Add coana-guardrail and coana-analysis workflows (#418)

nicknisi · web-flow · commit 8def89f4fcd8 · 2025-03-18T08:39:12.000-05:00
* Add updated coana workflows

* trigger CI

* fix guardrail for forks
diff --git a/.github/workflows/coana-analysis.yml b/.github/workflows/coana-analysis.yml
@@ -2,24 +2,27 @@ name: Coana Vulnerability Analysis
 
 on:
   schedule:
-    # every day at 12 AM
-    - cron: '0 0 * * *'
+    - cron: "0 3 * * *" # every day at 3 AM
   workflow_dispatch:
     inputs:
       tags:
-        description: 'Manually run vulnerability analysis'
+        description: "Manually run vulnerability analysis"
+      # Required by the return-dispatch action
+      distinct_id:
 
 jobs:
   coana-vulnerability-analysis:
     runs-on: ubuntu-latest
-    timeout-minutes: 60
 
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+
       - name: Run Coana CLI
         id: coana-cli
-        run: |
-          npx @coana-tech/cli run . \
-            --api-key ${{ secrets.COANA_API_KEY }} \
-            --repo-url https://github.com/${{github.repository}}
+        uses: docker://coana/coana:latest
+        with:
+          args: |
+            coana run . \
+              --api-key ${{ secrets.COANA_API_KEY }} \
+              --repo-url https://github.com/${{github.repository}}
diff --git a/.github/workflows/coana-guardrail.yml b/.github/workflows/coana-guardrail.yml
@@ -5,24 +5,27 @@ on: pull_request
 jobs:
   guardrail:
     runs-on: ubuntu-latest
-    timeout-minutes: 15
+
     steps:
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v44
-        with:
-          separator: ' '
- 
       - name: Checkout the ${{github.base_ref}} branch
         uses: actions/checkout@v4
         with:
           ref: ${{github.base_ref}} # checkout the base branch (usually master/main).
- 
+
+      - name: Fetch the PR branch
+        run: |
+          git fetch ${{ github.event.pull_request.head.repo.clone_url }} ${{ github.head_ref }}:${{ github.head_ref }} --depth=1
+
+      - name: Get list of changed files relative to the main/master branch
+        id: changed-files
+        run: |
+          echo "all_changed_files=$(git diff --name-only ${{ github.base_ref }} ${{ github.head_ref }} | tr '\n' ' ')" >> $GITHUB_OUTPUT
+
       - name: Use Node.js 20.x
         uses: actions/setup-node@v4
         with:
           node-version: 20.x
- 
+
       - name: Run Coana on the ${{github.base_ref}} branch
         run: |
           npx @coana-tech/cli run . \
@@ -31,16 +34,20 @@ jobs:
             -o /tmp/main-branch \
             --changed-files ${{ steps.changed-files.outputs.all_changed_files }} \
             --lightweight-reachability \
- 
-      # Reset file permissions changed by Coana CLI.
+
+      # Reset file permissions.
+      # This is necessary because the Coana CLI may add
+      # new files with root ownership since it's using docker.
+      # These files will not be deleted by the clean step in checkout
+      # if the permissions are not reset.
       - name: Reset file permissions
         run: sudo chown -R $USER:$USER .
- 
+
       - name: Checkout the current branch
         uses: actions/checkout@v4
         with:
           clean: true
- 
+
       - name: Run Coana on the current branch
         run: |
           npx @coana-tech/cli run . \
@@ -49,12 +56,12 @@ jobs:
             -o /tmp/current-branch \
             --changed-files ${{ steps.changed-files.outputs.all_changed_files }} \
             --lightweight-reachability \
- 
+
       - name: Run Report Comparison
         run: |
           npx @coana-tech/cli compare-reports \
             --api-key ${{ secrets.COANA_API_KEY || 'api-key-unavailable' }} \
             /tmp/main-branch/coana-report.json \
             /tmp/current-branch/coana-report.json
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
