Skip to content

fix(gitguardian): add gitGuardian ignore file to fix FP on secret detection #4332

fix(gitguardian): add gitGuardian ignore file to fix FP on secret detection

fix(gitguardian): add gitGuardian ignore file to fix FP on secret detection #4332

Workflow file for this run

name: validate-prs
on:
pull_request_target:
types: [opened, synchronize, edited, reopened]
branches:
- master
jobs:
title-check:
runs-on: ubuntu-latest
env:
ERROR_MSG: "The PR title does not match the required format: <type>(<scope>): <title>"
TITLE: ${{ github.event.pull_request.title }}
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false
sparse-checkout: |
.github/scripts/pr-issue-info/get_title_types.py
.github/pr-title-types.yaml
.github/scripts/pr-issue-info/title-fail.md
- name: Print PR Title
run: echo "$TITLE"
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: "3.x"
- name: Install dependencies
run: python3 -m pip install --upgrade pip pyyaml
- name: Check PR Title
env:
FILE_PATH: .github/pr-title-types.yaml
run: |
regex=$(python3 .github/scripts/pr-issue-info/get_title_types.py)
echo "Title regex: $regex"
echo "$TITLE" | grep -Pq "$regex" || (echo "$ERROR_MSG" && echo "TITLE_CHECK_FAILED=true" >> $GITHUB_ENV)
- name: Check for comment tag
if: env.TITLE_CHECK_FAILED != 'true'
run: |
comments=$(curl -s -H "Authorization: token ${{ secrets.KICS_BOT_PAT }}" \
-X GET "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments")
if echo "$comments" | grep -q "title_check"; then
echo "TAG_EXISTS=true" >> $GITHUB_ENV
else
echo "TAG_EXISTS=false" >> $GITHUB_ENV
fi
- name: Delete comment if title is fixed
if: env.TAG_EXISTS == 'true'
uses: thollander/actions-comment-pull-request@b07c7f86be67002023e6cb13f57df3f21cdd3411
with:
message: |
Deleting comment, please refresh the page...
comment_tag: title_check
mode: delete
GITHUB_TOKEN: ${{ secrets.KICS_BOT_PAT }}
- name: Add comment if title fails
if: env.TITLE_CHECK_FAILED == 'true'
uses: thollander/actions-comment-pull-request@b07c7f86be67002023e6cb13f57df3f21cdd3411
with:
filePath: .github/scripts/pr-issue-info/title-fail.md
comment_tag: title_check
mode: recreate
create_if_not_exists: true
GITHUB_TOKEN: ${{ secrets.KICS_BOT_PAT }}
- name: Workflow failed
if: env.TITLE_CHECK_FAILED == 'true'
run: exit 1
labels-check:
runs-on: ubuntu-latest
env:
BODY: ${{ github.event.pull_request.body }}
LABELS: ${{ toJson(github.event.pull_request.labels) }}
TITLE: ${{ github.event.pull_request.title }}
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false
sparse-checkout: |
.github/scripts/pr-issue-info/get_keywords.py
.github/keywords.yaml
- name: Get username
run: echo "USERNAME=${{ github.event.pull_request.user.login }}" >> $GITHUB_ENV
- name: Install JQ
run: sudo apt-get install jq
- name: Check user username
run: |
response=$(curl -s -H "Authorization: token ${{ secrets.KICS_BOT_PAT }}" "https://api.github.com/orgs/Checkmarx/teams/kics/members")
team_members=$(echo "$response" | jq -r '.[].login')
if [[ "$USERNAME" == "dependabot[bot]" ]] || echo "${team_members[@]}" | grep -Pq "^$USERNAME$"; then
echo "Contributor belongs to Checkmarx organization."
is_member="true"
else
echo "Contributor does not belong to Checkmarx organization."
is_member="false"
fi
echo "IS_MEMBER=$is_member" >> $GITHUB_ENV
- name: Add community label if user does not belong to Checkmarx Organization
run: |
if [[ "$IS_MEMBER" == "false" ]]; then
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels -d '{"labels": ["community"]}'
fi
- name: Add feature or feature request label
run: |
if [[ "$TITLE" == feat* ]]; then
if [[ "$IS_MEMBER" == "true" ]]; then
echo "Adding 'feature' label..."
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels -d '{"labels": ["feature"]}'
else
echo "Adding 'feature request' label..."
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels -d '{"labels": ["feature request"]}'
fi
else
if echo "$LABELS" | grep -q "feature request"; then
echo "Removing 'feature request' label..."
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels/feature%20request
elif echo "$LABELS" | grep -q "feature"; then
echo "Removing 'feature' label..."
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels/feature
fi
fi
- name: Add documentation label
run: |
if [[ "$TITLE" == docs* ]]; then
echo "Adding 'documentation' label..."
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels -d '{"labels": ["documentation"]}'
else
if echo "$LABELS" | grep -q "documentation"; then
echo "Removing 'documentation' label..."
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels/documentation
fi
fi
- name: Add bug label
run: |
if echo "$TITLE $BODY" | grep -iqP "(\\b|_)bugs?(\\b|_)"; then
echo "Adding 'bug' label..."
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels -d '{"labels": ["bug"]}'
else
if echo "$LABELS" | grep -q "bug"; then
echo "Removing 'bug' label..."
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels/bug
fi
fi
- name: Add query label
run: |
if echo "$TITLE $BODY" | grep -iqP "(\\b|_)quer(y|ies)(\\b|_)"; then
echo "Adding 'query' label..."
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels -d '{"labels": ["query"]}'
else
if echo "$LABELS" | grep -q "query"; then
echo "Removing 'query' label..."
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels/query
fi
fi
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: "3.x"
- name: Install dependencies
run: python3 -m pip install --upgrade pip pyyaml
- name: Check title for keywords of platforms and cloud providers to add labels
run: |
keywords=$(python3 .github/scripts/pr-issue-info/get_keywords.py)
eval "$keywords"
declare -p keywords
declare -a labels_to_add=()
for keyword in "${!keywords[@]}"; do
if echo "$TITLE $BODY" | grep -iPq "(\\b|_)$keyword(\\b|_)"; then
labels_to_add+=("${keywords[$keyword]}")
fi
done
mapfile -t current_labels < <(echo "$LABELS" | jq -r '.[].name')
echo "Current labels: ${current_labels[@]}"
echo "Labels to add: ${labels_to_add[@]}"
echo "Labels: $LABELS"
for keyword in "${!keywords[@]}"; do
label=${keywords[$keyword]}
if [[ ! " ${labels_to_add[@]} " =~ " ${label} " ]] && [[ " ${current_labels[@]} " =~ " ${label} " ]]; then
echo "Removing '$label' label..."
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels/$label
elif [[ " ${labels_to_add[@]} " =~ " ${label} " ]] && [[ ! " ${current_labels[@]} " =~ " ${label} " ]]; then
echo "Adding '$label' label..."
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels -d "{\"labels\": [\"$label\"]}"
fi
done