libraries/libu2f-host/patches/0021-Github-Actions-do-not-run-scan-if-missing-credential.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62

From 33cd26f945925d64e0ccef41d13be17e84f99f44 Mon Sep 17 00:00:00 2001
From: Gabriel Kihlman <g.kihlman@yubico.com>
Date: Tue, 23 Jun 2020 16:25:16 +0200
Subject: [PATCH 21/25] Github Actions: do not run scan if missing credentials

Also toggle workflow to fail if there are warnings.

Signed-off-by: Gustavo B. Schenkel <gustavo.schenkel@gmail.com>
---
 .github/workflows/scan.yml | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index ec6ba52..09f16ab 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -1,4 +1,5 @@
 name: static code analysis
+# Documentation: https://github.com/Yubico/yes-static-code-analysis
 
 on:
   push:
@@ -8,6 +9,7 @@ on:
 env:
   SCAN_IMG:
     yes-docker-local.artifactory.in.yubico.org/static-code-analysis/c:v1
+  SECRET: ${{ secrets.ARTIFACTORY_READER_TOKEN }}
 
 jobs:
   build:
@@ -16,17 +18,18 @@ jobs:
     steps:
     - uses: actions/checkout@master
 
-    - name: Prep scan
+    - name: Scan and fail on warnings
       run: |
-        docker login yes-docker-local.artifactory.in.yubico.org/ \
-             -u svc-static-code-analysis-reader \
-             -p ${{ secrets.ARTIFACTORY_READER_TOKEN }}
-        docker pull ${SCAN_IMG}
-
-    - name: Scan but do not fail on warnings
-      run: |
-        docker run -v${PWD}:/k -e COMPILE_DEPS="${COMPILE_DEPS}" \
-          -e PROJECT_NAME=${GITHUB_REPOSITORY#Yubico/} -t ${SCAN_IMG} || true
+        if [ "${SECRET}" != "" ]; then
+          docker login yes-docker-local.artifactory.in.yubico.org/ \
+            -u svc-static-code-analysis-reader -p ${SECRET}
+          docker pull ${SCAN_IMG}
+          docker run -v${PWD}:/k -e COMPILE_DEPS="${COMPILE_DEPS}" \
+            -e PROJECT_NAME=${GITHUB_REPOSITORY#Yubico/} \
+            -e PVS_IGNORE_WARNINGS=${PVS_IGNORE_WARNINGS} -t ${SCAN_IMG}
+        else
+          echo "No docker registry credentials, not scanning"
+        fi
 
     - uses: actions/upload-artifact@master
       if: failure()
-- 
2.32.0