From 9d82221b3c47a53248149b62bc84bfdc8ba6e57d Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 25 Oct 2022 16:23:39 +0200 Subject: [PATCH 01/43] Create sonarqube.yaml --- code-scanning/sonarqube.yaml | 65 ++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 code-scanning/sonarqube.yaml diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yaml new file mode 100644 index 0000000..c6fbfce --- /dev/null +++ b/code-scanning/sonarqube.yaml @@ -0,0 +1,65 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow helps you trigger a SonarQube analysis of your code and populates +# GitHub Code Scanning alerts with the vulnerabilities found. +# (this feature is available starting from Developer Edition) + +# 1. Make sure you add a valid GitHub configuration to your SonarQube (Administration > DevOps platforms > GitHub) + +# 2. Import your project on SonarQube +# * Add your repository as a new project by clicking "Create project" from your homepage. +# +# 3. Select GitHub Actions as your CI and follow the tutorial +# * a. Copy/paste the Project Key and the Organization Key into the args parameter below +# (You'll find this information in SonarQube. Click on "Information" at the bottom left) +# +# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN +# (On SonarQube, click on your avatar on top-right > My account > Security +# or go directly to https://sonarcloud.io/account/security/) + +# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) +# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) + +name: SonarQube analysis + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + workflow_dispatch: + +permissions: + pull-requests: read # allows SonarQube to decorate PRs with analysis results + +jobs: + Analysis: + runs-on: ubuntu-latest + + steps: + - name: Analyze with SonarQube + + # You can pin the exact commit or the version. + # uses: SonarSource/sonarqube-scan-action@v1.1.0 + uses: SonarSource/sonarqube-scan-action@v1.1.0 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on SonarQube, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # add the URL of your instance to the secrets of this repo with the name SONAR_HOST_URL (Settings > Secrets > Actions > add new repository secret) + with: + # Additional arguments for the sonarcloud scanner + args: + # Unique key of your project. You can find it in SonarQube > [my project] > Project Information (top-right menu) + # mandatory + -Dsonar.projectKey= + # Comma-separated paths to directories containing main source files. + #-Dsonar.sources= # optional, default is project base directory + # When you need the analysis to take place in a directory other than the one from which it was launched + #-Dsonar.projectBaseDir= # optional, default is . + # Comma-separated paths to directories containing test source files. + #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ + # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. + #-Dsonar.verbose= # optional, default is false From f44ecbf0e28eae370cbcbece24deff8737158257 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 25 Oct 2022 16:29:30 +0200 Subject: [PATCH 02/43] Added comments --- code-scanning/sonarqube.yaml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yaml index c6fbfce..e9b8d98 100644 --- a/code-scanning/sonarqube.yaml +++ b/code-scanning/sonarqube.yaml @@ -13,15 +13,16 @@ # * Add your repository as a new project by clicking "Create project" from your homepage. # # 3. Select GitHub Actions as your CI and follow the tutorial -# * a. Copy/paste the Project Key and the Organization Key into the args parameter below -# (You'll find this information in SonarQube. Click on "Information" at the bottom left) +# * a. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN +# (On SonarQube, click on your avatar on top-right > My account > Security or ask your administrator) # -# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN -# (On SonarQube, click on your avatar on top-right > My account > Security -# or go directly to https://sonarcloud.io/account/security/) +# * b. Copy/paste your SonarQube host URL to your Github repository's secrets using the name SONAR_HOST_URL +# +# * c. Copy/paste the project Key into the args parameter below +# (You'll find this information in SonarQube by following the tutorial or by clicking on Project Information at the top-right of your project's homepage) -# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) -# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) +# Feel free to take a look at our documentation (https://docs.sonarqube.org/latest/analysis/github-integration/) +# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/sq/10) name: SonarQube analysis From 4a1cad76c04ded3d2d1e1f20778ea3855c9e5d1d Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 25 Oct 2022 16:57:24 +0200 Subject: [PATCH 03/43] Added reference to documentation --- code-scanning/sonarqube.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yaml index e9b8d98..f34d48e 100644 --- a/code-scanning/sonarqube.yaml +++ b/code-scanning/sonarqube.yaml @@ -5,7 +5,7 @@ # This workflow helps you trigger a SonarQube analysis of your code and populates # GitHub Code Scanning alerts with the vulnerabilities found. -# (this feature is available starting from Developer Edition) +# (this feature is available starting from SonarQube 9.7, Developer Edition and above) # 1. Make sure you add a valid GitHub configuration to your SonarQube (Administration > DevOps platforms > GitHub) From c7e73d7edc4e376bfdb148a7ee0a1d732c8443f9 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 3 Nov 2022 11:23:48 +0100 Subject: [PATCH 04/43] Update sonarqube.yaml --- code-scanning/sonarqube.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yaml index f34d48e..23f79da 100644 --- a/code-scanning/sonarqube.yaml +++ b/code-scanning/sonarqube.yaml @@ -13,10 +13,10 @@ # * Add your repository as a new project by clicking "Create project" from your homepage. # # 3. Select GitHub Actions as your CI and follow the tutorial -# * a. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN +# * a. Generate a new token and add it to your GitHub repository's secrets using the name SONAR_TOKEN # (On SonarQube, click on your avatar on top-right > My account > Security or ask your administrator) # -# * b. Copy/paste your SonarQube host URL to your Github repository's secrets using the name SONAR_HOST_URL +# * b. Copy/paste your SonarQube host URL to your GitHub repository's secrets using the name SONAR_HOST_URL # # * c. Copy/paste the project Key into the args parameter below # (You'll find this information in SonarQube by following the tutorial or by clicking on Project Information at the top-right of your project's homepage) From ca67faa01ca580695b67779e7cc67cf4b6586ddd Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 3 Nov 2022 11:25:29 +0100 Subject: [PATCH 05/43] Rename sonarqube.yaml to sonarqube.yml --- code-scanning/{sonarqube.yaml => sonarqube.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename code-scanning/{sonarqube.yaml => sonarqube.yml} (100%) diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yml similarity index 100% rename from code-scanning/sonarqube.yaml rename to code-scanning/sonarqube.yml From a5ee5608b9f19e8c4949b365711030820ead5d69 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 3 Nov 2022 11:27:23 +0100 Subject: [PATCH 06/43] Create sonarqube.properties.json --- code-scanning/properties/sonarqube.properties.json | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 code-scanning/properties/sonarqube.properties.json diff --git a/code-scanning/properties/sonarqube.properties.json b/code-scanning/properties/sonarqube.properties.json new file mode 100644 index 0000000..9912c51 --- /dev/null +++ b/code-scanning/properties/sonarqube.properties.json @@ -0,0 +1,7 @@ +{ + "name": "SonarQube", + "creator": "Sonar", + "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start cleaning your code in minutes!", + "iconName": "sonarqube", + "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"] +} From 4c8f3a77aa64cc3b5da5b5b244d75e07285e77d3 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 3 Nov 2022 11:28:50 +0100 Subject: [PATCH 07/43] Add files via upload --- icons/SonarQube icon.svg | 1 + 1 file changed, 1 insertion(+) create mode 100644 icons/SonarQube icon.svg diff --git a/icons/SonarQube icon.svg b/icons/SonarQube icon.svg new file mode 100644 index 0000000..b5c23d8 --- /dev/null +++ b/icons/SonarQube icon.svg @@ -0,0 +1 @@ +SonarQube icon \ No newline at end of file From 5081d1525082e71f7be1c3eb381c7e5443e28f95 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 3 Nov 2022 11:29:30 +0100 Subject: [PATCH 08/43] Rename SonarQube icon.svg to sonarqube.svg --- icons/{SonarQube icon.svg => sonarqube.svg} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename icons/{SonarQube icon.svg => sonarqube.svg} (94%) diff --git a/icons/SonarQube icon.svg b/icons/sonarqube.svg similarity index 94% rename from icons/SonarQube icon.svg rename to icons/sonarqube.svg index b5c23d8..a4bba35 100644 --- a/icons/SonarQube icon.svg +++ b/icons/sonarqube.svg @@ -1 +1 @@ -SonarQube icon \ No newline at end of file +SonarQube icon From a31c09a4f1fd94bb31fb3e8955e4c05c0b855cc1 Mon Sep 17 00:00:00 2001 From: Arjan Keeman Date: Tue, 15 Nov 2022 09:52:54 +0100 Subject: [PATCH 09/43] update deprecated syntax see https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/ --- deployments/aws.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployments/aws.yml b/deployments/aws.yml index 9585844..af7d87d 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -75,7 +75,7 @@ jobs: # be deployed to ECS. docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG . docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG - echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" + echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT - name: Fill in the new image ID in the Amazon ECS task definition id: task-def From a749535e85718bb29553b8e7f6b5217e71a5ccd1 Mon Sep 17 00:00:00 2001 From: jorgectf Date: Wed, 16 Nov 2022 01:05:10 +0100 Subject: [PATCH 10/43] Add lint workflow --- .github/workflows/lint.yaml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 .github/workflows/lint.yaml diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml new file mode 100644 index 0000000..cd3fb3d --- /dev/null +++ b/.github/workflows/lint.yaml @@ -0,0 +1,32 @@ +name: Lint + +on: + pull_request: + branches: + - main + +jobs: + + pre-commit: + name: pre-commit + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - uses: actions/setup-python@v4 + with: + python-version: 3.8 + cache: 'pip' + + - name: Cache pre-commit + uses: actions/cache@v3 + with: + path: ~/.cache/pre-commit + key: pre-commit-3|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }} + + - name: Install pre-commit + run: pip3 install pre-commit + + - name: Run pre-commit + run: pre-commit run --all-files --show-diff-on-failure --color always \ No newline at end of file From 6cd7a70d9f1db1f8485ccb48d863ef766fa0fbc1 Mon Sep 17 00:00:00 2001 From: jorgectf Date: Wed, 16 Nov 2022 01:05:19 +0100 Subject: [PATCH 11/43] Add pre-commit configuration file --- .pre-commit-config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .pre-commit-config.yaml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..7699e82 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,5 @@ +repos: +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.3.0 + hooks: + - id: trailing-whitespace \ No newline at end of file From 5bc87732339ec6887dbd6275cb90686464b3de3c Mon Sep 17 00:00:00 2001 From: jorgectf Date: Wed, 16 Nov 2022 01:16:46 +0100 Subject: [PATCH 12/43] Remove pip cache --- .github/workflows/lint.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index cd3fb3d..76c82c2 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -17,7 +17,6 @@ jobs: - uses: actions/setup-python@v4 with: python-version: 3.8 - cache: 'pip' - name: Cache pre-commit uses: actions/cache@v3 From edcef6ec3eb410566c2f21feaae17d5c4eacef6c Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 22 Nov 2022 19:23:58 +0000 Subject: [PATCH 13/43] update --- code-scanning/scorecards.