diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 9b6c10f..0a98861 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -41,7 +41,7 @@ It is not:
- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/code-scanning).
- [ ] Should include a matching `code-scanning/properties/*.properties.json` file (for example, [`code-scanning/properties/codeql.properties.json`](https://github.com/actions/starter-workflows/blob/main/code-scanning/properties/codeql.properties.json)), with properties set as follows:
- [ ] `name`: Name of the Code Scanning integration.
- - [ ] `organization`: Name of the organization producing the Code Scanning integration.
+ - [ ] `creator`: Name of the organization/user producing the Code Scanning integration.
- [ ] `description`: Short description of the Code Scanning integration.
- [ ] `categories`: Array of languages supported by the Code Scanning integration.
- [ ] `iconName`: Name of the SVG logo representing the Code Scanning integration. This SVG logo must be present in [the `icons` directory](https://github.com/actions/starter-workflows/tree/main/icons).
diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml
index 0cb9345..98f071a 100644
--- a/.github/workflows/auto-assign-issues.yml
+++ b/.github/workflows/auto-assign-issues.yml
@@ -9,7 +9,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Auto-assign issue'
- uses: pozil/auto-assign-issue@v1.10.0
+ uses: pozil/auto-assign-issue@v1.10.1
with:
assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft
numOfAssignee: 1
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index c319ce1..002f30d 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -13,7 +13,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/stale@v5
+ - uses: actions/stale@v6
with:
stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.'
stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.'
diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml
index aba7780..ddd0484 100644
--- a/.github/workflows/sync-ghes.yaml
+++ b/.github/workflows/sync-ghes.yaml
@@ -2,8 +2,7 @@ name: Sync workflows for GHES
on:
push:
- branches:
- - main
+ branches: [ main ]
jobs:
sync:
diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml
index e88539d..11dd662 100644
--- a/ci/docker-publish.yml
+++ b/ci/docker-publish.yml
@@ -41,9 +41,9 @@ jobs:
# https://github.com/sigstore/cosign-installer
- name: Install cosign
if: github.event_name != 'pull_request'
- uses: sigstore/cosign-installer@7e0881f8fe90b25e305bbf0309761e9314607e25
+ uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0
with:
- cosign-release: 'v1.9.0'
+ cosign-release: 'v1.11.0'
# Workaround: https://github.com/docker/build-push-action/issues/461
@@ -78,6 +78,9 @@ jobs:
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
# Sign the resulting Docker image digest except on PRs.
# This will only write to the public Rekor transparency log when the Docker
diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml
index bd2cb2e..fd82a39 100644
--- a/ci/dotnet-desktop.yml
+++ b/ci/dotnet-desktop.yml
@@ -69,7 +69,7 @@ jobs:
# Install the .NET Core workload
- name: Install .NET Core
- uses: actions/setup-dotnet@v2
+ uses: actions/setup-dotnet@v3
with:
dotnet-version: 6.0.x
diff --git a/ci/dotnet.yml b/ci/dotnet.yml
index a8eccab..7465e23 100644
--- a/ci/dotnet.yml
+++ b/ci/dotnet.yml
@@ -14,7 +14,7 @@ jobs:
steps:
- uses: actions/checkout@v3
- name: Setup .NET
- uses: actions/setup-dotnet@v2
+ uses: actions/setup-dotnet@v3
with:
dotnet-version: 6.0.x
- name: Restore dependencies
diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml
new file mode 100644
index 0000000..a249449
--- /dev/null
+++ b/ci/generator-generic-ossf-slsa3-publish.yml
@@ -0,0 +1,68 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow lets you generate SLSA provenance file for your project.
+# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements
+# The project is an initiative of the OpenSSF (openssf.org) and is developed at
+# https://github.com/slsa-framework/slsa-github-generator.
+# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
+# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
+
+name: SLSA generic generator
+on:
+ workflow_dispatch:
+ release:
+ types: [created]
+
+permissions: read-all
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ outputs:
+ digests: ${{ steps.hash.outputs.digests }}
+
+ steps:
+ - uses: actions/checkout@v3
+
+ # ========================================================
+ #
+ # Step 1: Build your artifacts.
+ #
+ # ========================================================
+ - name: Build artifacts
+ run: |
+ # These are some amazing artifacts.
+ echo "artifact1" > artifact1
+ echo "artifact2" > artifact2
+
+ # ========================================================
+ #
+ # Step 2: Add a step to generate the provenance subjects
+ # as shown below. Update the sha256 sum arguments
+ # to include all binaries that you generate
+ # provenance for.
+ #
+ # ========================================================
+ - name: Generate subject
+ id: hash
+ run: |
+ set -euo pipefail
+
+ # List the artifacts the provenance will refer to.
+ files=$(ls artifact*)
+ # Generate the subjects (base64 encoded).
