build(deps): bump anchore/scan-action from 3 to 4 (#163)

Bumps [anchore/scan-action](https://github.com/anchore/scan-action) from 3 to 4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/anchore/scan-action/releases">anchore/scan-action's releases</a>.</em></p> <blockquote> <h2>v4.0.0</h2> <h2>New in scan-action v4.0.0</h2> <ul> <li>Update Grype to v0.79.2 (<a href="https://redirect.github.com/anchore/scan-action/issues/338">#338</a>) [<a href="https://github.com/anchore-actions-token-generator">anchore-actions-token-generator</a>]</li> <li>Download Grype on Windows (<a href="https://redirect.github.com/anchore/scan-action/issues/336">#336</a>) [<a href="https://github.com/willmurphyscode">willmurphyscode</a>] (<a href="https://redirect.github.com/anchore/scan-action/issues/315">#315</a>) [<a href="https://github.com/kzantow">kzantow</a>]</li> <li>Bump Node to v20 (<a href="https://redirect.github.com/anchore/scan-action/issues/295">#295</a>) [<a href="https://github.com/ViacheslavKudinov">ViacheslavKudinov</a>]</li> </ul> <h2>v3.6.4</h2> <h2>New in scan-action v3.6.4</h2> <ul> <li>Update Grype to v0.74.4 (<a href="https://redirect.github.com/anchore/scan-action/issues/279">#279</a>) [<a href="https://github.com/anchore-actions-token-generator">anchore-actions-token-generator</a>]</li> </ul> <h2>v3.6.3</h2> <h2>New in scan-action v3.6.3</h2> <ul> <li>chore: migrate action to use node v20.11.0 (Iron) FROM node v16.x.x (<a href="https://redirect.github.com/anchore/scan-action/issues/278">#278</a>) [<a href="https://github.com/spiffcs">spiffcs</a>]</li> </ul> <h2>v3.6.2</h2> <h2>New in scan-action v3.6.2</h2> <ul> <li>chore(deps): update Grype to v0.74.3 (<a href="https://redirect.github.com/anchore/scan-action/issues/275">#275</a>) [<a href="https://github.com/anchore-actions-token-generator">anchore-actions-token-generator</a>]</li> </ul> <h2>v3.6.1</h2> <h2>New in scan-action v3.6.1</h2> <ul> <li>chore(deps): update Grype to v0.74.2 (<a href="https://redirect.github.com/anchore/scan-action/issues/272">#272</a>) [<a href="https://github.com/anchore-actions-token-generator">anchore-actions-token-generator</a>]</li> <li>chore(deps-dev): bump prettier from 3.2.2 to 3.2.4 (<a href="https://redirect.github.com/anchore/scan-action/issues/270">#270</a>) [<a href="https://github.com/dependabot">dependabot</a>]</li> </ul> <h2>v3.6.0</h2> <h2>New in scan-action v3.6.0</h2> <ul> <li>chore(deps): update Grype to v0.74.1 (<a href="https://redirect.github.com/anchore/scan-action/issues/271">#271</a>) [<a href="https://github.com/anchore-actions-token-generator">anchore-actions-token-generator</a>]</li> <li>chore(deps-dev): bump prettier from 3.1.1 to 3.2.2 (<a href="https://redirect.github.com/anchore/scan-action/issues/268">#268</a>) [<a href="https://github.com/dependabot">dependabot</a>]</li> </ul> <h2>v3.5.0</h2> <h2>New in scan-action v3.5.0</h2> <ul> <li>chore(deps): update Grype to v0.74.0 (<a href="https://redirect.github.com/anchore/scan-action/issues/267">#267</a>) [<a href="https://github.com/anchore-actions-token-generator">anchore-actions-token-generator</a>]</li> <li>chore(deps): bump <code>@actions/core</code> from 1.10.0 to 1.10.1 (<a href="https://redirect.github.com/anchore/scan-action/issues/262">#262</a>) [<a href="https://github.com/dependabot">dependabot</a>]</li> </ul> <h2>v3.4.0</h2> <h2>New in scan-action v3.4.0</h2> <ul> <li>chore(deps-dev): bump tslib from 2.5.0 to 2.6.2 (<a href="https://redirect.github.com/anchore/scan-action/issues/258">#258</a>) [<a href="https://github.com/dependabot">dependabot</a>]</li> <li>chore(deps-dev): bump <code>@vercel/ncc</code> from 0.36.1 to 0.38.1 (<a href="https://redirect.github.com/anchore/scan-action/issues/261">#261</a>) [<a href="https://github.com/dependabot">dependabot</a>]</li> <li>chore(deps): update Grype to v0.73.5 (<a href="https://redirect.github.com/anchore/scan-action/issues/264">#264</a>) [<a href="https://github.com/anchore-actions-token-generator">anchore-actions-token-generator</a>]</li> <li>Add support for the <code>--vex</code> flag (<a href="https://redirect.github.com/anchore/scan-action/issues/254">#254</a>) [<a href="https://github.com/ferozsalam">ferozsalam</a>]</li> </ul> <h2>v3.3.8</h2> <h2>New in scan-action v3.3.8</h2>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/anchore/scan-action/blob/main/CHANGELOG.md">anchore/scan-action's changelog</a>.