.github/workflows/push.yml

# SPDX-FileCopyrightText: 2022 WebReady Projects <https://github.com/wr-projects/>
#
# SPDX-License-Identifier: MIT
---
name: Pipeline - Push
on: push

permissions:
  actions: write
  contents: read
  pull-requests: read

jobs:

  gitguardian:
    name: GitGuardian Scanner
    runs-on: ubuntu-latest
    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}

    steps:
      # More info: https://github.com/step-security/harden-runner.
      - name: Harden Runner
        id: harden_runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.gitguardian.com:443
            github.com:443

      - name: Checkout & Authentication
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          persist-credentials: false
          fetch-depth: 0

      # More info: https://github.com/GitGuardian/ggshield-action
      - name: GitGuardian Scanner
        uses: GitGuardian/gg-shield-action@0cb2e309a0ce2cd43141dc998c28d9b225a7a1fe
        with:
          args: -v --all-policies
        env:
          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITHUB_PUSH_BASE_SHA: ${{ github.event.before }}
          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}

  # More info: https://github.com/marketplace/actions/anchore-sbom-action
  sbom:
    needs: [gitguardian]
    name: "SBOM"
    runs-on: ubuntu-latest
    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}

    steps:
      # More info: https://github.com/step-security/harden-runner.
      - name: Harden Runner
        id: harden_runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
        with:
          egress-policy: audit

      - name: Downloading Syft
        id: syft
        uses: anchore/sbom-action/download-syft@1ca97d9028b51809cf6d3c934c3e160716e1b605

      - name: Generate SBOM file
        uses: anchore/sbom-action@1ca97d9028b51809cf6d3c934c3e160716e1b605
        with:
          artifact-name: sbom.spdx
          format: spdx
          dependency-snapshot: true

      - name: Publish SBOM File
        uses: anchore/sbom-action/publish-sbom@1ca97d9028b51809cf6d3c934c3e160716e1b605
        with:
          sbom-artifact-match: ".*\\.spdx$"