Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 19 additions & 4 deletions .github/workflows/scan-and-report.yml
Original file line number Diff line number Diff line change
Expand Up @@ -44,8 +44,17 @@ jobs:
- name: Send to verisimdb-data
if: steps.scan.outputs.scan_complete == 'true'
env:
DISPATCH_TOKEN: ${{ secrets.VERISIMDB_PAT || secrets.GITHUB_TOKEN }}
DISPATCH_TOKEN: ${{ secrets.VERISIMDB_PAT }}
run: |
# VERISIMDB_PAT is declared optional. Cross-repo dispatch is
# impossible with the workflow's own GITHUB_TOKEN (it is scoped
# to the calling repo), so without the PAT we skip rather than
# fail every consumer's Security Scan.
if [ -z "${DISPATCH_TOKEN}" ]; then
echo "::notice::VERISIMDB_PAT not configured; scan passed, skipping cross-repo dispatch to verisimdb-data"
exit 0
fi

REPO_NAME=$(basename $(pwd))

# Build the payload in a file: inlining the scan JSON on argv
Expand Down Expand Up @@ -73,9 +82,15 @@ jobs:
}}}' scan-result.json > dispatch-payload.json
fi

curl -sf -X POST \
# Capture the HTTP status so a rejected dispatch says *why*
# instead of a bare curl exit 22.
HTTP_STATUS=$(curl -s -o dispatch-response.json -w "%{http_code}" -X POST \
-H "Authorization: Bearer ${DISPATCH_TOKEN}" \
-H "Accept: application/vnd.github+json" \
"https://api.github.com/repos/hyperpolymath/verisimdb-data/dispatches" \
--data @dispatch-payload.json
echo "Dispatched scan results for ${REPO_NAME} to verisimdb-data"
--data @dispatch-payload.json)
if [ "${HTTP_STATUS}" -ge 300 ]; then
echo "::error::verisimdb-data dispatch failed with HTTP ${HTTP_STATUS}: $(cat dispatch-response.json)"
exit 1
fi
echo "Dispatched scan results for ${REPO_NAME} to verisimdb-data (HTTP ${HTTP_STATUS})"
Loading