
Commit 06fa2e6

authored
Update security workflows (#3373)
Problem: The security workflows are being moved to a centralized repository. Solution: Update the workflows to use that new repository.
1 parent fa5bb0d commit 06fa2e6


2 files changed

+20
-47
lines changed


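--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,37 +20,12 @@ permissions:
   contents: read
 
 jobs:
-  analyze:
+  codeql:
     permissions:
       packages: read
       actions: read # for github/codeql-action/init to get workflow details
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/autobuild to send a status report
-    name: Analyze (${{ matrix.language }})
-    runs-on: ubuntu-24.04
-
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - language: go
-            build-mode: autobuild
-          - language: javascript-typescript
-            build-mode: none
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      # Initializes the CodeQL tools for scanning.
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
-        with:
-          languages: ${{ matrix.language }}
-          build-mode: ${{ matrix.build-mode }}
-          queries: security-and-quality
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
-        with:
-          category: "/language:${{matrix.language}}"
+    uses: nginxinc/compliance-rules/.github/workflows/codeql.yml@v0.1
+    with:
+      requested_languages: go,javascript-typescript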
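Review bot: The retained job-level `permissions:` block still carries comments describing steps this file no longer runs — `# for actions/checkout to fetch code` and `# for github/codeql-action/autobuild to send a status report` now refer to steps that live inside the called workflow. Either drop those trailing comments or reword them to state what the block now is, e.g. `# upper bound on the GITHUB_TOKEN permissions granted to the reusable codeql workflow`, since a called workflow cannot receive more than the caller grants here. Separately, the removed steps were pinned to full commit SHAs with a version comment, while the new `uses: nginxinc/compliance-rules/.github/workflows/codeql.yml@v0.1` pins the reusable workflow to a mutable tag; the same applies to the `uses:` line added in mend.yml. Pinning both to the commit SHA that tag currently resolves to, with `# v0.1` kept as a trailing comment, preserves the supply-chain guarantee the deleted steps had, because a tag can later be moved to different content.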

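--- a/.github/workflows/mend.yml
+++ b/.github/workflows/mend.yml
@@ -4,13 +4,23 @@ on:
   push:
     branches:
       - main
+      - release-*
     tags:
       - "v[0-9]+.[0-9]+.[0-9]+*"
     paths-ignore:
       - design/**
       - deploy**
       - docs/**
       - examples/**
+  pull_request:
+    branches:
+      - main
+      - release-*
+    paths-ignore:
+      - design/**
+      - deploy**
+      - docs/**
+      - examples/**
 
 concurrency:
   group: ${{ github.ref_name }}-mend
@@ -20,22 +30,10 @@ permissions:
   contents: read
 
 jobs:
-  scan:
-    name: Mend
-    runs-on: ubuntu-24.04
+  mend:
     if: ${{ github.event.repository.fork == false }}
-    steps:
-      - name: Checkout Repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - name: Download agent
-        run: curl -LJO https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar
-
-      - name: Verify JAR
-        run: jarsigner -verify wss-unified-agent.jar
-
-      - name: Scan and upload
-        env:
-          PRODUCT_NAME: nginx-gateway-fabric_${{ github.ref_name }}
-          PROJECT_NAME: nginx-gateway-fabric
-        run: java -jar wss-unified-agent.jar -noConfig true -wss.url ${{ secrets.WSS_URL }} -apiKey ${{ secrets.WSS_NGINX_TOKEN }} -product $PRODUCT_NAME -project $PROJECT_NAME -d .
+    uses: nginxinc/compliance-rules/.github/workflows/mend.yml@v0.1
+    secrets: inherit
+    with:
+      product_name: nginx-gateway-fabric_${{ github.ref_name }}
+      project_name: nginx-gateway-fabric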
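Review bot: `secrets: inherit` on the new `mend` job forwards every secret available to this workflow to the called workflow, whereas the removed `run:` step read only `secrets.WSS_URL` and `secrets.WSS_NGINX_TOKEN`. If the reusable workflow declares those two as its `secrets:` inputs (not visible here), passing them by name — `secrets:` with `WSS_URL: ${{ secrets.WSS_URL }}` and `WSS_NGINX_TOKEN: ${{ secrets.WSS_NGINX_TOKEN }}` — keeps the narrower exposure the old job had and makes the dependency on those two names explicit in this file. The first hunk also adds a `pull_request` trigger, so this job now runs on PRs as well as pushes; the `if: ${{ github.event.repository.fork == false }}` guard is kept, but a one-line comment above the trigger stating that PR scans are intended would save the next reader from wondering whether that was deliberate. Finally, the `- deploy**` entry copied into the new `paths-ignore` block matches any path beginning with `deploy` rather than the `deploy/` directory; if the directory was intended, `deploy/**` is the usual form, though this pattern pre-dates the commit.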
