ||||||
| work_dir="${RUNNER_TEMP:-$PWD}/fossa-pr-scan" | ||||||
| mkdir -p "${PWD}/build-output" "${work_dir}" | ||||||
|
|
||||||
| # --- npm auth (mounted into the container as ~/.npmrc) --- | ||||||
| # Jenkins used the public registry with an auth token; npm interpolates the | ||||||
| # NPM_AUTH_TOKEN env var (also passed into the container) at runtime. | ||||||
| npmrc="${work_dir}/npmrc" | ||||||
| if [ -n "${NPM_AUTH_TOKEN}" ]; then | ||||||
| printf '//registry.npmjs.org/:_authToken=${NPM_AUTH_TOKEN}\n' > "${npmrc}" | ||||||
| else | ||||||
| : > "${npmrc}" | ||||||
| fi | ||||||
|
|
||||||
| # --- git auth for private gooddata deps (mounted into the container) --- | ||||||
| # Rewrite ssh/https gooddata URLs to token-authenticated HTTPS so go/npm/maven | ||||||
| # can resolve private dependencies in-container. The token is embedded in a | ||||||
| # throwaway gitconfig on the ephemeral runner. | ||||||
| gitconfig="${work_dir}/gitconfig" | ||||||
| : > "${gitconfig}" | ||||||
| if [ -n "${GITHUB_PULL_TOKEN}" ]; then | ||||||
| cat > "${gitconfig}" <<EOF | ||||||
| [url "https://oauth2:${GITHUB_PULL_TOKEN}@github.com/gooddata/"] | ||||||
| insteadOf = ssh://git@github.com/gooddata/ | ||||||
| insteadOf = git@github.com:gooddata/ | ||||||
| insteadOf = https://github.com/gooddata/ | ||||||
| EOF | ||||||
| fi | ||||||
|
|
||||||
| # --- m2 settings (optional; only mounted if present) --- | ||||||
| m2_settings="${HOME}/.m2/settings.xml" | ||||||
|
|
||||||
| docker_pull() { docker pull "$1" >/dev/null; } | ||||||
|
|
||||||
| run_scan() { | ||||||
| local scan_img="$1" gdc_conf="$2" | ||||||
| local java_version="" conf_arg=() | ||||||
| local mount_args=() | ||||||
|
|
||||||
| if [ -n "${gdc_conf}" ] && [ -f "${gdc_conf}" ]; then | ||||||
| local rel_conf="${gdc_conf#${src_dir}/}" | ||||||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. π― Functional Correctness | π‘ Minor | β‘ Quick win Quote In π§ Proposed fix (SC2295)- local rel_conf="${gdc_conf#${src_dir}/}"
+ local rel_conf="${gdc_conf#"${src_dir}"/}"π Committable suggestion
Suggested change
π§° Toolsπͺ Shellcheck (0.11.0)[info] 59-59: Expansions inside ${..} need to be quoted separately, otherwise they match as patterns. (SC2295) π€ Prompt for AI AgentsSource: Linters/SAST tools |
||||||
| local img_override | ||||||
| img_override="$(yq -r '.scan_image | select(. != null)' "${gdc_conf}")" | ||||||
| [ -n "${img_override}" ] && scan_img="${img_override}" | ||||||
| java_version="$(yq -r '.java_version | select(. != null)' "${gdc_conf}")" | ||||||
| conf_arg=(--gdc-conf "${rel_conf}") | ||||||
| fi | ||||||
|
coderabbitai[bot] marked this conversation as resolved.
|
||||||
|
|
||||||
| docker_pull "${scan_img}" | ||||||
|
|
||||||
| mount_args=( | ||||||
| -v "${npmrc}:/home/fossa/.npmrc" | ||||||
| -v "${gitconfig}:/home/fossa/.gitconfig" | ||||||
| -v "${src_dir}:/home/fossa/sources/${REPO_NAME}" | ||||||
| -v "${PWD}/build-output:/home/fossa/build-output" | ||||||
| ) | ||||||
| if [ -f "${m2_settings}" ]; then | ||||||
| mount_args+=(-v "${m2_settings}:/home/fossa/.m2/settings.xml") | ||||||
| fi | ||||||
|
|
||||||
| docker run --rm \ | ||||||
| "${mount_args[@]}" \ | ||||||
| -e USER_UID="$(id -u)" \ | ||||||
| -e FOSSA_API_KEY -e NPM_AUTH_TOKEN \ | ||||||
| -e CODEARTIFACT_AUTH_TOKEN \ | ||||||
| -e JAVA_VERSION="${java_version}" \ | ||||||
| "${scan_img}" \ | ||||||
| fossa_scanning_tool -r "${REPO_NAME}" -o "not_found" -v -c analyze test \ | ||||||
| ${FOSSA_BRANCH:+-b "${FOSSA_BRANCH}"} \ | ||||||
| "${conf_arg[@]}" | ||||||
| } | ||||||
|
|
||||||
| # --- find gdc_fossa*.yaml configs; loop, or single scan if none --- | ||||||
| mapfile -t confs < <(find "${src_dir}" -type f -name "gdc_fossa*.yaml" | sort) | ||||||
| if [ "${#confs[@]}" -eq 0 ]; then | ||||||
| run_scan "${SCAN_IMAGE_DEFAULT}" "" | ||||||
| else | ||||||
| for conf in "${confs[@]}"; do | ||||||
| run_scan "${SCAN_IMAGE_DEFAULT}" "${conf}" | ||||||
| done | ||||||
| fi | ||||||
|
|
||||||
| # fossa_scanning_tool writes build-output/analyze_failed.txt on analyze failure | ||||||
| if [ -f "./build-output/analyze_failed.txt" ]; then | ||||||
| echo "ERROR: FOSSA analyze failed for some module(s); see logs above." | ||||||
| exit 1 | ||||||
| fi | ||||||
| echo "FOSSA scan completed." | ||||||
Uh oh!
There was an error while loading. Please reload this page.