{"id":20637812,"url":"https://github.com/oss-review-toolkit/ort-ci-github-action","last_synced_at":"2025-04-15T21:51:42.672Z","repository":{"id":63946063,"uuid":"500759806","full_name":"oss-review-toolkit/ort-ci-github-action","owner":"oss-review-toolkit","description":"Run ORT in your GitHub action workflow to do licensing, security and best practices checks and generate reports/SBOMs ","archived":false,"fork":false,"pushed_at":"2025-02-26T06:57:55.000Z","size":71,"stargazers_count":29,"open_issues_count":7,"forks_count":11,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-03-29T01:51:46.703Z","etag":null,"topics":["actions","ci","cyclonedx","github-action","github-actions","license-checking","ospo","sbom","sbom-generator","spdx"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/oss-review-toolkit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-06-07T08:46:01.000Z","updated_at":"2025-02-28T12:45:51.000Z","dependencies_parsed_at":"2024-06-04T07:54:19.578Z","dependency_job_id":"d77421bc-5673-4432-b74e-31b77ce7961e","html_url":"https://github.com/oss-review-toolkit/ort-ci-github-action","commit_stats":{"total_commits":2,"total_committers":1,"mean_commits":2.0,"dds":0.0,"last_synced_commit":"e238c9f7ee62beba523451bc8860c85f4c1a602d"},"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oss-review-toolkit%2Fort-ci-github-action","tags_url":"https://rep
os.ecosyste.ms/api/v1/hosts/GitHub/repositories/oss-review-toolkit%2Fort-ci-github-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oss-review-toolkit%2Fort-ci-github-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oss-review-toolkit%2Fort-ci-github-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/oss-review-toolkit","download_url":"https://codeload.github.com/oss-review-toolkit/ort-ci-github-action/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248837231,"owners_count":21169374,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","ci","cyclonedx","github-action","github-actions","license-checking","ospo","sbom","sbom-generator","spdx"],"created_at":"2024-11-16T15:15:55.751Z","updated_at":"2025-04-15T21:51:42.653Z","avatar_url":"https://github.com/oss-review-toolkit.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# GitHub Action for ORT\n\nRun licensing, security and best practices checks and generate reports/SBOMs using [ORT][ort].\n\n## Usage\n\nSee [action.yml](action.yml)\n\n### Basic\n\n```yaml\njobs:\n  ort:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Use HTTPS instead of SSH for Git cloning\n        run: git config --global url.https://github.com/.insteadOf ssh://git@github.com/\n      - name: Checkout project\n        uses: actions/checkout@v3\n      - name: Run GitHub Action for ORT\n        uses: 
oss-review-toolkit/ort-ci-github-action@v1\n```\n\nAlternatively, you can also use ORT to download the project sources using Git, Git-repo, Mercurial or Subversion.\n\n```yaml\njobs:\n  ort:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Use HTTPS instead of SSH for Git cloning\n        run: git config --global url.https://github.com/.insteadOf ssh://git@github.com/\n      - name: Run GitHub Action for ORT\n        uses: oss-review-toolkit/ort-ci-github-action@v1\n        with:\n          vcs-url: 'https://github.com/jshttp/mime-types.git'\n```\n\n### Scenarios\n\n- [Run ORT and analyze only specified package managers](#Run-ORT-and-analyze-only-specified-package-managers)\n- [Run ORT with labels](#Run-ORT-with-labels)\n- [Run ORT and fail job on policy violations or security issues](#Run-ORT-and-fail-job-on-policy-violations-or-security-issues)\n- [Run ORT on private repositories](#Run-ORT-on-private-repositories)\n- [Run ORT on multiple repositories using a matrix](#Run-ORT-on-multiple-repositories-using-a-matrix)\n- [Run ORT with a custom global configuration](#Run-ORT-with-a-custom-global-configuration)\n- [Run ORT with a custom Docker image](#Run-ORT-with-a-custom-Docker-image)\n- [Run ORT with PostgreSQL database](#Run-ORT-with-PostgreSQL-database)\n- [Run only parts of the GitHub Action for ORT](#Run-only-parts-of-the-GitHub-Action-for-ORT)\n\n#### Run ORT and analyze only specified package managers\n\n```yaml\njobs:\n  ort:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Use HTTPS instead of SSH for Git cloning\n        run: git config --global url.https://github.com/.insteadOf ssh://git@github.com/\n      - name: Checkout project\n        uses: actions/checkout@v3\n        with:\n          repository: 'jshttp/mime-types'\n      - name: Run GitHub Action for ORT\n        uses: oss-review-toolkit/ort-ci-github-action@v1\n        with:\n          allow-dynamic-versions: 'true'\n          ort-cli-args: '-P 
