
HSEC-2024-0003: reserve id #112

HSEC-2024-0003: reserve id

HSEC-2024-0003: reserve id #112

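# Pull-request gate for the advisory database: works out whether the tooling
# (code/**) or the advisories changed, then hands the changed advisory files
# to the reusable check-advisories workflow.
#
# NOTE(review): no `permissions:` block is declared, so GITHUB_TOKEN gets the
# repository/organisation default scopes. Declaring the minimum explicitly is
# preferable; the called workflows are not visible here, so confirm what they
# need first.
name: Check advisories
# `pull_request` (not `pull_request_target`): the workflow definition and the
# checked-out code both come from the PR, and runs triggered from forks get a
# read-only token without repository secrets.
on:
  - pull_request
jobs:
  # Sets should_skip to report whether the PR leaves code/** untouched.
  tools_changed:
    # A failure here does not fail the run. should_skip is then empty, the
    # `== 'true'` test in check_advisories is false, and that job is skipped
    # rather than run. NOTE(review): confirm a skipped check cannot satisfy a
    # required status check.
    continue-on-error: true
    runs-on: ubuntu-22.04
    outputs:
      should_skip: ${{ steps.skip_check.outputs.should_skip }}
    steps:
      - id: skip_check
        # The text after "fkirc/" was replaced by the page's e-mail
        # obfuscation. The action is fkirc/skip-duplicate-actions (see the
        # README URL in the advisories_changed job); restore the real ref from
        # the repository. Pinning third-party actions to a full commit SHA
        # keeps a moved tag from changing what runs.
        uses: fkirc/[email protected]
        with:
          concurrent_skipping: "never"
          skip_after_successful_duplicate: "true"
          paths: '["code/**"]'
          do_not_skip: '["push", "workflow_dispatch", "schedule"]'

  # Same check for the advisory files; also exports the list of matched files.
  advisories_changed:
    continue-on-error: true
    runs-on: ubuntu-22.04
    outputs:
      should_skip: ${{ steps.skip_check.outputs.should_skip }}
      changed_files: ${{ steps.process-changed-files.outputs.out }}
    steps:
      - id: skip_check
        # Ref mangled by the page's e-mail obfuscation, as in tools_changed.
        uses: fkirc/[email protected]
        with:
          concurrent_skipping: "never"
          skip_after_successful_duplicate: "true"
          paths: '["advisories/**", "EXAMPLE_ADVISORY.md"]'
          do_not_skip: '["push", "workflow_dispatch", "schedule"]'
      - id: process-changed-files
        name: Extract matched files list
        # File names in a PR are contributor-controlled. Passing the action's
        # output through an environment variable, instead of expanding
        # ${{ ... }} inside the script, keeps it out of the shell source.
        env:
          PATHS_RESULT: ${{ steps.skip_check.outputs.paths_result }}
        run: |
          echo -n 'out=' >> "$GITHUB_OUTPUT"
          # See https://github.com/fkirc/skip-duplicate-actions#paths_result
          # --compact-output keeps the JSON array on one line, so a file name
          # cannot add a second key=value line to $GITHUB_OUTPUT.
          printenv PATHS_RESULT \
            | jq --compact-output .global.matched_files >> "$GITHUB_OUTPUT"

  # Tree hash of the code/ directory at HEAD, used as the tool cache key.
  code_hash:
    name: Compute code directory hash
    runs-on: ubuntu-22.04
    outputs:
      code_hash: ${{ steps.code-hash.outputs.code-hash }}
    steps:
      - name: git checkout
        uses: actions/checkout@v4
      - id: code-hash
        run: |
          code_hash=$(git rev-parse HEAD:code)
          echo "code-hash=$code_hash" >> "$GITHUB_OUTPUT"

  populate_cache:
    name: Populate cache
    # Fix: the `needs` context only exposes jobs listed under `needs:`.
    # Without this line the expression below expands to an empty string and
    # the cache key becomes "hsec-tools-", which no longer matches the
    # fetch-key that check_advisories passes on.
    needs: code_hash
    uses: ./.github/workflows/call-nix.yml
    with:
      cache-key: hsec-tools-${{ needs.code_hash.outputs.code_hash }}

  check_advisories:
    name: Invoke check-advisories workflow
    needs: [tools_changed, advisories_changed, code_hash, populate_cache]
    # Runs only when code/** is unchanged AND advisories changed.
    # NOTE(review): PRs that touch code/** are presumably checked by a
    # different workflow - confirm.
    if: ${{ needs.tools_changed.outputs.should_skip == 'true' && needs.advisories_changed.outputs.should_skip != 'true' }}
    uses: ./.github/workflows/call-check-advisories.yml
    with:
      fetch-key: hsec-tools-${{ needs.code_hash.outputs.code_hash }}
      # JSON array of contributor-controlled file names. The callee is not
      # visible here; it should read this as data (env var or file), never
      # interpolate it into a `run:` script.
      changed-advisories: ${{ needs.advisories_changed.outputs.changed_files }}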