Skip to content

feat: add SAST onboarding automation #72

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
witmicko wants to merge 12 commits into
base: main
Choose a base branch
from
Open

feat: add SAST onboarding automation #72

Changes from 1 commit
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
ec21c3e
fix root changelog
witmicko Nov 26, 2025
89f2c4e
feat: add onboarding automation for new repos
witmicko Dec 2, 2025
ad24efa
update pr template
witmicko Dec 9, 2025
e283983
ci: update build command for codeql
witmicko Dec 9, 2025
acbbe22
update inputs handlign
witmicko Dec 9, 2025
10735dd
gh token fi
witmicko Dec 9, 2025
8f971de
actionlint fix
witmicko Dec 9, 2025
27e6a83
update branach handling move action file to templates
witmicko Dec 9, 2025
ecc9d0a
default to main on empty repo
witmicko Dec 9, 2025
ae1d8e4
fix empty repo runs
witmicko Dec 9, 2025
da090b6
fix empty repo runs
witmicko Dec 9, 2025
6d3ad6b
another repo edge hase handling
witmicko Dec 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
gh token fi
  • Loading branch information
@witmicko
witmicko committed Dec 9, 2025
commit 10735dd5d6900399cce2edc4f11015d970cd9280
8 changes: 4 additions & 4 deletions .github/workflows/onboard-new-repo.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,13 +49,13 @@ jobs:
echo "base_branch=$BASE_BRANCH" >> $GITHUB_OUTPUT
shell: bash
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ secrets.ONBOARDING_TOKEN }}
Copy link

@cursor cursor bot Dec 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: Opt-out file check documented but never implemented

The PR body template instructs users to add a .github/no-security-scanner file to prevent future onboarding attempts, but the workflow never checks for this file's existence. The onboarding will proceed regardless of whether a team has opted out, making the documented opt-out mechanism non-functional.

Additional Locations (1)

Fix in Cursor Fix in Web


- name: Checkout target repository
uses: actions/checkout@v4
with:
repository: ${{ steps.target.outputs.repository }}
token: ${{ secrets.GITHUB_TOKEN }}
token: ${{ secrets.ONBOARDING_TOKEN }}
path: target-repo
ref: ${{ steps.target.outputs.base_branch }}
Copy link

@cursor cursor bot Dec 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: Opt-out file check documented but never implemented

The PR body template tells users to add a .github/no-security-scanner file to prevent future onboarding attempts, but the workflow never checks for this file's existence. Repositories that have opted out will still receive onboarding PRs, causing frustration for teams that explicitly declined the scanner.

Additional Locations (1)

Fix in Cursor Fix in Web


Expand Down Expand Up @@ -94,7 +94,7 @@ jobs:
- name: Create Pull Request
working-directory: target-repo
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ secrets.ONBOARDING_TOKEN }}
REPO_NAME: ${{ steps.target.outputs.repository }}
run: |
# Extract owner and repo name for URL construction
Expand All @@ -117,7 +117,7 @@ jobs:
- name: Output PR URL
working-directory: target-repo
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ secrets.ONBOARDING_TOKEN }}
run: |
PR_URL=$(gh pr view security/add-sast-scanner --json url -q .url)
echo "✅ Pull Request created: $PR_URL"
Expand Down