chore(deps): bump google-github-actions/auth from 2 to 3 (#3) #37
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # .github/workflows/test-workflows.yml | |
| # Purpose: Test and validate all reusable workflows | |
| # This workflow validates the reusable workflows to ensure they work correctly | |
| name: π§ͺ Test Reusable Workflows | |
| on: | |
| push: | |
| branches: [ main ] | |
| paths: | |
| - '.github/workflows/**' | |
| - '.github/actions/**' | |
| pull_request: | |
| branches: [ main ] | |
| paths: | |
| - '.github/workflows/**' | |
| - '.github/actions/**' | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| jobs: | |
| validate-yaml: | |
| name: β Validate YAML Syntax | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: π₯ Checkout | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - name: π οΈ Install YAML tooling | |
| run: | | |
| python3 -m pip install --upgrade pip | |
| python3 -m pip install --quiet pyyaml | |
| - name: π Validate Workflow YAML | |
| run: | | |
| echo "π Validating workflow YAML files..." | |
| for file in .github/workflows/*.yml; do | |
| echo "Validating $file" | |
| python3 -c "import yaml; yaml.safe_load(open('$file', 'r'))" | |
| echo "β $file is valid" | |
| done | |
| - name: π Validate Action YAML | |
| run: | | |
| echo "π Validating action YAML files..." | |
| for file in .github/actions/*/action.yml; do | |
| echo "Validating $file" | |
| python3 -c "import yaml; yaml.safe_load(open('$file', 'r'))" | |
| echo "β $file is valid" | |
| done | |
| security-scan: | |
| name: π Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: π₯ Checkout | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - name: π Check for hardcoded secrets | |
| run: | | |
| echo "π Scanning for potential secrets..." | |
| SCAN_RESULTS=$(grep -R -n -i -E "(password|secret|token)[[:space:]]*[:=][[:space:]]*[^[:space:]\$]" .github/workflows/ .github/actions/ 2>/dev/null || true) | |
| # Ignore references to GitHub secrets, documented descriptions, and other safe patterns | |
| FILTERED_RESULTS=$(echo "$SCAN_RESULTS" | | |
| grep -vi -E '^[[:space:]]*#' | | |
| grep -vi -E '\\b(description|example|placeholder)\\b' | | |
| grep -vi -E 'hashfiles\(|github\\.token|GITHUB_TOKEN|SLACK_WEBHOOK_URL|AWS_(ACCESS|SECRET)_KEY|SNYK_TOKEN|AZURE_CREDENTIALS|KUBECONFIG' | | |
| grep -vi -E 'id-token:[[:space:]]+write' | | |
| grep -vi -E 'server-password:[[:space:]]+MAVEN_PASSWORD' | | |
| grep -vi -E 'SCAN_RESULTS=|FILTERED_RESULTS=|grep -vi -E' | | |
| grep -vi -E '^$' || true) | |
| if [ -n "$FILTERED_RESULTS" ]; then | |
| echo "β οΈ Potential secrets found in workflow files" | |
| echo "$FILTERED_RESULTS" | |
| exit 1 | |
| else | |
| echo "β No hardcoded secrets found" | |
| fi | |
| - name: π Check for SHA-pinned actions | |
| run: | | |
| echo "π Checking for SHA-pinned actions..." | |
| for file in .github/workflows/*.yml .github/actions/*/action.yml; do | |
| if grep -q "uses:.*@[a-f0-9]\{40\}" "$file"; then | |
| echo "β $file uses SHA-pinned actions" | |
| else | |
| echo "β οΈ $file may not use SHA-pinned actions" | |
| fi | |
| done | |
| test-composite-actions: | |
| name: π§ Test Composite Actions | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: π₯ Checkout | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - name: π§ Test Java & Maven Setup | |
| uses: ./.github/actions/setup-java-maven | |
| with: | |
| java-version: '25' | |
| maven-version: '3.8.8' | |
| - name: β Verify Java Setup | |
| run: | | |
| java -version | |
| mvn -version | |
| echo "β Java and Maven setup verified" | |
| validate-workflow-structure: | |
| name: π Validate Workflow Structure | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: π₯ Checkout | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - name: π Check workflow files exist | |
| run: | | |
| echo "π Checking required workflow files..." | |
| required_workflows=( | |
| "java-ci-secure.yml" | |
| "auto-tag-enhanced.yml" | |
| "auto-delete-branch-enhanced.yml" | |
| "dependabot-auto-merge-enhanced.yml" | |
| "release-workflows.yml" | |
| ) | |
| for workflow in "${required_workflows[@]}"; do | |
| if [ -f ".github/workflows/$workflow" ]; then | |
| echo "β $workflow exists" | |
| else | |
| echo "β $workflow missing" | |
| exit 1 | |
| fi | |
| done | |
| - name: π Check action files exist | |
| run: | | |
| echo "π Checking required action files..." | |
| required_actions=( | |
| "setup-java-maven/action.yml" | |
| "docker-build-push/action.yml" | |
| ) | |
| for action in "${required_actions[@]}"; do | |
| if [ -f ".github/actions/$action" ]; then | |
| echo "β $action exists" | |
| else | |
| echo "β $action missing" | |
| exit 1 | |
| fi | |
| done | |
| - name: π Validate workflow_call triggers | |
| run: | | |
| echo "π Checking workflow_call triggers..." | |
| for file in .github/workflows/*.yml; do | |
| if grep -q "workflow_call:" "$file"; then | |
| echo "β $file has workflow_call trigger" | |
| else | |
| echo "β οΈ $file may not be reusable (no workflow_call)" | |
| fi | |
| done |