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 11e305f..0e42bae 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -41,11 +41,11 @@ jobs: with: results_file: results.sarif results_format: sarif - # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if: + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: # - you want to enable the Branch-Protection check on a *public* repository, or # - you are installing Scorecards on a *private* repository # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. - # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} + # repo_token: ${{ secrets.SCORECARD_TOKEN }} # Public repositories: # - Publish results to OpenSSF REST API for easy access by consumers From d0d2da4fd3080c5a70fddd00f554a21a5aeef591 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Tue, 22 Nov 2022 13:38:23 -0600 Subject: [PATCH 14/43] Astro: Update to use the detected package manager --- pages/astro.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index 1d4ec5f..54d4672 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -40,12 +40,10 @@ jobs: if [ -f "${{ github.workspace }}/yarn.lock" ]; then echo "::set-output name=manager::yarn" echo "::set-output name=command::install" - echo "::set-output name=runner::yarn" exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then echo "::set-output name=manager::npm" echo "::set-output name=command::ci" - echo "::set-output name=runner::npx --no-install" exit 0 else echo "Unable to determine packager manager" @@ -57,9 +55,14 @@ jobs: node-version: "16" cache: ${{ steps.detect-package-manager.outputs.manager }} cache-dependency-path: ${{ env.BUILD_PATH }}/package-lock.json - - run: npm install && npm run build + - name: Install dependencies + run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }} working-directory: ${{ env.BUILD_PATH }} - - uses: actions/upload-pages-artifact@v1 + - name: Build with Astro + run: ${{ steps.detect-package-manager.outputs.manager }} run build + working-directory: ${{ env.BUILD_PATH }} + - name: Upload artifact + uses: actions/upload-pages-artifact@v1 with: path: ${{ env.BUILD_PATH }}/dist From 1ffc2dce9f0e0d25af6d872223730be7badd2a93 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Tue, 22 Nov 2022 13:43:51 -0600 Subject: [PATCH 15/43] Pages: Update Node.js-based workflows to use non-deprecated mechanism for setting outputs See https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/ --- pages/astro.yml | 8 ++++---- pages/gatsby.yml | 8 ++++---- pages/nextjs.yml | 12 ++++++------ pages/nuxtjs.yml | 8 ++++---- 4 files changed, 18 insertions(+), 18 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index 54d4672..9f845f3 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -38,12 +38,12 @@ jobs: id: detect-package-manager run: | if [ -f "${{ github.workspace }}/yarn.lock" ]; then - echo "::set-output name=manager::yarn" - echo "::set-output name=command::install" + echo "manager=yarn" >> $GITHUB_OUTPUT + echo "command=install" >> $GITHUB_OUTPUT exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then - echo "::set-output name=manager::npm" - echo "::set-output name=command::ci" + echo "manager=npm" >> $GITHUB_OUTPUT + echo "command=ci" >> $GITHUB_OUTPUT exit 0 else echo "Unable to determine packager manager" diff --git a/pages/gatsby.yml b/pages/gatsby.yml index 4f2857d..7db9291 100644 --- a/pages/gatsby.yml +++ b/pages/gatsby.yml @@ -39,12 +39,12 @@ jobs: id: detect-package-manager run: | if [ -f "${{ github.workspace }}/yarn.lock" ]; then - echo "::set-output name=manager::yarn" - echo "::set-output name=command::install" + echo "manager=yarn" >> $GITHUB_OUTPUT + echo "command=install" >> $GITHUB_OUTPUT exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then - echo "::set-output name=manager::npm" - echo "::set-output name=command::ci" + echo "manager=npm" >> $GITHUB_OUTPUT + echo "command=ci" >> $GITHUB_OUTPUT exit 0 else echo "Unable to determine packager manager" diff --git a/pages/nextjs.yml b/pages/nextjs.yml index 5c2bf67..7e39f83 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -34,14 +34,14 @@ jobs: id: detect-package-manager run: | if [ -f "${{ github.workspace }}/yarn.lock" ]; then - echo "::set-output name=manager::yarn" - echo "::set-output name=command::install" - echo "::set-output name=runner::yarn" + echo "manager=yarn" >> $GITHUB_OUTPUT + echo "command=install" >> $GITHUB_OUTPUT + echo "runner=yarn" >> $GITHUB_OUTPUT exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then - echo "::set-output name=manager::npm" - echo "::set-output name=command::ci" - echo "::set-output name=runner::npx --no-install" + echo "manager=npm" >> $GITHUB_OUTPUT + echo "command=ci" >> $GITHUB_OUTPUT + echo "runner=npx --no-install" >> $GITHUB_OUTPUT exit 0 else echo "Unable to determine packager manager" diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml index 4178f18..660202e 100644 --- a/pages/nuxtjs.yml +++ b/pages/nuxtjs.yml @@ -34,12 +34,12 @@ jobs: id: detect-package-manager run: | if [ -f "${{ github.workspace }}/yarn.lock" ]; then - echo "::set-output name=manager::yarn" - echo "::set-output name=command::install" + echo "manager=yarn" >> $GITHUB_OUTPUT + echo "command=install" >> $GITHUB_OUTPUT exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then - echo "::set-output name=manager::npm" - echo "::set-output name=command::ci" + echo "manager=npm" >> $GITHUB_OUTPUT + echo "command=ci" >> $GITHUB_OUTPUT exit 0 else echo "Unable to determine packager manager" From c868fdbf8caaf8ec83c4b4e884a8546044d8c46b Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Tue, 22 Nov 2022 21:47:03 -0600 Subject: [PATCH 16/43] Pages: Configure Astro origin and base path using CLI arguments --- pages/astro.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/pages/astro.yml b/pages/astro.yml index 9f845f3..77f2924 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -40,10 +40,12 @@ jobs: if [ -f "${{ github.workspace }}/yarn.lock" ]; then echo "manager=yarn" >> $GITHUB_OUTPUT echo "command=install" >> $GITHUB_OUTPUT + echo "runner=yarn" >> $GITHUB_OUTPUT exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then echo "manager=npm" >> $GITHUB_OUTPUT echo "command=ci" >> $GITHUB_OUTPUT + echo "runner=npx --no-install" >> $GITHUB_OUTPUT exit 0 else echo "Unable to determine packager manager" @@ -55,11 +57,17 @@ jobs: node-version: "16" cache: ${{ steps.detect-package-manager.outputs.manager }} cache-dependency-path: ${{ env.BUILD_PATH }}/package-lock.json + - name: Setup Pages + id: pages + uses: actions/configure-pages@v2 - name: Install dependencies run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }} working-directory: ${{ env.BUILD_PATH }} - name: Build with Astro - run: ${{ steps.detect-package-manager.outputs.manager }} run build + run: | + ${{ steps.detect-package-manager.outputs.runner }} astro build \ + --site "${{ steps.pages.outputs.origin }}" \ + --base "${{ steps.pages.outputs.base_path }}" working-directory: ${{ env.BUILD_PATH }} - name: Upload artifact uses: actions/upload-pages-artifact@v1 From 2f81287648d16dc1cda091d44b06368c5e73af73 Mon Sep 17 00:00:00 2001 From: Nguyen Long Nhat <27698189+torn4dom4n@users.noreply.github.com> Date: Mon, 21 Nov 2022 01:17:23 +0700 Subject: [PATCH 17/43] Using node 18 --- pages/gatsby.