From 69184c7484fdc04189ae93557415ca14959cd5a7 Mon Sep 17 00:00:00 2001 From: Yoni Leitersdorf Date: Tue, 17 Aug 2021 07:29:02 -0700 Subject: [PATCH 001/300] Added Cloudrail according to instructions and existing examples --- code-scanning/properties/codeql.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index cb9305a..f4db277 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -1,6 +1,6 @@ { "name": "CodeQL Analysis", - "creator": "GitHub", + "creator": "Indeni", "description": "Security analysis from GitHub for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.", "iconName": "octicon mark-github", "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python"] From 188b52b51c31ac79b948c3b4a656b097920e9fe6 Mon Sep 17 00:00:00 2001 From: Yoni Leitersdorf Date: Tue, 17 Aug 2021 07:29:29 -0700 Subject: [PATCH 002/300] Adding Cloudrail according to documentation and examples --- code-scanning/cloudrail.yml | 58 +++++++++++++++++++ .../properties/cloudrail.properties.json | 7 +++ icons/cloudrail.svg | 53 +++++++++++++++++ 3 files changed, 118 insertions(+) create mode 100644 code-scanning/cloudrail.yml create mode 100644 code-scanning/properties/cloudrail.properties.json create mode 100644 icons/cloudrail.svg diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml new file mode 100644 index 0000000..474b97a --- /dev/null +++ b/code-scanning/cloudrail.yml @@ -0,0 +1,58 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: cloudrail + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + cloudrail: + name: Run Indeni Cloudrail on Terraform code with SARIF output + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Clone repo + uses: actions/checkout@v2 + + # For Terraform, Cloudrail requires the plan as input. So we generate it using + # the Terraform core binary. + - uses: hashicorp/setup-terraform@v1 + with: + terraform_version: v0.13.2 + + - run: terraform init + + - run: terraform plan -out=plan.out + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + # Confirm we have the plan file + - run: stat plan.out + + - name: Run Cloudrail + uses: indeni/cloudrail-run-ga@v1.3 + with: + tf-plan-file: plan.out # This was created in a "terraform plan" step + cloudrail-api-key: ${{ secrets.CLOUDRAIL_API_KEY }} # This requires registration to Indeni Cloudrail's SaaS at https://web.cloudrail.app + cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + # Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always() + # is needed to ensure the SARIF file is uploaded + if: always() + with: + sarif_file: cloudrail_results.sarif diff --git a/code-scanning/properties/cloudrail.properties.json b/code-scanning/properties/cloudrail.properties.json new file mode 100644 index 0000000..36181c2 --- /dev/null +++ b/code-scanning/properties/cloudrail.properties.json @@ -0,0 +1,7 @@ +{ + "name": "cloudrail", + "creator": "Indeni Cloudrail", + "description": "Cloudrail, by Indeni, can be used to scan your infrastructure-as-code files for potential security and compliance issues. The Cloudrail action is often used as part of both CI workflows (on pull_request) and on CD workflows to identify potential issues. Cloudrail's output uses the SARIF format, which will surface the scan's results directly inside your pull request.", + "iconName": "cloudrail", + "categories": ["Code Scanning", "HCL"] +} diff --git a/icons/cloudrail.svg b/icons/cloudrail.svg new file mode 100644 index 0000000..9aaf9c3 --- /dev/null +++ b/icons/cloudrail.svg @@ -0,0 +1,53 @@ + + + + + + + + + + + + + + From 98bde3b31e53b969eeabcb5a94e5461d3fa0664c Mon Sep 17 00:00:00 2001 From: Yoni Leitersdorf Date: Tue, 17 Aug 2021 07:32:50 -0700 Subject: [PATCH 003/300] Oops --- code-scanning/properties/codeql.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index f4db277..cb9305a 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -1,6 +1,6 @@ { "name": "CodeQL Analysis", - "creator": "Indeni", + "creator": "GitHub", "description": "Security analysis from GitHub for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.", "iconName": "octicon mark-github", "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python"] From b671ee6c7bf976f49aa402423911466d733b218e Mon Sep 17 00:00:00 2001 From: Ruud Senden Date: Mon, 13 Sep 2021 10:13:58 +0200 Subject: [PATCH 004/300] Add original Fortify on Demand workflow --- code-scanning/fortify-on-demand.yml | 92 +++++++++++++++++++ .../fortify-on-demand.properties.json | 7 ++ icons/fortify.svg | 1 + 3 files changed, 100 insertions(+) create mode 100644 code-scanning/fortify-on-demand.yml create mode 100644 code-scanning/properties/fortify-on-demand.properties.json create mode 100644 icons/fortify.svg diff --git a/code-scanning/fortify-on-demand.yml b/code-scanning/fortify-on-demand.yml new file mode 100644 index 0000000..2baf56b --- /dev/null +++ b/code-scanning/fortify-on-demand.yml @@ -0,0 +1,92 @@ +################################################################################################################################################ +# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,# +# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial # +# or contact our sales team, visit microfocus.com/appsecurity. # +# # +# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.# +# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into # +# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against # +# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the # +# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional # +# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. # +################################################################################################################################################ + +name: Fortify on Demand Scan + +# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time +on: + workflow_dispatch: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '24 18 * * 5' + +jobs: + FoD-SAST-Scan: + # Use the appropriate runner for building your source code. + # TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax. + runs-on: ubuntu-latest + + steps: + # Check out source code + - name: Check Out Source Code + uses: actions/checkout@v2 + + # Java 8 required by ScanCentral Client and FoD Uploader(Univeral CI Tool) + - name: Setup Java + uses: actions/setup-java@v1 + with: + java-version: 1.8 + + # Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml. + # TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints: + # ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle). + # ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner. + # ScanCentral has additional options that should be set for PHP and Python projects + # For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation. + # ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/ + - name: Download Fortify ScanCentral Client + uses: fortify/gha-setup-scancentral-client@v1 + - name: Package Code + Dependencies + run: scancentral package $PACKAGE_OPTS -o package.zip + env: + PACKAGE_OPTS: "-bt mvn" + + # Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java + # TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints: + # Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used). + # Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal. + - name: Download Fortify on Demand Universal CI Tool + uses: fortify/gha-setup-fod-uploader@v1 + - name: Perform SAST Scan + run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES" + env: + FOD_TENANT: ${{ secrets.FOD_TENANT }} + FOD_USER: ${{ secrets.FOD_USER }} + FOD_PAT: ${{ secrets.FOD_PAT }} + FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }} + FOD_URL: "https://ams.fortify.com/" + FOD_API_URL: "https://api.ams.fortify.com/" + FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" + FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})' + + # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. + # TODO: Review Action inputs. For most users, these will be the same as used in the Perform SAST Scan step. + - name: Download Results + uses: fortify/gha-fod-generate-sarif@1.1.0 + with: + base-url: https://ams.fortify.com + tenant: ${{ secrets.FOD_TENANT }} + user: ${{ secrets.FOD_USER }} + password: ${{ secrets.FOD_PAT }} + release-id: ${{ secrets.FOD_RELEASE_ID }} + output: ./sarif/output.sarif + + # Import Fortify on Demand results to GitHub Security Code Scanning + - name: Import Results + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ./sarif/output.sarif diff --git a/code-scanning/properties/fortify-on-demand.properties.json b/code-scanning/properties/fortify-on-demand.properties.json new file mode 100644 index 0000000..5a7ee5e --- /dev/null +++ b/code-scanning/properties/fortify-on-demand.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Fortify on Demand Scan", + "creator": "Micro Focus", + "description": "Integrate Fortify's comprehensive static code analysis (SAST) for 27+ languages into your DevSecOps workflows to build secure software faster.", + "iconName": "fortify", + "categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Go", "HTML", "Java", "JavaScript", "JSP", "Kotlin", "MXML", "Objective C", "PHP", "PL/SQL", "Python", "Ruby", "Scala", "Swift", "T-SQL", "TypeScript", "VBScript", "VB.NET", "Visual Basic", "XML"] +} diff --git a/icons/fortify.svg b/icons/fortify.svg new file mode 100644 index 0000000..45a0d77 --- /dev/null +++ b/icons/fortify.svg @@ -0,0 +1 @@ + \ No newline at end of file From 99fae1ecb1b2463b453bd35393072e8385772cb2 Mon Sep 17 00:00:00 2001 From: Ruud Senden Date: Mon, 13 Sep 2021 10:29:38 +0200 Subject: [PATCH 005/300] Update Fortify on Demand workflow --- code-scanning/fortify-on-demand.yml | 34 ++++++++++++++--------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/code-scanning/fortify-on-demand.yml b/code-scanning/fortify-on-demand.yml index 2baf56b..4e3c3b6 100644 --- a/code-scanning/fortify-on-demand.yml +++ b/code-scanning/fortify-on-demand.yml @@ -17,10 +17,7 @@ name: Fortify on Demand Scan on: workflow_dispatch: push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] + branches: [ $default-branch ] schedule: - cron: '24 18 * * 5' @@ -29,13 +26,18 @@ jobs: # Use the appropriate runner for building your source code. # TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax. runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write steps: # Check out source code - name: Check Out Source Code uses: actions/checkout@v2 - # Java 8 required by ScanCentral Client and FoD Uploader(Univeral CI Tool) + # Java is required to run the various Fortify utilities. + # When scanning a Java application, please use the appropriate Java version for building your application. - name: Setup Java uses: actions/setup-java@v1 with: @@ -64,29 +66,27 @@ jobs: - name: Perform SAST Scan run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES" env: + FOD_URL: "https://ams.fortify.com/" + FOD_API_URL: "https://api.ams.fortify.com/" FOD_TENANT: ${{ secrets.FOD_TENANT }} FOD_USER: ${{ secrets.FOD_USER }} FOD_PAT: ${{ secrets.FOD_PAT }} FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }} - FOD_URL: "https://ams.fortify.com/" - FOD_API_URL: "https://api.ams.fortify.com/" FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})' # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. - # TODO: Review Action inputs. For most users, these will be the same as used in the Perform SAST Scan step. - - name: Download Results - uses: fortify/gha-fod-generate-sarif@1.1.0 + - name: Export results to GitHub-optimized SARIF + uses: fortify/gha-export-vulnerabilities@v1 with: - base-url: https://ams.fortify.com - tenant: ${{ secrets.FOD_TENANT }} - user: ${{ secrets.FOD_USER }} - password: ${{ secrets.FOD_PAT }} - release-id: ${{ secrets.FOD_RELEASE_ID }} - output: ./sarif/output.sarif + fod_base_url: "https://ams.fortify.com/" + fod_tenant: ${{ secrets.FOD_TENANT }} + fod_user: ${{ secrets.FOD_USER }} + fod_password: ${{ secrets.FOD_PAT }} + fod_release_id: ${{ secrets.FOD_RELEASE_ID }} # Import Fortify on Demand results to GitHub Security Code Scanning - name: Import Results uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: ./sarif/output.sarif + sarif_file: ./gh-fortify-sast.sarif From 6d89fb8045968bc5f12cd8989b25a9b6d04cfb3a Mon Sep 17 00:00:00 2001 From: Ruud Senden Date: Tue, 14 Sep 2021 08:56:36 +0200 Subject: [PATCH 006/300] Update Fortify on Demand supported languages --- code-scanning/properties/fortify-on-demand.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/fortify-on-demand.properties.json b/code-scanning/properties/fortify-on-demand.properties.json index 5a7ee5e..100b4bb 100644 --- a/code-scanning/properties/fortify-on-demand.properties.json +++ b/code-scanning/properties/fortify-on-demand.properties.json @@ -3,5 +3,5 @@ "creator": "Micro Focus", "description": "Integrate Fortify's comprehensive static code analysis (SAST) for 27+ languages into your DevSecOps workflows to build secure software faster.", "iconName": "fortify", - "categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Go", "HTML", "Java", "JavaScript", "JSP", "Kotlin", "MXML", "Objective C", "PHP", "PL/SQL", "Python", "Ruby", "Scala", "Swift", "T-SQL", "TypeScript", "VBScript", "VB.NET", "Visual Basic", "XML"] + "categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Go", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "Objective-C++", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML"] } From 30715e86a480f31a76cecd9b66c04fd1de636d73 Mon Sep 17 00:00:00 2001 From: Ruud Senden Date: Tue, 14 Sep 2021 09:06:33 +0200 Subject: [PATCH 007/300] Add 3rd-party GitHub Actions disclaimer --- code-scanning/fortify-on-demand.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/code-scanning/fortify-on-demand.yml b/code-scanning/fortify-on-demand.yml index 4e3c3b6..da200a6 100644 --- a/code-scanning/fortify-on-demand.yml +++ b/code-scanning/fortify-on-demand.yml @@ -1,3 +1,8 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + ################################################################################################################################################ # Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,# # dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial # From 48e2865d35bc0e139da46143e78789a0ff753060 Mon Sep 17 00:00:00 2001 From: Tim Etchells Date: Tue, 14 Sep 2021 11:11:27 -0700 Subject: [PATCH 008/300] Update OpenShift workflow to use GHCR by default (#6) - Simplifies required configuration since a registry account is now optional - Update a variety of comments - Use tools-installer to install oc - Other small changes towards a better UX Signed-off-by: Tim Etchells --- deployments/openshift.yml | 147 ++++++++++++++++++++------------------ 1 file changed, 77 insertions(+), 70 deletions(-) diff --git a/deployments/openshift.yml b/deployments/openshift.yml index ec5e0fb..fd090a8 100644 --- a/deployments/openshift.yml +++ b/deployments/openshift.yml @@ -3,61 +3,57 @@ # separate terms of service, privacy policy, and support # documentation. -### The OpenShift Starter workflow will: +# 💁 The OpenShift Starter workflow will: # - Checkout your repository -# - Perform a Docker build -# - Push the built image to an image registry +# - Perform a container image build +# - Push the built image to the GitHub Container Registry (GHCR) # - Log in to your OpenShift cluster -# - Create an OpenShift app from the image and expose it to the internet. +# - Create an OpenShift app from the image and expose it to the internet -### Before you begin: -# - Have write access to a container image registry such as quay.io or Dockerhub. -# - Have access to an OpenShift cluster. -# - For instructions to get started with OpenShift see https://www.openshift.com/try -# - The project you wish to add this workflow to should have a Dockerfile. -# - If you don't have a Dockerfile at the repository root, see the buildah-build step. -# - Builds from scratch are also available, but require more configuration. +# ℹ️ Configure your repository and the workflow with the following steps: +# 1. Have access to an OpenShift cluster. Refer to https://www.openshift.com/try +# 2. Create the OPENSHIFT_SERVER and OPENSHIFT_TOKEN repository secrets. Refer to: +# - https://github.com/redhat-actions/oc-login#readme +# - https://docs.github.com/en/actions/reference/encrypted-secrets +# - https://cli.github.com/manual/gh_secret_set +# 3. (Optional) Edit the top-level 'env' section as marked with '🖊️' if the defaults are not suitable for your project. +# 4. (Optional) Edit the build-image step to build your project. +# The default build type is by using a Dockerfile at the root of the repository, +# but can be replaced with a different file, a source-to-image build, or a step-by-step buildah build. +# 5. Commit and push the workflow file to your default branch to trigger a workflow run. -### To get the workflow running: -# 1. Add this workflow to your repository. -# 2. Edit the top-level 'env' section, which contains a list of environment variables that