removed github app repo dependency from the workflow files

veracode · Sep 26, 2023 · f2ffdfa · f2ffdfa
1 parent c955da4
commit f2ffdfa
Show file tree

Hide file tree

Showing 8 changed files with 131 additions and 80 deletions.
diff --git a/.github/workflows/action.yml b/.github/workflows/action.yml
@@ -0,0 +1,68 @@
+name: 'Organization workflow action'
+on:
+  workflow_call:
+    inputs:
+      run_id: 
+        description: 'ID of workflow run (provided via GitHub syntax `github.run_id`)'
+        required: true
+        type: string
+      repositroy_owner: 
+        description: 'repositroy_owner of original commit (provided by GitHub app via `github.event.client_payload.repository.owner`)'
+        required: true
+        type: string
+      repositroy_name: 
+        description: 'repositroy_name of original commit (provided by GitHub app via `github.event.client_payload.repository.name`)'
+        required: true
+        type: string
+      check_run_name: 
+        description: 'Name of check (Use `github.workflow` to use the name of the workflow)'
+        required: true
+        type: string
+      head_sha: 
+        description: 'head_sha of original commit (provided by GitHub app via `github.event.client_payload.sha`)'
+        required: true
+        type: string
+      github_token: 
+        description: 'github_token is a token (provided by GitHub app via `github.event.client_payload.token`)'
+        required: true
+        type: string
+      event_type:
+        description: 'event_type triggered by the GitHub App (provided by GitHub app via `github.event.client_payload.event_type`)'
+        required: true
+        type: string
+      default_organization_repository:
+        description: 'default_organization_repository will be workflow repo name where we will have all the workflow related config files'
+        required: true
+        type: string
+jobs:
+  reusable_workflow_job:
+    runs-on: ubuntu-latest
+    steps: 
+      # Create check run
+      - name: GitHub API Request to create a check
+        uses: octokit/request-action@v2.x
+        id: create_check_run
+        with:
+          route: POST /repos/{owner}/{repo}/check-runs
+          owner: ${{ inputs.repositroy_owner }}
+          repo: ${{ inputs.repositroy_name }}
+          name: ${{ inputs.check_run_name }}
+          head_sha: ${{ inputs.head_sha }}
+          status: in_progress
+          details_url: "https://github.com/${{ inputs.repositroy_owner}}/${{ inputs.default_organization_repository }}/actions/runs/${{ inputs.run_id }}"
+        env:
+          GITHUB_TOKEN: ${{ inputs.github_token }}
+      - name: Create metadata
+        id: create-metadata-json
+        run: |
+          echo '{
+            "check_run_type": "${{ inputs.event_type }}",
+            "repository_name": "${{ inputs.repositroy_name }}",
+            "check_run_id": ${{ fromJson(steps.create_check_run.outputs.data).id }}
+          }' > workflow-metadata.json
+        shell: bash
+      - name: Save metadata
+        uses: actions/upload-artifact@v3
+        with:
+          name: workflow-metadata
+          path: workflow-metadata.json
diff --git a/.github/workflows/binary-ready-veracode-sast-pipeline-scan.yml b/.github/workflows/binary-ready-veracode-sast-pipeline-scan.yml
@@ -8,19 +8,16 @@ on:
 
 jobs:
   register:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: GitHubVeracode/veracode-github-app@main
-        id: 'create_check_run'
-        with:
-          check_run_name: ${{ github.workflow }}
-          head_sha: ${{ github.event.client_payload.sha }}
-          repositroy_owner: ${{ github.event.client_payload.repository.owner }}
-          repositroy_name: ${{ github.event.client_payload.repository.name }}
-          status: 'in_progress'
-          event_type: ${{ github.event.client_payload.event_type }}
-          github_token: ${{ github.event.client_payload.token }}
-          default_organization_repository: 'veracode'
+    uses: ./.github/workflows/action.yml
+      with:
+        check_run_name: ${{ github.workflow }}
+        head_sha: ${{ github.event.client_payload.sha }}
+        repositroy_owner: ${{ github.event.client_payload.repository.owner }}
+        repositroy_name: ${{ github.event.client_payload.repository.name }}
+        event_type: ${{ github.event.client_payload.event_type }}
+        github_token: ${{ github.event.client_payload.token }}
+        default_organization_repository: 'veracode'
+        run_id: ${{ github.run_id }}
 
