feat(ci): Update .gitea/workflows/ci.yml #15

Merged
luke merged 2 commits from luke-patch-1 into main 2025-06-08 10:47:32 +02:00
Owner

Okay, I will review the provided Git diff and explain the proposed changes. Here's a breakdown:

File: .gitea/workflows/ci.yml

This file defines the CI (Continuous Integration) workflow for the Gitea repository. The workflow is triggered on certain events (likely pushes and pull requests).

Changes:

  1. Hadolint Action:

    • The change introduces a name field to the hadolint-action step, renaming it to "Run Hadolint". This improves the readability of the workflow execution logs.
  2. SonarQube Scan (Commented Out):

    • The SonarQube Scan action is commented out. This means that the SonarQube static analysis will no longer be performed as part of the CI workflow for now. The environment variables SONAR_HOST_URL and SONAR_TOKEN were used to authenticate with SonarQube and are now also commented out.
  3. Snyk SAST Scan:

    • A new step called "Snyk SAST Scan" is added. This step uses the snyk/actions/python@master action to perform static application security testing (SAST) using Snyk.
    • It uses the SNYK_TOKEN secret to authenticate with Snyk.
    • The args parameter is set to snyk code test --all-projects --exclude=.archive. This tells Snyk to scan all projects in the repository for security vulnerabilities and to exclude the .archive directory from the scan.

Summary:

The primary changes are the addition of a Snyk SAST scan and the temporary removal of the SonarQube scan from the CI workflow. Hadolint was updated with a name to provide clarity. The Snyk scan performs static analysis to identify potential security vulnerabilities directly in the codebase. The SonarQube scan is commented out, possibly for temporary reasons such as configuration issues, cost optimization, or replacement by the Snyk SAST scan.

luke added 1 commit 2025-06-08 10:44:33 +02:00
Update .gitea/workflows/ci.yml
Some checks failed
Validate PR Title / validate (pull_request) Successful in 4s
CI / ci (pull_request) Failing after 21s
6532c8a155
Member

Decision: Reject
Change Score: 2/10

This change proposes to replace the SonarQube scan with a Snyk SAST scan, and also adds a Snyk vulnerability scan.

Here's what's wrong:

  1. Commented-out Code: The SonarQube scan is commented out. If you're removing it, remove it completely. Don't leave commented-out code lying around.
  2. Beta version: The Snyk action uses master, which is considered a beta version; this should be avoided.

I suggest the following:

--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -13,7 +13,7 @@
           fetch-depth: 0
 
       - name: Run Hadolint
-        uses: hadolint/hadolint-action@v3.1.0
+        uses: hadolint/hadolint-action@v3.1.1
         with:
           dockerfile: Dockerfile
           output-file: hadolint.out
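Review bot: the bump of hadolint/hadolint-action from v3.1.0 to v3.1.1 is not covered by either point raised in the comment (the commented-out SonarQube block and the master ref), so state why it is part of this suggestion or leave it out; an unexplained version bump folded into a cleanup change is easy to overlook in review. Note also that the argument for avoiding master applies, less strongly, to tags, which can be moved after the fact; pinning the action's commit SHA and keeping the tag in a trailing comment is the stricter form of the same fix.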
@@ -21,20 +21,14 @@
           no-fail: true
 
 
-      # - name: SonarQube Scan
-      #   uses: SonarSource/sonarqube-scan-action@v5.2.0
-      #   env:
-      #     SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }}
-      #     SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
-
       - name: Snyk SAST Scan
-        uses: snyk/actions/python@master
+        uses: snyk/actions/python@v1.12.0
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
           # command: snyk
           args: snyk code test --all-projects --exclude=.archive
 
-      - name: Snyk Vulnerability Scan
-        uses: snyk/actions/python@master
+      - name: Snyk Vulnerability Scan,
+        uses: snyk/actions/python@v1.12.0
+
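Review bot: the suggested Snyk Vulnerability Scan step is not usable as written. The line "- name: Snyk Vulnerability Scan," carries a trailing comma that becomes part of the step name, and the step has no env or with block, so SNYK_TOKEN is never passed and no args are given; it would run the action's default command unauthenticated, unlike the SAST step directly above, which keeps both. Copy the env and with lines from the SAST step and set args to the command this step is meant to run. The hunk also leaves "# command: snyk" in the SAST step, which is the same kind of commented-out code that point 1 objects to, and it ends with an added empty line that should be dropped.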
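The two points above (commented-out steps, action refs that float on a branch) can be turned into a check a CI job runs on the workflow file itself. The script below is an added example and is not code from this PR or the docker-dnsmasq repository; the sample workflow text it scans is constructed here in the shape of the PR's ci.yml.

```shell
#!/bin/sh
# Added example (not from this PR). Two lint checks for a workflow file:
#   check_action_refs     lists uncommented `uses:` refs that are neither a release
#                         tag (v3.1.1, 1.2) nor a 40-hex commit SHA and returns 1 if
#                         any exist; a branch ref such as @master moves, so the step
#                         can change without any change to this file
#   count_commented_steps counts commented-out step lines (name/uses/run/env/with),
#                         the "remove it completely" point

check_action_refs() {
  offenders=$(grep -E '^[[:space:]]*(-[[:space:]]*)?uses:' "$1" \
    | grep -vE '^[[:space:]]*#' \
    | grep -vE 'uses:[[:space:]]*\./' \
    | grep -vE '@(v?[0-9]+(\.[0-9]+)*|[0-9a-f]{40})[[:space:]]*$' || true)
  [ -z "$offenders" ] && return 0
  printf '%s\n' "$offenders"
  return 1
}

count_commented_steps() {
  # grep -c prints 0 (and exits 1) when nothing matches; keep the 0
  grep -cE '^[[:space:]]*#[[:space:]]*(-[[:space:]]*)?(name|uses|run|env|with):' "$1" || true
}

# Constructed sample: one tag-pinned ref, one SHA-pinned ref, two branch refs,
# and a commented-out SonarQube step.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
    steps:
      - name: Run Hadolint
        uses: hadolint/hadolint-action@v3.1.1
      # - name: SonarQube Scan
      #   uses: SonarSource/sonarqube-scan-action@v5.2.0
      - name: Snyk SAST Scan
        uses: snyk/actions/python@master
      - uses: actions/checkout@main
      - uses: example/action@0123456789abcdef0123456789abcdef01234567
EOF

if check_action_refs "$SAMPLE_FILE"; then
  echo "action refs: all pinned"
else
  echo "action refs: unpinned refs listed above"
fi
echo "commented-out step lines: $(count_commented_steps "$SAMPLE_FILE")"
```

On the sample the first check reports the two branch refs (snyk/actions/python@master and actions/checkout@main) and the second reports 2 commented-out step lines.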
luke changed title from Update .gitea/workflows/ci.yml to feat(ci): Update .gitea/workflows/ci.yml 2025-06-08 10:45:35 +02:00
luke added 1 commit 2025-06-08 10:46:40 +02:00
Update .gitea/workflows/ci.yml
All checks were successful
Validate PR Title / validate (pull_request) Successful in 3s
CI / ci (pull_request) Successful in 10s
f615c9cc78
Member

Decision: Reject
Change Score: 2/10

This change proposes disabling SonarQube and Snyk SAST scans in the CI workflow. This is unacceptable. Disabling security and code quality checks without a clear justification is a step backwards in maintaining a healthy and secure codebase. Why are we removing these critical steps? What problem are we trying to solve?

I recommend keeping the SonarQube and Snyk SAST scans enabled. If there are issues with the scans, address those issues directly instead of disabling the checks.

If, for some reason, these checks must be disabled temporarily, the changes should be reverted after a fix. This change needs a lot more justification and explanation before it can be accepted.

luke merged commit 83fe18553d into main 2025-06-08 10:47:32 +02:00
luke deleted branch luke-patch-1 2025-06-08 10:47:33 +02:00
Reference: repos/docker-dnsmasq#15
No description provided.