must be configured. -# 3. Create the secrets referenced in the 'env' section under your repository Settings. -# 4. Edit the 'branches' in the 'on' section to trigger the workflow on a push to your branch. -# 5. Commit and push your changes. - -# For a more sophisticated example, see https://github.com/redhat-actions/spring-petclinic/blob/main/.github/workflows/petclinic-sample.yaml -# Also see our GitHub organization, https://github.com/redhat-actions/ -# ▶️ See a video of how to set up this workflow at https://www.youtube.com/watch?v=6hgBO-1pKho +# 👋 Visit our GitHub organization at https://github.com/redhat-actions/ to see our actions and provide feedback. name: OpenShift -# ⬇️ Modify the fields marked with ⬇️ to fit your project, and create any secrets that are referenced. -# https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets env: - # ⬇️ EDIT with your registry and registry path. - REGISTRY: quay.io/ - # ⬇️ EDIT with your registry username. - REGISTRY_USER: - REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} - - # ⬇️ EDIT to log into your OpenShift cluster and set up the context. + # 🖊️ EDIT your repository secrets to log into your OpenShift cluster and set up the context. # See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values. + # To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }} OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }} - - # ⬇️ EDIT with any additional port your application should expose. - # By default, oc new-app action creates a service to the image's lowest numeric exposed port. - APP_PORT: "" - - # ⬇️ EDIT if you wish to set the kube context's namespace after login. Leave blank to use the default namespace. + # 🖊️ EDIT to set the kube context's namespace after login. Leave blank to use your user's default namespace. OPENSHIFT_NAMESPACE: "" - # If you wish to manually provide the APP_NAME and TAG, set them here, otherwise they will be auto-detected. + # 🖊️ EDIT to set a name for your OpenShift app, or a default one will be generated below. APP_NAME: "" - TAG: "" + + # 🖊️ EDIT with the port your application should be accessible on. + # If the container image exposes *exactly one* port, this can be left blank. + # Refer to the 'port' input of https://github.com/redhat-actions/oc-new-app + APP_PORT: "" + + # 🖊️ EDIT to change the image registry settings. + # Registries such as GHCR, Quay.io, and Docker Hub are supported. + IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} + IMAGE_REGISTRY_USER: ${{ github.actor }} + IMAGE_REGISTRY_PASSWORD: ${{ github.token }} + + # 🖊️ EDIT to specify custom tags for the container image, or default tags will be generated below. + IMAGE_TAGS: "" on: - # https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows + # https://docs.github.com/en/actions/reference/events-that-trigger-workflows push: # Edit to the branch(es) you want to build and deploy on each push. branches: [ $default-branch ] @@ -65,32 +61,40 @@ on: jobs: openshift-ci-cd: name: Build and deploy to OpenShift + # ubuntu-20.04 can also be used. runs-on: ubuntu-18.04 environment: production outputs: - ROUTE: ${{ steps.deploy-and-expose.outputs.route }} - SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} + ROUTE: ${{ steps.deploy-and-expose.outputs.route }} + SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} steps: - - name: Check if secrets exists + - name: Check for required secrets uses: actions/github-script@v3 with: script: | const secrets = { - REGISTRY_PASSWORD: `${{ secrets.REGISTRY_PASSWORD }}`, OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`, OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`, }; + const GHCR = "ghcr.io"; + if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) { + core.info(`Image registry is ${GHCR} - no registry password required`); + } + else { + core.info("A registry password is required"); + secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`; + } + const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => { if (value.length === 0) { - core.warning(`Secret "${name}" is not set`); + core.error(`Secret "${name}" is not set`); return true; } core.info(`✔️ Secret "${name}" is set`); return false; - }); if (missingSecrets.length > 0) { @@ -104,48 +108,50 @@ jobs: core.info(`✅ All the required secrets are set`); } - - uses: actions/checkout@v2 + - name: Check out repository + uses: actions/checkout@v2 - name: Determine app name if: env.APP_NAME == '' run: | echo "APP_NAME=$(basename $PWD)" | tee -a $GITHUB_ENV - - name: Determine tag - if: env.TAG == '' + - name: Determine image tags + if: env.IMAGE_TAGS == '' run: | - echo "TAG=${GITHUB_SHA::7}" | tee -a $GITHUB_ENV + echo "IMAGE_TAGS=latest ${GITHUB_SHA::12}" | tee -a $GITHUB_ENV # https://github.com/redhat-actions/buildah-build#readme - name: Build from Dockerfile - id: image-build + id: build-image uses: redhat-actions/buildah-build@v2 with: image: ${{ env.APP_NAME }} - tags: ${{ env.TAG }} - # If you don't have a dockerfile, see: - # https://github.com/redhat-actions/buildah-build#scratch-build-inputs - # Otherwise, point this to your Dockerfile relative to the repository root. + tags: ${{ env.IMAGE_TAGS }} + + # If you don't have a Dockerfile/Containerfile, refer to https://github.com/redhat-actions/buildah-build#scratch-build-inputs + # Or, perform a source-to-image build using https://github.com/redhat-actions/s2i-build + # Otherwise, point this to your Dockerfile/Containerfile relative to the repository root. dockerfiles: | ./Dockerfile # https://github.com/redhat-actions/push-to-registry#readme - name: Push to registry - id: push-to-registry + id: push-image uses: redhat-actions/push-to-registry@v2 with: - image: ${{ steps.image-build.outputs.image }} - tags: ${{ steps.image-build.outputs.tags }} - registry: ${{ env.REGISTRY }} - username: ${{ env.REGISTRY_USER }} - password: ${{ env.REGISTRY_PASSWORD }} + image: ${{ steps.build-image.outputs.image }} + tags: ${{ steps.build-image.outputs.tags }} + registry: ${{ env.IMAGE_REGISTRY }} + username: ${{ env.IMAGE_REGISTRY_USER }} + password: ${{ env.IMAGE_REGISTRY_PASSWORD }} - # The path the image was pushed to is now stored in ${{ steps.push-to-registry.outputs.registry-path }} + # The path the image was pushed to is now stored in ${{ steps.push-image.outputs.registry-path }} - # oc-login works on all platforms, but oc must be installed first. - # The GitHub Ubuntu runner already includes oc. - # Otherwise, https://github.com/redhat-actions/openshift-tools-installer can be used to install oc, - # as well as many other tools. + - name: Install oc + uses: redhat-actions/openshift-tools-installer@v1 + with: + oc: 4 # https://github.com/redhat-actions/oc-login#readme - name: Log in to OpenShift @@ -163,18 +169,19 @@ jobs: uses: redhat-actions/oc-new-app@v1 with: app_name: ${{ env.APP_NAME }} - image: ${{ steps.push-to-registry.outputs.registry-path }} + image: ${{ steps.push-image.outputs.registry-path }} namespace: ${{ env.OPENSHIFT_NAMESPACE }} port: ${{ env.APP_PORT }} - - name: View application route + - name: Print application URL + env: + ROUTE: ${{ steps.deploy-and-expose.outputs.route }} + SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} run: | [[ -n ${{ env.ROUTE }} ]] || (echo "Determining application route failed in previous step"; exit 1) + echo echo "======================== Your application is available at: ========================" echo ${{ env.ROUTE }} echo "===================================================================================" echo echo "Your app can be taken down with: \"oc delete all --selector='${{ env.SELECTOR }}'\"" - env: - ROUTE: ${{ steps.deploy-and-expose.outputs.route }} - SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} From 149cf11287e993f8144ff44dd688d69f1036d73e Mon Sep 17 00:00:00 2001 From: Tim Etchells Date: Tue, 14 Sep 2021 11:52:30 -0700 Subject: [PATCH 009/300] Update github-script major version Co-authored-by: John Bohannon --- deployments/openshift.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployments/openshift.yml b/deployments/openshift.yml index fd090a8..46ff961 100644 --- a/deployments/openshift.yml +++ b/deployments/openshift.yml @@ -71,7 +71,7 @@ jobs: steps: - name: Check for required secrets - uses: actions/github-script@v3 + uses: actions/github-script@v4 with: script: | const secrets = { From 31751181512568e56185350649a5be65fb9c1523 Mon Sep 17 00:00:00 2001 From: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Date: Wed, 15 Sep 2021 20:02:11 +0530 Subject: [PATCH 010/300] Addressing review comments - Renaming template and updating setup-ruby action version (#1086) * renaming template and updating setup-ruby action version * renaming rubyrails files * renaming rails files --- ci/properties/rails-lint.properties.json | 6 ------ ci/properties/rubyonrails-lint.properties.json | 6 ++++++ ci/{rails-lint.yml => rubyonrails-lint.yml} | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) delete mode 100644 ci/properties/rails-lint.properties.json create mode 100644 ci/properties/rubyonrails-lint.properties.json rename ci/{rails-lint.yml => rubyonrails-lint.yml} (87%) diff --git a/ci/properties/rails-lint.properties.json b/ci/properties/rails-lint.properties.json deleted file mode 100644 index 7a109a1..0000000 --- a/ci/properties/rails-lint.properties.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "name": "Rails - Build and Run Linters", - "description": "Build Rails application and run linters", - "iconName": "ruby", - "categories": ["Ruby", "Rails"] -} diff --git a/ci/properties/rubyonrails-lint.properties.json b/ci/properties/rubyonrails-lint.properties.json new file mode 100644 index 0000000..7dac469 --- /dev/null +++ b/ci/properties/rubyonrails-lint.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Rails - Install Dependencies and Run Linters", + "description": "Install dependencies and run linters on Rails application", + "iconName": "ruby", + "categories": ["Ruby", "Rails"] +} diff --git a/ci/rails-lint.yml b/ci/rubyonrails-lint.yml similarity index 87% rename from ci/rails-lint.yml rename to ci/rubyonrails-lint.yml index b2f8832..d95b70e 100644 --- a/ci/rails-lint.yml +++ b/ci/rubyonrails-lint.yml @@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. # This workflow will download a prebuilt Ruby version, install dependencies, and run linters -name: Build Rails and run linters +name: Rails - Install dependencies and run linters on: push: @@ -18,7 +18,7 @@ jobs: uses: actions/checkout@v2 - name: Setup Ruby and install gems - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e with: bundler-cache: true # Add or Replace any other security checks here From dda42cb8f2514b6ee4e8cc0a860512821ffaa9f7 Mon Sep 17 00:00:00 2001 From: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Date: Wed, 15 Sep 2021 20:04:06 +0530 Subject: [PATCH 011/300] Addition to categories to python templates (#1088) * addition to categories for python-app template * adding categories to pylint template * adding categories to python-package template Co-authored-by: Ashwin Sangem --- ci/properties/pylint.properties.json | 2 +- ci/properties/python-app.properties.json | 2 +- ci/properties/python-package.properties.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/properties/pylint.properties.json b/ci/properties/pylint.properties.json index c7d1363..fc751ea 100644 --- a/ci/properties/pylint.properties.json +++ b/ci/properties/pylint.properties.json @@ -2,5 +2,5 @@ "name": "Pylint", "description": "Lint a Python application with pylint.", "iconName": "python", - "categories": ["Python"] + "categories": ["Python", "Bottle", "Flask"] } diff --git a/ci/properties/python-app.properties.json b/ci/properties/python-app.properties.json index 34e4a57..add4d8b 100644 --- a/ci/properties/python-app.properties.json +++ b/ci/properties/python-app.properties.json @@ -2,5 +2,5 @@ "name": "Python application", "description": "Create and test a Python application.", "iconName": "python", - "categories": ["Python"] + "categories": ["Python", "Bottle", "Flask"] } diff --git a/ci/properties/python-package.properties.json b/ci/properties/python-package.properties.json index 4e09d40..06052d9 100644 --- a/ci/properties/python-package.properties.json +++ b/ci/properties/python-package.properties.json @@ -2,5 +2,5 @@ "name": "Python package", "description": "Create and test a Python package on multiple Python versions.", "iconName": "python", - "categories": ["Python"] + "categories": ["Python", "Bottle", "Flask"] } From df5ac56102886236863a9123780741504ddeb9a1 Mon Sep 17 00:00:00 2001 From: Shubham Tiwari <64764738+tiwarishub@users.noreply.github.com> Date: Thu, 16 Sep 2021 11:00:07 +0530 Subject: [PATCH 012/300] Adding category in the template property file (#1092) * adding category in the template property file * added category on ruby template --- ci/properties/ada.properties.json | 2 +- ci/properties/android.properties.json | 2 +- ci/properties/ant.properties.json | 2 +- ci/properties/c-cpp.properties.json | 2 +- ci/properties/clojure.properties.json | 2 +- ci/properties/cmake.properties.json | 2 +- ci/properties/crystal.properties.json | 2 +- ci/properties/d.properties.json | 2 +- ci/properties/dart.properties.json | 2 +- ci/properties/deno.properties.json | 2 +- ci/properties/django.properties.json | 2 +- ci/properties/docker-image.properties.json | 2 +- ci/properties/docker-publish.properties.json | 2 +- ci/properties/dotnet-desktop.properties.json | 2 +- ci/properties/dotnet.properties.json | 2 +- ci/properties/elixir.properties.json | 2 +- ci/properties/erlang.properties.json | 2 +- ci/properties/gem-push.properties.json | 2 +- ci/properties/go.properties.json | 2 +- ci/properties/gradle-publish.properties.json | 2 +- ci/properties/gradle.properties.json | 2 +- ci/properties/grunt.properties.json | 2 +- ci/properties/gulp.properties.json | 2 +- ci/properties/haskell.properties.json | 2 +- ci/properties/ios.properties.json | 1 + ci/properties/jekyll.properties.json | 2 +- ci/properties/laravel.properties.json | 1 + ci/properties/maven-publish.properties.json | 2 +- ci/properties/maven.properties.json | 2 +- ci/properties/msbuild.properties.json | 2 +- ci/properties/node.js.properties.json | 2 +- ci/properties/npm-publish.properties.json | 2 +- ci/properties/php.properties.json | 2 +- ci/properties/pylint.properties.json | 2 +- ci/properties/python-app.properties.json | 2 +- ci/properties/python-package-conda.properties.json | 2 +- ci/properties/python-package.properties.json | 2 +- ci/properties/python-publish.properties.json | 2 +- ci/properties/r.properties.json | 2 +- ci/properties/ruby.properties.json | 2 +- ci/properties/rubyonrails-lint.properties.json | 2 +- ci/properties/rust.properties.json | 2 +- ci/properties/scala.properties.json | 2 +- ci/properties/swift.properties.json | 2 +- ci/properties/webpack.properties.json | 2 +- deployments/properties/openshift.properties.json | 2 +- 46 files changed, 46 insertions(+), 44 deletions(-) diff --git a/ci/properties/ada.properties.json b/ci/properties/ada.properties.json index 71021d0..c4c2b3a 100644 --- a/ci/properties/ada.properties.json +++ b/ci/properties/ada.properties.json @@ -2,5 +2,5 @@ "name": "Ada", "description": "Build Ada project with GPRbuild.", "iconName": "ada", - "categories": ["Ada"] + "categories": ["Continuous integration", "Ada"] } diff --git a/ci/properties/android.properties.json b/ci/properties/android.properties.json index 29d293f..a3ff2cd 100644 --- a/ci/properties/android.properties.json +++ b/ci/properties/android.properties.json @@ -2,5 +2,5 @@ "name": "Android CI", "description": "Build an Android project with Gradle.", "iconName": "android", - "categories": ["Java", "Mobile"] + "categories": ["Continuous integration", "Java", "Mobile"] } diff --git a/ci/properties/ant.properties.json b/ci/properties/ant.properties.json index 5a4d7a9..93d5473 100644 --- a/ci/properties/ant.properties.json +++ b/ci/properties/ant.properties.json @@ -2,5 +2,5 @@ "name": "Java with Ant", "description": "Build and test a Java project with Apache Ant.", "iconName": "ant", - "categories": ["Ant", "Java"] + "categories": ["Continuous integration", "Ant", "Java"] } diff --git a/ci/properties/c-cpp.properties.json b/ci/properties/c-cpp.properties.json index 5d2a2df..2d214a4 100644 --- a/ci/properties/c-cpp.properties.json +++ b/ci/properties/c-cpp.properties.json @@ -2,5 +2,5 @@ "name": "C/C++ with Make", "description": "Build and test a C/C++ project using Make.", "iconName": "c-cpp", - "categories": ["C", "C++"] + "categories": ["Continuous integration", "C", "C++"] } diff --git a/ci/properties/clojure.properties.json b/ci/properties/clojure.properties.json index 5a9e3ed..f57dfdf 100644 --- a/ci/properties/clojure.properties.json +++ b/ci/properties/clojure.properties.json @@ -2,5 +2,5 @@ "name": "Clojure", "description": "Build and test a Clojure project with Leiningen.", "iconName": "clojure", - "categories": ["Clojure", "Java"] + "categories": ["Continuous