Standardize Github workflow structure

Author: jfrogdixit

.github/workflows/codeql.yml …ub/workflows/codeql-evidence-example.yml.github/workflows/codeql.yml renamed to .github/workflows/codeql-evidence-example.yml .github/workflows/codeql.yml renamed to .github/workflows/codeql-evidence-example.yml

@@ -1,5 +1,4 @@
-name : "CodeQL Analysis Workflow"
-
+name : "Codeql Evidence Integration example"
 on:
   workflow_dispatch:
 
@@ -8,11 +7,12 @@ permissions:
   contents: read
   actions: read
 
-
 jobs:
   codeql:
     name: Analyse
     runs-on: ubuntu-latest
+    env:
+      ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE: true
     strategy:
       fail-fast: false
       matrix:
@@ -23,73 +23,65 @@ jobs:
             queries_path: ./examples/codeql/queries/go
 
     steps:
-      - uses: actions/checkout@v4
-        with:
-          sparse-checkout: |
-            examples/codeql/**
-          sparse-checkout-cone-mode: false
-
-      - name: Set up CodeQL for ${{ matrix.language_details.name }}
-        uses: github/codeql-action/init@v3
-        with:
-          languages: ${{ matrix.language_details.name }}
-          config-file: examples/codeql/codeql-config.yml
-          queries: ${{ matrix.language_details.queries_path }}
-
-      - name: Setup Jfrog CLI for go
+      # Build and publish the packages to JFrog Artifactory
+      - name: Setup jfrog cli
         uses: jfrog/setup-jfrog-cli@v4
         env:
           JF_URL: ${{ vars.ARTIFACTORY_URL }}
           JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}
-
-
-      - name: Setup Go
-        if: matrix.language_details.name == 'go'
-        uses: actions/setup-go@v5
-        with:
-          go-version: '1.24.3'
-
-
-      - name: Run CodeQL Analysis for ${{ matrix.language_details.name }}
-        uses: github/codeql-action/analyze@v3
+      - uses: actions/checkout@v4
         with:
-          category: "security-and-quality"
-          output: results-${{ matrix.language_details.name }}
-          upload: false
-
-      - name: Convert SARIF to Markdown
-        run: |
-          python ./examples/codeql/sarif_to_markdown.py \
-            results-${{ matrix.language_details.name }}/${{ matrix.language_details.name }}.sarif \
-            results-${{ matrix.language_details.name }}/${{ matrix.language_details.name }}-report.md
-
+          sparse-checkout: |
+            examples/codeql/**
+          sparse-checkout-cone-mode: false
       - name: Build and Publish ${{ matrix.language_details.name }} package
         env:
           GO_CODE_PATH: examples/codeql/go
           JS_CODE_PATH: examples/codeql/js
         run: |
           if [ ${{ matrix.language_details.name }} == 'go' ]; then
             cd $GO_CODE_PATH
-            # Configure JFrog CLI for Go
             jf go-config --repo-resolve=go-remote --repo-deploy=go-local \
               --server-id-deploy=setup-jfrog-cli-server \
-              --server-id-resolve=setup-jfrog-cli-server
-          
+              --server-id-resolve=setup-jfrog-cli-server          
             jf gp --build-name=my-go-build --build-number=${{ github.run_number }} v0.0.${{ github.run_number }}
             jf rt bp my-go-build ${{ github.run_number }}
           elif [ ${{ matrix.language_details.name }} == 'javascript' ]; then
             cd $JS_CODE_PATH
             jf npm-config --repo-resolve=javascript-remote --repo-deploy=javascript-local \
               --server-id-deploy=setup-jfrog-cli-server \
               --server-id-resolve=setup-jfrog-cli-server
-          
             jf npm publish --build-name=my-javascript-build --build-number=${{ github.run_number }}
             jf rt bp my-javascript-build ${{ github.run_number }}
           fi
           cd -
         continue-on-error: true
 
