Add the ability to manually launch the zap scanner (#691)

* Add zap scanning for DocumentServer * Set branch name as ref for manual trigger * Use master as default zap action branch * Move zap action to master branch * Fix token variable name * Small cosmetic fix * Modify zap action trigger condition Run zap scanner only when documentserver edition hit community and branch hit in `release/` or `hotfix/`
2023-12-19 11:45:12 +03:00 · 2023-12-19 11:45:12 +03:00 · 276c5da9f5
commit 276c5da9f5
parent 6fc2b27fcf
1 changed files with 26 additions and 0 deletions
--- a/.github/workflows/4testing-build.yml
+++ b/.github/workflows/4testing-build.yml
@ -101,6 +101,7 @@ jobs:
          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}

      - name: Build 4testing
+        id: build-ds
        run: |
          set -eux

@ -145,4 +146,29 @@ jobs:

          docker buildx bake -f docker-bake.hcl ${{ matrix.image }} --push
          echo "DONE: Build success"
+
+          ### Set output for Zap scanner
+          ### NOTE: Output will be used only in release/hotfix branches
+          
+          echo "version=${TAG}" >> "$GITHUB_OUTPUT"
+          echo "branch=${BRANCH_NAME}" >> "$GITHUB_OUTPUT"
        shell: bash
+
+      # Run scanner only when edition is community 
+      # and branch hit release/ or hotfix/
+      - name: Trigger zap manualy
+        if: >-
+             matrix.edition == '' &&
+             (startsWith(steps.build-ds.outputs.branch, 'release/') ||
+              startsWith(steps.build-ds.outputs.branch, 'hotfix/'))
+        env:
+          VERSION: ${{ steps.build-ds.outputs.version }}
+          BRANCH: ${{ steps.build-ds.outputs.branch }}
+          GITHUB_TOKEN: ${{ secrets.TOKEN }}
+        run: |
+            gh workflow run zap-ds.yaml \
+                 --repo ${{ github.repository }} \
+                 -f branch=${BRANCH} \
+                 -f version=${VERSION}
+        shell: bash
+