t.behrendt/tas-actions
1
0
Fork 0
Code Issues 1 Pull Requests 2 Actions Releases Activity

feat: mvp #1

Merged
t.behrendt merged 4 commits from mvp into main 2026-02-11 19:54:00 +01:00
Conversation 0 Commits 4 Files Changed 5 +171
5 changed files with 171 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
.gitea/workflows/cd.yaml Normal file
View File

@@ -0,0 +1,25 @@
name: CD
on:
push:
branches:
- main
workflow_dispatch:
jobs:
release:
name: Release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.2
with:
fetch-depth: 0
- name: Increment tag
id: tag
uses: https://gitea.t000-n.de/t.behrendt/conventional-semantic-git-tag-increment@af46017d0af5fd6af4425f8e6961f14280a1acd1 # 0.1.26
with:
token: ${{ secrets.GITEA_TOKEN }}
- name: Push tag
uses: ./release-git-tag
with:
tag: ${{ steps.tag.outputs.new-tag }}

28
README.md
View File

@@ -1,2 +1,30 @@
# tas-actions # tas-actions
Reusable GitHub Actions for [TAS (Tea Advanced Security)](https://github.com/go-gitea/gitea): upload SARIF reports and gate CI on the API response.
## Actions
### [tas-upload-sarif](tas-upload-sarif/)
Uploads a SARIF report from a file to TAS and **fails the job** if the API returns `allowed: false`.
**Example workflow** (e.g. after a security scan that produces SARIF):
```yaml
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
# Run your scanner and produce SARIF (e.g. to results.sarif)
# - run: ./run-scanner --output results.sarif
- name: Upload SARIF to TAS and gate
uses: your-org/tas-actions/tas-upload-sarif@v1
with:
tas-base-url: 'https://tas.example.com'
sarif-file: 'results.sarif'
```
See [tas-upload-sarif/README.md](tas-upload-sarif/README.md) for all inputs and options.

4
renovate.json Normal file
View File

@@ -0,0 +1,4 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["local>t.behrendt/renovate-configs:action"]
}

48
tas-upload-sarif/README.md Normal file
View File

@@ -0,0 +1,48 @@
# TAS Upload SARIF
Reusable GitHub Action that uploads a SARIF report to [TAS (Tea Advanced Security)](https://github.com/go-gitea/gitea) and **fails the job** if the API responds with `allowed: false` (e.g. new findings above your policy).
## Inputs
| Input | Required | Description |
| -------------- | -------- | --------------------------------------------------------- |
| `tas-base-url` | Yes | Base URL of the TAS API (e.g. `https://tas.example.com`) |
| `sarif-file` | Yes | Path to the SARIF report file (JSON) |
| `owner` | No | Repository owner (default: `github.repository_owner`) |
| `repo` | No | Repository name (default: `github.event.repository.name`) |
| `branch` | No | Branch name (default: `github.ref_name`) |
## Usage
```yaml
- name: Upload SARIF to TAS and gate
uses: https://gitea.t000-n.de/t.behrendt/tas-actions/tas-upload-sarif@v1
with:
tas-base-url: "https://tas.example.com"
sarif-file: "results.sarif"
```
With explicit owner/repo/branch (e.g. for monorepos or custom refs):
```yaml
- uses: [your-org/tas-actions/tas-upload-sarif@v1](https://gitea.t000-n.de/t.behrendt/tas-actions/tas-upload-sarif@v1)
with:
tas-base-url: ${{ vars.TAS_BASE_URL }}
sarif-file: 'scan-output.sarif'
owner: ${{ github.repository_owner}}
repo: ${{ github.event.repository.name }}
branch: ${{ github.head_ref }}
```
## Behavior
1. **POST**s the SARIF file to `{tas-base-url}/repos/{owner}/{repo}/branches/{branch}/reports`.
2. On HTTP non-200, the step fails and prints the response body.
3. On success, reads the JSON response:
- If `allowed` is `true`, the step succeeds.
- If `allowed` is `false`, the step **fails** and prints `reason` and the full response (e.g. `new_critical`, `new_high`, `new_findings`).
## Requirements
- **GitHub-hosted runners**: `curl` and `jq` are available by default.
- **Self-hosted runners**: ensure `curl` and `jq` are installed.

66
tas-upload-sarif/action.yml Normal file
View File

@@ -0,0 +1,66 @@
name: 'TAS Upload SARIF'
description: 'Upload a SARIF report to TAS (Tea Advanced Security) and fail the job if gating returns allowed: false'
inputs:
tas-base-url:
description: 'Base URL of the TAS API (e.g. https://tas.example.com)'
required: true
sarif-file:
description: 'Path to the SARIF report file (JSON)'
required: true
owner:
description: 'Repository owner (default: GitHub repository owner)'
required: false
repo:
description: 'Repository name (default: GitHub repository name)'
required: false
branch:
description: 'Branch name (default: current ref name, e.g. main)'
required: false
runs:
using: 'composite'
steps:
- name: Upload SARIF to TAS and gate
shell: bash
env:
OWNER: ${{ inputs.owner || github.repository_owner }}
REPO: ${{ inputs.repo || github.event.repository.name }}
BRANCH: ${{ inputs.branch || github.ref_name }}
BASE_URL: ${{ inputs.tas-base-url }}
SARIF_FILE: ${{ inputs.sarif-file }}
run: |
BASE_URL="${BASE_URL%/}"
URL="${BASE_URL}/repos/${OWNER}/${REPO}/branches/${BRANCH}/reports"
echo "Uploading SARIF to TAS: $URL"
if [[ ! -f "$SARIF_FILE" ]]; then
echo "::error::SARIF file not found: $SARIF_FILE"
exit 1
fi
RESPONSE=$(curl -s -w "\n%{http_code}" -X POST "$URL" \
-H "Content-Type: application/json" \
-d @"$SARIF_FILE")
HTTP_BODY=$(echo "$RESPONSE" | head -n -1)
HTTP_CODE=$(echo "$RESPONSE" | tail -n 1)
if [[ "$HTTP_CODE" != "200" ]]; then
echo "::error::TAS API returned HTTP $HTTP_CODE"
echo "$HTTP_BODY" | head -20
exit 1
fi
ALLOWED=$(echo "$HTTP_BODY" | jq -r '.allowed')
REASON=$(echo "$HTTP_BODY" | jq -r '.reason // empty')
if [[ "$ALLOWED" != "true" ]]; then
echo "::error::TAS gating failed (allowed: false). $REASON"
echo "::error::new_critical/new_high/new_medium/new_low are in the API response."
echo "$HTTP_BODY" | jq '.'
exit 1
fi
echo "TAS gating passed (allowed: true)."
if [[ -n "$REASON" ]]; then
echo "$REASON"
fi