From 87b130fa33d189f51a29103da46e6121626cf2d5 Mon Sep 17 00:00:00 2001 From: Ruud Senden <8635138+rsenden@users.noreply.github.com> Date: Sat, 21 Mar 2026 11:50:54 +0100 Subject: [PATCH 1/8] chore: Refactor debug artifact upload feat: The top-level `fortify/github-action` no longer uploads debug artifacts; this is now handled through the `with-debug-upload-*.yml` sub-actions. This allows for supporting artifact upload on both GHES and github.com, and for users to utilize alternative upload steps with different storage providers. feat: Add `fortify/github-action/with-debug-upload-ghes` sub-action that runs the top-level action for performing the AST scan, followed by uploading debug artifacts (if debugging enabled) to GHES using `actions/upload-artifact@v3` feat: Add `fortify/github-action/with-debug-upload-github` sub-action that runs the top-level action for performing the AST scan, followed by uploading debug artifacts (if debugging enabled) to github.com using `actions/upload-artifact@v7` --- .github/workflows/publish.yml | 4 ++-- action.yml | 37 +++++++++++++++++++---------- with-debug-upload-ghes/action.yml | 35 +++++++++++++++++++++++++++ with-debug-upload-github/action.yml | 35 +++++++++++++++++++++++++++ 4 files changed, 96 insertions(+), 15 deletions(-) create mode 100644 with-debug-upload-ghes/action.yml create mode 100644 with-debug-upload-github/action.yml diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index d00baa0..c1eeeb4 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check-out source code - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Configure git run: | git config user.name github-actions @@ -33,7 +33,7 @@ jobs: needs: update-action-references steps: - name: Check-out source code - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Generate and process release PR id: release_please diff --git a/action.yml b/action.yml index e68fdb4..90a93c9 100644 --- a/action.yml +++ b/action.yml @@ -1,26 +1,33 @@ name: 'Fortify AST Scan' -description: 'Find and fix vulnerabilities to build secure software with Fortify Code Security.' +description: 'Run Fortify AST Scan.' author: 'Fortify' inputs: debug: - description: 'Whether to generate and collect debug logs; note that these may contain sensitive data like access tokens or credentials. Automatically enabled when workflow is re-run with "Enable debug logging" checked.' + description: 'Whether to output debug artifacts; note that these may contain sensitive data like access tokens or credentials. Automatically enabled when workflow is re-run with "Enable debug logging" checked.' required: false default: 'false' debug-artifact-name: - description: 'Name for the debug artifacts archive; defaults to "fortify-debug-logs"' + description: 'Deprecated & ignored - This action no longer uploads debug artifacts; see the `with-debug-upload-*` sub-actions for uploading debug artifacts.' required: false - default: 'fortify-debug-logs' + default: 'fortify-debug-artifacts' debug-retention-days: - description: 'Number of days to retain debug artifacts; defaults to 1' + description: 'Deprecated & ignored - This action no longer uploads debug artifacts; see the `with-debug-upload-*` sub-actions for uploading debug artifacts.' required: false default: '1' +outputs: + upload-debug-artifacts: + description: '"true" if debug artifacts should be uploaded (inputs.debug==true or runner.debug==1)' + value: ${{ steps.set-outputs.outputs.upload-debug-artifacts }} + debug-artifacts-dir: + description: 'Path to the debug artifacts directory (env.FORTIFY_DATA_DIR)' + value: ${{ steps.set-outputs.outputs.debug-artifacts-dir }} runs: using: composite steps: - name: Set Fortify data directory run: echo "FORTIFY_DATA_DIR=${{ runner.temp }}/fortify-data" >> $GITHUB_ENV shell: bash - - uses: fortify/github-action/setup@main + - uses: fortify/github-action/setup@feat/configurable-debug-upload with: fcli: bootstrapped export-path: false @@ -32,13 +39,17 @@ runs: GITHUB_TOKEN: ${{ github.token }} SAST_EXPORT_EXTRA_OPTS: --publish=true ${{ env.SAST_EXPORT_EXTRA_OPTS || '' }} DEBRICKED_EXPORT_EXTRA_OPTS: --publish=true ${{ env.DEBRICKED_EXPORT_EXTRA_OPTS || '' }} - - name: Upload debug logs - if: ${{ always() && (inputs.debug == 'true' || runner.debug == '1') }} - uses: actions/upload-artifact@v4 - with: - name: ${{ inputs.debug-artifact-name }}-${{ github.job }} - path: ${{ env.FORTIFY_DATA_DIR }} - retention-days: ${{ inputs.debug-retention-days }} + - name: Set action outputs + if: always() # Ensure outputs are set even if the previous step fails, so that debug artifacts can be uploaded when enabled + id: set-outputs + run: | + if [ "${{ inputs.debug }}" = "true" ] || [ "${{ runner.debug }}" = "1" ]; then + echo "upload-debug-artifacts=true" >> $GITHUB_OUTPUT + else + echo "upload-debug-artifacts=false" >> $GITHUB_OUTPUT + fi + echo "debug-artifacts-dir=${FORTIFY_DATA_DIR}" >> $GITHUB_OUTPUT + shell: bash branding: icon: 'shield' diff --git a/with-debug-upload-ghes/action.yml b/with-debug-upload-ghes/action.yml new file mode 100644 index 0000000..f37fb97 --- /dev/null +++ b/with-debug-upload-ghes/action.yml @@ -0,0 +1,35 @@ +name: 'Fortify AST Scan (with debug upload - GHES)' +description: 'Run Fortify AST Scan and upload debug artifacts using actions/upload-artifact@v3 (GHES-compatible).' +author: 'Fortify' +inputs: + debug: + description: 'Whether to generate & collect debug artifacts; note that these may contain sensitive data like access tokens or credentials. Automatically enabled when workflow is re-run with "Enable debug logging" checked.' + required: false + default: 'false' + debug-artifact-name: + description: 'Name for the debug artifacts archive; defaults to "fortify-debug-artifacts"' + required: false + default: 'fortify-debug-artifacts' + debug-retention-days: + description: 'Number of days to retain debug artifacts; defaults to 1 due to sensitivity of data' + required: false + default: '1' + +runs: + using: composite + steps: + - name: Run Fortify AST Scan + id: run_ast_scan + uses: fortify/github-action@feat/configurable-debug-upload + with: + debug: ${{ inputs.debug }} + debug-artifact-name: ${{ inputs.debug-artifact-name }} + debug-retention-days: ${{ inputs.debug-retention-days }} + + - name: Upload debug artifacts (GHES) + if: ${{ always() && steps.run_ast_scan.outputs.upload-debug-artifacts == 'true' }} + uses: actions/upload-artifact@v3 + with: + name: ${{ inputs.debug-artifact-name }}-${{ github.job }} + path: ${{ steps.run_ast_scan.outputs.debug-artifacts-dir }} + retention-days: ${{ inputs.debug-retention-days }} diff --git a/with-debug-upload-github/action.yml b/with-debug-upload-github/action.yml new file mode 100644 index 0000000..3ea2b4c --- /dev/null +++ b/with-debug-upload-github/action.yml @@ -0,0 +1,35 @@ +name: 'Fortify AST Scan (with debug upload - GitHub.com)' +description: 'Run Fortify AST Scan and upload debug artifacts using actions/upload-artifact@v7 (GitHub.com).' +author: 'Fortify' +inputs: + debug: + description: 'Whether to generate & collect debug artifacts; note that these may contain sensitive data like access tokens or credentials. Automatically enabled when workflow is re-run with "Enable debug logging" checked.' + required: false + default: 'false' + debug-artifact-name: + description: 'Name for the debug artifacts archive; defaults to "fortify-debug-artifacts"' + required: false + default: 'fortify-debug-artifacts' + debug-retention-days: + description: 'Number of days to retain debug artifacts; defaults to 1 due to sensitivity of data' + required: false + default: '1' + +runs: + using: composite + steps: + - name: Run Fortify AST Scan + id: run_ast_scan + uses: fortify/github-action@feat/configurable-debug-upload + with: + debug: ${{ inputs.debug }} + debug-artifact-name: ${{ inputs.debug-artifact-name }} + debug-retention-days: ${{ inputs.debug-retention-days }} + + - name: Upload debug artifacts (github.com) + if: ${{ always() && steps.run_ast_scan.outputs.upload-debug-artifacts == 'true' }} + uses: actions/upload-artifact@v7 + with: + name: ${{ inputs.debug-artifact-name }}-${{ github.job }} + path: ${{ steps.run_ast_scan.outputs.debug-artifacts-dir }} + retention-days: ${{ inputs.debug-retention-days }} From 6c7dff7abc20805aa011d69e703b5445505d6cf2 Mon Sep 17 00:00:00 2001 From: Ruud Senden <8635138+rsenden@users.noreply.github.com> Date: Sat, 21 Mar 2026 13:48:43 +0100 Subject: [PATCH 2/8] ci: Use allowed action version --- .github/workflows/publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index c1eeeb4..97c7a5e 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -43,7 +43,7 @@ jobs: - name: Publish v{major}.