Skip to content

fix: unblock first-invocation pipeline (git safe.directory, SetupTask resilience, workflow issues:write) #138

fix: unblock first-invocation pipeline (git safe.directory, SetupTask resilience, workflow issues:write)

fix: unblock first-invocation pipeline (git safe.directory, SetupTask resilience, workflow issues:write) #138

name: ASH Security Scan
on:
pull_request:
branches: [main]
permissions:
contents: read
pull-requests: write
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Get changed files
id: changed-files
uses: tj-actions/changed-files@v46
with:
files: |
**/*.py
**/*.js
**/*.ts
**/*.yaml
**/*.yml
**/*.json
**/*.sh
**/Dockerfile*
**/requirements*.txt
**/package*.json
**/*.tf
**/*.tfvars
- name: Set up Python
if: steps.changed-files.outputs.any_changed == 'true'
uses: actions/setup-python@v4
with:
python-version: '3.10'
- name: Install ASH
if: steps.changed-files.outputs.any_changed == 'true'
run: pip install git+https://github.com/awslabs/automated-security-helper.git@v3.5.3
- name: Copy changed files and config to scan directory
if: steps.changed-files.outputs.any_changed == 'true'
run: |
mkdir -p /tmp/ash-scan/.ash
cp .ash/.ash.yaml /tmp/ash-scan/.ash/.ash.yaml
for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
if [ -f "$file" ]; then
mkdir -p "/tmp/ash-scan/$(dirname "$file")"
cp "$file" "/tmp/ash-scan/$file"
fi
done
- name: Run ASH scan
if: steps.changed-files.outputs.any_changed == 'true'
id: ash-scan
run: |
cd /tmp/ash-scan
ash --mode precommit --config .ash/.ash.yaml 2>&1 | tee /tmp/ash-output.log
continue-on-error: true
- name: Build PR comment
if: steps.changed-files.outputs.any_changed == 'true'
id: build-comment
run: |
COMMENT_FILE="/tmp/pr_comment.md"
SHA="${{ github.event.pull_request.head.sha }}"
SHORT_SHA="${SHA:0:7}"
TIMESTAMP=$(date -u +"%Y-%m-%d %H:%M:%S UTC")
echo "**ASH Security Scan** | Commit: \`${SHORT_SHA}\` | ${TIMESTAMP}" > "$COMMENT_FILE"
echo "" >> "$COMMENT_FILE"
if [ -f "/tmp/ash-scan/.ash/ash_output/reports/ash.summary.md" ]; then
# Use the markdown report ASH generates
cat "/tmp/ash-scan/.ash/ash_output/reports/ash.summary.md" >> "$COMMENT_FILE"
elif [ -f "/tmp/ash-output.log" ]; then
echo "### Scan Output" >> "$COMMENT_FILE"
echo "" >> "$COMMENT_FILE"
echo '```' >> "$COMMENT_FILE"
tail -50 /tmp/ash-output.log >> "$COMMENT_FILE"
echo '```' >> "$COMMENT_FILE"
else
echo "No scan results available." >> "$COMMENT_FILE"
fi
echo "" >> "$COMMENT_FILE"
echo "<!-- ASH-SECURITY-SCAN -->" >> "$COMMENT_FILE"
# Check for findings
if grep -q "Actionable findings detected!" /tmp/ash-output.log 2>/dev/null; then
echo "has_findings=true" >> $GITHUB_OUTPUT
else
echo "has_findings=false" >> $GITHUB_OUTPUT
fi
- name: Post or update PR comment
if: steps.changed-files.outputs.any_changed == 'true'
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const body = fs.readFileSync('/tmp/pr_comment.md', 'utf8');
const prNumber = context.payload.pull_request.number;
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: prNumber,
});
const existing = comments.find(c =>
c.body.includes('<!-- ASH-SECURITY-SCAN -->')
);
if (existing) {
await github.rest.issues.updateComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: existing.id,
body: body,
});
} else {
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: prNumber,
body: body,
});
}
- name: Upload artifacts
if: steps.changed-files.outputs.any_changed == 'true' && always()
uses: actions/upload-artifact@v4
with:
name: ash-security-results
path: /tmp/ash-scan/.ash/
retention-days: 30
- name: Skip message
if: steps.changed-files.outputs.any_changed == 'false'
run: echo "No relevant files changed - skipping security scan"