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/gatsby.yml b/pages/gatsby.yml index 7db9291..a288d7d 100644 --- a/pages/gatsby.yml +++ b/pages/gatsby.yml @@ -53,7 +53,7 @@ jobs: - name: Setup Node uses: actions/setup-node@v3 with: - node-version: "16" + node-version: "18" cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages id: pages From e493e52668ef051fc37be7453871d17470f56e0e Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 29 Nov 2022 17:48:50 +0530 Subject: [PATCH 18/43] Check only certain files --- .pre-commit-config.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 7699e82..5d6f7eb 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,5 +1,6 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks rev: v4.3.0 + files: ^automation|ci|code-scanning|deployments|pages hooks: - - id: trailing-whitespace \ No newline at end of file + - id: trailing-whitespace From ec11d3549bcc7ca2a1df7f76461d31c70313d391 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 29 Nov 2022 18:13:36 +0530 Subject: [PATCH 19/43] Check for only certain files --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5d6f7eb..19bf39d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks rev: v4.3.0 - files: ^automation|ci|code-scanning|deployments|pages hooks: - id: trailing-whitespace + files: (automation/|ci/|code-scanning/|deployments/|pages/).*(yaml|yml|json)$ From 1716d2dcd64d64e5a33a6f72146ebc51010a7d6d Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 30 Nov 2022 10:21:45 +0000 Subject: [PATCH 20/43] Fix whitespace lint --- .github/workflows/lint.yaml | 2 +- code-scanning/checkmarx-one.yml | 12 ++++++------ .../properties/dependency-review.properties.json | 2 +- code-scanning/properties/mobsf.properties.json | 8 ++++---- code-scanning/properties/pmd.properties.json | 12 ++++++------ code-scanning/properties/semgrep.properties.json | 2 +- code-scanning/properties/sobelow.properties.json | 1 - code-scanning/properties/sonarcloud.properties.json | 2 +- 8 files changed, 20 insertions(+), 21 deletions(-) diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 76c82c2..2bb90ed 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -1,7 +1,7 @@ name: Lint on: - pull_request: + pull_request_target: branches: - main diff --git a/code-scanning/checkmarx-one.yml b/code-scanning/checkmarx-one.yml index d85c0c5..6214ab1 100644 --- a/code-scanning/checkmarx-one.yml +++ b/code-scanning/checkmarx-one.yml @@ -3,12 +3,12 @@ # separate terms of service, privacy policy, and support # documentation. -# The Checkmarx One GitHub Action enables you to trigger SAST, SCA, and KICS scans directly from the GitHub workflow. -# It provides a wrapper around the Checkmarx One CLI Tool which creates a zip archive from your source code repository -# and uploads it to Checkmarx One for scanning. The Github Action provides easy integration with GitHub while enabling +# The Checkmarx One GitHub Action enables you to trigger SAST, SCA, and KICS scans directly from the GitHub workflow. +# It provides a wrapper around the Checkmarx One CLI Tool which creates a zip archive from your source code repository +# and uploads it to Checkmarx One for scanning. The Github Action provides easy integration with GitHub while enabling # scan customization using the full functionality and flexibility of the CLI tool. -# This is a basic workflow to help you get started with Using Checkmarx One Action, +# This is a basic workflow to help you get started with Using Checkmarx One Action, # documentation can be found here : https://checkmarx.com/resource/documents/en/34965-68702-checkmarx-one-github-actions.html name: Checkmarx Scan @@ -30,7 +30,7 @@ jobs: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif - + # The type of runner that the job will run on runs-on: ubuntu-latest @@ -39,7 +39,7 @@ jobs: # This step checks out a copy of your repository. - name: Checkout repository uses: actions/checkout@v3 - # This step creates the Checkmarx One scan + # This step creates the Checkmarx One scan - name: Checkmarx One scan uses: checkmarx/ast-github-action@8e887bb93dacc44e0f5b64ee2b06d5815f89d4fc with: diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index c195c73..f76aacd 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json @@ -13,4 +13,4 @@ "Ruby", "Actions", "PHP"] -} +} diff --git a/code-scanning/properties/mobsf.properties.json b/code-scanning/properties/mobsf.properties.json index a6afbfa..fb5d65b 100644 --- a/code-scanning/properties/mobsf.properties.json +++ b/code-scanning/properties/mobsf.properties.json @@ -4,10 +4,10 @@ "description": "Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.", "iconName": "mobsf", "categories": [ - "Code Scanning", - "Java", - "Swift", - "Objective-C", + "Code Scanning", + "Java", + "Swift", + "Objective-C", "Kotlin" ] } \ No newline at end of file diff --git a/code-scanning/properties/pmd.properties.json b/code-scanning/properties/pmd.properties.json index b96ecb7..7b79709 100644 --- a/code-scanning/properties/pmd.properties.json +++ b/code-scanning/properties/pmd.properties.json @@ -4,12 +4,12 @@ "description": "PMD is a static source code analyzer. It supports Java, JavaScript, Apex and Visualforce, Modelica, PLSQL, Apache Velocity, XML, XSL, Scala.", "iconName": "pmd", "categories": [ - "Code Scanning", - "Java", - "JavaScript", - "Apex", - "Modelica", - "PLSQL", + "Code Scanning", + "Java", + "JavaScript", + "Apex", + "Modelica", + "PLSQL", "Apache Velocity", "XML", "XSl", diff --git a/code-scanning/properties/semgrep.properties.json b/code-scanning/properties/semgrep.properties.json index 5f74ed5..c694b38 100644 --- a/code-scanning/properties/semgrep.properties.json +++ b/code-scanning/properties/semgrep.properties.json @@ -4,4 +4,4 @@ "description": "Continuously