fix(gitguardian): add gitGuardian ignore file to fix FP on secret detection #4332
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: validate-prs | |
on: | |
pull_request_target: | |
types: [opened, synchronize, edited, reopened] | |
branches: | |
- master | |
jobs: | |
title-check: | |
runs-on: ubuntu-latest | |
env: | |
ERROR_MSG: "The PR title does not match the required format: <type>(<scope>): <title>" | |
TITLE: ${{ github.event.pull_request.title }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
persist-credentials: false | |
sparse-checkout: | | |
.github/scripts/pr-issue-info/get_title_types.py | |
.github/pr-title-types.yaml | |
.github/scripts/pr-issue-info/title-fail.md | |
- name: Print PR Title | |
run: echo "$TITLE" | |
- name: Set up Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: "3.x" | |
- name: Install dependencies | |
run: python3 -m pip install --upgrade pip pyyaml | |
- name: Check PR Title | |
env: | |
FILE_PATH: .github/pr-title-types.yaml | |
run: | | |
regex=$(python3 .github/scripts/pr-issue-info/get_title_types.py) | |
echo "Title regex: $regex" | |
echo "$TITLE" | grep -Pq "$regex" || (echo "$ERROR_MSG" && echo "TITLE_CHECK_FAILED=true" >> $GITHUB_ENV) | |
- name: Check for comment tag | |
if: env.TITLE_CHECK_FAILED != 'true' | |
run: | | |
comments=$(curl -s -H "Authorization: token ${{ secrets.KICS_BOT_PAT }}" \ | |
-X GET "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments") | |
if echo "$comments" | grep -q "title_check"; then | |
echo "TAG_EXISTS=true" >> $GITHUB_ENV | |
else | |
echo "TAG_EXISTS=false" >> $GITHUB_ENV | |
fi | |
- name: Delete comment if title is fixed | |
if: env.TAG_EXISTS == 'true' | |
uses: thollander/actions-comment-pull-request@b07c7f86be67002023e6cb13f57df3f21cdd3411 | |
with: | |
message: | | |
Deleting comment, please refresh the page... | |
comment_tag: title_check | |
mode: delete | |
GITHUB_TOKEN: ${{ secrets.KICS_BOT_PAT }} | |
- name: Add comment if title fails | |
if: env.TITLE_CHECK_FAILED == 'true' | |
uses: thollander/actions-comment-pull-request@b07c7f86be67002023e6cb13f57df3f21cdd3411 | |
with: | |
filePath: .github/scripts/pr-issue-info/title-fail.md | |
comment_tag: title_check | |
mode: recreate | |
create_if_not_exists: true | |
GITHUB_TOKEN: ${{ secrets.KICS_BOT_PAT }} | |
- name: Workflow failed | |
if: env.TITLE_CHECK_FAILED == 'true' | |
run: exit 1 | |
labels-check: | |
runs-on: ubuntu-latest | |
env: | |
BODY: ${{ github.event.pull_request.body }} | |
LABELS: ${{ toJson(github.event.pull_request.labels) }} | |
TITLE: ${{ github.event.pull_request.title }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
persist-credentials: false | |
sparse-checkout: | | |
.github/scripts/pr-issue-info/get_keywords.py | |
.github/keywords.yaml | |
- name: Get username | |
run: echo "USERNAME=${{ github.event.pull_request.user.login }}" >> $GITHUB_ENV | |
- name: Install JQ | |
run: sudo apt-get install jq | |
- name: Check user username | |
run: | | |
response=$(curl -s -H "Authorization: token ${{ secrets.KICS_BOT_PAT }}" "https://api.github.com/orgs/Checkmarx/teams/kics/members") | |
team_members=$(echo "$response" | jq -r '.[].login') | |
if [[ "$USERNAME" == "dependabot[bot]" ]] || echo "${team_members[@]}" | grep -Pq "^$USERNAME$"; then | |
echo "Contributor belongs to Checkmarx organization." | |
is_member="true" | |
else | |
echo "Contributor does not belong to Checkmarx organization." | |
is_member="false" | |
fi | |
echo "IS_MEMBER=$is_member" >> $GITHUB_ENV | |
