Merge pull request #944 from fluxcd/build/codeql-on-push

.github/workflows/bootstrap.yaml

@@ -2,12 +2,14 @@ name: bootstrap
 
 on:
   push:
-    branches:
-      - '*'
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
 
 jobs:
   github:
     runs-on: ubuntu-latest
+    if: ${{ github.repository_owner == 'fluxcd' }}
     steps:
       - name: Checkout
         uses: actions/checkout@v2

.github/workflows/docs.yaml

@@ -1,9 +1,8 @@
 name: Publish docs via GitHub Pages
+
 on:
   push:
-    branches:
-      - docs*
-      - main
+    branches: [ 'docs*', main ]
 
 jobs:
   build:

.github/workflows/e2e.yaml

@@ -1,10 +1,10 @@
 name: e2e
 
 on:
-  pull_request:
   push:
-    branches:
-      - main
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
 
 jobs:
   kind:

.github/workflows/rebase.yaml

@@ -2,9 +2,9 @@ name: rebase
 
 on:
   pull_request:
-    types: [opened]
+    types: [ opened ]
   issue_comment:
-    types: [created]
+    types: [ created ]
 
 jobs:
   rebase:

.github/workflows/release.yaml

@@ -2,8 +2,7 @@ name: release
 
 on:
   push:
-    tags:
-      - '*'
+    tags: [ '*' ]
 
 jobs:
   goreleaser:

.github/workflows/scan.yaml

@@ -0,0 +1,55 @@
+name: Scan
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '18 10 * * 3'
+
+jobs:
+  fossa:
+    name: FOSSA
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Run FOSSA scan and upload build data
+        uses: fossa-contrib/fossa-action@v1
+        with:
+          # FOSSA Push-Only API Token
+          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
+          github-token: ${{ github.token }}
+
+  snyk:
+    name: Snyk
+    runs-on: ubuntu-latest
+    if: ${{ github.repository_owner == 'fluxcd' }}
+    steps:
+      - uses: actions/checkout@v2
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/golang@master
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --sarif-file-output=snyk.sarif
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: snyk.sarif
+
+  codeql:
+    name: CodeQL
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v1
+        with:
+          languages: go
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v1
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v1

.github/workflows/scan.yml

@@ -1,44 +0,0 @@
-name: scan
-on:
-  push:
-  pull_request:
-    branches: [main]
-
-jobs:
-  analyze:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
-        with:
-          go-version: 1.15.x
-      - name: FOSSA Analysis
-        if: github.event_name == 'pull_request'
-        uses: fossa-contrib/fossa-action@v1
-        with:
-          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
-          github-token: ${{ github.token }}
-      - name: CodeQL Init
-        if: github.event_name == 'pull_request'
-        uses: github/codeql-action/init@v1
-        with:
-          languages: "go"
-      - name: CodeQL Autobuild
-        if: github.event_name == 'pull_request'
-        uses: github/codeql-action/autobuild@v1
-      - name: CodeQL Analysis
-        if: github.event_name == 'pull_request'
-        uses: github/codeql-action/analyze@v1
-      - name: Snyk Init
-        if: github.event_name == 'push'
-        uses: snyk/actions/setup@master
-      - name: Snyk Analysis
-        if: github.event_name == 'push'
-        run: snyk test --sarif-file-output=snyk.sarif
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-      - name: Snyk Upload result to GitHub Code Scanning
-        if: github.event_name == 'push'
-        uses: github/codeql-action/upload-sarif@v1
-        with:
-          sarif_file: snyk.sarif

docs/internal/release.md

@@ -130,7 +130,7 @@ Upgrade procedure:
 
 `fluxcd/flux2`:
 
-1. Update the `github.com/fluxcd/*-controller/api` version in `flux2/go.mod` (automated with [GitHub Actions](../../.github/workflows/update.yml))
+1. Update the `github.com/fluxcd/*-controller/api` version in `flux2/go.mod` (automated with [GitHub Actions](../../.github/workflows/update.yaml))
 1. Update the `github.com/fluxcd/pkg/*` version in `flux2/go.mod`
 1. Update the `k8s.io/*` and `github.com/fluxcd/pkg/runtime` version in `flux2/go.mod`