Skip to content
PR Merge Check - Javelin Python

Fix sdk examples #234

Sign in to view logs

Fix sdk examples

Fix sdk examples #234

Workflow file for this run

.github/workflows/pr-check.yml at 7cf2a54
name: PR Merge Check - Javelin Python
on:
pull_request:
types:
- opened
- synchronize
- reopened
branches:
- "main"
merge_group:
types:
- checks_requested
env:
PY_LINT_CFG: ".flake8"
LINT_REPORT_FILE: "lint-report"
PY_VER: 3.11.8
PR_CHECK_PREFIX: "feat:|fix:|devops:|Merge|Revert|build\\(deps\\)|\\[Snyk\\]|Bump"
GH_SEC_REPORT: false
TRIVY_SEVERITY: "HIGH,CRITICAL"
TRIVY_REPORT_FILE: "trivy-scan-result"
jobs:
javelin-commit-check:
permissions:
contents: 'read'
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
persist-credentials: false
- name: Get the last commit message
id: commit_message
run: |
COMMIT_MESSAGE=$(git show -s --format=%s)
echo "message=${COMMIT_MESSAGE}" >> ${GITHUB_OUTPUT}
- name: Commit Message Check
shell: bash
env:
COMMIT_MESSAGE: "${{ steps.commit_message.outputs.message }}"
run: |-
CLEAN_COMMIT_MESSAGE=$(echo '${{ env.COMMIT_MESSAGE }}' | sed "s|\"||g")
if [[ "${CLEAN_COMMIT_MESSAGE}" =~ ^(${{ env.PR_CHECK_PREFIX }}) ]]; then
echo "Commit message is valid....!"
else
echo "Commit message does not contain required keywords....!"
exit 1
fi
javelin-lint-check:
permissions:
contents: 'read'
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Setup Python Version
uses: actions/setup-python@v5
with:
python-version: ${{ env.PY_VER }}
cache: 'pip'
- name: Python Lint Check
shell: bash
run: |-
pip install flake8
flake8 . --config=${{ env.PY_LINT_CFG }} --output-file=${{ env.LINT_REPORT_FILE }}.json
- name: Upload Lint Report
uses: actions/upload-artifact@v4
with:
name: ${{ env.LINT_REPORT_FILE }}
path: ${{ env.LINT_REPORT_FILE }}.json
retention-days: 1
javelin-trivy-scan:
permissions:
contents: 'read'
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@v4
with:
persist-credentials: true
- name: Trivy Scan - GitHub Security Report
if: ${{ env.GH_SEC_REPORT == 'true' }}
uses: aquasecurity/[email protected]
with:
ignore-unfixed: true
scan-type: "fs"
cache: "true"
format: "sarif"
output: "${{ env.TRIVY_REPORT_FILE }}.sarif"
severity: "${{ env.TRIVY_SEVERITY }}"
- name: Upload Report - GitHub Security Report
if: ${{ env.GH_SEC_REPORT == 'true' }}
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "${{ env.TRIVY_REPORT_FILE }}.sarif"
- name: Trivy Scan - Text Security Report
if: ${{ env.GH_SEC_REPORT == 'false' }}
uses: aquasecurity/[email protected]
with:
ignore-unfixed: true
scan-type: "fs"
cache: "true"
format: "table"
output: "${{ env.TRIVY_REPORT_FILE }}.txt"
severity: "${{ env.TRIVY_SEVERITY }}"
- name: Report Check - Text Security Report
if: ${{ env.GH_SEC_REPORT == 'false' }}
id: report_check
shell: bash
run: |-
if [[ -s ${{ env.TRIVY_REPORT_FILE }}.txt ]] ; then
echo "report_file=available" >> ${GITHUB_OUTPUT}
else
echo "report_file=unavailable" >> ${GITHUB_OUTPUT}
fi
cat ${{ env.TRIVY_REPORT_FILE }}.txt
- name: Upload Report - Text Security Report
if: ${{ env.GH_SEC_REPORT == 'false' && steps.report_check.outputs.report_file == 'available' }}
uses: actions/upload-artifact@v4
with:
name: "${{ env.TRIVY_REPORT_FILE }}"
path: "${{ env.TRIVY_REPORT_FILE }}.txt"
if-no-files-found: error
retention-days: 1
- name: Failing the Job
if: ${{ steps.report_check.outputs.report_file == 'available' }}
shell: bash
run: |-
echo "Vulnerabilities Found.....!"
exit 1