chore: Adding GH Workflows #9

Workflow file for this run

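name: Snyk

# Triggers: every PR revision, pushes to main, a twice-monthly full sweep and
# manual runs. merge_group is listed so the check is reported to the merge
# queue. `reopened` is included because GitHub does not rerun a workflow for
# a closed-and-reopened PR otherwise, leaving it with a result computed
# before the close (main may have moved since).
# yamllint disable-line rule:truthy
on:
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
  merge_group:
  push:
    branches:
      - main
  schedule:
    # 00:30 UTC on the 1st and 15th of every month
    - cron: '30 0 1,15 * *'
  workflow_dispatch:

# Least privilege: the jobs only read the repository. Access to Snyk is via
# the SNYK_TOKEN secret, not via a GitHub permission.
permissions:
  contents: read

# One in-flight run per PR (or per ref). Superseded PR runs are cancelled;
# runs on main are always allowed to finish.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}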
jobs:
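# Discover packages with changes for targeted scanning
  discover-changed-packages:
    name: Discover Changed Packages
    runs-on: ubuntu-latest
    # Skip at the job level. A step whose script runs `exit 0` only ends that
    # step; every later step in the job still executes, so the previous
    # step-level guard did not skip anything. Dependabot PRs and merge-queue
    # runs are not scanned here (the merge_group trigger exists so the check
    # is reported to the queue; Dependabot dependency bumps have their own
    # alerts).
    if: github.actor != 'dependabot[bot]' && github.event_name != 'merge_group'
    outputs:
      # JSON object consumed by fromJson() in the scan job: {"package": [...]}
      matrix: ${{ steps.set-matrix.outputs.matrix }}
      # 'true'/'false' string gating the scan job
      has-changes: ${{ steps.set-matrix.outputs.has-changes }}
    steps:
      # TODO(review): pin third-party actions to a full commit SHA rather than
      # a mutable major tag so the action code cannot change underneath us.
      - uses: actions/checkout@v4
        with:
          # PR runs check out the PR head; other events use the triggering ref.
          ref: ${{ github.event.pull_request.head.sha || github.ref }}
          # Full history so origin/main exists for the range diff below.
          fetch-depth: 0
      - name: Discover packages with changes
        id: set-matrix
        # The event name is read from the runner-provided GITHUB_EVENT_NAME
        # rather than interpolated via ${{ }} into the script text, so the
        # shell source stays static.
        run: |
          case "$GITHUB_EVENT_NAME" in
            push|schedule|workflow_dispatch)
              # Full scan: every packages/auth0_* directory.
              packages=$(find packages -maxdepth 1 -type d -name "auth0_*" | sed 's|^packages/||' | jq -R -s -c 'split("\n")[:-1]')
              echo "Scanning all packages for $GITHUB_EVENT_NAME event"
              ;;
            *)
              # PR: only the packages with files changed relative to main.
              # grep exits 1 on no match; without pipefail the pipeline's
              # status is jq's, so an empty change set yields "[]".
              changed_files=$(git diff --name-only origin/main...HEAD)
              packages=$(echo "$changed_files" | grep '^packages/auth0_' | cut -d'/' -f2 | sort -u | jq -R -s -c 'split("\n")[:-1] | map(select(length > 0))')
              echo "Changed files: $changed_files"
              echo "Scanning changed packages for PR: $packages"
              ;;
          esac
          # jq -c guarantees a single-line JSON array, as GITHUB_OUTPUT needs.
          echo "matrix={\"package\":$packages}" >> "$GITHUB_OUTPUT"
          if [ "$packages" = "[]" ]; then
            echo "has-changes=false" >> "$GITHUB_OUTPUT"
          else
            echo "has-changes=true" >> "$GITHUB_OUTPUT"
          fi
          echo "Final packages to scan: $packages"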
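# Security scanning for packages with changes
  security-scan:
    name: Security Scan (${{ matrix.package }})
    runs-on: ubuntu-latest
    needs: discover-changed-packages
    # Job-level skip for Dependabot / merge-queue runs (a step running
    # `exit 0` only ends that step, not the job) combined with the
    # "anything to scan?" gate from the discovery job.
    if: >-
      needs.discover-changed-packages.outputs.has-changes == 'true'
      && github.actor != 'dependabot[bot]'
      && github.event_name != 'merge_group'
    strategy:
      fail-fast: false
      matrix: ${{ fromJson(needs.discover-changed-packages.outputs.matrix) }}
    env:
      # The package name is derived from directory names in the checked-out
      # tree, which a PR author controls. It is passed through env and read as
      # "$PACKAGE" inside scripts; interpolating ${{ matrix.package }} directly
      # into `run:` text would let a crafted directory name inject shell.
      PACKAGE: ${{ matrix.package }}
    steps:
      # TODO(review): pin third-party actions to a full commit SHA rather than
      # a mutable major tag.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha || github.ref }}
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - name: Check for requirements.txt
        working-directory: packages/${{ matrix.package }}
        run: |
          if [ ! -f "requirements.txt" ]; then
            echo "❌ requirements.txt not found for $PACKAGE"
            echo "Please ensure requirements.txt exists in the package directory"
            exit 1
          fi
          echo "✅ Found requirements.txt for $PACKAGE"
          echo "Dependencies to scan:"
          head -5 requirements.txt
      - name: Install dependencies
        working-directory: packages/${{ matrix.package }}
        # This executes the install hooks of whatever the PR's requirements.txt
        # lists. The Snyk token is deliberately not in scope here (see the scan
        # step), and the workflow runs on `pull_request`, not
        # `pull_request_target`, so fork PRs get no secrets at all. Note that
        # code run here still shares the runner with the later scan step.
        run: |
          echo "Installing dependencies for Snyk scan..."
          pip install -r requirements.txt
          echo "✅ Dependencies installed successfully"
      - name: Install Snyk CLI
        env:
          # TODO(review): pin to an explicit release tag (vX.Y.Z) so the
          # scanner only changes through a reviewed bump; "latest" silently
          # pulls whatever Snyk publishes next.
          SNYK_CLI_VERSION: latest
        run: |
          set -eu
          base="https://static.snyk.io/cli/${SNYK_CLI_VERSION}"
          # -f makes curl fail on an HTTP error instead of saving the error
          # page as the "binary" and chmod'ing it executable.
          curl -fsSL --retry 3 -o snyk-linux "${base}/snyk-linux"
          # Verify the download against the checksum Snyk publishes next to
          # each binary (format: "<sha256>  snyk-linux").
          curl -fsSL --retry 3 -o snyk-linux.sha256 "${base}/snyk-linux.sha256"
          sha256sum -c snyk-linux.sha256
          sudo install -m 0755 snyk-linux /usr/local/bin/snyk
          snyk --version
      - name: Run Snyk security scan
        working-directory: packages/${{ matrix.package }}
        env:
          # Scoped to this single step. GitHub does not pass secrets to
          # pull_request runs from forks, so the token is empty there.
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          # Fail loudly rather than let snyk die with an auth error; a
          # security gate should not look like it ran when it could not.
          if [ -z "${SNYK_TOKEN:-}" ]; then
            echo "::error::SNYK_TOKEN is not available to this run (fork PR or missing secret); cannot scan $PACKAGE"
            exit 1
          fi
          echo "Running Snyk scan in $(pwd)"
          echo "Python version: $(python3 --version)"
          echo "Pip packages installed:"
          pip3 list | grep -E "(authlib|requests|httpx|ada-url)" || echo "Some packages not found"
          # `--debug` is left out of the routine run: it is very verbose and
          # writes the CLI's request/response traffic into the run log. Add it
          # back locally when troubleshooting a specific failure.
          # A non-zero exit also means "vulnerabilities found", in which case
          # the --allow-missing retry simply reports them a second time.
          snyk test --file=requirements.txt --package-manager=pip --command=python3 || {
            echo "Snyk test failed, trying with --allow-missing flag..."
            snyk test --file=requirements.txt --package-manager=pip --command=python3 -- --allow-missing
          }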