+ echo "::set-output name=digests::$(sha256sum $files | base64 -w0)"
+
+ provenance:
+ needs: [build]
+ permissions:
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write # To add assets to a release.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
+ with:
+ base64-subjects: "${{ needs.build.outputs.digests }}"
+ upload-assets: true # Optional: Upload to a new release
diff --git a/ci/jekyll.yml b/ci/jekyll-docker.yml
similarity index 100%
rename from ci/jekyll.yml
rename to ci/jekyll-docker.yml
diff --git a/ci/node.js.yml b/ci/node.js.yml
index 87ef0d8..a89108d 100644
--- a/ci/node.js.yml
+++ b/ci/node.js.yml
@@ -16,7 +16,7 @@ jobs:
strategy:
matrix:
- node-version: [12.x, 14.x, 16.x]
+ node-version: [14.x, 16.x, 18.x]
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/
steps:
diff --git a/ci/npm-grunt.yml b/ci/npm-grunt.yml
index eda97e1..e39ddbf 100644
--- a/ci/npm-grunt.yml
+++ b/ci/npm-grunt.yml
@@ -12,7 +12,7 @@ jobs:
strategy:
matrix:
- node-version: [12.x, 14.x, 16.x]
+ node-version: [14.x, 16.x, 18.x]
steps:
- uses: actions/checkout@v3
diff --git a/ci/npm-gulp.yml b/ci/npm-gulp.yml
index 504f22e..7606dea 100644
--- a/ci/npm-gulp.yml
+++ b/ci/npm-gulp.yml
@@ -12,7 +12,7 @@ jobs:
strategy:
matrix:
- node-version: [12.x, 14.x, 16.x]
+ node-version: [14.x, 16.x, 18.x]
steps:
- uses: actions/checkout@v3
diff --git a/ci/properties/generator-generic-ossf-slsa3-publish.properties.json b/ci/properties/generator-generic-ossf-slsa3-publish.properties.json
new file mode 100644
index 0000000..32cf63d
--- /dev/null
+++ b/ci/properties/generator-generic-ossf-slsa3-publish.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "SLSA Generic generator",
+ "creator": "Open Source Security Foundation (OpenSSF)",
+ "description": "Generate SLSA3 provenance for your existing release workflows",
+ "iconName": "generator-generic-ossf-slsa3-publish",
+ "categories": ["Continuous integration", "Go", "Elixir", "Erlang", "PHP", "Haskell", "Rust", "Java", "Scala", "Gradle", "Maven", "Python", "C", "C++", "TypeScript", "JavaScript", "npm", "Ruby", "HTML", "Composer", "Makefile", "Ada"]
+}
diff --git a/ci/properties/jekyll.properties.json b/ci/properties/jekyll-docker.properties.json
similarity index 100%
rename from ci/properties/jekyll.properties.json
rename to ci/properties/jekyll-docker.properties.json
diff --git a/ci/webpack.yml b/ci/webpack.yml
index 6449fe7..0bc6406 100644
--- a/ci/webpack.yml
+++ b/ci/webpack.yml
@@ -12,7 +12,7 @@ jobs:
strategy:
matrix:
- node-version: [12.x, 14.x, 16.x]
+ node-version: [14.x, 16.x, 18.x]
steps:
- uses: actions/checkout@v3
diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml
index a3d2eed..818fb70 100644
--- a/code-scanning/anchore.yml
+++ b/code-scanning/anchore.yml
@@ -9,7 +9,7 @@
# and parameters, see https://github.com/anchore/scan-action. For more
# information on Anchore's container image scanning tool Grype, see
# https://github.com/anchore/grype
-name: Anchore Container Scan
+name: Anchore Grype vulnerability scan
on:
push:
@@ -28,20 +28,21 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- - name: Checkout the code
+ - name: Check out the code
uses: actions/checkout@v3
- name: Build the Docker image
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
- - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
- uses: anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd
+ - name: Run the Anchore Grype scan action
+ uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7
+ id: scan
with:
image: "localbuild/testimage:latest"
- acs-report-enable: true
- fail-build: false
- - name: Upload Anchore Scan Report
+ fail-build: true
+ severity-cutoff: critical
+ - name: Upload vulnerability report
uses: github/codeql-action/upload-sarif@v2
with:
- sarif_file: results.sarif
+ sarif_file: ${{ steps.scan.outputs.sarif }}
diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml
index 4bd22d8..209e882 100644
--- a/code-scanning/apisec-scan.yml
+++ b/code-scanning/apisec-scan.yml
@@ -50,6 +50,7 @@ jobs:
Trigger_APIsec_scan:
permissions:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml
index b04cabf..957343c 100644
--- a/code-scanning/brakeman.yml
+++ b/code-scanning/brakeman.yml
@@ -25,6 +25,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Brakeman Scan
runs-on: ubuntu-latest
steps:
diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml
index e060654..9bdb136 100644
--- a/code-scanning/checkmarx.yml
+++ b/code-scanning/checkmarx.yml
@@ -29,6 +29,7 @@ jobs:
issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues
pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
# Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional)
diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml
index 3cfde14..4487e23 100644
--- a/code-scanning/clj-holmes.yml
+++ b/code-scanning/clj-holmes.yml
@@ -24,6 +24,7 @@ jobs:
permissions:
contents: read
security-events: write
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v2
diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml
index 2e4ab3c..76903a9 100644
