From eeb84c9ae6f1844ca670440d5e8259830defcdfd Mon Sep 17 00:00:00 2001 From: Abir Majumdar Date: Thu, 28 Oct 2021 10:55:20 -0400 Subject: [PATCH 01/44] Adding Psalm PHP scanning to Starter Workflows --- .../properties/psalm.properties.json | 10 +++++++ code-scanning/psalm.yml | 30 +++++++++++++++++++ icons/psalm.svg | 23 ++++++++++++++ 3 files changed, 63 insertions(+) create mode 100644 code-scanning/properties/psalm.properties.json create mode 100644 code-scanning/psalm.yml create mode 100644 icons/psalm.svg diff --git a/code-scanning/properties/psalm.properties.json b/code-scanning/properties/psalm.properties.json new file mode 100644 index 0000000..711fd39 --- /dev/null +++ b/code-scanning/properties/psalm.properties.json @@ -0,0 +1,10 @@ +{ + "name": "Psalm Security Scan", + "creator": "psalm", + "description": "Psalm is a static analysis tool for finding errors in PHP applications", + "iconName": "mobsf", + "categories": [ + "Code Scanning", + "PHP" + ] +} \ No newline at end of file diff --git a/code-scanning/psalm.yml b/code-scanning/psalm.yml new file mode 100644 index 0000000..b4c7aba --- /dev/null +++ b/code-scanning/psalm.yml @@ -0,0 +1,30 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Psalm Security Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + php-security: + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Psalm Security Scan + uses: psalm/psalm-github-security-scan@f3e6fd9432bc3e44aec078572677ce9d2ef9c287 + + - name: Upload Security Analysis results to GitHub + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif \ No newline at end of file 
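Review bot: The job in the new `code-scanning/psalm.yml` declares no `permissions:` block, so checkout, the third-party psalm action and `upload-sarif` all run with the repository's default `GITHUB_TOKEN` scope instead of the `contents: read` and `security-events: write` the steps actually need. PATCH 05 in this series adds that block, but it belongs in the initial version of the template. The psalm action is pinned to a full commit SHA, which is the right choice for a non-certified action, yet with no trailing version comment a reader cannot tell which release the SHA corresponds to, so I would write `uses: psalm/psalm-github-security-scan@f3e6fd9432bc3e44aec078572677ce9d2ef9c287 # <release tag>` with the tag filled in. The same missing comment applies to the SHA pins introduced in PATCH 10 (`erlef/setup-beam`), PATCH 14 (`gradle/gradle-build-action`), PATCH 17 (`denoland/setup-deno`) and PATCH 23 (`endorlabs/github-action`).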
diff --git a/icons/psalm.svg b/icons/psalm.svg new file mode 100644 index 0000000..3533e2d --- /dev/null +++ b/icons/psalm.svg @@ -0,0 +1,23 @@ + + + + + + + + + + + + + + + + + + + + + + + From ec35be8871f419348e0b448a3a5a5e2987287522 Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Wed, 10 Nov 2021 11:31:39 -0500 Subject: [PATCH 02/44] Update psalm.properties.json --- code-scanning/properties/psalm.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/psalm.properties.json b/code-scanning/properties/psalm.properties.json index 711fd39..cba67b4 100644 --- a/code-scanning/properties/psalm.properties.json +++ b/code-scanning/properties/psalm.properties.json @@ -2,9 +2,9 @@ "name": "Psalm Security Scan", "creator": "psalm", "description": "Psalm is a static analysis tool for finding errors in PHP applications", - "iconName": "mobsf", + "iconName": "psalm", "categories": [ "Code Scanning", "PHP" ] -} \ No newline at end of file +} From f35be5c494bbd11675293a19c91e471191d9d66d Mon Sep 17 00:00:00 2001 From: Emmanuel Roullit Date: Fri, 27 Jan 2023 13:58:39 +0100 Subject: [PATCH 03/44] icon: refresh psalm logo Signed-off-by: Emmanuel Roullit --- icons/psalm.svg | 24 +----------------------- 1 file changed, 1 insertion(+), 23 deletions(-) diff --git a/icons/psalm.svg b/icons/psalm.svg index 3533e2d..fd9d347 100644 --- a/icons/psalm.svg +++ b/icons/psalm.svg @@ -1,23 +1 @@ - - - - - - - - - - - - - - - - - - - - - - - + \ No newline at end of file From ac13a846c956442df592a674cac09e7208c1ed3e Mon Sep 17 00:00:00 2001 From: Emmanuel Roullit Date: Fri, 27 Jan 2023 14:04:26 +0100 Subject: [PATCH 04/44] ci: remove trailing whitespaces Signed-off-by: Emmanuel Roullit --- code-scanning/properties/psalm.properties.json | 2 +- code-scanning/psalm.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/code-scanning/properties/psalm.properties.json b/code-scanning/properties/psalm.properties.json index cba67b4..381a312 100644 --- a/code-scanning/properties/psalm.properties.json +++ b/code-scanning/properties/psalm.properties.json @@ -4,7 +4,7 @@ "description": "Psalm is a static analysis tool for finding errors in PHP applications", "iconName": "psalm", "categories": [ - "Code Scanning", + "Code Scanning", "PHP" ] } diff --git a/code-scanning/psalm.yml b/code-scanning/psalm.yml index b4c7aba..d6226a1 100644 --- a/code-scanning/psalm.yml +++ b/code-scanning/psalm.yml @@ -9,21 +9,21 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ $default-branch ] + branches: [ $default-branch ] schedule: - cron: $cron-weekly jobs: php-security: runs-on: ubuntu-latest - + steps: - name: Checkout code uses: actions/checkout@v2 - name: Psalm Security Scan uses: psalm/psalm-github-security-scan@f3e6fd9432bc3e44aec078572677ce9d2ef9c287 - + - name: Upload Security Analysis results to GitHub uses: github/codeql-action/upload-sarif@v1 with: From f07709949e75d13e1511700953273eb80da4635c Mon Sep 17 00:00:00 2001 From: Emmanuel Roullit Date: Fri, 27 Jan 2023 14:13:04 +0100 Subject: [PATCH 05/44] ci: restrict starter workflow permissions Signed-off-by: Emmanuel Roullit --- code-scanning/psalm.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/code-scanning/psalm.yml b/code-scanning/psalm.yml index d6226a1..d35787e 100644 --- a/code-scanning/psalm.yml +++ b/code-scanning/psalm.yml 
@@ -9,13 +9,21 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: + # The branches below must be a subset of the branches above branches: [ $default-branch ] schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: php-security: runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code @@ -27,4 +35,4 @@ jobs: - name: Upload Security Analysis results to GitHub uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: results.sarif \ No newline at end of file + sarif_file: results.sarif From 3a818c491024917b28e503cbac0e1aa1d07a8fbd Mon Sep 17 00:00:00 2001 From: Emmanuel Roullit Date: Fri, 27 Jan 2023 14:13:37 +0100 Subject: [PATCH 06/44] ci: bump github actions version Signed-off-by: Emmanuel Roullit --- code-scanning/psalm.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/psalm.yml b/code-scanning/psalm.yml index d35787e..1e88766 100644 --- a/code-scanning/psalm.yml +++ b/code-scanning/psalm.yml @@ -27,12 +27,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Psalm Security Scan uses: psalm/psalm-github-security-scan@f3e6fd9432bc3e44aec078572677ce9d2ef9c287 - name: Upload Security Analysis results to GitHub - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif From c26da3749c8d37900fd0ac34b90056670424a926 Mon Sep 17 00:00:00 2001 From: ElizabethBarrord Date: Thu, 2 Feb 2023 17:31:49 +0000 Subject: [PATCH 07/44] adding credo workflow --- code-scanning/credo.yml | 60 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 code-scanning/credo.yml 
diff --git a/code-scanning/credo.yml b/code-scanning/credo.yml
new file mode 100644
index 0000000..f69159b
--- /dev/null
+++ b/code-scanning/credo.yml
@@ -0,0 +1,60 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+
+# Credo is a static code analysis tool for the Elixir language with a focus on teaching and code consistency.
+# https://github.com/rrrene/credo
+#
+# To use this workflow, you must have GitHub Advanced Security (GHAS) enabled for your repository.
+#
+# Instructions:
+# 1. Add :credo as a dependency to your project's mix.exs with version ~> 1.7.0-rc.1 - https://github.com/rrrene/credo#installation-and-usage
+# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository
+# and review the "Security" tab once the action has run.
+
+name: Credo
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ security-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ otp: [version]
+ elixir: [version]
+ steps:
+ - uses: actions/checkout@v3
+ - uses: erlef/setup-beam@v1
+ with:
+ otp-version: ${{matrix.otp}}
+ elixir-version: ${{matrix.elixir}}
+ - name: get dependencies
+ run: mix deps.get
+ - name: compile dependencies
+ run: mix deps.compile
+ - name: compile
+ run: mix compile
+ - name: credo-scan
+ run: mix credo --format=sarif > credo_output.sarif
+ - name: upload sarif
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: credo_output.sarif
From 77bc6e809fc1431ae3f609be5f4c35b63a5964d0 Mon Sep 17 00:00:00 2001
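Review bot: `mix credo --format=sarif > credo_output.sarif` in the `credo-scan` step fails exactly when there is something to report, because Credo exits non-zero by default when it finds issues, and a failed step stops the job before `upload sarif` runs, so results reach the Security tab only for clean scans. Suggest `run: mix credo --format=sarif --mute-exit-status > credo_output.sarif`; if the job should still fail on findings, keep the command as is and add `if: always()` to the `upload sarif` step instead. Separately, `erlef/setup-beam@v1` is a non-certified third-party action referenced by a mutable tag while the header comment tells users it is governed by separate terms; a full-SHA pin with a version comment (PATCH 10 in this series adds the pin) is the safer form for a starter template.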
From: ElizabethBarrord Date: Wed, 22 Feb 2023 15:39:47 +0000 Subject: [PATCH 08/44] add credo properties --- code-scanning/properties/credo.properties.json | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 code-scanning/properties/credo.properties.json diff --git a/code-scanning/properties/credo.properties.json b/code-scanning/properties/credo.properties.json new file mode 100644 index 0000000..3a86a10 --- /dev/null +++ b/code-scanning/properties/credo.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Credo Scan", + "creator": "Credo", + "description": "Credo is a static code analysis tool for the Elixir language with a focus on teaching and code consistency.", + "categories": ["Code Scanning", "Elixir"] +} \ No newline at end of file From f5cfb3ea9c17d9f3031dc88a7b065108653916e8 Mon Sep 17 00:00:00 2001 From: ElizabethBarrord Date: Tue, 7 Mar 2023 14:52:54 -0600 Subject: [PATCH 09/44] Update code-scanning/credo.yml Co-authored-by: Sampark Sharma --- code-scanning/credo.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/credo.yml b/code-scanning/credo.yml index f69159b..7861c02 100644 --- a/code-scanning/credo.yml +++ b/code-scanning/credo.yml @@ -33,6 +33,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest strategy: fail-fast: false From 07c72062df203ca1bd7062f410eaeaf37992e0b1 Mon Sep 17 00:00:00 2001 From: ElizabethBarrord Date: Tue, 7 Mar 2023 20:56:57 +0000 Subject: [PATCH 10/44] adding commit sha to for action --- code-scanning/credo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/credo.yml b/code-scanning/credo.yml index 7861c02..9a77881 100644 --- a/code-scanning/credo.yml +++ b/code-scanning/credo.yml 
@@ -42,7 +42,7 @@ jobs: elixir: [version] steps: - uses: actions/checkout@v3 - - uses: erlef/setup-beam@v1 + - uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f with: otp-version: ${{matrix.otp}} elixir-version: ${{matrix.elixir}} From 19a9f5df85afdfd434d0d1cbec9b033e4feb9b8c Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Thu, 9 Mar 2023 13:49:38 -0500 Subject: [PATCH 11/44] Add runner size docs --- code-scanning/codeql.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index f0c3beb..79a4a7c 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -23,6 +23,11 @@ on: jobs: analyze: name: Analyze + # Runner size impacts CodeQL analysis time. Please see: + # https://gh.io/recommended-hardware-resources-for-running-codeql + # https://gh.io/supported-runners-and-hardware-resources + # https://gh.io/using-larger-runners + # to learn more. runs-on: ubuntu-latest permissions: actions: read From fc5ffa2714ad1088b5c57c94e31093aaeeb0f592 Mon Sep 17 00:00:00 2001 From: ElizabethBarrord Date: Fri, 24 Mar 2023 14:14:25 +0000 Subject: [PATCH 12/44] removed whitespace --- code-scanning/credo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/credo.yml b/code-scanning/credo.yml index 9a77881..c1fb8d1 100644 --- a/code-scanning/credo.yml +++ b/code-scanning/credo.yml @@ -46,7 +46,7 @@ jobs: with: otp-version: ${{matrix.otp}} elixir-version: ${{matrix.elixir}} - - name: get dependencies + - name: get dependencies run: mix deps.get - name: compile dependencies run: mix deps.compile From b9b82275918a75a68714fe4edda0810552a65e23 Mon Sep 17 00:00:00 2001 From: Issy Long Date: Tue, 11 Apr 2023 15:40:06 +0100 Subject: [PATCH 13/44] Add Swift to the list of CodeQL-supported languages - This is in public beta. --- code-scanning/properties/codeql.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index f5e78bf..8aaa8f5 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -2,7 +2,7 @@ "name": "CodeQL Analysis", "creator": "GitHub", "enterprise": true, - "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, Ruby and Kotlin developers.", + "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, Ruby, Kotlin and Swift developers.", "iconName": "octicon mark-github", - "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby", "Kotlin"] + "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby", "Kotlin", "Swift"] } From 744aa3940ae8bc1de5fb3d4a5d58832d1fa70573 Mon Sep 17 00:00:00 2001 From: daz Date: Tue, 18 Apr 2023 12:10:27 -0600 Subject: [PATCH 14/44] Update to v2.4.2 of gradle/gradle-build-action This update contains important fixes and we recommend that all new workflows use this version. --- ci/gradle-publish.yml | 4 ++-- ci/gradle.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 42eae27..326c3ca 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml 
@@ -30,14 +30,14 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Build with Gradle - uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1 + uses: gradle/gradle-build-action@749f47bda3e44aa060e82d7b3ef7e40d953bd629 with: arguments: build # The USERNAME and TOKEN need to correspond to the credentials environment variables used in # the publishing section of your build.gradle - name: Publish to GitHub Packages - uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1 + uses: gradle/gradle-build-action@749f47bda3e44aa060e82d7b3ef7e40d953bd629 with: arguments: publish env: diff --git a/ci/gradle.yml b/ci/gradle.yml index 2be0b58..461a705 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -29,6 +29,6 @@ jobs: java-version: '11' distribution: 'temurin' - name: Build with Gradle - uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1 + uses: gradle/gradle-build-action@749f47bda3e44aa060e82d7b3ef7e40d953bd629 with: arguments: build From f6b2d354a2ab0113314ab63a77d94d6532475e47 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 18 Apr 2023 20:56:17 +0000 Subject: [PATCH 15/44] Bump peter-evans/close-issue from 2 to 3 Bumps [peter-evans/close-issue](https://github.com/peter-evans/close-issue) from 2 to 3. - [Release notes](https://github.com/peter-evans/close-issue/releases) - [Commits](https://github.com/peter-evans/close-issue/compare/v2...v3) --- updated-dependencies: - dependency-name: peter-evans/close-issue dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/label-feature.yml | 2 +- .github/workflows/label-support.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/label-feature.yml b/.github/workflows/label-feature.yml index 122caac..aaf1e7e 100644 --- a/.github/workflows/label-feature.yml 
+++ b/.github/workflows/label-feature.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Close Issue - uses: peter-evans/close-issue@v2 + uses: peter-evans/close-issue@v3 if: contains(github.event.issue.labels.*.name, 'feature') with: comment: | diff --git a/.github/workflows/label-support.yml b/.github/workflows/label-support.yml index e762afc..639ae0a 100644 --- a/.github/workflows/label-support.yml +++ b/.github/workflows/label-support.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Close Issue - uses: peter-evans/close-issue@v2 + uses: peter-evans/close-issue@v3 if: contains(github.event.issue.labels.*.name, 'support') with: comment: | From 2f530b0cd479c1e07141f409afdd623b43179869 Mon Sep 17 00:00:00 2001 From: Stephen Chudleigh Date: Wed, 26 Apr 2023 01:21:31 -0700 Subject: [PATCH 16/44] Update elixir.yml Fixes the build error on the default build action and updates the Erlang/Elixir versions. --- ci/elixir.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/elixir.yml b/ci/elixir.yml index 371ff24..9890efd 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -23,10 +23,10 @@ jobs: steps: - uses: actions/checkout@v3 - name: Set up Elixir - uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f + uses: erlef/setup-beam@v1 with: - elixir-version: '1.12.3' # Define the elixir version [required] - otp-version: '24.1' # Define the OTP version [required] + elixir-version: '1.14.4' # Define the elixir version [required] + otp-version: '25.3' # Define the OTP version [required] - name: Restore dependencies cache uses: actions/cache@v3 with: From 4c95f1b7e49b61adcfe16b906abc6955919baa4e Mon Sep 17 00:00:00 2001 From: Leo Kettmeir Date: Wed, 3 May 2023 12:17:51 +0200 Subject: [PATCH 17/44] Update denoland/setup-deno workflow --- ci/deno.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/deno.yml b/ci/deno.yml index 5ee940d..c48292e 100644 --- a/ci/deno.yml +++ b/ci/deno.yml 
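Review bot: Changing `erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f` to `erlef/setup-beam@v1` in `ci/elixir.yml` replaces an immutable commit pin with a mutable tag, so any future move of that tag by the action's maintainers, or a compromise of it, would run in every workflow generated from this template with no diff here. If the old SHA predates the fix for the build error the description mentions, the fix is to move the pin forward to the SHA of the setup-beam release that works with Elixir 1.14.4 / OTP 25.3, keeping a version comment, e.g. `uses: erlef/setup-beam@<commit sha of chosen release> # vX.Y.Z`, rather than dropping the pin. This also goes the opposite direction from PATCH 10, which pins the same action by SHA in `code-scanning/credo.yml`; the two templates should agree. The enclosing `jobs:` block starts and ends outside the hunk.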
@@ -27,7 +27,7 @@ jobs: - name: Setup Deno # uses: denoland/setup-deno@v1 - uses: denoland/setup-deno@9db7f66e8e16b5699a514448ce994936c63f0d54 + uses: denoland/setup-deno@61fe2df320078202e33d7d5ad347e7dcfa0e8f31 with: deno-version: v1.x From b54241071aa42253f58aefd5d960e98471d97f37 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Batuhan=20Apayd=C4=B1n?= Date: Mon, 15 May 2023 21:44:39 +0300 Subject: [PATCH 18/44] use intermediate environment variables to avoid risks of script injection MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Batuhan Apaydın --- ci/docker-publish.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index d57b2f1..4aaca04 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -41,10 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 + uses: sigstore/cosign-installer@03d0fecf172873164a163bbc64bed0f3bf114ed7 #v3.4.0 with: - cosign-release: 'v1.13.1' - + cosign-release: 'v2.0.2' # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx @@ -90,7 +89,9 @@ jobs: - name: Sign the published Docker image if: ${{ github.event_name != 'pull_request' }} env: - COSIGN_EXPERIMENTAL: "true" + # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable + TAGS: ${{ steps.meta.outputs.tags }} + DIGEST: ${{ steps.build-and-push.outputs.digest }} # This step uses the identity token to provision an ephemeral certificate # against the sigstore community Fulcio instance. - run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} + run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} 
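Review bot: The intermediate-variable form in the second hunk is the right fix for expression injection, but the added `--yes` flag on `cosign sign` is undocumented: in cosign v2 it replaces the interactive confirmation that the signature and the Fulcio certificate carrying this workflow's identity are uploaded to the public Rekor transparency log, which is a decision template users should see. Suggest a comment above the `run:` line: `# --yes: non-interactive; acknowledges that the signature and the workflow's identity are recorded in the public transparency log`. Dropping `COSIGN_EXPERIMENTAL` is correct for cosign v2, where keyless signing is the default, but a one-line comment saying so would stop readers of later diffs from re-adding it. The enclosing job starts outside the hunk.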
From b015c848b62afa863d3f5607a61b1604ee66ebea Mon Sep 17 00:00:00 2001 From: Aditya Sharad <6874315+adityasharad@users.noreply.github.com> Date: Mon, 22 May 2023 10:10:15 -0700 Subject: [PATCH 19/44] CodeQL: Reduce job timeout to 2h if the target language is Swift Some projects observed intermittent build timeouts with Swift. In case this happens, and our CodeQL-level mitigations do not prevent the problem, we want to avoid using up 6h of the customer's billed macOS Actions minutes (which is the default timeout), so we suggest a reduced timeout of 2h. This value is chosen to accommodate the total job time (build + CodeQL extraction + CodeQL analysis) we expect for large Swift projects. We may choose to adjust it in future. --- code-scanning/codeql.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index bd394ae..e901a24 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -24,6 +24,7 @@ jobs: analyze: name: Analyze runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} permissions: actions: read contents: read From ee518ae76c27a9700e06499dd8f8c1c99d6d0316 Mon Sep 17 00:00:00 2001 From: Beth Brennan <34719884+elbrenn@users.noreply.github.com> Date: Wed, 31 May 2023 13:38:11 -0400 Subject: [PATCH 20/44] Update CODEOWNERS --- CODEOWNERS | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CODEOWNERS b/CODEOWNERS index 0a7c0a5..a47bd5b 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,4 +1,4 @@ -* @actions/starter-workflows +* @actions/actions-workflow-development-reviewers -/code-scanning/ @actions/advanced-security-code-scanning @actions/starter-workflows -/pages/ @actions/pages @actions/starter-workflows +/code-scanning/ @actions/advanced-security-code-scanning @actions/actions-workflow-development-reviewers +/pages/ @actions/pages @actions/actions-workflow-development-reviewers 
From 437d407a8a0b4ff654b5ccc6f3ef59c946cb5210 Mon Sep 17 00:00:00 2001 From: Jamie Scott Date: Tue, 6 Jun 2023 16:22:48 -0700 Subject: [PATCH 21/44] add Endor Labs --- code-scanning/endorlabs.yml | 46 ++ .../properties/endorlabs.properties.json | 7 + icons/endorlabs.svg | 426 ++++++++++++++++++ 3 files changed, 479 insertions(+) create mode 100644 code-scanning/endorlabs.yml create mode 100644 code-scanning/properties/endorlabs.properties.json create mode 100644 icons/endorlabs.svg diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml new file mode 100644 index 0000000..5f6e867 --- /dev/null +++ b/code-scanning/endorlabs.yml 
@@ -0,0 +1,46 @@
+name: Endor Labs Scan
+on:
+ push:
+ branches: [ $default-branch ]
+ pull_request:
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+jobs:
+ scan:
+ permissions:
+ security-events: write # Used to upload sarif artifact to GitHub
+ contents: read # Used to checkout a private repository but actions/checkout.
+ actions: read # Required for private repositories to upload sarif files. GitHub Advanced Security licenses are required.
+ id-token: write # Used for keyless authentication to Endor Labs
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v3
+ #### Package Build Instructions
+ ### Use this section to define the build steps used by your software package.
+ ### Endor Labs does this for you when possible.
+ # - name: Setup Java
+ # uses: actions/setup-java@v3
+ # with:
+ # distribution: 'microsoft'
+ # java-version: '17'
+ # - name: Build Package
+ # run: mvn clean install
+ - name: Endor Labs Scan Pull Request
+ if: github.event_name == 'pull_request'
+ uses: endorlabs/github-action@main
+ with:
+ namespace: "example" # Modify the namespace to your Endor Labs tenant namespace.
+ sarif_file: findings.sarif
+ - name: Endor Labs Scan Push to main
+ if: github.event_name == 'push'
+ uses: endorlabs/github-action@main
+ with:
+ namespace: "example" # Modify the namespace to your Endor Labs tenant namespace.
+ ci_run: "false"
+ sarif_file: findings.sarif
+ - name: Upload SARIF to github
+ uses: github/codeql-action/upload-sarif@9885f86fab4879632b7e44514f19148225dfbdcd
+ with:
+ sarif_file: findings.sarif
\ No newline at end of file
diff --git a/code-scanning/properties/endorlabs.properties.json b/code-scanning/properties/endorlabs.properties.json
new file mode 100644
index 0000000..8c4cbb0
--- /dev/null
+++ b/code-scanning/properties/endorlabs.properties.json
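Review bot: Both Endor Labs scan steps in the new `code-scanning/endorlabs.yml` are gated on `pull_request` or `push`, but the workflow also declares a weekly `schedule:` trigger; on a scheduled run only checkout and the final `upload-sarif` step execute, and that step fails because `findings.sarif` was never written. Suggest `if: github.event_name != 'pull_request'` on the `Endor Labs Scan Push to main` step so scheduled runs scan and upload as well. Separately, `uses: endorlabs/github-action@main` references a mutable branch while the job grants `id-token: write`, so any future commit on that branch would run with the ability to obtain this repository's OIDC token; a full commit SHA with a version comment is the appropriate pin for a non-certified action (PATCH 23 in this series does this, but the initial version should not ship `@main`).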
@@ -0,0 +1,7 @@ +{ + "name": "Endor Labs Scan", + "creator": "EndorLabs", + "description": "Identify, prioritize and address open source and code governance issues with Endor Labs.", + "iconName": "endorlabs", + "categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "ruby", "go", "kotlin", "scala" ] +} \ No newline at end of file diff --git a/icons/endorlabs.svg b/icons/endorlabs.svg new file mode 100644 index 0000000..04f1287 --- /dev/null +++ b/icons/endorlabs.svg @@ -0,0 +1,426 @@ + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file From 43f7851be318b6c6d3f53cc2dcc716304ce0b1f4 Mon Sep 17 00:00:00 2001 From: Jamie Scott Date: Tue, 6 Jun 2023 20:20:00 -0700 Subject: [PATCH 22/44] Change to specified version --- code-scanning/endorlabs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index 5f6e867..cc7ebaa 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml @@ -35,7 +35,7 @@ jobs: sarif_file: findings.sarif - name: Endor Labs Scan Push to main if: github.event_name == 'push' - uses: endorlabs/github-action@main + uses: endorlabs/github-action@v1.0.0 with: namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. ci_run: "false" @@ -43,4 +43,4 @@ jobs: - name: Upload SARIF to github uses: github/codeql-action/upload-sarif@9885f86fab4879632b7e44514f19148225dfbdcd with: - sarif_file: findings.sarif \ No newline at end of file + sarif_file: findings.sarif From ea40b7a2671cddb7c82f6daf4ac2f299bd4ca475 Mon Sep 17 00:00:00 2001 From: Jamie Scott Date: Tue, 6 Jun 2023 20:22:38 -0700 Subject: [PATCH 23/44] Update to commit sha --- code-scanning/endorlabs.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index cc7ebaa..b3d92c4 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml 
@@ -29,13 +29,13 @@ jobs: # run: mvn clean install - name: Endor Labs Scan Pull Request if: github.event_name == 'pull_request' - uses: endorlabs/github-action@main + uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c with: namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. sarif_file: findings.sarif - - name: Endor Labs Scan Push to main - if: github.event_name == 'push' - uses: endorlabs/github-action@v1.0.0 + - name: Endor Labs Scan Monitor + if: github.event_name == 'push' + uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c with: namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. ci_run: "false" From bb9bbc31d84c8b28e3aad02f5a7124bf710ccc72 Mon Sep 17 00:00:00 2001 From: ElizabethBarrord Date: Wed, 7 Jun 2023 17:28:33 -0500 Subject: [PATCH 24/44] add line at eof and adding icon --- code-scanning/properties/credo.properties.json | 3 ++- icons/code.svg | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 icons/code.svg diff --git a/code-scanning/properties/credo.properties.json b/code-scanning/properties/credo.properties.json index 3a86a10..cdc621f 100644 --- a/code-scanning/properties/credo.properties.json +++ b/code-scanning/properties/credo.properties.json @@ -2,5 +2,6 @@ "name": "Credo Scan", "creator": "Credo", "description": "Credo is a static code analysis tool for the Elixir language with a focus on teaching and code consistency.", + "iconName": "code", "categories": ["Code Scanning", "Elixir"] -} \ No newline at end of file +} diff --git a/icons/code.svg b/icons/code.svg new file mode 100644 index 0000000..ee64cbc --- /dev/null +++ b/icons/code.svg @@ -0,0 +1 @@ + \ No newline at end of file From 82f55d00bdc01e81e34edf2ce29733c6f96f0ef1 Mon Sep 17 00:00:00 2001 
From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Thu, 8 Jun 2023 12:08:28 -0400 Subject: [PATCH 25/44] Bump DR to take advantage of latest features --- code-scanning/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index fe461b4..b0dedc4 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -17,4 +17,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@v3 - name: 'Dependency Review' - uses: actions/dependency-review-action@v2 + uses: actions/dependency-review-action@v3 From 47e25f909529738fcd02d3f6a07224e4cd35f0b6 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Mon, 12 Jun 2023 11:13:06 +0100 Subject: [PATCH 26/44] CodeQL: Update autobuild comment Add Swift to the list of compiled languages that autobuild will try to build. --- code-scanning/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index e901a24..0b8af33 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -56,7 +56,7 @@ jobs: # queries: security-extended,security-and-quality - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild uses: github/codeql-action/autobuild@v2 From fae93dfd03b4d95ea199d016c0177a0e9acf5036 Mon Sep 17 00:00:00 2001 From: Jamie Scott Date: Mon, 12 Jun 2023 19:05:57 -0700 Subject: [PATCH 27/44] Update endorlabs.properties.json --- code-scanning/properties/endorlabs.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/endorlabs.properties.json b/code-scanning/properties/endorlabs.properties.json index 8c4cbb0..f251c7b 100644 
--- a/code-scanning/properties/endorlabs.properties.json +++ b/code-scanning/properties/endorlabs.properties.json @@ -4,4 +4,4 @@ "description": "Identify, prioritize and address open source and code governance issues with Endor Labs.", "iconName": "endorlabs", "categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "ruby", "go", "kotlin", "scala" ] -} \ No newline at end of file +} From 9988e13794684252e6aed931cfe876d5eb0afdf4 Mon Sep 17 00:00:00 2001 From: Jamie Scott Date: Mon, 12 Jun 2023 19:08:27 -0700 Subject: [PATCH 28/44] Update endorlabs.yml --- code-scanning/endorlabs.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index b3d92c4..cc9d71f 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml @@ -15,7 +15,7 @@ jobs: id-token: write # Used for keyless authentication to Endor Labs runs-on: ubuntu-latest steps: - - name: Checkout Repository + - name: Checkout repository uses: actions/checkout@v3 #### Package Build Instructions ### Use this section to define the build steps used by your software package. @@ -27,13 +27,13 @@ jobs: # java-version: '17' # - name: Build Package # run: mvn clean install - - name: Endor Labs Scan Pull Request + - name: Endor Labs scan pull request if: github.event_name == 'pull_request' uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c with: namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. sarif_file: findings.sarif - - name: Endor Labs Scan Monitor + - name: Endor Labs scan monitor if: github.event_name == 'push' uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c with: From 018bc7064380b34483c023064f31435f65011ecd Mon Sep 17 00:00:00 2001 From: Jamie Scott Date: Mon, 12 Jun 2023 19:08:58 -0700 Subject: [PATCH 29/44] Update endorlabs.yml --- code-scanning/endorlabs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml
index cc9d71f..7c69cb4 100644
--- a/code-scanning/endorlabs.yml
+++ b/code-scanning/endorlabs.yml
@@ -1,4 +1,4 @@
-name: Endor Labs Scan
+name: Endor Labs
 on:
 push:
 branches: [ $default-branch ]
From c6e2cb88e6e745ed8ad5c23581c173668afb4319 Mon Sep 17 00:00:00 2001
From: Jamie Scott
Date: Thu, 15 Jun 2023 09:11:51 -0700
Subject: [PATCH 30/44] Add comments header
---
 code-scanning/endorlabs.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml
index 7c69cb4..59a9a29 100644
--- a/code-scanning/endorlabs.yml
+++ b/code-scanning/endorlabs.yml
@@ -1,7 +1,12 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
 name: Endor Labs
 on:
 push:
- branches: [ $default-branch ]
+ branches: [ $default-branch, $protected-branches ]
 pull_request:
 branches: [ $default-branch ]
 schedule:
From 6da5a650b9818dfd8ecff77ba25ff5d79d0119fb Mon Sep 17 00:00:00 2001
From: Jamie Scott
Date: Thu, 15 Jun 2023 09:13:08 -0700
Subject: [PATCH 31/44] Update case and spacing
---
 code-scanning/properties/endorlabs.properties.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/code-scanning/properties/endorlabs.properties.json b/code-scanning/properties/endorlabs.properties.json
index f251c7b..4347f4c 100644
--- a/code-scanning/properties/endorlabs.properties.json
+++ b/code-scanning/properties/endorlabs.properties.json
@@ -1,6 +1,6 @@
 {
- "name": "Endor Labs Scan",
- "creator": "EndorLabs",
+ "name": "Endor Labs scan",
+ "creator": "Endor Labs",
 "description": "Identify, prioritize and address open source and code governance issues with Endor Labs.",
 "iconName": "endorlabs",
 "categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "ruby", "go", "kotlin", "scala" ]
From 03ce4e088fd4b766979b2642c82187dcff28b83c Mon Sep 17 00:00:00 2001
From: Jamie Scott
Date: Thu, 15 Jun 2023 10:36:30 -0700
Subject: [PATCH 32/44] Fix Linter Issues
---
 code-scanning/endorlabs.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml
index 59a9a29..1ad0e26 100644
--- a/code-scanning/endorlabs.yml
+++ b/code-scanning/endorlabs.yml
@@ -15,7 +15,7 @@ jobs:
 scan:
 permissions:
 security-events: write # Used to upload sarif artifact to GitHub
- contents: read # Used to checkout a private repository but actions/checkout.
+ contents: read # Used to checkout a private repository by actions/checkout.
 actions: read # Required for private repositories to upload sarif files. GitHub Advanced Security licenses are required.
 id-token: write # Used for keyless authentication to Endor Labs
 runs-on: ubuntu-latest
@@ -23,8 +23,8 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v3
 #### Package Build Instructions
- ### Use this section to define the build steps used by your software package.
- ### Endor Labs does this for you when possible.
+ ### Use this section to define the build steps used by your software package.
+ ### Endor Labs builds your software for you where possible but the required build tools must be made availible.
 # - name: Setup Java
 # uses: actions/setup-java@v3
 # with:
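Review bot: The rewritten build-instructions comment in the `@@ -23,8 +23,8 @@` hunk introduces a spelling error, `availible`, in a commit whose purpose is to fix lint findings. Suggest `### Endor Labs builds your software for you where possible, but the required build tools must be made available.` so the template reads cleanly for users who copy it. The commented-out Java setup block this sentence introduces continues past the end of the hunk.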
@@ -36,13 +36,13 @@ jobs:
 if: github.event_name == 'pull_request'
 uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c
 with:
- namespace: "example" # Modify the namespace to your Endor Labs tenant namespace.
+ namespace: "example" # Modify the namespace to your Endor Labs tenant namespace.
 sarif_file: findings.sarif
 - name: Endor Labs scan monitor
- if: github.event_name == 'push'
+ if: github.event_name == 'push'
 uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c
 with:
- namespace: "example" # Modify the namespace to your Endor Labs tenant namespace.
+ namespace: "example" # Modify the namespace to your Endor Labs tenant namespace.
 ci_run: "false"
 sarif_file: findings.sarif
 - name: Upload SARIF to github
From 2402be0dd2440854bd9c695066d297daaf836468 Mon Sep 17 00:00:00 2001
From: Chad Bentz <1760475+felickz@users.noreply.github.com>
Date: Thu, 15 Jun 2023 16:46:40 -0400
Subject: [PATCH 33/44] Update code-scanning/codeql.yml
Co-authored-by: Nick Liffen
---
 code-scanning/codeql.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml
index 79a4a7c..15398a7 100644
--- a/code-scanning/codeql.yml
+++ b/code-scanning/codeql.yml
@@ -27,7 +27,8 @@ jobs:
 # https://gh.io/recommended-hardware-resources-for-running-codeql
 # https://gh.io/supported-runners-and-hardware-resources
 # https://gh.io/using-larger-runners
- # to learn more.
+ # to learn more.
+ # Consider using larger runners for possible analysis time improvements.
 runs-on: ubuntu-latest
 permissions:
 actions: read
From fcf8a26d9d738ab865ef0fa1413a579df8424b6f Mon Sep 17 00:00:00 2001
From: Dmitry Shibanov
Date: Mon, 19 Jun 2023 11:47:56 +0200
Subject: [PATCH 34/44] bump go version and use single quotes
---
 ci/go.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ci/go.yml b/ci/go.yml
index e89f6c9..9f74f87 100644
--- a/ci/go.yml
+++ b/ci/go.yml
@@ -17,9 +17,9 @@ jobs:
 - uses: actions/checkout@v3
 - name: Set up Go
- uses: actions/setup-go@v3
+ uses: actions/setup-go@v4
 with:
- go-version: 1.19
+ go-version: '1.20'
 - name: Build
 run: go build -v ./...
From c6191f3c154ba8fc2b63183ac0d8e67897ea3c23 Mon Sep 17 00:00:00 2001
From: Joe Mooring
Date: Tue, 20 Jun 2023 22:39:07 -0700
Subject: [PATCH 35/44] Update Hugo version and switch to Dart Sass
---
 pages/hugo.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pages/hugo.yml b/pages/hugo.yml
index fd6c4b4..8d9fc97 100644
--- a/pages/hugo.yml
+++ b/pages/hugo.yml
@@ -31,14 +31,14 @@ jobs:
 build:
 runs-on: ubuntu-latest
 env:
- HUGO_VERSION: 0.108.0
+ HUGO_VERSION: 0.114.0
 steps:
 - name: Install Hugo CLI
 run: |
 wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb \
 && sudo dpkg -i ${{ runner.temp }}/hugo.deb
- - name: Install Dart Sass Embedded
- run: sudo snap install dart-sass-embedded
+ - name: Install Dart Sass
+ run: sudo snap install dart-sass
 - name: Checkout
 uses: actions/checkout@v3
 with:
From 0c238aec84e18522e7befaa32ccb39537e7dc44d Mon Sep 17 00:00:00 2001
From: "James M. Greene"
Date: Mon, 10 Jul 2023 23:00:03 -0500
Subject: [PATCH 36/44] Update all Pages starter workflows to use upload-pages-artifact@v2
---
 pages/astro.yml | 2 +-
 pages/gatsby.yml | 2 +-
 pages/hugo.yml | 2 +-
 pages/jekyll-gh-pages.yml | 2 +-
 pages/jekyll.yml | 2 +-
 pages/mdbook.yml | 2 +-
 pages/nextjs.yml | 2 +-
 pages/nuxtjs.yml | 2 +-
 pages/static.yml | 2 +-
 9 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/pages/astro.yml b/pages/astro.yml
index 4278958..ccbae47 100644
--- a/pages/astro.yml
+++ b/pages/astro.yml
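Review bot: Bumping `HUGO_VERSION` to 0.114.0 still leaves the "Install Hugo CLI" step fetching `hugo_extended_${HUGO_VERSION}_linux-amd64.deb` with `wget` and passing it straight to `sudo dpkg -i` with no integrity check, so every build installs whatever the release URL serves that day; HTTPS protects the transport, not against the asset being replaced at the source. Hugo publishes a checksums file with each release, so pinning the expected digest next to `HUGO_VERSION` and verifying it with `sha256sum -c` before `dpkg -i` makes the install reproducible and turns a swapped asset into a failed build rather than a silently altered site. The digest must then be refreshed together with `HUGO_VERSION`, and a version-bump commit like this one is the natural place to do it. The `build` job continues past the end of the hunk.
```yaml
    env:
      HUGO_VERSION: 0.114.0
      # sha256 of hugo_extended_${HUGO_VERSION}_linux-amd64.deb, taken from the
      # checksums file of that release; update whenever HUGO_VERSION changes.
      HUGO_DEB_SHA256: '<digest from the v0.114.0 release checksums file>'
    steps:
      - name: Install Hugo CLI
        run: |
          wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb
          echo "${HUGO_DEB_SHA256}  ${{ runner.temp }}/hugo.deb" | sha256sum -c -
          sudo dpkg -i ${{ runner.temp }}/hugo.deb
      # … unchanged: Install Dart Sass, Checkout …
```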
@@ -71,7 +71,7 @@ jobs:
 --base "${{ steps.pages.outputs.base_path }}"
 working-directory: ${{ env.BUILD_PATH }}
 - name: Upload artifact
- uses: actions/upload-pages-artifact@v1
+ uses: actions/upload-pages-artifact@v2
 with:
 path: ${{ env.BUILD_PATH }}/dist
diff --git a/pages/gatsby.yml b/pages/gatsby.yml
index 1fe2d24..676740b 100644
--- a/pages/gatsby.yml
+++ b/pages/gatsby.yml
@@ -80,7 +80,7 @@ jobs:
 PREFIX_PATHS: 'true'
 run: ${{ steps.detect-package-manager.outputs.manager }} run build
 - name: Upload artifact
- uses: actions/upload-pages-artifact@v1
+ uses: actions/upload-pages-artifact@v2
 with:
 path: ./public
diff --git a/pages/hugo.yml b/pages/hugo.yml
index fd6c4b4..9e0fb88 100644
--- a/pages/hugo.yml
+++ b/pages/hugo.yml
@@ -58,7 +58,7 @@ jobs:
 --minify \
 --baseURL "${{ steps.pages.outputs.base_url }}/"
 - name: Upload artifact
- uses: actions/upload-pages-artifact@v1
+ uses: actions/upload-pages-artifact@v2
 with:
 path: ./public
diff --git a/pages/jekyll-gh-pages.yml b/pages/jekyll-gh-pages.yml
index 851f2ce..044e34c 100644
--- a/pages/jekyll-gh-pages.yml
+++ b/pages/jekyll-gh-pages.yml
@@ -36,7 +36,7 @@ jobs:
 source: ./
 destination: ./_site
 - name: Upload artifact
- uses: actions/upload-pages-artifact@v1
+ uses: actions/upload-pages-artifact@v2
 # Deployment job
 deploy:
diff --git a/pages/jekyll.yml b/pages/jekyll.yml
index 5adebe4..bd2f2e8 100644
--- a/pages/jekyll.yml
+++ b/pages/jekyll.yml
@@ -49,7 +49,7 @@ jobs:
 JEKYLL_ENV: production
 - name: Upload artifact
 # Automatically uploads an artifact from the './_site' directory by default
- uses: actions/upload-pages-artifact@v1
+ uses: actions/upload-pages-artifact@v2
 # Deployment job
 deploy:
diff --git a/pages/mdbook.yml b/pages/mdbook.yml
index 78d664e..0fae7a4 100644
--- a/pages/mdbook.yml
+++ b/pages/mdbook.yml
@@ -43,7 +43,7 @@ jobs:
 - name: Build with mdBook
 run: mdbook build
 - name: Upload artifact
- uses: actions/upload-pages-artifact@v1
+ uses: actions/upload-pages-artifact@v2
 with:
 path: ./book
diff --git a/pages/nextjs.yml b/pages/nextjs.yml
index 81073e6..308b76e 100644
--- a/pages/nextjs.yml
+++ b/pages/nextjs.yml
@@ -78,7 +78,7 @@ jobs:
 - name: Static HTML export with Next.js
 run: ${{ steps.detect-package-manager.outputs.runner }} next export
 - name: Upload artifact
- uses: actions/upload-pages-artifact@v1
+ uses: actions/upload-pages-artifact@v2
 with:
 path: ./out
diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml
index ddf8f4f..2951136 100644
--- a/pages/nuxtjs.yml
+++ b/pages/nuxtjs.yml
@@ -73,7 +73,7 @@ jobs:
 - name: Static HTML export with Nuxt
 run: ${{ steps.detect-package-manager.outputs.manager }} run generate
 - name: Upload artifact
- uses: actions/upload-pages-artifact@v1
+ uses: actions/upload-pages-artifact@v2
 with:
 path: ./dist
diff --git a/pages/static.yml b/pages/static.yml
index 43bec60..31ac428 100644
--- a/pages/static.yml
+++ b/pages/static.yml
@@ -34,7 +34,7 @@ jobs:
 - name: Setup Pages
 uses: actions/configure-pages@v3
 - name: Upload artifact
- uses: actions/upload-pages-artifact@v1
+ uses: actions/upload-pages-artifact@v2
 with:
 # Upload entire repository
 path: '.'
From 356930494d1828026e574eb42892964e6b1ce089 Mon Sep 17 00:00:00 2001
From: Natalie Somersall
Date: Wed, 12 Jul 2023 15:25:09 +0000
Subject: [PATCH 37/44] move gem workflow to ruby/setup-ruby, same as ruby
---
 ci/gem-push.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ci/gem-push.yml b/ci/gem-push.yml
index 8905272..dd6d867 100644
--- a/ci/gem-push.yml
+++ b/ci/gem-push.yml
@@ -17,7 +17,10 @@ jobs:
 steps:
 - uses: actions/checkout@v3
 - name: Set up Ruby 2.6
- uses: actions/setup-ruby@v1
+ # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
+ # change this to (see https://github.com/ruby/setup-ruby#versioning):
+ # uses: ruby/setup-ruby@v1
+ uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
 with:
 ruby-version: 2.6.x
From 830d0c7c9dc9cb64457807f740440982e68a1a77 Mon Sep 17 00:00:00 2001
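Review bot: The gem-push step still pins `ruby-version: 2.6.x`, and Ruby 2.6 has been end-of-life since March 2022, so this publishing template builds and pushes gems with an interpreter that no longer receives security fixes; a supported series such as `ruby-version: '3.2'` (quoted, so a future `'3.10'` is not read as the float 3.1) with the step renamed to match would be the safer default. The `.x` suffix is the syntax of the retired actions/setup-ruby; I am not certain ruby/setup-ruby accepts it, so check the versioning docs the new comment links to and, if it does not, use the plain quoted form. Pinning ruby/setup-ruby to a full SHA with a version annotation is the right direction and worth keeping. The publish steps that consume this Ruby setup are outside the hunk.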
From: "James M. Greene"
Date: Thu, 13 Jul 2023 09:30:22 -0500
Subject: [PATCH 38/44] Add comment containing friendly version number
---
 ci/deno.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ci/deno.yml b/ci/deno.yml
index c48292e..92338c9 100644
--- a/ci/deno.yml
+++ b/ci/deno.yml
@@ -27,7 +27,7 @@ jobs:
 - name: Setup Deno
 # uses: denoland/setup-deno@v1
- uses: denoland/setup-deno@61fe2df320078202e33d7d5ad347e7dcfa0e8f31
+ uses: denoland/setup-deno@61fe2df320078202e33d7d5ad347e7dcfa0e8f31 # v1.1.2
 with:
 deno-version: v1.x
From d0ceca4feaff32caa6d0957e1b1ae9314b619167 Mon Sep 17 00:00:00 2001
From: "James M. Greene"
Date: Thu, 13 Jul 2023 09:36:51 -0500
Subject: [PATCH 39/44] Compress the comment
---
 code-scanning/codeql.yml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml
index 15398a7..18667cf 100644
--- a/code-scanning/codeql.yml
+++ b/code-scanning/codeql.yml
@@ -23,11 +23,10 @@ on:
 jobs:
 analyze:
 name: Analyze
- # Runner size impacts CodeQL analysis time. Please see:
- # https://gh.io/recommended-hardware-resources-for-running-codeql
- # https://gh.io/supported-runners-and-hardware-resources
- # https://gh.io/using-larger-runners
- # to learn more.
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners
 # Consider using larger runners for possible analysis time improvements.
 runs-on: ubuntu-latest
 permissions:
From ec351ca4a9ea59041fccee4d2bbaf1fcf1a98e31 Mon Sep 17 00:00:00 2001
From: "James M. Greene"
Date: Thu, 13 Jul 2023 09:39:44 -0500
Subject: [PATCH 40/44] Delete trailing whitespace
---
 code-scanning/codeql.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml
index 660514a..f53c061 100644
--- a/code-scanning/codeql.yml
+++ b/code-scanning/codeql.yml
@@ -27,7 +27,7 @@ jobs:
 # - https://gh.io/recommended-hardware-resources-for-running-codeql
 # - https://gh.io/supported-runners-and-hardware-resources
 # - https://gh.io/using-larger-runners
- # Consider using larger runners for possible analysis time improvements.
+ # Consider using larger runners for possible analysis time improvements.
 runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
 timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
 permissions:
From a07603e5efb78778ca8291d20a54900f0024e0b8 Mon Sep 17 00:00:00 2001
From: "James M. Greene"
Date: Thu, 13 Jul 2023 09:51:15 -0500
Subject: [PATCH 41/44] Update to latest cosign versions
---
 ci/docker-publish.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml
index 4aaca04..31da0e3 100644
--- a/ci/docker-publish.yml
+++ b/ci/docker-publish.yml
@@ -41,9 +41,9 @@ jobs:
 # https://github.com/sigstore/cosign-installer
 - name: Install cosign
 if: github.event_name != 'pull_request'
- uses: sigstore/cosign-installer@03d0fecf172873164a163bbc64bed0f3bf114ed7 #v3.4.0
+ uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1
 with:
- cosign-release: 'v2.0.2'
+ cosign-release: 'v2.1.1'
 # Workaround: https://github.com/docker/build-push-action/issues/461
 - name: Setup Docker buildx
From cbe6296a3534c58492e4553dbc21063c347bbe7b Mon Sep 17 00:00:00 2001
From: "James M. Greene"
Date: Thu, 13 Jul 2023 10:30:20 -0500
Subject: [PATCH 42/44] Update ci/elixir.yml
---
 ci/elixir.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ci/elixir.yml b/ci/elixir.yml
index 9890efd..a8513c1 100644
--- a/ci/elixir.yml
+++ b/ci/elixir.yml
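Review bot: The version annotation on the cosign-installer `uses:` line goes backwards, from `#v3.4.0` on the removed pin to `#v3.1.1` on the new one, while the commit title says "latest"; either the old annotation was wrong or this pins an older installer, and since the SHA is what actually runs, the annotation should be checked against the tag before merge (confirm that `6e04d228eb30da1757ee4e1dd75a0ec73a653e06` is the commit the `v3.1.1` tag resolves to, and that it is not older than the pin being replaced). A wrong or stale annotation defeats the purpose of commenting a SHA pin, which is what the next person bumping the action relies on. The other pins in this series write the annotation as `# vX.Y.Z` with a space, so `# v3.1.1` would also be consistent. The `cosign-release: 'v2.1.1'` bump reads fine; the signing step that consumes it is outside the hunk.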
@@ -23,7 +23,7 @@ jobs:
 steps:
 - uses: actions/checkout@v3
 - name: Set up Elixir
- uses: erlef/setup-beam@v1
+ uses: erlef/setup-beam@61e01a43a562a89bfc54c7f9a378ff67b03e4a21 # v1.16.0
 with:
 elixir-version: '1.14.4' # Define the elixir version [required]
 otp-version: '25.3' # Define the OTP version [required]
From 49efc3d27f757ab3bb8e7ee7ee9233c32a27de77 Mon Sep 17 00:00:00 2001
From: "James M. Greene"
Date: Thu, 13 Jul 2023 10:30:29 -0500
Subject: [PATCH 43/44] Update ci/elixir.yml
---
 ci/elixir.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ci/elixir.yml b/ci/elixir.yml
index a8513c1..58f0b27 100644
--- a/ci/elixir.yml
+++ b/ci/elixir.yml
@@ -25,8 +25,8 @@ jobs:
 - name: Set up Elixir
 uses: erlef/setup-beam@61e01a43a562a89bfc54c7f9a378ff67b03e4a21 # v1.16.0
 with:
- elixir-version: '1.14.4' # Define the elixir version [required]
- otp-version: '25.3' # Define the OTP version [required]
+ elixir-version: '1.15.2' # [Required] Define the Elixir version
+ otp-version: '26.0' # [Required] Define the Erlang/OTP version
 - name: Restore dependencies cache
 uses: actions/cache@v3
 with:
From 72d4aceb2f6ab012523440e972bab7b0e8747d95 Mon Sep 17 00:00:00 2001
From: "James M. Greene"
Date: Thu, 13 Jul 2023 10:38:10 -0500
Subject: [PATCH 44/44] Bumping version to latest
---
 ci/gradle-publish.yml | 4 ++--
 ci/gradle.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml
index 326c3ca..3e30133 100644
--- a/ci/gradle-publish.yml
+++ b/ci/gradle-publish.yml
@@ -30,14 +30,14 @@ jobs:
 settings-path: ${{ github.workspace }} # location for the settings.xml file
 - name: Build with Gradle
- uses: gradle/gradle-build-action@749f47bda3e44aa060e82d7b3ef7e40d953bd629
+ uses: gradle/gradle-build-action@bd5760595778326ba7f1441bcf7e88b49de61a25 # v2.6.0
 with:
 arguments: build
 # The USERNAME and TOKEN need to correspond to the credentials environment variables used in
 # the publishing section of your build.gradle
 - name: Publish to GitHub Packages
- uses: gradle/gradle-build-action@749f47bda3e44aa060e82d7b3ef7e40d953bd629
+ uses: gradle/gradle-build-action@bd5760595778326ba7f1441bcf7e88b49de61a25 # v2.6.0
 with:
 arguments: publish
 env:
diff --git a/ci/gradle.yml b/ci/gradle.yml
index 461a705..51645f9 100644
--- a/ci/gradle.yml
+++ b/ci/gradle.yml
@@ -29,6 +29,6 @@ jobs:
 java-version: '11'
 distribution: 'temurin'
 - name: Build with Gradle
- uses: gradle/gradle-build-action@749f47bda3e44aa060e82d7b3ef7e40d953bd629
+ uses: gradle/gradle-build-action@bd5760595778326ba7f1441bcf7e88b49de61a25 # v2.6.0
 with:
 arguments: build