run Semgrep to find bugs and enforce secure code standards. Start with 1k+ community rules or write your own in a few minutes.", "iconName": "semgrep", "categories": ["Code Scanning", "Go", "Java", "JavaScript", "JSON", "Python", "Ruby", "TypeScript", "JSX", "TSX"] -} \ No newline at end of file +} \ No newline at end of file diff --git a/code-scanning/properties/sobelow.properties.json b/code-scanning/properties/sobelow.properties.json index 163e866..960ac8a 100644 --- a/code-scanning/properties/sobelow.properties.json +++ b/code-scanning/properties/sobelow.properties.json @@ -8,4 +8,3 @@ "Elixir" ] } - \ No newline at end of file diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json index 9b88a78..0f4e151 100644 --- a/code-scanning/properties/sonarcloud.properties.json +++ b/code-scanning/properties/sonarcloud.properties.json @@ -3,5 +3,5 @@ "creator": "Sonar", "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start cleaning your code in minutes!", "iconName": "sonarcloud", - "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"] + "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"] } From 6adaff50c1b390ca04c9c668f07e996dee1a25ac Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 30 Nov 2022 10:26:21 +0000 Subject: [PATCH 21/43] Fix no newline at EOF --- code-scanning/properties/semgrep.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/semgrep.properties.json b/code-scanning/properties/semgrep.properties.json index c694b38..f1fffe3 100644 --- a/code-scanning/properties/semgrep.properties.json +++ b/code-scanning/properties/semgrep.properties.json @@ -4,4 +4,4 @@ "description": "Continuously run Semgrep to find bugs and enforce secure code standards. Start with 1k+ community rules or write your own in a few minutes.", "iconName": "semgrep", "categories": ["Code Scanning", "Go", "Java", "JavaScript", "JSON", "Python", "Ruby", "TypeScript", "JSX", "TSX"] -} \ No newline at end of file +} From f53db96ce1ca57bf1214bda95a59f2a7ec45d8b8 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 30 Nov 2022 11:04:14 +0000 Subject: [PATCH 22/43] Add supported tech stack list --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7ff406f..fc1bd90 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`. * `description`: the description shown in onboarding * `iconName`: the icon name in the relevant folder, for example, `django` should have an icon `icons/django.svg`. Only SVG is supported at this time. Another option is to use [octicon](https://primer.style/octicons/). The format to use an octicon is `octicon <>`. Example: `octicon person` * `creator`: creator of the template shown in onboarding. All the workflow templates from an author will have the same `creator` field. -* `categories`: the categories that it will be shown under. Choose at least one category from the list [here](#categories). Further, choose the categories from the list of languages available [here](https://github.com/github/linguist/blob/master/lib/linguist/languages.yml). When a user views the available templates, those templates that match the same language will feature more prominently. +* `categories`: the categories that it will be shown under. Choose at least one category from the list [here](#categories). Further, choose the categories from the list of languages available [here](https://github.com/github/linguist/blob/master/lib/linguist/languages.yml) and the list of tech stacks available [here](https://github.com/github-starter-workflows/repo-analysis-partner/blob/main/tech_stacks.yml). When a user views the available templates, those templates that match the same language will feature more prominently. ### Categories * continuous-integration From 4f469603129f59fefca0072e32a2eed15002fe4c Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Thu, 1 Dec 2022 06:55:46 +0000 Subject: [PATCH 23/43] Add instructions to test templates --- README.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/README.md b/README.md index 7ff406f..1048694 100644 --- a/README.md +++ b/README.md @@ -50,3 +50,23 @@ These variables can be placed in the starter workflow and will be substituted as * `$default-branch`: will substitute the branch from the repository, for example `main` and `master` * `$protected-branches`: will substitute any protected branches from the repository * `$cron-daily`: will substitute a valid but random time within the day + +## How to test templates before publishing + +### Disable template for public +The author should add a `labels` array in the `properties.json` file with a label `preview`. This would hide the template from GitHub UX. +Example `properties.json` file: +```json +{ + "name": "Node.js", + "description": "Build and test a Node.js project with npm.", + "iconName": "nodejs", + "categories": ["Continuous integration", "JavaScript", "npm", "React", "Angular", "Vue"], + "labels": ["preview"] +} +``` + +Then to view the template in the `actions/new` page add a URL query parameter `preview=true` and it should be visible. + +### Enable template for public +Remove the `labels` array from `properties.json` file to publish the template to public From bd3d623e07d9ec600ba22e97a047b9afb91075f9 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Thu, 1 Dec 2022 13:06:55 +0530 Subject: [PATCH 24/43] Apply suggestions from code review Co-authored-by: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1048694..e455e13 100644 --- a/README.md +++ b/README.md @@ -54,7 +54,7 @@ These variables can be placed in the starter workflow and will be substituted as ## How to test templates before publishing ### Disable template for public -The author should add a `labels` array in the `properties.json` file with a label `preview`. This would hide the template from GitHub UX. +The template author adds a `labels` array in the template's `properties.json` file with a label `preview`. This will hide the template from users, unless user uses query parameter `preview=true` in the URL. Example `properties.json` file: ```json { @@ -66,7 +66,7 @@ Example `properties.json` file: } ``` -Then to view the template in the `actions/new` page add a URL query parameter `preview=true` and it should be visible. +For viewing the templates with `preview` label, provide query parameter `preview=true` to the `new workflow` page URL. Eg. `https://github.com///actions/new?preview=true`. ### Enable template for public Remove the `labels` array from `properties.json` file to publish the template to public From db5c5c4b5e88807a37600118dc80be71301ba48b Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 1 Dec 2022 17:08:17 +0100 Subject: [PATCH 25/43] Apply suggestions from code review Co-authored-by: Sampark Sharma --- code-scanning/sonarqube.