From 9d82221b3c47a53248149b62bc84bfdc8ba6e57d Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Tue, 25 Oct 2022 16:23:39 +0200
Subject: [PATCH 01/43] Create sonarqube.yaml
---
code-scanning/sonarqube.yaml | 65 ++++++++++++++++++++++++++++++++++++
1 file changed, 65 insertions(+)
create mode 100644 code-scanning/sonarqube.yaml
diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yaml
new file mode 100644
index 0000000..c6fbfce
--- /dev/null
+++ b/code-scanning/sonarqube.yaml
@@ -0,0 +1,65 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow helps you trigger a SonarQube analysis of your code and populates
+# GitHub Code Scanning alerts with the vulnerabilities found.
+# (this feature is available starting from Developer Edition)
+
+# 1. Make sure you add a valid GitHub configuration to your SonarQube (Administration > DevOps platforms > GitHub)
+
+# 2. Import your project on SonarQube
+# * Add your repository as a new project by clicking "Create project" from your homepage.
+#
+# 3. Select GitHub Actions as your CI and follow the tutorial
+# * a. Copy/paste the Project Key and the Organization Key into the args parameter below
+# (You'll find this information in SonarQube. Click on "Information" at the bottom left)
+#
+# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN
+# (On SonarQube, click on your avatar on top-right > My account > Security
+# or go directly to https://sonarcloud.io/account/security/)
+
+# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/)
+# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9)
+
+name: SonarQube analysis
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ workflow_dispatch:
+
+permissions:
+ pull-requests: read # allows SonarQube to decorate PRs with analysis results
+
+jobs:
+ Analysis:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Analyze with SonarQube
+
+ # You can pin the exact commit or the version.
+ # uses: SonarSource/sonarqube-scan-action@v1.1.0
+ uses: SonarSource/sonarqube-scan-action@v1.1.0
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on SonarQube, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
+ SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # add the URL of your instance to the secrets of this repo with the name SONAR_HOST_URL (Settings > Secrets > Actions > add new repository secret)
+ with:
+ # Additional arguments for the sonarcloud scanner
+ args:
+ # Unique key of your project. You can find it in SonarQube > [my project] > Project Information (top-right menu)
+ # mandatory
+ -Dsonar.projectKey=
+ # Comma-separated paths to directories containing main source files.
+ #-Dsonar.sources= # optional, default is project base directory
+ # When you need the analysis to take place in a directory other than the one from which it was launched
+ #-Dsonar.projectBaseDir= # optional, default is .
+ # Comma-separated paths to directories containing test source files.
+ #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
+ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
+ #-Dsonar.verbose= # optional, default is false
From f44ecbf0e28eae370cbcbece24deff8737158257 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Tue, 25 Oct 2022 16:29:30 +0200
Subject: [PATCH 02/43] Added comments
---
code-scanning/sonarqube.yaml | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yaml
index c6fbfce..e9b8d98 100644
--- a/code-scanning/sonarqube.yaml
+++ b/code-scanning/sonarqube.yaml
@@ -13,15 +13,16 @@
# * Add your repository as a new project by clicking "Create project" from your homepage.
#
# 3. Select GitHub Actions as your CI and follow the tutorial
-# * a. Copy/paste the Project Key and the Organization Key into the args parameter below
-# (You'll find this information in SonarQube. Click on "Information" at the bottom left)
+# * a. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN
+# (On SonarQube, click on your avatar on top-right > My account > Security or ask your administrator)
#
-# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN
-# (On SonarQube, click on your avatar on top-right > My account > Security
-# or go directly to https://sonarcloud.io/account/security/)
+# * b. Copy/paste your SonarQube host URL to your Github repository's secrets using the name SONAR_HOST_URL
+#
+# * c. Copy/paste the project Key into the args parameter below
+# (You'll find this information in SonarQube by following the tutorial or by clicking on Project Information at the top-right of your project's homepage)
-# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/)
-# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9)
+# Feel free to take a look at our documentation (https://docs.sonarqube.org/latest/analysis/github-integration/)
+# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/sq/10)
name: SonarQube analysis
From 4a1cad76c04ded3d2d1e1f20778ea3855c9e5d1d Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Tue, 25 Oct 2022 16:57:24 +0200
Subject: [PATCH 03/43] Added reference to documentation
---
code-scanning/sonarqube.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yaml
index e9b8d98..f34d48e 100644
--- a/code-scanning/sonarqube.yaml
+++ b/code-scanning/sonarqube.yaml
@@ -5,7 +5,7 @@
# This workflow helps you trigger a SonarQube analysis of your code and populates
# GitHub Code Scanning alerts with the vulnerabilities found.
-# (this feature is available starting from Developer Edition)
+# (this feature is available starting from SonarQube 9.7, Developer Edition and above)
# 1. Make sure you add a valid GitHub configuration to your SonarQube (Administration > DevOps platforms > GitHub)
From c7e73d7edc4e376bfdb148a7ee0a1d732c8443f9 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 3 Nov 2022 11:23:48 +0100
Subject: [PATCH 04/43] Update sonarqube.yaml
---
code-scanning/sonarqube.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yaml
