diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index dc4882c..c116b93 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -12,7 +12,6 @@ jobs: steps: - uses: actions/stale@v3 with: - repo-token: ${{ secrets.GITHUB_TOKEN }} stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.' stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.' stale-issue-label: 'no-issue-activity' diff --git a/automation/greetings.yml b/automation/greetings.yml index ebb00a0..ee1cb11 100644 --- a/automation/greetings.yml +++ b/automation/greetings.yml @@ -5,6 +5,9 @@ on: [pull_request, issues] jobs: greeting: runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write steps: - uses: actions/first-interaction@v1 with: diff --git a/automation/label.yml b/automation/label.yml index 7c724a6..5cdc45e 100644 --- a/automation/label.yml +++ b/automation/label.yml @@ -12,6 +12,9 @@ jobs: label: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - uses: actions/labeler@v2 diff --git a/automation/stale.yml b/automation/stale.yml index b671fc0..30c3dd9 100644 --- a/automation/stale.yml +++ b/automation/stale.yml @@ -8,6 +8,9 @@ jobs: stale: runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write steps: - uses: actions/stale@v3 diff --git a/ci/cmake.yml b/ci/cmake.yml index 005915e..1634140 100644 --- a/ci/cmake.yml +++ b/ci/cmake.yml @@ -1,6 +1,10 @@ name: CMake -on: [push] +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] env: # Customize the CMake build type here (Release, Debug, RelWithDebInfo, etc.) @@ -17,30 +21,18 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Create Build Environment - # Some projects don't allow in-source building, so create a separate build directory - # We'll use this as our working directory for all subsequent commands - run: cmake -E make_directory ${{github.workspace}}/build - - name: Configure CMake - # Use a bash shell so we can use the same syntax for environment variable - # access regardless of the host operating system - shell: bash - working-directory: ${{github.workspace}}/build - # Note the current convention is to use the -S and -B options here to specify source - # and build directories, but this is only available with CMake 3.13 and higher. - # The CMake binaries on the Github Actions machines are (as of this writing) 3.12 - run: cmake $GITHUB_WORKSPACE -DCMAKE_BUILD_TYPE=$BUILD_TYPE + # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make. + # See https://cmake.org/cmake/help/latest/variable/CMAKE_BUILD_TYPE.html?highlight=cmake_build_type + run: cmake -B ${{github.workspace}}/build -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}} - name: Build - working-directory: ${{github.workspace}}/build - shell: bash - # Execute the build. You can specify a specific target with "--target " - run: cmake --build . --config $BUILD_TYPE + # Build your program with the given configuration + run: cmake --build ${{github.workspace}}/build --config ${{env.BUILD_TYPE}} - name: Test working-directory: ${{github.workspace}}/build - shell: bash # Execute tests defined by the CMake configuration. # See https://cmake.org/cmake/help/latest/manual/ctest.1.html for more detail - run: ctest -C $BUILD_TYPE + run: ctest -C ${{env.BUILD_TYPE}} + diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 76756db..ba69744 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -44,6 +44,10 @@ jobs: runs-on: ubuntu-latest if: github.event_name == 'push' + permissions: + contents: read + packages: write + steps: - uses: actions/checkout@v2 diff --git a/ci/gem-push.yml b/ci/gem-push.yml index a1edfbc..3dc62be 100644 --- a/ci/gem-push.yml +++ b/ci/gem-push.yml @@ -10,6 +10,9 @@ jobs: build: name: Build + Publish runs-on: ubuntu-latest + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v2 diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index ef99e13..a74a1ce 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -11,6 +11,9 @@ jobs: build: runs-on: ubuntu-latest + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v2 diff --git a/ci/laravel.yml b/ci/laravel.yml index d54921e..5f4e6c9 100644 --- a/ci/laravel.yml +++ b/ci/laravel.