chore(deps): update dependency centralized-templates to v34.10.0 #73

Workflow file for this run

.github/workflows/codeql-analysis.yaml at 80c505c

	# THIS CODE WAS AUTOGENERATED. DO NOT MODIFY THIS FILE DIRECTLY
	# THE SOURCE CODE LIVES IN A DIFFERENT REPOSITORY:
	# - centralized-templates
	# FILE STEWARD: @pleo-io/security

	name: CodeQL Analysis

	on:
	push:
	branches:
	- main
	- master
	- develop
	pull_request:
	branches:
	- main
	- master
	- develop

	env:
	language_Kotlin: "java"
	language_Java: "java"
	language_Go: "go"
	language_Python: "python"
	language_JavaScript: "javascript"
	language_TypeScript: "javascript"
	WORKING_LANGUAGE: ""
	CONFIG_FILE: ""
	RUN_ON_DEFAULT_BRANCH: true
	GRADLE_SCRIPT_PATH: ./gradlew
	setWizCliDepsScanPath: .
	setWizCliDepsPolicy: Pleo-Default-vulnerabilities-policy
	runWizCliDepsScan: false

	jobs:
	preflight:
	name: Determine if CodeQL should run
	runs-on: ubuntu-latest
	outputs:
	should_run_analyze: ${{ steps.maybe_skip_analyze.outputs.should_run_analyze }}
	should_run_wiz_cli: ${{ steps.maybe_skip_wiz_cli.outputs.should_run_wiz_cli }}
	working_language: ${{steps.working_language_step.outputs.WORKING_LANGUAGE}}
	steps:
	- uses: winterjung/split@a211a1c46e35fcdc4097d59dd6282d4a9859651b # v2
	id: split
	with:
	msg: ${{ github.repository }}
	separator: "/"
	- id: get_default_branch
	name: Determine our default branch
	uses: octokit/[email protected]
	with:
	route: GET /repos/{owner}/{repo}
	owner: ${{ github.repository_owner }}
	repo: ${{ steps.split.outputs._1 }}
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	- id: set_default_branch
	name: Set our default branch
	run: echo "DEFAULT_BRANCH=${{ fromJson(steps.get_default_branch.outputs.data).default_branch }}" >> "$GITHUB_ENV"
	- id: maybe_skip_analyze
	name: Check if analyze should run
	shell: bash
	run: \|
	if [[ "${{ env.RUN_ON_DEFAULT_BRANCH }}" == "false" && "${{ github.ref }}" == "refs/heads/${{ env.DEFAULT_BRANCH }}" && "${{ github.event_name }}" == "push" ]]; then
	echo "Skipping CodeQL analysis on main branch due to configuration"
	echo "should_run_analyze=false" >> "$GITHUB_OUTPUT"
	else
	echo "Running CodeQL analysis"
	echo "should_run_analyze=true" >> "$GITHUB_OUTPUT"
	fi
	- id: maybe_skip_wiz_cli
	name: Check if Wiz-CLI Deps Scan should run
	shell: bash
	run: \|
	if [[ "${{ env.runWizCliDepsScan }}" == "true" ]]; then
	echo "should_run_wiz_cli=true" >> "$GITHUB_OUTPUT"
	else
	echo "should_run_wiz_cli=false" >> "$GITHUB_OUTPUT"
	fi
	- id: working_language_step
	name: We check if the repository language is supported by CodeQL
	run: echo "WORKING_LANGUAGE=${{env[format('language_{0}', github.event.repository.language)]}}" >> "$GITHUB_OUTPUT"

	wiz-cli:
	name: Scan Dependencies with Wiz CLI
	if: ${{ needs.preflight.outputs.should_run_wiz_cli == 'true'}}
	needs:
	- preflight
	runs-on: ubuntu-latest
	defaults:
	run:
	shell: bash
	steps:
	- name: Check out repository
	uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4

