From 18602b8325a6f884a81a6405b094bc2697ce2568 Mon Sep 17 00:00:00 2001
From: Hidde Beydals
Date: Mon, 20 Mar 2023 10:54:30 +0100
Subject: [PATCH] build: update scan workflow

- Update actions to their latest versions.
- Use SHA to (potentially) allow enabling Dependabot.
- Add Go Modules caching using `actions/setup-go` (supported since >=v3).
- Add `--all-projects` flag to `snyk`.

Signed-off-by: Hidde Beydals
---
 .github/workflows/scan.yaml | 32 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
index d78894e..10f8bf2 100644
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -16,9 +16,10 @@ jobs:
 name: FOSSA
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - name: Checkout
+ uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
 - name: Run FOSSA scan and upload build data
- uses: fossa-contrib/fossa-action@v2
+ uses: fossa-contrib/fossa-action@6728dc6fe9a068c648d080c33829ffbe56565023 # v2.0.0
 with:
 # FOSSA Push-Only API Token
 fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
@@ -29,11 +30,15 @@ jobs:
 runs-on: ubuntu-latest
 if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
 steps:
- - uses: actions/checkout@v3
+ - name: Checkout
+ uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
 - name: Setup Go
- uses: actions/setup-gov3
+ uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
 with:
 go-version: 1.20.x
+ cache-dependency-path: |
+ **/go.sum
+ **/go.mod
 - name: Download modules
 run: |
 make tidy
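Review bot: The new `Checkout` step pins `actions/checkout` but keeps its default of persisting the job's `GITHUB_TOKEN` in the checked-out repository's git config, where every later step of the job (the FOSSA action here, `make tidy` and the `snyk` CLI in the `@@ -29,11` hunk, the CodeQL steps in the `@@ -53,17` hunk) can read it; none of these jobs push back, so add `persist-credentials: false` under `with:` on this step and on the matching checkout steps in those two hunks. The same job also still passes `fossa-api-key` as a literal in the workflow; it is labelled push-only, but supplying it as `${{ secrets.FOSSA_API_KEY }}` would match how `SNYK_TOKEN` is handled and allow rotating it without a code change. The `fossa` job's header lines are above this hunk.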
@@ -41,11 +46,11 @@ jobs:
 - name: Run Snyk to check for vulnerabilities
 continue-on-error: true
 run: |
- snyk test --sarif-file-output=snyk.sarif
+ snyk test --all-projects --sarif-file-output=snyk.sarif
 env:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 - name: Upload result to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7
 with:
 sarif_file: snyk.sarif
@@ -53,17 +58,20 @@ jobs:
 name: CodeQL
 runs-on: ubuntu-latest
 steps:
- - name: Checkout repository
- uses: actions/checkout@v3
+ - name: Checkout
+ uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
 - name: Setup Go
- uses: actions/setup-go@v3
+ uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
 with:
 go-version: 1.20.x
+ cache-dependency-path: |
+ **/go.sum
+ **/go.mod
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7
 with:
 languages: go
 - name: Autobuild
- uses: github/codeql-action/autobuild@v2
+ uses: github/codeql-action/autobuild@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7
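Review bot: The pinned `upload-sarif` step writes to the code-scanning API, which needs `security-events: write`, yet no `permissions:` block is visible in these hunks; if the workflow relies on the repository's default token scope, give the `snyk` job (and the `codeql` job in the `@@ -53,17` hunk, whose `analyze` step has the same need) an explicit `permissions:` with `contents: read` and `security-events: write` so the token carries only what the upload requires. Separately, `continue-on-error: true` on the scan step means a `snyk test --all-projects` run that exits before writing `snyk.sarif` — an authentication failure, for example — surfaces only as a failed upload of a missing file; a guard such as `if: ${{ hashFiles('snyk.sarif') != '' }}` on the upload step, or dropping `continue-on-error`, would make that outcome explicit rather than incidental. The step that installs the `snyk` CLI is not within this hunk.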