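# Weekly security scan for the monorepo: runs the root `mise run security`
# task, captures its output, and opens a tracking issue when the suite fails.
name: Security
on:
  workflow_dispatch: {}
  schedule:
    # Weekly: Monday 12:00 UTC
    - cron: "0 12 * * 1"
concurrency:
  # One scan at a time; an in-flight run is allowed to finish rather than
  # being cancelled by a later dispatch.
  group: security-suite
  cancel-in-progress: false
# Workflow-wide default for the GITHUB_TOKEN: no scopes at all. Each job
# requests only what it needs below.
permissions:
  actions: none
  attestations: none
  checks: none
  contents: none
  deployments: none
  discussions: none
  id-token: none
  issues: none
  models: none
  packages: none
  pages: none
  pull-requests: none
  repository-projects: none
  security-events: none
  statuses: none
jobs:
  security:
    name: Monorepo security suite
    runs-on: ubuntu-latest
    timeout-minutes: 120
    permissions:
      contents: read  # checkout
      issues: write  # `gh issue create` in the failure step
    env:
      CI: "true"
      MISE_EXPERIMENTAL: "1"
      # Both are the job-scoped GITHUB_TOKEN, so they carry only the two
      # permissions granted above.
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      AQUA_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history; presumably required by the suite — confirm before
          # reducing it.
          fetch-depth: 0
          # Do not leave the token in .git/config where later steps and the
          # tools they install could read it.
          persist-credentials: false
      - name: Install mise
        uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
        with:
          cache: true
      - name: Setup Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: "22.x"
      - name: Install dependencies
        run: mise run install
      - name: Run security suite
        id: scan
        # `shell: bash` makes Actions invoke this step with `-o pipefail`.
        # The implicit default (`bash -e {0}`) does not, so the pipeline
        # would exit with tee's status and a failing scan would be reported
        # as `outcome == 'success'`, silently skipping the two steps below.
        shell: bash
        run: mise run security 2>&1 | tee security-log.txt
        # Let the job continue so the issue can be opened; the final step
        # re-raises the failure.
        continue-on-error: true
      - name: Open issue on failure
        if: steps.scan.outcome == 'failure'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # Opens a new issue on every failing run (no de-duplication against
        # an existing open issue). The body embeds the last 200 log lines,
        # which inherit the repository's visibility — keep the suite's output
        # free of anything that must not appear in an issue.
        run: |
          set -euo pipefail
          short="${GITHUB_SHA:0:7}"
          body_file="$(mktemp)"
          {
            echo "The root \`mise run security\` suite failed in GitHub Actions. Use the log tail below and reproduce locally with the same command."
            echo ""
            echo "| Field | Value |"
            echo "| --- | --- |"
            echo "| Workflow run | [Security #${GITHUB_RUN_NUMBER}](${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}) |"
            echo "| Ref | \`${GITHUB_REF}\` |"
            echo "| SHA | [\`${GITHUB_SHA}\`](${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/commit/${GITHUB_SHA}) |"
            echo "| Actor | @${GITHUB_ACTOR} |"
            echo "| Event | \`${GITHUB_EVENT_NAME}\` |"
            echo ""
            echo "### Log tail (last 200 lines)"
            echo ""
            echo '```text'
            # `|| true`: a missing log file must not abort issue creation.
            tail -n 200 security-log.txt || true
            echo '```'
            echo ""
            echo "Close this issue after \`mise run security\` succeeds on \`${GITHUB_REF_NAME}\` (or the branch you merge to)."
          } > "${body_file}"
          gh issue create \
            --title "Security suite failed (${GITHUB_REF_NAME} @ ${short})" \
            --body-file "${body_file}"
      - name: Fail job if security suite failed
        if: steps.scan.outcome == 'failure'
        run: exit 1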