integration", "Clojure", "Java"] } diff --git a/ci/properties/cmake.properties.json b/ci/properties/cmake.properties.json index ac001c3..a7f5d06 100644 --- a/ci/properties/cmake.properties.json +++ b/ci/properties/cmake.properties.json @@ -2,5 +2,5 @@ "name": "CMake based projects", "description": "Build and test a CMake based project.", "iconName": "cmake", - "categories": ["C", "C++"] + "categories": ["Continuous integration", "C", "C++"] } \ No newline at end of file diff --git a/ci/properties/crystal.properties.json b/ci/properties/crystal.properties.json index bb058f7..244adbf 100644 --- a/ci/properties/crystal.properties.json +++ b/ci/properties/crystal.properties.json @@ -2,5 +2,5 @@ "name": "Crystal", "description": "Build and test a Crystal project.", "iconName": "crystal", - "categories": ["Crystal"] + "categories": ["Continuous integration", "Crystal"] } diff --git a/ci/properties/d.properties.json b/ci/properties/d.properties.json index 5c67054..8e51aa3 100644 --- a/ci/properties/d.properties.json +++ b/ci/properties/d.properties.json @@ -2,5 +2,5 @@ "name": "D", "description": "Build and test a D project with dub.", "iconName": "d", - "categories": [ "D" ] + "categories": ["Continuous integration", "D"] } diff --git a/ci/properties/dart.properties.json b/ci/properties/dart.properties.json index 022a003..f4bf112 100644 --- a/ci/properties/dart.properties.json +++ b/ci/properties/dart.properties.json @@ -2,5 +2,5 @@ "name": "Dart", "description": "Build and test a Dart project with Pub.", "iconName": "dart", - "categories": ["Dart"] + "categories": ["Continuous integration", "Dart"] } diff --git a/ci/properties/deno.properties.json b/ci/properties/deno.properties.json index 8a2c762..6d4d653 100644 --- a/ci/properties/deno.properties.json +++ b/ci/properties/deno.properties.json @@ -2,5 +2,5 @@ "name": "Deno", "description": "Test your Deno project", "iconName": "deno", - "categories": ["JavaScript", "TypeScript", "Deno"] + "categories": ["Continuous integration", "JavaScript", "TypeScript", "Deno"] } diff --git a/ci/properties/django.properties.json b/ci/properties/django.properties.json index 3015441..791fb21 100644 --- a/ci/properties/django.properties.json +++ b/ci/properties/django.properties.json @@ -2,5 +2,5 @@ "name": "Django", "description": "Build and Test a Django Project", "iconName": "django", - "categories": ["Python", "Django"] + "categories": ["Continuous integration", "Python", "Django"] } diff --git a/ci/properties/docker-image.properties.json b/ci/properties/docker-image.properties.json index 8ad7552..b13144c 100644 --- a/ci/properties/docker-image.properties.json +++ b/ci/properties/docker-image.properties.json @@ -2,5 +2,5 @@ "name": "Docker image", "description": "Build a Docker image to deploy, run, or push to a registry.", "iconName": "docker", - "categories": ["Dockerfile"] + "categories": ["Continuous integration", "Dockerfile"] } diff --git a/ci/properties/docker-publish.properties.json b/ci/properties/docker-publish.properties.json index 1b36c0f..890f4af 100644 --- a/ci/properties/docker-publish.properties.json +++ b/ci/properties/docker-publish.properties.json @@ -2,5 +2,5 @@ "name": "Publish Docker Container", "description": "Build, test and push Docker image to GitHub Packages.", "iconName": "docker", - "categories": ["Dockerfile"] + "categories": ["Continuous integration", "Dockerfile"] } diff --git a/ci/properties/dotnet-desktop.properties.json b/ci/properties/dotnet-desktop.properties.json index f6e1cb8..bbe9d10 100644 --- a/ci/properties/dotnet-desktop.properties.json +++ b/ci/properties/dotnet-desktop.properties.json @@ -2,5 +2,5 @@ "name": ".NET Desktop", "description": "Build, test, sign and publish a desktop application built on .NET.", "iconName": "dotnet", - "categories": ["C#", "Visual Basic", "WPF", ".NET"] + "categories": ["Continuous integration", "C#", "Visual Basic", "WPF", ".NET"] } \ No newline at end of file diff --git a/ci/properties/dotnet.properties.json b/ci/properties/dotnet.properties.json index b3feafb..d4f6eb2 100644 --- a/ci/properties/dotnet.properties.json +++ b/ci/properties/dotnet.properties.json @@ -2,5 +2,5 @@ "name": ".NET", "description": "Build and test a .NET or ASP.NET Core project.", "iconName": "dotnet", - "categories": ["C#", "F#", "Visual Basic", "ASP", "ASP.NET", ".NET"] + "categories": ["Continuous integration", "C#", "F#", "Visual Basic", "ASP", "ASP.NET", ".NET"] } diff --git a/ci/properties/elixir.properties.json b/ci/properties/elixir.properties.json index 572992d..6de4ea0 100644 --- a/ci/properties/elixir.properties.json +++ b/ci/properties/elixir.properties.json @@ -2,5 +2,5 @@ "name": "Elixir", "description": "Build and test an Elixir project with Mix.", "iconName": "elixir", - "categories": ["Elixir", "Erlang"] + "categories": ["Continuous integration", "Elixir", "Erlang"] } diff --git a/ci/properties/erlang.properties.json b/ci/properties/erlang.properties.json index d712b05..eba9af6 100644 --- a/ci/properties/erlang.properties.json +++ b/ci/properties/erlang.properties.json @@ -2,5 +2,5 @@ "name": "Erlang", "description": "Build and test an Erlang project with rebar.", "iconName": "erlang", - "categories": ["Erlang"] + "categories": ["Continuous integration", "Erlang"] } diff --git a/ci/properties/gem-push.properties.json b/ci/properties/gem-push.properties.json index 188d80a..0002ac5 100644 --- a/ci/properties/gem-push.properties.json +++ b/ci/properties/gem-push.properties.json @@ -2,5 +2,5 @@ "name": "Ruby Gem", "description": "Pushes a Ruby Gem to RubyGems and GitHub Package Registry.", "iconName": "ruby-gems", - "categories": ["Ruby"] + "categories": ["Continuous integration", "Ruby"] } diff --git a/ci/properties/go.properties.json b/ci/properties/go.properties.json index b96c0a1..1187f94 100644 --- a/ci/properties/go.properties.json +++ b/ci/properties/go.properties.json @@ -2,5 +2,5 @@ "name": "Go", "description": "Build a Go project.", "iconName": "go", - "categories": ["Go"] + "categories": ["Continuous integration", "Go"] } diff --git a/ci/properties/gradle-publish.properties.json b/ci/properties/gradle-publish.properties.json index 3ec3f4f..0155310 100644 --- a/ci/properties/gradle-publish.properties.json +++ b/ci/properties/gradle-publish.properties.json @@ -2,5 +2,5 @@ "name": "Publish Java Package with Gradle", "description": "Build a Java Package using Gradle and publish to GitHub Packages.", "iconName": "gradle", - "categories": ["Java", "Gradle", "Spring", "JSF"] + "categories": ["Continuous integration", "Java", "Gradle", "Spring", "JSF"] } \ No newline at end of file diff --git a/ci/properties/gradle.properties.json b/ci/properties/gradle.properties.json index c90f78f..47d1ddb 100644 --- a/ci/properties/gradle.properties.json +++ b/ci/properties/gradle.properties.json @@ -2,5 +2,5 @@ "name": "Java with Gradle", "description": "Build and test a Java project using a Gradle wrapper script.", "iconName": "gradle", - "categories": ["Java", "Gradle", "Spring", "JSF"] + "categories": ["Continuous integration", "Java", "Gradle", "Spring", "JSF"] } diff --git a/ci/properties/grunt.properties.json b/ci/properties/grunt.properties.json index c8a5b9f..34a0a35 100644 --- a/ci/properties/grunt.properties.json +++ b/ci/properties/grunt.properties.json @@ -2,5 +2,5 @@ "name": "Grunt", "description": "Build a NodeJS project with npm and grunt.", "iconName": "grunt", - "categories": ["JavaScript", "TypeScript", "npm", "Grunt"] + "categories": ["Continuous integration", "JavaScript", "TypeScript", "npm", "Grunt"] } diff --git a/ci/properties/gulp.properties.json b/ci/properties/gulp.properties.json index 658325b..3b4201a 100644 --- a/ci/properties/gulp.properties.json +++ b/ci/properties/gulp.properties.json @@ -2,5 +2,5 @@ "name": "Gulp", "description": "Build a NodeJS project with npm and gulp.", "iconName": "gulp", - "categories": ["JavaScript", "TypeScript", "npm", "Gulp"] + "categories": ["Continuous integration", "JavaScript", "TypeScript", "npm", "Gulp"] } diff --git a/ci/properties/haskell.properties.json b/ci/properties/haskell.properties.json index 2dedbf2..798d3d0 100644 --- a/ci/properties/haskell.properties.json +++ b/ci/properties/haskell.properties.json @@ -2,5 +2,5 @@ "name": "Haskell", "description": "Build and test a Haskell project with Cabal.", "iconName": "haskell", - "categories": ["Haskell"] + "categories": ["Continuous integration", "Haskell"] } diff --git a/ci/properties/ios.properties.json b/ci/properties/ios.properties.json index 0b3a9ed..f88edc9 100644 --- a/ci/properties/ios.properties.json +++ b/ci/properties/ios.properties.json @@ -3,6 +3,7 @@ "description": "Build and test an iOS application using xcodebuild and any available iPhone simulator.", "iconName": "xcode", "categories": [ + "Continuous integration", "iOS", "Xcode" ] diff --git a/ci/properties/jekyll.properties.json b/ci/properties/jekyll.properties.json index 38cc6cd..bbe279c 100644 --- a/ci/properties/jekyll.properties.json +++ b/ci/properties/jekyll.properties.json @@ -2,5 +2,5 @@ "name": "Jekyll", "description": "Package a Jekyll site using the jekyll/builder Docker image.", "iconName": "jekyll", - "categories": ["HTML"] + "categories": ["Continuous integration", "HTML"] } diff --git a/ci/properties/laravel.properties.json b/ci/properties/laravel.properties.json index f10a462..1c2e433 100644 --- a/ci/properties/laravel.properties.json +++ b/ci/properties/laravel.properties.json @@ -3,6 +3,7 @@ "description": "Test a Laravel project.", "iconName": "php", "categories": [ + "Continuous integration", "PHP", "Laravel" ] diff --git a/ci/properties/maven-publish.properties.json b/ci/properties/maven-publish.properties.json index 41f2915..2bc750f 100644 --- a/ci/properties/maven-publish.properties.json +++ b/ci/properties/maven-publish.properties.json @@ -2,5 +2,5 @@ "name": "Publish Java Package with Maven", "description": "Build a Java Package using Maven and publish to GitHub Packages.", "iconName": "maven", - "categories": ["Java", "Maven", "Spring", "JSF"] + "categories": ["Continuous integration", "Java", "Maven", "Spring", "JSF"] } \ No newline at end of file diff --git a/ci/properties/maven.properties.json b/ci/properties/maven.properties.json index 4086470..be8f7bf 100644 --- a/ci/properties/maven.properties.json +++ b/ci/properties/maven.properties.json @@ -2,5 +2,5 @@ "name": "Java with Maven", "description": "Build and test a Java project with Apache Maven.", "iconName": "maven", - "categories": ["Java", "Maven", "Spring", "JSF"] + "categories": ["Continuous integration", "Java", "Maven", "Spring", "JSF"] } diff --git a/ci/properties/msbuild.properties.json b/ci/properties/msbuild.properties.json index b90cad8..c189be2 100644 --- a/ci/properties/msbuild.properties.json +++ b/ci/properties/msbuild.properties.json @@ -2,5 +2,5 @@ "name": "MSBuild based projects", "description": "Build a MSBuild based project.", "iconName": "c-cpp", - "categories": ["C", "C++"] + "categories": ["Continuous integration", "C", "C++"] } \ No newline at end of file diff --git a/ci/properties/node.js.properties.json b/ci/properties/node.js.properties.json index c982d17..32f5306 100644 --- a/ci/properties/node.js.properties.json +++ b/ci/properties/node.js.properties.json @@ -2,5 +2,5 @@ "name": "Node.js", "description": "Build and test a Node.js project with npm.", "iconName": "nodejs", - "categories": ["JavaScript", "npm", "React", "Angular"] + "categories": ["Continuous integration", "JavaScript", "npm", "React", "Angular"] } diff --git a/ci/properties/npm-publish.properties.json b/ci/properties/npm-publish.properties.json index 764dbf3..9371d7b 100644 --- a/ci/properties/npm-publish.properties.json +++ b/ci/properties/npm-publish.properties.json @@ -2,5 +2,5 @@ "name": "Publish Node.js Package", "description": "Publishes a Node.js package to npm and GitHub Packages.", "iconName": "node-package-transparent", - "categories": ["JavaScript", "npm"] + "categories": ["Continuous integration", "JavaScript", "npm"] } diff --git a/ci/properties/php.properties.json b/ci/properties/php.properties.json index 641e536..f345a28 100644 --- a/ci/properties/php.properties.json +++ b/ci/properties/php.properties.json @@ -2,5 +2,5 @@ "name": "PHP", "description": "Build and test a PHP application using Composer", "iconName": "php", - "categories": ["PHP", "Composer"] + "categories": ["Continuous integration", "PHP", "Composer"] } \ No newline at end of file diff --git a/ci/properties/pylint.properties.json b/ci/properties/pylint.properties.json index fc751ea..23c15dc 100644 --- a/ci/properties/pylint.properties.json +++ b/ci/properties/pylint.properties.json @@ -2,5 +2,5 @@ "name": "Pylint", "description": "Lint a Python application with pylint.", "iconName": "python", - "categories": ["Python", "Bottle", "Flask"] + "categories": ["Continuous integration", "Python", "Bottle", "Flask"] } diff --git a/ci/properties/python-app.properties.json b/ci/properties/python-app.properties.json index add4d8b..1229b29 100644 --- a/ci/properties/python-app.properties.json +++ b/ci/properties/python-app.properties.json @@ -2,5 +2,5 @@ "name": "Python application", "description": "Create and test a Python application.", "iconName": "python", - "categories": ["Python", "Bottle", "Flask"] + "categories": ["Continuous integration", "Python", "Bottle", "Flask"] } diff --git a/ci/properties/python-package-conda.properties.json b/ci/properties/python-package-conda.properties.json index 1f6436d..5600766 100644 --- a/ci/properties/python-package-conda.properties.json +++ b/ci/properties/python-package-conda.properties.json @@ -2,5 +2,5 @@ "name": "Python Package using Anaconda", "description": "Create and test a Python package on multiple Python versions using Anaconda for package management.", "iconName": "python", - "categories": ["Python"] + "categories": ["Continuous integration", "Python"] } diff --git a/ci/properties/python-package.properties.json b/ci/properties/python-package.properties.json index 06052d9..8c9dbcf 100644 --- a/ci/properties/python-package.properties.json +++ b/ci/properties/python-package.properties.json @@ -2,5 +2,5 @@ "name": "Python package", "description": "Create and test a Python package on multiple Python versions.", "iconName": "python", - "categories": ["Python", "Bottle", "Flask"] + "categories": ["Continuous integration", "Python", "Bottle", "Flask"] } diff --git a/ci/properties/python-publish.properties.json b/ci/properties/python-publish.properties.json index 4fd9ece..9219e0f 100644 --- a/ci/properties/python-publish.properties.json +++ b/ci/properties/python-publish.properties.json @@ -2,5 +2,5 @@ "name": "Publish Python Package", "description": "Publish a Python Package to PyPI on release.", "iconName": "python", - "categories": ["Python"] + "categories": ["Continuous integration", "Python"] } diff --git a/ci/properties/r.properties.json b/ci/properties/r.properties.json index 84ba0ec..9f83a25 100644 --- a/ci/properties/r.properties.json +++ b/ci/properties/r.properties.json @@ -2,5 +2,5 @@ "name": "R package", "description": "Create and test an R package on multiple R versions.", "iconName": "r", - "categories": ["R"] + "categories": ["Continuous integration", "R"] } diff --git a/ci/properties/ruby.properties.json b/ci/properties/ruby.properties.json index 904f12f..894436b 100644 --- a/ci/properties/ruby.properties.json +++ b/ci/properties/ruby.properties.json @@ -2,5 +2,5 @@ "name": "Ruby", "description": "Build and test a Ruby project with Rake.", "iconName": "ruby", - "categories": ["Ruby"] + "categories": ["Continuous integration", "Ruby"] } diff --git a/ci/properties/rubyonrails-lint.properties.json b/ci/properties/rubyonrails-lint.properties.json index 7dac469..e6e5f69 100644 --- a/ci/properties/rubyonrails-lint.properties.json +++ b/ci/properties/rubyonrails-lint.properties.json @@ -2,5 +2,5 @@ "name": "Rails - Install Dependencies and Run Linters", "description": "Install dependencies and run linters on Rails application", "iconName": "ruby", - "categories": ["Ruby", "Rails"] + "categories": ["Continuous integration", "Ruby", "Rails"] } diff --git a/ci/properties/rust.properties.json b/ci/properties/rust.properties.json index 3a6dc02..3e834d9 100644 --- a/ci/properties/rust.properties.json +++ b/ci/properties/rust.properties.json @@ -2,5 +2,5 @@ "name": "Rust", "description": "Build and test a Rust project with Cargo.", "iconName": "rust", - "categories": ["Rust"] + "categories": ["Continuous integration", "Rust"] } \ No newline at end of file diff --git a/ci/properties/scala.properties.json b/ci/properties/scala.properties.json index a92fc73..34dde26 100644 --- a/ci/properties/scala.properties.json +++ b/ci/properties/scala.properties.json @@ -2,5 +2,5 @@ "name": "Scala", "description": "Build and test a Scala project with SBT.", "iconName": "scala", - "categories": ["Scala", "Java"] + "categories": ["Continuous integration", "Scala", "Java"] } diff --git a/ci/properties/swift.properties.json b/ci/properties/swift.properties.json index 9efd645..b26a264 100644 --- a/ci/properties/swift.properties.json +++ b/ci/properties/swift.properties.json @@ -2,5 +2,5 @@ "name": "Swift", "description": "Build and test a Swift Package.", "iconName": "swift", - "categories": ["Swift"] + "categories": ["Continuous integration", "Swift"] } diff --git a/ci/properties/webpack.properties.json b/ci/properties/webpack.properties.json index 1e22ccb..6d8b1a5 100644 --- a/ci/properties/webpack.properties.json +++ b/ci/properties/webpack.properties.json @@ -2,5 +2,5 @@ "name": "Webpack", "description": "Build a NodeJS project with npm and webpack.", "iconName": "webpack", - "categories": ["JavaScript", "TypeScript", "npm", "Webpack"] + "categories": ["Continuous integration", "JavaScript", "TypeScript", "npm", "Webpack"] } diff --git a/deployments/properties/openshift.properties.json b/deployments/properties/openshift.properties.json index 54948c2..d08351f 100644 --- a/deployments/properties/openshift.properties.json +++ b/deployments/properties/openshift.properties.json @@ -3,5 +3,5 @@ "description": "Build a Docker-based project and deploy it to OpenShift.", "creator": "Red Hat", "iconName": "openshift", - "categories": ["Dockerfile","Deployment" ] + "categories": ["Deployment", "Dockerfile"] } From 1cb322141e9482ee44e8a2756fd4dbc0135696aa Mon Sep 17 00:00:00 2001 From: Ninad Kavimandan Date: Thu, 16 Sep 2021 11:02:21 +0530 Subject: [PATCH 013/300] add `makefile` template (#1093) Co-authored-by: Ashwin Sangem --- ci/makefile.yml | 27 ++++++++++++++++++++++++++ ci/properties/makefile.properties.json | 6 ++++++ icons/makefile.svg | 1 + 3 files changed, 34 insertions(+) create mode 100644 ci/makefile.yml create mode 100644 ci/properties/makefile.properties.json create mode 100644 icons/makefile.svg diff --git a/ci/makefile.yml b/ci/makefile.yml new file mode 100644 index 0000000..eafe622 --- /dev/null +++ b/ci/makefile.yml @@ -0,0 +1,27 @@ +name: Makefile CI + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + +jobs: + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: configure + run: ./configure + + - name: Install dependencies + run: make + + - name: Run check + run: make check + + - name: Run distcheck + run: make distcheck diff --git a/ci/properties/makefile.properties.json b/ci/properties/makefile.properties.json new file mode 100644 index 0000000..93ecf1e --- /dev/null +++ b/ci/properties/makefile.