Bump actions/download-artifact from 2 to 4.1.7 in /.github/workflows #22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow will run CRA build a docker container, publish it to IBM Container Registry, and deploy it to IKS when a release is created | |
| # | |
| # To configure this workflow: | |
| # | |
| # 1. Ensure that your repository contains a Dockerfile | |
| # 2. Setup secrets in your repository by going to settings: Create ICR_NAMESPACE and IBM_CLOUD_API_KEY | |
| # 3. Change the values for the IBM_CLOUD_REGION, REGISTRY_HOSTNAME, IMAGE_NAME, IKS_CLUSTER, DEPLOYMENT_NAME, and PORT | |
| name: Run Code Risk Analyzer on PR | |
| # https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows | |
| on: pull_request | |
| # Edit to the branch(es) you want to build and deploy on each push. | |
| # branches: [ $default-branch ] | |
| # release: | |
| # types: [created] | |
| # Environment variables available to all jobs and steps in this workflow | |
| env: | |
| GITHUB_SHA: ${{ github.sha }} | |
| IBM_CLOUD_API_KEY: ${{ secrets.IBM_CLOUD_API_KEY }} | |
| IBM_CLOUD_REGION: us-south | |
| ICR_NAMESPACE: ${{ secrets.ICR_NAMESPACE }} | |
| REGISTRY_HOSTNAME: us.icr.io | |
| IMAGE_NAME: trader-gha-test | |
| IKS_CLUSTER: ${{ secrets.IKS_CLUSTER }} | |
| DEPLOYMENT_NAME: trader | |
| CLUSTER_NAMESPACE: trader-gha-test | |
| EVIDENCE_DIR: evidence-repo | |
| TOOLCHAIN_REGION: us-south | |
| TOOLCHAIN_ID: ${{ secrets.TOOLCHAIN_ID }} | |
| REGION_ID: dal08 | |
| jobs: | |
| cra-discovery: | |
| name: CRA discovery | |
| runs-on: ubuntu-latest | |
| container: icr.io/continuous-delivery/cra-discovery:release.1571 | |
| environment: production | |
| steps: | |
| - name: Update git | |
| run: | | |
| set -x +e | |
| uname -a | |
| git --version | |
| add-apt-repository ppa:git-core/ppa -y | |
| apt-get update | |
| apt-get install git -y | |
| git --version | |
| set -e | |
| - name: Checkout | |
| uses: actions/checkout@v2 | |
| - name: Get timestamp | |
| uses: actions/[email protected] | |
| id: author-date | |
| with: | |
| github-token: ${{secrets.GITHUB_TOKEN}} | |
| script: | | |
| const commit_details = await github.git.getCommit({owner: context.repo.owner, repo: context.repo.repo, commit_sha: context.sha}); | |
| return commit_details.data.author.date | |
| - name: Check timestamp | |
| run: echo $COMMITTED_AT | |
| env: | |
| COMMITTED_AT: ${{ steps.author-date.outputs.result }} | |
| - name: discovery | |
| continue-on-error: false | |
| env: | |
| DIRECTORY_NAME: . | |
| PIPELINE_DEBUG: 1 | |
| COMMITTED_AT: ${{ steps.author-date.outputs.result }} | |
| run: | | |
| set -x | |
| pwd | |
| API_ENDPOINT="https://cloud.ibm.com" | |
| OTC_BROKER_BASE_URL="https://otcbroker.devopsinsights.cloud.ibm.com" | |
| REPO_DIR_PATH="$GITHUB_WORKSPACE" | |
| echo "Fetching users's token" | |
| ibmcloud config --check-version false | |
| ibmcloud login -a $API_ENDPOINT -r $TOOLCHAIN_REGION --apikey $IBM_CLOUD_API_KEY | |
| export IBM_CLOUD_BEARER=$(ibmcloud iam oauth-tokens --output JSON | jq -r '.iam_token' | awk '{ print $2 }') | |
| echo "Fetching service urls for user's data" | |
| HTTP_RESPONSE=$(curl --silent --write-out "HTTPSTATUS:%{http_code}" \ | |
