
chore(ci): add bandit sast scanning #17



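# CI: changelog + release on pushes to master, gated by a Bandit SAST scan,
# then a Docker Hub image push.
#
# NOTE(review): every job carries `if: github.event_name != 'pull_request'`,
# so on pull_request events nothing runs at all. The Bandit gate therefore
# never scans PR code, and on master it runs only after the changelog job
# has already tagged and created a release; a failing scan blocks `deploy`
# and `release` but not that first release. Consider running the scan
# before the changelog job and on pull requests as well.
#
# NOTE(review): action pinning is mixed -- some steps are pinned to a commit
# SHA, others to a floating major tag. Pinning every action to a SHA gives
# consistent supply-chain protection.
name: CI
on:
  push:
    branches:
      - master
  pull_request:

# Workflow-level default is read-only; each job declares the write scope it
# actually needs (a job-level `permissions` block replaces this default
# entirely for that job). Nothing in this file pushes to GHCR or writes to
# pull requests, so `packages: write` and `pull-requests: write` are not
# granted.
permissions:
  contents: read

jobs:
  changelog:
    name: Changelog
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    # Pushes the version bump/changelog commit and tag, and creates a release.
    permissions:
      contents: write
    outputs:
      skipped: ${{ steps.changelog.outputs.skipped }}
      tag: ${{ steps.changelog.outputs.tag }}
      clean_changelog: ${{ steps.changelog.outputs.clean_changelog }}
      version: ${{ steps.changelog.outputs.version }}
    steps:
      - uses: actions/checkout@v4
      - name: Conventional Changelog Action
        id: changelog
        uses: TriPSs/conventional-changelog-action@v5
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # NOTE(review): the `release` job below creates a release for the same
      # tag again with a different body; one of the two steps is redundant
      # and the later one overwrites the first.
      - name: Create Release
        uses: softprops/action-gh-release@v2
        if: ${{ steps.changelog.outputs.skipped == 'false' }}
        with:
          name: ${{ steps.changelog.outputs.tag }}
          tag_name: ${{ steps.changelog.outputs.tag }}
          body: ${{ steps.changelog.outputs.clean_changelog }}
          token: ${{ secrets.GITHUB_TOKEN }}

  bandit:
    name: SAST with Bandit
    needs: changelog
    if: github.event_name != 'pull_request' && needs.changelog.outputs.skipped == 'false'
    runs-on: ubuntu-latest
    # The scan only reads the checked-out source tree.
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.x'
      # Unpinned install: consider pinning the bandit version so scan results
      # are reproducible across runs.
      - name: Install Bandit
        run: pip install bandit
      # Reports medium and high severity findings; a non-zero exit fails the
      # job and thereby blocks the dependent deploy/release jobs.
      - name: Run Bandit
        run: bandit -r linkedindumper.py --severity-level medium

  deploy:
    name: Deploy Image
    needs: [changelog, bandit]
    if: github.event_name != 'pull_request' && needs.changelog.outputs.skipped == 'false'
    runs-on: ubuntu-latest
    # Pushes to Docker Hub with the repository secrets; no GitHub write scope
    # is needed.
    permissions:
      contents: read
    steps:
      # Expression values are passed through `env:` and quoted instead of
      # being interpolated into the shell line, so an unexpected value cannot
      # be interpreted as shell syntax.
      - name: Get repository name
        id: get_repo
        env:
          REPOSITORY: ${{ github.repository }}
        run: echo "REPO_NAME=$(echo "$REPOSITORY" | cut -d'/' -f2 | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_ENV"
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
      - name: Login to Dockerhub
        # v1 is several majors behind the other docker/* actions used here;
        # v3 takes the same `username`/`password` inputs.
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_HUB_USERNAME }}
          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
      # Derives MAJOR.MINOR.x from the version produced by the changelog job.
      - name: Extract version parts
        id: extract_version
        env:
          VERSION: ${{ needs.changelog.outputs.version }}
        run: |
          MAJOR_MINOR=$(echo "$VERSION" | cut -d'.' -f1,2)
          echo "MAJOR_MINOR_TAG=${MAJOR_MINOR}.x" >> "$GITHUB_ENV"
      - name: Setup Docker Metadata
        uses: docker/metadata-action@v5
        id: meta
        with:
          images: |
            docker.io/${{ secrets.DOCKER_HUB_USERNAME }}/${{ env.REPO_NAME }}
          tags: |
            latest
            ${{ needs.changelog.outputs.version }}
            ${{ env.MAJOR_MINOR_TAG }}
      - name: Build and Push Docker Image
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5
        with:
          context: .
          file: Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

  release:
    name: Release
    needs: [changelog, bandit]
    if: github.event_name != 'pull_request' && needs.changelog.outputs.skipped == 'false'
    runs-on: ubuntu-latest
    # Creates/updates the GitHub release for the tag from the changelog job.
    permissions:
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
      - name: Debug Changelog Outputs
        env:
          TAG: ${{ needs.changelog.outputs.tag }}
        run: echo "$TAG"
      # NOTE(review): pinned to a v1 commit while the changelog job uses @v2
      # of the same action; align the two on one pinned version.
      - name: Create Release
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          tag_name: ${{ needs.changelog.outputs.tag }}
          prerelease: false
          draft: false
          generate_release_notes: true
          name: ${{ needs.changelog.outputs.tag }}
          body: |
            <details>
            <summary>🤖 Autogenerated Conventional Changelog</summary>
            ${{ needs.changelog.outputs.clean_changelog }}
            </details>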