Merge pull request #2535 from ASFHyP3/dependabot/github_actions/ASFHy… #7642
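# Static analysis run on every push: ruff and mypy (reusable workflows),
# cfn-lint per security environment, OpenAPI validation, statelint on the
# rendered step function, Snyk dependency/IaC scanning, and secrets analysis.
#
# NOTE(review): several `uses:` values below read `[email protected]`. That
# text looks like e-mail-obfuscation residue that replaced the original
# `name@ref`; restore the real references before relying on this file.
#
# NOTE(review): `@v5` / `@v1` are mutable tags. Pinning third-party actions to
# a full commit SHA (`owner/repo@<full-commit-sha>`) keeps a re-tagged release
# from silently changing the code that runs in these jobs.
name: Static code analysis

# Least privilege: the workflow token is limited to reading repository
# contents; no job here is granted write scopes.
permissions:
  contents: read

on: push

jobs:
  call-ruff-workflow:
    # Docs: https://github.com/ASFHyP3/actions
    uses: ASFHyP3/actions/.github/workflows/[email protected]

  call-mypy-workflow:
    uses: ASFHyP3/actions/.github/workflows/[email protected]

  cfn-lint:
    runs-on: ubuntu-latest
    strategy:
      # Lint every environment even when one of them fails.
      fail-fast: false
      matrix:
        security_environment: [ASF, EDC, JPL, JPL-public]
    steps:
      - uses: actions/[email protected]
      - uses: actions/setup-python@v5
        with:
          # Quoted so the version stays a string instead of a YAML float.
          python-version: '3.13'
      - run: |
          python -m pip install --upgrade pip
          make install
      # Hand the matrix value to the shell through the environment rather than
      # expanding `${{ }}` inside the script text, so the value is never parsed
      # as shell syntax.
      - env:
          SECURITY_ENVIRONMENT: ${{ matrix.security_environment }}
        run: |
          make security_environment="$SECURITY_ENVIRONMENT" cfn-lint

  openapi-spec-validator:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/[email protected]
      - uses: actions/setup-python@v5
        with:
          python-version: '3.13'
      - run: |
          python -m pip install --upgrade pip
          make install
      - run: make openapi-validate

  statelint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/[email protected]
      - uses: ruby/setup-ruby@v1
        with:
          # Quoted for the same reason as python-version.
          ruby-version: '2.7'
      - run: gem install statelint
      - uses: actions/setup-python@v5
        with:
          python-version: '3.13'
      - run: |
          python -m pip install --upgrade pip
          make install
      # After rendering, every templated `"Resource": "${...}"` value is
      # rewritten to the fixed dummy `foo:bar` before statelint reads the file
      # (presumably because statelint rejects the unresolved placeholders).
      - run: |
          make render
          sed -i 's/"Resource": "${.*}"/"Resource": "foo:bar"/' apps/step-function.json
          statelint apps/step-function.json

  snyk:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/[email protected]
      - uses: snyk/actions/[email protected]
      - uses: actions/setup-python@v5
        with:
          python-version: '3.13'
      - run: |
          python -m pip install --upgrade pip
          make install
          make render security_environment=EDC
      # SNYK_TOKEN is set on this step only, so the install and render steps
      # above (which run third-party package code) never see it.
      - name: Run Snyk to check for vulnerabilities
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          snyk test --package-manager=pip --file=requirements-all.txt --severity-threshold=high
          snyk iac test --severity-threshold=high

  call-secrets-analysis-workflow:
    uses: ASFHyP3/actions/.github/workflows/[email protected]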