chore: Add sub-actions for configurable debug artifact upload

.github/workflows/publish.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check-out source code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       - name: Configure git
         run: |
           git config user.name github-actions
@@ -33,29 +33,27 @@ jobs:
     needs: update-action-references
     steps:
       - name: Check-out source code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Generate and process release PR
         id: release_please
-        uses: googleapis/release-please-action@v4
+        uses: fortify/3rdparty-actions/actions/googleapis/release-please-action/v4@main
         with:
           release-type: simple
 
       - name: Publish v{major}.{minor} tag
         if: steps.release_please.outputs.release_created
-        uses: richardsimko/update-tag@v1
+        uses: fortify/3rdparty-actions/actions/richardsimko/update-tag/v1@main
         with:
           tag_name: v${{steps.release_please.outputs.major}}.${{steps.release_please.outputs.minor}}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
+          github_token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Publish v{major} tag
         if: steps.release_please.outputs.release_created
-        uses: richardsimko/update-tag@v1
+        uses: fortify/3rdparty-actions/actions/richardsimko/update-tag/v1@main
         with:
           tag_name: v${{steps.release_please.outputs.major}}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Update release PR
         if: steps.release_please.outputs.pr

README.md

@@ -15,7 +15,7 @@ The `fortify/github-action` GitHub Action allows for easy integration of OpenTex
 
 As such, this GitHub Action automatically benefits from new features and bug fixes as they are introduced in fcli, although there are options to use a fixed fcli version in case you need more stability. At the time of writing, the fcli `ci` action provides out-of-the-box support for Static Application Security Testing (SAST) and Software Composition Analysis (SCA); support for Dynamic or Mobile Application Security Testing (DAST & MAST) may be added in the future.
 
-Apart from the top-level `fortify/github-action` for running the fcli-based `ci` workflow, this repository also provides the `fortify/github-action/setup` GitHub Action. This action allows for setting up fcli and other Fortify tools like ScanCentral Client for use in a custom GitHub Actions workflow, for example for implementing a fully customized AST scan workflow or some other automation workflow that needs to interact with Fortify products.
+Apart from the top-level `fortify/github-action` (and related `fortify/github-action/with-github-artifacts`, `fortify/github-action/with-ghes-artifacts`, and `fortify/github-action/without-artifacts` sub-actions) for running the fcli-based `ci` workflow, this repository also provides the `fortify/github-action/setup` GitHub Action. This `setup` action allows for setting up fcli and other Fortify tools like ScanCentral Client for use in a custom GitHub Actions workflow, for example for implementing a fully customized AST scan workflow or some other automation workflow that needs to interact with Fortify products.
 