index f34d48e..23f79da 100644
--- a/code-scanning/sonarqube.yaml
+++ b/code-scanning/sonarqube.yaml
@@ -13,10 +13,10 @@
# * Add your repository as a new project by clicking "Create project" from your homepage.
#
# 3. Select GitHub Actions as your CI and follow the tutorial
-# * a. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN
+# * a. Generate a new token and add it to your GitHub repository's secrets using the name SONAR_TOKEN
# (On SonarQube, click on your avatar on top-right > My account > Security or ask your administrator)
#
-# * b. Copy/paste your SonarQube host URL to your Github repository's secrets using the name SONAR_HOST_URL
+# * b. Copy/paste your SonarQube host URL to your GitHub repository's secrets using the name SONAR_HOST_URL
#
# * c. Copy/paste the project Key into the args parameter below
# (You'll find this information in SonarQube by following the tutorial or by clicking on Project Information at the top-right of your project's homepage)
From ca67faa01ca580695b67779e7cc67cf4b6586ddd Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 3 Nov 2022 11:25:29 +0100
Subject: [PATCH 05/43] Rename sonarqube.yaml to sonarqube.yml
---
code-scanning/{sonarqube.yaml => sonarqube.yml} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename code-scanning/{sonarqube.yaml => sonarqube.yml} (100%)
diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yml
similarity index 100%
rename from code-scanning/sonarqube.yaml
rename to code-scanning/sonarqube.yml
From a5ee5608b9f19e8c4949b365711030820ead5d69 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 3 Nov 2022 11:27:23 +0100
Subject: [PATCH 06/43] Create sonarqube.properties.json
---
code-scanning/properties/sonarqube.properties.json | 7 +++++++
1 file changed, 7 insertions(+)
create mode 100644 code-scanning/properties/sonarqube.properties.json
diff --git a/code-scanning/properties/sonarqube.properties.json b/code-scanning/properties/sonarqube.properties.json
new file mode 100644
index 0000000..9912c51
--- /dev/null
+++ b/code-scanning/properties/sonarqube.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "SonarQube",
+ "creator": "Sonar",
+ "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start cleaning your code in minutes!",
+ "iconName": "sonarqube",
+ "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"]
+}
From 4c8f3a77aa64cc3b5da5b5b244d75e07285e77d3 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 3 Nov 2022 11:28:50 +0100
Subject: [PATCH 07/43] Add files via upload
---
icons/SonarQube icon.svg | 1 +
1 file changed, 1 insertion(+)
create mode 100644 icons/SonarQube icon.svg
diff --git a/icons/SonarQube icon.svg b/icons/SonarQube icon.svg
new file mode 100644
index 0000000..b5c23d8
--- /dev/null
+++ b/icons/SonarQube icon.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
From 5081d1525082e71f7be1c3eb381c7e5443e28f95 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 3 Nov 2022 11:29:30 +0100
Subject: [PATCH 08/43] Rename SonarQube icon.svg to sonarqube.svg
---
icons/{SonarQube icon.svg => sonarqube.svg} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename icons/{SonarQube icon.svg => sonarqube.svg} (94%)
diff --git a/icons/SonarQube icon.svg b/icons/sonarqube.svg
similarity index 94%
rename from icons/SonarQube icon.svg
rename to icons/sonarqube.svg
index b5c23d8..a4bba35 100644
--- a/icons/SonarQube icon.svg
+++ b/icons/sonarqube.svg
@@ -1 +1 @@
-
\ No newline at end of file
+
From a31c09a4f1fd94bb31fb3e8955e4c05c0b855cc1 Mon Sep 17 00:00:00 2001
From: Arjan Keeman
Date: Tue, 15 Nov 2022 09:52:54 +0100
Subject: [PATCH 09/43] update deprecated syntax
see https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
---
deployments/aws.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deployments/aws.yml b/deployments/aws.yml
index 9585844..af7d87d 100644
--- a/deployments/aws.yml
+++ b/deployments/aws.yml
@@ -75,7 +75,7 @@ jobs:
# be deployed to ECS.
docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
- echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
+ echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
- name: Fill in the new image ID in the Amazon ECS task definition
id: task-def
From a749535e85718bb29553b8e7f6b5217e71a5ccd1 Mon Sep 17 00:00:00 2001
From: jorgectf
Date: Wed, 16 Nov 2022 01:05:10 +0100
Subject: [PATCH 10/43] Add lint workflow
---
.github/workflows/lint.yaml | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100644 .github/workflows/lint.yaml
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
new file mode 100644
index 0000000..cd3fb3d
--- /dev/null
+++ b/.github/workflows/lint.yaml
@@ -0,0 +1,32 @@
+name: Lint
+
+on:
+ pull_request:
+ branches:
+ - main
+
+jobs:
+
+ pre-commit:
+ name: pre-commit
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - uses: actions/setup-python@v4
+ with:
+ python-version: 3.8
+ cache: 'pip'
+
+ - name: Cache pre-commit
+ uses: actions/cache@v3
+ with:
+ path: ~/.cache/pre-commit
+ key: pre-commit-3|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }}
+
+ - name: Install pre-commit
+ run: pip3 install pre-commit
+
+ - name: Run pre-commit
+ run: pre-commit run --all-files --show-diff-on-failure --color always
\ No newline at end of file
From 6cd7a70d9f1db1f8485ccb48d863ef766fa0fbc1 Mon Sep 17 00:00:00 2001
From: jorgectf
Date: Wed, 16 Nov 2022 01:05:19 +0100
Subject: [PATCH 11/43] Add pre-commit configuration file
---
.pre-commit-config.yaml | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 .pre-commit-config.yaml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..7699e82
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.3.0
+ hooks:
+ - id: trailing-whitespace
\ No newline at end of file
From 5bc87732339ec6887dbd6275cb90686464b3de3c Mon Sep 17 00:00:00 2001
From: jorgectf
Date: Wed, 16 Nov 2022 01:16:46 +0100
Subject: [PATCH 12/43] Remove pip cache
