build: Adopt go.work and remove submodule replace statements #4923
name: Security Scan | |
on: | |
push: | |
branches: | |
- main | |
- release/** | |
pull_request: | |
branches: | |
- main | |
- release/** | |
paths-ignore: | |
- 'docs/**' | |
- 'grafana/**' | |
- '.changelog/**' | |
# cancel existing runs of the same workflow on the same ref | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} | |
cancel-in-progress: true | |
jobs: | |
setup: | |
name: Setup | |
runs-on: ubuntu-latest | |
outputs: | |
compute-small: ${{ steps.setup-outputs.outputs.compute-small }} | |
compute-medium: ${{ steps.setup-outputs.outputs.compute-medium }} | |
compute-large: ${{ steps.setup-outputs.outputs.compute-large }} | |
compute-xl: ${{ steps.setup-outputs.outputs.compute-xl }} | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- id: setup-outputs | |
name: Setup outputs | |
run: ./.github/scripts/get_runner_classes.sh | |
get-go-version: | |
uses: ./.github/workflows/reusable-get-go-version.yml | |
scan: | |
needs: | |
- setup | |
- get-go-version | |
runs-on: ${{ fromJSON(needs.setup.outputs.compute-xl) }} | |
# The first check ensures this doesn't run on community-contributed PRs, who | |
# won't have the permissions to run this job. | |
if: ${{ (github.repository != 'hashicorp/consul' || (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name)) | |
&& (github.actor != 'dependabot[bot]') && (github.actor != 'hc-github-team-consul-core') }} | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
path: consul | |
- name: Get target path | |
id: get-target-path | |
run: | | |
echo $PWD | |
pwd | |
ls -al "$PWD/consul" | |
if [ "$PWD/consul" ]; then echo "SCAN_TARGET_PATH=$PWD/consul" >> $GITHUB_OUTPUT; else echo "not found"; fi | |
- name: Set up Go | |
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
with: | |
go-version: ${{ needs.get-go-version.outputs.go-version }} | |
- name: Clone Security Scanner repo | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
repository: hashicorp/security-scanner | |
token: ${{ secrets.PRODSEC_SCANNER_READ_ONLY }} | |
path: security-scanner | |
ref: main | |
# Work around scanner action bug caused when target repo isn't rooted at current working directory. | |
# See https://github.com/hashicorp/consul/actions/runs/10926448170/job/30330341123?pr=21657#step:7:46 | |
# for example of issue. This causes the job to fail even though the scan completes successfully. | |
# Copying .git should allow the action to do what it wants w/ the target repo git config without | |
# corrupting the source repo's own tree, which is what would happen if we followed suit w/ other | |
# repos and cloned the scanner under the target repo root / current working directory. | |
- name: Copy consul/.git to working directory | |
run: cp -R consul/.git . | |
- name: Scan | |
id: scan | |
uses: ./security-scanner | |
with: | |
repository: ${{ steps.get-target-path.outputs.SCAN_TARGET_PATH }} | |
# See scan.hcl at repository root for config. | |
- name: SARIF Output | |
shell: bash | |
run: | | |
cat results.sarif | jq | |
- name: Upload SARIF file | |
uses: github/codeql-action/upload-sarif@8fd294e26a0e458834582b0fe4988d79966c7c0a # codeql-bundle-v2.18.4 | |
with: | |
sarif_file: results.sarif |
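Review bot: The path check in the "Get target path" step, `if [ "$PWD/consul" ]; then`, is a non-empty-string test and is therefore always true, so the step never takes its "not found" branch even when the checkout did not land where expected; a directory test is what the surrounding `ls -al "$PWD/consul"` implies was intended. I would change that line to `if [ -d "$PWD/consul" ]; then echo "SCAN_TARGET_PATH=$PWD/consul" >> "$GITHUB_OUTPUT"; else echo "not found"; exit 1; fi` so a missing target fails the job instead of handing the scanner an empty `repository` input, and so the output file path is quoted like the other paths in the script. Separately, the workflow declares no `permissions:` block, and the final `upload-sarif` step presumably needs `security-events: write` to publish results; if the repository's default `GITHUB_TOKEN` grants are read-only, an explicit least-privilege block (`contents: read`, `security-events: write`) on the `scan` job would make that requirement visible rather than relying on repository settings — worth confirming against the action's documented requirements.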