--- a/code-scanning/clj-watson.yml
+++ b/code-scanning/clj-watson.yml
@@ -29,6 +29,7 @@ jobs:
permissions:
contents: read
security-events: write
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v2
diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml
index b74e449..7b705bd 100644
--- a/code-scanning/codacy.yml
+++ b/code-scanning/codacy.yml
@@ -30,6 +30,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Codacy Security Scan
runs-on: ubuntu-latest
steps:
diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml
index a113b59..00ffcdb 100644
--- a/code-scanning/codeql.yml
+++ b/code-scanning/codeql.yml
@@ -70,3 +70,5 @@ jobs:
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml
index 92707b1..a9f1053 100644
--- a/code-scanning/codescan.yml
+++ b/code-scanning/codescan.yml
@@ -25,6 +25,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- name: Checkout repository
diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml
index 61ffd7a..4e4deb7 100644
--- a/code-scanning/contrast-scan.yml
+++ b/code-scanning/contrast-scan.yml
@@ -30,6 +30,7 @@ jobs:
permissions:
contents: read # for actions/checkout
security-events: write # for github/codeql-action/upload-sarif
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
# check out project
steps:
diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml
index 9067a7d..54b01c8 100644
--- a/code-scanning/eslint.yml
+++ b/code-scanning/eslint.yml
@@ -25,6 +25,7 @@ jobs:
permissions:
contents: read
security-events: write
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v3
diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml
index 56725f5..0089f10 100644
--- a/code-scanning/frogbot-scan-and-fix.yml
+++ b/code-scanning/frogbot-scan-and-fix.yml
@@ -10,14 +10,11 @@
name: "Frogbot Scan and Fix"
on:
push:
- branches:
- # The scanning and creation of pull requests with fixes are triggered by pushing code to one of the these branches.
- # You can edit the list of branches you wish to open fix pull requests on.
- - "main"
- - "master"
+ branches: [ $default-branch ]
permissions:
contents: write
pull-requests: write
+ security-events: write
jobs:
create-fix-pull-requests:
runs-on: ubuntu-latest
@@ -40,7 +37,7 @@ jobs:
# node-version: "16.x"
- - uses: jfrog/frogbot@de3d42bf3a454ddf156632ae520a5ead49048416
+ - uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250
env:
# [Mandatory]
# JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml
index bdc71b4..bd1a9c2 100644
--- a/code-scanning/frogbot-scan-pr.yml
+++ b/code-scanning/frogbot-scan-pr.yml
@@ -42,7 +42,7 @@ jobs:
# The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request
- - uses: jfrog/frogbot@de3d42bf3a454ddf156632ae520a5ead49048416
+ - uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250
env:
# [Mandatory]
# JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml
index 2f554e4..3153652 100644
--- a/code-scanning/hadolint.yml
+++ b/code-scanning/hadolint.yml
@@ -27,7 +27,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v3
diff --git a/code-scanning/lintr.yml b/code-scanning/lintr.yml
new file mode 100644
index 0000000..350df19
--- /dev/null
+++ b/code-scanning/lintr.yml
@@ -0,0 +1,55 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# lintr provides static code analysis for R.
+# It checks for adherence to a given style,
+# identifying syntax errors and possible semantic issues,
+# then reports them to you so you can take action.
+# More details at https://lintr.r-lib.org/
+
+name: lintr
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ lintr:
+ name: Run lintr scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Setup R
+ uses: r-lib/actions/setup-r@4e1feaf90520ec1215d1882fdddfe3411c08e492
+
+ - name: Setup lintr
+ uses: r-lib/actions/setup-r-dependencies@4e1feaf90520ec1215d1882fdddfe3411c08e492
+ with:
+ extra-packages: lintr
+
+ - name: Run lintr
+ run: lintr::sarif_output(lintr::lint_dir("."), "lintr-results.sarif")
+ shell: Rscript {0}
+ continue-on-error: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: lintr-results.sarif
+ wait-for-processing: true
diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml
index 6d2bfb8..1013749 100644
--- a/code-scanning/mobsf.yml
+++ b/code-scanning/mobsf.yml
@@ -21,6 +21,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml
index 863fbcb..e8dac88 100644
--- a/code-scanning/msvc.yml
+++ b/code-scanning/msvc.yml
@@ -28,6 +28,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Analyze
runs-on: windows-latest
diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml
index 8c359b8..d766a6f 100644
--- a/code-scanning/njsscan.yml
+++ b/code-scanning/njsscan.yml
@@ -25,6 +25,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
name: njsscan code scanning
steps:
diff --git a/code-scanning/nowsecure-mobile-sbom.yml b/code-scanning/nowsecure-mobile-sbom.yml
new file mode 100644
index 0000000..b9cf039
--- /dev/null
+++ b/code-scanning/nowsecure-mobile-sbom.yml
@@ -0,0 +1,55 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# NowSecure: The Mobile Security Experts .
