-
Notifications
You must be signed in to change notification settings - Fork 0
[codex] Add checked-in GitHub Actions consumer workflow example #38
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
85 changes: 85 additions & 0 deletions
85
tools/sbom-diff-and-risk/examples/github-actions-consumer.yml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,85 @@ | ||
| # Example only. | ||
| # Copy this file into a consumer repository under .github/workflows/ if useful. | ||
| # This repository does not run this file as a workflow. | ||
| # Production PyPI publishing for sbom-diff-and-risk is intentionally deferred; | ||
| # install from a GitHub Release asset or local checkout instead. | ||
|
|
||
| name: Dependency diff review | ||
|
|
||
| on: | ||
| pull_request: | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| dependency-diff: | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out consumer repository | ||
| uses: actions/checkout@v6 | ||
|
|
||
| - name: Set up Python | ||
| uses: actions/setup-python@v6 | ||
| with: | ||
| python-version: "3.x" | ||
|
|
||
| - name: Download sbom-diff-and-risk release wheel | ||
| env: | ||
| GH_TOKEN: ${{ github.token }} | ||
| run: | | ||
| mkdir -p .tooling/sbom-diff-risk | ||
| gh release download v0.6.0 \ | ||
| --repo stacknil/scientific-computing-toolkit \ | ||
| --pattern "sbom_diff_and_risk-0.6.0-py3-none-any.whl" \ | ||
| --dir .tooling/sbom-diff-risk | ||
|
|
||
| - name: Install sbom-diff-risk | ||
| run: | | ||
| python -m pip install \ | ||
| .tooling/sbom-diff-risk/sbom_diff_and_risk-0.6.0-py3-none-any.whl | ||
|
|
||
| - name: Compare dependency evidence | ||
| run: | | ||
| mkdir -p outputs | ||
| sbom-diff-risk compare \ | ||
| --before path/to/before-sbom.json \ | ||
| --after path/to/after-sbom.json \ | ||
| --format auto \ | ||
| --out-json outputs/report.json \ | ||
| --out-md outputs/report.md \ | ||
| --summary-json outputs/summary.json \ | ||
| --out-sarif outputs/report.sarif | ||
|
|
||
| - name: Apply local summary threshold | ||
| run: | | ||
| python - <<'PY' | ||
| import json | ||
| from pathlib import Path | ||
|
|
||
| summary = json.loads( | ||
| Path("outputs/summary.json").read_text(encoding="utf-8") | ||
| ) | ||
| risk_counts = summary["risk_counts"] | ||
|
|
||
| max_new_packages = 2 | ||
| new_package_count = risk_counts.get("new_package", 0) | ||
| print(f"new_package={new_package_count}") | ||
|
|
||
| if new_package_count > max_new_packages: | ||
| raise SystemExit( | ||
| f"new_package count exceeds local threshold: {max_new_packages}" | ||
| ) | ||
| PY | ||
|
|
||
| - name: Upload dependency diff outputs | ||
| uses: actions/upload-artifact@v7 | ||
| with: | ||
| name: dependency-diff-outputs | ||
| path: | | ||
| outputs/report.json | ||
| outputs/report.md | ||
| outputs/summary.json | ||
| outputs/report.sarif | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If
new_package_countexceeds the threshold, the prior step exits non-zero, and this upload step is skipped because GitHub Actions applies a defaultsuccess()condition to steps without an explicit status check. In that common policy-failure scenario, the workflow dropsreport.json,report.md,summary.json, andreport.sarif, which prevents reviewers from inspecting the exact failure output; add an explicit condition such asif: ${{ always() }}(or!cancelled()) on the upload step to retain artifacts for failed runs.Useful? React with 👍 / 👎.