chore: Adding GH Workflows #2
| name: Snyk | |
| on: | |
| merge_group: | |
| workflow_dispatch: | |
| pull_request: | |
| types: | |
| - opened | |
| - synchronize | |
| push: | |
| branches: | |
| - main | |
| schedule: | |
| - cron: '30 0 1,15 * *' | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} | |
| jobs: | |
| # First job to discover all packages dynamically | |
| discover-packages: | |
| name: Discover Packages | |
| runs-on: ubuntu-latest | |
| outputs: | |
| matrix: ${{ steps.set-matrix.outputs.matrix }} | |
| steps: | |
| - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group' | |
| run: exit 0 | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha || github.ref }} | |
| - name: Discover packages | |
| id: set-matrix | |
| run: | | |
| packages=$(find packages -maxdepth 1 -type d -name "auth0_*" | sed 's|^packages/||' | jq -R -s -c 'split("\n")[:-1]') | |
| echo "matrix={\"package\":$packages}" >> $GITHUB_OUTPUT | |
| echo "Found packages: $packages" | |
| # Main security scanning job for each package | |
| security-scan: | |
| name: Security Scan (${{ matrix.package }}) | |
| runs-on: ubuntu-latest | |
| needs: discover-packages | |
| if: needs.discover-packages.outputs.matrix != '{"package":[]}' | |
| strategy: | |
| fail-fast: false | |
| matrix: ${{ fromJson(needs.discover-packages.outputs.matrix) }} | |
| steps: | |
| - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group' | |
| run: exit 0 # Skip unnecessary test runs for dependabot and merge queues | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha || github.ref }} | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| - name: Prepare dependencies for Snyk scan | |
| working-directory: packages/${{ matrix.package }} | |
| run: | | |
| # Check if requirements.txt exists, if not, generate from Poetry | |
| if [ -f "requirements.txt" ]; then | |
| echo "Using existing requirements.txt for ${{ matrix.package }}" | |
| cp requirements.txt snyk-requirements.txt | |
| elif [ -f "pyproject.toml" ]; then | |
| echo "Generating requirements.txt from pyproject.toml for ${{ matrix.package }}" | |
| pip install poetry | |
| poetry export --format requirements.txt --output snyk-requirements.txt --without-hashes | |
| else | |
| echo "No dependency file found for ${{ matrix.package }}" | |
| exit 1 | |
| fi | |
| # Show what we're scanning | |
| echo "Dependencies to scan:" | |
| head -10 snyk-requirements.txt | |
| - name: Run Snyk security scan | |
| uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # pin@0.4.0 | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| with: | |
| args: --file=packages/${{ matrix.package }}/snyk-requirements.txt --package-manager=pip | |
| - name: Upload Snyk results to GitHub Code Scanning | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: snyk.sarif | |
| category: snyk-${{ matrix.package }} |
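Review bot: The workflow-level `permissions: contents: read` leaves the job token without `security-events: write`, so the final `github/codeql-action/upload-sarif@v3` step will be refused by the API ("Resource not accessible by integration") and the `if: always()` only guarantees that the failure is reached. Grant it where the upload happens, e.g. on the `security-scan` job: `permissions:` / `  contents: read` / `  security-events: write` (private repositories may additionally need `actions: read`, which I cannot confirm from the page). The `run: exit 0` guard steps in both jobs do not skip the job — a step exiting 0 just succeeds and the following steps still run — so the comment "Skip unnecessary test runs for dependabot and merge queues" is not what happens; moving the condition to a job-level `if: github.actor != 'dependabot[bot]' && github.event_name != 'merge_group'` would do what the comment says. Unless the pinned snyk/actions revision writes snyk.sarif on its own, the scan step also seems to need `--sarif-file-output=snyk.sarif` in `args` (or the action's SARIF input) for the upload step to find a file; verify against that revision's action.yml.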