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Build projects with Make", + "description": "Build and test a project using Make.", + "iconName": "makefile", + "categories": ["Makefile"] +} diff --git a/icons/makefile.svg b/icons/makefile.svg new file mode 100644 index 0000000..694ad2e --- /dev/null +++ b/icons/makefile.svg @@ -0,0 +1 @@ + \ No newline at end of file From 9095e7c9d55b5b9aca2cce211f0a7d6b4fe14371 Mon Sep 17 00:00:00 2001 From: Ninad Kavimandan Date: Thu, 16 Sep 2021 11:17:56 +0530 Subject: [PATCH 014/300] added prefix `npm-` (#1097) --- ci/{grunt.yml => npm-grunt.yml} | 0 ci/{gulp.yml => npm-gulp.yml} | 0 .../{grunt.properties.json => npm-grunt.properties.json} | 0 ci/properties/{gulp.properties.json => npm-gulp.properties.json} | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename ci/{grunt.yml => npm-grunt.yml} (100%) rename ci/{gulp.yml => npm-gulp.yml} (100%) rename ci/properties/{grunt.properties.json => npm-grunt.properties.json} (100%) rename ci/properties/{gulp.properties.json => npm-gulp.properties.json} (100%) diff --git a/ci/grunt.yml b/ci/npm-grunt.yml similarity index 100% rename from ci/grunt.yml rename to ci/npm-grunt.yml diff --git a/ci/gulp.yml b/ci/npm-gulp.yml similarity index 100% rename from ci/gulp.yml rename to ci/npm-gulp.yml diff --git a/ci/properties/grunt.properties.json b/ci/properties/npm-grunt.properties.json similarity index 100% rename from ci/properties/grunt.properties.json rename to ci/properties/npm-grunt.properties.json diff --git a/ci/properties/gulp.properties.json b/ci/properties/npm-gulp.properties.json similarity index 100% rename from ci/properties/gulp.properties.json rename to ci/properties/npm-gulp.properties.json From 59daabb07b45f661e2931ea36d8f8a1e42963aa8 Mon Sep 17 00:00:00 2001 From: Ninad Kavimandan Date: Thu, 16 Sep 2021 11:19:17 +0530 Subject: [PATCH 015/300] support `AspNetCore` and `DotNetConsole` (#1096) Co-authored-by: Ashwin Sangem --- ci/properties/dotnet.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/properties/dotnet.properties.json b/ci/properties/dotnet.properties.json index d4f6eb2..1a46604 100644 --- a/ci/properties/dotnet.properties.json +++ b/ci/properties/dotnet.properties.json @@ -2,5 +2,5 @@ "name": ".NET", "description": "Build and test a .NET or ASP.NET Core project.", "iconName": "dotnet", - "categories": ["Continuous integration", "C#", "F#", "Visual Basic", "ASP", "ASP.NET", ".NET"] + "categories": ["Continuous integration", "C#", "F#", "Visual Basic", "ASP", "ASP.NET", ".NET", "AspNetCore", "DotNetConsole"] } From c36ea2c5605bf159b7a6ca8b8bc97c410accc036 Mon Sep 17 00:00:00 2001 From: Ninad Kavimandan Date: Thu, 16 Sep 2021 11:51:53 +0530 Subject: [PATCH 016/300] add `Continuous integration` to makefile props (#1100) --- ci/properties/makefile.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/properties/makefile.properties.json b/ci/properties/makefile.properties.json index 93ecf1e..209bf70 100644 --- a/ci/properties/makefile.properties.json +++ b/ci/properties/makefile.properties.json @@ -2,5 +2,5 @@ "name": "Build projects with Make", "description": "Build and test a project using Make.", "iconName": "makefile", - "categories": ["Makefile"] + "categories": ["Continuous integration", "Makefile"] } From 5e116cb9e84c5d4a3bea833aadc4494a4717c17d Mon Sep 17 00:00:00 2001 From: Manuel Boira Cuevas Date: Thu, 16 Sep 2021 10:47:05 +0200 Subject: [PATCH 017/300] Sysdig Secure Inline Scan with SARIF report to starter workflows --- .../properties/sysdig-scan.properties.json | 7 +++ code-scanning/sysdig-scan.yml | 43 +++++++++++++++++++ icons/sysdig.svg | 37 ++++++++++++++++ 3 files changed, 87 insertions(+) create mode 100644 code-scanning/properties/sysdig-scan.properties.json create mode 100644 code-scanning/sysdig-scan.yml create mode 100644 icons/sysdig.svg diff --git a/code-scanning/properties/sysdig-scan.properties.json b/code-scanning/properties/sysdig-scan.properties.json new file mode 100644 index 0000000..02db691 --- /dev/null +++ b/code-scanning/properties/sysdig-scan.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Sysdigh Inline Scan", + "creator": "Sysdig", + "description": "Performs analysis on locally built container image and posts the results in SARIF report", + "iconName": "cst-logo", + "categories": ["Image Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python", "Powershell", "Cobol", "Objective C", "PHP", "Ruby", "Rust", "SQL", "Swift", "Visual Basic"] +} diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml new file mode 100644 index 0000000..ea52006 --- /dev/null +++ b/code-scanning/sysdig-scan.yml @@ -0,0 +1,43 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Sysdig - Build, scan, push and upload sarif report + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v1 + + - name: Build the Docker image + run: docker build . --file Dockerfile --tag ${{ github.head_ref }}:latest + + - name: Sysdig Secure Inline Scan + id: scan + uses: sysdiglabs/scan-action@v3 + with: + # Tag of the image to analyse + image-tag: "${{ github.head_ref }}:latest" + # API token for Sysdig Scanning auth + sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }} + dockerfile-path: ./Dockerfile + input-type: docker-daemon + ignore-failed-scan: true + + - uses: github/codeql-action/upload-sarif@v1 + if: always() + with: + sarif_file: ${{ steps.scan.outputs.sarifReport } diff --git a/icons/sysdig.svg b/icons/sysdig.svg new file mode 100644 index 0000000..e98d27d --- /dev/null +++ b/icons/sysdig.svg @@ -0,0 +1,37 @@ + + + + + + + From 6dfa11d0c4c966b00c10cab65d484232008ec9cb Mon Sep 17 00:00:00 2001 From: Cadu Ribeiro Date: Fri, 17 Sep 2021 17:58:46 -0300 Subject: [PATCH 018/300] Add github/super-linter as starter workflow on CI (#1089) This commit adds github/super-linter as a starter workflow to execute several linters based on the user codebase on changed files. Co-authored-by: Josh Gross --- ci/properties/super-linter.properties.json | 6 +++++ ci/super-linter.yml | 29 ++++++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 ci/properties/super-linter.properties.json create mode 100644 ci/super-linter.yml diff --git a/ci/properties/super-linter.properties.json b/ci/properties/super-linter.properties.json new file mode 100644 index 0000000..e070300 --- /dev/null +++ b/ci/properties/super-linter.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Super Linter - Run Linters for several languages", + "description": "Run linters for several languages on your code base for changed files", + "iconName": "octicon check-circle", + "categories": ["code-quality", "code-review"] +} diff --git a/ci/super-linter.yml b/ci/super-linter.yml new file mode 100644 index 0000000..bebd82d --- /dev/null +++ b/ci/super-linter.yml @@ -0,0 +1,29 @@ +# This workflow executes several linters on changed files based on languages used in your code base whenever +# you push a code or open a pull request. +# +# You can adjust the behavior by modifying this file. +# For more information, see: +# https://github.com/github/super-linter +name: Lint Code Base + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] +jobs: + run-lint: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v2 + with: + # Full git history is needed to get a proper list of changed files within `super-linter` + fetch-depth: 0 + + - name: Lint Code Base + uses: github/super-linter@v4 + env: + VALIDATE_ALL_CODEBASE: false + DEFAULT_BRANCH: $default-branch + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 38d4e3bfd23aa791fd5906ba8479c09087f3da7e Mon Sep 17 00:00:00 2001 From: manuelbcd Date: Mon, 20 Sep 2021 11:52:53 +0200 Subject: [PATCH 019/300] Added some extra comments, Github Actions V2 and changed env vars --- code-scanning/sysdig-scan.yml | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index ea52006..58b4543 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -20,24 +20,35 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v1 + - uses: actions/checkout@v2 - name: Build the Docker image - run: docker build . --file Dockerfile --tag ${{ github.head_ref }}:latest + # Tag image to be built + # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag below + run: docker build . --file Dockerfile --tag ${{ github.repository }}:latest - name: Sysdig Secure Inline Scan id: scan uses: sysdiglabs/scan-action@v3 with: - # Tag of the image to analyse - image-tag: "${{ github.head_ref }}:latest" + # Tag of the image to analyse. + # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag above + image-tag: ${{ github.repository }}:latest # API token for Sysdig Scanning auth - sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }} + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN}} + # Sysdig secure endpoint. Please read: https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/ + # US-East https://secure.sysdig.com + # US-West https://us2.app.sysdig.com + # EU https://eu1.app.sysdig.com + sysdig-secure-url: https://us2.app.sysdig.com dockerfile-path: ./Dockerfile input-type: docker-daemon ignore-failed-scan: true + # Sysdig inline scanner requires privileged rights + run-as-user: root - uses: github/codeql-action/upload-sarif@v1 + #Upload SARIF file if: always() with: - sarif_file: ${{ steps.scan.outputs.sarifReport } + sarif_file: ${{ steps.scan.outputs.sarifReport }} \ No newline at end of file From e4091f2f55dfbfcd692d8e6444562bf0bd7e4e06 Mon Sep 17 00:00:00 2001 From: Ninad Kavimandan Date: Tue, 21 Sep 2021 13:35:26 +0530 Subject: [PATCH 020/300] add `Vue` to nodejs props (#1109) --- ci/properties/node.js.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/properties/node.js.properties.json b/ci/properties/node.js.properties.json index 32f5306..7f68d88 100644 --- a/ci/properties/node.js.properties.json +++ b/ci/properties/node.js.properties.json @@ -2,5 +2,5 @@ "name": "Node.js", "description": "Build and test a Node.js project with npm.", "iconName": "nodejs", - "categories": ["Continuous integration", "JavaScript", "npm", "React", "Angular"] + "categories": ["Continuous integration", "JavaScript", "npm", "React", "Angular", "Vue"] } From 7d41cdb581da65551176526658e7d4d756ca3078 Mon Sep 17 00:00:00 2001 From: manuelbcd Date: Tue, 21 Sep 2021 11:03:21 +0200 Subject: [PATCH 021/300] Reviews from PR #1110 --- code-scanning/properties/sysdig-scan.properties.json | 4 ++-- code-scanning/sysdig-scan.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/code-scanning/properties/sysdig-scan.properties.json b/code-scanning/properties/sysdig-scan.properties.json index 02db691..87c87cd 100644 --- a/code-scanning/properties/sysdig-scan.properties.json +++ b/code-scanning/properties/sysdig-scan.properties.json @@ -2,6 +2,6 @@ "name": "Sysdigh Inline Scan", "creator": "Sysdig", "description": "Performs analysis on locally built container image and posts the results in SARIF report", - "iconName": "cst-logo", - "categories": ["Image Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python", "Powershell", "Cobol", "Objective C", "PHP", "Ruby", "Rust", "SQL", "Swift", "Visual Basic"] + "iconName": "sysdig", + "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "Node", "Python", "Powershell", "Ruby"] } diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index 58b4543..49841d7 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -29,7 +29,7 @@ jobs: - name: Sysdig Secure Inline Scan id: scan - uses: sysdiglabs/scan-action@v3 + uses: sysdiglabs/scan-action@768d7626a14897e0948ea89c8437dd46a814b163 with: # Tag of the image to analyse. # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag above From 9b4fcbf91135a5c58a6baa6eea122dad129c3dd1 Mon Sep 17 00:00:00 2001 From: manuelbcd Date: Tue, 21 Sep 2021 11:25:16 +0200 Subject: [PATCH 022/300] Adding 'Dockerfile' to category list --- code-scanning/properties/sysdig-scan.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/sysdig-scan.properties.json b/code-scanning/properties/sysdig-scan.properties.json index 87c87cd..09bbd7b 100644 --- a/code-scanning/properties/sysdig-scan.properties.json +++ b/code-scanning/properties/sysdig-scan.properties.json @@ -3,5 +3,5 @@ "creator": "Sysdig", "description": "Performs analysis on locally built container image and posts the results in SARIF report", "iconName": "sysdig", - "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "Node", "Python", "Powershell", "Ruby"] + "categories": ["Code Scanning", "Dockerfile", "C", "C#", "C++", "Go", "Java", "JavaScript", "Node", "Python", "Powershell", "Ruby"] } From 55f65bcc15417680dcd248f288c788a0879a0db4 Mon Sep 17 00:00:00 2001 From: Fernando de Oliveira <5161098+fedeoliv@users.noreply.github.com> Date: Wed, 22 Sep 2021 08:07:22 -0300 Subject: [PATCH 023/300] Directory structure updated (#1112) Co-authored-by: Fernando de Oliveira <5161098+fernandoBRS@users.noreply.github.com> --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 4b5b9f8..77506d4 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,8 @@ These are the workflow files for helping people get started with GitHub Actions. ### Directory structure -* [ci](ci): solutions for Continuous Integration and Deployments +* [ci](ci): solutions for Continuous Integration workflows. +* [deployments](deployments): solutions for Deployment workflows. * [automation](automation): solutions for automating workflows. * [code-scanning](code-scanning): starter workflows for [Code Scanning](https://github.com/features/security) * [icons](icons): svg icons for the relevant template From 97de22b47c64dfc718d0793874168c3fc08a1814 Mon Sep 17 00:00:00 2001 From: Ruud Senden Date: Wed, 22 Sep 2021 14:12:39 +0200 Subject: [PATCH 024/300] Update according to PR review comments --- code-scanning/fortify-on-demand.