{minor} tag if: steps.release_please.outputs.release_created - uses: richardsimko/update-tag@v1 + uses: richardsimko/update-tag@aab2434e9a5040687874aa39d1c6377ec0cb0d94 with: tag_name: v${{steps.release_please.outputs.major}}.${{steps.release_please.outputs.minor}} env: @@ -51,7 +51,7 @@ jobs: - name: Publish v{major} tag if: steps.release_please.outputs.release_created - uses: richardsimko/update-tag@v1 + uses: richardsimko/update-tag@aab2434e9a5040687874aa39d1c6377ec0cb0d94 with: tag_name: v${{steps.release_please.outputs.major}} env: From 6121da478e739094e8bb87fb0cda98cfaa641f94 Mon Sep 17 00:00:00 2001 From: Ruud Senden <8635138+rsenden@users.noreply.github.com> Date: Sat, 21 Mar 2026 14:27:11 +0100 Subject: [PATCH 3/8] docs: Update usage text --- README.md | 36 +++++++++++++++++++++++++++++--- USAGE.md | 34 ++++++++++++++++++++++++++++-- doc-resources/repo-intro.md | 2 +- doc-resources/repo-usage-text.md | 34 ++++++++++++++++++++++++++++-- 4 files changed, 98 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 571c7b6..7f32bf0 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ The `fortify/github-action` GitHub Action allows for easy integration of OpenTex As such, this GitHub Action automatically benefits from new features and bug fixes as they are introduced in fcli, although there are options to use a fixed fcli version in case you need more stability. At the time of writing, the fcli `ci` action provides out-of-the-box support for Static Application Security Testing (SAST) and Software Composition Analysis (SCA); support for Dynamic or Mobile Application Security Testing (DAST & MAST) may be added in the future. -Apart from the top-level `fortify/github-action` for running the fcli-based `ci` workflow, this repository also provides the `fortify/github-action/setup` GitHub Action. This action allows for setting up fcli and other Fortify tools like ScanCentral Client for use in a custom GitHub Actions workflow, for example for implementing a fully customized AST scan workflow or some other automation workflow that needs to interact with Fortify products. +Apart from the top-level `fortify/github-action` (and related `fortify/github-action/with-debug-upload-*` sub-actions) for running the fcli-based `ci` workflow, this repository also provides the `fortify/github-action/setup` GitHub Action. This action allows for setting up fcli and other Fortify tools like ScanCentral Client for use in a custom GitHub Actions workflow, for example for implementing a fully customized AST scan workflow or some other automation workflow that needs to interact with Fortify products. @@ -42,13 +42,28 @@ jobs: steps: - uses: actions/checkout@v4 # Check out source code - uses: actions/setup-@vX # Set up build tool(s) required to build your project - - uses: fortify/github-action@v3 # Run Fortify scans + # Run Fortify scans and upload debug artifacts if debugging is enabled; use one of + # the following: + # - Upload debug artifacts using github.com-compatible actions/upload-artifact@v7: + # uses: fortify/github-action/with-debug-upload-github@v3 + # - Upload debug artifacts using GHES-compatible actions/upload-artifact@v3: + # uses: fortify/github-action/with-debug-upload-ghes@v3 + # - Don't upload debug artifacts; use subsequent step to upload to alternative storage: + # uses: fortify/github-action@v3 + - uses: fortify/github-action/with-debug-upload-github@v3 + name: Run Fortify Scan + id: fortify_scan env: FOD_URL: ${{ vars.FOD_URL }} FOD_CLIENT_ID: ${{ secrets.FOD_CLIENT_ID }} FOD_CLIENT_SECRET: ${{ secrets.FOD_CLIENT_SECRET }} # FOD_RELEASE: MyApp:main # Optional: defaults to repo:branch # FCLI_BOOTSTRAP_VERSION: v3.15 # Optional if you prefer stability over latest + # - name: Upload Fortify debug artifacts (custom) + # if: ${{ always() && steps.fortify_scan.outputs.upload-debug-artifacts == 'true' }} + # uses: + # with: + # path: ${{ steps.fortify_scan.outputs.debug-artifacts-dir }} ``` #### OpenText Application Security (Fortify Software Security Center) @@ -71,12 +86,27 @@ jobs: steps: - uses: actions/checkout@v4 # Check out source code - uses: actions/setup-@vX # Set up build tool(s) required to build your project - - uses: fortify/github-action@v3 # Run Fortify scans + # Run Fortify scans and upload debug artifacts if debugging is enabled; use one of + # the following: + # - Upload debug artifacts using github.com-compatible actions/upload-artifact@v7: + # uses: fortify/github-action/with-debug-upload-github@v3 + # - Upload debug artifacts using GHES-compatible actions/upload-artifact@v3: + # uses: fortify/github-action/with-debug-upload-ghes@v3 + # - Don't upload debug artifacts; use subsequent step to upload to alternative storage: + # uses: fortify/github-action@v3 + - uses: fortify/github-action/with-debug-upload-github@v3 + name: Run Fortify Scan + id: fortify_scan env: SSC_URL: ${{ vars.SSC_URL }} SSC_TOKEN: ${{ secrets.SSC_TOKEN }} SC_SAST_TOKEN: ${{ secrets.SC_SAST_TOKEN }} # SSC_APPVERSION: MyApp:main # Optional: defaults to repo:branch + # - name: Upload Fortify debug artifacts (custom) + # if: ${{ always() && steps.fortify_scan.outputs.upload-debug-artifacts == 'true' }} + # uses: + # with: + # path: ${{ steps.fortify_scan.outputs.debug-artifacts-dir }} ``` #### Custom workflow diff --git a/USAGE.md b/USAGE.md index d97f35c..45e2895 100644 --- a/USAGE.md +++ b/USAGE.md @@ -28,13 +28,28 @@ jobs: steps: - uses: actions/checkout@v4 # Check out source code - uses: actions/setup-@vX # Set up build tool(s) required to build your project - - uses: fortify/github-action@v3 # Run Fortify scans + # Run Fortify scans and upload debug artifacts if debugging is enabled; use one of + # the following: + # - Upload debug artifacts using github.com-compatible actions/upload-artifact@v7: + # uses: fortify/github-action/with-debug-upload-github@v3 + # - Upload debug artifacts using GHES-compatible actions/upload-artifact@v3: + # uses: fortify/github-action/with-debug-upload-ghes@v3 + # - Don't upload debug artifacts; use subsequent step to upload to alternative storage: + # uses: fortify/github-action@v3 + - uses: fortify/github-action/with-debug-upload-github@v3 + name: Run Fortify Scan + id: fortify_scan env: FOD_URL: ${{ vars.FOD_URL }} FOD_CLIENT_ID: ${{ secrets.FOD_CLIENT_ID }} FOD_CLIENT_SECRET: ${{ secrets.FOD_CLIENT_SECRET }} # FOD_RELEASE: MyApp:main # Optional: defaults to repo:branch # FCLI_BOOTSTRAP_VERSION: v3.15 # Optional if you prefer stability over latest + # - name: Upload Fortify debug artifacts (custom) + # if: ${{ always() && steps.fortify_scan.outputs.upload-debug-artifacts == 'true' }} + # uses: + # with: + # path: ${{ steps.fortify_scan.outputs.debug-artifacts-dir }} ``` #### OpenText Application Security (Fortify Software Security Center) @@ -57,12 +72,27 @@ jobs: steps: - uses: actions/checkout@v4 # Check out source code - uses: actions/setup-@vX # Set up build tool(s) required to build your project - - uses: fortify/github-action@v3 # Run Fortify scans + # Run Fortify scans and upload debug artifacts if debugging is enabled; use one of + # the following: + # - Upload debug artifacts using github.com-compatible actions/upload-artifact@v7: + # uses: fortify/github-action/with-debug-upload-github@v3 + # - Upload debug artifacts using GHES-compatible actions/upload-artifact@v3: + # uses: fortify/github-action/with-debug-upload-ghes@v3 + # - Don't upload debug artifacts; use subsequent step to upload to alternative storage: + # uses: fortify/github-action@v3 + - uses: fortify/github-action/with-debug-upload-github@v3 + name: Run Fortify Scan + id: fortify_scan env: SSC_URL: ${{ vars.SSC_URL }} SSC_TOKEN: ${{ secrets.SSC_TOKEN }} SC_SAST_TOKEN: ${{ secrets.SC_SAST_TOKEN }} # SSC_APPVERSION: MyApp:main # Optional: defaults to repo:branch + # - name: Upload Fortify debug artifacts (custom) + # if: ${{ always() && steps.fortify_scan.outputs.upload-debug-artifacts == 'true' }} + # uses: + # with: + # path: ${{ steps.fortify_scan.outputs.debug-artifacts-dir }} ``` #### Custom workflow diff --git a/doc-resources/repo-intro.md b/doc-resources/repo-intro.md index 9eac509..584ab7b 100644 --- a/doc-resources/repo-intro.md +++ b/doc-resources/repo-intro.md @@ -2,7 +2,7 @@ The `fortify/github-action` GitHub Action allows for easy integration of OpenTex As such, this GitHub Action automatically benefits from new features and bug fixes as they are introduced in fcli, although there are options to use a fixed fcli version in case you need more stability. At the time of writing, the fcli `ci` action provides out-of-the-box support for Static Application Security Testing (SAST) and Software Composition Analysis (SCA); support for Dynamic or Mobile Application Security Testing (DAST & MAST) may be added in the future. -Apart from the top-level `fortify/github-action` for running the fcli-based `ci` workflow, this repository also