From 1c6df3a5fd91c2147cd44edcd8f0cc3d336773ef Mon Sep 17 00:00:00 2001
From: Tomas Gonzalez
Date: Wed, 18 Jun 2025 17:44:55 -0400
Subject: [PATCH 1/4] move workflow to container
---
 .github/workflows/git-diffscan.yml | 55 +++++++++++++++---------------
 1 file changed, 28 insertions(+), 27 deletions(-)
diff --git a/.github/workflows/git-diffscan.yml b/.github/workflows/git-diffscan.yml
index 5535780..e0f6ecb 100644
--- a/.github/workflows/git-diffscan.yml
+++ b/.github/workflows/git-diffscan.yml
@@ -1,5 +1,5 @@
 # This workflow runs on Pull Requests opened against MAIN.
-# It will scan the incoming HEAD branch with Workbench.
+# It will scan only those files touched by the incoming HEAD branch.
 # If Pending IDs or Policy Violations are found, the PR will be blocked.
 
 name: Scan Diff of Incoming PRs
@@ -18,15 +18,6 @@ jobs:
 WORKBENCH_TOKEN: ${{ secrets.WORKBENCH_TOKEN }}
 
 steps:
- - name: Checkout Workbench CLI
- uses: actions/checkout@v4
- with:
- repository: tomgonzo/workbench-cli
- path: fossid-tools
-
- - name: Install Workbench CLI
- run: pip install ./fossid-tools
-
 - name: Checkout Target Repo
 uses: actions/checkout@v4
 with:
@@ -39,24 +30,34 @@ jobs:
 git fetch origin ${{ github.base_ref }}:${{ github.base_ref }}
 git fetch origin ${{ github.head_ref }}:${{ github.head_ref }}
 git branch -a
-
+
 - name: Scan Files Changed by PR
- working-directory: target-repo
- run: |
- workbench-cli scan-git-diff \
- --project-name $GITHUB_REPOSITORY \
- --scan-name Diff-$GITHUB_HEAD_REF \
- --base-ref $GITHUB_BASE_REF \
- --compare-ref $GITHUB_HEAD_REF \
- --run-dependency-analysis \
- --autoid-file-licenses \
- --autoid-file-copyrights \
- --show-scan-metrics
-
- - name: Evaluate Gates
 run: |
- workbench-cli evaluate-gates \
+ docker run --rm \
+ -v $GITHUB_WORKSPACE/target-repo:/scan_target:ro \
+ -w /scan_target \
+ ghcr.io/tomgonzo/workbench-cli:latest \
+ --api-url ${{ env.WORKBENCH_URL }} \
+ --api-user ${{ env.WORKBENCH_USER }} \
+ --api-token ${{ env.WORKBENCH_TOKEN }} \
+ scan-git-diff \
 --project-name $GITHUB_REPOSITORY \
 --scan-name Diff-$GITHUB_HEAD_REF \
- --fail-on-pending \
- --fail-on-policy
+ --base-ref ${{ github.base_ref }} \
+ --compare-ref ${{ github.head_ref }} \
+ --run-dependency-analysis \
+ --autoid-file-licenses \
+ --autoid-file-copyrights \
+ --show-scan-metrics
+
+ - name: Evaluate Gates
+ run: |
+ docker run ghcr.io/tomgonzo/workbench-cli:latest \
+ --api-url ${{ env.WORKBENCH_URL }} \
+ --api-user ${{ env.WORKBENCH_USER }} \
+ --api-token ${{ env.WORKBENCH_TOKEN }} \
+ evaluate-gates \
+ --project-name $GITHUB_REPOSITORY \
+ --scan-name Diff-$GITHUB_HEAD_REF \
+ --fail-on-pending \
+ --fail-on-policy
From 58377c27d24d6fe896eec94ec4ec9c0787bdf937 Mon Sep 17 00:00:00 2001
From: Tomas Gonzalez
Date: Wed, 18 Jun 2025 17:46:14 -0400
Subject: [PATCH 2/4] fix docker run
---
 .github/workflows/git-diffscan.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/git-diffscan.yml b/.github/workflows/git-diffscan.yml
index e0f6ecb..e60db34 100644
--- a/.github/workflows/git-diffscan.yml
+++ b/.github/workflows/git-diffscan.yml
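Review bot: The new `--base-ref ${{ github.base_ref }}` and `--compare-ref ${{ github.head_ref }}` lines substitute the PR's branch names into the shell script text before it runs, whereas the removed lines read `$GITHUB_BASE_REF` / `$GITHUB_HEAD_REF` as environment variables, which the shell treats as data; since the head branch name is chosen by whoever opens the PR, keep the environment-variable form, `--base-ref $GITHUB_BASE_REF \` and `--compare-ref $GITHUB_HEAD_REF \`. The same substitution is added again in the `@@ -32,32 +41,26 @@` hunk of patch 3 and throughout the new `git-diffscan-container.yml`. Passing `--api-token ${{ env.WORKBENCH_TOKEN }}` as a `docker run` argument also leaves the secret in the container's recorded command line (visible via `docker inspect`) and in the runner's process list, while Actions log masking only covers the job log; forwarding it into the container with `-e WORKBENCH_TOKEN` and letting the CLI read the variable would keep it out of both, if the CLI supports that — confirm against its documentation. The `Evaluate Gates` container is started without `--rm`, so it and its recorded arguments persist on the runner until the job ends.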
@@ -33,8 +33,8 @@ jobs:
 
 - name: Scan Files Changed by PR
 run: |
- docker run --rm \
- -v $GITHUB_WORKSPACE/target-repo:/scan_target:ro \
+ docker run \
+ -v $GITHUB_WORKSPACE/target-repo:/scan_target \
 -w /scan_target \
 ghcr.io/tomgonzo/workbench-cli:latest \
 --api-url ${{ env.WORKBENCH_URL }} \
From 34a898f09f653ac0efd29061bd83d81d76e452b8 Mon Sep 17 00:00:00 2001
From: Tomas Gonzalez
Date: Wed, 18 Jun 2025 18:05:08 -0400
Subject: [PATCH 3/4] workflow edits
---
 .github/workflows/git-diffscan-container.yml | 89 ++++++++++++++++++++
 .github/workflows/git-diffscan.yml | 53 ++++++------
 2 files changed, 117 insertions(+), 25 deletions(-)
 create mode 100644 .github/workflows/git-diffscan-container.yml
diff --git a/.github/workflows/git-diffscan-container.yml b/.github/workflows/git-diffscan-container.yml
new file mode 100644
index 0000000..77589d0
--- /dev/null
+++ b/.github/workflows/git-diffscan-container.yml
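Review bot: Dropping `:ro` from the `-v $GITHUB_WORKSPACE/target-repo:/scan_target` mount lets the container write into the checked-out repository, and the commit message does not say why; if the CLI only needs somewhere writable for its own state, a separate writable volume or `--tmpfs` for that path would be narrower than making the whole checkout writable — confirm what it actually writes. Dropping `--rm` in the same change means the exited container, including the `--api-token` value recorded in its command line, stays on the runner for the rest of the job. If `--rm` was removed so that the container's output can be read afterwards, a comment above the step saying so would help the next reader.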
@@ -0,0 +1,89 @@
+# Alternative workflow using container approach with pre-built archive
+# This workflow runs on Pull Requests opened against MAIN.
+# It will scan only those files touched by the incoming HEAD branch using containers.
+# If Pending IDs or Policy Violations are found, the PR will be blocked.
+
+name: Scan Diff of Incoming PRs (Container Archive Approach)
+
+on:
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ workbench-scan:
+ runs-on: ubuntu-latest
+ env:
+ WORKBENCH_URL: ${{ secrets.WORKBENCH_URL }}
+ WORKBENCH_USER: ${{ secrets.WORKBENCH_USER }}
+ WORKBENCH_TOKEN: ${{ secrets.WORKBENCH_TOKEN }}
+
+ steps:
+ - name: Checkout Target Repo
+ uses: actions/checkout@v4
+ with:
+ path: target-repo
+ fetch-depth: 0 # Fetch all history for all branches and tags
+
+ - name: Fetch Base and Head Branches
+ working-directory: target-repo
+ run: |
+ git fetch origin ${{ github.base_ref }}:${{ github.base_ref }}
+ git fetch origin ${{ github.head_ref }}:${{ github.head_ref }}
+ git branch -a
+
+ - name: Create Archive of Changed Files
+ working-directory: target-repo
+ id: create-diff-archive
+ run: |
+ # Get the list of changed files and create archive
+ CHANGED_FILES=$(git diff --name-only --diff-filter=d ${{ github.base_ref }} ${{ github.head_ref }})
+
+ if [ -z "$CHANGED_FILES" ]; then
+ echo "✅ No changed files found - creating empty marker"
+ echo "has_changes=false" >> $GITHUB_OUTPUT
+ else
+ echo "Changed files:"
+ echo "$CHANGED_FILES"
+ echo "$CHANGED_FILES" | zip -@ ../diff-archive.zip
+ echo "has_changes=true" >> $GITHUB_OUTPUT
+ echo "Archive created: ../diff-archive.zip"
+ ls -la ../diff-archive.zip
+ fi
+
+ - name: Scan Files Changed by PR
+ if: steps.create-diff-archive.outputs.has_changes == 'true'
+ run: |
+ docker run --rm \
+ -v $GITHUB_WORKSPACE/diff-archive.zip:/scan_target/diff-archive.zip:ro \
+ ghcr.io/tomgonzo/workbench-cli:latest \
+ --api-url ${{ env.WORKBENCH_URL }} \
+ --api-user ${{ env.WORKBENCH_USER }} \
+ --api-token ${{ env.WORKBENCH_TOKEN }} \
+ scan \
+ --project-name $GITHUB_REPOSITORY \
+ --scan-name DiffContainer-$GITHUB_HEAD_REF \
+ --path /scan_target/diff-archive.zip \
+ --run-dependency-analysis \
+ --autoid-file-licenses \
+ --autoid-file-copyrights \
+ --no-wait \
+ --show-scan-metrics
+
+ - name: No Changes Detected
+ if: steps.creatediff-archive.outputs.has_changes == 'false'
+ run: echo "✅ No changed files detected - skipping scan"
+
+ - name: Evaluate Gates
+ if: steps.creatediff-archive.outputs.has_changes == 'true'
+ run: |
+ docker run --rm \
+ ghcr.io/tomgonzo/workbench-cli:latest \
+ --api-url ${{ env.WORKBENCH_URL }} \
+ --api-user ${{ env.WORKBENCH_USER }} \
+ --api-token ${{ env.WORKBENCH_TOKEN }} \
+ evaluate-gates \
+ --project-name $GITHUB_REPOSITORY \
+ --scan-name DiffContainer-$GITHUB_HEAD_REF \
+ --fail-on-pending \
+ --fail-on-policy
\ No newline at end of file
diff --git a/.github/workflows/git-diffscan.yml b/.github/workflows/git-diffscan.yml
index e60db34..d7af066 100644
--- a/.github/workflows/git-diffscan.yml
+++ b/.github/workflows/git-diffscan.yml
@@ -18,6 +18,15 @@ jobs:
 WORKBENCH_TOKEN: ${{ secrets.WORKBENCH_TOKEN }}
 
 steps:
+ - name: Checkout Workbench CLI
+ uses: actions/checkout@v4
+ with:
+ repository: tomgonzo/workbench-cli
+ path: fossid-tools
+
+ - name: Install Workbench CLI
+ run: pip install ./fossid-tools
+
 - name: Checkout Target Repo
 uses: actions/checkout@v4
 with:
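Review bot: `git diff --name-only --diff-filter=d ${{ github.base_ref }} ${{ github.head_ref }}` in `Create Archive of Changed Files` compares the two branch tips, so commits that landed on the base branch after the PR branched off are reported as files changed by the PR as well; the three-dot form compares against the merge base, and using the environment variables keeps branch names out of the script text: `CHANGED_FILES=$(git diff --name-only --diff-filter=d "$GITHUB_BASE_REF...$GITHUB_HEAD_REF")`. The `echo "$CHANGED_FILES" | zip -@ ../diff-archive.zip` pipeline is newline-delimited, so a path containing a newline would be split — a minor edge case worth a comment on that line. The scan is started with `--no-wait` and `Evaluate Gates` runs immediately afterwards, so, as far as the flag name suggests, the gate check may evaluate a scan that has not finished; confirm the CLI's behaviour, and note the same pairing is added in the `@@ -32,32 +41,26 @@` hunk of `git-diffscan.yml` in this patch. `ghcr.io/tomgonzo/workbench-cli:latest` is a moving tag; pinning the image to a digest would make the scanner that runs with the Workbench credentials reproducible.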
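Review bot: The re-added `Checkout Workbench CLI` step checks out `tomgonzo/workbench-cli` at its default branch with no `ref`, and `pip install ./fossid-tools` then runs whatever that branch currently holds with the Workbench credentials present in the job environment; add `ref: <pinned tag or commit SHA>` under `with:` so the tool version is chosen by this repository rather than by the latest push to the tool's repository. The `pip install` presumably also resolves the tool's own dependencies from PyPI at run time unpinned; a comment noting that, or a constraints file, would help. Patch 1 removed these same two steps in favour of the container, and this hunk restores them for `git-diffscan.yml` while the container approach moves to the new file — a sentence in the commit message saying so would make the series easier to follow.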
@@ -32,32 +41,26 @@ jobs:
 git branch -a
 
 - name: Scan Files Changed by PR
+ working-directory: target-repo
 run: |
- docker run \
- -v $GITHUB_WORKSPACE/target-repo:/scan_target \
- -w /scan_target \
- ghcr.io/tomgonzo/workbench-cli:latest \
- --api-url ${{ env.WORKBENCH_URL }} \
- --api-user ${{ env.WORKBENCH_USER }} \
- --api-token ${{ env.WORKBENCH_TOKEN }} \
- scan-git-diff \
- --project-name $GITHUB_REPOSITORY \
- --scan-name Diff-$GITHUB_HEAD_REF \
- --base-ref ${{ github.base_ref }} \
- --compare-ref ${{ github.head_ref }} \
- --run-dependency-analysis \
- --autoid-file-licenses \
- --autoid-file-copyrights \
- --show-scan-metrics
+ workbench-cli scan-git-diff \
+ --project-name $GITHUB_REPOSITORY \
+ --scan-name Diff-$GITHUB_HEAD_REF \
+ --base-ref ${{ github.base_ref }} \
+ --compare-ref ${{ github.head_ref }} \
+ --run-dependency-analysis \
+ --autoid-file-licenses \
+ --autoid-file-copyrights \
+ --id-reuse \
+ --id-reuse-type project \
+ --id-reuse-source $GITHUB_REPOSITORY \
+ --no-wait \
+ --show-scan-metrics
 
 - name: Evaluate Gates
 run: |
- docker run ghcr.io/tomgonzo/workbench-cli:latest \
- --api-url ${{ env.WORKBENCH_URL }} \
- --api-user ${{ env.WORKBENCH_USER }} \
- --api-token ${{ env.WORKBENCH_TOKEN }} \
- evaluate-gates \
- --project-name $GITHUB_REPOSITORY \
- --scan-name Diff-$GITHUB_HEAD_REF \
- --fail-on-pending \
- --fail-on-policy
+ workbench-cli evaluate-gates \
+ --project-name $GITHUB_REPOSITORY \
+ --scan-name Diff-$GITHUB_HEAD_REF \
+ --fail-on-pending \
+ --fail-on-policy
From 9e5a0d1ed188b3f22fb0fea9356bed1cde5dda52 Mon Sep 17 00:00:00 2001
From: Tomas Gonzalez
Date: Wed, 18 Jun 2025 18:06:50 -0400
Subject: [PATCH 4/4] oops
---
 .github/workflows/git-diffscan-container.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/git-diffscan-container.yml b/.github/workflows/git-diffscan-container.yml
index 77589d0..68aa6f5 100644
--- a/.github/workflows/git-diffscan-container.yml
+++ b/.github/workflows/git-diffscan-container.yml
@@ -71,11 +71,11 @@ jobs:
 --show-scan-metrics
 
 - name: No Changes Detected
- if: steps.creatediff-archive.outputs.has_changes == 'false'
+ if: steps.create-diff-archive.outputs.has_changes == 'false'
 run: echo "✅ No changed files detected - skipping scan"
 
 - name: Evaluate Gates
- if: steps.creatediff-archive.outputs.has_changes == 'true'
+ if: steps.create-diff-archive.outputs.has_changes == 'true'
 run: |
 docker run --rm \
 ghcr.io/tomgonzo/workbench-cli:latest \