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/code-scanning/fortify-on-demand.yml b/code-scanning/fortify-on-demand.yml index da200a6..d67d194 100644 --- a/code-scanning/fortify-on-demand.yml +++ b/code-scanning/fortify-on-demand.yml @@ -24,7 +24,7 @@ on: push: branches: [ $default-branch ] schedule: - - cron: '24 18 * * 5' + - cron: $cron-weekly jobs: FoD-SAST-Scan: @@ -56,7 +56,7 @@ jobs: # For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation. # ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/ - name: Download Fortify ScanCentral Client - uses: fortify/gha-setup-scancentral-client@v1 + uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3 - name: Package Code + Dependencies run: scancentral package $PACKAGE_OPTS -o package.zip env: @@ -67,7 +67,7 @@ jobs: # Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used). # Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal. - name: Download Fortify on Demand Universal CI Tool - uses: fortify/gha-setup-fod-uploader@v1 + uses: fortify/gha-setup-fod-uploader@6e6bb8a33cb476e240929fa8ebc739ff110e7433 - name: Perform SAST Scan run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES" env: @@ -82,7 +82,7 @@ jobs: # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. - name: Export results to GitHub-optimized SARIF - uses: fortify/gha-export-vulnerabilities@v1 + uses: fortify/gha-export-vulnerabilities@fcb374411cff9809028c911dabb8b57dbdae623b with: fod_base_url: "https://ams.fortify.com/" fod_tenant: ${{ secrets.FOD_TENANT }} From 5a1343bb22091fcb394e257bbfd53a5be55cabd9 Mon Sep 17 00:00:00 2001 From: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Date: Thu, 23 Sep 2021 10:29:50 +0530 Subject: [PATCH 025/300] Adding template - Build Xcode project (#1095) * adding build for xcode * renaming template Co-authored-by: Ashwin Sangem --- ci/objective-c-xcode.yml | 30 +++++++++++++++++++ .../objective-c-xcode.properties.json | 6 ++++ 2 files changed, 36 insertions(+) create mode 100644 ci/objective-c-xcode.yml create mode 100644 ci/properties/objective-c-xcode.properties.json diff --git a/ci/objective-c-xcode.yml b/ci/objective-c-xcode.yml new file mode 100644 index 0000000..db009b0 --- /dev/null +++ b/ci/objective-c-xcode.yml @@ -0,0 +1,30 @@ +name: Xcode - Build and Analyze + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + +jobs: + build: + name: Build and analyse default scheme using xcodebuild command + runs-on: macos-latest + + steps: + - name: Checkout + uses: actions/checkout@v2 + - name: Set Default Scheme + run: | + scheme_list=$(xcodebuild -list -json | tr -d "\n") + default=$(echo $scheme_list | ruby -e "require 'json'; puts JSON.parse(STDIN.gets)['project']['targets'][0]") + echo $default | cat >default + echo Using default scheme: $default + - name: Build + env: + scheme: ${{ 'default' }} + run: | + if [ $scheme = default ]; then scheme=$(cat default); fi + if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi + file_to_build=`echo $file_to_build | awk '{$1=$1;print}'` + xcodebuild clean build analyze -scheme "$scheme" -"$filetype_parameter" "$file_to_build" | xcpretty && exit ${PIPESTATUS[0]} diff --git a/ci/properties/objective-c-xcode.properties.json b/ci/properties/objective-c-xcode.properties.json new file mode 100644 index 0000000..e6068fe --- /dev/null +++ b/ci/properties/objective-c-xcode.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Xcode - Build and Analyze", + "description": "Build Xcode project using xcodebuild", + "iconName": "xcode", + "categories": ["Continuous integration", "Xcode", "Objective-C"] +} From 4a9a1680df0712aead69b443e6f41ef5a3aaff80 Mon Sep 17 00:00:00 2001 From: Randy Kleinman <76182417+rkleinman-hpe@users.noreply.github.com> Date: Fri, 24 Sep 2021 17:05:34 -0500 Subject: [PATCH 026/300] Update README grammar (#1123) substitue -> substitute --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 77506d4..f39892f 100644 --- a/README.md +++ b/README.md @@ -45,5 +45,5 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`. These variables can be placed in the starter workflow and will be substituted as detailed below: * `$default-branch`: will substitute the branch from the repository, for example `main` and `master` -* `$protected-branches`: will substitue any protected branches from the repository. +* `$protected-branches`: will substitute any protected branches from the repository * `$cron-daily`: will substitute a valid but random time within the day From b58a4e21c6a523516a4c6d5d108a28281e9b7814 Mon Sep 17 00:00:00 2001 From: Nick Fyson Date: Mon, 27 Sep 2021 20:32:30 +0100 Subject: [PATCH 027/300] start validating code-scanning workflows --- script/validate-data/index.ts | 2 +- script/validate-data/settings.json | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 8413653..8153936 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -49,7 +49,7 @@ async function checkWorkflows(folders: string[]): Promise }); for (const e of dir) { - if (e.isFile()) { + if (e.isFile() && extname(e.name) === ".yml") { const fileType = basename(e.name, extname(e.name)) const workflowFilePath = join(folder, e.name); diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index f7c08cf..01092cc 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json @@ -2,6 +2,7 @@ "folders": [ "../../ci", "../../automation", - "../../deployments" + "../../deployments", + "../../code-scanning" ] } \ No newline at end of file From cb6678504a1584c607f7472df3c5ecc7ba72ad31 Mon Sep 17 00:00:00 2001 From: Ruud Senden Date: Tue, 28 Sep 2021 10:24:29 +0200 Subject: [PATCH 028/300] File renames as requested in PR comments --- code-scanning/{fortify-on-demand.yml => fortify.yml} | 0 .../{fortify-on-demand.properties.json => fortify.json} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename code-scanning/{fortify-on-demand.yml => fortify.yml} (100%) rename code-scanning/properties/{fortify-on-demand.properties.json => fortify.json} (100%) diff --git a/code-scanning/fortify-on-demand.yml b/code-scanning/fortify.yml similarity index 100% rename from code-scanning/fortify-on-demand.yml rename to code-scanning/fortify.yml diff --git a/code-scanning/properties/fortify-on-demand.properties.json b/code-scanning/properties/fortify.json similarity index 100% rename from code-scanning/properties/fortify-on-demand.properties.json rename to code-scanning/properties/fortify.json From 70655750b2798ee5171c044e10795b992e27ee6f Mon Sep 17 00:00:00 2001 From: Nick Fyson Date: Tue, 28 Sep 2021 09:37:43 +0100 Subject: [PATCH 029/300] check for yml and yaml extensions --- script/validate-data/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 8153936..84518d7 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -49,7 +49,7 @@ async function checkWorkflows(folders: string[]): Promise }); for (const e of dir) { - if (e.isFile() && extname(e.name) === ".yml") { + if (e.isFile() && [".yml", ".yaml"].includes(extname(e.name))) { const fileType = basename(e.name, extname(e.name)) const workflowFilePath = join(folder, e.name); From f0b8c8ad72c009ca3093b9919e70a6325b49aa44 Mon Sep 17 00:00:00 2001 From: Gary Houbre Date: Tue, 28 Sep 2021 11:41:17 +0200 Subject: [PATCH 030/300] Starter workflow Symfony (#1069) * Add Symfony to starter Workflow * Added Properties from Symfony * Update symfony.yml * Update symfony.yml * Update symfony.yml * Fix Wrong Configuration * Review and fixing * Update Symfony Properties Category Co-authored-by: Ashwin Sangem --- ci/properties/symfony.properties.json | 10 +++++++ ci/symfony.yml | 39 +++++++++++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 ci/properties/symfony.properties.json create mode 100644 ci/symfony.yml diff --git a/ci/properties/symfony.properties.json b/ci/properties/symfony.properties.json new file mode 100644 index 0000000..ea9a950 --- /dev/null +++ b/ci/properties/symfony.properties.json @@ -0,0 +1,10 @@ +{ + "name": "Symfony", + "description": "Test a Symfony project.", + "iconName": "php", + "categories": [ + "Continuous integration", + "PHP", + "Symfony" + ] +} \ No newline at end of file diff --git a/ci/symfony.yml b/ci/symfony.yml new file mode 100644 index 0000000..7d1ca74 --- /dev/null +++ b/ci/symfony.yml @@ -0,0 +1,39 @@ +name: Symfony + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + +jobs: + symfony-tests: + runs-on: ubuntu-latest + steps: + # To automatically get bug fixes and new Php versions for shivammathur/setup-php, + # change this to (see https://github.com/shivammathur/setup-php#bookmark-versioning): + # uses: shivammathur/setup-php@v2 + - uses: shivammathur/setup-php@2cb9b829437ee246e9b3cac53555a39208ca6d28 + with: + php-version: '8.0' + - uses: actions/checkout@v2 + - name: Copy .env.test.local + run: php -r "file_exists('.env.test.local') || copy('.env.test', '.env.test.local');" + - name: Cache Composer packages + id: composer-cache + uses: actions/cache@v2 + with: + path: vendor + key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }} + restore-keys: | + ${{ runner.os }}-php- + - name: Install Dependencies + run: composer install -q --no-ansi --no-interaction --no-scripts --no-progress --prefer-dist + - name: Create Database + run: | + mkdir -p data + touch data/database.sqlite + - name: Execute tests (Unit and Feature tests) via PHPUnit + env: + DATABASE_URL: sqlite:///%kernel.project_dir%/data/database.sqlite + run: vendor/bin/phpunit From 7f30309ccedb0e3dee186e0ee58c232752a78e24 Mon Sep 17 00:00:00 2001 From: Fernando de Oliveira <5161098+fedeoliv@users.noreply.github.com> Date: Wed, 29 Sep 2021 02:02:01 -0300 Subject: [PATCH 031/300] Azure Data Factory CI starter workflow (#1111) * Azure Data Factory CI starter workflow * fix: data factory starter categories * fix: checkout step formatting * fix: data-factory-export targeting latest version * feature: latest adf validate and export versions * feature: Azure Data Factory tech_stack category for CI starter Co-authored-by: Fernando de Oliveira <5161098+fernandoBRS@users.noreply.github.com> --- ci/azure-data-factory.yml | 47 +++++++++++++++++++ .../azure-data-factory.properties.json | 7 +++ icons/azure-data-factory.svg | 1 + 3 files changed, 55 insertions(+) create mode 100644 ci/azure-data-factory.yml create mode 100644 ci/properties/azure-data-factory.properties.json create mode 100644 icons/azure-data-factory.svg diff --git a/ci/azure-data-factory.yml b/ci/azure-data-factory.yml new file mode 100644 index 0000000..776e250 --- /dev/null +++ b/ci/azure-data-factory.yml @@ -0,0 +1,47 @@ +# Sample workflow to validate Azure Data Factory resources and export its ARM template as an artifact +# Note: Ensure you have the following package.json in the same directory of your ADF resources + +# { +# "scripts":{ +# "build":"node node_modules/@microsoft/azure-data-factory-utilities/lib/index" +# }, +# "dependencies":{ +# "@microsoft/azure-data-factory-utilities":"^0.1.5" +# } +# } + +name: Data Factory CI + +on: + pull_request: + branches: [ $default-branch, $protected-branches ] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Code checkout + uses: actions/checkout@v2 + + - name: Validate + uses: Azure/data-factory-validate-action@v1.1.3 + # with: + # path: # replace by the folder that contains the Data Factory resources and the package.json + + # Generate the ARM template into the destination folder, which is the same as selecting "Publish" from the UX. + # The ARM template generated isn't published to the live version of the factory. + - name: Export ARM Template + id: export + uses: Azure/data-factory-export-action@v1.1.0 + # with: + # path: # replace by the folder that contains the Data Factory resources and the package.json + + - name: Publish artifact + uses: actions/upload-artifact@v2 + with: + name: Data Factory package + path: ${{ steps.export.outputs.arm-template-directory }} + if-no-files-found: error diff --git a/ci/properties/azure-data-factory.properties.json b/ci/properties/azure-data-factory.properties.json new file mode 100644 index 0000000..f1e7f5b --- /dev/null +++ b/ci/properties/azure-data-factory.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Azure Data Factory", + "creator": "Microsoft Azure", + "description": "Build and validate Azure Data Factory resources", + "iconName": "azure-data-factory", + "categories": ["Continuous integration", "Azure Data Factory"] +} diff --git a/icons/azure-data-factory.svg b/icons/azure-data-factory.svg new file mode 100644 index 0000000..2237336 --- /dev/null +++ b/icons/azure-data-factory.svg @@ -0,0 +1 @@ +Icon-databases-126 \ No newline at end of file From 8c91a4c02f685e9ef8bf91b40cc51016d7b7e090 Mon Sep 17 00:00:00 2001 From: Sheldon Warkentin Date: Wed, 29 Sep 2021 13:45:57 -0600 Subject: [PATCH 032/300] Remoev mention of trial for Mayhem for API A free plan is now in place with a professional trial that may be opted into afterward. --- code-scanning/mayhem-for-api.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml index 0aab0b4..59d66a0 100644 --- a/code-scanning/mayhem-for-api.yml +++ b/code-scanning/mayhem-for-api.yml @@ -10,7 +10,7 @@ # To use this workflow, you will need to: # # 1. Create a Mayhem for API account at -# https://mayhem4api.forallsecure.com/signup (30-day free trial) +# https://mayhem4api.forallsecure.com/signup # # 2. Create a service account token `mapi organization service-account create # ` From 6b053712bee09ee0862f8768f1810139cc3a95c4 Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Thu, 30 Sep 2021 07:31:43 +0530 Subject: [PATCH 033/300] Added dockerfile to relevant CD template categories. (#1136) * Added Dockerfile to Category for relevant CD templates. * Update terraform.properties.json --- deployments/properties/alibabacloud.properties.json | 2 +- deployments/properties/google.properties.json | 2 +- deployments/properties/ibm.properties.json | 2 +- deployments/properties/tencent.properties.json | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/deployments/properties/alibabacloud.properties.json b/deployments/properties/alibabacloud.properties.json index 1ce285f..d416d88 100644 --- a/deployments/properties/alibabacloud.properties.json +++ b/deployments/properties/alibabacloud.properties.json @@ -3,5 +3,5 @@ "description": "Deploy a container to Alibaba Cloud Container Service for Kubernetes (ACK).", "creator": "Alibaba Cloud", "iconName": "alibabacloud", - "categories": ["Deployment"] + "categories": ["Deployment", "Dockerfile"] } diff --git a/deployments/properties/google.properties.json b/deployments/properties/google.properties.json index c7f216f..6318106 100644 --- a/deployments/properties/google.properties.json +++ b/deployments/properties/google.properties.json @@ -3,5 +3,5 @@ "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", "creator": "Google Cloud", "iconName": "googlegke", - "categories": ["Deployment"] + "categories": ["Deployment", "Dockerfile"] } \ No newline at end of file diff --git a/deployments/properties/ibm.properties.json b/deployments/properties/ibm.properties.json index 4219690..8e5b047 100644 --- a/deployments/properties/ibm.properties.json +++ b/deployments/properties/ibm.properties.json @@ -3,5 +3,5 @@ "description": "Build a docker container, publish it to IBM Cloud Container Registry, and deploy to IBM Cloud Kubernetes Service.", "creator": "IBM", "iconName": "ibm", - "categories": ["Deployment"] + "categories": ["Deployment", "Dockerfile"] } \ No newline at end of file diff --git a/deployments/properties/tencent.properties.json b/deployments/properties/tencent.properties.json index 32d0da7..df18356 100644 --- a/deployments/properties/tencent.properties.json +++ b/deployments/properties/tencent.properties.json @@ -3,5 +3,5 @@ "description": "This workflow will build a docker container, publish and deploy it to Tencent Kubernetes Engine (TKE).", "creator": "Tencent Cloud", "iconName": "tencentcloud", - "categories": ["Deployment"] + "categories": ["Deployment", "Dockerfile"] } \ No newline at end of file From 02d91c6ccfbd5c7bfe25e397dfe80882a725b364 Mon Sep 17 00:00:00 2001 From: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Date: Thu, 30 Sep 2021 10:19:20 +0530 Subject: [PATCH 034/300] checking for allowed category in validate-data script (#1131) * checking for allowed category * Update index.ts --- ci/properties/super-linter.properties.json | 2 +- script/validate-data/index.ts | 13 ++++++++----- script/validate-data/settings.json | 6 ++++++ 3 files changed, 15 insertions(+), 6 deletions(-) diff --git a/ci/properties/super-linter.properties.json b/ci/properties/super-linter.properties.json index e070300..0be52e1 100644 --- a/ci/properties/super-linter.properties.json +++ b/ci/properties/super-linter.properties.json @@ -2,5 +2,5 @@ "name": "Super Linter - Run Linters for several languages", "description": "Run linters for several languages on your code base for changed files", "iconName": "octicon check-circle", - "categories": ["code-quality", "code-review"] + "categories": ["Continuous integration", "code-quality", "code-review"] } diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 84518d7..7dce3d1 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -40,7 +40,7 @@ const propertiesSchema = { } } -async function checkWorkflows(folders: string[]): Promise { +async function checkWorkflows(folders: string[], allowed_categories: string[]): Promise { const result: WorkflowWithErrors[] = [] const workflow_template_names = new Set() for (const folder of folders) { @@ -55,7 +55,7 @@ async function checkWorkflows(folders: string[]): Promise const workflowFilePath = join(folder, e.name); const propertiesFilePath = join(folder, "properties", `${fileType}.properties.json`) - const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath); + const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, allowed_categories); if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) { workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) } @@ -69,13 +69,12 @@ async