From 1f8c6a04a47cc65169b484e5da47ae4e9c353561 Mon Sep 17 00:00:00 2001 From: PPawlowski Date: Thu, 15 Jan 2026 20:15:18 +0100 Subject: [PATCH 01/15] Add options to upload SAST scan results to GitHub and PR comments --- .github/workflows/sast_scan.yaml | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sast_scan.yaml b/.github/workflows/sast_scan.yaml index 9a7c6f7..9e78d92 100644 --- a/.github/workflows/sast_scan.yaml +++ b/.github/workflows/sast_scan.yaml @@ -7,6 +7,16 @@ on: required: false type: string default: 'NONE' + upload_results_to_ghas: + description: 'Upload the scan results to GitHub Advanced Security' + required: false + type: boolean + default: true + upload_results_to_pr: + description: 'Upload the scan results as a comment on the pull request' + required: false + type: boolean + default: false jobs: codebase-scan: @@ -16,6 +26,7 @@ jobs: contents: read security-events: write actions: read + pull-requests: write steps: - name: Checkout code @@ -43,7 +54,14 @@ jobs: - name: Upload scan results to GitHub uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10 - if: always() + if: ${{ inputs.upload_results_to_ghas }} with: sarif_file: 'trivy-results.sarif' category: 'trivy-sast' + + - name: Upload scan results to PR + uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4 + if: ${{ inputs.upload_results_to_pr && github.event_name == 'pull_request' }} + with: + header: '## SAST Scan Results' + path: 'trivy-results.sarif' From 7ffadd408078581b97cf59ae048206768d423153 Mon Sep 17 00:00:00 2001 From: PPawlowski Date: Thu, 15 Jan 2026 20:20:07 +0100 Subject: [PATCH 02/15] Upload SAST scan result to GHAction summary --- .github/workflows/sast_scan.yaml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sast_scan.yaml b/.github/workflows/sast_scan.yaml index 9e78d92..6f6f629 100644 
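Review bot: The third hunk replaces `if: always()` on the `Upload scan results to GitHub` step with `if: ${{ inputs.upload_results_to_ghas }}`, so when the Trivy step fails (for instance because it is configured to exit non-zero on findings) the SARIF is no longer uploaded and the findings never reach code scanning; keep both conditions, `if: ${{ always() && inputs.upload_results_to_ghas }}`, and consider the same for the new comment step. The new `Upload scan results to PR` step posts the raw SARIF JSON verbatim via `path: 'trivy-results.sarif'`, which is unreadable as a comment, can exceed GitHub's comment size limit, and — because Trivy copies file paths and finding text from the scanned tree into the SARIF — lets a pull-request author place arbitrary markdown into a comment posted under the workflow's token; render a short, escaped summary instead and treat the file content as untrusted. `pull-requests: write` in the second hunk is granted unconditionally even when `upload_results_to_pr` is false; since this is a reusable workflow, document that callers must grant it too, and note that on `pull_request` runs from forks the token is read-only, so the comment step will fail there regardless.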
--- a/.github/workflows/sast_scan.yaml +++ b/.github/workflows/sast_scan.yaml @@ -64,4 +64,19 @@ jobs: if: ${{ inputs.upload_results_to_pr && github.event_name == 'pull_request' }} with: header: '## SAST Scan Results' - path: 'trivy-results.sarif' + path: 'trivy-results.sarif' + + - name: Publish Trivy Output to Summary + if: ${{ !inputs.upload_results_to_ghas }} + run: | + if [[ -s trivy-results.sarif ]]; then + { + echo "### Security Output" + echo "
Click to expand" + echo "" + echo '```terraform' + cat trivy-results.sarif + echo '```' + echo "
" + } >> $GITHUB_STEP_SUMMARY + fi From fd47e5fab25f750a85fbcf9a03fbc7189cf4faaa Mon Sep 17 00:00:00 2001 From: PPawlowski Date: Thu, 15 Jan 2026 20:52:47 +0100 Subject: [PATCH 03/15] Switch to junit results approach --- .github/workflows/notify_on_slack.yml | 71 +++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 .github/workflows/notify_on_slack.yml diff --git a/.github/workflows/notify_on_slack.yml b/.github/workflows/notify_on_slack.yml new file mode 100644 index 0000000..b3d7724 --- /dev/null +++ b/.github/workflows/notify_on_slack.yml 
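Review bot: The `Publish Trivy Output to Summary` step `cat`s the entire SARIF into a fenced block, so any finding text or file path from the scanned tree that contains a triple backtick closes the fence early and the remainder renders as markdown/HTML in the job summary, and for a repository with many findings the file will exceed the step-summary size cap and the write is silently truncated. The fence is also labelled `terraform` although the content is JSON. Emit a size-bounded, backtick-stripped list of `ruleId`/`message.text` pairs with `jq` rather than the raw file, and quote the redirect target, `} >> "$GITHUB_STEP_SUMMARY"`. The `<details>` markup around `Click to expand` appears to have been lost in this rendering of the hunk, so the surrounding `echo` lines could not be checked as committed.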
@@ -0,0 +1,71 @@ +name: Send Slack notification +on: + workflow_call: + +jobs: + notify: + name: Notify about pre-staging deployment + runs-on: ubuntu-latest + + steps: + - name: Map users + id: map-actor-to-slack + uses: icalia-actions/map-github-actor@e568d1dd6023e406a1db36db4e1e0b92d9dd7824 # v0.0.2 + with: + actor-map: ${{ vars.SLACK_GITHUB_USERS_MAP }} + default-mapping: C067BD0377F + + - name: Post to a Slack channel + id: slack + uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1 + with: + channel-id: 'C067BD0377F' + payload: | + { + "blocks": [ + { + "type": "header", + "text": { + "type": "plain_text", + "text": "Pull Request ${{ env.PR_NUMBER }} pre-staging deployment", + "emoji": true + } + }, + { + "type": "section", + "fields": [ + { + "type": "mrkdwn", + "text": "*Status:*\n${{ needs.deploy.result == 'success' && ':white_check_mark: Success' || ':x: Failure '}}" + }, + { + "type": "mrkdwn", + "text": "*Pull Request:*\n" + }, + { + "type": "mrkdwn", + "text": "*Workflow run:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View>" + } + ] + }, + { + "type": "section", + "fields": [ + { + "type": "mrkdwn", + "text": "*Author:*\n<@${{ steps.map-actor-to-slack.outputs.actor-mapping }}>" + }, + { + "type": "mrkdwn", + "text": "*Commit SHA:*\n<${{ github.server_url }}/${{ github.repository }}/commit/${{ github.event.pull_request.head.sha }}|${{ github.event.pull_request.head.sha }}>" + }, + { + "type": "mrkdwn", + "text": "*Deployed to:*\n" + } + ] + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_GHBOT_TOKEN }} \ No newline at end of file From 8f14bbd8ec9469484410afaef7b38df55d02ebaf Mon Sep 17 00:00:00 2001 From: PPawlowski Date: Thu, 15 Jan 2026 20:56:34 +0100 Subject: [PATCH 04/15] Check junit approach --- .github/workflows/sast_scan.yaml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) 
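Review bot: The Slack payload reads `needs.deploy.result` and `env.PR_NUMBER`, but this `workflow_call` workflow declares no `deploy` job dependency and no inputs, and a called reusable workflow does not inherit the caller's `env`, so both expand to empty — the status field will always render as Failure and the header loses its PR number. Declare them as `workflow_call` inputs (e.g. `inputs.pr_number`, `inputs.deploy_result`) and have the caller pass them explicitly. The payload is built by interpolating `${{ }}` expressions straight into JSON; the values used here (`head.sha`, `run_id`, `repository`, and a mapping derived from `vars.SLACK_GITHUB_USERS_MAP`) are not attacker-controlled, so add a comment above `payload: |` such as `# Only interpolate trusted values here: PR title/body/branch names are attacker-controlled and would break or inject into this JSON` to keep it that way. The channel ID `C067BD0377F` is hard-coded twice (`default-mapping` and `channel-id`); move it to a repository variable alongside the user map. The `*Pull Request:*` and `*Deployed to:*` fields are empty in this rendering, which may be extraction loss of a `<url|label>` link rather than the committed content, and the commit subject ("Switch to junit results approach") does not describe the file being added.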
diff --git a/.github/workflows/sast_scan.yaml b/.github/workflows/sast_scan.yaml index 6f6f629..b35a6d2 100644 --- a/.github/workflows/sast_scan.yaml +++ b/.github/workflows/sast_scan.yaml @@ -61,13 +61,19 @@ jobs: - name: Upload scan results to PR uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4 - if: ${{ inputs.upload_results_to_pr && github.event_name == 'pull_request' }} + if: false with: header: '## SAST Scan Results' path: 'trivy-results.sarif' + - name: Publish Test Report + uses: mikepenz/action-junit-report@v5 + if: ${{ inputs.upload_results_to_pr && github.event_name == 'pull_request' }} + with: + report_paths: '**/trivy-results.sarif' + - name: Publish Trivy Output to Summary - if: ${{ !inputs.upload_results_to_ghas }} + if: ${{ false }} run: | if [[ -s trivy-results.sarif ]]; then { From 5316ce912dd2efd1a09774b49272888094badc76 Mon Sep 17 00:00:00 2001 From: PPawlowski Date: Thu, 15 Jan 2026 20:59:49 +0100 Subject: [PATCH 05/15] Add PR comment with tests result --- .github/workflows/sast_scan.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/sast_scan.yaml b/.github/workflows/sast_scan.yaml index b35a6d2..00054cc 100644 --- a/.github/workflows/sast_scan.yaml +++ b/.github/workflows/sast_scan.yaml @@ -71,6 +71,8 @@ jobs: if: ${{ inputs.upload_results_to_pr && github.event_name == 'pull_request' }} with: report_paths: '**/trivy-results.sarif' + comment: true + - name: Publish Trivy Output to Summary if: ${{ false }} From 8231a9d2b31830bbb0ec0c693eaa5453a09fa4a5 Mon Sep 17 00:00:00 2001 From: PPawlowski Date: Thu, 15 Jan 2026 21:03:33 +0100 Subject: [PATCH 06/15] Improive pr comment --- .github/workflows/sast_scan.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sast_scan.yaml b/.github/workflows/sast_scan.yaml index 00054cc..189db2e 100644 --- a/.github/workflows/sast_scan.yaml +++ b/.github/workflows/sast_scan.yaml 
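Review bot: The new `Publish Test Report` step uses `mikepenz/action-junit-report@v5`, a mutable tag, while every other action in this file is pinned to a full commit SHA with a version comment; pin it the same way, `uses: mikepenz/action-junit-report@<full-sha> # v5.x`, since this step runs with `pull-requests: write` on pull-request events and a moved tag would execute unreviewed code with that token. Its `report_paths: '**/trivy-results.sarif'` points a JUnit XML parser at a SARIF (JSON) file, so it will report nothing or fail to parse rather than surface findings; this approach only works if Trivy is also run with its JUnit template output into a separate file. Disabling the previous comment step with `if: false` and the summary step with `if: ${{ false }}` leaves dead steps in the workflow; delete them rather than keeping them behind a constant condition. The following patch, which only adds `comment: true` to this step, shares this anchor.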
@@ -27,6 +27,7 @@ jobs: security-events: write actions: read pull-requests: write + checks: write steps: - name: Checkout code @@ -71,8 +72,10 @@ jobs: if: ${{ inputs.upload_results_to_pr && github.event_name == 'pull_request' }} with: report_paths: '**/trivy-results.sarif' + check_name: 'SAST Scan Report' comment: true - + detailed_summary: true + - name: Publish Trivy Output to Summary if: ${{ false }} From 2aeb3ffa4dd8304df92ebef04f57ccc526cf3f0c Mon Sep 17 00:00:00 2001 From: PPawlowski Date: Thu, 15 Jan 2026 21:18:31 +0100 Subject: [PATCH 07/15] Switch back to previous approach with PR comment --- .github/workflows/sast_scan.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/sast_scan.yaml b/.github/workflows/sast_scan.yaml index 189db2e..eb54916 100644 --- a/.github/workflows/sast_scan.yaml +++ b/.github/workflows/sast_scan.yaml @@ -62,14 +62,14 @@ jobs: - name: Upload scan results to PR uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4 - if: false + if: ${{ inputs.upload_results_to_pr && github.event_name == 'pull_request' }} with: header: '## SAST Scan Results' path: 'trivy-results.sarif' - name: Publish Test Report uses: mikepenz/action-junit-report@v5 - if: ${{ inputs.upload_results_to_pr && github.event_name == 'pull_request' }} + if: false with: report_paths: '**/trivy-results.sarif' check_name: 'SAST Scan Report' @@ -78,7 +78,7 @@ jobs: - name: Publish Trivy Output to Summary - if: ${{ false }} + if: ${{ inputs.upload_results_to_pr && github.event_name == 'pull_request' }} run: | if [[ -s trivy-results.sarif ]]; then { From 56a3a0a14a48f6a49503d883d4d396ae6ceb0282 Mon Sep 17 00:00:00 2001 From: PPawlowski Date: Fri, 16 Jan 2026 13:47:45 +0100 Subject: [PATCH 08/15] Do not add scan report to run summary --- .github/workflows/sast_scan.yaml | 16 ---------------- 1 file changed, 16 deletions(-) 
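Review bot: Patch 06 adds `checks: write` to the job permissions for the junit-report step, and patch 07 on the same line then disables that step with `if: false`, so the workflow now carries a write grant that no remaining step uses; remove `checks: write` together with the disabled step (and make sure it goes when the step is finally deleted), keeping the job's permissions to what `upload-sarif` and the PR comment actually need. Patch 07 also changes the `Publish Trivy Output to Summary` condition from `!inputs.upload_results_to_ghas` to `inputs.upload_results_to_pr && github.event_name == 'pull_request'`, so the raw SARIF is now emitted twice on PRs (comment and summary) and never on non-PR runs with GHAS upload disabled, which was the step's original purpose; if that is intended, say so in a comment on the step, otherwise restore `if: ${{ !inputs.upload_results_to_ghas }}`. The `check_name` and `detailed_summary: true` lines added in patch 06 are harmless but are now dead configuration on a step that never runs.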
diff --git a/.github/workflows/sast_scan.yaml b/.github/workflows/sast_scan.yaml index eb54916..d93b18b 100644 --- a/.github/workflows/sast_scan.yaml +++ b/.github/workflows/sast_scan.yaml @@ -75,19 +75,3 @@ jobs: check_name: 'SAST Scan Report' comment: true detailed_summary: true - - - - name: Publish Trivy Output to Summary - if: ${{ inputs.upload_results_to_pr && github.event_name == 'pull_request' }} - run: | - if [[ -s trivy-results.sarif ]]; then - { - echo "### Security Output" - echo "
Click to expand" - echo "" - echo '```terraform' - cat trivy-results.sarif - echo '```' - echo "
" - } >> $GITHUB_STEP_SUMMARY - fi From 7c3e67b547edce161bd4cab7014860bc02207132 Mon Sep 17 00:00:00 2001 From: PPawlowski Date: Thu, 15 Jan 2026 20:56:34 +0100 Subject: [PATCH 09/15] Check junit approach --- .github/workflows/sast_scan.yaml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sast_scan.yaml b/.github/workflows/sast_scan.yaml index 6f6f629..b35a6d2 100644 --- a/.github/workflows/sast_scan.yaml +++ b/.github/workflows/sast_scan.yaml @@ -61,13 +61,19 @@ jobs: - name: Upload scan results to PR uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4 - if: ${{ inputs.upload_results_to_pr && github.event_name == 'pull_request' }} + if: false with: header: '## SAST Scan Results' path: 'trivy-results.sarif' + - name: Publish Test Report + uses: mikepenz/action-junit-report@v5 + if: ${{ inputs.upload_results_to_pr && github.event_name == 'pull_request' }} + with: + report_paths: '**/trivy-results.sarif' + - name: Publish Trivy Output to Summary - if: ${{ !inputs.upload_results_to_ghas }} + if: ${{ false }} run: | if [[ -s trivy-results.sarif ]]; then { From 1e7a3cc8dfa1f852fe24508fc118da26a041ce38 Mon Sep 17 00:00:00 2001 From: PPawlowski Date: Thu, 15 Jan 2026 20:59:49 +0100 Subject: [PATCH 10/15] Add PR comment with tests result --- .github/workflows/sast_scan.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/sast_scan.yaml b/.github/workflows/sast_scan.yaml index b35a6d2..00054cc 100644 --- a/.github/workflows/sast_scan.yaml +++ b/.github/workflows/sast_scan.yaml @@ -71,6 +71,8 @@ jobs: if: ${{ inputs.upload_results_to_pr && github.event_name == 'pull_request' }} with: report_paths: '**/trivy-results.sarif' + comment: true + - name: Publish Trivy Output to Summary if: ${{ false }} From e3d8df4e4efa1a2de22293dd88583961aab13604 Mon Sep 17 00:00:00 2001 
From: PPawlowski Date: Thu, 15 Jan 2026 21:03:33 +0100 Subject: [PATCH 11/15] Improive pr comment --- .github/workflows/sast_scan.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sast_scan.yaml b/.github/workflows/sast_scan.yaml index 00054cc..189db2e 100644 --- a/.github/workflows/sast_scan.yaml +++ b/.github/workflows/sast_scan.yaml @@ -27,6 +27,7 @@ jobs: security-events: write actions: read pull-requests: write + checks: write steps: - name: Checkout code @@ -71,8 +72,10 @@ jobs: if: ${{ inputs.upload_results_to_pr && github.event_name == 'pull_request' }} with: report_paths: '**/trivy-results.sarif' + check_name: 'SAST Scan Report' comment: true - + detailed_summary: true + - name: Publish Trivy Output to Summary if: ${{ false }} From 5ddd221f56aaaf6420623df1190f3ee92bada687 Mon Sep 17 00:00:00 2001 From: PPawlowski Date: Thu, 15 Jan 2026 21:18:31 +0100 Subject: [PATCH 12/15] Switch back to previous approach with PR comment --- .github/workflows/sast_scan.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/sast_scan.yaml b/.github/workflows/sast_scan.yaml index 189db2e..eb54916 100644 --- a/.github/workflows/sast_scan.yaml +++ b/.github/workflows/sast_scan.yaml @@ -62,14 +62,14 @@ jobs: - name: Upload scan results to PR uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4 - if: false + if: ${{ inputs.upload_results_to_pr && github.event_name == 'pull_request' }} with: header: '## SAST Scan Results' path: 'trivy-results.sarif' - name: Publish Test Report uses: mikepenz/action-junit-report@v5 - if: ${{ inputs.upload_results_to_pr && github.event_name == 'pull_request' }} + if: false with: report_paths: '**/trivy-results.sarif' check_name: 'SAST Scan Report' 
@@ -78,7 +78,7 @@ jobs: - name: Publish Trivy Output to Summary - if: ${{ false }} + if: ${{ inputs.upload_results_to_pr && github.event_name == 'pull_request' }} run: | if [[ -s trivy-results.sarif ]]; then { From d3c841c26b21757f1e216ece64123da5c1180c93 Mon Sep 17 00:00:00 2001 From: PPawlowski Date: Fri, 16 Jan 2026 13:47:45 +0100 Subject: [PATCH 13/15] Do not add scan report to run summary --- .github/workflows/sast_scan.yaml | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/.github/workflows/sast_scan.yaml b/.github/workflows/sast_scan.yaml index eb54916..d93b18b 100644 --- a/.github/workflows/sast_scan.yaml +++ b/.github/workflows/sast_scan.yaml @@ -75,19 +75,3 @@ jobs: check_name: 'SAST Scan Report' comment: true detailed_summary: true - - - - name: Publish Trivy Output to Summary - if: ${{ inputs.upload_results_to_pr && github.event_name == 'pull_request' }} - run: | - if [[ -s trivy-results.sarif ]]; then - { - echo "### Security Output" - echo "
Click to expand" - echo "" - echo '```terraform' - cat trivy-results.sarif - echo '```' - echo "
" - } >> $GITHUB_STEP_SUMMARY - fi From dda08c28266330d4affd58a74518b162c4c5da7c Mon Sep 17 00:00:00 2001 From: PPawlowski Date: Fri, 16 Jan 2026 13:57:06 +0100 Subject: [PATCH 14/15] Revert "Merge branch 'fix-sast-no-gh-upload' of github.com:flowforge/github-actions-workflows into fix-sast-no-gh-upload" This reverts commit 6f786e5cb758eecd978320c14c1ab25deadcd0d4, reversing changes made to d3c841c26b21757f1e216ece64123da5c1180c93. --- .github/workflows/notify_on_slack.yml | 71 --------------------------- 1 file changed, 71 deletions(-) delete mode 100644 .github/workflows/notify_on_slack.yml diff --git a/.github/workflows/notify_on_slack.yml b/.github/workflows/notify_on_slack.yml deleted file mode 100644 index b3d7724..0000000 --- a/.github/workflows/notify_on_slack.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -name: Send Slack notification -on: - workflow_call: - -jobs: - notify: - name: Notify about pre-staging deployment - runs-on: ubuntu-latest - - steps: - - name: Map users - id: map-actor-to-slack - uses: icalia-actions/map-github-actor@e568d1dd6023e406a1db36db4e1e0b92d9dd7824 # v0.0.2 - with: - actor-map: ${{ vars.SLACK_GITHUB_USERS_MAP }} - default-mapping: C067BD0377F - - - name: Post to a Slack channel - id: slack - uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1 - with: - channel-id: 'C067BD0377F' - payload: | - { - "blocks": [ - { - "type": "header", - "text": { - "type": "plain_text", - "text": "Pull Request ${{ env.PR_NUMBER }} pre-staging deployment", - "emoji": true - } - }, - { - "type": "section", - "fields": [ - { - "type": "mrkdwn", - "text": "*Status:*\n${{ needs.deploy.result == 'success' && ':white_check_mark: Success' || ':x: Failure '}}" - }, - { - "type": "mrkdwn", - "text": "*Pull Request:*\n" - }, - { - "type": "mrkdwn", - "text": "*Workflow run:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View>" - } - ] - }, - { - "type": "section", - "fields": [ - { - "type": "mrkdwn", - "text": "*Author:*\n<@${{ steps.map-actor-to-slack.outputs.actor-mapping }}>" - }, - { - "type": "mrkdwn", - "text": "*Commit SHA:*\n<${{ github.server_url }}/${{ github.repository }}/commit/${{ github.event.pull_request.head.sha }}|${{ github.event.pull_request.head.sha }}>" - }, - { - "type": "mrkdwn", - "text": "*Deployed to:*\n" - } - ] - } - ] - } - env: - SLACK_BOT_TOKEN: ${{ secrets.SLACK_GHBOT_TOKEN }} \ No newline at end of file From 00f454cd6461115565c2817dd0d3344a9889a09e Mon Sep 17 00:00:00 2001 From: PPawlowski Date: Fri, 16 Jan 2026 14:18:32 +0100 Subject: [PATCH 15/15] Remove junit publish step --- .github/workflows/sast_scan.yaml | 9 --------- 1 file changed, 9 deletions(-) 
diff --git a/.github/workflows/sast_scan.yaml b/.github/workflows/sast_scan.yaml index d93b18b..b691138 100644 --- a/.github/workflows/sast_scan.yaml +++ b/.github/workflows/sast_scan.yaml @@ -66,12 +66,3 @@ jobs: with: header: '## SAST Scan Results' path: 'trivy-results.sarif' - - - name: Publish Test Report - uses: mikepenz/action-junit-report@v5 - if: false - with: - report_paths: '**/trivy-results.sarif' - check_name: 'SAST Scan Report' - comment: true - detailed_summary: true