---
.github/workflows/lint.yaml | 1 -
1 file changed, 1 deletion(-)
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index cd3fb3d..76c82c2 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -17,7 +17,6 @@ jobs:
- uses: actions/setup-python@v4
with:
python-version: 3.8
- cache: 'pip'
- name: Cache pre-commit
uses: actions/cache@v3
From edcef6ec3eb410566c2f21feaae17d5c4eacef6c Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Tue, 22 Nov 2022 19:23:58 +0000
Subject: [PATCH 13/43] update
---
code-scanning/scorecards.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml
index 11e305f..0e42bae 100644
--- a/code-scanning/scorecards.yml
+++ b/code-scanning/scorecards.yml
@@ -41,11 +41,11 @@ jobs:
with:
results_file: results.sarif
results_format: sarif
- # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
# - you want to enable the Branch-Protection check on a *public* repository, or
# - you are installing Scorecards on a *private* repository
# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
- # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
# Public repositories:
# - Publish results to OpenSSF REST API for easy access by consumers
From d0d2da4fd3080c5a70fddd00f554a21a5aeef591 Mon Sep 17 00:00:00 2001
From: "James M. Greene"
Date: Tue, 22 Nov 2022 13:38:23 -0600
Subject: [PATCH 14/43] Astro: Update to use the detected package manager
---
pages/astro.yml | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/pages/astro.yml b/pages/astro.yml
index 1d4ec5f..54d4672 100644
--- a/pages/astro.yml
+++ b/pages/astro.yml
@@ -40,12 +40,10 @@ jobs:
if [ -f "${{ github.workspace }}/yarn.lock" ]; then
echo "::set-output name=manager::yarn"
echo "::set-output name=command::install"
- echo "::set-output name=runner::yarn"
exit 0
elif [ -f "${{ github.workspace }}/package.json" ]; then
echo "::set-output name=manager::npm"
echo "::set-output name=command::ci"
- echo "::set-output name=runner::npx --no-install"
exit 0
else
echo "Unable to determine packager manager"
@@ -57,9 +55,14 @@ jobs:
node-version: "16"
cache: ${{ steps.detect-package-manager.outputs.manager }}
cache-dependency-path: ${{ env.BUILD_PATH }}/package-lock.json
- - run: npm install && npm run build
+ - name: Install dependencies
+ run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }}
working-directory: ${{ env.BUILD_PATH }}
- - uses: actions/upload-pages-artifact@v1
+ - name: Build with Astro
+ run: ${{ steps.detect-package-manager.outputs.manager }} run build
+ working-directory: ${{ env.BUILD_PATH }}
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v1
with:
path: ${{ env.BUILD_PATH }}/dist
From 1ffc2dce9f0e0d25af6d872223730be7badd2a93 Mon Sep 17 00:00:00 2001
From: "James M. Greene"
Date: Tue, 22 Nov 2022 13:43:51 -0600
Subject: [PATCH 15/43] Pages: Update Node.js-based workflows to use
non-deprecated mechanism for setting outputs
See https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
---
pages/astro.yml | 8 ++++----
pages/gatsby.yml | 8 ++++----
pages/nextjs.yml | 12 ++++++------
pages/nuxtjs.yml | 8 ++++----
4 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/pages/astro.yml b/pages/astro.yml
index 54d4672..9f845f3 100644
--- a/pages/astro.yml
+++ b/pages/astro.yml
@@ -38,12 +38,12 @@ jobs:
id: detect-package-manager
run: |
if [ -f "${{ github.workspace }}/yarn.lock" ]; then
- echo "::set-output name=manager::yarn"
- echo "::set-output name=command::install"
+ echo "manager=yarn" >> $GITHUB_OUTPUT
+ echo "command=install" >> $GITHUB_OUTPUT
exit 0
elif [ -f "${{ github.workspace }}/package.json" ]; then
- echo "::set-output name=manager::npm"
- echo "::set-output name=command::ci"
+ echo "manager=npm" >> $GITHUB_OUTPUT
+ echo "command=ci" >> $GITHUB_OUTPUT
exit 0
else
echo "Unable to determine packager manager"
diff --git a/pages/gatsby.yml b/pages/gatsby.yml
index 4f2857d..7db9291 100644
--- a/pages/gatsby.yml
+++ b/pages/gatsby.yml
@@ -39,12 +39,12 @@ jobs:
id: detect-package-manager
run: |
if [ -f "${{ github.workspace }}/yarn.lock" ]; then
- echo "::set-output name=manager::yarn"
- echo "::set-output name=command::install"
+ echo "manager=yarn" >> $GITHUB_OUTPUT
+ echo "command=install" >> $GITHUB_OUTPUT
exit 0
elif [ -f "${{ github.workspace }}/package.json" ]; then
- echo "::set-output name=manager::npm"
- echo "::set-output name=command::ci"
+ echo "manager=npm" >> $GITHUB_OUTPUT
+ echo "command=ci" >> $GITHUB_OUTPUT
exit 0
else
echo "Unable to determine packager manager"
diff --git a/pages/nextjs.yml b/pages/nextjs.yml
index 5c2bf67..7e39f83 100644
--- a/pages/nextjs.yml
+++ b/pages/nextjs.yml
@@ -34,14 +34,14 @@ jobs:
id: detect-package-manager
run: |
if [ -f "${{ github.workspace }}/yarn.lock" ]; then
- echo "::set-output name=manager::yarn"
- echo "::set-output name=command::install"
- echo "::set-output name=runner::yarn"
+ echo "manager=yarn" >> $GITHUB_OUTPUT
+ echo "command=install" >> $GITHUB_OUTPUT
+ echo "runner=yarn" >> $GITHUB_OUTPUT
exit 0
elif [ -f "${{ github.workspace }}/package.json" ]; then
- echo "::set-output name=manager::npm"
- echo "::set-output name=command::ci"
- echo "::set-output name=runner::npx --no-install"
+ echo "manager=npm" >> $GITHUB_OUTPUT
+ echo "command=ci" >> $GITHUB_OUTPUT
+ echo "runner=npx --no-install" >> $GITHUB_OUTPUT
exit 0
else
echo "Unable to determine packager manager"
diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml
index 4178f18..660202e 100644
--- a/pages/nuxtjs.yml
+++ b/pages/nuxtjs.yml
@@ -34,12 +34,12 @@ jobs:
id: detect-package-manager
run: |
if [ -f "${{ github.workspace }}/yarn.lock" ]; then
- echo "::set-output name=manager::yarn"
- echo "::set-output name=command::install"
+ echo "manager=yarn" >> $GITHUB_OUTPUT
+ echo "command=install" >> $GITHUB_OUTPUT
exit 0
elif [ -f "${{ github.workspace }}/package.json" ]; then
- echo "::set-output name=manager::npm"
