New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adds generic sbt node snyk workflow #11
Changes from 2 commits
5ad3553
2d42b44
165178a
8d51820
1c7bd54
9b44635
7c34166
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
name: SBT Node Snyk | ||
|
||
on: | ||
workflow_call: | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I see in https://github.com/guardian/workflow-frontend/pull/356/files we're setting this up to be called on push to any branch. I think the guidance in the past has been to run There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @jfsoul, this is a good point. Our workflows diverged from that recommendation due to failing checks against PRs which were nothing to do with the content of the PR. As many of our projects have outstanding vulnerabilities which need resolving, the test function would always provide a failing result. This was unhelpful and indicated an issue to developers unfamiliar with this process. As it represented a problem with overall codebase and not the PR specifically we felt it wasn't relevant to have as a PR check. We therefore thought it would be preferable to exclude the test check and only run monitor, the results of which can be reviewed in the Snyk dashboard. It would be interesting to know how other teams addressed these concerns. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. After discussing offline I realise now that workflow-frontend will actually only be running this workflow on pushes to main - we've just commented that restriction out for testing. I do think there's value in |
||
inputs: | ||
DEBUG: | ||
type: string | ||
required: false | ||
secrets: | ||
SNYK_TOKEN: | ||
required: true | ||
|
||
jobs: | ||
security: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout branch | ||
uses: actions/checkout@v2 | ||
|
||
- name: Setup debug var | ||
run: echo INPUT_DEBUG=${{ inputs.DEBUG }} >> $GITHUB_ENV | ||
shell: bash | ||
|
||
- uses: snyk/actions/setup@0.3.0 | ||
- uses: actions/setup-node@v2 | ||
with: | ||
node-version-file: '.nvmrc' | ||
|
||
- uses: actions/setup-java@v2 | ||
with: | ||
java-version: "11" | ||
distribution: "adopt" | ||
|
||
- name: Snyk monitor | ||
run: snyk monitor --all-projects ${INPUT_DEBUG:+ -d} | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I haven't used Relatedly, there's potentially other CLI flags we'd want to consider supporting like There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
|
||
env: | ||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suppose this isn't just
Node
, so we might want to rename. Although I think at least in terms of clarity it might be preferable to separate the 2 actions?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What would you recommend we rename it to? My intention was to create a generic Snyk workflow which would match the general setup of our projects i.e. SBT with Node. If a project has one language then the existing Snyk actions could be used, unless we also wanted to create our own versions for reusability.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I misread this initially so my comment isn't really valid.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe something like
Simple Snyk monitor for SBT + Node
?