From 666b710ce6c2551f12543d5518071a7d3817d6f5 Mon Sep 17 00:00:00 2001
From: Danil Titarenko <77471369+danilapog@users.noreply.github.com>
Date: Mon, 27 Nov 2023 17:07:39 +0300
Subject: [PATCH] Add scanning DocSpace with zap (#66)
* Add scanning DocSpace with zap
* Remove `set -e` cos it already have
* Refactoring: Zap as separate action
* Refactoring: remove useless output
* Cosmetic changes
* Remove zap and change repo name for manual run
---
 .github/workflows/main-build.yml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/.github/workflows/main-build.yml b/.github/workflows/main-build.yml
index 3fa7b97800..778b0421b3 100644
--- a/.github/workflows/main-build.yml
+++ b/.github/workflows/main-build.yml
@@ -2,6 +2,11 @@ name: 4testing multiarch-build
 on:
 workflow_dispatch:
+ inputs:
+ zap:
+ description: 'Run ZAP scanning after build?'
+ type: boolean
+
 repository_dispatch:
 types:
 - cron-trigger-action
@@ -46,6 +51,7 @@ jobs:
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Build 4testing
+ id: build
 run: |
 cd .${DOCKER_PATH}
 if [ "${{ matrix.branch }}" = "develop" ]; then
@@ -58,4 +64,20 @@ jobs:
 --set *.args.GIT_BRANCH=${{ matrix.branch }} \
 --set *.platform=linux/amd64 \
 --push
+
+ echo "version=${DOCKER_TAG}" >> "$GITHUB_OUTPUT"
 shell: bash
+
+ - name: Run zap action if needed
+ env:
+ RUN_ZAP: ${{ github.event.inputs.zap || 'true' }}
+ GITHUB_TOKEN: ${{ secrets.TOKEN }}
+ VERSION: ${{ steps.build.outputs.version }}
+ shell: bash
+ run: |
+ if [[ ${{ matrix.branch }} =~ release || ${{ matrix.branch }} =~ hotfix && ${RUN_ZAP} == true ]]; then
+ gh workflow run zap-scan.yaml \
+ --repo ONLYOFFICE/DocSpace \
+ -f branch=${{ matrix.branch }} \
+ -f version=${VERSION}
+ fi
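Review bot: In the `Run zap action if needed` step (third hunk) the test groups as `release || (hotfix && RUN_ZAP == true)`, because `&&` binds tighter than `||` inside `[[ ]]`. Release branches therefore dispatch the scan even when the `zap` input is unchecked, which is probably not what the input is meant to allow; the two branch tests need parentheses. The same step expands `${{ matrix.branch }}` directly into the script text while `secrets.TOKEN` is in its environment. The matrix definition is outside this hunk, so if a branch value can ever originate from a dispatch payload it would be parsed as shell rather than as data. Passing the branch through `env` and quoting it, together with `${VERSION}`, removes that path, and the token (scope not visible here) presumably needs no more than permission to dispatch workflows in ONLYOFFICE/DocSpace.

```yaml
        env:
          BRANCH: ${{ matrix.branch }}
          # … unchanged: RUN_ZAP, GITHUB_TOKEN, VERSION, shell …
        run: |
          if [[ ( "${BRANCH}" =~ release || "${BRANCH}" =~ hotfix ) && "${RUN_ZAP}" == true ]]; then
            # … unchanged: gh workflow run zap-scan.yaml --repo ONLYOFFICE/DocSpace …
              -f branch="${BRANCH}" \
              -f version="${VERSION}"
```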