ort.analyzer.enabledPackageManagers=NPM,Yarn,Yarn2'\n```\n\n#### Run ORT with labels\n\nUse labels to track scan-related information or to apply policy rules to a specific product, delivery or organization.\n\n```yaml\njobs:\n  ort:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Use HTTPS instead of SSH for Git cloning\n        run: git config --global url.https://github.com/.insteadOf ssh://git@github.com/\n      - name: Checkout project\n        uses: actions/checkout@v3\n        with:\n          repository: 'jshttp/mime-types'\n      - name: Run GitHub Action for ORT\n        uses: oss-review-toolkit/ort-ci-github-action@v1\n        with:\n          allow-dynamic-versions: 'true'\n          ort-cli-analyze-args: \u003e\n            -l project=oss-project\n            -l dist=external\n            -l org=engineering-sdk-xyz-team-germany-berlin\n```\n\n#### Run ORT and fail job on policy violations or security issues\n\nSet `fail-on` to fail the action if:\n- policy violations reported by the Evaluator exceed the `severeRuleViolationThreshold` level.\n- security issues reported by the Advisor exceed the `severeIssueThreshold` level.\n\nBy default, `severeRuleViolationThreshold` and `severeIssueThreshold` are set to `WARNING`,\nbut you can change this to, for example, `ERROR` in your [config.yml][ort-config-yml].\n\n```yaml\njobs:\n  ort:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Use HTTPS instead of SSH for Git cloning\n        run: git config --global url.https://github.com/.insteadOf ssh://git@github.com/\n      - name: Checkout project\n        uses: actions/checkout@v3\n        with:\n          repository: 'jshttp/mime-types'\n      - name: Run GitHub Action for ORT\n        uses: oss-review-toolkit/ort-ci-github-action@v1\n        with:\n          allow-dynamic-versions: 'true'\n          fail-on: 'violations'\n```\n\n#### Run ORT on private repositories\n\nTo run ORT on private Git repositories, we recommend that you:\n- Set up an account with read-only access rights.\n- Use a .netrc file, SSH keys or [GitHub tokens][gh-tokens] for authentication.\n\n```yaml\njobs:\n  ort:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout project\n        uses: actions/checkout@v3\n        with:\n          repository: 'jshttp/mime-types'\n      - name: Add .netrc\n        run: \u003e\n          echo \"default\n          login ${{ secrets.NETRC_LOGIN }}\n          password ${{ secrets.NETRC_PASSWORD }}\" \u003e ~/.netrc\n      - name: Add SSH key\n        run: |\n          mkdir -p ~/.ssh\n          echo \"${{ secrets.SSH_KEY }}\" \u003e ~/.ssh/id_github\n          echo \"${{ secrets.SSH_PUBLIC_KEY }}\" \u003e ~/.ssh/id_github.pub\n          chmod 600 ~/.ssh/id_github*\n          cat \u003e\u003e~/.ssh/config \u003c\u003cEND\n          Host github.com\n            HostName ssh.github.com\n            User git\n            Port 443\n            IdentityFile ~/.ssh/id_github\n            StrictHostKeyChecking no\n          END\n      - name: Run GitHub Action for ORT\n        uses: oss-review-toolkit/ort-ci-github-action@v1\n        with:\n          allow-dynamic-versions: 'true'\n```\n\nThe following example runs on a self-hosted runner behind a proxy, uses personal tokens for Git cloning and fetches the ORT configuration from a private repository:\n\n```yaml\njobs:\n  ort:\n    runs-on: [self-hosted, linux]\n    name: Run ORT\n\n    steps:\n      - name: Configure proxy server\n        run: |\n          export https_proxy=\"http://proxy.example.com:3128/\"\n          export http_proxy=\"http://proxy.example.com:3128/\"\n          printenv \u003e\u003e \"$GITHUB_ENV\"\n      - name: Use HTTPS with personal token always for Git cloning\n        run: |\n          git config --global url.\"https://oauth2:${{ secrets.PERSONAL_TOKEN_1 }}@github.com/\".insteadOf \"ssh://git@github.com/\"\n          git config --global url.\"https://oauth2:${{ secrets.PERSONAL_TOKEN_2 }}@git.example.com/\".insteadOf \"ssh://git@git.example.com/\"\n          git config --global url.\"https://oauth2:${{ secrets.PERSONAL_TOKEN_2 }}@git.example.com/\".insteadOf \"https://git.example.com/\"\n      - name: Checkout project\n        uses: actions/checkout@v3\n        with:\n          repository: 'example-org/alpha'\n          ref: 'master'\n          github-server-url: 'https://git.example.com'\n          token: ${{ secrets.PERSONAL_TOKEN_2 }}\n      - name: Run GitHub action for ORT\n        uses: oss-review-toolkit/ort-ci-github-action@v1\n        with:\n          ort-config-repository: 'https://oauth2:${{ secrets.PERSONAL_TOKEN_2 }}@git.example.com/ort-project/ort-config.git'\n          run: \u003e\n            cache-dependencies,\n            metadata-labels,\n            analyzer,\n            advisor,\n            reporter,\n            upload-results\n```\n\n#### Run ORT on multiple repositories using a matrix\n\n```yaml\njobs:\n  ort:\n    strategy:\n      fail-fast: false\n      matrix:\n        include:\n          - repository: example-org/alpha\n            sw-name: alpha\n          - repository: example-org/beta\n            sw-name: beta\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v3\n        with:\n          repository: ${{ matrix.repository }}\n      - uses: oss-review-toolkit/ort-ci-github-action@v1\n        with:\n          sw-name: ${{ matrix.sw-name }}\n```\n\n#### Run ORT with a custom global configuration\n\nUse `ort-config-repository` to specify the location of your ORT global configuration repository.