WIP Libaaec 38 migrate from circle ci to GitHub actions to handle ci #32
name: Ensure Brakeman Passes | |
on: | |
pull_request: | |
types: [opened, synchronize, reopened] | |
jobs: | |
brakeman: | |
runs-on: ubuntu-latest | |
steps: | |
# Step 1: Checkout the code | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
# Step 2: Set up Ruby | |
- name: Set up Ruby | |
uses: ruby/setup-ruby@v1 | |
with: | |
bundler-cache: true # Enable gem caching | |
# Step 3: Install Dependencies | |
- name: Install Dependencies | |
run: bundle install | |
# Step 4: Run Brakeman and Save Outputs | |
- name: Run Brakeman (Human-readable and JSON outputs) | |
run: | | |
mkdir -p tmp | |
bundle exec brakeman --no-exit-on-warn -o tmp/brakeman-output.json | |
env: | |
BRAKEMAN_FORMAT: json | |
# Step 5: Debug Brakeman Output | |
- name: Display Brakeman Report | |
run: | | |
echo "Brakeman Report (JSON):" | |
cat tmp/brakeman-output.json || echo "Brakeman report is missing or empty." | |
# Step 6: Upload the Brakeman Report | |
- name: Upload Brakeman Report | |
uses: actions/upload-artifact@v4 | |
with: | |
name: brakeman-report | |
path: tmp/brakeman-output.json | |
# Step 7: Fail if High-Severity Issues Detected | |
- name: Fail on High-Severity Issues | |
run: | | |
HIGH_SEVERITY_COUNT=$(jq '.warnings | map(select(.confidence == "High")) | length' tmp/brakeman-output.json) | |
echo "High severity issues: $HIGH_SEVERITY_COUNT" | |
if [ "$HIGH_SEVERITY_COUNT" -gt 0 ]; then | |
echo "Brakeman detected high-severity issues. Failing the job." | |
exit 1 | |
fi | |
env: | |
BRAKEMAN_FORMAT: json |
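Review bot: The workflow declares no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope even though none of the seven steps need more than read access; add `permissions:` / `  contents: read` at the top level (between `on:` and `jobs:`) to keep the token least-privilege. In the same spirit, `actions/checkout@v3`, `ruby/setup-ruby@v1` and `actions/upload-artifact@v4` are mutable major tags — pinning each to a full commit SHA with the version in a trailing comment (e.g. `uses: actions/checkout@<full-sha>  # v3`) removes the supply-chain exposure of a retagged action. The `bundle install` step is redundant once `bundler-cache: true` is set, since setup-ruby already installs the bundle, and the `BRAKEMAN_FORMAT: json` env entries on the run steps are not referenced by any command in the hunk (the `-o ...json` path already selects the format), so they presumably can be dropped or documented with `# output format is chosen by the -o file extension`. Note also that only `confidence == "High"` findings fail the job while `--no-exit-on-warn` suppresses Brakeman's own failure, so Medium-confidence warnings pass silently — worth a comment on step 7 stating that this is intentional.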