How to effectively use with mono repos?

[gaby]

Hello,

I currently have the following workflow:

name: Gosec Security Scan

on:
  push:
    branches:
      - "master"
      - "main"
    paths-ignore:
      - "**.md"
      - LICENSE
      - ".github/ISSUE_TEMPLATE/*.yml"
      - ".github/dependabot.yml"
  pull_request:
    branches:
      - "*"
    paths-ignore:
      - "**.md"
      - LICENSE
      - ".github/ISSUE_TEMPLATE/*.yml"
      - ".github/dependabot.yml"

jobs:
  detect-changes:
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.changed-files.outputs.all_changed_files }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Changed Files
        uses: tj-actions/changed-files@v41
        id: changed-files
        with:
          files_ignore: |
            .github/**
            **.md
          json: true
          escape_json: false
          dir_names: true
          dir_names_exclude_current_dir: true

  gosec-scan:
    runs-on: ubuntu-latest
    needs: detect-changes
    env:
      GO111MODULE: on
    strategy:
      matrix:
        modules: ${{ fromJSON(needs.detect-changes.outputs.matrix) }}
    steps:
      - name: Fetch Repository
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
          go-version: '^1.21.x'
          check-latest: true
          cache: false
      - name: Install gosec
        run: go install github.com/securego/gosec/v2/cmd/gosec@latest
      - name: Run gosec
        working-directory: ${{ matrix.modules }}
        run: gosec ./...

In a monorepo with the following structure:

.github/
module1/
-- module1/go.mod
module2/
-- module2/go.mod
module3/
-- module3/go.mod
-- -- module3/tests/otherfiles
go.mod
go.sum

Which works fine, but sometimes the modules can have subdirectories (ex. module3) and this is where the workflow doesnt work. For me to run gosec the directory needs to have a go.mod file.

If I change one of the files in module3/tests/ it will try to run gosec against module3/tests instead of module3 and fail.

Not sure if this is doable with this action, new feature, or make sense as a different action perharps changed-directories ?

[jackton1]

Hi @gaby, based on your description I’ll suggest setting the dir_names_max_depth input to 1

    # Limit the directory output to a maximum depth e.g 
    # `test/test1/test2` with max depth of `2` returns `test/test1`. 
    # Type: string
    dir_names_max_depth: ''

For more options see: Inputs documentation

[gaby]

@jackton1 Thank you, that fixed my issue