Security #19686

Workflow file for this run

.github/workflows/security.yml at f80bbd8

	---
	name: Security
	on:
	pull_request:
	types:
	- unlabeled # if GitHub Actions stuck, add and remove "not ready" label to force rebuild
	- opened
	- reopened
	- synchronize
	push:
	branches:
	- main
	- main-*
	- releases/*
	schedule:
	- cron: "12 0 * * *"

	# Do not run this workflow in parallel for any PR change.
	concurrency:
	group: ${{ github.workflow }}-${{ github.head_ref \|\| github.ref_name }}
	cancel-in-progress: true

	env:
	GOPATH: /home/runner/go
	GOCACHE: /home/runner/go/cache
	GOLANGCI_LINT_CACHE: /home/runner/go/cache/lint
	GOMODCACHE: /home/runner/go/mod
	GOPROXY: https://proxy.golang.org
	GOTOOLCHAIN: local

	jobs:
	security-scan:
	name: Security scan
	runs-on: ubuntu-22.04
	timeout-minutes: 10

	if: github.event_name != 'pull_request' \|\| !contains(github.event.pull_request.labels.*.name, 'not ready')

	steps:
	# TODO https://github.com/FerretDB/github-actions/issues/211
	- name: Checkout code
	uses: actions/checkout@v4
	with:
	fetch-depth: 0 # for `git describe` to work
	lfs: false # LFS is used only by website

	- name: Setup Go
	uses: FerretDB/github-actions/setup-go@main
	with:
	cache-key: security

	- name: Install Task
	run: go generate -x
	working-directory: tools

	# https://github.com/aquasecurity/trivy/issues?q=is%3Aissue+%22permission+denied%22
	- name: Create directory
	run: mkdir -p tmp/trivy/fanal

	- name: Scan
	run: bin/task security

	# disabled until https://github.com/actions/dependency-review-action/issues/459 is resolved
	- name: Check dependencies for PRs
	# if: github.event_name == 'pull_request'
	if: false
	uses: actions/dependency-review-action@v4
	with:
	allow-licenses: Apache-2.0, BSD-3-Clause, MIT

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security #19686

Workflow file

Security #19686

Jobs

Run details

Workflow file for this run