| -X GET "${OTC_BROKER_BASE_URL}/globalauth/toolchainids/${TOOLCHAIN_ID}" \ | |
| --header "Authorization: Bearer ${IBM_CLOUD_BEARER}") | |
| HTTP_STATUS=$(echo $HTTP_RESPONSE | tr -d '\n' | sed -e 's/.*HTTPSTATUS://') | |
| if [ "$HTTP_STATUS" -eq 401 -o "$HTTP_STATUS" -eq 403 ]; then | |
| echo "" | |
| echo "Error authenticating user for toolchain_id: ${TOOLCHAIN_ID}" | |
| echo "Please verify the Devops Insights card has been added to your toolchain and the api-key has access." | |
| exit 1 | |
| fi | |
| if [ "$HTTP_STATUS" -ne 200 ]; then | |
| echo "" | |
| echo "Error! Please try again." | |
| exit 1 | |
| fi | |
| HTTP_BODY=$(echo $HTTP_RESPONSE | sed -e 's/HTTPSTATUS\:.*//g') | |
| gitsecureUrl=$(echo ${HTTP_BODY} | jq -r '.service_urls.gitsecure') | |
| if [ -z "$gitsecureUrl" -o "$gitsecureUrl" = "null" ]; then | |
| echo "" | |
| echo "Error IBM Code Risk Analyzer is not supported in ${REGION_ID}" | |
| exit 1 | |
| fi | |
| echo "Repo URL: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY" | |
| echo "Branch: $GITHUB_REF" | |
| echo "Commit id: $GITHUB_SHA" | |
| /usr/local/bin/discovery \ | |
| -giturl "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY" \ | |
| -gitbranch "$GITHUB_REF" \ | |
| -repodir $REPO_DIR_PATH \ | |
| -rigapi "${gitsecureUrl}" \ | |
| -commitid "$GITHUB_SHA" \ | |
| -commitTimestamp "$COMMITTED_AT" \ | |
| -toolchainid "${TOOLCHAIN_ID}" | |
| cra-vulnerability-scan: | |
| name: cra-vulnerability-scan | |
| runs-on: ubuntu-latest | |
| needs: cra-discovery | |
| container: icr.io/continuous-delivery/cra-vulnerability:release.1561 | |
| environment: production | |
| outputs: | |
| cra-vulnerability-scan-result: ${{ steps.remediation.outputs.cra-vulnerability-scan-result }} | |
| steps: | |
| - name: Update git | |
| run: | | |
| set -x +e | |
| uname -a | |
| git --version | |
| add-apt-repository ppa:git-core/ppa -y | |
| apt-get update | |
| apt-get install git -y | |
| git --version | |
| set -e | |
| - name: Checkout | |
| uses: actions/checkout@v2 | |
| - name: Get timestamp | |
| uses: actions/[email protected] | |
| id: author-date | |
| with: | |
| github-token: ${{secrets.GITHUB_TOKEN}} | |
| script: | | |
| const commit_details = await github.git.getCommit({owner: context.repo.owner, repo: context.repo.repo, commit_sha: context.sha}); | |
| return commit_details.data.author.date | |
| - name: Check timestamp | |
| run: echo $COMMITTED_AT | |
| env: | |
| COMMITTED_AT: ${{ steps.author-date.outputs.result }} | |
| - name: remediation | |
| id: remediation | |
| continue-on-error: false | |
| env: | |
| DIRECTORY_NAME: . | |
| PIPELINE_DEBUG: 1 | |
| COMMITTED_AT: ${{ steps.author-date.outputs.result }} | |
| run: | | |
| set -x | |
| API_ENDPOINT="https://cloud.ibm.com" | |
| OTC_BROKER_BASE_URL="https://otcbroker.devopsinsights.cloud.ibm.com" | |
| REPO_DIR_PATH="$GITHUB_WORKSPACE" | |
| ls -la | |
| ls -la $REPO_DIR_PATH | |
| echo "Fetching users's token" | |
| ibmcloud config --check-version false | |
| ibmcloud login -a $API_ENDPOINT -r $TOOLCHAIN_REGION --apikey $IBM_CLOUD_API_KEY | |
| export IBM_CLOUD_BEARER=$(ibmcloud iam oauth-tokens --output JSON | jq -r '.iam_token' | awk '{ print $2 }') | |
| echo "Fetching service urls for user's data" | |
