refactor: update cctx status to object to split error message into error and revert_error
#8282
name: Linters and SAST
on:
  push:
    branches:
      - develop
      - release/*
    tags:
      - "*"
  merge_group:
  pull_request:

concurrency:
  group: linters-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

jobs:
  gosec:
    runs-on: ubuntu-22.04
    env:
      GO111MODULE: on
    steps:
      - name: Checkout Source
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run Gosec Security Scanner
        uses: zeta-chain/[email protected]
        with:
          args: -exclude-generated -exclude-dir testutil ./...

  lint:
    runs-on: ubuntu-22.04
    timeout-minutes: 15
    env:
      GO111MODULE: on
    steps:
      - name: Checkout Source
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.22'
      - name: Run golangci-lint
        uses: golangci/golangci-lint-action@v6
        with:
          version: v1.59
          skip-cache: true

  nosec_alert:
    runs-on: ubuntu-22.04
    timeout-minutes: 10
    env:
      GO111MODULE: on
    steps:
      - name: Checkout Source
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Getting files updated in the PR
        id: changed-files
        uses: tj-actions/changed-files@v41
        with:
          base_sha: ${{ github.event.pull_request.base.sha }}
      - name: List all changed files
        run: |
          for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
            echo "$file was changed"
          done
      - name: Report nosec usage
        run: |
          nosec_list=()
          nosec_detected=0
          echo "Changed files: ${{ steps.changed-files.outputs.all_changed_files }}"
          for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
            # Skip this workflow file and the changelog
            if [ "$file" == ".github/workflows/sast-linters.yml" ] || [ "$file" == "changelog.md" ]; then
              echo "Skipping nosec check for $file"
              continue
            fi
            # Only consider additions of "nosec", marked by '+'
            if git diff ${{ github.event.pull_request.base.sha }} $file | grep -q '^+.*nosec'; then
              echo "nosec detected in $file"
              nosec_list+=("$file,")
              nosec_detected=1
            else
              echo "nosec not detected in $file"
            fi
          done
          # Join the array with spaces and drop the trailing comma
          nosec_list_string="${nosec_list[@]}"
          nosec_list_string="${nosec_list_string%,}"
          echo "nosec_files=$nosec_list_string" >> $GITHUB_ENV
          echo "nosec_detected=$nosec_detected" >> $GITHUB_ENV
      - name: Report nosec uses
        uses: mshick/add-pr-comment@v2
        if: env.nosec_detected == 1
        with:
          message: |
            *!!!WARNING!!!*
            `nosec` detected in the following files: ${{ env.nosec_files }}
            Be very careful about using `#nosec` in code. It can be a quick way to suppress security warnings and move forward with development, but it should be employed with caution. Suppressing warnings with #nosec can hide potentially serious vulnerabilities. Only use #nosec when you're absolutely certain that the security issue is either a false positive or has been mitigated in another way.
            Only suppress a single rule (or a specific set of rules) within a section of code, while continuing to scan for other problems. To do this, list the rule(s) to be suppressed within the #nosec annotation, e.g. /* #nosec G401 */ or //#nosec G201 G202 G203
            Broad `#nosec` annotations should be avoided, as they can hide other vulnerabilities. **The CI will block you from merging this PR until you remove `#nosec` annotations that do not target specific rules**.
            Pay extra attention to the way `#nosec` is being used in the files listed above.
      - name: Add Label
        uses: actions/github-script@v6
        if: env.nosec_detected == 1
        with:
          script: |
            github.rest.issues.addLabels({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              labels: ["nosec"]
            })
      - name: Check for '#nosec' without a specific rule
        run: |
          # Scan the whole diff against the base commit; fail the job on any bare "#nosec"
          DIFF=$(git diff ${{ github.event.pull_request.base.sha }})
          echo "$DIFF" | grep -P '#nosec(?!(\sG\d{3}))(?![^\s\t])([\s\t]*|$)' && echo "nosec without specified rule found!" && exit 1 || exit 0
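As an added example (not the workflow's or the project's own code), the two nosec checks above reproduced in Python over a constructed diff, so the regex's edge cases can be seen offline: the file paths and diff contents are made up, and Python's `re` evaluates this pattern the same way `grep -P` does.

```python
import re
from typing import List

# Added example. The pattern is the workflow's own: "#nosec" followed by end-of-line
# or whitespace matches, unless that whitespace is immediately followed by G<3 digits>.
UNSCOPED_NOSEC = re.compile(r"#nosec(?!(\sG\d{3}))(?![^\s\t])([\s\t]*|$)")

# Constructed unified diff standing in for `git diff <base sha>`; paths are made up.
SAMPLE_DIFF = """\
diff --git a/pkg/crypto/hash.go b/pkg/crypto/hash.go
--- a/pkg/crypto/hash.go
+++ b/pkg/crypto/hash.go
@@ -1,2 +1,5 @@
 import "crypto/md5"
-h := md5.New() // #nosec
+h := md5.New() // #nosec G401 -- checksum only, not a security hash
+sum := md5.Sum(data) // #nosec
+cfg := load() // #nosec  G101
+tmp := os.TempDir() //#nosec G101 G304
diff --git a/internal/keeper/status.go b/internal/keeper/status.go
--- a/internal/keeper/status.go
+++ b/internal/keeper/status.go
@@ -10,1 +10,2 @@
 func (k Keeper) SetStatus() {}
+// TODO: unrelated to gosec
"""

def files_with_added_nosec(diff: str) -> List[str]:
    """Mirror the 'Report nosec usage' step: a file is listed when an added
    line (leading '+', excluding the '+++' header) contains 'nosec'."""
    files: List[str] = []
    current = None
    for line in diff.splitlines():
        if line.startswith("diff --git "):
            current = line.split(" b/", 1)[1]
        elif line.startswith("+") and not line.startswith("+++") and "nosec" in line:
            if current and current not in files:
                files.append(current)
    return files

def unscoped_nosec_lines(diff: str) -> List[str]:
    """Mirror the 'Check for #nosec without a specific rule' step. The regex runs
    over every diff line, removed ('-') and context lines included, exactly as
    grep over the full `git diff` output does; the step exits 1 on any match.
    Note that two spaces before the rule id ('#nosec  G101') are also flagged."""
    return [line for line in diff.splitlines() if UNSCOPED_NOSEC.search(line)]

if __name__ == "__main__":
    print("files with added nosec:", files_with_added_nosec(SAMPLE_DIFF))
    for hit in unscoped_nosec_lines(SAMPLE_DIFF):
        print("unscoped #nosec:", hit)
```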