provides the `fortify/github-action/setup` GitHub Action. This action allows for setting up fcli and other Fortify tools like ScanCentral Client for use in a custom GitHub Actions workflow, for example for implementing a fully customized AST scan workflow or some other automation workflow that needs to interact with Fortify products. +Apart from the top-level `fortify/github-action` (and related `fortify/github-action/with-debug-upload-*` sub-actions) for running the fcli-based `ci` workflow, this repository also provides the `fortify/github-action/setup` GitHub Action. This action allows for setting up fcli and other Fortify tools like ScanCentral Client for use in a custom GitHub Actions workflow, for example for implementing a fully customized AST scan workflow or some other automation workflow that needs to interact with Fortify products. {{include:repo-usage-text.md}} diff --git a/doc-resources/repo-usage-text.md b/doc-resources/repo-usage-text.md index b0e794f..101f26c 100644 --- a/doc-resources/repo-usage-text.md +++ b/doc-resources/repo-usage-text.md @@ -20,13 +20,28 @@ jobs: steps: - uses: actions/checkout@v4 # Check out source code - uses: actions/setup-@vX # Set up build tool(s) required to build your project - - uses: fortify/github-action@v3 # Run Fortify scans + # Run Fortify scans and upload debug artifacts if debugging is enabled; use one of + # the following: + # - Upload debug artifacts using github.com-compatible actions/upload-artifact@v7: + # uses: fortify/github-action/with-debug-upload-github@v3 + # - Upload debug artifacts using GHES-compatible actions/upload-artifact@v3: + # uses: fortify/github-action/with-debug-upload-ghes@v3 + # - Don't upload debug artifacts; use subsequent step to upload to alternative storage: + # uses: fortify/github-action@v3 + - uses: fortify/github-action/with-debug-upload-github@v3 + name: Run Fortify Scan + id: fortify_scan env: FOD_URL: ${{ vars.FOD_URL }} FOD_CLIENT_ID: ${{ secrets.FOD_CLIENT_ID }} FOD_CLIENT_SECRET: ${{ secrets.FOD_CLIENT_SECRET }} # FOD_RELEASE: MyApp:main # Optional: defaults to repo:branch # FCLI_BOOTSTRAP_VERSION: v3.15 # Optional if you prefer stability over latest + # - name: Upload Fortify debug artifacts (custom) + # if: ${{ always() && steps.fortify_scan.outputs.upload-debug-artifacts == 'true' }} + # uses: + # with: + # path: ${{ steps.fortify_scan.outputs.debug-artifacts-dir }} ``` #### OpenText Application Security (Fortify Software Security Center) @@ -49,12 +64,27 @@ jobs: steps: - uses: actions/checkout@v4 # Check out source code - uses: actions/setup-@vX # Set up build tool(s) required to build your project - - uses: fortify/github-action@v3 # Run Fortify scans + # Run Fortify scans and upload debug artifacts if debugging is enabled; use one of + # the following: + # - Upload debug artifacts using github.com-compatible actions/upload-artifact@v7: + # uses: fortify/github-action/with-debug-upload-github@v3 + # - Upload debug artifacts using GHES-compatible actions/upload-artifact@v3: + # uses: fortify/github-action/with-debug-upload-ghes@v3 + # - Don't upload debug artifacts; use subsequent step to upload to alternative storage: + # uses: fortify/github-action@v3 + - uses: fortify/github-action/with-debug-upload-github@v3 + name: Run Fortify Scan + id: fortify_scan env: SSC_URL: ${{ vars.SSC_URL }} SSC_TOKEN: ${{ secrets.SSC_TOKEN }} SC_SAST_TOKEN: ${{ secrets.SC_SAST_TOKEN }} # SSC_APPVERSION: MyApp:main # Optional: defaults to repo:branch + # - name: Upload Fortify debug artifacts (custom) + # if: ${{ always() && steps.fortify_scan.outputs.upload-debug-artifacts == 'true' }} + # uses: + # with: + # path: ${{ steps.fortify_scan.outputs.debug-artifacts-dir }} ``` #### Custom workflow From 90322bc1fd334f2b14f415877c50de017bc1c502 Mon Sep 17 00:00:00 2001 From: Ruud Senden <8635138+rsenden@users.noreply.github.com> Date: Mon, 20 Apr 2026 16:25:47 +0200 Subject: [PATCH 4/8] chore: Prepare for breaking v4 release --- README.md | 24 ++++++++++++------------ USAGE.md | 24 ++++++++++++------------ action.yml | 8 -------- doc-resources/repo-usage-text.md | 18 +++++++++--------- doc-resources/template-values.md | 2 +- update-action-refs.sh | 7 +++++-- with-debug-upload-ghes/action.yml | 2 -- with-debug-upload-github/action.yml | 2 -- 8 files changed, 39 insertions(+), 48 deletions(-) diff --git a/README.md b/README.md index 7f32bf0..b90a813 100644 --- a/README.md +++ b/README.md @@ -45,12 +45,12 @@ jobs: # Run Fortify scans and upload debug artifacts if debugging is enabled; use one of # the following: # - Upload debug artifacts using github.com-compatible actions/upload-artifact@v7: - # uses: fortify/github-action/with-debug-upload-github@v3 + # uses: fortify/github-action/with-debug-upload-github@v4 # - Upload debug artifacts using GHES-compatible actions/upload-artifact@v3: - # uses: fortify/github-action/with-debug-upload-ghes@v3 + # uses: fortify/github-action/with-debug-upload-ghes@v4 # - Don't upload debug artifacts; use subsequent step to upload to alternative storage: - # uses: fortify/github-action@v3 - - uses: fortify/github-action/with-debug-upload-github@v3 + # uses: fortify/github-action@v4 + - uses: fortify/github-action/with-debug-upload-github@v4 name: Run Fortify Scan id: fortify_scan env: @@ -89,12 +89,12 @@ jobs: # Run Fortify scans and upload debug artifacts if debugging is enabled; use one of # the following: # - Upload debug artifacts using github.com-compatible actions/upload-artifact@v7: - # uses: fortify/github-action/with-debug-upload-github@v3 + # uses: fortify/github-action/with-debug-upload-github@v4 # - Upload debug artifacts using GHES-compatible actions/upload-artifact@v3: - # uses: fortify/github-action/with-debug-upload-ghes@v3 + # uses: fortify/github-action/with-debug-upload-ghes@v4 # - Don't upload debug artifacts; use subsequent step to upload to alternative storage: - # uses: fortify/github-action@v3 - - uses: fortify/github-action/with-debug-upload-github@v3 + # uses: fortify/github-action@v4 + - uses: fortify/github-action/with-debug-upload-github@v4 name: Run Fortify Scan id: fortify_scan env: @@ -120,7 +120,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: fortify/github-action/setup@v3 + - uses: fortify/github-action/setup@v4 with: fcli: bootstrapped # Set up bootstrapped fcli version. May also specify specific version, but # then fcli may be downloaded twice (bootstrap version and requested version). @@ -137,9 +137,9 @@ jobs: Given that these GitHub Actions are just thin wrappers around `@fortify/setup` and `fcli`, detailed usage documentation is available on the fcli documentation website: -* [`fortify/github-action` for OpenText Application Security Code (Fortify on Demand)](https://fortify.github.io/fcli/v3/ci/github/v3.0.x/ast-action-fod.html) -* [`fortify/github-action` for OpenText Software Security Center (Fortify SSC)](https://fortify.github.io/fcli/v3/ci/github/v3.0.x/ast-action-ssc.html) -* [`fortify/github-action/setup`](https://fortify.github.io/fcli/v3/ci/github/v3.0.x/setup-action.html) +* [`fortify/github-action` for OpenText Application Security Code (Fortify on Demand)](https://fortify.github.io/fcli/v3/ci/github/v4.0.x/ast-action-fod.html) +* [`fortify/github-action` for OpenText Software Security Center (Fortify SSC)](https://fortify.github.io/fcli/v3/ci/github/v4.0.x/ast-action-ssc.html) +* [`fortify/github-action/setup`](https://fortify.github.io/fcli/v3/ci/github/v4.0.x/setup-action.html) diff --git a/USAGE.md b/USAGE.md index 45e2895..64359c1 100644 --- a/USAGE.md +++ b/USAGE.md @@ -31,12 +31,12 @@ jobs: # Run Fortify scans and upload debug artifacts if debugging is enabled; use one of # the following: # - Upload debug artifacts using github.com-compatible actions/upload-artifact@v7: - # uses: fortify/github-action/with-debug-upload-github@v3 + # uses: fortify/github-action/with-debug-upload-github@v4 # - Upload debug artifacts using GHES-compatible actions/upload-artifact@v3: - # uses: fortify/github-action/with-debug-upload-ghes@v3 + # uses: fortify/github-action/with-debug-upload-ghes@v4 # - Don't upload debug artifacts; use subsequent step to upload to alternative storage: - # uses: fortify/github-action@v3 - - uses: fortify/github-action/with-debug-upload-github@v3 + # uses: fortify/github-action@v4 + - uses: fortify/github-action/with-debug-upload-github@v4 name: Run Fortify Scan id: fortify_scan env: @@ -75,12 +75,12 @@ jobs: # Run Fortify scans and upload debug artifacts if debugging is enabled; use one of # the following: # - Upload debug artifacts using github.com-compatible actions/upload-artifact@v7: - # uses: fortify/github-action/with-debug-upload-github@v3 + # uses: fortify/github-action/with-debug-upload-github@v4 # - Upload debug artifacts using