diff --git a/.github/labeler.yml b/.github/labeler.yml
new file mode 100644
index 0000000..2d04e26
--- /dev/null
+++ b/.github/labeler.yml
@@ -0,0 +1,3 @@
+# Add 'code-scanning' label to any changes within 'code-scanning' folder or any subfolders
+code-scanning:
+- code-scanning/**/*
diff --git a/.github/workflows/labeler-triage.yml b/.github/workflows/labeler-triage.yml
new file mode 100644
index 0000000..eba05f0
--- /dev/null
+++ b/.github/workflows/labeler-triage.yml
@@ -0,0 +1,16 @@
+name: "Pull Request Labeler"
+
+permissions:
+ contents: read
+ pull-requests: write
+
+on:
+- pull_request_target
+
+jobs:
+ triage:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/labeler@v3
+ with:
+ repo-token: "${{ secrets.GITHUB_TOKEN }}"
\ No newline at end of file
diff --git a/README.md b/README.md
index e276691..2c2f1b5 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,8 @@ These are the workflow files for helping people get started with GitHub Actions.
-**Directory structure:**
+### Directory structure
+
* [ci](ci): solutions for Continuous Integration
* [automation](automation): solutions for automating workflows.
* [code-scanning](code-scanning): starter workflows for [Code Scanning](https://github.com/features/security)
@@ -20,8 +21,16 @@ Each workflow must be written in YAML and have a `.yml` extension. They also nee
For example: `ci/django.yml` and `ci/properties/django.properties.json`.
-**Valid properties:**
+### Valid properties
+
* `name`: the name shown in onboarding
* `description`: the description shown in onboarding
* `iconName`: the icon name in the relevant folder, for example `django` should have an icon `icons/django.svg`. Only SVG is supported at this time
* `categories`: the categories that it will be shown under
+
+### Variables
+These variables can be placed in the starter workflow and will be substituted as detailed below:
+
+* `$default-branch`: will substitute the branch from the repository, for example `main` and `master`
+* `$protected-branches`: will substitue any protected branches from the repository.
+* `$cron-daily`: will substitute a valid but random time within the day
diff --git a/ci/deno.yml b/ci/deno.yml
index cf91f5e..38f2319 100644
--- a/ci/deno.yml
+++ b/ci/deno.yml
@@ -3,7 +3,7 @@
# separate terms of service, privacy policy, and support
# documentation.
-# This workflow will install Deno and run tests across stable and canary builds on Windows, Ubuntu and macOS.
+# This workflow will install Deno then run Deno lint and test.
# For more information see: https://github.com/denoland/setup-deno
name: Deno
@@ -16,12 +16,7 @@ on:
jobs:
test:
- runs-on: ${{ matrix.os }} # runs a test on Ubuntu, Windows and macOS
-
- strategy:
- matrix:
- deno: ["v1.x", "canary"]
- os: [macOS-latest, windows-latest, ubuntu-latest]
+ runs-on: ubuntu-latest
steps:
- name: Setup repo
@@ -29,9 +24,9 @@ jobs:
- name: Setup Deno
# uses: denoland/setup-deno@v1
- uses: denoland/setup-deno@4a4e59637fa62bd6c086a216c7e4c5b457ea9e79
+ uses: denoland/setup-deno@004814556e37c54a2f6e31384c9e18e9833173669
with:
