
feat(ui): show table preview in ops tree overlay (#810) #328

Workflow file for this run

# Copyright 2026 Phillip Cloud
# Licensed under the Apache License, Version 2.0
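name: Security

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Workflow-wide default: read-only access to repository contents. A job that
# declares its own `permissions` block replaces this default, it does not
# extend it.
permissions:
  contents: read

jobs:
  # Decides which scanners have to run; every scanner job gates on its outputs.
  changes:
    name: Detect Changes
    runs-on: ubuntu-latest
    outputs:
      go: ${{ steps.detect.outputs.go }}
      ci: ${{ steps.detect.outputs.ci }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: block
          disable-telemetry: true
          # Egress allow-list. Every entry is a destination the runner may send
          # data to, so list first-party hosts only (github.com is needed for
          # the git fetch done by actions/checkout), never a mirror or proxy
          # hostname.
          allowed-endpoints: >
            api.github.com:443
            github.com:443
      # Only the detection script is checked out, and the token is not left in
      # the local git config for later steps.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          sparse-checkout: .github/detect-ci-changes.bash
          sparse-checkout-cone-mode: false
          persist-credentials: false
      - name: Check for changes
        id: detect
        # Event fields reach the script as environment variables and quoted
        # arguments rather than being expanded into the script text.
        env:
          GH_TOKEN: ${{ github.token }}
          EVENT_NAME: ${{ github.event_name }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          BEFORE_SHA: ${{ github.event.before }}
          HEAD_SHA: ${{ github.sha }}
        # NOTE(review): the script comes from the checked-out ref and its whole
        # stdout is appended to GITHUB_OUTPUT, so a pull request that edits it
        # decides which scanners run. Changes to this script presumably need
        # the same review as changes to this workflow; confirm.
        run: |
          bash .github/detect-ci-changes.bash \
            "$EVENT_NAME" "$PR_NUMBER" "$BEFORE_SHA" "$HEAD_SHA" >> "$GITHUB_OUTPUT"

  govulncheck:
    name: Vulnerability Check
    needs: changes
    if: needs.changes.outputs.go == 'true'
    runs-on: ubuntu-latest
    # One run per ref; a newer pull-request run cancels the one in progress.
    concurrency:
      group: security-govulncheck-${{ github.ref }}
      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: block
          disable-telemetry: true
          # GitHub, the Nix cache and release hosts, the Go module proxy and
          # the Go vulnerability database.
          # NOTE(review): storage.googleapis.com is a shared host for all
          # Cloud Storage buckets, so this entry is broader than one service.
          allowed-endpoints: >
            api.github.com:443
            cache.nixos.org:443
            github.com:443
            proxy.golang.org:443
            releases.nixos.org:443
            storage.googleapis.com:443
            vuln.go.dev:443
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - uses: cachix/install-nix-action@1ca7d21a94afc7c957383a2d217460d980de4934 # v31.10.1
      - name: Run govulncheck
        run: nix run '.#govulncheck'

  osv-scanner:
    name: OSV Scan
    needs: changes
    if: needs.changes.outputs.go == 'true'
    runs-on: ubuntu-latest
    concurrency:
      group: security-osv-scanner-${{ github.ref }}
      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: block
          disable-telemetry: true
          # GitHub, the OSV API and the Nix cache and release hosts.
          allowed-endpoints: >
            api.github.com:443
            api.osv.dev:443
            cache.nixos.org:443
            github.com:443
            releases.nixos.org:443
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - uses: cachix/install-nix-action@1ca7d21a94afc7c957383a2d217460d980de4934 # v31.10.1
      - name: Run osv-scanner
        run: nix run '.#osv-scanner'

  secrets:
    name: Secret Scan
    needs: changes
    # NOTE(review): this scan is gated on the `ci` output while the other
    # scanners use `go`. What `ci` covers is defined in detect-ci-changes.bash,
    # which is not visible here; confirm that a secret committed to any file
    # still triggers this job.
    if: needs.changes.outputs.ci == 'true'
    runs-on: ubuntu-latest
    concurrency:
      group: security-secrets-${{ github.ref }}
      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: block
          disable-telemetry: true
          # GitHub plus the container registry hosts the scanner image is
          # pulled from.
          allowed-endpoints: >
            ghcr.io:443
            github.com:443
            pkg-containers.githubusercontent.com:443
      # Full history, so the scanner can walk the commits of the push or PR.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0
          persist-credentials: false
      - uses: trufflesecurity/trufflehog@6c05c4a00b91aa542267d8e32a8254774799d68d # v3.93.8
        with:
          # Verifying a finding means calling the service that issued the
          # credential, and none of those hosts is on the allow-list above. A
          # finding whose verification fails is reported as `unknown`, so
          # `unknown` has to be included or the blocked egress would likely
          # hide every finding.
          extra_args: --results=verified,unknown

  codeql:
    name: CodeQL (Go)
    needs: changes
    if: needs.changes.outputs.go == 'true'
    runs-on: ubuntu-latest
    concurrency:
      group: security-codeql-${{ github.ref }}
      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
    # Job-level permissions replace the workflow default, so `contents: read`
    # is repeated here; without it the job token has no access to repository
    # contents.
    permissions:
      contents: read
      security-events: write
    env:
      CGO_ENABLED: "0"
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: block
          disable-telemetry: true
          # GitHub, GitHub release assets and the Go module proxy.
          # NOTE(review): storage.googleapis.com is a shared host for all
          # Cloud Storage buckets, so this entry is broader than one service.
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            proxy.golang.org:443
            release-assets.githubusercontent.com:443
            storage.googleapis.com:443
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version: "1.26"
      - name: Initialize CodeQL
        uses: github/codeql-action/init@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
        with:
          languages: go
          build-mode: manual
      # With build-mode manual, the build has to run between init and analyze.
      - name: Build
        run: go build ./...
      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0

  # Single status to require in branch protection. It runs even when earlier
  # jobs failed and fails if any needed job failed or was cancelled. A skipped
  # scanner counts as a pass, so this status is only as strong as the change
  # detection in the `changes` job.
  result:
    name: Security Result
    if: always()
    needs: [changes, govulncheck, osv-scanner, secrets, codeql]
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: block
          disable-telemetry: true
          allowed-endpoints: >
            api.github.com:443
            github.com:443
      - run: exit 1
        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')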