feat(static-analysis): refactoring semgrep action path

open-turo · Dec 2, 2024 · 0b49805 · 0b49805
1 parent 9584d89
commit 0b49805
Show file tree

Hide file tree

Showing 5 changed files with 95 additions and 14 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -21,6 +21,6 @@ jobs:
       - uses: open-turo/actions-gha/test@v2
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
-      - uses: ./static-analysis/semgrep
+      - uses: ./static-analysis/
         with:
           semgrep-app-token: ${{ secrets.SEMGREP_APP_TOKEN }}
diff --git a/README.md b/README.md
@@ -28,13 +28,13 @@ See usage [here](./docker-build/README.md#usage).
 
 Documentation is found [here](./docker-build/README.md).
 
-### action: [`static-analysis/semgrep`](./static-analysis/semgrep)
+### action: [`static-analysis`](./static-analysis/)
 
 Scan code changes for security vulnerabilities
 
-See usage [here](./static-analysis/semgrep/README.md#usage).
+See usage [here](./static-analysis/README.md#usage).
 
-Documentation is found [here](./static-analysis/semgrep/README.md).
+Documentation is found [here](./static-analysis/README.md).
 
 ## Get Help
 

diff --git a/docs/breaking-changes/v3.md b/docs/breaking-changes/v3.md
@@ -0,0 +1,82 @@
+# Breaking Changes for v3
+
+## Introduction
+
+The v3 version of the open-turo/actions-security repository introduces a significant refactoring of the Semgrep configuration path. These changes are designed to enhance maintainability and consistency across consuming repositories. However, this update may require action from repositories using older configurations to prevent workflow disruptions.
+
+## Breaking Change Details
+
+### 1. Refactored Path for security-scan.yaml
+
+- _What Changed_:
+
+  - The action.yaml file for Semgrep has been moved from:
+
+    open-turo/actions-security/static-analysis/semgrep@v1
+
+    _to:_
+
+    open-turo/actions-security/static-analysis@v3
+
+- _Impact_:
+  - Any workflow file referencing the old path (static-analysis/semgrep@v1) will fail to locate the action and result in pipeline failures.
+
+## Migration Instructions
+
+### Step 1: Update Workflow Files
+
+1. Locate all GitHub Actions workflow files in your repository referencing static-analysis/semgrep.
+2. Update the uses field to point to the new path:
+   ```yaml
+   - uses: open-turo/actions-security/static-analysis@v3
+   ```
+
+### Step 2: Validate Workflow
+
+1. After updating the workflow, run the GitHub Actions pipeline to ensure it works as expected.
+2. Monitor the pipeline logs for any issues related to the Semgrep action.
+
+---
+
+## Troubleshooting
+
+### Common Errors
+
+- _Error_: Failed to locate action: open-turo/actions-security/static-analysis/semgrep@v1
+
+  - _Solution_: Update the uses field to open-turo/actions-security/static-analysis@v2.
+
+- _Error_: Workflow file is invalid: Unexpected value 'semgrep-app-token'
+  - _Solution_: Ensure the required secrets are configured correctly in your repository:
+    - Add SEMGREP*APP_TOKEN under \_Settings > Secrets and variables > Actions*.
+
+---
+
+### Debugging Tips
+
+- Verify that your workflow file points to static-analysis@v3.
+- Ensure that your repository has the latest version of the open-turo/actions-security action.
+
+---
+
+## Example Workflow File
+
+Below is an example of an updated GitHub Action workflow file using v3:
+
+```yaml
+name: Security scan
+on:
+  pull_request: {}
+  workflow_dispatch: {}
+  push:
+    branches: [main]
+jobs:
+  code-scan:
+    name: Security scan
+    runs-on: [self-hosted, general-ubuntu]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: open-turo/actions-security/static-analysis@v3
+        with:
+          semgrep-app-token: ${{ secrets.SEMGREP_APP_TOKEN }}
+```
diff --git a/static-analysis/semgrep/README.md → static-analysis/README.md b/static-analysis/semgrep/README.md → static-analysis/README.md
diff --git a/static-analysis/semgrep/action.yaml → static-analysis/action.yaml b/static-analysis/semgrep/action.yaml → static-analysis/action.yaml
@@ -14,14 +14,13 @@ runs:
     - name: Checkout
       if: ${{inputs.checkout-repo == 'true'}}
       uses: actions/checkout@v4
-    - run: echo "pausing checks"
+    - run: |
+        docker run --rm -v  "${PWD}:/src" \
+        -e SEMGREP_APP_TOKEN=${{ inputs.semgrep-app-token }} \
+        -e SEMGREP_REPO_NAME=${GITHUB_REPOSITORY} \
+        -e SEMGREP_BRANCH=${GITHUB_REF} \
+        -e SEMGREP_COMMIT=${{ github.event.pull_request.head.sha }} \
+        -e SEMGREP_PR_ID=${{github.event.pull_request.number}} \
+        returntocorp/semgrep:latest-nonroot \
+        semgrep ci
       shell: bash
-#        docker run --rm -v  "${PWD}:/src" \
-#        -e SEMGREP_APP_TOKEN=${{ inputs.semgrep-app-token }} \
-#        -e SEMGREP_REPO_NAME=${GITHUB_REPOSITORY} \
-#        -e SEMGREP_BRANCH=${GITHUB_REF} \
-#        -e SEMGREP_COMMIT=${{ github.event.pull_request.head.sha }} \
-#        -e SEMGREP_PR_ID=${{github.event.pull_request.number}} \
-#        returntocorp/semgrep:latest-nonroot \
-#        semgrep ci
-#      shell: bash