+#
+# To use this workflow, you must have a token for NowSecure Platform. If you are a NowSecure customer,
+# you can find it in NowSecure Platform.
+#
+# If you *are not* a NowSecure customer, click here to sign up for a free trial to get access:
+# .
+#
+# Instructions:
+#
+# 1. In the settings for your repository, click "Secrets" then "New repository secret". Name the secret "NS_TOKEN" and
+# paste in your Platform token. If you do not have a Platform token, or wish to create a new one for GitHub, visit
+# NowSecure Platform and go to "Profile & Preferences" then create a token labelled "GitHub".
+#
+# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository
+# and review the "Dependency graph" tab in the "Insights" pane once the action has run.
+
+name: "NowSecure Mobile SBOM"
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ nowsecure:
+ name: NowSecure Mobile SBOM
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Build your application
+ run: ./gradlew assembleDebug # Update this to build your Android or iOS application
+
+ - name: NowSecure upload app
+ uses: nowsecure/nowsecure-sbom-action@ecb731b6f17a83fa53f756f9dae2ec7034c5ed7c
+ with:
+ token: ${{ secrets.NS_TOKEN }}
+ app_file: app-debug.apk # Update this to a path to your .ipa or .apk
+ group_id: {{ groupId }} # Update this to your desired Platform group ID
diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml
index cbef5a2..2bd91dd 100644
--- a/code-scanning/ossar.yml
+++ b/code-scanning/ossar.yml
@@ -27,6 +27,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: windows-latest
steps:
diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml
index 91f4b2d..d10ace1 100644
--- a/code-scanning/phpmd.yml
+++ b/code-scanning/phpmd.yml
@@ -34,6 +34,7 @@ jobs:
permissions:
contents: read # for checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml
index a1e32c4..8115116 100644
--- a/code-scanning/pmd.yml
+++ b/code-scanning/pmd.yml
@@ -21,6 +21,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml
index 1d72a9b..02e5de7 100644
--- a/code-scanning/powershell.yml
+++ b/code-scanning/powershell.yml
@@ -25,13 +25,14 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: PSScriptAnalyzer
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run PSScriptAnalyzer
- uses: microsoft/psscriptanalyzer-action@2044ae068e37d0161fa2127de04c19633882f061
+ uses: microsoft/psscriptanalyzer-action@6b2948b1944407914a58661c49941824d149734f
with:
# Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options.
# The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules.
diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml
index 6f2031b..1a12b86 100644
--- a/code-scanning/prisma.yml
+++ b/code-scanning/prisma.yml
@@ -29,6 +29,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
name: Run Prisma Cloud IaC Scan to check
steps:
diff --git a/code-scanning/properties/anchore-syft.properties.json b/code-scanning/properties/anchore-syft.properties.json
index 815f8b2..aa4cb1e 100644
--- a/code-scanning/properties/anchore-syft.properties.json
+++ b/code-scanning/properties/anchore-syft.properties.json
@@ -1,6 +1,6 @@
{
"name": "Anchore Syft SBOM Scan",
- "organization": "Anchore",
+ "creator": "Anchore",
"description": "Produce Software Bills of Materials based on Anchore's open source Syft tool.",
"iconName": "anchore",
"categories": ["Code Scanning", "dockerfile", "dependency-management"]
diff --git a/code-scanning/properties/anchore.properties.json b/code-scanning/properties/anchore.properties.json
index d997da4..94634dd 100644
--- a/code-scanning/properties/anchore.properties.json
+++ b/code-scanning/properties/anchore.properties.json
@@ -1,7 +1,7 @@
{
- "name": "Anchore Container Scan",
- "creator": "Indeni Cloudrail",
- "description": "Produce container image vulnerability and compliance reports based on the open-source Anchore container image scanner.",
+ "name": "Anchore Grype Vulnerability Scan",
+ "creator": "Anchore",
+ "description": "Produce source and container vulnerability reports based on Anchore's open source Grype tool.",
"iconName": "anchore",
"categories": ["Code Scanning", "dockerfile"]
-}
\ No newline at end of file
+}
diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json
index ddb4627..8ee80b4 100644
--- a/code-scanning/properties/codeql.properties.json
+++ b/code-scanning/properties/codeql.properties.json
@@ -1,6 +1,7 @@
{
"name": "CodeQL Analysis",
"creator": "GitHub",
+ "enterprise": true,
"description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.",
"iconName": "octicon mark-github",
"categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"]
diff --git a/code-scanning/properties/eslint.properties.json b/code-scanning/properties/eslint.properties.json
index a84646a..2a1271f 100644
--- a/code-scanning/properties/eslint.properties.json
+++ b/code-scanning/properties/eslint.properties.json
@@ -2,10 +2,11 @@
"name": "ESLint",
"description": "A tool for identifying and reporting the problems found in ECMAScript/JavaScript code.",