GHES-compatible actions/upload-artifact@v3: - # uses: fortify/github-action/with-debug-upload-ghes@v3 + # uses: fortify/github-action/with-debug-upload-ghes@v4 # - Don't upload debug artifacts; use subsequent step to upload to alternative storage: - # uses: fortify/github-action@v3 - - uses: fortify/github-action/with-debug-upload-github@v3 + # uses: fortify/github-action@v4 + - uses: fortify/github-action/with-debug-upload-github@v4 name: Run Fortify Scan id: fortify_scan env: @@ -106,7 +106,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: fortify/github-action/setup@v3 + - uses: fortify/github-action/setup@v4 with: fcli: bootstrapped # Set up bootstrapped fcli version. May also specify specific version, but # then fcli may be downloaded twice (bootstrap version and requested version). @@ -123,9 +123,9 @@ jobs: Given that these GitHub Actions are just thin wrappers around `@fortify/setup` and `fcli`, detailed usage documentation is available on the fcli documentation website: -* [`fortify/github-action` for OpenText Application Security Code (Fortify on Demand)](https://fortify.github.io/fcli/v3/ci/github/v3.0.x/ast-action-fod.html) -* [`fortify/github-action` for OpenText Software Security Center (Fortify SSC)](https://fortify.github.io/fcli/v3/ci/github/v3.0.x/ast-action-ssc.html) -* [`fortify/github-action/setup`](https://fortify.github.io/fcli/v3/ci/github/v3.0.x/setup-action.html) +* [`fortify/github-action` for OpenText Application Security Code (Fortify on Demand)](https://fortify.github.io/fcli/v3/ci/github/v4.0.x/ast-action-fod.html) +* [`fortify/github-action` for OpenText Software Security Center (Fortify SSC)](https://fortify.github.io/fcli/v3/ci/github/v4.0.x/ast-action-ssc.html) +* [`fortify/github-action/setup`](https://fortify.github.io/fcli/v3/ci/github/v4.0.x/setup-action.html) diff --git a/action.yml b/action.yml index 90a93c9..4d4dcbf 100644 --- a/action.yml +++ b/action.yml @@ -6,14 +6,6 @@ inputs: description: 'Whether to output debug artifacts; note that these may contain sensitive data like access tokens or credentials. Automatically enabled when workflow is re-run with "Enable debug logging" checked.' required: false default: 'false' - debug-artifact-name: - description: 'Deprecated & ignored - This action no longer uploads debug artifacts; see the `with-debug-upload-*` sub-actions for uploading debug artifacts.' - required: false - default: 'fortify-debug-artifacts' - debug-retention-days: - description: 'Deprecated & ignored - This action no longer uploads debug artifacts; see the `with-debug-upload-*` sub-actions for uploading debug artifacts.' - required: false - default: '1' outputs: upload-debug-artifacts: description: '"true" if debug artifacts should be uploaded (inputs.debug==true or runner.debug==1)' diff --git a/doc-resources/repo-usage-text.md b/doc-resources/repo-usage-text.md index 101f26c..46b124f 100644 --- a/doc-resources/repo-usage-text.md +++ b/doc-resources/repo-usage-text.md @@ -23,12 +23,12 @@ jobs: # Run Fortify scans and upload debug artifacts if debugging is enabled; use one of # the following: # - Upload debug artifacts using github.com-compatible actions/upload-artifact@v7: - # uses: fortify/github-action/with-debug-upload-github@v3 + # uses: fortify/github-action/with-debug-upload-github@v4 # - Upload debug artifacts using GHES-compatible actions/upload-artifact@v3: - # uses: fortify/github-action/with-debug-upload-ghes@v3 + # uses: fortify/github-action/with-debug-upload-ghes@v4 # - Don't upload debug artifacts; use subsequent step to upload to alternative storage: - # uses: fortify/github-action@v3 - - uses: fortify/github-action/with-debug-upload-github@v3 + # uses: fortify/github-action@v4 + - uses: fortify/github-action/with-debug-upload-github@v4 name: Run Fortify Scan id: fortify_scan env: @@ -67,12 +67,12 @@ jobs: # Run Fortify scans and upload debug artifacts if debugging is enabled; use one of # the following: # - Upload debug artifacts using github.com-compatible actions/upload-artifact@v7: - # uses: fortify/github-action/with-debug-upload-github@v3 + # uses: fortify/github-action/with-debug-upload-github@v4 # - Upload debug artifacts using GHES-compatible actions/upload-artifact@v3: - # uses: fortify/github-action/with-debug-upload-ghes@v3 + # uses: fortify/github-action/with-debug-upload-ghes@v4 # - Don't upload debug artifacts; use subsequent step to upload to alternative storage: - # uses: fortify/github-action@v3 - - uses: fortify/github-action/with-debug-upload-github@v3 + # uses: fortify/github-action@v4 + - uses: fortify/github-action/with-debug-upload-github@v4 name: Run Fortify Scan id: fortify_scan env: @@ -98,7 +98,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: fortify/github-action/setup@v3 + - uses: fortify/github-action/setup@v4 with: fcli: bootstrapped # Set up bootstrapped fcli version. May also specify specific version, but # then fcli may be downloaded twice (bootstrap version and requested version). diff --git a/doc-resources/template-values.md b/doc-resources/template-values.md index 0b0b3d9..b67bc47 100644 --- a/doc-resources/template-values.md +++ b/doc-resources/template-values.md @@ -11,4 +11,4 @@ https://github.com/fortify/github-action https://fortify.github.io/fcli/v3 # action-doc-version -v3.0.x +v4.0.x diff --git a/update-action-refs.sh b/update-action-refs.sh index 40daa86..4a91488 100755 --- a/update-action-refs.sh +++ b/update-action-refs.sh @@ -1,7 +1,10 @@ #!/bin/bash for f in $(find . -name 'action.yml'); do - if grep -qrlZ 'uses: fortify/github-action/' $f; then + if grep -qrlZ 'uses: fortify/github-action' $f; then echo "Updating $f: version $1" && \ - sed -r -i -e "s|(uses: fortify\/github-action\/[^@]+)@.*|\1@$1|g" "$f" + sed -r -i \ + -e "s|(uses: fortify\/github-action\/[^@]+)@.*|\1@$1|g" \ + -e "s|(uses: fortify\/github-action)@.*|\1@$1|g" \ + "$f" fi done diff --git a/with-debug-upload-ghes/action.yml b/with-debug-upload-ghes/action.yml index f37fb97..429eb37 100644 --- a/with-debug-upload-ghes/action.yml +++ b/with-debug-upload-ghes/action.yml @@ -23,8 +23,6 @@ runs: uses: fortify/github-action@feat/configurable-debug-upload with: debug: ${{ inputs.debug }} - debug-artifact-name: ${{ inputs.debug-artifact-name }} - debug-retention-days: ${{ inputs.debug-retention-days }} - name: Upload debug artifacts (GHES) if: ${{ always() && steps.run_ast_scan.outputs.upload-debug-artifacts == 'true' }} diff --git a/with-debug-upload-github/action.yml b/with-debug-upload-github/action.yml index 3ea2b4c..91c90bd 100644 --- a/with-debug-upload-github/action.yml +++ b/with-debug-upload-github/action.yml @@ -23,8 +23,6 @@ runs: uses: fortify/github-action@feat/configurable-debug-upload with: debug: ${{ inputs.debug }} - debug-artifact-name: ${{ inputs.debug-artifact-name }} - debug-retention-days: ${{ inputs.debug-retention-days }} - name: Upload debug artifacts (github.com) if: ${{ always() && steps.run_ast_scan.outputs.upload-debug-artifacts == 'true' }} From 63000e4ed0d650503c7504cdd4f238e089434fe1 Mon Sep 17 00:00:00 2001 From: Ruud Senden <8635138+rsenden@users.noreply.github.com> Date: Mon, 20 Apr 2026 17:18:58 +0200 Subject: [PATCH 5/8] chore: Update workflow to use 3rdparty-actions repo --- .github/workflows/publish.yml | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 97c7a5e..4c40f67 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -37,25 +37,23 @@ jobs: - name: Generate and process release PR id: release_please - uses: googleapis/release-please-action@v4 + uses: fortify/3rdparty-actions/actions/googleapis/release-please-action/v4@main with: release-type: simple - name: Publish v{major}.{minor} tag if: steps.release_please.outputs.release_created - uses: richardsimko/update-tag@aab2434e9a5040687874aa39d1c6377ec0cb0d94 + uses: fortify/3rdparty-actions/actions/richardsimko/update-tag/v1@main with: tag_name: v${{steps.release_please.outputs.major}}.