
feat!(static-analysis): refactoring semgrep action path #43

Closed
wants to merge 1 commit into from

Conversation

pkanoongo
Contributor

Description: This PR introduces the updated action path for Semgrep, moving from static-analysis/semgrep to static-analysis in preparation for the @V3 release.

BREAKING CHANGE:
The action path has been updated, requiring repositories to update their workflows:

  • From: open-turo/actions-security/static-analysis/semgrep@v2
  • To: open-turo/actions-security/static-analysis@v3

Renovate Bot will create pull requests for repositories referencing @v2 to help with the transition.

@pkanoongo pkanoongo changed the title feat(static-analysis)!: refactoring semgrep action path feat!(static-analysis): refactoring semgrep action path Dec 2, 2024
@pkanoongo pkanoongo force-pushed the breaking/semgrep-v3-update-path branch from 4e80027 to 842c747 Compare December 2, 2024 20:55

github-actions bot commented Dec 2, 2024

Release notes preview

Below is a preview of the release notes if your PR gets merged.


3.0.0 (2024-12-02)

⚠ BREAKING CHANGES

  • static-analysis: The action path has been updated, requiring repositories to update their workflows
  • From: open-turo/actions-security/static-analysis/semgrep@v2
  • To: open-turo/actions-security/static-analysis@v3

Renovate Bot will create pull requests for repositories referencing @v2 to help with the transition.

Features

  • static-analysis: refactor semgrep action path (842c747)

Miscellaneous

  • deps: update dependency node to v18.20.4 (7d91d9b)
  • deps: update dependency node to v22 (3484024)
  • deps: update lacework/lw-scanner-action action to v1.4.3 (e6d46fa)
  • deps: update pre-commit hook alessandrojcm/commitlint-pre-commit-hook to v9.19.0 (9584d89)
  • deps: update pre-commit hook pre-commit/pre-commit-hooks to v5 (33abebe)
  • deps: update pre-commit hook rhysd/actionlint to v1.7.3 (966955d)
  • deps: update pre-commit hook rhysd/actionlint to v1.7.4 (a867114)
  • deps: update thollander/actions-comment-pull-request action to v3 (2ee40ca)

Breaking changes file docs/breaking-changes/v3.md

Breaking Changes for v3

Introduction

The v3 version of the open-turo/actions-security repository introduces a significant refactoring of the Semgrep configuration path. These changes are designed to enhance maintainability and consistency across consuming repositories. However, this update may require action from repositories using older configurations to prevent workflow disruptions.

Breaking Change Details

1. Refactored Path for security-scan.yaml

  • What Changed:

    • The action.yaml file for Semgrep has been moved from:

      open-turo/actions-security/static-analysis/semgrep@v1

      to:

      open-turo/actions-security/static-analysis@v3

  • Impact:

    • Any workflow file referencing the old path (static-analysis/semgrep@v1) will fail to locate the action and result in pipeline failures.

Migration Instructions

Step 1: Update Workflow Files

  1. Locate all GitHub Actions workflow files in your repository referencing static-analysis/semgrep.
  2. Update the uses field to point to the new path:
    - uses: open-turo/actions-security/static-analysis@v3

Step 2: Validate Workflow

  1. After updating the workflow, run the GitHub Actions pipeline to ensure it works as expected.
  2. Monitor the pipeline logs for any issues related to the Semgrep action.

Troubleshooting

Common Errors

  • Error: Failed to locate action: open-turo/actions-security/static-analysis/semgrep@v1

    • Solution: Update the uses field to open-turo/actions-security/static-analysis@v2.
  • Error: Workflow file is invalid: Unexpected value 'semgrep-app-token'

    • Solution: Ensure the required secrets are configured correctly in your repository:
      • Add SEMGREPAPP_TOKEN under Settings > Secrets and variables > Actions.

Debugging Tips

  • Verify that your workflow file points to static-analysis@v3.
  • Ensure that your repository has the latest version of the open-turo/actions-security action.

Example Workflow File

Below is an example of an updated GitHub Action workflow file using v3:

name: Security scan
on:
  pull_request: {}
  workflow_dispatch: {}
  push:
    branches: [main]
jobs:
  code-scan:
    name: Security scan
    runs-on: [self-hosted, general-ubuntu]
    steps:
      - uses: actions/checkout@v4
      - uses: open-turo/actions-security/static-analysis@v3
        with:
          semgrep-app-token: ${{ secrets.SEMGREP_APP_TOKEN }}
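The migration steps in the breaking-changes doc above (find every workflow referencing the old `static-analysis/semgrep` path, rewrite the `uses:` field to `static-analysis@v3`, then verify nothing stale remains) can be scripted. This is an added example, not code from the open-turo/actions-security project; the `SAMPLE` workflow is constructed, and the `.github/workflows` location is the standard GitHub Actions directory.

```python
"""Rewrite GitHub Actions workflows from the old Semgrep action path to the
v3 path. Added example; not part of the open-turo/actions-security project."""
import re
from pathlib import Path

OLD_PATH = "open-turo/actions-security/static-analysis/semgrep"
NEW_REF = "open-turo/actions-security/static-analysis@v3"

# Match a `uses:` value referencing the old path at any ref (v1, v2, a SHA, ...).
USES_RE = re.compile(
    r"(?P<prefix>uses:\s*['\"]?)" + re.escape(OLD_PATH) + r"@[\w.\-/]+"
)

def migrate_uses(text: str) -> tuple[str, int]:
    """Return (rewritten workflow text, number of `uses:` references rewritten)."""
    new_text, count = USES_RE.subn(lambda m: m.group("prefix") + NEW_REF, text)
    return new_text, count

def stale_references(text: str) -> list[int]:
    """1-based line numbers that still mention the old path (should be empty after migration)."""
    return [i for i, line in enumerate(text.splitlines(), 1) if OLD_PATH in line]

def migrate_workflows(repo_root: Path, dry_run: bool = True) -> dict[str, int]:
    """Scan .github/workflows/*.yml and *.yaml; return per-file rewrite counts.
    Files are only written when dry_run is False."""
    results: dict[str, int] = {}
    wf_dir = repo_root / ".github" / "workflows"
    for path in sorted(list(wf_dir.glob("*.yml")) + list(wf_dir.glob("*.yaml"))):
        original = path.read_text(encoding="utf-8")
        updated, n = migrate_uses(original)
        if n:
            results[str(path)] = n
            if not dry_run:
                path.write_text(updated, encoding="utf-8")
    return results

# Constructed sample workflow fragment (not taken from any real repository).
SAMPLE = """\
steps:
  - uses: actions/checkout@v4
  - uses: open-turo/actions-security/static-analysis/semgrep@v2
    with:
      semgrep-app-token: ${{ secrets.SEMGREP_APP_TOKEN }}
"""

if __name__ == "__main__":
    migrated, n = migrate_uses(SAMPLE)
    print(f"rewrote {n} reference(s); stale lines: {stale_references(migrated)}")
    print(migrated)
```

Run `migrate_workflows(Path("."), dry_run=False)` from a repository root to apply the rewrite; the default dry run only reports which files would change.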

@pkanoongo pkanoongo marked this pull request as ready for review December 2, 2024 21:13
@pkanoongo pkanoongo requested a review from a team as a code owner December 2, 2024 21:13
@pkanoongo
Contributor Author

Cleanup:
This is no longer required. Closing the PR.

@pkanoongo pkanoongo closed this Dec 18, 2024
@pkanoongo pkanoongo deleted the breaking/semgrep-v3-update-path branch December 18, 2024 17:30