</em></p> <blockquote> <h1>Release Notes</h1> <h2>Version 2.0.2 - 2020-11-11</h2> <ul> <li>Update <code>actions/core</code> to use version <code>1.2.6</code> [(Issue <a href="https://redirect.github.com/anchore/scan-action/issues/71">#71</a>)](<a href="https://redirect.github.com/anchore/scan-action/issues/71">anchore/scan-action#71</a>)</li> </ul> <h2>Version 2.0.1 - 2020-02-11</h2> <p>Fixes:</p> <ul> <li>Removes unnecessary constraint in deduplication for SARIF reporting</li> <li>Allows defining and referencing the location of the SARIF report file</li> <li>Fixes multiple instances where undefined items in the reporting would break scanning</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/anchore/scan-action/commit/d43cc1dfea6a99ed123bf8f3133f1797c9b44492"><code>d43cc1d</code></a> chore(deps): update Grype to v0.79.3 (<a href="https://redirect.github.com/anchore/scan-action/issues/341">#341</a>)</li> <li><a href="https://github.com/anchore/scan-action/commit/a2c96d38ddde62d4a2aa238844733fddd01399c9"><code>a2c96d3</code></a> chore(deps-dev): bump tslib from 2.6.2 to 2.6.3 (<a href="https://redirect.github.com/anchore/scan-action/issues/325">#325</a>)</li> <li><a href="https://github.com/anchore/scan-action/commit/7e49a1e6eaf54c02ecc8c071bd30dbb3beb1bde3"><code>7e49a1e</code></a> chore(deps-dev): bump prettier from 3.3.0 to 3.3.2 (<a href="https://redirect.github.com/anchore/scan-action/issues/327">#327</a>)</li> <li><a href="https://github.com/anchore/scan-action/commit/f207359fdefc9d060383773d27f14bb4a7c09bac"><code>f207359</code></a> chore(deps): bump actions/checkout from 4.1.6 to 4.1.7 (<a href="https://redirect.github.com/anchore/scan-action/issues/330">#330</a>)</li> <li><a href="https://github.com/anchore/scan-action/commit/9b502f28c7dd03ab87931c1eb9a872413868b8b8"><code>9b502f2</code></a> chore(deps-dev): bump lint-staged from 15.2.2 to 15.2.7 (<a href="https://redirect.github.com/anchore/scan-action/issues/329">#329</a>)</li> <li><a href="https://github.com/anchore/scan-action/commit/29a085af3d75de61093ce553ac2dbd8edd2e777b"><code>29a085a</code></a> chore(deps): bump peter-evans/create-pull-request from 6.0.5 to 6.1.0 (<a href="https://redirect.github.com/anchore/scan-action/issues/334">#334</a>)</li> <li><a href="https://github.com/anchore/scan-action/commit/7f46fbf85cadcd374ff60adb2df71eb0d1f41482"><code>7f46fbf</code></a> chore(deps-dev): bump eslint from 8.57.0 to 9.6.0 (<a href="https://redirect.github.com/anchore/scan-action/issues/335">#335</a>)</li> <li><a href="https://github.com/anchore/scan-action/commit/04b73ec0bba3de85519c4ec634bffedead788f96"><code>04b73ec</code></a> chore(deps): update Grype to v0.79.2 (<a href="https://redirect.github.com/anchore/scan-action/issues/338">#338</a>)</li> <li><a href="https://github.com/anchore/scan-action/commit/69a534f9ca3bf6bf67a9ab5614819217766f5e30"><code>69a534f</code></a> fix: download Grype directly on Windows (<a href="https://redirect.github.com/anchore/scan-action/issues/336">#336</a>)</li> <li><a href="https://github.com/anchore/scan-action/commit/d09e278f43e314a93efb4e6000ff0df6153e9333"><code>d09e278</code></a> chore(deps-dev): bump prettier from 3.2.5 to 3.3.0 (<a href="https://redirect.github.com/anchore/scan-action/issues/323">#323</a>)</li> <li>Additional commits viewable in <a href="https://github.com/anchore/scan-action/compare/v3...v4">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=anchore/scan-action&package-manager=github_actions&previous-version=3&new-version=4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: fabasoad <fabasoad@gmail.com>
fabasoad · Aug 2, 2024 · 91b1042 · 91b1042
1 parent 7f6edac
commit 91b1042
Show file tree