${{steps.release_please.outputs.minor}} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ secrets.GITHUB_TOKEN }} - name: Publish v{major} tag if: steps.release_please.outputs.release_created - uses: richardsimko/update-tag@aab2434e9a5040687874aa39d1c6377ec0cb0d94 + uses: fortify/3rdparty-actions/actions/richardsimko/update-tag/v1@main with: tag_name: v${{steps.release_please.outputs.major}} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ secrets.GITHUB_TOKEN }} - name: Update release PR if: steps.release_please.outputs.pr From bf6b945b81e3b4a09bfce917e9337c0d7b68e702 Mon Sep 17 00:00:00 2001 From: Ruud Senden <8635138+rsenden@users.noreply.github.com> Date: Wed, 22 Apr 2026 12:40:35 +0200 Subject: [PATCH 6/8] chore: Rename actions, provide backward compatibility for top-level action --- README.md | 61 ++++++++----------- USAGE.md | 59 ++++++++---------- action.yml | 51 +++++----------- doc-resources/repo-intro.md | 2 +- doc-resources/repo-usage-text.md | 57 ++++++++--------- doc-resources/template-values.md | 2 +- .../action.yml | 4 +- .../action.yml | 4 +- without-artifacts/action.yml | 44 +++++++++++++ 9 files changed, 141 insertions(+), 143 deletions(-) rename {with-debug-upload-ghes => with-ghes-artifacts}/action.yml (90%) rename {with-debug-upload-github => with-github-artifacts}/action.yml (90%) create mode 100644 without-artifacts/action.yml diff --git a/README.md b/README.md index b90a813..25a44d9 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ The `fortify/github-action` GitHub Action allows for easy integration of OpenTex As such, this GitHub Action automatically benefits from new features and bug fixes as they are introduced in fcli, although there are options to use a fixed fcli version in case you need more stability. At the time of writing, the fcli `ci` action provides out-of-the-box support for Static Application Security Testing (SAST) and Software Composition Analysis (SCA); support for Dynamic or Mobile Application Security Testing (DAST & MAST) may be added in the future. -Apart from the top-level `fortify/github-action` (and related `fortify/github-action/with-debug-upload-*` sub-actions) for running the fcli-based `ci` workflow, this repository also provides the `fortify/github-action/setup` GitHub Action. This action allows for setting up fcli and other Fortify tools like ScanCentral Client for use in a custom GitHub Actions workflow, for example for implementing a fully customized AST scan workflow or some other automation workflow that needs to interact with Fortify products. +Apart from the top-level `fortify/github-action` (and related `fortify/github-action/with-github-artifacts`, `fortify/github-action/with-ghes-artifacts`, and `fortify/github-action/without-artifacts` sub-actions) for running the fcli-based `ci` workflow, this repository also provides the `fortify/github-action/setup` GitHub Action. This `setup` action allows for setting up fcli and other Fortify tools like ScanCentral Client for use in a custom GitHub Actions workflow, for example for implementing a fully customized AST scan workflow or some other automation workflow that needs to interact with Fortify products. @@ -42,28 +42,16 @@ jobs: steps: - uses: actions/checkout@v4 # Check out source code - uses: actions/setup-@vX # Set up build tool(s) required to build your project - # Run Fortify scans and upload debug artifacts if debugging is enabled; use one of - # the following: - # - Upload debug artifacts using github.com-compatible actions/upload-artifact@v7: - # uses: fortify/github-action/with-debug-upload-github@v4 - # - Upload debug artifacts using GHES-compatible actions/upload-artifact@v3: - # uses: fortify/github-action/with-debug-upload-ghes@v4 - # - Don't upload debug artifacts; use subsequent step to upload to alternative storage: - # uses: fortify/github-action@v4 - - uses: fortify/github-action/with-debug-upload-github@v4 + # Bootstrap fcli, run the fcli-based Fortify CI workflow, and upload any debug artifacts + # to GitHub artifact storage (see artifact storage section below for alternative options) + - uses: fortify/github-action@v3.1 name: Run Fortify Scan - id: fortify_scan env: FOD_URL: ${{ vars.FOD_URL }} FOD_CLIENT_ID: ${{ secrets.FOD_CLIENT_ID }} FOD_CLIENT_SECRET: ${{ secrets.FOD_CLIENT_SECRET }} # FOD_RELEASE: MyApp:main # Optional: defaults to repo:branch # FCLI_BOOTSTRAP_VERSION: v3.15 # Optional if you prefer stability over latest - # - name: Upload Fortify debug artifacts (custom) - # if: ${{ always() && steps.fortify_scan.outputs.upload-debug-artifacts == 'true' }} - # uses: - # with: - # path: ${{ steps.fortify_scan.outputs.debug-artifacts-dir }} ``` #### OpenText Application Security (Fortify Software Security Center) @@ -86,27 +74,15 @@ jobs: steps: - uses: actions/checkout@v4 # Check out source code - uses: actions/setup-@vX # Set up build tool(s) required to build your project - # Run Fortify scans and upload debug artifacts if debugging is enabled; use one of - # the following: - # - Upload debug artifacts using github.com-compatible actions/upload-artifact@v7: - # uses: fortify/github-action/with-debug-upload-github@v4 - # - Upload debug artifacts using GHES-compatible actions/upload-artifact@v3: - # uses: fortify/github-action/with-debug-upload-ghes@v4 - # - Don't upload debug artifacts; use subsequent step to upload to alternative storage: - # uses: fortify/github-action@v4 - - uses: fortify/github-action/with-debug-upload-github@v4 + # Bootstrap fcli, run the fcli-based Fortify CI workflow, and upload any debug artifacts + # to GitHub artifact storage (see artifact storage section below for alternative options) + - uses: fortify/github-action@v3.1 name: Run Fortify Scan - id: fortify_scan env: SSC_URL: ${{ vars.SSC_URL }} SSC_TOKEN: ${{ secrets.SSC_TOKEN }} SC_SAST_TOKEN: ${{ secrets.SC_SAST_TOKEN }} # SSC_APPVERSION: MyApp:main # Optional: defaults to repo:branch - # - name: Upload Fortify debug artifacts (custom) - # if: ${{ always() && steps.fortify_scan.outputs.upload-debug-artifacts == 'true' }} - # uses: - # with: - # path: ${{ steps.fortify_scan.outputs.debug-artifacts-dir }} ``` #### Custom workflow @@ -120,7 +96,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: fortify/github-action/setup@v4 + - uses: fortify/github-action/setup@v3.1 with: fcli: bootstrapped # Set up bootstrapped fcli version. May also specify specific version, but # then fcli may be downloaded twice (bootstrap version and requested version). @@ -133,13 +109,28 @@ jobs: fcli fod session logout ... ``` +### Artifact storage + +If debugging is enabled (either via the `debug: true` action input or by re-running the workflow with GitHub's "Enable debug logging" option), debug artifacts are collected during the scan and uploaded after the scan completes. + +The top-level `fortify/github-action` action uploads debug artifacts to GitHub.com artifact storage using `actions/upload-artifact@v7`. If this doesn't match your environment, the following sub-actions provide alternatives: + +| Sub-action | Description | +|---|---| +| `fortify/github-action` | Default. Uploads to GitHub.com artifact storage using `actions/upload-artifact@v7`. | +| `fortify/github-action/with-github-artifacts` | Identical to the default; use this when you want to make the artifact storage choice explicit in your workflow. | +| `fortify/github-action/with-ghes-artifacts` | Uploads to GHES-compatible artifact storage using `actions/upload-artifact@v3`. Use this on GitHub Enterprise Server. | +| `fortify/github-action/without-artifacts` | Does not upload artifacts. Exposes `upload-debug-artifacts` and `debug-artifacts-dir` outputs so you can add your own upload step targeting any storage backend. | + ### Detailed Documentation Given that these GitHub Actions are just thin wrappers around `@fortify/setup` and `fcli`, detailed usage documentation is available on the fcli documentation website: -* [`fortify/github-action` for OpenText Application Security Code (Fortify on Demand)](https://fortify.github.io/fcli/v3/ci/github/v4.0.x/ast-action-fod.html) -* [`fortify/github-action` for OpenText Software Security Center (Fortify SSC)](https://fortify.github.io/fcli/v3/ci/github/v4.0.x/ast-action-ssc.html) -* [`fortify/github-action/setup`](https://fortify.github.io/fcli/v3/ci/github/v4.0.x/setup-action.html) +* `fortify/github-action` (default — GitHub.com artifact upload): [FoD](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-fod.html) | [SSC](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-ssc.html) +* `fortify/github-action/with-github-artifacts` (explicit GitHub.com artifact upload): [FoD](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-github-artifacts-fod.html) | [SSC](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-github-artifacts-ssc.html) +* `fortify/github-action/with-ghes-artifacts` (GHES-compatible artifact upload): [FoD](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-ghes-artifacts-fod.html) | [SSC](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-ghes-artifacts-ssc.html) +* `fortify/github-action/without-artifacts` (custom artifact upload): [FoD](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-without-artifacts-fod.html) | [SSC](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-without-artifacts-ssc.html) +* [`fortify/github-action/setup`](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/setup-action.html) diff --git a/USAGE.md b/USAGE.md index 64359c1..27cf74f 100644 --- a/USAGE.md +++ b/USAGE.md @@ -28,28 +28,16 @@ jobs: steps: - uses: actions/checkout@v4 # Check out source code - uses: actions/setup-@vX # Set up build