- echo "::set-output name=command::ci"
+ echo "manager=npm" >> $GITHUB_OUTPUT
+ echo "command=ci" >> $GITHUB_OUTPUT
exit 0
else
echo "Unable to determine packager manager"
From c868fdbf8caaf8ec83c4b4e884a8546044d8c46b Mon Sep 17 00:00:00 2001
From: "James M. Greene"
Date: Tue, 22 Nov 2022 21:47:03 -0600
Subject: [PATCH 16/43] Pages: Configure Astro origin and base path using CLI
arguments
---
pages/astro.yml | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/pages/astro.yml b/pages/astro.yml
index 9f845f3..77f2924 100644
--- a/pages/astro.yml
+++ b/pages/astro.yml
@@ -40,10 +40,12 @@ jobs:
if [ -f "${{ github.workspace }}/yarn.lock" ]; then
echo "manager=yarn" >> $GITHUB_OUTPUT
echo "command=install" >> $GITHUB_OUTPUT
+ echo "runner=yarn" >> $GITHUB_OUTPUT
exit 0
elif [ -f "${{ github.workspace }}/package.json" ]; then
echo "manager=npm" >> $GITHUB_OUTPUT
echo "command=ci" >> $GITHUB_OUTPUT
+ echo "runner=npx --no-install" >> $GITHUB_OUTPUT
exit 0
else
echo "Unable to determine packager manager"
@@ -55,11 +57,17 @@ jobs:
node-version: "16"
cache: ${{ steps.detect-package-manager.outputs.manager }}
cache-dependency-path: ${{ env.BUILD_PATH }}/package-lock.json
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@v2
- name: Install dependencies
run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }}
working-directory: ${{ env.BUILD_PATH }}
- name: Build with Astro
- run: ${{ steps.detect-package-manager.outputs.manager }} run build
+ run: |
+ ${{ steps.detect-package-manager.outputs.runner }} astro build \
+ --site "${{ steps.pages.outputs.origin }}" \
+ --base "${{ steps.pages.outputs.base_path }}"
working-directory: ${{ env.BUILD_PATH }}
- name: Upload artifact
uses: actions/upload-pages-artifact@v1
From 2f81287648d16dc1cda091d44b06368c5e73af73 Mon Sep 17 00:00:00 2001
From: Nguyen Long Nhat <27698189+torn4dom4n@users.noreply.github.com>
Date: Mon, 21 Nov 2022 01:17:23 +0700
Subject: [PATCH 17/43] Using node 18
---
pages/gatsby.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pages/gatsby.yml b/pages/gatsby.yml
index 7db9291..a288d7d 100644
--- a/pages/gatsby.yml
+++ b/pages/gatsby.yml
@@ -53,7 +53,7 @@ jobs:
- name: Setup Node
uses: actions/setup-node@v3
with:
- node-version: "16"
+ node-version: "18"
cache: ${{ steps.detect-package-manager.outputs.manager }}
- name: Setup Pages
id: pages
From e493e52668ef051fc37be7453871d17470f56e0e Mon Sep 17 00:00:00 2001
From: Sampark Sharma
Date: Tue, 29 Nov 2022 17:48:50 +0530
Subject: [PATCH 18/43] Check only certain files
---
.pre-commit-config.yaml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 7699e82..5d6f7eb 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,5 +1,6 @@
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.3.0
+ files: ^automation|ci|code-scanning|deployments|pages
hooks:
- - id: trailing-whitespace
\ No newline at end of file
+ - id: trailing-whitespace
From ec11d3549bcc7ca2a1df7f76461d31c70313d391 Mon Sep 17 00:00:00 2001
From: Sampark Sharma
Date: Tue, 29 Nov 2022 18:13:36 +0530
Subject: [PATCH 19/43] Check for only certain files
---
.pre-commit-config.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 5d6f7eb..19bf39d 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.3.0
- files: ^automation|ci|code-scanning|deployments|pages
hooks:
- id: trailing-whitespace
+ files: (automation/|ci/|code-scanning/|deployments/|pages/).*(yaml|yml|json)$
From 1716d2dcd64d64e5a33a6f72146ebc51010a7d6d Mon Sep 17 00:00:00 2001
From: Sampark Sharma
Date: Wed, 30 Nov 2022 10:21:45 +0000
Subject: [PATCH 20/43] Fix whitespace lint
---
.github/workflows/lint.yaml | 2 +-
code-scanning/checkmarx-one.yml | 12 ++++++------
.../properties/dependency-review.properties.json | 2 +-
code-scanning/properties/mobsf.properties.json | 8 ++++----
code-scanning/properties/pmd.properties.json | 12 ++++++------
code-scanning/properties/semgrep.properties.json | 2 +-
code-scanning/properties/sobelow.properties.json | 1 -
code-scanning/properties/sonarcloud.properties.json | 2 +-
8 files changed, 20 insertions(+), 21 deletions(-)
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 76c82c2..2bb90ed 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -1,7 +1,7 @@
name: Lint
on:
- pull_request:
+ pull_request_target:
branches:
- main
diff --git a/code-scanning/checkmarx-one.yml b/code-scanning/checkmarx-one.yml
index d85c0c5..6214ab1 100644
--- a/code-scanning/checkmarx-one.yml
+++ b/code-scanning/checkmarx-one.yml
@@ -3,12 +3,12 @@
# separate terms of service, privacy policy, and support
# documentation.
-# The Checkmarx One GitHub Action enables you to trigger SAST, SCA, and KICS scans directly from the GitHub workflow.
-# It provides a wrapper around the Checkmarx One CLI Tool which creates a zip archive from your source code repository
-# and uploads it to Checkmarx One for scanning. The Github Action provides easy integration with GitHub while enabling
+# The Checkmarx One GitHub Action enables you to trigger SAST, SCA, and KICS scans directly from the GitHub workflow.
+# It provides a wrapper around the Checkmarx One CLI Tool which creates a zip archive from your source code repository
+# and uploads it to Checkmarx One for scanning. The Github Action provides easy integration with GitHub while enabling
# scan customization using the full functionality and flexibility of the CLI tool.
-# This is a basic workflow to help you get started with Using Checkmarx One Action,
+# This is a basic workflow to help you get started with Using Checkmarx One Action,
# documentation can be found here : https://checkmarx.com/resource/documents/en/34965-68702-checkmarx-one-github-actions.html
name: Checkmarx Scan
@@ -30,7 +30,7 @@ jobs:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif
-
+
# The type of runner that the job will run on
runs-on: ubuntu-latest
@@ -39,7 +39,7 @@ jobs:
# This step checks out a copy of your repository.
- name: Checkout repository
uses: actions/checkout@v3
- # This step creates the Checkmarx One scan
+ # This step creates the Checkmarx One scan
- name: Checkmarx One scan
uses: checkmarx/ast-github-action@8e887bb93dacc44e0f5b64ee2b06d5815f89d4fc
with:
diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json
index c195c73..f76aacd 100644
--- a/code-scanning/properties/dependency-review.properties.json
+++ b/code-scanning/properties/dependency-review.properties.json
@@ -13,4 +13,4 @@
"Ruby",
"Actions",
"PHP"]
-}
+}
diff --git a/code-scanning/properties/mobsf.properties.json b/code-scanning/properties/mobsf.properties.json
index a6afbfa..fb5d65b 100644
--- a/code-scanning/properties/mobsf.properties.json
+++ b/code-scanning/properties/mobsf.properties.json
@@ -4,10 +4,10 @@
"description": "Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.",
"iconName": "mobsf",
"categories": [
- "Code Scanning",
- "Java",
- "Swift",
- "Objective-C",
+ "Code Scanning",
+ "Java",
+ "Swift",
+ "Objective-C",
"Kotlin"
]
}
\ No newline at end of file
diff --git a/code-scanning/properties/pmd.properties.json b/code-scanning/properties/pmd.properties.json
index b96ecb7..7b79709 100644
--- a/code-scanning/properties/pmd.properties.json
+++ b/code-scanning/properties/pmd.properties.json
@@ -4,12 +4,12 @@
"description": "PMD is a static source code analyzer. It supports Java, JavaScript, Apex and Visualforce, Modelica, PLSQL, Apache Velocity, XML, XSL, Scala.",
"iconName": "pmd",
"categories": [
- "Code Scanning",
- "Java",
- "JavaScript",
- "Apex",
- "Modelica",
- "PLSQL",
+ "Code Scanning",
+ "Java",
+ "JavaScript",
+ "Apex",
+ "Modelica",
+ "PLSQL",
"Apache Velocity",
"XML",
"XSl",
diff --git a/code-scanning/properties/semgrep.properties.json b/code-scanning/properties/semgrep.properties.json
index 5f74ed5..c694b38 100644
--- a/code-scanning/properties/semgrep.properties.json
+++ b/code-scanning/properties/semgrep.properties.json
@@ -4,4 +4,4 @@
"description": "Continuously run Semgrep to find bugs and enforce secure code standards. Start with 1k+ community rules or write your own in a few minutes.",
"iconName": "semgrep",
"categories": ["Code Scanning", "Go", "Java", "JavaScript", "JSON", "Python", "Ruby", "TypeScript", "JSX", "TSX"]
-}
\ No newline at end of file
+}
\ No newline at end of file
diff --git a/code-scanning/properties/sobelow.properties.json b/code-scanning/properties/sobelow.properties.json
index 163e866..960ac8a 100644
--- a/code-scanning/properties/sobelow.properties.json
+++ b/code-scanning/properties/sobelow.properties.json
@@ -8,4 +8,3 @@
"Elixir"
]
}
-
\ No newline at end of file
diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json
index 9b88a78..0f4e151 100644
--- a/code-scanning/properties/sonarcloud.properties.json
+++ b/code-scanning/properties/sonarcloud.properties.json
@@ -3,5 +3,5 @@
"creator": "Sonar",
"description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start cleaning your code in minutes!",
"iconName": "sonarcloud",
- "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"]
+ "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"]
}
From 6adaff50c1b390ca04c9c668f07e996dee1a25ac Mon Sep 17 00:00:00 2001
From: Sampark Sharma
Date: Wed, 30 Nov 2022 10:26:21 +0000
Subject: [PATCH 21/43] Fix no newline at EOF
---
code-scanning/properties/semgrep.properties.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/properties/semgrep.properties.json b/code-scanning/properties/semgrep.properties.json
index c694b38..f1fffe3 100644
--- a/code-scanning/properties/semgrep.properties.json
+++ b/code-scanning/properties/semgrep.properties.json
@@ -4,4 +4,4 @@
"description": "Continuously run Semgrep to find bugs and enforce secure code standards. Start with 1k+ community rules or write your own in a few minutes.",
"iconName": "semgrep",
"categories": ["Code Scanning", "Go", "Java", "JavaScript", "JSON", "Python", "Ruby", "TypeScript", "JSX", "TSX"]
-}
\ No newline at end of file
+}
From f53db96ce1ca57bf1214bda95a59f2a7ec45d8b8 Mon Sep 17 00:00:00 2001
From: Sampark Sharma
Date: Wed, 30 Nov 2022 11:04:14 +0000
Subject: [PATCH 22/43] Add supported tech stack list
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 7ff406f..fc1bd90 100644
--- a/README.md
+++ b/README.md
@@ -29,7 +29,7 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`.
* `description`: the description shown in onboarding
* `iconName`: the icon name in the relevant folder, for example, `django` should have an icon `icons/django.svg`. Only SVG is supported at this time. Another option is to use [octicon](https://primer.style/octicons/). The format to use an octicon is `octicon <>`. Example: `octicon person`
* `creator`: creator of the template shown in onboarding. All the workflow templates from an author will have the same `creator` field.
-* `categories`: the categories that it will be shown under. Choose at least one category from the list [here](#categories). Further, choose the categories from the list of languages available [here](https://github.com/github/linguist/blob/master/lib/linguist/languages.yml). When a user views the available templates, those templates that match the same language will feature more prominently.
+* `categories`: the categories that it will be shown under. Choose at least one category from the list [here](#categories). Further, choose the categories from the list of languages available [here](https://github.com/github/linguist/blob/master/lib/linguist/languages.yml) and the list of tech stacks available [here](https://github.com/github-starter-workflows/repo-analysis-partner/blob/main/tech_stacks.yml). When a user views the available templates, those templates that match the same language will feature more prominently.
### Categories
* continuous-integration
From 4f469603129f59fefca0072e32a2eed15002fe4c Mon Sep 17 00:00:00 2001
From: Sampark Sharma
Date: Thu, 1 Dec 2022 06:55:46 +0000
Subject: [PATCH 23/43] Add instructions to test templates
---
README.md | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/README.md b/README.md
index 7ff406f..1048694 100644
--- a/README.md
+++ b/README.md
@@ -50,3 +50,23 @@ These variables can be placed in the starter workflow and will be substituted as
* `$default-branch`: will substitute the branch from the repository, for example `main` and `master`
* `$protected-branches`: will substitute any protected branches from the repository
* `$cron-daily`: will substitute a valid but random time within the day
+
+## How to test templates before publishing
+
+### Disable template for public
+The author should add a `labels` array in the `properties.json` file with a label `preview`. This would hide the template from GitHub UX.
+Example `properties.json` file:
+```json
+{
+ "name": "Node.js",
+ "description": "Build and test a Node.js project with npm.",
+ "iconName": "nodejs",
+ "categories": ["Continuous integration", "JavaScript", "npm", "React", "Angular", "Vue"],
+ "labels": ["preview"]
+}
+```
+
+Then to view the template in the `actions/new` page add a URL query parameter `preview=true` and it should be visible.
+
+### Enable template for public
+Remove the `labels` array from `properties.json` file to publish the template to public
From bd3d623e07d9ec600ba22e97a047b9afb91075f9 Mon Sep 17 00:00:00 2001
From: Sampark Sharma
Date: Thu, 1 Dec 2022 13:06:55 +0530
Subject: [PATCH 24/43] Apply suggestions from code review
Co-authored-by: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com>
---
README.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 1048694..e455e13 100644
--- a/README.md
+++ b/README.md
@@ -54,7 +54,7 @@ These variables can be placed in the starter workflow and will be substituted as
## How to test templates before publishing
### Disable template for public
-The author should add a `labels` array in the `properties.json` file with a label `preview`. This would hide the template from GitHub UX.
+The template author adds a `labels` array in the template's `properties.json` file with a label `preview`. This will hide the template from users, unless user uses query parameter `preview=true` in the URL.
Example `properties.json` file:
```json
{
@@ -66,7 +66,7 @@ Example `properties.json` file:
}
```
-Then to view the template in the `actions/new` page add a URL query parameter `preview=true` and it should be visible.
+For viewing the templates with `preview` label, provide query parameter `preview=true` to the `new workflow` page URL. Eg. `https://github.com///actions/new?preview=true`.