"iconName": "eslint",
+ "enterprise": false,
"categories": [
"Code Scanning",
"JavaScript",
"EcmaScript",
"TypeScript"
]
-}
\ No newline at end of file
+}
diff --git a/code-scanning/properties/lintr.properties.json b/code-scanning/properties/lintr.properties.json
new file mode 100644
index 0000000..07e9741
--- /dev/null
+++ b/code-scanning/properties/lintr.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "lintr",
+ "description": "lintr provides static code analysis for R.",
+ "iconName": "lintr",
+ "categories": [ "Code Scanning", "R" ]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/nowsecure-mobile-sbom.properties.json b/code-scanning/properties/nowsecure-mobile-sbom.properties.json
new file mode 100644
index 0000000..32a7964
--- /dev/null
+++ b/code-scanning/properties/nowsecure-mobile-sbom.properties.json
@@ -0,0 +1,21 @@
+{
+ "name": "NowSecure Mobile SBOM",
+ "creator": "NowSecure",
+ "description": "Generate a Mobile SBOM for an application and submit to Dependency Graph",
+ "iconName": "nowsecure",
+ "categories": [
+ "Code Scanning",
+ "Java",
+ "Kotlin",
+ "Scala",
+ "Swift",
+ "Objective C",
+ "C",
+ "C++",
+ "C#",
+ "Rust",
+ "JavaScript",
+ "TypeScript",
+ "Node"
+ ]
+}
diff --git a/code-scanning/properties/zscan.properties.json b/code-scanning/properties/zscan.properties.json
new file mode 100644
index 0000000..6b55756
--- /dev/null
+++ b/code-scanning/properties/zscan.properties.json
@@ -0,0 +1,14 @@
+{
+ "name": "zScan",
+ "creator": "Zimperium",
+ "description": "The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) and identifies security, privacy, and compliance-related vulnerabilities. ",
+ "iconName": "zscan",
+ "categories": [
+ "Code Scanning",
+ "Java",
+ "Kotlin",
+ "Scala",
+ "Swift",
+ "Objective C"
+ ]
+}
diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml
index d41b65b..50b86db 100644
--- a/code-scanning/puppet-lint.yml
+++ b/code-scanning/puppet-lint.yml
@@ -29,6 +29,7 @@ jobs:
permissions:
contents: read # for checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml
index e9c426a..c5f10ee 100644
--- a/code-scanning/rust-clippy.yml
+++ b/code-scanning/rust-clippy.yml
@@ -25,6 +25,7 @@ jobs:
permissions:
contents: read
security-events: write
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v2
diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml
index e4f1d0f..31a4fa1 100644
--- a/code-scanning/scorecards.yml
+++ b/code-scanning/scorecards.yml
@@ -17,12 +17,12 @@ jobs:
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
- # Used to receive a badge. (Upcoming feature)
+ # Used to receive a badge.
id-token: write
# Needs for private repositories.
contents: read
actions: read
-
+
steps:
- name: "Checkout code"
uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
@@ -30,7 +30,7 @@ jobs:
persist-credentials: false
- name: "Run analysis"
- uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # tag=v1.1.1
+ uses: ossf/scorecard-action@865b4092859256271290c77adbd10a43f4779972 # tag=v2.0.3
with:
results_file: results.sarif
results_format: sarif
@@ -41,8 +41,8 @@ jobs:
# repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
# Publish the results for public repositories to enable scorecard badges. For more details, see
- # https://github.com/ossf/scorecard-action#publishing-results.
- # For private repositories, `publish_results` will automatically be set to `false`, regardless
+ # https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories, `publish_results` will automatically be set to `false`, regardless
# of the value entered here.
publish_results: true
@@ -54,7 +54,7 @@ jobs:
name: SARIF file
path: results.sarif
retention-days: 5
-
+
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26
diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml
index fae9885..b10a930 100644
--- a/code-scanning/semgrep.yml
+++ b/code-scanning/semgrep.yml
@@ -27,6 +27,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Scan
runs-on: ubuntu-latest
steps:
diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml
index 0fbbf87..a232c53 100644
--- a/code-scanning/snyk-container.yml
+++ b/code-scanning/snyk-container.yml
@@ -30,6 +30,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml
index a685323..3ca1035 100644
--- a/code-scanning/snyk-infrastructure.yml
+++ b/code-scanning/snyk-infrastructure.yml
@@ -29,6 +29,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml
index 21cb6e7..7d38c77 100644
--- a/code-scanning/sobelow.yml
+++ b/code-scanning/sobelow.yml
@@ -28,6 +28,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml
index cf3b1b7..9b58e90 100644
--- a/code-scanning/soos-dast-scan.yml
+++ b/code-scanning/soos-dast-scan.yml
@@ -3,13 +3,18 @@
# separate terms of service, privacy policy, and support
# documentation.
#
-# SOOS is the easy-to-integrate software security solution for your whole team, learn more at https://soos.io/
+# SOOS is the easy-to-integrate and affordable software security solution for your whole team.