 
 <!-- START-INCLUDE:repo-usage-text.md -->
@@ -42,7 +42,10 @@ jobs:
     steps:
       - uses: actions/checkout@v4            # Check out source code
       - uses: actions/setup-<build-tool>@vX  # Set up build tool(s) required to build your project
-      - uses: fortify/github-action@v3       # Run Fortify scans
+        # Bootstrap fcli, run the fcli-based Fortify CI workflow, and upload any debug artifacts
+        # to GitHub artifact storage (see artifact storage section below for alternative options)
+      - uses: fortify/github-action@v3
+        name: Run Fortify Scan
         env:
           FOD_URL: ${{ vars.FOD_URL }}
           FOD_CLIENT_ID: ${{ secrets.FOD_CLIENT_ID }}
@@ -71,7 +74,10 @@ jobs:
     steps:
       - uses: actions/checkout@v4            # Check out source code
       - uses: actions/setup-<build-tool>@vX  # Set up build tool(s) required to build your project
-      - uses: fortify/github-action@v3       # Run Fortify scans
+        # Bootstrap fcli, run the fcli-based Fortify CI workflow, and upload any debug artifacts
+        # to GitHub artifact storage (see artifact storage section below for alternative options)
+      - uses: fortify/github-action@v3
+        name: Run Fortify Scan
         env:
           SSC_URL: ${{ vars.SSC_URL }}
           SSC_TOKEN: ${{ secrets.SSC_TOKEN }}
@@ -103,13 +109,28 @@ jobs:
           fcli fod session logout ...
 ```
 
+### Artifact storage
+
+If debugging is enabled (either via the `debug: true` action input or by re-running the workflow with GitHub's "Enable debug logging" option), debug artifacts are collected during the scan and uploaded after the scan completes.
+
+The top-level `fortify/github-action` action uploads debug artifacts to github.com artifact storage using `actions/upload-artifact@v7`. If this doesn't match your environment, the following sub-actions provide alternatives:
+
+| Sub-action | Description |
+|---|---|
+| `fortify/github-action` | Default. Uploads to github.com artifact storage using `actions/upload-artifact@v7`. |
+| `fortify/github-action/with-github-artifacts` | Identical to the default; use this when you want to make the artifact storage choice explicit in your workflow. |
+| `fortify/github-action/with-ghes-artifacts` | Uploads to GHES-compatible artifact storage using `actions/upload-artifact@v3`. Use this on GitHub Enterprise Server. |
+| `fortify/github-action/without-artifacts` | Does not upload artifacts. Exposes `upload-debug-artifacts` and `debug-artifacts-dir` outputs so you can add your own upload step targeting any storage backend. |
+
 ### Detailed Documentation
 
 Given that these GitHub Actions are just thin wrappers around `@fortify/setup` and `fcli`, detailed usage documentation is available on the fcli documentation website:
 
-* [`fortify/github-action` for OpenText Application Security Code (Fortify on Demand)](https://fortify.github.io/fcli/v3/ci/github/v3.0.x/ast-action-fod.html)
-* [`fortify/github-action` for OpenText Software Security Center (Fortify SSC)](https://fortify.github.io/fcli/v3/ci/github/v3.0.x/ast-action-ssc.html)
-* [`fortify/github-action/setup`](https://fortify.github.io/fcli/v3/ci/github/v3.0.x/setup-action.html)
+* `fortify/github-action` (default — github.com artifact upload): [FoD](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-fod.html) | [SSC](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-ssc.html)
+* `fortify/github-action/with-github-artifacts` (explicit github.com artifact upload): [FoD](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-github-artifacts-fod.html) | [SSC](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-github-artifacts-ssc.html)
+* `fortify/github-action/with-ghes-artifacts` (GHES-compatible artifact upload): [FoD](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-ghes-artifacts-fod.html) | [SSC](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-ghes-artifacts-ssc.html)
+* `fortify/github-action/without-artifacts` (custom artifact upload): [FoD](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-without-artifacts-fod.html) | [SSC](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-without-artifacts-ssc.html)
+* [`fortify/github-action/setup`](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/setup-action.html)
 
 <!-- END-INCLUDE:repo-usage-text.md -->
 

USAGE.md

@@ -28,7 +28,10 @@ jobs:
     steps:
       - uses: actions/checkout@v4            # Check out source code
       - uses: actions/setup-<build-tool>@vX  # Set up build tool(s) required to build your project
-      - uses: fortify/github-action@v3       # Run Fortify scans
+        # Bootstrap fcli, run the fcli-based Fortify CI workflow, and upload any debug artifacts
+        # to GitHub artifact storage (see artifact storage section below for alternative options)
+      - uses: fortify/github-action@v3
+        name: Run Fortify Scan
         env:
           FOD_URL: ${{ vars.FOD_URL }}
           FOD_CLIENT_ID: ${{ secrets.FOD_CLIENT_ID }}
@@ -57,7 +60,10 @@ jobs:
     steps:
       - uses: actions/checkout@v4            # Check out source code
       - uses: actions/setup-<build-tool>@vX  # Set up build tool(s) required to build your project
-      - uses: fortify/github-action@v3       # Run Fortify scans
+        # Bootstrap fcli, run the fcli-based Fortify CI workflow, and upload any debug artifacts
+        # to GitHub artifact storage (see artifact storage section below for alternative options)
+      - uses: fortify/github-action@v3
+        name: Run Fortify Scan
         env:
           SSC_URL: ${{ vars.SSC_URL }}
           SSC_TOKEN: ${{ secrets.SSC_TOKEN }}
@@ -89,13 +95,28 @@ jobs:
           fcli fod session logout ...
 ```
 