| HTTP_RESPONSE=$(curl --silent --write-out "HTTPSTATUS:%{http_code}" \ | |
| -X GET "${OTC_BROKER_BASE_URL}/globalauth/toolchainids/${TOOLCHAIN_ID}" \ | |
| --header "Authorization: Bearer ${IBM_CLOUD_BEARER}") | |
| HTTP_STATUS=$(echo $HTTP_RESPONSE | tr -d '\n' | sed -e 's/.*HTTPSTATUS://') | |
| if [ "$HTTP_STATUS" -eq 401 -o "$HTTP_STATUS" -eq 403 ]; then | |
| echo "" | |
| echo "Error authenticating user for toolchain_id: ${TOOLCHAIN_ID}" | |
| echo "Please verify the Devops Insights card has been added to your toolchain and the api-key has access." | |
| exit 1 | |
| fi | |
| if [ "$HTTP_STATUS" -ne 200 ]; then | |
| echo "" | |
| echo "Error! Please try again." | |
| exit 1 | |
| fi | |
| HTTP_BODY=$(echo $HTTP_RESPONSE | sed -e 's/HTTPSTATUS\:.*//g') | |
| gitsecureUrl=$(echo ${HTTP_BODY} | jq -r '.service_urls.gitsecure') | |
| if [ -z "$gitsecureUrl" -o "$gitsecureUrl" = "null" ]; then | |
| echo "" | |
| echo "Error IBM Code Risk Analyzer is not supported in ${REGION_ID}" | |
| exit 1 | |
| fi | |
| vcuratorUrl=$(echo ${HTTP_BODY} | jq -r '.service_urls.vcurator') | |
| if [ -z "$vcuratorUrl" -o "$vcuratorUrl" = "null" ]; then | |
| echo "Error fetching the vcurator url." | |
| exit 1 | |
| fi | |
| touch results-status.txt | |
| /gitsecure/vulnerability-task \ | |
| -giturl "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY" \ | |
| -gitbranch "$GITHUB_REF" \ | |
| -rigserviceapi "${gitsecureUrl}" \ | |
| -runid "$GITHUB_RUN_ID" \ | |
| -commitid "$GITHUB_SHA" \ | |
| -security_advisory_svc "${vcuratorUrl}" \ | |
| -results_status "./results-status.txt" \ | |
| -results_evidence "./gitsecure-vulnerability-results.json" \ | |
| -toolchainid "${TOOLCHAIN_ID}" \ | |
| -comment_md "./vulnerability-comment.md" | |
| ls -la | |
| RESULT=$(cat results-status.txt) | |
| echo "RESULT=$RESULT" | |
| cat gitsecure-vulnerability-results.json | |
| cat vulnerability-comment.md | |
| echo "::set-output name=cra-vulnerability-scan-result::${RESULT}" | |
| if [ $RESULT != 'success' ]; then | |
| echo "Scan failed." | |
| exit 1 | |
| fi | |
| - name: Upload results | |
| if: always() | |
| uses: actions/upload-artifact@v2 | |
| with: | |
| name: comment_md | |
| path: vulnerability-comment.md | |
| cra-vulnerability-scan-comment: | |
| name: cra-vulnerability-scan-comment | |
| if: always() | |
| runs-on: ubuntu-latest | |
| needs: cra-vulnerability-scan | |
| container: icr.io/continuous-delivery/cra-comm-editor:release.1519 | |
| environment: production | |
| steps: | |
| - name: Download results | |
| uses: actions/[email protected] | |
| with: | |
| name: comment_md | |
| - name: Add comment | |
| env: | |
| TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PR_NUMBER: ${{ github.event.number }} | |
| run: | | |
| set -x +e | |
| COMMENT_FP="./vulnerability-comment.md" | |
| /usr/local/bin/comm-editor \ | |
| -repo-url "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY" \ | |
| -pr-url "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/pull/$PR_NUMBER" \ | |
| -token "$TOKEN" \ | |
| -comment-fp "$COMMENT_FP" \ | |
| -project-id "" \ | |
| -scm-type "github" | |
| COMM_RESULT=$? | |
| if [ "$COMM_RESULT" != "0" ]; then | |
| echo "Error posting comment to pull request" | |
