Skip to content
Security

Security #17737

Sign in to view logs

Security

Security #17737

Workflow file for this run

.github/workflows/security.yml at fb4f384
---
name: Security
on:
pull_request:
types:
- unlabeled # if GitHub Actions stuck, add and remove "not ready" label to force rebuild
- opened
- reopened
- synchronize
push:
branches:
- main
- main-*
- releases/*
schedule:
- cron: "12 0 * * *"
# Do not run this workflow in parallel for any PR change.
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }}
cancel-in-progress: true
env:
GOPATH: /home/runner/go
GOCACHE: /home/runner/go/cache
GOLANGCI_LINT_CACHE: /home/runner/go/cache/lint
GOMODCACHE: /home/runner/go/mod
GOPROXY: https://proxy.golang.org
GOTOOLCHAIN: local
jobs:
security-scan:
name: Security scan
runs-on: ubuntu-22.04
timeout-minutes: 10
if: github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'not ready')
steps:
# TODO https://github.com/FerretDB/github-actions/issues/211
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0 # for `git describe` to work
lfs: false # LFS is used only by website
- name: Setup Go
uses: FerretDB/github-actions/setup-go@main
with:
cache-key: security
- name: Install Task
run: go generate -x
working-directory: tools
# https://github.com/aquasecurity/trivy/issues?q=is%3Aissue+%22permission+denied%22
- name: Create directory
run: mkdir -p tmp/trivy/fanal
- name: Scan
run: bin/task security
# disabled until https://github.com/actions/dependency-review-action/issues/459 is resolved
- name: Check dependencies for PRs
# if: github.event_name == 'pull_request'
if: false
uses: actions/dependency-review-action@v4
with:
allow-licenses: Apache-2.0, BSD-3-Clause, MIT