diff --git a/.github/labeler.yml b/.github/labeler.yml new file mode 100644 index 0000000..2d04e26 --- /dev/null +++ b/.github/labeler.yml @@ -0,0 +1,3 @@ +# Add 'code-scanning' label to any changes within 'code-scanning' folder or any subfolders +code-scanning: +- code-scanning/**/* diff --git a/.github/workflows/labeler-triage.yml b/.github/workflows/labeler-triage.yml new file mode 100644 index 0000000..eba05f0 --- /dev/null +++ b/.github/workflows/labeler-triage.yml @@ -0,0 +1,16 @@ +name: "Pull Request Labeler" + +permissions: + contents: read + pull-requests: write + +on: +- pull_request_target + +jobs: + triage: + runs-on: ubuntu-latest + steps: + - uses: actions/labeler@v3 + with: + repo-token: "${{ secrets.GITHUB_TOKEN }}" \ No newline at end of file diff --git a/README.md b/README.md index e276691..2c2f1b5 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,8 @@ These are the workflow files for helping people get started with GitHub Actions. -**Directory structure:** +### Directory structure + * [ci](ci): solutions for Continuous Integration * [automation](automation): solutions for automating workflows. * [code-scanning](code-scanning): starter workflows for [Code Scanning](https://github.com/features/security) @@ -20,8 +21,16 @@ Each workflow must be written in YAML and have a `.yml` extension. They also nee For example: `ci/django.yml` and `ci/properties/django.properties.json`. -**Valid properties:** +### Valid properties + * `name`: the name shown in onboarding * `description`: the description shown in onboarding * `iconName`: the icon name in the relevant folder, for example `django` should have an icon `icons/django.svg`. Only SVG is supported at this time * `categories`: the categories that it will be shown under + +### Variables +These variables can be placed in the starter workflow and will be substituted as detailed below: + +* `$default-branch`: will substitute the branch from the repository, for example `main` and `master` +* `$protected-branches`: will substitue any protected branches from the repository. +* `$cron-daily`: will substitute a valid but random time within the day diff --git a/ci/deno.yml b/ci/deno.yml index cf91f5e..38f2319 100644 --- a/ci/deno.yml +++ b/ci/deno.yml @@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. -# This workflow will install Deno and run tests across stable and canary builds on Windows, Ubuntu and macOS. +# This workflow will install Deno then run Deno lint and test. # For more information see: https://github.com/denoland/setup-deno name: Deno @@ -16,12 +16,7 @@ on: jobs: test: - runs-on: ${{ matrix.os }} # runs a test on Ubuntu, Windows and macOS - - strategy: - matrix: - deno: ["v1.x", "canary"] - os: [macOS-latest, windows-latest, ubuntu-latest] + runs-on: ubuntu-latest steps: - name: Setup repo @@ -29,9 +24,9 @@ jobs: - name: Setup Deno # uses: denoland/setup-deno@v1 - uses: denoland/setup-deno@4a4e59637fa62bd6c086a216c7e4c5b457ea9e79 + uses: denoland/setup-deno@004814556e37c54a2f6e31384c9e18e9833173669 with: - deno-version: ${{ matrix.deno }} # tests across multiple Deno versions + deno-version: v1.x # Uncomment this step to verify the use of 'deno fmt' on each commit. # - name: Verify formatting @@ -40,8 +35,5 @@ jobs: - name: Run linter run: deno lint - - name: Cache dependencies - run: deno cache deps.ts - - name: Run tests run: deno test -A --unstable diff --git a/ci/grunt.yml b/ci/grunt.yml new file mode 100644 index 0000000..8c83cb6 --- /dev/null +++ b/ci/grunt.yml @@ -0,0 +1,28 @@ +name: NodeJS with Grunt + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + +jobs: + build: + runs-on: ubuntu-latest + + strategy: + matrix: + node-version: [12.x, 14.x, 16.x] + + steps: + - uses: actions/checkout@v2 + + - name: Use Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v1 + with: + node-version: ${{ matrix.node-version }} + + - name: Build + run: | + npm install + grunt diff --git