### Enable template for public
Remove the `labels` array from `properties.json` file to publish the template to public
From db5c5c4b5e88807a37600118dc80be71301ba48b Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 1 Dec 2022 17:08:17 +0100
Subject: [PATCH 25/43] Apply suggestions from code review
Co-authored-by: Sampark Sharma
---
code-scanning/sonarqube.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/code-scanning/sonarqube.yml b/code-scanning/sonarqube.yml
index 23f79da..68585a9 100644
--- a/code-scanning/sonarqube.yml
+++ b/code-scanning/sonarqube.yml
@@ -41,7 +41,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - name: Analyze with SonarQube
+ - name: Analyze with SonarQube
# You can pin the exact commit or the version.
# uses: SonarSource/sonarqube-scan-action@v1.1.0
@@ -52,7 +52,7 @@ jobs:
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # add the URL of your instance to the secrets of this repo with the name SONAR_HOST_URL (Settings > Secrets > Actions > add new repository secret)
with:
# Additional arguments for the sonarcloud scanner
- args:
+ args:
# Unique key of your project. You can find it in SonarQube > [my project] > Project Information (top-right menu)
# mandatory
-Dsonar.projectKey=
@@ -63,4 +63,4 @@ jobs:
# Comma-separated paths to directories containing test source files.
#-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
# Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
- #-Dsonar.verbose= # optional, default is false
+ #-Dsonar.verbose= # optional, default is false
From 0cd0541922d9efdce53b33f9c49b01d6cd6ca54b Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 1 Dec 2022 17:13:18 +0100
Subject: [PATCH 26/43] added SHA to action definition
---
code-scanning/sonarqube.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/sonarqube.yml b/code-scanning/sonarqube.yml
index 68585a9..f01b9dc 100644
--- a/code-scanning/sonarqube.yml
+++ b/code-scanning/sonarqube.yml
@@ -45,7 +45,7 @@ jobs:
# You can pin the exact commit or the version.
# uses: SonarSource/sonarqube-scan-action@v1.1.0
- uses: SonarSource/sonarqube-scan-action@v1.1.0
+ uses: SonarSource/sonarqube-scan-action@7295e71c9583053f5bf40e9d4068a0c974603ec8
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on SonarQube, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
From 3408b65a7132d3f0ffa75a4e7a42aa2849f04a1d Mon Sep 17 00:00:00 2001
From: "Y. Meyer-Norwood" <106889957+norwd@users.noreply.github.com>
Date: Thu, 8 Dec 2022 14:38:34 +1300
Subject: [PATCH 27/43] Update Go version to 1.19
Go 1.18 will be at end of life sometime within the coming months (Q1 2023). Go 1.19 will be around until Q3 2023, by which point 1.20 will have been released.
---
ci/go.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ci/go.yml b/ci/go.yml
index 4d95674..e89f6c9 100644
--- a/ci/go.yml
+++ b/ci/go.yml
@@ -19,7 +19,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v3
with:
- go-version: 1.18
+ go-version: 1.19
- name: Build
run: go build -v ./...
From 7a584505f5655db11a8c6f01d1913bc7ab3b0a50 Mon Sep 17 00:00:00 2001
From: "Y. Meyer-Norwood" <106889957+norwd@users.noreply.github.com>
Date: Thu, 8 Dec 2022 14:41:48 +1300
Subject: [PATCH 28/43] Fixed misspelling of "privileged"
---
.github/pull_request_template.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 0a98861..05cb4b1 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -26,7 +26,7 @@ It is not:
- [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests").
- [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build").
- [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification.
-- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully.
+- [ ] Should specify least privileged [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully.
**For _CI_ workflows, the workflow:**
From fe2a38622547802426adddc16f8a700ac2ed0edc Mon Sep 17 00:00:00 2001
From: Sampark Sharma
Date: Thu, 8 Dec 2022 11:35:13 +0530
Subject: [PATCH 29/43] Update README.md
Co-authored-by: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com>
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index fc1bd90..cc272b5 100644
--- a/README.md
+++ b/README.md
@@ -29,7 +29,7 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`.
* `description`: the description shown in onboarding
* `iconName`: the icon name in the relevant folder, for example, `django` should have an icon `icons/django.svg`. Only SVG is supported at this time. Another option is to use [octicon](https://primer.style/octicons/). The format to use an octicon is `octicon <>`. Example: `octicon person`
* `creator`: creator of the template shown in onboarding. All the workflow templates from an author will have the same `creator` field.
-* `categories`: the categories that it will be shown under. Choose at least one category from the list [here](#categories). Further, choose the categories from the list of languages available [here](https://github.com/github/linguist/blob/master/lib/linguist/languages.yml) and the list of tech stacks available [here](https://github.com/github-starter-workflows/repo-analysis-partner/blob/main/tech_stacks.yml). When a user views the available templates, those templates that match the same language will feature more prominently.
+* `categories`: the categories that it will be shown under. Choose at least one category from the list [here](#categories). Further, choose the categories from the list of languages available [here](https://github.com/github/linguist/blob/master/lib/linguist/languages.yml) and the list of tech stacks available [here](https://github.com/github-starter-workflows/repo-analysis-partner/blob/main/tech_stacks.yml). When a user views the available templates, those templates that match the language and tech stacks will feature more prominently.
### Categories
* continuous-integration
From 1899cb68914da2e7df727fdabfc8f4277c76463d Mon Sep 17 00:00:00 2001
From: Sampark Sharma
Date: Thu, 8 Dec 2022 06:10:22 +0000
Subject: [PATCH 30/43] Fix whitespaces
---
code-scanning/properties/sonarqube.properties.json | 2 +-
code-scanning/sonarqube.yml | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/code-scanning/properties/sonarqube.properties.json b/code-scanning/properties/sonarqube.properties.json
index 9912c51..009602b 100644
--- a/code-scanning/properties/sonarqube.properties.json
+++ b/code-scanning/properties/sonarqube.properties.json
@@ -3,5 +3,5 @@
"creator": "Sonar",
"description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start cleaning your code in minutes!",
"iconName": "sonarqube",
- "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"]
+ "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"]