tool(s) required to build your project - # Run Fortify scans and upload debug artifacts if debugging is enabled; use one of - # the following: - # - Upload debug artifacts using github.com-compatible actions/upload-artifact@v7: - # uses: fortify/github-action/with-debug-upload-github@v4 - # - Upload debug artifacts using GHES-compatible actions/upload-artifact@v3: - # uses: fortify/github-action/with-debug-upload-ghes@v4 - # - Don't upload debug artifacts; use subsequent step to upload to alternative storage: - # uses: fortify/github-action@v4 - - uses: fortify/github-action/with-debug-upload-github@v4 + # Bootstrap fcli, run the fcli-based Fortify CI workflow, and upload any debug artifacts + # to GitHub artifact storage (see artifact storage section below for alternative options) + - uses: fortify/github-action@v3.1 name: Run Fortify Scan - id: fortify_scan env: FOD_URL: ${{ vars.FOD_URL }} FOD_CLIENT_ID: ${{ secrets.FOD_CLIENT_ID }} FOD_CLIENT_SECRET: ${{ secrets.FOD_CLIENT_SECRET }} # FOD_RELEASE: MyApp:main # Optional: defaults to repo:branch # FCLI_BOOTSTRAP_VERSION: v3.15 # Optional if you prefer stability over latest - # - name: Upload Fortify debug artifacts (custom) - # if: ${{ always() && steps.fortify_scan.outputs.upload-debug-artifacts == 'true' }} - # uses: - # with: - # path: ${{ steps.fortify_scan.outputs.debug-artifacts-dir }} ``` #### OpenText Application Security (Fortify Software Security Center) @@ -72,27 +60,15 @@ jobs: steps: - uses: actions/checkout@v4 # Check out source code - uses: actions/setup-@vX # Set up build tool(s) required to build your project - # Run Fortify scans and upload debug artifacts if debugging is enabled; use one of - # the following: - # - Upload debug artifacts using github.com-compatible actions/upload-artifact@v7: - # uses: fortify/github-action/with-debug-upload-github@v4 - # - Upload debug artifacts using GHES-compatible actions/upload-artifact@v3: - # uses: fortify/github-action/with-debug-upload-ghes@v4 - # - Don't upload debug artifacts; use subsequent step to upload to alternative storage: - # uses: fortify/github-action@v4 - - uses: fortify/github-action/with-debug-upload-github@v4 + # Bootstrap fcli, run the fcli-based Fortify CI workflow, and upload any debug artifacts + # to GitHub artifact storage (see artifact storage section below for alternative options) + - uses: fortify/github-action@v3.1 name: Run Fortify Scan - id: fortify_scan env: SSC_URL: ${{ vars.SSC_URL }} SSC_TOKEN: ${{ secrets.SSC_TOKEN }} SC_SAST_TOKEN: ${{ secrets.SC_SAST_TOKEN }} # SSC_APPVERSION: MyApp:main # Optional: defaults to repo:branch - # - name: Upload Fortify debug artifacts (custom) - # if: ${{ always() && steps.fortify_scan.outputs.upload-debug-artifacts == 'true' }} - # uses: - # with: - # path: ${{ steps.fortify_scan.outputs.debug-artifacts-dir }} ``` #### Custom workflow @@ -106,7 +82,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: fortify/github-action/setup@v4 + - uses: fortify/github-action/setup@v3.1 with: fcli: bootstrapped # Set up bootstrapped fcli version. May also specify specific version, but # then fcli may be downloaded twice (bootstrap version and requested version). @@ -119,13 +95,28 @@ jobs: fcli fod session logout ... ``` +### Artifact storage + +If debugging is enabled (either via the `debug: true` action input or by re-running the workflow with GitHub's "Enable debug logging" option), debug artifacts are collected during the scan and uploaded after the scan completes. + +The top-level `fortify/github-action` action uploads debug artifacts to GitHub.com artifact storage using `actions/upload-artifact@v7`. If this doesn't match your environment, the following sub-actions provide alternatives: + +| Sub-action | Description | +|---|---| +| `fortify/github-action` | Default. Uploads to GitHub.com artifact storage using `actions/upload-artifact@v7`. | +| `fortify/github-action/with-github-artifacts` | Identical to the default; use this when you want to make the artifact storage choice explicit in your workflow. | +| `fortify/github-action/with-ghes-artifacts` | Uploads to GHES-compatible artifact storage using `actions/upload-artifact@v3`. Use this on GitHub Enterprise Server. | +| `fortify/github-action/without-artifacts` | Does not upload artifacts. Exposes `upload-debug-artifacts` and `debug-artifacts-dir` outputs so you can add your own upload step targeting any storage backend. | + ### Detailed Documentation Given that these GitHub Actions are just thin wrappers around `@fortify/setup` and `fcli`, detailed usage documentation is available on the fcli documentation website: -* [`fortify/github-action` for OpenText Application Security Code (Fortify on Demand)](https://fortify.github.io/fcli/v3/ci/github/v4.0.x/ast-action-fod.html) -* [`fortify/github-action` for OpenText Software Security Center (Fortify SSC)](https://fortify.github.io/fcli/v3/ci/github/v4.0.x/ast-action-ssc.html) -* [`fortify/github-action/setup`](https://fortify.github.io/fcli/v3/ci/github/v4.0.x/setup-action.html) +* `fortify/github-action` (default — GitHub.com artifact upload): [FoD](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-fod.html) | [SSC](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-ssc.html) +* `fortify/github-action/with-github-artifacts` (explicit GitHub.com artifact upload): [FoD](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-github-artifacts-fod.html) | [SSC](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-github-artifacts-ssc.html) +* `fortify/github-action/with-ghes-artifacts` (GHES-compatible artifact upload): [FoD](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-ghes-artifacts-fod.html) | [SSC](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-ghes-artifacts-ssc.html) +* `fortify/github-action/without-artifacts` (custom artifact upload): [FoD](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-without-artifacts-fod.html) | [SSC](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-without-artifacts-ssc.html) +* [`fortify/github-action/setup`](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/setup-action.html) diff --git a/action.yml b/action.yml index 4d4dcbf..14b2a5b 100644 --- a/action.yml +++ b/action.yml @@ -1,48 +1,29 @@ name: 'Fortify AST Scan' -description: 'Run Fortify AST Scan.' +description: 'Run Fortify AST Scan and upload debug artifacts using actions/upload-artifact@v7 (GitHub.com).' author: 'Fortify' inputs: debug: - description: 'Whether to output debug artifacts; note that these may contain sensitive data like access tokens or credentials. Automatically enabled when workflow is re-run with "Enable debug logging" checked.' + description: 'Whether to generate & collect debug artifacts; note that these may contain sensitive data like access tokens or credentials. Automatically enabled when workflow is re-run with "Enable debug logging" checked.' required: false default: 'false' -outputs: - upload-debug-artifacts: - description: '"true" if debug artifacts should be uploaded (inputs.debug==true or runner.debug==1)' - value: ${{ steps.set-outputs.outputs.upload-debug-artifacts }} - debug-artifacts-dir: - description: 'Path to the debug artifacts directory (env.FORTIFY_DATA_DIR)' - value: ${{ steps.set-outputs.outputs.debug-artifacts-dir }} + debug-artifact-name: + description: 'Name for the debug artifacts archive; defaults to "fortify-debug-artifacts"' + required: false + default: 'fortify-debug-artifacts' + debug-retention-days: + description: 'Number of days to retain debug artifacts; defaults to 1 due to sensitivity of data' + required: false + default: '1' + runs: using: composite steps: - - name: Set Fortify data directory - run: echo "FORTIFY_DATA_DIR=${{ runner.temp }}/fortify-data" >> $GITHUB_ENV - shell: bash - - uses: fortify/github-action/setup@feat/configurable-debug-upload + uses: fortify/github-action/with-github-artifacts@feat/configurable-debug-upload with: - fcli: bootstrapped - export-path: false - - run: | - mkdir -p "${FORTIFY_DATA_DIR}" && cd "${FORTIFY_DATA_DIR}" - "${FCLI_CMD}" action run ci --debug=${{ inputs.debug == 'true' || runner.debug == '1' }} - shell: bash - env: - GITHUB_TOKEN: ${{ github.token }} - SAST_EXPORT_EXTRA_OPTS: --publish=true ${{ env.SAST_EXPORT_EXTRA_OPTS || '' }} - DEBRICKED_EXPORT_EXTRA_OPTS: --publish=true ${{ env.DEBRICKED_EXPORT_EXTRA_OPTS || '' }} - - name: Set action outputs - if: always() # Ensure outputs are set even if the previous step fails, so that debug artifacts can be uploaded when enabled - id: set-outputs - run: | - if [ "${{ inputs.debug }}" = "true" ] || [ "${{ runner.debug }}" = "1" ]; then - echo "upload-debug-artifacts=true" >> $GITHUB_OUTPUT - else - echo "upload-debug-artifacts=false" >> $GITHUB_OUTPUT - fi - echo "debug-artifacts-dir=${FORTIFY_DATA_DIR}" >> $GITHUB_OUTPUT - shell: bash - + debug: ${{ inputs.debug }} + debug-artifact-name: ${{ inputs.debug-artifact-name }} + debug-retention-days: ${{ inputs.debug-retention-days }} + branding: icon: 'shield' color: 'blue' diff --git a/doc-resources/repo-intro.md b/doc-resources/repo-intro.md index 584ab7b..35f2cf9 100644 --- a/doc-resources/repo-intro.md +++ b/doc-resources/repo-intro.md @@ -2,7 +2,7 @@ The `fortify/github-action` GitHub Action allows for easy integration of OpenTex As such, this GitHub Action automatically benefits from new features and bug fixes as they are introduced in fcli, although there are options to use a fixed fcli version in case you need more stability. At the time of writing, the fcli `ci` action provides out-of-the-box support for Static Application Security Testing (SAST) and Software Composition Analysis (SCA); support for Dynamic or Mobile Application Security Testing (DAST & MAST) may be added in the future. -Apart from the top-level `fortify/github-action` (and related `fortify/github-action/with-debug-upload-*` sub-actions) for running the fcli-based `ci` workflow, this repository also provides the `fortify/github-action/setup` GitHub Action. This action allows for setting up fcli and other Fortify tools like ScanCentral Client for use in a custom GitHub Actions workflow, for example for implementing a fully customized AST scan workflow or some other automation workflow that needs to interact with Fortify products. +Apart from the top-level `fortify/github-action` (and related `fortify/github-action/with-github-artifacts`, `fortify/github-action/with-ghes-artifacts`, and `fortify/github-action/without-artifacts` sub-actions) for running the fcli-based `ci` workflow, this repository also provides the `fortify/github-action/setup` GitHub Action. This `setup` action allows for setting up fcli and other Fortify tools like ScanCentral Client for use in a custom GitHub Actions workflow, for example for implementing a fully customized AST scan workflow or some other automation workflow that needs to interact with Fortify products. {{include:repo-usage-text.md}} diff --git a/doc-resources/repo-usage-text.md b/doc-resources/repo-usage-text.md index 46b124f..56433c7 100644 --- a/doc-resources/repo-usage-text.md +++ b/doc-resources/repo-usage-text.md @@ -20,28 +20,16 @@ jobs: steps: - uses: actions/checkout@v4 # Check out source code - uses: actions/setup-@vX # Set up build tool(s) required to build your project - # Run Fortify scans and upload debug artifacts if debugging is enabled; use one of - # the following: - # - Upload debug artifacts using github.com-compatible actions/upload-artifact@v7: - # uses: fortify/github-action/with-debug-upload-github@v4 - # - Upload debug artifacts using GHES-compatible actions/upload-artifact@v3: - # uses: fortify/github-action/with-debug-upload-ghes@v4 - # - Don't upload debug artifacts; use subsequent step to upload to alternative storage: - # uses: fortify/github-action@v4 - - uses: fortify/github-action/with-debug-upload-github@v4 + # Bootstrap fcli, run the fcli-based Fortify CI workflow, and upload any debug artifacts + # to GitHub artifact storage (see artifact storage section below for alternative options) + - uses: fortify/github-action@v3.1 name: Run Fortify Scan - id: fortify_scan env: FOD_URL: ${{ vars.FOD_URL }} FOD_CLIENT_ID: ${{ secrets.FOD_CLIENT_ID }} FOD_CLIENT_SECRET: ${{ secrets.FOD_CLIENT_SECRET }} # FOD_RELEASE: MyApp:main # Optional: defaults to repo:branch # FCLI_BOOTSTRAP_VERSION: v3.15 # Optional if you prefer stability over latest - # - name: Upload Fortify debug artifacts (custom) - # if: ${{ always() && steps.fortify_scan.outputs.upload-debug-artifacts == 'true' }} - # uses: - # with: - # path: ${{ steps.fortify_scan.outputs.debug-artifacts-dir }} ``` #### OpenText Application Security (Fortify Software Security Center) @@ -64,27 +52,15 @@ jobs: steps: - uses: actions/checkout@v4 # Check out source code - uses: actions/setup-@vX # Set up build tool(s) required to build your project - # Run Fortify scans and upload debug artifacts if debugging is enabled; use one of - # the following: - # - Upload debug artifacts using github.com-compatible actions/upload-artifact@v7: - # uses: fortify/github-action/with-debug-upload-github@v4 - # - Upload debug artifacts using GHES-compatible actions/upload-artifact@v3: - # uses: fortify/github-action/with-debug-upload-ghes@v4 - # - Don't upload debug artifacts; use subsequent step to upload to alternative storage: - # uses: fortify/github-action@v4 - - uses: fortify/github-action/with-debug-upload-github@v4 + # Bootstrap fcli, run the fcli-based Fortify CI workflow, and upload any debug artifacts + # to GitHub artifact storage (see artifact storage section below for alternative options) + - uses: fortify/github-action@v3.1 name: Run Fortify Scan - id: fortify_scan env: SSC_URL: ${{ vars.SSC_URL }} SSC_TOKEN: ${{ secrets.SSC_TOKEN }} SC_SAST_TOKEN: ${{ secrets.SC_SAST_TOKEN }} # SSC_APPVERSION: MyApp:main # Optional: defaults to repo:branch - # - name: Upload Fortify debug artifacts (custom) - # if: ${{ always() && steps.fortify_scan.outputs.upload-debug-artifacts == 'true' }} - # uses: - # with: - # path: ${{ steps.fortify_scan.outputs.debug-artifacts-dir }} ``` #### Custom workflow @@ -98,7 +74,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: fortify/github-action/setup@v4 + - uses: fortify/github-action/setup@v3.1 with: fcli: bootstrapped # Set up bootstrapped fcli version. May also specify specific version, but # then fcli may be downloaded twice (bootstrap version and requested version). @@ -111,12 +87,27 @@ jobs: fcli fod session logout ... ``` +### Artifact storage + +If debugging is enabled (either via the `debug: true` action input or by re-running the workflow with GitHub's "Enable debug logging" option), debug artifacts are collected during the scan and uploaded after the scan completes. + +The top-level `fortify/github-action` action uploads debug artifacts to GitHub.com artifact storage using `actions/upload-artifact@v7`. If this doesn't match your environment, the following sub-actions provide alternatives: + +| Sub-action | Description | +|---|---| +| `fortify/github-action` | Default. Uploads to GitHub.com artifact storage using `actions/upload-artifact@v7`. | +| `fortify/github-action/with-github-artifacts` | Identical to the default; use this when you want to make the artifact storage choice explicit in your workflow. | +| `fortify/github-action/with-ghes-artifacts` | Uploads to GHES-compatible artifact storage using `actions/upload-artifact@v3`. Use this on GitHub Enterprise Server. | +| `fortify/github-action/without-artifacts` | Does not upload artifacts. Exposes `upload-debug-artifacts` and `debug-artifacts-dir` outputs so you can add your own upload step targeting any storage backend. | + ### Detailed Documentation Given that these GitHub Actions are just thin wrappers around `@fortify/setup` and `fcli`, detailed usage documentation is available on the fcli documentation website: -* [`fortify/github-action` for OpenText Application Security Code (Fortify on Demand)]({{var:fcli-doc-base-url}}/ci/github/{{var:action-doc-version}}/ast-action-fod.html) -* [`fortify/github-action` for OpenText Software Security Center (Fortify SSC)]({{var:fcli-doc-base-url}}/ci/github/{{var:action-doc-version}}/ast-action-ssc.html) +* `fortify/github-action` (default — GitHub.com artifact upload): [FoD]({{var:fcli-doc-base-url}}/ci/github/{{var:action-doc-version}}/ast-action-fod.html) | [SSC]({{var:fcli-doc-base-url}}/ci/github/{{var:action-doc-version}}/ast-action-ssc.html) +* `fortify/github-action/with-github-artifacts` (explicit GitHub.com artifact upload): [FoD]({{var:fcli-doc-base-url}}/ci/github/{{var:action-doc-version}}/ast-action-with-github-artifacts-fod.html) | [SSC]({{var:fcli-doc-base-url}}/ci/github/{{var:action-doc-version}}/ast-action-with-github-artifacts-ssc.html) +* `fortify/github-action/with-ghes-artifacts` (GHES-compatible artifact upload): [FoD]({{var:fcli-doc-base-url}}/ci/github/{{var:action-doc-version}}/ast-action-with-ghes-artifacts-fod.html) | [SSC]({{var:fcli-doc-base-url}}/ci/github/{{var:action-doc-version}}/ast-action-with-ghes-artifacts-ssc.html) +* `fortify/github-action/without-artifacts` (custom artifact upload): [FoD]({{var:fcli-doc-base-url}}/ci/github/{{var:action-doc-version}}/ast-action-without-artifacts-fod.html) | [SSC]({{var:fcli-doc-base-url}}/ci/github/{{var:action-doc-version}}/ast-action-without-artifacts-ssc.html) * [`fortify/github-action/setup`]({{var:fcli-doc-base-url}}/ci/github/{{var:action-doc-version}}/setup-action.html) diff --git a/doc-resources/template-values.md b/doc-resources/template-values.md index b67bc47..d685a1a 100644 --- a/doc-resources/template-values.md +++ b/doc-resources/template-values.md @@ -11,4 +11,4 @@ https://github.com/fortify/github-action https://fortify.github.io/fcli/v3 # action-doc-version -v4.0.x +v3.1.x diff --git a/with-debug-upload-ghes/action.yml b/with-ghes-artifacts/action.yml similarity index 90% rename from with-debug-upload-ghes/action.yml rename to with-ghes-artifacts/action.yml index 429eb37..83f6524 100644 --- a/with-debug-upload-ghes/action.yml +++ b/with-ghes-artifacts/action.yml @@ -1,4 +1,4 @@ -name: 'Fortify AST Scan (with debug upload - GHES)' +name: 'Fortify AST Scan (with GHES artifacts)' description: 'Run Fortify AST Scan and upload debug artifacts using actions/upload-artifact@v3 (GHES-compatible).' author: 'Fortify' inputs: @@ -20,7 +20,7 @@ runs: steps: - name: Run Fortify AST Scan id: run_ast_scan - uses: fortify/github-action@feat/configurable-debug-upload + uses: fortify/github-action/without-artifacts@feat/configurable-debug-upload with: debug: ${{ inputs.debug }} diff --git a/with-debug-upload-github/action.yml b/with-github-artifacts/action.yml similarity index 90% rename from with-debug-upload-github/action.yml rename to with-github-artifacts/action.yml index 91c90bd..0586386 100644 --- a/with-debug-upload-github/action.yml +++ b/with-github-artifacts/action.yml @@ -1,4 +1,4 @@ -name: 'Fortify AST Scan (with debug upload - GitHub.com)' +name: 'Fortify AST Scan (with GitHub artifacts)' description: 'Run Fortify AST Scan and upload debug artifacts using actions/upload-artifact@v7 (GitHub.com).' author: 'Fortify' inputs: @@ -20,7 +20,7 @@ runs: steps: - name: Run Fortify AST Scan id: run_ast_scan - uses: fortify/github-action@feat/configurable-debug-upload + uses: fortify/github-action/without-artifacts@feat/configurable-debug-upload with: debug: ${{ inputs.debug }} diff --git a/without-artifacts/action.yml b/without-artifacts/action.yml new file mode 100644 index 0000000..ba229dd --- /dev/null +++ b/without-artifacts/action.yml @@ -0,0 +1,44 @@ +name: 'Fortify AST Scan (without artifacts)' +description: 'Run Fortify AST Scan without uploading debug artifacts; use this sub-action to implement a custom debug artifact upload mechanism.' +author: 'Fortify' +inputs: + debug: + description: 'Whether to output debug artifacts; note that these may contain sensitive data like access tokens or credentials. Automatically enabled when workflow is re-run with "Enable debug logging" checked.' + required: false + default: 'false' +outputs: + upload-debug-artifacts: + description: '"true" if debug artifacts should be uploaded (inputs.debug==true or runner.debug==1)' + value: ${{ steps.set-outputs.outputs.upload-debug-artifacts }} + debug-artifacts-dir: + description: 'Path to the debug artifacts directory (env.FORTIFY_DATA_DIR)' + value: ${{ steps.set-outputs.outputs.debug-artifacts-dir }} +runs: + using: composite + steps: + - name: Set Fortify data directory + run: echo "FORTIFY_DATA_DIR=${{ runner.temp }}/fortify-data" >> $GITHUB_ENV + shell: bash + - uses: fortify/github-action/setup@feat/configurable-debug-upload + with: + fcli: bootstrapped + export-path: false + - run: | + mkdir -p "${FORTIFY_DATA_DIR}" && cd "${FORTIFY_DATA_DIR}" + "${FCLI_CMD}" action run ci --debug=${{ inputs.debug == 'true' || runner.debug == '1' }} + shell: bash + env: + GITHUB_TOKEN: ${{ github.token }} + SAST_EXPORT_EXTRA_OPTS: --publish=true ${{ env.SAST_EXPORT_EXTRA_OPTS || '' }} + DEBRICKED_EXPORT_EXTRA_OPTS: --publish=true ${{ env.DEBRICKED_EXPORT_EXTRA_OPTS || '' }} + - name: Set action outputs + if: always() # Ensure outputs are set even if the previous step fails, so that debug artifacts can be uploaded when enabled + id: set-outputs + run: | + if [ "${{ inputs.debug }}" = "true" ] || [ "${{ runner.debug }}" = "1" ]; then + echo "upload-debug-artifacts=true" >> $GITHUB_OUTPUT + else + echo "upload-debug-artifacts=false" >> $GITHUB_OUTPUT + fi + echo "debug-artifacts-dir=${FORTIFY_DATA_DIR}" >> $GITHUB_OUTPUT + shell: bash From 746344938dcb4b9b35997c50965fcff162c7bdbb Mon Sep 17 00:00:00 2001 From: Ruud Senden <8635138+rsenden@users.noreply.github.com> Date: Wed, 22 Apr 2026 12:54:11 +0200 Subject: [PATCH 7/8] chore: Usage major version in doc --- README.md | 6 +++--- USAGE.md | 6 +++--- doc-resources/repo-usage-text.md | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 25a44d9..3b7e5d6 100644 --- a/README.md +++ b/README.md @@ -44,7 +44,7 @@ jobs: - uses: actions/setup-@vX # Set up build tool(s) required to build your project # Bootstrap fcli, run the fcli-based Fortify CI workflow, and upload any debug artifacts # to GitHub artifact storage (see artifact storage section below for alternative options) - - uses: fortify/github-action@v3.1 + - uses: fortify/github-action@v3 name: Run Fortify Scan env: FOD_URL: ${{ vars.FOD_URL }} @@ -76,7 +76,7 @@ jobs: - uses: actions/setup-@vX # Set up build tool(s) required to build your project # Bootstrap fcli, run the fcli-based Fortify CI workflow, and upload any debug artifacts # to GitHub artifact storage (see artifact storage section below for alternative options) - - uses: fortify/github-action@v3.1 + - uses: fortify/github-action@v3 name: Run Fortify Scan env: SSC_URL: ${{ vars.SSC_URL }} @@ -96,7 +96,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: fortify/github-action/setup@v3.1 + - uses: fortify/github-action/setup@v3 with: fcli: bootstrapped # Set up bootstrapped fcli version. May also specify specific version, but # then fcli may be downloaded twice (bootstrap version and requested version). diff --git a/USAGE.md b/USAGE.md index 27cf74f..6ed55ef 100644 --- a/USAGE.md +++ b/USAGE.md @@ -30,7 +30,7 @@ jobs: - uses: actions/setup-@vX # Set up build tool(s) required to build your project # Bootstrap fcli, run the fcli-based Fortify CI workflow, and upload any debug artifacts # to GitHub artifact storage (see artifact storage section below for alternative options) - - uses: fortify/github-action@v3.1 + - uses: fortify/github-action@v3 name: Run Fortify Scan env: FOD_URL: ${{ vars.FOD_URL }} @@ -62,7 +62,7 @@ jobs: - uses: actions/setup-@vX # Set up build tool(s) required to build your project # Bootstrap fcli, run the fcli-based Fortify CI workflow, and upload any debug artifacts # to GitHub artifact storage (see artifact storage section below for alternative options) - - uses: fortify/github-action@v3.1 + - uses: fortify/github-action@v3 name: Run Fortify Scan env: SSC_URL: ${{ vars.SSC_URL }} @@ -82,7 +82,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: fortify/github-action/setup@v3.1 + - uses: fortify/github-action/setup@v3 with: fcli: bootstrapped # Set up bootstrapped fcli version. May also specify specific version, but # then fcli may be downloaded twice (bootstrap version and requested version). diff --git a/doc-resources/repo-usage-text.md b/doc-resources/repo-usage-text.md index 56433c7..81dbb29 100644 --- a/doc-resources/repo-usage-text.md +++ b/doc-resources/repo-usage-text.md @@ -22,7 +22,7 @@ jobs: - uses: actions/setup-@vX # Set up build tool(s) required to build your project # Bootstrap fcli, run the fcli-based Fortify CI workflow, and upload any debug artifacts # to GitHub artifact storage (see artifact storage section below for alternative options) - - uses: fortify/github-action@v3.1 + - uses: fortify/github-action@v3 name: Run Fortify Scan env: FOD_URL: ${{ vars.FOD_URL }} @@ -54,7 +54,7 @@ jobs: - uses: actions/setup-@vX # Set up build tool(s) required to build your project # Bootstrap fcli, run the fcli-based Fortify CI workflow, and upload any debug artifacts # to GitHub artifact storage (see artifact storage section below for alternative options) - - uses: fortify/github-action@v3.1 + - uses: fortify/github-action@v3 name: Run Fortify Scan env: SSC_URL: ${{ vars.SSC_URL }} @@ -74,7 +74,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: fortify/github-action/setup@v3.1 + - uses: fortify/github-action/setup@v3 with: fcli: bootstrapped # Set up bootstrapped fcli version. May also specify specific version, but # then fcli may be downloaded twice (bootstrap version and requested version). From 206532413f1a0da9b2aa8813043ad778bd2935e7 Mon Sep 17 00:00:00 2001 From: Ruud Senden <8635138+rsenden@users.noreply.github.com> Date: Wed, 22 Apr 2026 12:57:56 +0200 Subject: [PATCH 8/8] chore: Fix action syntax --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 14b2a5b..93d5046 100644 --- a/action.yml +++ b/action.yml @@ -18,7 +18,7 @@ inputs: runs: using: composite steps: - uses: fortify/github-action/with-github-artifacts@feat/configurable-debug-upload + - uses: fortify/github-action/with-github-artifacts@feat/configurable-debug-upload with: debug: ${{ inputs.debug }} debug-artifact-name: ${{ inputs.debug-artifact-name }}