-      - name: Attach Evidence Using JFrog CLI
+      # Set up CodeQL and run analysis
+      - name: Set up CodeQL for ${{ matrix.language_details.name }}
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language_details.name }}
+          config-file: examples/codeql/codeql-config.yml
+          queries: ${{ matrix.language_details.queries_path }}
+
+      - name: Run CodeQL Analysis for ${{ matrix.language_details.name }}
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "security-and-quality"
+          output: results-${{ matrix.language_details.name }}
+          upload: false
+
+      # This is an optional step to generate a custom markdown report
+      - name: Generate optional custom markdown report
+        if: env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true'
+        run: |
+          python ./examples/codeql/sarif_to_markdown.py \
+            results-${{ matrix.language_details.name }}/${{ matrix.language_details.name }}.sarif \
+            results-${{ matrix.language_details.name }}/${{ matrix.language_details.name }}-report.md
+
+      # Attaching the evidence to associated package
+      - name: Attach Evidence using JFrog CLI
         run: |
           jf config show
           if [ ${{ matrix.language_details.name }} == 'go' ]; then
@@ -98,20 +90,20 @@ jobs:
             --package-name "jfrog.com/mygobuild" \
             --package-version $PACKAGE_VERSION \
             --package-repo-name go-local \
-            --key "${{ secrets.CODEQL_SIGNING_KEY }}" \
-            --key-alias ${{ vars.CODEQL_KEY_ALIAS }} \
+            --key "${{ secrets.PRIVATE_KEY }}" \
+            --key-alias "${{ vars.EVIDENCE_KEY_ALIAS }}" \
             --predicate "results-go/go.sarif" \
             --predicate-type "http://github.com/CodeQL/static-analysis" \
-            --markdown "results-go/go-report.md"
+            ${{ env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true' && '--markdown "results-go/go-report.md"' || '' }}
           elif [ ${{ matrix.language_details.name }} == 'javascript' ]; then
             PACKAGE_VERSION="0.0.1"
             jf evd create \
             --package-name my-javascript-build \
             --package-version $PACKAGE_VERSION \
             --package-repo-name javascript-local \
-            --key "${{ secrets.CODEQL_SIGNING_KEY }}" \
-            --key-alias ${{ vars.CODEQL_KEY_ALIAS }} \
+            --key "${{ secrets.PRIVATE_KEY }}" \
+            --key-alias "${{ vars.EVIDENCE_KEY_ALIAS }}" \
             --predicate "results-javascript/javascript.sarif" \
             --predicate-type "http://github.com/CodeQL/static-analysis" \
-            --markdown "results-javascript/javascript-report.md"
+            ${{ env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true' && '--markdown "results-javascript/javascript-report.md"' || '' }}
           fi

.github/workflows/dependabot-evidence-example.yml

@@ -1,4 +1,4 @@
-name: dependabot-evidence-example
+name: "Dependabot evidence integration example"
 on:
   workflow_dispatch:
 
@@ -14,50 +14,28 @@ jobs:
       IMAGE_NAME: 'dependabot-docker-image'
       BUILD_NAME: 'dependabot-evidence-eg'
       VERSION: ${{ github.run_number }}
-      REGISTRY_DOMAIN: ${{ vars.REGISTRY_DOMAIN }}
+      REGISTRY_DOMAIN: ${{ vars.JF_URL }}
+      ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE: true
 
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        
-      - name: Setup JFrog CLI
+      # Build and publish the packages to JFrog Artifactory
+      - name: Setup jfrog cli
         uses: jfrog/setup-jfrog-cli@v4
         env:
           JF_URL: ${{ vars.ARTIFACTORY_URL }}
           JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}
-        
-      - name: Log in to Artifactory Docker Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ vars.ARTIFACTORY_URL }}
-          username: ${{ secrets.JF_USER }}
-          password: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
+      - name: Checkout code
+        uses: actions/checkout@v4
       - name: Build and Push Docker Image to Artifactory
         run: |
           docker build -f ./examples/dependabot-alerts-example/Dockerfile . --tag $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION
           jf rt docker-push $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION $REPO_NAME --build-name=$BUILD_NAME --build-number=$VERSION
 