+# Learn more at https://soos.io/
#
-# To use this action you need to fill the following requirements:
+# To use this action, perform the following steps:
#
-# 1. Create an account on https://app.soos.io to obtain a Client ID and API Key (Free 30 days trials for both our SCA/DAST product).
+# 1. Create an account on https://app.soos.io. SOOS offers a free 30 day trial for our SCA and DAST products.
#
-# 2. Set up your API KEY/Client ID as Github Secrets named SOOS_CLIENT_ID & SOOS_API_KEY. (Also set SOOS_GITHUB_PAT with your Github Personal Access Token if you're going to use sarif upload)
+# 2. Navigate to the "Integrate" page in the SOOS app (https://app.soos.io/integrate). Note the "API Credentials" section of this page; the keys you will need for the next step are here.
+#
+# 3. Set up your SOOS API Key and SOOS Client Id as Github Secrets named SOOS_API_KEY and SOOS_CLIENT_ID.
+#
+# 4. (Optional) If you'd like to upload SARIF results of DAST scans to GitHub, set SOOS_GITHUB_PAT with your Github Personal Access Token.
#
name: "SOOS DAST Scan"
diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml
index f075a80..f9b61b9 100644
--- a/code-scanning/sysdig-scan.yml
+++ b/code-scanning/sysdig-scan.yml
@@ -24,6 +24,7 @@ jobs:
checks: write # for sysdiglabs/scan-action to publish the checks
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml
index 63be947..f56d9e5 100644
--- a/code-scanning/trivy.yml
+++ b/code-scanning/trivy.yml
@@ -22,6 +22,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Build
runs-on: "ubuntu-18.04"
steps:
diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml
index b8a5b37..89d35df 100644
--- a/code-scanning/veracode.yml
+++ b/code-scanning/veracode.yml
@@ -27,6 +27,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml
index 3462eaa..5724a97 100644
--- a/code-scanning/xanitizer.yml
+++ b/code-scanning/xanitizer.yml
@@ -51,6 +51,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
diff --git a/code-scanning/zscan.yml b/code-scanning/zscan.yml
new file mode 100644
index 0000000..1ac6bbd
--- /dev/null
+++ b/code-scanning/zscan.yml
@@ -0,0 +1,61 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android)
+# and identifies security, privacy, and compliance-related vulnerabilities.
+#
+# Prerequisites:
+# * An active Zimperium zScan account is required. If you are not an existing Zimperium
+# zScan customer, please request a zSCAN demo by visiting https://www.zimperium.com/contact-us.
+# * Either GitHub Advanced Security (GHAS) or a public repository is required to display
+# issues and view the remediation information inside of GitHub code scanning alerts.
+#
+# For additional information and setup instructions
+# please visit: https://github.com/Zimperium/zScanMarketplace#readme
+
+name: "Zimperium zScan"
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+
+permissions:
+ contents: read
+
+jobs:
+ zscan:
+ name: zScan
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Execute gradle build
+ run: ./gradlew build # Change this to build your mobile application
+
+ - name: Run Zimperium zScan
+ uses: zimperium/zscanmarketplace@bfc6670f6648d796098c251ccefcfdb98983174d
+ timeout-minutes: 60
+ with:
+ # REPLACE: Zimperium Client Environment Name
+ client_env: env_string
+ # REPLACE: Zimperium Client ID
+ client_id: id_string
+ # REPLACE: Zimperium Client Secret
+ client_secret: ${{ secrets.ZSCAN_CLIENT_SECRET }}
+ # REPLACE: The path to an .ipa or .apk
+ app_file: app-release-unsigned.apk
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: Zimperium.sarif
+
\ No newline at end of file
diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml
index d7c27d9..9853b75 100644
--- a/deployments/alibabacloud.yml
+++ b/deployments/alibabacloud.yml
@@ -21,8 +21,7 @@ name: Build and Deploy to ACK
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
# Environment variables available to all jobs and steps in this workflow.
env:
diff --git a/deployments/aws.yml b/deployments/aws.yml
index 47253bf..9585844 100644
--- a/deployments/aws.yml
+++ b/deployments/aws.yml
@@ -28,8 +28,7 @@ name: Deploy to Amazon ECS
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
env:
AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1
diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml
index 8b69065..cc2e1dd 100644
--- a/deployments/azure-container-webapp.yml
+++ b/deployments/azure-container-webapp.yml
@@ -31,8 +31,7 @@ env:
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
permissions:
diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml
index a6a2f4e..83a9163 100644
--- a/deployments/azure-kubernetes-service-helm.yml
+++ b/deployments/azure-kubernetes-service-helm.yml
@@ -34,8 +34,7 @@ name: Build and deploy an app to AKS with Helm
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
env:
diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml
index 60fe536..0e76365 100644
--- a/deployments/azure-kubernetes-service-kompose.yml
+++ b/deployments/azure-kubernetes-service-kompose.yml
@@ -33,8 +33,7 @@ name: Build and deploy an app to AKS with Kompose
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
env:
diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml
index d46cadb..1a89f3c 100644
--- a/deployments/azure-kubernetes-service-kustomize.yml
+++ b/deployments/azure-kubernetes-service-kustomize.yml
@@ -33,8 +33,7 @@ name: Build and deploy an app to AKS with Kustomize
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
env:
diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml
index d04a2ac..3e49419 100644
--- a/deployments/azure-kubernetes-service.yml
+++ b/deployments/azure-kubernetes-service.yml
@@ -29,8 +29,7 @@ name: Build and deploy an app to AKS
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
env:
diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml
index a40ecc2..8fe07ce 100644
--- a/deployments/azure-staticwebapp.yml
+++ b/deployments/azure-staticwebapp.yml
@@ -14,12 +14,10 @@ name: Deploy web app to Azure Static Web Apps
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
pull_request:
types: [opened, synchronize, reopened, closed]
- branches:
- - $default-branch
+ branches: [ $default-branch ]
# Environment variables available to all jobs and steps in this workflow
env:
diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml
index 0b59686..9b21895 100644
--- a/deployments/azure-webapps-dotnet-core.yml
+++ b/deployments/azure-webapps-dotnet-core.yml
@@ -26,8 +26,7 @@ env:
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
permissions:
diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml
index 6e3df8d..60fa68c 100644
--- a/deployments/azure-webapps-java-jar.yml
+++ b/deployments/azure-webapps-java-jar.yml
@@ -26,8 +26,7 @@ env:
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
permissions:
diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml
index 1480c92..98e72c2 100644
--- a/deployments/azure-webapps-node.yml
+++ b/deployments/azure-webapps-node.yml
@@ -19,8 +19,7 @@
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
env:
diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml
index 98e8dc7..4d08dbd 100644
--- a/deployments/azure-webapps-php.yml
+++ b/deployments/azure-webapps-php.yml
@@ -21,8 +21,7 @@ name: Build and deploy PHP app to Azure Web App
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
env:
diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml
index 50f4823..d7aa802 100644
--- a/deployments/azure-webapps-python.yml
+++ b/deployments/azure-webapps-python.yml
@@ -25,8 +25,7 @@ env:
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
permissions:
diff --git a/deployments/google-cloudrun-docker.yml b/deployments/google-cloudrun-docker.yml
index b8d0511..bd748f8 100644
--- a/deployments/google-cloudrun-docker.yml
+++ b/deployments/google-cloudrun-docker.yml
@@ -46,8 +46,7 @@ name: Build and Deploy to Cloud Run
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
env:
PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id
diff --git a/deployments/google-cloudrun-source.yml b/deployments/google-cloudrun-source.yml
index 2916b45..e6fcb52 100644
--- a/deployments/google-cloudrun-source.yml
+++ b/deployments/google-cloudrun-source.yml
@@ -48,8 +48,7 @@ name: Deploy to Cloud Run from Source
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
env:
PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id
diff --git a/deployments/google.yml b/deployments/google.yml
index 6150672..846452a 100644
--- a/deployments/google.yml
+++ b/deployments/google.yml
@@ -14,8 +14,7 @@ name: Build and Deploy to GKE
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
env:
PROJECT_ID: ${{ secrets.GKE_PROJECT }}
diff --git a/deployments/ibm.yml b/deployments/ibm.yml
index cb3080f..53a58c5 100644
--- a/deployments/ibm.yml
+++ b/deployments/ibm.yml
@@ -10,8 +10,7 @@ name: Build and Deploy to IKS
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
# Environment variables available to all jobs and steps in this workflow
env:
diff --git a/deployments/tencent.yml b/deployments/tencent.yml
index 4e9e9f6..ba65fe5 100644