a/ci/gulp.yml b/ci/gulp.yml new file mode 100644 index 0000000..cc5da13 --- /dev/null +++ b/ci/gulp.yml @@ -0,0 +1,28 @@ +name: NodeJS with Gulp + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + +jobs: + build: + runs-on: ubuntu-latest + + strategy: + matrix: + node-version: [12.x, 14.x, 16.x] + + steps: + - uses: actions/checkout@v2 + + - name: Use Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v1 + with: + node-version: ${{ matrix.node-version }} + + - name: Build + run: | + npm install + gulp diff --git a/ci/ios.yml b/ci/ios.yml index 032b77a..ab92d32 100644 --- a/ci/ios.yml +++ b/ci/ios.yml @@ -26,7 +26,7 @@ jobs: platform: ${{ 'iOS Simulator' }} run: | # xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959) - device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'`` + device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'` if [ $scheme = default ]; then scheme=$(cat default); fi if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi file_to_build=`echo $file_to_build | awk '{$1=$1;print}'` diff --git a/ci/properties/grunt.properties.json b/ci/properties/grunt.properties.json new file mode 100644 index 0000000..c8a5b9f --- /dev/null +++ b/ci/properties/grunt.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Grunt", + "description": "Build a NodeJS project with npm and grunt.", + "iconName": "grunt", + "categories": ["JavaScript", "TypeScript", "npm", "Grunt"] +} diff --git a/ci/properties/gulp.properties.json b/ci/properties/gulp.properties.json new file mode 100644 index 0000000..658325b --- /dev/null +++ b/ci/properties/gulp.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Gulp", + "description": "Build a NodeJS project with npm and gulp.", + "iconName": "gulp", + "categories": ["JavaScript", "TypeScript", "npm", "Gulp"] +} diff --git a/ci/properties/webpack.properties.json b/ci/properties/webpack.properties.json new file mode 100644 index 0000000..1e22ccb --- /dev/null +++ b/ci/properties/webpack.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Webpack", + "description": "Build a NodeJS project with npm and webpack.", + "iconName": "webpack", + "categories": ["JavaScript", "TypeScript", "npm", "Webpack"] +} diff --git a/ci/tencent.yml b/ci/tencent.yml index 1a059a6..0be339e 100644 --- a/ci/tencent.yml +++ b/ci/tencent.yml @@ -43,7 +43,7 @@ jobs: - name: Login TKE Registry run: | - docker login -u ${{ secrets.TENCENT_CLOUD_ACCOUNT_ID }} -p ${{ secrets.TKE_REGISTRY_PASSWORD }} ${TKE_IMAGE_URL} + docker login -u ${{ secrets.TENCENT_CLOUD_ACCOUNT_ID }} -p '${{ secrets.TKE_REGISTRY_PASSWORD }}' ${TKE_IMAGE_URL} # Push the Docker image to TKE Registry - name: Publish @@ -73,4 +73,4 @@ jobs: ./kustomize edit set image ${TKE_IMAGE_URL}:${GITHUB_SHA} ./kustomize build . | kubectl apply -f - kubectl rollout status deployment/${DEPLOYMENT_NAME} - kubectl get services -o wide \ No newline at end of file + kubectl get services -o wide diff --git a/ci/webpack.yml b/ci/webpack.yml new file mode 100644 index 0000000..8edb34f --- /dev/null +++ b/ci/webpack.yml @@ -0,0 +1,28 @@ +name: NodeJS with Webpack + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + +jobs: + build: + runs-on: ubuntu-latest + + strategy: + matrix: + node-version: [12.x, 14.x, 16.x] + + steps: + - uses: actions/checkout@v2 + + - name: Use Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v1 + with: + node-version: ${{ matrix.node-version }} + + - name: Build + run: | + npm install + npx webpack diff --git a/code-scanning/flawfinder.yml b/code-scanning/flawfinder.yml new file mode 100644 index 0000000..080953e --- /dev/null +++ b/code-scanning/flawfinder.yml @@ -0,0 +1,38 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: flawfinder + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + flawfinder: + name: Flawfinder + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: flawfinder_scan + uses: david-a-wheeler/flawfinder@8e4a779ad59dbfaee5da586aa9210853b701959c + with: + arguments: '--sarif ./' + output: 'flawfinder_results.sarif' + + - name: Upload analysis results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ${{github.workspace}}/flawfinder_results.sarif \ No newline at end of file diff --git a/code-scanning/properties/flawfinder.properties.json b/code-scanning/properties/flawfinder.properties.json new file mode 100644 index 0000000..f784d03 --- /dev/null +++ b/code-scanning/properties/flawfinder.