Implement OWASP issue campaign workflow with dry-run issue text artifacts#154
Merged
hdamker merged 3 commits intocamaraproject:mainfrom Mar 2, 2026
Merged
Conversation
…ext artifacts Add a new issue-based campaign workflow (campaign-owasp-linting.yml) that scans CAMARA sandbox/incubating API repositories for OWASP findings and opens one issue per affected repository using the existing campaign-finalize-issue-per-repo action. Implement new local action actions/read-owasp-compliance that runs Spectral in JSON mode against code/API_definitions, normalizes findings, supports rule profiles (api4-target and full-camara-owasp), and exposes structured outputs for templating and reporting: - json, summary, has_findings - finding_count, error_count, warning_count, files_checked Add campaign content under campaigns/owasp-linting: - README with run instructions, inputs, and output artifacts - issue-body.mustache with summary, detailed findings, rule guidance, and Commonalities references Implement required dry-run behavior to preserve full issue text per repository: - For each repo with findings in plan mode, upload dedicated artifact containing repo.txt, status.txt, issue-body.md - In aggregate job, merge per-repo issue text artifacts into plan-issue-texts.md - Upload plan-issue-texts.md as separate artifact and mention it in job summary This makes plan mode decision-ready by exposing exact issue bodies before apply, while keeping idempotent dedup behavior in apply mode.
…ions Add explicit precheck in campaign-owasp-linting run job to fail fast when BULK_CAMPAIGN_TOKEN is missing, and use the token for target repository checkout. Update campaign README with required FGPAT setup: - secret name: BULK_CAMPAIGN_TOKEN - repository access across target API repositories - Issues read/write and Contents read permissions Also set github-script repository discovery step to prefer BULK_CAMPAIGN_TOKEN with fallback to GITHUB_TOKEN.
Allow repository_filter to accept a comma-separated list of repository names in addition to a single name. Parse the input into a normalized set and include repos when any listed name matches. Also update workflow input description and campaign README with multi-repository example usage.
hdamker
force-pushed
the
feature/owasp-issue-campaign
branch
from
0693980 to
5839e1c
Compare
Contributor
Author
|
This PR was closed automatically by GitHub after its commits were accidentally pushed directly to main (due to incorrect local branch tracking). The direct push has been reverted and the changes are re-submitted in #157. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
What this PR does / why we need it:
This PR implements the OWASP issue campaign requested in #144.
It adds a new issue-based workflow to scan CAMARA API repositories and prepare/create one issue per affected repository with actionable schema-fix guidance.
Main additions:
campaign-owasp-linting.ymlactions/read-owasp-compliancerule_profile(api4-target,full-camara-owasp)campaigns/owasp-linting/Campaign behavior:
dry_run(plan) andapplymodessandbox-api-repository,incubating-api-repository)repository_filteraccepts single name or comma-separated listcampaign-finalize-issue-per-repoBULK_CAMPAIGN_TOKENvalidation + documented FGPAT requirementsDry-run output requirement from #144 is implemented:
repo.txt,status.txt,issue-body.md) for affected reposplan-issue-texts.mdfor reviewer/operator inspectionWhich issue(s) this PR fixes:
Fixes #144
Special notes for reviewers:
Please specifically review the generated issue text quality and completeness:
campaigns/owasp-linting/templates/issue-body.mustacheactions/read-owasp-compliance/src/index.jsValidation evidence (fork run):
plan/plan.md(summary/status)plan-issue-texts/plan-issue-texts.md(full planned issue text per affected repo)Changelog input
Additional documentation
campaigns/owasp-linting/README.md