diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml index cd76bb0..3809eb3 100644 --- a/.github/workflows/ci-main-pull-request.yml +++ b/.github/workflows/ci-main-pull-request.yml @@ -756,6 +756,53 @@ jobs: # https://go.googlesource.com/vuln - govulncheck is same as BlackDuck SCA backend, redundant to add it here + - name: Checkout repository for PL/pgSQL checks + if: inputs.language == 'plpgsql' + uses: actions/checkout@v6 + with: + fetch-depth: 0 + - name: PL/pgSQL language checks - ShellCheck + if: inputs.language == 'plpgsql' + run: | + echo "Running ShellCheck on shell scripts" + sudo apt-get update && sudo apt-get install -y shellcheck + find . -name '*.sh' -not -path './.git/*' -print0 | xargs -0 shellcheck --severity=warning || true + - name: PL/pgSQL language checks - SQL lint + if: inputs.language == 'plpgsql' + run: | + echo "Running SQL syntax validation on PL/pgSQL files" + # Basic SQL syntax check: filter comments and validate non-empty SQL statements + ERRORS=0 + for f in $(find . -name '*.sql' -not -path './.git/*' -not -path '*/revert/*'); do + # Strip comments and check for basic syntax issues + perl -e ' + local $/; + $_ = <>; + s/--.*$//gm; + s!/\*.*?\*/!!gs; + s/^\s+//; s/\s+$//; + exit 0 if /\A\s*\z/; + exit 0; + ' "$f" + if [ $? -ne 0 ]; then + echo "⚠️ Syntax issue in: $f" + ERRORS=$((ERRORS + 1)) + fi + done + echo "SQL validation complete. Issues found: $ERRORS" + - name: PL/pgSQL language checks - Dockerfile lint + if: inputs.language == 'plpgsql' + run: | + echo "Validating Dockerfiles" + for df in $(find . -name 'Dockerfile' -not -path './.git/*'); do + echo "Checking $df" + # Basic Dockerfile validation - check for FROM instruction + if ! grep -q '^FROM' "$df"; then + echo "⚠️ Missing FROM instruction in $df" + else + echo "✅ $df is valid" + fi + done language-agnostic-checks: name: 'Language-agnostic pre-compilation steps' if: inputs.perform-language-linting 
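Review bot: The "SQL lint" step in the middle of the hunk cannot report anything: the embedded perl program ends in `exit 0` on every path, so `ERRORS` is always 0, and even if it did fail, the runner's default `bash -e` (unless a custom `shell:` is set, which this hunk does not show) would abort the step at the perl call before `if [ $? -ne 0 ]` is ever evaluated. It is also not a syntax check — it only strips comments — so the "Syntax issue" message and the "SQL syntax validation" banner overstate what is verified; if the intent, as the step's own comment suggests, is to flag files that are empty once comments are removed, the empty-file branch should exit non-zero, the check should sit in the `if` condition, and the file list should be NUL-delimited instead of the word-splitting `for f in $(find …)`. The ShellCheck step's `|| true` and the Dockerfile step likewise only log, so none of the three new steps can fail the job; either document them as advisory or let the counter fail the step as in the last line below.
```yaml
          ERRORS=0
          # NUL-delimited paths survive spaces; process substitution keeps ERRORS in this shell
          while IFS= read -r -d '' f; do
            # Under the runner's default `bash -e` a failing command outside an `if` aborts the
            # step before `$?` can be read, so the check lives in the condition itself.
            if ! perl -e '
              local $/;
              $_ = <>;
              s/--.*$//gm;
              s!/\*.*?\*/!!gs;
              s/^\s+//; s/\s+$//;
              # a file that is empty once comments are stripped is what this step is meant to catch
              exit 1 if /\A\s*\z/;
              exit 0;
            ' "$f"; then
              echo "⚠️ No SQL statements found (after stripping comments) in: $f"
              ERRORS=$((ERRORS + 1))
            fi
          done < <(find . -name '*.sql' -not -path './.git/*' -not -path '*/revert/*' -print0)
          echo "SQL validation complete. Issues found: $ERRORS"
          # fail the step so the result is enforced rather than merely logged
          [ "$ERRORS" -eq 0 ]
```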
@@ -902,7 +949,7 @@ jobs: run-grype-image: name: 'Grype Docker image scan' if: ${{ inputs.perform-grype-image-scan }} - uses: chef/common-github-actions/.github/workflows/grype.yml@main + uses: chef/common-github-actions/.github/workflows/grype.yml@add-plpgsql-support needs: checkout secrets: inherit with: diff --git a/.github/workflows/grype.yml b/.github/workflows/grype.yml index f9d5931..439f60d 100644 --- a/.github/workflows/grype.yml +++ b/.github/workflows/grype.yml @@ -35,7 +35,7 @@ jobs: uses: actions/checkout@v6 with: fetch-depth: 0 - + - name: Configure git for private env: GOPRIVATE: ${{ inputs.go-private-modules }} @@ -78,13 +78,27 @@ jobs: if [ -f "build-docker.sh" ]; then echo "Found build-docker.sh script - using it to build images" chmod +x build-docker.sh + + # Snapshot image names before build to detect newly built images + BEFORE_IMAGES=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep -v "^" | sort) + GITHUB_TOKEN="${{ secrets.GH_TOKEN }}" ./build-docker.sh - # Detect all images built (typically repo name or repo-name-init) - IMAGES=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep -E "^${REPO_NAME}" | grep -v "^") + # Detect newly built images by comparing before/after snapshots + AFTER_IMAGES=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep -v "^" | sort) + IMAGES=$(comm -13 <(echo "$BEFORE_IMAGES") <(echo "$AFTER_IMAGES")) + + if [ -n "$IMAGES" ]; then + echo "Detected newly built images via before/after diff" + fi + + # Fallback: try matching by repo name prefix + if [ -z "$IMAGES" ]; then + IMAGES=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep -E "^${REPO_NAME}" | grep -v "^") + fi if [ -z "$IMAGES" ]; then - echo "⚠️ No images found with prefix ${REPO_NAME} after build-docker.sh" + echo "⚠️ No images found after build-docker.sh" echo "Checking for any recently built images..." IMAGES=$(docker images --format "{{.CreatedAt}}\t{{.Repository}}:{{.Tag}}" | sort -r | head -5 | cut -f2 | grep -v "^") fi
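Review bot: The reusable-workflow reference for `run-grype-image` now points at the feature branch `add-plpgsql-support` instead of `main`, which reads like a temporary change to exercise this PR against the matching grype.yml edit; once that branch is merged and deleted the `uses:` line stops resolving, so it should be switched back before merge — to `@main`, or preferably a tag or commit SHA so the cross-repository workflow is pinned rather than tracking a mutable ref. If the branch reference is intentional, a comment on the line saying why and when it is to be reverted would help, e.g. `# TODO: revert to @main once add-plpgsql-support lands in common-github-actions`.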
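Review bot: The before/after snapshot at the top of the hunk treats every image that appears after `./build-docker.sh` as "newly built", including base and builder images pulled by `FROM` lines during the build, so Grype can end up scanning an upstream base image alongside — or, if the project image was rebuilt under a tag that already existed and therefore never shows up in `comm -13`, instead of — the image this repository actually produces. Narrowing the diff to the repository's own images before trusting it, `IMAGES=$(comm -13 <(echo "$BEFORE_IMAGES") <(echo "$AFTER_IMAGES") | grep -E "^${REPO_NAME}" || true)`, keeps the fallbacks below unchanged while avoiding scanning the wrong artefact; having `build-docker.sh` print the tags it built would be more robust still. As rendered here the `grep -v "^"` filters on the snapshot lines would discard every line; presumably that is `^<none>` with the angle-bracket text lost in rendering, but it is worth confirming in the actual file. The enclosing `run:` script begins before this hunk.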