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/code-scanning/sonarqube.yml b/code-scanning/sonarqube.yml index 23f79da..68585a9 100644 --- a/code-scanning/sonarqube.yml +++ b/code-scanning/sonarqube.yml @@ -41,7 +41,7 @@ jobs: runs-on: ubuntu-latest steps: - - name: Analyze with SonarQube + - name: Analyze with SonarQube # You can pin the exact commit or the version. # uses: SonarSource/sonarqube-scan-action@v1.1.0 @@ -52,7 +52,7 @@ jobs: SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # add the URL of your instance to the secrets of this repo with the name SONAR_HOST_URL (Settings > Secrets > Actions > add new repository secret) with: # Additional arguments for the sonarcloud scanner - args: + args: # Unique key of your project. You can find it in SonarQube > [my project] > Project Information (top-right menu) # mandatory -Dsonar.projectKey= @@ -63,4 +63,4 @@ jobs: # Comma-separated paths to directories containing test source files. #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. - #-Dsonar.verbose= # optional, default is false + #-Dsonar.verbose= # optional, default is false From 0cd0541922d9efdce53b33f9c49b01d6cd6ca54b Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 1 Dec 2022 17:13:18 +0100 Subject: [PATCH 26/43] added SHA to action definition --- code-scanning/sonarqube.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/sonarqube.yml b/code-scanning/sonarqube.yml index 68585a9..f01b9dc 100644 --- a/code-scanning/sonarqube.yml +++ b/code-scanning/sonarqube.yml @@ -45,7 +45,7 @@ jobs: # You can pin the exact commit or the version. # uses: SonarSource/sonarqube-scan-action@v1.1.0 - uses: SonarSource/sonarqube-scan-action@v1.1.0 + uses: SonarSource/sonarqube-scan-action@7295e71c9583053f5bf40e9d4068a0c974603ec8 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on SonarQube, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) From 3408b65a7132d3f0ffa75a4e7a42aa2849f04a1d Mon Sep 17 00:00:00 2001 From: "Y. Meyer-Norwood" <106889957+norwd@users.noreply.github.com> Date: Thu, 8 Dec 2022 14:38:34 +1300 Subject: [PATCH 27/43] Update Go version to 1.19 Go 1.18 will be at end of life sometime within the coming months (Q1 2023). Go 1.19 will be around until Q3 2023, by which point 1.20 will have been released. --- ci/go.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/go.yml b/ci/go.yml index 4d95674..e89f6c9 100644 --- a/ci/go.yml +++ b/ci/go.yml @@ -19,7 +19,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v3 with: - go-version: 1.18 + go-version: 1.19 - name: Build run: go build -v ./... From 7a584505f5655db11a8c6f01d1913bc7ab3b0a50 Mon Sep 17 00:00:00 2001 From: "Y. Meyer-Norwood" <106889957+norwd@users.noreply.github.com> Date: Thu, 8 Dec 2022 14:41:48 +1300 Subject: [PATCH 28/43] Fixed misspelling of "privileged" --- .github/pull_request_template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 0a98861..05cb4b1 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -26,7 +26,7 @@ It is not: - [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests"). - [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build"). - [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification. -- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully. +- [ ] Should specify least privileged [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully. **For _CI_ workflows, the workflow:** From fe2a38622547802426adddc16f8a700ac2ed0edc Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Thu, 8 Dec 2022 11:35:13 +0530 Subject: [PATCH 29/43] Update README.md Co-authored-by: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fc1bd90..cc272b5 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`. * `description`: the description shown in onboarding * `iconName`: the icon name in the relevant folder, for example, `django` should have an icon `icons/django.svg`. Only SVG is supported at this time. Another option is to use [octicon](https://primer.style/octicons/). The format to use an octicon is `octicon <>`. Example: `octicon person` * `creator`: creator of the template shown in onboarding. All the workflow templates from an author will have the same `creator` field. -* `categories`: the categories that it will be shown under. Choose at least one category from the list [here](#categories). Further, choose the categories from the list of languages available [here](https://github.com/github/linguist/blob/master/lib/linguist/languages.yml) and the list of tech stacks available [here](https://github.com/github-starter-workflows/repo-analysis-partner/blob/main/tech_stacks.yml). When a user views the available templates, those templates that match the same language will feature more prominently. +* `categories`: the categories that it will be shown under. Choose at least one category from the list [here](#categories). Further, choose the categories from the list of languages available [here](https://github.com/github/linguist/blob/master/lib/linguist/languages.yml) and the list of tech stacks available [here](https://github.com/github-starter-workflows/repo-analysis-partner/blob/main/tech_stacks.yml). When a user views the available templates, those templates that match the language and tech stacks will feature more prominently. ### Categories * continuous-integration From 1899cb68914da2e7df727fdabfc8f4277c76463d Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Thu, 8 Dec 2022 06:10:22 +0000 Subject: [PATCH 30/43] Fix whitespaces --- code-scanning/properties/sonarqube.properties.json | 2 +- code-scanning/sonarqube.