| exit 1 | |
| fi | |
| cra-cis-check: | |
| name: cra-cis-check | |
| runs-on: ubuntu-latest | |
| needs: cra-discovery | |
| container: icr.io/continuous-delivery/cra-cis:release.1567 | |
| environment: production | |
| outputs: | |
| cra-cis-check-result: ${{ steps.cis.outputs.cra-cis-check-result }} | |
| steps: | |
| - name: Update git | |
| run: | | |
| set -x +e | |
| uname -a | |
| git --version | |
| add-apt-repository ppa:git-core/ppa -y | |
| apt-get update | |
| apt-get install git -y | |
| git --version | |
| set -e | |
| - name: Checkout | |
| uses: actions/checkout@v2 | |
| - name: cis | |
| id: cis | |
| continue-on-error: false | |
| env: | |
| DIRECTORY_NAME: . | |
| PIPELINE_DEBUG: 1 | |
| run: | | |
| set -x | |
| API_ENDPOINT="https://cloud.ibm.com" | |
| OTC_BROKER_BASE_URL="https://otcbroker.devopsinsights.cloud.ibm.com" | |
| REPO_DIR_PATH="$GITHUB_WORKSPACE" | |
| whoami | |
| echo "Home is $HOME" | |
| ls -la /github/home/ | |
| echo "Fetching users's token" | |
| ibmcloud config --check-version false | |
| ls -la /github/home/ | |
| ls -la /github/home/.bluemix | |
| ibmcloud login -a $API_ENDPOINT -r $TOOLCHAIN_REGION --apikey $IBM_CLOUD_API_KEY | |
| export IBM_CLOUD_BEARER=$(ibmcloud iam oauth-tokens --output JSON | jq -r '.iam_token' | awk '{ print $2 }') | |
| echo "Fetching service urls for user's data" | |
| HTTP_RESPONSE=$(curl --silent --write-out "HTTPSTATUS:%{http_code}" \ | |
| -X GET "${OTC_BROKER_BASE_URL}/globalauth/toolchainids/${TOOLCHAIN_ID}" \ | |
| --header "Authorization: Bearer ${IBM_CLOUD_BEARER}") | |
| HTTP_STATUS=$(echo $HTTP_RESPONSE | tr -d '\n' | sed -e 's/.*HTTPSTATUS://') | |
| if [ "$HTTP_STATUS" -eq 401 -o "$HTTP_STATUS" -eq 403 ]; then | |
| echo "" | |
| echo "Error authenticating user for toolchain_id: ${TOOLCHAIN_ID}" | |
| echo "Please verify the Devops Insights card has been added to your toolchain and the api-key has access." | |
| exit 1 | |
| fi | |
| if [ "$HTTP_STATUS" -ne 200 ]; then | |
| echo "" | |
| echo "Error! Please try again." | |
| exit 1 | |
| fi | |
| HTTP_BODY=$(echo $HTTP_RESPONSE | sed -e 's/HTTPSTATUS\:.*//g') | |
| gitsecureUrl=$(echo ${HTTP_BODY} | jq -r '.service_urls.gitsecure') | |
| if [ -z "$gitsecureUrl" -o "$gitsecureUrl" = "null" ]; then | |
| echo "" | |
| echo "Error IBM Code Risk Analyzer is not supported in ${REGION_ID}" | |
| exit 1 | |
| fi | |
| touch results-status.txt | |
| /usr/local/bin/deploy-analytic \ | |
| -giturl "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY" \ | |
| -gitbranch "$GITHUB_REF" \ | |
| -repodir $REPO_DIR_PATH \ | |
| -apiservice "${gitsecureUrl}" \ | |
| -runid "$GITHUB_RUN_ID" \ | |
| -commitid "$GITHUB_SHA" \ | |
| -results_status "./results-status.txt" \ | |
| -results_evidence "./gitsecure-cis-results.json" \ | |
| -toolchainid "${TOOLCHAIN_ID}" \ | |
| -comment_md "./gitsecure-cis-comment.md" | |
| ls -la | |
| RESULT=$(cat results-status.txt) | |
| echo "RESULT=$RESULT" | |
| cat gitsecure-cis-results.json | |
| cat gitsecure-cis-comment.md | |
| echo "::set-output name=cra-cis-check-result::${RESULT}" | |
| if [ $RESULT != 'success' ]; then | |
| echo "Scan failed." | |
| exit 1 | |
| fi | |
| - name: Upload results | |
