diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 58c71a69..4da31e2f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,7 +42,7 @@ jobs: smoke-test: name: Smoke test (Python ${{ matrix.python }}) - if: github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'autorelease: pending') + if: "${{ github.event_name == 'pull_request' && contains(toJSON(github.event.pull_request.labels.*.name), 'autorelease: pending') }}" runs-on: ubuntu-latest strategy: fail-fast: false diff --git a/.github/workflows/coana-analysis.yml b/.github/workflows/coana-analysis.yml deleted file mode 100644 index cac82a7a..00000000 --- a/.github/workflows/coana-analysis.yml +++ /dev/null @@ -1,28 +0,0 @@ -name: Coana Vulnerability Analysis - -on: - schedule: - - cron: "0 3 * * *" # every day at 3 AM - workflow_dispatch: - inputs: - tags: - description: "Manually run vulnerability analysis" - # Required by the return-dispatch action - distinct_id: - -jobs: - coana-vulnerability-analysis: - runs-on: ubuntu-latest - - steps: - - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - - name: Run Coana CLI - id: coana-cli - uses: docker://coana/coana:latest - with: - args: | - coana run . \ - --api-key ${{ secrets.COANA_API_KEY }} \ - --repo-url https://github.com/${{github.repository}} diff --git a/.github/workflows/coana-guardrail.yml b/.github/workflows/coana-guardrail.yml deleted file mode 100644 index 4d32ef1f..00000000 --- a/.github/workflows/coana-guardrail.yml +++ /dev/null @@ -1,67 +0,0 @@ -name: Coana Guardrail - -on: pull_request - -jobs: - guardrail: - runs-on: ubuntu-latest - - steps: - - name: Checkout the ${{github.base_ref}} branch - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - ref: ${{github.base_ref}} # checkout the base branch (usually master/main). - - - name: Fetch the PR branch - run: | - git fetch ${{ github.event.pull_request.head.repo.clone_url }} ${{ github.head_ref }}:${{ github.head_ref }} --depth=1 - - - name: Get list of changed files relative to the main/master branch - id: changed-files - run: | - echo "all_changed_files=$(git diff --name-only ${{ github.base_ref }} ${{ github.head_ref }} | tr '\n' ' ')" >> $GITHUB_OUTPUT - - - name: Use Node.js 24.x - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 - with: - node-version: 24.x - - - name: Run Coana on the ${{github.base_ref}} branch - run: | - npx @coana-tech/cli run . \ - --guardrail-mode \ - --api-key ${{ secrets.COANA_API_KEY || 'api-key-unavailable' }} \ - -o /tmp/main-branch \ - --changed-files ${{ steps.changed-files.outputs.all_changed_files }} \ - --lightweight-reachability \ - - # Reset file permissions. - # This is necessary because the Coana CLI may add - # new files with root ownership since it's using docker. - # These files will not be deleted by the clean step in checkout - # if the permissions are not reset. - - name: Reset file permissions - run: sudo chown -R $USER:$USER . - - - name: Checkout the current branch - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - clean: true - - - name: Run Coana on the current branch - run: | - npx @coana-tech/cli run . \ - --guardrail-mode \ - --api-key ${{ secrets.COANA_API_KEY || 'api-key-unavailable' }} \ - -o /tmp/current-branch \ - --changed-files ${{ steps.changed-files.outputs.all_changed_files }} \ - --lightweight-reachability \ - - - name: Run Report Comparison - run: | - npx @coana-tech/cli compare-reports \ - --api-key ${{ secrets.COANA_API_KEY || 'api-key-unavailable' }} \ - /tmp/main-branch/coana-report.json \ - /tmp/current-branch/coana-report.json - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}