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/code-scanning/properties/sonarqube.properties.json b/code-scanning/properties/sonarqube.properties.json index 9912c51..009602b 100644 --- a/code-scanning/properties/sonarqube.properties.json +++ b/code-scanning/properties/sonarqube.properties.json @@ -3,5 +3,5 @@ "creator": "Sonar", "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start cleaning your code in minutes!", "iconName": "sonarqube", - "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"] + "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"] } diff --git a/code-scanning/sonarqube.yml b/code-scanning/sonarqube.yml index f01b9dc..220e43a 100644 --- a/code-scanning/sonarqube.yml +++ b/code-scanning/sonarqube.yml @@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. -# This workflow helps you trigger a SonarQube analysis of your code and populates +# This workflow helps you trigger a SonarQube analysis of your code and populates # GitHub Code Scanning alerts with the vulnerabilities found. # (this feature is available starting from SonarQube 9.7, Developer Edition and above) @@ -11,7 +11,7 @@ # 2. Import your project on SonarQube # * Add your repository as a new project by clicking "Create project" from your homepage. -# +# # 3. Select GitHub Actions as your CI and follow the tutorial # * a. Generate a new token and add it to your GitHub repository's secrets using the name SONAR_TOKEN # (On SonarQube, click on your avatar on top-right > My account > Security or ask your administrator) @@ -39,7 +39,7 @@ permissions: jobs: Analysis: runs-on: ubuntu-latest - + steps: - name: Analyze with SonarQube From 384d799f2c7135d7c1a8c2de7c45c7b829b37c84 Mon Sep 17 00:00:00 2001 From: hadar-co Date: Wed, 23 Nov 2022 16:19:36 +0200 Subject: [PATCH 31/43] add Datree --- code-scanning/datree.yml | 44 +++++++++++++++++++ .../properties/datree.properties.json | 7 +++ icons/datree.svg | 1 + 3 files changed, 52 insertions(+) create mode 100644 code-scanning/datree.yml create mode 100644 code-scanning/properties/datree.properties.json create mode 100644 icons/datree.svg diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml new file mode 100644 index 0000000..682ab5d --- /dev/null +++ b/code-scanning/datree.yml @@ -0,0 +1,44 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which checks out your code and scans your desired k8s config files for misconfigurations using the Datree CLI. +# The results are then uploaded to GitHub Security Code Scanning. +# +# For more information and configurations options, see https://github.com/datreeio/action-datree/ + +name: Datree + +on: + push: + branches: [ main ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ main ] + +jobs: + datree: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Run Datree policy check + continue-on-error: true + uses: hadar-co/action-datree@main + env: + # In order to use the Datree action you will need to have a Datree token. + # See https://hub.datree.io/setup/account-token#1-get-your-account-token-from-the-dashboard to acquire your token. + DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }} + with: + # Add the path to the configuration file/s that you would like to test. + # See https://github.com/datreeio/action-datree#usage for all available options. + path: test-file.yaml + # Setting a SARIF output will generate a file named "datree.sarif" containing your test results + cliArguments: "-o sarif" + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: datree.sarif \ No newline at end of file diff --git a/code-scanning/properties/datree.properties.json b/code-scanning/properties/datree.properties.json new file mode 100644 index 0000000..99e07a5 --- /dev/null +++ b/code-scanning/properties/datree.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Datree", + "creator": "Datree", + "description": "Detect misconfigurations in your Kubernetes manifests and present them in Github code scanning", + "iconName": "datree", + "categories": ["Code Scanning", "YAML"] +} \ No newline at end of file diff --git a/icons/datree.svg b/icons/datree.svg new file mode 100644 index 0000000..ca986c6 --- /dev/null +++ b/icons/datree.svg @@ -0,0 +1 @@ + \ No newline at end of file From b79ff384b92634dae9948e7acda99c752827710a Mon Sep 17 00:00:00 2001 From: hadar-co Date: Wed, 23 Nov 2022 16:37:43 +0200 Subject: [PATCH 32/43] add Datree --- code-scanning/datree.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml index 682ab5d..df301c7 100644 --- a/code-scanning/datree.yml +++ b/code-scanning/datree.yml @@ -12,10 +12,10 @@ name: Datree on: push: - branches: [ main ] + branches: [ $default-branch, $protected-branches ] pull_request: # The branches below must be a subset of the branches above - branches: [ main ] + branches: [ $default-branch ] jobs: datree: From 2fe9028318a16ee399cbb6fc832b30e3486f93b6 Mon Sep 17 00:00:00 2001 From: hadar-co Date: Wed, 7 Dec 2022 16:23:25 +0200 Subject: [PATCH 33/43] fix workflow --- code-scanning/datree.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml index df301c7..44afd69 100644 --- a/code-scanning/datree.yml +++ b/code-scanning/datree.yml @@ -17,6 +17,9 @@ on: # The branches below must be a subset of the branches above branches: [ $default-branch ] +permissions: + contents: read + jobs: datree: permissions: @@ -27,7 +30,7 @@ jobs: - uses: actions/checkout@v3 - name: Run Datree policy check continue-on-error: true - uses: hadar-co/action-datree@main + uses: datreeio/action-datree@de67ae7a5133d719dc794e1b75682cd4c5f94d8a env: # In order to use the Datree action you will need to have a Datree token. # See https://hub.datree.io/setup/account-token#1-get-your-account-token-from-the-dashboard to acquire your token. @@ -41,4 +44,4 @@ jobs: - name: Upload result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: datree.sarif \ No newline at end of file + sarif_file: datree.sarif From eaef38b7d53821181be4769ca49cd73b29a1dc95 Mon Sep 17 00:00:00 2001 From: hadar-co Date: Wed, 7 Dec 2022 16:24:28 +0200 Subject: [PATCH 34/43] fix workflow --- code-scanning/properties/datree.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/datree.properties.json b/code-scanning/properties/datree.properties.json index 99e07a5..b7c695c 100644 --- a/code-scanning/properties/datree.properties.json +++ b/code-scanning/properties/datree.properties.json @@ -4,4 +4,4 @@ "description": "Detect misconfigurations in your Kubernetes manifests and present them in Github code scanning", "iconName": "datree", "categories": ["Code Scanning", "YAML"] -} \ No newline at end of file +} From bf83018c61c4c637421536d74854c789df696c20 Mon Sep 17 00:00:00 2001 From: hadar-co Date: Thu, 8 Dec 2022 09:57:36 +0200 Subject: [PATCH 35/43] Update code-scanning/datree.yml Co-authored-by: Sampark Sharma --- code-scanning/datree.