}
diff --git a/code-scanning/sonarqube.yml b/code-scanning/sonarqube.yml
index f01b9dc..220e43a 100644
--- a/code-scanning/sonarqube.yml
+++ b/code-scanning/sonarqube.yml
@@ -3,7 +3,7 @@
# separate terms of service, privacy policy, and support
# documentation.
-# This workflow helps you trigger a SonarQube analysis of your code and populates
+# This workflow helps you trigger a SonarQube analysis of your code and populates
# GitHub Code Scanning alerts with the vulnerabilities found.
# (this feature is available starting from SonarQube 9.7, Developer Edition and above)
@@ -11,7 +11,7 @@
# 2. Import your project on SonarQube
# * Add your repository as a new project by clicking "Create project" from your homepage.
-#
+#
# 3. Select GitHub Actions as your CI and follow the tutorial
# * a. Generate a new token and add it to your GitHub repository's secrets using the name SONAR_TOKEN
# (On SonarQube, click on your avatar on top-right > My account > Security or ask your administrator)
@@ -39,7 +39,7 @@ permissions:
jobs:
Analysis:
runs-on: ubuntu-latest
-
+
steps:
- name: Analyze with SonarQube
From 384d799f2c7135d7c1a8c2de7c45c7b829b37c84 Mon Sep 17 00:00:00 2001
From: hadar-co
Date: Wed, 23 Nov 2022 16:19:36 +0200
Subject: [PATCH 31/43] add Datree
---
code-scanning/datree.yml | 44 +++++++++++++++++++
.../properties/datree.properties.json | 7 +++
icons/datree.svg | 1 +
3 files changed, 52 insertions(+)
create mode 100644 code-scanning/datree.yml
create mode 100644 code-scanning/properties/datree.properties.json
create mode 100644 icons/datree.svg
diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml
new file mode 100644
index 0000000..682ab5d
--- /dev/null
+++ b/code-scanning/datree.yml
@@ -0,0 +1,44 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# A sample workflow which checks out your code and scans your desired k8s config files for misconfigurations using the Datree CLI.
+# The results are then uploaded to GitHub Security Code Scanning.
+#
+# For more information and configurations options, see https://github.com/datreeio/action-datree/
+
+name: Datree
+
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ main ]
+
+jobs:
+ datree:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Run Datree policy check
+ continue-on-error: true
+ uses: hadar-co/action-datree@main
+ env:
+ # In order to use the Datree action you will need to have a Datree token.
+ # See https://hub.datree.io/setup/account-token#1-get-your-account-token-from-the-dashboard to acquire your token.
+ DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }}
+ with:
+ # Add the path to the configuration file/s that you would like to test.
+ # See https://github.com/datreeio/action-datree#usage for all available options.
+ path: test-file.yaml
+ # Setting a SARIF output will generate a file named "datree.sarif" containing your test results
+ cliArguments: "-o sarif"
+ - name: Upload result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: datree.sarif
\ No newline at end of file
diff --git a/code-scanning/properties/datree.properties.json b/code-scanning/properties/datree.properties.json
new file mode 100644
index 0000000..99e07a5
--- /dev/null
+++ b/code-scanning/properties/datree.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Datree",
+ "creator": "Datree",
+ "description": "Detect misconfigurations in your Kubernetes manifests and present them in Github code scanning",
+ "iconName": "datree",
+ "categories": ["Code Scanning", "YAML"]
+}
\ No newline at end of file
diff --git a/icons/datree.svg b/icons/datree.svg
new file mode 100644
index 0000000..ca986c6
--- /dev/null
+++ b/icons/datree.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
From b79ff384b92634dae9948e7acda99c752827710a Mon Sep 17 00:00:00 2001
From: hadar-co
Date: Wed, 23 Nov 2022 16:37:43 +0200
Subject: [PATCH 32/43] add Datree
---
code-scanning/datree.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml
index 682ab5d..df301c7 100644
--- a/code-scanning/datree.yml
+++ b/code-scanning/datree.yml
@@ -12,10 +12,10 @@ name: Datree
on:
push:
- branches: [ main ]
+ branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
- branches: [ main ]
+ branches: [ $default-branch ]
jobs:
datree:
From 2fe9028318a16ee399cbb6fc832b30e3486f93b6 Mon Sep 17 00:00:00 2001
From: hadar-co
Date: Wed, 7 Dec 2022 16:23:25 +0200
Subject: [PATCH 33/43] fix workflow
---
code-scanning/datree.yml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml
index df301c7..44afd69 100644
--- a/code-scanning/datree.yml
+++ b/code-scanning/datree.yml
@@ -17,6 +17,9 @@ on:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
datree:
permissions:
@@ -27,7 +30,7 @@ jobs:
- uses: actions/checkout@v3
- name: Run Datree policy check
continue-on-error: true
- uses: hadar-co/action-datree@main
+ uses: datreeio/action-datree@de67ae7a5133d719dc794e1b75682cd4c5f94d8a
env:
# In order to use the Datree action you will need to have a Datree token.
# See https://hub.datree.io/setup/account-token#1-get-your-account-token-from-the-dashboard to acquire your token.
@@ -41,4 +44,4 @@ jobs:
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
- sarif_file: datree.sarif
\ No newline at end of file
+ sarif_file: datree.sarif
From eaef38b7d53821181be4769ca49cd73b29a1dc95 Mon Sep 17 00:00:00 2001
From: hadar-co
Date: Wed, 7 Dec 2022 16:24:28 +0200
Subject: [PATCH 34/43] fix workflow
---
code-scanning/properties/datree.properties.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/properties/datree.properties.json b/code-scanning/properties/datree.properties.json
index 99e07a5..b7c695c 100644
--- a/code-scanning/properties/datree.properties.json
+++ b/code-scanning/properties/datree.properties.json
@@ -4,4 +4,4 @@
"description": "Detect misconfigurations in your Kubernetes manifests and present them in Github code scanning",
"iconName": "datree",
"categories": ["Code Scanning", "YAML"]
-}
\ No newline at end of file
+}
From bf83018c61c4c637421536d74854c789df696c20 Mon Sep 17 00:00:00 2001
From: hadar-co
Date: Thu, 8 Dec 2022 09:57:36 +0200
Subject: [PATCH 35/43] Update code-scanning/datree.yml
Co-authored-by: Sampark Sharma
---
code-scanning/datree.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml
index 44afd69..2e44682 100644
--- a/code-scanning/datree.yml
+++ b/code-scanning/datree.yml
@@ -34,7 +34,7 @@ jobs:
env:
# In order to use the Datree action you will need to have a Datree token.
# See https://hub.datree.io/setup/account-token#1-get-your-account-token-from-the-dashboard to acquire your token.
- DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }}
+ DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }}
with:
# Add the path to the configuration file/s that you would like to test.
# See https://github.com/datreeio/action-datree#usage for all available options.
From 9e27144d52a9ebe6f2660accc372e55385044204 Mon Sep 17 00:00:00 2001
From: Florin Coada
Date: Fri, 9 Dec 2022 15:35:44 +0000
Subject: [PATCH 36/43] Add explanation on which value to use to scan Kotlin
and TypeScript
Added comments explaining which values should be used if the user would like to scan Kotlin or TypeScript.
