ci: Changes to solve vulnerability (#80)

* ci: Changes to solve vulnerability * ci: deleting pull request target from sonar workflow * ci: removing other pull request target options * ci: adding pull request event trigger
BeyondTrust · Apr 15, 2024 · 945327f · 945327f
1 parent 1258cb9
commit 945327f
Show file tree

Hide file tree

Showing 5 changed files with 107 additions and 17 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -1,7 +1,10 @@
 name: CodeQL Static Analysis
 on:
-  pull_request_target:
-    types: [opened, synchronize]
+  pull_request:
+    branches: [main]
+  push:
+    branches:
+      - main
   workflow_dispatch:
 
 permissions:

diff --git a/.github/workflows/frogbot.yml b/.github/workflows/frogbot.yml
@@ -1,8 +1,13 @@
 name: Frogbot
 
 on:
-  pull_request_target:
-    types: [opened, synchronize]
+  pull_request:
+    branches: [main]
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
 permissions:
   pull-requests: write
   contents: read

diff --git a/.github/workflows/golint.yml b/.github/workflows/golint.yml
@@ -1,8 +1,8 @@
 name: Go Lint
 
 on:
-  pull_request_target:
-    types: [opened, synchronize]
+  pull_request:
+    branches: [main]
   push:
     branches:
       - main

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,8 +6,8 @@ env:
   SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
 
 on:
-  pull_request_target:
-    types: [opened, synchronize]
+  pull_request:
+    branches: [main]
   push:
     branches:
       - main
@@ -20,15 +20,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code on PR 
-        if: ${{ github.event_name == 'pull_request' ||  github.event_name == 'pull_request_target' }}
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
-        with:
-          fetch-depth: 0
-          ref: ${{ github.head_ref }} 
-
-      - name: Checkout code on Branch
-        if: ${{ github.event_name != 'pull_request' &&  github.event_name != 'pull_request_target' }}
+      - name: Checkout code
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
         with:
           fetch-depth: 0

diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
@@ -0,0 +1,90 @@
+name: Release
+
+env:
+  SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  unit-testing:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          fetch-depth: 0
+
+      - name: Build library
+        run: |
+          go build
+
+      - name: Run unit tests
+        run: |
+          cd api
+          go test -race -coverprofile=coverage.out -v ./...
+          go tool cover -func="coverage.out"
+
+      - name: Save unit tests coverage
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        with:
+          name: coverage
+          path: api/coverage.out
+
+  sonarqube:
+    needs: unit-testing
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          fetch-depth: 0
+
+      - name: Download coverage
+        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+        with:
+          name: coverage
+
+      - name: SonarQube Scan on PR
+        if: ${{ github.actor != 'dependabot[bot]' && ( github.event_name == 'pull_request' ||  github.event_name == 'pull_request_target' ) }}
+        uses: sonarsource/sonarqube-scan-action@69c1a75940dec6249b86dace6b630d3a2ae9d2a7 # v2.0.1
+        with:
+          projectBaseDir: .
+          args: >
+            -Dsonar.projectKey=${{ github.event.repository.name }}
+            -Dsonar.pullrequest.key=${{ github.event.number }}
+            -Dsonar.pullrequest.branch=${{ github.head_ref }}
+            -Dsonar.pullrequest.base=${{ github.base_ref }}
+            -Dsonar.go.coverage.reportPaths=coverage.out
+            -Dsonar.exclusions=api/**/**_test.go,api/entities/**,api/logging/**,api/utils/**,TestClient.go,performancetest/PerformanceTest.go
+        env:
+          SONAR_TOKEN: ${{ env.SONAR_TOKEN }}
+          SONAR_HOST_URL: https://sonar.dev.beyondtrust.com
+
+      - name: SonarQube Scan on branch
+        if: ${{ github.actor != 'dependabot[bot]' && ( github.event_name != 'pull_request' &&  github.event_name != 'pull_request_target' ) }}
+        uses: sonarsource/sonarqube-scan-action@69c1a75940dec6249b86dace6b630d3a2ae9d2a7 # v2.0.1
+        with:
+          projectBaseDir: .
+          args: >
+            -Dsonar.projectKey=${{ github.event.repository.name }}
+            -Dsonar.go.coverage.reportPaths=coverage.out
+            -Dsonar.exclusions=api/**/**_test.go,api/entities/**,api/logging/**,api/utils/**,TestClient.go,performancetest/PerformanceTest.go
+        env:
+          SONAR_TOKEN: ${{ env.SONAR_TOKEN }}
+          SONAR_HOST_URL: https://sonar.dev.beyondtrust.com
+
+      - name: SonarQube Quality Gate check
+        if: ${{ github.actor != 'dependabot[bot]' }}
+        uses: sonarsource/sonarqube-quality-gate-action@d304d050d930b02a896b0f85935344f023928496 # v1.1.0
+        timeout-minutes: 5
+        env:
+          SONAR_TOKEN: ${{ env.SONAR_TOKEN }}