From e35bb09c200dd3bc2dccb7cf1e4f1aa5fce0a9a4 Mon Sep 17 00:00:00 2001 From: omerzi Date: Sun, 7 Aug 2022 09:32:25 +0300 Subject: [PATCH 1/2] Code review changes --- code-scanning/frogbot-fix.yml | 5 ++- code-scanning/frogbot-scan-pr.yml | 58 ++++++------------------------- 2 files changed, 14 insertions(+), 49 deletions(-) diff --git a/code-scanning/frogbot-fix.yml b/code-scanning/frogbot-fix.yml index 278e8fa..b51c269 100644 --- a/code-scanning/frogbot-fix.yml +++ b/code-scanning/frogbot-fix.yml @@ -2,6 +2,9 @@ # They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support # documentation. +# Frogbot Scan and Fix does the following: +# Automatically creates pull requests with fixes for vulnerable project dependencies. +# Uses JFrog Xray to scan the project. # Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot name: "Frogbot Fix" @@ -37,7 +40,7 @@ jobs: # node-version: "16.x" - - uses: jfrog/frogbot@v2 + - uses: jfrog/frogbot@2291fc454e8aeea77386cfcb85a1ae36765bb1f4 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index 54304d3..325cc24 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml @@ -2,6 +2,10 @@ # They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support # documentation. +# Frogbot Scan Pull Requests does the following: +# Automatically scans new pull requests for security vulnerabilities. +# Uses JFrog Xray to scan the project. +# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot name: "Frogbot Scan" on: @@ -35,23 +39,9 @@ jobs: # with: # node-version: "16.x" - # - uses: gradle/gradle-build-action@v2 + # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request - # - uses: actions/setup-dotnet@v2 - # with: - # dotnet-version: "3.1.x" - - # - uses: nuget/setup-nuget@v1 - # with: - # nuget-version: "5.x" - - # - uses: actions/setup-python@v3 - # with: - # python-version: "3.x" - - # - run: pipx install pipenv - - - uses: jfrog/frogbot@v2 + - uses: jfrog/frogbot@2291fc454e8aeea77386cfcb85a1ae36765bb1f4 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) @@ -69,7 +59,9 @@ jobs: # The GitHub token automatically generated for the job JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # Uncomment the below options if you'd like to use them. + # [Mandatory if JF_USER and JF_PASSWORD are not provided] + # JFrog access token with 'read' permissions on Xray service + # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} # [Mandatory when using npm] # The command that installs the dependencies @@ -79,34 +71,4 @@ jobs: # The command that installs the dependencies # JF_INSTALL_DEPS_CMD: "dotnet restore" - # [Optional when using Nuget] - # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "nuget restore" - - # [Optional when using Pip] - # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "pip install" - - # [Optional when using Pipenv] - # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "pipenv install" - - # [Optional, default: https://api.github.com] - # API endpoint to GitHub - # JF_GIT_API_ENDPOINT: https://github.example.com - - # [Mandatory if JF_USER and JF_PASSWORD are not provided] - # JFrog access token with 'read' permissions on Xray service - # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} - - # [Optional, default: "."] - # Relative path to the project in the git repository - # JF_WORKING_DIR: path/to/working/dir - - # [Optional] - # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches - # JF_WATCHES: ,... - - # [Optional] - # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects - # JF_PROJECT: \ No newline at end of file + # The full template list with full optional environment variables can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request \ No newline at end of file From 552d98b770dc070aabb54827ef43ef6a8234969f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Aug 2022 13:23:06 +0000 Subject: [PATCH 2/2] Bump pozil/auto-assign-issue from 1.8.0 to 1.9.0 Bumps [pozil/auto-assign-issue](https://github.com/pozil/auto-assign-issue) from 1.8.0 to 1.9.0. - [Release notes](https://github.com/pozil/auto-assign-issue/releases) - [Commits](https://github.com/pozil/auto-assign-issue/compare/v1.8.0...v1.9.0) --- updated-dependencies: - dependency-name: pozil/auto-assign-issue dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/auto-assign-issues.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml index a30a190..ec278a6 100644 --- a/.github/workflows/auto-assign-issues.yml +++ b/.github/workflows/auto-assign-issues.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Auto-assign issue' - uses: pozil/auto-assign-issue@v1.8.0 + uses: pozil/auto-assign-issue@v1.9.0 with: assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft numOfAssignee: 1