function checkWorkflows(folders: string[]): Promise return result; } -async function checkWorkflow(workflowPath: string, propertiesPath: string): Promise { +async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: string[]): Promise { let workflowErrors: WorkflowWithErrors = { id: workflowPath, name: null, errors: [] } - try { const workflowFileContent = await fs.readFile(workflowPath, "utf8"); safeLoad(workflowFileContent); // Validate yaml parses without error @@ -105,6 +104,10 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string): Prom } } + if (!workflowPath.endsWith("blank.yml") && (!properties.categories || + !properties.categories.some(category => allowed_categories.some(ac => ac.toLowerCase() == category.toLowerCase())))) { + workflowErrors.errors.push(`Workflow does not contain at least one allowed category - ${allowed_categories}`) + } } catch (e) { workflowErrors.errors.push(e.toString()) } @@ -115,7 +118,7 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string): Prom try { const settings = require("./settings.json"); const erroredWorkflows = await checkWorkflows( - settings.folders + settings.folders, settings.allowed_categories ) if (erroredWorkflows.length > 0) { diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index 01092cc..ce89e36 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json @@ -4,5 +4,11 @@ "../../automation", "../../deployments", "../../code-scanning" + ], + "allowed_categories" : [ + "Continuous integration", + "Deployment", + "Code Scanning", + "Automation" ] } \ No newline at end of file From 7b9e3b68582d04b65cb955fb75c48342450b7f3b Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Fri, 1 Oct 2021 18:50:08 +0530 Subject: [PATCH 035/300] Revert "Azure Data Factory CI starter workflow (#1111)" (#1146) This reverts commit 7f30309ccedb0e3dee186e0ee58c232752a78e24. --- ci/azure-data-factory.yml | 47 ------------------- .../azure-data-factory.properties.json | 7 --- icons/azure-data-factory.svg | 1 - 3 files changed, 55 deletions(-) delete mode 100644 ci/azure-data-factory.yml delete mode 100644 ci/properties/azure-data-factory.properties.json delete mode 100644 icons/azure-data-factory.svg diff --git a/ci/azure-data-factory.yml b/ci/azure-data-factory.yml deleted file mode 100644 index 776e250..0000000 --- a/ci/azure-data-factory.yml +++ /dev/null @@ -1,47 +0,0 @@ -# Sample workflow to validate Azure Data Factory resources and export its ARM template as an artifact -# Note: Ensure you have the following package.json in the same directory of your ADF resources - -# { -# "scripts":{ -# "build":"node node_modules/@microsoft/azure-data-factory-utilities/lib/index" -# }, -# "dependencies":{ -# "@microsoft/azure-data-factory-utilities":"^0.1.5" -# } -# } - -name: Data Factory CI - -on: - pull_request: - branches: [ $default-branch, $protected-branches ] - - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - steps: - - name: Code checkout - uses: actions/checkout@v2 - - - name: Validate - uses: Azure/data-factory-validate-action@v1.1.3 - # with: - # path: # replace by the folder that contains the Data Factory resources and the package.json - - # Generate the ARM template into the destination folder, which is the same as selecting "Publish" from the UX. - # The ARM template generated isn't published to the live version of the factory. - - name: Export ARM Template - id: export - uses: Azure/data-factory-export-action@v1.1.0 - # with: - # path: # replace by the folder that contains the Data Factory resources and the package.json - - - name: Publish artifact - uses: actions/upload-artifact@v2 - with: - name: Data Factory package - path: ${{ steps.export.outputs.arm-template-directory }} - if-no-files-found: error diff --git a/ci/properties/azure-data-factory.properties.json b/ci/properties/azure-data-factory.properties.json deleted file mode 100644 index f1e7f5b..0000000 --- a/ci/properties/azure-data-factory.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Azure Data Factory", - "creator": "Microsoft Azure", - "description": "Build and validate Azure Data Factory resources", - "iconName": "azure-data-factory", - "categories": ["Continuous integration", "Azure Data Factory"] -} diff --git a/icons/azure-data-factory.svg b/icons/azure-data-factory.svg deleted file mode 100644 index 2237336..0000000 --- a/icons/azure-data-factory.svg +++ /dev/null @@ -1 +0,0 @@ -Icon-databases-126 \ No newline at end of file From 596b345944af4fbcae1bdcfaca339abd10bd82ed Mon Sep 17 00:00:00 2001 From: Sarah Edwards Date: Fri, 1 Oct 2021 12:07:03 -0700 Subject: [PATCH 036/300] use env variables for user-set values (#1117) Co-authored-by: Josh Gross --- deployments/aws.yml | 34 ++++++++++++++++++++++------------ 1 file changed, 22 insertions(+), 12 deletions(-) diff --git a/deployments/aws.yml b/deployments/aws.yml index 8b10116..6a6643c 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -5,29 +5,40 @@ # # 1. Create an ECR repository to store your images. # For example: `aws ecr create-repository --repository-name my-ecr-repo --region us-east-2`. -# Replace the value of `ECR_REPOSITORY` in the workflow below with your repository's name. -# Replace the value of `aws-region` in the workflow below with your repository's region. +# Replace the value of the `ECR_REPOSITORY` environment variable in the workflow below with your repository's name. +# Replace the value of the `AWS_REGION` environment variable in the workflow below with your repository's region. # # 2. Create an ECS task definition, an ECS cluster, and an ECS service. # For example, follow the Getting Started guide on the ECS console: # https://us-east-2.console.aws.amazon.com/ecs/home?region=us-east-2#/firstRun -# Replace the values for `service` and `cluster` in the workflow below with your service and cluster names. +# Replace the value of the `ECS_SERVICE` environment variable in the workflow below with the name you set for the Amazon ECS service. +# Replace the value of the `ECS_CLUSTER` environment variable in the workflow below with the name you set for the cluster. # # 3. Store your ECS task definition as a JSON file in your repository. # The format should follow the output of `aws ecs register-task-definition --generate-cli-skeleton`. -# Replace the value of `task-definition` in the workflow below with your JSON file's name. -# Replace the value of `container-name` in the workflow below with the name of the container +# Replace the value of the `ECS_TASK_DEFINITION` environment variable in the workflow below with the path to the JSON file. +# Replace the value of the `CONTAINER_NAME` environment variable in the workflow below with the name of the container # in the `containerDefinitions` section of the task definition. # # 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. # See the documentation for each action used below for the recommended IAM policies for this IAM user, # and best practices on handling the access key credentials. +name: Deploy to Amazon ECS + on: release: types: [created] -name: Deploy to Amazon ECS +env: + AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1 + ECR_REPOSITORY: MY_ECR_REPOSITORY # set this to your Amazon ECR repository name + ECS_SERVICE: MY_ECS_SERVICE # set this to your Amazon ECS service name + ECS_CLUSTER: MY_ECS_CLUSTER # set this to your Amazon ECS cluster name + ECS_TASK_DEFINITION: MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition + # file, e.g. .aws/task-definition.json + CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the + # containerDefinitions section of your task definition jobs: deploy: @@ -44,7 +55,7 @@ jobs: with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: us-east-2 + aws-region: ${{ env.AWS_REGION }} - name: Login to Amazon ECR id: login-ecr @@ -54,7 +65,6 @@ jobs: id: build-image env: ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} - ECR_REPOSITORY: my-ecr-repo IMAGE_TAG: ${{ github.sha }} run: | # Build a docker container and @@ -68,14 +78,14 @@ jobs: id: task-def uses: aws-actions/amazon-ecs-render-task-definition@v1 with: - task-definition: task-definition.json - container-name: sample-app + task-definition: ${{ env.ECS_TASK_DEFINITION }} + container-name: ${{ env.CONTAINER_NAME }} image: ${{ steps.build-image.outputs.image }} - name: Deploy Amazon ECS task definition uses: aws-actions/amazon-ecs-deploy-task-definition@v1 with: task-definition: ${{ steps.task-def.outputs.task-definition }} - service: sample-app-service - cluster: default + service: ${{ env.ECS_SERVICE }} + cluster: ${{ env.ECS_CLUSTER }} wait-for-service-stability: true From c705225b8f52e676371b168efc00b6f60347c22d Mon Sep 17 00:00:00 2001 From: Yoni Leitersdorf Date: Mon, 4 Oct 2021 09:48:47 -0700 Subject: [PATCH 037/300] Apply suggestions from nickfyson's code review Co-authored-by: Nick Fyson --- code-scanning/cloudrail.yml | 2 +- code-scanning/properties/cloudrail.properties.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml index 474b97a..9f95c5c 100644 --- a/code-scanning/cloudrail.yml +++ b/code-scanning/cloudrail.yml @@ -43,7 +43,7 @@ jobs: - run: stat plan.out - name: Run Cloudrail - uses: indeni/cloudrail-run-ga@v1.3 + uses: indeni/cloudrail-run-ga@b56ed2d30913c975b36df231adc2eabf05523622 with: tf-plan-file: plan.out # This was created in a "terraform plan" step cloudrail-api-key: ${{ secrets.CLOUDRAIL_API_KEY }} # This requires registration to Indeni Cloudrail's SaaS at https://web.cloudrail.app diff --git a/code-scanning/properties/cloudrail.properties.json b/code-scanning/properties/cloudrail.properties.json index 36181c2..830d966 100644 --- a/code-scanning/properties/cloudrail.properties.json +++ b/code-scanning/properties/cloudrail.properties.json @@ -1,7 +1,7 @@ { "name": "cloudrail", "creator": "Indeni Cloudrail", - "description": "Cloudrail, by Indeni, can be used to scan your infrastructure-as-code files for potential security and compliance issues. The Cloudrail action is often used as part of both CI workflows (on pull_request) and on CD workflows to identify potential issues. Cloudrail's output uses the SARIF format, which will surface the scan's results directly inside your pull request.", + "description": "Cloudrail can be used to scan your infrastructure-as-code files for potential security and compliance issues. The Cloudrail action is often used as part of both CI workflows (on pull_request) and on CD workflows to identify potential issues.", "iconName": "cloudrail", "categories": ["Code Scanning", "HCL"] } From 85d2a866f0a645ca63143b55efeabd510673b5d4 Mon Sep 17 00:00:00 2001 From: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Date: Tue, 5 Oct 2021 11:22:46 +0530 Subject: [PATCH 038/300] removing "deployment" templates from sync-ghes (#1127) --- script/sync-ghes/settings.json | 1 - 1 file changed, 1 deletion(-) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index e4f50fa..9648ab4 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -2,7 +2,6 @@ "folders": [ "../../ci", "../../automation", - "../../deployments", "../../code-scanning" ], "enabledActions": [ From 2a1abda503bbc05d90f27f56dc0820c20dfdb17c Mon Sep 17 00:00:00 2001 From: manuelbcd Date: Tue, 5 Oct 2021 09:30:45 +0200 Subject: [PATCH 039/300] Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson --- code-scanning/properties/sysdig-scan.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/sysdig-scan.properties.json b/code-scanning/properties/sysdig-scan.properties.json index 09bbd7b..e61c2e1 100644 --- a/code-scanning/properties/sysdig-scan.properties.json +++ b/code-scanning/properties/sysdig-scan.properties.json @@ -2,6 +2,6 @@ "name": "Sysdigh Inline Scan", "creator": "Sysdig", "description": "Performs analysis on locally built container image and posts the results in SARIF report", - "iconName": "sysdig", + "iconName": "sysdig-scan", "categories": ["Code Scanning", "Dockerfile", "C", "C#", "C++", "Go", "Java", "JavaScript", "Node", "Python", "Powershell", "Ruby"] } From b7d9f15826dd424115512f2e638a9b1c952a3787 Mon Sep 17 00:00:00 2001 From: manuelbcd Date: Tue, 5 Oct 2021 09:30:53 +0200 Subject: [PATCH 040/300] Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson --- code-scanning/properties/sysdig-scan.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/sysdig-scan.properties.json b/code-scanning/properties/sysdig-scan.properties.json index e61c2e1..d39072e 100644 --- a/code-scanning/properties/sysdig-scan.properties.json +++ b/code-scanning/properties/sysdig-scan.properties.json @@ -1,5 +1,5 @@ { - "name": "Sysdigh Inline Scan", + "name": "Sysdig Inline Scan", "creator": "Sysdig", "description": "Performs analysis on locally built container image and posts the results in SARIF report", "iconName": "sysdig-scan", From b55a65157e3ea87ec372ce9a4c4fdbacf6c12f1b Mon Sep 17 00:00:00 2001 From: manuelbcd Date: Tue, 5 Oct 2021 10:39:56 +0200 Subject: [PATCH 041/300] Changed svg logo --- icons/sysdig.svg | 51 ++++++++++++++---------------------------------- 1 file changed, 15 insertions(+), 36 deletions(-) diff --git a/icons/sysdig.svg b/icons/sysdig.svg index e98d27d..31101c8 100644 --- a/icons/sysdig.svg +++ b/icons/sysdig.svg @@ -1,37 +1,16 @@ - - - - - - + + + + + + + + + + + + + From b258b332347865c37c04023d8a5b24a6289e1523 Mon Sep 17 00:00:00 2001 From: manuelbcd Date: Tue, 5 Oct 2021 15:02:00 +0200 Subject: [PATCH 042/300] Rename sysdig.svg to sysdig-scan.svg --- icons/{sysdig.svg => sysdig-scan.svg} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename icons/{sysdig.svg => sysdig-scan.svg} (100%) diff --git a/icons/sysdig.svg b/icons/sysdig-scan.svg similarity index 100% rename from icons/sysdig.svg rename to icons/sysdig-scan.svg From 3c200bdb2180e82004d0c31c6d76685718232883 Mon Sep 17 00:00:00 2001 From: manuelbcd Date: Tue, 5 Oct 2021 15:09:31 +0200 Subject: [PATCH 043/300] Switched svg logo (again) for a better fit --- icons/sysdig-scan.svg | 17 +---------------- 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/icons/sysdig-scan.svg b/icons/sysdig-scan.svg index 31101c8..85d5de0 100644 --- a/icons/sysdig-scan.svg +++ b/icons/sysdig-scan.svg @@ -1,16 +1 @@ - - - - - - - - - - - - - - +Artboard 1 \ No newline at end of file From 6a1dba2d716a1156f1214755bd3e97f97189e0e8 Mon Sep 17 00:00:00 2001 From: Nick Fyson Date: Tue, 5 Oct 2021 20:44:48 +0100 Subject: [PATCH 044/300] Rename fortify.json to fortify.properties.json --- .../properties/{fortify.json => fortify.properties.json} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename code-scanning/properties/{fortify.json => fortify.properties.json} (100%) diff --git a/code-scanning/properties/fortify.json b/code-scanning/properties/fortify.properties.json similarity index 100% rename from code-scanning/properties/fortify.json rename to code-scanning/properties/fortify.properties.json From 2e38bc8da2eb1245a9e7426f57d9246d55d649f4 Mon Sep 17 00:00:00 2001 From: Yoni Leitersdorf Date: Wed, 6 Oct 2021 12:52:26 -0700 Subject: [PATCH 045/300] Correct character-case of "c" in Cloudrail --- code-scanning/cloudrail.