From 4624b6ee62744ca391d05d29c1f4bee1f7e1e941 Mon Sep 17 00:00:00 2001 From: Vibhu Agarwal Date: Wed, 4 Mar 2020 19:31:12 +0530 Subject: [PATCH 001/844] Update python-publish.yml --- ci/python-publish.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index d5f3859d10..a7438ff7f3 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -22,6 +22,7 @@ jobs: run: | python -m pip install --upgrade pip pip install setuptools wheel twine + pip install -r requirements.txt - name: Build and publish env: TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }} From 9b42288206b387b1b6d78ae4156efbde99bdf882 Mon Sep 17 00:00:00 2001 From: Vibhu Agarwal Date: Tue, 26 May 2020 17:52:59 +0530 Subject: [PATCH 002/844] Update python-publish.yml --- ci/python-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index a7438ff7f3..736fae86eb 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -22,7 +22,7 @@ jobs: run: | python -m pip install --upgrade pip pip install setuptools wheel twine - pip install -r requirements.txt + if [ -f requirements.txt ]; then pip install -r requirements.txt; fi - name: Build and publish env: TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }} From af32ab05c611fe486ba27bf7fc52c0a307212fac Mon Sep 17 00:00:00 2001 From: Marcono1234 Date: Wed, 3 Jun 2020 23:16:28 +0200 Subject: [PATCH 003/844] Improve maven.yml --- ci/maven.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/maven.yml b/ci/maven.yml index c8aeb3a277..86f73091e1 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -21,4 +21,4 @@ jobs: with: java-version: 1.8 - name: Build with Maven - run: mvn -B package --file pom.xml + run: mvn --batch-mode --update-snapshots verify From 1de1e6c7776ea1f5be322861138d9954b833ff1a Mon Sep 17 00:00:00 2001 
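Review bot: The install step now pulls setuptools, wheel, twine and the project's own requirements with no version or hash pinning, inside the job whose very next step hands the `TWINE_*` credentials to twine; anything fetched here runs arbitrary code at install time, and a substituted twine would see the publishing secret. If requirements.txt is hash-pinned (not visible from this hunk), prefer `if [ -f requirements.txt ]; then pip install --require-hashes -r requirements.txt; fi`, and pin the publishing toolchain itself to known versions rather than `pip install setuptools wheel twine`. The `-f` guard is a reasonable way to keep the template generic, but it skips silently, so a misnamed requirements file goes unnoticed; an `else echo "no requirements.txt, skipping"` makes that visible in the log.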
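Review bot: `--update-snapshots` forces every CI run to re-resolve SNAPSHOT dependencies from the remote repository, so two runs of the same commit can build against different artifacts and a changed or compromised snapshot enters the build without any diff in the repo; for a starter template that is a surprising default. Unless the template is aimed at projects consuming in-house snapshots, prefer `run: mvn --batch-mode verify` and let projects opt in, or put a comment above the step explaining why snapshots are force-refreshed. Moving from `package` to `verify` is fine on its own, since it additionally runs the integration-test and verify-phase plugins bound in the POM.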
From: Kanitkorn Sujautra Date: Sun, 7 Jun 2020 00:51:49 +0900 Subject: [PATCH 004/844] Make NPM_TOKEN consistent with GITHUB_TOKEN It was `npm_token` before, but for GitHub it's `GITHUB_TOKEN`. This makes them be the same, all-cap case. --- ci/npm-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index 861e37239f..aa47c4e2db 100644 --- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml @@ -30,7 +30,7 @@ jobs: - run: npm ci - run: npm publish env: - NODE_AUTH_TOKEN: ${{secrets.npm_token}} + NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}} publish-gpr: needs: build From 194e973f907b13ca11a6f211d6dc4257a12a2619 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Domen=20Ko=C5=BEar?= Date: Wed, 8 Jul 2020 15:19:01 +0200 Subject: [PATCH 005/844] ci: add Nix action --- ci/nix.yml | 25 ++ ci/properties/nix.properties.json | 6 + icons/nix.svg | 513 ++++++++++++++++++++++++++++++ 3 files changed, 544 insertions(+) create mode 100644 ci/nix.yml create mode 100644 ci/properties/nix.properties.json create mode 100644 icons/nix.svg diff --git a/ci/nix.yml b/ci/nix.yml new file mode 100644 index 0000000000..e5213e00c0 --- /dev/null +++ b/ci/nix.yml @@ -0,0 +1,25 @@ +name: Nix + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2.3.1 + - name: Install Nix + uses: cachix/install-nix-action@v10 + - name: Install Cachix + - uses: cachix/cachix-action@v6 + with: + # Once you generate a binary cache on https://app.cachix.org, you'll need to insert the name of the cache here + name: mycache + signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}' + - name: Run nix-build + run: nix-build + - name: Check nix-shell works + run: nix-shell --run "echo OK" \ No newline at end of file diff --git a/ci/properties/nix.properties.json b/ci/properties/nix.properties.json new file mode 100644 index 0000000000..3a90d75d77 --- /dev/null 
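Review bot: `- name: Install Cachix` and `- uses: cachix/cachix-action@v6` appear as two separate list entries, so the first is a step with neither `uses` nor `run` and the runner will reject the workflow; join them as `- name: Install Cachix` followed by `uses: cachix/cachix-action@v6` on the next line without the leading dash. Separately, the job triggers on `pull_request` and in the same job passes `CACHIX_SIGNING_KEY` to cachix-action, which as far as I understand the action signs and pushes whatever `nix-build` produced in its post-step; for pull requests from branches of the same repository (fork PRs receive no secrets) that lets an unreviewed Nix expression place signed outputs in the cache. Consider gating the push with `if: github.event_name == 'push'` on the cachix step or moving it to a separate publish job, and add a comment on the `signingKey` line stating that this key authorises cache contents.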
+++ b/ci/properties/nix.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Nix", + "description": "Build Nix project", + "iconName": "nix", + "categories": ["Nix"] +} diff --git a/icons/nix.svg b/icons/nix.svg new file mode 100644 index 0000000000..9a70a14739 --- /dev/null +++ b/icons/nix.svg @@ -0,0 +1,513 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + + + + + + + + + + + + + + + + + + + + + + + + + + From 349e3dde9514886ed5acdac5c7636a47cbfd70dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Domen=20Ko=C5=BEar?= Date: Thu, 24 Sep 2020 11:57:59 +0200 Subject: [PATCH 006/844] nix: review feedback --- ci/nix.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/ci/nix.yml b/ci/nix.yml index e5213e00c0..b42fe3ea19 100644 --- a/ci/nix.yml +++ b/ci/nix.yml @@ -1,3 +1,7 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. name: Nix on: @@ -12,9 +16,9 @@ jobs: steps: - uses: actions/checkout@v2.3.1 - name: Install Nix - uses: cachix/install-nix-action@v10 + uses: cachix/install-nix-action@95a8068e317b8def9482980abe762f36c77ccc99 - name: Install Cachix - - uses: cachix/cachix-action@v6 + - uses: cachix/cachix-action@490a246fbc7f92208d309eeb54383a4d828cedc1 with: # Once you generate a binary cache on https://app.cachix.org, you'll need to insert the name of the cache here name: mycache From 459c27dca6dbcf59f6a611e638005f470c1c8b6d Mon Sep 17 00:00:00 2001 From: aparna-ravindra Date: Thu, 17 Jun 2021 14:28:48 +0530 Subject: [PATCH 007/844] workflow schema validation --- script/validate-data/index.ts | 45 +- script/validate-data/workflow-schema.json | 1110 +++++++++++++++++++++ 2 files changed, 1141 insertions(+), 14 deletions(-) create mode 100644 script/validate-data/workflow-schema.json 
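Review bot: The new SHA pins carry no human-readable version, so a reviewer or an automated updater cannot tell which release the hashes correspond to; append the tag as a trailing comment, e.g. `uses: cachix/install-nix-action@95a8068e317b8def9482980abe762f36c77ccc99 # v10` and `uses: cachix/cachix-action@490a246fbc7f92208d309eeb54383a4d828cedc1 # v6`. `actions/checkout@v2.3.1` stays on a mutable tag, which matches the header's "third-party" rationale but is worth stating in that comment so readers know the distinction is deliberate. The context line `- name: Install Cachix` is still a list item of its own ahead of `- uses:`, so that step has no `uses`/`run` and the workflow remains invalid after this patch.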
diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 81048f8e7f..857a149fdc 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -38,7 +38,6 @@ const propertiesSchema = { }, } } - async function checkWorkflows(folders: string[]): Promise { const result: WorkflowWithErrors[] = [] 
@@ -65,30 +64,48 @@ async function checkWorkflows(folders: string[]): Promise return result; } -async function checkWorkflow(workflowPath: string, propertiesPath: string): Promise { - let workflowErrors: WorkflowWithErrors = { - id: workflowPath, - errors: [] - } - +async function validateWorkflowProperties(propertiesPath: string) : Promise { try { - const workflowFileContent = await fs.readFile(workflowPath, "utf8"); - safeLoad(workflowFileContent); // Validate yaml parses without error - + let errors = [] const propertiesFileContent = await fs.readFile(propertiesPath, "utf8") const properties: WorkflowProperties = JSON.parse(propertiesFileContent) let v = new validator(); const res = v.validate(properties, propertiesSchema) - workflowErrors.errors = res.errors.map(e => e.toString()) - + errors = res.errors.map(e => e.toString()) if (properties.iconName && !properties.iconName.startsWith("octicon")) { try { await fs.access(`../../icons/${properties.iconName}.svg`) } catch (e) { - workflowErrors.errors.push(`No icon named ${properties.iconName} found`) + errors.push(`No icon named ${properties.iconName} found`) } } + return errors + } + catch (e) { + throw e + } +} + +async function checkWorkflow(workflowPath: string, propertiesPath: string): Promise { + let workflowErrors: WorkflowWithErrors = { + id: workflowPath, + errors: [] + } + + try { + workflowErrors.errors = await validateWorkflowProperties(propertiesPath) + + const workflowFileContent = await fs.readFile(workflowPath, "utf8"); + const workflow = safeLoad(workflowFileContent); // Validate yaml parses without error + + let workflowValidator = new validator(); + const workflowSchema = require("./workflow-schema.json"); + + const workflowValidationResult = workflowValidator.validate(workflow, workflowSchema) + const workflowValidationErrors = workflowValidationResult.errors.map(e => e.toString()) + workflowErrors.errors = workflowErrors.errors.concat(workflowValidationErrors) + } catch (e) { 
workflowErrors.errors.push(e.toString()) } @@ -116,4 +133,4 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string): Prom error(`Unhandled error while syncing workflows: ${e}`); setFailed(`Unhandled error`) } -})(); +})(); \ No newline at end of file diff --git a/script/validate-data/workflow-schema.json b/script/validate-data/workflow-schema.json new file mode 100644 index 0000000000..39340f63a1 --- /dev/null +++ b/script/validate-data/workflow-schema.json 
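Review bot: In `checkWorkflow` the new `validateWorkflowProperties` call sits inside the same try as the YAML parse and schema validation, so when the properties file is missing or malformed the throw skips `safeLoad` and the workflow-schema check entirely and only the properties error is reported — a broken properties file hides workflow-schema violations. Give the properties call its own try/catch that pushes the error and then continue with the workflow validation, as sketched below. The `try { … } catch (e) { throw e }` wrapper inside `validateWorkflowProperties` is a no-op rethrow and can be dropped, and `require("./workflow-schema.json")` could live at module scope beside `propertiesSchema` rather than being re-evaluated per workflow.
```typescript
  try {
    try {
      workflowErrors.errors = await validateWorkflowProperties(propertiesPath)
    } catch (e) {
      workflowErrors.errors.push(e.toString())
    }

    const workflowFileContent = await fs.readFile(workflowPath, "utf8");
    // … unchanged: safeLoad, workflow-schema validation, error concat …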
@@ -0,0 +1,1110 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema", + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions", + "definitions": { + "architecture": { + "type": "string", + "enum": ["ARM32", "x64", "x86"] + }, + "branch": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onpushpull_requestbranchestags", + "$ref": "#/definitions/globs", + "description": "When using the push and pull_request events, you can configure a workflow to run on specific branches or tags. If you only define only tags or only branches, the workflow won't run for events affecting the undefined Git ref.\nThe branches, branches-ignore, tags, and tags-ignore keywords accept glob patterns that use the * and ** wildcard characters to match more than one branch or tag name. For more information, see https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet.\nThe patterns defined in branches and tags are evaluated against the Git ref's name. For example, defining the pattern mona/octocat in branches will match the refs/heads/mona/octocat Git ref. The pattern releases/** will match the refs/heads/releases/10 Git ref.\nYou can use two types of filters to prevent a workflow from running on pushes and pull requests to tags and branches:\n- branches or branches-ignore - You cannot use both the branches and branches-ignore filters for the same event in a workflow. Use the branches filter when you need to filter branches for positive matches and exclude branches. Use the branches-ignore filter when you only need to exclude branch names.\n- tags or tags-ignore - You cannot use both the tags and tags-ignore filters for the same event in a workflow. Use the tags filter when you need to filter tags for positive matches and exclude tags. 
Use the tags-ignore filter when you only need to exclude tag names.\nYou can exclude tags and branches using the ! character. The order that you define patterns matters.\n- A matching negative pattern (prefixed with !) after a positive match will exclude the Git ref.\n- A matching positive pattern after a negative match will include the Git ref again." + }, + "configuration": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + }, + { + "type": "object", + "additionalProperties": { + "$ref": "#/definitions/configuration" + } + }, + { + "type": "array", + "items": { + "$ref": "#/definitions/configuration" + }, + "additionalItems": false + } + ] + }, + "container": { + "type": "object", + "properties": { + "image": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainerimage", + "description": "The Docker image to use as the container to run the action. The value can be the Docker Hub image name or a public docker registry name.", + "type": "string" + }, + "env": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainerenv", + "$ref": "#/definitions/env", + "description": "Sets an array of environment variables in the container." + }, + "ports": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainerports", + "description": "Sets an array of ports to expose on the container.", + "type": "array", + "items": { + "oneOf": [ + { + "type": "number" + }, + { + "type": "string" + } + ] + }, + "minItems": 1, + "additionalItems": false + }, + "volumes": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainervolumes", + "description": "Sets an array of volumes for the container to use. 
You can use volumes to share data between services or other steps in a job. You can specify named Docker volumes, anonymous Docker volumes, or bind mounts on the host.\nTo specify a volume, you specify the source and destination path: :\nThe is a volume name or an absolute path on the host machine, and is an absolute path in the container.", + "type": "array", + "items": { + "type": "string", + "pattern": "^[^:]+:[^:]+$" + }, + "minItems": 1, + "additionalItems": false + }, + "options": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontaineroptions", + "description": "Additional Docker container resource options. For a list of options, see https://docs.docker.com/engine/reference/commandline/create/#options.", + "type": "string" + } + }, + "required": ["image"], + "additionalProperties": false + }, + "defaults": { + "type": "object", + "properties": { + "run": { + "type": "object", + "properties": { + "shell": { + "$ref": "#/definitions/shell" + }, + "working-directory": { + "$ref": "#/definitions/working-directory" + } + }, + "minProperties": 1, + "additionalProperties": false + } + }, + "minProperties": 1, + "additionalProperties": false + }, + "env": { + "type": "object", + "additionalProperties": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + }, + { + "type": "boolean" + } + ] + }, + "minProperties": 1 + }, + "environment": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "object", + "properties": { + "name": {"type": "string"}, + "url": {"type": "string"} + } + } + ] + }, + "event": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows", + "type": "string", + "enum": [ + "check_run", + "check_suite", + "create", + "delete", + "deployment", + "deployment_status", + "fork", + "gollum", + "issue_comment", + "issues", + "label", + "member", + "milestone", + "page_build", 
+ "project", + "project_card", + "project_column", + "public", + "pull_request", + "pull_request_review", + "pull_request_review_comment", + "push", + "registry_package", + "release", + "status", + "watch", + "repository_dispatch" + ] + }, + "eventObject": { + "oneOf": [ + { + "type": "object" + }, + { + "type": "null" + } + ], + "additionalProperties": true + }, + "globs": { + "type": "array", + "items": { + "type": "string", + "minLength": 1 + }, + "minItems": 1, + "additionalItems": false + }, + "machine": { + "type": "string", + "enum": ["linux", "macos", "windows"] + }, + "name": { + "type": "string", + "pattern": "^[_a-zA-Z][a-zA-Z0-9_-]*$" + }, + "gitpermissionenums": { + "type": "string", + "enum": [ + "read", + "write", + "none" + ] + }, + "gitpermissions": { + "type": "object", + "properties": { + "actions" : { + "$ref": "#/definitions/gitpermissionenums" + }, + "checks" : { + "$ref": "#/definitions/gitpermissionenums" + }, + "contents": { + "$ref": "#/definitions/gitpermissionenums" + }, + "deployments": { + "$ref": "#/definitions/gitpermissionenums" + }, + "issues": { + "$ref": "#/definitions/gitpermissionenums" + }, + "packages": { + "$ref": "#/definitions/gitpermissionenums" + }, + "pull-requests": { + "$ref": "#/definitions/gitpermissionenums" + }, + "repository-projects": { + "$ref": "#/definitions/gitpermissionenums" + }, + "security-events": { + "$ref": "#/definitions/gitpermissionenums" + }, + "statuses": { + "$ref": "#/definitions/gitpermissionenums" + } + } + }, + "path": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onpushpull_requestpaths", + "$ref": "#/definitions/globs", + "description": "When using the push and pull_request events, you can configure a workflow to run when at least one file does not match paths-ignore or at least one modified file matches the configured paths. 
Path filters are not evaluated for pushes to tags.\nThe paths-ignore and paths keywords accept glob patterns that use the * and ** wildcard characters to match more than one path name. For more information, see https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet.\nYou can exclude paths using two types of filters. You cannot use both of these filters for the same event in a workflow.\n- paths-ignore - Use the paths-ignore filter when you only need to exclude path names.\n- paths - Use the paths filter when you need to filter paths for positive matches and exclude paths." + }, + "ref": { + "properties": { + "branches": { + "$ref": "#/definitions/branch" + }, + "branches-ignore": { + "$ref": "#/definitions/branch" + }, + "tags": { + "$ref": "#/definitions/branch" + }, + "tags-ignore": { + "$ref": "#/definitions/branch" + }, + "paths": { + "$ref": "#/definitions/path" + }, + "paths-ignore": { + "$ref": "#/definitions/path" + } + }, + "oneOf": [ + { + "type": "object", + "allOf": [ + { + "not": { + "required": ["branches", "branches-ignore"] + } + }, + { + "not": { + "required": ["tags", "tags-ignore"] + } + }, + { + "not": { + "required": ["paths", "paths-ignore"] + } + } + ] + }, + { + "type": "null" + } + ] + }, + "shell": { + "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#using-a-specific-shell", + "description": "You can override the default shell settings in the runner's operating system using the shell keyword. 
You can use built-in shell keywords, or you can define a custom set of shell options.", + "type": "string", + "anyOf": [ + { + "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#custom-shell" + }, + { + "enum": ["bash", "pwsh", "python", "sh", "cmd", "powershell"] + } + ] + }, + "types": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onevent_nametypes", + "description": "Selects the types of activity that will trigger a workflow run. Most GitHub events are triggered by more than one type of activity. For example, the event for the release resource is triggered when a release is published, unpublished, created, edited, deleted, or prereleased. The types keyword enables you to narrow down activity that causes the workflow to run. When only one activity type triggers a webhook event, the types keyword is unnecessary.\nYou can use an array of event types. For more information about each event and their activity types, see https://help.github.com/en/articles/events-that-trigger-workflows#webhook-events.", + "type": "array", + "minItems": 1, + "additionalItems": false + }, + "working-directory": { + "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun", + "description": "Using the working-directory keyword, you can specify the working directory of where to run the command.", + "type": "string" + } + }, + "properties": { + "name": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#name", + "description": "The name of your workflow. GitHub displays the names of your workflows on your repository's actions page. 
If you omit this field, GitHub sets the name to the workflow's filename.", + "type": "string" + }, + "on": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#on", + "description": "The name of the GitHub event that triggers the workflow. You can provide a single event string, array of events, array of event types, or an event configuration map that schedules a workflow or restricts the execution of a workflow to specific files, tags, or branch changes. For a list of available events, see https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows.", + "oneOf": [ + { + "$ref": "#/definitions/event" + }, + { + "type": "array", + "items": { + "$ref": "#/definitions/event" + }, + "minItems": 1, + "additionalItems": false + }, + { + "type": "object", + "properties": { + "check_run": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#check-run-event-check_run", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the check_run event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/checks/runs.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": [ + "created", + "rerequested", + "completed", + "requested_action" + ] + }, + "default": [ + "created", + "rerequested", + "completed", + "requested_action" + ] + } + } + }, + "check_suite": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#check-suite-event-check_suite", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the check_suite event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/checks/suites/.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": ["completed", "requested", "rerequested"] + }, + "default": ["completed", "requested", "rerequested"] + } + } + }, + "create": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#create-event-create", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime someone creates a branch or tag, which triggers the create event. For information about the REST API, see https://developer.github.com/v3/git/refs/#create-a-reference." + }, + "delete": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#delete-event-delete", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime someone deletes a branch or tag, which triggers the delete event. For information about the REST API, see https://developer.github.com/v3/git/refs/#delete-a-reference." + }, + "deployment": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#deployment-event-deployment", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime someone creates a deployment, which triggers the deployment event. Deployments created with a commit SHA may not have a Git ref. For information about the REST API, see https://developer.github.com/v3/repos/deployments/." + }, + "deployment_status": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#deployment-status-event-deployment_status", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime a third party provides a deployment status, which triggers the deployment_status event. 
Deployments created with a commit SHA may not have a Git ref. For information about the REST API, see https://developer.github.com/v3/repos/deployments/#create-a-deployment-status." + }, + "fork": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#fork-event-fork", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime when someone forks a repository, which triggers the fork event. For information about the REST API, see https://developer.github.com/v3/repos/forks/#create-a-fork." + }, + "gollum": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#gollum-event-gollum", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow when someone creates or updates a Wiki page, which triggers the gollum event." + }, + "issue_comment": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#issue-comment-event-issue_comment", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the issue_comment event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/issues/comments/.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": ["created", "edited", "deleted"] + }, + "default": ["created", "edited", "deleted"] + } + } + }, + "issues": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#issues-event-issues", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the issues event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/issues.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": [ + "opened", + "edited", + "deleted", + "transferred", + "pinned", + "unpinned", + "closed", + "reopened", + "assigned", + "unassigned", + "labeled", + "unlabeled", + "locked", + "unlocked", + "milestoned", + "demilestoned" + ] + }, + "default": [ + "opened", + "edited", + "deleted", + "transferred", + "pinned", + "unpinned", + "closed", + "reopened", + "assigned", + "unassigned", + "labeled", + "unlabeled", + "locked", + "unlocked", + "milestoned", + "demilestoned" + ] + } + } + }, + "label": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#label-event-label", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the label event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/issues/labels/.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": ["created", "edited", "deleted"] + }, + "default": ["created", "edited", "deleted"] + } + } + }, + "member": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#member-event-member", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the member event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/repos/collaborators/.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": ["added", "edited", "deleted"] + }, + "default": ["added", "edited", "deleted"] + } + } + }, + "milestone": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#milestone-event-milestone", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the milestone event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/issues/milestones/.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": ["created", "closed", "opened", "edited", "deleted"] + }, + "default": [ + "created", + "closed", + "opened", + "edited", + "deleted" + ] + } + } + }, + "page_build": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#page-build-event-page_build", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime someone pushes to a GitHub Pages-enabled branch, which triggers the page_build event. For information about the REST API, see https://developer.github.com/v3/repos/pages/." + }, + "project": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#project-event-project", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the project event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/projects/.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": [ + "created", + "updated", + "closed", + "reopened", + "edited", + "deleted" + ] + }, + "default": [ + "created", + "updated", + "closed", + "reopened", + "edited", + "deleted" + ] + } + } + }, + "project_card": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#project-card-event-project_card", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the project_card event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/projects/cards.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": [ + "created", + "moved", + "converted", + "edited", + "deleted" + ] + }, + "default": [ + "created", + "moved", + "converted", + "edited", + "deleted" + ] + } + } + }, + "project_column": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#project-column-event-project_column", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the project_column event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/projects/columns.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": ["created", "updated", "moved", "deleted"] + }, + "default": ["created", "updated", "moved", "deleted"] + } + } + }, + "public": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#public-event-public", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime someone makes a private repository public, which triggers the public event. For information about the REST API, see https://developer.github.com/v3/repos/#edit." + }, + "pull_request": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#pull-request-event-pull_request", + "$ref": "#/definitions/ref", + "description": "Runs your workflow anytime the pull_request event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/pulls.\nNote: Workflows do not run on private base repositories when you open a pull request from a forked repository.\nWhen you create a pull request from a forked repository to the base repository, GitHub sends the pull_request event to the base repository and no pull request events occur on the forked repository.\nWorkflows don't run on forked repositories by default. You must enable GitHub Actions in the Actions tab of the forked repository.\nThe permissions for the GITHUB_TOKEN in forked repositories is read-only. 
For more information about the GITHUB_TOKEN, see https://help.github.com/en/articles/virtual-environments-for-github-actions.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": [ + "assigned", + "unassigned", + "labeled", + "unlabeled", + "opened", + "edited", + "closed", + "reopened", + "synchronize", + "ready_for_review", + "locked", + "unlocked", + "review_requested", + "review_request_removed" + ] + }, + "default": ["opened", "synchronize", "reopened"] + } + }, + "patternProperties": { + "^(branche|tag|path)s(-ignore)?$": { + "type": "array" + } + }, + "additionalProperties": false + }, + "pull_request_review": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#pull-request-review-event-pull_request_review", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the pull_request_review event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/pulls/reviews.\nNote: Workflows do not run on private base repositories when you open a pull request from a forked repository.\nWhen you create a pull request from a forked repository to the base repository, GitHub sends the pull_request event to the base repository and no pull request events occur on the forked repository.\nWorkflows don't run on forked repositories by default. You must enable GitHub Actions in the Actions tab of the forked repository.\nThe permissions for the GITHUB_TOKEN in forked repositories is read-only. 
For more information about the GITHUB_TOKEN, see https://help.github.com/en/articles/virtual-environments-for-github-actions.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": ["submitted", "edited", "dismissed"] + }, + "default": ["submitted", "edited", "dismissed"] + } + } + }, + "pull_request_review_comment": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#pull-request-review-comment-event-pull_request_review_comment", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime a comment on a pull request's unified diff is modified, which triggers the pull_request_review_comment event. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/pulls/comments.\nNote: Workflows do not run on private base repositories when you open a pull request from a forked repository.\nWhen you create a pull request from a forked repository to the base repository, GitHub sends the pull_request event to the base repository and no pull request events occur on the forked repository.\nWorkflows don't run on forked repositories by default. You must enable GitHub Actions in the Actions tab of the forked repository.\nThe permissions for the GITHUB_TOKEN in forked repositories is read-only. 
For more information about the GITHUB_TOKEN, see https://help.github.com/en/articles/virtual-environments-for-github-actions.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": ["created", "edited", "deleted"] + }, + "default": ["created", "edited", "deleted"] + } + } + }, + "push": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#push-event-push", + "description": "Runs your workflow when someone pushes to a repository branch, which triggers the push event.\nNote: The webhook payload available to GitHub Actions does not include the added, removed, and modified attributes in the commit object. You can retrieve the full commit object using the REST API. For more information, see https://developer.github.com/v3/repos/commits/#get-a-single-commit.", + "type": "object", + "$ref": "#/definitions/ref", + "patternProperties": { + "^(branche|tag|path)s(-ignore)?$": { + "type": "array", + "items" : { + "type" : "string" + } + } + }, + "additionalProperties": false + }, + "release": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#release-event-release", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the release event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/repos/releases/.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": [ + "published", + "unpublished", + "created", + "edited", + "deleted", + "prereleased", + "released" + ] + }, + "default": [ + "published", + "unpublished", + "created", + "edited", + "deleted", + "prereleased", + "released" + ] + } + } + }, + "status": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#status-event-status", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the status of a Git commit changes, which triggers the status event. For information about the REST API, see https://developer.github.com/v3/repos/statuses/." + }, + "watch": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#watch-event-watch", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the watch event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/activity/starring/." + }, + "repository_dispatch": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#external-events-repository_dispatch", + "$ref": "#/definitions/eventObject", + "description": "You can use the GitHub API to trigger a webhook event called repository_dispatch when you want to trigger a workflow for activity that happens outside of GitHub. For more information, see https://developer.github.com/v3/repos/#create-a-repository-dispatch-event.\nTo trigger the custom repository_dispatch webhook event, you must send a POST request to a GitHub API endpoint and provide an event_type name to describe the activity type. 
To trigger a workflow run, you must also configure your workflow to use the repository_dispatch event." + }, + "schedule": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#scheduled-events-schedule", + "description": "You can schedule a workflow to run at specific UTC times using POSIX cron syntax (https://pubs.opengroup.org/onlinepubs/9699919799/utilities/crontab.html#tag_20_25_07). Scheduled workflows run on the latest commit on the default or base branch. The shortest interval you can run scheduled workflows is once every 5 minutes.\nNote: GitHub Actions does not support the non-standard syntax @yearly, @monthly, @weekly, @daily, @hourly, and @reboot.\nYou can use crontab guru (https://crontab.guru/). to help generate your cron syntax and confirm what time it will run. To help you get started, there is also a list of crontab guru examples (https://crontab.guru/examples.html).", + "type": "array", + "items": { + "type": "object", + "properties": { + "cron": { + "$comment": "https://stackoverflow.com/a/57639657/4044345", + "oneOf": [ + { + "pattern": "cron-(.)+" + }, + { + "type": "string", + "pattern": "^(((\\d+,)+\\d+|((\\d+|\\*)\\/\\d+)|(\\d+-\\d+)|\\d+|\\*) ?){5,7}$" + } + ] + } + }, + "additionalProperties": false + }, + "minItems": 1, + "additionalItems": false + } + }, + "additionalProperties": false + } + ] + }, + "env": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#env", + "$ref": "#/definitions/env", + "description": "A map of environment variables that are available to all jobs and steps in the workflow." + }, + "defaults": { + "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#defaults", + "$ref": "#/definitions/defaults", + "description": "A map of default settings that will apply to all jobs in the workflow." 
+ }, + "jobs": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobs", + "description": "A workflow run is made up of one or more jobs. Jobs run in parallel by default. To run jobs sequentially, you can define dependencies on other jobs using the jobs..needs keyword.\nEach job runs in a fresh instance of the virtual environment specified by runs-on.\nYou can run an unlimited number of jobs as long as you are within the workflow usage limits. For more information, see https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#usage-limits.", + "type": "object", + "patternProperties": { + "^[_a-zA-Z][a-zA-Z0-9_-]*$": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_id", + "description": "Each job must have an id to associate with the job. The key job_id is a string and its value is a map of the job's configuration data. You must replace with a string that is unique to the jobs object. The must start with a letter or _ and contain only alphanumeric characters, -, or _.", + "type": "object", + "properties": { + "name": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idname", + "description": "The name of the job displayed on GitHub.", + "type": "string" + }, + "needs": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idneeds", + "description": "Identifies any jobs that must complete successfully before this job will run. It can be a string or array of strings. 
If a job fails, all jobs that need it are skipped unless the jobs use a conditional statement that causes the job to continue.", + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/name" + }, + "minItems": 1, + "additionalItems": false + }, + { + "$ref": "#/definitions/name" + } + ] + }, + "permissions" : { + "$comment": "https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idpermissions", + "description": "You can modify the default permissions granted to the GITHUB_TOKEN, adding or removing access as required, so that you only allow the minimum required access", + "oneOf": [ + { + "const": "read-all|write-all" + }, + { + "type" : "object", + "$ref": "#/definitions/gitpermissions" + } + ] + }, + "runs-on": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idruns-on", + "description": "The type of machine to run the job on. The machine can be either a GitHub-hosted runner, or a self-hosted runner.", + "oneOf": [ + { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#github-hosted-runners", + "type": "string", + "enum": [ + "${{ matrix.os }}", + "macos-latest", + "macos-10.15", + "self-hosted", + "ubuntu-16.04", + "ubuntu-18.04", + "ubuntu-latest", + "windows-latest", + "windows-2019" + ] + }, + { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#self-hosted-runners", + "type": "array", + "oneOf": [ + { + "items": [ + { + "const": "self-hosted" + } + ] + }, + { + "items": [ + { + "const": "self-hosted" + }, + { + "$ref": "#/definitions/machine" + } + ] + }, + { + "items": [ + { + "const": "self-hosted" + }, + { + "$ref": "#/definitions/architecture" + } + ] + }, + { + "items": [ + { + "const": "self-hosted" + }, + { + "$ref": "#/definitions/machine" + }, + { + 
"$ref": "#/definitions/architecture" + } + ] + }, + { + "items": [ + { + "const": "self-hosted" + }, + { + "$ref": "#/definitions/architecture" + }, + { + "$ref": "#/definitions/machine" + } + ] + } + ], + "additionalItems": false + } + ] + }, + "outputs": { + "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjobs_idoutputs", + "description": "A map of outputs for a job. Job outputs are available to all downstream jobs that depend on this job.", + "type": "object", + "additionalProperties": { + "type": "string" + }, + "minProperties": 1 + }, + "environment": { + "$comment": "https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idenvironment", + "$ref": "#/definitions/environment", + "description": "The environment that the job references" + }, + "env": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idenv", + "$ref": "#/definitions/env", + "description": "A map of environment variables that are available to all steps in the job." + }, + "defaults": { + "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_iddefaults", + "$ref": "#/definitions/defaults", + "description": "A map of default settings that will apply to all steps in the job." + }, + "if": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idif", + "description": "You can use the if conditional to prevent a job from running unless a condition is met. You can use any supported context and expression to create a conditional.\nExpressions in an if conditional do not require the ${{ }} syntax. 
For more information, see https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.", + "type": "string" + }, + "steps": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idsteps", + "description": "A job contains a sequence of tasks called steps. Steps can run commands, run setup tasks, or run an action in your repository, a public repository, or an action published in a Docker registry. Not all steps run actions, but all actions run as a step. Each step runs in its own process in the virtual environment and has access to the workspace and filesystem. Because steps run in their own process, changes to environment variables are not preserved between steps. GitHub provides built-in steps to set up and complete a job.\n", + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsid", + "description": "A unique identifier for the step. You can use the id to reference the step in contexts. For more information, see https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.", + "type": "string" + }, + "if": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsif", + "description": "You can use the if conditional to prevent a step from running unless a condition is met. You can use any supported context and expression to create a conditional.\nExpressions in an if conditional do not require the ${{ }} syntax. 
For more information, see https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.", + "type": "string" + }, + "name": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsname", + "description": "A name for your step to display on GitHub.", + "type": "string" + }, + "uses": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsuses", + "description": "Selects an action to run as part of a step in your job. An action is a reusable unit of code. You can use an action defined in the same repository as the workflow, a public repository, or in a published Docker container image (https://hub.docker.com/).\nWe strongly recommend that you include the version of the action you are using by specifying a Git ref, SHA, or Docker tag number. If you don't specify a version, it could break your workflows or cause unexpected behavior when the action owner publishes an update.\n- Using the commit SHA of a released action version is the safest for stability and security.\n- Using the specific major action version allows you to receive critical fixes and security patches while still maintaining compatibility. It also assures that your workflow should still work.\n- Using the master branch of an action may be convenient, but if someone releases a new major version with a breaking change, your workflow could break.\nSome actions require inputs that you must set using the with keyword. Review the action's README file to determine the inputs required.\nActions are either JavaScript files or Docker containers. If the action you're using is a Docker container you must run the job in a Linux virtual environment. 
For more details, see https://help.github.com/en/articles/virtual-environments-for-github-actions.", + "type": "string" + }, + "run": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsrun", + "description": "Runs command-line programs using the operating system's shell. If you do not provide a name, the step name will default to the text specified in the run command.\nCommands run using non-login shells by default. You can choose a different shell and customize the shell used to run commands. For more information, see https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#using-a-specific-shell.\nEach run keyword represents a new process and shell in the virtual environment. When you provide multi-line commands, each line runs in the same shell.", + "type": "string" + }, + "working-directory": { + "$ref": "#/definitions/working-directory" + }, + "shell": { + "$ref": "#/definitions/shell" + }, + "with": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepswith", + "$ref": "#/definitions/env", + "description": "A map of the input parameters defined by the action. Each input parameter is a key/value pair. Input parameters are set as environment variables. 
The variable is prefixed with INPUT_ and converted to upper case.", + "properties": { + "args": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepswithargs", + "type": "string" + }, + "entrypoint": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepswithentrypoint", + "type": "string" + } + } + }, + "env": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsenv", + "$ref": "#/definitions/env", + "description": "Sets environment variables for steps to use in the virtual environment. You can also set environment variables for the entire workflow or a job." + }, + "continue-on-error": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error", + "description": "Prevents a job from failing when a step fails. Set to true to allow a job to pass when this step fails.", + "type": "boolean", + "default": false + }, + "timeout-minutes": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepstimeout-minutes", + "description": "The maximum number of minutes to run the step before killing the process.", + "type": "number" + } + }, + "dependencies": { + "working-directory": ["run"], + "shell": ["run"] + }, + "additionalProperties": false + }, + "minItems": 1, + "additionalItems": false + }, + "timeout-minutes": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idtimeout-minutes", + "description": "The maximum number of minutes to let a workflow run before GitHub automatically cancels it. 
Default: 360", + "type": "number", + "default": 360 + }, + "strategy": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategy", + "description": "A strategy creates a build matrix for your jobs. You can define different variations of an environment to run each job in.", + "type": "object", + "properties": { + "matrix": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix", + "description": "A build matrix is a set of different configurations of the virtual environment. For example you might run a job against more than one supported version of a language, operating system, or tool. Each configuration is a copy of the job that runs and reports a status.\nYou can specify a matrix by supplying an array for the configuration options. For example, if the GitHub virtual environment supports Node.js versions 6, 8, and 10 you could specify an array of those versions in the matrix.\nWhen you define a matrix of operating systems, you must set the required runs-on keyword to the operating system of the current job, rather than hard-coding the operating system name. To access the operating system name, you can use the matrix.os context parameter to set runs-on. 
For more information, see https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.", + "type": "object", + "patternProperties": { + "^(in|ex)clude$": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#example-including-configurations-in-a-matrix-build", + "type": "array", + "items": { + "type": "object", + "additionalProperties": { + "$ref": "#/definitions/configuration" + } + }, + "minItems": 1, + "additionalItems": false + } + }, + "additionalProperties": { + "type": "array", + "items": { + "$ref": "#/definitions/configuration" + }, + "minItems": 1, + "additionalItems": false + }, + "minProperties": 1 + }, + "fail-fast": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategyfail-fast", + "description": "When set to true, GitHub cancels all in-progress jobs if any matrix job fails. Default: true", + "type": "boolean", + "default": true + }, + "max-parallel": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymax-parallel", + "description": "The maximum number of jobs that can run simultaneously when using a matrix job strategy. By default, GitHub will maximize the number of jobs run in parallel depending on the available runners on GitHub-hosted virtual machines.", + "type": "number" + } + }, + "additionalProperties": false + }, + "continue-on-error": { + "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idcontinue-on-error", + "description": "Prevents a workflow run from failing when a job fails. 
Set to true to allow a workflow run to pass when this job fails.", + "oneOf": [ + { + "type": "boolean" + }, + { + "type": "string" + } + ] + }, + "container": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainer", + "description": "A container to run any steps in a job that don't already specify a container. If you have steps that use both script and container actions, the container actions will run as sibling containers on the same network with the same volume mounts.\nIf you do not set a container, all steps will run directly on the host specified by runs-on unless a step refers to an action configured to run in a container.", + "type": "object", + "additionalProperties": { + "oneOf": [ + { + "type": "string" + }, + { + "$ref": "#/definitions/container" + } + ] + } + }, + "services": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idservices", + "description": "Additional containers to host services for a job in a workflow. These are useful for creating databases or cache services like redis. The runner on the virtual machine will automatically create a network and manage the life cycle of the service containers.\nWhen you use a service container for a job or your step uses container actions, you don't need to set port information to access the service. Docker automatically exposes all ports between containers on the same network.\nWhen both the job and the action run in a container, you can directly reference the container by its hostname. 
The hostname is automatically mapped to the service name.\nWhen a step does not use a container action, you must access the service using localhost and bind the ports.",
+ "type": "object",
+ "additionalProperties": {
+ "$ref": "#/definitions/container"
+ }
+ }
+ },
+ "required": ["runs-on", "steps"],
+ "additionalProperties": false
+ }
+ },
+ "minProperties": 1,
+ "additionalProperties": false
+ }
+ },
+ "required": ["on", "jobs"],
+ "additionalProperties": false
+ }
\ No newline at end of file
From aa1dc148f7524d8c4fd43530ff38fe5e223bc35d Mon Sep 17 00:00:00 2001
From: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com>
Date: Thu, 24 Jun 2021 10:00:51 +0530
Subject: [PATCH 008/844] Create manual.yml
---
 .github/workflows/manual.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 .github/workflows/manual.yml
diff --git a/.github/workflows/manual.yml b/.github/workflows/manual.yml
new file mode 100644
index 0000000000..3045613d40
--- /dev/null
+++ b/.github/workflows/manual.yml
@@ -0,0 +1,18 @@
+name: Aparna Validate This
+on:
+ workflow_dispatch:
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: checkout
+ uses: actions/checkout@v2
+ - name: Setup Node
+ uses: actions/setup-node@v2
+ - name: Run validator
+ uses: aparna-ravindra/workflow-template-validator@v0.4
+ with:
+ path-to-workflow-yaml: './ci,./automation'
+ path-to-properties-json: './ci/properties,./automation/properties'
+ path-to-icons: './icons'
From ee8dc59f492b7e0964d95beb6fac208d54fee245 Mon Sep 17 00:00:00 2001
From: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com>
Date: Thu, 24 Jun 2021 10:34:31 +0530
Subject: [PATCH 009/844] Create workflow_input.yml
---
 .github/workflows/workflow_input.yml | 30 ++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 .github/workflows/workflow_input.yml
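Review bot: The validator step `uses: aparna-ravindra/workflow-template-validator@v0.4` pulls a third-party action from a personal account by a mutable tag, so whoever can move that tag decides what code runs with this repository's checkout and GITHUB_TOKEN; pin it to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: aparna-ravindra/workflow-template-validator@<full-commit-sha>  # v0.4`, and consider the same for the two `actions/*@v2` steps. The workflow declares no `permissions:` block, so the token receives the repository's default grant although a validation-only job needs no more than top-level `permissions:` with `contents: read`. The `actions/setup-node@v2` step also sets no `node-version`, so the Node runtime the validator executes under is whatever the runner image ships, which will change silently over time.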
diff --git a/.github/workflows/workflow_input.yml b/.github/workflows/workflow_input.yml
new file mode 100644
index 0000000000..47f24e11ff
--- /dev/null
+++ b/.github/workflows/workflow_input.yml
@@ -0,0 +1,30 @@
+# This is a basic workflow that is manually triggered
+
+name: Manual workflow
+
+# Controls when the action will run. Workflow runs when manually triggered using the UI
+# or API.
+on:
+ workflow_dispatch:
+ # Inputs the workflow accepts.
+ inputs:
+ name:
+ # Friendly description to be shown in the UI instead of 'name'
+ description: 'Person to greet'
+ # Default value if no value is explicitly provided
+ default: 'World'
+ # Input has to be provided for the workflow to run
+ required: true
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+ # This workflow contains a single job called "greet"
+ greet:
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+
+ # Steps represent a sequence of tasks that will be executed as part of the job
+ steps:
+ # Runs a single command using the runners shell
+ - name: Send greeting
+ run: echo "Hello ${{ github.event.inputs.name }}"
From 4ae4e4dcb0f858b5390163bb9c052cf1fc7dbbe9 Mon Sep 17 00:00:00 2001
From: aparna-ravindra
Date: Thu, 22 Jul 2021 15:29:31 +0530
Subject: [PATCH 010/844] workflow schema
---
 script/validate-data/workflow-schema.json | 2062 +++++++++++----------
 1 file changed, 1098 insertions(+), 964 deletions(-)
diff --git a/script/validate-data/workflow-schema.json b/script/validate-data/workflow-schema.json
index 39340f63a1..b3e7b8c67b 100644
--- a/script/validate-data/workflow-schema.json
+++ b/script/validate-data/workflow-schema.json
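Review bot: The greeting step substitutes a user-supplied input directly into the script text with `run: echo "Hello ${{ github.event.inputs.name }}"`, so the expression is expanded before the shell parses the line and the input is treated as code rather than data; this is the script-injection pattern GitHub's own hardening guidance warns against. Route the value through the environment instead: add `env:` / `NAME: ${{ github.event.inputs.name }}` to the step and change the command to `run: echo "Hello $NAME"`, which lets bash expand it as an ordinary variable. Because `workflow_dispatch` can only be triggered by users with write access the exposure here is limited, but this file is a template and the pattern tends to be copied into workflows with broader triggers, so the safe form is worth establishing at the source.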
@@ -1,17 +1,112 @@ { - "$schema": "http://json-schema.org/draft-07/schema", - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions", - "definitions": { - "architecture": { - "type": "string", - "enum": ["ARM32", "x64", "x86"] + "$schema": "http://json-schema.org/draft-07/schema", + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions", + "definitions": { + "architecture": { + "type": "string", + "enum": ["ARM32", "x64", "x86"] + }, + "branch": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onpushpull_requestbranchestags", + "$ref": "#/definitions/globs", + "description": "When using the push and pull_request events, you can configure a workflow to run on specific branches or tags. If you only define only tags or only branches, the workflow won't run for events affecting the undefined Git ref.\nThe branches, branches-ignore, tags, and tags-ignore keywords accept glob patterns that use the * and ** wildcard characters to match more than one branch or tag name. For more information, see https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet.\nThe patterns defined in branches and tags are evaluated against the Git ref's name. For example, defining the pattern mona/octocat in branches will match the refs/heads/mona/octocat Git ref. The pattern releases/** will match the refs/heads/releases/10 Git ref.\nYou can use two types of filters to prevent a workflow from running on pushes and pull requests to tags and branches:\n- branches or branches-ignore - You cannot use both the branches and branches-ignore filters for the same event in a workflow. Use the branches filter when you need to filter branches for positive matches and exclude branches. 
Use the branches-ignore filter when you only need to exclude branch names.\n- tags or tags-ignore - You cannot use both the tags and tags-ignore filters for the same event in a workflow. Use the tags filter when you need to filter tags for positive matches and exclude tags. Use the tags-ignore filter when you only need to exclude tag names.\nYou can exclude tags and branches using the ! character. The order that you define patterns matters.\n- A matching negative pattern (prefixed with !) after a positive match will exclude the Git ref.\n- A matching positive pattern after a negative match will include the Git ref again." + }, + "configuration": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + }, + { + "type": "object", + "additionalProperties": { + "$ref": "#/definitions/configuration" + } + }, + { + "type": "array", + "items": { + "$ref": "#/definitions/configuration" + }, + "additionalItems": false + } + ] + }, + "container": { + "type": "object", + "properties": { + "image": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainerimage", + "description": "The Docker image to use as the container to run the action. The value can be the Docker Hub image name or a public docker registry name.", + "type": "string" + }, + "env": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainerenv", + "$ref": "#/definitions/env", + "description": "Sets an array of environment variables in the container." 
+ }, + "ports": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainerports", + "description": "Sets an array of ports to expose on the container.", + "type": "array", + "items": { + "oneOf": [ + { + "type": "number" + }, + { + "type": "string" + } + ] + }, + "minItems": 1, + "additionalItems": false + }, + "volumes": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainervolumes", + "description": "Sets an array of volumes for the container to use. You can use volumes to share data between services or other steps in a job. You can specify named Docker volumes, anonymous Docker volumes, or bind mounts on the host.\nTo specify a volume, you specify the source and destination path: :\nThe is a volume name or an absolute path on the host machine, and is an absolute path in the container.", + "type": "array", + "items": { + "type": "string", + "pattern": "^[^:]+:[^:]+$" + }, + "minItems": 1, + "additionalItems": false + }, + "options": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontaineroptions", + "description": "Additional Docker container resource options. For a list of options, see https://docs.docker.com/engine/reference/commandline/create/#options.", + "type": "string" + } }, - "branch": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onpushpull_requestbranchestags", - "$ref": "#/definitions/globs", - "description": "When using the push and pull_request events, you can configure a workflow to run on specific branches or tags. 
If you only define only tags or only branches, the workflow won't run for events affecting the undefined Git ref.\nThe branches, branches-ignore, tags, and tags-ignore keywords accept glob patterns that use the * and ** wildcard characters to match more than one branch or tag name. For more information, see https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet.\nThe patterns defined in branches and tags are evaluated against the Git ref's name. For example, defining the pattern mona/octocat in branches will match the refs/heads/mona/octocat Git ref. The pattern releases/** will match the refs/heads/releases/10 Git ref.\nYou can use two types of filters to prevent a workflow from running on pushes and pull requests to tags and branches:\n- branches or branches-ignore - You cannot use both the branches and branches-ignore filters for the same event in a workflow. Use the branches filter when you need to filter branches for positive matches and exclude branches. Use the branches-ignore filter when you only need to exclude branch names.\n- tags or tags-ignore - You cannot use both the tags and tags-ignore filters for the same event in a workflow. Use the tags filter when you need to filter tags for positive matches and exclude tags. Use the tags-ignore filter when you only need to exclude tag names.\nYou can exclude tags and branches using the ! character. The order that you define patterns matters.\n- A matching negative pattern (prefixed with !) after a positive match will exclude the Git ref.\n- A matching positive pattern after a negative match will include the Git ref again." 
+ "required": ["image"], + "additionalProperties": false + }, + "defaults": { + "type": "object", + "properties": { + "run": { + "type": "object", + "properties": { + "shell": { + "$ref": "#/definitions/shell" + }, + "working-directory": { + "$ref": "#/definitions/working-directory" + } + }, + "minProperties": 1, + "additionalProperties": false + } }, - "configuration": { + "minProperties": 1, + "additionalProperties": false + }, + "env": { + "type": "object", + "additionalProperties": { "oneOf": [ { "type": "string" 
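Review bot: The `volumes` item pattern `"^[^:]+:[^:]+$"` requires exactly one colon, so it rejects the anonymous-volume form (a single container path) that the property's own description says is supported, and presumably also a `host:container:ro` mount with an options suffix; `"pattern": "^[^:]+(:[^:]+){0,2}$"` would accept all three forms, and the behaviour GitHub actually implements should be confirmed before widening it. That same description has lost its placeholders in the new text ("the source and destination path: :" / "The is a volume name") and should read `<source>:<destinationPath>` / `The <source> is a volume name`. Everything visible in this hunk is otherwise a re-indentation of unchanged definitions, which buries the real schema changes later in the patch; splitting the formatting change from the content change would make both reviewable.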
@@ -20,441 +115,329 @@ "type": "number" }, { - "type": "object", - "additionalProperties": { - "$ref": "#/definitions/configuration" - } - }, - { - "type": "array", - "items": { - "$ref": "#/definitions/configuration" - }, - "additionalItems": false + "type": "boolean" } ] }, - "container": { - "type": "object", - "properties": { - "image": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainerimage", - "description": "The Docker image to use as the container to run the action. The value can be the Docker Hub image name or a public docker registry name.", + "minProperties": 1 + }, + "environment": { + "oneOf": [ + { "type": "string" }, - "env": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainerenv", - "$ref": "#/definitions/env", - "description": "Sets an array of environment variables in the container." - }, - "ports": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainerports", - "description": "Sets an array of ports to expose on the container.", - "type": "array", - "items": { - "oneOf": [ - { - "type": "number" - }, - { - "type": "string" - } - ] - }, - "minItems": 1, - "additionalItems": false - }, - "volumes": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainervolumes", - "description": "Sets an array of volumes for the container to use. You can use volumes to share data between services or other steps in a job. 
You can specify named Docker volumes, anonymous Docker volumes, or bind mounts on the host.\nTo specify a volume, you specify the source and destination path: :\nThe is a volume name or an absolute path on the host machine, and is an absolute path in the container.", - "type": "array", - "items": { - "type": "string", - "pattern": "^[^:]+:[^:]+$" - }, - "minItems": 1, - "additionalItems": false - }, - "options": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontaineroptions", - "description": "Additional Docker container resource options. For a list of options, see https://docs.docker.com/engine/reference/commandline/create/#options.", - "type": "string" - } - }, - "required": ["image"], - "additionalProperties": false - }, - "defaults": { - "type": "object", - "properties": { - "run": { + { "type": "object", "properties": { - "shell": { - "$ref": "#/definitions/shell" - }, - "working-directory": { - "$ref": "#/definitions/working-directory" - } - }, - "minProperties": 1, - "additionalProperties": false + "name": {"type": "string"}, + "url": {"type": "string"} + } } + ] + }, + "event": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows", + "type": "string", + "enum": [ + "check_run", + "check_suite", + "create", + "delete", + "deployment", + "deployment_status", + "fork", + "gollum", + "issue_comment", + "issues", + "label", + "member", + "milestone", + "page_build", + "project", + "project_card", + "project_column", + "public", + "pull_request", + "pull_request_review", + "pull_request_review_comment", + "push", + "registry_package", + "release", + "status", + "watch", + "repository_dispatch", + "workflow_dispatch", + "workflow_run" + ] + }, + "eventObject": { + "oneOf": [ + { + "type": "object" }, - "minProperties": 1, - "additionalProperties": false + { + "type": "null" + } + ], + 
"additionalProperties": true + }, + "globs": { + "type": "array", + "items": { + "type": "string", + "minLength": 1 }, - "env": { + "minItems": 1, + "additionalItems": false + }, + "machine": { + "type": "string", + "enum": ["linux", "macos", "windows"] + }, + "name": { + "type": "string", + "pattern": "^[_a-zA-Z][a-zA-Z0-9_-]*$" + }, + "gitpermissionenums": { + "type": "string", + "enum": [ + "read", + "write", + "none" + ] + }, + "gitpermissions": { "type": "object", - "additionalProperties": { - "oneOf": [ - { - "type": "string" + "properties": { + "actions" : { + "$ref": "#/definitions/gitpermissionenums" }, - { - "type": "number" + "checks" : { + "$ref": "#/definitions/gitpermissionenums" }, - { - "type": "boolean" + "contents": { + "$ref": "#/definitions/gitpermissionenums" + }, + "deployments": { + "$ref": "#/definitions/gitpermissionenums" + }, + "issues": { + "$ref": "#/definitions/gitpermissionenums" + }, + "packages": { + "$ref": "#/definitions/gitpermissionenums" + }, + "pull-requests": { + "$ref": "#/definitions/gitpermissionenums" + }, + "repository-projects": { + "$ref": "#/definitions/gitpermissionenums" + }, + "security-events": { + "$ref": "#/definitions/gitpermissionenums" + }, + "statuses": { + "$ref": "#/definitions/gitpermissionenums" } - ] + } + }, + "path": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onpushpull_requestpaths", + "$ref": "#/definitions/globs", + "description": "When using the push and pull_request events, you can configure a workflow to run when at least one file does not match paths-ignore or at least one modified file matches the configured paths. Path filters are not evaluated for pushes to tags.\nThe paths-ignore and paths keywords accept glob patterns that use the * and ** wildcard characters to match more than one path name. 
For more information, see https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet.\nYou can exclude paths using two types of filters. You cannot use both of these filters for the same event in a workflow.\n- paths-ignore - Use the paths-ignore filter when you only need to exclude path names.\n- paths - Use the paths filter when you need to filter paths for positive matches and exclude paths." + }, + "ref": { + "properties": { + "branches": { + "$ref": "#/definitions/branch" + }, + "branches-ignore": { + "$ref": "#/definitions/branch" + }, + "tags": { + "$ref": "#/definitions/branch" }, - "minProperties": 1 + "tags-ignore": { + "$ref": "#/definitions/branch" + }, + "paths": { + "$ref": "#/definitions/path" + }, + "paths-ignore": { + "$ref": "#/definitions/path" + } }, - "environment": { - "oneOf": [ + "oneOf": [ + { + "type": "object", + "allOf": [ { - "type": "string" + "not": { + "required": ["branches", "branches-ignore"] + } }, { - "type": "object", - "properties": { - "name": {"type": "string"}, - "url": {"type": "string"} + "not": { + "required": ["tags", "tags-ignore"] + } + }, + { + "not": { + "required": ["paths", "paths-ignore"] } } ] - }, - "event": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows", - "type": "string", - "enum": [ - "check_run", - "check_suite", - "create", - "delete", - "deployment", - "deployment_status", - "fork", - "gollum", - "issue_comment", - "issues", - "label", - "member", - "milestone", - "page_build", - "project", - "project_card", - "project_column", - "public", - "pull_request", - "pull_request_review", - "pull_request_review_comment", - "push", - "registry_package", - "release", - "status", - "watch", - "repository_dispatch" - ] - }, - "eventObject": { - "oneOf": [ - { - "type": "object" - }, - { - "type": "null" - } - ], - "additionalProperties": true - }, - 
"globs": { - "type": "array", - "items": { - "type": "string", - "minLength": 1 }, - "minItems": 1, - "additionalItems": false - }, - "machine": { - "type": "string", - "enum": ["linux", "macos", "windows"] - }, - "name": { - "type": "string", - "pattern": "^[_a-zA-Z][a-zA-Z0-9_-]*$" - }, - "gitpermissionenums": { - "type": "string", - "enum": [ - "read", - "write", - "none" - ] - }, - "gitpermissions": { - "type": "object", - "properties": { - "actions" : { - "$ref": "#/definitions/gitpermissionenums" - }, - "checks" : { - "$ref": "#/definitions/gitpermissionenums" - }, - "contents": { - "$ref": "#/definitions/gitpermissionenums" - }, - "deployments": { - "$ref": "#/definitions/gitpermissionenums" - }, - "issues": { - "$ref": "#/definitions/gitpermissionenums" - }, - "packages": { - "$ref": "#/definitions/gitpermissionenums" - }, - "pull-requests": { - "$ref": "#/definitions/gitpermissionenums" - }, - "repository-projects": { - "$ref": "#/definitions/gitpermissionenums" - }, - "security-events": { - "$ref": "#/definitions/gitpermissionenums" - }, - "statuses": { - "$ref": "#/definitions/gitpermissionenums" - } - } - }, - "path": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onpushpull_requestpaths", - "$ref": "#/definitions/globs", - "description": "When using the push and pull_request events, you can configure a workflow to run when at least one file does not match paths-ignore or at least one modified file matches the configured paths. Path filters are not evaluated for pushes to tags.\nThe paths-ignore and paths keywords accept glob patterns that use the * and ** wildcard characters to match more than one path name. For more information, see https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet.\nYou can exclude paths using two types of filters. 
You cannot use both of these filters for the same event in a workflow.\n- paths-ignore - Use the paths-ignore filter when you only need to exclude path names.\n- paths - Use the paths filter when you need to filter paths for positive matches and exclude paths." - }, - "ref": { - "properties": { - "branches": { - "$ref": "#/definitions/branch" - }, - "branches-ignore": { - "$ref": "#/definitions/branch" - }, - "tags": { - "$ref": "#/definitions/branch" - }, - "tags-ignore": { - "$ref": "#/definitions/branch" - }, - "paths": { - "$ref": "#/definitions/path" - }, - "paths-ignore": { - "$ref": "#/definitions/path" - } + { + "type": "null" + } + ] + }, + "shell": { + "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#using-a-specific-shell", + "description": "You can override the default shell settings in the runner's operating system using the shell keyword. You can use built-in shell keywords, or you can define a custom set of shell options.", + "type": "string", + "anyOf": [ + { + "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#custom-shell" }, - "oneOf": [ - { - "type": "object", - "allOf": [ - { - "not": { - "required": ["branches", "branches-ignore"] - } - }, - { - "not": { - "required": ["tags", "tags-ignore"] - } - }, - { - "not": { - "required": ["paths", "paths-ignore"] - } - } - ] - }, - { - "type": "null" - } - ] - }, - "shell": { - "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#using-a-specific-shell", - "description": "You can override the default shell settings in the runner's operating system using the shell keyword. 
You can use built-in shell keywords, or you can define a custom set of shell options.", - "type": "string", - "anyOf": [ - { - "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#custom-shell" - }, - { - "enum": ["bash", "pwsh", "python", "sh", "cmd", "powershell"] - } - ] - }, - "types": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onevent_nametypes", - "description": "Selects the types of activity that will trigger a workflow run. Most GitHub events are triggered by more than one type of activity. For example, the event for the release resource is triggered when a release is published, unpublished, created, edited, deleted, or prereleased. The types keyword enables you to narrow down activity that causes the workflow to run. When only one activity type triggers a webhook event, the types keyword is unnecessary.\nYou can use an array of event types. For more information about each event and their activity types, see https://help.github.com/en/articles/events-that-trigger-workflows#webhook-events.", - "type": "array", - "minItems": 1, - "additionalItems": false - }, - "working-directory": { - "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun", - "description": "Using the working-directory keyword, you can specify the working directory of where to run the command.", - "type": "string" - } + { + "enum": ["bash", "pwsh", "python", "sh", "cmd", "powershell"] + } + ] }, - "properties": { - "name": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#name", - "description": "The name of your workflow. GitHub displays the names of your workflows on your repository's actions page. 
If you omit this field, GitHub sets the name to the workflow's filename.", - "type": "string" - }, - "on": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#on", - "description": "The name of the GitHub event that triggers the workflow. You can provide a single event string, array of events, array of event types, or an event configuration map that schedules a workflow or restricts the execution of a workflow to specific files, tags, or branch changes. For a list of available events, see https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows.", - "oneOf": [ - { + "types": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onevent_nametypes", + "description": "Selects the types of activity that will trigger a workflow run. Most GitHub events are triggered by more than one type of activity. For example, the event for the release resource is triggered when a release is published, unpublished, created, edited, deleted, or prereleased. The types keyword enables you to narrow down activity that causes the workflow to run. When only one activity type triggers a webhook event, the types keyword is unnecessary.\nYou can use an array of event types. 
For more information about each event and their activity types, see https://help.github.com/en/articles/events-that-trigger-workflows#webhook-events.", + "type": "array", + "minItems": 1, + "additionalItems": false + }, + "working-directory": { + "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun", + "description": "Using the working-directory keyword, you can specify the working directory of where to run the command.", + "type": "string" + } + }, + "properties": { + "name": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#name", + "description": "The name of your workflow. GitHub displays the names of your workflows on your repository's actions page. If you omit this field, GitHub sets the name to the workflow's filename.", + "type": "string" + }, + "on": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#on", + "description": "The name of the GitHub event that triggers the workflow. You can provide a single event string, array of events, array of event types, or an event configuration map that schedules a workflow or restricts the execution of a workflow to specific files, tags, or branch changes. 
For a list of available events, see https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows.", + "oneOf": [ + { + "$ref": "#/definitions/event" + }, + { + "type": "array", + "items": { "$ref": "#/definitions/event" }, - { - "type": "array", - "items": { - "$ref": "#/definitions/event" - }, - "minItems": 1, - "additionalItems": false - }, - { - "type": "object", - "properties": { - "check_run": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#check-run-event-check_run", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the check_run event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/checks/runs.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": [ - "created", - "rerequested", - "completed", - "requested_action" - ] - }, - "default": [ + "minItems": 1, + "additionalItems": false + }, + { + "type": "object", + "properties": { + "check_run": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#check-run-event-check_run", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the check_run event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/checks/runs.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": [ "created", "rerequested", "completed", "requested_action" ] - } + }, + "default": [ + "created", + "rerequested", + "completed", + "requested_action" + ] } - }, - "check_suite": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#check-suite-event-check_suite", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the check_suite event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/checks/suites/.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": ["completed", "requested", "rerequested"] - }, - "default": ["completed", "requested", "rerequested"] - } + } + }, + "check_suite": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#check-suite-event-check_suite", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the check_suite event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/checks/suites/.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": ["completed", "requested", "rerequested"] + }, + "default": ["completed", "requested", "rerequested"] } - }, - "create": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#create-event-create", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime someone creates a branch or tag, which triggers the create event. 
For information about the REST API, see https://developer.github.com/v3/git/refs/#create-a-reference." - }, - "delete": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#delete-event-delete", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime someone deletes a branch or tag, which triggers the delete event. For information about the REST API, see https://developer.github.com/v3/git/refs/#delete-a-reference." - }, - "deployment": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#deployment-event-deployment", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime someone creates a deployment, which triggers the deployment event. Deployments created with a commit SHA may not have a Git ref. For information about the REST API, see https://developer.github.com/v3/repos/deployments/." - }, - "deployment_status": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#deployment-status-event-deployment_status", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime a third party provides a deployment status, which triggers the deployment_status event. Deployments created with a commit SHA may not have a Git ref. For information about the REST API, see https://developer.github.com/v3/repos/deployments/#create-a-deployment-status." - }, - "fork": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#fork-event-fork", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime when someone forks a repository, which triggers the fork event. For information about the REST API, see https://developer.github.com/v3/repos/forks/#create-a-fork." 
- }, - "gollum": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#gollum-event-gollum", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow when someone creates or updates a Wiki page, which triggers the gollum event." - }, - "issue_comment": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#issue-comment-event-issue_comment", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the issue_comment event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/issues/comments/.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": ["created", "edited", "deleted"] - }, - "default": ["created", "edited", "deleted"] - } + } + }, + "create": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#create-event-create", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime someone creates a branch or tag, which triggers the create event. For information about the REST API, see https://developer.github.com/v3/git/refs/#create-a-reference." + }, + "delete": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#delete-event-delete", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime someone deletes a branch or tag, which triggers the delete event. For information about the REST API, see https://developer.github.com/v3/git/refs/#delete-a-reference." 
+ }, + "deployment": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#deployment-event-deployment", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime someone creates a deployment, which triggers the deployment event. Deployments created with a commit SHA may not have a Git ref. For information about the REST API, see https://developer.github.com/v3/repos/deployments/." + }, + "deployment_status": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#deployment-status-event-deployment_status", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime a third party provides a deployment status, which triggers the deployment_status event. Deployments created with a commit SHA may not have a Git ref. For information about the REST API, see https://developer.github.com/v3/repos/deployments/#create-a-deployment-status." + }, + "fork": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#fork-event-fork", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime when someone forks a repository, which triggers the fork event. For information about the REST API, see https://developer.github.com/v3/repos/forks/#create-a-fork." + }, + "gollum": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#gollum-event-gollum", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow when someone creates or updates a Wiki page, which triggers the gollum event." 
+ }, + "issue_comment": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#issue-comment-event-issue_comment", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the issue_comment event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/issues/comments/.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": ["created", "edited", "deleted"] + }, + "default": ["created", "edited", "deleted"] } - }, - "issues": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#issues-event-issues", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the issues event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/issues.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": [ - "opened", - "edited", - "deleted", - "transferred", - "pinned", - "unpinned", - "closed", - "reopened", - "assigned", - "unassigned", - "labeled", - "unlabeled", - "locked", - "unlocked", - "milestoned", - "demilestoned" - ] - }, - "default": [ + } + }, + "issues": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#issues-event-issues", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the issues event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/issues.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": [ "opened", "edited", "deleted", 
@@ -472,84 +455,94 @@ "milestoned", "demilestoned" ] - } + }, + "default": [ + "opened", + "edited", + "deleted", + "transferred", + "pinned", + "unpinned", + "closed", + "reopened", + "assigned", + "unassigned", + "labeled", + "unlabeled", + "locked", + "unlocked", + "milestoned", + "demilestoned" + ] } - }, - "label": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#label-event-label", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the label event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/issues/labels/.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": ["created", "edited", "deleted"] - }, - "default": ["created", "edited", "deleted"] - } + } + }, + "label": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#label-event-label", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the label event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/issues/labels/.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": ["created", "edited", "deleted"] + }, + "default": ["created", "edited", "deleted"] } - }, - "member": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#member-event-member", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the member event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/repos/collaborators/.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": ["added", "edited", "deleted"] - }, - "default": ["added", "edited", "deleted"] - } + } + }, + "member": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#member-event-member", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the member event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/repos/collaborators/.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": ["added", "edited", "deleted"] + }, + "default": ["added", "edited", "deleted"] } - }, - "milestone": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#milestone-event-milestone", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the milestone event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/issues/milestones/.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": ["created", "closed", "opened", "edited", "deleted"] - }, - "default": [ - "created", - "closed", - "opened", - "edited", - "deleted" - ] - } + } + }, + "milestone": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#milestone-event-milestone", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the milestone event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/issues/milestones/.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": ["created", "closed", "opened", "edited", "deleted"] + }, + "default": [ + "created", + "closed", + "opened", + "edited", + "deleted" + ] } - }, - "page_build": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#page-build-event-page_build", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime someone pushes to a GitHub Pages-enabled branch, which triggers the page_build event. For information about the REST API, see https://developer.github.com/v3/repos/pages/." - }, - "project": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#project-event-project", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the project event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/projects/.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": [ - "created", - "updated", - "closed", - "reopened", - "edited", - "deleted" - ] - }, - "default": [ + } + }, + "page_build": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#page-build-event-page_build", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime someone pushes to a GitHub Pages-enabled branch, which triggers the page_build event. For information about the REST API, see https://developer.github.com/v3/repos/pages/." 
+ }, + "project": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#project-event-project", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the project event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/projects/.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": [ "created", "updated", "closed", 
@@ -557,157 +550,216 @@ "edited", "deleted" ] - } + }, + "default": [ + "created", + "updated", + "closed", + "reopened", + "edited", + "deleted" + ] } - }, - "project_card": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#project-card-event-project_card", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the project_card event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/projects/cards.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": [ - "created", - "moved", - "converted", - "edited", - "deleted" - ] - }, - "default": [ + } + }, + "project_card": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#project-card-event-project_card", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the project_card event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/projects/cards.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": [ "created", "moved", "converted", "edited", "deleted" ] - } + }, + "default": [ + "created", + "moved", + "converted", + "edited", + "deleted" + ] + } + } + }, + "project_column": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#project-column-event-project_column", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the project_column event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/projects/columns.",
+ "properties": {
+ "types": {
+ "$ref": "#/definitions/types",
+ "items": {
+ "type": "string",
+ "enum": ["created", "updated", "moved", "deleted"]
+ },
+ "default": ["created", "updated", "moved", "deleted"]
+ }
+ }
+ },
+ "public": {
+ "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#public-event-public",
+ "$ref": "#/definitions/eventObject",
+ "description": "Runs your workflow anytime someone makes a private repository public, which triggers the public event. For information about the REST API, see https://developer.github.com/v3/repos/#edit."
+ },
+ "pull_request": {
+ "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#pull-request-event-pull_request",
+ "$ref": "#/definitions/ref",
+ "description": "Runs your workflow anytime the pull_request event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/pulls.\nNote: Workflows do not run on private base repositories when you open a pull request from a forked repository.\nWhen you create a pull request from a forked repository to the base repository, GitHub sends the pull_request event to the base repository and no pull request events occur on the forked repository.\nWorkflows don't run on forked repositories by default. You must enable GitHub Actions in the Actions tab of the forked repository.\nThe permissions for the GITHUB_TOKEN in forked repositories is read-only.
For more information about the GITHUB_TOKEN, see https://help.github.com/en/articles/virtual-environments-for-github-actions.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": [ + "assigned", + "unassigned", + "labeled", + "unlabeled", + "opened", + "edited", + "closed", + "reopened", + "synchronize", + "ready_for_review", + "locked", + "unlocked", + "review_requested", + "review_request_removed" + ] + }, + "default": ["opened", "synchronize", "reopened"] } }, - "project_column": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#project-column-event-project_column", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the project_column event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/projects/columns.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": ["created", "updated", "moved", "deleted"] - }, - "default": ["created", "updated", "moved", "deleted"] - } + "patternProperties": { + "^(branche|tag|path)s(-ignore)?$": { + "type": "array" } }, - "public": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#public-event-public", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime someone makes a private repository public, which triggers the public event. For information about the REST API, see https://developer.github.com/v3/repos/#edit." 
+ "additionalProperties": false
+ },
+ "pull_request_review": {
+ "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#pull-request-review-event-pull_request_review",
+ "$ref": "#/definitions/eventObject",
+ "description": "Runs your workflow anytime the pull_request_review event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/pulls/reviews.\nNote: Workflows do not run on private base repositories when you open a pull request from a forked repository.\nWhen you create a pull request from a forked repository to the base repository, GitHub sends the pull_request event to the base repository and no pull request events occur on the forked repository.\nWorkflows don't run on forked repositories by default. You must enable GitHub Actions in the Actions tab of the forked repository.\nThe permissions for the GITHUB_TOKEN in forked repositories is read-only. For more information about the GITHUB_TOKEN, see https://help.github.com/en/articles/virtual-environments-for-github-actions.",
+ "properties": {
+ "types": {
+ "$ref": "#/definitions/types",
+ "items": {
+ "type": "string",
+ "enum": ["submitted", "edited", "dismissed"]
+ },
+ "default": ["submitted", "edited", "dismissed"]
+ }
+ }
+ },
+ "pull_request_review_comment": {
+ "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#pull-request-review-comment-event-pull_request_review_comment",
+ "$ref": "#/definitions/eventObject",
+ "description": "Runs your workflow anytime a comment on a pull request's unified diff is modified, which triggers the pull_request_review_comment event. More than one activity type triggers this event.
For information about the REST API, see https://developer.github.com/v3/pulls/comments.\nNote: Workflows do not run on private base repositories when you open a pull request from a forked repository.\nWhen you create a pull request from a forked repository to the base repository, GitHub sends the pull_request event to the base repository and no pull request events occur on the forked repository.\nWorkflows don't run on forked repositories by default. You must enable GitHub Actions in the Actions tab of the forked repository.\nThe permissions for the GITHUB_TOKEN in forked repositories is read-only. For more information about the GITHUB_TOKEN, see https://help.github.com/en/articles/virtual-environments-for-github-actions.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": ["created", "edited", "deleted"] + }, + "default": ["created", "edited", "deleted"] + } + } + }, + "push": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#push-event-push", + "description": "Runs your workflow when someone pushes to a repository branch, which triggers the push event.\nNote: The webhook payload available to GitHub Actions does not include the added, removed, and modified attributes in the commit object. You can retrieve the full commit object using the REST API. For more information, see https://developer.github.com/v3/repos/commits/#get-a-single-commit.", + "type": "object", + "$ref": "#/definitions/ref", + "patternProperties": { + "^(branche|tag|path)s(-ignore)?$": { + "type": "array", + "items" : { + "type" : "string" + } + } }, - "pull_request": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#pull-request-event-pull_request", - "$ref": "#/definitions/ref", - "description": "Runs your workflow anytime the pull_request event occurs. 
More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/pulls.\nNote: Workflows do not run on private base repositories when you open a pull request from a forked repository.\nWhen you create a pull request from a forked repository to the base repository, GitHub sends the pull_request event to the base repository and no pull request events occur on the forked repository.\nWorkflows don't run on forked repositories by default. You must enable GitHub Actions in the Actions tab of the forked repository.\nThe permissions for the GITHUB_TOKEN in forked repositories is read-only. For more information about the GITHUB_TOKEN, see https://help.github.com/en/articles/virtual-environments-for-github-actions.",
- "properties": {
- "types": {
- "$ref": "#/definitions/types",
- "items": {
- "type": "string",
- "enum": [
- "assigned",
- "unassigned",
- "labeled",
- "unlabeled",
- "opened",
- "edited",
- "closed",
- "reopened",
- "synchronize",
- "ready_for_review",
- "locked",
- "unlocked",
- "review_requested",
- "review_request_removed"
- ]
- },
- "default": ["opened", "synchronize", "reopened"]
- }
- },
- "patternProperties": {
+ "additionalProperties": false
+ },
+ "pull_request_target": {
+ "$comment": "https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target",
+ "$ref": "#/definitions/ref",
+ "additionalProperties": false,
+ "description": "This event is similar to pull_request, except that it runs in the context of the base repository of the pull request, rather than in the merge commit. This means that you can more safely make your secrets available to the workflows triggered by the pull request, because only workflows defined in the commit on the base repository are run.
For example, this event allows you to create workflows that label and comment on pull requests, based on the contents of the event payload.", + "patternProperties": { "^(branche|tag|path)s(-ignore)?$": { - "type": "array" } - }, - "additionalProperties": false }, - "pull_request_review": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#pull-request-review-event-pull_request_review", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the pull_request_review event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/pulls/reviews.\nNote: Workflows do not run on private base repositories when you open a pull request from a forked repository.\nWhen you create a pull request from a forked repository to the base repository, GitHub sends the pull_request event to the base repository and no pull request events occur on the forked repository.\nWorkflows don't run on forked repositories by default. You must enable GitHub Actions in the Actions tab of the forked repository.\nThe permissions for the GITHUB_TOKEN in forked repositories is read-only. 
For more information about the GITHUB_TOKEN, see https://help.github.com/en/articles/virtual-environments-for-github-actions.", - "properties": { + "properties": { "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": ["submitted", "edited", "dismissed"] - }, - "default": ["submitted", "edited", "dismissed"] + "$ref": "#/definitions/types", + "default": [ + "opened", + "synchronize", + "reopened" + ], + "items": { + "enum": [ + "assigned", + "unassigned", + "labeled", + "unlabeled", + "opened", + "edited", + "closed", + "reopened", + "synchronize", + "ready_for_review", + "locked", + "unlocked", + "review_requested", + "review_request_removed" + ], + "type": "string" + } } - } - }, - "pull_request_review_comment": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#pull-request-review-comment-event-pull_request_review_comment", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime a comment on a pull request's unified diff is modified, which triggers the pull_request_review_comment event. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/pulls/comments.\nNote: Workflows do not run on private base repositories when you open a pull request from a forked repository.\nWhen you create a pull request from a forked repository to the base repository, GitHub sends the pull_request event to the base repository and no pull request events occur on the forked repository.\nWorkflows don't run on forked repositories by default. You must enable GitHub Actions in the Actions tab of the forked repository.\nThe permissions for the GITHUB_TOKEN in forked repositories is read-only. 
For more information about the GITHUB_TOKEN, see https://help.github.com/en/articles/virtual-environments-for-github-actions.", - "properties": { + } + }, + "registry_package": { + "$comment": "https://help.github.com/en/actions/reference/events-that-trigger-workflows#registry-package-event-registry_package", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime a package is published or updated. For more information, see https://help.github.com/en/github/managing-packages-with-github-packages.", + "properties": { "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": ["created", "edited", "deleted"] - }, - "default": ["created", "edited", "deleted"] - } - } - }, - "push": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#push-event-push", - "description": "Runs your workflow when someone pushes to a repository branch, which triggers the push event.\nNote: The webhook payload available to GitHub Actions does not include the added, removed, and modified attributes in the commit object. You can retrieve the full commit object using the REST API. For more information, see https://developer.github.com/v3/repos/commits/#get-a-single-commit.", - "type": "object", - "$ref": "#/definitions/ref", - "patternProperties": { - "^(branche|tag|path)s(-ignore)?$": { - "type": "array", - "items" : { - "type" : "string" + "$ref": "#/definitions/types", + "default": [ + "published", + "updated" + ], + "items": { + "enum": [ + "published", + "updated" + ], + "type": "string" } } - }, - "additionalProperties": false - }, - "release": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#release-event-release", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the release event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/repos/releases/.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": [ - "published", - "unpublished", - "created", - "edited", - "deleted", - "prereleased", - "released" - ] - }, - "default": [ + } + }, + "release": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#release-event-release", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the release event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/repos/releases/.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": [ "published", "unpublished", "created", 
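Review bot: The new `pull_request_target` entry leaves its `^(branche|tag|path)s(-ignore)?$` pattern property as an empty schema, so a scalar `branches: main` or `paths-ignore: docs` validates there while `push` and `pull_request` in the same hunk require an array; give it the same constraint as `push`, `"^(branche|tag|path)s(-ignore)?$": { "type": "array", "items": { "type": "string" } }`. The description for that trigger should also spell out the consequence of the base-repository context: the workflow receives the repository's secrets and, per GitHub's documentation, a write-capable GITHUB_TOKEN, so a sentence such as `Workflows using this trigger must not build or execute code taken from the pull request head.` would give schema consumers the mitigation alongside the promise of safety. The `pull_request_target` and `registry_package` `types` objects also list `default` before `items` while every sibling lists `items` first, which is harmless but inconsistent with the rest of the file.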
@@ -716,395 +768,477 @@ "prereleased", "released" ] - } + }, + "default": [ + "published", + "unpublished", + "created", + "edited", + "deleted", + "prereleased", + "released" + ] } + } + }, + "status": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#status-event-status", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the status of a Git commit changes, which triggers the status event. For information about the REST API, see https://developer.github.com/v3/repos/statuses/." + }, + "watch": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#watch-event-watch", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the watch event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/activity/starring/." + }, + "repository_dispatch": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#external-events-repository_dispatch", + "$ref": "#/definitions/eventObject", + "description": "You can use the GitHub API to trigger a webhook event called repository_dispatch when you want to trigger a workflow for activity that happens outside of GitHub. For more information, see https://developer.github.com/v3/repos/#create-a-repository-dispatch-event.\nTo trigger the custom repository_dispatch webhook event, you must send a POST request to a GitHub API endpoint and provide an event_type name to describe the activity type. To trigger a workflow run, you must also configure your workflow to use the repository_dispatch event." 
+ }, + "schedule": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#scheduled-events-schedule", + "description": "You can schedule a workflow to run at specific UTC times using POSIX cron syntax (https://pubs.opengroup.org/onlinepubs/9699919799/utilities/crontab.html#tag_20_25_07). Scheduled workflows run on the latest commit on the default or base branch. The shortest interval you can run scheduled workflows is once every 5 minutes.\nNote: GitHub Actions does not support the non-standard syntax @yearly, @monthly, @weekly, @daily, @hourly, and @reboot.\nYou can use crontab guru (https://crontab.guru/). to help generate your cron syntax and confirm what time it will run. To help you get started, there is also a list of crontab guru examples (https://crontab.guru/examples.html).", + "type": "array", + "items": { + "type": "object", + "properties": { + "cron": { + "$comment": "https://stackoverflow.com/a/57639657/4044345", + "oneOf": [ + { + "pattern": "cron-(.)+" + } + ] + } + }, + "additionalProperties": false }, - "status": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#status-event-status", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the status of a Git commit changes, which triggers the status event. For information about the REST API, see https://developer.github.com/v3/repos/statuses/." - }, - "watch": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#watch-event-watch", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the watch event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/activity/starring/." 
- },
- "repository_dispatch": {
- "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#external-events-repository_dispatch",
- "$ref": "#/definitions/eventObject",
- "description": "You can use the GitHub API to trigger a webhook event called repository_dispatch when you want to trigger a workflow for activity that happens outside of GitHub. For more information, see https://developer.github.com/v3/repos/#create-a-repository-dispatch-event.\nTo trigger the custom repository_dispatch webhook event, you must send a POST request to a GitHub API endpoint and provide an event_type name to describe the activity type. To trigger a workflow run, you must also configure your workflow to use the repository_dispatch event."
- },
- "schedule": {
- "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#scheduled-events-schedule",
- "description": "You can schedule a workflow to run at specific UTC times using POSIX cron syntax (https://pubs.opengroup.org/onlinepubs/9699919799/utilities/crontab.html#tag_20_25_07). Scheduled workflows run on the latest commit on the default or base branch. The shortest interval you can run scheduled workflows is once every 5 minutes.\nNote: GitHub Actions does not support the non-standard syntax @yearly, @monthly, @weekly, @daily, @hourly, and @reboot.\nYou can use crontab guru (https://crontab.guru/). to help generate your cron syntax and confirm what time it will run. To help you get started, there is also a list of crontab guru examples (https://crontab.guru/examples.html).",
- "type": "array",
- "items": {
+ "minItems": 1,
+ "additionalItems": false
+ },
+ "workflow_dispatch": {
+ "$comment": "https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/",
+ "description": "You can now create workflows that are manually triggered with the new workflow_dispatch event.
You will then see a 'Run workflow' button on the Actions tab, enabling you to easily trigger a run.", + "properties": { + "inputs": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/metadata-syntax-for-github-actions#inputs", + "description": "Input parameters allow you to specify data that the action expects to use during runtime. GitHub stores input parameters as environment variables. Input ids with uppercase letters are converted to lowercase during runtime. We recommended using lowercase input ids.", "type": "object", - "properties": { - "cron": { - "$comment": "https://stackoverflow.com/a/57639657/4044345", - "oneOf": [ - { - "pattern": "cron-(.)+" - }, - { - "type": "string", - "pattern": "^(((\\d+,)+\\d+|((\\d+|\\*)\\/\\d+)|(\\d+-\\d+)|\\d+|\\*) ?){5,7}$" - } - ] + "patternProperties": { + "^[_a-zA-Z][a-zA-Z0-9_-]*$": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/metadata-syntax-for-github-actions#inputsinput_id", + "description": "A string identifier to associate with the input. The value of is a map of the input's metadata. The must be a unique identifier within the inputs object. The must start with a letter or _ and contain only alphanumeric characters, -, or _.", + "type": "object", + "properties": { + "description": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/metadata-syntax-for-github-actions#inputsinput_iddescription", + "description": "A string description of the input parameter.", + "type": "string" + }, + "deprecationMessage": { + "description": "A string shown to users using the deprecated input.", + "type": "string" + }, + "required": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/metadata-syntax-for-github-actions#inputsinput_idrequired", + "description": "A boolean to indicate whether the action requires the input parameter. 
Set to true when the parameter is required.", + "type": "boolean" + }, + "default": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/metadata-syntax-for-github-actions#inputsinput_iddefault", + "description": "A string representing the default value. The default value is used when an input parameter isn't specified in a workflow file.", + "type": "string" + } + }, + "required": [ + "description", + "required" + ], + "additionalProperties": false } }, "additionalProperties": false - }, - "minItems": 1, - "additionalItems": false + } } }, - "additionalProperties": false - } - ] - }, - "env": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#env", - "$ref": "#/definitions/env", - "description": "A map of environment variables that are available to all jobs and steps in the workflow." - }, - "defaults": { - "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#defaults", - "$ref": "#/definitions/defaults", - "description": "A map of default settings that will apply to all jobs in the workflow." - }, - "jobs": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobs", - "description": "A workflow run is made up of one or more jobs. Jobs run in parallel by default. To run jobs sequentially, you can define dependencies on other jobs using the jobs..needs keyword.\nEach job runs in a fresh instance of the virtual environment specified by runs-on.\nYou can run an unlimited number of jobs as long as you are within the workflow usage limits. 
For more information, see https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#usage-limits.", - "type": "object", - "patternProperties": { - "^[_a-zA-Z][a-zA-Z0-9_-]*$": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_id", - "description": "Each job must have an id to associate with the job. The key job_id is a string and its value is a map of the job's configuration data. You must replace with a string that is unique to the jobs object. The must start with a letter or _ and contain only alphanumeric characters, -, or _.", - "type": "object", - "properties": { - "name": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idname", - "description": "The name of the job displayed on GitHub.", - "type": "string" - }, - "needs": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idneeds", - "description": "Identifies any jobs that must complete successfully before this job will run. It can be a string or array of strings. 
If a job fails, all jobs that need it are skipped unless the jobs use a conditional statement that causes the job to continue.", - "oneOf": [ - { - "type": "array", - "items": { - "$ref": "#/definitions/name" - }, - "minItems": 1, - "additionalItems": false - }, - { - "$ref": "#/definitions/name" - } - ] - }, - "permissions" : { - "$comment": "https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idpermissions", - "description": "You can modify the default permissions granted to the GITHUB_TOKEN, adding or removing access as required, so that you only allow the minimum required access", - "oneOf": [ - { - "const": "read-all|write-all" - }, - { - "type" : "object", - "$ref": "#/definitions/gitpermissions" - } - ] - }, - "runs-on": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idruns-on", - "description": "The type of machine to run the job on. The machine can be either a GitHub-hosted runner, or a self-hosted runner.", - "oneOf": [ - { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#github-hosted-runners", + "workflow_run": { + "$comment": "https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_run", + "$ref": "#/definitions/eventObject", + "description": "This event occurs when a workflow run is requested or completed, and allows you to execute a workflow based on the finished result of another workflow. 
For example, if your pull_request workflow generates build artifacts, you can create a new workflow that uses workflow_run to analyze the results and add a comment to the original pull request.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { "type": "string", "enum": [ - "${{ matrix.os }}", - "macos-latest", - "macos-10.15", - "self-hosted", - "ubuntu-16.04", - "ubuntu-18.04", - "ubuntu-latest", - "windows-latest", - "windows-2019" + "requested", + "completed" ] }, + "default": [ + "requested", + "completed" + ] + }, + "workflows": { + "type": "array", + "items": { + "type": "string" + }, + "minItems": 1 + } + }, + "patternProperties": { + "^branches(-ignore)?$": {} + } + } + }, + "additionalProperties": false + } + ] + }, + "env": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#env", + "$ref": "#/definitions/env", + "description": "A map of environment variables that are available to all jobs and steps in the workflow." + }, + "defaults": { + "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#defaults", + "$ref": "#/definitions/defaults", + "description": "A map of default settings that will apply to all jobs in the workflow." + }, + "jobs": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobs", + "description": "A workflow run is made up of one or more jobs. Jobs run in parallel by default. To run jobs sequentially, you can define dependencies on other jobs using the jobs..needs keyword.\nEach job runs in a fresh instance of the virtual environment specified by runs-on.\nYou can run an unlimited number of jobs as long as you are within the workflow usage limits. 
For more information, see https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#usage-limits.", + "type": "object", + "patternProperties": { + "^[_a-zA-Z][a-zA-Z0-9_-]*$": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_id", + "description": "Each job must have an id to associate with the job. The key job_id is a string and its value is a map of the job's configuration data. You must replace with a string that is unique to the jobs object. The must start with a letter or _ and contain only alphanumeric characters, -, or _.", + "type": "object", + "properties": { + "name": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idname", + "description": "The name of the job displayed on GitHub.", + "type": "string" + }, + "needs": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idneeds", + "description": "Identifies any jobs that must complete successfully before this job will run. It can be a string or array of strings. 
If a job fails, all jobs that need it are skipped unless the jobs use a conditional statement that causes the job to continue.", + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/name" + }, + "minItems": 1, + "additionalItems": false + }, + { + "$ref": "#/definitions/name" + } + ] + }, + "permissions" : { + "$comment": "https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idpermissions", + "description": "You can modify the default permissions granted to the GITHUB_TOKEN, adding or removing access as required, so that you only allow the minimum required access", + "oneOf": [ { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#self-hosted-runners", - "type": "array", - "oneOf": [ - { - "items": [ - { - "const": "self-hosted" - } - ] - }, - { - "items": [ - { - "const": "self-hosted" - }, - { - "$ref": "#/definitions/machine" - } - ] - }, - { - "items": [ - { - "const": "self-hosted" - }, - { - "$ref": "#/definitions/architecture" - } - ] - }, - { - "items": [ - { - "const": "self-hosted" - }, - { - "$ref": "#/definitions/machine" - }, - { - "$ref": "#/definitions/architecture" - } - ] - }, - { - "items": [ - { - "const": "self-hosted" - }, - { - "$ref": "#/definitions/architecture" - }, - { - "$ref": "#/definitions/machine" - } - ] - } - ], - "additionalItems": false + "const": "read-all|write-all" + }, + { + "type" : "object", + "$ref": "#/definitions/gitpermissions" } - ] - }, - "outputs": { - "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjobs_idoutputs", - "description": "A map of outputs for a job. 
Job outputs are available to all downstream jobs that depend on this job.", - "type": "object", - "additionalProperties": { - "type": "string" + ] + }, + "runs-on": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idruns-on", + "description": "The type of machine to run the job on. The machine can be either a GitHub-hosted runner, or a self-hosted runner.", + "oneOf": [ + { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#github-hosted-runners", + "type": "string", + "enum": [ + "${{ matrix.os }}", + "macos-latest", + "macos-10.15", + "self-hosted", + "ubuntu-16.04", + "ubuntu-18.04", + "ubuntu-latest", + "windows-latest", + "windows-2019" + ] }, - "minProperties": 1 - }, - "environment": { - "$comment": "https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idenvironment", - "$ref": "#/definitions/environment", - "description": "The environment that the job references" - }, - "env": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idenv", - "$ref": "#/definitions/env", - "description": "A map of environment variables that are available to all steps in the job." - }, - "defaults": { - "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_iddefaults", - "$ref": "#/definitions/defaults", - "description": "A map of default settings that will apply to all steps in the job." - }, - "if": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idif", - "description": "You can use the if conditional to prevent a job from running unless a condition is met. 
You can use any supported context and expression to create a conditional.\nExpressions in an if conditional do not require the ${{ }} syntax. For more information, see https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.", - "type": "string" - }, - "steps": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idsteps", - "description": "A job contains a sequence of tasks called steps. Steps can run commands, run setup tasks, or run an action in your repository, a public repository, or an action published in a Docker registry. Not all steps run actions, but all actions run as a step. Each step runs in its own process in the virtual environment and has access to the workspace and filesystem. Because steps run in their own process, changes to environment variables are not preserved between steps. GitHub provides built-in steps to set up and complete a job.\n", - "type": "array", - "items": { - "type": "object", - "properties": { - "id": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsid", - "description": "A unique identifier for the step. You can use the id to reference the step in contexts. For more information, see https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.", - "type": "string" - }, - "if": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsif", - "description": "You can use the if conditional to prevent a step from running unless a condition is met. You can use any supported context and expression to create a conditional.\nExpressions in an if conditional do not require the ${{ }} syntax. 
For more information, see https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.", - "type": "string" - }, - "name": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsname", - "description": "A name for your step to display on GitHub.", - "type": "string" - }, - "uses": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsuses", - "description": "Selects an action to run as part of a step in your job. An action is a reusable unit of code. You can use an action defined in the same repository as the workflow, a public repository, or in a published Docker container image (https://hub.docker.com/).\nWe strongly recommend that you include the version of the action you are using by specifying a Git ref, SHA, or Docker tag number. If you don't specify a version, it could break your workflows or cause unexpected behavior when the action owner publishes an update.\n- Using the commit SHA of a released action version is the safest for stability and security.\n- Using the specific major action version allows you to receive critical fixes and security patches while still maintaining compatibility. It also assures that your workflow should still work.\n- Using the master branch of an action may be convenient, but if someone releases a new major version with a breaking change, your workflow could break.\nSome actions require inputs that you must set using the with keyword. Review the action's README file to determine the inputs required.\nActions are either JavaScript files or Docker containers. If the action you're using is a Docker container you must run the job in a Linux virtual environment. 
For more details, see https://help.github.com/en/articles/virtual-environments-for-github-actions.", - "type": "string" + { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#self-hosted-runners", + "type": "array", + "oneOf": [ + { + "items": [ + { + "const": "self-hosted" + } + ] }, - "run": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsrun", - "description": "Runs command-line programs using the operating system's shell. If you do not provide a name, the step name will default to the text specified in the run command.\nCommands run using non-login shells by default. You can choose a different shell and customize the shell used to run commands. For more information, see https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#using-a-specific-shell.\nEach run keyword represents a new process and shell in the virtual environment. When you provide multi-line commands, each line runs in the same shell.", - "type": "string" + { + "items": [ + { + "const": "self-hosted" + }, + { + "$ref": "#/definitions/machine" + } + ] }, - "working-directory": { - "$ref": "#/definitions/working-directory" + { + "items": [ + { + "const": "self-hosted" + }, + { + "$ref": "#/definitions/architecture" + } + ] }, - "shell": { - "$ref": "#/definitions/shell" + { + "items": [ + { + "const": "self-hosted" + }, + { + "$ref": "#/definitions/machine" + }, + { + "$ref": "#/definitions/architecture" + } + ] }, - "with": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepswith", - "$ref": "#/definitions/env", - "description": "A map of the input parameters defined by the action. Each input parameter is a key/value pair. Input parameters are set as environment variables. 
The variable is prefixed with INPUT_ and converted to upper case.", - "properties": { - "args": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepswithargs", - "type": "string" + { + "items": [ + { + "const": "self-hosted" }, - "entrypoint": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepswithentrypoint", - "type": "string" + { + "$ref": "#/definitions/architecture" + }, + { + "$ref": "#/definitions/machine" } + ] + } + ], + "additionalItems": false + } + ] + }, + "outputs": { + "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjobs_idoutputs", + "description": "A map of outputs for a job. Job outputs are available to all downstream jobs that depend on this job.", + "type": "object", + "additionalProperties": { + "type": "string" + }, + "minProperties": 1 + }, + "environment": { + "$comment": "https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idenvironment", + "$ref": "#/definitions/environment", + "description": "The environment that the job references" + }, + "env": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idenv", + "$ref": "#/definitions/env", + "description": "A map of environment variables that are available to all steps in the job." + }, + "defaults": { + "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_iddefaults", + "$ref": "#/definitions/defaults", + "description": "A map of default settings that will apply to all steps in the job." 
+ }, + "if": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idif", + "description": "You can use the if conditional to prevent a job from running unless a condition is met. You can use any supported context and expression to create a conditional.\nExpressions in an if conditional do not require the ${{ }} syntax. For more information, see https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.", + "type": "string" + }, + "steps": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idsteps", + "description": "A job contains a sequence of tasks called steps. Steps can run commands, run setup tasks, or run an action in your repository, a public repository, or an action published in a Docker registry. Not all steps run actions, but all actions run as a step. Each step runs in its own process in the virtual environment and has access to the workspace and filesystem. Because steps run in their own process, changes to environment variables are not preserved between steps. GitHub provides built-in steps to set up and complete a job.\n", + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsid", + "description": "A unique identifier for the step. You can use the id to reference the step in contexts. For more information, see https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.", + "type": "string" + }, + "if": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsif", + "description": "You can use the if conditional to prevent a step from running unless a condition is met. 
You can use any supported context and expression to create a conditional.\nExpressions in an if conditional do not require the ${{ }} syntax. For more information, see https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.", + "type": "string" + }, + "name": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsname", + "description": "A name for your step to display on GitHub.", + "type": "string" + }, + "uses": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsuses", + "description": "Selects an action to run as part of a step in your job. An action is a reusable unit of code. You can use an action defined in the same repository as the workflow, a public repository, or in a published Docker container image (https://hub.docker.com/).\nWe strongly recommend that you include the version of the action you are using by specifying a Git ref, SHA, or Docker tag number. If you don't specify a version, it could break your workflows or cause unexpected behavior when the action owner publishes an update.\n- Using the commit SHA of a released action version is the safest for stability and security.\n- Using the specific major action version allows you to receive critical fixes and security patches while still maintaining compatibility. It also assures that your workflow should still work.\n- Using the master branch of an action may be convenient, but if someone releases a new major version with a breaking change, your workflow could break.\nSome actions require inputs that you must set using the with keyword. Review the action's README file to determine the inputs required.\nActions are either JavaScript files or Docker containers. If the action you're using is a Docker container you must run the job in a Linux virtual environment. 
For more details, see https://help.github.com/en/articles/virtual-environments-for-github-actions.", + "type": "string" + }, + "run": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsrun", + "description": "Runs command-line programs using the operating system's shell. If you do not provide a name, the step name will default to the text specified in the run command.\nCommands run using non-login shells by default. You can choose a different shell and customize the shell used to run commands. For more information, see https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#using-a-specific-shell.\nEach run keyword represents a new process and shell in the virtual environment. When you provide multi-line commands, each line runs in the same shell.", + "type": "string" + }, + "working-directory": { + "$ref": "#/definitions/working-directory" + }, + "shell": { + "$ref": "#/definitions/shell" + }, + "with": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepswith", + "$ref": "#/definitions/env", + "description": "A map of the input parameters defined by the action. Each input parameter is a key/value pair. Input parameters are set as environment variables. 
The variable is prefixed with INPUT_ and converted to upper case.", + "properties": { + "args": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepswithargs", + "type": "string" + }, + "entrypoint": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepswithentrypoint", + "type": "string" } - }, - "env": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsenv", - "$ref": "#/definitions/env", - "description": "Sets environment variables for steps to use in the virtual environment. You can also set environment variables for the entire workflow or a job." - }, - "continue-on-error": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error", - "description": "Prevents a job from failing when a step fails. Set to true to allow a job to pass when this step fails.", - "type": "boolean", - "default": false - }, - "timeout-minutes": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepstimeout-minutes", - "description": "The maximum number of minutes to run the step before killing the process.", - "type": "number" } }, - "dependencies": { - "working-directory": ["run"], - "shell": ["run"] + "env": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsenv", + "$ref": "#/definitions/env", + "description": "Sets environment variables for steps to use in the virtual environment. You can also set environment variables for the entire workflow or a job." 
}, - "additionalProperties": false + "continue-on-error": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error", + "description": "Prevents a job from failing when a step fails. Set to true to allow a job to pass when this step fails.", + "type": "boolean", + "default": false + }, + "timeout-minutes": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepstimeout-minutes", + "description": "The maximum number of minutes to run the step before killing the process.", + "type": "number" + } }, - "minItems": 1, - "additionalItems": false - }, - "timeout-minutes": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idtimeout-minutes", - "description": "The maximum number of minutes to let a workflow run before GitHub automatically cancels it. Default: 360", - "type": "number", - "default": 360 + "dependencies": { + "working-directory": ["run"], + "shell": ["run"] + }, + "additionalProperties": false }, - "strategy": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategy", - "description": "A strategy creates a build matrix for your jobs. You can define different variations of an environment to run each job in.", - "type": "object", - "properties": { - "matrix": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix", - "description": "A build matrix is a set of different configurations of the virtual environment. For example you might run a job against more than one supported version of a language, operating system, or tool. 
Each configuration is a copy of the job that runs and reports a status.\nYou can specify a matrix by supplying an array for the configuration options. For example, if the GitHub virtual environment supports Node.js versions 6, 8, and 10 you could specify an array of those versions in the matrix.\nWhen you define a matrix of operating systems, you must set the required runs-on keyword to the operating system of the current job, rather than hard-coding the operating system name. To access the operating system name, you can use the matrix.os context parameter to set runs-on. For more information, see https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.", - "type": "object", - "patternProperties": { - "^(in|ex)clude$": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#example-including-configurations-in-a-matrix-build", - "type": "array", - "items": { - "type": "object", - "additionalProperties": { - "$ref": "#/definitions/configuration" - } - }, - "minItems": 1, - "additionalItems": false - } - }, - "additionalProperties": { + "minItems": 1, + "additionalItems": false + }, + "timeout-minutes": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idtimeout-minutes", + "description": "The maximum number of minutes to let a workflow run before GitHub automatically cancels it. Default: 360", + "type": "number", + "default": 360 + }, + "strategy": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategy", + "description": "A strategy creates a build matrix for your jobs. 
You can define different variations of an environment to run each job in.", + "type": "object", + "properties": { + "matrix": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix", + "description": "A build matrix is a set of different configurations of the virtual environment. For example you might run a job against more than one supported version of a language, operating system, or tool. Each configuration is a copy of the job that runs and reports a status.\nYou can specify a matrix by supplying an array for the configuration options. For example, if the GitHub virtual environment supports Node.js versions 6, 8, and 10 you could specify an array of those versions in the matrix.\nWhen you define a matrix of operating systems, you must set the required runs-on keyword to the operating system of the current job, rather than hard-coding the operating system name. To access the operating system name, you can use the matrix.os context parameter to set runs-on. For more information, see https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.", + "type": "object", + "patternProperties": { + "^(in|ex)clude$": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#example-including-configurations-in-a-matrix-build", "type": "array", "items": { - "$ref": "#/definitions/configuration" + "type": "object", + "additionalProperties": { + "$ref": "#/definitions/configuration" + } }, "minItems": 1, "additionalItems": false - }, - "minProperties": 1 + } }, - "fail-fast": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategyfail-fast", - "description": "When set to true, GitHub cancels all in-progress jobs if any matrix job fails. 
Default: true", - "type": "boolean", - "default": true + "additionalProperties": { + "type": "array", + "items": { + "$ref": "#/definitions/configuration" + }, + "minItems": 1, + "additionalItems": false }, - "max-parallel": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymax-parallel", - "description": "The maximum number of jobs that can run simultaneously when using a matrix job strategy. By default, GitHub will maximize the number of jobs run in parallel depending on the available runners on GitHub-hosted virtual machines.", - "type": "number" - } + "minProperties": 1 }, - "additionalProperties": false + "fail-fast": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategyfail-fast", + "description": "When set to true, GitHub cancels all in-progress jobs if any matrix job fails. Default: true", + "type": "boolean", + "default": true + }, + "max-parallel": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymax-parallel", + "description": "The maximum number of jobs that can run simultaneously when using a matrix job strategy. By default, GitHub will maximize the number of jobs run in parallel depending on the available runners on GitHub-hosted virtual machines.", + "type": "number" + } }, - "continue-on-error": { - "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idcontinue-on-error", - "description": "Prevents a workflow run from failing when a job fails. 
Set to true to allow a workflow run to pass when this job fails.", + "additionalProperties": false + }, + "continue-on-error": { + "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idcontinue-on-error", + "description": "Prevents a workflow run from failing when a job fails. Set to true to allow a workflow run to pass when this job fails.", + "oneOf": [ + { + "type": "boolean" + }, + { + "type": "string" + } + ] + }, + "container": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainer", + "description": "A container to run any steps in a job that don't already specify a container. If you have steps that use both script and container actions, the container actions will run as sibling containers on the same network with the same volume mounts.\nIf you do not set a container, all steps will run directly on the host specified by runs-on unless a step refers to an action configured to run in a container.", + "type": "object", + "additionalProperties": { "oneOf": [ { - "type": "boolean" + "type": "string" }, { - "type": "string" + "$ref": "#/definitions/container" } ] - }, - "container": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainer", - "description": "A container to run any steps in a job that don't already specify a container. 
If you have steps that use both script and container actions, the container actions will run as sibling containers on the same network with the same volume mounts.\nIf you do not set a container, all steps will run directly on the host specified by runs-on unless a step refers to an action configured to run in a container.", - "type": "object", - "additionalProperties": { - "oneOf": [ - { - "type": "string" - }, - { - "$ref": "#/definitions/container" - } - ] - } - }, - "services": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idservices", - "description": "Additional containers to host services for a job in a workflow. These are useful for creating databases or cache services like redis. The runner on the virtual machine will automatically create a network and manage the life cycle of the service containers.\nWhen you use a service container for a job or your step uses container actions, you don't need to set port information to access the service. Docker automatically exposes all ports between containers on the same network.\nWhen both the job and the action run in a container, you can directly reference the container by its hostname. The hostname is automatically mapped to the service name.\nWhen a step does not use a container action, you must access the service using localhost and bind the ports.", - "type": "object", - "additionalProperties": { - "$ref": "#/definitions/container" - } } }, - "required": ["runs-on", "steps"], - "additionalProperties": false - } - }, - "minProperties": 1, - "additionalProperties": false - } - }, - "required": ["on", "jobs"], - "additionalProperties": false - } \ No newline at end of file + "services": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idservices", + "description": "Additional containers to host services for a job in a workflow. 
These are useful for creating databases or cache services like redis. The runner on the virtual machine will automatically create a network and manage the life cycle of the service containers.\nWhen you use a service container for a job or your step uses container actions, you don't need to set port information to access the service. Docker automatically exposes all ports between containers on the same network.\nWhen both the job and the action run in a container, you can directly reference the container by its hostname. The hostname is automatically mapped to the service name.\nWhen a step does not use a container action, you must access the service using localhost and bind the ports.", + "type": "object", + "additionalProperties": { + "$ref": "#/definitions/container" + } + } + }, + "required": ["runs-on", "steps"], + "additionalProperties": false + } + }, + "minProperties": 1, + "additionalProperties": false + } + }, + "required": ["on", "jobs"], + "additionalProperties": false +} \ No newline at end of file From db7bb321d0081adb40c03ba192e812adc02f952c Mon Sep 17 00:00:00 2001 From: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Date: Thu, 22 Jul 2021 15:34:39 +0530 Subject: [PATCH 011/844] Delete manual.yml --- .github/workflows/manual.yml | 18 ------------------ 1 file changed, 18 deletions(-) delete mode 100644 .github/workflows/manual.yml diff --git a/.github/workflows/manual.yml b/.github/workflows/manual.yml deleted file mode 100644 index 3045613d40..0000000000 --- a/.github/workflows/manual.yml +++ /dev/null 
@@ -1,18 +0,0 @@ -name: Aparna Validate This -on: - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - steps: - - name: checkout - uses: actions/checkout@v2 - - name: Setup Node - uses: actions/setup-node@v2 - - name: Run validator - uses: aparna-ravindra/workflow-template-validator@v0.4 - with: - path-to-workflow-yaml: './ci,./automation' - path-to-properties-json: './ci/properties,./automation/properties' - path-to-icons: './icons' From d2451b84c55acdfe57efa7e77486d16d7361a263 Mon Sep 17 00:00:00 2001 From: aparna-ravindra Date: Thu, 22 Jul 2021 15:41:01 +0530 Subject: [PATCH 012/844] merge from main --- ci/maven.yml | 2 +- ci/nix.yml | 29 -- ci/npm-publish.yml | 4 +- ci/properties/nix.properties.json | 6 - ci/python-publish.yml | 17 +- icons/nix.svg | 513 ------------------------------ 6 files changed, 11 insertions(+), 560 deletions(-) delete mode 100644 ci/nix.yml delete mode 100644 ci/properties/nix.properties.json delete mode 100644 icons/nix.svg diff --git a/ci/maven.yml b/ci/maven.yml index 1ae5d62e87..923425b43e 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -22,4 +22,4 @@ jobs: java-version: '11' distribution: 'adopt' - name: Build with Maven - run: mvn --batch-mode --update-snapshots verify + run: mvn -B package --file pom.xml diff --git a/ci/nix.yml b/ci/nix.yml deleted file mode 100644 index b42fe3ea19..0000000000 --- a/ci/nix.yml +++ /dev/null 
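Review bot: The new `run: mvn -B package --file pom.xml` stops the Maven lifecycle at `package`, so anything bound to the `verify` phase that the removed command ran (integration tests, checks configured in the POM) no longer executes in CI. If dropping `--update-snapshots` is the intent, the phase can still be kept: `run: mvn -B --file pom.xml verify`. If stopping at `package` is deliberate, a one-line comment above the step such as `# builds the artifact only; verify-phase checks are not run here` would make that explicit, since the commit description does not mention the change in behaviour.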
@@ -1,29 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. -name: Nix - -on: - push: - branches: [ master ] - pull_request: - branches: [ master ] - -jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2.3.1 - - name: Install Nix - uses: cachix/install-nix-action@95a8068e317b8def9482980abe762f36c77ccc99 - - name: Install Cachix - - uses: cachix/cachix-action@490a246fbc7f92208d309eeb54383a4d828cedc1 - with: - # Once you generate a binary cache on https://app.cachix.org, you'll need to insert the name of the cache here - name: mycache - signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}' - - name: Run nix-build - run: nix-build - - name: Check nix-shell works - run: nix-shell --run "echo OK" \ No newline at end of file diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index 177192bdb1..0701ddb96f 100644 --- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml @@ -30,7 +30,7 @@ jobs: - run: npm ci - run: npm publish env: - NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}} + NODE_AUTH_TOKEN: ${{secrets.npm_token}} publish-gpr: needs: build @@ -47,4 +47,4 @@ jobs: - run: npm ci - run: npm publish env: - NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} + NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} \ No newline at end of file diff --git a/ci/properties/nix.properties.json b/ci/properties/nix.properties.json deleted file mode 100644 index 3a90d75d77..0000000000 --- a/ci/properties/nix.properties.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "name": "Nix", - "description": "Build Nix project", - "iconName": "nix", - "categories": ["Nix"] -} diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 2ac1e53e46..400548b518 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml 
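Review bot: `NODE_AUTH_TOKEN: ${{secrets.npm_token}}` reintroduces a lowercase secret name while the second hunk of the same file keeps `${{secrets.GITHUB_TOKEN}}` in upper case. As far as I know the `secrets` context resolves names case-insensitively, so this is a consistency issue rather than a functional one, but anyone creating the repository secret from this template is now shown two naming styles in one file. Suggest `NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}` to match the convention used for `GITHUB_TOKEN`.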
@@ -26,12 +26,11 @@ jobs: - name: Install dependencies run: | python -m pip install --upgrade pip - pip install setuptools wheel twine - if [ -f requirements.txt ]; then pip install -r requirements.txt; fi - - name: Build and publish - env: - TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }} - TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }} - run: | - python setup.py sdist bdist_wheel - twine upload dist/* + pip install build + - name: Build package + run: python -m build + - name: Publish package + uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29 + with: + user: __token__ + password: ${{ secrets.PYPI_API_TOKEN }} \ No newline at end of file diff --git a/icons/nix.svg b/icons/nix.svg deleted file mode 100644 index 9a70a14739..0000000000 --- a/icons/nix.svg +++ /dev/null @@ -1,513 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - image/svg+xml - - - - - - - - - - - - - - - - - - - - - - - - - - - From db54a4d59bc4f3a133a65a178c26b88b9e18a8a2 Mon Sep 17 00:00:00 2001 From: aparna-ravindra Date: Thu, 22 Jul 2021 15:48:19 +0530 Subject: [PATCH 013/844] fixing runs-on --- ci/r.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/r.yml b/ci/r.yml index efc65874da..f257fbda6b 100644 --- a/ci/r.yml +++ b/ci/r.yml @@ -16,7 +16,7 @@ on: jobs: build: - runs-on: macOS-latest + runs-on: macos-latest strategy: matrix: r-version: [3.5, 3.6] From 648a6f0987aa771c615328c0b885352a2df6d5bc Mon Sep 17 00:00:00 2001 From: aparna-ravindra Date: Thu, 22 Jul 2021 15:54:07 +0530 Subject: [PATCH 014/844] merge from main --- .github/workflows/workflow_input.yml | 30 ---------------------------- 1 file changed, 30 deletions(-) delete mode 100644 .github/workflows/workflow_input.yml diff --git a/.github/workflows/workflow_input.yml b/.github/workflows/workflow_input.yml deleted file mode 100644 index 47f24e11ff..0000000000 --- a/.github/workflows/workflow_input.yml +++ /dev/null 
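Review bot: `uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29` pins the publishing action to a full commit SHA, which is the right choice for a step that receives `secrets.PYPI_API_TOKEN`, but nothing records which release that SHA corresponds to, so maintainers and update tooling cannot tell when it is stale. Suggest annotating it inline: `uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29  # <release tag this SHA corresponds to>`. The `on:` trigger that decides when this publish job runs is outside the hunk, so whether it is restricted to release events could not be checked here.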
@@ -1,30 +0,0 @@ -# This is a basic workflow that is manually triggered - -name: Manual workflow - -# Controls when the action will run. Workflow runs when manually triggered using the UI -# or API. -on: - workflow_dispatch: - # Inputs the workflow accepts. - inputs: - name: - # Friendly description to be shown in the UI instead of 'name' - description: 'Person to greet' - # Default value if no value is explicitly provided - default: 'World' - # Input has to be provided for the workflow to run - required: true - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel -jobs: - # This workflow contains a single job called "greet" - greet: - # The type of runner that the job will run on - runs-on: ubuntu-latest - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Runs a single command using the runners shell - - name: Send greeting - run: echo "Hello ${{ github.event.inputs.name }}" From c13101078d71df6287898a30cbed4c3273d0e9d5 Mon Sep 17 00:00:00 2001 From: aparna-ravindra Date: Mon, 26 Jul 2021 14:26:37 +0530 Subject: [PATCH 015/844] reverting --- ci/npm-publish.yml | 2 +- ci/python-publish.yml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index 0701ddb96f..025976d6e2 100644 --- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml @@ -47,4 +47,4 @@ jobs: - run: npm ci - run: npm publish env: - NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} \ No newline at end of file + NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 400548b518..1c69e34c0a 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -33,4 +33,5 @@ jobs: uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29 with: user: __token__ - password: ${{ secrets.PYPI_API_TOKEN }} \ No newline at end of file + password: ${{ secrets.PYPI_API_TOKEN }} + \ No newline at end of file 
From 461a5663897d7f872b7f8e0d6953c99ced7d73ec Mon Sep 17 00:00:00 2001 From: aparna-ravindra Date: Mon, 26 Jul 2021 14:27:21 +0530 Subject: [PATCH 016/844] reverting --- ci/python-publish.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 1c69e34c0a..3bfabfc125 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -34,4 +34,3 @@ jobs: with: user: __token__ password: ${{ secrets.PYPI_API_TOKEN }} - \ No newline at end of file From e02c6fb241207dd30fef8f344a2df7574ee3db6a Mon Sep 17 00:00:00 2001 From: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Date: Wed, 28 Jul 2021 07:46:24 +0530 Subject: [PATCH 017/844] adding performance measure --- script/validate-data/index.ts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 81048f8e7f..cecaf6b194 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -4,6 +4,7 @@ import { safeLoad } from "js-yaml"; import { basename, extname, join } from "path"; import { Validator as validator } from "jsonschema"; import { endGroup, error, info, setFailed, startGroup } from '@actions/core'; +import { performance } from 'perf_hooks'; interface WorkflowWithErrors { id: string; @@ -98,9 +99,12 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string): Prom (async function main() { try { const settings = require("./settings.json"); + var t0 = performance.now() const erroredWorkflows = await checkWorkflows( settings.folders ) + var t1 = performance.now() + info("Call to checkWorkflows took " + (t1 - t0) + " milliseconds.") if (erroredWorkflows.length > 0) { startGroup(`😟 - Found ${erroredWorkflows.length} workflows with errors:`); From 900a0204646df69c0d0d535eab4c8ef5a151abc6 Mon Sep 17 00:00:00 2001 
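Review bot: `var t0 = performance.now()` and `var t1 = performance.now()` use `var` in a function that otherwise declares with `const` (see `const settings` and `const erroredWorkflows` in the same hunk); neither binding is reassigned, so `const t0 = performance.now()` and `const t1 = performance.now()` keep the style consistent and block-scoped. The message built with `"Call to checkWorkflows took " + (t1 - t0) + " milliseconds."` could use a template literal like the `startGroup` call just below it. The enclosing `main` IIFE continues past the end of the hunk.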
From: fredster33 <64927044+fredster33@users.noreply.github.com> Date: Fri, 13 Aug 2021 17:09:48 -0700 Subject: [PATCH 018/844] Fix typo --- automation/greetings.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/greetings.yml b/automation/greetings.yml index ee1cb11677..fed28b7e76 100644 --- a/automation/greetings.yml +++ b/automation/greetings.yml @@ -12,5 +12,5 @@ jobs: - uses: actions/first-interaction@v1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - issue-message: 'Message that will be displayed on users first issue' - pr-message: 'Message that will be displayed on users first pull request' + issue-message: 'Message that will be displayed on users' first issue' + pr-message: 'Message that will be displayed on users' first pull request' From d8d19f1d62ef5216f0e6b509af17d4a0cc32c3c7 Mon Sep 17 00:00:00 2001 From: aparna-ravindra Date: Mon, 16 Aug 2021 15:36:31 +0530 Subject: [PATCH 019/844] extra validation for name and icon fields --- script/validate-data/index.ts | 84 +++++++++++++++++------------------ 1 file changed, 42 insertions(+), 42 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 162589b3bc..a448e794d6 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -4,10 +4,10 @@ import { safeLoad } from "js-yaml"; import { basename, extname, join } from "path"; import { Validator as validator } from "jsonschema"; import { endGroup, error, info, setFailed, startGroup } from '@actions/core'; -import { performance } from 'perf_hooks'; interface WorkflowWithErrors { id: string; + name: string; errors: string[]; } @@ -21,7 +21,7 @@ interface WorkflowProperties { const propertiesSchema = { type: "object", properties: { - name: { type: "string", required: true }, + name: { type: "string", required: true , "minLength": 1}, description: { type: "string", required: true }, creator: { type: "string", required: false }, iconName: { type: "string", required: true }, 
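Review bot: The new values `issue-message: 'Message that will be displayed on users' first issue'` and `pr-message: 'Message that will be displayed on users' first pull request'` are not valid YAML: a single-quoted scalar ends at the first unpaired `'`, so the parser sees the string ending at `users` followed by stray text and fails to load the workflow. Inside a single-quoted YAML scalar an apostrophe is written as `''`: `issue-message: 'Message that will be displayed on users'' first issue'` and `pr-message: 'Message that will be displayed on users'' first pull request'`.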
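Review bot: `name: string;` is added to `WorkflowWithErrors`, but the `checkWorkflow` hunk further down initialises the field with `name: null` and callers test it with `if(workflowWithErrors.name)`; under `strictNullChecks` that initialiser would not type-check, and even without it the declared type misdescribes the value. Declaring it as `name: string | null;` matches how the field is actually used.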
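Review bot: `name: { type: "string", required: true , "minLength": 1},` mixes a quoted key with the unquoted keys used everywhere else in `propertiesSchema` and has a space before the comma; `name: { type: "string", required: true, minLength: 1 },` keeps the literal consistent with the `description` and `iconName` entries on the neighbouring lines. Note that `minLength: 1` rejects only the empty string, so a name consisting of whitespace still passes the schema.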
@@ -39,9 +39,10 @@ const propertiesSchema = { }, } } + async function checkWorkflows(folders: string[]): Promise { const result: WorkflowWithErrors[] = [] - + const workflow_template_names : string[] = [] for (const folder of folders) { const dir = await fs.readdir(folder, { withFileTypes: true, @@ -54,9 +55,17 @@ async function checkWorkflows(folders: string[]): Promise const workflowFilePath = join(folder, e.name); const propertiesFilePath = join(folder, "properties", `${fileType}.properties.json`) - const errors = await checkWorkflow(workflowFilePath, propertiesFilePath); - if (errors.errors.length > 0) { - result.push(errors) + const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath); + if(workflowWithErrors.name) { + if(workflow_template_names.includes(workflowWithErrors.name)) { + workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) + } + else { + workflow_template_names.push(workflowWithErrors.name) + } + } + if (workflowWithErrors.errors.length > 0) { + result.push(workflowWithErrors) } } } 
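Review bot: `const workflow_template_names : string[] = []` uses snake_case and a space before the type annotation, while the other bindings in this hunk (`workflowFilePath`, `workflowWithErrors`) are camelCase; `const workflowTemplateNames: string[] = []` would match the file's style. The duplicate check also compares names verbatim, so two templates whose names differ only in case or surrounding whitespace are treated as distinct; either a comment stating that this is intended, or a `.trim()` applied before both the `includes` and the `push`, would make the rule explicit. `checkWorkflows` continues past the end of the hunk.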
@@ -65,48 +74,42 @@ async function checkWorkflows(folders: string[]): Promise return result; } -async function validateWorkflowProperties(propertiesPath: string) : Promise { - try { - let errors = [] - const propertiesFileContent = await fs.readFile(propertiesPath, "utf8") - const properties: WorkflowProperties = JSON.parse(propertiesFileContent) - - let v = new validator(); - const res = v.validate(properties, propertiesSchema) - errors = res.errors.map(e => e.toString()) - if (properties.iconName && !properties.iconName.startsWith("octicon")) { - try { - await fs.access(`../../icons/${properties.iconName}.svg`) - } catch (e) { - errors.push(`No icon named ${properties.iconName} found`) - } - } - return errors - } - catch (e) { - throw e - } -} - async function checkWorkflow(workflowPath: string, propertiesPath: string): Promise { let workflowErrors: WorkflowWithErrors = { id: workflowPath, + name: null, errors: [] } try { - workflowErrors.errors = await validateWorkflowProperties(propertiesPath) - const workflowFileContent = await fs.readFile(workflowPath, "utf8"); - const workflow = safeLoad(workflowFileContent); // Validate yaml parses without error - - let workflowValidator = new validator(); - const workflowSchema = require("./workflow-schema.json"); - - const workflowValidationResult = workflowValidator.validate(workflow, workflowSchema) - const workflowValidationErrors = workflowValidationResult.errors.map(e => e.toString()) - workflowErrors.errors = workflowErrors.errors.concat(workflowValidationErrors) + safeLoad(workflowFileContent); // Validate yaml parses without error + + const propertiesFileContent = await fs.readFile(propertiesPath, "utf8") + const properties: WorkflowProperties = JSON.parse(propertiesFileContent) + if(properties.name && properties.name.trim.length > 0) { + workflowErrors.name = properties.name + } + let v = new validator(); + const res = v.validate(properties, propertiesSchema) + workflowErrors.errors = res.errors.map(e => 
e.toString()) + if (properties.iconName) { + if(!properties.iconName.startsWith("octicon ")) { + try { + await fs.access(`../../icons/${properties.iconName}.svg`) + } catch (e) { + workflowErrors.errors.push(`No icon named ${properties.iconName} found`) + } + } + else { + let iconName = properties.iconName.match(/octicon\s+(.*)/) + if(!iconName || !iconName[1] || iconName[1].length == 0) { + workflowErrors.errors.push(`No icon named ${properties.iconName} found`) + } + } + + } } catch (e) { workflowErrors.errors.push(e.toString()) } @@ -116,12 +119,9 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string): Prom (async function main() { try { const settings = require("./settings.json"); - var t0 = performance.now() const erroredWorkflows = await checkWorkflows( settings.folders ) - var t1 = performance.now() - info("Call to checkWorkflows took " + (t1 - t0) + " milliseconds.") if (erroredWorkflows.length > 0) { startGroup(`😟 - Found ${erroredWorkflows.length} workflows with errors:`); From c090ea2f1b31ba57b4e7024200b45435e931cce2 Mon Sep 17 00:00:00 2001 From: aparna-ravindra Date: Mon, 16 Aug 2021 15:42:50 +0530 Subject: [PATCH 020/844] removing unused file --- script/validate-data/index.ts | 2 +- script/validate-data/workflow-schema.json | 1244 --------------------- 2 files changed, 1 insertion(+), 1245 deletions(-) delete mode 100644 script/validate-data/workflow-schema.json diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index a448e794d6..712efe1f41 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -137,4 +137,4 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string): Prom error(`Unhandled error while syncing workflows: ${e}`); setFailed(`Unhandled error`) } -})(); \ No newline at end of file +})(); diff --git a/script/validate-data/workflow-schema.json b/script/validate-data/workflow-schema.json deleted file mode 100644 index b3e7b8c67b..0000000000 
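Review bot: `if(properties.name && properties.name.trim.length > 0)` never calls `trim`: `properties.name.trim` is the function object, and `.length` on a function is its declared arity (0), so the condition is always false, `workflowErrors.name` is never set, and the duplicate-name check added in `checkWorkflows` can never fire. The fix is `if (properties.name && properties.name.trim().length > 0) {`. Separately, the collapsed layout shows `const workflowFileContent = await fs.readFile(workflowPath, "utf8");` with a removal marker while the new `safeLoad(workflowFileContent);` still references it; if that line is really gone the function does not compile, so please confirm it survived as a context line. `checkWorkflow` continues past the end of the hunk.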
--- a/script/validate-data/workflow-schema.json +++ /dev/null 
@@ -1,1244 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-07/schema", - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions", - "definitions": { - "architecture": { - "type": "string", - "enum": ["ARM32", "x64", "x86"] - }, - "branch": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onpushpull_requestbranchestags", - "$ref": "#/definitions/globs", - "description": "When using the push and pull_request events, you can configure a workflow to run on specific branches or tags. If you only define only tags or only branches, the workflow won't run for events affecting the undefined Git ref.\nThe branches, branches-ignore, tags, and tags-ignore keywords accept glob patterns that use the * and ** wildcard characters to match more than one branch or tag name. For more information, see https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet.\nThe patterns defined in branches and tags are evaluated against the Git ref's name. For example, defining the pattern mona/octocat in branches will match the refs/heads/mona/octocat Git ref. The pattern releases/** will match the refs/heads/releases/10 Git ref.\nYou can use two types of filters to prevent a workflow from running on pushes and pull requests to tags and branches:\n- branches or branches-ignore - You cannot use both the branches and branches-ignore filters for the same event in a workflow. Use the branches filter when you need to filter branches for positive matches and exclude branches. Use the branches-ignore filter when you only need to exclude branch names.\n- tags or tags-ignore - You cannot use both the tags and tags-ignore filters for the same event in a workflow. Use the tags filter when you need to filter tags for positive matches and exclude tags. 
Use the tags-ignore filter when you only need to exclude tag names.\nYou can exclude tags and branches using the ! character. The order that you define patterns matters.\n- A matching negative pattern (prefixed with !) after a positive match will exclude the Git ref.\n- A matching positive pattern after a negative match will include the Git ref again." - }, - "configuration": { - "oneOf": [ - { - "type": "string" - }, - { - "type": "number" - }, - { - "type": "object", - "additionalProperties": { - "$ref": "#/definitions/configuration" - } - }, - { - "type": "array", - "items": { - "$ref": "#/definitions/configuration" - }, - "additionalItems": false - } - ] - }, - "container": { - "type": "object", - "properties": { - "image": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainerimage", - "description": "The Docker image to use as the container to run the action. The value can be the Docker Hub image name or a public docker registry name.", - "type": "string" - }, - "env": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainerenv", - "$ref": "#/definitions/env", - "description": "Sets an array of environment variables in the container." - }, - "ports": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainerports", - "description": "Sets an array of ports to expose on the container.", - "type": "array", - "items": { - "oneOf": [ - { - "type": "number" - }, - { - "type": "string" - } - ] - }, - "minItems": 1, - "additionalItems": false - }, - "volumes": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainervolumes", - "description": "Sets an array of volumes for the container to use. 
You can use volumes to share data between services or other steps in a job. You can specify named Docker volumes, anonymous Docker volumes, or bind mounts on the host.\nTo specify a volume, you specify the source and destination path: :\nThe is a volume name or an absolute path on the host machine, and is an absolute path in the container.", - "type": "array", - "items": { - "type": "string", - "pattern": "^[^:]+:[^:]+$" - }, - "minItems": 1, - "additionalItems": false - }, - "options": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontaineroptions", - "description": "Additional Docker container resource options. For a list of options, see https://docs.docker.com/engine/reference/commandline/create/#options.", - "type": "string" - } - }, - "required": ["image"], - "additionalProperties": false - }, - "defaults": { - "type": "object", - "properties": { - "run": { - "type": "object", - "properties": { - "shell": { - "$ref": "#/definitions/shell" - }, - "working-directory": { - "$ref": "#/definitions/working-directory" - } - }, - "minProperties": 1, - "additionalProperties": false - } - }, - "minProperties": 1, - "additionalProperties": false - }, - "env": { - "type": "object", - "additionalProperties": { - "oneOf": [ - { - "type": "string" - }, - { - "type": "number" - }, - { - "type": "boolean" - } - ] - }, - "minProperties": 1 - }, - "environment": { - "oneOf": [ - { - "type": "string" - }, - { - "type": "object", - "properties": { - "name": {"type": "string"}, - "url": {"type": "string"} - } - } - ] - }, - "event": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows", - "type": "string", - "enum": [ - "check_run", - "check_suite", - "create", - "delete", - "deployment", - "deployment_status", - "fork", - "gollum", - "issue_comment", - "issues", - "label", - "member", - "milestone", - "page_build", 
- "project", - "project_card", - "project_column", - "public", - "pull_request", - "pull_request_review", - "pull_request_review_comment", - "push", - "registry_package", - "release", - "status", - "watch", - "repository_dispatch", - "workflow_dispatch", - "workflow_run" - ] - }, - "eventObject": { - "oneOf": [ - { - "type": "object" - }, - { - "type": "null" - } - ], - "additionalProperties": true - }, - "globs": { - "type": "array", - "items": { - "type": "string", - "minLength": 1 - }, - "minItems": 1, - "additionalItems": false - }, - "machine": { - "type": "string", - "enum": ["linux", "macos", "windows"] - }, - "name": { - "type": "string", - "pattern": "^[_a-zA-Z][a-zA-Z0-9_-]*$" - }, - "gitpermissionenums": { - "type": "string", - "enum": [ - "read", - "write", - "none" - ] - }, - "gitpermissions": { - "type": "object", - "properties": { - "actions" : { - "$ref": "#/definitions/gitpermissionenums" - }, - "checks" : { - "$ref": "#/definitions/gitpermissionenums" - }, - "contents": { - "$ref": "#/definitions/gitpermissionenums" - }, - "deployments": { - "$ref": "#/definitions/gitpermissionenums" - }, - "issues": { - "$ref": "#/definitions/gitpermissionenums" - }, - "packages": { - "$ref": "#/definitions/gitpermissionenums" - }, - "pull-requests": { - "$ref": "#/definitions/gitpermissionenums" - }, - "repository-projects": { - "$ref": "#/definitions/gitpermissionenums" - }, - "security-events": { - "$ref": "#/definitions/gitpermissionenums" - }, - "statuses": { - "$ref": "#/definitions/gitpermissionenums" - } - } - }, - "path": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onpushpull_requestpaths", - "$ref": "#/definitions/globs", - "description": "When using the push and pull_request events, you can configure a workflow to run when at least one file does not match paths-ignore or at least one modified file matches the configured paths. 
Path filters are not evaluated for pushes to tags.\nThe paths-ignore and paths keywords accept glob patterns that use the * and ** wildcard characters to match more than one path name. For more information, see https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet.\nYou can exclude paths using two types of filters. You cannot use both of these filters for the same event in a workflow.\n- paths-ignore - Use the paths-ignore filter when you only need to exclude path names.\n- paths - Use the paths filter when you need to filter paths for positive matches and exclude paths." - }, - "ref": { - "properties": { - "branches": { - "$ref": "#/definitions/branch" - }, - "branches-ignore": { - "$ref": "#/definitions/branch" - }, - "tags": { - "$ref": "#/definitions/branch" - }, - "tags-ignore": { - "$ref": "#/definitions/branch" - }, - "paths": { - "$ref": "#/definitions/path" - }, - "paths-ignore": { - "$ref": "#/definitions/path" - } - }, - "oneOf": [ - { - "type": "object", - "allOf": [ - { - "not": { - "required": ["branches", "branches-ignore"] - } - }, - { - "not": { - "required": ["tags", "tags-ignore"] - } - }, - { - "not": { - "required": ["paths", "paths-ignore"] - } - } - ] - }, - { - "type": "null" - } - ] - }, - "shell": { - "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#using-a-specific-shell", - "description": "You can override the default shell settings in the runner's operating system using the shell keyword. 
You can use built-in shell keywords, or you can define a custom set of shell options.", - "type": "string", - "anyOf": [ - { - "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#custom-shell" - }, - { - "enum": ["bash", "pwsh", "python", "sh", "cmd", "powershell"] - } - ] - }, - "types": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onevent_nametypes", - "description": "Selects the types of activity that will trigger a workflow run. Most GitHub events are triggered by more than one type of activity. For example, the event for the release resource is triggered when a release is published, unpublished, created, edited, deleted, or prereleased. The types keyword enables you to narrow down activity that causes the workflow to run. When only one activity type triggers a webhook event, the types keyword is unnecessary.\nYou can use an array of event types. For more information about each event and their activity types, see https://help.github.com/en/articles/events-that-trigger-workflows#webhook-events.", - "type": "array", - "minItems": 1, - "additionalItems": false - }, - "working-directory": { - "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun", - "description": "Using the working-directory keyword, you can specify the working directory of where to run the command.", - "type": "string" - } - }, - "properties": { - "name": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#name", - "description": "The name of your workflow. GitHub displays the names of your workflows on your repository's actions page. 
If you omit this field, GitHub sets the name to the workflow's filename.", - "type": "string" - }, - "on": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#on", - "description": "The name of the GitHub event that triggers the workflow. You can provide a single event string, array of events, array of event types, or an event configuration map that schedules a workflow or restricts the execution of a workflow to specific files, tags, or branch changes. For a list of available events, see https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows.", - "oneOf": [ - { - "$ref": "#/definitions/event" - }, - { - "type": "array", - "items": { - "$ref": "#/definitions/event" - }, - "minItems": 1, - "additionalItems": false - }, - { - "type": "object", - "properties": { - "check_run": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#check-run-event-check_run", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the check_run event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/checks/runs.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": [ - "created", - "rerequested", - "completed", - "requested_action" - ] - }, - "default": [ - "created", - "rerequested", - "completed", - "requested_action" - ] - } - } - }, - "check_suite": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#check-suite-event-check_suite", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the check_suite event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/checks/suites/.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": ["completed", "requested", "rerequested"] - }, - "default": ["completed", "requested", "rerequested"] - } - } - }, - "create": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#create-event-create", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime someone creates a branch or tag, which triggers the create event. For information about the REST API, see https://developer.github.com/v3/git/refs/#create-a-reference." - }, - "delete": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#delete-event-delete", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime someone deletes a branch or tag, which triggers the delete event. For information about the REST API, see https://developer.github.com/v3/git/refs/#delete-a-reference." - }, - "deployment": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#deployment-event-deployment", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime someone creates a deployment, which triggers the deployment event. Deployments created with a commit SHA may not have a Git ref. For information about the REST API, see https://developer.github.com/v3/repos/deployments/." - }, - "deployment_status": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#deployment-status-event-deployment_status", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime a third party provides a deployment status, which triggers the deployment_status event. 
Deployments created with a commit SHA may not have a Git ref. For information about the REST API, see https://developer.github.com/v3/repos/deployments/#create-a-deployment-status." - }, - "fork": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#fork-event-fork", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime when someone forks a repository, which triggers the fork event. For information about the REST API, see https://developer.github.com/v3/repos/forks/#create-a-fork." - }, - "gollum": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#gollum-event-gollum", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow when someone creates or updates a Wiki page, which triggers the gollum event." - }, - "issue_comment": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#issue-comment-event-issue_comment", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the issue_comment event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/issues/comments/.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": ["created", "edited", "deleted"] - }, - "default": ["created", "edited", "deleted"] - } - } - }, - "issues": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#issues-event-issues", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the issues event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/issues.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": [ - "opened", - "edited", - "deleted", - "transferred", - "pinned", - "unpinned", - "closed", - "reopened", - "assigned", - "unassigned", - "labeled", - "unlabeled", - "locked", - "unlocked", - "milestoned", - "demilestoned" - ] - }, - "default": [ - "opened", - "edited", - "deleted", - "transferred", - "pinned", - "unpinned", - "closed", - "reopened", - "assigned", - "unassigned", - "labeled", - "unlabeled", - "locked", - "unlocked", - "milestoned", - "demilestoned" - ] - } - } - }, - "label": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#label-event-label", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the label event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/issues/labels/.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": ["created", "edited", "deleted"] - }, - "default": ["created", "edited", "deleted"] - } - } - }, - "member": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#member-event-member", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the member event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/repos/collaborators/.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": ["added", "edited", "deleted"] - }, - "default": ["added", "edited", "deleted"] - } - } - }, - "milestone": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#milestone-event-milestone", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the milestone event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/issues/milestones/.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": ["created", "closed", "opened", "edited", "deleted"] - }, - "default": [ - "created", - "closed", - "opened", - "edited", - "deleted" - ] - } - } - }, - "page_build": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#page-build-event-page_build", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime someone pushes to a GitHub Pages-enabled branch, which triggers the page_build event. For information about the REST API, see https://developer.github.com/v3/repos/pages/." - }, - "project": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#project-event-project", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the project event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/projects/.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": [ - "created", - "updated", - "closed", - "reopened", - "edited", - "deleted" - ] - }, - "default": [ - "created", - "updated", - "closed", - "reopened", - "edited", - "deleted" - ] - } - } - }, - "project_card": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#project-card-event-project_card", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the project_card event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/projects/cards.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": [ - "created", - "moved", - "converted", - "edited", - "deleted" - ] - }, - "default": [ - "created", - "moved", - "converted", - "edited", - "deleted" - ] - } - } - }, - "project_column": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#project-column-event-project_column", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the project_column event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/projects/columns.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": ["created", "updated", "moved", "deleted"] - }, - "default": ["created", "updated", "moved", "deleted"] - } - } - }, - "public": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#public-event-public", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime someone makes a private repository public, which triggers the public event. For information about the REST API, see https://developer.github.com/v3/repos/#edit." - }, - "pull_request": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#pull-request-event-pull_request", - "$ref": "#/definitions/ref", - "description": "Runs your workflow anytime the pull_request event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/pulls.\nNote: Workflows do not run on private base repositories when you open a pull request from a forked repository.\nWhen you create a pull request from a forked repository to the base repository, GitHub sends the pull_request event to the base repository and no pull request events occur on the forked repository.\nWorkflows don't run on forked repositories by default. You must enable GitHub Actions in the Actions tab of the forked repository.\nThe permissions for the GITHUB_TOKEN in forked repositories is read-only. 
For more information about the GITHUB_TOKEN, see https://help.github.com/en/articles/virtual-environments-for-github-actions.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": [ - "assigned", - "unassigned", - "labeled", - "unlabeled", - "opened", - "edited", - "closed", - "reopened", - "synchronize", - "ready_for_review", - "locked", - "unlocked", - "review_requested", - "review_request_removed" - ] - }, - "default": ["opened", "synchronize", "reopened"] - } - }, - "patternProperties": { - "^(branche|tag|path)s(-ignore)?$": { - "type": "array" - } - }, - "additionalProperties": false - }, - "pull_request_review": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#pull-request-review-event-pull_request_review", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the pull_request_review event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/pulls/reviews.\nNote: Workflows do not run on private base repositories when you open a pull request from a forked repository.\nWhen you create a pull request from a forked repository to the base repository, GitHub sends the pull_request event to the base repository and no pull request events occur on the forked repository.\nWorkflows don't run on forked repositories by default. You must enable GitHub Actions in the Actions tab of the forked repository.\nThe permissions for the GITHUB_TOKEN in forked repositories is read-only. 
For more information about the GITHUB_TOKEN, see https://help.github.com/en/articles/virtual-environments-for-github-actions.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": ["submitted", "edited", "dismissed"] - }, - "default": ["submitted", "edited", "dismissed"] - } - } - }, - "pull_request_review_comment": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#pull-request-review-comment-event-pull_request_review_comment", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime a comment on a pull request's unified diff is modified, which triggers the pull_request_review_comment event. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/pulls/comments.\nNote: Workflows do not run on private base repositories when you open a pull request from a forked repository.\nWhen you create a pull request from a forked repository to the base repository, GitHub sends the pull_request event to the base repository and no pull request events occur on the forked repository.\nWorkflows don't run on forked repositories by default. You must enable GitHub Actions in the Actions tab of the forked repository.\nThe permissions for the GITHUB_TOKEN in forked repositories is read-only. 
For more information about the GITHUB_TOKEN, see https://help.github.com/en/articles/virtual-environments-for-github-actions.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": ["created", "edited", "deleted"] - }, - "default": ["created", "edited", "deleted"] - } - } - }, - "push": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#push-event-push", - "description": "Runs your workflow when someone pushes to a repository branch, which triggers the push event.\nNote: The webhook payload available to GitHub Actions does not include the added, removed, and modified attributes in the commit object. You can retrieve the full commit object using the REST API. For more information, see https://developer.github.com/v3/repos/commits/#get-a-single-commit.", - "type": "object", - "$ref": "#/definitions/ref", - "patternProperties": { - "^(branche|tag|path)s(-ignore)?$": { - "type": "array", - "items" : { - "type" : "string" - } - } - }, - "additionalProperties": false - }, - "pull_request_target": { - "$comment": "https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target", - "$ref": "#/definitions/ref", - "additionalProperties": false, - "description": "This event is similar to pull_request, except that it runs in the context of the base repository of the pull request, rather than in the merge commit. This means that you can more safely make your secrets available to the workflows triggered by the pull request, because only workflows defined in the commit on the base repository are run. 
For example, this event allows you to create workflows that label and comment on pull requests, based on the contents of the event payload.", - "patternProperties": { - "^(branche|tag|path)s(-ignore)?$": { - } - }, - "properties": { - "types": { - "$ref": "#/definitions/types", - "default": [ - "opened", - "synchronize", - "reopened" - ], - "items": { - "enum": [ - "assigned", - "unassigned", - "labeled", - "unlabeled", - "opened", - "edited", - "closed", - "reopened", - "synchronize", - "ready_for_review", - "locked", - "unlocked", - "review_requested", - "review_request_removed" - ], - "type": "string" - } - } - } - }, - "registry_package": { - "$comment": "https://help.github.com/en/actions/reference/events-that-trigger-workflows#registry-package-event-registry_package", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime a package is published or updated. For more information, see https://help.github.com/en/github/managing-packages-with-github-packages.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "default": [ - "published", - "updated" - ], - "items": { - "enum": [ - "published", - "updated" - ], - "type": "string" - } - } - } - }, - "release": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#release-event-release", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the release event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/repos/releases/.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": [ - "published", - "unpublished", - "created", - "edited", - "deleted", - "prereleased", - "released" - ] - }, - "default": [ - "published", - "unpublished", - "created", - "edited", - "deleted", - "prereleased", - "released" - ] - } - } - }, - "status": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#status-event-status", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the status of a Git commit changes, which triggers the status event. For information about the REST API, see https://developer.github.com/v3/repos/statuses/." - }, - "watch": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#watch-event-watch", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the watch event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/activity/starring/." - }, - "repository_dispatch": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#external-events-repository_dispatch", - "$ref": "#/definitions/eventObject", - "description": "You can use the GitHub API to trigger a webhook event called repository_dispatch when you want to trigger a workflow for activity that happens outside of GitHub. For more information, see https://developer.github.com/v3/repos/#create-a-repository-dispatch-event.\nTo trigger the custom repository_dispatch webhook event, you must send a POST request to a GitHub API endpoint and provide an event_type name to describe the activity type. 
To trigger a workflow run, you must also configure your workflow to use the repository_dispatch event." - }, - "schedule": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#scheduled-events-schedule", - "description": "You can schedule a workflow to run at specific UTC times using POSIX cron syntax (https://pubs.opengroup.org/onlinepubs/9699919799/utilities/crontab.html#tag_20_25_07). Scheduled workflows run on the latest commit on the default or base branch. The shortest interval you can run scheduled workflows is once every 5 minutes.\nNote: GitHub Actions does not support the non-standard syntax @yearly, @monthly, @weekly, @daily, @hourly, and @reboot.\nYou can use crontab guru (https://crontab.guru/). to help generate your cron syntax and confirm what time it will run. To help you get started, there is also a list of crontab guru examples (https://crontab.guru/examples.html).", - "type": "array", - "items": { - "type": "object", - "properties": { - "cron": { - "$comment": "https://stackoverflow.com/a/57639657/4044345", - "oneOf": [ - { - "pattern": "cron-(.)+" - } - ] - } - }, - "additionalProperties": false - }, - "minItems": 1, - "additionalItems": false - }, - "workflow_dispatch": { - "$comment": "https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/", - "description": "You can now create workflows that are manually triggered with the new workflow_dispatch event. You will then see a 'Run workflow' button on the Actions tab, enabling you to easily trigger a run.", - "properties": { - "inputs": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/metadata-syntax-for-github-actions#inputs", - "description": "Input parameters allow you to specify data that the action expects to use during runtime. GitHub stores input parameters as environment variables. 
Input ids with uppercase letters are converted to lowercase during runtime. We recommended using lowercase input ids.", - "type": "object", - "patternProperties": { - "^[_a-zA-Z][a-zA-Z0-9_-]*$": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/metadata-syntax-for-github-actions#inputsinput_id", - "description": "A string identifier to associate with the input. The value of is a map of the input's metadata. The must be a unique identifier within the inputs object. The must start with a letter or _ and contain only alphanumeric characters, -, or _.", - "type": "object", - "properties": { - "description": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/metadata-syntax-for-github-actions#inputsinput_iddescription", - "description": "A string description of the input parameter.", - "type": "string" - }, - "deprecationMessage": { - "description": "A string shown to users using the deprecated input.", - "type": "string" - }, - "required": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/metadata-syntax-for-github-actions#inputsinput_idrequired", - "description": "A boolean to indicate whether the action requires the input parameter. Set to true when the parameter is required.", - "type": "boolean" - }, - "default": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/metadata-syntax-for-github-actions#inputsinput_iddefault", - "description": "A string representing the default value. 
The default value is used when an input parameter isn't specified in a workflow file.", - "type": "string" - } - }, - "required": [ - "description", - "required" - ], - "additionalProperties": false - } - }, - "additionalProperties": false - } - } - }, - "workflow_run": { - "$comment": "https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_run", - "$ref": "#/definitions/eventObject", - "description": "This event occurs when a workflow run is requested or completed, and allows you to execute a workflow based on the finished result of another workflow. For example, if your pull_request workflow generates build artifacts, you can create a new workflow that uses workflow_run to analyze the results and add a comment to the original pull request.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": [ - "requested", - "completed" - ] - }, - "default": [ - "requested", - "completed" - ] - }, - "workflows": { - "type": "array", - "items": { - "type": "string" - }, - "minItems": 1 - } - }, - "patternProperties": { - "^branches(-ignore)?$": {} - } - } - }, - "additionalProperties": false - } - ] - }, - "env": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#env", - "$ref": "#/definitions/env", - "description": "A map of environment variables that are available to all jobs and steps in the workflow." - }, - "defaults": { - "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#defaults", - "$ref": "#/definitions/defaults", - "description": "A map of default settings that will apply to all jobs in the workflow." - }, - "jobs": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobs", - "description": "A workflow run is made up of one or more jobs. Jobs run in parallel by default. 
To run jobs sequentially, you can define dependencies on other jobs using the jobs..needs keyword.\nEach job runs in a fresh instance of the virtual environment specified by runs-on.\nYou can run an unlimited number of jobs as long as you are within the workflow usage limits. For more information, see https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#usage-limits.", - "type": "object", - "patternProperties": { - "^[_a-zA-Z][a-zA-Z0-9_-]*$": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_id", - "description": "Each job must have an id to associate with the job. The key job_id is a string and its value is a map of the job's configuration data. You must replace with a string that is unique to the jobs object. The must start with a letter or _ and contain only alphanumeric characters, -, or _.", - "type": "object", - "properties": { - "name": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idname", - "description": "The name of the job displayed on GitHub.", - "type": "string" - }, - "needs": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idneeds", - "description": "Identifies any jobs that must complete successfully before this job will run. It can be a string or array of strings. 
If a job fails, all jobs that need it are skipped unless the jobs use a conditional statement that causes the job to continue.", - "oneOf": [ - { - "type": "array", - "items": { - "$ref": "#/definitions/name" - }, - "minItems": 1, - "additionalItems": false - }, - { - "$ref": "#/definitions/name" - } - ] - }, - "permissions" : { - "$comment": "https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idpermissions", - "description": "You can modify the default permissions granted to the GITHUB_TOKEN, adding or removing access as required, so that you only allow the minimum required access", - "oneOf": [ - { - "const": "read-all|write-all" - }, - { - "type" : "object", - "$ref": "#/definitions/gitpermissions" - } - ] - }, - "runs-on": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idruns-on", - "description": "The type of machine to run the job on. The machine can be either a GitHub-hosted runner, or a self-hosted runner.", - "oneOf": [ - { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#github-hosted-runners", - "type": "string", - "enum": [ - "${{ matrix.os }}", - "macos-latest", - "macos-10.15", - "self-hosted", - "ubuntu-16.04", - "ubuntu-18.04", - "ubuntu-latest", - "windows-latest", - "windows-2019" - ] - }, - { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#self-hosted-runners", - "type": "array", - "oneOf": [ - { - "items": [ - { - "const": "self-hosted" - } - ] - }, - { - "items": [ - { - "const": "self-hosted" - }, - { - "$ref": "#/definitions/machine" - } - ] - }, - { - "items": [ - { - "const": "self-hosted" - }, - { - "$ref": "#/definitions/architecture" - } - ] - }, - { - "items": [ - { - "const": "self-hosted" - }, - { - "$ref": "#/definitions/machine" - }, - { - 
"$ref": "#/definitions/architecture" - } - ] - }, - { - "items": [ - { - "const": "self-hosted" - }, - { - "$ref": "#/definitions/architecture" - }, - { - "$ref": "#/definitions/machine" - } - ] - } - ], - "additionalItems": false - } - ] - }, - "outputs": { - "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjobs_idoutputs", - "description": "A map of outputs for a job. Job outputs are available to all downstream jobs that depend on this job.", - "type": "object", - "additionalProperties": { - "type": "string" - }, - "minProperties": 1 - }, - "environment": { - "$comment": "https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idenvironment", - "$ref": "#/definitions/environment", - "description": "The environment that the job references" - }, - "env": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idenv", - "$ref": "#/definitions/env", - "description": "A map of environment variables that are available to all steps in the job." - }, - "defaults": { - "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_iddefaults", - "$ref": "#/definitions/defaults", - "description": "A map of default settings that will apply to all steps in the job." - }, - "if": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idif", - "description": "You can use the if conditional to prevent a job from running unless a condition is met. You can use any supported context and expression to create a conditional.\nExpressions in an if conditional do not require the ${{ }} syntax. 
For more information, see https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.", - "type": "string" - }, - "steps": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idsteps", - "description": "A job contains a sequence of tasks called steps. Steps can run commands, run setup tasks, or run an action in your repository, a public repository, or an action published in a Docker registry. Not all steps run actions, but all actions run as a step. Each step runs in its own process in the virtual environment and has access to the workspace and filesystem. Because steps run in their own process, changes to environment variables are not preserved between steps. GitHub provides built-in steps to set up and complete a job.\n", - "type": "array", - "items": { - "type": "object", - "properties": { - "id": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsid", - "description": "A unique identifier for the step. You can use the id to reference the step in contexts. For more information, see https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.", - "type": "string" - }, - "if": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsif", - "description": "You can use the if conditional to prevent a step from running unless a condition is met. You can use any supported context and expression to create a conditional.\nExpressions in an if conditional do not require the ${{ }} syntax. 
For more information, see https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.", - "type": "string" - }, - "name": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsname", - "description": "A name for your step to display on GitHub.", - "type": "string" - }, - "uses": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsuses", - "description": "Selects an action to run as part of a step in your job. An action is a reusable unit of code. You can use an action defined in the same repository as the workflow, a public repository, or in a published Docker container image (https://hub.docker.com/).\nWe strongly recommend that you include the version of the action you are using by specifying a Git ref, SHA, or Docker tag number. If you don't specify a version, it could break your workflows or cause unexpected behavior when the action owner publishes an update.\n- Using the commit SHA of a released action version is the safest for stability and security.\n- Using the specific major action version allows you to receive critical fixes and security patches while still maintaining compatibility. It also assures that your workflow should still work.\n- Using the master branch of an action may be convenient, but if someone releases a new major version with a breaking change, your workflow could break.\nSome actions require inputs that you must set using the with keyword. Review the action's README file to determine the inputs required.\nActions are either JavaScript files or Docker containers. If the action you're using is a Docker container you must run the job in a Linux virtual environment. 
For more details, see https://help.github.com/en/articles/virtual-environments-for-github-actions.", - "type": "string" - }, - "run": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsrun", - "description": "Runs command-line programs using the operating system's shell. If you do not provide a name, the step name will default to the text specified in the run command.\nCommands run using non-login shells by default. You can choose a different shell and customize the shell used to run commands. For more information, see https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#using-a-specific-shell.\nEach run keyword represents a new process and shell in the virtual environment. When you provide multi-line commands, each line runs in the same shell.", - "type": "string" - }, - "working-directory": { - "$ref": "#/definitions/working-directory" - }, - "shell": { - "$ref": "#/definitions/shell" - }, - "with": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepswith", - "$ref": "#/definitions/env", - "description": "A map of the input parameters defined by the action. Each input parameter is a key/value pair. Input parameters are set as environment variables. 
The variable is prefixed with INPUT_ and converted to upper case.", - "properties": { - "args": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepswithargs", - "type": "string" - }, - "entrypoint": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepswithentrypoint", - "type": "string" - } - } - }, - "env": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsenv", - "$ref": "#/definitions/env", - "description": "Sets environment variables for steps to use in the virtual environment. You can also set environment variables for the entire workflow or a job." - }, - "continue-on-error": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error", - "description": "Prevents a job from failing when a step fails. Set to true to allow a job to pass when this step fails.", - "type": "boolean", - "default": false - }, - "timeout-minutes": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepstimeout-minutes", - "description": "The maximum number of minutes to run the step before killing the process.", - "type": "number" - } - }, - "dependencies": { - "working-directory": ["run"], - "shell": ["run"] - }, - "additionalProperties": false - }, - "minItems": 1, - "additionalItems": false - }, - "timeout-minutes": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idtimeout-minutes", - "description": "The maximum number of minutes to let a workflow run before GitHub automatically cancels it. 
Default: 360", - "type": "number", - "default": 360 - }, - "strategy": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategy", - "description": "A strategy creates a build matrix for your jobs. You can define different variations of an environment to run each job in.", - "type": "object", - "properties": { - "matrix": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix", - "description": "A build matrix is a set of different configurations of the virtual environment. For example you might run a job against more than one supported version of a language, operating system, or tool. Each configuration is a copy of the job that runs and reports a status.\nYou can specify a matrix by supplying an array for the configuration options. For example, if the GitHub virtual environment supports Node.js versions 6, 8, and 10 you could specify an array of those versions in the matrix.\nWhen you define a matrix of operating systems, you must set the required runs-on keyword to the operating system of the current job, rather than hard-coding the operating system name. To access the operating system name, you can use the matrix.os context parameter to set runs-on. 
For more information, see https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.", - "type": "object", - "patternProperties": { - "^(in|ex)clude$": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#example-including-configurations-in-a-matrix-build", - "type": "array", - "items": { - "type": "object", - "additionalProperties": { - "$ref": "#/definitions/configuration" - } - }, - "minItems": 1, - "additionalItems": false - } - }, - "additionalProperties": { - "type": "array", - "items": { - "$ref": "#/definitions/configuration" - }, - "minItems": 1, - "additionalItems": false - }, - "minProperties": 1 - }, - "fail-fast": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategyfail-fast", - "description": "When set to true, GitHub cancels all in-progress jobs if any matrix job fails. Default: true", - "type": "boolean", - "default": true - }, - "max-parallel": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymax-parallel", - "description": "The maximum number of jobs that can run simultaneously when using a matrix job strategy. By default, GitHub will maximize the number of jobs run in parallel depending on the available runners on GitHub-hosted virtual machines.", - "type": "number" - } - }, - "additionalProperties": false - }, - "continue-on-error": { - "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idcontinue-on-error", - "description": "Prevents a workflow run from failing when a job fails. 
Set to true to allow a workflow run to pass when this job fails.", - "oneOf": [ - { - "type": "boolean" - }, - { - "type": "string" - } - ] - }, - "container": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainer", - "description": "A container to run any steps in a job that don't already specify a container. If you have steps that use both script and container actions, the container actions will run as sibling containers on the same network with the same volume mounts.\nIf you do not set a container, all steps will run directly on the host specified by runs-on unless a step refers to an action configured to run in a container.", - "type": "object", - "additionalProperties": { - "oneOf": [ - { - "type": "string" - }, - { - "$ref": "#/definitions/container" - } - ] - } - }, - "services": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idservices", - "description": "Additional containers to host services for a job in a workflow. These are useful for creating databases or cache services like redis. The runner on the virtual machine will automatically create a network and manage the life cycle of the service containers.\nWhen you use a service container for a job or your step uses container actions, you don't need to set port information to access the service. Docker automatically exposes all ports between containers on the same network.\nWhen both the job and the action run in a container, you can directly reference the container by its hostname. 
The hostname is automatically mapped to the service name.\nWhen a step does not use a container action, you must access the service using localhost and bind the ports.",
- "type": "object",
- "additionalProperties": {
- "$ref": "#/definitions/container"
- }
- }
- },
- "required": ["runs-on", "steps"],
- "additionalProperties": false
- }
- },
- "minProperties": 1,
- "additionalProperties": false
- }
- },
- "required": ["on", "jobs"],
- "additionalProperties": false
-}
\ No newline at end of file
From 0d582377a8cb22e2c5e9cf382b2a95a1e9349ffd Mon Sep 17 00:00:00 2001
From: aparna-ravindra
Date: Mon, 16 Aug 2021 16:48:34 +0530
Subject: [PATCH 021/844] using regex to check for octicon
---
script/validate-data/index.ts | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts
index 712efe1f41..720c85b461 100755
--- a/script/validate-data/index.ts
+++ b/script/validate-data/index.ts
@@ -95,7 +95,7 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string): Prom
 workflowErrors.errors = res.errors.map(e => e.toString())
 if (properties.iconName) {
- if(!properties.iconName.startsWith("octicon ")) {
+ if(! /^octicon\s+/.test(properties.iconName)) {
 try {
 await fs.access(`../../icons/${properties.iconName}.svg`)
 } catch (e) {
@@ -103,8 +103,8 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string): Prom
 }
 }
 else {
- let iconName = properties.iconName.match(/octicon\s+(.*)/)
- if(!iconName || !iconName[1] || iconName[1].length == 0) {
+ let iconName = properties.iconName.match(/^octicon\s+(.*)/)
+ if(!iconName || iconName[1].split(".")[0].length <= 0) {
 workflowErrors.errors.push(`No icon named ${properties.iconName} found`)
 }
 }
From ccf813d3fbb1f88dc5576c4c0ad63507846cc97a Mon Sep 17 00:00:00 2001
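Review bot: The non-octicon branch still builds `../../icons/${properties.iconName}.svg` from the raw `iconName` string, so a value containing path separators or `..` passes `fs.access` whenever some `.svg` exists at the resolved location, and the validator would then accept an icon reference that the onboarding UI cannot resolve from `icons/`. The properties files are repository-internal, so this is a data-quality gap rather than a security boundary, but a shape check before the path is built closes it: `if (!/^[\w-]+$/.test(properties.iconName)) { workflowErrors.errors.push("Invalid icon name " + properties.iconName) }`. Minor style: `if(! /^octicon\s+/.test(...))` puts a space after `!` and none after `if`, unlike `if (properties.iconName)` two lines above. checkWorkflow starts and ends outside this hunk.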
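Review bot: The rewritten check `iconName[1].split(".")[0].length <= 0` does not say what the `split(".")` is for: it rejects `octicon .person` but accepts `octicon person.` and trailing whitespace (the `(.*)` group keeps it), and `!iconName` can no longer be true here because this `else` branch is reached only after `/^octicon\s+/` matched in the `if` above. If the intent is simply to reject a blank octicon name, `if (!iconName || iconName[1].trim().length === 0) {` states that directly; if the dot split is deliberate, a one-line comment above it naming which octicon references it is meant to reject would spare the next reader the guess. checkWorkflow continues outside this hunk.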
From: aparna-ravindra
Date: Tue, 17 Aug 2021 10:09:53 +0530
Subject: [PATCH 022/844] using set instead of array
---
script/validate-data/index.ts | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts
index 720c85b461..92b473e856 100755
--- a/script/validate-data/index.ts
+++ b/script/validate-data/index.ts
@@ -42,7 +42,7 @@ const propertiesSchema = {
 async function checkWorkflows(folders: string[]): Promise {
 const result: WorkflowWithErrors[] = []
- const workflow_template_names : string[] = []
+ const workflow_template_names = new Set()
 for (const folder of folders) {
 const dir = await fs.readdir(folder, {
 withFileTypes: true,
@@ -56,13 +56,8 @@ async function checkWorkflows(folders: string[]): Promise
 const propertiesFilePath = join(folder, "properties", `${fileType}.properties.json`)
 const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath);
- if(workflowWithErrors.name) {
- if(workflow_template_names.includes(workflowWithErrors.name)) {
- workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`)
- }
- else {
- workflow_template_names.push(workflowWithErrors.name)
- }
+ if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) {
+ workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`)
 }
 if (workflowWithErrors.errors.length > 0) {
 result.push(workflowWithErrors)
From 124226ff320d319386f638a0bcb5153b23c22335 Mon Sep 17 00:00:00 2001
From: aparna-ravindra
Date: Tue, 17 Aug 2021 10:28:22 +0530
Subject: [PATCH 023/844] using trim to check for blank names
---
script/validate-data/index.ts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts
index 92b473e856..8413653194 100755
--- a/script/validate-data/index.ts
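Review bot: The new duplicate check `workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size` hides a mutation inside a comparison; it is correct only because the left operand is evaluated before `add` runs, and a reader has to work that out from evaluation order. A `has`/`add` pair states the intent without depending on it, and the error message stays byte-identical. The `snake_case` name `workflow_template_names` also stands out next to `workflowWithErrors` and `propertiesFilePath` in the same hunk. checkWorkflows starts and ends outside this hunk.
```typescript
const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath);
if (workflowWithErrors.name) {
  if (workflow_template_names.has(workflowWithErrors.name)) {
    workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`)
  }
  workflow_template_names.add(workflowWithErrors.name)
}
// … unchanged: push workflowWithErrors into result when it has errors …
```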
+++ b/script/validate-data/index.ts
@@ -82,7 +82,7 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string): Prom
 const propertiesFileContent = await fs.readFile(propertiesPath, "utf8")
 const properties: WorkflowProperties = JSON.parse(propertiesFileContent)
- if(properties.name && properties.name.trim.length > 0) {
+ if(properties.name && properties.name.trim().length > 0) {
 workflowErrors.name = properties.name
 }
 let v = new validator();
From 9d67bbed4a718e099487d32a57c6f3dc515dedf7 Mon Sep 17 00:00:00 2001
From: aparna-ravindra
Date: Tue, 17 Aug 2021 13:11:02 +0530
Subject: [PATCH 024/844] updating readme
---
README.md | 20 +-
script/validate-data/workflow-schema.json | 1244 ---------------------
2 files changed, 16 insertions(+), 1248 deletions(-)
delete mode 100644 script/validate-data/workflow-schema.json
diff --git a/README.md b/README.md
index 2c2f1b5a26..67b394401c 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@ These are the workflow files for helping people get started with GitHub Actions.
 ### Directory structure
-* [ci](ci): solutions for Continuous Integration
+* [ci](ci): solutions for Continuous Integration and Deployments
 * [automation](automation): solutions for automating workflows.
 * [code-scanning](code-scanning): starter workflows for [Code Scanning](https://github.com/features/security)
 * [icons](icons): svg icons for the relevant template
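Review bot: The fix gates on `properties.name.trim().length > 0` but the next line still stores the untrimmed value, `workflowErrors.name = properties.name`, so names that differ only in surrounding whitespace survive as distinct strings. The duplicate-name check in `checkWorkflows` (hunk of the preceding patch) compares these stored names, so `"Foo"` and `"Foo "` would not be reported as duplicates; `workflowErrors.name = properties.name.trim()` would make the two checks agree, assuming no consumer depends on the raw value. checkWorkflow starts and ends outside this hunk.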
@@ -23,10 +23,22 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`.
 ### Valid properties
-* `name`: the name shown in onboarding
+* `name`: the name shown in onboarding. This property is unique within the repository.
 * `description`: the description shown in onboarding
-* `iconName`: the icon name in the relevant folder, for example `django` should have an icon `icons/django.svg`. Only SVG is supported at this time
-* `categories`: the categories that it will be shown under
+* `iconName`: the icon name in the relevant folder, for example `django` should have an icon `icons/django.svg`. Only SVG is supported at this time. Another option is to use [octicon](https://primer.style/octicons/). The format to use an octicon is `octicon <>`. Example: `octicon person`
+* `creator`: creator of the template shown in onboarding. All the workflow templates from an author will have the same `creator` field.
+* `categories`: the list categories that it will be shown under. Choose atleast one category from the list [here](#categories). Further, choose the categories from the list of languages available [here](https://github.com/github/linguist/blob/master/lib/linguist/languages.yml). When a user views the available templates, those templates that match the same language will feature more prominently.
+
+### Categories
+* continuous-integration
+* deployment
+* testing
+* code-quality
+* code-review
+* dependency-management
+* monitoring
+* Automation
+* utilities
 ### Variables
 These variables can be placed in the starter workflow and will be substituted as detailed below:
diff --git a/script/validate-data/workflow-schema.json b/script/validate-data/workflow-schema.json
deleted file mode 100644
index b3e7b8c67b..0000000000
--- a/script/validate-data/workflow-schema.json
+++ /dev/null
@@ -1,1244 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-07/schema", - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions", - "definitions": { - "architecture": { - "type": "string", - "enum": ["ARM32", "x64", "x86"] - }, - "branch": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onpushpull_requestbranchestags", - "$ref": "#/definitions/globs", - "description": "When using the push and pull_request events, you can configure a workflow to run on specific branches or tags. If you only define only tags or only branches, the workflow won't run for events affecting the undefined Git ref.\nThe branches, branches-ignore, tags, and tags-ignore keywords accept glob patterns that use the * and ** wildcard characters to match more than one branch or tag name. For more information, see https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet.\nThe patterns defined in branches and tags are evaluated against the Git ref's name. For example, defining the pattern mona/octocat in branches will match the refs/heads/mona/octocat Git ref. The pattern releases/** will match the refs/heads/releases/10 Git ref.\nYou can use two types of filters to prevent a workflow from running on pushes and pull requests to tags and branches:\n- branches or branches-ignore - You cannot use both the branches and branches-ignore filters for the same event in a workflow. Use the branches filter when you need to filter branches for positive matches and exclude branches. Use the branches-ignore filter when you only need to exclude branch names.\n- tags or tags-ignore - You cannot use both the tags and tags-ignore filters for the same event in a workflow. Use the tags filter when you need to filter tags for positive matches and exclude tags. 
Use the tags-ignore filter when you only need to exclude tag names.\nYou can exclude tags and branches using the ! character. The order that you define patterns matters.\n- A matching negative pattern (prefixed with !) after a positive match will exclude the Git ref.\n- A matching positive pattern after a negative match will include the Git ref again." - }, - "configuration": { - "oneOf": [ - { - "type": "string" - }, - { - "type": "number" - }, - { - "type": "object", - "additionalProperties": { - "$ref": "#/definitions/configuration" - } - }, - { - "type": "array", - "items": { - "$ref": "#/definitions/configuration" - }, - "additionalItems": false - } - ] - }, - "container": { - "type": "object", - "properties": { - "image": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainerimage", - "description": "The Docker image to use as the container to run the action. The value can be the Docker Hub image name or a public docker registry name.", - "type": "string" - }, - "env": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainerenv", - "$ref": "#/definitions/env", - "description": "Sets an array of environment variables in the container." - }, - "ports": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainerports", - "description": "Sets an array of ports to expose on the container.", - "type": "array", - "items": { - "oneOf": [ - { - "type": "number" - }, - { - "type": "string" - } - ] - }, - "minItems": 1, - "additionalItems": false - }, - "volumes": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainervolumes", - "description": "Sets an array of volumes for the container to use. 
You can use volumes to share data between services or other steps in a job. You can specify named Docker volumes, anonymous Docker volumes, or bind mounts on the host.\nTo specify a volume, you specify the source and destination path: :\nThe is a volume name or an absolute path on the host machine, and is an absolute path in the container.", - "type": "array", - "items": { - "type": "string", - "pattern": "^[^:]+:[^:]+$" - }, - "minItems": 1, - "additionalItems": false - }, - "options": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontaineroptions", - "description": "Additional Docker container resource options. For a list of options, see https://docs.docker.com/engine/reference/commandline/create/#options.", - "type": "string" - } - }, - "required": ["image"], - "additionalProperties": false - }, - "defaults": { - "type": "object", - "properties": { - "run": { - "type": "object", - "properties": { - "shell": { - "$ref": "#/definitions/shell" - }, - "working-directory": { - "$ref": "#/definitions/working-directory" - } - }, - "minProperties": 1, - "additionalProperties": false - } - }, - "minProperties": 1, - "additionalProperties": false - }, - "env": { - "type": "object", - "additionalProperties": { - "oneOf": [ - { - "type": "string" - }, - { - "type": "number" - }, - { - "type": "boolean" - } - ] - }, - "minProperties": 1 - }, - "environment": { - "oneOf": [ - { - "type": "string" - }, - { - "type": "object", - "properties": { - "name": {"type": "string"}, - "url": {"type": "string"} - } - } - ] - }, - "event": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows", - "type": "string", - "enum": [ - "check_run", - "check_suite", - "create", - "delete", - "deployment", - "deployment_status", - "fork", - "gollum", - "issue_comment", - "issues", - "label", - "member", - "milestone", - "page_build", 
- "project", - "project_card", - "project_column", - "public", - "pull_request", - "pull_request_review", - "pull_request_review_comment", - "push", - "registry_package", - "release", - "status", - "watch", - "repository_dispatch", - "workflow_dispatch", - "workflow_run" - ] - }, - "eventObject": { - "oneOf": [ - { - "type": "object" - }, - { - "type": "null" - } - ], - "additionalProperties": true - }, - "globs": { - "type": "array", - "items": { - "type": "string", - "minLength": 1 - }, - "minItems": 1, - "additionalItems": false - }, - "machine": { - "type": "string", - "enum": ["linux", "macos", "windows"] - }, - "name": { - "type": "string", - "pattern": "^[_a-zA-Z][a-zA-Z0-9_-]*$" - }, - "gitpermissionenums": { - "type": "string", - "enum": [ - "read", - "write", - "none" - ] - }, - "gitpermissions": { - "type": "object", - "properties": { - "actions" : { - "$ref": "#/definitions/gitpermissionenums" - }, - "checks" : { - "$ref": "#/definitions/gitpermissionenums" - }, - "contents": { - "$ref": "#/definitions/gitpermissionenums" - }, - "deployments": { - "$ref": "#/definitions/gitpermissionenums" - }, - "issues": { - "$ref": "#/definitions/gitpermissionenums" - }, - "packages": { - "$ref": "#/definitions/gitpermissionenums" - }, - "pull-requests": { - "$ref": "#/definitions/gitpermissionenums" - }, - "repository-projects": { - "$ref": "#/definitions/gitpermissionenums" - }, - "security-events": { - "$ref": "#/definitions/gitpermissionenums" - }, - "statuses": { - "$ref": "#/definitions/gitpermissionenums" - } - } - }, - "path": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onpushpull_requestpaths", - "$ref": "#/definitions/globs", - "description": "When using the push and pull_request events, you can configure a workflow to run when at least one file does not match paths-ignore or at least one modified file matches the configured paths. 
Path filters are not evaluated for pushes to tags.\nThe paths-ignore and paths keywords accept glob patterns that use the * and ** wildcard characters to match more than one path name. For more information, see https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet.\nYou can exclude paths using two types of filters. You cannot use both of these filters for the same event in a workflow.\n- paths-ignore - Use the paths-ignore filter when you only need to exclude path names.\n- paths - Use the paths filter when you need to filter paths for positive matches and exclude paths." - }, - "ref": { - "properties": { - "branches": { - "$ref": "#/definitions/branch" - }, - "branches-ignore": { - "$ref": "#/definitions/branch" - }, - "tags": { - "$ref": "#/definitions/branch" - }, - "tags-ignore": { - "$ref": "#/definitions/branch" - }, - "paths": { - "$ref": "#/definitions/path" - }, - "paths-ignore": { - "$ref": "#/definitions/path" - } - }, - "oneOf": [ - { - "type": "object", - "allOf": [ - { - "not": { - "required": ["branches", "branches-ignore"] - } - }, - { - "not": { - "required": ["tags", "tags-ignore"] - } - }, - { - "not": { - "required": ["paths", "paths-ignore"] - } - } - ] - }, - { - "type": "null" - } - ] - }, - "shell": { - "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#using-a-specific-shell", - "description": "You can override the default shell settings in the runner's operating system using the shell keyword. 
You can use built-in shell keywords, or you can define a custom set of shell options.", - "type": "string", - "anyOf": [ - { - "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#custom-shell" - }, - { - "enum": ["bash", "pwsh", "python", "sh", "cmd", "powershell"] - } - ] - }, - "types": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onevent_nametypes", - "description": "Selects the types of activity that will trigger a workflow run. Most GitHub events are triggered by more than one type of activity. For example, the event for the release resource is triggered when a release is published, unpublished, created, edited, deleted, or prereleased. The types keyword enables you to narrow down activity that causes the workflow to run. When only one activity type triggers a webhook event, the types keyword is unnecessary.\nYou can use an array of event types. For more information about each event and their activity types, see https://help.github.com/en/articles/events-that-trigger-workflows#webhook-events.", - "type": "array", - "minItems": 1, - "additionalItems": false - }, - "working-directory": { - "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun", - "description": "Using the working-directory keyword, you can specify the working directory of where to run the command.", - "type": "string" - } - }, - "properties": { - "name": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#name", - "description": "The name of your workflow. GitHub displays the names of your workflows on your repository's actions page. 
If you omit this field, GitHub sets the name to the workflow's filename.", - "type": "string" - }, - "on": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#on", - "description": "The name of the GitHub event that triggers the workflow. You can provide a single event string, array of events, array of event types, or an event configuration map that schedules a workflow or restricts the execution of a workflow to specific files, tags, or branch changes. For a list of available events, see https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows.", - "oneOf": [ - { - "$ref": "#/definitions/event" - }, - { - "type": "array", - "items": { - "$ref": "#/definitions/event" - }, - "minItems": 1, - "additionalItems": false - }, - { - "type": "object", - "properties": { - "check_run": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#check-run-event-check_run", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the check_run event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/checks/runs.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": [ - "created", - "rerequested", - "completed", - "requested_action" - ] - }, - "default": [ - "created", - "rerequested", - "completed", - "requested_action" - ] - } - } - }, - "check_suite": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#check-suite-event-check_suite", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the check_suite event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/checks/suites/.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": ["completed", "requested", "rerequested"] - }, - "default": ["completed", "requested", "rerequested"] - } - } - }, - "create": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#create-event-create", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime someone creates a branch or tag, which triggers the create event. For information about the REST API, see https://developer.github.com/v3/git/refs/#create-a-reference." - }, - "delete": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#delete-event-delete", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime someone deletes a branch or tag, which triggers the delete event. For information about the REST API, see https://developer.github.com/v3/git/refs/#delete-a-reference." - }, - "deployment": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#deployment-event-deployment", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime someone creates a deployment, which triggers the deployment event. Deployments created with a commit SHA may not have a Git ref. For information about the REST API, see https://developer.github.com/v3/repos/deployments/." - }, - "deployment_status": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#deployment-status-event-deployment_status", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime a third party provides a deployment status, which triggers the deployment_status event. 
Deployments created with a commit SHA may not have a Git ref. For information about the REST API, see https://developer.github.com/v3/repos/deployments/#create-a-deployment-status." - }, - "fork": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#fork-event-fork", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime when someone forks a repository, which triggers the fork event. For information about the REST API, see https://developer.github.com/v3/repos/forks/#create-a-fork." - }, - "gollum": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#gollum-event-gollum", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow when someone creates or updates a Wiki page, which triggers the gollum event." - }, - "issue_comment": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#issue-comment-event-issue_comment", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the issue_comment event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/issues/comments/.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": ["created", "edited", "deleted"] - }, - "default": ["created", "edited", "deleted"] - } - } - }, - "issues": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#issues-event-issues", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the issues event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/issues.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": [ - "opened", - "edited", - "deleted", - "transferred", - "pinned", - "unpinned", - "closed", - "reopened", - "assigned", - "unassigned", - "labeled", - "unlabeled", - "locked", - "unlocked", - "milestoned", - "demilestoned" - ] - }, - "default": [ - "opened", - "edited", - "deleted", - "transferred", - "pinned", - "unpinned", - "closed", - "reopened", - "assigned", - "unassigned", - "labeled", - "unlabeled", - "locked", - "unlocked", - "milestoned", - "demilestoned" - ] - } - } - }, - "label": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#label-event-label", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the label event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/issues/labels/.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": ["created", "edited", "deleted"] - }, - "default": ["created", "edited", "deleted"] - } - } - }, - "member": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#member-event-member", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the member event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/repos/collaborators/.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": ["added", "edited", "deleted"] - }, - "default": ["added", "edited", "deleted"] - } - } - }, - "milestone": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#milestone-event-milestone", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the milestone event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/issues/milestones/.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": ["created", "closed", "opened", "edited", "deleted"] - }, - "default": [ - "created", - "closed", - "opened", - "edited", - "deleted" - ] - } - } - }, - "page_build": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#page-build-event-page_build", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime someone pushes to a GitHub Pages-enabled branch, which triggers the page_build event. For information about the REST API, see https://developer.github.com/v3/repos/pages/." - }, - "project": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#project-event-project", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the project event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/projects/.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": [ - "created", - "updated", - "closed", - "reopened", - "edited", - "deleted" - ] - }, - "default": [ - "created", - "updated", - "closed", - "reopened", - "edited", - "deleted" - ] - } - } - }, - "project_card": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#project-card-event-project_card", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the project_card event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/projects/cards.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": [ - "created", - "moved", - "converted", - "edited", - "deleted" - ] - }, - "default": [ - "created", - "moved", - "converted", - "edited", - "deleted" - ] - } - } - }, - "project_column": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#project-column-event-project_column", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the project_column event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/projects/columns.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": ["created", "updated", "moved", "deleted"] - }, - "default": ["created", "updated", "moved", "deleted"] - } - } - }, - "public": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#public-event-public", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime someone makes a private repository public, which triggers the public event. For information about the REST API, see https://developer.github.com/v3/repos/#edit." - }, - "pull_request": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#pull-request-event-pull_request", - "$ref": "#/definitions/ref", - "description": "Runs your workflow anytime the pull_request event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/pulls.\nNote: Workflows do not run on private base repositories when you open a pull request from a forked repository.\nWhen you create a pull request from a forked repository to the base repository, GitHub sends the pull_request event to the base repository and no pull request events occur on the forked repository.\nWorkflows don't run on forked repositories by default. You must enable GitHub Actions in the Actions tab of the forked repository.\nThe permissions for the GITHUB_TOKEN in forked repositories is read-only. 
For more information about the GITHUB_TOKEN, see https://help.github.com/en/articles/virtual-environments-for-github-actions.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": [ - "assigned", - "unassigned", - "labeled", - "unlabeled", - "opened", - "edited", - "closed", - "reopened", - "synchronize", - "ready_for_review", - "locked", - "unlocked", - "review_requested", - "review_request_removed" - ] - }, - "default": ["opened", "synchronize", "reopened"] - } - }, - "patternProperties": { - "^(branche|tag|path)s(-ignore)?$": { - "type": "array" - } - }, - "additionalProperties": false - }, - "pull_request_review": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#pull-request-review-event-pull_request_review", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the pull_request_review event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/pulls/reviews.\nNote: Workflows do not run on private base repositories when you open a pull request from a forked repository.\nWhen you create a pull request from a forked repository to the base repository, GitHub sends the pull_request event to the base repository and no pull request events occur on the forked repository.\nWorkflows don't run on forked repositories by default. You must enable GitHub Actions in the Actions tab of the forked repository.\nThe permissions for the GITHUB_TOKEN in forked repositories is read-only. 
For more information about the GITHUB_TOKEN, see https://help.github.com/en/articles/virtual-environments-for-github-actions.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": ["submitted", "edited", "dismissed"] - }, - "default": ["submitted", "edited", "dismissed"] - } - } - }, - "pull_request_review_comment": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#pull-request-review-comment-event-pull_request_review_comment", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime a comment on a pull request's unified diff is modified, which triggers the pull_request_review_comment event. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/pulls/comments.\nNote: Workflows do not run on private base repositories when you open a pull request from a forked repository.\nWhen you create a pull request from a forked repository to the base repository, GitHub sends the pull_request event to the base repository and no pull request events occur on the forked repository.\nWorkflows don't run on forked repositories by default. You must enable GitHub Actions in the Actions tab of the forked repository.\nThe permissions for the GITHUB_TOKEN in forked repositories is read-only. 
For more information about the GITHUB_TOKEN, see https://help.github.com/en/articles/virtual-environments-for-github-actions.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": ["created", "edited", "deleted"] - }, - "default": ["created", "edited", "deleted"] - } - } - }, - "push": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#push-event-push", - "description": "Runs your workflow when someone pushes to a repository branch, which triggers the push event.\nNote: The webhook payload available to GitHub Actions does not include the added, removed, and modified attributes in the commit object. You can retrieve the full commit object using the REST API. For more information, see https://developer.github.com/v3/repos/commits/#get-a-single-commit.", - "type": "object", - "$ref": "#/definitions/ref", - "patternProperties": { - "^(branche|tag|path)s(-ignore)?$": { - "type": "array", - "items" : { - "type" : "string" - } - } - }, - "additionalProperties": false - }, - "pull_request_target": { - "$comment": "https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target", - "$ref": "#/definitions/ref", - "additionalProperties": false, - "description": "This event is similar to pull_request, except that it runs in the context of the base repository of the pull request, rather than in the merge commit. This means that you can more safely make your secrets available to the workflows triggered by the pull request, because only workflows defined in the commit on the base repository are run. 
For example, this event allows you to create workflows that label and comment on pull requests, based on the contents of the event payload.", - "patternProperties": { - "^(branche|tag|path)s(-ignore)?$": { - } - }, - "properties": { - "types": { - "$ref": "#/definitions/types", - "default": [ - "opened", - "synchronize", - "reopened" - ], - "items": { - "enum": [ - "assigned", - "unassigned", - "labeled", - "unlabeled", - "opened", - "edited", - "closed", - "reopened", - "synchronize", - "ready_for_review", - "locked", - "unlocked", - "review_requested", - "review_request_removed" - ], - "type": "string" - } - } - } - }, - "registry_package": { - "$comment": "https://help.github.com/en/actions/reference/events-that-trigger-workflows#registry-package-event-registry_package", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime a package is published or updated. For more information, see https://help.github.com/en/github/managing-packages-with-github-packages.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "default": [ - "published", - "updated" - ], - "items": { - "enum": [ - "published", - "updated" - ], - "type": "string" - } - } - } - }, - "release": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#release-event-release", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the release event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/repos/releases/.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": [ - "published", - "unpublished", - "created", - "edited", - "deleted", - "prereleased", - "released" - ] - }, - "default": [ - "published", - "unpublished", - "created", - "edited", - "deleted", - "prereleased", - "released" - ] - } - } - }, - "status": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#status-event-status", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the status of a Git commit changes, which triggers the status event. For information about the REST API, see https://developer.github.com/v3/repos/statuses/." - }, - "watch": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#watch-event-watch", - "$ref": "#/definitions/eventObject", - "description": "Runs your workflow anytime the watch event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/activity/starring/." - }, - "repository_dispatch": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#external-events-repository_dispatch", - "$ref": "#/definitions/eventObject", - "description": "You can use the GitHub API to trigger a webhook event called repository_dispatch when you want to trigger a workflow for activity that happens outside of GitHub. For more information, see https://developer.github.com/v3/repos/#create-a-repository-dispatch-event.\nTo trigger the custom repository_dispatch webhook event, you must send a POST request to a GitHub API endpoint and provide an event_type name to describe the activity type. 
To trigger a workflow run, you must also configure your workflow to use the repository_dispatch event." - }, - "schedule": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#scheduled-events-schedule", - "description": "You can schedule a workflow to run at specific UTC times using POSIX cron syntax (https://pubs.opengroup.org/onlinepubs/9699919799/utilities/crontab.html#tag_20_25_07). Scheduled workflows run on the latest commit on the default or base branch. The shortest interval you can run scheduled workflows is once every 5 minutes.\nNote: GitHub Actions does not support the non-standard syntax @yearly, @monthly, @weekly, @daily, @hourly, and @reboot.\nYou can use crontab guru (https://crontab.guru/). to help generate your cron syntax and confirm what time it will run. To help you get started, there is also a list of crontab guru examples (https://crontab.guru/examples.html).", - "type": "array", - "items": { - "type": "object", - "properties": { - "cron": { - "$comment": "https://stackoverflow.com/a/57639657/4044345", - "oneOf": [ - { - "pattern": "cron-(.)+" - } - ] - } - }, - "additionalProperties": false - }, - "minItems": 1, - "additionalItems": false - }, - "workflow_dispatch": { - "$comment": "https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/", - "description": "You can now create workflows that are manually triggered with the new workflow_dispatch event. You will then see a 'Run workflow' button on the Actions tab, enabling you to easily trigger a run.", - "properties": { - "inputs": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/metadata-syntax-for-github-actions#inputs", - "description": "Input parameters allow you to specify data that the action expects to use during runtime. GitHub stores input parameters as environment variables. 
Input ids with uppercase letters are converted to lowercase during runtime. We recommended using lowercase input ids.", - "type": "object", - "patternProperties": { - "^[_a-zA-Z][a-zA-Z0-9_-]*$": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/metadata-syntax-for-github-actions#inputsinput_id", - "description": "A string identifier to associate with the input. The value of is a map of the input's metadata. The must be a unique identifier within the inputs object. The must start with a letter or _ and contain only alphanumeric characters, -, or _.", - "type": "object", - "properties": { - "description": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/metadata-syntax-for-github-actions#inputsinput_iddescription", - "description": "A string description of the input parameter.", - "type": "string" - }, - "deprecationMessage": { - "description": "A string shown to users using the deprecated input.", - "type": "string" - }, - "required": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/metadata-syntax-for-github-actions#inputsinput_idrequired", - "description": "A boolean to indicate whether the action requires the input parameter. Set to true when the parameter is required.", - "type": "boolean" - }, - "default": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/metadata-syntax-for-github-actions#inputsinput_iddefault", - "description": "A string representing the default value. 
The default value is used when an input parameter isn't specified in a workflow file.", - "type": "string" - } - }, - "required": [ - "description", - "required" - ], - "additionalProperties": false - } - }, - "additionalProperties": false - } - } - }, - "workflow_run": { - "$comment": "https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_run", - "$ref": "#/definitions/eventObject", - "description": "This event occurs when a workflow run is requested or completed, and allows you to execute a workflow based on the finished result of another workflow. For example, if your pull_request workflow generates build artifacts, you can create a new workflow that uses workflow_run to analyze the results and add a comment to the original pull request.", - "properties": { - "types": { - "$ref": "#/definitions/types", - "items": { - "type": "string", - "enum": [ - "requested", - "completed" - ] - }, - "default": [ - "requested", - "completed" - ] - }, - "workflows": { - "type": "array", - "items": { - "type": "string" - }, - "minItems": 1 - } - }, - "patternProperties": { - "^branches(-ignore)?$": {} - } - } - }, - "additionalProperties": false - } - ] - }, - "env": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#env", - "$ref": "#/definitions/env", - "description": "A map of environment variables that are available to all jobs and steps in the workflow." - }, - "defaults": { - "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#defaults", - "$ref": "#/definitions/defaults", - "description": "A map of default settings that will apply to all jobs in the workflow." - }, - "jobs": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobs", - "description": "A workflow run is made up of one or more jobs. Jobs run in parallel by default. 
To run jobs sequentially, you can define dependencies on other jobs using the jobs..needs keyword.\nEach job runs in a fresh instance of the virtual environment specified by runs-on.\nYou can run an unlimited number of jobs as long as you are within the workflow usage limits. For more information, see https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#usage-limits.", - "type": "object", - "patternProperties": { - "^[_a-zA-Z][a-zA-Z0-9_-]*$": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_id", - "description": "Each job must have an id to associate with the job. The key job_id is a string and its value is a map of the job's configuration data. You must replace with a string that is unique to the jobs object. The must start with a letter or _ and contain only alphanumeric characters, -, or _.", - "type": "object", - "properties": { - "name": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idname", - "description": "The name of the job displayed on GitHub.", - "type": "string" - }, - "needs": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idneeds", - "description": "Identifies any jobs that must complete successfully before this job will run. It can be a string or array of strings. 
If a job fails, all jobs that need it are skipped unless the jobs use a conditional statement that causes the job to continue.", - "oneOf": [ - { - "type": "array", - "items": { - "$ref": "#/definitions/name" - }, - "minItems": 1, - "additionalItems": false - }, - { - "$ref": "#/definitions/name" - } - ] - }, - "permissions" : { - "$comment": "https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idpermissions", - "description": "You can modify the default permissions granted to the GITHUB_TOKEN, adding or removing access as required, so that you only allow the minimum required access", - "oneOf": [ - { - "const": "read-all|write-all" - }, - { - "type" : "object", - "$ref": "#/definitions/gitpermissions" - } - ] - }, - "runs-on": { - "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idruns-on", - "description": "The type of machine to run the job on. The machine can be either a GitHub-hosted runner, or a self-hosted runner.", - "oneOf": [ - { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#github-hosted-runners", - "type": "string", - "enum": [ - "${{ matrix.os }}", - "macos-latest", - "macos-10.15", - "self-hosted", - "ubuntu-16.04", - "ubuntu-18.04", - "ubuntu-latest", - "windows-latest", - "windows-2019" - ] - }, - { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#self-hosted-runners", - "type": "array", - "oneOf": [ - { - "items": [ - { - "const": "self-hosted" - } - ] - }, - { - "items": [ - { - "const": "self-hosted" - }, - { - "$ref": "#/definitions/machine" - } - ] - }, - { - "items": [ - { - "const": "self-hosted" - }, - { - "$ref": "#/definitions/architecture" - } - ] - }, - { - "items": [ - { - "const": "self-hosted" - }, - { - "$ref": "#/definitions/machine" - }, - { - 
"$ref": "#/definitions/architecture" - } - ] - }, - { - "items": [ - { - "const": "self-hosted" - }, - { - "$ref": "#/definitions/architecture" - }, - { - "$ref": "#/definitions/machine" - } - ] - } - ], - "additionalItems": false - } - ] - }, - "outputs": { - "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjobs_idoutputs", - "description": "A map of outputs for a job. Job outputs are available to all downstream jobs that depend on this job.", - "type": "object", - "additionalProperties": { - "type": "string" - }, - "minProperties": 1 - }, - "environment": { - "$comment": "https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idenvironment", - "$ref": "#/definitions/environment", - "description": "The environment that the job references" - }, - "env": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idenv", - "$ref": "#/definitions/env", - "description": "A map of environment variables that are available to all steps in the job." - }, - "defaults": { - "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_iddefaults", - "$ref": "#/definitions/defaults", - "description": "A map of default settings that will apply to all steps in the job." - }, - "if": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idif", - "description": "You can use the if conditional to prevent a job from running unless a condition is met. You can use any supported context and expression to create a conditional.\nExpressions in an if conditional do not require the ${{ }} syntax. 
For more information, see https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.", - "type": "string" - }, - "steps": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idsteps", - "description": "A job contains a sequence of tasks called steps. Steps can run commands, run setup tasks, or run an action in your repository, a public repository, or an action published in a Docker registry. Not all steps run actions, but all actions run as a step. Each step runs in its own process in the virtual environment and has access to the workspace and filesystem. Because steps run in their own process, changes to environment variables are not preserved between steps. GitHub provides built-in steps to set up and complete a job.\n", - "type": "array", - "items": { - "type": "object", - "properties": { - "id": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsid", - "description": "A unique identifier for the step. You can use the id to reference the step in contexts. For more information, see https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.", - "type": "string" - }, - "if": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsif", - "description": "You can use the if conditional to prevent a step from running unless a condition is met. You can use any supported context and expression to create a conditional.\nExpressions in an if conditional do not require the ${{ }} syntax. 
For more information, see https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.", - "type": "string" - }, - "name": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsname", - "description": "A name for your step to display on GitHub.", - "type": "string" - }, - "uses": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsuses", - "description": "Selects an action to run as part of a step in your job. An action is a reusable unit of code. You can use an action defined in the same repository as the workflow, a public repository, or in a published Docker container image (https://hub.docker.com/).\nWe strongly recommend that you include the version of the action you are using by specifying a Git ref, SHA, or Docker tag number. If you don't specify a version, it could break your workflows or cause unexpected behavior when the action owner publishes an update.\n- Using the commit SHA of a released action version is the safest for stability and security.\n- Using the specific major action version allows you to receive critical fixes and security patches while still maintaining compatibility. It also assures that your workflow should still work.\n- Using the master branch of an action may be convenient, but if someone releases a new major version with a breaking change, your workflow could break.\nSome actions require inputs that you must set using the with keyword. Review the action's README file to determine the inputs required.\nActions are either JavaScript files or Docker containers. If the action you're using is a Docker container you must run the job in a Linux virtual environment. 
For more details, see https://help.github.com/en/articles/virtual-environments-for-github-actions.", - "type": "string" - }, - "run": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsrun", - "description": "Runs command-line programs using the operating system's shell. If you do not provide a name, the step name will default to the text specified in the run command.\nCommands run using non-login shells by default. You can choose a different shell and customize the shell used to run commands. For more information, see https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#using-a-specific-shell.\nEach run keyword represents a new process and shell in the virtual environment. When you provide multi-line commands, each line runs in the same shell.", - "type": "string" - }, - "working-directory": { - "$ref": "#/definitions/working-directory" - }, - "shell": { - "$ref": "#/definitions/shell" - }, - "with": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepswith", - "$ref": "#/definitions/env", - "description": "A map of the input parameters defined by the action. Each input parameter is a key/value pair. Input parameters are set as environment variables. 
The variable is prefixed with INPUT_ and converted to upper case.", - "properties": { - "args": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepswithargs", - "type": "string" - }, - "entrypoint": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepswithentrypoint", - "type": "string" - } - } - }, - "env": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsenv", - "$ref": "#/definitions/env", - "description": "Sets environment variables for steps to use in the virtual environment. You can also set environment variables for the entire workflow or a job." - }, - "continue-on-error": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error", - "description": "Prevents a job from failing when a step fails. Set to true to allow a job to pass when this step fails.", - "type": "boolean", - "default": false - }, - "timeout-minutes": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepstimeout-minutes", - "description": "The maximum number of minutes to run the step before killing the process.", - "type": "number" - } - }, - "dependencies": { - "working-directory": ["run"], - "shell": ["run"] - }, - "additionalProperties": false - }, - "minItems": 1, - "additionalItems": false - }, - "timeout-minutes": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idtimeout-minutes", - "description": "The maximum number of minutes to let a workflow run before GitHub automatically cancels it. 
Default: 360", - "type": "number", - "default": 360 - }, - "strategy": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategy", - "description": "A strategy creates a build matrix for your jobs. You can define different variations of an environment to run each job in.", - "type": "object", - "properties": { - "matrix": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix", - "description": "A build matrix is a set of different configurations of the virtual environment. For example you might run a job against more than one supported version of a language, operating system, or tool. Each configuration is a copy of the job that runs and reports a status.\nYou can specify a matrix by supplying an array for the configuration options. For example, if the GitHub virtual environment supports Node.js versions 6, 8, and 10 you could specify an array of those versions in the matrix.\nWhen you define a matrix of operating systems, you must set the required runs-on keyword to the operating system of the current job, rather than hard-coding the operating system name. To access the operating system name, you can use the matrix.os context parameter to set runs-on. 
For more information, see https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.", - "type": "object", - "patternProperties": { - "^(in|ex)clude$": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#example-including-configurations-in-a-matrix-build", - "type": "array", - "items": { - "type": "object", - "additionalProperties": { - "$ref": "#/definitions/configuration" - } - }, - "minItems": 1, - "additionalItems": false - } - }, - "additionalProperties": { - "type": "array", - "items": { - "$ref": "#/definitions/configuration" - }, - "minItems": 1, - "additionalItems": false - }, - "minProperties": 1 - }, - "fail-fast": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategyfail-fast", - "description": "When set to true, GitHub cancels all in-progress jobs if any matrix job fails. Default: true", - "type": "boolean", - "default": true - }, - "max-parallel": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymax-parallel", - "description": "The maximum number of jobs that can run simultaneously when using a matrix job strategy. By default, GitHub will maximize the number of jobs run in parallel depending on the available runners on GitHub-hosted virtual machines.", - "type": "number" - } - }, - "additionalProperties": false - }, - "continue-on-error": { - "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idcontinue-on-error", - "description": "Prevents a workflow run from failing when a job fails. 
Set to true to allow a workflow run to pass when this job fails.", - "oneOf": [ - { - "type": "boolean" - }, - { - "type": "string" - } - ] - }, - "container": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainer", - "description": "A container to run any steps in a job that don't already specify a container. If you have steps that use both script and container actions, the container actions will run as sibling containers on the same network with the same volume mounts.\nIf you do not set a container, all steps will run directly on the host specified by runs-on unless a step refers to an action configured to run in a container.", - "type": "object", - "additionalProperties": { - "oneOf": [ - { - "type": "string" - }, - { - "$ref": "#/definitions/container" - } - ] - } - }, - "services": { - "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idservices", - "description": "Additional containers to host services for a job in a workflow. These are useful for creating databases or cache services like redis. The runner on the virtual machine will automatically create a network and manage the life cycle of the service containers.\nWhen you use a service container for a job or your step uses container actions, you don't need to set port information to access the service. Docker automatically exposes all ports between containers on the same network.\nWhen both the job and the action run in a container, you can directly reference the container by its hostname. 
The hostname is automatically mapped to the service name.\nWhen a step does not use a container action, you must access the service using localhost and bind the ports.", - "type": "object", - "additionalProperties": { - "$ref": "#/definitions/container" - } - } - }, - "required": ["runs-on", "steps"], - "additionalProperties": false - } - }, - "minProperties": 1, - "additionalProperties": false - } - }, - "required": ["on", "jobs"], - "additionalProperties": false -} \ No newline at end of file From 68b47b8e02dd3a52c7734255305a788590452dd8 Mon Sep 17 00:00:00 2001 From: aparna-ravindra Date: Tue, 17 Aug 2021 14:08:33 +0530 Subject: [PATCH 025/844] fixing typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 67b394401c..da863fe4b9 100644 --- a/README.md +++ b/README.md 
@@ -27,7 +27,7 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`. * `description`: the description shown in onboarding * `iconName`: the icon name in the relevant folder, for example `django` should have an icon `icons/django.svg`. Only SVG is supported at this time. Another option is to use [octicon](https://primer.style/octicons/). The format to use an octicon is `octicon <>`. Example: `octicon person` * `creator`: creator of the template shown in onboarding. All the workflow templates from an author will have the same `creator` field. -* `categories`: the list categories that it will be shown under. Choose atleast one category from the list [here](#categories). Further, choose the categories from the list of languages available [here](https://github.com/github/linguist/blob/master/lib/linguist/languages.yml). When a user views the available templates, those templates that match the same language will feature more prominently. +* `categories`: the categories that it will be shown under. Choose at least one category from the list [here](#categories). Further, choose the categories from the list of languages available [here](https://github.com/github/linguist/blob/master/lib/linguist/languages.yml). When a user views the available templates, those templates that match the same language will feature more prominently. ### Categories * continuous-integration From be437f0ba596ba083693bc5a928c5bf6f40fda88 Mon Sep 17 00:00:00 2001 From: aparna-ravindra Date: Tue, 17 Aug 2021 14:09:22 +0530 Subject: [PATCH 026/844] fixing typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index da863fe4b9..4b5b9f879d 100644 --- a/README.md +++ b/README.md 
@@ -25,7 +25,7 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`. * `name`: the name shown in onboarding. This property is unique within the repository. * `description`: the description shown in onboarding -* `iconName`: the icon name in the relevant folder, for example `django` should have an icon `icons/django.svg`. Only SVG is supported at this time. Another option is to use [octicon](https://primer.style/octicons/). The format to use an octicon is `octicon <>`. Example: `octicon person` +* `iconName`: the icon name in the relevant folder, for example, `django` should have an icon `icons/django.svg`. Only SVG is supported at this time. Another option is to use [octicon](https://primer.style/octicons/). The format to use an octicon is `octicon <>`. Example: `octicon person` * `creator`: creator of the template shown in onboarding. All the workflow templates from an author will have the same `creator` field. * `categories`: the categories that it will be shown under. Choose at least one category from the list [here](#categories). Further, choose the categories from the list of languages available [here](https://github.com/github/linguist/blob/master/lib/linguist/languages.yml). When a user views the available templates, those templates that match the same language will feature more prominently. From 69184c7484fdc04189ae93557415ca14959cd5a7 Mon Sep 17 00:00:00 2001 From: Yoni Leitersdorf Date: Tue, 17 Aug 2021 07:29:02 -0700 Subject: [PATCH 027/844] Added Cloudrail according to instructions and existing examples --- code-scanning/properties/codeql.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index cb9305a9a1..f4db27757c 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json 
@@ -1,6 +1,6 @@ { "name": "CodeQL Analysis", - "creator": "GitHub", + "creator": "Indeni", "description": "Security analysis from GitHub for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.", "iconName": "octicon mark-github", "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python"] From 188b52b51c31ac79b948c3b4a656b097920e9fe6 Mon Sep 17 00:00:00 2001 From: Yoni Leitersdorf Date: Tue, 17 Aug 2021 07:29:29 -0700 Subject: [PATCH 028/844] Adding Cloudrail according to documentation and examples --- code-scanning/cloudrail.yml | 58 +++++++++++++++++++ .../properties/cloudrail.properties.json | 7 +++ icons/cloudrail.svg | 53 +++++++++++++++++ 3 files changed, 118 insertions(+) create mode 100644 code-scanning/cloudrail.yml create mode 100644 code-scanning/properties/cloudrail.properties.json create mode 100644 icons/cloudrail.svg diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml new file mode 100644 index 0000000000..474b97a3f1 --- /dev/null +++ b/code-scanning/cloudrail.yml 
@@ -0,0 +1,58 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: cloudrail + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + cloudrail: + name: Run Indeni Cloudrail on Terraform code with SARIF output + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Clone repo + uses: actions/checkout@v2 + + # For Terraform, Cloudrail requires the plan as input. So we generate it using + # the Terraform core binary. + - uses: hashicorp/setup-terraform@v1 + with: + terraform_version: v0.13.2 + + - run: terraform init + + - run: terraform plan -out=plan.out + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + # Confirm we have the plan file + - run: stat plan.out + + - name: Run Cloudrail + uses: indeni/cloudrail-run-ga@v1.3 + with: + tf-plan-file: plan.out # This was created in a "terraform plan" step + cloudrail-api-key: ${{ secrets.CLOUDRAIL_API_KEY }} # This requires registration to Indeni Cloudrail's SaaS at https://web.cloudrail.app + cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + # Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always() + # is needed to ensure the SARIF file is uploaded + if: always() + with: + sarif_file: cloudrail_results.sarif diff --git a/code-scanning/properties/cloudrail.properties.json b/code-scanning/properties/cloudrail.properties.json new file mode 100644 index 0000000000..36181c2735 --- /dev/null 
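Review bot: The `terraform plan` step hands the long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets to Terraform code taken from the triggering `push`/`pull_request` branch, and `terraform init`/`plan` can execute provider plugins and any `external` data source that branch declares, so anyone who can open a same-repository PR can read or exfiltrate those keys (fork PRs receive no secrets, but then the plan step simply fails). Since `cloud-account-id` is left empty for static analysis, the template should either drop the cloud credentials in that mode or state that they must be a least-privilege, read-only identity, ideally short-lived rather than a static key pair; a comment above the `env:` block such as `# Only needed if providers/data sources read remote state during plan; use a read-only, short-lived identity, never account-wide keys` would make that explicit. The third-party steps are referenced by mutable tags (`hashicorp/setup-terraform@v1`, `indeni/cloudrail-run-ga@v1.3`) and are exactly the steps that receive the AWS secrets and `CLOUDRAIL_API_KEY`, so pinning them to a full-length commit SHA is the safer default for a job that already holds `security-events: write`. Two small things: `cloud-account-id:` with no value parses as YAML null rather than an empty string (`cloud-account-id: ''` is unambiguous), and the comment on that line misspells "Analysis".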
+++ b/code-scanning/properties/cloudrail.properties.json @@ -0,0 +1,7 @@ +{ + "name": "cloudrail", + "creator": "Indeni Cloudrail", + "description": "Cloudrail, by Indeni, can be used to scan your infrastructure-as-code files for potential security and compliance issues. The Cloudrail action is often used as part of both CI workflows (on pull_request) and on CD workflows to identify potential issues. Cloudrail's output uses the SARIF format, which will surface the scan's results directly inside your pull request.", + "iconName": "cloudrail", + "categories": ["Code Scanning", "HCL"] +} diff --git a/icons/cloudrail.svg b/icons/cloudrail.svg new file mode 100644 index 0000000000..9aaf9c3d60 --- /dev/null +++ b/icons/cloudrail.svg @@ -0,0 +1,53 @@ + + + + + + + + + + + + + + From 98bde3b31e53b969eeabcb5a94e5461d3fa0664c Mon Sep 17 00:00:00 2001 From: Yoni Leitersdorf Date: Tue, 17 Aug 2021 07:32:50 -0700 Subject: [PATCH 029/844] Oops --- code-scanning/properties/codeql.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index f4db27757c..cb9305a9a1 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -1,6 +1,6 @@ { "name": "CodeQL Analysis", - "creator": "Indeni", + "creator": "GitHub", "description": "Security analysis from GitHub for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.", "iconName": "octicon mark-github", "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python"] From 8bec7d688737fc8c71bd141d429b55f2ced9065c Mon Sep 17 00:00:00 2001 From: rui Date: Wed, 18 Aug 2021 19:28:16 -0400 Subject: [PATCH 030/844] go: use go1.17 (#1045) Signed-off-by: Rui Chen Co-authored-by: Josh Gross --- ci/go.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ci/go.yml b/ci/go.yml index 22a110a426..afff652f99 100644 --- a/ci/go.yml +++ b/ci/go.yml @@ -16,7 +16,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v2 with: - go-version: 1.16 + go-version: 1.17 - name: Build run: go build -v ./... From 07d3c6475745417e7b9c26f6689876ccf11675ab Mon Sep 17 00:00:00 2001 From: Robin Neatherway Date: Thu, 19 Aug 2021 12:42:33 +0100 Subject: [PATCH 031/844] Minor grammar fix --- code-scanning/properties/devskim.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/devskim.properties.json b/code-scanning/properties/devskim.properties.json index 0eab5c68f5..40fd52b0c2 100644 --- a/code-scanning/properties/devskim.properties.json +++ b/code-scanning/properties/devskim.properties.json @@ -1,7 +1,7 @@ { "name": "DevSkim", "creator": "Microsoft CST-E", - "description": "DevSkim is security linter that highlights common security issues in source code.", + "description": "DevSkim is a security linter that highlights common security issues in source code.", "iconName": "cst-logo", "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python", "Powershell", "Cobol", "Objective C", "PHP", "Ruby", "Rust", "SQL", "Swift", "Visual Basic"] } From 671fc9a635ceb98715aa869d6172317da7bb3b33 Mon Sep 17 00:00:00 2001 From: aparna-ravindra Date: Mon, 23 Aug 2021 11:00:59 +0530 Subject: [PATCH 032/844] deployment as a category in properties.json --- ci/properties/alibabacloud.properties.json | 2 +- ci/properties/aws.properties.json | 2 +- ci/properties/azure.properties.json | 2 +- ci/properties/google.properties.json | 2 +- ci/properties/ibm.properties.json | 2 +- ci/properties/openshift.properties.json | 2 +- ci/properties/tencent.properties.json | 2 +- ci/properties/terraform.properties.json | 2 +- script/sync-ghes/index.ts | 15 +++++++++------ script/sync-ghes/settings.json | 10 ++++++++++ 10 files changed, 27 insertions(+), 14 deletions(-) 
diff --git a/ci/properties/alibabacloud.properties.json b/ci/properties/alibabacloud.properties.json index bbee6dfaab..f1e33f28c3 100644 --- a/ci/properties/alibabacloud.properties.json +++ b/ci/properties/alibabacloud.properties.json @@ -3,5 +3,5 @@ "description": "Deploy a container to Alibaba Cloud Container Service for Kubernetes (ACK).", "creator": "Alibaba Cloud", "iconName": "alibabacloud", - "categories": null + "categories": ["deployment"] } diff --git a/ci/properties/aws.properties.json b/ci/properties/aws.properties.json index b80775f1a7..33c3064f15 100644 --- a/ci/properties/aws.properties.json +++ b/ci/properties/aws.properties.json @@ -3,5 +3,5 @@ "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.", "creator": "Amazon Web Services", "iconName": "aws", - "categories": null + "categories": ["deployment"] } \ No newline at end of file diff --git a/ci/properties/azure.properties.json b/ci/properties/azure.properties.json index fd9d0d8630..4970936400 100644 --- a/ci/properties/azure.properties.json +++ b/ci/properties/azure.properties.json @@ -3,5 +3,5 @@ "description": "Build a Node.js project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": null + "categories": ["deployment"] } \ No newline at end of file diff --git a/ci/properties/google.properties.json b/ci/properties/google.properties.json index e2d917d3fa..ed69c5e97b 100644 --- a/ci/properties/google.properties.json +++ b/ci/properties/google.properties.json @@ -3,5 +3,5 @@ "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", "creator": "Google Cloud", "iconName": "googlegke", - "categories": null + "categories": ["deployment"] } \ No newline at end of file diff --git a/ci/properties/ibm.properties.json b/ci/properties/ibm.properties.json index cfd03835e4..0c1efdcbbd 100644 --- a/ci/properties/ibm.properties.json 
+++ b/ci/properties/ibm.properties.json @@ -3,5 +3,5 @@ "description": "Build a docker container, publish it to IBM Cloud Container Registry, and deploy to IBM Cloud Kubernetes Service.", "creator": "IBM", "iconName": "ibm", - "categories": null + "categories": ["deployment"] } \ No newline at end of file diff --git a/ci/properties/openshift.properties.json b/ci/properties/openshift.properties.json index 53538c716e..d500aa9009 100644 --- a/ci/properties/openshift.properties.json +++ b/ci/properties/openshift.properties.json @@ -3,5 +3,5 @@ "description": "Build a Docker-based project and deploy it to OpenShift.", "creator": "Red Hat", "iconName": "openshift", - "categories": [ "Dockerfile" ] + "categories": [ "deployment", "Dockerfile" ] } diff --git a/ci/properties/tencent.properties.json b/ci/properties/tencent.properties.json index ba579a19e2..465073e2b3 100644 --- a/ci/properties/tencent.properties.json +++ b/ci/properties/tencent.properties.json @@ -3,5 +3,5 @@ "description": "This workflow will build a docker container, publish and deploy it to Tencent Kubernetes Engine (TKE).", "creator": "Tencent Cloud", "iconName": "tencentcloud", - "categories": null + "categories": ["deployment"] } \ No newline at end of file diff --git a/ci/properties/terraform.properties.json b/ci/properties/terraform.properties.json index bfeabdf3e9..9929d33da9 100644 --- a/ci/properties/terraform.properties.json +++ b/ci/properties/terraform.properties.json @@ -3,5 +3,5 @@ "description": "Set up Terraform CLI in your GitHub Actions workflow.", "creator": "HashiCorp", "iconName": "terraform", - "categories": null + "categories": ["deployment"] } diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 0fa34400bb..ea67432176 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -19,6 +19,8 @@ interface WorkflowProperties { iconName?: string; categories: string[] | null; + + creator?: string; } interface WorkflowsCheckResult { 
@@ -28,12 +30,14 @@ interface WorkflowsCheckResult { async function checkWorkflows( folders: string[], - enabledActions: string[] + enabledActions: string[], + partners: string[] ): Promise { const result: WorkflowsCheckResult = { compatibleWorkflows: [], incompatibleWorkflows: [], }; + const partnersSet = new Set(partners.map((x) => x.toLowerCase())); for (const folder of folders) { const dir = await fs.readdir(folder, { @@ -51,11 +55,10 @@ async function checkWorkflows( )); const iconName: string | undefined = workflowProperties["iconName"]; - const isBlankTemplate = workflowId === "blank"; - const partnerWorkflow = workflowProperties.categories === null; + const partnerWorkflow = workflowProperties.creator ? partnersSet.has(workflowProperties.creator.toLowerCase()) : false; const enabled = - (isBlankTemplate || !partnerWorkflow) && + !partnerWorkflow && (await checkWorkflow(workflowFilePath, enabledActions)); const workflowDesc: WorkflowDesc = { @@ -90,7 +93,6 @@ async function checkWorkflow( ): Promise { // Create set with lowercase action names for easier, case-insensitive lookup const enabledActionsSet = new Set(enabledActions.map((x) => x.toLowerCase())); - try { const workflowFileContent = await fs.readFile(workflowPath, "utf8"); const workflow = safeLoad(workflowFileContent); @@ -126,7 +128,8 @@ async function checkWorkflow( const result = await checkWorkflows( settings.folders, - settings.enabledActions + settings.enabledActions, + settings.partners ); console.group( diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index 050ea0a742..60b70ed245 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -16,5 +16,15 @@ "actions/starter-workflows", "actions/upload-artifact", "actions/upload-release-asset" + ], + "partners": [ + "Alibaba Cloud", + "Amazon Web Services", + "Microsoft Azure", + "Google Cloud", + "IBM", + "Red Hat", + "Tencent Cloud", + "HashiCorp" ] } 
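Review bot: `checkWorkflows` now dereferences the new `partners` argument unconditionally in `partners.map(...)`, so a `settings.json` that predates the `partners` key (or any caller that omits it) fails with a TypeError instead of degrading gracefully; `const partnersSet = new Set((partners ?? []).map((x) => x.toLowerCase()));` keeps the script robust to that. The partner check also replaces the old `categories === null` signal with a case-insensitive match on the free-text `creator` field, so a template whose `creator` spelling drifts from the entry in `settings.partners` silently stops being treated as a partner workflow and becomes eligible for GHES sync, which deserves a comment on the `partnerWorkflow` line, e.g. `// creator must match settings.partners exactly (case-insensitive); a mismatch enables the workflow on GHES`. The `isBlankTemplate` exemption has been dropped, so the blank template is now gated by `checkWorkflow` like every other template; that is presumably intended, but it is a behaviour change the commit message does not mention. `checkWorkflows`' body continues outside the hunk.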
From b2ac199660644065c2468dbf53cf85811f6d07de Mon Sep 17 00:00:00 2001 From: aparna-ravindra Date: Mon, 23 Aug 2021 11:08:57 +0530 Subject: [PATCH 033/844] reordering categories --- ci/properties/openshift.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/properties/openshift.properties.json b/ci/properties/openshift.properties.json index d500aa9009..1bc2ecabcb 100644 --- a/ci/properties/openshift.properties.json +++ b/ci/properties/openshift.properties.json @@ -3,5 +3,5 @@ "description": "Build a Docker-based project and deploy it to OpenShift.", "creator": "Red Hat", "iconName": "openshift", - "categories": [ "deployment", "Dockerfile" ] + "categories": ["Dockerfile","deployment" ] } From f5724905e59be4fea1e9005c20734660e07c36fe Mon Sep 17 00:00:00 2001 From: aparna-ravindra Date: Mon, 23 Aug 2021 12:47:22 +0530 Subject: [PATCH 034/844] capitalizing category --- ci/properties/alibabacloud.properties.json | 2 +- ci/properties/aws.properties.json | 2 +- ci/properties/azure.properties.json | 2 +- ci/properties/google.properties.json | 2 +- ci/properties/ibm.properties.json | 2 +- ci/properties/openshift.properties.json | 2 +- ci/properties/tencent.properties.json | 2 +- ci/properties/terraform.properties.json | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/ci/properties/alibabacloud.properties.json b/ci/properties/alibabacloud.properties.json index f1e33f28c3..1ce285fc8c 100644 --- a/ci/properties/alibabacloud.properties.json +++ b/ci/properties/alibabacloud.properties.json @@ -3,5 +3,5 @@ "description": "Deploy a container to Alibaba Cloud Container Service for Kubernetes (ACK).", "creator": "Alibaba Cloud", "iconName": "alibabacloud", - "categories": ["deployment"] + "categories": ["Deployment"] } diff --git a/ci/properties/aws.properties.json b/ci/properties/aws.properties.json index 33c3064f15..10a7ed34f7 100644 --- a/ci/properties/aws.properties.json +++ b/ci/properties/aws.properties.json 
@@ -3,5 +3,5 @@ "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.", "creator": "Amazon Web Services", "iconName": "aws", - "categories": ["deployment"] + "categories": ["Deployment"] } \ No newline at end of file diff --git a/ci/properties/azure.properties.json b/ci/properties/azure.properties.json index 4970936400..362d5d13b5 100644 --- a/ci/properties/azure.properties.json +++ b/ci/properties/azure.properties.json @@ -3,5 +3,5 @@ "description": "Build a Node.js project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["deployment"] + "categories": ["Deployment"] } \ No newline at end of file diff --git a/ci/properties/google.properties.json b/ci/properties/google.properties.json index ed69c5e97b..c7f216fc01 100644 --- a/ci/properties/google.properties.json +++ b/ci/properties/google.properties.json @@ -3,5 +3,5 @@ "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", "creator": "Google Cloud", "iconName": "googlegke", - "categories": ["deployment"] + "categories": ["Deployment"] } \ No newline at end of file diff --git a/ci/properties/ibm.properties.json b/ci/properties/ibm.properties.json index 0c1efdcbbd..42196907de 100644 --- a/ci/properties/ibm.properties.json +++ b/ci/properties/ibm.properties.json @@ -3,5 +3,5 @@ "description": "Build a docker container, publish it to IBM Cloud Container Registry, and deploy to IBM Cloud Kubernetes Service.", "creator": "IBM", "iconName": "ibm", - "categories": ["deployment"] + "categories": ["Deployment"] } \ No newline at end of file diff --git a/ci/properties/openshift.properties.json b/ci/properties/openshift.properties.json index 1bc2ecabcb..54948c2bb6 100644 --- a/ci/properties/openshift.properties.json +++ b/ci/properties/openshift.properties.json 
@@ -3,5 +3,5 @@ "description": "Build a Docker-based project and deploy it to OpenShift.", "creator": "Red Hat", "iconName": "openshift", - "categories": ["Dockerfile","deployment" ] + "categories": ["Dockerfile","Deployment" ] } diff --git a/ci/properties/tencent.properties.json b/ci/properties/tencent.properties.json index 465073e2b3..32d0da71d8 100644 --- a/ci/properties/tencent.properties.json +++ b/ci/properties/tencent.properties.json @@ -3,5 +3,5 @@ "description": "This workflow will build a docker container, publish and deploy it to Tencent Kubernetes Engine (TKE).", "creator": "Tencent Cloud", "iconName": "tencentcloud", - "categories": ["deployment"] + "categories": ["Deployment"] } \ No newline at end of file diff --git a/ci/properties/terraform.properties.json b/ci/properties/terraform.properties.json index 9929d33da9..12afabe7ac 100644 --- a/ci/properties/terraform.properties.json +++ b/ci/properties/terraform.properties.json @@ -3,5 +3,5 @@ "description": "Set up Terraform CLI in your GitHub Actions workflow.", "creator": "HashiCorp", "iconName": "terraform", - "categories": ["deployment"] + "categories": ["Deployment"] } From e56cb5c21591a7ad820f6c22de2e7d212ead898b Mon Sep 17 00:00:00 2001 From: aparna-ravindra Date: Tue, 24 Aug 2021 10:28:09 +0530 Subject: [PATCH 035/844] renaming variable --- script/sync-ghes/index.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index ea67432176..e37eca3e3e 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts 
@@ -55,10 +55,10 @@ async function checkWorkflows( )); const iconName: string | undefined = workflowProperties["iconName"]; - const partnerWorkflow = workflowProperties.creator ? partnersSet.has(workflowProperties.creator.toLowerCase()) : false; + const isPartnerWorkflow = workflowProperties.creator ? partnersSet.has(workflowProperties.creator.toLowerCase()) : false; const enabled = - !partnerWorkflow && + !isPartnerWorkflow && (await checkWorkflow(workflowFilePath, enabledActions)); const workflowDesc: WorkflowDesc = { From 7f3356b05c1b9819637ee9f05e560c498d923489 Mon Sep 17 00:00:00 2001 From: Dmitry Shibanov Date: Tue, 24 Aug 2021 17:31:06 +0300 Subject: [PATCH 036/844] update android, gradle and maven workflows to use caching from setup-java --- ci/android.yml | 1 + ci/gradle.yml | 3 ++- ci/maven.yml | 3 ++- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ci/android.yml b/ci/android.yml index 4bbc689631..3037b9ff1b 100644 --- a/ci/android.yml +++ b/ci/android.yml @@ -18,6 +18,7 @@ jobs: with: java-version: '11' distribution: 'adopt' + cache: gradle - name: Grant execute permission for gradlew run: chmod +x gradlew diff --git a/ci/gradle.yml b/ci/gradle.yml index 6e7e922b22..282983b61f 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -1,4 +1,4 @@ -# This workflow will build a Java project with Gradle +# This workflow will build a Java project with Gradle, cache/restore dependecies # For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle name: Java CI with Gradle @@ -21,6 +21,7 @@ jobs: with: java-version: '11' distribution: 'adopt' + cache: gradle - name: Grant execute permission for gradlew run: chmod +x gradlew - name: Build with Gradle diff --git a/ci/maven.yml b/ci/maven.yml index 923425b43e..90ffc0a13c 100644 --- a/ci/maven.yml +++ b/ci/maven.yml 
@@ -1,4 +1,4 @@ -# This workflow will build a Java project with Maven +# This workflow will build a Java project with Maven, cache/restore dependecies # For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven name: Java CI with Maven @@ -21,5 +21,6 @@ jobs: with: java-version: '11' distribution: 'adopt' + cache: maven - name: Build with Maven run: mvn -B package --file pom.xml From 138cc494633c38a75c8fb68b7b5ed40ebd7b27b0 Mon Sep 17 00:00:00 2001 From: Dmitry Shibanov Date: Tue, 24 Aug 2021 18:25:52 +0300 Subject: [PATCH 037/844] fix documentation for gradle and maven --- ci/gradle.yml | 2 +- ci/maven.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/gradle.yml b/ci/gradle.yml index 282983b61f..5ecabbaa11 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -1,4 +1,4 @@ -# This workflow will build a Java project with Gradle, cache/restore dependecies +# This workflow will build a Java project with Gradle and cache/restore any dependencies to improve the workflow execution time # For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle name: Java CI with Gradle diff --git a/ci/maven.yml b/ci/maven.yml index 90ffc0a13c..ac3b6de431 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -1,4 +1,4 @@ -# This workflow will build a Java project with Maven, cache/restore dependecies +# This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time # For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven name: Java CI with Maven From 680b06affc863e6706b2b56707385cfc4c9534a4 Mon Sep 17 00:00:00 2001 
From: Shubham Tiwari <64764738+tiwarishub@users.noreply.github.com>
Date: Wed, 25 Aug 2021 00:13:11 +0530
Subject: [PATCH 038/844] Update node.js.properties.json
---
 ci/properties/node.js.properties.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ci/properties/node.js.properties.json b/ci/properties/node.js.properties.json
index 6ab4c53072..d584575abe 100644
--- a/ci/properties/node.js.properties.json
+++ b/ci/properties/node.js.properties.json
@@ -2,5 +2,5 @@
 "name": "Node.js",
 "description": "Build and test a Node.js project with npm.",
 "iconName": "nodejs",
- "categories": ["JavaScript", "Node", "Npm"]
+ "categories": ["JavaScript", "Node", "npm"]
 }
From e4eea0ea9c76248066af2849e9890460016f4454 Mon Sep 17 00:00:00 2001
From: Shubham Tiwari <64764738+tiwarishub@users.noreply.github.com>
Date: Wed, 25 Aug 2021 00:17:17 +0530
Subject: [PATCH 039/844] Update npm-publish.properties.json
---
 ci/properties/npm-publish.properties.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ci/properties/npm-publish.properties.json b/ci/properties/npm-publish.properties.json
index d253373b18..764dbf37bb 100644
--- a/ci/properties/npm-publish.properties.json
+++ b/ci/properties/npm-publish.properties.json
@@ -2,5 +2,5 @@
 "name": "Publish Node.js Package",
 "description": "Publishes a Node.js package to npm and GitHub Packages.",
 "iconName": "node-package-transparent",
- "categories": ["JavaScript", "SDLC"]
+ "categories": ["JavaScript", "npm"]
 }
From 973d29b6bf4000cbcfb47cb1b15ecf1fb42b4099 Mon Sep 17 00:00:00 2001
From: Shubham Tiwari <64764738+tiwarishub@users.noreply.github.com>
Date: Wed, 25 Aug 2021 00:17:39 +0530
Subject: [PATCH 040/844] Update gem-push.properties.json
---
 ci/properties/gem-push.properties.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ci/properties/gem-push.properties.json b/ci/properties/gem-push.properties.json
index c54e7b57d6..188d80aa95 100644
--- a/ci/properties/gem-push.properties.json
+++ b/ci/properties/gem-push.properties.json @@ -2,5 +2,5 @@ "name": "Ruby Gem", "description": "Pushes a Ruby Gem to RubyGems and GitHub Package Registry.", "iconName": "ruby-gems", - "categories": ["Ruby", "SDLC"] + "categories": ["Ruby"] } From bb64945011c8c6fc09e043d4e1ac5c87567efb16 Mon Sep 17 00:00:00 2001 From: Shubham Tiwari <64764738+tiwarishub@users.noreply.github.com> Date: Wed, 25 Aug 2021 00:31:52 +0530 Subject: [PATCH 041/844] Update node.js.properties.json --- ci/properties/node.js.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/properties/node.js.properties.json b/ci/properties/node.js.properties.json index d584575abe..557222a652 100644 --- a/ci/properties/node.js.properties.json +++ b/ci/properties/node.js.properties.json @@ -2,5 +2,5 @@ "name": "Node.js", "description": "Build and test a Node.js project with npm.", "iconName": "nodejs", - "categories": ["JavaScript", "Node", "npm"] + "categories": ["JavaScript", "npm"] } From 108dfef5d2f4348e0ce0a0b644a09f65ac2c5941 Mon Sep 17 00:00:00 2001 From: Cadu Ribeiro Date: Mon, 30 Aug 2021 16:42:14 -0300 Subject: [PATCH 042/844] Add a descriptive comment into stale.yml This PR adds a descriptive comment int "stale.yml" so user know what this does and how adjust. This can be helpful because user's can come to this workflow as a template directly from their issue page and this extra content will help them understand what is this. --- automation/stale.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/automation/stale.yml b/automation/stale.yml index 277380bad6..ff88dc0809 100644 --- a/automation/stale.yml +++ b/automation/stale.yml @@ -1,3 +1,8 @@ +# This workflow warns and then closes issues and PRs that have had no activity for a specified amount of time. +# +# You can adjust the behavior by modifying this file. +# For more information, see: +# https://github.com/actions/stale name: Mark stale issues and pull requests on: 
From ac64f9caf525d2edb32be9675873db463c01d1d8 Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Thu, 2 Sep 2021 13:05:24 -0700 Subject: [PATCH 043/844] Secure workflows (#1) (#1072) * Restrict permissions for the GITHUB_TOKEN in .github/workflows/label-feature.yml * Restrict permissions for the GITHUB_TOKEN in .github/workflows/label-support.yml * Restrict permissions for the GITHUB_TOKEN in .github/workflows/stale.yml * Restrict permissions for the GITHUB_TOKEN in .github/workflows/sync_ghes.yaml * Restrict permissions for the GITHUB_TOKEN in .github/workflows/validate-data.yaml Co-authored-by: Step Security Co-authored-by: step-security[bot] <89328102+step-security[bot]@users.noreply.github.com> Co-authored-by: Step Security --- .github/workflows/label-feature.yml | 2 ++ .github/workflows/label-support.yml | 2 ++ .github/workflows/stale.yml | 3 +++ .github/workflows/sync_ghes.yaml | 2 ++ .github/workflows/validate-data.yaml | 2 ++ 5 files changed, 11 insertions(+) diff --git a/.github/workflows/label-feature.yml b/.github/workflows/label-feature.yml index 96ac8c1fff..d13cf877c9 100644 --- a/.github/workflows/label-feature.yml +++ b/.github/workflows/label-feature.yml @@ -5,6 +5,8 @@ on: jobs: build: + permissions: + issues: write runs-on: ubuntu-latest steps: - name: Close Issue diff --git a/.github/workflows/label-support.yml b/.github/workflows/label-support.yml index c6f2aa4de6..ea0f2401cc 100644 --- a/.github/workflows/label-support.yml +++ b/.github/workflows/label-support.yml @@ -5,6 +5,8 @@ on: jobs: build: + permissions: + issues: write runs-on: ubuntu-latest steps: - name: Close Issue diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index c116b932c8..217078a152 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -7,6 +7,9 @@ on: jobs: stale: + permissions: + issues: write + pull-requests: write runs-on: ubuntu-latest steps: 
diff --git a/.github/workflows/sync_ghes.yaml b/.github/workflows/sync_ghes.yaml index a3c298a37f..946218f572 100644 --- a/.github/workflows/sync_ghes.yaml +++ b/.github/workflows/sync_ghes.yaml @@ -7,6 +7,8 @@ on: jobs: sync: + permissions: + contents: write runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 diff --git a/.github/workflows/validate-data.yaml b/.github/workflows/validate-data.yaml index 745bc25eb3..7d5c1ee949 100644 --- a/.github/workflows/validate-data.yaml +++ b/.github/workflows/validate-data.yaml @@ -6,6 +6,8 @@ on: jobs: validate-data: + permissions: + contents: read runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 From 7b64f441651d3005d0849daa72311c22052441d6 Mon Sep 17 00:00:00 2001 
From: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Date: Mon, 6 Sep 2021 11:04:54 +0530 Subject: [PATCH 044/844] Directory for deployments (#1071) * moving deployment templates * including deployment directory in scripts * validate categories script init * introducing scout * introducing workflow * Update validate-categories.yaml * Update validate-categories.yaml * Update validate-categories.yaml * Update validate.rb * Update validate.rb * Update validate.rb * Update validate.rb * Update validate-categories.yaml * Update validate-categories.yaml * Update validate-categories.yaml * Update validate.rb * Update validate-categories.yaml * Update validate-categories.yaml * Create test_comment.yaml * rename * using [enter] * testing newline * test * setting up variable * using echo -e * using join * testing space space new line * setting multi line in echo * removing checkout * setting rows-generator * fixing error * using join * commit * Update test_comment.yaml * escaping pipe * printing debug line * using %0A * Update validate-categories.yaml * Update validate.rb * Update validate.rb * removing debug * removing variable * Update validate.rb * Update validate-categories.yaml * Validate categories comment on pr (#32) * reverting deployment directory * checking for output * Categories validation two workflows (#34) comment on pr in a separate workflow * Categories validation two workflows (#35) using right dir name * Categories validation two workflows (#36) . 
* Categories validation two workflows (#37) fixing typo * adding if conditions * adding try catch * using console instead of echo * equating to upstream * moving deployment templates --- {ci => deployments}/alibabacloud.yml | 0 {ci => deployments}/aws.yml | 0 {ci => deployments}/azure.yml | 0 {ci => deployments}/google.yml | 0 {ci => deployments}/ibm.yml | 0 {ci => deployments}/openshift.yml | 0 {ci => deployments}/properties/alibabacloud.properties.json | 0 {ci => deployments}/properties/aws.properties.json | 0 {ci => deployments}/properties/azure.properties.json | 0 {ci => deployments}/properties/google.properties.json | 0 {ci => deployments}/properties/ibm.properties.json | 0 {ci => deployments}/properties/openshift.properties.json | 0 {ci => deployments}/properties/tencent.properties.json | 0 {ci => deployments}/properties/terraform.properties.json | 0 {ci => deployments}/tencent.yml | 0 {ci => deployments}/terraform.yml | 0 script/sync-ghes/settings.json | 3 ++- script/validate-data/settings.json | 3 ++- 18 files changed, 4 insertions(+), 2 deletions(-) rename {ci => deployments}/alibabacloud.yml (100%) rename {ci => deployments}/aws.yml (100%) rename {ci => deployments}/azure.yml (100%) rename {ci => deployments}/google.yml (100%) rename {ci => deployments}/ibm.yml (100%) rename {ci => deployments}/openshift.yml (100%) rename {ci => deployments}/properties/alibabacloud.properties.json (100%) rename {ci => deployments}/properties/aws.properties.json (100%) rename {ci => deployments}/properties/azure.properties.json (100%) rename {ci => deployments}/properties/google.properties.json (100%) rename {ci => deployments}/properties/ibm.properties.json (100%) rename {ci => deployments}/properties/openshift.properties.json (100%) rename {ci => deployments}/properties/tencent.properties.json (100%) rename {ci => deployments}/properties/terraform.properties.json (100%) rename {ci => deployments}/tencent.yml (100%) rename {ci => deployments}/terraform.yml (100%) 
diff --git a/ci/alibabacloud.yml b/deployments/alibabacloud.yml similarity index 100% rename from ci/alibabacloud.yml rename to deployments/alibabacloud.yml diff --git a/ci/aws.yml b/deployments/aws.yml similarity index 100% rename from ci/aws.yml rename to deployments/aws.yml diff --git a/ci/azure.yml b/deployments/azure.yml similarity index 100% rename from ci/azure.yml rename to deployments/azure.yml diff --git a/ci/google.yml b/deployments/google.yml similarity index 100% rename from ci/google.yml rename to deployments/google.yml diff --git a/ci/ibm.yml b/deployments/ibm.yml similarity index 100% rename from ci/ibm.yml rename to deployments/ibm.yml diff --git a/ci/openshift.yml b/deployments/openshift.yml similarity index 100% rename from ci/openshift.yml rename to deployments/openshift.yml diff --git a/ci/properties/alibabacloud.properties.json b/deployments/properties/alibabacloud.properties.json similarity index 100% rename from ci/properties/alibabacloud.properties.json rename to deployments/properties/alibabacloud.properties.json diff --git a/ci/properties/aws.properties.json b/deployments/properties/aws.properties.json similarity index 100% rename from ci/properties/aws.properties.json rename to deployments/properties/aws.properties.json diff --git a/ci/properties/azure.properties.json b/deployments/properties/azure.properties.json similarity index 100% rename from ci/properties/azure.properties.json rename to deployments/properties/azure.properties.json diff --git a/ci/properties/google.properties.json b/deployments/properties/google.properties.json similarity index 100% rename from ci/properties/google.properties.json rename to deployments/properties/google.properties.json diff --git a/ci/properties/ibm.properties.json b/deployments/properties/ibm.properties.json similarity index 100% rename from ci/properties/ibm.properties.json rename to deployments/properties/ibm.properties.json 
diff --git a/ci/properties/openshift.properties.json b/deployments/properties/openshift.properties.json similarity index 100% rename from ci/properties/openshift.properties.json rename to deployments/properties/openshift.properties.json diff --git a/ci/properties/tencent.properties.json b/deployments/properties/tencent.properties.json similarity index 100% rename from ci/properties/tencent.properties.json rename to deployments/properties/tencent.properties.json diff --git a/ci/properties/terraform.properties.json b/deployments/properties/terraform.properties.json similarity index 100% rename from ci/properties/terraform.properties.json rename to deployments/properties/terraform.properties.json diff --git a/ci/tencent.yml b/deployments/tencent.yml similarity index 100% rename from ci/tencent.yml rename to deployments/tencent.yml diff --git a/ci/terraform.yml b/deployments/terraform.yml similarity index 100% rename from ci/terraform.yml rename to deployments/terraform.yml diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index 60b70ed245..eef1700c99 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -1,7 +1,8 @@ { "folders": [ "../../ci", - "../../automation" + "../../automation", + "../../deployments" ], "enabledActions": [ "actions/checkout", diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index 1913e2fb5b..f7c08cfe96 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json @@ -1,6 +1,7 @@ { "folders": [ "../../ci", - "../../automation" + "../../automation", + "../../deployments" ] } \ No newline at end of file From fc748cc482ce4ec8c9a2766913fc4cb128e0d443 Mon Sep 17 00:00:00 2001 From: Nick Fyson Date: Mon, 6 Sep 2021 15:25:04 +0000 Subject: [PATCH 045/844] add codeql workflow to ghes --- script/sync-ghes/settings.json | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index eef1700c99..e4f50fa00c 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -2,7 +2,8 @@ "folders": [ "../../ci", "../../automation", - "../../deployments" + "../../deployments", + "../../code-scanning" ], "enabledActions": [ "actions/checkout", @@ -16,7 +17,8 @@ "actions/stale", "actions/starter-workflows", "actions/upload-artifact", - "actions/upload-release-asset" + "actions/upload-release-asset", + "github/codeql-action" ], "partners": [ "Alibaba Cloud", From 237e7737cee026d43e44c551a8676c64be6229f5 Mon Sep 17 00:00:00 2001 From: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Date: Wed, 8 Sep 2021 11:52:12 +0530 Subject: [PATCH 046/844] restoring from main (#1078) --- ci/properties/rails-lint.properties.json | 6 +++++ ci/rails-lint.yml | 32 ++++++++++++++++++++++++ 2 files changed, 38 insertions(+) create mode 100644 ci/properties/rails-lint.properties.json create mode 100644 ci/rails-lint.yml diff --git a/ci/properties/rails-lint.properties.json b/ci/properties/rails-lint.properties.json new file mode 100644 index 0000000000..7a109a1ce7 --- /dev/null +++ b/ci/properties/rails-lint.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Rails - Build and Run Linters", + "description": "Build Rails application and run linters", + "iconName": "ruby", + "categories": ["Ruby", "Rails"] +} diff --git a/ci/rails-lint.yml b/ci/rails-lint.yml new file mode 100644 index 0000000000..b2f8832eff --- /dev/null +++ b/ci/rails-lint.yml 
@@ -0,0 +1,32 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# This workflow will download a prebuilt Ruby version, install dependencies, and run linters +name: Build Rails and run linters + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] +jobs: + run-lint: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Setup Ruby and install gems + uses: ruby/setup-ruby@v1 + with: + bundler-cache: true + # Add or Replace any other security checks here + - name: Run security checks + run: | + bin/bundler-audit --update + bin/brakeman -q -w2 + # Add or Replace any other Linters here + - name: Run linters + run: | + bin/rubocop --parallel \ No newline at end of file From 41e3bc11ea093336b770562a40ecc3a635ab0f36 Mon Sep 17 00:00:00 2001 From: Nick Fyson Date: Wed, 8 Sep 2021 07:26:24 +0100 Subject: [PATCH 047/844] Revert "add codeql workflow to ghes branch" --- script/sync-ghes/settings.json | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index e4f50fa00c..eef1700c99 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -2,8 +2,7 @@ "folders": [ "../../ci", "../../automation", - "../../deployments", - "../../code-scanning" + "../../deployments" ], "enabledActions": [ "actions/checkout", @@ -17,8 +16,7 @@ "actions/stale", "actions/starter-workflows", "actions/upload-artifact", - "actions/upload-release-asset", - "github/codeql-action" + "actions/upload-release-asset" ], "partners": [ "Alibaba Cloud", From e6aff964db94e534ef48eb04bdc7eea5e3383d0a Mon Sep 17 00:00:00 2001 
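Review bot: The new `run-lint` job declares no `permissions:` block, so its GITHUB_TOKEN receives the repository's default scopes even though the visible steps only check out code, install gems and run linters. The "Secure workflows" commit earlier in this series adds least-privilege permissions to the repository's own workflows, and this template would match that convention with `permissions:` / `contents: read` on the job. The `Run security checks` step calls `bin/bundler-audit` and `bin/brakeman`, which presumably assumes the consuming project has binstubs for both gems; a comment such as `# Requires bundler-audit and brakeman in the Gemfile with binstubs generated` above the step would make that prerequisite explicit. The file is also added without a trailing newline.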
From: Nick Fyson Date: Wed, 8 Sep 2021 09:54:15 +0100 Subject: [PATCH 048/844] add codeql workflow to ghes --- script/sync-ghes/settings.json | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index eef1700c99..e4f50fa00c 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -2,7 +2,8 @@ "folders": [ "../../ci", "../../automation", - "../../deployments" + "../../deployments", + "../../code-scanning" ], "enabledActions": [ "actions/checkout", @@ -16,7 +17,8 @@ "actions/stale", "actions/starter-workflows", "actions/upload-artifact", - "actions/upload-release-asset" + "actions/upload-release-asset", + "github/codeql-action" ], "partners": [ "Alibaba Cloud", From 7aa19443113884c16be2b6c23964c0205bfbdb6e Mon Sep 17 00:00:00 2001 From: Nick Fyson Date: Wed, 8 Sep 2021 10:08:06 +0100 Subject: [PATCH 049/844] only run ghes sync checks on YML files --- script/sync-ghes/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index e37eca3e3e..95f70c0a28 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -45,7 +45,7 @@ async function checkWorkflows( }); for (const e of dir) { - if (e.isFile()) { + if (e.isFile() && extname(e.name) === ".yml") { const workflowFilePath = join(folder, e.name); const workflowId = basename(e.name, extname(e.name)); const workflowProperties: WorkflowProperties = require(join( From c2cc54a69e8f66b42dbbc3f29898787dba75c896 Mon Sep 17 00:00:00 2001 From: Nick Fyson Date: Wed, 8 Sep 2021 10:28:14 +0100 Subject: [PATCH 050/844] only check nwo of supported actions --- script/sync-ghes/index.ts | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 95f70c0a28..9edc70ee28 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts 
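Review bot: The new `extname(e.name) === ".yml"` filter silently skips any `.yaml` template in the scanned folders, and this same series shows the repository using both spellings for its own workflows (`sync_ghes.yaml`, `validate-data.yaml`), so a `.yaml` starter file would be neither synced nor reported. If only `.yml` is intended for templates, a comment such as `// starter workflows are always .yml; other extensions are ignored on purpose` would make that explicit; otherwise `[".yml", ".yaml"].includes(extname(e.name))` covers both. The enclosing `for` loop and `checkWorkflows` continue outside the hunk.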
@@ -58,7 +58,7 @@ async function checkWorkflows( const isPartnerWorkflow = workflowProperties.creator ? partnersSet.has(workflowProperties.creator.toLowerCase()) : false; const enabled = - !isPartnerWorkflow && + !isPartnerWorkflow && (await checkWorkflow(workflowFilePath, enabledActions)); const workflowDesc: WorkflowDesc = { @@ -104,7 +104,8 @@ async function checkWorkflow( if (!!step.uses) { // Check if allowed action const [actionName, _] = step.uses.split("@"); - if (!enabledActionsSet.has(actionName.toLowerCase())) { + const actionNwo = actionName.split("/").slice(0, 2).join("/"); + if (!enabledActionsSet.has(actionNwo.toLowerCase())) { console.info( `Workflow ${workflowPath} uses '${actionName}' which is not supported for GHES.` ); From 84a9757692582ede3202521198d6167a59fb4b77 Mon Sep 17 00:00:00 2001 From: Ninad Kavimandan Date: Thu, 9 Sep 2021 16:16:31 +0530 Subject: [PATCH 051/844] added `React` and `Angular` as categories to node (#1084) --- ci/properties/node.js.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/properties/node.js.properties.json b/ci/properties/node.js.properties.json index 557222a652..c982d17554 100644 --- a/ci/properties/node.js.properties.json +++ b/ci/properties/node.js.properties.json @@ -2,5 +2,5 @@ "name": "Node.js", "description": "Build and test a Node.js project with npm.", "iconName": "nodejs", - "categories": ["JavaScript", "npm"] + "categories": ["JavaScript", "npm", "React", "Angular"] } From b33f57dde1750be442deab22c2430b07d636cbba Mon Sep 17 00:00:00 2001 From: tmash06 Date: Fri, 10 Sep 2021 04:45:29 +0900 Subject: [PATCH 052/844] Fixed a broken link to actions/upload-a-build-artifact in dotnet-desktop.yml. (#1074) Co-authored-by: Josh Gross --- ci/dotnet-desktop.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index 2e55b15519..0635779417 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml 
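Review bot: `actionName.split("/").slice(0, 2).join("/")` assumes every `uses:` value is an `owner/repo[/path]@ref` reference; for a local action (`./path`) or a `docker://image` reference the derived `actionNwo` is a fragment such as `./path` or `docker:/`, which fails the allowlist lookup and is logged as unsupported. That is probably the intended outcome for starter templates, but a one-line comment above the new line stating that non-marketplace references are deliberately rejected would spare the next reader the derivation. The log message below still prints `actionName` rather than `actionNwo`, which reads fine but should be a deliberate choice. `checkWorkflow` continues outside the hunk.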
@@ -107,7 +107,7 @@ jobs: - name: Remove the pfx run: Remove-Item -path $env:Wap_Project_Directory\$env:Signing_Certificate - # Upload the MSIX package: https://github.com/marketplace/actions/upload-artifact + # Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact - name: Upload build artifacts uses: actions/upload-artifact@v2 with: From b671ee6c7bf976f49aa402423911466d733b218e Mon Sep 17 00:00:00 2001 From: Ruud Senden Date: Mon, 13 Sep 2021 10:13:58 +0200 Subject: [PATCH 053/844] Add original Fortify on Demand workflow --- code-scanning/fortify-on-demand.yml | 92 +++++++++++++++++++ .../fortify-on-demand.properties.json | 7 ++ icons/fortify.svg | 1 + 3 files changed, 100 insertions(+) create mode 100644 code-scanning/fortify-on-demand.yml create mode 100644 code-scanning/properties/fortify-on-demand.properties.json create mode 100644 icons/fortify.svg diff --git a/code-scanning/fortify-on-demand.yml b/code-scanning/fortify-on-demand.yml new file mode 100644 index 0000000000..2baf56bc0d --- /dev/null +++ b/code-scanning/fortify-on-demand.yml 
@@ -0,0 +1,92 @@ +################################################################################################################################################ +# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,# +# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial # +# or contact our sales team, visit microfocus.com/appsecurity. # +# # +# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.# +# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into # +# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against # +# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the # +# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional # +# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. # +################################################################################################################################################ + +name: Fortify on Demand Scan + +# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time +on: + workflow_dispatch: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '24 18 * * 5' + +jobs: + FoD-SAST-Scan: + # Use the appropriate runner for building your source code. + # TODO: Use a Windows runner for .NET projects that use msbuild. 
Additional changes to RUN commands will be required to switch to Windows syntax. + runs-on: ubuntu-latest + + steps: + # Check out source code + - name: Check Out Source Code + uses: actions/checkout@v2 + + # Java 8 required by ScanCentral Client and FoD Uploader(Univeral CI Tool) + - name: Setup Java + uses: actions/setup-java@v1 + with: + java-version: 1.8 + + # Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml. + # TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints: + # ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle). + # ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner. + # ScanCentral has additional options that should be set for PHP and Python projects + # For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation. + # ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/ + - name: Download Fortify ScanCentral Client + uses: fortify/gha-setup-scancentral-client@v1 + - name: Package Code + Dependencies + run: scancentral package $PACKAGE_OPTS -o package.zip + env: + PACKAGE_OPTS: "-bt mvn" + + # Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java + # TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints: + # Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used). + # Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal. 
+ - name: Download Fortify on Demand Universal CI Tool + uses: fortify/gha-setup-fod-uploader@v1 + - name: Perform SAST Scan + run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES" + env: + FOD_TENANT: ${{ secrets.FOD_TENANT }} + FOD_USER: ${{ secrets.FOD_USER }} + FOD_PAT: ${{ secrets.FOD_PAT }} + FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }} + FOD_URL: "https://ams.fortify.com/" + FOD_API_URL: "https://api.ams.fortify.com/" + FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" + FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})' + + # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. + # TODO: Review Action inputs. For most users, these will be the same as used in the Perform SAST Scan step. + - name: Download Results + uses: fortify/gha-fod-generate-sarif@1.1.0 + with: + base-url: https://ams.fortify.com + tenant: ${{ secrets.FOD_TENANT }} + user: ${{ secrets.FOD_USER }} + password: ${{ secrets.FOD_PAT }} + release-id: ${{ secrets.FOD_RELEASE_ID }} + output: ./sarif/output.sarif + + # Import Fortify on Demand results to GitHub Security Code Scanning + - name: Import Results + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ./sarif/output.sarif diff --git a/code-scanning/properties/fortify-on-demand.properties.json b/code-scanning/properties/fortify-on-demand.properties.json new file mode 100644 index 0000000000..5a7ee5ec40 --- /dev/null +++ b/code-scanning/properties/fortify-on-demand.properties.json 
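Review bot: `java-version: 1.8` in the Setup Java step is an unquoted YAML float, so a generic YAML parser passes the number 1.8 rather than the string "1.8" to the action; quoting it as `java-version: '1.8'`, the form the repository's other templates use (`java-version: '11'` in ci/maven.yml), avoids the implicit-typing surprise. In the Perform SAST Scan step the personal access token is supplied as a positional argument (`"$FOD_PAT"`) on the `java -jar` command line, so it is exposed in the job's process arguments rather than only in the masked environment; if the uploader can read the credential from an environment variable or file, that form would be preferable, and otherwise a comment noting the trade-off would help. The same step also hard-codes `FOD_URL` and `FOD_API_URL` to one datacenter while the TODO above it only mentions credentials and release id, so the TODO should say the URLs may need changing too.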
@@ -0,0 +1,7 @@ +{ + "name": "Fortify on Demand Scan", + "creator": "Micro Focus", + "description": "Integrate Fortify's comprehensive static code analysis (SAST) for 27+ languages into your DevSecOps workflows to build secure software faster.", + "iconName": "fortify", + "categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Go", "HTML", "Java", "JavaScript", "JSP", "Kotlin", "MXML", "Objective C", "PHP", "PL/SQL", "Python", "Ruby", "Scala", "Swift", "T-SQL", "TypeScript", "VBScript", "VB.NET", "Visual Basic", "XML"] +} diff --git a/icons/fortify.svg b/icons/fortify.svg new file mode 100644 index 0000000000..45a0d77f57 --- /dev/null +++ b/icons/fortify.svg @@ -0,0 +1 @@ + \ No newline at end of file From 99fae1ecb1b2463b453bd35393072e8385772cb2 Mon Sep 17 00:00:00 2001 From: Ruud Senden Date: Mon, 13 Sep 2021 10:29:38 +0200 Subject: [PATCH 054/844] Update Fortify on Demand workflow --- code-scanning/fortify-on-demand.yml | 34 ++++++++++++++--------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/code-scanning/fortify-on-demand.yml b/code-scanning/fortify-on-demand.yml index 2baf56bc0d..4e3c3b6408 100644 --- a/code-scanning/fortify-on-demand.yml +++ b/code-scanning/fortify-on-demand.yml @@ -17,10 +17,7 @@ name: Fortify on Demand Scan on: workflow_dispatch: push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] + branches: [ $default-branch ] schedule: - cron: '24 18 * * 5' 
@@ -29,13 +26,18 @@ jobs: # Use the appropriate runner for building your source code. # TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax. runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write steps: # Check out source code - name: Check Out Source Code uses: actions/checkout@v2 - # Java 8 required by ScanCentral Client and FoD Uploader(Univeral CI Tool) + # Java is required to run the various Fortify utilities. + # When scanning a Java application, please use the appropriate Java version for building your application. - name: Setup Java uses: actions/setup-java@v1 with: 
@@ -64,29 +66,27 @@ jobs: - name: Perform SAST Scan run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES" env: + FOD_URL: "https://ams.fortify.com/" + FOD_API_URL: "https://api.ams.fortify.com/" FOD_TENANT: ${{ secrets.FOD_TENANT }} FOD_USER: ${{ secrets.FOD_USER }} FOD_PAT: ${{ secrets.FOD_PAT }} FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }} - FOD_URL: "https://ams.fortify.com/" - FOD_API_URL: "https://api.ams.fortify.com/" FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})' # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. - # TODO: Review Action inputs. For most users, these will be the same as used in the Perform SAST Scan step. - - name: Download Results - uses: fortify/gha-fod-generate-sarif@1.1.0 + - name: Export results to GitHub-optimized SARIF + uses: fortify/gha-export-vulnerabilities@v1 with: - base-url: https://ams.fortify.com - tenant: ${{ secrets.FOD_TENANT }} - user: ${{ secrets.FOD_USER }} - password: ${{ secrets.FOD_PAT }} - release-id: ${{ secrets.FOD_RELEASE_ID }} - output: ./sarif/output.sarif + fod_base_url: "https://ams.fortify.com/" + fod_tenant: ${{ secrets.FOD_TENANT }} + fod_user: ${{ secrets.FOD_USER }} + fod_password: ${{ secrets.FOD_PAT }} + fod_release_id: ${{ secrets.FOD_RELEASE_ID }} # Import Fortify on Demand results to GitHub Security Code Scanning - name: Import Results uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: ./sarif/output.sarif + sarif_file: ./gh-fortify-sast.sarif From 028df69d88fa6b986e3ec1f52b4ae52300e87c5a Mon Sep 17 00:00:00 2001 
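Review bot: The new `fortify/gha-export-vulnerabilities@v1` step is handed the FoD tenant, user and PAT, yet it is referenced by a mutable major tag, so anyone able to retarget that tag runs arbitrary code with those credentials on the next scheduled run; pin it to a full commit SHA and note the release in a trailing comment, e.g. `uses: fortify/gha-export-vulnerabilities@<commit-sha>  # v1.<release>`, filling in the hash for the v1 release you validated. Separately, `"$FOD_PAT"` is passed as a positional argument on the `java -jar` command line, so the token sits in the step's process argument list rather than only in its environment; if the uploader accepts the token from an environment variable or file (not visible from this hunk), prefer that path. The reordering of `FOD_URL`/`FOD_API_URL` within `env:` is cosmetic and fine.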
From: Ashwin Sangem Date: Tue, 14 Sep 2021 08:04:52 +0530 Subject: [PATCH 055/844] Added support for Java Frameworks, Spring and JSF to CI Templates. (#1087) --- ci/properties/gradle-publish.properties.json | 2 +- ci/properties/gradle.properties.json | 2 +- ci/properties/maven-publish.properties.json | 2 +- ci/properties/maven.properties.json | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ci/properties/gradle-publish.properties.json b/ci/properties/gradle-publish.properties.json index 90b7295585..3ec3f4f1cd 100644 --- a/ci/properties/gradle-publish.properties.json +++ b/ci/properties/gradle-publish.properties.json @@ -2,5 +2,5 @@ "name": "Publish Java Package with Gradle", "description": "Build a Java Package using Gradle and publish to GitHub Packages.", "iconName": "gradle", - "categories": ["Java", "Gradle"] + "categories": ["Java", "Gradle", "Spring", "JSF"] } \ No newline at end of file diff --git a/ci/properties/gradle.properties.json b/ci/properties/gradle.properties.json index bfe1a6f045..c90f78f88e 100644 --- a/ci/properties/gradle.properties.json +++ b/ci/properties/gradle.properties.json @@ -2,5 +2,5 @@ "name": "Java with Gradle", "description": "Build and test a Java project using a Gradle wrapper script.", "iconName": "gradle", - "categories": ["Java", "Gradle"] + "categories": ["Java", "Gradle", "Spring", "JSF"] } diff --git a/ci/properties/maven-publish.properties.json b/ci/properties/maven-publish.properties.json index 2f59f41478..41f29159ee 100644 --- a/ci/properties/maven-publish.properties.json +++ b/ci/properties/maven-publish.properties.json @@ -2,5 +2,5 @@ "name": "Publish Java Package with Maven", "description": "Build a Java Package using Maven and publish to GitHub Packages.", "iconName": "maven", - "categories": ["Java", "Maven"] + "categories": ["Java", "Maven", "Spring", "JSF"] } \ No newline at end of file 
diff --git a/ci/properties/maven.properties.json b/ci/properties/maven.properties.json index e322d04152..408647017f 100644 --- a/ci/properties/maven.properties.json +++ b/ci/properties/maven.properties.json @@ -2,5 +2,5 @@ "name": "Java with Maven", "description": "Build and test a Java project with Apache Maven.", "iconName": "maven", - "categories": ["Java", "Maven"] + "categories": ["Java", "Maven", "Spring", "JSF"] } From 6d89fb8045968bc5f12cd8989b25a9b6d04cfb3a Mon Sep 17 00:00:00 2001 From: Ruud Senden Date: Tue, 14 Sep 2021 08:56:36 +0200 Subject: [PATCH 056/844] Update Fortify on Demand supported languages --- code-scanning/properties/fortify-on-demand.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/fortify-on-demand.properties.json b/code-scanning/properties/fortify-on-demand.properties.json index 5a7ee5ec40..100b4bb1b3 100644 --- a/code-scanning/properties/fortify-on-demand.properties.json +++ b/code-scanning/properties/fortify-on-demand.properties.json @@ -3,5 +3,5 @@ "creator": "Micro Focus", "description": "Integrate Fortify's comprehensive static code analysis (SAST) for 27+ languages into your DevSecOps workflows to build secure software faster.", "iconName": "fortify", - "categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Go", "HTML", "Java", "JavaScript", "JSP", "Kotlin", "MXML", "Objective C", "PHP", "PL/SQL", "Python", "Ruby", "Scala", "Swift", "T-SQL", "TypeScript", "VBScript", "VB.NET", "Visual Basic", "XML"] + "categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Go", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "Objective-C++", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML"] } 
From 30715e86a480f31a76cecd9b66c04fd1de636d73 Mon Sep 17 00:00:00 2001 From: Ruud Senden Date: Tue, 14 Sep 2021 09:06:33 +0200 Subject: [PATCH 057/844] Add 3rd-party GitHub Actions disclaimer --- code-scanning/fortify-on-demand.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/code-scanning/fortify-on-demand.yml b/code-scanning/fortify-on-demand.yml index 4e3c3b6408..da200a602c 100644 --- a/code-scanning/fortify-on-demand.yml +++ b/code-scanning/fortify-on-demand.yml @@ -1,3 +1,8 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + ################################################################################################################################################ # Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,# # dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial # From 48e2865d35bc0e139da46143e78789a0ff753060 Mon Sep 17 00:00:00 2001 From: Tim Etchells Date: Tue, 14 Sep 2021 11:11:27 -0700 Subject: [PATCH 058/844] Update OpenShift workflow to use GHCR by default (#6) - Simplifies required configuration since a registry account is now optional - Update a variety of comments - Use tools-installer to install oc - Other small changes towards a better UX Signed-off-by: Tim Etchells --- deployments/openshift.yml | 149 ++++++++++++++++++++------------------ 1 file changed, 78 insertions(+), 71 deletions(-) diff --git a/deployments/openshift.yml b/deployments/openshift.yml index ec5e0fb0bf..fd090a8197 100644 --- a/deployments/openshift.yml +++ b/deployments/openshift.yml 
@@ -3,61 +3,57 @@ # separate terms of service, privacy policy, and support # documentation. -### The OpenShift Starter workflow will: +# 💁 The OpenShift Starter workflow will: # - Checkout your repository -# - Perform a Docker build -# - Push the built image to an image registry +# - Perform a container image build +# - Push the built image to the GitHub Container Registry (GHCR) # - Log in to your OpenShift cluster -# - Create an OpenShift app from the image and expose it to the internet. - -### Before you begin: -# - Have write access to a container image registry such as quay.io or Dockerhub. -# - Have access to an OpenShift cluster. -# - For instructions to get started with OpenShift see https://www.openshift.com/try -# - The project you wish to add this workflow to should have a Dockerfile. -# - If you don't have a Dockerfile at the repository root, see the buildah-build step. -# - Builds from scratch are also available, but require more configuration. - -### To get the workflow running: -# 1. Add this workflow to your repository. -# 2. Edit the top-level 'env' section, which contains a list of environment variables that must be configured. -# 3. Create the secrets referenced in the 'env' section under your repository Settings. -# 4. Edit the 'branches' in the 'on' section to trigger the workflow on a push to your branch. -# 5. Commit and push your changes. - -# For a more sophisticated example, see https://github.com/redhat-actions/spring-petclinic/blob/main/.github/workflows/petclinic-sample.yaml -# Also see our GitHub organization, https://github.com/redhat-actions/ -# ▶️ See a video of how to set up this workflow at https://www.youtube.com/watch?v=6hgBO-1pKho +# - Create an OpenShift app from the image and expose it to the internet + +# ℹ️ Configure your repository and the workflow with the following steps: +# 1. Have access to an OpenShift cluster. Refer to https://www.openshift.com/try +# 2. 
Create the OPENSHIFT_SERVER and OPENSHIFT_TOKEN repository secrets. Refer to: +# - https://github.com/redhat-actions/oc-login#readme +# - https://docs.github.com/en/actions/reference/encrypted-secrets +# - https://cli.github.com/manual/gh_secret_set +# 3. (Optional) Edit the top-level 'env' section as marked with '🖊️' if the defaults are not suitable for your project. +# 4. (Optional) Edit the build-image step to build your project. +# The default build type is by using a Dockerfile at the root of the repository, +# but can be replaced with a different file, a source-to-image build, or a step-by-step buildah build. +# 5. Commit and push the workflow file to your default branch to trigger a workflow run. + +# 👋 Visit our GitHub organization at https://github.com/redhat-actions/ to see our actions and provide feedback. name: OpenShift -# ⬇️ Modify the fields marked with ⬇️ to fit your project, and create any secrets that are referenced. -# https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets env: - # ⬇️ EDIT with your registry and registry path. - REGISTRY: quay.io/ - # ⬇️ EDIT with your registry username. - REGISTRY_USER: - REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} - - # ⬇️ EDIT to log into your OpenShift cluster and set up the context. + # 🖊️ EDIT your repository secrets to log into your OpenShift cluster and set up the context. # See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values. + # To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }} OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }} + # 🖊️ EDIT to set the kube context's namespace after login. Leave blank to use your user's default namespace. + OPENSHIFT_NAMESPACE: "" + + # 🖊️ EDIT to set a name for your OpenShift app, or a default one will be generated below. 
+ APP_NAME: "" - # ⬇️ EDIT with any additional port your application should expose. - # By default, oc new-app action creates a service to the image's lowest numeric exposed port. + # 🖊️ EDIT with the port your application should be accessible on. + # If the container image exposes *exactly one* port, this can be left blank. + # Refer to the 'port' input of https://github.com/redhat-actions/oc-new-app APP_PORT: "" - # ⬇️ EDIT if you wish to set the kube context's namespace after login. Leave blank to use the default namespace. - OPENSHIFT_NAMESPACE: "" + # 🖊️ EDIT to change the image registry settings. + # Registries such as GHCR, Quay.io, and Docker Hub are supported. + IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} + IMAGE_REGISTRY_USER: ${{ github.actor }} + IMAGE_REGISTRY_PASSWORD: ${{ github.token }} - # If you wish to manually provide the APP_NAME and TAG, set them here, otherwise they will be auto-detected. - APP_NAME: "" - TAG: "" + # 🖊️ EDIT to specify custom tags for the container image, or default tags will be generated below. + IMAGE_TAGS: "" on: - # https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows + # https://docs.github.com/en/actions/reference/events-that-trigger-workflows push: # Edit to the branch(es) you want to build and deploy on each push. branches: [ $default-branch ] 
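Review bot: `IMAGE_REGISTRY_PASSWORD: ${{ github.token }}` and `OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}` live in the workflow-level `env`, which exports both tokens into the process environment of every step, including the third-party build, push and deploy actions that have no need for the other token; keep them out of the global `env` and supply each one only to the step that uses it through that step's `env:` or `with:`. In addition, pushing to ghcr.io with `github.token` needs `packages: write`, and nothing in this hunk declares a `permissions:` block, so the push currently depends on the repository's default token scope; unless it is set outside the hunk, add at job level `permissions:` with `contents: read` and `packages: write` so the token carries exactly what the job needs. The `on:` section continues beyond the hunk.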
@@ -65,32 +61,40 @@ on: jobs: openshift-ci-cd: name: Build and deploy to OpenShift + # ubuntu-20.04 can also be used. runs-on: ubuntu-18.04 environment: production outputs: - ROUTE: ${{ steps.deploy-and-expose.outputs.route }} - SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} + ROUTE: ${{ steps.deploy-and-expose.outputs.route }} + SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} steps: - - name: Check if secrets exists + - name: Check for required secrets uses: actions/github-script@v3 with: script: | const secrets = { - REGISTRY_PASSWORD: `${{ secrets.REGISTRY_PASSWORD }}`, OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`, OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`, }; + const GHCR = "ghcr.io"; + if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) { + core.info(`Image registry is ${GHCR} - no registry password required`); + } + else { + core.info("A registry password is required"); + secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`; + } + const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => { if (value.length === 0) { - core.warning(`Secret "${name}" is not set`); + core.error(`Secret "${name}" is not set`); return true; } core.info(`✔️ Secret "${name}" is set`); return false; - }); if (missingSecrets.length > 0) { 
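Review bot: The secret check interpolates `${{ secrets.OPENSHIFT_SERVER }}`, `${{ secrets.OPENSHIFT_TOKEN }}`, `${{ secrets.IMAGE_REGISTRY_PASSWORD }}` and `${{ env.IMAGE_REGISTRY }}` directly into JavaScript template literals, so the expression is substituted into the script text before Node parses it; a value containing a backtick or `${` (a server URL is the likeliest of these) breaks out of the literal and becomes code, and the expansion also writes the raw secret into the script body. Pass the values to the step through `env:` and read `process.env` inside the script, as below. The `missingSecrets` filter and the reporting that follows are unchanged, and the step's body continues past the end of this hunk.

```yaml
      - name: Check for required secrets
        uses: actions/github-script@v3
        env:
          OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
          OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
          IMAGE_REGISTRY_PASSWORD: ${{ secrets.IMAGE_REGISTRY_PASSWORD }}
        with:
          script: |
            const secrets = {
              OPENSHIFT_SERVER: process.env.OPENSHIFT_SERVER || "",
              OPENSHIFT_TOKEN: process.env.OPENSHIFT_TOKEN || "",
            };
            const GHCR = "ghcr.io";
            if ((process.env.IMAGE_REGISTRY || "").startsWith(GHCR)) {
              core.info(`Image registry is ${GHCR} - no registry password required`);
            }
            else {
              core.info("A registry password is required");
              secrets["IMAGE_REGISTRY_PASSWORD"] = process.env.IMAGE_REGISTRY_PASSWORD || "";
            }
            // … unchanged: missingSecrets filter and reporting …
```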
@@ -104,48 +108,50 @@ jobs: core.info(`✅ All the required secrets are set`); } - - uses: actions/checkout@v2 + - name: Check out repository + uses: actions/checkout@v2 - name: Determine app name if: env.APP_NAME == '' run: | echo "APP_NAME=$(basename $PWD)" | tee -a $GITHUB_ENV - - name: Determine tag - if: env.TAG == '' + - name: Determine image tags + if: env.IMAGE_TAGS == '' run: | - echo "TAG=${GITHUB_SHA::7}" | tee -a $GITHUB_ENV + echo "IMAGE_TAGS=latest ${GITHUB_SHA::12}" | tee -a $GITHUB_ENV # https://github.com/redhat-actions/buildah-build#readme - name: Build from Dockerfile - id: image-build + id: build-image uses: redhat-actions/buildah-build@v2 with: image: ${{ env.APP_NAME }} - tags: ${{ env.TAG }} - # If you don't have a dockerfile, see: - # https://github.com/redhat-actions/buildah-build#scratch-build-inputs - # Otherwise, point this to your Dockerfile relative to the repository root. + tags: ${{ env.IMAGE_TAGS }} + + # If you don't have a Dockerfile/Containerfile, refer to https://github.com/redhat-actions/buildah-build#scratch-build-inputs + # Or, perform a source-to-image build using https://github.com/redhat-actions/s2i-build + # Otherwise, point this to your Dockerfile/Containerfile relative to the repository root. 
dockerfiles: | ./Dockerfile # https://github.com/redhat-actions/push-to-registry#readme - name: Push to registry - id: push-to-registry + id: push-image uses: redhat-actions/push-to-registry@v2 with: - image: ${{ steps.image-build.outputs.image }} - tags: ${{ steps.image-build.outputs.tags }} - registry: ${{ env.REGISTRY }} - username: ${{ env.REGISTRY_USER }} - password: ${{ env.REGISTRY_PASSWORD }} + image: ${{ steps.build-image.outputs.image }} + tags: ${{ steps.build-image.outputs.tags }} + registry: ${{ env.IMAGE_REGISTRY }} + username: ${{ env.IMAGE_REGISTRY_USER }} + password: ${{ env.IMAGE_REGISTRY_PASSWORD }} - # The path the image was pushed to is now stored in ${{ steps.push-to-registry.outputs.registry-path }} + # The path the image was pushed to is now stored in ${{ steps.push-image.outputs.registry-path }} - # oc-login works on all platforms, but oc must be installed first. - # The GitHub Ubuntu runner already includes oc. - # Otherwise, https://github.com/redhat-actions/openshift-tools-installer can be used to install oc, - # as well as many other tools. + - name: Install oc + uses: redhat-actions/openshift-tools-installer@v1 + with: + oc: 4 # https://github.com/redhat-actions/oc-login#readme - name: Log in to OpenShift 
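Review bot: `IMAGE_TAGS=latest ${GITHUB_SHA::12}` pushes a mutable `latest` tag on every run, and the deploy step downstream consumes `steps.push-image.outputs.registry-path`; if that output names the first tag, `latest` (the push-to-registry output format is not visible here), the reference handed to `oc new-app` is not reproducible and a concurrent run can move `latest` between push and deploy. Put the commit tag first, `echo "IMAGE_TAGS=${GITHUB_SHA::12} latest" | tee -a $GITHUB_ENV`, or better deploy by digest if the push action exposes one, so the rollout is pinned to the exact image this run built. The `redhat-actions/*` steps are also referenced by mutable major tags (`@v2`, `@v1`); given the file's own disclaimer about uncertified third-party actions, pinning them to commit SHAs would remove the tag-retarget risk.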
@@ -163,18 +169,19 @@ jobs: uses: redhat-actions/oc-new-app@v1 with: app_name: ${{ env.APP_NAME }} - image: ${{ steps.push-to-registry.outputs.registry-path }} + image: ${{ steps.push-image.outputs.registry-path }} namespace: ${{ env.OPENSHIFT_NAMESPACE }} port: ${{ env.APP_PORT }} - - name: View application route + - name: Print application URL + env: + ROUTE: ${{ steps.deploy-and-expose.outputs.route }} + SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} run: | [[ -n ${{ env.ROUTE }} ]] || (echo "Determining application route failed in previous step"; exit 1) + echo echo "======================== Your application is available at: ========================" echo ${{ env.ROUTE }} echo "===================================================================================" echo echo "Your app can be taken down with: \"oc delete all --selector='${{ env.SELECTOR }}'\"" - env: - ROUTE: ${{ steps.deploy-and-expose.outputs.route }} - SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} From 149cf11287e993f8144ff44dd688d69f1036d73e Mon Sep 17 00:00:00 2001 From: Tim Etchells Date: Tue, 14 Sep 2021 11:52:30 -0700 Subject: [PATCH 059/844] Update github-script major version Co-authored-by: John Bohannon --- deployments/openshift.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployments/openshift.yml b/deployments/openshift.yml index fd090a8197..46ff961ddb 100644 --- a/deployments/openshift.yml +++ b/deployments/openshift.yml @@ -71,7 +71,7 @@ jobs: steps: - name: Check for required secrets - uses: actions/github-script@v3 + uses: actions/github-script@v4 with: script: | const secrets = { From 31751181512568e56185350649a5be65fb9c1523 Mon Sep 17 00:00:00 2001 
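Review bot: The `Print application URL` step now defines `ROUTE` and `SELECTOR` as step `env`, but the `run:` script still expands them with `${{ env.ROUTE }}` and `${{ env.SELECTOR }}`, which splices the values into the shell text before bash runs it; both values originate from the `oc-new-app` step output, so a route or selector containing shell metacharacters would be executed, and the expression form defeats the purpose of the `env:` block. Use the shell variables instead: `[[ -n "$ROUTE" ]] || (echo "Determining application route failed in previous step"; exit 1)`, `echo "$ROUTE"`, and `echo "Your app can be taken down with: \"oc delete all --selector='$SELECTOR'\""`. The `github-script` v3→v4 bump in the following hunk is a plain version change.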
From: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Date: Wed, 15 Sep 2021 20:02:11 +0530 Subject: [PATCH 060/844] Addressing review comments - Renaming template and updating setup-ruby action version (#1086) * renaming template and updating setup-ruby action version * renaming rubyrails files * renaming rails files --- ci/properties/rails-lint.properties.json | 6 ------ ci/properties/rubyonrails-lint.properties.json | 6 ++++++ ci/{rails-lint.yml => rubyonrails-lint.yml} | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) delete mode 100644 ci/properties/rails-lint.properties.json create mode 100644 ci/properties/rubyonrails-lint.properties.json rename ci/{rails-lint.yml => rubyonrails-lint.yml} (87%) diff --git a/ci/properties/rails-lint.properties.json b/ci/properties/rails-lint.properties.json deleted file mode 100644 index 7a109a1ce7..0000000000 --- a/ci/properties/rails-lint.properties.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "name": "Rails - Build and Run Linters", - "description": "Build Rails application and run linters", - "iconName": "ruby", - "categories": ["Ruby", "Rails"] -} diff --git a/ci/properties/rubyonrails-lint.properties.json b/ci/properties/rubyonrails-lint.properties.json new file mode 100644 index 0000000000..7dac4694c3 --- /dev/null +++ b/ci/properties/rubyonrails-lint.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Rails - Install Dependencies and Run Linters", + "description": "Install dependencies and run linters on Rails application", + "iconName": "ruby", + "categories": ["Ruby", "Rails"] +} diff --git a/ci/rails-lint.yml b/ci/rubyonrails-lint.yml similarity index 87% rename from ci/rails-lint.yml rename to ci/rubyonrails-lint.yml index b2f8832eff..d95b70e637 100644 --- a/ci/rails-lint.yml +++ b/ci/rubyonrails-lint.yml 
@@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. # This workflow will download a prebuilt Ruby version, install dependencies, and run linters -name: Build Rails and run linters +name: Rails - Install dependencies and run linters on: push: @@ -18,7 +18,7 @@ jobs: uses: actions/checkout@v2 - name: Setup Ruby and install gems - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e with: bundler-cache: true # Add or Replace any other security checks here From dda42cb8f2514b6ee4e8cc0a860512821ffaa9f7 Mon Sep 17 00:00:00 2001 From: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Date: Wed, 15 Sep 2021 20:04:06 +0530 Subject: [PATCH 061/844] Addition to categories to python templates (#1088) * addition to categories for python-app template * adding categories to pylint template * adding categories to python-package template Co-authored-by: Ashwin Sangem --- ci/properties/pylint.properties.json | 2 +- ci/properties/python-app.properties.json | 2 +- ci/properties/python-package.properties.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/properties/pylint.properties.json b/ci/properties/pylint.properties.json index c7d136342e..fc751ea02b 100644 --- a/ci/properties/pylint.properties.json +++ b/ci/properties/pylint.properties.json @@ -2,5 +2,5 @@ "name": "Pylint", "description": "Lint a Python application with pylint.", "iconName": "python", - "categories": ["Python"] + "categories": ["Python", "Bottle", "Flask"] } diff --git a/ci/properties/python-app.properties.json b/ci/properties/python-app.properties.json index 34e4a5780a..add4d8bfdf 100644 --- a/ci/properties/python-app.properties.json +++ b/ci/properties/python-app.properties.json @@ -2,5 +2,5 @@ "name": "Python application", "description": "Create and test a Python application.", "iconName": "python", - "categories": ["Python"] + "categories": ["Python", "Bottle", "Flask"] } 
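Review bot: Pinning `ruby/setup-ruby` to a commit SHA is the right call, but the bare hash gives reviewers and dependency-update tooling no way to tell which release it corresponds to or when it is stale. Add the resolved release as a trailing comment, `uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e  # <release tag>`, filling in the tag that hash resolves to. The rest of the job continues outside the hunk.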
diff --git a/ci/properties/python-package.properties.json b/ci/properties/python-package.properties.json index 4e09d40d5f..06052d9094 100644 --- a/ci/properties/python-package.properties.json +++ b/ci/properties/python-package.properties.json @@ -2,5 +2,5 @@ "name": "Python package", "description": "Create and test a Python package on multiple Python versions.", "iconName": "python", - "categories": ["Python"] + "categories": ["Python", "Bottle", "Flask"] } From df5ac56102886236863a9123780741504ddeb9a1 Mon Sep 17 00:00:00 2001 
From: Shubham Tiwari <64764738+tiwarishub@users.noreply.github.com> Date: Thu, 16 Sep 2021 11:00:07 +0530 Subject: [PATCH 062/844] Adding category in the template property file (#1092) * adding category in the template property file * added category on ruby template --- ci/properties/ada.properties.json | 2 +- ci/properties/android.properties.json | 2 +- ci/properties/ant.properties.json | 2 +- ci/properties/c-cpp.properties.json | 2 +- ci/properties/clojure.properties.json | 2 +- ci/properties/cmake.properties.json | 2 +- ci/properties/crystal.properties.json | 2 +- ci/properties/d.properties.json | 2 +- ci/properties/dart.properties.json | 2 +- ci/properties/deno.properties.json | 2 +- ci/properties/django.properties.json | 2 +- ci/properties/docker-image.properties.json | 2 +- ci/properties/docker-publish.properties.json | 2 +- ci/properties/dotnet-desktop.properties.json | 2 +- ci/properties/dotnet.properties.json | 2 +- ci/properties/elixir.properties.json | 2 +- ci/properties/erlang.properties.json | 2 +- ci/properties/gem-push.properties.json | 2 +- ci/properties/go.properties.json | 2 +- ci/properties/gradle-publish.properties.json | 2 +- ci/properties/gradle.properties.json | 2 +- ci/properties/grunt.properties.json | 2 +- ci/properties/gulp.properties.json | 2 +- ci/properties/haskell.properties.json | 2 +- ci/properties/ios.properties.json | 1 + ci/properties/jekyll.properties.json | 2 +- ci/properties/laravel.properties.json | 1 + ci/properties/maven-publish.properties.json | 2 +- ci/properties/maven.properties.json | 2 +- ci/properties/msbuild.properties.json | 2 +- ci/properties/node.js.properties.json | 2 +- ci/properties/npm-publish.properties.json | 2 +- ci/properties/php.properties.json | 2 +- ci/properties/pylint.properties.json | 2 +- ci/properties/python-app.properties.json | 2 +- ci/properties/python-package-conda.properties.json | 2 +- ci/properties/python-package.properties.json | 2 +- ci/properties/python-publish.properties.json | 2 +- 
ci/properties/r.properties.json | 2 +- ci/properties/ruby.properties.json | 2 +- ci/properties/rubyonrails-lint.properties.json | 2 +- ci/properties/rust.properties.json | 2 +- ci/properties/scala.properties.json | 2 +- ci/properties/swift.properties.json | 2 +- ci/properties/webpack.properties.json | 2 +- deployments/properties/openshift.properties.json | 2 +- 46 files changed, 46 insertions(+), 44 deletions(-) diff --git a/ci/properties/ada.properties.json b/ci/properties/ada.properties.json index 71021d003c..c4c2b3a3a0 100644 --- a/ci/properties/ada.properties.json +++ b/ci/properties/ada.properties.json @@ -2,5 +2,5 @@ "name": "Ada", "description": "Build Ada project with GPRbuild.", "iconName": "ada", - "categories": ["Ada"] + "categories": ["Continuous integration", "Ada"] } diff --git a/ci/properties/android.properties.json b/ci/properties/android.properties.json index 29d293f1a5..a3ff2cdcea 100644 --- a/ci/properties/android.properties.json +++ b/ci/properties/android.properties.json @@ -2,5 +2,5 @@ "name": "Android CI", "description": "Build an Android project with Gradle.", "iconName": "android", - "categories": ["Java", "Mobile"] + "categories": ["Continuous integration", "Java", "Mobile"] } diff --git a/ci/properties/ant.properties.json b/ci/properties/ant.properties.json index 5a4d7a99e8..93d54738cf 100644 --- a/ci/properties/ant.properties.json +++ b/ci/properties/ant.properties.json @@ -2,5 +2,5 @@ "name": "Java with Ant", "description": "Build and test a Java project with Apache Ant.", "iconName": "ant", - "categories": ["Ant", "Java"] + "categories": ["Continuous integration", "Ant", "Java"] } diff --git a/ci/properties/c-cpp.properties.json b/ci/properties/c-cpp.properties.json index 5d2a2df038..2d214a4087 100644 --- a/ci/properties/c-cpp.properties.json +++ b/ci/properties/c-cpp.properties.json 
@@ -2,5 +2,5 @@ "name": "C/C++ with Make", "description": "Build and test a C/C++ project using Make.", "iconName": "c-cpp", - "categories": ["C", "C++"] + "categories": ["Continuous integration", "C", "C++"] } diff --git a/ci/properties/clojure.properties.json b/ci/properties/clojure.properties.json index 5a9e3ed163..f57dfdf3d2 100644 --- a/ci/properties/clojure.properties.json +++ b/ci/properties/clojure.properties.json @@ -2,5 +2,5 @@ "name": "Clojure", "description": "Build and test a Clojure project with Leiningen.", "iconName": "clojure", - "categories": ["Clojure", "Java"] + "categories": ["Continuous integration", "Clojure", "Java"] } diff --git a/ci/properties/cmake.properties.json b/ci/properties/cmake.properties.json index ac001c3b78..a7f5d0670d 100644 --- a/ci/properties/cmake.properties.json +++ b/ci/properties/cmake.properties.json @@ -2,5 +2,5 @@ "name": "CMake based projects", "description": "Build and test a CMake based project.", "iconName": "cmake", - "categories": ["C", "C++"] + "categories": ["Continuous integration", "C", "C++"] } \ No newline at end of file diff --git a/ci/properties/crystal.properties.json b/ci/properties/crystal.properties.json index bb058f760e..244adbf021 100644 --- a/ci/properties/crystal.properties.json +++ b/ci/properties/crystal.properties.json @@ -2,5 +2,5 @@ "name": "Crystal", "description": "Build and test a Crystal project.", "iconName": "crystal", - "categories": ["Crystal"] + "categories": ["Continuous integration", "Crystal"] } diff --git a/ci/properties/d.properties.json b/ci/properties/d.properties.json index 5c67054a57..8e51aa32a4 100644 --- a/ci/properties/d.properties.json +++ b/ci/properties/d.properties.json @@ -2,5 +2,5 @@ "name": "D", "description": "Build and test a D project with dub.", "iconName": "d", - "categories": [ "D" ] + "categories": ["Continuous integration", "D"] } diff --git a/ci/properties/dart.properties.json b/ci/properties/dart.properties.json index 022a003227..f4bf112eee 100644 
--- a/ci/properties/dart.properties.json +++ b/ci/properties/dart.properties.json @@ -2,5 +2,5 @@ "name": "Dart", "description": "Build and test a Dart project with Pub.", "iconName": "dart", - "categories": ["Dart"] + "categories": ["Continuous integration", "Dart"] } diff --git a/ci/properties/deno.properties.json b/ci/properties/deno.properties.json index 8a2c76276c..6d4d653347 100644 --- a/ci/properties/deno.properties.json +++ b/ci/properties/deno.properties.json @@ -2,5 +2,5 @@ "name": "Deno", "description": "Test your Deno project", "iconName": "deno", - "categories": ["JavaScript", "TypeScript", "Deno"] + "categories": ["Continuous integration", "JavaScript", "TypeScript", "Deno"] } diff --git a/ci/properties/django.properties.json b/ci/properties/django.properties.json index 30154416e2..791fb21aa6 100644 --- a/ci/properties/django.properties.json +++ b/ci/properties/django.properties.json @@ -2,5 +2,5 @@ "name": "Django", "description": "Build and Test a Django Project", "iconName": "django", - "categories": ["Python", "Django"] + "categories": ["Continuous integration", "Python", "Django"] } diff --git a/ci/properties/docker-image.properties.json b/ci/properties/docker-image.properties.json index 8ad7552468..b13144ccb7 100644 --- a/ci/properties/docker-image.properties.json +++ b/ci/properties/docker-image.properties.json @@ -2,5 +2,5 @@ "name": "Docker image", "description": "Build a Docker image to deploy, run, or push to a registry.", "iconName": "docker", - "categories": ["Dockerfile"] + "categories": ["Continuous integration", "Dockerfile"] } diff --git a/ci/properties/docker-publish.properties.json b/ci/properties/docker-publish.properties.json index 1b36c0f0e9..890f4af341 100644 --- a/ci/properties/docker-publish.properties.json +++ b/ci/properties/docker-publish.properties.json 
@@ -2,5 +2,5 @@ "name": "Publish Docker Container", "description": "Build, test and push Docker image to GitHub Packages.", "iconName": "docker", - "categories": ["Dockerfile"] + "categories": ["Continuous integration", "Dockerfile"] } diff --git a/ci/properties/dotnet-desktop.properties.json b/ci/properties/dotnet-desktop.properties.json index f6e1cb8428..bbe9d102a4 100644 --- a/ci/properties/dotnet-desktop.properties.json +++ b/ci/properties/dotnet-desktop.properties.json @@ -2,5 +2,5 @@ "name": ".NET Desktop", "description": "Build, test, sign and publish a desktop application built on .NET.", "iconName": "dotnet", - "categories": ["C#", "Visual Basic", "WPF", ".NET"] + "categories": ["Continuous integration", "C#", "Visual Basic", "WPF", ".NET"] } \ No newline at end of file diff --git a/ci/properties/dotnet.properties.json b/ci/properties/dotnet.properties.json index b3feafb9cf..d4f6eb2292 100644 --- a/ci/properties/dotnet.properties.json +++ b/ci/properties/dotnet.properties.json @@ -2,5 +2,5 @@ "name": ".NET", "description": "Build and test a .NET or ASP.NET Core project.", "iconName": "dotnet", - "categories": ["C#", "F#", "Visual Basic", "ASP", "ASP.NET", ".NET"] + "categories": ["Continuous integration", "C#", "F#", "Visual Basic", "ASP", "ASP.NET", ".NET"] } diff --git a/ci/properties/elixir.properties.json b/ci/properties/elixir.properties.json index 572992df13..6de4ea0c18 100644 --- a/ci/properties/elixir.properties.json +++ b/ci/properties/elixir.properties.json @@ -2,5 +2,5 @@ "name": "Elixir", "description": "Build and test an Elixir project with Mix.", "iconName": "elixir", - "categories": ["Elixir", "Erlang"] + "categories": ["Continuous integration", "Elixir", "Erlang"] } diff --git a/ci/properties/erlang.properties.json b/ci/properties/erlang.properties.json index d712b0564c..eba9af698f 100644 --- a/ci/properties/erlang.properties.json +++ b/ci/properties/erlang.properties.json 
@@ -2,5 +2,5 @@ "name": "Erlang", "description": "Build and test an Erlang project with rebar.", "iconName": "erlang", - "categories": ["Erlang"] + "categories": ["Continuous integration", "Erlang"] } diff --git a/ci/properties/gem-push.properties.json b/ci/properties/gem-push.properties.json index 188d80aa95..0002ac5867 100644 --- a/ci/properties/gem-push.properties.json +++ b/ci/properties/gem-push.properties.json @@ -2,5 +2,5 @@ "name": "Ruby Gem", "description": "Pushes a Ruby Gem to RubyGems and GitHub Package Registry.", "iconName": "ruby-gems", - "categories": ["Ruby"] + "categories": ["Continuous integration", "Ruby"] } diff --git a/ci/properties/go.properties.json b/ci/properties/go.properties.json index b96c0a1159..1187f94bb4 100644 --- a/ci/properties/go.properties.json +++ b/ci/properties/go.properties.json @@ -2,5 +2,5 @@ "name": "Go", "description": "Build a Go project.", "iconName": "go", - "categories": ["Go"] + "categories": ["Continuous integration", "Go"] } diff --git a/ci/properties/gradle-publish.properties.json b/ci/properties/gradle-publish.properties.json index 3ec3f4f1cd..0155310cb2 100644 --- a/ci/properties/gradle-publish.properties.json +++ b/ci/properties/gradle-publish.properties.json @@ -2,5 +2,5 @@ "name": "Publish Java Package with Gradle", "description": "Build a Java Package using Gradle and publish to GitHub Packages.", "iconName": "gradle", - "categories": ["Java", "Gradle", "Spring", "JSF"] + "categories": ["Continuous integration", "Java", "Gradle", "Spring", "JSF"] } \ No newline at end of file diff --git a/ci/properties/gradle.properties.json b/ci/properties/gradle.properties.json index c90f78f88e..47d1ddb3ff 100644 --- a/ci/properties/gradle.properties.json +++ b/ci/properties/gradle.properties.json 
@@ -2,5 +2,5 @@ "name": "Java with Gradle", "description": "Build and test a Java project using a Gradle wrapper script.", "iconName": "gradle", - "categories": ["Java", "Gradle", "Spring", "JSF"] + "categories": ["Continuous integration", "Java", "Gradle", "Spring", "JSF"] } diff --git a/ci/properties/grunt.properties.json b/ci/properties/grunt.properties.json index c8a5b9f717..34a0a350dd 100644 --- a/ci/properties/grunt.properties.json +++ b/ci/properties/grunt.properties.json @@ -2,5 +2,5 @@ "name": "Grunt", "description": "Build a NodeJS project with npm and grunt.", "iconName": "grunt", - "categories": ["JavaScript", "TypeScript", "npm", "Grunt"] + "categories": ["Continuous integration", "JavaScript", "TypeScript", "npm", "Grunt"] } diff --git a/ci/properties/gulp.properties.json b/ci/properties/gulp.properties.json index 658325ba54..3b4201aaf5 100644 --- a/ci/properties/gulp.properties.json +++ b/ci/properties/gulp.properties.json @@ -2,5 +2,5 @@ "name": "Gulp", "description": "Build a NodeJS project with npm and gulp.", "iconName": "gulp", - "categories": ["JavaScript", "TypeScript", "npm", "Gulp"] + "categories": ["Continuous integration", "JavaScript", "TypeScript", "npm", "Gulp"] } diff --git a/ci/properties/haskell.properties.json b/ci/properties/haskell.properties.json index 2dedbf2e86..798d3d0bda 100644 --- a/ci/properties/haskell.properties.json +++ b/ci/properties/haskell.properties.json @@ -2,5 +2,5 @@ "name": "Haskell", "description": "Build and test a Haskell project with Cabal.", "iconName": "haskell", - "categories": ["Haskell"] + "categories": ["Continuous integration", "Haskell"] } diff --git a/ci/properties/ios.properties.json b/ci/properties/ios.properties.json index 0b3a9edd6d..f88edc969d 100644 --- a/ci/properties/ios.properties.json +++ b/ci/properties/ios.properties.json 
@@ -3,6 +3,7 @@ "description": "Build and test an iOS application using xcodebuild and any available iPhone simulator.", "iconName": "xcode", "categories": [ + "Continuous integration", "iOS", "Xcode" ] diff --git a/ci/properties/jekyll.properties.json b/ci/properties/jekyll.properties.json index 38cc6cd23d..bbe279cbea 100644 --- a/ci/properties/jekyll.properties.json +++ b/ci/properties/jekyll.properties.json @@ -2,5 +2,5 @@ "name": "Jekyll", "description": "Package a Jekyll site using the jekyll/builder Docker image.", "iconName": "jekyll", - "categories": ["HTML"] + "categories": ["Continuous integration", "HTML"] } diff --git a/ci/properties/laravel.properties.json b/ci/properties/laravel.properties.json index f10a4623af..1c2e4333b9 100644 --- a/ci/properties/laravel.properties.json +++ b/ci/properties/laravel.properties.json @@ -3,6 +3,7 @@ "description": "Test a Laravel project.", "iconName": "php", "categories": [ + "Continuous integration", "PHP", "Laravel" ] diff --git a/ci/properties/maven-publish.properties.json b/ci/properties/maven-publish.properties.json index 41f29159ee..2bc750fa4d 100644 --- a/ci/properties/maven-publish.properties.json +++ b/ci/properties/maven-publish.properties.json @@ -2,5 +2,5 @@ "name": "Publish Java Package with Maven", "description": "Build a Java Package using Maven and publish to GitHub Packages.", "iconName": "maven", - "categories": ["Java", "Maven", "Spring", "JSF"] + "categories": ["Continuous integration", "Java", "Maven", "Spring", "JSF"] } \ No newline at end of file diff --git a/ci/properties/maven.properties.json b/ci/properties/maven.properties.json index 408647017f..be8f7bf636 100644 --- a/ci/properties/maven.properties.json +++ b/ci/properties/maven.properties.json 
@@ -2,5 +2,5 @@ "name": "Java with Maven", "description": "Build and test a Java project with Apache Maven.", "iconName": "maven", - "categories": ["Java", "Maven", "Spring", "JSF"] + "categories": ["Continuous integration", "Java", "Maven", "Spring", "JSF"] } diff --git a/ci/properties/msbuild.properties.json b/ci/properties/msbuild.properties.json index b90cad8c97..c189be20b1 100644 --- a/ci/properties/msbuild.properties.json +++ b/ci/properties/msbuild.properties.json @@ -2,5 +2,5 @@ "name": "MSBuild based projects", "description": "Build a MSBuild based project.", "iconName": "c-cpp", - "categories": ["C", "C++"] + "categories": ["Continuous integration", "C", "C++"] } \ No newline at end of file diff --git a/ci/properties/node.js.properties.json b/ci/properties/node.js.properties.json index c982d17554..32f53069ee 100644 --- a/ci/properties/node.js.properties.json +++ b/ci/properties/node.js.properties.json @@ -2,5 +2,5 @@ "name": "Node.js", "description": "Build and test a Node.js project with npm.", "iconName": "nodejs", - "categories": ["JavaScript", "npm", "React", "Angular"] + "categories": ["Continuous integration", "JavaScript", "npm", "React", "Angular"] } diff --git a/ci/properties/npm-publish.properties.json b/ci/properties/npm-publish.properties.json index 764dbf37bb..9371d7b4c2 100644 --- a/ci/properties/npm-publish.properties.json +++ b/ci/properties/npm-publish.properties.json @@ -2,5 +2,5 @@ "name": "Publish Node.js Package", "description": "Publishes a Node.js package to npm and GitHub Packages.", "iconName": "node-package-transparent", - "categories": ["JavaScript", "npm"] + "categories": ["Continuous integration", "JavaScript", "npm"] } diff --git a/ci/properties/php.properties.json b/ci/properties/php.properties.json index 641e536f28..f345a28f56 100644 --- a/ci/properties/php.properties.json +++ b/ci/properties/php.properties.json 
@@ -2,5 +2,5 @@ "name": "PHP", "description": "Build and test a PHP application using Composer", "iconName": "php", - "categories": ["PHP", "Composer"] + "categories": ["Continuous integration", "PHP", "Composer"] } \ No newline at end of file diff --git a/ci/properties/pylint.properties.json b/ci/properties/pylint.properties.json index fc751ea02b..23c15dc02a 100644 --- a/ci/properties/pylint.properties.json +++ b/ci/properties/pylint.properties.json @@ -2,5 +2,5 @@ "name": "Pylint", "description": "Lint a Python application with pylint.", "iconName": "python", - "categories": ["Python", "Bottle", "Flask"] + "categories": ["Continuous integration", "Python", "Bottle", "Flask"] } diff --git a/ci/properties/python-app.properties.json b/ci/properties/python-app.properties.json index add4d8bfdf..1229b2961f 100644 --- a/ci/properties/python-app.properties.json +++ b/ci/properties/python-app.properties.json @@ -2,5 +2,5 @@ "name": "Python application", "description": "Create and test a Python application.", "iconName": "python", - "categories": ["Python", "Bottle", "Flask"] + "categories": ["Continuous integration", "Python", "Bottle", "Flask"] } diff --git a/ci/properties/python-package-conda.properties.json b/ci/properties/python-package-conda.properties.json index 1f6436db47..56007668b8 100644 --- a/ci/properties/python-package-conda.properties.json +++ b/ci/properties/python-package-conda.properties.json @@ -2,5 +2,5 @@ "name": "Python Package using Anaconda", "description": "Create and test a Python package on multiple Python versions using Anaconda for package management.", "iconName": "python", - "categories": ["Python"] + "categories": ["Continuous integration", "Python"] } diff --git a/ci/properties/python-package.properties.json b/ci/properties/python-package.properties.json index 06052d9094..8c9dbcfa62 100644 --- a/ci/properties/python-package.properties.json +++ b/ci/properties/python-package.properties.json 
@@ -2,5 +2,5 @@ "name": "Python package", "description": "Create and test a Python package on multiple Python versions.", "iconName": "python", - "categories": ["Python", "Bottle", "Flask"] + "categories": ["Continuous integration", "Python", "Bottle", "Flask"] } diff --git a/ci/properties/python-publish.properties.json b/ci/properties/python-publish.properties.json index 4fd9eceb68..9219e0f7ed 100644 --- a/ci/properties/python-publish.properties.json +++ b/ci/properties/python-publish.properties.json @@ -2,5 +2,5 @@ "name": "Publish Python Package", "description": "Publish a Python Package to PyPI on release.", "iconName": "python", - "categories": ["Python"] + "categories": ["Continuous integration", "Python"] } diff --git a/ci/properties/r.properties.json b/ci/properties/r.properties.json index 84ba0ec9c5..9f83a25f81 100644 --- a/ci/properties/r.properties.json +++ b/ci/properties/r.properties.json @@ -2,5 +2,5 @@ "name": "R package", "description": "Create and test an R package on multiple R versions.", "iconName": "r", - "categories": ["R"] + "categories": ["Continuous integration", "R"] } diff --git a/ci/properties/ruby.properties.json b/ci/properties/ruby.properties.json index 904f12fd4a..894436b514 100644 --- a/ci/properties/ruby.properties.json +++ b/ci/properties/ruby.properties.json @@ -2,5 +2,5 @@ "name": "Ruby", "description": "Build and test a Ruby project with Rake.", "iconName": "ruby", - "categories": ["Ruby"] + "categories": ["Continuous integration", "Ruby"] } diff --git a/ci/properties/rubyonrails-lint.properties.json b/ci/properties/rubyonrails-lint.properties.json index 7dac4694c3..e6e5f6928e 100644 --- a/ci/properties/rubyonrails-lint.properties.json +++ b/ci/properties/rubyonrails-lint.properties.json 
@@ -2,5 +2,5 @@ "name": "Rails - Install Dependencies and Run Linters", "description": "Install dependencies and run linters on Rails application", "iconName": "ruby", - "categories": ["Ruby", "Rails"] + "categories": ["Continuous integration", "Ruby", "Rails"] } diff --git a/ci/properties/rust.properties.json b/ci/properties/rust.properties.json index 3a6dc02ae1..3e834d9589 100644 --- a/ci/properties/rust.properties.json +++ b/ci/properties/rust.properties.json @@ -2,5 +2,5 @@ "name": "Rust", "description": "Build and test a Rust project with Cargo.", "iconName": "rust", - "categories": ["Rust"] + "categories": ["Continuous integration", "Rust"] } \ No newline at end of file diff --git a/ci/properties/scala.properties.json b/ci/properties/scala.properties.json index a92fc7309a..34dde26dda 100644 --- a/ci/properties/scala.properties.json +++ b/ci/properties/scala.properties.json @@ -2,5 +2,5 @@ "name": "Scala", "description": "Build and test a Scala project with SBT.", "iconName": "scala", - "categories": ["Scala", "Java"] + "categories": ["Continuous integration", "Scala", "Java"] } diff --git a/ci/properties/swift.properties.json b/ci/properties/swift.properties.json index 9efd64515d..b26a264423 100644 --- a/ci/properties/swift.properties.json +++ b/ci/properties/swift.properties.json @@ -2,5 +2,5 @@ "name": "Swift", "description": "Build and test a Swift Package.", "iconName": "swift", - "categories": ["Swift"] + "categories": ["Continuous integration", "Swift"] } diff --git a/ci/properties/webpack.properties.json b/ci/properties/webpack.properties.json index 1e22ccb69c..6d8b1a548a 100644 --- a/ci/properties/webpack.properties.json +++ b/ci/properties/webpack.properties.json @@ -2,5 +2,5 @@ "name": "Webpack", "description": "Build a NodeJS project with npm and webpack.", "iconName": "webpack", - "categories": ["JavaScript", "TypeScript", "npm", "Webpack"] + "categories": ["Continuous integration", "JavaScript", "TypeScript", "npm", "Webpack"] } 
diff --git a/deployments/properties/openshift.properties.json b/deployments/properties/openshift.properties.json index 54948c2bb6..d08351fd3f 100644 --- a/deployments/properties/openshift.properties.json +++ b/deployments/properties/openshift.properties.json @@ -3,5 +3,5 @@ "description": "Build a Docker-based project and deploy it to OpenShift.", "creator": "Red Hat", "iconName": "openshift", - "categories": ["Dockerfile","Deployment" ] + "categories": ["Deployment", "Dockerfile"] } From 1cb322141e9482ee44e8a2756fd4dbc0135696aa Mon Sep 17 00:00:00 2001 From: Ninad Kavimandan Date: Thu, 16 Sep 2021 11:02:21 +0530 Subject: [PATCH 063/844] add `makefile` template (#1093) Co-authored-by: Ashwin Sangem --- ci/makefile.yml | 27 ++++++++++++++++++++++++++ ci/properties/makefile.properties.json | 6 ++++++ icons/makefile.svg | 1 + 3 files changed, 34 insertions(+) create mode 100644 ci/makefile.yml create mode 100644 ci/properties/makefile.properties.json create mode 100644 icons/makefile.svg diff --git a/ci/makefile.yml b/ci/makefile.yml new file mode 100644 index 0000000000..eafe622fd5 --- /dev/null +++ b/ci/makefile.yml @@ -0,0 +1,27 @@ +name: Makefile CI + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + +jobs: + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: configure + run: ./configure + + - name: Install dependencies + run: make + + - name: Run check + run: make check + + - name: Run distcheck + run: make distcheck diff --git a/ci/properties/makefile.properties.json b/ci/properties/makefile.properties.json new file mode 100644 index 0000000000..93ecf1ebd7 --- /dev/null +++ b/ci/properties/makefile.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Build projects with Make", + "description": "Build and test a project using Make.", + "iconName": "makefile", + "categories": ["Makefile"] +} 
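Review bot: The step named `Install dependencies` runs `make`, which builds the project rather than installing anything, so the job log misleads anyone reading it; rename it `- name: Build`. The preceding step runs `./configure` unconditionally, so any project with a plain Makefile and no autotools-generated configure script fails on the first step; either guard it, `run: if [ -x ./configure ]; then ./configure; fi`, or state the autotools assumption up front. Unlike the other templates in this series, the file carries no leading comment describing what it expects of the repository, which is where that assumption belongs.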
diff --git a/icons/makefile.svg b/icons/makefile.svg new file mode 100644 index 0000000000..694ad2e226 --- /dev/null +++ b/icons/makefile.svg @@ -0,0 +1 @@ + \ No newline at end of file From 9095e7c9d55b5b9aca2cce211f0a7d6b4fe14371 Mon Sep 17 00:00:00 2001 From: Ninad Kavimandan Date: Thu, 16 Sep 2021 11:17:56 +0530 Subject: [PATCH 064/844] added prefix `npm-` (#1097) --- ci/{grunt.yml => npm-grunt.yml} | 0 ci/{gulp.yml => npm-gulp.yml} | 0 .../{grunt.properties.json => npm-grunt.properties.json} | 0 ci/properties/{gulp.properties.json => npm-gulp.properties.json} | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename ci/{grunt.yml => npm-grunt.yml} (100%) rename ci/{gulp.yml => npm-gulp.yml} (100%) rename ci/properties/{grunt.properties.json => npm-grunt.properties.json} (100%) rename ci/properties/{gulp.properties.json => npm-gulp.properties.json} (100%) diff --git a/ci/grunt.yml b/ci/npm-grunt.yml similarity index 100% rename from ci/grunt.yml rename to ci/npm-grunt.yml diff --git a/ci/gulp.yml b/ci/npm-gulp.yml similarity index 100% rename from ci/gulp.yml rename to ci/npm-gulp.yml diff --git a/ci/properties/grunt.properties.json b/ci/properties/npm-grunt.properties.json similarity index 100% rename from ci/properties/grunt.properties.json rename to ci/properties/npm-grunt.properties.json diff --git a/ci/properties/gulp.properties.json b/ci/properties/npm-gulp.properties.json similarity index 100% rename from ci/properties/gulp.properties.json rename to ci/properties/npm-gulp.properties.json From 59daabb07b45f661e2931ea36d8f8a1e42963aa8 Mon Sep 17 00:00:00 2001 From: Ninad Kavimandan Date: Thu, 16 Sep 2021 11:19:17 +0530 Subject: [PATCH 065/844] support `AspNetCore` and `DotNetConsole` (#1096) Co-authored-by: Ashwin Sangem --- ci/properties/dotnet.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/properties/dotnet.properties.json b/ci/properties/dotnet.properties.json index d4f6eb2292..1a466042c3 100644 
--- a/ci/properties/dotnet.properties.json +++ b/ci/properties/dotnet.properties.json @@ -2,5 +2,5 @@ "name": ".NET", "description": "Build and test a .NET or ASP.NET Core project.", "iconName": "dotnet", - "categories": ["Continuous integration", "C#", "F#", "Visual Basic", "ASP", "ASP.NET", ".NET"] + "categories": ["Continuous integration", "C#", "F#", "Visual Basic", "ASP", "ASP.NET", ".NET", "AspNetCore", "DotNetConsole"] } From c36ea2c5605bf159b7a6ca8b8bc97c410accc036 Mon Sep 17 00:00:00 2001 From: Ninad Kavimandan Date: Thu, 16 Sep 2021 11:51:53 +0530 Subject: [PATCH 066/844] add `Continuous integration` to makefile props (#1100) --- ci/properties/makefile.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/properties/makefile.properties.json b/ci/properties/makefile.properties.json index 93ecf1ebd7..209bf7025d 100644 --- a/ci/properties/makefile.properties.json +++ b/ci/properties/makefile.properties.json @@ -2,5 +2,5 @@ "name": "Build projects with Make", "description": "Build and test a project using Make.", "iconName": "makefile", - "categories": ["Makefile"] + "categories": ["Continuous integration", "Makefile"] } From 5e116cb9e84c5d4a3bea833aadc4494a4717c17d Mon Sep 17 00:00:00 2001 From: Manuel Boira Cuevas Date: Thu, 16 Sep 2021 10:47:05 +0200 Subject: [PATCH 067/844] Sysdig Secure Inline Scan with SARIF report to starter workflows --- .../properties/sysdig-scan.properties.json | 7 +++ code-scanning/sysdig-scan.yml | 43 +++++++++++++++++++ icons/sysdig.svg | 37 ++++++++++++++++ 3 files changed, 87 insertions(+) create mode 100644 code-scanning/properties/sysdig-scan.properties.json create mode 100644 code-scanning/sysdig-scan.yml create mode 100644 icons/sysdig.svg diff --git a/code-scanning/properties/sysdig-scan.properties.json b/code-scanning/properties/sysdig-scan.properties.json new file mode 100644 index 0000000000..02db691d9f --- /dev/null +++ b/code-scanning/properties/sysdig-scan.properties.json 
@@ -0,0 +1,7 @@ +{ + "name": "Sysdigh Inline Scan", + "creator": "Sysdig", + "description": "Performs analysis on locally built container image and posts the results in SARIF report", + "iconName": "cst-logo", + "categories": ["Image Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python", "Powershell", "Cobol", "Objective C", "PHP", "Ruby", "Rust", "SQL", "Swift", "Visual Basic"] +} diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml new file mode 100644 index 0000000000..ea52006fe5 --- /dev/null +++ b/code-scanning/sysdig-scan.yml @@ -0,0 +1,43 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Sysdig - Build, scan, push and upload sarif report + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v1 + + - name: Build the Docker image + run: docker build . --file Dockerfile --tag ${{ github.head_ref }}:latest + + - name: Sysdig Secure Inline Scan + id: scan + uses: sysdiglabs/scan-action@v3 + with: + # Tag of the image to analyse + image-tag: "${{ github.head_ref }}:latest" + # API token for Sysdig Scanning auth + sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }} + dockerfile-path: ./Dockerfile + input-type: docker-daemon + ignore-failed-scan: true + + - uses: github/codeql-action/upload-sarif@v1 + if: always() + with: + sarif_file: ${{ steps.scan.outputs.sarifReport } diff --git a/icons/sysdig.svg b/icons/sysdig.svg new file mode 100644 index 0000000000..e98d27dc7a --- /dev/null +++ b/icons/sysdig.svg @@ -0,0 +1,37 @@ + + + + + + + From 6dfa11d0c4c966b00c10cab65d484232008ec9cb Mon Sep 17 00:00:00 2001 
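Review bot: The last line, `sarif_file: ${{ steps.scan.outputs.sarifReport }`, closes the expression with a single brace, so the upload step receives literal text rather than the report path; it needs `}}`. `${{ github.head_ref }}` is only populated for pull_request events, so under the push and schedule triggers this file also declares, both `docker build --tag` and `image-tag` expand to a bare `:latest` and the build and scan address the wrong reference; `${{ github.repository }}` or `${{ github.sha }}` is set on every event. Interpolating a branch name straight into a `run:` script is also the pattern GitHub's own workflow-hardening guidance warns about; pass it through `env:` and reference the shell variable instead. `ignore-failed-scan: true` means a failed policy evaluation never fails the job, which suits a report-only workflow but deserves an inline comment so users know the gate is off.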
From: Cadu Ribeiro Date: Fri, 17 Sep 2021 17:58:46 -0300 Subject: [PATCH 068/844] Add github/super-linter as starter workflow on CI (#1089) This commit adds github/super-linter as a starter workflow to execute several linters based on the user codebase on changed files. Co-authored-by: Josh Gross --- ci/properties/super-linter.properties.json | 6 +++++ ci/super-linter.yml | 29 ++++++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 ci/properties/super-linter.properties.json create mode 100644 ci/super-linter.yml diff --git a/ci/properties/super-linter.properties.json b/ci/properties/super-linter.properties.json new file mode 100644 index 0000000000..e070300454 --- /dev/null +++ b/ci/properties/super-linter.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Super Linter - Run Linters for several languages", + "description": "Run linters for several languages on your code base for changed files", + "iconName": "octicon check-circle", + "categories": ["code-quality", "code-review"] +} diff --git a/ci/super-linter.yml b/ci/super-linter.yml new file mode 100644 index 0000000000..bebd82dd26 --- /dev/null +++ b/ci/super-linter.yml @@ -0,0 +1,29 @@ +# This workflow executes several linters on changed files based on languages used in your code base whenever +# you push a code or open a pull request. +# +# You can adjust the behavior by modifying this file. +# For more information, see: +# https://github.com/github/super-linter +name: Lint Code Base + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] +jobs: + run-lint: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v2 + with: + # Full git history is needed to get a proper list of changed files within `super-linter` + fetch-depth: 0 + + - name: Lint Code Base + uses: github/super-linter@v4 + env: + VALIDATE_ALL_CODEBASE: false + DEFAULT_BRANCH: $default-branch + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
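Review bot: `"categories": ["code-quality", "code-review"]` uses lower-case hyphenated values, while every other file under ci/properties in this series lists `"Continuous integration"` followed by capitalized names (for example `["Continuous integration", "Python"]` in the hunks above); if the template picker matches categories literally, these two values form a bucket of their own. Consider `["Continuous integration", "Code quality", "Code review"]` or whatever casing the consumer expects. `"iconName": "octicon check-circle"` also differs in form from the other entries, which name an svg under icons/; worth confirming the validator accepts an octicon reference.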
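Review bot: The job hands `GITHUB_TOKEN` to a third-party container through `env:` but declares no `permissions:` block, so the token carries the repository's default workflow permissions rather than the minimum the linter needs. Adding `permissions:` with `contents: read` and `statuses: write` at the job or workflow level limits it to reading the checkout and posting the status the linter reports (confirm the exact scopes against super-linter's README). `VALIDATE_ALL_CODEBASE: false` paired with `fetch-depth: 0` is the right combination and the comment explains why, which the other templates in this series could copy.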
From 38d4e3bfd23aa791fd5906ba8479c09087f3da7e Mon Sep 17 00:00:00 2001 From: manuelbcd Date: Mon, 20 Sep 2021 11:52:53 +0200 Subject: [PATCH 069/844] Added some extra comments, Github Actions V2 and changed env vars --- code-scanning/sysdig-scan.yml | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index ea52006fe5..58b4543d3c 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml 
@@ -20,24 +20,35 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v1 + - uses: actions/checkout@v2 - name: Build the Docker image - run: docker build . --file Dockerfile --tag ${{ github.head_ref }}:latest + # Tag image to be built + # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag below + run: docker build . --file Dockerfile --tag ${{ github.repository }}:latest - name: Sysdig Secure Inline Scan id: scan uses: sysdiglabs/scan-action@v3 with: - # Tag of the image to analyse - image-tag: "${{ github.head_ref }}:latest" + # Tag of the image to analyse. + # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag above + image-tag: ${{ github.repository }}:latest # API token for Sysdig Scanning auth - sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }} + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN}} + # Sysdig secure endpoint. Please read: https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/ + # US-East https://secure.sysdig.com + # US-West https://us2.app.sysdig.com + # EU https://eu1.app.sysdig.com + sysdig-secure-url: https://us2.app.sysdig.com dockerfile-path: ./Dockerfile input-type: docker-daemon ignore-failed-scan: true + # Sysdig inline scanner requires privileged rights + run-as-user: root - uses: github/codeql-action/upload-sarif@v1 + #Upload SARIF file if: always() with: - sarif_file: ${{ steps.scan.outputs.sarifReport } + sarif_file: ${{ steps.scan.outputs.sarifReport }} \ No newline at end of file From e4091f2f55dfbfcd692d8e6444562bf0bd7e4e06 Mon Sep 17 00:00:00 2001 From: Ninad Kavimandan Date: Tue, 21 Sep 2021 13:35:26 +0530 Subject: [PATCH 070/844] add `Vue` to nodejs props (#1109) --- ci/properties/node.js.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
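Review bot: `${{ github.repository }}` is `Owner/Repo` exactly as typed, and Docker rejects image references containing uppercase letters, so `docker build --tag ${{ github.repository }}:latest` and the matching `image-tag:` fail for any organization or repository name with capitals. Compute the name once in a preceding step, `run: echo "IMAGE=${GITHUB_REPOSITORY,,}:latest" >> "$GITHUB_ENV"`, and reference `${{ env.IMAGE }}` in both places; that also removes the duplicated "don't forget changing also image-tag above/below" comments. Two smaller items: `${{ secrets.SYSDIG_SECURE_TOKEN}}` lacks the space before `}}` that every other expression in the file has, and `#Upload SARIF file` lacks the space after `#`. The file also loses its trailing newline in this hunk.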
diff --git a/ci/properties/node.js.properties.json b/ci/properties/node.js.properties.json index 32f53069ee..7f68d8842d 100644 --- a/ci/properties/node.js.properties.json +++ b/ci/properties/node.js.properties.json @@ -2,5 +2,5 @@ "name": "Node.js", "description": "Build and test a Node.js project with npm.", "iconName": "nodejs", - "categories": ["Continuous integration", "JavaScript", "npm", "React", "Angular"] + "categories": ["Continuous integration", "JavaScript", "npm", "React", "Angular", "Vue"] } From 7d41cdb581da65551176526658e7d4d756ca3078 Mon Sep 17 00:00:00 2001 From: manuelbcd Date: Tue, 21 Sep 2021 11:03:21 +0200 Subject: [PATCH 071/844] Reviews from PR #1110 --- code-scanning/properties/sysdig-scan.properties.json | 4 ++-- code-scanning/sysdig-scan.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/code-scanning/properties/sysdig-scan.properties.json b/code-scanning/properties/sysdig-scan.properties.json index 02db691d9f..87c87cd44b 100644 --- a/code-scanning/properties/sysdig-scan.properties.json +++ b/code-scanning/properties/sysdig-scan.properties.json @@ -2,6 +2,6 @@ "name": "Sysdigh Inline Scan", "creator": "Sysdig", "description": "Performs analysis on locally built container image and posts the results in SARIF report", - "iconName": "cst-logo", - "categories": ["Image Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python", "Powershell", "Cobol", "Objective C", "PHP", "Ruby", "Rust", "SQL", "Swift", "Visual Basic"] + "iconName": "sysdig", + "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "Node", "Python", "Powershell", "Ruby"] } diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index 58b4543d3c..49841d728e 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml 
@@ -29,7 +29,7 @@ jobs: - name: Sysdig Secure Inline Scan id: scan - uses: sysdiglabs/scan-action@v3 + uses: sysdiglabs/scan-action@768d7626a14897e0948ea89c8437dd46a814b163 with: # Tag of the image to analyse. # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag above From 9b4fcbf91135a5c58a6baa6eea122dad129c3dd1 Mon Sep 17 00:00:00 2001 From: manuelbcd Date: Tue, 21 Sep 2021 11:25:16 +0200 Subject: [PATCH 072/844] Adding 'Dockerfile' to category list --- code-scanning/properties/sysdig-scan.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/sysdig-scan.properties.json b/code-scanning/properties/sysdig-scan.properties.json index 87c87cd44b..09bbd7bb26 100644 --- a/code-scanning/properties/sysdig-scan.properties.json +++ b/code-scanning/properties/sysdig-scan.properties.json @@ -3,5 +3,5 @@ "creator": "Sysdig", "description": "Performs analysis on locally built container image and posts the results in SARIF report", "iconName": "sysdig", - "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "Node", "Python", "Powershell", "Ruby"] + "categories": ["Code Scanning", "Dockerfile", "C", "C#", "C++", "Go", "Java", "JavaScript", "Node", "Python", "Powershell", "Ruby"] } From 55f65bcc15417680dcd248f288c788a0879a0db4 Mon Sep 17 00:00:00 2001 From: Fernando de Oliveira <5161098+fedeoliv@users.noreply.github.com> Date: Wed, 22 Sep 2021 08:07:22 -0300 Subject: [PATCH 073/844] Directory structure updated (#1112) Co-authored-by: Fernando de Oliveira <5161098+fernandoBRS@users.noreply.github.com> --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 4b5b9f879d..77506d41bd 100644 --- a/README.md +++ b/README.md 
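Review bot: Pinning `sysdiglabs/scan-action` to a full commit SHA is the right move for a third-party action, but the bare hash leaves no record of which release it corresponds to, so the next maintainer cannot tell whether it is stale; append the version as a trailing comment, `uses: sysdiglabs/scan-action@768d7626a14897e0948ea89c8437dd46a814b163 # v3`. Update tooling such as Dependabot uses that comment to keep the pin and its label in step. The same comment belongs on the three `fortify/...@<sha>` pins in PATCH 074 below.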
@@ -12,7 +12,8 @@ These are the workflow files for helping people get started with GitHub Actions. ### Directory structure -* [ci](ci): solutions for Continuous Integration and Deployments +* [ci](ci): solutions for Continuous Integration workflows. +* [deployments](deployments): solutions for Deployment workflows. * [automation](automation): solutions for automating workflows. * [code-scanning](code-scanning): starter workflows for [Code Scanning](https://github.com/features/security) * [icons](icons): svg icons for the relevant template From 97de22b47c64dfc718d0793874168c3fc08a1814 Mon Sep 17 00:00:00 2001 From: Ruud Senden Date: Wed, 22 Sep 2021 14:12:39 +0200 Subject: [PATCH 074/844] Update according to PR review comments --- code-scanning/fortify-on-demand.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/code-scanning/fortify-on-demand.yml b/code-scanning/fortify-on-demand.yml index da200a602c..d67d194897 100644 --- a/code-scanning/fortify-on-demand.yml +++ b/code-scanning/fortify-on-demand.yml @@ -24,7 +24,7 @@ on: push: branches: [ $default-branch ] schedule: - - cron: '24 18 * * 5' + - cron: $cron-weekly jobs: FoD-SAST-Scan: @@ -56,7 +56,7 @@ jobs: # For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation. # ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/ - name: Download Fortify ScanCentral Client - uses: fortify/gha-setup-scancentral-client@v1 + uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3 - name: Package Code + Dependencies run: scancentral package $PACKAGE_OPTS -o package.zip env: 
@@ -67,7 +67,7 @@ jobs: # Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used). # Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal. - name: Download Fortify on Demand Universal CI Tool - uses: fortify/gha-setup-fod-uploader@v1 + uses: fortify/gha-setup-fod-uploader@6e6bb8a33cb476e240929fa8ebc739ff110e7433 - name: Perform SAST Scan run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES" env: @@ -82,7 +82,7 @@ jobs: # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. - name: Export results to GitHub-optimized SARIF - uses: fortify/gha-export-vulnerabilities@v1 + uses: fortify/gha-export-vulnerabilities@fcb374411cff9809028c911dabb8b57dbdae623b with: fod_base_url: "https://ams.fortify.com/" fod_tenant: ${{ secrets.FOD_TENANT }} From 5a1343bb22091fcb394e257bbfd53a5be55cabd9 Mon Sep 17 00:00:00 2001 From: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Date: Thu, 23 Sep 2021 10:29:50 +0530 Subject: [PATCH 075/844] Adding template - Build Xcode project (#1095) * adding build for xcode * renaming template Co-authored-by: Ashwin Sangem --- ci/objective-c-xcode.yml | 30 +++++++++++++++++++ .../objective-c-xcode.properties.json | 6 ++++ 2 files changed, 36 insertions(+) create mode 100644 ci/objective-c-xcode.yml create mode 100644 ci/properties/objective-c-xcode.properties.json diff --git a/ci/objective-c-xcode.yml b/ci/objective-c-xcode.yml new file mode 100644 index 0000000000..db009b0f17 --- /dev/null +++ b/ci/objective-c-xcode.yml 
@@ -0,0 +1,30 @@ +name: Xcode - Build and Analyze + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + +jobs: + build: + name: Build and analyse default scheme using xcodebuild command + runs-on: macos-latest + + steps: + - name: Checkout + uses: actions/checkout@v2 + - name: Set Default Scheme + run: | + scheme_list=$(xcodebuild -list -json | tr -d "\n") + default=$(echo $scheme_list | ruby -e "require 'json'; puts JSON.parse(STDIN.gets)['project']['targets'][0]") + echo $default | cat >default + echo Using default scheme: $default + - name: Build + env: + scheme: ${{ 'default' }} + run: | + if [ $scheme = default ]; then scheme=$(cat default); fi + if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi + file_to_build=`echo $file_to_build | awk '{$1=$1;print}'` + xcodebuild clean build analyze -scheme "$scheme" -"$filetype_parameter" "$file_to_build" | xcpretty && exit ${PIPESTATUS[0]} diff --git a/ci/properties/objective-c-xcode.properties.json b/ci/properties/objective-c-xcode.properties.json new file mode 100644 index 0000000000..e6068feb00 --- /dev/null +++ b/ci/properties/objective-c-xcode.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Xcode - Build and Analyze", + "description": "Build Xcode project using xcodebuild", + "iconName": "xcode", + "categories": ["Continuous integration", "Xcode", "Objective-C"] +} From 4a9a1680df0712aead69b443e6f41ef5a3aaff80 Mon Sep 17 00:00:00 2001 From: Randy Kleinman <76182417+rkleinman-hpe@users.noreply.github.com> Date: Fri, 24 Sep 2021 17:05:34 -0500 Subject: [PATCH 076/844] Update README grammar (#1123) substitue -> substitute --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 77506d41bd..f39892f31c 100644 --- a/README.md +++ b/README.md 
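Review bot: The scheme handling in the `Build` step is unquoted, so a target name containing whitespace breaks the test: `[ $scheme = default ]` becomes `[: too many arguments` and the step fails before `xcodebuild` runs. Quote the expansions, `if [ "$scheme" = default ]; then scheme=$(cat default); fi`, and in the previous step write the value with `printf '%s\n' "$default" > default` instead of `echo $default | cat >default`. Also worth a comment: the "default scheme" is read from `['project']['targets'][0]`, which is a target rather than a scheme; they usually share a name in generated projects, but that is an assumption the template should state (and confirm `xcpretty` is present on the macOS runner, since the pipeline depends on it).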
@@ -45,5 +45,5 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`. These variables can be placed in the starter workflow and will be substituted as detailed below: * `$default-branch`: will substitute the branch from the repository, for example `main` and `master` -* `$protected-branches`: will substitue any protected branches from the repository. +* `$protected-branches`: will substitute any protected branches from the repository * `$cron-daily`: will substitute a valid but random time within the day From b58a4e21c6a523516a4c6d5d108a28281e9b7814 Mon Sep 17 00:00:00 2001 From: Nick Fyson Date: Mon, 27 Sep 2021 20:32:30 +0100 Subject: [PATCH 077/844] start validating code-scanning workflows --- script/validate-data/index.ts | 2 +- script/validate-data/settings.json | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 8413653194..8153936963 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -49,7 +49,7 @@ async function checkWorkflows(folders: string[]): Promise }); for (const e of dir) { - if (e.isFile()) { + if (e.isFile() && extname(e.name) === ".yml") { const fileType = basename(e.name, extname(e.name)) const workflowFilePath = join(folder, e.name); diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index f7c08cfe96..01092cc3c1 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json @@ -2,6 +2,7 @@ "folders": [ "../../ci", "../../automation", - "../../deployments" + "../../deployments", + "../../code-scanning" ] } \ No newline at end of file From cb6678504a1584c607f7472df3c5ecc7ba72ad31 Mon Sep 17 00:00:00 2001 
From: Ruud Senden Date: Tue, 28 Sep 2021 10:24:29 +0200 Subject: [PATCH 078/844] File renames as requested in PR comments --- code-scanning/{fortify-on-demand.yml => fortify.yml} | 0 .../{fortify-on-demand.properties.json => fortify.json} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename code-scanning/{fortify-on-demand.yml => fortify.yml} (100%) rename code-scanning/properties/{fortify-on-demand.properties.json => fortify.json} (100%) diff --git a/code-scanning/fortify-on-demand.yml b/code-scanning/fortify.yml similarity index 100% rename from code-scanning/fortify-on-demand.yml rename to code-scanning/fortify.yml diff --git a/code-scanning/properties/fortify-on-demand.properties.json b/code-scanning/properties/fortify.json similarity index 100% rename from code-scanning/properties/fortify-on-demand.properties.json rename to code-scanning/properties/fortify.json From 70655750b2798ee5171c044e10795b992e27ee6f Mon Sep 17 00:00:00 2001 From: Nick Fyson Date: Tue, 28 Sep 2021 09:37:43 +0100 Subject: [PATCH 079/844] check for yml and yaml extensions --- script/validate-data/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 8153936963..84518d7453 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -49,7 +49,7 @@ async function checkWorkflows(folders: string[]): Promise }); for (const e of dir) { - if (e.isFile() && extname(e.name) === ".yml") { + if (e.isFile() && [".yml", ".yaml"].includes(extname(e.name))) { const fileType = basename(e.name, extname(e.name)) const workflowFilePath = join(folder, e.name); From f0b8c8ad72c009ca3093b9919e70a6325b49aa44 Mon Sep 17 00:00:00 2001 
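Review bot: The extension check `[".yml", ".yaml"].includes(extname(e.name))` is case-sensitive, so a workflow file named `Foo.YML` or `foo.Yaml` is silently excluded from validation rather than flagged, which defeats the purpose of the script. Normalising first, `[".yml", ".yaml"].includes(extname(e.name).toLowerCase())`, closes that gap; alternatively, report any non-matching file in `folder` that is not under `properties/` so nothing can bypass the check unnoticed. The enclosing `checkWorkflows` function starts and ends outside this hunk.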
From: Gary Houbre Date: Tue, 28 Sep 2021 11:41:17 +0200 Subject: [PATCH 080/844] Starter workflow Symfony (#1069) * Add Symfony to starter Workflow * Added Properties from Symfony * Update symfony.yml * Update symfony.yml * Update symfony.yml * Fix Wrong Configuration * Review and fixing * Update Symfony Properties Category Co-authored-by: Ashwin Sangem --- ci/properties/symfony.properties.json | 10 +++++++ ci/symfony.yml | 39 +++++++++++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 ci/properties/symfony.properties.json create mode 100644 ci/symfony.yml diff --git a/ci/properties/symfony.properties.json b/ci/properties/symfony.properties.json new file mode 100644 index 0000000000..ea9a950834 --- /dev/null +++ b/ci/properties/symfony.properties.json @@ -0,0 +1,10 @@ +{ + "name": "Symfony", + "description": "Test a Symfony project.", + "iconName": "php", + "categories": [ + "Continuous integration", + "PHP", + "Symfony" + ] +} \ No newline at end of file diff --git a/ci/symfony.yml b/ci/symfony.yml new file mode 100644 index 0000000000..7d1ca7460f --- /dev/null +++ b/ci/symfony.yml 
@@ -0,0 +1,39 @@ +name: Symfony + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + +jobs: + symfony-tests: + runs-on: ubuntu-latest + steps: + # To automatically get bug fixes and new Php versions for shivammathur/setup-php, + # change this to (see https://github.com/shivammathur/setup-php#bookmark-versioning): + # uses: shivammathur/setup-php@v2 + - uses: shivammathur/setup-php@2cb9b829437ee246e9b3cac53555a39208ca6d28 + with: + php-version: '8.0' + - uses: actions/checkout@v2 + - name: Copy .env.test.local + run: php -r "file_exists('.env.test.local') || copy('.env.test', '.env.test.local');" + - name: Cache Composer packages + id: composer-cache + uses: actions/cache@v2 + with: + path: vendor + key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }} + restore-keys: | + ${{ runner.os }}-php- + - name: Install Dependencies + run: composer install -q --no-ansi --no-interaction --no-scripts --no-progress --prefer-dist + - name: Create Database + run: | + mkdir -p data + touch data/database.sqlite + - name: Execute tests (Unit and Feature tests) via PHPUnit + env: + DATABASE_URL: sqlite:///%kernel.project_dir%/data/database.sqlite + run: vendor/bin/phpunit From 7f30309ccedb0e3dee186e0ee58c232752a78e24 Mon Sep 17 00:00:00 2001 
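Review bot: The `Install Dependencies` step passes `--no-scripts` to `composer install` with no explanation, and since this workflow runs on `pull_request` the flag is doing security work (Composer scripts defined in the checked-out tree would otherwise execute on the runner) while also skipping Symfony's `auto-scripts` such as `cache:clear`, which some test suites rely on. A comment above the step saying exactly that, and that users who need `auto-scripts` should drop the flag knowingly, would save the next maintainer a debugging session. The pinning is also inconsistent: `shivammathur/setup-php` is SHA-pinned with a helpful comment, while `actions/checkout@v2` and `actions/cache@v2` float on tags; that matches the repository's apparent convention for GitHub-owned actions, but a one-line comment stating that convention would make the asymmetry deliberate rather than accidental.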
From: Fernando de Oliveira <5161098+fedeoliv@users.noreply.github.com> Date: Wed, 29 Sep 2021 02:02:01 -0300 Subject: [PATCH 081/844] Azure Data Factory CI starter workflow (#1111) * Azure Data Factory CI starter workflow * fix: data factory starter categories * fix: checkout step formatting * fix: data-factory-export targeting latest version * feature: latest adf validate and export versions * feature: Azure Data Factory tech_stack category for CI starter Co-authored-by: Fernando de Oliveira <5161098+fernandoBRS@users.noreply.github.com> --- ci/azure-data-factory.yml | 47 +++++++++++++++++++ .../azure-data-factory.properties.json | 7 +++ icons/azure-data-factory.svg | 1 + 3 files changed, 55 insertions(+) create mode 100644 ci/azure-data-factory.yml create mode 100644 ci/properties/azure-data-factory.properties.json create mode 100644 icons/azure-data-factory.svg diff --git a/ci/azure-data-factory.yml b/ci/azure-data-factory.yml new file mode 100644 index 0000000000..776e250c75 --- /dev/null +++ b/ci/azure-data-factory.yml 
@@ -0,0 +1,47 @@ +# Sample workflow to validate Azure Data Factory resources and export its ARM template as an artifact +# Note: Ensure you have the following package.json in the same directory of your ADF resources + +# { +# "scripts":{ +# "build":"node node_modules/@microsoft/azure-data-factory-utilities/lib/index" +# }, +# "dependencies":{ +# "@microsoft/azure-data-factory-utilities":"^0.1.5" +# } +# } + +name: Data Factory CI + +on: + pull_request: + branches: [ $default-branch, $protected-branches ] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Code checkout + uses: actions/checkout@v2 + + - name: Validate + uses: Azure/data-factory-validate-action@v1.1.3 + # with: + # path: # replace by the folder that contains the Data Factory resources and the package.json + + # Generate the ARM template into the destination folder, which is the same as selecting "Publish" from the UX. + # The ARM template generated isn't published to the live version of the factory. + - name: Export ARM Template + id: export + uses: Azure/data-factory-export-action@v1.1.0 + # with: + # path: # replace by the folder that contains the Data Factory resources and the package.json + + - name: Publish artifact + uses: actions/upload-artifact@v2 + with: + name: Data Factory package + path: ${{ steps.export.outputs.arm-template-directory }} + if-no-files-found: error diff --git a/ci/properties/azure-data-factory.properties.json b/ci/properties/azure-data-factory.properties.json new file mode 100644 index 0000000000..f1e7f5bfa1 --- /dev/null +++ b/ci/properties/azure-data-factory.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Azure Data Factory", + "creator": "Microsoft Azure", + "description": "Build and validate Azure Data Factory resources", + "iconName": "azure-data-factory", + "categories": ["Continuous integration", "Azure Data Factory"] +} 
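Review bot: `Azure/data-factory-validate-action@v1.1.3` and `Azure/data-factory-export-action@v1.1.0` are third-party actions pinned to mutable tags, whereas the other third-party actions landing in this series (Fortify, Cloudrail, setup-php) are pinned to full commit SHAs; a tag can be moved to different code after review, so pin these the same way, e.g. `uses: Azure/data-factory-validate-action@<full-sha> # v1.1.3`. The commented-out `path:` inputs should also say what the default is when omitted, since the workflow is otherwise validating whatever the action's default directory happens to be. This file is reverted later in the same series, so the point only matters if it is re-landed.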
diff --git a/icons/azure-data-factory.svg b/icons/azure-data-factory.svg new file mode 100644 index 0000000000..22373367da --- /dev/null +++ b/icons/azure-data-factory.svg @@ -0,0 +1 @@ +Icon-databases-126 \ No newline at end of file From 8c91a4c02f685e9ef8bf91b40cc51016d7b7e090 Mon Sep 17 00:00:00 2001 From: Sheldon Warkentin Date: Wed, 29 Sep 2021 13:45:57 -0600 Subject: [PATCH 082/844] Remoev mention of trial for Mayhem for API A free plan is now in place with a professional trial that may be opted into afterward. --- code-scanning/mayhem-for-api.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml index 0aab0b4601..59d66a003e 100644 --- a/code-scanning/mayhem-for-api.yml +++ b/code-scanning/mayhem-for-api.yml @@ -10,7 +10,7 @@ # To use this workflow, you will need to: # # 1. Create a Mayhem for API account at -# https://mayhem4api.forallsecure.com/signup (30-day free trial) +# https://mayhem4api.forallsecure.com/signup # # 2. Create a service account token `mapi organization service-account create # ` From 6b053712bee09ee0862f8768f1810139cc3a95c4 Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Thu, 30 Sep 2021 07:31:43 +0530 Subject: [PATCH 083/844] Added dockerfile to relevant CD template categories. (#1136) * Added Dockerfile to Category for relevant CD templates. * Update terraform.properties.json --- deployments/properties/alibabacloud.properties.json | 2 +- deployments/properties/google.properties.json | 2 +- deployments/properties/ibm.properties.json | 2 +- deployments/properties/tencent.properties.json | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/deployments/properties/alibabacloud.properties.json b/deployments/properties/alibabacloud.properties.json index 1ce285fc8c..d416d88371 100644 --- a/deployments/properties/alibabacloud.properties.json +++ b/deployments/properties/alibabacloud.properties.json 
@@ -3,5 +3,5 @@ "description": "Deploy a container to Alibaba Cloud Container Service for Kubernetes (ACK).", "creator": "Alibaba Cloud", "iconName": "alibabacloud", - "categories": ["Deployment"] + "categories": ["Deployment", "Dockerfile"] } diff --git a/deployments/properties/google.properties.json b/deployments/properties/google.properties.json index c7f216fc01..6318106491 100644 --- a/deployments/properties/google.properties.json +++ b/deployments/properties/google.properties.json @@ -3,5 +3,5 @@ "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", "creator": "Google Cloud", "iconName": "googlegke", - "categories": ["Deployment"] + "categories": ["Deployment", "Dockerfile"] } \ No newline at end of file diff --git a/deployments/properties/ibm.properties.json b/deployments/properties/ibm.properties.json index 42196907de..8e5b047bca 100644 --- a/deployments/properties/ibm.properties.json +++ b/deployments/properties/ibm.properties.json @@ -3,5 +3,5 @@ "description": "Build a docker container, publish it to IBM Cloud Container Registry, and deploy to IBM Cloud Kubernetes Service.", "creator": "IBM", "iconName": "ibm", - "categories": ["Deployment"] + "categories": ["Deployment", "Dockerfile"] } \ No newline at end of file diff --git a/deployments/properties/tencent.properties.json b/deployments/properties/tencent.properties.json index 32d0da71d8..df183561b1 100644 --- a/deployments/properties/tencent.properties.json +++ b/deployments/properties/tencent.properties.json @@ -3,5 +3,5 @@ "description": "This workflow will build a docker container, publish and deploy it to Tencent Kubernetes Engine (TKE).", "creator": "Tencent Cloud", "iconName": "tencentcloud", - "categories": ["Deployment"] + "categories": ["Deployment", "Dockerfile"] } \ No newline at end of file From 02d91c6ccfbd5c7bfe25e397dfe80882a725b364 Mon Sep 17 00:00:00 2001 
From: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Date: Thu, 30 Sep 2021 10:19:20 +0530 Subject: [PATCH 084/844] checking for allowed category in validate-data script (#1131) * checking for allowed category * Update index.ts --- ci/properties/super-linter.properties.json | 2 +- script/validate-data/index.ts | 13 ++++++++----- script/validate-data/settings.json | 6 ++++++ 3 files changed, 15 insertions(+), 6 deletions(-) diff --git a/ci/properties/super-linter.properties.json b/ci/properties/super-linter.properties.json index e070300454..0be52e1411 100644 --- a/ci/properties/super-linter.properties.json +++ b/ci/properties/super-linter.properties.json @@ -2,5 +2,5 @@ "name": "Super Linter - Run Linters for several languages", "description": "Run linters for several languages on your code base for changed files", "iconName": "octicon check-circle", - "categories": ["code-quality", "code-review"] + "categories": ["Continuous integration", "code-quality", "code-review"] } diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 84518d7453..7dce3d1494 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -40,7 +40,7 @@ const propertiesSchema = { } } -async function checkWorkflows(folders: string[]): Promise { +async function checkWorkflows(folders: string[], allowed_categories: string[]): Promise { const result: WorkflowWithErrors[] = [] const workflow_template_names = new Set() for (const folder of folders) { 
@@ -55,7 +55,7 @@ async function checkWorkflows(folders: string[]): Promise const workflowFilePath = join(folder, e.name); const propertiesFilePath = join(folder, "properties", `${fileType}.properties.json`) - const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath); + const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, allowed_categories); if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) { workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) } @@ -69,13 +69,12 @@ async function checkWorkflows(folders: string[]): Promise return result; } -async function checkWorkflow(workflowPath: string, propertiesPath: string): Promise { +async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: string[]): Promise { let workflowErrors: WorkflowWithErrors = { id: workflowPath, name: null, errors: [] } - try { const workflowFileContent = await fs.readFile(workflowPath, "utf8"); safeLoad(workflowFileContent); // Validate yaml parses without error @@ -105,6 +104,10 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string): Prom } } + if (!workflowPath.endsWith("blank.yml") && (!properties.categories || + !properties.categories.some(category => allowed_categories.some(ac => ac.toLowerCase() == category.toLowerCase())))) { + workflowErrors.errors.push(`Workflow does not contain at least one allowed category - ${allowed_categories}`) + } } catch (e) { workflowErrors.errors.push(e.toString()) } @@ -115,7 +118,7 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string): Prom try { const settings = require("./settings.json"); const erroredWorkflows = await checkWorkflows( - settings.folders + settings.folders, settings.allowed_categories ) if (erroredWorkflows.length > 0) { 
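Review bot: The new category check dereferences `allowed_categories` without validating it; if `settings.json` lacks the key (or it is not an array of strings), `allowed_categories.some` throws inside the surrounding `try`, so every workflow is reported with a `TypeError` rather than one clear configuration error. Validate once at the call site, e.g. `if (!Array.isArray(settings.allowed_categories) || settings.allowed_categories.length === 0) throw new Error("settings.json: allowed_categories must be a non-empty array")` before `checkWorkflows(...)`. Also prefer `===` over `==` in `ac.toLowerCase() == category.toLowerCase()` for consistency with strict comparison elsewhere. `checkWorkflow` begins outside this hunk.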
diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index 01092cc3c1..ce89e36947 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json @@ -4,5 +4,11 @@ "../../automation", "../../deployments", "../../code-scanning" + ], + "allowed_categories" : [ + "Continuous integration", + "Deployment", + "Code Scanning", + "Automation" ] } \ No newline at end of file From 7b9e3b68582d04b65cb955fb75c48342450b7f3b Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Fri, 1 Oct 2021 18:50:08 +0530 Subject: [PATCH 085/844] Revert "Azure Data Factory CI starter workflow (#1111)" (#1146) This reverts commit 7f30309ccedb0e3dee186e0ee58c232752a78e24. --- ci/azure-data-factory.yml | 47 ------------------- .../azure-data-factory.properties.json | 7 --- icons/azure-data-factory.svg | 1 - 3 files changed, 55 deletions(-) delete mode 100644 ci/azure-data-factory.yml delete mode 100644 ci/properties/azure-data-factory.properties.json delete mode 100644 icons/azure-data-factory.svg diff --git a/ci/azure-data-factory.yml b/ci/azure-data-factory.yml deleted file mode 100644 index 776e250c75..0000000000 --- a/ci/azure-data-factory.yml +++ /dev/null 
@@ -1,47 +0,0 @@ -# Sample workflow to validate Azure Data Factory resources and export its ARM template as an artifact -# Note: Ensure you have the following package.json in the same directory of your ADF resources - -# { -# "scripts":{ -# "build":"node node_modules/@microsoft/azure-data-factory-utilities/lib/index" -# }, -# "dependencies":{ -# "@microsoft/azure-data-factory-utilities":"^0.1.5" -# } -# } - -name: Data Factory CI - -on: - pull_request: - branches: [ $default-branch, $protected-branches ] - - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - steps: - - name: Code checkout - uses: actions/checkout@v2 - - - name: Validate - uses: Azure/data-factory-validate-action@v1.1.3 - # with: - # path: # replace by the folder that contains the Data Factory resources and the package.json - - # Generate the ARM template into the destination folder, which is the same as selecting "Publish" from the UX. - # The ARM template generated isn't published to the live version of the factory. - - name: Export ARM Template - id: export - uses: Azure/data-factory-export-action@v1.1.0 - # with: - # path: # replace by the folder that contains the Data Factory resources and the package.json - - - name: Publish artifact - uses: actions/upload-artifact@v2 - with: - name: Data Factory package - path: ${{ steps.export.outputs.arm-template-directory }} - if-no-files-found: error diff --git a/ci/properties/azure-data-factory.properties.json b/ci/properties/azure-data-factory.properties.json deleted file mode 100644 index f1e7f5bfa1..0000000000 --- a/ci/properties/azure-data-factory.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Azure Data Factory", - "creator": "Microsoft Azure", - "description": "Build and validate Azure Data Factory resources", - "iconName": "azure-data-factory", - "categories": ["Continuous integration", "Azure Data Factory"] -} 
diff --git a/icons/azure-data-factory.svg b/icons/azure-data-factory.svg deleted file mode 100644 index 22373367da..0000000000 --- a/icons/azure-data-factory.svg +++ /dev/null @@ -1 +0,0 @@ -Icon-databases-126 \ No newline at end of file From 596b345944af4fbcae1bdcfaca339abd10bd82ed Mon Sep 17 00:00:00 2001 From: Sarah Edwards Date: Fri, 1 Oct 2021 12:07:03 -0700 Subject: [PATCH 086/844] use env variables for user-set values (#1117) Co-authored-by: Josh Gross --- deployments/aws.yml | 34 ++++++++++++++++++++++------------ 1 file changed, 22 insertions(+), 12 deletions(-) diff --git a/deployments/aws.yml b/deployments/aws.yml index 8b10116fa0..6a6643c98a 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml 
@@ -5,29 +5,40 @@ # # 1. Create an ECR repository to store your images. # For example: `aws ecr create-repository --repository-name my-ecr-repo --region us-east-2`. -# Replace the value of `ECR_REPOSITORY` in the workflow below with your repository's name. -# Replace the value of `aws-region` in the workflow below with your repository's region. +# Replace the value of the `ECR_REPOSITORY` environment variable in the workflow below with your repository's name. +# Replace the value of the `AWS_REGION` environment variable in the workflow below with your repository's region. # # 2. Create an ECS task definition, an ECS cluster, and an ECS service. # For example, follow the Getting Started guide on the ECS console: # https://us-east-2.console.aws.amazon.com/ecs/home?region=us-east-2#/firstRun -# Replace the values for `service` and `cluster` in the workflow below with your service and cluster names. +# Replace the value of the `ECS_SERVICE` environment variable in the workflow below with the name you set for the Amazon ECS service. +# Replace the value of the `ECS_CLUSTER` environment variable in the workflow below with the name you set for the cluster. # # 3. Store your ECS task definition as a JSON file in your repository. # The format should follow the output of `aws ecs register-task-definition --generate-cli-skeleton`. -# Replace the value of `task-definition` in the workflow below with your JSON file's name. -# Replace the value of `container-name` in the workflow below with the name of the container +# Replace the value of the `ECS_TASK_DEFINITION` environment variable in the workflow below with the path to the JSON file. +# Replace the value of the `CONTAINER_NAME` environment variable in the workflow below with the name of the container # in the `containerDefinitions` section of the task definition. # # 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. 
# See the documentation for each action used below for the recommended IAM policies for this IAM user, # and best practices on handling the access key credentials. +name: Deploy to Amazon ECS + on: release: types: [created] -name: Deploy to Amazon ECS +env: + AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1 + ECR_REPOSITORY: MY_ECR_REPOSITORY # set this to your Amazon ECR repository name + ECS_SERVICE: MY_ECS_SERVICE # set this to your Amazon ECS service name + ECS_CLUSTER: MY_ECS_CLUSTER # set this to your Amazon ECS cluster name + ECS_TASK_DEFINITION: MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition + # file, e.g. .aws/task-definition.json + CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the + # containerDefinitions section of your task definition jobs: deploy: @@ -44,7 +55,7 @@ jobs: with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: us-east-2 + aws-region: ${{ env.AWS_REGION }} - name: Login to Amazon ECR id: login-ecr @@ -54,7 +65,6 @@ jobs: id: build-image env: ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} - ECR_REPOSITORY: my-ecr-repo IMAGE_TAG: ${{ github.sha }} run: | # Build a docker container and @@ -68,14 +78,14 @@ jobs: id: task-def uses: aws-actions/amazon-ecs-render-task-definition@v1 with: - task-definition: task-definition.json - container-name: sample-app + task-definition: ${{ env.ECS_TASK_DEFINITION }} + container-name: ${{ env.CONTAINER_NAME }} image: ${{ steps.build-image.outputs.image }} - name: Deploy Amazon ECS task definition uses: aws-actions/amazon-ecs-deploy-task-definition@v1 with: task-definition: ${{ steps.task-def.outputs.task-definition }} - service: sample-app-service - cluster: default + service: ${{ env.ECS_SERVICE }} + cluster: ${{ env.ECS_CLUSTER }} wait-for-service-stability: true 
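Review bot: The new top-level `name`/`on`/`env` block is where a `permissions:` stanza belongs, and the workflow sets none, so the job's `GITHUB_TOKEN` receives the repository's default permissions even though the only GitHub access visible here is the checkout; adding `permissions:` followed by `  contents: read` keeps a deploy workflow to least privilege. The placeholder values (`MY_AWS_REGION`, `MY_ECR_REPOSITORY`, …) are now consumed verbatim via `${{ env.… }}`, so a user who misses one gets a confusing AWS error; a short comment that every `MY_*` value must be replaced, or a first step that fails fast if any still starts with `MY_`, would help. Step 4's long-lived IAM access keys are unchanged by this commit, but if the `configure-aws-credentials` version in use supports `role-to-assume` via OIDC, the comments should point there as the preferred option.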
From c705225b8f52e676371b168efc00b6f60347c22d Mon Sep 17 00:00:00 2001 From: Yoni Leitersdorf Date: Mon, 4 Oct 2021 09:48:47 -0700 Subject: [PATCH 087/844] Apply suggestions from nickfyson's code review Co-authored-by: Nick Fyson --- code-scanning/cloudrail.yml | 2 +- code-scanning/properties/cloudrail.properties.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml index 474b97a3f1..9f95c5c754 100644 --- a/code-scanning/cloudrail.yml +++ b/code-scanning/cloudrail.yml @@ -43,7 +43,7 @@ jobs: - run: stat plan.out - name: Run Cloudrail - uses: indeni/cloudrail-run-ga@v1.3 + uses: indeni/cloudrail-run-ga@b56ed2d30913c975b36df231adc2eabf05523622 with: tf-plan-file: plan.out # This was created in a "terraform plan" step cloudrail-api-key: ${{ secrets.CLOUDRAIL_API_KEY }} # This requires registration to Indeni Cloudrail's SaaS at https://web.cloudrail.app diff --git a/code-scanning/properties/cloudrail.properties.json b/code-scanning/properties/cloudrail.properties.json index 36181c2735..830d966d4a 100644 --- a/code-scanning/properties/cloudrail.properties.json +++ b/code-scanning/properties/cloudrail.properties.json @@ -1,7 +1,7 @@ { "name": "cloudrail", "creator": "Indeni Cloudrail", - "description": "Cloudrail, by Indeni, can be used to scan your infrastructure-as-code files for potential security and compliance issues. The Cloudrail action is often used as part of both CI workflows (on pull_request) and on CD workflows to identify potential issues. Cloudrail's output uses the SARIF format, which will surface the scan's results directly inside your pull request.", + "description": "Cloudrail can be used to scan your infrastructure-as-code files for potential security and compliance issues. The Cloudrail action is often used as part of both CI workflows (on pull_request) and on CD workflows to identify potential issues.", "iconName": "cloudrail", "categories": ["Code Scanning", "HCL"] } 
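Review bot: The pin `indeni/cloudrail-run-ga@b56ed2d30913c975b36df231adc2eabf05523622` replaces `@v1.3` but drops the only human-readable version information; keep it as a trailing comment, `uses: indeni/cloudrail-run-ga@b56ed2d30913c975b36df231adc2eabf05523622 # v1.3`, so the pin can be audited and bumped. Since the unchanged inputs show the step sending `plan.out` to Indeni's SaaS, the inline comment should also warn that a Terraform plan file can embed variable values and resource attributes, so anything that must not leave the runner should not be in the plan. The job's earlier steps lie outside this hunk.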
From 85d2a866f0a645ca63143b55efeabd510673b5d4 Mon Sep 17 00:00:00 2001 From: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Date: Tue, 5 Oct 2021 11:22:46 +0530 Subject: [PATCH 088/844] removing "deployment" templates from sync-ghes (#1127) --- script/sync-ghes/settings.json | 1 - 1 file changed, 1 deletion(-) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index e4f50fa00c..9648ab449e 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -2,7 +2,6 @@ "folders": [ "../../ci", "../../automation", - "../../deployments", "../../code-scanning" ], "enabledActions": [ From 2a1abda503bbc05d90f27f56dc0820c20dfdb17c Mon Sep 17 00:00:00 2001 From: manuelbcd Date: Tue, 5 Oct 2021 09:30:45 +0200 Subject: [PATCH 089/844] Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson --- code-scanning/properties/sysdig-scan.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/sysdig-scan.properties.json b/code-scanning/properties/sysdig-scan.properties.json index 09bbd7bb26..e61c2e1631 100644 --- a/code-scanning/properties/sysdig-scan.properties.json +++ b/code-scanning/properties/sysdig-scan.properties.json @@ -2,6 +2,6 @@ "name": "Sysdigh Inline Scan", "creator": "Sysdig", "description": "Performs analysis on locally built container image and posts the results in SARIF report", - "iconName": "sysdig", + "iconName": "sysdig-scan", "categories": ["Code Scanning", "Dockerfile", "C", "C#", "C++", "Go", "Java", "JavaScript", "Node", "Python", "Powershell", "Ruby"] } From b7d9f15826dd424115512f2e638a9b1c952a3787 Mon Sep 17 00:00:00 2001 From: manuelbcd Date: Tue, 5 Oct 2021 09:30:53 +0200 Subject: [PATCH 090/844] Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson --- code-scanning/properties/sysdig-scan.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/code-scanning/properties/sysdig-scan.properties.json b/code-scanning/properties/sysdig-scan.properties.json index e61c2e1631..d39072e990 100644 --- a/code-scanning/properties/sysdig-scan.properties.json +++ b/code-scanning/properties/sysdig-scan.properties.json @@ -1,5 +1,5 @@ { - "name": "Sysdigh Inline Scan", + "name": "Sysdig Inline Scan", "creator": "Sysdig", "description": "Performs analysis on locally built container image and posts the results in SARIF report", "iconName": "sysdig-scan", From b55a65157e3ea87ec372ce9a4c4fdbacf6c12f1b Mon Sep 17 00:00:00 2001 From: manuelbcd Date: Tue, 5 Oct 2021 10:39:56 +0200 Subject: [PATCH 091/844] Changed svg logo --- icons/sysdig.svg | 51 ++++++++++++++---------------------------------- 1 file changed, 15 insertions(+), 36 deletions(-) diff --git a/icons/sysdig.svg b/icons/sysdig.svg index e98d27dc7a..31101c8295 100644 --- a/icons/sysdig.svg +++ b/icons/sysdig.svg @@ -1,37 +1,16 @@ - - - - - - + + + + + + + + + + + + + From b258b332347865c37c04023d8a5b24a6289e1523 Mon Sep 17 00:00:00 2001 From: manuelbcd Date: Tue, 5 Oct 2021 15:02:00 +0200 Subject: [PATCH 092/844] Rename sysdig.svg to sysdig-scan.svg --- icons/{sysdig.svg => sysdig-scan.svg} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename icons/{sysdig.svg => sysdig-scan.svg} (100%) diff --git a/icons/sysdig.svg b/icons/sysdig-scan.svg similarity index 100% rename from icons/sysdig.svg rename to icons/sysdig-scan.svg From 3c200bdb2180e82004d0c31c6d76685718232883 Mon Sep 17 00:00:00 2001 From: manuelbcd Date: Tue, 5 Oct 2021 15:09:31 +0200 Subject: [PATCH 093/844] Switched svg logo (again) for a better fit --- icons/sysdig-scan.svg | 17 +---------------- 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/icons/sysdig-scan.svg b/icons/sysdig-scan.svg index 31101c8295..85d5de0142 100644 --- a/icons/sysdig-scan.svg +++ b/icons/sysdig-scan.svg @@ -1,16 +1 @@ - - - - - - - - - - - - - - +Artboard 1 \ No newline at end of file 
From 6a1dba2d716a1156f1214755bd3e97f97189e0e8 Mon Sep 17 00:00:00 2001 From: Nick Fyson Date: Tue, 5 Oct 2021 20:44:48 +0100 Subject: [PATCH 094/844] Rename fortify.json to fortify.properties.json --- .../properties/{fortify.json => fortify.properties.json} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename code-scanning/properties/{fortify.json => fortify.properties.json} (100%) diff --git a/code-scanning/properties/fortify.json b/code-scanning/properties/fortify.properties.json similarity index 100% rename from code-scanning/properties/fortify.json rename to code-scanning/properties/fortify.properties.json From 2e38bc8da2eb1245a9e7426f57d9246d55d649f4 Mon Sep 17 00:00:00 2001 From: Yoni Leitersdorf Date: Wed, 6 Oct 2021 12:52:26 -0700 Subject: [PATCH 095/844] Correct character-case of "c" in Cloudrail --- code-scanning/cloudrail.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml index 9f95c5c754..00e270ad57 100644 --- a/code-scanning/cloudrail.yml +++ b/code-scanning/cloudrail.yml @@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. -name: cloudrail +name: Cloudrail on: push: From cbd5b645f1a79cf3496950ff6d0b66ddf0b71542 Mon Sep 17 00:00:00 2001 
From: Ashwin Sangem Date: Fri, 8 Oct 2021 17:31:42 +0530 Subject: [PATCH 096/844] Merge pull request #1110 from manuelbcd/main (#1155) * Added Cloudrail according to instructions and existing examples * Adding Cloudrail according to documentation and examples * Oops * Add original Fortify on Demand workflow * Update Fortify on Demand workflow * Update Fortify on Demand supported languages * Add 3rd-party GitHub Actions disclaimer * Sysdig Secure Inline Scan with SARIF report to starter workflows * Added some extra comments, Github Actions V2 and changed env vars * Reviews from PR #1110 * Adding 'Dockerfile' to category list * Update according to PR review comments * File renames as requested in PR comments * Revert "Azure Data Factory CI starter workflow (#1111)" (#1146) This reverts commit 7f30309ccedb0e3dee186e0ee58c232752a78e24. * use env variables for user-set values (#1117) Co-authored-by: Josh Gross * Apply suggestions from nickfyson's code review Co-authored-by: Nick Fyson * removing "deployment" templates from sync-ghes (#1127) * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Changed svg logo * Rename sysdig.svg to sysdig-scan.svg * Switched svg logo (again) for a better fit * Rename fortify.json to fortify.properties.json Co-authored-by: Yoni Leitersdorf Co-authored-by: Ruud Senden Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com> Co-authored-by: Manuel Boira Cuevas Co-authored-by: manuelbcd Co-authored-by: Nick Fyson Co-authored-by: Sarah Edwards Co-authored-by: Josh Gross Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Co-authored-by: manuelbcd --- ci/azure-data-factory.yml | 47 --------- .../azure-data-factory.properties.json | 7 -- code-scanning/cloudrail.yml | 58 +++++++++++ code-scanning/fortify.yml | 97 +++++++++++++++++++ .../properties/cloudrail.properties.json | 
7 ++ .../properties/fortify.properties.json | 7 ++ .../properties/sysdig-scan.properties.json | 7 ++ code-scanning/sysdig-scan.yml | 54 +++++++++++ deployments/aws.yml | 34 ++++--- icons/azure-data-factory.svg | 1 - icons/cloudrail.svg | 53 ++++++++++ icons/fortify.svg | 1 + icons/sysdig-scan.svg | 1 + script/sync-ghes/settings.json | 1 - 14 files changed, 307 insertions(+), 68 deletions(-) delete mode 100644 ci/azure-data-factory.yml delete mode 100644 ci/properties/azure-data-factory.properties.json create mode 100644 code-scanning/cloudrail.yml create mode 100644 code-scanning/fortify.yml create mode 100644 code-scanning/properties/cloudrail.properties.json create mode 100644 code-scanning/properties/fortify.properties.json create mode 100644 code-scanning/properties/sysdig-scan.properties.json create mode 100644 code-scanning/sysdig-scan.yml delete mode 100644 icons/azure-data-factory.svg create mode 100644 icons/cloudrail.svg create mode 100644 icons/fortify.svg create mode 100644 icons/sysdig-scan.svg diff --git a/ci/azure-data-factory.yml b/ci/azure-data-factory.yml deleted file mode 100644 index 776e250c75..0000000000 --- a/ci/azure-data-factory.yml +++ /dev/null 
@@ -1,47 +0,0 @@ -# Sample workflow to validate Azure Data Factory resources and export its ARM template as an artifact -# Note: Ensure you have the following package.json in the same directory of your ADF resources - -# { -# "scripts":{ -# "build":"node node_modules/@microsoft/azure-data-factory-utilities/lib/index" -# }, -# "dependencies":{ -# "@microsoft/azure-data-factory-utilities":"^0.1.5" -# } -# } - -name: Data Factory CI - -on: - pull_request: - branches: [ $default-branch, $protected-branches ] - - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - steps: - - name: Code checkout - uses: actions/checkout@v2 - - - name: Validate - uses: Azure/data-factory-validate-action@v1.1.3 - # with: - # path: # replace by the folder that contains the Data Factory resources and the package.json - - # Generate the ARM template into the destination folder, which is the same as selecting "Publish" from the UX. - # The ARM template generated isn't published to the live version of the factory. - - name: Export ARM Template - id: export - uses: Azure/data-factory-export-action@v1.1.0 - # with: - # path: # replace by the folder that contains the Data Factory resources and the package.json - - - name: Publish artifact - uses: actions/upload-artifact@v2 - with: - name: Data Factory package - path: ${{ steps.export.outputs.arm-template-directory }} - if-no-files-found: error diff --git a/ci/properties/azure-data-factory.properties.json b/ci/properties/azure-data-factory.properties.json deleted file mode 100644 index f1e7f5bfa1..0000000000 --- a/ci/properties/azure-data-factory.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Azure Data Factory", - "creator": "Microsoft Azure", - "description": "Build and validate Azure Data Factory resources", - "iconName": "azure-data-factory", - "categories": ["Continuous integration", "Azure Data Factory"] -} 
diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml new file mode 100644 index 0000000000..9f95c5c754 --- /dev/null +++ b/code-scanning/cloudrail.yml @@ -0,0 +1,58 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: cloudrail + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + cloudrail: + name: Run Indeni Cloudrail on Terraform code with SARIF output + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Clone repo + uses: actions/checkout@v2 + + # For Terraform, Cloudrail requires the plan as input. So we generate it using + # the Terraform core binary. + - uses: hashicorp/setup-terraform@v1 + with: + terraform_version: v0.13.2 + + - run: terraform init + + - run: terraform plan -out=plan.out + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + # Confirm we have the plan file + - run: stat plan.out + + - name: Run Cloudrail + uses: indeni/cloudrail-run-ga@b56ed2d30913c975b36df231adc2eabf05523622 + with: + tf-plan-file: plan.out # This was created in a "terraform plan" step + cloudrail-api-key: ${{ secrets.CLOUDRAIL_API_KEY }} # This requires registration to Indeni Cloudrail's SaaS at https://web.cloudrail.app + cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + # Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always() + # is needed to ensure the SARIF file is uploaded + if: always() + with: + sarif_file: cloudrail_results.sarif 
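Review bot: The binary plan written by `terraform plan -out=plan.out` embeds resolved variable values and the state it read, and the `cloudrail-api-key:` comment says the key registers with Indeni's SaaS, so the plan presumably leaves the runner with every secret that flows through a Terraform variable or state attribute — a caveat on the `tf-plan-file: plan.out` line is warranted, e.g. `# plan files carry variable values and state; mark secrets sensitive and review what leaves the runner`. The AWS keys on the plan step are withheld from fork pull requests, so the `pull_request` trigger will simply fail at `terraform plan` for external contributors rather than leak them; a one-line note saying so would spare users a confusing red check. `terraform_version: v0.13.2` pins a release already superseded at the time of the commit, presumably the one the action was validated against, so a `# TODO: set to the Terraform version your code targets` comment would make that explicit. The `cloud-account-id` comment also misspells "Analysis".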
diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml new file mode 100644 index 0000000000..d67d194897 --- /dev/null +++ b/code-scanning/fortify.yml 
@@ -0,0 +1,97 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +################################################################################################################################################ +# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,# +# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial # +# or contact our sales team, visit microfocus.com/appsecurity. # +# # +# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.# +# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into # +# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against # +# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the # +# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional # +# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. 
# +################################################################################################################################################ + +name: Fortify on Demand Scan + +# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time +on: + workflow_dispatch: + push: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + FoD-SAST-Scan: + # Use the appropriate runner for building your source code. + # TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax. + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + # Check out source code + - name: Check Out Source Code + uses: actions/checkout@v2 + + # Java is required to run the various Fortify utilities. + # When scanning a Java application, please use the appropriate Java version for building your application. + - name: Setup Java + uses: actions/setup-java@v1 + with: + java-version: 1.8 + + # Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml. + # TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints: + # ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle). + # ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner. + # ScanCentral has additional options that should be set for PHP and Python projects + # For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation. 
+ # ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/ + - name: Download Fortify ScanCentral Client + uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3 + - name: Package Code + Dependencies + run: scancentral package $PACKAGE_OPTS -o package.zip + env: + PACKAGE_OPTS: "-bt mvn" + + # Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java + # TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints: + # Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used). + # Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal. + - name: Download Fortify on Demand Universal CI Tool + uses: fortify/gha-setup-fod-uploader@6e6bb8a33cb476e240929fa8ebc739ff110e7433 + - name: Perform SAST Scan + run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES" + env: + FOD_URL: "https://ams.fortify.com/" + FOD_API_URL: "https://api.ams.fortify.com/" + FOD_TENANT: ${{ secrets.FOD_TENANT }} + FOD_USER: ${{ secrets.FOD_USER }} + FOD_PAT: ${{ secrets.FOD_PAT }} + FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }} + FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" + FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})' + + # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. 
+ - name: Export results to GitHub-optimized SARIF + uses: fortify/gha-export-vulnerabilities@fcb374411cff9809028c911dabb8b57dbdae623b + with: + fod_base_url: "https://ams.fortify.com/" + fod_tenant: ${{ secrets.FOD_TENANT }} + fod_user: ${{ secrets.FOD_USER }} + fod_password: ${{ secrets.FOD_PAT }} + fod_release_id: ${{ secrets.FOD_RELEASE_ID }} + + # Import Fortify on Demand results to GitHub Security Code Scanning + - name: Import Results + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ./gh-fortify-sast.sarif diff --git a/code-scanning/properties/cloudrail.properties.json b/code-scanning/properties/cloudrail.properties.json new file mode 100644 index 0000000000..830d966d4a --- /dev/null +++ b/code-scanning/properties/cloudrail.properties.json @@ -0,0 +1,7 @@ +{ + "name": "cloudrail", + "creator": "Indeni Cloudrail", + "description": "Cloudrail can be used to scan your infrastructure-as-code files for potential security and compliance issues. The Cloudrail action is often used as part of both CI workflows (on pull_request) and on CD workflows to identify potential issues.", + "iconName": "cloudrail", + "categories": ["Code Scanning", "HCL"] +} diff --git a/code-scanning/properties/fortify.properties.json b/code-scanning/properties/fortify.properties.json new file mode 100644 index 0000000000..100b4bb1b3 --- /dev/null +++ b/code-scanning/properties/fortify.properties.json 
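Review bot: The Perform SAST Scan step passes the personal access token as a positional command-line argument (`-uc "$FOD_USER" "$FOD_PAT"`), so for the duration of the upload it is readable from the runner's process table by anything else executing in the job; GitHub's secret masking covers job output, not argv. If fod-uploader can take the token from an environment variable or a file, that form should be used instead — TODO confirm against the fod-uploader README linked in the comment above the step. `actions/setup-java@v1` with `java-version: 1.8` is also the older generation of that action; its later majors require an explicit `distribution:`, so the template should record which JDK the scan was validated with, e.g. `# validated with setup-java@v1 / JDK 8; v2+ needs distribution:`.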
@@ -0,0 +1,7 @@ +{ + "name": "Fortify on Demand Scan", + "creator": "Micro Focus", + "description": "Integrate Fortify's comprehensive static code analysis (SAST) for 27+ languages into your DevSecOps workflows to build secure software faster.", + "iconName": "fortify", + "categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Go", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "Objective-C++", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML"] +} diff --git a/code-scanning/properties/sysdig-scan.properties.json b/code-scanning/properties/sysdig-scan.properties.json new file mode 100644 index 0000000000..d39072e990 --- /dev/null +++ b/code-scanning/properties/sysdig-scan.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Sysdig Inline Scan", + "creator": "Sysdig", + "description": "Performs analysis on locally built container image and posts the results in SARIF report", + "iconName": "sysdig-scan", + "categories": ["Code Scanning", "Dockerfile", "C", "C#", "C++", "Go", "Java", "JavaScript", "Node", "Python", "Powershell", "Ruby"] +} diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml new file mode 100644 index 0000000000..49841d728e --- /dev/null +++ b/code-scanning/sysdig-scan.yml 
@@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Sysdig - Build, scan, push and upload sarif report + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Build the Docker image + # Tag image to be built + # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag below + run: docker build . --file Dockerfile --tag ${{ github.repository }}:latest + + - name: Sysdig Secure Inline Scan + id: scan + uses: sysdiglabs/scan-action@768d7626a14897e0948ea89c8437dd46a814b163 + with: + # Tag of the image to analyse. + # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag above + image-tag: ${{ github.repository }}:latest + # API token for Sysdig Scanning auth + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN}} + # Sysdig secure endpoint. Please read: https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/ + # US-East https://secure.sysdig.com + # US-West https://us2.app.sysdig.com + # EU https://eu1.app.sysdig.com + sysdig-secure-url: https://us2.app.sysdig.com + dockerfile-path: ./Dockerfile + input-type: docker-daemon + ignore-failed-scan: true + # Sysdig inline scanner requires privileged rights + run-as-user: root + + - uses: github/codeql-action/upload-sarif@v1 + #Upload SARIF file + if: always() + with: + sarif_file: ${{ steps.scan.outputs.sarifReport }} \ No newline at end of file diff --git a/deployments/aws.yml b/deployments/aws.yml index 8b10116fa0..6a6643c98a 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml 
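Review bot: The `build` job has no `permissions:` block, while the cloudrail and fortify workflows added in the same commit grant `actions: read`, `contents: read`, `security-events: write`; the final `upload-sarif` step needs `security-events: write`, so in a repository whose default `GITHUB_TOKEN` is read-only the upload fails after the scan has already run. Adding the same block keeps the three templates consistent and the token least-privilege. Separately, `--tag ${{ github.repository }}:latest` uses the owner/repo string verbatim, and Docker rejects repository names containing uppercase letters, so an owner such as `MyOrg` breaks the build step; computing a lowercased name once and reusing it for both `--tag` and `image-tag` avoids the mismatch. `ignore-failed-scan: true` and `run-as-user: root` are deliberate, but a `# TODO: set ignore-failed-scan to false to gate the build on policy` comment would tell users the scan never blocks anything as shipped.
```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
      - uses: actions/checkout@v2

      # Docker repository names must be lowercase; github.repository keeps the owner's case.
      - name: Compute image name
        run: echo "IMAGE=$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]'):latest" >> "$GITHUB_ENV"

      - name: Build the Docker image
        run: docker build . --file Dockerfile --tag "$IMAGE"

      # … unchanged: Sysdig Secure Inline Scan step, with image-tag: ${{ env.IMAGE }} …
      # … unchanged: upload-sarif step …
```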
@@ -5,29 +5,40 @@ # # 1. Create an ECR repository to store your images. # For example: `aws ecr create-repository --repository-name my-ecr-repo --region us-east-2`. -# Replace the value of `ECR_REPOSITORY` in the workflow below with your repository's name. -# Replace the value of `aws-region` in the workflow below with your repository's region. +# Replace the value of the `ECR_REPOSITORY` environment variable in the workflow below with your repository's name. +# Replace the value of the `AWS_REGION` environment variable in the workflow below with your repository's region. # # 2. Create an ECS task definition, an ECS cluster, and an ECS service. # For example, follow the Getting Started guide on the ECS console: # https://us-east-2.console.aws.amazon.com/ecs/home?region=us-east-2#/firstRun -# Replace the values for `service` and `cluster` in the workflow below with your service and cluster names. +# Replace the value of the `ECS_SERVICE` environment variable in the workflow below with the name you set for the Amazon ECS service. +# Replace the value of the `ECS_CLUSTER` environment variable in the workflow below with the name you set for the cluster. # # 3. Store your ECS task definition as a JSON file in your repository. # The format should follow the output of `aws ecs register-task-definition --generate-cli-skeleton`. -# Replace the value of `task-definition` in the workflow below with your JSON file's name. -# Replace the value of `container-name` in the workflow below with the name of the container +# Replace the value of the `ECS_TASK_DEFINITION` environment variable in the workflow below with the path to the JSON file. +# Replace the value of the `CONTAINER_NAME` environment variable in the workflow below with the name of the container # in the `containerDefinitions` section of the task definition. # # 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. 
# See the documentation for each action used below for the recommended IAM policies for this IAM user, # and best practices on handling the access key credentials. +name: Deploy to Amazon ECS + on: release: types: [created] -name: Deploy to Amazon ECS +env: + AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1 + ECR_REPOSITORY: MY_ECR_REPOSITORY # set this to your Amazon ECR repository name + ECS_SERVICE: MY_ECS_SERVICE # set this to your Amazon ECS service name + ECS_CLUSTER: MY_ECS_CLUSTER # set this to your Amazon ECS cluster name + ECS_TASK_DEFINITION: MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition + # file, e.g. .aws/task-definition.json + CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the + # containerDefinitions section of your task definition jobs: deploy: @@ -44,7 +55,7 @@ jobs: with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: us-east-2 + aws-region: ${{ env.AWS_REGION }} - name: Login to Amazon ECR id: login-ecr @@ -54,7 +65,6 @@ jobs: id: build-image env: ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} - ECR_REPOSITORY: my-ecr-repo IMAGE_TAG: ${{ github.sha }} run: | # Build a docker container and @@ -68,14 +78,14 @@ jobs: id: task-def uses: aws-actions/amazon-ecs-render-task-definition@v1 with: - task-definition: task-definition.json - container-name: sample-app + task-definition: ${{ env.ECS_TASK_DEFINITION }} + container-name: ${{ env.CONTAINER_NAME }} image: ${{ steps.build-image.outputs.image }} - name: Deploy Amazon ECS task definition uses: aws-actions/amazon-ecs-deploy-task-definition@v1 with: task-definition: ${{ steps.task-def.outputs.task-definition }} - service: sample-app-service - cluster: default + service: ${{ env.ECS_SERVICE }} + cluster: ${{ env.ECS_CLUSTER }} wait-for-service-stability: true 
diff --git a/icons/azure-data-factory.svg b/icons/azure-data-factory.svg deleted file mode 100644 index 22373367da..0000000000 --- a/icons/azure-data-factory.svg +++ /dev/null @@ -1 +0,0 @@ -Icon-databases-126 \ No newline at end of file diff --git a/icons/cloudrail.svg b/icons/cloudrail.svg new file mode 100644 index 0000000000..9aaf9c3d60 --- /dev/null +++ b/icons/cloudrail.svg @@ -0,0 +1,53 @@ + + + + + + + + + + + + + + diff --git a/icons/fortify.svg b/icons/fortify.svg new file mode 100644 index 0000000000..45a0d77f57 --- /dev/null +++ b/icons/fortify.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/icons/sysdig-scan.svg b/icons/sysdig-scan.svg new file mode 100644 index 0000000000..85d5de0142 --- /dev/null +++ b/icons/sysdig-scan.svg @@ -0,0 +1 @@ +Artboard 1 \ No newline at end of file diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index e4f50fa00c..9648ab449e 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -2,7 +2,6 @@ "folders": [ "../../ci", "../../automation", - "../../deployments", "../../code-scanning" ], "enabledActions": [ From ad91ff259d7cecd18ae3822a3276cd861b05fd5d Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Mon, 11 Oct 2021 14:58:21 +0530 Subject: [PATCH 097/844] AWS template also used Docker --- deployments/properties/aws.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/properties/aws.properties.json b/deployments/properties/aws.properties.json index 10a7ed34f7..1b5955a173 100644 --- a/deployments/properties/aws.properties.json +++ b/deployments/properties/aws.properties.json @@ -3,5 +3,5 @@ "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.", "creator": "Amazon Web Services", "iconName": "aws", - "categories": ["Deployment"] -} \ No newline at end of file + "categories": ["Deployment", "Dockerfile"] +} 
From 6b14bf21cbdaa4a53dd4b2254999f6b8e4116e77 Mon Sep 17 00:00:00 2001 From: Sarah Edwards Date: Mon, 11 Oct 2021 12:53:15 -0700 Subject: [PATCH 098/844] trigger on push instead of release (#1157) Co-authored-by: Josh Gross --- deployments/alibabacloud.yml | 7 ++++--- deployments/aws.yml | 7 ++++--- deployments/azure.yml | 7 ++++--- deployments/google.yml | 7 ++++--- deployments/ibm.yml | 7 ++++--- deployments/tencent.yml | 7 ++++--- 6 files changed, 24 insertions(+), 18 deletions(-) diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index 9ccc0333b9..ded91780b0 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -1,5 +1,5 @@ # This workflow will build and push a new container image to Alibaba Cloud Container Registry (ACR), -# and then will deploy it to Alibaba Cloud Container Service for Kubernetes (ACK), when a release is created. +# and then will deploy it to Alibaba Cloud Container Service for Kubernetes (ACK), when there is a push to the $default-branch branch. # # To use this workflow, you will need to complete the following set-up steps: # @@ -20,8 +20,9 @@ name: Build and Deploy to ACK on: - release: - types: [created] + push: + branches: + - $default-branch # Environment variables available to all jobs and steps in this workflow. env: diff --git a/deployments/aws.yml b/deployments/aws.yml index 6a6643c98a..dab851f906 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -1,5 +1,5 @@ # This workflow will build and push a new container image to Amazon ECR, -# and then will deploy a new task definition to Amazon ECS, when a release is created +# and then will deploy a new task definition to Amazon ECS, when there is a push to the $default-branch branch. # # To use this workflow, you will need to complete the following set-up steps: # 
@@ -27,8 +27,9 @@ name: Deploy to Amazon ECS on: - release: - types: [created] + push: + branches: + - $default-branch env: AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1 diff --git a/deployments/azure.yml b/deployments/azure.yml index 0262b4920f..904ff2545c 100644 --- a/deployments/azure.yml +++ b/deployments/azure.yml @@ -1,4 +1,4 @@ -# This workflow will build and push a node.js application to an Azure Web App when a release is created. +# This workflow will build and push a node.js application to an Azure Web App when there is a push to the $default-branch branch. # # This workflow assumes you have already created the target Azure App Service web app. # For instructions see https://docs.microsoft.com/azure/app-service/app-service-plan-manage#create-an-app-service-plan @@ -16,8 +16,9 @@ # For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions # For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples on: - release: - types: [created] + push: + branches: + - $default-branch env: AZURE_WEBAPP_NAME: your-app-name # set this to your application's name diff --git a/deployments/google.yml b/deployments/google.yml index 5e803edba5..267d3cb7bd 100644 --- a/deployments/google.yml +++ b/deployments/google.yml @@ -1,4 +1,4 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when a release is created +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. # # To configure this workflow: # @@ -13,8 +13,9 @@ name: Build and Deploy to GKE on: - release: - types: [created] + push: + branches: + - $default-branch env: PROJECT_ID: ${{ secrets.GKE_PROJECT }} diff --git a/deployments/ibm.yml b/deployments/ibm.yml index a8502cdd0c..216b04d587 100644 
--- a/deployments/ibm.yml +++ b/deployments/ibm.yml @@ -1,4 +1,4 @@ -# This workflow will build a docker container, publish it to IBM Container Registry, and deploy it to IKS when a release is created +# This workflow will build a docker container, publish it to IBM Container Registry, and deploy it to IKS when there is a push to the $default-branch branch. # # To configure this workflow: # @@ -9,8 +9,9 @@ name: Build and Deploy to IKS on: - release: - types: [created] + push: + branches: + - $default-branch # Environment variables available to all jobs and steps in this workflow env: diff --git a/deployments/tencent.yml b/deployments/tencent.yml index 0be339e181..83bde94579 100644 --- a/deployments/tencent.yml +++ b/deployments/tencent.yml @@ -1,4 +1,4 @@ -# This workflow will build a docker container, publish and deploy it to Tencent Kubernetes Engine (TKE). +# This workflow will build a docker container, publish and deploy it to Tencent Kubernetes Engine (TKE) when there is a push to the $default-branch branch. # # To configure this workflow: # @@ -16,8 +16,9 @@ name: Tencent Kubernetes Engine on: - release: - types: [created] + push: + branches: + - $default-branch # Environment variables available to all jobs and steps in this workflow env: From ffef54a02cbf054ebab8ea72d504f2653e697196 Mon Sep 17 00:00:00 2001 From: Abir Majumdar Date: Fri, 15 Oct 2021 08:37:05 -0400 Subject: [PATCH 099/844] Adding MobSF starter workflow --- code-scanning/mobsf.yml | 36 ++++++ .../properties/mobsf.properties.json | 14 +++ icons/mobsf.svg | 114 ++++++++++++++++++ 3 files changed, 164 insertions(+) create mode 100644 code-scanning/mobsf.yml create mode 100644 code-scanning/properties/mobsf.properties.json create mode 100644 icons/mobsf.svg diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml new file mode 100644 index 0000000000..1bd737b908 --- /dev/null +++ b/code-scanning/mobsf.yml 
@@ -0,0 +1,36 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: MobSF + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + + workflow_dispatch: + +jobs: + mobile-security: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Setup python + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: mobsfscan + uses: MobSF/mobsfscan@main + with: + args: . --sarif --output results.sarif || true + + - name: Upload mobsfscan report + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif \ No newline at end of file diff --git a/code-scanning/properties/mobsf.properties.json b/code-scanning/properties/mobsf.properties.json new file mode 100644 index 0000000000..6bca14ea0f --- /dev/null +++ b/code-scanning/properties/mobsf.properties.json @@ -0,0 +1,14 @@ +{ + "name": "mobsf", + "creator": "mobsf", + "description": "Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.", + "iconName": "mobsf", + "categories": [ + "Code Scanning", + "Java", + "Swift", + "Objective-C", + "Kotlin", + "Mobile" + ] +} \ No newline at end of file diff --git a/icons/mobsf.svg b/icons/mobsf.svg new file mode 100644 index 0000000000..46dd1544e7 --- /dev/null +++ b/icons/mobsf.svg @@ -0,0 +1,114 @@ + + + + From 6e44c89176192da113b52f836a4c538a30ba2656 Mon Sep 17 00:00:00 2001 From: Abir Majumdar Date: Fri, 15 Oct 2021 08:55:34 -0400 Subject: [PATCH 100/844] Adhering to pull request guidelines --- code-scanning/mobsf.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 1bd737b908..1da2611809 100644 
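Review bot: `uses: MobSF/mobsfscan@main` tracks a mutable branch, so every run executes whatever was last pushed upstream (or by whoever compromises that repository) with access to the checkout; the other third-party actions in this directory (`indeni/cloudrail-run-ga`, `fortify/gha-*`, `sysdiglabs/scan-action`) are pinned to full commit SHAs and this one should be too, e.g. `uses: MobSF/mobsfscan@<full commit SHA>  # vX.Y.Z`. The job also sets no `permissions:` block, and `upload-sarif` requires `security-events: write`, so on repositories whose default token is read-only the upload fails; the three-key block used by the sibling workflows fits here. The `|| true` appended to `args:` only suppresses a non-zero exit if the action hands the string to a shell rather than passing it as argv — TODO confirm against the action; if it does not, the upload step never runs when findings exist and needs `if: always()` like the sibling workflows.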
--- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -7,11 +7,11 @@ name: MobSF on: push: - branches: [ master ] + branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ master ] - - workflow_dispatch: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly jobs: mobile-security: @@ -25,7 +25,7 @@ jobs: with: python-version: 3.8 - - name: mobsfscan + - name: Run mobsfscan uses: MobSF/mobsfscan@main with: args: . --sarif --output results.sarif || true From 21775ad05bf2415ebd480c17a803fd8a83065a72 Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Fri, 15 Oct 2021 15:32:54 -0700 Subject: [PATCH 101/844] Rename "azure.yml" to Node-specific name --- .../{azure.yml => azure-webapps-node.yml} | 30 +++++++++++++++---- ...son => azure-webapps-node.properties.json} | 0 2 files changed, 24 insertions(+), 6 deletions(-) rename deployments/{azure.yml => azure-webapps-node.yml} (81%) rename deployments/properties/{azure.properties.json => azure-webapps-node.properties.json} (100%) diff --git a/deployments/azure.yml b/deployments/azure-webapps-node.yml similarity index 81% rename from deployments/azure.yml rename to deployments/azure-webapps-node.yml index 0262b4920f..ab144ba8d7 100644 --- a/deployments/azure.yml +++ b/deployments/azure-webapps-node.yml 
@@ -25,23 +25,41 @@ env: NODE_VERSION: '10.x' # set this to the node version to use jobs: - build-and-deploy: - name: Build and Deploy + build: runs-on: ubuntu-latest - environment: production steps: - uses: actions/checkout@v2 - - name: Use Node.js ${{ env.NODE_VERSION }} + + - name: Set up Node.js uses: actions/setup-node@v2 with: node-version: ${{ env.NODE_VERSION }} + - name: npm install, build, and test run: | - # Build and test the project, then - # deploy to Azure Web App. npm install npm run build --if-present npm run test --if-present + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v2 + with: + name: node-app + path: . + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Production' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: node-app + - name: 'Deploy to Azure WebApp' uses: azure/webapps-deploy@v2 with: diff --git a/deployments/properties/azure.properties.json b/deployments/properties/azure-webapps-node.properties.json similarity index 100% rename from deployments/properties/azure.properties.json rename to deployments/properties/azure-webapps-node.properties.json From e59c11c494c0a2a443cf8577b496e63f618c8169 Mon Sep 17 00:00:00 2001 
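Review bot: `url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}` on the new `deploy` job requires the deploy step to carry `id: deploy-to-webapp`, and no `id:` is visible on the `'Deploy to Azure WebApp'` step in this hunk; the step's remaining lines lie outside the hunk, so if the id is not there the environment URL silently resolves to empty. `path: .` in `upload-artifact` ships the whole checkout — including the `.git` directory, where `actions/checkout` persists its auth header by default — to the deploy job and onto the web app; use a block list, `path: |`, `.`, `!.git/`, so only the application tree travels. The build job also keeps `npm install`; `npm ci` installs exactly what the lockfile pins and fails on drift, which is what a deploy build wants, and this split is a good moment to switch.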
From: Jason Freeberg Date: Fri, 15 Oct 2021 15:33:45 -0700 Subject: [PATCH 102/844] Add templates and properties for other languages --- deployments/azure-webapps-container.yml | 59 ++++++++++++++++ deployments/azure-webapps-java-jar.yml | 56 ++++++++++++++++ deployments/azure-webapps-python.yml | 67 +++++++++++++++++++ .../azure-webapps-container.properties.json | 7 ++ .../azure-webapps-java-jar.properties.json | 7 ++ .../azure-webapps-python.properties.json | 7 ++ 6 files changed, 203 insertions(+) create mode 100644 deployments/azure-webapps-container.yml create mode 100644 deployments/azure-webapps-java-jar.yml create mode 100644 deployments/azure-webapps-python.yml create mode 100644 deployments/properties/azure-webapps-container.properties.json create mode 100644 deployments/properties/azure-webapps-java-jar.properties.json create mode 100644 deployments/properties/azure-webapps-python.properties.json diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-webapps-container.yml new file mode 100644 index 0000000000..b9dab0d1c0 --- /dev/null +++ b/deployments/azure-webapps-container.yml 
@@ -0,0 +1,59 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# More GitHub Actions for Azure: https://github.com/Azure/actions + +name: Build and deploy a container to an Azure Web App + +env: + AZURE_WEBAPP_NAME: '' # set this to the name of your Azure Web App + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + + - name: Log in to GitHub container registry + uses: docker/login-action@v1 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Lowercase the repo name + run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} + + - name: Build and push container image to registry + uses: docker/build-push-action@v2 + with: + push: true + tags: ghcr.io/${{ env.REPO }}:${{ github.sha }} + file: ./Dockerfile + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Production' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Lowercase the repo name + run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} + + - name: Deploy to Azure Web App + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}' \ No newline at end of file diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml new file mode 100644 index 0000000000..ae1cb87eb1 --- /dev/null +++ b/deployments/azure-webapps-java-jar.yml 
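Review bot: The workflow has no `permissions:` block, yet `docker/login-action` authenticates to `ghcr.io` with `${{ secrets.GITHUB_TOKEN }}` and `build-push-action` pushes with it, which needs `packages: write`; declare a top-level `permissions:` block with `contents: read` and `packages: write` so the template works on repositories whose default token is read-only and grants nothing further. `AZURE_WEBAPP_NAME: ''` is an empty placeholder, unlike the sibling templates' `your-app-name`, so an un-edited copy passes an empty `app-name` to `webapps-deploy`; use the same placeholder text. The `Lowercase the repo name` step is correctly repeated in the deploy job because values written to `GITHUB_ENV` do not cross jobs — a one-line comment on the second copy saying so would stop someone deleting it as a duplicate.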
@@ -0,0 +1,56 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# More GitHub Actions for Azure: https://github.com/Azure/actions + +name: Build and deploy JAR app to Azure Web App + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + JAVA_VERSION: '11' # set this to the Java version to use + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Set up Java version + uses: actions/setup-java@v1 + with: + java-version: ${{ env.JAVA_VERSION }} + + - name: Build with Maven + run: mvn clean install + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v2 + with: + name: java-app + path: '${{ github.workspace }}/target/*.jar' + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: Production + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: java-app + + - name: Deploy to Azure Web App + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: '*.jar' \ No newline at end of file diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml new file mode 100644 index 0000000000..a934a02e8d --- /dev/null +++ b/deployments/azure-webapps-python.yml 
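Review bot: `run: mvn clean install` runs the full lifecycle including `install` into the runner's local repository, which the deploy job never reads; `run: mvn --batch-mode package` produces the same jar with non-interactive output and without the extra phase. `environment: name: Production` is unquoted here while the other templates in this commit write `'Production'`; pick one form. `path: '${{ github.workspace }}/target/*.jar'` followed by `package: '*.jar'` matches every jar in `target/`, so a build that also emits `*-sources.jar` or a shaded `original-*.jar` hands the deploy step several candidates — a comment telling users to narrow the glob to their artifact's name is worth adding. `actions/setup-java@v1` is a major behind the `@v2` actions used alongside it.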
@@ -0,0 +1,67 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# More GitHub Actions for Azure: https://github.com/Azure/actions +# More info on Python, GitHub Actions, and Azure App Service: https://aka.ms/python-webapps-actions + +name: Build and deploy Python app to Azure Web App - __sitename__ + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + PYTHON_VERSION: '11' # set this to the Python version to use + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Set up Python version + uses: actions/setup-python@v1 + with: + python-version: ${{ env.PYTHON_VERSION }} + + - name: Create and start virtual environment + run: | + python -m venv venv + source venv/bin/activate + + - name: Install dependencies + run: pip install -r requirements.txt + + # Optional: Add step to run tests here (PyTest, Django test suites, etc.) + + - name: Upload artifact for deployment jobs + uses: actions/upload-artifact@v2 + with: + name: python-app + path: | + . + !venv/ + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: '__slotname__' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: python-app + path: . + + - name: 'Deploy to Azure Web App' + uses: azure/webapps-deploy@v2 + id: deploy-to-webapp + with: + app-name: '__sitename__' + slot-name: '__slotname__' + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} diff --git a/deployments/properties/azure-webapps-container.properties.json b/deployments/properties/azure-webapps-container.properties.json new file mode 100644 index 0000000000..1335e3ac3e --- /dev/null +++ b/deployments/properties/azure-webapps-container.properties.json 
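Review bot: `PYTHON_VERSION: '11'` is not a Python release (it is the Java template's value carried over), so `setup-python` fails on an un-edited copy; set it to a real version string such as `'3.9'` (constructed example). `__sitename__` and `__slotname__` in `name:`, `environment.name`, `app-name` and `slot-name` are not substituted by GitHub's starter-workflow variables, and the `AZURE_WEBAPP_NAME` env the template defines is never read; wire `app-name: ${{ env.AZURE_WEBAPP_NAME }}` like the sibling templates and drop the slot. `source venv/bin/activate` in its own `run:` step does not carry into the next one, so `pip install -r requirements.txt` installs into the runner's interpreter and the `venv/` excluded from the artifact is empty; since the artifact carries no dependencies either way, a comment should say where they are expected to be installed (presumably on the App Service side at deploy time — confirm). `actions/setup-python@v1` is also a major behind the `@v2` used elsewhere on this page.
```yaml
name: Build and deploy Python app to Azure Web App

env:
  AZURE_WEBAPP_NAME: your-app-name   # set this to the name of your Azure Web App
  PYTHON_VERSION: '3.9'              # set this to the Python version to use (constructed example)

# … unchanged: on, jobs.build through the setup-python step …

      - name: Create virtual environment and install dependencies
        run: |
          python -m venv venv
          source venv/bin/activate
          pip install -r requirements.txt

# … unchanged: upload-artifact step, deploy job header …
    environment:
      name: 'Production'
      url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}

# … unchanged: download-artifact step …
      - name: 'Deploy to Azure Web App'
        uses: azure/webapps-deploy@v2
        id: deploy-to-webapp
        with:
          app-name: ${{ env.AZURE_WEBAPP_NAME }}
          publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
```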
@@ -0,0 +1,7 @@ +{ + "name": "Deploy a container to an Azure Web App", + "description": "Build a container and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment"] +} \ No newline at end of file diff --git a/deployments/properties/azure-webapps-java-jar.properties.json b/deployments/properties/azure-webapps-java-jar.properties.json new file mode 100644 index 0000000000..f2418fafc8 --- /dev/null +++ b/deployments/properties/azure-webapps-java-jar.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy a Java .jar app to an Azure Web App", + "description": "Build a Java project and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment"] +} \ No newline at end of file diff --git a/deployments/properties/azure-webapps-python.properties.json b/deployments/properties/azure-webapps-python.properties.json new file mode 100644 index 0000000000..f7498488ad --- /dev/null +++ b/deployments/properties/azure-webapps-python.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy a Python app to an Azure Web App", + "description": "Build a Python app and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment"] +} \ No newline at end of file From 4fad808870ff1d108b443339ba43616c6f88c6ca Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Fri, 15 Oct 2021 15:47:30 -0700 Subject: [PATCH 103/844] Add workflow for .NET Core --- deployments/azure-webapps-dotnet-core.yml | 59 +++++++++++++++++++ .../properties/azure-webapps-donet-core.json | 7 +++ 2 files changed, 66 insertions(+) create mode 100644 deployments/azure-webapps-dotnet-core.yml create mode 100644 deployments/properties/azure-webapps-donet-core.json diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml new file mode 100644 index 0000000000..532efc4684 --- /dev/null 
+++ b/deployments/azure-webapps-dotnet-core.yml @@ -0,0 +1,59 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# More GitHub Actions for Azure: https://github.com/Azure/actions + +name: Build and deploy ASP.Net Core app to an Azure Web App + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + DOTNET_VERSION: '5' # set this to the .NET Core version to use + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Set up .NET Core + uses: actions/setup-dotnet@v1 + with: + dotnet-version: ${{ env.DOTNET_VERSION }} + + - name: Build with dotnet + run: dotnet build --configuration Release + + - name: dotnet publish + run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v2 + with: + name: .net-app + path: ${{env.DOTNET_ROOT}}/myapp + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Production' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: .net-app + + - name: Deploy to Azure Web App + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: . diff --git a/deployments/properties/azure-webapps-donet-core.json b/deployments/properties/azure-webapps-donet-core.json new file mode 100644 index 0000000000..3ac2f8cd3c --- /dev/null +++ b/deployments/properties/azure-webapps-donet-core.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy a .NET Core app to an Azure Web App", + "description": "Build a .NET Core project and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment"] +} \ No newline at end of file 
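Review bot: `dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp` writes the published app into the .NET install root and `upload-artifact` then reads it back from there; the SDK directory is not a workspace location, so publish to `${{ github.workspace }}/publish` (or `$RUNNER_TEMP`) and point `path:` at the same directory. `DOTNET_VERSION: '5'` may not be an accepted `dotnet-version` form for `setup-dotnet`, which documents `5.0.x`-style values — confirm, and use `'5.0.x'` if a bare major is rejected. The accompanying properties file is committed as `deployments/properties/azure-webapps-donet-core.json`: it misspells dotnet and lacks the `.properties.json` suffix every sibling uses, so the template picker will likely not associate it with this workflow; rename it to `azure-webapps-dotnet-core.properties.json`.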
From e6620ddc5b73399da7e03af6164e62d93790fe51 Mon Sep 17 00:00:00 2001 From: Rui Chen Date: Wed, 20 Oct 2021 00:02:48 -0400 Subject: [PATCH 104/844] python: update to use python 3.10 Signed-off-by: Rui Chen --- ci/pylint.yml | 4 ++-- ci/python-app.yml | 4 ++-- ci/python-package-conda.yml | 4 ++-- ci/python-package.yml | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ci/pylint.yml b/ci/pylint.yml index 0805af74ad..e217f63897 100644 --- a/ci/pylint.yml +++ b/ci/pylint.yml @@ -9,10 +9,10 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up Python 3.9 + - name: Set up Python 3.10 uses: actions/setup-python@v2 with: - python-version: 3.9 + python-version: 3.10 - name: Install dependencies run: | python -m pip install --upgrade pip diff --git a/ci/python-app.yml b/ci/python-app.yml index f6ad69af7b..30b2b8fe0b 100644 --- a/ci/python-app.yml +++ b/ci/python-app.yml @@ -16,10 +16,10 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up Python 3.9 + - name: Set up Python 3.10 uses: actions/setup-python@v2 with: - python-version: 3.9 + python-version: 3.10 - name: Install dependencies run: | python -m pip install --upgrade pip diff --git a/ci/python-package-conda.yml b/ci/python-package-conda.yml index 7bae7e2475..9bd6d2b617 100644 --- a/ci/python-package-conda.yml +++ b/ci/python-package-conda.yml @@ -10,10 +10,10 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up Python 3.8 + - name: Set up Python 3.10 uses: actions/setup-python@v2 with: - python-version: 3.8 + python-version: 3.10 - name: Add conda to system path run: | # $CONDA is an environment variable pointing to the root of the miniconda directory diff --git a/ci/python-package.yml b/ci/python-package.yml index b079b1c7a1..9690811ad7 100644 --- a/ci/python-package.yml +++ b/ci/python-package.yml @@ -16,7 +16,7 @@ jobs: strategy: fail-fast: false matrix: - python-version: [3.7, 3.8, 3.9] + python-version: [3.8, 3.9, 3.10] steps: - uses: actions/checkout@v2 
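Review bot: `python-version: 3.10` is an unquoted YAML float and parses as `3.1`, so `setup-python` will look for Python 3.1 and fail in ci/pylint.yml, ci/python-app.yml and ci/python-package-conda.yml, and the matrix in ci/python-package.yml becomes `[3.8, 3.9, 3.1]`; quote the values as `python-version: "3.10"` and `python-version: ["3.8", "3.9", "3.10"]` (the step names already read 3.10 and need no change). `3.8` and `3.9` survive unquoted only because their decimal form is unchanged; quoting all of them keeps the trap from recurring at the next bump.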
From c765d6316fb380d15d81206ede83b0042cdac377 Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Thu, 21 Oct 2021 14:27:06 +0530 Subject: [PATCH 105/844] Added new templates for 3 clouds. --- deployments/aws_docker.yml | 92 +++++++++++++++++++ deployments/aws_node.yml | 92 +++++++++++++++++++ deployments/azure_docker.yml | 51 ++++++++++ deployments/azure_node.yml | 51 ++++++++++ deployments/google_java.yml | 81 ++++++++++++++++ deployments/google_python.yml | 81 ++++++++++++++++ .../properties/aws_docker.properties.json | 7 ++ .../properties/aws_node.properties.json | 7 ++ .../properties/azure_docker.properties.json | 7 ++ .../properties/azure_node.properties.json | 7 ++ .../properties/google_java.properties.json | 7 ++ .../properties/google_python.properties.json | 7 ++ 12 files changed, 490 insertions(+) create mode 100644 deployments/aws_docker.yml create mode 100644 deployments/aws_node.yml create mode 100644 deployments/azure_docker.yml create mode 100644 deployments/azure_node.yml create mode 100644 deployments/google_java.yml create mode 100644 deployments/google_python.yml create mode 100644 deployments/properties/aws_docker.properties.json create mode 100644 deployments/properties/aws_node.properties.json create mode 100644 deployments/properties/azure_docker.properties.json create mode 100644 deployments/properties/azure_node.properties.json create mode 100644 deployments/properties/google_java.properties.json create mode 100644 deployments/properties/google_python.properties.json diff --git a/deployments/aws_docker.yml b/deployments/aws_docker.yml new file mode 100644 index 0000000000..dab851f906 --- /dev/null +++ b/deployments/aws_docker.yml 
@@ -0,0 +1,92 @@ +# This workflow will build and push a new container image to Amazon ECR, +# and then will deploy a new task definition to Amazon ECS, when there is a push to the $default-branch branch. +# +# To use this workflow, you will need to complete the following set-up steps: +# +# 1. Create an ECR repository to store your images. +# For example: `aws ecr create-repository --repository-name my-ecr-repo --region us-east-2`. +# Replace the value of the `ECR_REPOSITORY` environment variable in the workflow below with your repository's name. +# Replace the value of the `AWS_REGION` environment variable in the workflow below with your repository's region. +# +# 2. Create an ECS task definition, an ECS cluster, and an ECS service. +# For example, follow the Getting Started guide on the ECS console: +# https://us-east-2.console.aws.amazon.com/ecs/home?region=us-east-2#/firstRun +# Replace the value of the `ECS_SERVICE` environment variable in the workflow below with the name you set for the Amazon ECS service. +# Replace the value of the `ECS_CLUSTER` environment variable in the workflow below with the name you set for the cluster. +# +# 3. Store your ECS task definition as a JSON file in your repository. +# The format should follow the output of `aws ecs register-task-definition --generate-cli-skeleton`. +# Replace the value of the `ECS_TASK_DEFINITION` environment variable in the workflow below with the path to the JSON file. +# Replace the value of the `CONTAINER_NAME` environment variable in the workflow below with the name of the container +# in the `containerDefinitions` section of the task definition. +# +# 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. +# See the documentation for each action used below for the recommended IAM policies for this IAM user, +# and best practices on handling the access key credentials. 
+ +name: Deploy to Amazon ECS + +on: + push: + branches: + - $default-branch + +env: + AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1 + ECR_REPOSITORY: MY_ECR_REPOSITORY # set this to your Amazon ECR repository name + ECS_SERVICE: MY_ECS_SERVICE # set this to your Amazon ECS service name + ECS_CLUSTER: MY_ECS_CLUSTER # set this to your Amazon ECS cluster name + ECS_TASK_DEFINITION: MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition + # file, e.g. .aws/task-definition.json + CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the + # containerDefinitions section of your task definition + +jobs: + deploy: + name: Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: ${{ env.AWS_REGION }} + + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + + - name: Build, tag, and push image to Amazon ECR + id: build-image + env: + ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} + IMAGE_TAG: ${{ github.sha }} + run: | + # Build a docker container and + # push it to ECR so that it can + # be deployed to ECS. + docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG . 
+ docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG + echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" + + - name: Fill in the new image ID in the Amazon ECS task definition + id: task-def + uses: aws-actions/amazon-ecs-render-task-definition@v1 + with: + task-definition: ${{ env.ECS_TASK_DEFINITION }} + container-name: ${{ env.CONTAINER_NAME }} + image: ${{ steps.build-image.outputs.image }} + + - name: Deploy Amazon ECS task definition + uses: aws-actions/amazon-ecs-deploy-task-definition@v1 + with: + task-definition: ${{ steps.task-def.outputs.task-definition }} + service: ${{ env.ECS_SERVICE }} + cluster: ${{ env.ECS_CLUSTER }} + wait-for-service-stability: true diff --git a/deployments/aws_node.yml b/deployments/aws_node.yml new file mode 100644 index 0000000000..dab851f906 --- /dev/null +++ b/deployments/aws_node.yml 
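Review bot: The credentials step consumes long-lived IAM user keys from `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, and set-up step 4 in the header tells users to create such a user; `aws-actions/configure-aws-credentials` also accepts `role-to-assume` backed by GitHub's OIDC token (requires `id-token: write` in `permissions:`), which removes the static secret entirely and is the safer default for a deploy template — at minimum, document it as the preferred option in the header. The workflow declares no `permissions:` block, so the token inherits the repository default; `contents: read` is all these steps need from GitHub. `echo "::set-output name=image::…"` is the now-deprecated output command; `echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> "$GITHUB_OUTPUT"` is the replacement. The same points apply to deployments/aws_node.yml, whose `index` line shows the identical blob.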
@@ -0,0 +1,92 @@ +# This workflow will build and push a new container image to Amazon ECR, +# and then will deploy a new task definition to Amazon ECS, when there is a push to the $default-branch branch. +# +# To use this workflow, you will need to complete the following set-up steps: +# +# 1. Create an ECR repository to store your images. +# For example: `aws ecr create-repository --repository-name my-ecr-repo --region us-east-2`. +# Replace the value of the `ECR_REPOSITORY` environment variable in the workflow below with your repository's name. +# Replace the value of the `AWS_REGION` environment variable in the workflow below with your repository's region. +# +# 2. Create an ECS task definition, an ECS cluster, and an ECS service. +# For example, follow the Getting Started guide on the ECS console: +# https://us-east-2.console.aws.amazon.com/ecs/home?region=us-east-2#/firstRun +# Replace the value of the `ECS_SERVICE` environment variable in the workflow below with the name you set for the Amazon ECS service. +# Replace the value of the `ECS_CLUSTER` environment variable in the workflow below with the name you set for the cluster. +# +# 3. Store your ECS task definition as a JSON file in your repository. +# The format should follow the output of `aws ecs register-task-definition --generate-cli-skeleton`. +# Replace the value of the `ECS_TASK_DEFINITION` environment variable in the workflow below with the path to the JSON file. +# Replace the value of the `CONTAINER_NAME` environment variable in the workflow below with the name of the container +# in the `containerDefinitions` section of the task definition. +# +# 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. +# See the documentation for each action used below for the recommended IAM policies for this IAM user, +# and best practices on handling the access key credentials. 
+ +name: Deploy to Amazon ECS + +on: + push: + branches: + - $default-branch + +env: + AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1 + ECR_REPOSITORY: MY_ECR_REPOSITORY # set this to your Amazon ECR repository name + ECS_SERVICE: MY_ECS_SERVICE # set this to your Amazon ECS service name + ECS_CLUSTER: MY_ECS_CLUSTER # set this to your Amazon ECS cluster name + ECS_TASK_DEFINITION: MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition + # file, e.g. .aws/task-definition.json + CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the + # containerDefinitions section of your task definition + +jobs: + deploy: + name: Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: ${{ env.AWS_REGION }} + + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + + - name: Build, tag, and push image to Amazon ECR + id: build-image + env: + ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} + IMAGE_TAG: ${{ github.sha }} + run: | + # Build a docker container and + # push it to ECR so that it can + # be deployed to ECS. + docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG . 
+ docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG + echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" + + - name: Fill in the new image ID in the Amazon ECS task definition + id: task-def + uses: aws-actions/amazon-ecs-render-task-definition@v1 + with: + task-definition: ${{ env.ECS_TASK_DEFINITION }} + container-name: ${{ env.CONTAINER_NAME }} + image: ${{ steps.build-image.outputs.image }} + + - name: Deploy Amazon ECS task definition + uses: aws-actions/amazon-ecs-deploy-task-definition@v1 + with: + task-definition: ${{ steps.task-def.outputs.task-definition }} + service: ${{ env.ECS_SERVICE }} + cluster: ${{ env.ECS_CLUSTER }} + wait-for-service-stability: true diff --git a/deployments/azure_docker.yml b/deployments/azure_docker.yml new file mode 100644 index 0000000000..904ff2545c --- /dev/null +++ b/deployments/azure_docker.yml 
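Review bot: deployments/aws_node.yml is byte-for-byte the ECS container template — its blob id `dab851f906` matches deployments/aws_docker.yml — with `docker build`/`docker push` steps and no Node.js, npm or Node runtime setup anywhere, while its properties file categorizes it under `"JavaScript"` and `"npm"`. As committed the picker offers two indistinguishable workflows under different names; either drop this file or give it Node-specific content before merging.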
@@ -0,0 +1,51 @@ +# This workflow will build and push a node.js application to an Azure Web App when there is a push to the $default-branch branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/azure/app-service/app-service-plan-manage#create-an-app-service-plan +# +# To configure this workflow: +# +# 1. For Linux apps, add an app setting called WEBSITE_WEBDEPLOY_USE_SCM and set it to true in your app **before downloading the file**. +# For more instructions see: https://docs.microsoft.com/azure/app-service/configure-common#configure-app-settings +# +# 2. Set up a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE with the value of your Azure publish profile. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the values for the AZURE_WEBAPP_NAME, AZURE_WEBAPP_PACKAGE_PATH and NODE_VERSION environment variables (below). +# +# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions +# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +on: + push: + branches: + - $default-branch + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to your application's name + AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root + NODE_VERSION: '10.x' # set this to the node version to use + +jobs: + build-and-deploy: + name: Build and Deploy + runs-on: ubuntu-latest + environment: production + steps: + - uses: actions/checkout@v2 + - name: Use Node.js ${{ env.NODE_VERSION }} + uses: actions/setup-node@v2 + with: + node-version: ${{ env.NODE_VERSION }} + - name: npm install, build, and test + run: | + # Build and test the project, then + # deploy to Azure Web App. 
+ npm install + npm run build --if-present + npm run test --if-present + - name: 'Deploy to Azure WebApp' + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} diff --git a/deployments/azure_node.yml b/deployments/azure_node.yml new file mode 100644 index 0000000000..904ff2545c --- /dev/null +++ b/deployments/azure_node.yml 
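Review bot: deployments/azure_docker.yml is not a container workflow: its header says it builds a node.js application, and its steps are `setup-node`, `npm install` and `webapps-deploy` with a package path, with no Dockerfile or image anywhere; the blob id `904ff2545c` is shared with deployments/azure_node.yml, so the two files are identical, and both duplicate `deployments/azure-webapps-node.yml` renamed earlier in this series. `NODE_VERSION: '10.x'` selects a Node line that reached end-of-life in April 2021, before this commit; a supported LTS line belongs in a new template. Either drop both files or replace this one with genuinely container-based content.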
@@ -0,0 +1,51 @@ +# This workflow will build and push a node.js application to an Azure Web App when there is a push to the $default-branch branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/azure/app-service/app-service-plan-manage#create-an-app-service-plan +# +# To configure this workflow: +# +# 1. For Linux apps, add an app setting called WEBSITE_WEBDEPLOY_USE_SCM and set it to true in your app **before downloading the file**. +# For more instructions see: https://docs.microsoft.com/azure/app-service/configure-common#configure-app-settings +# +# 2. Set up a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE with the value of your Azure publish profile. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the values for the AZURE_WEBAPP_NAME, AZURE_WEBAPP_PACKAGE_PATH and NODE_VERSION environment variables (below). +# +# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions +# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +on: + push: + branches: + - $default-branch + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to your application's name + AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root + NODE_VERSION: '10.x' # set this to the node version to use + +jobs: + build-and-deploy: + name: Build and Deploy + runs-on: ubuntu-latest + environment: production + steps: + - uses: actions/checkout@v2 + - name: Use Node.js ${{ env.NODE_VERSION }} + uses: actions/setup-node@v2 + with: + node-version: ${{ env.NODE_VERSION }} + - name: npm install, build, and test + run: | + # Build and test the project, then + # deploy to Azure Web App. 
+ npm install + npm run build --if-present + npm run test --if-present + - name: 'Deploy to Azure WebApp' + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} diff --git a/deployments/google_java.yml b/deployments/google_java.yml new file mode 100644 index 0000000000..267d3cb7bd --- /dev/null +++ b/deployments/google_java.yml 
@@ -0,0 +1,81 @@ +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. +# +# To configure this workflow: +# +# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. +# +# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). +# +# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). +# +# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke + +name: Build and Deploy to GKE + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: ${{ secrets.GKE_PROJECT }} + GKE_CLUSTER: cluster-1 # TODO: update to cluster name + GKE_ZONE: us-central1-c # TODO: update to cluster zone + DEPLOYMENT_NAME: gke-test # TODO: update to deployment name + IMAGE: static-site + +jobs: + setup-build-publish-deploy: + name: Setup, Build, Publish, and Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v2 + + # Setup gcloud CLI + - uses: google-github-actions/setup-gcloud@v0.2.0 + with: + service_account_key: ${{ secrets.GKE_SA_KEY }} + project_id: ${{ secrets.GKE_PROJECT }} + + # Configure Docker to use the gcloud command-line tool as a credential + # helper for authentication + - run: |- + gcloud --quiet auth configure-docker + + # Get the GKE credentials so we can deploy to the cluster + - uses: google-github-actions/get-gke-credentials@v0.2.1 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + credentials: ${{ secrets.GKE_SA_KEY 
}} + + # Build the Docker image + - name: Build + run: |- + docker build \ + --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ + --build-arg GITHUB_SHA="$GITHUB_SHA" \ + --build-arg GITHUB_REF="$GITHUB_REF" \ + . + + # Push the Docker image to Google Container Registry + - name: Publish + run: |- + docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" + + # Set up kustomize + - name: Set up Kustomize + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 + chmod u+x ./kustomize + + # Deploy the Docker image to the GKE cluster + - name: Deploy + run: |- + ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide diff --git a/deployments/google_python.yml b/deployments/google_python.yml new file mode 100644 index 0000000000..267d3cb7bd --- /dev/null +++ b/deployments/google_python.yml 
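Review bot: The `Set up Kustomize` step downloads a binary with `curl -sfLo kustomize https://…/v3.1.0/kustomize_3.1.0_linux_amd64`, marks it executable and then runs it in the same job that holds the cluster credentials, with no integrity check; a release URL pinned by version is still a mutable fetch, so verify the download before executing it, e.g. `echo "<EXPECTED_SHA256>  kustomize" | sha256sum -c -` with the digest taken from the kustomize release (placeholder). `service_account_key: ${{ secrets.GKE_SA_KEY }}` and `credentials:` on `get-gke-credentials` both rely on a long-lived service-account key stored as a secret; the `google-github-actions/auth` action's workload identity federation issues short-lived credentials instead and is worth naming as the preferred path in the header. The workflow also declares no `permissions:` block, though `contents: read` is all it needs from GitHub. The same hunk content is committed as deployments/google_python.yml.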
@@ -0,0 +1,81 @@
+# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch.
+#
+# To configure this workflow:
+#
+# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc.
+#
+# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs).
+#
+# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below).
+#
+# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke
+
+name: Build and Deploy to GKE
+
+on:
+ push:
+ branches:
+ - $default-branch
+
+env:
+ PROJECT_ID: ${{ secrets.GKE_PROJECT }}
+ GKE_CLUSTER: cluster-1 # TODO: update to cluster name
+ GKE_ZONE: us-central1-c # TODO: update to cluster zone
+ DEPLOYMENT_NAME: gke-test # TODO: update to deployment name
+ IMAGE: static-site
+
+jobs:
+ setup-build-publish-deploy:
+ name: Setup, Build, Publish, and Deploy
+ runs-on: ubuntu-latest
+ environment: production
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ # Setup gcloud CLI
+ - uses: google-github-actions/setup-gcloud@v0.2.0
+ with:
+ service_account_key: ${{ secrets.GKE_SA_KEY }}
+ project_id: ${{ secrets.GKE_PROJECT }}
+
+ # Configure Docker to use the gcloud command-line tool as a credential
+ # helper for authentication
+ - run: |-
+ gcloud --quiet auth configure-docker
+
+ # Get the GKE credentials so we can deploy to the cluster
+ - uses: google-github-actions/get-gke-credentials@v0.2.1
+ with:
+ cluster_name: ${{ env.GKE_CLUSTER }}
+ location: ${{ env.GKE_ZONE }}
+ credentials: ${{ secrets.GKE_SA_KEY
}}
+
+ # Build the Docker image
+ - name: Build
+ run: |-
+ docker build \
+ --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \
+ --build-arg GITHUB_SHA="$GITHUB_SHA" \
+ --build-arg GITHUB_REF="$GITHUB_REF" \
+ .
+
+ # Push the Docker image to Google Container Registry
+ - name: Publish
+ run: |-
+ docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA"
+
+ # Set up kustomize
+ - name: Set up Kustomize
+ run: |-
+ curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64
+ chmod u+x ./kustomize
+
+ # Deploy the Docker image to the GKE cluster
+ - name: Deploy
+ run: |-
+ ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA
+ ./kustomize build . | kubectl apply -f -
+ kubectl rollout status deployment/$DEPLOYMENT_NAME
+ kubectl get services -o wide
diff --git a/deployments/properties/aws_docker.properties.json b/deployments/properties/aws_docker.properties.json new file mode 100644
index 0000000000..1b5955a173
--- /dev/null
+++ b/deployments/properties/aws_docker.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy to Amazon ECS",
+ "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.",
+ "creator": "Amazon Web Services",
+ "iconName": "aws",
+ "categories": ["Deployment", "Dockerfile"]
+}
diff --git a/deployments/properties/aws_node.properties.json b/deployments/properties/aws_node.properties.json new file mode 100644
index 0000000000..d099e52b1b
--- /dev/null
+++ b/deployments/properties/aws_node.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy to Amazon ECS",
+ "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.",
+ "creator": "Amazon Web Services",
+ "iconName": "aws",
+ "categories": ["Deployment", "JavaScript", "npm"]
+}
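Review bot: The `"categories": ["Deployment", "JavaScript", "npm"]` entry for aws_node.properties.json advertises a Node/npm template, but the workflow it describes is the generic ECS container deploy — the revert further down lists deployments/aws_node.yml and deployments/aws_docker.yml with the same blob index dab851f906, so the two files are identical. The same pattern repeats for azure_docker/azure_node (both 904ff2545c) and google_java/google_python (both 267d3cb7bd): azure_docker.properties.json carries `"name": "Deploy Node.js to Azure Web App"` under a Dockerfile category, and the GKE pair differs only in its Java/Python tag. Either the category lists should describe what the workflow actually does, or the duplicate template files should be collapsed into one entry, since a user picking the npm-tagged template will get a Docker build with no npm step at all.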
diff --git a/deployments/properties/azure_docker.properties.json b/deployments/properties/azure_docker.properties.json new file mode 100644
index 0000000000..a5fd8ea294
--- /dev/null
+++ b/deployments/properties/azure_docker.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy Node.js to Azure Web App",
+ "description": "Build a Node.js project and deploy it to an Azure Web App.",
+ "creator": "Microsoft Azure",
+ "iconName": "azure",
+ "categories": ["Deployment", "Dockerfile"]
+} \ No newline at end of file
diff --git a/deployments/properties/azure_node.properties.json b/deployments/properties/azure_node.properties.json new file mode 100644
index 0000000000..90a371779a
--- /dev/null
+++ b/deployments/properties/azure_node.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy Node.js to Azure Web App",
+ "description": "Build a Node.js project and deploy it to an Azure Web App.",
+ "creator": "Microsoft Azure",
+ "iconName": "azure",
+ "categories": ["Deployment", "JavaScript", "npm"]
+} \ No newline at end of file
diff --git a/deployments/properties/google_java.properties.json b/deployments/properties/google_java.properties.json new file mode 100644
index 0000000000..cc17c3039d
--- /dev/null
+++ b/deployments/properties/google_java.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Build and Deploy to GKE",
+ "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.",
+ "creator": "Google Cloud",
+ "iconName": "googlegke",
+ "categories": ["Deployment", "Java"]
+} \ No newline at end of file
diff --git a/deployments/properties/google_python.properties.json b/deployments/properties/google_python.properties.json new file mode 100644
index 0000000000..3ded1a9c4b
--- /dev/null
+++ b/deployments/properties/google_python.properties.json
@@ -0,0 +1,7 @@ +{ + "name": "Build and Deploy to GKE", + "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", + "creator": "Google Cloud", + "iconName": "googlegke", + "categories": ["Deployment", "Python"] +} \ No newline at end of file From e3fc80f30e9fe153a43658a7b96ec53b75be6ac7 Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Thu, 21 Oct 2021 08:59:43 +0000 Subject: [PATCH 106/844] Revert "Added new templates for 3 clouds." This reverts commit c765d6316fb380d15d81206ede83b0042cdac377. --- deployments/aws_docker.yml | 92 ------------------- deployments/aws_node.yml | 92 ------------------- deployments/azure_docker.yml | 51 ---------- deployments/azure_node.yml | 51 ---------- deployments/google_java.yml | 81 ---------------- deployments/google_python.yml | 81 ---------------- .../properties/aws_docker.properties.json | 7 -- .../properties/aws_node.properties.json | 7 -- .../properties/azure_docker.properties.json | 7 -- .../properties/azure_node.properties.json | 7 -- .../properties/google_java.properties.json | 7 -- .../properties/google_python.properties.json | 7 -- 12 files changed, 490 deletions(-) delete mode 100644 deployments/aws_docker.yml delete mode 100644 deployments/aws_node.yml delete mode 100644 deployments/azure_docker.yml delete mode 100644 deployments/azure_node.yml delete mode 100644 deployments/google_java.yml delete mode 100644 deployments/google_python.yml delete mode 100644 deployments/properties/aws_docker.properties.json delete mode 100644 deployments/properties/aws_node.properties.json delete mode 100644 deployments/properties/azure_docker.properties.json delete mode 100644 deployments/properties/azure_node.properties.json delete mode 100644 deployments/properties/google_java.properties.json delete mode 100644 deployments/properties/google_python.properties.json diff --git a/deployments/aws_docker.yml b/deployments/aws_docker.yml deleted file mode 100644 index dab851f906..0000000000 
--- a/deployments/aws_docker.yml +++ /dev/null 
@@ -1,92 +0,0 @@ -# This workflow will build and push a new container image to Amazon ECR, -# and then will deploy a new task definition to Amazon ECS, when there is a push to the $default-branch branch. -# -# To use this workflow, you will need to complete the following set-up steps: -# -# 1. Create an ECR repository to store your images. -# For example: `aws ecr create-repository --repository-name my-ecr-repo --region us-east-2`. -# Replace the value of the `ECR_REPOSITORY` environment variable in the workflow below with your repository's name. -# Replace the value of the `AWS_REGION` environment variable in the workflow below with your repository's region. -# -# 2. Create an ECS task definition, an ECS cluster, and an ECS service. -# For example, follow the Getting Started guide on the ECS console: -# https://us-east-2.console.aws.amazon.com/ecs/home?region=us-east-2#/firstRun -# Replace the value of the `ECS_SERVICE` environment variable in the workflow below with the name you set for the Amazon ECS service. -# Replace the value of the `ECS_CLUSTER` environment variable in the workflow below with the name you set for the cluster. -# -# 3. Store your ECS task definition as a JSON file in your repository. -# The format should follow the output of `aws ecs register-task-definition --generate-cli-skeleton`. -# Replace the value of the `ECS_TASK_DEFINITION` environment variable in the workflow below with the path to the JSON file. -# Replace the value of the `CONTAINER_NAME` environment variable in the workflow below with the name of the container -# in the `containerDefinitions` section of the task definition. -# -# 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. -# See the documentation for each action used below for the recommended IAM policies for this IAM user, -# and best practices on handling the access key credentials. 
- -name: Deploy to Amazon ECS - -on: - push: - branches: - - $default-branch - -env: - AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1 - ECR_REPOSITORY: MY_ECR_REPOSITORY # set this to your Amazon ECR repository name - ECS_SERVICE: MY_ECS_SERVICE # set this to your Amazon ECS service name - ECS_CLUSTER: MY_ECS_CLUSTER # set this to your Amazon ECS cluster name - ECS_TASK_DEFINITION: MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition - # file, e.g. .aws/task-definition.json - CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the - # containerDefinitions section of your task definition - -jobs: - deploy: - name: Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 - with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ env.AWS_REGION }} - - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v1 - - - name: Build, tag, and push image to Amazon ECR - id: build-image - env: - ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} - IMAGE_TAG: ${{ github.sha }} - run: | - # Build a docker container and - # push it to ECR so that it can - # be deployed to ECS. - docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG . 
- docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG - echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" - - - name: Fill in the new image ID in the Amazon ECS task definition - id: task-def - uses: aws-actions/amazon-ecs-render-task-definition@v1 - with: - task-definition: ${{ env.ECS_TASK_DEFINITION }} - container-name: ${{ env.CONTAINER_NAME }} - image: ${{ steps.build-image.outputs.image }} - - - name: Deploy Amazon ECS task definition - uses: aws-actions/amazon-ecs-deploy-task-definition@v1 - with: - task-definition: ${{ steps.task-def.outputs.task-definition }} - service: ${{ env.ECS_SERVICE }} - cluster: ${{ env.ECS_CLUSTER }} - wait-for-service-stability: true diff --git a/deployments/aws_node.yml b/deployments/aws_node.yml deleted file mode 100644 index dab851f906..0000000000 --- a/deployments/aws_node.yml +++ /dev/null 
@@ -1,92 +0,0 @@ -# This workflow will build and push a new container image to Amazon ECR, -# and then will deploy a new task definition to Amazon ECS, when there is a push to the $default-branch branch. -# -# To use this workflow, you will need to complete the following set-up steps: -# -# 1. Create an ECR repository to store your images. -# For example: `aws ecr create-repository --repository-name my-ecr-repo --region us-east-2`. -# Replace the value of the `ECR_REPOSITORY` environment variable in the workflow below with your repository's name. -# Replace the value of the `AWS_REGION` environment variable in the workflow below with your repository's region. -# -# 2. Create an ECS task definition, an ECS cluster, and an ECS service. -# For example, follow the Getting Started guide on the ECS console: -# https://us-east-2.console.aws.amazon.com/ecs/home?region=us-east-2#/firstRun -# Replace the value of the `ECS_SERVICE` environment variable in the workflow below with the name you set for the Amazon ECS service. -# Replace the value of the `ECS_CLUSTER` environment variable in the workflow below with the name you set for the cluster. -# -# 3. Store your ECS task definition as a JSON file in your repository. -# The format should follow the output of `aws ecs register-task-definition --generate-cli-skeleton`. -# Replace the value of the `ECS_TASK_DEFINITION` environment variable in the workflow below with the path to the JSON file. -# Replace the value of the `CONTAINER_NAME` environment variable in the workflow below with the name of the container -# in the `containerDefinitions` section of the task definition. -# -# 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. -# See the documentation for each action used below for the recommended IAM policies for this IAM user, -# and best practices on handling the access key credentials. 
- -name: Deploy to Amazon ECS - -on: - push: - branches: - - $default-branch - -env: - AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1 - ECR_REPOSITORY: MY_ECR_REPOSITORY # set this to your Amazon ECR repository name - ECS_SERVICE: MY_ECS_SERVICE # set this to your Amazon ECS service name - ECS_CLUSTER: MY_ECS_CLUSTER # set this to your Amazon ECS cluster name - ECS_TASK_DEFINITION: MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition - # file, e.g. .aws/task-definition.json - CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the - # containerDefinitions section of your task definition - -jobs: - deploy: - name: Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 - with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ env.AWS_REGION }} - - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v1 - - - name: Build, tag, and push image to Amazon ECR - id: build-image - env: - ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} - IMAGE_TAG: ${{ github.sha }} - run: | - # Build a docker container and - # push it to ECR so that it can - # be deployed to ECS. - docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG . 
- docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG - echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" - - - name: Fill in the new image ID in the Amazon ECS task definition - id: task-def - uses: aws-actions/amazon-ecs-render-task-definition@v1 - with: - task-definition: ${{ env.ECS_TASK_DEFINITION }} - container-name: ${{ env.CONTAINER_NAME }} - image: ${{ steps.build-image.outputs.image }} - - - name: Deploy Amazon ECS task definition - uses: aws-actions/amazon-ecs-deploy-task-definition@v1 - with: - task-definition: ${{ steps.task-def.outputs.task-definition }} - service: ${{ env.ECS_SERVICE }} - cluster: ${{ env.ECS_CLUSTER }} - wait-for-service-stability: true diff --git a/deployments/azure_docker.yml b/deployments/azure_docker.yml deleted file mode 100644 index 904ff2545c..0000000000 --- a/deployments/azure_docker.yml +++ /dev/null 
@@ -1,51 +0,0 @@ -# This workflow will build and push a node.js application to an Azure Web App when there is a push to the $default-branch branch. -# -# This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/azure/app-service/app-service-plan-manage#create-an-app-service-plan -# -# To configure this workflow: -# -# 1. For Linux apps, add an app setting called WEBSITE_WEBDEPLOY_USE_SCM and set it to true in your app **before downloading the file**. -# For more instructions see: https://docs.microsoft.com/azure/app-service/configure-common#configure-app-settings -# -# 2. Set up a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE with the value of your Azure publish profile. -# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret -# -# 3. Change the values for the AZURE_WEBAPP_NAME, AZURE_WEBAPP_PACKAGE_PATH and NODE_VERSION environment variables (below). -# -# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions -# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples -on: - push: - branches: - - $default-branch - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - NODE_VERSION: '10.x' # set this to the node version to use - -jobs: - build-and-deploy: - name: Build and Deploy - runs-on: ubuntu-latest - environment: production - steps: - - uses: actions/checkout@v2 - - name: Use Node.js ${{ env.NODE_VERSION }} - uses: actions/setup-node@v2 - with: - node-version: ${{ env.NODE_VERSION }} - - name: npm install, build, and test - run: | - # Build and test the project, then - # deploy to Azure Web App. 
- npm install - npm run build --if-present - npm run test --if-present - - name: 'Deploy to Azure WebApp' - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} diff --git a/deployments/azure_node.yml b/deployments/azure_node.yml deleted file mode 100644 index 904ff2545c..0000000000 --- a/deployments/azure_node.yml +++ /dev/null 
@@ -1,51 +0,0 @@ -# This workflow will build and push a node.js application to an Azure Web App when there is a push to the $default-branch branch. -# -# This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/azure/app-service/app-service-plan-manage#create-an-app-service-plan -# -# To configure this workflow: -# -# 1. For Linux apps, add an app setting called WEBSITE_WEBDEPLOY_USE_SCM and set it to true in your app **before downloading the file**. -# For more instructions see: https://docs.microsoft.com/azure/app-service/configure-common#configure-app-settings -# -# 2. Set up a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE with the value of your Azure publish profile. -# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret -# -# 3. Change the values for the AZURE_WEBAPP_NAME, AZURE_WEBAPP_PACKAGE_PATH and NODE_VERSION environment variables (below). -# -# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions -# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples -on: - push: - branches: - - $default-branch - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - NODE_VERSION: '10.x' # set this to the node version to use - -jobs: - build-and-deploy: - name: Build and Deploy - runs-on: ubuntu-latest - environment: production - steps: - - uses: actions/checkout@v2 - - name: Use Node.js ${{ env.NODE_VERSION }} - uses: actions/setup-node@v2 - with: - node-version: ${{ env.NODE_VERSION }} - - name: npm install, build, and test - run: | - # Build and test the project, then - # deploy to Azure Web App. 
- npm install - npm run build --if-present - npm run test --if-present - - name: 'Deploy to Azure WebApp' - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} diff --git a/deployments/google_java.yml b/deployments/google_java.yml deleted file mode 100644 index 267d3cb7bd..0000000000 --- a/deployments/google_java.yml +++ /dev/null 
@@ -1,81 +0,0 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. -# -# To configure this workflow: -# -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. -# -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). -# -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). -# -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke - -name: Build and Deploy to GKE - -on: - push: - branches: - - $default-branch - -env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - IMAGE: static-site - -jobs: - setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v2 - - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v0.2.0 - with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker - - # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v0.2.1 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY 
}} - - # Build the Docker image - - name: Build - run: |- - docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - - # Push the Docker image to Google Container Registry - - name: Publish - run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide diff --git a/deployments/google_python.yml b/deployments/google_python.yml deleted file mode 100644 index 267d3cb7bd..0000000000 --- a/deployments/google_python.yml +++ /dev/null 
@@ -1,81 +0,0 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. -# -# To configure this workflow: -# -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. -# -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). -# -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). -# -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke - -name: Build and Deploy to GKE - -on: - push: - branches: - - $default-branch - -env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - IMAGE: static-site - -jobs: - setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v2 - - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v0.2.0 - with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker - - # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v0.2.1 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY 
}} - - # Build the Docker image - - name: Build - run: |- - docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - - # Push the Docker image to Google Container Registry - - name: Publish - run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide diff --git a/deployments/properties/aws_docker.properties.json b/deployments/properties/aws_docker.properties.json deleted file mode 100644 index 1b5955a173..0000000000 --- a/deployments/properties/aws_docker.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Deploy to Amazon ECS", - "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.", - "creator": "Amazon Web Services", - "iconName": "aws", - "categories": ["Deployment", "Dockerfile"] -} diff --git a/deployments/properties/aws_node.properties.json b/deployments/properties/aws_node.properties.json deleted file mode 100644 index d099e52b1b..0000000000 --- a/deployments/properties/aws_node.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Deploy to Amazon ECS", - "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.", - "creator": "Amazon Web Services", - "iconName": "aws", - "categories": ["Deployment", "JavaScript", "npm"] -} 
diff --git a/deployments/properties/azure_docker.properties.json b/deployments/properties/azure_docker.properties.json deleted file mode 100644 index a5fd8ea294..0000000000 --- a/deployments/properties/azure_docker.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Deploy Node.js to Azure Web App", - "description": "Build a Node.js project and deploy it to an Azure Web App.", - "creator": "Microsoft Azure", - "iconName": "azure", - "categories": ["Deployment", "Dockerfile"] -} \ No newline at end of file diff --git a/deployments/properties/azure_node.properties.json b/deployments/properties/azure_node.properties.json deleted file mode 100644 index 90a371779a..0000000000 --- a/deployments/properties/azure_node.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Deploy Node.js to Azure Web App", - "description": "Build a Node.js project and deploy it to an Azure Web App.", - "creator": "Microsoft Azure", - "iconName": "azure", - "categories": ["Deployment", "JavaScript", "npm"] -} \ No newline at end of file diff --git a/deployments/properties/google_java.properties.json b/deployments/properties/google_java.properties.json deleted file mode 100644 index cc17c3039d..0000000000 --- a/deployments/properties/google_java.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Build and Deploy to GKE", - "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", - "creator": "Google Cloud", - "iconName": "googlegke", - "categories": ["Deployment", "Java"] -} \ No newline at end of file diff --git a/deployments/properties/google_python.properties.json b/deployments/properties/google_python.properties.json deleted file mode 100644 index 3ded1a9c4b..0000000000 --- a/deployments/properties/google_python.properties.json +++ /dev/null 
@@ -1,7 +0,0 @@
-{
- "name": "Build and Deploy to GKE",
- "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.",
- "creator": "Google Cloud",
- "iconName": "googlegke",
- "categories": ["Deployment", "Python"]
-} \ No newline at end of file
From 042eac38589af8f0329cea45533e79e4b75eb8ba Mon Sep 17 00:00:00 2001 From: David Verdeguer Date: Thu, 21 Oct 2021 22:11:00 +0200 Subject: [PATCH 107/844] Add ruby and update workflow --- code-scanning/codeql.yml | 3 +-- code-scanning/properties/codeql.properties.json | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml
index b32675e536..57b4b69ad9
--- a/code-scanning/codeql.yml
+++ b/code-scanning/codeql.yml
@@ -34,8 +34,7 @@ jobs:
 matrix:
 language: [ $detected-codeql-languages ]
 # CodeQL supports [ $supported-codeql-languages ]
- # Learn more:
- # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+ # Learn more about CodeQL language support at https://git.io/codeql-language-support
 steps:
 - name: Checkout repository
diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json
index cb9305a9a1..2919e981e0
--- a/code-scanning/properties/codeql.properties.json
+++ b/code-scanning/properties/codeql.properties.json
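Review bot: The replacement comment `# Learn more about CodeQL language support at https://git.io/codeql-language-support` swaps a canonical docs.github.com URL for a git.io redirect, so a reader of the generated workflow can no longer see where the link goes without following it, and the target can be changed out of band. Keeping the shortener for brevity is a choice, but a template that many repositories will copy verbatim is better served by the full documentation URL, which the removed line already had. The enclosing `strategy`/`matrix` stanza starts above this hunk.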
@@ -1,7 +1,7 @@
 {
 "name": "CodeQL Analysis",
 "creator": "GitHub",
- "description": "Security analysis from GitHub for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.",
+ "description": "Security analysis from GitHub for C, C++, C#, Java, JavaScript, TypeScript, Python, Go and Ruby developers. \n ",
 "iconName": "octicon mark-github",
- "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python"]
+ "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"]
 }
From bafed29a86e2e7f904577674c70739ef99c7da55 Mon Sep 17 00:00:00 2001 From: Daniel Winsor Date: Thu, 21 Oct 2021 14:14:02 -0700 Subject: [PATCH 108/844] Add workflow for Microsoft C++ Code Analysis --- code-scanning/msvc.yml | 57 +++++++++++++++++++ code-scanning/properties/msvc.properties.json | 7 +++ icons/microsoft.svg | 34 +++++++++++ 3 files changed, 98 insertions(+) create mode 100644 code-scanning/msvc.yml create mode 100644 code-scanning/properties/msvc.properties.json create mode 100644 icons/microsoft.svg
diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml new file mode 100644
index 0000000000..85cb4752d7
--- /dev/null
+++ b/code-scanning/msvc.yml
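Review bot: The new description string ends in ` \n ` — a literal backslash-n escape plus surrounding spaces — which will render as a stray line break and trailing whitespace wherever this metadata is displayed, and looks like an editing leftover rather than intent. The line should be `"description": "Security analysis from GitHub for C, C++, C#, Java, JavaScript, TypeScript, Python, Go and Ruby developers.",`. The serial comma was also dropped relative to the old text ("Python, and Go" became "Python, Go and Ruby"); either form is fine, but the other property files on this page use none, so the new form is at least consistent.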
@@ -0,0 +1,57 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Find more information at: +# https://github.com/microsoft/msvc-code-analysis-action + +name: Microsoft C++ Code Analysis + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +env: + # Path to the CMake build directory. + build: '${{ github.workspace }}/build' + +jobs: + build: + steps: + # Configure project with CMake + - name: Configure CMake + uses: lukka/run-cmake@v3 + with: + buildDirectory: ${{ env.build }} + # Build is not require unless generated source files are used + buildWithCMake: false + cmakeGenerator: 'VS16Win64' + cmakeListsTxtPath: ${{ github.workspace }}/CMakeLists.txt + + # Run Microsoft Visual C++ code analysis + - name: Initialize MSVC Code Analysis + uses: microsoft/msvc-code-analysis-action + # Provide a unique ID to access the sarif output path + id: run-analysis + with: + cmakeBuildDirectory: ${{ env.build }} + # Ruleset file that will determine what checks will be run + ruleset: NativeRecommendRules.ruleset + + # Upload SARIF file to GitHub Code Scanning Alerts + - name: Upload SARIF to Github + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ${{ steps.run-analysis.outputs.sarif }} + + # Upload SARIF file as an Artifact to download and view + # - name: Upload SARIF as an Artifact + # uses: actions/upload-artifact@v2 + # with: + # name: sarif-file + # path: ${{ steps.run-analysis.outputs.sarif }} diff --git a/code-scanning/properties/msvc.properties.json b/code-scanning/properties/msvc.properties.json new file mode 100644 index 0000000000..03c4500bb0 --- /dev/null +++ b/code-scanning/properties/msvc.properties.json 
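Review bot: `uses: microsoft/msvc-code-analysis-action` in the "Initialize MSVC Code Analysis" step has no `@ref` at all, so the workflow cannot be loaded as written, and the other third-party action in the file, `lukka/run-cmake@v3`, is referenced by a mutable tag rather than a commit SHA even though the header comment acknowledges these actions are not certified by GitHub. The `build` job also declares no `runs-on` and has no checkout step, so `${{ github.workspace }}/CMakeLists.txt` would not exist when the CMake step runs. The following patch on this page pins the Microsoft action to a full SHA, drops `lukka/run-cmake`, and adds `runs-on: windows-latest` with `actions/checkout@v2`, which addresses these; the same pin-to-SHA treatment should be applied to any other third-party action added here later.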
@@ -0,0 +1,7 @@ +{ + "name": "Microsoft C++ Code Analysis", + "creator": "Microsoft", + "description": "Code Analysis with the Microsoft C & C++ Compiler for CMake base projects.", + "iconName": "microsoft", + "categories": ["Code Scanning", "C", "C++"] +} diff --git a/icons/microsoft.svg b/icons/microsoft.svg new file mode 100644 index 0000000000..990fa84fbf --- /dev/null +++ b/icons/microsoft.svg @@ -0,0 +1,34 @@ +microsoft + + + + + image/svg+xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file From 9fccb15dc69faf8e0b7ce3d05701675a51d780d9 Mon Sep 17 00:00:00 2001 From: Daniel Winsor Date: Thu, 21 Oct 2021 16:18:11 -0700 Subject: [PATCH 109/844] Updated action to meet guidelines --- code-scanning/msvc.yml | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 85cb4752d7..c6bb29fb93 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -21,21 +21,23 @@ env: build: '${{ github.workspace }}/build' jobs: - build: + analyze: + name: Analyze + runs-on: windows-latest + steps: - # Configure project with CMake + - name: Checkout repository + uses: actions/checkout@v2 + - name: Configure CMake - uses: lukka/run-cmake@v3 - with: - buildDirectory: ${{ env.build }} - # Build is not require unless generated source files are used - buildWithCMake: false - cmakeGenerator: 'VS16Win64' - cmakeListsTxtPath: ${{ github.workspace }}/CMakeLists.txt + run: cmake -B ${{ env.build }} + + # Build is not required unless generated source files are used + # - name: Build CMake + # run: cmake --build ${{ env.build }} - # Run Microsoft Visual C++ code analysis - name: Initialize MSVC Code Analysis - uses: microsoft/msvc-code-analysis-action + uses: microsoft/msvc-code-analysis-action@502db28262ba134c9a621d5a509b9f7e696c99b6 # Provide a unique ID to access the sarif output path id: run-analysis with: 
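Review bot: The `analyze` job still runs with whatever default GITHUB_TOKEN grants the repository has; the `upload-sarif` step later in this file needs `security-events: write` and nothing else in the job needs write access, so the workflow should declare that explicitly with a top-level `permissions:` block containing `contents: read` and `security-events: write`, which also covers repositories whose default token scope is read-only. Pinning `microsoft/msvc-code-analysis-action` to a full commit SHA is the right call for a third-party action; adding a trailing comment naming the tag the SHA corresponds to makes future updates reviewable. `actions/checkout@v2` and `github/codeql-action/upload-sarif@v1` remain on mutable major tags, which is a conscious trade-off for GitHub-owned actions but worth noting for consistency. The job's `with:` inputs continue in the next hunk.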
@@ -44,7 +46,7 @@ jobs: ruleset: NativeRecommendRules.ruleset # Upload SARIF file to GitHub Code Scanning Alerts - - name: Upload SARIF to Github + - name: Upload SARIF to GitHub uses: github/codeql-action/upload-sarif@v1 with: sarif_file: ${{ steps.run-analysis.outputs.sarif }} From 40f0709bd652afee23c304a26984fb30dd82c869 Mon Sep 17 00:00:00 2001 From: Rui Chen Date: Fri, 22 Oct 2021 01:14:49 -0400 Subject: [PATCH 110/844] quote the version strings --- ci/pylint.yml | 9 +++++---- ci/python-app.yml | 2 +- ci/python-package.yml | 2 +- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/ci/pylint.yml b/ci/pylint.yml index e217f63897..10c49c6d1d 100644 --- a/ci/pylint.yml +++ b/ci/pylint.yml @@ -4,15 +4,16 @@ on: [push] jobs: build: - runs-on: ubuntu-latest - + strategy: + matrix: + python-version: ["3.8", "3.9", "3.10"] steps: - uses: actions/checkout@v2 - - name: Set up Python 3.10 + - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v2 with: - python-version: 3.10 + python-version: ${{ matrix.python-version }} - name: Install dependencies run: | python -m pip install --upgrade pip diff --git a/ci/python-app.yml b/ci/python-app.yml index 30b2b8fe0b..2cfc2a36b5 100644 --- a/ci/python-app.yml +++ b/ci/python-app.yml @@ -19,7 +19,7 @@ jobs: - name: Set up Python 3.10 uses: actions/setup-python@v2 with: - python-version: 3.10 + python-version: "3.10" - name: Install dependencies run: | python -m pip install --upgrade pip diff --git a/ci/python-package.yml b/ci/python-package.yml index 9690811ad7..b0a63cf6a9 100644 --- a/ci/python-package.yml +++ b/ci/python-package.yml @@ -16,7 +16,7 @@ jobs: strategy: fail-fast: false matrix: - python-version: [3.8, 3.9, 3.10] + python-version: ["3.8", "3.9", "3.10"] steps: - uses: actions/checkout@v2 From 149db50d434d371436226749011c7e56fb556195 Mon Sep 17 00:00:00 2001 
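Review bot: The pylint.yml hunk deletes `runs-on: ubuntu-latest` from the `build` job and does not put it back, so after this change the job consists only of `strategy` and `steps` and GitHub Actions will reject the workflow, since `runs-on` is required. Restore it alongside the new matrix: `runs-on: ubuntu-latest` directly under `build:`, before `strategy:`. Quoting the versions as `"3.8"`, `"3.9"`, `"3.10"` is correct and necessary, since an unquoted `3.10` is parsed as the float `3.1`; the python-package.yml hunk in the same commit additionally sets `fail-fast: false`, which this matrix might also want so one failing interpreter version does not cancel the others. The rest of the `build` job's steps are outside the hunk.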
From: Nick Fyson Date: Fri, 22 Oct 2021 09:33:24 +0100 Subject: [PATCH 111/844] correct typo in msvc.properties.json --- code-scanning/properties/msvc.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/msvc.properties.json b/code-scanning/properties/msvc.properties.json index 03c4500bb0..641d5e6be9 100644 --- a/code-scanning/properties/msvc.properties.json +++ b/code-scanning/properties/msvc.properties.json @@ -1,7 +1,7 @@ { "name": "Microsoft C++ Code Analysis", "creator": "Microsoft", - "description": "Code Analysis with the Microsoft C & C++ Compiler for CMake base projects.", + "description": "Code Analysis with the Microsoft C & C++ Compiler for CMake based projects.", "iconName": "microsoft", "categories": ["Code Scanning", "C", "C++"] } From dcdce00205973405ccc4e12ee599432018005edc Mon Sep 17 00:00:00 2001 From: David Verdeguer <47184891+Daverlo@users.noreply.github.com> Date: Fri, 22 Oct 2021 10:54:14 +0200 Subject: [PATCH 112/844] Update codeql.properties.json --- code-scanning/properties/codeql.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index 2919e981e0..219f5170f8 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -1,7 +1,7 @@ { "name": "CodeQL Analysis", "creator": "GitHub", - "description": "Security analysis from GitHub for C, C++, C#, Java, JavaScript, TypeScript, Python, Go and Ruby developers. \n ", + "description": "Security analysis from GitHub for C, C++, C#, Java, JavaScript, TypeScript, Python, Go and Ruby developers.", "iconName": "octicon mark-github", "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"] } From 4e20b526184631f70591dc040dbed47a83f712b3 Mon Sep 17 00:00:00 2001 
From: Ashwin Sangem Date: Fri, 22 Oct 2021 14:47:00 +0530 Subject: [PATCH 113/844] Sync partner_templates branch with main (#1184) * Added Cloudrail according to instructions and existing examples * Adding Cloudrail according to documentation and examples * Oops * Add original Fortify on Demand workflow * Update Fortify on Demand workflow * Update Fortify on Demand supported languages * Add 3rd-party GitHub Actions disclaimer * Sysdig Secure Inline Scan with SARIF report to starter workflows * Added some extra comments, Github Actions V2 and changed env vars * Reviews from PR #1110 * Adding 'Dockerfile' to category list * Update according to PR review comments * File renames as requested in PR comments * Revert "Azure Data Factory CI starter workflow (#1111)" (#1146) This reverts commit 7f30309ccedb0e3dee186e0ee58c232752a78e24. * use env variables for user-set values (#1117) Co-authored-by: Josh Gross * Apply suggestions from nickfyson's code review Co-authored-by: Nick Fyson * removing "deployment" templates from sync-ghes (#1127) * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Changed svg logo * Rename sysdig.svg to sysdig-scan.svg * Switched svg logo (again) for a better fit * Rename fortify.json to fortify.properties.json * Correct character-case of "c" in Cloudrail * AWS template also used Docker * trigger on push instead of release (#1157) Co-authored-by: Josh Gross * Added new templates for 3 clouds. * Revert "Added new templates for 3 clouds." This reverts commit c765d6316fb380d15d81206ede83b0042cdac377. 
* Add workflow for Microsoft C++ Code Analysis * Updated action to meet guidelines * correct typo in msvc.properties.json Co-authored-by: Yoni Leitersdorf Co-authored-by: Ruud Senden Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com> Co-authored-by: Manuel Boira Cuevas Co-authored-by: manuelbcd Co-authored-by: Nick Fyson Co-authored-by: Sarah Edwards Co-authored-by: Josh Gross Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Co-authored-by: manuelbcd Co-authored-by: Daniel Winsor --- code-scanning/cloudrail.yml | 2 +- code-scanning/msvc.yml | 59 +++++++++++++++++++ code-scanning/properties/msvc.properties.json | 7 +++ deployments/alibabacloud.yml | 7 ++- deployments/aws.yml | 7 ++- deployments/azure.yml | 7 ++- deployments/google.yml | 7 ++- deployments/ibm.yml | 7 ++- deployments/properties/aws.properties.json | 4 +- deployments/tencent.yml | 7 ++- icons/microsoft.svg | 34 +++++++++++ 11 files changed, 127 insertions(+), 21 deletions(-) create mode 100644 code-scanning/msvc.yml create mode 100644 code-scanning/properties/msvc.properties.json create mode 100644 icons/microsoft.svg diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml index 9f95c5c754..00e270ad57 100644 --- a/code-scanning/cloudrail.yml +++ b/code-scanning/cloudrail.yml @@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. -name: cloudrail +name: Cloudrail on: push: diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml new file mode 100644 index 0000000000..c6bb29fb93 --- /dev/null +++ b/code-scanning/msvc.yml 
@@ -0,0 +1,59 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Find more information at: +# https://github.com/microsoft/msvc-code-analysis-action + +name: Microsoft C++ Code Analysis + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +env: + # Path to the CMake build directory. + build: '${{ github.workspace }}/build' + +jobs: + analyze: + name: Analyze + runs-on: windows-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + - name: Configure CMake + run: cmake -B ${{ env.build }} + + # Build is not required unless generated source files are used + # - name: Build CMake + # run: cmake --build ${{ env.build }} + + - name: Initialize MSVC Code Analysis + uses: microsoft/msvc-code-analysis-action@502db28262ba134c9a621d5a509b9f7e696c99b6 + # Provide a unique ID to access the sarif output path + id: run-analysis + with: + cmakeBuildDirectory: ${{ env.build }} + # Ruleset file that will determine what checks will be run + ruleset: NativeRecommendRules.ruleset + + # Upload SARIF file to GitHub Code Scanning Alerts + - name: Upload SARIF to GitHub + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ${{ steps.run-analysis.outputs.sarif }} + + # Upload SARIF file as an Artifact to download and view + # - name: Upload SARIF as an Artifact + # uses: actions/upload-artifact@v2 + # with: + # name: sarif-file + # path: ${{ steps.run-analysis.outputs.sarif }} diff --git a/code-scanning/properties/msvc.properties.json b/code-scanning/properties/msvc.properties.json new file mode 100644 index 0000000000..641d5e6be9 --- /dev/null +++ b/code-scanning/properties/msvc.properties.json 
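Review bot: The commented-out "Upload SARIF as an Artifact" step at the end of msvc.yml, if a user enables it, publishes the analysis results as a workflow artifact that anyone with read access to the repository can download, which on a public repository means everyone; the SARIF contains unfixed findings with file paths and line numbers, so a comment warning about that exposure (and suggesting a short `retention-days`) belongs next to it, e.g. `# NOTE: artifacts are downloadable by anyone with read access; the SARIF lists unfixed findings`. Separately, this final version of the file still has no `permissions:` block even though `upload-sarif` requires `security-events: write`; declaring `contents: read` plus `security-events: write` at the top level keeps the job to least privilege. The `$protected-branches` push filter and weekly `$cron-weekly` schedule are template placeholders and look fine.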
@@ -0,0 +1,7 @@ +{ + "name": "Microsoft C++ Code Analysis", + "creator": "Microsoft", + "description": "Code Analysis with the Microsoft C & C++ Compiler for CMake based projects.", + "iconName": "microsoft", + "categories": ["Code Scanning", "C", "C++"] +} diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index 9ccc0333b9..ded91780b0 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -1,5 +1,5 @@ # This workflow will build and push a new container image to Alibaba Cloud Container Registry (ACR), -# and then will deploy it to Alibaba Cloud Container Service for Kubernetes (ACK), when a release is created. +# and then will deploy it to Alibaba Cloud Container Service for Kubernetes (ACK), when there is a push to the $default-branch branch. # # To use this workflow, you will need to complete the following set-up steps: # @@ -20,8 +20,9 @@ name: Build and Deploy to ACK on: - release: - types: [created] + push: + branches: + - $default-branch # Environment variables available to all jobs and steps in this workflow. env: diff --git a/deployments/aws.yml b/deployments/aws.yml index 6a6643c98a..dab851f906 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -1,5 +1,5 @@ # This workflow will build and push a new container image to Amazon ECR, -# and then will deploy a new task definition to Amazon ECS, when a release is created +# and then will deploy a new task definition to Amazon ECS, when there is a push to the $default-branch branch. # # To use this workflow, you will need to complete the following set-up steps: # @@ -27,8 +27,9 @@ name: Deploy to Amazon ECS on: - release: - types: [created] + push: + branches: + - $default-branch env: AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1 diff --git a/deployments/azure.yml b/deployments/azure.yml index 0262b4920f..904ff2545c 100644 --- a/deployments/azure.yml +++ b/deployments/azure.yml 
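Review bot: Changing `on:` from `release: types: [created]` to `push` on `$default-branch` in aws.yml (and alibabacloud.yml above it, and the other four deployment templates in this commit) means every commit that lands on the default branch now deploys straight to the ECS service or ACK cluster with the workflow's cloud credentials, with no release gate in between. If that is the intended behaviour, the templates should say so and pair it with a protected default branch and a job-level `environment:` that has required reviewers, so the deploy itself is gated rather than only the branch; the jobs are outside these hunks, so I cannot tell whether any of them already set `environment:`. A header comment such as `# Every push to $default-branch deploys; protect the branch and gate the job with an environment that requires review` would make the trade-off visible to whoever adopts the template.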
@@ -1,4 +1,4 @@ -# This workflow will build and push a node.js application to an Azure Web App when a release is created. +# This workflow will build and push a node.js application to an Azure Web App when there is a push to the $default-branch branch. # # This workflow assumes you have already created the target Azure App Service web app. # For instructions see https://docs.microsoft.com/azure/app-service/app-service-plan-manage#create-an-app-service-plan @@ -16,8 +16,9 @@ # For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions # For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples on: - release: - types: [created] + push: + branches: + - $default-branch env: AZURE_WEBAPP_NAME: your-app-name # set this to your application's name diff --git a/deployments/google.yml b/deployments/google.yml index 5e803edba5..267d3cb7bd 100644 --- a/deployments/google.yml +++ b/deployments/google.yml @@ -1,4 +1,4 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when a release is created +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. # # To configure this workflow: # @@ -13,8 +13,9 @@ name: Build and Deploy to GKE on: - release: - types: [created] + push: + branches: + - $default-branch env: PROJECT_ID: ${{ secrets.GKE_PROJECT }} diff --git a/deployments/ibm.yml b/deployments/ibm.yml index a8502cdd0c..216b04d587 100644 --- a/deployments/ibm.yml +++ b/deployments/ibm.yml 
@@ -1,4 +1,4 @@ -# This workflow will build a docker container, publish it to IBM Container Registry, and deploy it to IKS when a release is created +# This workflow will build a docker container, publish it to IBM Container Registry, and deploy it to IKS when there is a push to the $default-branch branch. # # To configure this workflow: # @@ -9,8 +9,9 @@ name: Build and Deploy to IKS on: - release: - types: [created] + push: + branches: + - $default-branch # Environment variables available to all jobs and steps in this workflow env: diff --git a/deployments/properties/aws.properties.json b/deployments/properties/aws.properties.json index 10a7ed34f7..1b5955a173 100644 --- a/deployments/properties/aws.properties.json +++ b/deployments/properties/aws.properties.json @@ -3,5 +3,5 @@ "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.", "creator": "Amazon Web Services", "iconName": "aws", - "categories": ["Deployment"] -} \ No newline at end of file + "categories": ["Deployment", "Dockerfile"] +} diff --git a/deployments/tencent.yml b/deployments/tencent.yml index 0be339e181..83bde94579 100644 --- a/deployments/tencent.yml +++ b/deployments/tencent.yml @@ -1,4 +1,4 @@ -# This workflow will build a docker container, publish and deploy it to Tencent Kubernetes Engine (TKE). +# This workflow will build a docker container, publish and deploy it to Tencent Kubernetes Engine (TKE) when there is a push to the $default-branch branch. # # To configure this workflow: # @@ -16,8 +16,9 @@ name: Tencent Kubernetes Engine on: - release: - types: [created] + push: + branches: + - $default-branch # Environment variables available to all jobs and steps in this workflow env: diff --git a/icons/microsoft.svg b/icons/microsoft.svg new file mode 100644 index 0000000000..990fa84fbf --- /dev/null +++ b/icons/microsoft.svg 
@@ -0,0 +1,34 @@ +microsoft + + + + + image/svg+xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file From 281a35c5efb80a3e487989aaf181825136c93d66 Mon Sep 17 00:00:00 2001 From: David Verdeguer <47184891+Daverlo@users.noreply.github.com> Date: Fri, 22 Oct 2021 11:37:35 +0200 Subject: [PATCH 114/844] Update code-scanning/properties/codeql.properties.json Co-authored-by: Arthur Baars --- code-scanning/properties/codeql.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index 219f5170f8..e9acea5476 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -1,7 +1,7 @@ { "name": "CodeQL Analysis", "creator": "GitHub", - "description": "Security analysis from GitHub for C, C++, C#, Java, JavaScript, TypeScript, Python, Go and Ruby developers.", + "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python and Ruby developers.", "iconName": "octicon mark-github", "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"] } From 3a3f99717d9571d5f89d1334e5cce9e6691a31bd Mon Sep 17 00:00:00 2001 From: David Verdeguer <47184891+Daverlo@users.noreply.github.com> Date: Fri, 22 Oct 2021 11:40:38 +0200 Subject: [PATCH 115/844] Update codeql.properties.json --- code-scanning/properties/codeql.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index e9acea5476..f8082c7125 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json 
@@ -1,7 +1,7 @@ { "name": "CodeQL Analysis", "creator": "GitHub", - "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python and Ruby developers.", + "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.", "iconName": "octicon mark-github", "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"] } From 0f29a0acbb3cafbbe38e9aa926e80cb45a78392a Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Fri, 22 Oct 2021 15:12:17 +0530 Subject: [PATCH 116/844] Add files via upload --- deployments/aws_docker.yaml | 81 +++++++++++++++++++++++++++++++++++ deployments/aws_node.yaml | 81 +++++++++++++++++++++++++++++++++++ deployments/azure_docker.yaml | 81 +++++++++++++++++++++++++++++++++++ deployments/azure_node.yaml | 81 +++++++++++++++++++++++++++++++++++ deployments/google_java.yaml | 81 +++++++++++++++++++++++++++++++++++ deployments/google_python.yml | 81 +++++++++++++++++++++++++++++++++++ 6 files changed, 486 insertions(+) create mode 100644 deployments/aws_docker.yaml create mode 100644 deployments/aws_node.yaml create mode 100644 deployments/azure_docker.yaml create mode 100644 deployments/azure_node.yaml create mode 100644 deployments/google_java.yaml create mode 100644 deployments/google_python.yml diff --git a/deployments/aws_docker.yaml b/deployments/aws_docker.yaml new file mode 100644 index 0000000000..0c789fa541 --- /dev/null +++ b/deployments/aws_docker.yaml 
@@ -0,0 +1,81 @@ +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. +# +# To configure this workflow: +# +# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. +# +# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). +# +# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). +# +# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke + +name: Build and Deploy to GKE + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: ${{ secrets.GKE_PROJECT }} + GKE_CLUSTER: cluster-1 # TODO: update to cluster name + GKE_ZONE: us-central1-c # TODO: update to cluster zone + DEPLOYMENT_NAME: gke-test # TODO: update to deployment name + IMAGE: static-site + +jobs: + setup-build-publish-deploy: + name: Setup, Build, Publish, and Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v2 + + # Setup gcloud CLI + - uses: google-github-actions/setup-gcloud@v0.2.0 + with: + service_account_key: ${{ secrets.GKE_SA_KEY }} + project_id: ${{ secrets.GKE_PROJECT }} + + # Configure Docker to use the gcloud command-line tool as a credential + # helper for authentication + - run: |- + gcloud --quiet auth configure-docker + + # Get the GKE credentials so we can deploy to the cluster + - uses: google-github-actions/get-gke-credentials@v0.2.1 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + credentials: ${{ secrets.GKE_SA_KEY 
}} + + # Build the Docker image + - name: Build + run: |- + docker build \ + --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ + --build-arg GITHUB_SHA="$GITHUB_SHA" \ + --build-arg GITHUB_REF="$GITHUB_REF" \ + . + + # Push the Docker image to Google Container Registry + - name: Publish + run: |- + docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" + + # Set up kustomize + - name: Set up Kustomize + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 + chmod u+x ./kustomize + + # Deploy the Docker image to the GKE cluster + - name: Deploy + run: |- + ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide \ No newline at end of file diff --git a/deployments/aws_node.yaml b/deployments/aws_node.yaml new file mode 100644 index 0000000000..0c789fa541 --- /dev/null +++ b/deployments/aws_node.yaml 
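Review bot: deployments/aws_docker.yaml is not an AWS workflow: its content is the GKE template verbatim (the `index 0000000000..0c789fa541` line shows the same blob as aws_node.yaml, azure_docker.yaml and azure_node.yaml below), so a user who picks "AWS Docker" gets a pipeline that authenticates to Google Cloud with `GKE_SA_KEY`, pushes to `gcr.io` and runs `kubectl` against a GKE cluster. Either the file needs real AWS content (the existing deployments/aws.yml in this repo would be the starting point) or it should not be added under this name. Within the copied content, the "Set up Kustomize" step fetches a binary with `curl` and executes it with cluster credentials in scope without any integrity check; a pinned SHA-256 verification before `chmod u+x` would close that, e.g. `echo "<published sha256>  kustomize" | sha256sum -c -`.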
@@ -0,0 +1,81 @@ +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. +# +# To configure this workflow: +# +# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. +# +# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). +# +# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). +# +# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke + +name: Build and Deploy to GKE + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: ${{ secrets.GKE_PROJECT }} + GKE_CLUSTER: cluster-1 # TODO: update to cluster name + GKE_ZONE: us-central1-c # TODO: update to cluster zone + DEPLOYMENT_NAME: gke-test # TODO: update to deployment name + IMAGE: static-site + +jobs: + setup-build-publish-deploy: + name: Setup, Build, Publish, and Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v2 + + # Setup gcloud CLI + - uses: google-github-actions/setup-gcloud@v0.2.0 + with: + service_account_key: ${{ secrets.GKE_SA_KEY }} + project_id: ${{ secrets.GKE_PROJECT }} + + # Configure Docker to use the gcloud command-line tool as a credential + # helper for authentication + - run: |- + gcloud --quiet auth configure-docker + + # Get the GKE credentials so we can deploy to the cluster + - uses: google-github-actions/get-gke-credentials@v0.2.1 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + credentials: ${{ secrets.GKE_SA_KEY 
}} + + # Build the Docker image + - name: Build + run: |- + docker build \ + --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ + --build-arg GITHUB_SHA="$GITHUB_SHA" \ + --build-arg GITHUB_REF="$GITHUB_REF" \ + . + + # Push the Docker image to Google Container Registry + - name: Publish + run: |- + docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" + + # Set up kustomize + - name: Set up Kustomize + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 + chmod u+x ./kustomize + + # Deploy the Docker image to the GKE cluster + - name: Deploy + run: |- + ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide \ No newline at end of file diff --git a/deployments/azure_docker.yaml b/deployments/azure_docker.yaml new file mode 100644 index 0000000000..0c789fa541 --- /dev/null +++ b/deployments/azure_docker.yaml 
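Review bot: The "Set up Kustomize" step in aws_node.yaml downloads `kustomize_3.1.0_linux_amd64` from GitHub releases with `curl -sfLo` and immediately executes it, after `get-gke-credentials` has already placed cluster credentials on the runner, so a tampered or substituted download would run with deploy rights to the cluster. Verify the binary against its published digest before executing it: `curl -sfLo kustomize "https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64"`, then `echo "<published sha256>  kustomize" | sha256sum -c -`, then `chmod u+x ./kustomize`. Note also that this file is byte-identical to the GKE template (same blob `0c789fa541` as google.yml's copies in this commit) despite its `aws_node` name, so its content does not match what the filename promises.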
@@ -0,0 +1,81 @@ +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. +# +# To configure this workflow: +# +# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. +# +# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). +# +# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). +# +# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke + +name: Build and Deploy to GKE + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: ${{ secrets.GKE_PROJECT }} + GKE_CLUSTER: cluster-1 # TODO: update to cluster name + GKE_ZONE: us-central1-c # TODO: update to cluster zone + DEPLOYMENT_NAME: gke-test # TODO: update to deployment name + IMAGE: static-site + +jobs: + setup-build-publish-deploy: + name: Setup, Build, Publish, and Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v2 + + # Setup gcloud CLI + - uses: google-github-actions/setup-gcloud@v0.2.0 + with: + service_account_key: ${{ secrets.GKE_SA_KEY }} + project_id: ${{ secrets.GKE_PROJECT }} + + # Configure Docker to use the gcloud command-line tool as a credential + # helper for authentication + - run: |- + gcloud --quiet auth configure-docker + + # Get the GKE credentials so we can deploy to the cluster + - uses: google-github-actions/get-gke-credentials@v0.2.1 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + credentials: ${{ secrets.GKE_SA_KEY 
}} + + # Build the Docker image + - name: Build + run: |- + docker build \ + --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ + --build-arg GITHUB_SHA="$GITHUB_SHA" \ + --build-arg GITHUB_REF="$GITHUB_REF" \ + . + + # Push the Docker image to Google Container Registry + - name: Publish + run: |- + docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" + + # Set up kustomize + - name: Set up Kustomize + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 + chmod u+x ./kustomize + + # Deploy the Docker image to the GKE cluster + - name: Deploy + run: |- + ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide \ No newline at end of file diff --git a/deployments/azure_node.yaml b/deployments/azure_node.yaml new file mode 100644 index 0000000000..0c789fa541 --- /dev/null +++ b/deployments/azure_node.yaml 
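Review bot: azure_docker.yaml authenticates with a long-lived service-account JSON key, `GKE_SA_KEY`, passed to both `setup-gcloud@v0.2.0` and `get-gke-credentials@v0.2.1`, and both actions are referenced by mutable tags rather than commit SHAs; a compromised tag would receive the key and the cluster credentials in the same job. Pin both to full SHAs, and add a header comment noting that the key grants standing access and should be scoped to the minimum IAM roles for pushing to GCR and deploying to the cluster, e.g. `# GKE_SA_KEY is a long-lived credential: scope its service account narrowly and rotate it`. The job does set `environment: production`, which is the right hook for required-reviewer gating. As with the other three copies in this commit, the file's content is the GKE template (same blob `0c789fa541`), not an Azure workflow, so the name is misleading.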
@@ -0,0 +1,81 @@
+# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch.
+#
+# To configure this workflow:
+#
+# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc.
+#
+# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs).
+#
+# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below).
+#
+# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke
+
+name: Build and Deploy to GKE
+
+on:
+ push:
+ branches:
+ - $default-branch
+
+env:
+ PROJECT_ID: ${{ secrets.GKE_PROJECT }}
+ GKE_CLUSTER: cluster-1 # TODO: update to cluster name
+ GKE_ZONE: us-central1-c # TODO: update to cluster zone
+ DEPLOYMENT_NAME: gke-test # TODO: update to deployment name
+ IMAGE: static-site
+
+jobs:
+ setup-build-publish-deploy:
+ name: Setup, Build, Publish, and Deploy
+ runs-on: ubuntu-latest
+ environment: production
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ # Setup gcloud CLI
+ - uses: google-github-actions/setup-gcloud@v0.2.0
+ with:
+ service_account_key: ${{ secrets.GKE_SA_KEY }}
+ project_id: ${{ secrets.GKE_PROJECT }}
+
+ # Configure Docker to use the gcloud command-line tool as a credential
+ # helper for authentication
+ - run: |-
+ gcloud --quiet auth configure-docker
+
+ # Get the GKE credentials so we can deploy to the cluster
+ - uses: google-github-actions/get-gke-credentials@v0.2.1
+ with:
+ cluster_name: ${{ env.GKE_CLUSTER }}
+ location: ${{ env.GKE_ZONE }}
+ credentials: ${{ secrets.GKE_SA_KEY }}
+
+ # Build the Docker image
+ - name: Build
+ run: |-
+ docker build \
+ --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \
+ --build-arg GITHUB_SHA="$GITHUB_SHA" \
+ --build-arg GITHUB_REF="$GITHUB_REF" \
+ .
+
+ # Push the Docker image to Google Container Registry
+ - name: Publish
+ run: |-
+ docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA"
+
+ # Set up kustomize
+ - name: Set up Kustomize
+ run: |-
+ curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64
+ chmod u+x ./kustomize
+
+ # Deploy the Docker image to the GKE cluster
+ - name: Deploy
+ run: |-
+ ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA
+ ./kustomize build . | kubectl apply -f -
+ kubectl rollout status deployment/$DEPLOYMENT_NAME
+ kubectl get services -o wide
\ No newline at end of file
diff --git a/deployments/google_java.yaml b/deployments/google_java.yaml
new file mode 100644
index 0000000000..0c789fa541
--- /dev/null
+++ b/deployments/google_java.yaml
@@ -0,0 +1,81 @@
+# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch.
+#
+# To configure this workflow:
+#
+# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc.
+#
+# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs).
+#
+# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below).
+#
+# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke
+
+name: Build and Deploy to GKE
+
+on:
+ push:
+ branches:
+ - $default-branch
+
+env:
+ PROJECT_ID: ${{ secrets.GKE_PROJECT }}
+ GKE_CLUSTER: cluster-1 # TODO: update to cluster name
+ GKE_ZONE: us-central1-c # TODO: update to cluster zone
+ DEPLOYMENT_NAME: gke-test # TODO: update to deployment name
+ IMAGE: static-site
+
+jobs:
+ setup-build-publish-deploy:
+ name: Setup, Build, Publish, and Deploy
+ runs-on: ubuntu-latest
+ environment: production
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ # Setup gcloud CLI
+ - uses: google-github-actions/setup-gcloud@v0.2.0
+ with:
+ service_account_key: ${{ secrets.GKE_SA_KEY }}
+ project_id: ${{ secrets.GKE_PROJECT }}
+
+ # Configure Docker to use the gcloud command-line tool as a credential
+ # helper for authentication
+ - run: |-
+ gcloud --quiet auth configure-docker
+
+ # Get the GKE credentials so we can deploy to the cluster
+ - uses: google-github-actions/get-gke-credentials@v0.2.1
+ with:
+ cluster_name: ${{ env.GKE_CLUSTER }}
+ location: ${{ env.GKE_ZONE }}
+ credentials: ${{ secrets.GKE_SA_KEY }}
+
+ # Build the Docker image
+ - name: Build
+ run: |-
+ docker build \
+ --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \
+ --build-arg GITHUB_SHA="$GITHUB_SHA" \
+ --build-arg GITHUB_REF="$GITHUB_REF" \
+ .
+
+ # Push the Docker image to Google Container Registry
+ - name: Publish
+ run: |-
+ docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA"
+
+ # Set up kustomize
+ - name: Set up Kustomize
+ run: |-
+ curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64
+ chmod u+x ./kustomize
+
+ # Deploy the Docker image to the GKE cluster
+ - name: Deploy
+ run: |-
+ ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA
+ ./kustomize build . | kubectl apply -f -
+ kubectl rollout status deployment/$DEPLOYMENT_NAME
+ kubectl get services -o wide
\ No newline at end of file
diff --git a/deployments/google_python.yml b/deployments/google_python.yml
new file mode 100644
index 0000000000..0c789fa541
--- /dev/null
+++ b/deployments/google_python.yml
@@ -0,0 +1,81 @@
+# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch.
+#
+# To configure this workflow:
+#
+# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc.
+#
+# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs).
+#
+# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below).
+#
+# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke
+
+name: Build and Deploy to GKE
+
+on:
+ push:
+ branches:
+ - $default-branch
+
+env:
+ PROJECT_ID: ${{ secrets.GKE_PROJECT }}
+ GKE_CLUSTER: cluster-1 # TODO: update to cluster name
+ GKE_ZONE: us-central1-c # TODO: update to cluster zone
+ DEPLOYMENT_NAME: gke-test # TODO: update to deployment name
+ IMAGE: static-site
+
+jobs:
+ setup-build-publish-deploy:
+ name: Setup, Build, Publish, and Deploy
+ runs-on: ubuntu-latest
+ environment: production
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ # Setup gcloud CLI
+ - uses: google-github-actions/setup-gcloud@v0.2.0
+ with:
+ service_account_key: ${{ secrets.GKE_SA_KEY }}
+ project_id: ${{ secrets.GKE_PROJECT }}
+
+ # Configure Docker to use the gcloud command-line tool as a credential
+ # helper for authentication
+ - run: |-
+ gcloud --quiet auth configure-docker
+
+ # Get the GKE credentials so we can deploy to the cluster
+ - uses: google-github-actions/get-gke-credentials@v0.2.1
+ with:
+ cluster_name: ${{ env.GKE_CLUSTER }}
+ location: ${{ env.GKE_ZONE }}
+ credentials: ${{ secrets.GKE_SA_KEY }}
+
+ # Build the Docker image
+ - name: Build
+ run: |-
+ docker build \
+ --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \
+ --build-arg GITHUB_SHA="$GITHUB_SHA" \
+ --build-arg GITHUB_REF="$GITHUB_REF" \
+ .
+
+ # Push the Docker image to Google Container Registry
+ - name: Publish
+ run: |-
+ docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA"
+
+ # Set up kustomize
+ - name: Set up Kustomize
+ run: |-
+ curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64
+ chmod u+x ./kustomize
+
+ # Deploy the Docker image to the GKE cluster
+ - name: Deploy
+ run: |-
+ ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA
+ ./kustomize build . | kubectl apply -f -
+ kubectl rollout status deployment/$DEPLOYMENT_NAME
+ kubectl get services -o wide
\ No newline at end of file
From a3270e70de1372f795ccd0b5f6c234b62743de79 Mon Sep 17 00:00:00 2001
From: Ashwin Sangem
Date: Fri, 22 Oct 2021 15:13:09 +0530
Subject: [PATCH 117/844] Add files via upload
---
deployments/properties/aws_dockerfile.properties.json | 7 +++++++
deployments/properties/aws_node.properties.json | 7 +++++++
deployments/properties/azure_docker.properties.json | 7 +++++++
deployments/properties/azure_node.properties.json | 7 +++++++
deployments/properties/google_java.properties.json | 7 +++++++
deployments/properties/google_python.properties.json | 7 +++++++
6 files changed, 42 insertions(+)
create mode 100644 deployments/properties/aws_dockerfile.properties.json
create mode 100644 deployments/properties/aws_node.properties.json
create mode 100644 deployments/properties/azure_docker.properties.json
create mode 100644 deployments/properties/azure_node.properties.json
create mode 100644 deployments/properties/google_java.properties.json
create mode 100644 deployments/properties/google_python.properties.json
diff --git a/deployments/properties/aws_dockerfile.properties.json b/deployments/properties/aws_dockerfile.properties.json
new file mode 100644
index 0000000000..ca3ebc91f4
--- /dev/null
+++ b/deployments/properties/aws_dockerfile.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "[Specific Docker]Deploy to Amazon ECS",
+ "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.",
+ "creator": "Amazon Web Services",
+ "iconName": "aws",
+ "categories": ["Deployment", "Dockerfile"]
+}
\ No newline at end of file
diff --git a/deployments/properties/aws_node.properties.json b/deployments/properties/aws_node.properties.json
new file mode 100644
index 0000000000..0466c39203
--- /dev/null
+++ b/deployments/properties/aws_node.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "[Specific Node]Deploy to Amazon ECS",
+ "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.",
+ "creator": "Amazon Web Services",
+ "iconName": "aws",
+ "categories": ["Deployment", "JavaScript", "npm"]
+}
\ No newline at end of file
diff --git a/deployments/properties/azure_docker.properties.json b/deployments/properties/azure_docker.properties.json
new file mode 100644
index 0000000000..8fb260c727
--- /dev/null
+++ b/deployments/properties/azure_docker.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "[Specific Docker]Deploy Node.js to Azure Web App",
+ "description": "Build a Node.js project and deploy it to an Azure Web App.",
+ "creator": "Microsoft Azure",
+ "iconName": "azure",
+ "categories": ["Deployment", "Dockerfile"]
+}
\ No newline at end of file
diff --git a/deployments/properties/azure_node.properties.json b/deployments/properties/azure_node.properties.json
new file mode 100644
index 0000000000..f2124add76
--- /dev/null
+++ b/deployments/properties/azure_node.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "[Specific Node]Deploy Node.js to Azure Web App",
+ "description": "Build a Node.js project and deploy it to an Azure Web App.",
+ "creator": "Microsoft Azure",
+ "iconName": "azure",
+ "categories": ["Deployment", "JavaScript", "npm"]
+}
\ No newline at end of file
diff --git a/deployments/properties/google_java.properties.json b/deployments/properties/google_java.properties.json
new file mode 100644
index 0000000000..88e3c2ea2b
--- /dev/null
+++ b/deployments/properties/google_java.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "[Specific Java]Build and Deploy to GKE",
+ "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.",
+ "creator": "Google Cloud",
+ "iconName": "googlegke",
+ "categories": ["Deployment", "Java"]
+}
\ No newline at end of file
diff --git a/deployments/properties/google_python.properties.json b/deployments/properties/google_python.properties.json
new file mode 100644
index 0000000000..ff8561cba7
--- /dev/null
+++ b/deployments/properties/google_python.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "[Specific Python]Build and Deploy to GKE",
+ "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.",
+ "creator": "Google Cloud",
+ "iconName": "googlegke",
+ "categories": ["Deployment", "Python"]
+}
\ No newline at end of file
From 4a9a12a0998bfea1d52c1ba1f04f2ed83165a434 Mon Sep 17 00:00:00 2001
From: David Verdeguer <47184891+Daverlo@users.noreply.github.com>
Date: Fri, 22 Oct 2021 11:52:12 +0200
Subject: [PATCH 118/844] Update codeql.properties.json
---
code-scanning/properties/codeql.properties.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json
index f8082c7125..ddb4627f49 100644
--- a/code-scanning/properties/codeql.properties.json
+++ b/code-scanning/properties/codeql.properties.json
@@ -3,5 +3,5 @@
 "creator": "GitHub",
 "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.",
 "iconName": "octicon mark-github",
- "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"]
+ "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"]
 }
From d6e33d5f35d8477542daaac02ccc53b091deb0fe Mon Sep 17 00:00:00 2001
From: Bishal Prasad
Date: Fri, 22 Oct 2021 15:48:49 +0530
Subject: [PATCH 119/844] fix dummy template names (#1185)
---
deployments/azure_node.yaml | 81 -------------------
.../properties/aws_dockerfile.properties.json | 4 +-
deployments/properties/azure.properties.json | 2 +-
.../properties/azure_docker.properties.json | 4 +-
.../properties/azure_node.properties.json | 7 --
.../properties/google_python.properties.json | 4 +-
6 files changed, 7 insertions(+), 95 deletions(-)
delete mode 100644 deployments/azure_node.yaml
delete mode 100644 deployments/properties/azure_node.properties.json
diff --git a/deployments/azure_node.yaml b/deployments/azure_node.yaml
deleted file mode 100644
index 0c789fa541..0000000000
--- a/deployments/azure_node.yaml
+++ /dev/null
@@ -1,81 +0,0 @@
-# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch.
-#
-# To configure this workflow:
-#
-# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc.
-#
-# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs).
-#
-# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below).
-#
-# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke
-
-name: Build and Deploy to GKE
-
-on:
- push:
- branches:
- - $default-branch
-
-env:
- PROJECT_ID: ${{ secrets.GKE_PROJECT }}
- GKE_CLUSTER: cluster-1 # TODO: update to cluster name
- GKE_ZONE: us-central1-c # TODO: update to cluster zone
- DEPLOYMENT_NAME: gke-test # TODO: update to deployment name
- IMAGE: static-site
-
-jobs:
- setup-build-publish-deploy:
- name: Setup, Build, Publish, and Deploy
- runs-on: ubuntu-latest
- environment: production
-
- steps:
- - name: Checkout
- uses: actions/checkout@v2
-
- # Setup gcloud CLI
- - uses: google-github-actions/setup-gcloud@v0.2.0
- with:
- service_account_key: ${{ secrets.GKE_SA_KEY }}
- project_id: ${{ secrets.GKE_PROJECT }}
-
- # Configure Docker to use the gcloud command-line tool as a credential
- # helper for authentication
- - run: |-
- gcloud --quiet auth configure-docker
-
- # Get the GKE credentials so we can deploy to the cluster
- - uses: google-github-actions/get-gke-credentials@v0.2.1
- with:
- cluster_name: ${{ env.GKE_CLUSTER }}
- location: ${{ env.GKE_ZONE }}
- credentials: ${{ secrets.GKE_SA_KEY }}
-
- # Build the Docker image
- - name: Build
- run: |-
- docker build \
- --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \
- --build-arg GITHUB_SHA="$GITHUB_SHA" \
- --build-arg GITHUB_REF="$GITHUB_REF" \
- .
-
- # Push the Docker image to Google Container Registry
- - name: Publish
- run: |-
- docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA"
-
- # Set up kustomize
- - name: Set up Kustomize
- run: |-
- curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64
- chmod u+x ./kustomize
-
- # Deploy the Docker image to the GKE cluster
- - name: Deploy
- run: |-
- ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA
- ./kustomize build . | kubectl apply -f -
- kubectl rollout status deployment/$DEPLOYMENT_NAME
- kubectl get services -o wide
\ No newline at end of file
diff --git a/deployments/properties/aws_dockerfile.properties.json b/deployments/properties/aws_dockerfile.properties.json
index ca3ebc91f4..e22ba4607f 100644
--- a/deployments/properties/aws_dockerfile.properties.json
+++ b/deployments/properties/aws_dockerfile.properties.json
@@ -1,6 +1,6 @@
 {
- "name": "[Specific Docker]Deploy to Amazon ECS",
- "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.",
+ "name": "[Specific Docker] Deploy dockerfile to Amazon EKS",
+ "description": "Deploy a container to an Amazon ECS.",
 "creator": "Amazon Web Services",
 "iconName": "aws",
 "categories": ["Deployment", "Dockerfile"]
diff --git a/deployments/properties/azure.properties.json b/deployments/properties/azure.properties.json
index 362d5d13b5..90a371779a 100644
--- a/deployments/properties/azure.properties.json
+++ b/deployments/properties/azure.properties.json
@@ -3,5 +3,5 @@
 "description": "Build a Node.js project and deploy it to an Azure Web App.",
 "creator": "Microsoft Azure",
 "iconName": "azure",
- "categories": ["Deployment"]
+ "categories": ["Deployment", "JavaScript", "npm"]
 }
\ No newline at end of file
diff --git a/deployments/properties/azure_docker.properties.json b/deployments/properties/azure_docker.properties.json
index 8fb260c727..bbf4a81129 100644
--- a/deployments/properties/azure_docker.properties.json
+++ b/deployments/properties/azure_docker.properties.json
@@ -1,6 +1,6 @@
 {
- "name": "[Specific Docker]Deploy Node.js to Azure Web App",
- "description": "Build a Node.js project and deploy it to an Azure Web App.",
+ "name": "[Specific Docker] Deploy Node.js to AKS",
+ "description": "Build a Node.js project and deploy it to AKS.",
 "creator": "Microsoft Azure",
 "iconName": "azure",
 "categories": ["Deployment", "Dockerfile"]
diff --git a/deployments/properties/azure_node.properties.json b/deployments/properties/azure_node.properties.json
deleted file mode 100644
index f2124add76..0000000000
--- a/deployments/properties/azure_node.properties.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "name": "[Specific Node]Deploy Node.js to Azure Web App",
- "description": "Build a Node.js project and deploy it to an Azure Web App.",
- "creator": "Microsoft Azure",
- "iconName": "azure",
- "categories": ["Deployment", "JavaScript", "npm"]
-}
\ No newline at end of file
diff --git a/deployments/properties/google_python.properties.json b/deployments/properties/google_python.properties.json
index ff8561cba7..21c631f02b 100644
--- a/deployments/properties/google_python.properties.json
+++ b/deployments/properties/google_python.properties.json
@@ -1,6 +1,6 @@
 {
- "name": "[Specific Python]Build and Deploy to GKE",
- "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.",
+ "name": "[Specific Python] Build and Deploy to GCE",
+ "description": "Build a docker container, publish it to Google compute engine.",
 "creator": "Google Cloud",
 "iconName": "googlegke",
 "categories": ["Deployment", "Python"]
From c3f7e66294d486c8e262a3ac75dbb668b696bce8 Mon Sep 17 00:00:00 2001
From: Bishal Prasad
Date: Fri, 22 Oct 2021 15:53:33 +0530
Subject: [PATCH 120/844] Update azure_docker.properties.json
---
deployments/properties/azure_docker.properties.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/deployments/properties/azure_docker.properties.json b/deployments/properties/azure_docker.properties.json
index bbf4a81129..2b7babf2d7 100644
--- a/deployments/properties/azure_docker.properties.json
+++ b/deployments/properties/azure_docker.properties.json
@@ -1,7 +1,7 @@
 {
- "name": "[Specific Docker] Deploy Node.js to AKS",
+ "name": "[Specific Docker] Deploy dockerfile to AKS",
 "description": "Build a Node.js project and deploy it to AKS.",
 "creator": "Microsoft Azure",
 "iconName": "azure",
 "categories": ["Deployment", "Dockerfile"]
-}
\ No newline at end of file
+}
From 1d19515d9576cc6df6a0e2beeaa7aa448cea7c58 Mon Sep 17 00:00:00 2001
From: Bishal Prasad
Date: Fri, 22 Oct 2021 15:58:29 +0530
Subject: [PATCH 121/844] Update google_java.properties.json
---
deployments/properties/google_java.properties.json | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/deployments/properties/google_java.properties.json b/deployments/properties/google_java.properties.json
index 88e3c2ea2b..0a87690efc 100644
--- a/deployments/properties/google_java.properties.json
+++ b/deployments/properties/google_java.properties.json
@@ -1,7 +1,7 @@
 {
- "name": "[Specific Java]Build and Deploy to GKE",
- "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.",
+ "name": "[Specific Java] Build and Deploy Java to GCE",
+ "description": "Build and deploy Java application to Google Compute engine.",
 "creator": "Google Cloud",
 "iconName": "googlegke",
 "categories": ["Deployment", "Java"]
-}
\ No newline at end of file
+}
From 1ff952c678c7ccb754cbcb5f33fc2d4e3478f2d4 Mon Sep 17 00:00:00 2001
From: Bishal Prasad
Date: Fri, 22 Oct 2021 16:00:12 +0530
Subject: [PATCH 122/844] Update aws_node.properties.json
---
deployments/properties/aws_node.properties.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/deployments/properties/aws_node.properties.json b/deployments/properties/aws_node.properties.json
index 0466c39203..dd932f01b8 100644
--- a/deployments/properties/aws_node.properties.json
+++ b/deployments/properties/aws_node.properties.json
@@ -1,7 +1,7 @@
 {
 "name": "[Specific Node]Deploy to Amazon ECS",
- "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.",
+ "description": "Deploy a Java app to Amazon ECS service powered by AWS Fargate or Amazon EC2.",
 "creator": "Amazon Web Services",
 "iconName": "aws",
 "categories": ["Deployment", "JavaScript", "npm"]
-}
\ No newline at end of file
+}
From ff38066101192d26bc67c20561c01f1f6f3c90e2 Mon Sep 17 00:00:00 2001
From: Bishal Prasad
Date: Fri, 22 Oct 2021 16:00:18 +0530
Subject: [PATCH 123/844] Create aws_node.properties.json
From 62a3686226d6d270103408b1c31a7ed19cb4ca60 Mon Sep 17 00:00:00 2001
From: Bishal Prasad
Date: Fri, 22 Oct 2021 16:00:55 +0530
Subject: [PATCH 124/844] Rename aws_node.properties.json to aws_java.properties.json
---
.../{aws_node.properties.json => aws_java.properties.json} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename deployments/properties/{aws_node.properties.json => aws_java.properties.json} (100%)
diff --git a/deployments/properties/aws_node.properties.json b/deployments/properties/aws_java.properties.json
similarity index 100%
rename from deployments/properties/aws_node.properties.json
rename to deployments/properties/aws_java.properties.json
From a7e746ef4ebc6f9a54f1b0a34d33c8e5625589fa Mon Sep 17 00:00:00 2001
From: Bishal Prasad
Date: Fri, 22 Oct 2021 16:01:43 +0530
Subject: [PATCH 125/844] Rename aws_node.yaml to aws_java.yaml
---
deployments/{aws_node.yaml => aws_java.yaml} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename deployments/{aws_node.yaml => aws_java.yaml} (98%)
diff --git a/deployments/aws_node.yaml b/deployments/aws_java.yaml
similarity index 98%
rename from deployments/aws_node.yaml
rename to deployments/aws_java.yaml
index 0c789fa541..267d3cb7bd 100644
--- a/deployments/aws_node.yaml
+++ b/deployments/aws_java.yaml
@@ -78,4 +78,4 @@ jobs:
 ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA
 ./kustomize build . | kubectl apply -f -
 kubectl rollout status deployment/$DEPLOYMENT_NAME
- kubectl get services -o wide
\ No newline at end of file
+ kubectl get services -o wide
From 41027f9cb5d57b442d39278c6618552596e2969a Mon Sep 17 00:00:00 2001
From: Bishal Prasad
Date: Fri, 22 Oct 2021 16:08:40 +0530
Subject: [PATCH 126/844] Update aws_dockerfile.properties.json
---
deployments/properties/aws_dockerfile.properties.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/deployments/properties/aws_dockerfile.properties.json b/deployments/properties/aws_dockerfile.properties.json
index e22ba4607f..dc886aee9a 100644
--- a/deployments/properties/aws_dockerfile.properties.json
+++ b/deployments/properties/aws_dockerfile.properties.json
@@ -1,7 +1,7 @@
 {
 "name": "[Specific Docker] Deploy dockerfile to Amazon EKS",
- "description": "Deploy a container to an Amazon ECS.",
+ "description": "Deploy a container to an Amazon EKS.",
 "creator": "Amazon Web Services",
 "iconName": "aws",
 "categories": ["Deployment", "Dockerfile"]
-}
\ No newline at end of file
+}
From 34a94290c1c9302a04c793a6e3493e69855a9c01 Mon Sep 17 00:00:00 2001
From: Bishal Prasad
Date: Fri, 22 Oct 2021 16:10:51 +0530
Subject: [PATCH 127/844] Update aws_java.properties.json
---
deployments/properties/aws_java.properties.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deployments/properties/aws_java.properties.json b/deployments/properties/aws_java.properties.json
index dd932f01b8..070837bac2 100644
--- a/deployments/properties/aws_java.properties.json
+++ b/deployments/properties/aws_java.properties.json
@@ -1,6 +1,6 @@
 {
 "name": "[Specific Node]Deploy to Amazon ECS",
- "description": "Deploy a Java app to Amazon ECS service powered by AWS Fargate or Amazon EC2.",
+ "description": "Deploy a Node app to Amazon ECS service powered by AWS Fargate or Amazon EC2.",
 "creator": "Amazon Web Services",
 "iconName": "aws",
 "categories": ["Deployment", "JavaScript", "npm"]
From 2b39072b92cca434b145494f409ae8b72be3cac3 Mon Sep 17 00:00:00 2001
From: Bishal Prasad
Date: Fri, 22 Oct 2021 16:11:39 +0530
Subject: [PATCH 128/844] Rename aws_java.properties.json to aws_node.properties.json
---
.../{aws_java.properties.json => aws_node.properties.json} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename deployments/properties/{aws_java.properties.json => aws_node.properties.json} (100%)
diff --git a/deployments/properties/aws_java.properties.json b/deployments/properties/aws_node.properties.json
similarity index 100%
rename from deployments/properties/aws_java.properties.json
rename to deployments/properties/aws_node.properties.json
From 7b8fcf2d84798a1106efc90dcef79ed5fc0411a7 Mon Sep 17 00:00:00 2001
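Review bot: The new description `"Deploy a Node app to Amazon ECS service powered by AWS Fargate or Amazon EC2."` in the aws_java.properties.json hunk does not describe the workflow this metadata labels: the aws_node/aws_java workflow renamed in [PATCH 125/844] just above still ends with `./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA` and `kubectl rollout status deployment/$DEPLOYMENT_NAME`, which is the tail of the GKE starter template, and its old blob id matches the GKE copies deleted elsewhere on this page. Someone picking "Deploy to Amazon ECS" from this metadata would presumably get a workflow that authenticates with `GKE_SA_KEY` and pushes to Google Container Registry, so the `name` and `description` should either be marked as placeholders or the workflow body replaced with an actual ECS deployment before the entry is published. The aws_dockerfile.properties.json hunk at the top of this line ("Deploy a container to an Amazon EKS.") has the same mismatch if its workflow is the same template, which the chunk does not show.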
From: Bishal Prasad
Date: Fri, 22 Oct 2021 16:11:57 +0530
Subject: [PATCH 129/844] Rename aws_java.yaml to aws_node.yaml
---
deployments/{aws_java.yaml => aws_node.yaml} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename deployments/{aws_java.yaml => aws_node.yaml} (100%)
diff --git a/deployments/aws_java.yaml b/deployments/aws_node.yaml
similarity index 100%
rename from deployments/aws_java.yaml
rename to deployments/aws_node.yaml
From 4abed744e3963827eba227a342798d3526e9acc3 Mon Sep 17 00:00:00 2001
From: Bishal Prasad
Date: Fri, 22 Oct 2021 16:12:34 +0530
Subject: [PATCH 130/844] Update azure_docker.properties.json
---
deployments/properties/azure_docker.properties.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deployments/properties/azure_docker.properties.json b/deployments/properties/azure_docker.properties.json
index 2b7babf2d7..840dcea46a 100644
--- a/deployments/properties/azure_docker.properties.json
+++ b/deployments/properties/azure_docker.properties.json
@@ -1,6 +1,6 @@
 {
 "name": "[Specific Docker] Deploy dockerfile to AKS",
- "description": "Build a Node.js project and deploy it to AKS.",
+ "description": "Build a dockerfile project and deploy it to AKS.",
 "creator": "Microsoft Azure",
 "iconName": "azure",
 "categories": ["Deployment", "Dockerfile"]
From cd0b591526109d7aca2799ff3815105df7315544 Mon Sep 17 00:00:00 2001
From: Bishal Prasad
Date: Fri, 22 Oct 2021 16:13:36 +0530
Subject: [PATCH 131/844] Update google_python.properties.json
---
deployments/properties/google_python.properties.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/deployments/properties/google_python.properties.json b/deployments/properties/google_python.properties.json
index 21c631f02b..31e5e4f3e3 100644
--- a/deployments/properties/google_python.properties.json
+++ b/deployments/properties/google_python.properties.json
@@ -1,7 +1,7 @@
 {
 "name": "[Specific Python] Build and Deploy to GCE",
- "description": "Build a docker container, publish it to Google compute engine.",
+ "description": "Build and deploy a python application to Google compute engine.",
 "creator": "Google Cloud",
 "iconName": "googlegke",
 "categories": ["Deployment", "Python"]
-}
\ No newline at end of file
+}
From 39293c24520b95f8e8d17bdfd4325f71a1bc0498 Mon Sep 17 00:00:00 2001
From: Ashwin Sangem
Date: Fri, 22 Oct 2021 16:24:02 +0530
Subject: [PATCH 132/844] Deleting gcp dummy templates. (#1186)
---
deployments/google_java.yaml | 81 -------------------
deployments/google_python.yml | 81 -------------------
.../properties/google_java.properties.json | 7 --
.../properties/google_python.properties.json | 7 --
4 files changed, 176 deletions(-)
delete mode 100644 deployments/google_java.yaml
delete mode 100644 deployments/google_python.yml
delete mode 100644 deployments/properties/google_java.properties.json
delete mode 100644 deployments/properties/google_python.properties.json
diff --git a/deployments/google_java.yaml b/deployments/google_java.yaml
deleted file mode 100644
index 0c789fa541..0000000000
--- a/deployments/google_java.yaml
+++ /dev/null
@@ -1,81 +0,0 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. -# -# To configure this workflow: -# -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. -# -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). -# -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). -# -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke - -name: Build and Deploy to GKE - -on: - push: - branches: - - $default-branch - -env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - IMAGE: static-site - -jobs: - setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v2 - - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v0.2.0 - with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker - - # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v0.2.1 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY 
}} - - # Build the Docker image - - name: Build - run: |- - docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - - # Push the Docker image to Google Container Registry - - name: Publish - run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide \ No newline at end of file diff --git a/deployments/google_python.yml b/deployments/google_python.yml deleted file mode 100644 index 0c789fa541..0000000000 --- a/deployments/google_python.yml +++ /dev/null 
@@ -1,81 +0,0 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. -# -# To configure this workflow: -# -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. -# -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). -# -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). -# -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke - -name: Build and Deploy to GKE - -on: - push: - branches: - - $default-branch - -env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - IMAGE: static-site - -jobs: - setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v2 - - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v0.2.0 - with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker - - # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v0.2.1 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY 
}} - - # Build the Docker image - - name: Build - run: |- - docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - - # Push the Docker image to Google Container Registry - - name: Publish - run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide \ No newline at end of file diff --git a/deployments/properties/google_java.properties.json b/deployments/properties/google_java.properties.json deleted file mode 100644 index 0a87690efc..0000000000 --- a/deployments/properties/google_java.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "[Specific Java] Build and Deploy Java to GCE", - "description": "Build and deploy Java application to Google Compute engine.", - "creator": "Google Cloud", - "iconName": "googlegke", - "categories": ["Deployment", "Java"] -} diff --git a/deployments/properties/google_python.properties.json b/deployments/properties/google_python.properties.json deleted file mode 100644 index 31e5e4f3e3..0000000000 --- a/deployments/properties/google_python.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "[Specific Python] Build and Deploy to GCE", - "description": "Build and deploy a python application to Google compute engine.", - "creator": "Google Cloud", - "iconName": "googlegke", - "categories": ["Deployment", "Python"] -} From 27ebc235eed1c6b89291b0a5b8a787321620aab8 Mon Sep 17 00:00:00 2001 
From: Simona Cotin Date: Fri, 22 Oct 2021 13:00:26 +0200 Subject: [PATCH 133/844] Add partner templates for Azure Static Web Apps --- deployments/azure-staticwebapp.yml | 64 +++++++++++++++++++ .../azure-staticwebapp.properties.json | 7 ++ icons/azure-staticwebapp.svg | 17 +++++ 3 files changed, 88 insertions(+) create mode 100644 deployments/azure-staticwebapp.yml create mode 100644 deployments/properties/azure-staticwebapp.properties.json create mode 100644 icons/azure-staticwebapp.svg diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml new file mode 100644 index 0000000000..d170d57387 --- /dev/null +++ b/deployments/azure-staticwebapp.yml 
@@ -0,0 +1,64 @@ +# This workflow will build and push a web application to an Azure Static Web App when you change your code. +# +# This workflow assumes you have already created the target Azure Static Web App. +# For instructions see https://docs.microsoft.com/azure/static-web-apps/get-started-portal?tabs=vanilla-javascript +# +# To configure this workflow: +# +# 1. Set up a secret in your repository named AZURE_STATIC_WEB_APPS_API_TOKEN with the value of your Static Web Apps deployment token. +# For instructions on obtaining the deployment token see: https://docs.microsoft.com/azure/static-web-apps/deployment-token-management +# +# 3. Change the values for the APP_LOCATION, API_LOCATION and APP_ARTIFACT_LOCATION, AZURE_STATIC_WEB_APPS_API_TOKEN environment variables (below). +# For instructions on setting up the appropriate configuration values go to https://docs.microsoft.com/azure/static-web-apps/front-end-frameworks +name: Deploy web app to Azure Static Web Apps + +on: + push: + branches: + - $default-branch + pull_request: + types: [opened, synchronize, reopened, closed] + branches: + - $default-branch + +# Environment variables available to all jobs and steps in this workflow +env: + APP_LOCATION: "/" # location of your client code + API_LOCATION: "api" # location of your api source code - optional + APP_ARTIFACT_LOCATION: "build" # location of client code build output + AZURE_STATIC_WEB_APPS_API_TOKEN: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing deployment token for your static web app + +jobs: + build_and_deploy_job: + if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed') + runs-on: ubuntu-latest + name: Build and Deploy Job + steps: + - uses: actions/checkout@v2 + with: + submodules: true + - name: Build And Deploy + id: builddeploy + uses: Azure/static-web-apps-deploy@v1 + with: + azure_static_web_apps_api_token: ${{ env.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing 
api token for app + repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for Github integrations (i.e. PR comments) + action: "upload" + ###### Repository/Build Configurations - These values can be configured to match you app requirements. ###### + # For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig + app_location: ${{ env.APP_LOCATION }} + api_location: ${{ env.API_LOCATION }} + app_artifact_location: ${{ env.APP_ARTIFACT_LOCATION }} + ###### End of Repository/Build Configurations ###### + + close_pull_request_job: + if: github.event_name == 'pull_request' && github.event.action == 'closed' + runs-on: ubuntu-latest + name: Close Pull Request Job + steps: + - name: Close Pull Request + id: closepullrequest + uses: Azure/static-web-apps-deploy@latest + with: + azure_static_web_apps_api_token: ${{ env.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing api token for app + action: "close" diff --git a/deployments/properties/azure-staticwebapp.properties.json b/deployments/properties/azure-staticwebapp.properties.json new file mode 100644 index 0000000000..8bc5f6a365 --- /dev/null +++ b/deployments/properties/azure-staticwebapp.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy web app to Azure Static Web Apps", + "description": "Build and deploy web application to an Azure Static Web App.", + "creator": "Microsoft Azure", + "iconName": "azure-staticwebapp", + "categories": ["Deployment", "React", "Angular", "Vue", "Svelte", "Gatsby", "Next", "Nuxt", "Jekyll"] +} \ No newline at end of file diff --git a/icons/azure-staticwebapp.svg b/icons/azure-staticwebapp.svg new file mode 100644 index 0000000000..327517d7e0 --- /dev/null +++ b/icons/azure-staticwebapp.svg @@ -0,0 +1,17 @@ + + + + + + + + + + + + + + + + + \ No newline at end of file From a702d187d139aa4b2f22db55a7bcd8fb5d796027 Mon Sep 17 00:00:00 2001 
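Review bot: The close_pull_request_job step uses `Azure/static-web-apps-deploy@latest` while the build job pins `Azure/static-web-apps-deploy@v1`; `latest` is a mutable tag, so the two jobs can run different action code and a tag move lands in every consumer's workflow unreviewed — use the same pinned reference, `uses: Azure/static-web-apps-deploy@v1`, in both jobs. The deployment token is also copied into the workflow-level `env` block, which exposes it to every step of both jobs rather than only to the deploy action; passing `azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }}` directly in each `with:` block keeps it scoped to the two steps that need it. Because the action also receives `secrets.GITHUB_TOKEN` for PR comments, a top-level `permissions:` block declaring the minimum (for example `contents: read` and `pull-requests: write`) would stop the jobs from running with the repository's default token grants. The setup comment numbers its steps 1 and 3; the missing 2 reads as a dropped instruction.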
From: Jason Freeberg Date: Sun, 24 Oct 2021 21:37:36 -0700 Subject: [PATCH 134/844] Add workflow and properties file for PHP --- deployments/azure-webapps-php.yml | 64 +++++++++++++++++++ .../azure-webapps-php.properties.json | 7 ++ 2 files changed, 71 insertions(+) create mode 100644 deployments/azure-webapps-php.yml create mode 100644 deployments/properties/azure-webapps-php.properties.json diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml new file mode 100644 index 0000000000..261184beb6 --- /dev/null +++ b/deployments/azure-webapps-php.yml 
@@ -0,0 +1,64 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# More GitHub Actions for Azure: https://github.com/Azure/actions + +name: Build and deploy PHP app to Azure Web App - __sitename__ + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to your application's name + AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root + NODE_VERSION: '10.x' # set this to the PHP version to use + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Setup PHP + uses: shivammathur/setup-php@v2 + with: + php-version: ${{ env.NODE_VERSION }} + + - name: Check if composer.json exists + id: check_files + uses: andstor/file-existence-action@v1 + with: + files: 'composer.json' + + - name: Run composer install if composer.json exists + if: steps.check_files.outputs.files_exists == 'true' + run: composer validate --no-check-publish && composer install --prefer-dist --no-progress + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v2 + with: + name: php-app + path: . + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Production' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: php-app + + - name: 'Deploy to Azure Web App' + uses: azure/webapps-deploy@v2 + id: deploy-to-webapp + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: . diff --git a/deployments/properties/azure-webapps-php.properties.json b/deployments/properties/azure-webapps-php.properties.json new file mode 100644 index 0000000000..42fd72404f --- /dev/null +++ b/deployments/properties/azure-webapps-php.properties.json 
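Review bot: The env entry `NODE_VERSION: '10.x' # set this to the PHP version to use` is what the Setup PHP step passes as `php-version`, so the variable name, its value and its comment disagree — '10.x' is a Node.js version, not a PHP release, and setup-php is unlikely to resolve it; rename it to `PHP_VERSION: '8.0' # set this to the PHP version to use` (value illustrative) and reference `${{ env.PHP_VERSION }}` in the Setup PHP step. The workflow `name` still carries the `__sitename__` placeholder, and the upload step's `path: .` publishes the whole checkout as a build artifact, which presumably includes the `.git` directory and any files not meant to reach the web app; narrowing the path or excluding `.git` would keep the artifact to the deployable tree. Neither job declares `permissions:`, so both run with the repository's default token grants; as written, a top-level `permissions: contents: read` should be sufficient.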
@@ -0,0 +1,7 @@ +{ + "name": "Deploy a PHP app to an Azure Web App", + "description": "Build a PHP app and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment"] +} \ No newline at end of file From 704eb638ced8cd324890dcf8b1cbe0e21498e65c Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Sun, 24 Oct 2021 21:45:21 -0700 Subject: [PATCH 135/844] Updates from PR review --- deployments/azure-webapps-container.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 2 +- deployments/azure-webapps-java-jar.yml | 2 +- deployments/azure-webapps-node.yml | 2 +- deployments/azure-webapps-php.yml | 8 ++++---- deployments/azure-webapps-python.yml | 9 ++++----- .../properties/azure-webapps-container.properties.json | 4 ++-- ...ps-donet-core.json => azure-webapps-dotnet-core.json} | 4 ++-- .../properties/azure-webapps-java-jar.properties.json | 4 ++-- .../properties/azure-webapps-node.properties.json | 4 ++-- deployments/properties/azure-webapps-php.properties.json | 4 ++-- .../properties/azure-webapps-python.properties.json | 4 ++-- 12 files changed, 24 insertions(+), 25 deletions(-) rename deployments/properties/{azure-webapps-donet-core.json => azure-webapps-dotnet-core.json} (78%) diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-webapps-container.yml index b9dab0d1c0..e2dec9835b 100644 --- a/deployments/azure-webapps-container.yml +++ b/deployments/azure-webapps-container.yml @@ -43,7 +43,7 @@ jobs: runs-on: ubuntu-latest needs: build environment: - name: 'Production' + name: 'Development' url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} steps: diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 532efc4684..99489691fd 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml 
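Review bot: The deploy job's environment is renamed from 'Production' to 'Development' here and in the dotnet-core, java-jar, node, php and python hunks that follow, but nothing in the templates tells a user what the name is for; since `AZURE_WEBAPP_PUBLISH_PROFILE` is a deployment credential, a short comment above `environment:` such as `# Store AZURE_WEBAPP_PUBLISH_PROFILE as an environment secret so only this job can read it` would point users at the least-privilege setup the environment enables. The java-jar hunk also changes a bare `Production` to a quoted `'Development'`, bringing it in line with the other files. The enclosing deploy job starts and ends outside these hunks.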
@@ -41,7 +41,7 @@ jobs: runs-on: ubuntu-latest needs: build environment: - name: 'Production' + name: 'Development' url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} steps: diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index ae1cb87eb1..a46026d3fd 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -38,7 +38,7 @@ jobs: runs-on: ubuntu-latest needs: build environment: - name: Production + name: 'Development' url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} steps: diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index ab144ba8d7..f3221c215b 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -51,7 +51,7 @@ jobs: runs-on: ubuntu-latest needs: build environment: - name: 'Production' + name: 'Development' url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} steps: diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 261184beb6..936e0db81a 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -46,7 +46,7 @@ jobs: runs-on: ubuntu-latest needs: build environment: - name: 'Production' + name: 'Development' url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} steps: @@ -59,6 +59,6 @@ jobs: uses: azure/webapps-deploy@v2 id: deploy-to-webapp with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: . + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: . diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index a934a02e8d..c4ba186db4 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml 
@@ -2,11 +2,11 @@ # More GitHub Actions for Azure: https://github.com/Azure/actions # More info on Python, GitHub Actions, and Azure App Service: https://aka.ms/python-webapps-actions -name: Build and deploy Python app to Azure Web App - __sitename__ +name: Build and deploy Python app to Azure Web App env: AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App - PYTHON_VERSION: '11' # set this to the Python version to use + PYTHON_VERSION: '3.8' # set this to the Python version to use on: push: @@ -48,7 +48,7 @@ jobs: runs-on: ubuntu-latest needs: build environment: - name: '__slotname__' + name: 'Development' url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} steps: @@ -62,6 +62,5 @@ jobs: uses: azure/webapps-deploy@v2 id: deploy-to-webapp with: - app-name: '__sitename__' - slot-name: '__slotname__' + app-name: ${{ env.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} diff --git a/deployments/properties/azure-webapps-container.properties.json b/deployments/properties/azure-webapps-container.properties.json index 1335e3ac3e..fcd62b2b4e 100644 --- a/deployments/properties/azure-webapps-container.properties.json +++ b/deployments/properties/azure-webapps-container.properties.json @@ -3,5 +3,5 @@ "description": "Build a container and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment"] -} \ No newline at end of file + "categories": ["Deployment", "Dockerfile"] +} diff --git a/deployments/properties/azure-webapps-donet-core.json b/deployments/properties/azure-webapps-dotnet-core.json similarity index 78% rename from deployments/properties/azure-webapps-donet-core.json rename to deployments/properties/azure-webapps-dotnet-core.json index 3ac2f8cd3c..9074a2ac77 100644 --- a/deployments/properties/azure-webapps-donet-core.json +++ b/deployments/properties/azure-webapps-dotnet-core.json 
@@ -3,5 +3,5 @@ "description": "Build a .NET Core project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment"] -} \ No newline at end of file + "categories": ["Deployment", "C#", "dotNetCore"] +} diff --git a/deployments/properties/azure-webapps-java-jar.properties.json b/deployments/properties/azure-webapps-java-jar.properties.json index f2418fafc8..6654463569 100644 --- a/deployments/properties/azure-webapps-java-jar.properties.json +++ b/deployments/properties/azure-webapps-java-jar.properties.json @@ -3,5 +3,5 @@ "description": "Build a Java project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment"] -} \ No newline at end of file + "categories": ["Deployment", "Java"] +} diff --git a/deployments/properties/azure-webapps-node.properties.json b/deployments/properties/azure-webapps-node.properties.json index 362d5d13b5..f24fd0446a 100644 --- a/deployments/properties/azure-webapps-node.properties.json +++ b/deployments/properties/azure-webapps-node.properties.json @@ -3,5 +3,5 @@ "description": "Build a Node.js project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment"] -} \ No newline at end of file + "categories": ["Deployment", "Node"] +} diff --git a/deployments/properties/azure-webapps-php.properties.json b/deployments/properties/azure-webapps-php.properties.json index 42fd72404f..48554def48 100644 --- a/deployments/properties/azure-webapps-php.properties.json +++ b/deployments/properties/azure-webapps-php.properties.json @@ -3,5 +3,5 @@ "description": "Build a PHP app and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment"] -} \ No newline at end of file + "categories": ["Deployment", "PHP"] +} 
diff --git a/deployments/properties/azure-webapps-python.properties.json b/deployments/properties/azure-webapps-python.properties.json index f7498488ad..73f0cf5fbc 100644 --- a/deployments/properties/azure-webapps-python.properties.json +++ b/deployments/properties/azure-webapps-python.properties.json @@ -3,5 +3,5 @@ "description": "Build a Python app and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment"] -} \ No newline at end of file + "categories": ["Deployment", "Python"] +} From b5113430d97e147627681b7acb9e8799b18338b0 Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Sun, 24 Oct 2021 21:46:13 -0700 Subject: [PATCH 136/844] Fix EOF --- deployments/azure-webapps-container.yml | 2 +- deployments/azure-webapps-java-jar.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-webapps-container.yml index e2dec9835b..66c49d841e 100644 --- a/deployments/azure-webapps-container.yml +++ b/deployments/azure-webapps-container.yml @@ -56,4 +56,4 @@ jobs: with: app-name: ${{ env.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}' \ No newline at end of file + images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}' diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index a46026d3fd..8e4f5fb029 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -53,4 +53,4 @@ jobs: with: app-name: ${{ env.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: '*.jar' \ No newline at end of file + package: '*.jar' From c78dd727e93078bf584efad509341f4758d7ad5a Mon Sep 17 00:00:00 2001 
From: Jason Freeberg Date: Sun, 24 Oct 2021 21:47:00 -0700 Subject: [PATCH 137/844] Use latest versions --- deployments/azure-webapps-java-jar.yml | 2 +- deployments/azure-webapps-python.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 8e4f5fb029..45ec6f87b4 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -21,7 +21,7 @@ jobs: - uses: actions/checkout@v2 - name: Set up Java version - uses: actions/setup-java@v1 + uses: actions/setup-java@v2.3.1 with: java-version: ${{ env.JAVA_VERSION }} diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index c4ba186db4..7ad005e09e 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -22,7 +22,7 @@ jobs: - uses: actions/checkout@v2 - name: Set up Python version - uses: actions/setup-python@v1 + uses: actions/setup-python@v2.2.2 with: python-version: ${{ env.PYTHON_VERSION }} From 87a12c3391c7e723a2a49fd712ae8407d8c457dd Mon Sep 17 00:00:00 2001 
From: Ashwin Sangem Date: Mon, 25 Oct 2021 19:30:04 +0530 Subject: [PATCH 138/844] Undo bug bash changes and Sync with the main branch (#1193) * Added Cloudrail according to instructions and existing examples * Adding Cloudrail according to documentation and examples * Oops * Add original Fortify on Demand workflow * Update Fortify on Demand workflow * Update Fortify on Demand supported languages * Add 3rd-party GitHub Actions disclaimer * Sysdig Secure Inline Scan with SARIF report to starter workflows * Added some extra comments, Github Actions V2 and changed env vars * Reviews from PR #1110 * Adding 'Dockerfile' to category list * Update according to PR review comments * File renames as requested in PR comments * Revert "Azure Data Factory CI starter workflow (#1111)" (#1146) This reverts commit 7f30309ccedb0e3dee186e0ee58c232752a78e24. * use env variables for user-set values (#1117) Co-authored-by: Josh Gross * Apply suggestions from nickfyson's code review Co-authored-by: Nick Fyson * removing "deployment" templates from sync-ghes (#1127) * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Changed svg logo * Rename sysdig.svg to sysdig-scan.svg * Switched svg logo (again) for a better fit * Rename fortify.json to fortify.properties.json * Correct character-case of "c" in Cloudrail * AWS template also used Docker * trigger on push instead of release (#1157) Co-authored-by: Josh Gross * Added new templates for 3 clouds. * Revert "Added new templates for 3 clouds." This reverts commit c765d6316fb380d15d81206ede83b0042cdac377. * Add workflow for Microsoft C++ Code Analysis * Updated action to meet guidelines * correct typo in msvc.properties.json * Removed the dummy templates used in bug_bash. 
Co-authored-by: Yoni Leitersdorf Co-authored-by: Ruud Senden Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com> Co-authored-by: Manuel Boira Cuevas Co-authored-by: manuelbcd Co-authored-by: Nick Fyson Co-authored-by: Sarah Edwards Co-authored-by: Josh Gross Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Co-authored-by: manuelbcd Co-authored-by: Daniel Winsor --- deployments/aws_docker.yaml | 81 ------------------- deployments/aws_node.yaml | 81 ------------------- deployments/azure_docker.yaml | 81 ------------------- .../properties/aws_dockerfile.properties.json | 7 -- .../properties/aws_node.properties.json | 7 -- .../properties/azure_docker.properties.json | 7 -- 6 files changed, 264 deletions(-) delete mode 100644 deployments/aws_docker.yaml delete mode 100644 deployments/aws_node.yaml delete mode 100644 deployments/azure_docker.yaml delete mode 100644 deployments/properties/aws_dockerfile.properties.json delete mode 100644 deployments/properties/aws_node.properties.json delete mode 100644 deployments/properties/azure_docker.properties.json diff --git a/deployments/aws_docker.yaml b/deployments/aws_docker.yaml deleted file mode 100644 index 0c789fa541..0000000000 --- a/deployments/aws_docker.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. -# -# To configure this workflow: -# -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. -# -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). -# -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). -# -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke - -name: Build and Deploy to GKE - -on: - push: - branches: - - $default-branch - -env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - IMAGE: static-site - -jobs: - setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v2 - - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v0.2.0 - with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker - - # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v0.2.1 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY 
}} - - # Build the Docker image - - name: Build - run: |- - docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - - # Push the Docker image to Google Container Registry - - name: Publish - run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide \ No newline at end of file diff --git a/deployments/aws_node.yaml b/deployments/aws_node.yaml deleted file mode 100644 index 267d3cb7bd..0000000000 --- a/deployments/aws_node.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. -# -# To configure this workflow: -# -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. -# -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). -# -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). -# -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke - -name: Build and Deploy to GKE - -on: - push: - branches: - - $default-branch - -env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - IMAGE: static-site - -jobs: - setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v2 - - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v0.2.0 - with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker - - # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v0.2.1 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY 
}} - - # Build the Docker image - - name: Build - run: |- - docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - - # Push the Docker image to Google Container Registry - - name: Publish - run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide diff --git a/deployments/azure_docker.yaml b/deployments/azure_docker.yaml deleted file mode 100644 index 0c789fa541..0000000000 --- a/deployments/azure_docker.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. -# -# To configure this workflow: -# -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. -# -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). -# -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). -# -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke - -name: Build and Deploy to GKE - -on: - push: - branches: - - $default-branch - -env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - IMAGE: static-site - -jobs: - setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v2 - - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v0.2.0 - with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker - - # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v0.2.1 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY 
}} - - # Build the Docker image - - name: Build - run: |- - docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - - # Push the Docker image to Google Container Registry - - name: Publish - run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide \ No newline at end of file diff --git a/deployments/properties/aws_dockerfile.properties.json b/deployments/properties/aws_dockerfile.properties.json deleted file mode 100644 index dc886aee9a..0000000000 --- a/deployments/properties/aws_dockerfile.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "[Specific Docker] Deploy dockerfile to Amazon EKS", - "description": "Deploy a container to an Amazon EKS.", - "creator": "Amazon Web Services", - "iconName": "aws", - "categories": ["Deployment", "Dockerfile"] -} diff --git a/deployments/properties/aws_node.properties.json b/deployments/properties/aws_node.properties.json deleted file mode 100644 index 070837bac2..0000000000 --- a/deployments/properties/aws_node.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "[Specific Node]Deploy to Amazon ECS", - "description": "Deploy a Node app to Amazon ECS service powered by AWS Fargate or Amazon EC2.", - "creator": "Amazon Web Services", - "iconName": "aws", - "categories": ["Deployment", "JavaScript", "npm"] -} 
diff --git a/deployments/properties/azure_docker.properties.json b/deployments/properties/azure_docker.properties.json
deleted file mode 100644
index 840dcea46a..0000000000
--- a/deployments/properties/azure_docker.properties.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "name": "[Specific Docker] Deploy dockerfile to AKS",
- "description": "Build a dockerfile project and deploy it to AKS.",
- "creator": "Microsoft Azure",
- "iconName": "azure",
- "categories": ["Deployment", "Dockerfile"]
-}
From 9ce2a5b56fdbf317dc8c33602b79858e9ecd8077 Mon Sep 17 00:00:00 2001
From: Ashwin Sangem Date: Mon, 25 Oct 2021 21:16:06 +0530 Subject: [PATCH 139/844] Dummy azure templates for showcasing the CD Ordering Behavior (#1194) * Rename "azure.yml" to Node-specific name * Add templates and properties for other languages * Add workflow for .NET Core * Add workflow and properties file for PHP * Updates from PR review * Fix EOF * Use latest versions * Renamed the file appropriately. Co-authored-by: Jason Freeberg --- deployments/dummy-azure-webapps-container.yml | 59 +++++++++++++++++ .../dummy-azure-webapps-dotnet-core.yml | 59 +++++++++++++++++ deployments/dummy-azure-webapps-java-jar.yml | 56 ++++++++++++++++ ...azure.yml => dummy-azure-webapps-node.yml} | 30 +++++++-- deployments/dummy-azure-webapps-php.yml | 64 ++++++++++++++++++ deployments/dummy-azure-webapps-python.yml | 66 +++++++++++++++++++ ...my-azure-webapps-container.properties.json | 7 ++ ...-azure-webapps-dotnet-core.properties.json | 7 ++ ...mmy-azure-webapps-java-jar.properties.json | 7 ++ ... dummy-azure-webapps-node.properties.json} | 2 +- .../dummy-azure-webapps-php.properties.json | 7 ++ ...dummy-azure-webapps-python.properties.json | 7 ++ 12 files changed, 364 insertions(+), 7 deletions(-) create mode 100644 deployments/dummy-azure-webapps-container.yml create mode 100644 deployments/dummy-azure-webapps-dotnet-core.yml create mode 100644 deployments/dummy-azure-webapps-java-jar.yml rename deployments/{azure.yml => dummy-azure-webapps-node.yml} (82%) create mode 100644 deployments/dummy-azure-webapps-php.yml create mode 100644 deployments/dummy-azure-webapps-python.yml create mode 100644 deployments/properties/dummy-azure-webapps-container.properties.json create mode 100644 deployments/properties/dummy-azure-webapps-dotnet-core.properties.json create mode 100644 deployments/properties/dummy-azure-webapps-java-jar.properties.json rename deployments/properties/{azure.properties.json => dummy-azure-webapps-node.properties.json} (73%) create mode 100644 
deployments/properties/dummy-azure-webapps-php.properties.json
create mode 100644 deployments/properties/dummy-azure-webapps-python.properties.json
diff --git a/deployments/dummy-azure-webapps-container.yml b/deployments/dummy-azure-webapps-container.yml
new file mode 100644
index 0000000000..66c49d841e
--- /dev/null
+++ b/deployments/dummy-azure-webapps-container.yml
@@ -0,0 +1,59 @@
+# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy
+# More GitHub Actions for Azure: https://github.com/Azure/actions
+
+name: Build and deploy a container to an Azure Web App
+
+env:
+ AZURE_WEBAPP_NAME: '' # set this to the name of your Azure Web App
+
+on:
+ push:
+ branches:
+ - $default-branch
+ workflow_dispatch:
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+
+ - name: Log in to GitHub container registry
+ uses: docker/login-action@v1
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Lowercase the repo name
+ run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
+
+ - name: Build and push container image to registry
+ uses: docker/build-push-action@v2
+ with:
+ push: true
+ tags: ghcr.io/${{ env.REPO }}:${{ github.sha }}
+ file: ./Dockerfile
+
+ deploy:
+ runs-on: ubuntu-latest
+ needs: build
+ environment:
+ name: 'Development'
+ url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
+
+ steps:
+ - name: Lowercase the repo name
+ run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
+
+ - name: Deploy to Azure Web App
+ id: deploy-to-webapp
+ uses: azure/webapps-deploy@v2
+ with:
+ app-name: ${{ env.AZURE_WEBAPP_NAME }}
+ publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
+ images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}'
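Review bot: The build job logs in to ghcr.io with `secrets.GITHUB_TOKEN` and pushes an image, yet neither the workflow nor the job declares a `permissions:` block, so the push depends on whatever default token scope the repository happens to grant; a least-privilege template should declare `permissions:` with `contents: read` and `packages: write` on the `build` job, with the `deploy` job needing only `contents: read` (the same omission applies to the dotnet-core, java-jar, php and python templates in this commit). `AZURE_WEBAPP_NAME: ''` also differs from the sibling templates, which use the `your-app-name` placeholder; an empty app name fails at deploy time with a less obvious error than an unreplaced placeholder does. Consider `AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App` for consistency.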
diff --git a/deployments/dummy-azure-webapps-dotnet-core.yml b/deployments/dummy-azure-webapps-dotnet-core.yml
new file mode 100644
index 0000000000..99489691fd
--- /dev/null
+++ b/deployments/dummy-azure-webapps-dotnet-core.yml
@@ -0,0 +1,59 @@
+# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy
+# More GitHub Actions for Azure: https://github.com/Azure/actions
+
+name: Build and deploy ASP.Net Core app to an Azure Web App
+
+env:
+ AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App
+ DOTNET_VERSION: '5' # set this to the .NET Core version to use
+
+on:
+ push:
+ branches:
+ - $default-branch
+ workflow_dispatch:
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Set up .NET Core
+ uses: actions/setup-dotnet@v1
+ with:
+ dotnet-version: ${{ env.DOTNET_VERSION }}
+
+ - name: Build with dotnet
+ run: dotnet build --configuration Release
+
+ - name: dotnet publish
+ run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp
+
+ - name: Upload artifact for deployment job
+ uses: actions/upload-artifact@v2
+ with:
+ name: .net-app
+ path: ${{env.DOTNET_ROOT}}/myapp
+
+ deploy:
+ runs-on: ubuntu-latest
+ needs: build
+ environment:
+ name: 'Development'
+ url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
+
+ steps:
+ - name: Download artifact from build job
+ uses: actions/download-artifact@v2
+ with:
+ name: .net-app
+
+ - name: Deploy to Azure Web App
+ id: deploy-to-webapp
+ uses: azure/webapps-deploy@v2
+ with:
+ app-name: ${{ env.AZURE_WEBAPP_NAME }}
+ publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
+ package: .
diff --git a/deployments/dummy-azure-webapps-java-jar.yml b/deployments/dummy-azure-webapps-java-jar.yml
new file mode 100644
index 0000000000..45ec6f87b4
--- /dev/null
+++ b/deployments/dummy-azure-webapps-java-jar.yml
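Review bot: `dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp` writes the publish output into the .NET install root rather than the workspace, and the upload step reads it back from the same place; on a self-hosted runner that directory outlives the job, and it is not where a reader expects build output to live. Using `${{ github.workspace }}/myapp` (or `${{ runner.temp }}/myapp`) in both the publish and the upload-artifact step keeps the output inside the job's own tree. The expression spacing is also inconsistent (`${{env.DOTNET_ROOT}}` here versus `${{ env.DOTNET_VERSION }}` a few lines above) and is worth normalising while touching these lines.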
@@ -0,0 +1,56 @@
+# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy
+# More GitHub Actions for Azure: https://github.com/Azure/actions
+
+name: Build and deploy JAR app to Azure Web App
+
+env:
+ AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App
+ JAVA_VERSION: '11' # set this to the Java version to use
+
+on:
+ push:
+ branches:
+ - $default-branch
+ workflow_dispatch:
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Set up Java version
+ uses: actions/setup-java@v2.3.1
+ with:
+ java-version: ${{ env.JAVA_VERSION }}
+
+ - name: Build with Maven
+ run: mvn clean install
+
+ - name: Upload artifact for deployment job
+ uses: actions/upload-artifact@v2
+ with:
+ name: java-app
+ path: '${{ github.workspace }}/target/*.jar'
+
+ deploy:
+ runs-on: ubuntu-latest
+ needs: build
+ environment:
+ name: 'Development'
+ url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
+
+ steps:
+ - name: Download artifact from build job
+ uses: actions/download-artifact@v2
+ with:
+ name: java-app
+
+ - name: Deploy to Azure Web App
+ id: deploy-to-webapp
+ uses: azure/webapps-deploy@v2
+ with:
+ app-name: ${{ env.AZURE_WEBAPP_NAME }}
+ publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
+ package: '*.jar'
diff --git a/deployments/azure.yml b/deployments/dummy-azure-webapps-node.yml
similarity index 82%
rename from deployments/azure.yml
rename to deployments/dummy-azure-webapps-node.yml
index 904ff2545c..62f7a8f45f 100644
--- a/deployments/azure.yml
+++ b/deployments/dummy-azure-webapps-node.yml
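Review bot: `actions/setup-java@v2.3.1` requires the `distribution` input (the v2 line of setup-java made it mandatory), and the `with:` block in the "Set up Java version" step supplies only `java-version`, so the step should fail before Maven ever runs. Add a distribution next to the version, e.g. `distribution: 'temurin'` under `with:`, and consider surfacing it as an `env:` entry alongside `JAVA_VERSION` so users change both in one place. `mvn clean install` also runs the full test suite and installs into the local repository; `mvn --batch-mode package` would be the leaner choice for producing the jar, mirroring the `--batch-mode` form used in ci/maven.yml earlier on this page.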
@@ -26,23 +26,41 @@ env: NODE_VERSION: '10.x' # set this to the node version to use jobs: - build-and-deploy: - name: Build and Deploy + build: runs-on: ubuntu-latest - environment: production steps: - uses: actions/checkout@v2 - - name: Use Node.js ${{ env.NODE_VERSION }} + + - name: Set up Node.js uses: actions/setup-node@v2 with: node-version: ${{ env.NODE_VERSION }} + - name: npm install, build, and test run: | - # Build and test the project, then - # deploy to Azure Web App. npm install npm run build --if-present npm run test --if-present + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v2 + with: + name: node-app + path: . + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: node-app + - name: 'Deploy to Azure WebApp' uses: azure/webapps-deploy@v2 with: diff --git a/deployments/dummy-azure-webapps-php.yml b/deployments/dummy-azure-webapps-php.yml new file mode 100644 index 0000000000..58627668ff --- /dev/null +++ b/deployments/dummy-azure-webapps-php.yml 
@@ -0,0 +1,64 @@
+# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy
+# More GitHub Actions for Azure: https://github.com/Azure/actions
+
+name: Build and deploy PHP app to Azure Web App
+
+on:
+ push:
+ branches:
+ - $default-branch
+ workflow_dispatch:
+
+env:
+ AZURE_WEBAPP_NAME: your-app-name # set this to your application's name
+ AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
+ PHP_VERSION: '10.x' # set this to the PHP version to use
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Setup PHP
+ uses: shivammathur/setup-php@v2
+ with:
+ php-version: ${{ env.PHP_VERSION }}
+
+ - name: Check if composer.json exists
+ id: check_files
+ uses: andstor/file-existence-action@v1
+ with:
+ files: 'composer.json'
+
+ - name: Run composer install if composer.json exists
+ if: steps.check_files.outputs.files_exists == 'true'
+ run: composer validate --no-check-publish && composer install --prefer-dist --no-progress
+
+ - name: Upload artifact for deployment job
+ uses: actions/upload-artifact@v2
+ with:
+ name: php-app
+ path: .
+
+ deploy:
+ runs-on: ubuntu-latest
+ needs: build
+ environment:
+ name: 'Development'
+ url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
+
+ steps:
+ - name: Download artifact from build job
+ uses: actions/download-artifact@v2
+ with:
+ name: php-app
+
+ - name: 'Deploy to Azure Web App'
+ uses: azure/webapps-deploy@v2
+ id: deploy-to-webapp
+ with:
+ app-name: ${{ env.AZURE_WEBAPP_NAME }}
+ publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
+ package: .
diff --git a/deployments/dummy-azure-webapps-python.yml b/deployments/dummy-azure-webapps-python.yml
new file mode 100644
index 0000000000..7ad005e09e
--- /dev/null
+++ b/deployments/dummy-azure-webapps-python.yml
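Review bot: `PHP_VERSION: '10.x'` is not a PHP release (it reads as a copy of the Node template's `NODE_VERSION: '10.x'`), so `shivammathur/setup-php` cannot resolve it and the build fails at the first real step; the placeholder should be an actual PHP version such as `PHP_VERSION: '8.0'`. `AZURE_WEBAPP_PACKAGE_PATH: '.'` is declared with a comment inviting users to change it, but the deploy step still hard-codes `package: .`, so the variable has no effect; use `package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }}` or drop the variable. Both third-party actions here (`shivammathur/setup-php@v2`, `andstor/file-existence-action@v1`) are referenced by mutable tags, whereas the mobsfscan change later on this page pins to a full commit SHA; for actions outside the `actions/` and `azure/` orgs a SHA pin with a version comment is the safer supply-chain posture for a template many repositories will copy.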
@@ -0,0 +1,66 @@
+# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy
+# More GitHub Actions for Azure: https://github.com/Azure/actions
+# More info on Python, GitHub Actions, and Azure App Service: https://aka.ms/python-webapps-actions
+
+name: Build and deploy Python app to Azure Web App
+
+env:
+ AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App
+ PYTHON_VERSION: '3.8' # set this to the Python version to use
+
+on:
+ push:
+ branches:
+ - $default-branch
+ workflow_dispatch:
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Set up Python version
+ uses: actions/setup-python@v2.2.2
+ with:
+ python-version: ${{ env.PYTHON_VERSION }}
+
+ - name: Create and start virtual environment
+ run: |
+ python -m venv venv
+ source venv/bin/activate
+
+ - name: Install dependencies
+ run: pip install -r requirements.txt
+
+ # Optional: Add step to run tests here (PyTest, Django test suites, etc.)
+
+ - name: Upload artifact for deployment jobs
+ uses: actions/upload-artifact@v2
+ with:
+ name: python-app
+ path: |
+ .
+ !venv/
+
+ deploy:
+ runs-on: ubuntu-latest
+ needs: build
+ environment:
+ name: 'Development'
+ url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
+
+ steps:
+ - name: Download artifact from build job
+ uses: actions/download-artifact@v2
+ with:
+ name: python-app
+ path: .
+
+ - name: 'Deploy to Azure Web App'
+ uses: azure/webapps-deploy@v2
+ id: deploy-to-webapp
+ with:
+ app-name: ${{ env.AZURE_WEBAPP_NAME }}
+ publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
diff --git a/deployments/properties/dummy-azure-webapps-container.properties.json b/deployments/properties/dummy-azure-webapps-container.properties.json
new file mode 100644
index 0000000000..fcd62b2b4e
--- /dev/null
+++ b/deployments/properties/dummy-azure-webapps-container.properties.json
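Review bot: `source venv/bin/activate` in the "Create and start virtual environment" step only affects that step's shell, so the following `pip install -r requirements.txt` runs against the runner's interpreter and the `venv` directory stays empty; every `run:` step starts a fresh shell. Either move the install into the same `run: |` block after the activation, or persist it with `echo "$PWD/venv/bin" >> $GITHUB_PATH` so later steps pick up the venv. Since the artifact excludes `venv/` anyway, dependencies are presumably installed again on the App Service side, in which case the venv steps are dead weight and could be removed; a one-line comment stating which of the two is intended would stop the next reader from "fixing" it the wrong way. The deploy step also omits `package:`, unlike the sibling templates that pass `package: .`; relying on the action's default is fine but worth a comment.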
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy a container to an Azure Web App",
+ "description": "Build a container and deploy it to an Azure Web App.",
+ "creator": "Microsoft Azure",
+ "iconName": "azure",
+ "categories": ["Deployment", "Dockerfile"]
+}
diff --git a/deployments/properties/dummy-azure-webapps-dotnet-core.properties.json b/deployments/properties/dummy-azure-webapps-dotnet-core.properties.json
new file mode 100644
index 0000000000..9074a2ac77
--- /dev/null
+++ b/deployments/properties/dummy-azure-webapps-dotnet-core.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy a .NET Core app to an Azure Web App",
+ "description": "Build a .NET Core project and deploy it to an Azure Web App.",
+ "creator": "Microsoft Azure",
+ "iconName": "azure",
+ "categories": ["Deployment", "C#", "dotNetCore"]
+}
diff --git a/deployments/properties/dummy-azure-webapps-java-jar.properties.json b/deployments/properties/dummy-azure-webapps-java-jar.properties.json
new file mode 100644
index 0000000000..6654463569
--- /dev/null
+++ b/deployments/properties/dummy-azure-webapps-java-jar.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy a Java .jar app to an Azure Web App",
+ "description": "Build a Java project and deploy it to an Azure Web App.",
+ "creator": "Microsoft Azure",
+ "iconName": "azure",
+ "categories": ["Deployment", "Java"]
+}
diff --git a/deployments/properties/azure.properties.json b/deployments/properties/dummy-azure-webapps-node.properties.json
similarity index 73%
rename from deployments/properties/azure.properties.json
rename to deployments/properties/dummy-azure-webapps-node.properties.json
index 90a371779a..905267edd4 100644
--- a/deployments/properties/azure.properties.json
+++ b/deployments/properties/dummy-azure-webapps-node.properties.json
@@ -3,5 +3,5 @@
 "description": "Build a Node.js project and deploy it to an Azure Web App.",
 "creator": "Microsoft Azure",
 "iconName": "azure",
- "categories": ["Deployment", "JavaScript", "npm"]
+ "categories": ["Deployment", "JavaScript", "TypeScript", "npm"]
 }
\ No newline at end of file
diff --git a/deployments/properties/dummy-azure-webapps-php.properties.json b/deployments/properties/dummy-azure-webapps-php.properties.json
new file mode 100644
index 0000000000..48554def48
--- /dev/null
+++ b/deployments/properties/dummy-azure-webapps-php.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy a PHP app to an Azure Web App",
+ "description": "Build a PHP app and deploy it to an Azure Web App.",
+ "creator": "Microsoft Azure",
+ "iconName": "azure",
+ "categories": ["Deployment", "PHP"]
+}
diff --git a/deployments/properties/dummy-azure-webapps-python.properties.json b/deployments/properties/dummy-azure-webapps-python.properties.json
new file mode 100644
index 0000000000..73f0cf5fbc
--- /dev/null
+++ b/deployments/properties/dummy-azure-webapps-python.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy a Python app to an Azure Web App",
+ "description": "Build a Python app and deploy it to an Azure Web App.",
+ "creator": "Microsoft Azure",
+ "iconName": "azure",
+ "categories": ["Deployment", "Python"]
+}
From c0fe29b09da4d6c929909465c322ce67c7cf7a94 Mon Sep 17 00:00:00 2001
From: Ashwin Sangem Date: Mon, 25 Oct 2021 22:06:21 +0530 Subject: [PATCH 140/844] Added Azure Id template back. (#1195) * Rename "azure.yml" to Node-specific name * Add templates and properties for other languages * Add workflow for .NET Core * Add workflow and properties file for PHP * Updates from PR review * Fix EOF * Use latest versions * Renamed the file appropriately. * Put the azure file back. * Added azure back. Co-authored-by: Jason Freeberg --- deployments/{dummy-azure-webapps-node.yml => azure.yml} | 0 ...y-azure-webapps-node.properties.json => azure.properties.json} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename deployments/{dummy-azure-webapps-node.yml => azure.yml} (100%) rename deployments/properties/{dummy-azure-webapps-node.properties.json => azure.properties.json} (100%) diff --git a/deployments/dummy-azure-webapps-node.yml b/deployments/azure.yml similarity index 100% rename from deployments/dummy-azure-webapps-node.yml rename to deployments/azure.yml diff --git a/deployments/properties/dummy-azure-webapps-node.properties.json b/deployments/properties/azure.properties.json similarity index 100% rename from deployments/properties/dummy-azure-webapps-node.properties.json rename to deployments/properties/azure.properties.json From 09b078fd769d655b44b5d6ce530d085d6b93cf13 Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Mon, 25 Oct 2021 21:40:31 -0400 Subject: [PATCH 141/844] Update code-scanning/mobsf.yml Co-authored-by: Nick Fyson --- code-scanning/mobsf.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 1da2611809..689a1a0268 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -26,7 +26,7 @@ jobs: python-version: 3.8 - name: Run mobsfscan - uses: MobSF/mobsfscan@main + uses: MobSF/mobsfscan@a60d10a83af68e23e0b30611c6515da604f06f65 with: args: . --sarif --output results.sarif || true 
From ed8c87df74c93fb5c021586db8653c55e7d99e00 Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Mon, 25 Oct 2021 21:40:48 -0400 Subject: [PATCH 142/844] Update code-scanning/properties/mobsf.properties.json Co-authored-by: Nick Fyson --- code-scanning/properties/mobsf.properties.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/code-scanning/properties/mobsf.properties.json b/code-scanning/properties/mobsf.properties.json index 6bca14ea0f..a6afbfa7f4 100644 --- a/code-scanning/properties/mobsf.properties.json +++ b/code-scanning/properties/mobsf.properties.json @@ -8,7 +8,6 @@ "Java", "Swift", "Objective-C", - "Kotlin", - "Mobile" + "Kotlin" ] } \ No newline at end of file From 767ba11df2322f72416beb52046b83f6d626a5bd Mon Sep 17 00:00:00 2001 From: Simona Cotin Date: Tue, 26 Oct 2021 13:15:05 +0200 Subject: [PATCH 143/844] update action version to v1 --- deployments/azure-staticwebapp.yml | 2 +- deployments/properties/azure-staticwebapp.properties.json | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml index d170d57387..8e1faf7e2a 100644 --- a/deployments/azure-staticwebapp.yml +++ b/deployments/azure-staticwebapp.yml @@ -58,7 +58,7 @@ jobs: steps: - name: Close Pull Request id: closepullrequest - uses: Azure/static-web-apps-deploy@latest + uses: Azure/static-web-apps-deploy@v1 with: azure_static_web_apps_api_token: ${{ env.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing api token for app action: "close" diff --git a/deployments/properties/azure-staticwebapp.properties.json b/deployments/properties/azure-staticwebapp.properties.json index 8bc5f6a365..a2552b06de 100644 --- a/deployments/properties/azure-staticwebapp.properties.json +++ b/deployments/properties/azure-staticwebapp.properties.json 
@@ -3,5 +3,5 @@ "description": "Build and deploy web application to an Azure Static Web App.", "creator": "Microsoft Azure", "iconName": "azure-staticwebapp", - "categories": ["Deployment", "React", "Angular", "Vue", "Svelte", "Gatsby", "Next", "Nuxt", "Jekyll"] -} \ No newline at end of file + "categories": ["Deployment", "React", "Angular", "Vue", "Svelte", "Gatsby", "Next", "Nuxt", "Jekyll", "Blazor"] +} From 83bdb0fcd6967ac99c2187051cd2e28defc282fb Mon Sep 17 00:00:00 2001 From: Daniel Winsor Date: Tue, 26 Oct 2021 21:37:36 -0700 Subject: [PATCH 144/844] Fixed typo in workflow that will cause every run to fail --- code-scanning/msvc.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index c6bb29fb93..2cd7b0f851 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -43,7 +43,7 @@ jobs: with: cmakeBuildDirectory: ${{ env.build }} # Ruleset file that will determine what checks will be run - ruleset: NativeRecommendRules.ruleset + ruleset: NativeRecommendedRules.ruleset # Upload SARIF file to GitHub Code Scanning Alerts - name: Upload SARIF to GitHub From d9dc2c2f72f5b952d02905df5d9cbd586e8eb62b Mon Sep 17 00:00:00 2001 From: Daniel Winsor Date: Tue, 26 Oct 2021 21:48:19 -0700 Subject: [PATCH 145/844] Update commit SHA --- code-scanning/msvc.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 2cd7b0f851..1503319e77 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -37,7 +37,7 @@ jobs: # run: cmake --build ${{ env.build }} - name: Initialize MSVC Code Analysis - uses: microsoft/msvc-code-analysis-action@502db28262ba134c9a621d5a509b9f7e696c99b6 + uses: microsoft/msvc-code-analysis-action@04825f6d9e00f87422d6bf04e1a38b1f3ed60d99 # Provide a unique ID to access the sarif output path id: run-analysis with: From 25f4fd1b5fec908829d2da20f4009f1d8074ef12 Mon Sep 17 00:00:00 2001 
From: Mattias Cibien Date: Wed, 27 Oct 2021 16:24:24 +0200 Subject: [PATCH 146/844] Fix dotnet-desktop template Removed environment variable which is not currently used and makes the build fail --- ci/dotnet-desktop.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index 0635779417..c22b9982d6 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -105,7 +105,7 @@ jobs: # Remove the pfx - name: Remove the pfx - run: Remove-Item -path $env:Wap_Project_Directory\$env:Signing_Certificate + run: Remove-Item -path $env:Wap_Project_Directory\GitHubActionsWorkflow.pfx # Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact - name: Upload build artifacts From 3893e3d7c85c519d9c6125372276812811dbac3b Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 27 Oct 2021 12:20:09 -0700 Subject: [PATCH 147/844] Add setup instructions to the top --- deployments/azure-webapps-container.yml | 20 ++++++++++++++-- deployments/azure-webapps-dotnet-core.yml | 23 ++++++++++++++++--- deployments/azure-webapps-java-jar.yml | 20 ++++++++++++++-- deployments/azure-webapps-node.yml | 25 ++++++++++++-------- deployments/azure-webapps-php.yml | 28 ++++++++++++++++++----- deployments/azure-webapps-python.yml | 23 +++++++++++++++---- 6 files changed, 112 insertions(+), 27 deletions(-) diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-webapps-container.yml index 66c49d841e..18cc860752 100644 --- a/deployments/azure-webapps-container.yml +++ b/deployments/azure-webapps-container.yml 
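Review bot: The cleanup step `Remove-Item -path $env:Wap_Project_Directory\GitHubActionsWorkflow.pfx` only runs when every earlier step succeeded, because it carries no `if:`; a failed build leaves the decoded signing certificate on disk, which matters on self-hosted runners where the workspace persists between runs. Adding `if: always()` to the "Remove the pfx" step removes the private key regardless of outcome. Hard-coding the filename here also duplicates whatever name the decode step writes (that step is outside this hunk); defining it once, e.g. `Signing_Certificate: GitHubActionsWorkflow.pfx` in the job's `env:`, and referencing `$env:Signing_Certificate` from both steps keeps the two from drifting, which appears to be what the removed line intended before the variable went undefined.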
@@ -1,5 +1,21 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions +# This workflow will build and push a Docker container to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. +# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples name: Build and deploy a container to an Azure Web App diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 99489691fd..656136cd7c 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml 
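Review bot: The new header's "For instructions see" link points at `quickstart-nodejs`, the Node.js quickstart, in a workflow that builds and pushes a container image; the same Node.js link is reused in the .NET Core header in the next hunk. Pointing each template at the quickstart for its own stack (custom container and .NET respectively) avoids sending users through an unrelated tutorial, and the opening sentence could say "build and push a Docker container to the GitHub container registry and deploy it to an Azure Web App" since the image goes to ghcr.io, not to the Web App. Step 1 and step 2 both describe obtaining the publish profile, so the second "For instructions on obtaining the publish profile see" line could be folded into step 1 or reworded to cover only creating the secret.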
@@ -1,10 +1,27 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions +# This workflow will build and push a .NET Core app to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and DOTNET_VERSION environment variables below. +# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples name: Build and deploy ASP.Net Core app to an Azure Web App env: AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root DOTNET_VERSION: '5' # set this to the .NET Core version to use on: 
@@ -56,4 +73,4 @@ jobs: with: app-name: ${{ env.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: . + package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 45ec6f87b4..48e9e888db 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml 
@@ -1,5 +1,21 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions +# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the JAVA_VERSION environment variable below. +# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples name: Build and deploy JAR app to Azure Web App diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index f3221c215b..8c8025593d 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml 
@@ -1,23 +1,27 @@ -# This workflow will build and push a node.js application to an Azure Web App when a release is created. +# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/azure/app-service/app-service-plan-manage#create-an-app-service-plan +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli # # To configure this workflow: # -# 1. For Linux apps, add an app setting called WEBSITE_WEBDEPLOY_USE_SCM and set it to true in your app **before downloading the file**. -# For more instructions see: https://docs.microsoft.com/azure/app-service/configure-common#configure-app-settings +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials # -# 2. Set up a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE with the value of your Azure publish profile. +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. # For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret # -# 3. Change the values for the AZURE_WEBAPP_NAME, AZURE_WEBAPP_PACKAGE_PATH and NODE_VERSION environment variables (below). +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and NODE_VERSION environment variables below. 
# -# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions -# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples + on: - release: - types: [created] + push: + branches: + - $default-branch + workflow_dispatch: env: AZURE_WEBAPP_NAME: your-app-name # set this to your application's name @@ -61,6 +65,7 @@ jobs: name: node-app - name: 'Deploy to Azure WebApp' + id: deploy-to-webapp uses: azure/webapps-deploy@v2 with: app-name: ${{ env.AZURE_WEBAPP_NAME }} diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 936e0db81a..19af463001 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml 
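Review bot: Moving the trigger from `release` to `push` on `$default-branch` means every merge now deploys with the publish-profile credential, and the job this feeds is outside the hunk with no `environment:` visible; attaching the deploy job to a GitHub environment (e.g. `environment: production`, name chosen as an example, written in block form with a `url:`) lets deployment protection rules and environment-scoped secrets gate it. The second hunk adds `id: deploy-to-webapp` but nothing in the hunk reads that step's outputs; presumably it is meant for `url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}` on such an environment, which is worth adding in the same change so the id does not look dangling.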
@@ -1,7 +1,23 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions +# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and PHP_VERSION environment variables below. +# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples -name: Build and deploy PHP app to Azure Web App - __sitename__ +name: Build and deploy PHP app to Azure Web App on: push: 
@@ -12,7 +28,7 @@ on: env: AZURE_WEBAPP_NAME: your-app-name # set this to your application's name AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - NODE_VERSION: '10.x' # set this to the PHP version to use + PHP_VERSION: '8.x' # set this to the PHP version to use jobs: build: @@ -24,7 +40,7 @@ jobs: - name: Setup PHP uses: shivammathur/setup-php@v2 with: - php-version: ${{ env.NODE_VERSION }} + php-version: ${{ env.PHP_VERSION }} - name: Check if composer.json exists id: check_files @@ -56,8 +72,8 @@ jobs: name: php-app - name: 'Deploy to Azure Web App' - uses: azure/webapps-deploy@v2 id: deploy-to-webapp + uses: azure/webapps-deploy@v2 with: app-name: ${{ env.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 7ad005e09e..208c8c12d2 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml 
@@ -1,6 +1,21 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions -# More info on Python, GitHub Actions, and Azure App Service: https://aka.ms/python-webapps-actions +# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and PYTHON_VERSION environment variables below. +# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples name: Build and deploy Python app to Azure Web App 
@@ -59,8 +74,8 @@ jobs: path: . - name: 'Deploy to Azure Web App' - uses: azure/webapps-deploy@v2 id: deploy-to-webapp + uses: azure/webapps-deploy@v2 with: app-name: ${{ env.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} From e176cd52cd2a6c5e8a5f15a500af05a40748416c Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 27 Oct 2021 12:20:29 -0700 Subject: [PATCH 148/844] Add more tech stack metadata to the properties files --- ...tnet-core.json => azure-webapps-dotnet-core.properties.json} | 0 deployments/properties/azure-webapps-java-jar.properties.json | 2 +- deployments/properties/azure-webapps-node.properties.json | 2 +- deployments/properties/azure-webapps-python.properties.json | 2 +- 4 files changed, 3 insertions(+), 3 deletions(-) rename deployments/properties/{azure-webapps-dotnet-core.json => azure-webapps-dotnet-core.properties.json} (100%) diff --git a/deployments/properties/azure-webapps-dotnet-core.json b/deployments/properties/azure-webapps-dotnet-core.properties.json similarity index 100% rename from deployments/properties/azure-webapps-dotnet-core.json rename to deployments/properties/azure-webapps-dotnet-core.properties.json diff --git a/deployments/properties/azure-webapps-java-jar.properties.json b/deployments/properties/azure-webapps-java-jar.properties.json index 6654463569..289d95c011 100644 --- a/deployments/properties/azure-webapps-java-jar.properties.json +++ b/deployments/properties/azure-webapps-java-jar.properties.json @@ -3,5 +3,5 @@ "description": "Build a Java project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "Java"] + "categories": ["Deployment", "Java", "Maven"] } diff --git a/deployments/properties/azure-webapps-node.properties.json b/deployments/properties/azure-webapps-node.properties.json index f24fd0446a..89a9542ee3 100644 --- a/deployments/properties/azure-webapps-node.properties.json 
+++ b/deployments/properties/azure-webapps-node.properties.json @@ -3,5 +3,5 @@ "description": "Build a Node.js project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "Node"] + "categories": ["Deployment", "Javascript", "Typescript", "npm"] } diff --git a/deployments/properties/azure-webapps-python.properties.json b/deployments/properties/azure-webapps-python.properties.json index 73f0cf5fbc..391af32b4a 100644 --- a/deployments/properties/azure-webapps-python.properties.json +++ b/deployments/properties/azure-webapps-python.properties.json @@ -3,5 +3,5 @@ "description": "Build a Python app and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "Python"] + "categories": ["Deployment", "Python", "Django", "Flask", "Pip"] } From e1ca1f58becaa3ee88a3b990b3504f0010b3749d Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 27 Oct 2021 12:23:24 -0700 Subject: [PATCH 149/844] typos --- deployments/azure-webapps-container.yml | 2 +- .../properties/azure-webapps-dotnet-core.properties.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-webapps-container.yml index 18cc860752..3fb2bbd32b 100644 --- a/deployments/azure-webapps-container.yml +++ b/deployments/azure-webapps-container.yml @@ -20,7 +20,7 @@ name: Build and deploy a container to an Azure Web App env: - AZURE_WEBAPP_NAME: '' # set this to the name of your Azure Web App + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App on: push: diff --git a/deployments/properties/azure-webapps-dotnet-core.properties.json b/deployments/properties/azure-webapps-dotnet-core.properties.json index 9074a2ac77..a9d5e20694 100644 --- a/deployments/properties/azure-webapps-dotnet-core.properties.json +++ b/deployments/properties/azure-webapps-dotnet-core.properties.json 
@@ -3,5 +3,5 @@ "description": "Build a .NET Core project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "C#", "dotNetCore"] + "categories": ["Deployment", "C#", "aspNetCore"] } From c3c12f195022fed5b024d1c014e36f3370119723 Mon Sep 17 00:00:00 2001 From: Abir Majumdar Date: Wed, 27 Oct 2021 15:35:18 -0400 Subject: [PATCH 150/844] Adding pmd --- code-scanning/pmd.yml | 58 ++++++++++++++++++++ code-scanning/properties/pmd.properties.json | 19 +++++++ 2 files changed, 77 insertions(+) create mode 100644 code-scanning/pmd.yml create mode 100644 code-scanning/properties/pmd.properties.json diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml new file mode 100644 index 0000000000..69596a4b9a --- /dev/null +++ b/code-scanning/pmd.yml 
@@ -0,0 +1,58 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: pmd + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + mobile-security: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Setup python + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: Run Full PMD Analysis on Apex Code + if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' + id: pmd-full-analysis + uses: abirismyname/pmd@master + with: + analyse-all-code: 'true' + pmd-version: 'latest' + file-path: './src' + rules-path: 'rulesets/apex/quickstart.xml' + + # - name: Run Full PMD Analysis on Java Code + # if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' + # id: pmd-full-analysis + # uses: abirismyname/pmd@master + # with: + # analyse-all-code: 'true' + # pmd-version: 'latest' + # file-path: './src' + # rules-path: 'rulesets/java/quickstart.xml' + + - name: Upload pmdscan report + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: pmd-output.sarif + + - name: No PMD Errors? + run: | + if ${{ steps.pmd-full-analysis.outputs.error-found }} ${{ steps.pmd-partial-analysis.outputs.error-found }} + then + exit 3 + fi diff --git a/code-scanning/properties/pmd.properties.json b/code-scanning/properties/pmd.properties.json new file mode 100644 index 0000000000..86080221a3 --- /dev/null +++ b/code-scanning/properties/pmd.properties.json 
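Review bot: `uses: abirismyname/pmd@master` pins a third-party action to a mutable branch, so whatever lands on that branch later runs against the checkout with a token able to upload into code scanning; the other third-party actions in this series (r-lib, psalm) are pinned to a full commit, and this should be `uses: abirismyname/pmd@<commit-sha>` too. The final step interpolates two step outputs straight into the shell `if`, yet no step with id `pmd-partial-analysis` exists in the file, and on `pull_request` and `schedule` runs the analysis step is skipped by its `if:` (the `workflow_dispatch` half of that condition has no matching trigger either), so both expansions are empty and the script fails on a bare `if` followed by `then`; passing the output through `env` and comparing it as a string, as below, avoids both the breakage and text-into-shell interpolation. `python-version: 3.8` is an unquoted float and should be `'3.8'` so a later bump to 3.10 is not read as 3.1. Neither this workflow nor psalm.yml in the next commit declares a `permissions:` block, so the job runs with the repository default token scopes where `contents: read` plus `security-events: write` is all the SARIF upload needs. The job id `mobile-security` appears carried over from another template, and `sarif_file: pmd-output.sarif` assumes the action writes exactly that file name, which the hunk does not show.
```yaml
# … unchanged: checkout, setup-python, PMD analysis and SARIF upload steps …
      - name: No PMD Errors?
        env:
          PMD_ERROR_FOUND: ${{ steps.pmd-full-analysis.outputs.error-found }}
        run: |
          if [ "$PMD_ERROR_FOUND" = "true" ]; then
            exit 3
          fi
```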
@@ -0,0 +1,19 @@ +{ + "name": "pmd", + "creator": "pmd", + "description": "PMD is a static source code analyzer. It finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth. It supports Java, JavaScript, Salesforce.com Apex and Visualforce, Modelica, PLSQL, Apache Velocity, XML, XSL, Scala.", + "iconName": "pmd", + "categories": [ + "Code Scanning", + "Java", + "JavaScript", + "Apex", + "Modelica", + "PLSQL", + "Apache Velocity", + "XML", + "XSl", + "Scala", + "Apex" + ] +} \ No newline at end of file From eeb84c9ae6f1844ca670440d5e8259830defcdfd Mon Sep 17 00:00:00 2001 From: Abir Majumdar Date: Thu, 28 Oct 2021 10:55:20 -0400 Subject: [PATCH 151/844] Adding Psalm PHP scanning to Starter Workflows --- .../properties/psalm.properties.json | 10 +++++++ code-scanning/psalm.yml | 30 +++++++++++++++++++ icons/psalm.svg | 23 ++++++++++++++ 3 files changed, 63 insertions(+) create mode 100644 code-scanning/properties/psalm.properties.json create mode 100644 code-scanning/psalm.yml create mode 100644 icons/psalm.svg diff --git a/code-scanning/properties/psalm.properties.json b/code-scanning/properties/psalm.properties.json new file mode 100644 index 0000000000..711fd394e8 --- /dev/null +++ b/code-scanning/properties/psalm.properties.json @@ -0,0 +1,10 @@ +{ + "name": "Psalm Security Scan", + "creator": "psalm", + "description": "Psalm is a static analysis tool for finding errors in PHP applications", + "iconName": "mobsf", + "categories": [ + "Code Scanning", + "PHP" + ] +} \ No newline at end of file diff --git a/code-scanning/psalm.yml b/code-scanning/psalm.yml new file mode 100644 index 0000000000..b4c7aba254 --- /dev/null +++ b/code-scanning/psalm.yml 
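Review bot: The `categories` array lists `"Apex"` twice and spells `"XSl"` with a lowercase l where the description says XSL; drop the duplicate and use `"XSL"`. The file also ends without a trailing newline.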
@@ -0,0 +1,30 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Psalm Security Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + php-security: + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Psalm Security Scan + uses: psalm/psalm-github-security-scan@f3e6fd9432bc3e44aec078572677ce9d2ef9c287 + + - name: Upload Security Analysis results to GitHub + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif \ No newline at end of file diff --git a/icons/psalm.svg b/icons/psalm.svg new file mode 100644 index 0000000000..3533e2dac3 --- /dev/null +++ b/icons/psalm.svg @@ -0,0 +1,23 @@ + + + + + + + + + + + + + + + + + + + + + + + From 1d8891efc2151b2290b1d93e8489f9b1f41bd047 Mon Sep 17 00:00:00 2001 From: rui Date: Thu, 28 Oct 2021 11:37:36 -0400 Subject: [PATCH 152/844] r: use setup-r@1 and include r@4 for starter (#1169) * r: use setup-r@1 and include r@4 for starter Signed-off-by: Rui Chen * use sha instead of tag for external action Co-authored-by: Josh Gross Co-authored-by: Josh Gross --- ci/r.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/r.yml b/ci/r.yml index f257fbda6b..305c2cf45f 100644 --- a/ci/r.yml +++ b/ci/r.yml @@ -19,12 +19,12 @@ jobs: runs-on: macos-latest strategy: matrix: - r-version: [3.5, 3.6] + r-version: ['3.6.3', '4.1.1'] steps: - uses: actions/checkout@v2 - name: Set up R ${{ matrix.r-version }} - uses: r-lib/actions/setup-r@ffe45a39586f073cc2e9af79c4ba563b657dc6e3 + uses: r-lib/actions/setup-r@f57f1301a053485946083d7a45022b278929a78a with: r-version: ${{ matrix.r-version }} - name: Install dependencies From de6c8cbcf0d4f8f40042d425fe053a22ac4beaa7 Mon Sep 17 00:00:00 2001 
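Review bot: The `psalm/psalm-github-security-scan@f3e6fd9432bc3e44aec078572677ce9d2ef9c287` pin is the right choice but carries no hint of which release that commit is; a trailing `# <tag>` comment (tag as a placeholder) keeps the pin reviewable when it is bumped, while `actions/checkout@v2` and `upload-sarif@v1` in the same file remain on floating major tags. `sarif_file: results.sarif` assumes the scan action writes that exact path, which the hunk does not show. The file ends without a trailing newline.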
From: gambtho Date: Thu, 28 Oct 2021 22:58:17 -0400 Subject: [PATCH 153/844] add aks starter --- deployments/aks.yml | 76 ++++++++++++++++++++++ deployments/properties/aks.properties.json | 7 ++ 2 files changed, 83 insertions(+) create mode 100644 deployments/aks.yml create mode 100644 deployments/properties/aks.properties.json diff --git a/deployments/aks.yml b/deployments/aks.yml new file mode 100644 index 0000000000..c235d289bb --- /dev/null +++ b/deployments/aks.yml 
@@ -0,0 +1,76 @@ +# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code +# +# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# For instructions see https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal +# https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# +# To configure this workflow: +# +# 1. Set the following secrets in your repository: +# - AZURE_CREDENTIALS (instructions for getting this https://github.com/Azure/login#configure-a-service-principal-with-a-secret) +# +# 2. Set the following environment variables (or replace the values below): +# - AZURE_CONTAINER_REGISTRY (name of your container registry) +# - PROJECT_NAME +# - RESOURCE_GROUP (where your cluster is deployed) +# - CLUSTER_NAME (name of your AKS cluster) +# +# 3. Choose the approrpiate render engine for the bake step https://github.com/Azure/k8s-bake. 
The config below assumes helm, then set +# any needed environment variables such as: +# - CHART_PATH +# - CHART_OVERRIDE_PATH +# +# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions +# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +# For more options with the actions used below please see the folllowing +# https://github.com/Azure/login +# https://github.com/Azure/aks-set-context +# https://github.com/marketplace/actions/azure-cli-action +# https://github.com/Azure/k8s-bake +# https://github.com/Azure/k8s-deploy + +on: [push] + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + + - name: Azure Login + uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Azure CLI script + uses: azure/CLI@v1 + with: + azcliversion: 2.29.1 + inlineScript: | + az configure --defaults acr=${{ env.AZURE_CONTAINER_REGISTRY }} + az acr build -t -t ${{ secrets.REGISTRY_URL }}/${{ env.PROJECT_NAME }}:${{ github.sha }} + + - uses: azure/aks-set-context@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + id: login + + - uses: azure/k8s-bake@v1 + with: + renderEngine: 'helm' + helmChart: ${{ env.CHART_PATH }} + overrideFiles: ${{ env.CHART_OVERRIDE_PATH }} + overrides: | + replicas:2 + helm-version: 'latest' + id: bake + + - uses: Azure/k8s-deploy@v1 + with: + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ secrets.REGISTRY_URL }}/${{ env.PROJECT_NAME }}:${{ github.sha }} + imagepullsecrets: | + ${{ env.PROJECT_NAME }} diff --git a/deployments/properties/aks.properties.json b/deployments/properties/aks.properties.json new file mode 100644 index 0000000000..22c55500f8 --- /dev/null +++ b/deployments/properties/aks.properties.json 
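Review bot: `az acr build -t -t ${{ secrets.REGISTRY_URL }}/${{ env.PROJECT_NAME }}:${{ github.sha }}` repeats the `-t` flag and passes no source location, so the build cannot run as written; it should be `az acr build -t ${{ secrets.REGISTRY_URL }}/${{ env.PROJECT_NAME }}:${{ github.sha }} .` with a single image tag and a context. The header tells the user to set `AZURE_CONTAINER_REGISTRY`, `PROJECT_NAME`, `RESOURCE_GROUP`, `CLUSTER_NAME`, `CHART_PATH` and `CHART_OVERRIDE_PATH`, but the file defines no `env:` block at all, so every `${{ env.* }}` below expands to an empty string; add an `env:` block with placeholder values like the azure-webapps templates do. `uses: actions/checkout@master` tracks a mutable branch where the rest of this series uses `@v2`. `on: [push]` deploys into the cluster on a push to any branch, whereas the sibling templates restrict to `$default-branch`, which is the safer default for a deploy workflow. The comments also contain the typos `approrpiate` and `folllowing`.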
@@ -0,0 +1,7 @@ +{ + "name": "Deploy to a AKS Cluster", + "description": "Deploy an application to a Azure Kubernetes Service Cluster", + "creator": "Microsoft Azure", + "iconName": "aks", + "categories": ["Deployment", "AKS", "Kompose", "Helm", "Kustomize", "Kubernetes"] +} From 644f0a59aa2237d2a0917ed946edecf98b27db5a Mon Sep 17 00:00:00 2001 From: gambtho Date: Thu, 28 Oct 2021 23:05:42 -0400 Subject: [PATCH 154/844] step names and registry path --- deployments/aks.yml | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/deployments/aks.yml b/deployments/aks.yml index c235d289bb..65e3782079 100644 --- a/deployments/aks.yml +++ b/deployments/aks.yml @@ -42,22 +42,24 @@ jobs: with: creds: ${{ secrets.AZURE_CREDENTIALS }} - - name: Azure CLI script + - name: Build image on ACR uses: azure/CLI@v1 with: azcliversion: 2.29.1 inlineScript: | - az configure --defaults acr=${{ env.AZURE_CONTAINER_REGISTRY }} - az acr build -t -t ${{ secrets.REGISTRY_URL }}/${{ env.PROJECT_NAME }}:${{ github.sha }} + az configure --defaults acr=${{ env.AZURE_CONTAINER_REGISTRY }} + az acr build -t -t ${{ secrets.REGISTRY_URL }}/${{ env.PROJECT_NAME }}:${{ github.sha }} - - uses: azure/aks-set-context@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} - id: login + - name: Gets K8s context + uses: azure/aks-set-context@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + id: login - - uses: azure/k8s-bake@v1 + - name: Configure deployment + uses: azure/k8s-bake@v1 with: renderEngine: 'helm' helmChart: ${{ env.CHART_PATH }} 
@@ -67,10 +69,11 @@ jobs: helm-version: 'latest' id: bake + - name: Deploys application - uses: Azure/k8s-deploy@v1 with: manifests: ${{ steps.bake.outputs.manifestsBundle }} images: | - ${{ secrets.REGISTRY_URL }}/${{ env.PROJECT_NAME }}:${{ github.sha }} + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }} imagepullsecrets: | ${{ env.PROJECT_NAME }} From cde6fc6c141cfaa1441a95bbb8b7bbf53065b977 Mon Sep 17 00:00:00 2001 From: Tom Gamble Date: Mon, 1 Nov 2021 09:41:55 -0400 Subject: [PATCH 155/844] Update aks.properties.json --- deployments/properties/aks.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployments/properties/aks.properties.json b/deployments/properties/aks.properties.json index 22c55500f8..a5c9f63163 100644 --- a/deployments/properties/aks.properties.json +++ b/deployments/properties/aks.properties.json @@ -2,6 +2,6 @@ "name": "Deploy to a AKS Cluster", "description": "Deploy an application to a Azure Kubernetes Service Cluster", "creator": "Microsoft Azure", - "iconName": "aks", + "iconName": "azure", "categories": ["Deployment", "AKS", "Kompose", "Helm", "Kustomize", "Kubernetes"] } From 69f26d5fd6ff080f5e949cde398a9f46270ef32a Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 3 Nov 2021 17:58:38 -0700 Subject: [PATCH 156/844] Copy/paste error --- deployments/azure-webapps-java-jar.yml | 2 +- deployments/azure-webapps-php.yml | 2 +- deployments/azure-webapps-python.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 48e9e888db..edb630e4fa 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml 
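Review bot: The added `- name: Deploys application` line precedes the untouched `- uses: Azure/k8s-deploy@v1` context line, so on the new side the step list has an item containing only `name` followed by a second item that starts at `uses`; the previous hunk turned the equivalent `- uses:` lines into `uses:` under the new name, and this one needs the same edit, i.e. `- name: Deploys application` followed by `uses: Azure/k8s-deploy@v1` as one step. The deployed image is now `${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }}`, while the `az acr build -t` tag in the previous hunk still uses `${{ secrets.REGISTRY_URL }}`; unless that secret holds exactly that host, the deployment references an image that was never pushed, so the build tag should use the same env-derived value.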
@@ -1,4 +1,4 @@ -# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch. +# This workflow will build and push a Java application to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. # For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 19af463001..0be746f374 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -1,4 +1,4 @@ -# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch. +# This workflow will build and push a PHP application to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. # For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 208c8c12d2..6cb093bed6 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -1,4 +1,4 @@ -# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch. +# This workflow will build and push a Python application to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. # For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli From a561392dff9de9a2623fb6de09e74b551e5d451e Mon Sep 17 00:00:00 2001 
From: Jason Freeberg Date: Wed, 3 Nov 2021 18:02:06 -0700 Subject: [PATCH 157/844] Update azure-webapps-container.yml --- deployments/azure-webapps-container.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-webapps-container.yml index 3fb2bbd32b..823a36f49f 100644 --- a/deployments/azure-webapps-container.yml +++ b/deployments/azure-webapps-container.yml @@ -39,7 +39,7 @@ jobs: uses: docker/setup-buildx-action@v1 - name: Log in to GitHub container registry - uses: docker/login-action@v1 + uses: docker/login-action@v1.10.0 with: registry: ghcr.io username: ${{ github.actor }} From 5354877aa04d5e0970f648f356bc9d9f0a9c94b7 Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 3 Nov 2021 18:10:02 -0700 Subject: [PATCH 158/844] enable caching --- deployments/azure-webapps-java-jar.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index edb630e4fa..e533f3f5f4 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -40,6 +40,7 @@ jobs: uses: actions/setup-java@v2.3.1 with: java-version: ${{ env.JAVA_VERSION }} + cache: 'maven' - name: Build with Maven run: mvn clean install From 56c93ff7521bd818b4186cd504aba6e2b7b42643 Mon Sep 17 00:00:00 2001 From: rui Date: Mon, 8 Nov 2021 11:14:50 -0500 Subject: [PATCH 159/844] elixir: refresh dependencies (#1212) - setup action got renamed into `setup-beam` - update elixir and erlang versions --- ci/elixir.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/elixir.yml b/ci/elixir.yml index 3f64657060..afe01beb2f 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml 
@@ -15,10 +15,10 @@ jobs: steps: - uses: actions/checkout@v2 - name: Set up Elixir - uses: erlef/setup-elixir@885971a72ed1f9240973bd92ab57af8c1aa68f24 + uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f with: - elixir-version: '1.10.3' # Define the elixir version [required] - otp-version: '22.3' # Define the OTP version [required] + elixir-version: '1.12.3' # Define the elixir version [required] + otp-version: '24.1' # Define the OTP version [required] - name: Restore dependencies cache uses: actions/cache@v2 with: From d739e93e5ea8b39749d14c9c60f0002c99a0f924 Mon Sep 17 00:00:00 2001 From: Tom Gamble Date: Tue, 9 Nov 2021 07:01:43 -0500 Subject: [PATCH 160/844] Update aks.properties.json --- deployments/properties/aks.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployments/properties/aks.properties.json b/deployments/properties/aks.properties.json index a5c9f63163..a510f3e26b 100644 --- a/deployments/properties/aks.properties.json +++ b/deployments/properties/aks.properties.json @@ -3,5 +3,5 @@ "description": "Deploy an application to a Azure Kubernetes Service Cluster", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "AKS", "Kompose", "Helm", "Kustomize", "Kubernetes"] + "categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes"] } From ec35be8871f419348e0b448a3a5a5e2987287522 Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Wed, 10 Nov 2021 11:31:39 -0500 Subject: [PATCH 161/844] Update psalm.properties.json --- code-scanning/properties/psalm.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/psalm.properties.json b/code-scanning/properties/psalm.properties.json index 711fd394e8..cba67b416d 100644 --- a/code-scanning/properties/psalm.properties.json +++ b/code-scanning/properties/psalm.properties.json 
@@ -2,9 +2,9 @@ "name": "Psalm Security Scan", "creator": "psalm", "description": "Psalm is a static analysis tool for finding errors in PHP applications", - "iconName": "mobsf", + "iconName": "psalm", "categories": [ "Code Scanning", "PHP" ] -} \ No newline at end of file +} From 50fcc151be4d81289d1e466265954becdd3cb56f Mon Sep 17 00:00:00 2001 From: Tom Gamble Date: Fri, 12 Nov 2021 07:11:40 -0500 Subject: [PATCH 162/844] Update aks.properties.json --- deployments/properties/aks.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/properties/aks.properties.json b/deployments/properties/aks.properties.json index a510f3e26b..a228aa2435 100644 --- a/deployments/properties/aks.properties.json +++ b/deployments/properties/aks.properties.json @@ -1,7 +1,7 @@ { "name": "Deploy to a AKS Cluster", - "description": "Deploy an application to a Azure Kubernetes Service Cluster", + "description": "Deploy an application to a Azure Kubernetes Service Cluster using Azure Credentials", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes"] + "categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes, "Dockerfile"] } From 2f7dd7431854932290267a5ff770cd41b633e231 Mon Sep 17 00:00:00 2001 
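Review bot: The new `categories` line in the second aks.properties.json hunk is not valid JSON: `"Kubernetes, "Dockerfile"` is missing the closing quote after Kubernetes, so the string runs on and the file fails to parse for whatever consumes these properties. The line should read `"categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes", "Dockerfile"]`. While the adjacent description line is being touched, `"a Azure Kubernetes Service Cluster"` would read better as `"an Azure Kubernetes Service Cluster"`.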
From: Ashwin Sangem Date: Mon, 15 Nov 2021 13:40:30 +0530 Subject: [PATCH 163/844] Dummy azure templates (#1249) * Rename "azure.yml" to Node-specific name * Add templates and properties for other languages * Add workflow for .NET Core * Add workflow and properties file for PHP * Updates from PR review * Fix EOF * Use latest versions * Renamed the file appropriately. * Put the azure file back. * Added azure back. * Revert "Dummy azure templates for showcasing the CD Ordering Behavior (#1194)" This reverts commit 9ce2a5b56fdbf317dc8c33602b79858e9ecd8077. Co-authored-by: Jason Freeberg --- deployments/azure.yml | 30 ++------- deployments/dummy-azure-webapps-container.yml | 59 ----------------- .../dummy-azure-webapps-dotnet-core.yml | 59 ----------------- deployments/dummy-azure-webapps-java-jar.yml | 56 ---------------- deployments/dummy-azure-webapps-php.yml | 64 ------------------ deployments/dummy-azure-webapps-python.yml | 66 ------------------- deployments/properties/azure.properties.json | 2 +- ...my-azure-webapps-container.properties.json | 7 -- ...-azure-webapps-dotnet-core.properties.json | 7 -- ...mmy-azure-webapps-java-jar.properties.json | 7 -- .../dummy-azure-webapps-php.properties.json | 7 -- ...dummy-azure-webapps-python.properties.json | 7 -- 12 files changed, 7 insertions(+), 364 deletions(-) delete mode 100644 deployments/dummy-azure-webapps-container.yml delete mode 100644 deployments/dummy-azure-webapps-dotnet-core.yml delete mode 100644 deployments/dummy-azure-webapps-java-jar.yml delete mode 100644 deployments/dummy-azure-webapps-php.yml delete mode 100644 deployments/dummy-azure-webapps-python.yml delete mode 100644 deployments/properties/dummy-azure-webapps-container.properties.json delete mode 100644 deployments/properties/dummy-azure-webapps-dotnet-core.properties.json delete mode 100644 deployments/properties/dummy-azure-webapps-java-jar.properties.json delete mode 100644 deployments/properties/dummy-azure-webapps-php.properties.json 
delete mode 100644 deployments/properties/dummy-azure-webapps-python.properties.json diff --git a/deployments/azure.yml b/deployments/azure.yml index 62f7a8f45f..904ff2545c 100644 --- a/deployments/azure.yml +++ b/deployments/azure.yml @@ -26,41 +26,23 @@ env: NODE_VERSION: '10.x' # set this to the node version to use jobs: - build: + build-and-deploy: + name: Build and Deploy runs-on: ubuntu-latest + environment: production steps: - uses: actions/checkout@v2 - - - name: Set up Node.js + - name: Use Node.js ${{ env.NODE_VERSION }} uses: actions/setup-node@v2 with: node-version: ${{ env.NODE_VERSION }} - - name: npm install, build, and test run: | + # Build and test the project, then + # deploy to Azure Web App. npm install npm run build --if-present npm run test --if-present - - - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 - with: - name: node-app - path: . - - deploy: - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - - steps: - - name: Download artifact from build job - uses: actions/download-artifact@v2 - with: - name: node-app - - name: 'Deploy to Azure WebApp' uses: azure/webapps-deploy@v2 with: diff --git a/deployments/dummy-azure-webapps-container.yml b/deployments/dummy-azure-webapps-container.yml deleted file mode 100644 index 66c49d841e..0000000000 --- a/deployments/dummy-azure-webapps-container.yml +++ /dev/null 
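Review bot: Collapsing `build` and `deploy` into one `build-and-deploy` job drops the environment `url:` that the old `deploy` job exposed (`${{ steps.deploy-to-webapp.outputs.webapp-url }}`), and replaces the mapping with the bare string `environment: production`, so the deployment record in the Environments tab no longer links to the running app. If the deploy step that starts at the end of this hunk keeps its `id: deploy-to-webapp` (its remaining lines are outside the hunk), the mapping form `environment:` / `  name: production` / `  url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}` restores that. Note also that the environment's protection rules now gate the whole job, so `npm install` and the tests wait on any required reviewers before they run, which is presumably not the intent of the split that existed before. Separately, the comment added inside the `run: |` script says `# deploy to Azure Web App.` although that step only builds and tests; `# Build and test the project before the deploy step below.` would describe it accurately.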
@@ -1,59 +0,0 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions - -name: Build and deploy a container to an Azure Web App - -env: - AZURE_WEBAPP_NAME: '' # set this to the name of your Azure Web App - -on: - push: - branches: - - $default-branch - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - - name: Log in to GitHub container registry - uses: docker/login-action@v1 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Lowercase the repo name - run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} - - - name: Build and push container image to registry - uses: docker/build-push-action@v2 - with: - push: true - tags: ghcr.io/${{ env.REPO }}:${{ github.sha }} - file: ./Dockerfile - - deploy: - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - - steps: - - name: Lowercase the repo name - run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} - - - name: Deploy to Azure Web App - id: deploy-to-webapp - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}' diff --git a/deployments/dummy-azure-webapps-dotnet-core.yml b/deployments/dummy-azure-webapps-dotnet-core.yml deleted file mode 100644 index 99489691fd..0000000000 --- a/deployments/dummy-azure-webapps-dotnet-core.yml +++ /dev/null 
@@ -1,59 +0,0 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions - -name: Build and deploy ASP.Net Core app to an Azure Web App - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App - DOTNET_VERSION: '5' # set this to the .NET Core version to use - -on: - push: - branches: - - $default-branch - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - - name: Set up .NET Core - uses: actions/setup-dotnet@v1 - with: - dotnet-version: ${{ env.DOTNET_VERSION }} - - - name: Build with dotnet - run: dotnet build --configuration Release - - - name: dotnet publish - run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp - - - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 - with: - name: .net-app - path: ${{env.DOTNET_ROOT}}/myapp - - deploy: - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - - steps: - - name: Download artifact from build job - uses: actions/download-artifact@v2 - with: - name: .net-app - - - name: Deploy to Azure Web App - id: deploy-to-webapp - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: . diff --git a/deployments/dummy-azure-webapps-java-jar.yml b/deployments/dummy-azure-webapps-java-jar.yml deleted file mode 100644 index 45ec6f87b4..0000000000 --- a/deployments/dummy-azure-webapps-java-jar.yml +++ /dev/null 
@@ -1,56 +0,0 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions - -name: Build and deploy JAR app to Azure Web App - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App - JAVA_VERSION: '11' # set this to the Java version to use - -on: - push: - branches: - - $default-branch - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - - name: Set up Java version - uses: actions/setup-java@v2.3.1 - with: - java-version: ${{ env.JAVA_VERSION }} - - - name: Build with Maven - run: mvn clean install - - - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 - with: - name: java-app - path: '${{ github.workspace }}/target/*.jar' - - deploy: - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - - steps: - - name: Download artifact from build job - uses: actions/download-artifact@v2 - with: - name: java-app - - - name: Deploy to Azure Web App - id: deploy-to-webapp - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: '*.jar' diff --git a/deployments/dummy-azure-webapps-php.yml b/deployments/dummy-azure-webapps-php.yml deleted file mode 100644 index 58627668ff..0000000000 --- a/deployments/dummy-azure-webapps-php.yml +++ /dev/null 
@@ -1,64 +0,0 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions - -name: Build and deploy PHP app to Azure Web App - -on: - push: - branches: - - $default-branch - workflow_dispatch: - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - PHP_VERSION: '10.x' # set this to the PHP version to use - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - - name: Setup PHP - uses: shivammathur/setup-php@v2 - with: - php-version: ${{ env.PHP_VERSION }} - - - name: Check if composer.json exists - id: check_files - uses: andstor/file-existence-action@v1 - with: - files: 'composer.json' - - - name: Run composer install if composer.json exists - if: steps.check_files.outputs.files_exists == 'true' - run: composer validate --no-check-publish && composer install --prefer-dist --no-progress - - - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 - with: - name: php-app - path: . - - deploy: - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - - steps: - - name: Download artifact from build job - uses: actions/download-artifact@v2 - with: - name: php-app - - - name: 'Deploy to Azure Web App' - uses: azure/webapps-deploy@v2 - id: deploy-to-webapp - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: . diff --git a/deployments/dummy-azure-webapps-python.yml b/deployments/dummy-azure-webapps-python.yml deleted file mode 100644 index 7ad005e09e..0000000000 --- a/deployments/dummy-azure-webapps-python.yml +++ /dev/null 
@@ -1,66 +0,0 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions -# More info on Python, GitHub Actions, and Azure App Service: https://aka.ms/python-webapps-actions - -name: Build and deploy Python app to Azure Web App - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App - PYTHON_VERSION: '3.8' # set this to the Python version to use - -on: - push: - branches: - - $default-branch - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - - name: Set up Python version - uses: actions/setup-python@v2.2.2 - with: - python-version: ${{ env.PYTHON_VERSION }} - - - name: Create and start virtual environment - run: | - python -m venv venv - source venv/bin/activate - - - name: Install dependencies - run: pip install -r requirements.txt - - # Optional: Add step to run tests here (PyTest, Django test suites, etc.) - - - name: Upload artifact for deployment jobs - uses: actions/upload-artifact@v2 - with: - name: python-app - path: | - . - !venv/ - - deploy: - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - - steps: - - name: Download artifact from build job - uses: actions/download-artifact@v2 - with: - name: python-app - path: . - - - name: 'Deploy to Azure Web App' - uses: azure/webapps-deploy@v2 - id: deploy-to-webapp - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} diff --git a/deployments/properties/azure.properties.json b/deployments/properties/azure.properties.json index 905267edd4..90a371779a 100644 --- a/deployments/properties/azure.properties.json +++ b/deployments/properties/azure.properties.json 
@@ -3,5 +3,5 @@ "description": "Build a Node.js project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "JavaScript", "TypeScript", "npm"] + "categories": ["Deployment", "JavaScript", "npm"] } \ No newline at end of file diff --git a/deployments/properties/dummy-azure-webapps-container.properties.json b/deployments/properties/dummy-azure-webapps-container.properties.json deleted file mode 100644 index fcd62b2b4e..0000000000 --- a/deployments/properties/dummy-azure-webapps-container.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Deploy a container to an Azure Web App", - "description": "Build a container and deploy it to an Azure Web App.", - "creator": "Microsoft Azure", - "iconName": "azure", - "categories": ["Deployment", "Dockerfile"] -} diff --git a/deployments/properties/dummy-azure-webapps-dotnet-core.properties.json b/deployments/properties/dummy-azure-webapps-dotnet-core.properties.json deleted file mode 100644 index 9074a2ac77..0000000000 --- a/deployments/properties/dummy-azure-webapps-dotnet-core.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Deploy a .NET Core app to an Azure Web App", - "description": "Build a .NET Core project and deploy it to an Azure Web App.", - "creator": "Microsoft Azure", - "iconName": "azure", - "categories": ["Deployment", "C#", "dotNetCore"] -} diff --git a/deployments/properties/dummy-azure-webapps-java-jar.properties.json b/deployments/properties/dummy-azure-webapps-java-jar.properties.json deleted file mode 100644 index 6654463569..0000000000 --- a/deployments/properties/dummy-azure-webapps-java-jar.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Deploy a Java .jar app to an Azure Web App", - "description": "Build a Java project and deploy it to an Azure Web App.", - "creator": "Microsoft Azure", - "iconName": "azure", - "categories": ["Deployment", "Java"] -} 
diff --git a/deployments/properties/dummy-azure-webapps-php.properties.json b/deployments/properties/dummy-azure-webapps-php.properties.json deleted file mode 100644 index 48554def48..0000000000 --- a/deployments/properties/dummy-azure-webapps-php.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Deploy a PHP app to an Azure Web App", - "description": "Build a PHP app and deploy it to an Azure Web App.", - "creator": "Microsoft Azure", - "iconName": "azure", - "categories": ["Deployment", "PHP"] -} diff --git a/deployments/properties/dummy-azure-webapps-python.properties.json b/deployments/properties/dummy-azure-webapps-python.properties.json deleted file mode 100644 index 73f0cf5fbc..0000000000 --- a/deployments/properties/dummy-azure-webapps-python.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Deploy a Python app to an Azure Web App", - "description": "Build a Python app and deploy it to an Azure Web App.", - "creator": "Microsoft Azure", - "iconName": "azure", - "categories": ["Deployment", "Python"] -} From b1b3ae86ee9db474a243c896fea923eeae001d79 Mon Sep 17 00:00:00 2001 
From: Ashwin Sangem Date: Mon, 15 Nov 2021 13:47:17 +0530 Subject: [PATCH 164/844] Sync partner_templates with the main Branch. (#1250) * Added Cloudrail according to instructions and existing examples * Adding Cloudrail according to documentation and examples * Oops * Add original Fortify on Demand workflow * Update Fortify on Demand workflow * Update Fortify on Demand supported languages * Add 3rd-party GitHub Actions disclaimer * Sysdig Secure Inline Scan with SARIF report to starter workflows * Added some extra comments, Github Actions V2 and changed env vars * Reviews from PR #1110 * Adding 'Dockerfile' to category list * Update according to PR review comments * File renames as requested in PR comments * Revert "Azure Data Factory CI starter workflow (#1111)" (#1146) This reverts commit 7f30309ccedb0e3dee186e0ee58c232752a78e24. * use env variables for user-set values (#1117) Co-authored-by: Josh Gross * Apply suggestions from nickfyson's code review Co-authored-by: Nick Fyson * removing "deployment" templates from sync-ghes (#1127) * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Changed svg logo * Rename sysdig.svg to sysdig-scan.svg * Switched svg logo (again) for a better fit * Rename fortify.json to fortify.properties.json * Correct character-case of "c" in Cloudrail * AWS template also used Docker * trigger on push instead of release (#1157) Co-authored-by: Josh Gross * Adding MobSF starter workflow * Adhering to pull request guidelines * python: update to use python 3.10 
Signed-off-by: Rui Chen * Added new templates for 3 clouds. * Revert "Added new templates for 3 clouds." This reverts commit c765d6316fb380d15d81206ede83b0042cdac377. * Add ruby and update workflow * Add workflow for Microsoft C++ Code Analysis * Updated action to meet guidelines * quote the version strings * correct typo in msvc.properties.json * Update codeql.properties.json * Update code-scanning/properties/codeql.properties.json Co-authored-by: Arthur Baars * Update codeql.properties.json * Update codeql.properties.json * Update code-scanning/mobsf.yml Co-authored-by: Nick Fyson * Update code-scanning/properties/mobsf.properties.json Co-authored-by: Nick Fyson * Fixed typo in workflow that will cause every run to fail * Update commit SHA * r: use setup-r@1 and include r@4 for starter (#1169) * r: use setup-r@1 and include r@4 for starter 
Signed-off-by: Rui Chen * use sha instead of tag for external action Co-authored-by: Josh Gross Co-authored-by: Josh Gross * elixir: refresh dependencies (#1212) - setup action got renamed into `setup-beam` - update elixir and erlang versions Co-authored-by: Yoni Leitersdorf Co-authored-by: Ruud Senden Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com> Co-authored-by: Manuel Boira Cuevas Co-authored-by: manuelbcd Co-authored-by: Nick Fyson Co-authored-by: Sarah Edwards Co-authored-by: Josh Gross Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Co-authored-by: manuelbcd Co-authored-by: Abir Majumdar Co-authored-by: Rui Chen Co-authored-by: David Verdeguer Co-authored-by: Daniel Winsor Co-authored-by: David Verdeguer <47184891+Daverlo@users.noreply.github.com> Co-authored-by: Arthur Baars Co-authored-by: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Co-authored-by: Marco Gario Co-authored-by: Andy McKay --- ci/elixir.yml | 6 +- ci/pylint.yml | 9 +- ci/python-app.yml | 4 +- ci/python-package-conda.yml | 4 +- ci/python-package.yml | 2 +- ci/r.yml | 4 +- code-scanning/codeql.yml | 3 +- code-scanning/mobsf.yml | 36 ++++++ code-scanning/msvc.yml | 6 +- .../properties/codeql.properties.json | 4 +- .../properties/mobsf.properties.json | 13 ++ icons/mobsf.svg | 114 ++++++++++++++++++ 12 files changed, 184 insertions(+), 21 deletions(-) create mode 100644 code-scanning/mobsf.yml create mode 100644 code-scanning/properties/mobsf.properties.json create mode 100644 icons/mobsf.svg diff --git a/ci/elixir.yml b/ci/elixir.yml index 3f64657060..afe01beb2f 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml 
@@ -15,10 +15,10 @@ jobs: steps: - uses: actions/checkout@v2 - name: Set up Elixir - uses: erlef/setup-elixir@885971a72ed1f9240973bd92ab57af8c1aa68f24 + uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f with: - elixir-version: '1.10.3' # Define the elixir version [required] - otp-version: '22.3' # Define the OTP version [required] + elixir-version: '1.12.3' # Define the elixir version [required] + otp-version: '24.1' # Define the OTP version [required] - name: Restore dependencies cache uses: actions/cache@v2 with: diff --git a/ci/pylint.yml b/ci/pylint.yml index 0805af74ad..10c49c6d1d 100644 --- a/ci/pylint.yml +++ b/ci/pylint.yml @@ -4,15 +4,16 @@ on: [push] jobs: build: - runs-on: ubuntu-latest - + strategy: + matrix: + python-version: ["3.8", "3.9", "3.10"] steps: - uses: actions/checkout@v2 - - name: Set up Python 3.9 + - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v2 with: - python-version: 3.9 + python-version: ${{ matrix.python-version }} - name: Install dependencies run: | python -m pip install --upgrade pip diff --git a/ci/python-app.yml b/ci/python-app.yml index f6ad69af7b..2cfc2a36b5 100644 --- a/ci/python-app.yml +++ b/ci/python-app.yml @@ -16,10 +16,10 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up Python 3.9 + - name: Set up Python 3.10 uses: actions/setup-python@v2 with: - python-version: 3.9 + python-version: "3.10" - name: Install dependencies run: | python -m pip install --upgrade pip diff --git a/ci/python-package-conda.yml b/ci/python-package-conda.yml index 7bae7e2475..9bd6d2b617 100644 --- a/ci/python-package-conda.yml +++ b/ci/python-package-conda.yml @@ -10,10 +10,10 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up Python 3.8 + - name: Set up Python 3.10 uses: actions/setup-python@v2 with: - python-version: 3.8 + python-version: 3.10 - name: Add conda to system path run: | # $CONDA is an environment variable pointing to the root of the miniconda directory 
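Review bot: The pylint.yml hunk removes `runs-on: ubuntu-latest` from the `build` job and adds the `strategy`/`matrix` block in its place without putting `runs-on` back, so the job no longer declares a runner and the workflow is rejected at load time on every run. `runs-on: ubuntu-latest` needs to stay under `build:` next to the new `strategy:` block; the matrix itself is fine and, with the version strings quoted, avoids the `3.10` float trap.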
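Review bot: In the python-package-conda.yml hunk the new value `python-version: 3.10` is an unquoted plain scalar, so the YAML parser reads it as the float 3.1 and setup-python is asked for Python 3.1 rather than 3.10. The python-app.yml hunk in this same patch gets it right with `python-version: "3.10"`, and the conda workflow should use the same quoted form.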
diff --git a/ci/python-package.yml b/ci/python-package.yml index b079b1c7a1..b0a63cf6a9 100644 --- a/ci/python-package.yml +++ b/ci/python-package.yml @@ -16,7 +16,7 @@ jobs: strategy: fail-fast: false matrix: - python-version: [3.7, 3.8, 3.9] + python-version: ["3.8", "3.9", "3.10"] steps: - uses: actions/checkout@v2 diff --git a/ci/r.yml b/ci/r.yml index f257fbda6b..305c2cf45f 100644 --- a/ci/r.yml +++ b/ci/r.yml @@ -19,12 +19,12 @@ jobs: runs-on: macos-latest strategy: matrix: - r-version: [3.5, 3.6] + r-version: ['3.6.3', '4.1.1'] steps: - uses: actions/checkout@v2 - name: Set up R ${{ matrix.r-version }} - uses: r-lib/actions/setup-r@ffe45a39586f073cc2e9af79c4ba563b657dc6e3 + uses: r-lib/actions/setup-r@f57f1301a053485946083d7a45022b278929a78a with: r-version: ${{ matrix.r-version }} - name: Install dependencies diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index b32675e536..57b4b69ad9 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -34,8 +34,7 @@ jobs: matrix: language: [ $detected-codeql-languages ] # CodeQL supports [ $supported-codeql-languages ] - # Learn more: - # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed + # Learn more about CodeQL language support at https://git.io/codeql-language-support steps: - name: Checkout repository diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml new file mode 100644 index 0000000000..689a1a0268 --- /dev/null +++ b/code-scanning/mobsf.yml 
@@ -0,0 +1,36 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: MobSF + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + mobile-security: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Setup python + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: Run mobsfscan + uses: MobSF/mobsfscan@a60d10a83af68e23e0b30611c6515da604f06f65 + with: + args: . --sarif --output results.sarif || true + + - name: Upload mobsfscan report + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif \ No newline at end of file diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index c6bb29fb93..f14ae3eda1 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -37,13 +37,13 @@ jobs: # run: cmake --build ${{ env.build }} - name: Initialize MSVC Code Analysis - uses: microsoft/msvc-code-analysis-action@502db28262ba134c9a621d5a509b9f7e696c99b6 + uses: microsoft/msvc-code-analysis-action@04825f6d9e00f87422d6bf04e1a38b1f3ed60d99 # Provide a unique ID to access the sarif output path id: run-analysis with: cmakeBuildDirectory: ${{ env.build }} # Ruleset file that will determine what checks will be run - ruleset: NativeRecommendRules.ruleset + ruleset: NativeRecommendedRules.ruleset # Upload SARIF file to GitHub Code Scanning Alerts - name: Upload SARIF to GitHub @@ -56,4 +56,4 @@ jobs: # uses: actions/upload-artifact@v2 # with: # name: sarif-file - # path: ${{ steps.run-analysis.outputs.sarif }} + # path: ${{ steps.run-analysis.outputs.sarif }} \ No newline at end of file diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index cb9305a9a1..ddb4627f49 100644 
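Review bot: In the new mobsf.yml, `args: . --sarif --output results.sarif || true` smuggles a shell construct into an action input; whether `|| true` is honoured depends on how the pinned mobsfscan entrypoint invokes the scanner, and if it is, the scan's exit status is discarded so findings can never fail the run. The conventional way to let the SARIF upload proceed regardless is `continue-on-error: true` on the "Run mobsfscan" step, which keeps the real exit code visible in the job log. Two smaller points in the same hunk: `python-version: 3.8` is unquoted while the python-app.yml hunk in this same patch quotes its version, and if the repository's default token is read-only the upload-sarif step presumably needs a job-level `permissions:` block granting `security-events: write`.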
--- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -1,7 +1,7 @@ { "name": "CodeQL Analysis", "creator": "GitHub", - "description": "Security analysis from GitHub for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.", + "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.", "iconName": "octicon mark-github", - "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python"] + "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"] } diff --git a/code-scanning/properties/mobsf.properties.json b/code-scanning/properties/mobsf.properties.json new file mode 100644 index 0000000000..a6afbfa7f4 --- /dev/null +++ b/code-scanning/properties/mobsf.properties.json @@ -0,0 +1,13 @@ +{ + "name": "mobsf", + "creator": "mobsf", + "description": "Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.", + "iconName": "mobsf", + "categories": [ + "Code Scanning", + "Java", + "Swift", + "Objective-C", + "Kotlin" + ] +} \ No newline at end of file diff --git a/icons/mobsf.svg b/icons/mobsf.svg new file mode 100644 index 0000000000..46dd1544e7 --- /dev/null +++ b/icons/mobsf.svg @@ -0,0 +1,114 @@ + + + + From 4f8abda415d1c6f0876a9a8060aba95a43d871ab Mon Sep 17 00:00:00 2001 
From: Ashwin Sangem Date: Mon, 15 Nov 2021 18:03:36 +0530 Subject: [PATCH 165/844] Updated the azure properties file to the main branch version. (#1251) * Added Cloudrail according to instructions and existing examples * Adding Cloudrail according to documentation and examples * Oops * Add original Fortify on Demand workflow * Update Fortify on Demand workflow * Update Fortify on Demand supported languages * Add 3rd-party GitHub Actions disclaimer * Sysdig Secure Inline Scan with SARIF report to starter workflows * Added some extra comments, Github Actions V2 and changed env vars * Reviews from PR #1110 * Adding 'Dockerfile' to category list * Update according to PR review comments * File renames as requested in PR comments * Revert "Azure Data Factory CI starter workflow (#1111)" (#1146) This reverts commit 7f30309ccedb0e3dee186e0ee58c232752a78e24. * use env variables for user-set values (#1117) Co-authored-by: Josh Gross * Apply suggestions from nickfyson's code review Co-authored-by: Nick Fyson * removing "deployment" templates from sync-ghes (#1127) * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Changed svg logo * Rename sysdig.svg to sysdig-scan.svg * Switched svg logo (again) for a better fit * Rename fortify.json to fortify.properties.json * Correct character-case of "c" in Cloudrail * AWS template also used Docker * trigger on push instead of release (#1157) Co-authored-by: Josh Gross * Adding MobSF starter workflow * Adhering to pull request guidelines * python: update to use python 3.10 
Signed-off-by: Rui Chen * Added new templates for 3 clouds. * Revert "Added new templates for 3 clouds." This reverts commit c765d6316fb380d15d81206ede83b0042cdac377. * Add ruby and update workflow * Add workflow for Microsoft C++ Code Analysis * Updated action to meet guidelines * quote the version strings * correct typo in msvc.properties.json * Update codeql.properties.json * Update code-scanning/properties/codeql.properties.json Co-authored-by: Arthur Baars * Update codeql.properties.json * Update codeql.properties.json * Update code-scanning/mobsf.yml Co-authored-by: Nick Fyson * Update code-scanning/properties/mobsf.properties.json Co-authored-by: Nick Fyson * Fixed typo in workflow that will cause every run to fail * Update commit SHA * r: use setup-r@1 and include r@4 for starter (#1169) * r: use setup-r@1 and include r@4 for starter Signed-off-by: Rui Chen * use sha instead of tag for external action Co-authored-by: Josh Gross Co-authored-by: Josh Gross * elixir: refresh dependencies (#1212) - setup action got renamed into `setup-beam` - update elixir and erlang versions * Updated to main branch version. Co-authored-by: Yoni Leitersdorf Co-authored-by: Ruud Senden Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com> Co-authored-by: Manuel Boira Cuevas Co-authored-by: manuelbcd Co-authored-by: Nick Fyson Co-authored-by: Sarah Edwards Co-authored-by: Josh Gross Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Co-authored-by: manuelbcd Co-authored-by: Abir Majumdar Co-authored-by: Rui Chen Co-authored-by: David Verdeguer Co-authored-by: Daniel Winsor Co-authored-by: David Verdeguer <47184891+Daverlo@users.noreply.github.com> Co-authored-by: Arthur Baars Co-authored-by: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Co-authored-by: Marco Gario Co-authored-by: Andy McKay --- deployments/properties/azure.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/deployments/properties/azure.properties.json b/deployments/properties/azure.properties.json index 90a371779a..362d5d13b5 100644 --- a/deployments/properties/azure.properties.json +++ b/deployments/properties/azure.properties.json @@ -3,5 +3,5 @@ "description": "Build a Node.js project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "JavaScript", "npm"] + "categories": ["Deployment"] } \ No newline at end of file From f61ca9907b39f2023bf9abaa26adc2e0c56193d8 Mon Sep 17 00:00:00 2001 From: Keegan Saunders Date: Fri, 12 Nov 2021 09:55:14 -0500 Subject: [PATCH 166/844] Add NowSecure starter workflow --- code-scanning/nowsecure.yml | 52 +++++++++++++++++++ .../properties/nowsecure.properties.json | 21 ++++++++ icons/nowsecure.svg | 21 ++++++++ 3 files changed, 94 insertions(+) create mode 100644 code-scanning/nowsecure.yml create mode 100644 code-scanning/properties/nowsecure.properties.json create mode 100644 icons/nowsecure.svg diff --git a/code-scanning/nowsecure.yml b/code-scanning/nowsecure.yml new file mode 100644 index 0000000000..92126bdfde --- /dev/null +++ b/code-scanning/nowsecure.yml 
@@ -0,0 +1,52 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# NowSecure: The Mobile Security Experts . +# +# To use this workflow, you must be an existing NowSecure customer with GitHub Advanced Security (GHAS) enabled for your +# repository. +# +# If you *are not* an existing customer, click here to contact us for licensing and pricing details: +# . +# +# Instructions: +# +# 1. In the settings for your repository, click "Secrets" then "New repository secret". Name the secret "NS_TOKEN" and +# paste in your Platform token. If you do not have a Platform token, or wish to create a new one for GitHub, visit +# NowSecure Platform and go to "Profile & Preferences" then create a token labelled "GitHub". +# +# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository +# and review the "Security" tab once the action has run. + +name: "NowSecure" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + +jobs: + nowsecure: + name: NowSecure + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Build your application + run: ./gradlew assembleDebug # Update this to build your Android or iOS application + + - name: Run NowSecure + uses: nowsecure/nowsecure-action@3b439db31b6dce857b09f5222fd13ffc3159ad26 + with: + token: ${{ secrets.NS_TOKEN }} + app_file: app-debug.apk # Update this to a path to your .ipa or .apk + group_id: {{ groupId }} # Update this to your desired Platform group ID + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: NowSecure.sarif diff --git a/code-scanning/properties/nowsecure.properties.json b/code-scanning/properties/nowsecure.properties.json new file mode 100644 index 0000000000..dfc9f60940 
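Review bot: `group_id: {{ groupId }}` is not a string placeholder in YAML: a plain scalar that starts with `{` is parsed as a flow mapping, so the action receives a mapping (or the workflow fails validation) instead of a value the user can replace; quote it, `group_id: '{{ groupId }}' # Update this to your desired Platform group ID`, so the "Update this" hint actually applies to a string. None of the code-scanning workflows added in this chunk (this one, and detekt, 42crunch, anchore, brakeman, checkmarx, codacy, codescan, njsscan and ossar later in the series) declares a `permissions:` block, so `github/codeql-action/upload-sarif` runs with whatever the repository's default `GITHUB_TOKEN` grants; a job-level `permissions:` with `contents: read` and `security-events: write` is the minimum that step needs and keeps the token least-privilege. The two header lines `# NowSecure: The Mobile Security Experts .` and `# click here to contact us ... : .` appear to have lost their URLs and should be restored or dropped before this ships as a template.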
--- /dev/null +++ b/code-scanning/properties/nowsecure.properties.json @@ -0,0 +1,21 @@ +{ + "name": "NowSecure", + "creator": "NowSecure", + "description": "The NowSecure Action delivers fast, accurate, automated security analysis of iOS and Android apps coded in any language", + "iconName": "nowsecure", + "categories": [ + "Code Scanning", + "Java", + "Kotlin", + "Scala", + "Swift", + "Objective C", + "C", + "C++", + "C#", + "Rust", + "JavaScript", + "TypeScript", + "Node" + ] +} diff --git a/icons/nowsecure.svg b/icons/nowsecure.svg new file mode 100644 index 0000000000..0cec9f36d5 --- /dev/null +++ b/icons/nowsecure.svg @@ -0,0 +1,21 @@ + + + + + + + + From 214aeaaafe01dc791220ab91d9043e79d34db66f Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Tue, 16 Nov 2021 09:43:18 -0800 Subject: [PATCH 167/844] Update quickstart link --- deployments/azure-webapps-container.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 2 +- deployments/azure-webapps-java-jar.yml | 2 +- deployments/azure-webapps-php.yml | 2 +- deployments/azure-webapps-python.yml | 4 ++-- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-webapps-container.yml index 823a36f49f..407279e36e 100644 --- a/deployments/azure-webapps-container.yml +++ b/deployments/azure-webapps-container.yml @@ -1,7 +1,7 @@ # This workflow will build and push a Docker container to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-custom-container?tabs=dotnet&pivots=container-linux # # To configure this workflow: # 
diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 656136cd7c..fe81148ef8 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -1,7 +1,7 @@ # This workflow will build and push a .NET Core app to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-dotnetcore?tabs=net60&pivots=development-environment-vscode # # To configure this workflow: # diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index e533f3f5f4..f3862509a1 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -1,7 +1,7 @@ # This workflow will build and push a Java application to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-java?tabs=javase&pivots=platform-linux # # To configure this workflow: # diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 0be746f374..c900dfa327 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml 
@@ -1,7 +1,7 @@ # This workflow will build and push a PHP application to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-php?pivots=platform-linux # # To configure this workflow: # diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 6cb093bed6..216742f927 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -1,7 +1,7 @@ # This workflow will build and push a Python application to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-python?tabs=bash&pivots=python-framework-flask # # To configure this workflow: # 
@@ -11,7 +11,7 @@ # 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. # For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret # -# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and PYTHON_VERSION environment variables below. +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the PYTHON_VERSION environment variables below. # # For more information on GitHub Actions for Azure: https://github.com/Azure/Actions # For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy From 11147495c0f5cbaf48672a428f8914c23b23f914 Mon Sep 17 00:00:00 2001 From: gambtho Date: Thu, 18 Nov 2021 07:30:10 -0500 Subject: [PATCH 168/844] variable cleanup and comment additions --- deployments/aks.yml | 3 ++- deployments/properties/aks.properties.json | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/deployments/aks.yml b/deployments/aks.yml index 65e3782079..08988ffc64 100644 --- a/deployments/aks.yml +++ b/deployments/aks.yml @@ -3,6 +3,7 @@ # This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) # For instructions see https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal # https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# https://github.com/Azure/aks-create-action # # To configure this workflow: # 
@@ -48,7 +49,7 @@ jobs: azcliversion: 2.29.1 inlineScript: | az configure --defaults acr=${{ env.AZURE_CONTAINER_REGISTRY }} - az acr build -t -t ${{ secrets.REGISTRY_URL }}/${{ env.PROJECT_NAME }}:${{ github.sha }} + az acr build -t -t ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }} - name: Gets K8s context uses: azure/aks-set-context@v1 diff --git a/deployments/properties/aks.properties.json b/deployments/properties/aks.properties.json index a228aa2435..28f3725df2 100644 --- a/deployments/properties/aks.properties.json +++ b/deployments/properties/aks.properties.json @@ -3,5 +3,5 @@ "description": "Deploy an application to a Azure Kubernetes Service Cluster using Azure Credentials", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes, "Dockerfile"] + "categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes", "Dockerfile"] } From 42dcf88eb9dde18e9c0b9e05840c92d47d26a28c Mon Sep 17 00:00:00 2001 From: anaarmas <54946499+anaarmas@users.noreply.github.com> Date: Fri, 19 Nov 2021 16:41:15 +0100 Subject: [PATCH 169/844] add detekt workflow --- code-scanning/detekt.yml | 109 ++++++++++++++++++ .../properties/detekt.properties.json | 9 ++ icons/detekt.svg | 32 +++++ 3 files changed, 150 insertions(+) create mode 100644 code-scanning/detekt.yml create mode 100644 code-scanning/properties/detekt.properties.json create mode 100644 icons/detekt.svg diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml new file mode 100644 index 0000000000..0edc8b5bee --- /dev/null +++ b/code-scanning/detekt.yml 
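Review bot: The duplicated flag in `az acr build -t -t ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/...` survives the rewrite; `-t` takes a single value, so the second `-t` is either rejected by the CLI as a missing argument or consumed as the tag itself, and the intended `registry/project:sha` tag is never applied. Drop one: `az acr build -t ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }}`. Hard-coding the `.azurecr.io` suffix also assumes the public Azure cloud, whereas the replaced `secrets.REGISTRY_URL` accepted any login server; a one-line comment, `# Login server suffix differs in sovereign clouds; adjust if not using public Azure`, would save the next user a failed push. The enclosing job and the `AZURE_CONTAINER_REGISTRY` env definition are outside the hunk.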
@@ -0,0 +1,109 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow performs a static analysis of your Kotlin source code using +# Detekt. +# +# Scans are triggered: +# 1. On every push to default and protected branches +# 2. On every Pull Request targeting the default branch +# 3. On a weekly schedule +# 4. Manually, on demand, via the "workflow_dispatch" event +# +# The workflow should work with no modifications, but you might like to use a +# later version of the Detekt CLI by modifing the $DETEKT_RELEASE_TAG +# environment variable. +name: Scan with Detekt + +on: + # Triggers the workflow on push or pull request events but only for default and protected branches + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +env: + # Release tag associated with version of Detekt to be installed + # SARIF support (required for this workflow) was introduced in Detekt v1.15.0 + DETEKT_RELEASE_TAG: v1.15.0 + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + # This workflow contains a single job called "scan" + scan: + name: Scan + # The type of runner that the job will run on + runs-on: ubuntu-latest + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it + - uses: actions/checkout@v2 + + # Gets the download URL associated with the $DETEKT_RELEASE_TAG + - name: Get Detekt download URL + id: detekt_info + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + DETEKT_DOWNLOAD_URL=$( gh api graphql --field tagName=$DETEKT_RELEASE_TAG --raw-field query=' + query 
getReleaseAssetDownloadUrl($tagName: String!) { + repository(name: "detekt", owner: "detekt") { + release(tagName: $tagName) { + # it doesn't look like there is an alternative semantics for this with a specific SHA, is this release tag immutable? + releaseAssets(name: "detekt", first: 1) { + nodes { + downloadUrl + } + } + } + } + } + ' | \ + jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' ) + echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL" + + # Sets up the detekt cli + - name: Setup Detekt + run: | + dest=$( mktemp -d ) + curl --request GET \ + --url ${{ steps.detekt_info.outputs.download_url }} \ + --silent \ + --location \ + --output $dest/detekt + chmod a+x $dest/detekt + echo $dest >> $GITHUB_PATH + + # Performs static analysis using Detekt + - name: Run Detekt + continue-on-error: true + run: | + detekt --input ${{ github.workspace }} --report sarif:${{ github.workspace }}/detekt.sarif.json + + # Modifies the SARIF output produced by Detekt so that absolute URIs are relative + # This is so we can easily map results onto their source files + # This can be removed once relative URI support lands in Detekt: https://git.io/JLBbA + - name: Make artifact location URIs relative + continue-on-error: true + run: | + echo "$( + jq \ + --arg github_workspace ${{ github.workspace }} \ + '. | ( .runs[].results[].locations[].physicalLocation.artifactLocation.uri |= if test($github_workspace) then .[($github_workspace | length | . + 1):] else . end )' \ + ${{ github.workspace }}/detekt.sarif.json + )" > ${{ github.workspace }}/detekt.sarif.json + + # Uploads results to GitHub repository using the upload-sarif action + - uses: github/codeql-action/upload-sarif@v1 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: ${{ github.workspace }}/detekt.sarif.json + checkout_path: ${{ github.workspace }} 
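Review bot: The `Setup Detekt` step downloads the `detekt` binary from a URL resolved at run time and executes it with no integrity check, and that URL is derived from a release tag (`DETEKT_RELEASE_TAG: v1.15.0`) which, as the leftover question inside the GraphQL query itself points out, is not guaranteed immutable; whoever can move the tag or swap the asset decides what runs under this job's token. Pin the expected digest alongside the tag and verify it before `chmod a+x`: `echo "<SHA256_OF_DETEKT_CLI_PLACEHOLDER>  $dest/detekt" | sha256sum --check` (take the digest from the release when bumping `DETEKT_RELEASE_TAG`). Separately, `--url ${{ steps.detekt_info.outputs.download_url }}` interpolates a step output straight into the shell script; routing it through `env:` and quoting it (`--url "$DETEKT_DOWNLOAD_URL"`) avoids the expression-injection pattern even though this value comes from GitHub's own API. The `# it doesn't look like there is an alternative semantics ...` comment inside the query reads as an unresolved review question and should be answered or removed. `::set-output` is now deprecated in favour of appending `download_url=$DETEKT_DOWNLOAD_URL` to `$GITHUB_OUTPUT`.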
diff --git a/code-scanning/properties/detekt.properties.json b/code-scanning/properties/detekt.properties.json new file mode 100644 index 0000000000..d51a6ad75a --- /dev/null +++ b/code-scanning/properties/detekt.properties.json @@ -0,0 +1,9 @@ +{ + "name": "Detekt", + "creator": "Detekt", + "description": "Static code analysis for Kotlin", + "iconName": "detekt", + "categories": ["Code Scanning", "Kotlin"] +} + + \ No newline at end of file diff --git a/icons/detekt.svg b/icons/detekt.svg new file mode 100644 index 0000000000..152617078c --- /dev/null +++ b/icons/detekt.svg @@ -0,0 +1,32 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From 52edf1b58088d3acb5c1444b65bf9988e1d1b498 Mon Sep 17 00:00:00 2001 
From: anaarmas <54946499+anaarmas@users.noreply.github.com> Date: Fri, 19 Nov 2021 16:55:27 +0100 Subject: [PATCH 170/844] add a bunch of code scanning workflows --- code-scanning/42crunch.yml | 53 ++ code-scanning/anchore.yml | 39 + code-scanning/brakeman.yml | 51 ++ code-scanning/checkmarx.yml | 44 + code-scanning/codacy.yml | 54 ++ code-scanning/codescan.yml | 42 + code-scanning/njsscan.yml | 35 + code-scanning/ossar.yml | 49 ++ code-scanning/prisma.yml | 54 ++ .../properties/42crunch.properties.json | 7 + .../properties/anchore.properties.json | 7 + .../properties/brakeman.properties.json | 7 + .../properties/checkmarx.properties.json | 7 + .../properties/codacy.properties.json | 7 + .../properties/codescan.properties.json | 7 + .../properties/njsscan.properties.json | 7 + .../properties/ossar.properties.json | 7 + .../properties/prisma.properties.json | 7 + .../properties/rubocop.properties.json | 7 + .../securitycodescan.properties.json | 7 + .../properties/semgrep.properties.json | 7 + .../properties/shiftleft.properties.json | 7 + .../properties/snyk-container.properties.json | 7 + .../snyk-infrastructure.properties.json | 7 + .../properties/trivy.properties.json | 8 + .../properties/xanitizer.properties.json | 7 + code-scanning/rubocop.yml | 52 ++ code-scanning/securitycodescan.yml | 41 + code-scanning/semgrep.yml | 42 + code-scanning/shiftleft.yml | 47 ++ code-scanning/snyk-container.yml | 48 ++ code-scanning/snyk-infrastructure.yml | 47 ++ code-scanning/trivy.yml | 41 + code-scanning/xanitizer.yml | 92 +++ icons/42crunch.svg | 19 + icons/anchore.svg | 1 + icons/brakeman.svg | 464 +++++++++++ icons/checkmarx.svg | 14 + icons/codacy.svg | 16 + icons/codescan.svg | 69 ++ icons/njsscan.svg | 755 ++++++++++++++++++ icons/prisma.svg | 16 + icons/rubocop.svg | 1 + icons/securitycodescan.svg | 3 + icons/semgrep.svg | 4 + icons/shiftleft.svg | 6 + icons/snyk.svg | 31 + icons/trivy.svg | 93 +++ icons/xanitizer.svg | 50 ++ 49 files changed, 2493 insertions(+) 
create mode 100644 code-scanning/42crunch.yml create mode 100644 code-scanning/anchore.yml create mode 100644 code-scanning/brakeman.yml create mode 100644 code-scanning/checkmarx.yml create mode 100644 code-scanning/codacy.yml create mode 100644 code-scanning/codescan.yml create mode 100644 code-scanning/njsscan.yml create mode 100644 code-scanning/ossar.yml create mode 100644 code-scanning/prisma.yml create mode 100644 code-scanning/properties/42crunch.properties.json create mode 100644 code-scanning/properties/anchore.properties.json create mode 100644 code-scanning/properties/brakeman.properties.json create mode 100644 code-scanning/properties/checkmarx.properties.json create mode 100644 code-scanning/properties/codacy.properties.json create mode 100644 code-scanning/properties/codescan.properties.json create mode 100644 code-scanning/properties/njsscan.properties.json create mode 100644 code-scanning/properties/ossar.properties.json create mode 100644 code-scanning/properties/prisma.properties.json create mode 100644 code-scanning/properties/rubocop.properties.json create mode 100644 code-scanning/properties/securitycodescan.properties.json create mode 100644 code-scanning/properties/semgrep.properties.json create mode 100644 code-scanning/properties/shiftleft.properties.json create mode 100644 code-scanning/properties/snyk-container.properties.json create mode 100644 code-scanning/properties/snyk-infrastructure.properties.json create mode 100644 code-scanning/properties/trivy.properties.json create mode 100644 code-scanning/properties/xanitizer.properties.json create mode 100644 code-scanning/rubocop.yml create mode 100644 code-scanning/securitycodescan.yml create mode 100644 code-scanning/semgrep.yml create mode 100644 code-scanning/shiftleft.yml create mode 100644 code-scanning/snyk-container.yml create mode 100644 code-scanning/snyk-infrastructure.yml create mode 100644 code-scanning/trivy.yml create mode 100644 code-scanning/xanitizer.yml create mode 
100644 icons/42crunch.svg create mode 100644 icons/anchore.svg create mode 100644 icons/brakeman.svg create mode 100644 icons/checkmarx.svg create mode 100644 icons/codacy.svg create mode 100644 icons/codescan.svg create mode 100644 icons/njsscan.svg create mode 100644 icons/prisma.svg create mode 100644 icons/rubocop.svg create mode 100644 icons/securitycodescan.svg create mode 100644 icons/semgrep.svg create mode 100644 icons/shiftleft.svg create mode 100644 icons/snyk.svg create mode 100644 icons/trivy.svg create mode 100644 icons/xanitizer.svg diff --git a/code-scanning/42crunch.yml b/code-scanning/42crunch.yml new file mode 100644 index 0000000000..1d44bf9d14 --- /dev/null +++ b/code-scanning/42crunch.yml 
@@ -0,0 +1,53 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow locates REST API file contracts +# (Swagger or OpenAPI format, v2 and v3, JSON and YAML) +# and runs 200+ security checks on them using 42Crunch Security Audit technology. +# +# Documentation is located here: https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm +# +# To use this workflow, you will need to complete the following setup steps. +# +# 1. Create a free 42Crunch account at https://platform.42crunch.com/register +# +# 2. Follow steps at https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm +# to create an API Token on the 42Crunch platform +# +# 3. Add a secret in GitHub as explained in https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm, +# store the 42Crunch API Token in that secret, and supply the secret's name as api-token parameter in this workflow +# +# If you have any questions or need help contact https://support.42crunch.com + +name: "42Crunch REST API Static Security Testing" + +# follow standard Code Scanning triggers +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + rest-api-static-security-testing: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: 42Crunch REST API Static Security Testing + uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1 + with: + # Please create free account at https://platform.42crunch.com/register + # Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm + api-token: ${{ secrets.API_TOKEN }} + # Fail if any OpenAPI file scores lower 
than 75 + min-score: 75 + # Upload results to Github code scanning + upload-to-code-scanning: true + # Github token for uploading the results + github-token: ${{ github.token }} diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml new file mode 100644 index 0000000000..d90f68c07a --- /dev/null +++ b/code-scanning/anchore.yml @@ -0,0 +1,39 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow checks out code, builds an image, performs a container image +# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security +# code scanning feature. For more information on the Anchore scan action usage +# and parameters, see https://github.com/anchore/scan-action. For more +# information on Anchore's container image scanning tool Grype, see +# https://github.com/anchore/grype +name: Anchore Container Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + Anchore-Build-Scan: + runs-on: ubuntu-latest + steps: + - name: Checkout the code + uses: actions/checkout@v2 + - name: Build the Docker image + run: docker build . --file Dockerfile --tag localbuild/testimage:latest + - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled + uses: anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd + with: + image: "localbuild/testimage:latest" + acs-report-enable: true + - name: Upload Anchore Scan Report + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif \ No newline at end of file diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml new file mode 100644 index 0000000000..ae5215a33e --- /dev/null 
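Review bot: The header instruction "store the 42Crunch API Token in that secret, and supply the secret's name as api-token parameter" contradicts the step body, which supplies the secret's value via `api-token: ${{ secrets.API_TOKEN }}`; a reader following the comment literally would write `api-token: API_TOKEN` and get an authentication failure. Reword it to "reference that secret as the `api-token` input, as shown below". `API_TOKEN` is also a generic secret name likely to collide with other workflows in the same repository; a tool-specific name (GitHub secret names must start with a letter or underscore, so not `42CRUNCH_...`) would be clearer.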
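Review bot: `Upload Anchore Scan Report` has no `if:` condition, so if the pinned `anchore/scan-action` fails its step when findings reach its severity cutoff (which I read as its default, via the `fail-build` input), the SARIF is never uploaded and the very findings that caused the failure never reach the Security tab; `if: always()` on the upload step, or `fail-build: false` on the scan step and leaving enforcement to code scanning, keeps the two consistent. The same shape (scan step with no `continue-on-error`, upload step with no `if:`) appears in the checkmarx and codescan workflows in this series, while brakeman and detekt already use `continue-on-error: true`. The file is also committed without a trailing newline (`\ No newline at end of file`).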
+++ b/code-scanning/brakeman.yml @@ -0,0 +1,51 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates Brakeman with GitHub's Code Scanning feature +# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications + +name: Brakeman Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + brakeman-scan: + name: Brakeman Scan + runs-on: ubuntu-latest + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout + uses: actions/checkout@v2 + + # Customize the ruby version depending on your needs + - name: Setup Ruby + uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf + with: + ruby-version: '2.7' + + - name: Setup Brakeman + env: + BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+ + run: | + gem install brakeman --version $BRAKEMAN_VERSION + + # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis + - name: Scan + continue-on-error: true + run: | + brakeman -f sarif -o output.sarif.json . + + # Upload the SARIF file generated in the previous step + - name: Upload SARIF + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: output.sarif.json diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml new file mode 100644 index 0000000000..ee97108cae --- /dev/null +++ b/code-scanning/checkmarx.yml 
@@ -0,0 +1,44 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This is a basic workflow to help you get started with Using Checkmarx CxFlow Action + +name: CxFlow + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action +jobs: + # This workflow contains a single job called "build" + build: + # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action + runs-on: ubuntu-latest + + # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it + - uses: actions/checkout@v2 + # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs + - name: Checkmarx CxFlow Action + uses: checkmarx-ts/checkmarx-cxflow-github-action@04e6403dbbfee0fd3fb076e5791202c31c54fe6b + with: + project: GithubActionTest + team: '\CxServer\SP\Checkmarx' + checkmarx_url: ${{ secrets.CHECKMARX_URL }} + checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} + checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} + checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} + # Upload the Report for CodeQL/Security Alerts + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: cx.sarif diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml new file mode 100644 index 0000000000..50185addd4 --- /dev/null +++ b/code-scanning/codacy.yml 
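Review bot: `project: GithubActionTest` is a hard-coded sample value with no "update this" hint, unlike the placeholders in the sibling templates, so every repository that adopts this workflow unchanged reports into the same Checkmarx project; either annotate it, `project: GithubActionTest # Update this to your Checkmarx project name`, or derive it, `project: ${{ github.event.repository.name }}`. The `checkmarx_username`/`checkmarx_password` inputs hand the action a long-lived interactive credential; a comment recommending a dedicated, scan-only service account for that secret pair would be appropriate for a template many repositories will copy.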
@@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow checks out code, performs a Codacy security scan +# and integrates the results with the +# GitHub Advanced Security code scanning feature. For more information on +# the Codacy security scan action usage and parameters, see +# https://github.com/codacy/codacy-analysis-cli-action. +# For more information on Codacy Analysis CLI in general, see +# https://github.com/codacy/codacy-analysis-cli. + +name: Codacy Security Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + codacy-security-scan: + name: Codacy Security Scan + runs-on: ubuntu-latest + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout code + uses: actions/checkout@v2 + + # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis + - name: Run Codacy Analysis CLI + uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b + with: + # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository + # You can also omit the token and run the tools that support default configurations + project-token: ${{ secrets.CODACY_PROJECT_TOKEN }} + verbose: true + output: results.sarif + format: sarif + # Adjust severity of non-security issues + gh-code-scanning-compat: true + # Force 0 exit code to allow SARIF file generation + # This will handover control about PR rejection to the GitHub side + max-allowed-issues: 2147483647 + + # Upload the SARIF file generated in the previous step + - name: Upload SARIF results file + uses: 
github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml new file mode 100644 index 0000000000..5886843a56 --- /dev/null +++ b/code-scanning/codescan.yml @@ -0,0 +1,42 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow requires that you have an existing account with codescan.io +# For more information about configuring your workflow, +# read our documentation at https://github.com/codescan-io/codescan-scanner-action +name: CodeScan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + CodeScan: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v2 + - name: Cache files + uses: actions/cache@v2 + with: + path: | + ~/.sonar + key: ${{ runner.os }}-sonar + restore-keys: ${{ runner.os }}-sonar + - name: Run Analysis + uses: codescan-io/codescan-scanner-action@5b2e8c5683ef6a5adc8fa3b7950bb07debccce12 + with: + login: ${{ secrets.CODESCAN_AUTH_TOKEN }} + organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }} + projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }} + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: codescan.sarif diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml new file mode 100644 index 0000000000..8077f76ad6 --- /dev/null +++ b/code-scanning/njsscan.yml 
@@ -0,0 +1,35 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates njsscan with GitHub's Code Scanning feature +# nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications + +name: njsscan sarif + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + njsscan: + runs-on: ubuntu-latest + name: njsscan code scanning + steps: + - name: Checkout the code + uses: actions/checkout@v2 + - name: nodejsscan scan + id: njsscan + uses: ajinabraham/njsscan-action@7237412fdd36af517e2745077cedbf9d6900d711 + with: + args: '. --sarif --output results.sarif || true' + - name: Upload njsscan report + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml new file mode 100644 index 0000000000..b5aefa4b59 --- /dev/null +++ b/code-scanning/ossar.yml 
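Review bot: `args: '. --sarif --output results.sarif || true'` depends on the action running its input through a shell so that `|| true` masks a non-zero exit; that also hides a genuine scanner crash (the next step then fails on a missing `results.sarif` with the real error buried in the previous log), and it couples the template to an implementation detail of the pinned action. The brakeman and detekt workflows in this same series handle the findings-cause-nonzero-exit case with `continue-on-error: true` on the scan step; `args: '. --sarif --output results.sarif'` plus `continue-on-error: true` is the consistent form and leaves failure signalling to GitHub code scanning.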
@@ -0,0 +1,49 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates a collection of open source static analysis tools +# with GitHub code scanning. For documentation, or to provide feedback, visit +# https://github.com/github/ossar-action +name: OSSAR + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + OSSAR-Scan: + # OSSAR runs on windows-latest. + # ubuntu-latest and macos-latest support coming soon + runs-on: windows-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + # Ensure a compatible version of dotnet is installed. + # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. + # A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action. + # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped. + # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action: + # - name: Install .NET + # uses: actions/setup-dotnet@v1 + # with: + # dotnet-version: '3.1.x' + + # Run open source static analysis tools + - name: Run OSSAR + uses: github/ossar-action@v1 + id: ossar + + # Upload results to the Security tab + - name: Upload OSSAR results + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ${{ steps.ossar.outputs.sarifFile }} diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml new file mode 100644 index 0000000000..5323d1b56f --- /dev/null +++ b/code-scanning/prisma.yml 
@@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow that checks for security issues using +# the Prisma Cloud Infrastructure as Code Scan Action on +# the IaC files present in the repository. +# The results are uploaded to GitHub Security Code Scanning +# +# For more details on the Action configuration see https://github.com/prisma-cloud-shiftleft/iac-scan-action + +name: Prisma Cloud IaC Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + prisma_cloud_iac_scan: + runs-on: ubuntu-latest + name: Run Prisma Cloud IaC Scan to check + steps: + - name: Checkout + uses: actions/checkout@v2 + - id: iac-scan + name: Run Scan on CFT files in the repository + uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3 + with: + # You will need Prisma Cloud API Access Token + # More details in https://github.com/prisma-cloud-shiftleft/iac-scan-action + prisma_api_url: ${{ secrets.PRISMA_CLOUD_API_URL }} + access_key: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }} + secret_key: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }} + # Scan sources on Prisma Cloud are uniquely identified by their name + asset_name: 'my-asset-name' + # The service need to know the type of IaC being scanned + template_type: 'CFT' + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + # Results are generated only on a success or failure + # this is required since GitHub by default won't run the next step + # when the previous one has failed. 
+ # And alternative it to add `continue-on-error: true` to the previous step + if: success() || failure() + with: + # The SARIF Log file name is configurable on scan action + # therefore the file name is best read from the steps output + sarif_file: ${{ steps.iac-scan.outputs.iac_scan_result_sarif_path }} diff --git a/code-scanning/properties/42crunch.properties.json b/code-scanning/properties/42crunch.properties.json new file mode 100644 index 0000000000..9fbeca98de --- /dev/null +++ b/code-scanning/properties/42crunch.properties.json @@ -0,0 +1,7 @@ +{ + "name": "42Crunch API Security Audit", + "creator": "42crunch", + "description": "Use the 42Crunch API Security Audit REST API to perform static application security testing (SAST) on OpenAPI/Swagger files.", + "iconName": "42crunch", + "categories": ["Code Scanning"] +} \ No newline at end of file diff --git a/code-scanning/properties/anchore.properties.json b/code-scanning/properties/anchore.properties.json new file mode 100644 index 0000000000..d997da473b --- /dev/null +++ b/code-scanning/properties/anchore.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Anchore Container Scan", + "creator": "Indeni Cloudrail", + "description": "Produce container image vulnerability and compliance reports based on the open-source Anchore container image scanner.", + "iconName": "anchore", + "categories": ["Code Scanning", "dockerfile"] +} \ No newline at end of file diff --git a/code-scanning/properties/brakeman.properties.json b/code-scanning/properties/brakeman.properties.json new file mode 100644 index 0000000000..559791959f --- /dev/null +++ b/code-scanning/properties/brakeman.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Brakeman", + "creator": "Brakeman", + "description": "Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications.", + "iconName": "brakeman", + "categories": ["Code Scanning", "ruby"] +} \ No newline at end of file 
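Review bot: The comment on the upload step reads `# And alternative it to add ...`, which should be `# An alternative is to add ...`; the three comment lines above it would also read more clearly as one sentence, e.g. `# Run even when the scan step failed: GitHub skips later steps after a failure by default`. The `asset_name: 'my-asset-name'` and `template_type: 'CFT'` inputs are fixed placeholders with no marker that they must be changed; the `# TODO: update ...` trailer used in the google.yml `env:` block in this same patch series would flag them for users copying the template. The step `name: Run Scan on CFT files in the repository` hard-codes the template type in prose as well, so a user switching `template_type` has a second place to update.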
diff --git a/code-scanning/properties/checkmarx.properties.json b/code-scanning/properties/checkmarx.properties.json new file mode 100644 index 0000000000..473a10372b --- /dev/null +++ b/code-scanning/properties/checkmarx.properties.json @@ -0,0 +1,7 @@ +{ + "name": "CxSAST", + "creator": "Checkmarx", + "description": "Scan your code with Checkmarx CxSAST and see your results in the GitHub security tab.", + "iconName": "checkmarx", + "categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "c", "c++", "ruby", "swift", "go", "json", "kotlin", "apex", "scala", "perl"] +} \ No newline at end of file diff --git a/code-scanning/properties/codacy.properties.json b/code-scanning/properties/codacy.properties.json new file mode 100644 index 0000000000..4ee436227e --- /dev/null +++ b/code-scanning/properties/codacy.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Codacy Security Scan", + "creator": "Codacy", + "description": "Free, out-of-the-box, security analysis provided by multiple open source static analysis tools.", + "iconName": "codacy", + "categories": ["Code Scanning", "apex", "bash", "c", "coffeescript", "c++", "c#", "crystal", "dockerfile", "elixir", "go", "groovy", "java", "javascript", "jsp", "kotlin", "markdown", "php", "plsql", "powershell", "python", "ruby", "scala", "swift", "tsql", "typescript", "velocity", "vba", "xml"] +} \ No newline at end of file diff --git a/code-scanning/properties/codescan.properties.json b/code-scanning/properties/codescan.properties.json new file mode 100644 index 0000000000..74b66cad44 --- /dev/null +++ b/code-scanning/properties/codescan.properties.json @@ -0,0 +1,7 @@ +{ + "name": "CodeScan", + "creator": "CodeScan Enterprises, LLC", + "description": "CodeScan allows for better visibility on your code quality checks based on your custom rulesets.", + "iconName": "codescan", + "categories": ["Code Scanning", "javascript", "apex"] +} \ No newline at end of file 
diff --git a/code-scanning/properties/njsscan.properties.json b/code-scanning/properties/njsscan.properties.json new file mode 100644 index 0000000000..c6510a16f5 --- /dev/null +++ b/code-scanning/properties/njsscan.properties.json @@ -0,0 +1,7 @@ +{ + "name": "njsscan", + "creator": "NodeJSScan", + "description": "nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications.", + "iconName": "njsscan", + "categories": ["Code Scanning", "JavaScript", "TypeScript"] +} \ No newline at end of file diff --git a/code-scanning/properties/ossar.properties.json b/code-scanning/properties/ossar.properties.json new file mode 100644 index 0000000000..d295205654 --- /dev/null +++ b/code-scanning/properties/ossar.properties.json @@ -0,0 +1,7 @@ +{ + "name": "OSSAR", + "creator": "GitHub", + "description": "Run multiple open source security static analysis tools without the added complexity with OSSAR (Open Source Static Analysis Runner).", + "iconName": "octicon mark-github", + "categories": ["Code Scanning", "python", "javascript"] +} \ No newline at end of file diff --git a/code-scanning/properties/prisma.properties.json b/code-scanning/properties/prisma.properties.json new file mode 100644 index 0000000000..7d8be175e6 --- /dev/null +++ b/code-scanning/properties/prisma.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Prisma Cloud IaC Scan", + "creator": "Palo Alto Prisma Cloud", + "description": "Scan your Infrastructure as Code files with Prisma Cloud to detect security issues", + "iconName": "prisma", + "categories": ["Code Scanning"] +} \ No newline at end of file diff --git a/code-scanning/properties/rubocop.properties.json b/code-scanning/properties/rubocop.properties.json new file mode 100644 index 0000000000..79f026bea7 --- /dev/null +++ b/code-scanning/properties/rubocop.properties.json 
@@ -0,0 +1,7 @@ +{ + "name": "RuboCop Linting", + "creator": "arthurnn", + "description": "A Ruby static code analyzer and formatter, based on the community Ruby style guide.", + "iconName": "rubocop", + "categories": ["Code Scanning", "ruby"] +} \ No newline at end of file diff --git a/code-scanning/properties/securitycodescan.properties.json b/code-scanning/properties/securitycodescan.properties.json new file mode 100644 index 0000000000..aa57969a02 --- /dev/null +++ b/code-scanning/properties/securitycodescan.properties.json @@ -0,0 +1,7 @@ +{ + "name": "SecurityCodeScan", + "creator": "@security-code-scan", + "description": "Vulnerability Patterns Detector for C# and VB.NET", + "iconName": "securitycodescan", + "categories": ["Code Scanning", "C#", "Visual Basic .NET"] +} \ No newline at end of file diff --git a/code-scanning/properties/semgrep.properties.json b/code-scanning/properties/semgrep.properties.json new file mode 100644 index 0000000000..5f74ed5358 --- /dev/null +++ b/code-scanning/properties/semgrep.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Semgrep", + "creator": "Returntocorp", + "description": "Continuously run Semgrep to find bugs and enforce secure code standards. Start with 1k+ community rules or write your own in a few minutes.", + "iconName": "semgrep", + "categories": ["Code Scanning", "Go", "Java", "JavaScript", "JSON", "Python", "Ruby", "TypeScript", "JSX", "TSX"] +} \ No newline at end of file diff --git a/code-scanning/properties/shiftleft.properties.json b/code-scanning/properties/shiftleft.properties.json new file mode 100644 index 0000000000..1cb36c9432 --- /dev/null +++ b/code-scanning/properties/shiftleft.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Scan", + "creator": "ShiftLeft", + "description": "Scan is a free open-source security tool for modern DevOps teams from ShiftLeft.", + "iconName": "shiftleft", + "categories": ["Code Scanning"] +} \ No newline at end of file 
diff --git a/code-scanning/properties/snyk-container.properties.json b/code-scanning/properties/snyk-container.properties.json new file mode 100644 index 0000000000..0b1ddb4cd5 --- /dev/null +++ b/code-scanning/properties/snyk-container.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Snyk Container", + "creator": "Snyk", + "description": "Detect vulnerabilities in your container images and surface the issues in GitHub code scanning.", + "iconName": "snyk", + "categories": ["Code Scanning", "dockerfile"] +} \ No newline at end of file diff --git a/code-scanning/properties/snyk-infrastructure.properties.json b/code-scanning/properties/snyk-infrastructure.properties.json new file mode 100644 index 0000000000..3680109ac4 --- /dev/null +++ b/code-scanning/properties/snyk-infrastructure.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Snyk Infrastructure as Code", + "creator": "Snyk", + "description": "Detect vulnerabilities in your infrastructure as code files and surface the issues in GitHub code scanning.", + "iconName": "snyk", + "categories": ["Code Scanning"] +} \ No newline at end of file diff --git a/code-scanning/properties/trivy.properties.json b/code-scanning/properties/trivy.properties.json new file mode 100644 index 0000000000..4f9613ce21 --- /dev/null +++ b/code-scanning/properties/trivy.properties.json @@ -0,0 +1,8 @@ +{ + "name": "Trivy", + "creator": "Aqua Security", + "description": "Scan Docker container images for vulnerabilities in OS packages and language dependencies with Trivy from Aqua Security.", + "iconName": "trivy", + "categories": ["Code Scanning", "dockerfile"], + "enterprise_requirements": ["docker"] +} \ No newline at end of file diff --git a/code-scanning/properties/xanitizer.properties.json b/code-scanning/properties/xanitizer.properties.json new file mode 100644 index 0000000000..6e578c3930 --- /dev/null +++ b/code-scanning/properties/xanitizer.properties.json 
@@ -0,0 +1,7 @@ +{ + "name": "Xanitizer", + "creator": "RIGS IT", + "description": "Automatically scan your code for vulnerabilities and generate compliance reports with the static security analysis tool Xanitizer (SAST).", + "iconName": "xanitizer", + "categories": ["Code Scanning", "javascript", "java", "scala", "typescript", "xml", "json"] +} \ No newline at end of file diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml new file mode 100644 index 0000000000..373d5b689d --- /dev/null +++ b/code-scanning/rubocop.yml @@ -0,0 +1,52 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# pulled from repo +name: "Rubocop" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + rubocop: + runs-on: ubuntu-latest + strategy: + fail-fast: false + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + # If running on a self-hosted runner, check it meets the requirements + # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners + - name: Set up Ruby + uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf + with: + ruby-version: 2.6 + + # This step is not necessary if you add the gem to your Gemfile + - name: Install Code Scanning integration + run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install + + - name: Install dependencies + run: bundle install + + - name: Rubocop run + run: | + bash -c " + bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif + [[ $? -ne 2 ]] + " + + - name: Upload Sarif output + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: rubocop.sarif 
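Review bot: In the `Rubocop run` step, `[[ $? -ne 2 ]]` sits inside a double-quoted `bash -c "…"` string, so the outer runner shell expands `$?` before the inner bash starts; the inner script then tests a literal status (normally `0`) rather than rubocop's exit code, and the step passes even when rubocop crashes (exit 2) or `bundle exec` fails outright, with the missing rubocop.sarif only noticed at the upload step. Single-quoting the wrapper defers the expansion to the inner shell: `bash -c '` on the opening line and `'` on the closing line, with the two inner lines unchanged. Separately, `ruby-version: 2.6` is a YAML float; quoting it (`ruby-version: '2.6'`) avoids a future `3.0` or `2.10` being read as `3`/`2.1`.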
diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml new file mode 100644 index 0000000000..3063c7ad7e --- /dev/null +++ b/code-scanning/securitycodescan.yml @@ -0,0 +1,41 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates SecurityCodeScan with GitHub's Code Scanning feature +# SecurityCodeScan is a vulnerability patterns detector for C# and VB.NET + +name: SecurityCodeScan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + SCS: + runs-on: windows-latest + steps: + - uses: actions/checkout@v2 + - uses: nuget/setup-nuget@04b0c2b8d1b97922f67eca497d7cf0bf17b8ffe1 + - uses: microsoft/setup-msbuild@v1.0.2 + + - name: Set up projects for analysis + uses: security-code-scan/security-code-scan-add-action@f8ff4f2763ed6f229eded80b1f9af82ae7f32a0d + + - name: Restore dependencies + run: dotnet restore + + - name: Build + run: dotnet build --no-restore + + - name: Convert sarif for uploading to GitHub + uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687 + + - name: Upload sarif + uses: github/codeql-action/upload-sarif@v1 diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml new file mode 100644 index 0000000000..827387be55 --- /dev/null +++ b/code-scanning/semgrep.yml 
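Review bot: The final `Upload sarif` step passes no `sarif_file`, so it relies on upload-sarif's default location; whether `security-code-scan-results-action` writes its output there is not visible in this hunk, so making the path explicit (`with:` / `sarif_file: <path written by the results action>`) would keep the two steps from drifting apart. `microsoft/setup-msbuild@v1.0.2` is the only third-party action in this job referenced by a mutable tag while `nuget/setup-nuget` and the two security-code-scan actions are pinned to commit SHAs; pinning it the same way, with a `# vX.Y.Z` trailer on each SHA line so the version stays readable, would make the job's supply-chain posture consistent.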
@@ -0,0 +1,42 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow file requires a free account on Semgrep.dev to +# manage rules, file ignores, notifications, and more. +# +# See https://semgrep.dev/docs + +name: Semgrep + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + semgrep: + name: Scan + runs-on: ubuntu-latest + steps: + # Checkout project source + - uses: actions/checkout@v2 + + # Scan code using project's configuration on https://semgrep.dev/manage + - uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735 + with: + publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} + publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }} + generateSarif: "1" + + # Upload SARIF file generated in previous step + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: semgrep.sarif + if: always() diff --git a/code-scanning/shiftleft.yml b/code-scanning/shiftleft.yml new file mode 100644 index 0000000000..48b86d3d96 --- /dev/null +++ b/code-scanning/shiftleft.yml 
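Review bot: `if: always()` is the last line of the upload step, after `with:`; putting the condition before `uses:` matches the step layout elsewhere and keeps the guard visible when reading the step top-down. `always()` also runs the upload when the job was cancelled or checkout failed, whereas prisma.yml in this same commit uses `if: success() || failure()` for the equivalent step; using one form across the code-scanning templates would be clearer. `publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }}` appears to store a non-secret identifier as a secret, which is harmless but masks it in logs; a comment noting that only `SEMGREP_APP_TOKEN` is sensitive would help, if that is the case.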
@@ -0,0 +1,47 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates Scan with GitHub's code scanning feature +# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft +# Visit https://slscan.io/en/latest/integrations/code-scan for help +name: SL Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + Scan-Build: + # Scan runs on ubuntu, mac and windows + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + # Instructions + # 1. Setup JDK, Node.js, Python etc depending on your project type + # 2. Compile or build the project before invoking scan + # Example: mvn compile, or npm install or pip install goes here + # 3. Invoke Scan with the github token. Leave the workspace empty to use relative url + + - name: Perform Scan + uses: ShiftLeftSecurity/scan-action@39af9e54bc599c8077e710291d790175c9231f64 + env: + WORKSPACE: "" + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SCAN_AUTO_BUILD: true + with: + output: reports + # Scan auto-detects the languages in your project. To override uncomment the below variable and set the type + # type: credscan,java + # type: python + + - name: Upload report + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: reports diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml new file mode 100644 index 0000000000..8ff2c9a4b8 --- /dev/null +++ b/code-scanning/snyk-container.yml 
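Review bot: `SCAN_AUTO_BUILD: true` in the `env:` block is a YAML boolean rather than a string; GitHub stringifies it to `true`, but quoting it (`SCAN_AUTO_BUILD: "true"`) matches `WORKSPACE: ""` on the line above and avoids depending on that coercion. The step also hands `GITHUB_TOKEN` to a third-party action, so whatever the job token is scoped to is what `ShiftLeftSecurity/scan-action` can do; a comment stating why the token is needed (the `# 3. Invoke Scan with the github token` instruction hints at it) and a job-level `permissions:` block would document and bound that. The `Upload report` step passes the `reports` directory as `sarif_file`, which upload-sarif accepts, but a comment saying it is a directory of SARIF files would save readers a lookup.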
@@ -0,0 +1,48 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which checks out the code, builds a container +# image using Docker and scans that image for vulnerabilities using +# Snyk. The results are then uploaded to GitHub Security Code Scanning +# +# For more examples, including how to limit scans to only high-severity +# issues, monitor images for newly disclosed vulnerabilities in Snyk and +# fail PR checks for new vulnerabilities, see https://github.com/snyk/actions/ + +name: Snyk Container + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + snyk: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Build a Docker image + run: docker build -t your/image-to-test . + - name: Run Snyk to check Docker image for vulnerabilities + # Snyk can be used to break the build when it detects vulnerabilities. + # In this case we want to upload the issues to GitHub Code Scanning + continue-on-error: true + uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4 + env: + # In order to use the Snyk Action you will need to have a Snyk API token. + # More details in https://github.com/snyk/actions#getting-your-snyk-token + # or you can signup for free at https://snyk.io/login + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: your/image-to-test + args: --file=Dockerfile + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: snyk.sarif diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml new file mode 100644 index 0000000000..b79bf340e4 --- /dev/null +++ b/code-scanning/snyk-infrastructure.yml 
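Review bot: The image name `your/image-to-test` is written twice, in the `docker build -t` line and in the `image:` input, so a user who updates one and not the other scans the wrong image; an `env:` entry such as `IMAGE_NAME: your/image-to-test  # TODO: update` referenced from both places removes the duplication. `continue-on-error: true` on the scan step is explained by the comment above it, but it also hides a failed authentication or a broken Snyk run, in which case snyk.sarif would be absent and the job fails only at the upload step; a short note to that effect would be useful. The same two points apply to the snyk-infrastructure hunk below.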
@@ -0,0 +1,47 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which checks out your Infrastructure as Code Configuration files, +# such as Kubernetes, Helm & Terraform and scans them for any security issues. +# The results are then uploaded to GitHub Security Code Scanning +# +# For more examples, including how to limit scans to only high-severity issues +# and fail PR checks, see https://github.com/snyk/actions/ + +name: Snyk Infrastructure as Code + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + snyk: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Run Snyk to check configuration files for security issues + # Snyk can be used to break the build when it detects security issues. + # In this case we want to upload the issues to GitHub Code Scanning + continue-on-error: true + uses: snyk/actions/iac@14818c4695ecc4045f33c9cee9e795a788711ca4 + env: + # In order to use the Snyk Action you will need to have a Snyk API token. + # More details in https://github.com/snyk/actions#getting-your-snyk-token + # or you can signup for free at https://snyk.io/login + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + # Add the path to the configuration file that you would like to test. + # For example `deployment.yaml` for a Kubernetes deployment manifest + # or `main.tf` for a Terraform configuration file + file: your-file-to-test.yaml + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: snyk.sarif diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml new file mode 100644 index 0000000000..f778492b98 --- /dev/null +++ b/code-scanning/trivy.yml 
@@ -0,0 +1,41 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: build + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + build: + name: Build + runs-on: "ubuntu-18.04" + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Build an image from Dockerfile + run: | + docker build -t docker.io/my-organization/my-app:${{ github.sha }} . + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2 + with: + image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: 'trivy-results.sarif' diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml new file mode 100644 index 0000000000..3bfb9ed68d --- /dev/null +++ b/code-scanning/xanitizer.yml 
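Review bot: `runs-on: "ubuntu-18.04"` pins this job to a specific runner image while every other workflow in this commit uses `ubuntu-latest`; unless Trivy has a known incompatibility with newer images, `ubuntu-latest` would be consistent and avoid the job breaking when that image is retired. The workflow `name: build` is generic where the other templates are named after the tool (`name: Trivy` would match trivy.properties.json). `severity: 'CRITICAL,HIGH'` means MEDIUM and LOW findings never reach the SARIF upload; a comment above it, `# Only CRITICAL and HIGH findings are reported to code scanning; widen or remove to report everything`, would make that filter deliberate rather than surprising.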
@@ -0,0 +1,92 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow downloads and installs the latest version of Xanitizer, builds your project, runs a Xanitizer security analysis on it, +# and then archives the findings list reports and uploads the findings into the GitHub code scanning alert section of your repository. +# +# Documentation for the `RIGS-IT/xanitizer-action` is located here: https://github.com/RIGS-IT/xanitizer-action +# +# To use this basic workflow, you will need to complete the following setup steps: +# +# 1. The underlying Xanitizer, used in this workflow, needs a separate license file. +# Licenses are free of charge for open source projects and for educational usage. +# To get more information about the Xanitizer licenses and how to obtain a license file, +# please consult https://www.xanitizer.com/xanitizer-pricing/. +# +# 2. The content of the license file has to be stored as a GitHub secret (e.g. XANITIZER_LICENSE) on this repository. +# Please consult https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets for details. +# +# 3. Reference the GitHub secret in the step using the `RIGS-IT/xanitizer-action` GitHub action. +# Example: +# - name: Xanitizer Security Analysis +# uses: RIGS-IT/xanitizer-action@v1 +# with: +# license: ${{ secrets.XANITIZER_LICENSE }} +# +# 4. As a static application security testing (SAST) tool, +# Xanitizer requires that all dependencies of the artifacts being analyzed can be resolved successfully. +# So you have to install all used libraries and build your project before running the security analysis, +# e.g. 
via `mvn compile` for Java or `npm install` for JavaScript + +name: "Xanitizer Security Analysis" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + workflow_dispatch: + +jobs: + xanitizer-security-analysis: + # Xanitizer runs on ubuntu-latest and windows-latest. + runs-on: ubuntu-latest + + steps: + # Check out the repository + - name: Checkout + uses: actions/checkout@v2 + + # Set up the correct Java version for your project + # Please comment out, if your project does not contain Java source code. + - name: Set up JDK 11 + uses: actions/setup-java@v1 + with: + java-version: 11 + + # Compile the code for Java projects and get all libraries, e.g. via Maven + # Please adapt, if your project uses another build system to compile Java source code. + # Please comment out, if your project does not contain Java source code. + - name: Compile Java code + run: mvn -B compile + + # Install all dependent libraries for JavaScript/TypeScript projects, e.g. via npm + # Please adapt to run `npm install` in the correct directories. + # Please adapt, if your project uses another package manager for getting JavaScript libraries. + # Please comment out, if your project does not use a package manager for getting JavaScript libraries. 
+ - name: Install JavaScript libraries + run: npm install + + # Run the security analysis with default settings + - name: Xanitizer Security Analysis + uses: RIGS-IT/xanitizer-action@87d13138fb113b727cbe040c744a15a2b4fe5316 + with: + license: ${{ secrets.XANITIZER_LICENSE }} + + # Archiving the findings list reports + - uses: actions/upload-artifact@v2 + with: + name: Xanitizer-Reports + path: | + *-Findings-List.pdf + *-Findings-List.sarif + + # Uploads the findings into the GitHub code scanning alert section using the upload-sarif action + - uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: Xanitizer-Findings-List.sarif diff --git a/icons/42crunch.svg b/icons/42crunch.svg new file mode 100644 index 0000000000..96cd102e80 --- /dev/null +++ b/icons/42crunch.svg @@ -0,0 +1,19 @@ + + + + + + + + diff --git a/icons/anchore.svg b/icons/anchore.svg new file mode 100644 index 0000000000..2381f20af0 --- /dev/null +++ b/icons/anchore.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/icons/brakeman.svg b/icons/brakeman.svg new file mode 100644 index 0000000000..ce91881e8f --- /dev/null +++ b/icons/brakeman.svg @@ -0,0 +1,464 @@ + +image/svg+xml \ No newline at end of file diff --git a/icons/checkmarx.svg b/icons/checkmarx.svg new file mode 100644 index 0000000000..6bf5ad3708 --- /dev/null +++ b/icons/checkmarx.svg @@ -0,0 +1,14 @@ + + + + + + diff --git a/icons/codacy.svg b/icons/codacy.svg new file mode 100644 index 0000000000..736d60c261 --- /dev/null +++ b/icons/codacy.svg @@ -0,0 +1,16 @@ + + + +codacy-white + + + + + + + + + + + diff --git a/icons/codescan.svg b/icons/codescan.svg new file mode 100644 index 0000000000..5a44c2abaf --- /dev/null +++ b/icons/codescan.svg @@ -0,0 +1,69 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/icons/njsscan.svg b/icons/njsscan.svg new file mode 100644 index 0000000000..a9989e872c --- /dev/null +++ b/icons/njsscan.svg @@ -0,0 +1,755 @@ + + + + 
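Review bot: The setup comment at step 3 shows `uses: RIGS-IT/xanitizer-action@v1` as the example, while the actual `Xanitizer Security Analysis` step pins `@87d13138fb113b727cbe040c744a15a2b4fe5316`; users who copy the comment end up on a mutable tag, so the example should use the same pinned form, and a `# v1` trailer on the SHA line would keep it readable. `mvn -B compile` and `npm install` both run unconditionally and the comments tell the user to comment out whichever does not apply; a `# TODO: remove if your project has no Java / JavaScript sources` trailer on each step name would make that more visible than the multi-line preamble. `java-version: 11` is unquoted; it is safe as an integer, but `'11'` is the form that stays correct if a dotted version is substituted.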
diff --git a/icons/prisma.svg b/icons/prisma.svg new file mode 100644 index 0000000000..dfb5fdf5bb --- /dev/null +++ b/icons/prisma.svg @@ -0,0 +1,16 @@ + + + + + + + + + + + + + + + + diff --git a/icons/rubocop.svg b/icons/rubocop.svg new file mode 100644 index 0000000000..3add0567dc --- /dev/null +++ b/icons/rubocop.svg @@ -0,0 +1 @@ + diff --git a/icons/securitycodescan.svg b/icons/securitycodescan.svg new file mode 100644 index 0000000000..db0181ab34 --- /dev/null +++ b/icons/securitycodescan.svg @@ -0,0 +1,3 @@ + + + diff --git a/icons/semgrep.svg b/icons/semgrep.svg new file mode 100644 index 0000000000..1a3e2a9815 --- /dev/null +++ b/icons/semgrep.svg @@ -0,0 +1,4 @@ + + + + diff --git a/icons/shiftleft.svg b/icons/shiftleft.svg new file mode 100644 index 0000000000..f8e944af3a --- /dev/null +++ b/icons/shiftleft.svg @@ -0,0 +1,6 @@ + + + + + + diff --git a/icons/snyk.svg b/icons/snyk.svg new file mode 100644 index 0000000000..8a934ac935 --- /dev/null +++ b/icons/snyk.svg @@ -0,0 +1,31 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/icons/trivy.svg b/icons/trivy.svg new file mode 100644 index 0000000000..ba2d477b30 --- /dev/null +++ b/icons/trivy.svg @@ -0,0 +1,93 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/icons/xanitizer.svg b/icons/xanitizer.svg new file mode 100644 index 0000000000..1d5fe169a5 --- /dev/null +++ b/icons/xanitizer.svg @@ -0,0 +1,50 @@ + +image/svg+xml \ No newline at end of file From 28856d6071d6bbeb7c0111aab7f0ef7f2b71bce1 Mon Sep 17 00:00:00 2001 From: Fedor Isakov Date: Fri, 19 Nov 2021 20:46:53 +0300 Subject: [PATCH 171/844] Update google deployment starter workflow --- deployments/google.yml | 47 ++++++++++--------- deployments/properties/google.properties.json | 2 +- 2 files changed, 27 insertions(+), 22 deletions(-) diff --git a/deployments/google.yml b/deployments/google.yml index 267d3cb7bd..bfb5de630b 100644 
--- a/deployments/google.yml +++ b/deployments/google.yml @@ -4,11 +4,11 @@ # # 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. # -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). +# 2. Create and configure a Workload Identity Provider for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) # -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). +# 3. Change the values for the GAR_LOCATION, GKE_ZONE, GKE_CLUSTER, IMAGE, REPOSITORY and DEPLOYMENT_NAME environment variables (below). # -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke +# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke-kustomize name: Build and Deploy to GKE @@ -19,11 +19,17 @@ on: env: PROJECT_ID: ${{ secrets.GKE_PROJECT }} + GAR_LOCATION: us-central1 # TODO: update region of the Artifact Registry GKE_CLUSTER: cluster-1 # TODO: update to cluster name GKE_ZONE: us-central1-c # TODO: update to cluster zone DEPLOYMENT_NAME: gke-test # TODO: update to deployment name + REPOSITORY: samples # TODO: update to Artifact Registry docker repository IMAGE: static-site +permissions: + contents: 'read' + id-token: 'write' + jobs: setup-build-publish-deploy: name: Setup, Build, Publish, and Deploy 
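Review bot: The rewritten step 2 comment replaces the instruction to create the `GKE_PROJECT` secret with the Workload Identity Provider setup, but `PROJECT_ID: ${{ secrets.GKE_PROJECT }}` in the `env:` block (next hunk) still reads that secret, so the setup steps no longer tell the user to create it. Suggested wording: `# 2. Create a GKE_PROJECT secret with your project ID, then create and configure a Workload Identity Provider for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)`. In the following hunk, `contents: 'read'` and `id-token: 'write'` are the only quoted plain scalars in the file; unquoted `read`/`write` would match the surrounding style.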
@@ -34,48 +40,47 @@ jobs: - name: Checkout uses: actions/checkout@v2 - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v0.2.0 + # Configure Workload Identity Federation and generate an access token. + - id: 'auth' + name: 'Authenticate to Google Cloud' + uses: 'google-github-actions/auth@v0.4.0' with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker + token_format: 'access_token' + workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' + service_account: 'my-service-account@my-project.iam.gserviceaccount.com' + - name: Docker configuration + run: |- + echo ${{steps.auth.outputs.access_token}} | docker login -u oauth2accesstoken --password-stdin https://$GAR_LOCATION-docker.pkg.dev # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v0.2.1 + - name: Set up GKE credentials + uses: google-github-actions/get-gke-credentials@v0.4.0 with: cluster_name: ${{ env.GKE_CLUSTER }} location: ${{ env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY }} # Build the Docker image - name: Build run: |- docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ + --tag "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA" \ --build-arg GITHUB_SHA="$GITHUB_SHA" \ --build-arg GITHUB_REF="$GITHUB_REF" \ . 
- - # Push the Docker image to Google Container Registry + # Push the Docker image to Google Artifact Registry - name: Publish run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - + docker push "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA" # Set up kustomize - name: Set up Kustomize run: |- curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 chmod u+x ./kustomize - # Deploy the Docker image to the GKE cluster - name: Deploy run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA + # replacing the image name in the k8s template + ./kustomize edit set image LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE:TAG=$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA ./kustomize build . | kubectl apply -f - kubectl rollout status deployment/$DEPLOYMENT_NAME kubectl get services -o wide diff --git a/deployments/properties/google.properties.json b/deployments/properties/google.properties.json index 6318106491..f1bd883617 100644 --- a/deployments/properties/google.properties.json +++ b/deployments/properties/google.properties.json @@ -3,5 +3,5 @@ "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", "creator": "Google Cloud", "iconName": "googlegke", - "categories": ["Deployment", "Dockerfile"] + "categories": ["Deployment", "Dockerfile", "Kubernetes", "Kustomize"] } \ No newline at end of file From 499e38bc3ee1fea3ced5760aa8d1668e781b768e Mon Sep 17 00:00:00 2001 
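Review bot: The "Docker configuration" step interpolates the access token directly into the shell script via `${{steps.auth.outputs.access_token}}`, so the token becomes part of the script text rather than being passed through the environment; passing it as an env var is the safer, conventional form: `env:` / `  ACCESS_TOKEN: ${{ steps.auth.outputs.access_token }}` / `run: echo "$ACCESS_TOKEN" | docker login -u oauth2accesstoken --password-stdin https://$GAR_LOCATION-docker.pkg.dev`. The `workload_identity_provider` and `service_account` values are placeholders but, unlike the `env:` entries earlier in the file, carry no `# TODO: update ...` marker telling users they must be replaced. The `google-github-actions/auth@v0.4.0` and `get-gke-credentials@v0.4.0` references are mutable tags; if the repository's pinning policy for third-party actions applies here, a full commit SHA with a version comment would be consistent with it.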
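Review bot: The `description` field still reads "publish it to Google Container Registry" although the workflow this commit rewrites now builds and pushes to Artifact Registry (`$GAR_LOCATION-docker.pkg.dev/...`) and the comment in the workflow was updated accordingly. Suggest `"description": "Build a docker container, publish it to Google Artifact Registry, and deploy to GKE."` so the template listing matches what the workflow does.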
From: abdul-hai-apisec Date: Mon, 22 Nov 2021 20:35:15 +0530 Subject: [PATCH 172/844] Added starter workflow to help you get started with APIsec-Scan Actions. --- code-scanning/apisec-scan.yml | 63 +++++++++++++++++++ .../properties/apisec-scan.properties.json | 24 +++++++ icons/apisec.svg | 17 +++++ 3 files changed, 104 insertions(+) create mode 100644 code-scanning/apisec-scan.yml create mode 100644 code-scanning/properties/apisec-scan.properties.json create mode 100644 icons/apisec.svg diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml new file mode 100644 index 0000000000..55356ad11e --- /dev/null +++ b/code-scanning/apisec-scan.yml 
@@ -0,0 +1,63 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# APIsec addresses the critical need to secure APIs before they reach production. +# APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs. +# Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities. + +# How to Get Started with APIsec.ai +# 1. Schedule a demo at https://www.apisec.ai/request-a-demo . +# +# 2. Register your account at https://cloud.fxlabs.io/#/signup . +# +# 3. Register your API . See the video (https://www.youtube.com/watch?v=MK3Xo9Dbvac) to get up and running with APIsec quickly. +# +# 4. Get GitHub Actions scan attributes from APIsec Project -> Configurations -> Integrations -> CI-CD -> GitHub Actions +# +# apisec-run-scan +# +# This action triggers the on-demand scans for projects registered in APIsec. +# If your GitHub account allows code scanning alerts, you can then upload the sarif file generated by this action to show the scan findings. +# Else you can view the scan results from the project home page in APIsec Platform. +# The link to view the scan results is also displayed on the console on successful completion of action. + +# This is a starter workflow to help you get started with APIsec-Scan Actions + +name: APIsec + +# Controls when the workflow will run +on: + # Triggers the workflow on push or pull request events but only for the $default-branch branch + # Customize trigger events based on your DevSecOps processes. 
+ push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + + +jobs: + Trigger-APIsec-Scan: + runs-on: ubuntu-latest + + steps: + - name: APIsec Scan + uses: apisec-inc/apisec-run-scan@master + with: + # The APIsec username with which the scans will be executed + apisec-username: ${{ secrets.apisec_username }} + # The Password of the APIsec user with which the scans will be executed + apisec-password: ${{ secrets.apisec_password}} + # The name of the project for security scan + apisec-project: "VAmPI" + # The name of the sarif format result file The file is written only if this property is provided. + sarif-result-file: "apisec-results.sarif" + + - name: Import Results + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ./apisec-results.sarif \ No newline at end of file diff --git a/code-scanning/properties/apisec-scan.properties.json b/code-scanning/properties/apisec-scan.properties.json new file mode 100644 index 0000000000..9e7db581b3 --- /dev/null +++ b/code-scanning/properties/apisec-scan.properties.json @@ -0,0 +1,24 @@ +{ + "name": "APIsec Scan", + "creator": "APIsec", + "description": "APIsec addresses the critical need to secure APIs before they reach production. APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs. Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities.", + "iconName": "apisec", + "categories": [ + "Code Scanning", + "C", + "C#", + "C++", + "Go", + "Java", + "JavaScript", + "Kotlin", + "Objective C", + "PHP", + "Python", + "Ruby", + "Rust", + "Scala", + "Swift", + "TypeScript" + ] +} diff --git a/icons/apisec.svg b/icons/apisec.svg new file mode 100644 index 0000000000..664dfa93b1 --- /dev/null +++ b/icons/apisec.svg 
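Review bot: The workflow has no `permissions:` block, so the job runs with whatever the repository's default `GITHUB_TOKEN` permissions are, even though `upload-sarif` only needs `security-events: write`; adding a top-level `permissions:` / `  contents: read` / `  security-events: write` keeps the token at least privilege. The step `uses: apisec-inc/apisec-run-scan@master` references a mutable branch and receives `secrets.apisec_username` and `secrets.apisec_password`, so any change on that branch runs with those credentials; a later commit on this page pins it to a commit SHA, which is the right fix. The `apisec-project: "VAmPI"` value is an example name and, like the other inputs, would benefit from a `# TODO: set to your APIsec project name` comment so users know it must be replaced.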
@@ -0,0 +1,17 @@ + + + Group + + + + \ No newline at end of file From 6439d558f42430c1a7e94c9ca7aa587dcbe8d1ed Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Mon, 22 Nov 2021 21:14:54 +0530 Subject: [PATCH 173/844] Updated the names as per the pull request checklist. --- code-scanning/apisec-scan.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 55356ad11e..67937ac1c8 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -32,21 +32,23 @@ on: # Triggers the workflow on push or pull request events but only for the $default-branch branch # Customize trigger events based on your DevSecOps processes. push: - branches: [ $default-branch ] + branches: [ $default-branch, $protected-branches ] pull_request: branches: [ $default-branch ] + schedule: + - cron: $cron-weekly # Allows you to run this workflow manually from the Actions tab workflow_dispatch: jobs: - Trigger-APIsec-Scan: + Trigger APIsec scan: runs-on: ubuntu-latest steps: - - name: APIsec Scan - uses: apisec-inc/apisec-run-scan@master + - name: APIsec scan + uses: apisec-inc/apisec-run-scan@f62d0c6fae8a80f97b091a323befdb56e6ad9993 with: # The APIsec username with which the scans will be executed apisec-username: ${{ secrets.apisec_username }} @@ -57,7 +59,7 @@ jobs: # The name of the sarif format result file The file is written only if this property is provided. sarif-result-file: "apisec-results.sarif" - - name: Import Results + - name: Import results uses: github/codeql-action/upload-sarif@v1 with: sarif_file: ./apisec-results.sarif \ No newline at end of file From 0debae5ec754be64d660b4f9992796fa31f4f0db Mon Sep 17 00:00:00 2001 
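Review bot: In the first hunk of apisec-scan.yml the job key is renamed to `Trigger APIsec scan:`, but job identifiers may only contain alphanumerics, `-` and `_`, so a key with spaces should fail workflow validation; keep the identifier and set the display name instead: `Trigger-APIsec-Scan:` / `  name: Trigger APIsec scan`. Pinning `apisec-inc/apisec-run-scan` to a full commit SHA is the right move; a trailing version comment such as `# <release tag>` next to the SHA would make future updates reviewable without resolving the hash by hand.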
From: anaarmas <54946499+anaarmas@users.noreply.github.com> Date: Tue, 23 Nov 2021 09:37:32 +0100 Subject: [PATCH 174/844] fix crunch42 template id so it overrides old template as required --- code-scanning/{42crunch.yml => crunch42.yml} | 0 .../{42crunch.properties.json => crunch42.properties.json} | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename code-scanning/{42crunch.yml => crunch42.yml} (100%) rename code-scanning/properties/{42crunch.properties.json => crunch42.properties.json} (90%) diff --git a/code-scanning/42crunch.yml b/code-scanning/crunch42.yml similarity index 100% rename from code-scanning/42crunch.yml rename to code-scanning/crunch42.yml diff --git a/code-scanning/properties/42crunch.properties.json b/code-scanning/properties/crunch42.properties.json similarity index 90% rename from code-scanning/properties/42crunch.properties.json rename to code-scanning/properties/crunch42.properties.json index 9fbeca98de..82ae816ec0 100644 --- a/code-scanning/properties/42crunch.properties.json +++ b/code-scanning/properties/crunch42.properties.json @@ -1,6 +1,6 @@ { "name": "42Crunch API Security Audit", - "creator": "42crunch", + "creator": "42Crunch", "description": "Use the 42Crunch API Security Audit REST API to perform static application security testing (SAST) on OpenAPI/Swagger files.", "iconName": "42crunch", "categories": ["Code Scanning"] From c4dadecc05874dd13684bcea151993acf42199f7 Mon Sep 17 00:00:00 2001 From: anaarmas <54946499+anaarmas@users.noreply.github.com> Date: Tue, 23 Nov 2021 21:14:53 +0100 Subject: [PATCH 175/844] find a way to pin the SHA for detekt workflow template --- code-scanning/detekt.yml | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index 0edc8b5bee..a8610c32c4 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml 
@@ -53,21 +53,30 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - DETEKT_DOWNLOAD_URL=$( gh api graphql --field tagName=$DETEKT_RELEASE_TAG --raw-field query=' + gh api graphql --field tagName=$DETEKT_RELEASE_TAG --raw-field query=' query getReleaseAssetDownloadUrl($tagName: String!) { repository(name: "detekt", owner: "detekt") { release(tagName: $tagName) { - # it doesn't look like there is an alternative semantics for this with a specific SHA, is this release tag immutable? releaseAssets(name: "detekt", first: 1) { nodes { downloadUrl } } + tagCommit { + oid + } } } } - ' | \ - jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' ) + ' 1> gh_response.json + + DETEKT_RELEASE_SHA=$(jq --raw-output '.data.repository.release.releaseAssets.tagCommit.oid' gh_response.json) + if [ $DETEKT_RELEASE_SHA != "37f0a1d006977512f1f216506cd695039607c3e5" ]; then + echo "Release tag doesn't match expected commit SHA" + exit 1 + fi + + DETEKT_DOWNLOAD_URL=$(jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' gh_response.json) echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL" # Sets up the detekt cli From 8fd6550c33440825258777a9a357dabe11fd35b2 Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 24 Nov 2021 14:20:00 -0800 Subject: [PATCH 176/844] Revert overwrite from upstream pull --- deployments/azure-webapps-node.yml | 32 +++++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index a1330ccc78..fcfb75e23e 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml 
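Review bot: The jq path for the commit SHA does not match the query: `tagCommit` is requested as a sibling of `releaseAssets` under `release`, so `.data.repository.release.releaseAssets.tagCommit.oid` would yield `null` and the comparison would presumably fail on every run, defeating the pin; the line should be `DETEKT_RELEASE_SHA=$(jq --raw-output '.data.repository.release.tagCommit.oid' gh_response.json)`. The variable is also unquoted inside `[ ]`, so an empty response turns into a shell syntax error rather than the intended failure message; use `if [ "$DETEKT_RELEASE_SHA" != "37f0a1d006977512f1f216506cd695039607c3e5" ]; then`. The enclosing `run:` step continues outside the hunk.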
@@ -29,27 +29,45 @@ env: NODE_VERSION: '10.x' # set this to the node version to use jobs: - build-and-deploy: - name: Build and Deploy + build: runs-on: ubuntu-latest - environment: production steps: - uses: actions/checkout@v2 - - name: Use Node.js ${{ env.NODE_VERSION }} + + - name: Set up Node.js uses: actions/setup-node@v2 with: node-version: ${{ env.NODE_VERSION }} + - name: npm install, build, and test run: | - # Build and test the project, then - # deploy to Azure Web App. npm install npm run build --if-present npm run test --if-present + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v2 + with: + name: node-app + path: . + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: node-app + - name: 'Deploy to Azure WebApp' id: deploy-to-webapp uses: azure/webapps-deploy@v2 with: app-name: ${{ env.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} + package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} \ No newline at end of file From 278aa7a82e206a81e3a9057063117e4d94cf5356 Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 24 Nov 2021 14:26:16 -0800 Subject: [PATCH 177/844] Add dependency caching for .NET, Node, PHP, and Python workflows --- deployments/azure-webapps-dotnet-core.yml | 8 ++++++++ deployments/azure-webapps-node.yml | 1 + deployments/azure-webapps-php.yml | 15 +++++++++++++++ deployments/azure-webapps-python.yml | 8 ++++++++ 4 files changed, 32 insertions(+) diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index fe81148ef8..7a2a84fa6c 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml 
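Review bot: The new `build` job uploads `path: .` as the `node-app` artifact, which includes the `.git/` directory from checkout along with everything else in the workspace; that inflates the artifact handed to `deploy` and ships repository history into the deployment package, so a narrower path or an exclusion pattern is worth documenting for users. The install step still uses `npm install` even though the build is meant to be reproducible from the lockfile; `npm ci` would match the `ci/npm-publish.yml` templates elsewhere on this page. The `env:` block this hunk depends on starts outside the hunk.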
@@ -41,6 +41,14 @@ jobs: uses: actions/setup-dotnet@v1 with: dotnet-version: ${{ env.DOTNET_VERSION }} + + - name: Set up dependency caching for faster builds + uses: actions/cache@v2 + with: + path: ~/.nuget/packages + key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }} + restore-keys: | + ${{ runner.os }}-nuget- - name: Build with dotnet run: dotnet build --configuration Release diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index fcfb75e23e..8546feafb6 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -38,6 +38,7 @@ jobs: uses: actions/setup-node@v2 with: node-version: ${{ env.NODE_VERSION }} + cache: 'npm' - name: npm install, build, and test run: | diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index c900dfa327..ad351dceb8 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -48,6 +48,21 @@ jobs: with: files: 'composer.json' + - name: Get Composer Cache Directory + id: composer-cache + if: steps.check_files.outputs.files_exists == 'true' + run: | + echo "::set-output name=dir::$(composer config cache-files-dir)" + + - name: Set up dependency caching for faster installs + uses: actions/cache@v2 + if: steps.check_files.outputs.files_exists == 'true' + with: + path: ${{ steps.composer-cache.outputs.dir }} + key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} + restore-keys: | + ${{ runner.os }}-composer- + - name: Run composer install if composer.json exists if: steps.check_files.outputs.files_exists == 'true' run: composer validate --no-check-publish && composer install --prefer-dist --no-progress diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 216742f927..1212caaed7 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml 
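Review bot: In the dotnet-core hunk the cache key uses `hashFiles('**/packages.lock.json')`, but that file only exists when lock files are enabled for the project; for projects without it the hash is empty, the key collapses to `${{ runner.os }}-nuget-` (the same string as the restore key) and the cache would presumably be saved once and never refreshed. A comment above the step such as `# Requires <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile> in the project file; otherwise key on **/*.csproj` would tell users what the template expects. The PHP hunk in the same commit is fine, as it gates both cache steps on `check_files`.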
@@ -46,6 +46,14 @@ jobs: python -m venv venv source venv/bin/activate + - name: Set up dependency caching for faster installs + uses: actions/cache@v2 + with: + path: ~/.cache/pip + key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }} + restore-keys: | + ${{ runner.os }}-pip- + - name: Install dependencies run: pip install -r requirements.txt From 1a67e08a9eb41fc63c6d5ef750ed6e8f37a9595a Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 24 Nov 2021 15:58:25 -0800 Subject: [PATCH 178/844] Update azure-webapps-container.yml --- deployments/azure-webapps-container.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-webapps-container.yml index 407279e36e..7c7bb2a990 100644 --- a/deployments/azure-webapps-container.yml +++ b/deployments/azure-webapps-container.yml @@ -11,7 +11,14 @@ # 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. # For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret # -# 3. Change the value for the AZURE_WEBAPP_NAME. +# 3. Create a GitHub Personal access token with "repo" and "read:packages" permissions. +# +# 4. Create three app settings on your Azure Web app: +# DOCKER_REGISTRY_SERVER_URL: Set this to "https://ghcr.io" +# DOCKER_REGISTRY_SERVER_USERNAME: Set this to the GitHub username or organization that owns the repository +# DOCKER_REGISTRY_SERVER_PASSWORD: Set this to the value of your PAT token from the previous step +# +# 5. Change the value for the AZURE_WEBAPP_NAME. # # For more information on GitHub Actions for Azure: https://github.com/Azure/Actions # For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy 
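Review bot: In the azure-webapps-container comment hunk, step 3 asks users to create a personal access token with `"repo"` scope and store it as the `DOCKER_REGISTRY_SERVER_PASSWORD` app setting, but the text does not say that this is a long-lived credential with broad access to every repository the token owner can reach. Suggest adding to step 3: `#    Use a dedicated least-privileged account for this token and rotate it regularly; it is stored as a plain app setting on the web app.` Also "PAT token" in step 4 is redundant; "PAT" suffices.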
@@ -43,9 +50,9 @@ jobs: with: registry: ghcr.io username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + password: ${{ github.token }} - - name: Lowercase the repo name + - name: Lowercase the repo name and username run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} - name: Build and push container image to registry @@ -63,7 +70,7 @@ jobs: url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} steps: - - name: Lowercase the repo name + - name: Lowercase the repo name and username run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} - name: Deploy to Azure Web App From b4ee59804382c997e64cf73a3ef4469686644589 Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Thu, 25 Nov 2021 10:03:14 +0000 Subject: [PATCH 179/844] use setup cache option instead of action --- deployments/azure-webapps-python.yml | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 1212caaed7..cb19cdacc0 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -40,19 +40,12 @@ jobs: uses: actions/setup-python@v2.2.2 with: python-version: ${{ env.PYTHON_VERSION }} + cache: 'pip' - name: Create and start virtual environment run: | python -m venv venv source venv/bin/activate - - - name: Set up dependency caching for faster installs - uses: actions/cache@v2 - with: - path: ~/.cache/pip - key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }} - restore-keys: | - ${{ runner.os }}-pip- - name: Install dependencies run: pip install -r requirements.txt From 3258466b267d3c4857b4f962fced64d71f920d35 Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Mon, 29 Nov 2021 08:51:54 +0000 Subject: [PATCH 180/844] Adding commit sha for 3rd party actions --- deployments/azure-webapps-php.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index ad351dceb8..700f83aa8e 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -38,13 +38,13 @@ jobs: - uses: actions/checkout@v2 - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@7c0b4c8c8ebed23eca9ec2802474895d105b11bc with: php-version: ${{ env.PHP_VERSION }} - name: Check if composer.json exists id: check_files - uses: andstor/file-existence-action@v1 + uses: andstor/file-existence-action@87d74d4732ddb824259d80c8a508c0124bf1c673 with: files: 'composer.json' From 1a37cd53451ca29b380e72f0f307050d81f9d589 Mon Sep 17 00:00:00 2001 From: anaarmas <54946499+anaarmas@users.noreply.github.com> Date: Fri, 19 Nov 2021 16:42:04 +0100 Subject: [PATCH 181/844] add veracode workflow --- .../properties/veracode.properties.json | 7 ++ code-scanning/veracode.yml | 66 +++++++++++++++++++ icons/veracode.svg | 1 + 3 files changed, 74 insertions(+) create mode 100644 code-scanning/properties/veracode.properties.json create mode 100644 code-scanning/veracode.yml create mode 100644 icons/veracode.svg diff --git a/code-scanning/properties/veracode.properties.json b/code-scanning/properties/veracode.properties.json new file mode 100644 index 0000000000..e42ac9f18c --- /dev/null +++ b/code-scanning/properties/veracode.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Veracode Static Analysis", + "creator": "Veracode", + "description": "Get fast feedback on flaws with Veracode Static Analysis and the pipeline scan. Break the build based on flaw severity and CWE category.", + "iconName": "veracode", + "categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "c", "c++", "ruby", "swift", "go", "kotlin", "scala", "groovy", "tsql", "plsql", "perl", "cobol"] +} \ No newline at end of file diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml new file mode 100644 index 0000000000..31fa989643 --- /dev/null 
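Review bot: Pinning `shivammathur/setup-php` and `andstor/file-existence-action` to full commit SHAs is the right call, but without a version annotation nobody reading the file can tell which release the hash corresponds to or whether an update is due. Convention is a trailing comment, e.g. `uses: shivammathur/setup-php@7c0b4c8c8ebed23eca9ec2802474895d105b11bc # <release tag>`, and the same for the file-existence line.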
+++ b/code-scanning/veracode.yml 
@@ -0,0 +1,66 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow will initiate a Veracode Static Analysis Pipeline scan, return a results.json and convert to SARIF for upload as a code scanning alert + +name: Veracode Static Analysis Pipeline Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + # This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter + build-and-pipeline-scan: + # The type of runner that the job will run on + runs-on: ubuntu-latest + steps: + + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. 
Replace this section with your applications build steps + - uses: actions/checkout@v2 + with: + repository: '' + + - uses: vimtor/action-zip@5f1c4aa587ea41db1110df6a99981dbe19cee310 + with: + files: / + recursive: true + dest: veracode-pipeline-scan-results-to-sarif.zip + + - uses: actions/upload-artifact@v1 + with: + name: my-artifact + path: veracode-pipeline-scan-results-to-sarif.zip + + # download the Veracode Static Analysis Pipeline scan jar + - uses: wei/curl@012398a392d02480afa2720780031f8621d5f94c + with: + args: -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip + - run: unzip -o pipeline-scan-LATEST.zip + + - uses: actions/setup-java@v1 + with: + java-version: 1.8 + - run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-pipeline-scan-results-to-sarif.zip + continue-on-error: true + - uses: actions/upload-artifact@v1 + with: + name: ScanResults + path: results.json + - name: Convert pipeline scan output to SARIF format + id: convert + uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be + with: + pipeline-results-json: results.json + - uses: github/codeql-action/upload-sarif@v1 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: veracode-results.sarif diff --git a/icons/veracode.svg b/icons/veracode.svg new file mode 100644 index 0000000000..6c70e79e44 --- /dev/null +++ b/icons/veracode.svg @@ -0,0 +1 @@ + \ No newline at end of file From b6299984305a9e6dfa939d1691051301339ed1d2 Mon Sep 17 00:00:00 2001 From: anaarmas <54946499+anaarmas@users.noreply.github.com> Date: Tue, 30 Nov 2021 09:56:40 +0100 Subject: [PATCH 182/844] replace unnecessary actions with shell commands --- code-scanning/veracode.yml | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) 
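Review bot: The pipeline-scan step passes `${{secrets.VERACODE_API_ID}}` and `${{secrets.VERACODE_API_KEY}}` as command-line arguments, so the secrets are substituted into the script text and become visible process arguments on the runner; passing them through `env:` keeps them out of the script. The scan tool is fetched as `pipeline-scan-LATEST.zip` and executed with those credentials without any version pin or integrity check, which is worth a comment for users (and a pinned, checksummed download if Veracode publishes one). The workflow also has no `permissions:` block, although `upload-sarif` only needs `security-events: write`.

```yaml
# … unchanged: checkout, zip, artifact upload, jar download, setup-java …
      - run: java -jar pipeline-scan.jar --veracode_api_id "$VERACODE_API_ID" --veracode_api_key "$VERACODE_API_KEY" --fail_on_severity="Very High, High" --file veracode-pipeline-scan-results-to-sarif.zip
        env:
          VERACODE_API_ID: ${{ secrets.VERACODE_API_ID }}
          VERACODE_API_KEY: ${{ secrets.VERACODE_API_KEY }}
        continue-on-error: true
# … unchanged: results upload and SARIF conversion …
```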
diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index 31fa989643..64c732f07b 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -29,11 +29,7 @@ jobs: with: repository: '' - - uses: vimtor/action-zip@5f1c4aa587ea41db1110df6a99981dbe19cee310 - with: - files: / - recursive: true - dest: veracode-pipeline-scan-results-to-sarif.zip + - run: zip -r veracode-pipeline-scan-results-to-sarif.zip ./ - uses: actions/upload-artifact@v1 with: @@ -41,9 +37,7 @@ jobs: path: veracode-pipeline-scan-results-to-sarif.zip # download the Veracode Static Analysis Pipeline scan jar - - uses: wei/curl@012398a392d02480afa2720780031f8621d5f94c - with: - args: -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip + - run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip - run: unzip -o pipeline-scan-LATEST.zip - uses: actions/setup-java@v1 From 3f39a5a76b03f05e551caec5165369544e4bf35f Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Wed, 1 Dec 2021 13:27:02 +0530 Subject: [PATCH 183/844] Removed the unwanted space in actions file. Updated the logo to have only the shield portion. --- code-scanning/apisec-scan.yml | 1 - icons/apisec.svg | 16 ++++------------ 2 files changed, 4 insertions(+), 13 deletions(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 67937ac1c8..3aa06ca657 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -58,7 +58,6 @@ jobs: apisec-project: "VAmPI" # The name of the sarif format result file The file is written only if this property is provided. sarif-result-file: "apisec-results.sarif" - - name: Import results uses: github/codeql-action/upload-sarif@v1 with: diff --git a/icons/apisec.svg b/icons/apisec.svg index 664dfa93b1..8b2760bee2 100644 --- a/icons/apisec.svg +++ b/icons/apisec.svg @@ -1,17 +1,9 @@ - - Group + + Fill 11 - \ No newline at end of file 
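Review bot: In the first veracode.yml hunk `zip -r veracode-pipeline-scan-results-to-sarif.zip ./` archives the whole workspace, including the `.git/` directory, and that archive is both uploaded as the `my-artifact` artifact and submitted to the scanner. Excluding repository metadata keeps the upload small and avoids shipping history: `- run: zip -r veracode-pipeline-scan-results-to-sarif.zip ./ -x '.git/*'`. The comment above this step (outside the hunk) already tells users to replace it with their own build, so a `# TODO` marker on the line would make that clearer.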
From 4238ac653e5124c1e1f118cc0b0bd428b8973953 Mon Sep 17 00:00:00 2001 From: Myles Borins Date: Wed, 1 Dec 2021 14:38:35 -0500 Subject: [PATCH 184/844] chore: split npm publish into 2 workflows (#1281) Currently we suggest that folks dual publish to both npm + gpr. There are a large number of edge cases related to doing this and IMHO it is not the best practice. Let's make two separate workflows. --- ci/npm-publish-github-packages.yml | 36 +++++++++++++++++++ ci/npm-publish.yml | 21 ++--------- ...pm-publish-github-packages.properties.json | 6 ++++ ci/properties/npm-publish.properties.json | 2 +- 4 files changed, 45 insertions(+), 20 deletions(-) create mode 100644 ci/npm-publish-github-packages.yml create mode 100644 ci/properties/npm-publish-github-packages.properties.json diff --git a/ci/npm-publish-github-packages.yml b/ci/npm-publish-github-packages.yml new file mode 100644 index 0000000000..09ff0b3cc7 --- /dev/null +++ b/ci/npm-publish-github-packages.yml @@ -0,0 +1,36 @@ +# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created +# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages + +name: Node.js Package + +on: + release: + types: [created] + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - uses: actions/setup-node@v2 + with: + node-version: 16 + - run: npm ci + - run: npm test + + publish-gpr: + needs: build + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + steps: + - uses: actions/checkout@v2 + - uses: actions/setup-node@v2 + with: + node-version: 16 + registry-url: $registry-url(npm) + - run: npm ci + - run: npm publish + env: + NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index 025976d6e2..ef8c6905aa 100644 --- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml 
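Review bot: In npm-publish-github-packages.yml the `publish-gpr` job declares explicit `permissions`, but the `build` job does not, so it runs with the repository's default `GITHUB_TOKEN` permissions; a top-level `permissions:` / `  contents: read` would make both jobs least-privilege, with `publish-gpr` still overriding to add `packages: write`. The header comment could also note that `registry-url: $registry-url(npm)` is a template placeholder substituted by the starter-workflow tooling, since the value is not valid YAML for a user copying the file by hand.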
@@ -14,7 +14,7 @@ jobs: - uses: actions/checkout@v2 - uses: actions/setup-node@v2 with: - node-version: 14 + node-version: 16 - run: npm ci - run: npm test @@ -25,26 +25,9 @@ jobs: - uses: actions/checkout@v2 - uses: actions/setup-node@v2 with: - node-version: 14 + node-version: 16 registry-url: https://registry.npmjs.org/ - run: npm ci - run: npm publish env: NODE_AUTH_TOKEN: ${{secrets.npm_token}} - - publish-gpr: - needs: build - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 - with: - node-version: 14 - registry-url: $registry-url(npm) - - run: npm ci - - run: npm publish - env: - NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} diff --git a/ci/properties/npm-publish-github-packages.properties.json b/ci/properties/npm-publish-github-packages.properties.json new file mode 100644 index 0000000000..180b73aaeb --- /dev/null +++ b/ci/properties/npm-publish-github-packages.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Publish Node.js Package to GitHub Packages", + "description": "Publishes a Node.js package to GitHub Packages.", + "iconName": "node-package-transparent", + "categories": ["Continuous integration", "JavaScript", "npm"] +} diff --git a/ci/properties/npm-publish.properties.json b/ci/properties/npm-publish.properties.json index 9371d7b4c2..cc2c707177 100644 --- a/ci/properties/npm-publish.properties.json +++ b/ci/properties/npm-publish.properties.json @@ -1,6 +1,6 @@ { "name": "Publish Node.js Package", - "description": "Publishes a Node.js package to npm and GitHub Packages.", + "description": "Publishes a Node.js package to npm.", "iconName": "node-package-transparent", "categories": ["Continuous integration", "JavaScript", "npm"] } From ce771c75d8e1fe4b0075873cdcfb9b55117af9d9 Mon Sep 17 00:00:00 2001 
From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Wed, 1 Dec 2021 15:50:22 -0500 Subject: [PATCH 185/844] Referencing new official PMD github action --- code-scanning/pmd.yml | 52 ++++++++++++++----------------------------- 1 file changed, 17 insertions(+), 35 deletions(-) diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 69596a4b9a..8689961c31 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml 
@@ -14,45 +14,27 @@ on: - cron: $cron-weekly jobs: - mobile-security: + pmd-code-scan: runs-on: ubuntu-latest - steps: - uses: actions/checkout@v2 - - - name: Setup python - uses: actions/setup-python@v2 + - name: Set up JDK 11 + uses: actions/setup-java@v2 with: - python-version: 3.8 - - - name: Run Full PMD Analysis on Apex Code - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' - id: pmd-full-analysis - uses: abirismyname/pmd@master + java-version: '11' + distribution: 'adopt' + cache: maven + - name: Run PMD + id: pmd + uses: pmd/pmd-github-action@v1 with: - analyse-all-code: 'true' - pmd-version: 'latest' - file-path: './src' - rules-path: 'rulesets/apex/quickstart.xml' - - # - name: Run Full PMD Analysis on Java Code - # if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' - # id: pmd-full-analysis - # uses: abirismyname/pmd@master - # with: - # analyse-all-code: 'true' - # pmd-version: 'latest' - # file-path: './src' - # rules-path: 'rulesets/java/quickstart.xml' - - - name: Upload pmdscan report + rulesets: 'rulesets/java/quickstart.xml' + sourcePath: 'src/main/java' + - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: pmd-output.sarif - - - name: No PMD Errors? - run: | - if ${{ steps.pmd-full-analysis.outputs.error-found }} ${{ steps.pmd-partial-analysis.outputs.error-found }} - then - exit 3 - fi + sarif_file: pmd-report.sarif + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: pmd-report.sarif \ No newline at end of file From d2bba6f2d932e0692a43de925bef2c57274303c8 Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Wed, 1 Dec 2021 16:03:49 -0500 Subject: [PATCH 186/844] Adding icon --- icons/pmd.svg | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 icons/pmd.svg diff --git a/icons/pmd.svg b/icons/pmd.svg new file mode 100644 index 0000000000..c0b3415db3 
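Review bot: The new job uploads the same SARIF twice — the `Upload SARIF file` step with `sarif_file: pmd-report.sarif` appears back-to-back at the end of the hunk, so the second copy should be dropped. The scan step is referenced by a mutable tag, `uses: pmd/pmd-github-action@v1`, in a workflow whose whole purpose is code scanning; pinning to a full commit SHA with a `# vX.Y.Z` comment keeps the scanner from changing underneath the workflow. The rewrite also removes the old `No PMD Errors?` gate, so findings now only reach the code-scanning dashboard and never fail the run; if that is intended, a one-line comment on the upload step saying so would stop someone re-adding an `exit 3`. The `on:` and any job `permissions:` block start above the hunk, so whether `security-events: write` is granted for the upload step cannot be confirmed from here.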
--- /dev/null +++ b/icons/pmd.svg @@ -0,0 +1,8 @@ + + + + + + + + \ No newline at end of file From 435b265ae0e53ff80428fe76b33752eb76074cac Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Wed, 1 Dec 2021 17:02:40 -0500 Subject: [PATCH 187/844] Removing dupe --- code-scanning/pmd.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 8689961c31..c876da5c09 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -34,7 +34,3 @@ jobs: uses: github/codeql-action/upload-sarif@v1 with: sarif_file: pmd-report.sarif - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 - with: - sarif_file: pmd-report.sarif \ No newline at end of file From a48ef3a64354a224371396a3b719d48f50ff67bb Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 1 Dec 2021 17:52:36 -0800 Subject: [PATCH 188/844] Update azure-webapps-node.yml (#1282) --- deployments/azure-webapps-node.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index 8546feafb6..b7cb51f27b 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -26,7 +26,7 @@ on: env: AZURE_WEBAPP_NAME: your-app-name # set this to your application's name AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - NODE_VERSION: '10.x' # set this to the node version to use + NODE_VERSION: '14.x' # set this to the node version to use jobs: build: @@ -71,4 +71,4 @@ jobs: with: app-name: ${{ env.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} \ No newline at end of file + package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} From 9920cac8e993e7080faf048ed69586c2e5aa8103 Mon Sep 17 00:00:00 2001 
From: Marcel Wagner Date: Thu, 2 Dec 2021 04:51:29 +0100 Subject: [PATCH 189/844] Update text flow for cmake comment (#1054) --- ci/cmake.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/ci/cmake.yml b/ci/cmake.yml index 16341407df..6c858b9198 100644 --- a/ci/cmake.yml +++ b/ci/cmake.yml @@ -12,9 +12,8 @@ env: jobs: build: - # The CMake configure and build commands are platform agnostic and should work equally - # well on Windows or Mac. You can convert this to a matrix build if you need - # cross-platform coverage. + # The CMake configure and build commands are platform agnostic and should work equally well on Windows or Mac. + # You can convert this to a matrix build if you need cross-platform coverage. # See: https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix runs-on: ubuntu-latest From f7b1f1515d467adea6cbb6ea0b0b419c69a3ef7b Mon Sep 17 00:00:00 2001 From: Daz DeBoer Date: Thu, 2 Dec 2021 15:22:55 -0700 Subject: [PATCH 190/844] Use `gradle-build-action` in starter workflows (#1237) The `gradle-build-action` provides enhanced execution and caching functionality for Gradle. This change updates starter workflows to use `v2.0.0` of `gradle-build-action`. Improvements over invoking Gradle directly include: - Easier to run the workflow with a particular Gradle version - More sophisticated and more efficient caching of Gradle User Home between invocations - Detailed reporting of cache usage and cache configuration options - Automatic capture of Build Scan links Co-authored-by: Josh Gross --- ci/gradle-publish.yml | 12 ++++++++++-- ci/gradle.yml | 11 +++++++---- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index a74a1ce2eb..f24c004e5e 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml 
@@ -1,3 +1,7 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. # This workflow will build a package using Gradle and then publish it to GitHub packages when a release is created # For more information see: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#Publishing-using-gradle @@ -26,12 +30,16 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Build with Gradle - run: gradle build + uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 + with: + arguments: build # The USERNAME and TOKEN need to correspond to the credentials environment variables used in # the publishing section of your build.gradle - name: Publish to GitHub Packages - run: gradle publish + uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 + with: + arguments: publish env: USERNAME: ${{ github.actor }} TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/ci/gradle.yml b/ci/gradle.yml index 5ecabbaa11..b83458c09c 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -1,3 +1,7 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. # This workflow will build a Java project with Gradle and cache/restore any dependencies to improve the workflow execution time # For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle @@ -21,8 +25,7 @@ jobs: with: java-version: '11' distribution: 'adopt' - cache: gradle - - name: Grant execute permission for gradlew - run: chmod +x gradlew - name: Build with Gradle - run: ./gradlew build + uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 + with: + arguments: build 
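Review bot: The three new `uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021` lines (both steps in ci/gradle-publish.yml and the build step in ci/gradle.yml) pin by SHA but carry no human-readable version, so a reader cannot tell what was pinned or notice a later drift; the commit message says v2.0.0, so annotate each as `uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 # v2.0.0`. In ci/gradle.yml the last hunk also drops `cache: gradle` from setup-java and the `chmod +x gradlew` step; presumably the action supplies its own caching and wrapper handling, but a short comment stating that above `- name: Build with Gradle` would keep the next maintainer from re-adding them. The header comment added to both files already records that these are non-GitHub-certified actions, which is the right place for that caveat.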
From 649bca8dab3f93f2fa14671d79d813ef6d5e2c73 Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Fri, 3 Dec 2021 10:33:18 -0500 Subject: [PATCH 191/844] Updating logo and adding sha to workflow --- code-scanning/pmd.yml | 2 +- icons/pmd.svg | 79 +++++++++++++++++++++++++++++++++++++++---- 2 files changed, 73 insertions(+), 8 deletions(-) diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index c876da5c09..7920c88fde 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -26,7 +26,7 @@ jobs: cache: maven - name: Run PMD id: pmd - uses: pmd/pmd-github-action@v1 + uses: pmd/pmd-github-action@7ed79622882840855e297f090460face22328ece with: rulesets: 'rulesets/java/quickstart.xml' sourcePath: 'src/main/java' diff --git a/icons/pmd.svg b/icons/pmd.svg index c0b3415db3..bc1cb58fc8 100644 --- a/icons/pmd.svg +++ b/icons/pmd.svg @@ -1,8 +1,73 @@ - - - - - - + +image/svg+xml + + + + + - \ No newline at end of file + From 4e6641ed7425cb2c2e9beb20339a03b9955d286d Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Fri, 3 Dec 2021 13:19:43 -0500 Subject: [PATCH 192/844] Updating pmd logo --- icons/pmd.svg | 72 +++++++++++++++++---------------------------------- 1 file changed, 24 insertions(+), 48 deletions(-) diff --git a/icons/pmd.svg b/icons/pmd.svg index bc1cb58fc8..61f1842fd8 100644 --- a/icons/pmd.svg +++ b/icons/pmd.svg @@ -1,72 +1,48 @@ image/svg+xml + rdf:resource="http://purl.org/dc/dcmitype/StillImage" /> From 60d206d0900a9e3b4de3779cb2f5277c6304c887 Mon Sep 17 00:00:00 2001 
From: Matt Moore Date: Mon, 6 Dec 2021 09:05:19 -0800 Subject: [PATCH 193/844] Have the starter `docker-publish` action sign digests. (#1255) * Have the starter `docker-publish` action sign digests. This change installs `sigstore/cosign` using the `cosign-installer` action, and uses sigstore's "keyless" signing process to sign the resulting image digest using the action's identity token (see: `id-token: write`). Signed-off-by: Matt Moore * Fully qualify the digest, add setup-buildx-action as workaround * Drop --force, add public repo check * Use built-in 'private' bit --- ci/docker-publish.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index ab266efb81..3b55fce62e 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -29,11 +29,24 @@ jobs: permissions: contents: read packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. + id-token: write steps: - name: Checkout repository uses: actions/checkout@v2 + # Install the cosign tool except on PR + # https://github.com/sigstore/cosign-installer + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422 + + # Workaround: https://github.com/docker/build-push-action/issues/461 + - name: Setup Docker buildx + uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + # Login against a Docker registry except on PR # https://github.com/docker/login-action - name: Log into registry ${{ env.REGISTRY }} 
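Review bot: `id-token: write` is added at the job level, so every step in the job — including the third-party `docker/setup-buildx-action`, the login step and `docker/build-push-action` — can request an OIDC token, not only the cosign step that needs it. GitHub permissions cannot be scoped per step, so the effective mitigation is what the hunk already does (all actions pinned to full SHAs); a comment beside `id-token: write` saying that the token is reachable by every step in this job, and that this is why the actions are SHA-pinned, would make that trade-off explicit. The `sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422` and `docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf` pins would also read better with a `# vX.Y.Z` annotation. The job continues in the next hunk.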
@@ -55,9 +68,26 @@ jobs: # Build and push Docker image with Buildx (don't push on PR) # https://github.com/docker/build-push-action - name: Build and push Docker image + id: build-and-push uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc with: context: . push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + + # Sign the resulting Docker image digest except on PRs and private repos + # The keyless signing process records signatures on the Rekor public + # transparency log, so signing is disabled for private repos by default + # to avoid leaking private data. If you wish to sign things anyways, + # then this check can be removed and --force can be added to the cosign + # command below. + # https://github.com/sigstore/cosign + - name: Sign the published Docker image + if: ${{ github.event_name != 'pull_request' && !github.event.repository.private }} + env: + COSIGN_EXPERIMENTAL: "true" + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance, and records it to the + # sigstore community Rekor transparency log. + run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }} From 1c56988c5df7b85a0d1fbcbb4a2d6dcee44b7b51 Mon Sep 17 00:00:00 2001 From: anaarmas <54946499+anaarmas@users.noreply.github.com> Date: Tue, 7 Dec 2021 11:35:26 +0100 Subject: [PATCH 194/844] remove unnecessary uses of the upload-artifact action and improve input file name --- code-scanning/veracode.yml | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index 64c732f07b..e38fffd5d6 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml 
@@ -29,12 +29,7 @@ jobs: with: repository: '' - - run: zip -r veracode-pipeline-scan-results-to-sarif.zip ./ - - - uses: actions/upload-artifact@v1 - with: - name: my-artifact - path: veracode-pipeline-scan-results-to-sarif.zip + - run: zip -r veracode-scan-target.zip ./ # download the Veracode Static Analysis Pipeline scan jar - run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip @@ -43,12 +38,8 @@ jobs: - uses: actions/setup-java@v1 with: java-version: 1.8 - - run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-pipeline-scan-results-to-sarif.zip + - run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-scan-target.zip continue-on-error: true - - uses: actions/upload-artifact@v1 - with: - name: ScanResults - path: results.json - name: Convert pipeline scan output to SARIF format id: convert uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be From c059d06679620e5a2c8d2c74b677879420f0922a Mon Sep 17 00:00:00 2001 
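Review bot: `- run: zip -r veracode-scan-target.zip ./` archives the whole working directory, which after a checkout includes the `.git/` directory with full history plus any local build output, and all of it is then sent to Veracode by the `java -jar pipeline-scan.jar ... --file veracode-scan-target.zip` step. Excluding the repository metadata, e.g. `- run: zip -r veracode-scan-target.zip ./ -x '.git/*'`, limits the upload to the source actually being scanned and avoids shipping history to a third party. The rename itself is an improvement over the misleading `...results-to-sarif.zip` name. The scan jar is still fetched as `pipeline-scan-LATEST.zip` with no version pin or checksum on an unchanged line; that is pre-existing, but worth tracking separately.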
From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Tue, 7 Dec 2021 14:16:20 +0000 Subject: [PATCH 195/844] renaming azure template to fix the order --- ...azure-webapps-container.yml => azure-containerized-webapp.yml} | 0 deployments/{aks.yml => azure-kubernetes-service.yml} | 0 ...properties.json => azure-containerized-webapp.properties.json} | 0 ...s.properties.json => azure-kubernetes-service.properties.json} | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename deployments/{azure-webapps-container.yml => azure-containerized-webapp.yml} (100%) rename deployments/{aks.yml => azure-kubernetes-service.yml} (100%) rename deployments/properties/{azure-webapps-container.properties.json => azure-containerized-webapp.properties.json} (100%) rename deployments/properties/{aks.properties.json => azure-kubernetes-service.properties.json} (100%) diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-containerized-webapp.yml similarity index 100% rename from deployments/azure-webapps-container.yml rename to deployments/azure-containerized-webapp.yml diff --git a/deployments/aks.yml b/deployments/azure-kubernetes-service.yml similarity index 100% rename from deployments/aks.yml rename to deployments/azure-kubernetes-service.yml diff --git a/deployments/properties/azure-webapps-container.properties.json b/deployments/properties/azure-containerized-webapp.properties.json similarity index 100% rename from deployments/properties/azure-webapps-container.properties.json rename to deployments/properties/azure-containerized-webapp.properties.json diff --git a/deployments/properties/aks.properties.json b/deployments/properties/azure-kubernetes-service.properties.json similarity index 100% rename from deployments/properties/aks.properties.json rename to deployments/properties/azure-kubernetes-service.properties.json From 17c64f97fed1f39b1ec676d1b2446b0f0f772949 Mon Sep 17 00:00:00 2001 
From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Wed, 8 Dec 2021 05:01:06 +0000 Subject: [PATCH 196/844] resolving comments --- ...{azure-containerized-webapp.yml => azure-container-webapp.yml} | 0 ...app.properties.json => azure-container-webapp.properties.json} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename deployments/{azure-containerized-webapp.yml => azure-container-webapp.yml} (100%) rename deployments/properties/{azure-containerized-webapp.properties.json => azure-container-webapp.properties.json} (100%) diff --git a/deployments/azure-containerized-webapp.yml b/deployments/azure-container-webapp.yml similarity index 100% rename from deployments/azure-containerized-webapp.yml rename to deployments/azure-container-webapp.yml diff --git a/deployments/properties/azure-containerized-webapp.properties.json b/deployments/properties/azure-container-webapp.properties.json similarity index 100% rename from deployments/properties/azure-containerized-webapp.properties.json rename to deployments/properties/azure-container-webapp.properties.json From 00db25fc1e0c3432105036075404c4429dfda403 Mon Sep 17 00:00:00 2001 From: Matt Moore Date: Mon, 13 Dec 2021 12:17:02 -0800 Subject: [PATCH 197/844] Enable keyless signing for private repos. (#1295) Now that cosign 1.4 is out, we can perform keyless signing without panicking on private images (and without `--force` uploading to Rekor). Signed-off-by: Matt Moore --- ci/docker-publish.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 3b55fce62e..977635a1b4 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml 
@@ -42,6 +42,9 @@ jobs: - name: Install cosign if: github.event_name != 'pull_request' uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422 + with: + cosign-release: 'v1.4.0' + # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx @@ -76,18 +79,15 @@ jobs: tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - # Sign the resulting Docker image digest except on PRs and private repos - # The keyless signing process records signatures on the Rekor public - # transparency log, so signing is disabled for private repos by default - # to avoid leaking private data. If you wish to sign things anyways, - # then this check can be removed and --force can be added to the cosign - # command below. + # Sign the resulting Docker image digest except on PRs. + # This will only write to the public Rekor transparency log when the Docker + # repository is public to avoid leaking data. If you would like to publish + # transparency data even for private images, pass --force to cosign below. # https://github.com/sigstore/cosign - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' && !github.event.repository.private }} + if: ${{ github.event_name != 'pull_request' }} env: COSIGN_EXPERIMENTAL: "true" # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance, and records it to the - # sigstore community Rekor transparency log. + # against the sigstore community Fulcio instance. run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }} From 73a17a51b52614ac5865c750577d62c43ce3aa14 Mon Sep 17 00:00:00 2001 
From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Thu, 16 Dec 2021 10:55:17 +0000 Subject: [PATCH 198/844] deleting azure.yml --- deployments/azure.yml | 51 ------------------------------------------- 1 file changed, 51 deletions(-) delete mode 100644 deployments/azure.yml diff --git a/deployments/azure.yml b/deployments/azure.yml deleted file mode 100644 index 904ff2545c..0000000000 --- a/deployments/azure.yml +++ /dev/null 
@@ -1,51 +0,0 @@ -# This workflow will build and push a node.js application to an Azure Web App when there is a push to the $default-branch branch. -# -# This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/azure/app-service/app-service-plan-manage#create-an-app-service-plan -# -# To configure this workflow: -# -# 1. For Linux apps, add an app setting called WEBSITE_WEBDEPLOY_USE_SCM and set it to true in your app **before downloading the file**. -# For more instructions see: https://docs.microsoft.com/azure/app-service/configure-common#configure-app-settings -# -# 2. Set up a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE with the value of your Azure publish profile. -# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret -# -# 3. Change the values for the AZURE_WEBAPP_NAME, AZURE_WEBAPP_PACKAGE_PATH and NODE_VERSION environment variables (below). -# -# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions -# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples -on: - push: - branches: - - $default-branch - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - NODE_VERSION: '10.x' # set this to the node version to use - -jobs: - build-and-deploy: - name: Build and Deploy - runs-on: ubuntu-latest - environment: production - steps: - - uses: actions/checkout@v2 - - name: Use Node.js ${{ env.NODE_VERSION }} - uses: actions/setup-node@v2 - with: - node-version: ${{ env.NODE_VERSION }} - - name: npm install, build, and test - run: | - # Build and test the project, then - # deploy to Azure Web App. 
- npm install - npm run build --if-present - npm run test --if-present - - name: 'Deploy to Azure WebApp' - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} From 615c63babc0be77daa72c0eca79dbb9b4a60d606 Mon Sep 17 00:00:00 2001 From: Andreas Dangel Date: Mon, 20 Dec 2021 11:44:55 +0100 Subject: [PATCH 199/844] Update pmd to v1.1.0 Use pmd/pmd-github-action@6d98898be0d59f46ec37dafcea33d8f8f55acfd1 which is v1.1.0 Use temurin as java distribution --- code-scanning/pmd.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 7920c88fde..ba895fe265 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -22,11 +22,11 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' cache: maven - name: Run PMD id: pmd - uses: pmd/pmd-github-action@7ed79622882840855e297f090460face22328ece + uses: pmd/pmd-github-action@6d98898be0d59f46ec37dafcea33d8f8f55acfd1 with: rulesets: 'rulesets/java/quickstart.xml' sourcePath: 'src/main/java' From 0b45ddae0d6a1bb5d2524384ae316a929f3d0e96 Mon Sep 17 00:00:00 2001 From: DhavalPatelPersistent Date: Fri, 24 Dec 2021 15:55:11 +0530 Subject: [PATCH 200/844] Update / Add "uses","project","teams","scanners","params" attributes. --- code-scanning/checkmarx.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index ee97108cae..c0785dab5a 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml 
@@ -29,14 +29,16 @@ jobs: - uses: actions/checkout@v2 # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs - name: Checkmarx CxFlow Action - uses: checkmarx-ts/checkmarx-cxflow-github-action@04e6403dbbfee0fd3fb076e5791202c31c54fe6b + uses: checkmarx-ts/checkmarx-cxflow-github-action@master with: - project: GithubActionTest - team: '\CxServer\SP\Checkmarx' + project: ${{ secrets.CHECKMARX_PROJECT }} + team: ${{ secrets.CHECKMARX_TEAMS }} checkmarx_url: ${{ secrets.CHECKMARX_URL }} checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} + scanners: sast + params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v1 From 97020d0adc1a32ef799bcafcffa18b2297ca4da3 Mon Sep 17 00:00:00 2001 From: DhavalPatelPersistent <93903969+DhavalPatelPersistent@users.noreply.github.com> Date: Thu, 30 Dec 2021 16:39:28 +0530 Subject: [PATCH 201/844] Update checkmarx.yml Point to SHA instead for master --- code-scanning/checkmarx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index c0785dab5a..96b9897a58 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -29,7 +29,7 @@ jobs: - uses: actions/checkout@v2 # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs - name: Checkmarx CxFlow Action - uses: checkmarx-ts/checkmarx-cxflow-github-action@master + uses: checkmarx-ts/checkmarx-cxflow-github-action@9975af7d6b957abec9ee9646effa3fb3b82c5314 with: project: ${{ secrets.CHECKMARX_PROJECT }} team: ${{ secrets.CHECKMARX_TEAMS }} 
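Review bot: `params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} ...` passes `github.ref`, which is `refs/heads/<branch>` on push events but `refs/pull/<n>/merge` on pull_request events; if the workflow's `on:` block (above the hunk) includes pull requests, CxFlow is told a branch that does not exist in the repository, and `github.head_ref` or `github.ref_name` would be the intended value. The expressions are expanded into one argument string before the action sees it, so if the action hands `params` to a shell the branch name becomes shell input; that cannot be confirmed from here and should be checked against the action README referenced in the comment above. Storing `project` and `team` as `secrets.CHECKMARX_PROJECT` / `secrets.CHECKMARX_TEAMS` is harmless, but they are configuration rather than credentials and masking will redact those names from logs. The follow-up hunk on this line restores a SHA pin, `checkmarx-ts/checkmarx-cxflow-github-action@9975af7d6b957abec9ee9646effa3fb3b82c5314`, after this commit had moved to `@master`; a `# vX.Y.Z` comment on that pin would record which release it corresponds to.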
From 794e910e12b7f31ea222a4be4c11f8c7dd2bcf86 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 10 Dec 2021 17:49:59 +0000 Subject: [PATCH 202/844] add scorecards config --- .../properties/scorecards.properties.json | 10 +++ code-scanning/scorecards.yml | 74 +++++++++++++++++++ 2 files changed, 84 insertions(+) create mode 100644 code-scanning/properties/scorecards.properties.json create mode 100644 code-scanning/scorecards.yml diff --git a/code-scanning/properties/scorecards.properties.json b/code-scanning/properties/scorecards.properties.json new file mode 100644 index 0000000000..54362eb9ae --- /dev/null +++ b/code-scanning/properties/scorecards.properties.json @@ -0,0 +1,10 @@ +{ + "name": "OSSF Scorecards supply-chain security analysis", + "creator": "Open Source Security Foundation (OpenSSF) - https://github.com/ossf", + "description": "Scorecards is a static analysis tool to assess the security posture of your project", + "iconName": "scorecards", + "categories": [ + "code-quality", "testing", + "supply-chain", "security", "scanning" + ] +} diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml new file mode 100644 index 0000000000..23dc0c1af7 --- /dev/null +++ b/code-scanning/scorecards.yml 
@@ -0,0 +1,74 @@ +name: Scorecards supply-chain security +on: + # Only the default branch is supported. + branch_protection_rule: + schedule: + # Weekly on Saturdays. + - cron: '30 1 * * 6' + push: + branches: [ $default-branch ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecards analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + + steps: + - name: "Checkout code" + uses: actions/checkout@v1 + + - name: "Run analysis" + # TODO: update with a hash once we have a release. + uses: ossf/scorecard-action@feat/rempol + with: + results_file: results.sarif + results_format: sarif + # For the token, + # 1. Create a PAT token at https://github.com/settings/tokens/new + # with the following read permissions: + # - Note: OSSF Scorecard read-only token + # - Expiration: No expiration + # - Scopes: + # * repo > public_repo + # * admin:org > read:org + # * admin:repo_hook > read:repo_hook + # * write:discussion > read:discussion + # + # Create and copy the token. + # + # 2. Create a new repository secret at https://github.com///settings/secrets/actions + # with the following settings: + # - Name: SCORECARD_TOKEN + # - Value: the value of the token created in step 1 above. + repo_token: ${{ secrets.SCORECARD_TOKEN }} + # The Scorecard team runs a weekly scan of public GitHub repositories in order to track + # the overall security health of the open source ecosystem. + # Setting `publish_results: true` replaces the results of the team's weelky scans, + # helping us scale by cutting down on repeated workflows and GitHub API requests. + # This option is needed to enable badges on the repo. + publish_results: true + + # Upload the results as artifacts. + # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts + # This is optional. 
+ - name: "Upload artifact" + # Note: scorecard will flag this line if not pinned by hash. + uses: actions/upload-artifact@v2 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + # This is required to visualize the results on GitHub website. + - name: "Upload to code-scanning" + # Note: scorecard will flag this line if not pinned by hash. + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif From 0e50194de868de89ba9545e296fc254c13aaf4cc Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 10 Dec 2021 17:56:35 +0000 Subject: [PATCH 203/844] use hash --- code-scanning/scorecards.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 23dc0c1af7..709da7e4af 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -24,8 +24,7 @@ jobs: uses: actions/checkout@v1 - name: "Run analysis" - # TODO: update with a hash once we have a release. - uses: ossf/scorecard-action@feat/rempol + uses: ossf/scorecard-action@59f9117686133e93b60a8f23131f87089a076e1b with: results_file: results.sarif results_format: sarif From a00db4437c100515400041ae9ec3d00bc4e3f0b2 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 16 Dec 2021 18:25:53 +0000 Subject: [PATCH 204/844] comments --- code-scanning/properties/scorecards.properties.json | 5 +---- code-scanning/scorecards.yml | 3 +-- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/code-scanning/properties/scorecards.properties.json b/code-scanning/properties/scorecards.properties.json index 54362eb9ae..d45274b9e4 100644 --- a/code-scanning/properties/scorecards.properties.json +++ b/code-scanning/properties/scorecards.properties.json 
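Review bot: The setup comment in the `Run analysis` step tells users to create a PAT with `Expiration: No expiration` and store it as `SCORECARD_TOKEN`; a non-expiring token carrying `read:org` and `read:repo_hook` scopes kept in a repository secret is a standing credential, so the comment should instead recommend an expiration with periodic rotation (the action only needs the token to be valid at scan time). `uses: ossf/scorecard-action@feat/rempol` is a branch reference and `actions/checkout@v1` / `actions/upload-artifact@v2` are floating tags, which the file's own comments acknowledge Scorecard will flag; the `use hash` hunk on this same line pins the scorecard action, but the checkout and upload steps remain unpinned at that point. The comment `# Only the default branch is supported.` sits directly above `branch_protection_rule:` and reads as describing that trigger, while it presumably describes the action's scope; rewording it to `# Scorecard only analyses the default branch.` and placing it above `on:` would remove the ambiguity.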
@@ -3,8 +3,5 @@ "creator": "Open Source Security Foundation (OpenSSF) - https://github.com/ossf", "description": "Scorecards is a static analysis tool to assess the security posture of your project", "iconName": "scorecards", - "categories": [ - "code-quality", "testing", - "supply-chain", "security", "scanning" - ] + "categories": ["Code Scanning"] } diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 709da7e4af..27ffc2f31d 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -3,8 +3,7 @@ on: # Only the default branch is supported. branch_protection_rule: schedule: - # Weekly on Saturdays. - - cron: '30 1 * * 6' + - cron: $cron-weekly push: branches: [ $default-branch ] From a894da71d16be3f3b970d067d20d12cc1f23042f Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 28 Dec 2021 17:49:56 +0000 Subject: [PATCH 205/844] pin actions --- code-scanning/scorecards.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 27ffc2f31d..88f47ee553 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -20,7 +20,9 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@v1 + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + with: + persist-credentials: false - name: "Run analysis" uses: ossf/scorecard-action@59f9117686133e93b60a8f23131f87089a076e1b @@ -56,8 +58,7 @@ jobs: # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts # This is optional. - name: "Upload artifact" - # Note: scorecard will flag this line if not pinned by hash. - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 with: name: SARIF file path: results.sarif 
@@ -66,7 +67,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. # This is required to visualize the results on GitHub website. - name: "Upload to code-scanning" - # Note: scorecard will flag this line if not pinned by hash. - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26 with: sarif_file: results.sarif From 9e49744dc2534cee2fbb4986f45287bfce589fb6 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 28 Dec 2021 18:13:49 +0000 Subject: [PATCH 206/844] url --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 88f47ee553..b04a28d739 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -42,7 +42,7 @@ jobs: # # Create and copy the token. # - # 2. Create a new repository secret at https://github.com///settings/secrets/actions + # 2. Create a new repository secret at https://github.com///settings/secrets/actions/new # with the following settings: # - Name: SCORECARD_TOKEN # - Value: the value of the token created in step 1 above. From f38127b0623a68a7a5faee31773d3adbb8bd3cfb Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 29 Dec 2021 22:51:32 +0000 Subject: [PATCH 207/844] update text --- code-scanning/scorecards.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index b04a28d739..c8f9993377 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml 
@@ -48,10 +48,12 @@ jobs: # - Value: the value of the token created in step 1 above. repo_token: ${{ secrets.SCORECARD_TOKEN }} # The Scorecard team runs a weekly scan of public GitHub repositories in order to track - # the overall security health of the open source ecosystem. + # the overall security health of the open source ecosystem. The results are publicly + # available as described at https://github.com/ossf/scorecard#public-data. # Setting `publish_results: true` replaces the results of the team's weelky scans, # helping us scale by cutting down on repeated workflows and GitHub API requests. - # This option is needed to enable badges on the repo. + # This option is needed to enable badges on the repo. If you're installing the action + # on a private repo, set it to `publish_results: false` or do not set the value at all. publish_results: true # Upload the results as artifacts. From 48edda6acad5d9b718bedba3c63e8198f1f7c08f Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 29 Dec 2021 22:56:18 +0000 Subject: [PATCH 208/844] reduce text --- code-scanning/scorecards.yml | 24 +++--------------------- 1 file changed, 3 insertions(+), 21 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index c8f9993377..a647577b82 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml 
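Review bot: The comment paragraph this hunk reflows still contains the context line about replacing the results of the team's "weelky" scans, which sits between the two lines the hunk rewrites; since the paragraph is already being edited, changing "weelky" to "weekly" on that line would finish the cleanup. The `with:` block of the analysis step continues outside the hunk.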
@@ -29,23 +29,8 @@ jobs: with: results_file: results.sarif results_format: sarif - # For the token, - # 1. Create a PAT token at https://github.com/settings/tokens/new - # with the following read permissions: - # - Note: OSSF Scorecard read-only token - # - Expiration: No expiration - # - Scopes: - # * repo > public_repo - # * admin:org > read:org - # * admin:repo_hook > read:repo_hook - # * write:discussion > read:discussion - # - # Create and copy the token. - # - # 2. Create a new repository secret at https://github.com///settings/secrets/actions/new - # with the following settings: - # - Name: SCORECARD_TOKEN - # - Value: the value of the token created in step 1 above. + # Read-only PAT token. To create it, follow the steps + # in https://github.com/ossf/scorecard-action/main#pat-token-creation repo_token: ${{ secrets.SCORECARD_TOKEN }} # The Scorecard team runs a weekly scan of public GitHub repositories in order to track # the overall security health of the open source ecosystem. The results are publicly @@ -56,9 +41,7 @@ jobs: # on a private repo, set it to `publish_results: false` or do not set the value at all. publish_results: true - # Upload the results as artifacts. - # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts - # This is optional. + # Upload the results as artifacts (optional). - name: "Upload artifact" uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 with: @@ -67,7 +50,6 @@ jobs: retention-days: 5 # Upload the results to GitHub's code scanning dashboard. - # This is required to visualize the results on GitHub website. - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26 with: From 07be376c3a753560b12712d3e1c614031a2cf117 Mon Sep 17 00:00:00 2001 
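Review bot: The replacement comment in the first hunk points users to `https://github.com/ossf/scorecard-action/main#pat-token-creation`, which does not look like a resolvable GitHub path — a branch segment needs `/tree/` or `/blob/` in front of it, and a README anchor needs no branch at all. Using `https://github.com/ossf/scorecard-action#pat-token-creation` avoids a dead link in the one place the template sends people to learn how to create the read-only PAT. The `with:` block continues outside the hunk.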
From: laurentsimon Date: Wed, 29 Dec 2021 23:02:46 +0000 Subject: [PATCH 209/844] updates --- code-scanning/scorecards.yml | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index a647577b82..b9efa215d0 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -29,16 +29,13 @@ jobs: with: results_file: results.sarif results_format: sarif - # Read-only PAT token. To create it, follow the steps - # in https://github.com/ossf/scorecard-action/main#pat-token-creation + # Read-only PAT token. To create it, + # follow the steps in https://github.com/ossf/scorecard-action/blob/main#pat-token-creation. repo_token: ${{ secrets.SCORECARD_TOKEN }} - # The Scorecard team runs a weekly scan of public GitHub repositories in order to track - # the overall security health of the open source ecosystem. The results are publicly - # available as described at https://github.com/ossf/scorecard#public-data. - # Setting `publish_results: true` replaces the results of the team's weelky scans, - # helping us scale by cutting down on repeated workflows and GitHub API requests. - # This option is needed to enable badges on the repo. If you're installing the action - # on a private repo, set it to `publish_results: false` or do not set the value at all. + # Publish the results to enable scorecard badges. For more details, see + # https://github.com/ossf/scorecard-action/blob/main#publishing-results. + # If you are installing the action on a private repo, set it to `publish_results: false` + # or do not set the value at all. publish_results: true # Upload the results as artifacts (optional). From 7c57e8a703516f380383aedcc599bac86c30b6e2 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 29 Dec 2021 23:07:26 +0000 Subject: [PATCH 210/844] updates --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index b9efa215d0..209dc377ca 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -35,7 +35,7 @@ jobs: # Publish the results to enable scorecard badges. For more details, see # https://github.com/ossf/scorecard-action/blob/main#publishing-results. # If you are installing the action on a private repo, set it to `publish_results: false` - # or do not set the value at all. + # or comment out the following line. publish_results: true # Upload the results as artifacts (optional). From 40772919fb6683dd374c85974123e699aff4872c Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 29 Dec 2021 23:11:08 +0000 Subject: [PATCH 211/844] updates --- code-scanning/scorecards.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 209dc377ca..dbfbecdf19 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -30,10 +30,10 @@ jobs: results_file: results.sarif results_format: sarif # Read-only PAT token. To create it, - # follow the steps in https://github.com/ossf/scorecard-action/blob/main#pat-token-creation. + # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation. repo_token: ${{ secrets.SCORECARD_TOKEN }} # Publish the results to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action/blob/main#publishing-results. + # https://github.com/ossf/scorecard-action#publishing-results. # If you are installing the action on a private repo, set it to `publish_results: false` # or comment out the following line. publish_results: true From b73f59a3e8a02531a5ca5623bab1ad5387d8072d Mon Sep 17 00:00:00 2001 
From: laurentsimon Date: Tue, 4 Jan 2022 18:08:50 +0000 Subject: [PATCH 212/844] add icon --- icons/scorecards.svg | 365 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 365 insertions(+) create mode 100644 icons/scorecards.svg diff --git a/icons/scorecards.svg b/icons/scorecards.svg new file mode 100644 index 0000000000..9db608c09f --- /dev/null +++ b/icons/scorecards.svg @@ -0,0 +1,365 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From d0dba5262b9d520abb5b6a16c3c7631df3414a9d Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 4 Jan 2022 18:13:24 +0000 Subject: [PATCH 213/844] use v0.0.1 --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index dbfbecdf19..8b2346a65c 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -25,7 +25,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@59f9117686133e93b60a8f23131f87089a076e1b + uses: ossf/scorecard-action@175f59783fa96e44dd6fa96619ab7bdacab56b5c # v0.0.1 with: results_file: results.sarif results_format: sarif From f42f92e60ce9599cfd74f77191f8b0dfd5bbe08e Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Wed, 5 Jan 2022 09:50:26 -0800 Subject: [PATCH 214/844] Update erlang.yml Add token permissions --- ci/erlang.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ci/erlang.yml b/ci/erlang.yml index 25cb8939e7..3bebb1f03f 100644 --- a/ci/erlang.yml +++ b/ci/erlang.yml @@ -6,10 +6,14 @@ on: pull_request: branches: [ $default-branch ] +permissions: read-all + jobs: build: + permissions: + contents: read # for actions/checkout to fetch code runs-on: ubuntu-latest container: 
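Review bot: In the ci/erlang.yml hunk of [PATCH 214], the workflow-level `permissions: read-all` is overridden for the `build` job by the job-level block added right after it, so in this single-job file it only sets the default for jobs added later — and that default is read on every scope rather than nothing. If the goal is fail-closed least privilege, `permissions: {}` at the top level makes any future job that omits its own block run with no token scopes; if `read-all` is a deliberate repository-wide default, a short comment next to it saying so would stop reviewers from reading it as an oversight. The same shape is in the code-scanning/trivy.yml hunk of [PATCH 217]. The `build` job body continues outside the hunk.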
From 00e08539ca5ff25307997d8c845296376a1cd858 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 10 Jan 2022 23:19:46 +0000 Subject: [PATCH 215/844] prepare release --- code-scanning/scorecards.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 8b2346a65c..ba42ef0248 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -17,6 +17,8 @@ jobs: permissions: # Needed to upload the results to code-scanning dashboard. security-events: write + actions: read + contents: read steps: - name: "Checkout code" @@ -34,8 +36,8 @@ jobs: repo_token: ${{ secrets.SCORECARD_TOKEN }} # Publish the results to enable scorecard badges. For more details, see # https://github.com/ossf/scorecard-action#publishing-results. - # If you are installing the action on a private repo, set it to `publish_results: false` - # or comment out the following line. + # Note: for private repositories, the value of `publish_results` set here + # is ignored and defaults to false. publish_results: true # Upload the results as artifacts (optional). From b0f310cefc1cd8acd28eb8680356f1b084414f09 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 10 Jan 2022 23:52:58 +0000 Subject: [PATCH 216/844] update token name --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index ba42ef0248..6cbdaafed7 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml 
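Review bot: The newly added `actions: read` and `contents: read` scopes in the first hunk carry no why-comment, while the adjacent `security-events: write` is documented with `# Needed to upload the results to code-scanning dashboard.`, so a reader cannot tell which step needs each scope or whether it can be dropped later. Give each its own note in the same style, e.g. `contents: read # for actions/checkout to fetch code` (the wording ci/erlang.yml already uses on this page) and, for `actions: read`, a line naming the step that needs it — I cannot confirm the exact reason from this hunk, so it should be verified against the action's documentation before being written. The `permissions:` block belongs to a job whose header is outside the hunk.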
@@ -33,7 +33,7 @@ jobs: results_format: sarif # Read-only PAT token. To create it, # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation. - repo_token: ${{ secrets.SCORECARD_TOKEN }} + repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} # Publish the results to enable scorecard badges. For more details, see # https://github.com/ossf/scorecard-action#publishing-results. # Note: for private repositories, the value of `publish_results` set here From f78e23c19de6d564883c07e34c2340f14f797048 Mon Sep 17 00:00:00 2001 From: shubham malik Date: Thu, 13 Jan 2022 11:12:14 +0530 Subject: [PATCH 217/844] Update trivy.yml --- code-scanning/trivy.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index f778492b98..307950e6de 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -14,8 +14,13 @@ on: schedule: - cron: $cron-weekly +permissions: read-all + jobs: build: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Build runs-on: "ubuntu-18.04" steps: From aa643dfa0c1ddbdc15fe80baa4c7bf5a60eca2a6 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 13 Jan 2022 22:29:39 +0000 Subject: [PATCH 218/844] bump hash --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 6cbdaafed7..a756c2b0b6 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -27,7 +27,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@175f59783fa96e44dd6fa96619ab7bdacab56b5c # v0.0.1 + uses: ossf/scorecard-action@0fe1afdc40f536c78e3dc69147b91b3ecec2cc8a # v1.0.0 with: results_file: results.sarif results_format: sarif From 1b10c28ff42916ad2a9d5f9566d39656df9e6372 Mon Sep 17 00:00:00 2001 
From: laurentsimon Date: Fri, 14 Jan 2022 03:00:11 +0000 Subject: [PATCH 219/844] rem tabs and update comment --- code-scanning/scorecards.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index a756c2b0b6..cbd0e01594 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -1,5 +1,5 @@ name: Scorecards supply-chain security -on: +on: # Only the default branch is supported. branch_protection_rule: schedule: @@ -19,7 +19,7 @@ jobs: security-events: write actions: read contents: read - + steps: - name: "Checkout code" uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 @@ -36,8 +36,8 @@ jobs: repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} # Publish the results to enable scorecard badges. For more details, see # https://github.com/ossf/scorecard-action#publishing-results. - # Note: for private repositories, the value of `publish_results` set here - # is ignored and defaults to false. + # For private repositories, `publish_results` will automatically be set to `false`, + # regardless of the value entered here. publish_results: true # Upload the results as artifacts (optional). @@ -47,7 +47,7 @@ jobs: name: SARIF file path: results.sarif retention-days: 5 - + # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26 From 588f02dade95e45435f1a970cde5258223b6f9ab Mon Sep 17 00:00:00 2001 
From: Manuel Date: Sat, 15 Jan 2022 00:05:31 +0100 Subject: [PATCH 220/844] Switch java distribution from 'adopt' to 'temurin' (#1065) adopt is rebranded into temurin see https://blog.adoptopenjdk.net/2021/03/transition-to-eclipse-an-update/ --- ci/android.yml | 2 +- ci/ant.yml | 2 +- ci/gradle-publish.yml | 2 +- ci/gradle.yml | 2 +- ci/maven-publish.yml | 2 +- ci/maven.yml | 2 +- ci/scala.yml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ci/android.yml b/ci/android.yml index 3037b9ff1b..f289bd5c73 100644 --- a/ci/android.yml +++ b/ci/android.yml @@ -17,7 +17,7 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' cache: gradle - name: Grant execute permission for gradlew diff --git a/ci/ant.yml b/ci/ant.yml index 655a94c90e..0205d40359 100644 --- a/ci/ant.yml +++ b/ci/ant.yml @@ -20,6 +20,6 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' - name: Build with Ant run: ant -noinput -buildfile build.xml diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index f24c004e5e..26bc0df0f2 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -25,7 +25,7 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' server-id: github # Value of the distributionManagement/repository/id field of the pom.xml settings-path: ${{ github.workspace }} # location for the settings.xml file diff --git a/ci/gradle.yml b/ci/gradle.yml index b83458c09c..cc63e9a087 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -24,7 +24,7 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' - name: Build with Gradle uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 with: diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml index 18dd937d4e..319f9a1194 100644 --- a/ci/maven-publish.yml 
+++ b/ci/maven-publish.yml @@ -21,7 +21,7 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' server-id: github # Value of the distributionManagement/repository/id field of the pom.xml settings-path: ${{ github.workspace }} # location for the settings.xml file diff --git a/ci/maven.yml b/ci/maven.yml index ac3b6de431..f301fe093e 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -20,7 +20,7 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' cache: maven - name: Build with Maven run: mvn -B package --file pom.xml diff --git a/ci/scala.yml b/ci/scala.yml index 4a3c112725..af6b2ed0bc 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -17,6 +17,6 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' - name: Run tests run: sbt test From b224dd844994cf72698787cfaa6e91d3b9bcef14 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 14 Jan 2022 21:38:04 +0000 Subject: [PATCH 221/844] update icon --- code-scanning/scorecards.yml | 2 +- icons/scorecards.svg | 366 +---------------------------------- 2 files changed, 2 insertions(+), 366 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index cbd0e01594..2172aba65a 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -27,7 +27,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@0fe1afdc40f536c78e3dc69147b91b3ecec2cc8a # v1.0.0 + uses: ossf/scorecard-action@f5a7da46837397de5331ea22ce0099e2bfe265d0 # v1.0.1 with: results_file: results.sarif results_format: sarif diff --git a/icons/scorecards.svg b/icons/scorecards.svg index 9db608c09f..9433c9195a 100644 --- a/icons/scorecards.svg +++ b/icons/scorecards.svg 
@@ -1,365 +1 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + \ No newline at end of file From 94100d1d4a908d4b49a2c82511353ec7b670cc07 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 14 Jan 2022 21:44:30 +0000 Subject: [PATCH 222/844] bump --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 2172aba65a..dbae3612ed 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -27,7 +27,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@f5a7da46837397de5331ea22ce0099e2bfe265d0 # v1.0.1 + uses: ossf/scorecard-action@e3e75cf2ffbf9364bbff86cdbdf52b23176fe492 # v1.0.1 with: results_file: results.sarif results_format: sarif From f31e3a9c9dda4c8027904038d1e7e1c54695dc7d Mon Sep 17 00:00:00 2001 From: Beth G Date: Sat, 15 Jan 2022 07:11:46 +0100 Subject: [PATCH 223/844] Add Datadog Synthetics GitHub action to starter workflows (#1342) --- ci/datadog-synthetics.yml | 38 +++++++++++++++++++ .../datadog-synthetics.properties.json | 6 +++ icons/datadog.svg | 4 ++ 3 files changed, 48 insertions(+) create mode 100644 ci/datadog-synthetics.yml create mode 100644 ci/properties/datadog-synthetics.properties.json create mode 100644 icons/datadog.svg diff --git a/ci/datadog-synthetics.yml b/ci/datadog-synthetics.yml new file mode 100644 index 0000000000..7056f87093 --- /dev/null +++ b/ci/datadog-synthetics.yml 
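Review bot: In the code-scanning/scorecards.yml hunk of [PATCH 222] the pin for `ossf/scorecard-action` moves from `f5a7da46837397de5331ea22ce0099e2bfe265d0` to `e3e75cf2ffbf9364bbff86cdbdf52b23176fe492`, yet the trailing comment stays `# v1.0.1`, the same tag [PATCH 221] attached to the previous SHA, so at least one of the two pins is mislabelled. If the v1.0.1 tag was re-pointed upstream, that deserves a sentence in the commit message, because a moving tag is exactly the situation SHA pinning exists to catch; if it was not, the comment should name the tag that actually resolves to `e3e75cf2ffbf9364bbff86cdbdf52b23176fe492`. The `with:` block of this step continues outside the hunk.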
@@ -0,0 +1,38 @@ +# This workflow will trigger Datadog Synthetic tests within your Datadog organisation +# For more information on running Synthetic tests within your GitHub workflows see: https://docs.datadoghq.com/synthetics/cicd_integrations/github_actions/ + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# To get started: + +# 1. Add your Datadog API (DD_API_KEY) and Application Key (DD_APP_KEY) as secrets to your GitHub repository. For more information, see: https://docs.datadoghq.com/account_management/api-app-keys/. +# 2. Start using the action within your workflow + +name: Run Datadog Synthetic tests + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + # Run Synthetic tests within your GitHub workflow. + # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci + - name: Run Datadog Synthetic tests + uses: DataDog/synthetics-ci-github-action@2b56dc0cca9daa14ab69c0d1d6844296de8f941e + with: + api_key: ${{secrets.DD_API_KEY}} + app_key: ${{secrets.DD_APP_KEY}} + test_search_query: 'tag:e2e-tests' #Modify this tag to suit your tagging strategy + + diff --git a/ci/properties/datadog-synthetics.properties.json b/ci/properties/datadog-synthetics.properties.json new file mode 100644 index 0000000000..5a4f74dce0 --- /dev/null +++ b/ci/properties/datadog-synthetics.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Datadog Synthetics", + "description": "Run Datadog Synthetic tests within your GitHub Actions workflow", + "iconName": "datadog", + "categories": ["Continuous integration", "JavaScript", "TypeScript", "Testing"] +} 
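Review bot: The new ci/datadog-synthetics.yml declares no `permissions:` block, so its job runs with whatever default `GITHUB_TOKEN` scopes the repository grants although it only needs to read the tree, and its `uses: actions/checkout@v2` is a floating tag while the third-party `DataDog/synthetics-ci-github-action` step right below it is pinned to a full SHA. Adding a top-level `permissions:` with `contents: read # for actions/checkout to fetch code` under it, and pinning checkout the same way as the Datadog step, brings the file in line with the hardening the other workflows on this page apply. The same two gaps are in the new ci/rubyonrails.yml of [PATCH 225], whose `test` and `lint` jobs both use `actions/checkout@v2` next to a SHA-pinned `ruby/setup-ruby`. The inline comment `#Modify this tag to suit your tagging strategy` also needs a space after `#` and two spaces before it to satisfy yamllint.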
diff --git a/icons/datadog.svg b/icons/datadog.svg new file mode 100644 index 0000000000..91cb3b6260 --- /dev/null +++ b/icons/datadog.svg @@ -0,0 +1,4 @@ + + + + From 11778e9eb06ef161f9f8fc44f9d82ca4b79675e3 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Mon, 17 Jan 2022 13:17:29 +0530 Subject: [PATCH 224/844] Add check for GITHUB_TOKEN permissions (#1354) --- .github/pull_request_template.md | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 6494e8d2b4..752dd99eb6 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -26,6 +26,7 @@ It is not: - [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests"). - [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build"). - [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification. +- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully. **For _CI_ workflows, the workflow:** From 5635bf05bcf0ed0db83494aca58ccaf979eed483 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Andr=C3=A9=20Arko?= Date: Mon, 17 Jan 2022 12:34:33 -0800 Subject: [PATCH 225/844] Upgrade Rails workflow to true CI (#1353) * Upgrade Rails workflow to true CI The existing Rails CI example only runs linters, which is not continuous integration. This change brings the Rails example workflow up to par with the other web framework CI flows, like Django. This example is optimized for Rails 7, which does not include NodeJS, webpack, or yarn by default. No Rails application code changes are required for this flow to run the tests, and both minitest and rspec are supported via the `test` rake task. * add Rails icon * use env vars, hopefully * use the full hash for ruby/setup-ruby * remove PORT since services cannot use it * stop repeating identical step envs * resolve env var declaration error * update setup-ruby to the SHA of v1.92 * use setup-ruby SHA for lint job too Co-authored-by: Bishal Prasad --- .../rubyonrails-lint.properties.json | 6 -- ci/properties/rubyonrails.properties.json | 6 ++ ci/rubyonrails-lint.yml | 32 ---------- ci/rubyonrails.yml | 58 +++++++++++++++++++ icons/rails.svg | 1 + 5 files changed, 65 insertions(+), 38 deletions(-) delete mode 100644 ci/properties/rubyonrails-lint.properties.json create mode 100644 ci/properties/rubyonrails.properties.json delete mode 100644 ci/rubyonrails-lint.yml create mode 100644 ci/rubyonrails.yml create mode 100644 icons/rails.svg diff --git a/ci/properties/rubyonrails-lint.properties.json b/ci/properties/rubyonrails-lint.properties.json deleted file mode 100644 index e6e5f6928e..0000000000 --- a/ci/properties/rubyonrails-lint.properties.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "name": "Rails - Install Dependencies and Run Linters", - "description": "Install dependencies and run linters on Rails application", - "iconName": "ruby", - "categories": ["Continuous integration", "Ruby", "Rails"] -} 
diff --git a/ci/properties/rubyonrails.properties.json b/ci/properties/rubyonrails.properties.json new file mode 100644 index 0000000000..49b29a4ede --- /dev/null +++ b/ci/properties/rubyonrails.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Ruby on Rails continuous integration", + "description": "Build, lint, and test a Rails application", + "iconName": "rails", + "categories": ["Continuous integration", "Ruby", "Rails"] +} diff --git a/ci/rubyonrails-lint.yml b/ci/rubyonrails-lint.yml deleted file mode 100644 index d95b70e637..0000000000 --- a/ci/rubyonrails-lint.yml +++ /dev/null @@ -1,32 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. -# This workflow will download a prebuilt Ruby version, install dependencies, and run linters -name: Rails - Install dependencies and run linters - -on: - push: - branches: [ $default-branch ] - pull_request: - branches: [ $default-branch ] -jobs: - run-lint: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v2 - - - name: Setup Ruby and install gems - uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e - with: - bundler-cache: true - # Add or Replace any other security checks here - - name: Run security checks - run: | - bin/bundler-audit --update - bin/brakeman -q -w2 - # Add or Replace any other Linters here - - name: Run linters - run: | - bin/rubocop --parallel \ No newline at end of file diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml new file mode 100644 index 0000000000..b7b3624394 --- /dev/null +++ b/ci/rubyonrails.yml 
@@ -0,0 +1,58 @@
+# This workflow uses actions that are not certified by GitHub. They are
+# provided by a third-party and are governed by separate terms of service,
+# privacy policy, and support documentation.
+#
+# This workflow will install a prebuilt Ruby version, install dependencies, and
+# run tests and linters.
+name: "Ruby on Rails CI"
+on:
+ push:
+ branches: [ $default-branch ]
+ pull_request:
+ branches: [ $default-branch ]
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ services:
+ postgres:
+ image: postgres:11-alpine
+ ports:
+ - "5432:5432"
+ env:
+ POSTGRES_DB: rails_test
+ POSTGRES_USER: rails
+ POSTGRES_PASSWORD: password
+ env:
+ RAILS_ENV: test
+ DATABASE_URL: "postgres://rails:password@localhost:5432/rails_test"
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+ # Add or replace dependency steps here
+ - name: Install Ruby and gems
+ uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92
+ with:
+ bundler-cache: true
+ # Add or replace database setup steps here
+ - name: Set up database schema
+ run: bin/rails db:schema:load
+ # Add or replace test runners here
+ - name: Run tests
+ run: bin/rake
+
+ lint:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+ - name: Install Ruby and gems
+ uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92
+ with:
+ bundler-cache: true
+ # Add or replace any other lints here
+ - name: Security audit dependencies
+ run: bin/bundler-audit --update
+ - name: Security audit application code
+ run: bin/brakeman -q -w2
+ - name: Lint Ruby files
+ run: bin/rubocop --parallel
diff --git a/icons/rails.svg b/icons/rails.svg
new file mode 100644
index 0000000000..5e1f8f8009
--- /dev/null
+++ b/icons/rails.svg
@@ -0,0 +1 @@
+
From ba97234b6070487094b58c0bd01959c47d29c20d Mon Sep 17 00:00:00 2001
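Review bot: The new `ci/rubyonrails.yml` declares no `permissions:` block, so both the `test` and `lint` jobs run with the repository's default `GITHUB_TOKEN` scope although nothing in either job needs more than a checkout; the other workflows touched in this series (erlang, trivy, anchore) are being moved to a workflow-level `permissions:` / `  contents: read` floor, and this new file should start from the same baseline. The file also mixes pinning styles: `ruby/setup-ruby` is pinned to a full commit SHA with a `# v1.92` comment while `actions/checkout@v2` follows a mutable tag in both jobs. The hard-coded `POSTGRES_PASSWORD: password` is acceptable for an ephemeral service container on the runner, but a short comment saying it is throwaway CI-only credential material would stop it being copied into a real `DATABASE_URL`.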
From: Jason Freeberg Date: Tue, 18 Jan 2022 14:07:26 -0800 Subject: [PATCH 226/844] Fix indentation error (#1356) --- deployments/azure-container-webapp.yml | 34 +++++++++++++------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml index 7c7bb2a990..57fe362ab8 100644 --- a/deployments/azure-container-webapp.yml +++ b/deployments/azure-container-webapp.yml @@ -62,21 +62,21 @@ jobs: tags: ghcr.io/${{ env.REPO }}:${{ github.sha }} file: ./Dockerfile - deploy: - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Lowercase the repo name and username + run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} - steps: - - name: Lowercase the repo name and username - run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} - - - name: Deploy to Azure Web App - id: deploy-to-webapp - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}' + - name: Deploy to Azure Web App + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}' From a96d2407b59e6e123df45d05c846d2ae3073d6aa Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?C=C3=A9sar=20Rom=C3=A1n?= Date: Wed, 19 Jan 2022 15:41:20 -0800 Subject: [PATCH 227/844] fix(ci): pylint.yml (#1108) ref: #636. `pylint` command does not work I've had success running the modified command [here](https://github.com/thecesrom/incendium/blob/project/.github/workflows/pylint.yml). Co-authored-by: Josh Gross
---
 ci/pylint.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ci/pylint.yml b/ci/pylint.yml
index 10c49c6d1d..7b555fee49 100644
--- a/ci/pylint.yml
+++ b/ci/pylint.yml
@@ -20,4 +20,4 @@ jobs:
 pip install pylint
 - name: Analysing the code with pylint
 run: |
- pylint `ls -R|grep .py$|xargs`
+ pylint $(git ls-files '*.py')
From ffa80e095edd0b21cda81cc3836cf3b7c863c355 Mon Sep 17 00:00:00 2001
From: Andrew Wiltshire <62200778+AW1534@users.noreply.github.com> Date: Thu, 20 Jan 2022 03:30:56 +0000 Subject: [PATCH 228/844] fixed grammatical error in node.js.yml (#1358)
---
 ci/node.js.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ci/node.js.yml b/ci/node.js.yml
index 89b24fed53..8d1b9c7001 100644
--- a/ci/node.js.yml
+++ b/ci/node.js.yml
@@ -1,4 +1,4 @@
-# This workflow will do a clean install of node dependencies, cache/restore them, build the source code and run tests across different versions of node
+# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node
 # For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
 name: Node.js CI
From eedf8fbcb38fafd48d3aa00644bd01325b89abaa Mon Sep 17 00:00:00 2001
From: Varun Sharma Date: Fri, 21 Jan 2022 12:23:16 -0800 Subject: [PATCH 229/844] Update erlang.yml Setting contents: read at workflow level, and removing from job level
---
 ci/erlang.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/ci/erlang.yml b/ci/erlang.yml
index 3bebb1f03f..fc11dacd13 100644
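Review bot: `pylint $(git ls-files '*.py')` word-splits the substituted file list, so a tracked path containing whitespace is passed as several arguments, and in a repository with no tracked `.py` files pylint is invoked with no target and exits with a usage error rather than a clean no-op. Piping NUL-separated names avoids both, `git ls-files -z -- '*.py' | xargs -0 -r pylint` (`-r` is the GNU xargs flag that skips the run on empty input, which the ubuntu runners provide). The step's `run:` block is otherwise unchanged and the surrounding job starts outside the hunk.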
--- a/ci/erlang.yml
+++ b/ci/erlang.yml
@@ -6,14 +6,13 @@ on:
 pull_request:
 branches: [ $default-branch ]
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 build:
- permissions:
- contents: read # for actions/checkout to fetch code
 runs-on: ubuntu-latest
 container:
From 41e7dd427d1cc358f8c78d1e511ba122d68f761e Mon Sep 17 00:00:00 2001
From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Mon, 24 Jan 2022 08:27:33 -0800 Subject: [PATCH 230/844] Scorecards: update hash to v1.0.2 We fixed a small issue and need to update the hash
---
 code-scanning/scorecards.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml
index dbae3612ed..618ce2890a 100644
--- a/code-scanning/scorecards.yml
+++ b/code-scanning/scorecards.yml
@@ -27,7 +27,7 @@ jobs:
 persist-credentials: false
 - name: "Run analysis"
- uses: ossf/scorecard-action@e3e75cf2ffbf9364bbff86cdbdf52b23176fe492 # v1.0.1
+ uses: ossf/scorecard-action@c8416b0b2bf627c349ca92fc8e3de51a64b005cf # v1.0.2
 with:
 results_file: results.sarif
 results_format: sarif
From 3b8f20ff6ffebfd48548a91beae21864b3bc56d9 Mon Sep 17 00:00:00 2001
From: Shubham malik Date: Wed, 26 Jan 2022 22:42:19 +0530 Subject: [PATCH 231/844] updated permission
---
 code-scanning/trivy.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml
index 307950e6de..3d5373f22c 100644
--- a/code-scanning/trivy.yml
+++ b/code-scanning/trivy.yml
@@ -14,7 +14,8 @@ on:
 schedule:
 - cron: $cron-weekly
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 build:
From 7a56117f9857b2b4b87c448f9ba839d0e1549a47 Mon Sep 17 00:00:00 2001
From: Bishal Prasad Date: Thu, 27 Jan 2022 10:27:08 +0530 Subject: [PATCH 232/844] Rename node.js.yml to bishal-node.js.yml
---
 ci/{node.js.yml => bishal-node.js.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename ci/{node.js.yml => bishal-node.js.yml} (100%)
diff --git a/ci/node.js.yml b/ci/bishal-node.js.yml similarity index 100% rename from ci/node.js.yml rename to ci/bishal-node.js.yml From c0b54905907ff685ff46b29437472d3ff5844709 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Thu, 27 Jan 2022 10:27:32 +0530 Subject: [PATCH 233/844] Rename ci/bishal-node.js.yml to node.js.yml --- ci/bishal-node.js.yml => node.js.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename ci/bishal-node.js.yml => node.js.yml (100%) diff --git a/ci/bishal-node.js.yml b/node.js.yml similarity index 100% rename from ci/bishal-node.js.yml rename to node.js.yml From 80404f48bc4162e425999b01ab82ec254a061371 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Thu, 27 Jan 2022 10:28:39 +0530 Subject: [PATCH 234/844] Rename node.js.yml to ci/node.js.yml --- node.js.yml => ci/node.js.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename node.js.yml => ci/node.js.yml (100%) diff --git a/node.js.yml b/ci/node.js.yml similarity index 100% rename from node.js.yml rename to ci/node.js.yml From 4f0f3e716db32badb9a62be949ebaa26967d0bca Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Thu, 27 Jan 2022 15:38:23 +0530 Subject: [PATCH 235/844] Update crunch42.yml --- code-scanning/crunch42.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/crunch42.yml b/code-scanning/crunch42.yml index 1d44bf9d14..e8e24472b8 100644 --- a/code-scanning/crunch42.yml +++ b/code-scanning/crunch42.yml @@ -33,8 +33,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: rest-api-static-security-testing: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for 42Crunch/api-security-audit-action to upload results to Github Code Scanning runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 From 1220bda7e4d820b469f0312332df5902cdf9257d Mon Sep 17 00:00:00 2001 
From: Aarnav Pai <52203828+arnu515@users.noreply.github.com> Date: Thu, 27 Jan 2022 21:21:47 +0530 Subject: [PATCH 236/844] Fix version of `denoland/setup-deno` (#1369) * Fix version of `denoland/setup-deno` * Update deno.yml
---
 ci/deno.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ci/deno.yml b/ci/deno.yml
index 38f231904c..25e9e2a510 100644
--- a/ci/deno.yml
+++ b/ci/deno.yml
@@ -24,7 +24,7 @@ jobs:
 - name: Setup Deno
 # uses: denoland/setup-deno@v1
- uses: denoland/setup-deno@004814556e37c54a2f6e31384c9e18e9833173669
+ uses: denoland/setup-deno@004814556e37c54a2f6e31384c9e18e983317366
 with:
 deno-version: v1.x
From c005c55b8b1593cb6ccb3ad53cc595a3bdb532d3 Mon Sep 17 00:00:00 2001
From: Fedor Isakov Date: Sun, 30 Jan 2022 09:07:53 +0300 Subject: [PATCH 237/844] update google workflow (#1359)
---
 deployments/google.yml | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/deployments/google.yml b/deployments/google.yml
index bfb5de630b..003e53be29 100644
--- a/deployments/google.yml
+++ b/deployments/google.yml
@@ -26,16 +26,16 @@ env:
 REPOSITORY: samples # TODO: update to Artifact Registry docker repository
 IMAGE: static-site
-permissions:
- contents: 'read'
- id-token: 'write'
-
 jobs:
 setup-build-publish-deploy:
 name: Setup, Build, Publish, and Deploy
 runs-on: ubuntu-latest
 environment: production
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+
 steps:
 - name: Checkout
 uses: actions/checkout@v2
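Review bot: Removing the workflow-level `permissions:` block in `deployments/google.yml` leaves the workflow without a token baseline: the block moved under `setup-build-publish-deploy` applies to that job only, so any job added to this workflow later runs with the repository's default `GITHUB_TOKEN` scope. Keep `permissions:` / `  contents: 'read'` at the workflow level as the floor and let the job override it with `id-token: 'write'`, which is the shape the erlang and trivy changes in this same series settle on. The `- name: Checkout` / `uses: actions/checkout@v2` context lines show the only other token consumer, which the floor would still satisfy.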
@@ -43,18 +43,24 @@ jobs:
 # Configure Workload Identity Federation and generate an access token.
 - id: 'auth'
 name: 'Authenticate to Google Cloud'
- uses: 'google-github-actions/auth@v0.4.0'
+ uses: 'google-github-actions/auth@v0'
 with:
 token_format: 'access_token'
 workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
 service_account: 'my-service-account@my-project.iam.gserviceaccount.com'
+ # Alternative option - authentication via credentials json
+ # - id: 'auth'
+ # uses: 'google-github-actions/auth@v0'
+ # with:
+ # credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
+
 - name: Docker configuration
 run: |-
 echo ${{steps.auth.outputs.access_token}} | docker login -u oauth2accesstoken --password-stdin https://$GAR_LOCATION-docker.pkg.dev
 # Get the GKE credentials so we can deploy to the cluster
 - name: Set up GKE credentials
- uses: google-github-actions/get-gke-credentials@v0.4.0
+ uses: google-github-actions/get-gke-credentials@v0
 with:
 cluster_name: ${{ env.GKE_CLUSTER }}
 location: ${{ env.GKE_ZONE }}
From 8430b6f878f9e8318ab48462eeed25731396f568 Mon Sep 17 00:00:00 2001
From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Mon, 31 Jan 2022 14:23:00 +0530 Subject: [PATCH 238/844] Update
---
 code-scanning/anchore.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml
index d90f68c07a..fcca708e99 100644
--- a/code-scanning/anchore.yml
+++ b/code-scanning/anchore.yml
@@ -20,8 +20,14 @@ on:
 schedule:
 - cron: $cron-weekly
+permissions:
+ contents: read
+
 jobs:
 Anchore-Build-Scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
 runs-on: ubuntu-latest
 steps:
 - name: Checkout the code
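Review bot: `google-github-actions/auth@v0` and `get-gke-credentials@v0` now follow a mutable major tag, so the action that exchanges the runner's OIDC token for a cloud access token can change under this workflow without any diff here; the replaced `v0.4.0` was at least a fixed release, and the other third-party actions touched in this series (`ossf/scorecard-action`, `ruby/setup-ruby`) are pinned to a full commit SHA with a version comment. Pin both to the release commit in the same style, `uses: 'google-github-actions/auth@<full-commit-sha-of-release> # vX.Y.Z'`. The commented-out `credentials_json` alternative swaps the short-lived federated token for a long-lived service-account key held in `secrets.GCP_CREDENTIALS`; a one-line comment above it stating that Workload Identity Federation is the preferred path and the key variant only a fallback would keep readers from uncommenting it by default.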
@@ -36,4 +42,4 @@ jobs: - name: Upload Anchore Scan Report uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: results.sarif \ No newline at end of file + sarif_file: results.sarif From 34d35389d179c8f3da46255ed31976853cb6ebcb Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Mon, 31 Jan 2022 14:23:00 +0530 Subject: [PATCH 239/844] updated gh_token permissions for anchore/scan-action --- code-scanning/anchore.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index d90f68c07a..fcca708e99 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -20,8 +20,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: Anchore-Build-Scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - name: Checkout the code @@ -36,4 +42,4 @@ jobs: - name: Upload Anchore Scan Report uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: results.sarif \ No newline at end of file + sarif_file: results.sarif From 890150c289fca8efec79fadc5f3df37820ecd855 Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Mon, 31 Jan 2022 10:48:11 +0000 Subject: [PATCH 240/844] Fixing some code scanning workflows description --- code-scanning/properties/apisec-scan.properties.json | 2 +- code-scanning/properties/cloudrail.properties.json | 2 +- code-scanning/properties/pmd.properties.json | 5 ++--- code-scanning/properties/scorecards.properties.json | 6 +++--- 4 files changed, 7 insertions(+), 8 deletions(-) diff --git a/code-scanning/properties/apisec-scan.properties.json b/code-scanning/properties/apisec-scan.properties.json index 9e7db581b3..b0872c8dd4 100644 --- a/code-scanning/properties/apisec-scan.properties.json 
+++ b/code-scanning/properties/apisec-scan.properties.json @@ -1,7 +1,7 @@ { "name": "APIsec Scan", "creator": "APIsec", - "description": "APIsec addresses the critical need to secure APIs before they reach production. APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs. Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities.", + "description": "APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs.", "iconName": "apisec", "categories": [ "Code Scanning", diff --git a/code-scanning/properties/cloudrail.properties.json b/code-scanning/properties/cloudrail.properties.json index 830d966d4a..e87f3cab3e 100644 --- a/code-scanning/properties/cloudrail.properties.json +++ b/code-scanning/properties/cloudrail.properties.json @@ -1,7 +1,7 @@ { "name": "cloudrail", "creator": "Indeni Cloudrail", - "description": "Cloudrail can be used to scan your infrastructure-as-code files for potential security and compliance issues. The Cloudrail action is often used as part of both CI workflows (on pull_request) and on CD workflows to identify potential issues.", + "description": "Cloudrail can be used to scan your infrastructure-as-code files for potential security and compliance issues.", "iconName": "cloudrail", "categories": ["Code Scanning", "HCL"] } diff --git a/code-scanning/properties/pmd.properties.json b/code-scanning/properties/pmd.properties.json index 86080221a3..b96ecb75c0 100644 --- a/code-scanning/properties/pmd.properties.json +++ b/code-scanning/properties/pmd.properties.json 
@@ -1,7 +1,7 @@ { "name": "pmd", "creator": "pmd", - "description": "PMD is a static source code analyzer. It finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth. It supports Java, JavaScript, Salesforce.com Apex and Visualforce, Modelica, PLSQL, Apache Velocity, XML, XSL, Scala.", + "description": "PMD is a static source code analyzer. It supports Java, JavaScript, Apex and Visualforce, Modelica, PLSQL, Apache Velocity, XML, XSL, Scala.", "iconName": "pmd", "categories": [ "Code Scanning", @@ -13,7 +13,6 @@ "Apache Velocity", "XML", "XSl", - "Scala", - "Apex" + "Scala" ] } \ No newline at end of file diff --git a/code-scanning/properties/scorecards.properties.json b/code-scanning/properties/scorecards.properties.json index d45274b9e4..a98834c56c 100644 --- a/code-scanning/properties/scorecards.properties.json +++ b/code-scanning/properties/scorecards.properties.json @@ -1,7 +1,7 @@ { - "name": "OSSF Scorecards supply-chain security analysis", - "creator": "Open Source Security Foundation (OpenSSF) - https://github.com/ossf", - "description": "Scorecards is a static analysis tool to assess the security posture of your project", + "name": "OSSF Scorecards", + "creator": "Open Source Security Foundation (OpenSSF)", + "description": "Scorecards is a static supply-chain security analysis tool to assess the security posture of your project", "iconName": "scorecards", "categories": ["Code Scanning"] } From 776a96049686c7602b1fc0706bc21d1db9f7bfcc Mon Sep 17 00:00:00 2001 From: Daz DeBoer Date: Mon, 31 Jan 2022 14:47:10 -0700 Subject: [PATCH 241/844] Update for `gradle-build-action@v2.1.2` release (#1375) --- ci/gradle-publish.yml | 4 ++-- ci/gradle.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 26bc0df0f2..0fecd235f4 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml 
@@ -30,14 +30,14 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Build with Gradle - uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 + uses: gradle/gradle-build-action@bc3340afc5e3cc44f2321809ac090d731c13c514 with: arguments: build # The USERNAME and TOKEN need to correspond to the credentials environment variables used in # the publishing section of your build.gradle - name: Publish to GitHub Packages - uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 + uses: gradle/gradle-build-action@bc3340afc5e3cc44f2321809ac090d731c13c514 with: arguments: publish env: diff --git a/ci/gradle.yml b/ci/gradle.yml index cc63e9a087..bc64e5e350 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -26,6 +26,6 @@ jobs: java-version: '11' distribution: 'temurin' - name: Build with Gradle - uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 + uses: gradle/gradle-build-action@bc3340afc5e3cc44f2321809ac090d731c13c514 with: arguments: build From d71bfc344e4081dfbeb2fcca7cd8839ae5d06e31 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Tue, 1 Feb 2022 22:34:47 +0530 Subject: [PATCH 242/844] Create checkmarx.yml --- code-scanning/checkmarx.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index 96b9897a58..d012bce5c8 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml 
@@ -17,10 +17,18 @@ on: - cron: $cron-weekly # A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action +permissions: + contents: read + jobs: # This workflow contains a single job called "build" build: # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action + permissions: + contents: read # for actions/checkout to fetch code + issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues + pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) From a76776b484009a5dc3accadfb53dbbc4d953d9e2 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Wed, 2 Feb 2022 23:49:53 +0530 Subject: [PATCH 243/844] Update codacy.yml --- code-scanning/codacy.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index 50185addd4..4892930921 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -22,8 +22,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: codacy-security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Codacy Security Scan runs-on: ubuntu-latest steps: From e7b6150c5d5e51b08fd12c97dac956e3a2aff175 Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Thu, 3 Feb 2022 13:54:14 +0530 Subject: [PATCH 244/844] Added underscore(_) in the name to fix yml errors caused by the empty spaces in the name --- code-scanning/apisec-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 3aa06ca657..65a6bafc79 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -43,7 +43,7 @@ on: jobs: - Trigger APIsec scan: + Trigger_APIsec_scan: runs-on: ubuntu-latest steps: From 98bd06c9adbcd9070c1ae4916193a9a898b2a7fa Mon Sep 17 00:00:00 2001 From: Daz DeBoer Date: Thu, 3 Feb 2022 14:24:19 -0700 Subject: [PATCH 245/844] Update for gradle/gradle-build-action@v2.1.3 (#1384) --- ci/gradle-publish.yml | 4 ++-- ci/gradle.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 0fecd235f4..9fdc8516ea 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -30,14 +30,14 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Build with Gradle - uses: gradle/gradle-build-action@bc3340afc5e3cc44f2321809ac090d731c13c514 + uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 with: arguments: build # The USERNAME and TOKEN need to correspond to the credentials environment variables used in # the publishing section of your build.gradle - name: Publish to GitHub Packages - uses: gradle/gradle-build-action@bc3340afc5e3cc44f2321809ac090d731c13c514 + uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 with: arguments: publish env: diff --git a/ci/gradle.yml b/ci/gradle.yml index bc64e5e350..fc8cf2fea8 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -26,6 +26,6 @@ jobs: java-version: '11' distribution: 'temurin' - name: Build with Gradle - uses: gradle/gradle-build-action@bc3340afc5e3cc44f2321809ac090d731c13c514 + uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 with: arguments: build From de41169eb0a60341cf326c9b790a79a99e147793 Mon Sep 17 00:00:00 2001 
From: Bishal Prasad Date: Fri, 4 Feb 2022 09:45:26 +0530 Subject: [PATCH 246/844] Revert "Add Datadog Synthetics GitHub action to starter workflows (#1342)" (#1385) This reverts commit f31e3a9c9dda4c8027904038d1e7e1c54695dc7d. --- ci/datadog-synthetics.yml | 38 ------------------- .../datadog-synthetics.properties.json | 6 --- icons/datadog.svg | 4 -- 3 files changed, 48 deletions(-) delete mode 100644 ci/datadog-synthetics.yml delete mode 100644 ci/properties/datadog-synthetics.properties.json delete mode 100644 icons/datadog.svg diff --git a/ci/datadog-synthetics.yml b/ci/datadog-synthetics.yml deleted file mode 100644 index 7056f87093..0000000000 --- a/ci/datadog-synthetics.yml +++ /dev/null 
@@ -1,38 +0,0 @@ -# This workflow will trigger Datadog Synthetic tests within your Datadog organisation -# For more information on running Synthetic tests within your GitHub workflows see: https://docs.datadoghq.com/synthetics/cicd_integrations/github_actions/ - -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# To get started: - -# 1. Add your Datadog API (DD_API_KEY) and Application Key (DD_APP_KEY) as secrets to your GitHub repository. For more information, see: https://docs.datadoghq.com/account_management/api-app-keys/. -# 2. Start using the action within your workflow - -name: Run Datadog Synthetic tests - -on: - push: - branches: [ $default-branch ] - pull_request: - branches: [ $default-branch ] - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - # Run Synthetic tests within your GitHub workflow. - # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci - - name: Run Datadog Synthetic tests - uses: DataDog/synthetics-ci-github-action@2b56dc0cca9daa14ab69c0d1d6844296de8f941e - with: - api_key: ${{secrets.DD_API_KEY}} - app_key: ${{secrets.DD_APP_KEY}} - test_search_query: 'tag:e2e-tests' #Modify this tag to suit your tagging strategy - - diff --git a/ci/properties/datadog-synthetics.properties.json b/ci/properties/datadog-synthetics.properties.json deleted file mode 100644 index 5a4f74dce0..0000000000 --- a/ci/properties/datadog-synthetics.properties.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "name": "Datadog Synthetics", - "description": "Run Datadog Synthetic tests within your GitHub Actions workflow", - "iconName": "datadog", - "categories": ["Continuous integration", "JavaScript", "TypeScript", "Testing"] -} 
diff --git a/icons/datadog.svg b/icons/datadog.svg deleted file mode 100644 index 91cb3b6260..0000000000 --- a/icons/datadog.svg +++ /dev/null @@ -1,4 +0,0 @@ - - - - From 5d03c86e2615ba04a2dcb4ec2ed2cd659eecdb98 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Fri, 4 Feb 2022 10:42:13 +0530 Subject: [PATCH 247/844] Added token permission for deployments/azure-staticwebapp.yml --- deployments/azure-staticwebapp.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml index 8e1faf7e2a..5430f04688 100644 --- a/deployments/azure-staticwebapp.yml +++ b/deployments/azure-staticwebapp.yml @@ -28,8 +28,14 @@ env: APP_ARTIFACT_LOCATION: "build" # location of client code build output AZURE_STATIC_WEB_APPS_API_TOKEN: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing deployment token for your static web app +permissions: + contents: read + jobs: build_and_deploy_job: + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: write # for Azure/static-web-apps-deploy to comment on PRs if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed') runs-on: ubuntu-latest name: Build and Deploy Job @@ -52,6 +58,8 @@ jobs: ###### End of Repository/Build Configurations ###### close_pull_request_job: + permissions: + contents: none if: github.event_name == 'pull_request' && github.event.action == 'closed' runs-on: ubuntu-latest name: Close Pull Request Job From d580918e060b0b513a57c8644e9712cd51e021bd Mon Sep 17 00:00:00 2001 
From: Andreas Dangel Date: Thu, 10 Feb 2022 18:08:47 +0100 Subject: [PATCH 248/844] Update pmd to v1.2.0 * Use pmd/pmd-github-action@967a81f8b657c87f7c3e96b62301cb1a48efef29 which is v1.2.0 * Remove "cache: maven" setting, which fails if no pom.xml file is existing * Set parameter "analyzeModifiedFilesOnly: false" to prevent incomplete analysis results. See also https://github.com/pmd/pmd-github-action/issues/35 --- code-scanning/pmd.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index ba895fe265..06047344f7 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -9,7 +9,7 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ $default-branch ] + branches: [ $default-branch ] schedule: - cron: $cron-weekly @@ -23,13 +23,13 @@ jobs: with: java-version: '11' distribution: 'temurin' - cache: maven - name: Run PMD id: pmd - uses: pmd/pmd-github-action@6d98898be0d59f46ec37dafcea33d8f8f55acfd1 + uses: pmd/pmd-github-action@967a81f8b657c87f7c3e96b62301cb1a48efef29 with: rulesets: 'rulesets/java/quickstart.xml' sourcePath: 'src/main/java' + analyzeModifiedFilesOnly: false - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v1 with: From b88366bf0e067c779927710896ffd772d554574c Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Fri, 11 Feb 2022 16:47:51 +0530 Subject: [PATCH 249/844] added token permissions --- code-scanning/snyk-infrastructure.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index b79bf340e4..be7c2f0566 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml 
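Review bot: The new `pmd/pmd-github-action@967a81f8b657c87f7c3e96b62301cb1a48efef29` pin carries no version comment, although the commit message says it is v1.2.0 and the other SHA pins in this series are annotated (`# v1.92`, `# v1.0.2`); without it a reader cannot tell what release the hash corresponds to or whether it is stale. Write `uses: pmd/pmd-github-action@967a81f8b657c87f7c3e96b62301cb1a48efef29 # v1.2.0`. The `analyzeModifiedFilesOnly: false` addition would also benefit from a short comment giving the reason in the commit message (incomplete results otherwise), since the default is not obvious from the key name.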
@@ -21,8 +21,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 From 2a4545affa629f8317733e2a81401b069cd07692 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Fri, 11 Feb 2022 16:50:05 +0530 Subject: [PATCH 250/844] added github_token permissions --- code-scanning/xanitizer.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 3bfb9ed68d..1e511aa853 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -42,9 +42,15 @@ on: - cron: $cron-weekly workflow_dispatch: +permissions: + contents: read + jobs: xanitizer-security-analysis: # Xanitizer runs on ubuntu-latest and windows-latest. + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: From 494ea2d29d4639345a238dc8a98c06abd89f4f4c Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Fri, 11 Feb 2022 16:52:39 +0530 Subject: [PATCH 251/844] added github_token permissions --- code-scanning/powershell.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index dfbf452e2b..22e5ea78b3 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -17,8 +17,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: build: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: PSScriptAnalyzer runs-on: ubuntu-latest steps: 
From 6e8e5830e94403d54495f803067dd7653dabb0d2 Mon Sep 17 00:00:00 2001
From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Fri, 11 Feb 2022 16:56:36 +0530 Subject: [PATCH 252/844] added token permissions
---
 deployments/azure-container-webapp.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml
index 57fe362ab8..b6f339f5e3 100644
--- a/deployments/azure-container-webapp.yml
+++ b/deployments/azure-container-webapp.yml
@@ -35,6 +35,9 @@ on:
 - $default-branch
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
@@ -63,6 +66,8 @@ jobs:
 file: ./Dockerfile
 deploy:
+ permissions:
+ contents: none
 runs-on: ubuntu-latest
 needs: build
 environment:
From 4579cb5c54c0244e7ae7935f290bc26d979761ee Mon Sep 17 00:00:00 2001
From: Chris Gavin Date: Fri, 11 Feb 2022 15:03:41 +0000 Subject: [PATCH 253/844] Fix some workflows not being excluded from Enterprise syncing.
---
 code-scanning/properties/detekt.properties.json | 5 ++---
 script/sync-ghes/index.ts | 3 +++
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/code-scanning/properties/detekt.properties.json b/code-scanning/properties/detekt.properties.json
index d51a6ad75a..c133cc1354 100644
--- a/code-scanning/properties/detekt.properties.json
+++ b/code-scanning/properties/detekt.properties.json
@@ -3,7 +3,6 @@
 "creator": "Detekt",
 "description": "Static code analysis for Kotlin",
 "iconName": "detekt",
- "categories": ["Code Scanning", "Kotlin"]
+ "categories": ["Code Scanning", "Kotlin"],
+ "enterprise": false
 }
-
-
\ No newline at end of file
diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts
index 9edc70ee28..608e73d63c 100755
--- a/script/sync-ghes/index.ts
+++ b/script/sync-ghes/index.ts
@@ -21,6 +21,8 @@ interface WorkflowProperties {
 categories: string[] | null;
 creator?: string;
+
+ enterprise?: boolean;
 }
 interface WorkflowsCheckResult {
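Review bot: The workflow-level `contents: read` added in the first hunk of `deployments/azure-container-webapp.yml` now also bounds the `build` job, which gets no job-level block here; that job builds and pushes an image to `ghcr.io` (the `tags: ghcr.io/${{ env.REPO }}:${{ github.sha }}` line is visible in this file's earlier patch in the series), and if the registry login uses `GITHUB_TOKEN` — the login step lies outside both hunks — the push now lacks `packages: write` and fails. Give `build:` its own block, `permissions:` / `contents: read` / `packages: write`, mirroring the block this commit adds under `deploy:`. `contents: none` on `deploy:` looks right, since that job authenticates with `secrets.AZURE_WEBAPP_PUBLISH_PROFILE` rather than the token.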
@@ -59,6 +61,7 @@ async function checkWorkflows( const enabled = !isPartnerWorkflow && + workflowProperties.enterprise !== false && (await checkWorkflow(workflowFilePath, enabledActions)); const workflowDesc: WorkflowDesc = { From 14ce90e99f9db28d05cc0a81e2b63370e034db38 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Mon, 14 Feb 2022 11:13:30 +0530 Subject: [PATCH 254/844] added github_token permissions --- code-scanning/semgrep.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index 827387be55..f99d441f78 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -19,8 +19,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: semgrep: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Scan runs-on: ubuntu-latest steps: From 63beace25d14ca0b8918b467dbfe7bc0f3281742 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Mon, 14 Feb 2022 11:16:12 +0530 Subject: [PATCH 255/844] added github_token permission --- deployments/terraform.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/terraform.yml b/deployments/terraform.yml index 589f1f30fc..b7cbc3af7b 100644 --- a/deployments/terraform.yml +++ b/deployments/terraform.yml @@ -50,6 +50,9 @@ on: - $default-branch pull_request: +permissions: + contents: read + jobs: terraform: name: 'Terraform' From dc2daec13461e79d070e114e1c6acdedc695ca50 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Mon, 14 Feb 2022 11:27:43 +0530 Subject: [PATCH 256/844] added token permissions --- ci/msbuild.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/msbuild.yml b/ci/msbuild.yml index 29b6acebc1..2cf2a8899e 100644 --- a/ci/msbuild.yml +++ b/ci/msbuild.yml 
@@ -11,6 +11,9 @@ env: # https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix BUILD_CONFIGURATION: Release +permissions: + contents: read + jobs: build: runs-on: windows-latest From ccd26a97cbd594ff3af6632ba294d570b2e5c797 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Mon, 14 Feb 2022 11:30:57 +0530 Subject: [PATCH 257/844] added token permissions --- ci/d.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/d.yml b/ci/d.yml index 6086681203..c78e2ceb85 100644 --- a/ci/d.yml +++ b/ci/d.yml @@ -10,6 +10,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: From b90ea0582ae3866c2a11e47fc3708e4d97a5ad3f Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 12:43:26 +0530 Subject: [PATCH 258/844] Update veracode.yml --- code-scanning/veracode.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index e38fffd5d6..073d1b6b99 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -17,10 +17,16 @@ on: - cron: $cron-weekly # A workflow run is made up of one or more jobs that can run sequentially or in parallel +permissions: + contents: read + jobs: # This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter build-and-pipeline-scan: # The type of runner that the job will run on + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: From d50a73e3b85ca935b2a475373e3645a277b0757b Mon Sep 17 00:00:00 2001 
From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 12:47:03 +0530 Subject: [PATCH 259/844] Update python-publish.yml --- ci/python-publish.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 3bfabfc125..489d5e651e 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -12,6 +12,9 @@ on: release: types: [published] +permissions: + contents: read + jobs: deploy: From fa522381039cec2072a9f83de5f7fd077faf57d4 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 12:57:42 +0530 Subject: [PATCH 260/844] Update gradle.yml --- ci/gradle.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/gradle.yml b/ci/gradle.yml index fc8cf2fea8..11b4ea617c 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -13,6 +13,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: From d8a2673986720cf4f579448519c77a37d861d53e Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 12:59:51 +0530 Subject: [PATCH 261/844] Update prisma.yml --- code-scanning/prisma.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 5323d1b56f..5b1148202e 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -21,8 +21,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: prisma_cloud_iac_scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest name: Run Prisma Cloud IaC Scan to check steps: From fd8ffb3d9c4336e2e4584baebffce4196086e794 Mon Sep 17 00:00:00 2001 
From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 13:01:38 +0530 Subject: [PATCH 262/844] Update aws.yml --- deployments/aws.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/aws.yml b/deployments/aws.yml index dab851f906..65f445f89c 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -41,6 +41,9 @@ env: CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the # containerDefinitions section of your task definition +permissions: + contents: read + jobs: deploy: name: Deploy From d6dfba970ff1b09095fe860bf15860fbfc788840 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 13:03:20 +0530 Subject: [PATCH 263/844] Update deno.yml --- ci/deno.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/deno.yml b/ci/deno.yml index 25e9e2a510..6393f5ff38 100644 --- a/ci/deno.yml +++ b/ci/deno.yml @@ -14,6 +14,9 @@ on: pull_request: branches: [$default-branch] +permissions: + contents: read + jobs: test: runs-on: ubuntu-latest From baf5276476b911e377a006890698a2bfd211e47d Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 13:05:59 +0530 Subject: [PATCH 264/844] Update ruby.yml --- ci/ruby.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/ruby.yml b/ci/ruby.yml index f6ae1e3573..9f90687d14 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -13,6 +13,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: test: From 4333c79965dc3415883fbb3d4c4b2d4e6d6f2e3f Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 13:08:08 +0530 Subject: [PATCH 265/844] Update codacy.yml --- code-scanning/codacy.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index 50185addd4..4892930921 100644 
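Review bot: `contents: read` at the top level is correct for the static-access-key `aws-actions/configure-aws-credentials` setup this template is written around, but it also forces `id-token` to `none`, which silently breaks the OIDC `role-to-assume` variant that avoids long-lived AWS keys; the deploy job's steps are outside the hunk, so this is a caveat for whoever adapts the template rather than a defect in it. A comment next to the new block would keep the failure from being a surprise: `# add 'id-token: write' if configure-aws-credentials is switched to OIDC (role-to-assume)`.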
--- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -22,8 +22,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: codacy-security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Codacy Security Scan runs-on: ubuntu-latest steps: From b93e51dac62613e75ab7b232cead7c400368d461 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 13:11:47 +0530 Subject: [PATCH 266/844] Update msvc.yml --- code-scanning/msvc.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 1503319e77..83d457113a 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -20,8 +20,14 @@ env: # Path to the CMake build directory. build: '${{ github.workspace }}/build' +permissions: + contents: read + jobs: analyze: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Analyze runs-on: windows-latest From ab9bdce2e320816516a6b28bf58c3f503daa0bb3 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Mon, 14 Feb 2022 15:19:56 +0530 Subject: [PATCH 267/844] Update apisec-scan.yml --- code-scanning/apisec-scan.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 3aa06ca657..4737d0605f 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -42,8 +42,13 @@ on: workflow_dispatch: +permissions: + contents: read + jobs: Trigger APIsec scan: + permissions: + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: 
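Review bot: The job-level `permissions:` on `Trigger APIsec scan` lists only `security-events: write`, and a job-level block replaces the top-level one wholesale, so `contents` becomes `none` for that job; if any of its steps (outside the hunk) check out the repository, that checkout now fails. Every other template in this series pairs the two, so add `contents: read # for actions/checkout to fetch code` above `security-events: write`, or leave a comment stating that the job intentionally never touches the repo. Unrelated to this change but visible in the context line: `Trigger APIsec scan` is a job id, and GitHub only accepts ids made of letters, digits, `-` and `_` that start with a letter or `_`, so the spaces will be rejected when the workflow is loaded.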
@@ -61,4 +66,4 @@ jobs: - name: Import results uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: ./apisec-results.sarif \ No newline at end of file + sarif_file: ./apisec-results.sarif From f6474e2bfa207cc53531f4de21c1f9243ec7c46a Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Mon, 14 Feb 2022 15:23:03 +0530 Subject: [PATCH 268/844] Update brakeman.yml --- code-scanning/brakeman.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index ae5215a33e..d0b25ac9a3 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -17,8 +17,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: brakeman-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Brakeman Scan runs-on: ubuntu-latest steps: From 394301af94ed4c4a052d067ef69a71885bc0a297 Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Mon, 14 Feb 2022 10:11:33 +0000 Subject: [PATCH 269/844] Adding folder category check --- script/validate-data/index.ts | 17 ++++++++++++----- script/validate-data/settings.json | 18 ++++++++++++++++++ 2 files changed, 30 insertions(+), 5 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 7dce3d1494..6669b34056 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -1,7 +1,7 @@ #!/usr/bin/env npx ts-node import { promises as fs } from "fs"; import { safeLoad } from "js-yaml"; -import { basename, extname, join } from "path"; +import { basename, extname, join, dirname } from "path"; import { Validator as validator } from "jsonschema"; import { endGroup, error, info, setFailed, startGroup } from '@actions/core'; 
@@ -40,7 +40,7 @@ const propertiesSchema = { } } -async function checkWorkflows(folders: string[], allowed_categories: string[]): Promise { +async function checkWorkflows(folders: string[], allowed_categories: string[], folder_category_map: object[]): Promise { const result: WorkflowWithErrors[] = [] const workflow_template_names = new Set() for (const folder of folders) { @@ -55,7 +55,7 @@ async function checkWorkflows(folders: string[], allowed_categories: string[]): const workflowFilePath = join(folder, e.name); const propertiesFilePath = join(folder, "properties", `${fileType}.properties.json`) - const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, allowed_categories); + const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, allowed_categories, folder_category_map); if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) { workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) } @@ -69,7 +69,7 @@ async function checkWorkflows(folders: string[], allowed_categories: string[]): return result; } -async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: string[]): Promise { +async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: string[], folder_category_map: object[]): Promise { let workflowErrors: WorkflowWithErrors = { id: workflowPath, name: null, 
@@ -104,10 +104,17 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow } } + var directoryName = dirname(workflowPath) + var folder_category = folder_category_map.find( folder_category => folder_category["name"] == directoryName)["category"] if (!workflowPath.endsWith("blank.yml") && (!properties.categories || !properties.categories.some(category => allowed_categories.some(ac => ac.toLowerCase() == category.toLowerCase())))) { workflowErrors.errors.push(`Workflow does not contain at least one allowed category - ${allowed_categories}`) } + + if(properties.categories && !properties.categories.some(category => category.toLowerCase() == folder_category.toLowerCase())) { + workflowErrors.errors.push(`Either workflow is not added to the correct directory or category specified is wrong. Allowed category for ${basename(directoryName)} directory is ${folder_category}`) + } + } catch (e) { workflowErrors.errors.push(e.toString()) } @@ -118,7 +125,7 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow try { const settings = require("./settings.json"); const erroredWorkflows = await checkWorkflows( - settings.folders, settings.allowed_categories + settings.folders, settings.allowed_categories, settings.folder_category_map ) if (erroredWorkflows.length > 0) { diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index ce89e36947..ab1ada30e5 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json @@ -10,5 +10,23 @@ "Deployment", "Code Scanning", "Automation" + ], + "folder_category_map": [ + { + "name": "../../ci", + "category": "Continuous integration" + }, + { + "name": "../../automation", + "category": "Automation" + }, + { + "name": "../../deployments", + "category": "Deployment" + }, + { + "name": "../../code-scanning", + "category": "Code Scanning" + } ] } \ No newline at end of file 
From aa4aa29543b6a72c397d9285abd94d91c41984fd Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Mon, 14 Feb 2022 15:51:06 +0530 Subject: [PATCH 270/844] Update stackhawk.yml --- code-scanning/stackhawk.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/stackhawk.yml b/code-scanning/stackhawk.yml index 9701b1f865..af220c0810 100644 --- a/code-scanning/stackhawk.yml +++ b/code-scanning/stackhawk.yml @@ -37,8 +37,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: stackhawk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for stackhawk/hawkscan-action to upload code scanning alert info name: StackHawk runs-on: ubuntu-20.04 steps: From 8bcdd73aa893896b02a33bf844682a4a632c099a Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Tue, 15 Feb 2022 13:36:24 +0530 Subject: [PATCH 271/844] added github_token permission --- deployments/alibabacloud.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index ded91780b0..c7833059a8 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -40,6 +40,9 @@ env: ACR_EE_IMAGE: repo ACR_EE_TAG: ${{ github.sha }} +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest From db842e7ec591aa2ff0545d82f159c0719a0087d8 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Tue, 15 Feb 2022 13:39:46 +0530 Subject: [PATCH 272/844] added github_token permission --- ci/scala.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/scala.yml b/ci/scala.yml index af6b2ed0bc..95c1957f95 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: From f0d5cb15453edac00fb14288d0ca9ae895bf76b0 Mon Sep 17 00:00:00 2001 
From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Tue, 15 Feb 2022 13:42:06 +0530 Subject: [PATCH 273/844] added token permission --- ci/python-app.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/python-app.yml b/ci/python-app.yml index 2cfc2a36b5..cdd6c6cd36 100644 --- a/ci/python-app.yml +++ b/ci/python-app.yml @@ -9,6 +9,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: From 6706b36121ab6c4b497c145160f85b056fe12347 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Tue, 15 Feb 2022 16:04:39 +0530 Subject: [PATCH 274/844] Update njsscan.yml --- code-scanning/njsscan.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index 8077f76ad6..a6da087b9b 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -17,8 +17,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: njsscan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest name: njsscan code scanning steps: From 3394a8e62f54f84b23c843b970d4ca143013db12 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Tue, 15 Feb 2022 16:38:05 +0530 Subject: [PATCH 275/844] Update mobsf.yml --- code-scanning/mobsf.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 689a1a0268..d8eaa9246b 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -13,8 +13,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: mobile-security: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: 
@@ -33,4 +39,4 @@ jobs: - name: Upload mobsfscan report uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: results.sarif \ No newline at end of file + sarif_file: results.sarif From 6a5dc3a7538ff504a39f33cc73855ad4dedcf3e0 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Thu, 17 Feb 2022 08:50:23 +0530 Subject: [PATCH 276/844] Update sysdig-scan.yml --- code-scanning/sysdig-scan.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index 49841d728e..f9b29fc5ea 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -13,10 +13,17 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: build: + permissions: + checks: write # for sysdiglabs/scan-action to publish the checks + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: @@ -51,4 +58,4 @@ jobs: #Upload SARIF file if: always() with: - sarif_file: ${{ steps.scan.outputs.sarifReport }} \ No newline at end of file + sarif_file: ${{ steps.scan.outputs.sarifReport }} From 93dc183837a934693bd89af6bf3e1ed076f9b958 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Thu, 17 Feb 2022 08:55:16 +0530 Subject: [PATCH 277/844] Update r.yml --- ci/r.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/r.yml b/ci/r.yml index 305c2cf45f..456e5526e3 100644 --- a/ci/r.yml +++ b/ci/r.yml @@ -14,6 +14,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: runs-on: macos-latest From 8c75e2d11fd9040bc7a3492d7bcfcb4c92a194d7 Mon Sep 17 00:00:00 2001 
From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Thu, 17 Feb 2022 08:57:59 +0530 Subject: [PATCH 278/844] Update pmd.yml --- code-scanning/pmd.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 06047344f7..cf4b01d040 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -13,8 +13,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: pmd-code-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 From ed9202263d2954cd84dc11e0068ea5744268e8ab Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 18 Feb 2022 01:00:27 +0000 Subject: [PATCH 279/844] Update hash for scorecard's v1.0.4 release --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 618ce2890a..d63b4628cc 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -27,7 +27,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@c8416b0b2bf627c349ca92fc8e3de51a64b005cf # v1.0.2 + uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4 with: results_file: results.sarif results_format: sarif From 300f303442f956de563b7f301f652d94acb60cde Mon Sep 17 00:00:00 2001 From: Atul Malaviya Date: Sun, 20 Feb 2022 02:18:18 -0600 Subject: [PATCH 280/844] Added PR trigger (#1448) --- ci/msbuild.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ci/msbuild.yml b/ci/msbuild.yml index 29b6acebc1..e650e2aa34 100644 --- a/ci/msbuild.yml +++ b/ci/msbuild.yml 
@@ -1,6 +1,10 @@ name: MSBuild -on: [push] +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] env: # Path to the solution file relative to the root of the project. From aafd23c138797490f77148df749cb66c609c825a Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Thu, 24 Feb 2022 10:26:04 +0000 Subject: [PATCH 281/844] review comments --- script/validate-data/index.ts | 21 ++++++++++----------- script/validate-data/settings.json | 8 +------- 2 files changed, 11 insertions(+), 18 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 6669b34056..c3b6fa93a5 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -69,7 +69,7 @@ async function checkWorkflows(folders: string[], allowed_categories: string[], f return result; } -async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: string[], folder_category_map: object[]): Promise { +async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: string[], directory_category_map: object[]): Promise { let workflowErrors: WorkflowWithErrors = { id: workflowPath, name: null, 
@@ -105,16 +105,15 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow } var directoryName = dirname(workflowPath) - var folder_category = folder_category_map.find( folder_category => folder_category["name"] == directoryName)["category"] - if (!workflowPath.endsWith("blank.yml") && (!properties.categories || - !properties.categories.some(category => allowed_categories.some(ac => ac.toLowerCase() == category.toLowerCase())))) { - workflowErrors.errors.push(`Workflow does not contain at least one allowed category - ${allowed_categories}`) - } - - if(properties.categories && !properties.categories.some(category => category.toLowerCase() == folder_category.toLowerCase())) { - workflowErrors.errors.push(`Either workflow is not added to the correct directory or category specified is wrong. Allowed category for ${basename(directoryName)} directory is ${folder_category}`) + var directory_category = directory_category_map.find( folder_category => folder_category["name"] == directoryName)["category"] + if (!workflowPath.endsWith("blank.yml") && ((!properties.categories || properties.categories.length == 0 )|| + properties.categories[0].toLowerCase() !== directory_category.toLowerCase())) { + if(!properties.categories || properties.categories.length == 0) { + workflowErrors.errors.push(`Workflow categories cannot be null or empty`) + } else { + workflowErrors.errors.push(`The first category in properties.json categories must be "${directory_category}" for ${basename(directoryName)} directory workflow.`) + } } - } catch (e) { workflowErrors.errors.push(e.toString()) } 
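Review bot: `directory_category_map.find(...)["category"]` still dereferences the result of `find` without checking it, so a workflow under a directory that is missing from `directory_category_map` fails with a `TypeError` on `undefined`, which the surrounding `catch` then reports as the workflow's error text instead of saying what is actually wrong. Guard it and let the existing `catch` carry a useful message: `const mapping = directory_category_map.find(entry => entry["name"] == directoryName)`, `if (!mapping) throw new Error("Directory " + basename(directoryName) + " is not listed in directory_category_map")`, `var directory_category = mapping["category"]`. The `object[]` type on the parameter hides this as well; a `{ name: string; category: string }[]` type would let the compiler see the `["category"]` access. The enclosing `checkWorkflow` starts and ends outside the hunk.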
@@ -125,7 +124,7 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow try { const settings = require("./settings.json"); const erroredWorkflows = await checkWorkflows( - settings.folders, settings.allowed_categories, settings.folder_category_map + settings.folders, settings.allowed_categories, settings.directory_category_map ) if (erroredWorkflows.length > 0) { diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index ab1ada30e5..2dd38987c9 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json @@ -5,13 +5,7 @@ "../../deployments", "../../code-scanning" ], - "allowed_categories" : [ - "Continuous integration", - "Deployment", - "Code Scanning", - "Automation" - ], - "folder_category_map": [ + "directory_category_map": [ { "name": "../../ci", "category": "Continuous integration" From 0b1f2442e511ac2e36f9c551899079d28f0fade5 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 1 Mar 2022 14:58:57 +0100 Subject: [PATCH 282/844] Create sonarcloud.yml --- code-scanning/sonarcloud.yml | 51 ++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 code-scanning/sonarcloud.yml diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml new file mode 100644 index 0000000000..d15db93bc6 --- /dev/null +++ b/code-scanning/sonarcloud.yml 
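Review bot: The call site still passes `settings.allowed_categories`, but the settings.json hunk in this same commit deletes the `allowed_categories` key, so that argument is now `undefined` and is threaded through `checkWorkflows` and `checkWorkflow` as an `allowed_categories: string[]` parameter that nothing reads any more (the `allowed_categories.some(...)` check was removed in the previous hunk). Drop the parameter from both signatures (declared outside this hunk) and call `checkWorkflows(settings.folders, settings.directory_category_map)`; otherwise the stale name invites someone to reintroduce a check against a value that no longer exists.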
@@ -0,0 +1,51 @@ +This workflow helps you trigger a SonarCloud analysis of your code. +name: SonarCloud analysis + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + + workflow_dispatch: + +jobs: + Analysis: + runs-on: ubuntu-latest + + steps: + + - name: Analyze with SonarCloud + + # 1. Import your project to SonarCloud. + # 2. Import it on SonarCloud + # * Open sonarcloud.io, connect with your GitHub account and add your GitHub organization and your repository as a new project. + # * Please note that your project might be ready for AutoScan which means that it will be analysed without the need for GitHub Actions (it will be built automatically). + # * This behavior can be changed in Administration > Analysis Method. + # + # 3. Copy/paste the Projet Key and the Organization Key in the args below + # * On SonarCloud, click on Information at the bottom left + # 4. Generate a new token and add it to your Github's repository Secrets as SONAR_TOKEN + # * On SonarCloud, click on your avatar on top-right > My account > Security + + # You may pin to the exact commit or the version. + # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 + uses: SonarSource/sonarcloud-github-action@v1.6 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) + with: + # Additional arguments to the sonarcloud scanner + args: > + # Set the sonar.projectBaseDir analysis property + projectBaseDir: . # optional, default is . + # Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu) + -Dsonar.projectKey= # mandatory + # Unique organisation key of your project. 
You can find it in SonarCloud > Information (bottom-left menu) + -Dsonar.organization= # mandatory + # Comma-separated paths to directories containing main source files. + -Dsonar.sources= # optional, default is project base directory + # Comma-separated paths to directories containing test source files. + -Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ + # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. + -Dsonar.verbose= # optional, default is false From b80e458c6205c8b77c2a7bd419be52d6a82fc64f Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 1 Mar 2022 16:29:12 +0100 Subject: [PATCH 283/844] Added documentation links --- code-scanning/sonarcloud.yml | 36 ++++++++++++++++++++---------------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index d15db93bc6..387f34cb92 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml 
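Review bot: The new workflow has no `permissions:` block even though it hands `secrets.GITHUB_TOKEN` to the action, making it the one template in this series that runs with the repository's default token scopes; the others pin `contents: read` at the top and add only what a job needs. The job also has no `actions/checkout` step — `runs-on` and the single `Analyze with SonarCloud` step are the whole job — so the scanner runs against an empty workspace. Separately, `args: >` is a folded block scalar, so the `# Set the sonar.projectBaseDir ...` lines and `projectBaseDir: .` inside it are not comments but literal text passed to the scanner; keep only the `-Dsonar.*` lines inside the block and move the explanations above `args:`. The header comment should also say that `pull_request` runs from forks do not receive `SONAR_TOKEN`, so the step fails there unless the project relies on Automatic Analysis.
```yaml
permissions:
  contents: read
  pull-requests: read  # NOTE(review): presumably what the action uses GITHUB_TOKEN for ("PR information") — confirm against the action's docs

jobs:
  Analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0  # full history; confirm whether the scanner needs it for new-code/blame detection
      - name: Analyze with SonarCloud
        # … unchanged: action reference, env and args …
```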
@@ -1,4 +1,19 @@ -This workflow helps you trigger a SonarCloud analysis of your code. +# This workflow helps you trigger a SonarCloud analysis of your code. + +# 1. Login to SonarCloud.io using your GitHub account +# 2. Import your project on SonarCloud +# * Add your GitHub organization first, then add your repository as a new project. +# * Please note that your project might be ready for Automatic Analysis, which means that it could be analysed without the need for GitHub Actions (it will be built automatically). +# * This behavior can be changed in Administration > Analysis Method. +# +# 3. Copy/paste the Projet Key and the Organization Key in the args parameter below +# * You'll find those info on SonarCloud. Click on "Information" at the bottom left +# 4. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN +# * On SonarCloud, click on your avatar on top-right > My account > Security + +# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) +# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) + name: SonarCloud analysis on: 
@@ -15,18 +30,7 @@ jobs: steps: - - name: Analyze with SonarCloud - - # 1. Import your project to SonarCloud. - # 2. Import it on SonarCloud - # * Open sonarcloud.io, connect with your GitHub account and add your GitHub organization and your repository as a new project. - # * Please note that your project might be ready for AutoScan which means that it will be analysed without the need for GitHub Actions (it will be built automatically). - # * This behavior can be changed in Administration > Analysis Method. - # - # 3. Copy/paste the Projet Key and the Organization Key in the args below - # * On SonarCloud, click on Information at the bottom left - # 4. Generate a new token and add it to your Github's repository Secrets as SONAR_TOKEN - # * On SonarCloud, click on your avatar on top-right > My account > Security + - name: Analyze with SonarCloud # You may pin to the exact commit or the version. # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 
@@ -36,15 +40,15 @@ jobs: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) with: # Additional arguments to the sonarcloud scanner - args: > - # Set the sonar.projectBaseDir analysis property - projectBaseDir: . # optional, default is . + args: # Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu) -Dsonar.projectKey= # mandatory # Unique organisation key of your project. You can find it in SonarCloud > Information (bottom-left menu) -Dsonar.organization= # mandatory # Comma-separated paths to directories containing main source files. -Dsonar.sources= # optional, default is project base directory + # When you need the analysis to take place in a directory other than the one from which it was launched + -Dsonar.projectBaseDir= # optional, default is . # Comma-separated paths to directories containing test source files. -Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. From c5a70f040535fbdb74601570225b59bc8516a3b7 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 1 Mar 2022 16:29:42 +0100 Subject: [PATCH 284/844] Removed extra spaces --- code-scanning/sonarcloud.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 387f34cb92..3441617e4d 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml 
@@ -21,15 +21,13 @@ on: branches: [ master ] pull_request: branches: [ master ] - workflow_dispatch: jobs: Analysis: runs-on: ubuntu-latest - + steps: - - name: Analyze with SonarCloud # You may pin to the exact commit or the version. From 429537d3207f07a271ed289b60a664da53be9b86 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 1 Mar 2022 16:36:07 +0100 Subject: [PATCH 285/844] Added workflow variables for branches --- code-scanning/sonarcloud.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 3441617e4d..97f364d726 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -18,9 +18,9 @@ name: SonarCloud analysis on: push: - branches: [ master ] + branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ master ] + branches: [ $default-branch ] workflow_dispatch: jobs: From b48f15df6228157c0181ee9fdca8f52f091a3703 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 1 Mar 2022 16:36:37 +0100 Subject: [PATCH 286/844] Added space between paragraph --- code-scanning/sonarcloud.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 97f364d726..0b58f05254 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -1,6 +1,7 @@ # This workflow helps you trigger a SonarCloud analysis of your code. # 1. Login to SonarCloud.io using your GitHub account + # 2. Import your project on SonarCloud # * Add your GitHub organization first, then add your repository as a new project. # * Please note that your project might be ready for Automatic Analysis, which means that it could be analysed without the need for GitHub Actions (it will be built automatically). 
@@ -8,6 +9,7 @@ # # 3. Copy/paste the Projet Key and the Organization Key in the args parameter below # * You'll find those info on SonarCloud. Click on "Information" at the bottom left + # 4. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN # * On SonarCloud, click on your avatar on top-right > My account > Security From fb2b1099ec558e4666229e557860eb8a8dd58ac7 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 1 Mar 2022 16:39:07 +0100 Subject: [PATCH 287/844] Fixed intro text --- code-scanning/sonarcloud.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 0b58f05254..c4ab0e42f0 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -1,4 +1,4 @@ -# This workflow helps you trigger a SonarCloud analysis of your code. +# This workflow helps you trigger a SonarCloud analysis of your code and populates GitHub Code Scanning alerts with the vulnerabilities found. # 1. Login to SonarCloud.io using your GitHub account From d3fb4810d7ded6721dd323f60d1b3c63d901b307 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Wed, 2 Mar 2022 10:53:29 -0800 Subject: [PATCH 288/844] Add clj-holmes starter workflow --- code-scanning/clj-holmes.yml | 40 +++++++++++++++++++ .../properties/clj-holmes.properties.json | 10 +++++ icons/clj-holmes.svg | 1 + 3 files changed, 51 insertions(+) create mode 100644 code-scanning/clj-holmes.yml create mode 100644 code-scanning/properties/clj-holmes.properties.json create mode 100644 icons/clj-holmes.svg diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml new file mode 100644 index 0000000000..62364b3c2d --- /dev/null +++ b/code-scanning/clj-holmes.yml 
@@ -0,0 +1,40 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: clj-holmes + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + clj-holmes: + name: Run clj-holmes scanning + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Scan code + uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb + with: + rules-repository: 'git://org/private-rules-repo#main' + output-type: 'sarif' + output-file: 'clj-holmes-results.sarif' + fail-on-result: 'false' + + - name: Upload analysis results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ${{github.workspace}}/clj-holmes-results.sarif \ No newline at end of file diff --git a/code-scanning/properties/clj-holmes.properties.json b/code-scanning/properties/clj-holmes.properties.json new file mode 100644 index 0000000000..41950bb093 --- /dev/null +++ b/code-scanning/properties/clj-holmes.properties.json @@ -0,0 +1,10 @@ +{ + "name": "clj-holmes", + "creator": "Matheus Bernardes", + "description": "A CLI SAST (Static application security testing) tool which was built with the intent of finding vulnerable Clojure code via rules that use a simple pattern language.", + "iconName": "clj-holmes", + "categories": [ + "Code Scanning", + "clojure" + ] +} \ No newline at end of file diff --git a/icons/clj-holmes.svg b/icons/clj-holmes.svg new file mode 100644 index 0000000000..74459e5dd6 --- /dev/null +++ b/icons/clj-holmes.svg @@ -0,0 +1 @@ + \ No newline at end of file From 0d462e1c6b547f7df41b16f6ef94d08d27f26176 Mon Sep 17 00:00:00 2001 
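Review bot: The example `rules-repository: 'git://org/private-rules-repo#main'` points users at the `git://` transport, which carries no authentication and no integrity protection, and the rule set is what decides which code the scanner flags; a private rules repository should be referenced over an authenticated transport (https or ssh form, whichever the action's documentation allows), and if it lives on GitHub note that GitHub stopped serving `git://` in March 2022. Pinning is inconsistent within a job that holds `security-events: write`: `clj-holmes/clj-holmes-action` is pinned to a full SHA while `actions/checkout@v2` and `github/codeql-action/upload-sarif@v1` are mutable tags, so all three should be pinned the same way. `fail-on-result: 'false'` is the right setting here because findings reach the Security tab through the SARIF upload rather than by failing the build, but that is not obvious to someone copying the template; a comment such as `# Findings are surfaced by the SARIF upload below, so the scan step itself does not fail the job` would document it.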
From: Bishal Prasad Date: Thu, 3 Mar 2022 22:43:12 +0530 Subject: [PATCH 289/844] Port reworked AKS templates to main (#1450) --- deployments/azure-kubernetes-service-helm.yml | 122 +++++++++++++++++ .../azure-kubernetes-service-kompose.yml | 111 ++++++++++++++++ .../azure-kubernetes-service-kustomize.yml | 117 ++++++++++++++++ deployments/azure-kubernetes-service.yml | 125 +++++++++++------- ...re-kubernetes-service-helm.properties.json | 7 + ...kubernetes-service-kompose.properties.json | 7 + ...bernetes-service-kustomize.properties.json | 7 + .../azure-kubernetes-service.properties.json | 6 +- 8 files changed, 449 insertions(+), 53 deletions(-) create mode 100644 deployments/azure-kubernetes-service-helm.yml create mode 100644 deployments/azure-kubernetes-service-kompose.yml create mode 100644 deployments/azure-kubernetes-service-kustomize.yml create mode 100644 deployments/properties/azure-kubernetes-service-helm.properties.json create mode 100644 deployments/properties/azure-kubernetes-service-kompose.properties.json create mode 100644 deployments/properties/azure-kubernetes-service-kustomize.properties.json diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml new file mode 100644 index 0000000000..506819d2a2 --- /dev/null +++ b/deployments/azure-kubernetes-service-helm.yml 
@@ -0,0 +1,122 @@ +# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code +# +# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# For instructions see: +# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal +# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://github.com/Azure/aks-create-action +# +# To configure this workflow: +# +# 1. Set the following secrets in your repository (instructions for getting these +# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# - AZURE_CLIENT_ID +# - AZURE_TENANT_ID +# - AZURE_SUBSCRIPTION_ID +# +# 2. Set the following environment variables (or replace the values below): +# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - RESOURCE_GROUP (where your cluster is deployed) +# - CLUSTER_NAME (name of your AKS cluster) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) +# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# +# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Helm. +# Set your helmChart, overrideFiles, overrides, and helm-version to suit your configuration. 
+# - CHART_PATH (path to your helm chart) +# - CHART_OVERRIDE_PATH (path to your helm chart with override values) +# +# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions +# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +# For more options with the actions used below please refer to https://github.com/Azure/login + +name: Build and deploy an app to AKS with Helm + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +env: + AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" + CONTAINER_NAME: "your-container-name" + RESOURCE_GROUP: "your-resource-group" + CLUSTER_NAME: "your-cluster-name" + IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" + CHART_PATH: "your-chart-path" + CHART_OVERRIDE_PATH: "your-chart-override-path" + +jobs: + build: + permissions: + actions: read + contents: read + id-token: write + + runs-on: ubuntu-latest + steps: + # Checks out the repository this file is in + - uses: actions/checkout@master + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . 
+ + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + + # Retrieves the credentials for pulling images from your Azure Container Registry + - name: Get ACR credentials + run: | + az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true + ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) + ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::set-output name=username::${ACR_USERNAME}" + echo "::set-output name=password::${ACR_PASSWORD}" + id: get-acr-creds + + # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step + - name: Create K8s secret for pulling image from ACR + uses: Azure/k8s-create-secret@v1.1 + with: + container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io + container-registry-username: ${{ steps.get-acr-creds.outputs.username }} + container-registry-password: ${{ steps.get-acr-creds.outputs.password }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + # Runs Helm to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2.1 + with: + renderEngine: 'helm' + helmChart: ${{ env.CHART_PATH }} + overrideFiles: ${{ env.CHART_OVERRIDE_PATH }} + overrides: | + replicas:2 + helm-version: 'latest' + id: bake + + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v3.0 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} + imagepullsecrets: | + ${{ env.IMAGE_PULL_SECRET_NAME 
}}
diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml
new file mode 100644
index 0000000000..1d33fe30e9
--- /dev/null
+++ b/deployments/azure-kubernetes-service-kompose.yml
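Review bot: `Get ACR credentials` enables the registry's admin account on every run (`az acr update ... --admin-enabled true`) and then exports the admin password with `::set-output`; that account is a single shared, non-expiring credential unrelated to the OIDC identity the `Azure login` step just established, and a value exported through `set-output` is not masked in the job log unless `echo "::add-mask::${ACR_PASSWORD}"` is emitted before it. The same step is repeated in the kompose, kustomize and azure-kubernetes-service.yml hunks below, so any fix applies to all four. A lower-privilege shape that needs no admin credential and no `k8s-create-secret` step is to grant the cluster pull access to the registry (`az aks update --attach-acr`); if the secret-based flow is kept, at minimum add the masking line ahead of the two `set-output` lines and name `--admin-enabled true` as a deliberate trade-off in the header comment. Separately, `actions/checkout@master` references a mutable branch while every other action in the job is version-pinned; a release tag or commit SHA would be consistent.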
@@ -0,0 +1,111 @@ +# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code +# +# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# For instructions see: +# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal +# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://github.com/Azure/aks-create-action +# +# To configure this workflow: +# +# 1. Set the following secrets in your repository (instructions for getting these +# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# - AZURE_CLIENT_ID +# - AZURE_TENANT_ID +# - AZURE_SUBSCRIPTION_ID +# +# 2. Set the following environment variables (or replace the values below): +# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - RESOURCE_GROUP (where your cluster is deployed) +# - CLUSTER_NAME (name of your AKS cluster) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) +# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# +# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kompose. +# Set your dockerComposeFile and kompose-version to suit your configuration. 
+# - DOCKER_COMPOSE_FILE_PATH (the path where your Kompose deployment manifest is located) +# +# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions +# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +# For more options with the actions used below please refer to https://github.com/Azure/login + +name: Build and deploy an app to AKS with Kompose + +env: + AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" + CONTAINER_NAME: "your-container-name" + RESOURCE_GROUP: "your-resource-group" + CLUSTER_NAME: "your-cluster-name" + IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" + DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path" + +jobs: + build: + permissions: + actions: read + contents: read + id-token: write + + runs-on: ubuntu-latest + steps: + # Checks out the repository this file is in + - uses: actions/checkout@master + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . 
+ + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + + # Retrieves the credentials for pulling images from your Azure Container Registry + - name: Get ACR credentials + run: | + az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true + ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) + ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::set-output name=username::${ACR_USERNAME}" + echo "::set-output name=password::${ACR_PASSWORD}" + id: get-acr-creds + + # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step + - name: Create K8s secret for pulling image from ACR + uses: Azure/k8s-create-secret@v1.1 + with: + container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io + container-registry-username: ${{ steps.get-acr-creds.outputs.username }} + container-registry-password: ${{ steps.get-acr-creds.outputs.password }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + # Runs Kompose to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2.1 + with: + renderEngine: 'kompose' + dockerComposeFile: ${{ env.DOCKER_COMPOSE_FILE_PATH }} + kompose-version: 'latest' + id: bake + + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v3.0 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} + imagepullsecrets: | + ${{ env.IMAGE_PULL_SECRET_NAME }} 
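Review bot: This workflow has no `on:` block: `name: Build and deploy an app to AKS with Kompose` is followed directly by `env:`, whereas the Helm and Kustomize variants added in the same commit declare a push trigger on `$default-branch` plus `workflow_dispatch:`; GitHub Actions requires `on`, so the template is invalid as written and nothing would run. The trigger block used by the other two variants fits between `name:` and `env:` unchanged.
```yaml
name: Build and deploy an app to AKS with Kompose

on:
  push:
    branches:
      - $default-branch
  workflow_dispatch:

env:
# … unchanged: environment variables and the build job …
```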
diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml
new file mode 100644
index 0000000000..51b7d69846
--- /dev/null
+++ b/deployments/azure-kubernetes-service-kustomize.yml
@@ -0,0 +1,117 @@ +# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code +# +# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# For instructions see: +# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal +# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://github.com/Azure/aks-create-action +# +# To configure this workflow: +# +# 1. Set the following secrets in your repository (instructions for getting these +# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# - AZURE_CLIENT_ID +# - AZURE_TENANT_ID +# - AZURE_SUBSCRIPTION_ID +# +# 2. Set the following environment variables (or replace the values below): +# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - RESOURCE_GROUP (where your cluster is deployed) +# - CLUSTER_NAME (name of your AKS cluster) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) +# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# +# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kustomize. +# Set your kustomizationPath and kubectl-version to suit your configuration. 
+# - KUSTOMIZE_PATH (the path where your Kustomize manifests are located) +# +# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions +# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +# For more options with the actions used below please refer to https://github.com/Azure/login + +name: Build and deploy an app to AKS with Kustomize + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +env: + AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" + CONTAINER_NAME: "your-container-name" + RESOURCE_GROUP: "your-resource-group" + CLUSTER_NAME: "your-cluster-name" + IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" + KUSTOMIZE_PATH: "your-kustomize-path" + +jobs: + build: + permissions: + actions: read + contents: read + id-token: write + + runs-on: ubuntu-latest + steps: + # Checks out the repository this file is in + - uses: actions/checkout@master + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . 
+ + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + + # Retrieves the credentials for pulling images from your Azure Container Registry + - name: Get ACR credentials + run: | + az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true + ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) + ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::set-output name=username::${ACR_USERNAME}" + echo "::set-output name=password::${ACR_PASSWORD}" + id: get-acr-creds + + # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step + - name: Create K8s secret for pulling image from ACR + uses: Azure/k8s-create-secret@v1.1 + with: + container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io + container-registry-username: ${{ steps.get-acr-creds.outputs.username }} + container-registry-password: ${{ steps.get-acr-creds.outputs.password }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + # Runs Kustomize to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2.1 + with: + renderEngine: 'kustomize' + kustomizationPath: ${{ env.KUSTOMIZE_PATH }} + kubectl-version: latest + id: bake + + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v3.0 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} + imagepullsecrets: | + ${{ env.IMAGE_PULL_SECRET_NAME }} 
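Review bot: The header's step 2 lists `SECRET_NAME`, but the key the job actually reads is `IMAGE_PULL_SECRET_NAME` (`secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}`); the Helm, Kompose and azure-kubernetes-service.yml headers carry the same mismatch. Change the comment line to `#   - IMAGE_PULL_SECRET_NAME (name of the Kubernetes secret that holds your ACR pull credentials)`. While in the header, `a Azure Kubernetes Service` on the first line should read `an Azure Kubernetes Service`. `kubectl-version: latest` is unquoted here while the Helm variant writes `helm-version: 'latest'`; quoting it (`kubectl-version: 'latest'`) keeps the version inputs uniform across the three templates.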
diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml
index 08988ffc64..e61e64ec51 100644
--- a/deployments/azure-kubernetes-service.yml
+++ b/deployments/azure-kubernetes-service.yml
@@ -1,80 +1,105 @@ # This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code # # This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) -# For instructions see https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal -# https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal -# https://github.com/Azure/aks-create-action +# For instructions see: +# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal +# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://github.com/Azure/aks-create-action # # To configure this workflow: # -# 1. Set the following secrets in your repository: -# - AZURE_CREDENTIALS (instructions for getting this https://github.com/Azure/login#configure-a-service-principal-with-a-secret) +# 1. Set the following secrets in your repository (instructions for getting these +# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# - AZURE_CLIENT_ID +# - AZURE_TENANT_ID +# - AZURE_SUBSCRIPTION_ID # # 2. Set the following environment variables (or replace the values below): -# - AZURE_CONTAINER_REGISTRY (name of your container registry) -# - PROJECT_NAME +# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) # - RESOURCE_GROUP (where your cluster is deployed) # - CLUSTER_NAME (name of your AKS cluster) -# -# 3. Choose the approrpiate render engine for the bake step https://github.com/Azure/k8s-bake. 
The config below assumes helm, then set -# any needed environment variables such as: -# - CHART_PATH -# - CHART_OVERRIDE_PATH +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) +# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# - DEPLOYMENT_MANIFEST_PATH (path to the manifest yaml for your deployment) # # For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions # For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples -# For more options with the actions used below please see the folllowing -# https://github.com/Azure/login -# https://github.com/Azure/aks-set-context -# https://github.com/marketplace/actions/azure-cli-action -# https://github.com/Azure/k8s-bake -# https://github.com/Azure/k8s-deploy +# For more options with the actions used below please refer to https://github.com/Azure/login + +name: Build and deploy an app to AKS + +on: + push: + branches: + - $default-branch + workflow_dispatch: -on: [push] +env: + AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" + CONTAINER_NAME: "your-container-name" + RESOURCE_GROUP: "your-resource-group" + CLUSTER_NAME: "your-cluster-name" + IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" + DEPLOYMENT_MANIFEST_PATH: 'your-deployment-manifest-path' jobs: build: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest steps: + # Checks out the repository this file is in - uses: actions/checkout@master - - name: Azure Login - uses: azure/login@v1 + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - - - name: Build image on ACR - uses: azure/CLI@v1 - with: - azcliversion: 2.29.1 - inlineScript: | - az configure --defaults acr=${{ env.AZURE_CONTAINER_REGISTRY }} - az acr build -t -t ${{ env.AZURE_CONTAINER_REGISTRY 
}}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }} - - - name: Gets K8s context - uses: azure/aks-set-context@v1 + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} - id: login + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + + # Retrieves the credentials for pulling images from your Azure Container Registry + - name: Get ACR credentials + run: | + az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true + ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) + ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::set-output name=username::${ACR_USERNAME}" + echo "::set-output name=password::${ACR_PASSWORD}" + id: get-acr-creds - - name: Configure deployment - uses: azure/k8s-bake@v1 + # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step + - name: Create K8s secret for pulling image from ACR + uses: Azure/k8s-create-secret@v1.1 with: - renderEngine: 'helm' - helmChart: ${{ env.CHART_PATH }} - overrideFiles: ${{ env.CHART_OVERRIDE_PATH }} - overrides: | - replicas:2 - helm-version: 
'latest' - id: bake + container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io + container-registry-username: ${{ steps.get-acr-creds.outputs.username }} + container-registry-password: ${{ steps.get-acr-creds.outputs.password }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + # Deploys application based on given manifest file - name: Deploys application - - uses: Azure/k8s-deploy@v1 + uses: Azure/k8s-deploy@v3.0 with: - manifests: ${{ steps.bake.outputs.manifestsBundle }} + action: deploy + manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }} images: | - ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }} + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.PROJECT_NAME }} + ${{ env.IMAGE_PULL_SECRET_NAME }} diff --git a/deployments/properties/azure-kubernetes-service-helm.properties.json b/deployments/properties/azure-kubernetes-service-helm.properties.json new file mode 100644 index 0000000000..92478b306d --- /dev/null +++ b/deployments/properties/azure-kubernetes-service-helm.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to AKS with Helm", + "description": "Deploy an application to an Azure Kubernetes Service cluster using Helm", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Helm", "Kubernetes", "Dockerfile"] +} diff --git a/deployments/properties/azure-kubernetes-service-kompose.properties.json b/deployments/properties/azure-kubernetes-service-kompose.properties.json new file mode 100644 index 0000000000..de246c3003 --- /dev/null +++ b/deployments/properties/azure-kubernetes-service-kompose.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to AKS with Kompose", + "description": "Deploy an application to an Azure Kubernetes Service cluster using Kompose", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Kompose", "Kubernetes", "Dockerfile"] +} 
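Review bot: `DEPLOYMENT_MANIFEST_PATH: 'your-deployment-manifest-path'` is the only single-quoted value in the new `env:` block; the other five entries and the path variables in the three new templates use double quotes, so `DEPLOYMENT_MANIFEST_PATH: "your-deployment-manifest-path"` would keep the block uniform. The step is still named `Deploys application` (kept from the old file) while the three new variants call the same step `Deploy application`; aligning the name keeps the four templates greppable. `actions/checkout@master` survives here as a context line rather than new code, but with every other action in the job now version-pinned it would be better pinned to a release tag or commit SHA as well.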
diff --git a/deployments/properties/azure-kubernetes-service-kustomize.properties.json b/deployments/properties/azure-kubernetes-service-kustomize.properties.json new file mode 100644 index 0000000000..bfc71cc9af --- /dev/null +++ b/deployments/properties/azure-kubernetes-service-kustomize.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to AKS with Kustomize", + "description": "Deploy an application to an Azure Kubernetes Service cluster using Kustomize", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Kustomize", "Kubernetes", "Dockerfile"] +} diff --git a/deployments/properties/azure-kubernetes-service.properties.json b/deployments/properties/azure-kubernetes-service.properties.json index 28f3725df2..45d4a696e5 100644 --- a/deployments/properties/azure-kubernetes-service.properties.json +++ b/deployments/properties/azure-kubernetes-service.properties.json @@ -1,7 +1,7 @@ { - "name": "Deploy to a AKS Cluster", - "description": "Deploy an application to a Azure Kubernetes Service Cluster using Azure Credentials", + "name": "Deploy to AKS", + "description": "Deploy an application to an Azure Kubernetes Service cluster", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes", "Dockerfile"] + "categories": ["Deployment", "Kubernetes", "Dockerfile"] } From ac7b3362da33824992eea1a04c15dccb84799abe Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Fri, 4 Mar 2022 05:59:55 +0000 Subject: [PATCH 290/844] removing unused variables --- script/validate-data/index.ts | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index c3b6fa93a5..e54b6c1548 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts 
@@ -40,7 +40,7 @@ const propertiesSchema = { } } -async function checkWorkflows(folders: string[], allowed_categories: string[], folder_category_map: object[]): Promise { +async function checkWorkflows(folders: string[], folder_category_map: object[]): Promise { const result: WorkflowWithErrors[] = [] const workflow_template_names = new Set() for (const folder of folders) { @@ -55,7 +55,7 @@ async function checkWorkflows(folders: string[], allowed_categories: string[], f const workflowFilePath = join(folder, e.name); const propertiesFilePath = join(folder, "properties", `${fileType}.properties.json`) - const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, allowed_categories, folder_category_map); + const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, folder_category_map); if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) { workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) } @@ -69,7 +69,7 @@ async function checkWorkflows(folders: string[], allowed_categories: string[], f return result; } -async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: string[], directory_category_map: object[]): Promise { +async function checkWorkflow(workflowPath: string, propertiesPath: string, directory_category_map: object[]): Promise { let workflowErrors: WorkflowWithErrors = { id: workflowPath, name: null, @@ -124,7 +124,7 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow try { const settings = require("./settings.json"); const erroredWorkflows = await checkWorkflows( - settings.folders, settings.allowed_categories, settings.directory_category_map + settings.folders, settings.directory_category_map ) if (erroredWorkflows.length > 0) { From c6cf518c753c35074eb20e53d641c91e6d87528d Mon Sep 17 00:00:00 2001 
From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Fri, 4 Mar 2022 06:28:56 +0000 Subject: [PATCH 291/844] reaming directory to folder and added creator check for deployment templates --- script/validate-data/index.ts | 17 +++++++++++------ script/validate-data/settings.json | 2 +- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index e54b6c1548..da4d2d8d8d 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -14,6 +14,7 @@ interface WorkflowWithErrors { interface WorkflowProperties { name: string; description: string; + creator: string; iconName: string; categories: string[]; } @@ -69,7 +70,7 @@ async function checkWorkflows(folders: string[], folder_category_map: object[]): return result; } -async function checkWorkflow(workflowPath: string, propertiesPath: string, directory_category_map: object[]): Promise { +async function checkWorkflow(workflowPath: string, propertiesPath: string, folder_category_map: object[]): Promise { let workflowErrors: WorkflowWithErrors = { id: workflowPath, name: null, 
@@ -104,16 +105,20 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, direc } } - var directoryName = dirname(workflowPath) - var directory_category = directory_category_map.find( folder_category => folder_category["name"] == directoryName)["category"] + var folderName = dirname(workflowPath) + var folder_category = folder_category_map.find( folder_category => folder_category["name"] == folderName)["category"] if (!workflowPath.endsWith("blank.yml") && ((!properties.categories || properties.categories.length == 0 )|| - properties.categories[0].toLowerCase() !== directory_category.toLowerCase())) { + properties.categories[0].toLowerCase() !== folder_category.toLowerCase())) { if(!properties.categories || properties.categories.length == 0) { workflowErrors.errors.push(`Workflow categories cannot be null or empty`) } else { - workflowErrors.errors.push(`The first category in properties.json categories must be "${directory_category}" for ${basename(directoryName)} directory workflow.`) + workflowErrors.errors.push(`The first category in properties.json categories must be "${folder_category}" for ${basename(folderName)} folder workflow.`) } } + + if(folder_category.toLowerCase() == 'deployment' && !properties.creator) { + workflowErrors.errors.push(`The "creator" in properties.json must be present.`) + } } catch (e) { workflowErrors.errors.push(e.toString()) } @@ -124,7 +129,7 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, direc try { const settings = require("./settings.json"); const erroredWorkflows = await checkWorkflows( - settings.folders, settings.directory_category_map + settings.folders, settings.folder_category_map ) if (erroredWorkflows.length > 0) { diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index 2dd38987c9..7d3ecfefee 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json 
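Review bot: `folder_category_map.find(...)["category"]` on the new `folder_category` line dereferences the result of `find` without checking it, so a workflow sitting in a folder that has no entry in `settings.json` throws a TypeError that the `catch` below records only as `e.toString()` — an opaque "Cannot read property" string instead of a validation message. Guard the lookup first: `const mapping = folder_category_map.find(fc => fc["name"] == folderName)`, then `if (!mapping) { workflowErrors.errors.push(\`No category mapping for folder ${folderName}\`) }` and only read `mapping["category"]` when it exists. The added creator check tests truthiness only, so `"creator": " "` passes; `typeof properties.creator !== "string" || !properties.creator.trim()` would be the stricter form. checkWorkflow's signature and the start of its body are above this hunk.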
@@ -5,7 +5,7 @@ "../../deployments", "../../code-scanning" ], - "directory_category_map": [ + "folder_category_map": [ { "name": "../../ci", "category": "Continuous integration" From 023a52c48804fd4e0a7b11ad54367e7d645d8e25 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Mon, 7 Mar 2022 09:26:30 -0800 Subject: [PATCH 292/844] remove specifying permissions Co-authored-by: Nick Fyson --- code-scanning/clj-holmes.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index 62364b3c2d..704a01e02c 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml @@ -13,6 +13,8 @@ on: branches: [ $default-branch ] schedule: - cron: $cron-weekly +permissions: + contents: read jobs: clj-holmes: From 90d3b1b63b0f9cbe985a3de257df4f43dd94b1a0 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Mon, 7 Mar 2022 09:27:40 -0800 Subject: [PATCH 293/844] Update tool description Co-authored-by: Nick Fyson --- code-scanning/properties/clj-holmes.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/clj-holmes.properties.json b/code-scanning/properties/clj-holmes.properties.json index 41950bb093..71f29c09f5 100644 --- a/code-scanning/properties/clj-holmes.properties.json +++ b/code-scanning/properties/clj-holmes.properties.json @@ -1,7 +1,7 @@ { "name": "clj-holmes", "creator": "Matheus Bernardes", - "description": "A CLI SAST (Static application security testing) tool which was built with the intent of finding vulnerable Clojure code via rules that use a simple pattern language.", + "description": "A Static Application Security Testing tool to find vulnerable Clojure code via rules that use a simple pattern language.", "iconName": "clj-holmes", "categories": [ "Code Scanning", From af777b030efdf58461a737904e9307ad3e652562 Mon Sep 17 00:00:00 2001 
From: Yong Yan Date: Tue, 8 Mar 2022 14:19:19 -0800 Subject: [PATCH 294/844] update permissions setting --- code-scanning/clj-holmes.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index 704a01e02c..ca53f993b9 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml @@ -13,15 +13,12 @@ on: branches: [ $default-branch ] schedule: - cron: $cron-weekly -permissions: - contents: read jobs: clj-holmes: name: Run clj-holmes scanning runs-on: ubuntu-latest permissions: - actions: read contents: read security-events: write steps: @@ -39,4 +36,5 @@ jobs: - name: Upload analysis results to GitHub Security tab uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: ${{github.workspace}}/clj-holmes-results.sarif \ No newline at end of file + sarif_file: ${{github.workspace}}/clj-holmes-results.sarif + ait-for-processing: true \ No newline at end of file From 5665b8b5b8c5bbb0de5142879029ce57022e219c Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Wed, 9 Mar 2022 11:18:14 -0800 Subject: [PATCH 295/844] Update code-scanning/clj-holmes.yml Co-authored-by: Nick Fyson --- code-scanning/clj-holmes.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index ca53f993b9..4150cbbb2e 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml @@ -14,6 +14,9 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: clj-holmes: name: Run clj-holmes scanning From f6596c95685b9d20a9cd83bf0d9df24153043b69 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 10 Mar 2022 09:41:26 +0100 Subject: [PATCH 296/844] Update sonarcloud.yml --- code-scanning/sonarcloud.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) 
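Review bot: `ait-for-processing: true` on the last added line looks like a typo for `wait-for-processing: true`, the input name github/codeql-action/upload-sarif documents; as written the action will not block until the SARIF is processed (and may warn about an unknown input), so any step that depends on the results could race. Change it to `          wait-for-processing: true` and add the missing trailing newline the diff flags. Dropping `actions: read` from the job permissions is fine for public repositories, but the CodeQL starter workflows keep it with a note that upload-sarif needs it on private repositories to read the Action run status — presumably worth a `# actions: read  # required by upload-sarif on private repositories` line so users know why to re-add it. The top-level `permissions:` block removed here is re-added in the following commit.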
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index c4ab0e42f0..084feca2f8 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -4,14 +4,15 @@ # 2. Import your project on SonarCloud # * Add your GitHub organization first, then add your repository as a new project. -# * Please note that your project might be ready for Automatic Analysis, which means that it could be analysed without the need for GitHub Actions (it will be built automatically). +# * Please note that many languages are eligible for automatic analysis, which means that the analysis will start automatically without the need to set up GitHub Actions. # * This behavior can be changed in Administration > Analysis Method. # -# 3. Copy/paste the Projet Key and the Organization Key in the args parameter below -# * You'll find those info on SonarCloud. Click on "Information" at the bottom left - -# 4. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN -# * On SonarCloud, click on your avatar on top-right > My account > Security +# 3. Follow the SonarCloud's online tutorial +# * a. Copy/paste the Projet Key and the Organization Key in the args parameter below +# (You'll find those info on SonarCloud. Click on "Information" at the bottom left) +# +# * b. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN +# (On SonarCloud, click on your avatar on top-right > My account > Security) # Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) # or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) From 8fd84d60c85e501ce9d34a7c694fda9f3822daab Mon Sep 17 00:00:00 2001 
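Review bot: The rewritten step 3a still carries the typo `Projet Key`, and 3b writes `Github` for `GitHub`; since these are the lines users copy from, suggest `# * a. Copy/paste the Project Key and the Organization Key in the args parameter below` and `# * b. Generate a new token and add it to your GitHub repository Secrets with the name SONAR_TOKEN`. "You'll find those info" reads better as "You'll find this information". The SonarCloud team's name is spelled "SonarCloud" elsewhere in the header, so "SonarCloud's online tutorial" should drop the possessive: "Follow the SonarCloud online tutorial".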
From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 10 Mar 2022 09:42:52 +0100 Subject: [PATCH 297/844] Create sonarcloud.properties.json --- code-scanning/properties/sonarcloud.properties.json | 1 + 1 file changed, 1 insertion(+) create mode 100644 code-scanning/properties/sonarcloud.properties.json diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json new file mode 100644 index 0000000000..8b13789179 --- /dev/null +++ b/code-scanning/properties/sonarcloud.properties.json @@ -0,0 +1 @@ + From 6f8fa063712f344fab4c84487b2c885fca2f61a3 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 10 Mar 2022 09:45:15 +0100 Subject: [PATCH 298/844] Update sonarcloud.properties.json --- code-scanning/properties/sonarcloud.properties.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json index 8b13789179..88e2dbf8ac 100644 --- a/code-scanning/properties/sonarcloud.properties.json +++ b/code-scanning/properties/sonarcloud.properties.json @@ -1 +1,7 @@ - +{ + "name": "SonarCloud Security Scan", + "creator": "SonarSource", + "description": "Free, out-of-the-box, security analysis provided by multiple open source static analysis tools.", + "iconName": "sonarcloud", + "categories": ["Code Scanning", "apex", "bash", "c", "coffeescript", "c++", "c#", "crystal", "dockerfile", "elixir", "go", "groovy", "java", "javascript", "jsp", "kotlin", "markdown", "php", "plsql", "powershell", "python", "ruby", "scala", "swift", "tsql", "typescript", "velocity", "vba", "xml"] +} From c944a105460e766a441f6bc07dc9f798bbb4bc1c Mon Sep 17 00:00:00 2001 
From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 10 Mar 2022 17:15:34 +0100 Subject: [PATCH 299/844] Update sonarcloud.properties.json --- code-scanning/properties/sonarcloud.properties.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json index 88e2dbf8ac..428d899b61 100644 --- a/code-scanning/properties/sonarcloud.properties.json +++ b/code-scanning/properties/sonarcloud.properties.json @@ -1,7 +1,7 @@ { - "name": "SonarCloud Security Scan", - "creator": "SonarSource", - "description": "Free, out-of-the-box, security analysis provided by multiple open source static analysis tools.", + "name": "SonarCloud", + "creator": "Sonar", + "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Free for open source projects", "iconName": "sonarcloud", - "categories": ["Code Scanning", "apex", "bash", "c", "coffeescript", "c++", "c#", "crystal", "dockerfile", "elixir", "go", "groovy", "java", "javascript", "jsp", "kotlin", "markdown", "php", "plsql", "powershell", "python", "ruby", "scala", "swift", "tsql", "typescript", "velocity", "vba", "xml"] + "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"] } From d955f56f6791a99e9264a41707cd43f1ff228d67 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 10 Mar 2022 17:17:43 +0100 Subject: [PATCH 300/844] Add files via upload --- icons/sonarcloud.svg | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 icons/sonarcloud.svg diff --git a/icons/sonarcloud.svg b/icons/sonarcloud.svg new file mode 100644 index 0000000000..5f946d2fa1 --- /dev/null 
+++ b/icons/sonarcloud.svg @@ -0,0 +1,20 @@ + + + + +SonarCloud icon + + + + From 46017054a3c90b341c23f8cb09c6a6bfa9046cb8 Mon Sep 17 00:00:00 2001 From: Jonathan Tamsut Date: Mon, 14 Mar 2022 07:35:28 -0700 Subject: [PATCH 301/844] Update `download-artifact` and `upload-artifact` from `v2` to `v3` (#1465) * migrate to v3 * update download-artifact --- ci/dotnet-desktop.yml | 2 +- code-scanning/msvc.yml | 2 +- code-scanning/xanitizer.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 4 ++-- deployments/azure-webapps-java-jar.yml | 4 ++-- deployments/azure-webapps-node.yml | 4 ++-- deployments/azure-webapps-php.yml | 4 ++-- deployments/azure-webapps-python.yml | 4 ++-- 8 files changed, 13 insertions(+), 13 deletions(-) diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index 0635779417..06ce344fd1 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -109,7 +109,7 @@ jobs: # Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact - name: Upload build artifacts - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: MSIX Package path: ${{ env.Wap_Project_Directory }}\AppPackages diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 83d457113a..0abb40937c 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -59,7 +59,7 @@ jobs: # Upload SARIF file as an Artifact to download and view # - name: Upload SARIF as an Artifact - # uses: actions/upload-artifact@v2 + # uses: actions/upload-artifact@v3 # with: # name: sarif-file # path: ${{ steps.run-analysis.outputs.sarif }} diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 3bfb9ed68d..dc3c9ceed3 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -79,7 +79,7 @@ jobs: license: ${{ secrets.XANITIZER_LICENSE }} # Archiving the findings list reports - - uses: actions/upload-artifact@v2 + - uses: actions/upload-artifact@v3 with: name: Xanitizer-Reports path: | 
diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 7a2a84fa6c..ed45e220f9 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -57,7 +57,7 @@ jobs: run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: .net-app path: ${{env.DOTNET_ROOT}}/myapp @@ -71,7 +71,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: name: .net-app diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index f3862509a1..210fd90ff3 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -46,7 +46,7 @@ jobs: run: mvn clean install - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: java-app path: '${{ github.workspace }}/target/*.jar' @@ -60,7 +60,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: name: java-app diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index b7cb51f27b..b6089d4ee7 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -47,7 +47,7 @@ jobs: npm run test --if-present - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: node-app path: . @@ -61,7 +61,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: name: node-app diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 700f83aa8e..a2dd57bf18 100644 --- a/deployments/azure-webapps-php.yml 
+++ b/deployments/azure-webapps-php.yml @@ -68,7 +68,7 @@ jobs: run: composer validate --no-check-publish && composer install --prefer-dist --no-progress - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: php-app path: . @@ -82,7 +82,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: name: php-app diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index cb19cdacc0..8605e0a11a 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -53,7 +53,7 @@ jobs: # Optional: Add step to run tests here (PyTest, Django test suites, etc.) - name: Upload artifact for deployment jobs - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: python-app path: | @@ -69,7 +69,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: name: python-app path: . From 002e1a441e4ada04aca6da6f20a4b1fd079548ed Mon Sep 17 00:00:00 2001 From: Matt Moore Date: Mon, 6 Dec 2021 12:04:44 -0800 Subject: [PATCH 302/844] Support uppercase repository names with cosign. My previous PR didn't properly handle uppercase usernames (or repository names) when signing container images with `cosign`. It seems that the `docker buildx --push` doesn't like this either, but it's passed the output of the `docker/metadata-action` which seems to lowercase things. Fixes: https://github.com/actions/starter-workflows/issues/1293 Signed-off-by: Matt Moore --- ci/docker-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 977635a1b4..ee2ec63f6a 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml 
@@ -90,4 +90,4 @@ jobs:
 COSIGN_EXPERIMENTAL: "true"
 # This step uses the identity token to provision an ephemeral certificate
 # against the sigstore community Fulcio instance.
- run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
+ run: cosign sign ${{ steps.meta.outputs.tags }}@${{ steps.build-and-push.outputs.digest }}
From c4cc28d92dcac4ba6ecd2d89ea90b5593363ef67 Mon Sep 17 00:00:00 2001
From: Mike Verbanic
Date: Wed, 16 Mar 2022 15:00:00 -0400
Subject: [PATCH 303/844] feat: add google cloud run starter workflows (#1392) * feat: add google cloud run starter workflows * fix: pr comments * fix: pr comments * fix: properties naming * fix: docker registry path
---
 deployments/google-cloudrun-docker.yml | 114 ++++++++++++++
 deployments/google-cloudrun-source.yml | 96 +++++++++++++
 .../google-cloudrun-docker.properties.json | 7 ++
 .../google-cloudrun-source.properties.json | 7 ++
 deployments/properties/google.properties.json | 2 +-
 icons/{googlegke.svg => google-cloud.svg} | 0
 6 files changed, 225 insertions(+), 1 deletion(-)
 create mode 100644 deployments/google-cloudrun-docker.yml
 create mode 100644 deployments/google-cloudrun-source.yml
 create mode 100644 deployments/properties/google-cloudrun-docker.properties.json
 create mode 100644 deployments/properties/google-cloudrun-source.properties.json
 rename icons/{googlegke.svg => google-cloud.svg} (100%)
diff --git a/deployments/google-cloudrun-docker.yml b/deployments/google-cloudrun-docker.yml
new file mode 100644
index 0000000000..b8d0511e2e
--- /dev/null
+++ b/deployments/google-cloudrun-docker.yml
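Review bot: The new `run:` line splices `steps.meta.outputs.tags` straight into the shell command, and docker/metadata-action emits that output as a newline-separated list whenever more than one tag is configured; the expansion then becomes several shell lines, only the last of which carries `@<digest>`, and the earlier ones execute as bare commands and fail. Signing by digest is the right idea, but pass the tags and digest through `env:` and sign each tag, which also keeps the expression out of the command text (tag values derive from git refs and branch names). With a single tag the current line works, which is presumably why the case in the commit message passes. The step's `name:` and `env:` header lines are above the hunk.

```yaml
        env:
          COSIGN_EXPERIMENTAL: "true"
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        # … unchanged: the two Fulcio comment lines …
        run: echo "${TAGS}" | xargs -I {} cosign sign {}@${DIGEST}
```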
@@ -0,0 +1,114 @@ +# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Cloud Run when a commit is pushed to the $default-branch branch +# +# Overview: +# +# 1. Authenticate to Google Cloud +# 2. Authenticate Docker to Artifact Registry +# 3. Build a docker container +# 4. Publish it to Google Artifact Registry +# 5. Deploy it to Cloud Run +# +# To configure this workflow: +# +# 1. Ensure the required Google Cloud APIs are enabled: +# +# Cloud Run run.googleapis.com +# Artifact Registry artifactregistry.googleapis.com +# +# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) +# +# 3. Ensure the required IAM permissions are granted +# +# Cloud Run +# roles/run.admin +# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account) +# +# Artifact Registry +# roles/artifactregistry.admin (project or repository level) +# +# NOTE: You should always follow the principle of least privilege when assigning IAM roles +# +# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT +# +# 5. Change the values for the GAR_LOCATION, SERVICE and REGION environment variables (below). 
+# +# NOTE: To use Google Container Registry instead, replace ${{ env.GAR_LOCATION }}-docker.pkg.dev with gcr.io +# +# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run +# +# Further reading: +# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying +# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles +# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry +# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege + +name: Build and Deploy to Cloud Run + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id + GAR_LOCATION: YOUR_GAR_LOCATION # TODO: update Artifact Registry location + SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name + REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region + +jobs: + deploy: + # Add 'id-token' with the intended permissions for workload identity federation + permissions: + contents: 'read' + id-token: 'write' + + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Google Auth + id: auth + uses: 'google-github-actions/auth@v0' + with: + token_format: 'access_token' + workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider + service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. 
- my-service-account@my-project.iam.gserviceaccount.com + + # NOTE: Alternative option - authentication via credentials json + # - name: Google Auth + # id: auth + # uses: 'google-github-actions/auth@v0' + # with: + # credentials_json: '${{ secrets.GCP_CREDENTIALS }}'' + + # BEGIN - Docker auth and build (NOTE: If you already have a container image, these Docker steps can be omitted) + + # Authenticate Docker to Google Cloud Artifact Registry + - name: Docker Auth + id: docker-auth + uses: 'docker/login-action@v1' + with: + username: 'oauth2accesstoken' + password: '${{ steps.auth.outputs.access_token }}' + registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev' + + - name: Build and Push Container + run: |- + docker build -t "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" ./ + docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" + + # END - Docker auth and build + + - name: Deploy to Cloud Run + id: deploy + uses: google-github-actions/deploy-cloudrun@v0 + with: + service: ${{ env.SERVICE }} + region: ${{ env.REGION }} + # NOTE: If using a pre-built image, update the image name here + image: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }} + + # If required, use the Cloud Run url output in later steps + - name: Show Output + run: echo ${{ steps.deploy.outputs.url }} diff --git a/deployments/google-cloudrun-source.yml b/deployments/google-cloudrun-source.yml new file mode 100644 index 0000000000..2916b454ef --- /dev/null +++ b/deployments/google-cloudrun-source.yml 
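Review bot: The commented-out alternative auth step has an unbalanced quote, `# credentials_json: '${{ secrets.GCP_CREDENTIALS }}''`, so anyone who uncomments it gets a YAML parse error; drop the trailing `'` (the source variant of this workflow has it right). In the IAM guidance, `roles/artifactregistry.admin` is broader than the `docker push` in the build step needs — `roles/artifactregistry.writer` on the target repository is typically sufficient (verify against the Artifact Registry roles page linked in the header), and since the block itself tells users to follow least privilege, suggest listing writer and noting that admin is only needed if the workflow must create repositories. `actions/checkout@v2`, `google-github-actions/auth@v0` and `docker/login-action@v1` are mutable major tags; for a job that mints cloud credentials via OIDC, pinning each `uses:` to a full commit SHA with a version comment is the safer supply-chain default, though the repository's other templates use major tags as well.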
@@ -0,0 +1,96 @@ +# This workflow will deploy source code on Cloud Run when a commit is pushed to the $default-branch branch +# +# Overview: +# +# 1. Authenticate to Google Cloud +# 2. Deploy it to Cloud Run +# +# To configure this workflow: +# +# 1. Ensure the required Google Cloud APIs are enabled: +# +# Cloud Run run.googleapis.com +# Cloud Build cloudbuild.googleapis.com +# Artifact Registry artifactregistry.googleapis.com +# +# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) +# +# 3. Ensure the required IAM permissions are granted +# +# Cloud Run +# roles/run.admin +# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account) +# +# Cloud Build +# roles/cloudbuild.builds.editor +# +# Cloud Storage +# roles/storage.objectAdmin +# +# Artifact Registry +# roles/artifactregistry.admin (project or repository level) +# +# NOTE: You should always follow the principle of least privilege when assigning IAM roles +# +# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT +# +# 5. Change the values for the SERVICE and REGION environment variables (below). 
+# +# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run +# +# Further reading: +# Cloud Run runtime service account - https://cloud.google.com/run/docs/securing/service-identity +# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying-source-code#permissions_required_to_deploy +# Cloud Run builds from source - https://cloud.google.com/run/docs/deploying-source-code +# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege + +name: Deploy to Cloud Run from Source + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id + SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name + REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region + +jobs: + deploy: + # Add 'id-token' with the intended permissions for workload identity federation + permissions: + contents: 'read' + id-token: 'write' + + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Google Auth + id: auth + uses: 'google-github-actions/auth@v0' + with: + workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider + service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. 
- my-service-account@my-project.iam.gserviceaccount.com + + # NOTE: Alternative option - authentication via credentials json + # - name: Google Auth + # id: auth + # uses: 'google-github-actions/auth@v0' + # with: + # credentials_json: '${{ secrets.GCP_CREDENTIALS }}' + + - name: Deploy to Cloud Run + id: deploy + uses: google-github-actions/deploy-cloudrun@v0 + with: + service: ${{ env.SERVICE }} + region: ${{ env.REGION }} + # NOTE: If required, update to the appropriate source folder + source: ./ + + # If required, use the Cloud Run url output in later steps + - name: Show Output + run: echo ${{ steps.deploy.outputs.url }} diff --git a/deployments/properties/google-cloudrun-docker.properties.json b/deployments/properties/google-cloudrun-docker.properties.json new file mode 100644 index 0000000000..b1a2b2b7ba --- /dev/null +++ b/deployments/properties/google-cloudrun-docker.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Build and Deploy to Cloud Run", + "description": "Build a Docker container, publish it to Google Artifact Registry, and deploy to Google Cloud Run.", + "creator": "Google Cloud", + "iconName": "google-cloud", + "categories": ["Deployment", "Containers", "Dockerfile", "Cloud Run", "Serverless"] +} diff --git a/deployments/properties/google-cloudrun-source.properties.json b/deployments/properties/google-cloudrun-source.properties.json new file mode 100644 index 0000000000..2735d80ce9 --- /dev/null +++ b/deployments/properties/google-cloudrun-source.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to Cloud Run from Source", + "description": "Deploy to Google Cloud Run directly from source.", + "creator": "Google Cloud", + "iconName": "google-cloud", + "categories": ["Deployment", "Containers", "Cloud Run", "Serverless", "Buildpacks"] +} diff --git a/deployments/properties/google.properties.json b/deployments/properties/google.properties.json index f1bd883617..e226385788 100644 --- a/deployments/properties/google.properties.json 
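Review bot: `PROJECT_ID` is declared under `env:` with a TODO but no step in this file reads it, so deploy-cloudrun falls back to whatever project the auth step resolves, which may not be the one the user edited in; either pass it explicitly under the deploy step's `with:` — `project_id: ${{ env.PROJECT_ID }}`, if the action exposes that input in the pinned release (verify) — or remove the variable. On the IAM list, `roles/storage.objectAdmin` and `roles/artifactregistry.admin` are project-wide grants; a source deploy needs write access only to the Cloud Build staging bucket and push access to the repository the build publishes to, so a note steering users to scope these to that bucket and repository (or to `roles/artifactregistry.writer`) would match the least-privilege NOTE a few lines below. As in the Docker variant, `auth@v0` and `deploy-cloudrun@v0` are mutable major tags rather than commit pins.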
+++ b/deployments/properties/google.properties.json @@ -2,6 +2,6 @@ "name": "Build and Deploy to GKE", "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", "creator": "Google Cloud", - "iconName": "googlegke", + "iconName": "google-cloud", "categories": ["Deployment", "Dockerfile", "Kubernetes", "Kustomize"] } \ No newline at end of file diff --git a/icons/googlegke.svg b/icons/google-cloud.svg similarity index 100% rename from icons/googlegke.svg rename to icons/google-cloud.svg From 3b2d5d9c43c2889e9aaed43da59a7332ee5e51b7 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 17 Mar 2022 18:07:03 +0100 Subject: [PATCH 304/844] Added small fixes --- code-scanning/sonarcloud.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 084feca2f8..d627b961c9 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -13,6 +13,7 @@ # # * b. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN # (On SonarCloud, click on your avatar on top-right > My account > Security) +# (or go directly to https://sonarcloud.io/account/security/) # Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) # or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) 
@@ -44,13 +45,13 @@ jobs: args: # Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu) -Dsonar.projectKey= # mandatory - # Unique organisation key of your project. You can find it in SonarCloud > Information (bottom-left menu) + # Unique organization key of your project. You can find it in SonarCloud > Information (bottom-left menu) -Dsonar.organization= # mandatory # Comma-separated paths to directories containing main source files. - -Dsonar.sources= # optional, default is project base directory + #-Dsonar.sources= # optional, default is project base directory # When you need the analysis to take place in a directory other than the one from which it was launched - -Dsonar.projectBaseDir= # optional, default is . + #-Dsonar.projectBaseDir= # optional, default is . # Comma-separated paths to directories containing test source files. - -Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ - # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. - -Dsonar.verbose= # optional, default is false + #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ + # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. + #-Dsonar.verbose= # optional, default is false From 75a7f2983bbe23e5ab84449c61053dfc20206b74 Mon Sep 17 00:00:00 2001 
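Review bot: The `args:` context line at the top of this hunk has no `|` or `>` indicator, so its value is a multi-line plain scalar, and the `# mandatory` trailers and the newly commented-out `#-Dsonar.sources=` lines sit inside that scalar; whether a YAML parser strips them, ends the scalar at the first `#` line, or rejects the document is parser-dependent, so the rendered value should be checked against what the runner actually hands to the scanner rather than assumed. A less ambiguous shape is `args: >` with only the `-Dsonar.*` flags beneath it and the explanatory text moved to comment lines above the `args:` key, because a folded scalar would pass any remaining `# optional ...` text to the scanner verbatim. The `with:` mapping this value belongs to starts outside the hunk.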
From: Peeter Piegaze <61758048+peeter-piegaze-sonarsource@users.noreply.github.com> Date: Fri, 18 Mar 2022 11:13:00 +0100 Subject: [PATCH 305/844] Update sonarcloud.yml Fix phrasing/word-choice --- code-scanning/sonarcloud.yml | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index d627b961c9..69eac6a647 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml 
@@ -1,19 +1,21 @@ -# This workflow helps you trigger a SonarCloud analysis of your code and populates GitHub Code Scanning alerts with the vulnerabilities found. +# This workflow helps you trigger a SonarCloud analysis of your code and populates +# GitHub Code Scanning alerts with the vulnerabilities found. # 1. Login to SonarCloud.io using your GitHub account # 2. Import your project on SonarCloud # * Add your GitHub organization first, then add your repository as a new project. -# * Please note that many languages are eligible for automatic analysis, which means that the analysis will start automatically without the need to set up GitHub Actions. +# * Please note that many languages are eligible for automatic analysis, +# which means that the analysis will start automatically without the need to set up GitHub Actions. # * This behavior can be changed in Administration > Analysis Method. # -# 3. Follow the SonarCloud's online tutorial -# * a. Copy/paste the Projet Key and the Organization Key in the args parameter below -# (You'll find those info on SonarCloud. Click on "Information" at the bottom left) +# 3. Follow the SonarCloud in-product tutorial +# * a. Copy/paste the Project Key and the Organization Key into the args parameter below +# (You'll find this information in SonarCloud. Click on "Information" at the bottom left) # -# * b. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN -# (On SonarCloud, click on your avatar on top-right > My account > Security) -# (or go directly to https://sonarcloud.io/account/security/) +# * b. 
Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN +# (On SonarCloud, click on your avatar on top-right > My account > Security +# or go directly to https://sonarcloud.io/account/security/) # Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) # or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) @@ -34,14 +36,14 @@ jobs: steps: - name: Analyze with SonarCloud - # You may pin to the exact commit or the version. + # You can pin the exact commit or the version. # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 uses: SonarSource/sonarcloud-github-action@v1.6 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) with: - # Additional arguments to the sonarcloud scanner + # Additional arguments for the sonarcloud scanner args: # Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu) -Dsonar.projectKey= # mandatory From 4657e39b91e5b80beea6f0cd14159141080b1f7d Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 15:39:54 +0530 Subject: [PATCH 306/844] Update azure-webapps-python.yml --- deployments/azure-webapps-python.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 8605e0a11a..6c43c1e85d 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -29,6 +29,9 @@ on: - $default-branch workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -61,6 +64,8 @@ jobs: !venv/ deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: 
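Review bot: `uses: SonarSource/sonarcloud-github-action@v1.6` pins a third-party action to a mutable tag while handing it both `SONAR_TOKEN` and `GITHUB_TOKEN`; the commented line directly above shows the immutable form, and for an action that receives two secrets the SHA should be the live line with the tag kept as a trailing comment, e.g. `uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 # v1.6` (assuming that SHA is indeed the v1.6 commit). No `permissions:` block is visible in this hunk; if the workflow declares none, the default `GITHUB_TOKEN` goes to the action with whatever repository default scope applies, whereas the comment only claims it is "Needed to get PR information", which a top-level `permissions:` of `contents: read` and `pull-requests: read` would match. The `build` job header enclosing these steps is outside the hunk.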
From 4740e068c130da4a35f6c535f07f6154ea4a4f43 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 15:46:17 +0530 Subject: [PATCH 307/844] Update codescan.yml --- code-scanning/codescan.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index 5886843a56..74a715659c 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -17,8 +17,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: CodeScan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - name: Checkout repository From 3a1a8562bf027aa2426256a7c187344e6a48f3ab Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 15:49:21 +0530 Subject: [PATCH 308/844] Update snyk-container.yml --- code-scanning/snyk-container.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index 8ff2c9a4b8..2373377fc7 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml @@ -22,8 +22,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 From bd76c74da653b228e83d45fea3d40d65a6197095 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 15:51:52 +0530 Subject: [PATCH 309/844] Update azure-webapps-php.yml --- deployments/azure-webapps-php.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index a2dd57bf18..a4442cffae 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml 
@@ -30,6 +30,9 @@ env: AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root PHP_VERSION: '8.x' # set this to the PHP version to use +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -74,6 +77,8 @@ jobs: path: . deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: From 18952126dca8c9b124ee6e15eed336f4a2f5e656 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 15:54:27 +0530 Subject: [PATCH 310/844] Update ossar.yml --- code-scanning/ossar.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index b5aefa4b59..f09b611736 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -17,10 +17,16 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: OSSAR-Scan: # OSSAR runs on windows-latest. # ubuntu-latest and macos-latest support coming soon + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: windows-latest steps: From 962b63852bcaf3eb7e38772047448700ada94d5f Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 15:56:24 +0530 Subject: [PATCH 311/844] Update alibabacloud.yml --- deployments/alibabacloud.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index ded91780b0..c7833059a8 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -40,6 +40,9 @@ env: ACR_EE_IMAGE: repo ACR_EE_TAG: ${{ github.sha }} +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest From a1fe90c10dbf737fb1787b358028b5e33641dcc0 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 16:00:04 +0530 Subject: [PATCH 312/844] Update tencent.yml --- deployments/tencent.yml | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/deployments/tencent.yml b/deployments/tencent.yml index 83bde94579..165981a455 100644 --- a/deployments/tencent.yml +++ b/deployments/tencent.yml @@ -27,6 +27,9 @@ env: TKE_CLUSTER_ID: cls-mywebapp DEPLOYMENT_NAME: tke-test +permissions: + contents: read + jobs: setup-build-publish-deploy: name: Setup, Build, Publish, and Deploy From ceada66602af669fcb1fee31ae307f1e47c85a2f Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 16:32:12 +0530 Subject: [PATCH 313/844] Update haskell.yml --- ci/haskell.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/haskell.yml b/ci/haskell.yml index c1d7dc7aeb..20dbb4cb20 100644 --- a/ci/haskell.yml +++ b/ci/haskell.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: From 02fa52f6c02fc3004eb878379efba7e1b6d071b7 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 16:34:10 +0530 Subject: [PATCH 314/844] Update symfony.yml --- ci/symfony.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/symfony.yml b/ci/symfony.yml index 7d1ca7460f..ab80492a47 100644 --- a/ci/symfony.yml +++ b/ci/symfony.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: symfony-tests: runs-on: ubuntu-latest From c5f542db49696973e6dbe4fc4d83305434656a96 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 16:35:53 +0530 Subject: [PATCH 315/844] Update php.yml --- ci/php.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/php.yml b/ci/php.yml index 6acfdd17d8..4937d3e177 100644 --- a/ci/php.yml +++ b/ci/php.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: From 53a9402455e3e377c93f0da9193a0f88b43645a7 Mon Sep 17 00:00:00 2001 
From: Shubham malik Date: Sat, 19 Mar 2022 16:39:47 +0530 Subject: [PATCH 316/844] Update azure-webapps-dotnet-core.yml --- deployments/azure-webapps-dotnet-core.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index ed45e220f9..758c6fabbb 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -30,6 +30,9 @@ on: - $default-branch workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -63,6 +66,8 @@ jobs: path: ${{env.DOTNET_ROOT}}/myapp deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: From 7b765747a5254b76a9408811ce5753c98f92a15f Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 16:41:42 +0530 Subject: [PATCH 317/844] Update azure-webapps-java-jar.yml --- deployments/azure-webapps-java-jar.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 210fd90ff3..50d26790de 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -29,6 +29,9 @@ on: - $default-branch workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -52,6 +55,8 @@ jobs: path: '${{ github.workspace }}/target/*.jar' deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: From 5e58bc6ef64e268fc508e06ed061209248c11423 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 16:47:46 +0530 Subject: [PATCH 318/844] Update azure-webapps-node.yml --- deployments/azure-webapps-node.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index b6089d4ee7..07cd3617a1 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml 
@@ -28,6 +28,9 @@ env: AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root NODE_VERSION: '14.x' # set this to the node version to use +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -53,6 +56,8 @@ jobs: path: . deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: From 9ab1bbfdcc4ce2235ab206d529853732f82c40d2 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Mon, 21 Mar 2022 10:08:04 +0100 Subject: [PATCH 319/844] Added Github disclaimer --- code-scanning/sonarcloud.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 69eac6a647..d0cc73be42 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -1,3 +1,8 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + # This workflow helps you trigger a SonarCloud analysis of your code and populates # GitHub Code Scanning alerts with the vulnerabilities found. From f2990d6b8371d3c22b0f47639e92f844b1af0ccf Mon Sep 17 00:00:00 2001 From: Daz DeBoer Date: Wed, 23 Mar 2022 09:54:13 -0600 Subject: [PATCH 320/844] Update to v2.1.4 of gradle-build-action (#1489) * Update to new version of gradle-build-action * Update to new version of gradle-build-action --- ci/gradle-publish.yml | 4 ++-- ci/gradle.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 9fdc8516ea..35f2d9c087 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml 
@@ -30,14 +30,14 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Build with Gradle - uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 + uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee with: arguments: build # The USERNAME and TOKEN need to correspond to the credentials environment variables used in # the publishing section of your build.gradle - name: Publish to GitHub Packages - uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 + uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee with: arguments: publish env: diff --git a/ci/gradle.yml b/ci/gradle.yml index fc8cf2fea8..7e4ece545c 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -26,6 +26,6 @@ jobs: java-version: '11' distribution: 'temurin' - name: Build with Gradle - uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 + uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee with: arguments: build From e59567a947c1c63e8d7fcfb494c87e8e199ee44a Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 25 Mar 2022 16:03:59 +0530 Subject: [PATCH 321/844] Bringing back Datadog Synthetics workflow (#1503) * Revert "Revert "Add Datadog Synthetics GitHub action to starter workflows (#1342)" (#1385)" This reverts commit de41169eb0a60341cf326c9b790a79a99e147793. * Add creator --- ci/datadog-synthetics.yml | 38 +++++++++++++++++++ .../datadog-synthetics.properties.json | 7 ++++ icons/datadog.svg | 4 ++ 3 files changed, 49 insertions(+) create mode 100644 ci/datadog-synthetics.yml create mode 100644 ci/properties/datadog-synthetics.properties.json create mode 100644 icons/datadog.svg diff --git a/ci/datadog-synthetics.yml b/ci/datadog-synthetics.yml new file mode 100644 index 0000000000..7056f87093 --- /dev/null +++ b/ci/datadog-synthetics.yml 
@@ -0,0 +1,38 @@ +# This workflow will trigger Datadog Synthetic tests within your Datadog organisation +# For more information on running Synthetic tests within your GitHub workflows see: https://docs.datadoghq.com/synthetics/cicd_integrations/github_actions/ + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# To get started: + +# 1. Add your Datadog API (DD_API_KEY) and Application Key (DD_APP_KEY) as secrets to your GitHub repository. For more information, see: https://docs.datadoghq.com/account_management/api-app-keys/. +# 2. Start using the action within your workflow + +name: Run Datadog Synthetic tests + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + # Run Synthetic tests within your GitHub workflow. + # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci + - name: Run Datadog Synthetic tests + uses: DataDog/synthetics-ci-github-action@2b56dc0cca9daa14ab69c0d1d6844296de8f941e + with: + api_key: ${{secrets.DD_API_KEY}} + app_key: ${{secrets.DD_APP_KEY}} + test_search_query: 'tag:e2e-tests' #Modify this tag to suit your tagging strategy + + diff --git a/ci/properties/datadog-synthetics.properties.json b/ci/properties/datadog-synthetics.properties.json new file mode 100644 index 0000000000..edbb086006 --- /dev/null +++ b/ci/properties/datadog-synthetics.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Datadog Synthetics", + "description": "Run Datadog Synthetic tests within your GitHub Actions workflow", + "creator": "Datadog", + "iconName": "datadog", + "categories": ["Continuous integration", "JavaScript", "TypeScript", "Testing"] +} 
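Review bot: The new workflow declares no top-level `permissions:` block, even though the neighbouring commits in this series add `permissions: contents: read` to every other starter workflow (azure-webapps-*, haskell, php, symfony, tencent, alibabacloud); the single job here only runs `actions/checkout` and the synthetics action, so `permissions:` with `contents: read` under `name:` is sufficient and should be added. `actions/checkout@v2` is also one major behind the v3 the node16 commit later in this series moves every other workflow to. The Datadog action is correctly pinned to a commit SHA, but a trailing `# vX.Y` comment would let readers and update bots map the SHA to a release. The header comment could also mention that, as a rule, repository secrets are not available to `pull_request` runs from forks, so `DD_API_KEY`/`DD_APP_KEY` will be empty there and the step will fail; that depends on repository settings, so state it as a caveat.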
diff --git a/icons/datadog.svg b/icons/datadog.svg new file mode 100644 index 0000000000..91cb3b6260 --- /dev/null +++ b/icons/datadog.svg @@ -0,0 +1,4 @@ + + + + From 3be3c5deec708a2becaca71ec12dce81ae3d6080 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Mon, 28 Mar 2022 09:47:44 +0530 Subject: [PATCH 322/844] Update cache action to v3 (#1507) --- ci/elixir.yml | 2 +- ci/haskell.yml | 2 +- ci/php.yml | 2 +- ci/symfony.yml | 2 +- code-scanning/codescan.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 2 +- deployments/azure-webapps-php.yml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ci/elixir.yml b/ci/elixir.yml index afe01beb2f..525d175bb3 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -20,7 +20,7 @@ jobs: elixir-version: '1.12.3' # Define the elixir version [required] otp-version: '24.1' # Define the OTP version [required] - name: Restore dependencies cache - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: deps key: ${{ runner.os }}-mix-${{ hashFiles('**/mix.lock') }} diff --git a/ci/haskell.yml b/ci/haskell.yml index c1d7dc7aeb..b9b1d4ec6d 100644 --- a/ci/haskell.yml +++ b/ci/haskell.yml @@ -19,7 +19,7 @@ jobs: cabal-version: '3.2' - name: Cache - uses: actions/cache@v1 + uses: actions/cache@v3 env: cache-name: cache-cabal with: diff --git a/ci/php.yml b/ci/php.yml index 6acfdd17d8..4a1d36bd35 100644 --- a/ci/php.yml +++ b/ci/php.yml @@ -19,7 +19,7 @@ jobs: - name: Cache Composer packages id: composer-cache - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: vendor key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }} diff --git a/ci/symfony.yml b/ci/symfony.yml index 7d1ca7460f..ba3d49c68d 100644 --- a/ci/symfony.yml +++ b/ci/symfony.yml 
@@ -21,7 +21,7 @@ jobs: run: php -r "file_exists('.env.test.local') || copy('.env.test', '.env.test.local');" - name: Cache Composer packages id: composer-cache - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: vendor key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }} diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index 5886843a56..ff376a9884 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -24,7 +24,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v2 - name: Cache files - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: | ~/.sonar diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index ed45e220f9..d4690a53f4 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -43,7 +43,7 @@ jobs: dotnet-version: ${{ env.DOTNET_VERSION }} - name: Set up dependency caching for faster builds - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: ~/.nuget/packages key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }} diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index a2dd57bf18..f971d1c43d 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -55,7 +55,7 @@ jobs: echo "::set-output name=dir::$(composer config cache-files-dir)" - name: Set up dependency caching for faster installs - uses: actions/cache@v2 + uses: actions/cache@v3 if: steps.check_files.outputs.files_exists == 'true' with: path: ${{ steps.composer-cache.outputs.dir }} From 69cce6ad3afa0ae834dd79e191f20b0104b1dde8 Mon Sep 17 00:00:00 2001 From: Hiroyuki Onaka Date: Mon, 28 Mar 2022 19:39:18 +0900 Subject: [PATCH 323/844] Add env variable to set the Java distribution to use --- deployments/azure-webapps-java-jar.yml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 210fd90ff3..c211a0f44a 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -22,6 +22,7 @@ name: Build and deploy JAR app to Azure Web App env: AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App JAVA_VERSION: '11' # set this to the Java version to use + DISTRIBUTION: zulu # set this to the Java distribution on: push: @@ -40,6 +41,7 @@ jobs: uses: actions/setup-java@v2.3.1 with: java-version: ${{ env.JAVA_VERSION }} + distribution: ${{ env.DISTRIBUTION }} cache: 'maven' - name: Build with Maven From 1d9d6d7fb0a8a27ef98efbbfa9689cd14c906383 Mon Sep 17 00:00:00 2001 
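Review bot: `DISTRIBUTION: zulu` diverges from the `distribution: 'temurin'` the other Java starter workflows in this repository use (ci/android.yml, ci/ant.yml), so unless Zulu is a deliberate choice for Azure the value should be `temurin` for consistency. The inline comment `# set this to the Java distribution` gives no hint of what is accepted; consider `# set this to the Java distribution to use (e.g. temurin, zulu, adopt)`, hedged to whatever the pinned setup-java version documents. If, as I recall, `distribution` is a required input from setup-java v2 onward, the previous file would have failed at runtime and the commit message could say this fixes that rather than merely adding a knob.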
From: Thomas Boop <52323235+thboop@users.noreply.github.com> Date: Mon, 28 Mar 2022 13:10:48 -0400 Subject: [PATCH 324/844] Update Actions to node16 (#1469) * update actions * address merge conflicts * fix java updates * update github script * update cache to v3 Co-authored-by: Bishal Prasad --- .github/workflows/labeler-triage.yml | 2 +- .github/workflows/stale.yml | 2 +- .github/workflows/sync_ghes.yaml | 4 +- .github/workflows/validate-data.yaml | 4 +- automation/label.yml | 2 +- automation/stale.yml | 2 +- ci/ada.yml | 2 +- ci/android.yml | 4 +- ci/ant.yml | 4 +- ci/blank.yml | 2 +- ci/c-cpp.yml | 2 +- ci/clojure.yml | 2 +- ci/cmake.yml | 2 +- ci/crystal.yml | 2 +- ci/d.yml | 2 +- ci/dart.yml | 2 +- ci/deno.yml | 2 +- ci/django.yml | 4 +- ci/docker-image.yml | 2 +- ci/docker-publish.yml | 2 +- ci/dotnet-desktop.yml | 4 +- ci/dotnet.yml | 4 +- ci/elixir.yml | 62 +++++++++---------- ci/erlang.yml | 2 +- ci/gem-push.yml | 2 +- ci/go.yml | 4 +- ci/gradle-publish.yml | 4 +- ci/gradle.yml | 4 +- ci/haskell.yml | 2 +- ci/ios.yml | 2 +- ci/jekyll.yml | 2 +- ci/laravel.yml | 2 +- ci/makefile.yml | 2 +- ci/maven-publish.yml | 4 +- ci/maven.yml | 4 +- ci/msbuild.yml | 2 +- ci/node.js.yml | 4 +- ci/npm-grunt.yml | 4 +- ci/npm-gulp.yml | 4 +- ci/npm-publish-github-packages.yml | 8 +-- ci/npm-publish.yml | 8 +-- ci/objective-c-xcode.yml | 2 +- ci/php.yml | 2 +- ci/pylint.yml | 4 +- ci/python-app.yml | 4 +- ci/python-package-conda.yml | 4 +- ci/python-package.yml | 4 +- ci/python-publish.yml | 4 +- ci/r.yml | 2 +- ci/ruby.yml | 2 +- ci/rubyonrails.yml | 4 +- ci/rust.yml | 2 +- ci/scala.yml | 4 +- ci/super-linter.yml | 2 +- ci/swift.yml | 2 +- ci/symfony.yml | 2 +- ci/webpack.yml | 4 +- code-scanning/anchore.yml | 2 +- code-scanning/brakeman.yml | 2 +- code-scanning/checkmarx.yml | 2 +- code-scanning/cloudrail.yml | 2 +- code-scanning/codacy.yml | 2 +- code-scanning/codeql.yml | 2 +- code-scanning/codescan.yml | 2 +- code-scanning/crunch42.yml | 2 +- code-scanning/detekt.yml | 
2 +- code-scanning/devskim.yml | 2 +- code-scanning/flawfinder.yml | 2 +- code-scanning/fortify.yml | 7 ++- code-scanning/kubesec.yml | 2 +- code-scanning/mayhem-for-api.yml | 2 +- code-scanning/mobsf.yml | 4 +- code-scanning/msvc.yml | 2 +- code-scanning/njsscan.yml | 2 +- code-scanning/nowsecure.yml | 2 +- code-scanning/ossar.yml | 4 +- code-scanning/pmd.yml | 4 +- code-scanning/powershell.yml | 2 +- code-scanning/prisma.yml | 2 +- code-scanning/rubocop.yml | 2 +- code-scanning/scorecards.yml | 4 +- code-scanning/securitycodescan.yml | 2 +- code-scanning/semgrep.yml | 2 +- code-scanning/shiftleft.yml | 2 +- code-scanning/snyk-container.yml | 2 +- code-scanning/snyk-infrastructure.yml | 2 +- code-scanning/stackhawk.yml | 2 +- code-scanning/synopsys-io.yml | 2 +- code-scanning/sysdig-scan.yml | 2 +- code-scanning/tfsec.yml | 2 +- code-scanning/trivy.yml | 2 +- code-scanning/veracode.yml | 7 ++- code-scanning/xanitizer.yml | 5 +- deployments/alibabacloud.yml | 4 +- deployments/aws.yml | 2 +- deployments/azure-container-webapp.yml | 2 +- deployments/azure-kubernetes-service-helm.yml | 2 +- .../azure-kubernetes-service-kompose.yml | 2 +- .../azure-kubernetes-service-kustomize.yml | 2 +- deployments/azure-kubernetes-service.yml | 2 +- deployments/azure-staticwebapp.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 4 +- deployments/azure-webapps-java-jar.yml | 4 +- deployments/azure-webapps-node.yml | 4 +- deployments/azure-webapps-php.yml | 2 +- deployments/azure-webapps-python.yml | 4 +- deployments/google.yml | 2 +- deployments/ibm.yml | 2 +- deployments/openshift.yml | 4 +- deployments/tencent.yml | 2 +- deployments/terraform.yml | 2 +- 111 files changed, 188 insertions(+), 185 deletions(-) diff --git a/.github/workflows/labeler-triage.yml b/.github/workflows/labeler-triage.yml index eba05f0f49..99fdbc5cdd 100644 --- a/.github/workflows/labeler-triage.yml +++ b/.github/workflows/labeler-triage.yml 
@@ -11,6 +11,6 @@ jobs: triage: runs-on: ubuntu-latest steps: - - uses: actions/labeler@v3 + - uses: actions/labeler@v4 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" \ No newline at end of file diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 217078a152..c319ce1c3c 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/stale@v3 + - uses: actions/stale@v5 with: stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.' stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.' diff --git a/.github/workflows/sync_ghes.yaml b/.github/workflows/sync_ghes.yaml index 946218f572..fb9c623f20 100644 --- a/.github/workflows/sync_ghes.yaml +++ b/.github/workflows/sync_ghes.yaml @@ -11,12 +11,12 @@ jobs: contents: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - run: | git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/* git config user.email "cschleiden@github.com" git config user.name "GitHub Actions" - - uses: actions/setup-node@v2 + - uses: actions/setup-node@v3 with: node-version: '12' - name: Check starter workflows for GHES compat diff --git a/.github/workflows/validate-data.yaml b/.github/workflows/validate-data.yaml index 7d5c1ee949..d2ac9a52db 100644 --- a/.github/workflows/validate-data.yaml +++ b/.github/workflows/validate-data.yaml @@ -10,9 +10,9 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - - uses: actions/setup-node@v2 + - uses: actions/setup-node@v3 with: node-version: "12" diff --git a/automation/label.yml b/automation/label.yml index 5cdc45e6d4..a8a1bd725b 100644 --- a/automation/label.yml +++ b/automation/label.yml 
@@ -17,6 +17,6 @@ jobs: pull-requests: write steps: - - uses: actions/labeler@v2 + - uses: actions/labeler@v4 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/automation/stale.yml b/automation/stale.yml index ff88dc0809..1322eafd69 100644 --- a/automation/stale.yml +++ b/automation/stale.yml @@ -18,7 +18,7 @@ jobs: pull-requests: write steps: - - uses: actions/stale@v3 + - uses: actions/stale@v5 with: repo-token: ${{ secrets.GITHUB_TOKEN }} stale-issue-message: 'Stale issue message' diff --git a/ci/ada.yml b/ci/ada.yml index a27902a5ed..7e94b3855e 100644 --- a/ci/ada.yml +++ b/ci/ada.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Set up GNAT toolchain run: > diff --git a/ci/android.yml b/ci/android.yml index f289bd5c73..221fca5c90 100644 --- a/ci/android.yml +++ b/ci/android.yml @@ -12,9 +12,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/ci/ant.yml b/ci/ant.yml index 0205d40359..16146641ae 100644 --- a/ci/ant.yml +++ b/ci/ant.yml @@ -15,9 +15,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/ci/blank.yml b/ci/blank.yml index 895e5d1d76..607e2cfaeb 100644 --- a/ci/blank.yml +++ b/ci/blank.yml @@ -23,7 +23,7 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Runs a single command using the runners shell - name: Run a one-line script diff --git a/ci/c-cpp.yml b/ci/c-cpp.yml index 88d1497621..14d2eb9c34 100644 
--- a/ci/c-cpp.yml +++ b/ci/c-cpp.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: configure run: ./configure - name: make diff --git a/ci/clojure.yml b/ci/clojure.yml index 098918a1b8..a76631a5dd 100644 --- a/ci/clojure.yml +++ b/ci/clojure.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install dependencies run: lein deps - name: Run tests diff --git a/ci/cmake.yml b/ci/cmake.yml index 6c858b9198..6f06f756ca 100644 --- a/ci/cmake.yml +++ b/ci/cmake.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Configure CMake # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make. diff --git a/ci/crystal.yml b/ci/crystal.yml index 6552afa563..18cc825acb 100644 --- a/ci/crystal.yml +++ b/ci/crystal.yml @@ -15,7 +15,7 @@ jobs: image: crystallang/crystal steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install dependencies run: shards install - name: Run tests diff --git a/ci/d.yml b/ci/d.yml index 6086681203..878716adff 100644 --- a/ci/d.yml +++ b/ci/d.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: dlang-community/setup-dlang@4c99aa991ce7d19dd3064de0a4f2f6b2f152e2d7 - name: 'Build & Test' diff --git a/ci/dart.yml b/ci/dart.yml index 7486577484..7bf352f21b 100644 --- a/ci/dart.yml +++ b/ci/dart.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Note: This workflow uses the latest stable version of the Dart SDK. # You can specify other versions if desired, see documentation here: diff --git a/ci/deno.yml b/ci/deno.yml index 25e9e2a510..24d3d9bda6 100644 --- a/ci/deno.yml +++ b/ci/deno.yml 
@@ -20,7 +20,7 @@ jobs: steps: - name: Setup repo - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Setup Deno # uses: denoland/setup-deno@v1 diff --git a/ci/django.yml b/ci/django.yml index dbde2666b0..79550cc789 100644 --- a/ci/django.yml +++ b/ci/django.yml @@ -16,9 +16,9 @@ jobs: python-version: [3.7, 3.8, 3.9] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: ${{ matrix.python-version }} - name: Install Dependencies diff --git a/ci/docker-image.yml b/ci/docker-image.yml index 78532a335a..cc9cd6ee37 100644 --- a/ci/docker-image.yml +++ b/ci/docker-image.yml @@ -13,6 +13,6 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Build the Docker image run: docker build . --file Dockerfile --tag my-image-name:$(date +%s) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 977635a1b4..7b6add3ce3 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -35,7 +35,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index 06ce344fd1..170b3f6487 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -63,13 +63,13 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: fetch-depth: 0 # Install the .NET Core workload - name: Install .NET Core - uses: actions/setup-dotnet@v1 + uses: actions/setup-dotnet@v2 with: dotnet-version: 5.0.x diff --git a/ci/dotnet.yml b/ci/dotnet.yml index c31cf6857f..5974d4a034 100644 --- a/ci/dotnet.yml +++ b/ci/dotnet.yml 
@@ -12,9 +12,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Setup .NET - uses: actions/setup-dotnet@v1 + uses: actions/setup-dotnet@v2 with: dotnet-version: 5.0.x - name: Restore dependencies diff --git a/ci/elixir.yml b/ci/elixir.yml index 525d175bb3..5b5aabbe06 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -1,31 +1,31 @@ -name: Elixir CI - -on: - push: - branches: [ $default-branch ] - pull_request: - branches: [ $default-branch ] - -jobs: - build: - - name: Build and test - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - name: Set up Elixir - uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f - with: - elixir-version: '1.12.3' # Define the elixir version [required] - otp-version: '24.1' # Define the OTP version [required] - - name: Restore dependencies cache - uses: actions/cache@v3 - with: - path: deps - key: ${{ runner.os }}-mix-${{ hashFiles('**/mix.lock') }} - restore-keys: ${{ runner.os }}-mix- - - name: Install dependencies - run: mix deps.get - - name: Run tests - run: mix test +name: Elixir CI + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + +jobs: + build: + + name: Build and test + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + - name: Set up Elixir + uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f + with: + elixir-version: '1.12.3' # Define the elixir version [required] + otp-version: '24.1' # Define the OTP version [required] + - name: Restore dependencies cache + uses: actions/cache@v3 + with: + path: deps + key: ${{ runner.os }}-mix-${{ hashFiles('**/mix.lock') }} + restore-keys: ${{ runner.os }}-mix- + - name: Install dependencies + run: mix deps.get + - name: Run tests + run: mix test diff --git a/ci/erlang.yml b/ci/erlang.yml index 25cb8939e7..20e269fbad 100644 --- a/ci/erlang.yml +++ b/ci/erlang.yml 
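Review bot: The ci/elixir.yml hunk removes and re-adds all 31 lines of the file although the only content difference visible on the new side is `- uses: actions/checkout@v3`, which suggests a line-ending or trailing-whitespace normalisation was folded into the version bump. That buries a one-line change in a whole-file diff and makes `git blame` and later review harder; keeping such normalisation in its own commit, or enforcing it once via `.gitattributes` so it does not recur, would keep this bump as small as the other hunks. I cannot see the byte-level difference from here, so this is an inference from the otherwise identical text.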
@@ -16,7 +16,7 @@ jobs: image: erlang:22.0.7 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Compile run: rebar3 compile - name: Run tests diff --git a/ci/gem-push.yml b/ci/gem-push.yml index 3dc62be3cb..8905272015 100644 --- a/ci/gem-push.yml +++ b/ci/gem-push.yml @@ -15,7 +15,7 @@ jobs: packages: write steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Ruby 2.6 uses: actions/setup-ruby@v1 with: diff --git a/ci/go.yml b/ci/go.yml index afff652f99..6f498a6c4c 100644 --- a/ci/go.yml +++ b/ci/go.yml @@ -11,10 +11,10 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Go - uses: actions/setup-go@v2 + uses: actions/setup-go@v3 with: go-version: 1.17 diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 35f2d9c087..9aeb2b85fe 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -20,9 +20,9 @@ jobs: packages: write steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/ci/gradle.yml b/ci/gradle.yml index 7e4ece545c..8e0d1e4c5f 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -19,9 +19,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/ci/haskell.yml b/ci/haskell.yml index b9b1d4ec6d..827d177f91 100644 --- a/ci/haskell.yml +++ b/ci/haskell.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: actions/setup-haskell@v1 with: ghc-version: '8.10.3' diff --git a/ci/ios.yml b/ci/ios.yml index ab92d322ad..5cec5e7648 100644 --- a/ci/ios.yml +++ b/ci/ios.yml 
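Review bot: In the ci/gem-push.yml hunk the checkout bump leaves the next step on `actions/setup-ruby@v1`, while ci/ruby.yml and ci/rubyonrails.yml in this same diff use `ruby/setup-ruby` (the latter pinned to a commit with a `# v1.92` comment). As far as I know the `actions/setup-ruby` repository is deprecated in favour of `ruby/setup-ruby`, so a pass that is already modernising action references is the natural place to switch, e.g. `uses: ruby/setup-ruby@v1` with `ruby-version: '2.6'`; please confirm against the action's README before changing it. The step's `with:` block continues outside the hunk.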
@@ -13,7 +13,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Set Default Scheme run: | scheme_list=$(xcodebuild -list -json | tr -d "\n") diff --git a/ci/jekyll.yml b/ci/jekyll.yml index 71920c128d..6a98dea142 100644 --- a/ci/jekyll.yml +++ b/ci/jekyll.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Build the site in the jekyll/builder container run: | docker run \ diff --git a/ci/laravel.yml b/ci/laravel.yml index 5f4e6c9023..e778d7b313 100644 --- a/ci/laravel.yml +++ b/ci/laravel.yml @@ -15,7 +15,7 @@ jobs: - uses: shivammathur/setup-php@15c43e89cdef867065b0213be354c2841860869e with: php-version: '8.0' - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Copy .env run: php -r "file_exists('.env') || copy('.env.example', '.env');" - name: Install Dependencies diff --git a/ci/makefile.yml b/ci/makefile.yml index eafe622fd5..0156944cdc 100644 --- a/ci/makefile.yml +++ b/ci/makefile.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: configure run: ./configure diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml index 319f9a1194..dab69fef79 100644 --- a/ci/maven-publish.yml +++ b/ci/maven-publish.yml @@ -16,9 +16,9 @@ jobs: packages: write steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/ci/maven.yml b/ci/maven.yml index f301fe093e..65e0dff20e 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -15,9 +15,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' 
diff --git a/ci/msbuild.yml b/ci/msbuild.yml index e650e2aa34..3cd8f013bc 100644 --- a/ci/msbuild.yml +++ b/ci/msbuild.yml @@ -20,7 +20,7 @@ jobs: runs-on: windows-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Add MSBuild to PATH uses: microsoft/setup-msbuild@v1.0.2 diff --git a/ci/node.js.yml b/ci/node.js.yml index 8d1b9c7001..87ef0d8f5e 100644 --- a/ci/node.js.yml +++ b/ci/node.js.yml @@ -20,9 +20,9 @@ jobs: # See supported Node.js release schedule at https://nodejs.org/en/about/releases/ steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v2 + uses: actions/setup-node@v3 with: node-version: ${{ matrix.node-version }} cache: 'npm' diff --git a/ci/npm-grunt.yml b/ci/npm-grunt.yml index 8c83cb6237..eda97e1fd7 100644 --- a/ci/npm-grunt.yml +++ b/ci/npm-grunt.yml @@ -15,10 +15,10 @@ jobs: node-version: [12.x, 14.x, 16.x] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v1 + uses: actions/setup-node@v3 with: node-version: ${{ matrix.node-version }} diff --git a/ci/npm-gulp.yml b/ci/npm-gulp.yml index cc5da138f7..504f22ea61 100644 --- a/ci/npm-gulp.yml +++ b/ci/npm-gulp.yml @@ -15,10 +15,10 @@ jobs: node-version: [12.x, 14.x, 16.x] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v1 + uses: actions/setup-node@v3 with: node-version: ${{ matrix.node-version }} diff --git a/ci/npm-publish-github-packages.yml b/ci/npm-publish-github-packages.yml index 09ff0b3cc7..638ccf806c 100644 --- a/ci/npm-publish-github-packages.yml +++ b/ci/npm-publish-github-packages.yml 
@@ -11,8 +11,8 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 with: node-version: 16 - run: npm ci @@ -25,8 +25,8 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 with: node-version: 16 registry-url: $registry-url(npm) diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index ef8c6905aa..c461c85dd9 100644 --- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml @@ -11,8 +11,8 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 with: node-version: 16 - run: npm ci @@ -22,8 +22,8 @@ jobs: needs: build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 with: node-version: 16 registry-url: https://registry.npmjs.org/ diff --git a/ci/objective-c-xcode.yml b/ci/objective-c-xcode.yml index db009b0f17..13738787b6 100644 --- a/ci/objective-c-xcode.yml +++ b/ci/objective-c-xcode.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Set Default Scheme run: | scheme_list=$(xcodebuild -list -json | tr -d "\n") diff --git a/ci/php.yml b/ci/php.yml index 4a1d36bd35..ba84657dab 100644 --- a/ci/php.yml +++ b/ci/php.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Validate composer.json and composer.lock run: composer validate --strict diff --git a/ci/pylint.yml b/ci/pylint.yml index 7b555fee49..383e65cd03 100644 --- a/ci/pylint.yml +++ b/ci/pylint.yml 
@@ -9,9 +9,9 @@ jobs: matrix: python-version: ["3.8", "3.9", "3.10"] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: ${{ matrix.python-version }} - name: Install dependencies diff --git a/ci/python-app.yml b/ci/python-app.yml index 2cfc2a36b5..89823c1c0b 100644 --- a/ci/python-app.yml +++ b/ci/python-app.yml @@ -15,9 +15,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python 3.10 - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: "3.10" - name: Install dependencies diff --git a/ci/python-package-conda.yml b/ci/python-package-conda.yml index 9bd6d2b617..57940bdb0c 100644 --- a/ci/python-package-conda.yml +++ b/ci/python-package-conda.yml @@ -9,9 +9,9 @@ jobs: max-parallel: 5 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python 3.10 - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: 3.10 - name: Add conda to system path diff --git a/ci/python-package.yml b/ci/python-package.yml index b0a63cf6a9..583a366774 100644 --- a/ci/python-package.yml +++ b/ci/python-package.yml @@ -19,9 +19,9 @@ jobs: python-version: ["3.8", "3.9", "3.10"] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: ${{ matrix.python-version }} - name: Install dependencies diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 3bfabfc125..f55528c5a5 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml 
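Review bot: In the ci/python-package-conda.yml hunk the context line directly under the new `actions/setup-python@v3` is `python-version: 3.10` unquoted, which YAML reads as the float 3.1, so the action is asked for Python 3.1 rather than 3.10; ci/python-app.yml, ci/pylint.yml and ci/python-package.yml in this same diff already quote it as `"3.10"`. Change it to `python-version: "3.10"`. The ci/django.yml matrix `[3.7, 3.8, 3.9]` and the code-scanning/mobsf.yml `python-version: 3.8` survive only because those values have no trailing zero; quoting them too would make the templates safe when someone copies the pattern for 3.10 and later.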
@@ -18,9 +18,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: '3.x' - name: Install dependencies diff --git a/ci/r.yml b/ci/r.yml index 305c2cf45f..afb870e2fe 100644 --- a/ci/r.yml +++ b/ci/r.yml @@ -22,7 +22,7 @@ jobs: r-version: ['3.6.3', '4.1.1'] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up R ${{ matrix.r-version }} uses: r-lib/actions/setup-r@f57f1301a053485946083d7a45022b278929a78a with: diff --git a/ci/ruby.yml b/ci/ruby.yml index f6ae1e3573..d8e672abe6 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -22,7 +22,7 @@ jobs: ruby-version: ['2.6', '2.7', '3.0'] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Ruby # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, # change this to (see https://github.com/ruby/setup-ruby#versioning): diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index b7b3624394..2ad891f479 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -27,7 +27,7 @@ jobs: DATABASE_URL: "postgres://rails:password@localhost:5432/rails_test" steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Add or replace dependency steps here - name: Install Ruby and gems uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92 @@ -44,7 +44,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Install Ruby and gems uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92 with: diff --git a/ci/rust.yml b/ci/rust.yml index 6c82c610fe..d51f1afdb7 100644 --- a/ci/rust.yml +++ b/ci/rust.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Build run: cargo build --verbose - name: Run tests 
diff --git a/ci/scala.yml b/ci/scala.yml index af6b2ed0bc..ed24363736 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -12,9 +12,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/ci/super-linter.yml b/ci/super-linter.yml index bebd82dd26..275b34f85c 100644 --- a/ci/super-linter.yml +++ b/ci/super-linter.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: # Full git history is needed to get a proper list of changed files within `super-linter` fetch-depth: 0 diff --git a/ci/swift.yml b/ci/swift.yml index df062b53e5..3668fc0be6 100644 --- a/ci/swift.yml +++ b/ci/swift.yml @@ -12,7 +12,7 @@ jobs: runs-on: macos-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Build run: swift build -v - name: Run tests diff --git a/ci/symfony.yml b/ci/symfony.yml index ba3d49c68d..533d379513 100644 --- a/ci/symfony.yml +++ b/ci/symfony.yml @@ -16,7 +16,7 @@ jobs: - uses: shivammathur/setup-php@2cb9b829437ee246e9b3cac53555a39208ca6d28 with: php-version: '8.0' - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Copy .env.test.local run: php -r "file_exists('.env.test.local') || copy('.env.test', '.env.test.local');" - name: Cache Composer packages diff --git a/ci/webpack.yml b/ci/webpack.yml index 8edb34f4bb..6449fe7a7b 100644 --- a/ci/webpack.yml +++ b/ci/webpack.yml @@ -15,10 +15,10 @@ jobs: node-version: [12.x, 14.x, 16.x] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v1 + uses: actions/setup-node@v3 with: node-version: ${{ matrix.node-version }} diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index fcca708e99..64264e45a0 100644 
--- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -31,7 +31,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Build the Docker image run: docker build . --file Dockerfile --tag localbuild/testimage:latest - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index d0b25ac9a3..3237551deb 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -30,7 +30,7 @@ jobs: steps: # Checkout the repository to the GitHub Actions runner - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Customize the ruby version depending on your needs - name: Setup Ruby diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index d012bce5c8..d86d4f9a8a 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -34,7 +34,7 @@ jobs: # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs - name: Checkmarx CxFlow Action uses: checkmarx-ts/checkmarx-cxflow-github-action@9975af7d6b957abec9ee9646effa3fb3b82c5314 diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml index 00e270ad57..0d6b3de959 100644 --- a/code-scanning/cloudrail.yml +++ b/code-scanning/cloudrail.yml @@ -24,7 +24,7 @@ jobs: steps: - name: Clone repo - uses: actions/checkout@v2 + uses: actions/checkout@v3 # For Terraform, Cloudrail requires the plan as input. So we generate it using # the Terraform core binary. diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index 4892930921..8100be89cf 100644 --- a/code-scanning/codacy.yml 
+++ b/code-scanning/codacy.yml @@ -35,7 +35,7 @@ jobs: steps: # Checkout the repository to the GitHub Actions runner - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis - name: Run Codacy Analysis CLI diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 57b4b69ad9..cd9a68339a 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -38,7 +38,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index ff376a9884..bc65eb0634 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -22,7 +22,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Cache files uses: actions/cache@v3 with: diff --git a/code-scanning/crunch42.yml b/code-scanning/crunch42.yml index e8e24472b8..07cd73a62c 100644 --- a/code-scanning/crunch42.yml +++ b/code-scanning/crunch42.yml @@ -43,7 +43,7 @@ jobs: security-events: write # for 42Crunch/api-security-audit-action to upload results to Github Code Scanning runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: 42Crunch REST API Static Security Testing uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1 diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index a8610c32c4..1118c3d474 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml 
@@ -45,7 +45,7 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Gets the download URL associated with the $DETEKT_RELEASE_TAG - name: Get Detekt download URL diff --git a/code-scanning/devskim.yml b/code-scanning/devskim.yml index 3a5c45fb59..e057348414 100644 --- a/code-scanning/devskim.yml +++ b/code-scanning/devskim.yml @@ -23,7 +23,7 @@ jobs: security-events: write steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Run DevSkim scanner uses: microsoft/DevSkim-Action@v1 diff --git a/code-scanning/flawfinder.yml b/code-scanning/flawfinder.yml index 080953ea17..697e56150e 100644 --- a/code-scanning/flawfinder.yml +++ b/code-scanning/flawfinder.yml @@ -24,7 +24,7 @@ jobs: security-events: write steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: flawfinder_scan uses: david-a-wheeler/flawfinder@8e4a779ad59dbfaee5da586aa9210853b701959c diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml index d67d194897..83f99c1a02 100644 --- a/code-scanning/fortify.yml +++ b/code-scanning/fortify.yml @@ -39,14 +39,15 @@ jobs: steps: # Check out source code - name: Check Out Source Code - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Java is required to run the various Fortify utilities. # When scanning a Java application, please use the appropriate Java version for building your application. - name: Setup Java - uses: actions/setup-java@v1 + uses: actions/setup-java@v3 with: - java-version: 1.8 + java-version: 8 + distribution: 'temurin' # Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml. # TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints: 
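Review bot: The new `java-version: 8` in the code-scanning/fortify.yml hunk is an unquoted integer while every other setup-java@v3 migration in this commit writes the version as a quoted string (`java-version: '11'` next to `distribution: 'temurin'`); the same applies to the new `java-version: 8` in code-scanning/veracode.yml, and code-scanning/xanitizer.yml keeps an unquoted `java-version: 11` beside its new `distribution` line. Quoting it, `java-version: '8'`, keeps the three templates consistent with the rest of the change and avoids relying on the action coercing a YAML number, which matters as soon as a copier substitutes a value such as `11.0` or `17.0.1`. The fortify hunk ends inside a `# TODO` comment, so the steps that follow are outside my view.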
diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml index 1cad70cba8..81ebaa792c 100644 --- a/code-scanning/kubesec.yml +++ b/code-scanning/kubesec.yml @@ -24,7 +24,7 @@ jobs: security-events: write steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Run kubesec scanner uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml index 59d66a003e..ed424f1dab 100644 --- a/code-scanning/mayhem-for-api.yml +++ b/code-scanning/mayhem-for-api.yml @@ -42,7 +42,7 @@ jobs: contents: read security-events: write steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Run your API in the background. Ideally, the API would run in debug # mode & send stacktraces back on "500 Internal Server Error" responses diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index d8eaa9246b..96655affea 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -24,10 +24,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Setup python - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: 3.8 diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 0abb40937c..13e58eff77 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Configure CMake run: cmake -B ${{ env.build }} diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index a6da087b9b..16ade3b2a3 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -29,7 +29,7 @@ jobs: name: njsscan code scanning steps: - name: Checkout the code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: nodejsscan scan id: njsscan uses: ajinabraham/njsscan-action@7237412fdd36af517e2745077cedbf9d6900d711 
diff --git a/code-scanning/nowsecure.yml b/code-scanning/nowsecure.yml index 92126bdfde..fbca5379b1 100644 --- a/code-scanning/nowsecure.yml +++ b/code-scanning/nowsecure.yml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Build your application run: ./gradlew assembleDebug # Update this to build your Android or iOS application diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index b5aefa4b59..a6f6aa7059 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -25,7 +25,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Ensure a compatible version of dotnet is installed. # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. @@ -33,7 +33,7 @@ jobs: # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped. # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action: # - name: Install .NET - # uses: actions/setup-dotnet@v1 + # uses: actions/setup-dotnet@v2 # with: # dotnet-version: '3.1.x' diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 06047344f7..cd88c3430b 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -17,9 +17,9 @@ jobs: pmd-code-scan: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index dfbf452e2b..e70dd96b2d 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml 
@@ -22,7 +22,7 @@ jobs: name: PSScriptAnalyzer runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Run PSScriptAnalyzer uses: microsoft/psscriptanalyzer-action@2044ae068e37d0161fa2127de04c19633882f061 diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 5b1148202e..07be948b7d 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -33,7 +33,7 @@ jobs: name: Run Prisma Cloud IaC Scan to check steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - id: iac-scan name: Run Scan on CFT files in the repository uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3 diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml index 373d5b689d..4ab8001407 100644 --- a/code-scanning/rubocop.yml +++ b/code-scanning/rubocop.yml @@ -23,7 +23,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 # If running on a self-hosted runner, check it meets the requirements # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index d63b4628cc..a6bde3a8b9 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -22,7 +22,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0 with: persist-credentials: false @@ -42,7 +42,7 @@ jobs: # Upload the results as artifacts (optional). - name: "Upload artifact" - uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 with: name: SARIF file path: results.sarif diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml index 3063c7ad7e..0b2fa57a6e 100644 
--- a/code-scanning/securitycodescan.yml +++ b/code-scanning/securitycodescan.yml @@ -21,7 +21,7 @@ jobs: SCS: runs-on: windows-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: nuget/setup-nuget@04b0c2b8d1b97922f67eca497d7cf0bf17b8ffe1 - uses: microsoft/setup-msbuild@v1.0.2 diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index f99d441f78..86c3647f5c 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -31,7 +31,7 @@ jobs: runs-on: ubuntu-latest steps: # Checkout project source - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Scan code using project's configuration on https://semgrep.dev/manage - uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735 diff --git a/code-scanning/shiftleft.yml b/code-scanning/shiftleft.yml index 48b86d3d96..d1154d16de 100644 --- a/code-scanning/shiftleft.yml +++ b/code-scanning/shiftleft.yml @@ -22,7 +22,7 @@ jobs: # Scan runs on ubuntu, mac and windows runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Instructions # 1. Setup JDK, Node.js, Python etc depending on your project type # 2. Compile or build the project before invoking scan diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index 8ff2c9a4b8..48ccbe9fc5 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml @@ -26,7 +26,7 @@ jobs: snyk: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Build a Docker image run: docker build -t your/image-to-test . - name: Run Snyk to check Docker image for vulnerabilities diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index b79bf340e4..2799bfccd5 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml 
@@ -25,7 +25,7 @@ jobs: snyk: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Run Snyk to check configuration files for security issues # Snyk can be used to break the build when it detects security issues. # In this case we want to upload the issues to GitHub Code Scanning diff --git a/code-scanning/stackhawk.yml b/code-scanning/stackhawk.yml index af220c0810..64e9b9b967 100644 --- a/code-scanning/stackhawk.yml +++ b/code-scanning/stackhawk.yml @@ -49,7 +49,7 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Start your service run: ./your-service.sh & # ✏️ Update this to run your own service to be scanned diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml index 0c1ff16a3a..c73eb173d5 100644 --- a/code-scanning/synopsys-io.yml +++ b/code-scanning/synopsys-io.yml @@ -25,7 +25,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Synopsys Intelligent Security Scan id: prescription diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index f9b29fc5ea..92082e53a4 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Build the Docker image # Tag image to be built diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 479f713c96..10a77ab6b2 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -24,7 +24,7 @@ jobs: steps: - name: Clone repo - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Run tfsec uses: tfsec/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index 3d5373f22c..d6633bea06 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml 
@@ -26,7 +26,7 @@ jobs: runs-on: "ubuntu-18.04" steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Build an image from Dockerfile run: | diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index 073d1b6b99..2ce32123fb 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -31,7 +31,7 @@ jobs: steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. Replace this section with your applications build steps - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: repository: '' @@ -41,9 +41,10 @@ jobs: - run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip - run: unzip -o pipeline-scan-LATEST.zip - - uses: actions/setup-java@v1 + - uses: actions/setup-java@v3 with: - java-version: 1.8 + java-version: 8 + distribution: 'temurin' - run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-scan-target.zip continue-on-error: true - name: Convert pipeline scan output to SARIF format diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index dc3c9ceed3..c20c741c02 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -50,14 +50,15 @@ jobs: steps: # Check out the repository - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Set up the correct Java version for your project # Please comment out, if your project does not contain Java source code. - name: Set up JDK 11 - uses: actions/setup-java@v1 + uses: actions/setup-java@v3 with: java-version: 11 + distribution: 'temurin' # Compile the code for Java projects and get all libraries, e.g. via Maven # Please adapt, if your project uses another build system to compile Java source code. 
diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index ded91780b0..841a2fdda7 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -47,7 +47,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # 1.1 Login to ACR - name: Login to ACR with the AccessKey pair @@ -74,7 +74,7 @@ jobs: tag: "${{ env.TAG }}" # 2.1 (Optional) Login to ACR EE - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Login to ACR EE with the AccessKey pair uses: aliyun/acr-login@v1 with: diff --git a/deployments/aws.yml b/deployments/aws.yml index dab851f906..fe5e0765a0 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -49,7 +49,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v1 diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml index 57fe362ab8..c882bde542 100644 --- a/deployments/azure-container-webapp.yml +++ b/deployments/azure-container-webapp.yml @@ -40,7 +40,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v1 diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index 506819d2a2..948e7db84e 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -57,7 +57,7 @@ jobs: runs-on: ubuntu-latest steps: # Checks out the repository this file is in - - uses: actions/checkout@master + - uses: actions/checkout@v3 # Logs in with your Azure credentials - name: Azure login diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index 1d33fe30e9..7c25319019 100644 --- a/deployments/azure-kubernetes-service-kompose.yml 
+++ b/deployments/azure-kubernetes-service-kompose.yml @@ -49,7 +49,7 @@ jobs: runs-on: ubuntu-latest steps: # Checks out the repository this file is in - - uses: actions/checkout@master + - uses: actions/checkout@v3 # Logs in with your Azure credentials - name: Azure login diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index 51b7d69846..f6928d0523 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -55,7 +55,7 @@ jobs: runs-on: ubuntu-latest steps: # Checks out the repository this file is in - - uses: actions/checkout@master + - uses: actions/checkout@v3 # Logs in with your Azure credentials - name: Azure login diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index e61e64ec51..bb513d4892 100644 --- a/deployments/azure-kubernetes-service.yml +++ b/deployments/azure-kubernetes-service.yml @@ -52,7 +52,7 @@ jobs: runs-on: ubuntu-latest steps: # Checks out the repository this file is in - - uses: actions/checkout@master + - uses: actions/checkout@v3 # Logs in with your Azure credentials - name: Azure login diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml index 8e1faf7e2a..becfede7cc 100644 --- a/deployments/azure-staticwebapp.yml +++ b/deployments/azure-staticwebapp.yml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest name: Build and Deploy Job steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: submodules: true - name: Build And Deploy diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index d4690a53f4..3357dc8252 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml 
@@ -35,10 +35,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up .NET Core - uses: actions/setup-dotnet@v1 + uses: actions/setup-dotnet@v2 with: dotnet-version: ${{ env.DOTNET_VERSION }} diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 210fd90ff3..5f58dbfe8d 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -34,10 +34,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Java version - uses: actions/setup-java@v2.3.1 + uses: actions/setup-java@v3.0.0 with: java-version: ${{ env.JAVA_VERSION }} cache: 'maven' diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index b6089d4ee7..c967bdb94d 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -32,10 +32,10 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Node.js - uses: actions/setup-node@v2 + uses: actions/setup-node@v3 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index f971d1c43d..04f55f4978 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -35,7 +35,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Setup PHP uses: shivammathur/setup-php@7c0b4c8c8ebed23eca9ec2802474895d105b11bc diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 8605e0a11a..af6a9dd29b 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml 
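Review bot: `uses: actions/setup-java@v3.0.0` in the azure-webapps-java-jar hunk pins to an exact patch tag while the same commit moves its sibling steps to floating majors (`actions/checkout@v3`, `actions/setup-node@v3`, `actions/setup-dotnet@v2`); the azure-webapps-python hunk on the next line does the same with `actions/setup-python@v3.0.0`. An exact tag is still a mutable git ref, so it gets neither the patch releases a major tag tracks nor the immutability of a commit SHA. Pick one policy for the template set: either `uses: actions/setup-java@v3` for automatic patch updates, or a full-SHA pin as the `shivammathur/setup-php@7c0b4c8c…` step in the azure-webapps-php hunk already uses, ideally with a `# vX.Y.Z` comment naming the pinned release.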
@@ -34,10 +34,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python version - uses: actions/setup-python@v2.2.2 + uses: actions/setup-python@v3.0.0 with: python-version: ${{ env.PYTHON_VERSION }} cache: 'pip' diff --git a/deployments/google.yml b/deployments/google.yml index 003e53be29..6150672b31 100644 --- a/deployments/google.yml +++ b/deployments/google.yml @@ -38,7 +38,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Configure Workload Identity Federation and generate an access token. - id: 'auth' diff --git a/deployments/ibm.yml b/deployments/ibm.yml index 216b04d587..cb3080fdcc 100644 --- a/deployments/ibm.yml +++ b/deployments/ibm.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Download and Install IBM Cloud CLI - name: Install IBM Cloud CLI diff --git a/deployments/openshift.yml b/deployments/openshift.yml index 46ff961ddb..5775cb0c95 100644 --- a/deployments/openshift.yml +++ b/deployments/openshift.yml @@ -71,7 +71,7 @@ jobs: steps: - name: Check for required secrets - uses: actions/github-script@v4 + uses: actions/github-script@v6 with: script: | const secrets = { @@ -109,7 +109,7 @@ jobs: } - name: Check out repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Determine app name if: env.APP_NAME == '' diff --git a/deployments/tencent.yml b/deployments/tencent.yml index 83bde94579..2bf2a68872 100644 --- a/deployments/tencent.yml +++ b/deployments/tencent.yml @@ -35,7 +35,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Build - name: Build Docker image diff --git a/deployments/terraform.yml b/deployments/terraform.yml index 589f1f30fc..96e44e03d3 100644 --- a/deployments/terraform.yml +++ b/deployments/terraform.yml 
@@ -64,7 +64,7 @@ jobs: steps: # Checkout the repository to the GitHub Actions runner - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token - name: Setup Terraform From d8be55169b88f4cf8f90c7a7fe03f63244b2afb2 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Mon, 21 Mar 2022 11:40:07 -0700 Subject: [PATCH 325/844] add Security Gallery entry for new Dependency Review Action --- dependency-graph/dependency-review.yml | 11 +++++++++++ .../dependency-review.properties.json | 17 +++++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 dependency-graph/dependency-review.yml create mode 100644 dependency-graph/properties/dependency-review.properties.json diff --git a/dependency-graph/dependency-review.yml b/dependency-graph/dependency-review.yml new file mode 100644 index 0000000000..6e460181b5 --- /dev/null +++ b/dependency-graph/dependency-review.yml @@ -0,0 +1,11 @@ +name: 'Dependency Review' +on: [pull_request] + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: 'Checkout Repository' + uses: actions/checkout@v3 + - name: 'Dependency Review' + uses: github/dependency-review-action@main diff --git a/dependency-graph/properties/dependency-review.properties.json b/dependency-graph/properties/dependency-review.properties.json new file mode 100644 index 0000000000..e8a14a13a1 --- /dev/null +++ b/dependency-graph/properties/dependency-review.properties.json @@ -0,0 +1,17 @@ +{ + "name": "Dependency Review", + "creator": "GitHub", + "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", + "iconName": "octicon mark-github", + "categories": [ + "Dependency Graph", + "Dependency Review", + "Go", + "Java", + "JavaScript", + "TypeScript", + "Python", + "Ruby", + "Actions", + "PHP"] +} 
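Review bot: `uses: github/dependency-review-action@main` in the new dependency-review.yml tracks a moving branch, so every pull-request run executes whatever is currently on `main` of that repository rather than a reviewed release; a template should reference a release tag or, better, a commit SHA. The workflow also declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` grants although the steps shown only need to read the checkout. Adding a top-level `permissions:` with `contents: read` keeps a template that users copy verbatim least-privilege by default.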
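Review bot: The `description` value in the new dependency-review.properties.json misspells "dependencies" as `depdendencies`; this string is gallery-facing text. Suggested value: `"description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable dependencies to the repository"`.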
From c5111ef87154111daba867bf116825b8848ad936 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Thu, 24 Mar 2022 13:09:18 -0700 Subject: [PATCH 326/844] update org the final, open-sourced DR Action will be hosted under for GA release --- dependency-graph/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-graph/dependency-review.yml b/dependency-graph/dependency-review.yml index 6e460181b5..8e94ea0f49 100644 --- a/dependency-graph/dependency-review.yml +++ b/dependency-graph/dependency-review.yml @@ -8,4 +8,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@v3 - name: 'Dependency Review' - uses: github/dependency-review-action@main + uses: actions/dependency-review-action@main From 6537e55e9700a5fa61e5b5f612e4b1efb0251124 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Mon, 28 Mar 2022 10:58:48 -0700 Subject: [PATCH 327/844] post-review: use default "creator" entry: "By GitHub" --- dependency-graph/properties/dependency-review.properties.json | 1 - 1 file changed, 1 deletion(-) diff --git a/dependency-graph/properties/dependency-review.properties.json b/dependency-graph/properties/dependency-review.properties.json index e8a14a13a1..3ccbf1fa5d 100644 --- a/dependency-graph/properties/dependency-review.properties.json +++ b/dependency-graph/properties/dependency-review.properties.json @@ -1,6 +1,5 @@ { "name": "Dependency Review", - "creator": "GitHub", "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", "iconName": "octicon mark-github", "categories": [ From c3a21a83b2a61aa77fecbf9f85c70d6e6f2ad01a Mon Sep 17 00:00:00 2001 
From: Eli Reisman Date: Mon, 28 Mar 2022 13:33:59 -0700 Subject: [PATCH 328/844] post-review: move DR Action spec and props file into code-scanning/ dir tree temporarily, until maintainers refactor this to security/ --- {dependency-graph => code-scanning}/dependency-review.yml | 0 .../properties/dependency-review.properties.json | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename {dependency-graph => code-scanning}/dependency-review.yml (100%) rename {dependency-graph => code-scanning}/properties/dependency-review.properties.json (100%) diff --git a/dependency-graph/dependency-review.yml b/code-scanning/dependency-review.yml similarity index 100% rename from dependency-graph/dependency-review.yml rename to code-scanning/dependency-review.yml diff --git a/dependency-graph/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json similarity index 100% rename from dependency-graph/properties/dependency-review.properties.json rename to code-scanning/properties/dependency-review.properties.json From 4aa004f885b18219244520462aa3b46af0146cd0 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Mon, 28 Mar 2022 13:39:46 -0700 Subject: [PATCH 329/844] linter: add tags to props file appropriate for code-scanning/ entries (security gallery) --- code-scanning/properties/dependency-review.properties.json | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index 3ccbf1fa5d..3badf4019c 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json @@ -3,6 +3,8 @@ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", "iconName": "octicon mark-github", "categories": [ + "Code Scanning", + "Automation", "Dependency Graph", "Dependency Review", "Go", 
From 5bd031f3071b0e3ef3c7d0cda4fdc064790c734f Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Mon, 28 Mar 2022 16:50:23 -0700 Subject: [PATCH 330/844] add explanatory comments with links to DR security gallery workflow template file --- code-scanning/dependency-review.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 8e94ea0f49..c3422690a3 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -1,3 +1,9 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Reqest, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement name: 'Dependency Review' on: [pull_request] From aee1a2083533d8f67f8f771a3671c3cba9de020a Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Mon, 28 Mar 2022 16:57:03 -0700 Subject: [PATCH 331/844] add tigher scoped repo perms to workflow run template file --- code-scanning/dependency-review.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index c3422690a3..eb3a90b2e5 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -7,6 +7,9 @@ name: 'Dependency Review' on: [pull_request] +permissions: + repo: read + jobs: dependency-review: runs-on: ubuntu-latest From cdc592d6034f2f17c52a825dd1b456e6e9e6f576 Mon Sep 17 00:00:00 2001 
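Review bot: The added header comment in dependency-review.yml misspells "Pull Request" as `Pull Reqest` on its third line, and that line runs to well over 200 characters in a file users copy into their own repositories. Wrap it at roughly 80 columns as several `#` lines and fix the spelling, e.g. `# This Action scans dependency manifest files that change as part of a Pull Request,` / `# surfacing known-vulnerable versions of the packages declared or updated in the PR.`, with the merge-blocking sentence on its own lines.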
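Review bot: `repo: read` in the new `permissions:` block is not a scope GitHub Actions recognises (the `GITHUB_TOKEN` scopes are keys such as `contents`, `pull-requests` and `security-events`), so the workflow file fails validation before any job runs. The intent — read-only access to repository contents for the `actions/checkout@v3` step — is spelled `contents: read`.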
From: Eli Reisman Date: Tue, 29 Mar 2022 08:52:08 -0700 Subject: [PATCH 332/844] update action version used in template to "v1" branch; set perms to "contents: read" --- code-scanning/dependency-review.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index eb3a90b2e5..0e72a00efc 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -8,7 +8,7 @@ name: 'Dependency Review' on: [pull_request] permissions: - repo: read + contents: read jobs: dependency-review: @@ -17,4 +17,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@v3 - name: 'Dependency Review' - uses: actions/dependency-review-action@main + uses: actions/dependency-review-action@v1 From 1e0060ae0f820f0e350f84c656ca66e287005124 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Wed, 30 Mar 2022 10:27:25 +0200 Subject: [PATCH 333/844] Added mention to free plan --- code-scanning/sonarcloud.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index d0cc73be42..bd6a3e1d8a 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -5,6 +5,7 @@ # This workflow helps you trigger a SonarCloud analysis of your code and populates # GitHub Code Scanning alerts with the vulnerabilities found. +# Free for open source project. # 1. Login to SonarCloud.io using your GitHub account From 10092345c8d227804b7dc9f587d10813d85199c5 Mon Sep 17 00:00:00 2001 From: h0x0er Date: Wed, 30 Mar 2022 15:08:50 +0530 Subject: [PATCH 334/844] fixing conflict --- ci/elixir.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/elixir.yml b/ci/elixir.yml index 5b5aabbe06..6c76f542ef 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: 
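Review bot: The added comment line `# Free for open source project.` in sonarcloud.yml is ungrammatical; the intended plural is `# Free for open source projects.`. It is also inserted as a one-line aside between the description and the numbered setup steps, so consider attaching it to the end of the preceding description sentence instead.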
From 3fc061974d6849a15c6ddfd7ccb7c16ed93f38c2 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Wed, 30 Mar 2022 12:52:01 -0700 Subject: [PATCH 335/844] remove "Automation" tag from properites file --- code-scanning/properties/dependency-review.properties.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index 3badf4019c..568af90520 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json @@ -3,10 +3,9 @@ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", "iconName": "octicon mark-github", "categories": [ + "Dependency Review", "Code Scanning", - "Automation", "Dependency Graph", - "Dependency Review", "Go", "Java", "JavaScript", From 589aeb1674483e39ab864dd33cfa5cf63882462a Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 31 Mar 2022 10:34:04 +0200 Subject: [PATCH 336/844] Added restrictive permissions for GITHUB_TOKEN --- code-scanning/sonarcloud.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index bd6a3e1d8a..dade65915a 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -35,6 +35,9 @@ on: branches: [ $default-branch ] workflow_dispatch: +permissions: + pull-requests: read # allows SonarCloud to decorate PRs with analysis results + jobs: Analysis: runs-on: ubuntu-latest 
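Review bot: Declaring `permissions:` with only `pull-requests: read` sets every scope not listed to `none`, including `contents`; if the Analysis job checks out the repository with `actions/checkout` (the steps are outside this hunk), that checkout will fail wherever the token is needed to read contents, such as private repositories. Add `contents: read` next to the new `pull-requests: read` line so the block grants exactly what the job uses. The inline comment on the new key is good practice; a matching one on `contents: read` (`# needed by actions/checkout`) would make the block self-explanatory.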
@@ -46,7 +49,7 @@ jobs: # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 uses: SonarSource/sonarcloud-github-action@v1.6 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) with: # Additional arguments for the sonarcloud scanner From 439bf3cc34005f8b68d877f9bc5e288e491784e3 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Thu, 31 Mar 2022 14:28:28 +0530 Subject: [PATCH 337/844] Change to small case --- code-scanning/properties/dependency-review.properties.json | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index 568af90520..e84278ca6a 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json @@ -3,9 +3,8 @@ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", "iconName": "octicon mark-github", "categories": [ - "Dependency Review", - "Code Scanning", - "Dependency Graph", + "Dependency review", + "Dependency graph", "Go", "Java", "JavaScript", From 8d8c6f77d6d743a4b096c8b5b1eee8467552de77 Mon Sep 17 00:00:00 2001 
From: Thomas Boop Date: Thu, 31 Mar 2022 08:24:35 -0400 Subject: [PATCH 338/844] update to v2 --- code-scanning/anchore.yml | 2 +- code-scanning/apisec-scan.yml | 2 +- code-scanning/brakeman.yml | 2 +- code-scanning/checkmarx.yml | 2 +- code-scanning/cloudrail.yml | 2 +- code-scanning/codacy.yml | 2 +- code-scanning/codeql.yml | 6 +++--- code-scanning/codescan.yml | 2 +- code-scanning/detekt.yml | 2 +- code-scanning/devskim.yml | 2 +- code-scanning/flawfinder.yml | 2 +- code-scanning/fortify.yml | 2 +- code-scanning/kubesec.yml | 2 +- code-scanning/mayhem-for-api.yml | 2 +- code-scanning/mobsf.yml | 2 +- code-scanning/msvc.yml | 2 +- code-scanning/njsscan.yml | 2 +- code-scanning/nowsecure.yml | 2 +- code-scanning/ossar.yml | 2 +- code-scanning/pmd.yml | 2 +- code-scanning/powershell.yml | 2 +- code-scanning/prisma.yml | 2 +- code-scanning/rubocop.yml | 2 +- code-scanning/securitycodescan.yml | 2 +- code-scanning/semgrep.yml | 2 +- code-scanning/shiftleft.yml | 2 +- code-scanning/snyk-container.yml | 2 +- code-scanning/snyk-infrastructure.yml | 2 +- code-scanning/synopsys-io.yml | 2 +- code-scanning/sysdig-scan.yml | 2 +- code-scanning/tfsec.yml | 2 +- code-scanning/trivy.yml | 2 +- code-scanning/veracode.yml | 2 +- code-scanning/xanitizer.yml | 2 +- 34 files changed, 36 insertions(+), 36 deletions(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index fcca708e99..66dd09f4f9 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -40,6 +40,6 @@ jobs: image: "localbuild/testimage:latest" acs-report-enable: true - name: Upload Anchore Scan Report - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 4737d0605f..5a9b75138d 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml 
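Review bot: The `github/codeql-action/upload-sarif@v2` step bumped here in anchore.yml — and the identical one-line bump in the apisec-scan, brakeman, checkmarx, cloudrail, codacy, codescan, detekt, devskim, flawfinder, fortify, kubesec, mayhem-for-api, mobsf, msvc, njsscan, nowsecure, ossar, pmd, powershell, prisma, rubocop, securitycodescan, semgrep, shiftleft, snyk-container, snyk-infrastructure, synopsys-io, sysdig-scan, tfsec, veracode and xanitizer hunks, plus `init`/`autobuild`/`analyze` in codeql.yml — requires `security-events: write` on the `GITHUB_TOKEN` to upload results, and none of these hunks shows a `permissions:` block. Other commits on this page are adding restrictive blocks such as `permissions: contents: read` to templates; wherever such a block is present or added, the upload step must also be granted `security-events: write` (and `actions: read` on private repositories) or the SARIF upload is rejected. A job-level `permissions:` block listing `contents: read` and `security-events: write` beside each upload step would make that requirement explicit in the template. Note that `@v2` remains a floating major tag, so this keeps the existing pinning policy rather than tightening it.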
@@ -64,6 +64,6 @@ jobs: # The name of the sarif format result file The file is written only if this property is provided. sarif-result-file: "apisec-results.sarif" - name: Import results - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ./apisec-results.sarif diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index d0b25ac9a3..f54f6e73fd 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -52,6 +52,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: output.sarif.json diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index d012bce5c8..dc96cde2ee 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -49,6 +49,6 @@ jobs: params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: cx.sarif diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml index 00e270ad57..dd70bdf62c 100644 --- a/code-scanning/cloudrail.yml +++ b/code-scanning/cloudrail.yml @@ -50,7 +50,7 @@ jobs: cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 # Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always() # is needed to ensure the SARIF file is uploaded if: always() diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index 4892930921..6b0df9ecd3 100644 
--- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -55,6 +55,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 57b4b69ad9..07b48e7f50 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -42,7 +42,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@v2 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -53,7 +53,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v1 + uses: github/codeql-action/autobuild@v2 # ℹ️ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -67,4 +67,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + uses: github/codeql-action/analyze@v2 diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index 5886843a56..b87586c16e 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -37,6 +37,6 @@ jobs: organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }} projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: codescan.sarif diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index a8610c32c4..505e31a188 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml 
@@ -111,7 +111,7 @@ jobs: )" > ${{ github.workspace }}/detekt.sarif.json # Uploads results to GitHub repository using the upload-sarif action - - uses: github/codeql-action/upload-sarif@v1 + - uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository sarif_file: ${{ github.workspace }}/detekt.sarif.json diff --git a/code-scanning/devskim.yml b/code-scanning/devskim.yml index 3a5c45fb59..a4354487f4 100644 --- a/code-scanning/devskim.yml +++ b/code-scanning/devskim.yml @@ -29,6 +29,6 @@ jobs: uses: microsoft/DevSkim-Action@v1 - name: Upload DevSkim scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: devskim-results.sarif diff --git a/code-scanning/flawfinder.yml b/code-scanning/flawfinder.yml index 080953ea17..179d56ffa0 100644 --- a/code-scanning/flawfinder.yml +++ b/code-scanning/flawfinder.yml @@ -33,6 +33,6 @@ jobs: output: 'flawfinder_results.sarif' - name: Upload analysis results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ${{github.workspace}}/flawfinder_results.sarif \ No newline at end of file diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml index d67d194897..1d37bc0691 100644 --- a/code-scanning/fortify.yml +++ b/code-scanning/fortify.yml @@ -92,6 +92,6 @@ jobs: # Import Fortify on Demand results to GitHub Security Code Scanning - name: Import Results - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ./gh-fortify-sast.sarif diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml index 1cad70cba8..ac7085e984 100644 --- a/code-scanning/kubesec.yml +++ b/code-scanning/kubesec.yml 
@@ -36,6 +36,6 @@ jobs: exit-code: "0" - name: Upload Kubesec scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: kubesec-results.sarif \ No newline at end of file diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml index 59d66a003e..94bdc4afb3 100644 --- a/code-scanning/mayhem-for-api.yml +++ b/code-scanning/mayhem-for-api.yml @@ -61,6 +61,6 @@ jobs: sarif-report: mapi.sarif - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: mapi.sarif diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index d8eaa9246b..03aec536f6 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -37,6 +37,6 @@ jobs: args: . --sarif --output results.sarif || true - name: Upload mobsfscan report - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 0abb40937c..078399f50b 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -53,7 +53,7 @@ jobs: # Upload SARIF file to GitHub Code Scanning Alerts - name: Upload SARIF to GitHub - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ${{ steps.run-analysis.outputs.sarif }} diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index a6da087b9b..421aa31ab4 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -36,6 +36,6 @@ jobs: with: args: '. --sarif --output results.sarif || true' - name: Upload njsscan report - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif diff --git a/code-scanning/nowsecure.yml b/code-scanning/nowsecure.yml index 92126bdfde..161c78644c 100644 --- a/code-scanning/nowsecure.yml 
+++ b/code-scanning/nowsecure.yml @@ -47,6 +47,6 @@ jobs: group_id: {{ groupId }} # Update this to your desired Platform group ID - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: NowSecure.sarif diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index b5aefa4b59..b3d5b39094 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -44,6 +44,6 @@ jobs: # Upload results to the Security tab - name: Upload OSSAR results - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ${{ steps.ossar.outputs.sarifFile }} diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 06047344f7..e4702d8239 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -31,6 +31,6 @@ jobs: sourcePath: 'src/main/java' analyzeModifiedFilesOnly: false - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: pmd-report.sarif diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index dfbf452e2b..5252cf01e4 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -37,6 +37,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 5b1148202e..729cbac980 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml 
@@ -48,7 +48,7 @@ jobs: # The service need to know the type of IaC being scanned template_type: 'CFT' - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 # Results are generated only on a success or failure # this is required since GitHub by default won't run the next step # when the previous one has failed. diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml index 373d5b689d..8f32c738f0 100644 --- a/code-scanning/rubocop.yml +++ b/code-scanning/rubocop.yml @@ -47,6 +47,6 @@ jobs: " - name: Upload Sarif output - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: rubocop.sarif diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml index 3063c7ad7e..471c216230 100644 --- a/code-scanning/securitycodescan.yml +++ b/code-scanning/securitycodescan.yml @@ -38,4 +38,4 @@ jobs: uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687 - name: Upload sarif - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index f99d441f78..f88ad21b69 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -42,7 +42,7 @@ jobs: # Upload SARIF file generated in previous step - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: semgrep.sarif if: always() diff --git a/code-scanning/shiftleft.yml b/code-scanning/shiftleft.yml index 48b86d3d96..552bc99713 100644 --- a/code-scanning/shiftleft.yml +++ b/code-scanning/shiftleft.yml @@ -42,6 +42,6 @@ jobs: # type: python - name: Upload report - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: reports 
diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index 8ff2c9a4b8..d0a95bf66b 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml @@ -43,6 +43,6 @@ jobs: image: your/image-to-test args: --file=Dockerfile - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: snyk.sarif diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index b79bf340e4..ee4723dc3f 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml @@ -42,6 +42,6 @@ jobs: # or `main.tf` for a Terraform configuration file file: your-file-to-test.yaml - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: snyk.sarif diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml index 0c1ff16a3a..e32030371a 100644 --- a/code-scanning/synopsys-io.yml +++ b/code-scanning/synopsys-io.yml @@ -71,7 +71,7 @@ jobs: - name: Upload SARIF file if: ${{steps.prescription.outputs.sastScan == 'true' }} - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository sarif_file: workflowengine-results.sarif.json diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index f9b29fc5ea..0b5af83595 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -54,7 +54,7 @@ jobs: # Sysdig inline scanner requires privileged rights run-as-user: root - - uses: github/codeql-action/upload-sarif@v1 + - uses: github/codeql-action/upload-sarif@v2 #Upload SARIF file if: always() with: diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 479f713c96..275bf453cc 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml 
@@ -32,7 +32,7 @@ jobs: sarif_file: tfsec.sarif - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository sarif_file: tfsec.sarif diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index 3d5373f22c..3bb0b1c8e9 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -42,6 +42,6 @@ jobs: severity: 'CRITICAL,HIGH' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: 'trivy-results.sarif' diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index 073d1b6b99..c7645511ac 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -51,7 +51,7 @@ jobs: uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be with: pipeline-results-json: results.json - - uses: github/codeql-action/upload-sarif@v1 + - uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository sarif_file: veracode-results.sarif diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index dc3c9ceed3..ec0019a2ff 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -87,6 +87,6 @@ jobs: *-Findings-List.sarif # Uploads the findings into the GitHub code scanning alert section using the upload-sarif action - - uses: github/codeql-action/upload-sarif@v1 + - uses: github/codeql-action/upload-sarif@v2 with: sarif_file: Xanitizer-Findings-List.sarif From 24a0860545c9fb8bc75902a3944350e15b2ca893 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Thu, 31 Mar 2022 10:34:19 -0700 Subject: [PATCH 339/844] fix broken build due to missing required category --- code-scanning/properties/dependency-review.properties.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index e84278ca6a..57ca5028cd 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json @@ -3,8 +3,9 @@ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", "iconName": "octicon mark-github", "categories": [ - "Dependency review", - "Dependency graph", + "Code Scanning", + "Dependency Review", + "Dependency Graph", "Go", "Java", "JavaScript", From dbba84eb877092dade4cc207fe0f2721d9ed60f2 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 1 Apr 2022 10:03:32 +0530 Subject: [PATCH 340/844] revert back to "Dependency review" category The CI test needs to be fixed and not the other way round. --- code-scanning/properties/dependency-review.properties.json | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index 57ca5028cd..e84278ca6a 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json @@ -3,9 +3,8 @@ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", "iconName": "octicon mark-github", "categories": [ - "Code Scanning", - "Dependency Review", - "Dependency Graph", + "Dependency review", + "Dependency graph", "Go", "Java", "JavaScript", From d629c82ad7b53ccd396ab5ca9f8b97bf9a67ca68 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 1 Apr 2022 10:04:38 +0530 Subject: [PATCH 341/844] Include "Dependency review" in allowed categories --- script/validate-data/settings.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index ce89e36947..ef8ee60328 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json @@ -9,6 +9,7 @@ "Continuous integration", "Deployment", "Code Scanning", + "Dependency review", "Automation" ] -} \ No newline at end of file +} From 2e60d03ab7a47f3c73e7a5a95e75fdc1b2d6893c Mon Sep 17 00:00:00 2001 From: mvecha Date: Mon, 4 Apr 2022 12:38:39 +0530 Subject: [PATCH 342/844] Zscaler IaC Action Publish --- .../properties/zscaler.properties.json | 7 +++ code-scanning/zscaler.yml | 46 +++++++++++++++++++ icons/zscaler.svg | 3 ++ 3 files changed, 56 insertions(+) create mode 100644 code-scanning/properties/zscaler.properties.json create mode 100644 code-scanning/zscaler.yml create mode 100644 icons/zscaler.svg diff --git a/code-scanning/properties/zscaler.properties.json b/code-scanning/properties/zscaler.properties.json new file mode 100644 index 0000000000..784a52b15c --- /dev/null +++ b/code-scanning/properties/zscaler.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Zscaler IaC Scan", + "creator": "Zscaler CWP Team", + "description": "Scan your Infrastructure as Code files using Zscaler Infrastructure as Code (IaC) Scan app", + "iconName": "zscaler", + "categories": ["Code Scanning","HCL"] +} \ No newline at end of file diff --git a/code-scanning/zscaler.yml b/code-scanning/zscaler.yml new file mode 100644 index 0000000000..beea601385 --- /dev/null +++ b/code-scanning/zscaler.yml 
@@ -0,0 +1,46 @@
+#This workflow uses actions that are not certified by GitHub.
+#They are provided by a third party and are governed by
+#separate terms of service, privacy policy, and support
+#documentation.
+
+#This workflow runs the Zscaler Infrastructure as Code (IaC) Scan app,
+#which detects security misconfigurations in IaC templates and publishes the findings
+#under the code scanning alerts section within the repository.
+
+name: Zscanner IaC Scan
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ zscaler-iac-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - name : Code Checkout
+ uses: actions/checkout@v2
+ - name : Zscaler IAC Scan
+ uses : ZscalerCWP/Zscaler-IaC-Action@v0.2.0
+ id : zscaler-iac-scan
+ with:
+ #Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process.
+ #Copy the client ID and client secret key generated during the onboarding process and configure.
+ #GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET).
+ client_id : ${{ secrets.ZSCANNER_CLIENT_ID }}
+ client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }}
+ #This is the user region specified during the onboarding process within the ZWP Admin Portal.
+ region : 'US'
+ iac_dir : #Enter the IaC directory path from root.
+ iac_file : #Enter the IaC file path from root.
+ output_format : #(Optional) By default, the output is provided in a human readable format. However, if you require a different format, you can specify it here.
+ #To fail the build based on policy violations identified in the IaC templates, set the input value (fail_build) to true.
+ fail_build : #Enter true/false
+ #Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository.
+ - name: Upload SARIF file
+ if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }}
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }}
\ No newline at end of file
diff --git a/icons/zscaler.svg b/icons/zscaler.svg
new file mode 100644
index 0000000000..3897442948
--- /dev/null
+++ b/icons/zscaler.svg
@@ -0,0 +1,3 @@
+
+
+
From 5e3bc9a2fd200fc324e4bff09889cc80465d1a08 Mon Sep 17 00:00:00 2001
From: mvecha
Date: Mon, 4 Apr 2022 16:26:19 +0530
Subject: [PATCH 343/844] Update zscaler-iac-scan.yml
---
 code-scanning/{zscaler.yml => zscaler-iac-scan.yml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename code-scanning/{zscaler.yml => zscaler-iac-scan.yml} (98%)
diff --git a/code-scanning/zscaler.yml b/code-scanning/zscaler-iac-scan.yml
similarity index 98%
rename from code-scanning/zscaler.yml
rename to code-scanning/zscaler-iac-scan.yml
index beea601385..e23a8d6b08 100644
--- a/code-scanning/zscaler.yml
+++ b/code-scanning/zscaler-iac-scan.yml
@@ -7,7 +7,7 @@
 #which detects security misconfigurations in IaC templates and publishes the findings
 #under the code scanning alerts section within the repository.
-name: Zscanner IaC Scan
+name: Zscaler IaC Scan
 on:
 push:
 branches: [ $default-branch, $protected-branches ]
From 7a322529a7f2fe483452dad5b1941ca7742216e8 Mon Sep 17 00:00:00 2001
From: mvecha
Date: Mon, 4 Apr 2022 16:29:09 +0530
Subject: [PATCH 344/844] Update zscaler-iac-scan.properties.json
---
 .../{zscaler.properties.json => zscaler-iac-scan.properties.json} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename code-scanning/properties/{zscaler.properties.json => zscaler-iac-scan.properties.json} (100%)
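Review bot: The `sarif_file` input on the hunk's last line reads `steps.zscaler-iac-scan.sarif_file_path` without `.outputs`, while the `if:` condition three lines earlier correctly uses `steps.zscaler-iac-scan.outputs.sarif_file_path`; the `steps` context only exposes a step's results under `outputs`, so this expression resolves to an empty string and the upload step is handed no file. Change it to `sarif_file: ${{ steps.zscaler-iac-scan.outputs.sarif_file_path }}`. The `if:` also relies on `&&` binding tighter than `||`, which gives `success() || (failure() && …)`; if that is the intent, writing the parentheses would document it. The template declares no `permissions:` block, so the job runs with the repository's default token scope even though `security-events: write` (plus `contents: read` for checkout) is all these steps need.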
diff --git a/code-scanning/properties/zscaler.properties.json b/code-scanning/properties/zscaler-iac-scan.properties.json similarity index 100% rename from code-scanning/properties/zscaler.properties.json rename to code-scanning/properties/zscaler-iac-scan.properties.json From 3857754fa1839756e86ec089760bb20c7084c895 Mon Sep 17 00:00:00 2001 From: mvecha Date: Mon, 4 Apr 2022 17:55:47 +0530 Subject: [PATCH 345/844] Update zscaler-iac-scan.properties.json --- code-scanning/properties/zscaler-iac-scan.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/zscaler-iac-scan.properties.json b/code-scanning/properties/zscaler-iac-scan.properties.json index 784a52b15c..b6430373d3 100644 --- a/code-scanning/properties/zscaler-iac-scan.properties.json +++ b/code-scanning/properties/zscaler-iac-scan.properties.json @@ -1,7 +1,7 @@ { "name": "Zscaler IaC Scan", - "creator": "Zscaler CWP Team", + "creator": "Zscaler CWP", "description": "Scan your Infrastructure as Code files using Zscaler Infrastructure as Code (IaC) Scan app", "iconName": "zscaler", - "categories": ["Code Scanning","HCL"] + "categories": ["Code Scanning","Security"] } \ No newline at end of file From 74471dae6f1a513f17bdacfdce6fd69145a5271a Mon Sep 17 00:00:00 2001 From: mvecha Date: Tue, 5 Apr 2022 13:21:24 +0530 Subject: [PATCH 346/844] Update zscaler-iac-scan.yml --- code-scanning/zscaler-iac-scan.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml index e23a8d6b08..a8424b7662 100644 --- a/code-scanning/zscaler-iac-scan.yml +++ b/code-scanning/zscaler-iac-scan.yml 
@@ -16,14 +16,20 @@ on:
 schedule:
 - cron: $cron-weekly
+permissions:
+ contents: read
+
 jobs:
 zscaler-iac-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
 runs-on: ubuntu-latest
 steps:
 - name : Code Checkout
 uses: actions/checkout@v2
 - name : Zscaler IAC Scan
- uses : ZscalerCWP/Zscaler-IaC-Action@v0.2.0
+ uses : ZscalerCWP/Zscaler-IaC-Action@8f0d8b60bd5a8f44062d444463f66f419ab71cfc
 id : zscaler-iac-scan
 with:
 #Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process.
From 3f1969e60bade312dd53ca604e2479900b6a6a5f Mon Sep 17 00:00:00 2001
From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Wed, 6 Apr 2022 10:26:21 +0200
Subject: [PATCH 347/844] Update sonarcloud.properties.json
---
 code-scanning/properties/sonarcloud.properties.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json
index 428d899b61..8835ff89b7 100644
--- a/code-scanning/properties/sonarcloud.properties.json
+++ b/code-scanning/properties/sonarcloud.properties.json
@@ -1,7 +1,7 @@
 {
 "name": "SonarCloud",
 "creator": "Sonar",
- "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Free for open source projects",
+ "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start analyzing your code in minutes!",
 "iconName": "sonarcloud",
 "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"]
 }
From 1132fdda5ded5388ebc46d62f1892bece49f3c26 Mon Sep 17 00:00:00 2001
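Review bot: The new SHA pin on the `uses :` line carries no comment recording which release the hash corresponds to, so a reader or a dependency-update bot cannot tell what version is pinned or whether it is stale; the rust-clippy template later in this series uses a trailing `#@v1` for exactly this. Suggest `uses : ZscalerCWP/Zscaler-IaC-Action@8f0d8b60bd5a8f44062d444463f66f419ab71cfc # <release tag this commit corresponds to>`. The job-level `permissions:` block is the right shape for a SARIF upload, and the top-level `contents: read` default matches the other code-scanning templates.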
From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Wed, 6 Apr 2022 10:43:06 +0200 Subject: [PATCH 348/844] Update sonarcloud.properties.json --- code-scanning/properties/sonarcloud.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json index 8835ff89b7..9b88a7867f 100644 --- a/code-scanning/properties/sonarcloud.properties.json +++ b/code-scanning/properties/sonarcloud.properties.json @@ -1,7 +1,7 @@ { "name": "SonarCloud", "creator": "Sonar", - "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start analyzing your code in minutes!", + "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start cleaning your code in minutes!", "iconName": "sonarcloud", "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"] } From 50c02af8cf04a5cba88c5f47d64db3d2860ddcff Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Wed, 6 Apr 2022 10:59:27 +0200 Subject: [PATCH 349/844] changed version to exact SHA Co-authored-by: Sampark Sharma --- code-scanning/sonarcloud.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index dade65915a..fe9afb4f1f 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml 
@@ -47,7 +47,7 @@ jobs:
 # You can pin the exact commit or the version.
 # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
- uses: SonarSource/sonarcloud-github-action@v1.6
+ uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
From 090ead86a92181d20a19219314dd1858ec87a787 Mon Sep 17 00:00:00 2001
From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Wed, 6 Apr 2022 14:51:15 +0200
Subject: [PATCH 350/844] Update syntax for validation
---
 code-scanning/sonarcloud.yml | 42 ++++++++++++++++++------------------
 1 file changed, 21 insertions(+), 21 deletions(-)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index fe9afb4f1f..ff388c8d77 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
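Review bot: After this change the commented example `# uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049` directly above is identical to the live `uses:` line, so the `# You can pin the exact commit or the version.` note no longer shows an alternative. Either drop the example line or make it show the tag form that was removed, e.g. `# uses: SonarSource/sonarcloud-github-action@v1.6`, with a note that the full commit hash is the immutable choice. The step's `with:` block lies outside this hunk.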
@@ -45,24 +45,24 @@ jobs: steps: - name: Analyze with SonarCloud - # You can pin the exact commit or the version. - # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 - uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) - with: - # Additional arguments for the sonarcloud scanner - args: - # Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu) - -Dsonar.projectKey= # mandatory - # Unique organization key of your project. You can find it in SonarCloud > Information (bottom-left menu) - -Dsonar.organization= # mandatory - # Comma-separated paths to directories containing main source files. - #-Dsonar.sources= # optional, default is project base directory - # When you need the analysis to take place in a directory other than the one from which it was launched - #-Dsonar.projectBaseDir= # optional, default is . - # Comma-separated paths to directories containing test source files. - #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ - # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. - #-Dsonar.verbose= # optional, default is false + # You can pin the exact commit or the version. 
+ # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 + uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) + with: + # Additional arguments for the sonarcloud scanner + args: + # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu) + # mandatory + -Dsonar.projectKey= + -Dsonar.organization= + # Comma-separated paths to directories containing main source files. + #-Dsonar.sources= # optional, default is project base directory + # When you need the analysis to take place in a directory other than the one from which it was launched + #-Dsonar.projectBaseDir= # optional, default is . + # Comma-separated paths to directories containing test source files. + #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ + # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. + #-Dsonar.verbose= # optional, default is false From cca97c83b88349992531d905e3456a9227e2a391 Mon Sep 17 00:00:00 2001 
From: Yong Yan Date: Sat, 9 Apr 2022 01:28:14 -0700 Subject: [PATCH 351/844] Add rust-clippy starter workflow (#1462) * Add rust-clippy starter workflow * fix parameter `wait-for-processing` indent of action github/codeql-action/upload-sarif@v1 * Use commit sha instead of tag * addressing pr comments * Update creator * Add comments --- .../properties/rust-clippy.properties.json | 10 ++++ code-scanning/rust-clippy.yml | 54 +++++++++++++++++++ 2 files changed, 64 insertions(+) create mode 100644 code-scanning/properties/rust-clippy.properties.json create mode 100644 code-scanning/rust-clippy.yml diff --git a/code-scanning/properties/rust-clippy.properties.json b/code-scanning/properties/rust-clippy.properties.json new file mode 100644 index 0000000000..ea5c871fdf --- /dev/null +++ b/code-scanning/properties/rust-clippy.properties.json @@ -0,0 +1,10 @@ +{ + "name": "rust-clippy", + "creator": "Rust", + "description": "A collection of lints to catch common mistakes and improve your Rust code.", + "iconName": "rust", + "categories": [ + "Code Scanning", + "rust" + ] +} \ No newline at end of file diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml new file mode 100644 index 0000000000..e9c426a3f0 --- /dev/null +++ b/code-scanning/rust-clippy.yml 
@@ -0,0 +1,54 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# rust-clippy is a tool that runs a bunch of lints to catch common
+# mistakes in your Rust code and help improve your Rust code.
+# More details at https://github.com/rust-lang/rust-clippy
+# and https://rust-lang.github.io/rust-clippy/
+
+name: rust-clippy analyze
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ rust-clippy-analyze:
+ name: Run rust-clippy analyzing
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Install Rust toolchain
+ uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af #@v1
+ with:
+ profile: minimal
+ toolchain: stable
+ components: clippy
+ override: true
+
+ - name: Install required cargo
+ run: cargo install clippy-sarif sarif-fmt
+
+ - name: Run rust-clippy
+ run:
+ cargo clippy
+ --all-features
+ --message-format=json | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt
+ continue-on-error: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: rust-clippy-results.sarif
+ wait-for-processing: true
\ No newline at end of file
From 769950ce816c2f79f8df05cf138640f9aa08625d Mon Sep 17 00:00:00 2001
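Review bot: `uses: github/codeql-action/upload-sarif@v1` in the final step is inconsistent with the rest of this series, which moves every other code-scanning template to `github/codeql-action/upload-sarif@v2`; use `@v2` here too. The `run:` of the "Run rust-clippy" step is a multi-line plain scalar, so its three lines fold into one pipeline whose exit status is that of `sarif-fmt`, the last command (no `shell: bash` is set, so I would not assume `pipefail`), and `continue-on-error: true` then masks even that. If the intent is that findings are reported through the uploaded SARIF rather than by failing the job, a comment on the step such as `# Findings are surfaced via the uploaded SARIF; a non-zero clippy exit must not fail the job` would make that explicit for anyone who later wonders why the job is always green.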
From: Sampark Sharma Date: Sun, 10 Apr 2022 17:20:15 +0530 Subject: [PATCH 352/844] Removing code-scanning/shiftleft as per author request (#1513) Co-authored-by: Bishal Prasad --- .../properties/shiftleft.properties.json | 7 --- code-scanning/shiftleft.yml | 47 ------------------- icons/shiftleft.svg | 6 --- 3 files changed, 60 deletions(-) delete mode 100644 code-scanning/properties/shiftleft.properties.json delete mode 100644 code-scanning/shiftleft.yml delete mode 100644 icons/shiftleft.svg diff --git a/code-scanning/properties/shiftleft.properties.json b/code-scanning/properties/shiftleft.properties.json deleted file mode 100644 index 1cb36c9432..0000000000 --- a/code-scanning/properties/shiftleft.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Scan", - "creator": "ShiftLeft", - "description": "Scan is a free open-source security tool for modern DevOps teams from ShiftLeft.", - "iconName": "shiftleft", - "categories": ["Code Scanning"] -} \ No newline at end of file diff --git a/code-scanning/shiftleft.yml b/code-scanning/shiftleft.yml deleted file mode 100644 index b042670b8a..0000000000 --- a/code-scanning/shiftleft.yml +++ /dev/null 
@@ -1,47 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow integrates Scan with GitHub's code scanning feature -# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft -# Visit https://slscan.io/en/latest/integrations/code-scan for help -name: SL Scan - -on: - push: - branches: [ $default-branch, $protected-branches ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ $default-branch ] - schedule: - - cron: $cron-weekly - -jobs: - Scan-Build: - # Scan runs on ubuntu, mac and windows - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - # Instructions - # 1. Setup JDK, Node.js, Python etc depending on your project type - # 2. Compile or build the project before invoking scan - # Example: mvn compile, or npm install or pip install goes here - # 3. Invoke Scan with the github token. Leave the workspace empty to use relative url - - - name: Perform Scan - uses: ShiftLeftSecurity/scan-action@39af9e54bc599c8077e710291d790175c9231f64 - env: - WORKSPACE: "" - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SCAN_AUTO_BUILD: true - with: - output: reports - # Scan auto-detects the languages in your project. To override uncomment the below variable and set the type - # type: credscan,java - # type: python - - - name: Upload report - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: reports diff --git a/icons/shiftleft.svg b/icons/shiftleft.svg deleted file mode 100644 index f8e944af3a..0000000000 --- a/icons/shiftleft.svg +++ /dev/null @@ -1,6 +0,0 @@ - - - - - - From 31b35634e10474dd37c3d2929577d2778e781cbf Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Martin=20Andr=C3=A9?=
Date: Sun, 10 Apr 2022 15:07:11 +0200
Subject: [PATCH 353/844] Fix pull request trigger in greetings.yml (#1518)
---
 automation/greetings.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/automation/greetings.yml b/automation/greetings.yml
index ee1cb11677..18ba13f882 100644
--- a/automation/greetings.yml
+++ b/automation/greetings.yml
@@ -1,6 +1,6 @@
 name: Greetings
-on: [pull_request, issues]
+on: [pull_request_target, issues]
 jobs:
 greeting:
From d80712faf41487f0d71d06018ec3bae11b859987 Mon Sep 17 00:00:00 2001
From: Anthony Roussel
Date: Sun, 10 Apr 2022 15:29:47 +0200
Subject: [PATCH 354/844] Disable Terraform interactive prompts during apply & plan (#1467)
---
 deployments/terraform.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/deployments/terraform.yml b/deployments/terraform.yml
index 96e44e03d3..6142d2c470 100644
--- a/deployments/terraform.yml
+++ b/deployments/terraform.yml
@@ -82,10 +82,10 @@ jobs:
 # Generates an execution plan for Terraform
 - name: Terraform Plan
- run: terraform plan
+ run: terraform plan -input=false
 # On push to $default-branch, build or change infrastructure according to Terraform configuration files
 # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks
 - name: Terraform Apply
 if: github.ref == 'refs/heads/$default-branch' && github.event_name == 'push'
- run: terraform apply -auto-approve
+ run: terraform apply -auto-approve -input=false
From 970a7b52557fbdf7dc31c20e64499c21f45deff2 Mon Sep 17 00:00:00 2001
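Review bot: Changing the trigger to `pull_request_target` runs the greeting job in the base repository's context for pull requests from forks, with a `GITHUB_TOKEN` that can write and with access to repository secrets; that is what lets the action post a comment, but it also means the job must never check out or execute code from the pull request head. The `greeting:` job body lies outside the hunk, so I cannot confirm from here what steps it runs. Add a comment on the trigger, e.g. `# pull_request_target: runs with base-repo permissions so the bot can comment; do not add steps that check out or run PR code`, and a top-level `permissions:` block that limits the token to `issues: write` and `pull-requests: write` so it carries nothing the greeting does not need.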
From: dlorenc Date: Sun, 10 Apr 2022 13:06:23 -0500 Subject: [PATCH 355/844] =?UTF-8?q?Update=20the=20cosign-install=20action?= =?UTF-8?q?=20and=20default=20version=20from=201.4.0=20to=201.=E2=80=A6=20?= =?UTF-8?q?(#1452)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Update the cosign-install action and default version from 1.4.0 to 1.5.1. Signed-off-by: Dan Lorenc * Update to 1.7.1 and the latest cosign-installer action. Signed-off-by: Dan Lorenc Co-authored-by: Bishal Prasad --- ci/docker-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 7b6add3ce3..75f9770365 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -41,9 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422 + uses: sigstore/cosign-installer@d6a3abf1bdea83574e28d40543793018b6035605 with: - cosign-release: 'v1.4.0' + cosign-release: 'v1.7.1' # Workaround: https://github.com/docker/build-push-action/issues/461 From eeb7d2860d40ef8ccea22e7cc47f0a7088dc886a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Bedran?= Date: Sun, 10 Apr 2022 16:46:50 -0300 Subject: [PATCH 356/844] Removes " Simulator" substring from device name. (#1470) --- ci/ios.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/ios.yml b/ci/ios.yml index 5cec5e7648..693a7d5ae0 100644 --- a/ci/ios.yml +++ b/ci/ios.yml 
@@ -26,7 +26,7 @@ jobs: platform: ${{ 'iOS Simulator' }} run: | # xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959) - device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'` + device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}' | sed -e "s/ Simulator$//"` if [ $scheme = default ]; then scheme=$(cat default); fi if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi file_to_build=`echo $file_to_build | awk '{$1=$1;print}'` @@ -37,7 +37,7 @@ jobs: platform: ${{ 'iOS Simulator' }} run: | # xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959) - device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'` + device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}' | sed -e "s/ Simulator$//"` if [ $scheme = default ]; then scheme=$(cat default); fi if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi file_to_build=`echo $file_to_build | awk '{$1=$1;print}'` From 9e81e73fe1c6c6786692b02864aeb1271734d235 Mon Sep 17 00:00:00 2001 From: Andrew Freckelton <7751633+frecks@users.noreply.github.com> Date: Mon, 11 Apr 2022 15:04:06 -0400 Subject: [PATCH 357/844] chore: Update go version to 1.18 --- ci/go.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/go.yml b/ci/go.yml index 6f498a6c4c..bb3ec96482 100644 --- a/ci/go.yml +++ b/ci/go.yml 
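Review bot: The `| sed -e "s/ Simulator$//"` suffix is appended to an identical device-discovery command in both hunks (the build step at -26 and the test step at -37), so the two copies now have to be kept in sync by hand and any further fix must be applied twice. Computing `device` once in an earlier step and passing it on as a step output, or moving the pipeline into a small script in the repository, would remove the duplication; the rest of each `run:` block continues outside the hunk. Inside the double-quoted `sed` expression `$/` is not a valid parameter reference, so the `$` anchor reaches `sed` literally — a trailing `# $ is a regex anchor here, not a shell expansion` would save the next reader from checking that.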
@@ -16,7 +16,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v3 with: - go-version: 1.17 + go-version: 1.18 - name: Build run: go build -v ./... From 66f87f9dfe82ccc8055c7063ef35ee994f1a3ae1 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Mon, 11 Apr 2022 21:41:27 -0700 Subject: [PATCH 358/844] Add clj-watson starter workflow (#1460) * Add clj-watson starter workflow * update permissions * update to latest release * Update clj-watson-action to official release * Update code-scanning/clj-watson.yml Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com> * Update code-scanning/clj-watson.yml Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com> * update categories * update categories * Update code-scanning/clj-watson.yml Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com> * Update code-scanning/properties/clj-watson.properties.json Co-authored-by: Bishal Prasad * Update code-scanning/clj-watson.yml Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com> * add comments to yml file * Update clj-watson.properties.json * use codeql-action/upload-sarif v2 Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com> Co-authored-by: Bishal Prasad --- code-scanning/clj-watson.yml | 53 +++++++++++++++++++ .../properties/clj-watson.properties.json | 9 ++++ icons/clj-watson.svg | 1 + 3 files changed, 63 insertions(+) create mode 100644 code-scanning/clj-watson.yml create mode 100644 code-scanning/properties/clj-watson.properties.json create mode 100644 icons/clj-watson.svg diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml new file mode 100644 index 0000000000..2e4ab3cb78 --- /dev/null +++ b/code-scanning/clj-watson.yml 
@@ -0,0 +1,53 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# clj-watson scans dependencies in a clojure deps.edn +# seeking for vulnerable direct/transitive dependencies and +# build a report with all the information needed to help you +# understand how the vulnerability manifest in your software. +# More details at https://github.com/clj-holmes/clj-watson + +name: clj-watson + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + clj-holmes: + name: Run clj-watson scanning + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Dependency scan + uses: clj-holmes/clj-watson-action@39b8ed306f2c125860cf6e69b6939363689f998c + with: + clj-watson-sha: "65d928c" + clj-watson-tag: "v4.0.1" + database-strategy: github-advisory + aliases: clojure-lsp,test + deps-edn-path: deps.edn + suggest-fix: true + output-type: sarif + output-file: clj-watson-results.sarif + fail-on-result: false + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ${{github.workspace}}/clj-watson-results.sarif + wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/properties/clj-watson.properties.json b/code-scanning/properties/clj-watson.properties.json new file mode 100644 index 0000000000..966314a1a5 --- /dev/null +++ b/code-scanning/properties/clj-watson.properties.json 
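Review bot: `clj-watson-sha: "65d928c"` pins the scanner to a 7-character abbreviated commit, which is not a unique identifier and can become ambiguous as that repository grows; use the full 40-character SHA for this input, as is already done for the action itself on the `uses:` line. `actions/checkout@v2` is also one major behind the `@v3` used by the other workflows added in this series, so `uses: actions/checkout@v3` keeps them consistent. `fail-on-result: false` means findings never fail the job and surface only as code-scanning alerts, which is a reasonable starter default but deserves a one-line comment above that input so adopters know to flip it for gating.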
@@ -0,0 +1,9 @@ +{ + "name": "clj-watson", + "description": "Scan Clojure/Clojurescript projects for vulnerable direct/transitive dependencies.", + "iconName": "clj-watson", + "categories": [ + "Code Scanning", + "Clojure" + ] +} diff --git a/icons/clj-watson.svg b/icons/clj-watson.svg new file mode 100644 index 0000000000..74459e5dd6 --- /dev/null +++ b/icons/clj-watson.svg @@ -0,0 +1 @@ + \ No newline at end of file From 94d3aff4c62f40e4751c3c71c61b23c4ec02a072 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Tue, 12 Apr 2022 10:27:04 +0530 Subject: [PATCH 359/844] Remove creator property from rust-clippy This is owned by @josepalafox's BD team in GitHub. --- code-scanning/properties/rust-clippy.properties.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/code-scanning/properties/rust-clippy.properties.json b/code-scanning/properties/rust-clippy.properties.json index ea5c871fdf..473778698d 100644 --- a/code-scanning/properties/rust-clippy.properties.json +++ b/code-scanning/properties/rust-clippy.properties.json @@ -1,10 +1,9 @@ { "name": "rust-clippy", - "creator": "Rust", "description": "A collection of lints to catch common mistakes and improve your Rust code.", "iconName": "rust", "categories": [ "Code Scanning", "rust" ] -} \ No newline at end of file +} From ae0ff4dd3a81c243bea35ec3e2035ab14b94bc9e Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Tue, 12 Apr 2022 10:29:04 +0530 Subject: [PATCH 360/844] Add Actions team as CODEOWNERS for code-scanning starter workflows --- CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CODEOWNERS b/CODEOWNERS index 8866d17d23..91153dee71 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,3 +1,3 @@ * @actions/starter-workflows -/code-scanning/ @actions/advanced-security-code-scanning +/code-scanning/ @actions/advanced-security-code-scanning @actions/starter-workflows From 92b20ce19b85f9e2d7eb558aa665eb6ac9287cb5 Mon Sep 17 00:00:00 2001 
From: Yong Yan Date: Wed, 13 Apr 2022 23:04:48 -0700 Subject: [PATCH 361/844] Add ESLint starter workflow (#1461) * Add ESLint starter workflow * Specify versions * update permission * Add typescript to categories * Update codeql action to v2; add comments * address review feedbacks * update categories --- code-scanning/eslint.yml | 49 +++++++++++++++++++ .../properties/eslint.properties.json | 11 +++++ icons/eslint.svg | 1 + 3 files changed, 61 insertions(+) create mode 100644 code-scanning/eslint.yml create mode 100644 code-scanning/properties/eslint.properties.json create mode 100644 icons/eslint.svg diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml new file mode 100644 index 0000000000..9067a7d530 --- /dev/null +++ b/code-scanning/eslint.yml 
@@ -0,0 +1,49 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# ESLint is a tool for identifying and reporting on patterns +# found in ECMAScript/JavaScript code. +# More details at https://github.com/eslint/eslint +# and https://eslint.org + +name: ESLint + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + eslint: + name: Run eslint scanning + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Install ESLint + run: | + npm install eslint@8.10.0 + npm install @microsoft/eslint-formatter-sarif@2.1.7 + + - name: Run ESLint + run: npx eslint . + --config .eslintrc.js + --ext .js,.jsx,.ts,.tsx + --format @microsoft/eslint-formatter-sarif + --output-file eslint-results.sarif + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: eslint-results.sarif + wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/properties/eslint.properties.json b/code-scanning/properties/eslint.properties.json new file mode 100644 index 0000000000..a84646a82f --- /dev/null +++ b/code-scanning/properties/eslint.properties.json @@ -0,0 +1,11 @@ +{ + "name": "ESLint", + "description": "A tool for identifying and reporting the problems found in ECMAScript/JavaScript code.", + "iconName": "eslint", + "categories": [ + "Code Scanning", + "JavaScript", + "EcmaScript", + "TypeScript" + ] +} \ No newline at end of file diff --git a/icons/eslint.svg b/icons/eslint.svg new file mode 100644 index 0000000000..23964aa103 --- /dev/null +++ b/icons/eslint.svg 
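Review bot: `npm install eslint@8.10.0` runs against a checkout whose own dependencies were never installed, so any plugin or shared config referenced from `.eslintrc.js` will be missing and the lint step fails, and `npm install <pkg>` additionally rewrites package.json and package-lock.json in the workspace and may replace a project-pinned ESLint. Install the project's dependencies first and add the scanner tooling without saving it: `npm ci` followed by `npm install --no-save eslint@8.10.0 @microsoft/eslint-formatter-sarif@2.1.7`. `continue-on-error: true` on the lint step is right for getting the SARIF uploaded on findings, but it also hides a crash of eslint itself; a short comment saying that failures are reported via code scanning rather than the job status would make that trade-off explicit.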
@@ -0,0 +1 @@ + \ No newline at end of file From ac3c29ff5b1f47eab61e718d9a62519799d1a7a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Arko?= Date: Sun, 17 Apr 2022 03:07:19 -0700 Subject: [PATCH 362/844] Shorten Rails workflow name, in line with others The workflows for Ruby, RubyGem, Jekyll, and similar are all just the name of the language, package, or framework. This name change brings Rails in line with the other starters. --- ci/properties/rubyonrails.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/properties/rubyonrails.properties.json b/ci/properties/rubyonrails.properties.json index 49b29a4ede..7a2c18ac10 100644 --- a/ci/properties/rubyonrails.properties.json +++ b/ci/properties/rubyonrails.properties.json @@ -1,5 +1,5 @@ { - "name": "Ruby on Rails continuous integration", + "name": "Ruby on Rails", "description": "Build, lint, and test a Rails application", "iconName": "rails", "categories": ["Continuous integration", "Ruby", "Rails"] From 2885b083c9ae49c16188ad79cf15bab9e2107547 Mon Sep 17 00:00:00 2001 From: Jesse Glick Date: Mon, 18 Apr 2022 15:39:08 -0400 Subject: [PATCH 363/844] Update docker/build-push-action https://github.com/docker/build-push-action/commit/ac9327eae2b366085ac7f6a2d02df8aa8ead720a to pick up https://github.com/docker/build-push-action/pull/569 --- ci/docker-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 75f9770365..a9fd4b3811 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -72,7 +72,7 @@ jobs: # https://github.com/docker/build-push-action - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a with: context: . push: ${{ github.event_name != 'pull_request' }} From 73afccbbd54778fd08596f3fbe386823dcf15901 Mon Sep 17 00:00:00 2001 
From: mvecha Date: Thu, 21 Apr 2022 15:20:01 +0530 Subject: [PATCH 364/844] Addressing PR Comments from Community --- .../properties/zscaler-iac-scan.properties.json | 2 +- code-scanning/zscaler-iac-scan.yml | 15 ++++++++++----- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/code-scanning/properties/zscaler-iac-scan.properties.json b/code-scanning/properties/zscaler-iac-scan.properties.json index b6430373d3..274d17a5fa 100644 --- a/code-scanning/properties/zscaler-iac-scan.properties.json +++ b/code-scanning/properties/zscaler-iac-scan.properties.json @@ -3,5 +3,5 @@ "creator": "Zscaler CWP", "description": "Scan your Infrastructure as Code files using Zscaler Infrastructure as Code (IaC) Scan app", "iconName": "zscaler", - "categories": ["Code Scanning","Security"] + "categories": ["Code Scanning"] } \ No newline at end of file diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml index a8424b7662..195bb57895 100644 --- a/code-scanning/zscaler-iac-scan.yml +++ b/code-scanning/zscaler-iac-scan.yml @@ -7,6 +7,14 @@ #which detects security misconfigurations in IaC templates and publishes the findings #under the code scanning alerts section within the repository. +#Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process. +#Copy the client ID and client secret key generated during the onboarding process and configure. +#GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). + +#Refer https://github.com/marketplace/actions/zscaler-iac-scan for additional details on setting up this workflow. +#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues +#for further investigation. + name: Zscaler IaC Scan on: push: 
@@ -27,14 +35,11 @@ jobs: runs-on: ubuntu-latest steps: - name : Code Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name : Zscaler IAC Scan uses : ZscalerCWP/Zscaler-IaC-Action@8f0d8b60bd5a8f44062d444463f66f419ab71cfc id : zscaler-iac-scan with: - #Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process. - #Copy the client ID and client secret key generated during the onboarding process and configure. - #GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). client_id : ${{ secrets.ZSCANNER_CLIENT_ID }} client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }} #This is the user region specified during the onboarding process within the ZWP Admin Portal. @@ -47,6 +52,6 @@ jobs: #Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository. - name: Upload SARIF file if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }} - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }} \ No newline at end of file From cfa93d0eecf7f1b230986ff509814b1ab1ad0ece Mon Sep 17 00:00:00 2001 From: Jeevan Reddy Ragula <90408178+jragula-zs@users.noreply.github.com> Date: Thu, 21 Apr 2022 15:26:09 +0530 Subject: [PATCH 365/844] Update zscaler-iac-scan.yml --- code-scanning/zscaler-iac-scan.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml index 195bb57895..c6020a5faf 100644 --- a/code-scanning/zscaler-iac-scan.yml +++ b/code-scanning/zscaler-iac-scan.yml 
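Review bot: `sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }}` is missing the `outputs` segment, so the expression evaluates to an empty string and the upload step fails even when the scan produced a file; the `if:` line above it already uses the correct form, so change it to `sarif_file: ${{ steps.zscaler-iac-scan.outputs.sarif_file_path }}`. Note also that in `success() || failure() && (…)` the `&&` binds tighter than `||`, so the step runs on every successful scan regardless of whether a path was produced; if that is intended, writing `(success() || failure()) && (…)` or adding a comment would make the intent explicit.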
@@ -12,8 +12,7 @@ #GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). #Refer https://github.com/marketplace/actions/zscaler-iac-scan for additional details on setting up this workflow. -#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues -#for further investigation. +#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues for further investigation. name: Zscaler IaC Scan on: @@ -54,4 +53,4 @@ jobs: if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }} uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }} \ No newline at end of file + sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }} From bf7a4cab85f1dab83a885af2bfd3a5e85d273cd7 Mon Sep 17 00:00:00 2001 From: Jack G Kafaty <50452463+jackgkafaty@users.noreply.github.com> Date: Thu, 21 Apr 2022 13:09:39 -0400 Subject: [PATCH 366/844] Update codeql.yml Line 51 added the query packs by default but commented. Lines 62-63: added better instructions Lines 68-70 added an example which provides better detail --- code-scanning/codeql.yml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 37109ab2fa..ded7f5dce4 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml 
@@ -48,8 +48,11 @@ jobs: # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main + + # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild @@ -58,13 +61,12 @@ jobs: # ℹ️ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl - # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - #- run: | - # make bootstrap - # make release + # - run: | + # echo "Run, Build Application using script" + # pwsh -command .\location_of_script_within_repo\buildscript.ps1 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 From a5cb76fffb46eedc8f79cc3868b3f1868c7fe766 Mon Sep 17 00:00:00 2001 From: Jack G Kafaty <50452463+jackgkafaty@users.noreply.github.com> Date: Thu, 21 Apr 2022 13:19:45 -0400 Subject: [PATCH 367/844] Update codeql.yml --- code-scanning/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index ded7f5dce4..8da9bf27ee 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml 
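Review bot: The new example `# queries: security-extended,security-and-quality` lists both suites although `security-and-quality` already contains everything in `security-extended`, so the pair is redundant and suggests both are needed; show a single suite, e.g. `# queries: security-extended`, and keep the removed `./path/to/local/query, your-org/your-repo/queries@main` form as a second commented example since it was the only one documenting local and cross-repo queries. The introducing comment "Details on CodeQL's query packs refer to :" is not a sentence; `# For details on CodeQL query suites and packs see: <url>` reads better.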
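Review bot: The rewritten instruction "modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance." is a broken sentence and drops the original condition about compiled languages; suggest `# If Autobuild fails above, remove it and uncomment the following lines, then modify them (or add more)` followed by `# to build your code if your project uses a compiled language; see the example below.` The commented example is otherwise fine as a placeholder, but since the `run:` block is only two lines now, "the following three lines" no longer matches it.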
@@ -66,7 +66,7 @@ jobs: # - run: | # echo "Run, Build Application using script" - # pwsh -command .\location_of_script_within_repo\buildscript.ps1 + # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 From c06604910c9a4312db162077a4e46fa7aad61356 Mon Sep 17 00:00:00 2001 
From: Jaiveer Katariya <35347859+jaiveerk@users.noreply.github.com> Date: Fri, 22 Apr 2022 04:10:20 -0400 Subject: [PATCH 368/844] Parallelize Jobs for AKS Starter Workflows (#1534) * Reworked AKS deployment workflows (#1403) * rebased to partner_templates * Renaming workflow * Updated corresponding properties.json files for the new aks workflows under deployments. * Updated properties.json titles for aks workflows * Renamed SECRET_NAME to IMAGE_PULL_SECRET_NAME * Moved permissions down to the job level * Updated documentation links * Updated permission for action to read * Removing redundant permissions * write -> read for actions * Updated descriptions * Less reference documentation in header * Added comments to each AKS Starter Workflow step Co-authored-by: Tommy Barnes * Update AKS workflows to not use imagePullSecrets (#1494) * removing old method of adding imagePullSecrets * fixing step casing * For testing: Dependency review starter workflow * changed back to image pull secret, added mask, clarified website and pull secret instructions * made changes to other aks files * Added back imagepullsecrets param to deploy action, reordered env vars * changing release version of deploy action * restructured starter workflows to parallelize secret creation and image building * renamed to buildImage and removed extra space * cleaned up some random newlines * removed extra space * removing changes from partner branch * removing changes from partner branch * through mistake in changing PR, two files lost step for createSecret Co-authored-by: Tommy Barnes Co-authored-by: Tommy Barnes Co-authored-by: Israel Miller Co-authored-by: Bishal Prasad Co-authored-by: Jaiveer Katariya Co-authored-by: Jaiveer Katariya --- deployments/azure-kubernetes-service-helm.yml | 55 ++++++++++++++--- .../azure-kubernetes-service-kompose.yml | 60 +++++++++++++++--- .../azure-kubernetes-service-kustomize.yml | 61 ++++++++++++++++--- deployments/azure-kubernetes-service.yml | 55 ++++++++++++++--- 
4 files changed, 199 insertions(+), 32 deletions(-) diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index 948e7db84e..a5edeaa8f8 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -9,17 +9,17 @@ # To configure this workflow: # # 1. Set the following secrets in your repository (instructions for getting these -# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux)): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID # - AZURE_SUBSCRIPTION_ID # # 2. Set the following environment variables (or replace the values below): # - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) # - RESOURCE_GROUP (where your cluster is deployed) # - CLUSTER_NAME (name of your AKS cluster) -# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) -# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image) # # 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Helm. # Set your helmChart, overrideFiles, overrides, and helm-version to suit your configuration. @@ -48,12 +48,11 @@ env: CHART_OVERRIDE_PATH: "your-chart-override-path" jobs: - build: + buildImage: permissions: actions: read contents: read id-token: write - runs-on: ubuntu-latest steps: # Checks out the repository this file is in 
@@ -72,6 +71,21 @@ jobs: run: | az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + createSecret: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + steps: + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - name: Get K8s context uses: azure/aks-set-context@v2.0 @@ -85,7 +99,9 @@ jobs: az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::add-mask::${ACR_USERNAME}" echo "::set-output name=username::${ACR_USERNAME}" + echo "::add-mask::${ACR_PASSWORD}" echo "::set-output name=password::${ACR_PASSWORD}" id: get-acr-creds 
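Review bot: The new `createSecret` job still obtains the pull credential by running `az acr update … --admin-enabled true` and reading the admin password, so every deployment run switches on the registry's shared admin account — a single, unscoped, non-expiring credential that is generally recommended against for production — and the OIDC identity needs write rights on the registry merely to fetch it. A least-privilege alternative that removes this job entirely is to attach the registry to the cluster once (`az aks update -n $CLUSTER_NAME -g $RESOURCE_GROUP --attach-acr $AZURE_CONTAINER_REGISTRY`) so the kubelet identity gets AcrPull, or to create a scoped, expiring ACR token for the secret instead of the admin password. If the admin-account path is kept, the comment above the step should say explicitly that it enables the admin user and what role the workflow identity needs. The header of the `get-acr-creds` step and the step that consumes its outputs lie outside this hunk.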
@@ -96,7 +112,30 @@ jobs: container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io container-registry-username: ${{ steps.get-acr-creds.outputs.username }} container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + deploy: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + needs: [buildImage, createSecret] + steps: + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} # Runs Helm to create manifest files - name: Bake deployment @@ -112,11 +151,11 @@ jobs: # Deploys application based on manifest files from previous step - name: Deploy application - uses: Azure/k8s-deploy@v3.0 + uses: Azure/k8s-deploy@v3.1 with: action: deploy manifests: ${{ steps.bake.outputs.manifestsBundle }} images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} + ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index 7c25319019..5b7e4d1eac 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml 
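Review bot: The new `deploy` job in this file never checks out the repository, yet the `Bake deployment` step that follows (its body is outside this hunk) renders a Helm chart from the workspace paths configured in `env:`, so on a fresh runner the chart directory does not exist and the bake fails; add `- uses: actions/checkout@v3` as the job's first step, as the Kompose and Kustomize variants in this same commit do. `contents: read` is already granted on the job, so no permission change is needed. The final `imagepullsecrets` value also loses its trailing newline (`\ No newline at end of file`), which is worth restoring for clean diffs.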
@@ -9,17 +9,17 @@ # To configure this workflow: # # 1. Set the following secrets in your repository (instructions for getting these -# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID # - AZURE_SUBSCRIPTION_ID # # 2. Set the following environment variables (or replace the values below): # - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) # - RESOURCE_GROUP (where your cluster is deployed) # - CLUSTER_NAME (name of your AKS cluster) -# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) -# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image) # # 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kompose. # Set your dockerComposeFile and kompose-version to suit your configuration. @@ -40,12 +40,11 @@ env: DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path" jobs: - build: + buildImage: permissions: actions: read contents: read id-token: write - runs-on: ubuntu-latest steps: # Checks out the repository this file is in 
@@ -63,7 +62,22 @@ jobs: - name: Build and push image to ACR run: | az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . - + + createSecret: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + steps: + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - name: Get K8s context uses: azure/aks-set-context@v2.0 @@ -77,7 +91,9 @@ jobs: az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::add-mask::${ACR_USERNAME}" echo "::set-output name=username::${ACR_USERNAME}" + echo "::add-mask::${ACR_PASSWORD}" echo "::set-output name=password::${ACR_PASSWORD}" id: get-acr-creds 
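Review bot: `createSecret` here grants `actions: read` and `contents: read` although, as far as its three visible steps show, it performs no checkout and reads nothing from the workflow run, so only `id-token: write` is exercised; unless `azure/login` needs the others, trimming the block to just `id-token: write` keeps the job at least privilege. The job also re-runs `az acr update … --admin-enabled true` on every push, mutating registry configuration from a deploy pipeline and relying on the shared admin password rather than a scoped credential; attaching the registry to the cluster once (`az aks update --attach-acr`) would remove this job. The `run:` line opening the `az acr update` block is outside this hunk.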
@@ -88,7 +104,33 @@ jobs: container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io container-registry-username: ${{ steps.get-acr-creds.outputs.username }} container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + deploy: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + needs: [buildImage, createSecret] + steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} # Runs Kompose to create manifest files - name: Bake deployment @@ -101,11 +143,11 @@ jobs: # Deploys application based on manifest files from previous step - name: Deploy application - uses: Azure/k8s-deploy@v3.0 + uses: Azure/k8s-deploy@v3.1 with: action: deploy manifests: ${{ steps.bake.outputs.manifestsBundle }} images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} + ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index f6928d0523..305d6de664 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml 
@@ -9,17 +9,17 @@ # To configure this workflow: # # 1. Set the following secrets in your repository (instructions for getting these -# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID # - AZURE_SUBSCRIPTION_ID # # 2. Set the following environment variables (or replace the values below): # - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) # - RESOURCE_GROUP (where your cluster is deployed) # - CLUSTER_NAME (name of your AKS cluster) -# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) -# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image) # # 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kustomize. # Set your kustomizationPath and kubectl-version to suit your configuration. @@ -46,12 +46,11 @@ env: KUSTOMIZE_PATH: "your-kustomize-path" jobs: - build: + buildImage: permissions: actions: read contents: read id-token: write - runs-on: ubuntu-latest steps: # Checks out the repository this file is in 
@@ -69,6 +68,24 @@ jobs: - name: Build and push image to ACR run: | az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + + createSecret: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - name: Get K8s context @@ -83,7 +100,9 @@ jobs: az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::add-mask::${ACR_USERNAME}" echo "::set-output name=username::${ACR_USERNAME}" + echo "::add-mask::${ACR_PASSWORD}" echo "::set-output name=password::${ACR_PASSWORD}" id: get-acr-creds 
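Review bot: This variant's `createSecret` job adds an `actions/checkout@v3` step that none of its steps use — login, kubeconfig retrieval and the admin-credential lookup read nothing from the repository — so it costs a clone per run and is the one place the pull-secret job diverges from the Helm, Kompose and plain variants in this commit; drop the checkout here so the four starters stay parallel, at which point `contents: read` can go too. With a checkout in place, the unquoted JMESPath `--query passwords[0].value` on the context line below is also a shell glob that would expand if a file named `passwords0.value` existed in the checkout; `--query 'passwords[0].value'` removes that dependency on the working directory.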
@@ -94,7 +113,33 @@ jobs: container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io container-registry-username: ${{ steps.get-acr-creds.outputs.username }} container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + deploy: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + needs: [buildImage, createSecret] + steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} # Runs Kustomize to create manifest files - name: Bake deployment @@ -107,11 +152,11 @@ jobs: # Deploys application based on manifest files from previous step - name: Deploy application - uses: Azure/k8s-deploy@v3.0 + uses: Azure/k8s-deploy@v3.1 with: action: deploy manifests: ${{ steps.bake.outputs.manifestsBundle }} images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} + ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index bb513d4892..c471793a57 100644 --- a/deployments/azure-kubernetes-service.yml +++ b/deployments/azure-kubernetes-service.yml 
@@ -8,8 +8,7 @@ # # To configure this workflow: # -# 1. Set the following secrets in your repository (instructions for getting these -# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# 1. Set the following secrets in your repository (instructions for getting these can be found at https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID # - AZURE_SUBSCRIPTION_ID @@ -19,7 +18,7 @@ # - RESOURCE_GROUP (where your cluster is deployed) # - CLUSTER_NAME (name of your AKS cluster) # - CONTAINER_NAME (name of the container image you would like to push up to your ACR) -# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image) # - DEPLOYMENT_MANIFEST_PATH (path to the manifest yaml for your deployment) # # For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions @@ -43,12 +42,11 @@ env: DEPLOYMENT_MANIFEST_PATH: 'your-deployment-manifest-path' jobs: - build: + buildImage: permissions: actions: read contents: read id-token: write - runs-on: ubuntu-latest steps: # Checks out the repository this file is in 
@@ -67,6 +65,21 @@ jobs: run: | az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + createSecret: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + steps: + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - name: Get K8s context uses: azure/aks-set-context@v2.0 @@ -80,7 +93,9 @@ jobs: az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::add-mask::${ACR_USERNAME}" echo "::set-output name=username::${ACR_USERNAME}" + echo "::add-mask::${ACR_PASSWORD}" echo "::set-output name=password::${ACR_PASSWORD}" id: get-acr-creds 
@@ -93,13 +108,39 @@ jobs: container-registry-password: ${{ steps.get-acr-creds.outputs.password }} secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + deploy: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + needs: [buildImage, createSecret] + steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + # Deploys application based on given manifest file - name: Deploys application - uses: Azure/k8s-deploy@v3.0 + uses: Azure/k8s-deploy@v3.1 with: action: deploy manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }} images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} + ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file From 1c5c0f7c8a10324929bd35cc2fb63302ca57baef Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Fri, 22 Apr 2022 19:37:39 +0000 Subject: [PATCH 369/844] fix: upgrade @actions/core from 1.2.6 to 1.6.0 Snyk has created this PR to upgrade @actions/core from 1.2.6 to 1.6.0. See this package in npm: https://www.npmjs.com/package/@actions/core See this project in Snyk: https://app.snyk.io/org/cwp-2/project/fd2218da-0d06-448b-be57-a7d3e69b0389?utm_source=github-enterprise&utm_medium=referral&page=upgrade-pr --- script/validate-data/package-lock.json | 24 ++++++++++++++++++++---- script/validate-data/package.json | 2 +- 2 files changed, 21 insertions(+), 5 deletions(-) 
diff --git a/script/validate-data/package-lock.json b/script/validate-data/package-lock.json index 8839d6ab1e..cf7c70a81d 100644 --- a/script/validate-data/package-lock.json +++ b/script/validate-data/package-lock.json @@ -1,13 +1,24 @@ { - "name": "sync-ghes-actions", + "name": "validate-data", "version": "1.0.0", "lockfileVersion": 1, "requires": true, "dependencies": { "@actions/core": { - "version": "1.2.6", - "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz", - "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA==" + "version": "1.6.0", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.6.0.tgz", + "integrity": "sha512-NB1UAZomZlCV/LmJqkLhNTqtKfFXJZAUPcfl/zqG7EfsQdeUJtaWO98SGbuQ3pydJ3fHl2CvI/51OKYlCYYcaw==", + "requires": { + "@actions/http-client": "^1.0.11" + } + }, + "@actions/http-client": { + "version": "1.0.11", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz", + "integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==", + "requires": { + "tunnel": "0.0.6" + } }, "@types/js-yaml": { "version": "3.12.4", @@ -106,6 +117,11 @@ "yn": "3.1.1" } }, + "tunnel": { + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", + "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==" + }, "typescript": { "version": "3.9.2", "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz", diff --git a/script/validate-data/package.json b/script/validate-data/package.json index e6403ee20d..7936f4e4ce 100644 --- a/script/validate-data/package.json +++ b/script/validate-data/package.json @@ -14,7 +14,7 @@ "typescript": "^3.9.2" }, "dependencies": { - "@actions/core": "^1.2.6", + "@actions/core": "^1.6.0", "js-yaml": "^3.13.1", "jsonschema": "^1.2.6" } 
From ad9daa8da372928e50064995bb1c2f542c0c345c Mon Sep 17 00:00:00 2001 From: Jaiveer Katariya <35347859+jaiveerk@users.noreply.github.com> Date: Sat, 23 Apr 2022 00:40:21 -0400 Subject: [PATCH 370/844] removed actions read permission from createSecret and buildImage steps (#1539) --- deployments/azure-kubernetes-service-helm.yml | 2 -- deployments/azure-kubernetes-service-kompose.yml | 2 -- deployments/azure-kubernetes-service-kustomize.yml | 2 -- deployments/azure-kubernetes-service.yml | 2 -- 4 files changed, 8 deletions(-) diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index a5edeaa8f8..510abcdebd 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -50,7 +50,6 @@ env: jobs: buildImage: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest @@ -73,7 +72,6 @@ jobs: createSecret: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index 5b7e4d1eac..0cf23ba5ac 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -42,7 +42,6 @@ env: jobs: buildImage: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest @@ -65,7 +64,6 @@ jobs: createSecret: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index 305d6de664..14469db4f1 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -48,7 +48,6 @@ env: jobs: buildImage: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest 
@@ -71,7 +70,6 @@ jobs: createSecret: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index c471793a57..d04a2ace80 100644 --- a/deployments/azure-kubernetes-service.yml +++ b/deployments/azure-kubernetes-service.yml @@ -44,7 +44,6 @@ env: jobs: buildImage: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest @@ -67,7 +66,6 @@ jobs: createSecret: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest From 308401f5246098792d1a773569cb339141141361 Mon Sep 17 00:00:00 2001 From: DhavalPatelPersistent <93903969+DhavalPatelPersistent@users.noreply.github.com> Date: Mon, 25 Apr 2022 15:30:28 +0530 Subject: [PATCH 371/844] Update checkmarx.yml --- code-scanning/checkmarx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index 297cae0d22..ed13389d97 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -46,7 +46,7 @@ jobs: checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} scanners: sast - params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory + params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 From a52cd5a16a7422970cf0d09ddd7489c0abcd1cf3 Mon Sep 17 00:00:00 2001 
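Review bot: The added `--checkmarx.disable-clubbing=true` in `params` is not explained in the workflow or in the commit message, and the two filter flags were renamed from camelCase to kebab-case without a note on which CxFlow release introduced the new spelling. A comment above the `params:` line, e.g. `# disable-clubbing reports each finding separately instead of grouping similar ones — verify against the CxFlow docs for the pinned version`, would make the intent reviewable. Both `--cx-flow.filter-severity` and `--cx-flow.filter-category` are passed without a value, as the old flags were; if that deliberately clears the defaults, say so in the same comment.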
From: Tristram Oaten Date: Mon, 25 Apr 2022 15:02:37 +0100 Subject: [PATCH 372/844] Update setup-ruby to the latest release The default github action ruby template references this old commit which doesn't have any modern rubies https://github.com/ruby/setup-ruby/commit/473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e The fix is to update the pinned version to the latest release https://github.com/alphagov/forms-api/pull/3/commits/e3c8ad2759088a12ba9f3040d2c47c23799c8455 --- ci/ruby.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/ruby.yml b/ci/ruby.yml index 256aa1455c..7daf2cc311 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -30,7 +30,7 @@ jobs: # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, # change this to (see https://github.com/ruby/setup-ruby#versioning): # uses: ruby/setup-ruby@v1 - uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e + uses: ruby/setup-ruby@e3c8ad2759088a12ba9f3040d2c47c23799c8455 with: ruby-version: ${{ matrix.ruby-version }} bundler-cache: true # runs 'bundle install' and caches installed gems automatically From a2a01a4b0b9b9f8f39c20efdd1f1eee8fd9772d2 Mon Sep 17 00:00:00 2001 From: Aditya Sharad <6874315+adityasharad@users.noreply.github.com> Date: Tue, 26 Apr 2022 02:26:34 -0700 Subject: [PATCH 373/844] CodeQL starter workflow: Replace git.io links git.io is deprecated. Replace the references with full links or aka.ms links to the same documentation. --- code-scanning/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 37109ab2fa..0e57f4b4fb 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml 
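Review bot: The new pin `ruby/setup-ruby@e3c8ad2759088a12ba9f3040d2c47c23799c8455` takes its SHA from the `alphagov/forms-api` commit URL quoted in the commit description rather than from a commit in `ruby/setup-ruby`, so the action reference will not resolve at run time; the follow-up "fix sha" commit on this page replaces it. A commit-SHA pin should be copied from the target repository's release and annotated with the tag it corresponds to, e.g. `uses: ruby/setup-ruby@<sha of the intended release> # vX.Y.Z`, so the next bump can be checked by reading the line. The surrounding comment already points at `ruby/setup-ruby@v1` for users who prefer automatic updates.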
@@ -34,7 +34,7 @@ jobs: matrix: language: [ $detected-codeql-languages ] # CodeQL supports [ $supported-codeql-languages ] - # Learn more about CodeQL language support at https://git.io/codeql-language-support + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: - name: Checkout repository @@ -56,7 +56,7 @@ jobs: uses: github/codeql-action/autobuild@v2 # ℹ️ Command-line programs to run using the OS shell. - # 📚 https://git.io/JvXDl + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines # and modify them (or add more) to build your code if your project From b6633ec292d288db36de6e7d68e525bb129492c3 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Tue, 26 Apr 2022 22:00:20 -0700 Subject: [PATCH 374/844] Add starter workflow for hadolint --- code-scanning/hadolint.yml | 46 ++++++ .../properties/hadolint.properties.json | 6 + icons/hadolint.svg | 131 ++++++++++++++++++ 3 files changed, 183 insertions(+) create mode 100644 code-scanning/hadolint.yml create mode 100644 code-scanning/properties/hadolint.properties.json create mode 100644 icons/hadolint.svg diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml new file mode 100644 index 0000000000..f941b95a6b --- /dev/null +++ b/code-scanning/hadolint.yml 
@@ -0,0 +1,46 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# hadoint is a Dockerfile linter written in Haskell +# that helps you build best practice Docker images. +# More details at https://github.com/hadolint/hadolint + +name: Hadolint + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + hadolint: + name: Run hadolint scanning + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Run hado-lint + uses: hadolint/hadolint-action@v2.1.0 + with: + dockerfile: ./Dockerfile + format: sarif + output-file: hadolint-results.sarif + no-fail: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: hadolint-results.sarif + wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/properties/hadolint.properties.json b/code-scanning/properties/hadolint.properties.json new file mode 100644 index 0000000000..b4f714155e --- /dev/null +++ b/code-scanning/properties/hadolint.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Haskell Dockerfile Linter", + "description": "A smarter Dockerfile linter that helps you build best practice Docker images.", + "iconName": "hadolint", + "categories": ["Code Scanning", "Dockerfile"] +} \ No newline at end of file diff --git a/icons/hadolint.svg b/icons/hadolint.svg new file mode 100644 index 0000000000..048b86cd9f --- /dev/null +++ b/icons/hadolint.svg @@ -0,0 +1,131 @@ + + + + 
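Review bot: The header comment misspells the tool (`# hadoint is a Dockerfile linter written in Haskell`) and the step is named `Run hado-lint`; both should read `hadolint` (a later commit on this page fixes the step name but not the comment). The header also states that the action is third-party and not certified by GitHub, yet `hadolint/hadolint-action@v2.1.0` is pinned to a movable tag, whereas the other third-party templates in this series (sobelow, NeuraLegion) pin to a full commit SHA; `uses: hadolint/hadolint-action@<commit sha of v2.1.0> # v2.1.0` would match them. `no-fail: true` is what lets the SARIF upload run even when findings exist; a one-line comment saying so on that line would help users who later want the job to fail on findings.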
From 0ae51b0d1063d99894068034e0f6e7de60e6ec5b Mon Sep 17 00:00:00 2001 From: Tristram Oaten Date: Thu, 28 Apr 2022 10:58:56 +0100 Subject: [PATCH 375/844] fix sha --- ci/ruby.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/ruby.yml b/ci/ruby.yml index 7daf2cc311..81ea36336d 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -30,7 +30,7 @@ jobs: # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, # change this to (see https://github.com/ruby/setup-ruby#versioning): # uses: ruby/setup-ruby@v1 - uses: ruby/setup-ruby@e3c8ad2759088a12ba9f3040d2c47c23799c8455 + uses: ruby/setup-ruby@2b019609e2b0f1ea1a2bc8ca11cb82ab46ada124 with: ruby-version: ${{ matrix.ruby-version }} bundler-cache: true # runs 'bundle install' and caches installed gems automatically From 662e915c0fe85c4d078b6de037bce62ebc69fe96 Mon Sep 17 00:00:00 2001 From: Bar Hofesh Date: Thu, 28 Apr 2022 22:01:20 +0300 Subject: [PATCH 376/844] Add NeuraLegion to starter workflows (#1203) * Added Neuralegion to starter workflows * Using an action * Fixed Indentation :) * Update neuralegion.yml Co-authored-by: Bishal Prasad --- code-scanning/neuralegion.yml | 175 ++++++++++++++++++ .../properties/neuralegion.properties.json | 24 +++ icons/neuralegion.svg | 57 ++++++ 3 files changed, 256 insertions(+) create mode 100644 code-scanning/neuralegion.yml create mode 100644 code-scanning/properties/neuralegion.properties.json create mode 100644 icons/neuralegion.svg diff --git a/code-scanning/neuralegion.yml b/code-scanning/neuralegion.yml new file mode 100644 index 0000000000..e24e14a753 --- /dev/null +++ b/code-scanning/neuralegion.yml 
@@ -0,0 +1,175 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Run a Nexploit Scan +# This action runs a new security scan in Nexploit, or reruns an existing one. +# Build Secure Apps & APIs. Fast. +# [NeuraLegion](https://www.neuralegion.com) is a powerful dynamic application & API security testing (DAST) platform that security teams trust and developers love. +# Automatically Tests Every Aspect of Your Apps & APIs +# Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports +# Seamlessly integrates with the Tools and Workflows You Already Use +# +# NeuraLegion works with your existing CI/CD pipelines – trigger scans on every commit, pull request or build with unit testing. +# Spin-Up, Configure and Control Scans with Code +# One file. One command. One scan. No UI needed. +# +# Super-Fast Scans +# +# Interacts with applications and APIs, instead of just crawling them and guessing. +# Scans are fast as our AI-powered engine can understand application architecture and generate sophisticated and targeted attacks. +# +# No False Positives +# +# Stop chasing ghosts and wasting time. NeuraLegion doesn’t return false positives, so you can focus on releasing code. +# +# Comprehensive Security Testing +# +# NeuraLegion tests for all common vulnerabilities, such as SQL injection, CSRF, XSS, and XXE -- as well as uncommon vulnerabilities, such as business logic vulnerabilities. +# +# More information is available on NeuraLegion’s: +# * [Website](https://www.neuralegion.com/) +# * [Knowledge base](https://docs.neuralegion.com/docs/quickstart) +# * [YouTube channel](https://www.youtube.com/channel/UCoIC0T1pmozq3eKLsUR2uUw) +# * [GitHub Actions](https://github.com/marketplace?query=neuralegion+) +# +# Inputs +# +# `name` +# +# **Required**. Scan name. 
+# +# _Example:_ `name: GitHub scan ${{ github.sha }}` +# +# `api_token` +# +# **Required**. Your Nexploit API authorization token (key). You can generate it in the **Organization** section on [nexploit.app](https://nexploit.app/login). Find more information [here](https://kb.neuralegion.com/#/guide/np-web-ui/advanced-set-up/managing-org?id=managing-organization-apicli-authentication-tokens). +# +# _Example:_ `api_token: ${{ secrets.NEXPLOIT_TOKEN }}` +# +# `restart_scan` +# +# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).
Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements. +# +# _Example:_ `restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ)` +# +# `discovery_types` +# +# **Required**. Array of discovery types. The following types are available: +# * `archive` - uses an uploaded HAR-file for a scan +# * `crawler` - uses a crawler to define the attack surface for a scan +# * `oas` - uses an uploaded OpenAPI schema for a scan
+# If no discovery type is specified, `crawler` is applied by default. +# +# _Example:_ +# +# ```yml +# discovery_types: | +# [ "crawler", "archive" ] +# ``` +# +# `file_id` +# +# **Required** if the discovery type is set to `archive` or `oas`. ID of a HAR-file or an OpenAPI schema you want to use for a scan. You can get the ID of an uploaded HAR-file or an OpenAPI schema in the **Storage** section on [nexploit.app](https://nexploit.app/login). +# +# _Example:_ +# +# ``` +# FILE_ID=$(nexploit-cli archive:upload \ +# --token ${{ secrets.NEXPLOIT_TOKEN }} \ +# --discard true \ +# ./example.har) +# ``` +# +# `crawler_urls` +# +# **Required** if the discovery type is set to `crawler`. Target URLs to be used by the crawler to define the attack surface. +# +# _Example:_ +# +# ``` +# crawler_urls: | +# [ "http://vulnerable-bank.com" ] +# ``` +# +# `hosts_filter` +# +# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan. +# +# Outputs +# +# `url` +# +# Url of the resulting scan +# +# `id` +# +# ID of the created scan. 
This ID could then be used to restart the scan, or for the following GitHub actions: +# * [Nexploit Wait for Issues](https://github.com/marketplace/actions/nexploit-wait-for-issues) +# * [Nexploit Stop Scan](https://github.com/marketplace/actions/nexploit-stop-scan) +# +# Example usage +# +# Start a new scan with parameters +# +# ```yml +# steps: +# - name: Start Nexploit Scan +# id: start +# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe +# with: +# api_token: ${{ secrets.NEXPLOIT_TOKEN }} +# name: GitHub scan ${{ github.sha }} +# discovery_types: | +# [ "crawler", "archive" ] +# crawler_urls: | +# [ "http://vulnerable-bank.com" ] +# file_id: LiYknMYSdbSZbqgMaC9Sj +# hosts_filter: | +# [ ] +# - name: Get the output scan url +# run: echo "The scan was started on ${{ steps.start.outputs.url }}" +# ``` +# +# Restart an existing scan +# +# ```yml +# steps: +# - name: Start Nexploit Scan +# id: start +# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe +# with: +# api_token: ${{ secrets.NEXPLOIT_TOKEN }} +# name: GitHub scan ${{ github.sha }} +# restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ +# - name: Get the output scan url +# run: echo "The scan was started on ${{ steps.start.outputs.url }}" + + +name: "NeuraLegion" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + neuralegion_scan: + runs-on: ubuntu-18.04 + name: A job to run a Nexploit scan + steps: + - uses: actions/checkout@v2 + - name: Start Nexploit Scan 🏁 + id: start + uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe + with: + api_token: ${{ secrets.NEURALEGION_TOKEN }} + name: GitHub scan ${{ github.sha }} + discovery_types: | + [ "crawler" ] + crawler_urls: | + [ "https://brokencrystals.com" ] # ✏️ Update this to the url you wish to scan 
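Review bot: The header documentation tells users to store the key as `secrets.NEXPLOIT_TOKEN` (in the `api_token` description and in both usage examples), but the workflow itself reads `${{ secrets.NEURALEGION_TOKEN }}`, so a user who follows the comments ends up with an empty token; pick one name and use it in both places. The workflow also sets no top-level `permissions:` block, unlike the hadolint and sobelow templates in this series, so the job runs with the repository's default token scopes, which a remote scan does not need — add `permissions:` / `  contents: read`. `runs-on: ubuntu-18.04` pins an image the other templates avoid with `ubuntu-latest` and that has since been retired, and `actions/checkout@v2` lags the `@v3` used elsewhere on the page (the checkout itself appears unused, since the scan runs remotely). Finally, the default `crawler_urls` entry is a live external host; a placeholder the user must replace, e.g. `[ "https://your-app.example.com" ]` (constructed), avoids an unmodified template launching a DAST scan at a third party.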
diff --git a/code-scanning/properties/neuralegion.properties.json b/code-scanning/properties/neuralegion.properties.json new file mode 100644 index 0000000000..ee64a52d2b --- /dev/null +++ b/code-scanning/properties/neuralegion.properties.json @@ -0,0 +1,24 @@ +{ + "name": "NeuraLegion", + "creator": "NeuraLegion", + "description": "Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports", + "iconName": "neuralegion", + "categories": [ + "Code Scanning", + "C", + "C#", + "C++", + "Go", + "Java", + "JavaScript", + "Kotlin", + "Objective C", + "PHP", + "Python", + "Ruby", + "Rust", + "Scala", + "Swift", + "TypeScript" + ] +} diff --git a/icons/neuralegion.svg b/icons/neuralegion.svg new file mode 100644 index 0000000000..0534225141 --- /dev/null +++ b/icons/neuralegion.svg @@ -0,0 +1,57 @@ + + + + + + + + + NeuraLegion Logo + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From d09e57c7a386f2c92c1d0d5af960c03c79b02eb0 Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Thu, 28 Apr 2022 15:22:57 -0400 Subject: [PATCH 377/844] Adding workflow for sobelow (static analysis tool for the Phoenix framework) (#1528) * Adding sobelow workflow * Removing setup-beam dependency * Updating instructions --- .../properties/sobelow.properties.json | 11 +++++ code-scanning/sobelow.yml | 40 +++++++++++++++++++ icons/sobelow.svg | 20 ++++++++++ 3 files changed, 71 insertions(+) create mode 100644 code-scanning/properties/sobelow.properties.json create mode 100644 code-scanning/sobelow.yml create mode 100644 icons/sobelow.svg diff --git a/code-scanning/properties/sobelow.properties.json b/code-scanning/properties/sobelow.properties.json new file mode 100644 index 0000000000..163e866ed8 --- /dev/null +++ b/code-scanning/properties/sobelow.properties.json 
@@ -0,0 +1,11 @@ +{ + "name": "Sobelow", + "creator": "nccgroup", + "description": "Sobelow is a security-focused static analysis tool for the Phoenix framework.", + "iconName": "sobelow", + "categories": [ + "Code Scanning", + "Elixir" + ] + } + \ No newline at end of file diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml new file mode 100644 index 0000000000..21cb6e749e --- /dev/null +++ b/code-scanning/sobelow.yml @@ -0,0 +1,40 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Sobelow is a security-focused static analysis tool for the Phoenix framework. https://sobelow.io/ +# +# To use this workflow, you must have GitHub Advanced Security (GHAS) enabled for your repository. +# +# Instructions: +# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository +# and review the "Security" tab once the action has run. +name: Sobelow + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + - id: run-action + uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912 + - name: Upload report + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif diff --git a/icons/sobelow.svg b/icons/sobelow.svg new file mode 100644 index 0000000000..4d243ea659 --- /dev/null +++ b/icons/sobelow.svg @@ -0,0 +1,20 @@ + + + + + + + + From 5aba2798002b169baefab50eb36b19f8d4649fe0 Mon Sep 17 00:00:00 2001 
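Review bot: The `# Instructions:` comment starts at `# 2. Follow the annotated workflow below ...` with no step 1, so the numbering reads as if a step was dropped (the commit message says the instructions were updated); renumber it to `# 1.` or restore the missing step. The `sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912` pin is good practice, but without the release it corresponds to nobody can tell when it is stale — append `# <released tag>` to that line. The `- id: run-action` step has no `name:`, unlike the other steps in this file, and `sarif_file: results.sarif` presumably relies on the action's default output path; a short comment above the step tying the two together would make that explicit.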
From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Mon, 2 May 2022 06:08:29 +0000 Subject: [PATCH 378/844] addressing review comments --- script/validate-data/index.ts | 20 ++++++++++---------- script/validate-data/settings.json | 18 +++++++++--------- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index da4d2d8d8d..5e6327abdf 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -41,7 +41,7 @@ const propertiesSchema = { } } -async function checkWorkflows(folders: string[], folder_category_map: object[]): Promise { +async function checkWorkflows(folders: string[], allowed_categories: object[]): Promise { const result: WorkflowWithErrors[] = [] const workflow_template_names = new Set() for (const folder of folders) { @@ -56,7 +56,7 @@ async function checkWorkflows(folders: string[], folder_category_map: object[]): const workflowFilePath = join(folder, e.name); const propertiesFilePath = join(folder, "properties", `${fileType}.properties.json`) - const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, folder_category_map); + const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, allowed_categories); if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) { workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) } @@ -70,7 +70,7 @@ async function checkWorkflows(folders: string[], folder_category_map: object[]): return result; } -async function checkWorkflow(workflowPath: string, propertiesPath: string, folder_category_map: object[]): Promise { +async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: object[]): Promise { let workflowErrors: WorkflowWithErrors = { id: workflowPath, name: null, 
@@ -105,14 +105,14 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, folde } } - var folderName = dirname(workflowPath) - var folder_category = folder_category_map.find( folder_category => folder_category["name"] == folderName)["category"] - if (!workflowPath.endsWith("blank.yml") && ((!properties.categories || properties.categories.length == 0 )|| - properties.categories[0].toLowerCase() !== folder_category.toLowerCase())) { + var path = dirname(workflowPath) + var folder_category = allowed_categories.find( category => category["path"] == path)["name"] + if (!workflowPath.endsWith("blank.yml")) { if(!properties.categories || properties.categories.length == 0) { workflowErrors.errors.push(`Workflow categories cannot be null or empty`) - } else { - workflowErrors.errors.push(`The first category in properties.json categories must be "${folder_category}" for ${basename(folderName)} folder workflow.`) + } + else if(properties.categories[0].toLowerCase() !== folder_category.toLowerCase()) { + workflowErrors.errors.push(`The first category in properties.json categories must be "${folder_category}" for workflow in ${basename(path)} folder.`) } } @@ -129,7 +129,7 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, folde try { const settings = require("./settings.json"); const erroredWorkflows = await checkWorkflows( - settings.folders, settings.folder_category_map + settings.folders, settings.allowed_categories ) if (erroredWorkflows.length > 0) { diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index 7d3ecfefee..667aff6a83 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json 
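Review bot: `allowed_categories.find( category => category["path"] == path)["name"]` dereferences the result of `find` without a guard, so a workflow placed in a folder that is absent from `settings.json` aborts the validator with a TypeError instead of producing a readable error; the old line had the same shape, but since it is rewritten here this is the place to fix it. Split it into `const entry = allowed_categories.find(category => category["path"] == path)` and, when `entry` is undefined, push `Folder ${path} is not listed in settings.json` to `workflowErrors.errors` and skip the category comparison. Naming the local `path` also shadows the conventional name of Node's `path` module, from which `dirname`/`basename`/`join` are presumably imported, and `var` could be `const`. `checkWorkflow` starts and ends outside the hunk.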
@@ -5,22 +5,22 @@ "../../deployments", "../../code-scanning" ], - "folder_category_map": [ + "allowed_categories": [ { - "name": "../../ci", - "category": "Continuous integration" + "name": "Continuous integration", + "path": "../../ci" }, { - "name": "../../automation", - "category": "Automation" + "name": "Automation", + "path": "../../automation" }, { - "name": "../../deployments", - "category": "Deployment" + "path": "../../deployments", + "name": "Deployment" }, { - "name": "../../code-scanning", - "category": "Code Scanning" + "name": "Code Scanning", + "path": "../../code-scanning" } ] } \ No newline at end of file From c032ee101f95b6b5be02ec2b43f8ad16f9af2e77 Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Mon, 2 May 2022 06:32:43 +0000 Subject: [PATCH 379/844] adding dependency review to allowed categories --- script/validate-data/index.ts | 8 ++++---- script/validate-data/settings.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 5e6327abdf..7f7aa445b4 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts 
@@ -106,17 +106,17 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow } var path = dirname(workflowPath) - var folder_category = allowed_categories.find( category => category["path"] == path)["name"] + var folder_categories = allowed_categories.find( category => category["path"] == path)["categories"] if (!workflowPath.endsWith("blank.yml")) { if(!properties.categories || properties.categories.length == 0) { workflowErrors.errors.push(`Workflow categories cannot be null or empty`) } - else if(properties.categories[0].toLowerCase() !== folder_category.toLowerCase()) { - workflowErrors.errors.push(`The first category in properties.json categories must be "${folder_category}" for workflow in ${basename(path)} folder.`) + else if(!folder_categories.some(category => properties.categories[0].toLowerCase() == category.toLowerCase())) { + workflowErrors.errors.push(`The first category in properties.json categories for workflow in ${basename(path)} folder must be one of "${folder_categories}"`) } } - if(folder_category.toLowerCase() == 'deployment' && !properties.creator) { + if(path.toLowerCase() == 'deployment' && !properties.creator) { workflowErrors.errors.push(`The "creator" in properties.json must be present.`) } } catch (e) { diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index 2765c2a20a..852f575378 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json @@ -20,7 +20,7 @@ }, { "path": "../../code-scanning", - "categories": ["Code Scanning", "Dependency review"], + "categories": ["Code Scanning", "Dependency review"] } ] } From ca970a212491702286740f8f0b943e097bdb4de3 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Mon, 2 May 2022 12:23:29 +0530 Subject: [PATCH 380/844] Fix typo --- code-scanning/properties/dependency-review.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index e84278ca6a..c195c73b9e 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json @@ -1,6 +1,6 @@ { "name": "Dependency Review", - "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", + "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable dependencies to the repository", "iconName": "octicon mark-github", "categories": [ "Dependency review", From ee2bbcf8d8f90b72461d884114f1f2f427779fb1 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Mon, 2 May 2022 01:53:59 -0700 Subject: [PATCH 381/844] update step name --- code-scanning/hadolint.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml index f941b95a6b..fbbf91495f 100644 --- a/code-scanning/hadolint.yml +++ b/code-scanning/hadolint.yml @@ -27,11 +27,12 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + steps: - name: Checkout code uses: actions/checkout@v3 - - name: Run hado-lint + - name: Run hadolint uses: hadolint/hadolint-action@v2.1.0 with: dockerfile: ./Dockerfile From 74122beced91569ee2a4181188911aae18aa909e Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Mon, 2 May 2022 13:22:36 +0000 Subject: [PATCH 382/844] Fixing creator check --- script/validate-data/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 7f7aa445b4..39328c58fb 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts 
@@ -116,7 +116,7 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow } } - if(path.toLowerCase() == 'deployment' && !properties.creator) { + if(basename(path).toLowerCase() == 'deployments' && !properties.creator) { workflowErrors.errors.push(`The "creator" in properties.json must be present.`) } } catch (e) { From f007e412eef70494c18a54191728f1138e84436b Mon Sep 17 00:00:00 2001 From: Daniel Schultz Date: Tue, 22 Mar 2022 21:17:20 -0400 Subject: [PATCH 383/844] Rename sync-ghes workflow for consistancy Issue #1497 --- .github/workflows/{sync_ghes.yaml => sync-ghes.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{sync_ghes.yaml => sync-ghes.yaml} (100%) diff --git a/.github/workflows/sync_ghes.yaml b/.github/workflows/sync-ghes.yaml similarity index 100% rename from .github/workflows/sync_ghes.yaml rename to .github/workflows/sync-ghes.yaml From 52bd793f345de13bebd632f87f1d4544eb724768 Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Tue, 3 May 2022 11:00:55 +0530 Subject: [PATCH 384/844] Update script/validate-data/index.ts Co-authored-by: Bishal Prasad --- script/validate-data/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 39328c58fb..4bd260d6c3 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts 
@@ -112,7 +112,7 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow workflowErrors.errors.push(`Workflow categories cannot be null or empty`) } else if(!folder_categories.some(category => properties.categories[0].toLowerCase() == category.toLowerCase())) { - workflowErrors.errors.push(`The first category in properties.json categories for workflow in ${basename(path)} folder must be one of "${folder_categories}"`) + workflowErrors.errors.push(`The first category in properties.json categories for workflow in ${basename(path)} folder must be one of "${folder_categories}. Either move the workflow to an appropriate directory or change the category."`) } } From 2e396aeae52f0e011e01e06e2935845ce3b0cbd9 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 4 May 2022 16:07:22 +0530 Subject: [PATCH 385/844] Create auto_assign.yml --- .github/auto_assign.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 .github/auto_assign.yml diff --git a/.github/auto_assign.yml b/.github/auto_assign.yml new file mode 100644 index 0000000000..02596efa1c --- /dev/null +++ b/.github/auto_assign.yml @@ -0,0 +1,16 @@ +# Set to true to add reviewers to pull requests +addReviewers: true + +# Set to true to add assignees to pull requests +addAssignees: false + +# A list of reviewers to be added to pull requests (GitHub user name) +reviewers: + - phantsure + - anuragc617 + - tiwarishub + - vsvipul + +# A number of reviewers added to the pull request +# Set 0 to add all the reviewers (default: 0) +numberOfReviewers: 1 From a2c02154b7ea27f764122739baf04c91934f5da1 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 4 May 2022 16:20:25 +0530 Subject: [PATCH 386/844] Create auto_assign.yml --- .github/workflows/auto_assign.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 .github/workflows/auto_assign.yml 
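Review bot: The closing double quote in the new error message is placed after the added sentence, so the rendered text puts the second sentence inside the quotes (e.g. `must be one of "Code Scanning,Dependency review. Either move ... category."`). Move the quote: `must be one of "${folder_categories}". Either move the workflow to an appropriate directory or change the category.`; since `folder_categories` is an array it is also printed comma-joined without spaces, so `folder_categories.join('", "')` would read better. checkWorkflow's body continues outside the hunk.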
diff --git a/.github/workflows/auto_assign.yml b/.github/workflows/auto_assign.yml new file mode 100644 index 0000000000..4dcc612879 --- /dev/null +++ b/.github/workflows/auto_assign.yml @@ -0,0 +1,10 @@ +name: 'Auto Assign' +on: + pull_request: + types: [opened, ready_for_review] + +jobs: + add-reviews: + runs-on: ubuntu-latest + steps: + - uses: kentaro-m/auto-assign-action@v1.2.1 From 49f91dc3426c0d13cb30524f991926c9abb64f9e Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 4 May 2022 16:30:09 +0530 Subject: [PATCH 387/844] Auto issue assignment --- .github/workflows/auto-assign-issues.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 .github/workflows/auto-assign-issues.yml diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml new file mode 100644 index 0000000000..b8406e9447 --- /dev/null +++ b/.github/workflows/auto-assign-issues.yml @@ -0,0 +1,15 @@ +name: Issue assignment + +on: + issues: + types: [opened] + +jobs: + auto-assign: + runs-on: ubuntu-latest + steps: + - name: 'Auto-assign issue' + uses: pozil/auto-assign-issue@v1.4.0 + with: + assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft + numOfAssignee: 1 From 52fc31bdb1e5c4cd28755f48b5c6ed09abaa65fb Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 4 May 2022 16:35:40 +0530 Subject: [PATCH 388/844] Rename auto_assign.yml to auto-assign.yml --- .github/workflows/{auto_assign.yml => auto-assign.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{auto_assign.yml => auto-assign.yml} (100%) diff --git a/.github/workflows/auto_assign.yml b/.github/workflows/auto-assign.yml similarity index 100% rename from .github/workflows/auto_assign.yml rename to .github/workflows/auto-assign.yml From 41b1bb864a4f82c9c0b08e7b1364b2d5d0943ab8 Mon Sep 17 00:00:00 2001 
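Review bot: Neither new workflow declares a `permissions:` block, so the third-party actions `kentaro-m/auto-assign-action@v1.2.1` and, in the auto-assign-issues.yml hunk on this same line, `pozil/auto-assign-issue@v1.4.0` run with whatever the repository's default GITHUB_TOKEN permissions are, rather than the least-privilege set the repo's own PR template asks for. Add `permissions:` / `  pull-requests: write` at job level to the auto-assign job and `permissions:` / `  issues: write` to the issue-assignment job, so the token each action receives can do no more than the assignment it is for; widen only if an action's documentation shows it needs more (TODO confirm). Pinning both `uses:` lines to a commit SHA with a `# vX.Y.Z` comment, as `code-scanning/scorecards.yml` does elsewhere in this series, would also make what runs with that token reproducible.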
From: Sampark Sharma Date: Wed, 4 May 2022 16:36:39 +0530 Subject: [PATCH 389/844] Adding bishal-pdmsft as a reviewer --- .github/auto_assign.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/auto_assign.yml b/.github/auto_assign.yml index 02596efa1c..696b4f833a 100644 --- a/.github/auto_assign.yml +++ b/.github/auto_assign.yml @@ -10,6 +10,7 @@ reviewers: - anuragc617 - tiwarishub - vsvipul + - bishal-pdmsft # A number of reviewers added to the pull request # Set 0 to add all the reviewers (default: 0) From 3e8902ca5688bff9a7736fff0197c2bd208b4a5f Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Thu, 5 May 2022 15:55:43 +0530 Subject: [PATCH 390/844] Add dependabot --- .github/dependabot.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000000..62283f9e3c --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,16 @@ +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options: +# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates + +version: 2 +updates: + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" From fc57d752748ceaef22641be7fa94b6a17e691e13 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Mon, 9 May 2022 11:16:42 -0700 Subject: [PATCH 391/844] use action commitment sha --- code-scanning/hadolint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml index fbbf91495f..2f554e4397 100644 --- a/code-scanning/hadolint.yml +++ b/code-scanning/hadolint.yml 
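Review bot: The `npm` entry in the new dependabot.yml points at `directory: "/"`, but the only Node code visible in this series lives under `script/validate-data/` (index.ts with a local `settings.json`); if its package manifest is there rather than at the repository root, Dependabot will find nothing to update for that ecosystem — TODO confirm where package.json lives and set `directory: "/script/validate-data"` if so. The `github-actions` entry is fine as written, since that ecosystem is configured from the root directory.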
@@ -33,7 +33,7 @@ jobs: uses: actions/checkout@v3 - name: Run hadolint - uses: hadolint/hadolint-action@v2.1.0 + uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183 with: dockerfile: ./Dockerfile format: sarif From 1100f4c7e825065833089b4f25cb045226bf4bbc Mon Sep 17 00:00:00 2001 From: fredster33 Date: Sat, 14 May 2022 07:24:17 -0700 Subject: [PATCH 392/844] Escape to pass tests --- automation/greetings.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/greetings.yml b/automation/greetings.yml index 1138ea8e16..562838f79a 100644 --- a/automation/greetings.yml +++ b/automation/greetings.yml @@ -12,5 +12,5 @@ jobs: - uses: actions/first-interaction@v1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - issue-message: 'Message that will be displayed on users' first issue' - pr-message: 'Message that will be displayed on users' first pull request' + issue-message: 'Message that will be displayed on users\' first issue' + pr-message: 'Message that will be displayed on users\' first pull request' From a3f4ca426faa51fdc07d753951ef8aa85bfb635a Mon Sep 17 00:00:00 2001 From: Federico Builes Date: Mon, 16 May 2022 13:44:34 -0700 Subject: [PATCH 393/844] Fixing typo in dependency-review-action. --- code-scanning/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 0e72a00efc..8966511e05 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml 
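Review bot: The new `uses:` line pins `hadolint/hadolint-action` to a full commit SHA, which is the right move, but it drops the human-readable version; without a trailing version comment reviewers cannot tell what the hash corresponds to when auditing or bumping it. Write it as `uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183 # v2.1.0` (presumably that tag, since it is the one the SHA replaces — confirm), matching the `# vX.Y.Z` convention used in `code-scanning/scorecards.yml` in this series.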
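Review bot: `\'` is not an escape sequence inside a YAML single-quoted scalar — the backslash is literal and the `'` still terminates the string, so `'Message that will be displayed on users\' first issue'` leaves `first issue'` dangling after the closing quote and the file does not parse. The single-quote escape is a doubled quote: `issue-message: 'Message that will be displayed on users'' first issue'` and likewise for `pr-message` (or switch both values to double quotes).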
@@ -1,6 +1,6 @@ # Dependency Review Action # -# This Action will scan dependency manifest files that change as part of a Pull Reqest, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. +# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. # # Source repository: https://github.com/actions/dependency-review-action # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement From bed5e488cf5db12055b60ea905d8f90c59ea3c56 Mon Sep 17 00:00:00 2001 From: Edward <14011954+0xedward@users.noreply.github.com> Date: Mon, 16 May 2022 18:28:59 -0400 Subject: [PATCH 394/844] Fix link to `code-scanning` directory Changed https://github.com/actions/starter-workflows/tree/main/ci to https://github.com/actions/starter-workflows/tree/main/code-scanning --- .github/pull_request_template.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 752dd99eb6..9b6c10f972 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md 
@@ -26,7 +26,7 @@ It is not: - [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests"). - [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build"). - [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification. -- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully. +- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully. **For _CI_ workflows, the workflow:** @@ -38,7 +38,7 @@ It is not: **For _Code Scanning_ workflows, the workflow:** -- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/ci). +- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/code-scanning). - [ ] Should include a matching `code-scanning/properties/*.properties.json` file (for example, [`code-scanning/properties/codeql.properties.json`](https://github.com/actions/starter-workflows/blob/main/code-scanning/properties/codeql.properties.json)), with properties set as follows: - [ ] `name`: Name of the Code Scanning integration. - [ ] `organization`: Name of the organization producing the Code Scanning integration. From fb28da064123bacb1ab14fe88c947dcf1c20aa82 Mon Sep 17 00:00:00 2001 From: fredster33 Date: Fri, 20 May 2022 16:55:27 -0700 Subject: [PATCH 395/844] Fix escaping --- automation/greetings.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/greetings.yml b/automation/greetings.yml index 562838f79a..46774343e3 100644 
--- a/automation/greetings.yml +++ b/automation/greetings.yml @@ -12,5 +12,5 @@ jobs: - uses: actions/first-interaction@v1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - issue-message: 'Message that will be displayed on users\' first issue' - pr-message: 'Message that will be displayed on users\' first pull request' + issue-message: "Message that will be displayed on users' first issue" + pr-message: "Message that will be displayed on users' first pull request" From 9f02725cf7ad47bd29fde61950948648c5abe693 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Sat, 21 May 2022 11:13:24 +0530 Subject: [PATCH 396/844] Fix the missing `on` trigger for AKS Kompose --- deployments/azure-kubernetes-service-kompose.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index 0cf23ba5ac..60fe5369ae 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -31,6 +31,12 @@ name: Build and deploy an app to AKS with Kompose +on: + push: + branches: + - $default-branch + workflow_dispatch: + env: AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" CONTAINER_NAME: "your-container-name" @@ -148,4 +154,4 @@ jobs: images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file + ${{ env.IMAGE_PULL_SECRET_NAME }} From ea7d7777b6893c6401b777663973a51be35b74c4 Mon Sep 17 00:00:00 2001 From: Jaiveer Katariya Date: Mon, 23 May 2022 14:47:39 -0400 Subject: [PATCH 397/844] added checkout step to helm starter workflow --- deployments/azure-kubernetes-service-helm.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index 510abcdebd..a6a2f4e0e8 100644 
--- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -120,6 +120,9 @@ jobs: runs-on: ubuntu-latest needs: [buildImage, createSecret] steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + # Logs in with your Azure credentials - name: Azure login uses: azure/login@v1.4.3 From 2be3a09ccb9a825bd8bfed4d2e67a00fadf21648 Mon Sep 17 00:00:00 2001 From: Jaiveer Katariya Date: Mon, 23 May 2022 14:59:13 -0400 Subject: [PATCH 398/844] removed unnecessary checkout from kustomize create-secret step --- deployments/azure-kubernetes-service-kustomize.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index 14469db4f1..d46cadbb65 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -74,9 +74,6 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - # Logs in with your Azure credentials - name: Azure login uses: azure/login@v1.4.3 From a4fc6b086e1052d83b7b3a6bae14aca6c055d20a Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez <92373106+SOOS-JAlvarez@users.noreply.github.com> Date: Tue, 24 May 2022 16:52:04 -0300 Subject: [PATCH 399/844] SOOS DAST starter action submission --- .../properties/soos-dast-scan.properties.json | 8 ++++ code-scanning/soos-dast-scan.yml | 41 +++++++++++++++++++ icons/soos.svg | 17 ++++++++ 3 files changed, 66 insertions(+) create mode 100644 code-scanning/properties/soos-dast-scan.properties.json create mode 100644 code-scanning/soos-dast-scan.yml create mode 100644 icons/soos.svg diff --git a/code-scanning/properties/soos-dast-scan.properties.json b/code-scanning/properties/soos-dast-scan.properties.json new file mode 100644 index 0000000000..b2834dfe30 --- /dev/null 
+++ b/code-scanning/properties/soos-dast-scan.properties.json @@ -0,0 +1,8 @@ +{ + "name": "SOOS DAST Scan", + "creator": "SOOS", + "description": "Integrate dynamic application security testing (DAST) and API security testing into your CI pipeline with StackHawk", + "iconName": "soos", + "categories": ["Code Scanning"] + } + \ No newline at end of file diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml new file mode 100644 index 0000000000..a16ed9eb38 --- /dev/null +++ b/code-scanning/soos-dast-scan.yml 
@@ -0,0 +1,41 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# SOOS is the easy-to-integrate software security solution for your whole team we currently, learn more at https://soos.io/ +# +# To use this action you need to fill the following requirements: +# +# 1. Create an account on https://app.soos.io to obtain a Client ID and API Key (Free 30 days trials for both our SCA/DAST product). +# +# 2. Set up your API KEY/Client ID as Github Secrets named SOOS_CLIENT_ID & SOOS_API_KEY. (Also set SOOS_GITHUB_PAT with your Github Personal Access Token if you're going to use sarif upload) +# + +name: "SOOS DAST Scan" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + +jobs: + soos: + permissions: + security-events: write # for uploading code scanning alert info + name: SOOS DAST Scan + runs-on: ubuntu-latest + steps: + - name: Run SOOS DAST Scan + uses: soos-io/soos-dast-github-action@c32a9d22e9af91ccace86aa7e76673b89c6256fd + with: + client_id: ${{ secrets.SOOS_CLIENT_ID }} + api_key: ${{ secrets.SOOS_API_KEY }} + project_name: "DAST-GitHub-Action-Test" # If you're going to use SARIF the project name should be on the form of `repoowner/reponame` or use the token github.repository + scan_mode: "baseline" + target_url: "https://www.example.com/" + sarif: true # Only set to true if you want to upload the SARIF report to Github + gpat: ${{ secrets.SOOS_GITHUB_PAT }} + + diff --git a/icons/soos.svg b/icons/soos.svg new file mode 100644 index 0000000000..17a31fcb08 --- /dev/null +++ b/icons/soos.svg @@ -0,0 +1,17 @@ + + + + + + + + + + + From a80536a617f6eb6cf9f1c398f5f163c24ec03e21 Mon Sep 17 00:00:00 2001 
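Review bot: `gpat: ${{ secrets.SOOS_GITHUB_PAT }}` hands a user personal access token to a third-party action, whereas the job itself is scoped to `security-events: write`; the header comment tells the reader to create the PAT but not which scope it needs, so users will tend to mint a broad `repo` token. State the minimal scope in the header comment and, if the action can upload SARIF with the job's own token (TODO confirm against the action's documentation), prefer `gpat: ${{ secrets.GITHUB_TOKEN }}` so no long-lived credential is involved. `target_url: "https://www.example.com/"` is a placeholder that will be scanned as-is on every push and pull request; a comment such as `# Replace with the URL of an application you own or are authorized to test` makes the intent explicit. The SHA-pinned `uses:` line would also benefit from a `# vX.Y.Z` comment like the one in scorecards.yml.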
From: laurentsimon Date: Thu, 26 May 2022 14:46:58 +0000 Subject: [PATCH 400/844] Scorecard v1.1.0 hash bump --- code-scanning/scorecards.yml | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index a6bde3a8b9..846988e489 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml 
@@ -17,37 +17,43 @@ jobs: permissions: # Needed to upload the results to code-scanning dashboard. security-events: write + # Used to receive a badge. (Upcoming feature) + id-token: write actions: read contents: read - + steps: - name: "Checkout code" - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0 + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4 + uses: ossf/scorecard-action@5c8bc69dc88b65c66584e07611df79d3579b0377 # v1.1.0 with: results_file: results.sarif results_format: sarif - # Read-only PAT token. To create it, - # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation. - repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} - # Publish the results to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories, `publish_results` will automatically be set to `false`, - # regardless of the value entered here. + # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecards on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} + + # Publish the results for public repositories to enable scorecard badges. For more details, see + # https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories, `publish_results` will automatically be set to `false`, regardless + # of the value entered here. publish_results: true - # Upload the results as artifacts (optional). + # Upload the results as artifacts (optional). 
Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 + uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 with: name: SARIF file path: results.sarif retention-days: 5 - + # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26 From 866ad3b83c8b7a0f0730c2a7ce908c46784c8a74 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 26 May 2022 14:50:13 +0000 Subject: [PATCH 401/844] updates --- code-scanning/scorecards.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 846988e489..28fb7f36cc 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -24,7 +24,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0 with: persist-credentials: false @@ -48,7 +48,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 with: name: SARIF file path: results.sarif From e2e966c9107306a40bf07c880a1259514ccfab66 Mon Sep 17 00:00:00 2001 
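Review bot: The new `id-token: write` permission is introduced with the comment `# Used to receive a badge. (Upcoming feature)`, i.e. it grants the job the ability to request an OIDC token for a feature that does not yet exist. The comment should say what the permission actually enables and when it is needed, so users who set `publish_results: false` know they can drop it — something like `# Needed to publish results and get a badge (see publish_results below); lets the job request an OIDC token.` covers both. Granting write-class permissions ahead of the feature that uses them is otherwise hard to justify in a starter template.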
From: SOOS-JAlvarez <92373106+SOOS-JAlvarez@users.noreply.github.com> Date: Fri, 27 May 2022 09:36:07 -0300 Subject: [PATCH 402/844] couple fixes from review --- code-scanning/properties/soos-dast-scan.properties.json | 5 ++--- code-scanning/soos-dast-scan.yml | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/code-scanning/properties/soos-dast-scan.properties.json b/code-scanning/properties/soos-dast-scan.properties.json index b2834dfe30..6ef5121a88 100644 --- a/code-scanning/properties/soos-dast-scan.properties.json +++ b/code-scanning/properties/soos-dast-scan.properties.json @@ -1,8 +1,7 @@ { "name": "SOOS DAST Scan", "creator": "SOOS", - "description": "Integrate dynamic application security testing (DAST) and API security testing into your CI pipeline with StackHawk", + "description": "SOOS DAST is the easy-to-integrate no-limit web vulnerability scanner. Integrate SOOS DAST with your CI pipeline to find vulnerabilities by scanning a web app or APIs.", "iconName": "soos", "categories": ["Code Scanning"] - } - \ No newline at end of file +} \ No newline at end of file diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index a16ed9eb38..75fe9ed105 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. # -# SOOS is the easy-to-integrate software security solution for your whole team we currently, learn more at https://soos.io/ +# SOOS is the easy-to-integrate software security solution for your whole team, learn more at https://soos.io/ # # To use this action you need to fill the following requirements: # 
@@ -32,7 +32,7 @@ jobs: with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} - project_name: "DAST-GitHub-Action-Test" # If you're going to use SARIF the project name should be on the form of `repoowner/reponame` or use the token github.repository + project_name: ${{ github.repository }} # If you're going to use SARIF the project name should be on the form of `repoowner/reponame` or use the token github.repository scan_mode: "baseline" target_url: "https://www.example.com/" sarif: true # Only set to true if you want to upload the SARIF report to Github From b9fbda1e7dcc2e8bc9899b02573484620eea0325 Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Mon, 30 May 2022 14:11:28 +0200 Subject: [PATCH 403/844] Add actions read permission The CodeQL Action requires this permission to collect information of the workflow run. --- code-scanning/anchore.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 6f52d5d68d..5c19cc353a 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -28,6 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # for github/codeql-action/upload-sarif to get Action run status runs-on: ubuntu-latest steps: - name: Checkout the code From 77df908268e8577f2b7955bbc9d27b46a316aae8 Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Mon, 30 May 2022 14:16:42 +0200 Subject: [PATCH 404/844] Set `fail-build` property to false Whenever a security issue is found the `scan action` fails the build and the step, which causes the workflow to fail before uploading the results to Code Scanning. This change turns the error into a warning. --- code-scanning/anchore.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 6f52d5d68d..b0e542e88a 100644 
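Review bot: The inline comment on the changed `project_name:` line is now stale — it still tells the reader to use `repoowner/reponame` or the `github.repository` token, which is exactly what the value now does. Shorten it to describe the constraint rather than the instruction, e.g. `project_name: ${{ github.repository }} # must be owner/repo for the SARIF upload to match this repository`.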
--- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -39,6 +39,7 @@ jobs: with: image: "localbuild/testimage:latest" acs-report-enable: true + fail-build: false - name: Upload Anchore Scan Report uses: github/codeql-action/upload-sarif@v2 with: From 27f5b1e9fdf42fe0686ccb89a2926a08c5ca9abe Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Tue, 31 May 2022 12:28:16 +0200 Subject: [PATCH 405/844] Add descriptive comment The `actions: read` permission is only required when the workflow is executed in a private repository. --- code-scanning/anchore.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 5c19cc353a..27531475b1 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -28,7 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # for github/codeql-action/upload-sarif to get Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#example-workflow-for-sarif-files-generated-outside-of-a-repository runs-on: ubuntu-latest steps: - name: Checkout the code From 477f6af84e7a702f1832787f81445d0c2bc33010 Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Tue, 31 May 2022 14:19:53 +0200 Subject: [PATCH 406/844] Shorten the comment The comment is shortened by removing the URL to the documentation. Co-authored-by: Sampark Sharma --- code-scanning/anchore.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 27531475b1..4fbc9f00e0 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml 
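Review bot: `fail-build: false` means the scan step now always succeeds, so nothing in this workflow fails on a vulnerable image; enforcement moves entirely to the code scanning alerts the upload step produces (and any branch protection on them). That is a reasonable trade-off given the commit message, but it is invisible in the file — write `fail-build: false # findings are reported via code scanning alerts rather than failing the job` so users understand a green job is not a clean scan. An alternative that keeps the failing signal is to leave `fail-build` at its default and give the upload step `if: always()`, provided the action still writes its SARIF output when it fails (TODO confirm).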
@@ -28,7 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#example-workflow-for-sarif-files-generated-outside-of-a-repository + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - name: Checkout the code From 45198b14e06f360979705d625fda2daa4d339653 Mon Sep 17 00:00:00 2001 From: Shaopeng Li Date: Tue, 31 May 2022 18:51:10 -0700 Subject: [PATCH 407/844] phpmd --- code-scanning/phpmd.yml | 50 ++++ .../properties/phpmd.properties.json | 6 + icons/phpmd.svg | 252 ++++++++++++++++++ 3 files changed, 308 insertions(+) create mode 100644 code-scanning/phpmd.yml create mode 100644 code-scanning/properties/phpmd.properties.json create mode 100644 icons/phpmd.svg diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml new file mode 100644 index 0000000000..9b9545ae80 --- /dev/null +++ b/code-scanning/phpmd.yml 
@@ -0,0 +1,50 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# PHPMD is a spin-off project of PHP Depend and +# aims to be a PHP equivalent of the well known Java tool PMD. +# More details at https://phpmd.org/ + +name: PHPMD + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + # workflow_dispatch: + +permissions: + contents: read + +jobs: + PHPMD: + name: Run PHPMD scanning + runs-on: ubuntu-latest + permissions: + contents: read # for checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Setup PHP + uses: shivammathur/setup-php@v2 + with: + coverage: none + tools: phpmd + + - name: Run PHPMD + run: phpmd . sarif codesize --reportfile phpmd-results.sarif + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: phpmd-results.sarif + wait-for-processing: true diff --git a/code-scanning/properties/phpmd.properties.json b/code-scanning/properties/phpmd.properties.json new file mode 100644 index 0000000000..bd95bf92ec --- /dev/null +++ b/code-scanning/properties/phpmd.properties.json @@ -0,0 +1,6 @@ +{ + "name": "PHPMD", + "description": "A spin-off project of PHP Depend and aims to be a PHP equivalent of the well known Java tool PMD.", + "iconName": "phpmd", + "categories": [ "Code Scanning", "PHP" ] +} \ No newline at end of file diff --git a/icons/phpmd.svg b/icons/phpmd.svg new file mode 100644 index 0000000000..c354f1d5a7 --- /dev/null +++ b/icons/phpmd.svg 
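Review bot: The `PHPMD` job's `permissions` block grants `contents: read` and `security-events: write` but not `actions: read`, which the anchore.yml patches on this page document as needed by `github/codeql-action/upload-sarif` in private repositories; add `actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status` for parity with the other templates. `tools: phpmd` installs whatever version setup-php resolves at run time, so results can change between runs without any change in the repository; setup-php accepts a version suffix on the tool name (`phpmd:<version>`) if reproducible results are wanted. `continue-on-error: true` on the `Run PHPMD` step means findings never fail the job and are visible only through Code Scanning alerts, which is worth stating in a comment on that line.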
@@ -0,0 +1,252 @@ + + + + +Created by potrace 1.10, written by Peter Selinger 2001-2011 + + + + + + + + + + + + + + + + + + + + + From dfd625dcc4778d68e194f62e68e5dc65ef73b88b Mon Sep 17 00:00:00 2001 From: Shaopeng Li Date: Tue, 31 May 2022 19:10:04 -0700 Subject: [PATCH 408/844] use hash --- code-scanning/phpmd.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml index 9b9545ae80..3c0a5f2d93 100644 --- a/code-scanning/phpmd.yml +++ b/code-scanning/phpmd.yml @@ -16,7 +16,6 @@ on: branches: [ $default-branch ] schedule: - cron: $cron-weekly - # workflow_dispatch: permissions: contents: read @@ -34,7 +33,7 @@ jobs: uses: actions/checkout@v3 - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@aa1fe473f9c687b6fb896056d771232c0bc41161 with: coverage: none tools: phpmd From 978c3bbb41242ad164fb5c43b4fdd3353056addc Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 1 Jun 2022 09:15:10 -0700 Subject: [PATCH 409/844] Update scorecards.yml --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 28fb7f36cc..6135414b76 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -29,7 +29,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@5c8bc69dc88b65c66584e07611df79d3579b0377 # v1.1.0 + uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # v1.1.1 with: results_file: results.sarif results_format: sarif From 74b6f422559f3c58f4adee47ffbefc98d22548e1 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 1 Jun 2022 10:50:44 -0700 Subject: [PATCH 410/844] Update scorecards.yml --- code-scanning/scorecards.yml | 1 - 1 file changed, 1 deletion(-) 
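Review bot: The new `uses: shivammathur/setup-php@aa1fe473f9c687b6fb896056d771232c0bc41161` line pins a commit but carries no human-readable release next to it, whereas the `ossf/scorecard-action` line in the scorecards hunk on this page has `# v1.1.1`; without that marker a reader cannot tell which release the hash corresponds to, and version-update tooling that keeps such comments in sync has nothing to update. Add the release the hash was taken from: `uses: shivammathur/setup-php@aa1fe473f9c687b6fb896056d771232c0bc41161 # <release tag>`. The same applies to the pinned hashes for checkmarx-cxflow-github-action, pyre-action, pysa-action, api-security-audit-action, contrastscan-action and soos-dast-github-action elsewhere on this page.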
diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 6135414b76..eed834b484 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -19,7 +19,6 @@ jobs: security-events: write # Used to receive a badge. (Upcoming feature) id-token: write - actions: read contents: read steps: From 74408a5287eb771031d02d73dbe14ed23ec90a41 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 1 Jun 2022 11:00:27 -0700 Subject: [PATCH 411/844] Update scorecards.yml --- code-scanning/scorecards.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index eed834b484..539794d6ce 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -19,7 +19,9 @@ jobs: security-events: write # Used to receive a badge. (Upcoming feature) id-token: write + # Needs for private repositories. contents: read + actions: read steps: - name: "Checkout code" From d33aefde62c5125d69e76f4dfc04aed7a0b28a12 Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez <92373106+SOOS-JAlvarez@users.noreply.github.com> Date: Thu, 2 Jun 2022 12:12:22 -0300 Subject: [PATCH 412/844] updated action version --- code-scanning/soos-dast-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 75fe9ed105..47f6c4892e 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Scan - uses: soos-io/soos-dast-github-action@c32a9d22e9af91ccace86aa7e76673b89c6256fd + uses: soos-io/soos-dast-github-action@5f8e2a1994d618e6ac9902e0f491fd1656b698e6 with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} From b812cc5edacb55ae2f748244f67187ae9cbe872b Mon Sep 17 00:00:00 2001 
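Review bot: The added comment `# Needs for private repositories.` sits above `contents: read`, which the checkout step needs regardless of repository visibility, while the permission it actually explains, `actions: read`, is added two lines below it. Move the comment onto that line and fix the grammar: `actions: read # needed for private repositories`. The enclosing job starts outside the hunk.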
From: Shaopeng Li Date: Sat, 4 Jun 2022 19:50:14 -0700 Subject: [PATCH 413/844] use new logo from repo owner --- icons/phpmd.svg | 845 ++++++++++++++++++++++++++++++++++-------------- 1 file changed, 594 insertions(+), 251 deletions(-) diff --git a/icons/phpmd.svg b/icons/phpmd.svg index c354f1d5a7..7697766915 100644 --- a/icons/phpmd.svg +++ b/icons/phpmd.svg @@ -1,252 +1,595 @@ - - - - -Created by potrace 1.10, written by Peter Selinger 2001-2011 - - - - - - - - - - - - - - - - - - - - + + + + + + + + From ab9d895e8dfdfcc309424b079d074d637b744367 Mon Sep 17 00:00:00 2001 From: satyamchaurasiapersistent <102941840+satyamchaurasiapersistent@users.noreply.github.com> Date: Mon, 6 Jun 2022 11:45:21 +0530 Subject: [PATCH 414/844] Repo Url and SHA value updated. --- code-scanning/checkmarx.yml | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index ed13389d97..1c57150a21 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml 
@@ -17,27 +17,19 @@ on: - cron: $cron-weekly # A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action -permissions: - contents: read - jobs: # This workflow contains a single job called "build" build: # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action - permissions: - contents: read # for actions/checkout to fetch code - issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues - pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 + - uses: actions/checkout@v2 # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs - name: Checkmarx CxFlow Action - uses: checkmarx-ts/checkmarx-cxflow-github-action@9975af7d6b957abec9ee9646effa3fb3b82c5314 + uses: checkmarx-ts/checkmarx-cxflow-github-action@49d8269b14ca87910ba003d47a31fa0c7a11f2fe with: project: ${{ secrets.CHECKMARX_PROJECT }} team: ${{ secrets.CHECKMARX_TEAMS }} 
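Review bot: The workflow-level `permissions: contents: read` and the job-level `permissions` block, with its per-permission explanations, are deleted without replacement, so the job token falls back to the repository's default token permissions, which can be considerably broader than the four scopes the removed block granted; the commit message mentions only the repo URL and SHA, so this looks unintended and the block should be restored. The same commit moves `actions/checkout` from `@v3` back to `@v2` here and, in the next hunk, `github/codeql-action/upload-sarif` from `@v2` back to `@v1`, reverting earlier upgrades with no stated reason. Keep the `permissions` block and the `@v3`/`@v2` references as they were and limit the change to the action hash and the `--repo-url` parameter.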
@@ -46,9 +38,9 @@ jobs: checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} scanners: sast - params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true + params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory --repo-url=${{ github.event.repository.url }} # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v1 with: sarif_file: cx.sarif From eda5a46a9546396c96ef0e05ad1840c0fbe2e060 Mon Sep 17 00:00:00 2001 From: Edward <14011954+0xedward@users.noreply.github.com> Date: Tue, 17 May 2022 19:00:28 -0400 Subject: [PATCH 415/844] Add Pyre starter workflow --- code-scanning/properties/pyre.properties.json | 7 +++ code-scanning/pyre.yml | 46 +++++++++++++++++++ icons/pyre.svg | 1 + 3 files changed, 54 insertions(+) create mode 100644 code-scanning/properties/pyre.properties.json create mode 100644 code-scanning/pyre.yml create mode 100644 icons/pyre.svg diff --git a/code-scanning/properties/pyre.properties.json b/code-scanning/properties/pyre.properties.json new file mode 100644 index 0000000000..bc123211d9 --- /dev/null +++ b/code-scanning/properties/pyre.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Pyre", + "creator": "Meta", + "description": "Pyre is a performant type checker for Python compliant with PEP 484. Pyre can analyze codebases with millions of lines of code incrementally – providing instantaneous feedback to developers as they write code.", + "iconName": "pyre", + "categories": ["Code Scanning", "Python"] +} diff --git a/code-scanning/pyre.yml b/code-scanning/pyre.yml new file mode 100644 index 0000000000..3c32e8b1d2 
--- /dev/null +++ b/code-scanning/pyre.yml @@ -0,0 +1,46 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates Pyre with GitHub's +# Code Scanning feature. +# +# Pyre is a performant type checker for Python compliant with +# PEP 484. Pyre can analyze codebases with millions of lines +# of code incrementally – providing instantaneous feedback +# to developers as they write code. +# +# See https://pyre-check.org + +name: Pyre + +on: + workflow_dispatch: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + +permissions: + contents: read + +jobs: + pyre: + permissions: + actions: read + contents: read + security-events: write + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + submodules: true + + - name: Run Pyre + uses: facebook/pyre-action@60697a7858f7cc8470d8cc494a3cf2ad6b06560d + with: + # To customize these inputs: + # See https://github.com/facebook/pyre-action#inputs + repo-directory: './' + requirements-path: 'requirements.txt' diff --git a/icons/pyre.svg b/icons/pyre.svg new file mode 100644 index 0000000000..2af14c039b --- /dev/null +++ b/icons/pyre.svg @@ -0,0 +1 @@ +Asset 1 \ No newline at end of file From 862560d6d0ce6dacc03697cf601d8e83c74520b9 Mon Sep 17 00:00:00 2001 From: Edward <14011954+0xedward@users.noreply.github.com> Date: Mon, 16 May 2022 17:42:13 -0400 Subject: [PATCH 416/844] Add workflow for Pysa https://github.com/facebook/pysa-action https://github.com/facebook/pyre-check --- code-scanning/properties/pysa.properties.json | 7 +++ code-scanning/pysa.yml | 50 +++++++++++++++++++ icons/pysa.svg | 1 + 3 files changed, 58 insertions(+) create mode 100644 code-scanning/properties/pysa.properties.json create mode 100644 code-scanning/pysa.yml create mode 100644 icons/pysa.svg 
diff --git a/code-scanning/properties/pysa.properties.json b/code-scanning/properties/pysa.properties.json new file mode 100644 index 0000000000..1a61c40dfb --- /dev/null +++ b/code-scanning/properties/pysa.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Pysa", + "creator": "Meta", + "description": "Python Static Analyzer (Pysa) is a security-focused static analysis tool that tracks flows of data from where they originate to where they terminate in a dangerous location.", + "iconName": "pysa", + "categories": ["Code Scanning", "Python"] +} diff --git a/code-scanning/pysa.yml b/code-scanning/pysa.yml new file mode 100644 index 0000000000..a9e3c817ed --- /dev/null +++ b/code-scanning/pysa.yml @@ -0,0 +1,50 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates Python Static Analyzer (Pysa) with +# GitHub's Code Scanning feature. +# +# Python Static Analyzer (Pysa) is a security-focused static +# analysis tool that tracks flows of data from where they +# originate to where they terminate in a dangerous location. +# +# See https://pyre-check.org/docs/pysa-basics/ + +name: Pysa + +on: + workflow_dispatch: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + pysa: + permissions: + actions: read + contents: read + security-events: write + + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + submodules: true + + - name: Run Pysa + uses: facebook/pysa-action@f46a63777e59268613bd6e2ff4e29f144ca9e88b + with: + # To customize these inputs: + # See https://github.com/facebook/pysa-action#inputs + repo-directory: './' + requirements-path: 'requirements.txt' + infer-types: true + include-default-sapp-filters: true 
diff --git a/icons/pysa.svg b/icons/pysa.svg new file mode 100644 index 0000000000..ed60fb1388 --- /dev/null +++ b/icons/pysa.svg @@ -0,0 +1 @@ + \ No newline at end of file From 44f8355dd3fcc819e5064577d46aeb5d0b5070a4 Mon Sep 17 00:00:00 2001 From: Anton Krasovsky Date: Tue, 7 Jun 2022 17:57:25 +0100 Subject: [PATCH 417/844] Update workflow to use the newest version of 42Crunch REST API Static Security Testing Action --- code-scanning/crunch42.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/crunch42.yml b/code-scanning/crunch42.yml index 07cd73a62c..1ac846e95a 100644 --- a/code-scanning/crunch42.yml +++ b/code-scanning/crunch42.yml @@ -46,7 +46,7 @@ jobs: - uses: actions/checkout@v3 - name: 42Crunch REST API Static Security Testing - uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1 + uses: 42Crunch/api-security-audit-action@f3a4f4d44ca6f538fe84361373d7a2a374018fdd with: # Please create free account at https://platform.42crunch.com/register # Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm From 7ba355c39e6939dea937ef47c51c708de6ec51a6 Mon Sep 17 00:00:00 2001 From: Satyam Chaurasia Date: Wed, 8 Jun 2022 06:39:55 +0530 Subject: [PATCH 418/844] Adding changes of version and repo URL issue --- code-scanning/checkmarx.yml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index 1c57150a21..e060654663 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml 
@@ -17,16 +17,24 @@ on: - cron: $cron-weekly # A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action +permissions: + contents: read + jobs: # This workflow contains a single job called "build" build: # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action + permissions: + contents: read # for actions/checkout to fetch code + issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues + pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs - name: Checkmarx CxFlow Action uses: checkmarx-ts/checkmarx-cxflow-github-action@49d8269b14ca87910ba003d47a31fa0c7a11f2fe 
@@ -38,9 +46,9 @@ jobs: checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} scanners: sast - params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory --repo-url=${{ github.event.repository.url }} + params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }} # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: cx.sarif From a54c80f225c1e6faedf983a842923f7ff81f5bfe Mon Sep 17 00:00:00 2001 From: Noah Irwin Date: Thu, 9 Jun 2022 12:52:18 +0100 Subject: [PATCH 419/844] Adds Contrast Scan workflow --- code-scanning/contrast-scan.yml | 43 +++++++++++++++++++ .../properties/contrast-scan.properties.json | 7 +++ icons/contrast.svg | 16 +++++++ 3 files changed, 66 insertions(+) create mode 100644 code-scanning/contrast-scan.yml create mode 100644 code-scanning/properties/contrast-scan.properties.json create mode 100644 icons/contrast.svg diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml new file mode 100644 index 0000000000..0c8fe6b17a --- /dev/null +++ b/code-scanning/contrast-scan.yml 
@@ -0,0 +1,43 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow will initiate a Contrast Scan on your built artifact, and subsequently upload the results SARIF to Github. + +# Pre-requisites: +# All Contrast related account secrets should be configured as GitHub secrets to be passed as inputs to the Contrast Scan Action. +# The required secrets are CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID and CONTRAST_AUTH_HEADER. + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +name: Scan analyze workflow +jobs: + build-and-scan: + runs-on: ubuntu-latest + # check out project + steps: + - uses: actions/checkout@v3 + # Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here. + # -name: Build Project + # ... + # Scan Artifact + - name: Contrast Scan Action + uses: Contrast-Security-OSS/contrastscan-action@092c4e12ee0ee37b6116275f06efea84b2fe9d1a + with: + artifact: mypath/target/myartifact.jar # replace this path with the path to your built artifact + apiKey: ${{ secrets.CONTRAST_API_KEY }} + orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }} + authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} + #Upload the results to GitHub + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output diff --git a/code-scanning/properties/contrast-scan.properties.json b/code-scanning/properties/contrast-scan.properties.json new file mode 100644 index 0000000000..67369b8fa6 --- /dev/null +++ b/code-scanning/properties/contrast-scan.properties.json 
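Review bot: The `build-and-scan` job has no `permissions:` block, so it runs with the repository's default token scopes; its two steps need only `contents: read` for checkout and `security-events: write` for the SARIF upload, and a job-level `permissions` with just those two keeps the template least-privilege like the others on this page. The commented build placeholder `# -name: Build Project` is not valid step syntax once uncommented; write it as `# - name: Build Project` so it can be copied as-is, and put a space after the hash in `#Upload the results to GitHub`. `name: Scan analyze workflow` appears after the `on:` block, unlike the other starter workflows here, which put `name:` first.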
@@ -0,0 +1,7 @@ +{ + "name": "Contrast Scan", + "creator": "Contrast Security Inc", + "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerabilities to the repository.", + "iconName": "contrast", + "categories": ["Code Scanning", "java", "javascript", "dotnet"] +} \ No newline at end of file diff --git a/icons/contrast.svg b/icons/contrast.svg new file mode 100644 index 0000000000..7680157bc0 --- /dev/null +++ b/icons/contrast.svg @@ -0,0 +1,16 @@ + + + + + + + + From ad064a4af4a41be5048d447468dc06ef59b4036d Mon Sep 17 00:00:00 2001 From: Noah Irwin Date: Fri, 10 Jun 2022 11:35:06 +0100 Subject: [PATCH 420/844] Updates from PR feedback --- code-scanning/contrast-scan.yml | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml index 0c8fe6b17a..e822508507 100644 --- a/code-scanning/contrast-scan.yml +++ b/code-scanning/contrast-scan.yml @@ -4,6 +4,9 @@ # documentation. # This workflow will initiate a Contrast Scan on your built artifact, and subsequently upload the results SARIF to Github. +# Because Contrast Scan is designed to run against your deployable artifact, you need to build an artifact that will be passed to the Contrast Scan Action. +# Contrast Scan currently supports Java, JavaScript and .NET artifacts. +# For more information about the Contrast Scan GitHub Action see here: https://github.com/Contrast-Security-OSS/contrastscan-action # Pre-requisites: # All Contrast related account secrets should be configured as GitHub secrets to be passed as inputs to the Contrast Scan Action. @@ -21,6 +24,9 @@ on: name: Scan analyze workflow jobs: build-and-scan: + permissions: + contents: read # for actions/checkout + security-events: write # for github/codeql-action/upload-sarif runs-on: ubuntu-latest # check out project steps: 
@@ -30,12 +36,12 @@ jobs: # ... # Scan Artifact - name: Contrast Scan Action - uses: Contrast-Security-OSS/contrastscan-action@092c4e12ee0ee37b6116275f06efea84b2fe9d1a - with: - artifact: mypath/target/myartifact.jar # replace this path with the path to your built artifact - apiKey: ${{ secrets.CONTRAST_API_KEY }} - orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }} - authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} + uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1 + with: + artifact: mypath/target/myartifact.jar # replace this path with the path to your built artifact + apiKey: ${{ secrets.CONTRAST_API_KEY }} + orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }} + authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} #Upload the results to GitHub - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 From 5f8fa2190b68e24e1922720865c66a10c9739525 Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez <92373106+SOOS-JAlvarez@users.noreply.github.com> Date: Fri, 10 Jun 2022 15:31:19 -0300 Subject: [PATCH 421/844] use codeql upload sarif action --- code-scanning/soos-dast-scan.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 47f6c4892e..8969db08da 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml 
@@ -24,18 +24,22 @@ jobs: soos: permissions: security-events: write # for uploading code scanning alert info + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: SOOS DAST Scan runs-on: ubuntu-latest steps: - name: Run SOOS DAST Scan - uses: soos-io/soos-dast-github-action@5f8e2a1994d618e6ac9902e0f491fd1656b698e6 + uses: soos-io/soos-dast-github-action@5f8c23ccf8366ea0a58deeb5c804e0524267df43 with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} - project_name: ${{ github.repository }} # If you're going to use SARIF the project name should be on the form of `repoowner/reponame` or use the token github.repository + project_name: "" scan_mode: "baseline" target_url: "https://www.example.com/" - sarif: true # Only set to true if you want to upload the SARIF report to Github - gpat: ${{ secrets.SOOS_GITHUB_PAT }} + output_format: "sarif" + - name: Upload SOOS DAST SARIF Report + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif From 66d01dd6da6cc6d7770d1c579799dd00b2259cc6 Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez <92373106+SOOS-JAlvarez@users.noreply.github.com> Date: Mon, 13 Jun 2022 08:50:37 -0300 Subject: [PATCH 422/844] code review - put exact hash of release --- code-scanning/soos-dast-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 8969db08da..cf3b1b7bad 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -29,7 +29,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Scan - uses: soos-io/soos-dast-github-action@5f8c23ccf8366ea0a58deeb5c804e0524267df43 + uses: soos-io/soos-dast-github-action@b524e2cfbc4f4a5733153a7e624f569913f6c6e9 with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} From a0d1fc31f74beaedb766543246743db312c31c30 Mon Sep 17 00:00:00 2001 
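Review bot: `project_name: ""` replaces the `${{ github.repository }}` value with an empty string, and the removed comment on that line said SARIF needs the `owner/repo` form; unless the action derives a name on its own, restore `project_name: ${{ github.repository }}` or mark the empty value as one the user must fill in. The upload step hard-codes `sarif_file: results.sarif`, which presumes the SOOS action writes to that path when `output_format: "sarif"` is set; a comment on the `output_format` line naming that default would make the coupling visible. Dropping the `gpat` personal-access-token secret in favour of the built-in token and `upload-sarif` is a good reduction of long-lived credentials.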
From: Shaopeng Li Date: Mon, 13 Jun 2022 13:38:09 -0700 Subject: [PATCH 423/844] Add what PHPMD does --- code-scanning/phpmd.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml index 3c0a5f2d93..68e082eaea 100644 --- a/code-scanning/phpmd.yml +++ b/code-scanning/phpmd.yml @@ -2,6 +2,13 @@ # They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support # documentation. +# What PHPMD does is: It takes a given PHP source code base +# and look for several potential problems within that source. +# These problems can be things like: +# Possible bugs +# Suboptimal code +# Overcomplicated expressions +# Unused parameters, methods, properties # PHPMD is a spin-off project of PHP Depend and # aims to be a PHP equivalent of the well known Java tool PMD. # More details at https://phpmd.org/ From 5864b8200b647d56d3f99013661a16204d76451c Mon Sep 17 00:00:00 2001 From: Shaopeng Li Date: Tue, 14 Jun 2022 03:20:43 -0700 Subject: [PATCH 424/844] move `What PHPMD does is...` below `PHPMD is a spin-off...` --- code-scanning/phpmd.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml index 68e082eaea..91f4b2d09d 100644 --- a/code-scanning/phpmd.yml +++ b/code-scanning/phpmd.yml @@ -2,6 +2,8 @@ # They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support # documentation. +# PHPMD is a spin-off project of PHP Depend and +# aims to be a PHP equivalent of the well known Java tool PMD. # What PHPMD does is: It takes a given PHP source code base # and look for several potential problems within that source. # These problems can be things like: 
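Review bot: The added header comment reads `and look for several potential problems`, which should be `and looks for`. The four problem types that follow would also read better as list items, `#   - Possible bugs` and so on, so they are not mistaken for a continuation of the sentence.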
@@ -9,8 +11,6 @@ # Suboptimal code # Overcomplicated expressions # Unused parameters, methods, properties -# PHPMD is a spin-off project of PHP Depend and -# aims to be a PHP equivalent of the well known Java tool PMD. # More details at https://phpmd.org/ name: PHPMD From 191e0166339c8ab513d25af99ce94048b957db69 Mon Sep 17 00:00:00 2001 From: Julien Richard-Foy Date: Tue, 14 Jun 2022 18:02:02 +0200 Subject: [PATCH 425/844] Enable caching by default As shown in the documentation, enable caching by default. --- ci/scala.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ci/scala.yml b/ci/scala.yml index c985f742af..6f80a22cff 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -21,5 +21,6 @@ jobs: with: java-version: '11' distribution: 'temurin' + cache: 'sbt' - name: Run tests run: sbt test From 746c698c90f01168f2f0bdfda89de9b7b9676cd8 Mon Sep 17 00:00:00 2001 From: Nick Schonning Date: Fri, 10 Dec 2021 20:21:44 -0500 Subject: [PATCH 426/844] chore: upgrade package-lock.json to v2 --- script/sync-ghes/package-lock.json | 160 +++++++++++++++++++++- script/validate-data/package-lock.json | 177 ++++++++++++++++++++++++- 2 files changed, 334 insertions(+), 3 deletions(-) diff --git a/script/sync-ghes/package-lock.json b/script/sync-ghes/package-lock.json index ebcd318060..768bbda918 100644 --- a/script/sync-ghes/package-lock.json +++ b/script/sync-ghes/package-lock.json 
@@ -1,8 +1,166 @@ { "name": "sync-ghes-actions", "version": "1.0.0", - "lockfileVersion": 1, + "lockfileVersion": 2, "requires": true, + "packages": { + "": { + "name": "sync-ghes-actions", + "version": "1.0.0", + "license": "MIT", + "dependencies": { + "js-yaml": "^3.13.1" + }, + "devDependencies": { + "@types/js-yaml": "^3.12.4", + "@types/node": "^14.0.1", + "ts-node": "^8.10.1", + "typescript": "^3.9.2" + } + }, + "node_modules/@types/js-yaml": { + "version": "3.12.4", + "resolved": "https://registry.npmjs.org/@types/js-yaml/-/js-yaml-3.12.4.tgz", + "integrity": "sha512-fYMgzN+9e28R81weVN49inn/u798ruU91En1ZnGvSZzCRc5jXx9B2EDhlRaWmcO1RIxFHL8AajRXzxDuJu93+A==", + "dev": true + }, + "node_modules/@types/node": { + "version": "14.0.1", + "resolved": "https://registry.npmjs.org/@types/node/-/node-14.0.1.tgz", + "integrity": "sha512-FAYBGwC+W6F9+huFIDtn43cpy7+SzG+atzRiTfdp3inUKL2hXnd4rG8hylJLIh4+hqrQy1P17kvJByE/z825hA==", + "dev": true + }, + "node_modules/arg": { + "version": "4.1.3", + "resolved": "https://registry.npmjs.org/arg/-/arg-4.1.3.tgz", + "integrity": "sha512-58S9QDqG0Xx27YwPSt9fJxivjYl432YCwfDMfZ+71RAqUrZef7LrKQZ3LHLOwCS4FLNBplP533Zx895SeOCHvA==", + "dev": true + }, + "node_modules/argparse": { + "version": "1.0.10", + "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.10.tgz", + "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==", + "dependencies": { + "sprintf-js": "~1.0.2" + } + }, + "node_modules/buffer-from": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.1.tgz", + "integrity": "sha512-MQcXEUbCKtEo7bhqEs6560Hyd4XaovZlO/k9V3hjVUF/zwW7KBVdSK4gIt/bzwS9MbR5qob+F5jusZsb0YQK2A==", + "dev": true + }, + "node_modules/diff": { + "version": "4.0.2", + "resolved": "https://registry.npmjs.org/diff/-/diff-4.0.2.tgz", + "integrity": "sha512-58lmxKSA4BNyLz+HHMUzlOEpg09FV+ev6ZMe3vJihgdxzgcwZ8VoEEPmALCZG9LmqfVoNMMKpttIYTVG6uDY7A==", + "dev": true, 
+ "engines": { + "node": ">=0.3.1" + } + }, + "node_modules/esprima": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz", + "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==", + "bin": { + "esparse": "bin/esparse.js", + "esvalidate": "bin/esvalidate.js" + }, + "engines": { + "node": ">=4" + } + }, + "node_modules/js-yaml": { + "version": "3.13.1", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.13.1.tgz", + "integrity": "sha512-YfbcO7jXDdyj0DGxYVSlSeQNHbD7XPWvrVWeVUujrQEoZzWJIRrCPoyk6kL6IAjAG2IolMK4T0hNUe0HOUs5Jw==", + "dependencies": { + "argparse": "^1.0.7", + "esprima": "^4.0.0" + }, + "bin": { + "js-yaml": "bin/js-yaml.js" + } + }, + "node_modules/make-error": { + "version": "1.3.6", + "resolved": "https://registry.npmjs.org/make-error/-/make-error-1.3.6.tgz", + "integrity": "sha512-s8UhlNe7vPKomQhC1qFelMokr/Sc3AgNbso3n74mVPA5LTZwkB9NlXf4XPamLxJE8h0gh73rM94xvwRT2CVInw==", + "dev": true + }, + "node_modules/source-map": { + "version": "0.6.1", + "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz", + "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==", + "dev": true, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/source-map-support": { + "version": "0.5.19", + "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.5.19.tgz", + "integrity": "sha512-Wonm7zOCIJzBGQdB+thsPar0kYuCIzYvxZwlBa87yi/Mdjv7Tip2cyVbLj5o0cFPN4EVkuTwb3GDDyUx2DGnGw==", + "dev": true, + "dependencies": { + "buffer-from": "^1.0.0", + "source-map": "^0.6.0" + } + }, + "node_modules/sprintf-js": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", + "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=" + }, + "node_modules/ts-node": { + "version": "8.10.1", + "resolved": 
"https://registry.npmjs.org/ts-node/-/ts-node-8.10.1.tgz", + "integrity": "sha512-bdNz1L4ekHiJul6SHtZWs1ujEKERJnHs4HxN7rjTyyVOFf3HaJ6sLqe6aPG62XTzAB/63pKRh5jTSWL0D7bsvw==", + "dev": true, + "dependencies": { + "arg": "^4.1.0", + "diff": "^4.0.1", + "make-error": "^1.1.1", + "source-map-support": "^0.5.17", + "yn": "3.1.1" + }, + "bin": { + "ts-node": "dist/bin.js", + "ts-node-script": "dist/bin-script.js", + "ts-node-transpile-only": "dist/bin-transpile.js", + "ts-script": "dist/bin-script-deprecated.js" + }, + "engines": { + "node": ">=6.0.0" + }, + "peerDependencies": { + "typescript": ">=2.7" + } + }, + "node_modules/typescript": { + "version": "3.9.2", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz", + "integrity": "sha512-q2ktq4n/uLuNNShyayit+DTobV2ApPEo/6so68JaD5ojvc/6GClBipedB9zNWYxRSAlZXAe405Rlijzl6qDiSw==", + "dev": true, + "bin": { + "tsc": "bin/tsc", + "tsserver": "bin/tsserver" + }, + "engines": { + "node": ">=4.2.0" + } + }, + "node_modules/yn": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz", + "integrity": "sha512-Ux4ygGWsu2c7isFWe8Yu1YluJmqVhxqK2cLXNQA5AcC3QfbGNpM7fu0Y8b/z16pXLnFxZYvWhd3fhBY9DLmC6Q==", + "dev": true, + "engines": { + "node": ">=6" + } + } + }, "dependencies": { "@types/js-yaml": { "version": "3.12.4", diff --git a/script/validate-data/package-lock.json b/script/validate-data/package-lock.json index 8839d6ab1e..e660b6a1ae 100644 --- a/script/validate-data/package-lock.json +++ b/script/validate-data/package-lock.json 
@@ -1,8 +1,181 @@ { - "name": "sync-ghes-actions", + "name": "validate-data", "version": "1.0.0", - "lockfileVersion": 1, + "lockfileVersion": 2, "requires": true, + "packages": { + "": { + "name": "validate-data", + "version": "1.0.0", + "license": "MIT", + "dependencies": { + "@actions/core": "^1.2.6", + "js-yaml": "^3.13.1", + "jsonschema": "^1.2.6" + }, + "devDependencies": { + "@types/js-yaml": "^3.12.4", + "@types/node": "^14.0.1", + "ts-node": "^8.10.1", + "typescript": "^3.9.2" + } + }, + "node_modules/@actions/core": { + "version": "1.2.6", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz", + "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA==" + }, + "node_modules/@types/js-yaml": { + "version": "3.12.4", + "resolved": "https://registry.npmjs.org/@types/js-yaml/-/js-yaml-3.12.4.tgz", + "integrity": "sha512-fYMgzN+9e28R81weVN49inn/u798ruU91En1ZnGvSZzCRc5jXx9B2EDhlRaWmcO1RIxFHL8AajRXzxDuJu93+A==", + "dev": true + }, + "node_modules/@types/node": { + "version": "14.0.1", + "resolved": "https://registry.npmjs.org/@types/node/-/node-14.0.1.tgz", + "integrity": "sha512-FAYBGwC+W6F9+huFIDtn43cpy7+SzG+atzRiTfdp3inUKL2hXnd4rG8hylJLIh4+hqrQy1P17kvJByE/z825hA==", + "dev": true + }, + "node_modules/arg": { + "version": "4.1.3", + "resolved": "https://registry.npmjs.org/arg/-/arg-4.1.3.tgz", + "integrity": "sha512-58S9QDqG0Xx27YwPSt9fJxivjYl432YCwfDMfZ+71RAqUrZef7LrKQZ3LHLOwCS4FLNBplP533Zx895SeOCHvA==", + "dev": true + }, + "node_modules/argparse": { + "version": "1.0.10", + "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.10.tgz", + "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==", + "dependencies": { + "sprintf-js": "~1.0.2" + } + }, + "node_modules/buffer-from": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.1.tgz", + "integrity": 
"sha512-MQcXEUbCKtEo7bhqEs6560Hyd4XaovZlO/k9V3hjVUF/zwW7KBVdSK4gIt/bzwS9MbR5qob+F5jusZsb0YQK2A==", + "dev": true + }, + "node_modules/diff": { + "version": "4.0.2", + "resolved": "https://registry.npmjs.org/diff/-/diff-4.0.2.tgz", + "integrity": "sha512-58lmxKSA4BNyLz+HHMUzlOEpg09FV+ev6ZMe3vJihgdxzgcwZ8VoEEPmALCZG9LmqfVoNMMKpttIYTVG6uDY7A==", + "dev": true, + "engines": { + "node": ">=0.3.1" + } + }, + "node_modules/esprima": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz", + "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==", + "bin": { + "esparse": "bin/esparse.js", + "esvalidate": "bin/esvalidate.js" + }, + "engines": { + "node": ">=4" + } + }, + "node_modules/js-yaml": { + "version": "3.13.1", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.13.1.tgz", + "integrity": "sha512-YfbcO7jXDdyj0DGxYVSlSeQNHbD7XPWvrVWeVUujrQEoZzWJIRrCPoyk6kL6IAjAG2IolMK4T0hNUe0HOUs5Jw==", + "dependencies": { + "argparse": "^1.0.7", + "esprima": "^4.0.0" + }, + "bin": { + "js-yaml": "bin/js-yaml.js" + } + }, + "node_modules/jsonschema": { + "version": "1.2.6", + "resolved": "https://registry.npmjs.org/jsonschema/-/jsonschema-1.2.6.tgz", + "integrity": "sha512-SqhURKZG07JyKKeo/ir24QnS4/BV7a6gQy93bUSe4lUdNp0QNpIz2c9elWJQ9dpc5cQYY6cvCzgRwy0MQCLyqA==", + "engines": { + "node": "*" + } + }, + "node_modules/make-error": { + "version": "1.3.6", + "resolved": "https://registry.npmjs.org/make-error/-/make-error-1.3.6.tgz", + "integrity": "sha512-s8UhlNe7vPKomQhC1qFelMokr/Sc3AgNbso3n74mVPA5LTZwkB9NlXf4XPamLxJE8h0gh73rM94xvwRT2CVInw==", + "dev": true + }, + "node_modules/source-map": { + "version": "0.6.1", + "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz", + "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==", + "dev": true, + "engines": { + "node": ">=0.10.0" + } + }, + 
"node_modules/source-map-support": { + "version": "0.5.19", + "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.5.19.tgz", + "integrity": "sha512-Wonm7zOCIJzBGQdB+thsPar0kYuCIzYvxZwlBa87yi/Mdjv7Tip2cyVbLj5o0cFPN4EVkuTwb3GDDyUx2DGnGw==", + "dev": true, + "dependencies": { + "buffer-from": "^1.0.0", + "source-map": "^0.6.0" + } + }, + "node_modules/sprintf-js": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", + "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=" + }, + "node_modules/ts-node": { + "version": "8.10.1", + "resolved": "https://registry.npmjs.org/ts-node/-/ts-node-8.10.1.tgz", + "integrity": "sha512-bdNz1L4ekHiJul6SHtZWs1ujEKERJnHs4HxN7rjTyyVOFf3HaJ6sLqe6aPG62XTzAB/63pKRh5jTSWL0D7bsvw==", + "dev": true, + "dependencies": { + "arg": "^4.1.0", + "diff": "^4.0.1", + "make-error": "^1.1.1", + "source-map-support": "^0.5.17", + "yn": "3.1.1" + }, + "bin": { + "ts-node": "dist/bin.js", + "ts-node-script": "dist/bin-script.js", + "ts-node-transpile-only": "dist/bin-transpile.js", + "ts-script": "dist/bin-script-deprecated.js" + }, + "engines": { + "node": ">=6.0.0" + }, + "peerDependencies": { + "typescript": ">=2.7" + } + }, + "node_modules/typescript": { + "version": "3.9.2", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz", + "integrity": "sha512-q2ktq4n/uLuNNShyayit+DTobV2ApPEo/6so68JaD5ojvc/6GClBipedB9zNWYxRSAlZXAe405Rlijzl6qDiSw==", + "dev": true, + "bin": { + "tsc": "bin/tsc", + "tsserver": "bin/tsserver" + }, + "engines": { + "node": ">=4.2.0" + } + }, + "node_modules/yn": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz", + "integrity": "sha512-Ux4ygGWsu2c7isFWe8Yu1YluJmqVhxqK2cLXNQA5AcC3QfbGNpM7fu0Y8b/z16pXLnFxZYvWhd3fhBY9DLmC6Q==", + "dev": true, + "engines": { + "node": ">=6" + } + } + }, "dependencies": { "@actions/core": { "version": "1.2.6", 
From f13e67688e4d309342ada48c6c463d0c17e17d5c Mon Sep 17 00:00:00 2001 From: Nick Schonning Date: Sun, 16 Jan 2022 17:36:35 -0500 Subject: [PATCH 427/844] ci: use Node 16 with caching for internal actions --- .github/workflows/sync-ghes.yaml | 4 +++- .github/workflows/validate-data.yaml | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index fb9c623f20..aba778071e 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -18,7 +18,9 @@ jobs: git config user.name "GitHub Actions" - uses: actions/setup-node@v3 with: - node-version: '12' + node-version: '16' + cache: 'npm' + cache-dependency-path: script/sync-ghes/package-lock.json - name: Check starter workflows for GHES compat run: | npm ci diff --git a/.github/workflows/validate-data.yaml b/.github/workflows/validate-data.yaml index d2ac9a52db..7f8701d5cc 100644 --- a/.github/workflows/validate-data.yaml +++ b/.github/workflows/validate-data.yaml @@ -14,7 +14,9 @@ jobs: - uses: actions/setup-node@v3 with: - node-version: "12" + node-version: '16' + cache: 'npm' + cache-dependency-path: script/validate-data/package-lock.json - name: Validate workflows run: | From c369c58c3b3a1f95ed4b9bfabc69d58e60fab4c5 Mon Sep 17 00:00:00 2001 
From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Sun, 19 Jun 2022 23:24:36 -0700 Subject: [PATCH 428/844] =?UTF-8?q?=E2=9C=A8=20Add=20entry=20for=20SLSA=20?= =?UTF-8?q?Go=20builder=20(#1600)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add entry fo Go builder * updates * updates * updates * updates * updates * updates * updates * updates * updates * rename icon * updates * updates * updates * updates * updates * updates * disclaimer * fix icon name * updates * updates * comments --- ci/go-ossf-slsa3-publish.yml | 35 +++++++++++++++++++ .../go-ossf-slsa3-publish.properties.json | 7 ++++ icons/go-ossf-slsa3-publish.svg | 11 ++++++ 3 files changed, 53 insertions(+) create mode 100644 ci/go-ossf-slsa3-publish.yml create mode 100644 ci/properties/go-ossf-slsa3-publish.properties.json create mode 100644 icons/go-ossf-slsa3-publish.svg diff --git a/ci/go-ossf-slsa3-publish.yml b/ci/go-ossf-slsa3-publish.yml new file mode 100644 index 0000000000..09c98c084a --- /dev/null +++ b/ci/go-ossf-slsa3-publish.yml 
@@ -0,0 +1,35 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow lets you compile your Go project using a SLSA3 compliant builder. +# This workflow will generate a so-called "provenance" file describing the steps +# that were performed to generate the final binary. +# The project is an initiative of the OpenSSF (openssf.org) and is developed at +# https://github.com/slsa-framework/slsa-github-generator. +# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. +# For more information about SLSA and how it improves the supply-chain, visit slsa.dev. + +name: SLSA Go releaser +on: + workflow_dispatch: + release: + types: [created] + +permissions: read-all + +jobs: + build: + permissions: + id-token: write # To sign. + contents: write # To upload release assets. + actions: read # To read workflow path. + # If you need more configuration options, such as ldflag examples, + # visit https://github.com/slsa-framework/slsa-github-generator#golang-projects. + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.0.0 + with: + # By default, the config file is .slsa-goreleaser.yml in the root directory. + # The format of the config file is described in + # https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file. + go-version: 1.17 diff --git a/ci/properties/go-ossf-slsa3-publish.properties.json b/ci/properties/go-ossf-slsa3-publish.properties.json new file mode 100644 index 0000000000..2d58eaffd4 --- /dev/null +++ b/ci/properties/go-ossf-slsa3-publish.properties.json 
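Review bot: `go-version: 1.17` on the last line of the hunk is an unquoted plain scalar and is read as a float; 1.17 survives, but the same field set to 1.10 or 1.20 would silently become 1.1/1.2, so write it as a string, `go-version: '1.17'`, matching how `java-version: '11'` is quoted elsewhere in this series. The reusable builder is referenced by tag (`@v1.0.0`) while the other third-party actions in this repository are pinned to commit SHAs; if that is deliberate because the SLSA builder is meant to be referenced by tag (as I recall its documentation requires), a one-line comment above the `uses:` line would stop a later reviewer from "fixing" it to a hash. The narrow job-level `id-token`/`contents`/`actions` grants under a top-level `permissions: read-all` are the right shape and need no change.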
@@ -0,0 +1,7 @@ +{ + "name": "SLSA Go releaser", + "creator": "Open Source Security Foundation (OpenSSF)", + "description": "Compile your Go project using a SLSA3 compliant builder", + "iconName": "go-ossf-slsa3-publish", + "categories": ["Continuous integration", "Go"] +} diff --git a/icons/go-ossf-slsa3-publish.svg b/icons/go-ossf-slsa3-publish.svg new file mode 100644 index 0000000000..ea7746896d --- /dev/null +++ b/icons/go-ossf-slsa3-publish.svg @@ -0,0 +1,11 @@ + + + + + + + + + + + From 3a8411e0fd6e81d48b98b81bb46c40d74658e301 Mon Sep 17 00:00:00 2001 From: Noah Irwin Date: Mon, 20 Jun 2022 11:44:08 +0100 Subject: [PATCH 429/844] Add workflow permissions --- code-scanning/contrast-scan.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml index e822508507..61ffd7a09c 100644 --- a/code-scanning/contrast-scan.yml +++ b/code-scanning/contrast-scan.yml @@ -21,6 +21,9 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + name: Scan analyze workflow jobs: build-and-scan: From 39cdb74736f7e54cd027748ea4fac30a7e47f7bf Mon Sep 17 00:00:00 2001 From: Daz DeBoer Date: Mon, 20 Jun 2022 09:13:25 -0600 Subject: [PATCH 430/844] Update to v2.2.1 of gradle-build-action --- ci/gradle-publish.yml | 4 ++-- ci/gradle.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 9aeb2b85fe..42eae2721b 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml 
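Review bot: A top-level `permissions:` block with only `contents: read` resets every other token scope to none for all jobs, so any job that relied on the default token now needs its own grant; the `build-and-scan` job body lies outside the hunk, and if it uploads SARIF through `github/codeql-action/upload-sarif` it must declare `security-events: write` (and, for private repositories, `actions: read`) at the job level, as the puppet-lint workflow later in this series does. A comment on the new block, `# Least-privilege default; jobs that need more must declare their own permissions`, would make the intent explicit. Placing `permissions:` between `on:` and `name:` also reads oddly; moving it after `name:` keeps the usual key order.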
@@ -30,14 +30,14 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Build with Gradle - uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee + uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1 with: arguments: build # The USERNAME and TOKEN need to correspond to the credentials environment variables used in # the publishing section of your build.gradle - name: Publish to GitHub Packages - uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee + uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1 with: arguments: publish env: diff --git a/ci/gradle.yml b/ci/gradle.yml index 4642c755a2..0c0f12cda6 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -29,6 +29,6 @@ jobs: java-version: '11' distribution: 'temurin' - name: Build with Gradle - uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee + uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1 with: arguments: build From c85125e5394aa3157d87b34291af34a2c4756537 Mon Sep 17 00:00:00 2001 From: Dan Lorenc Date: Wed, 15 Jun 2022 15:20:38 -0500 Subject: [PATCH 431/844] Update cosign to 1.9.0 Signed-off-by: Dan Lorenc --- ci/docker-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 2f68e661b9..71aff41d47 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -41,9 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@d6a3abf1bdea83574e28d40543793018b6035605 + uses: sigstore/cosign-installer@7e0881f8fe90b25e305bbf0309761e9314607e25 with: - cosign-release: 'v1.7.1' + cosign-release: 'v1.9.0' # Workaround: https://github.com/docker/build-push-action/issues/461 From c91d79cf303724f7fd80537f25a0a4cb0fb1abd8 Mon Sep 17 00:00:00 2001 
From: Austen Stone Date: Wed, 22 Jun 2022 07:40:07 -0400 Subject: [PATCH 432/844] Update tfsec.yml (#1616) --- code-scanning/tfsec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 6536fbefe9..77f81566ba 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -27,7 +27,7 @@ jobs: uses: actions/checkout@v3 - name: Run tfsec - uses: tfsec/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f + uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f with: sarif_file: tfsec.sarif From 7ae8d12d9ac5aa4a27e5ed1884c54f97d39c78ae Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 22 Jun 2022 04:45:15 -0700 Subject: [PATCH 433/844] updates (#1615) Co-authored-by: Bishal Prasad --- ci/go-ossf-slsa3-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/go-ossf-slsa3-publish.yml b/ci/go-ossf-slsa3-publish.yml index 09c98c084a..3f1b732627 100644 --- a/ci/go-ossf-slsa3-publish.yml +++ b/ci/go-ossf-slsa3-publish.yml @@ -27,7 +27,7 @@ jobs: actions: read # To read workflow path. # If you need more configuration options, such as ldflag examples, # visit https://github.com/slsa-framework/slsa-github-generator#golang-projects. - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.0.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.1.1 with: # By default, the config file is .slsa-goreleaser.yml in the root directory. # The format of the config file is described in From be331aaa2f5c266fdcfe007cb93d0358f956e6a2 Mon Sep 17 00:00:00 2001 
From: Shaopeng Li Date: Wed, 22 Jun 2022 17:54:14 -0700 Subject: [PATCH 434/844] Add puppet-lint starter workflow --- .../properties/puppet-lint.properties.json | 6 ++ code-scanning/puppet-lint.yml | 54 +++++++++++ icons/puppet-lint.svg | 95 +++++++++++++++++++ 3 files changed, 155 insertions(+) create mode 100644 code-scanning/properties/puppet-lint.properties.json create mode 100644 code-scanning/puppet-lint.yml create mode 100644 icons/puppet-lint.svg diff --git a/code-scanning/properties/puppet-lint.properties.json b/code-scanning/properties/puppet-lint.properties.json new file mode 100644 index 0000000000..62ebd9ec9a --- /dev/null +++ b/code-scanning/properties/puppet-lint.properties.json @@ -0,0 +1,6 @@ +{ + "name": "puppet-lint", + "description": "Puppet Lint tests Puppet code against the recommended Puppet language style guide.", + "iconName": "puppet-lint", + "categories": [ "Code Scanning", "Puppet" ] +} \ No newline at end of file diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml new file mode 100644 index 0000000000..682c6a9e34 --- /dev/null +++ b/code-scanning/puppet-lint.yml 
@@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# Puppet Lint tests Puppet code against the recommended Puppet language style guide. +# https://puppet.com/docs/puppet/7/style_guide.html +# Puppet Lint validates only code style; it does not validate syntax. +# To test syntax, use Puppet's puppet parser validate command. +# More details at https://github.com/puppetlabs/puppet-lint/ + +name: puppet-lint + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + puppet-lint: + name: Run puppet-lint scanning + runs-on: ubuntu-latest + permissions: + contents: read # for checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Setup Ruby + uses: ruby/setup-ruby@v1 + with: + ruby-version: 2.7 + bundler-cache: true + + - name: Install puppet-lint + run: gem install puppet-lint + + - name: Run puppet-lint + run: puppet-lint . --sarif > puppet-lint-results.sarif + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: puppet-lint-results.sarif + wait-for-processing: true diff --git a/icons/puppet-lint.svg b/icons/puppet-lint.svg new file mode 100644 index 0000000000..c2e2cf7a33 --- /dev/null +++ b/icons/puppet-lint.svg @@ -0,0 +1,95 @@ + + + + + + + + + + From bbd824dff4fb1e648ee02ed2874c69e28ac1218a Mon Sep 17 00:00:00 2001 From: Shaopeng Li Date: Wed, 22 Jun 2022 17:58:09 -0700 Subject: [PATCH 435/844] use hash --- code-scanning/puppet-lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
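Review bot: `ruby-version: 2.7` in the Setup Ruby step is an unquoted scalar and parses as a float; 2.7 survives, but the same pattern with 3.10 would silently become 3.1, so quote it: `ruby-version: '2.7'`. `gem install puppet-lint` installs whatever version is current on each run, so results are not reproducible and the scanner can change behaviour with no diff in the repository; pin it, e.g. `gem install puppet-lint -v <pinned-version>` (placeholder), or declare it in a Gemfile so that `bundler-cache: true` has a lockfile to install from and cache. `continue-on-error: true` on the lint step correctly lets the SARIF upload run even when findings are reported.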
diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml index 682c6a9e34..801b90bc28 100644 --- a/code-scanning/puppet-lint.yml +++ b/code-scanning/puppet-lint.yml @@ -35,7 +35,7 @@ jobs: uses: actions/checkout@v3 - name: Setup Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf with: ruby-version: 2.7 bundler-cache: true From d26b20b23394d4bbd531b69b5188d6e7d0887312 Mon Sep 17 00:00:00 2001 From: Shaopeng Li Date: Wed, 22 Jun 2022 18:01:19 -0700 Subject: [PATCH 436/844] update image --- .vs/ProjectSettings.json | 3 +++ .vs/VSWorkspaceState.json | 7 +++++++ .vs/slnx.sqlite | Bin 0 -> 131072 bytes .vs/starter-workflows/v16/.suo | Bin 0 -> 34304 bytes icons/puppet-lint.svg | 6 +++--- 5 files changed, 13 insertions(+), 3 deletions(-) create mode 100644 .vs/ProjectSettings.json create mode 100644 .vs/VSWorkspaceState.json create mode 100644 .vs/slnx.sqlite create mode 100644 .vs/starter-workflows/v16/.suo diff --git a/.vs/ProjectSettings.json b/.vs/ProjectSettings.json new file mode 100644 index 0000000000..f8b4888565 --- /dev/null +++ b/.vs/ProjectSettings.json @@ -0,0 +1,3 @@ +{ + "CurrentProjectSetting": null +} \ No newline at end of file diff --git a/.vs/VSWorkspaceState.json b/.vs/VSWorkspaceState.json new file mode 100644 index 0000000000..2aa78772ee --- /dev/null +++ b/.vs/VSWorkspaceState.json @@ -0,0 +1,7 @@ +{ + "ExpandedNodes": [ + "", + "\\code-scanning" + ], + "PreviewInSolutionExplorer": false +} \ No newline at end of file 
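Review bot: The new `uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf` pins to a full commit, which is the right move, but without a trailing version comment nobody can tell which release the hash corresponds to, and tooling such as Dependabot keeps that comment in sync when it bumps SHA pins; append it, `uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf # <release tag placeholder>`, with the tag the hash was taken from. The gradle-build-action and cosign-installer SHA pins earlier in this series would benefit from the same convention.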
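Review bot: The commit titled "update image" also adds the Visual Studio workspace directory `.vs/` (ProjectSettings.json, VSWorkspaceState.json, and the binary `slnx.sqlite` and `.suo`); these are per-developer IDE state rather than project sources, and `.suo`/`slnx.sqlite` can carry local paths and machine-specific data. Drop the four `.vs/` files from the commit and add `.vs/` to `.gitignore` so they cannot be re-added by accident; both JSON files also lack a trailing newline. The icon change the title refers to is not visible in this chunk.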
diff --git a/.vs/slnx.sqlite b/.vs/slnx.sqlite new file mode 100644 index 0000000000000000000000000000000000000000..db13a0a0d99f0c0bebaa2b65171fe9fb27315cec GIT binary patch literal 131072 zcmeFa34B~t^*H{vc{A_L@|w13wk}EAv`yPdvoDlV+B9v`HtCY4ENuvrnU`eRWG0=N zv<+pOu*fC?B8bSYh_Z-+8!lfF1w|APK}Esu7eR1CL_tN=|2g-*eP-GM>i75m{a*NR zZ{I!Vo_p?j_nvd_IrrV^-M%HBQ7ea%sj*0=vXPm_uq<<8WhKKfqwqiG`ri!rhoC<| z&RYIm=%1rZZBwNOk(Iw8&UEE(fja`z{F~*=rAvK3_449&{z~qz+zxJ2Arfx+|8FGV zLr${`L*9~;!fbYXJP}h5^-hirCP&w)L-9mB6Hg`v=sy#~>*J$pS8SjwACl6sqjSy9 z&dRQyb)6?y?mi|O{Xw}B{G*>Otc=FU?p*Yxe&+SLPOyE}V!0$1>V-Q&ZHjE+ujpNNdchvI519|8OO z(Ccl6QDVwV@39VD6OF3rbbK&Aid{6s>O^yl!5loZ%T@v6MCqMOXVfu6gw7%qWu;mB z-NWD-~)PY>q z=`3?12JExU2`)&-GUuFiVC?0#-d}TGpG;=lh5cm4Icqte{q`B>1Vj7!jB|plbLJRk zoc2QV@tiYqY%`9ud-MVG-o}eQt*xEX$GeRi9nl!PdO^dojCNehOUx~_NXID39QqWg862p?WWJL`-rI3-RH;eQJFwqMrW3u*I`+B;z_ZgN) z$1y5dhL;Z0ItDgIFQF_u6o~=drKZv_(Q-8Z6yx)j)YP!&tt8`6Cq~KJpCtPjv;!?8 zPzP9F(lLxYIx-A~X?ILDTX$3~tG8=(^;jz7D?85XE$IyFugp1+2ew60Y9cd$YTF6( z<$ZrnEGq@et8}8_f+3%EUJmAru;8qKV>!E4^p@-c%{OUkKFciBn$E3h(SH_nuht)J z3FNGH6lzE5+YvfZ?6EG3a+*b{k*RsL)netk&h=~hw(P8oPNc|;&FE?xCV7(gmeg0U*?DA|^s1RmJTXk>w6@-+ zC4zlC<>HZHM3(!sLZL}pvyBr=mMvpXAtNWfAJ%Bu@$0<1g%}+;D@$t-_J?Y6rG(0?_ zruXd0q@$#r+P&#yV!pPsH*4*Tq=wZD)J=fz&V=G(3<<7N2PcN-(-zOtz{lD$S%KDO z(nn}CAH%fTUTd}g5I6rK5gY*jXDpIY!;nPw?0F|*$XoSaBZ|DFkN9%_MdGlGMfH#x zedhy$)cV&5;T`evFY3QT@c+X3h|{v4Ov?GanMf)#F|H{N+*%S&H12w z)&-|}Jj}{VCERy*nGvI2>RC?LX@6nN9f=832V?CqwJF@t5LLrX4Q=(|NOPEsf!( z*0#EEq%j%`t1Zp-YF&GCYl{lSgN+T*mbTU~G!zXtMO$LwNJFGP+!$+XZ5kYkG{l-> z;nu;%!B}&wG2GVJ(f~ZQ#=_7fEXlQPUHiX;inj2f2fr(g4eN(upeyACc z+8e{oZB30sYD=RUX=@0#4-U1p54K0cYI_Wtt7~n9<{FXL*1?9>wxQ8hgv~sLrrbXO|9X&LA3>X7Xvn-zu{FaBgUt=$y0*HyhPt|FdjuF9YG{lN zHV-z0TVr)?bQDBd>)N$ZFxa9tHAcfjtNI@Oa5E@7x>5gz5aIp96v9=EI%oKQNB_>B=^h5%VpA=(odzYOCOgm zlJ-kIQlnJj`={?k-?x2t`Y!e*eZ9U`Uzzu9?_=J(ycc>C-d=B;w@iFZ{GRwJ@oMp~ zxLaH+E)l(+-+7+&e9m*FC+_L=%oF}9JSp5MoF_zt;{}O-k^d@x1s~xXct7_d_f_s{ zZa=q{t6=}gKF;33p39!Z*08)~OfH-hnO0U3$07&RMD2JgIj*KMaWzejBX;|q?LOT9 
zmT=+nLn5<5#|n>6435UrBL%S+9~7BY1bZKR`97)^L|k-0WL5&=Xe0&Aj~2wMo)DRK zz}u_tn;b2SHa{aWjer(UrVEl5Z*5`UC<;&JE~-= z#zm$c(US!kT%4rB8&=1F+!3T)ouC}5snJMcxFEgiF%4}rekh(Qj5bQqV#!QG%@jln z@1y;tXyKTe-j_*^7e?Q!qeu6tsiTT#SzKf~K|HY}L646`h6@j#>Jg3Oz0m!_@?0=1 zGR;U+O%z6|9}=1Ehyi7k+yS2PoDc46uC#docer zI_n~d!g5&DPx*=@VyR@jur%iH(P+gY1=}m%Eiwy0rU%u*@kn%E?c~^~tm~=rQzJAYJdq1F#?0c3NGsrnJNNCVc9|52=a-h zB{5#ktSur_fwe~L)D~{0!z?+73xxOqH5?5eiY8-r-sf(j0!@sgUZe)d%2REZ$ZQ7c z7I=6#o*9`K4C62XQP^KV#YT~-*6@cXM(r%k-XJoIbzlmPBii~{zMhV<1oF7oPPV+0 z!p72r_;rA-Ugm7Pf6m1aAw zpjoTw3qgBnEiXTTlGAOZ6;`&2lGE&>6;yS+X55I$%-f6Nl_FCHas_>Dtyys#?VMrr ztiZB%+M;IXY@jv`L~WZ5)Jj2`J+p$US}30m8)idk)=_MB%Zf6ui7E}7t+FDNHEJAC z`(y=`G|X_$^lYFDg~ z^5t4B&6ZeUrOUKh#D3TyODTlf3@c<-4IOQ0C#>b=OK3Z~ZLq>-E!OHd^wYvcRAr#a z%&~G+x;3b-rqUdXB;d{)r$I5$7A~a3Mk9l{YfuAg$pVpCjYBu3!onaioU<}8FiYoC z5m4r!JCe>&SrrZmt8z3!m2|Xdyjp9O&ZG1we^$usxl~P=JXxVtbLb$pec(_#85tWb z))|^Jo9cPvy9+zGw8GI7qheJ#rA>GOqnSy?HDhC-RF+YlMo_|FTgQ`hw3-;DR*WGy z>5Xd^=z@VUw}dMF$V4U?j=&{D!wDO_dKP`d7I-+GPESx>Z;&Z1#(wz3gUQssq0!{Q zv{x6v;+dL7gs-axQutYXIx_&54ULb&Y4h5#n1NV6gN{*d)a=_%$fX^%f zt;hI8`t=t!J#f+J*Gi@VQ;a0SWnb&MJE1L|r(y*LJpi_Jb#(UhcIw4tA>aV0#MJT8 zCWJ0>4U-5{MSRD4qdN!luM+^U_F12G!R_CU$30UzmHE#9l;s==~7M5!*5ge zD}(%re67;M&z6FLH++8%{Kofu;CbH{0uT9a41Atvl@qu>aR2Q)5AGKj3|!?~9XRZp z9f?(iTgiMazg zO6*PJEFly=fqW-a_&#)09fqku3U3ecbGWhefhc+UI8q%;4yK35yR9(j{Q`?AJ(2DQOe`BD8=Y#aw3NNA423BWIH;#H+(RX zfvHT&KBSk8BuC*sD^hkfsXC%Y_l-qThe*)}vHigmtbf5ql9H?N4S*0qY(#mH!Yi@U z5nvkz87a78Houb7H;d+wA*zJ=00Q;hq7!&Iiid6&ouKzu@tvG)zv#rcj8rBYMknaf zGQOFNc;}LYxulZsz+rD}8J$%xrd46j=!9G}i(kRz_;;B1E#SL2eZQCAZ^v9{#nHBn zPVyJj@O=gy+rH6>dHy_pjgE;MM<@Ke3celSWRyB#Q>A<(&dQuh*+u+TE_Z|ItbZ=L zfGs;fC!KRv@KGx~XNTw@c=l|56~QMvLpMgT>@dRg9ijtv zMj7AA=Jm!-R`DAs#MoOo>K;ONjUA!`cn}-acZd$yfpWf`&F@{ED1n1|c|58aB&Y8X z9putTF2CnAHJ|U&K!tj-e->ZQ=6dwTv2(@_(a~ZOTg>kXO%PCC@8=kT@_Rf-kx$1C z(b48UielR#I#Bjj@|{4Xus1VKILPb494Y0S*?eBh;YIv*_UN9yqb-jo@ic5l-yu4<>nC+`J%)P} zegUg1ez5tw@mbgP@O)~JpT`>Bz*8`!WYg$?axy{Dy?!SJ_&KcZ>Dx7fUj`4Rss{8v 
ziaP;xyw1D4iEz8lBfYUXNuQv4~6l^Tw7h7~9lx#q$ z>v|BL*W7JtoqCX-zQ46S6Pw+GkQ5_COvhrPl^3dlwpw*)M z4ew8wKuwR&ast)8Jj?LO@a!x_DQn)G8my0zlvT-pY(JP(JiNf%1y;!Dc)p3K2HX!n@R zwzXP;^)yF;#WPZlW1AFPy&+|0sl@|QiWAb})xd#Rg3_{-Sv(!Huzkb3QA{*Q0guK^ zd{Y{8NOgwZlErf|9Y;U)Rumy+W8XCmU#sSqP>_(t84*H44i7{S1>Uh$cRK`7#5P}p zU*wC}Xk11-)2kriqs5hgt=8g~`4zZ!)HX2YYo$y1?*V)^E|0g-lLqRE%z<*Rr<<(GkqbS&&NR=|4r{} z-d}rP^gi$XvG)fM)qmLgb?*b-`@Q#g@9^I0{iydE?-kxlyytt*_8#)4yrbSB@9ExC zy*s@<-i_Y1-s8P3-a7A6??UffZ>e{>H{cb$jQE!LC-GJB74Ze}XW}#B6XK)dH^r}s zUlczp-X-2H-Yk9uP6}KuUL;P5XL=s?eBJYa=YG#Up6is~ii+|n_{QNz<-^LLvPapa zY=e^y%auh+rBbfUR6>eR;X-eR-VD7K`gQ2V(DR`mhkg)xEc9^b>!Ali_lNEY-4VJq z^ienuaYg8o(D|XWLx)1C&}e8Vbb9F2(9Teg|FzKC(D9*`P+e$gXkln>s5CS^6bOkS zCiqtHPa+%mc;LpswSg-F7YC*ShXa|wSYRkH5I8xoJ+LXz5jZ~39Hwn7snEzY;ulc{=zt{gs|E>P({a5?n@4wK0j{lHfht< z6MdeyJWqKZ^L#>jMtWTOw)CL%fOMa97o4`ZQMy*TLb_O*k`7B5X-pcD2Bedv?b0T3 zLQE)EDVHf1D(5O^C>bRIUx2JrPEgvEhTyAk-s6Sf&w|ecp9nr0{ATcL!7m0s8@wxc zd+_GqM}k)eFArW6oC=;9JP;fY?hVF*rv*C{Z4vGdd~B@=hvPWJkNS=lGaMcNe$9cX}(l0O_yYe^S$MJ-S=zX3%+N4 zKkz;3`-blU-)DWF5{Jao#9d;KxL!O#Y!Pe4MdDm>mN*OMkNf9J;NL9)<Ng5&P=_DN> z>1ibGC+QxN?k4G}Bt3$`7A9j*7BKJK10i=Yk85DPt$Tm%R^co)bfCq z`?Xxwa!Jd5TJF_yQOi9zs6(tkGoEG~%~+Z-BxC+bvwzU+?=*XxW`CpETQvJC&Hh5O zKhx|@n!Q1@Khf-uG<%(9f1ufG$QpAG^Ls6SRm*>;<-gVP-)Q--wft9F{)(2rtmVJd z@|U#yMJ@k@mcO9o|D)yqt>r)0^5?buIW7O0|M!f*Gb|A?@cFD({u3?#v6lZx%b(Hm zr?vctTK<%l|3J&1)bb~^{BbS+zLtMa%OBJ7?`rv@TK*j^|F)JtqU8^3`M0$En_B*m zmVZObA4Ku{nXl9Azi9R~nthdKU!mETY4!lkzC^Px((DT~`#jA)N3;8Bb|1|?OS8|= z>|UCEnr8RV>~5OfMYB6Y9-d|8Zu;~|n%zOOPtfdknthyRAEViAG`p2%x6tfnn%zXR z8)uE;K7jqqb`Y_F|rP(z!`w-2j4P&ScW3HlwSJLbX%(|Hm(2UrxZid*e zZid*eZid*eZsrn-axu*=qS^asb|K9!pxOB}JC9~lG|STLT$EM!IV3%sq-T-zOp+cZ z=@}%QB4N|aekb-T46l@!$VA~)C+XgAvHb}v?K?=4FQm}21f^CBo zY#XFt+aLwo1}WG!NWr#23bqYWux*fnZG#kS8>C>{AO+h7DcCkh!L~sPwhdCSZ7>GF zwm}NE4N|aekb-T46l@!$VA~)C+XgAvHb}v?K?=4FQm}21f^CBoY#XFK3QlA{`8U`$ zC;{6BDcCkh!L~sPwhdCSZIFU(gA{BVq+r`11=|KG*fvPPwm}NE4N|aekb-T46l@!$ 
zVA~)C+XgAvHb}v?K?=4FQm}21f^CBoY#XFt+aLwo1}WG!NWr#23bqYWux*fnZG#kS z8>C>{AO+h7DcCkh!L~sPwhdCSZ7f>_whdCSZIFU(gA{BV%SvF|AO+h7DcCkh!L~sP zwvALL7B5R(8b z9m&{bFTqC%6CWmCOhlw0c<`V2GkzYP=NXBEe{stFxTc+}{7AW9stnHM9+tRZ!1qev zAKa%ySHnK{btUV2EbuCKz3<+@^W25XBt+Lw^<5QsjO+9r2z-TWRECsYToo5o*06u| zogDa-@5I23zUsgSyl)3m-v0?i*`FzO?4#@#yx$D$@ZJ(w={++r-+NL(@*d~^i+7Iy zWiR7@hW$AE0rpJsfBX-L-}ZlAyv=`uc%lC?i0S`=9T7+TXDDxqJ^oR#-oKmegFSao zPz^p6Y7YIkIK$tiEb#ov-xAyy{D$WVi0$9+4|%SU-}W4mf9*M0e#X--KjiVsHwZ7u z?-RZv?-Op3`<0i2pOLqO9u&@#R|*k%kj^{F=(eBv2raY3xBbj@gsd6i_A?*WOSBlbpSgCXu$Z++x&6#Fq$~C~x1aft zQEEoI{mj*rfHl_bXFf={u|~W7%vH05Wvnya?Psne;;=-#{md0}g_Uffm^T;^0@foT z4nJBqb2$-R-nciIoCQKBd&I~$*dt0HU+f#KRE5yY=8b-X>6$NeAj}M^B5Y-k9ue2kw8hrTqzE+xCAZ*ZJ zg<{LyhY0INEXhg!AZc8WEIFYEX2aXk<4jKAL>auSe3A0*3?Zt=pq%y6glPU~d3S0d zjNGHd%e(iN3iW`L`+3Va>8ugEa<-f#E$5G#cPA(?Z`{0li~#dT&bvnm&yJXvv+aEv zk}U$}MA|zal#M+e=0u58PVz?3yGP1F*W`_%cMmTSwgV_Pa^`Gch| z(z|2ied{qcC&4Hg!Fi+U-Gj7d{&;$Kgx1U#QSUyT!1Bh_y9da~%oA1bK8>`e$L*Y) z_S1T~k@fC9MPTHuv2}SjDbZ~T#FgYz6=5E0#@FRjW(i?3By@(FPRK_{M_=P$POF8jJM0%$t=-p*fcs4+%^-I zC61W8ymcC^N-R-#xrY`Qad){pC{zH3_N~hn@_O>d-sR1ti;n2Kys28)d}OVR%ymtN zrIjrLFK?Uy3le(_Ufw|7jwK2&uO}tCmPJyX;G2{VRza zm8*4-WcwOWu|dx0k~d!;IX^%PEE)yO)=dXCrzqFC}k8 z{~Du))Ymluwy=c4wJ$FglL4GJieI&e^eTTGzp9#4q)~Q^h z(tILb6HBTh1!hEFsw6dNYtRX49+?bg3s^Rnywu#de(@YK)9sP{;@Nf{iYrKMEr4!` z?iZJn`9c8J_DM@<}sFle?X{UjEMg{KNfoCE!ZHm4GV&R|2jCTnV@ma3$bMz?Fb20apU91c(G0;rIIb z797iu8`jr0*TRnxHnh|>Ho}kj^)0A7hTovHR)Qb)>st^xhF@*8R9Xh%{k|E;@;it1 zwRL#^zo0ZT%3kFrrCIr*`-)u&xDs$B;7Y)ifGYu40U}IgqYT1Q=U~GQSJjTz@^GT_zi&V@D2DfrBo5%Yxw6vj{=JO=Sskp zfGYu402WaU5QSKk%i?e^>-RCcwe3 zQ?Q50?f3(q&t6jmKO;bj&NYgr!%qm1nui5i6VRr^ZwHXFbIr0M_`v{Db&8^W_ToPk z!7l}nqDh{#dH47KQ3SsaK#I;bi{J+WNYNp)2!0uW6rDwBLB;9tlK`a2L%dej@X&Pl zJpfX6wxtYy1%Q-ITFT(ge^Pdq*7>{r_ZGpW|C|H@(HOZanJwb9B8^=vf?oh2SQ>A4 zKD7$t|3%6rjPjQ9gz^pLkIM7P{on(*Qh5n(0Q@c72=Ha)cDOI^Za{JWTnV@ma3$bM zz?Fb20apU91Y8NY5^yEpO2CzXD}nbc0g;DI{ZtXj4o@T5xe9#>(WfBErUE3Jgx?K- 
z3TMkCJ0y|pEFXRHQkY1xNw}I8FwcUkX|V!aO$*s1=i$K>a0ui7%(VB+yi359fGYu4 z0JC%*0KZL#r|8)Oc3Ahq)CE!ZHm4GV&R|2jCTnV@ma3$bMz?Hzi zLjsK+iD5Zr^_&t`U=OFGsrYziPkJ&D4G)i~={@m8Og&VaN$dGKb#P*sYZXYP4W!b! zTBQS#(ReJ9QNxf#3RLXlNyW(O5|(Etb6U$Opv~@07X(m#A{-&Re*=;|J1;+Z3mxS1 z^}2`(xtwi zdUecj;&j^U|)N-cC6{`thr!Sz*`ayvzLT3k-<^b z*>&f0P-AB2nzdUx^YlC@FQIbD5n@-YALP5Ub3^Bj%56Kky4UPDrE+uUDV1ybc5dzJ z0kYklJv)Ib_`h$pecuY-MYwI`^1z*CB&h?!;I(s@gdnnBD>C$~?4p%{v*v3vyV??bP*8AgdIFTKY)bWJp>rql7k_$YSK5UUf-F$Qz+%r096 zh!drEGM!P!3=ukuP?VKs?RO)~Ey-vE=jV>(!NMKTkvfv26Jv>7yr5i@UE%kZ48Xh^ zAoGfF8jU0pYN{g=9Z?5zS*Nqii5RfYGAFno9m||^)`78?+j@V^d3`dOaToTJ8Rx9! zeD>RCoD&S~>od*?vd)=fm~q+*&Bt@j$g#~h((cg*%zGOz`n0xoN+0hwZgfOr@ahFQ z^FRM2-#IxBT2j|kdK3E0+Zi8I)0xQFcz-1-kDXoJph-br;YbWi-jWqH?36-AqTVdh z8^A;_pp41dYwhdl+TLea9v#Q1WEoyMOzRlf7`=qD>`){IbeEb+!$ix`{8Nn2TT)ZQ zp0|>WL!B5UZ-0{PW6%z?j6fY=eM!eK^61Dg7^dAZ)ok5SwXEK*(bZ$AjIZoCueYQ# ztiLknKpxl@NvVm<0IF>#%$N85IkBu1EU(guh6{##)_FOYGs1$i0*>YETG3mw4>aGT zsrf9kP-{B3rbYi*(7jrJv?Y+U+EJ(-rEf>*M6t)ZEXrvXrIMdv@hA+NHIKqvKEcpIu3>D#iiGCGkWGd82EX_(|m-dj>% z!Di=?Y0|4^GV#PPnbX>Oo0bUn@sx{4h7nor(+Y(qZOt}LELpaUJ%x;%^nO^QsRLdeJi)2l7jaDMf|7NcWl zWv)J`T+>^*Hj=ij!MkG1D+^6v#P6Wvo}y3-j#W@i*ua^Q%Jn<8cIUKe&RkfJZ0#{0 zDVOFma=xuL4|{f$^}V(4oZTD}g#9zmtX#ZjaV2EiYK?9}KdimZjF@$4{~WIpvA3Bx zT|GUp3*7|!&KyY~=K5aP)|=SSnLKZ4m6abU63gsM4M$-rFLLJ z8hOn$l0!vn($K}+UvvJU>0|+W@iK>v#!6-dd@8oB%lq2n=Ofzuwb^NzQJHqs>aV%5Lh+U~HnNvm zyd`!?=aK2OLet%lN!~ecKyxSVG3;V>|A{_r^3AXO^IorU^ojP4U6xLH{%bXn*`0Ue z0yM;}4N#M}|J{v2Zz!_kthz{l7Z!@Bh*L|0|60w(@7? 
zb>(-;EAOd6x3Vh%R|2jCTnV@ma3$bMz?Fb20apU91Y8NY5^yE(zbFBLXIKv=0wz2r z9M3Znp8qfMeT-2q3_Tm#AF2wD1>O$a;s1yKTK`7*GjdXHmTr{xNb>>3{c|PYO2CzX zD*;ymt^`~O{Kq74W|7QrY+tsFVM^F3PK~uS4aJ%x;U-nB4>vWnwTIhdu~@i17Heu5 z8ftGHs&DT&ZqJ5|d(tD3Bz!+H3>Qi5flC5X88sC?m`v>(8ciNd@5y@~QzjivCWhj} zaB)&HL9R$@n7&8^H8{1ZL4n{s&8&+ZfPJN zYQc?FCn{RaIq$TlP9ZxpM7q8*TYStky5PE~p~%E&rWboWF%BOy>{X+g!}x8$eEfoS z{&A2eV``<|O68LANOWIhSS6jVnNLo*&(Fa5c0`R)YV(8gS$c)Gped4b-ty-y`(k z0>1Z1FK4XiJd-Jut>H9b&sohtQ~w@eo4q`CL7R1Sh7YlX)oc+;`K*7ng)`gBwQd;y zFH$aHlG}V&g31q=gDl+t{~P7MlBRQkH~ap@vyztkf&N+rI3`d;*X+jpn$VqenN z>udFudEfRv=Do{%p*P{}^|pD-#Mi{{iJua$77vTN#kJxR(d+r0=Sk1!JXd<+o=(p^ z;jhAz!kxl-LPR)TkoXt*uku&$5x#->cd6>`815{Com$ zd0h)9MW&UN#IeW$HBmdBf{;Nf1J?}_Z+N%w*`0TvaNaMkTYgAnHt1O4@rl9FczUED z_Tqygvx;EvgPZS1)q;qN4v5T3Kpc&vp!v~)c-0dk(++rh)qRtrh0*3`M5YnY;>mPD zQj5~G$&pBUpLzsZ)hXKKa4HfzLJz|GMWzdyq-aN#Ox3u^)FXPbAcKpORCvSc7?3-H zl&cezLp3!TNemaHS3Rbojm8hfQ-#q+DOxO3EE$;2yC^;jz7Nkj~TSSY%&e znJkKE)JBtgCsKv+7M`wA3rEKbzrBS66l)L$*uH{2n133bb#PBxL7YYXl&?r4mP*D8 zOJn{XjaDpDkXHF_ky!vTJ*W<1;^;i%b|H6QKOUqj9);FJ(h0JxQw?jf_TYkdj>@GY6`sCen7AbNfVQ837DVCKIVh zd^ByZxKpnDQ(~7cq8`Uj36^asu zpfAYVia2Mh$kYH68e#+ni4|PdBQjM4jKZ>mx)J0P%~?xc&I`ZVcKxg^B2$62M(orU zZl=R5If$X!_yIK>4Ihd^jMheY?j|bG#5n3jYJjXf)pm)@W}t3?hlk^tk%_^u7T~qN zfQpSGQ?20-PmJ1Gn!Q0}7VE&&grkq;>**-NI5OBt8=K{w6gHL~oQRLcY_QUGbQn=v zYh}K&gX#$a$=kh(wUk|){=}wQtCz2#jp}yP3M)I2zAMdkT0yf`(-(sF(pp}A0wt&0 zNGq&t6(y(HMJuT4c+I#GlbN>{#VbXo4CD&>+FG;XINCYG=2?Md?X*SB&e=e18i?99 z8>p3nG<#+RRkct)9X8B{(yXJ{?3NW}UK3RsHd|#yC~MR>p!UfMDrumTpV%ZTpt@eO zX}NaDidIsm)koW71S&#lbK`Xs&s2mT}`Dq7D>Qw z-Z%}4fwpiVB{muv%w2;TSW6a&%xWCEDHRq5iQ$};fq_{%pNfDo2i=i$hRUjNNLZDl z396){MdQ_4t8^ZvNBOftX3wQ+%H+ukt(rpzu`RS+I~f@pE!G*DGn?vpBS>lomsU7> zVpOaur?d%AU^FwSIIh*8c>|@gjOsLk5(e8ko}{DI#3;3545^U}u34-!=9W;UADPG` z!x8wAq2YuLUOkJxVGBGQPp2nf|6(OmT8#bhiN^6KuP%VaGc}6{S9A}g@LK$IW&nO{ zXnYiYNw0P+W+0Z&prcglFp@W5bElhJ4wzgT@R>!R^%$Q>L-u;pCDVW@MiSx2zSebj zLR&hZSb;$gfGu4eojtvsdU06@H~=a!b$m2AIi@BuX&p2t2n;}tj;%dAcXX}o+u7B# 
z!9uV!0Aq`Q*L7|^2`(G&)hkx`VE_S5w6@_i{!$T)YyjTd9a`TvO%|CV1jZ5lg;yKS zDV30rPegH#ksnOb36=V26SZJ+;Uy(gstzgkVsCsRLckd7#j`~idB77EM=~&c1}8GA z(V>MNIwg1Yo&+b>(qO<ULV2eI$_@dsCaHpu>*8Dil6zaK02Di%8M&^JOigeF2=p&7wn1n&!8 z5!@SG6)Xw77WhWs`amks1$%wJ|9AfH`|t5z?oYyAztvwR|4sfO?DVgf&yfe@wemvQ zEB!+Hwsep5era6VF11LU?*-q(>~DM@@TGj)ef2)S_f_ws-dnuqdt=@cy;WXD{JHo| z@sr}E;wbF$XL^3+`Ksp%Pt?=u2?;L=4+tL+b_)%HkN-LUS^grvpKs(j?pf|W?gDN% zw}SJsUt%v~qij3thtA-CRCSe%9Z z3HEE>#Gnd7D2%xz3wxGTfH?wNYO+r#_@WkPVef)Oq4`XF=m-OEX%@CHI7)^_BM0GE z72(JD3Ujb13)>hRdusY$9-i*-8-c z5_7nOeKMR<@rOMM6JL^roe)Ya3R{loNK?a+P+>bnP(gDad3-I(!p;a;MkT*LXBlL& zyeJD>A`LMTJ;F{yq{i?4ESwk>n`+ zx>;f5nk;Oma5lmZ>qYmCMN)?f<1Wd<1`EYCn1cNitg#BCE`wjPBGVD30gP{A6$@i8 z&cfCUM@|G@7--qTn6tC65yL&@p$PsK=o!?-fI5iSr;03W#&AD+KutyT&94D1&BB%p zoflvz4-kKW1q3@X0vf{U29NaH8$l2qM_{Oe7A!x@aR- zo`o$NX-OS}6*JlK8w3_)VY`NYLZaB=hb-|O6klWG?zY~ZNd$F!nWgz_wG z-H?aW1T~yiU}+Y%Z}=*WC85EdRKd*7W4_4HDa*nhj<{o}iM5iPlZ9Oz@#L6R)e4`L zg`FI6%77uY0$>GEL3jb%=>U~xVJC-dQgdmoH9HHNIpR1mETk1&o`wA!_FgxNR^Z$$ zZ0b;URy$}#D9OTp4xMep^jRULS=hoMN7UL`K~-7Ux8V?V7&t3Vc@}nT$d+!?tiXya zY}#;Q8fMH2EziQf4Xf&w%L<&6g`FD;-(sw+@UkrI-|)q0_Q?t>&%*8v3F{`w3M|XQ zz6~pCR>%rln1xLnMs#4G;4nN^w2Cb3;ILbUt+7L4^G2ZgWKs)%d)U# z(_m;stgzWx*skH|FztpFJSPj=G!&P`RM_FLS<~T~b+E!`XJL;<$QuU13a-e)HVyk^ z*Z?bZZWcCaIQpz=--=M4h5Z`75M9$-fs3-RXG1-uJEa{<9V3voC=0tdqR=!Cbs@xs zS=iIzYozY#LTJmfu(#_(G^_8r5ca|>?Dq&!;>a$9wjc{TKh%Z9t6d0dX%=>a9R$mC zaTh{fkcAB*B?L0U zxK!k+^t~$V_C4XdTUhVA);B3M`G$R+LZz?HH&dAA6TC0+|MWiP{kr#F@0H$jyr=QM z^={&~@F~9C+w7eQUW6C;XT>M@N5n7kUl#8YujKC%r^HjlRs5ymbk8fE?|L5a zT(8{fxfsq5?DDk3mkyufXL0`oZ^DDzz3jKx``N4EoWKCPnGI7ff+gi2Wc84MQ=;h^ zLN&|TOeAwlrLc-K%N$jhdzc^05Eiqn-FZ28p0L_l=BQP*V46^ca1xaV6)dlsEwmd2 z4(#q!sZg&2Z2^hn7YbcD0B7y}MbH*EoJbt88446IMP{Eo|V7q5``n_VQ9;1?#{w1}Y4fC@fWljq18=zqfJg)jpojy#89p9ZHEU=@NE z2!RWNLInU1rpeR%>B0h*v#wy6E2J`^k!2%!BJO*NTwM+a{AFcm@mI9>e`VLQ~z1v;q=(f0H( zUL9>O--!|x20V}?Y^^APSp@%fQj5XZWLbUGV+U&I2rJDJCw`PDZQBNb`3O@cfGw_=;QLk9i+gZ7ZJ7MAV!a`gqXh( 
zwUP_WB{OXftWg|ok~J)JKg7JXRM_t1h(L1*DP%ohZ*p(sKqR~u;ueJ1U&#Wa07fps z&_ZE@lQZpH1bVnA&A-$O15O65NV#N#mJZuY65;XBmJZvXxr71>U@@Xe4!tueIGm`a z!}#0laeYnoW}VQlvzG@am#9B1oKl!*cppT-l4IbZrM-XSIAMQb@)qpehU8^J-;o+h zj*TbNS~GuY6UL6zjE0-rh_po5dW1$GkTym;^2cUj_y{c!#9Z<|%aAkts@lw=bYEBK z8Ut1kxZ)_cjKG`T%307F=ky0LS1u4bfZ-!W2bgbwM1WE4q)QEz4?JNz z^XPgDo*W(SK8>s`;WX<69ONRnbBXD&o{U+d;m~uGNN)}?COVFjWq?~5N(*SL4GUTr28v+uV;-t%^a(Q<7R~?&WVBdLAOwU8 z0MK&>-Wfs-eK1cOh%)nW6sBme6sbr6F(d z_2AEfUkQFHcx~`dPz|=RSvU{ykH8-SF9yCBxG`{MpgXWE5b(d{f7<^Q|4ncz;4FW? zzYD$rSn8MLH{}=PZ^HinX7~CLcZ2T|-$CE0zAj(2FX;V)_kX-kdOrpG{)67Aw-fgJ3%#QFC-Fz( zBjRo1`^5v|E^(b$FNQp?d7k%t&vU2eTF;bc(9`2t;h8P`TKJ}Lt8keR6*dUfLJ|Kq z|2+Ra{yzRX{(L^k@8s9>ZR{=Vett20H}H4vRqngo=ee8Vzj5v~_rL+w61f zsUWap`eUDCO1N=2^P|G9Ogkg$XRjkW7aCE(w|Nb0_9fU(har+M6i$z(BaOx`9pP8c z5n4Hp;yXqVa}WCgxrg}?H$Iuyi^fbTJD7*q@j~Z%W|D=XNi@WAjuJm}4;gAEj@<1i zkg6(RgTQU0mkjl)8G0~`98zJ=)98_74`iKlHyO>^L5TDLvaWJ=u5w9(B$O}`Ij2I_ zbC&ZEgvwoHYiTJ(Nu5L%ca}nvYwb`3^Bmd3>A@W4PNJ0X5$o?FS~%}%3g&0iV2P}~ z1>}HzKbgAdmV`%n3nc_kNT{zIc9V#lqurS7OraXyrsjY}A+ZP9b8`z1u!qZp6$U2k z>fw~PhJH=~$N}~Y!lfCKVm?U*Pk|#H%(G;vix*_2N3`?cA(ka(!7RiM?If?sEOQ7J zG}$b&8qIaUqHs17#)b4R(XpFb+p=oC_;!!c1Ow?pYu_4Q!m4-ax#0g&n(RlDA+Ur@`UH+(F)gS%`0; zm%IhD%)u_$sGpF@h3jTGk&RV$5ZkG{ict#diKWy_93;9AgWpTy5UL*-hf|G_1ROp~ z!C5;(ayxNtSc8|$Cx|iCi?H2o#F*+Oj#hxtACqN;Gswx@4g&z1x10e&Vq3{#!&;h4 z@J9+bEjS}6%6xpb(9F^2T;yknRCLEUN~M!XMK5vG=%&-kjH@yqBRZTGAcs9$)z$W|>RA|x=|dEYWix%HH9DVa{zpgVIbnNE5U%At!)C%wecBuuBLi0mz2 zH=IZmfmVPNHj6oV$1X|AXbyLdA{!lGt-1Q97nIL%A~R3# ziX5+m5L|&(ISxYhvgN`_g%BK!b+eZcZD;$k=QyI;j3Q^1BvA|212xReWZdgTI5~k+rj>6iKZjYiCPgF105Vp@QSc{f#jB53q;G+TL<(hq;lA zUabVF9#8zvg-)I_j}x_J`KGCz5}+URB7v1;_!s!PH$khL-#xX_>a+l>A4jX_|LS*) zRM(sz_)fKrHvRY)tGAQt8iqq4-J@FE5kD0+z5zxuusw&3ndTcT^l|V$!m2iqv915L zFs3ZN55E7uVTQQF^N`rV-RON<_zKT>CZ(NXh4>Ti)xPiYQ^L)@2Rw1#Cxwf|Gd%s? 
zG(Q$NfjiH0hv#a~{(r*Hf zNZ$?IBz-z?NV+=EBOTy23kmLc&sJ|Ax0K&4?BpsuYrHL-kKf2$>z&2^iEr|G*#G7$ zg*NtaPrWb8euWPTbJ@E+3*_&xH;BWq%lG0vw38gtTTx zWsCS~&InK-!XiYl#ANZ2c-@I^U0A`lYhG)cgBxou2=En_fGl*w;fI9Zs4T*$tCyca z+*)v5gI)#Z81si9KgSX&$4=V<?E=M?uF++so!iE; z59wuQh>5w{E@@X#`9iEk?`u*8G9MK~gJ!^e#ebDaRMoB)z{2CtC=OH^5056Y;R58FN1ICU$E_{ENRGuE}ZoTu|O zNKUB$g*tCEX z;TyC0m4-%e0v{wQO#e6r`}7e~qT3BDxeiP0@ebsu;E9Is>fJ5yamvHKn-POXRCD54 z*y8JizRrV_=SR^Lpk>SR>CJbDC<`7Pctnme@=N$WshYIJg=m2#2xL{HI8`&WRXr#!dw|-E&ogi1*mgjvqnY`eX;k&V zKJn$@J9x`{M>@H zC}`ESHP)B|1&eemO$HYf6gyrLxtJu!r%{v#GdDKCPRm6juhuzslw3UHH9K)bIxbZa z*0YK@81&PNd5Z7~ z%%P`~D=d^+e!xM~IuD$j22B=hbHa%i2=n~~$7#->@VD~&3u0U5inA5DnIAhsy#gmB zB-ovl7o0=pVUL{F;3rRBC|s{_YwTSGYvtFw(9k5F6~Iw74<6vUrJTb7r{$OcK!=~;v(D4xsrE>4>)x-V=Y;PFpA&8o z&KJ_cp!XGFyYf+`LpjU)WMHH3H-QHKoBn6~pYmVgPp}_jv+VQiL+pO`elE&w4?YuE z$Tj-+a8;bgznOi*zly)yU&m+pL(=2YhxyYX9^dY-A=dsC_m4EpYuR>-gVZued(KNEOce#m=3zF#T|-s`)@yC<;IyHdU> z@UnNVe0lI>c~p7PccHvT{HNR%>I_$PxyZ0`@ZjMzI%l(@7*9? z^2h&z37L*!5U^tL6XR;u>fxQwcWGz&jkv$#UGFDVj3fBWKk*Hl$NyL1)*!!&I5mr} zcM^x8emw37bbmQKpMaYz{n^oY8V8!;DaUzo3oc%a5(hf-1Kc0j+~9NP@T)B)jtUEq z7cJ<5%ljF~vi58V!j$92iiTVOX&&w)>63%pLfqpLh&B9DW|mrlFQqu)aZRCpG|b$J z3va!^L6~_8rEbPpPDH8a52#GwhD-~mtj0ZRo?uGG$CuDR3C?ycPQo&{q|6r=DaIk7 z9r!_w(n@xRSv5E0v03TP|g#-DsD)~ zdYI&(C6=AWSF?s+8%mBtUUVll@^Z7a06TL6ie1NWG{`)O&K8Sf8Y$f5C_^HvaP@1! zbJBSNC1`r9nHw$7SpRrjKNfIRKaRaN{nYKGs>MrLUQ{`XGe}#}=>BJ*(1MD_QS1=XKH3Q0_eBhG8>QsD|EpR2 z4&y`5CZ%WtJ1Fj*$%pL&3OH#(Q5U!i<#~LKM>xat9L|t@XLNohS1A#^l z_Wih@%6|yvS)31rk5v2wM`od83_r$w{E?0&{HTm?&VL5s8RRJcd4Z=F@LflX^8XO^ zb%DV40iyDAB3k3K`Bmn$biAb`DlF|R(-u^%xrcQ?j+@bMWIcxiWt$f8o2_N}PTq8( zMj+>3v?~TTqKPmM!~mHMXavZ@o?a!m9-sB&7y$1??QfiESclr&ei{LAI4w1a1ojYeZC=y zZRjz#&M_?9YQ7?T?7@~D$7@RXdgmlU)Gef@c@_r6Y77}f*n|w|D*!C$!ai6JQt0Ly zfg4cT=1~Q#tFNLE+-X}nVaYnweA>s9j`73JM9pW7UE9B#Wd4C$+yZbXtr_`fX|X7n z3C!Q~(bC{fTGN9wv76?47PmN7KFEkT(a)DbDf#zm#MjSaF(0quH_$0lXnlJKb(8TL z9PJ+rKE}YsS(d?z9k|;uc(Lp*eemMLou&yu!C&JXM~HKKo>7A3#93{AiN}02_!u^? 
zl_0qmq;8zEWIkyh`$*#s>qy3ePoTpiSFbvH%bYup@31OV=f3Y8RQ zhew!K80CA)ZAwZxUYQOYsG{PBDx@8y2WJqf;m>$!6|mD|KE;}rHU?2p*5u(z@ov!m=bww0a73eX|P zU)dB~0k#0HMYL#l{o<+8DY*5k3Sg$9*FnWoaL-o-fV8t~diks=xYKJ6l{@Ji-3%8 zXiN}XrA0u-*EBk4))ZWxh0@o*zt;g}Q+Q(*0wUyIe5^^lK(91o3hu}% z!Ae&2@+r6(3tzwW1cF|rYzlA1LZEgFzD2U-Q*bF3si;TTEWpw!ywwpa8V5ymnk7?k zD;AC%<9mJ`QZWU0Vl7695qYzaESrKGu?R2bNfN#0>?ye27zcsnGh9p6*;8;amJT-0 zm*}-CrtoqstZhANqC-oj;BG9!uYT%8hm=pj#aJi->j4xUSTa>js~KleOvpkCA>L@~ zyI42{cVe{zLF%WrdG;;cDV~CBv2glpw+HBiE2iK^EbNEv+=>n@oq`*&@RgXM5gk-K z1@~bQg4EfqmzPb!Jy)fFawuA;ui!? zyT$34HB)de7E(36Nd<8iOu;2tjewiaQ)W;Z=@Q0~T(&WeV=hI>kUd`jsR) z&n;7Mn^wMx1y<4qYfbPgKTIFANC%%Du__QMGpf~3!S!2spQfW)?mm+>>NHHjtz6r4 z>X6kyK>@c+!3|y5F?&M=BWgx#?Ne}L*Fa81&Fe(M%mo{5nEL;459M(l$LUD~OiX-6QbyzuJP-~91cc*x0ta`P2+7U|CkQBLDN)OyR!U7w5JZ%x zkW?xuHKit&R!EsB90w{QmN6PlVx_xhXJ_{DU0L}nRo?x#)7>+@vorHe_jUgoV7#QJ zfgM>;=vxfXyr%gB;%|E>J-VRicNrjjE$v3MoBzW3FMK5f0I6cD1~GsU!)+9scq|tA`OE-xHRS3xmsPM=vIHEA0C^=( z2e`^Qf?Uo3Bn%Pc#DSm^%NU@71@Vb}!Ab^5VA!ubA5_s|1{h$7;plnNeYr9hpuPqG z!8-+1p;{N9y{__Uk&PeZ1t_mLUTIbPW7fEU=7q3d!R;d>JbccL!_9HFkzC>Jc05hVU>4|7{NP+UPN5l!NY)Vj;m8I5c% zRjFckDPMyEBSLejbqjLWy7T!Iz|!(yb_?>>yYo0=cL;O0 zpukYK89pOSgaW`@kh#X4%P%bgjkh4@aCeTWHDb3h(7Xku>fKvB?NQ2KQsE1V{Ngq4 zY)>H%w6|c_!`xY>)_@8jG`ou6TTmngcJhxCBQ)b0W28}L*kFZsC0hoOeR9nNe(5Ey2UaRxXE`_k+u*+1Gf+5Oq4vmJH@stSy@zQ}&lTwz|D?Vb5F z^HSz1>r`fgbtJPgGtv5O=88;d`b%qf`Yr2GKofi_{ZM*Cx;Z^AJ>1%o9+Xa`J~kgo z{WZ1M`eEv^)M{%EAPZcR8exr1on?JH`Jd$5*3jfD$sJaCavQ`l47W1ohGa)_j`=xM zBN&-1HcuuK_9x~W_MgmO+Xu~^=FX7Apy#n?2EOhyFigd-Ade?lkNQt3OlMd%b6lHkH=zq4ag4M<;QMM+D|5aWg>`@vA0Ov50}7$V2|0t}7h) z9j+&oCa+QaHxhoDqJd`(+M0fenxdlRP*J62?)+x%$!^yfwYIAGA9}m)#_+c3t73TD zbPj|NsMOR)Zzo6#zcy1Jy^Zp2d2Kvgb}J~mUf!FqZ8@b%uAB)45$3m`*GF%q7BIB& z-Kb?5r2zYPC}dhnNy;nQ`TsbV&_Mj=gw$L4Gu@EzxrGLnW)8M3rUX>awjtLVjkSn2 zjCyH8=7nCXyc}Wc0vd)RUgPt88b)4I@maqt4cW9_wO|F>NL;Xz#UX{3Xw1AtsNQJ+{(gL6zJkW(IxGKG>RJu?cKn+Q5XetXIYiDvr>9zFq1*xe*U^5l@3vEx!)G* 
z4>EN>q-4^-(&tsks%ZJkiWk}o1T|6MKChkT?6gK{K&lp47E8V3UhPH6P4S9ME855vNDNhNSqJ8uwWn*YWnA`UVh9qP~k?dYV8wpXO9lT2^ z=E~7S!h0y2TxpF8o}>hKaXgXK^R$LUQ&i*x|4cEa7KuMsmuM_1`bw6V*2UjDXn#>J zyZL(uDN$XHbM=)XD%!JL{X!<1)=4;7k<*n%-8Cf90J?`y-srf;(up!n=SB4T@VO6G zVbPx9b1z$?ogC#0%P-_Ri7)8bdI%b#QtP^3+ZRBx0PQQbD1vq;?Np?JD~*b$(aY_m zovJoRReA@03vm=#MFB)p69)qH6AUI>Ly`^JdQUyCg75@Sy_fU(m+d>fu6ML*gLVfU?&5Bxlj;Q@$YD4;;{)OzAtJt(UzWW=IG0lGcwEXjq^&Y06&X9sIyF=T&Eqz14Zt-so(#S2^pQA2`$OMa~$z z31aH6bE+Y3;G^uT*?rkZ?8~zEW>?zvXzSbM*^9GvS;N*KlHe8VOy;1OH>YJD$heuw zneSLfGySdCGTHQL>p=QQdUyI^YkPXN^-y|YdVKoo^vHDI)R(DFYh&sSs51DZ`Sa9$ zspVEX)Ed0pnw6?eWs?80#w6deE=j(a+zyuiw&WVCBDum`Vve>P^Zw-YXll957 z?a$0p_DTDQ`4@Yi`Fr~bbC0>_>u%=tynoLO^vuBjG6QgU)+_!A=_0{+Lxn&V&^8Ph zR~tizwf5u))X{b}M9_PlnGIAg8( z4}$9vkAMWuP+>!!(%*#1j{LoFQba@ORrHeZGRC(*fG3)|wnI|dsqi{Ssr_6^F8;98 z`v@W8?{%88O8kJrM2AkMpswOMEPoe%d*5Jh!byuY*R@TUo)oakq3g+*rVwZh_rH<) z7l!)4z*7Y-o>(LOyx@Munb?P4sIYl<4U&$EnqIV41+c@-YddFaUScBv0X@)}2l1c?k z@Xpwy4#jp=_iBh9g5lAQVg8V3dWX(N?Bp4mTzOuG#gEc55k~hUT9k1nx3&RciRe^? zZf``T=^@`9VaOYB)r6YE z19zyR(w-i#ipE>h+FDGE5Z#Au>2U~t5lakfum;aJj}!k#1Bzddt4C=Hi{$C@#c|$& zeJrI=#=^d9jFc<@`hIrsQl}ST{Qns9xR&e8y_kC(to)YT*xW@q!+9U-0Bm>ecUC(y zoKa4#(>MD$RQx-XeLTA<+nSw_y)fH1^F`)wnM0Y!GwU)fnX#FAu-?x=1%Ulf`L83r zAU!rcEL{xw0dJ*#1Ni~@)Get|sllmavMc#J$gJ;3-khvWnt=3w*xqcmoUHmCFvjjaIg9Svt~?At#N*%4SKTjhq|WGYnu z*~mA)SDc3o2}}zTUK@m!i(UJ(k~}0aa0>So z(Q9;CeSR@G4_OK$aaJ&jC43>-j$L;eN9qUXAuEBiMV&}Ih_SQi<<{{+(>)!Kz#j73rxL0~e9x@8908;$) z0BZ_g;@C$otv@#pc?4K>J2|$yAmBZ!olmc15au4y&Ldzn$95cqkUQ8ig#UKJ4Pg2$CqjXTk zAm*FXrF%!AmoSL(M#Z>4Mxj(Ni0MYfq&q~R7BdLo#*W-%xRDC~{>C zBD8VN6_=?o>%6W7 SzKIYnXQTPy;$v(mV*dpvnS6!- literal 0 HcmV?d00001 
diff --git a/.vs/starter-workflows/v16/.suo b/.vs/starter-workflows/v16/.suo new file mode 100644 index 0000000000000000000000000000000000000000..962942ea22fff9b452b61562d7bf63660eb5293e GIT binary patch literal 34304 zcmeHQdvIJ;89$r0w53Hsuth{jp#`kj&E5B=FPdzU7NNE!AuTkey}Nri*=Do5-MiZ~ zG(|x`5Ffl>0tzbp!Hf>$=&0iiIx^0Hj({@?|2XRCAC8JMj{gBtf4}=kZZ^ByyN|Zn z^q!sXo^$VceCPR{@B7YU-+beOKR@^KC4UhmW{X%PK0L8poMZX!vbe?hLVN`8ZGaC? zoH#)*`orm%7OH_8MHat;Xcv7V13ND!*_5`;DzRj`&Dj^K8EGQ%!>8|g$Mq=$`uV5z zkh_2}D-Mb4fISIUpEz1Ai8+3&&;za2Jtsh!4=>;wy02z-iXuv#7AfE-jEDie%K$|T z39kr=FrJmoHKNV64BnRmn2*XKXZw7^c(sGyKRfEIH{h?i{ELvn<3=jX`~R#JXmN8~ ze;ocR0sMR(Yi|~)0sw0qyY7$?FARHig*3L{`?Y{>!+%AEaCULFa=6nu{?EVj?z^6J#y@(S5c6gH zn|*f)@o z{2%$g9CDHcKd1m^xG*zTc^mkrX%h2MKGf{53B0~;e5%HO^`Z{)v!l*=Gs{oDg_6_NkYQ1nuDWR*^u~*HQo9 z2JROP{CB{1=s#QT>@*JjuPpzc4fKBxC~5|DHY+B?4p7((fIL86ctjNQ0V#17v(q4+ zoFPbobCx+_gE9Y8hUW+}$VydfDSW9@pxHg0vRcB0^lJ287S|&;m3302f7BP4Itne( zlRPNTTxx_Fz`PO%W@@31plk`F?4|ReN1KCW_(u`4hJmUhm><@^90;};E{kY2<@Ct`!cC< zj6%~47f>4;#4y@W!Pi`gs~@GC@i~H&3R)=Q^c$EXz}N*XTc`%i>_4W->lxT4wgb6} zjLT@A9I``Io*OW#eWyw<5A^KVZgh3BnPVst8O{mB8%EQ|;U>d7jQB+WQz;;{t{g0& zGE{Vt5%I?6b%%elsx6cG<7?R;eDJ6DpL+Z5+ZX-l*5yyM_3ppuZ})1Fed%OkW_OM~ z_3ksT{%q*bQD5ib$&G#QaTuLe!6X7|VGR1V7nlT!Gbi?qr?ZfJ*oXshj5%Fk6$oQh{N>Tqr}H=gjQM@AUWOy!c%LLs-IvvXo%!ZYFbWb-4P zK1q@~5v+x)VS=9`Fxj9qubO77{51Yfa?J_0CoUA2iOU)mUF=JJ_Pq3 zz+S-3fLj3j0K)(oa4X;d;2?l$#9+q_w*or};B;!He+cd|60D#gD8F0w`awT(BqL{~ z`arb*EJmeV9!tNiz=xGK@DBkSnf5_oj$!nrz*-fwT1mhj#T&G=bt^mUqFp;jk2Uk;{I?jds{nTK??%{4 z^RF}ioBW3}|6Avu`K;KCLYtkR9{(le{xw7Qw}9=8aPjC z_9KKD(4=>HP&&XRxidjQO;E!|zG#LwF_B>XL&M$9G;QMlJiePu}By};f>PSvbIO5Ka_ zqZA&%^B6b^A8NV}QhESSFQob&&FzPatKGej?cE4PzizlB{JH^A$nz3n@)w27e;m4i z1bDXDc=i1&I#!lpqo}N@W<7BJc8RB5y&EL_j&=L``@(@fue&E4@VmX8^wVj|(+r(?8PS`dwO4w@lUA=`ER?nmQKg@kf04 zxkEn5$MNoUM{Zljh zU39_X1w}2WN}-U-jGRpM!swdb%j8S74>dl>i!>6Sd>7*ru2~%oJoeZ7uUNUa zs|T;P4E6A4d_6*LtF4GephokrA!nyED`7Dm|8WgWss&}-6V0a6O1zN5PB+gsC8Ok1 
zaZhhb`yl5h5Bm1)GXf42@@TS-_Hi|y&8Jhbj`kr4_K3GR;F0+2Xpf?ui+N>pMkyBZ za=N2^S231O#jjT;2eV^JW^*hYmV@zN$lK))C{m9m&MWz4#5Rz+O@a1i*+bPT#i*RV!$morDomOQ9Q2;j8rrXk5z7r;S}dkx zK4z1hm8- zVMt8ew#$`q6_A9y)UK`Ls*swf&E>f!>LPiLD2wpqcD>Lc4nywKwYhms`s2<51z(4N zpSzj$z3$u!yaOrdU%k*(dXNHlNc**P{II!kn0v8#b}FHzA;fPML^ah1;dH97jQ)0t=`-JUlV3mFIUYNefEb zhnw|Dwe{X7#BUcwsZyAaI5UzS{9!?qNI!ZrhSuW#Q=QVaCgnE!nn~%X=S?r5mg4Cy zj;cILmBKDH_Q7`+L?2|y^5E{sFQz~R$tMcYnsku+DAFiH5@nj1bb$8_|6^IzBO=>O)&8bGOZ@96*L*BVV}`#AbP?k1dn^sTg=9Q~hu1LOQ}DM$a; z3TxGl{*OF%YwRnS-Bzbc|L4*)H}yztdK_~feZ47Ae&zit&DzFSYd#v4pLve{ee9iD z8xP6e5RP29l|az%4g`}icPtQ&;jBf_+ZFRmK{*_BiTmn0WTqV)QM2hHH=^a0v|LCX zQ8rXKZd2chmU)!1T8^&-;*oefaJ=`7Wq;28!IjjA9Nm$M=d)@yS?~;{RBVYGC=?T^ ztY^2rJ8m$WO{<>4R1S|~Dz{6HkI5t0&}VKL^oDHj8I=6VU^1NadJ{oO_RCAypEp;) zK8U@g)=GIroV5Aumkj{PYmop7<3=dKWQPf9J< zZv@1FGS}(~U9_S{hphO*awsO@uu>rC4)`JwcULHpbO#kV>F)|Cia*rlktBaO9GpT1 zW|@nHmMP0O9!y>f;3iS-Z`91}OCWi6%{)H`C$C;&1rXMAjkfx=ksfXFAXjT}Ucf;N z+j*|l`qNLk@=JA>H4fc0T+cgMeoL>p97Q&mk@}58{|)*d^U2|G68$w0i}~CEB@n?W zLT}QY^h)ud5|R==MVg27-z1>(`$XdmP1)GMST~(-<v!U95$EB*H*_jAi1_v00$%(5 zo;rX{DTek%0n7g>%~b4p0}uG zcz}m@D)AQiW?$mYLx|=k9$f(79fP&sSMNo?@S%4cz#TQ*VH?1&^q%}Ue1iC%M0pc% z&EVDK!KRh4wsET8b1>R8?6WV)FFoX`3pMrCF;C{q{3k$dV^P1gxRG1XTlW+^dlyC9 zdU;#t{-4&q|B3fGoBE4!xEm0U%HGd2eG|~k{XbnD-hh7n5B?&;#{ECbaKV;y{}1j8 zn~(SZIP!nVznWA~SvFbzFDsc~_||Ni#W~f+SCsOe^>I}p?S^6g{}9j9`fzed(l{sU z-=&1WZz=d5fj{r%_29%K|FNnU*Bw`-)A_N Sx>z-0_Wlj8R>`+f`S1TJ`3C6# literal 0 HcmV?d00001 diff --git a/icons/puppet-lint.svg b/icons/puppet-lint.svg index c2e2cf7a33..4e5d4d049a 100644 --- a/icons/puppet-lint.svg +++ b/icons/puppet-lint.svg 
@@ -4,9 +4,9 @@
Date: Wed, 22 Jun 2022 18:01:39 -0700
Subject: [PATCH 437/844] Revert "update image"

This reverts commit d26b20b23394d4bbd531b69b5188d6e7d0887312.
---
 .vs/ProjectSettings.json | 3 ---
 .vs/VSWorkspaceState.json | 7 -------
 .vs/slnx.sqlite | Bin 131072 -> 0 bytes
 .vs/starter-workflows/v16/.suo | Bin 34304 -> 0 bytes
 icons/puppet-lint.svg | 6 +++---
 5 files changed, 3 insertions(+), 13 deletions(-)
 delete mode 100644 .vs/ProjectSettings.json
 delete mode 100644 .vs/VSWorkspaceState.json
 delete mode 100644 .vs/slnx.sqlite
 delete mode 100644 .vs/starter-workflows/v16/.suo

diff --git a/.vs/ProjectSettings.json b/.vs/ProjectSettings.json
deleted file mode 100644
index f8b4888565..0000000000
--- a/.vs/ProjectSettings.json
+++ /dev/null
@@ -1,3 +0,0 @@
-{
- "CurrentProjectSetting": null
-}
\ No newline at end of file
diff --git a/.vs/VSWorkspaceState.json b/.vs/VSWorkspaceState.json
deleted file mode 100644
index 2aa78772ee..0000000000
--- a/.vs/VSWorkspaceState.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "ExpandedNodes": [
- "",
- "\\code-scanning"
- ],
- "PreviewInSolutionExplorer": false
-}
\ No newline at end of file
diff --git a/.vs/slnx.sqlite b/.vs/slnx.sqlite deleted file mode 100644 index db13a0a0d99f0c0bebaa2b65171fe9fb27315cec..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 131072 zcmeFa34B~t^*H{vc{A_L@|w13wk}EAv`yPdvoDlV+B9v`HtCY4ENuvrnU`eRWG0=N zv<+pOu*fC?B8bSYh_Z-+8!lfF1w|APK}Esu7eR1CL_tN=|2g-*eP-GM>i75m{a*NR zZ{I!Vo_p?j_nvd_IrrV^-M%HBQ7ea%sj*0=vXPm_uq<<8WhKKfqwqiG`ri!rhoC<| z&RYIm=%1rZZBwNOk(Iw8&UEE(fja`z{F~*=rAvK3_449&{z~qz+zxJ2Arfx+|8FGV zLr${`L*9~;!fbYXJP}h5^-hirCP&w)L-9mB6Hg`v=sy#~>*J$pS8SjwACl6sqjSy9 z&dRQyb)6?y?mi|O{Xw}B{G*>Otc=FU?p*Yxe&+SLPOyE}V!0$1>V-Q&ZHjE+ujpNNdchvI519|8OO z(Ccl6QDVwV@39VD6OF3rbbK&Aid{6s>O^yl!5loZ%T@v6MCqMOXVfu6gw7%qWu;mB z-NWD-~)PY>q z=`3?12JExU2`)&-GUuFiVC?0#-d}TGpG;=lh5cm4Icqte{q`B>1Vj7!jB|plbLJRk zoc2QV@tiYqY%`9ud-MVG-o}eQt*xEX$GeRi9nl!PdO^dojCNehOUx~_NXID39QqWg862p?WWJL`-rI3-RH;eQJFwqMrW3u*I`+B;z_ZgN) z$1y5dhL;Z0ItDgIFQF_u6o~=drKZv_(Q-8Z6yx)j)YP!&tt8`6Cq~KJpCtPjv;!?8 zPzP9F(lLxYIx-A~X?ILDTX$3~tG8=(^;jz7D?85XE$IyFugp1+2ew60Y9cd$YTF6( z<$ZrnEGq@et8}8_f+3%EUJmAru;8qKV>!E4^p@-c%{OUkKFciBn$E3h(SH_nuht)J z3FNGH6lzE5+YvfZ?6EG3a+*b{k*RsL)netk&h=~hw(P8oPNc|;&FE?xCV7(gmeg0U*?DA|^s1RmJTXk>w6@-+ zC4zlC<>HZHM3(!sLZL}pvyBr=mMvpXAtNWfAJ%Bu@$0<1g%}+;D@$t-_J?Y6rG(0?_ zruXd0q@$#r+P&#yV!pPsH*4*Tq=wZD)J=fz&V=G(3<<7N2PcN-(-zOtz{lD$S%KDO z(nn}CAH%fTUTd}g5I6rK5gY*jXDpIY!;nPw?0F|*$XoSaBZ|DFkN9%_MdGlGMfH#x zedhy$)cV&5;T`evFY3QT@c+X3h|{v4Ov?GanMf)#F|H{N+*%S&H12w z)&-|}Jj}{VCERy*nGvI2>RC?LX@6nN9f=832V?CqwJF@t5LLrX4Q=(|NOPEsf!( z*0#EEq%j%`t1Zp-YF&GCYl{lSgN+T*mbTU~G!zXtMO$LwNJFGP+!$+XZ5kYkG{l-> z;nu;%!B}&wG2GVJ(f~ZQ#=_7fEXlQPUHiX;inj2f2fr(g4eN(upeyACc z+8e{oZB30sYD=RUX=@0#4-U1p54K0cYI_Wtt7~n9<{FXL*1?9>wxQ8hgv~sLrrbXO|9X&LA3>X7Xvn-zu{FaBgUt=$y0*HyhPt|FdjuF9YG{lN zHV-z0TVr)?bQDBd>)N$ZFxa9tHAcfjtNI@Oa5E@7x>5gz5aIp96v9=EI%oKQNB_>B=^h5%VpA=(odzYOCOgm zlJ-kIQlnJj`={?k-?x2t`Y!e*eZ9U`Uzzu9?_=J(ycc>C-d=B;w@iFZ{GRwJ@oMp~ zxLaH+E)l(+-+7+&e9m*FC+_L=%oF}9JSp5MoF_zt;{}O-k^d@x1s~xXct7_d_f_s{ 
zZa=q{t6=}gKF;33p39!Z*08)~OfH-hnO0U3$07&RMD2JgIj*KMaWzejBX;|q?LOT9 zmT=+nLn5<5#|n>6435UrBL%S+9~7BY1bZKR`97)^L|k-0WL5&=Xe0&Aj~2wMo)DRK zz}u_tn;b2SHa{aWjer(UrVEl5Z*5`UC<;&JE~-= z#zm$c(US!kT%4rB8&=1F+!3T)ouC}5snJMcxFEgiF%4}rekh(Qj5bQqV#!QG%@jln z@1y;tXyKTe-j_*^7e?Q!qeu6tsiTT#SzKf~K|HY}L646`h6@j#>Jg3Oz0m!_@?0=1 zGR;U+O%z6|9}=1Ehyi7k+yS2PoDc46uC#docer zI_n~d!g5&DPx*=@VyR@jur%iH(P+gY1=}m%Eiwy0rU%u*@kn%E?c~^~tm~=rQzJAYJdq1F#?0c3NGsrnJNNCVc9|52=a-h zB{5#ktSur_fwe~L)D~{0!z?+73xxOqH5?5eiY8-r-sf(j0!@sgUZe)d%2REZ$ZQ7c z7I=6#o*9`K4C62XQP^KV#YT~-*6@cXM(r%k-XJoIbzlmPBii~{zMhV<1oF7oPPV+0 z!p72r_;rA-Ugm7Pf6m1aAw zpjoTw3qgBnEiXTTlGAOZ6;`&2lGE&>6;yS+X55I$%-f6Nl_FCHas_>Dtyys#?VMrr ztiZB%+M;IXY@jv`L~WZ5)Jj2`J+p$US}30m8)idk)=_MB%Zf6ui7E}7t+FDNHEJAC z`(y=`G|X_$^lYFDg~ z^5t4B&6ZeUrOUKh#D3TyODTlf3@c<-4IOQ0C#>b=OK3Z~ZLq>-E!OHd^wYvcRAr#a z%&~G+x;3b-rqUdXB;d{)r$I5$7A~a3Mk9l{YfuAg$pVpCjYBu3!onaioU<}8FiYoC z5m4r!JCe>&SrrZmt8z3!m2|Xdyjp9O&ZG1we^$usxl~P=JXxVtbLb$pec(_#85tWb z))|^Jo9cPvy9+zGw8GI7qheJ#rA>GOqnSy?HDhC-RF+YlMo_|FTgQ`hw3-;DR*WGy z>5Xd^=z@VUw}dMF$V4U?j=&{D!wDO_dKP`d7I-+GPESx>Z;&Z1#(wz3gUQssq0!{Q zv{x6v;+dL7gs-axQutYXIx_&54ULb&Y4h5#n1NV6gN{*d)a=_%$fX^%f zt;hI8`t=t!J#f+J*Gi@VQ;a0SWnb&MJE1L|r(y*LJpi_Jb#(UhcIw4tA>aV0#MJT8 zCWJ0>4U-5{MSRD4qdN!luM+^U_F12G!R_CU$30UzmHE#9l;s==~7M5!*5ge zD}(%re67;M&z6FLH++8%{Kofu;CbH{0uT9a41Atvl@qu>aR2Q)5AGKj3|!?~9XRZp z9f?(iTgiMazg zO6*PJEFly=fqW-a_&#)09fqku3U3ecbGWhefhc+UI8q%;4yK35yR9(j{Q`?AJ(2DQOe`BD8=Y#aw3NNA423BWIH;#H+(RX zfvHT&KBSk8BuC*sD^hkfsXC%Y_l-qThe*)}vHigmtbf5ql9H?N4S*0qY(#mH!Yi@U z5nvkz87a78Houb7H;d+wA*zJ=00Q;hq7!&Iiid6&ouKzu@tvG)zv#rcj8rBYMknaf zGQOFNc;}LYxulZsz+rD}8J$%xrd46j=!9G}i(kRz_;;B1E#SL2eZQCAZ^v9{#nHBn zPVyJj@O=gy+rH6>dHy_pjgE;MM<@Ke3celSWRyB#Q>A<(&dQuh*+u+TE_Z|ItbZ=L zfGs;fC!KRv@KGx~XNTw@c=l|56~QMvLpMgT>@dRg9ijtv zMj7AA=Jm!-R`DAs#MoOo>K;ONjUA!`cn}-acZd$yfpWf`&F@{ED1n1|c|58aB&Y8X z9putTF2CnAHJ|U&K!tj-e->ZQ=6dwTv2(@_(a~ZOTg>kXO%PCC@8=kT@_Rf-kx$1C z(b48UielR#I#Bjj@|{4Xus1VKILPb494Y0S*?eBh;YIv*_UN9yqb-jo@ic5l-yu4<>nC+`J%)P} 
zegUg1ez5tw@mbgP@O)~JpT`>Bz*8`!WYg$?axy{Dy?!SJ_&KcZ>Dx7fUj`4Rss{8v ziaP;xyw1D4iEz8lBfYUXNuQv4~6l^Tw7h7~9lx#q$ z>v|BL*W7JtoqCX-zQ46S6Pw+GkQ5_COvhrPl^3dlwpw*)M z4ew8wKuwR&ast)8Jj?LO@a!x_DQn)G8my0zlvT-pY(JP(JiNf%1y;!Dc)p3K2HX!n@R zwzXP;^)yF;#WPZlW1AFPy&+|0sl@|QiWAb})xd#Rg3_{-Sv(!Huzkb3QA{*Q0guK^ zd{Y{8NOgwZlErf|9Y;U)Rumy+W8XCmU#sSqP>_(t84*H44i7{S1>Uh$cRK`7#5P}p zU*wC}Xk11-)2kriqs5hgt=8g~`4zZ!)HX2YYo$y1?*V)^E|0g-lLqRE%z<*Rr<<(GkqbS&&NR=|4r{} z-d}rP^gi$XvG)fM)qmLgb?*b-`@Q#g@9^I0{iydE?-kxlyytt*_8#)4yrbSB@9ExC zy*s@<-i_Y1-s8P3-a7A6??UffZ>e{>H{cb$jQE!LC-GJB74Ze}XW}#B6XK)dH^r}s zUlczp-X-2H-Yk9uP6}KuUL;P5XL=s?eBJYa=YG#Up6is~ii+|n_{QNz<-^LLvPapa zY=e^y%auh+rBbfUR6>eR;X-eR-VD7K`gQ2V(DR`mhkg)xEc9^b>!Ali_lNEY-4VJq z^ienuaYg8o(D|XWLx)1C&}e8Vbb9F2(9Teg|FzKC(D9*`P+e$gXkln>s5CS^6bOkS zCiqtHPa+%mc;LpswSg-F7YC*ShXa|wSYRkH5I8xoJ+LXz5jZ~39Hwn7snEzY;ulc{=zt{gs|E>P({a5?n@4wK0j{lHfht< z6MdeyJWqKZ^L#>jMtWTOw)CL%fOMa97o4`ZQMy*TLb_O*k`7B5X-pcD2Bedv?b0T3 zLQE)EDVHf1D(5O^C>bRIUx2JrPEgvEhTyAk-s6Sf&w|ecp9nr0{ATcL!7m0s8@wxc zd+_GqM}k)eFArW6oC=;9JP;fY?hVF*rv*C{Z4vGdd~B@=hvPWJkNS=lGaMcNe$9cX}(l0O_yYe^S$MJ-S=zX3%+N4 zKkz;3`-blU-)DWF5{Jao#9d;KxL!O#Y!Pe4MdDm>mN*OMkNf9J;NL9)<Ng5&P=_DN> z>1ibGC+QxN?k4G}Bt3$`7A9j*7BKJK10i=Yk85DPt$Tm%R^co)bfCq z`?Xxwa!Jd5TJF_yQOi9zs6(tkGoEG~%~+Z-BxC+bvwzU+?=*XxW`CpETQvJC&Hh5O zKhx|@n!Q1@Khf-uG<%(9f1ufG$QpAG^Ls6SRm*>;<-gVP-)Q--wft9F{)(2rtmVJd z@|U#yMJ@k@mcO9o|D)yqt>r)0^5?buIW7O0|M!f*Gb|A?@cFD({u3?#v6lZx%b(Hm zr?vctTK<%l|3J&1)bb~^{BbS+zLtMa%OBJ7?`rv@TK*j^|F)JtqU8^3`M0$En_B*m zmVZObA4Ku{nXl9Azi9R~nthdKU!mETY4!lkzC^Px((DT~`#jA)N3;8Bb|1|?OS8|= z>|UCEnr8RV>~5OfMYB6Y9-d|8Zu;~|n%zOOPtfdknthyRAEViAG`p2%x6tfnn%zXR z8)uE;K7jqqb`Y_F|rP(z!`w-2j4P&ScW3HlwSJLbX%(|Hm(2UrxZid*e zZid*eZid*eZsrn-axu*=qS^asb|K9!pxOB}JC9~lG|STLT$EM!IV3%sq-T-zOp+cZ z=@}%QB4N|aekb-T46l@!$VA~)C+XgAvHb}v?K?=4FQm}21f^CBo zY#XFt+aLwo1}WG!NWr#23bqYWux*fnZG#kS8>C>{AO+h7DcCkh!L~sPwhdCSZ7>GF zwm}NE4N|aekb-T46l@!$VA~)C+XgAvHb}v?K?=4FQm}21f^CBoY#XFK3QlA{`8U`$ 
zC;{6BDcCkh!L~sPwhdCSZIFU(gA{BVq+r`11=|KG*fvPPwm}NE4N|aekb-T46l@!$ zVA~)C+XgAvHb}v?K?=4FQm}21f^CBoY#XFt+aLwo1}WG!NWr#23bqYWux*fnZG#kS z8>C>{AO+h7DcCkh!L~sPwhdCSZ7f>_whdCSZIFU(gA{BV%SvF|AO+h7DcCkh!L~sP zwvALL7B5R(8b z9m&{bFTqC%6CWmCOhlw0c<`V2GkzYP=NXBEe{stFxTc+}{7AW9stnHM9+tRZ!1qev zAKa%ySHnK{btUV2EbuCKz3<+@^W25XBt+Lw^<5QsjO+9r2z-TWRECsYToo5o*06u| zogDa-@5I23zUsgSyl)3m-v0?i*`FzO?4#@#yx$D$@ZJ(w={++r-+NL(@*d~^i+7Iy zWiR7@hW$AE0rpJsfBX-L-}ZlAyv=`uc%lC?i0S`=9T7+TXDDxqJ^oR#-oKmegFSao zPz^p6Y7YIkIK$tiEb#ov-xAyy{D$WVi0$9+4|%SU-}W4mf9*M0e#X--KjiVsHwZ7u z?-RZv?-Op3`<0i2pOLqO9u&@#R|*k%kj^{F=(eBv2raY3xBbj@gsd6i_A?*WOSBlbpSgCXu$Z++x&6#Fq$~C~x1aft zQEEoI{mj*rfHl_bXFf={u|~W7%vH05Wvnya?Psne;;=-#{md0}g_Uffm^T;^0@foT z4nJBqb2$-R-nciIoCQKBd&I~$*dt0HU+f#KRE5yY=8b-X>6$NeAj}M^B5Y-k9ue2kw8hrTqzE+xCAZ*ZJ zg<{LyhY0INEXhg!AZc8WEIFYEX2aXk<4jKAL>auSe3A0*3?Zt=pq%y6glPU~d3S0d zjNGHd%e(iN3iW`L`+3Va>8ugEa<-f#E$5G#cPA(?Z`{0li~#dT&bvnm&yJXvv+aEv zk}U$}MA|zal#M+e=0u58PVz?3yGP1F*W`_%cMmTSwgV_Pa^`Gch| z(z|2ied{qcC&4Hg!Fi+U-Gj7d{&;$Kgx1U#QSUyT!1Bh_y9da~%oA1bK8>`e$L*Y) z_S1T~k@fC9MPTHuv2}SjDbZ~T#FgYz6=5E0#@FRjW(i?3By@(FPRK_{M_=P$POF8jJM0%$t=-p*fcs4+%^-I zC61W8ymcC^N-R-#xrY`Qad){pC{zH3_N~hn@_O>d-sR1ti;n2Kys28)d}OVR%ymtN zrIjrLFK?Uy3le(_Ufw|7jwK2&uO}tCmPJyX;G2{VRza zm8*4-WcwOWu|dx0k~d!;IX^%PEE)yO)=dXCrzqFC}k8 z{~Du))Ymluwy=c4wJ$FglL4GJieI&e^eTTGzp9#4q)~Q^h z(tILb6HBTh1!hEFsw6dNYtRX49+?bg3s^Rnywu#de(@YK)9sP{;@Nf{iYrKMEr4!` z?iZJn`9c8J_DM@<}sFle?X{UjEMg{KNfoCE!ZHm4GV&R|2jCTnV@ma3$bMz?Fb20apU91c(G0;rIIb z797iu8`jr0*TRnxHnh|>Ho}kj^)0A7hTovHR)Qb)>st^xhF@*8R9Xh%{k|E;@;it1 zwRL#^zo0ZT%3kFrrCIr*`-)u&xDs$B;7Y)ifGYu40U}IgqYT1Q=U~GQSJjTz@^GT_zi&V@D2DfrBo5%Yxw6vj{=JO=Sskp zfGYu402WaU5QSKk%i?e^>-RCcwe3 zQ?Q50?f3(q&t6jmKO;bj&NYgr!%qm1nui5i6VRr^ZwHXFbIr0M_`v{Db&8^W_ToPk z!7l}nqDh{#dH47KQ3SsaK#I;bi{J+WNYNp)2!0uW6rDwBLB;9tlK`a2L%dej@X&Pl zJpfX6wxtYy1%Q-ITFT(ge^Pdq*7>{r_ZGpW|C|H@(HOZanJwb9B8^=vf?oh2SQ>A4 zKD7$t|3%6rjPjQ9gz^pLkIM7P{on(*Qh5n(0Q@c72=Ha)cDOI^Za{JWTnV@ma3$bM 
zz?Fb20apU91Y8NY5^yEpO2CzXD}nbc0g;DI{ZtXj4o@T5xe9#>(WfBErUE3Jgx?K- z3TMkCJ0y|pEFXRHQkY1xNw}I8FwcUkX|V!aO$*s1=i$K>a0ui7%(VB+yi359fGYu4 z0JC%*0KZL#r|8)Oc3Ahq)CE!ZHm4GV&R|2jCTnV@ma3$bMz?Hzi zLjsK+iD5Zr^_&t`U=OFGsrYziPkJ&D4G)i~={@m8Og&VaN$dGKb#P*sYZXYP4W!b! zTBQS#(ReJ9QNxf#3RLXlNyW(O5|(Etb6U$Opv~@07X(m#A{-&Re*=;|J1;+Z3mxS1 z^}2`(xtwi zdUecj;&j^U|)N-cC6{`thr!Sz*`ayvzLT3k-<^b z*>&f0P-AB2nzdUx^YlC@FQIbD5n@-YALP5Ub3^Bj%56Kky4UPDrE+uUDV1ybc5dzJ z0kYklJv)Ib_`h$pecuY-MYwI`^1z*CB&h?!;I(s@gdnnBD>C$~?4p%{v*v3vyV??bP*8AgdIFTKY)bWJp>rql7k_$YSK5UUf-F$Qz+%r096 zh!drEGM!P!3=ukuP?VKs?RO)~Ey-vE=jV>(!NMKTkvfv26Jv>7yr5i@UE%kZ48Xh^ zAoGfF8jU0pYN{g=9Z?5zS*Nqii5RfYGAFno9m||^)`78?+j@V^d3`dOaToTJ8Rx9! zeD>RCoD&S~>od*?vd)=fm~q+*&Bt@j$g#~h((cg*%zGOz`n0xoN+0hwZgfOr@ahFQ z^FRM2-#IxBT2j|kdK3E0+Zi8I)0xQFcz-1-kDXoJph-br;YbWi-jWqH?36-AqTVdh z8^A;_pp41dYwhdl+TLea9v#Q1WEoyMOzRlf7`=qD>`){IbeEb+!$ix`{8Nn2TT)ZQ zp0|>WL!B5UZ-0{PW6%z?j6fY=eM!eK^61Dg7^dAZ)ok5SwXEK*(bZ$AjIZoCueYQ# ztiLknKpxl@NvVm<0IF>#%$N85IkBu1EU(guh6{##)_FOYGs1$i0*>YETG3mw4>aGT zsrf9kP-{B3rbYi*(7jrJv?Y+U+EJ(-rEf>*M6t)ZEXrvXrIMdv@hA+NHIKqvKEcpIu3>D#iiGCGkWGd82EX_(|m-dj>% z!Di=?Y0|4^GV#PPnbX>Oo0bUn@sx{4h7nor(+Y(qZOt}LELpaUJ%x;%^nO^QsRLdeJi)2l7jaDMf|7NcWl zWv)J`T+>^*Hj=ij!MkG1D+^6v#P6Wvo}y3-j#W@i*ua^Q%Jn<8cIUKe&RkfJZ0#{0 zDVOFma=xuL4|{f$^}V(4oZTD}g#9zmtX#ZjaV2EiYK?9}KdimZjF@$4{~WIpvA3Bx zT|GUp3*7|!&KyY~=K5aP)|=SSnLKZ4m6abU63gsM4M$-rFLLJ z8hOn$l0!vn($K}+UvvJU>0|+W@iK>v#!6-dd@8oB%lq2n=Ofzuwb^NzQJHqs>aV%5Lh+U~HnNvm zyd`!?=aK2OLet%lN!~ecKyxSVG3;V>|A{_r^3AXO^IorU^ojP4U6xLH{%bXn*`0Ue z0yM;}4N#M}|J{v2Zz!_kthz{l7Z!@Bh*L|0|60w(@7? 
zb>(-;EAOd6x3Vh%R|2jCTnV@ma3$bMz?Fb20apU91Y8NY5^yE(zbFBLXIKv=0wz2r z9M3Znp8qfMeT-2q3_Tm#AF2wD1>O$a;s1yKTK`7*GjdXHmTr{xNb>>3{c|PYO2CzX zD*;ymt^`~O{Kq74W|7QrY+tsFVM^F3PK~uS4aJ%x;U-nB4>vWnwTIhdu~@i17Heu5 z8ftGHs&DT&ZqJ5|d(tD3Bz!+H3>Qi5flC5X88sC?m`v>(8ciNd@5y@~QzjivCWhj} zaB)&HL9R$@n7&8^H8{1ZL4n{s&8&+ZfPJN zYQc?FCn{RaIq$TlP9ZxpM7q8*TYStky5PE~p~%E&rWboWF%BOy>{X+g!}x8$eEfoS z{&A2eV``<|O68LANOWIhSS6jVnNLo*&(Fa5c0`R)YV(8gS$c)Gped4b-ty-y`(k z0>1Z1FK4XiJd-Jut>H9b&sohtQ~w@eo4q`CL7R1Sh7YlX)oc+;`K*7ng)`gBwQd;y zFH$aHlG}V&g31q=gDl+t{~P7MlBRQkH~ap@vyztkf&N+rI3`d;*X+jpn$VqenN z>udFudEfRv=Do{%p*P{}^|pD-#Mi{{iJua$77vTN#kJxR(d+r0=Sk1!JXd<+o=(p^ z;jhAz!kxl-LPR)TkoXt*uku&$5x#->cd6>`815{Com$ zd0h)9MW&UN#IeW$HBmdBf{;Nf1J?}_Z+N%w*`0TvaNaMkTYgAnHt1O4@rl9FczUED z_Tqygvx;EvgPZS1)q;qN4v5T3Kpc&vp!v~)c-0dk(++rh)qRtrh0*3`M5YnY;>mPD zQj5~G$&pBUpLzsZ)hXKKa4HfzLJz|GMWzdyq-aN#Ox3u^)FXPbAcKpORCvSc7?3-H zl&cezLp3!TNemaHS3Rbojm8hfQ-#q+DOxO3EE$;2yC^;jz7Nkj~TSSY%&e znJkKE)JBtgCsKv+7M`wA3rEKbzrBS66l)L$*uH{2n133bb#PBxL7YYXl&?r4mP*D8 zOJn{XjaDpDkXHF_ky!vTJ*W<1;^;i%b|H6QKOUqj9);FJ(h0JxQw?jf_TYkdj>@GY6`sCen7AbNfVQ837DVCKIVh zd^ByZxKpnDQ(~7cq8`Uj36^asu zpfAYVia2Mh$kYH68e#+ni4|PdBQjM4jKZ>mx)J0P%~?xc&I`ZVcKxg^B2$62M(orU zZl=R5If$X!_yIK>4Ihd^jMheY?j|bG#5n3jYJjXf)pm)@W}t3?hlk^tk%_^u7T~qN zfQpSGQ?20-PmJ1Gn!Q0}7VE&&grkq;>**-NI5OBt8=K{w6gHL~oQRLcY_QUGbQn=v zYh}K&gX#$a$=kh(wUk|){=}wQtCz2#jp}yP3M)I2zAMdkT0yf`(-(sF(pp}A0wt&0 zNGq&t6(y(HMJuT4c+I#GlbN>{#VbXo4CD&>+FG;XINCYG=2?Md?X*SB&e=e18i?99 z8>p3nG<#+RRkct)9X8B{(yXJ{?3NW}UK3RsHd|#yC~MR>p!UfMDrumTpV%ZTpt@eO zX}NaDidIsm)koW71S&#lbK`Xs&s2mT}`Dq7D>Qw z-Z%}4fwpiVB{muv%w2;TSW6a&%xWCEDHRq5iQ$};fq_{%pNfDo2i=i$hRUjNNLZDl z396){MdQ_4t8^ZvNBOftX3wQ+%H+ukt(rpzu`RS+I~f@pE!G*DGn?vpBS>lomsU7> zVpOaur?d%AU^FwSIIh*8c>|@gjOsLk5(e8ko}{DI#3;3545^U}u34-!=9W;UADPG` z!x8wAq2YuLUOkJxVGBGQPp2nf|6(OmT8#bhiN^6KuP%VaGc}6{S9A}g@LK$IW&nO{ zXnYiYNw0P+W+0Z&prcglFp@W5bElhJ4wzgT@R>!R^%$Q>L-u;pCDVW@MiSx2zSebj zLR&hZSb;$gfGu4eojtvsdU06@H~=a!b$m2AIi@BuX&p2t2n;}tj;%dAcXX}o+u7B# 
z!9uV!0Aq`Q*L7|^2`(G&)hkx`VE_S5w6@_i{!$T)YyjTd9a`TvO%|CV1jZ5lg;yKS zDV30rPegH#ksnOb36=V26SZJ+;Uy(gstzgkVsCsRLckd7#j`~idB77EM=~&c1}8GA z(V>MNIwg1Yo&+b>(qO<ULV2eI$_@dsCaHpu>*8Dil6zaK02Di%8M&^JOigeF2=p&7wn1n&!8 z5!@SG6)Xw77WhWs`amks1$%wJ|9AfH`|t5z?oYyAztvwR|4sfO?DVgf&yfe@wemvQ zEB!+Hwsep5era6VF11LU?*-q(>~DM@@TGj)ef2)S_f_ws-dnuqdt=@cy;WXD{JHo| z@sr}E;wbF$XL^3+`Ksp%Pt?=u2?;L=4+tL+b_)%HkN-LUS^grvpKs(j?pf|W?gDN% zw}SJsUt%v~qij3thtA-CRCSe%9Z z3HEE>#Gnd7D2%xz3wxGTfH?wNYO+r#_@WkPVef)Oq4`XF=m-OEX%@CHI7)^_BM0GE z72(JD3Ujb13)>hRdusY$9-i*-8-c z5_7nOeKMR<@rOMM6JL^roe)Ya3R{loNK?a+P+>bnP(gDad3-I(!p;a;MkT*LXBlL& zyeJD>A`LMTJ;F{yq{i?4ESwk>n`+ zx>;f5nk;Oma5lmZ>qYmCMN)?f<1Wd<1`EYCn1cNitg#BCE`wjPBGVD30gP{A6$@i8 z&cfCUM@|G@7--qTn6tC65yL&@p$PsK=o!?-fI5iSr;03W#&AD+KutyT&94D1&BB%p zoflvz4-kKW1q3@X0vf{U29NaH8$l2qM_{Oe7A!x@aR- zo`o$NX-OS}6*JlK8w3_)VY`NYLZaB=hb-|O6klWG?zY~ZNd$F!nWgz_wG z-H?aW1T~yiU}+Y%Z}=*WC85EdRKd*7W4_4HDa*nhj<{o}iM5iPlZ9Oz@#L6R)e4`L zg`FI6%77uY0$>GEL3jb%=>U~xVJC-dQgdmoH9HHNIpR1mETk1&o`wA!_FgxNR^Z$$ zZ0b;URy$}#D9OTp4xMep^jRULS=hoMN7UL`K~-7Ux8V?V7&t3Vc@}nT$d+!?tiXya zY}#;Q8fMH2EziQf4Xf&w%L<&6g`FD;-(sw+@UkrI-|)q0_Q?t>&%*8v3F{`w3M|XQ zz6~pCR>%rln1xLnMs#4G;4nN^w2Cb3;ILbUt+7L4^G2ZgWKs)%d)U# z(_m;stgzWx*skH|FztpFJSPj=G!&P`RM_FLS<~T~b+E!`XJL;<$QuU13a-e)HVyk^ z*Z?bZZWcCaIQpz=--=M4h5Z`75M9$-fs3-RXG1-uJEa{<9V3voC=0tdqR=!Cbs@xs zS=iIzYozY#LTJmfu(#_(G^_8r5ca|>?Dq&!;>a$9wjc{TKh%Z9t6d0dX%=>a9R$mC zaTh{fkcAB*B?L0U zxK!k+^t~$V_C4XdTUhVA);B3M`G$R+LZz?HH&dAA6TC0+|MWiP{kr#F@0H$jyr=QM z^={&~@F~9C+w7eQUW6C;XT>M@N5n7kUl#8YujKC%r^HjlRs5ymbk8fE?|L5a zT(8{fxfsq5?DDk3mkyufXL0`oZ^DDzz3jKx``N4EoWKCPnGI7ff+gi2Wc84MQ=;h^ zLN&|TOeAwlrLc-K%N$jhdzc^05Eiqn-FZ28p0L_l=BQP*V46^ca1xaV6)dlsEwmd2 z4(#q!sZg&2Z2^hn7YbcD0B7y}MbH*EoJbt88446IMP{Eo|V7q5``n_VQ9;1?#{w1}Y4fC@fWljq18=zqfJg)jpojy#89p9ZHEU=@NE z2!RWNLInU1rpeR%>B0h*v#wy6E2J`^k!2%!BJO*NTwM+a{AFcm@mI9>e`VLQ~z1v;q=(f0H( zUL9>O--!|x20V}?Y^^APSp@%fQj5XZWLbUGV+U&I2rJDJCw`PDZQBNb`3O@cfGw_=;QLk9i+gZ7ZJ7MAV!a`gqXh( 
zwUP_WB{OXftWg|ok~J)JKg7JXRM_t1h(L1*DP%ohZ*p(sKqR~u;ueJ1U&#Wa07fps z&_ZE@lQZpH1bVnA&A-$O15O65NV#N#mJZuY65;XBmJZvXxr71>U@@Xe4!tueIGm`a z!}#0laeYnoW}VQlvzG@am#9B1oKl!*cppT-l4IbZrM-XSIAMQb@)qpehU8^J-;o+h zj*TbNS~GuY6UL6zjE0-rh_po5dW1$GkTym;^2cUj_y{c!#9Z<|%aAkts@lw=bYEBK z8Ut1kxZ)_cjKG`T%307F=ky0LS1u4bfZ-!W2bgbwM1WE4q)QEz4?JNz z^XPgDo*W(SK8>s`;WX<69ONRnbBXD&o{U+d;m~uGNN)}?COVFjWq?~5N(*SL4GUTr28v+uV;-t%^a(Q<7R~?&WVBdLAOwU8 z0MK&>-Wfs-eK1cOh%)nW6sBme6sbr6F(d z_2AEfUkQFHcx~`dPz|=RSvU{ykH8-SF9yCBxG`{MpgXWE5b(d{f7<^Q|4ncz;4FW? zzYD$rSn8MLH{}=PZ^HinX7~CLcZ2T|-$CE0zAj(2FX;V)_kX-kdOrpG{)67Aw-fgJ3%#QFC-Fz( zBjRo1`^5v|E^(b$FNQp?d7k%t&vU2eTF;bc(9`2t;h8P`TKJ}Lt8keR6*dUfLJ|Kq z|2+Ra{yzRX{(L^k@8s9>ZR{=Vett20H}H4vRqngo=ee8Vzj5v~_rL+w61f zsUWap`eUDCO1N=2^P|G9Ogkg$XRjkW7aCE(w|Nb0_9fU(har+M6i$z(BaOx`9pP8c z5n4Hp;yXqVa}WCgxrg}?H$Iuyi^fbTJD7*q@j~Z%W|D=XNi@WAjuJm}4;gAEj@<1i zkg6(RgTQU0mkjl)8G0~`98zJ=)98_74`iKlHyO>^L5TDLvaWJ=u5w9(B$O}`Ij2I_ zbC&ZEgvwoHYiTJ(Nu5L%ca}nvYwb`3^Bmd3>A@W4PNJ0X5$o?FS~%}%3g&0iV2P}~ z1>}HzKbgAdmV`%n3nc_kNT{zIc9V#lqurS7OraXyrsjY}A+ZP9b8`z1u!qZp6$U2k z>fw~PhJH=~$N}~Y!lfCKVm?U*Pk|#H%(G;vix*_2N3`?cA(ka(!7RiM?If?sEOQ7J zG}$b&8qIaUqHs17#)b4R(XpFb+p=oC_;!!c1Ow?pYu_4Q!m4-ax#0g&n(RlDA+Ur@`UH+(F)gS%`0; zm%IhD%)u_$sGpF@h3jTGk&RV$5ZkG{ict#diKWy_93;9AgWpTy5UL*-hf|G_1ROp~ z!C5;(ayxNtSc8|$Cx|iCi?H2o#F*+Oj#hxtACqN;Gswx@4g&z1x10e&Vq3{#!&;h4 z@J9+bEjS}6%6xpb(9F^2T;yknRCLEUN~M!XMK5vG=%&-kjH@yqBRZTGAcs9$)z$W|>RA|x=|dEYWix%HH9DVa{zpgVIbnNE5U%At!)C%wecBuuBLi0mz2 zH=IZmfmVPNHj6oV$1X|AXbyLdA{!lGt-1Q97nIL%A~R3# ziX5+m5L|&(ISxYhvgN`_g%BK!b+eZcZD;$k=QyI;j3Q^1BvA|212xReWZdgTI5~k+rj>6iKZjYiCPgF105Vp@QSc{f#jB53q;G+TL<(hq;lA zUabVF9#8zvg-)I_j}x_J`KGCz5}+URB7v1;_!s!PH$khL-#xX_>a+l>A4jX_|LS*) zRM(sz_)fKrHvRY)tGAQt8iqq4-J@FE5kD0+z5zxuusw&3ndTcT^l|V$!m2iqv915L zFs3ZN55E7uVTQQF^N`rV-RON<_zKT>CZ(NXh4>Ti)xPiYQ^L)@2Rw1#Cxwf|Gd%s? 
zG(Q$NfjiH0hv#a~{(r*Hf zNZ$?IBz-z?NV+=EBOTy23kmLc&sJ|Ax0K&4?BpsuYrHL-kKf2$>z&2^iEr|G*#G7$ zg*NtaPrWb8euWPTbJ@E+3*_&xH;BWq%lG0vw38gtTTx zWsCS~&InK-!XiYl#ANZ2c-@I^U0A`lYhG)cgBxou2=En_fGl*w;fI9Zs4T*$tCyca z+*)v5gI)#Z81si9KgSX&$4=V<?E=M?uF++so!iE; z59wuQh>5w{E@@X#`9iEk?`u*8G9MK~gJ!^e#ebDaRMoB)z{2CtC=OH^5056Y;R58FN1ICU$E_{ENRGuE}ZoTu|O zNKUB$g*tCEX z;TyC0m4-%e0v{wQO#e6r`}7e~qT3BDxeiP0@ebsu;E9Is>fJ5yamvHKn-POXRCD54 z*y8JizRrV_=SR^Lpk>SR>CJbDC<`7Pctnme@=N$WshYIJg=m2#2xL{HI8`&WRXr#!dw|-E&ogi1*mgjvqnY`eX;k&V zKJn$@J9x`{M>@H zC}`ESHP)B|1&eemO$HYf6gyrLxtJu!r%{v#GdDKCPRm6juhuzslw3UHH9K)bIxbZa z*0YK@81&PNd5Z7~ z%%P`~D=d^+e!xM~IuD$j22B=hbHa%i2=n~~$7#->@VD~&3u0U5inA5DnIAhsy#gmB zB-ovl7o0=pVUL{F;3rRBC|s{_YwTSGYvtFw(9k5F6~Iw74<6vUrJTb7r{$OcK!=~;v(D4xsrE>4>)x-V=Y;PFpA&8o z&KJ_cp!XGFyYf+`LpjU)WMHH3H-QHKoBn6~pYmVgPp}_jv+VQiL+pO`elE&w4?YuE z$Tj-+a8;bgznOi*zly)yU&m+pL(=2YhxyYX9^dY-A=dsC_m4EpYuR>-gVZued(KNEOce#m=3zF#T|-s`)@yC<;IyHdU> z@UnNVe0lI>c~p7PccHvT{HNR%>I_$PxyZ0`@ZjMzI%l(@7*9? z^2h&z37L*!5U^tL6XR;u>fxQwcWGz&jkv$#UGFDVj3fBWKk*Hl$NyL1)*!!&I5mr} zcM^x8emw37bbmQKpMaYz{n^oY8V8!;DaUzo3oc%a5(hf-1Kc0j+~9NP@T)B)jtUEq z7cJ<5%ljF~vi58V!j$92iiTVOX&&w)>63%pLfqpLh&B9DW|mrlFQqu)aZRCpG|b$J z3va!^L6~_8rEbPpPDH8a52#GwhD-~mtj0ZRo?uGG$CuDR3C?ycPQo&{q|6r=DaIk7 z9r!_w(n@xRSv5E0v03TP|g#-DsD)~ zdYI&(C6=AWSF?s+8%mBtUUVll@^Z7a06TL6ie1NWG{`)O&K8Sf8Y$f5C_^HvaP@1! zbJBSNC1`r9nHw$7SpRrjKNfIRKaRaN{nYKGs>MrLUQ{`XGe}#}=>BJ*(1MD_QS1=XKH3Q0_eBhG8>QsD|EpR2 z4&y`5CZ%WtJ1Fj*$%pL&3OH#(Q5U!i<#~LKM>xat9L|t@XLNohS1A#^l z_Wih@%6|yvS)31rk5v2wM`od83_r$w{E?0&{HTm?&VL5s8RRJcd4Z=F@LflX^8XO^ zb%DV40iyDAB3k3K`Bmn$biAb`DlF|R(-u^%xrcQ?j+@bMWIcxiWt$f8o2_N}PTq8( zMj+>3v?~TTqKPmM!~mHMXavZ@o?a!m9-sB&7y$1??QfiESclr&ei{LAI4w1a1ojYeZC=y zZRjz#&M_?9YQ7?T?7@~D$7@RXdgmlU)Gef@c@_r6Y77}f*n|w|D*!C$!ai6JQt0Ly zfg4cT=1~Q#tFNLE+-X}nVaYnweA>s9j`73JM9pW7UE9B#Wd4C$+yZbXtr_`fX|X7n z3C!Q~(bC{fTGN9wv76?47PmN7KFEkT(a)DbDf#zm#MjSaF(0quH_$0lXnlJKb(8TL z9PJ+rKE}YsS(d?z9k|;uc(Lp*eemMLou&yu!C&JXM~HKKo>7A3#93{AiN}02_!u^? 
zl_0qmq;8zEWIkyh`$*#s>qy3ePoTpiSFbvH%bYup@31OV=f3Y8RQ zhew!K80CA)ZAwZxUYQOYsG{PBDx@8y2WJqf;m>$!6|mD|KE;}rHU?2p*5u(z@ov!m=bww0a73eX|P zU)dB~0k#0HMYL#l{o<+8DY*5k3Sg$9*FnWoaL-o-fV8t~diks=xYKJ6l{@Ji-3%8 zXiN}XrA0u-*EBk4))ZWxh0@o*zt;g}Q+Q(*0wUyIe5^^lK(91o3hu}% z!Ae&2@+r6(3tzwW1cF|rYzlA1LZEgFzD2U-Q*bF3si;TTEWpw!ywwpa8V5ymnk7?k zD;AC%<9mJ`QZWU0Vl7695qYzaESrKGu?R2bNfN#0>?ye27zcsnGh9p6*;8;amJT-0 zm*}-CrtoqstZhANqC-oj;BG9!uYT%8hm=pj#aJi->j4xUSTa>js~KleOvpkCA>L@~ zyI42{cVe{zLF%WrdG;;cDV~CBv2glpw+HBiE2iK^EbNEv+=>n@oq`*&@RgXM5gk-K z1@~bQg4EfqmzPb!Jy)fFawuA;ui!? zyT$34HB)de7E(36Nd<8iOu;2tjewiaQ)W;Z=@Q0~T(&WeV=hI>kUd`jsR) z&n;7Mn^wMx1y<4qYfbPgKTIFANC%%Du__QMGpf~3!S!2spQfW)?mm+>>NHHjtz6r4 z>X6kyK>@c+!3|y5F?&M=BWgx#?Ne}L*Fa81&Fe(M%mo{5nEL;459M(l$LUD~OiX-6QbyzuJP-~91cc*x0ta`P2+7U|CkQBLDN)OyR!U7w5JZ%x zkW?xuHKit&R!EsB90w{QmN6PlVx_xhXJ_{DU0L}nRo?x#)7>+@vorHe_jUgoV7#QJ zfgM>;=vxfXyr%gB;%|E>J-VRicNrjjE$v3MoBzW3FMK5f0I6cD1~GsU!)+9scq|tA`OE-xHRS3xmsPM=vIHEA0C^=( z2e`^Qf?Uo3Bn%Pc#DSm^%NU@71@Vb}!Ab^5VA!ubA5_s|1{h$7;plnNeYr9hpuPqG z!8-+1p;{N9y{__Uk&PeZ1t_mLUTIbPW7fEU=7q3d!R;d>JbccL!_9HFkzC>Jc05hVU>4|7{NP+UPN5l!NY)Vj;m8I5c% zRjFckDPMyEBSLejbqjLWy7T!Iz|!(yb_?>>yYo0=cL;O0 zpukYK89pOSgaW`@kh#X4%P%bgjkh4@aCeTWHDb3h(7Xku>fKvB?NQ2KQsE1V{Ngq4 zY)>H%w6|c_!`xY>)_@8jG`ou6TTmngcJhxCBQ)b0W28}L*kFZsC0hoOeR9nNe(5Ey2UaRxXE`_k+u*+1Gf+5Oq4vmJH@stSy@zQ}&lTwz|D?Vb5F z^HSz1>r`fgbtJPgGtv5O=88;d`b%qf`Yr2GKofi_{ZM*Cx;Z^AJ>1%o9+Xa`J~kgo z{WZ1M`eEv^)M{%EAPZcR8exr1on?JH`Jd$5*3jfD$sJaCavQ`l47W1ohGa)_j`=xM zBN&-1HcuuK_9x~W_MgmO+Xu~^=FX7Apy#n?2EOhyFigd-Ade?lkNQt3OlMd%b6lHkH=zq4ag4M<;QMM+D|5aWg>`@vA0Ov50}7$V2|0t}7h) z9j+&oCa+QaHxhoDqJd`(+M0fenxdlRP*J62?)+x%$!^yfwYIAGA9}m)#_+c3t73TD zbPj|NsMOR)Zzo6#zcy1Jy^Zp2d2Kvgb}J~mUf!FqZ8@b%uAB)45$3m`*GF%q7BIB& z-Kb?5r2zYPC}dhnNy;nQ`TsbV&_Mj=gw$L4Gu@EzxrGLnW)8M3rUX>awjtLVjkSn2 zjCyH8=7nCXyc}Wc0vd)RUgPt88b)4I@maqt4cW9_wO|F>NL;Xz#UX{3Xw1AtsNQJ+{(gL6zJkW(IxGKG>RJu?cKn+Q5XetXIYiDvr>9zFq1*xe*U^5l@3vEx!)G* 
z4>EN>q-4^-(&tsks%ZJkiWk}o1T|6MKChkT?6gK{K&lp47E8V3UhPH6P4S9ME855vNDNhNSqJ8uwWn*YWnA`UVh9qP~k?dYV8wpXO9lT2^ z=E~7S!h0y2TxpF8o}>hKaXgXK^R$LUQ&i*x|4cEa7KuMsmuM_1`bw6V*2UjDXn#>J zyZL(uDN$XHbM=)XD%!JL{X!<1)=4;7k<*n%-8Cf90J?`y-srf;(up!n=SB4T@VO6G zVbPx9b1z$?ogC#0%P-_Ri7)8bdI%b#QtP^3+ZRBx0PQQbD1vq;?Np?JD~*b$(aY_m zovJoRReA@03vm=#MFB)p69)qH6AUI>Ly`^JdQUyCg75@Sy_fU(m+d>fu6ML*gLVfU?&5Bxlj;Q@$YD4;;{)OzAtJt(UzWW=IG0lGcwEXjq^&Y06&X9sIyF=T&Eqz14Zt-so(#S2^pQA2`$OMa~$z z31aH6bE+Y3;G^uT*?rkZ?8~zEW>?zvXzSbM*^9GvS;N*KlHe8VOy;1OH>YJD$heuw zneSLfGySdCGTHQL>p=QQdUyI^YkPXN^-y|YdVKoo^vHDI)R(DFYh&sSs51DZ`Sa9$ zspVEX)Ed0pnw6?eWs?80#w6deE=j(a+zyuiw&WVCBDum`Vve>P^Zw-YXll957 z?a$0p_DTDQ`4@Yi`Fr~bbC0>_>u%=tynoLO^vuBjG6QgU)+_!A=_0{+Lxn&V&^8Ph zR~tizwf5u))X{b}M9_PlnGIAg8( z4}$9vkAMWuP+>!!(%*#1j{LoFQba@ORrHeZGRC(*fG3)|wnI|dsqi{Ssr_6^F8;98 z`v@W8?{%88O8kJrM2AkMpswOMEPoe%d*5Jh!byuY*R@TUo)oakq3g+*rVwZh_rH<) z7l!)4z*7Y-o>(LOyx@Munb?P4sIYl<4U&$EnqIV41+c@-YddFaUScBv0X@)}2l1c?k z@Xpwy4#jp=_iBh9g5lAQVg8V3dWX(N?Bp4mTzOuG#gEc55k~hUT9k1nx3&RciRe^? zZf``T=^@`9VaOYB)r6YE z19zyR(w-i#ipE>h+FDGE5Z#Au>2U~t5lakfum;aJj}!k#1Bzddt4C=Hi{$C@#c|$& zeJrI=#=^d9jFc<@`hIrsQl}ST{Qns9xR&e8y_kC(to)YT*xW@q!+9U-0Bm>ecUC(y zoKa4#(>MD$RQx-XeLTA<+nSw_y)fH1^F`)wnM0Y!GwU)fnX#FAu-?x=1%Ulf`L83r zAU!rcEL{xw0dJ*#1Ni~@)Get|sllmavMc#J$gJ;3-khvWnt=3w*xqcmoUHmCFvjjaIg9Svt~?At#N*%4SKTjhq|WGYnu z*~mA)SDc3o2}}zTUK@m!i(UJ(k~}0aa0>So z(Q9;CeSR@G4_OK$aaJ&jC43>-j$L;eN9qUXAuEBiMV&}Ih_SQi<<{{+(>)!Kz#j73rxL0~e9x@8908;$) z0BZ_g;@C$otv@#pc?4K>J2|$yAmBZ!olmc15au4y&Ldzn$95cqkUQ8ig#UKJ4Pg2$CqjXTk zAm*FXrF%!AmoSL(M#Z>4Mxj(Ni0MYfq&q~R7BdLo#*W-%xRDC~{>C zBD8VN6_=?o>%6W7 SzKIYnXQTPy;$v(mV*dpvnS6!- 
diff --git a/.vs/starter-workflows/v16/.suo b/.vs/starter-workflows/v16/.suo deleted file mode 100644 index 962942ea22fff9b452b61562d7bf63660eb5293e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 34304 zcmeHQdvIJ;89$r0w53Hsuth{jp#`kj&E5B=FPdzU7NNE!AuTkey}Nri*=Do5-MiZ~ zG(|x`5Ffl>0tzbp!Hf>$=&0iiIx^0Hj({@?|2XRCAC8JMj{gBtf4}=kZZ^ByyN|Zn z^q!sXo^$VceCPR{@B7YU-+beOKR@^KC4UhmW{X%PK0L8poMZX!vbe?hLVN`8ZGaC? zoH#)*`orm%7OH_8MHat;Xcv7V13ND!*_5`;DzRj`&Dj^K8EGQ%!>8|g$Mq=$`uV5z zkh_2}D-Mb4fISIUpEz1Ai8+3&&;za2Jtsh!4=>;wy02z-iXuv#7AfE-jEDie%K$|T z39kr=FrJmoHKNV64BnRmn2*XKXZw7^c(sGyKRfEIH{h?i{ELvn<3=jX`~R#JXmN8~ ze;ocR0sMR(Yi|~)0sw0qyY7$?FARHig*3L{`?Y{>!+%AEaCULFa=6nu{?EVj?z^6J#y@(S5c6gH zn|*f)@o z{2%$g9CDHcKd1m^xG*zTc^mkrX%h2MKGf{53B0~;e5%HO^`Z{)v!l*=Gs{oDg_6_NkYQ1nuDWR*^u~*HQo9 z2JROP{CB{1=s#QT>@*JjuPpzc4fKBxC~5|DHY+B?4p7((fIL86ctjNQ0V#17v(q4+ zoFPbobCx+_gE9Y8hUW+}$VydfDSW9@pxHg0vRcB0^lJ287S|&;m3302f7BP4Itne( zlRPNTTxx_Fz`PO%W@@31plk`F?4|ReN1KCW_(u`4hJmUhm><@^90;};E{kY2<@Ct`!cC< zj6%~47f>4;#4y@W!Pi`gs~@GC@i~H&3R)=Q^c$EXz}N*XTc`%i>_4W->lxT4wgb6} zjLT@A9I``Io*OW#eWyw<5A^KVZgh3BnPVst8O{mB8%EQ|;U>d7jQB+WQz;;{t{g0& zGE{Vt5%I?6b%%elsx6cG<7?R;eDJ6DpL+Z5+ZX-l*5yyM_3ppuZ})1Fed%OkW_OM~ z_3ksT{%q*bQD5ib$&G#QaTuLe!6X7|VGR1V7nlT!Gbi?qr?ZfJ*oXshj5%Fk6$oQh{N>Tqr}H=gjQM@AUWOy!c%LLs-IvvXo%!ZYFbWb-4P zK1q@~5v+x)VS=9`Fxj9qubO77{51Yfa?J_0CoUA2iOU)mUF=JJ_Pq3 zz+S-3fLj3j0K)(oa4X;d;2?l$#9+q_w*or};B;!He+cd|60D#gD8F0w`awT(BqL{~ z`arb*EJmeV9!tNiz=xGK@DBkSnf5_oj$!nrz*-fwT1mhj#T&G=bt^mUqFp;jk2Uk;{I?jds{nTK??%{4 z^RF}ioBW3}|6Avu`K;KCLYtkR9{(le{xw7Qw}9=8aPjC z_9KKD(4=>HP&&XRxidjQO;E!|zG#LwF_B>XL&M$9G;QMlJiePu}By};f>PSvbIO5Ka_ zqZA&%^B6b^A8NV}QhESSFQob&&FzPatKGej?cE4PzizlB{JH^A$nz3n@)w27e;m4i z1bDXDc=i1&I#!lpqo}N@W<7BJc8RB5y&EL_j&=L``@(@fue&E4@VmX8^wVj|(+r(?8PS`dwO4w@lUA=`ER?nmQKg@kf04 zxkEn5$MNoUM{Zljh zU39_X1w}2WN}-U-jGRpM!swdb%j8S74>dl>i!>6Sd>7*ru2~%oJoeZ7uUNUa zs|T;P4E6A4d_6*LtF4GephokrA!nyED`7Dm|8WgWss&}-6V0a6O1zN5PB+gsC8Ok1 
zaZhhb`yl5h5Bm1)GXf42@@TS-_Hi|y&8Jhbj`kr4_K3GR;F0+2Xpf?ui+N>pMkyBZ za=N2^S231O#jjT;2eV^JW^*hYmV@zN$lK))C{m9m&MWz4#5Rz+O@a1i*+bPT#i*RV!$morDomOQ9Q2;j8rrXk5z7r;S}dkx zK4z1hm8- zVMt8ew#$`q6_A9y)UK`Ls*swf&E>f!>LPiLD2wpqcD>Lc4nywKwYhms`s2<51z(4N zpSzj$z3$u!yaOrdU%k*(dXNHlNc**P{II!kn0v8#b}FHzA;fPML^ah1;dH97jQ)0t=`-JUlV3mFIUYNefEb zhnw|Dwe{X7#BUcwsZyAaI5UzS{9!?qNI!ZrhSuW#Q=QVaCgnE!nn~%X=S?r5mg4Cy zj;cILmBKDH_Q7`+L?2|y^5E{sFQz~R$tMcYnsku+DAFiH5@nj1bb$8_|6^IzBO=>O)&8bGOZ@96*L*BVV}`#AbP?k1dn^sTg=9Q~hu1LOQ}DM$a; z3TxGl{*OF%YwRnS-Bzbc|L4*)H}yztdK_~feZ47Ae&zit&DzFSYd#v4pLve{ee9iD z8xP6e5RP29l|az%4g`}icPtQ&;jBf_+ZFRmK{*_BiTmn0WTqV)QM2hHH=^a0v|LCX zQ8rXKZd2chmU)!1T8^&-;*oefaJ=`7Wq;28!IjjA9Nm$M=d)@yS?~;{RBVYGC=?T^ ztY^2rJ8m$WO{<>4R1S|~Dz{6HkI5t0&}VKL^oDHj8I=6VU^1NadJ{oO_RCAypEp;) zK8U@g)=GIroV5Aumkj{PYmop7<3=dKWQPf9J< zZv@1FGS}(~U9_S{hphO*awsO@uu>rC4)`JwcULHpbO#kV>F)|Cia*rlktBaO9GpT1 zW|@nHmMP0O9!y>f;3iS-Z`91}OCWi6%{)H`C$C;&1rXMAjkfx=ksfXFAXjT}Ucf;N z+j*|l`qNLk@=JA>H4fc0T+cgMeoL>p97Q&mk@}58{|)*d^U2|G68$w0i}~CEB@n?W zLT}QY^h)ud5|R==MVg27-z1>(`$XdmP1)GMST~(-<v!U95$EB*H*_jAi1_v00$%(5 zo;rX{DTek%0n7g>%~b4p0}uG zcz}m@D)AQiW?$mYLx|=k9$f(79fP&sSMNo?@S%4cz#TQ*VH?1&^q%}Ue1iC%M0pc% z&EVDK!KRh4wsET8b1>R8?6WV)FFoX`3pMrCF;C{q{3k$dV^P1gxRG1XTlW+^dlyC9 zdU;#t{-4&q|B3fGoBE4!xEm0U%HGd2eG|~k{XbnD-hh7n5B?&;#{ECbaKV;y{}1j8 zn~(SZIP!nVznWA~SvFbzFDsc~_||Ni#W~f+SCsOe^>I}p?S^6g{}9j9`fzed(l{sU z-=&1WZz=d5fj{r%_29%K|FNnU*Bw`-)A_N Sx>z-0_Wlj8R>`+f`S1TJ`3C6# diff --git a/icons/puppet-lint.svg b/icons/puppet-lint.svg index 4e5d4d049a..c2e2cf7a33 100644 --- a/icons/puppet-lint.svg +++ b/icons/puppet-lint.svg @@ -4,9 +4,9 @@ Date: Wed, 22 Jun 2022 18:02:42 -0700 Subject: [PATCH 438/844] fix image --- icons/puppet-lint.svg | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/icons/puppet-lint.svg b/icons/puppet-lint.svg index c2e2cf7a33..4e5d4d049a 100644 --- a/icons/puppet-lint.svg +++ b/icons/puppet-lint.svg 
@@ -4,9 +4,9 @@ Date: Thu, 23 Jun 2022 08:36:06 +0300 Subject: [PATCH 439/844] Update trivy-action to fix the performance issue This version of trivy-action fixed an issue reported by GitHub. The detail is in https://github.com/aquasecurity/trivy/issues/2357. --- code-scanning/trivy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index 06b5cae517..63be9472c5 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -33,7 +33,7 @@ jobs: docker build -t docker.io/my-organization/my-app:${{ github.sha }} . - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2 + uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe with: image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' format: 'template' From beafd2dec2a4a449a4d7adf79bf9c087826bf851 Mon Sep 17 00:00:00 2001 From: divyansh42 Date: Mon, 28 Mar 2022 17:37:21 +0530 Subject: [PATCH 440/844] Add CRDA starter workflow and modify openshift workflow Signed-off-by: divyansh42 --- code-scanning/crda.yml | 126 ++++++++++++++++++ code-scanning/properties/crda.properties.json | 7 + deployments/openshift.yml | 19 ++- 3 files changed, 150 insertions(+), 2 deletions(-) create mode 100644 code-scanning/crda.yml create mode 100644 code-scanning/properties/crda.properties.json diff --git a/code-scanning/crda.yml b/code-scanning/crda.yml new file mode 100644 index 0000000000..d5bb88f46a --- /dev/null +++ b/code-scanning/crda.yml 
@@ -0,0 +1,126 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow performs a static analysis of your source code using +# Red Hat CodeReady Dependency Analytics. + +# Scans are triggered: +# 1. On every push to default and protected branches +# 2. On every Pull Request targeting the default branch +# 3. On a weekly schedule +# 4. Manually, on demand, via the "workflow_dispatch" event + +# 💁 The CRDA Starter workflow will: +# - Checkout your repository +# - Setup the required tool stack +# - Install the CRDA command line tool +# - Auto detect the manifest file and install the project's dependencies +# - Perform the security scan using CRDA +# - Upload the SARIF result to the GitHub Code Scanning which can be viewed under the security tab +# - Optionally upload the SARIF file as an artifact for the future reference + +# ℹ️ Configure your repository and the workflow with the following steps: +# 1. Setup the tool stack based on the project's requirement. +# Refer to: https://github.com/redhat-actions/crda/#1-set-up-the-tool-stack +# 2. (Optional) CRDA action attempt to detect the language and install the +# required dependencies for your project. If your project doesn't aligns +# with the default dependency installation command mentioned here +# https://github.com/redhat-actions/crda/#3-installing-dependencies. +# Use the required inputs to setup the same +# 3. (Optional) CRDA action attempts to detect the manifest file if it is +# present in the root of the project and named as per the default mentioned +# here https://github.com/redhat-actions/crda/#3-installing-dependencies. +# If it deviates from the default, use the required inputs to setup the same +# 4. Setup Authentication - Create the CRDA_KEY or SNYK_TOKEN. +# Refer to: https://github.com/redhat-actions/crda/#4-set-up-authentication +# 5. 
(Optional) Upload SARIF file as an Artifact to download and view +# 6. Commit and push the workflow file to your default branch to trigger a workflow run. + +# 👋 Visit our GitHub organization at https://github.com/redhat-actions/ to see our actions and provide feedback. + +name: CRDA Scan + +# Controls when the workflow will run +on: + # TODO: Customize trigger events based on your DevSecOps processes + # + # This workflow is made to run with OpenShift starter workflow + # https://github.com/actions/starter-workflows/blob/main/deployments/openshift.yml + # However, if you want to run this workflow as a standalone workflow, please + # uncomment the 'push' trigger below and configure it based on your requirements. + # + workflow_call: + secrets: + CRDA_KEY: + required: false + SNYK_TOKEN: + required: false + workflow_dispatch: + + # push: + # branches: [ $default-branch, $protected-branches ] + + # pull_request_target is used to securely share secret to the PR's workflow run. + # For more info visit: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target + pull_request_target: + branches: [ $default-branch ] + types: [ assigned, opened, synchronize, reopened, labeled, edited ] + +permissions: + contents: read + +jobs: + crda-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for redhat-actions/crda to upload SARIF results + name: Scan project vulnerabilities with CRDA + runs-on: ubuntu-20.04 + steps: + + - name: Check out repository + uses: actions/checkout@v2 + + # ******************************************************************* + # Required: Instructions to setup project + # 1. Setup Go, Java, Node.js or Python depending on your project type + # 2. 
Setup Actions are listed below, choose one from them: + # - Go: https://github.com/actions/setup-go + # - Java: https://github.com/actions/setup-java + # - Node.js: https://github.com/actions/setup-node + # - Python: https://github.com/actions/setup-python + # + # Example: + # - name: Setup Node + # uses: actions/setup-node@v2 + # with: + # node-version: '14' + + # https://github.com/redhat-actions/openshift-tools-installer/blob/main/README.md + - name: Install CRDA CLI + uses: redhat-actions/openshift-tools-installer@v1 + with: + source: github + github_pat: ${{ github.token }} + # Choose the desired version of the CRDA CLI + crda: "latest" + + ###################################################################################### + # https://github.com/redhat-actions/crda/blob/main/README.md + # + # By default, CRDA will detect the manifest file and install the required dependencies + # using the standard command for the project type. + # If your project doesn't aligns with the defaults mentioned in this action, you will + # need to set few inputs that are described here: + # https://github.com/redhat-actions/crda/blob/main/README.md#3-installing-dependencies + # Visit https://github.com/redhat-actions/crda/#4-set-up-authentication to understand + # process to get a SNYK_TOKEN or a CRDA_KEY + - name: CRDA Scan + id: scan + uses: redhat-actions/crda@v1 + with: + crda_key: ${{ secrets.CRDA_KEY }} # Either use crda_key or snyk_token + # snyk_token: ${{ secrets.SNYK_TOKEN }} + # upload_artifact: false # Set this to false to skip artifact upload diff --git a/code-scanning/properties/crda.properties.json b/code-scanning/properties/crda.properties.json new file mode 100644 index 0000000000..9e1a7ac677 --- /dev/null +++ b/code-scanning/properties/crda.properties.json 
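Review bot: The `pull_request_target` trigger is paired with a bare `actions/checkout@v2`, which under that event checks out the base branch rather than the pull request head, so the CRDA scan never sees the dependency changes a PR introduces and the "securely share secret to the PR's workflow run" comment describes a run that does not actually analyse the PR. If the head is checked out instead (`ref: ${{ github.event.pull_request.head.sha }}`), the auto-detected dependency install runs the contributor's own manifests and install scripts with `CRDA_KEY`/`SNYK_TOKEN` in scope, so that job should then sit behind a deployment environment with required reviewers, as the Frogbot scan workflow later in this series does with `environment: frogbot`; the comment should state whichever of the two models is intended. The refs `redhat-actions/crda@v1`, `redhat-actions/openshift-tools-installer@v1` and `crda: "latest"` are mutable tags, unlike the commit-pinned `trivy-action` in this series; a commit pin with a trailing version comment would be consistent with that.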
@@ -0,0 +1,7 @@ +{ + "name": "Red Hat CodeReady Dependency Analytics", + "creator": "Red Hat", + "description": "Scan your project's dependencies with CodeReady Dependency Analytics.", + "iconName": "openshift", + "categories": ["Code Scanning", "Go", "Python", "Node.js", "Java"] +} diff --git a/deployments/openshift.yml b/deployments/openshift.yml index 5775cb0c95..8504059323 100644 --- a/deployments/openshift.yml +++ b/deployments/openshift.yml @@ -54,15 +54,30 @@ env: on: # https://docs.github.com/en/actions/reference/events-that-trigger-workflows + workflow_dispatch: push: # Edit to the branch(es) you want to build and deploy on each push. branches: [ $default-branch ] jobs: + # 🖊️ EDIT if you want to run vulnerability check on your project before deploying + # the application. Please uncomment the below CRDA scan job and configure to run it in + # your workflow. For details about CRDA action visit https://github.com/redhat-actions/crda/blob/main/README.md + # + # TODO: Make sure to add 'CRDA Scan' starter workflow from the 'Actions' tab. + # For guide on adding new starter workflow visit https://docs.github.com/en/github-ae@latest/actions/using-workflows/using-starter-workflows + + crda-scan: + uses: ./.github/workflows/crda.yml + secrets: + CRDA_KEY: ${{ secrets.CRDA_KEY }} + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # Either use SNYK_TOKEN or CRDA_KEY + openshift-ci-cd: + # 🖊️ Uncomment this if you are using CRDA scan step above + # needs: crda-scan name: Build and deploy to OpenShift - # ubuntu-20.04 can also be used. - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 environment: production outputs: From 658980f080dea11eda60ca93a162b99239eebf8e Mon Sep 17 00:00:00 2001 
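Review bot: The guidance comment added under `jobs:` in `deployments/openshift.yml` says to "uncomment the below CRDA scan job", but the `crda-scan:` job that follows is live, so a repository that adopts this deployment workflow without also adding `.github/workflows/crda.yml` presumably fails at workflow validation on the missing reusable workflow; either comment the job out to match the text, or reword the comment to say the job is enabled and requires that file. Separately, `# needs: crda-scan` is left commented, so `openshift-ci-cd` deploys whether or not the scan ran or found anything; if the scan is meant as a gate, `needs: crda-scan` should be active rather than an optional uncomment. The `openshift-ci-cd` job continues past the hunk, from `outputs:` onward.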
From: Shaopeng Li Date: Mon, 27 Jun 2022 20:51:38 -0700 Subject: [PATCH 441/844] Add lintr starter workflow --- code-scanning/lintr.yml | 54 ++ .../properties/lintr.properties.json | 6 + icons/lintr.svg | 679 ++++++++++++++++++ 3 files changed, 739 insertions(+) create mode 100644 code-scanning/lintr.yml create mode 100644 code-scanning/properties/lintr.properties.json create mode 100644 icons/lintr.svg diff --git a/code-scanning/lintr.yml b/code-scanning/lintr.yml new file mode 100644 index 0000000000..74a3b21578 --- /dev/null +++ b/code-scanning/lintr.yml 
@@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# lintr provides static code analysis for R. +# It checks for adherence to a given style, +# identifying syntax errors and possible semantic issues, +# then reports them to you so you can take action. +# More details at https://lintr.r-lib.org/ + +name: lintr + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + lintr: + name: Run lintr scanning + runs-on: ubuntu-latest + permissions: + contents: read # for checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Setup R + uses: r-lib/actions/setup-r@4e1feaf90520ec1215d1882fdddfe3411c08e492 + + - name: Setup lintr + uses: r-lib/actions/setup-r-dependencies@4e1feaf90520ec1215d1882fdddfe3411c08e492 + with: + extra-packages: lintr + + - name: Run lintr + run: lintr::sarif_output(lintr::lint_dir("."), "lintr-results.sarif") + shell: Rscript {0} + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: lintr-results.sarif + wait-for-processing: true diff --git a/code-scanning/properties/lintr.properties.json b/code-scanning/properties/lintr.properties.json new file mode 100644 index 0000000000..07e97410e4 --- /dev/null +++ b/code-scanning/properties/lintr.properties.json @@ -0,0 +1,6 @@ +{ + "name": "lintr", + "description": "lintr provides static code analysis for R.", + "iconName": "lintr", + "categories": [ "Code Scanning", "R" ] +} \ No newline at end of file 
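Review bot: The two `r-lib/actions` steps are pinned to commit `4e1feaf90520ec1215d1882fdddfe3411c08e492` with no indication of which release that is, which makes the pin hard to audit or bump; the usual form carries the tag as a trailing comment, `uses: r-lib/actions/setup-r@4e1feaf90520ec1215d1882fdddfe3411c08e492 # <release tag>`, with the tag taken from the upstream release. `continue-on-error: true` on the lint step is appropriate because findings are surfaced by the SARIF upload that follows, and a tool crash still fails the upload on the missing `lintr-results.sarif`, but that reasoning should be written down so the flag is not removed later: `# Findings are reported via the SARIF upload below, not this step's exit status`.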
diff --git a/icons/lintr.svg b/icons/lintr.svg new file mode 100644 index 0000000000..cdc40d8d9e --- /dev/null +++ b/icons/lintr.svg @@ -0,0 +1,679 @@ + + + + + + + + + + From 4235f787e51ef913ae2ae78052c2d771b01f515f Mon Sep 17 00:00:00 2001 From: James Moore Date: Tue, 28 Jun 2022 08:00:44 +0100 Subject: [PATCH 442/844] fix cosign command line args --- ci/docker-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 71aff41d47..e88539d749 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -90,4 +90,4 @@ jobs: COSIGN_EXPERIMENTAL: "true" # This step uses the identity token to provision an ephemeral certificate # against the sigstore community Fulcio instance. - run: cosign sign ${{ steps.meta.outputs.tags }}@${{ steps.build-and-push.outputs.digest }} + run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} From 948fdf226a354119fd08717925bc56caaf64c165 Mon Sep 17 00:00:00 2001 From: Federico Builes Date: Tue, 28 Jun 2022 17:20:56 +0200 Subject: [PATCH 443/844] Update the sample version of the Dependency Review action. --- code-scanning/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 8966511e05..fe461b4243 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -17,4 +17,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@v3 - name: 'Dependency Review' - uses: actions/dependency-review-action@v1 + uses: actions/dependency-review-action@v2 From 313d29fe98742126d16aed69a2e4e534180470d8 Mon Sep 17 00:00:00 2001 From: Andreas Nesheim Date: Tue, 5 Jul 2022 09:53:27 +0200 Subject: [PATCH 444/844] Update dotnet.yml --- ci/dotnet.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
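Review bot: The new `run:` line in `ci/docker-publish.yml` interpolates `${{ steps.meta.outputs.tags }}` and `${{ steps.build-and-push.outputs.digest }}` directly into the shell command, so whatever those outputs contain is evaluated as shell syntax; the tags value is presumably built from branch and tag names by a metadata step above the hunk. Passing the values through the step's existing `env:` block keeps them as data: add `TAGS: ${{ steps.meta.outputs.tags }}` and `DIGEST: ${{ steps.build-and-push.outputs.digest }}` next to `COSIGN_EXPERIMENTAL`, then `run: echo "$TAGS" | xargs -I {} cosign sign {}@$DIGEST`. The `xargs -I {}` form also assumes the tags output is newline-separated, which is worth stating in the comment above the step. The step's `env:` block begins before the hunk.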
diff --git a/ci/dotnet.yml b/ci/dotnet.yml index 5974d4a034..a8eccabbbe 100644 --- a/ci/dotnet.yml +++ b/ci/dotnet.yml @@ -16,7 +16,7 @@ jobs: - name: Setup .NET uses: actions/setup-dotnet@v2 with: - dotnet-version: 5.0.x + dotnet-version: 6.0.x - name: Restore dependencies run: dotnet restore - name: Build From b8cd0487750ed06b0ca6a9e878f561ddaa3d6ab0 Mon Sep 17 00:00:00 2001 From: Andreas Nesheim Date: Tue, 5 Jul 2022 09:57:44 +0200 Subject: [PATCH 445/844] Update dotnet-desktop.yml --- ci/dotnet-desktop.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index 00a78c7ba1..bd2cb2ee51 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -71,7 +71,7 @@ jobs: - name: Install .NET Core uses: actions/setup-dotnet@v2 with: - dotnet-version: 5.0.x + dotnet-version: 6.0.x # Add MSBuild to the PATH: https://github.com/microsoft/setup-msbuild - name: Setup MSBuild.exe From 4d31a0b2a19136fed4d8f8beb6745c43c9530d66 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 19 Jul 2022 00:47:52 +0000 Subject: [PATCH 446/844] update --- ci/go-ossf-slsa3-publish.yml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/ci/go-ossf-slsa3-publish.yml b/ci/go-ossf-slsa3-publish.yml index 3f1b732627..a7388752f0 100644 --- a/ci/go-ossf-slsa3-publish.yml +++ b/ci/go-ossf-slsa3-publish.yml 
@@ -20,16 +20,19 @@ on: permissions: read-all jobs: + # ======================================================================================================================================== + # Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project. + # See format in https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file + #========================================================================================================================================= build: permissions: id-token: write # To sign. contents: write # To upload release assets. actions: read # To read workflow path. - # If you need more configuration options, such as ldflag examples, - # visit https://github.com/slsa-framework/slsa-github-generator#golang-projects. - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.1.1 + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.0 with: - # By default, the config file is .slsa-goreleaser.yml in the root directory. - # The format of the config file is described in - # https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file. go-version: 1.17 + # ============================================================================================================= + # Optional: For more options, see https://github.com/slsa-framework/slsa-github-generator#golang-projects + # ============================================================================================================= + From 157a5156d853fdfdef304b631876bf6b92526ed8 Mon Sep 17 00:00:00 2001 
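Review bot: `go-version: 1.17` stays a plain scalar, so a YAML 1.1 loader reads it as a float and a later bump to `1.20` would silently become `1.2`; quoting it, `go-version: "1.17"`, keeps it a string, in line with the quoted `python-version: "3.x"` used in the Frogbot workflow later in this series. The new banner comment misspells `Prerequesite` (should be `Prerequisite`), and the closing `=` line of the first banner is missing the leading space the opening line has, so the two do not line up. The trailing banner under `with:` is followed by an added blank line at end of file, which most linters will flag.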
From: omerzi Date: Tue, 26 Jul 2022 10:54:41 +0300 Subject: [PATCH 447/844] Adding JFrog Frogbot to GitHub starter workflows --- code-scanning/frogbot-fix.yml | 56 +++++++++ code-scanning/frogbot-scan-pr.yml | 112 ++++++++++++++++++ .../properties/frogbot-fix.properties.json | 15 +++ .../frogbot-scan-pr.properties.json | 15 +++ icons/frogbot.svg | 80 +++++++++++++ 5 files changed, 278 insertions(+) create mode 100644 code-scanning/frogbot-fix.yml create mode 100644 code-scanning/frogbot-scan-pr.yml create mode 100644 code-scanning/properties/frogbot-fix.properties.json create mode 100644 code-scanning/properties/frogbot-scan-pr.properties.json create mode 100644 icons/frogbot.svg diff --git a/code-scanning/frogbot-fix.yml b/code-scanning/frogbot-fix.yml new file mode 100644 index 0000000000..278e8fa530 --- /dev/null +++ b/code-scanning/frogbot-fix.yml 
@@ -0,0 +1,56 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot + +name: "Frogbot Fix" +on: + push: + branches: + # The scanning and creation of pull requests with fixes are triggered by pushing code to one of the these branches. + # You can edit the list of branches you wish to open fix pull requests on. + - "main" + - "master" +permissions: + contents: write + pull-requests: write +jobs: + create-fix-pull-requests: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + # Install prerequisites - uncomment the relevant one + + # - uses: actions/setup-go@v3 + # with: + # go-version: 1.17.x + + # - uses: actions/setup-java@v3 + # with: + # java-version: "11" + # distribution: "temurin" + + # - uses: actions/setup-node@v3 + # with: + # node-version: "16.x" + + + - uses: jfrog/frogbot@v2 + env: + # [Mandatory] + # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) + JF_URL: ${{ secrets.FROGBOT_URL }} + + # [Mandatory if JF_USER and JF_PASSWORD are not provided] + # JFrog access token with 'read' permissions on Xray service + JF_ACCESS_TOKEN: ${{ secrets.FROGBOT_ACCESS_TOKEN }} + + # [Mandatory] + # The GitHub token automatically generated for the job + JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # [Mandatory if using npm] + # The command that installs the dependencies + # JF_INSTALL_DEPS_CMD: "npm i" \ No newline at end of file diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml new file mode 100644 index 0000000000..54304d33c0 --- /dev/null +++ b/code-scanning/frogbot-scan-pr.yml 
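Review bot: The secret names differ between the two Frogbot workflows added in this commit: this file reads `secrets.FROGBOT_URL` and `secrets.FROGBOT_ACCESS_TOKEN`, while `frogbot-scan-pr.yml` reads `secrets.JF_URL`, `secrets.JF_USER`/`JF_PASSWORD` and `secrets.JF_ACCESS_TOKEN`, so a user who configures secrets for one file finds the other failing to authenticate; using the `JF_*` names in both is the simpler fix. The comment on `JF_ACCESS_TOKEN` says it is mandatory "if JF_USER and JF_PASSWORD are not provided", but those two variables are not listed anywhere in this file, so the alternative should be added as commented-out entries the way the scan workflow does, or the comment trimmed. `contents: write` and `pull-requests: write` are granted at workflow level; moving the `permissions:` block under `create-fix-pull-requests` is the tighter form and changes nothing for a single-job workflow.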
@@ -0,0 +1,112 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: "Frogbot Scan" +on: + pull_request_target: + types: [ opened, synchronize ] +permissions: + pull-requests: write +jobs: + scan-pull-request: + runs-on: ubuntu-latest + # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the + # "frogbot" GitHub environment can approve the pull request to be scanned. + environment: frogbot + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + + # Install prerequisites - uncomment the relevant ones + + # - uses: actions/setup-go@v3 + # with: + # go-version: 1.17.x + + # - uses: actions/setup-java@v3 + # with: + # java-version: "11" + # distribution: "temurin" + + # - uses: actions/setup-node@v3 + # with: + # node-version: "16.x" + + # - uses: gradle/gradle-build-action@v2 + + # - uses: actions/setup-dotnet@v2 + # with: + # dotnet-version: "3.1.x" + + # - uses: nuget/setup-nuget@v1 + # with: + # nuget-version: "5.x" + + # - uses: actions/setup-python@v3 + # with: + # python-version: "3.x" + + # - run: pipx install pipenv + + - uses: jfrog/frogbot@v2 + env: + # [Mandatory] + # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) + JF_URL: ${{ secrets.JF_URL }} + + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD + JF_USER: ${{ secrets.JF_USER }} + + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog password. Must be provided with JF_USER + JF_PASSWORD: ${{ secrets.JF_PASSWORD }} + + # [Mandatory] + # The GitHub token automatically generated for the job + JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # Uncomment the below options if you'd like to use them. 
+ + # [Mandatory when using npm] + # The command that installs the dependencies + # JF_INSTALL_DEPS_CMD: "npm i" + + # [Mandatory when using .NET] + # The command that installs the dependencies + # JF_INSTALL_DEPS_CMD: "dotnet restore" + + # [Optional when using Nuget] + # The command that installs the dependencies + # JF_INSTALL_DEPS_CMD: "nuget restore" + + # [Optional when using Pip] + # The command that installs the dependencies + # JF_INSTALL_DEPS_CMD: "pip install" + + # [Optional when using Pipenv] + # The command that installs the dependencies + # JF_INSTALL_DEPS_CMD: "pipenv install" + + # [Optional, default: https://api.github.com] + # API endpoint to GitHub + # JF_GIT_API_ENDPOINT: https://github.example.com + + # [Mandatory if JF_USER and JF_PASSWORD are not provided] + # JFrog access token with 'read' permissions on Xray service + # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} + + # [Optional, default: "."] + # Relative path to the project in the git repository + # JF_WORKING_DIR: path/to/working/dir + + # [Optional] + # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches + # JF_WATCHES: ,... + + # [Optional] + # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects + # JF_PROJECT: \ No newline at end of file diff --git a/code-scanning/properties/frogbot-fix.properties.json b/code-scanning/properties/frogbot-fix.properties.json new file mode 100644 index 0000000000..5d04487a51 --- /dev/null +++ b/code-scanning/properties/frogbot-fix.properties.json 
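Review bot: The job checks out the pull request head (`ref: ${{ github.event.pull_request.head.sha }}`) under `pull_request_target` and then runs the project's dependency install (`JF_INSTALL_DEPS_CMD`, e.g. `npm i`) with `JF_USER`/`JF_PASSWORD` and `JF_GIT_TOKEN` in the environment, so the only thing between a contributor's install scripts and those credentials is the `environment: frogbot` approval, and that approval exists only if the environment has been created with required reviewers, which the workflow file cannot ensure. The comment above `environment:` should say so explicitly, for example `# Create the "frogbot" environment with required reviewers; without that protection rule this job runs unreviewed PR code with JFrog credentials`. The `permissions:` block grants only `pull-requests: write`, which presumably leaves `contents` at none, so `actions/checkout` on a private repository may fail to fetch; adding `contents: read` is the safe fix. `actions/checkout@v2` here and `@v3` in `frogbot-fix.yml` from the same commit should agree.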
@@ -0,0 +1,15 @@ +{ + "name": "Frogbot Scan and Fix", + "description": "Automatically creates pull requests with fixes for vulnerable project dependencies. Uses JFrog Xray to scan the project. Included as part of JFrog's free subscription.", + "iconName": "frogbot", + "categories": [ + "Code Scanning", + "Go Module", + "Maven POM", + "NPM Config", + "Gradle", + "C#", + "Python" + ], + "organization": "JFrog" +} \ No newline at end of file diff --git a/code-scanning/properties/frogbot-scan-pr.properties.json b/code-scanning/properties/frogbot-scan-pr.properties.json new file mode 100644 index 0000000000..e0a93c84ca --- /dev/null +++ b/code-scanning/properties/frogbot-scan-pr.properties.json @@ -0,0 +1,15 @@ +{ + "name": "Frogbot Scan Pull Requests", + "description": "Automatically scans new pull requests for security vulnerabilities. Uses JFrog Xray to scan the project. Included as part of JFrog's free subscription.", + "iconName": "frogbot", + "categories": [ + "Code Scanning", + "Go Module", + "Maven POM", + "NPM Config", + "Gradle", + "C#", + "Python" + ], + "owner": "JFrog" +} \ No newline at end of file diff --git a/icons/frogbot.svg b/icons/frogbot.svg new file mode 100644 index 0000000000..21100d9790 --- /dev/null +++ b/icons/frogbot.svg @@ -0,0 +1,80 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From 8d20e653093dd0b3a96d85d7eb4acfdf17538708 Mon Sep 17 00:00:00 2001 From: omerzi Date: Tue, 26 Jul 2022 10:56:16 +0300 Subject: [PATCH 448/844] Adding JFrog Frogbot to GitHub starter workflows --- code-scanning/properties/frogbot-scan-pr.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/frogbot-scan-pr.properties.json b/code-scanning/properties/frogbot-scan-pr.properties.json index e0a93c84ca..8f9626ce5e 100644 --- a/code-scanning/properties/frogbot-scan-pr.properties.json +++ b/code-scanning/properties/frogbot-scan-pr.properties.json 
@@ -11,5 +11,5 @@
 "C#",
 "Python"
 ],
- "owner": "JFrog"
+ "organization": "JFrog"
 }
\ No newline at end of file
From 3f209e2e12fe65ca78260e8b76979987a7d04d8e Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Jul 2022 11:07:22 +0000 Subject: [PATCH 449/844] Bump pozil/auto-assign-issue from 1.4.0 to 1.8.0 Bumps [pozil/auto-assign-issue](https://github.com/pozil/auto-assign-issue) from 1.4.0 to 1.8.0. - [Release notes](https://github.com/pozil/auto-assign-issue/releases) - [Commits](https://github.com/pozil/auto-assign-issue/compare/v1.4.0...v1.8.0)
--- updated-dependencies: - dependency-name: pozil/auto-assign-issue dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot]
--- .github/workflows/auto-assign-issues.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml
index b8406e9447..a30a190c83 100644
--- a/.github/workflows/auto-assign-issues.yml
+++ b/.github/workflows/auto-assign-issues.yml
@@ -9,7 +9,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: 'Auto-assign issue'
- uses: pozil/auto-assign-issue@v1.4.0
+ uses: pozil/auto-assign-issue@v1.8.0
 with:
 assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft
 numOfAssignee: 1
From d21062f26a40d2ecdff191dab5d946422d103194 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Jul 2022 12:06:19 +0000 Subject: [PATCH 450/844] Bump peter-evans/close-issue from 1 to 2 Bumps [peter-evans/close-issue](https://github.com/peter-evans/close-issue) from 1 to 2. - [Release notes](https://github.com/peter-evans/close-issue/releases) - [Commits](https://github.com/peter-evans/close-issue/compare/v1...v2)
--- updated-dependencies: - dependency-name: peter-evans/close-issue dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot]
--- .github/workflows/label-feature.yml | 2 +- .github/workflows/label-support.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/label-feature.yml b/.github/workflows/label-feature.yml
index d13cf877c9..122caac624 100644
--- a/.github/workflows/label-feature.yml
+++ b/.github/workflows/label-feature.yml
@@ -10,7 +10,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Close Issue
- uses: peter-evans/close-issue@v1
+ uses: peter-evans/close-issue@v2
 if: contains(github.event.issue.labels.*.name, 'feature')
 with:
 comment: |
diff --git a/.github/workflows/label-support.yml b/.github/workflows/label-support.yml
index ea0f2401cc..e762afcc33 100644
--- a/.github/workflows/label-support.yml
+++ b/.github/workflows/label-support.yml
@@ -10,7 +10,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Close Issue
- uses: peter-evans/close-issue@v1
+ uses: peter-evans/close-issue@v2
 if: contains(github.event.issue.labels.*.name, 'support')
 with:
 comment: |
From 4a8f18e34dd13d2b6ee4d8da2ba72629eafe1609 Mon Sep 17 00:00:00 2001
From: Jess Bees Date: Wed, 27 Jul 2022 09:15:54 -0400 Subject: [PATCH 451/844] Add starter workflows for Pages builds and deployments (#1645) * commit dummy workflow * Update nextjs.yml * renaming * actually do a node build * add jekyll build & deploy * add permissions * update jekyll to use composite upload action * update next to use composite upload action * update icon yml * change nexjs icon * Cleanup further the Jekyll template * add gatsby starter workflow * fix composite error * fix updated actions * Add Hugo * Apply suggestions from code review * Inital commit for nuxtjs starter workflow * Cleanup all templates * Add baseUrl through an action * Use `base_url` output for Hugo configuration * Create static.yml * Create static.properties.json * clarify path * alternative jekyll icon with only tube * use alternate jekyll icon * use original xvg with proper viewBox parameters * Add paper-spa/configure-pages to starter workflows Replaces paper-spa/setup-pages where appropriate. * use setup-ruby action instead of our container * Add starter workflow for GitHub Pages's legacy Jekyll build Named `jekyll-gh-pages` so that it connotes the familiar "hands off" build process of the Jekyll build as performed by github pages workers, without sounding deprecated by using the words "legacy" or "classic". 
* Use the static_site_generator input so we can modify the correct config * Update gatsby.yml * Update wording on the 'legacy' jekyll workflow * Fix filename: this should have a json extension * Fix filename: this should have a .properties.json extension * Update nextjs.properties.json * Update static.properties.json * Fix typo in name of Gatsby * Remove pull_request triggers * Update to latest versions of core Actions * Remove '--if-present' flag from 'npm run build' commands to prevent silent failure * Perform static HTML export for Next.js * Add '--no-install' flag to 'npx' usage * Update Nuxt starter workflow to run 'generate' * Default to using npm if not using yarn * Reword 'nuxt generate' step name * Update pages/gatsby.yml * Update description of Jekyll starter workflow * Add configure-pages step to static workflow * Add configuration step to enable Pages * Pages: Set `PREFIX_PATHS` env var for Gatsby build * Update Next.js starter workflow to cache builds See https://nextjs.org/docs/advanced-features/ci-build-caching#github-actions * Update NuxtJS starter workflow to cache builds Basically modeled after the Gatsby starter workflow * Call out node ssg getting started + setup * Update nuxt documentation * Retarget actions referencing `paper-spa` to `actions` Also point to newly published `v1` tags rather than `main` or `v0`. Co-authored-by: yimysty Co-authored-by: Tommy Byrd Co-authored-by: Yoann Chaudet Co-authored-by: Timothy Co-authored-by: Smitha Borkar <12040799+smithaborkar@users.noreply.github.com> Co-authored-by: James M. 
Greene --- icons/gatsby.svg | 7 ++ icons/hugo.svg | 9 ++ icons/jekyll-tube.svg | 1 + icons/nextjs.svg | 3 + icons/nuxtjs.svg | 4 + pages/gatsby.yml | 96 +++++++++++++++++++ pages/hugo.yml | 66 +++++++++++++ pages/jekyll-gh-pages.yml | 50 ++++++++++ pages/jekyll.yml | 53 ++++++++++ pages/nextjs.yml | 95 ++++++++++++++++++ pages/nuxtjs.yml | 90 +++++++++++++++++ pages/properties/gatsby.properties.json | 7 ++ pages/properties/hugo.properties.json | 7 ++ .../jekyll-gh-pages.properties.json | 7 ++ pages/properties/jekyll.properties.json | 7 ++ pages/properties/nextjs.properties.json | 7 ++ pages/properties/nuxtjs.properties.json | 7 ++ pages/properties/static.properties.json | 7 ++ pages/static.yml | 42 ++++++++ 19 files changed, 565 insertions(+) create mode 100644 icons/gatsby.svg create mode 100644 icons/hugo.svg create mode 100644 icons/jekyll-tube.svg create mode 100644 icons/nextjs.svg create mode 100644 icons/nuxtjs.svg create mode 100644 pages/gatsby.yml create mode 100644 pages/hugo.yml create mode 100644 pages/jekyll-gh-pages.yml create mode 100644 pages/jekyll.yml create mode 100644 pages/nextjs.yml create mode 100644 pages/nuxtjs.yml create mode 100644 pages/properties/gatsby.properties.json create mode 100644 pages/properties/hugo.properties.json create mode 100644 pages/properties/jekyll-gh-pages.properties.json create mode 100644 pages/properties/jekyll.properties.json create mode 100644 pages/properties/nextjs.properties.json create mode 100644 pages/properties/nuxtjs.properties.json create mode 100644 pages/properties/static.properties.json create mode 100644 pages/static.yml diff --git a/icons/gatsby.svg b/icons/gatsby.svg new file mode 100644 index 0000000000..5578b06cb2 --- /dev/null +++ b/icons/gatsby.svg @@ -0,0 +1,7 @@ + + + Gatsby + + + + diff --git a/icons/hugo.svg b/icons/hugo.svg new file mode 100644 index 0000000000..ea72a6f51a --- /dev/null +++ b/icons/hugo.svg @@ -0,0 +1,9 @@ + + + + + + + + + 
diff --git a/icons/jekyll-tube.svg b/icons/jekyll-tube.svg new file mode 100644 index 0000000000..89dd55dce0 --- /dev/null +++ b/icons/jekyll-tube.svg @@ -0,0 +1 @@ + diff --git a/icons/nextjs.svg b/icons/nextjs.svg new file mode 100644 index 0000000000..c45d6e63fb --- /dev/null +++ b/icons/nextjs.svg @@ -0,0 +1,3 @@ + + + diff --git a/icons/nuxtjs.svg b/icons/nuxtjs.svg new file mode 100644 index 0000000000..bebded37c0 --- /dev/null +++ b/icons/nuxtjs.svg @@ -0,0 +1,4 @@ + + + + diff --git a/pages/gatsby.yml b/pages/gatsby.yml new file mode 100644 index 0000000000..9cdf3fc930 --- /dev/null +++ b/pages/gatsby.yml 
@@ -0,0 +1,96 @@
+# Sample workflow for building and deploying a Gatsby site to GitHub Pages
+#
+# To get started with Gatsby see: https://www.gatsbyjs.com/docs/quick-start/
+#
+name: Deploy Gatsby site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: [$default-branch]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow one concurrent deployment
+concurrency:
+ group: "pages"
+ cancel-in-progress: true
+
+# Default to bash
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Detect package manager
+ id: detect-package-manager
+ run: |
+ if [ -f "${{ github.workspace }}/yarn.lock" ]; then
+ echo "::set-output name=manager::yarn"
+ echo "::set-output name=command::install"
+ exit 0
+ elif [ -f "${{ github.workspace }}/package.json" ]; then
+ echo "::set-output name=manager::npm"
+ echo "::set-output name=command::ci"
+ exit 0
+ else
+ echo "Unable to determine packager manager"
+ exit 1
+ fi
+ - name: Setup Node
+ uses: actions/setup-node@v3
+ with:
+ node-version: "16"
+ cache: ${{ steps.detect-package-manager.outputs.manager }}
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@v1
+ with:
+ # Automatically inject pathPrefix in your Gatsby configuration file.
+ #
+ # You may remove this line if you want to manage the configuration yourself.
+ static_site_generator: gatsby
+ - name: Restore cache
+ uses: actions/cache@v3
+ with:
+ path: |
+ public
+ .cache
+ key: ${{ runner.os }}-gatsby-build-${{ hashFiles('public') }}
+ restore-keys: |
+ ${{ runner.os }}-gatsby-build-
+ - name: Install dependencies
+ run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }}
+ - name: Build with Gatsby
+ env:
+ PREFIX_PATHS: 'true'
+ run: ${{ steps.detect-package-manager.outputs.manager }} run build
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v1
+ with:
+ path: ./public
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v1
diff --git a/pages/hugo.yml b/pages/hugo.yml
new file mode 100644
index 0000000000..07b2b854ce
--- /dev/null
+++ b/pages/hugo.yml
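Review bot: `cancel-in-progress: true` under `concurrency` aborts a deployment that is already running as soon as another push arrives, which can leave the Pages deployment half-finished; for production deploys the safer setting is `cancel-in-progress: false`, so an in-flight deployment completes and only the queued run is superseded. The same block appears in hugo.yml, jekyll-gh-pages.yml, jekyll.yml, nextjs.yml, nuxtjs.yml and static.yml. Separately, the `Restore cache` key hashes `public`, which is also the directory being cached: on a fresh checkout it hashes nothing, so the key is presumably constant and, after the first exact hit, the saved cache would never be refreshed (nuxtjs.yml has the same pattern with `dist`); keying on the inputs (lockfile and sources) as nextjs.yml does would tie the cache to what actually changes. The `::set-output` workflow commands in the detect step (also in nextjs.yml and nuxtjs.yml) have since been deprecated in favour of appending `name=value` lines to the file named by `$GITHUB_OUTPUT`.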
@@ -0,0 +1,66 @@
+# Sample workflow for building and deploying a Hugo site to GitHub Pages
+name: Deploy Hugo site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: [$default-branch]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow one concurrent deployment
+concurrency:
+ group: "pages"
+ cancel-in-progress: true
+
+# Default to bash
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ env:
+ HUGO_VERSION: 0.99.0
+ steps:
+ - name: Install Hugo CLI
+ run: |
+ wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_Linux-64bit.deb \
+ && sudo dpkg -i ${{ runner.temp }}/hugo.deb
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ submodules: recursive
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@v1
+ - name: Build with Hugo
+ run: |
+ hugo \
+ --minify \
+ --baseURL ${{ steps.pages.outputs.base_url }}
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v1
+ with:
+ path: ./public
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v1
diff --git a/pages/jekyll-gh-pages.yml b/pages/jekyll-gh-pages.yml
new file mode 100644
index 0000000000..7ee1e972ca
--- /dev/null
+++ b/pages/jekyll-gh-pages.yml
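Review bot: The `Install Hugo CLI` step downloads a `.deb` with `wget` and installs it with `sudo dpkg -i` without any integrity check, so a substituted or tampered release artifact would be installed with root privileges on the runner. Pinning `HUGO_VERSION: 0.99.0` is good, but the pin only becomes verifiable if the step also fetches the checksum file Hugo publishes alongside each release and runs `sha256sum --check` against the package before `dpkg` (keeping the asset's original filename so the check matches), or uses a dedicated setup action pinned by commit. Unrelated to integrity, `--baseURL ${{ steps.pages.outputs.base_url }}` interpolates a step output into the shell unquoted; the value comes from `configure-pages`, so the risk is low, but quoting it as `--baseURL "${{ steps.pages.outputs.base_url }}"` is the safer habit for any expression placed in a `run:` script.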
@@ -0,0 +1,50 @@
+# Sample workflow for building and deploying a Jekyll site to GitHub Pages
+name: Deploy Jekyll with GitHub Pages dependencies preinstalled
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: [$default-branch]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow one concurrent deployment
+concurrency:
+ group: "pages"
+ cancel-in-progress: true
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Setup Pages
+ uses: actions/configure-pages@v1
+ - name: Build with Jekyll
+ uses: actions/jekyll-build-pages@v1
+ with:
+ source: ./
+ destination: ./_site
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v1
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v1
diff --git a/pages/jekyll.yml b/pages/jekyll.yml
new file mode 100644
index 0000000000..05c876114d
--- /dev/null
+++ b/pages/jekyll.yml
@@ -0,0 +1,53 @@
+# Sample workflow for building and deploying a Jekyll site to GitHub Pages
+name: Deploy Jekyll site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: [$default-branch]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow one concurrent deployment
+concurrency:
+ group: "pages"
+ cancel-in-progress: true
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Setup Ruby
+ uses: ruby/setup-ruby@v1
+ with:
+ ruby-version: '3.0' # Not needed with a .ruby-version file
+ bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+ cache-version: 0 # Increment this number if you need to re-download cached gems
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@v1
+ - run: bundle exec jekyll build --baseurl ${{ steps.pages.outputs.base_path }} # defaults output to '/_site'
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v1 # This will automatically upload an artifact from the '/_site' directory
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v1
diff --git a/pages/nextjs.yml b/pages/nextjs.yml
new file mode 100644
index 0000000000..79a1cc89f8
--- /dev/null
+++ b/pages/nextjs.yml
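Review bot: The build step passes `--baseurl ${{ steps.pages.outputs.base_path }}` unquoted; for a site served at the domain root (presumably the user/organization `*.github.io` case) `base_path` is empty, the shell then sees `jekyll build --baseurl` with no value, and the build likely fails on a missing option argument instead of building at `/`. Quoting the expansion keeps an empty value as an explicit argument: `- run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}"`. The inline comments on `ruby-version`, `bundler-cache` and `cache-version` are helpful; a matching one on this step noting that `base_path` is supplied by the `configure-pages` step above would round out the documentation.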
@@ -0,0 +1,95 @@
+# Sample workflow for building and deploying a Next.js site to GitHub Pages
+#
+# To get started with Next.js see: https://nextjs.org/docs/getting-started
+#
+name: Deploy Next.js site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: [$default-branch]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow one concurrent deployment
+concurrency:
+ group: "pages"
+ cancel-in-progress: true
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Detect package manager
+ id: detect-package-manager
+ run: |
+ if [ -f "${{ github.workspace }}/yarn.lock" ]; then
+ echo "::set-output name=manager::yarn"
+ echo "::set-output name=command::install"
+ echo "::set-output name=runner::yarn"
+ exit 0
+ elif [ -f "${{ github.workspace }}/package.json" ]; then
+ echo "::set-output name=manager::npm"
+ echo "::set-output name=command::ci"
+ echo "::set-output name=runner::npx --no-install"
+ exit 0
+ else
+ echo "Unable to determine packager manager"
+ exit 1
+ fi
+ - name: Setup Node
+ uses: actions/setup-node@v3
+ with:
+ node-version: "16"
+ cache: ${{ steps.detect-package-manager.outputs.manager }}
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@v1
+ with:
+ # Automatically inject basePath in your Next.js configuration file and disable
+ # server side image optimization (https://nextjs.org/docs/api-reference/next/image#unoptimized).
+ #
+ # You may remove this line if you want to manage the configuration yourself.
+ static_site_generator: next
+ - name: Restore cache
+ uses: actions/cache@v3
+ with:
+ path: |
+ .next/cache
+ # Generate a new cache whenever packages or source files change.
+ key: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}-${{ hashFiles('**.[jt]s', '**.[jt]sx') }}
+ # If source files changed but packages didn't, rebuild from a prior cache.
+ restore-keys: |
+ ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}-
+ - name: Install dependencies
+ run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }}
+ - name: Build with Next.js
+ run: ${{ steps.detect-package-manager.outputs.runner }} next build
+ - name: Static HTML export with Next.js
+ run: ${{ steps.detect-package-manager.outputs.runner }} next export
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v1
+ with:
+ path: ./out
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v1
diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml
new file mode 100644
index 0000000000..87c1201bc5
--- /dev/null
+++ b/pages/nuxtjs.yml
@@ -0,0 +1,90 @@
+# Sample workflow for building and deploying a Nuxt site to GitHub Pages
+#
+# To get started with Nuxt see: https://nuxtjs.org/docs/get-started/installation
+#
+name: Deploy Nuxt site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: [$default-branch]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow one concurrent deployment
+concurrency:
+ group: "pages"
+ cancel-in-progress: true
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Detect package manager
+ id: detect-package-manager
+ run: |
+ if [ -f "${{ github.workspace }}/yarn.lock" ]; then
+ echo "::set-output name=manager::yarn"
+ echo "::set-output name=command::install"
+ exit 0
+ elif [ -f "${{ github.workspace }}/package.json" ]; then
+ echo "::set-output name=manager::npm"
+ echo "::set-output name=command::ci"
+ exit 0
+ else
+ echo "Unable to determine packager manager"
+ exit 1
+ fi
+ - name: Setup Node
+ uses: actions/setup-node@v3
+ with:
+ node-version: "16"
+ cache: ${{ steps.detect-package-manager.outputs.manager }}
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@v1
+ with:
+ # Automatically inject router.base in your Nuxt configuration file and set
+ # target to static (https://nuxtjs.org/docs/configuration-glossary/configuration-target/).
+ #
+ # You may remove this line if you want to manage the configuration yourself.
+ static_site_generator: nuxt
+ - name: Restore cache
+ uses: actions/cache@v3
+ with:
+ path: |
+ dist
+ .nuxt
+ key: ${{ runner.os }}-nuxt-build-${{ hashFiles('dist') }}
+ restore-keys: |
+ ${{ runner.os }}-nuxt-build-
+ - name: Install dependencies
+ run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }}
+ - name: Static HTML export with Nuxt
+ run: ${{ steps.detect-package-manager.outputs.manager }} run generate
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v1
+ with:
+ path: ./dist
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v1
diff --git a/pages/properties/gatsby.properties.json b/pages/properties/gatsby.properties.json
new file mode 100644
index 0000000000..7d82424e63
--- /dev/null
+++ b/pages/properties/gatsby.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Gatsby",
+ "creator": "GitHub Actions",
+ "description": "Package a Gatsby site.",
+ "iconName": "gatsby",
+ "categories": ["Pages"]
+}
\ No newline at end of file
diff --git a/pages/properties/hugo.properties.json b/pages/properties/hugo.properties.json
new file mode 100644
index 0000000000..1fa902c954
--- /dev/null
+++ b/pages/properties/hugo.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Hugo",
+ "creator": "GitHub Actions",
+ "description": "Package a Hugo site.",
+ "iconName": "hugo",
+ "categories": ["Pages"]
+}
\ No newline at end of file
diff --git a/pages/properties/jekyll-gh-pages.properties.json b/pages/properties/jekyll-gh-pages.properties.json
new file mode 100644
index 0000000000..6f278c8d42
--- /dev/null
+++ b/pages/properties/jekyll-gh-pages.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "GitHub Pages Jekyll",
+ "creator": "GitHub Actions",
+ "description": "Package a Jekyll site with GitHub Pages dependencies preinstalled.",
+ "iconName": "jekyll-tube",
+ "categories": ["Pages"]
+}
diff --git a/pages/properties/jekyll.properties.json b/pages/properties/jekyll.properties.json
new file mode 100644
index 0000000000..a6c9d5c37b
--- /dev/null
+++ b/pages/properties/jekyll.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Jekyll",
+ "creator": "GitHub Actions",
+ "description": "Package a Jekyll site.",
+ "iconName": "jekyll-tube",
+ "categories": ["Pages"]
+}
diff --git a/pages/properties/nextjs.properties.json b/pages/properties/nextjs.properties.json
new file mode 100644
index 0000000000..0b9d3b4f7b
--- /dev/null
+++ b/pages/properties/nextjs.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Next.js",
+ "creator": "GitHub Actions",
+ "description": "Package a Next.js site.",
+ "iconName": "nextjs",
+ "categories": ["Pages"]
+}
diff --git a/pages/properties/nuxtjs.properties.json b/pages/properties/nuxtjs.properties.json
new file mode 100644
index 0000000000..b799074f22
--- /dev/null
+++ b/pages/properties/nuxtjs.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "NuxtJS",
+ "creator": "GitHub Actions",
+ "description": "Package a NuxtJS site.",
+ "iconName": "nuxtjs",
+ "categories": ["Pages"]
+}
\ No newline at end of file
diff --git a/pages/properties/static.properties.json b/pages/properties/static.properties.json
new file mode 100644
index 0000000000..5b727a8d8a
--- /dev/null
+++ b/pages/properties/static.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Static HTML",
+ "creator": "GitHub Actions",
+ "description": "Deploy static files in a repository without a build.",
+ "iconName": "html",
+ "categories": ["Pages"]
+}
diff --git a/pages/static.yml b/pages/static.yml
new file mode 100644
index 0000000000..bd753e9bd5
--- /dev/null
+++ b/pages/static.yml
@@ -0,0 +1,42 @@
+# Simple workflow for deploying static content to GitHub Pages
+name: Deploy static content to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: [$default-branch]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow one concurrent deployment
+concurrency:
+ group: "pages"
+ cancel-in-progress: true
+
+jobs:
+ # Single deploy job since we're just deploying
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Setup Pages
+ uses: actions/configure-pages@v1
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v1
+ with:
+ # Upload entire repository
+ path: '.'
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@main
From e262f54fe94550c841313843fbad17fb37e0cd2a Mon Sep 17 00:00:00 2001
From: Yoann Chaudet Date: Thu, 28 Jul 2022 18:39:43 -0700 Subject: [PATCH 452/844] Address feedback
--- pages/properties/gatsby.properties.json | 3 +-- pages/properties/hugo.properties.json | 3 +-- pages/properties/jekyll-gh-pages.properties.json | 3 +-- pages/properties/jekyll.properties.json | 3 +-- pages/properties/nextjs.properties.json | 3 +-- pages/properties/nuxtjs.properties.json | 3 +-- pages/properties/static.properties.json | 1 - 7 files changed, 6 insertions(+), 13 deletions(-)
diff --git a/pages/properties/gatsby.properties.json b/pages/properties/gatsby.properties.json
index 7d82424e63..df260f89ba 100644
--- a/pages/properties/gatsby.properties.json
+++ b/pages/properties/gatsby.properties.json
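Review bot: `uses: actions/deploy-pages@main` pins the deploy step to a moving branch, while every other step in this file and in the sibling Pages workflows uses a version tag (`@v1`, `@v3`); a branch ref pulls whatever is on `main` at run time, so the behaviour of the step that publishes the site can change without any commit to this repository, and the inconsistency looks accidental. Change it to `uses: actions/deploy-pages@v1` to match the other workflows. The top-level `permissions` block (`contents: read`, `pages: write`, `id-token: write`) is correctly scoped to what this single-job workflow needs.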
@@ -1,7 +1,6 @@
 {
 "name": "Gatsby",
- "creator": "GitHub Actions",
 "description": "Package a Gatsby site.",
 "iconName": "gatsby",
- "categories": ["Pages"]
+ "categories": ["Pages", "Gatsby"]
 }
\ No newline at end of file
diff --git a/pages/properties/hugo.properties.json b/pages/properties/hugo.properties.json
index 1fa902c954..b6f6dc7c5c 100644
--- a/pages/properties/hugo.properties.json
+++ b/pages/properties/hugo.properties.json
@@ -1,7 +1,6 @@
 {
 "name": "Hugo",
- "creator": "GitHub Actions",
 "description": "Package a Hugo site.",
 "iconName": "hugo",
- "categories": ["Pages"]
+ "categories": ["Pages", "Hugo"]
 }
\ No newline at end of file
diff --git a/pages/properties/jekyll-gh-pages.properties.json b/pages/properties/jekyll-gh-pages.properties.json
index 6f278c8d42..3e38602fae 100644
--- a/pages/properties/jekyll-gh-pages.properties.json
+++ b/pages/properties/jekyll-gh-pages.properties.json
@@ -1,7 +1,6 @@
 {
 "name": "GitHub Pages Jekyll",
- "creator": "GitHub Actions",
 "description": "Package a Jekyll site with GitHub Pages dependencies preinstalled.",
 "iconName": "jekyll-tube",
- "categories": ["Pages"]
+ "categories": ["Pages", "Jekyll"]
 }
diff --git a/pages/properties/jekyll.properties.json b/pages/properties/jekyll.properties.json
index a6c9d5c37b..8b4c1d2935 100644
--- a/pages/properties/jekyll.properties.json
+++ b/pages/properties/jekyll.properties.json
@@ -1,7 +1,6 @@
 {
 "name": "Jekyll",
- "creator": "GitHub Actions",
 "description": "Package a Jekyll site.",
 "iconName": "jekyll-tube",
- "categories": ["Pages"]
+ "categories": ["Pages", "Jekyll"]
 }
diff --git a/pages/properties/nextjs.properties.json b/pages/properties/nextjs.properties.json
index 0b9d3b4f7b..42099089ed 100644
--- a/pages/properties/nextjs.properties.json
+++ b/pages/properties/nextjs.properties.json
@@ -1,7 +1,6 @@
 {
 "name": "Next.js",
- "creator": "GitHub Actions",
 "description": "Package a Next.js site.",
 "iconName": "nextjs",
- "categories": ["Pages"]
+ "categories": ["Pages", "Next"]
 }
diff --git a/pages/properties/nuxtjs.properties.json b/pages/properties/nuxtjs.properties.json
index b799074f22..d79909efb1 100644
--- a/pages/properties/nuxtjs.properties.json
+++ b/pages/properties/nuxtjs.properties.json
@@ -1,7 +1,6 @@
 {
 "name": "NuxtJS",
- "creator": "GitHub Actions",
 "description": "Package a NuxtJS site.",
 "iconName": "nuxtjs",
- "categories": ["Pages"]
+ "categories": ["Pages", "Nuxt"]
 }
\ No newline at end of file
diff --git a/pages/properties/static.properties.json b/pages/properties/static.properties.json
index 5b727a8d8a..7181b6e5b5 100644
--- a/pages/properties/static.properties.json
+++ b/pages/properties/static.properties.json
@@ -1,6 +1,5 @@
 {
 "name": "Static HTML",
- "creator": "GitHub Actions",
 "description": "Deploy static files in a repository without a build.",
 "iconName": "html",
 "categories": ["Pages"]
From 095efcc4ae6d78a141a5925360fec19a10d5fa45 Mon Sep 17 00:00:00 2001
From: Yoann Chaudet Date: Mon, 1 Aug 2022 06:34:01 -0700 Subject: [PATCH 453/844] more metadata
--- pages/properties/static.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pages/properties/static.properties.json b/pages/properties/static.properties.json
index 7181b6e5b5..372579c094 100644
--- a/pages/properties/static.properties.json
+++ b/pages/properties/static.properties.json
@@ -2,5 +2,5 @@
 "name": "Static HTML",
 "description": "Deploy static files in a repository without a build.",
 "iconName": "html",
- "categories": ["Pages"]
+ "categories": ["Pages", "HTML", "JavaScript", "CSS"]
 }
From e35bb09c200dd3bc2dccb7cf1e4f1aa5fce0a9a4 Mon Sep 17 00:00:00 2001
From: omerzi Date: Sun, 7 Aug 2022 09:32:25 +0300 Subject: [PATCH 454/844] Code review changes
--- code-scanning/frogbot-fix.yml | 5 ++- code-scanning/frogbot-scan-pr.yml | 58 ++++++------------------------- 2 files changed, 14 insertions(+), 49 deletions(-)
diff --git a/code-scanning/frogbot-fix.yml b/code-scanning/frogbot-fix.yml
index 278e8fa530..b51c26924c 100644
--- a/code-scanning/frogbot-fix.yml
+++ b/code-scanning/frogbot-fix.yml
@@ -2,6 +2,9 @@
 # They are provided by a third-party and are governed by
 # separate terms of service, privacy policy, and support
 # documentation.
+# Frogbot Scan and Fix does the following:
+# Automatically creates pull requests with fixes for vulnerable project dependencies.
+# Uses JFrog Xray to scan the project.
 # Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
 name: "Frogbot Fix"
@@ -37,7 +40,7 @@ jobs:
 # node-version: "16.x"
- - uses: jfrog/frogbot@v2
+ - uses: jfrog/frogbot@2291fc454e8aeea77386cfcb85a1ae36765bb1f4
 env:
 # [Mandatory]
 # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml
index 54304d33c0..325cc247f0 100644
--- a/code-scanning/frogbot-scan-pr.yml
+++ b/code-scanning/frogbot-scan-pr.yml
@@ -2,6 +2,10 @@
 # They are provided by a third-party and are governed by
 # separate terms of service, privacy policy, and support
 # documentation.
+# Frogbot Scan Pull Requests does the following:
+# Automatically scans new pull requests for security vulnerabilities.
+# Uses JFrog Xray to scan the project.
+# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
 name: "Frogbot Scan"
 on:
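Review bot: The new `- uses: jfrog/frogbot@2291fc454e8aeea77386cfcb85a1ae36765bb1f4` pins a third-party action by full commit SHA, which is the right call for a tool that receives repository and JFrog credentials, but a bare SHA tells the next maintainer nothing about which release it is and gives dependency-update tooling nothing to match on; the convention is a trailing comment naming the tag the SHA was taken from, e.g. `- uses: jfrog/frogbot@2291fc454e8aeea77386cfcb85a1ae36765bb1f4 # <release-tag>` (fill in the actual tag). The same line appears in the frogbot-scan-pr.yml hunk that follows. Also, the added header comment in frogbot-fix.yml now calls the workflow "Frogbot Scan and Fix" while `name:` still reads `"Frogbot Fix"`; aligning the two avoids confusion in the Actions UI.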
@@ -35,23 +39,9 @@ jobs:
 # with:
 # node-version: "16.x"
- # - uses: gradle/gradle-build-action@v2
+ # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request
- # - uses: actions/setup-dotnet@v2
- # with:
- # dotnet-version: "3.1.x"
-
- # - uses: nuget/setup-nuget@v1
- # with:
- # nuget-version: "5.x"
-
- # - uses: actions/setup-python@v3
- # with:
- # python-version: "3.x"
-
- # - run: pipx install pipenv
-
- - uses: jfrog/frogbot@v2
+ - uses: jfrog/frogbot@2291fc454e8aeea77386cfcb85a1ae36765bb1f4
 env:
 # [Mandatory]
 # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
@@ -69,7 +59,9 @@ jobs:
 # The GitHub token automatically generated for the job
 JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # Uncomment the below options if you'd like to use them.
+ # [Mandatory if JF_USER and JF_PASSWORD are not provided]
+ # JFrog access token with 'read' permissions on Xray service
+ # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
 # [Mandatory when using npm]
 # The command that installs the dependencies
@@ -79,34 +71,4 @@ jobs: # The command that installs the dependencies # JF_INSTALL_DEPS_CMD: "dotnet restore" - # [Optional when using Nuget] - # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "nuget restore" - - # [Optional when using Pip] - # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "pip install" - - # [Optional when using Pipenv] - # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "pipenv install" - - # [Optional, default: https://api.github.com] - # API endpoint to GitHub - # JF_GIT_API_ENDPOINT: https://github.example.com - - # [Mandatory if JF_USER and JF_PASSWORD are not provided] - # JFrog access token with 'read' permissions on Xray service - # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} - - # [Optional, default: "."] - # Relative path to the project in the git repository - # JF_WORKING_DIR: path/to/working/dir - - # [Optional] - # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches - # JF_WATCHES: ,... - - # [Optional] - # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects - # JF_PROJECT: \ No newline at end of file + # The full template list with full optional environment variables can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request \ No newline at end of file From 552d98b770dc070aabb54827ef43ef6a8234969f Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Aug 2022 13:23:06 +0000 Subject: [PATCH 455/844] Bump pozil/auto-assign-issue from 1.8.0 to 1.9.0 Bumps [pozil/auto-assign-issue](https://github.com/pozil/auto-assign-issue) from 1.8.0 to 1.9.0. - [Release notes](https://github.com/pozil/auto-assign-issue/releases) - [Commits](https://github.com/pozil/auto-assign-issue/compare/v1.8.0...v1.9.0) --- updated-dependencies: - dependency-name: pozil/auto-assign-issue dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/auto-assign-issues.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml index a30a190c83..ec278a6f0c 100644 --- a/.github/workflows/auto-assign-issues.yml +++ b/.github/workflows/auto-assign-issues.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Auto-assign issue' - uses: pozil/auto-assign-issue@v1.8.0 + uses: pozil/auto-assign-issue@v1.9.0 with: assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft numOfAssignee: 1 From aa797da6b2edcd9760ce0321c2e7b7f872d08c06 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 10 Aug 2022 18:19:19 +0530 Subject: [PATCH 456/844] Fix PR assign --- .github/workflows/auto-assign.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/auto-assign.yml b/.github/workflows/auto-assign.yml index 4dcc612879..d7161b105b 100644 --- a/.github/workflows/auto-assign.yml +++ b/.github/workflows/auto-assign.yml @@ -1,6 +1,6 @@ name: 'Auto Assign' on: - pull_request: + pull_request_target: types: [opened, ready_for_review] jobs: From 9bdc3e7253235498a505f21e37662dcfa54de969 Mon Sep 17 00:00:00 2001 
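Review bot: Switching the trigger to `pull_request_target` in the `-1,6 +1,6` hunk of auto-assign.yml runs this workflow in the base repository's context, with a write-capable `GITHUB_TOKEN` and access to repository secrets, for pull requests opened from forks. That is what an assign step needs to act on fork PRs, but the job body is outside the hunk, so it is worth confirming that no step checks out or executes code from the PR head under this trigger. An explicit `permissions:` block limited to what the assign action needs (presumably `pull-requests: write`) would keep the token's scope bounded.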
From: Kenichi Kamiya Date: Thu, 11 Aug 2022 03:05:57 +0900 Subject: [PATCH 457/844] Refer actions/deploy-pages stable tag in pages/static --- pages/static.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/static.yml b/pages/static.yml index bd753e9bd5..350b2c8893 100644 --- a/pages/static.yml +++ b/pages/static.yml @@ -39,4 +39,4 @@ jobs: path: '.' - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@main + uses: actions/deploy-pages@v1 From 67805723f0bf3c53f17eaaea77e9cfd44d6a2417 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 19 Jul 2022 00:59:05 +0000 Subject: [PATCH 458/844] update --- ci/generic-generator-ossf-slsa3-publish.yml | 63 +++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 ci/generic-generator-ossf-slsa3-publish.yml diff --git a/ci/generic-generator-ossf-slsa3-publish.yml b/ci/generic-generator-ossf-slsa3-publish.yml new file mode 100644 index 0000000000..f843fd1a48 --- /dev/null +++ b/ci/generic-generator-ossf-slsa3-publish.yml 
@@ -0,0 +1,63 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow lets you compile your Go project using a SLSA3 compliant builder. +# This workflow will generate a so-called "provenance" file describing the steps +# that were performed to generate the final binary. +# The project is an initiative of the OpenSSF (openssf.org) and is developed at +# https://github.com/slsa-framework/slsa-github-generator. +# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. +# For more information about SLSA and how it improves the supply-chain, visit slsa.dev. + +name: SLSA generic generator +on: + workflow_dispatch: + release: + types: [created] + +permissions: read-all + +jobs: + build: + outputs: + digests: ${{ steps.hash.outputs.digests }} + + steps: + # ======================================================== + # + # Step 1: Build your artifacts. + # + # ======================================================== + - name: Build artifacts + run: | + # These are some amazing artifacts. + echo "artifact1" > artifact1 + echo "artifact2" > artifact2 + + # ======================================================== + # + # Step 2: Add a step to generate the provenance subjects + # as shown below. Update the sha256 sum arguments + # to include all binaries that you generate + # provenance for. 
+ # + # ======================================================== + - name: Generate subject + id: hash + run: | + set -euo pipefail + + echo "::set-output name=digests::$(sha256sum artifact1 artifact2 | base64 -w0)" + + provenance: + needs: [build] + permissions: + actions: read + id-token: write + contents: read + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0 + with: + base64-subjects: "${{ needs.build.outputs.digests }}" + upload-assets: true # Optional: Upload to a new release \ No newline at end of file From 0f26631ba6e9900520c570d1153140b812a9e870 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 19 Jul 2022 01:04:52 +0000 Subject: [PATCH 459/844] update --- ...h.yml => generator-generic-ossf-slsa3-publish.yml} | 0 ...nerator-generic-ossf-slsa3-publish.properties.json | 7 +++++++ icons/generator-generic-ossf-slsa3-publish.svg | 11 +++++++++++ 3 files changed, 18 insertions(+) rename ci/{generic-generator-ossf-slsa3-publish.yml => generator-generic-ossf-slsa3-publish.yml} (100%) create mode 100644 ci/properties/generator-generic-ossf-slsa3-publish.properties.json create mode 100644 icons/generator-generic-ossf-slsa3-publish.svg diff --git a/ci/generic-generator-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml similarity index 100% rename from ci/generic-generator-ossf-slsa3-publish.yml rename to ci/generator-generic-ossf-slsa3-publish.yml diff --git a/ci/properties/generator-generic-ossf-slsa3-publish.properties.json b/ci/properties/generator-generic-ossf-slsa3-publish.properties.json new file mode 100644 index 0000000000..2861c3f1ef --- /dev/null +++ b/ci/properties/generator-generic-ossf-slsa3-publish.properties.json 
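Review bot: The `Generate subject` step in the `-0,0 +1,63` hunk writes the digests with `echo "::set-output ..."`, a workflow command GitHub has since deprecated in favour of the `$GITHUB_OUTPUT` file; the equivalent is `echo "digests=$(sha256sum artifact1 artifact2 | base64 -w0)" >> "$GITHUB_OUTPUT"`. The `build` job also declares no `runs-on`, so as written it cannot be scheduled, and the `provenance` job's `contents: read` is insufficient for `upload-assets: true`, which creates release assets and needs `contents: write`. Later patches in this series touch some of these lines, so they may already be on the author's list.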
@@ -0,0 +1,7 @@ +{ + "name": "SLSA Generic generator", + "creator": "Open Source Security Foundation (OpenSSF)", + "description": "Generate SLSA3 provenance for your existing release workflows", + "iconName": "go-ossf-slsa3-publish", + "categories": ["Continuous integration"] +} diff --git a/icons/generator-generic-ossf-slsa3-publish.svg b/icons/generator-generic-ossf-slsa3-publish.svg new file mode 100644 index 0000000000..ea7746896d --- /dev/null +++ b/icons/generator-generic-ossf-slsa3-publish.svg @@ -0,0 +1,11 @@ + + + + + + + + + + + From c81201dd621f7167106925fcbb2db17b6381d430 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 19 Jul 2022 01:06:11 +0000 Subject: [PATCH 460/844] update --- ci/generator-generic-ossf-slsa3-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml index f843fd1a48..e37a3f35b6 100644 --- a/ci/generator-generic-ossf-slsa3-publish.yml +++ b/ci/generator-generic-ossf-slsa3-publish.yml @@ -60,4 +60,4 @@ jobs: uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0 with: base64-subjects: "${{ needs.build.outputs.digests }}" - upload-assets: true # Optional: Upload to a new release \ No newline at end of file + upload-assets: true # Optional: Upload to a new release From 19e6b35e8432c1d2915cbc9d86b12e4fcb0d1838 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 19 Jul 2022 01:14:33 +0000 Subject: [PATCH 461/844] update --- ci/generator-generic-ossf-slsa3-publish.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml index e37a3f35b6..eae74315b9 100644 --- a/ci/generator-generic-ossf-slsa3-publish.yml +++ b/ci/generator-generic-ossf-slsa3-publish.yml @@ -21,6 +21,7 @@ permissions: read-all jobs: build: + runs-on: ubuntu-latest outputs: digests: ${{ steps.hash.outputs.digests }} 
From 026c540730dd5bafad6c468af4cb2176bd0327cb Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 19 Jul 2022 01:21:35 +0000 Subject: [PATCH 462/844] update --- ci/generator-generic-ossf-slsa3-publish.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml index eae74315b9..54c110e951 100644 --- a/ci/generator-generic-ossf-slsa3-publish.yml +++ b/ci/generator-generic-ossf-slsa3-publish.yml @@ -55,9 +55,9 @@ jobs: provenance: needs: [build] permissions: - actions: read - id-token: write - contents: read + actions: read # To read the workflow path. + id-token: write # To sign the provenance. + contents: write # To add assets to a release. uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0 with: base64-subjects: "${{ needs.build.outputs.digests }}" From 30f1eecad156ad2196177709d0d2fe8f20eb8e78 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 19 Jul 2022 15:55:40 +0000 Subject: [PATCH 463/844] update --- ci/generator-generic-ossf-slsa3-publish.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml index 54c110e951..feadcf293b 100644 --- a/ci/generator-generic-ossf-slsa3-publish.yml +++ b/ci/generator-generic-ossf-slsa3-publish.yml 
@@ -3,10 +3,10 @@ # separate terms of service, privacy policy, and support # documentation. -# This workflow lets you compile your Go project using a SLSA3 compliant builder. -# This workflow will generate a so-called "provenance" file describing the steps +# This workflow lets you compile your Go project using a SLSA3 compliant builder +# This workflow will generate a so-called "provenance" file describing the steps # that were performed to generate the final binary. -# The project is an initiative of the OpenSSF (openssf.org) and is developed at +# The project is an initiative of the OpenSSF (openssf.org) and is developed at # https://github.com/slsa-framework/slsa-github-generator. # The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. # For more information about SLSA and how it improves the supply-chain, visit slsa.dev. @@ -26,11 +26,13 @@ jobs: digests: ${{ steps.hash.outputs.digests }} steps: + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3 + # ======================================================== # # Step 1: Build your artifacts. # - # ======================================================== + # ======================================================== - name: Build artifacts run: | # These are some amazing artifacts. From aec987bfb55cb1003ba043fdd1a67426eba751e3 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 1 Aug 2022 15:00:08 +0000 Subject: [PATCH 464/844] comments --- ci/generator-generic-ossf-slsa3-publish.yml | 12 +++++++----- ...erator-generic-ossf-slsa3-publish.properties.json | 4 ++-- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml index feadcf293b..c8a35441a7 100644 --- a/ci/generator-generic-ossf-slsa3-publish.yml +++ b/ci/generator-generic-ossf-slsa3-publish.yml 
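Review bot: The `uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3` line added in the `-26,11 +26,13` hunk is missing the `- ` sequence marker, so under `steps:` it becomes a mapping entry rather than a list item and the workflow will fail to parse; it should read `- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3`. The SHA pin with the tag recorded in a comment is otherwise the right form for a template that promotes verifiable builds. The first hunk appears to change only trailing whitespace on comment lines, which yamllint's trailing-spaces rule will flag.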
@@ -3,9 +3,8 @@ # separate terms of service, privacy policy, and support # documentation. -# This workflow lets you compile your Go project using a SLSA3 compliant builder -# This workflow will generate a so-called "provenance" file describing the steps -# that were performed to generate the final binary. +# This workflow lets you generate SLSA provenance file for your project. +# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements # The project is an initiative of the OpenSSF (openssf.org) and is developed at # https://github.com/slsa-framework/slsa-github-generator. # The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. @@ -26,7 +25,7 @@ jobs: digests: ${{ steps.hash.outputs.digests }} steps: - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3 + uses: actions/checkout@v3 # ======================================================== # @@ -52,7 +51,10 @@ jobs: run: | set -euo pipefail - echo "::set-output name=digests::$(sha256sum artifact1 artifact2 | base64 -w0)" + # List the artifacts the provenance will refer to. + files=$(ls artifact*) + # Generate the subjects (base64 encoded). + echo "::set-output name=digests::$(sha256sum $files | base64 -w0)" provenance: needs: [build] diff --git a/ci/properties/generator-generic-ossf-slsa3-publish.properties.json b/ci/properties/generator-generic-ossf-slsa3-publish.properties.json index 2861c3f1ef..32cf63d06b 100644 --- a/ci/properties/generator-generic-ossf-slsa3-publish.properties.json +++ b/ci/properties/generator-generic-ossf-slsa3-publish.properties.json 
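Review bot: The `-26,7 +25,7` hunk replaces the commit-pinned `actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3` with the mutable `actions/checkout@v3` tag. For a template whose purpose is verifiable provenance the immutable pin is the stronger choice; if the tag form is required by the repository's conventions, a comment saying so would prevent the next reader from re-pinning it, otherwise keep the SHA with the tag noted. Either way the line still lacks the `- ` list marker under `steps:`, so it does not parse as a step.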
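Review bot: In the `-52,7 +51,10` hunk, `files=$(ls artifact*)` parses `ls` output and then expands `$files` unquoted, so an artifact name containing whitespace or glob characters is split or re-globbed before `sha256sum` sees it, and the hashes would then describe different files than the ones released. Let the shell expand the glob directly and drop the intermediate variable: `echo "::set-output name=digests::$(sha256sum artifact* | base64 -w0)"`. `::set-output` has since been deprecated in favour of appending `digests=...` to `$GITHUB_OUTPUT`.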
@@ -2,6 +2,6 @@ "name": "SLSA Generic generator", "creator": "Open Source Security Foundation (OpenSSF)", "description": "Generate SLSA3 provenance for your existing release workflows", - "iconName": "go-ossf-slsa3-publish", - "categories": ["Continuous integration"] + "iconName": "generator-generic-ossf-slsa3-publish", + "categories": ["Continuous integration", "Go", "Elixir", "Erlang", "PHP", "Haskell", "Rust", "Java", "Scala", "Gradle", "Maven", "Python", "C", "C++", "TypeScript", "JavaScript", "npm", "Ruby", "HTML", "Composer", "Makefile", "Ada"] } From 6f7030b18ad1da672b55b9ca4f6ec1abed29f7ed Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 11 Aug 2022 13:32:01 +0000 Subject: [PATCH 465/844] update --- ci/generator-generic-ossf-slsa3-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml index c8a35441a7..a249449a5a 100644 --- a/ci/generator-generic-ossf-slsa3-publish.yml +++ b/ci/generator-generic-ossf-slsa3-publish.yml @@ -25,7 +25,7 @@ jobs: digests: ${{ steps.hash.outputs.digests }} steps: - uses: actions/checkout@v3 + - uses: actions/checkout@v3 # ======================================================== # From b206471e4d771114db07fd56357db8f2ae20a8d2 Mon Sep 17 00:00:00 2001 From: Dylan Rinker Date: Tue, 16 Aug 2022 09:24:41 -0400 Subject: [PATCH 466/844] Update clj-holes.yml - Fixed a typo in the upload-sarif@v1 action - Commented out the rules-repository. The template will now default to rules in git://clj-holmes/clj-holmes-rules#main, but the format is preserved. --- code-scanning/clj-holmes.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index 4150cbbb2e..3cfde1469e 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml 
@@ -31,7 +31,7 @@ jobs: - name: Scan code uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb with: - rules-repository: 'git://org/private-rules-repo#main' + # rules-repository: 'git://org/private-rules-repo#main' output-type: 'sarif' output-file: 'clj-holmes-results.sarif' fail-on-result: 'false' @@ -40,4 +40,4 @@ jobs: uses: github/codeql-action/upload-sarif@v1 with: sarif_file: ${{github.workspace}}/clj-holmes-results.sarif - ait-for-processing: true \ No newline at end of file + wait-for-processing: true From 65d796c94f140568865b90066331e52031cd8a8d Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 16 Aug 2022 12:47:02 -0400 Subject: [PATCH 467/844] Add Anchore Syft SBOM scan workflow --- code-scanning/anchore-syft.yml | 38 +++++++++++++++++++ .../properties/anchore-syft.properties.json | 7 ++++ 2 files changed, 45 insertions(+) create mode 100644 code-scanning/anchore-syft.yml create mode 100644 code-scanning/properties/anchore-syft.properties.json diff --git a/code-scanning/anchore-syft.yml b/code-scanning/anchore-syft.yml new file mode 100644 index 0000000000..8180622251 --- /dev/null +++ b/code-scanning/anchore-syft.yml 
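Review bot: The commented-out example `# rules-repository: 'git://org/private-rules-repo#main'` in the `-31,7 +31,7` hunk, and the `git://clj-holmes/clj-holmes-rules#main` default the commit message describes, use the unauthenticated `git://` transport, which provides no server authentication or integrity protection for rule sets that drive a code-scanning result, and which GitHub no longer serves. If the action accepts it, an `https://` URL (ideally with a pinned commit rather than `#main`) would be the safer example to leave in the template; worth confirming against the action's documentation. The `wait-for-processing` typo fix in the second hunk is correct, but `github/codeql-action/upload-sarif@v1` is a superseded major version and should move to `v2` when the template is next touched.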
@@ -0,0 +1,38 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow checks out code, builds an image, performs a container image +# scan with Anchore's Syft tool, and uploads the results to the GitHub Dependency +# submission API. + +# For more information on the Anchore sbom-action usage +# and parameters, see https://github.com/anchore/sbom-action. For more +# information about the Anchore SBOM tool, Syft, see +# https://github.com/anchore/syft +name: Anchore Syft SBOM scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + +permissions: + contents: write + +jobs: + Anchore-Build-Scan: + permissions: + contents: write # required to upload to the Dependency submission API + runs-on: ubuntu-latest + steps: + - name: Checkout the code + uses: actions/checkout@v3 + - name: Build the Docker image + run: docker build . --file Dockerfile --tag localbuild/testimage:latest + - name: Scan the image and upload dependency results + uses: anchore/sbom-action@bb716408e75840bbb01e839347cd213767269d4a + with: + image: "localbuild/testimage:latest" + artifact-name: image.spdx.json + dependency-snapshot: true diff --git a/code-scanning/properties/anchore-syft.properties.json b/code-scanning/properties/anchore-syft.properties.json new file mode 100644 index 0000000000..815f8b287a --- /dev/null +++ b/code-scanning/properties/anchore-syft.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Anchore Syft SBOM Scan", + "organization": "Anchore", + "description": "Produce Software Bills of Materials based on Anchore's open source Syft tool.", + "iconName": "anchore", + "categories": ["Code Scanning", "dockerfile", "dependency-management"] +} From a82c7d200aac56c398fd9b679da120d310965861 Mon Sep 17 00:00:00 2001 
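Review bot: The workflow-level `permissions: contents: write` in the `-0,0 +1,38` hunk is redundant with, and broader than, the job-level grant that already carries the `# required to upload to the Dependency submission API` comment; workflow-level permissions become the default for any job added later, so the write scope is best kept on the one job that needs it. Drop the top-level block or reduce it to `permissions: contents: read`. The `anchore/sbom-action` reference is correctly SHA-pinned but has no release noted next to it; `# v<release tag>` after the hash keeps the pin auditable.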
From: omerzi Date: Sun, 7 Aug 2022 09:32:25 +0300 Subject: [PATCH 468/844] Code review changes --- ...ogbot-fix.yml => frogbot-scan-and-fix.yml} | 7 ++- code-scanning/frogbot-scan-pr.yml | 60 ++++--------------- ...n => frogbot-scan-and-fix.properties.json} | 0 .../frogbot-scan-pr.properties.json | 2 +- 4 files changed, 17 insertions(+), 52 deletions(-) rename code-scanning/{frogbot-fix.yml => frogbot-scan-and-fix.yml} (86%) rename code-scanning/properties/{frogbot-fix.properties.json => frogbot-scan-and-fix.properties.json} (100%) diff --git a/code-scanning/frogbot-fix.yml b/code-scanning/frogbot-scan-and-fix.yml similarity index 86% rename from code-scanning/frogbot-fix.yml rename to code-scanning/frogbot-scan-and-fix.yml index 278e8fa530..c9ce731cd2 100644 --- a/code-scanning/frogbot-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -2,9 +2,12 @@ # They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support # documentation. +# Frogbot Scan and Fix does the following: +# Automatically creates pull requests with fixes for vulnerable project dependencies. +# Uses JFrog Xray to scan the project. # Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot -name: "Frogbot Fix" +name: "Frogbot Scan and Fix" on: push: branches: @@ -37,7 +40,7 @@ jobs: # node-version: "16.x" - - uses: jfrog/frogbot@v2 + - uses: jfrog/frogbot@2291fc454e8aeea77386cfcb85a1ae36765bb1f4 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index 54304d33c0..a72ae4c6e2 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml 
@@ -2,8 +2,12 @@ # They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support # documentation. +# Frogbot Scan Pull Request does the following: +# Automatically scans new pull requests for security vulnerabilities. +# Uses JFrog Xray to scan the project. +# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot -name: "Frogbot Scan" +name: "Frogbot Scan Pull Request" on: pull_request_target: types: [ opened, synchronize ] @@ -35,23 +39,9 @@ jobs: # with: # node-version: "16.x" - # - uses: gradle/gradle-build-action@v2 + # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request - # - uses: actions/setup-dotnet@v2 - # with: - # dotnet-version: "3.1.x" - - # - uses: nuget/setup-nuget@v1 - # with: - # nuget-version: "5.x" - - # - uses: actions/setup-python@v3 - # with: - # python-version: "3.x" - - # - run: pipx install pipenv - - - uses: jfrog/frogbot@v2 + - uses: jfrog/frogbot@2291fc454e8aeea77386cfcb85a1ae36765bb1f4 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) @@ -69,7 +59,9 @@ jobs: # The GitHub token automatically generated for the job JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # Uncomment the below options if you'd like to use them. + # [Mandatory if JF_USER and JF_PASSWORD are not provided] + # JFrog access token with 'read' permissions on Xray service + # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} # [Mandatory when using npm] # The command that installs the dependencies 
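Review bot: The `-2,8 +2,12` hunk keeps `pull_request_target: types: [ opened, synchronize ]` as the trigger while the later hunks in this file hand the job `JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, `JF_ACCESS_TOKEN` and an optional `JF_INSTALL_DEPS_CMD`. Under this trigger the job runs in the base repository's context with secrets available; if the scan installs the pull request's dependencies, package-manager lifecycle scripts from a fork would run with those secrets in the environment. The template header should state this and point users at a protection such as a required-reviewer environment on the job; whether the action checks out the PR head is not visible in the hunk, so please confirm against Frogbot's documentation. The same applies to the PATCH 454 version of this file.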
@@ -79,34 +71,4 @@ jobs: # The command that installs the dependencies # JF_INSTALL_DEPS_CMD: "dotnet restore" - # [Optional when using Nuget] - # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "nuget restore" - - # [Optional when using Pip] - # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "pip install" - - # [Optional when using Pipenv] - # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "pipenv install" - - # [Optional, default: https://api.github.com] - # API endpoint to GitHub - # JF_GIT_API_ENDPOINT: https://github.example.com - - # [Mandatory if JF_USER and JF_PASSWORD are not provided] - # JFrog access token with 'read' permissions on Xray service - # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} - - # [Optional, default: "."] - # Relative path to the project in the git repository - # JF_WORKING_DIR: path/to/working/dir - - # [Optional] - # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches - # JF_WATCHES: ,... - - # [Optional] - # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects - # JF_PROJECT: \ No newline at end of file + # The full template list with full optional environment variables can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request \ No newline at end of file diff --git a/code-scanning/properties/frogbot-fix.properties.json b/code-scanning/properties/frogbot-scan-and-fix.properties.json similarity index 100% rename from code-scanning/properties/frogbot-fix.properties.json rename to code-scanning/properties/frogbot-scan-and-fix.properties.json diff --git a/code-scanning/properties/frogbot-scan-pr.properties.json b/code-scanning/properties/frogbot-scan-pr.properties.json index 8f9626ce5e..b74f3e6c71 100644 --- a/code-scanning/properties/frogbot-scan-pr.properties.json 
+++ b/code-scanning/properties/frogbot-scan-pr.properties.json @@ -1,5 +1,5 @@ { - "name": "Frogbot Scan Pull Requests", + "name": "Frogbot Scan Pull Request", "description": "Automatically scans new pull requests for security vulnerabilities. Uses JFrog Xray to scan the project. Included as part of JFrog's free subscription.", "iconName": "frogbot", "categories": [ From dc77db1892c77df0137f5391f7fa318d7b26b283 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Thu, 18 Aug 2022 12:49:49 +0530 Subject: [PATCH 469/844] Update CODEOWNERS to have pages team --- CODEOWNERS | 1 + 1 file changed, 1 insertion(+) diff --git a/CODEOWNERS b/CODEOWNERS index 91153dee71..0a7c0a548d 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,3 +1,4 @@ * @actions/starter-workflows /code-scanning/ @actions/advanced-security-code-scanning @actions/starter-workflows +/pages/ @actions/pages @actions/starter-workflows From 4a6ec1eed26d248486e437ab7f525efbd3cba6a1 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Fri, 19 Aug 2022 09:45:08 -0500 Subject: [PATCH 470/844] Update Pages starter workflows to use actions/configure-pages@v2 --- pages/gatsby.yml | 2 +- pages/hugo.yml | 2 +- pages/jekyll-gh-pages.yml | 2 +- pages/jekyll.yml | 4 ++-- pages/nextjs.yml | 2 +- pages/nuxtjs.yml | 2 +- pages/static.yml | 2 +- 7 files changed, 8 insertions(+), 8 deletions(-) diff --git a/pages/gatsby.yml b/pages/gatsby.yml index 9cdf3fc930..4f2857d8ca 100644 --- a/pages/gatsby.yml +++ b/pages/gatsby.yml @@ -57,7 +57,7 @@ jobs: cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages id: pages - uses: actions/configure-pages@v1 + uses: actions/configure-pages@v2 with: # Automatically inject pathPrefix in your Gatsby configuration file. # diff --git a/pages/hugo.yml b/pages/hugo.yml index 07b2b854ce..19788356a0 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml 
@@ -42,7 +42,7 @@ jobs: submodules: recursive - name: Setup Pages id: pages - uses: actions/configure-pages@v1 + uses: actions/configure-pages@v2 - name: Build with Hugo run: | hugo \ diff --git a/pages/jekyll-gh-pages.yml b/pages/jekyll-gh-pages.yml index 7ee1e972ca..8c7a207703 100644 --- a/pages/jekyll-gh-pages.yml +++ b/pages/jekyll-gh-pages.yml @@ -28,7 +28,7 @@ jobs: - name: Checkout uses: actions/checkout@v3 - name: Setup Pages - uses: actions/configure-pages@v1 + uses: actions/configure-pages@v2 - name: Build with Jekyll uses: actions/jekyll-build-pages@v1 with: diff --git a/pages/jekyll.yml b/pages/jekyll.yml index 05c876114d..adc80a7815 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -35,8 +35,8 @@ jobs: cache-version: 0 # Increment this number if you need to re-download cached gems - name: Setup Pages id: pages - uses: actions/configure-pages@v1 - - run: bundle exec jekyll build --baseurl ${{ steps.pages.outputs.base_path }} # defaults output to '/_site' + uses: actions/configure-pages@v2 + - run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}" # defaults output to '/_site' - name: Upload artifact uses: actions/upload-pages-artifact@v1 # This will automatically upload an artifact from the '/_site' directory diff --git a/pages/nextjs.yml b/pages/nextjs.yml index 79a1cc89f8..2993770a68 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -54,7 +54,7 @@ jobs: cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages id: pages - uses: actions/configure-pages@v1 + uses: actions/configure-pages@v2 with: # Automatically inject basePath in your Next.js configuration file and disable # server side image optimization (https://nextjs.org/docs/api-reference/next/image#unoptimized). diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml index 87c1201bc5..4f5a4fde3b 100644 --- a/pages/nuxtjs.yml +++ b/pages/nuxtjs.yml 
@@ -52,7 +52,7 @@ jobs: cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages id: pages - uses: actions/configure-pages@v1 + uses: actions/configure-pages@v2 with: # Automatically inject router.base in your Nuxt configuration file and set # target to static (https://nuxtjs.org/docs/configuration-glossary/configuration-target/). diff --git a/pages/static.yml b/pages/static.yml index 350b2c8893..9e0e871522 100644 --- a/pages/static.yml +++ b/pages/static.yml @@ -31,7 +31,7 @@ jobs: - name: Checkout uses: actions/checkout@v3 - name: Setup Pages - uses: actions/configure-pages@v1 + uses: actions/configure-pages@v2 - name: Upload artifact uses: actions/upload-pages-artifact@v1 with: From a935168dbb30ef14da46efd208b4198a13477a6f Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Fri, 19 Aug 2022 10:15:25 -0500 Subject: [PATCH 471/844] Add a trailing slash back into the Hugo starter workflow for maximum backward compatibility with themes --- pages/hugo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/hugo.yml b/pages/hugo.yml index 19788356a0..51164f10b5 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -47,7 +47,7 @@ jobs: run: | hugo \ --minify \ - --baseURL ${{ steps.pages.outputs.base_url }} + --baseURL ${{ steps.pages.outputs.base_url }}/ - name: Upload artifact uses: actions/upload-pages-artifact@v1 with: From 8e45e8f5fbfb87a387e3a04d415d3249406f56f0 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Fri, 19 Aug 2022 10:17:23 -0500 Subject: [PATCH 472/844] Remove unused step ID from a few Pages workflows --- pages/nextjs.yml | 1 - pages/nuxtjs.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/pages/nextjs.yml b/pages/nextjs.yml index 2993770a68..5c2bf67187 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml 
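Review bot: The `--baseURL ${{ steps.pages.outputs.base_url }}/` argument in the `-47,7 +47,7` hunk of pages/hugo.yml is still an unquoted expression expansion inside a `run:` script, whereas PATCH 470 quoted the equivalent `base_path` expansion in jekyll.yml. The value comes from `actions/configure-pages`, so the risk is low, but `--baseURL "${{ steps.pages.outputs.base_url }}/"` keeps the two templates consistent and survives any unusual characters in the URL.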
@@ -53,7 +53,6 @@ jobs: node-version: "16" cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages - id: pages uses: actions/configure-pages@v2 with: # Automatically inject basePath in your Next.js configuration file and disable diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml index 4f5a4fde3b..4178f18125 100644 --- a/pages/nuxtjs.yml +++ b/pages/nuxtjs.yml @@ -51,7 +51,6 @@ jobs: node-version: "16" cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages - id: pages uses: actions/configure-pages@v2 with: # Automatically inject router.base in your Nuxt configuration file and set From c7c674d47ef76ecbbd6d0c3a12934d31b2094be3 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Fri, 19 Aug 2022 11:28:44 -0500 Subject: [PATCH 473/844] Pages: Explicitly set Hugo environment as production --- pages/hugo.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/pages/hugo.yml b/pages/hugo.yml index 07b2b854ce..ea705f3577 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -46,6 +46,7 @@ jobs: - name: Build with Hugo run: | hugo \ + --environment production --minify \ --baseURL ${{ steps.pages.outputs.base_url }} - name: Upload artifact From 71b1a7c99f8b54d104b465e0dd9dc74e34a223bf Mon Sep 17 00:00:00 2001 From: ShootingStarDragons Date: Sat, 13 Aug 2022 22:16:20 +0800 Subject: [PATCH 474/844] feat(mdbook): add mdbook support Log: add mdbook support --- icons/mdbook.svg | 22 +++++++++ pages/mdbook.yml | 62 +++++++++++++++++++++++++ pages/properties/mdbook.properties.json | 6 +++ 3 files changed, 90 insertions(+) create mode 100644 icons/mdbook.svg create mode 100644 pages/mdbook.yml create mode 100644 pages/properties/mdbook.properties.json diff --git a/icons/mdbook.svg b/icons/mdbook.svg new file mode 100644 index 0000000000..90e0ea58bd --- /dev/null +++ b/icons/mdbook.svg @@ -0,0 +1,22 @@ + + + + + diff --git a/pages/mdbook.yml b/pages/mdbook.yml new file mode 100644 index 0000000000..57f3636d60 --- /dev/null 
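Review bot: In the `Build with Hugo` step of pages/hugo.yml (PATCH 473), the added `--environment production` line has no trailing backslash, so inside the `run: |` script the continuation started by `hugo \` ends at that argument and the following `--minify \ --baseURL ...` line is executed as a separate command, which fails the step. The added line should read `--environment production \`. PATCH 478 further down this page makes exactly this correction.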
+++ b/pages/mdbook.yml @@ -0,0 +1,62 @@ +# Sample workflow for building and deploying a mdbook site to GitHub Pages +# +# To get started with mdbook see: https://rust-lang.github.io/mdBook/index.html +# +name: Deploy mdbook site to Pages + +on: + # Runs on pushes targeting the default branch + push: + branches: [$default-branch] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages +permissions: + contents: read + pages: write + id-token: write + +# Allow one concurrent deployment +concurrency: + group: "pages" + cancel-in-progress: true +jobs: + # This workflow contains a single job called "build" + build: + env: + MDBOOK_VERSION : 0.4.21 + # The type of runner that the job will run on + runs-on: ubuntu-latest + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it + - uses: actions/checkout@v3 + + # Runs a single command using the runners shell + - name: install mdbook + run: | + curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf -y | sh + rustup update + cargo install --version ${MDBOOK_VERSION} mdbook + - name: Setup Pages + id: pages + uses: actions/configure-pages@v1 + - name: Build with mdbook + run: mdbook build + - name: Upload artifact + uses: actions/upload-pages-artifact@v1 + with: + path: ./book + deploy: + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + runs-on: ubuntu-latest + needs: build + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v1 diff --git a/pages/properties/mdbook.properties.json b/pages/properties/mdbook.properties.json new file mode 100644 index 0000000000..8617e7f302 --- /dev/null +++ b/pages/properties/mdbook.properties.json 
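Review bot: In the `install mdbook` step, the `-y` in `curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf -y | sh` is an argument to curl (where `-y` is `--speed-time` and expects a value), not to the rustup installer, so the installer never receives the non-interactive flag; rustup's documented form is `curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y`. The step also pipes a script fetched over the network straight into `sh` with no integrity check, which deserves a comment for users copying the template, and it may be redundant if the hosted runner image already ships a Rust toolchain — worth confirming before keeping it. `uses: actions/configure-pages@v1` lags the sibling Pages templates, which PATCH 470 on this page moved to `@v2`. Minor style: `MDBOOK_VERSION : 0.4.21` has a space before the colon; write `MDBOOK_VERSION: "0.4.21"`.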
@@ -0,0 +1,6 @@ +{ + "name": "Mdbook", + "description": "Package a Mdbook site.", + "iconName": "mdbook", + "categories": ["Pages", "Mdbook"] +} From 6d0b6c7b277795626387ee24bdf45a62804c39f5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Aug 2022 13:27:01 +0000 Subject: [PATCH 475/844] Bump pozil/auto-assign-issue from 1.9.0 to 1.10.0 Bumps [pozil/auto-assign-issue](https://github.com/pozil/auto-assign-issue) from 1.9.0 to 1.10.0. - [Release notes](https://github.com/pozil/auto-assign-issue/releases) - [Commits](https://github.com/pozil/auto-assign-issue/compare/v1.9.0...v1.10.0) --- updated-dependencies: - dependency-name: pozil/auto-assign-issue dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/auto-assign-issues.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml index ec278a6f0c..0cb93458e8 100644 --- a/.github/workflows/auto-assign-issues.yml +++ b/.github/workflows/auto-assign-issues.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Auto-assign issue' - uses: pozil/auto-assign-issue@v1.9.0 + uses: pozil/auto-assign-issue@v1.10.0 with: assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft numOfAssignee: 1 From 467b0208ed901696ef31d79fe72a8e92a4b205da Mon Sep 17 00:00:00 2001 From: Milan Aryal <9361180+MilanAryal@users.noreply.github.com> Date: Mon, 22 Aug 2022 21:30:03 +0545 Subject: [PATCH 476/844] Pages: Set Jekyll environment as production --- pages/jekyll.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pages/jekyll.yml b/pages/jekyll.yml index 05c876114d..36e29c312f 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml 
@@ -37,6 +37,8 @@ jobs: id: pages uses: actions/configure-pages@v1 - run: bundle exec jekyll build --baseurl ${{ steps.pages.outputs.base_path }} # defaults output to '/_site' + env: + JEKYLL_ENV: production - name: Upload artifact uses: actions/upload-pages-artifact@v1 # This will automatically upload an artifact from the '/_site' directory From 5ab15a73492cdce9e2d0ec3a7a77106325270e92 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Mon, 22 Aug 2022 12:13:18 -0700 Subject: [PATCH 477/844] Update scorecards.yml --- code-scanning/scorecards.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 539794d6ce..e4f1d0f8fc 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -25,12 +25,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0 + uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # v1.1.1 + uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # tag=v1.1.1 with: results_file: results.sarif results_format: sarif @@ -49,7 +49,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0 with: name: SARIF file path: results.sarif 
@@ -57,6 +57,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26 + uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26 with: sarif_file: results.sarif From 0d3c129311ae22b406e99c27395a9a450b04076d Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Mon, 22 Aug 2022 14:37:34 -0500 Subject: [PATCH 478/844] Add missing backslash for multi-line continuation Co-authored-by: Yoann Chaudet --- pages/hugo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/hugo.yml b/pages/hugo.yml index ea705f3577..5ab13b0a9e 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -46,7 +46,7 @@ jobs: - name: Build with Hugo run: | hugo \ - --environment production + --environment production \ --minify \ --baseURL ${{ steps.pages.outputs.base_url }} - name: Upload artifact From 709400e808d401c345db341aa93fa473f91c8f85 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Mon, 22 Aug 2022 16:13:12 -0500 Subject: [PATCH 479/844] Set HUGO_ENV* env vars instead of CLI flag Reverts https://github.com/actions/starter-workflows/pull/1689 Fixes https://github.com/actions/starter-workflows/issues/1683 --- pages/hugo.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pages/hugo.yml b/pages/hugo.yml index 5ab13b0a9e..da2f462c51 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -44,9 +44,12 @@ jobs: id: pages uses: actions/configure-pages@v1 - name: Build with Hugo + env: + # For maximum backward compatibility with Hugo modules + HUGO_ENVIRONMENT: production + HUGO_ENV: production run: | hugo \ - --environment production \ --minify \ --baseURL ${{ steps.pages.outputs.base_url }} - name: Upload artifact From bff759f503d37945684e33890eb21e671ab9f815 Mon Sep 17 00:00:00 2001 
From: "James M. Greene" Date: Mon, 22 Aug 2022 16:39:05 -0500 Subject: [PATCH 480/844] Clarify './_site' directory usage --- pages/jekyll.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/pages/jekyll.yml b/pages/jekyll.yml index adc80a7815..5c7b90c76a 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -36,9 +36,12 @@ jobs: - name: Setup Pages id: pages uses: actions/configure-pages@v2 - - run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}" # defaults output to '/_site' + - name: Build with Jekyll + # Outputs to the './_site' directory by default + run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}" - name: Upload artifact - uses: actions/upload-pages-artifact@v1 # This will automatically upload an artifact from the '/_site' directory + # Automatically uploads an artifact from the './_site' directory by default + uses: actions/upload-pages-artifact@v1 # Deployment job deploy: From 27a76bc269764e7bffc4b0f694969e96dc3c8358 Mon Sep 17 00:00:00 2001 From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com> Date: Tue, 23 Aug 2022 11:17:35 +0300 Subject: [PATCH 481/844] Update frogbot-scan-pr.yml --- code-scanning/frogbot-scan-pr.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index 5ef3b1c693..b732a55042 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml @@ -42,7 +42,7 @@ jobs: # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request - - uses: jfrog/frogbot@c8dfceda50ee19fee0cc19992c4a4aaffc95f4c6 + - uses: jfrog/frogbot@9678b9ea5bb1da478518345a454abaf1e7ecc637 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) 
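Review bot: The new pin `jfrog/frogbot@9678b9ea5bb1da478518345a454abaf1e7ecc637` in code-scanning/frogbot-scan-pr.yml carries no version comment, so a reader cannot tell which Frogbot release the SHA corresponds to or whether the change is an upgrade; the other SHA-pinned actions on this page carry one (`# tag=v3.0.0` in scorecards.yml, `# v1.115.3` for ruby/setup-ruby), and Dependabot keeps such a comment in sync when it bumps the SHA. Suggest `- uses: jfrog/frogbot@9678b9ea5bb1da478518345a454abaf1e7ecc637 # <frogbot release tag>`. The same applies to the frogbot pins in PATCH 482, 483, 484 and 490 further down this page.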
@@ -72,4 +72,4 @@ jobs: # The command that installs the dependencies # JF_INSTALL_DEPS_CMD: "dotnet restore" - # The full template list with full optional environment variables can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request \ No newline at end of file + # The full template list with full optional environment variables can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request From f4c529ed9fdaf315db0e6b0fa7c2585b9ebc26e0 Mon Sep 17 00:00:00 2001 From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com> Date: Tue, 23 Aug 2022 11:17:52 +0300 Subject: [PATCH 482/844] Update frogbot-scan-and-fix.yml --- code-scanning/frogbot-scan-and-fix.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index c9ce731cd2..e48a301ea7 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -40,7 +40,7 @@ jobs: # node-version: "16.x" - - uses: jfrog/frogbot@2291fc454e8aeea77386cfcb85a1ae36765bb1f4 + - uses: jfrog/frogbot@9678b9ea5bb1da478518345a454abaf1e7ecc637 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) @@ -56,4 +56,4 @@ jobs: # [Mandatory if using npm] # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "npm i" \ No newline at end of file + # JF_INSTALL_DEPS_CMD: "npm i" From 77485a55d02fe7bc782d6b07e192b53c1f9b7345 Mon Sep 17 00:00:00 2001 From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com> Date: Tue, 23 Aug 2022 16:56:22 +0300 Subject: [PATCH 483/844] Update frogbot-scan-and-fix.yml --- code-scanning/frogbot-scan-and-fix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index e48a301ea7..56725f5839 100644 --- a/code-scanning/frogbot-scan-and-fix.yml 
+++ b/code-scanning/frogbot-scan-and-fix.yml @@ -40,7 +40,7 @@ jobs: # node-version: "16.x" - - uses: jfrog/frogbot@9678b9ea5bb1da478518345a454abaf1e7ecc637 + - uses: jfrog/frogbot@de3d42bf3a454ddf156632ae520a5ead49048416 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) From 5fd9f566895bae9243a07fe73bd9c8cb53d9fc15 Mon Sep 17 00:00:00 2001 From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com> Date: Tue, 23 Aug 2022 16:56:36 +0300 Subject: [PATCH 484/844] Update frogbot-scan-pr.yml --- code-scanning/frogbot-scan-pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index b732a55042..bdc71b4483 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml @@ -42,7 +42,7 @@ jobs: # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request - - uses: jfrog/frogbot@9678b9ea5bb1da478518345a454abaf1e7ecc637 + - uses: jfrog/frogbot@de3d42bf3a454ddf156632ae520a5ead49048416 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) From cdcdda3a89148c23d9fc83a0a63ca7c8c65d083a Mon Sep 17 00:00:00 2001 From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com> Date: Wed, 24 Aug 2022 15:41:50 +0300 Subject: [PATCH 485/844] Update frogbot-scan-and-fix.properties.json --- code-scanning/properties/frogbot-scan-and-fix.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/frogbot-scan-and-fix.properties.json b/code-scanning/properties/frogbot-scan-and-fix.properties.json index 5d04487a51..a072c5a316 100644 --- a/code-scanning/properties/frogbot-scan-and-fix.properties.json +++ b/code-scanning/properties/frogbot-scan-and-fix.properties.json 
@@ -11,5 +11,5 @@ "C#", "Python" ], - "organization": "JFrog" -} \ No newline at end of file + "creator": "JFrog" +} From bb6277cf2af38fd4bff0b737f2cbdb3f59e7279b Mon Sep 17 00:00:00 2001 From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com> Date: Wed, 24 Aug 2022 15:42:10 +0300 Subject: [PATCH 486/844] Update frogbot-scan-pr.properties.json --- code-scanning/properties/frogbot-scan-pr.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/frogbot-scan-pr.properties.json b/code-scanning/properties/frogbot-scan-pr.properties.json index b74f3e6c71..257f9d6fb3 100644 --- a/code-scanning/properties/frogbot-scan-pr.properties.json +++ b/code-scanning/properties/frogbot-scan-pr.properties.json @@ -11,5 +11,5 @@ "C#", "Python" ], - "organization": "JFrog" -} \ No newline at end of file + "creator": "JFrog" +} From 5b0989e0424bb00942ebe8290af0c7d9f575317e Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Thu, 25 Aug 2022 10:24:32 -0500 Subject: [PATCH 487/844] Pages: Bring use of `ruby/setup-ruby` into compliance --- pages/jekyll.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/pages/jekyll.yml b/pages/jekyll.yml index 36e29c312f..c3f7781d5d 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -1,3 +1,8 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + # Sample workflow for building and deploying a Jekyll site to GitHub Pages name: Deploy Jekyll site to Pages @@ -28,7 +33,7 @@ jobs: - name: Checkout uses: actions/checkout@v3 - name: Setup Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa with: ruby-version: '3.0' # Not needed with a .ruby-version file bundler-cache: true # runs 'bundle install' and caches installed gems automatically 
From 0d82602f17f0f783f926e660e9c567a96e3a8a69 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Thu, 25 Aug 2022 22:46:15 -0500 Subject: [PATCH 488/844] Add optional quotes to Hugo CLI baseURL --- pages/hugo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/hugo.yml b/pages/hugo.yml index 0461b71da8..fb8c924c90 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -51,7 +51,7 @@ jobs: run: | hugo \ --minify \ - --baseURL ${{ steps.pages.outputs.base_url }}/ + --baseURL "${{ steps.pages.outputs.base_url }}/" - name: Upload artifact uses: actions/upload-pages-artifact@v1 with: From 9d734850ef2e1ed5d071ec980059f3a51aa46fcc Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Thu, 25 Aug 2022 23:42:31 -0500 Subject: [PATCH 489/844] Update all usages of ruby/setup-ruby to latest --- ci/ruby.yml | 2 +- ci/rubyonrails.yml | 4 ++-- code-scanning/brakeman.yml | 2 +- code-scanning/puppet-lint.yml | 2 +- code-scanning/rubocop.yml | 2 +- pages/jekyll.yml | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ci/ruby.yml b/ci/ruby.yml index 81ea36336d..6340760d1e 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -30,7 +30,7 @@ jobs: # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, # change this to (see https://github.com/ruby/setup-ruby#versioning): # uses: ruby/setup-ruby@v1 - uses: ruby/setup-ruby@2b019609e2b0f1ea1a2bc8ca11cb82ab46ada124 + uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3 with: ruby-version: ${{ matrix.ruby-version }} bundler-cache: true # runs 'bundle install' and caches installed gems automatically diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index 2ad891f479..958a104374 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml 
@@ -30,7 +30,7 @@ jobs: uses: actions/checkout@v3 # Add or replace dependency steps here - name: Install Ruby and gems - uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92 + uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3 with: bundler-cache: true # Add or replace database setup steps here @@ -46,7 +46,7 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - name: Install Ruby and gems - uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92 + uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3 with: bundler-cache: true # Add or replace any other lints here diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index 155208fc86..b04cabf75c 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -34,7 +34,7 @@ jobs: # Customize the ruby version depending on your needs - name: Setup Ruby - uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf + uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3 with: ruby-version: '2.7' diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml index 801b90bc28..d41b65ba96 100644 --- a/code-scanning/puppet-lint.yml +++ b/code-scanning/puppet-lint.yml @@ -35,7 +35,7 @@ jobs: uses: actions/checkout@v3 - name: Setup Ruby - uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf + uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3 with: ruby-version: 2.7 bundler-cache: true diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml index ed458b2a53..8018ca13c3 100644 --- a/code-scanning/rubocop.yml +++ b/code-scanning/rubocop.yml 
@@ -28,7 +28,7 @@ jobs: # If running on a self-hosted runner, check it meets the requirements # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners - name: Set up Ruby - uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf + uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3 with: ruby-version: 2.6 diff --git a/pages/jekyll.yml b/pages/jekyll.yml index 37ee81888b..d039d12b8a 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -33,7 +33,7 @@ jobs: - name: Checkout uses: actions/checkout@v3 - name: Setup Ruby - uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa + uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3 with: ruby-version: '3.0' # Not needed with a .ruby-version file bundler-cache: true # runs 'bundle install' and caches installed gems automatically From 2f880ea2a2c40752e91d1e0c645d3e997fef9397 Mon Sep 17 00:00:00 2001 From: omerzi Date: Sun, 28 Aug 2022 16:07:58 +0300 Subject: [PATCH 490/844] Update Frogbot permissions and Tag --- code-scanning/frogbot-scan-and-fix.yml | 3 ++- code-scanning/frogbot-scan-pr.yml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 56725f5839..a4b1c89cc8 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -18,6 +18,7 @@ on: permissions: contents: write pull-requests: write + security-events: write jobs: create-fix-pull-requests: runs-on: ubuntu-latest @@ -40,7 +41,7 @@ jobs: # node-version: "16.x" - - uses: jfrog/frogbot@de3d42bf3a454ddf156632ae520a5ead49048416 + - uses: jfrog/frogbot@34759934930c177bdefba6ca3a417589d4db6cab env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index bdc71b4483..ec19d61668 100644 --- a/code-scanning/frogbot-scan-pr.yml 
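Review bot: The new `security-events: write` grant in the top-level `permissions:` block of code-scanning/frogbot-scan-and-fix.yml (PATCH 490) has no explanation, unlike the rest of this template where each setting carries a `# [Mandatory]`/`# [Optional]` note. Since the file is a starter template, a one-line comment above `security-events: write` naming the Frogbot feature that needs the scope (presumably writing scan results to code scanning — confirm against the action's documentation) lets users who do not use that feature drop the grant and keep the token at the minimum it needs. The widened token scope also applies on every `push`, which the comment should make visible.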
+++ b/code-scanning/frogbot-scan-pr.yml @@ -42,7 +42,7 @@ jobs: # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request - - uses: jfrog/frogbot@de3d42bf3a454ddf156632ae520a5ead49048416 + - uses: jfrog/frogbot@34759934930c177bdefba6ca3a417589d4db6cab env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) From d13b97ea2931d2fcd9a5472cdd6dc838845a0f8a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Aug 2022 13:44:15 +0000 Subject: [PATCH 491/844] Bump kentaro-m/auto-assign-action from 1.2.1 to 1.2.2 Bumps [kentaro-m/auto-assign-action](https://github.com/kentaro-m/auto-assign-action) from 1.2.1 to 1.2.2. - [Release notes](https://github.com/kentaro-m/auto-assign-action/releases) - [Commits](https://github.com/kentaro-m/auto-assign-action/compare/v1.2.1...v1.2.2) --- updated-dependencies: - dependency-name: kentaro-m/auto-assign-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/auto-assign.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/auto-assign.yml b/.github/workflows/auto-assign.yml index d7161b105b..b0789b3877 100644 --- a/.github/workflows/auto-assign.yml +++ b/.github/workflows/auto-assign.yml @@ -7,4 +7,4 @@ jobs: add-reviews: runs-on: ubuntu-latest steps: - - uses: kentaro-m/auto-assign-action@v1.2.1 + - uses: kentaro-m/auto-assign-action@v1.2.2 From a4af1b700b74cf840fba5cbc9502a1a3eb6a43c1 Mon Sep 17 00:00:00 2001 
From: Austen Stone Date: Tue, 30 Aug 2022 10:13:31 -0400 Subject: [PATCH 492/844] branches --- .github/workflows/sync-ghes.yaml | 3 +-- code-scanning/frogbot-scan-and-fix.yml | 6 +----- deployments/alibabacloud.yml | 3 +-- deployments/aws.yml | 3 +-- deployments/azure-container-webapp.yml | 3 +-- deployments/azure-kubernetes-service-helm.yml | 3 +-- deployments/azure-kubernetes-service-kompose.yml | 3 +-- deployments/azure-kubernetes-service-kustomize.yml | 3 +-- deployments/azure-kubernetes-service.yml | 3 +-- deployments/azure-staticwebapp.yml | 6 ++---- deployments/azure-webapps-dotnet-core.yml | 3 +-- deployments/azure-webapps-java-jar.yml | 3 +-- deployments/azure-webapps-node.yml | 3 +-- deployments/azure-webapps-php.yml | 3 +-- deployments/azure-webapps-python.yml | 3 +-- deployments/google-cloudrun-docker.yml | 3 +-- deployments/google-cloudrun-source.yml | 3 +-- deployments/google.yml | 3 +-- deployments/ibm.yml | 3 +-- deployments/tencent.yml | 3 +-- deployments/terraform.yml | 3 +-- 21 files changed, 22 insertions(+), 47 deletions(-) diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index aba778071e..c8b83c92ff 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -2,8 +2,7 @@ name: Sync workflows for GHES on: push: - branches: - - main + branches: [ $default-branch ] jobs: sync: diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 56725f5839..4829c8ff32 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -10,11 +10,7 @@ name: "Frogbot Scan and Fix" on: push: - branches: - # The scanning and creation of pull requests with fixes are triggered by pushing code to one of the these branches. - # You can edit the list of branches you wish to open fix pull requests on. - - "main" - - "master" + branches: [ $default-branch ] permissions: contents: write pull-requests: write 
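Review bot: `.github/workflows/sync-ghes.yaml` is a live workflow in this repository, not a starter template, and `$default-branch` is a placeholder that GitHub substitutes only when a template is instantiated from the Actions UI; in a committed workflow it is a literal branch name that will never match, so after this hunk the `push` trigger stops firing. The sync workflow should keep a concrete branch, `branches: [ main ]`. The code-scanning/frogbot-scan-and-fix.yml hunk in the same commit also drops the two comment lines explaining that the branch list controls where fix pull requests are opened; that guidance is useful in a template and should be kept above the new `branches:` line.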
diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index d7c27d909c..9853b75bd0 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -21,8 +21,7 @@ name: Build and Deploy to ACK on: push: - branches: - - $default-branch + branches: [ $default-branch ] # Environment variables available to all jobs and steps in this workflow. env: diff --git a/deployments/aws.yml b/deployments/aws.yml index 47253bf012..958584480d 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -28,8 +28,7 @@ name: Deploy to Amazon ECS on: push: - branches: - - $default-branch + branches: [ $default-branch ] env: AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1 diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml index 8b690658c0..cc2e1ddd56 100644 --- a/deployments/azure-container-webapp.yml +++ b/deployments/azure-container-webapp.yml @@ -31,8 +31,7 @@ env: on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: permissions: diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index a6a2f4e0e8..83a9163cfd 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -34,8 +34,7 @@ name: Build and deploy an app to AKS with Helm on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: env: diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index 60fe5369ae..0e76365786 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -33,8 +33,7 @@ name: Build and deploy an app to AKS with Kompose on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: env: 
diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index d46cadbb65..1a89f3c0fb 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -33,8 +33,7 @@ name: Build and deploy an app to AKS with Kustomize on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: env: diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index d04a2ace80..3e4941911e 100644 --- a/deployments/azure-kubernetes-service.yml +++ b/deployments/azure-kubernetes-service.yml @@ -29,8 +29,7 @@ name: Build and deploy an app to AKS on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: env: diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml index a40ecc22ad..8fe07ced59 100644 --- a/deployments/azure-staticwebapp.yml +++ b/deployments/azure-staticwebapp.yml @@ -14,12 +14,10 @@ name: Deploy web app to Azure Static Web Apps on: push: - branches: - - $default-branch + branches: [ $default-branch ] pull_request: types: [opened, synchronize, reopened, closed] - branches: - - $default-branch + branches: [ $default-branch ] # Environment variables available to all jobs and steps in this workflow env: diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 0b59686828..9b2189554d 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -26,8 +26,7 @@ env: on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: permissions: diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 6e3df8ddd5..60fa68c188 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml 
@@ -26,8 +26,7 @@ env: on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: permissions: diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index 1480c92ab0..98e72c2c02 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -19,8 +19,7 @@ on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: env: diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 98e8dc77fb..4d08dbd1bb 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -21,8 +21,7 @@ name: Build and deploy PHP app to Azure Web App on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: env: diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 50f48232c2..d7aa802532 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -25,8 +25,7 @@ env: on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: permissions: diff --git a/deployments/google-cloudrun-docker.yml b/deployments/google-cloudrun-docker.yml index b8d0511e2e..bd748f8b3c 100644 --- a/deployments/google-cloudrun-docker.yml +++ b/deployments/google-cloudrun-docker.yml @@ -46,8 +46,7 @@ name: Build and Deploy to Cloud Run on: push: - branches: - - $default-branch + branches: [ $default-branch ] env: PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id diff --git a/deployments/google-cloudrun-source.yml b/deployments/google-cloudrun-source.yml index 2916b454ef..e6fcb52832 100644 --- a/deployments/google-cloudrun-source.yml +++ b/deployments/google-cloudrun-source.yml @@ -48,8 +48,7 @@ name: Deploy to Cloud Run from Source on: push: - branches: - - $default-branch + branches: [ $default-branch ] env: PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id 
diff --git a/deployments/google.yml b/deployments/google.yml index 6150672b31..846452a529 100644 --- a/deployments/google.yml +++ b/deployments/google.yml @@ -14,8 +14,7 @@ name: Build and Deploy to GKE on: push: - branches: - - $default-branch + branches: [ $default-branch ] env: PROJECT_ID: ${{ secrets.GKE_PROJECT }} diff --git a/deployments/ibm.yml b/deployments/ibm.yml index cb3080fdcc..53a58c5387 100644 --- a/deployments/ibm.yml +++ b/deployments/ibm.yml @@ -10,8 +10,7 @@ name: Build and Deploy to IKS on: push: - branches: - - $default-branch + branches: [ $default-branch ] # Environment variables available to all jobs and steps in this workflow env: diff --git a/deployments/tencent.yml b/deployments/tencent.yml index 4e9e9f6e0a..ba65fe52af 100644 --- a/deployments/tencent.yml +++ b/deployments/tencent.yml @@ -17,8 +17,7 @@ name: Tencent Kubernetes Engine on: push: - branches: - - $default-branch + branches: [ $default-branch ] # Environment variables available to all jobs and steps in this workflow env: diff --git a/deployments/terraform.yml b/deployments/terraform.yml index 53efe48753..c06f6853dc 100644 --- a/deployments/terraform.yml +++ b/deployments/terraform.yml @@ -46,8 +46,7 @@ name: 'Terraform' on: push: - branches: - - $default-branch + branches: [ $default-branch ] pull_request: permissions: From d14e8af6e3b15be640c45ec39df46968b03267a2 Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Tue, 30 Aug 2022 21:45:04 +0530 Subject: [PATCH 493/844] Added EthicalCheck Action --- code-scanning/ethicalcheck.yml | 57 +++++++++++++++++++ .../properties/ethicalcheck.properties.json | 24 ++++++++ 2 files changed, 81 insertions(+) create mode 100644 code-scanning/ethicalcheck.yml create mode 100644 code-scanning/properties/ethicalcheck.properties.json diff --git a/code-scanning/ethicalcheck.yml b/code-scanning/ethicalcheck.yml new file mode 100644 index 0000000000..c089015811 --- /dev/null +++ b/code-scanning/ethicalcheck.yml 
@@ -0,0 +1,57 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# EthicalCheck addresses the critical need to continuously security test APIs in development and in production.
+
+# EthicalCheck provides the industry’s only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list.
+# Developers relies on EthicalCheck to evaluate every update and release, ensuring that no APIs go to production with exploitable vulnerabilities.
+
+# You develop the application and API, we bring complete and continuous security testing to you, accelerating development.
+
+# Know your API and Applications are secure with EthicalCheck – our free & automated API security testing service.
+
+# How EthicalCheck works?
+# EthicalCheck functions in the following simple steps.
+# 1. Security Testing.
+# Provide your OpenAPI specification or start with a public Postman collection URL.
+# EthicalCheck instantly instrospects your API and creates a map of API endpoints for security testing.
+# It then automatically creates hundreds of security tests that are non-intrusive to comprehensively and completely test for authentication, authorizations, and OWASP bugs your API. The tests addresses the OWASP API Security categories including OAuth 2.0, JWT, Rate Limit etc.
+
+# 2. Reporting.
+# EthicalCheck generates security test report that includes all the tested endpoints, coverage graph, exceptions, and vulnerabilities.
+# Vulnerabilities are fully triaged, it contains CVSS score, severity, endpoint information, and OWASP tagging.
+
+
+# This is a starter workflow to help you get started with EthicalCheck Actions
+
+name: EthicalCheck-Workflow
+
+# Controls when the workflow will run
+on:
+ # Triggers the workflow on push or pull request events but only for the $default-branch branch
+ # Customize trigger events based on your DevSecOps processes.
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+
+jobs:
+ Trigger_EthicalCheck:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: EthicalCheck Free & Automated API Security Testing Service
+ uses: apisec-inc/ethicalcheck-action@latest
+ with:
+ # The OpenAPI Specification URL or Swagger Path or Public Postman collection URL.
+ oas-url: "http://netbanking.apisec.ai:8080/v2/api-docs"
+ # The email address to which the penetration test report will be sent.
+ email: "xxx@apisec.ai"
\ No newline at end of file
diff --git a/code-scanning/properties/ethicalcheck.properties.json b/code-scanning/properties/ethicalcheck.properties.json
new file mode 100644
index 0000000000..c0949be383
--- /dev/null
+++ b/code-scanning/properties/ethicalcheck.properties.json
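Review bot: `uses: apisec-inc/ethicalcheck-action@latest` references a third-party action through a mutable ref, so whatever the action's maintainers later move that ref to runs unreviewed in every repository that adopts this template, including on pull_request events; the scorecards template elsewhere in this tree pins a full commit SHA with a `# tag=vX.Y.Z` comment, and this step should follow that convention, e.g. `uses: apisec-inc/ethicalcheck-action@<full-commit-sha> # tag=<release>` with the SHA taken from the action's release. The workflow also declares no `permissions:` block, so the job inherits the repository's default GITHUB_TOKEN scopes although the only step appears to hand a spec URL and an e-mail address to an external service; a top-level `permissions: {}` (or `contents: read` if the action turns out to need the source) would match the least-privilege pattern the other code-scanning templates use. Finally, the placeholder `oas-url` is a plain `http://` endpoint and both the OpenAPI document and the report address leave the runner for a third-party service; a comment such as `# Use an HTTPS URL; the spec at this URL and the report e-mail are sent to APIsec's service` would help users decide what they are willing to expose.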
@@ -0,0 +1,24 @@ +{ + "name": "EthicalCheck", + "creator": "APIsec", + "description": "EthicalCheck addresses the critical need to continuously security test APIs in development and in production. EthicalCheck provides the industry’s only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list. Developers relies on EthicalCheck to evaluate every update and release, ensuring that no APIs go to production with exploitable vulnerabilities. You develop the application and API, we bring complete and continuous security testing to you, accelerating development.Know your API and Applications are secure with EthicalCheck – our free & automated API security testing service.", + "iconName": "apisec", + "categories": [ + "Code Scanning", + "C", + "C#", + "C++", + "Go", + "Java", + "JavaScript", + "Kotlin", + "Objective C", + "PHP", + "Python", + "Ruby", + "Rust", + "Scala", + "Swift", + "TypeScript" + ] +} From b12833e6712790ba428240bfa1ee3a65d331e630 Mon Sep 17 00:00:00 2001 From: Christian Oliff Date: Tue, 30 Aug 2022 22:13:30 +0900 Subject: [PATCH 494/844] use latest version of Hugo --- pages/hugo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/hugo.yml b/pages/hugo.yml index fb8c924c90..3ddbb806e6 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -30,7 +30,7 @@ jobs: build: runs-on: ubuntu-latest env: - HUGO_VERSION: 0.99.0 + HUGO_VERSION: 0.102.1 steps: - name: Install Hugo CLI run: | From 4b48da22521e5e07c463fd96d7d4890f718ad4b7 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Fri, 2 Sep 2022 17:32:30 -0500 Subject: [PATCH 495/844] Update Hugo to truly latest --- pages/hugo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/hugo.yml b/pages/hugo.yml index 3ddbb806e6..f273fb2068 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml 
@@ -30,7 +30,7 @@ jobs: build: runs-on: ubuntu-latest env: - HUGO_VERSION: 0.102.1 + HUGO_VERSION: 0.102.3 steps: - name: Install Hugo CLI run: | From 2333616c7db48c45158cb0fa7eb2491a04cb3c59 Mon Sep 17 00:00:00 2001 From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Date: Thu, 8 Sep 2022 09:37:44 -0500 Subject: [PATCH 496/844] Upgraded scorecard action to v2.0.0 - Upgraded scorecard action to v2.0.0 https://github.com/ossf/scorecard-action/commit/13ec8c77e8a5dae7e0a0d47bde3e3004df15d34f Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- code-scanning/scorecards.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index e4f1d0f8fc..38db68f60f 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -17,7 +17,7 @@ jobs: permissions: # Needed to upload the results to code-scanning dashboard. security-events: write - # Used to receive a badge. (Upcoming feature) + # Used to receive a badge. id-token: write # Needs for private repositories. contents: read @@ -30,7 +30,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # tag=v1.1.1 + uses: ossf/scorecard-action@13ec8c77e8a5dae7e0a0d47bde3e3004df15d34f # tag=v2.0.0 with: results_file: results.sarif results_format: sarif From f539d4746910e16daa46883aa5e5c9f1295aa13e Mon Sep 17 00:00:00 2001 From: David Losert Date: Fri, 9 Sep 2022 17:57:59 +0200 Subject: [PATCH 497/844] Adds Node 18 and removes Node 12 --- ci/node.js.yml | 2 +- ci/npm-grunt.yml | 2 +- ci/npm-gulp.yml | 2 +- ci/webpack.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ci/node.js.yml b/ci/node.js.yml index 87ef0d8f5e..a89108d690 100644 --- a/ci/node.js.yml +++ b/ci/node.js.yml 
@@ -16,7 +16,7 @@ jobs: strategy: matrix: - node-version: [12.x, 14.x, 16.x] + node-version: [14.x, 16.x, 18.x] # See supported Node.js release schedule at https://nodejs.org/en/about/releases/ steps: diff --git a/ci/npm-grunt.yml b/ci/npm-grunt.yml index eda97e1fd7..e39ddbfe7c 100644 --- a/ci/npm-grunt.yml +++ b/ci/npm-grunt.yml @@ -12,7 +12,7 @@ jobs: strategy: matrix: - node-version: [12.x, 14.x, 16.x] + node-version: [14.x, 16.x, 18.x] steps: - uses: actions/checkout@v3 diff --git a/ci/npm-gulp.yml b/ci/npm-gulp.yml index 504f22ea61..7606deaf43 100644 --- a/ci/npm-gulp.yml +++ b/ci/npm-gulp.yml @@ -12,7 +12,7 @@ jobs: strategy: matrix: - node-version: [12.x, 14.x, 16.x] + node-version: [14.x, 16.x, 18.x] steps: - uses: actions/checkout@v3 diff --git a/ci/webpack.yml b/ci/webpack.yml index 6449fe7a7b..0bc6406270 100644 --- a/ci/webpack.yml +++ b/ci/webpack.yml @@ -12,7 +12,7 @@ jobs: strategy: matrix: - node-version: [12.x, 14.x, 16.x] + node-version: [14.x, 16.x, 18.x] steps: - uses: actions/checkout@v3 From 2426779103b940fa2d7d571c75be0c06171f04e6 Mon Sep 17 00:00:00 2001 From: Eric Allard <106756852+SOOS-EAllard@users.noreply.github.com> Date: Fri, 9 Sep 2022 15:00:01 -0400 Subject: [PATCH 498/844] Updated old instructions to add more detail --- code-scanning/soos-dast-scan.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index cf3b1b7bad..9b58e909ba 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml 
@@ -3,13 +3,18 @@ # separate terms of service, privacy policy, and support # documentation. # -# SOOS is the easy-to-integrate software security solution for your whole team, learn more at https://soos.io/ +# SOOS is the easy-to-integrate and affordable software security solution for your whole team. +# Learn more at https://soos.io/ # -# To use this action you need to fill the following requirements: +# To use this action, perform the following steps: # -# 1. Create an account on https://app.soos.io to obtain a Client ID and API Key (Free 30 days trials for both our SCA/DAST product). +# 1. Create an account on https://app.soos.io. SOOS offers a free 30 day trial for our SCA and DAST products. # -# 2. Set up your API KEY/Client ID as Github Secrets named SOOS_CLIENT_ID & SOOS_API_KEY. (Also set SOOS_GITHUB_PAT with your Github Personal Access Token if you're going to use sarif upload) +# 2. Navigate to the "Integrate" page in the SOOS app (https://app.soos.io/integrate). Note the "API Credentials" section of this page; the keys you will need for the next step are here. +# +# 3. Set up your SOOS API Key and SOOS Client Id as Github Secrets named SOOS_API_KEY and SOOS_CLIENT_ID. +# +# 4. (Optional) If you'd like to upload SARIF results of DAST scans to GitHub, set SOOS_GITHUB_PAT with your Github Personal Access Token. # name: "SOOS DAST Scan" From 1a784af20d0eddd7900eb9f63678660cc7e546b8 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 13 Sep 2022 17:54:12 +0530 Subject: [PATCH 499/844] Update settings.json --- script/sync-ghes/settings.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index 9648ab449e..31574dc614 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json 
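Review bot: Step 4 in the new instructions asks users to store a GitHub Personal Access Token as `SOOS_GITHUB_PAT` for SARIF upload without saying which scope it needs or why the job's own GITHUB_TOKEN is insufficient. The upload step itself is outside this hunk, but if it goes through `github/codeql-action/upload-sarif`, a job-level `permissions:` grant of `security-events: write` on the built-in token is enough (that is how the other code-scanning templates in this tree do it) and a long-lived PAT held in a repository secret is an unnecessary standing credential that outlives the run. If the SOOS action genuinely requires a PAT, the comment should state the minimum scope and recommend a fine-grained, expiring token, e.g. `# 4. (Optional) To upload SARIF results to GitHub, set SOOS_GITHUB_PAT to a fine-grained token limited to code-scanning alerts (write) on this repository, or omit it and grant the job security-events: write instead.`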
@@ -2,13 +2,17 @@ "folders": [ "../../ci", "../../automation", - "../../code-scanning" + "../../code-scanning", + "../../pages" ], "enabledActions": [ "actions/checkout", + "actions/configure-pages", "actions/create-release", "actions/delete-package-versions", + "actions/deploy-pages", "actions/download-artifact", + "actions/jekyll-build-pages", "actions/setup-dotnet", "actions/setup-go", "actions/setup-java", @@ -16,6 +20,7 @@ "actions/stale", "actions/starter-workflows", "actions/upload-artifact", + "actions/upload-pages-artifact". "actions/upload-release-asset", "github/codeql-action" ], From e5cdae6f10e23d66ee6189deeb636921904ae535 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 13 Sep 2022 17:56:10 +0530 Subject: [PATCH 500/844] Update settings.json --- script/sync-ghes/settings.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index 31574dc614..ff4857b718 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -20,7 +20,7 @@ "actions/stale", "actions/starter-workflows", "actions/upload-artifact", - "actions/upload-pages-artifact". + "actions/upload-pages-artifact", "actions/upload-release-asset", "github/codeql-action" ], From cf9b6844331ef5bb238a1103f9f9d8c0434d6eb3 Mon Sep 17 00:00:00 2001 From: A-Katopodis Date: Tue, 13 Sep 2022 13:14:35 -0500 Subject: [PATCH 501/844] Updated powershell to v1.1 commit --- code-scanning/powershell.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index 1d72a9b6f4..d78a1261ef 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml 
@@ -31,7 +31,7 @@ jobs: - uses: actions/checkout@v3 - name: Run PSScriptAnalyzer - uses: microsoft/psscriptanalyzer-action@2044ae068e37d0161fa2127de04c19633882f061 + uses: microsoft/psscriptanalyzer-action@6b2948b1944407914a58661c49941824d149734f with: # Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options. # The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules. From 6763818232c8e655fbd26b92701537c5e6ecd9a5 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 14 Sep 2022 11:52:08 +0530 Subject: [PATCH 502/844] Update sync-ghes.yaml --- .github/workflows/sync-ghes.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index c8b83c92ff..5e949bb29a 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -3,6 +3,7 @@ name: Sync workflows for GHES on: push: branches: [ $default-branch ] + workflow_dispatch: jobs: sync: From 864be6fc0f793382b5679b75a7b1f3ac7aaf7193 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 14 Sep 2022 12:16:25 +0530 Subject: [PATCH 503/844] Add actions/cache to list of enabledActions --- script/sync-ghes/settings.json | 1 + 1 file changed, 1 insertion(+) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index ff4857b718..fe80c8a7d4 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -6,6 +6,7 @@ "../../pages" ], "enabledActions": [ + "actions/cache", "actions/checkout", "actions/configure-pages", "actions/create-release", From 723f3e411d8038c90af3237d9fa76a4aad305ee5 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 14 Sep 2022 12:18:02 +0530 Subject: [PATCH 504/844] Revert "Adding manual trigger to sync ghes script" --- .github/workflows/sync-ghes.yaml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index 5e949bb29a..c8b83c92ff 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -3,7 +3,6 @@ name: Sync workflows for GHES on: push: branches: [ $default-branch ] - workflow_dispatch: jobs: sync: From 94ce275060ff31c5184c38b15269be673cb9deb0 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 14 Sep 2022 15:55:59 +0530 Subject: [PATCH 505/844] Add setup-python to list of enabledActions for ghes --- script/sync-ghes/settings.json | 1 + 1 file changed, 1 insertion(+) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index fe80c8a7d4..41d6bcdfc4 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -18,6 +18,7 @@ "actions/setup-go", "actions/setup-java", "actions/setup-node", + "actions/setup-python", "actions/stale", "actions/starter-workflows", "actions/upload-artifact", From 96389955e3b06980ccd373faec93c7e88bafe10c Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 14 Sep 2022 16:53:35 +0530 Subject: [PATCH 506/844] Update pull_request_template.md --- .github/pull_request_template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 9b6c10f972..0a98861f0d 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md 
@@ -41,7 +41,7 @@ It is not: - [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/code-scanning). - [ ] Should include a matching `code-scanning/properties/*.properties.json` file (for example, [`code-scanning/properties/codeql.properties.json`](https://github.com/actions/starter-workflows/blob/main/code-scanning/properties/codeql.properties.json)), with properties set as follows: - [ ] `name`: Name of the Code Scanning integration. - - [ ] `organization`: Name of the organization producing the Code Scanning integration. + - [ ] `creator`: Name of the organization/user producing the Code Scanning integration. - [ ] `description`: Short description of the Code Scanning integration. - [ ] `categories`: Array of languages supported by the Code Scanning integration. - [ ] `iconName`: Name of the SVG logo representing the Code Scanning integration. This SVG logo must be present in [the `icons` directory](https://github.com/actions/starter-workflows/tree/main/icons). From 81fe53796f8c719d680381815cbfd359119a8460 Mon Sep 17 00:00:00 2001 From: Azeem Shaikh Date: Wed, 14 Sep 2022 09:37:06 -0400 Subject: [PATCH 507/844] Update to scorecard-action:v2.0.3 Includes bug fixes --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 38db68f60f..8ca5094a54 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -30,7 +30,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@13ec8c77e8a5dae7e0a0d47bde3e3004df15d34f # tag=v2.0.0 + uses: ossf/scorecard-action@865b4092859256271290c77adbd10a43f4779972 # tag=v2.0.3 with: results_file: results.sarif results_format: sarif From 568b096f39f842303134c2e9bc694f1298cd2b5f Mon Sep 17 00:00:00 2001 
From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Wed, 14 Sep 2022 18:17:28 -0400 Subject: [PATCH 508/844] add actions: read to any job using upload-sarif --- code-scanning/apisec-scan.yml | 1 + code-scanning/brakeman.yml | 1 + code-scanning/checkmarx.yml | 1 + code-scanning/clj-holmes.yml | 1 + code-scanning/clj-watson.yml | 1 + code-scanning/codacy.yml | 1 + code-scanning/codescan.yml | 1 + code-scanning/contrast-scan.yml | 1 + code-scanning/eslint.yml | 1 + code-scanning/hadolint.yml | 2 +- code-scanning/lintr.yml | 1 + code-scanning/mobsf.yml | 1 + code-scanning/msvc.yml | 1 + code-scanning/njsscan.yml | 1 + code-scanning/ossar.yml | 1 + code-scanning/phpmd.yml | 1 + code-scanning/pmd.yml | 1 + code-scanning/powershell.yml | 1 + code-scanning/prisma.yml | 1 + code-scanning/puppet-lint.yml | 1 + code-scanning/rust-clippy.yml | 1 + code-scanning/semgrep.yml | 1 + code-scanning/snyk-container.yml | 1 + code-scanning/snyk-infrastructure.yml | 1 + code-scanning/sobelow.yml | 1 + code-scanning/sysdig-scan.yml | 1 + code-scanning/trivy.yml | 1 + code-scanning/veracode.yml | 1 + code-scanning/xanitizer.yml | 1 + 29 files changed, 29 insertions(+), 1 deletion(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 5a9b75138d..a2dfbd22d4 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -49,6 +49,7 @@ jobs: Trigger APIsec scan: permissions: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index b04cabf75c..957343c7fe 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml 
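Review bot: The job-level `permissions:` block for `Trigger APIsec scan` now lists only `security-events: write` and `actions: read`, and a job-level block sets every scope it does not mention to none, so `contents` is denied for this job. That is correct only if no step checks out the repository; the steps are outside the hunk, and every other template touched by this commit carries `contents: read # for actions/checkout to fetch code` alongside the two scopes added here. Worth confirming there is no checkout step in this job, or adding `contents: read` with the same comment so the template reads consistently with its siblings.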
@@ -25,6 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Brakeman Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index e060654663..9bdb136065 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -29,6 +29,7 @@ jobs: issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index 3cfde1469e..4487e237de 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml @@ -24,6 +24,7 @@ jobs: permissions: contents: read security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml index 2e4ab3cb78..76903a9d04 100644 --- a/code-scanning/clj-watson.yml +++ b/code-scanning/clj-watson.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 
diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index b74e449830..7b705bd10d 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -30,6 +30,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Codacy Security Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index 92707b1aac..a9f10535e3 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - name: Checkout repository diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml index 61ffd7a09c..4e4deb7c40 100644 --- a/code-scanning/contrast-scan.yml +++ b/code-scanning/contrast-scan.yml @@ -30,6 +30,7 @@ jobs: permissions: contents: read # for actions/checkout security-events: write # for github/codeql-action/upload-sarif + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest # check out project steps: diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml index 9067a7d530..54b01c839e 100644 --- a/code-scanning/eslint.yml +++ b/code-scanning/eslint.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v3 
diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml index 2f554e4397..315365282e 100644 --- a/code-scanning/hadolint.yml +++ b/code-scanning/hadolint.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v3 diff --git a/code-scanning/lintr.yml b/code-scanning/lintr.yml index 74a3b21578..350df19701 100644 --- a/code-scanning/lintr.yml +++ b/code-scanning/lintr.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 6d2bfb8dc4..1013749c50 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -21,6 +21,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 863fbcb8e7..e8dac8842d 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -28,6 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Analyze runs-on: windows-latest 
diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index 8c359b8165..d766a6fcb6 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest name: njsscan code scanning steps: diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index cbef5a2124..2bd91dd92b 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -27,6 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: windows-latest steps: diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml index 91f4b2d09d..d10ace1e09 100644 --- a/code-scanning/phpmd.yml +++ b/code-scanning/phpmd.yml @@ -34,6 +34,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index a1e32c4f40..8115116ead 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -21,6 +21,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 
diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index d78a1261ef..02e5de77f1 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: PSScriptAnalyzer runs-on: ubuntu-latest steps: diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 6f2031b6e1..1a12b86d79 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest name: Run Prisma Cloud IaC Scan to check steps: diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml index d41b65ba96..50b86dbbbb 100644 --- a/code-scanning/puppet-lint.yml +++ b/code-scanning/puppet-lint.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml index e9c426a3f0..c5f10ee747 100644 --- a/code-scanning/rust-clippy.yml +++ b/code-scanning/rust-clippy.yml 
@@ -25,6 +25,7 @@ jobs: permissions: contents: read security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index fae9885231..b10a9307f1 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -27,6 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index 0fbbf87958..a232c539c7 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml @@ -30,6 +30,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index a685323d9e..3ca10353ed 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml index 21cb6e749e..7d38c7740f 100644 
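Review bot: In rust-clippy.yml the new `actions: read` line carries its "only required for a private repository …" comment, but the two sibling permissions right above it are bare, unlike every other file touched by this commit (njsscan, ossar, phpmd, pmd, powershell, prisma, puppet-lint, semgrep, snyk-*, sobelow, sysdig-scan, trivy, veracode, xanitizer) where each permission says which step needs it. For consistency, annotate them the same way: `contents: read # for actions/checkout to fetch code` and `security-events: write # for github/codeql-action/upload-sarif to upload SARIF results`. The per-permission comment is what lets a user who copies the template decide whether a line can be dropped, so the rust-clippy file is the one where the omission matters most.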
--- a/code-scanning/sobelow.yml +++ b/code-scanning/sobelow.yml @@ -28,6 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index f075a8016c..f9b61b9c80 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -24,6 +24,7 @@ jobs: checks: write # for sysdiglabs/scan-action to publish the checks contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index 63be9472c5..f56d9e5b98 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -22,6 +22,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Build runs-on: "ubuntu-18.04" steps: diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index b8a5b3796b..89d35df251 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -27,6 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: 
diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 3462eaad5c..5724a977d3 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -51,6 +51,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: From cb341b59ed903d36aedd3012de4d5c1f58af194c Mon Sep 17 00:00:00 2001 From: Marco Gario Date: Fri, 16 Sep 2022 09:25:07 +0200 Subject: [PATCH 509/844] Update CodeQL to include category by default Code Scanning can accept multiple uploads for the same tool and uses the concept of category to keep results separated. If not provided explicitly, the category is computed based on a few parameters like workflow path and matrix variables. The implicit computation of the category can create confusion if users change their workflow, as we start considering the new analyses as unrelated to existing results. By making the category explicit in the workflow we hope to make the concept more prominent and reduce accidental changes. --- code-scanning/codeql.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index a113b5951f..00ffcdb7af 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -70,3 +70,5 @@ jobs: - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" From 3bc0ad0b1d779b51875217d1f1c70bcdadff9bc3 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Fri, 16 Sep 2022 10:51:50 +0000 Subject: [PATCH 510/844] Add pages templates to validate script --- script/validate-data/settings.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
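Review bot: The new `category:` input in codeql.yml has no comment, yet the commit message explains that the whole point is to make the category explicit so users do not accidentally change it; users only see the template, not the commit message. Add above `with:` something like `# The category keeps this analysis's results separate from other uploads of the same tool; changing it makes Code Scanning treat subsequent results as a new, unrelated analysis.` so the value is not mistaken for a free-form label. The hunk is the end of the file, so the `analyze` step it extends is otherwise complete.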
diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index 852f575378..23c4790873 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json @@ -3,7 +3,8 @@ "../../ci", "../../automation", "../../deployments", - "../../code-scanning" + "../../code-scanning", + "../../pages" ], "allowed_categories": [ { @@ -21,6 +22,10 @@ { "path": "../../code-scanning", "categories": ["Code Scanning", "Dependency review"] + }, + { + "path": "../../pages", + "categories": ["Pages"] } ] } From cd26daf9c2098b73c9c0640acd9b27c3e34e1d44 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Fri, 16 Sep 2022 15:05:57 -0700 Subject: [PATCH 511/844] Clear name conflict --- ci/{jekyll.yml => jekyll-docker.yml} | 0 .../{jekyll.properties.json => jekyll-docker.properties.json} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename ci/{jekyll.yml => jekyll-docker.yml} (100%) rename ci/properties/{jekyll.properties.json => jekyll-docker.properties.json} (100%) diff --git a/ci/jekyll.yml b/ci/jekyll-docker.yml similarity index 100% rename from ci/jekyll.yml rename to ci/jekyll-docker.yml diff --git a/ci/properties/jekyll.properties.json b/ci/properties/jekyll-docker.properties.json similarity index 100% rename from ci/properties/jekyll.properties.json rename to ci/properties/jekyll-docker.properties.json From 95057f2418925de42fda9e1fe02c8a3a0f5f5755 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Mon, 19 Sep 2022 11:45:31 +0000 Subject: [PATCH 512/844] Update logic from unique template name to filename --- script/validate-data/index.ts | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 4bd260d6c3..b903c3f3c8 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts 
@@ -7,7 +7,6 @@ import { endGroup, error, info, setFailed, startGroup } from '@actions/core'; interface WorkflowWithErrors { id: string; - name: string; errors: string[]; } @@ -43,7 +42,7 @@ const propertiesSchema = { async function checkWorkflows(folders: string[], allowed_categories: object[]): Promise { const result: WorkflowWithErrors[] = [] - const workflow_template_names = new Set() + const workflow_template_paths = new Set() for (const folder of folders) { const dir = await fs.readdir(folder, { withFileTypes: true, @@ -57,8 +56,8 @@ async function checkWorkflows(folders: string[], allowed_categories: object[]): const propertiesFilePath = join(folder, "properties", `${fileType}.properties.json`) const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, allowed_categories); - if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) { - workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) + if(workflow_template_paths.size == workflow_template_paths.add(e.name).size) { + workflowWithErrors.errors.push(`Workflow template with filename "${e.name}" already exists`) } if (workflowWithErrors.errors.length > 0) { result.push(workflowWithErrors) @@ -73,7 +72,6 @@ async function checkWorkflows(folders: string[], allowed_categories: object[]): async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: object[]): Promise { let workflowErrors: WorkflowWithErrors = { id: workflowPath, - name: null, errors: [] } try { 
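Review bot: The new duplicate check in the `@@ -57,8 +56,8 @@` hunk, `if(workflow_template_paths.size == workflow_template_paths.add(e.name).size)`, hides the side effect (the `add`) inside a loose `==` comparison, which is easy to misread and would be flagged by an `eqeqeq` rule. The clearer equivalent is `if (workflow_template_paths.has(e.name)) { workflowWithErrors.errors.push(…) }` followed by an unconditional `workflow_template_paths.add(e.name)`. `e` is the directory entry of a loop that begins outside this hunk, and the same add-then-compare idiom is re-introduced by the hunks at L901 and L903, where the same rewrite applies.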
@@ -82,9 +80,6 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow const propertiesFileContent = await fs.readFile(propertiesPath, "utf8") const properties: WorkflowProperties = JSON.parse(propertiesFileContent) - if(properties.name && properties.name.trim().length > 0) { - workflowErrors.name = properties.name - } let v = new validator(); const res = v.validate(properties, propertiesSchema) workflowErrors.errors = res.errors.map(e => e.toString()) From 4bb0cbfc9e46a125e1b0b39b77dd808cfee89fba Mon Sep 17 00:00:00 2001 From: Chris Patterson Date: Tue, 20 Sep 2022 10:25:45 +0530 Subject: [PATCH 513/844] Enable caching by default for docker builds. --- ci/docker-publish.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index e88539d749..41253c1175 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -78,6 +78,9 @@ jobs: push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + # Sign the resulting Docker image digest except on PRs. # This will only write to the public Rekor transparency log when the Docker From 1a46538eaab360b6ee9226283a9a03cc4c1b73a9 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 20 Sep 2022 11:43:05 +0000 Subject: [PATCH 514/844] Keep both unique template name and filename logic --- ci/properties/jekyll-docker.properties.json | 2 +- script/validate-data/index.ts | 11 ++++++++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/ci/properties/jekyll-docker.properties.json b/ci/properties/jekyll-docker.properties.json index bbe279cbea..7c66dba0ac 100644 --- a/ci/properties/jekyll-docker.properties.json +++ b/ci/properties/jekyll-docker.properties.json 
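Review bot: `cache-to: type=gha,mode=max` exports every layer of every build stage into the repository's Actions cache, not just the layers of the final image, and nothing in the template says so. If a builder stage in the user's Dockerfile copies credentials or tokens into a layer (instead of using `RUN --mount=type=secret`), those layers become readable from the cache by anything that can run a workflow in the repository, which is a wider audience than the image itself. A short comment would make the trade-off visible to people copying the template, e.g. `# Cache build layers in the Actions cache; mode=max also exports intermediate stages, so keep secrets out of image layers.` I cannot see the Dockerfile this template builds, so whether any stage handles secrets is an assumption to confirm.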
@@ -1,5 +1,5 @@ { - "name": "Jekyll", + "name": "Jekyll using Docker image", "description": "Package a Jekyll site using the jekyll/builder Docker image.", "iconName": "jekyll", "categories": ["Continuous integration", "HTML"] diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index b903c3f3c8..90f1760288 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -7,6 +7,7 @@ import { endGroup, error, info, setFailed, startGroup } from '@actions/core'; interface WorkflowWithErrors { id: string; + name: string; errors: string[]; } @@ -42,6 +43,7 @@ const propertiesSchema = { async function checkWorkflows(folders: string[], allowed_categories: object[]): Promise { const result: WorkflowWithErrors[] = [] + const workflow_template_names = new Set() const workflow_template_paths = new Set() for (const folder of folders) { const dir = await fs.readdir(folder, { @@ -56,8 +58,11 @@ async function checkWorkflows(folders: string[], allowed_categories: object[]): const propertiesFilePath = join(folder, "properties", `${fileType}.properties.json`) const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, allowed_categories); + if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) { + workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) + } if(workflow_template_paths.size == workflow_template_paths.add(e.name).size) { - workflowWithErrors.errors.push(`Workflow template with filename "${e.name}" already exists`) + workflowWithErrors.errors.push(`Workflow template with filename "${e.name}" already exists`) } if (workflowWithErrors.errors.length > 0) { result.push(workflowWithErrors) 
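Review bot: The interface now declares `name: string;` (the `@@ -7,6 +7,7 @@` hunk), but the initialiser re-added in the next hunk at L902 sets `name: null`, so under `strictNullChecks` this does not type-check and without it the mismatch is silently accepted. Declare what the code actually stores: `name: string | null;`, which also documents that the later `if(workflowWithErrors.name && …)` guard is there for a reason. The `-`/`+` pair on the `Workflow template with filename` line appears to differ only in whitespace and could be left out of the diff. I cannot see the project's tsconfig from here, so which of the two outcomes applies is inferred.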
@@ -72,6 +77,7 @@ async function checkWorkflows(folders: string[], allowed_categories: object[]): async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: object[]): Promise { let workflowErrors: WorkflowWithErrors = { id: workflowPath, + name: null, errors: [] } try { @@ -80,6 +86,9 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow const propertiesFileContent = await fs.readFile(propertiesPath, "utf8") const properties: WorkflowProperties = JSON.parse(propertiesFileContent) + if(properties.name && properties.name.trim().length > 0) { + workflowErrors.name = properties.name + } let v = new validator(); const res = v.validate(properties, propertiesSchema) workflowErrors.errors = res.errors.map(e => e.toString()) From af733fded0b315861e891f5aa54cb6ec54fa8d2b Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 20 Sep 2022 12:51:33 +0000 Subject: [PATCH 515/844] Address comments --- script/validate-data/index.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 90f1760288..abbdfbefa1 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -44,7 +44,7 @@ const propertiesSchema = { async function checkWorkflows(folders: string[], allowed_categories: object[]): Promise { const result: WorkflowWithErrors[] = [] const workflow_template_names = new Set() - const workflow_template_paths = new Set() + const workflow_template_file_names = new Set() for (const folder of folders) { const dir = await fs.readdir(folder, { withFileTypes: true, 
@@ -61,7 +61,7 @@ async function checkWorkflows(folders: string[], allowed_categories: object[]): if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) { workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) } - if(workflow_template_paths.size == workflow_template_paths.add(e.name).size) { + if(workflow_template_file_names.size == workflow_template_file_names.add(e.name).size) { workflowWithErrors.errors.push(`Workflow template with filename "${e.name}" already exists`) } if (workflowWithErrors.errors.length > 0) { From e7e1dc203701c85e902a1122ed62af132af1c7bf Mon Sep 17 00:00:00 2001 From: omerzi Date: Tue, 20 Sep 2022 16:36:24 +0300 Subject: [PATCH 516/844] Update Frogbot's version --- code-scanning/frogbot-scan-and-fix.yml | 2 +- code-scanning/frogbot-scan-pr.yml | 2 +- starter-workflows.iml | 9 +++++++++ 3 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 starter-workflows.iml diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 6dd4b0e359..0089f10831 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -37,7 +37,7 @@ jobs: # node-version: "16.x" - - uses: jfrog/frogbot@34759934930c177bdefba6ca3a417589d4db6cab + - uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index ec19d61668..bd1a9c2dc6 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml 
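Review bot: The new `jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250` pin is a bare commit SHA with no indication of which release it corresponds to, so a reviewer or a user of the template cannot tell what version they are running without resolving the SHA upstream; the cosign bump later in this series annotates its pin (`#v2.6.0`). Add the tag as a trailing comment on both changed lines, here and in the frogbot-scan-pr.yml hunk at L904: `- uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250 # vX.Y.Z` with `vX.Y.Z` replaced by the release this SHA was taken from. The rest of the step (its `env:` block) continues outside the hunk.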
@@ -42,7 +42,7 @@ jobs: # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request - - uses: jfrog/frogbot@34759934930c177bdefba6ca3a417589d4db6cab + - uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) diff --git a/starter-workflows.iml b/starter-workflows.iml new file mode 100644 index 0000000000..8021953ed9 --- /dev/null +++ b/starter-workflows.iml @@ -0,0 +1,9 @@ + + + + + + + + + \ No newline at end of file From bdee68f5716734c91c3783c2d70bd246abb23cc2 Mon Sep 17 00:00:00 2001 From: omerzi Date: Tue, 20 Sep 2022 16:39:01 +0300 Subject: [PATCH 517/844] Update JFrog Frogbot's Version --- starter-workflows.iml | 9 --------- 1 file changed, 9 deletions(-) delete mode 100644 starter-workflows.iml diff --git a/starter-workflows.iml b/starter-workflows.iml deleted file mode 100644 index 8021953ed9..0000000000 --- a/starter-workflows.iml +++ /dev/null @@ -1,9 +0,0 @@ - - - - - - - - - \ No newline at end of file From a50f9361bc1283eb5191ada8a0878319ecd8919e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Batuhan=20Apayd=C4=B1n?= Date: Tue, 20 Sep 2022 20:02:09 +0300 Subject: [PATCH 518/844] chore: upgrade cosign-installer version to latest MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Batuhan Apaydın --- ci/docker-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index e88539d749..d07a3f8e91 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml 
@@ -41,9 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@7e0881f8fe90b25e305bbf0309761e9314607e25 + uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 with: - cosign-release: 'v1.9.0' + cosign-release: 'v1.11.0' # Workaround: https://github.com/docker/build-push-action/issues/461 From 6b52b98767046e01d8c0543b30767b8214b85be4 Mon Sep 17 00:00:00 2001 From: Simon Engledew Date: Wed, 21 Sep 2022 12:46:14 +0100 Subject: [PATCH 519/844] Hide ESLint on GHES --- code-scanning/properties/eslint.properties.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/code-scanning/properties/eslint.properties.json b/code-scanning/properties/eslint.properties.json index a84646a82f..2a1271f845 100644 --- a/code-scanning/properties/eslint.properties.json +++ b/code-scanning/properties/eslint.properties.json @@ -2,10 +2,11 @@ "name": "ESLint", "description": "A tool for identifying and reporting the problems found in ECMAScript/JavaScript code.", "iconName": "eslint", + "enterprise": false, "categories": [ "Code Scanning", "JavaScript", "EcmaScript", "TypeScript" ] -} \ No newline at end of file +} From 23737db30608c6a9c4175971df3a2d451278b955 Mon Sep 17 00:00:00 2001 From: Simon Engledew Date: Wed, 21 Sep 2022 15:45:41 +0100 Subject: [PATCH 520/844] Make enterprise opt-in instead of opt-out --- code-scanning/properties/codeql.properties.json | 1 + script/sync-ghes/index.ts | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index ddb4627f49..8ee80b42cf 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json 
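Review bot: The version annotation on the new installer line is written as `#v2.6.0`, with no space after the hash, which yamllint's `comments` rule rejects and which reads differently from the `# tag=v3.0.0` / `# tag=v1.0.26` style used in scorecards.yml elsewhere on this page. Write it as `uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 # v2.6.0` so the pin comment is consistent and lint-clean. The step it belongs to continues outside the hunk.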
@@ -1,6 +1,7 @@ { "name": "CodeQL Analysis", "creator": "GitHub", + "enterprise": true, "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.", "iconName": "octicon mark-github", "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"] diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 608e73d63c..a8161097b5 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -61,7 +61,7 @@ async function checkWorkflows( const enabled = !isPartnerWorkflow && - workflowProperties.enterprise !== false && + workflowProperties.enterprise === true && (await checkWorkflow(workflowFilePath, enabledActions)); const workflowDesc: WorkflowDesc = { From d75ca7ac2e1a53eb04fc809ac8affdf2cded060d Mon Sep 17 00:00:00 2001 From: Nick Fyson Date: Wed, 21 Sep 2022 16:04:36 +0100 Subject: [PATCH 521/844] fix trigger for ghes sync --- .github/workflows/sync-ghes.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index 5e949bb29a..26d2665e7b 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -2,7 +2,7 @@ name: Sync workflows for GHES on: push: - branches: [ $default-branch ] + branches: [ main ] workflow_dispatch: jobs: From da2e9558af199abdd3140a07fde272cfdd257831 Mon Sep 17 00:00:00 2001 From: Simon Engledew Date: Wed, 21 Sep 2022 16:00:40 +0100 Subject: [PATCH 522/844] Only use enterprise check for code-scanning folder --- script/sync-ghes/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index a8161097b5..a320d365bf 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts 
@@ -61,7 +61,7 @@ async function checkWorkflows( const enabled = !isPartnerWorkflow && - workflowProperties.enterprise === true && + (workflowProperties.enterprise === true || folder !== 'code-scanning') && (await checkWorkflow(workflowFilePath, enabledActions)); const workflowDesc: WorkflowDesc = { From e1512d3916167a26724d2861a9953390eb1ae2f7 Mon Sep 17 00:00:00 2001 From: mthibeau73 Date: Wed, 21 Sep 2022 14:04:45 -0500 Subject: [PATCH 523/844] Add Zimperium zScan starter workflow --- .../properties/zscan.properties.json | 14 +++++ code-scanning/zscan.yml | 61 +++++++++++++++++++ icons/zscan.svg | 11 ++++ 3 files changed, 86 insertions(+) create mode 100644 code-scanning/properties/zscan.properties.json create mode 100644 code-scanning/zscan.yml create mode 100644 icons/zscan.svg diff --git a/code-scanning/properties/zscan.properties.json b/code-scanning/properties/zscan.properties.json new file mode 100644 index 0000000000..18c96d71af --- /dev/null +++ b/code-scanning/properties/zscan.properties.json @@ -0,0 +1,14 @@ +{ + "name": "zScan", + "creator": "Zimperium", + "description": "The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) and identifies security, privacy, and compliance-related vulnerabilities. ​", + "iconName": "zScan", + "categories": [ + "Code Scanning", + "Java", + "Kotlin", + "Scala", + "Swift", + "Objective C" + ] +} diff --git a/code-scanning/zscan.yml b/code-scanning/zscan.yml new file mode 100644 index 0000000000..1ac6bbdde3 --- /dev/null +++ b/code-scanning/zscan.yml 
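Review bot: `(workflowProperties.enterprise === true || folder !== 'code-scanning')` makes the right-hand operand true for every non-code-scanning folder, so a `"enterprise": false` in a ci/, deployments/, automation/ or pages/ properties file no longer excludes that template from the GHES sync, whereas the `enterprise !== false` test replaced in the previous commit (L906) honoured it everywhere. If the opt-out should keep working outside code-scanning, use `(folder === 'code-scanning' ? workflowProperties.enterprise === true : workflowProperties.enterprise !== false) &&`. The comparison against the bare string `'code-scanning'` also assumes `folder` holds a directory name rather than a path; the loop that sets it is outside the hunk, so confirm that against the caller. A one-line comment stating the policy (`// code-scanning templates are opt-in for GHES; other folders are opt-out`) would stop the next reader from having to reconstruct it.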
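Review bot: The `description` value in the new zscan.properties.json ends with an invisible U+200B zero-width space after `vulnerabilities.` (visible in the patch as `​` before the closing quote), which will be carried into the UI and into anything that copies the string, and which makes exact-match searches on the description fail. Strip it so the value ends at the full stop. The same character appears twice in the header comments of zscan.yml in the next hunk (after `vulnerabilities.` and after `Prerequisites:`), so it most likely came in with a paste and should be removed there as well.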
@@ -0,0 +1,61 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) +# and identifies security, privacy, and compliance-related vulnerabilities. ​ +# +# Prerequisites: ​ +# * An active Zimperium zScan account is required. If you are not an existing Zimperium +# zScan customer, please request a zSCAN demo by visiting https://www.zimperium.com/contact-us. +# * Either GitHub Advanced Security (GHAS) or a public repository is required to display +# issues and view the remediation information inside of GitHub code scanning alerts. ​ +# +# For additional information and setup instructions +# please visit: https://github.com/Zimperium/zScanMarketplace#readme + +name: "Zimperium zScan" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + +permissions: + contents: read + +jobs: + zscan: + name: zScan + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + - name: Execute gradle build + run: ./gradlew build # Change this to build your mobile application + + - name: Run Zimperium zScan + uses: zimperium/zscanmarketplace@bfc6670f6648d796098c251ccefcfdb98983174d + timeout-minutes: 60 + with: + # REPLACE: Zimperium Client Environment Name + client_env: env_string + # REPLACE: Zimperium Client ID + client_id: id_string + # REPLACE: Zimperium Client Secret + client_secret: ${{ secrets.ZSCAN_CLIENT_SECRET }} + # REPLACE: The path to an .ipa or .apk + app_file: 
app-release-unsigned.apk + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: Zimperium.sarif + \ No newline at end of file diff --git a/icons/zscan.svg b/icons/zscan.svg new file mode 100644 index 0000000000..1dff4160c6 --- /dev/null +++ b/icons/zscan.svg @@ -0,0 +1,11 @@ + + + + + + + + + + + From 6a3b2bbd2ec26fd76e5e1eca8365eedddf483835 Mon Sep 17 00:00:00 2001 From: Nick McCurdy Date: Thu, 22 Sep 2022 10:46:38 -0400 Subject: [PATCH 524/844] Add pages directory to readme --- README.md | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index f39892f31c..9cf6833c79 100644 --- a/README.md +++ b/README.md @@ -12,10 +12,11 @@ These are the workflow files for helping people get started with GitHub Actions. ### Directory structure -* [ci](ci): solutions for Continuous Integration workflows. -* [deployments](deployments): solutions for Deployment workflows. -* [automation](automation): solutions for automating workflows. -* [code-scanning](code-scanning): starter workflows for [Code Scanning](https://github.com/features/security) +* [ci](ci): solutions for Continuous Integration workflows +* [deployments](deployments): solutions for Deployment workflows +* [automation](automation): solutions for automating workflows +* [code-scanning](code-scanning): solutions for [Code Scanning](https://github.com/features/security) +* [pages](pages): solutions for Pages workflows * [icons](icons): svg icons for the relevant template Each workflow must be written in YAML and have a `.yml` extension. They also need a corresponding `.properties.json` file that contains extra metadata about the workflow (this is displayed in the GitHub.com UI). 
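Review bot: The final added line of zscan.yml is whitespace-only and the file has no trailing newline (`+ ` followed by `\ No newline at end of file`), which yamllint flags for trailing spaces and new-line-at-end-of-file; drop the blank line and end the file with a newline after `sarif_file: Zimperium.sarif`. The `zimperium/zscanmarketplace@bfc6670f6648d796098c251ccefcfdb98983174d` pin has no release annotation, so add the tag it was taken from as a trailing comment, `# vX.Y.Z` with the real tag filled in. `sarif_file: Zimperium.sarif` is a hard-coded name rather than an output of the scan step, so presumably the action always writes that file; worth a comment saying so, since users who rename the output will otherwise get a silent "file not found" at upload time. The zero-width spaces in the header comments after `vulnerabilities.` and `Prerequisites:` should go too.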
@@ -40,6 +41,14 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`. * monitoring * Automation * utilities +* Pages +* Hugo +* Gatsby +* Next +* Nuxt +* HTML +* JavaScript +* CSS ### Variables These variables can be placed in the starter workflow and will be substituted as detailed below: From 13ad0bf0aef432c6577fcff3afcf10a492f2e907 Mon Sep 17 00:00:00 2001 From: mthibeau73 Date: Fri, 23 Sep 2022 10:32:47 -0500 Subject: [PATCH 525/844] lowercase iconName in properties file --- code-scanning/properties/zscan.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/zscan.properties.json b/code-scanning/properties/zscan.properties.json index 18c96d71af..6b55756bae 100644 --- a/code-scanning/properties/zscan.properties.json +++ b/code-scanning/properties/zscan.properties.json @@ -2,7 +2,7 @@ "name": "zScan", "creator": "Zimperium", "description": "The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) and identifies security, privacy, and compliance-related vulnerabilities. ​", - "iconName": "zScan", + "iconName": "zscan", "categories": [ "Code Scanning", "Java", From 3f6632a2aee5450e054cc12323ff30695875d46b Mon Sep 17 00:00:00 2001 From: Nick McCurdy Date: Fri, 23 Sep 2022 11:42:07 -0400 Subject: [PATCH 526/844] Remove redundant languages --- README.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/README.md b/README.md index 9cf6833c79..fa8d351446 100644 --- a/README.md +++ b/README.md @@ -46,9 +46,6 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`. * Gatsby * Next * Nuxt -* HTML -* JavaScript -* CSS ### Variables These variables can be placed in the starter workflow and will be substituted as detailed below: From aa0375afbf5108c17eb280bc8e9045aa57c2e78c Mon Sep 17 00:00:00 2001 
From: Gabriela Gutierrez Date: Fri, 23 Sep 2022 18:04:56 -0300 Subject: [PATCH 527/844] Remove trailing whitespaces --- code-scanning/scorecards.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 8ca5094a54..31a4fa10bc 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -22,7 +22,7 @@ jobs: # Needs for private repositories. contents: read actions: read - + steps: - name: "Checkout code" uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0 @@ -41,8 +41,8 @@ jobs: # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} # Publish the results for public repositories to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories, `publish_results` will automatically be set to `false`, regardless + # https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories, `publish_results` will automatically be set to `false`, regardless # of the value entered here. publish_results: true @@ -54,7 +54,7 @@ jobs: name: SARIF file path: results.sarif retention-days: 5 - + # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26 From 5f2c1d104d691cc446a7c525b53476b9c4d5b333 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Sep 2022 13:32:49 +0000 Subject: [PATCH 528/844] Bump actions/stale from 5 to 6 Bumps [actions/stale](https://github.com/actions/stale) from 5 to 6. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/stale.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index c319ce1c3c..002f30d415 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/stale@v5 + - uses: actions/stale@v6 with: stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.' stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.' From 022ac9babb7d92b4ea5775cb0385fcc4101d2ad4 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Fri, 23 Sep 2022 08:51:24 -0400 Subject: [PATCH 529/844] Update Anchore Grype scan action workflow --- code-scanning/anchore.yml | 19 ++++++++++--------- .../properties/anchore-syft.properties.json | 2 +- .../properties/anchore.properties.json | 8 ++++---- 3 files changed, 15 insertions(+), 14 deletions(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index a3d2eed0ce..818fb707ee 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml 
@@ -9,7 +9,7 @@ # and parameters, see https://github.com/anchore/scan-action. For more # information on Anchore's container image scanning tool Grype, see # https://github.com/anchore/grype -name: Anchore Container Scan +name: Anchore Grype vulnerability scan on: push: @@ -28,20 +28,21 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - - name: Checkout the code + - name: Check out the code uses: actions/checkout@v3 - name: Build the Docker image run: docker build . --file Dockerfile --tag localbuild/testimage:latest - - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled - uses: anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd + - name: Run the Anchore Grype scan action + uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7 + id: scan with: image: "localbuild/testimage:latest" - acs-report-enable: true - fail-build: false - - name: Upload Anchore Scan Report + fail-build: true + severity-cutoff: critical + - name: Upload vulnerability report uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: results.sarif + sarif_file: ${{ steps.scan.outputs.sarif }} diff --git a/code-scanning/properties/anchore-syft.properties.json b/code-scanning/properties/anchore-syft.properties.json index 815f8b287a..aa4cb1e702 100644 --- a/code-scanning/properties/anchore-syft.properties.json +++ b/code-scanning/properties/anchore-syft.properties.json 
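Review bot: With `fail-build: true` the scan step now exits non-zero on any finding at or above the `critical` cutoff, and a failed step skips the following "Upload vulnerability report" step, so the SARIF (presumably written before the step fails) never reaches code scanning on exactly the runs that have something to report; add `if: always()` (or `if: ${{ !cancelled() }}`) to the upload step. The `anchore/scan-action@d5aa5b6c…` pin carries no trailing `# vX.Y.Z` comment, unlike the SHA pins in code-scanning/scorecards.yml in this same series, so neither readers nor Dependabot can tell which release it corresponds to; append the tag it was taken from. `actions/checkout@v3` and `upload-sarif@v2` remain floating tags in the same job, so the pinning is mixed — either pin all three or state why only the scanner is pinned.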
@@ -1,6 +1,6 @@ { "name": "Anchore Syft SBOM Scan", - "organization": "Anchore", + "creator": "Anchore", "description": "Produce Software Bills of Materials based on Anchore's open source Syft tool.", "iconName": "anchore", "categories": ["Code Scanning", "dockerfile", "dependency-management"] diff --git a/code-scanning/properties/anchore.properties.json b/code-scanning/properties/anchore.properties.json index d997da473b..94634ddd24 100644 --- a/code-scanning/properties/anchore.properties.json +++ b/code-scanning/properties/anchore.properties.json @@ -1,7 +1,7 @@ { - "name": "Anchore Container Scan", - "creator": "Indeni Cloudrail", - "description": "Produce container image vulnerability and compliance reports based on the open-source Anchore container image scanner.", + "name": "Anchore Grype Vulnerability Scan", + "creator": "Anchore", + "description": "Produce source and container vulnerability reports based on Anchore's open source Grype tool.", "iconName": "anchore", "categories": ["Code Scanning", "dockerfile"] -} \ No newline at end of file +} From 10798e7d81930be332a078bedadfb4d44a644016 Mon Sep 17 00:00:00 2001 From: Adrian Mato Date: Tue, 27 Sep 2022 21:19:54 -0700 Subject: [PATCH 530/844] Add: Astro to starter workflows --- pages/astro.yml | 51 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 pages/astro.yml diff --git a/pages/astro.yml b/pages/astro.yml new file mode 100644 index 0000000000..01873b7303 --- /dev/null +++ b/pages/astro.yml 
@@ -0,0 +1,51 @@ +# Sample workflow for building and deploying an Astro site to GitHub Pages +# +# To get started with Astro see: https://docs.astro.build/en/getting-started/ +# + +name: Deploy Roadmap to Pages + +on: + push: + branches: [main] + paths: # only needed when project in subfolder + - "roadmap-priorities" + - ".github/workflows/deploy-roadmap.yml" + workflow_dispatch: + +permissions: + contents: read + pages: write + id-token: write + +env: + PAT: '.' # default value when not using subfolders + # PAT: subfolder + +jobs: + build: + name: Build & Deploy + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 + with: + node-version: 16 + cache-dependency-path: ${{ env.PAT }}/package-lock.json + - run: npm install && npm run build + working-directory: ${{ env.PAT }} + - uses: actions/upload-pages-artifact@v1 + with: + path: ${{ env.PAT }}/dist + + deploy: + needs: build + name: Deploy + runs-on: ubuntu-latest + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v1 From 61aa8be81622eae19e5c240fb5e4bc9321265ce3 Mon Sep 17 00:00:00 2001 From: Adrian Mato Date: Tue, 27 Sep 2022 21:22:38 -0700 Subject: [PATCH 531/844] Paths not enabled by default --- pages/astro.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index 01873b7303..3deef31753 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -8,9 +8,10 @@ name: Deploy Roadmap to Pages on: push: branches: [main] - paths: # only needed when project in subfolder - - "roadmap-priorities" - - ".github/workflows/deploy-roadmap.yml" + # paths: + # only needed when project in subfolder + # - "subfolder" + # - ".github/workflows/astro.yml" workflow_dispatch: permissions: From 13ccf721fe833f11f32c6602733406915a5ed7f6 Mon Sep 17 00:00:00 2001 
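Review bot: `npm install && npm run build` resolves dependencies afresh on each deploy instead of installing exactly what package-lock.json pins, and `cache-dependency-path` appears to be a no-op on setup-node unless `cache: npm` is also set, so the lockfile this workflow points at is neither enforced nor cached; add `cache: npm` under `with:` and change the step to `- run: npm ci && npm run build`. The workflow-level `permissions` grant `pages: write` and `id-token: write` to the `build` job as well, which only checks out and builds; moving those two keys into the `deploy` job's own `permissions:` leaves the job that executes third-party npm packages at `contents: read`. The `PAT` variable reads as "personal access token" in a file otherwise full of `secrets.*`-style references; `BUILD_PATH` with the same `'.'` default would remove the double take.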
From: Keegan Saunders Date: Tue, 28 Jun 2022 22:02:19 -0400 Subject: [PATCH 532/844] Add NowSecure Mobile SBOM starter workflow --- code-scanning/nowsecure-mobile-sbom.yml | 55 +++++++++++++++++++ .../nowsecure-mobile-sbom.properties.json | 21 +++++++ 2 files changed, 76 insertions(+) create mode 100644 code-scanning/nowsecure-mobile-sbom.yml create mode 100644 code-scanning/properties/nowsecure-mobile-sbom.properties.json diff --git a/code-scanning/nowsecure-mobile-sbom.yml b/code-scanning/nowsecure-mobile-sbom.yml new file mode 100644 index 0000000000..b9cf039392 --- /dev/null +++ b/code-scanning/nowsecure-mobile-sbom.yml 
@@ -0,0 +1,55 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# NowSecure: The Mobile Security Experts . +# +# To use this workflow, you must have a token for NowSecure Platform. If you are a NowSecure customer, +# you can find it in NowSecure Platform. +# +# If you *are not* a NowSecure customer, click here to sign up for a free trial to get access: +# . +# +# Instructions: +# +# 1. In the settings for your repository, click "Secrets" then "New repository secret". Name the secret "NS_TOKEN" and +# paste in your Platform token. If you do not have a Platform token, or wish to create a new one for GitHub, visit +# NowSecure Platform and go to "Profile & Preferences" then create a token labelled "GitHub". +# +# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository +# and review the "Dependency graph" tab in the "Insights" pane once the action has run. + +name: "NowSecure Mobile SBOM" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + nowsecure: + name: NowSecure Mobile SBOM + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Build your application + run: ./gradlew assembleDebug # Update this to build your Android or iOS application + + - name: NowSecure upload app + uses: nowsecure/nowsecure-sbom-action@ecb731b6f17a83fa53f756f9dae2ec7034c5ed7c + with: + token: ${{ secrets.NS_TOKEN }} + app_file: app-debug.apk # Update this to a path to your .ipa or .apk + group_id: {{ groupId }} # Update this to your desired Platform group ID 
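Review bot: `group_id: {{ groupId }}` is parsed by YAML as a flow mapping used as a mapping key, not as a placeholder string, so the template is invalid before the user has edited anything; write it as `group_id: "<platform-group-id>"` and keep the "Update this" comment. If the action submits the SBOM through GitHub's Dependency Submission API, the job's `contents: read` will not suffice — that API needs `contents: write` on GITHUB_TOKEN — so confirm against the action's documentation and adjust the job-level `permissions:` accordingly. The `nowsecure/nowsecure-sbom-action@ecb731b6…` SHA pin should carry a `# vX.Y.Z` comment naming the release it was taken from, as the SHA-pinned steps in code-scanning/scorecards.yml do.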
diff --git a/code-scanning/properties/nowsecure-mobile-sbom.properties.json b/code-scanning/properties/nowsecure-mobile-sbom.properties.json new file mode 100644 index 0000000000..32a7964c72 --- /dev/null +++ b/code-scanning/properties/nowsecure-mobile-sbom.properties.json @@ -0,0 +1,21 @@ +{ + "name": "NowSecure Mobile SBOM", + "creator": "NowSecure", + "description": "Generate a Mobile SBOM for an application and submit to Dependency Graph", + "iconName": "nowsecure", + "categories": [ + "Code Scanning", + "Java", + "Kotlin", + "Scala", + "Swift", + "Objective C", + "C", + "C++", + "C#", + "Rust", + "JavaScript", + "TypeScript", + "Node" + ] +} From 4193b3bdfdd9c76feecfd076d8404783221a3be2 Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Thu, 29 Sep 2022 11:32:20 +0100 Subject: [PATCH 533/844] Adding new yaml file with action example --- code-scanning/checkmarx-one.yml | 40 +++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 code-scanning/checkmarx-one.yml diff --git a/code-scanning/checkmarx-one.yml b/code-scanning/checkmarx-one.yml new file mode 100644 index 0000000000..89dcdd68ea --- /dev/null +++ b/code-scanning/checkmarx-one.yml 
@@ -0,0 +1,40 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This is a basic workflow to help you get started with Using Checkmarx One Action + +name: Checkmarx Scan + +# Controls when the workflow will run +on: + pull_request: + types: [opened, reopened, synchronize] + branches: [ $default-branch, $protected-branches ] + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + # This workflow contains a single job called "build" + build: + # The type of runner that the job will run on + runs-on: ubuntu-latest + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # This step checks out a copy of your repository. + - name: Checkout repository + uses: actions/checkout@v2 + - name: Checkmarx scan + uses: checkmarx/ast-github-action@main + with: + base_uri: https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx + cx_client_id: ${{ secrets.CX_CLIENT_ID }} + cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} + cx_tenant: ${{ secrets.CX_TENANT }} + additional_params: --report-format sarif --output-path . + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: cx_result.sarif \ No newline at end of file From b2113622be8e2b2dbf9b32aa12af30faa65e5362 Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Thu, 29 Sep 2022 11:32:56 +0100 Subject: [PATCH 534/844] Add new properties file for Checkmarx --- code-scanning/properties/checkmarx-one.properties.json | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 code-scanning/properties/checkmarx-one.properties.json 
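Review bot: `uses: checkmarx/ast-github-action@main` runs whatever is currently on that branch, with `CX_CLIENT_ID`, `CX_CLIENT_SECRET`, `CX_TENANT` and the repository checkout in scope, so a compromised or careless push to the action's main branch lands in every consumer on its next pull request; pin to a release tag or, better, a commit SHA with a version comment, e.g. `uses: checkmarx/ast-github-action@<sha> # vX.Y.Z`. The job declares no `permissions:`, yet `upload-sarif@v2` needs `security-events: write`, so it silently depends on the repository's default token scope; add `permissions:` / `contents: read` / `security-events: write` at job level as the other code-scanning templates in this series do. `actions/checkout@v2` is a release behind the `@v3` used elsewhere in the same series. Because the only trigger is `pull_request`, runs for pull requests from forks of a public repository receive no secrets and will fail at the scan step; a comment noting that is worth adding.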
diff --git a/code-scanning/properties/checkmarx-one.properties.json b/code-scanning/properties/checkmarx-one.properties.json new file mode 100644 index 0000000000..f5ebef8bab --- /dev/null +++ b/code-scanning/properties/checkmarx-one.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Checkmarx", + "creator": "Checkmarx", + "description": "Beat vulnerabilities with more secure code.Scan your code with Checkmarx One and see results in the GitHub code scanning.", + "iconName": "checkmarx", + "categories": ["Code Scanning","code-quality", "javascript", "python", "java", "php", "c#", "c", "c++", "ruby", "swift", "go", "json", "kotlin", "apex", "scala", "perl"] +} \ No newline at end of file From 4d24769f48db2cc2d8ae87ceb69c9f5a51b32e1e Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Thu, 29 Sep 2022 11:33:34 +0100 Subject: [PATCH 535/844] Update checkmarx.svg --- icons/checkmarx.svg | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/icons/checkmarx.svg b/icons/checkmarx.svg index 6bf5ad3708..ab11dadaff 100644 --- a/icons/checkmarx.svg +++ b/icons/checkmarx.svg @@ -1,14 +1 @@ - - - - - - + From 3031cebead8b924c888e3d7b36340bdf4f9db1df Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Thu, 29 Sep 2022 11:35:25 +0100 Subject: [PATCH 536/844] Update checkmarx.svg --- icons/checkmarx.svg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/icons/checkmarx.svg b/icons/checkmarx.svg index ab11dadaff..899b3bc533 100644 --- a/icons/checkmarx.svg +++ b/icons/checkmarx.svg @@ -1 +1 @@ - + From 61b58c843faaf321af8150f75a667eae24e0e458 Mon Sep 17 00:00:00 2001 From: Adrian Mato Date: Thu, 29 Sep 2022 15:22:03 -0700 Subject: [PATCH 537/844] Update pages/astro.yml Co-authored-by: Yoann Chaudet --- pages/astro.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/astro.yml b/pages/astro.yml index 3deef31753..544b93d31c 100644 
--- a/pages/astro.yml +++ b/pages/astro.yml @@ -3,7 +3,7 @@ # To get started with Astro see: https://docs.astro.build/en/getting-started/ # -name: Deploy Roadmap to Pages +name: Deploy Astro site to Pages on: push: From 3c68ea5b08cbdafc0df46651c977b6d07b94d2e8 Mon Sep 17 00:00:00 2001 From: Ivan <98037481+IvanZosimov@users.noreply.github.com> Date: Fri, 30 Sep 2022 10:32:25 +0200 Subject: [PATCH 538/844] Update dotnet-desktop.yml to use setup-dotnet@v3 --- ci/dotnet-desktop.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index bd2cb2ee51..fd82a3962d 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -69,7 +69,7 @@ jobs: # Install the .NET Core workload - name: Install .NET Core - uses: actions/setup-dotnet@v2 + uses: actions/setup-dotnet@v3 with: dotnet-version: 6.0.x From 94301453103b54c82be6c73f03dbbb377e95241d Mon Sep 17 00:00:00 2001 From: Ivan <98037481+IvanZosimov@users.noreply.github.com> Date: Fri, 30 Sep 2022 10:33:07 +0200 Subject: [PATCH 539/844] Update dotnet.yml to use setup-dotnet@v3 --- ci/dotnet.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/dotnet.yml b/ci/dotnet.yml index a8eccabbbe..7465e23a05 100644 --- a/ci/dotnet.yml +++ b/ci/dotnet.yml @@ -14,7 +14,7 @@ jobs: steps: - uses: actions/checkout@v3 - name: Setup .NET - uses: actions/setup-dotnet@v2 + uses: actions/setup-dotnet@v3 with: dotnet-version: 6.0.x - name: Restore dependencies From c4a90daee92b84b29c81d86edf855a258363f5d3 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 30 Sep 2022 12:29:54 +0000 Subject: [PATCH 540/844] Bump @actions/core from 1.2.6 to 1.9.1 in /script/validate-data Bumps [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) from 1.2.6 to 1.9.1. - [Release notes](https://github.com/actions/toolkit/releases) - [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core) --- updated-dependencies: - dependency-name: "@actions/core" dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- script/validate-data/package-lock.json | 64 +++++++++++++++++++++++--- script/validate-data/package.json | 2 +- 2 files changed, 58 insertions(+), 8 deletions(-) diff --git a/script/validate-data/package-lock.json b/script/validate-data/package-lock.json index e660b6a1ae..358c6615bd 100644 --- a/script/validate-data/package-lock.json +++ b/script/validate-data/package-lock.json @@ -9,7 +9,7 @@ "version": "1.0.0", "license": "MIT", "dependencies": { - "@actions/core": "^1.2.6", + "@actions/core": "^1.9.1", "js-yaml": "^3.13.1", "jsonschema": "^1.2.6" }, 
@@ -21,9 +21,21 @@ } }, "node_modules/@actions/core": { - "version": "1.2.6", - "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz", - "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA==" + "version": "1.9.1", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz", + "integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==", + "dependencies": { + "@actions/http-client": "^2.0.1", + "uuid": "^8.3.2" + } + }, + "node_modules/@actions/http-client": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz", + "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==", + "dependencies": { + "tunnel": "^0.0.6" + } }, "node_modules/@types/js-yaml": { "version": "3.12.4", @@ -153,6 +165,14 @@ "typescript": ">=2.7" } }, + "node_modules/tunnel": { + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", + "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==", + "engines": { + "node": ">=0.6.11 <=0.7.0 || >=0.7.3" + } + }, "node_modules/typescript": { "version": "3.9.2", "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz", @@ -166,6 +186,14 @@ "node": ">=4.2.0" } }, + "node_modules/uuid": { + "version": "8.3.2", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", + "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==", + "bin": { + "uuid": "dist/bin/uuid" + } + }, "node_modules/yn": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz", 
@@ -178,9 +206,21 @@ }, "dependencies": { "@actions/core": { - "version": "1.2.6", - "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz", - "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA==" + "version": "1.9.1", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz", + "integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==", + "requires": { + "@actions/http-client": "^2.0.1", + "uuid": "^8.3.2" + } + }, + "@actions/http-client": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz", + "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==", + "requires": { + "tunnel": "^0.0.6" + } }, "@types/js-yaml": { "version": "3.12.4", @@ -279,12 +319,22 @@ "yn": "3.1.1" } }, + "tunnel": { + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", + "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==" + }, "typescript": { "version": "3.9.2", "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz", "integrity": "sha512-q2ktq4n/uLuNNShyayit+DTobV2ApPEo/6so68JaD5ojvc/6GClBipedB9zNWYxRSAlZXAe405Rlijzl6qDiSw==", "dev": true }, + "uuid": { + "version": "8.3.2", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", + "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==" + }, "yn": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz", diff --git a/script/validate-data/package.json b/script/validate-data/package.json index e6403ee20d..6811f19edb 100644 --- a/script/validate-data/package.json +++ b/script/validate-data/package.json 
@@ -14,7 +14,7 @@ "typescript": "^3.9.2" }, "dependencies": { - "@actions/core": "^1.2.6", + "@actions/core": "^1.9.1", "js-yaml": "^3.13.1", "jsonschema": "^1.2.6" } From d668c4cb8b5f3382c65ebcf1624bab95329b274c Mon Sep 17 00:00:00 2001 From: Pedro Kaj Kjellerup Nacht <15221358+pnacht@users.noreply.github.com> Date: Fri, 7 Oct 2022 14:25:58 +0000 Subject: [PATCH 541/844] Clarify comments in scorecard.yml --- code-scanning/scorecards.yml | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 31a4fa10bc..1a9119f94d 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -1,7 +1,10 @@ name: Scorecards supply-chain security on: - # Only the default branch is supported. + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: - cron: $cron-weekly push: @@ -17,11 +20,11 @@ jobs: permissions: # Needed to upload the results to code-scanning dashboard. security-events: write - # Used to receive a badge. + # Needed to publish results and get a badge (see publish_results below). id-token: write - # Needs for private repositories. - contents: read - actions: read + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read steps: - name: "Checkout code" 
@@ -40,10 +43,13 @@ jobs: # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} - # Publish the results for public repositories to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories, `publish_results` will automatically be set to `false`, regardless - # of the value entered here. + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. publish_results: true # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF From 493117b7055b853103d64a04bfe76998714e047f Mon Sep 17 00:00:00 2001 From: Pedro Kaj Kjellerup Nacht <15221358+pnacht@users.noreply.github.com> Date: Fri, 7 Oct 2022 18:22:49 +0000 Subject: [PATCH 542/844] Add disclaimer requested in PR template --- code-scanning/scorecards.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 1a9119f94d..afd2b938bc 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -1,3 +1,7 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + name: Scorecards supply-chain security on: # For Branch-Protection check. Only the default branch is supported. See From 988cccd442c473a2a89d6793baf896c191a10002 Mon Sep 17 00:00:00 2001 
From: Sampark Sharma Date: Mon, 10 Oct 2022 11:12:22 +0000 Subject: [PATCH 543/844] Update old documentation links --- ci/ant.yml | 2 +- ci/dotnet.yml | 3 +++ ci/go.yml | 3 +++ ci/gradle.yml | 2 +- ci/maven.yml | 2 +- ci/node.js.yml | 2 +- ci/npm-publish-github-packages.yml | 2 +- ci/npm-publish.yml | 2 +- ci/python-app.yml | 2 +- ci/python-package.yml | 2 +- ci/python-publish.yml | 2 +- ci/swift.yml | 3 +++ 12 files changed, 18 insertions(+), 9 deletions(-) diff --git a/ci/ant.yml b/ci/ant.yml index 16146641ae..e9dba0106e 100644 --- a/ci/ant.yml +++ b/ci/ant.yml @@ -1,5 +1,5 @@ # This workflow will build a Java project with Ant -# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-ant +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-ant name: Java CI diff --git a/ci/dotnet.yml b/ci/dotnet.yml index 7465e23a05..f11f05069d 100644 --- a/ci/dotnet.yml +++ b/ci/dotnet.yml @@ -1,3 +1,6 @@ +# This workflow will build a .NET project +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-net + name: .NET on: diff --git a/ci/go.yml b/ci/go.yml index bb3ec96482..4d95674ed1 100644 --- a/ci/go.yml +++ b/ci/go.yml @@ -1,3 +1,6 @@ +# This workflow will build a golang project +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go + name: Go on: diff --git a/ci/gradle.yml b/ci/gradle.yml index 0c0f12cda6..2be0b58ec9 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml 
@@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. # This workflow will build a Java project with Gradle and cache/restore any dependencies to improve the workflow execution time -# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-gradle name: Java CI with Gradle diff --git a/ci/maven.yml b/ci/maven.yml index 65e0dff20e..26bfc73522 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -1,5 +1,5 @@ # This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time -# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-maven name: Java CI with Maven diff --git a/ci/node.js.yml b/ci/node.js.yml index a89108d690..f230593b30 100644 --- a/ci/node.js.yml +++ b/ci/node.js.yml @@ -1,5 +1,5 @@ # This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node -# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-nodejs name: Node.js CI diff --git a/ci/npm-publish-github-packages.yml b/ci/npm-publish-github-packages.yml index 638ccf806c..e790f4dd4f 100644 --- a/ci/npm-publish-github-packages.yml +++ b/ci/npm-publish-github-packages.yml 
@@ -1,5 +1,5 @@ # This workflow will run tests using node and then publish a package to GitHub Packages when a release is created -# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages +# For more information see: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages name: Node.js Package diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index c461c85dd9..6cdebafb6b 100644 --- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml @@ -1,5 +1,5 @@ # This workflow will run tests using node and then publish a package to GitHub Packages when a release is created -# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages +# For more information see: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages name: Node.js Package diff --git a/ci/python-app.yml b/ci/python-app.yml index 4b7fa5f2da..994538258f 100644 --- a/ci/python-app.yml +++ b/ci/python-app.yml @@ -1,5 +1,5 @@ # This workflow will install Python dependencies, run tests and lint with a single version of Python -# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python name: Python application diff --git a/ci/python-package.yml b/ci/python-package.yml index 583a366774..de579a3d4e 100644 --- a/ci/python-package.yml +++ b/ci/python-package.yml @@ -1,5 +1,5 @@ # This workflow will install Python dependencies, run tests and lint with a variety of Python versions -# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python name: Python package 
diff --git a/ci/python-publish.yml b/ci/python-publish.yml index ec703542be..bdaab28a48 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -1,5 +1,5 @@ # This workflow will upload a Python Package using Twine when a release is created -# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries # This workflow uses actions that are not certified by GitHub. # They are provided by a third-party and are governed by diff --git a/ci/swift.yml b/ci/swift.yml index 3668fc0be6..9d84f86f96 100644 --- a/ci/swift.yml +++ b/ci/swift.yml @@ -1,3 +1,6 @@ +# This workflow will build a golang project +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-swift + name: Swift on: From eaf0ed4a08ebf0cf7b2ef7ac29c1f18f0d5bf084 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Oct 2022 14:19:44 +0000 Subject: [PATCH 544/844] Bump pozil/auto-assign-issue from 1.10.0 to 1.10.1 Bumps [pozil/auto-assign-issue](https://github.com/pozil/auto-assign-issue) from 1.10.0 to 1.10.1. - [Release notes](https://github.com/pozil/auto-assign-issue/releases) - [Commits](https://github.com/pozil/auto-assign-issue/compare/v1.10.0...v1.10.1) --- updated-dependencies: - dependency-name: pozil/auto-assign-issue dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/auto-assign-issues.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml index 0cb93458e8..98f071a6ae 100644 --- a/.github/workflows/auto-assign-issues.yml 
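Review bot: The header comment added to ci/swift.yml reads `# This workflow will build a golang project`, copied from the go.yml hunk above; it should read `# This workflow will build a Swift project`. The documentation link on the following line already points at the Swift guide, so only the first comment line needs the fix.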
+++ b/.github/workflows/auto-assign-issues.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Auto-assign issue' - uses: pozil/auto-assign-issue@v1.10.0 + uses: pozil/auto-assign-issue@v1.10.1 with: assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft numOfAssignee: 1 From e9fd3bc4fbab5eb36f309948b4f2b1319ceb35a6 Mon Sep 17 00:00:00 2001 From: Pedro Kaj Kjellerup Nacht Date: Mon, 10 Oct 2022 15:48:40 +0000 Subject: [PATCH 545/844] Update versions/hashes --- code-scanning/scorecards.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index afd2b938bc..0e159aa2ba 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -32,12 +32,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0 + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@865b4092859256271290c77adbd10a43f4779972 # tag=v2.0.3 + uses: ossf/scorecard-action@e363bfca00e752f91de7b7d2a77340e2e523cb18 # v2.0.4 with: results_file: results.sarif results_format: sarif @@ -51,7 +51,7 @@ jobs: # - Publish results to OpenSSF REST API for easy access by consumers # - Allows the repository to include the Scorecard badge. # - See https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories: + # For private repositories: # - `publish_results` will always be set to `false`, regardless # of the value entered here. publish_results: true 
@@ -59,7 +59,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0 + uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 with: name: SARIF file path: results.sarif @@ -67,6 +67,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26 + uses: github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100 # v2.1.27 with: sarif_file: results.sarif From 9a9cef713d58450916333470a1bd233e97c2f83e Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec <83706991+abdul-hai-apisec@users.noreply.github.com> Date: Wed, 12 Oct 2022 14:21:47 +0530 Subject: [PATCH 546/844] Update ethicalcheck.yml --- code-scanning/ethicalcheck.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/code-scanning/ethicalcheck.yml b/code-scanning/ethicalcheck.yml index c089015811..4a8ad3cdde 100644 --- a/code-scanning/ethicalcheck.yml +++ b/code-scanning/ethicalcheck.yml @@ -49,9 +49,16 @@ jobs: steps: - name: EthicalCheck Free & Automated API Security Testing Service - uses: apisec-inc/ethicalcheck-action@latest + uses: apisec-inc/ethicalcheck-action@005fac321dd843682b1af6b72f30caaf9952c641 with: # The OpenAPI Specification URL or Swagger Path or Public Postman collection URL. oas-url: "http://netbanking.apisec.ai:8080/v2/api-docs" # The email address to which the penetration test report will be sent. - email: "xxx@apisec.ai" \ No newline at end of file + email: "xxx@apisec.ai" + sarif-result-file: "ethicalcheck-results.sarif" + + - name: Upload sarif file to repository + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ./ethicalcheck-results.sarif + 
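Review bot: The new `uses: apisec-inc/ethicalcheck-action@005fac321dd843682b1af6b72f30caaf9952c641` pins a full SHA but carries no version comment, so a reader cannot tell which release the pin corresponds to, and the `# v3.1.0`-style trailing comments used in code-scanning/scorecards.yml in this same series are what lets tooling keep SHA pins current; append the tag, e.g. `uses: apisec-inc/ethicalcheck-action@005fac321dd843682b1af6b72f30caaf9952c641 # <release tag this SHA resolves to>`. The same gap applies to the later `checkmarx/ast-github-action@8e887bb93dacc44e0f5b64ee2b06d5815f89d4fc` pin in code-scanning/checkmarx-one.yml (PATCH 560). The upload step added here references a floating `github/codeql-action/upload-sarif@v2`, so the two third-party actions in one job follow different pinning policies; a one-line comment saying which is intended would help. The last added line is whitespace only and should be dropped.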
From d1768edd6c32f2b7ed1b94b93e98390da3e4e3d4 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 12 Oct 2022 13:05:05 +0000 Subject: [PATCH 547/844] Remove filename check --- script/validate-data/index.ts | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index abbdfbefa1..4bd260d6c3 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -44,7 +44,6 @@ const propertiesSchema = { async function checkWorkflows(folders: string[], allowed_categories: object[]): Promise { const result: WorkflowWithErrors[] = [] const workflow_template_names = new Set() - const workflow_template_file_names = new Set() for (const folder of folders) { const dir = await fs.readdir(folder, { withFileTypes: true, @@ -59,10 +58,7 @@ async function checkWorkflows(folders: string[], allowed_categories: object[]): const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, allowed_categories); if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) { - workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) - } - if(workflow_template_file_names.size == workflow_template_file_names.add(e.name).size) { - workflowWithErrors.errors.push(`Workflow template with filename "${e.name}" already exists`) + workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) } if (workflowWithErrors.errors.length > 0) { result.push(workflowWithErrors) From 90fcb3f10e2f67fb9e90e866901f7e9173317ea3 Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Wed, 12 Oct 2022 20:30:11 +0530 Subject: [PATCH 548/844] Added permissions --- code-scanning/ethicalcheck.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) 
diff --git a/code-scanning/ethicalcheck.yml b/code-scanning/ethicalcheck.yml index 4a8ad3cdde..2818bc695d 100644 --- a/code-scanning/ethicalcheck.yml +++ b/code-scanning/ethicalcheck.yml @@ -42,9 +42,14 @@ on: # Allows you to run this workflow manually from the Actions tab workflow_dispatch: - +permissions: + contents: read + jobs: Trigger_EthicalCheck: + permissions: + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: @@ -57,8 +62,8 @@ jobs: email: "xxx@apisec.ai" sarif-result-file: "ethicalcheck-results.sarif" - - name: Upload sarif file to repository - uses: github/codeql-action/upload-sarif@v2 - with: + - name: Upload sarif file to repository + uses: github/codeql-action/upload-sarif@v2 + with: sarif_file: ./ethicalcheck-results.sarif From a66a1979359eb8f01c0b728469a7c62868fa9b30 Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Wed, 12 Oct 2022 16:05:01 +0100 Subject: [PATCH 549/844] Update checkmarx-one.yml --- code-scanning/checkmarx-one.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/code-scanning/checkmarx-one.yml b/code-scanning/checkmarx-one.yml index 89dcdd68ea..ffa8d85fee 100644 --- a/code-scanning/checkmarx-one.yml +++ b/code-scanning/checkmarx-one.yml @@ -3,7 +3,8 @@ # separate terms of service, privacy policy, and support # documentation. -# This is a basic workflow to help you get started with Using Checkmarx One Action +# This is a basic workflow to help you get started with Using Checkmarx One Action, +# documentation can be found here : https://checkmarx.com/resource/documents/en/34965-68702-checkmarx-one-github-actions.html name: Checkmarx Scan 
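Review bot: The job-level `permissions:` block added under `Trigger_EthicalCheck` grants only `security-events: write` and `actions: read`; a job-level block replaces the workflow-level one rather than extending it, so this job runs without the `contents: read` introduced at the top of the same hunk. No `actions/checkout` step is visible in the job, so that may be intentional, but the grant should be self-describing: add `contents: read # job-level permissions replace the workflow-level block` beside the other two scopes, or comment why it is deliberately omitted. The second hunk only re-indents the upload step and is unrelated to the permissions change.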
@@ -24,17 +25,17 @@ jobs: steps: # This step checks out a copy of your repository. - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Checkmarx scan uses: checkmarx/ast-github-action@main with: - base_uri: https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx - cx_client_id: ${{ secrets.CX_CLIENT_ID }} - cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} - cx_tenant: ${{ secrets.CX_TENANT }} + base_uri: https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx One + cx_client_id: ${{ secrets.CX_CLIENT_ID }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e + cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e + cx_tenant: ${{ secrets.CX_TENANT }} # This should be replaced by your tenant for Checkmarx One additional_params: --report-format sarif --output-path . - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository - sarif_file: cx_result.sarif \ No newline at end of file + sarif_file: cx_result.sarif From 4076f8b8dab71a2b12de6816f8f16f2f508dcdac Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Wed, 12 Oct 2022 16:20:46 +0100 Subject: [PATCH 550/844] Update checkmarx-one.yml --- code-scanning/checkmarx-one.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/code-scanning/checkmarx-one.yml b/code-scanning/checkmarx-one.yml index ffa8d85fee..262ed55272 100644 
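Review bot: The new inline comments on `cx_client_id` and `cx_client_secret` each repeat the same very long documentation URL, pushing both lines far past any reasonable length and making the `with:` block hard to read and to diff. Put the link once in a comment above `with:`, e.g. `# Create the client id and secret in your Checkmarx One account: <documentation URL>`, and keep the per-key comments to a few words. The same URL appearing twice also invites the two copies drifting apart on the next edit.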
--- a/code-scanning/checkmarx-one.yml +++ b/code-scanning/checkmarx-one.yml @@ -14,10 +14,18 @@ on: types: [opened, reopened, synchronize] branches: [ $default-branch, $protected-branches ] +permissions: + contents: read + # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: # This workflow contains a single job called "build" build: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif + # The type of runner that the job will run on runs-on: ubuntu-latest @@ -26,7 +34,8 @@ jobs: # This step checks out a copy of your repository. - name: Checkout repository uses: actions/checkout@v3 - - name: Checkmarx scan + # This step creates the Checkmarx One scan + - name: Checkmarx One scan uses: checkmarx/ast-github-action@main with: base_uri: https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx One From 0376d797710c37d032bd06418de4a56775c03882 Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Wed, 12 Oct 2022 16:48:51 +0100 Subject: [PATCH 551/844] Update checkmarx.svg --- icons/checkmarx.svg | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/icons/checkmarx.svg b/icons/checkmarx.svg index 899b3bc533..fbdc9f3b67 100644 --- a/icons/checkmarx.svg +++ b/icons/checkmarx.svg @@ -1 +1,12 @@ - + + + + + + + + + + + + From 8048d62634872e937bf37f33028e4b4448a4d7d4 Mon Sep 17 00:00:00 2001 
From: Justin Hutchings Date: Thu, 13 Oct 2022 13:01:48 -0700 Subject: [PATCH 552/844] Add dependency graph Scala builds do not automatically get support for the dependency graph. This addition will upload dependency information to the dependency graph so users get Dependabot alerts. --- ci/scala.yml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/ci/scala.yml b/ci/scala.yml index 4a3c112725..a88374f30d 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -6,17 +6,24 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' + cache: 'sbt' - name: Run tests run: sbt test + # This step uploads information to the GitHub dependency graph and unblocking Dependabot alerts for the repository + - name: Upload dependency graph + uses: scalacenter/sbt-dependency-submission@v2 From 6686f7461a5ea356163d37ef11e325ab03a534bb Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Thu, 13 Oct 2022 13:08:31 -0700 Subject: [PATCH 553/844] Add disclaimer --- ci/scala.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ci/scala.yml b/ci/scala.yml index a88374f30d..9e786727b0 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -1,3 +1,8 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + name: Scala CI on: From 1be22cecc3906449c5014d187ad9c1e3bb1159cb Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Thu, 13 Oct 2022 13:24:08 -0700 Subject: [PATCH 554/844] Add dependency graph to Maven workflows --- ci/maven.yml | 9 +++++++++ 1 file changed, 9 insertions(+) 
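Review bot: The new `Upload dependency graph` step submits to the Dependency submission API, which as far as I know requires `contents: write` on the job token, while the same hunk introduces a workflow-level `permissions: contents: read`; as written the submission is likely to be rejected. Scope the elevated grant to this job by adding `permissions:` / `contents: write # Dependency submission API` under `build:`, keeping the workflow-level `contents: read` as the default for anything else. The `advanced-security/maven-dependency-submission-action@v1` step added to ci/maven.yml in PATCH 554 has the same requirement; that file's `permissions` block is outside its hunk, so it should be checked too. The step comment reads oddly; suggest `# Uploads dependency information to the GitHub dependency graph so Dependabot alerts cover this repository`. Both submission actions are referenced by floating major tags rather than the SHA pins used in code-scanning/scorecards.yml.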
diff --git a/ci/maven.yml b/ci/maven.yml index 65e0dff20e..d762ee9a9a 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -1,6 +1,11 @@ # This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time # For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + name: Java CI with Maven on: @@ -24,3 +29,7 @@ jobs: cache: maven - name: Build with Maven run: mvn -B package --file pom.xml + + # Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive + - name: Update dependency graph + uses: advanced-security/maven-dependency-submission-action@v1 From 9c49b9d11c5dd12f3732b4707fde87d4753c3873 Mon Sep 17 00:00:00 2001 From: Nick McCurdy Date: Mon, 17 Oct 2022 08:31:16 -0400 Subject: [PATCH 555/844] Delete Gatsby, Next, and Nuxt categories https://github.com/actions/starter-workflows/pull/1762#discussion_r996963757 --- README.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/README.md b/README.md index fa8d351446..7ff406f694 100644 --- a/README.md +++ b/README.md @@ -43,9 +43,6 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`. * utilities * Pages * Hugo -* Gatsby -* Next -* Nuxt ### Variables These variables can be placed in the starter workflow and will be substituted as detailed below: From b646c9c97cd4a2e9ed23bc609e2cae25e04effb9 Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Mon, 17 Oct 2022 14:24:31 +0100 Subject: [PATCH 556/844] Update checkmarx-one.yml --- code-scanning/checkmarx-one.yml | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/code-scanning/checkmarx-one.yml b/code-scanning/checkmarx-one.yml index 262ed55272..e666ddd8a9 100644 --- a/code-scanning/checkmarx-one.yml +++ b/code-scanning/checkmarx-one.yml @@ -3,6 +3,11 @@ # separate terms of service, privacy policy, and support # documentation. +# The Checkmarx One GitHub Action enables you to trigger SAST, SCA, and KICS scans directly from the GitHub workflow. +# It provides a wrapper around the Checkmarx One CLI Tool which creates a zip archive from your source code repository +# and uploads it to Checkmarx One for scanning. The Github Action provides easy integration with GitHub while enabling +# scan customization using the full functionality and flexibility of the CLI tool. + # This is a basic workflow to help you get started with Using Checkmarx One Action, # documentation can be found here : https://checkmarx.com/resource/documents/en/34965-68702-checkmarx-one-github-actions.html From e5b363612e747c2961857eef5c4d66d2824a1efc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 17 Oct 2022 13:53:14 +0000 Subject: [PATCH 557/844] Bump pozil/auto-assign-issue from 1.10.1 to 1.11.0 Bumps [pozil/auto-assign-issue](https://github.com/pozil/auto-assign-issue) from 1.10.1 to 1.11.0. - [Release notes](https://github.com/pozil/auto-assign-issue/releases) - [Commits](https://github.com/pozil/auto-assign-issue/compare/v1.10.1...v1.11.0) --- updated-dependencies: - dependency-name: pozil/auto-assign-issue dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/auto-assign-issues.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml index 98f071a6ae..adaa8d69af 100644 --- a/.github/workflows/auto-assign-issues.yml +++ b/.github/workflows/auto-assign-issues.yml 
@@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Auto-assign issue' - uses: pozil/auto-assign-issue@v1.10.1 + uses: pozil/auto-assign-issue@v1.11.0 with: assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft numOfAssignee: 1 From 94ce36310999d6d76d8a1b23bdc1f09f5b38f6fe Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 18 Oct 2022 18:19:20 +0530 Subject: [PATCH 558/844] Update ci/swift.yml Co-authored-by: Scott Brenner --- ci/swift.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/swift.yml b/ci/swift.yml index 9d84f86f96..91276e31fa 100644 --- a/ci/swift.yml +++ b/ci/swift.yml @@ -1,4 +1,4 @@ -# This workflow will build a golang project +# This workflow will build a Swift project # For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-swift name: Swift From 7482e30dc1cfa91d8f20b52fc6416d6dec435652 Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Thu, 20 Oct 2022 11:11:54 +0530 Subject: [PATCH 559/844] Updated the description --- code-scanning/properties/ethicalcheck.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/ethicalcheck.properties.json b/code-scanning/properties/ethicalcheck.properties.json index c0949be383..8728ca796c 100644 --- a/code-scanning/properties/ethicalcheck.properties.json +++ b/code-scanning/properties/ethicalcheck.properties.json 
@@ -1,7 +1,7 @@ { "name": "EthicalCheck", "creator": "APIsec", - "description": "EthicalCheck addresses the critical need to continuously security test APIs in development and in production. EthicalCheck provides the industry’s only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list. Developers relies on EthicalCheck to evaluate every update and release, ensuring that no APIs go to production with exploitable vulnerabilities. You develop the application and API, we bring complete and continuous security testing to you, accelerating development.Know your API and Applications are secure with EthicalCheck – our free & automated API security testing service.", + "description": "EthicalCheck provides the industry’s only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list.", "iconName": "apisec", "categories": [ "Code Scanning", From cef3397932c8d0fa8bf0b0d10b0e662d6d3208a9 Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Thu, 20 Oct 2022 15:14:03 +0100 Subject: [PATCH 560/844] Update checkmarx-one.yml --- code-scanning/checkmarx-one.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/checkmarx-one.yml b/code-scanning/checkmarx-one.yml index e666ddd8a9..d85c0c53ca 100644 --- a/code-scanning/checkmarx-one.yml +++ b/code-scanning/checkmarx-one.yml 
@@ -41,7 +41,7 @@ jobs: uses: actions/checkout@v3 # This step creates the Checkmarx One scan - name: Checkmarx One scan - uses: checkmarx/ast-github-action@main + uses: checkmarx/ast-github-action@8e887bb93dacc44e0f5b64ee2b06d5815f89d4fc with: base_uri: https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx One cx_client_id: ${{ secrets.CX_CLIENT_ID }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e From a95c4f68c84a608cd51d3e85b7516945d61cc69a Mon Sep 17 00:00:00 2001 From: Oliver King Date: Thu, 20 Oct 2022 15:06:21 -0400 Subject: [PATCH 561/844] update aks workflows to latest versions --- deployments/azure-kubernetes-service-helm.yml | 151 +++++++----------- .../azure-kubernetes-service-kompose.yml | 145 ++++++----------- .../azure-kubernetes-service-kustomize.yml | 141 ++++++---------- deployments/azure-kubernetes-service.yml | 129 +++++---------- 4 files changed, 197 insertions(+), 369 deletions(-) diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index 83a9163cfd..86582e77fa 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml 
@@ -1,14 +1,16 @@ # This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code # # This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# The ACR should be attached to the AKS cluster # For instructions see: # - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal # - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli#configure-acr-integration-for-existing-aks-clusters # - https://github.com/Azure/aks-create-action # # To configure this workflow: # -# 1. Set the following secrets in your repository (instructions for getting these +# 1. Set the following secrets in your repository (instructions for getting these # https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux)): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID @@ -34,7 +36,7 @@ name: Build and deploy an app to AKS with Helm on: push: - branches: [ $default-branch ] + branches: [$default-branch] workflow_dispatch: env: @@ -42,7 +44,6 @@ env: CONTAINER_NAME: "your-container-name" RESOURCE_GROUP: "your-resource-group" CLUSTER_NAME: "your-cluster-name" - IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" CHART_PATH: "your-chart-path" CHART_OVERRIDE_PATH: "your-chart-override-path" 
@@ -53,63 +54,21 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Builds and pushes an image up to your Azure Container Registry - - name: Build and push image to ACR - run: | - az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + # Checks out the repository this file is in + - uses: actions/checkout@v3 - createSecret: - permissions: - contents: read - id-token: write - runs-on: ubuntu-latest - steps: - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} - - # Retrieves the credentials for pulling images from your Azure Container Registry - - name: Get ACR credentials - run: | - az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true - ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) - ACR_PASSWORD=$(az acr credential show -g ${{ 
env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) - echo "::add-mask::${ACR_USERNAME}" - echo "::set-output name=username::${ACR_USERNAME}" - echo "::add-mask::${ACR_PASSWORD}" - echo "::set-output name=password::${ACR_PASSWORD}" - id: get-acr-creds - - # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step - - name: Create K8s secret for pulling image from ACR - uses: Azure/k8s-create-secret@v1.1 - with: - container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io - container-registry-username: ${{ steps.get-acr-creds.outputs.username }} - container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . deploy: permissions: 
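Review bot: The hunk re-indents every step of `buildImage` by two spaces in the same change that deletes the entire `createSecret` job, so nearly every line shows as modified and the substantive change — dropping the `az acr update ... --admin-enabled true` admin-credential flow and the deprecated `::set-output` commands — is buried in whitespace churn. Land the re-indent separately, or at least call out in the description that step indentation changed so reviewers know the `buildImage` steps are otherwise untouched apart from the `azure/login@v1.4.6` bump. The kompose and kustomize hunks in this commit follow the same pattern and the same remark applies there.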
@@ -117,45 +76,43 @@ jobs: contents: read id-token: write runs-on: ubuntu-latest - needs: [buildImage, createSecret] + needs: [buildImage] steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} + # Checks out the repository this file is in + - uses: actions/checkout@v3 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v3 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} - # Runs Helm to create manifest files - - name: Bake deployment - uses: azure/k8s-bake@v2.1 - with: - renderEngine: 'helm' - helmChart: ${{ env.CHART_PATH }} - overrideFiles: ${{ env.CHART_OVERRIDE_PATH }} - overrides: | - replicas:2 - helm-version: 'latest' - id: bake + # Runs Helm to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2 + with: + renderEngine: "helm" + helmChart: ${{ env.CHART_PATH }} + overrideFiles: ${{ env.CHART_OVERRIDE_PATH }} + overrides: | + replicas:2 + helm-version: "latest" + id: bake - # Deploys application based on manifest files from previous step - - name: Deploy application - uses: Azure/k8s-deploy@v3.1 - with: - action: deploy - manifests: ${{ steps.bake.outputs.manifestsBundle }} - images: | - ${{ 
env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} - imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v4 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index 0e76365786..a0e6bdd22f 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -1,14 +1,16 @@ # This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code # # This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# The ACR should be attached to the AKS cluster # For instructions see: # - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal # - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli#configure-acr-integration-for-existing-aks-clusters # - https://github.com/Azure/aks-create-action # # To configure this workflow: # -# 1. Set the following secrets in your repository (instructions for getting these +# 1. Set the following secrets in your repository (instructions for getting these # https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID @@ -33,7 +35,7 @@ name: Build and deploy an app to AKS with Kompose on: push: - branches: [ $default-branch ] + branches: [$default-branch] workflow_dispatch: env: 
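Review bot: With `imagepullsecrets` removed from `Deploy application`, the cluster's ability to pull `${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/...` now rests entirely on the ACR being attached to the AKS cluster, which is stated only in the file header; the step itself gives no hint, so a user who skips the header sees an image pull failure at rollout with nothing in the workflow explaining why. Add `# Image pulls rely on the ACR being attached to the AKS cluster (see header); this workflow no longer creates an imagePullSecret` above the step. The same comment belongs on the kompose deploy step in this commit.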
@@ -41,7 +43,6 @@ env: CONTAINER_NAME: "your-container-name" RESOURCE_GROUP: "your-resource-group" CLUSTER_NAME: "your-cluster-name" - IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path" jobs: 
@@ -51,106 +52,62 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Builds and pushes an image up to your Azure Container Registry - - name: Build and push image to ACR - run: | - az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . - - createSecret: - permissions: - contents: read - id-token: write - runs-on: ubuntu-latest - steps: - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} + # Checks out the repository this file is in + - uses: actions/checkout@v3 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # Retrieves the credentials for pulling images from your Azure Container Registry - - name: Get ACR credentials - run: | - az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true - ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) - ACR_PASSWORD=$(az acr credential show -g ${{ 
env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) - echo "::add-mask::${ACR_USERNAME}" - echo "::set-output name=username::${ACR_USERNAME}" - echo "::add-mask::${ACR_PASSWORD}" - echo "::set-output name=password::${ACR_PASSWORD}" - id: get-acr-creds + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . - # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step - - name: Create K8s secret for pulling image from ACR - uses: Azure/k8s-create-secret@v1.1 - with: - container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io - container-registry-username: ${{ steps.get-acr-creds.outputs.username }} - container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} - deploy: permissions: actions: read contents: read id-token: write runs-on: ubuntu-latest - needs: [buildImage, createSecret] + needs: [buildImage] steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Checks out the repository this file is in + - uses: actions/checkout@v3 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: 
azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v3 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} - # Runs Kompose to create manifest files - - name: Bake deployment - uses: azure/k8s-bake@v2.1 - with: - renderEngine: 'kompose' - dockerComposeFile: ${{ env.DOCKER_COMPOSE_FILE_PATH }} - kompose-version: 'latest' - id: bake + # Runs Kompose to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2 + with: + renderEngine: "kompose" + dockerComposeFile: ${{ env.DOCKER_COMPOSE_FILE_PATH }} + kompose-version: "latest" + id: bake - # Deploys application based on manifest files from previous step - - name: Deploy application - uses: Azure/k8s-deploy@v3.1 - with: - action: deploy - manifests: ${{ steps.bake.outputs.manifestsBundle }} - images: | - ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} - imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v4 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index 1a89f3c0fb..6c87057a59 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml 
@@ -1,14 +1,16 @@ # This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code # # This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# The ACR should be attached to the AKS cluster # For instructions see: # - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal # - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli#configure-acr-integration-for-existing-aks-clusters # - https://github.com/Azure/aks-create-action # # To configure this workflow: # -# 1. Set the following secrets in your repository (instructions for getting these +# 1. Set the following secrets in your repository (instructions for getting these # https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID @@ -33,7 +35,7 @@ name: Build and deploy an app to AKS with Kustomize on: push: - branches: [ $default-branch ] + branches: [$default-branch] workflow_dispatch: env: @@ -41,7 +43,6 @@ env: CONTAINER_NAME: "your-container-name" RESOURCE_GROUP: "your-resource-group" CLUSTER_NAME: "your-cluster-name" - IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" KUSTOMIZE_PATH: "your-kustomize-path" jobs: 
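Review bot: The new header line `# The ACR should be attached to the AKS cluster` replaces the deleted `createSecret` job but says nothing about what that job left behind: a registry configured by an earlier run of this template had its admin user switched on (`az acr update ... --admin-enabled true` in the removed job) and a pull secret named by the removed `IMAGE_PULL_SECRET_NAME` was created in the cluster, and neither is cleaned up or mentioned. Suggest extending the header with `# If you ran an earlier version of this workflow, disable the ACR admin user and delete the image pull secret it created` so the credential the old job minted does not stay live after the migration. The same applies to the header hunk of deployments/azure-kubernetes-service.yml further down. Since the deploy step no longer passes `imagepullsecrets`, a missing attachment presumably shows up as a pod stuck pulling rather than as a failed workflow run, which is worth one more sentence in the header.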
@@ -51,106 +52,62 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 + # Checks out the repository this file is in + - uses: actions/checkout@v3 - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Builds and pushes an image up to your Azure Container Registry - - name: Build and push image to ACR - run: | - az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . - - createSecret: - permissions: - contents: read - id-token: write - runs-on: ubuntu-latest - steps: - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # Retrieves the credentials for pulling images from your Azure Container Registry - - name: Get ACR credentials - run: | - az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true - ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) - ACR_PASSWORD=$(az acr credential show -g ${{ 
env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) - echo "::add-mask::${ACR_USERNAME}" - echo "::set-output name=username::${ACR_USERNAME}" - echo "::add-mask::${ACR_PASSWORD}" - echo "::set-output name=password::${ACR_PASSWORD}" - id: get-acr-creds + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . - # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step - - name: Create K8s secret for pulling image from ACR - uses: Azure/k8s-create-secret@v1.1 - with: - container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io - container-registry-username: ${{ steps.get-acr-creds.outputs.username }} - container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} - deploy: permissions: actions: read contents: read id-token: write runs-on: ubuntu-latest - needs: [buildImage, createSecret] + needs: [buildImage] steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 + # Checks out the repository this file is in + - uses: actions/checkout@v3 - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: 
azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v3 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} - # Runs Kustomize to create manifest files - - name: Bake deployment - uses: azure/k8s-bake@v2.1 - with: - renderEngine: 'kustomize' - kustomizationPath: ${{ env.KUSTOMIZE_PATH }} - kubectl-version: latest - id: bake + # Runs Kustomize to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2 + with: + renderEngine: "kustomize" + kustomizationPath: ${{ env.KUSTOMIZE_PATH }} + kubectl-version: latest + id: bake - # Deploys application based on manifest files from previous step - - name: Deploy application - uses: Azure/k8s-deploy@v3.1 - with: - action: deploy - manifests: ${{ steps.bake.outputs.manifestsBundle }} - images: | - ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} - imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v4 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index 3e4941911e..f0b2b3814f 100644 --- a/deployments/azure-kubernetes-service.yml +++ b/deployments/azure-kubernetes-service.yml 
@@ -1,9 +1,11 @@ # This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code # # This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# The ACR should be attached to the AKS cluster # For instructions see: # - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal # - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli#configure-acr-integration-for-existing-aks-clusters # - https://github.com/Azure/aks-create-action # # To configure this workflow: @@ -29,7 +31,7 @@ name: Build and deploy an app to AKS on: push: - branches: [ $default-branch ] + branches: [$default-branch] workflow_dispatch: env: @@ -37,8 +39,7 @@ env: CONTAINER_NAME: "your-container-name" RESOURCE_GROUP: "your-resource-group" CLUSTER_NAME: "your-cluster-name" - IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" - DEPLOYMENT_MANIFEST_PATH: 'your-deployment-manifest-path' + DEPLOYMENT_MANIFEST_PATH: "your-deployment-manifest-path" jobs: buildImage: 
@@ -47,63 +48,21 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Builds and pushes an image up to your Azure Container Registry - - name: Build and push image to ACR - run: | - az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + # Checks out the repository this file is in + - uses: actions/checkout@v3 - createSecret: - permissions: - contents: read - id-token: write - runs-on: ubuntu-latest - steps: - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} - - # Retrieves the credentials for pulling images from your Azure Container Registry - - name: Get ACR credentials - run: | - az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true - ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) - ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) - echo "::add-mask::${ACR_USERNAME}" - echo "::set-output name=username::${ACR_USERNAME}" - echo "::add-mask::${ACR_PASSWORD}" - echo "::set-output 
name=password::${ACR_PASSWORD}" - id: get-acr-creds + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step - - name: Create K8s secret for pulling image from ACR - uses: Azure/k8s-create-secret@v1.1 - with: - container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io - container-registry-username: ${{ steps.get-acr-creds.outputs.username }} - container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . deploy: permissions: 
@@ -111,33 +70,31 @@ jobs: contents: read id-token: write runs-on: ubuntu-latest - needs: [buildImage, createSecret] + needs: [buildImage] steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} + # Checks out the repository this file is in + - uses: actions/checkout@v3 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v3 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} - # Deploys application based on given manifest file - - name: Deploys application - uses: Azure/k8s-deploy@v3.1 - with: - action: deploy - manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }} - images: | - ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} - imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file + # Deploys application based on given manifest file + - name: Deploys application + uses: Azure/k8s-deploy@v4 + with: + action: deploy + manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} From 4367f77de0ebfc8e0bfd31a369320d5d57610c51 Mon Sep 17 00:00:00 2001 
From: Adrian Mato Date: Thu, 20 Oct 2022 16:06:10 -0700 Subject: [PATCH 562/844] add: concurrency and default branch ref --- pages/astro.yml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index 544b93d31c..b3ef3514c6 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -2,25 +2,29 @@ # # To get started with Astro see: https://docs.astro.build/en/getting-started/ # - name: Deploy Astro site to Pages on: + # Runs on pushes targeting the default branch push: - branches: [main] - # paths: - # only needed when project in subfolder - # - "subfolder" - # - ".github/workflows/astro.yml" + branches: [$default-branch] + + # Allows you to run this workflow manually from the Actions tab workflow_dispatch: +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages permissions: contents: read pages: write id-token: write +# Allow one concurrent deployment +concurrency: + group: "pages" + cancel-in-progress: true + env: - PAT: '.' # default value when not using subfolders + PAT: "." # default value when not using subfolders # PAT: subfolder jobs: From a2272ea794367d19ee4866bc1620fc318693778a Mon Sep 17 00:00:00 2001 From: Adrian Mato Date: Thu, 20 Oct 2022 16:10:14 -0700 Subject: [PATCH 563/844] update: rename subfolder path to avoid confusion --- pages/astro.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index b3ef3514c6..13d209bc16 100644 --- a/pages/astro.yml +++ b/pages/astro.yml 
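Review bot: `cancel-in-progress: true` under the new `concurrency` block aborts a deployment that is already running as soon as another push lands, which may leave the published site between two states if the cancel hits mid-deploy. If the intent of `# Allow one concurrent deployment` is only to collapse queued runs, `cancel-in-progress: false` lets the running deployment finish while still skipping the intermediate queued runs. Either way the comment should say which behaviour is intended, e.g. `# Allow one concurrent deployment; newer pushes cancel a run that is still deploying`.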
@@ -24,24 +24,24 @@ concurrency: cancel-in-progress: true env: - PAT: "." # default value when not using subfolders - # PAT: subfolder + BUILD_PATH: "." # default value when not using subfolders + # BUILD_PATH: subfolder jobs: build: - name: Build & Deploy + name: Build runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: node-version: 16 - cache-dependency-path: ${{ env.PAT }}/package-lock.json + cache-dependency-path: ${{ env.BUILD_PATH }}/package-lock.json - run: npm install && npm run build - working-directory: ${{ env.PAT }} + working-directory: ${{ env.BUILD_PATH }} - uses: actions/upload-pages-artifact@v1 with: - path: ${{ env.PAT }}/dist + path: ${{ env.BUILD_PATH }}/dist deploy: needs: build From e05fb5453707149f64da79b7755479a06dd6137a Mon Sep 17 00:00:00 2001 From: Adrian Mato Date: Thu, 20 Oct 2022 16:30:54 -0700 Subject: [PATCH 564/844] minor tweaks for consistency with other templates --- pages/astro.yml | 32 ++++++++++++++++++++++++++------ 1 file changed, 26 insertions(+), 6 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index 13d209bc16..1d4ec5fcb8 100644 --- a/pages/astro.yml +++ b/pages/astro.yml 
@@ -32,10 +32,30 @@ jobs: name: Build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 + - name: Checkout + uses: actions/checkout@v3 + - name: Detect package manager + id: detect-package-manager + run: | + if [ -f "${{ github.workspace }}/yarn.lock" ]; then + echo "::set-output name=manager::yarn" + echo "::set-output name=command::install" + echo "::set-output name=runner::yarn" + exit 0 + elif [ -f "${{ github.workspace }}/package.json" ]; then + echo "::set-output name=manager::npm" + echo "::set-output name=command::ci" + echo "::set-output name=runner::npx --no-install" + exit 0 + else + echo "Unable to determine packager manager" + exit 1 + fi + - name: Setup Node + uses: actions/setup-node@v3 with: - node-version: 16 + node-version: "16" + cache: ${{ steps.detect-package-manager.outputs.manager }} cache-dependency-path: ${{ env.BUILD_PATH }}/package-lock.json - run: npm install && npm run build working-directory: ${{ env.BUILD_PATH }} @@ -44,12 +64,12 @@ jobs: path: ${{ env.BUILD_PATH }}/dist deploy: - needs: build - name: Deploy - runs-on: ubuntu-latest environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} + needs: build + runs-on: ubuntu-latest + name: Deploy steps: - name: Deploy to GitHub Pages id: deployment From 03afd8292058dd5860870efad5c27295dd1fc67d Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Mon, 24 Oct 2022 15:22:18 -0700 Subject: [PATCH 565/844] Update to latest commit sha --- ci/maven.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/maven.yml b/ci/maven.yml index d762ee9a9a..4a8d107309 100644 --- a/ci/maven.yml +++ b/ci/maven.yml 
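Review bot: The new `Detect package manager` step sets `manager`, `command` and `runner`, but only `manager` is consumed: the install still runs the unchanged `npm install && npm run build`, and `cache-dependency-path` still points at `${{ env.BUILD_PATH }}/package-lock.json`, so when `yarn.lock` is found the cache input is `yarn` with an npm lockfile path and setup-node cannot resolve it. The lockfile probes also look in `${{ github.workspace }}` while the build runs in `${{ env.BUILD_PATH }}`, so a subfolder project is detected against the wrong directory. The rewrite below probes under `BUILD_PATH`, exposes the lockfile name as an output, and drives the install from the detected manager; `::set-output` is also deprecated in favour of `$GITHUB_OUTPUT`, and the error string has a typo (`packager manager`). The second hunk of this commit, the key reorder in `deploy`, is fine as is.
```yaml
      - name: Detect package manager
        id: detect-package-manager
        run: |
          if [ -f "${{ github.workspace }}/${{ env.BUILD_PATH }}/yarn.lock" ]; then
            echo "manager=yarn" >> "$GITHUB_OUTPUT"
            echo "command=install" >> "$GITHUB_OUTPUT"
            echo "runner=yarn" >> "$GITHUB_OUTPUT"
            echo "lockfile=yarn.lock" >> "$GITHUB_OUTPUT"
            exit 0
          elif [ -f "${{ github.workspace }}/${{ env.BUILD_PATH }}/package.json" ]; then
            echo "manager=npm" >> "$GITHUB_OUTPUT"
            echo "command=ci" >> "$GITHUB_OUTPUT"
            echo "runner=npx --no-install" >> "$GITHUB_OUTPUT"
            echo "lockfile=package-lock.json" >> "$GITHUB_OUTPUT"
            exit 0
          else
            echo "Unable to determine package manager"
            exit 1
          fi
      # … unchanged: Setup Node step, node-version and cache inputs …
          cache-dependency-path: ${{ env.BUILD_PATH }}/${{ steps.detect-package-manager.outputs.lockfile }}
      - name: Install and build
        run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }} && ${{ steps.detect-package-manager.outputs.manager }} run build
        working-directory: ${{ env.BUILD_PATH }}
```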
@@ -32,4 +32,4 @@ jobs: # Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive - name: Update dependency graph - uses: advanced-security/maven-dependency-submission-action@v1 + uses: advanced-security/maven-dependency-submission-action@571e99aab1055c2e71a1e2309b9691de18d6b7d6 From cf8803940451b743087390d37a4bd1db62503efb Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Mon, 24 Oct 2022 15:22:49 -0700 Subject: [PATCH 566/844] Add optional marking --- ci/maven.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/maven.yml b/ci/maven.yml index 4a8d107309..31fb19ffa5 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -29,7 +29,7 @@ jobs: cache: maven - name: Build with Maven run: mvn -B package --file pom.xml - - # Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive + + # Optional: Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive - name: Update dependency graph uses: advanced-security/maven-dependency-submission-action@571e99aab1055c2e71a1e2309b9691de18d6b7d6 From c1444385ea259d1d65245650e32286eb22ea1341 Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Mon, 24 Oct 2022 15:24:40 -0700 Subject: [PATCH 567/844] Mark optional and use commit SHA --- ci/scala.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/scala.yml b/ci/scala.yml index 9e786727b0..14ba966947 100644 --- a/ci/scala.yml +++ b/ci/scala.yml 
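Review bot: The new pin `uses: advanced-security/maven-dependency-submission-action@571e99aab1055c2e71a1e2309b9691de18d6b7d6` carries no hint of which release the SHA corresponds to, so a reader or a pin-refreshing tool cannot tell what version is in use without resolving the commit; the scorecards hunk later in this series shows the convention, a `# v2.0.6` marker after the SHA. Suggest `uses: advanced-security/maven-dependency-submission-action@571e99aab1055c2e71a1e2309b9691de18d6b7d6 # <release tag this SHA corresponds to>`. The same applies to the scalacenter/sbt-dependency-submission pin in ci/scala.yml and to the Zscaler, SOOS and APIsec SHA bumps further down.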
@@ -29,6 +29,6 @@ jobs: cache: 'sbt' - name: Run tests run: sbt test - # This step uploads information to the GitHub dependency graph and unblocking Dependabot alerts for the repository + # Optional: This step uploads information to the GitHub dependency graph and unblocking Dependabot alerts for the repository - name: Upload dependency graph - uses: scalacenter/sbt-dependency-submission@v2 + uses: scalacenter/sbt-dependency-submission@ab086b50c947c9774b70f39fc7f6e20ca2706c91 From ee5b05445ac5bdd8c014232489d3215d22e0ddf8 Mon Sep 17 00:00:00 2001 From: Jeevan Reddy Ragula Date: Tue, 25 Oct 2022 16:32:52 +0530 Subject: [PATCH 568/844] update zscaler iac scan version --- code-scanning/zscaler-iac-scan.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml index c6020a5faf..e880bdf941 100644 --- a/code-scanning/zscaler-iac-scan.yml +++ b/code-scanning/zscaler-iac-scan.yml @@ -7,7 +7,7 @@ #which detects security misconfigurations in IaC templates and publishes the findings #under the code scanning alerts section within the repository. -#Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process. +#Log into the Zscaler Posture Control(ZPC) Portal to begin the onboarding process. #Copy the client ID and client secret key generated during the onboarding process and configure. #GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). 
@@ -36,12 +36,12 @@ jobs: - name : Code Checkout uses: actions/checkout@v3 - name : Zscaler IAC Scan - uses : ZscalerCWP/Zscaler-IaC-Action@8f0d8b60bd5a8f44062d444463f66f419ab71cfc + uses : ZscalerCWP/Zscaler-IaC-Action@8d2afb33b10b4bd50e2dc2c932b37c6e70ac1087 id : zscaler-iac-scan with: client_id : ${{ secrets.ZSCANNER_CLIENT_ID }} client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }} - #This is the user region specified during the onboarding process within the ZWP Admin Portal. + #This is the user region specified during the onboarding process within the ZPC Admin Portal. region : 'US' iac_dir : #Enter the IaC directory path from root. iac_file : #Enter the IaC file path from root. From 9d82221b3c47a53248149b62bc84bfdc8ba6e57d Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 25 Oct 2022 16:23:39 +0200 Subject: [PATCH 569/844] Create sonarqube.yaml --- code-scanning/sonarqube.yaml | 65 ++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 code-scanning/sonarqube.yaml diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yaml new file mode 100644 index 0000000000..c6fbfce7b8 --- /dev/null +++ b/code-scanning/sonarqube.yaml 
@@ -0,0 +1,65 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow helps you trigger a SonarQube analysis of your code and populates +# GitHub Code Scanning alerts with the vulnerabilities found. +# (this feature is available starting from Developer Edition) + +# 1. Make sure you add a valid GitHub configuration to your SonarQube (Administration > DevOps platforms > GitHub) + +# 2. Import your project on SonarQube +# * Add your repository as a new project by clicking "Create project" from your homepage. +# +# 3. Select GitHub Actions as your CI and follow the tutorial +# * a. Copy/paste the Project Key and the Organization Key into the args parameter below +# (You'll find this information in SonarQube. Click on "Information" at the bottom left) +# +# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN +# (On SonarQube, click on your avatar on top-right > My account > Security +# or go directly to https://sonarcloud.io/account/security/) + +# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) +# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) + +name: SonarQube analysis + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + workflow_dispatch: + +permissions: + pull-requests: read # allows SonarQube to decorate PRs with analysis results + +jobs: + Analysis: + runs-on: ubuntu-latest + + steps: + - name: Analyze with SonarQube + + # You can pin the exact commit or the version. 
+ # uses: SonarSource/sonarqube-scan-action@v1.1.0 + uses: SonarSource/sonarqube-scan-action@v1.1.0 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on SonarQube, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # add the URL of your instance to the secrets of this repo with the name SONAR_HOST_URL (Settings > Secrets > Actions > add new repository secret) + with: + # Additional arguments for the sonarcloud scanner + args: + # Unique key of your project. You can find it in SonarQube > [my project] > Project Information (top-right menu) + # mandatory + -Dsonar.projectKey= + # Comma-separated paths to directories containing main source files. + #-Dsonar.sources= # optional, default is project base directory + # When you need the analysis to take place in a directory other than the one from which it was launched + #-Dsonar.projectBaseDir= # optional, default is . + # Comma-separated paths to directories containing test source files. + #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ + # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. + #-Dsonar.verbose= # optional, default is false From f44ecbf0e28eae370cbcbece24deff8737158257 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 25 Oct 2022 16:29:30 +0200 Subject: [PATCH 570/844] Added comments --- code-scanning/sonarqube.yaml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) 
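Review bot: The `Analysis` job has no `actions/checkout` step before `uses: SonarSource/sonarqube-scan-action@v1.1.0`, so the scanner runs against an empty workspace; the job needs `- uses: actions/checkout@v3` with `fetch-depth: 0` as its first step (a shallow clone presumably breaks the scanner's new-code detection — verify against the SonarQube docs). Adding the checkout also requires `contents: read` next to `pull-requests: read` in the `permissions` block, because an explicit `permissions` key sets every unlisted scope to none. The `args` value is a plain multi-line scalar that begins at `-Dsonar.projectKey=` after the comment lines; uncommenting one of the following `#-Dsonar.*` lines folds it into the same scalar, which works but only if the indentation is kept, so a comment such as `# keep every uncommented -D line at this indentation` would save users a confusing parse error.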
diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yaml index c6fbfce7b8..e9b8d98742 100644 --- a/code-scanning/sonarqube.yaml +++ b/code-scanning/sonarqube.yaml @@ -13,15 +13,16 @@ # * Add your repository as a new project by clicking "Create project" from your homepage. # # 3. Select GitHub Actions as your CI and follow the tutorial -# * a. Copy/paste the Project Key and the Organization Key into the args parameter below -# (You'll find this information in SonarQube. Click on "Information" at the bottom left) +# * a. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN +# (On SonarQube, click on your avatar on top-right > My account > Security or ask your administrator) # -# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN -# (On SonarQube, click on your avatar on top-right > My account > Security -# or go directly to https://sonarcloud.io/account/security/) +# * b. Copy/paste your SonarQube host URL to your Github repository's secrets using the name SONAR_HOST_URL +# +# * c. Copy/paste the project Key into the args parameter below +# (You'll find this information in SonarQube by following the tutorial or by clicking on Project Information at the top-right of your project's homepage) -# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) -# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) +# Feel free to take a look at our documentation (https://docs.sonarqube.org/latest/analysis/github-integration/) +# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/sq/10) name: SonarQube analysis From 4a1cad76c04ded3d2d1e1f20778ea3855c9e5d1d Mon Sep 17 00:00:00 2001 
From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 25 Oct 2022 16:57:24 +0200 Subject: [PATCH 571/844] Added reference to documentation --- code-scanning/sonarqube.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yaml index e9b8d98742..f34d48e73c 100644 --- a/code-scanning/sonarqube.yaml +++ b/code-scanning/sonarqube.yaml @@ -5,7 +5,7 @@ # This workflow helps you trigger a SonarQube analysis of your code and populates # GitHub Code Scanning alerts with the vulnerabilities found. -# (this feature is available starting from Developer Edition) +# (this feature is available starting from SonarQube 9.7, Developer Edition and above) # 1. Make sure you add a valid GitHub configuration to your SonarQube (Administration > DevOps platforms > GitHub) From 65cfd09f0d556e4bcaf18ed7555c5af1cdce91d3 Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez Date: Wed, 26 Oct 2022 16:05:53 -0300 Subject: [PATCH 572/844] update soos dast to latest version --- code-scanning/soos-dast-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 47f6c4892e..0b982d3adb 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Scan - uses: soos-io/soos-dast-github-action@5f8e2a1994d618e6ac9902e0f491fd1656b698e6 + uses: soos-io/soos-dast-github-action@093de8c09530d4b96f12322adeb74444def866db with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} From 81a4ed37489870ca8016e5d64aaee8aa1c0c2f03 Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez Date: Wed, 26 Oct 2022 16:10:52 -0300 Subject: [PATCH 573/844] comment about latest version --- code-scanning/soos-dast-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 0b982d3adb..825f573a9d 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Scan - uses: soos-io/soos-dast-github-action@093de8c09530d4b96f12322adeb74444def866db + uses: soos-io/soos-dast-github-action@093de8c09530d4b96f12322adeb74444def866db # Use latest version from https://github.com/marketplace/actions/soos-dast with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} From c36348cbc69edcc1766b7c5927c5ceaa3a9d902c Mon Sep 17 00:00:00 2001 From: Angela P Wen Date: Wed, 26 Oct 2022 23:28:17 +0000 Subject: [PATCH 574/844] Add Go to code scanning autobuild comment --- code-scanning/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 00ffcdb7af..34c5de72a1 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -53,7 +53,7 @@ jobs: # queries: security-extended,security-and-quality - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild uses: github/codeql-action/autobuild@v2 From ae7e197e30022cb4359c3d686798ca03f042a42b Mon Sep 17 00:00:00 2001 From: Adrian Mato Date: Wed, 26 Oct 2022 19:19:46 -0700 Subject: [PATCH 575/844] add: astro icon --- icons/astro.svg | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 icons/astro.svg diff --git a/icons/astro.svg b/icons/astro.svg new file mode 100644 index 0000000000..ff9dd54b54 --- /dev/null +++ b/icons/astro.svg @@ -0,0 +1,20 @@ + + + + + + + + + + + + + + + + + + + + From 57f76cbb16a75bd7c17ce270e67a667e0d083676 Mon Sep 17 00:00:00 2001 
From: Adrian Mato Date: Wed, 26 Oct 2022 19:21:14 -0700 Subject: [PATCH 576/844] add: astro properties --- pages/properties/astro.properties.json | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 pages/properties/astro.properties.json diff --git a/pages/properties/astro.properties.json b/pages/properties/astro.properties.json new file mode 100644 index 0000000000..bc7db05d05 --- /dev/null +++ b/pages/properties/astro.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Astro", + "description": "Deploy an Astro site.", + "iconName": "astro", + "categories": ["Pages", "Astro"] +} From b56cd5718e3a1f4ab9c35471b8a7fd4db9569fbf Mon Sep 17 00:00:00 2001 From: Mohammed Asif <87167426+asifadn9@users.noreply.github.com> Date: Thu, 27 Oct 2022 16:59:58 +0530 Subject: [PATCH 577/844] Update apisec-scan.yml --- code-scanning/apisec-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 5a9b75138d..fc09be3793 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -53,7 +53,7 @@ jobs: steps: - name: APIsec scan - uses: apisec-inc/apisec-run-scan@f62d0c6fae8a80f97b091a323befdb56e6ad9993 + uses: apisec-inc/apisec-run-scan@f748a240d69ca6cd7e9532fd0a47bec4ccd6a73c with: # The APIsec username with which the scans will be executed apisec-username: ${{ secrets.apisec_username }} From 21885a7e846d33a4d2393c8916620a383e20a189 Mon Sep 17 00:00:00 2001 From: Pedro Kaj Kjellerup Nacht Date: Thu, 27 Oct 2022 13:22:19 +0000 Subject: [PATCH 578/844] Update scorecard-action to 2.0.6 --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 0e159aa2ba..11e305f3f3 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml 
@@ -37,7 +37,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@e363bfca00e752f91de7b7d2a77340e2e523cb18 # v2.0.4 + uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6 with: results_file: results.sarif results_format: sarif From 7714a42d7a7f9901b9ea6589b98c906a544beb13 Mon Sep 17 00:00:00 2001 From: Luca Casonato Date: Mon, 31 Oct 2022 14:15:11 +0100 Subject: [PATCH 579/844] Update denoland/setup-deno workflow This updates the version of the denoland/setup-deno action used in ci/deno.yml starter workflow to a version that uses node16, to remove the warning about node12 workflows being deprecated. The version updated to is the latest released version, v1.1.1: https://github.com/denoland/setup-deno/releases/tag/v1.1.1 --- ci/deno.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/deno.yml b/ci/deno.yml index 2234bf6a6e..5ee940df1f 100644 --- a/ci/deno.yml +++ b/ci/deno.yml @@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. -# This workflow will install Deno then run Deno lint and test. +# This workflow will install Deno then run `deno lint` and `deno test`. # For more information see: https://github.com/denoland/setup-deno name: Deno @@ -27,7 +27,7 @@ jobs: - name: Setup Deno # uses: denoland/setup-deno@v1 - uses: denoland/setup-deno@004814556e37c54a2f6e31384c9e18e983317366 + uses: denoland/setup-deno@9db7f66e8e16b5699a514448ce994936c63f0d54 with: deno-version: v1.x @@ -39,4 +39,4 @@ jobs: run: deno lint - name: Run tests - run: deno test -A --unstable + run: deno test -A From c7e73d7edc4e376bfdb148a7ee0a1d732c8443f9 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 3 Nov 2022 11:23:48 +0100 Subject: [PATCH 580/844] Update sonarqube.yaml --- code-scanning/sonarqube.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
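Review bot: The new pinned line `uses: denoland/setup-deno@9db7f66e8e16b5699a514448ce994936c63f0d54` carries no release annotation, so a reader of the workflow cannot tell that this SHA is v1.1.1 without going back to the commit message; the scorecard hunk earlier in this series shows the convention (`# v2.0.6`). Suggest `uses: denoland/setup-deno@9db7f66e8e16b5699a514448ce994936c63f0d54 # v1.1.1` so the pin is reviewable in place. The commented alternative `# uses: denoland/setup-deno@v1` just above points at a mutable tag; a short note there that it trades reproducibility for convenience would help people copying the template choose deliberately. The job's remaining steps lie outside this hunk.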
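Review bot: The rewritten line `run: deno test -A` still runs the suite with `--allow-all`, so every Deno permission (network, file system, environment, subprocess) is granted to the test code and everything it imports; since this line is being edited, it is the natural place to state why that is acceptable for a starter workflow or to narrow it. A comment on the preceding line such as `# -A grants all permissions; replace with the specific --allow-* flags your tests need` would make the trade-off explicit to anyone adopting the template. Removing `--unstable` itself looks consistent with the commit description. The surrounding job begins outside the hunk.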
diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yaml index f34d48e73c..23f79da99c 100644 --- a/code-scanning/sonarqube.yaml +++ b/code-scanning/sonarqube.yaml @@ -13,10 +13,10 @@ # * Add your repository as a new project by clicking "Create project" from your homepage. # # 3. Select GitHub Actions as your CI and follow the tutorial -# * a. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN +# * a. Generate a new token and add it to your GitHub repository's secrets using the name SONAR_TOKEN # (On SonarQube, click on your avatar on top-right > My account > Security or ask your administrator) # -# * b. Copy/paste your SonarQube host URL to your Github repository's secrets using the name SONAR_HOST_URL +# * b. Copy/paste your SonarQube host URL to your GitHub repository's secrets using the name SONAR_HOST_URL # # * c. Copy/paste the project Key into the args parameter below # (You'll find this information in SonarQube by following the tutorial or by clicking on Project Information at the top-right of your project's homepage) From ca67faa01ca580695b67779e7cc67cf4b6586ddd Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 3 Nov 2022 11:25:29 +0100 Subject: [PATCH 581/844] Rename sonarqube.yaml to sonarqube.yml --- code-scanning/{sonarqube.yaml => sonarqube.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename code-scanning/{sonarqube.yaml => sonarqube.yml} (100%) diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yml similarity index 100% rename from code-scanning/sonarqube.yaml rename to code-scanning/sonarqube.yml From a5ee5608b9f19e8c4949b365711030820ead5d69 Mon Sep 17 00:00:00 2001 
From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 3 Nov 2022 11:27:23 +0100 Subject: [PATCH 582/844] Create sonarqube.properties.json --- code-scanning/properties/sonarqube.properties.json | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 code-scanning/properties/sonarqube.properties.json diff --git a/code-scanning/properties/sonarqube.properties.json b/code-scanning/properties/sonarqube.properties.json new file mode 100644 index 0000000000..9912c5174d --- /dev/null +++ b/code-scanning/properties/sonarqube.properties.json @@ -0,0 +1,7 @@ +{ + "name": "SonarQube", + "creator": "Sonar", + "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start cleaning your code in minutes!", + "iconName": "sonarqube", + "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"] +} From 4c8f3a77aa64cc3b5da5b5b244d75e07285e77d3 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 3 Nov 2022 11:28:50 +0100 Subject: [PATCH 583/844] Add files via upload --- icons/SonarQube icon.svg | 1 + 1 file changed, 1 insertion(+) create mode 100644 icons/SonarQube icon.svg diff --git a/icons/SonarQube icon.svg b/icons/SonarQube icon.svg new file mode 100644 index 0000000000..b5c23d8f74 --- /dev/null +++ b/icons/SonarQube icon.svg @@ -0,0 +1 @@ +SonarQube icon \ No newline at end of file From 5081d1525082e71f7be1c3eb381c7e5443e28f95 Mon Sep 17 00:00:00 2001 
From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 3 Nov 2022 11:29:30 +0100 Subject: [PATCH 584/844] Rename SonarQube icon.svg to sonarqube.svg --- icons/{SonarQube icon.svg => sonarqube.svg} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename icons/{SonarQube icon.svg => sonarqube.svg} (94%) diff --git a/icons/SonarQube icon.svg b/icons/sonarqube.svg similarity index 94% rename from icons/SonarQube icon.svg rename to icons/sonarqube.svg index b5c23d8f74..a4bba35d37 100644 --- a/icons/SonarQube icon.svg +++ b/icons/sonarqube.svg @@ -1 +1 @@ -SonarQube icon \ No newline at end of file +SonarQube icon From 84381b5f5ca76d70f5041ab1b484b4e8bf267c7b Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Thu, 3 Nov 2022 17:29:01 +0000 Subject: [PATCH 585/844] Update checkmarx-one.properties.json --- code-scanning/properties/checkmarx-one.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/checkmarx-one.properties.json b/code-scanning/properties/checkmarx-one.properties.json index f5ebef8bab..c1b2eea43b 100644 --- a/code-scanning/properties/checkmarx-one.properties.json +++ b/code-scanning/properties/checkmarx-one.properties.json @@ -3,5 +3,5 @@ "creator": "Checkmarx", "description": "Beat vulnerabilities with more secure code.Scan your code with Checkmarx One and see results in the GitHub code scanning.", "iconName": "checkmarx", - "categories": ["Code Scanning","code-quality", "javascript", "python", "java", "php", "c#", "c", "c++", "ruby", "swift", "go", "json", "kotlin", "apex", "scala", "perl"] -} \ No newline at end of file + "categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "c", "c++", "ruby", "swift", "go", "json", "kotlin", "apex", "scala", "perl"] +} From 0b50b4b57933ac53f9bf799ff67aea8c2bdcaddf Mon Sep 17 00:00:00 2001 
From: jorgectf Date: Fri, 4 Nov 2022 20:45:41 +0100 Subject: [PATCH 586/844] Remove extra whitespaces --- .github/dependabot.yml | 6 ++--- ci/ada.yml | 2 +- ci/cmake.yml | 4 +-- ci/go-ossf-slsa3-publish.yml | 8 +++--- ci/makefile.yml | 8 +++--- ci/npm-grunt.yml | 2 +- ci/npm-gulp.yml | 2 +- ci/webpack.yml | 2 +- code-scanning/apisec-scan.yml | 6 ++--- code-scanning/brakeman.yml | 2 +- code-scanning/checkmarx.yml | 2 +- code-scanning/clj-holmes.yml | 4 +-- code-scanning/clj-watson.yml | 6 ++--- code-scanning/cloudrail.yml | 6 ++--- code-scanning/codacy.yml | 2 +- code-scanning/codeql.yml | 6 ++--- code-scanning/codescan.yml | 2 +- code-scanning/contrast-scan.yml | 8 +++--- code-scanning/detekt.yml | 4 +-- code-scanning/devskim.yml | 2 +- code-scanning/eslint.yml | 4 +-- code-scanning/ethicalcheck.yml | 8 +++--- code-scanning/hadolint.yml | 2 +- code-scanning/lintr.yml | 2 +- code-scanning/mobsf.yml | 4 +-- code-scanning/msvc.yml | 2 +- code-scanning/neuralegion.yml | 4 +-- code-scanning/njsscan.yml | 2 +- code-scanning/ossar.yml | 2 +- code-scanning/phpmd.yml | 6 ++--- code-scanning/pmd.yml | 2 +- code-scanning/powershell.yml | 10 +++---- code-scanning/prisma.yml | 2 +- code-scanning/puppet-lint.yml | 2 +- code-scanning/rust-clippy.yml | 4 +-- code-scanning/securitycodescan.yml | 6 ++--- code-scanning/semgrep.yml | 2 +- code-scanning/snyk-container.yml | 2 +- code-scanning/snyk-infrastructure.yml | 2 +- code-scanning/sobelow.yml | 6 ++--- code-scanning/sonarcloud.yml | 16 ++++++------ code-scanning/soos-dast-scan.yml | 4 +-- code-scanning/synopsys-io.yml | 16 ++++++------ code-scanning/sysdig-scan.yml | 6 ++--- code-scanning/tfsec.yml | 6 ++--- code-scanning/trivy.yml | 2 +- code-scanning/veracode.yml | 2 +- code-scanning/xanitizer.yml | 2 +- code-scanning/zscan.yml | 9 +++---- deployments/alibabacloud.yml | 32 +++++++++++------------ deployments/azure-container-webapp.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 2 +- deployments/azure-webapps-java-jar.yml 
| 2 +- deployments/azure-webapps-node.yml | 2 +- deployments/azure-webapps-python.yml | 8 +++--- deployments/tencent.yml | 12 ++++----- 56 files changed, 140 insertions(+), 141 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 62283f9e3c..ee66df244f 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -5,12 +5,12 @@ version: 2 updates: - - package-ecosystem: "npm" + - package-ecosystem: "npm" directory: "/" schedule: interval: "weekly" - - - package-ecosystem: "github-actions" + + - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" diff --git a/ci/ada.yml b/ci/ada.yml index 7e94b3855e..417ed2e006 100644 --- a/ci/ada.yml +++ b/ci/ada.yml @@ -17,7 +17,7 @@ jobs: - name: Set up GNAT toolchain run: > - sudo apt-get update && + sudo apt-get update && sudo apt-get install gnat gprbuild - name: Build diff --git a/ci/cmake.yml b/ci/cmake.yml index 6f06f756ca..95d7efd7cf 100644 --- a/ci/cmake.yml +++ b/ci/cmake.yml @@ -31,7 +31,7 @@ jobs: - name: Test working-directory: ${{github.workspace}}/build - # Execute tests defined by the CMake configuration. + # Execute tests defined by the CMake configuration. # See https://cmake.org/cmake/help/latest/manual/ctest.1.html for more detail run: ctest -C ${{env.BUILD_TYPE}} - + diff --git a/ci/go-ossf-slsa3-publish.yml b/ci/go-ossf-slsa3-publish.yml index a7388752f0..b357cc07d9 100644 --- a/ci/go-ossf-slsa3-publish.yml +++ b/ci/go-ossf-slsa3-publish.yml 
@@ -3,10 +3,10 @@ # separate terms of service, privacy policy, and support # documentation. -# This workflow lets you compile your Go project using a SLSA3 compliant builder. -# This workflow will generate a so-called "provenance" file describing the steps +# This workflow lets you compile your Go project using a SLSA3 compliant builder. +# This workflow will generate a so-called "provenance" file describing the steps # that were performed to generate the final binary. -# The project is an initiative of the OpenSSF (openssf.org) and is developed at +# The project is an initiative of the OpenSSF (openssf.org) and is developed at # https://github.com/slsa-framework/slsa-github-generator. # The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. # For more information about SLSA and how it improves the supply-chain, visit slsa.dev. @@ -21,7 +21,7 @@ permissions: read-all jobs: # ======================================================================================================================================== - # Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project. + # Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project. # See format in https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file #========================================================================================================================================= build: diff --git a/ci/makefile.yml b/ci/makefile.yml index 0156944cdc..1b53855ad3 100644 --- a/ci/makefile.yml +++ b/ci/makefile.yml @@ -13,15 +13,15 @@ jobs: steps: - uses: actions/checkout@v3 - + - name: configure run: ./configure - + - name: Install dependencies run: make - + - name: Run check run: make check - + - name: Run distcheck run: make distcheck diff --git a/ci/npm-grunt.yml b/ci/npm-grunt.yml index e39ddbfe7c..0bcbd1c9ff 100644 --- a/ci/npm-grunt.yml +++ b/ci/npm-grunt.yml 
@@ -13,7 +13,7 @@ jobs: strategy: matrix: node-version: [14.x, 16.x, 18.x] - + steps: - uses: actions/checkout@v3 diff --git a/ci/npm-gulp.yml b/ci/npm-gulp.yml index 7606deaf43..7d79002e88 100644 --- a/ci/npm-gulp.yml +++ b/ci/npm-gulp.yml @@ -13,7 +13,7 @@ jobs: strategy: matrix: node-version: [14.x, 16.x, 18.x] - + steps: - uses: actions/checkout@v3 diff --git a/ci/webpack.yml b/ci/webpack.yml index 0bc6406270..2b8b18a805 100644 --- a/ci/webpack.yml +++ b/ci/webpack.yml @@ -13,7 +13,7 @@ jobs: strategy: matrix: node-version: [14.x, 16.x, 18.x] - + steps: - uses: actions/checkout@v3 diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 209e882d9b..09f50cd3b0 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -3,8 +3,8 @@ # separate terms of service, privacy policy, and support # documentation. -# APIsec addresses the critical need to secure APIs before they reach production. -# APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs. +# APIsec addresses the critical need to secure APIs before they reach production. +# APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs. # Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities. # How to Get Started with APIsec.ai @@ -50,7 +50,7 @@ jobs: Trigger_APIsec_scan: permissions: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: 
diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index 957343c7fe..5547c592c9 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -25,7 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Brakeman Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index 9bdb136065..582488a128 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -29,7 +29,7 @@ jobs: issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index 4487e237de..87f11cbceb 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml @@ -16,7 +16,7 @@ on: permissions: contents: read - + jobs: clj-holmes: name: Run clj-holmes scanning 
@@ -24,7 +24,7 @@ jobs: permissions: contents: read security-events: write - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml index 76903a9d04..59bfd41b8a 100644 --- a/code-scanning/clj-watson.yml +++ b/code-scanning/clj-watson.yml @@ -6,7 +6,7 @@ # seeking for vulnerable direct/transitive dependencies and # build a report with all the information needed to help you # understand how the vulnerability manifest in your software. -# More details at https://github.com/clj-holmes/clj-watson +# More details at https://github.com/clj-holmes/clj-watson name: clj-watson @@ -29,7 +29,7 @@ jobs: permissions: contents: read security-events: write - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 @@ -40,7 +40,7 @@ jobs: clj-watson-sha: "65d928c" clj-watson-tag: "v4.0.1" database-strategy: github-advisory - aliases: clojure-lsp,test + aliases: clojure-lsp,test deps-edn-path: deps.edn suggest-fix: true output-type: sarif diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml index 4a0cd73c00..e5defa3c57 100644 --- a/code-scanning/cloudrail.yml +++ b/code-scanning/cloudrail.yml @@ -9,7 +9,7 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ $default-branch ] + branches: [ $default-branch ] schedule: - cron: $cron-weekly 
@@ -26,7 +26,7 @@ jobs: - name: Clone repo uses: actions/checkout@v3 - # For Terraform, Cloudrail requires the plan as input. So we generate it using + # For Terraform, Cloudrail requires the plan as input. So we generate it using # the Terraform core binary. - uses: hashicorp/setup-terraform@v1 with: @@ -53,6 +53,6 @@ jobs: uses: github/codeql-action/upload-sarif@v2 # Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always() # is needed to ensure the SARIF file is uploaded - if: always() + if: always() with: sarif_file: cloudrail_results.sarif diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index 7b705bd10d..bbb211857c 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -30,7 +30,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Codacy Security Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 34c5de72a1..3f0ecfbd5c 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml 
@@ -48,11 +48,11 @@ jobs: # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. - + # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs # queries: security-extended,security-and-quality - + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild @@ -61,7 +61,7 @@ jobs: # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - # If the Autobuild fails above, remove it and uncomment the following three lines. + # If the Autobuild fails above, remove it and uncomment the following three lines. # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. # - run: | diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index a9f10535e3..0959d232d1 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -25,7 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - name: Checkout repository diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml index 4e4deb7c40..ff3d9d3a84 100644 
--- a/code-scanning/contrast-scan.yml +++ b/code-scanning/contrast-scan.yml @@ -8,7 +8,7 @@ # Contrast Scan currently supports Java, JavaScript and .NET artifacts. # For more information about the Contrast Scan GitHub Action see here: https://github.com/Contrast-Security-OSS/contrastscan-action -# Pre-requisites: +# Pre-requisites: # All Contrast related account secrets should be configured as GitHub secrets to be passed as inputs to the Contrast Scan Action. # The required secrets are CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID and CONTRAST_AUTH_HEADER. @@ -30,7 +30,7 @@ jobs: permissions: contents: read # for actions/checkout security-events: write # for github/codeql-action/upload-sarif - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest # check out project steps: @@ -38,7 +38,7 @@ jobs: # Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here. # -name: Build Project # ... - # Scan Artifact + # Scan Artifact - name: Contrast Scan Action uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1 with: @@ -46,7 +46,7 @@ jobs: apiKey: ${{ secrets.CONTRAST_API_KEY }} orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }} authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} - #Upload the results to GitHub + #Upload the results to GitHub - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 with: diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index 0c65813487..a13a5170a7 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml 
@@ -69,13 +69,13 @@ jobs: } } ' 1> gh_response.json - + DETEKT_RELEASE_SHA=$(jq --raw-output '.data.repository.release.releaseAssets.tagCommit.oid' gh_response.json) if [ $DETEKT_RELEASE_SHA != "37f0a1d006977512f1f216506cd695039607c3e5" ]; then echo "Release tag doesn't match expected commit SHA" exit 1 fi - + DETEKT_DOWNLOAD_URL=$(jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' gh_response.json) echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL" diff --git a/code-scanning/devskim.yml b/code-scanning/devskim.yml index bf1126103b..4abd6ca0cf 100644 --- a/code-scanning/devskim.yml +++ b/code-scanning/devskim.yml @@ -27,7 +27,7 @@ jobs: - name: Run DevSkim scanner uses: microsoft/DevSkim-Action@v1 - + - name: Upload DevSkim scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 with: diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml index 54b01c839e..fcb4f217ac 100644 --- a/code-scanning/eslint.yml +++ b/code-scanning/eslint.yml @@ -25,7 +25,7 @@ jobs: permissions: contents: read security-events: write - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v3 @@ -39,7 +39,7 @@ jobs: run: npx eslint . --config .eslintrc.js --ext .js,.jsx,.ts,.tsx - --format @microsoft/eslint-formatter-sarif + --format @microsoft/eslint-formatter-sarif --output-file eslint-results.sarif continue-on-error: true diff --git a/code-scanning/ethicalcheck.yml b/code-scanning/ethicalcheck.yml index 2818bc695d..a68d0a2c7c 100644 --- a/code-scanning/ethicalcheck.yml +++ b/code-scanning/ethicalcheck.yml 
@@ -44,12 +44,12 @@ on: permissions: contents: read - + jobs: Trigger_EthicalCheck: permissions: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: @@ -61,9 +61,9 @@ jobs: # The email address to which the penetration test report will be sent. email: "xxx@apisec.ai" sarif-result-file: "ethicalcheck-results.sarif" - + - name: Upload sarif file to repository uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ./ethicalcheck-results.sarif - + diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml index 315365282e..68aebaadb6 100644 --- a/code-scanning/hadolint.yml +++ b/code-scanning/hadolint.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v3 diff --git a/code-scanning/lintr.yml b/code-scanning/lintr.yml index 350df19701..8a6de5796d 100644 --- a/code-scanning/lintr.yml +++ b/code-scanning/lintr.yml 
@@ -29,7 +29,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 1013749c50..21462488cf 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -9,7 +9,7 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ $default-branch ] + branches: [ $default-branch ] schedule: - cron: $cron-weekly @@ -21,7 +21,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index e8dac8842d..172d855551 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -28,7 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Analyze runs-on: windows-latest diff --git a/code-scanning/neuralegion.yml b/code-scanning/neuralegion.yml index e24e14a753..e9189d5e53 100644 
--- a/code-scanning/neuralegion.yml +++ b/code-scanning/neuralegion.yml @@ -50,7 +50,7 @@ # # `restart_scan` # -# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).
Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements. +# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).
Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements. # # _Example:_ `restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ)` # @@ -95,7 +95,7 @@ # # `hosts_filter` # -# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan. +# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan. # # Outputs # diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index d766a6fcb6..81e3650c6d 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -25,7 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest name: njsscan code scanning steps: diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index 2bd91dd92b..63a7515fbf 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: windows-latest steps: diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml index d10ace1e09..686551ae8c 100644 --- a/code-scanning/phpmd.yml +++ b/code-scanning/phpmd.yml 
@@ -2,9 +2,9 @@ # They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support # documentation. -# PHPMD is a spin-off project of PHP Depend and +# PHPMD is a spin-off project of PHP Depend and # aims to be a PHP equivalent of the well known Java tool PMD. -# What PHPMD does is: It takes a given PHP source code base +# What PHPMD does is: It takes a given PHP source code base # and look for several potential problems within that source. # These problems can be things like: # Possible bugs @@ -34,7 +34,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 8115116ead..6b5b7ea299 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -21,7 +21,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index 02e5de77f1..1e8a4267de 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -16,7 +16,7 @@ on: branches: [ $default-branch ] schedule: - cron: $cron-weekly - + permissions: contents: read 
@@ -25,7 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: PSScriptAnalyzer runs-on: ubuntu-latest steps: @@ -37,11 +37,11 @@ jobs: # Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options. # The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules. path: .\ - recurse: true - # Include your own basic security rules. Removing this option will run all the rules + recurse: true + # Include your own basic security rules. Removing this option will run all the rules includeRule: '"PSAvoidGlobalAliases", "PSAvoidUsingConvertToSecureStringWithPlainText"' output: results.sarif - + # Upload the SARIF file generated in the previous step - name: Upload SARIF results file uses: github/codeql-action/upload-sarif@v2 diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 1a12b86d79..9b24386948 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -29,7 +29,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest name: Run Prisma Cloud IaC Scan to check steps: diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml index 50b86dbbbb..26b6cca0bc 100644 --- a/code-scanning/puppet-lint.yml +++ b/code-scanning/puppet-lint.yml 
@@ -29,7 +29,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml index c5f10ee747..90583f342f 100644 --- a/code-scanning/rust-clippy.yml +++ b/code-scanning/rust-clippy.yml @@ -4,7 +4,7 @@ # documentation. # rust-clippy is a tool that runs a bunch of lints to catch common # mistakes in your Rust code and help improve your Rust code. -# More details at https://github.com/rust-lang/rust-clippy +# More details at https://github.com/rust-lang/rust-clippy # and https://rust-lang.github.io/rust-clippy/ name: rust-clippy analyze @@ -25,7 +25,7 @@ jobs: permissions: contents: read security-events: write - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml index b6ee5ad7b8..7a93d8aa9d 100644 --- a/code-scanning/securitycodescan.yml +++ b/code-scanning/securitycodescan.yml @@ -24,11 +24,11 @@ jobs: - uses: actions/checkout@v3 - uses: nuget/setup-nuget@04b0c2b8d1b97922f67eca497d7cf0bf17b8ffe1 - uses: microsoft/setup-msbuild@v1.0.2 - + - name: Set up projects for analysis uses: security-code-scan/security-code-scan-add-action@f8ff4f2763ed6f229eded80b1f9af82ae7f32a0d - - - name: Restore dependencies + + - name: Restore dependencies run: dotnet restore - name: Build 
diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index b10a9307f1..23486e4901 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index a232c539c7..c3756c8610 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml @@ -30,7 +30,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index 3ca10353ed..aedf2a3c2b 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml @@ -29,7 +29,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 
diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml index 7d38c7740f..61d376f45e 100644 --- a/code-scanning/sobelow.yml +++ b/code-scanning/sobelow.yml @@ -16,7 +16,7 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ $default-branch ] + branches: [ $default-branch ] schedule: - cron: $cron-weekly @@ -28,11 +28,11 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v3 - id: run-action uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912 - name: Upload report diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index ff388c8d77..41075e4efb 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. -# This workflow helps you trigger a SonarCloud analysis of your code and populates +# This workflow helps you trigger a SonarCloud analysis of your code and populates # GitHub Code Scanning alerts with the vulnerabilities found. # Free for open source project. 
@@ -11,16 +11,16 @@ # 2. Import your project on SonarCloud # * Add your GitHub organization first, then add your repository as a new project. -# * Please note that many languages are eligible for automatic analysis, +# * Please note that many languages are eligible for automatic analysis, # which means that the analysis will start automatically without the need to set up GitHub Actions. # * This behavior can be changed in Administration > Analysis Method. -# +# # 3. Follow the SonarCloud in-product tutorial # * a. Copy/paste the Project Key and the Organization Key into the args parameter below # (You'll find this information in SonarCloud. Click on "Information" at the bottom left) # # * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN -# (On SonarCloud, click on your avatar on top-right > My account > Security +# (On SonarCloud, click on your avatar on top-right > My account > Security # or go directly to https://sonarcloud.io/account/security/) # Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) @@ -41,9 +41,9 @@ permissions: jobs: Analysis: runs-on: ubuntu-latest - + steps: - - name: Analyze with SonarCloud + - name: Analyze with SonarCloud # You can pin the exact commit or the version. # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 @@ -53,7 +53,7 @@ jobs: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) with: # Additional arguments for the sonarcloud scanner - args: + args: # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu) # mandatory -Dsonar.projectKey= 
@@ -65,4 +65,4 @@ jobs: # Comma-separated paths to directories containing test source files. #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. - #-Dsonar.verbose= # optional, default is false + #-Dsonar.verbose= # optional, default is false diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 95dfd673cb..2ab3d4c9b1 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -12,7 +12,7 @@ # # 2. Navigate to the "Integrate" page in the SOOS app (https://app.soos.io/integrate). Note the "API Credentials" section of this page; the keys you will need for the next step are here. # -# 3. Set up your SOOS API Key and SOOS Client Id as Github Secrets named SOOS_API_KEY and SOOS_CLIENT_ID. +# 3. Set up your SOOS API Key and SOOS Client Id as Github Secrets named SOOS_API_KEY and SOOS_CLIENT_ID. # # 4. (Optional) If you'd like to upload SARIF results of DAST scans to GitHub, set SOOS_GITHUB_PAT with your Github Personal Access Token. # @@ -29,7 +29,7 @@ jobs: soos: permissions: security-events: write # for uploading code scanning alert info - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: SOOS DAST Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml index c32334c643..61169e2c67 100644 --- a/code-scanning/synopsys-io.yml +++ b/code-scanning/synopsys-io.yml 
@@ -22,11 +22,11 @@ jobs: actions: read contents: read security-events: write - + steps: - name: Checkout repository uses: actions/checkout@v3 - + - name: Synopsys Intelligent Security Scan id: prescription uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08 @@ -36,7 +36,7 @@ jobs: workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} additionalWorkflowArgs: --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} stage: "IO" - + # Please note that the ID in previous step was set to prescription # in order for this logic to work also make sure that POLARIS_ACCESS_TOKEN # is defined in settings @@ -48,7 +48,7 @@ jobs: wget -q ${{ secrets.POLARIS_SERVER_URL}}/api/tools/polaris_cli-linux64.zip unzip -j polaris_cli-linux64.zip -d /tmp /tmp/polaris analyze -w - + # Please note that the ID in previous step was set to prescription # in order for this logic to work - name: Software Composition Analysis with Black Duck @@ -56,7 +56,7 @@ jobs: uses: blackducksoftware/github-action@9ea442b34409737f64743781e9adc71fd8e17d38 with: args: '--blackduck.url="${{ secrets.BLACKDUCK_URL}}" --blackduck.api.token="${{ secrets.BLACKDUCK_TOKEN}}" --detect.tools="SIGNATURE_SCAN,DETECTOR"' - + - name: Synopsys Intelligent Security Scan if: ${{ steps.prescription.outputs.sastScan == 'true' || steps.prescription.outputs.scaScan == 'true' }} uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08 
@@ -64,11 +64,11 @@ jobs: ioServerUrl: ${{secrets.IO_SERVER_URL}} ioServerToken: ${{secrets.IO_SERVER_TOKEN}} workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} - additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}} - --polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} + additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}} + --polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} --blackduck.project.name={{PROJECT_NAME}}:{{PROJECT_VERSION}} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}} stage: "WORKFLOW" - + - name: Upload SARIF file if: ${{steps.prescription.outputs.sastScan == 'true' }} uses: github/codeql-action/upload-sarif@v2 diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index f9b61b9c80..8c13a4bd1e 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -24,7 +24,7 @@ jobs: checks: write # for sysdiglabs/scan-action to publish the checks contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: 
@@ -39,7 +39,7 @@ jobs: id: scan uses: sysdiglabs/scan-action@768d7626a14897e0948ea89c8437dd46a814b163 with: - # Tag of the image to analyse. + # Tag of the image to analyse. # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag above image-tag: ${{ github.repository }}:latest # API token for Sysdig Scanning auth @@ -47,7 +47,7 @@ jobs: # Sysdig secure endpoint. Please read: https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/ # US-East https://secure.sysdig.com # US-West https://us2.app.sysdig.com - # EU https://eu1.app.sysdig.com + # EU https://eu1.app.sysdig.com sysdig-secure-url: https://us2.app.sysdig.com dockerfile-path: ./Dockerfile input-type: docker-daemon diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 77f81566ba..48ee4d2243 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -9,7 +9,7 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ $default-branch ] + branches: [ $default-branch ] schedule: - cron: $cron-weekly @@ -29,10 +29,10 @@ jobs: - name: Run tfsec uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f with: - sarif_file: tfsec.sarif + sarif_file: tfsec.sarif - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository - sarif_file: tfsec.sarif + sarif_file: tfsec.sarif diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index f56d9e5b98..4a8fe41ed7 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml 
@@ -22,7 +22,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Build runs-on: "ubuntu-18.04" steps: diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index 89d35df251..04fc8146e6 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 5724a977d3..8fd5c7b497 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -51,7 +51,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/zscan.yml b/code-scanning/zscan.yml index 1ac6bbdde3..7f035f53ec 100644 --- a/code-scanning/zscan.yml +++ b/code-scanning/zscan.yml 
@@ -3,16 +3,16 @@ # separate terms of service, privacy policy, and support # documentation. # -# The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) +# The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) # and identifies security, privacy, and compliance-related vulnerabilities. ​ # # Prerequisites: ​ # * An active Zimperium zScan account is required. If you are not an existing Zimperium # zScan customer, please request a zSCAN demo by visiting https://www.zimperium.com/contact-us. -# * Either GitHub Advanced Security (GHAS) or a public repository is required to display +# * Either GitHub Advanced Security (GHAS) or a public repository is required to display # issues and view the remediation information inside of GitHub code scanning alerts. ​ # -# For additional information and setup instructions +# For additional information and setup instructions # please visit: https://github.com/Zimperium/zScanMarketplace#readme name: "Zimperium zScan" @@ -33,7 +33,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout repository uses: actions/checkout@v3 @@ -58,4 +58,3 @@ jobs: uses: github/codeql-action/upload-sarif@v2 with: sarif_file: Zimperium.sarif - \ No newline at end of file diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index 9853b75bd0..96d5d3865d 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml 
@@ -3,7 +3,7 @@ # # To use this workflow, you will need to complete the following set-up steps: # -# 1. Create an ACR repository to store your container images. +# 1. Create an ACR repository to store your container images. # You can use ACR EE instance for more security and better performance. # For instructions see https://www.alibabacloud.com/help/doc-detail/142168.htm # @@ -14,7 +14,7 @@ # 3. Store your AccessKey pair in GitHub Actions secrets named `ACCESS_KEY_ID` and `ACCESS_KEY_SECRET`. # For instructions on setting up secrets see: https://developer.github.com/actions/managing-workflows/storing-secrets/ # -# 4. Change the values for the REGION_ID, REGISTRY, NAMESPACE, IMAGE, ACK_CLUSTER_ID, and ACK_DEPLOYMENT_NAME. +# 4. Change the values for the REGION_ID, REGISTRY, NAMESPACE, IMAGE, ACK_CLUSTER_ID, and ACK_DEPLOYMENT_NAME. # name: Build and Deploy to ACK @@ -46,12 +46,12 @@ jobs: build: runs-on: ubuntu-latest environment: production - + steps: - name: Checkout uses: actions/checkout@v3 - - # 1.1 Login to ACR + + # 1.1 Login to ACR - name: Login to ACR with the AccessKey pair uses: aliyun/acr-login@v1 with: @@ -59,13 +59,13 @@ jobs: access-key-id: "${{ secrets.ACCESS_KEY_ID }}" access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}" - # 1.2 Buid and push image to ACR - - name: Build and push image to ACR + # 1.2 Buid and push image to ACR + - name: Build and push image to ACR run: | - docker build --tag "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" . - docker push "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" - - # 1.3 Scan image in ACR + docker build --tag "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" . + docker push "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" + + # 1.3 Scan image in ACR - name: Scan image in ACR uses: aliyun/acr-scan@v1 with: 
@@ -75,7 +75,7 @@ jobs: repository: "${{ env.NAMESPACE }}/${{ env.IMAGE }}" tag: "${{ env.TAG }}" - # 2.1 (Optional) Login to ACR EE + # 2.1 (Optional) Login to ACR EE - uses: actions/checkout@v3 - name: Login to ACR EE with the AccessKey pair uses: aliyun/acr-login@v1 @@ -86,12 +86,12 @@ jobs: access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}" instance-id: "${{ env.ACR_EE_INSTANCE_ID }}" - # 2.2 (Optional) Build and push image ACR EE - - name: Build and push image to ACR EE + # 2.2 (Optional) Build and push image ACR EE + - name: Build and push image to ACR EE run: | docker build -t "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG" . docker push "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG" - # 2.3 (Optional) Scan image in ACR EE + # 2.3 (Optional) Scan image in ACR EE - name: Scan image in ACR EE uses: aliyun/acr-scan@v1 with: @@ -102,7 +102,7 @@ jobs: repository: "${{ env.ACR_EE_NAMESPACE}}/${{ env.ACR_EE_IMAGE }}" tag: "${{ env.ACR_EE_TAG }}" - # 3.1 Set ACK context + # 3.1 Set ACK context - name: Set K8s context uses: aliyun/ack-set-context@v1 with: diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml index cc2e1ddd56..4d98340739 100644 --- a/deployments/azure-container-webapp.yml +++ b/deployments/azure-container-webapp.yml @@ -11,7 +11,7 @@ # 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. # For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret # -# 3. Create a GitHub Personal access token with "repo" and "read:packages" permissions. +# 3. Create a GitHub Personal access token with "repo" and "read:packages" permissions. # # 4. Create three app settings on your Azure Web app: # DOCKER_REGISTRY_SERVER_URL: Set this to "https://ghcr.io" 
diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 9b2189554d..005aef2d7e 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -43,7 +43,7 @@ jobs: uses: actions/setup-dotnet@v2 with: dotnet-version: ${{ env.DOTNET_VERSION }} - + - name: Set up dependency caching for faster builds uses: actions/cache@v3 with: diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 60fa68c188..c29d871aa4 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -63,7 +63,7 @@ jobs: environment: name: 'Development' url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - + steps: - name: Download artifact from build job uses: actions/download-artifact@v3 diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index 98e72c2c02..c72b1beff0 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -70,7 +70,7 @@ jobs: name: node-app - name: 'Deploy to Azure WebApp' - id: deploy-to-webapp + id: deploy-to-webapp uses: azure/webapps-deploy@v2 with: app-name: ${{ env.AZURE_WEBAPP_NAME }} diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index d7aa802532..0ce3ce9b8a 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -51,15 +51,15 @@ jobs: - name: Install dependencies run: pip install -r requirements.txt - + # Optional: Add step to run tests here (PyTest, Django test suites, etc.) - + - name: Upload artifact for deployment jobs uses: actions/upload-artifact@v3 with: name: python-app path: | - . + . !venv/ deploy: @@ -77,7 +77,7 @@ jobs: with: name: python-app path: . - + - name: 'Deploy to Azure Web App' id: deploy-to-webapp uses: azure/webapps-deploy@v2 diff --git a/deployments/tencent.yml b/deployments/tencent.yml index ba65fe52af..3d228548a8 100644 
--- a/deployments/tencent.yml +++ b/deployments/tencent.yml @@ -2,12 +2,12 @@ # # To configure this workflow: # -# 1. Ensure that your repository contains the necessary configuration for your Tencent Kubernetes Engine cluster, +# 1. Ensure that your repository contains the necessary configuration for your Tencent Kubernetes Engine cluster, # including deployment.yml, kustomization.yml, service.yml, etc. # -# 2. Set up secrets in your workspace: +# 2. Set up secrets in your workspace: # - TENCENT_CLOUD_SECRET_ID with Tencent Cloud secret id -# - TENCENT_CLOUD_SECRET_KEY with Tencent Cloud secret key +# - TENCENT_CLOUD_SECRET_KEY with Tencent Cloud secret key # - TENCENT_CLOUD_ACCOUNT_ID with Tencent Cloud account id # - TKE_REGISTRY_PASSWORD with TKE registry password # @@ -38,10 +38,10 @@ jobs: - name: Checkout uses: actions/checkout@v3 - + # Build - name: Build Docker image - run: | + run: | docker build -t ${TKE_IMAGE_URL}:${GITHUB_SHA} . - name: Login TKE Registry @@ -65,7 +65,7 @@ jobs: secret_key: ${{ secrets.TENCENT_CLOUD_SECRET_KEY }} tke_region: ${{ env.TKE_REGION }} cluster_id: ${{ env.TKE_CLUSTER_ID }} - + - name: Switch to TKE context run: | kubectl config use-context ${TKE_CLUSTER_ID}-context-default From aa953da46e3883e1dd96aa56b07d3835de4cb466 Mon Sep 17 00:00:00 2001 
From: Chandni Patel <88407036+patelchandni@users.noreply.github.com> Date: Fri, 7 Oct 2022 16:03:49 -0500 Subject: [PATCH 587/844] Starter workflows for Azure Functions App --- deployments/azure-functions-app-container.yml | 57 +++++++++++++++++++ deployments/azure-functions-app-dotnet.yml | 50 ++++++++++++++++ deployments/azure-functions-app-java.yml | 51 +++++++++++++++++ deployments/azure-functions-app-nodejs.yml | 52 +++++++++++++++++ .../azure-functions-app-powershell.yml | 37 ++++++++++++ deployments/azure-functions-app-python.yml | 53 +++++++++++++++++ ...re-functions-app-container.properties.json | 7 +++ ...azure-functions-app-dotnet.properties.json | 7 +++ .../azure-functions-app-java.properties.json | 7 +++ ...azure-functions-app-nodejs.properties.json | 7 +++ ...e-functions-app-powershell.properties.json | 7 +++ ...azure-functions-app-python.properties.json | 7 +++ 12 files changed, 342 insertions(+) create mode 100644 deployments/azure-functions-app-container.yml create mode 100644 deployments/azure-functions-app-dotnet.yml create mode 100644 deployments/azure-functions-app-java.yml create mode 100644 deployments/azure-functions-app-nodejs.yml create mode 100644 deployments/azure-functions-app-powershell.yml create mode 100644 deployments/azure-functions-app-python.yml create mode 100644 deployments/properties/azure-functions-app-container.properties.json create mode 100644 deployments/properties/azure-functions-app-dotnet.properties.json create mode 100644 deployments/properties/azure-functions-app-java.properties.json create mode 100644 deployments/properties/azure-functions-app-nodejs.properties.json create mode 100644 deployments/properties/azure-functions-app-powershell.properties.json create mode 100644 deployments/properties/azure-functions-app-python.properties.json diff --git a/deployments/azure-functions-app-container.yml b/deployments/azure-functions-app-container.yml new file mode 100644 index 0000000000..0984ba4c0a --- /dev/null 
+++ b/deployments/azure-functions-app-container.yml
@@ -0,0 +1,57 @@
+# Action Requires
+# 1. Setup the AZURE_CREDENTIALS secrets in your GitHub Repository
+# 2. Setup the REGISTRY_USERNAME secrets in your GitHub Repository
+# 3. Setup the REGISTRY_PASSWORD secrets in your GitHub Repository
+# 4. Replace REGISTRY, NAMESPACE, IMAGE, TAG in the following template with proper values
+# 5. Add this yaml file to your project's .github/workflows/
+# 6. Push your local project to your GitHub Repository
+
+name: Linux_Container_Workflow
+
+on:
+ push:
+ branches:
+ - master
+
+jobs:
+ build-and-deploy:
+ runs-on: ubuntu-latest
+ environment: dev
+ steps:
+ - name: 'Checkout GitHub Action'
+ uses: actions/checkout@v3
+
+ - name: 'Login via Azure CLI'
+ uses: azure/login@v1
+ with:
+ creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+ - name: 'Docker Login'
+ uses: azure/docker-login@v1
+ with:
+ login-server: contoso.azurecr.io
+ username: ${{ secrets.REGISTRY_USERNAME }}
+ password: ${{ secrets.REGISTRY_PASSWORD }}
+
+ - name: 'Compose Customized Docker Image'
+ shell: bash
+ run: |
+ # If your function app project is not located in your repository's root
+ # Please change the path to your directory for docker build
+ docker build . -t REGISTRY/NAMESPACE/IMAGE:TAG
+ docker push REGISTRY/NAMESPACE/IMAGE:TAG
+
+ - name: 'Run Azure Functions Container Action'
+ uses: Azure/functions-container-action@v1
+ id: fa
+ with:
+ app-name: PLEASE_REPLACE_THIS_WITH_YOUR_FUNCTION_APP_NAME
+ image: REGISTRY/NAMESPACE/IMAGE:TAG
+
+ #- name: 'use the published functionapp url in upcoming steps'
+ # run: |
+ # echo "${{ steps.fa.outputs.app-url }}"
+
+ - name: Azure logout
+ run: |
+ az logout
\ No newline at end of file
diff --git a/deployments/azure-functions-app-dotnet.yml b/deployments/azure-functions-app-dotnet.yml
new file mode 100644
index 0000000000..40f76ab69b
--- /dev/null
+++ b/deployments/azure-functions-app-dotnet.yml
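Review bot: The final `Azure logout` step only runs when every earlier step succeeds, so a failed build or push leaves the `az login` session (and the docker registry login) on the runner; on a self-hosted runner that is a credential left behind for the next job. Add `if: always()` to the step, e.g. `- name: Azure logout`, `  if: always()`, `  run: az logout`. The workflow also declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope even though it only needs to read the checkout; a top-level `permissions: contents: read` is the least-privilege default for a template others will copy. The step comment `# If your function app project is not located in your repository's root` could also say that the `docker build .` context should be narrowed with a `.dockerignore` so the image does not capture files such as local settings.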
@@ -0,0 +1,50 @@
+name: Deploy DotNet project to Azure Function App
+
+on:
+ [push]
+
+# CONFIGURATION
+# For help, go to https://github.com/Azure/Actions
+#
+# 1. Set up the following secrets in your repository:
+# AZURE_FUNCTIONAPP_PUBLISH_PROFILE
+#
+# 2. Change these variables for your configuration:
+env:
+ AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure
+ AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your function app project, defaults to the repository root
+ DOTNET_VERSION: '6.0.x' # set this to the dotnet version to use (e.g. '2.1.x', '3.1.x', '5.0.x')
+
+jobs:
+ build-and-deploy:
+ runs-on: windows-latest # For Linux, use ubuntu-latest
+ environment: dev
+ steps:
+ - name: 'Checkout GitHub Action'
+ uses: actions/checkout@v3
+
+ # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below
+ # - name: 'Login via Azure CLI'
+ # uses: azure/login@v1
+ # with:
+ # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }}
+
+ - name: Setup DotNet ${{ env.DOTNET_VERSION }} Environment
+ uses: actions/setup-dotnet@v3
+ with:
+ dotnet-version: ${{ env.DOTNET_VERSION }}
+
+ - name: 'Resolve Project Dependencies Using Dotnet'
+ shell: pwsh # For Linux, use bash
+ run: |
+ pushd './${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}'
+ dotnet build --configuration Release --output ./output
+ popd
+
+ - name: 'Run Azure Functions Action'
+ uses: Azure/functions-action@v1
+ id: fa
+ with:
+ app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }}
+ package: '${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}/output'
+ publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC
\ No newline at end of file
diff --git a/deployments/azure-functions-app-java.yml b/deployments/azure-functions-app-java.yml
new file mode 100644
index 0000000000..138a877d57
--- /dev/null
+++ b/deployments/azure-functions-app-java.yml
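Review bot: The trigger `on: [push]` fires for a push to any branch, so this template deploys every feature-branch commit to the `dev` Function App with the publish-profile secret; the sibling container template in this same commit restricts to `branches: - master`, and this one should do the same, e.g. `on:`, `  push:`, `    branches: [ $default-branch ]`. The `run:` script interpolates `${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}` directly into PowerShell; here the value is a literal declared in the workflow's own `env:` so there is no injection, but templates get copied and rewired, and `pushd $env:AZURE_FUNCTIONAPP_PACKAGE_PATH` keeps the value out of the script text altogether. There is also no `permissions:` block, so the job inherits the repository's default `GITHUB_TOKEN` scope while only needing `contents: read`.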
@@ -0,0 +1,51 @@ +name: Deploy Java project to Azure Function App + +on: + [push] + +# CONFIGURATION +# For help, go to https://github.com/Azure/Actions +# +# 1. Set up the following secrets in your repository: +# AZURE_FUNCTIONAPP_PUBLISH_PROFILE +# +# 2. Change these variables for your configuration: +env: + AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure + POM_XML_DIRECTORY: '.' # set this to the directory which contains pom.xml file + JAVA_VERSION: '8' # set this to the java version to use (e.g. '8', '11', '17') + +jobs: + build-and-deploy: + runs-on: windows-latest # For Linux, use ubuntu-latest + environment: dev + steps: + - name: 'Checkout GitHub Action' + uses: actions/checkout@v3 + + # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below + # - name: 'Login via Azure CLI' + # uses: azure/login@v1 + # with: + # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} + + - name: Setup Java Sdk ${{ env.JAVA_VERSION }} + uses: actions/setup-java@v1 + with: + java-version: ${{ env.JAVA_VERSION }} + + - name: 'Restore Project Dependencies Using Mvn' + shell: pwsh # For Linux, use bash + run: | + pushd './${{ env.POM_XML_DIRECTORY }}' + mvn clean package + popd + + - name: 'Run Azure Functions Action' + uses: Azure/functions-action@v1 + id: fa + with: + app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }} + package: '${{ env.POM_XML_DIRECTORY }}' # if there are multiple function apps in same project, then this path will be like './${{ env.POM_XML_DIRECTORY }}/target/azure-functions/${{ env.POM_FUNCTIONAPP_NAME }' + publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC + respect-pom-xml: true \ No newline at end of file diff --git a/deployments/azure-functions-app-nodejs.yml b/deployments/azure-functions-app-nodejs.yml new file mode 100644 index 0000000000..4d7505deda --- /dev/null +++ b/deployments/azure-functions-app-nodejs.yml 
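Review bot: The comment on the `package:` input is missing a closing brace in its example path, `${{ env.POM_FUNCTIONAPP_NAME }'` should read `${{ env.POM_FUNCTIONAPP_NAME }}'`, and `POM_FUNCTIONAPP_NAME` is not declared in the `env:` block, so a user who follows the comment gets an empty expansion and a wrong package path; either add `POM_FUNCTIONAPP_NAME: 'your-function-app-name'  # only needed for multi-app projects` to `env:` or say in the comment that it must be defined. Separately, `mvn clean package` in CI should run with `--batch-mode` so download progress does not flood the log, e.g. `mvn --batch-mode clean package`.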
@@ -0,0 +1,52 @@ +name: Deploy Node.js project to Azure Function App + +on: + [push] + +# CONFIGURATION +# For help, go to https://github.com/Azure/Actions +# +# 1. Set up the following secrets in your repository: +# AZURE_FUNCTIONAPP_PUBLISH_PROFILE +# +# 2. Change these variables for your configuration: +env: + AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure + AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your function app project, defaults to the repository root + NODE_VERSION: '16.x' # set this to the node version to use (e.g. '8.x', '10.x', '12.x') + +jobs: + build-and-deploy: + runs-on: windows-latest # For Linux, use ubuntu-latest + environment: dev + steps: + - name: 'Checkout GitHub Action' + uses: actions/checkout@v3 + + # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below + # - name: 'Login via Azure CLI' + # uses: azure/login@v1 + # with: + # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} + + - name: Setup Node ${{ env.NODE_VERSION }} Environment + uses: actions/setup-node@v3 + with: + node-version: ${{ env.NODE_VERSION }} + + - name: 'Resolve Project Dependencies Using Npm' + shell: pwsh # For Linux, use bash + run: | + pushd './${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}' + npm install + npm run build --if-present + npm run test --if-present + popd + + - name: 'Run Azure Functions Action' + uses: Azure/functions-action@v1 + id: fa + with: + app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }} + package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }} + publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC \ No newline at end of file diff --git a/deployments/azure-functions-app-powershell.yml b/deployments/azure-functions-app-powershell.yml new file mode 100644 index 0000000000..d228efaf9a --- /dev/null +++ b/deployments/azure-functions-app-powershell.yml 
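Review bot: The dependency step uses `npm install`, which re-resolves the ranges in `package.json` and may rewrite `package-lock.json`, so the artifact that `Azure/functions-action` deploys is not guaranteed to match the reviewed lockfile; in a deploy workflow use `npm ci`, which installs exactly the lockfile and fails if it is out of sync. If a project has no lockfile `npm ci` fails, which is the right signal for a deployment pipeline rather than a silent drift. The `NODE_VERSION` comment still lists `8.x`, `10.x`, `12.x` as examples, all end-of-life; suggest `'14.x', '16.x', '18.x'`.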
@@ -0,0 +1,37 @@ +name: Deploy PowerShell project to Azure Function App + +on: + [push] + +# CONFIGURATION +# For help, go to https://github.com/Azure/Actions +# +# 1. Set up the following secrets in your repository: +# AZURE_FUNCTIONAPP_PUBLISH_PROFILE +# +# 2. Change these variables for your configuration: +env: + AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure + AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your function app project, defaults to the repository root + +jobs: + build-and-deploy: + runs-on: windows-latest # For Linux, use ubuntu-latest + environment: dev + steps: + - name: 'Checkout GitHub Action' + uses: actions/checkout@v3 + + # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below + # - name: 'Login via Azure CLI' + # uses: azure/login@v1 + # with: + # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} + + - name: 'Run Azure Functions Action' + uses: Azure/functions-action@v1 + id: fa + with: + app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }} + package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }} + publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC \ No newline at end of file diff --git a/deployments/azure-functions-app-python.yml b/deployments/azure-functions-app-python.yml new file mode 100644 index 0000000000..0964914ec7 --- /dev/null +++ b/deployments/azure-functions-app-python.yml 
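Review bot: There is no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope even though the only thing it needs the token for is checkout; add `permissions:` / `contents: read` at workflow level. The deploy credential is the publish-profile secret, which is unaffected, but a least-privilege token limits what a compromised action could do, and both `actions/checkout@v3` and `Azure/functions-action@v1` are referenced by mutable tags rather than commit SHAs. The same applies to every sibling template in this commit.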
@@ -0,0 +1,53 @@ +name: Deploy Python project to Azure Function App + +on: + [push] + +# CONFIGURATION +# For help, go to https://github.com/Azure/Actions +# +# 1. Set up the following secrets in your repository: +# AZURE_FUNCTIONAPP_PUBLISH_PROFILE +# +# 2. Change these variables for your configuration: +env: + AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure + AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your function app project, defaults to the repository root + PYTHON_VERSION: '3.9' # set this to the python version to use (e.g. '3.6', '3.7', '3.8') + +jobs: + build-and-deploy: + runs-on: ubuntu-latest + environment: dev + steps: + - name: 'Checkout GitHub Action' + uses: actions/checkout@v3 + + # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below + # - name: 'Login via Azure CLI' + # uses: azure/login@v1 + # with: + # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} + + - name: Setup Python ${{ env.PYTHON_VERSION }} Environment + uses: actions/setup-python@v4 + with: + python-version: ${{ env.PYTHON_VERSION }} + + - name: 'Resolve Project Dependencies Using Pip' + shell: bash + run: | + pushd './${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}' + python -m pip install --upgrade pip + pip install -r requirements.txt --target=".python_packages/lib/site-packages" + popd + + - name: 'Run Azure Functions Action' + uses: Azure/functions-action@v1 + id: fa + with: + app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }} + package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }} + publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC + scm-do-build-during-deployment: true + enable-oryx-build: true \ No newline at end of file diff --git a/deployments/properties/azure-functions-app-container.properties.json b/deployments/properties/azure-functions-app-container.properties.json new file mode 100644 index 0000000000..41b8d46f99 --- /dev/null 
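Review bot: `pip install -r requirements.txt --target=".python_packages/lib/site-packages"` installs whatever the index resolves at deploy time with no integrity check, and the `scm-do-build-during-deployment: true` / `enable-oryx-build: true` inputs appear to request a second, server-side install of the same file, so the two resolutions can diverge if `requirements.txt` is not fully pinned. If the file is pinned with hashes, add `--require-hashes` to the pip line so the deployed package set is exactly what was reviewed; otherwise at least pin exact versions, and document in the header comment which of the two builds is authoritative. The `PYTHON_VERSION` comment still suggests `'3.6'`, which is end-of-life.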
+++ b/deployments/properties/azure-functions-app-container.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy container to Azure Functions App", + "description": "Build a container and deploy it to an Azure Functions App on Linux.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Dockerfile", "Azure Functions"] +} diff --git a/deployments/properties/azure-functions-app-dotnet.properties.json b/deployments/properties/azure-functions-app-dotnet.properties.json new file mode 100644 index 0000000000..38e472c5b7 --- /dev/null +++ b/deployments/properties/azure-functions-app-dotnet.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy .NET Core app to Azure Functions App", + "description": "Build a .NET Core project and deploy it to an Azure Functions App on Windows or Linux.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "C#", "aspNetCore", "Azure Functions"] +} diff --git a/deployments/properties/azure-functions-app-java.properties.json b/deployments/properties/azure-functions-app-java.properties.json new file mode 100644 index 0000000000..c44a9e98dd --- /dev/null +++ b/deployments/properties/azure-functions-app-java.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy Java app to Azure Functions App", + "description": "Build a Java project and deploy it to an Azure Functions App on Windows or Linux.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Java", "Maven", "Azure Functions"] +} diff --git a/deployments/properties/azure-functions-app-nodejs.properties.json b/deployments/properties/azure-functions-app-nodejs.properties.json new file mode 100644 index 0000000000..c74fe83dc3 --- /dev/null +++ b/deployments/properties/azure-functions-app-nodejs.properties.json 
@@ -0,0 +1,7 @@ +{ + "name": "Deploy Node.js to Azure Functions App", + "description": "Build a Node.js project and deploy it to an Azure Functions App on Windows or Linux.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "JavaScript", "TypeScript", "npm", "Azure Functions"] +} diff --git a/deployments/properties/azure-functions-app-powershell.properties.json b/deployments/properties/azure-functions-app-powershell.properties.json new file mode 100644 index 0000000000..bd6d80d652 --- /dev/null +++ b/deployments/properties/azure-functions-app-powershell.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy PowerShell app to Azure Functions App", + "description": "Deploy PowerShell project to an Azure Functions App on Windows or Linux.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "PowerShell", "Azure Functions"] +} diff --git a/deployments/properties/azure-functions-app-python.properties.json b/deployments/properties/azure-functions-app-python.properties.json new file mode 100644 index 0000000000..5fb61a3214 --- /dev/null +++ b/deployments/properties/azure-functions-app-python.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy Python app to Azure Functions App", + "description": "Build a Python app and deploy it to an Azure Functions App on Linux.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Python", "Pip", "Azure Functions"] +} From ad25137ca3ada5e5c710879bb33862cb3f6c9edd Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Mon, 7 Nov 2022 10:21:52 -0600 Subject: [PATCH 588/844] Update checkmarx.svg --- icons/checkmarx.svg | 81 +++++++++++++++++++++++++++++++++++++++------ 1 file changed, 71 insertions(+), 10 deletions(-) diff --git a/icons/checkmarx.svg b/icons/checkmarx.svg index fbdc9f3b67..7c5b4d9c58 100644 --- a/icons/checkmarx.svg +++ b/icons/checkmarx.svg 
@@ -1,12 +1,73 @@ - - - + + - - - - - - - + + + + + + + + + + + + + + From 417e1b988833bf9a2e61584d6ac86f0235e3116c Mon Sep 17 00:00:00 2001 From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Tue, 8 Nov 2022 14:09:19 +0100 Subject: [PATCH 589/844] Apply suggestions from code review Co-authored-by: Sampark Sharma --- code-scanning/zscan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/zscan.yml b/code-scanning/zscan.yml index 7f035f53ec..01c3b0577f 100644 --- a/code-scanning/zscan.yml +++ b/code-scanning/zscan.yml @@ -6,11 +6,11 @@ # The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) # and identifies security, privacy, and compliance-related vulnerabilities. ​ # -# Prerequisites: ​ +# Prerequisites: # * An active Zimperium zScan account is required. If you are not an existing Zimperium # zScan customer, please request a zSCAN demo by visiting https://www.zimperium.com/contact-us. # * Either GitHub Advanced Security (GHAS) or a public repository is required to display -# issues and view the remediation information inside of GitHub code scanning alerts. ​ +# issues and view the remediation information inside of GitHub code scanning alerts.​ # # For additional information and setup instructions # please visit: https://github.com/Zimperium/zScanMarketplace#readme From ff2f23cb02201f3dec599148501033e5b9e7f164 Mon Sep 17 00:00:00 2001 From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com> Date: Tue, 8 Nov 2022 16:05:26 +0200 Subject: [PATCH 590/844] Update frogbot-scan-pr.yml --- code-scanning/frogbot-scan-pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index bd1a9c2dc6..74ee41e1ba 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml 
@@ -42,7 +42,7 @@ jobs: # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request - - uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250 + - uses: jfrog/frogbot@b92e53d9631139a697cb71d9e70229a70ca56694 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) From 762810aba56b19721e194f22cf5ee461b36eb635 Mon Sep 17 00:00:00 2001 From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com> Date: Tue, 8 Nov 2022 16:05:42 +0200 Subject: [PATCH 591/844] Update frogbot-scan-and-fix.yml --- code-scanning/frogbot-scan-and-fix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 0089f10831..12414a12fc 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -37,7 +37,7 @@ jobs: # node-version: "16.x" - - uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250 + - uses: jfrog/frogbot@b92e53d9631139a697cb71d9e70229a70ca56694 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) From 4050b957a2285c70272bc6bfdb4b2443847d09cf Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez Date: Tue, 8 Nov 2022 15:34:49 -0300 Subject: [PATCH 592/844] update soos dast version --- code-scanning/soos-dast-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 47f6c4892e..8723a8b7d1 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml 
@@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Scan - uses: soos-io/soos-dast-github-action@5f8e2a1994d618e6ac9902e0f491fd1656b698e6 + uses: soos-io/soos-dast-github-action@5b9c65687cee49aee1c776759f25561f908be565 with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} From f92f22260133a67e7d13ab38b8bb6a3f64689f95 Mon Sep 17 00:00:00 2001 From: Chandni Patel Date: Tue, 8 Nov 2022 13:07:25 -0600 Subject: [PATCH 593/844] updates based on feedback --- deployments/azure-functions-app-container.yml | 57 +++++++++++++------ deployments/azure-functions-app-dotnet.yml | 34 +++++++---- deployments/azure-functions-app-java.yml | 34 +++++++---- deployments/azure-functions-app-nodejs.yml | 36 ++++++++---- .../azure-functions-app-powershell.yml | 34 +++++++---- deployments/azure-functions-app-python.yml | 34 +++++++---- ...azure-functions-app-dotnet.properties.json | 2 +- ...e-functions-app-powershell.properties.json | 2 +- 8 files changed, 164 insertions(+), 69 deletions(-) diff --git a/deployments/azure-functions-app-container.yml b/deployments/azure-functions-app-container.yml index 0984ba4c0a..7b438be026 100644 --- a/deployments/azure-functions-app-container.yml +++ b/deployments/azure-functions-app-container.yml 
@@ -1,17 +1,39 @@ -# Action Requires -# 1. Setup the AZURE_CREDENTIALS secrets in your GitHub Repository -# 2. Setup the REGISTRY_USERNAME secrets in your GitHub Repository -# 3. Setup the REGISTRY_PASSWORD secrets in your GitHub Repository -# 4. Replace REGISTRY, NAMESPACE, IMAGE, TAG in the following template with proper values -# 5. Add this yaml file to your project's .github/workflows/ -# 6. Push your local project to your GitHub Repository +# This workflow will build a container and deploy it to an Azure Functions App on Linux when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure Functions app. +# For instructions see https://learn.microsoft.com/en-us/azure/azure-functions/functions-create-function-linux-custom-image?tabs=in-process%2Cbash%2Cazure-cli&pivots=programming-language-csharp +# +# To configure this workflow: +# 1. Set up the following secrets in your repository: +# - AZURE_RBAC_CREDENTIALS +# - REGISTRY_USERNAME +# - REGISTRY_PASSWORD +# 2. Change env variables for your configuration. +# +# For more information on: +# - GitHub Actions for Azure: https://github.com/Azure/Actions +# - Azure Functions Container Action: https://github.com/Azure/functions-container-action +# - Azure Service Principal for RBAC: https://github.com/Azure/functions-action#using-azure-service-principal-for-rbac-as-deployment-credential +# +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples/tree/master/FunctionApp -name: Linux_Container_Workflow +name: Deploy container to Azure Functions App on: push: branches: - - master + - [$default-branch] + +permissions: + contents: read + +env: + AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure + LOGIN_SERVER: 'login-server' # set this to login server for your private container registry (e.g. 
'contoso.azurecr.io', 'index.docker.io' ) + REGISTRY: 'your-registry' # set this to proper value for REGISTRY + NAMESPACE: 'your-namespace' # set this to proper value for NAMESPACE + IMAGE: 'your-image' # set this to proper value for IMAGE + TAG: 'your-tag' # set this to proper value for TAG jobs: build-and-deploy: @@ -24,12 +46,12 @@ jobs: - name: 'Login via Azure CLI' uses: azure/login@v1 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} - name: 'Docker Login' uses: azure/docker-login@v1 with: - login-server: contoso.azurecr.io + login-server: ${{ env.LOGIN_SERVER }} username: ${{ secrets.REGISTRY_USERNAME }} password: ${{ secrets.REGISTRY_PASSWORD }} @@ -38,20 +60,21 @@ jobs: run: | # If your function app project is not located in your repository's root # Please change the path to your directory for docker build - docker build . -t REGISTRY/NAMESPACE/IMAGE:TAG - docker push REGISTRY/NAMESPACE/IMAGE:TAG + docker build . -t ${{ env.REGISTRY }}/${{ env.NAMESPACE }}/${{ env.IMAGE }}:${{ env.TAG }} + docker push ${{ env.REGISTRY }}/${{ env.NAMESPACE }}/${{ env.IMAGE }}:${{ env.TAG }} - name: 'Run Azure Functions Container Action' uses: Azure/functions-container-action@v1 id: fa with: - app-name: PLEASE_REPLACE_THIS_WITH_YOUR_FUNCTION_APP_NAME - image: REGISTRY/NAMESPACE/IMAGE:TAG + app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }} + image: ${{ env.REGISTRY }}/${{ env.NAMESPACE }}/${{ env.IMAGE }}:${{ env.TAG }} - #- name: 'use the published functionapp url in upcoming steps' + # If you want to display or use the functionapp url, then uncomment the task below + #- name: 'Published functionapp url' # run: | # echo "${{ steps.fa.outputs.app-url }}" - name: Azure logout run: | - az logout \ No newline at end of file + az logout diff --git a/deployments/azure-functions-app-dotnet.yml b/deployments/azure-functions-app-dotnet.yml index 40f76ab69b..7f094eb26e 100644 --- a/deployments/azure-functions-app-dotnet.yml 
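Review bot: The new trigger is written `branches:` / `- [$default-branch]`, which, if I read the starter-workflow placeholder convention correctly, becomes a nested flow sequence (`branches: [[main]]`) after substitution rather than a list of branch names; write it as `branches: [ $default-branch ]` or as a plain item `- $default-branch`. The same form is introduced in every workflow touched by this commit (dotnet, java, nodejs, powershell, python). The added `permissions:` / `contents: read` block is the right least-privilege default and should be mirrored in those sibling files.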
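Review bot: The `docker build`, `docker push` and `image:` lines now all use `${{ env.TAG }}`, whose default `'your-tag'` is a fixed value, so every run overwrites the same mutable tag and the deployed reference never says which commit is running; derive it from the commit instead, e.g. `TAG: ${{ github.sha }}` in `env:`, or pass `${{ env.IMAGE }}:${{ github.sha }}` in these three lines. The `Azure logout` step in this hunk still runs only on success; add `if: always()` so a failed push does not leave the CLI session on a self-hosted runner.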
+++ b/deployments/azure-functions-app-dotnet.yml @@ -1,15 +1,28 @@ +# This workflow will build a .NET Core project and deploy it to an Azure Functions App on Windows or Linux when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure Functions app. +# For instructions see https://learn.microsoft.com/en-us/azure/azure-functions/create-first-function-vs-code-csharp?tabs=in-process +# +# To configure this workflow: +# 1. Set up the following secrets in your repository: +# - AZURE_FUNCTIONAPP_PUBLISH_PROFILE +# 2. Change env variables for your configuration. +# +# For more information on: +# - GitHub Actions for Azure: https://github.com/Azure/Actions +# - Azure Functions Action: https://github.com/Azure/functions-action +# - Publish Profile: https://github.com/Azure/functions-action#using-publish-profile-as-deployment-credential-recommended +# - Azure Service Principal for RBAC: https://github.com/Azure/functions-action#using-azure-service-principal-for-rbac-as-deployment-credential +# +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples/tree/master/FunctionApp + name: Deploy DotNet project to Azure Function App on: - [push] + push: + branches: + - [$default-branch] -# CONFIGURATION -# For help, go to https://github.com/Azure/Actions -# -# 1. Set up the following secrets in your repository: -# AZURE_FUNCTIONAPP_PUBLISH_PROFILE -# -# 2. Change these variables for your configuration: env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your function app project, defaults to the repository root 
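Review bot: The container workflow in this same commit gains `permissions:` / `contents: read`, but this file (and the Java, Node, PowerShell and Python templates updated alongside it) does not, so they keep running with the default `GITHUB_TOKEN` scope; add the same two lines between `on:` and `env:` for consistency and least privilege. The publish-profile credential is unaffected, but the token is what a compromised third-party action would obtain. The new `branches:` entry uses the `- [$default-branch]` form, which yields a nested list after placeholder substitution; `branches: [ $default-branch ]` is the conventional spelling.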
@@ -27,7 +40,7 @@ jobs: # - name: 'Login via Azure CLI' # uses: azure/login@v1 # with: - # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} + # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository - name: Setup DotNet ${{ env.DOTNET_VERSION }} Environment uses: actions/setup-dotnet@v3 @@ -47,4 +60,5 @@ jobs: with: app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }} package: '${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}/output' - publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC \ No newline at end of file + publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC + \ No newline at end of file diff --git a/deployments/azure-functions-app-java.yml b/deployments/azure-functions-app-java.yml index 138a877d57..a00db935bb 100644 --- a/deployments/azure-functions-app-java.yml +++ b/deployments/azure-functions-app-java.yml 
@@ -1,15 +1,28 @@ +# This workflow will build a Java project and deploy it to an Azure Functions App on Windows or Linux when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure Functions app. +# For instructions see https://learn.microsoft.com/en-us/azure/azure-functions/create-first-function-vs-code-java +# +# To configure this workflow: +# 1. Set up the following secrets in your repository: +# - AZURE_FUNCTIONAPP_PUBLISH_PROFILE +# 2. Change env variables for your configuration. +# +# For more information on: +# - GitHub Actions for Azure: https://github.com/Azure/Actions +# - Azure Functions Action: https://github.com/Azure/functions-action +# - Publish Profile: https://github.com/Azure/functions-action#using-publish-profile-as-deployment-credential-recommended +# - Azure Service Principal for RBAC: https://github.com/Azure/functions-action#using-azure-service-principal-for-rbac-as-deployment-credential +# +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples/tree/master/FunctionApp + name: Deploy Java project to Azure Function App on: - [push] + push: + branches: + - [$default-branch] -# CONFIGURATION -# For help, go to https://github.com/Azure/Actions -# -# 1. Set up the following secrets in your repository: -# AZURE_FUNCTIONAPP_PUBLISH_PROFILE -# -# 2. Change these variables for your configuration: env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure POM_XML_DIRECTORY: '.' # set this to the directory which contains pom.xml file @@ -27,7 +40,7 @@ jobs: # - name: 'Login via Azure CLI' # uses: azure/login@v1 # with: - # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} + # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository - name: Setup Java Sdk ${{ env.JAVA_VERSION }} uses: actions/setup-java@v1 
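Review bot: The context line `uses: actions/setup-java@v1` is left as is while this commit moves the sibling templates to `actions/checkout@v3` and v3 of their toolchain actions; as far as I know `setup-java@v1` is deprecated and no longer receives JDK updates. Moving to `actions/setup-java@v3` requires a `distribution:` input under `with:` (that `with:` block sits just outside this hunk), so the change is `uses: actions/setup-java@v3` plus `distribution: 'temurin'` next to the existing `java-version: ${{ env.JAVA_VERSION }}`. The `JAVA_VERSION: '8'` default and its `'8', '11', '17'` examples are fine, but `8` should be documented as a legacy choice.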
@@ -48,4 +61,5 @@ jobs: app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }} package: '${{ env.POM_XML_DIRECTORY }}' # if there are multiple function apps in same project, then this path will be like './${{ env.POM_XML_DIRECTORY }}/target/azure-functions/${{ env.POM_FUNCTIONAPP_NAME }' publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC - respect-pom-xml: true \ No newline at end of file + respect-pom-xml: true + \ No newline at end of file diff --git a/deployments/azure-functions-app-nodejs.yml b/deployments/azure-functions-app-nodejs.yml index 4d7505deda..5f174554a9 100644 --- a/deployments/azure-functions-app-nodejs.yml +++ b/deployments/azure-functions-app-nodejs.yml 
@@ -1,15 +1,30 @@ +# This workflow will build a Node.js project and deploy it to an Azure Functions App on Windows or Linux when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure Functions app. +# For instructions see: +# - https://learn.microsoft.com/en-us/azure/azure-functions/create-first-function-vs-code-node +# - https://learn.microsoft.com/en-us/azure/azure-functions/create-first-function-vs-code-typescript +# +# To configure this workflow: +# 1. Set up the following secrets in your repository: +# - AZURE_FUNCTIONAPP_PUBLISH_PROFILE +# 2. Change env variables for your configuration. +# +# For more information on: +# - GitHub Actions for Azure: https://github.com/Azure/Actions +# - Azure Functions Action: https://github.com/Azure/functions-action +# - Publish Profile: https://github.com/Azure/functions-action#using-publish-profile-as-deployment-credential-recommended +# - Azure Service Principal for RBAC: https://github.com/Azure/functions-action#using-azure-service-principal-for-rbac-as-deployment-credential +# +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples/tree/master/FunctionApp + name: Deploy Node.js project to Azure Function App on: - [push] + push: + branches: + - [$default-branch] -# CONFIGURATION -# For help, go to https://github.com/Azure/Actions -# -# 1. Set up the following secrets in your repository: -# AZURE_FUNCTIONAPP_PUBLISH_PROFILE -# -# 2. Change these variables for your configuration: env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your function app project, defaults to the repository root 
@@ -27,7 +42,7 @@ jobs: # - name: 'Login via Azure CLI' # uses: azure/login@v1 # with: - # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} + # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository - name: Setup Node ${{ env.NODE_VERSION }} Environment uses: actions/setup-node@v3 @@ -49,4 +64,5 @@ jobs: with: app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }} package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }} - publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC \ No newline at end of file + publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC + \ No newline at end of file diff --git a/deployments/azure-functions-app-powershell.yml b/deployments/azure-functions-app-powershell.yml index d228efaf9a..824b94e04a 100644 --- a/deployments/azure-functions-app-powershell.yml +++ b/deployments/azure-functions-app-powershell.yml 
@@ -1,15 +1,28 @@ +# This workflow will deploy a PowerShell project to an Azure Functions App on Windows or Linux when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure Functions app. +# For instructions see https://learn.microsoft.com/en-us/azure/azure-functions/create-first-function-vs-code-powershell +# +# To configure this workflow: +# 1. Set up the following secrets in your repository: +# - AZURE_FUNCTIONAPP_PUBLISH_PROFILE +# 2. Change env variables for your configuration. +# +# For more information on: +# - GitHub Actions for Azure: https://github.com/Azure/Actions +# - Azure Functions Action: https://github.com/Azure/functions-action +# - Publish Profile: https://github.com/Azure/functions-action#using-publish-profile-as-deployment-credential-recommended +# - Azure Service Principal for RBAC: https://github.com/Azure/functions-action#using-azure-service-principal-for-rbac-as-deployment-credential +# +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples/tree/master/FunctionApp + name: Deploy PowerShell project to Azure Function App on: - [push] + push: + branches: + - [$default-branch] -# CONFIGURATION -# For help, go to https://github.com/Azure/Actions -# -# 1. Set up the following secrets in your repository: -# AZURE_FUNCTIONAPP_PUBLISH_PROFILE -# -# 2. Change these variables for your configuration: env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your function app project, defaults to the repository root @@ -26,7 +39,7 @@ jobs: # - name: 'Login via Azure CLI' # uses: azure/login@v1 # with: - # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} + # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository - name: 'Run Azure Functions Action' uses: Azure/functions-action@v1 
@@ -34,4 +47,5 @@ jobs: with: app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }} package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }} - publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC \ No newline at end of file + publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC + \ No newline at end of file diff --git a/deployments/azure-functions-app-python.yml b/deployments/azure-functions-app-python.yml index 0964914ec7..d387ba2300 100644 --- a/deployments/azure-functions-app-python.yml +++ b/deployments/azure-functions-app-python.yml 
@@ -1,15 +1,28 @@ +# This workflow will build a Python app and deploy it to an Azure Functions App on Linux when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure Functions app. +# For instructions see https://learn.microsoft.com/en-us/azure/azure-functions/create-first-function-vs-code-python?pivots=python-mode-configuration +# +# To configure this workflow: +# 1. Set up the following secrets in your repository: +# - AZURE_FUNCTIONAPP_PUBLISH_PROFILE +# 2. Change env variables for your configuration. +# +# For more information on: +# - GitHub Actions for Azure: https://github.com/Azure/Actions +# - Azure Functions Action: https://github.com/Azure/functions-action +# - Publish Profile: https://github.com/Azure/functions-action#using-publish-profile-as-deployment-credential-recommended +# - Azure Service Principal for RBAC: https://github.com/Azure/functions-action#using-azure-service-principal-for-rbac-as-deployment-credential +# +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples/tree/master/FunctionApp + name: Deploy Python project to Azure Function App on: - [push] + push: + branches: + - [$default-branch] -# CONFIGURATION -# For help, go to https://github.com/Azure/Actions -# -# 1. Set up the following secrets in your repository: -# AZURE_FUNCTIONAPP_PUBLISH_PROFILE -# -# 2. Change these variables for your configuration: env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your function app project, defaults to the repository root 
@@ -27,7 +40,7 @@ jobs: # - name: 'Login via Azure CLI' # uses: azure/login@v1 # with: - # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} + # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository - name: Setup Python ${{ env.PYTHON_VERSION }} Environment uses: actions/setup-python@v4 @@ -50,4 +63,5 @@ jobs: package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }} publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC scm-do-build-during-deployment: true - enable-oryx-build: true \ No newline at end of file + enable-oryx-build: true + \ No newline at end of file diff --git a/deployments/properties/azure-functions-app-dotnet.properties.json b/deployments/properties/azure-functions-app-dotnet.properties.json index 38e472c5b7..8ae963de03 100644 --- a/deployments/properties/azure-functions-app-dotnet.properties.json +++ b/deployments/properties/azure-functions-app-dotnet.properties.json @@ -3,5 +3,5 @@ "description": "Build a .NET Core project and deploy it to an Azure Functions App on Windows or Linux.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "C#", "aspNetCore", "Azure Functions"] + "categories": ["Deployment", "C#", "AspNetCore", "Azure Functions"] } diff --git a/deployments/properties/azure-functions-app-powershell.properties.json b/deployments/properties/azure-functions-app-powershell.properties.json index bd6d80d652..533f84f73e 100644 --- a/deployments/properties/azure-functions-app-powershell.properties.json +++ b/deployments/properties/azure-functions-app-powershell.properties.json 
@@ -1,6 +1,6 @@ { "name": "Deploy PowerShell app to Azure Functions App", - "description": "Deploy PowerShell project to an Azure Functions App on Windows or Linux.", + "description": "Deploy a PowerShell project to an Azure Functions App on Windows or Linux.", "creator": "Microsoft Azure", "iconName": "azure", "categories": ["Deployment", "PowerShell", "Azure Functions"] From a31c09a4f1fd94bb31fb3e8955e4c05c0b855cc1 Mon Sep 17 00:00:00 2001 From: Arjan Keeman Date: Tue, 15 Nov 2022 09:52:54 +0100 Subject: [PATCH 594/844] update deprecated syntax see https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/ --- deployments/aws.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployments/aws.yml b/deployments/aws.yml index 958584480d..af7d87d707 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -75,7 +75,7 @@ jobs: # be deployed to ECS. docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG . docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG - echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" + echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT - name: Fill in the new image ID in the Amazon ECS task definition id: task-def From a749535e85718bb29553b8e7f6b5217e71a5ccd1 Mon Sep 17 00:00:00 2001 From: jorgectf Date: Wed, 16 Nov 2022 01:05:10 +0100 Subject: [PATCH 595/844] Add lint workflow --- .github/workflows/lint.yaml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 .github/workflows/lint.yaml diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml new file mode 100644 index 0000000000..cd3fb3d5cf --- /dev/null +++ b/.github/workflows/lint.yaml 
@@ -0,0 +1,32 @@ +name: Lint + +on: + pull_request: + branches: + - main + +jobs: + + pre-commit: + name: pre-commit + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - uses: actions/setup-python@v4 + with: + python-version: 3.8 + cache: 'pip' + + - name: Cache pre-commit + uses: actions/cache@v3 + with: + path: ~/.cache/pre-commit + key: pre-commit-3|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }} + + - name: Install pre-commit + run: pip3 install pre-commit + + - name: Run pre-commit + run: pre-commit run --all-files --show-diff-on-failure --color always \ No newline at end of file From 6cd7a70d9f1db1f8485ccb48d863ef766fa0fbc1 Mon Sep 17 00:00:00 2001 From: jorgectf Date: Wed, 16 Nov 2022 01:05:19 +0100 Subject: [PATCH 596/844] Add pre-commit configuration file --- .pre-commit-config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .pre-commit-config.yaml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000000..7699e821c1 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,5 @@ +repos: +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.3.0 + hooks: + - id: trailing-whitespace \ No newline at end of file From 5bc87732339ec6887dbd6275cb90686464b3de3c Mon Sep 17 00:00:00 2001 From: jorgectf Date: Wed, 16 Nov 2022 01:16:46 +0100 Subject: [PATCH 597/844] Remove pip cache --- .github/workflows/lint.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index cd3fb3d5cf..76c82c2146 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -17,7 +17,6 @@ jobs: - uses: actions/setup-python@v4 with: python-version: 3.8 - cache: 'pip' - name: Cache pre-commit uses: actions/cache@v3 From edcef6ec3eb410566c2f21feaae17d5c4eacef6c Mon Sep 17 00:00:00 2001 
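Review bot: The new Lint workflow declares no `permissions:` block, so its job runs with the repository's default `GITHUB_TOKEN` scope although the steps only read the checkout and run pre-commit; a top-level `permissions:` / `  contents: read` pair inserted after `name: Lint` pins it to the least privilege that the repository's own PR checklist asks for. `python-version: 3.8` is an unquoted plain scalar that YAML reads as a float, which happens to round-trip here but turns a later bump to `3.10` into `3.1`; write `python-version: "3.8"`. In the `.pre-commit-config.yaml` hunk that follows on this line, `rev: v4.3.0` is a movable tag rather than a commit SHA, so the hook source is not immutable; if tag pinning is the intended policy, a one-line comment saying so above `rev:` would stop a later reviewer from flagging it.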
From: laurentsimon Date: Tue, 22 Nov 2022 19:23:58 +0000 Subject: [PATCH 598/844] update --- code-scanning/scorecards.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 11e305f3f3..0e42bae847 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -41,11 +41,11 @@ jobs: with: results_file: results.sarif results_format: sarif - # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if: + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: # - you want to enable the Branch-Protection check on a *public* repository, or # - you are installing Scorecards on a *private* repository # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. - # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} + # repo_token: ${{ secrets.SCORECARD_TOKEN }} # Public repositories: # - Publish results to OpenSSF REST API for easy access by consumers From d0d2da4fd3080c5a70fddd00f554a21a5aeef591 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Tue, 22 Nov 2022 13:38:23 -0600 Subject: [PATCH 599/844] Astro: Update to use the detected package manager --- pages/astro.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index 1d4ec5fcb8..54d46727d6 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -40,12 +40,10 @@ jobs: if [ -f "${{ github.workspace }}/yarn.lock" ]; then echo "::set-output name=manager::yarn" echo "::set-output name=command::install" - echo "::set-output name=runner::yarn" exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then echo "::set-output name=manager::npm" echo "::set-output name=command::ci" - echo "::set-output name=runner::npx --no-install" exit 0 else echo "Unable to determine packager manager" 
@@ -57,9 +55,14 @@ jobs: node-version: "16" cache: ${{ steps.detect-package-manager.outputs.manager }} cache-dependency-path: ${{ env.BUILD_PATH }}/package-lock.json - - run: npm install && npm run build + - name: Install dependencies + run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }} working-directory: ${{ env.BUILD_PATH }} - - uses: actions/upload-pages-artifact@v1 + - name: Build with Astro + run: ${{ steps.detect-package-manager.outputs.manager }} run build + working-directory: ${{ env.BUILD_PATH }} + - name: Upload artifact + uses: actions/upload-pages-artifact@v1 with: path: ${{ env.BUILD_PATH }}/dist From 1ffc2dce9f0e0d25af6d872223730be7badd2a93 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Tue, 22 Nov 2022 13:43:51 -0600 Subject: [PATCH 600/844] Pages: Update Node.js-based workflows to use non-deprecated mechanism for setting outputs See https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/ --- pages/astro.yml | 8 ++++---- pages/gatsby.yml | 8 ++++---- pages/nextjs.yml | 12 ++++++------ pages/nuxtjs.yml | 8 ++++---- 4 files changed, 18 insertions(+), 18 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index 54d46727d6..9f845f3f86 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -38,12 +38,12 @@ jobs: id: detect-package-manager run: | if [ -f "${{ github.workspace }}/yarn.lock" ]; then - echo "::set-output name=manager::yarn" - echo "::set-output name=command::install" + echo "manager=yarn" >> $GITHUB_OUTPUT + echo "command=install" >> $GITHUB_OUTPUT exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then - echo "::set-output name=manager::npm" - echo "::set-output name=command::ci" + echo "manager=npm" >> $GITHUB_OUTPUT + echo "command=ci" >> $GITHUB_OUTPUT exit 0 else echo "Unable to determine packager manager" diff --git a/pages/gatsby.yml b/pages/gatsby.yml index 4f2857d8ca..7db9291386 100644 
--- a/pages/gatsby.yml +++ b/pages/gatsby.yml @@ -39,12 +39,12 @@ jobs: id: detect-package-manager run: | if [ -f "${{ github.workspace }}/yarn.lock" ]; then - echo "::set-output name=manager::yarn" - echo "::set-output name=command::install" + echo "manager=yarn" >> $GITHUB_OUTPUT + echo "command=install" >> $GITHUB_OUTPUT exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then - echo "::set-output name=manager::npm" - echo "::set-output name=command::ci" + echo "manager=npm" >> $GITHUB_OUTPUT + echo "command=ci" >> $GITHUB_OUTPUT exit 0 else echo "Unable to determine packager manager" diff --git a/pages/nextjs.yml b/pages/nextjs.yml index 5c2bf67187..7e39f832ad 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -34,14 +34,14 @@ jobs: id: detect-package-manager run: | if [ -f "${{ github.workspace }}/yarn.lock" ]; then - echo "::set-output name=manager::yarn" - echo "::set-output name=command::install" - echo "::set-output name=runner::yarn" + echo "manager=yarn" >> $GITHUB_OUTPUT + echo "command=install" >> $GITHUB_OUTPUT + echo "runner=yarn" >> $GITHUB_OUTPUT exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then - echo "::set-output name=manager::npm" - echo "::set-output name=command::ci" - echo "::set-output name=runner::npx --no-install" + echo "manager=npm" >> $GITHUB_OUTPUT + echo "command=ci" >> $GITHUB_OUTPUT + echo "runner=npx --no-install" >> $GITHUB_OUTPUT exit 0 else echo "Unable to determine packager manager" diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml index 4178f18125..660202e8d6 100644 --- a/pages/nuxtjs.yml +++ b/pages/nuxtjs.yml 
@@ -34,12 +34,12 @@ jobs: id: detect-package-manager run: | if [ -f "${{ github.workspace }}/yarn.lock" ]; then - echo "::set-output name=manager::yarn" - echo "::set-output name=command::install" + echo "manager=yarn" >> $GITHUB_OUTPUT + echo "command=install" >> $GITHUB_OUTPUT exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then - echo "::set-output name=manager::npm" - echo "::set-output name=command::ci" + echo "manager=npm" >> $GITHUB_OUTPUT + echo "command=ci" >> $GITHUB_OUTPUT exit 0 else echo "Unable to determine packager manager" From c868fdbf8caaf8ec83c4b4e884a8546044d8c46b Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Tue, 22 Nov 2022 21:47:03 -0600 Subject: [PATCH 601/844] Pages: Configure Astro origin and base path using CLI arguments --- pages/astro.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/pages/astro.yml b/pages/astro.yml index 9f845f3f86..77f29248e2 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -40,10 +40,12 @@ jobs: if [ -f "${{ github.workspace }}/yarn.lock" ]; then echo "manager=yarn" >> $GITHUB_OUTPUT echo "command=install" >> $GITHUB_OUTPUT + echo "runner=yarn" >> $GITHUB_OUTPUT exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then echo "manager=npm" >> $GITHUB_OUTPUT echo "command=ci" >> $GITHUB_OUTPUT + echo "runner=npx --no-install" >> $GITHUB_OUTPUT exit 0 else echo "Unable to determine packager manager" 
@@ -55,11 +57,17 @@ jobs: node-version: "16" cache: ${{ steps.detect-package-manager.outputs.manager }} cache-dependency-path: ${{ env.BUILD_PATH }}/package-lock.json + - name: Setup Pages + id: pages + uses: actions/configure-pages@v2 - name: Install dependencies run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }} working-directory: ${{ env.BUILD_PATH }} - name: Build with Astro - run: ${{ steps.detect-package-manager.outputs.manager }} run build + run: | + ${{ steps.detect-package-manager.outputs.runner }} astro build \ + --site "${{ steps.pages.outputs.origin }}" \ + --base "${{ steps.pages.outputs.base_path }}" working-directory: ${{ env.BUILD_PATH }} - name: Upload artifact uses: actions/upload-pages-artifact@v1 From 2f81287648d16dc1cda091d44b06368c5e73af73 Mon Sep 17 00:00:00 2001 From: Nguyen Long Nhat <27698189+torn4dom4n@users.noreply.github.com> Date: Mon, 21 Nov 2022 01:17:23 +0700 Subject: [PATCH 602/844] Using node 18 --- pages/gatsby.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/gatsby.yml b/pages/gatsby.yml index 7db9291386..a288d7da56 100644 --- a/pages/gatsby.yml +++ b/pages/gatsby.yml @@ -53,7 +53,7 @@ jobs: - name: Setup Node uses: actions/setup-node@v3 with: - node-version: "16" + node-version: "18" cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages id: pages From e493e52668ef051fc37be7453871d17470f56e0e Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 29 Nov 2022 17:48:50 +0530 Subject: [PATCH 603/844] Check only certain files --- .pre-commit-config.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 7699e821c1..5d6f7eb0d3 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
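Review bot: The new `Build with Astro` step pastes `${{ steps.pages.outputs.origin }}` and `${{ steps.pages.outputs.base_path }}` straight into the `run:` shell text; both come from `actions/configure-pages`, not from pull-request input, so the exposure looks low, but inline expressions inside `run:` are the shape GitHub's hardening guidance asks to avoid because each value is substituted into the script before the shell parses it. Passing the two Pages outputs through `env:` and quoting the shell variables keeps the command identical while making the trust boundary explicit; the `runner` output stays inline because it is the command prefix rather than an argument. The `steps:` list begins above this hunk.
```yaml
      - name: Build with Astro
        env:
          PAGES_ORIGIN: ${{ steps.pages.outputs.origin }}
          PAGES_BASE_PATH: ${{ steps.pages.outputs.base_path }}
        run: |
          ${{ steps.detect-package-manager.outputs.runner }} astro build \
            --site "$PAGES_ORIGIN" \
            --base "$PAGES_BASE_PATH"
        working-directory: ${{ env.BUILD_PATH }}
# … unchanged: Setup Pages, Install dependencies and Upload artifact steps …
```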
@@ -1,5 +1,6 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks rev: v4.3.0 + files: ^automation|ci|code-scanning|deployments|pages hooks: - - id: trailing-whitespace \ No newline at end of file + - id: trailing-whitespace From ec11d3549bcc7ca2a1df7f76461d31c70313d391 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 29 Nov 2022 18:13:36 +0530 Subject: [PATCH 604/844] Check for only certain files --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5d6f7eb0d3..19bf39d63c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks rev: v4.3.0 - files: ^automation|ci|code-scanning|deployments|pages hooks: - id: trailing-whitespace + files: (automation/|ci/|code-scanning/|deployments/|pages/).*(yaml|yml|json)$ From 1716d2dcd64d64e5a33a6f72146ebc51010a7d6d Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 30 Nov 2022 10:21:45 +0000 Subject: [PATCH 605/844] Fix whitespace lint --- .github/workflows/lint.yaml | 2 +- code-scanning/checkmarx-one.yml | 12 ++++++------ .../properties/dependency-review.properties.json | 2 +- code-scanning/properties/mobsf.properties.json | 8 ++++---- code-scanning/properties/pmd.properties.json | 12 ++++++------ code-scanning/properties/semgrep.properties.json | 2 +- code-scanning/properties/sobelow.properties.json | 1 - code-scanning/properties/sonarcloud.properties.json | 2 +- 8 files changed, 20 insertions(+), 21 deletions(-) diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 76c82c2146..2bb90ed838 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -1,7 +1,7 @@ name: Lint on: - pull_request: + pull_request_target: branches: - main diff --git a/code-scanning/checkmarx-one.yml b/code-scanning/checkmarx-one.yml index d85c0c53ca..6214ab1f90 100644 --- a/code-scanning/checkmarx-one.yml 
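Review bot: In the `.pre-commit-config.yaml` hunk that moves `files:` under the hook, the pattern `(automation/|ci/|code-scanning/|deployments/|pages/).*(yaml|yml|json)$` is anchored only at the end and has no `\.` before the extension group, so it also matches a directory of that name at any depth (for example `.github/ci/x.yml`) and names that merely end in `json`. Anchoring and escaping make the intent explicit: `files: ^(automation|ci|code-scanning|deployments|pages)/.*\.(yaml|yml|json)$`. pre-commit evaluates `files` as a regex search rather than a full match, which is why the leading `^` matters.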
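Review bot: Switching the Lint trigger from `pull_request` to `pull_request_target` moves the run into the base repository's context, where the `GITHUB_TOKEN` carries the default write-capable scope and repository secrets are reachable, for a workflow whose job executes whatever hooks `.pre-commit-config.yaml` declares. With `actions/checkout@v3` at its default ref the run now checks out the base branch, so the linter no longer sees the pull request's files; the usual follow-up of adding `ref: ${{ github.event.pull_request.head.sha }}` would then combine an untrusted checkout with the privileged token, which is exactly the combination GitHub's security guidance warns against. Unless the workflow needs secrets, keep `on: pull_request:` (a fork PR still runs it with a read-only token), and in either case add a top-level `permissions:` / `  contents: read`. The `jobs:` section of lint.yaml is outside this hunk.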
+++ b/code-scanning/checkmarx-one.yml @@ -3,12 +3,12 @@ # separate terms of service, privacy policy, and support # documentation. -# The Checkmarx One GitHub Action enables you to trigger SAST, SCA, and KICS scans directly from the GitHub workflow. -# It provides a wrapper around the Checkmarx One CLI Tool which creates a zip archive from your source code repository -# and uploads it to Checkmarx One for scanning. The Github Action provides easy integration with GitHub while enabling +# The Checkmarx One GitHub Action enables you to trigger SAST, SCA, and KICS scans directly from the GitHub workflow. +# It provides a wrapper around the Checkmarx One CLI Tool which creates a zip archive from your source code repository +# and uploads it to Checkmarx One for scanning. The Github Action provides easy integration with GitHub while enabling # scan customization using the full functionality and flexibility of the CLI tool. -# This is a basic workflow to help you get started with Using Checkmarx One Action, +# This is a basic workflow to help you get started with Using Checkmarx One Action, # documentation can be found here : https://checkmarx.com/resource/documents/en/34965-68702-checkmarx-one-github-actions.html name: Checkmarx Scan @@ -30,7 +30,7 @@ jobs: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif - + # The type of runner that the job will run on runs-on: ubuntu-latest @@ -39,7 +39,7 @@ jobs: # This step checks out a copy of your repository. - name: Checkout repository uses: actions/checkout@v3 - # This step creates the Checkmarx One scan + # This step creates the Checkmarx One scan - name: Checkmarx One scan uses: checkmarx/ast-github-action@8e887bb93dacc44e0f5b64ee2b06d5815f89d4fc with: 
diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index c195c73b9e..f76aacd18a 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json @@ -13,4 +13,4 @@ "Ruby", "Actions", "PHP"] -} +} diff --git a/code-scanning/properties/mobsf.properties.json b/code-scanning/properties/mobsf.properties.json index a6afbfa7f4..fb5d65bebc 100644 --- a/code-scanning/properties/mobsf.properties.json +++ b/code-scanning/properties/mobsf.properties.json @@ -4,10 +4,10 @@ "description": "Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.", "iconName": "mobsf", "categories": [ - "Code Scanning", - "Java", - "Swift", - "Objective-C", + "Code Scanning", + "Java", + "Swift", + "Objective-C", "Kotlin" ] } \ No newline at end of file diff --git a/code-scanning/properties/pmd.properties.json b/code-scanning/properties/pmd.properties.json index b96ecb75c0..7b7970942d 100644 --- a/code-scanning/properties/pmd.properties.json +++ b/code-scanning/properties/pmd.properties.json @@ -4,12 +4,12 @@ "description": "PMD is a static source code analyzer. It supports Java, JavaScript, Apex and Visualforce, Modelica, PLSQL, Apache Velocity, XML, XSL, Scala.", "iconName": "pmd", "categories": [ - "Code Scanning", - "Java", - "JavaScript", - "Apex", - "Modelica", - "PLSQL", + "Code Scanning", + "Java", + "JavaScript", + "Apex", + "Modelica", + "PLSQL", "Apache Velocity", "XML", "XSl", diff --git a/code-scanning/properties/semgrep.properties.json b/code-scanning/properties/semgrep.properties.json index 5f74ed5358..c694b38c45 100644 --- a/code-scanning/properties/semgrep.properties.json +++ b/code-scanning/properties/semgrep.properties.json 
@@ -4,4 +4,4 @@ "description": "Continuously run Semgrep to find bugs and enforce secure code standards. Start with 1k+ community rules or write your own in a few minutes.", "iconName": "semgrep", "categories": ["Code Scanning", "Go", "Java", "JavaScript", "JSON", "Python", "Ruby", "TypeScript", "JSX", "TSX"] -} \ No newline at end of file +} \ No newline at end of file diff --git a/code-scanning/properties/sobelow.properties.json b/code-scanning/properties/sobelow.properties.json index 163e866ed8..960ac8a479 100644 --- a/code-scanning/properties/sobelow.properties.json +++ b/code-scanning/properties/sobelow.properties.json @@ -8,4 +8,3 @@ "Elixir" ] } - \ No newline at end of file diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json index 9b88a7867f..0f4e1516c9 100644 --- a/code-scanning/properties/sonarcloud.properties.json +++ b/code-scanning/properties/sonarcloud.properties.json @@ -3,5 +3,5 @@ "creator": "Sonar", "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start cleaning your code in minutes!", "iconName": "sonarcloud", - "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"] + "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"] } From 6adaff50c1b390ca04c9c668f07e996dee1a25ac Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 30 Nov 2022 10:26:21 +0000 Subject: [PATCH 606/844] Fix no newline at EOF --- code-scanning/properties/semgrep.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/code-scanning/properties/semgrep.properties.json b/code-scanning/properties/semgrep.properties.json index c694b38c45..f1fffe3910 100644 --- a/code-scanning/properties/semgrep.properties.json +++ b/code-scanning/properties/semgrep.properties.json @@ -4,4 +4,4 @@ "description": "Continuously run Semgrep to find bugs and enforce secure code standards. Start with 1k+ community rules or write your own in a few minutes.", "iconName": "semgrep", "categories": ["Code Scanning", "Go", "Java", "JavaScript", "JSON", "Python", "Ruby", "TypeScript", "JSX", "TSX"] -} \ No newline at end of file +} From f53db96ce1ca57bf1214bda95a59f2a7ec45d8b8 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 30 Nov 2022 11:04:14 +0000 Subject: [PATCH 607/844] Add supported tech stack list --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7ff406f694..fc1bd902de 100644 --- a/README.md +++ b/README.md 
@@ -29,7 +29,7 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`. * `description`: the description shown in onboarding * `iconName`: the icon name in the relevant folder, for example, `django` should have an icon `icons/django.svg`. Only SVG is supported at this time. Another option is to use [octicon](https://primer.style/octicons/). The format to use an octicon is `octicon <>`. Example: `octicon person` * `creator`: creator of the template shown in onboarding. All the workflow templates from an author will have the same `creator` field. -* `categories`: the categories that it will be shown under. Choose at least one category from the list [here](#categories). Further, choose the categories from the list of languages available [here](https://github.com/github/linguist/blob/master/lib/linguist/languages.yml). When a user views the available templates, those templates that match the same language will feature more prominently. +* `categories`: the categories that it will be shown under. Choose at least one category from the list [here](#categories). Further, choose the categories from the list of languages available [here](https://github.com/github/linguist/blob/master/lib/linguist/languages.yml) and the list of tech stacks available [here](https://github.com/github-starter-workflows/repo-analysis-partner/blob/main/tech_stacks.yml). When a user views the available templates, those templates that match the same language will feature more prominently. ### Categories * continuous-integration From 4f469603129f59fefca0072e32a2eed15002fe4c Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Thu, 1 Dec 2022 06:55:46 +0000 Subject: [PATCH 608/844] Add instructions to test templates --- README.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/README.md b/README.md index 7ff406f694..1048694d81 100644 --- a/README.md +++ b/README.md 
@@ -50,3 +50,23 @@ These variables can be placed in the starter workflow and will be substituted as * `$default-branch`: will substitute the branch from the repository, for example `main` and `master` * `$protected-branches`: will substitute any protected branches from the repository * `$cron-daily`: will substitute a valid but random time within the day + +## How to test templates before publishing + +### Disable template for public +The author should add a `labels` array in the `properties.json` file with a label `preview`. This would hide the template from GitHub UX. +Example `properties.json` file: +```json +{ + "name": "Node.js", + "description": "Build and test a Node.js project with npm.", + "iconName": "nodejs", + "categories": ["Continuous integration", "JavaScript", "npm", "React", "Angular", "Vue"], + "labels": ["preview"] +} +``` + +Then to view the template in the `actions/new` page add a URL query parameter `preview=true` and it should be visible. + +### Enable template for public +Remove the `labels` array from `properties.json` file to publish the template to public From bd3d623e07d9ec600ba22e97a047b9afb91075f9 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Thu, 1 Dec 2022 13:06:55 +0530 Subject: [PATCH 609/844] Apply suggestions from code review Co-authored-by: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1048694d81..e455e1376b 100644 --- a/README.md +++ b/README.md 
@@ -54,7 +54,7 @@ These variables can be placed in the starter workflow and will be substituted as ## How to test templates before publishing ### Disable template for public -The author should add a `labels` array in the `properties.json` file with a label `preview`. This would hide the template from GitHub UX. +The template author adds a `labels` array in the template's `properties.json` file with a label `preview`. This will hide the template from users, unless user uses query parameter `preview=true` in the URL. Example `properties.json` file: ```json { @@ -66,7 +66,7 @@ Example `properties.json` file: } ``` -Then to view the template in the `actions/new` page add a URL query parameter `preview=true` and it should be visible. +For viewing the templates with `preview` label, provide query parameter `preview=true` to the `new workflow` page URL. Eg. `https://github.com///actions/new?preview=true`. ### Enable template for public Remove the `labels` array from `properties.json` file to publish the template to public From db5c5c4b5e88807a37600118dc80be71301ba48b Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 1 Dec 2022 17:08:17 +0100 Subject: [PATCH 610/844] Apply suggestions from code review Co-authored-by: Sampark Sharma --- code-scanning/sonarqube.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/code-scanning/sonarqube.yml b/code-scanning/sonarqube.yml index 23f79da99c..68585a9d43 100644 --- a/code-scanning/sonarqube.yml +++ b/code-scanning/sonarqube.yml @@ -41,7 +41,7 @@ jobs: runs-on: ubuntu-latest steps: - - name: Analyze with SonarQube + - name: Analyze with SonarQube # You can pin the exact commit or the version. # uses: SonarSource/sonarqube-scan-action@v1.1.0 
@@ -52,7 +52,7 @@ jobs: SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # add the URL of your instance to the secrets of this repo with the name SONAR_HOST_URL (Settings > Secrets > Actions > add new repository secret) with: # Additional arguments for the sonarcloud scanner - args: + args: # Unique key of your project. You can find it in SonarQube > [my project] > Project Information (top-right menu) # mandatory -Dsonar.projectKey= @@ -63,4 +63,4 @@ jobs: # Comma-separated paths to directories containing test source files. #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. - #-Dsonar.verbose= # optional, default is false + #-Dsonar.verbose= # optional, default is false From 0cd0541922d9efdce53b33f9c49b01d6cd6ca54b Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 1 Dec 2022 17:13:18 +0100 Subject: [PATCH 611/844] added SHA to action definition --- code-scanning/sonarqube.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/sonarqube.yml b/code-scanning/sonarqube.yml index 68585a9d43..f01b9dcd4b 100644 --- a/code-scanning/sonarqube.yml +++ b/code-scanning/sonarqube.yml 
@@ -45,7 +45,7 @@ jobs: # You can pin the exact commit or the version. # uses: SonarSource/sonarqube-scan-action@v1.1.0 - uses: SonarSource/sonarqube-scan-action@v1.1.0 + uses: SonarSource/sonarqube-scan-action@7295e71c9583053f5bf40e9d4068a0c974603ec8 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on SonarQube, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) From 3408b65a7132d3f0ffa75a4e7a42aa2849f04a1d Mon Sep 17 00:00:00 2001 From: "Y. Meyer-Norwood" <106889957+norwd@users.noreply.github.com> Date: Thu, 8 Dec 2022 14:38:34 +1300 Subject: [PATCH 612/844] Update Go version to 1.19 Go 1.18 will be at end of life sometime within the coming months (Q1 2023). Go 1.19 will be around until Q3 2023, by which point 1.20 will have been released. --- ci/go.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/go.yml b/ci/go.yml index 4d95674ed1..e89f6c9fbf 100644 --- a/ci/go.yml +++ b/ci/go.yml @@ -19,7 +19,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v3 with: - go-version: 1.18 + go-version: 1.19 - name: Build run: go build -v ./... From 7a584505f5655db11a8c6f01d1913bc7ab3b0a50 Mon Sep 17 00:00:00 2001 From: "Y. Meyer-Norwood" <106889957+norwd@users.noreply.github.com> Date: Thu, 8 Dec 2022 14:41:48 +1300 Subject: [PATCH 613/844] Fixed misspelling of "privileged" --- .github/pull_request_template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 0a98861f0d..05cb4b18e9 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md 
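Review bot: Pinning `SonarSource/sonarqube-scan-action` to a full commit SHA is the right move, but the new `uses:` line carries no hint of which release the SHA resolves to, so the next reviewer cannot tell whether it still corresponds to the `v1.1.0` named in the commented line above it. Append the tag as a trailing comment once that mapping is confirmed, `uses: SonarSource/sonarqube-scan-action@7295e71c9583053f5bf40e9d4068a0c974603ec8 # v1.1.0`, after which the commented `# uses: ...@v1.1.0` line is redundant. The step's `with:` section lies outside this hunk.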
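Review bot: In the ci/go.yml hunk, `go-version: 1.19` is an unquoted plain scalar that YAML reads as a float; it round-trips for 1.19, but the same form reads `1.20` as `1.2`, so the next routine bump silently selects a different toolchain. Quote the value, `go-version: "1.19"`, so the version is always passed to `setup-go` as a string.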
@@ -26,7 +26,7 @@ It is not: - [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests"). - [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build"). - [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification. -- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully. +- [ ] Should specify least privileged [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully. **For _CI_ workflows, the workflow:** From fe2a38622547802426adddc16f8a700ac2ed0edc Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Thu, 8 Dec 2022 11:35:13 +0530 Subject: [PATCH 614/844] Update README.md Co-authored-by: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fc1bd902de..cc272b52e4 100644 --- a/README.md +++ b/README.md 
@@ -29,7 +29,7 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`. * `description`: the description shown in onboarding * `iconName`: the icon name in the relevant folder, for example, `django` should have an icon `icons/django.svg`. Only SVG is supported at this time. Another option is to use [octicon](https://primer.style/octicons/). The format to use an octicon is `octicon <>`. Example: `octicon person` * `creator`: creator of the template shown in onboarding. All the workflow templates from an author will have the same `creator` field. -* `categories`: the categories that it will be shown under. Choose at least one category from the list [here](#categories). Further, choose the categories from the list of languages available [here](https://github.com/github/linguist/blob/master/lib/linguist/languages.yml) and the list of tech stacks available [here](https://github.com/github-starter-workflows/repo-analysis-partner/blob/main/tech_stacks.yml). When a user views the available templates, those templates that match the same language will feature more prominently. +* `categories`: the categories that it will be shown under. Choose at least one category from the list [here](#categories). Further, choose the categories from the list of languages available [here](https://github.com/github/linguist/blob/master/lib/linguist/languages.yml) and the list of tech stacks available [here](https://github.com/github-starter-workflows/repo-analysis-partner/blob/main/tech_stacks.yml). When a user views the available templates, those templates that match the language and tech stacks will feature more prominently. ### Categories * continuous-integration From 1899cb68914da2e7df727fdabfc8f4277c76463d Mon Sep 17 00:00:00 2001 
From: Sampark Sharma Date: Thu, 8 Dec 2022 06:10:22 +0000 Subject: [PATCH 615/844] Fix whitespaces --- code-scanning/properties/sonarqube.properties.json | 2 +- code-scanning/sonarqube.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/code-scanning/properties/sonarqube.properties.json b/code-scanning/properties/sonarqube.properties.json index 9912c5174d..009602babb 100644 --- a/code-scanning/properties/sonarqube.properties.json +++ b/code-scanning/properties/sonarqube.properties.json @@ -3,5 +3,5 @@ "creator": "Sonar", "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start cleaning your code in minutes!", "iconName": "sonarqube", - "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"] + "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"] } diff --git a/code-scanning/sonarqube.yml b/code-scanning/sonarqube.yml index f01b9dcd4b..220e43a90a 100644 --- a/code-scanning/sonarqube.yml +++ b/code-scanning/sonarqube.yml @@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. -# This workflow helps you trigger a SonarQube analysis of your code and populates +# This workflow helps you trigger a SonarQube analysis of your code and populates # GitHub Code Scanning alerts with the vulnerabilities found. # (this feature is available starting from SonarQube 9.7, Developer Edition and above) 
@@ -11,7 +11,7 @@ # 2. Import your project on SonarQube # * Add your repository as a new project by clicking "Create project" from your homepage. -# +# # 3. Select GitHub Actions as your CI and follow the tutorial # * a. Generate a new token and add it to your GitHub repository's secrets using the name SONAR_TOKEN # (On SonarQube, click on your avatar on top-right > My account > Security or ask your administrator) @@ -39,7 +39,7 @@ permissions: jobs: Analysis: runs-on: ubuntu-latest - + steps: - name: Analyze with SonarQube From 384d799f2c7135d7c1a8c2de7c45c7b829b37c84 Mon Sep 17 00:00:00 2001 From: hadar-co Date: Wed, 23 Nov 2022 16:19:36 +0200 Subject: [PATCH 616/844] add Datree --- code-scanning/datree.yml | 44 +++++++++++++++++++ .../properties/datree.properties.json | 7 +++ icons/datree.svg | 1 + 3 files changed, 52 insertions(+) create mode 100644 code-scanning/datree.yml create mode 100644 code-scanning/properties/datree.properties.json create mode 100644 icons/datree.svg diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml new file mode 100644 index 0000000000..682ab5dd2b --- /dev/null +++ b/code-scanning/datree.yml 
@@ -0,0 +1,44 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# A sample workflow which checks out your code and scans your desired k8s config files for misconfigurations using the Datree CLI.
+# The results are then uploaded to GitHub Security Code Scanning.
+#
+# For more information and configurations options, see https://github.com/datreeio/action-datree/
+
+name: Datree
+
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ main ]
+
+jobs:
+ datree:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Run Datree policy check
+ continue-on-error: true
+ uses: hadar-co/action-datree@main
+ env:
+ # In order to use the Datree action you will need to have a Datree token.
+ # See https://hub.datree.io/setup/account-token#1-get-your-account-token-from-the-dashboard to acquire your token.
+ DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }}
+ with:
+ # Add the path to the configuration file/s that you would like to test.
+ # See https://github.com/datreeio/action-datree#usage for all available options.
+ path: test-file.yaml
+ # Setting a SARIF output will generate a file named "datree.sarif" containing your test results
+ cliArguments: "-o sarif"
+ - name: Upload result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: datree.sarif
\ No newline at end of file
diff --git a/code-scanning/properties/datree.properties.json b/code-scanning/properties/datree.properties.json
new file mode 100644
index 0000000000..99e07a58d6
--- /dev/null
+++ b/code-scanning/properties/datree.properties.json
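Review bot: `continue-on-error: true` on the Run Datree policy check step suppresses every failure of that step, not only policy violations — a missing `DATREE_TOKEN` or a wrong `path` also leaves the job green at that point, and the problem only surfaces, if at all, when the upload step cannot find `datree.sarif`. If the intent is just to let the SARIF reach Code Scanning after a failed policy check, say so on the step, e.g. `# continue-on-error: policy violations fail this step; keep going so the SARIF is still uploaded`, so nobody removes it or reads the step status as a pass/fail signal. `uses: hadar-co/action-datree@main` follows a mutable branch on a personal fork; PATCH 618 later pins this line to a commit under the datreeio organisation, which is the right shape for it.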
@@ -0,0 +1,7 @@ +{ + "name": "Datree", + "creator": "Datree", + "description": "Detect misconfigurations in your Kubernetes manifests and present them in Github code scanning", + "iconName": "datree", + "categories": ["Code Scanning", "YAML"] +} \ No newline at end of file diff --git a/icons/datree.svg b/icons/datree.svg new file mode 100644 index 0000000000..ca986c6457 --- /dev/null +++ b/icons/datree.svg @@ -0,0 +1 @@ + \ No newline at end of file From b79ff384b92634dae9948e7acda99c752827710a Mon Sep 17 00:00:00 2001 From: hadar-co Date: Wed, 23 Nov 2022 16:37:43 +0200 Subject: [PATCH 617/844] add Datree --- code-scanning/datree.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml index 682ab5dd2b..df301c7c39 100644 --- a/code-scanning/datree.yml +++ b/code-scanning/datree.yml @@ -12,10 +12,10 @@ name: Datree on: push: - branches: [ main ] + branches: [ $default-branch, $protected-branches ] pull_request: # The branches below must be a subset of the branches above - branches: [ main ] + branches: [ $default-branch ] jobs: datree: From 2fe9028318a16ee399cbb6fc832b30e3486f93b6 Mon Sep 17 00:00:00 2001 From: hadar-co Date: Wed, 7 Dec 2022 16:23:25 +0200 Subject: [PATCH 618/844] fix workflow --- code-scanning/datree.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml index df301c7c39..44afd69dbf 100644 --- a/code-scanning/datree.yml +++ b/code-scanning/datree.yml @@ -17,6 +17,9 @@ on: # The branches below must be a subset of the branches above branches: [ $default-branch ] +permissions: + contents: read + jobs: datree: permissions: 
@@ -27,7 +30,7 @@ jobs: - uses: actions/checkout@v3 - name: Run Datree policy check continue-on-error: true - uses: hadar-co/action-datree@main + uses: datreeio/action-datree@de67ae7a5133d719dc794e1b75682cd4c5f94d8a env: # In order to use the Datree action you will need to have a Datree token. # See https://hub.datree.io/setup/account-token#1-get-your-account-token-from-the-dashboard to acquire your token. @@ -41,4 +44,4 @@ jobs: - name: Upload result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: datree.sarif \ No newline at end of file + sarif_file: datree.sarif From eaef38b7d53821181be4769ca49cd73b29a1dc95 Mon Sep 17 00:00:00 2001 From: hadar-co Date: Wed, 7 Dec 2022 16:24:28 +0200 Subject: [PATCH 619/844] fix workflow --- code-scanning/properties/datree.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/datree.properties.json b/code-scanning/properties/datree.properties.json index 99e07a58d6..b7c695c658 100644 --- a/code-scanning/properties/datree.properties.json +++ b/code-scanning/properties/datree.properties.json @@ -4,4 +4,4 @@ "description": "Detect misconfigurations in your Kubernetes manifests and present them in Github code scanning", "iconName": "datree", "categories": ["Code Scanning", "YAML"] -} \ No newline at end of file +} From bf83018c61c4c637421536d74854c789df696c20 Mon Sep 17 00:00:00 2001 From: hadar-co Date: Thu, 8 Dec 2022 09:57:36 +0200 Subject: [PATCH 620/844] Update code-scanning/datree.yml Co-authored-by: Sampark Sharma --- code-scanning/datree.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml index 44afd69dbf..2e446829bc 100644 --- a/code-scanning/datree.yml +++ b/code-scanning/datree.yml 
@@ -34,7 +34,7 @@ jobs: env: # In order to use the Datree action you will need to have a Datree token. # See https://hub.datree.io/setup/account-token#1-get-your-account-token-from-the-dashboard to acquire your token. - DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }} + DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }} with: # Add the path to the configuration file/s that you would like to test. # See https://github.com/datreeio/action-datree#usage for all available options. From 9e27144d52a9ebe6f2660accc372e55385044204 Mon Sep 17 00:00:00 2001 From: Florin Coada Date: Fri, 9 Dec 2022 15:35:44 +0000 Subject: [PATCH 621/844] Add explanation on which value to use to scan Kotlin and TypeScript Added comments explaining which values should be used if the user would like to scan Kotlin or TypeScript. --- code-scanning/codeql.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 3f0ecfbd5c..002e424e00 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -34,6 +34,8 @@ jobs: matrix: language: [ $detected-codeql-languages ] # CodeQL supports [ $supported-codeql-languages ] + # Use only 'java' to analyze code written in Java, Kotlin or both + # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: From 5f790e392edb9bda28c53cb73e24c08e22aac844 Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez Date: Mon, 12 Dec 2022 16:44:33 -0300 Subject: [PATCH 622/844] update soos dast to latest version --- code-scanning/soos-dast-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 95dfd673cb..6a5a04782f 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml 
@@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Scan - uses: soos-io/soos-dast-github-action@093de8c09530d4b96f12322adeb74444def866db # Use latest version from https://github.com/marketplace/actions/soos-dast + uses: soos-io/soos-dast-github-action@3e71b27756f4ed77d7ad3c0ad92afddb47a40e4d # Use latest version from https://github.com/marketplace/actions/soos-dast with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} From 89d867e0d8e0e6a099005135a107deee089c5a32 Mon Sep 17 00:00:00 2001 From: Simon Engledew Date: Tue, 13 Dec 2022 10:30:16 +0000 Subject: [PATCH 623/844] Fix code-scanning filtering for relative paths --- script/sync-ghes/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index a320d365bf..f53d220b40 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -61,7 +61,7 @@ async function checkWorkflows( const enabled = !isPartnerWorkflow && - (workflowProperties.enterprise === true || folder !== 'code-scanning') && + (workflowProperties.enterprise === true || basename(folder) !== 'code-scanning') && (await checkWorkflow(workflowFilePath, enabledActions)); const workflowDesc: WorkflowDesc = { From 1006a379d3e0ef603884037fa614bb831b9387f6 Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez Date: Tue, 13 Dec 2022 08:40:14 -0300 Subject: [PATCH 624/844] linter --- code-scanning/soos-dast-scan.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 9b4f470b1b..99b9027095 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -45,6 +45,4 @@ jobs: - name: Upload SOOS DAST SARIF Report uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: results.sarif - - + sarif_file: results.sarif \ No newline at end of file From a2fbfc40767ff866fed3e15b2123cf514445cf24 Mon Sep 17 00:00:00 2001 
From: Sampark Sharma
Date: Tue, 13 Dec 2022 17:58:04 +0530
Subject: [PATCH 625/844] Update lint.yaml
---
.github/workflows/lint.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 2bb90ed838..a76800ca09 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -1,7 +1,7 @@
name: Lint
on:
- pull_request_target:
+ pull_request:
branches:
- main
@@ -28,4 +28,4 @@ jobs:
run: pip3 install pre-commit
- name: Run pre-commit
- run: pre-commit run --all-files --show-diff-on-failure --color always
\ No newline at end of file
+ run: pre-commit run --all-files --show-diff-on-failure --color always
From ef331a6ad4a8dcd60a1eb62f2e7ebc150d967e91 Mon Sep 17 00:00:00 2001
From: Sampark Sharma
Date: Tue, 13 Dec 2022 18:02:56 +0530
Subject: [PATCH 626/844] Update lint.yaml
---
.github/workflows/lint.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index a76800ca09..737e69c97c 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -1,7 +1,7 @@
name: Lint
on:
- pull_request:
+ pull_request_target:
branches:
- main
From 95cee2a6f2019101ee71a6b954d2feb092acef0d Mon Sep 17 00:00:00 2001
From: Chris Gavin
Date: Wed, 14 Dec 2022 12:23:14 +0000
Subject: [PATCH 627/844] Add Kotlin to CodeQL supported languages.
---
code-scanning/properties/codeql.properties.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json
index 8ee80b42cf..f5e78bf53a 100644
--- a/code-scanning/properties/codeql.properties.json
+++ b/code-scanning/properties/codeql.properties.json
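Review bot: Restoring `pull_request_target` in PATCH 626 runs the Lint job in the base repository's context, where `GITHUB_TOKEN` carries the repository's default (potentially write) permissions and repository secrets are available. The job then runs `pre-commit run --all-files`, which executes the hooks declared by the checked-out `.pre-commit-config.yaml`; the checkout step is outside the hunk, so if it checks out the pull request head, a pull request decides what runs under that token. For linting PR contents the `pull_request` trigger that PATCH 625 introduced is the safer choice; if `pull_request_target` is needed for another reason, pair it with a top-level `permissions:` block of `contents: read` and a checkout that does not run code from the PR head.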
@@ -2,7 +2,7 @@
"name": "CodeQL Analysis",
"creator": "GitHub",
"enterprise": true,
- "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.",
+ "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, Ruby and Kotlin developers.",
"iconName": "octicon mark-github",
- "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"]
+ "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby", "Kotlin"]
}
From 50c4e6f5a82cc11652504253929532f8db08f684 Mon Sep 17 00:00:00 2001
From: Joe Mooring
Date: Mon, 12 Dec 2022 13:58:51 -0800
Subject: [PATCH 628/844] Fix and improve Hugo starter action
Closes #1854
---
pages/hugo.yml | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/pages/hugo.yml b/pages/hugo.yml
index f273fb2068..05a5b50a38 100644
--- a/pages/hugo.yml
+++ b/pages/hugo.yml
@@ -30,12 +30,14 @@ jobs:
build:
runs-on: ubuntu-latest
env:
- HUGO_VERSION: 0.102.3
+ HUGO_VERSION: 0.108.0
steps:
- name: Install Hugo CLI
run: |
- wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_Linux-64bit.deb \
+ wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb \
&& sudo dpkg -i ${{ runner.temp }}/hugo.deb
+ - name: Install Dart Sass Embedded
+ run: sudo snap install dart-sass-embedded
- name: Checkout
uses: actions/checkout@v3
with:
@@ -43,6 +45,8 @@ jobs:
- name: Setup Pages
id: pages
uses: actions/configure-pages@v2
+ - name: Install Node.js dependencies
+ run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true"
- name: Build with Hugo
env:
# For maximum backward compatibility with Hugo modules
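Review bot: The Install Hugo CLI step still installs an unverified network download with `sudo dpkg -i`; the hunk only changes the artifact name to `hugo_extended_${HUGO_VERSION}_linux-amd64.deb`. Hugo publishes a checksums file with each release, so the step could fetch it next to the `.deb` and run `sha256sum --check --ignore-missing` on it before `dpkg -i`, turning a tampered or truncated download into a failed step rather than an installed package. The rest of the `build` job continues outside the hunk.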
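Review bot: In the new Install Node.js dependencies step, `|| true` applies to the whole `[[ … ]] && npm ci` chain, so a failing `npm ci` (a bad lockfile, an unreachable registry) is reported as success and the Build with Hugo step runs with missing dependencies. The step only needs to be a no-op when no lockfile exists, so write it as a conditional: `run: |` followed by `if [[ -f package-lock.json || -f npm-shrinkwrap.json ]]; then npm ci; fi`, which keeps the skip behaviour but lets a real install error fail the step.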
From d248c347a99f828503c7da2f45bf2b9a1bee494b Mon Sep 17 00:00:00 2001 From: Sam Morrow Date: Tue, 20 Dec 2022 10:18:45 +0100 Subject: [PATCH 629/844] Fix pre-commit lints (#1877) --- .github/workflows/lint.yaml | 2 +- .pre-commit-config.yaml | 2 +- deployments/azure-functions-app-dotnet.yml | 1 - deployments/azure-functions-app-java.yml | 1 - deployments/azure-functions-app-nodejs.yml | 1 - deployments/azure-functions-app-powershell.yml | 1 - deployments/azure-functions-app-python.yml | 1 - 7 files changed, 2 insertions(+), 7 deletions(-) diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 737e69c97c..263d56949e 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -16,7 +16,7 @@ jobs: - uses: actions/setup-python@v4 with: - python-version: 3.8 + python-version: 3.11 - name: Cache pre-commit uses: actions/cache@v3 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 19bf39d63c..0377bfac7b 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.3.0 + rev: v4.4.0 hooks: - id: trailing-whitespace files: (automation/|ci/|code-scanning/|deployments/|pages/).*(yaml|yml|json)$ diff --git a/deployments/azure-functions-app-dotnet.yml b/deployments/azure-functions-app-dotnet.yml index 7f094eb26e..8b2c23ba8a 100644 --- a/deployments/azure-functions-app-dotnet.yml +++ b/deployments/azure-functions-app-dotnet.yml @@ -61,4 +61,3 @@ jobs: app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }} package: '${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}/output' publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC - \ No newline at end of file diff --git a/deployments/azure-functions-app-java.yml b/deployments/azure-functions-app-java.yml index a00db935bb..0774544eaf 100644 --- a/deployments/azure-functions-app-java.yml +++ b/deployments/azure-functions-app-java.yml 
@@ -62,4 +62,3 @@ jobs: package: '${{ env.POM_XML_DIRECTORY }}' # if there are multiple function apps in same project, then this path will be like './${{ env.POM_XML_DIRECTORY }}/target/azure-functions/${{ env.POM_FUNCTIONAPP_NAME }' publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC respect-pom-xml: true - \ No newline at end of file diff --git a/deployments/azure-functions-app-nodejs.yml b/deployments/azure-functions-app-nodejs.yml index 5f174554a9..b8033f0aef 100644 --- a/deployments/azure-functions-app-nodejs.yml +++ b/deployments/azure-functions-app-nodejs.yml @@ -65,4 +65,3 @@ jobs: app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }} package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }} publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC - \ No newline at end of file diff --git a/deployments/azure-functions-app-powershell.yml b/deployments/azure-functions-app-powershell.yml index 824b94e04a..505b5afe4e 100644 --- a/deployments/azure-functions-app-powershell.yml +++ b/deployments/azure-functions-app-powershell.yml @@ -48,4 +48,3 @@ jobs: app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }} package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }} publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC - \ No newline at end of file diff --git a/deployments/azure-functions-app-python.yml b/deployments/azure-functions-app-python.yml index d387ba2300..0220227a29 100644 --- a/deployments/azure-functions-app-python.yml +++ b/deployments/azure-functions-app-python.yml @@ -64,4 +64,3 @@ jobs: publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC scm-do-build-during-deployment: true enable-oryx-build: true - \ No newline at end of file From 65ce1d1247c712eaf53538c36be403b41d2d1b6b Mon Sep 17 00:00:00 2001 
From: Matt Wang Date: Tue, 20 Dec 2022 01:22:40 -0800 Subject: [PATCH 630/844] Update all pinned versions of `ruby/setup-ruby` to latest (#1869) --- ci/ruby.yml | 2 +- ci/rubyonrails.yml | 4 ++-- code-scanning/brakeman.yml | 2 +- code-scanning/puppet-lint.yml | 2 +- code-scanning/rubocop.yml | 2 +- pages/jekyll.yml | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ci/ruby.yml b/ci/ruby.yml index 6340760d1e..e1551d58ba 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -30,7 +30,7 @@ jobs: # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, # change this to (see https://github.com/ruby/setup-ruby#versioning): # uses: ruby/setup-ruby@v1 - uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3 + uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 with: ruby-version: ${{ matrix.ruby-version }} bundler-cache: true # runs 'bundle install' and caches installed gems automatically diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index 958a104374..5102b3d97b 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -30,7 +30,7 @@ jobs: uses: actions/checkout@v3 # Add or replace dependency steps here - name: Install Ruby and gems - uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3 + uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 with: bundler-cache: true # Add or replace database setup steps here @@ -46,7 +46,7 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - name: Install Ruby and gems - uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3 + uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 with: bundler-cache: true # Add or replace any other lints here diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index 5547c592c9..d381e859f4 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml 
@@ -35,7 +35,7 @@ jobs: # Customize the ruby version depending on your needs - name: Setup Ruby - uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3 + uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 with: ruby-version: '2.7' diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml index 26b6cca0bc..0804ba9729 100644 --- a/code-scanning/puppet-lint.yml +++ b/code-scanning/puppet-lint.yml @@ -36,7 +36,7 @@ jobs: uses: actions/checkout@v3 - name: Setup Ruby - uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3 + uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 with: ruby-version: 2.7 bundler-cache: true diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml index 8018ca13c3..97a693f150 100644 --- a/code-scanning/rubocop.yml +++ b/code-scanning/rubocop.yml @@ -28,7 +28,7 @@ jobs: # If running on a self-hosted runner, check it meets the requirements # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners - name: Set up Ruby - uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3 + uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 with: ruby-version: 2.6 diff --git a/pages/jekyll.yml b/pages/jekyll.yml index d039d12b8a..b7e78f1d04 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -33,7 +33,7 @@ jobs: - name: Checkout uses: actions/checkout@v3 - name: Setup Ruby - uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3 + uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 with: ruby-version: '3.0' # Not needed with a .ruby-version file bundler-cache: true # runs 'bundle install' and caches installed gems automatically From 2d6e0ed3efd769c2c2050d24c849a2673ad9381f Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Dec 2022 13:07:32 +0000 Subject: [PATCH 631/844] Bump actions/stale from 6 to 7 Bumps [actions/stale](https://github.com/actions/stale) from 6 to 7. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/v6...v7) --- updated-dependencies: - dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/stale.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 002f30d415..0cae015fef 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/stale@v6 + - uses: actions/stale@v7 with: stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.' stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.' From 28a47a7bc4497d7b0c039030a1eba04556bf9a64 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 3 Jan 2023 13:42:22 +0530 Subject: [PATCH 632/844] Add quotes to python version (#1878) --- ci/python-package-conda.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/python-package-conda.yml b/ci/python-package-conda.yml index 57940bdb0c..384f9b727c 100644 --- a/ci/python-package-conda.yml +++ b/ci/python-package-conda.yml @@ -13,7 +13,7 @@ jobs: - name: Set up Python 3.10 uses: actions/setup-python@v3 with: - python-version: 3.10 + python-version: '3.10' - name: Add conda to system path run: | # $CONDA is an environment variable pointing to the root of the miniconda directory 
From f95dae101b48e96e89dae4c3fcbaf4a211d6d089 Mon Sep 17 00:00:00 2001
From: Mihai Maruseac
Date: Tue, 3 Jan 2023 00:18:37 -0800
Subject: [PATCH 633/844] Update SLSA generators to v1.4.0 (#1884)
Since GitHub's deprecation of `set-ouput`, the SLSA reusable workflows needed to change. This PR updates them to the latest version.
Fixes https://github.com/slsa-framework/slsa-github-generator/issues/1302
Signed-off-by: Mihai Maruseac
Signed-off-by: Mihai Maruseac
Co-authored-by: Sampark Sharma
---
ci/generator-generic-ossf-slsa3-publish.yml | 8 +++-----
ci/go-ossf-slsa3-publish.yml | 2 +-
2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml
index a249449a5a..a36e782cbf 100644
--- a/ci/generator-generic-ossf-slsa3-publish.yml
+++ b/ci/generator-generic-ossf-slsa3-publish.yml
@@ -16,8 +16,6 @@ on:
release:
types: [created]
-permissions: read-all
jobs:
build:
runs-on: ubuntu-latest
@@ -46,7 +44,7 @@ jobs:
# provenance for.
#
# ========================================================
- - name: Generate subject
+ - name: Generate subject for provenance
id: hash
run: |
set -euo pipefail
@@ -54,7 +52,7 @@ jobs:
# List the artifacts the provenance will refer to.
files=$(ls artifact*)
# Generate the subjects (base64 encoded).
- echo "::set-output name=digests::$(sha256sum $files | base64 -w0)"
+ echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
provenance:
needs: [build]
@@ -62,7 +60,7 @@ jobs:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
with:
base64-subjects: "${{ needs.build.outputs.digests }}"
upload-assets: true # Optional: Upload to a new release
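Review bot: Dropping the top-level `permissions: read-all` in the first hunk means any job without its own `permissions:` block now runs with the repository's default `GITHUB_TOKEN` permissions; the `provenance` job declares its scopes in the fourth hunk, but the `build` job's block, if it has one, is outside the hunk. Unless `build` already declares its permissions, give it an explicit `permissions:` with `contents: read` so the least-privilege default is not lost with this change.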
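Review bot: The step output written to `${GITHUB_OUTPUT}` in the third hunk is renamed from `digests` to `hashes`, but the fourth hunk still passes `${{ needs.build.outputs.digests }}` to the generator, and the `build` job's `outputs:` mapping that connects the two is outside the hunk. If that mapping still reads `steps.hash.outputs.digests`, the provenance job receives an empty subject list. Either keep the step output name, `echo "digests=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"`, or change the job output to `digests: ${{ steps.hash.outputs.hashes }}`.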
diff --git a/ci/go-ossf-slsa3-publish.yml b/ci/go-ossf-slsa3-publish.yml index b357cc07d9..79ea193f75 100644 --- a/ci/go-ossf-slsa3-publish.yml +++ b/ci/go-ossf-slsa3-publish.yml @@ -29,7 +29,7 @@ jobs: id-token: write # To sign. contents: write # To upload release assets. actions: read # To read workflow path. - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.4.0 with: go-version: 1.17 # ============================================================================================================= From 9f245d9aba830ad16a097a45c78331a05114d815 Mon Sep 17 00:00:00 2001 From: Gabriela Gutierrez Date: Tue, 3 Jan 2023 05:19:28 -0300 Subject: [PATCH 634/844] Update 'Scorecards' occurrences to 'Scorecard' (#1889) * Update Scorecard naming occurences Signed-off-by: Gabriela Gutierrez * Update Scorecard icon naming Signed-off-by: Gabriela Gutierrez * Update Scorecard workflow naming Signed-off-by: Gabriela Gutierrez Signed-off-by: Gabriela Gutierrez Co-authored-by: Sampark Sharma --- code-scanning/properties/scorecard.properties.json | 7 +++++++ code-scanning/properties/scorecards.properties.json | 7 ------- code-scanning/{scorecards.yml => scorecard.yml} | 6 +++--- icons/{scorecards.svg => scorecard.svg} | 0 4 files changed, 10 insertions(+), 10 deletions(-) create mode 100644 code-scanning/properties/scorecard.properties.json delete mode 100644 code-scanning/properties/scorecards.properties.json rename code-scanning/{scorecards.yml => scorecard.yml} (95%) rename icons/{scorecards.svg => scorecard.svg} (100%) diff --git a/code-scanning/properties/scorecard.properties.json b/code-scanning/properties/scorecard.properties.json new file mode 100644 index 0000000000..b95344db71 --- /dev/null +++ b/code-scanning/properties/scorecard.properties.json 
@@ -0,0 +1,7 @@ +{ + "name": "OSSF Scorecard", + "creator": "Open Source Security Foundation (OpenSSF)", + "description": "Scorecard is a static supply-chain security analysis tool to assess the security posture of your project", + "iconName": "scorecard", + "categories": ["Code Scanning"] +} diff --git a/code-scanning/properties/scorecards.properties.json b/code-scanning/properties/scorecards.properties.json deleted file mode 100644 index a98834c56c..0000000000 --- a/code-scanning/properties/scorecards.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "OSSF Scorecards", - "creator": "Open Source Security Foundation (OpenSSF)", - "description": "Scorecards is a static supply-chain security analysis tool to assess the security posture of your project", - "iconName": "scorecards", - "categories": ["Code Scanning"] -} diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecard.yml similarity index 95% rename from code-scanning/scorecards.yml rename to code-scanning/scorecard.yml index 0e42bae847..69cf948175 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecard.yml @@ -2,7 +2,7 @@ # by a third-party and are governed by separate terms of service, privacy # policy, and support documentation. -name: Scorecards supply-chain security +name: Scorecard supply-chain security on: # For Branch-Protection check. Only the default branch is supported. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection @@ -19,7 +19,7 @@ permissions: read-all jobs: analysis: - name: Scorecards analysis + name: Scorecard analysis runs-on: ubuntu-latest permissions: # Needed to upload the results to code-scanning dashboard. 
@@ -43,7 +43,7 @@ jobs: results_format: sarif # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: # - you want to enable the Branch-Protection check on a *public* repository, or - # - you are installing Scorecards on a *private* repository + # - you are installing Scorecard on a *private* repository # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. # repo_token: ${{ secrets.SCORECARD_TOKEN }} diff --git a/icons/scorecards.svg b/icons/scorecard.svg similarity index 100% rename from icons/scorecards.svg rename to icons/scorecard.svg From a3c3cf245cf3085f16519742863ffb583666d5f0 Mon Sep 17 00:00:00 2001 From: Paul Hodgkinson <41705651+aegilops@users.noreply.github.com> Date: Thu, 12 Jan 2023 10:57:17 +0000 Subject: [PATCH 635/844] Added Bandit starter workflow and properties file (#1859) * Added Bandit starter workflow and properties file. Python security scanner, Action by a Hubber, wraps free tool * Set icon name to one in the icons folder * Switched to Bandit's own SVG icon * Added workflow disclaimer * Fixed author name Co-authored-by: Sampark Sharma --- code-scanning/bandit.yml | 53 +++++++++++ .../properties/bandit.properties.json | 8 ++ icons/bandit.svg | 87 +++++++++++++++++++ 3 files changed, 148 insertions(+) create mode 100644 code-scanning/bandit.yml create mode 100644 code-scanning/properties/bandit.properties.json create mode 100644 icons/bandit.svg diff --git a/code-scanning/bandit.yml b/code-scanning/bandit.yml new file mode 100644 index 0000000000..a80ecef471 --- /dev/null +++ b/code-scanning/bandit.yml 
@@ -0,0 +1,53 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# Bandit is a security linter designed to find common security issues in Python code. +# This action will run Bandit on your codebase. +# The results of the scan will be found under the Security tab of your repository. + +# https://github.com/marketplace/actions/bandit-scan is ISC licensed, by abirismyname +# https://pypi.org/project/bandit/ is Apache v2.0 licensed, by PyCQA + +name: Bandit +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + bandit: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Bandit Scan + uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c + + with: # optional arguments + # exit with 0, even with results found + exit_zero: true # optional, default is DEFAULT + # Github token of the repository (automatically created by Github) + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information. + # File or directory to run bandit on + # path: # optional, default is . + # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything) + # level: # optional, default is UNDEFINED + # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. 
Default is UNDEFINED (everything) + # confidence: # optional, default is UNDEFINED + # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg) + # excluded_paths: # optional, default is DEFAULT + # comma-separated list of test IDs to skip + # skips: # optional, default is DEFAULT + # path to a .bandit file that supplies command line arguments + # ini_path: # optional, default is DEFAULT + diff --git a/code-scanning/properties/bandit.properties.json b/code-scanning/properties/bandit.properties.json new file mode 100644 index 0000000000..90566e783a --- /dev/null +++ b/code-scanning/properties/bandit.properties.json @@ -0,0 +1,8 @@ +{ + "name": "Bandit Scan", + "creator": "abirismyname", + "enterprise": false, + "description": "Bandit is free software designed to find common security issues in Python code, maintained by PyCQA", + "iconName": "bandit", + "categories": ["Code Scanning", "Python"] +} diff --git a/icons/bandit.svg b/icons/bandit.svg new file mode 100644 index 0000000000..d318652874 --- /dev/null +++ b/icons/bandit.svg @@ -0,0 +1,87 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From 91513169eaaa5cfd7b3ccebb7843ff747907e075 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Wed, 18 Jan 2023 16:21:16 -0600 Subject: [PATCH 636/844] Update all Pages starter workflows to use actions/configure-pages@v3 --- pages/astro.yml | 2 +- pages/gatsby.yml | 2 +- pages/hugo.yml | 2 +- pages/jekyll-gh-pages.yml | 2 +- pages/jekyll.yml | 2 +- pages/nextjs.yml | 2 +- pages/nuxtjs.yml | 2 +- pages/static.yml | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index 77f29248e2..1b6478fd32 100644 --- a/pages/astro.yml +++ b/pages/astro.yml 
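Review bot: The checkout step in the new `bandit.yml` uses `actions/checkout@v2` while the other starter workflows touched in this series (the Pages and psalm files) are on v3; change it to `- uses: actions/checkout@v3`. The scanner is correctly pinned to a full commit SHA, but without the `# vX.Y.Z` release comment that `scorecard.yml` puts after its pins, so a reader or Dependabot cannot tell which release the SHA is; suggest `uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c # <release tag>`. The header credits the marketplace action to `abirismyname` while `uses:` points at the `shundor` repository — presumably the same action under another owner, but the attribution should match the pinned source so a reader can verify what is actually being run.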
@@ -59,7 +59,7 @@ jobs: cache-dependency-path: ${{ env.BUILD_PATH }}/package-lock.json - name: Setup Pages id: pages - uses: actions/configure-pages@v2 + uses: actions/configure-pages@v3 - name: Install dependencies run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }} working-directory: ${{ env.BUILD_PATH }} diff --git a/pages/gatsby.yml b/pages/gatsby.yml index a288d7da56..34f15dd44b 100644 --- a/pages/gatsby.yml +++ b/pages/gatsby.yml @@ -57,7 +57,7 @@ jobs: cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages id: pages - uses: actions/configure-pages@v2 + uses: actions/configure-pages@v3 with: # Automatically inject pathPrefix in your Gatsby configuration file. # diff --git a/pages/hugo.yml b/pages/hugo.yml index 05a5b50a38..d4363fd7b2 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -44,7 +44,7 @@ jobs: submodules: recursive - name: Setup Pages id: pages - uses: actions/configure-pages@v2 + uses: actions/configure-pages@v3 - name: Install Node.js dependencies run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true" - name: Build with Hugo diff --git a/pages/jekyll-gh-pages.yml b/pages/jekyll-gh-pages.yml index 8c7a207703..792aa187fa 100644 --- a/pages/jekyll-gh-pages.yml +++ b/pages/jekyll-gh-pages.yml @@ -28,7 +28,7 @@ jobs: - name: Checkout uses: actions/checkout@v3 - name: Setup Pages - uses: actions/configure-pages@v2 + uses: actions/configure-pages@v3 - name: Build with Jekyll uses: actions/jekyll-build-pages@v1 with: diff --git a/pages/jekyll.yml b/pages/jekyll.yml index b7e78f1d04..f4f1825388 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml 
@@ -40,7 +40,7 @@ jobs: cache-version: 0 # Increment this number if you need to re-download cached gems - name: Setup Pages id: pages - uses: actions/configure-pages@v2 + uses: actions/configure-pages@v3 - name: Build with Jekyll # Outputs to the './_site' directory by default run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}" diff --git a/pages/nextjs.yml b/pages/nextjs.yml index 7e39f832ad..5bd6c150bf 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -53,7 +53,7 @@ jobs: node-version: "16" cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages - uses: actions/configure-pages@v2 + uses: actions/configure-pages@v3 with: # Automatically inject basePath in your Next.js configuration file and disable # server side image optimization (https://nextjs.org/docs/api-reference/next/image#unoptimized). diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml index 660202e8d6..e7d8891cbc 100644 --- a/pages/nuxtjs.yml +++ b/pages/nuxtjs.yml @@ -51,7 +51,7 @@ jobs: node-version: "16" cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages - uses: actions/configure-pages@v2 + uses: actions/configure-pages@v3 with: # Automatically inject router.base in your Nuxt configuration file and set # target to static (https://nuxtjs.org/docs/configuration-glossary/configuration-target/). diff --git a/pages/static.yml b/pages/static.yml index 9e0e871522..d6b719218e 100644 --- a/pages/static.yml +++ b/pages/static.yml @@ -31,7 +31,7 @@ jobs: - name: Checkout uses: actions/checkout@v3 - name: Setup Pages - uses: actions/configure-pages@v2 + uses: actions/configure-pages@v3 - name: Upload artifact uses: actions/upload-pages-artifact@v1 with: From 96f31daf6942f2589856b5825befeffc18d76322 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Mon, 23 Jan 2023 11:10:50 +0530 Subject: [PATCH 637/844] Try to fix lint error (#1914) --- code-scanning/bandit.yml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/code-scanning/bandit.yml b/code-scanning/bandit.yml index a80ecef471..1ee087c9ca 100644 --- a/code-scanning/bandit.yml +++ b/code-scanning/bandit.yml @@ -32,7 +32,6 @@ jobs: - uses: actions/checkout@v2 - name: Bandit Scan uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c - with: # optional arguments # exit with 0, even with results found exit_zero: true # optional, default is DEFAULT From 8933c0e536e5a119253824cbf3c85999444162ad Mon Sep 17 00:00:00 2001 From: Jaiveer Katariya <35347859+jaiveerk@users.noreply.github.com> Date: Mon, 23 Jan 2023 00:43:29 -0500 Subject: [PATCH 638/844] Update AKS Starter Workflows to Use Kubelogin (#1911) * update sw to use kubelogin * modified set context to use kubelogin * whitespace issue? * Reverting bandit file Co-authored-by: Bishal Prasad --- deployments/azure-kubernetes-service-helm.yml | 8 ++++++++ deployments/azure-kubernetes-service-kompose.yml | 8 ++++++++ deployments/azure-kubernetes-service-kustomize.yml | 8 ++++++++ deployments/azure-kubernetes-service.yml | 8 ++++++++ 4 files changed, 32 insertions(+) diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index 86582e77fa..c3b521e588 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -89,12 +89,20 @@ jobs: tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Use kubelogin to configure your kubeconfig for Azure auth + - name: Set up kubelogin for non-interactive login + uses: azure/use-kubelogin@v1 + with: + kubelogin-version: 'v0.0.25' + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - name: Get K8s context uses: azure/aks-set-context@v3 with: resource-group: ${{ env.RESOURCE_GROUP }} cluster-name: ${{ env.CLUSTER_NAME }} + admin: 'false' + use-kubelogin: 'true' # Runs Helm to create manifest files - name: Bake deployment 
diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index a0e6bdd22f..c2edceaee6 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -87,12 +87,20 @@ jobs: tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Use kubelogin to configure your kubeconfig for Azure auth + - name: Set up kubelogin for non-interactive login + uses: azure/use-kubelogin@v1 + with: + kubelogin-version: 'v0.0.25' + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - name: Get K8s context uses: azure/aks-set-context@v3 with: resource-group: ${{ env.RESOURCE_GROUP }} cluster-name: ${{ env.CLUSTER_NAME }} + admin: 'false' + use-kubelogin: 'true' # Runs Kompose to create manifest files - name: Bake deployment diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index 6c87057a59..1b8aa99da1 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -87,12 +87,20 @@ jobs: tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Use kubelogin to configure your kubeconfig for Azure auth + - name: Set up kubelogin for non-interactive login + uses: azure/use-kubelogin@v1 + with: + kubelogin-version: 'v0.0.25' + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - name: Get K8s context uses: azure/aks-set-context@v3 with: resource-group: ${{ env.RESOURCE_GROUP }} cluster-name: ${{ env.CLUSTER_NAME }} + admin: 'false' + use-kubelogin: 'true' # Runs Kustomize to create manifest files - name: Bake deployment diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index f0b2b3814f..f5450e539c 100644 --- a/deployments/azure-kubernetes-service.yml 
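Review bot: The new `admin: 'false'` / `use-kubelogin: 'true'` pair switches the kubeconfig from cluster-admin credentials to the Azure AD identity established by the login step above, but the hunk says nothing about what that identity must be granted, so a user pasting this template will presumably hit a Forbidden error on the later deploy steps until a Kubernetes RBAC or Azure RBAC role is assigned; add above the `Get K8s context` step a comment along the lines of `# admin: 'false' uses the identity from the login step; it needs a Kubernetes RBAC role (e.g. an Azure RBAC for Kubernetes assignment) on the cluster — confirm in the aks-set-context docs`. The same steps are added verbatim in the kompose and kustomize hunks on this line, so the comment belongs in all three. `kubelogin-version: 'v0.0.25'` is a hard pin, which is good for reproducibility; a short `# bump deliberately, kept in step across the AKS templates` note would keep future edits honest. The job header and its `permissions` block are outside the hunk.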
+++ b/deployments/azure-kubernetes-service.yml @@ -83,12 +83,20 @@ jobs: tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Use kubelogin to configure your kubeconfig for Azure auth + - name: Set up kubelogin for non-interactive login + uses: azure/use-kubelogin@v1 + with: + kubelogin-version: 'v0.0.25' + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - name: Get K8s context uses: azure/aks-set-context@v3 with: resource-group: ${{ env.RESOURCE_GROUP }} cluster-name: ${{ env.CLUSTER_NAME }} + admin: 'false' + use-kubelogin: 'true' # Deploys application based on given manifest file - name: Deploys application From d92e1f890e0f4a8dd0051b2aeb2476cb1f4bbccb Mon Sep 17 00:00:00 2001 From: Robin Neatherway Date: Mon, 23 Jan 2023 15:56:27 +0000 Subject: [PATCH 639/844] Correct indentation of "run" example --- code-scanning/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 002e424e00..f0c3bebfae 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -67,8 +67,8 @@ jobs: # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 From 63bb49fa36a7497ddf10213d052f6ba9c8eee853 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Thu, 26 Jan 2023 14:07:47 +0530 Subject: [PATCH 640/844] Update lint.yaml (#1915) --- .github/workflows/lint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 263d56949e..b526eeb8d2 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml 
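Review bot: The rationale for `admin: 'false'` is not recorded in any of the four AKS templates, which makes it likely that a user who hits an RBAC error will simply flip it back to `'true'` and regain the shared cluster-admin kubeconfig; add a why-comment above `admin: 'false'` such as `# Non-admin: deploy as the workflow's Azure AD identity so cluster actions are RBAC-scoped and attributable; grant the identity a role rather than setting admin: 'true' to get past a Forbidden error`. The `kubelogin-version: 'v0.0.25'` pin is now duplicated in four files, so a comment naming the sibling templates to bump together would keep them consistent. The `Deploys application` step and the job header lie outside the hunk.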
@@ -1,7 +1,7 @@ name: Lint on: - pull_request_target: + pull_request: branches: - main From f35be5c494bbd11675293a19c91e471191d9d66d Mon Sep 17 00:00:00 2001 From: Emmanuel Roullit Date: Fri, 27 Jan 2023 13:58:39 +0100 Subject: [PATCH 641/844] icon: refresh psalm logo Signed-off-by: Emmanuel Roullit --- icons/psalm.svg | 24 +----------------------- 1 file changed, 1 insertion(+), 23 deletions(-) diff --git a/icons/psalm.svg b/icons/psalm.svg index 3533e2dac3..fd9d3474af 100644 --- a/icons/psalm.svg +++ b/icons/psalm.svg @@ -1,23 +1 @@ - - - - - - - - - - - - - - - - - - - - - - - + \ No newline at end of file From ac13a846c956442df592a674cac09e7208c1ed3e Mon Sep 17 00:00:00 2001 From: Emmanuel Roullit Date: Fri, 27 Jan 2023 14:04:26 +0100 Subject: [PATCH 642/844] ci: remove trailing whitespaces Signed-off-by: Emmanuel Roullit --- code-scanning/properties/psalm.properties.json | 2 +- code-scanning/psalm.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/code-scanning/properties/psalm.properties.json b/code-scanning/properties/psalm.properties.json index cba67b416d..381a31277a 100644 --- a/code-scanning/properties/psalm.properties.json +++ b/code-scanning/properties/psalm.properties.json @@ -4,7 +4,7 @@ "description": "Psalm is a static analysis tool for finding errors in PHP applications", "iconName": "psalm", "categories": [ - "Code Scanning", + "Code Scanning", "PHP" ] } diff --git a/code-scanning/psalm.yml b/code-scanning/psalm.yml index b4c7aba254..d6226a15d5 100644 --- a/code-scanning/psalm.yml +++ b/code-scanning/psalm.yml 
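Review bot: Moving `Lint` from `pull_request_target` to `pull_request` is the right call for a job that lints PR content — under `pull_request_target` the workflow runs in the base context with secrets and a write-capable token against fork-supplied files — but the job body is outside the hunk, so check that it does not still check out `github.event.pull_request.head.sha`, which was only needed under the old trigger and is now redundant. A comment on the trigger would stop the next person from "fixing" it back: `# pull_request, not pull_request_target: PR code is linted here and must not run with a privileged token or secrets`. If the file has no top-level `permissions:` block, `permissions: contents: read` would also cap the token for same-repo branches, where `pull_request` may still issue a write-capable token depending on the repository default.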
@@ -9,21 +9,21 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ $default-branch ] + branches: [ $default-branch ] schedule: - cron: $cron-weekly jobs: php-security: runs-on: ubuntu-latest - + steps: - name: Checkout code uses: actions/checkout@v2 - name: Psalm Security Scan uses: psalm/psalm-github-security-scan@f3e6fd9432bc3e44aec078572677ce9d2ef9c287 - + - name: Upload Security Analysis results to GitHub uses: github/codeql-action/upload-sarif@v1 with: From f07709949e75d13e1511700953273eb80da4635c Mon Sep 17 00:00:00 2001 From: Emmanuel Roullit Date: Fri, 27 Jan 2023 14:13:04 +0100 Subject: [PATCH 643/844] ci: restrict starter workflow permissions Signed-off-by: Emmanuel Roullit --- code-scanning/psalm.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/code-scanning/psalm.yml b/code-scanning/psalm.yml index d6226a15d5..d35787e179 100644 --- a/code-scanning/psalm.yml +++ b/code-scanning/psalm.yml @@ -9,13 +9,21 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: + # The branches below must be a subset of the branches above branches: [ $default-branch ] schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: php-security: runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code @@ -27,4 +35,4 @@ jobs: - name: Upload Security Analysis results to GitHub uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: results.sarif \ No newline at end of file + sarif_file: results.sarif From 3a818c491024917b28e503cbac0e1aa1d07a8fbd Mon Sep 17 00:00:00 2001 From: Emmanuel Roullit Date: Fri, 27 Jan 2023 14:13:37 +0100 Subject: [PATCH 644/844] ci: bump github actions version 
Signed-off-by: Emmanuel Roullit --- code-scanning/psalm.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/psalm.yml b/code-scanning/psalm.yml index d35787e179..1e88766bd1 100644 --- a/code-scanning/psalm.yml +++ b/code-scanning/psalm.yml @@ -27,12 +27,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Psalm Security Scan uses: psalm/psalm-github-security-scan@f3e6fd9432bc3e44aec078572677ce9d2ef9c287 - name: Upload Security Analysis results to GitHub - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif From a248253343fd89ef758e1f6044b935515e932f71 Mon Sep 17 00:00:00 2001 From: vitorveiga Date: Tue, 31 Jan 2023 10:55:13 +0000 Subject: [PATCH 645/844] Add Jscrambler Code Integrity starter workflow (#1893) * Add Jscrambler Code Integrity starter workflow * Use hash commit * fix: missing permissions and improve description * chore: move to code scanning category * chore: workflow checks review --- code-scanning/jscrambler-code-integrity.yml | 47 +++++++++++++++++++ .../jscrambler-code-integrity.properties.json | 7 +++ icons/jscrambler.svg | 1 + 3 files changed, 55 insertions(+) create mode 100644 code-scanning/jscrambler-code-integrity.yml create mode 100644 code-scanning/properties/jscrambler-code-integrity.properties.json create mode 100644 icons/jscrambler.svg diff --git a/code-scanning/jscrambler-code-integrity.yml b/code-scanning/jscrambler-code-integrity.yml new file mode 100644 index 0000000000..cbc934509c --- /dev/null +++ b/code-scanning/jscrambler-code-integrity.yml 
@@ -0,0 +1,47 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This is a basic workflow to help you get started with Using Jscrambler Code Integrity Action. +# It automates the protection of your JavaScript Applications, so you can run it whenever a new version of your application is built. +# A Jscrambler account is required to use this Workflow. +# +# More info can be found here : https://docs.jscrambler.com/latest/code-integrity/documentation/github-ci-integration + +name: Jscrambler Code Integrity + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 + with: + node-version: 18 + - run: npm ci + - run: npm run build + - name: Jscrambler Code Integrity + id: jscrambler + # the complete list of inputs can be found here: https://github.com/marketplace/actions/jscrambler#inputs + uses: jscrambler/code-integrity-actions/protect@ab65962a2ecffcc362b75a997e24a181d0bde5fb + with: + application-id: ${{ secrets.JSCRAMBLER_APPLICATION_ID }} # This value should be created within your Jscrambler account + secret-key: ${{ secrets.JSCRAMBLER_SECRET_KEY }} # This value can be found in your Jscrambler account + access-key: ${{ secrets.JSCRAMBLER_ACCESS_KEY }} # This value can be found in your Jscrambler account + jscrambler-config-path: jscrambler.json # Download from your Jscrambler account + files-src: | # List of Files to be protected + dist/**/* + files-dest: . 
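Review bot: Nothing after the `Jscrambler Code Integrity` step persists or publishes the protected output written to `files-dest: .`, so on a hosted runner the result is discarded when the job ends; either add an `actions/upload-artifact@v3` step for the protected `dist/` tree or a comment saying users are expected to append their own publish step. On `pull_request` events from forks the three `JSCRAMBLER_*` secrets are empty and the step will fail, which is worth a line in the header comment or an `if: github.event.pull_request.head.repo.full_name == github.repository` on the step. The action is SHA-pinned, which is good, but a `# <release tag>` comment after the pin, as `scorecard.yml` does, would make the version reviewable.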
diff --git a/code-scanning/properties/jscrambler-code-integrity.properties.json b/code-scanning/properties/jscrambler-code-integrity.properties.json new file mode 100644 index 0000000000..f231d5c2fc --- /dev/null +++ b/code-scanning/properties/jscrambler-code-integrity.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Jscrambler Code Integrity", + "description": "Protect your JavaScript Application with polymorphic obfuscation, code locks, and self-defensive techniques", + "creator": "Jscrambler", + "iconName": "jscrambler", + "categories": ["Code Scanning", "JavaScript", "HTML"] +} diff --git a/icons/jscrambler.svg b/icons/jscrambler.svg new file mode 100644 index 0000000000..17f79b78f8 --- /dev/null +++ b/icons/jscrambler.svg @@ -0,0 +1 @@ + \ No newline at end of file From ea28b603a3a237371a836a7d6124d4f868f78e3a Mon Sep 17 00:00:00 2001 From: Dylan Smith Date: Tue, 31 Jan 2023 11:56:30 +0000 Subject: [PATCH 646/844] Use updated Azure logo (#1922) --- icons/azure.svg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/icons/azure.svg b/icons/azure.svg index 2ff63c104e..3b89df5f18 100644 --- a/icons/azure.svg +++ b/icons/azure.svg @@ -1 +1 @@ - \ No newline at end of file + From c26da3749c8d37900fd0ac34b90056670424a926 Mon Sep 17 00:00:00 2001 From: ElizabethBarrord Date: Thu, 2 Feb 2023 17:31:49 +0000 Subject: [PATCH 647/844] adding credo workflow --- code-scanning/credo.yml | 60 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 code-scanning/credo.yml diff --git a/code-scanning/credo.yml b/code-scanning/credo.yml new file mode 100644 index 0000000000..f69159b8da --- /dev/null +++ b/code-scanning/credo.yml 
@@ -0,0 +1,60 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + + +# Credo is a static code analysis tool for the Elixir language with a focus on teaching and code consistency. +# https://github.com/rrrene/credo +# +# To use this workflow, you must have GitHub Advanced Security (GHAS) enabled for your repository. +# +# Instructions: +# 1. Add :credo as a dependency to your project's mix.exs with version ~> 1.7.0-rc.1 - https://github.com/rrrene/credo#installation-and-usage +# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository +# and review the "Security" tab once the action has run. + +name: Credo + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + otp: [version] + elixir: [version] + steps: + - uses: actions/checkout@v3 + - uses: erlef/setup-beam@v1 + with: + otp-version: ${{matrix.otp}} + elixir-version: ${{matrix.elixir}} + - name: get dependencies + run: mix deps.get + - name: compile dependencies + run: mix deps.compile + - name: compile + run: mix compile + - name: credo-scan + run: mix credo --format=sarif > credo_output.sarif + - name: upload sarif + uses: github/codeql-action/upload-sarif@v2 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: credo_output.sarif From dd99cc07334b542d7991237f376d3791b470c643 Mon Sep 17 00:00:00 2001 
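Review bot: `mix credo` exits non-zero when it finds issues (Credo's exit-status feature; confirm against the `--mute-exit-status` option in the installed version), so the `credo-scan` step fails on the first finding and the `upload sarif` step never runs — exactly when the results matter; add `continue-on-error: true` to the `credo-scan` step, or append `--mute-exit-status` to the command, so the SARIF still reaches the Security tab. The matrix values `otp: [version]` and `elixir: [version]` are placeholders that will fail `setup-beam` as-is, and the header instructions never mention them; add a comment such as `# Replace with the OTP/Elixir versions you test on, quoted so YAML keeps them as strings, e.g. otp: ['25.2'] elixir: ['1.14.3']`. `erlef/setup-beam@v1` is a floating tag; if erlef is not a verified creator for this catalog, pin it to a full SHA like the other third-party actions in this directory.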
From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com> Date: Wed, 8 Feb 2023 14:19:57 +0200 Subject: [PATCH 648/844] Frogbot update (#1925) * Update Frogbot starter workflows * Update * Update Frogbot starter-workflows commit hash --- code-scanning/frogbot-scan-and-fix.yml | 39 ++++++++---------- code-scanning/frogbot-scan-pr.yml | 55 +++++++++----------------- 2 files changed, 35 insertions(+), 59 deletions(-) diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 12414a12fc..96dcfb5513 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -7,6 +7,9 @@ # Uses JFrog Xray to scan the project. # Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot +# Frogbot uses a frogbot-config.yml file to run. The following article will guide you through the process of creating this file: +# https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md + name: "Frogbot Scan and Fix" on: push: 
@@ -21,36 +24,28 @@ jobs: steps: - uses: actions/checkout@v3 - # Install prerequisites - uncomment the relevant one - - # - uses: actions/setup-go@v3 - # with: - # go-version: 1.17.x - - # - uses: actions/setup-java@v3 - # with: - # java-version: "11" - # distribution: "temurin" + # IMPORTANT: + # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix + # 2. Frogbot requires a frogbot-config.yml to run. Read more about in the following link - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md - # - uses: actions/setup-node@v3 - # with: - # node-version: "16.x" - - - - uses: jfrog/frogbot@b92e53d9631139a697cb71d9e70229a70ca56694 + - uses: jfrog/frogbot@8daba7e9515dbc898012367c71c1018449cd7716 env: # [Mandatory] - # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) - JF_URL: ${{ secrets.FROGBOT_URL }} + # JFrog platform URL + JF_URL: ${{ secrets.JF_URL }} # [Mandatory if JF_USER and JF_PASSWORD are not provided] # JFrog access token with 'read' permissions on Xray service - JF_ACCESS_TOKEN: ${{ secrets.FROGBOT_ACCESS_TOKEN }} + JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} # [Mandatory] # The GitHub token automatically generated for the job JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # [Mandatory if using npm] - # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "npm i" + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD + # JF_USER: ${{ secrets.JF_USER }} + + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog password. Must be provided with JF_USER + # JF_PASSWORD: ${{ secrets.JF_PASSWORD }} \ No newline at end of file diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index 74ee41e1ba..fe7d125df6 100644 
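Review bot: The updated `jfrog/frogbot@8daba7e9515dbc898012367c71c1018449cd7716` pin has no release comment, so a reader cannot tell which Frogbot version the SHA corresponds to; write it as `- uses: jfrog/frogbot@8daba7e9515dbc898012367c71c1018449cd7716 # <release tag>` as `scorecard.yml` and `docker-publish.yml` do. The rewritten `JF_URL` comment drops the old note that the feature needs Xray 3.29.0 or above — if that minimum still applies it should stay, since a too-old Xray presumably fails with an unhelpful error. The file still ends without a trailing newline (`\ No newline at end of file`), which the repository's lint workflow may flag. The job's `permissions` and `runs-on` are outside the hunk.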
--- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml @@ -7,6 +7,9 @@ # Uses JFrog Xray to scan the project. # Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot +# Frogbot uses a frogbot-config.yml file to run. The following article will guide you through the process of creating this file: +# https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md + name: "Frogbot Scan Pull Request" on: pull_request_target: 
@@ -19,57 +22,35 @@ jobs: runs-on: ubuntu-latest # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the # "frogbot" GitHub environment can approve the pull request to be scanned. + # Read more here (Install Frogbot Using GitHub Actions): https://github.com/jfrog/frogbot/blob/master/docs/install-github.md environment: frogbot steps: - uses: actions/checkout@v2 with: ref: ${{ github.event.pull_request.head.sha }} - # Install prerequisites - uncomment the relevant ones - - # - uses: actions/setup-go@v3 - # with: - # go-version: 1.17.x - - # - uses: actions/setup-java@v3 - # with: - # java-version: "11" - # distribution: "temurin" - - # - uses: actions/setup-node@v3 - # with: - # node-version: "16.x" - - # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request + # IMPORTANT: + # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix + # 2. Frogbot requires a frogbot-config.yml to run. Read more about in the following link - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md - - uses: jfrog/frogbot@b92e53d9631139a697cb71d9e70229a70ca56694 + - uses: jfrog/frogbot@8daba7e9515dbc898012367c71c1018449cd7716 env: # [Mandatory] - # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) + # JFrog platform URL JF_URL: ${{ secrets.JF_URL }} - # [Mandatory if JF_ACCESS_TOKEN is not provided] - # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD - JF_USER: ${{ secrets.JF_USER }} - - # [Mandatory if JF_ACCESS_TOKEN is not provided] - # JFrog password. 
Must be provided with JF_USER - JF_PASSWORD: ${{ secrets.JF_PASSWORD }} + # [Mandatory if JF_USER and JF_PASSWORD are not provided] + # JFrog access token with 'read' permissions on Xray service + JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} # [Mandatory] # The GitHub token automatically generated for the job JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # [Mandatory if JF_USER and JF_PASSWORD are not provided] - # JFrog access token with 'read' permissions on Xray service - # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} - - # [Mandatory when using npm] - # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "npm i" - - # [Mandatory when using .NET] - # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "dotnet restore" + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD + # JF_USER: ${{ secrets.JF_USER }} - # The full template list with full optional environment variables can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog password. Must be provided with JF_USER + # JF_PASSWORD: ${{ secrets.JF_PASSWORD }} \ No newline at end of file From 5343fe6869403f9be2246dee0c94c3b6dafcc7c4 Mon Sep 17 00:00:00 2001 From: Milos Pantic <101411245+panticmilos@users.noreply.github.com> Date: Fri, 10 Feb 2023 09:04:29 +0100 Subject: [PATCH 649/844] Change event to pull_request_target (#1930) Co-authored-by: Sampark Sharma --- automation/label.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/automation/label.yml b/automation/label.yml index a8a1bd725b..4613569074 100644 --- a/automation/label.yml +++ b/automation/label.yml @@ -6,7 +6,7 @@ # https://github.com/actions/labeler name: Labeler -on: [pull_request] +on: [pull_request_target] jobs: label: From d31bcb967ace062e1663d3e227bb04bcb83e33f6 Mon Sep 17 00:00:00 2001 
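Review bot: Under the `pull_request_target` trigger shown in this file the checkout step pulls `github.event.pull_request.head.sha` and still uses `actions/checkout@v2` with the default `persist-credentials`, so the GITHUB_TOKEN is written into `.git/config` in a tree whose install and build scripts come from the PR author; add `persist-credentials: false` under the checkout `with:` (Frogbot receives its own token through `JF_GIT_TOKEN`) and bump to `actions/checkout@v3` to match `frogbot-scan-and-fix.yml`. The `environment: frogbot` approval is the only gate, so the comment above it should state that approvers must read the PR diff before approving, because approval runs the PR's code with secrets. The new IMPORTANT comment links to `docs/templates/github-actions/scan-and-fix` although this is the scan-pull-request workflow — it looks like a copy-paste from the sibling file; verify the intended path.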
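Review bot: `pull_request_target` is what lets the labeler write labels on fork PRs, but it also runs the job in the base-repository context with a write-capable token, and the hunk records no rationale or constraint for that; add above the trigger `# pull_request_target: runs with the base repo's token so fork PRs can be labelled — never check out or execute PR-head code in this workflow`. If the job (outside the hunk) has no `permissions:` block, `permissions: contents: read` plus `pull-requests: write` is the minimum the labeler needs and would cap the token.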
From: Ouvill Date: Fri, 10 Feb 2023 17:05:33 +0900 Subject: [PATCH 650/844] fix update cosign version on docker-publish.yml (#1917) upgrade cosign version https://github.com/sigstore/cosign/releases/tag/v1.13.1 The current version is out of date and the following error occurs ``` getting signer: getting key from Fulcio: verifying SCT: updating local metadata and targets: error updating to TUF remote mirror: tuf: invalid key ``` Co-authored-by: Sampark Sharma --- ci/docker-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 11dd662de4..d57b2f1bd3 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -43,7 +43,7 @@ jobs: if: github.event_name != 'pull_request' uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 with: - cosign-release: 'v1.11.0' + cosign-release: 'v1.13.1' # Workaround: https://github.com/docker/build-push-action/issues/461 From 62569bfea96e8c89515a814c93df67a973323738 Mon Sep 17 00:00:00 2001 From: "Tajinder Singh (TJ)" Date: Wed, 15 Feb 2023 13:27:26 +0100 Subject: [PATCH 651/844] Add defender for devops workflow (#1940) * Created new workflow for defender for devops * Create defender-for-devops.properties.json * fixed pr comments * fixed linting issues * fixed linting issues * removed trailing white space * changed from preview to v1.6.0 --- code-scanning/defender-for-devops.yml | 43 +++++++++++++++++++ .../defender-for-devops.properties.json | 7 +++ 2 files changed, 50 insertions(+) create mode 100644 code-scanning/defender-for-devops.yml create mode 100644 code-scanning/properties/defender-for-devops.properties.json diff --git a/code-scanning/defender-for-devops.yml b/code-scanning/defender-for-devops.yml new file mode 100644 index 0000000000..c521f3697e --- /dev/null +++ b/code-scanning/defender-for-devops.yml 
@@ -0,0 +1,43 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# Microsoft Security DevOps (MSDO) is a command line application which integrates static analysis tools into the development cycle.
+# MSDO installs, configures and runs the latest versions of static analysis tools
+# (including, but not limited to, SDL/security and compliance tools).
+#
+# The Microsoft Security DevOps action is currently in beta and runs on the windows-latest queue,
+# as well as Windows self hosted agents. ubuntu-latest support coming soon.
+#
+# For more information about the action , check out https://github.com/microsoft/security-devops-action
+
+name: "Microsoft Defender For Devops"
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ MSDO:
+ # currently only windows latest is supported
+ runs-on: windows-latest
+
+ steps:
+ - uses: actions/checkout@v3
+ - uses: actions/setup-dotnet@v3
+ with:
+ dotnet-version: |
+ 5.0.x
+ 6.0.x
+ - name: Run Microsoft Security DevOps
+ uses: microsoft/security-devops-action@v1.6.0
+ id: msdo
+ - name: Upload results to Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ${{ steps.msdo.outputs.sarifFile }}
diff --git a/code-scanning/properties/defender-for-devops.properties.json b/code-scanning/properties/defender-for-devops.properties.json
new file mode 100644
index 0000000000..23b01d3b02
--- /dev/null
+++ b/code-scanning/properties/defender-for-devops.properties.json
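Review bot: The new workflow declares no `permissions:` block, so the `upload-sarif` step at the end of the hunk depends on the repository's default token scope instead of requesting `security-events: write` explicitly, unlike the other code-scanning templates on this page (snyk-security.yml, credo.yml). A job-level `permissions:` with `contents: read` and `security-events: write` (plus `actions: read` for private repositories) keeps the token least-privilege and makes the SARIF upload work regardless of the org's default setting. Separately, `microsoft/security-devops-action@v1.6.0` is a third-party action pinned to a mutable tag, whereas the other third-party actions in this repository are pinned to a commit SHA with the version in a trailing comment.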
@@ -0,0 +1,7 @@ +{ + "name": "Microsoft Defender For DevOps Scan", + "creator": "Microsoft", + "description": "Defender for devops helps integrate multiple tools with GitHub Advanced Security and sends the results to Defender for cloud dashbord.", + "iconName": "microsoft", + "categories": ["Code Scanning", "IaC","Docker Images", "Defender For DevOps", "EsLint", "Bandit", "Trivy", "BinSkim", "TemplateAnalyzer"] +} From 10f6091ee89f01509479e792e3f982ea3d615fdb Mon Sep 17 00:00:00 2001 From: Chris Carini <6374067+ChrisCarini@users.noreply.github.com> Date: Wed, 15 Feb 2023 22:09:52 -0800 Subject: [PATCH 652/844] Update scorecard.yml with latest releases (#1944) Update scorecard.yml with latest releases for ossf/scorecard-action & github/codeql-action/upload-sarif --- code-scanning/scorecard.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index 69cf948175..19b9b00f29 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml @@ -37,7 +37,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6 + uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 with: results_file: results.sarif results_format: sarif @@ -67,6 +67,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100 # v2.1.27 + uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 with: sarif_file: results.sarif From 1d039e1607c98d9b9a705102315b43896ad10633 Mon Sep 17 00:00:00 2001 
From: "Tajinder Singh (TJ)" Date: Tue, 21 Feb 2023 13:50:42 +0100 Subject: [PATCH 653/844] fixed typo (#1942) * fixed typo * Update defender-for-devops.yml * update to valid categories * fixed request changes --- code-scanning/defender-for-devops.yml | 4 ++++ code-scanning/properties/defender-for-devops.properties.json | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/code-scanning/defender-for-devops.yml b/code-scanning/defender-for-devops.yml index c521f3697e..71971cdcc2 100644 --- a/code-scanning/defender-for-devops.yml +++ b/code-scanning/defender-for-devops.yml @@ -11,6 +11,10 @@ # as well as Windows self hosted agents. ubuntu-latest support coming soon. # # For more information about the action , check out https://github.com/microsoft/security-devops-action +# +# Please note this workflow do not integrate your GitHub Org with Microsoft Defender For DevOps. You have to create an integration +# and provide permission before this can report data back to azure. +# Read the official documentation here : https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-github name: "Microsoft Defender For Devops" diff --git a/code-scanning/properties/defender-for-devops.properties.json b/code-scanning/properties/defender-for-devops.properties.json index 23b01d3b02..495fa26875 100644 --- a/code-scanning/properties/defender-for-devops.properties.json +++ b/code-scanning/properties/defender-for-devops.properties.json 
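Review bot: The added header comment reads `Please note this workflow do not integrate your GitHub Org with Microsoft Defender For DevOps`; it should be `does not integrate`, and `azure` on the following line is the product name, `Azure`. This is the sentence a user reads when no data shows up in Defender for Cloud, so the wording is worth getting right.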
@@ -1,7 +1,7 @@ { "name": "Microsoft Defender For DevOps Scan", "creator": "Microsoft", - "description": "Defender for devops helps integrate multiple tools with GitHub Advanced Security and sends the results to Defender for cloud dashbord.", + "description": "Defender for DevOps helps integrate multiple tools with GitHub Advanced Security and sends the results to Defender for Cloud dashboard.", "iconName": "microsoft", - "categories": ["Code Scanning", "IaC","Docker Images", "Defender For DevOps", "EsLint", "Bandit", "Trivy", "BinSkim", "TemplateAnalyzer"] + "categories": ["Code Scanning", "HCL","Dockerfile", "Python", "JavaScript", "EcmaScript", "TypeScript"] } From 77bc6e809fc1431ae3f609be5f4c35b63a5964d0 Mon Sep 17 00:00:00 2001 From: ElizabethBarrord Date: Wed, 22 Feb 2023 15:39:47 +0000 Subject: [PATCH 654/844] add credo properties --- code-scanning/properties/credo.properties.json | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 code-scanning/properties/credo.properties.json diff --git a/code-scanning/properties/credo.properties.json b/code-scanning/properties/credo.properties.json new file mode 100644 index 0000000000..3a86a10e92 --- /dev/null +++ b/code-scanning/properties/credo.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Credo Scan", + "creator": "Credo", + "description": "Credo is a static code analysis tool for the Elixir language with a focus on teaching and code consistency.", + "categories": ["Code Scanning", "Elixir"] +} \ No newline at end of file From 44ca9a5fd13509852c27c825be45925da1e2c6b5 Mon Sep 17 00:00:00 2001 From: jongwooo Date: Tue, 28 Feb 2023 00:18:12 +0900 Subject: [PATCH 655/844] Replace deprecated command with environment file --- code-scanning/detekt.yml | 2 +- deployments/azure-webapps-php.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index a13a5170a7..15aeb45524 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml 
@@ -77,7 +77,7 @@ jobs: fi DETEKT_DOWNLOAD_URL=$(jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' gh_response.json) - echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL" + echo "download_url=$DETEKT_DOWNLOAD_URL" >> $GITHUB_OUTPUT # Sets up the detekt cli - name: Setup Detekt diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 4d08dbd1bb..b3aee8de5d 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -54,7 +54,7 @@ jobs: id: composer-cache if: steps.check_files.outputs.files_exists == 'true' run: | - echo "::set-output name=dir::$(composer config cache-files-dir)" + echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT - name: Set up dependency caching for faster installs uses: actions/cache@v3 From da484b4eb58a75ee389d1483a295b33c9774ea0f Mon Sep 17 00:00:00 2001 From: syed-imran <100760767+SyedsImran@users.noreply.github.com> Date: Sat, 4 Mar 2023 18:12:33 +0530 Subject: [PATCH 656/844] Update apisec-scan.yml (#1898) Co-authored-by: Sampark Sharma --- code-scanning/apisec-scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index ec8b8bb7ef..34defa90bf 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -10,7 +10,7 @@ # How to Get Started with APIsec.ai # 1. Schedule a demo at https://www.apisec.ai/request-a-demo . # -# 2. Register your account at https://cloud.fxlabs.io/#/signup . +# 2. Register your account at https://cloud.apisec.ai/#/signup . # # 3. Register your API . See the video (https://www.youtube.com/watch?v=MK3Xo9Dbvac) to get up and running with APIsec quickly. # 
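Review bot: `>> $GITHUB_OUTPUT` leaves the redirection target unquoted, which shellcheck reports as SC2086; prefer `echo "download_url=$DETEKT_DOWNLOAD_URL" >> "$GITHUB_OUTPUT"`. The value written here comes from a GitHub API response via `jq --raw-output`, and the `name=value` form is only correct for a single-line value; GitHub documents a heredoc form (`name<<DELIMITER`) for values that may contain newlines, which would be the safer choice for externally sourced data. The azure-webapps-php.yml hunk on this page has the same unquoted redirection, `echo "dir=$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT"`. The enclosing `run:` block starts outside the hunk.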
@@ -55,7 +55,7 @@ jobs: steps: - name: APIsec scan - uses: apisec-inc/apisec-run-scan@f748a240d69ca6cd7e9532fd0a47bec4ccd6a73c + uses: apisec-inc/apisec-run-scan@025432089674a28ba8fb55f8ab06c10215e772ea with: # The APIsec username with which the scans will be executed apisec-username: ${{ secrets.apisec_username }} From 02af783829f3f5b38e36ff3145c01c38ca02ede3 Mon Sep 17 00:00:00 2001 From: Eric Fernandez <90832420+EricFernandezSnyk@users.noreply.github.com> Date: Tue, 7 Mar 2023 10:52:52 +0000 Subject: [PATCH 657/844] Addition of snyk-security workflow to enable the Snyk platform from a single GitHub Action (#1939) * Create snyk-security.properties.json * Create snyk-security.yml * Update snyk-security.yml * Fix mispelling Co-authored-by: Sampark Sharma * Apply comments from PR - Moved documentation link to the top - Made `|| true` optional - Added commit SHA for the Snyk GitHub Action * Remove empty space Co-authored-by: Sampark Sharma * Remove empty space in line end Co-authored-by: Sampark Sharma * Update Categories * Updated after running pre-commit linting --------- Co-authored-by: Sampark Sharma --- .../properties/snyk-security.properties.json | 7 ++ code-scanning/snyk-security.yml | 79 +++++++++++++++++++ 2 files changed, 86 insertions(+) create mode 100644 code-scanning/properties/snyk-security.properties.json create mode 100644 code-scanning/snyk-security.yml diff --git a/code-scanning/properties/snyk-security.properties.json b/code-scanning/properties/snyk-security.properties.json new file mode 100644 index 0000000000..3c10ca1f79 --- /dev/null +++ b/code-scanning/properties/snyk-security.properties.json 
@@ -0,0 +1,7 @@
+{
+ "name": "Snyk Security",
+ "creator": "Snyk",
+ "description": "Detect vulnerabilities across your applications and infrastructure with the Snyk platform.",
+ "iconName": "snyk",
+ "categories": ["Code Scanning","JavaScript", "Python", "Java", "PHP", "C#", "C", "C++", "Ruby", "Swift", "Go", "TypeScript", "Kotlin", "Apex", "Scala", "Terraform", "Dockerfile"]
+}
diff --git a/code-scanning/snyk-security.yml b/code-scanning/snyk-security.yml
new file mode 100644
index 0000000000..715fa1bddf
--- /dev/null
+++ b/code-scanning/snyk-security.yml
@@ -0,0 +1,79 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which sets up Snyk to analyze the full Snyk platform (Snyk Open Source, Snyk Code, +# Snyk Container and Snyk Infrastructure as Code) +# The setup installs the Snyk CLI - for more details on the possible commands +# check https://docs.snyk.io/snyk-cli/cli-reference +# The results of Snyk Code are then uploaded to GitHub Security Code Scanning +# +# In order to use the Snyk Action you will need to have a Snyk API token. +# More details in https://github.com/snyk/actions#getting-your-snyk-token +# or you can signup for free at https://snyk.io/login +# +# For more examples, including how to limit scans to only high-severity issues +# and fail PR checks, see https://github.com/snyk/actions/ + +name: Snyk Security + +on: + push: + branches: [$default-branch, $protected-branches] + pull_request: + branches: [$default-branch] + +permissions: + contents: read + +jobs: + snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Set up Snyk CLI to check for security issues + # Snyk can be used to break the build when it detects security issues. 
+ # In this case we want to upload the SAST issues to GitHub Code Scanning + uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb + + # For Snyk Open Source you must first set up the development environment for your application's dependencies + # For example for Node + #- uses: actions/setup-node@v3 + # with: + # node-version: 16 + + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # Runs Snyk Code (SAST) analysis and uploads result into GitHub. + # Use || true to not fail the pipeline + - name: Snyk Code test + run: snyk code test --sarif > snyk-code.sarif # || true + + # Runs Snyk Open Source (SCA) analysis and uploads result to Snyk. + - name: Snyk Open Source monitor + run: snyk monitor --all-projects + + # Runs Snyk Infrastructure as Code (IaC) analysis and uploads result to Snyk. + # Use || true to not fail the pipeline. + - name: Snyk IaC test and report + run: snyk iac test --report # || true + + # Build the docker image for testing + - name: Build a Docker image + run: docker build -t your/image-to-test . + # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. + - name: Snyk Container monitor + run: snyk container monitor your/image-to-test --file=Dockerfile + + # Push the Snyk Code results into GitHub Code Scanning tab + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk-code.sarif From 1375dc0a9d3bf61ca8ba1b64c6c24568375d792e Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 7 Mar 2023 18:30:19 +0530 Subject: [PATCH 658/844] Update comment for third party action usage (#1960) * Update comment for third party action usage * Update third party usage comment * Update third party usage comment --- ci/elixir.yml | 5 +++++ ci/msbuild.yml | 5 +++++ ci/symfony.yml | 5 +++++ 3 files changed, 15 insertions(+) 
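Review bot: The `env:` carrying `SNYK_TOKEN` appears to sit under the `Set up Snyk CLI` step rather than at job level (indentation is lost in this rendering, so confirm in the file); if it is step-scoped, the later `snyk code test`, `snyk monitor`, `snyk iac test` and `snyk container monitor` steps run without the token and fail to authenticate. Either move `env:` up to the `snyk:` job, or repeat it on each `snyk` step so the `docker build` step, which does not need the secret, never receives it. Minor: `snyk/actions/setup` is pinned to a commit SHA while `actions/checkout@v3` and `github/codeql-action/upload-sarif@v2` float on tags, and the SHA pin lacks the trailing `# vX.Y.Z` comment that other pinned actions on this page carry.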
diff --git a/ci/elixir.yml b/ci/elixir.yml index 6c76f542ef..371ff242ca 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -1,3 +1,8 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + name: Elixir CI on: diff --git a/ci/msbuild.yml b/ci/msbuild.yml index c50354ef84..a52ec35f65 100644 --- a/ci/msbuild.yml +++ b/ci/msbuild.yml @@ -1,3 +1,8 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + name: MSBuild on: diff --git a/ci/symfony.yml b/ci/symfony.yml index d1ac71a2af..4b957e1a15 100644 --- a/ci/symfony.yml +++ b/ci/symfony.yml @@ -1,3 +1,8 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + name: Symfony on: From f5cfb3ea9c17d9f3031dc88a7b065108653916e8 Mon Sep 17 00:00:00 2001 From: ElizabethBarrord Date: Tue, 7 Mar 2023 14:52:54 -0600 Subject: [PATCH 659/844] Update code-scanning/credo.yml Co-authored-by: Sampark Sharma --- code-scanning/credo.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/credo.yml b/code-scanning/credo.yml index f69159b8da..7861c0265e 100644 --- a/code-scanning/credo.yml +++ b/code-scanning/credo.yml @@ -33,6 +33,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest strategy: fail-fast: false From 07c72062df203ca1bd7062f410eaeaf37992e0b1 Mon Sep 17 00:00:00 2001 
From: ElizabethBarrord Date: Tue, 7 Mar 2023 20:56:57 +0000 Subject: [PATCH 660/844] adding commit sha to for action --- code-scanning/credo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/credo.yml b/code-scanning/credo.yml index 7861c0265e..9a778819d6 100644 --- a/code-scanning/credo.yml +++ b/code-scanning/credo.yml @@ -42,7 +42,7 @@ jobs: elixir: [version] steps: - uses: actions/checkout@v3 - - uses: erlef/setup-beam@v1 + - uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f with: otp-version: ${{matrix.otp}} elixir-version: ${{matrix.elixir}} From 19a9f5df85afdfd434d0d1cbec9b033e4feb9b8c Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Thu, 9 Mar 2023 13:49:38 -0500 Subject: [PATCH 661/844] Add runner size docs --- code-scanning/codeql.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index f0c3bebfae..79a4a7c109 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -23,6 +23,11 @@ on: jobs: analyze: name: Analyze + # Runner size impacts CodeQL analysis time. Please see: + # https://gh.io/recommended-hardware-resources-for-running-codeql + # https://gh.io/supported-runners-and-hardware-resources + # https://gh.io/using-larger-runners + # to learn more. runs-on: ubuntu-latest permissions: actions: read From 4813d8a07f7a3de9033856273303d278f6292b53 Mon Sep 17 00:00:00 2001 From: Jess Bees Date: Thu, 9 Mar 2023 14:08:16 -0500 Subject: [PATCH 662/844] Trim whitespace on pages/mdbook.yml --- pages/mdbook.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pages/mdbook.yml b/pages/mdbook.yml index 57f3636d60..216f1862a6 100644 --- a/pages/mdbook.yml +++ b/pages/mdbook.yml 
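Review bot: `erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f` is pinned to a commit but carries no version comment, so a reader cannot tell which release this is and dependency-update tooling has nothing human-readable to keep in sync; the other SHA-pinned actions on this page append the tag, e.g. `# v1.127.0`. Suggest `- uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f # <release tag for this SHA>` with the placeholder filled in.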
@@ -38,14 +38,14 @@ jobs: # Runs a single command using the runners shell - name: install mdbook run: | - curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf -y | sh + curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf -y | sh rustup update cargo install --version ${MDBOOK_VERSION} mdbook - name: Setup Pages id: pages uses: actions/configure-pages@v1 - name: Build with mdbook - run: mdbook build + run: mdbook build - name: Upload artifact uses: actions/upload-pages-artifact@v1 with: From add94e933cf74933f403110e720822f95cae1c36 Mon Sep 17 00:00:00 2001 From: Tommy Byrd Date: Thu, 9 Mar 2023 16:54:17 -0500 Subject: [PATCH 663/844] Update mdbook.properties.json --- pages/properties/mdbook.properties.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pages/properties/mdbook.properties.json b/pages/properties/mdbook.properties.json index 8617e7f302..2a4fe8ded0 100644 --- a/pages/properties/mdbook.properties.json +++ b/pages/properties/mdbook.properties.json @@ -1,6 +1,6 @@ { - "name": "Mdbook", - "description": "Package a Mdbook site.", + "name": "mdBook", + "description": "Package a site using mdBook.", "iconName": "mdbook", - "categories": ["Pages", "Mdbook"] + "categories": ["Pages", "mdBook"] } From 39018ecd743923c6534e2569aed15a92fa51a9c5 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Thu, 9 Mar 2023 19:50:49 -0600 Subject: [PATCH 664/844] Update casing of mdBook within copy in mdbook.yml --- pages/mdbook.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pages/mdbook.yml b/pages/mdbook.yml index 216f1862a6..b4f05856ed 100644 --- a/pages/mdbook.yml +++ b/pages/mdbook.yml 
@@ -1,8 +1,8 @@ -# Sample workflow for building and deploying a mdbook site to GitHub Pages +# Sample workflow for building and deploying a mdBook site to GitHub Pages # -# To get started with mdbook see: https://rust-lang.github.io/mdBook/index.html +# To get started with mdBook see: https://rust-lang.github.io/mdBook/index.html # -name: Deploy mdbook site to Pages +name: Deploy mdBook site to Pages on: # Runs on pushes targeting the default branch From 9ab053c67bbd9ee6a5129255ac0efb4072ffc719 Mon Sep 17 00:00:00 2001 From: Hanxiao Liu Date: Fri, 10 Mar 2023 14:06:31 +0800 Subject: [PATCH 665/844] Add workflow for Azure Web App with Gradle (#1955) * Add starter workflow for Azure Web App with Gradle * Use gradle build instead of assemable and mark template as preview --------- Co-authored-by: Sampark Sharma --- deployments/azure-webapps-java-jar-gradle.yml | 79 +++++++++++++++++++ ...re-webapps-java-jar-gradle.properties.json | 8 ++ 2 files changed, 87 insertions(+) create mode 100644 deployments/azure-webapps-java-jar-gradle.yml create mode 100644 deployments/properties/azure-webapps-java-jar-gradle.properties.json diff --git a/deployments/azure-webapps-java-jar-gradle.yml b/deployments/azure-webapps-java-jar-gradle.yml new file mode 100644 index 0000000000..b1c1df92fd --- /dev/null +++ b/deployments/azure-webapps-java-jar-gradle.yml 
@@ -0,0 +1,79 @@ +# This workflow will build and push a Java application to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-java?tabs=javase&pivots=platform-linux +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the JAVA_VERSION environment variable below. 
+# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples + +name: Build and deploy Gradle app to Azure Web App + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + JAVA_VERSION: '11' # set this to the Java version to use + DISTRIBUTION: zulu # set this to the Java distribution + +on: + push: + branches: [ $default-branch ] + workflow_dispatch: + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - name: Set up Java version + uses: actions/setup-java@v3.0.0 + with: + java-version: ${{ env.JAVA_VERSION }} + distribution: ${{ env.DISTRIBUTION }} + cache: 'gradle' + + - name: Build with Gradle + run: gradle build + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v3 + with: + name: java-app + path: '${{ github.workspace }}/build/libs/*.jar' + + deploy: + permissions: + contents: none + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v3 + with: + name: java-app + + - name: Deploy to Azure Web App + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: '*.jar' diff --git a/deployments/properties/azure-webapps-java-jar-gradle.properties.json b/deployments/properties/azure-webapps-java-jar-gradle.properties.json new file mode 100644 index 0000000000..31804d7e1b --- /dev/null +++ b/deployments/properties/azure-webapps-java-jar-gradle.properties.json 
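Review bot: `actions/setup-java@v3.0.0` pins the first patch release of v3 while the neighbouring steps float on `@v3`; if a fixed version is intended, a commit SHA with a version comment (as elsewhere on this page) is the clearer pin, otherwise `@v3` matches the rest of the file. `run: gradle build` uses whatever Gradle the runner image ships; if the project has a wrapper, `./gradlew build` together with `gradle/wrapper-validation-action` to verify the wrapper jar gives a reproducible, checked build. The top-level `contents: read` and the deploy job's `contents: none` are good least-privilege choices and worth keeping as the template evolves.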
@@ -0,0 +1,8 @@ +{ + "name": "Deploy a Gradle .jar app to an Azure Web App", + "description": "Build a Gradle project and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Java", "Gradle"], + "labels": ["preview"] +} From e46e854a2150e3cb8e2bc5bde009ae0d96815d9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E3=81=AA=E3=81=A4=E3=81=8D?= Date: Mon, 13 Mar 2023 03:38:16 -0700 Subject: [PATCH 666/844] Update jekyll workflow to use ruby 3.1 (#1969) --- pages/jekyll.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/jekyll.yml b/pages/jekyll.yml index f4f1825388..e8fff64a4d 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -35,7 +35,7 @@ jobs: - name: Setup Ruby uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 with: - ruby-version: '3.0' # Not needed with a .ruby-version file + ruby-version: '3.1' # Not needed with a .ruby-version file bundler-cache: true # runs 'bundle install' and caches installed gems automatically cache-version: 0 # Increment this number if you need to re-download cached gems - name: Setup Pages From c1b76c45d4bb701afdb26b132bc865f261d555be Mon Sep 17 00:00:00 2001 From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com> Date: Mon, 13 Mar 2023 12:56:25 +0200 Subject: [PATCH 667/844] Frogbot update (#1980) * Update Frogbot starter workflows * Update * Update Frogbot starter-workflows commit hash --------- Co-authored-by: Sampark Sharma --- code-scanning/frogbot-scan-and-fix.yml | 36 +++++++++++++++++++------- code-scanning/frogbot-scan-pr.yml | 36 +++++++++++++++++++------- 2 files changed, 54 insertions(+), 18 deletions(-) diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 96dcfb5513..feacb7fcc6 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml 
@@ -7,8 +7,7 @@ # Uses JFrog Xray to scan the project. # Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot -# Frogbot uses a frogbot-config.yml file to run. The following article will guide you through the process of creating this file: -# https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md +# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md name: "Frogbot Scan and Fix" on: @@ -26,10 +25,17 @@ jobs: # IMPORTANT: # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix - # 2. Frogbot requires a frogbot-config.yml to run. Read more about in the following link - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md + # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md - - uses: jfrog/frogbot@8daba7e9515dbc898012367c71c1018449cd7716 + - uses: jfrog/frogbot@3395426f351556d4568e30a6dfd2909dbedae99e env: + # [Mandatory if the two conditions below are met] + # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies + # 2. The `installCommand` variable isn't set in your frogbot-config.yml file. + # + # The command that installs the project dependencies (e.g "npm i", "nuget restore" or "dotnet restore") + # JF_INSTALL_DEPS_CMD: "" + # [Mandatory] # JFrog platform URL JF_URL: ${{ secrets.JF_URL }} 
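Review bot: `jfrog/frogbot@3395426f351556d4568e30a6dfd2909dbedae99e` is a commit pin with no trailing version comment, so the bump from `8daba7e9…` tells the reader nothing about which Frogbot release is now in use; add `# <release tag for this SHA>` after the pin as the other SHA-pinned actions on this page do. The identical line in the frogbot-scan-pr.yml hunk below has the same gap. The new `JF_INSTALL_DEPS_CMD` comment says the command is mandatory when `installCommand` is not set in frogbot-config.yml, yet the key is left commented out; a short note that the scan fails without it for those ecosystems would save users a confusing first run.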
@@ -38,14 +44,26 @@ jobs: # JFrog access token with 'read' permissions on Xray service JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} - # [Mandatory] - # The GitHub token automatically generated for the job - JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # [Mandatory if JF_ACCESS_TOKEN is not provided] # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD # JF_USER: ${{ secrets.JF_USER }} # [Mandatory if JF_ACCESS_TOKEN is not provided] # JFrog password. Must be provided with JF_USER - # JF_PASSWORD: ${{ secrets.JF_PASSWORD }} \ No newline at end of file + # JF_PASSWORD: ${{ secrets.JF_PASSWORD }} + + # [Mandatory] + # The GitHub token automatically generated for the job + JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # [Optional] + # If the machine that runs Frogbot has no access to the internat, set the name of a remote repository + # in Artifactory, which proxies https://releases.jfrog.io/artifactory + # The 'frogbot' executable and other tools it needs will be downloaded through this repository. + # JF_RELEASES_REPO: "" + + # [Optional] + # Frogbot will download the project dependencies, if they're not cached locally. To download the + # dependencies from a virtual repository in Artifactory, set the name of of the repository. There's no + # need to set this value, if it is set in the frogbot-config.yml file. + # JF_DEPS_REPO: "" \ No newline at end of file diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index fe7d125df6..9e8b6c556c 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml 
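Review bot: The new `JF_RELEASES_REPO` comment has a typo, `internat` → `internet`, and the `JF_DEPS_REPO` comment doubles a word, `the name of of the repository` → `the name of the repository`. The file also still ends without a trailing newline (`\ No newline at end of file`), which this rewrite of the tail could have fixed. The matching hunk in frogbot-scan-pr.yml further down this page carries the same comment text and the same missing newline.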
@@ -7,8 +7,7 @@ # Uses JFrog Xray to scan the project. # Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot -# Frogbot uses a frogbot-config.yml file to run. The following article will guide you through the process of creating this file: -# https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md +# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md name: "Frogbot Scan Pull Request" on: @@ -31,10 +30,17 @@ jobs: # IMPORTANT: # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix - # 2. Frogbot requires a frogbot-config.yml to run. Read more about in the following link - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md + # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md - - uses: jfrog/frogbot@8daba7e9515dbc898012367c71c1018449cd7716 + - uses: jfrog/frogbot@3395426f351556d4568e30a6dfd2909dbedae99e env: + # [Mandatory if the two conditions below are met] + # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies + # 2. The `installCommand` variable isn't set in your frogbot-config.yml file. + # + # The command that installs the project dependencies (e.g "npm i", "nuget restore" or "dotnet restore") + # JF_INSTALL_DEPS_CMD: "" + # [Mandatory] # JFrog platform URL JF_URL: ${{ secrets.JF_URL }} 
@@ -43,14 +49,26 @@ jobs: # JFrog access token with 'read' permissions on Xray service JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} - # [Mandatory] - # The GitHub token automatically generated for the job - JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # [Mandatory if JF_ACCESS_TOKEN is not provided] # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD # JF_USER: ${{ secrets.JF_USER }} # [Mandatory if JF_ACCESS_TOKEN is not provided] # JFrog password. Must be provided with JF_USER - # JF_PASSWORD: ${{ secrets.JF_PASSWORD }} \ No newline at end of file + # JF_PASSWORD: ${{ secrets.JF_PASSWORD }} + + # [Mandatory] + # The GitHub token automatically generated for the job + JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # [Optional] + # If the machine that runs Frogbot has no access to the internat, set the name of a remote repository + # in Artifactory, which proxies https://releases.jfrog.io/artifactory + # The 'frogbot' executable and other tools it needs will be downloaded through this repository. + # JF_RELEASES_REPO: "" + + # [Optional] + # Frogbot will download the project dependencies, if they're not cached locally. To download the + # dependencies from a virtual repository in Artifactory, set the name of of the repository. There's no + # need to set this value, if it is set in the frogbot-config.yml file. + # JF_DEPS_REPO: "" \ No newline at end of file From 6e49802a68a601c443c4df09ea4ed977ceb0b283 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lu=C3=ADs=20Reis?= Date: Mon, 13 Mar 2023 12:37:25 +0000 Subject: [PATCH 668/844] Update Jscrambler logo (#1964) Co-authored-by: Luis Reis --- icons/jscrambler.svg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/icons/jscrambler.svg b/icons/jscrambler.svg index 17f79b78f8..7b9642776b 100644 --- a/icons/jscrambler.svg +++ b/icons/jscrambler.svg @@ -1 +1 @@ - \ No newline at end of file + \ No newline at end of file 
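Review bot: The new `JF_RELEASES_REPO` comment states that the `frogbot` executable and its tools are downloaded at run time, which means the commit-SHA pin on `jfrog/frogbot` only pins the wrapper action, not the binary it fetches; that is a caveat adopters should see, e.g. `# Note: the action downloads the frogbot binary at run time; the SHA pin above does not cover it`, and it also means a remote repository named here becomes part of the trust chain. The same typos as in the sibling template appear in this hunk (`internat`, `name of of`). The enclosing job starts before the hunk.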
From ed18ec10673b224bf43c4a3fe4c2c291afe95090 Mon Sep 17 00:00:00 2001 From: Tommy Byrd Date: Mon, 13 Mar 2023 22:39:36 -0400 Subject: [PATCH 669/844] Update mdbook.svg Remove embedded style tag --- icons/mdbook.svg | 5 ----- 1 file changed, 5 deletions(-) diff --git a/icons/mdbook.svg b/icons/mdbook.svg index 90e0ea58bd..c61e0a6138 100644 --- a/icons/mdbook.svg +++ b/icons/mdbook.svg @@ -1,9 +1,4 @@ - Date: Tue, 14 Mar 2023 00:04:25 -0500 Subject: [PATCH 670/844] Update mdbook.yml, primarily to update to configure-pages@v3 --- pages/mdbook.yml | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/pages/mdbook.yml b/pages/mdbook.yml index b4f05856ed..ddff0debd2 100644 --- a/pages/mdbook.yml +++ b/pages/mdbook.yml @@ -22,34 +22,31 @@ permissions: concurrency: group: "pages" cancel-in-progress: true + jobs: - # This workflow contains a single job called "build" + # Build job build: - env: - MDBOOK_VERSION : 0.4.21 - # The type of runner that the job will run on runs-on: ubuntu-latest - - # Steps represent a sequence of tasks that will be executed as part of the job + env: + MDBOOK_VERSION: 0.4.21 steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - uses: actions/checkout@v3 - - # Runs a single command using the runners shell - - name: install mdbook + - name: Install mdBook run: | curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf -y | sh rustup update cargo install --version ${MDBOOK_VERSION} mdbook - name: Setup Pages id: pages - uses: actions/configure-pages@v1 - - name: Build with mdbook + uses: actions/configure-pages@v3 + - name: Build with mdBook run: mdbook build - name: Upload artifact uses: actions/upload-pages-artifact@v1 with: path: ./book + + # Deployment job deploy: environment: name: github-pages From db26d12511a69937b8396fc443f57e37e2a0e740 Mon Sep 17 00:00:00 2001 
From: "James M. Greene" Date: Tue, 14 Mar 2023 00:12:22 -0500 Subject: [PATCH 671/844] Update concurrency.cancel-in-progress to false for all Pages starter workflows --- pages/astro.yml | 5 +++-- pages/gatsby.yml | 5 +++-- pages/hugo.yml | 5 +++-- pages/jekyll-gh-pages.yml | 5 +++-- pages/jekyll.yml | 5 +++-- pages/mdbook.yml | 6 ++++-- pages/nextjs.yml | 5 +++-- pages/nuxtjs.yml | 5 +++-- pages/static.yml | 5 +++-- 9 files changed, 28 insertions(+), 18 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index 1b6478fd32..dbe49dbf81 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -18,10 +18,11 @@ permissions: pages: write id-token: write -# Allow one concurrent deployment +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. concurrency: group: "pages" - cancel-in-progress: true + cancel-in-progress: false env: BUILD_PATH: "." # default value when not using subfolders diff --git a/pages/gatsby.yml b/pages/gatsby.yml index 34f15dd44b..fbe9e708a9 100644 --- a/pages/gatsby.yml +++ b/pages/gatsby.yml @@ -18,10 +18,11 @@ permissions: pages: write id-token: write -# Allow one concurrent deployment +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. concurrency: group: "pages" - cancel-in-progress: true + cancel-in-progress: false # Default to bash defaults: diff --git a/pages/hugo.yml b/pages/hugo.yml index d4363fd7b2..343128472d 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml 
@@ -15,10 +15,11 @@ permissions: pages: write id-token: write -# Allow one concurrent deployment +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. concurrency: group: "pages" - cancel-in-progress: true + cancel-in-progress: false # Default to bash defaults: diff --git a/pages/jekyll-gh-pages.yml b/pages/jekyll-gh-pages.yml index 792aa187fa..7d18dc80d3 100644 --- a/pages/jekyll-gh-pages.yml +++ b/pages/jekyll-gh-pages.yml @@ -15,10 +15,11 @@ permissions: pages: write id-token: write -# Allow one concurrent deployment +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. concurrency: group: "pages" - cancel-in-progress: true + cancel-in-progress: false jobs: # Build job diff --git a/pages/jekyll.yml b/pages/jekyll.yml index e8fff64a4d..9e6bf6727f 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -20,10 +20,11 @@ permissions: pages: write id-token: write -# Allow one concurrent deployment +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. concurrency: group: "pages" - cancel-in-progress: true + cancel-in-progress: false jobs: # Build job diff --git a/pages/mdbook.yml b/pages/mdbook.yml index b4f05856ed..2966fa0bfc 100644 --- a/pages/mdbook.yml +++ b/pages/mdbook.yml 
@@ -18,10 +18,12 @@ permissions: pages: write id-token: write -# Allow one concurrent deployment +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. concurrency: group: "pages" - cancel-in-progress: true + cancel-in-progress: false + jobs: # This workflow contains a single job called "build" build: diff --git a/pages/nextjs.yml b/pages/nextjs.yml index 5bd6c150bf..bf15a7135e 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -18,10 +18,11 @@ permissions: pages: write id-token: write -# Allow one concurrent deployment +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. concurrency: group: "pages" - cancel-in-progress: true + cancel-in-progress: false jobs: # Build job diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml index e7d8891cbc..3ded228a0a 100644 --- a/pages/nuxtjs.yml +++ b/pages/nuxtjs.yml @@ -18,10 +18,11 @@ permissions: pages: write id-token: write -# Allow one concurrent deployment +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. concurrency: group: "pages" - cancel-in-progress: true + cancel-in-progress: false jobs: # Build job diff --git a/pages/static.yml b/pages/static.yml index d6b719218e..c0cfa3581f 100644 --- a/pages/static.yml +++ b/pages/static.yml 
@@ -15,10 +15,11 @@ permissions: pages: write id-token: write -# Allow one concurrent deployment +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. concurrency: group: "pages" - cancel-in-progress: true + cancel-in-progress: false jobs: # Single deploy job since we're just deploying From 20496ebfca42582d0ca772172a927616bc3bcd41 Mon Sep 17 00:00:00 2001 From: Hanxiao Liu Date: Thu, 16 Mar 2023 18:10:14 +0800 Subject: [PATCH 672/844] Add workflow for Azure Function App with Gradle (#1963) * Add starter workflow for Azure Function App with Gradle * Mark as preview * Fix properties for function gradle template * Add workflow and job level permissions to function gradle template --------- Co-authored-by: Sampark Sharma --- .../azure-functions-app-java-gradle.yml | 70 +++++++++++++++++++ ...-functions-app-java-gradle.properties.json | 8 +++ 2 files changed, 78 insertions(+) create mode 100644 deployments/azure-functions-app-java-gradle.yml create mode 100644 deployments/properties/azure-functions-app-java-gradle.properties.json diff --git a/deployments/azure-functions-app-java-gradle.yml b/deployments/azure-functions-app-java-gradle.yml new file mode 100644 index 0000000000..69f634312a --- /dev/null +++ b/deployments/azure-functions-app-java-gradle.yml 
@@ -0,0 +1,70 @@ +# This workflow will build a Java project and deploy it to an Azure Functions App on Windows or Linux when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure Functions app and applied azure functions plugin for gradle. +# For instructions see https://learn.microsoft.com/en-us/azure/azure-functions/functions-create-first-java-gradle +# +# To configure this workflow: +# 1. Set up the following secrets in your repository: +# - AZURE_FUNCTIONAPP_PUBLISH_PROFILE +# 2. Change env variables for your configuration. +# +# For more information on: +# - GitHub Actions for Azure: https://github.com/Azure/Actions +# - Azure Functions Action: https://github.com/Azure/functions-action +# - Publish Profile: https://github.com/Azure/functions-action#using-publish-profile-as-deployment-credential-recommended +# - Azure Service Principal for RBAC: https://github.com/Azure/functions-action#using-azure-service-principal-for-rbac-as-deployment-credential +# +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples/tree/master/FunctionApp + +name: Deploy Gradle Java project to Azure Function App + +on: + push: + branches: + - [$default-branch] + +permissions: + contents: read + +env: + AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure + BUILD_GRADLE_DIRECTORY: '.' # set this to the directory which contains build.gradle file + JAVA_VERSION: '8' # set this to the java version to use (e.g. 
'8', '11', '17') + +jobs: + build-and-deploy: + permissions: + contents: none + runs-on: windows-latest # For Linux, use ubuntu-latest + environment: dev + steps: + - name: 'Checkout GitHub Action' + uses: actions/checkout@v3 + + # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below + # - name: 'Login via Azure CLI' + # uses: azure/login@v1 + # with: + # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository + + - name: Setup Java Sdk ${{ env.JAVA_VERSION }} + uses: actions/setup-java@v1 + with: + java-version: ${{ env.JAVA_VERSION }} + + # Build function project with functions gradle plugin + # For project with function plugin lower than 1.12.1, please make sure you have set same app name in gradle configuration + - name: 'Restore Project Dependencies Using Gradle Plugin for Azure Functions' + shell: pwsh # For Linux, use bash + run: | + pushd './${{ env.BUILD_GRADLE_DIRECTORY }}' + gradle azureFunctionsPackage -DappName=${{ env.AZURE_FUNCTIONAPP_NAME }} + popd + + - name: 'Run Azure Functions Action' + uses: Azure/functions-action@v1 + id: fa + with: + app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }} + package: '${{ env.BUILD_GRADLE_DIRECTORY }}/build/azure-functions/${{ env.AZURE_FUNCTIONAPP_NAME }}' + publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC diff --git a/deployments/properties/azure-functions-app-java-gradle.properties.json b/deployments/properties/azure-functions-app-java-gradle.properties.json new file mode 100644 index 0000000000..5c3bd165cc --- /dev/null +++ b/deployments/properties/azure-functions-app-java-gradle.properties.json 
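Review bot: The build step runs `gradle azureFunctionsPackage ...` from whatever Gradle is on the runner image rather than the project's wrapper, so the toolchain is unpinned and the build is not reproducible; prefer `./gradlew azureFunctionsPackage -DappName=$env:AZURE_FUNCTIONAPP_NAME` (with `bash` and `$AZURE_FUNCTIONAPP_NAME` on Linux) and let the checksum-verified wrapper distribution choose the version. Those lines also splice `${{ env.BUILD_GRADLE_DIRECTORY }}` and `${{ env.AZURE_FUNCTIONAPP_NAME }}` directly into the script text; the values are repository-controlled here, but reading them as shell environment variables is the idiom that stays safe if a later edit sources them from a workflow input. `actions/setup-java@v1` is a superseded major without the `distribution:` input; `actions/setup-java@v3` with `distribution: 'temurin'` matches the Gradle template elsewhere in this repo. The job-level `permissions: contents: none` overrides the workflow's `contents: read`, which may make `actions/checkout@v3` fail on private repositories — worth confirming before shipping.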
@@ -0,0 +1,8 @@ +{ + "name": "Deploy Gradle app to Azure Functions App", + "description": "Build a Java project and deploy it to an Azure Functions App on Windows or Linux.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Java", "Gradle", "Azure Functions"], + "labels": ["preview"] +} From f31b00f6cce1cd19ed8b231e5eca4694a464e5f9 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Mon, 20 Mar 2023 23:25:38 -0500 Subject: [PATCH 673/844] Update all Pages starter workflows to use actions/deploy-pages@v2 --- pages/astro.yml | 2 +- pages/gatsby.yml | 2 +- pages/hugo.yml | 2 +- pages/jekyll-gh-pages.yml | 2 +- pages/jekyll.yml | 2 +- pages/mdbook.yml | 2 +- pages/nextjs.yml | 2 +- pages/nuxtjs.yml | 2 +- pages/static.yml | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index dbe49dbf81..8377ee483a 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -85,4 +85,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 diff --git a/pages/gatsby.yml b/pages/gatsby.yml index fbe9e708a9..8303af4108 100644 --- a/pages/gatsby.yml +++ b/pages/gatsby.yml @@ -94,4 +94,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 diff --git a/pages/hugo.yml b/pages/hugo.yml index 343128472d..fd6c4b4631 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -72,4 +72,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 diff --git a/pages/jekyll-gh-pages.yml b/pages/jekyll-gh-pages.yml index 7d18dc80d3..851f2ce28f 100644 --- a/pages/jekyll-gh-pages.yml +++ b/pages/jekyll-gh-pages.yml @@ -48,4 +48,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 
diff --git a/pages/jekyll.yml b/pages/jekyll.yml index 9e6bf6727f..b680516835 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -61,4 +61,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 diff --git a/pages/mdbook.yml b/pages/mdbook.yml index 191aa484d6..78d664ebf0 100644 --- a/pages/mdbook.yml +++ b/pages/mdbook.yml @@ -57,4 +57,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 diff --git a/pages/nextjs.yml b/pages/nextjs.yml index bf15a7135e..5dd673dfa7 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -92,4 +92,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml index 3ded228a0a..1ec761a8de 100644 --- a/pages/nuxtjs.yml +++ b/pages/nuxtjs.yml @@ -87,4 +87,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 diff --git a/pages/static.yml b/pages/static.yml index c0cfa3581f..43bec60eaf 100644 --- a/pages/static.yml +++ b/pages/static.yml @@ -40,4 +40,4 @@ jobs: path: '.' - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 From fc5ffa2714ad1088b5c57c94e31093aaeeb0f592 Mon Sep 17 00:00:00 2001 From: ElizabethBarrord Date: Fri, 24 Mar 2023 14:14:25 +0000 Subject: [PATCH 674/844] removed whitespace --- code-scanning/credo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/credo.yml b/code-scanning/credo.yml index 9a778819d6..c1fb8d17cd 100644 --- a/code-scanning/credo.yml +++ b/code-scanning/credo.yml @@ -46,7 +46,7 @@ jobs: with: otp-version: ${{matrix.otp}} elixir-version: ${{matrix.elixir}} - - name: get dependencies + - name: get dependencies run: mix deps.get - name: compile dependencies run: mix deps.compile 
From b294ad2ff3d618c03a33966760f39e2730bcef9b Mon Sep 17 00:00:00 2001 From: Josh Goldberg Date: Mon, 27 Mar 2023 18:13:09 -0400 Subject: [PATCH 675/844] chore: fix package(r) manager typo --- pages/astro.yml | 2 +- pages/gatsby.yml | 2 +- pages/nextjs.yml | 2 +- pages/nuxtjs.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index dbe49dbf81..bde35605e5 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -49,7 +49,7 @@ jobs: echo "runner=npx --no-install" >> $GITHUB_OUTPUT exit 0 else - echo "Unable to determine packager manager" + echo "Unable to determine package manager" exit 1 fi - name: Setup Node diff --git a/pages/gatsby.yml b/pages/gatsby.yml index fbe9e708a9..a5dceb3283 100644 --- a/pages/gatsby.yml +++ b/pages/gatsby.yml @@ -48,7 +48,7 @@ jobs: echo "command=ci" >> $GITHUB_OUTPUT exit 0 else - echo "Unable to determine packager manager" + echo "Unable to determine package manager" exit 1 fi - name: Setup Node diff --git a/pages/nextjs.yml b/pages/nextjs.yml index bf15a7135e..a9da03d351 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -45,7 +45,7 @@ jobs: echo "runner=npx --no-install" >> $GITHUB_OUTPUT exit 0 else - echo "Unable to determine packager manager" + echo "Unable to determine package manager" exit 1 fi - name: Setup Node diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml index 3ded228a0a..d3c992198c 100644 --- a/pages/nuxtjs.yml +++ b/pages/nuxtjs.yml @@ -43,7 +43,7 @@ jobs: echo "command=ci" >> $GITHUB_OUTPUT exit 0 else - echo "Unable to determine packager manager" + echo "Unable to determine package manager" exit 1 fi - name: Setup Node From eeb9248ea6d958f2adcb504c334b98464be041ea Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E3=81=AA=E3=81=A4=E3=81=8D?= Date: Tue, 4 Apr 2023 14:26:08 -0700 Subject: [PATCH 676/844] Update ruby/setup-ruby for CVE-2023-28755 and CVE-2023-28756 --- ci/ruby.yml | 2 +- ci/rubyonrails.yml | 4 ++-- code-scanning/brakeman.yml | 2 +- code-scanning/puppet-lint.yml | 2 +- code-scanning/rubocop.yml | 2 +- pages/jekyll.yml | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ci/ruby.yml b/ci/ruby.yml index e1551d58ba..9e940816e1 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -30,7 +30,7 @@ jobs: # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, # change this to (see https://github.com/ruby/setup-ruby#versioning): # uses: ruby/setup-ruby@v1 - uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: ruby-version: ${{ matrix.ruby-version }} bundler-cache: true # runs 'bundle install' and caches installed gems automatically diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index 5102b3d97b..20ff014af4 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -30,7 +30,7 @@ jobs: uses: actions/checkout@v3 # Add or replace dependency steps here - name: Install Ruby and gems - uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: bundler-cache: true # Add or replace database setup steps here @@ -46,7 +46,7 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - name: Install Ruby and gems - uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: bundler-cache: true # Add or replace any other lints here diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index d381e859f4..197300c40f 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml 
@@ -35,7 +35,7 @@ jobs: # Customize the ruby version depending on your needs - name: Setup Ruby - uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: ruby-version: '2.7' diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml index 0804ba9729..047ff00be6 100644 --- a/code-scanning/puppet-lint.yml +++ b/code-scanning/puppet-lint.yml @@ -36,7 +36,7 @@ jobs: uses: actions/checkout@v3 - name: Setup Ruby - uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: ruby-version: 2.7 bundler-cache: true diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml index 97a693f150..e2347dbb30 100644 --- a/code-scanning/rubocop.yml +++ b/code-scanning/rubocop.yml @@ -28,7 +28,7 @@ jobs: # If running on a self-hosted runner, check it meets the requirements # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners - name: Set up Ruby - uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: ruby-version: 2.6 diff --git a/pages/jekyll.yml b/pages/jekyll.yml index b680516835..5adebe4e50 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -34,7 +34,7 @@ jobs: - name: Checkout uses: actions/checkout@v3 - name: Setup Ruby - uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: ruby-version: '3.1' # Not needed with a .ruby-version file bundler-cache: true # runs 'bundle install' and caches installed gems automatically From b9b82275918a75a68714fe4edda0810552a65e23 Mon Sep 17 00:00:00 2001 
From: Issy Long Date: Tue, 11 Apr 2023 15:40:06 +0100 Subject: [PATCH 677/844] Add Swift to the list of CodeQL-supported languages - This is in public beta. --- code-scanning/properties/codeql.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index f5e78bf53a..8aaa8f54be 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -2,7 +2,7 @@ "name": "CodeQL Analysis", "creator": "GitHub", "enterprise": true, - "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, Ruby and Kotlin developers.", + "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, Ruby, Kotlin and Swift developers.", "iconName": "octicon mark-github", - "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby", "Kotlin"] + "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby", "Kotlin", "Swift"] } From 6a1457d1e2dbee50677ff2610ac2ea7b2f1dad1c Mon Sep 17 00:00:00 2001 From: Marcos Pereira <3464445+marcospgp@users.noreply.github.com> Date: Fri, 14 Apr 2023 23:02:17 +0100 Subject: [PATCH 678/844] Update manual.yml --- automation/manual.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/automation/manual.yml b/automation/manual.yml index 4a7131e812..faabdec1b6 100644 --- a/automation/manual.yml +++ b/automation/manual.yml @@ -27,4 +27,4 @@ jobs: steps: # Runs a single command using the runners shell - name: Send greeting - run: echo "Hello ${{ github.event.inputs.name }}" \ No newline at end of file + run: echo "Hello ${{ inputs.name }}" From 73f69c4600dd494bc6311ba2c4c2e362e25fde2f Mon Sep 17 00:00:00 2001 
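Review bot: `run: echo "Hello ${{ inputs.name }}"` expands a user-supplied `workflow_dispatch` input into the script text before bash parses it, so a value containing shell metacharacters can run arbitrary commands on the runner (expression/script injection); switching from `github.event.inputs.name` to `inputs.name` does not change that. Anyone able to dispatch the workflow already has write access, which limits the blast radius, but this is a starter template and the safe idiom costs two lines: put `env: NAME: ${{ inputs.name }}` on the step and use `run: echo "Hello $NAME"`. The rest of the job is outside this hunk.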
From: Aditya Sharad <6874315+adityasharad@users.noreply.github.com> Date: Mon, 17 Apr 2023 12:06:44 -0700 Subject: [PATCH 679/844] CodeQL: Run on macOS by default if the target language is Swift CodeQL Swift analysis is best supported on macOS. In preparation for CodeQL supporting Swift analysis in beta, adjust the CodeQL starter workflow template to run the `swift` matrix job on `macos-latest`, and all other matrix jobs on `ubuntu-latest`. This does not affect the matrix itself. --- code-scanning/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index f0c3bebfae..bd394aeae5 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -23,7 +23,7 @@ on: jobs: analyze: name: Analyze - runs-on: ubuntu-latest + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} permissions: actions: read contents: read @@ -51,7 +51,7 @@ jobs: # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. - # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs # queries: security-extended,security-and-quality From 1c781c4e6aa4c2db08b9133b742b4f35871e150e Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Tue, 18 Apr 2023 11:20:09 -0500 Subject: [PATCH 680/844] Add data type to workflow_dispatch inputs --- automation/manual.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/automation/manual.yml b/automation/manual.yml index faabdec1b6..11b2e3558a 100644 
--- a/automation/manual.yml +++ b/automation/manual.yml @@ -15,6 +15,8 @@ on: default: 'World' # Input has to be provided for the workflow to run required: true + # The data type of the input + type: string # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: From 744aa3940ae8bc1de5fb3d4a5d58832d1fa70573 Mon Sep 17 00:00:00 2001 From: daz Date: Tue, 18 Apr 2023 12:10:27 -0600 Subject: [PATCH 681/844] Update to v2.4.2 of gradle/gradle-build-action This update contains important fixes and we recommend that all new workflows use this version. --- ci/gradle-publish.yml | 4 ++-- ci/gradle.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 42eae2721b..326c3ca127 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -30,14 +30,14 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Build with Gradle - uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1 + uses: gradle/gradle-build-action@749f47bda3e44aa060e82d7b3ef7e40d953bd629 with: arguments: build # The USERNAME and TOKEN need to correspond to the credentials environment variables used in # the publishing section of your build.gradle - name: Publish to GitHub Packages - uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1 + uses: gradle/gradle-build-action@749f47bda3e44aa060e82d7b3ef7e40d953bd629 with: arguments: publish env: diff --git a/ci/gradle.yml b/ci/gradle.yml index 2be0b58ec9..461a705fc0 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -29,6 +29,6 @@ jobs: java-version: '11' distribution: 'temurin' - name: Build with Gradle - uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1 + uses: gradle/gradle-build-action@749f47bda3e44aa060e82d7b3ef7e40d953bd629 with: arguments: build From d4482bb5829c32e2d0803b022eebc6f0280c4649 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 18 Apr 2023 20:55:06 +0000 Subject: [PATCH 682/844] Bump actions/stale from 7 to 8 Bumps [actions/stale](https://github.com/actions/stale) from 7 to 8. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/v7...v8) --- updated-dependencies: - dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/stale.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 0cae015fef..ecdf037f9b 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/stale@v7 + - uses: actions/stale@v8 with: stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.' stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.' From f6b2d354a2ab0113314ab63a77d94d6532475e47 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 18 Apr 2023 20:56:17 +0000 Subject: [PATCH 683/844] Bump peter-evans/close-issue from 2 to 3 Bumps [peter-evans/close-issue](https://github.com/peter-evans/close-issue) from 2 to 3. - [Release notes](https://github.com/peter-evans/close-issue/releases) - [Commits](https://github.com/peter-evans/close-issue/compare/v2...v3) --- updated-dependencies: - dependency-name: peter-evans/close-issue dependency-type: direct:production update-type: version-update:semver-major ... 
Signed-off-by: dependabot[bot] --- .github/workflows/label-feature.yml | 2 +- .github/workflows/label-support.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/label-feature.yml b/.github/workflows/label-feature.yml index 122caac624..aaf1e7e805 100644 --- a/.github/workflows/label-feature.yml +++ b/.github/workflows/label-feature.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Close Issue - uses: peter-evans/close-issue@v2 + uses: peter-evans/close-issue@v3 if: contains(github.event.issue.labels.*.name, 'feature') with: comment: | diff --git a/.github/workflows/label-support.yml b/.github/workflows/label-support.yml index e762afcc33..639ae0a585 100644 --- a/.github/workflows/label-support.yml +++ b/.github/workflows/label-support.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Close Issue - uses: peter-evans/close-issue@v2 + uses: peter-evans/close-issue@v3 if: contains(github.event.issue.labels.*.name, 'support') with: comment: | From d841affe4c5e9554c36059bf0b297818f4778a16 Mon Sep 17 00:00:00 2001 From: Trevor Blanarik Date: Mon, 24 Apr 2023 15:53:48 +0000 Subject: [PATCH 684/844] corrects the syntax for so that the array is inline --- deployments/azure-functions-app-container.yml | 3 +-- deployments/azure-functions-app-dotnet.yml | 3 +-- deployments/azure-functions-app-java-gradle.yml | 3 +-- deployments/azure-functions-app-java.yml | 3 +-- deployments/azure-functions-app-nodejs.yml | 3 +-- deployments/azure-functions-app-powershell.yml | 3 +-- deployments/azure-functions-app-python.yml | 3 +-- 7 files changed, 7 insertions(+), 14 deletions(-) diff --git a/deployments/azure-functions-app-container.yml b/deployments/azure-functions-app-container.yml index 7b438be026..1173b95068 100644 --- a/deployments/azure-functions-app-container.yml +++ b/deployments/azure-functions-app-container.yml 
@@ -21,8 +21,7 @@ name: Deploy container to Azure Functions App on: push: - branches: - - [$default-branch] + branches: [$default-branch] permissions: contents: read diff --git a/deployments/azure-functions-app-dotnet.yml b/deployments/azure-functions-app-dotnet.yml index 8b2c23ba8a..824614e0c1 100644 --- a/deployments/azure-functions-app-dotnet.yml +++ b/deployments/azure-functions-app-dotnet.yml @@ -20,8 +20,7 @@ name: Deploy DotNet project to Azure Function App on: push: - branches: - - [$default-branch] + branches: [$default-branch] env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure diff --git a/deployments/azure-functions-app-java-gradle.yml b/deployments/azure-functions-app-java-gradle.yml index 69f634312a..36c50b8aaa 100644 --- a/deployments/azure-functions-app-java-gradle.yml +++ b/deployments/azure-functions-app-java-gradle.yml @@ -20,8 +20,7 @@ name: Deploy Gradle Java project to Azure Function App on: push: - branches: - - [$default-branch] + branches: [$default-branch] permissions: contents: read diff --git a/deployments/azure-functions-app-java.yml b/deployments/azure-functions-app-java.yml index 0774544eaf..5608328511 100644 --- a/deployments/azure-functions-app-java.yml +++ b/deployments/azure-functions-app-java.yml @@ -20,8 +20,7 @@ name: Deploy Java project to Azure Function App on: push: - branches: - - [$default-branch] + branches: [$default-branch] env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure diff --git a/deployments/azure-functions-app-nodejs.yml b/deployments/azure-functions-app-nodejs.yml index b8033f0aef..916f396d1d 100644 --- a/deployments/azure-functions-app-nodejs.yml +++ b/deployments/azure-functions-app-nodejs.yml @@ -22,8 +22,7 @@ name: Deploy Node.js project to Azure Function App on: push: - branches: - - [$default-branch] + branches: [$default-branch] env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure 
diff --git a/deployments/azure-functions-app-powershell.yml b/deployments/azure-functions-app-powershell.yml index 505b5afe4e..5d623168c9 100644 --- a/deployments/azure-functions-app-powershell.yml +++ b/deployments/azure-functions-app-powershell.yml @@ -20,8 +20,7 @@ name: Deploy PowerShell project to Azure Function App on: push: - branches: - - [$default-branch] + branches: [$default-branch] env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure diff --git a/deployments/azure-functions-app-python.yml b/deployments/azure-functions-app-python.yml index 0220227a29..6452a18499 100644 --- a/deployments/azure-functions-app-python.yml +++ b/deployments/azure-functions-app-python.yml @@ -20,8 +20,7 @@ name: Deploy Python project to Azure Function App on: push: - branches: - - [$default-branch] + branches: [$default-branch] env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure From 2f530b0cd479c1e07141f409afdd623b43179869 Mon Sep 17 00:00:00 2001 From: Stephen Chudleigh Date: Wed, 26 Apr 2023 01:21:31 -0700 Subject: [PATCH 685/844] Update elixir.yml Fixes the build error on the default build action and updates the Erlang/Elixir versions. --- ci/elixir.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/elixir.yml b/ci/elixir.yml index 371ff242ca..9890efd8dd 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -23,10 +23,10 @@ jobs: steps: - uses: actions/checkout@v3 - name: Set up Elixir - uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f + uses: erlef/setup-beam@v1 with: - elixir-version: '1.12.3' # Define the elixir version [required] - otp-version: '24.1' # Define the OTP version [required] + elixir-version: '1.14.4' # Define the elixir version [required] + otp-version: '25.3' # Define the OTP version [required] - name: Restore dependencies cache uses: actions/cache@v3 with: From feb7e20c136025f76bfdebf7a2be112faf3dd544 Mon Sep 17 00:00:00 2001 
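Review bot: The Set up Elixir step replaces a full commit-SHA pin of `erlef/setup-beam` with the floating `v1` tag, so the action code that runs in this job can change without any diff in this repository. If the old SHA was simply too old for OTP 25.3, pin to the newer commit instead and keep the tag as a trailing comment, e.g. `uses: erlef/setup-beam@<sha of the release you tested> # v1.x.y`, which is the pattern the other starter workflows use. The version bumps themselves are fine and `'1.14.4'` / `'25.3'` are correctly quoted as strings. The `steps` list continues beyond the hunk (the cache step's `with:` block is cut off).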
From: jcook36605 Date: Fri, 28 Apr 2023 17:23:42 -0400 Subject: [PATCH 686/844] Update maven.yml --- ci/maven.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/maven.yml b/ci/maven.yml index c553f73a03..f97113ef9e 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -21,10 +21,10 @@ jobs: steps: - uses: actions/checkout@v3 - - name: Set up JDK 11 + - name: Set up JDK 17 uses: actions/setup-java@v3 with: - java-version: '11' + java-version: '17' distribution: 'temurin' cache: maven - name: Build with Maven From 4c95f1b7e49b61adcfe16b906abc6955919baa4e Mon Sep 17 00:00:00 2001 From: Leo Kettmeir Date: Wed, 3 May 2023 12:17:51 +0200 Subject: [PATCH 687/844] Update denoland/setup-deno workflow --- ci/deno.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/deno.yml b/ci/deno.yml index 5ee940df1f..c48292e850 100644 --- a/ci/deno.yml +++ b/ci/deno.yml @@ -27,7 +27,7 @@ jobs: - name: Setup Deno # uses: denoland/setup-deno@v1 - uses: denoland/setup-deno@9db7f66e8e16b5699a514448ce994936c63f0d54 + uses: denoland/setup-deno@61fe2df320078202e33d7d5ad347e7dcfa0e8f31 with: deno-version: v1.x From ae3f875c790648b014466245a12e878375457506 Mon Sep 17 00:00:00 2001 From: Zonespace <41448081+Zonespace27@users.noreply.github.com> Date: Tue, 16 May 2023 08:50:17 -0700 Subject: [PATCH 688/844] Bumps python-package versions Deprecates 3.8 and adds 3.11 for the python versions to build --- ci/python-package.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/python-package.yml b/ci/python-package.yml index de579a3d4e..249ceef8bb 100644 --- a/ci/python-package.yml +++ b/ci/python-package.yml @@ -16,7 +16,7 @@ jobs: strategy: fail-fast: false matrix: - python-version: ["3.8", "3.9", "3.10"] + python-version: ["3.9", "3.10", "3.11"] steps: - uses: actions/checkout@v3 From b54241071aa42253f58aefd5d960e98471d97f37 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Batuhan=20Apayd=C4=B1n?= Date: Mon, 15 May 2023 21:44:39 +0300 Subject: [PATCH 689/844] use intermediate environment variables to avoid risks of script injection MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Batuhan Apaydın --- ci/docker-publish.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index d57b2f1bd3..4aaca04375 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -41,10 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 + uses: sigstore/cosign-installer@03d0fecf172873164a163bbc64bed0f3bf114ed7 #v3.4.0 with: - cosign-release: 'v1.13.1' - + cosign-release: 'v2.0.2' # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx @@ -90,7 +89,9 @@ jobs: - name: Sign the published Docker image if: ${{ github.event_name != 'pull_request' }} env: - COSIGN_EXPERIMENTAL: "true" + # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable + TAGS: ${{ steps.meta.outputs.tags }} + DIGEST: ${{ steps.build-and-push.outputs.digest }} # This step uses the identity token to provision an ephemeral certificate # against the sigstore community Fulcio instance. - run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} + run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} From b015c848b62afa863d3f5607a61b1604ee66ebea Mon Sep 17 00:00:00 2001 
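Review bot: The new `sigstore/cosign-installer@03d0fecf… #v3.4.0` line pairs a SHA with a version comment that cannot be checked from the diff, and a comment that does not match the SHA is worse than none because readers and SHA-bumping tools trust it; confirm the commit resolves to that tag before merging and write it as `# v3.4.0` (with a space) to match the rest of the repository. Pinning the cosign binary with `cosign-release: 'v2.0.2'` is good; the removed blank line before the `# Workaround` comment is cosmetic.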
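Review bot: `cosign sign --yes` on the new run line silently accepts the prompt that, for keyless signing, uploads the signature to the public Rekor transparency log, and that consent (together with dropping `COSIGN_EXPERIMENTAL`, presumably because cosign v2 makes keyless the default) deserves a comment so template users know what they are agreeing to, e.g. `# --yes skips the confirmation prompt; keyless signing records the signature in the public Rekor log`. Routing `TAGS` and `DIGEST` through `env:` is the right fix for expression injection, since the tag list comes from `docker/metadata-action` and can carry branch names. Quoting the digest in the xargs argument, `{}@"${DIGEST}"`, keeps an unexpected value from being word-split. Note that `xargs` still interprets quote characters in its input, so if a tag could ever contain `'` or `"` consider `xargs -d '\n'`.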
From: Aditya Sharad <6874315+adityasharad@users.noreply.github.com> Date: Mon, 22 May 2023 10:10:15 -0700 Subject: [PATCH 690/844] CodeQL: Reduce job timeout to 2h if the target language is Swift Some projects observed intermittent build timeouts with Swift. In case this happens, and our CodeQL-level mitigations do not prevent the problem, we want to avoid using up 6h of the customer's billed macOS Actions minutes (which is the default timeout), so we suggest a reduced timeout of 2h. This value is chosen to accommodate the total job time (build + CodeQL extraction + CodeQL analysis) we expect for large Swift projects. We may choose to adjust it in future. --- code-scanning/codeql.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index bd394aeae5..e901a24072 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -24,6 +24,7 @@ jobs: analyze: name: Analyze runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} permissions: actions: read contents: read From 5aa237a2b718234311cf2602f0251ef551ae19c6 Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Tue, 30 May 2023 09:38:22 -0400 Subject: [PATCH 691/844] add descriptive name to trivy starter workflow --- code-scanning/trivy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index 4a8fe41ed7..451f303fba 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. -name: build +name: trivy on: push: From 02d32ccbc289bd4bcb46c0a8b1f51a4df4e1f74e Mon Sep 17 00:00:00 2001 
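Review bot: The new `timeout-minutes` expression has no comment explaining why Swift gets 120 minutes and everything else 360, and the rationale in the commit message (bounding billed macOS minutes if a Swift build hangs) will not travel with the template. Add above the line `# Swift analysis runs on macOS; cap it at 2h so a hung build does not consume the full 6h default`. The `(cond && 120) || 360` idiom only works because 120 is truthy, which is worth a word in case someone later lowers the value to 0.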
From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Tue, 30 May 2023 09:56:36 -0400 Subject: [PATCH 692/844] ubuntu runner upgrade to vNext --- code-scanning/trivy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index 451f303fba..e4d38cd91d 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -24,7 +24,7 @@ jobs: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Build - runs-on: "ubuntu-18.04" + runs-on: "ubuntu-20.04" steps: - name: Checkout code uses: actions/checkout@v3 From ee518ae76c27a9700e06499dd8f8c1c99d6d0316 Mon Sep 17 00:00:00 2001 From: Beth Brennan <34719884+elbrenn@users.noreply.github.com> Date: Wed, 31 May 2023 13:38:11 -0400 Subject: [PATCH 693/844] Update CODEOWNERS --- CODEOWNERS | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CODEOWNERS b/CODEOWNERS index 0a7c0a548d..a47bd5b840 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,4 +1,4 @@ -* @actions/starter-workflows +* @actions/actions-workflow-development-reviewers -/code-scanning/ @actions/advanced-security-code-scanning @actions/starter-workflows -/pages/ @actions/pages @actions/starter-workflows +/code-scanning/ @actions/advanced-security-code-scanning @actions/actions-workflow-development-reviewers +/pages/ @actions/pages @actions/actions-workflow-development-reviewers From 437d407a8a0b4ff654b5ccc6f3ef59c946cb5210 Mon Sep 17 00:00:00 2001 
From: Jamie Scott Date: Tue, 6 Jun 2023 16:22:48 -0700 Subject: [PATCH 694/844] add Endor Labs --- code-scanning/endorlabs.yml | 46 ++ .../properties/endorlabs.properties.json | 7 + icons/endorlabs.svg | 426 ++++++++++++++++++ 3 files changed, 479 insertions(+) create mode 100644 code-scanning/endorlabs.yml create mode 100644 code-scanning/properties/endorlabs.properties.json create mode 100644 icons/endorlabs.svg diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml new file mode 100644 index 0000000000..5f6e8672d8 --- /dev/null +++ b/code-scanning/endorlabs.yml 
@@ -0,0 +1,46 @@ +name: Endor Labs Scan +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly +jobs: + scan: + permissions: + security-events: write # Used to upload sarif artifact to GitHub + contents: read # Used to checkout a private repository but actions/checkout. + actions: read # Required for private repositories to upload sarif files. GitHub Advanced Security licenses are required. + id-token: write # Used for keyless authentication to Endor Labs + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v3 + #### Package Build Instructions + ### Use this section to define the build steps used by your software package. + ### Endor Labs does this for you when possible. + # - name: Setup Java + # uses: actions/setup-java@v3 + # with: + # distribution: 'microsoft' + # java-version: '17' + # - name: Build Package + # run: mvn clean install + - name: Endor Labs Scan Pull Request + if: github.event_name == 'pull_request' + uses: endorlabs/github-action@main + with: + namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. + sarif_file: findings.sarif + - name: Endor Labs Scan Push to main + if: github.event_name == 'push' + uses: endorlabs/github-action@main + with: + namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. + ci_run: "false" + sarif_file: findings.sarif + - name: Upload SARIF to github + uses: github/codeql-action/upload-sarif@9885f86fab4879632b7e44514f19148225dfbdcd + with: + sarif_file: findings.sarif \ No newline at end of file diff --git a/code-scanning/properties/endorlabs.properties.json b/code-scanning/properties/endorlabs.properties.json new file mode 100644 index 0000000000..8c4cbb0837 --- /dev/null +++ b/code-scanning/properties/endorlabs.properties.json 
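Review bot: The `schedule` trigger has no step that runs for it: both scan steps are gated on `pull_request` or `push`, so a weekly scheduled run only checks out the repository and then the `Upload SARIF to github` step fails on a missing `findings.sarif`. Extend the monitor step's condition, `if: github.event_name == 'push' || github.event_name == 'schedule'`, or drop the cron from `on:`. Separately, `id-token: write` is granted job-wide to a third-party action referenced by the mutable `@main` branch, which means anyone who can push to that branch can obtain OIDC tokens minted for the calling repository; a commit-SHA pin with a `# vX.Y.Z` trailer bounds that, and the `upload-sarif` SHA pin would benefit from the same version comment.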
@@ -0,0 +1,7 @@ +{ + "name": "Endor Labs Scan", + "creator": "EndorLabs", + "description": "Identify, prioritize and address open source and code governance issues with Endor Labs.", + "iconName": "endorlabs", + "categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "ruby", "go", "kotlin", "scala" ] +} \ No newline at end of file diff --git a/icons/endorlabs.svg b/icons/endorlabs.svg new file mode 100644 index 0000000000..04f1287b9a --- /dev/null +++ b/icons/endorlabs.svg @@ -0,0 +1,426 @@ + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file From 43f7851be318b6c6d3f53cc2dcc716304ce0b1f4 Mon Sep 17 00:00:00 2001 From: Jamie Scott Date: Tue, 6 Jun 2023 20:20:00 -0700 Subject: [PATCH 695/844] Change to specified version --- code-scanning/endorlabs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index 5f6e8672d8..cc7ebaa1db 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml @@ -35,7 +35,7 @@ jobs: sarif_file: findings.sarif - name: Endor Labs Scan Push to main if: github.event_name == 'push' - uses: endorlabs/github-action@main + uses: endorlabs/github-action@v1.0.0 with: namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. ci_run: "false" @@ -43,4 +43,4 @@ jobs: - name: Upload SARIF to github uses: github/codeql-action/upload-sarif@9885f86fab4879632b7e44514f19148225dfbdcd with: - sarif_file: findings.sarif \ No newline at end of file + sarif_file: findings.sarif From ea40b7a2671cddb7c82f6daf4ac2f299bd4ca475 Mon Sep 17 00:00:00 2001 From: Jamie Scott Date: Tue, 6 Jun 2023 20:22:38 -0700 Subject: [PATCH 696/844] Update to commit sha --- code-scanning/endorlabs.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index cc7ebaa1db..b3d92c4b29 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml 
@@ -29,13 +29,13 @@ jobs: # run: mvn clean install - name: Endor Labs Scan Pull Request if: github.event_name == 'pull_request' - uses: endorlabs/github-action@main + uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c with: namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. sarif_file: findings.sarif - - name: Endor Labs Scan Push to main - if: github.event_name == 'push' - uses: endorlabs/github-action@v1.0.0 + - name: Endor Labs Scan Monitor + if: github.event_name == 'push' + uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c with: namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. ci_run: "false" From bb9bbc31d84c8b28e3aad02f5a7124bf710ccc72 Mon Sep 17 00:00:00 2001 From: ElizabethBarrord Date: Wed, 7 Jun 2023 17:28:33 -0500 Subject: [PATCH 697/844] add line at eof and adding icon --- code-scanning/properties/credo.properties.json | 3 ++- icons/code.svg | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 icons/code.svg diff --git a/code-scanning/properties/credo.properties.json b/code-scanning/properties/credo.properties.json index 3a86a10e92..cdc621fed2 100644 --- a/code-scanning/properties/credo.properties.json +++ b/code-scanning/properties/credo.properties.json @@ -2,5 +2,6 @@ "name": "Credo Scan", "creator": "Credo", "description": "Credo is a static code analysis tool for the Elixir language with a focus on teaching and code consistency.", + "iconName": "code", "categories": ["Code Scanning", "Elixir"] -} \ No newline at end of file +} diff --git a/icons/code.svg b/icons/code.svg new file mode 100644 index 0000000000..ee64cbcf4a --- /dev/null +++ b/icons/code.svg @@ -0,0 +1 @@ + \ No newline at end of file From 82f55d00bdc01e81e34edf2ce29733c6f96f0ef1 Mon Sep 17 00:00:00 2001 
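Review bot: Both `endorlabs/github-action@b51bd06…` pins now carry no version comment, so the next reader cannot tell which release the SHA corresponds to, and tooling that bumps SHA pins generally relies on that comment to know what it is updating. The previous commit referenced `v1.0.0`, so presumably the intended form is `uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c # v1.0.0`; confirm the SHA is that tag's commit before adding it. The renamed monitor step is still gated on `push` only, so a scheduled run of this workflow has no scan step.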
From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Thu, 8 Jun 2023 12:08:28 -0400 Subject: [PATCH 698/844] Bump DR to take advantage of latest features --- code-scanning/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index fe461b4243..b0dedc42e0 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -17,4 +17,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@v3 - name: 'Dependency Review' - uses: actions/dependency-review-action@v2 + uses: actions/dependency-review-action@v3 From 47e25f909529738fcd02d3f6a07224e4cd35f0b6 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Mon, 12 Jun 2023 11:13:06 +0100 Subject: [PATCH 699/844] CodeQL: Update autobuild comment Add Swift to the list of compiled languages that autobuild will try to build. --- code-scanning/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index e901a24072..0b8af3397d 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -56,7 +56,7 @@ jobs: # queries: security-extended,security-and-quality - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild uses: github/codeql-action/autobuild@v2 From fae93dfd03b4d95ea199d016c0177a0e9acf5036 Mon Sep 17 00:00:00 2001 From: Jamie Scott Date: Mon, 12 Jun 2023 19:05:57 -0700 Subject: [PATCH 700/844] Update endorlabs.properties.json --- code-scanning/properties/endorlabs.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/code-scanning/properties/endorlabs.properties.json b/code-scanning/properties/endorlabs.properties.json index 8c4cbb0837..f251c7b78d 100644 --- a/code-scanning/properties/endorlabs.properties.json +++ b/code-scanning/properties/endorlabs.properties.json @@ -4,4 +4,4 @@ "description": "Identify, prioritize and address open source and code governance issues with Endor Labs.", "iconName": "endorlabs", "categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "ruby", "go", "kotlin", "scala" ] -} \ No newline at end of file +} From 9988e13794684252e6aed931cfe876d5eb0afdf4 Mon Sep 17 00:00:00 2001 From: Jamie Scott Date: Mon, 12 Jun 2023 19:08:27 -0700 Subject: [PATCH 701/844] Update endorlabs.yml --- code-scanning/endorlabs.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index b3d92c4b29..cc9d71f642 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml @@ -15,7 +15,7 @@ jobs: id-token: write # Used for keyless authentication to Endor Labs runs-on: ubuntu-latest steps: - - name: Checkout Repository + - name: Checkout repository uses: actions/checkout@v3 #### Package Build Instructions ### Use this section to define the build steps used by your software package. @@ -27,13 +27,13 @@ jobs: # java-version: '17' # - name: Build Package # run: mvn clean install - - name: Endor Labs Scan Pull Request + - name: Endor Labs scan pull request if: github.event_name == 'pull_request' uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c with: namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. sarif_file: findings.sarif - - name: Endor Labs Scan Monitor + - name: Endor Labs scan monitor if: github.event_name == 'push' uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c with: From 018bc7064380b34483c023064f31435f65011ecd Mon Sep 17 00:00:00 2001 
From: Jamie Scott Date: Mon, 12 Jun 2023 19:08:58 -0700 Subject: [PATCH 702/844] Update endorlabs.yml --- code-scanning/endorlabs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index cc9d71f642..7c69cb4098 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml @@ -1,4 +1,4 @@ -name: Endor Labs Scan +name: Endor Labs on: push: branches: [ $default-branch ] From c6e2cb88e6e745ed8ad5c23581c173668afb4319 Mon Sep 17 00:00:00 2001 From: Jamie Scott Date: Thu, 15 Jun 2023 09:11:51 -0700 Subject: [PATCH 703/844] Add comments header --- code-scanning/endorlabs.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index 7c69cb4098..59a9a29fc7 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml @@ -1,7 +1,12 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + name: Endor Labs on: push: - branches: [ $default-branch ] + branches: [ $default-branch, $protected-branches ] pull_request: branches: [ $default-branch ] schedule: From 6da5a650b9818dfd8ecff77ba25ff5d79d0119fb Mon Sep 17 00:00:00 2001 From: Jamie Scott Date: Thu, 15 Jun 2023 09:13:08 -0700 Subject: [PATCH 704/844] Update case and spacing --- code-scanning/properties/endorlabs.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/endorlabs.properties.json b/code-scanning/properties/endorlabs.properties.json index f251c7b78d..4347f4c102 100644 --- a/code-scanning/properties/endorlabs.properties.json +++ b/code-scanning/properties/endorlabs.properties.json 
@@ -1,6 +1,6 @@ { - "name": "Endor Labs Scan", - "creator": "EndorLabs", + "name": "Endor Labs scan", + "creator": "Endor Labs", "description": "Identify, prioritize and address open source and code governance issues with Endor Labs.", "iconName": "endorlabs", "categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "ruby", "go", "kotlin", "scala" ] From 03ce4e088fd4b766979b2642c82187dcff28b83c Mon Sep 17 00:00:00 2001 From: Jamie Scott Date: Thu, 15 Jun 2023 10:36:30 -0700 Subject: [PATCH 705/844] Fix Linter Issues --- code-scanning/endorlabs.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index 59a9a29fc7..1ad0e2609b 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml @@ -15,7 +15,7 @@ jobs: scan: permissions: security-events: write # Used to upload sarif artifact to GitHub - contents: read # Used to checkout a private repository but actions/checkout. + contents: read # Used to checkout a private repository by actions/checkout. actions: read # Required for private repositories to upload sarif files. GitHub Advanced Security licenses are required. id-token: write # Used for keyless authentication to Endor Labs runs-on: ubuntu-latest @@ -23,8 +23,8 @@ jobs: - name: Checkout repository uses: actions/checkout@v3 #### Package Build Instructions - ### Use this section to define the build steps used by your software package. - ### Endor Labs does this for you when possible. + ### Use this section to define the build steps used by your software package. + ### Endor Labs builds your software for you where possible but the required build tools must be made availible. # - name: Setup Java # uses: actions/setup-java@v3 # with: 
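Review bot: The reworded build-instructions comment introduces a typo, `availible`, in a template that users copy verbatim; change the line to `### Endor Labs builds your software for you where possible but the required build tools must be made available.` The rest of this hunk is trailing-whitespace cleanup. The `steps` list the hunk edits starts above the hunk.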
@@ -36,13 +36,13 @@ jobs: if: github.event_name == 'pull_request' uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c with: - namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. + namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. sarif_file: findings.sarif - name: Endor Labs scan monitor - if: github.event_name == 'push' + if: github.event_name == 'push' uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c with: - namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. + namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. ci_run: "false" sarif_file: findings.sarif - name: Upload SARIF to github From 2402be0dd2440854bd9c695066d297daaf836468 Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Thu, 15 Jun 2023 16:46:40 -0400 Subject: [PATCH 706/844] Update code-scanning/codeql.yml Co-authored-by: Nick Liffen --- code-scanning/codeql.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 79a4a7c109..15398a7973 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -27,7 +27,8 @@ jobs: # https://gh.io/recommended-hardware-resources-for-running-codeql # https://gh.io/supported-runners-and-hardware-resources # https://gh.io/using-larger-runners - # to learn more. + # to learn more. + # Consider using larger runners for possible analysis time improvements. runs-on: ubuntu-latest permissions: actions: read From fcf8a26d9d738ab865ef0fa1413a579df8424b6f Mon Sep 17 00:00:00 2001 From: Dmitry Shibanov Date: Mon, 19 Jun 2023 11:47:56 +0200 Subject: [PATCH 707/844] bump go version and use single quotes --- ci/go.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/go.yml b/ci/go.yml index e89f6c9fbf..9f74f8704d 100644 --- a/ci/go.yml +++ b/ci/go.yml 
@@ -17,9 +17,9 @@ jobs: - uses: actions/checkout@v3 - name: Set up Go - uses: actions/setup-go@v3 + uses: actions/setup-go@v4 with: - go-version: 1.19 + go-version: '1.20' - name: Build run: go build -v ./... From c6191f3c154ba8fc2b63183ac0d8e67897ea3c23 Mon Sep 17 00:00:00 2001 From: Joe Mooring Date: Tue, 20 Jun 2023 22:39:07 -0700 Subject: [PATCH 708/844] Update Hugo version and switch to Dart Sass --- pages/hugo.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pages/hugo.yml b/pages/hugo.yml index fd6c4b4631..8d9fc97244 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -31,14 +31,14 @@ jobs: build: runs-on: ubuntu-latest env: - HUGO_VERSION: 0.108.0 + HUGO_VERSION: 0.114.0 steps: - name: Install Hugo CLI run: | wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb \ && sudo dpkg -i ${{ runner.temp }}/hugo.deb - - name: Install Dart Sass Embedded - run: sudo snap install dart-sass-embedded + - name: Install Dart Sass + run: sudo snap install dart-sass - name: Checkout uses: actions/checkout@v3 with: From c4caf17ee5bda39bed4d37be14e5acf859468769 Mon Sep 17 00:00:00 2001 From: delarea Date: Mon, 3 Jul 2023 17:30:23 +0300 Subject: [PATCH 709/844] Update latest commit --- code-scanning/frogbot-scan-and-fix.yml | 2 +- code-scanning/frogbot-scan-pr.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index feacb7fcc6..73ce5e318f 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml 
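Review bot: The Install Hugo CLI step that this hunk keeps while bumping `HUGO_VERSION` to 0.114.0 fetches a .deb over the network and installs it as root with no integrity check, so a truncated or tampered download is installed silently. Hugo's releases ship a checksums asset alongside the binaries (named `hugo_<version>_checksums.txt` in recent releases — confirm the name for 0.114.0), and verifying it before `dpkg -i` costs two lines; keeping the download under its original filename lets `sha256sum -c` match it. Note that a checksum fetched from the same origin only catches corruption, not a compromised origin — a hard-coded SHA-256 next to `HUGO_VERSION` in `env:` is the stronger option if maintainers are willing to update it with each bump. The `dart-sass` snap install has the same gap but at least goes through the snap store's own signing.
```yaml
      - name: Install Hugo CLI
        run: |
          cd ${{ runner.temp }}
          wget https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb
          wget https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_${HUGO_VERSION}_checksums.txt
          grep " hugo_extended_${HUGO_VERSION}_linux-amd64.deb$" hugo_${HUGO_VERSION}_checksums.txt | sha256sum -c -
          sudo dpkg -i hugo_extended_${HUGO_VERSION}_linux-amd64.deb
      # … unchanged: Install Dart Sass, Checkout …
```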
@@ -27,7 +27,7 @@ jobs: # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md - - uses: jfrog/frogbot@3395426f351556d4568e30a6dfd2909dbedae99e + - uses: jfrog/frogbot@5702c8636050340331e746f169687527860d2245 env: # [Mandatory if the two conditions below are met] # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index 9e8b6c556c..7b60c23cf6 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml @@ -32,7 +32,7 @@ jobs: # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md - - uses: jfrog/frogbot@3395426f351556d4568e30a6dfd2909dbedae99e + - uses: jfrog/frogbot@5702c8636050340331e746f169687527860d2245 env: # [Mandatory if the two conditions below are met] # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies From 0c238aec84e18522e7befaa32ccb39537e7dc44d Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Mon, 10 Jul 2023 23:00:03 -0500 Subject: [PATCH 710/844] Update all Pages starter workflows to use upload-pages-artifact@v2 --- pages/astro.yml | 2 +- pages/gatsby.yml | 2 +- pages/hugo.yml | 2 +- pages/jekyll-gh-pages.yml | 2 +- pages/jekyll.yml | 2 +- pages/mdbook.yml | 2 +- pages/nextjs.yml | 2 +- pages/nuxtjs.yml | 2 +- pages/static.yml | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) 
diff --git a/pages/astro.yml b/pages/astro.yml index 42789585f4..ccbae47b42 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -71,7 +71,7 @@ jobs: --base "${{ steps.pages.outputs.base_path }}" working-directory: ${{ env.BUILD_PATH }} - name: Upload artifact - uses: actions/upload-pages-artifact@v1 + uses: actions/upload-pages-artifact@v2 with: path: ${{ env.BUILD_PATH }}/dist diff --git a/pages/gatsby.yml b/pages/gatsby.yml index 1fe2d24de3..676740b61b 100644 --- a/pages/gatsby.yml +++ b/pages/gatsby.yml @@ -80,7 +80,7 @@ jobs: PREFIX_PATHS: 'true' run: ${{ steps.detect-package-manager.outputs.manager }} run build - name: Upload artifact - uses: actions/upload-pages-artifact@v1 + uses: actions/upload-pages-artifact@v2 with: path: ./public diff --git a/pages/hugo.yml b/pages/hugo.yml index fd6c4b4631..9e0fb88348 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -58,7 +58,7 @@ jobs: --minify \ --baseURL "${{ steps.pages.outputs.base_url }}/" - name: Upload artifact - uses: actions/upload-pages-artifact@v1 + uses: actions/upload-pages-artifact@v2 with: path: ./public diff --git a/pages/jekyll-gh-pages.yml b/pages/jekyll-gh-pages.yml index 851f2ce28f..044e34cdb1 100644 --- a/pages/jekyll-gh-pages.yml +++ b/pages/jekyll-gh-pages.yml @@ -36,7 +36,7 @@ jobs: source: ./ destination: ./_site - name: Upload artifact - uses: actions/upload-pages-artifact@v1 + uses: actions/upload-pages-artifact@v2 # Deployment job deploy: diff --git a/pages/jekyll.yml b/pages/jekyll.yml index 5adebe4e50..bd2f2e89ca 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -49,7 +49,7 @@ jobs: JEKYLL_ENV: production - name: Upload artifact # Automatically uploads an artifact from the './_site' directory by default - uses: actions/upload-pages-artifact@v1 + uses: actions/upload-pages-artifact@v2 # Deployment job deploy: diff --git a/pages/mdbook.yml b/pages/mdbook.yml index 78d664ebf0..0fae7a4a27 100644 --- a/pages/mdbook.yml +++ b/pages/mdbook.yml 
@@ -43,7 +43,7 @@ jobs: - name: Build with mdBook run: mdbook build - name: Upload artifact - uses: actions/upload-pages-artifact@v1 + uses: actions/upload-pages-artifact@v2 with: path: ./book diff --git a/pages/nextjs.yml b/pages/nextjs.yml index 81073e6ac1..308b76e319 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -78,7 +78,7 @@ jobs: - name: Static HTML export with Next.js run: ${{ steps.detect-package-manager.outputs.runner }} next export - name: Upload artifact - uses: actions/upload-pages-artifact@v1 + uses: actions/upload-pages-artifact@v2 with: path: ./out diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml index ddf8f4f271..2951136868 100644 --- a/pages/nuxtjs.yml +++ b/pages/nuxtjs.yml @@ -73,7 +73,7 @@ jobs: - name: Static HTML export with Nuxt run: ${{ steps.detect-package-manager.outputs.manager }} run generate - name: Upload artifact - uses: actions/upload-pages-artifact@v1 + uses: actions/upload-pages-artifact@v2 with: path: ./dist diff --git a/pages/static.yml b/pages/static.yml index 43bec60eaf..31ac4283a2 100644 --- a/pages/static.yml +++ b/pages/static.yml @@ -34,7 +34,7 @@ jobs: - name: Setup Pages uses: actions/configure-pages@v3 - name: Upload artifact - uses: actions/upload-pages-artifact@v1 + uses: actions/upload-pages-artifact@v2 with: # Upload entire repository path: '.' From 356930494d1828026e574eb42892964e6b1ce089 Mon Sep 17 00:00:00 2001 From: Natalie Somersall Date: Wed, 12 Jul 2023 15:25:09 +0000 Subject: [PATCH 711/844] move gem workflow to ruby/setup-ruby, same as ruby --- ci/gem-push.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ci/gem-push.yml b/ci/gem-push.yml index 8905272015..dd6d867397 100644 --- a/ci/gem-push.yml +++ b/ci/gem-push.yml 
@@ -17,7 +17,10 @@ jobs: steps: - uses: actions/checkout@v3 - name: Set up Ruby 2.6 - uses: actions/setup-ruby@v1 + # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, + # change this to (see https://github.com/ruby/setup-ruby#versioning): + # uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: ruby-version: 2.6.x From 830d0c7c9dc9cb64457807f740440982e68a1a77 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Thu, 13 Jul 2023 09:30:22 -0500 Subject: [PATCH 712/844] Add comment containing friendly version number --- ci/deno.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/deno.yml b/ci/deno.yml index c48292e850..92338c9705 100644 --- a/ci/deno.yml +++ b/ci/deno.yml @@ -27,7 +27,7 @@ jobs: - name: Setup Deno # uses: denoland/setup-deno@v1 - uses: denoland/setup-deno@61fe2df320078202e33d7d5ad347e7dcfa0e8f31 + uses: denoland/setup-deno@61fe2df320078202e33d7d5ad347e7dcfa0e8f31 # v1.1.2 with: deno-version: v1.x From d0ceca4feaff32caa6d0957e1b1ae9314b619167 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Thu, 13 Jul 2023 09:36:51 -0500 Subject: [PATCH 713/844] Compress the comment --- code-scanning/codeql.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 15398a7973..18667cf50f 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml 
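Review bot: The migrated step still requests `ruby-version: 2.6.x`, and Ruby 2.6 is, as far as I know, a series that stopped receiving security fixes in 2022, so a gem-publishing starter would hand new users an unsupported runtime by default; consider a currently supported series, e.g. `ruby-version: '3.2'`, and rename the step from `Set up Ruby 2.6` to match. The full-SHA pin with the `# v1.146.0` trailer is the right shape for a third-party action, but that comment is informational only and nothing checks it, so whoever bumps the pin should confirm the hash really is the commit tagged v1.146.0. The job's remaining steps are outside the hunk.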
@@ -23,11 +23,10 @@ on: jobs: analyze: name: Analyze - # Runner size impacts CodeQL analysis time. Please see: - # https://gh.io/recommended-hardware-resources-for-running-codeql - # https://gh.io/supported-runners-and-hardware-resources - # https://gh.io/using-larger-runners - # to learn more. + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners # Consider using larger runners for possible analysis time improvements. runs-on: ubuntu-latest permissions: From ec351ca4a9ea59041fccee4d2bbaf1fcf1a98e31 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Thu, 13 Jul 2023 09:39:44 -0500 Subject: [PATCH 714/844] Delete trailing whitespace --- code-scanning/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 660514a9c5..f53c061a3f 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -27,7 +27,7 @@ jobs: # - https://gh.io/recommended-hardware-resources-for-running-codeql # - https://gh.io/supported-runners-and-hardware-resources # - https://gh.io/using-larger-runners - # Consider using larger runners for possible analysis time improvements. + # Consider using larger runners for possible analysis time improvements. runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} permissions: From a07603e5efb78778ca8291d20a54900f0024e0b8 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Thu, 13 Jul 2023 09:51:15 -0500 Subject: [PATCH 715/844] Update to latest cosign versions --- ci/docker-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 4aaca04375..31da0e37bf 100644 --- a/ci/docker-publish.yml 
+++ b/ci/docker-publish.yml @@ -41,9 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@03d0fecf172873164a163bbc64bed0f3bf114ed7 #v3.4.0 + uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 with: - cosign-release: 'v2.0.2' + cosign-release: 'v2.1.1' # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx From cbe6296a3534c58492e4553dbc21063c347bbe7b Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Thu, 13 Jul 2023 10:30:20 -0500 Subject: [PATCH 716/844] Update ci/elixir.yml --- ci/elixir.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/elixir.yml b/ci/elixir.yml index 9890efd8dd..a8513c17cf 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -23,7 +23,7 @@ jobs: steps: - uses: actions/checkout@v3 - name: Set up Elixir - uses: erlef/setup-beam@v1 + uses: erlef/setup-beam@61e01a43a562a89bfc54c7f9a378ff67b03e4a21 # v1.16.0 with: elixir-version: '1.14.4' # Define the elixir version [required] otp-version: '25.3' # Define the OTP version [required] From 49efc3d27f757ab3bb8e7ee7ee9233c32a27de77 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Thu, 13 Jul 2023 10:30:29 -0500 Subject: [PATCH 717/844] Update ci/elixir.yml --- ci/elixir.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/elixir.yml b/ci/elixir.yml index a8513c17cf..58f0b2783b 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -25,8 +25,8 @@ jobs: - name: Set up Elixir uses: erlef/setup-beam@61e01a43a562a89bfc54c7f9a378ff67b03e4a21 # v1.16.0 with: - elixir-version: '1.14.4' # Define the elixir version [required] - otp-version: '25.3' # Define the OTP version [required] + elixir-version: '1.15.2' # [Required] Define the Elixir version + otp-version: '26.0' # [Required] Define the Erlang/OTP version - name: Restore dependencies cache uses: actions/cache@v3 with: 
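Review bot: The trailing version comment on the cosign-installer pin moves from `#v3.4.0` to `#v3.1.1` while the SHA changes, which shows the previous comment did not describe the commit it sat next to; these trailers are not verified by any tooling, so this hunk should be merged only after confirming that `6e04d228eb30da1757ee4e1dd75a0ec73a653e06` is the commit tagged v3.1.1 in sigstore/cosign-installer. A short comment above the step would make the contract explicit for the next bump, e.g. `# Pinned to a full commit SHA; the version trailer is informational, verify tag and SHA agree when updating.` Matching the `# v3.1.1` spacing used by the other pins in this series would also help grep-based audits. The rest of the job is outside the hunk.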
From 72d4aceb2f6ab012523440e972bab7b0e8747d95 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Thu, 13 Jul 2023 10:38:10 -0500 Subject: [PATCH 718/844] Bumping version to latest --- ci/gradle-publish.yml | 4 ++-- ci/gradle.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 326c3ca127..3e301337af 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -30,14 +30,14 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Build with Gradle - uses: gradle/gradle-build-action@749f47bda3e44aa060e82d7b3ef7e40d953bd629 + uses: gradle/gradle-build-action@bd5760595778326ba7f1441bcf7e88b49de61a25 # v2.6.0 with: arguments: build # The USERNAME and TOKEN need to correspond to the credentials environment variables used in # the publishing section of your build.gradle - name: Publish to GitHub Packages - uses: gradle/gradle-build-action@749f47bda3e44aa060e82d7b3ef7e40d953bd629 + uses: gradle/gradle-build-action@bd5760595778326ba7f1441bcf7e88b49de61a25 # v2.6.0 with: arguments: publish env: diff --git a/ci/gradle.yml b/ci/gradle.yml index 461a705fc0..51645f9532 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -29,6 +29,6 @@ jobs: java-version: '11' distribution: 'temurin' - name: Build with Gradle - uses: gradle/gradle-build-action@749f47bda3e44aa060e82d7b3ef7e40d953bd629 + uses: gradle/gradle-build-action@bd5760595778326ba7f1441bcf7e88b49de61a25 # v2.6.0 with: arguments: build From 652258c72af71832785fa194dafa5bcbe0df3250 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Thu, 13 Jul 2023 11:00:03 -0500 Subject: [PATCH 719/844] Bump frogbot to v2.10.0 --- code-scanning/frogbot-scan-and-fix.yml | 2 +- code-scanning/frogbot-scan-pr.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 73ce5e318f..ed7028901d 100644 
--- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -27,7 +27,7 @@ jobs: # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md - - uses: jfrog/frogbot@5702c8636050340331e746f169687527860d2245 + - uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0 env: # [Mandatory if the two conditions below are met] # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index 7b60c23cf6..a2e29fa824 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml @@ -32,7 +32,7 @@ jobs: # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md - - uses: jfrog/frogbot@5702c8636050340331e746f169687527860d2245 + - uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0 env: # [Mandatory if the two conditions below are met] # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies From 9744b8f3b58f39e65faa4bf117a3f0efeb9748b3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?C=C3=A9dric=20Fabianski?= Date: Mon, 17 Jul 2023 15:24:07 +0200 Subject: [PATCH 720/844] feat: add Bearer code scanning option --- code-scanning/bearer.yml | 39 ++++++++++++++ .../properties/bearer.properties.json | 7 +++ icons/bearer.svg | 53 +++++++++++++++++++ 3 files changed, 99 insertions(+) create mode 100644 code-scanning/bearer.yml create mode 100644 code-scanning/properties/bearer.properties.json create mode 100644 icons/bearer.svg diff --git a/code-scanning/bearer.yml b/code-scanning/bearer.yml new file mode 100644 index 0000000000..a62494a45e --- /dev/null +++ b/code-scanning/bearer.yml @@ -0,0 +1,39 @@ +# This workflow file requires a free account on Bearer.com to manage findings, notifications and more. +# +# See https://docs.bearer.com/guides/bearer-cloud/ + +name: Bearer + +on: + push: + branches: [$default-branch, $protected-branches] + pull_request: + # The branches below must be a subset of the branches above + branches: [$default-branch] + schedule: + - cron: $cron-weekly + +permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + +jobs: + bearer: + runs-on: ubuntu-latest + steps: + # Checkout project source + - uses: actions/checkout@v3 + # Scan code using Bearer CLI + - name: Run Report + id: report + uses: bearer/bearer-action@v2 + with: + api-key: ${{ secrets.BEARER_TOKEN }} + format: sarif + output: results.sarif + # Upload SARIF file generated in previous step + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif diff --git a/code-scanning/properties/bearer.properties.json b/code-scanning/properties/bearer.properties.json new file mode 100644 index 0000000000..05b02c2718 --- /dev/null +++ b/code-scanning/properties/bearer.properties.json 
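Review bot: `uses: bearer/bearer-action@v2` references a mutable tag of a third-party action in a step that is handed a secret (`api-key: ${{ secrets.BEARER_TOKEN }}`) and runs against the checked-out source, so whoever can move that tag can read the token and the code; every other third-party action touched in this series is pinned to a full commit SHA with the tag in a trailing comment, and this step should follow the same convention, `uses: bearer/bearer-action@<full-commit-sha> # v2.x`. Separately, the workflow is also triggered on `pull_request`, and repository secrets are not exposed to pull requests from forks, so the step will run with an empty API key there; either guard it, `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, or state the limitation in the header comment. The explicit least-privilege `permissions` block is good and should stay as is.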
@@ -0,0 +1,7 @@ +{ + "name": "Bearer", + "creator": "Bearer", + "description": "Continuously run Bearer code security scanning tool (SAST) to discover, filter and prioritize security and privacy risks.", + "iconName": "bearer", + "categories": ["Code Scanning", "JavaScript", "TypeScript", "Java", "Ruby"] +} diff --git a/icons/bearer.svg b/icons/bearer.svg new file mode 100644 index 0000000000..64cb93a74b --- /dev/null +++ b/icons/bearer.svg @@ -0,0 +1,53 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From 357ab69839bf136ea0f2984f2b7541856821cf63 Mon Sep 17 00:00:00 2001 From: "Justin Goshi (from Dev Box)" Date: Tue, 1 Aug 2023 11:10:55 -1000 Subject: [PATCH 721/844] Split cmake starter workflow single/multi plaform --- ci/cmake-multi-platform.yml | 60 +++++++++++++++++++++ ci/{cmake.yml => cmake-single-platform.yml} | 4 +- ci/properties/cmake-multi-platform.json | 6 +++ ci/properties/cmake-single-platform.json | 6 +++ ci/properties/cmake.properties.json | 6 --- 5 files changed, 75 insertions(+), 7 deletions(-) create mode 100644 ci/cmake-multi-platform.yml rename ci/{cmake.yml => cmake-single-platform.yml} (83%) create mode 100644 ci/properties/cmake-multi-platform.json create mode 100644 ci/properties/cmake-single-platform.json delete mode 100644 ci/properties/cmake.properties.json diff --git a/ci/cmake-multi-platform.yml b/ci/cmake-multi-platform.yml new file mode 100644 index 0000000000..70475c18ad --- /dev/null +++ b/ci/cmake-multi-platform.yml 
@@ -0,0 +1,60 @@ +# This starter workflow is for a CMake project running on multiple platforms. There is a different starter workflow if you just want a single platform. +# See: https://github.com/actions/starter-workflows/blob/main/ci/cmake-single-platform.yml +name: CMake on a multiple platforms + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + +jobs: + build: + runs-on: ${{ matrix.os }} + + strategy: + # Set fail-fast to false to ensure that feedback is delivered for all matrix combinations. Can consider changing this to true when the workflow is stable. + fail-fast: false + + # Set up a matrix to run the following 3 configurations: + # 1. + # 2. + # 3. + # + # To add more build types (Release, Debug, RelWithDebInfo, etc.) customize the build_type list. + matrix: + os: [ubuntu-latest, windows-latest] + build_type: [Release] + compiler: [gcc, clang, cl] + exclude: + - os: windows-latest + compiler: gcc + - os: windows-latest + compiler: clang + - os: ubuntu-latest + compiler: cl + + steps: + - uses: actions/checkout@v3 + + - name: Set reusable strings + # Turn repeated input strings (such as the build output directory) into step outputs. These step outputs can be used throughout the workflow file. + id: strings + shell: bash + run: | + echo "build-output-dir=${{github.workspace}}/build" >> "$GITHUB_OUTPUT" + + - name: Configure CMake + # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make. + # See https://cmake.org/cmake/help/latest/variable/CMAKE_BUILD_TYPE.html?highlight=cmake_build_type + run: cmake -B ${{ steps.strings.outputs.build-output-dir }} -DCMAKE_CXX_COMPILER=${{matrix.compiler}} -DCMAKE_C_COMPILER=${{matrix.compiler}} -DCMAKE_BUILD_TYPE=${{matrix.build_type}} -S ${{github.workspace}} + + - name: Build + # Build your program with the given configuration. 
Note that --config is needed because the default Windows generator is a multi-config generator (Visual Studio generator). + run: cmake --build ${{ steps.strings.outputs.build-output-dir }} --config ${{matrix.build_type}} + + - name: Test + working-directory: ${{ steps.strings.outputs.build-output-dir }} + # Execute tests defined by the CMake configuration. Note that -C is needed because the default Windows generator is a multi-config generator (Visual Studio generator). + # See https://cmake.org/cmake/help/latest/manual/ctest.1.html for more detail + run: ctest -C ${{matrix.build_type}} diff --git a/ci/cmake.yml b/ci/cmake-single-platform.yml similarity index 83% rename from ci/cmake.yml rename to ci/cmake-single-platform.yml index 95d7efd7cf..ccc318b5d6 100644 --- a/ci/cmake.yml +++ b/ci/cmake-single-platform.yml @@ -1,4 +1,6 @@ -name: CMake +# This starter workflow is for a CMake project running on a single platform. There is a different starter workflow if you need cross-platform coverage. +# See: https://github.com/actions/starter-workflows/blob/main/ci/cmake-multi-platform.yml +name: CMake on a single platform on: push: diff --git a/ci/properties/cmake-multi-platform.json b/ci/properties/cmake-multi-platform.json new file mode 100644 index 0000000000..d26e2c2259 --- /dev/null +++ b/ci/properties/cmake-multi-platform.json @@ -0,0 +1,6 @@ +{ + "name": "CMake based multi-platform projects", + "description": "Build and test a CMake based project on multiple platforms.", + "iconName": "cmake", + "categories": ["Continuous integration", "C", "C++"] +} \ No newline at end of file diff --git a/ci/properties/cmake-single-platform.json b/ci/properties/cmake-single-platform.json new file mode 100644 index 0000000000..f843cf9c14 --- /dev/null +++ b/ci/properties/cmake-single-platform.json 
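Review bot: The Test step runs `ctest -C ${{matrix.build_type}}` without `--output-on-failure`, so a failing test in CI shows only its name and a pass/fail summary with no diagnostic output; `run: ctest -C ${{matrix.build_type}} --output-on-failure` would surface the failing test's output in the job log. The numbered list in the matrix comment (`# 1.`, `# 2.`, `# 3.`) is empty as shown here, which may be an extraction artefact, but if the descriptions really are missing the three configurations should be spelled out so readers know what the exclude rules are meant to leave. For what it is worth, the `${{ }}` interpolations in the `run:` lines only reference `matrix.*`, `steps.*` and `github.workspace`, none of which is attacker-controlled, so there is no expression-injection concern in this file.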
@@ -0,0 +1,6 @@ +{ + "name": "CMake based single-platform projects", + "description": "Build and test a CMake based project on a single-platform.", + "iconName": "cmake", + "categories": ["Continuous integration", "C", "C++"] +} \ No newline at end of file diff --git a/ci/properties/cmake.properties.json b/ci/properties/cmake.properties.json deleted file mode 100644 index a7f5d0670d..0000000000 --- a/ci/properties/cmake.properties.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "name": "CMake based projects", - "description": "Build and test a CMake based project.", - "iconName": "cmake", - "categories": ["Continuous integration", "C", "C++"] -} \ No newline at end of file From 12e30f58ecfd8ceac12a2f97fecd52d5011ceff8 Mon Sep 17 00:00:00 2001 From: "Justin Goshi (from Dev Box)" Date: Thu, 3 Aug 2023 12:00:16 -1000 Subject: [PATCH 722/844] Address a few comments on the PR --- ci/cmake-multi-platform.yml | 27 ++++++++++++++++++------ ci/properties/cmake-multi-platform.json | 2 +- ci/properties/cmake-single-platform.json | 2 +- 3 files changed, 23 insertions(+), 8 deletions(-) diff --git a/ci/cmake-multi-platform.yml b/ci/cmake-multi-platform.yml index 70475c18ad..a520c1a427 100644 --- a/ci/cmake-multi-platform.yml +++ b/ci/cmake-multi-platform.yml @@ -25,14 +25,24 @@ jobs: matrix: os: [ubuntu-latest, windows-latest] build_type: [Release] - compiler: [gcc, clang, cl] + c_compiler: [gcc, clang, cl] + include: + - os: windows-latest + c_compiler: cl + cpp_compiler: cl + - os: ubuntu-latest + c_compiler: gcc + cpp_compiler: g++ + - os: ubuntu-latest + c_compiler: clang + cpp_compiler: clang++ exclude: - os: windows-latest - compiler: gcc + c_compiler: gcc - os: windows-latest - compiler: clang + c_compiler: clang - os: ubuntu-latest - compiler: cl + c_compiler: cl steps: - uses: actions/checkout@v3 
@@ -47,7 +57,12 @@ jobs: - name: Configure CMake # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make. # See https://cmake.org/cmake/help/latest/variable/CMAKE_BUILD_TYPE.html?highlight=cmake_build_type - run: cmake -B ${{ steps.strings.outputs.build-output-dir }} -DCMAKE_CXX_COMPILER=${{matrix.compiler}} -DCMAKE_C_COMPILER=${{matrix.compiler}} -DCMAKE_BUILD_TYPE=${{matrix.build_type}} -S ${{github.workspace}} + run: > + cmake -B ${{ steps.strings.outputs.build-output-dir }} + -DCMAKE_CXX_COMPILER=${{matrix.cpp_compiler}} + -DCMAKE_C_COMPILER=${{matrix.c_compiler}} + -DCMAKE_BUILD_TYPE=${{matrix.build_type}} + -S ${{github.workspace}} - name: Build # Build your program with the given configuration. Note that --config is needed because the default Windows generator is a multi-config generator (Visual Studio generator). @@ -57,4 +72,4 @@ jobs: working-directory: ${{ steps.strings.outputs.build-output-dir }} # Execute tests defined by the CMake configuration. Note that -C is needed because the default Windows generator is a multi-config generator (Visual Studio generator). # See https://cmake.org/cmake/help/latest/manual/ctest.1.html for more detail - run: ctest -C ${{matrix.build_type}} + run: ctest --build-config ${{matrix.build_type}} diff --git a/ci/properties/cmake-multi-platform.json b/ci/properties/cmake-multi-platform.json index d26e2c2259..ef44fcf3ed 100644 --- a/ci/properties/cmake-multi-platform.json +++ b/ci/properties/cmake-multi-platform.json @@ -1,5 +1,5 @@ { - "name": "CMake based multi-platform projects", + "name": "CMake based, multi-platform projects", "description": "Build and test a CMake based project on multiple platforms.", "iconName": "cmake", "categories": ["Continuous integration", "C", "C++"] diff --git a/ci/properties/cmake-single-platform.json b/ci/properties/cmake-single-platform.json index f843cf9c14..8c7260eba6 100644 
--- a/ci/properties/cmake-single-platform.json +++ b/ci/properties/cmake-single-platform.json @@ -1,5 +1,5 @@ { - "name": "CMake based single-platform projects", + "name": "CMake based, single-platform projects", "description": "Build and test a CMake based project on a single-platform.", "iconName": "cmake", "categories": ["Continuous integration", "C", "C++"] From 34455614ec3d864812ebfe35d7576aca6c4359ec Mon Sep 17 00:00:00 2001 From: "Justin Goshi (from Dev Box)" Date: Thu, 3 Aug 2023 12:37:25 -1000 Subject: [PATCH 723/844] Grammar changes --- ci/cmake-multi-platform.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/cmake-multi-platform.yml b/ci/cmake-multi-platform.yml index a520c1a427..dd5e5c488f 100644 --- a/ci/cmake-multi-platform.yml +++ b/ci/cmake-multi-platform.yml @@ -1,6 +1,6 @@ # This starter workflow is for a CMake project running on multiple platforms. There is a different starter workflow if you just want a single platform. # See: https://github.com/actions/starter-workflows/blob/main/ci/cmake-single-platform.yml -name: CMake on a multiple platforms +name: CMake on multiple platforms on: push: @@ -13,7 +13,7 @@ jobs: runs-on: ${{ matrix.os }} strategy: - # Set fail-fast to false to ensure that feedback is delivered for all matrix combinations. Can consider changing this to true when the workflow is stable. + # Set fail-fast to false to ensure that feedback is delivered for all matrix combinations. Consider changing this to true when your workflow is stable. fail-fast: false # Set up a matrix to run the following 3 configurations: From 8582d8dd0ced59e2ac5d3472a346ad2872b127b8 Mon Sep 17 00:00:00 2001 
From: marcosdotps Date: Fri, 4 Aug 2023 16:43:31 +0200 Subject: [PATCH 724/844] reduce icon size so we are faster --- icons/brakeman.svg | 948 +++++++++++++++++++++--------------------- icons/clj-holmes.svg | 467 ++++++++++++++++++++- icons/clj-watson.svg | 468 ++++++++++++++++++++- icons/eslint.svg | 358 +++++++++++++++- icons/synopsys-io.svg | 272 +++++++++++- 5 files changed, 2045 insertions(+), 468 deletions(-) diff --git a/icons/brakeman.svg b/icons/brakeman.svg index ce91881e8f..ba4aed2955 100644 --- a/icons/brakeman.svg +++ b/icons/brakeman.svg @@ -1,464 +1,484 @@ - -image/svg+xml \ No newline at end of file + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/icons/clj-holmes.svg b/icons/clj-holmes.svg index 74459e5dd6..51f2f7cc06 100644 --- a/icons/clj-holmes.svg +++ b/icons/clj-holmes.svg @@ -1 +1,466 @@ - \ No newline at end of file + + + + + + + + + + + + diff --git a/icons/clj-watson.svg b/icons/clj-watson.svg index 74459e5dd6..099cb430a0 100644 --- a/icons/clj-watson.svg +++ b/icons/clj-watson.svg @@ -1 +1,467 @@ - \ No newline at end of file + + + + + + + + + + + + diff --git a/icons/eslint.svg b/icons/eslint.svg index 23964aa103..dc02e9bd81 100644 --- a/icons/eslint.svg +++ b/icons/eslint.svg 
@@ -1 +1,357 @@ - \ No newline at end of file + + + + + + + + + + + diff --git a/icons/synopsys-io.svg b/icons/synopsys-io.svg index 764a3be23c..7e6e579b2b 100644 --- a/icons/synopsys-io.svg +++ b/icons/synopsys-io.svg @@ -1 +1,271 @@ - \ No newline at end of file + + + + + + + + + + + + From ed1d73eb989689c28f93b74aa9a6fdaf49c3819c Mon Sep 17 00:00:00 2001 From: "Justin Goshi (from Dev Box)" Date: Fri, 4 Aug 2023 06:37:11 -1000 Subject: [PATCH 725/844] Respond to PR comments --- ci/cmake-multi-platform.yml | 14 +++++++------- ci/properties/cmake-multi-platform.json | 2 +- ci/properties/cmake-single-platform.json | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/ci/cmake-multi-platform.yml b/ci/cmake-multi-platform.yml index dd5e5c488f..774ba906a8 100644 --- a/ci/cmake-multi-platform.yml +++ b/ci/cmake-multi-platform.yml 
@@ -52,24 +52,24 @@ jobs: id: strings shell: bash run: | - echo "build-output-dir=${{github.workspace}}/build" >> "$GITHUB_OUTPUT" + echo "build-output-dir=${{ github.workspace }}/build" >> "$GITHUB_OUTPUT" - name: Configure CMake # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make. # See https://cmake.org/cmake/help/latest/variable/CMAKE_BUILD_TYPE.html?highlight=cmake_build_type run: > cmake -B ${{ steps.strings.outputs.build-output-dir }} - -DCMAKE_CXX_COMPILER=${{matrix.cpp_compiler}} - -DCMAKE_C_COMPILER=${{matrix.c_compiler}} - -DCMAKE_BUILD_TYPE=${{matrix.build_type}} - -S ${{github.workspace}} + -DCMAKE_CXX_COMPILER=${{ matrix.cpp_compiler }} + -DCMAKE_C_COMPILER=${{ matrix.c_compiler }} + -DCMAKE_BUILD_TYPE=${{ matrix.build_type }} + -S ${{ github.workspace }} - name: Build # Build your program with the given configuration. Note that --config is needed because the default Windows generator is a multi-config generator (Visual Studio generator). - run: cmake --build ${{ steps.strings.outputs.build-output-dir }} --config ${{matrix.build_type}} + run: cmake --build ${{ steps.strings.outputs.build-output-dir }} --config ${{ matrix.build_type }} - name: Test working-directory: ${{ steps.strings.outputs.build-output-dir }} # Execute tests defined by the CMake configuration. Note that -C is needed because the default Windows generator is a multi-config generator (Visual Studio generator). # See https://cmake.org/cmake/help/latest/manual/ctest.1.html for more detail - run: ctest --build-config ${{matrix.build_type}} + run: ctest --build-config ${{ matrix.build_type }} diff --git a/ci/properties/cmake-multi-platform.json b/ci/properties/cmake-multi-platform.json index ef44fcf3ed..59d1b47336 100644 --- a/ci/properties/cmake-multi-platform.json +++ b/ci/properties/cmake-multi-platform.json 
@@ -3,4 +3,4 @@ "description": "Build and test a CMake based project on multiple platforms.", "iconName": "cmake", "categories": ["Continuous integration", "C", "C++"] -} \ No newline at end of file +} diff --git a/ci/properties/cmake-single-platform.json b/ci/properties/cmake-single-platform.json index 8c7260eba6..c0aa074537 100644 --- a/ci/properties/cmake-single-platform.json +++ b/ci/properties/cmake-single-platform.json @@ -3,4 +3,4 @@ "description": "Build and test a CMake based project on a single-platform.", "iconName": "cmake", "categories": ["Continuous integration", "C", "C++"] -} \ No newline at end of file +} From d7abf7d27d13ea9a8eba671df8f020cab44849fa Mon Sep 17 00:00:00 2001 From: "Justin Goshi (from Dev Box)" Date: Fri, 4 Aug 2023 14:58:59 -1000 Subject: [PATCH 726/844] Fix a comment --- ci/cmake-multi-platform.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/cmake-multi-platform.yml b/ci/cmake-multi-platform.yml index 774ba906a8..e0bcb559bb 100644 --- a/ci/cmake-multi-platform.yml +++ b/ci/cmake-multi-platform.yml @@ -70,6 +70,6 @@ jobs: - name: Test working-directory: ${{ steps.strings.outputs.build-output-dir }} - # Execute tests defined by the CMake configuration. Note that -C is needed because the default Windows generator is a multi-config generator (Visual Studio generator). + # Execute tests defined by the CMake configuration. Note that --build-config is needed because the default Windows generator is a multi-config generator (Visual Studio generator). # See https://cmake.org/cmake/help/latest/manual/ctest.1.html for more detail run: ctest --build-config ${{ matrix.build_type }} From d7000e06a1d535765f66a1a85e31384a66a3460e Mon Sep 17 00:00:00 2001 
From: "Justin Goshi (from Dev Box)" Date: Wed, 9 Aug 2023 14:15:51 -1000 Subject: [PATCH 727/844] Fix errors found with CI validation checks. --- ci/cmake-multi-platform.yml | 2 +- ...multi-platform.json => cmake-multi-platform.properties.json} | 0 ...ngle-platform.json => cmake-single-platform.properties.json} | 0 3 files changed, 1 insertion(+), 1 deletion(-) rename ci/properties/{cmake-multi-platform.json => cmake-multi-platform.properties.json} (100%) rename ci/properties/{cmake-single-platform.json => cmake-single-platform.properties.json} (100%) diff --git a/ci/cmake-multi-platform.yml b/ci/cmake-multi-platform.yml index e0bcb559bb..8762e9f5c3 100644 --- a/ci/cmake-multi-platform.yml +++ b/ci/cmake-multi-platform.yml @@ -13,7 +13,7 @@ jobs: runs-on: ${{ matrix.os }} strategy: - # Set fail-fast to false to ensure that feedback is delivered for all matrix combinations. Consider changing this to true when your workflow is stable. + # Set fail-fast to false to ensure that feedback is delivered for all matrix combinations. Consider changing this to true when your workflow is stable. fail-fast: false # Set up a matrix to run the following 3 configurations: diff --git a/ci/properties/cmake-multi-platform.json b/ci/properties/cmake-multi-platform.properties.json similarity index 100% rename from ci/properties/cmake-multi-platform.json rename to ci/properties/cmake-multi-platform.properties.json diff --git a/ci/properties/cmake-single-platform.json b/ci/properties/cmake-single-platform.properties.json similarity index 100% rename from ci/properties/cmake-single-platform.json rename to ci/properties/cmake-single-platform.properties.json From 90c598c5abb9a59b609aa11a9db752321f5d30fb Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Fri, 28 Jul 2023 17:14:13 +0200 Subject: [PATCH 728/844] update docker actions to latest stable --- ci/docker-publish.yml | 15 ++++++++------- deployments/azure-container-webapp.yml | 6 +++--- 2 files changed, 11 insertions(+), 10 deletions(-) 
diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 31da0e37bf..ff80b663a3 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -45,15 +45,17 @@ jobs: with: cosign-release: 'v2.1.1' - # Workaround: https://github.com/docker/build-push-action/issues/461 - - name: Setup Docker buildx - uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + # Set up BuildKit Docker container builder to be able to build + # multi-platform images and export cache + # https://github.com/docker/setup-buildx-action + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 # Login against a Docker registry except on PR # https://github.com/docker/login-action - name: Log into registry ${{ env.REGISTRY }} if: github.event_name != 'pull_request' - uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -63,7 +65,7 @@ jobs: # https://github.com/docker/metadata-action - name: Extract Docker metadata id: meta - uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} @@ -71,7 +73,7 @@ jobs: # https://github.com/docker/build-push-action - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 with: context: . push: ${{ github.event_name != 'pull_request' }} @@ -80,7 +82,6 @@ jobs: cache-from: type=gha cache-to: type=gha,mode=max - # Sign the resulting Docker image digest except on PRs. # This will only write to the public Rekor transparency log when the Docker # repository is public to avoid leaking data. If you would like to publish 
diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml index 4d98340739..2f686e6207 100644 --- a/deployments/azure-container-webapp.yml +++ b/deployments/azure-container-webapp.yml @@ -45,10 +45,10 @@ jobs: - uses: actions/checkout@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - name: Log in to GitHub container registry - uses: docker/login-action@v1.10.0 + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -58,7 +58,7 @@ jobs: run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} - name: Build and push container image to registry - uses: docker/build-push-action@v2 + uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 with: push: true tags: ghcr.io/${{ env.REPO }}:${{ github.sha }} From 61f8558b81aeb89428f7c35e58e66a5d6ac3060c Mon Sep 17 00:00:00 2001 From: David Verdeguer <47184891+Daverlo@users.noreply.github.com> Date: Tue, 3 Oct 2023 07:40:34 +0200 Subject: [PATCH 729/844] Update codeql.yml --- code-scanning/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index f53c061a3f..8a5d2d9041 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -40,8 +40,8 @@ jobs: matrix: language: [ $detected-codeql-languages ] # CodeQL supports [ $supported-codeql-languages ] - # Use only 'java' to analyze code written in Java, Kotlin or both - # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both + # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: 
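Review bot: `- uses: actions/checkout@v3` at the top of the first hunk is still pinned to a floating tag while the three Docker actions below it are now pinned to full commit SHAs, so this file mixes two pinning policies; if tamper-resistant pins are the goal, checkout should follow the same pattern, `uses: actions/checkout@<commit-sha> # v3.x`. Keeping the trailing `# v3.0.0` / `# v5.0.0` comments next to each SHA is the right call, since reviewers and update tooling can map the SHA back to a release. The enclosing `steps:` list continues outside both hunks.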
From c6c44522f3551484ccca20c59884efa3354665bb Mon Sep 17 00:00:00 2001 From: Isabelle Date: Mon, 13 Nov 2023 18:49:29 +0100 Subject: [PATCH 730/844] Update to latest audit code version (#2209) * Update to latest audit code version * Fix Description * Fix extra space in comments --- code-scanning/crunch42.yml | 21 +++++++++---------- .../properties/crunch42.properties.json | 2 +- 2 files changed, 11 insertions(+), 12 deletions(-) diff --git a/code-scanning/crunch42.yml b/code-scanning/crunch42.yml index 1ac846e95a..94ea23bd0b 100644 --- a/code-scanning/crunch42.yml +++ b/code-scanning/crunch42.yml 
@@ -3,23 +3,22 @@ # separate terms of service, privacy policy, and support # documentation. -# This workflow locates REST API file contracts -# (Swagger or OpenAPI format, v2 and v3, JSON and YAML) -# and runs 200+ security checks on them using 42Crunch Security Audit technology. +# This workflow locates REST API file contracts (Swagger or OpenAPI format, v2 and v3, JSON and YAML) +# and runs 300+ security checks on them using 42Crunch Security Audit technology to uncover +# potential vulnerabilities related to authentication, authorization as well as data validation. # # Documentation is located here: https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm # -# To use this workflow, you will need to complete the following setup steps. +# To use this workflow, you need a 42Crunch platform account. If you do not have one, you can contact us +# from this page: https://42crunch.com/request-demo. # -# 1. Create a free 42Crunch account at https://platform.42crunch.com/register -# -# 2. Follow steps at https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm +# 1. Follow steps at https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm # to create an API Token on the 42Crunch platform # -# 3. Add a secret in GitHub as explained in https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm, -# store the 42Crunch API Token in that secret, and supply the secret's name as api-token parameter in this workflow +# 2. Create an secret in GitHub as explained in https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm +# and store the 42Crunch API Token in that secret. Expected default is API_TOKEN (see the api-token property in the task). # -# If you have any questions or need help contact https://support.42crunch.com +# If you have any questions or need help, open an issue at: https://support.42crunch.com. name: "42Crunch REST API Static Security Testing" 
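Review bot: The rewritten setup step reads `# 2. Create an secret in GitHub as explained in ...`; it should read `# 2. Create a secret in GitHub as explained in ...`. The same paragraph now names API_TOKEN as the expected default secret, which is helpful, but the step-level comment further down in this file (`# Please create free account at https://platform.42crunch.com/register`) still describes the self-registration path this header no longer mentions; see the next hunk.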
@@ -46,7 +45,7 @@ jobs: - uses: actions/checkout@v3 - name: 42Crunch REST API Static Security Testing - uses: 42Crunch/api-security-audit-action@f3a4f4d44ca6f538fe84361373d7a2a374018fdd + uses: 42Crunch/api-security-audit-action@fc01ea7a89e6268875868f9d89598af7a9899ae0 with: # Please create free account at https://platform.42crunch.com/register # Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm diff --git a/code-scanning/properties/crunch42.properties.json b/code-scanning/properties/crunch42.properties.json index 82ae816ec0..b87f0a6107 100644 --- a/code-scanning/properties/crunch42.properties.json +++ b/code-scanning/properties/crunch42.properties.json @@ -1,7 +1,7 @@ { "name": "42Crunch API Security Audit", "creator": "42Crunch", - "description": "Use the 42Crunch API Security Audit REST API to perform static application security testing (SAST) on OpenAPI/Swagger files.", + "description": "Use the 42Crunch Audit to perform static API security testing (SAST) on OpenAPI/Swagger files.", "iconName": "42crunch", "categories": ["Code Scanning"] } \ No newline at end of file From 16ea338f2a3f14f58188c8a968effcd5b954543f Mon Sep 17 00:00:00 2001 From: Philip Hayton Date: Wed, 22 Nov 2023 22:01:57 +0000 Subject: [PATCH 731/844] fix: bearer does not upload sarif report (#2178) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: bearer does not upload sarif report When issues are found the exit code is non zero and so the github action aborts before uploading the sarif report. This change fixes that issues. * chore: update bearer.yml following review --------- Co-authored-by: Cédric Fabianski Co-authored-by: Cédric Fabianski --- code-scanning/bearer.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/code-scanning/bearer.yml b/code-scanning/bearer.yml index a62494a45e..7e66e57e49 100644 --- a/code-scanning/bearer.yml 
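Review bot: The context comment `# Please create free account at https://platform.42crunch.com/register` directly below the updated `uses:` line contradicts the header this commit rewrote, which replaces self-registration with a request-demo contact; one of the two should be updated so the template gives a single onboarding path. The new pin `fc01ea7a89e6268875868f9d89598af7a9899ae0` has no version annotation, unlike the SHA pins elsewhere in this series; `uses: 42Crunch/api-security-audit-action@fc01ea7a89e6268875868f9d89598af7a9899ae0 # <release tag>` would let a reader see which release the SHA corresponds to. The `steps:` list this hunk belongs to starts outside the hunk.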
+++ b/code-scanning/bearer.yml @@ -1,7 +1,10 @@ -# This workflow file requires a free account on Bearer.com to manage findings, notifications and more. +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. # +# This workflow file requires a free account on Bearer.com to manage findings, notifications and more. # See https://docs.bearer.com/guides/bearer-cloud/ - name: Bearer on: @@ -27,11 +30,12 @@ jobs: # Scan code using Bearer CLI - name: Run Report id: report - uses: bearer/bearer-action@v2 + uses: bearer/bearer-action@828eeb928ce2f4a7ca5ed57fb8b59508cb8c79bc with: api-key: ${{ secrets.BEARER_TOKEN }} format: sarif output: results.sarif + exit-code: 0 # Upload SARIF file generated in previous step - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 From d4b398cf2d363647f68222ce68153fd433152b39 Mon Sep 17 00:00:00 2001 From: Marco Gario Date: Mon, 4 Dec 2023 10:24:28 +0100 Subject: [PATCH 732/844] Include protected branches in PR analyses --- code-scanning/codeql.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 8a5d2d9041..8cdc69c5dd 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -15,8 +15,7 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: - # The branches below must be a subset of the branches above - branches: [ $default-branch ] + branches: [ $default-branch, $protected-branches ] schedule: - cron: $cron-weekly From a0a25cc2d4b6bd5d9870c18c04159dbe4e599e31 Mon Sep 17 00:00:00 2001 
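Review bot: `exit-code: 0` in the second hunk has no comment explaining it, and the rationale lives only in the commit message, so a maintainer trimming the template will not see why the step is forced green; add `# Always exit 0 so the SARIF upload step below runs even when findings are reported; findings surface as code scanning alerts rather than a failed job.` above it. With this setting the Bearer job itself no longer fails on findings, so any branch protection that relied on this job's status should require code scanning results instead. The new pin `uses: bearer/bearer-action@828eeb928ce2f4a7ca5ed57fb8b59508cb8c79bc` should carry a version comment like the other SHA pins in this series, `# <release tag>`.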
From: "James M. Greene" Date: Mon, 4 Dec 2023 12:51:37 -0600 Subject: [PATCH 733/844] Pages: Update core actions usage and target Node 20 --- pages/astro.yml | 10 +++++----- pages/gatsby.yml | 10 +++++----- pages/hugo.yml | 6 +++--- pages/jekyll-gh-pages.yml | 6 +++--- pages/jekyll.yml | 6 +++--- pages/mdbook.yml | 6 +++--- pages/nextjs.yml | 10 +++++----- pages/nuxtjs.yml | 10 +++++----- pages/static.yml | 6 +++--- 9 files changed, 35 insertions(+), 35 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index ccbae47b42..8e2e7aa7ec 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Detect package manager id: detect-package-manager run: | @@ -53,14 +53,14 @@ jobs: exit 1 fi - name: Setup Node - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: - node-version: "16" + node-version: "20" cache: ${{ steps.detect-package-manager.outputs.manager }} cache-dependency-path: ${{ env.BUILD_PATH }}/package-lock.json - name: Setup Pages id: pages - uses: actions/configure-pages@v3 + uses: actions/configure-pages@v4 - name: Install dependencies run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }} working-directory: ${{ env.BUILD_PATH }} @@ -85,4 +85,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v2 + uses: actions/deploy-pages@v3 diff --git a/pages/gatsby.yml b/pages/gatsby.yml index 676740b61b..54781ade58 100644 --- a/pages/gatsby.yml +++ b/pages/gatsby.yml @@ -35,7 +35,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Detect package manager id: detect-package-manager run: | 
@@ -52,13 +52,13 @@ jobs: exit 1 fi - name: Setup Node - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: - node-version: "18" + node-version: "20" cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages id: pages - uses: actions/configure-pages@v3 + uses: actions/configure-pages@v4 with: # Automatically inject pathPrefix in your Gatsby configuration file. # @@ -94,4 +94,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v2 + uses: actions/deploy-pages@v3 diff --git a/pages/hugo.yml b/pages/hugo.yml index b31229572b..7906f3fe57 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -40,12 +40,12 @@ jobs: - name: Install Dart Sass run: sudo snap install dart-sass - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: submodules: recursive - name: Setup Pages id: pages - uses: actions/configure-pages@v3 + uses: actions/configure-pages@v4 - name: Install Node.js dependencies run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true" - name: Build with Hugo @@ -72,4 +72,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v2 + uses: actions/deploy-pages@v3 diff --git a/pages/jekyll-gh-pages.yml b/pages/jekyll-gh-pages.yml index 044e34cdb1..88328bdded 100644 --- a/pages/jekyll-gh-pages.yml +++ b/pages/jekyll-gh-pages.yml @@ -27,9 +27,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup Pages - uses: actions/configure-pages@v3 + uses: actions/configure-pages@v4 - name: Build with Jekyll uses: actions/jekyll-build-pages@v1 with: @@ -48,4 +48,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v2 + uses: actions/deploy-pages@v3 diff --git a/pages/jekyll.yml b/pages/jekyll.yml index bd2f2e89ca..b55f39ba6a 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml 
@@ -32,7 +32,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup Ruby uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: @@ -41,7 +41,7 @@ jobs: cache-version: 0 # Increment this number if you need to re-download cached gems - name: Setup Pages id: pages - uses: actions/configure-pages@v3 + uses: actions/configure-pages@v4 - name: Build with Jekyll # Outputs to the './_site' directory by default run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}" @@ -61,4 +61,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v2 + uses: actions/deploy-pages@v3 diff --git a/pages/mdbook.yml b/pages/mdbook.yml index 0fae7a4a27..fb3dc556e4 100644 --- a/pages/mdbook.yml +++ b/pages/mdbook.yml @@ -31,7 +31,7 @@ jobs: env: MDBOOK_VERSION: 0.4.21 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Install mdBook run: | curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf -y | sh @@ -39,7 +39,7 @@ jobs: cargo install --version ${MDBOOK_VERSION} mdbook - name: Setup Pages id: pages - uses: actions/configure-pages@v3 + uses: actions/configure-pages@v4 - name: Build with mdBook run: mdbook build - name: Upload artifact @@ -57,4 +57,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v2 + uses: actions/deploy-pages@v3 diff --git a/pages/nextjs.yml b/pages/nextjs.yml index 308b76e319..42b88a7ad7 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -30,7 +30,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Detect package manager id: detect-package-manager run: | 
@@ -49,12 +49,12 @@ jobs: exit 1 fi - name: Setup Node - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: - node-version: "16" + node-version: "20" cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages - uses: actions/configure-pages@v3 + uses: actions/configure-pages@v4 with: # Automatically inject basePath in your Next.js configuration file and disable # server side image optimization (https://nextjs.org/docs/api-reference/next/image#unoptimized). @@ -92,4 +92,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v2 + uses: actions/deploy-pages@v3 diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml index 2951136868..bc945612ad 100644 --- a/pages/nuxtjs.yml +++ b/pages/nuxtjs.yml @@ -30,7 +30,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Detect package manager id: detect-package-manager run: | @@ -47,12 +47,12 @@ jobs: exit 1 fi - name: Setup Node - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: - node-version: "16" + node-version: "20" cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages - uses: actions/configure-pages@v3 + uses: actions/configure-pages@v4 with: # Automatically inject router.base in your Nuxt configuration file and set # target to static (https://nuxtjs.org/docs/configuration-glossary/configuration-target/). @@ -87,4 +87,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v2 + uses: actions/deploy-pages@v3 diff --git a/pages/static.yml b/pages/static.yml index 31ac4283a2..43aa997552 100644 --- a/pages/static.yml +++ b/pages/static.yml @@ -30,9 +30,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup Pages - uses: actions/configure-pages@v3 + uses: actions/configure-pages@v4 - name: Upload artifact uses: actions/upload-pages-artifact@v2 with: 
@@ -40,4 +40,4 @@ jobs: path: '.' - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v2 + uses: actions/deploy-pages@v3 From 036cf7236e0167fea2b243f6852b8bcc2c4bfe4a Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Mon, 4 Dec 2023 13:02:46 -0600 Subject: [PATCH 734/844] Update mdBook version --- pages/mdbook.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/mdbook.yml b/pages/mdbook.yml index fb3dc556e4..0abd3f6e78 100644 --- a/pages/mdbook.yml +++ b/pages/mdbook.yml @@ -29,7 +29,7 @@ jobs: build: runs-on: ubuntu-latest env: - MDBOOK_VERSION: 0.4.21 + MDBOOK_VERSION: 0.4.36 steps: - uses: actions/checkout@v4 - name: Install mdBook From b90d9897990146a6dabe451c9b69512c4c3bf9ca Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Mon, 4 Dec 2023 13:07:46 -0600 Subject: [PATCH 735/844] Update setup-ruby and ruby-version for Pages Jekyll workflow --- pages/jekyll.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pages/jekyll.yml b/pages/jekyll.yml index b55f39ba6a..eab6c78dd6 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -34,9 +34,9 @@ jobs: - name: Checkout uses: actions/checkout@v4 - name: Setup Ruby - uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 + uses: ruby/setup-ruby@8575951200e472d5f2d95c625da0c7bec8217c42 # v1.161.0 with: - ruby-version: '3.1' # Not needed with a .ruby-version file + ruby-version: '3.2' # Not needed with a .ruby-version file bundler-cache: true # runs 'bundle install' and caches installed gems automatically cache-version: 0 # Increment this number if you need to re-download cached gems - name: Setup Pages From 78e2eb137d27cc241cfe376586fa778aa761ce93 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Mon, 4 Dec 2023 13:09:37 -0600 Subject: [PATCH 736/844] Update to latest Hugo version --- pages/hugo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/pages/hugo.yml b/pages/hugo.yml index 7906f3fe57..d8d99b3bcc 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -31,7 +31,7 @@ jobs: build: runs-on: ubuntu-latest env: - HUGO_VERSION: 0.114.0 + HUGO_VERSION: 0.120.4 steps: - name: Install Hugo CLI run: | From e6948282a25e67967bb337bd03175c538c95def0 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Mon, 4 Dec 2023 13:26:42 -0600 Subject: [PATCH 737/844] Revert to Ruby 3.1 due to incompatibility issues with google-protobuf --- pages/jekyll.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/jekyll.yml b/pages/jekyll.yml index eab6c78dd6..695a1922d7 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -36,7 +36,7 @@ jobs: - name: Setup Ruby uses: ruby/setup-ruby@8575951200e472d5f2d95c625da0c7bec8217c42 # v1.161.0 with: - ruby-version: '3.2' # Not needed with a .ruby-version file + ruby-version: '3.1' # Not needed with a .ruby-version file bundler-cache: true # runs 'bundle install' and caches installed gems automatically cache-version: 0 # Increment this number if you need to re-download cached gems - name: Setup Pages From 3cb56ae6f382c77777039a64c4abd2291e42ccdc Mon Sep 17 00:00:00 2001 From: Nick Fyson Date: Thu, 14 Dec 2023 12:21:29 +0000 Subject: [PATCH 738/844] update codeql.yml to reference node20 actions --- code-scanning/codeql.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 8cdc69c5dd..ca605c9057 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -45,11 +45,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. 
@@ -63,7 +63,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@v3 # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -76,6 +76,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3 with: category: "/language:${{matrix.language}}" From 4f4ef4e030aab6e921ab9cc50856e611c5694ba9 Mon Sep 17 00:00:00 2001 From: lsynopsys <106822263+lsynopsys@users.noreply.github.com> Date: Fri, 22 Dec 2023 23:41:56 +0530 Subject: [PATCH 739/844] Synopsys Action's starter workflow (#2234) * Synopsys action starter workflow * Synopsys action - Address review comments * Synopsys action - Address review comments 2 * Addressed review comments * Fixed review comments * Parameter changes accommodation --------- Co-authored-by: kishorikumar <104522232+kishorikumar@users.noreply.github.com> Co-authored-by: Alexis Abril --- .../synopsys-action.properties.json | 7 + code-scanning/synopsys-action.yml | 41 +++ icons/synopsys-action.svg | 271 ++++++++++++++++++ 3 files changed, 319 insertions(+) create mode 100644 code-scanning/properties/synopsys-action.properties.json create mode 100644 code-scanning/synopsys-action.yml create mode 100644 icons/synopsys-action.svg diff --git a/code-scanning/properties/synopsys-action.properties.json b/code-scanning/properties/synopsys-action.properties.json new file mode 100644 index 0000000000..3b40d8bd48 --- /dev/null +++ b/code-scanning/properties/synopsys-action.properties.json 
@@ -0,0 +1,7 @@
+{
+ "name": "Synopsys Action",
+ "creator": "Synopsys",
+ "description": "The Synopsys GitHub Action allows you to configure your pipeline to run Synopsys security testing and take action on the security results",
+ "iconName": "synopsys-action",
+ "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "Ruby", "PHP", "Swift", "Kotlin" , "Python", "VB.NET", "Objective C"]
+}
diff --git a/code-scanning/synopsys-action.yml b/code-scanning/synopsys-action.yml
new file mode 100644
index 0000000000..78855d6b82
--- /dev/null
+++ b/code-scanning/synopsys-action.yml
@@ -0,0 +1,41 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+name: Synopsys Security Testing
+
+on:
+ push:
+ # At this time, it is recommended to run Polaris only on pushes to main branches
+ # Pull request analysis will be supported by Polaris in the future
+ branches: [ $default-branch, $protected-branches ]
+
+ pull_request:
+ branches: [ $default-branch ]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Synopsys Action
+ uses: synopsys-sig/synopsys-action@v1.6.0
+ with:
+ #------------------------------------------COVERITY-----------------------------------------
+ coverity_url: ${{ secrets.COVERITY_URL }}
+ coverity_user: ${{ secrets.COVERITY_USER }}
+ coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }}
+
+ #------------------------------------------BLACKDUCK----------------------------------------
+ blackduck_token: ${{ secrets.BLACKDUCK_API_TOKEN }}
+ blackduck_url: ${{ secrets.BLACKDUCK_URL }}
+
+ #------------------------------------------POLARIS------------------------------------------
+ polaris_server_url: ${{ secrets.POLARIS_SERVER_URL }}
+ polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }}
+ polaris_assessment_types: "SCA,SAST"
+
+
diff --git a/icons/synopsys-action.svg b/icons/synopsys-action.svg
new file mode 100644
index 0000000000..7e6e579b2b
--- /dev/null
+++ b/icons/synopsys-action.svg
@@ -0,0 +1,271 @@ + + + + + + + + + + + + From 9ca802af48eece95a8913da7f6715998842ceb79 Mon Sep 17 00:00:00 2001 
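Review bot: `uses: synopsys-sig/synopsys-action@v1.6.0` pins a third-party action to a mutable tag even though the file's own header says the action is not certified by GitHub; the docker-publish.yml and bearer.yml templates in this series pin such actions to a full commit SHA with a version comment, and this new template should do the same, `uses: synopsys-sig/synopsys-action@<commit-sha> # v1.6.0`. The `pull_request:` trigger sits a few lines under a comment stating that pull-request analysis is not yet supported by Polaris, so either the trigger or the comment should be reconciled before users copy this. `uses: actions/checkout@v3` is used while the other December 2023 commits in this series move templates to `actions/checkout@v4`. The file also ends with two added blank lines, which yamllint's `empty-lines` rule would flag.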
From: "James M. Greene" Date: Fri, 22 Dec 2023 13:22:30 -0600 Subject: [PATCH 740/844] Pages: Update all workflows to use Artifacts V4 --- pages/astro.yml | 4 ++-- pages/gatsby.yml | 4 ++-- pages/hugo.yml | 4 ++-- pages/jekyll-gh-pages.yml | 4 ++-- pages/jekyll.yml | 4 ++-- pages/mdbook.yml | 4 ++-- pages/nextjs.yml | 4 ++-- pages/nuxtjs.yml | 4 ++-- pages/static.yml | 4 ++-- 9 files changed, 18 insertions(+), 18 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index 8e2e7aa7ec..0929af5655 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -71,7 +71,7 @@ jobs: --base "${{ steps.pages.outputs.base_path }}" working-directory: ${{ env.BUILD_PATH }} - name: Upload artifact - uses: actions/upload-pages-artifact@v2 + uses: actions/upload-pages-artifact@v3 with: path: ${{ env.BUILD_PATH }}/dist @@ -85,4 +85,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v3 + uses: actions/deploy-pages@v4 diff --git a/pages/gatsby.yml b/pages/gatsby.yml index 54781ade58..7d5c342d89 100644 --- a/pages/gatsby.yml +++ b/pages/gatsby.yml @@ -80,7 +80,7 @@ jobs: PREFIX_PATHS: 'true' run: ${{ steps.detect-package-manager.outputs.manager }} run build - name: Upload artifact - uses: actions/upload-pages-artifact@v2 + uses: actions/upload-pages-artifact@v3 with: path: ./public @@ -94,4 +94,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v3 + uses: actions/deploy-pages@v4 diff --git a/pages/hugo.yml b/pages/hugo.yml index d8d99b3bcc..6e40b040b0 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -58,7 +58,7 @@ jobs: --minify \ --baseURL "${{ steps.pages.outputs.base_url }}/" - name: Upload artifact - uses: actions/upload-pages-artifact@v2 + uses: actions/upload-pages-artifact@v3 with: path: ./public @@ -72,4 +72,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v3 + uses: actions/deploy-pages@v4 
diff --git a/pages/jekyll-gh-pages.yml b/pages/jekyll-gh-pages.yml index 88328bdded..8d5586c325 100644 --- a/pages/jekyll-gh-pages.yml +++ b/pages/jekyll-gh-pages.yml @@ -36,7 +36,7 @@ jobs: source: ./ destination: ./_site - name: Upload artifact - uses: actions/upload-pages-artifact@v2 + uses: actions/upload-pages-artifact@v3 # Deployment job deploy: @@ -48,4 +48,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v3 + uses: actions/deploy-pages@v4 diff --git a/pages/jekyll.yml b/pages/jekyll.yml index 695a1922d7..17fec3f9c8 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -49,7 +49,7 @@ jobs: JEKYLL_ENV: production - name: Upload artifact # Automatically uploads an artifact from the './_site' directory by default - uses: actions/upload-pages-artifact@v2 + uses: actions/upload-pages-artifact@v3 # Deployment job deploy: @@ -61,4 +61,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v3 + uses: actions/deploy-pages@v4 diff --git a/pages/mdbook.yml b/pages/mdbook.yml index 0abd3f6e78..6ea654d37b 100644 --- a/pages/mdbook.yml +++ b/pages/mdbook.yml @@ -43,7 +43,7 @@ jobs: - name: Build with mdBook run: mdbook build - name: Upload artifact - uses: actions/upload-pages-artifact@v2 + uses: actions/upload-pages-artifact@v3 with: path: ./book @@ -57,4 +57,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v3 + uses: actions/deploy-pages@v4 diff --git a/pages/nextjs.yml b/pages/nextjs.yml index 42b88a7ad7..e855af2585 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -78,7 +78,7 @@ jobs: - name: Static HTML export with Next.js run: ${{ steps.detect-package-manager.outputs.runner }} next export - name: Upload artifact - uses: actions/upload-pages-artifact@v2 + uses: actions/upload-pages-artifact@v3 with: path: ./out 
@@ -92,4 +92,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v3 + uses: actions/deploy-pages@v4 diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml index bc945612ad..f133bb1f96 100644 --- a/pages/nuxtjs.yml +++ b/pages/nuxtjs.yml @@ -73,7 +73,7 @@ jobs: - name: Static HTML export with Nuxt run: ${{ steps.detect-package-manager.outputs.manager }} run generate - name: Upload artifact - uses: actions/upload-pages-artifact@v2 + uses: actions/upload-pages-artifact@v3 with: path: ./dist @@ -87,4 +87,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v3 + uses: actions/deploy-pages@v4 diff --git a/pages/static.yml b/pages/static.yml index 43aa997552..819974a2c2 100644 --- a/pages/static.yml +++ b/pages/static.yml @@ -34,10 +34,10 @@ jobs: - name: Setup Pages uses: actions/configure-pages@v4 - name: Upload artifact - uses: actions/upload-pages-artifact@v2 + uses: actions/upload-pages-artifact@v3 with: # Upload entire repository path: '.' - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v3 + uses: actions/deploy-pages@v4 From 42326d080464485184a7a63431593b327a1c2e3b Mon Sep 17 00:00:00 2001 From: Andrew Eisenberg Date: Tue, 9 Jan 2024 12:22:16 -0800 Subject: [PATCH 741/844] Clarify permisions on codeql-action starter --- code-scanning/codeql.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index ca605c9057..808449d6b0 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -30,9 +30,12 @@ jobs: runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} permissions: + # required for all workflows + security-events: write + + # only required for workflows in private repositories actions: read contents: read - security-events: write strategy: fail-fast: false 
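Review bot: The job-level `permissions` block in the CodeQL hunk sets every scope not listed to `none`, and the new comments do not mention `packages: read`, which the init step needs to pull private or internal CodeQL packs from the GitHub Packages registry; a repo whose config lists `packs:` will fail the download with no hint here about which scope is missing. Suggest adding `packages: read` to the block with the comment `# required to fetch internal or private CodeQL packs`. The `analyze` job whose permissions these are starts before this hunk and continues after it.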
From 11f5772f81322d6870d68325745585232feb9f51 Mon Sep 17 00:00:00 2001 From: Chris Campbell <808531+ctcampbell@users.noreply.github.com> Date: Fri, 1 Dec 2023 16:09:10 +0000 Subject: [PATCH 742/844] Update dependency-review.yml --- code-scanning/dependency-review.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index b0dedc42e0..c2a26ee5d3 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -7,6 +7,10 @@ name: 'Dependency Review' on: [pull_request] +# If using a dependency submission action in this workflow this permission will need to be set to: +# permissions: +# contents: write +# https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api permissions: contents: read @@ -15,6 +19,10 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: 'Dependency Review' uses: actions/dependency-review-action@v3 + # Commonly enabled options (https://github.com/actions/dependency-review-action#configuration-options) + # with: + # comment-summary-in-pr: true + # retry-on-snapshot-warnings: true From aa49bd30958867dd77e2c3b9e4448a5bba6229bb Mon Sep 17 00:00:00 2001 From: Chris Campbell <808531+ctcampbell@users.noreply.github.com> Date: Mon, 11 Dec 2023 09:48:24 +0000 Subject: [PATCH 743/844] Tidy up comments --- code-scanning/dependency-review.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index c2a26ee5d3..d2110e5e74 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml 
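Review bot: The new header comment advises raising the workflow-level `permissions` to `contents: write` when a dependency submission action is added, but this workflow runs on `pull_request`, so that would hand a repository-write token to a job that processes pull-request content, and for PRs from forks the token is read-only regardless, so submission would fail there anyway. Dependency submission belongs in a separate `push`-triggered workflow on the default branch; suggest rewording the comment along the lines of `# Dependency submission needs contents: write; run it from a push-triggered workflow rather than widening this pull_request job` and keeping this job at `contents: read`.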
@@ -1,6 +1,9 @@ # Dependency Review Action # -# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable +# packages will be blocked from merging. # # Source repository: https://github.com/actions/dependency-review-action # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement @@ -8,8 +11,10 @@ name: 'Dependency Review' on: [pull_request] # If using a dependency submission action in this workflow this permission will need to be set to: +# # permissions: # contents: write +# # https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api permissions: contents: read From 0239269003a81d1a264262c63fa8e90016003e10 Mon Sep 17 00:00:00 2001 From: Chris Campbell <808531+ctcampbell@users.noreply.github.com> Date: Mon, 11 Dec 2023 10:37:22 +0000 Subject: [PATCH 744/844] Update to match standards in actions/starter-workflows/.../pull_request_template.md --- code-scanning/dependency-review.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index d2110e5e74..0f14196847 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml 
@@ -7,8 +7,10 @@ # # Source repository: https://github.com/actions/dependency-review-action # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement -name: 'Dependency Review' -on: [pull_request] +name: 'Dependency review' +on: + pull_request: + branches: [ $default-branch ] # If using a dependency submission action in this workflow this permission will need to be set to: # @@ -23,7 +25,7 @@ jobs: dependency-review: runs-on: ubuntu-latest steps: - - name: 'Checkout Repository' + - name: 'Checkout repository' uses: actions/checkout@v4 - name: 'Dependency Review' uses: actions/dependency-review-action@v3 From 0d8fa6f490c38fa55d68d7805b5ce14327147a1e Mon Sep 17 00:00:00 2001 From: Chris Campbell <808531+ctcampbell@users.noreply.github.com> Date: Mon, 11 Dec 2023 10:38:54 +0000 Subject: [PATCH 745/844] Add $protected-branches to pull_request target --- code-scanning/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 0f14196847..2f98c51412 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -10,7 +10,7 @@ name: 'Dependency review' on: pull_request: - branches: [ $default-branch ] + branches: [ $default-branch, $protected-branches ] # If using a dependency submission action in this workflow this permission will need to be set to: # From f9970771a8a4de97dd778bd03bd70004d35229d7 Mon Sep 17 00:00:00 2001 From: Chris Campbell <808531+ctcampbell@users.noreply.github.com> Date: Mon, 29 Jan 2024 08:47:36 +0000 Subject: [PATCH 746/844] Update dependency-review-action to v4 --- code-scanning/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 2f98c51412..77f5b3b836 100644 
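Review bot: Narrowing `on.pull_request` to `branches: [ $default-branch, $protected-branches ]` filters on the PR's base branch, so a PR opened against any other long-lived branch (a release or maintenance branch that is not marked protected) gets no dependency review at all, and if this check is configured as required it will simply never report rather than fail. For a gating security check the unfiltered `pull_request:` trigger is the safer default; if the filter stays, add a comment after the list such as `# PRs targeting branches not listed here are not reviewed; add release branches as needed`. The rest of the workflow is outside this hunk.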
--- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -28,7 +28,7 @@ jobs: - name: 'Checkout repository' uses: actions/checkout@v4 - name: 'Dependency Review' - uses: actions/dependency-review-action@v3 + uses: actions/dependency-review-action@v4 # Commonly enabled options (https://github.com/actions/dependency-review-action#configuration-options) # with: # comment-summary-in-pr: true From a6ab3d3f95328114cecaf0f88283911042c64a71 Mon Sep 17 00:00:00 2001 From: Chris Campbell <808531+ctcampbell@users.noreply.github.com> Date: Mon, 29 Jan 2024 09:05:18 +0000 Subject: [PATCH 747/844] Update dependency-review.yml --- code-scanning/dependency-review.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 77f5b3b836..39d06e3ff3 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -31,5 +31,7 @@ jobs: uses: actions/dependency-review-action@v4 # Commonly enabled options (https://github.com/actions/dependency-review-action#configuration-options) # with: + # fail-on-severity: moderate + # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later # comment-summary-in-pr: true # retry-on-snapshot-warnings: true From e67682c31c4865c050478a9813f2fd7f53c89ca7 Mon Sep 17 00:00:00 2001 From: Chris Campbell <808531+ctcampbell@users.noreply.github.com> Date: Mon, 29 Jan 2024 10:09:37 +0000 Subject: [PATCH 748/844] Add perms for comment-summary-in-pr --- code-scanning/dependency-review.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 39d06e3ff3..82c1ef5818 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml 
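Review bot: The commented example `fail-on-severity: moderate` reads like a hardening suggestion, but the action's default threshold is `low`, so uncommenting it as written loosens the gate; the comment should say so, e.g. `# fail-on-severity: moderate  # default is 'low'; raising this lets low-severity advisories through`. Likewise `deny-licenses` and `allow-licenses` are mutually exclusive and a deny list is the weaker form, since any license not on the list (or not detected) passes silently; a one-line note next to `deny-licenses` would stop users from adding both and getting a configuration error.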
@@ -20,6 +20,8 @@ on: # https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api permissions: contents: read + # Required if `comment-summary-in-pr: true` is uncommented below + # pull-requests: write jobs: dependency-review: @@ -29,7 +31,7 @@ jobs: uses: actions/checkout@v4 - name: 'Dependency Review' uses: actions/dependency-review-action@v4 - # Commonly enabled options (https://github.com/actions/dependency-review-action#configuration-options) + # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options. # with: # fail-on-severity: moderate # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later From 1d205de4189b72599fec438db2408fe31b5aca22 Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Mon, 29 Jan 2024 12:24:50 -0600 Subject: [PATCH 749/844] Update CODEOWNERS adding dependency graph team as an additional codeowner for the /code-scanning/ directory --- CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CODEOWNERS b/CODEOWNERS index a47bd5b840..79470b02e9 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,4 +1,4 @@ * @actions/actions-workflow-development-reviewers -/code-scanning/ @actions/advanced-security-code-scanning @actions/actions-workflow-development-reviewers +/code-scanning/ @actions/advanced-security-code-scanning @actions/actions-workflow-development-reviewers @actions/teams/advanced-security-dependency-graph /pages/ @actions/pages @actions/actions-workflow-development-reviewers From 7a5fb795ed60813e94a88a2662548763a74cdba1 Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Mon, 29 Jan 2024 14:24:42 -0600 Subject: [PATCH 750/844] Update CODEOWNERS --- CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CODEOWNERS b/CODEOWNERS index 79470b02e9..4389365353 100644 --- a/CODEOWNERS +++ b/CODEOWNERS 
@@ -1,4 +1,4 @@ * @actions/actions-workflow-development-reviewers -/code-scanning/ @actions/advanced-security-code-scanning @actions/actions-workflow-development-reviewers @actions/teams/advanced-security-dependency-graph +/code-scanning/ @actions/advanced-security-code-scanning @actions/actions-workflow-development-reviewers @actions/advanced-security-dependency-graph /pages/ @actions/pages @actions/actions-workflow-development-reviewers From fc7f47d8b0910ec57def656b8e64c9a63d33d5af Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Mon, 29 Jan 2024 14:20:03 -0600 Subject: [PATCH 751/844] Update all Pages workflows to actions/cache@v4 for node20 compliance --- pages/gatsby.yml | 2 +- pages/nextjs.yml | 2 +- pages/nuxtjs.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/pages/gatsby.yml b/pages/gatsby.yml index 7d5c342d89..c82a2f7aa3 100644 --- a/pages/gatsby.yml +++ b/pages/gatsby.yml @@ -65,7 +65,7 @@ jobs: # You may remove this line if you want to manage the configuration yourself. static_site_generator: gatsby - name: Restore cache - uses: actions/cache@v3 + uses: actions/cache@v4 with: path: | public diff --git a/pages/nextjs.yml b/pages/nextjs.yml index e855af2585..f91a07d80a 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -62,7 +62,7 @@ jobs: # You may remove this line if you want to manage the configuration yourself. static_site_generator: next - name: Restore cache - uses: actions/cache@v3 + uses: actions/cache@v4 with: path: | .next/cache diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml index f133bb1f96..5ceb0e8d81 100644 --- a/pages/nuxtjs.yml +++ b/pages/nuxtjs.yml @@ -60,7 +60,7 @@ jobs: # You may remove this line if you want to manage the configuration yourself. static_site_generator: nuxt - name: Restore cache - uses: actions/cache@v3 + uses: actions/cache@v4 with: path: | dist From cea0111003eb0a9d60577b022615a45886369fab Mon Sep 17 00:00:00 2001 
From: Jon Janego Date: Mon, 29 Jan 2024 14:38:17 -0600 Subject: [PATCH 752/844] Update dependency-review.yml removing extra whitespace --- code-scanning/dependency-review.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 82c1ef5818..14255a917e 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -1,7 +1,7 @@ # Dependency Review Action # -# This Action will scan dependency manifest files that change as part of a Pull Request, -# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. # Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable # packages will be blocked from merging. # From 2d30c1b64c9baaae3c40be441ecc0ee1409a483d Mon Sep 17 00:00:00 2001 From: daz Date: Wed, 31 Jan 2024 04:56:20 -0700 Subject: [PATCH 753/844] Update for `gradle/actions@v3.0.0` release - Bump version hashes to use `v3.0.0` of Gradle action - Bump to Node20-compatible versions of `actions/checkout` and `actions/setup-java` - Replace uses of `gradle/gradle-build-action` with `gradle/actions/setup-gradle` - Split "Setup Gradle" step out of "Run Gradle" steps - Add separate Job using `gradle/actions/dependency-submission` (flagged as optional) - Bump to setup JDK 17 --- ci/gradle-publish.yml | 19 +++++++++---------- ci/gradle.yml | 37 ++++++++++++++++++++++++++++--------- 2 files changed, 37 insertions(+), 19 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 3e301337af..6cc37c34d5 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml 
@@ -20,26 +20,25 @@ jobs: packages: write steps: - - uses: actions/checkout@v3 - - name: Set up JDK 11 - uses: actions/setup-java@v3 + - uses: actions/checkout@v4 + - name: Set up JDK 17 + uses: actions/setup-java@v4 with: - java-version: '11' + java-version: '17' distribution: 'temurin' server-id: github # Value of the distributionManagement/repository/id field of the pom.xml settings-path: ${{ github.workspace }} # location for the settings.xml file + - name: Setup Gradle + uses: gradle/actions/setup-gradle@ec92e829475ac0c2315ea8f9eced72db85bb337a # v3.0.0 + - name: Build with Gradle - uses: gradle/gradle-build-action@bd5760595778326ba7f1441bcf7e88b49de61a25 # v2.6.0 - with: - arguments: build + run: ./gradlew build # The USERNAME and TOKEN need to correspond to the credentials environment variables used in # the publishing section of your build.gradle - name: Publish to GitHub Packages - uses: gradle/gradle-build-action@bd5760595778326ba7f1441bcf7e88b49de61a25 # v2.6.0 - with: - arguments: publish + run: ./gradlew publish env: USERNAME: ${{ github.actor }} TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/ci/gradle.yml b/ci/gradle.yml index 51645f9532..499f3a2d99 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml 
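Review bot: `./gradlew build` and `./gradlew publish` now execute the wrapper JAR committed in the repository, and nothing in this job verifies that binary before it runs under a job holding `packages: write` and `secrets.GITHUB_TOKEN`; a tampered `gradle-wrapper.jar` on a branch that triggers this workflow gets publishing credentials. Add a validation step before Setup Gradle, `- uses: gradle/actions/wrapper-validation@<full-sha> # v3.x`, or, if the pinned setup-gradle release supports it, enable its wrapper validation option. The workflow's `on:` trigger and the start of the `permissions` block are outside this hunk, so I cannot tell from here which events reach this job.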
@@ -13,22 +13,41 @@ on: pull_request: branches: [ $default-branch ] -permissions: - contents: read - jobs: build: runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v3 - - name: Set up JDK 11 - uses: actions/setup-java@v3 + - uses: actions/checkout@v4 + - name: Set up JDK 17 + uses: actions/setup-java@v4 with: - java-version: '11' + java-version: '17' distribution: 'temurin' + + - name: Setup Gradle + uses: gradle/actions/setup-gradle@ec92e829475ac0c2315ea8f9eced72db85bb337a # v3.0.0 + - name: Build with Gradle - uses: gradle/gradle-build-action@bd5760595778326ba7f1441bcf7e88b49de61a25 # v2.6.0 + run: ./gradlew build + + # Optional: Uploads the full dependency graph to GitHub to enable Dependabot alerts + dependency-submission: + + runs-on: ubuntu-latest + permissions: + contents: write + + steps: + - uses: actions/checkout@v4 + - name: Set up JDK 17 + uses: actions/setup-java@v4 with: - arguments: build + java-version: '17' + distribution: 'temurin' + + - name: Generate and submit dependency graph + uses: gradle/actions/dependency-submission@ec92e829475ac0c2315ea8f9eced72db85bb337a # v3.0.0 From b0b88404ff0b2033d82041240d19b4b887d576a7 Mon Sep 17 00:00:00 2001 From: daz Date: Wed, 31 Jan 2024 13:29:02 -0700 Subject: [PATCH 754/844] Improve documentation in starter workflow - Remove "optional" flag from dependency-submission - Add example of running without Gradle wrapper - Link to action docs --- ci/gradle.yml | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/ci/gradle.yml b/ci/gradle.yml index 499f3a2d99..db5eacf4c8 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml 
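Review bot: The new `dependency-submission` job inherits the workflow's `push` and `pull_request` triggers (the `pull_request: branches: [ $default-branch ]` line is visible at the top of the hunk) while requesting `contents: write`, so a build script from a same-repository PR runs Gradle with a token that can write to the repository. Gate the job on the push event, `if: github.event_name == 'push'`, or move it to its own workflow triggered only on push to the default branch, keeping `contents: write` confined to that job as this change already does. PRs from forks receive a read-only token, so for them the submission step would fail rather than expose anything, but that is worth a comment so the failure is not mistaken for a bug.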
@@ -28,13 +28,26 @@ jobs: java-version: '17' distribution: 'temurin' + # Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies. + # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md - name: Setup Gradle uses: gradle/actions/setup-gradle@ec92e829475ac0c2315ea8f9eced72db85bb337a # v3.0.0 - - name: Build with Gradle + - name: Build with Gradle Wrapper run: ./gradlew build - # Optional: Uploads the full dependency graph to GitHub to enable Dependabot alerts + # NOTE: The Gradle Wrapper is the default and recommended way to run Gradle (https://docs.gradle.org/current/userguide/gradle_wrapper.html). + # If your project does not have the Gradle Wrapper configured, you can use the following configuration + # to run Gradle with a specified version. + # + # - name: Setup Gradle + # uses: gradle/actions/setup-gradle@ec92e829475ac0c2315ea8f9eced72db85bb337a # v3.0.0 + # with: + # gradle-version: '8.5' + # + # - name: Build with Gradle 8.5 + # run: gradle build + dependency-submission: runs-on: ubuntu-latest @@ -49,5 +62,7 @@ jobs: java-version: '17' distribution: 'temurin' + # Genereates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. + # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md - name: Generate and submit dependency graph uses: gradle/actions/dependency-submission@ec92e829475ac0c2315ea8f9eced72db85bb337a # v3.0.0 From 51848d8b1567905ff32bd182801935475eaeab33 Mon Sep 17 00:00:00 2001 From: daz Date: Wed, 31 Jan 2024 13:36:52 -0700 Subject: [PATCH 755/844] Remove trailing whitespace --- ci/gradle.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/ci/gradle.yml b/ci/gradle.yml index db5eacf4c8..cee4eed649 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml 
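Review bot: The new comment above the Setup Gradle step misspells the platform as `GiHub` in `Configure Gradle for optimal use in GiHub Actions`; it should read `GitHub Actions`. The later typo fix in this series corrects `Genereates` but leaves this one in place.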
@@ -37,8 +37,7 @@ jobs: run: ./gradlew build # NOTE: The Gradle Wrapper is the default and recommended way to run Gradle (https://docs.gradle.org/current/userguide/gradle_wrapper.html). - # If your project does not have the Gradle Wrapper configured, you can use the following configuration - # to run Gradle with a specified version. + # If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version. # # - name: Setup Gradle # uses: gradle/actions/setup-gradle@ec92e829475ac0c2315ea8f9eced72db85bb337a # v3.0.0 @@ -47,7 +46,7 @@ jobs: # # - name: Build with Gradle 8.5 # run: gradle build - + dependency-submission: runs-on: ubuntu-latest From 6c7819814a50a3f71ff124d8a6a0a53a4a574df7 Mon Sep 17 00:00:00 2001 From: daz Date: Wed, 31 Jan 2024 15:07:12 -0700 Subject: [PATCH 756/844] Fix typo --- ci/gradle.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/gradle.yml b/ci/gradle.yml index cee4eed649..361a5d5777 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -61,7 +61,7 @@ jobs: java-version: '17' distribution: 'temurin' - # Genereates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. + # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md - name: Generate and submit dependency graph uses: gradle/actions/dependency-submission@ec92e829475ac0c2315ea8f9eced72db85bb337a # v3.0.0 From 6e4aae97ef99f585c8977538f5ef971fe47b0556 Mon Sep 17 00:00:00 2001 From: SOOS-GSteen Date: Tue, 6 Feb 2024 11:44:04 -0500 Subject: [PATCH 757/844] soos-dast-scan.yml update (#2240) * Update soos-dast-scan.yml * use major version syntax * code review * lint * Update soos-dast-scan.yml --- code-scanning/soos-dast-scan.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) 
diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 99b9027095..335aa03dae 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -4,18 +4,20 @@ # documentation. # # SOOS is the easy-to-integrate and affordable software security solution for your whole team. +# # Learn more at https://soos.io/ # # To use this action, perform the following steps: # -# 1. Create an account on https://app.soos.io. SOOS offers a free 30 day trial for our SCA and DAST products. +# 1. Create an account on https://app.soos.io. SOOS offers a free 30 day trial for our SCA, DAST, and SBOM products. # -# 2. Navigate to the "Integrate" page in the SOOS app (https://app.soos.io/integrate). Note the "API Credentials" section of this page; the keys you will need for the next step are here. +# 2. Navigate to the "Integrate" page in the SOOS app (https://app.soos.io/integrate/dast/). Note the "API Credentials" section of this page; the keys you will need for the next step are here. # # 3. Set up your SOOS API Key and SOOS Client Id as Github Secrets named SOOS_API_KEY and SOOS_CLIENT_ID. # # 4. (Optional) If you'd like to upload SARIF results of DAST scans to GitHub, set SOOS_GITHUB_PAT with your Github Personal Access Token. # +# Check for the latest version here: https://github.com/marketplace/actions/soos-dast name: "SOOS DAST Scan" 
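Review bot: Step 4 of the header comment tells users to store a personal access token as `SOOS_GITHUB_PAT` for uploading SARIF, while the job's `permissions` block already requests `security-events: write`, which is the scope the built-in `GITHUB_TOKEN` needs for code-scanning uploads. A long-lived user PAT in repository secrets has a far larger blast radius than the per-run job token, so if the action accepts the job token the comment should point users at `secrets.GITHUB_TOKEN` first and reserve a PAT for cases that genuinely need one. I cannot tell from this hunk whether the action's input accepts the job token, so that is a question for the action maintainer rather than a confirmed defect.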
@@ -30,11 +32,11 @@ jobs: permissions: security-events: write # for uploading code scanning alert info actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - name: SOOS DAST Scan + name: SOOS DAST Analysis runs-on: ubuntu-latest steps: - - name: Run SOOS DAST Scan - uses: soos-io/soos-dast-github-action@3e71b27756f4ed77d7ad3c0ad92afddb47a40e4d # Use latest version from https://github.com/marketplace/actions/soos-dast + - name: Run SOOS DAST Analysis + uses: soos-io/soos-dast-github-action@d0ee0d8feb02c1881e6a1d785bf2078662631150 with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} From ba9d3788e41756554f71500303a39dbea535b6ef Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Tue, 6 Feb 2024 12:55:25 -0600 Subject: [PATCH 758/844] Changing default behavior to include comment summary in PR also gave the workflow the appropriate permissions required, pull-requests: write --- code-scanning/dependency-review.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 14255a917e..74e66ed205 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -20,8 +20,8 @@ on: # https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api permissions: contents: read - # Required if `comment-summary-in-pr: true` is uncommented below - # pull-requests: write + # Write permissions for pull-requests are required for using the `comment-summary-in-pr` option, comment out if you aren't using this option + pull-requests: write jobs: dependency-review: 
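Review bot: The `uses:` line now pins `soos-io/soos-dast-github-action` to a bare commit SHA and drops the `# Use latest version from ...` note, leaving no indication of which release the SHA corresponds to; a SHA alone is opaque to reviewers, and Dependabot's action updates keep the pin readable only when a trailing version comment is present. Suggest `uses: soos-io/soos-dast-github-action@d0ee0d8feb02c1881e6a1d785bf2078662631150 # vX.Y.Z` with the actual release tag filled in, matching how the gradle starters in this series annotate their pins.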
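Review bot: `pull-requests: write` is now granted unconditionally in the workflow-level `permissions` block, so every job later added to this file inherits it, and the comment only tells users to remove it if they do not use the option. Move it under `jobs.dependency-review.permissions` alongside `contents: read` so the grant stays with the single step that posts comments. On `pull_request` runs from forks the token is read-only regardless of this grant, so the comment step may fail there; a short note saying so would save confusion.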
@@ -32,8 +32,8 @@ jobs: - name: 'Dependency Review' uses: actions/dependency-review-action@v4 # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options. - # with: + with: + comment-summary-in-pr: always # fail-on-severity: moderate - # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later - # comment-summary-in-pr: true + # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later # retry-on-snapshot-warnings: true From 8aab15dd49a9ff76eca0fc91767e173f5d0f15d9 Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Wed, 7 Feb 2024 09:06:01 -0600 Subject: [PATCH 759/844] Update code-scanning/dependency-review.yml begone, whitespace Co-authored-by: Chad Bentz <1760475+felickz@users.noreply.github.com> --- code-scanning/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 74e66ed205..14d335c5e8 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -35,5 +35,5 @@ jobs: with: comment-summary-in-pr: always # fail-on-severity: moderate - # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later + # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later # retry-on-snapshot-warnings: true From c4f5db626001352990a0a12dc2e89f4716e9e2a0 Mon Sep 17 00:00:00 2001 From: Sam Partington Date: Wed, 7 Feb 2024 17:33:08 +0000 Subject: [PATCH 760/844] Code Scanning shouldn't own `dependency-review.yml` --- CODEOWNERS | 1 + 1 file changed, 1 insertion(+) diff --git a/CODEOWNERS b/CODEOWNERS index 4389365353..2ed2e33dcf 100644 --- a/CODEOWNERS +++ b/CODEOWNERS 
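Review bot: `comment-summary-in-pr: always` posts a summary comment on every pull request, including ones with no findings, which adds noise and makes the comment easy to tune out when it does carry a blocking result. For a gating check `on-failure` is the quieter default; suggest `comment-summary-in-pr: on-failure` with the comment `# set to 'always' to comment even when no issues are found`.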
@@ -1,4 +1,5 @@ * @actions/actions-workflow-development-reviewers /code-scanning/ @actions/advanced-security-code-scanning @actions/actions-workflow-development-reviewers @actions/advanced-security-dependency-graph +/code-scanning/dependency-review.yml @actions/actions-workflow-development-reviewers @actions/advanced-security-dependency-graph /pages/ @actions/pages @actions/actions-workflow-development-reviewers From f263f7e886286af4c6edcb21f2fb4b2d45846a07 Mon Sep 17 00:00:00 2001 From: Jamie McCarthy Date: Mon, 12 Feb 2024 06:56:37 -0600 Subject: [PATCH 761/844] Run ci/rubyonrails with bundle exec --- ci/rubyonrails.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index 20ff014af4..dba16cb256 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -51,8 +51,8 @@ jobs: bundler-cache: true # Add or replace any other lints here - name: Security audit dependencies - run: bin/bundler-audit --update + run: bundle exec bundler-audit --update - name: Security audit application code - run: bin/brakeman -q -w2 + run: bundle exec brakeman -q -w2 - name: Lint Ruby files - run: bin/rubocop --parallel + run: bundle exec rubocop --parallel From e4840c47d074b5cdaff1d1d3684b2fed38c548d7 Mon Sep 17 00:00:00 2001 From: Jamie McCarthy Date: Mon, 12 Feb 2024 06:57:16 -0600 Subject: [PATCH 762/844] Spell bundle-audit without the r Usage as described in https://github.com/rubysec/bundler-audit#readme --- ci/rubyonrails.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index dba16cb256..c9835fb91e 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -51,7 +51,7 @@ jobs: bundler-cache: true # Add or replace any other lints here - name: Security audit dependencies - run: bundle exec bundler-audit --update + run: bundle exec bundle-audit --update - name: Security audit application code run: bundle exec brakeman -q -w2 - name: Lint Ruby files 
From 4b8ca42dd9f838356c049899bc877fcda8bf6539 Mon Sep 17 00:00:00 2001 From: Jamie McCarthy Date: Mon, 12 Feb 2024 06:59:39 -0600 Subject: [PATCH 763/844] Prefer ruby/setup-ruby@v1 As recommended in https://github.com/ruby/setup-ruby#setup-ruby --- ci/rubyonrails.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index c9835fb91e..d62b55245f 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -30,7 +30,7 @@ jobs: uses: actions/checkout@v3 # Add or replace dependency steps here - name: Install Ruby and gems - uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 + uses: ruby/setup-ruby@v1 with: bundler-cache: true # Add or replace database setup steps here @@ -46,7 +46,7 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - name: Install Ruby and gems - uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 + uses: ruby/setup-ruby@v1 with: bundler-cache: true # Add or replace any other lints here From d303234ad7a0c432ed79bc98259043570ea64012 Mon Sep 17 00:00:00 2001 From: daz Date: Tue, 13 Feb 2024 14:00:27 -0700 Subject: [PATCH 764/844] Update for `gradle/actions@v3.1.0` release - Bump version hashes to use `gradle/actions/setup-gradle@v3.1.0` - Bump version hash to use `gradle/actions/dependency-submission@v3.1.0` --- ci/gradle-publish.yml | 2 +- ci/gradle.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 6cc37c34d5..2af46165be 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -30,7 +30,7 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Setup Gradle - uses: gradle/actions/setup-gradle@ec92e829475ac0c2315ea8f9eced72db85bb337a # v3.0.0 + uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 - name: Build with Gradle run: ./gradlew build 
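Review bot: Replacing the commit-pinned `ruby/setup-ruby@55283cc… # v1.146.0` with the floating `@v1` tag is a supply-chain regression: `ruby/setup-ruby` is a third-party action, and a mutable major tag can be moved to any commit by whoever controls that repository, after which both jobs here would run that code with the repository's token. The other third-party actions in this series (`gradle/actions`, `soos-io`) stay pinned to full SHAs with a version comment; keep that convention, `uses: ruby/setup-ruby@<full-sha> # v1.x.y`, and let Dependabot advance the pin. The upstream README's `@v1` recommendation is a convenience default, not a security one.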
diff --git a/ci/gradle.yml b/ci/gradle.yml index 361a5d5777..65a332be61 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -31,7 +31,7 @@ jobs: # Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies. # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md - name: Setup Gradle - uses: gradle/actions/setup-gradle@ec92e829475ac0c2315ea8f9eced72db85bb337a # v3.0.0 + uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 - name: Build with Gradle Wrapper run: ./gradlew build @@ -40,7 +40,7 @@ jobs: # If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version. # # - name: Setup Gradle - # uses: gradle/actions/setup-gradle@ec92e829475ac0c2315ea8f9eced72db85bb337a # v3.0.0 + # uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 # with: # gradle-version: '8.5' # @@ -64,4 +64,4 @@ jobs: # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md - name: Generate and submit dependency graph - uses: gradle/actions/dependency-submission@ec92e829475ac0c2315ea8f9eced72db85bb337a # v3.0.0 + uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 From 05e45811599669cf3c0631d7980937988b31be11 Mon Sep 17 00:00:00 2001 From: Marco Gario Date: Thu, 15 Feb 2024 09:01:39 +0100 Subject: [PATCH 765/844] Update codeql.yml with new build-mode --- code-scanning/codeql.yml | 37 +++++++++++++++++++------------------ 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 808449d6b0..d0df66c8ab 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml 
@@ -40,11 +40,12 @@ jobs: strategy: fail-fast: false matrix: - language: [ $detected-codeql-languages ] - # CodeQL supports [ $supported-codeql-languages ] - # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both - # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + $codeql-languages-matrix + # CodeQL supports the following values keywords for 'language': $supported-codeql-languages + # Use 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. steps: - name: Checkout repository @@ -55,6 +56,7 @@ jobs: uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. 
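Review bot: The added comment `# CodeQL supports the following values keywords for 'language': $supported-codeql-languages` has a leftover word; `# CodeQL supports the following values for 'language': $supported-codeql-languages` reads cleanly. In the second hunk, `build-mode: ${{ matrix.build-mode }}` is now passed to `init` for every matrix entry, so presumably every entry produced by the `$codeql-languages-matrix` placeholder carries a `build-mode` — an entry without one would expand to an empty string here, which is worth confirming against the template expander. The `analyze` job's header and the rest of its steps lie outside this hunk.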
@@ -62,21 +64,20 @@ jobs: # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs # queries: security-extended,security-and-quality - - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v3 - + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh + - if: ${{ matrix.build-mode == 'manual' }} + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 From 8a973982d129261906540b29fc80512a1fd3ec81 Mon Sep 17 00:00:00 2001 From: Marco Gario Date: Mon, 19 Feb 2024 15:54:06 +0100 Subject: [PATCH 766/844] Update code-scanning/codeql.yml Co-authored-by: Henry Mercer --- code-scanning/codeql.yml | 1 + 1 file changed, 1 insertion(+) 
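Review bot: The new conditional step `- if: ${{ matrix.build-mode == 'manual' }}` has no `name:`, so in the run log and in the failure summary it appears as `Run echo 'If you are using a "manual" build mode ...'`, which hides that the `exit 1` is the intentional placeholder for a user-supplied build; adding `name: Build code (manual build mode)` directly above `run: |` makes the failure self-explanatory. The backslash-continued `echo` arguments are joined with single spaces, so the message prints as one line as intended. The enclosing job starts above this hunk.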
diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index d0df66c8ab..00ef183d5b 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -42,6 +42,7 @@ jobs: matrix: $codeql-languages-matrix # CodeQL supports the following values keywords for 'language': $supported-codeql-languages + # Use `c-cpp` to analyze code written in C, C++ or both # Use 'java-kotlin' to analyze code written in Java, Kotlin or both # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, From 4a8c4e08b0b97c465318cc670fc212b94cfcbaba Mon Sep 17 00:00:00 2001 From: Marco Gario Date: Mon, 19 Feb 2024 15:57:02 +0100 Subject: [PATCH 767/844] Update code-scanning/codeql.yml Co-authored-by: Henry Mercer --- code-scanning/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 00ef183d5b..1d23be1ea7 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -71,7 +71,7 @@ jobs: # to build your code. # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - if: ${{ matrix.build-mode == 'manual' }} + - if: matrix.build-mode == 'manual' run: | echo 'If you are using a "manual" build mode for one or more of the' \ 'languages you are analyzing, replace this with the commands to build' \ From 03277899f01de35a7544217d1b02c1031bae1102 Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Wed, 6 Mar 2024 16:46:46 -0500 Subject: [PATCH 768/844] tfsec latest v0.1.4 (#2318) --- code-scanning/tfsec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 48ee4d2243..706c8be1a6 100644 --- a/code-scanning/tfsec.yml 
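Review bot: The added line in the first hunk wraps c-cpp in backticks while the neighbouring lines quote 'java-kotlin' and 'javascript-typescript' with single quotes; `# Use 'c-cpp' to analyze code written in C, C++ or both` keeps the comment block consistent, which matters here because this text is copied into user repositories as-is. The matrix block this comment belongs to begins above the hunk.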
+++ b/code-scanning/tfsec.yml @@ -27,7 +27,7 @@ jobs: uses: actions/checkout@v3 - name: Run tfsec - uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f + uses: aquasecurity/tfsec-sarif-action@21ded20e8ca120cd9d3d6ab04ef746477542a608 with: sarif_file: tfsec.sarif From 3fb9f82449706d5e8e6605bf7cb839b690359cdc Mon Sep 17 00:00:00 2001 From: Tim Heuer Date: Tue, 12 Mar 2024 12:08:25 -0700 Subject: [PATCH 769/844] Updating dotnet CI starter workflows (#2333) * Update dotnet.yml Updating versions * Update dotnet-desktop.yml Bumping versions * Update ci/dotnet-desktop.yml Co-authored-by: Alexis Abril --------- Co-authored-by: Alexis Abril --- ci/dotnet-desktop.yml | 8 ++++---- ci/dotnet.yml | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index fd82a3962d..ad99b56b9b 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -63,19 +63,19 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 # Install the .NET Core workload - name: Install .NET Core - uses: actions/setup-dotnet@v3 + uses: actions/setup-dotnet@v4 with: - dotnet-version: 6.0.x + dotnet-version: 8.0.x # Add MSBuild to the PATH: https://github.com/microsoft/setup-msbuild - name: Setup MSBuild.exe - uses: microsoft/setup-msbuild@v1.0.2 + uses: microsoft/setup-msbuild@v2 # Execute all unit tests in the solution - name: Execute unit tests diff --git a/ci/dotnet.yml b/ci/dotnet.yml index f11f05069d..b869d6ef84 100644 --- a/ci/dotnet.yml +++ b/ci/dotnet.yml @@ -15,11 +15,11 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Setup .NET - uses: actions/setup-dotnet@v3 + uses: actions/setup-dotnet@v4 with: - dotnet-version: 6.0.x + dotnet-version: 8.0.x - name: Restore dependencies run: dotnet restore - name: Build From 0f4d22325b4bd42a10be5b295f57866f7c78b2bb Mon Sep 17 00:00:00 2001 
From: cclin Date: Mon, 25 Mar 2024 16:05:58 +0800 Subject: [PATCH 770/844] Update astro.yml for yarn based project --- pages/astro.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pages/astro.yml b/pages/astro.yml index 0929af5655..03044be19e 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -42,11 +42,13 @@ jobs: echo "manager=yarn" >> $GITHUB_OUTPUT echo "command=install" >> $GITHUB_OUTPUT echo "runner=yarn" >> $GITHUB_OUTPUT + echo "lockfile=yarn.lock" >> $GITHUB_OUTPUT exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then echo "manager=npm" >> $GITHUB_OUTPUT echo "command=ci" >> $GITHUB_OUTPUT echo "runner=npx --no-install" >> $GITHUB_OUTPUT + echo "lockfile=package-lock.json" >> $GITHUB_OUTPUT exit 0 else echo "Unable to determine package manager" @@ -57,7 +59,7 @@ jobs: with: node-version: "20" cache: ${{ steps.detect-package-manager.outputs.manager }} - cache-dependency-path: ${{ env.BUILD_PATH }}/package-lock.json + cache-dependency-path: ${{ env.BUILD_PATH }}/${{ steps.detect-package-manager.outputs.lockfile }} - name: Setup Pages id: pages uses: actions/configure-pages@v4 From 61cdce264d9ad8045eee8229857b814e0c0510a8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=EC=B9=B4=EA=B8=B0=EC=9E=90=ED=8C=90?= Date: Tue, 26 Mar 2024 08:26:55 +0900 Subject: [PATCH 771/844] Updating nextjs.yml for Next.js 14 Support (#2204) * Update nextjs.yml * Update nextjs.yml --------- Co-authored-by: Alexis Abril --- pages/nextjs.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/pages/nextjs.yml b/pages/nextjs.yml index f91a07d80a..74e57fceb5 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml 
@@ -73,10 +73,8 @@ jobs: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}- - name: Install dependencies run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }} - - name: Build with Next.js + - name: Build and Static HTML export with Next.js run: ${{ steps.detect-package-manager.outputs.runner }} next build - - name: Static HTML export with Next.js - run: ${{ steps.detect-package-manager.outputs.runner }} next export - name: Upload artifact uses: actions/upload-pages-artifact@v3 with: From aad92724382fbe4be3a7880224fb9c1cacd3b7b2 Mon Sep 17 00:00:00 2001 From: Marco Gario Date: Tue, 26 Mar 2024 13:18:17 +0100 Subject: [PATCH 772/844] Update codeql.yml Limit matrix information in the job name to language by default --- code-scanning/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 1d23be1ea7..dd1406acb0 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -21,7 +21,7 @@ on: jobs: analyze: - name: Analyze + name: Analyze (${{ matrix.language }}) # Runner size impacts CodeQL analysis time. To learn more, please see: # - https://gh.io/recommended-hardware-resources-for-running-codeql # - https://gh.io/supported-runners-and-hardware-resources From fdbad9c74f2ddbd29ef69cedd91184c4552c7360 Mon Sep 17 00:00:00 2001 From: Marco Gario Date: Tue, 26 Mar 2024 13:41:53 +0100 Subject: [PATCH 773/844] Update codeql.yml links to docs --- code-scanning/codeql.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index dd1406acb0..cb883a9bb7 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml 
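Review bot: Removing the `next export` step in pages/nextjs.yml means the static HTML output now depends on `output: 'export'` being set in the Next.js configuration, since Next.js 14 dropped the standalone export command; whether the earlier "Setup Pages" step injects that setting is outside this hunk, and the configure-pages comments visible elsewhere on this page only mention basePath and image optimization. A one-line comment above `run: ${{ steps.detect-package-manager.outputs.runner }} next build` such as `# Static export relies on output: 'export' in next.config (see the Setup Pages step)` would spare the next reader the search. The job's remaining steps continue below the hunk.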
@@ -47,7 +47,8 @@ jobs: # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. - + # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages steps: - name: Checkout repository uses: actions/checkout@v4 From 831e9cb8e41cb47e2ffdabda6c3f268a057ffae5 Mon Sep 17 00:00:00 2001 From: Andreas Deininger Date: Wed, 27 Mar 2024 18:51:41 +0100 Subject: [PATCH 774/844] Bump workflow actions of various starter files (#2210) --- code-scanning/detekt.yml | 2 +- code-scanning/endorlabs.yml | 2 +- code-scanning/rust-clippy.yml | 4 ++-- deployments/alibabacloud.yml | 4 ++-- pages/hugo.yml | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index 15aeb45524..502c66e8be 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml @@ -13,7 +13,7 @@ # 4. Manually, on demand, via the "workflow_dispatch" event # # The workflow should work with no modifications, but you might like to use a -# later version of the Detekt CLI by modifing the $DETEKT_RELEASE_TAG +# later version of the Detekt CLI by modifying the $DETEKT_RELEASE_TAG # environment variable. name: Scan with Detekt diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index 1ad0e2609b..5633a6bc16 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml 
@@ -24,7 +24,7 @@ jobs: uses: actions/checkout@v3 #### Package Build Instructions ### Use this section to define the build steps used by your software package. - ### Endor Labs builds your software for you where possible but the required build tools must be made availible. + ### Endor Labs builds your software for you where possible but the required build tools must be made available. # - name: Setup Java # uses: actions/setup-java@v3 # with: diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml index 90583f342f..4f50c3e203 100644 --- a/code-scanning/rust-clippy.yml +++ b/code-scanning/rust-clippy.yml @@ -28,7 +28,7 @@ jobs: actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Install Rust toolchain uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af #@v1 @@ -52,4 +52,4 @@ jobs: uses: github/codeql-action/upload-sarif@v1 with: sarif_file: rust-clippy-results.sarif - wait-for-processing: true \ No newline at end of file + wait-for-processing: true diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index 96d5d3865d..74dd7f63ef 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -49,7 +49,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 # 1.1 Login to ACR - name: Login to ACR with the AccessKey pair @@ -59,7 +59,7 @@ jobs: access-key-id: "${{ secrets.ACCESS_KEY_ID }}" access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}" - # 1.2 Buid and push image to ACR + # 1.2 Build and push image to ACR - name: Build and push image to ACR run: | docker build --tag "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" . diff --git a/pages/hugo.yml b/pages/hugo.yml index 6e40b040b0..1061a74bd7 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml 
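Review bot: In code-scanning/rust-clippy.yml the checkout step is bumped to `uses: actions/checkout@v4`, but the context of the second hunk still shows `uses: github/codeql-action/upload-sarif@v1`, a major version GitHub no longer supports, so the SARIF upload this workflow exists for is the step most likely to stop working; `uses: github/codeql-action/upload-sarif@v3` would match the version the scorecard and soos-dast-scan changes in this same series moved to. The toolchain step in the first hunk's context, `uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af #@v1`, points at an organisation whose repositories I believe are archived upstream, so a maintained alternative is worth a look the next time this file is touched. The enclosing job starts above the first hunk.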
@@ -31,7 +31,7 @@ jobs: build: runs-on: ubuntu-latest env: - HUGO_VERSION: 0.120.4 + HUGO_VERSION: 0.124.1 steps: - name: Install Hugo CLI run: | From 4620c76b38f478f21a88b354ce6794dcfacba755 Mon Sep 17 00:00:00 2001 From: Spencer Schrock Date: Wed, 27 Mar 2024 13:25:03 -0700 Subject: [PATCH 775/844] update Scorecard Action hashes and version comments (#2348) * update action hashes and version comments ossf/scorecard-action v2.1.2 is old and doesnt work after a Sigstore change. https://blog.sigstore.dev/tuf-root-update/ Signed-off-by: Spencer Schrock * downgrade actions/upload-artifact to node20 version of v3 dependabot will suggest upgrade to v4.3.1 for repos that can upgrade. note: v3.pre.node20 is how dependabot refers to the pinned hash, so use that so it can upgrade the comment Signed-off-by: Spencer Schrock * upgrade github/codeql-action/upload-sarif to v3.24.9 Signed-off-by: Spencer Schrock --------- Signed-off-by: Spencer Schrock Co-authored-by: Alexis Abril --- code-scanning/scorecard.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index 19b9b00f29..162c788bbd 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml 
@@ -32,19 +32,19 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 with: results_file: results.sarif results_format: sarif # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: # - you want to enable the Branch-Protection check on a *public* repository, or # - you are installing Scorecard on a *private* repository - # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional. # repo_token: ${{ secrets.SCORECARD_TOKEN }} # Public repositories: @@ -59,14 +59,15 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 + uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 with: name: SARIF file path: results.sarif retention-days: 5 - # Upload the results to GitHub's code scanning dashboard. + # Upload the results to GitHub's code scanning dashboard (optional). + # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 + uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 with: sarif_file: results.sarif From 4ca845b387fb6f8d1b8ba86e6b2d3b345cd862b7 Mon Sep 17 00:00:00 2001 
From: Alexis Abril Date: Fri, 29 Mar 2024 13:23:28 -0700 Subject: [PATCH 776/844] Update CODEOWNERS Simplifying the CODEOWNERS file to allow respective teams the capabilities to manage PRs as responsibilities have been updated recently. In the short term, this will add notifications to folks for each team. --- CODEOWNERS | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/CODEOWNERS b/CODEOWNERS index 2ed2e33dcf..7580ac67a5 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,5 +1,5 @@ +* @actions/advanced-security-code-scanning +* @actions/advanced-security-dependency-graph +* @actions/pages * @actions/actions-workflow-development-reviewers - -/code-scanning/ @actions/advanced-security-code-scanning @actions/actions-workflow-development-reviewers @actions/advanced-security-dependency-graph -/code-scanning/dependency-review.yml @actions/actions-workflow-development-reviewers @actions/advanced-security-dependency-graph -/pages/ @actions/pages @actions/actions-workflow-development-reviewers +* @actions/starter-workflows From 87efe4c91d3d86b0f544d36ceaae0dc8be94f080 Mon Sep 17 00:00:00 2001 From: Alexis Abril Date: Fri, 29 Mar 2024 15:20:42 -0700 Subject: [PATCH 777/844] Update CODEOWNERS Adding @actions/starter-workflows to each category to minimize notification pollution. --- CODEOWNERS | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/CODEOWNERS b/CODEOWNERS index 7580ac67a5..50abb26484 100644 --- a/CODEOWNERS +++ b/CODEOWNERS 
@@ -1,5 +1,5 @@ -* @actions/advanced-security-code-scanning -* @actions/advanced-security-dependency-graph -* @actions/pages -* @actions/actions-workflow-development-reviewers -* @actions/starter-workflows +* @actions/actions-workflow-development-reviewers @actions/starter-workflows + +/code-scanning/ @actions/advanced-security-code-scanning @actions/actions-workflow-development-reviewers @actions/advanced-security-dependency-graph @actions/starter-workflows +/code-scanning/dependency-review.yml @actions/actions-workflow-development-reviewers @actions/advanced-security-dependency-graph @actions/starter-workflows +/pages/ @actions/pages @actions/actions-workflow-development-reviewers @actions/starter-workflows From c9a0122a593db43660edaf37cf6cae081c2f45d9 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Fri, 29 Mar 2024 19:57:20 -0500 Subject: [PATCH 778/844] Update all Pages workflows to use actions/configure-pages@v5 --- pages/astro.yml | 2 +- pages/gatsby.yml | 2 +- pages/hugo.yml | 2 +- pages/jekyll-gh-pages.yml | 2 +- pages/jekyll.yml | 2 +- pages/mdbook.yml | 2 +- pages/nextjs.yml | 2 +- pages/nuxtjs.yml | 2 +- pages/static.yml | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index 03044be19e..25db103f04 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -62,7 +62,7 @@ jobs: cache-dependency-path: ${{ env.BUILD_PATH }}/${{ steps.detect-package-manager.outputs.lockfile }} - name: Setup Pages id: pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 - name: Install dependencies run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }} working-directory: ${{ env.BUILD_PATH }} diff --git a/pages/gatsby.yml b/pages/gatsby.yml index c82a2f7aa3..1bcc667f5b 100644 --- a/pages/gatsby.yml +++ b/pages/gatsby.yml 
@@ -58,7 +58,7 @@ jobs: cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages id: pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 with: # Automatically inject pathPrefix in your Gatsby configuration file. # diff --git a/pages/hugo.yml b/pages/hugo.yml index 1061a74bd7..141ad91a5a 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -45,7 +45,7 @@ jobs: submodules: recursive - name: Setup Pages id: pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 - name: Install Node.js dependencies run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true" - name: Build with Hugo diff --git a/pages/jekyll-gh-pages.yml b/pages/jekyll-gh-pages.yml index 8d5586c325..2874cc0c98 100644 --- a/pages/jekyll-gh-pages.yml +++ b/pages/jekyll-gh-pages.yml @@ -29,7 +29,7 @@ jobs: - name: Checkout uses: actions/checkout@v4 - name: Setup Pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 - name: Build with Jekyll uses: actions/jekyll-build-pages@v1 with: diff --git a/pages/jekyll.yml b/pages/jekyll.yml index 17fec3f9c8..f07bc39085 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -41,7 +41,7 @@ jobs: cache-version: 0 # Increment this number if you need to re-download cached gems - name: Setup Pages id: pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 - name: Build with Jekyll # Outputs to the './_site' directory by default run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}" diff --git a/pages/mdbook.yml b/pages/mdbook.yml index 6ea654d37b..cf79f4e071 100644 --- a/pages/mdbook.yml +++ b/pages/mdbook.yml @@ -39,7 +39,7 @@ jobs: cargo install --version ${MDBOOK_VERSION} mdbook - name: Setup Pages id: pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 - name: Build with mdBook run: mdbook build - name: Upload artifact 
diff --git a/pages/nextjs.yml b/pages/nextjs.yml index 74e57fceb5..ccde58d30c 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -54,7 +54,7 @@ jobs: node-version: "20" cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 with: # Automatically inject basePath in your Next.js configuration file and disable # server side image optimization (https://nextjs.org/docs/api-reference/next/image#unoptimized). diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml index 5ceb0e8d81..25a6862718 100644 --- a/pages/nuxtjs.yml +++ b/pages/nuxtjs.yml @@ -52,7 +52,7 @@ jobs: node-version: "20" cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 with: # Automatically inject router.base in your Nuxt configuration file and set # target to static (https://nuxtjs.org/docs/configuration-glossary/configuration-target/). diff --git a/pages/static.yml b/pages/static.yml index 819974a2c2..5640380712 100644 --- a/pages/static.yml +++ b/pages/static.yml @@ -32,7 +32,7 @@ jobs: - name: Checkout uses: actions/checkout@v4 - name: Setup Pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 - name: Upload artifact uses: actions/upload-pages-artifact@v3 with: From e4837fa7681a5ff12fe8500675c47c7f6a296f98 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Fri, 29 Mar 2024 20:19:30 -0500 Subject: [PATCH 779/844] Improve step name for Next.js build --- pages/nextjs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/nextjs.yml b/pages/nextjs.yml index ccde58d30c..e2c9ab62a2 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml 
@@ -73,7 +73,7 @@ jobs: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}- - name: Install dependencies run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }} - - name: Build and Static HTML export with Next.js + - name: Build with Next.js run: ${{ steps.detect-package-manager.outputs.runner }} next build - name: Upload artifact uses: actions/upload-pages-artifact@v3 From efd31e5f0f3f40497cbbd7d3991ddac4da4037ca Mon Sep 17 00:00:00 2001 From: SOOS-GSteen Date: Mon, 1 Apr 2024 16:11:05 -0400 Subject: [PATCH 780/844] update soos dash action commit hash / sarif action version / logo (#2317) * Update soos-dast-scan.yml * Update soos-dast-scan.yml * Update soos.svg * Update code-scanning/soos-dast-scan.yml Co-authored-by: Alexis Abril --------- Co-authored-by: Alexis Abril --- code-scanning/soos-dast-scan.yml | 6 +++--- icons/soos.svg | 18 +----------------- 2 files changed, 4 insertions(+), 20 deletions(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 335aa03dae..b3e470e98f 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -36,7 +36,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Analysis - uses: soos-io/soos-dast-github-action@d0ee0d8feb02c1881e6a1d785bf2078662631150 + uses: soos-io/soos-dast-github-action@a7f2cb2dfd143cb3224712d902ca0a1da0198ea9 with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} @@ -45,6 +45,6 @@ jobs: target_url: "https://www.example.com/" output_format: "sarif" - name: Upload SOOS DAST SARIF Report - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: - sarif_file: results.sarif \ No newline at end of file + sarif_file: results.sarif diff --git a/icons/soos.svg b/icons/soos.svg index 17a31fcb08..7480560df9 100644 --- a/icons/soos.svg +++ b/icons/soos.svg 
@@ -1,17 +1 @@ - - - - - - - - - - - + \ No newline at end of file From b53d05e4b0dde7cdaeda60476acfcaaa1713f8cc Mon Sep 17 00:00:00 2001 From: Charly Garcia <155784995+cgarciagarcia@users.noreply.github.com> Date: Mon, 1 Apr 2024 17:12:02 -0300 Subject: [PATCH 781/844] ci: use artisan command to run test, because this ci/laravel.yml does not work properly in laravel when uses Pest instead of PHPUnit (#2284) Co-authored-by: Alexis Abril --- ci/laravel.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/laravel.yml b/ci/laravel.yml index e778d7b313..fc30f21321 100644 --- a/ci/laravel.yml +++ b/ci/laravel.yml @@ -28,8 +28,8 @@ jobs: run: | mkdir -p database touch database/database.sqlite - - name: Execute tests (Unit and Feature tests) via PHPUnit + - name: Execute tests (Unit and Feature tests) via PHPUnit/Pest env: DB_CONNECTION: sqlite DB_DATABASE: database/database.sqlite - run: vendor/bin/phpunit + run: php artisan test From 31a3e00dab4440b64f47b6b9d92f8d330e1b6f00 Mon Sep 17 00:00:00 2001 From: Issy Long Date: Wed, 3 Apr 2024 10:23:11 +0100 Subject: [PATCH 782/844] codeql: Clarify that hosted larger runners only exist on GHEC - Part of https://github.com/github/code-scanning/issues/13748. --- code-scanning/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index cb883a9bb7..d24240d0d4 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml 
@@ -25,8 +25,8 @@ jobs: # Runner size impacts CodeQL analysis time. To learn more, please see: # - https://gh.io/recommended-hardware-resources-for-running-codeql # - https://gh.io/supported-runners-and-hardware-resources - # - https://gh.io/using-larger-runners - # Consider using larger runners for possible analysis time improvements. + # - https://gh.io/using-larger-runners (GitHub.com only) + # Consider using larger runners or machines with greater resources for possible analysis time improvements. runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} permissions: From cd4b67d0b4d0afb975b04ffa9097d358de9a7af3 Mon Sep 17 00:00:00 2001 
From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 3 Jan 2024 02:09:21 -0500 Subject: [PATCH 783/844] Checkout: Update all workflows to use Checkout V4 --- .github/workflows/lint.yaml | 2 +- .github/workflows/sync-ghes.yaml | 2 +- .github/workflows/validate-data.yaml | 2 +- ci/ada.yml | 2 +- ci/android.yml | 2 +- ci/ant.yml | 2 +- ci/blank.yml | 2 +- ci/c-cpp.yml | 2 +- ci/clojure.yml | 2 +- ci/cmake-multi-platform.yml | 2 +- ci/cmake-single-platform.yml | 2 +- ci/crystal.yml | 2 +- ci/d.yml | 2 +- ci/dart.yml | 2 +- ci/deno.yml | 2 +- ci/django.yml | 2 +- ci/docker-image.yml | 2 +- ci/docker-publish.yml | 2 +- ci/elixir.yml | 2 +- ci/erlang.yml | 2 +- ci/gem-push.yml | 2 +- ci/generator-generic-ossf-slsa3-publish.yml | 2 +- ci/go.yml | 2 +- ci/haskell.yml | 2 +- ci/ios.yml | 2 +- ci/jekyll-docker.yml | 2 +- ci/laravel.yml | 2 +- ci/makefile.yml | 2 +- ci/maven-publish.yml | 2 +- ci/maven.yml | 2 +- ci/msbuild.yml | 2 +- ci/node.js.yml | 2 +- ci/npm-grunt.yml | 2 +- ci/npm-gulp.yml | 2 +- ci/npm-publish-github-packages.yml | 4 ++-- ci/npm-publish.yml | 4 ++-- ci/objective-c-xcode.yml | 2 +- ci/php.yml | 2 +- ci/pylint.yml | 2 +- ci/python-app.yml | 2 +- ci/python-package-conda.yml | 2 +- ci/python-package.yml | 2 +- ci/python-publish.yml | 2 +- ci/r.yml | 2 +- ci/ruby.yml | 2 +- ci/rubyonrails.yml | 4 ++-- ci/rust.yml | 2 +- ci/scala.yml | 2 +- ci/super-linter.yml | 2 +- ci/swift.yml | 2 +- ci/symfony.yml | 2 +- ci/webpack.yml | 2 +- code-scanning/anchore-syft.yml | 2 +- code-scanning/anchore.yml | 2 +- code-scanning/bearer.yml | 2 +- code-scanning/brakeman.yml | 2 +- code-scanning/checkmarx-one.yml | 2 +- code-scanning/checkmarx.yml | 2 +- code-scanning/cloudrail.yml | 2 +- code-scanning/codacy.yml | 2 +- code-scanning/codescan.yml | 2 +- code-scanning/contrast-scan.yml | 2 +- code-scanning/credo.yml | 2 +- code-scanning/crunch42.yml | 2 +- code-scanning/datree.yml | 2 +- code-scanning/defender-for-devops.yml | 2 +- code-scanning/detekt.yml | 2 
+- code-scanning/devskim.yml | 2 +- code-scanning/endorlabs.yml | 2 +- code-scanning/eslint.yml | 2 +- code-scanning/flawfinder.yml | 2 +- code-scanning/fortify.yml | 2 +- code-scanning/frogbot-scan-and-fix.yml | 2 +- code-scanning/hadolint.yml | 2 +- code-scanning/jscrambler-code-integrity.yml | 2 +- code-scanning/kubesec.yml | 2 +- code-scanning/lintr.yml | 2 +- code-scanning/mayhem-for-api.yml | 2 +- code-scanning/mobsf.yml | 2 +- code-scanning/msvc.yml | 2 +- code-scanning/njsscan.yml | 2 +- code-scanning/nowsecure-mobile-sbom.yml | 2 +- code-scanning/nowsecure.yml | 2 +- code-scanning/ossar.yml | 2 +- code-scanning/phpmd.yml | 2 +- code-scanning/pmd.yml | 2 +- code-scanning/powershell.yml | 2 +- code-scanning/prisma.yml | 2 +- code-scanning/psalm.yml | 2 +- code-scanning/puppet-lint.yml | 2 +- code-scanning/pyre.yml | 2 +- code-scanning/pysa.yml | 2 +- code-scanning/rubocop.yml | 2 +- code-scanning/securitycodescan.yml | 2 +- code-scanning/semgrep.yml | 2 +- code-scanning/snyk-container.yml | 2 +- code-scanning/snyk-infrastructure.yml | 2 +- code-scanning/snyk-security.yml | 2 +- code-scanning/sobelow.yml | 2 +- code-scanning/stackhawk.yml | 2 +- code-scanning/synopsys-action.yml | 2 +- code-scanning/synopsys-io.yml | 2 +- code-scanning/sysdig-scan.yml | 2 +- code-scanning/tfsec.yml | 2 +- code-scanning/trivy.yml | 2 +- code-scanning/veracode.yml | 2 +- code-scanning/xanitizer.yml | 2 +- code-scanning/zscaler-iac-scan.yml | 2 +- code-scanning/zscan.yml | 2 +- deployments/alibabacloud.yml | 2 +- deployments/aws.yml | 2 +- deployments/azure-container-webapp.yml | 2 +- deployments/azure-functions-app-container.yml | 2 +- deployments/azure-functions-app-dotnet.yml | 2 +- deployments/azure-functions-app-java-gradle.yml | 2 +- deployments/azure-functions-app-java.yml | 2 +- deployments/azure-functions-app-nodejs.yml | 2 +- deployments/azure-functions-app-powershell.yml | 2 +- deployments/azure-functions-app-python.yml | 2 +- 
deployments/azure-kubernetes-service-helm.yml | 4 ++-- deployments/azure-kubernetes-service-kompose.yml | 4 ++-- deployments/azure-kubernetes-service-kustomize.yml | 4 ++-- deployments/azure-kubernetes-service.yml | 4 ++-- deployments/azure-staticwebapp.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 2 +- deployments/azure-webapps-java-jar-gradle.yml | 2 +- deployments/azure-webapps-java-jar.yml | 2 +- deployments/azure-webapps-node.yml | 2 +- deployments/azure-webapps-php.yml | 2 +- deployments/azure-webapps-python.yml | 2 +- deployments/google.yml | 2 +- deployments/ibm.yml | 2 +- deployments/openshift.yml | 2 +- deployments/tencent.yml | 2 +- deployments/terraform.yml | 2 +- 135 files changed, 142 insertions(+), 142 deletions(-) diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index b526eeb8d2..ffe789eb6b 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-python@v4 with: diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index ddd048441d..6a3da68e59 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -10,7 +10,7 @@ jobs: contents: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - run: | git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/* git config user.email "cschleiden@github.com" diff --git a/.github/workflows/validate-data.yaml b/.github/workflows/validate-data.yaml index 7f8701d5cc..43f5578a6a 100644 --- a/.github/workflows/validate-data.yaml +++ b/.github/workflows/validate-data.yaml @@ -10,7 +10,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-node@v3 with: diff --git a/ci/ada.yml b/ci/ada.yml index 417ed2e006..ecb01cd8ad 100644 
--- a/ci/ada.yml +++ b/ci/ada.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set up GNAT toolchain run: > diff --git a/ci/android.yml b/ci/android.yml index 221fca5c90..80a33b4c0d 100644 --- a/ci/android.yml +++ b/ci/android.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: set up JDK 11 uses: actions/setup-java@v3 with: diff --git a/ci/ant.yml b/ci/ant.yml index e9dba0106e..517a37a633 100644 --- a/ci/ant.yml +++ b/ci/ant.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up JDK 11 uses: actions/setup-java@v3 with: diff --git a/ci/blank.yml b/ci/blank.yml index 607e2cfaeb..8decfee630 100644 --- a/ci/blank.yml +++ b/ci/blank.yml @@ -23,7 +23,7 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Runs a single command using the runners shell - name: Run a one-line script diff --git a/ci/c-cpp.yml b/ci/c-cpp.yml index 14d2eb9c34..087efee6bf 100644 --- a/ci/c-cpp.yml +++ b/ci/c-cpp.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: configure run: ./configure - name: make diff --git a/ci/clojure.yml b/ci/clojure.yml index a76631a5dd..06396a8985 100644 --- a/ci/clojure.yml +++ b/ci/clojure.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Install dependencies run: lein deps - name: Run tests diff --git a/ci/cmake-multi-platform.yml b/ci/cmake-multi-platform.yml index 8762e9f5c3..6d493980bd 100644 --- a/ci/cmake-multi-platform.yml +++ b/ci/cmake-multi-platform.yml 
@@ -45,7 +45,7 @@ jobs: c_compiler: cl steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set reusable strings # Turn repeated input strings (such as the build output directory) into step outputs. These step outputs can be used throughout the workflow file. diff --git a/ci/cmake-single-platform.yml b/ci/cmake-single-platform.yml index ccc318b5d6..1e89f2f1fa 100644 --- a/ci/cmake-single-platform.yml +++ b/ci/cmake-single-platform.yml @@ -20,7 +20,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Configure CMake # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make. diff --git a/ci/crystal.yml b/ci/crystal.yml index 18cc825acb..0b4f5704cf 100644 --- a/ci/crystal.yml +++ b/ci/crystal.yml @@ -15,7 +15,7 @@ jobs: image: crystallang/crystal steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Install dependencies run: shards install - name: Run tests diff --git a/ci/d.yml b/ci/d.yml index 350eeeee57..e2682984a8 100644 --- a/ci/d.yml +++ b/ci/d.yml @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: dlang-community/setup-dlang@4c99aa991ce7d19dd3064de0a4f2f6b2f152e2d7 - name: 'Build & Test' diff --git a/ci/dart.yml b/ci/dart.yml index 7bf352f21b..35c0ee6e34 100644 --- a/ci/dart.yml +++ b/ci/dart.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Note: This workflow uses the latest stable version of the Dart SDK. # You can specify other versions if desired, see documentation here: diff --git a/ci/deno.yml b/ci/deno.yml index 92338c9705..abbf294429 100644 --- a/ci/deno.yml +++ b/ci/deno.yml @@ -23,7 +23,7 @@ jobs: steps: - name: Setup repo - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup Deno # uses: denoland/setup-deno@v1 
diff --git a/ci/django.yml b/ci/django.yml index 79550cc789..0503635290 100644 --- a/ci/django.yml +++ b/ci/django.yml @@ -16,7 +16,7 @@ jobs: python-version: [3.7, 3.8, 3.9] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v3 with: diff --git a/ci/docker-image.yml b/ci/docker-image.yml index cc9cd6ee37..be757cca1e 100644 --- a/ci/docker-image.yml +++ b/ci/docker-image.yml @@ -13,6 +13,6 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Build the Docker image run: docker build . --file Dockerfile --tag my-image-name:$(date +%s) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index ff80b663a3..8a042a508f 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -35,7 +35,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer diff --git a/ci/elixir.yml b/ci/elixir.yml index 58f0b2783b..43b32be102 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -21,7 +21,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Elixir uses: erlef/setup-beam@61e01a43a562a89bfc54c7f9a378ff67b03e4a21 # v1.16.0 with: diff --git a/ci/erlang.yml b/ci/erlang.yml index 984b83adf6..d8dcb76cc0 100644 --- a/ci/erlang.yml +++ b/ci/erlang.yml @@ -19,7 +19,7 @@ jobs: image: erlang:22.0.7 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Compile run: rebar3 compile - name: Run tests diff --git a/ci/gem-push.yml b/ci/gem-push.yml index dd6d867397..262d9bce15 100644 --- a/ci/gem-push.yml +++ b/ci/gem-push.yml 
@@ -15,7 +15,7 @@ jobs: packages: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Ruby 2.6 # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, # change this to (see https://github.com/ruby/setup-ruby#versioning): diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml index a36e782cbf..35c829b139 100644 --- a/ci/generator-generic-ossf-slsa3-publish.yml +++ b/ci/generator-generic-ossf-slsa3-publish.yml @@ -23,7 +23,7 @@ jobs: digests: ${{ steps.hash.outputs.digests }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # ======================================================== # diff --git a/ci/go.yml b/ci/go.yml index 9f74f8704d..2154740733 100644 --- a/ci/go.yml +++ b/ci/go.yml @@ -14,7 +14,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Go uses: actions/setup-go@v4 diff --git a/ci/haskell.yml b/ci/haskell.yml index 5693f90de2..6be41621df 100644 --- a/ci/haskell.yml +++ b/ci/haskell.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-haskell@v1 with: ghc-version: '8.10.3' diff --git a/ci/ios.yml b/ci/ios.yml index 693a7d5ae0..e1dca4bdef 100644 --- a/ci/ios.yml +++ b/ci/ios.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set Default Scheme run: | scheme_list=$(xcodebuild -list -json | tr -d "\n") diff --git a/ci/jekyll-docker.yml b/ci/jekyll-docker.yml index 6a98dea142..4ae36d7826 100644 --- a/ci/jekyll-docker.yml +++ b/ci/jekyll-docker.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Build the site in the jekyll/builder container run: | docker run \ diff --git a/ci/laravel.yml b/ci/laravel.yml index fc30f21321..267c798ea9 100644 
--- a/ci/laravel.yml +++ b/ci/laravel.yml @@ -15,7 +15,7 @@ jobs: - uses: shivammathur/setup-php@15c43e89cdef867065b0213be354c2841860869e with: php-version: '8.0' - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Copy .env run: php -r "file_exists('.env') || copy('.env.example', '.env');" - name: Install Dependencies diff --git a/ci/makefile.yml b/ci/makefile.yml index 1b53855ad3..5b6d2e6316 100644 --- a/ci/makefile.yml +++ b/ci/makefile.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: configure run: ./configure diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml index dab69fef79..954e6c8d9b 100644 --- a/ci/maven-publish.yml +++ b/ci/maven-publish.yml @@ -16,7 +16,7 @@ jobs: packages: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up JDK 11 uses: actions/setup-java@v3 with: diff --git a/ci/maven.yml b/ci/maven.yml index f97113ef9e..47816eea03 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -20,7 +20,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up JDK 17 uses: actions/setup-java@v3 with: diff --git a/ci/msbuild.yml b/ci/msbuild.yml index a52ec35f65..25ed6d1b00 100644 --- a/ci/msbuild.yml +++ b/ci/msbuild.yml @@ -28,7 +28,7 @@ jobs: runs-on: windows-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Add MSBuild to PATH uses: microsoft/setup-msbuild@v1.0.2 diff --git a/ci/node.js.yml b/ci/node.js.yml index f230593b30..688a227883 100644 --- a/ci/node.js.yml +++ b/ci/node.js.yml @@ -20,7 +20,7 @@ jobs: # See supported Node.js release schedule at https://nodejs.org/en/about/releases/ steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} uses: actions/setup-node@v3 with: diff --git a/ci/npm-grunt.yml b/ci/npm-grunt.yml index 0bcbd1c9ff..0039895d28 100644 --- a/ci/npm-grunt.yml 
+++ b/ci/npm-grunt.yml @@ -15,7 +15,7 @@ jobs: node-version: [14.x, 16.x, 18.x] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} uses: actions/setup-node@v3 diff --git a/ci/npm-gulp.yml b/ci/npm-gulp.yml index 7d79002e88..19bed274bb 100644 --- a/ci/npm-gulp.yml +++ b/ci/npm-gulp.yml @@ -15,7 +15,7 @@ jobs: node-version: [14.x, 16.x, 18.x] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} uses: actions/setup-node@v3 diff --git a/ci/npm-publish-github-packages.yml b/ci/npm-publish-github-packages.yml index e790f4dd4f..189970904d 100644 --- a/ci/npm-publish-github-packages.yml +++ b/ci/npm-publish-github-packages.yml @@ -11,7 +11,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-node@v3 with: node-version: 16 @@ -25,7 +25,7 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-node@v3 with: node-version: 16 diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index 6cdebafb6b..0049296098 100644 --- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml @@ -11,7 +11,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-node@v3 with: node-version: 16 @@ -22,7 +22,7 @@ jobs: needs: build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-node@v3 with: node-version: 16 diff --git a/ci/objective-c-xcode.yml b/ci/objective-c-xcode.yml index 13738787b6..8c73fcee1a 100644 --- a/ci/objective-c-xcode.yml +++ b/ci/objective-c-xcode.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set Default Scheme run: | scheme_list=$(xcodebuild -list -json | tr -d "\n") 
diff --git a/ci/php.yml b/ci/php.yml index a3bdfd7db9..0cf8c96a2e 100644 --- a/ci/php.yml +++ b/ci/php.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Validate composer.json and composer.lock run: composer validate --strict diff --git a/ci/pylint.yml b/ci/pylint.yml index 383e65cd03..c73e032c0f 100644 --- a/ci/pylint.yml +++ b/ci/pylint.yml @@ -9,7 +9,7 @@ jobs: matrix: python-version: ["3.8", "3.9", "3.10"] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v3 with: diff --git a/ci/python-app.yml b/ci/python-app.yml index 994538258f..5963096c33 100644 --- a/ci/python-app.yml +++ b/ci/python-app.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Python 3.10 uses: actions/setup-python@v3 with: diff --git a/ci/python-package-conda.yml b/ci/python-package-conda.yml index 384f9b727c..f3586044ab 100644 --- a/ci/python-package-conda.yml +++ b/ci/python-package-conda.yml @@ -9,7 +9,7 @@ jobs: max-parallel: 5 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Python 3.10 uses: actions/setup-python@v3 with: diff --git a/ci/python-package.yml b/ci/python-package.yml index 249ceef8bb..19247ca7b7 100644 --- a/ci/python-package.yml +++ b/ci/python-package.yml @@ -19,7 +19,7 @@ jobs: python-version: ["3.9", "3.10", "3.11"] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v3 with: diff --git a/ci/python-publish.yml b/ci/python-publish.yml index bdaab28a48..b7a704be54 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -21,7 +21,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Python uses: actions/setup-python@v3 with: 
diff --git a/ci/r.yml b/ci/r.yml index 68f02d722d..6d58427116 100644 --- a/ci/r.yml +++ b/ci/r.yml @@ -25,7 +25,7 @@ jobs: r-version: ['3.6.3', '4.1.1'] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up R ${{ matrix.r-version }} uses: r-lib/actions/setup-r@f57f1301a053485946083d7a45022b278929a78a with: diff --git a/ci/ruby.yml b/ci/ruby.yml index 9e940816e1..1eaba46512 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -25,7 +25,7 @@ jobs: ruby-version: ['2.6', '2.7', '3.0'] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Ruby # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, # change this to (see https://github.com/ruby/setup-ruby#versioning): diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index 20ff014af4..23c242c74d 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -27,7 +27,7 @@ jobs: DATABASE_URL: "postgres://rails:password@localhost:5432/rails_test" steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Add or replace dependency steps here - name: Install Ruby and gems uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 @@ -44,7 +44,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Install Ruby and gems uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: diff --git a/ci/rust.yml b/ci/rust.yml index d51f1afdb7..cda1f64a62 100644 --- a/ci/rust.yml +++ b/ci/rust.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Build run: cargo build --verbose - name: Run tests diff --git a/ci/scala.yml b/ci/scala.yml index 14ba966947..83b09f7d8b 100644 --- a/ci/scala.yml +++ b/ci/scala.yml 
@@ -20,7 +20,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up JDK 11 uses: actions/setup-java@v3 with: diff --git a/ci/super-linter.yml b/ci/super-linter.yml index 275b34f85c..01dc63bfce 100644 --- a/ci/super-linter.yml +++ b/ci/super-linter.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: # Full git history is needed to get a proper list of changed files within `super-linter` fetch-depth: 0 diff --git a/ci/swift.yml b/ci/swift.yml index 91276e31fa..f2da0d0c9e 100644 --- a/ci/swift.yml +++ b/ci/swift.yml @@ -15,7 +15,7 @@ jobs: runs-on: macos-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Build run: swift build -v - name: Run tests diff --git a/ci/symfony.yml b/ci/symfony.yml index 4b957e1a15..4ca1764e61 100644 --- a/ci/symfony.yml +++ b/ci/symfony.yml @@ -24,7 +24,7 @@ jobs: - uses: shivammathur/setup-php@2cb9b829437ee246e9b3cac53555a39208ca6d28 with: php-version: '8.0' - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Copy .env.test.local run: php -r "file_exists('.env.test.local') || copy('.env.test', '.env.test.local');" - name: Cache Composer packages diff --git a/ci/webpack.yml b/ci/webpack.yml index 2b8b18a805..9e967c0d54 100644 --- a/ci/webpack.yml +++ b/ci/webpack.yml @@ -15,7 +15,7 @@ jobs: node-version: [14.x, 16.x, 18.x] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} uses: actions/setup-node@v3 diff --git a/code-scanning/anchore-syft.yml b/code-scanning/anchore-syft.yml index 8180622251..99d4dd0b5e 100644 --- a/code-scanning/anchore-syft.yml +++ b/code-scanning/anchore-syft.yml 
@@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Build the Docker image run: docker build . --file Dockerfile --tag localbuild/testimage:latest - name: Scan the image and upload dependency results diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 818fb707ee..2bbc55e812 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -32,7 +32,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out the code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Build the Docker image run: docker build . --file Dockerfile --tag localbuild/testimage:latest - name: Run the Anchore Grype scan action diff --git a/code-scanning/bearer.yml b/code-scanning/bearer.yml index 7e66e57e49..7971be96e6 100644 --- a/code-scanning/bearer.yml +++ b/code-scanning/bearer.yml @@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: # Checkout project source - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Scan code using Bearer CLI - name: Run Report id: report diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index 197300c40f..0d1cb052dc 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -31,7 +31,7 @@ jobs: steps: # Checkout the repository to the GitHub Actions runner - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Customize the ruby version depending on your needs - name: Setup Ruby diff --git a/code-scanning/checkmarx-one.yml b/code-scanning/checkmarx-one.yml index 6214ab1f90..7feeb25b24 100644 --- a/code-scanning/checkmarx-one.yml +++ b/code-scanning/checkmarx-one.yml 
@@ -38,7 +38,7 @@ jobs: steps: # This step checks out a copy of your repository. - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # This step creates the Checkmarx One scan - name: Checkmarx One scan uses: checkmarx/ast-github-action@8e887bb93dacc44e0f5b64ee2b06d5815f89d4fc diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index 582488a128..b4a99f3235 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -35,7 +35,7 @@ jobs: # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs - name: Checkmarx CxFlow Action uses: checkmarx-ts/checkmarx-cxflow-github-action@49d8269b14ca87910ba003d47a31fa0c7a11f2fe diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml index e5defa3c57..8273881b53 100644 --- a/code-scanning/cloudrail.yml +++ b/code-scanning/cloudrail.yml @@ -24,7 +24,7 @@ jobs: steps: - name: Clone repo - uses: actions/checkout@v3 + uses: actions/checkout@v4 # For Terraform, Cloudrail requires the plan as input. So we generate it using # the Terraform core binary. diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index bbb211857c..c3cd9f542f 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -36,7 +36,7 @@ jobs: steps: # Checkout the repository to the GitHub Actions runner - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis - name: Run Codacy Analysis CLI diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index 0959d232d1..c4858c636e 100644 --- a/code-scanning/codescan.yml 
+++ b/code-scanning/codescan.yml @@ -29,7 +29,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Cache files uses: actions/cache@v3 with: diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml index ff3d9d3a84..1950d3ae2c 100644 --- a/code-scanning/contrast-scan.yml +++ b/code-scanning/contrast-scan.yml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest # check out project steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here. # -name: Build Project # ... diff --git a/code-scanning/credo.yml b/code-scanning/credo.yml index c1fb8d17cd..8c8c8be26c 100644 --- a/code-scanning/credo.yml +++ b/code-scanning/credo.yml @@ -41,7 +41,7 @@ jobs: otp: [version] elixir: [version] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f with: otp-version: ${{matrix.otp}} diff --git a/code-scanning/crunch42.yml b/code-scanning/crunch42.yml index 94ea23bd0b..693bf5ff33 100644 --- a/code-scanning/crunch42.yml +++ b/code-scanning/crunch42.yml @@ -42,7 +42,7 @@ jobs: security-events: write # for 42Crunch/api-security-audit-action to upload results to Github Code Scanning runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: 42Crunch REST API Static Security Testing uses: 42Crunch/api-security-audit-action@fc01ea7a89e6268875868f9d89598af7a9899ae0 diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml index 2e446829bc..a892cf8f0f 100644 --- a/code-scanning/datree.yml +++ b/code-scanning/datree.yml 
@@ -27,7 +27,7 @@ jobs: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Run Datree policy check continue-on-error: true uses: datreeio/action-datree@de67ae7a5133d719dc794e1b75682cd4c5f94d8a diff --git a/code-scanning/defender-for-devops.yml b/code-scanning/defender-for-devops.yml index 71971cdcc2..07aa7d1a5e 100644 --- a/code-scanning/defender-for-devops.yml +++ b/code-scanning/defender-for-devops.yml @@ -32,7 +32,7 @@ jobs: runs-on: windows-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-dotnet@v3 with: dotnet-version: | diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index 502c66e8be..76a116bc84 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml @@ -45,7 +45,7 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Gets the download URL associated with the $DETEKT_RELEASE_TAG - name: Get Detekt download URL diff --git a/code-scanning/devskim.yml b/code-scanning/devskim.yml index 4abd6ca0cf..98daab85fc 100644 --- a/code-scanning/devskim.yml +++ b/code-scanning/devskim.yml @@ -23,7 +23,7 @@ jobs: security-events: write steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run DevSkim scanner uses: microsoft/DevSkim-Action@v1 diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index 5633a6bc16..670fe62305 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml 
@@ -21,7 +21,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 #### Package Build Instructions ### Use this section to define the build steps used by your software package. ### Endor Labs builds your software for you where possible but the required build tools must be made available. diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml index fcb4f217ac..876ea2bc98 100644 --- a/code-scanning/eslint.yml +++ b/code-scanning/eslint.yml @@ -28,7 +28,7 @@ jobs: actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Install ESLint run: | diff --git a/code-scanning/flawfinder.yml b/code-scanning/flawfinder.yml index 4ed8792449..d564b68ae3 100644 --- a/code-scanning/flawfinder.yml +++ b/code-scanning/flawfinder.yml @@ -24,7 +24,7 @@ jobs: security-events: write steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: flawfinder_scan uses: david-a-wheeler/flawfinder@8e4a779ad59dbfaee5da586aa9210853b701959c diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml index 5e7c4221f9..c52b70e537 100644 --- a/code-scanning/fortify.yml +++ b/code-scanning/fortify.yml @@ -39,7 +39,7 @@ jobs: steps: # Check out source code - name: Check Out Source Code - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Java is required to run the various Fortify utilities. # When scanning a Java application, please use the appropriate Java version for building your application. diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index ed7028901d..62eb9ec6a7 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml 
@@ -21,7 +21,7 @@ jobs: create-fix-pull-requests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # IMPORTANT: # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml index 68aebaadb6..2d901a4f08 100644 --- a/code-scanning/hadolint.yml +++ b/code-scanning/hadolint.yml @@ -30,7 +30,7 @@ jobs: actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run hadolint uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183 diff --git a/code-scanning/jscrambler-code-integrity.yml b/code-scanning/jscrambler-code-integrity.yml index cbc934509c..69d7c42f05 100644 --- a/code-scanning/jscrambler-code-integrity.yml +++ b/code-scanning/jscrambler-code-integrity.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-node@v3 with: node-version: 18 diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml index c432673224..98fd8e004b 100644 --- a/code-scanning/kubesec.yml +++ b/code-scanning/kubesec.yml @@ -24,7 +24,7 @@ jobs: security-events: write steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run kubesec scanner uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 diff --git a/code-scanning/lintr.yml b/code-scanning/lintr.yml index 8a6de5796d..01ce71912a 100644 --- a/code-scanning/lintr.yml +++ b/code-scanning/lintr.yml 
@@ -33,7 +33,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup R uses: r-lib/actions/setup-r@4e1feaf90520ec1215d1882fdddfe3411c08e492 diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml index 64fe71ab92..9e533fe47f 100644 --- a/code-scanning/mayhem-for-api.yml +++ b/code-scanning/mayhem-for-api.yml @@ -42,7 +42,7 @@ jobs: contents: read security-events: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Run your API in the background. Ideally, the API would run in debug # mode & send stacktraces back on "500 Internal Server Error" responses diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 21462488cf..9f876aea7d 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -25,7 +25,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Setup python uses: actions/setup-python@v3 diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 172d855551..0700989a01 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -34,7 +34,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Configure CMake run: cmake -B ${{ env.build }} diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index 81e3650c6d..8062259302 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -30,7 +30,7 @@ jobs: name: njsscan code scanning steps: - name: Checkout the code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: nodejsscan scan id: njsscan uses: ajinabraham/njsscan-action@7237412fdd36af517e2745077cedbf9d6900d711 diff --git a/code-scanning/nowsecure-mobile-sbom.yml b/code-scanning/nowsecure-mobile-sbom.yml index b9cf039392..539b038d86 100644 --- a/code-scanning/nowsecure-mobile-sbom.yml +++ b/code-scanning/nowsecure-mobile-sbom.yml 
@@ -42,7 +42,7 @@ jobs: contents: read steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Build your application run: ./gradlew assembleDebug # Update this to build your Android or iOS application diff --git a/code-scanning/nowsecure.yml b/code-scanning/nowsecure.yml index 7b5ba8f6a3..324a533c13 100644 --- a/code-scanning/nowsecure.yml +++ b/code-scanning/nowsecure.yml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Build your application run: ./gradlew assembleDebug # Update this to build your Android or iOS application diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index 63a7515fbf..ad46e1d1f7 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -32,7 +32,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Ensure a compatible version of dotnet is installed. # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml index 686551ae8c..58ca4f840c 100644 --- a/code-scanning/phpmd.yml +++ b/code-scanning/phpmd.yml @@ -38,7 +38,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup PHP uses: shivammathur/setup-php@aa1fe473f9c687b6fb896056d771232c0bc41161 diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 6b5b7ea299..ed5eec92e7 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -24,7 +24,7 @@ jobs: actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up JDK 11 uses: actions/setup-java@v3 with: diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index 1e8a4267de..52f65a093d 100644 
--- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -29,7 +29,7 @@ jobs: name: PSScriptAnalyzer runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Run PSScriptAnalyzer uses: microsoft/psscriptanalyzer-action@6b2948b1944407914a58661c49941824d149734f diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 9b24386948..4b84b21e47 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -34,7 +34,7 @@ jobs: name: Run Prisma Cloud IaC Scan to check steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - id: iac-scan name: Run Scan on CFT files in the repository uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3 diff --git a/code-scanning/psalm.yml b/code-scanning/psalm.yml index 1e88766bd1..dddbfdd7d0 100644 --- a/code-scanning/psalm.yml +++ b/code-scanning/psalm.yml @@ -27,7 +27,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Psalm Security Scan uses: psalm/psalm-github-security-scan@f3e6fd9432bc3e44aec078572677ce9d2ef9c287 diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml index 047ff00be6..e039085881 100644 --- a/code-scanning/puppet-lint.yml +++ b/code-scanning/puppet-lint.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup Ruby uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 diff --git a/code-scanning/pyre.yml b/code-scanning/pyre.yml index 3c32e8b1d2..791dbaa524 100644 --- a/code-scanning/pyre.yml +++ b/code-scanning/pyre.yml @@ -33,7 +33,7 @@ jobs: security-events: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: submodules: true diff --git a/code-scanning/pysa.yml b/code-scanning/pysa.yml index a9e3c817ed..a60a99f349 100644 --- a/code-scanning/pysa.yml 
+++ b/code-scanning/pysa.yml @@ -35,7 +35,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: submodules: true diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml index e2347dbb30..feef351ccf 100644 --- a/code-scanning/rubocop.yml +++ b/code-scanning/rubocop.yml @@ -23,7 +23,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # If running on a self-hosted runner, check it meets the requirements # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml index 7a93d8aa9d..5d5e87b958 100644 --- a/code-scanning/securitycodescan.yml +++ b/code-scanning/securitycodescan.yml @@ -21,7 +21,7 @@ jobs: SCS: runs-on: windows-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: nuget/setup-nuget@04b0c2b8d1b97922f67eca497d7cf0bf17b8ffe1 - uses: microsoft/setup-msbuild@v1.0.2 diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index 23486e4901..f21aa9a995 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -32,7 +32,7 @@ jobs: runs-on: ubuntu-latest steps: # Checkout project source - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Scan code using project's configuration on https://semgrep.dev/manage - uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735 diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index c3756c8610..edbea1d635 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml 
@@ -33,7 +33,7 @@ jobs: actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Build a Docker image run: docker build -t your/image-to-test . - name: Run Snyk to check Docker image for vulnerabilities diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index aedf2a3c2b..a5605a3efc 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml @@ -32,7 +32,7 @@ jobs: actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Run Snyk to check configuration files for security issues # Snyk can be used to break the build when it detects security issues. # In this case we want to upload the issues to GitHub Code Scanning diff --git a/code-scanning/snyk-security.yml b/code-scanning/snyk-security.yml index 715fa1bddf..4941e0021b 100644 --- a/code-scanning/snyk-security.yml +++ b/code-scanning/snyk-security.yml @@ -35,7 +35,7 @@ jobs: actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Snyk CLI to check for security issues # Snyk can be used to break the build when it detects security issues. # In this case we want to upload the SAST issues to GitHub Code Scanning diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml index 61d376f45e..6dd4ffee1f 100644 --- a/code-scanning/sobelow.yml +++ b/code-scanning/sobelow.yml 
@@ -32,7 +32,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - id: run-action uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912 - name: Upload report diff --git a/code-scanning/stackhawk.yml b/code-scanning/stackhawk.yml index 64e9b9b967..cac0507adf 100644 --- a/code-scanning/stackhawk.yml +++ b/code-scanning/stackhawk.yml @@ -49,7 +49,7 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Start your service run: ./your-service.sh & # ✏️ Update this to run your own service to be scanned diff --git a/code-scanning/synopsys-action.yml b/code-scanning/synopsys-action.yml index 78855d6b82..f78def5efe 100644 --- a/code-scanning/synopsys-action.yml +++ b/code-scanning/synopsys-action.yml @@ -20,7 +20,7 @@ jobs: contents: read steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Synopsys Action uses: synopsys-sig/synopsys-action@v1.6.0 with: diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml index 61169e2c67..df50d9d5c6 100644 --- a/code-scanning/synopsys-io.yml +++ b/code-scanning/synopsys-io.yml @@ -25,7 +25,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Synopsys Intelligent Security Scan id: prescription diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index 8c13a4bd1e..c9a0edb3e4 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Build the Docker image # Tag image to be built diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 706c8be1a6..388fc37a30 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml 
@@ -24,7 +24,7 @@ jobs: steps: - name: Clone repo - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run tfsec uses: aquasecurity/tfsec-sarif-action@21ded20e8ca120cd9d3d6ab04ef746477542a608 diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index e4d38cd91d..ec90221ec5 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -27,7 +27,7 @@ jobs: runs-on: "ubuntu-20.04" steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Build an image from Dockerfile run: | diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index 04fc8146e6..379493fdf0 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -32,7 +32,7 @@ jobs: steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. Replace this section with your applications build steps - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: repository: '' diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 8fd5c7b497..32c977e9e4 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -57,7 +57,7 @@ jobs: steps: # Check out the repository - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Set up the correct Java version for your project # Please comment out, if your project does not contain Java source code. diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml index e880bdf941..7a2fc00d73 100644 --- a/code-scanning/zscaler-iac-scan.yml +++ b/code-scanning/zscaler-iac-scan.yml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest steps: - name : Code Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name : Zscaler IAC Scan uses : ZscalerCWP/Zscaler-IaC-Action@8d2afb33b10b4bd50e2dc2c932b37c6e70ac1087 id : zscaler-iac-scan 
diff --git a/code-scanning/zscan.yml b/code-scanning/zscan.yml index 01c3b0577f..018e473c04 100644 --- a/code-scanning/zscan.yml +++ b/code-scanning/zscan.yml @@ -36,7 +36,7 @@ jobs: actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Execute gradle build run: ./gradlew build # Change this to build your mobile application diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index 74dd7f63ef..526169ef6c 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -76,7 +76,7 @@ jobs: tag: "${{ env.TAG }}" # 2.1 (Optional) Login to ACR EE - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Login to ACR EE with the AccessKey pair uses: aliyun/acr-login@v1 with: diff --git a/deployments/aws.yml b/deployments/aws.yml index af7d87d707..3a1caa94ad 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -51,7 +51,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v1 diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml index 2f686e6207..57d6386641 100644 --- a/deployments/azure-container-webapp.yml +++ b/deployments/azure-container-webapp.yml @@ -42,7 +42,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 diff --git a/deployments/azure-functions-app-container.yml b/deployments/azure-functions-app-container.yml index 1173b95068..8333878f54 100644 --- a/deployments/azure-functions-app-container.yml +++ b/deployments/azure-functions-app-container.yml 
@@ -40,7 +40,7 @@ jobs: environment: dev steps: - name: 'Checkout GitHub Action' - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: 'Login via Azure CLI' uses: azure/login@v1 diff --git a/deployments/azure-functions-app-dotnet.yml b/deployments/azure-functions-app-dotnet.yml index 824614e0c1..bf1169bf21 100644 --- a/deployments/azure-functions-app-dotnet.yml +++ b/deployments/azure-functions-app-dotnet.yml @@ -33,7 +33,7 @@ jobs: environment: dev steps: - name: 'Checkout GitHub Action' - uses: actions/checkout@v3 + uses: actions/checkout@v4 # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below # - name: 'Login via Azure CLI' diff --git a/deployments/azure-functions-app-java-gradle.yml b/deployments/azure-functions-app-java-gradle.yml index 36c50b8aaa..131e287d93 100644 --- a/deployments/azure-functions-app-java-gradle.yml +++ b/deployments/azure-functions-app-java-gradle.yml @@ -38,7 +38,7 @@ jobs: environment: dev steps: - name: 'Checkout GitHub Action' - uses: actions/checkout@v3 + uses: actions/checkout@v4 # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below # - name: 'Login via Azure CLI' diff --git a/deployments/azure-functions-app-java.yml b/deployments/azure-functions-app-java.yml index 5608328511..e7b78c0a02 100644 --- a/deployments/azure-functions-app-java.yml +++ b/deployments/azure-functions-app-java.yml @@ -33,7 +33,7 @@ jobs: environment: dev steps: - name: 'Checkout GitHub Action' - uses: actions/checkout@v3 + uses: actions/checkout@v4 # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below # - name: 'Login via Azure CLI' diff --git a/deployments/azure-functions-app-nodejs.yml b/deployments/azure-functions-app-nodejs.yml index 916f396d1d..6c2e45c6d6 100644 --- a/deployments/azure-functions-app-nodejs.yml +++ b/deployments/azure-functions-app-nodejs.yml 
@@ -35,7 +35,7 @@ jobs: environment: dev steps: - name: 'Checkout GitHub Action' - uses: actions/checkout@v3 + uses: actions/checkout@v4 # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below # - name: 'Login via Azure CLI' diff --git a/deployments/azure-functions-app-powershell.yml b/deployments/azure-functions-app-powershell.yml index 5d623168c9..9ffc62807a 100644 --- a/deployments/azure-functions-app-powershell.yml +++ b/deployments/azure-functions-app-powershell.yml @@ -32,7 +32,7 @@ jobs: environment: dev steps: - name: 'Checkout GitHub Action' - uses: actions/checkout@v3 + uses: actions/checkout@v4 # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below # - name: 'Login via Azure CLI' diff --git a/deployments/azure-functions-app-python.yml b/deployments/azure-functions-app-python.yml index 6452a18499..2c50d8ac93 100644 --- a/deployments/azure-functions-app-python.yml +++ b/deployments/azure-functions-app-python.yml @@ -33,7 +33,7 @@ jobs: environment: dev steps: - name: 'Checkout GitHub Action' - uses: actions/checkout@v3 + uses: actions/checkout@v4 # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below # - name: 'Login via Azure CLI' diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index c3b521e588..a6c666b468 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -55,7 +55,7 @@ jobs: runs-on: ubuntu-latest steps: # Checks out the repository this file is in - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Logs in with your Azure credentials - name: Azure login @@ -79,7 +79,7 @@ jobs: needs: [buildImage] steps: # Checks out the repository this file is in - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Logs in with your Azure credentials - name: Azure login 
diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index c2edceaee6..a222528960 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -53,7 +53,7 @@ jobs: runs-on: ubuntu-latest steps: # Checks out the repository this file is in - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Logs in with your Azure credentials - name: Azure login @@ -77,7 +77,7 @@ jobs: needs: [buildImage] steps: # Checks out the repository this file is in - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Logs in with your Azure credentials - name: Azure login diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index 1b8aa99da1..e27e04e07a 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -53,7 +53,7 @@ jobs: runs-on: ubuntu-latest steps: # Checks out the repository this file is in - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Logs in with your Azure credentials - name: Azure login @@ -77,7 +77,7 @@ jobs: needs: [buildImage] steps: # Checks out the repository this file is in - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Logs in with your Azure credentials - name: Azure login diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index f5450e539c..649eb72f0f 100644 --- a/deployments/azure-kubernetes-service.yml +++ b/deployments/azure-kubernetes-service.yml @@ -49,7 +49,7 @@ jobs: runs-on: ubuntu-latest steps: # Checks out the repository this file is in - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Logs in with your Azure credentials - name: Azure login 
@@ -73,7 +73,7 @@ jobs: needs: [buildImage] steps: # Checks out the repository this file is in - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Logs in with your Azure credentials - name: Azure login diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml index 8fe07ced59..bc9bc62af0 100644 --- a/deployments/azure-staticwebapp.yml +++ b/deployments/azure-staticwebapp.yml @@ -38,7 +38,7 @@ jobs: runs-on: ubuntu-latest name: Build and Deploy Job steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: submodules: true - name: Build And Deploy diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 005aef2d7e..b4bfafbbb5 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -37,7 +37,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up .NET Core uses: actions/setup-dotnet@v2 diff --git a/deployments/azure-webapps-java-jar-gradle.yml b/deployments/azure-webapps-java-jar-gradle.yml index b1c1df92fd..63a45cc208 100644 --- a/deployments/azure-webapps-java-jar-gradle.yml +++ b/deployments/azure-webapps-java-jar-gradle.yml @@ -37,7 +37,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Java version uses: actions/setup-java@v3.0.0 diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index c29d871aa4..608fb8ee83 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -37,7 +37,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Java version uses: actions/setup-java@v3.0.0 diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index c72b1beff0..147d4e612d 100644 --- a/deployments/azure-webapps-node.yml 
+++ b/deployments/azure-webapps-node.yml @@ -34,7 +34,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Node.js uses: actions/setup-node@v3 diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index b3aee8de5d..1182c2a899 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -37,7 +37,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Setup PHP uses: shivammathur/setup-php@7c0b4c8c8ebed23eca9ec2802474895d105b11bc diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 0ce3ce9b8a..656f95c9a0 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -36,7 +36,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Python version uses: actions/setup-python@v3.0.0 diff --git a/deployments/google.yml b/deployments/google.yml index 846452a529..deb987748b 100644 --- a/deployments/google.yml +++ b/deployments/google.yml @@ -37,7 +37,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Configure Workload Identity Federation and generate an access token. - id: 'auth' diff --git a/deployments/ibm.yml b/deployments/ibm.yml index 53a58c5387..eaec2750b8 100644 --- a/deployments/ibm.yml +++ b/deployments/ibm.yml @@ -32,7 +32,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Download and Install IBM Cloud CLI - name: Install IBM Cloud CLI diff --git a/deployments/openshift.yml b/deployments/openshift.yml index 8504059323..1c3fc43d52 100644 --- a/deployments/openshift.yml +++ b/deployments/openshift.yml @@ -124,7 +124,7 @@ jobs: } - name: Check out repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Determine app name if: env.APP_NAME == '' 
diff --git a/deployments/tencent.yml b/deployments/tencent.yml index 3d228548a8..bf75b561fc 100644 --- a/deployments/tencent.yml +++ b/deployments/tencent.yml @@ -37,7 +37,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Build - name: Build Docker image diff --git a/deployments/terraform.yml b/deployments/terraform.yml index c06f6853dc..25d29630fd 100644 --- a/deployments/terraform.yml +++ b/deployments/terraform.yml @@ -66,7 +66,7 @@ jobs: steps: # Checkout the repository to the GitHub Actions runner - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token - name: Setup Terraform From ca5bcdc6930fe44fae60c9e0a60f5c1f56b2d449 Mon Sep 17 00:00:00 2001 From: Rex P <106129829+another-rex@users.noreply.github.com> Date: Wed, 10 Apr 2024 13:21:33 +1000 Subject: [PATCH 784/844] Add OSV-Scanner code scanning workflow (#2350) * Add OSV-Scanner code scanning workflow * Update code-scanning/osv-scanner.yml Co-authored-by: Alexis Abril --------- Co-authored-by: Alexis Abril --- code-scanning/osv-scanner.yml | 48 +++++++++++++++++++ .../properties/osv-scanner.properties.json | 7 +++ icons/osv.svg | 29 +++++++++++ 3 files changed, 84 insertions(+) create mode 100644 code-scanning/osv-scanner.yml create mode 100644 code-scanning/properties/osv-scanner.properties.json create mode 100644 icons/osv.svg diff --git a/code-scanning/osv-scanner.yml b/code-scanning/osv-scanner.yml new file mode 100644 index 0000000000..2aa7150659 --- /dev/null +++ b/code-scanning/osv-scanner.yml 
@@ -0,0 +1,48 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# A sample workflow which sets up periodic OSV-Scanner scanning for vulnerabilities,
+# in addition to a PR check which fails if new vulnerabilities are introduced.
+#
+# For more examples and options, including how to ignore specific vulnerabilities,
+# see https://google.github.io/osv-scanner/github-action/
+
+name: OSV-Scanner
+
+on:
+ pull_request:
+ branches: [ $default-branch, $protected-branches ]
+ merge_group:
+ branches: [ $default-branch, $protected-branches ]
+ schedule:
+ - cron: $cron-weekly
+ push:
+ branches: [ $default-branch, $protected-branches ]
+
+permissions:
+ # Require writing security events to upload SARIF file to security tab
+ security-events: write
+ # Read commit contents
+ contents: read
+
+jobs:
+ scan-scheduled:
+ if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
+ uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1
+ with:
+ # Example of specifying custom arguments
+ scan-args: |-
+ -r
+ --skip-git
+ ./
+ scan-pr:
+ if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
+ uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1
+ with:
+ # Example of specifying custom arguments
+ scan-args: |-
+ -r
+ --skip-git
+ ./
diff --git a/code-scanning/properties/osv-scanner.properties.json b/code-scanning/properties/osv-scanner.properties.json
new file mode 100644
index 0000000000..2ea1d36d03
--- /dev/null
+++ b/code-scanning/properties/osv-scanner.properties.json
@@ -0,0 +1,7 @@ +{ + "name": "OSV Scanner", + "creator": "Google", + "description": "Vulnerability scanner for your dependencies using data provided by https://osv.dev", + "iconName": "osv", + "categories": ["Code Scanning", "JavaScript", "Python", "Java", "PHP", "C#", "R", "Ruby", "Rust", "Swift", "Go", "TypeScript"] +} diff --git a/icons/osv.svg b/icons/osv.svg new file mode 100644 index 0000000000..c01aeee446 --- /dev/null +++ b/icons/osv.svg @@ -0,0 +1,29 @@ + + + + + + + + + + + + From a3194f5b4757a7bfb2324b17ccf11e28df2bc4f9 Mon Sep 17 00:00:00 2001 From: Marco Gario Date: Thu, 11 Apr 2024 09:39:30 +0200 Subject: [PATCH 785/844] Update CodeQL workflow to use packages:read permission. Co-authored-by: Anders Starcke Henriksen --- code-scanning/codeql.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index d24240d0d4..6fdadb163d 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -33,6 +33,9 @@ jobs: # required for all workflows security-events: write + # required to fetch internal or private CodeQL packs + packages: read + # only required for workflows in private repositories actions: read contents: read From ac9c407320899c9ddcb5054890deec998e9a20bb Mon Sep 17 00:00:00 2001 
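Review bot: `packages: read` is added unconditionally to the template's permissions block although the new comment says it is only needed to fetch internal or private CodeQL packs, so every repository adopting this starter workflow now grants a token scope most of them will not use. Following the style of the neighbouring `# only required for workflows in private repositories` comment, mark it as optional: `# only required to fetch internal or private CodeQL packs; remove otherwise`. The enclosing `permissions:` block starts outside the hunk.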
From: mponaws <157431286+mponaws@users.noreply.github.com> Date: Thu, 18 Apr 2024 12:39:17 -0700 Subject: [PATCH 786/844] Add starter-workflows for Policy Validator (#2375) * Add starter-workflows for Policy Validator * Add starter-workflows for Policy Validator * Add starter-workflows for Policy Validator, removed references to GitHub secrets & S3 to keep it simple --- code-scanning/policy-validator-cfn.yaml | 84 ++++++++++++++++++ code-scanning/policy-validator-tf.yaml | 87 +++++++++++++++++++ .../policy-validator-cfn.properties.json | 7 ++ .../policy-validator-tf.properties.json | 7 ++ 4 files changed, 185 insertions(+) create mode 100644 code-scanning/policy-validator-cfn.yaml create mode 100644 code-scanning/policy-validator-tf.yaml create mode 100644 code-scanning/properties/policy-validator-cfn.properties.json create mode 100644 code-scanning/properties/policy-validator-tf.properties.json diff --git a/code-scanning/policy-validator-cfn.yaml b/code-scanning/policy-validator-cfn.yaml new file mode 100644 index 0000000000..b2cd163a9f --- /dev/null +++ b/code-scanning/policy-validator-cfn.yaml 
@@ -0,0 +1,84 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow will validate the IAM policies in the CloudFormation (CFN) templates with using the standard and custom checks in AWS IAM Access Analyzer
+# To use this workflow, you will need to complete the following set up steps before start using it:
+# 1. Configure an AWS IAM role to use the Access Analyzer's ValidatePolicy, CheckNoNewAccess and CheckAccessNotGranted. This IAM role must be configured to call from the GitHub Actions, use the following [doc](https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/) for steps. In the below workflow, ARN of such role is stored in the GitHub secrets with name `POLICY_VALIDATOR_ROLE`
+# 2. If you're using CHECK_NO_NEW_ACCESS policy-check-type, you need to create a reference policy. Use the guide [here](https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples?tab=readme-ov-file#how-do-i-write-my-own-reference-policies) and store it your GitHub repo.
+# 3. If you're using the CHECK_ACCESS_NOT_GRANTED policy-check-type, identify the list of critical actions that shouldn't be granted access by the policies in the given CFN templates.
+# 4. Start using the GitHub actions by generating the GitHub events matching the defined criteria in your workflow.
+name: Validate AWS IAM policies in CloudFormation templates using Policy Validator
+on:
+ push:
+ branches: [$default-branch, $protected-branches]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [$default-branch]
+env:
+ AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions
+ REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1
+ TEMPLATE_PATH: FILE_PATH_TO_CFN_TEMPLATE # set to the file path to the CloudFormation template.
+ ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
+ REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's file path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
+ REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
+jobs:
+ policy-validator:
+ runs-on: ubuntu-latest # Virtual machine to run the workflow (configurable)
+ # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#updating-your-github-actions-workflow
+ # https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+ name: Policy Validator checks for AWS IAM policies
+ steps:
+ # checkout the repo for workflow to access the contents
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ # Configure AWS Credentials. More configuration details here - https://github.com/aws-actions/configure-aws-credentials
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
+ with:
+ role-to-assume: ${{ env.AWS_ROLE }}
+ aws-region: ${{ env.REGION }}
+ # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
+ - name: Run AWS AccessAnalyzer ValidatePolicy check
+ id: run-aws-validate-policy
+ uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
+ with:
+ policy-check-type: "VALIDATE_POLICY"
+ template-path: ${{ env.TEMPLATE_PATH}}
+ region: ${{ env.REGION }}
+ # Print result from VALIDATE_POLICY check
+ - name: Print the result for ValidatePolicy check
+ if: success() || failure()
+ run: echo "${{ steps.run-aws-validate-policy.outputs.result }}"
+ # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
+ - name: Run AWS AccessAnalyzer CheckAccessNotGranted check
+ id: run-aws-check-access-not-granted
+ uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
+ with:
+ policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
+ template-path: ${{ env.TEMPLATE_PATH}}
+ actions: ${{ env.ACTIONS }}
+ region: ${{ env.REGION }}
+ # Print result from CHECK_ACCESS_NOT_GRANTED check
+ - name: Print the result for CheckAccessNotGranted check
+ if: success() || failure()
+ run: echo "${{ steps.run-aws-check-access-not-granted.outputs.result }}"
+ # Run the CHECK_NO_NEW_ACCESS check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
+ # reference-policy is stored in GitHub secrets
+ - name: Run AWS AccessAnalyzer CheckNoNewAccess check
+ id: run-aws-check-no-new-access
+ uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
+ with:
+ policy-check-type: "CHECK_NO_NEW_ACCESS"
+ template-path: ${{ env.TEMPLATE_PATH}}
+ reference-policy: ${{ env.REFERENCE }}
+ reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }}
+ region: ${{env.REGION }}
+ # Print result from CHECK_NO_NEW_ACCESS check
+ - name: Print the result for CheckNoNewAccess check
+ if: success() || failure()
+ run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
diff --git a/code-scanning/policy-validator-tf.yaml b/code-scanning/policy-validator-tf.yaml
new file mode 100644
index 0000000000..1ca77b5f95
--- /dev/null
+++ b/code-scanning/policy-validator-tf.yaml
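Review bot: `reference-policy: ${{ env.REFERENCE }}` in the CheckNoNewAccess step reads an env variable that is never defined; the env block declares `REFERENCE_POLICY`, so the check is presumably handed an empty path, and the line should read `reference-policy: ${{ env.REFERENCE_POLICY }}`. The comments are also out of step with the env-based setup this commit says it introduced: the header still says the role ARN is stored in a `POLICY_VALIDATOR_ROLE` secret and the CheckNoNewAccess step is preceded by `# reference-policy is stored in GitHub secrets`, while `AWS_ROLE` and `REFERENCE_POLICY` are plain env placeholders. The `REFERENCE_POLICY` and `REFERENCE_POLICY_TYPE` comments, and the same comments in the tf template's header in the next hunk (which runs past this view), name a `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type although the value actually passed is `"CHECK_NO_NEW_ACCESS"`. As a point of style, the `actions/checkout` and `aws-actions/configure-aws-credentials` SHA pins lack the `# vX.Y.Z` comment the policy-validator pins carry, which makes the pinned version hard to audit, and `${{ env.TEMPLATE_PATH}}` / `${{env.REGION }}` should be spaced like `${{ env.REGION }}`.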
@@ -0,0 +1,87 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow will validate the IAM policies in the terraform (TF) templates with using the standard and custom checks in AWS IAM Access Analyzer +# To use this workflow, you will need to complete the following set up steps before start using it: +# 1. Configure an AWS IAM role to use the Access Analyzer's ValidatePolicy, CheckNoNewAccess and CheckAccessNotGranted. This IAM role must be configured to call from the GitHub Actions, use the following [doc](https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/) for steps. +# 2. If you're using CHECK_NO_NEW_ACCESS policy-check-type, you need to create a reference policy. Use the guide [here](https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples?tab=readme-ov-file#how-do-i-write-my-own-reference-policies) and store it your GitHub repo. +# 3. If you're using the CHECK_ACCESS_NOT_GRANTED policy-check-type, identify the list of critical actions that shouldn't be granted access by the policies in the TF templates. +# 4. Start using the GitHub actions by generating the GitHub events matching the defined criteria in your workflow. + +name: Validate AWS IAM policies in Terraform templates using Policy Validator +on: + push: + branches: [$default-branch, $protected-branches] + pull_request: + # The branches below must be a subset of the branches above + branches: [$default-branch] +env: + AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions + REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. 
us-west-1 + TEMPLATE_PATH: FILE_PATH_TO_THE_TF_PLAN # set this to the file path to the terraform plan in JSON + ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. + REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. + +jobs: + policy-validator: + runs-on: ubuntu-latest # Virtual machine to run the workflow (configurable) + #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#updating-your-github-actions-workflow + #https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/ + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners + name: Policy Validator checks for AWS IAM policies + steps: + # checkout the repo for workflow to access the contents + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + # Configure AWS Credentials. 
More configuration details here- https://github.com/aws-actions/configure-aws-credentials + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 + with: + role-to-assume: ${{ env.AWS_ROLE }} + aws-region: ${{ env.REGION }} + # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer ValidatePolicy check + id: run-aws-validate-policy + uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0 + with: + policy-check-type: "VALIDATE_POLICY" + template-path: ${{ env.TEMPLATE_PATH }} + region: ${{ env.REGION }} + # Print result from VALIDATE_POLICY check + - name: Print the result for ValidatePolicy check + if: success() || failure() + run: echo "${{ steps.run-aws-validate-policy.outputs.result }}" + # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer CheckAccessNotGranted check + id: run-aws-check-access-not-granted + uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0 + with: + policy-check-type: "CHECK_ACCESS_NOT_GRANTED" + template-path: ${{ env.TEMPLATE_PATH }} + actions: ${{ env.ACTIONS }} + region: ${{ env.REGION }} + # Print result from CHECK_ACCESS_NOT_GRANTED check + - name: Print the result for CheckAccessNotGranted check + if: success() || failure() + run: echo "${{ steps.run-aws-check-access-not-granted.outputs.result }}" + # Run the CHECK_NO_NEW_ACCESS check. 
More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator + # reference-policy is stored in GitHub secrets + - name: Run AWS AccessAnalyzer CheckNoNewAccess check + id: run-aws-check-no-new-access + uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0 + with: + policy-check-type: "CHECK_NO_NEW_ACCESS" + template-path: ${{ env.TEMPLATE_PATH }} + reference-policy: ${{ env.REFERENCE_POLICY }} + reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }} + region: ${{ env.REGION }} + # Print result from CHECK_NO_NEW_ACCESS check + - name: Print the result CheckNoNewAccess check + if: success() || failure() + run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}" diff --git a/code-scanning/properties/policy-validator-cfn.properties.json b/code-scanning/properties/policy-validator-cfn.properties.json new file mode 100644 index 0000000000..496b36856c --- /dev/null +++ b/code-scanning/properties/policy-validator-cfn.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Policy Validator for CloudFormation", + "creator": "Amazon Web Services", + "description": "Validate AWS IAM Policies in CloudFormation Templates powered IAM Access Analyzer", + "iconName": "aws", + "categories": ["Code Scanning", "AWS", "Python"] +} diff --git a/code-scanning/properties/policy-validator-tf.properties.json b/code-scanning/properties/policy-validator-tf.properties.json new file mode 100644 index 0000000000..f683f49c1e --- /dev/null +++ b/code-scanning/properties/policy-validator-tf.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Policy Validator for Terraform", + "creator": "Amazon Web Services", + "description": "Validate AWS IAM Policies in Terraform Templates powered IAM Access Analyzer", + "iconName": "aws", + "categories": ["Code Scanning", "AWS", "Python"] +} From 7e9ab60c5f227c12ce1b4197e7bc9ef4447d2e18 Mon Sep 17 00:00:00 2001 
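Review bot: The comments on the `REFERENCE_POLICY` and `REFERENCE_POLICY_TYPE` env entries say they are required for the `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type, but the step that consumes them passes `policy-check-type: "CHECK_NO_NEW_ACCESS"`, so a user searching for the check name will not find which inputs it needs; both comments should end with `This is required if you are using \`CHECK_NO_NEW_ACCESS\` policy-check-type.` The step comment `# reference-policy is stored in GitHub secrets` also describes only one of the two options the env comment offers (a secret holding the path, or a path directly in the repository) and does not mention that the step reads `env.REFERENCE_POLICY`; something like `# reference-policy is taken from env.REFERENCE_POLICY (a repo path, or a secret holding one)` would match the setup instructions. The same `# reference-policy is stored in GitHub secrets` comment appears in the CloudFormation variant earlier in this patch, whose hunk starts before this view, so I have not checked its env block for the same check-name mismatch.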
From: Fabian Aguilar Gomez Date: Fri, 19 Apr 2024 16:26:10 -0500 Subject: [PATCH 787/844] remove pages for now --- script/sync-ghes/settings.json | 1 - 1 file changed, 1 deletion(-) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index 41d6bcdfc4..c848615b01 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -3,7 +3,6 @@ "../../ci", "../../automation", "../../code-scanning", - "../../pages" ], "enabledActions": [ "actions/cache", From 29b0a3e3a9e362bf782a2d3d4bd200a92b577704 Mon Sep 17 00:00:00 2001 From: Fabian Aguilar Gomez Date: Fri, 19 Apr 2024 16:30:57 -0500 Subject: [PATCH 788/844] Update settings.json --- script/sync-ghes/settings.json | 2 -- 1 file changed, 2 deletions(-) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index c848615b01..0fd7319433 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -10,7 +10,6 @@ "actions/configure-pages", "actions/create-release", "actions/delete-package-versions", - "actions/deploy-pages", "actions/download-artifact", "actions/jekyll-build-pages", "actions/setup-dotnet", @@ -21,7 +20,6 @@ "actions/stale", "actions/starter-workflows", "actions/upload-artifact", - "actions/upload-pages-artifact", "actions/upload-release-asset", "github/codeql-action" ], From 37d6de723e3afd1add9316fdfcdbe9413b8603f9 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 25 Apr 2024 13:38:10 -0400 Subject: [PATCH 789/844] Setup-Java: Update all workflows to use Setup-Java V4 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- ci/android.yml | 2 +- ci/ant.yml | 2 +- ci/maven-publish.yml | 2 +- ci/maven.yml | 2 +- ci/scala.yml | 2 +- code-scanning/endorlabs.yml | 2 +- code-scanning/fortify.yml | 2 +- code-scanning/pmd.yml | 2 +- code-scanning/veracode.yml | 2 +- code-scanning/xanitizer.yml | 2 +- deployments/azure-functions-app-java-gradle.yml | 4 +++- deployments/azure-functions-app-java.yml | 4 +++- deployments/azure-webapps-java-jar-gradle.yml | 2 +- deployments/azure-webapps-java-jar.yml | 2 +- 14 files changed, 18 insertions(+), 14 deletions(-) diff --git a/ci/android.yml b/ci/android.yml index 80a33b4c0d..fec1eb98b3 100644 --- a/ci/android.yml +++ b/ci/android.yml @@ -14,7 +14,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: '11' distribution: 'temurin' diff --git a/ci/ant.yml b/ci/ant.yml index 517a37a633..8cfe6417a7 100644 --- a/ci/ant.yml +++ b/ci/ant.yml @@ -17,7 +17,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: '11' distribution: 'temurin' diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml index 954e6c8d9b..64b848b61d 100644 --- a/ci/maven-publish.yml +++ b/ci/maven-publish.yml @@ -18,7 +18,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: '11' distribution: 'temurin' diff --git a/ci/maven.yml b/ci/maven.yml index 47816eea03..7709373159 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -22,7 +22,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up JDK 17 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: '17' distribution: 'temurin' diff --git a/ci/scala.yml b/ci/scala.yml index 83b09f7d8b..49ca1e763d 100644 --- a/ci/scala.yml +++ b/ci/scala.yml 
@@ -22,7 +22,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: '11' distribution: 'temurin' diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index 670fe62305..46d14280a9 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml @@ -26,7 +26,7 @@ jobs: ### Use this section to define the build steps used by your software package. ### Endor Labs builds your software for you where possible but the required build tools must be made available. # - name: Setup Java - # uses: actions/setup-java@v3 + # uses: actions/setup-java@v4 # with: # distribution: 'microsoft' # java-version: '17' diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml index c52b70e537..8a94fca9da 100644 --- a/code-scanning/fortify.yml +++ b/code-scanning/fortify.yml @@ -44,7 +44,7 @@ jobs: # Java is required to run the various Fortify utilities. # When scanning a Java application, please use the appropriate Java version for building your application. - name: Setup Java - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: 8 distribution: 'temurin' diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index ed5eec92e7..d904a49eea 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -26,7 +26,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: '11' distribution: 'temurin' diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index 379493fdf0..df2f8b667b 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml 
@@ -42,7 +42,7 @@ jobs: - run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip - run: unzip -o pipeline-scan-LATEST.zip - - uses: actions/setup-java@v3 + - uses: actions/setup-java@v4 with: java-version: 8 distribution: 'temurin' diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 32c977e9e4..3b323e951f 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -62,7 +62,7 @@ jobs: # Set up the correct Java version for your project # Please comment out, if your project does not contain Java source code. - name: Set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: 11 distribution: 'temurin' diff --git a/deployments/azure-functions-app-java-gradle.yml b/deployments/azure-functions-app-java-gradle.yml index 131e287d93..87d9ec019a 100644 --- a/deployments/azure-functions-app-java-gradle.yml +++ b/deployments/azure-functions-app-java-gradle.yml @@ -28,6 +28,7 @@ permissions: env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure BUILD_GRADLE_DIRECTORY: '.' # set this to the directory which contains build.gradle file + DISTRIBUTION: 'zulu' # set this to the java version to use (e.g. 'zulu', 'temurin', 'microsoft') JAVA_VERSION: '8' # set this to the java version to use (e.g. '8', '11', '17') jobs: @@ -47,8 +48,9 @@ jobs: # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository - name: Setup Java Sdk ${{ env.JAVA_VERSION }} - uses: actions/setup-java@v1 + uses: actions/setup-java@v4 with: + distribution: ${{ env.DISTRIBUTION }} java-version: ${{ env.JAVA_VERSION }} # Build function project with functions gradle plugin diff --git a/deployments/azure-functions-app-java.yml b/deployments/azure-functions-app-java.yml index e7b78c0a02..c487affb84 100644 --- a/deployments/azure-functions-app-java.yml +++ b/deployments/azure-functions-app-java.yml 
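Review bot: The new `DISTRIBUTION: 'zulu'` env entry in deployments/azure-functions-app-java-gradle.yml carries a copy of the `JAVA_VERSION` comment and therefore tells the user to "set this to the java version to use" while listing distributions as examples; the line should read `DISTRIBUTION: 'zulu' # set this to the java distribution to use (e.g. 'zulu', 'temurin', 'microsoft')`. The same copied comment is added to deployments/azure-functions-app-java.yml in the next file of this patch and needs the same wording fix. Since setup-java v4 requires `distribution`, a user who misreads this line and leaves it at a version string will only find out when the step fails, so the comment is the only hint they get.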
@@ -25,6 +25,7 @@ on: env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure POM_XML_DIRECTORY: '.' # set this to the directory which contains pom.xml file + DISTRIBUTION: 'zulu' # set this to the java version to use (e.g. 'zulu', 'temurin', 'microsoft') JAVA_VERSION: '8' # set this to the java version to use (e.g. '8', '11', '17') jobs: @@ -42,8 +43,9 @@ jobs: # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository - name: Setup Java Sdk ${{ env.JAVA_VERSION }} - uses: actions/setup-java@v1 + uses: actions/setup-java@v4 with: + distribution: ${{ env.DISTRIBUTION }} java-version: ${{ env.JAVA_VERSION }} - name: 'Restore Project Dependencies Using Mvn' diff --git a/deployments/azure-webapps-java-jar-gradle.yml b/deployments/azure-webapps-java-jar-gradle.yml index 63a45cc208..51817b5843 100644 --- a/deployments/azure-webapps-java-jar-gradle.yml +++ b/deployments/azure-webapps-java-jar-gradle.yml @@ -40,7 +40,7 @@ jobs: - uses: actions/checkout@v4 - name: Set up Java version - uses: actions/setup-java@v3.0.0 + uses: actions/setup-java@v4 with: java-version: ${{ env.JAVA_VERSION }} distribution: ${{ env.DISTRIBUTION }} diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 608fb8ee83..c98baed362 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -40,7 +40,7 @@ jobs: - uses: actions/checkout@v4 - name: Set up Java version - uses: actions/setup-java@v3.0.0 + uses: actions/setup-java@v4 with: java-version: ${{ env.JAVA_VERSION }} distribution: ${{ env.DISTRIBUTION }} From 545832af8bf577275404c16cbca83d07fd475543 Mon Sep 17 00:00:00 2001 
From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 25 Apr 2024 14:23:34 -0400 Subject: [PATCH 790/844] Setup-Dotnet: Update all workflows to Setup-Dotnet V4 --- code-scanning/defender-for-devops.yml | 2 +- code-scanning/ossar.yml | 2 +- deployments/azure-functions-app-dotnet.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/code-scanning/defender-for-devops.yml b/code-scanning/defender-for-devops.yml index 07aa7d1a5e..0b058ce1c7 100644 --- a/code-scanning/defender-for-devops.yml +++ b/code-scanning/defender-for-devops.yml @@ -33,7 +33,7 @@ jobs: steps: - uses: actions/checkout@v4 - - uses: actions/setup-dotnet@v3 + - uses: actions/setup-dotnet@v4 with: dotnet-version: | 5.0.x diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index ad46e1d1f7..c1ecac1050 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -40,7 +40,7 @@ jobs: # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped. # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action: # - name: Install .NET - # uses: actions/setup-dotnet@v2 + # uses: actions/setup-dotnet@v4 # with: # dotnet-version: '3.1.x' diff --git a/deployments/azure-functions-app-dotnet.yml b/deployments/azure-functions-app-dotnet.yml index bf1169bf21..99ad945ce4 100644 --- a/deployments/azure-functions-app-dotnet.yml +++ b/deployments/azure-functions-app-dotnet.yml @@ -42,7 +42,7 @@ jobs: # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository - name: Setup DotNet ${{ env.DOTNET_VERSION }} Environment - uses: actions/setup-dotnet@v3 + uses: actions/setup-dotnet@v4 with: dotnet-version: ${{ env.DOTNET_VERSION }} diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index b4bfafbbb5..73b6380b9d 100644 
--- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -40,7 +40,7 @@ jobs: - uses: actions/checkout@v4 - name: Set up .NET Core - uses: actions/setup-dotnet@v2 + uses: actions/setup-dotnet@v4 with: dotnet-version: ${{ env.DOTNET_VERSION }} From d51dfabea2a2164939745ecebe07826579c2626c Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 25 Apr 2024 16:03:52 -0400 Subject: [PATCH 791/844] Artifacts: Update all workflows to use Artifacts V4 Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- ci/dotnet-desktop.yml | 4 ++-- code-scanning/msvc.yml | 2 +- code-scanning/scorecard.yml | 2 +- code-scanning/xanitizer.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 4 ++-- deployments/azure-webapps-java-jar-gradle.yml | 4 ++-- deployments/azure-webapps-java-jar.yml | 4 ++-- deployments/azure-webapps-node.yml | 4 ++-- deployments/azure-webapps-php.yml | 4 ++-- deployments/azure-webapps-python.yml | 4 ++-- 10 files changed, 17 insertions(+), 17 deletions(-) diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index ad99b56b9b..400a721cea 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -109,7 +109,7 @@ jobs: # Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact - name: Upload build artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: - name: MSIX Package + name: MSIX Package ${{ matrix.configuration }} path: ${{ env.Wap_Project_Directory }}\AppPackages diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 0700989a01..b905ef8d39 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -60,7 +60,7 @@ jobs: # Upload SARIF file as an Artifact to download and view # - name: Upload SARIF as an Artifact - # uses: actions/upload-artifact@v3 + # uses: actions/upload-artifact@v4 # with: # name: sarif-file # path: ${{ steps.run-analysis.outputs.sarif }} 
diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index 162c788bbd..729d741a99 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml @@ -59,7 +59,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: SARIF file path: results.sarif diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 32c977e9e4..2fd110a2e2 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -87,7 +87,7 @@ jobs: license: ${{ secrets.XANITIZER_LICENSE }} # Archiving the findings list reports - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: Xanitizer-Reports path: | diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index b4bfafbbb5..64124e5a67 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -59,7 +59,7 @@ jobs: run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: .net-app path: ${{env.DOTNET_ROOT}}/myapp @@ -75,7 +75,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: .net-app diff --git a/deployments/azure-webapps-java-jar-gradle.yml b/deployments/azure-webapps-java-jar-gradle.yml index 63a45cc208..a066d8912a 100644 --- a/deployments/azure-webapps-java-jar-gradle.yml +++ b/deployments/azure-webapps-java-jar-gradle.yml 
@@ -50,7 +50,7 @@ jobs: run: gradle build - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: java-app path: '${{ github.workspace }}/build/libs/*.jar' @@ -66,7 +66,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: java-app diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 608fb8ee83..f6c17a9739 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -50,7 +50,7 @@ jobs: run: mvn clean install - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: java-app path: '${{ github.workspace }}/target/*.jar' @@ -66,7 +66,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: java-app diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index 147d4e612d..891a7d6337 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -49,7 +49,7 @@ jobs: npm run test --if-present - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: node-app path: . @@ -65,7 +65,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: node-app diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 1182c2a899..3391c83b24 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml 
@@ -70,7 +70,7 @@ jobs: run: composer validate --no-check-publish && composer install --prefer-dist --no-progress - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: php-app path: . @@ -86,7 +86,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: php-app diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 656f95c9a0..e4868c4cdb 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -55,7 +55,7 @@ jobs: # Optional: Add step to run tests here (PyTest, Django test suites, etc.) - name: Upload artifact for deployment jobs - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: python-app path: | @@ -73,7 +73,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: python-app path: . From a072fdfb1ceba231fa8e1036cb88eac42ad10db9 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 25 Apr 2024 17:10:59 -0400 Subject: [PATCH 792/844] Labeler: Update to v5 --- .github/workflows/labeler-triage.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/labeler-triage.yml b/.github/workflows/labeler-triage.yml index 99fdbc5cdd..2de6b88591 100644 --- a/.github/workflows/labeler-triage.yml +++ b/.github/workflows/labeler-triage.yml @@ -5,12 +5,12 @@ permissions: pull-requests: write on: -- pull_request_target + pull_request_target: jobs: triage: runs-on: ubuntu-latest steps: - - uses: actions/labeler@v4 + - uses: actions/labeler@v5 with: - repo-token: "${{ secrets.GITHUB_TOKEN }}" \ No newline at end of file + repo-token: "${{ secrets.GITHUB_TOKEN }}" From 1830845916d09bee7327d12cbf1e387edfdb9846 Mon Sep 17 00:00:00 2001 
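Review bot: Moving `actions/labeler` from v4 to v5 is not a drop-in bump: v5 changed the schema of the labeler configuration file (label rules are now expressed via `changed-files` entries such as `any-glob-to-any-file` rather than bare glob lists), and this commit does not touch or mention that file, so the triage workflow may stop matching anything if `.github/labeler.yml` is still in the v4 format. I cannot see the config from this hunk, so this is an inference to confirm; if it has already been migrated, a one-line note in the commit message or a comment on the `uses:` line such as `# v5 requires the changed-files config format` would save the next reader the same check.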
From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 25 Apr 2024 13:37:42 -0400 Subject: [PATCH 793/844] Setup-Node: Update all workflows to use Setup-Node V4 * Switch default node version to 20 * Update version set to 18.x, 20.x, 22.x Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- .github/workflows/sync-ghes.yaml | 4 ++-- .github/workflows/validate-data.yaml | 4 ++-- ci/node.js.yml | 4 ++-- ci/npm-grunt.yml | 4 ++-- ci/npm-gulp.yml | 4 ++-- ci/npm-publish-github-packages.yml | 8 ++++---- ci/npm-publish.yml | 8 ++++---- ci/webpack.yml | 4 ++-- code-scanning/crda.yml | 4 ++-- code-scanning/jscrambler-code-integrity.yml | 4 ++-- code-scanning/snyk-security.yml | 4 ++-- deployments/azure-functions-app-nodejs.yml | 4 ++-- deployments/azure-webapps-node.yml | 4 ++-- 13 files changed, 30 insertions(+), 30 deletions(-) diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index 6a3da68e59..5d39d18e4c 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -15,9 +15,9 @@ jobs: git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/* git config user.email "cschleiden@github.com" git config user.name "GitHub Actions" - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: '16' + node-version: '20' cache: 'npm' cache-dependency-path: script/sync-ghes/package-lock.json - name: Check starter workflows for GHES compat diff --git a/.github/workflows/validate-data.yaml b/.github/workflows/validate-data.yaml index 43f5578a6a..52988aa5b7 100644 --- a/.github/workflows/validate-data.yaml +++ b/.github/workflows/validate-data.yaml @@ -12,9 +12,9 @@ jobs: steps: - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: '16' + node-version: '20' cache: 'npm' cache-dependency-path: script/validate-data/package-lock.json 
diff --git a/ci/node.js.yml b/ci/node.js.yml index 688a227883..d5ccc1494a 100644 --- a/ci/node.js.yml +++ b/ci/node.js.yml @@ -16,13 +16,13 @@ jobs: strategy: matrix: - node-version: [14.x, 16.x, 18.x] + node-version: [18.x, 20.x, 22.x] # See supported Node.js release schedule at https://nodejs.org/en/about/releases/ steps: - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: ${{ matrix.node-version }} cache: 'npm' diff --git a/ci/npm-grunt.yml b/ci/npm-grunt.yml index 0039895d28..ccdabd8861 100644 --- a/ci/npm-grunt.yml +++ b/ci/npm-grunt.yml @@ -12,13 +12,13 @@ jobs: strategy: matrix: - node-version: [14.x, 16.x, 18.x] + node-version: [18.x, 20.x, 22.x] steps: - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: ${{ matrix.node-version }} diff --git a/ci/npm-gulp.yml b/ci/npm-gulp.yml index 19bed274bb..3a4ec122fc 100644 --- a/ci/npm-gulp.yml +++ b/ci/npm-gulp.yml @@ -12,13 +12,13 @@ jobs: strategy: matrix: - node-version: [14.x, 16.x, 18.x] + node-version: [18.x, 20.x, 22.x] steps: - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: ${{ matrix.node-version }} diff --git a/ci/npm-publish-github-packages.yml b/ci/npm-publish-github-packages.yml index 189970904d..99531c0178 100644 --- a/ci/npm-publish-github-packages.yml +++ b/ci/npm-publish-github-packages.yml @@ -12,9 +12,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: 16 + node-version: 20 - run: npm ci - run: npm test 
@@ -26,9 +26,9 @@ jobs: packages: write steps: - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: 16 + node-version: 20 registry-url: $registry-url(npm) - run: npm ci - run: npm publish diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index 0049296098..2a4766d389 100644 --- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml @@ -12,9 +12,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: 16 + node-version: 20 - run: npm ci - run: npm test @@ -23,9 +23,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: 16 + node-version: 20 registry-url: https://registry.npmjs.org/ - run: npm ci - run: npm publish diff --git a/ci/webpack.yml b/ci/webpack.yml index 9e967c0d54..1013845287 100644 --- a/ci/webpack.yml +++ b/ci/webpack.yml @@ -12,13 +12,13 @@ jobs: strategy: matrix: - node-version: [14.x, 16.x, 18.x] + node-version: [18.x, 20.x, 22.x] steps: - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: ${{ matrix.node-version }} diff --git a/code-scanning/crda.yml b/code-scanning/crda.yml index d5bb88f46a..82610acf1f 100644 --- a/code-scanning/crda.yml +++ b/code-scanning/crda.yml @@ -94,9 +94,9 @@ jobs: # # Example: # - name: Setup Node - # uses: actions/setup-node@v2 + # uses: actions/setup-node@v4 # with: - # node-version: '14' + # node-version: '20' # https://github.com/redhat-actions/openshift-tools-installer/blob/main/README.md - name: Install CRDA CLI diff --git a/code-scanning/jscrambler-code-integrity.yml b/code-scanning/jscrambler-code-integrity.yml index 69d7c42f05..64a998a955 100644 --- a/code-scanning/jscrambler-code-integrity.yml +++ b/code-scanning/jscrambler-code-integrity.yml 
@@ -28,9 +28,9 @@ jobs: contents: read steps: - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: 18 + node-version: 20 - run: npm ci - run: npm run build - name: Jscrambler Code Integrity diff --git a/code-scanning/snyk-security.yml b/code-scanning/snyk-security.yml index 4941e0021b..bee888c04b 100644 --- a/code-scanning/snyk-security.yml +++ b/code-scanning/snyk-security.yml @@ -43,9 +43,9 @@ jobs: # For Snyk Open Source you must first set up the development environment for your application's dependencies # For example for Node - #- uses: actions/setup-node@v3 + #- uses: actions/setup-node@v4 # with: - # node-version: 16 + # node-version: 20 env: # This is where you will need to introduce the Snyk API token created with your Snyk account diff --git a/deployments/azure-functions-app-nodejs.yml b/deployments/azure-functions-app-nodejs.yml index 6c2e45c6d6..69d3d275ef 100644 --- a/deployments/azure-functions-app-nodejs.yml +++ b/deployments/azure-functions-app-nodejs.yml @@ -27,7 +27,7 @@ on: env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your function app project, defaults to the repository root - NODE_VERSION: '16.x' # set this to the node version to use (e.g. '8.x', '10.x', '12.x') + NODE_VERSION: '20.x' # set this to the node version to use (e.g. '8.x', '10.x', '12.x') jobs: build-and-deploy: @@ -44,7 +44,7 @@ jobs: # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository - name: Setup Node ${{ env.NODE_VERSION }} Environment - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: ${{ env.NODE_VERSION }} diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index 147d4e612d..dfa9dbb187 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml 
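Review bot: The `NODE_VERSION: '20.x'` line in deployments/azure-functions-app-nodejs.yml keeps the old comment `# set this to the node version to use (e.g. '8.x', '10.x', '12.x')`, so the examples now list only versions that are long out of support and that setup-node@v4 is not tested against, right next to a default of 20; the comment should be updated with the change, for example `# set this to the node version to use (e.g. '18.x', '20.x', '22.x')`, which matches the matrix this same patch puts into ci/node.js.yml. The second hunk in this file only bumps the action version and is fine as is.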
@@ -25,7 +25,7 @@ on: env: AZURE_WEBAPP_NAME: your-app-name # set this to your application's name AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - NODE_VERSION: '14.x' # set this to the node version to use + NODE_VERSION: '20.x' # set this to the node version to use permissions: contents: read @@ -37,7 +37,7 @@ jobs: - uses: actions/checkout@v4 - name: Set up Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' From 23a568e80a38bbe4a73f1b49a344ea50b3a50351 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 25 Apr 2024 21:32:56 -0400 Subject: [PATCH 794/844] fix(openshift): comment out dangling dependency --- deployments/openshift.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/deployments/openshift.yml b/deployments/openshift.yml index 1c3fc43d52..d6785c2f88 100644 --- a/deployments/openshift.yml +++ b/deployments/openshift.yml @@ -67,11 +67,11 @@ jobs: # TODO: Make sure to add 'CRDA Scan' starter workflow from the 'Actions' tab. # For guide on adding new starter workflow visit https://docs.github.com/en/github-ae@latest/actions/using-workflows/using-starter-workflows - crda-scan: - uses: ./.github/workflows/crda.yml - secrets: - CRDA_KEY: ${{ secrets.CRDA_KEY }} - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # Either use SNYK_TOKEN or CRDA_KEY + #crda-scan: + # uses: ./.github/workflows/crda.yml + # secrets: + # CRDA_KEY: ${{ secrets.CRDA_KEY }} + # # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # Either use SNYK_TOKEN or CRDA_KEY openshift-ci-cd: # 🖊️ Uncomment this if you are using CRDA scan step above From e656ded9f0017958db40fbd074f083d5b9c29c62 Mon Sep 17 00:00:00 2001 
From: Jamie McCarthy Date: Fri, 26 Apr 2024 07:16:34 -0400 Subject: [PATCH 795/844] Reference ruby/setup-ruby with latest commit hash As required in pull_request_template.md --- ci/rubyonrails.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index 17e08b4e4f..b976f3f3f3 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -30,7 +30,7 @@ jobs: uses: actions/checkout@v4 # Add or replace dependency steps here - name: Install Ruby and gems - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@1198b074305f9356bd56dd4b311757cc0dab2f1c # v1.175.1 with: bundler-cache: true # Add or replace database setup steps here @@ -46,7 +46,7 @@ jobs: - name: Checkout code uses: actions/checkout@v4 - name: Install Ruby and gems - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@1198b074305f9356bd56dd4b311757cc0dab2f1c # v1.175.1 with: bundler-cache: true # Add or replace any other lints here From 5902ad751bbf5a50ae17fe754e01046512540412 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 11:56:18 -0700 Subject: [PATCH 796/844] Update script/sync-ghes/settings.json --- script/sync-ghes/settings.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index 0fd7319433..0dbea1e647 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -2,7 +2,7 @@ "folders": [ "../../ci", "../../automation", - "../../code-scanning", + "../../code-scanning" ], "enabledActions": [ "actions/cache", From d526113a1b61be86f4ba9aac4f765073a26cdd65 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 11:56:46 -0700 Subject: [PATCH 797/844] Update script/sync-ghes/settings.json --- script/sync-ghes/settings.json | 1 + 1 file changed, 1 insertion(+) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index 0dbea1e647..fec0264068 100644 --- a/script/sync-ghes/settings.json 
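Review bot: The commit pin covers only one of the two actions in each step list: `uses: ruby/setup-ruby@1198b074305f9356bd56dd4b311757cc0dab2f1c # v1.175.1` is now immutable, while the context line `uses: actions/checkout@v4` directly above it in both hunks still resolves a mutable tag at run time. If the pull_request_template.md requirement cited in the commit message applies to every action rather than only third-party ones, the checkout step should be pinned the same way; otherwise a one-line comment above it stating why it is exempt would save the next reviewer the question. A commit pin also stops receiving upstream fixes silently, so the repository needs Dependabot's `github-actions` ecosystem (or an equivalent updater) to keep the hash and its `# v1.175.1` label moving together. The hunk at `@@ -46,7 +46,7 @@` in the same file carries the identical change.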
+++ b/script/sync-ghes/settings.json @@ -10,6 +10,7 @@ "actions/configure-pages", "actions/create-release", "actions/delete-package-versions", + "actions/deploy-pages", "actions/download-artifact", "actions/jekyll-build-pages", "actions/setup-dotnet", From 7d07997513aa76f3d0f2523a58b194c1c1b90b6d Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 11:57:05 -0700 Subject: [PATCH 798/844] Update script/sync-ghes/settings.json --- script/sync-ghes/settings.json | 1 + 1 file changed, 1 insertion(+) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index fec0264068..cb0197aa44 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -21,6 +21,7 @@ "actions/stale", "actions/starter-workflows", "actions/upload-artifact", + "actions/upload-pages-artifact", "actions/upload-release-asset", "github/codeql-action" ], From 264962401da5f1837581d623fbc211c84118ae07 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:03:21 -0700 Subject: [PATCH 799/844] ici --- script/sync-ghes/index.ts | 6 ++++++ script/sync-ghes/settings.json | 6 +++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index f53d220b40..2559b40aa3 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -163,6 +163,9 @@ async function checkWorkflow( await exec("rm", ["-fr", ...settings.folders]); await exec("rm", ["-fr", "../../icons"]); + // Ignore read-only folders from compatible workflows list + result.compatibleWorkflows = result.compatibleWorkflows.filter(x => !settings.readOnlyFolders.includes(x.folder)); + console.log("Sync changes from main for compatible workflows"); await exec("git", [ "checkout", @@ -184,6 +187,9 @@ async function checkWorkflow( }) ), ]); + + // Add back Pages icons + } catch (e) { console.error("Unhandled error while syncing workflows", e); process.exitCode = 1; 
diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index cb0197aa44..ce18eb6179 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -2,7 +2,11 @@ "folders": [ "../../ci", "../../automation", - "../../code-scanning" + "../../code-scanning", + "../../pages" + ], + "readOnlyFolders": [ + "../../pages" ], "enabledActions": [ "actions/cache", From c7480532d0129274e25ccd09e2357377a228f56a Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:16:50 -0700 Subject: [PATCH 800/844] again --- script/sync-ghes/index.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 2559b40aa3..7c07a367ca 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -153,7 +153,7 @@ async function checkWorkflow( console.groupEnd(); console.log("Switch to GHES branch"); - await exec("git", ["checkout", "ghes"]); + // await exec("git", ["checkout", "ghes"]); // In order to sync from main, we might need to remove some workflows, add some // and modify others. The lazy approach is to delete all workflows first, and then @@ -163,7 +163,7 @@ async function checkWorkflow( await exec("rm", ["-fr", ...settings.folders]); await exec("rm", ["-fr", "../../icons"]); - // Ignore read-only folders from compatible workflows list + // Ignore compatible workflows in a read-only folder result.compatibleWorkflows = result.compatibleWorkflows.filter(x => !settings.readOnlyFolders.includes(x.folder)); console.log("Sync changes from main for compatible workflows"); From 252e935e86952db9cad9b0f6c9ee1d543f91e12c Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:17:24 -0700 Subject: [PATCH 801/844] ghes --- script/sync-ghes/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 7c07a367ca..e7cb2b2601 100755 --- a/script/sync-ghes/index.ts 
+++ b/script/sync-ghes/index.ts @@ -153,7 +153,7 @@ async function checkWorkflow( console.groupEnd(); console.log("Switch to GHES branch"); - // await exec("git", ["checkout", "ghes"]); + await exec("git", ["checkout", "ghes"]); // In order to sync from main, we might need to remove some workflows, add some // and modify others. The lazy approach is to delete all workflows first, and then From 1e15901e1c50134c3eb77f2b3c82b79d15a5f3e5 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:20:27 -0700 Subject: [PATCH 802/844] wip --- script/sync-ghes/index.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index e7cb2b2601..03d04f0779 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -156,11 +156,11 @@ async function checkWorkflow( await exec("git", ["checkout", "ghes"]); // In order to sync from main, we might need to remove some workflows, add some - // and modify others. The lazy approach is to delete all workflows first, and then + // and modify others. The lazy approach is to delete all workflows first (except from read-only folders), and then // just bring the compatible ones over from the main branch. We let git figure out // whether it's a deletion, add, or modify and commit the new state. console.log("Remove all workflows"); - await exec("rm", ["-fr", ...settings.folders]); + await exec("rm", ["-fr", ...(settings.folders.filter(x => !settings.readOnlyFolders.includes(x)))]); await exec("rm", ["-fr", "../../icons"]); // Ignore compatible workflows in a read-only folder From 138375ba29d0bac534217573f589a49ebb3d87d3 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:30:15 -0700 Subject: [PATCH 803/844] wip --- script/sync-ghes/index.ts | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 03d04f0779..9105bb395b 100755 
--- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -160,11 +160,17 @@ async function checkWorkflow( // just bring the compatible ones over from the main branch. We let git figure out // whether it's a deletion, add, or modify and commit the new state. console.log("Remove all workflows"); - await exec("rm", ["-fr", ...(settings.folders.filter(x => !settings.readOnlyFolders.includes(x)))]); + await exec("rm", ["-fr", ...settings.folders]); await exec("rm", ["-fr", "../../icons"]); - // Ignore compatible workflows in a read-only folder - result.compatibleWorkflows = result.compatibleWorkflows.filter(x => !settings.readOnlyFolders.includes(x.folder)); + // Bring back the read-only folders + console.log("Restore read-only folders"); + settings.readOnlyFolders.forEach(async (folder) => { + await exec("git", [ + "checkout", + folder + ]); + }); console.log("Sync changes from main for compatible workflows"); await exec("git", [ From 66e7ed44ca7256287ab489b0eda374250e41979c Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:31:34 -0700 Subject: [PATCH 804/844] wip --- script/sync-ghes/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 9105bb395b..3b8aa93f73 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -165,7 +165,7 @@ async function checkWorkflow( // Bring back the read-only folders console.log("Restore read-only folders"); - settings.readOnlyFolders.forEach(async (folder) => { + await settings.readOnlyFolders.forEach(async (folder) => { await exec("git", [ "checkout", folder From ddca0a93277bce73784982a3a5e8ccb46f2bdac7 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:33:45 -0700 Subject: [PATCH 805/844] async --- script/sync-ghes/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 3b8aa93f73..9105bb395b 100755 
--- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -165,7 +165,7 @@ async function checkWorkflow( // Bring back the read-only folders console.log("Restore read-only folders"); - await settings.readOnlyFolders.forEach(async (folder) => { + settings.readOnlyFolders.forEach(async (folder) => { await exec("git", [ "checkout", folder From 3fa8d369daa66974da30d33cc5df57d08ac1cc1d Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:37:57 -0700 Subject: [PATCH 806/844] async --- script/sync-ghes/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 9105bb395b..3b8aa93f73 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -165,7 +165,7 @@ async function checkWorkflow( // Bring back the read-only folders console.log("Restore read-only folders"); - settings.readOnlyFolders.forEach(async (folder) => { + await settings.readOnlyFolders.forEach(async (folder) => { await exec("git", [ "checkout", folder From 9f6e4a9e7dbeddc1a36599c96b026a4e6afaf871 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:38:43 -0700 Subject: [PATCH 807/844] wip --- script/sync-ghes/index.ts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 3b8aa93f73..0b84733cda 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -172,6 +172,8 @@ async function checkWorkflow( ]); }); + throw 'x' + console.log("Sync changes from main for compatible workflows"); await exec("git", [ "checkout", From 00731369055d2c5f848a5542fbbe453fc4b5761f Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:40:32 -0700 Subject: [PATCH 808/844] wip --- script/sync-ghes/index.ts | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 0b84733cda..2f20fec0b5 100755 --- a/script/sync-ghes/index.ts 
+++ b/script/sync-ghes/index.ts @@ -165,14 +165,12 @@ async function checkWorkflow( // Bring back the read-only folders console.log("Restore read-only folders"); - await settings.readOnlyFolders.forEach(async (folder) => { + for (let i = 0; i < settings.readOnlyFolders.length; i++) { await exec("git", [ "checkout", - folder + settings.readOnlyFolders[i] ]); - }); - - throw 'x' + } console.log("Sync changes from main for compatible workflows"); await exec("git", [ From dd92d3760d30c5eeaa21bbf35bfd83007e1e251b Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:43:22 -0700 Subject: [PATCH 809/844] wip --- script/sync-ghes/index.ts | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 2f20fec0b5..204294690d 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -180,10 +180,13 @@ async function checkWorkflow( ...Array.prototype.concat.apply( [], result.compatibleWorkflows.map((x) => { - const r = [ - join(x.folder, `${x.id}.yml`), - join(x.folder, "properties", `${x.id}.properties.json`), - ]; + const r = []; + + // Don't touch read-only folders + if (!settings.readOnlyFolders.includes(x.folder)) { + r.push(join(x.folder, `${x.id}.yml`)); + r.push(join(x.folder, "properties", `${x.id}.properties.json`)); + }; if (x.iconType === "svg") { r.push(join("../../icons", `${x.iconName}.svg`)); From 2c3a9cab039548b67470dbd9001f579b4dc39772 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:46:23 -0700 Subject: [PATCH 810/844] Update script/sync-ghes/index.ts --- script/sync-ghes/index.ts | 3 --- 1 file changed, 3 deletions(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 204294690d..fcdaaad5e2 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts 
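Review bot: The restored loop passes the folder path to `git checkout` bare, so a settings value that also names a ref (or begins with `-`) would be parsed as a branch or option rather than a pathspec; write it as `await exec("git", ["checkout", "--", settings.readOnlyFolders[i]]);`. The loop re-creates the read-only folders from the ghes branch after the earlier `rm -fr` of `settings.folders` (visible in the patch 803 hunk), which presumably still includes them, so a one-line comment stating that the restore depends on that ordering would help the next maintainer. Replacing `forEach(async …)` with a plain `for` loop is the right fix, since the callback form never awaited the checkouts and let the git calls run concurrently. checkWorkflow starts and ends outside the hunk.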
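Review bot: The `};` closing the new `if (!settings.readOnlyFolders.includes(x.folder))` block ends with a stray semicolon, which is an empty statement; drop it. `const r = [];` would read more clearly with an explicit element type, `const r: string[] = [];`, since every value pushed below is built with `join`. A comment such as `// read-only folders keep the files already restored from the ghes branch; only icons are synced for them` would explain why the workflow files are skipped while the icon push that follows still runs. The enclosing `exec("git", [...])` call and checkWorkflow continue outside the hunk.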
@@ -196,9 +196,6 @@ async function checkWorkflow( }) ), ]); - - // Add back Pages icons - } catch (e) { console.error("Unhandled error while syncing workflows", e); process.exitCode = 1; From b30fbdf5f2c90750a667f9bf56ba7777f9dee6f6 Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Thu, 2 May 2024 10:59:15 -0400 Subject: [PATCH 811/844] Specify bash shell so that it doesn't fail if switching to 'windows` --- code-scanning/codeql.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 6fdadb163d..655fc59b4e 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -76,6 +76,7 @@ jobs: # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - if: matrix.build-mode == 'manual' + shell: bash run: | echo 'If you are using a "manual" build mode for one or more of the' \ 'languages you are analyzing, replace this with the commands to build' \ From 6702f0d2e3cec8183954616cf7fd6f921b701302 Mon Sep 17 00:00:00 2001 
From: Dylan Date: Mon, 6 May 2024 09:57:14 -0400 Subject: [PATCH 812/844] Fortify Starter Workflow to use new Fortify AST Action (#2245) * Update Fortify logo * Update fortify workflow Update positioning, Github action versions, Java version and add in Debricked packaging support * Update fortify.properties.json Update languages and creator * Update fortify.yml Update triggers based on latest starter workflow guidelines * Update code-scanning/fortify.yml Co-authored-by: James M. Greene * Update code-scanning/fortify.yml Co-authored-by: James M. Greene * Update code-scanning/properties/fortify.properties.json Co-authored-by: James M. Greene * Update code-scanning/fortify.yml Co-authored-by: James M. Greene * Update code-scanning/fortify.yml Co-authored-by: James M. Greene * Update code-scanning/fortify.yml Co-authored-by: James M. Greene * Update fortify.yml * Update fortify.properties.json * Update fortify.yml Update starter workflow to use new unified Fortify AST Action * Update fortify.yml * Update fortify.yml * Update fortify.yml Refine workflow comments * Update fortify.yml Bump checkout action version * Update fortify.yml * Update fortify.yml * Update fortify.yml One final clean up * Update fortify.properties.json * Update fortify.yml * Update fortify.yml * Update fortify.properties.json Update with support for Bicep and Solidity * Update fortify.properties.json Uppercase "Solidity" for consistency * Change v1 to commit hash --------- Co-authored-by: James M. Greene Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com> --- code-scanning/fortify.yml | 116 ++++++++---------- .../properties/fortify.properties.json | 8 +- icons/fortify.svg | 30 ++++- 3 files changed, 84 insertions(+), 70 deletions(-) diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml index c52b70e537..01611e8c11 100644 --- a/code-scanning/fortify.yml +++ b/code-scanning/fortify.yml 
@@ -4,32 +4,31 @@ # documentation. ################################################################################################################################################ -# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,# -# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial # -# or contact our sales team, visit microfocus.com/appsecurity. # +# Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your # +# software supply chain. To learn more about Fortify, start a free trial or contact our sales team, visit fortify.com. # # # -# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.# -# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into # -# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against # -# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the # -# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional # -# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. # +# Use this starter workflow as a basis for integrating Fortify Application Security Testing into your GitHub workflows. This template # +# demonstrates the steps to package the code+dependencies, initiate a scan, and optionally import SAST vulnerabilities into GitHub Security # +# Code Scanning Alerts. 
Additional information is available in the workflow comments and the Fortify AST Action / fcli / Fortify product # +# documentation. If you need additional assistance, please contact Fortify support. # ################################################################################################################################################ -name: Fortify on Demand Scan +name: Fortify AST Scan -# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time +# Customize trigger events based on your DevSecOps process and/or policy on: - workflow_dispatch: push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above branches: [ $default-branch ] schedule: - cron: $cron-weekly + workflow_dispatch: jobs: - FoD-SAST-Scan: - # Use the appropriate runner for building your source code. - # TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax. + Fortify-AST-Scan: + # Use the appropriate runner for building your source code. Ensure dev tools required to build your code are present and configured appropriately (MSBuild, Python, etc). runs-on: ubuntu-latest permissions: actions: read 
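Review bot: The new `pull_request:` trigger combines with the `${{secrets.FOD_TENANT}}`, `${{secrets.FOD_USER}}` and `${{secrets.FOD_PAT}}` references in the scan step of the next hunk, and pull_request runs from forks receive no repository secrets, so on fork PRs the scan step will fail to authenticate rather than scan. If forks are expected, guard the scan step (for example `if: github.event.pull_request.head.repo.full_name == github.repository`) or state in the trigger comment that the workflow only scans same-repository pull requests. The `# The branches below must be a subset of the branches above` comment should also say what happens to PRs targeting the `$protected-branches` listed under push, since those are not in the pull_request list. The `permissions:` block of Fortify-AST-Scan continues outside the hunk.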
@@ -41,58 +40,45 @@ jobs: - name: Check Out Source Code uses: actions/checkout@v4 - # Java is required to run the various Fortify utilities. - # When scanning a Java application, please use the appropriate Java version for building your application. + # Java is required to run the various Fortify utilities. Ensuring proper version is installed on the runner. - name: Setup Java - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: - java-version: 8 + java-version: 17 distribution: 'temurin' - # Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml. - # TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints: - # ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle). - # ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner. - # ScanCentral has additional options that should be set for PHP and Python projects - # For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation. - # ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/ - - name: Download Fortify ScanCentral Client - uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3 - - name: Package Code + Dependencies - run: scancentral package $PACKAGE_OPTS -o package.zip - env: - PACKAGE_OPTS: "-bt mvn" - - # Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java - # TODO: Update ENV variables for your application and create the necessary GitHub Secrets. 
Helpful hints: - # Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used). - # Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal. - - name: Download Fortify on Demand Universal CI Tool - uses: fortify/gha-setup-fod-uploader@6e6bb8a33cb476e240929fa8ebc739ff110e7433 - - name: Perform SAST Scan - run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES" - env: - FOD_URL: "https://ams.fortify.com/" - FOD_API_URL: "https://api.ams.fortify.com/" - FOD_TENANT: ${{ secrets.FOD_TENANT }} - FOD_USER: ${{ secrets.FOD_USER }} - FOD_PAT: ${{ secrets.FOD_PAT }} - FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }} - FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" - FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})' - - # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. - - name: Export results to GitHub-optimized SARIF - uses: fortify/gha-export-vulnerabilities@fcb374411cff9809028c911dabb8b57dbdae623b - with: - fod_base_url: "https://ams.fortify.com/" - fod_tenant: ${{ secrets.FOD_TENANT }} - fod_user: ${{ secrets.FOD_USER }} - fod_password: ${{ secrets.FOD_PAT }} - fod_release_id: ${{ secrets.FOD_RELEASE_ID }} - - # Import Fortify on Demand results to GitHub Security Code Scanning - - name: Import Results - uses: github/codeql-action/upload-sarif@v2 + # Perform SAST and optionally SCA scan via Fortify on Demand/Fortify Hosted/Software Security Center, then + # optionally export SAST results to the GitHub code scanning dashboard. 
In case further customization is + # required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools + # and run them directly from within your pipeline; see https://github.com/fortify/github-action#readme for + # details. + - name: Run FoD SAST Scan + uses: fortify/github-action@a92347297e02391b857e7015792cd1926a4cd418 with: - sarif_file: ./gh-fortify-sast.sarif + sast-scan: true + env: + ### Required configuration when integrating with Fortify on Demand + FOD_URL: https://ams.fortify.com + FOD_TENANT: ${{secrets.FOD_TENANT}} + FOD_USER: ${{secrets.FOD_USER}} + FOD_PASSWORD: ${{secrets.FOD_PAT}} + ### Optional configuration when integrating with Fortify on Demand + # EXTRA_PACKAGE_OPTS: -oss # Extra 'scancentral package' options, like '-oss'' if + # Debricked SCA scan is enabled on Fortify on Demand + # EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options + # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: /:; may + # replace app+release name with numeric release ID + # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true' + # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard + ### Required configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral + # SSC_URL: ${{secrets.SSC_URL}} # SSC URL + # SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken or AutomationToken + # SC_SAST_TOKEN: ${{secrets.SC_SAST_TOKEN}} # ScanCentral SAST client auth token + # SC_SAST_SENSOR_VERSION: ${{vars.SC_SAST_SENSOR_VERSION}} # Sensor version on which to run the scan; + # usually defined as organization or repo variable + ### Optional configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral + # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options + # SSC_APPVERSION: MyApp:MyVersion # SSC application version, default: /: + # EXTRA_PACKAGE_OPTS: -bv myCustomPom.xml 
# Extra 'scancentral package' options + # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true' + # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard diff --git a/code-scanning/properties/fortify.properties.json b/code-scanning/properties/fortify.properties.json index 100b4bb1b3..9a7511cef4 100644 --- a/code-scanning/properties/fortify.properties.json +++ b/code-scanning/properties/fortify.properties.json @@ -1,7 +1,7 @@ { - "name": "Fortify on Demand Scan", - "creator": "Micro Focus", - "description": "Integrate Fortify's comprehensive static code analysis (SAST) for 27+ languages into your DevSecOps workflows to build secure software faster.", + "name": "Fortify Scan", + "creator": "OpenText", + "description": "Integrate Fortify's comprehensive static code analysis (SAST) for 33+ languages into your DevSecOps workflows.", "iconName": "fortify", - "categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Go", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "Objective-C++", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML"] + "categories": ["Code Scanning", "ABAP", "ActionScript", "Bicep", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Dart", "Go", "HCL", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Solidity", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML", "YAML"] } diff --git a/icons/fortify.svg b/icons/fortify.svg index 45a0d77f57..70339605e3 100644 --- a/icons/fortify.svg +++ b/icons/fortify.svg @@ -1 +1,29 @@ - \ No newline at end of file + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From 7ea2dd7e0811dcfcc9dddffdce42b377a42ca745 Mon Sep 17 00:00:00 2001 
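Review bot: `uses: fortify/github-action@a92347297e02391b857e7015792cd1926a4cd418` is commit-pinned but carries no version label, unlike the other pins in this patch series (`# v1.175.1`, `#v3.5.0`, `# v2.21.0`), so a reader cannot tell which release the hash corresponds to or whether the `fortify/github-action/setup@v1` named in the comment above is the same major; append `# v<release-tag>` (placeholder) to the line. The step name `Run FoD SAST Scan` no longer matches the step, whose env block is also documented for SSC/ScanCentral and optional SCA; `Run Fortify AST Scan` would align it with the job and workflow names. The commented `DO_EXPORT: true` uploads SARIF to code scanning, which requires `security-events: write` on the job; the `permissions:` block starts outside the hunk, so it is worth confirming that permission is present and, if it is, noting it next to `DO_EXPORT`. The job-level keys of Fortify-AST-Scan begin outside the hunk.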
From: Ross Rogers Date: Tue, 21 May 2024 14:32:42 -0700 Subject: [PATCH 813/844] Update Mayhem for API to reference new site --- code-scanning/mayhem-for-api.yml | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml index 9e533fe47f..cac5f61a4d 100644 --- a/code-scanning/mayhem-for-api.yml +++ b/code-scanning/mayhem-for-api.yml @@ -9,13 +9,11 @@ # # To use this workflow, you will need to: # -# 1. Create a Mayhem for API account at -# https://mayhem4api.forallsecure.com/signup +# 1. Create a Mayhem account at https://app.mayhem.security # -# 2. Create a service account token `mapi organization service-account create -# ` +# 2. Create an API token at https://app.mayhem.security/-/settings/user/api-tokens # -# 3. Add the service account token as a secret in GitHub called "MAPI_TOKEN" +# 3. Add the API token as a secret in GitHub called "MAYHEM_TOKEN" # # 4. Update the "Start your API" step to run your API in the background before # starting the Mayhem for API scan, and update the `api-url` & `api-spec` @@ -51,10 +49,10 @@ jobs: run: ./run_your_api.sh & # <- ✏️ update this - name: Mayhem for API - uses: ForAllSecure/mapi-action@193b709971cc377675e33284aecbf9229853e010 + uses: ForAllSecure/mapi-action@v1 continue-on-error: true with: - mapi-token: ${{ secrets.MAPI_TOKEN }} + mayhem-token: ${{ secrets.MAYHEM_TOKEN }} api-url: http://localhost:8080 # <- ✏️ update this api-spec: http://localhost:8080/openapi.json # <- ✏️ update this duration: 60 From 39131434ed4bd7dcf8071fc2faaaa0ef8a23c4eb Mon Sep 17 00:00:00 2001 From: Cory Miller <13227161+cory-miller@users.noreply.github.com> Date: Wed, 22 May 2024 10:25:41 -0400 Subject: [PATCH 814/844] Fix typo in grade starter workflow --- ci/gradle.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/gradle.yml b/ci/gradle.yml index 65a332be61..74dffb5e6e 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml 
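Review bot: `uses: ForAllSecure/mapi-action@v1` replaces a commit-pinned reference with a mutable tag, so the code this step runs can change without any change in this file; the commit message does not explain why the pin was dropped, and the repository's pull_request_template.md (cited in patch 795 on this page) asks for commit hashes. Keep the pin and label it, `uses: ForAllSecure/mapi-action@<commit-sha-of-v1> # v1`, with the real hash substituted. The step still runs under the existing `continue-on-error: true`, so an authentication failure from a mis-named `MAYHEM_TOKEN` secret will not fail the job; a one-line comment telling users to check the step log for login errors would avoid silent no-op scans.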
@@ -28,7 +28,7 @@ jobs: java-version: '17' distribution: 'temurin' - # Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies. + # Configure Gradle for optimal use in GitHub Actions, including caching of downloaded dependencies. # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md - name: Setup Gradle uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 From 61d42c9d0c8d4a398799a581eb6ce48ca742a2bc Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Thu, 30 May 2024 09:34:08 -0700 Subject: [PATCH 815/844] Update cosign versions --- ci/docker-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 8a042a508f..f8e709f228 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -41,9 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 + uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0 with: - cosign-release: 'v2.1.1' + cosign-release: 'v2.2.4' # Set up BuildKit Docker container builder to be able to build # multi-platform images and export cache From de925c96d94d3e63cbeb7ff809d8ec64fc331c3b Mon Sep 17 00:00:00 2001 From: yahavi Date: Sat, 1 Jun 2024 18:57:06 +0300 Subject: [PATCH 816/844] Frogbot: Update to 2.21.0 --- code-scanning/frogbot-scan-and-fix.yml | 10 +++------- code-scanning/frogbot-scan-pr.yml | 14 +++++--------- 2 files changed, 8 insertions(+), 16 deletions(-) diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 62eb9ec6a7..549ef8c49d 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml 
@@ -5,9 +5,9 @@ # Frogbot Scan and Fix does the following: # Automatically creates pull requests with fixes for vulnerable project dependencies. # Uses JFrog Xray to scan the project. -# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot +# Read more about Frogbot here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot -# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md +# Some projects require creating a frogbot-config.yml file. Read more about it here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration name: "Frogbot Scan and Fix" on: @@ -23,11 +23,7 @@ jobs: steps: - uses: actions/checkout@v4 - # IMPORTANT: - # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix - # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md - - - uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0 + - uses: jfrog/frogbot@d01623d0fc8de585c21225f55842f2d2c45cf094 # v2.21.0 env: # [Mandatory if the two conditions below are met] # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index a2e29fa824..465405c06b 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml 
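Review bot: The second hunk (`@@ -23,11 +23,7 @@`) removes the `# IMPORTANT:` block whose first item pointed readers at the tools that must be installed for Frogbot to work, and nothing in the new header replaces it; only the frogbot-config link was moved to the top of the file. Unless the new docs URL at the top covers the installation prerequisites (not visible here), add a one-line comment above the `- uses: jfrog/frogbot@…` step such as `# See the Frogbot docs for the package-manager tools that must be installed before this step runs.` The same removal is made in the frogbot-scan-pr.yml hunk below (`@@ -21,18 +21,14 @@`).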
@@ -5,9 +5,9 @@ # Frogbot Scan Pull Request does the following: # Automatically scans new pull requests for security vulnerabilities. # Uses JFrog Xray to scan the project. -# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot +# Read more about Frogbot here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot -# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md +# Some projects require creating a frogbot-config.yml file. Read more about it here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration name: "Frogbot Scan Pull Request" on: 
@@ -21,18 +21,14 @@ jobs: runs-on: ubuntu-latest # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the # "frogbot" GitHub environment can approve the pull request to be scanned. - # Read more here (Install Frogbot Using GitHub Actions): https://github.com/jfrog/frogbot/blob/master/docs/install-github.md + # Read more here (Install Frogbot Using GitHub Actions): https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/setup-frogbot-using-github-actions environment: frogbot steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} - # IMPORTANT: - # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix - # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md - - - uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0 + - uses: jfrog/frogbot@d01623d0fc8de585c21225f55842f2d2c45cf094 # v2.21.0 env: # [Mandatory if the two conditions below are met] # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies From 74366efdcd18a2e2f16bf04acdafd8c38625014e Mon Sep 17 00:00:00 2001 From: Antoine Do Nascimento Date: Mon, 3 Jun 2024 17:26:02 +0200 Subject: [PATCH 817/844] Update DataDog/synthetics-ci-github-action workflow --- ci/datadog-synthetics.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/datadog-synthetics.yml b/ci/datadog-synthetics.yml index 7056f87093..28a07c7697 100644 --- a/ci/datadog-synthetics.yml +++ b/ci/datadog-synthetics.yml 
@@ -29,7 +29,7 @@ jobs: # Run Synthetic tests within your GitHub workflow. # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci - name: Run Datadog Synthetic tests - uses: DataDog/synthetics-ci-github-action@2b56dc0cca9daa14ab69c0d1d6844296de8f941e + uses: DataDog/synthetics-ci-github-action@c36b031081c29b54513d7faba468ddd5b248baf3 # v1.4.0 with: api_key: ${{secrets.DD_API_KEY}} app_key: ${{secrets.DD_APP_KEY}} From 9f1db534549e072c20d5d1a79e0a4ff45a674caf Mon Sep 17 00:00:00 2001 From: Antoine Vinot Date: Mon, 3 Jun 2024 20:58:42 +0200 Subject: [PATCH 818/844] Update sonarcloud.yml after latest release of the action (#2405) Co-authored-by: Alexis Abril --- code-scanning/sonarcloud.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 41075e4efb..0e7f274220 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -46,13 +46,12 @@ jobs: - name: Analyze with SonarCloud # You can pin the exact commit or the version. - # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 - uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 + # uses: SonarSource/sonarcloud-github-action@v2.2.0 + uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) with: - # Additional arguments for the sonarcloud scanner + # Additional arguments for the SonarScanner CLI args: # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu) # mandatory 
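Review bot: The trailing `# v1.4.0` annotation on the new `uses: DataDog/synthetics-ci-github-action@c36b031081c29b54513d7faba468ddd5b248baf3` line does not appear to match that release: a later commit on this page ("Fix wrong hash", PATCH 824) replaces the SHA with `87b505388a22005bb8013481e3f73a367b9a53eb` under the same `# v1.4.0` label. A pinned SHA and its version comment should be cross-checked against the tag before merging, because the comment is what reviewers and update tooling read while the SHA is what actually runs.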
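Review bot: The new `uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216` line carries no version annotation; the `v2.2.0` survives only in the commented-out alternative above it, unlike the other pinned actions on this page which put the version inline. Suggested: `uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216 # v2.2.0`. The removed `GITHUB_TOKEN` line was commented as needed to get PR information; if the v2.2.0 action still reads it for pull-request decoration, dropping it silently degrades PR analysis, so this is worth confirming against the action's release notes.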
@@ -60,9 +59,9 @@ jobs: -Dsonar.organization= # Comma-separated paths to directories containing main source files. #-Dsonar.sources= # optional, default is project base directory - # When you need the analysis to take place in a directory other than the one from which it was launched - #-Dsonar.projectBaseDir= # optional, default is . # Comma-separated paths to directories containing test source files. #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. #-Dsonar.verbose= # optional, default is false + # When you need the analysis to take place in a directory other than the one from which it was launched, default is . + projectBaseDir: . From 5a11e5968cb905fe46c844bb8147628cfe226f40 Mon Sep 17 00:00:00 2001 From: Jamie McCarthy Date: Sat, 8 Jun 2024 11:47:24 -0400 Subject: [PATCH 819/844] Reference latest ruby/setup-ruby (1.179.1) with commit hash Can build ruby 3.1.6 and 3.3.2 --- ci/rubyonrails.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index b976f3f3f3..f3177e231b 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -30,7 +30,7 @@ jobs: uses: actions/checkout@v4 # Add or replace dependency steps here - name: Install Ruby and gems - uses: ruby/setup-ruby@1198b074305f9356bd56dd4b311757cc0dab2f1c # v1.175.1 + uses: ruby/setup-ruby@78c01b705fd9d5ad960d432d3a0cfa341d50e410 # v1.179.1 with: bundler-cache: true # Add or replace database setup steps here 
@@ -46,7 +46,7 @@ jobs: - name: Checkout code uses: actions/checkout@v4 - name: Install Ruby and gems - uses: ruby/setup-ruby@1198b074305f9356bd56dd4b311757cc0dab2f1c # v1.175.1 + uses: ruby/setup-ruby@78c01b705fd9d5ad960d432d3a0cfa341d50e410 # v1.179.1 with: bundler-cache: true # Add or replace any other lints here From 0321f5f585a59bc25d0a7885165edf7f63b2d2f2 Mon Sep 17 00:00:00 2001 From: Jamie McCarthy Date: Sat, 8 Jun 2024 12:19:48 -0400 Subject: [PATCH 820/844] Run lint with binstubs --- ci/rubyonrails.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index f3177e231b..ad3ac88261 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -49,10 +49,12 @@ jobs: uses: ruby/setup-ruby@78c01b705fd9d5ad960d432d3a0cfa341d50e410 # v1.179.1 with: bundler-cache: true + - name: Generate binstubs + run: bundle binstubs bundler-audit brakeman rubocop # Add or replace any other lints here - name: Security audit dependencies - run: bundle exec bundle-audit --update + run: bin/bundler-audit --update - name: Security audit application code - run: bundle exec brakeman -q -w2 + run: bin/brakeman -q -w2 - name: Lint Ruby files - run: bundle exec rubocop --parallel + run: bin/rubocop --parallel From 647cac4f347894582e3fd841b84b0b2c6485b23d Mon Sep 17 00:00:00 2001 From: alankuo-aws <151653677+alankuo-aws@users.noreply.github.com> Date: Mon, 17 Jun 2024 16:32:21 -0400 Subject: [PATCH 821/844] Update policy validator starter workflows (#2433) * Update policy validator starter workflows * Fix reference policy argument --- code-scanning/policy-validator-cfn.yaml | 24 +++++++++++++++++++----- code-scanning/policy-validator-tf.yaml | 22 ++++++++++++++++++---- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/code-scanning/policy-validator-cfn.yaml b/code-scanning/policy-validator-cfn.yaml index b2cd163a9f..8d32ce14f0 100644 --- a/code-scanning/policy-validator-cfn.yaml 
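Review bot: The new `Generate binstubs` step assumes `bundler-audit`, `brakeman` and `rubocop` are declared in the Gemfile, and the three lint steps now call the `bin/` scripts it writes instead of `bundle exec`; a reader who adds a lint after the `# Add or replace any other lints here` comment needs to know the new tool must be added to the `bundle binstubs` list too. A comment above the step such as `# Generates bin/ wrappers for the lint gems below; add any new lint gem here as well` would make that dependency visible. If a repository already commits its own `bin/rubocop` or `bin/brakeman`, `bundle binstubs` presumably keeps the existing file, so the comment could also state that existing binstubs are left untouched.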
+++ b/code-scanning/policy-validator-cfn.yaml @@ -20,7 +20,8 @@ env: AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1 TEMPLATE_PATH: FILE_PATH_TO_CFN_TEMPLATE # set to the file path to the CloudFormation template. - ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's file path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. jobs: 
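Review bot: The new `RESOURCES: MY_LIST_OF_RESOURCES` line is a placeholder, yet the `CHECK_ACCESS_NOT_GRANTED` step hunk below (`@@ -57,11 +58,12 @@`) now passes both `actions: ${{ env.ACTIONS }}` and `resources: ${{ env.RESOURCES }}` unconditionally, while the comment says only one of the two is required. A user who fills in only `ACTIONS` will still send the literal string `MY_LIST_OF_RESOURCES` as a resource ARN list; how the action treats that is not visible here, but it is at best a confusing failure. Either comment out the optional variable by default or state that the unused one must be left empty, e.g. `RESOURCES: "" # set to pass list of resource ARNs in the format resource1, resource2,.. Leave empty if you only use ACTIONS.` (assuming the action treats an empty input as unset). The same pattern is in the policy-validator-tf.yaml env hunk (`@@ -21,7 +21,8 @@`) and its CHECK_ACCESS_NOT_GRANTED hunk.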
@@ -45,7 +46,7 @@ jobs: # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator - name: Run AWS AccessAnalyzer ValidatePolicy check id: run-aws-validate-policy - uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0 + uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2 with: policy-check-type: "VALIDATE_POLICY" template-path: ${{ env.TEMPLATE_PATH}} @@ -57,11 +58,12 @@ jobs: # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator - name: Run AWS AccessAnalyzer CheckAccessNotGranted check id: run-aws-check-access-not-granted - uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0 + uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2 with: policy-check-type: "CHECK_ACCESS_NOT_GRANTED" template-path: ${{ env.TEMPLATE_PATH}} actions: ${{ env.ACTIONS }} + resources: ${{ env.RESOURCES }} region: ${{ env.REGION }} # Print result from CHECK_ACCESS_NOT_GRANTED check - name: Print the result for CheckAccessNotGranted check 
@@ -71,14 +73,26 @@ jobs: # reference-policy is stored in GitHub secrets - name: Run AWS AccessAnalyzer CheckNoNewAccess check id: run-aws-check-no-new-access - uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0 + uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2 with: policy-check-type: "CHECK_NO_NEW_ACCESS" template-path: ${{ env.TEMPLATE_PATH}} - reference-policy: ${{ env.REFERENCE }} + reference-policy: ${{ env.REFERENCE_POLICY }} reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }} region: ${{env.REGION }} # Print result from CHECK_NO_NEW_ACCESS check - name: Print the result for CheckNoNewAccess check if: success() || failure() run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}" + # Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer CheckNoPublicAccess check + id: run-aws-check-no-public-access + uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2 + with: + policy-check-type: "CHECK_NO_PUBLIC_ACCESS" + template-path: ${{ env.TEMPLATE_PATH }} + region: ${{ env.REGION }} + # Print result from CHECK_NO_PUBLIC_ACCESS check + - name: Print the result for CheckNoPublicAccess check + if: success() || failure() + run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}" diff --git a/code-scanning/policy-validator-tf.yaml b/code-scanning/policy-validator-tf.yaml index 1ca77b5f95..07f884f6ad 100644 --- a/code-scanning/policy-validator-tf.yaml +++ b/code-scanning/policy-validator-tf.yaml 
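Review bot: The new `Run AWS AccessAnalyzer CheckNoPublicAccess check` step calls a fourth Access Analyzer operation, but the `AWS_ROLE` comment in the env hunk at the top of this file still lists only `access-analyzer:ValidatePolicy`, `CheckNoNewAccess` and `CheckAccessNotGranted` as the permissions the role needs; presumably the new check needs the matching `CheckNoPublicAccess` permission, so a role built from that comment will fail this step. Extend the comment to name the extra permission, confirming the exact IAM action name against the action's README linked in the hunk. The same step is added in policy-validator-tf.yaml (`@@ -85,3 +87,15 @@`) with the same stale role comment. Separately, `run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}"` interpolates an action output directly into the shell; the usual hardening is `env:` / `RESULT: ${{ steps.run-aws-check-no-public-access.outputs.result }}` / `run: echo "$RESULT"`, which also keeps the command intact if the result contains quotes.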
@@ -21,7 +21,8 @@ env: AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1 TEMPLATE_PATH: FILE_PATH_TO_THE_TF_PLAN # set this to the file path to the terraform plan in JSON - ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. 
@@ -48,7 +49,7 @@ jobs: # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator - name: Run AWS AccessAnalyzer ValidatePolicy check id: run-aws-validate-policy - uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0 + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 with: policy-check-type: "VALIDATE_POLICY" template-path: ${{ env.TEMPLATE_PATH }} @@ -60,11 +61,12 @@ jobs: # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator - name: Run AWS AccessAnalyzer CheckAccessNotGranted check id: run-aws-check-access-not-granted - uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0 + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 with: policy-check-type: "CHECK_ACCESS_NOT_GRANTED" template-path: ${{ env.TEMPLATE_PATH }} actions: ${{ env.ACTIONS }} + resources: ${{ env.RESOURCES }} region: ${{ env.REGION }} # Print result from CHECK_ACCESS_NOT_GRANTED check - name: Print the result for CheckAccessNotGranted check @@ -74,7 +76,7 @@ jobs: # reference-policy is stored in GitHub secrets - name: Run AWS AccessAnalyzer CheckNoNewAccess check id: run-aws-check-no-new-access - uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0 + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 with: policy-check-type: "CHECK_NO_NEW_ACCESS" template-path: ${{ env.TEMPLATE_PATH }} 
@@ -85,3 +87,15 @@ jobs: - name: Print the result CheckNoNewAccess check if: success() || failure() run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}" + # Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer CheckNoPublicAccess check + id: run-aws-check-no-public-access + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 + with: + policy-check-type: "CHECK_NO_PUBLIC_ACCESS" + template-path: ${{ env.TEMPLATE_PATH }} + region: ${{ env.REGION }} + # Print result from CHECK_NO_PUBLIC_ACCESS check + - name: Print the result for CheckNoPublicAccess check + if: success() || failure() + run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}" From dc63c580c6738d293a9448f43221325cbe050570 Mon Sep 17 00:00:00 2001 From: Inaki Villar Date: Fri, 21 Jun 2024 11:33:35 -0700 Subject: [PATCH 822/844] Update for gradle/actions@v3.4.2 release --- ci/gradle-publish.yml | 2 +- ci/gradle.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 2af46165be..4f36680b4a 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -30,7 +30,7 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Setup Gradle - uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 - name: Build with Gradle run: ./gradlew build diff --git a/ci/gradle.yml b/ci/gradle.yml index 74dffb5e6e..eb756d0221 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml 
@@ -31,7 +31,7 @@ jobs: # Configure Gradle for optimal use in GitHub Actions, including caching of downloaded dependencies. # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md - name: Setup Gradle - uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 - name: Build with Gradle Wrapper run: ./gradlew build @@ -40,7 +40,7 @@ jobs: # If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version. # # - name: Setup Gradle - # uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + # uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 # with: # gradle-version: '8.5' # @@ -64,4 +64,4 @@ jobs: # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md - name: Generate and submit dependency graph - uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + uses: gradle/actions/dependency-submission@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 From eb0381de25dd68ef86956335a0f1edb9521591b7 Mon Sep 17 00:00:00 2001 From: yahavi Date: Fri, 28 Jun 2024 15:56:30 +0300 Subject: [PATCH 823/844] Update to 2.21.2 --- code-scanning/frogbot-scan-and-fix.yml | 2 +- code-scanning/frogbot-scan-pr.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 549ef8c49d..12f8011692 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml 
@@ -23,7 +23,7 @@ jobs: steps: - uses: actions/checkout@v4 - - uses: jfrog/frogbot@d01623d0fc8de585c21225f55842f2d2c45cf094 # v2.21.0 + - uses: jfrog/frogbot@5d9c42c30f1169d8be4ba5510b40e75ffcbbc2a9 # v2.21.2 env: # [Mandatory if the two conditions below are met] # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index 465405c06b..badcef0315 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml @@ -28,7 +28,7 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} - - uses: jfrog/frogbot@d01623d0fc8de585c21225f55842f2d2c45cf094 # v2.21.0 + - uses: jfrog/frogbot@5d9c42c30f1169d8be4ba5510b40e75ffcbbc2a9 # v2.21.2 env: # [Mandatory if the two conditions below are met] # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies From 46555797bbd57e663e8505f781c0c4576563c28a Mon Sep 17 00:00:00 2001 From: Antoine Do Nascimento <78449051+AntoineDona@users.noreply.github.com> Date: Fri, 28 Jun 2024 15:00:32 +0200 Subject: [PATCH 824/844] Fix wrong hash --- ci/datadog-synthetics.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/datadog-synthetics.yml b/ci/datadog-synthetics.yml index 28a07c7697..0ea06787d3 100644 --- a/ci/datadog-synthetics.yml +++ b/ci/datadog-synthetics.yml @@ -29,7 +29,7 @@ jobs: # Run Synthetic tests within your GitHub workflow. # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci - name: Run Datadog Synthetic tests - uses: DataDog/synthetics-ci-github-action@c36b031081c29b54513d7faba468ddd5b248baf3 # v1.4.0 + uses: DataDog/synthetics-ci-github-action@87b505388a22005bb8013481e3f73a367b9a53eb # v1.4.0 with: api_key: ${{secrets.DD_API_KEY}} app_key: ${{secrets.DD_APP_KEY}} From e6a84878775b73145774535516f255f521cfc68f Mon Sep 17 00:00:00 2001 
From: Joe Mooring Date: Fri, 28 Jun 2024 13:52:35 -0700 Subject: [PATCH 825/844] pages: Update Hugo workflow - Bump version - Set cache directory - Remove outdated environment variable --- pages/hugo.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/pages/hugo.yml b/pages/hugo.yml index 141ad91a5a..b4f316a3b3 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -31,7 +31,7 @@ jobs: build: runs-on: ubuntu-latest env: - HUGO_VERSION: 0.124.1 + HUGO_VERSION: 0.128.0 steps: - name: Install Hugo CLI run: | @@ -50,9 +50,8 @@ jobs: run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true" - name: Build with Hugo env: - # For maximum backward compatibility with Hugo modules + HUGO_CACHEDIR: ${{ runner.temp }}/hugo_cache HUGO_ENVIRONMENT: production - HUGO_ENV: production run: | hugo \ --minify \ From 763a1a60f8e6b874e2ebd4bbb9203789caaecd3a Mon Sep 17 00:00:00 2001 
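Review bot: `HUGO_CACHEDIR: ${{ runner.temp }}/hugo_cache` points the cache at a directory that is discarded when the job ends, and this commit's diffstat (2 insertions, 3 deletions in pages/hugo.yml) adds no cache restore/save step keyed on that path, so the setting relocates the cache rather than persisting it across runs. If persistence is the intent, pair it with an `actions/cache` step on that path; otherwise a comment such as `# Keep Hugo's cache under the runner temp dir (not persisted between runs)` would stop readers from assuming caching is in place. The removed `HUGO_ENV: production` line was commented as being there for backward compatibility with Hugo modules; if any module still reads `HUGO_ENV` rather than `HUGO_ENVIRONMENT`, that compatibility is lost, which the commit message does not discuss.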
From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 25 Apr 2024 13:24:02 -0400 Subject: [PATCH 826/844] Upload-Sarif: Update all workflows to use Upload-Sarif V3 --- code-scanning/anchore.yml | 2 +- code-scanning/apisec-scan.yml | 2 +- code-scanning/bearer.yml | 2 +- code-scanning/brakeman.yml | 2 +- code-scanning/checkmarx-one.yml | 2 +- code-scanning/checkmarx.yml | 2 +- code-scanning/clj-holmes.yml | 2 +- code-scanning/clj-watson.yml | 2 +- code-scanning/cloudrail.yml | 2 +- code-scanning/codacy.yml | 2 +- code-scanning/codescan.yml | 2 +- code-scanning/contrast-scan.yml | 2 +- code-scanning/credo.yml | 2 +- code-scanning/datree.yml | 2 +- code-scanning/defender-for-devops.yml | 2 +- code-scanning/detekt.yml | 2 +- code-scanning/devskim.yml | 2 +- code-scanning/endorlabs.yml | 2 +- code-scanning/eslint.yml | 2 +- code-scanning/ethicalcheck.yml | 2 +- code-scanning/flawfinder.yml | 2 +- code-scanning/hadolint.yml | 2 +- code-scanning/kubesec.yml | 2 +- code-scanning/lintr.yml | 2 +- code-scanning/mayhem-for-api.yml | 2 +- code-scanning/mobsf.yml | 2 +- code-scanning/msvc.yml | 2 +- code-scanning/njsscan.yml | 2 +- code-scanning/nowsecure.yml | 2 +- code-scanning/ossar.yml | 2 +- code-scanning/phpmd.yml | 2 +- code-scanning/pmd.yml | 2 +- code-scanning/powershell.yml | 2 +- code-scanning/prisma.yml | 2 +- code-scanning/psalm.yml | 2 +- code-scanning/puppet-lint.yml | 2 +- code-scanning/rubocop.yml | 2 +- code-scanning/rust-clippy.yml | 2 +- code-scanning/scorecard.yml | 2 +- code-scanning/securitycodescan.yml | 2 +- code-scanning/semgrep.yml | 2 +- code-scanning/snyk-container.yml | 2 +- code-scanning/snyk-infrastructure.yml | 2 +- code-scanning/snyk-security.yml | 2 +- code-scanning/sobelow.yml | 2 +- code-scanning/synopsys-io.yml | 2 +- code-scanning/sysdig-scan.yml | 2 +- code-scanning/tfsec.yml | 2 +- code-scanning/trivy.yml | 2 +- code-scanning/veracode.yml | 2 +- code-scanning/xanitizer.yml | 2 +- code-scanning/zscaler-iac-scan.yml | 2 +- 
code-scanning/zscan.yml | 2 +- 53 files changed, 53 insertions(+), 53 deletions(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 2bbc55e812..8ada351499 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -43,6 +43,6 @@ jobs: fail-build: true severity-cutoff: critical - name: Upload vulnerability report - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.scan.outputs.sarif }} diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 34defa90bf..f425ca8a20 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -66,6 +66,6 @@ jobs: # The name of the sarif format result file The file is written only if this property is provided. sarif-result-file: "apisec-results.sarif" - name: Import results - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ./apisec-results.sarif diff --git a/code-scanning/bearer.yml b/code-scanning/bearer.yml index 7971be96e6..b384d82cf2 100644 --- a/code-scanning/bearer.yml +++ b/code-scanning/bearer.yml @@ -38,6 +38,6 @@ jobs: exit-code: 0 # Upload SARIF file generated in previous step - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index 0d1cb052dc..38e572c8d0 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -53,6 +53,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: output.sarif.json diff --git a/code-scanning/checkmarx-one.yml b/code-scanning/checkmarx-one.yml index 7feeb25b24..ae326bd8e2 100644 --- a/code-scanning/checkmarx-one.yml +++ b/code-scanning/checkmarx-one.yml 
@@ -49,7 +49,7 @@ jobs: cx_tenant: ${{ secrets.CX_TENANT }} # This should be replaced by your tenant for Checkmarx One additional_params: --report-format sarif --output-path . - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository sarif_file: cx_result.sarif diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index b4a99f3235..5406860c13 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -50,6 +50,6 @@ jobs: params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }} # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: cx.sarif diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index 87f11cbceb..2d919a5db9 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml @@ -38,7 +38,7 @@ jobs: fail-on-result: 'false' - name: Upload analysis results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{github.workspace}}/clj-holmes-results.sarif wait-for-processing: true diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml index 59bfd41b8a..b0a7443b24 100644 --- a/code-scanning/clj-watson.yml +++ b/code-scanning/clj-watson.yml @@ -48,7 +48,7 @@ jobs: fail-on-result: false - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{github.workspace}}/clj-watson-results.sarif wait-for-processing: true \ No newline at end of file 
diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml index 8273881b53..846c43d1e8 100644 --- a/code-scanning/cloudrail.yml +++ b/code-scanning/cloudrail.yml @@ -50,7 +50,7 @@ jobs: cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 # Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always() # is needed to ensure the SARIF file is uploaded if: always() diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index c3cd9f542f..2f2acc340e 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -56,6 +56,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index c4858c636e..cb338df3b3 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -44,6 +44,6 @@ jobs: organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }} projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: codescan.sarif diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml index 1950d3ae2c..197779f56e 100644 --- a/code-scanning/contrast-scan.yml +++ b/code-scanning/contrast-scan.yml @@ -48,6 +48,6 @@ jobs: authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} #Upload the results to GitHub - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output 
diff --git a/code-scanning/credo.yml b/code-scanning/credo.yml index 8c8c8be26c..5a322a4695 100644 --- a/code-scanning/credo.yml +++ b/code-scanning/credo.yml @@ -55,7 +55,7 @@ jobs: - name: credo-scan run: mix credo --format=sarif > credo_output.sarif - name: upload sarif - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository sarif_file: credo_output.sarif diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml index a892cf8f0f..a98eabeb23 100644 --- a/code-scanning/datree.yml +++ b/code-scanning/datree.yml @@ -42,6 +42,6 @@ jobs: # Setting a SARIF output will generate a file named "datree.sarif" containing your test results cliArguments: "-o sarif" - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: datree.sarif diff --git a/code-scanning/defender-for-devops.yml b/code-scanning/defender-for-devops.yml index 07aa7d1a5e..59eaaa799f 100644 --- a/code-scanning/defender-for-devops.yml +++ b/code-scanning/defender-for-devops.yml @@ -42,6 +42,6 @@ jobs: uses: microsoft/security-devops-action@v1.6.0 id: msdo - name: Upload results to Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.msdo.outputs.sarifFile }} diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index 76a116bc84..2d6293b7bd 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml @@ -111,7 +111,7 @@ jobs: )" > ${{ github.workspace }}/detekt.sarif.json # Uploads results to GitHub repository using the upload-sarif action - - uses: github/codeql-action/upload-sarif@v2 + - uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository sarif_file: ${{ github.workspace }}/detekt.sarif.json 
diff --git a/code-scanning/devskim.yml b/code-scanning/devskim.yml index 98daab85fc..794986a5f1 100644 --- a/code-scanning/devskim.yml +++ b/code-scanning/devskim.yml @@ -29,6 +29,6 @@ jobs: uses: microsoft/DevSkim-Action@v1 - name: Upload DevSkim scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: devskim-results.sarif diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index 670fe62305..7f3951a2fb 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml @@ -46,6 +46,6 @@ jobs: ci_run: "false" sarif_file: findings.sarif - name: Upload SARIF to github - uses: github/codeql-action/upload-sarif@9885f86fab4879632b7e44514f19148225dfbdcd + uses: github/codeql-action/upload-sarif@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3.25.2 with: sarif_file: findings.sarif diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml index 876ea2bc98..7304e8358a 100644 --- a/code-scanning/eslint.yml +++ b/code-scanning/eslint.yml @@ -44,7 +44,7 @@ jobs: continue-on-error: true - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: eslint-results.sarif wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/ethicalcheck.yml b/code-scanning/ethicalcheck.yml index a68d0a2c7c..fac8a74531 100644 --- a/code-scanning/ethicalcheck.yml +++ b/code-scanning/ethicalcheck.yml @@ -63,7 +63,7 @@ jobs: sarif-result-file: "ethicalcheck-results.sarif" - name: Upload sarif file to repository - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ./ethicalcheck-results.sarif diff --git a/code-scanning/flawfinder.yml b/code-scanning/flawfinder.yml index d564b68ae3..d3898b691b 100644 --- a/code-scanning/flawfinder.yml +++ b/code-scanning/flawfinder.yml 
@@ -33,6 +33,6 @@ jobs: output: 'flawfinder_results.sarif' - name: Upload analysis results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{github.workspace}}/flawfinder_results.sarif \ No newline at end of file diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml index 2d901a4f08..eacbabb039 100644 --- a/code-scanning/hadolint.yml +++ b/code-scanning/hadolint.yml @@ -41,7 +41,7 @@ jobs: no-fail: true - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: hadolint-results.sarif wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml index 98fd8e004b..750acc7558 100644 --- a/code-scanning/kubesec.yml +++ b/code-scanning/kubesec.yml @@ -36,6 +36,6 @@ jobs: exit-code: "0" - name: Upload Kubesec scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: kubesec-results.sarif \ No newline at end of file diff --git a/code-scanning/lintr.yml b/code-scanning/lintr.yml index 01ce71912a..7bb83e3820 100644 --- a/code-scanning/lintr.yml +++ b/code-scanning/lintr.yml @@ -49,7 +49,7 @@ jobs: continue-on-error: true - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: lintr-results.sarif wait-for-processing: true diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml index 9e533fe47f..93b0dd2f2d 100644 --- a/code-scanning/mayhem-for-api.yml +++ b/code-scanning/mayhem-for-api.yml @@ -61,6 +61,6 @@ jobs: sarif-report: mapi.sarif - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: mapi.sarif 
diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 9f876aea7d..05e014e9d4 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -38,6 +38,6 @@ jobs: args: . --sarif --output results.sarif || true - name: Upload mobsfscan report - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 0700989a01..b8469decf6 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -54,7 +54,7 @@ jobs: # Upload SARIF file to GitHub Code Scanning Alerts - name: Upload SARIF to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.run-analysis.outputs.sarif }} diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index 8062259302..767b967fe1 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -37,6 +37,6 @@ jobs: with: args: '. --sarif --output results.sarif || true' - name: Upload njsscan report - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/code-scanning/nowsecure.yml b/code-scanning/nowsecure.yml index 324a533c13..5cb6c29466 100644 --- a/code-scanning/nowsecure.yml +++ b/code-scanning/nowsecure.yml @@ -47,6 +47,6 @@ jobs: group_id: {{ groupId }} # Update this to your desired Platform group ID - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: NowSecure.sarif diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index ad46e1d1f7..1c7a6d9ada 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml 
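Review bot: In the nowsecure.yml hunk, the context line `group_id: {{ groupId }}` is parsed by YAML as a flow mapping rather than a string, so the workflow loader will most likely reject the file (or at best pass a mapping where a scalar is expected) before the `upload-sarif@v3` step being changed is ever reached. A quoted placeholder keeps the template loadable and still makes it obvious the value must be replaced, `group_id: "{{ groupId }}" # Update this to your desired Platform group ID`. The enclosing step starts outside the hunk.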
@@ -51,6 +51,6 @@ jobs: # Upload results to the Security tab - name: Upload OSSAR results - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.ossar.outputs.sarifFile }} diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml index 58ca4f840c..5ceaabc489 100644 --- a/code-scanning/phpmd.yml +++ b/code-scanning/phpmd.yml @@ -51,7 +51,7 @@ jobs: continue-on-error: true - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: phpmd-results.sarif wait-for-processing: true diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index ed5eec92e7..50524aedc1 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -38,6 +38,6 @@ jobs: sourcePath: 'src/main/java' analyzeModifiedFilesOnly: false - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: pmd-report.sarif diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index 52f65a093d..216f1dc99e 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -44,6 +44,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 4b84b21e47..5461f5cd9b 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -49,7 +49,7 @@ jobs: # The service need to know the type of IaC being scanned template_type: 'CFT' - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 # Results are generated only on a success or failure # this is required since GitHub by default won't run the next step # when the previous one has failed. 
diff --git a/code-scanning/psalm.yml b/code-scanning/psalm.yml index dddbfdd7d0..a0563d964a 100644 --- a/code-scanning/psalm.yml +++ b/code-scanning/psalm.yml @@ -33,6 +33,6 @@ jobs: uses: psalm/psalm-github-security-scan@f3e6fd9432bc3e44aec078572677ce9d2ef9c287 - name: Upload Security Analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml index e039085881..014b0a0cf3 100644 --- a/code-scanning/puppet-lint.yml +++ b/code-scanning/puppet-lint.yml @@ -49,7 +49,7 @@ jobs: continue-on-error: true - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: puppet-lint-results.sarif wait-for-processing: true diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml index feef351ccf..a3e7af8ff0 100644 --- a/code-scanning/rubocop.yml +++ b/code-scanning/rubocop.yml @@ -47,6 +47,6 @@ jobs: " - name: Upload Sarif output - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: rubocop.sarif diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml index 4f50c3e203..e4b2508281 100644 --- a/code-scanning/rust-clippy.yml +++ b/code-scanning/rust-clippy.yml @@ -49,7 +49,7 @@ jobs: continue-on-error: true - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: rust-clippy-results.sarif wait-for-processing: true diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index 162c788bbd..d7474f9ba6 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml 
@@ -68,6 +68,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 + uses: github/codeql-action/upload-sarif@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3.25.2 with: sarif_file: results.sarif diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml index 5d5e87b958..58cb9c6483 100644 --- a/code-scanning/securitycodescan.yml +++ b/code-scanning/securitycodescan.yml @@ -38,4 +38,4 @@ jobs: uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687 - name: Upload sarif - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index f21aa9a995..bbf787a503 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -43,7 +43,7 @@ jobs: # Upload SARIF file generated in previous step - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: semgrep.sarif if: always() diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index edbea1d635..c485691560 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml @@ -50,6 +50,6 @@ jobs: image: your/image-to-test args: --file=Dockerfile - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: snyk.sarif diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index a5605a3efc..f1466b2894 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml 
@@ -49,6 +49,6 @@ jobs: # or `main.tf` for a Terraform configuration file file: your-file-to-test.yaml - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: snyk.sarif diff --git a/code-scanning/snyk-security.yml b/code-scanning/snyk-security.yml index 4941e0021b..8f230201cf 100644 --- a/code-scanning/snyk-security.yml +++ b/code-scanning/snyk-security.yml @@ -74,6 +74,6 @@ jobs: # Push the Snyk Code results into GitHub Code Scanning tab - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: snyk-code.sarif diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml index 6dd4ffee1f..cfbf1f4ff6 100644 --- a/code-scanning/sobelow.yml +++ b/code-scanning/sobelow.yml @@ -36,6 +36,6 @@ jobs: - id: run-action uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912 - name: Upload report - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml index df50d9d5c6..6e245d7692 100644 --- a/code-scanning/synopsys-io.yml +++ b/code-scanning/synopsys-io.yml @@ -71,7 +71,7 @@ jobs: - name: Upload SARIF file if: ${{steps.prescription.outputs.sastScan == 'true' }} - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository sarif_file: workflowengine-results.sarif.json diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index c9a0edb3e4..11fd8b75f4 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml 
@@ -55,7 +55,7 @@ jobs: # Sysdig inline scanner requires privileged rights run-as-user: root - - uses: github/codeql-action/upload-sarif@v2 + - uses: github/codeql-action/upload-sarif@v3 #Upload SARIF file if: always() with: diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 388fc37a30..c8ef49ce3e 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -32,7 +32,7 @@ jobs: sarif_file: tfsec.sarif - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository sarif_file: tfsec.sarif diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index ec90221ec5..7180f7267c 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -43,6 +43,6 @@ jobs: severity: 'CRITICAL,HIGH' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index 379493fdf0..c1b9b334c9 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -53,7 +53,7 @@ jobs: uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be with: pipeline-results-json: results.json - - uses: github/codeql-action/upload-sarif@v2 + - uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository sarif_file: veracode-results.sarif diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 32c977e9e4..0f96c5ab00 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml 
@@ -95,6 +95,6 @@ jobs: *-Findings-List.sarif # Uploads the findings into the GitHub code scanning alert section using the upload-sarif action - - uses: github/codeql-action/upload-sarif@v2 + - uses: github/codeql-action/upload-sarif@v3 with: sarif_file: Xanitizer-Findings-List.sarif diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml index 7a2fc00d73..523c4955b5 100644 --- a/code-scanning/zscaler-iac-scan.yml +++ b/code-scanning/zscaler-iac-scan.yml @@ -51,6 +51,6 @@ jobs: #Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository. - name: Upload SARIF file if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }} - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }} diff --git a/code-scanning/zscan.yml b/code-scanning/zscan.yml index 018e473c04..9c9b3035d0 100644 --- a/code-scanning/zscan.yml +++ b/code-scanning/zscan.yml @@ -55,6 +55,6 @@ jobs: app_file: app-release-unsigned.apk - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: Zimperium.sarif From 570cd926cd9d81217009010cf740cb6e18bf4267 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Mon, 29 Jul 2024 14:37:50 -0400 Subject: [PATCH 827/844] Switch github upload sarif to tag GitHub owed actions are allowed to use tags instead of SHAs Co-authored-by: Jacob Wallraff --- code-scanning/endorlabs.yml | 2 +- code-scanning/scorecard.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index 7f3951a2fb..cea041d4b0 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml 
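Review bot: In the zscaler-iac-scan.yml hunk, `sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }}` omits `.outputs`, so the expression evaluates to empty and the upgraded `upload-sarif@v3` step is handed no file path; the `if:` line two lines above spells the same output correctly as `steps.zscaler-iac-scan.outputs.sarif_file_path`. Suggest `sarif_file: ${{ steps.zscaler-iac-scan.outputs.sarif_file_path }}`. The enclosing job starts outside the hunk.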
@@ -46,6 +46,6 @@ jobs: ci_run: "false" sarif_file: findings.sarif - name: Upload SARIF to github - uses: github/codeql-action/upload-sarif@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3.25.2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: findings.sarif diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index d7474f9ba6..b58ec1f302 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml @@ -68,6 +68,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3.25.2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif From 47f69d786f0bb6108917098d195cd3a9ff64ee00 Mon Sep 17 00:00:00 2001 From: Jacob Wallraff Date: Tue, 30 Jul 2024 10:17:07 -0700 Subject: [PATCH 828/844] Revert "Artifacts: Update all workflows to use Artifacts V4" --- ci/dotnet-desktop.yml | 4 ++-- code-scanning/msvc.yml | 2 +- code-scanning/scorecard.yml | 2 +- code-scanning/xanitizer.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 4 ++-- deployments/azure-webapps-java-jar-gradle.yml | 4 ++-- deployments/azure-webapps-java-jar.yml | 4 ++-- deployments/azure-webapps-node.yml | 4 ++-- deployments/azure-webapps-php.yml | 4 ++-- deployments/azure-webapps-python.yml | 4 ++-- 10 files changed, 17 insertions(+), 17 deletions(-) diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index 400a721cea..ad99b56b9b 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml 
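Review bot: Replacing the commit-SHA pin with the floating tag `github/codeql-action/upload-sarif@v3` in scorecard.yml (and likewise in the endorlabs.yml hunk of this commit) swaps an immutable reference for one upstream can move, which is exactly what the SHA pin guarded against, and the `# v3.25.2` comment documenting the pinned version is lost with it. scorecard.yml in particular is the example users copy to obtain a clean Pinned-Dependencies result, and Scorecard is understood to still report tag-pinned GitHub-owned actions, though at reduced weight; worth confirming before shipping. If the intent is to rely on GitHub-owned actions being exempt, record that beside the line, e.g. `uses: github/codeql-action/upload-sarif@v3 # GitHub-owned action: tag pin accepted in place of a SHA`; otherwise keep the SHA together with its version comment.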
@@ -109,7 +109,7 @@ jobs: # Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact - name: Upload build artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v3 with: - name: MSIX Package ${{ matrix.configuration }} + name: MSIX Package path: ${{ env.Wap_Project_Directory }}\AppPackages diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index b905ef8d39..0700989a01 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -60,7 +60,7 @@ jobs: # Upload SARIF file as an Artifact to download and view # - name: Upload SARIF as an Artifact - # uses: actions/upload-artifact@v4 + # uses: actions/upload-artifact@v3 # with: # name: sarif-file # path: ${{ steps.run-analysis.outputs.sarif }} diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index 729d741a99..162c788bbd 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml @@ -59,7 +59,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 with: name: SARIF file path: results.sarif diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 2fd110a2e2..32c977e9e4 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -87,7 +87,7 @@ jobs: license: ${{ secrets.XANITIZER_LICENSE }} # Archiving the findings list reports - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v3 with: name: Xanitizer-Reports path: | diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 64124e5a67..b4bfafbbb5 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml 
@@ -59,7 +59,7 @@ jobs: run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp - name: Upload artifact for deployment job - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v3 with: name: .net-app path: ${{env.DOTNET_ROOT}}/myapp @@ -75,7 +75,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v3 with: name: .net-app diff --git a/deployments/azure-webapps-java-jar-gradle.yml b/deployments/azure-webapps-java-jar-gradle.yml index a066d8912a..63a45cc208 100644 --- a/deployments/azure-webapps-java-jar-gradle.yml +++ b/deployments/azure-webapps-java-jar-gradle.yml @@ -50,7 +50,7 @@ jobs: run: gradle build - name: Upload artifact for deployment job - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v3 with: name: java-app path: '${{ github.workspace }}/build/libs/*.jar' @@ -66,7 +66,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v3 with: name: java-app diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index f6c17a9739..608fb8ee83 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -50,7 +50,7 @@ jobs: run: mvn clean install - name: Upload artifact for deployment job - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v3 with: name: java-app path: '${{ github.workspace }}/target/*.jar' @@ -66,7 +66,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v3 with: name: java-app diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index 891a7d6337..147d4e612d 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml 
@@ -49,7 +49,7 @@ jobs: npm run test --if-present - name: Upload artifact for deployment job - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v3 with: name: node-app path: . @@ -65,7 +65,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v3 with: name: node-app diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 3391c83b24..1182c2a899 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -70,7 +70,7 @@ jobs: run: composer validate --no-check-publish && composer install --prefer-dist --no-progress - name: Upload artifact for deployment job - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v3 with: name: php-app path: . @@ -86,7 +86,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v3 with: name: php-app diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index e4868c4cdb..656f95c9a0 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -55,7 +55,7 @@ jobs: # Optional: Add step to run tests here (PyTest, Django test suites, etc.) - name: Upload artifact for deployment jobs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v3 with: name: python-app path: | @@ -73,7 +73,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v3 with: name: python-app path: . From a44a949b68865dda4900d885cfdf710a702ec3b5 Mon Sep 17 00:00:00 2001 From: Jacob Wallraff Date: Thu, 1 Aug 2024 15:19:04 -0700 Subject: [PATCH 829/844] Update labeler.yml for v5 --- .github/labeler.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/labeler.yml b/.github/labeler.yml index 2d04e263f7..fb0886314f 100644 --- a/.github/labeler.yml 
+++ b/.github/labeler.yml @@ -1,3 +1,4 @@ # Add 'code-scanning' label to any changes within 'code-scanning' folder or any subfolders code-scanning: -- code-scanning/**/* +- changed-files: + - any-glob-to-any-file: code-scanning/**/* From 9512b1a781279d0e720561e0cbdba5f1ed397216 Mon Sep 17 00:00:00 2001 From: Jacob Wallraff Date: Thu, 1 Aug 2024 15:42:06 -0700 Subject: [PATCH 830/844] Update stale.yml to only use workflow_dispatch --- .github/workflows/stale.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index ecdf037f9b..f9f361d95c 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -1,8 +1,9 @@ name: Mark stale issues and pull requests on: - schedule: - - cron: "21 4 * * *" + workflow_dispatch: + # schedule: + # - cron: "21 4 * * *" jobs: stale: From fdb3717e44c9c423a0acf005ee67c5ffaa043eb5 Mon Sep 17 00:00:00 2001 From: daz Date: Wed, 7 Aug 2024 11:04:34 -0600 Subject: [PATCH 831/844] Update for `gradle/actions@v4.0.0` release - Bump version hashes to use `gradle/actions/setup-gradle@v4.0.0` - Bump version hash to use `gradle/actions/dependency-submission@v4.0.0` --- ci/gradle-publish.yml | 2 +- ci/gradle.yml | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 4f36680b4a..20d17dc3b7 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -30,7 +30,7 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Setup Gradle - uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 + uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0 - name: Build with Gradle run: ./gradlew build diff --git a/ci/gradle.yml b/ci/gradle.yml index eb756d0221..40a40c112b 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml 
@@ -31,7 +31,7 @@ jobs: # Configure Gradle for optimal use in GitHub Actions, including caching of downloaded dependencies. # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md - name: Setup Gradle - uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 + uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0 - name: Build with Gradle Wrapper run: ./gradlew build @@ -40,11 +40,11 @@ jobs: # If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version. # # - name: Setup Gradle - # uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 + # uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0 # with: - # gradle-version: '8.5' + # gradle-version: '8.9' # - # - name: Build with Gradle 8.5 + # - name: Build with Gradle 8.9 # run: gradle build dependency-submission: @@ -64,4 +64,4 @@ jobs: # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md - name: Generate and submit dependency graph - uses: gradle/actions/dependency-submission@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 + uses: gradle/actions/dependency-submission@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0 From af1bbdc4308b034a9d854df319a91d57b7664b5d Mon Sep 17 00:00:00 2001 From: SOOS-GSteen Date: Fri, 16 Aug 2024 11:10:57 -0400 Subject: [PATCH 832/844] Update soos-dast-scan.yml hash (#2466) * Update soos-dast-scan.yml * Update soos-dast-scan.yml * Update soos-dast-scan.yml * Update soos-dast-scan.yml --- code-scanning/soos-dast-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index b3e470e98f..0d42c927d2 100644 --- a/code-scanning/soos-dast-scan.yml 
+++ b/code-scanning/soos-dast-scan.yml @@ -36,7 +36,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Analysis - uses: soos-io/soos-dast-github-action@a7f2cb2dfd143cb3224712d902ca0a1da0198ea9 + uses: soos-io/soos-dast-github-action@65d9878d77c8993f3db9e86a92bc2ad3a6e060af with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} From 83b6e98d43fce23a60eb247f3c165b79b3c60ad2 Mon Sep 17 00:00:00 2001 From: Michael Chernov <4ernovm@gmail.com> Date: Fri, 16 Aug 2024 18:16:20 +0300 Subject: [PATCH 833/844] Add Debricked starter workflow (#2107) * Add Debricked starter workflow * Add permissions section * Remove schedule * Fix review comments --------- Co-authored-by: Alexis Abril --- code-scanning/debricked.yml | 43 +++++++++++++++++++ .../properties/debricked.properties.json | 19 ++++++++ icons/debricked.svg | 3 ++ 3 files changed, 65 insertions(+) create mode 100644 code-scanning/debricked.yml create mode 100644 code-scanning/properties/debricked.properties.json create mode 100644 icons/debricked.svg diff --git a/code-scanning/debricked.yml b/code-scanning/debricked.yml new file mode 100644 index 0000000000..79b0a07d36 --- /dev/null +++ b/code-scanning/debricked.yml 
@@ -0,0 +1,43 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +##################################################################################################################################################################### +# Use this workflow template as a basis for integrating Debricked into your GitHub workflows. # +# # +# If you need additional assistance with configuration feel free to contact us via chat or email at support@debricked.com # +# To learn more about Debricked or contact our team, visit https://debricked.com/ # +# # +# To run this workflow, complete the following set-up steps: # +# # +# 1. If you don’t have a Debricked account, create one by visiting https://debricked.com/app/en/register # +# 2. Generate your Debricked access token, by following the steps mentioned in https://portal.debricked.com/administration-47/how-do-i-generate-an-access-token-130 # +# 3. In GitHub, navigate to the repository # +# 4. Click on “Settings” (If you cannot see the “Settings” tab, select the dropdown menu, then click “Settings”) # +# 5. In the “Security” section click on “Secrets and variables”, then click “Actions” # +# 6. In the “Secrets” tab, click on “New repository secret” # +# 7. In the “Name” field, type the name of the secret # +# 8. In the “Secret” field, enter the value of the secret # +# 9. Click “Add secret” # +# 10. You should now be ready to use the workflow! 
# +##################################################################################################################################################################### + +name: Debricked Scan + +on: + push: + +permissions: + contents: read + +jobs: + vulnerabilities-scan: + name: Vulnerabilities scan + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + - uses: debricked/actions@v3 + env: + DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }} diff --git a/code-scanning/properties/debricked.properties.json b/code-scanning/properties/debricked.properties.json new file mode 100644 index 0000000000..f669f0964c --- /dev/null +++ b/code-scanning/properties/debricked.properties.json @@ -0,0 +1,19 @@ +{ + "name": "Debricked Scan", + "creator": "OpenText", + "description": "Integrate with Debricked's state of the art AI-powered Software Composition Analysis to automate your security.", + "iconName": "debricked", + "categories": [ + "Code Scanning", + "Python", + "JavaScript", + "Java", + "PHP", + "Ruby", + "Go", + "Rust", + "Swift", + "C#", + "Objective-C" + ] +} diff --git a/icons/debricked.svg b/icons/debricked.svg new file mode 100644 index 0000000000..cb8a3d52c9 --- /dev/null +++ b/icons/debricked.svg @@ -0,0 +1,3 @@ + + + From ba125834f1f7cbe9a1e3d363b7b9c9f89e9f7413 Mon Sep 17 00:00:00 2001 From: Ian Lynagh Date: Tue, 20 Aug 2024 12:06:59 +0100 Subject: [PATCH 834/844] CodeQL: Remove Swift 2h timeout Spurious intermittent timeouts are no longer expected on Swift. --- code-scanning/codeql.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 655fc59b4e..3e48389ae3 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml 
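Review bot: The scanner step references the third-party action by the mutable tag `debricked/actions@v3`, while the other vendor workflows in this series (soos-dast-scan, appknox, gradle) pin a full commit SHA; a tag can be re-pointed at different code after this template is reviewed, and it runs with `DEBRICKED_TOKEN` in its environment. Pin the release commit and keep the tag as a comment, e.g. `- uses: debricked/actions@<full-commit-sha> # v3`. `on: push:` with no branch filter also runs the scan on every push to every branch, which may be intended for SCA but differs from the `$default-branch` / `pull_request` triggers used by the other scanning templates, so a one-line comment stating that choice would help adopters.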
@@ -28,7 +28,6 @@ jobs: # - https://gh.io/using-larger-runners (GitHub.com only) # Consider using larger runners or machines with greater resources for possible analysis time improvements. runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} - timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} permissions: # required for all workflows security-events: write From ae01bb2a2fa5733aaf305c4161350c9af10345b9 Mon Sep 17 00:00:00 2001 From: Seth Vargo Date: Wed, 21 Aug 2024 11:21:42 -0700 Subject: [PATCH 835/844] google: update workflow versions and instructions (#2478) * google: update workflow versions and instructions * Pin hashes --- deployments/google-cloudrun-docker.yml | 138 ++++++++++------------ deployments/google-cloudrun-source.yml | 112 ++++++++---------- deployments/google.yml | 157 ++++++++++++++----------- 3 files changed, 197 insertions(+), 210 deletions(-) diff --git a/deployments/google-cloudrun-docker.yml b/deployments/google-cloudrun-docker.yml index bd748f8b3c..70af95e6bc 100644 --- a/deployments/google-cloudrun-docker.yml +++ b/deployments/google-cloudrun-docker.yml 
@@ -1,113 +1,95 @@ -# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Cloud Run when a commit is pushed to the $default-branch branch -# -# Overview: -# -# 1. Authenticate to Google Cloud -# 2. Authenticate Docker to Artifact Registry -# 3. Build a docker container -# 4. Publish it to Google Artifact Registry -# 5. Deploy it to Cloud Run +# This workflow build and push a Docker container to Google Artifact Registry +# and deploy it on Cloud Run when a commit is pushed to the $default-branch +# branch. # # To configure this workflow: # -# 1. Ensure the required Google Cloud APIs are enabled: -# -# Cloud Run run.googleapis.com -# Artifact Registry artifactregistry.googleapis.com -# -# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) -# -# 3. Ensure the required IAM permissions are granted +# 1. Enable the following Google Cloud APIs: # -# Cloud Run -# roles/run.admin -# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account) +# - Artifact Registry (artifactregistry.googleapis.com) +# - Cloud Run (run.googleapis.com) +# - IAM Credentials API (iamcredentials.googleapis.com) # -# Artifact Registry -# roles/artifactregistry.admin (project or repository level) +# You can learn more about enabling APIs at +# https://support.google.com/googleapi/answer/6158841. # -# NOTE: You should always follow the principle of least privilege when assigning IAM roles +# 2. Create and configure a Workload Identity Provider for GitHub: +# https://github.com/google-github-actions/auth#preferred-direct-workload-identity-federation. # -# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT +# Depending on how you authenticate, you will need to grant an IAM principal +# permissions on Google Cloud: # -# 5. Change the values for the GAR_LOCATION, SERVICE and REGION environment variables (below). 
+# - Artifact Registry Administrator (roles/artifactregistry.admin) +# - Cloud Run Developer (roles/run.developer) # -# NOTE: To use Google Container Registry instead, replace ${{ env.GAR_LOCATION }}-docker.pkg.dev with gcr.io +# You can learn more about setting IAM permissions at +# https://cloud.google.com/iam/docs/manage-access-other-resources # -# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run -# -# Further reading: -# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying -# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles -# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry -# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege +# 3. Change the values in the "env" block to match your values. 
-name: Build and Deploy to Cloud Run +name: 'Build and Deploy to Cloud Run' on: push: - branches: [ $default-branch ] + branches: + - '$default-branch' env: - PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id - GAR_LOCATION: YOUR_GAR_LOCATION # TODO: update Artifact Registry location - SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name - REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region + PROJECT_ID: 'my-project' # TODO: update to your Google Cloud project ID + REGION: 'us-central1' # TODO: update to your region + SERVICE: 'my-service' # TODO: update to your service name + WORKLOAD_IDENTITY_PROVIDER: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' # TODO: update to your workload identity provider jobs: deploy: - # Add 'id-token' with the intended permissions for workload identity federation + runs-on: 'ubuntu-latest' + permissions: contents: 'read' id-token: 'write' - runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 + - name: 'Checkout' + uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # actions/checkout@v4 - - name: Google Auth - id: auth - uses: 'google-github-actions/auth@v0' + # Configure Workload Identity Federation and generate an access token. + # + # See https://github.com/google-github-actions/auth for more options, + # including authenticating via a JSON credentials file. + - id: 'auth' + name: 'Authenticate to Google Cloud' + uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # google-github-actions/auth@v2 with: - token_format: 'access_token' - workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider - service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. 
- my-service-account@my-project.iam.gserviceaccount.com - - # NOTE: Alternative option - authentication via credentials json - # - name: Google Auth - # id: auth - # uses: 'google-github-actions/auth@v0' - # with: - # credentials_json: '${{ secrets.GCP_CREDENTIALS }}'' + workload_identity_provider: '${{ env.WORKLOAD_IDENTITY_PROVIDER }}' - # BEGIN - Docker auth and build (NOTE: If you already have a container image, these Docker steps can be omitted) - - # Authenticate Docker to Google Cloud Artifact Registry - - name: Docker Auth - id: docker-auth - uses: 'docker/login-action@v1' + # BEGIN - Docker auth and build + # + # If you already have a container image, you can omit these steps. + - name: 'Docker Auth' + uses: 'docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567' # docker/login-action@v3 with: username: 'oauth2accesstoken' - password: '${{ steps.auth.outputs.access_token }}' - registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev' + password: '${{ steps.auth.outputs.auth_token }}' + registry: '${{ env.REGION }}-docker.pkg.dev' - - name: Build and Push Container + - name: 'Build and Push Container' run: |- - docker build -t "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" ./ - docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" + DOCKER_TAG="$${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" + docker build --tag "${DOCKER_TAG}" . 
+ docker push "${DOCKER_TAG}" + - name: 'Deploy to Cloud Run' - # END - Docker auth and build + # END - Docker auth and build - - name: Deploy to Cloud Run - id: deploy - uses: google-github-actions/deploy-cloudrun@v0 + uses: 'google-github-actions/deploy-cloudrun@33553064113a37d688aa6937bacbdc481580be17' # google-github-actions/deploy-cloudrun@v2 with: - service: ${{ env.SERVICE }} - region: ${{ env.REGION }} - # NOTE: If using a pre-built image, update the image name here - image: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }} + service: '${{ env.SERVICE }}' + region: '${{ env.REGION }}' + # NOTE: If using a pre-built image, update the image name below: + + image: '${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}' + # If required, use the Cloud Run URL output in later steps + - name: 'Show output' + run: |2- - # If required, use the Cloud Run url output in later steps - - name: Show Output - run: echo ${{ steps.deploy.outputs.url }} + echo ${{ steps.deploy.outputs.url }} diff --git a/deployments/google-cloudrun-source.yml b/deployments/google-cloudrun-source.yml index e6fcb52832..6a9a5512a6 100644 --- a/deployments/google-cloudrun-source.yml +++ b/deployments/google-cloudrun-source.yml 
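Review bot: The `Build and Push Container` step builds `DOCKER_TAG` from `$${{ env.REGION }}`, and the extra leading `$` reaches the shell, which then treats `$us` (for the sample `us-central1`) as a normally empty variable, so the tag no longer begins with the registry host; the line should read `DOCKER_TAG="${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}"`. The deploy step also lost its `id: 'deploy'` in this rewrite while the final `Show output` step still reads `${{ steps.deploy.outputs.url }}`, so that echo prints nothing; restore `id: 'deploy'` on the `deploy-cloudrun` step. Interpolating `${{ steps.deploy.outputs.url }}` straight into `run:` is the script-injection pattern; the value comes from the deploy action rather than from user input, so the risk here looks low, but passing it through `env:` and echoing `"$SERVICE_URL"` is the safer habit for a starter template.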
@@ -1,95 +1,75 @@ -# This workflow will deploy source code on Cloud Run when a commit is pushed to the $default-branch branch -# -# Overview: -# -# 1. Authenticate to Google Cloud -# 2. Deploy it to Cloud Run +# This workflow will deploy source code on Cloud Run when a commit is pushed to +# the $default-branch branch. # # To configure this workflow: # -# 1. Ensure the required Google Cloud APIs are enabled: -# -# Cloud Run run.googleapis.com -# Cloud Build cloudbuild.googleapis.com -# Artifact Registry artifactregistry.googleapis.com -# -# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) -# -# 3. Ensure the required IAM permissions are granted +# 1. Enable the following Google Cloud APIs: # -# Cloud Run -# roles/run.admin -# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account) +# - Artifact Registry (artifactregistry.googleapis.com) +# - Cloud Build (cloudbuild.googleapis.com) +# - Cloud Run (run.googleapis.com) +# - IAM Credentials API (iamcredentials.googleapis.com) # -# Cloud Build -# roles/cloudbuild.builds.editor +# You can learn more about enabling APIs at +# https://support.google.com/googleapi/answer/6158841. # -# Cloud Storage -# roles/storage.objectAdmin +# 2. Create and configure a Workload Identity Provider for GitHub: +# https://github.com/google-github-actions/auth#preferred-direct-workload-identity-federation. # -# Artifact Registry -# roles/artifactregistry.admin (project or repository level) +# Depending on how you authenticate, you will need to grant an IAM principal +# permissions on Google Cloud: # -# NOTE: You should always follow the principle of least privilege when assigning IAM roles +# - Artifact Registry Administrator (roles/artifactregistry.admin) +# - Cloud Run Source Developer (roles/run.sourceDeveloper) # -# 4. 
Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT +# You can learn more about setting IAM permissions at +# https://cloud.google.com/iam/docs/manage-access-other-resources. # -# 5. Change the values for the SERVICE and REGION environment variables (below). -# -# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run -# -# Further reading: -# Cloud Run runtime service account - https://cloud.google.com/run/docs/securing/service-identity -# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying-source-code#permissions_required_to_deploy -# Cloud Run builds from source - https://cloud.google.com/run/docs/deploying-source-code -# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege +# 3. Change the values in the "env" block to match your values. -name: Deploy to Cloud Run from Source +name: 'Deploy to Cloud Run from Source' on: push: - branches: [ $default-branch ] + branches: + - '$default-branch' env: - PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id - SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name - REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region + PROJECT_ID: 'my-project' # TODO: update to your Google Cloud project ID + REGION: 'us-central1' # TODO: update to your region + SERVICE: 'my-service' # TODO: update to your service name jobs: deploy: - # Add 'id-token' with the intended permissions for workload identity federation + runs-on: 'ubuntu-latest' + permissions: contents: 'read' id-token: 'write' - runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 + - name: 'Checkout' + uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # actions/checkout@v4 - - name: Google Auth - id: auth - uses: 'google-github-actions/auth@v0' + # Configure Workload Identity Federation and generate an access 
token. + # + # See https://github.com/google-github-actions/auth for more options, + # including authenticating via a JSON credentials file. + - id: 'auth' + name: 'Authenticate to Google Cloud' + uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # google-github-actions/auth@v2 with: - workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider - service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - my-service-account@my-project.iam.gserviceaccount.com - - # NOTE: Alternative option - authentication via credentials json - # - name: Google Auth - # id: auth - # uses: 'google-github-actions/auth@v0' - # with: - # credentials_json: '${{ secrets.GCP_CREDENTIALS }}' + workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' # TODO: replace with your workload identity provider - - name: Deploy to Cloud Run - id: deploy - uses: google-github-actions/deploy-cloudrun@v0 + - name: 'Deploy to Cloud Run' + uses: 'google-github-actions/deploy-cloudrun@33553064113a37d688aa6937bacbdc481580be17' # google-github-actions/deploy-cloudrun@v2 with: - service: ${{ env.SERVICE }} - region: ${{ env.REGION }} - # NOTE: If required, update to the appropriate source folder - source: ./ + service: '${{ env.SERVICE }}' + region: '${{ env.REGION }}' + # NOTE: If using a different source folder, update the image name below: + source: './' - # If required, use the Cloud Run url output in later steps - - name: Show Output - run: echo ${{ steps.deploy.outputs.url }} + # If required, use the Cloud Run URL output in later steps + - name: 'Show output' + run: |- + echo ${{ steps.deploy.outputs.url }} diff --git a/deployments/google.yml b/deployments/google.yml index deb987748b..4be4dc47d2 100644 --- a/deployments/google.yml +++ b/deployments/google.yml 
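Review bot: The `Deploy to Cloud Run` step no longer carries `id: 'deploy'`, but the `Show output` step still references `${{ steps.deploy.outputs.url }}`, so the echoed URL is empty; add `id: 'deploy'` to that step. The comment above `source: './'` says "update the image name below", which is carried over from the Docker variant — it should say to update the source folder, e.g. `# NOTE: If your code lives in a different folder, update the source path below:`. Unlike the Docker and GKE workflows in this same commit, the `workload_identity_provider` here is hard-coded in the step with a TODO instead of a `WORKLOAD_IDENTITY_PROVIDER` entry in the `env` block; moving it there keeps the three templates consistent and puts all values to edit in one place.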
@@ -1,91 +1,116 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. +# This workflow will build a docker container, publish it to Google Container +# Registry, and deploy it to GKE when there is a push to the $default-branch +# branch. # # To configure this workflow: # -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. +# 1. Enable the following Google Cloud APIs: # -# 2. Create and configure a Workload Identity Provider for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) +# - Artifact Registry (artifactregistry.googleapis.com) +# - Google Kubernetes Engine (container.googleapis.com) +# - IAM Credentials API (iamcredentials.googleapis.com) # -# 3. Change the values for the GAR_LOCATION, GKE_ZONE, GKE_CLUSTER, IMAGE, REPOSITORY and DEPLOYMENT_NAME environment variables (below). +# You can learn more about enabling APIs at +# https://support.google.com/googleapi/answer/6158841. # -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke-kustomize +# 2. Ensure that your repository contains the necessary configuration for your +# Google Kubernetes Engine cluster, including deployment.yml, +# kustomization.yml, service.yml, etc. +# +# 3. Create and configure a Workload Identity Provider for GitHub: +# https://github.com/google-github-actions/auth#preferred-direct-workload-identity-federation. 
+# +# Depending on how you authenticate, you will need to grant an IAM principal +# permissions on Google Cloud: +# +# - Artifact Registry Administrator (roles/artifactregistry.admin) +# - Kubernetes Engine Developer (roles/container.developer) +# +# You can learn more about setting IAM permissions at +# https://cloud.google.com/iam/docs/manage-access-other-resources +# +# 5. Change the values in the "env" block to match your values. -name: Build and Deploy to GKE +name: 'Build and Deploy to GKE' on: push: - branches: [ $default-branch ] + branches: + - '$default-branch' env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GAR_LOCATION: us-central1 # TODO: update region of the Artifact Registry - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - REPOSITORY: samples # TODO: update to Artifact Registry docker repository - IMAGE: static-site + PROJECT_ID: 'my-project' # TODO: update to your Google Cloud project ID + GAR_LOCATION: 'us-central1' # TODO: update to your region + GKE_CLUSTER: 'cluster-1' # TODO: update to your cluster name + GKE_ZONE: 'us-central1-c' # TODO: update to your cluster zone + DEPLOYMENT_NAME: 'gke-test' # TODO: update to your deployment name + REPOSITORY: 'samples' # TODO: update to your Artifact Registry docker repository name + IMAGE: 'static-site' + WORKLOAD_IDENTITY_PROVIDER: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' # TODO: update to your workload identity provider jobs: setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production + name: 'Setup, Build, Publish, and Deploy' + runs-on: 'ubuntu-latest' + environment: 'production' permissions: contents: 'read' id-token: 'write' steps: - - name: Checkout - uses: actions/checkout@v4 + - name: 'Checkout' + uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' 
# actions/checkout@v4 + + # Configure Workload Identity Federation and generate an access token. + # + # See https://github.com/google-github-actions/auth for more options, + # including authenticating via a JSON credentials file. + - id: 'auth' + name: 'Authenticate to Google Cloud' + uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # google-github-actions/auth@v2 + with: + workload_identity_provider: '${{ env.WORKLOAD_IDENTITY_PROVIDER }}' + + # Authenticate Docker to Google Cloud Artifact Registry + - name: 'Docker Auth' + uses: 'docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567' # docker/login-action@v3 + with: + username: 'oauth2accesstoken' + password: '${{ steps.auth.outputs.auth_token }}' + registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev' + + # Get the GKE credentials so we can deploy to the cluster + - name: 'Set up GKE credentials' + uses: 'google-github-actions/get-gke-credentials@6051de21ad50fbb1767bc93c11357a49082ad116' # google-github-actions/get-gke-credentials@v2 + with: + cluster_name: '${{ env.GKE_CLUSTER }}' + location: '${{ env.GKE_ZONE }}' + + # Build the Docker image + - name: 'Build and push Docker container' + run: |- + DOCKER_TAG="${GAR_LOCATION}-docker.pkg.dev/${PROJECT_ID}/${REPOSITORY}/${IMAGE}:${GITHUB_SHA}" - # Configure Workload Identity Federation and generate an access token. - - id: 'auth' - name: 'Authenticate to Google Cloud' - uses: 'google-github-actions/auth@v0' - with: - token_format: 'access_token' - workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' - service_account: 'my-service-account@my-project.iam.gserviceaccount.com' + docker build \ + --tag "${DOCKER_TAG}" \ + --build-arg GITHUB_SHA="${GITHUB_SHA}" \ + --build-arg GITHUB_REF="${GITHUB_REF}" \ + . 
- # Alternative option - authentication via credentials json - # - id: 'auth' - # uses: 'google-github-actions/auth@v0' - # with: - # credentials_json: '${{ secrets.GCP_CREDENTIALS }}' + docker push "${DOCKER_TAG}" - - name: Docker configuration - run: |- - echo ${{steps.auth.outputs.access_token}} | docker login -u oauth2accesstoken --password-stdin https://$GAR_LOCATION-docker.pkg.dev - # Get the GKE credentials so we can deploy to the cluster - - name: Set up GKE credentials - uses: google-github-actions/get-gke-credentials@v0 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} + # Set up kustomize + - name: 'Set up Kustomize' + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.4.3/kustomize_v5.4.3_linux_amd64.tar.gz + chmod u+x ./kustomize - # Build the Docker image - - name: Build - run: |- - docker build \ - --tag "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - # Push the Docker image to Google Artifact Registry - - name: Publish - run: |- - docker push "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA" - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - # replacing the image name in the k8s template - ./kustomize edit set image LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE:TAG=$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA - ./kustomize build . 
| kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide + # Deploy the Docker image to the GKE cluster + - name: 'Deploy to GKE' + run: |- + # replacing the image name in the k8s template + ./kustomize edit set image LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE:TAG=$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide From 6ac176a96e50b319149785b0bf59c1c9c1116933 Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Fri, 23 Aug 2024 10:49:57 -0400 Subject: [PATCH 836/844] CodeQL - Add unique name vs default setup --- code-scanning/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 3e48389ae3..7e46549fc5 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -9,7 +9,7 @@ # the `language` matrix defined below to confirm you have the correct set of # supported CodeQL languages. # -name: "CodeQL" +name: "CodeQL Advanced" on: push: From 9db23a2437ff17f6ad52e8b92dfc8197ed8314dd Mon Sep 17 00:00:00 2001 From: ginilpg Date: Tue, 10 Sep 2024 20:11:53 +0530 Subject: [PATCH 837/844] Add Appknox starter workflow (#2447) * Added appknox.yml for code scanning * Create appknox.json * Create appknox.svg * Update appknox.json * Update appknox.svg * Rename appknox.json to appknox.properties.json * Update appknox.yml * Update appknox.yml * Update appknox.properties.json * Formatting yml --- code-scanning/appknox.yml | 56 +++++++++++++++++++ .../properties/appknox.properties.json | 23 ++++++++ icons/appknox.svg | 10 ++++ 3 files changed, 89 insertions(+) create mode 100644 code-scanning/appknox.yml create mode 100644 code-scanning/properties/appknox.properties.json create mode 100644 icons/appknox.svg 
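Review bot: The `Set up Kustomize` step downloads `kustomize_v5.4.3_linux_amd64.tar.gz` but then `chmod`s the download and the Deploy step executes it directly as `./kustomize edit set image ...`; the v3.1.0 URL it replaced was a raw binary, whereas this asset is an archive, so the deploy will fail. Extract the binary instead: `curl -sfL https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.4.3/kustomize_v5.4.3_linux_amd64.tar.gz | tar -xz kustomize`. Because this is an unverified download executed in a job that holds Artifact Registry and GKE credentials, the template should also verify the archive against the checksum published with the release (`sha256sum -c`) before running it, or use a pinned setup action. The numbered setup steps in the header comment also jump from 3 to 5.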
diff --git a/code-scanning/appknox.yml b/code-scanning/appknox.yml new file mode 100644 index 0000000000..0282b6cff7 --- /dev/null +++ b/code-scanning/appknox.yml 
@@ -0,0 +1,56 @@ +# This workflow uses actions that are not certified by GitHub. They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support documentation. +# +# Appknox: Leader in Mobile Application Security Testing Solutions +# +# To use this workflow, you must be an existing Appknox customer with GitHub Advanced Security (GHAS) enabled for your +# repository. +# +# If you *are not* an existing customer, click here to contact us for licensing and pricing details: +# . +# +# Instructions: +# +# 1. In your repository settings, navigate to 'Secrets' and click on 'New repository secret.' Name the +# secret APPKNOX_ACCESS_TOKEN and paste your appknox user token into the value field. If you don't have a appknox token +# or need to generate a new one for GitHub, visit the Appknox Platform, go to Account Settings->Developer Settings +# and create a token labeled GitHub +# +# 2. Refer to the detailed workflow below, make any required adjustments, and then save it to your repository. 
After the +# action executes, check the 'Security' tab for results + +name: Appknox + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] +jobs: + appknox: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Set up JDK 1.8 + uses: actions/setup-java@v1 + with: + java-version: 1.8 + - name: Grant execute permission for gradlew + run: chmod +x gradlew + + - name: Build the app + run: ./gradlew build # Update this to build your Android or iOS application + + - name: Appknox GitHub action + uses: appknox/appknox-github-action@b7d2bfb2321d5544e97bffcba48557234ab953a4 + with: + appknox_access_token: ${{ secrets.APPKNOX_ACCESS_TOKEN }} + file_path: app/build/outputs/apk/debug/app-debug.apk # Specify the path to your .ipa or .apk here + risk_threshold: MEDIUM # Update this to desired risk threshold [LOW, MEDIUM, HIGH, CRITICAL] + sarif: Enable + + - name: Upload SARIF to GHAS + if: always() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: report.sarif diff --git a/code-scanning/properties/appknox.properties.json b/code-scanning/properties/appknox.properties.json new file mode 100644 index 0000000000..4164291b69 --- /dev/null +++ b/code-scanning/properties/appknox.properties.json @@ -0,0 +1,23 @@ +{ + "name": "Appknox", + "creator": "Appknox", + "description": "Use Appknox action for faster and precise security assessments of your iOS and Android apps developed using any programming language", + "iconName": "appknox", + "categories": [ + "Code Scanning", + "Java", + "Kotlin", + "Scala", + "Swift", + "Objective C", + "C", + "C++", + "C#", + "Rust", + "JavaScript", + "TypeScript", + "Node" + ], + "labels": ["preview"] + +} diff --git a/icons/appknox.svg b/icons/appknox.svg new file mode 100644 index 0000000000..36148e7018 --- /dev/null +++ b/icons/appknox.svg @@ -0,0 +1,10 @@ + + + + + + + + + + From 53980cb868e646a5e8c7881a33599f3287729eb7 Mon Sep 17 00:00:00 2001 
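Review bot: The `appknox` job declares no `permissions:` block, so `GITHUB_TOKEN` carries the repository default; `github/codeql-action/upload-sarif` needs `security-events: write` (the CodeQL template in this series marks it "required for all workflows"), so the upload fails under a read-only default and under a permissive default the job holds more than it needs. Add at the job level `permissions:`, `  contents: read`, `  security-events: write`. The `actions/checkout@v2` and `actions/setup-java@v1` references are older majors than the `@v4` / `@v3` used by the other templates in this series; while the Appknox action itself is correctly pinned to a commit SHA, the surrounding steps should be brought to current majors too.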
From: Andrew Eisenberg Date: Tue, 10 Sep 2024 11:10:00 -0700 Subject: [PATCH 838/844] Update eslint.yml Ensure suppressed warnings don't make it into the SARIF. --- code-scanning/eslint.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml index 7304e8358a..4c34d46ddb 100644 --- a/code-scanning/eslint.yml +++ b/code-scanning/eslint.yml @@ -36,6 +36,8 @@ jobs: npm install @microsoft/eslint-formatter-sarif@2.1.7 - name: Run ESLint + env: + SARIF_ESLINT_IGNORE_SUPPRESSED: "true" run: npx eslint . --config .eslintrc.js --ext .js,.jsx,.ts,.tsx @@ -47,4 +49,4 @@ jobs: uses: github/codeql-action/upload-sarif@v3 with: sarif_file: eslint-results.sarif - wait-for-processing: true \ No newline at end of file + wait-for-processing: true From ddb47be88806996b76adbe1a1cb77d51be4925d8 Mon Sep 17 00:00:00 2001 From: Andrew Eisenberg Date: Tue, 10 Sep 2024 11:46:17 -0700 Subject: [PATCH 839/844] Update appknox.yml Fix linting errors (remove whitespace). --- code-scanning/appknox.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/code-scanning/appknox.yml b/code-scanning/appknox.yml index 0282b6cff7..7c4b5065d5 100644 --- a/code-scanning/appknox.yml +++ b/code-scanning/appknox.yml 
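Review bot: The new `env:` on the `Run ESLint` step sets `SARIF_ESLINT_IGNORE_SUPPRESSED` with no explanation in the workflow itself; the intent is only recoverable from the commit message. Add a comment above `env:` such as `# Keep results that are suppressed in the source out of the SARIF so they are not raised as code-scanning alerts` so adopters know why the variable is there and what they lose if they remove it.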
@@ -11,12 +11,12 @@ # # Instructions: # -# 1. In your repository settings, navigate to 'Secrets' and click on 'New repository secret.' Name the -# secret APPKNOX_ACCESS_TOKEN and paste your appknox user token into the value field. If you don't have a appknox token -# or need to generate a new one for GitHub, visit the Appknox Platform, go to Account Settings->Developer Settings +# 1. In your repository settings, navigate to 'Secrets' and click on 'New repository secret.' Name the +# secret APPKNOX_ACCESS_TOKEN and paste your appknox user token into the value field. If you don't have a appknox token +# or need to generate a new one for GitHub, visit the Appknox Platform, go to Account Settings->Developer Settings # and create a token labeled GitHub # -# 2. Refer to the detailed workflow below, make any required adjustments, and then save it to your repository. After the +# 2. Refer to the detailed workflow below, make any required adjustments, and then save it to your repository. After the # action executes, check the 'Security' tab for results name: Appknox @@ -37,10 +37,10 @@ jobs: java-version: 1.8 - name: Grant execute permission for gradlew run: chmod +x gradlew - + - name: Build the app run: ./gradlew build # Update this to build your Android or iOS application - + - name: Appknox GitHub action uses: appknox/appknox-github-action@b7d2bfb2321d5544e97bffcba48557234ab953a4 with: @@ -48,7 +48,7 @@ jobs: file_path: app/build/outputs/apk/debug/app-debug.apk # Specify the path to your .ipa or .apk here risk_threshold: MEDIUM # Update this to desired risk threshold [LOW, MEDIUM, HIGH, CRITICAL] sarif: Enable - + - name: Upload SARIF to GHAS if: always() uses: github/codeql-action/upload-sarif@v3 From 9d2ae7c02812c6bcf7c52ea07edbd40ac70515a5 Mon Sep 17 00:00:00 2001 
From: Andrew Eisenberg Date: Tue, 10 Sep 2024 11:50:28 -0700 Subject: [PATCH 840/844] Update appknox.yml Fix more whitespace issues. --- code-scanning/appknox.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/appknox.yml b/code-scanning/appknox.yml index 7c4b5065d5..15d51e0b10 100644 --- a/code-scanning/appknox.yml +++ b/code-scanning/appknox.yml @@ -25,7 +25,7 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ $default-branch ] + branches: [ $default-branch ] jobs: appknox: runs-on: ubuntu-latest From dea60ba593828d8920e6169345ef3c469b80798d Mon Sep 17 00:00:00 2001 From: Andrew Eisenberg Date: Wed, 11 Sep 2024 11:12:06 -0700 Subject: [PATCH 841/844] Update code-scanning/eslint.yml --- code-scanning/eslint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml index 4c34d46ddb..b0aaeb3180 100644 --- a/code-scanning/eslint.yml +++ b/code-scanning/eslint.yml @@ -33,7 +33,7 @@ jobs: - name: Install ESLint run: | npm install eslint@8.10.0 - npm install @microsoft/eslint-formatter-sarif@2.1.7 + npm install @microsoft/eslint-formatter-sarif@3.1.0 - name: Run ESLint env: From 666350e29b10d665a82d5c6d1501a29e50d63c29 Mon Sep 17 00:00:00 2001 
From: ginilpg Date: Wed, 18 Sep 2024 00:20:21 +0530 Subject: [PATCH 842/844] Added appknox.yml for code scanning (#2498) Create appknox.json Create appknox.svg Update appknox.json Update appknox.svg Rename appknox.json to appknox.properties.json Update appknox.yml Update appknox.yml Update appknox.properties.json Formatting yml Removed preview mode from appknox scanner Removed preview mode from appknox scanner Add Appknox starter workflow (#2447) * Added appknox.yml for code scanning * Create appknox.json * Create appknox.svg * Update appknox.json * Update appknox.svg * Rename appknox.json to appknox.properties.json * Update appknox.yml * Update appknox.yml * Update appknox.properties.json * Formatting yml removed preview mode removed preview mode precommit lint --- code-scanning/appknox.yml | 8 +++----- code-scanning/properties/appknox.properties.json | 4 +--- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/code-scanning/appknox.yml b/code-scanning/appknox.yml index 15d51e0b10..68e4672392 100644 --- a/code-scanning/appknox.yml +++ b/code-scanning/appknox.yml @@ -30,11 +30,9 @@ jobs: appknox: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - name: Set up JDK 1.8 - uses: actions/setup-java@v1 - with: - java-version: 1.8 + - name: Checkout Code + uses: actions/checkout@v2 + - name: Grant execute permission for gradlew run: chmod +x gradlew diff --git a/code-scanning/properties/appknox.properties.json b/code-scanning/properties/appknox.properties.json index 4164291b69..8e8b1f268c 100644 --- a/code-scanning/properties/appknox.properties.json +++ b/code-scanning/properties/appknox.properties.json @@ -17,7 +17,5 @@ "JavaScript", "TypeScript", "Node" - ], - "labels": ["preview"] - + ] } From 09fa3b9723362634eb5877b2dd60fb884cb1f341 Mon Sep 17 00:00:00 2001 
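Review bot: The new `Checkout Code` step pins `actions/checkout@v2`, a major version whose Node runtime GitHub has deprecated, while the same workflow's `upload-sarif` step is already on v3 and the jfrog-sast workflow added later on this page uses `actions/checkout@v4`; `uses: actions/checkout@v4` keeps the starter current. Dropping the `setup-java` step leaves `./gradlew build` dependent on whatever JDK the `ubuntu-latest` image happens to ship, which is presumably acceptable for a template but deserves a comment on the checkout step, e.g. `# Relies on the JDK preinstalled on the runner; add actions/setup-java if a specific version is required`. The rest of the job (the Build and Appknox steps) continues outside the hunk.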
From: Ilya Khivrich Date: Mon, 21 Oct 2024 23:01:52 +0300 Subject: [PATCH 843/844] add jfrog-sast flow --- code-scanning/jfrog-sast.yml | 54 +++++++++++++++++++ .../properties/jfrog-sast.properties.json | 15 ++++++ 2 files changed, 69 insertions(+) create mode 100644 code-scanning/jfrog-sast.yml create mode 100644 code-scanning/properties/jfrog-sast.properties.json diff --git a/code-scanning/jfrog-sast.yml b/code-scanning/jfrog-sast.yml new file mode 100644 index 0000000000..aba617d86d --- /dev/null +++ b/code-scanning/jfrog-sast.yml 
@@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# JFrog SAST performs 1st party source code security analysis +# For more information, see +# https://docs.jfrog-applications.jfrog.io/jfrog-security-features/sast + +name: "JFrog SAST Scan" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch, $protected-branches ] + schedule: + - cron: $cron-weekly + +env: + # [Mandatory] + # JFrog platform URL and access token for + # a JFrog platform instance with active + # JFrog Advanced Security subscription + JF_URL: ${{ secrets.JF_URL }} + JF_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + + - name: Install and configure JFrog CLI + run: | + npm install -g jfrog-cli-v2-jf + jf c add --interactive=false --url=$JF_URL --access-token=$JF_TOKEN + + - name: Run JFrog SAST + run: | + jf audit --sast --format=sarif > jfrog_sast.sarif + + + - name: Upload output to generate autofix + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: jfrog_sast.sarif \ No newline at end of file diff --git a/code-scanning/properties/jfrog-sast.properties.json b/code-scanning/properties/jfrog-sast.properties.json new file mode 100644 index 0000000000..093d9c252a --- /dev/null +++ b/code-scanning/properties/jfrog-sast.properties.json 
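Review bot: `JF_TOKEN` and `JF_URL` are declared in the workflow-level `env:` block, so the access token is present in the environment of every step, including `npm install -g jfrog-cli-v2-jf`, which fetches an unpinned package and runs its install scripts before the token is ever needed; only the `Install and configure JFrog CLI` step uses it, so move `JF_URL: ${{ secrets.JF_URL }}` and `JF_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}` to a step-level `env:` on that step and pin the CLI version (`npm install -g jfrog-cli-v2-jf@<pinned-version>`). The `Upload output to generate autofix` step has no `if: always()`, unlike the Appknox workflow earlier on this page, so if `jf audit` exits non-zero on findings the SARIF is never uploaded — presumably unintended; verify the CLI's exit-code behaviour and add `if: always()` if so. `actions/setup-node@v4` is used without `node-version`, which likewise picks whatever the runner image provides.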
@@ -0,0 +1,15 @@ +{ + "name": "JFrog SAST", + "description": "Scan for security vulnerabilities in source code using JFrog SAST", + "iconName": "frogbot", + "categories": + [ + "Code Scanning", + "python", + "java", + "javascript", + "typescript", + "go" + ], + "creator": "JFrog" +} \ No newline at end of file From 7f50c702183846c848e2eb13df950a942ffd2374 Mon Sep 17 00:00:00 2001 From: Ilya Khivrich Date: Tue, 22 Oct 2024 11:53:35 +0300 Subject: [PATCH 844/844] pass token over stdin, add security to properties --- code-scanning/jfrog-sast.yml | 2 +- code-scanning/properties/jfrog-sast.properties.json | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/code-scanning/jfrog-sast.yml b/code-scanning/jfrog-sast.yml index aba617d86d..4ff7ef7e06 100644 --- a/code-scanning/jfrog-sast.yml +++ b/code-scanning/jfrog-sast.yml @@ -41,7 +41,7 @@ jobs: - name: Install and configure JFrog CLI run: | npm install -g jfrog-cli-v2-jf - jf c add --interactive=false --url=$JF_URL --access-token=$JF_TOKEN + echo $JF_TOKEN | jf c add --interactive=false --url=$JF_URL --access-token-stdin - name: Run JFrog SAST run: | diff --git a/code-scanning/properties/jfrog-sast.properties.json b/code-scanning/properties/jfrog-sast.properties.json index 093d9c252a..7ffa897e9f 100644 --- a/code-scanning/properties/jfrog-sast.properties.json +++ b/code-scanning/properties/jfrog-sast.properties.json @@ -5,6 +5,7 @@ "categories": [ "Code Scanning", + "security", "python", "java", "javascript",
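Review bot: `"iconName": "frogbot"` references an icon this commit does not add (the diffstat lists only the two new files), so unless an `icons/frogbot.svg` already exists in the repository the template will render without an icon; either ship an SVG and point `iconName` at it (e.g. `"iconName": "<icon-name>"`, placeholder) or confirm the existing icon in the PR. The `categories` entries are lower-case (`"python"`, `"java"`, `"javascript"`) while the Appknox properties earlier on this page use `"Java"`, `"JavaScript"`; the inconsistent casing may affect how the template catalog groups languages, so match the existing convention.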
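Review bot: `echo $JF_TOKEN | jf c add …` expands the secret unquoted, so the shell word-splits and glob-expands it before `echo` sees it, and `echo` may treat a value beginning with `-` as an option; `printf '%s' "$JF_TOKEN" | jf c add --interactive=false --url="$JF_URL" --access-token-stdin` avoids both. Moving the token off the command line is the right direction, but the secret is still exported through the workflow-level `env:` (outside this hunk) to every step, including the unpinned `npm install -g jfrog-cli-v2-jf` that precedes this line; scoping `JF_TOKEN` to this step's `env:` would limit that exposure. The enclosing `run: |` block and job continue outside the hunk.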