	- name: Check latest version of Wiz CLI
	id: version_check
	run: \|
	raw_output=$(curl -sL https://wizcli.app.wiz.io/latest/wizcli-version)
	LATEST_VERSION=$(echo "$raw_output" \| grep -oP '"\K[^-]*' \| head -1)
	COMPLETE_VERSION=$(echo "$raw_output" \| grep -oP '(?<=").*?(?=")')
	echo "version=$LATEST_VERSION" >> "$GITHUB_OUTPUT"
	echo "complete_version=$COMPLETE_VERSION" >> "$GITHUB_OUTPUT"

	- name: Cache Wiz CLI
	uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
	id: cache_wizcli
	with:
	path: wizcli-${{ steps.version_check.outputs.version }}
	key: wizcli-${{ steps.version_check.outputs.version }}

	- name: Download Wiz CLI
	if: steps.cache_wizcli.outputs.cache-hit != 'true'
	run: curl -o wizcli-${{ steps.version_check.outputs.version }} https://wizcli.app.wiz.io/${{ steps.version_check.outputs.complete_version }}/wizcli && chmod +x wizcli-${{ steps.version_check.outputs.version }}

	- name: Authenticate to Wiz
	env:
	WIZ_CLIENT_ID: ${{ secrets.WIZ_CLIENT_ID }}
	WIZ_CLIENT_SECRET: ${{ secrets.WIZ_CLIENT_SECRET }}
	run: ./wizcli-${{ steps.version_check.outputs.version }} auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"

	- name: Run wiz CLI Dependency Scan
	run: ./wizcli-${{ steps.version_check.outputs.version }} dir scan --path "${{ env.setWizCliDepsScanPath }}" --policy "${{ env.setWizCliDepsPolicy }}"

	analyze-code:
	name: Analyze code with CodeQL
	if: ${{ (needs.preflight.outputs.should_run_analyze == 'true') && (needs.preflight.outputs.working_language != '')}}
	needs:
	- preflight
	runs-on: codeql-runner
	timeout-minutes: 30
	permissions:
	actions: read
	contents: read
	security-events: write
	steps:
	- name: Checkout repository
	uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
	- name: Set Working Language
	run: echo "WORKING_LANGUAGE=${{needs.preflight.outputs.working_language}}" >> "$GITHUB_ENV"
	# Set up a JDK environment for building, testing and releasing.
	- name: Set up JDK 17
	uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
	if: ${{ env.WORKING_LANGUAGE == 'java' }}
	with:
	java-version: 17
	distribution: temurin

	# Allow caching Gradle executions to further speed up CI/CD steps invoking Gradle.
	- name: Setup Gradle
	uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2
	if: ${{ env.WORKING_LANGUAGE == 'java' }}
	with:
	gradle-version: wrapper
	cache-read-only: true

	# Set up a Node environment for JS/TS/Node client generation.
	- name: Set up Node 20
	uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4
	if: ${{ env.WORKING_LANGUAGE == 'javascript' }}
	with:
	node-version: 20

	# Initializes the CodeQL tools for scanning.
	- name: Initialize CodeQL
	uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3
	with:
	languages: ${{ github.event.repository.language }}
	ram: 4096
	queries: security-and-quality
	tools: latest
	config-file: ${{ env.CONFIG_FILE }}

	- name: Gradle Build
	run: ${{ env.GRADLE_SCRIPT_PATH }} classes testClasses --stacktrace -Dorg.gradle.jvmargs=-Xmx4g -Dorg.gradle.parallel=true
	if: ${{ env.WORKING_LANGUAGE == 'java' }}
	env:
	GITHUB_TOKEN: ${{ secrets.GH_REGISTRY_GRADLE_TOKEN }}
	GRADLE_READ_KEY: ${{ secrets.GH_REGISTRY_GRADLE_TOKEN }}
	JOB_RUNR_REPO_PASSWORD: ${{ secrets.JOB_RUNR_REPO_PASSWORD }}

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3
	with:
	ram: 4096

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update dependency centralized-templates to v34.10.0 #73

Workflow file

chore(deps): update dependency centralized-templates to v34.10.0 #73

Jobs

Run details

Workflow file for this run