Adds generic sbt node snyk workflow #11
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| name: SBT Node Snyk | ||
|
|
||
| on: | ||
| workflow_call: | ||
|
There was a problem hiding this comment. I see in https://github.com/guardian/workflow-frontend/pull/356/files we're setting this up to be called on push to any branch. I think the guidance in the past has been to run There was a problem hiding this comment. @jfsoul, this is a good point. Our workflows diverged from that recommendation due to failing checks against PRs which were nothing to do with the content of the PR. As many of our projects have outstanding vulnerabilities which need resolving, the test function would always provide a failing result. This was unhelpful and indicated an issue to developers unfamiliar with this process. As it represented a problem with overall codebase and not the PR specifically we felt it wasn't relevant to have as a PR check. We therefore thought it would be preferable to exclude the test check and only run monitor, the results of which can be reviewed in the Snyk dashboard. It would be interesting to know how other teams addressed these concerns. There was a problem hiding this comment. After discussing offline I realise now that workflow-frontend will actually only be running this workflow on pushes to main - we've just commented that restriction out for testing. I do think there's value in |
||
| inputs: | ||
| DEBUG: | ||
| type: string | ||
| required: false | ||
| secrets: | ||
| SNYK_TOKEN: | ||
| required: true | ||
|
|
||
| jobs: | ||
| security: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout branch | ||
| uses: actions/checkout@v2 | ||
|
|
||
| - name: Setup debug var | ||
| run: echo INPUT_DEBUG=${{ inputs.DEBUG }} >> $GITHUB_ENV | ||
| shell: bash | ||
|
|
||
| - uses: snyk/actions/setup@0.3.0 | ||
| - uses: actions/setup-node@v2 | ||
| with: | ||
| node-version-file: '.nvmrc' | ||
|
|
||
| - uses: actions/setup-java@v2 | ||
| with: | ||
| java-version: "11" | ||
| distribution: "adopt" | ||
|
|
||
| - name: Snyk monitor | ||
| run: snyk monitor --all-projects ${INPUT_DEBUG:+ -d} | ||
|
There was a problem hiding this comment. I haven't used Relatedly, there's potentially other CLI flags we'd want to consider supporting like There was a problem hiding this comment.
|
||
| env: | ||
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suppose this isn't just
Node, so we might want to rename. Although I think at least in terms of clarity it might be preferable to separate the 2 actions?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What would you recommend we rename it to? My intention was to create a generic Snyk workflow which would match the general setup of our projects i.e. SBT with Node. If a project has one language then the existing Snyk actions could be used, unless we also wanted to create our own versions for reusability.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I misread this initially so my comment isn't really valid.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe something like
Simple Snyk monitor for SBT + Node?