Hide file tree

Showing 9 changed files with 63 additions and 207 deletions.
diff --git a/.github/labels.yml b/.github/labels.yml
diff --git a/.github/workflows/functional-tests.yml b/.github/workflows/functional-tests.yml
@@ -24,6 +24,14 @@ jobs:
       - name: Checkout ${{ github.repository }}
         uses: actions/checkout@v4
       - name: Setup Kitten
+        id: setup-kitten
+        continue-on-error: true
         uses: ./
       - name: Run script
+        if: ${{ steps.setup-kitten.outcome == 'success' }}
         run: kitten ./hello-world.ktn
+      - name: Validate outcome
+        run: |
+          if [ "${RUNNER_OS}" != "macOS" ] && [ "${{ steps.setup-kitten.outcome }}" = "failure" ]; then
+            exit 1
+          fi
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,29 +7,6 @@ on: # yamllint disable-line rule:truthy
       - "v*.*.*"
 
 jobs:
-  create-release:
-    name: Create release
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - name: Get changelog
-        id: changelog
-        uses: simbo/changes-since-last-release-action@v1
-      - name: Create release
-        uses: softprops/action-gh-release@v2
-        with:
-          tag_name: ${{ github.ref }}
-          name: ${{ github.ref_name }}
-          token: ${{ secrets.GITHUB_TOKEN }}
-          body: |
-            # Changelog
-
-            ${{ steps.changelog.outputs.log }}
-          draft: false
-          prerelease: false
-      - name: Bump tags
-        uses: fischerscode/tagger@v0
-        with:
-          prefix: v
+  github:
+    name: GitHub
+    uses: fabasoad/reusable-workflows/.github/workflows/wf-github-release.yml@main
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -7,45 +7,10 @@ on: # yamllint disable-line rule:truthy
     branches:
       - main
 
-defaults:
-  run:
-    shell: sh
-
 jobs:
-  code-scanning:
-    name: Code scanning
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout ${{ github.repository }}
-        uses: actions/checkout@v4
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
-        with:
-          languages: "javascript"
-      - name: Perform CodeQL Analysis
-        id: codeql-analysis
-        uses: github/codeql-action/analyze@v3
-      - name: Upload to GHAS
-        if: always()
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          category: "code-scanning"
-          sarif_file: "${{ steps.codeql-analysis.outputs.sarif-output }}"
-  directory-scanning:
-    name: Directory scanning
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout ${{ github.repository }}
-        uses: actions/checkout@v4
-      - name: Scan current project
-        id: scan-directory
-        uses: anchore/scan-action@v3
-        with:
-          by-cve: "true"
-          path: "."
-      - name: Upload to GHAS
-        if: always()
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          category: "directory-scanning"
-          sarif_file: "${{ steps.scan-directory.outputs.sarif }}"
+  sast:
+    name: SAST
+    permissions:
+      contents: read
+      security-events: write
+    uses: fabasoad/reusable-workflows/.github/workflows/wf-security-sast.yml@main
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
@@ -1,23 +1,13 @@
 ---
-name: Sync labels
+name: Labels
 