- deno-version: ${{ matrix.deno }} # tests across multiple Deno versions
+ deno-version: v1.x
# Uncomment this step to verify the use of 'deno fmt' on each commit.
# - name: Verify formatting
@@ -40,8 +35,5 @@ jobs:
- name: Run linter
run: deno lint
- - name: Cache dependencies
- run: deno cache deps.ts
-
- name: Run tests
run: deno test -A --unstable
diff --git a/ci/grunt.yml b/ci/grunt.yml
new file mode 100644
index 0000000..8c83cb6
--- /dev/null
+++ b/ci/grunt.yml
@@ -0,0 +1,28 @@
+name: NodeJS with Grunt
+
+on:
+ push:
+ branches: [ $default-branch ]
+ pull_request:
+ branches: [ $default-branch ]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ strategy:
+ matrix:
+ node-version: [12.x, 14.x, 16.x]
+
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Use Node.js ${{ matrix.node-version }}
+ uses: actions/setup-node@v1
+ with:
+ node-version: ${{ matrix.node-version }}
+
+ - name: Build
+ run: |
+ npm install
+ grunt
diff --git a/ci/gulp.yml b/ci/gulp.yml
new file mode 100644
index 0000000..cc5da13
--- /dev/null
+++ b/ci/gulp.yml
@@ -0,0 +1,28 @@
+name: NodeJS with Gulp
+
+on:
+ push:
+ branches: [ $default-branch ]
+ pull_request:
+ branches: [ $default-branch ]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ strategy:
+ matrix:
+ node-version: [12.x, 14.x, 16.x]
+
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Use Node.js ${{ matrix.node-version }}
+ uses: actions/setup-node@v1
+ with:
+ node-version: ${{ matrix.node-version }}
+
+ - name: Build
+ run: |
+ npm install
+ gulp
diff --git a/ci/ios.yml b/ci/ios.yml
index 032b77a..ab92d32 100644
--- a/ci/ios.yml
+++ b/ci/ios.yml
@@ -26,7 +26,7 @@ jobs:
platform: ${{ 'iOS Simulator' }}
run: |
# xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959)
- device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'``
+ device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'`
if [ $scheme = default ]; then scheme=$(cat default); fi
if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi
file_to_build=`echo $file_to_build | awk '{$1=$1;print}'`
diff --git a/ci/properties/grunt.properties.json b/ci/properties/grunt.properties.json
new file mode 100644
index 0000000..c8a5b9f
--- /dev/null
+++ b/ci/properties/grunt.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "Grunt",
+ "description": "Build a NodeJS project with npm and grunt.",
+ "iconName": "grunt",
+ "categories": ["JavaScript", "TypeScript", "npm", "Grunt"]
+}
diff --git a/ci/properties/gulp.properties.json b/ci/properties/gulp.properties.json
new file mode 100644
index 0000000..658325b
--- /dev/null
+++ b/ci/properties/gulp.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "Gulp",
+ "description": "Build a NodeJS project with npm and gulp.",
+ "iconName": "gulp",
+ "categories": ["JavaScript", "TypeScript", "npm", "Gulp"]
+}
diff --git a/ci/properties/webpack.properties.json b/ci/properties/webpack.properties.json
new file mode 100644
index 0000000..1e22ccb
--- /dev/null
+++ b/ci/properties/webpack.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "Webpack",
+ "description": "Build a NodeJS project with npm and webpack.",
+ "iconName": "webpack",
+ "categories": ["JavaScript", "TypeScript", "npm", "Webpack"]
+}
diff --git a/ci/tencent.yml b/ci/tencent.yml
index 1a059a6..0be339e 100644
--- a/ci/tencent.yml
+++ b/ci/tencent.yml
@@ -43,7 +43,7 @@ jobs:
- name: Login TKE Registry
run: |
- docker login -u ${{ secrets.TENCENT_CLOUD_ACCOUNT_ID }} -p ${{ secrets.TKE_REGISTRY_PASSWORD }} ${TKE_IMAGE_URL}
+ docker login -u ${{ secrets.TENCENT_CLOUD_ACCOUNT_ID }} -p '${{ secrets.TKE_REGISTRY_PASSWORD }}' ${TKE_IMAGE_URL}
# Push the Docker image to TKE Registry
- name: Publish
@@ -73,4 +73,4 @@ jobs:
./kustomize edit set image ${TKE_IMAGE_URL}:${GITHUB_SHA}
./kustomize build . | kubectl apply -f -
kubectl rollout status deployment/${DEPLOYMENT_NAME}
- kubectl get services -o wide
\ No newline at end of file
+ kubectl get services -o wide
diff --git a/ci/webpack.yml b/ci/webpack.yml
new file mode 100644
index 0000000..8edb34f
--- /dev/null
+++ b/ci/webpack.yml
@@ -0,0 +1,28 @@
+name: NodeJS with Webpack
+
+on:
+ push:
+ branches: [ $default-branch ]
+ pull_request:
+ branches: [ $default-branch ]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ strategy:
+ matrix:
+ node-version: [12.x, 14.x, 16.x]
+
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Use Node.js ${{ matrix.node-version }}
+ uses: actions/setup-node@v1
