From 03947f9ca6a1e0d7ee970b29956265d78b796945 Mon Sep 17 00:00:00 2001
From: Zhiwei Liang <121905282+zliang-akamai@users.noreply.github.com>
Date: Fri, 20 Dec 2024 15:48:31 -0500
Subject: [PATCH] Add security workflows; combine lint and test workflows (#60)

* Combine lint and test workflows
* Add security workflows
---
 .github/workflows/codeql.yml | 39 +++++++++++++++++++++++++
 .github/workflows/dependency-review.yml | 19 ++++++++++++
 .github/workflows/lint.yaml | 21 -------------
 .github/workflows/tests.yaml | 15 ++++------
 4 files changed, 64 insertions(+), 30 deletions(-)
 create mode 100644 .github/workflows/codeql.yml
 create mode 100644 .github/workflows/dependency-review.yml
 delete mode 100644 .github/workflows/lint.yaml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..3a642d6
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,39 @@
+name: "CodeQL Advanced"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '0 13 * * 5'
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: python
+ build-mode: none
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ queries: security-and-quality
+
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000..9f07e05
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
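Review bot: The job-level `permissions:` block in codeql.yml grants only `security-events: write`, and declaring any scope there sets every unlisted scope for the job to none; GitHub's own CodeQL template additionally grants `contents: read` and `actions: read`, which the codeql-action documents as required when the repository is private (checkout and result upload). Add the two lines `contents: read` and `actions: read` under `permissions:` so the workflow does not silently depend on the repository staying public. All action references (`github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`, `actions/checkout@v4`) are pinned to mutable tags; for supply-chain hardening consider pinning each to a full commit SHA with the tag in a trailing comment, and the same applies to `actions/dependency-review-action@v4` in dependency-review.yml and `actions/setup-python@v5` in tests.yaml. Minor style: the two consecutive blank lines before the "Perform CodeQL Analysis" step and the unspaced `${{matrix.language}}` in `category` are inconsistent with the rest of the file.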
@@ -0,0 +1,19 @@
+name: 'Dependency review'
+on:
+ pull_request:
+ branches: [ "main" ]
+
+permissions:
+ contents: read
+ pull-requests: write
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout repository'
+ uses: actions/checkout@v4
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@v4
+ with:
+ comment-summary-in-pr: on-failure
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
deleted file mode 100644
index eb84adc..0000000
--- a/.github/workflows/lint.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-name: Run Linter
-
-on: [ push, pull_request ]
-
-jobs:
- lint:
- runs-on: ubuntu-latest
- steps:
- - name: checkout repo
- uses: actions/checkout@v4
-
- - name: setup python 3
- uses: actions/setup-python@v5
- with:
- python-version: '3.x'
-
- - name: install dependencies
- run: make getdeps && pip3 install -r requirements-dev.txt
-
- - name: run linter
- run: make lint
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index ebad279..106488c 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -1,20 +1,14 @@
-name: Run Tests
+name: Continues Integration
 on: [ push, pull_request, workflow_dispatch ]
 jobs:
- run-tests:
+ lint-test:
 runs-on: ubuntu-latest
 steps:
 - name: checkout repo
 uses: actions/checkout@v4
- - name: update packages
- run: sudo apt-get update -y
-
- - name: install make
- run: sudo apt-get install -y build-essential
-
 - name: setup python 3
 uses: actions/setup-python@v5
 with:
@@ -24,4 +18,7 @@ jobs:
 run: make getdeps && pip3 install -r requirements-dev.txt
 - name: run tests
- run: make test
\ No newline at end of file
+ run: make test
+
+ - name: run linter
+ run: make lint
\ No newline at end of file
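Review bot: `comment-summary-in-pr: on-failure` in dependency-review.yml relies on the `pull-requests: write` scope granted above it, but on `pull_request` runs coming from forked repositories the GITHUB_TOKEN is read-only regardless of the `permissions:` block, so the PR comment can fail or be skipped there; the check status itself should still surface on the PR, which is worth noting in a comment on that line. No `fail-on-severity` is set, so the action's default threshold (documented as `low`, if I read the action's inputs correctly) decides what blocks a merge; make the policy explicit with `fail-on-severity: low` or the agreed level, and consider `license-check` / `allow-licenses` if licensing is in scope. Separately, the two new files use the `.yml` extension while the existing workflows use `.yaml`; pick one convention for the directory.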
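Review bot: `name: Continues Integration` in the first tests.yaml hunk is a typo and is the label every check run will show; change the line to `+name: Continuous Integration`. The workflow still declares no `permissions:` block, so on `push`, `pull_request` and `workflow_dispatch` the job runs with the repository's default GITHUB_TOKEN scope (read-write on repositories that have not switched to the restricted default), unlike the two new workflows which scope their token; since these steps only check out code and run make, `permissions:` with `contents: read` at workflow level is sufficient. Dropping the `apt-get update` / `build-essential` steps looks safe because `make` ships in the ubuntu-latest runner image, but that assumption now lives in the `make getdeps` target, which is outside this hunk.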
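Review bot: The new last line `run: make lint` in the second tests.yaml hunk is still flagged `\ No newline at end of file`; since the commit rewrites that line anyway, terminate the file with a newline so the marker stops appearing in every future diff. Running `make lint` after `make test` means a lint failure is only reported once the whole test suite has finished; the cheaper lint step usually goes first, or the two become separate jobs so they run in parallel and show as distinct checks on the PR. The rest of the `lint-test` job is outside this hunk.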