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: shivammathur/setup-php@b7d1d9c9a92d8d8463ce36d7f60da34d461724f8 + - uses: shivammathur/setup-php@15c43e89cdef867065b0213be354c2841860869e with: php-version: '8.0' - uses: actions/checkout@v2 diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml index c3f4855..18dd937 100644 --- a/ci/maven-publish.yml +++ b/ci/maven-publish.yml @@ -11,6 +11,9 @@ jobs: build: runs-on: ubuntu-latest + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v2 diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index 1b4952d..8462902 100644 --- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml @@ -35,6 +35,9 @@ jobs: publish-gpr: needs: build runs-on: ubuntu-latest + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v2 - uses: actions/setup-node@v2 diff --git a/ci/python-package.yml b/ci/python-package.yml index c88f6ce..b079b1c 100644 --- a/ci/python-package.yml +++ b/ci/python-package.yml @@ -14,6 +14,7 @@ jobs: runs-on: ubuntu-latest strategy: + fail-fast: false matrix: python-version: [3.7, 3.8, 3.9] diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index d88fe52..b32675e 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -24,6 +24,10 @@ jobs: analyze: name: Analyze runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write strategy: fail-fast: false diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml index 8d3d0eb..1cad70c 100644 --- a/code-scanning/kubesec.yml +++ b/code-scanning/kubesec.yml @@ -18,6 +18,10 @@ jobs: lint: name: Kubesec runs-on: ubuntu-20.04 + permissions: + actions: read + contents: read + security-events: write steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml index 1601ff5..0aab0b4 100644 --- a/code-scanning/mayhem-for-api.yml +++ b/code-scanning/mayhem-for-api.yml @@ -37,6 +37,10 @@ jobs: name: Mayhem for API # Mayhem for API runs on linux, mac and windows runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write steps: - uses: actions/checkout@v2 diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml new file mode 100644 index 0000000..dfbf452 --- /dev/null +++ b/code-scanning/powershell.yml @@ -0,0 +1,42 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# https://github.com/microsoft/action-psscriptanalyzer +# For more information on PSScriptAnalyzer in general, see +# https://github.com/PowerShell/PSScriptAnalyzer + +name: PSScriptAnalyzer + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + build: + name: PSScriptAnalyzer + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: Run PSScriptAnalyzer + uses: microsoft/psscriptanalyzer-action@2044ae068e37d0161fa2127de04c19633882f061 + with: + # Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options. + # The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules. + path: .\ + recurse: true + # Include your own basic security rules. Removing this option will run all the rules + includeRule: '"PSAvoidGlobalAliases", "PSAvoidUsingConvertToSecureStringWithPlainText"' + output: results.sarif + + # Upload the SARIF file generated in the previous step + - name: Upload SARIF results file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif diff --git a/code-scanning/properties/powershell.properties.json b/code-scanning/properties/powershell.properties.json new file mode 100644 index 0000000..95420ae --- /dev/null +++ b/code-scanning/properties/powershell.properties.json @@ -0,0 +1,7 @@ +{ + "name": "PSScriptAnalyzer", + "creator": "Microsoft Corporation", + "description": "A static code checker for PowerShell modules and scripts. PSScriptAnalyzer checks the quality of PowerShell code by running a set of rules.", + "iconName": "powershell", + "categories": ["Code Scanning", "PowerShell"] +} \ No newline at end of file diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml index 9b5a080..0c1ff16 100644 --- a/code-scanning/synopsys-io.yml +++ b/code-scanning/synopsys-io.yml @@ -18,6 +18,10 @@ jobs: analyze: name: Analyze runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write steps: - name: Checkout repository diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 05879a1..9040659 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -17,6 +17,10 @@ jobs: tfsec: name: Run tfsec sarif report runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write steps: - name: Clone repo @@ -26,7 +30,6 @@ jobs: uses: tfsec/tfsec-sarif-action@2ec44316ed27c50d48c931c3c628adc4c8bb1d2b with: sarif_file: tfsec.sarif - github_token: ${{ secrets.GITHUB_TOKEN }} - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v1 diff --git a/icons/powershell.svg b/icons/powershell.svg new file mode 100644 index 0000000..ec01c8c --- /dev/null +++ b/icons/powershell.svg @@ -0,0 +1,29 @@ + + + + + + + + + + + \ No newline at end of file