+### Artifact storage
+
+If debugging is enabled (either via the `debug: true` action input or by re-running the workflow with GitHub's "Enable debug logging" option), debug artifacts are collected during the scan and uploaded after the scan completes.
+
+The top-level `fortify/github-action` action uploads debug artifacts to github.com artifact storage using `actions/upload-artifact@v7`. If this doesn't match your environment, the following sub-actions provide alternatives:
+
+| Sub-action | Description |
+|---|---|
+| `fortify/github-action` | Default. Uploads to github.com artifact storage using `actions/upload-artifact@v7`. |
+| `fortify/github-action/with-github-artifacts` | Identical to the default; use this when you want to make the artifact storage choice explicit in your workflow. |
+| `fortify/github-action/with-ghes-artifacts` | Uploads to GHES-compatible artifact storage using `actions/upload-artifact@v3`. Use this on GitHub Enterprise Server. |
+| `fortify/github-action/without-artifacts` | Does not upload artifacts. Exposes `upload-debug-artifacts` and `debug-artifacts-dir` outputs so you can add your own upload step targeting any storage backend. |
+
 ### Detailed Documentation
 
 Given that these GitHub Actions are just thin wrappers around `@fortify/setup` and `fcli`, detailed usage documentation is available on the fcli documentation website:
 
-* [`fortify/github-action` for OpenText Application Security Code (Fortify on Demand)](https://fortify.github.io/fcli/v3/ci/github/v3.0.x/ast-action-fod.html)
-* [`fortify/github-action` for OpenText Software Security Center (Fortify SSC)](https://fortify.github.io/fcli/v3/ci/github/v3.0.x/ast-action-ssc.html)
-* [`fortify/github-action/setup`](https://fortify.github.io/fcli/v3/ci/github/v3.0.x/setup-action.html)
+* `fortify/github-action` (default — github.com artifact upload): [FoD](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-fod.html) | [SSC](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-ssc.html)
+* `fortify/github-action/with-github-artifacts` (explicit github.com artifact upload): [FoD](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-github-artifacts-fod.html) | [SSC](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-github-artifacts-ssc.html)
+* `fortify/github-action/with-ghes-artifacts` (GHES-compatible artifact upload): [FoD](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-ghes-artifacts-fod.html) | [SSC](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-ghes-artifacts-ssc.html)
+* `fortify/github-action/without-artifacts` (custom artifact upload): [FoD](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-without-artifacts-fod.html) | [SSC](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-without-artifacts-ssc.html)
+* [`fortify/github-action/setup`](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/setup-action.html)
 