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Flawfinder", + "creator": "David A. Wheeler", + "description": "Flawfinder is a simple program that scans C/C++ source code and reports potential security flaws.", + "iconName": "flawfinder", + "categories": [ "Code Scanning", "C", "C++" ] +} \ No newline at end of file diff --git a/code-scanning/properties/stackhawk.properties.json b/code-scanning/properties/stackhawk.properties.json new file mode 100644 index 0000000..f422535 --- /dev/null +++ b/code-scanning/properties/stackhawk.properties.json @@ -0,0 +1,24 @@ +{ + "name": "StackHawk", + "creator": "StackHawk", + "description": "Integrate dynamic application security testing (DAST) and API security testing into your CI pipeline with StackHawk", + "iconName": "stackhawk", + "categories": [ + "Code Scanning", + "C", + "C#", + "C++", + "Go", + "Java", + "JavaScript", + "Kotlin", + "Objective C", + "PHP", + "Python", + "Ruby", + "Rust", + "Scala", + "Swift", + "TypeScript" + ] +} diff --git a/code-scanning/stackhawk.yml b/code-scanning/stackhawk.yml new file mode 100644 index 0000000..9701b1f --- /dev/null +++ b/code-scanning/stackhawk.yml @@ -0,0 +1,57 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# 🦅 STACKHAWK https://stackhawk.com + +# The StackHawk HawkScan action makes it easy to integrate dynamic application security testing (DAST) into your +# CI pipeline. See the Getting Started guide (https://docs.stackhawk.com/hawkscan/) to get up and running with +# StackHawk quickly. + +# To use this workflow, you must: +# +# 1. Create an API Key and Application: Sign up for a free StackHawk account to obtain an API Key and +# create your first app and configuration file at https://app.stackhawk.com. +# +# 2. Save your API Key as a Secret: Save your API key as a GitHub Secret named HAWK_API_KEY. +# +# 3. Add your Config File: Add your stackhawk.yml configuration file to the base of your repository directory. +# +# 4. Set the Scan Failure Threshold: Add the hawk.failureThreshold configuration option +# (https://docs.stackhawk.com/hawkscan/configuration/#hawk) to your stackhawk.yml configuration file. If your scan +# produces alerts that meet or exceed the hawk.failureThreshold alert level, the scan will return exit code 42 +# and trigger a Code Scanning alert with a link to your scan results. +# +# 5. Update the "Start your service" Step: Update the "Start your service" step in the StackHawk workflow below to +# start your service so that it can be scanned with the "Run HawkScan" step. + + +name: "StackHawk" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + stackhawk: + name: StackHawk + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Start your service + run: ./your-service.sh & # ✏️ Update this to run your own service to be scanned + + - name: Run HawkScan + uses: stackhawk/hawkscan-action@4c3258cd62248dac6d9fe91dd8d45928c697dee0 + continue-on-error: true # ✏️ Set to false to break your build on scan errors + with: + apiKey: ${{ secrets.HAWK_API_KEY }} + codeScanningAlerts: true + githubToken: ${{ github.token }} diff --git a/icons/flawfinder.svg b/icons/flawfinder.svg new file mode 100644 index 0000000..2324dca --- /dev/null +++ b/icons/flawfinder.svg @@ -0,0 +1,16 @@ + + + + + + + + + + + + + + + + diff --git a/icons/stackhawk.svg b/icons/stackhawk.svg new file mode 100644 index 0000000..6b47520 --- /dev/null +++ b/icons/stackhawk.svg @@ -0,0 +1,17 @@ + + + + + + + + + + + + + + + + +