Conversation
…gescott@gmail.com>
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| uses: actions/checkout@v4 # Checkout the repository code using the actions/checkout action | ||
|
|
||
| - name: PR Conventional Commit Validation | ||
| uses: ytanikin/PRConventionalCommits@1.1.0 # Use the PRConventionalCommits action to validate PR titles |
Check warning
Code scanning / Semgrep (reported by Codacy)
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
| fetch-depth: 0 # Fetch all history for all branches to ensure complete commit history is available | ||
|
|
||
| - name: Set up environment variables | ||
| run: | |
Check failure
Code scanning / Semgrep (reported by Codacy)
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner.
| fetch-depth: 0 # Fetch all history for all branches to ensure we have the full commit history | ||
|
|
||
| - name: Set up environment variables | ||
| run: | |
Check failure
Code scanning / Semgrep (reported by Codacy)
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner.
|
|
||
| # Step to set up environment variables required for the script. | ||
| - name: Set up environment variables | ||
| run: | |
Check failure
Code scanning / Semgrep (reported by Codacy)
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner.
| if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' | ||
| name: Analyze | ||
| runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} | ||
| permissions: |
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure top-level permissions are not set to write-all
| @@ -0,0 +1,36 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | |||
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure top-level permissions are not set to write-all
| @@ -0,0 +1,57 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | |||
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure top-level permissions are not set to write-all
| with: | ||
| fetch-depth: 0 # Fetch all history for all branches to ensure complete commit history is available | ||
|
|
||
| - name: Set up environment variables |
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure run commands are not vulnerable to shell injection
| @@ -0,0 +1,43 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | |||
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure top-level permissions are not set to write-all
| with: | ||
| fetch-depth: 0 # Fetch all history for all branches to ensure we have the full commit history | ||
|
|
||
| - name: Set up environment variables |
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure run commands are not vulnerable to shell injection
…gescott@gmail.com>
…gescott@gmail.com>
| uses: actions/setup-node@v3 | ||
| - name: Get Last Merged PR | ||
| id: get_merged_pr | ||
| uses: actions-ecosystem/action-get-merged-pull-request@v1 |
Check warning
Code scanning / Semgrep (reported by Codacy)
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
1 participant
This PR syncs workflows from the central-workflows repository. Signed-off-by: Scott busingescott@gmail.com