-      - name: Get Artifact Details
-        run: |
-          ARTIFACT_NAME="$REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION"
-          echo "ARTIFACT_NAME=$ARTIFACT_NAME" >> $GITHUB_ENV
-
-          IMAGE_ID=$(docker images --format "{{.ID}}" "$ARTIFACT_NAME")
-          echo "IMAGE_ID=$IMAGE_ID" >> $GITHUB_ENV
-
-          IMAGE_SIZE=$(docker images --format "{{.Size}}" "$ARTIFACT_NAME" | sed 's/MB//' | awk '{print $1 * 1024 * 1024}')
-          echo "IMAGE_SIZE=$IMAGE_SIZE" >> $GITHUB_ENV
-
-          echo "SCAN_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"" >> $GITHUB_ENV
-
+      # Fetch Dependabot Vulnerability Snapshot
+      # Github token with 'security_events: read' permission has to be provided
       - name: Fetch Dependabot Vulnerability Snapshot
-        id: dependabot_snapshot
         env: 
-          GH_TOKEN: ${{ secrets.TOKEN_GIT }}    # GitHub Token with 'security_events: read' permission is required
+          GH_TOKEN: ${{ secrets.GH_PAT }}
           OWNER: ${{ github.repository_owner }}
           REPO: ${{ github.event.repository.name }}
         run: |
@@ -76,27 +54,33 @@ jobs:
                 detectedAt: .created_at
               }
             ]' > result.json
-
           jq -n --argjson data "$(cat result.json)" '{ data: $data }' > dependabot.json
 
-      - name: Generate and Save Dependabot Markdown Report
+      # This is an optional step to generate a custom markdown report
+      - name: Generate optional custom markdown report
+        if: env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true'
         run: |
+          ARTIFACT_NAME="$REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION"
+          IMAGE_ID=$(docker images --format "{{.ID}}" "$ARTIFACT_NAME")
+          IMAGE_SIZE=$(docker images --format "{{.Size}}" "$ARTIFACT_NAME" | sed 's/MB//' | awk '{print $1 * 1024 * 1024}')
+          SCAN_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
           python ./examples/dependabot-alerts-example/markdown_helper.py \
             "dependabot.json" \
             "dependabot_report.md" \
-            "$ARTIFACT_NAME" \
+            "$REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION" \
             "$SCAN_DATE" \
             "$IMAGE_ID" \
             "$IMAGE_SIZE"
 
-      - name: Create Dependabot Evidence
+      # Attaching the evidence to associated package
+      - name: Attach Evidence using JFrog CLI
         run: |
           jf evd create \
             --package-name $IMAGE_NAME \
             --package-version $VERSION \
             --package-repo-name $REPO_NAME \
-            --key "${{ secrets.TEST_PRVT_KEY }}" \
-            --key-alias ${{ vars.TEST_PUB_KEY_ALIAS }} \
+            --key "${{ secrets.PRIVATE_KEY }}" \
+            --key-alias "${{ vars.EVIDENCE_KEY_ALIAS }}" \
             --predicate ./dependabot.json \
             --predicate-type http://Github.com/Dependabot/static-analysis \
-            --markdown dependabot_report.md
+            ${{ env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true' && '--markdown "dependabot_report.md"' || '' }}

.github/workflows/trivy-evidence-example.yml

@@ -1,5 +1,4 @@
-name: trivy-evidence-example
-
+name: "Trivy evidence integration example"
 on:
   workflow_dispatch:
 
