name: Security Audit on: pull_request: push: branches: - main schedule: - cron: "41 2 * * 2" workflow_dispatch: jobs: security-audit: runs-on: ubuntu-latest env: SECURITY_AUDIT_MODE: ci SECURITY_AUDIT_SCOPE: govoplan SECURITY_AUDIT_FAIL_ON_FINDINGS: "0" SECURITY_AUDIT_REQUIRE_TOOLS: "1" steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with: path: govoplan - name: Configure SSH for repository bootstrap env: GOVOPLAN_RELEASE_SSH_KEY_B64: ${{ secrets.GOVOPLAN_RELEASE_SSH_KEY_B64 }} run: | mkdir -p ~/.ssh chmod 700 ~/.ssh if [ -z "${GOVOPLAN_RELEASE_SSH_KEY_B64:-}" ]; then echo "GOVOPLAN_RELEASE_SSH_KEY_B64 secret is required for git+ssh repository bootstrap." exit 1 fi printf '%s' "$GOVOPLAN_RELEASE_SSH_KEY_B64" | base64 -d > ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519 echo 'git.add-ideas.de ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDe48IOof2fJS1dTbJtLWQnWnr+JorZXKIFdOAM9ct8G' > ~/.ssh/known_hosts chmod 600 ~/.ssh/known_hosts - name: Bootstrap GovOPlaN repositories working-directory: govoplan run: python tools/repo/bootstrap-repositories.py --parent .. - name: Run security audit working-directory: govoplan run: tools/checks/security-audit/run.sh --mode "$SECURITY_AUDIT_MODE" --scope "$SECURITY_AUDIT_SCOPE" --reports-dir audit-reports - name: Upload audit reports if: always() uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 with: name: security-audit-reports path: govoplan/audit-reports