--- a/deployments/tencent.yml
+++ b/deployments/tencent.yml
@@ -17,8 +17,7 @@ name: Tencent Kubernetes Engine
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
# Environment variables available to all jobs and steps in this workflow
env:
diff --git a/deployments/terraform.yml b/deployments/terraform.yml
index 53efe48..c06f685 100644
--- a/deployments/terraform.yml
+++ b/deployments/terraform.yml
@@ -46,8 +46,7 @@ name: 'Terraform'
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
pull_request:
permissions:
diff --git a/icons/generator-generic-ossf-slsa3-publish.svg b/icons/generator-generic-ossf-slsa3-publish.svg
new file mode 100644
index 0000000..ea77468
--- /dev/null
+++ b/icons/generator-generic-ossf-slsa3-publish.svg
@@ -0,0 +1,11 @@
+
+
diff --git a/icons/lintr.svg b/icons/lintr.svg
new file mode 100644
index 0000000..cdc40d8
--- /dev/null
+++ b/icons/lintr.svg
@@ -0,0 +1,679 @@
+
+
+
+
diff --git a/icons/zscan.svg b/icons/zscan.svg
new file mode 100644
index 0000000..1dff416
--- /dev/null
+++ b/icons/zscan.svg
@@ -0,0 +1,11 @@
+
+
+
diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts
index 608e73d..a320d36 100755
--- a/script/sync-ghes/index.ts
+++ b/script/sync-ghes/index.ts
@@ -61,7 +61,7 @@ async function checkWorkflows(
const enabled =
!isPartnerWorkflow &&
- workflowProperties.enterprise !== false &&
+ (workflowProperties.enterprise === true || folder !== 'code-scanning') &&
(await checkWorkflow(workflowFilePath, enabledActions));
const workflowDesc: WorkflowDesc = {
diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json
index 9648ab4..41d6bcd 100644
--- a/script/sync-ghes/settings.json
+++ b/script/sync-ghes/settings.json
@@ -2,20 +2,27 @@
"folders": [
"../../ci",
"../../automation",
- "../../code-scanning"
+ "../../code-scanning",
+ "../../pages"
],
"enabledActions": [
+ "actions/cache",
"actions/checkout",
+ "actions/configure-pages",
"actions/create-release",
"actions/delete-package-versions",
+ "actions/deploy-pages",
"actions/download-artifact",
+ "actions/jekyll-build-pages",
"actions/setup-dotnet",
"actions/setup-go",
"actions/setup-java",
"actions/setup-node",
+ "actions/setup-python",
"actions/stale",
"actions/starter-workflows",
"actions/upload-artifact",
+ "actions/upload-pages-artifact",
"actions/upload-release-asset",
"github/codeql-action"
],
diff --git a/script/validate-data/package-lock.json b/script/validate-data/package-lock.json
index e660b6a..358c661 100644
--- a/script/validate-data/package-lock.json
+++ b/script/validate-data/package-lock.json
@@ -9,7 +9,7 @@
"version": "1.0.0",
"license": "MIT",
"dependencies": {
- "@actions/core": "^1.2.6",
+ "@actions/core": "^1.9.1",
"js-yaml": "^3.13.1",
"jsonschema": "^1.2.6"
},
@@ -21,9 +21,21 @@
}
},
"node_modules/@actions/core": {
- "version": "1.2.6",
- "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz",
- "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA=="
+ "version": "1.9.1",
+ "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz",
+ "integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==",
+ "dependencies": {
+ "@actions/http-client": "^2.0.1",
+ "uuid": "^8.3.2"
+ }
+ },
+ "node_modules/@actions/http-client": {
+ "version": "2.0.1",
+ "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz",
+ "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==",
+ "dependencies": {
+ "tunnel": "^0.0.6"
+ }
},
"node_modules/@types/js-yaml": {
"version": "3.12.4",
@@ -153,6 +165,14 @@
"typescript": ">=2.7"
}
},
+ "node_modules/tunnel": {
+ "version": "0.0.6",
+ "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
+ "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==",
+ "engines": {
+ "node": ">=0.6.11 <=0.7.0 || >=0.7.3"
+ }
+ },
"node_modules/typescript": {
"version": "3.9.2",
"resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz",
@@ -166,6 +186,14 @@
"node": ">=4.2.0"
}
},
+ "node_modules/uuid": {
+ "version": "8.3.2",
+ "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
+ "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
+ "bin": {
+ "uuid": "dist/bin/uuid"
+ }
+ },
"node_modules/yn": {
"version": "3.1.1",
"resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz",
@@ -178,9 +206,21 @@
},
"dependencies": {
"@actions/core": {
- "version": "1.2.6",
- "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz",
- "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA=="
+ "version": "1.9.1",
+ "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz",
+ "integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==",
+ "requires": {
+ "@actions/http-client": "^2.0.1",
+ "uuid": "^8.3.2"
+ }
+ },
+ "@actions/http-client": {
+ "version": "2.0.1",
+ "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz",
+ "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==",
+ "requires": {
+ "tunnel": "^0.0.6"
+ }
},
"@types/js-yaml": {
"version": "3.12.4",
@@ -279,12 +319,22 @@
"yn": "3.1.1"
}
},
+ "tunnel": {
+ "version": "0.0.6",
+ "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
+ "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg=="
+ },
"typescript": {
"version": "3.9.2",
"resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz",
"integrity": "sha512-q2ktq4n/uLuNNShyayit+DTobV2ApPEo/6so68JaD5ojvc/6GClBipedB9zNWYxRSAlZXAe405Rlijzl6qDiSw==",
"dev": true
},
+ "uuid": {
+ "version": "8.3.2",
+ "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
+ "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg=="
+ },
"yn": {
"version": "3.1.1",
"resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz",
diff --git a/script/validate-data/package.json b/script/validate-data/package.json
index e6403ee..6811f19 100644
--- a/script/validate-data/package.json
+++ b/script/validate-data/package.json
@@ -14,7 +14,7 @@
"typescript": "^3.9.2"
},
"dependencies": {
- "@actions/core": "^1.2.6",
+ "@actions/core": "^1.9.1",
"js-yaml": "^3.13.1",
"jsonschema": "^1.2.6"
}