 on: # yamllint disable-line rule:truthy
   push:
     branches:
       - main
-    paths:
-      - .github/labels.yml
-      - .github/workflows/sync-labels.yml
-  workflow_dispatch:
+  workflow_dispatch: {}
 
 jobs:
-  sync-labels:
-    name: Sync labels
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout ${{ github.repository }}
-        uses: actions/checkout@v4
-      - name: Run Label Syncer
-        uses: micnncim/action-label-syncer@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  maintenance:
+    name: Maintenance
+    uses: fabasoad/reusable-workflows/.github/workflows/wf-sync-labels.yml@main
diff --git a/.github/workflows/update-license.yml b/.github/workflows/update-license.yml
@@ -1,28 +1,11 @@
 ---
-name: Update license
+name: License
 
 on: # yamllint disable-line rule:truthy
   schedule:
     - cron: "0 5 1 1 *"
 
 jobs:
-  run:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - uses: FantasticFiasco/action-update-license-year@v3
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          assignees: ${{ github.repository_owner }}
-          labels: enhancement
-          prTitle: Update license copyright year to {{currentYear}}
-          prBody: |
-            ## Changelog
-
-            - Update license copyright year to {{currentYear}}
-
-            ---
-
-            Powered by [FantasticFiasco/action-update-license-year](https://github.com/FantasticFiasco/action-update-license-year)
+  maintenance:
+    name: Maintenance
+    uses: fabasoad/reusable-workflows/.github/workflows/wf-update-license.yml@main
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -5,16 +5,16 @@ minimum_pre_commit_version: 2.18.0
 repos:
   # Security
   - repo: https://github.com/Yelp/detect-secrets
-    rev: v1.4.0
+    rev: v1.5.0
     hooks:
       - id: detect-secrets
   - repo: https://github.com/gitleaks/gitleaks
-    rev: v8.18.2
+    rev: v8.18.4
     hooks:
       - id: gitleaks
   # Markdown
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.39.0
+    rev: v0.41.0
     hooks:
       - id: markdownlint-fix
         stages: ["commit"]
@@ -26,11 +26,11 @@ repos:
         stages: ["push"]
   # GitHub Actions
   - repo: https://github.com/rhysd/actionlint
-    rev: v1.6.27
+    rev: v1.7.1
     hooks:
       - id: actionlint
         args: ["-pyflakes="]
-        stages: ["push"]
+        stages: ["commit"]
   # Other
   - repo: https://github.com/pre-commit/mirrors-prettier
     rev: v3.1.0
@@ -40,6 +40,10 @@ repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.6.0
     hooks:
+      - id: check-executables-have-shebangs
+        stages: ["commit"]
+      - id: check-shebang-scripts-are-executable
+        stages: ["commit"]
       - id: check-merge-conflict
       - id: check-json
         stages: ["push"]

diff --git a/README.md b/README.md
@@ -10,8 +10,9 @@ This action sets up a [Kitten](http://kittenlang.org/).
 