\nIf `ort-config-revision` is not set, the latest state of the configuration repository is used.\n\nAlternatively, you can place your ORT global configuration files in `~/.ort/config`\nprior to running the GitHub Action for ORT.\n\n```yaml\njobs:\n  ort:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Use HTTPS instead of SSH for Git cloning\n        run: git config --global url.https://github.com/.insteadOf ssh://git@github.com/\n      - name: Checkout project\n        uses: actions/checkout@v3\n        with:\n          repository: 'jshttp/mime-types'\n      - name: Run GitHub Action for ORT\n        uses: oss-review-toolkit/ort-ci-github-action@v1\n        with:\n          ort-config-repository: 'https://github.com/oss-review-toolkit/ort-config'\n          ort-config-revision: 'e4ae8f0a2d0415e35d80df0f48dd95c90a992514'\n```\n\n#### Run ORT with a custom Docker image\n\n```yaml\njobs:\n  ort:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Use HTTPS instead of SSH for Git cloning\n        run: git config --global url.https://github.com/.insteadOf ssh://git@github.com/\n      - name: Checkout project\n        uses: actions/checkout@v3\n      - name: Run GitHub Action for ORT\n        uses: oss-review-toolkit/ort-ci-github-action@v1\n        with:\n          image: 'my-org/ort-images/ort:latest'\n```\n\n#### Run ORT with PostgreSQL database\n\nORT supports using a PostgreSQL database to cache scan data and speed up scans.\n\nUse the following [action secrets at GitHub org or repository level][gh-action-secrets] to specify the database to use:\n- `POSTGRES_URL`: 'jdbc:postgresql://ort-db.example.com:5432/ort'\n- `POSTGRES_USERNAME`: 'ort-db-username'\n- `POSTGRES_PASSWORD`: 'ort-db-password'\n\nNext, pass these secrets to the GitHub Action for ORT:\n\n```yaml\njobs:\n  ort:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Use HTTPS instead of SSH for Git cloning\n        run: git config --global url.https://github.com/.insteadOf ssh://git@github.com/\n      - name: Checkout project\n        uses: actions/checkout@v3\n        with:\n          repository: 'jshttp/mime-types'\n          ref: '2.1.35'\n      - name: Run GitHub Action for ORT\n        uses: oss-review-toolkit/ort-ci-github-action@v1\n        with:\n          db-url: ${{ secrets.POSTGRES_URL }}\n          db-username: ${{ secrets.POSTGRES_USERNAME }}\n          db-password: ${{ secrets.POSTGRES_PASSWORD }}\n          run: 'cache-dependencies,analyzer,scanner,evaluator,advisor,reporter,upload-results'\n          sw-name: 'Mime Types'\n          sw-version: '2.1.35'\n```\n\n#### Run only parts of the GitHub Action for ORT\n\n```yaml\njobs:\n  ort:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout project\n        uses: actions/checkout@v3\n      - name: Run GitHub Action for ORT\n        uses: oss-review-toolkit/ort-ci-github-action@v1\n        with:\n          run: \u003e\n            cache-dependencies,\n            metadata-labels,\n            analyzer,\n            advisor,\n            reporter,\n            upload-results,\n            upload-evaluation-result\n```\n\n# Want to Help or have Questions?\n\nAll contributions are welcome. If you are interested in contributing, please read our\n[contributing guide][ort-contributing-md], and to get quick answers\nto any of your questions we recommend you [join our Slack community][ort-slack].\n\n# License\n\nCopyright (C) 2020-2022 [The ORT Project Authors](./NOTICE).\n\nSee the [LICENSE](./LICENSE) file in the root of this project for license details.\n\nOSS Review Toolkit (ORT) is a [Linux Foundation project][lf] and part of [ACT][act].\n\n[act]: https://automatecompliance.org/\n[gh-action-secrets]: https://docs.github.com/en/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository\n[gh-tokens]: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token\n[ort]: https://github.com/oss-review-toolkit/ort\n[ort-config-yml]: https://github.com/oss-review-toolkit/ort/blob/main/model/src/main/resources/reference.yml\n[ort-contributing-md]: https://github.com/oss-review-toolkit/.github/blob/main/CONTRIBUTING.md\n[ort-slack]: http://slack.oss-review-toolkit.org\n[lf]: https://www.linuxfoundation.org\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foss-review-toolkit%2Fort-ci-github-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foss-review-toolkit%2Fort-ci-github-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foss-review-toolkit%2Fort-ci-github-action/lists"}