fix: update dependency constraints for security alerts #247
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: PR Merge Check - Javelin Python | |
| on: | |
| pull_request: | |
| types: | |
| - opened | |
| - synchronize | |
| - reopened | |
| branches: | |
| - "main" | |
| merge_group: | |
| types: | |
| - checks_requested | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref }} | |
| cancel-in-progress: true | |
| env: | |
| PY_LINT_CFG: ".flake8" | |
| LINT_REPORT_FILE: "lint-report" | |
| PY_VER: 3.11.8 | |
| PR_CHECK_PREFIX: "feat:|fix:|devops:|Merge|Revert|build\\(deps\\)|\\[Snyk\\]|Bump" | |
| GH_SEC_REPORT: false | |
| TRIVY_SEVERITY: "HIGH,CRITICAL" | |
| TRIVY_REPORT_FILE: "trivy-scan-result" | |
| jobs: | |
| javelin-commit-check: | |
| permissions: | |
| contents: 'read' | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| persist-credentials: false | |
| - name: Get the last commit message | |
| id: commit_message | |
| run: | | |
| COMMIT_MESSAGE=$(git show -s --format=%s) | |
| echo "message=${COMMIT_MESSAGE}" >> ${GITHUB_OUTPUT} | |
| - name: Commit Message Check | |
| shell: bash | |
| env: | |
| COMMIT_MESSAGE: "${{ steps.commit_message.outputs.message }}" | |
| run: |- | |
| CLEAN_COMMIT_MESSAGE=$(echo '${{ env.COMMIT_MESSAGE }}' | sed "s|\"||g") | |
| if [[ "${CLEAN_COMMIT_MESSAGE}" =~ ^(${{ env.PR_CHECK_PREFIX }}) ]]; then | |
| echo "Commit message is valid....!" | |
| else | |
| echo "Commit message does not contain required keywords....!" | |
| exit 1 | |
| fi | |
| javelin-lint-check: | |
| permissions: | |
| contents: 'read' | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false | |
| - name: Setup Python Version | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ env.PY_VER }} | |
| cache: 'pip' | |
| - name: Python Lint Check | |
| shell: bash | |
| run: |- | |
| pip install flake8 | |
| flake8 . --config=${{ env.PY_LINT_CFG }} --output-file=${{ env.LINT_REPORT_FILE }}.json | |
| - name: Upload Lint Report | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ env.LINT_REPORT_FILE }} | |
| path: ${{ env.LINT_REPORT_FILE }}.json | |
| retention-days: 1 | |
| javelin-trivy-scan: | |
| permissions: | |
| contents: 'read' | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: true | |
| - name: Trivy Scan - GitHub Security Report | |
| if: ${{ env.GH_SEC_REPORT == 'true' }} | |
| uses: aquasecurity/[email protected] | |
| with: | |
| ignore-unfixed: true | |
| scan-type: "fs" | |
| cache: "true" | |
| format: "sarif" | |
| output: "${{ env.TRIVY_REPORT_FILE }}.sarif" | |
| severity: "${{ env.TRIVY_SEVERITY }}" | |
| - name: Upload Report - GitHub Security Report | |
| if: ${{ env.GH_SEC_REPORT == 'true' }} | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: "${{ env.TRIVY_REPORT_FILE }}.sarif" | |
| - name: Trivy Scan - Text Security Report | |
| if: ${{ env.GH_SEC_REPORT == 'false' }} | |
| uses: aquasecurity/[email protected] | |
| with: | |
| ignore-unfixed: true | |
| scan-type: "fs" | |
| cache: "true" | |
| format: "table" | |
| output: "${{ env.TRIVY_REPORT_FILE }}.txt" | |
| severity: "${{ env.TRIVY_SEVERITY }}" | |
| - name: Report Check - Text Security Report | |
| if: ${{ env.GH_SEC_REPORT == 'false' }} | |
| id: report_check | |
| shell: bash | |
| run: |- | |
| if [[ -s ${{ env.TRIVY_REPORT_FILE }}.txt ]] ; then | |
| echo "report_file=available" >> ${GITHUB_OUTPUT} | |
| else | |
| echo "report_file=unavailable" >> ${GITHUB_OUTPUT} | |
| fi | |
| cat ${{ env.TRIVY_REPORT_FILE }}.txt | |
| - name: Upload Report - Text Security Report | |
| if: ${{ env.GH_SEC_REPORT == 'false' && steps.report_check.outputs.report_file == 'available' }} | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: "${{ env.TRIVY_REPORT_FILE }}" | |
| path: "${{ env.TRIVY_REPORT_FILE }}.txt" | |
| if-no-files-found: error | |
| retention-days: 1 | |
| - name: Failing the Job | |
| if: ${{ steps.report_check.outputs.report_file == 'available' }} | |
| shell: bash | |
| run: |- | |
| echo "Vulnerabilities Found.....!" | |
| exit 1 | |
| javelin-build-check: | |
| permissions: | |
| contents: 'read' | |
| id-token: 'write' | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false | |
| - name: Setting up the Package Version | |
| env: | |
| PY_VER_FILE: "pyproject.toml" | |
| RELEASE_NAME: "v1.1.1" | |
| shell: bash | |
| run: |- | |
| export RELEASE_VERSION=$(echo ${{ env.RELEASE_NAME }} | sed 's|^v||g') | |
| if cat ${{ env.PY_VER_FILE }} | grep 'version = "RELEASE_VERSION"' ; then | |
| sed -i "s|^version = \"RELEASE_VERSION\"|version = \"${RELEASE_VERSION}\"|g" ${{ env.PY_VER_FILE }} | |
| cat ${file} | |
| else | |
| echo "Version entry format is wrong in the ${{ env.PY_VER_FILE }} file...!" | |
| cat ${file} | |
| exit 1 | |
| fi | |
| - name: Setup Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ env.PY_VER }} | |
| cache: 'pip' | |
| - name: Install Dependencies | |
| shell: bash | |
| run: |- | |
| pip install build | |
| - name: Build Package | |
| shell: bash | |
| run: |- | |
| python -m build |