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml index 44afd69..2e44682 100644 --- a/code-scanning/datree.yml +++ b/code-scanning/datree.yml @@ -34,7 +34,7 @@ jobs: env: # In order to use the Datree action you will need to have a Datree token. # See https://hub.datree.io/setup/account-token#1-get-your-account-token-from-the-dashboard to acquire your token. - DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }} + DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }} with: # Add the path to the configuration file/s that you would like to test. # See https://github.com/datreeio/action-datree#usage for all available options. From 9e27144d52a9ebe6f2660accc372e55385044204 Mon Sep 17 00:00:00 2001 From: Florin Coada Date: Fri, 9 Dec 2022 15:35:44 +0000 Subject: [PATCH 36/43] Add explanation on which value to use to scan Kotlin and TypeScript Added comments explaining which values should be used if the user would like to scan Kotlin or TypeScript. --- code-scanning/codeql.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 3f0ecfb..002e424 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -34,6 +34,8 @@ jobs: matrix: language: [ $detected-codeql-languages ] # CodeQL supports [ $supported-codeql-languages ] + # Use only 'java' to analyze code written in Java, Kotlin or both + # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: From 5f790e392edb9bda28c53cb73e24c08e22aac844 Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez Date: Mon, 12 Dec 2022 16:44:33 -0300 Subject: [PATCH 37/43] update soos dast to latest version --- code-scanning/soos-dast-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 95dfd67..6a5a047 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Scan - uses: soos-io/soos-dast-github-action@093de8c09530d4b96f12322adeb74444def866db # Use latest version from https://github.com/marketplace/actions/soos-dast + uses: soos-io/soos-dast-github-action@3e71b27756f4ed77d7ad3c0ad92afddb47a40e4d # Use latest version from https://github.com/marketplace/actions/soos-dast with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} From 89d867e0d8e0e6a099005135a107deee089c5a32 Mon Sep 17 00:00:00 2001 From: Simon Engledew Date: Tue, 13 Dec 2022 10:30:16 +0000 Subject: [PATCH 38/43] Fix code-scanning filtering for relative paths --- script/sync-ghes/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index a320d36..f53d220 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -61,7 +61,7 @@ async function checkWorkflows( const enabled = !isPartnerWorkflow && - (workflowProperties.enterprise === true || folder !== 'code-scanning') && + (workflowProperties.enterprise === true || basename(folder) !== 'code-scanning') && (await checkWorkflow(workflowFilePath, enabledActions)); const workflowDesc: WorkflowDesc = { From 1006a379d3e0ef603884037fa614bb831b9387f6 Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez Date: Tue, 13 Dec 2022 08:40:14 -0300 Subject: [PATCH 39/43] linter --- code-scanning/soos-dast-scan.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 9b4f470..99b9027 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -45,6 +45,4 @@ jobs: - name: Upload SOOS DAST SARIF Report uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: results.sarif - - + sarif_file: results.sarif \ No newline at end of file From a2fbfc40767ff866fed3e15b2123cf514445cf24 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 13 Dec 2022 17:58:04 +0530 Subject: [PATCH 40/43] Update lint.yaml --- .github/workflows/lint.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 2bb90ed..a76800c 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -1,7 +1,7 @@ name: Lint on: - pull_request_target: + pull_request: branches: - main @@ -28,4 +28,4 @@ jobs: run: pip3 install pre-commit - name: Run pre-commit - run: pre-commit run --all-files --show-diff-on-failure --color always \ No newline at end of file + run: pre-commit run --all-files --show-diff-on-failure --color always From ef331a6ad4a8dcd60a1eb62f2e7ebc150d967e91 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 13 Dec 2022 18:02:56 +0530 Subject: [PATCH 41/43] Update lint.yaml --- .github/workflows/lint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index a76800c..737e69c 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -1,7 +1,7 @@ name: Lint on: - pull_request: + pull_request_target: branches: - main From 95cee2a6f2019101ee71a6b954d2feb092acef0d Mon Sep 17 00:00:00 2001 From: Chris Gavin Date: Wed, 14 Dec 2022 12:23:14 +0000 Subject: [PATCH 42/43] Add Kotlin to CodeQL supported languages. --- code-scanning/properties/codeql.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index 8ee80b4..f5e78bf 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -2,7 +2,7 @@ "name": "CodeQL Analysis", "creator": "GitHub", "enterprise": true, - "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.", + "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, Ruby and Kotlin developers.", "iconName": "octicon mark-github", - "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"] + "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby", "Kotlin"] } From 50c4e6f5a82cc11652504253929532f8db08f684 Mon Sep 17 00:00:00 2001 From: Joe Mooring Date: Mon, 12 Dec 2022 13:58:51 -0800 Subject: [PATCH 43/43] Fix and improve Hugo starter action Closes #1854 --- pages/hugo.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/pages/hugo.yml b/pages/hugo.yml index f273fb2..05a5b50 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -30,12 +30,14 @@ jobs: build: runs-on: ubuntu-latest env: - HUGO_VERSION: 0.102.3 + HUGO_VERSION: 0.108.0 steps: - name: Install Hugo CLI run: | - wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_Linux-64bit.deb \ + wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb \ && sudo dpkg -i ${{ runner.temp }}/hugo.deb + - name: Install Dart Sass Embedded + run: sudo snap install dart-sass-embedded - name: Checkout uses: actions/checkout@v3 with: @@ -43,6 +45,8 @@ jobs: - name: Setup Pages id: pages uses: actions/configure-pages@v2 + - name: Install Node.js dependencies + run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true" - name: Build with Hugo env: # For maximum backward compatibility with Hugo modules