   pipeline_scan:
     needs: register

diff --git a/.github/workflows/binary-ready-veracode-sast-policy-scan.yml b/.github/workflows/binary-ready-veracode-sast-policy-scan.yml
@@ -8,19 +8,16 @@ on:
 
 jobs:
   register:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: GitHubVeracode/veracode-github-app@main
-        id: 'create_check_run'
-        with:
-          check_run_name: ${{ github.workflow }}
-          head_sha: ${{ github.event.client_payload.sha }}
-          repositroy_owner: ${{ github.event.client_payload.repository.owner }}
-          repositroy_name: ${{ github.event.client_payload.repository.name }}
-          status: 'in_progress'
-          event_type: ${{ github.event.client_payload.event_type }}
-          github_token: ${{ github.event.client_payload.token }}
-          default_organization_repository: 'veracode'
+    uses: ./.github/workflows/action.yml
+      with:
+        check_run_name: ${{ github.workflow }}
+        head_sha: ${{ github.event.client_payload.sha }}
+        repositroy_owner: ${{ github.event.client_payload.repository.owner }}
+        repositroy_name: ${{ github.event.client_payload.repository.name }}
+        event_type: ${{ github.event.client_payload.event_type }}
+        github_token: ${{ github.event.client_payload.token }}
+        default_organization_repository: 'veracode'
+        run_id: ${{ github.run_id }}
 
   policy_scan:
     needs: register

diff --git a/.github/workflows/veracode-code-analysis.yml b/.github/workflows/veracode-code-analysis.yml
@@ -8,19 +8,16 @@ on:
 
 jobs:
   register:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: GitHubVeracode/veracode-github-app@main
-        id: 'create_check_run'
-        with:
-          check_run_name: ${{ github.workflow }}
-          head_sha: ${{ github.event.client_payload.sha }}
-          repositroy_owner: ${{ github.event.client_payload.repository.owner }}
-          repositroy_name: ${{ github.event.client_payload.repository.name }}
-          status: 'in_progress'
-          event_type: ${{ github.event.client_payload.event_type }}
-          github_token: ${{ github.event.client_payload.token }}
-          default_organization_repository: 'veracode'
+    uses: ./.github/workflows/action.yml
+      with:
+        check_run_name: ${{ github.workflow }}
+        head_sha: ${{ github.event.client_payload.sha }}
+        repositroy_owner: ${{ github.event.client_payload.repository.owner }}
+        repositroy_name: ${{ github.event.client_payload.repository.name }}
+        event_type: ${{ github.event.client_payload.event_type }}
+        github_token: ${{ github.event.client_payload.token }}
+        default_organization_repository: 'veracode'
+        run_id: ${{ github.run_id }}
 
   build:
     needs: register

diff --git a/.github/workflows/veracode-iac-secrets-scan.yml b/.github/workflows/veracode-iac-secrets-scan.yml
@@ -8,19 +8,16 @@ on:
 
 jobs:
   register:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: GitHubVeracode/veracode-github-app@main
-        id: 'create_check_run'
-        with:
-          check_run_name: ${{ github.workflow }}
-          head_sha: ${{ github.event.client_payload.sha }}
-          repositroy_owner: ${{ github.event.client_payload.repository.owner }}
-          repositroy_name: ${{ github.event.client_payload.repository.name }}
-          status: 'in_progress'
-          event_type: ${{ github.event.client_payload.event_type }}
-          github_token: ${{ github.event.client_payload.token }}
-          default_organization_repository: 'veracode'
+    uses: ./.github/workflows/action.yml
+      with:
+        check_run_name: ${{ github.workflow }}
+        head_sha: ${{ github.event.client_payload.sha }}
+        repositroy_owner: ${{ github.event.client_payload.repository.owner }}
+        repositroy_name: ${{ github.event.client_payload.repository.name }}
+        event_type: ${{ github.event.client_payload.event_type }}
+        github_token: ${{ github.event.client_payload.token }}
+        default_organization_repository: 'veracode'
+        run_id: ${{ github.run_id }}
 
