Skip to content
Security

feat(config): add config edit and jq-based config get #111

Sign in to view logs

feat(config): add config edit and jq-based config get

feat(config): add config edit and jq-based config get #111

Workflow file for this run

.github/workflows/security.yml at 833f1bc
# Copyright 2026 Phillip Cloud
# Licensed under the Apache License, Version 2.0
name: Security
on:
push:
branches: [main]
pull_request:
branches: [main]
permissions:
contents: read
jobs:
changes:
name: Detect Changes
runs-on: ubuntu-latest
outputs:
go: ${{ steps.detect.outputs.go }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
sparse-checkout: .github/detect-go-changes.bash
sparse-checkout-cone-mode: false
persist-credentials: false
- name: Check for Go-related changes
id: detect
env:
GH_TOKEN: ${{ github.token }}
run: |
go=$(bash .github/detect-go-changes.bash \
"${{ github.event_name }}" \
"${{ github.event.pull_request.number }}" \
"${{ github.event.before }}" \
"${{ github.sha }}")
echo "go=$go" >> "$GITHUB_OUTPUT"
govulncheck:
name: Vulnerability Check
needs: changes
if: needs.changes.outputs.go == 'true'
runs-on: ubuntu-latest
concurrency:
group: security-govulncheck-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- uses: cachix/install-nix-action@19effe9fe722874e6d46dd7182e4b8b7a43c4a99 # v31.10.0
- name: Run govulncheck
run: nix run '.#govulncheck'
osv-scanner:
name: OSV Scan
needs: changes
if: needs.changes.outputs.go == 'true'
runs-on: ubuntu-latest
concurrency:
group: security-osv-scanner-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- uses: cachix/install-nix-action@19effe9fe722874e6d46dd7182e4b8b7a43c4a99 # v31.10.0
- name: Run osv-scanner
run: nix run '.#osv-scanner'
secrets:
name: Secret Scan
runs-on: ubuntu-latest
concurrency:
group: security-secrets-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
persist-credentials: false
- uses: trufflesecurity/trufflehog@6c05c4a00b91aa542267d8e32a8254774799d68d # v3.93.8
with:
extra_args: --only-verified
codeql:
name: CodeQL (Go)
needs: changes
if: needs.changes.outputs.go == 'true'
runs-on: ubuntu-latest
concurrency:
group: security-codeql-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
permissions:
security-events: write
env:
CGO_ENABLED: "0"
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version: "1.25"
- name: Initialize CodeQL
uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
with:
languages: go
build-mode: manual
- name: Build
run: go build ./...
- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
result:
name: Security Result
if: always()
needs: [changes, govulncheck, osv-scanner, secrets, codeql]
runs-on: ubuntu-latest
steps:
- run: exit 1
if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')