This repository is meant to hold the setup for requesting actions to be used internally, for example together with the Internl Actions Marketplace.
- User creates a new issue in this repo
- The review team gets a notification about the new issue (using this action: issue-comment-tag)
- After manual review, the review team labels the issue with
security-check
- The workflow
Issue labeled security scan
is triggered, executing several automated checks. - The results of all the checks are added back into the request issue.
- After reviewing the results and approving them, the action repo can be forked into your actions organization and users can start using them.
Currently we run the following checks:
- Has the repo been setup with a CodeQL workflow?
- Has the repo been configured with Dependabot updates?
- If we fork the repo and enable Dependabot, do we get Security Alerts?
- If we fork the repo and enable CodeQL, do we get Security Alerts?
- If the action uses a container, we run a Trivy scan and check the alerts.
For configuration of the workflows in this repository, we use the following secrets:
Name | Example value | Description |
---|---|---|
ACTIONS_STEP_DEBUG | true | Get additional debugging logs in Actions |
GH_TOKEN | ghp_***************** | GitHub Token with enough access to fork the repos into a specific org |
Whenever a new issue is added to this repo, the new-issue.yml
workflow is triggered. For a description of what it does, check this blogpost.
These are the secrets that it uses:
Name | Example value | Description |
---|---|---|
PROJECT_ACCOUNT | rajbos | Account name under which the project is linked to |
PROJECT_NUMBER | 2 | The number of the project |
PROJECT_TOKEN | ghp_***************** | A token with access to add issues to the project |