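# Reusable workflow: checks out the caller's repository, packages it with the
# Veracode CLI and uploads the result as the `veracode-artifact` artifact.
# Callers invoke it through `workflow_call`; `build-prepare` detects the runner
# OS and exactly one of `build-linux` / `build-windows` then runs.
#
# TODO(review): the `actions/*` steps below are referenced by mutable tag
# (`@v4`); pinning to full commit SHAs hardens the supply chain. SHAs are
# intentionally not guessed here.
name: Veracode Build
# `on` is a YAML 1.1 boolean for generic parsers; GitHub's loader handles it.
on:
  workflow_call:
    inputs:
      # Repository to package (`owner/name`) and the git ref to check out.
      repository:
        required: true
        type: string
      ref:
        required: true
        type: string
      # Token that actions/checkout uses to read `repository`.
      # NOTE(review): as a plain string input it is not masked like a
      # `workflow_call.secrets` entry would be; moving it there is the safer
      # contract but changes what callers must pass, so it is left unchanged.
      token:
        required: true
        type: string
      # Only inspected for the substring "ruby" to enable the Ruby tool-chain.
      event_name:
        required: true
        type: string
      # JSON-encoded `runs-on` value (label string or array), decoded with fromJSON.
      build_runs_on:
        required: true
        type: string
      # Container image for the Linux build job.
      build_packager_image:
        required: true
        type: string
      # Shell command executed before packaging in the Linux job; an empty
      # string skips it. Whoever controls the calling workflow controls this
      # command, and it runs with the job-level VERACODE_* credentials in its
      # environment, so it should be treated as trusted-caller-only.
      build_predependency_command:
        required: true
        type: string
      ruby_version:
        required: true
        type: string
      bundle_version:
        required: true
        type: string
      # Accepted for compatibility; no job in this file reads it.
      default_runs_on:
        required: true
        type: string
      # The string "true" adds `--verbose` to `veracode package`; anything else does not.
      debug:
        required: false
        type: string

jobs:
  build-prepare:
    runs-on: ${{ fromJSON(inputs.build_runs_on) }}
    name: Build preparation
    outputs:
      runner_os: ${{ steps.identify_runner_os.outputs.runner_os }}
    steps:
      - name: Identify the runner OS
        id: identify_runner_os
        shell: bash
        run: echo "runner_os=${{ runner.os }}" >> "$GITHUB_OUTPUT"

  build-linux:
    needs: build-prepare
    runs-on: ${{ fromJSON(inputs.build_runs_on) }}
    container:
      image: ${{ inputs.build_packager_image }}
    name: Build on Linux
    if: contains(needs.build-prepare.outputs.runner_os, 'Linux')
    env:
      # Read by the Veracode CLI. They come from the caller's secrets, so the
      # caller must make them available (e.g. `secrets: inherit`).
      VERACODE_API_KEY_ID: '${{ secrets.VERACODE_API_ID }}'
      VERACODE_API_KEY_SECRET: '${{ secrets.VERACODE_API_KEY }}'
    steps:
      # This repository: ships the CLI tarball under helper/cli.
      - uses: actions/checkout@v4
        with:
          path: 'veracode-helper'
      # The caller's source tree.
      # NOTE(review): checkout persists `token` in source-code/.git/config by
      # default; if no later step needs git authentication,
      # `persist-credentials: false` keeps it out of the packaged tree —
      # confirm against the Ruby `bundle install` path before changing.
      - uses: actions/checkout@v4
        with:
          repository: ${{ inputs.repository }}
          ref: ${{ inputs.ref }}
          token: ${{ inputs.token }}
          path: 'source-code'
      - name: Package the application
        id: application_package_linux
        shell: bash
        # Caller-controlled inputs are handed over through `env` instead of
        # being interpolated into the script text, so their contents cannot
        # change the script's structure (GitHub's "intermediate environment
        # variable" guidance for `run:` steps).
        env:
          BUILD_PREDEPENDENCY_COMMAND: ${{ inputs.build_predependency_command }}
          EVENT_NAME: ${{ inputs.event_name }}
          RUBY_VERSION: ${{ inputs.ruby_version }}
          BUNDLE_VERSION: ${{ inputs.bundle_version }}
          DEBUG: ${{ inputs.debug }}
        run: |
          if [[ -n "$BUILD_PREDEPENDENCY_COMMAND" ]]; then
            echo "Executing Pre-Build Dependency.."
            # By contract this is a command line to run verbatim; eval keeps
            # the original "pasted into the script" semantics (pipes, &&, ...).
            eval "$BUILD_PREDEPENDENCY_COMMAND"
          else
            echo "No Pre-Build Dependency provided."
          fi
          if [[ "$EVENT_NAME" == *"ruby"* ]]; then
            source /etc/profile.d/rvm.sh
            rvm pkg install openssl
            rvm install "ruby-$RUBY_VERSION"
          fi
          working_path=$(pwd)
          echo "working_dir=$working_path" >> "$GITHUB_OUTPUT"
          # Locate and unpack the first CLI tarball shipped with the helper.
          cd veracode-helper/helper/cli
          shopt -s nullglob
          cli_archives=(*.tar.gz)
          shopt -u nullglob
          if [[ ${#cli_archives[@]} -eq 0 ]]; then
            echo "::error::No Veracode CLI archive (*.tar.gz) found in veracode-helper/helper/cli"
            exit 1
          fi
          cliFile="${cli_archives[0]}"
          cliFileName="${cliFile%.tar.gz}"
          tar -zxvf "$cliFile"
          if [[ ! -d "$cliFileName" ]]; then
            echo "::error::Expected $cliFile to unpack into directory $cliFileName"
            exit 1
          fi
          # Absolute PATH entry: a relative one would resolve against whatever
          # the current directory happens to be when `veracode` is invoked.
          export PATH="$working_path/veracode-helper/helper/cli/$cliFileName:$PATH"
          cd "$working_path"
          if [[ "$EVENT_NAME" == *"ruby"* ]]; then
            gem install --install-dir source-code veracode
            cd source-code
            gem install bundler -v "$BUNDLE_VERSION"
            bundle install
            cd ..
          fi
          # Build the argument list as an array (mirrors the Windows job) so
          # nothing is re-parsed by eval.
          package_args=(package --source source-code --output veracode-artifacts --trust)
          if [[ "$DEBUG" == "true" ]]; then
            package_args+=(--verbose)
          fi
          echo "Running: veracode ${package_args[*]}"
          veracode "${package_args[@]}"
      # ---------------- Error handler ----------------
      - name: Package error
        if: failure()
        run: |
          echo "::error::Veracode static scan faced a problem. Please contact your Veracode administrator for more information."
      # ---------------- Upload artifact ----------------
      - uses: actions/upload-artifact@v4
        with:
          name: veracode-artifact
          path: "${{ steps.application_package_linux.outputs.working_dir }}/veracode-artifacts/*"
          if-no-files-found: error

  build-windows:
    needs: build-prepare
    runs-on: ${{ fromJSON(inputs.build_runs_on) }}
    name: Build on Windows
    if: contains(needs.build-prepare.outputs.runner_os, 'Windows')
    env:
      # Read by the Veracode CLI; see the Linux job for the caller requirement.
      VERACODE_API_KEY_ID: '${{ secrets.VERACODE_API_ID }}'
      VERACODE_API_KEY_SECRET: '${{ secrets.VERACODE_API_KEY }}'
    steps:
      - uses: actions/checkout@v4
        with:
          path: 'veracode-helper'
      - uses: actions/checkout@v4
        with:
          repository: ${{ inputs.repository }}
          ref: ${{ inputs.ref }}
          token: ${{ inputs.token }}
          path: 'source-code'
      - name: Install Veracode CLI
        shell: pwsh
        # Runs the first *.ps1 found in the helper's cli directory, then records
        # the resolved `veracode` binary path in GITHUB_ENV for later steps.
        run: |
          $cliFile = Get-ChildItem -Path "./veracode-helper/helper/cli" -Filter *.ps1 | Select-Object -First 1
          if (-not $cliFile) {
            Write-Error "No Veracode CLI install script (*.ps1) found in ./veracode-helper/helper/cli"
            exit 1
          }
          Write-Host "Found CLI install script: $cliFile"
          # Process scope only: the installer is an unsigned script from the checked-out helper.
          Set-ExecutionPolicy Bypass -Scope Process -Force
          $ProgressPreference = "silentlyContinue"
          & $cliFile.FullName
          $VERACODE_CLI = Get-Command veracode | Select-Object -ExpandProperty Definition
          echo "VERACODE_CLI=$VERACODE_CLI" | Out-File -FilePath $env:GITHUB_ENV -Append
      - name: Ensure MSBuild available
        shell: pwsh
        # Best-effort: if msbuild.exe is not already on PATH, ask vswhere for the
        # newest MSBuild and append its directory to GITHUB_PATH. Any failure is
        # logged and ignored; packaging decides whether MSBuild was needed.
        run: |
          try {
            $msbuildAlreadyExists = Get-Command msbuild.exe -ErrorAction SilentlyContinue
          } catch {
            $msbuildAlreadyExists = $false
          }
          Write-Host "MSBuild install check: $msbuildAlreadyExists"
          if (-not $msbuildAlreadyExists) {
            $vswherePath = "${env:ProgramFiles(x86)}\Microsoft Visual Studio\Installer\vswhere.exe"
            try {
              if ([System.IO.File]::Exists($vswherePath)) {
                Write-Host "vswherePath install check: $vswherePath"
                $msbuildPath = & $vswherePath -latest -requires Microsoft.Component.MSBuild -find MSBuild\**\Bin\MSBuild.exe
                if ($msbuildPath) {
                  $msbuildDir = [System.IO.Path]::GetDirectoryName($msbuildPath)
                  Write-Host "msbuildDir install check: $msbuildDir"
                  # Persist path across steps
                  "$msbuildDir" | Out-File -FilePath $env:GITHUB_PATH -Append -Encoding utf8
                  Write-Host "MSBuild path exported to GITHUB_PATH: $msbuildDir"
                }
              }
            } catch {
              Write-Host "vswhere catch block executed."
            }
          }
      - name: Run Veracode CLI Package
        id: application_package_windows
        shell: pwsh
        # `debug` is read from the environment rather than interpolated into the
        # script, for the same reason as in the Linux job.
        env:
          DEBUG: ${{ inputs.debug }}
        run: |
          $working_path = (Get-Location).Path
          "working_dir=$working_path" | Out-File -FilePath $env:GITHUB_OUTPUT -Append -Encoding utf8
          $packageArgs = @(
            "package",
            "--source", "source-code",
            "--output", "veracode-artifacts",
            "--trust"
          )
          if ($env:DEBUG -eq "true") {
            $packageArgs += "--verbose"
          }
          Write-Host "Running: veracode $($packageArgs -join ' ')"
          & $env:VERACODE_CLI @packageArgs
      # ---------------- Error handler ----------------
      - name: Package error
        if: failure()
        run: |
          echo "::error::Veracode static scan faced a problem. Please contact your Veracode administrator for more information."
      # ---------------- Upload artifact ----------------
      - uses: actions/upload-artifact@v4
        with:
          name: veracode-artifact
          path: "${{ steps.application_package_windows.outputs.working_dir }}/veracode-artifacts/*"
          if-no-files-found: error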