 <!-- END-INCLUDE:repo-usage-text.md -->
 

action.yml

@@ -1,45 +1,29 @@
 name: 'Fortify AST Scan'
-description: 'Find and fix vulnerabilities to build secure software with Fortify Code Security.'
+description: 'Run Fortify AST Scan and upload debug artifacts using actions/upload-artifact@v7 (github.com).'
 author: 'Fortify'
 inputs:
   debug:
-    description: 'Whether to generate and collect debug logs; note that these may contain sensitive data like access tokens or credentials. Automatically enabled when workflow is re-run with "Enable debug logging" checked.'
+    description: 'Whether to generate & collect debug artifacts; note that these may contain sensitive data like access tokens or credentials. Automatically enabled when workflow is re-run with "Enable debug logging" checked.'
     required: false
     default: 'false'
   debug-artifact-name:
-    description: 'Name for the debug artifacts archive; defaults to "fortify-debug-logs"'
+    description: 'Name for the debug artifacts archive; defaults to "fortify-debug-artifacts"'
     required: false
-    default: 'fortify-debug-logs'
+    default: 'fortify-debug-artifacts'
   debug-retention-days:
-    description: 'Number of days to retain debug artifacts; defaults to 1'
+    description: 'Number of days to retain debug artifacts; defaults to 1 due to sensitivity of data'
     required: false
     default: '1'
+
 runs:
   using: composite
   steps:
-    - name: Set Fortify data directory
-      run: echo "FORTIFY_DATA_DIR=${{ runner.temp }}/fortify-data" >> $GITHUB_ENV
-      shell: bash
-    - uses: fortify/github-action/setup@main
-      with:
-        fcli: bootstrapped
-        export-path: false
-    - run: |
-        mkdir -p "${FORTIFY_DATA_DIR}" && cd "${FORTIFY_DATA_DIR}"
-        "${FCLI_CMD}" action run ci --debug=${{ inputs.debug == 'true' || runner.debug == '1' }}
-      shell: bash
-      env:
-        GITHUB_TOKEN: ${{ github.token }}
-        SAST_EXPORT_EXTRA_OPTS: --publish=true ${{ env.SAST_EXPORT_EXTRA_OPTS || '' }}
-        DEBRICKED_EXPORT_EXTRA_OPTS: --publish=true ${{ env.DEBRICKED_EXPORT_EXTRA_OPTS || '' }}
-    - name: Upload debug logs
-      if: ${{ always() && (inputs.debug == 'true' || runner.debug == '1') }}
-      uses: actions/upload-artifact@v4
+    - uses: fortify/github-action/with-github-artifacts@feat/configurable-debug-upload
       with:
-        name: ${{ inputs.debug-artifact-name }}-${{ github.job }}
-        path: ${{ env.FORTIFY_DATA_DIR }}
-        retention-days: ${{ inputs.debug-retention-days }}
-        
+        debug: ${{ inputs.debug }}
+        debug-artifact-name: ${{ inputs.debug-artifact-name }}
+        debug-retention-days: ${{ inputs.debug-retention-days }}
+
 branding:
   icon: 'shield'
   color: 'blue'

doc-resources/repo-intro.md

@@ -2,7 +2,7 @@ The `fortify/github-action` GitHub Action allows for easy integration of OpenTex
 
 As such, this GitHub Action automatically benefits from new features and bug fixes as they are introduced in fcli, although there are options to use a fixed fcli version in case you need more stability. At the time of writing, the fcli `ci` action provides out-of-the-box support for Static Application Security Testing (SAST) and Software Composition Analysis (SCA); support for Dynamic or Mobile Application Security Testing (DAST & MAST) may be added in the future.
 
-Apart from the top-level `fortify/github-action` for running the fcli-based `ci` workflow, this repository also provides the `fortify/github-action/setup` GitHub Action. This action allows for setting up fcli and other Fortify tools like ScanCentral Client for use in a custom GitHub Actions workflow, for example for implementing a fully customized AST scan workflow or some other automation workflow that needs to interact with Fortify products.
+Apart from the top-level `fortify/github-action` (and related `fortify/github-action/with-github-artifacts`, `fortify/github-action/with-ghes-artifacts`, and `fortify/github-action/without-artifacts` sub-actions) for running the fcli-based `ci` workflow, this repository also provides the `fortify/github-action/setup` GitHub Action. This `setup` action allows for setting up fcli and other Fortify tools like ScanCentral Client for use in a custom GitHub Actions workflow, for example for implementing a fully customized AST scan workflow or some other automation workflow that needs to interact with Fortify products.
 
 {{include:repo-usage-text.md}}