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml index 9f95c5c..00e270a 100644 --- a/code-scanning/cloudrail.yml +++ b/code-scanning/cloudrail.yml @@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. -name: cloudrail +name: Cloudrail on: push: From cbd5b645f1a79cf3496950ff6d0b66ddf0b71542 Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Fri, 8 Oct 2021 17:31:42 +0530 Subject: [PATCH 046/300] Merge pull request #1110 from manuelbcd/main (#1155) * Added Cloudrail according to instructions and existing examples * Adding Cloudrail according to documentation and examples * Oops * Add original Fortify on Demand workflow * Update Fortify on Demand workflow * Update Fortify on Demand supported languages * Add 3rd-party GitHub Actions disclaimer * Sysdig Secure Inline Scan with SARIF report to starter workflows * Added some extra comments, Github Actions V2 and changed env vars * Reviews from PR #1110 * Adding 'Dockerfile' to category list * Update according to PR review comments * File renames as requested in PR comments * Revert "Azure Data Factory CI starter workflow (#1111)" (#1146) This reverts commit 7f30309ccedb0e3dee186e0ee58c232752a78e24. * use env variables for user-set values (#1117) Co-authored-by: Josh Gross * Apply suggestions from nickfyson's code review Co-authored-by: Nick Fyson * removing "deployment" templates from sync-ghes (#1127) * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Changed svg logo * Rename sysdig.svg to sysdig-scan.svg * Switched svg logo (again) for a better fit * Rename fortify.json to fortify.properties.json Co-authored-by: Yoni Leitersdorf Co-authored-by: Ruud Senden Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com> Co-authored-by: Manuel Boira Cuevas Co-authored-by: manuelbcd Co-authored-by: Nick Fyson Co-authored-by: Sarah Edwards Co-authored-by: Josh Gross Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Co-authored-by: manuelbcd --- ci/azure-data-factory.yml | 47 --------- .../azure-data-factory.properties.json | 7 -- code-scanning/cloudrail.yml | 58 +++++++++++ code-scanning/fortify.yml | 97 +++++++++++++++++++ .../properties/cloudrail.properties.json | 7 ++ .../properties/fortify.properties.json | 7 ++ .../properties/sysdig-scan.properties.json | 7 ++ code-scanning/sysdig-scan.yml | 54 +++++++++++ deployments/aws.yml | 34 ++++--- icons/azure-data-factory.svg | 1 - icons/cloudrail.svg | 53 ++++++++++ icons/fortify.svg | 1 + icons/sysdig-scan.svg | 1 + script/sync-ghes/settings.json | 1 - 14 files changed, 307 insertions(+), 68 deletions(-) delete mode 100644 ci/azure-data-factory.yml delete mode 100644 ci/properties/azure-data-factory.properties.json create mode 100644 code-scanning/cloudrail.yml create mode 100644 code-scanning/fortify.yml create mode 100644 code-scanning/properties/cloudrail.properties.json create mode 100644 code-scanning/properties/fortify.properties.json create mode 100644 code-scanning/properties/sysdig-scan.properties.json create mode 100644 code-scanning/sysdig-scan.yml delete mode 100644 icons/azure-data-factory.svg create mode 100644 icons/cloudrail.svg create mode 100644 icons/fortify.svg create mode 100644 icons/sysdig-scan.svg diff --git a/ci/azure-data-factory.yml b/ci/azure-data-factory.yml deleted file mode 100644 index 776e250..0000000 --- a/ci/azure-data-factory.yml +++ /dev/null @@ -1,47 +0,0 @@ -# Sample workflow to validate Azure Data Factory resources and export its ARM template as an artifact -# Note: Ensure you have the following package.json in the same directory of your ADF resources - -# { -# "scripts":{ -# "build":"node node_modules/@microsoft/azure-data-factory-utilities/lib/index" -# }, -# "dependencies":{ -# "@microsoft/azure-data-factory-utilities":"^0.1.5" -# } -# } - -name: Data Factory CI - -on: - pull_request: - branches: [ $default-branch, $protected-branches ] - - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - steps: - - name: Code checkout - uses: actions/checkout@v2 - - - name: Validate - uses: Azure/data-factory-validate-action@v1.1.3 - # with: - # path: # replace by the folder that contains the Data Factory resources and the package.json - - # Generate the ARM template into the destination folder, which is the same as selecting "Publish" from the UX. - # The ARM template generated isn't published to the live version of the factory. - - name: Export ARM Template - id: export - uses: Azure/data-factory-export-action@v1.1.0 - # with: - # path: # replace by the folder that contains the Data Factory resources and the package.json - - - name: Publish artifact - uses: actions/upload-artifact@v2 - with: - name: Data Factory package - path: ${{ steps.export.outputs.arm-template-directory }} - if-no-files-found: error diff --git a/ci/properties/azure-data-factory.properties.json b/ci/properties/azure-data-factory.properties.json deleted file mode 100644 index f1e7f5b..0000000 --- a/ci/properties/azure-data-factory.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Azure Data Factory", - "creator": "Microsoft Azure", - "description": "Build and validate Azure Data Factory resources", - "iconName": "azure-data-factory", - "categories": ["Continuous integration", "Azure Data Factory"] -} diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml new file mode 100644 index 0000000..9f95c5c --- /dev/null +++ b/code-scanning/cloudrail.yml @@ -0,0 +1,58 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: cloudrail + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + cloudrail: + name: Run Indeni Cloudrail on Terraform code with SARIF output + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Clone repo + uses: actions/checkout@v2 + + # For Terraform, Cloudrail requires the plan as input. So we generate it using + # the Terraform core binary. + - uses: hashicorp/setup-terraform@v1 + with: + terraform_version: v0.13.2 + + - run: terraform init + + - run: terraform plan -out=plan.out + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + # Confirm we have the plan file + - run: stat plan.out + + - name: Run Cloudrail + uses: indeni/cloudrail-run-ga@b56ed2d30913c975b36df231adc2eabf05523622 + with: + tf-plan-file: plan.out # This was created in a "terraform plan" step + cloudrail-api-key: ${{ secrets.CLOUDRAIL_API_KEY }} # This requires registration to Indeni Cloudrail's SaaS at https://web.cloudrail.app + cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + # Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always() + # is needed to ensure the SARIF file is uploaded + if: always() + with: + sarif_file: cloudrail_results.sarif diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml new file mode 100644 index 0000000..d67d194 --- /dev/null +++ b/code-scanning/fortify.yml @@ -0,0 +1,97 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +################################################################################################################################################ +# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,# +# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial # +# or contact our sales team, visit microfocus.com/appsecurity. # +# # +# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.# +# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into # +# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against # +# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the # +# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional # +# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. # +################################################################################################################################################ + +name: Fortify on Demand Scan + +# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time +on: + workflow_dispatch: + push: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + FoD-SAST-Scan: + # Use the appropriate runner for building your source code. + # TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax. + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + # Check out source code + - name: Check Out Source Code + uses: actions/checkout@v2 + + # Java is required to run the various Fortify utilities. + # When scanning a Java application, please use the appropriate Java version for building your application. + - name: Setup Java + uses: actions/setup-java@v1 + with: + java-version: 1.8 + + # Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml. + # TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints: + # ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle). + # ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner. + # ScanCentral has additional options that should be set for PHP and Python projects + # For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation. + # ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/ + - name: Download Fortify ScanCentral Client + uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3 + - name: Package Code + Dependencies + run: scancentral package $PACKAGE_OPTS -o package.zip + env: + PACKAGE_OPTS: "-bt mvn" + + # Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java + # TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints: + # Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used). + # Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal. + - name: Download Fortify on Demand Universal CI Tool + uses: fortify/gha-setup-fod-uploader@6e6bb8a33cb476e240929fa8ebc739ff110e7433 + - name: Perform SAST Scan + run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES" + env: + FOD_URL: "https://ams.fortify.com/" + FOD_API_URL: "https://api.ams.fortify.com/" + FOD_TENANT: ${{ secrets.FOD_TENANT }} + FOD_USER: ${{ secrets.FOD_USER }} + FOD_PAT: ${{ secrets.FOD_PAT }} + FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }} + FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" + FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})' + + # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. + - name: Export results to GitHub-optimized SARIF + uses: fortify/gha-export-vulnerabilities@fcb374411cff9809028c911dabb8b57dbdae623b + with: + fod_base_url: "https://ams.fortify.com/" + fod_tenant: ${{ secrets.FOD_TENANT }} + fod_user: ${{ secrets.FOD_USER }} + fod_password: ${{ secrets.FOD_PAT }} + fod_release_id: ${{ secrets.FOD_RELEASE_ID }} + + # Import Fortify on Demand results to GitHub Security Code Scanning + - name: Import Results + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ./gh-fortify-sast.sarif diff --git a/code-scanning/properties/cloudrail.properties.json b/code-scanning/properties/cloudrail.properties.json new file mode 100644 index 0000000..830d966 --- /dev/null +++ b/code-scanning/properties/cloudrail.properties.json @@ -0,0 +1,7 @@ +{ + "name": "cloudrail", + "creator": "Indeni Cloudrail", + "description": "Cloudrail can be used to scan your infrastructure-as-code files for potential security and compliance issues. The Cloudrail action is often used as part of both CI workflows (on pull_request) and on CD workflows to identify potential issues.", + "iconName": "cloudrail", + "categories": ["Code Scanning", "HCL"] +} diff --git a/code-scanning/properties/fortify.properties.json b/code-scanning/properties/fortify.properties.json new file mode 100644 index 0000000..100b4bb --- /dev/null +++ b/code-scanning/properties/fortify.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Fortify on Demand Scan", + "creator": "Micro Focus", + "description": "Integrate Fortify's comprehensive static code analysis (SAST) for 27+ languages into your DevSecOps workflows to build secure software faster.", + "iconName": "fortify", + "categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Go", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "Objective-C++", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML"] +} diff --git a/code-scanning/properties/sysdig-scan.properties.json b/code-scanning/properties/sysdig-scan.properties.json new file mode 100644 index 0000000..d39072e --- /dev/null +++ b/code-scanning/properties/sysdig-scan.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Sysdig Inline Scan", + "creator": "Sysdig", + "description": "Performs analysis on locally built container image and posts the results in SARIF report", + "iconName": "sysdig-scan", + "categories": ["Code Scanning", "Dockerfile", "C", "C#", "C++", "Go", "Java", "JavaScript", "Node", "Python", "Powershell", "Ruby"] +} diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml new file mode 100644 index 0000000..49841d7 --- /dev/null +++ b/code-scanning/sysdig-scan.yml @@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Sysdig - Build, scan, push and upload sarif report + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Build the Docker image + # Tag image to be built + # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag below + run: docker build . --file Dockerfile --tag ${{ github.repository }}:latest + + - name: Sysdig Secure Inline Scan + id: scan + uses: sysdiglabs/scan-action@768d7626a14897e0948ea89c8437dd46a814b163 + with: + # Tag of the image to analyse. + # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag above + image-tag: ${{ github.repository }}:latest + # API token for Sysdig Scanning auth + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN}} + # Sysdig secure endpoint. Please read: https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/ + # US-East https://secure.sysdig.com + # US-West https://us2.app.sysdig.com + # EU https://eu1.app.sysdig.com + sysdig-secure-url: https://us2.app.sysdig.com + dockerfile-path: ./Dockerfile + input-type: docker-daemon + ignore-failed-scan: true + # Sysdig inline scanner requires privileged rights + run-as-user: root + + - uses: github/codeql-action/upload-sarif@v1 + #Upload SARIF file + if: always() + with: + sarif_file: ${{ steps.scan.outputs.sarifReport }} \ No newline at end of file diff --git a/deployments/aws.yml b/deployments/aws.yml index 8b10116..6a6643c 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -5,29 +5,40 @@ # # 1. Create an ECR repository to store your images. # For example: `aws ecr create-repository --repository-name my-ecr-repo --region us-east-2`. -# Replace the value of `ECR_REPOSITORY` in the workflow below with your repository's name. -# Replace the value of `aws-region` in the workflow below with your repository's region. +# Replace the value of the `ECR_REPOSITORY` environment variable in the workflow below with your repository's name. +# Replace the value of the `AWS_REGION` environment variable in the workflow below with your repository's region. # # 2. Create an ECS task definition, an ECS cluster, and an ECS service. # For example, follow the Getting Started guide on the ECS console: # https://us-east-2.console.aws.amazon.com/ecs/home?region=us-east-2#/firstRun -# Replace the values for `service` and `cluster` in the workflow below with your service and cluster names. +# Replace the value of the `ECS_SERVICE` environment variable in the workflow below with the name you set for the Amazon ECS service. +# Replace the value of the `ECS_CLUSTER` environment variable in the workflow below with the name you set for the cluster. # # 3. Store your ECS task definition as a JSON file in your repository. # The format should follow the output of `aws ecs register-task-definition --generate-cli-skeleton`. -# Replace the value of `task-definition` in the workflow below with your JSON file's name. -# Replace the value of `container-name` in the workflow below with the name of the container +# Replace the value of the `ECS_TASK_DEFINITION` environment variable in the workflow below with the path to the JSON file. +# Replace the value of the `CONTAINER_NAME` environment variable in the workflow below with the name of the container # in the `containerDefinitions` section of the task definition. # # 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. # See the documentation for each action used below for the recommended IAM policies for this IAM user, # and best practices on handling the access key credentials. +name: Deploy to Amazon ECS + on: release: types: [created] -name: Deploy to Amazon ECS +env: + AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1 + ECR_REPOSITORY: MY_ECR_REPOSITORY # set this to your Amazon ECR repository name + ECS_SERVICE: MY_ECS_SERVICE # set this to your Amazon ECS service name + ECS_CLUSTER: MY_ECS_CLUSTER # set this to your Amazon ECS cluster name + ECS_TASK_DEFINITION: MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition + # file, e.g. .aws/task-definition.json + CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the + # containerDefinitions section of your task definition jobs: deploy: @@ -44,7 +55,7 @@ jobs: with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: us-east-2 + aws-region: ${{ env.AWS_REGION }} - name: Login to Amazon ECR id: login-ecr @@ -54,7 +65,6 @@ jobs: id: build-image env: ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} - ECR_REPOSITORY: my-ecr-repo IMAGE_TAG: ${{ github.sha }} run: | # Build a docker container and @@ -68,14 +78,14 @@ jobs: id: task-def uses: aws-actions/amazon-ecs-render-task-definition@v1 with: - task-definition: task-definition.json - container-name: sample-app + task-definition: ${{ env.ECS_TASK_DEFINITION }} + container-name: ${{ env.CONTAINER_NAME }} image: ${{ steps.build-image.outputs.image }} - name: Deploy Amazon ECS task definition uses: aws-actions/amazon-ecs-deploy-task-definition@v1 with: task-definition: ${{ steps.task-def.outputs.task-definition }} - service: sample-app-service - cluster: default + service: ${{ env.ECS_SERVICE }} + cluster: ${{ env.ECS_CLUSTER }} wait-for-service-stability: true diff --git a/icons/azure-data-factory.svg b/icons/azure-data-factory.svg deleted file mode 100644 index 2237336..0000000 --- a/icons/azure-data-factory.svg +++ /dev/null @@ -1 +0,0 @@ -Icon-databases-126 \ No newline at end of file diff --git a/icons/cloudrail.svg b/icons/cloudrail.svg new file mode 100644 index 0000000..9aaf9c3 --- /dev/null +++ b/icons/cloudrail.svg @@ -0,0 +1,53 @@ + + + + + + + + + + + + + + diff --git a/icons/fortify.svg b/icons/fortify.svg new file mode 100644 index 0000000..45a0d77 --- /dev/null +++ b/icons/fortify.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/icons/sysdig-scan.svg b/icons/sysdig-scan.svg new file mode 100644 index 0000000..85d5de0 --- /dev/null +++ b/icons/sysdig-scan.svg @@ -0,0 +1 @@ +Artboard 1 \ No newline at end of file diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index e4f50fa..9648ab4 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -2,7 +2,6 @@ "folders": [ "../../ci", "../../automation", - "../../deployments", "../../code-scanning" ], "enabledActions": [ From ad91ff259d7cecd18ae3822a3276cd861b05fd5d Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Mon, 11 Oct 2021 14:58:21 +0530 Subject: [PATCH 047/300] AWS template also used Docker --- deployments/properties/aws.