 ## Prerequisites
 
-The following tools have to be installed for successful work of this GitHub action:
-[git](https://git-scm.com), [stack](https://docs.haskellstack.org/en/stable).
+None.
+
+> `macOS` is not supported at this moment
 
 ## Example usage
 

diff --git a/action.yml b/action.yml
@@ -8,39 +8,45 @@ branding:
 runs:
   using: "composite"
   steps:
+    - name: Fail
+      if: ${{ runner.os == 'macOS' }}
+      run: echo "::error::${RUNNER_OS} ${RUNNER_ARCH} is not supported" && exit 1
+      shell: sh
     - name: Collect info
       id: info
       run: |
-        KITTEN_EXEC_NAME=kitten
+        kitten_exec_name=kitten
         if [ "${RUNNER_OS}" = "Windows" ]; then
-          KITTEN_EXEC_NAME="${KITTEN_EXEC_NAME}.exe"
+          kitten_exec_name="${kitten_exec_name}.exe"
         fi
-        echo "KITTEN_EXEC_NAME=${KITTEN_EXEC_NAME}" >> "$GITHUB_OUTPUT"
-        KITTEN_INSTALLED=$(if command -v "${KITTEN_EXEC_NAME}" >/dev/null 2>&1; then echo true; else echo false; fi)
-        echo "KITTEN_INSTALLED=$KITTEN_INSTALLED" >> "$GITHUB_OUTPUT"
-        mkdir -p "$RUNNER_TEMP/kitten"
-        echo "KITTEN_PATH=${RUNNER_TEMP}/kitten" >> "$GITHUB_OUTPUT"
+        echo "kitten-exec-name=${kitten_exec_name}" >> "$GITHUB_OUTPUT"
+        kitten_installed=$(if command -v "${kitten_exec_name}" >/dev/null 2>&1; then echo true; else echo false; fi)
+        echo "kitten-installed=${kitten_installed}" >> "$GITHUB_OUTPUT"
+        stack_installed=$(if command -v stack >/dev/null 2>&1; then echo true; else echo false; fi)
+        echo "stack-installed=${stack_installed}" >> "$GITHUB_OUTPUT"
       shell: sh
-    - name: Clone Kitten repository
-      if: ${{ steps.info.outputs.KITTEN_INSTALLED == 'false' }}
-      env:
-        KITTEN_VERSION: 2bbc264d7f05c4a7d7b35d06773d1ab2f0623193 # pragma: allowlist secret
-      run: |
-        git clone https://github.com/evincarofautumn/kitten.git "${{ steps.info.outputs.KITTEN_PATH }}"
-        git reset --hard "${KITTEN_VERSION}"
+    - name: Setup Stack
+      if: ${{ steps.info.outputs.stack-installed == 'false' }}
+      run: curl -sSL https://get.haskellstack.org/ | sh
       shell: sh
-      working-directory: ${{ steps.info.outputs.KITTEN_PATH }}
+    - name: Clone Kitten repository
+      if: ${{ steps.info.outputs.kitten-installed == 'false' }}
+      uses: actions/checkout@v4
+      with:
+        repository: "evincarofautumn/kitten"
+        ref: "2bbc264d7f05c4a7d7b35d06773d1ab2f0623193" # pragma: allowlist secret
+        path: "kitten-repo"
     - name: Build Kitten
-      if: ${{ steps.info.outputs.KITTEN_INSTALLED == 'false' }}
+      if: ${{ steps.info.outputs.kitten-installed == 'false' }}
       run: |
         stack setup --stack-yaml stack.yaml
         stack build --stack-yaml stack.yaml
       shell: sh
-      working-directory: ${{ steps.info.outputs.KITTEN_PATH }}
+      working-directory: kitten-repo
     - name: Add Kitten to PATH
-      if: ${{ steps.info.outputs.KITTEN_INSTALLED == 'false' }}
+      if: ${{ steps.info.outputs.kitten-installed == 'false' }}
       run: |
-        exe_path=$(find "${{ steps.info.outputs.KITTEN_PATH }}/.stack-work/install" -name "${{ steps.info.outputs.KITTEN_EXEC_NAME }}")
+        exe_path=$(find "${GITHUB_WORKSPACE}/kitten-repo/.stack-work/install" -name "${{ steps.info.outputs.kitten-exec-name }}")
         bin_path=$(dirname "${exe_path}")
         echo "${bin_path}" >> "$GITHUB_PATH"
       shell: sh