| uses: actions/upload-artifact@v2 | |
| if: always() | |
| with: | |
| name: cis_comment_md | |
| path: gitsecure-cis-comment.md | |
| cra-cis-check-comment: | |
| name: cra-cis-check-comment | |
| if: always() | |
| runs-on: ubuntu-latest | |
| needs: cra-cis-check | |
| container: icr.io/continuous-delivery/cra-comm-editor:release.1519 | |
| environment: production | |
| steps: | |
| - name: Download results | |
| uses: actions/[email protected] | |
| with: | |
| name: cis_comment_md | |
| - name: Add comment | |
| env: | |
| TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PR_NUMBER: ${{ github.event.number }} | |
| BASE_SHA: ${{ github.event.pull_request.base.sha }} | |
| run: | | |
| set -x +e | |
| COMMENT_FP="./gitsecure-cis-comment.md" | |
| /usr/local/bin/comm-editor \ | |
| -repo-url "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY" \ | |
| -pr-url "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/pull/$PR_NUMBER" \ | |
| -token "$TOKEN" \ | |
| -comment-fp "$COMMENT_FP" \ | |
| -project-id "" \ | |
| -scm-type "github" | |
| COMM_RESULT=$? | |
| if [ "$COMM_RESULT" != "0" ]; then | |
| echo "Error posting comment to pull request" | |
| exit 1 | |
| fi | |
| cra-bom: | |
| name: cra-bom | |
| runs-on: ubuntu-latest | |
| needs: cra-discovery | |
| container: icr.io/continuous-delivery/cra-bom:release.1497 | |
| environment: production | |
| outputs: | |
| cra-bom-result: ${{ steps.bom.outputs.cra-bom-result }} | |
| steps: | |
| - name: Update git | |
| run: | | |
| set -x +e | |
| uname -a | |
| git --version | |
| add-apt-repository ppa:git-core/ppa -y | |
| apt-get update | |
| apt-get install git -y | |
| git --version | |
| set -e | |
| - name: bom | |
| id: bom | |
| continue-on-error: false | |
| env: | |
| TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PR_NUMBER: ${{ github.event.number }} | |
| BASE_SHA: ${{ github.event.pull_request.base.sha }} | |
| TARGET_BRANCH: $GITHUB_BASE_REF | |
| DIRECTORY_NAME: . | |
| PIPELINE_DEBUG: 1 | |
| run: | | |
| set -x +e | |
| API_ENDPOINT="https://cloud.ibm.com" | |
| OTC_BROKER_BASE_URL="https://otcbroker.devopsinsights.cloud.ibm.com" | |
| REPO_DIR_PATH="$GITHUB_WORKSPACE" | |
| whoami | |
| CURRENT_USER=$(whoami) | |
| echo "Home is $HOME" | |
| sudo mkdir /github/home/.bluemix | |
| sudo chown -R $CURRENT_USER:$CURRENT_USER /github/home/.bluemix | |
| echo "Fetching users's token" | |
| #commented out due to permision error - Configuration error: mkdir /github/home/.bluemix: permission denied | |
| ibmcloud config --check-version false | |
| ibmcloud login -a $API_ENDPOINT -r $TOOLCHAIN_REGION --apikey $IBM_CLOUD_API_KEY | |
| export IBM_CLOUD_BEARER=$(ibmcloud iam oauth-tokens --output JSON | jq -r '.iam_token' | awk '{ print $2 }') | |
| echo "Fetching service urls for user's data" | |
| HTTP_RESPONSE=$(curl --silent --write-out "HTTPSTATUS:%{http_code}" \ | |
| -X GET "${OTC_BROKER_BASE_URL}/globalauth/toolchainids/${TOOLCHAIN_ID}" \ | |
| --header "Authorization: Bearer ${IBM_CLOUD_BEARER}") | |
| HTTP_STATUS=$(echo $HTTP_RESPONSE | tr -d '\n' | sed -e 's/.*HTTPSTATUS://') | |
| if [ "$HTTP_STATUS" -eq 401 -o "$HTTP_STATUS" -eq 403 ]; then | |
| echo "" | |