+ with:
+ node-version: ${{ matrix.node-version }}
+
+ - name: Build
+ run: |
+ npm install
+ npx webpack
diff --git a/code-scanning/flawfinder.yml b/code-scanning/flawfinder.yml
new file mode 100644
index 0000000..080953e
--- /dev/null
+++ b/code-scanning/flawfinder.yml
@@ -0,0 +1,38 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: flawfinder
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ flawfinder:
+ name: Flawfinder
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: flawfinder_scan
+ uses: david-a-wheeler/flawfinder@8e4a779ad59dbfaee5da586aa9210853b701959c
+ with:
+ arguments: '--sarif ./'
+ output: 'flawfinder_results.sarif'
+
+ - name: Upload analysis results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: ${{github.workspace}}/flawfinder_results.sarif
\ No newline at end of file
diff --git a/code-scanning/properties/flawfinder.properties.json b/code-scanning/properties/flawfinder.properties.json
new file mode 100644
index 0000000..f784d03
--- /dev/null
+++ b/code-scanning/properties/flawfinder.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Flawfinder",
+ "creator": "David A. Wheeler",
+ "description": "Flawfinder is a simple program that scans C/C++ source code and reports potential security flaws.",
+ "iconName": "flawfinder",
+ "categories": [ "Code Scanning", "C", "C++" ]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/stackhawk.properties.json b/code-scanning/properties/stackhawk.properties.json
new file mode 100644
index 0000000..f422535
--- /dev/null
+++ b/code-scanning/properties/stackhawk.properties.json
@@ -0,0 +1,24 @@
+{
+ "name": "StackHawk",
+ "creator": "StackHawk",
+ "description": "Integrate dynamic application security testing (DAST) and API security testing into your CI pipeline with StackHawk",
+ "iconName": "stackhawk",
+ "categories": [
+ "Code Scanning",
+ "C",
+ "C#",
+ "C++",
+ "Go",
+ "Java",
+ "JavaScript",
+ "Kotlin",
+ "Objective C",
+ "PHP",
+ "Python",
+ "Ruby",
+ "Rust",
+ "Scala",
+ "Swift",
+ "TypeScript"
+ ]
+}
diff --git a/code-scanning/stackhawk.yml b/code-scanning/stackhawk.yml
new file mode 100644
index 0000000..9701b1f
--- /dev/null
+++ b/code-scanning/stackhawk.yml
@@ -0,0 +1,57 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# 🦅 STACKHAWK https://stackhawk.com
+
+# The StackHawk HawkScan action makes it easy to integrate dynamic application security testing (DAST) into your
+# CI pipeline. See the Getting Started guide (https://docs.stackhawk.com/hawkscan/) to get up and running with
+# StackHawk quickly.
+
+# To use this workflow, you must:
+#
+# 1. Create an API Key and Application: Sign up for a free StackHawk account to obtain an API Key and
+# create your first app and configuration file at https://app.stackhawk.com.
+#
+# 2. Save your API Key as a Secret: Save your API key as a GitHub Secret named HAWK_API_KEY.
+#
+# 3. Add your Config File: Add your stackhawk.yml configuration file to the base of your repository directory.
+#
+# 4. Set the Scan Failure Threshold: Add the hawk.failureThreshold configuration option
+# (https://docs.stackhawk.com/hawkscan/configuration/#hawk) to your stackhawk.yml configuration file. If your scan
+# produces alerts that meet or exceed the hawk.failureThreshold alert level, the scan will return exit code 42
+# and trigger a Code Scanning alert with a link to your scan results.
+#
+# 5. Update the "Start your service" Step: Update the "Start your service" step in the StackHawk workflow below to
+# start your service so that it can be scanned with the "Run HawkScan" step.
+
+
+name: "StackHawk"
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ stackhawk:
+ name: StackHawk
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Start your service
+ run: ./your-service.sh & # ✏️ Update this to run your own service to be scanned
+
+ - name: Run HawkScan
+ uses: stackhawk/hawkscan-action@4c3258cd62248dac6d9fe91dd8d45928c697dee0
+ continue-on-error: true # ✏️ Set to false to break your build on scan errors
+ with:
+ apiKey: ${{ secrets.HAWK_API_KEY }}
+ codeScanningAlerts: true
+ githubToken: ${{ github.token }}
diff --git a/icons/flawfinder.svg b/icons/flawfinder.svg
new file mode 100644
index 0000000..2324dca
--- /dev/null
+++ b/icons/flawfinder.svg
@@ -0,0 +1,16 @@
+
diff --git a/icons/stackhawk.svg b/icons/stackhawk.svg
new file mode 100644
index 0000000..6b47520
--- /dev/null
+++ b/icons/stackhawk.svg
@@ -0,0 +1,17 @@
+