- name: Add community label if user does not belong to Checkmarx Organization | |
run: | | |
if [[ "$IS_MEMBER" == "false" ]]; then | |
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels -d '{"labels": ["community"]}' | |
fi | |
- name: Add feature or feature request label | |
run: | | |
if [[ "$TITLE" == feat* ]]; then | |
if [[ "$IS_MEMBER" == "true" ]]; then | |
echo "Adding 'feature' label..." | |
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels -d '{"labels": ["feature"]}' | |
else | |
echo "Adding 'feature request' label..." | |
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels -d '{"labels": ["feature request"]}' | |
fi | |
else | |
if echo "$LABELS" | grep -q "feature request"; then | |
echo "Removing 'feature request' label..." | |
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels/feature%20request | |
elif echo "$LABELS" | grep -q "feature"; then | |
echo "Removing 'feature' label..." | |
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels/feature | |
fi | |
fi | |
- name: Add documentation label | |
run: | | |
if [[ "$TITLE" == docs* ]]; then | |
echo "Adding 'documentation' label..." | |
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels -d '{"labels": ["documentation"]}' | |
else | |
if echo "$LABELS" | grep -q "documentation"; then | |
echo "Removing 'documentation' label..." | |
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels/documentation | |
fi | |
fi | |
- name: Add bug label | |
run: | | |
if echo "$TITLE $BODY" | grep -iqP "(\\b|_)bugs?(\\b|_)"; then | |
echo "Adding 'bug' label..." | |
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels -d '{"labels": ["bug"]}' | |
else | |
if echo "$LABELS" | grep -q "bug"; then | |
echo "Removing 'bug' label..." | |
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels/bug | |
fi | |
fi | |
- name: Add query label | |
run: | | |
if echo "$TITLE $BODY" | grep -iqP "(\\b|_)quer(y|ies)(\\b|_)"; then | |
echo "Adding 'query' label..." | |
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels -d '{"labels": ["query"]}' | |
else | |
if echo "$LABELS" | grep -q "query"; then | |
echo "Removing 'query' label..." | |
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels/query | |
fi | |
fi | |
- name: Set up Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: "3.x" | |
- name: Install dependencies | |
run: python3 -m pip install --upgrade pip pyyaml | |
- name: Check title for keywords of platforms and cloud providers to add labels | |
run: | | |
keywords=$(python3 .github/scripts/pr-issue-info/get_keywords.py) | |
eval "$keywords" | |
declare -p keywords | |
declare -a labels_to_add=() | |
for keyword in "${!keywords[@]}"; do | |
if echo "$TITLE $BODY" | grep -iPq "(\\b|_)$keyword(\\b|_)"; then | |
labels_to_add+=("${keywords[$keyword]}") | |
fi | |
done | |
mapfile -t current_labels < <(echo "$LABELS" | jq -r '.[].name') | |
echo "Current labels: ${current_labels[@]}" | |
echo "Labels to add: ${labels_to_add[@]}" | |
echo "Labels: $LABELS" | |
for keyword in "${!keywords[@]}"; do | |
label=${keywords[$keyword]} | |
if [[ ! " ${labels_to_add[@]} " =~ " ${label} " ]] && [[ " ${current_labels[@]} " =~ " ${label} " ]]; then | |
echo "Removing '$label' label..." | |
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels/$label | |
elif [[ " ${labels_to_add[@]} " =~ " ${label} " ]] && [[ ! " ${current_labels[@]} " =~ " ${label} " ]]; then | |
echo "Adding '$label' label..." | |
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels -d "{\"labels\": [\"$label\"]}" | |
fi | |
done | |