| echo "Error authenticating user for toolchain_id: ${TOOLCHAIN_ID}" | |
| echo "Please verify the Devops Insights card has been added to your toolchain and the api-key has access." | |
| exit 1 | |
| fi | |
| if [ "$HTTP_STATUS" -ne 200 ]; then | |
| echo "" | |
| echo "Error! Please try again." | |
| exit 1 | |
| fi | |
| HTTP_BODY=$(echo $HTTP_RESPONSE | sed -e 's/HTTPSTATUS\:.*//g') | |
| gitsecureUrl=$(echo ${HTTP_BODY} | jq -r '.service_urls.gitsecure') | |
| if [ -z "$gitsecureUrl" -o "$gitsecureUrl" = "null" ]; then | |
| echo "" | |
| echo "Error IBM Code Risk Analyzer is not supported in ${REGION_ID}" | |
| exit 1 | |
| fi | |
| uiUrl=$(echo ${HTTP_BODY} | jq -r '.service_urls.controlcenter') | |
| if [ -z "$uiUrl" -o "$uiUrl" = "null" ]; then | |
| echo "Error fetching the ui url." | |
| exit 1 | |
| fi | |
| echo "Current dir: $(pwd)" | |
| echo "changing permissions for $(pwd)" | |
| sudo chown -R $CURRENT_USER:$CURRENT_USER $(pwd) | |
| touch results-status.txt | |
| echo "BASE_SHA $BASE_SHA" | |
| echo "TARGET_BRANCH $TARGET_BRANCH" | |
| echo "GITHUB_BASE_REF $GITHUB_BASE_REF" | |
| echo "GITHUB_HEAD_REF $GITHUB_HEAD_REF" | |
| echo "GITHUB_REF $GITHUB_REF" | |
| /gitsecure/bom-task \ | |
| -giturl "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY" \ | |
| -gitbranch "$GITHUB_REF" \ | |
| -rigserviceapi ${gitsecureUrl} \ | |
| -ui_url ${uiUrl} \ | |
| -pr "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/pull/$PR_NUMBER" \ | |
| -runid "$GITHUB_RUN_ID" \ | |
| -commitid "$GITHUB_SHA" \ | |
| -target_commitid "$BASE_SHA" \ | |
| -target_branch "$GITHUB_BASE_REF" \ | |
| -results_status "./results-status.txt" \ | |
| -results_evidence "./gitsecure-bom-results.json" \ | |
| -toolchainid "${TOOLCHAIN_ID}" \ | |
| -comment_md "./gitsecure-bom-comment.md" | |
| ls -la | |
| RESULT=$(cat results-status.txt) | |
| echo "RESULT=$RESULT" | |
| cat gitsecure-bom-results.json | |
| cat gitsecure-bom-comment.md | |
| echo "::set-output name=cra-bom-result::${RESULT}" | |
| if [ $RESULT != 'success' ]; then | |
| echo "Scan failed." | |
| exit 1 | |
| fi | |
| - name: Upload results | |
| uses: actions/upload-artifact@v2 | |
| if: always() | |
| with: | |
| name: bom_comment_md | |
| path: gitsecure-bom-comment.md | |
| cra-bom-comment: | |
| name: cra-bom-comment | |
| if: always() | |
| runs-on: ubuntu-latest | |
| needs: cra-bom | |
| container: icr.io/continuous-delivery/cra-comm-editor:release.1519 | |
| environment: production | |
| steps: | |
| - name: Download results | |
| uses: actions/[email protected] | |
| with: | |
| name: bom_comment_md | |
| - name: Add comment | |
| env: | |
| TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PR_NUMBER: ${{ github.event.number }} | |
| run: | | |
| set -x +e | |
| COMMENT_FP="./gitsecure-bom-comment.md" | |
| /usr/local/bin/comm-editor \ | |
| -repo-url "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY" \ | |
| -pr-url "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/pull/$PR_NUMBER" \ | |
| -token "$TOKEN" \ | |
| -comment-fp "$COMMENT_FP" \ | |
| -project-id "" \ | |
| -scm-type "github" | |
| COMM_RESULT=$? | |
| if [ "$COMM_RESULT" != "0" ]; then | |
| echo "Error posting comment to pull request" | |
| exit 1 | |
| fi |