Enhance artifact download options in prisma.yml #1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow uses actions that are not certified by GitHub. | ||
| # They are provided by a third-party and are governed by | ||
| # separate terms of service, privacy policy, and support | ||
| # documentation. | ||
| # A sample workflow that checks for security issues using | ||
| # the Prisma Cloud Infrastructure as Code Scan Action on | ||
| # the IaC files present in the repository. | ||
| # The results are uploaded to GitHub Security Code Scanning | ||
| # | ||
| # For more details on the Action configuration see https://github.com/prisma-cloud-shiftleft/iac-scan-action | ||
| name: Prisma Cloud IaC Scan | ||
| on: | ||
| push: | ||
| branches: [ "main" ] | ||
| pull_request: | ||
| # The branches below must be a subset of the branches above | ||
| branches: [ "main" ] | ||
| schedule: | ||
| - cron: '25 16 * * 0' | ||
| permissions: | ||
| contents: read | ||
| jobs: | ||
| prisma_cloud_iac_scan: | ||
| permissions: | ||
| contents: read # for actions/checkout to fetch code | ||
| security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | ||
| actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | ||
| runs-on: ubuntu-latest | ||
| name: Run Prisma Cloud IaC Scan to check | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| - id: iac-scan | ||
| name: Run Scan on CFT files in the repository | ||
| uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3 | ||
| with: | ||
| # You will need Prisma Cloud API Access Token | ||
| # More details in https://github.com/prisma-cloud-shiftleft/iac-scan-action | ||
| prisma_api_url: ${{ secrets.PRISMA_CLOUD_API_URL }} | ||
| access_key: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }} | ||
| secret_key: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }} | ||
| # Scan sources on Prisma Cloud are uniquely identified by their name | ||
| asset_name: 'my-asset-name' | ||
| # The service need to know the type of IaC being scanned | ||
| template_type: 'CFT' | ||
| - name: Upload SARIF file | ||
| uses: github/codeql-action/upload-sarif@v3 | ||
| # Results are generated only on a success or failure | ||
| # this is required since GitHub by default won't run the next step | ||
| # when the previous one has failed. | ||
| # And alternative it to add `continue-on-error: true` to the previous step | ||
| if: success() || failure() | ||
| with: | ||
| # The SARIF Log file name is configurable on scan action | ||
| # therefore the file name is best read from the steps output | ||
| sarif_file: ${{ steps.iac-scan.outputs.iac_scan_result_sarif_path }} | ||
| - name: Download a Build Artifact | ||
| uses: actions/download-artifact@v7.0.0 | ||
| with: | ||
| # Name of the artifact to download. If unspecified, all artifacts for the run are downloaded. | ||
| name: # optional | ||
| # IDs of the artifacts to download, comma-separated. Either inputs `artifact-ids` or `name` can be used, but not both. | ||
| artifact-ids: # optional | ||
| # Destination path. Supports basic tilde expansion. Defaults to $GITHUB_WORKSPACE | ||
| path: # optional | ||
| # A glob pattern matching the artifacts that should be downloaded. Ignored if name is specified. | ||
| pattern: # optional | ||
| # When multiple artifacts are matched, this changes the behavior of the destination directories. If true, the downloaded artifacts will be in the same directory specified by path. If false, the downloaded artifacts will be extracted into individual named directories within the specified path. | ||
| merge-multiple: # optional, default is false | ||
| # The GitHub token used to authenticate with the GitHub API. This is required when downloading artifacts from a different repository or from a different workflow run. If this is not specified, the action will attempt to download artifacts from the current repository and the current workflow run. | ||
| github-token: # optional | ||
| # The repository owner and the repository name joined together by "/". If github-token is specified, this is the repository that artifacts will be downloaded from. | ||
| repository: # optional, default is ${{ github.repository }} | ||
| # The id of the workflow run where the desired download artifact was uploaded from. If github-token is specified, this is the run that artifacts will be downloaded from. | ||
| run-id: # optional, default is ${{ github.run_id }} | ||
