query(terraform): unrestricted_security_group_ingress #254
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: validate-issues | |
on: | |
issues: | |
types: [opened, edited, reopened] | |
jobs: | |
title-check: | |
runs-on: ubuntu-latest | |
env: | |
BODY: ${{ github.event.issue.body }} | |
TITLE: ${{ github.event.issue.title }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
persist-credentials: false | |
sparse-checkout: | | |
.github/scripts/pr-issue-info/issue-fail.md | |
.github/scripts/pr-issue-info/get_title_types.py | |
.github/issue-title-types.yaml | |
- name: Set up Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: "3.x" | |
- name: Install dependencies | |
run: python3 -m pip install --upgrade pip pyyaml | |
- name: Check issue title | |
env: | |
FILE_PATH: .github/issue-title-types.yaml | |
run: | | |
regex=$(python3 .github/scripts/pr-issue-info/get_title_types.py) | |
echo "Title regex: $regex" | |
echo "$TITLE" | grep -Pq "$regex" || (echo "$ERROR_MSG" && echo "TITLE_CHECK_FAILED=true" >> $GITHUB_ENV) | |
- name: Check for comment tag | |
if: env.TITLE_CHECK_FAILED != 'true' | |
run: | | |
comments=$(curl -s -H "Authorization: token ${{ secrets.KICS_BOT_PAT }}" \ | |
-X GET "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/comments") | |
if echo "$comments" | grep -q "title_check"; then | |
echo "TAG_EXISTS=true" >> $GITHUB_ENV | |
else | |
echo "TAG_EXISTS=false" >> $GITHUB_ENV | |
fi | |
- name: Delete comment if title is fixed | |
if: env.TAG_EXISTS == 'true' | |
uses: thollander/actions-comment-pull-request@b07c7f86be67002023e6cb13f57df3f21cdd3411 | |
with: | |
message: | | |
Deleting comment, please refresh the page... | |
comment_tag: title_check | |
mode: delete | |
GITHUB_TOKEN: ${{ secrets.KICS_BOT_PAT }} | |
- name: Add comment if title fails | |
if: env.TITLE_CHECK_FAILED == 'true' | |
uses: thollander/actions-comment-pull-request@b07c7f86be67002023e6cb13f57df3f21cdd3411 | |
with: | |
filePath: .github/scripts/pr-issue-info/issue-fail.md | |
comment_tag: title_check | |
mode: recreate | |
create_if_not_exists: true | |
GITHUB_TOKEN: ${{ secrets.KICS_BOT_PAT }} | |
- name: Workflow failed | |
if: env.TITLE_CHECK_FAILED == 'true' | |
run: exit 1 | |
labels-check: | |
runs-on: ubuntu-latest | |
env: | |
BODY: ${{ github.event.issue.body }} | |
LABELS: ${{ toJson(github.event.issue.labels) }} | |
TITLE: ${{ github.event.issue.title }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
persist-credentials: false | |
sparse-checkout: | | |
.github/scripts/pr-issue-info/get_keywords.py | |
.github/keywords.yaml | |
- name: Install JQ | |
run: sudo apt-get install jq | |
- name: Get username | |
run: echo "USERNAME=${{ github.event.issue.user.login }}" >> $GITHUB_ENV | |
- name: Check user username | |
run: | | |
response=$(curl -s -H "Authorization: token ${{ secrets.KICS_BOT_PAT }}" "https://api.github.com/orgs/Checkmarx/teams/kics/members") | |
team_members=$(echo "$response" | jq -r '.[].login') | |
if echo "${team_members[@]}" | grep -Pq "^$USERNAME$"; then | |
echo "Contributor belongs to Checkmarx organization" | |
is_member="true" | |
else | |
echo "Contributor does not belong to Checkmarx organization" | |
is_member="false" | |
fi | |
echo "IS_MEMBER=$is_member" >> $GITHUB_ENV | |
- name: Add community label if user does not belong to Checkmarx Organization | |
run: | | |
if [[ "$IS_MEMBER" == "false" ]]; then | |
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels -d '{"labels": ["community"]}' | |
fi | |
- name: Add feature or feature request label | |
run: | | |
if [[ "$TITLE" == feat* ]] || echo "$TITLE $BODY" | grep -iqP "feature request" || echo "$BODY" | grep -iqP "Is your feature request related to a problem? Please describe." || echo "$BODY" | grep -iqP "Describe the solution you'd like" || echo "$BODY" | grep -iqP "Describe alternatives you've considered" || echo "$BODY" | grep -iqP "Additional context"; then | |
if [[ "$IS_MEMBER" == "true" ]]; then | |
echo "Adding 'feature' label..." | |
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels -d '{"labels": ["feature"]}' | |
else | |
echo "Adding 'feature request' label..." | |
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels -d '{"labels": ["feature request"]}' | |
fi | |
else | |
if echo "$LABELS" | grep -q "feature request"; then | |
echo "Removing 'feature request' label..." | |
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels/feature%20request | |
elif echo "$LABELS" | grep -q "feature"; then | |
echo "Removing 'feature' label..." | |
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels/feature | |
fi | |
fi | |
- name: Add bug label | |
run: | | |
if echo "$TITLE $BODY" | grep -iqP "(\\b|_)bugs?(\\b|_)" || echo "$BODY" | grep -iqP "steps to reproduce" || echo "$BODY" | grep -iqP "actual behavior" || echo "$BODY" | grep -iqP "expected behavior"; then | |
echo "Adding 'bug' label..." | |
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels -d '{"labels": ["bug"]}' | |
else | |
if echo "$LABELS" | grep -q "bug"; then | |
echo "Removing 'bug' label..." | |
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels/bug | |
fi | |
fi | |
- name: Add query label | |
run: | | |
if echo "$TITLE $BODY" | grep -iqP "(\\b|_)quer(y|ies)(\\b|_)" || echo "$BODY" | grep -iqP "### Platform" || echo "$BODY" | grep -iqP "### Provider"; then | |
echo "Adding 'query' label... " | |
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels -d '{"labels": ["query"]}' | |
else | |
if echo "$LABELS" | grep -q "query"; then | |
echo "Removing 'query' label..." | |
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels/query | |
fi | |
fi | |
- name: Set up Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: "3.x" | |
- name: Install dependencies | |
run: python3 -m pip install --upgrade pip pyyaml | |
- name: Check title for keywords of platforms and cloud providers to add labels | |
run: | | |
keywords=$(python3 .github/scripts/pr-issue-info/get_keywords.py) | |
eval "$keywords" | |
declare -p keywords | |
declare -a labels_to_add=() | |
for keyword in "${!keywords[@]}"; do | |
if echo "$TITLE $BODY" | grep -iPq "(\\b|_)$keyword(\\b|_)"; then | |
labels_to_add+=("${keywords[$keyword]}") | |
fi | |
done | |
mapfile -t current_labels < <(echo "$LABELS" | jq -r '.[].name') | |
for keyword in "${!keywords[@]}"; do | |
label=${keywords[$keyword]} | |
if [[ ! " ${labels_to_add[@]} " =~ " ${label} " ]] && [[ " ${current_labels[@]} " =~ " ${label} " ]]; then | |
echo "Removing '$label' label..." | |
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels/$label | |
elif [[ " ${labels_to_add[@]} " =~ " ${label} " ]] && [[ ! " ${current_labels[@]} " =~ " ${label} " ]]; then | |
echo "Adding '$label' label..." | |
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels -d "{\"labels\": [\"$label\"]}" | |
fi | |
done |