Create CodeQl.yml #4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow uses actions that are not certified by GitHub. | |
| # They are provided by a third-party and are governed by | |
| # separate terms of service, privacy policy, and support | |
| # documentations. | |
| # Frogbot Scan and Fix does the following: | |
| # Automatically creates pull requests with fixes for vulnerable project dependencies. | |
| # Uses JFrog Xray to scan the project. | |
| # Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot | |
| # Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md | |
| name: "Frogbot Scan and Fix" | |
| on: | |
| push: | |
| branches: [ "main" , "dev" , "frogbot"] | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| security-events: write | |
| id-token: write | |
| jobs: | |
| create-fix-pull-requests: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| # IMPORTANT: | |
| # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix | |
| # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md | |
| - uses: jfrog/frogbot@v2 | |
| with: | |
| oidc-provider-name: mgm-demo | |
| oidc-audience: mgm-demo-aud | |
| env: | |
| # [Mandatory if the two conditions below are met] | |
| # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies | |
| # 2. The `installCommand` variable isn't set in your frogbot-config.yml file. | |
| # | |
| # The command that installs the project dependencies (e.g "npm i", "nuget restore" or "dotnet restore") | |
| # JF_INSTALL_DEPS_CMD: "" | |
| # [Mandatory] | |
| # JFrog platform URL | |
| JF_URL: https://${{ vars.JF_URL }}/ | |
| JFROG_CLI_LOG_LEVEL: DEBUG | |
| # [Mandatory if JF_USER and JF_PASSWORD are not provided] | |
| # JFrog access token with 'read' permissions on Xray service | |
| #JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} | |
| # [Mandatory if JF_ACCESS_TOKEN is not provided] | |
| # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD | |
| # JF_USER: ${{ secrets.JF_USER }} | |
| # [Mandatory if JF_ACCESS_TOKEN is not provided] | |
| # JFrog password. Must be provided with JF_USER | |
| # JF_PASSWORD: ${{ secrets.JF_PASSWORD }} | |
| # [Mandatory] | |
| # The GitHub token automatically generated for the job | |
| JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # [Optional] | |
| # If the machine that runs Frogbot has no access to the internat, set the name of a remote repository | |
| # in Artifactory, which proxies https://releases.jfrog.io/artifactory | |
| # The 'frogbot' executable and other tools it needs will be downloaded through this repository. | |
| # JF_RELEASES_REPO: "" | |
| # [Optional] | |
| # Frogbot will download the project dependencies, if they're not cached locally. To download the | |
| # dependencies from a virtual repository in Artifactory, set the name of of the repository. There's no | |
| # need to set this value, if it is set in the frogbot-config.yml file. | |
| # JF_DEPS_REPO: "" | |
| JF_PROJECT: ${{ vars.JF_PROJECT }} |