From da9028bf2e9e53cfa07a25a64a3bcbcf233e0569 Mon Sep 17 00:00:00 2001
From: strangelookingnerd <49242855+strangelookingnerd@users.noreply.github.com>
Date: Tue, 23 Jul 2024 14:56:44 +0200
Subject: [PATCH 1/4] Enable Jenkins Security Scan

---
 .github/workflows/jenkins-security-scan.yml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 .github/workflows/jenkins-security-scan.yml

diff --git a/.github/workflows/jenkins-security-scan.yml b/.github/workflows/jenkins-security-scan.yml
new file mode 100644
index 00000000..6fc0b2b5
--- /dev/null
+++ b/.github/workflows/jenkins-security-scan.yml
@@ -0,0 +1,21 @@
+name: Jenkins Security Scan
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    types: [ opened, synchronize, reopened ]
+  workflow_dispatch:
+
+permissions:
+  security-events: write
+  contents: read
+  actions: read
+
+jobs:
+  security-scan:
+    uses: jenkins-infra/jenkins-security-scan/.github/workflows/jenkins-security-scan.yaml@v2
+    with:
+      java-cache: 'maven' # Optionally enable use of a build dependency cache. Specify 'maven' or 'gradle' as appropriate.
+      # java-version: 21 # Optionally specify what version of Java to set up for the build, or remove to use a recent default.

From 77a3b4f2b5765ed84584aad7e446181c0070aa8a Mon Sep 17 00:00:00 2001
From: strangelookingnerd <49242855+strangelookingnerd@users.noreply.github.com>
Date: Tue, 23 Jul 2024 18:35:50 +0200
Subject: [PATCH 2/4] Update .github/workflows/jenkins-security-scan.yml

Co-authored-by: Yahav Itschak
---
 .github/workflows/jenkins-security-scan.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/jenkins-security-scan.yml b/.github/workflows/jenkins-security-scan.yml
index 6fc0b2b5..a0b45704 100644
--- a/.github/workflows/jenkins-security-scan.yml
+++ b/.github/workflows/jenkins-security-scan.yml
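Review bot: The reusable workflow is referenced through the floating tag in `uses: jenkins-infra/jenkins-security-scan/.github/workflows/jenkins-security-scan.yaml@v2`, so whatever that tag resolves to at run time executes with the `security-events: write` token this file grants. If the project pins third-party actions by commit, the same discipline applies to reusable workflows: `uses: jenkins-infra/jenkins-security-scan/.github/workflows/jenkins-security-scan.yaml@<commit-sha> # v2`, with the placeholder replaced by the audited revision and kept current by a dependency updater. Otherwise a one-line comment above `uses:` stating that the tag is intentionally tracked would record the decision for the next reader.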
@@ -4,8 +4,8 @@ on:
   push:
     branches:
       - main
-  pull_request:
-    types: [ opened, synchronize, reopened ]
+  pull_request_target:
+    types: [labeled]
   workflow_dispatch:
 
 permissions:

From 2d2e121f04418929b24c6ac3d1ccc8fcdd52adbf Mon Sep 17 00:00:00 2001
From: strangelookingnerd <49242855+strangelookingnerd@users.noreply.github.com>
Date: Tue, 23 Jul 2024 18:35:57 +0200
Subject: [PATCH 3/4] Update .github/workflows/jenkins-security-scan.yml

Co-authored-by: Yahav Itschak
---
 .github/workflows/jenkins-security-scan.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/jenkins-security-scan.yml b/.github/workflows/jenkins-security-scan.yml
index a0b45704..8de125bd 100644
--- a/.github/workflows/jenkins-security-scan.yml
+++ b/.github/workflows/jenkins-security-scan.yml
@@ -15,6 +15,7 @@ permissions:
 
 jobs:
   security-scan:
+    if: (contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'push') && github.repository_owner != 'jenkinsci'
     uses: jenkins-infra/jenkins-security-scan/.github/workflows/jenkins-security-scan.yaml@v2
     with:
       java-cache: 'maven' # Optionally enable use of a build dependency cache. Specify 'maven' or 'gradle' as appropriate.

From cd7de4b77480f6e7a4ec15c67368cb6043f05899 Mon Sep 17 00:00:00 2001
From: strangelookingnerd <49242855+strangelookingnerd@users.noreply.github.com>
Date: Tue, 23 Jul 2024 18:36:03 +0200
Subject: [PATCH 4/4] Update .github/workflows/jenkins-security-scan.yml

Co-authored-by: Yahav Itschak
---
 .github/workflows/jenkins-security-scan.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/jenkins-security-scan.yml b/.github/workflows/jenkins-security-scan.yml
index 8de125bd..8b1e172e 100644
--- a/.github/workflows/jenkins-security-scan.yml
+++ b/.github/workflows/jenkins-security-scan.yml
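Review bot: `pull_request_target` runs the job with the base repository's token and the write permission declared under `permissions:` (the entries themselves lie outside this hunk), while the pull request being scanned can originate from a fork, so the trigger needs an explicit authorization step that this commit does not contain; the label gate only appears in PATCH 3/4. `types: [labeled]` also omits `synchronize`, so commits pushed after the label is applied are not scanned until a maintainer labels the PR again, which is a property worth recording above the trigger: `# pull_request_target: runs with base-repo privileges; fork PRs are scanned only when a maintainer labels them, and must be relabeled after new pushes`. The `on:` mapping starts before this hunk.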
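Review bot: The `if:` checks whether `safe to test` is present among the PR's labels rather than which label fired the event, and nothing removes the label afterwards, so any later `labeled` event on an approved PR (adding an unrelated label, for instance) re-satisfies the condition and re-runs the privileged scan against whatever head the PR has by then, including commits pushed after the approval. Gating on the triggering label limits each run to an explicit maintainer action: `if: ((github.event_name == 'pull_request_target' && github.event.label.name == 'safe to test') || github.event_name == 'push') && github.repository_owner != 'jenkinsci'`; removing the label after the run (not something this workflow does) would close the remaining window. The purpose of the `github.repository_owner != 'jenkinsci'` clause is not visible in the patch and deserves a one-line comment above the `if:`. The `security-scan` job continues past the end of the hunk.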
@@ -18,5 +18,4 @@ jobs:
     if: (contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'push') && github.repository_owner != 'jenkinsci'
     uses: jenkins-infra/jenkins-security-scan/.github/workflows/jenkins-security-scan.yaml@v2
     with:
-      java-cache: 'maven' # Optionally enable use of a build dependency cache. Specify 'maven' or 'gradle' as appropriate.
-      # java-version: 21 # Optionally specify what version of Java to set up for the build, or remove to use a recent default.
+      java-cache: 'maven'