fix(exclusions): excluding results against files in the scanners dire… #599
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ASH - Core Pipeline | |
| on: | |
| push: | |
| branches: | |
| - "*" | |
| tags: | |
| - "*" | |
| pull_request: | |
| branches: | |
| - "*" | |
| workflow_dispatch: {} | |
| env: | |
| PYTHON_VERSION: "3.12" | |
| COLUMNS: 160 | |
| jobs: | |
| build: | |
| # strategy: | |
| # matrix: | |
| # runner: | |
| # # - macos-14 # Docker support on this runner is not working yet, still no options for ARM in hosted :-( | |
| # - ubuntu-latest | |
| name: ASH - Build & Scan | |
| runs-on: ubuntu-latest | |
| env: | |
| IMG_NAME: ${{ github.repository }} | |
| ARCH: ubuntu-latest | |
| SUMMARY_FILE: "ASH Scan Results Summary.md" | |
| permissions: | |
| actions: read | |
| checks: write | |
| contents: read | |
| id-token: write | |
| security-events: write | |
| pull-requests: write | |
| statuses: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup docker | |
| if: runner.os == 'macos' | |
| run: | | |
| brew install docker | |
| docker info | |
| - name: Set up Docker Buildx | |
| if: runner.os == 'macos' | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| platforms: "linux/${{ env.ARCH }}" | |
| - name: Run ASH against itself | |
| id: ash | |
| run: |- | |
| ./ash \ | |
| --build-target ci \ | |
| --source-dir $(pwd) \ | |
| --output-dir .ash/ash_output \ | |
| --inspect \ | |
| --no-fail-on-findings \ | |
| --verbose | |
| - name: Update step summary | |
| if: success() || failure() # always run even if the previous step fails | |
| continue-on-error: false | |
| run: |- | |
| # Add the Markdown summary to the step summary | |
| cat .ash/ash_output/reports/ash.summary.md >> "${GITHUB_STEP_SUMMARY}" | |
| tree .ash/ash_output | |
| - name: Post ASH MarkdownReporter output as PR comment | |
| uses: mshick/add-pr-comment@v2 | |
| # This does not work for fork runs without setting up a proxy | |
| # Info: https://github.com/mshick/add-pr-comment#proxy-for-fork-based-prshttps://github.com/mshick/add-pr-comment#proxy-for-fork-based-prs | |
| if: github.repository_owner == 'awslabs' && (success() || failure()) # always run even if the previous step fails | |
| continue-on-error: true | |
| with: | |
| message-path: .ash/ash_output/reports/ash.summary.md | |
| - name: Collect .ash/ash_output artifact | |
| uses: actions/upload-artifact@v4 | |
| if: success() || failure() # always run even if the previous step fails | |
| continue-on-error: true | |
| with: | |
| name: ash_output | |
| path: .ash/ash_output | |
| if-no-files-found: error | |
| - name: Publish JUnit Test Report | |
| uses: mikepenz/action-junit-report@v5 | |
| if: success() || failure() # always run even if the previous step fails | |
| continue-on-error: true | |
| with: | |
| report_paths: "**/ash.junit.xml" | |
| include_passed: true | |
| update_check: true | |
| check_name: ASH Scan JUnit Test Report | |
| - name: Upload ASH SARIF file | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: success() || failure() # always run even if the previous step fails | |
| continue-on-error: false | |
| with: | |
| sarif_file: .ash/ash_output/reports/ash.sarif | |
| wait-for-processing: true | |
| category: ash | |
| # Unit tests have been moved to a separate workflow file: unit-tests.yml | |
| # This allows for better parallelization and matrix testing across platforms | |
| build-docs: | |
| name: Build documentation | |
| needs: [] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| if: github.event_name == 'pull_request' || (github.event_name == 'push' && github.ref != 'refs/heads/main') | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install Poetry | |
| run: | | |
| curl -sSL https://install.python-poetry.org | python3 - | |
| echo "$HOME/.local/bin" >> $GITHUB_PATH | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| cache: "poetry" | |
| - name: Install Poetry | |
| run: | | |
| curl -sSL https://install.python-poetry.org | python3 - | |
| echo "$HOME/.local/bin" >> $GITHUB_PATH | |
| poetry config virtualenvs.create true | |
| poetry config virtualenvs.in-project true | |
| - name: Install dependencies | |
| run: poetry install | |
| - name: Build documentation | |
| run: poetry run mkdocs build --clean | |
| deploy-docs: | |
| name: Deploy documentation | |
| needs: [] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install Poetry | |
| run: | | |
| curl -sSL https://install.python-poetry.org | python3 - | |
| echo "$HOME/.local/bin" >> $GITHUB_PATH | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| cache: "poetry" | |
| - name: Install Poetry | |
| run: | | |
| curl -sSL https://install.python-poetry.org | python3 - | |
| echo "$HOME/.local/bin" >> $GITHUB_PATH | |
| poetry config virtualenvs.create true | |
| poetry config virtualenvs.in-project true | |
| - name: Install dependencies | |
| run: poetry install | |
| - name: Deploy documentation | |
| run: poetry run mkdocs gh-deploy --clean --force |