@@ -11,52 +10,56 @@ jobs:
   package-docker-image-with-trivy-evidence:
     runs-on: ubuntu-latest
     env:
-      REGISTRY_URL: ${{ vars.REGISTRY_DOMAIN }}
+      REGISTRY_DOMAIN: ${{ vars.JF_URL }}
       REPO_NAME: 'docker-trivy-repo'
       IMAGE_NAME: 'docker-trivy-image'
       VERSION: ${{ github.run_number }}
       BUILD_NAME: 'trivy-docker-build'
+      ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE: true
 
     steps:
-      - name: Install jfrog cli
+      # Build and publish the packages to JFrog Artifactory
+      - name: Setup jfrog cli
         uses: jfrog/setup-jfrog-cli@v4
         env:
           JF_URL: ${{ vars.ARTIFACTORY_URL }}
           JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}
-
       - name: Checkout repository
         uses: actions/checkout@v4
-
-      - name: Build Docker Image
+      - name: Build and publish Docker Image to Artifactory
         run: |
-          docker build . --file ./examples/trivy-verify-example/Dockerfile --tag $REGISTRY_URL/$REPO_NAME/$IMAGE_NAME:$VERSION
+          docker build . --file ./examples/trivy-verify-example/Dockerfile --tag $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION
+          echo "Pushing Docker Image to Artifactory"
+          jf rt docker-push $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION $REPO_NAME --build-name=$BUILD_NAME --build-number=${{ github.run_number }}
+          echo "Pushing Docker Image to Artifactory completed"
+          echo "publishing build info"
+          jf rt build-publish $BUILD_NAME ${{ github.run_number }}
+
+      # Fetch Trivy Vulnerability Snapshot
       - name: Run Trivy
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: ${{ env.REGISTRY_URL }}/${{ env.REPO_NAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
+          image-ref: ${{ env.REGISTRY_DOMAIN }}/${{ env.REPO_NAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
           severity: HIGH,CRITICAL
           format: json
           output: trivy-results.json
 
-      - name: Convert Trivy JSON Output to Markdown
-        run: python ./examples/trivy-verify-example/trivy_json_to_markdown_helper.py trivy-results.json
-
-      - name: Push Docker Image to Artifactory
-        run: |
-          echo "Pushing Docker image to Artifactory..."
-          jf rt docker-push $REGISTRY_URL/$REPO_NAME/$IMAGE_NAME:$VERSION $REPO_NAME --build-name=$BUILD_NAME --build-number=${{ github.run_number }}
-      - name: Publish Build Info
+      # This is an optional step to generate a custom markdown report
+      - name: Generate optional custom markdown report
+        if: env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true'
         run: |
-          jf rt build-publish $BUILD_NAME ${{ github.run_number }}
-      - name: Attach Evidence Using JFrog CLI
+          python ./examples/trivy-verify-example/trivy_json_to_markdown_helper.py trivy-results.json
+
+      # Attaching the evidence to associated package
+      - name: Attach evidence using jfrog cli
         run: |
+          ls -al
           jf evd create \
             --package-name $IMAGE_NAME \
             --package-version $VERSION \
             --package-repo-name $REPO_NAME \
-            --key "${{ secrets.TRIVY_TEST_PKEY }}" \
-            --key-alias ${{ vars.TRIVY_TEST_KEY }} \
+            --key "${{ secrets.PRIVATE_KEY }}" \
+            --key-alias "${{ vars.EVIDENCE_KEY_ALIAS }}" \
             --predicate ./trivy-results.json \
             --predicate-type http://aquasec.com/trivy/security-scan \
-            --markdown trivy-results.md
-          echo "Trivy evidence attached to package"
+            ${{ env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true' && '--markdown "trivy-results.md"' || '' }}

.gitignore

@@ -1,3 +1,4 @@
 /examples/sonar-scan-example/sonar-scanner-4.6.2.2472-linux/*
 /examples/sonar-scan-example/bin/*
-/examples/jira-transition-example/bin/*
+/examples/jira-transition-example/bin/*
+*.pem