42 changes: 40 additions & 2 deletions .github/workflows/fossid_integration_stateless_diffscan.yml
Expand Up @@ -2,6 +2,22 @@

on:
workflow_call:
inputs:
base_ref: # NEW: optional explicit base ref
description: 'Base ref for diff (e.g. develop). Empty = auto-detect.'
required: false
type: string
default: ''
compare_ref: # NEW: optional explicit compare ref
description: 'Compare ref/SHA for diff. Empty = auto-detect.'
required: false
type: string
default: ''
pr_number: # NEW: PR number (for fetching fork commits)
description: 'PR number (used to fetch fork head ref). Empty = not needed.'
required: false
type: string
default: ''
secrets:
FOSSID_CONTAINER_USERNAME:
required: true
Expand All @@ -24,8 +40,22 @@
steps:
- name: Checkout Code
uses: actions/checkout@v5
with:
fetch-depth: 0 # Full clone to ensure base ref is available

# NEW STEP: container runs as different user than checkout — mark safe
- name: Mark workspace safe
if: inputs.pr_number != ''
run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

# NEW STEP: fetch the fork PR's head commits (not in origin by default)
- name: Fetch PR head ref
if: inputs.pr_number != ''
env:
PR_NUMBER: ${{ inputs.pr_number }}
run: git fetch origin pull/$PR_NUMBER/head

- name: Checkout ignore projects file

Check warning

Code scanning / CodeQL

Checkout of untrusted code in a trusted context Medium

Potential unsafe checkout of untrusted pull request on privileged workflow.
uses: actions/checkout@v5
with:
repository: rdkcentral/build_tools_workflows
Expand All @@ -33,16 +63,24 @@
ignore_projects_fossid
ref: develop
path: tools

- name: Run fossid-toolbox
env:
FOSSID_HOST_USERNAME: ${{ secrets.FOSSID_HOST_USERNAME }}
FOSSID_HOST_TOKEN: ${{ secrets.FOSSID_HOST_TOKEN }}
BASE_REF: ${{ inputs.base_ref }}
COMPARE_REF: ${{ inputs.compare_ref }}
run: |
# NEW: build explicit ref args when provided, otherwise let fossid auto-detect
REF_ARGS=""
if [ -n "$BASE_REF" ] && [ -n "$COMPARE_REF" ]; then
REF_ARGS="--base-ref origin/$BASE_REF --compare-ref $COMPARE_REF"
fi
fossid \
diffscan \
--fossid-host $FOSSID_HOST_USERNAME \
--fossid-token $FOSSID_HOST_TOKEN \
--format github \
--fail \
--ignore-projects tools/ignore_projects_fossid
--ignore-projects tools/ignore_projects_fossid \
$REF_ARGS
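Review bot: In the `Run fossid-toolbox` step, `REF_ARGS` is built as a single string and expanded unquoted (`$REF_ARGS`), so the caller-supplied `base_ref`/`compare_ref` inputs go through word splitting and glob expansion before reaching `fossid`; a bash array keeps each value as one argument and lets the ref values be quoted. The same applies to `git fetch origin pull/$PR_NUMBER/head` in the `Fetch PR head ref` step, which should quote its argument (`git fetch origin "pull/$PR_NUMBER/head"`) and ideally reject a non-numeric `PR_NUMBER` before running. The `&&` condition also means that a caller setting only one of `base_ref`/`compare_ref` silently gets auto-detect; a one-line warning (`echo "::warning::base_ref and compare_ref must both be set; falling back to auto-detect"`) in an `elif` would make that visible in the job log. Arrays need bash, which appears to be the default for `run:` on Linux runners but is worth pinning with `shell: bash` since this job runs in a container.

```yaml
run: |
  REF_ARGS=()
  if [ -n "$BASE_REF" ] && [ -n "$COMPARE_REF" ]; then
    REF_ARGS=(--base-ref "origin/$BASE_REF" --compare-ref "$COMPARE_REF")
  fi
  # … unchanged: fossid diffscan invocation and its fixed flags …
    "${REF_ARGS[@]}"
```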