fix: unblock first-invocation pipeline (git safe.directory, SetupTask resilience, workflow issues:write) #138
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ASH Security Scan | |
| on: | |
| pull_request: | |
| branches: [main] | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| jobs: | |
| scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Get changed files | |
| id: changed-files | |
| uses: tj-actions/changed-files@v46 | |
| with: | |
| files: | | |
| **/*.py | |
| **/*.js | |
| **/*.ts | |
| **/*.yaml | |
| **/*.yml | |
| **/*.json | |
| **/*.sh | |
| **/Dockerfile* | |
| **/requirements*.txt | |
| **/package*.json | |
| **/*.tf | |
| **/*.tfvars | |
| - name: Set up Python | |
| if: steps.changed-files.outputs.any_changed == 'true' | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.10' | |
| - name: Install ASH | |
| if: steps.changed-files.outputs.any_changed == 'true' | |
| run: pip install git+https://github.com/awslabs/automated-security-helper.git@v3.5.3 | |
| - name: Copy changed files and config to scan directory | |
| if: steps.changed-files.outputs.any_changed == 'true' | |
| run: | | |
| mkdir -p /tmp/ash-scan/.ash | |
| cp .ash/.ash.yaml /tmp/ash-scan/.ash/.ash.yaml | |
| for file in ${{ steps.changed-files.outputs.all_changed_files }}; do | |
| if [ -f "$file" ]; then | |
| mkdir -p "/tmp/ash-scan/$(dirname "$file")" | |
| cp "$file" "/tmp/ash-scan/$file" | |
| fi | |
| done | |
| - name: Run ASH scan | |
| if: steps.changed-files.outputs.any_changed == 'true' | |
| id: ash-scan | |
| run: | | |
| cd /tmp/ash-scan | |
| ash --mode precommit --config .ash/.ash.yaml 2>&1 | tee /tmp/ash-output.log | |
| continue-on-error: true | |
| - name: Build PR comment | |
| if: steps.changed-files.outputs.any_changed == 'true' | |
| id: build-comment | |
| run: | | |
| COMMENT_FILE="/tmp/pr_comment.md" | |
| SHA="${{ github.event.pull_request.head.sha }}" | |
| SHORT_SHA="${SHA:0:7}" | |
| TIMESTAMP=$(date -u +"%Y-%m-%d %H:%M:%S UTC") | |
| echo "**ASH Security Scan** | Commit: \`${SHORT_SHA}\` | ${TIMESTAMP}" > "$COMMENT_FILE" | |
| echo "" >> "$COMMENT_FILE" | |
| if [ -f "/tmp/ash-scan/.ash/ash_output/reports/ash.summary.md" ]; then | |
| # Use the markdown report ASH generates | |
| cat "/tmp/ash-scan/.ash/ash_output/reports/ash.summary.md" >> "$COMMENT_FILE" | |
| elif [ -f "/tmp/ash-output.log" ]; then | |
| echo "### Scan Output" >> "$COMMENT_FILE" | |
| echo "" >> "$COMMENT_FILE" | |
| echo '```' >> "$COMMENT_FILE" | |
| tail -50 /tmp/ash-output.log >> "$COMMENT_FILE" | |
| echo '```' >> "$COMMENT_FILE" | |
| else | |
| echo "No scan results available." >> "$COMMENT_FILE" | |
| fi | |
| echo "" >> "$COMMENT_FILE" | |
| echo "<!-- ASH-SECURITY-SCAN -->" >> "$COMMENT_FILE" | |
| # Check for findings | |
| if grep -q "Actionable findings detected!" /tmp/ash-output.log 2>/dev/null; then | |
| echo "has_findings=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "has_findings=false" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Post or update PR comment | |
| if: steps.changed-files.outputs.any_changed == 'true' | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| const fs = require('fs'); | |
| const body = fs.readFileSync('/tmp/pr_comment.md', 'utf8'); | |
| const prNumber = context.payload.pull_request.number; | |
| const { data: comments } = await github.rest.issues.listComments({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: prNumber, | |
| }); | |
| const existing = comments.find(c => | |
| c.body.includes('<!-- ASH-SECURITY-SCAN -->') | |
| ); | |
| if (existing) { | |
| await github.rest.issues.updateComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| comment_id: existing.id, | |
| body: body, | |
| }); | |
| } else { | |
| await github.rest.issues.createComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: prNumber, | |
| body: body, | |
| }); | |
| } | |
| - name: Upload artifacts | |
| if: steps.changed-files.outputs.any_changed == 'true' && always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ash-security-results | |
| path: /tmp/ash-scan/.ash/ | |
| retention-days: 30 | |
| - name: Skip message | |
| if: steps.changed-files.outputs.any_changed == 'false' | |
| run: echo "No relevant files changed - skipping security scan" |