   veracode-iac-secrets-scan:
     needs: [register]

diff --git a/.github/workflows/veracode-not-supported.yml b/.github/workflows/veracode-not-supported.yml
@@ -8,19 +8,16 @@ on:
 
 jobs:
   register:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: GitHubVeracode/veracode-github-app@main
-        id: 'create_check_run'
-        with:
-          check_run_name: ${{ github.workflow }}
-          head_sha: ${{ github.event.client_payload.sha }}
-          repositroy_owner: ${{ github.event.client_payload.repository.owner }}
-          repositroy_name: ${{ github.event.client_payload.repository.name }}
-          status: 'in_progress'
-          event_type: ${{ github.event.client_payload.event_type }}
-          github_token: ${{ github.event.client_payload.token }}
-          default_organization_repository: 'veracode'
+    uses: ./.github/workflows/action.yml
+      with:
+        check_run_name: ${{ github.workflow }}
+        head_sha: ${{ github.event.client_payload.sha }}
+        repositroy_owner: ${{ github.event.client_payload.repository.owner }}
+        repositroy_name: ${{ github.event.client_payload.repository.name }}
+        event_type: ${{ github.event.client_payload.event_type }}
+        github_token: ${{ github.event.client_payload.token }}
+        default_organization_repository: 'veracode'
+        run_id: ${{ github.run_id }}
 
   veracode-not-supported:
     needs: [register]

diff --git a/.github/workflows/veracode-sca-scan.yml b/.github/workflows/veracode-sca-scan.yml
@@ -8,19 +8,16 @@ on:
 
 jobs:
   register:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: GitHubVeracode/veracode-github-app@main
-        id: 'create_check_run'
-        with:
-          check_run_name: ${{ github.workflow }}
-          head_sha: ${{ github.event.client_payload.sha }}
-          repositroy_owner: ${{ github.event.client_payload.repository.owner }}
-          repositroy_name: ${{ github.event.client_payload.repository.name }}
-          status: 'in_progress'
-          event_type: ${{ github.event.client_payload.event_type }}
-          github_token: ${{ github.event.client_payload.token }}
-          default_organization_repository: 'veracode'
+    uses: ./.github/workflows/action.yml
+      with:
+        check_run_name: ${{ github.workflow }}
+        head_sha: ${{ github.event.client_payload.sha }}
+        repositroy_owner: ${{ github.event.client_payload.repository.owner }}
+        repositroy_name: ${{ github.event.client_payload.repository.name }}
+        event_type: ${{ github.event.client_payload.event_type }}
+        github_token: ${{ github.event.client_payload.token }}
+        default_organization_repository: 'veracode'
+        run_id: ${{ github.run_id }}
 
   veracode-sca-scan:
     needs: [register]

diff --git a/veracode.yml b/veracode.yml
@@ -5,6 +5,7 @@ veracode_sast_pipeline_scan:
   push:
     trigger: true
     branches_to_run:
+      - default_branch
     branches_to_exclude:
       - default_branch
   pull_request:
@@ -29,7 +30,7 @@ veracode_sast_policy_scan:
   # pull request event. Specifying both will only execute push event.
   # Leaving them both false means this will never run
   push:
-    trigger: false
+    trigger: true
     branches_to_run:
       - default_branch
     branches_to_exclude:
@@ -55,7 +56,7 @@ veracode_sca_scan:
   # pull request event. Specifying both will only execute push event.
   # Leaving them both false means this will never run
   push:
-    trigger: false
+    trigger: true
     branches_to_run:
       - "*"
     branches_to_exclude: