rl-secure.yml

name: RL-Secure Workflow
run-name: rl-scanner-only

on:
  merge_group:
  workflow_dispatch:
  push:
    branches: ['main']
  pull_request:
    types:
      - opened
      - synchronize

jobs:
  checkout-build-scan-only:
    runs-on: ubuntu-latest

    environment: security

    permissions:
      pull-requests: write
      id-token: write # This is required for requesting the JWT

    steps:
      - uses: actions/checkout@v4

      - name: Install npm dependencies
        run: npm ci

      - name: Build Dist Folder
        run: npm run build

      - name: Create tgz build artifact
        run: |
          tar -czvf auth0-spa-js.tgz *

      - name: Get Artifact Version
        id: get_version
        run: echo "::set-output name=version::$(cat .version)"

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.9'

      - name: Install Python dependencies
        run: |
          pip install --upgrade pip
          pip install -r scripts/requirements.txt

      - name: Configure test AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ secrets.TEST_AWS_ARN }}
          aws-region: us-east-2
          mask-aws-account-id: true

      - name: Run Reversing Labs Wrapper Scanner
        env:
          RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
          RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
          SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
        run: |
          python scripts/rl-wrapper.py \
            --artifact "$(pwd)/auth0-spa-js.tgz" \
            --name "${{ github.event.repository.name }}" \
            --version "${{ steps.get_version.outputs.version }}" \
            --repository "${{ github.repository }}" \
            --commit "${{ github.sha }}" \
            --build-env "github_action"
        continue-on-error: true