---
code-scanning/codeql.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml
index 3f0ecfb..002e424 100644
--- a/code-scanning/codeql.yml
+++ b/code-scanning/codeql.yml
@@ -34,6 +34,8 @@ jobs:
matrix:
language: [ $detected-codeql-languages ]
# CodeQL supports [ $supported-codeql-languages ]
+ # Use only 'java' to analyze code written in Java, Kotlin or both
+ # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
steps:
From 5f790e392edb9bda28c53cb73e24c08e22aac844 Mon Sep 17 00:00:00 2001
From: SOOS-JAlvarez
Date: Mon, 12 Dec 2022 16:44:33 -0300
Subject: [PATCH 37/43] update soos dast to latest version
---
code-scanning/soos-dast-scan.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml
index 95dfd67..6a5a047 100644
--- a/code-scanning/soos-dast-scan.yml
+++ b/code-scanning/soos-dast-scan.yml
@@ -34,7 +34,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Run SOOS DAST Scan
- uses: soos-io/soos-dast-github-action@093de8c09530d4b96f12322adeb74444def866db # Use latest version from https://github.com/marketplace/actions/soos-dast
+ uses: soos-io/soos-dast-github-action@3e71b27756f4ed77d7ad3c0ad92afddb47a40e4d # Use latest version from https://github.com/marketplace/actions/soos-dast
with:
client_id: ${{ secrets.SOOS_CLIENT_ID }}
api_key: ${{ secrets.SOOS_API_KEY }}
From 89d867e0d8e0e6a099005135a107deee089c5a32 Mon Sep 17 00:00:00 2001
From: Simon Engledew
Date: Tue, 13 Dec 2022 10:30:16 +0000
Subject: [PATCH 38/43] Fix code-scanning filtering for relative paths
---
script/sync-ghes/index.ts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts
index a320d36..f53d220 100755
--- a/script/sync-ghes/index.ts
+++ b/script/sync-ghes/index.ts
@@ -61,7 +61,7 @@ async function checkWorkflows(
const enabled =
!isPartnerWorkflow &&
- (workflowProperties.enterprise === true || folder !== 'code-scanning') &&
+ (workflowProperties.enterprise === true || basename(folder) !== 'code-scanning') &&
(await checkWorkflow(workflowFilePath, enabledActions));
const workflowDesc: WorkflowDesc = {
From 1006a379d3e0ef603884037fa614bb831b9387f6 Mon Sep 17 00:00:00 2001
From: SOOS-JAlvarez
Date: Tue, 13 Dec 2022 08:40:14 -0300
Subject: [PATCH 39/43] linter
---
code-scanning/soos-dast-scan.yml | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml
index 9b4f470..99b9027 100644
--- a/code-scanning/soos-dast-scan.yml
+++ b/code-scanning/soos-dast-scan.yml
@@ -45,6 +45,4 @@ jobs:
- name: Upload SOOS DAST SARIF Report
uses: github/codeql-action/upload-sarif@v2
with:
- sarif_file: results.sarif
-
-
+ sarif_file: results.sarif
\ No newline at end of file
From a2fbfc40767ff866fed3e15b2123cf514445cf24 Mon Sep 17 00:00:00 2001
From: Sampark Sharma
Date: Tue, 13 Dec 2022 17:58:04 +0530
Subject: [PATCH 40/43] Update lint.yaml
---
.github/workflows/lint.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 2bb90ed..a76800c 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -1,7 +1,7 @@
name: Lint
on:
- pull_request_target:
+ pull_request:
branches:
- main
@@ -28,4 +28,4 @@ jobs:
run: pip3 install pre-commit
- name: Run pre-commit
- run: pre-commit run --all-files --show-diff-on-failure --color always
\ No newline at end of file
+ run: pre-commit run --all-files --show-diff-on-failure --color always
From ef331a6ad4a8dcd60a1eb62f2e7ebc150d967e91 Mon Sep 17 00:00:00 2001
From: Sampark Sharma
Date: Tue, 13 Dec 2022 18:02:56 +0530
Subject: [PATCH 41/43] Update lint.yaml
---
.github/workflows/lint.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index a76800c..737e69c 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -1,7 +1,7 @@
name: Lint
on:
- pull_request:
+ pull_request_target:
branches:
- main
From 95cee2a6f2019101ee71a6b954d2feb092acef0d Mon Sep 17 00:00:00 2001
From: Chris Gavin
Date: Wed, 14 Dec 2022 12:23:14 +0000
Subject: [PATCH 42/43] Add Kotlin to CodeQL supported languages.
---
code-scanning/properties/codeql.properties.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json
index 8ee80b4..f5e78bf 100644
--- a/code-scanning/properties/codeql.properties.json
+++ b/code-scanning/properties/codeql.properties.json
@@ -2,7 +2,7 @@
"name": "CodeQL Analysis",
"creator": "GitHub",
"enterprise": true,
- "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.",
+ "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, Ruby and Kotlin developers.",
"iconName": "octicon mark-github",
- "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"]
+ "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby", "Kotlin"]
}
From 50c4e6f5a82cc11652504253929532f8db08f684 Mon Sep 17 00:00:00 2001
From: Joe Mooring
Date: Mon, 12 Dec 2022 13:58:51 -0800
Subject: [PATCH 43/43] Fix and improve Hugo starter action
Closes #1854
---
pages/hugo.yml | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/pages/hugo.yml b/pages/hugo.yml
index f273fb2..05a5b50 100644
--- a/pages/hugo.yml
+++ b/pages/hugo.yml
@@ -30,12 +30,14 @@ jobs:
build:
runs-on: ubuntu-latest
env:
- HUGO_VERSION: 0.102.3
+ HUGO_VERSION: 0.108.0
steps:
- name: Install Hugo CLI
run: |
- wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_Linux-64bit.deb \
+ wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb \
&& sudo dpkg -i ${{ runner.temp }}/hugo.deb
+ - name: Install Dart Sass Embedded
+ run: sudo snap install dart-sass-embedded
- name: Checkout
uses: actions/checkout@v3
with:
@@ -43,6 +45,8 @@ jobs:
- name: Setup Pages
id: pages
uses: actions/configure-pages@v2
+ - name: Install Node.js dependencies
+ run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true"
- name: Build with Hugo
env:
# For maximum backward compatibility with Hugo modules