diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml
index ea41e2c..cf04db5 100644
--- a/.github/workflows/security-scan.yaml
+++ b/.github/workflows/security-scan.yaml
@@ -5,7 +5,7 @@ env:
 on:
 # Trigger 1: PR created on main or version branches (*.*)
- pull_request:
+ pull_request_target:
 branches:
 - main
 - '*.*'
@@ -36,21 +36,21 @@ jobs:
 - name: Determine branches for PR events
 id: determine-pr-branches
- if: github.event_name == 'pull_request'
+ if: github.event_name == 'pull_request_target'
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ HEAD_REF: ${{ github.head_ref }}
 run: |
 # For PR events, validate base branch and use head ref if valid
 base_ref="${{ github.base_ref }}"
- head_ref="${{ github.head_ref }}"
 echo "Base branch: $base_ref"
- echo "Head branch: $head_ref"
+ echo "Head branch: $HEAD_REF"
 if [[ "$base_ref" =~ ^[0-9]+\.[0-9]+$ ]] || [[ "$base_ref" == "main" ]]; then
 echo "Base branch matches allowed pattern (main or digit.digit)"
- echo "branches=[\"$head_ref\"]" >> $GITHUB_OUTPUT
+ echo "branches=[\"$HEAD_REF\"]" >> $GITHUB_OUTPUT
 echo "output-branch-name=$base_ref" >> $GITHUB_OUTPUT
- echo "Branches to scan: [$head_ref]"
+ echo "Branches to scan: [$HEAD_REF]"
 echo "Output files will use branch name: $base_ref"
 else
 echo "Base branch does not match allowed pattern - no branches to scan"
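Review bot: Replacing `pull_request` with `pull_request_target` makes every job in this workflow run in the base repository's context, so on a pull request from a fork the `secrets.GITHUB_TOKEN` that later steps read is the base repo's token rather than the read-only token `pull_request` provides. The next hunk then publishes the PR's head branch as the branch to scan, so if the scan jobs (outside this diff) check out that ref and run anything from the scanned tree, PR-supplied content executes with those credentials; the trigger change should come with a top-level `permissions:` block limited to what the scan actually needs (`contents: read` plus whatever the artifact and metric steps require) and a comment on the trigger such as `# pull_request_target: runs with base-repo secrets on fork PRs; never execute code taken from the PR head in this workflow`. Moving the head ref into the `HEAD_REF` env var instead of interpolating `${{ github.head_ref }}` into the script is the right mitigation for that value, and `base_ref` can stay interpolated since it names a branch of the base repo. Note also that for a fork PR `github.head_ref` is the branch name in the fork, so a checkout by that name against the base repo would presumably not resolve to the PR commit; confirm how the matrix consumes `branches`. The `on:` mapping continues past the end of this hunk.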
@@ -60,17 +60,17 @@ jobs:
 - name: Get all upstream branches
 id: get-upstream-branches
- if: github.event_name != 'pull_request'
+ if: github.event_name != 'pull_request_target'
 run: |
 # Get main branch and all version branches (*.*)
- branches=$(git branch -r | grep -E 'origin/(main|[0-9]+\.[0-9]+)' | sed 's/origin\///' | tr '\n' ' ')
+ branches=$(git branch -r | grep -E 'origin/(main|[0-9]+\.[0-9]+)$' | sed 's/origin\///' | tr '\n' ' ')
 echo "Found upstream branches: $branches"
 echo "upstream-branches=$branches" >> $GITHUB_OUTPUT
 echo "output-branch-name=scheduled" >> $GITHUB_OUTPUT
 - name: Get completed workflows from previous day
 id: get-completed-workflows
- if: github.event_name != 'pull_request'
+ if: github.event_name != 'pull_request_target'
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
@@ -94,7 +94,7 @@ jobs:
 - name: Check for successful scan artifacts from previous day
 id: check-scan-artifacts
- if: github.event_name != 'pull_request'
+ if: github.event_name != 'pull_request_target'
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
@@ -144,7 +144,7 @@ jobs:
 - name: Determine security scan branches for scheduled runs
 id: determine-scheduled-security-scan-branches
- if: github.event_name != 'pull_request'
+ if: github.event_name != 'pull_request_target'
 run: |
 upstream_branches="${{ steps.get-upstream-branches.outputs.upstream-branches }}"
 successful_branches="${{ steps.check-scan-artifacts.outputs.successful-security-scan-branches }}"
@@ -181,7 +181,7 @@ jobs:
 - name: Determine global dependencies branches for scheduled runs
 id: determine-scheduled-global-dependencies-branches
- if: github.event_name != 'pull_request'
+ if: github.event_name != 'pull_request_target'
 run: |
 upstream_branches="${{ steps.get-upstream-branches.outputs.upstream-branches }}"
 successful_branches="${{ steps.check-scan-artifacts.outputs.successful-global-dependencies-branches }}"
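Review bot: The newly anchored pattern `'origin/(main|[0-9]+\.[0-9]+)$'` in the `branches=$(...)` line still matches the `origin/HEAD -> origin/main` pointer line that `git branch -r` prints when the remote HEAD is set, and because the `sed` rewrites only the first `origin/` on each line, the token `HEAD -> origin/main` ends up in `upstream-branches`. Anchoring the whole line excludes it: `grep -E '^ *origin/(main|[0-9]+\.[0-9]+)$'`. Whether `origin/HEAD` exists in the runner's clone depends on the checkout step, which is outside this hunk, so verify against a real run before relying on the current form. The trailing `$GITHUB_OUTPUT` redirections are unquoted in the same step; quoting them (`>> "$GITHUB_OUTPUT"`) is the conventional form and costs nothing.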
@@ -257,6 +257,7 @@ jobs:
 # security scan scripts. So we download the latest one from main
 echo "Downloading latest security-scan.sh script from main branch"
 curl -sSL "https://raw.githubusercontent.com/${{ github.repository }}/main/scripts/security-scan.sh" -o scripts/security-scan.sh
+ sudo chmod +x scripts/security-scan.sh
 echo "Updated security-scan.sh to latest version from main"
 - name: Set up environment
@@ -323,7 +324,7 @@ jobs:
 - name: Create Success Indicator File
 run: |
 # For PR events, use base_ref as output branch name, otherwise use actual branch
- if [ "${{ github.event_name }}" = "pull_request" ]; then
+ if [ "${{ github.event_name }}" = "pull_request_target" ]; then
 output_branch="${{ needs.get-branches-to-scan.outputs.output-branch-name }}"
 else
 output_branch="${{ matrix.branch }}"
@@ -333,8 +334,8 @@ jobs:
 - name: Upload Success Indicator File
 uses: actions/upload-artifact@v4
 with:
- name: scan-success-${{ matrix.target }}-${{ github.event_name == 'pull_request' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}
- path: scan-success-${{ matrix.target }}-${{ github.event_name == 'pull_request' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}.txt
+ name: scan-success-${{ matrix.target }}-${{ github.event_name == 'pull_request_target' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}
+ path: scan-success-${{ matrix.target }}-${{ github.event_name == 'pull_request_target' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}.txt
 retention-days: 90
 - name: Publish Scan Successful Metric
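Review bot: The `curl -sSL` on the line above the new `sudo chmod +x` has no `-f`, so an HTTP error from raw.githubusercontent.com (a 404 if the script path moves, or a 5xx) writes the error page into `scripts/security-scan.sh`, which the new line then marks executable instead of the step failing; change it to `curl -fsSL "https://raw.githubusercontent.com/${{ github.repository }}/main/scripts/security-scan.sh" -o scripts/security-scan.sh`. `sudo` is unnecessary for chmod on a file the runner user has just written, and `chmod +x scripts/security-scan.sh` also keeps the step working on runners without passwordless sudo. The same two lines appear again in the hunk at `@@ -461,6 +462,7 @@`. Taking the scanner from `main` rather than from the checked-out ref is the right choice under `pull_request_target`, and the existing comment could say so explicitly, e.g. `# Always fetch the scanner from main so a PR cannot change the script that runs with this job's credentials`. The `run` block this hunk belongs to begins before the hunk.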
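Review bot: The comparison `if [ "${{ github.event_name }}" = "pull_request_target" ]; then` in the Create Success Indicator File step interpolates an expression into the shell where the runner already exposes the same value as an environment variable; `if [ "$GITHUB_EVENT_NAME" = "pull_request_target" ]; then` reads the same and matches the env-var style the first hunk adopts for `HEAD_REF`. The identical comparison is repeated in the hunks at `@@ -379` and `@@ -513`, and its expression form `github.event_name == 'pull_request_target' && … || matrix.branch` in the four upload-artifact steps; computing the output branch once as a job output of `get-branches-to-scan` and reading `needs.get-branches-to-scan.outputs.…` everywhere would remove the duplication and leave a single place to update the next time the trigger changes. The `run` block continues past the end of this hunk.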
@@ -379,7 +380,7 @@ jobs:
 targets=($(echo "$targets_json" | jq -r '.[]'))
 # For PR events, use base_ref as output branch name, otherwise use actual branch
- if [ "${{ github.event_name }}" = "pull_request" ]; then
+ if [ "${{ github.event_name }}" = "pull_request_target" ]; then
 check_branch="${{ needs.get-branches-to-scan.outputs.output-branch-name }}"
 else
 check_branch="${{ matrix.branch }}"
@@ -417,8 +418,8 @@ jobs:
 if: success()
 uses: actions/upload-artifact@v4
 with:
- name: scan-success-branch-${{ github.event_name == 'pull_request' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}
- path: scan-success-branch-${{ github.event_name == 'pull_request' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}.txt
+ name: scan-success-branch-${{ github.event_name == 'pull_request_target' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}
+ path: scan-success-branch-${{ github.event_name == 'pull_request_target' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}.txt
 retention-days: 90
 security-scan-global-dependencies:
@@ -461,6 +462,7 @@ jobs:
 # security scan scripts. So we download the latest one from main
 echo "Downloading latest security-scan.sh script from main branch"
 curl -sSL "https://raw.githubusercontent.com/${{ github.repository }}/main/scripts/security-scan.sh" -o scripts/security-scan.sh
+ sudo chmod +x scripts/security-scan.sh
 echo "Updated security-scan.sh to latest version from main"
 - name: Install Security Scan Dependencies
@@ -513,7 +515,7 @@ jobs:
 - name: Create Global Success Indicator File
 run: |
 # For PR events, use base_ref as output branch name, otherwise use actual branch
- if [ "${{ github.event_name }}" = "pull_request" ]; then
+ if [ "${{ github.event_name }}" = "pull_request_target" ]; then
 output_branch="${{ needs.get-branches-to-scan.outputs.output-branch-name }}"
 else
 output_branch="${{ matrix.branch }}"
@@ -523,8 +525,8 @@ jobs:
 - name: Upload Global Success Indicator File
 uses: actions/upload-artifact@v4
 with:
- name: global-scan-success-${{ github.event_name == 'pull_request' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}
- path: global-scan-success-${{ github.event_name == 'pull_request' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}.txt
+ name: global-scan-success-${{ github.event_name == 'pull_request_target' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}
+ path: global-scan-success-${{ github.event_name == 'pull_request_target' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}.txt
 retention-days: 90
 - name: Publish Failure Metrics