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/properties/aws.properties.json b/deployments/properties/aws.properties.json index 10a7ed3..1b5955a 100644 --- a/deployments/properties/aws.properties.json +++ b/deployments/properties/aws.properties.json @@ -3,5 +3,5 @@ "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.", "creator": "Amazon Web Services", "iconName": "aws", - "categories": ["Deployment"] -} \ No newline at end of file + "categories": ["Deployment", "Dockerfile"] +} From 6b14bf21cbdaa4a53dd4b2254999f6b8e4116e77 Mon Sep 17 00:00:00 2001 From: Sarah Edwards Date: Mon, 11 Oct 2021 12:53:15 -0700 Subject: [PATCH 048/300] trigger on push instead of release (#1157) Co-authored-by: Josh Gross --- deployments/alibabacloud.yml | 7 ++++--- deployments/aws.yml | 7 ++++--- deployments/azure.yml | 7 ++++--- deployments/google.yml | 7 ++++--- deployments/ibm.yml | 7 ++++--- deployments/tencent.yml | 7 ++++--- 6 files changed, 24 insertions(+), 18 deletions(-) diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index 9ccc033..ded9178 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -1,5 +1,5 @@ # This workflow will build and push a new container image to Alibaba Cloud Container Registry (ACR), -# and then will deploy it to Alibaba Cloud Container Service for Kubernetes (ACK), when a release is created. +# and then will deploy it to Alibaba Cloud Container Service for Kubernetes (ACK), when there is a push to the $default-branch branch. # # To use this workflow, you will need to complete the following set-up steps: # @@ -20,8 +20,9 @@ name: Build and Deploy to ACK on: - release: - types: [created] + push: + branches: + - $default-branch # Environment variables available to all jobs and steps in this workflow. env: diff --git a/deployments/aws.yml b/deployments/aws.yml index 6a6643c..dab851f 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -1,5 +1,5 @@ # This workflow will build and push a new container image to Amazon ECR, -# and then will deploy a new task definition to Amazon ECS, when a release is created +# and then will deploy a new task definition to Amazon ECS, when there is a push to the $default-branch branch. # # To use this workflow, you will need to complete the following set-up steps: # @@ -27,8 +27,9 @@ name: Deploy to Amazon ECS on: - release: - types: [created] + push: + branches: + - $default-branch env: AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1 diff --git a/deployments/azure.yml b/deployments/azure.yml index 0262b49..904ff25 100644 --- a/deployments/azure.yml +++ b/deployments/azure.yml @@ -1,4 +1,4 @@ -# This workflow will build and push a node.js application to an Azure Web App when a release is created. +# This workflow will build and push a node.js application to an Azure Web App when there is a push to the $default-branch branch. # # This workflow assumes you have already created the target Azure App Service web app. # For instructions see https://docs.microsoft.com/azure/app-service/app-service-plan-manage#create-an-app-service-plan @@ -16,8 +16,9 @@ # For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions # For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples on: - release: - types: [created] + push: + branches: + - $default-branch env: AZURE_WEBAPP_NAME: your-app-name # set this to your application's name diff --git a/deployments/google.yml b/deployments/google.yml index 5e803ed..267d3cb 100644 --- a/deployments/google.yml +++ b/deployments/google.yml @@ -1,4 +1,4 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when a release is created +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. # # To configure this workflow: # @@ -13,8 +13,9 @@ name: Build and Deploy to GKE on: - release: - types: [created] + push: + branches: + - $default-branch env: PROJECT_ID: ${{ secrets.GKE_PROJECT }} diff --git a/deployments/ibm.yml b/deployments/ibm.yml index a8502cd..216b04d 100644 --- a/deployments/ibm.yml +++ b/deployments/ibm.yml @@ -1,4 +1,4 @@ -# This workflow will build a docker container, publish it to IBM Container Registry, and deploy it to IKS when a release is created +# This workflow will build a docker container, publish it to IBM Container Registry, and deploy it to IKS when there is a push to the $default-branch branch. # # To configure this workflow: # @@ -9,8 +9,9 @@ name: Build and Deploy to IKS on: - release: - types: [created] + push: + branches: + - $default-branch # Environment variables available to all jobs and steps in this workflow env: diff --git a/deployments/tencent.yml b/deployments/tencent.yml index 0be339e..83bde94 100644 --- a/deployments/tencent.yml +++ b/deployments/tencent.yml @@ -1,4 +1,4 @@ -# This workflow will build a docker container, publish and deploy it to Tencent Kubernetes Engine (TKE). +# This workflow will build a docker container, publish and deploy it to Tencent Kubernetes Engine (TKE) when there is a push to the $default-branch branch. # # To configure this workflow: # @@ -16,8 +16,9 @@ name: Tencent Kubernetes Engine on: - release: - types: [created] + push: + branches: + - $default-branch # Environment variables available to all jobs and steps in this workflow env: From ffef54a02cbf054ebab8ea72d504f2653e697196 Mon Sep 17 00:00:00 2001 From: Abir Majumdar Date: Fri, 15 Oct 2021 08:37:05 -0400 Subject: [PATCH 049/300] Adding MobSF starter workflow --- code-scanning/mobsf.yml | 36 ++++++ .../properties/mobsf.properties.json | 14 +++ icons/mobsf.svg | 114 ++++++++++++++++++ 3 files changed, 164 insertions(+) create mode 100644 code-scanning/mobsf.yml create mode 100644 code-scanning/properties/mobsf.properties.json create mode 100644 icons/mobsf.svg diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml new file mode 100644 index 0000000..1bd737b --- /dev/null +++ b/code-scanning/mobsf.yml @@ -0,0 +1,36 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: MobSF + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + + workflow_dispatch: + +jobs: + mobile-security: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Setup python + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: mobsfscan + uses: MobSF/mobsfscan@main + with: + args: . --sarif --output results.sarif || true + + - name: Upload mobsfscan report + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif \ No newline at end of file diff --git a/code-scanning/properties/mobsf.properties.json b/code-scanning/properties/mobsf.properties.json new file mode 100644 index 0000000..6bca14e --- /dev/null +++ b/code-scanning/properties/mobsf.properties.json @@ -0,0 +1,14 @@ +{ + "name": "mobsf", + "creator": "mobsf", + "description": "Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.", + "iconName": "mobsf", + "categories": [ + "Code Scanning", + "Java", + "Swift", + "Objective-C", + "Kotlin", + "Mobile" + ] +} \ No newline at end of file diff --git a/icons/mobsf.svg b/icons/mobsf.svg new file mode 100644 index 0000000..46dd154 --- /dev/null +++ b/icons/mobsf.svg @@ -0,0 +1,114 @@ + + + + From 6e44c89176192da113b52f836a4c538a30ba2656 Mon Sep 17 00:00:00 2001 From: Abir Majumdar Date: Fri, 15 Oct 2021 08:55:34 -0400 Subject: [PATCH 050/300] Adhering to pull request guidelines --- code-scanning/mobsf.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 1bd737b..1da2611 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -7,11 +7,11 @@ name: MobSF on: push: - branches: [ master ] + branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ master ] - - workflow_dispatch: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly jobs: mobile-security: @@ -25,7 +25,7 @@ jobs: with: python-version: 3.8 - - name: mobsfscan + - name: Run mobsfscan uses: MobSF/mobsfscan@main with: args: . --sarif --output results.sarif || true From 21775ad05bf2415ebd480c17a803fd8a83065a72 Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Fri, 15 Oct 2021 15:32:54 -0700 Subject: [PATCH 051/300] Rename "azure.yml" to Node-specific name --- .../{azure.yml => azure-webapps-node.yml} | 30 +++++++++++++++---- ...son => azure-webapps-node.properties.json} | 0 2 files changed, 24 insertions(+), 6 deletions(-) rename deployments/{azure.yml => azure-webapps-node.yml} (81%) rename deployments/properties/{azure.properties.json => azure-webapps-node.properties.json} (100%) diff --git a/deployments/azure.yml b/deployments/azure-webapps-node.yml similarity index 81% rename from deployments/azure.yml rename to deployments/azure-webapps-node.yml index 0262b49..ab144ba 100644 --- a/deployments/azure.yml +++ b/deployments/azure-webapps-node.yml @@ -25,23 +25,41 @@ env: NODE_VERSION: '10.x' # set this to the node version to use jobs: - build-and-deploy: - name: Build and Deploy + build: runs-on: ubuntu-latest - environment: production steps: - uses: actions/checkout@v2 - - name: Use Node.js ${{ env.NODE_VERSION }} + + - name: Set up Node.js uses: actions/setup-node@v2 with: node-version: ${{ env.NODE_VERSION }} + - name: npm install, build, and test run: | - # Build and test the project, then - # deploy to Azure Web App. npm install npm run build --if-present npm run test --if-present + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v2 + with: + name: node-app + path: . + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Production' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: node-app + - name: 'Deploy to Azure WebApp' uses: azure/webapps-deploy@v2 with: diff --git a/deployments/properties/azure.properties.json b/deployments/properties/azure-webapps-node.properties.json similarity index 100% rename from deployments/properties/azure.properties.json rename to deployments/properties/azure-webapps-node.properties.json From e59c11c494c0a2a443cf8577b496e63f618c8169 Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Fri, 15 Oct 2021 15:33:45 -0700 Subject: [PATCH 052/300] Add templates and properties for other languages --- deployments/azure-webapps-container.yml | 59 ++++++++++++++++ deployments/azure-webapps-java-jar.yml | 56 ++++++++++++++++ deployments/azure-webapps-python.yml | 67 +++++++++++++++++++ .../azure-webapps-container.properties.json | 7 ++ .../azure-webapps-java-jar.properties.json | 7 ++ .../azure-webapps-python.properties.json | 7 ++ 6 files changed, 203 insertions(+) create mode 100644 deployments/azure-webapps-container.yml create mode 100644 deployments/azure-webapps-java-jar.yml create mode 100644 deployments/azure-webapps-python.yml create mode 100644 deployments/properties/azure-webapps-container.properties.json create mode 100644 deployments/properties/azure-webapps-java-jar.properties.json create mode 100644 deployments/properties/azure-webapps-python.properties.json diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-webapps-container.yml new file mode 100644 index 0000000..b9dab0d --- /dev/null +++ b/deployments/azure-webapps-container.yml @@ -0,0 +1,59 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# More GitHub Actions for Azure: https://github.com/Azure/actions + +name: Build and deploy a container to an Azure Web App + +env: + AZURE_WEBAPP_NAME: '' # set this to the name of your Azure Web App + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + + - name: Log in to GitHub container registry + uses: docker/login-action@v1 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Lowercase the repo name + run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} + + - name: Build and push container image to registry + uses: docker/build-push-action@v2 + with: + push: true + tags: ghcr.io/${{ env.REPO }}:${{ github.sha }} + file: ./Dockerfile + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Production' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Lowercase the repo name + run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} + + - name: Deploy to Azure Web App + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}' \ No newline at end of file diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml new file mode 100644 index 0000000..ae1cb87 --- /dev/null +++ b/deployments/azure-webapps-java-jar.yml @@ -0,0 +1,56 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# More GitHub Actions for Azure: https://github.com/Azure/actions + +name: Build and deploy JAR app to Azure Web App + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + JAVA_VERSION: '11' # set this to the Java version to use + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Set up Java version + uses: actions/setup-java@v1 + with: + java-version: ${{ env.JAVA_VERSION }} + + - name: Build with Maven + run: mvn clean install + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v2 + with: + name: java-app + path: '${{ github.workspace }}/target/*.jar' + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: Production + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: java-app + + - name: Deploy to Azure Web App + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: '*.jar' \ No newline at end of file diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml new file mode 100644 index 0000000..a934a02 --- /dev/null +++ b/deployments/azure-webapps-python.yml @@ -0,0 +1,67 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# More GitHub Actions for Azure: https://github.com/Azure/actions +# More info on Python, GitHub Actions, and Azure App Service: https://aka.ms/python-webapps-actions + +name: Build and deploy Python app to Azure Web App - __sitename__ + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + PYTHON_VERSION: '11' # set this to the Python version to use + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Set up Python version + uses: actions/setup-python@v1 + with: + python-version: ${{ env.PYTHON_VERSION }} + + - name: Create and start virtual environment + run: | + python -m venv venv + source venv/bin/activate + + - name: Install dependencies + run: pip install -r requirements.txt + + # Optional: Add step to run tests here (PyTest, Django test suites, etc.) + + - name: Upload artifact for deployment jobs + uses: actions/upload-artifact@v2 + with: + name: python-app + path: | + . + !venv/ + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: '__slotname__' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: python-app + path: . + + - name: 'Deploy to Azure Web App' + uses: azure/webapps-deploy@v2 + id: deploy-to-webapp + with: + app-name: '__sitename__' + slot-name: '__slotname__' + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} diff --git a/deployments/properties/azure-webapps-container.properties.json b/deployments/properties/azure-webapps-container.properties.json new file mode 100644 index 0000000..1335e3a --- /dev/null +++ b/deployments/properties/azure-webapps-container.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy a container to an Azure Web App", + "description": "Build a container and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment"] +} \ No newline at end of file diff --git a/deployments/properties/azure-webapps-java-jar.properties.json b/deployments/properties/azure-webapps-java-jar.properties.json new file mode 100644 index 0000000..f2418fa --- /dev/null +++ b/deployments/properties/azure-webapps-java-jar.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy a Java .jar app to an Azure Web App", + "description": "Build a Java project and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment"] +} \ No newline at end of file diff --git a/deployments/properties/azure-webapps-python.properties.json b/deployments/properties/azure-webapps-python.properties.json new file mode 100644 index 0000000..f749848 --- /dev/null +++ b/deployments/properties/azure-webapps-python.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy a Python app to an Azure Web App", + "description": "Build a Python app and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment"] +} \ No newline at end of file From 4fad808870ff1d108b443339ba43616c6f88c6ca Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Fri, 15 Oct 2021 15:47:30 -0700 Subject: [PATCH 053/300] Add workflow for .NET Core --- deployments/azure-webapps-dotnet-core.yml | 59 +++++++++++++++++++ .../properties/azure-webapps-donet-core.json | 7 +++ 2 files changed, 66 insertions(+) create mode 100644 deployments/azure-webapps-dotnet-core.yml create mode 100644 deployments/properties/azure-webapps-donet-core.json diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml new file mode 100644 index 0000000..532efc4 --- /dev/null +++ b/deployments/azure-webapps-dotnet-core.yml @@ -0,0 +1,59 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# More GitHub Actions for Azure: https://github.com/Azure/actions + +name: Build and deploy ASP.Net Core app to an Azure Web App + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + DOTNET_VERSION: '5' # set this to the .NET Core version to use + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Set up .NET Core + uses: actions/setup-dotnet@v1 + with: + dotnet-version: ${{ env.DOTNET_VERSION }} + + - name: Build with dotnet + run: dotnet build --configuration Release + + - name: dotnet publish + run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v2 + with: + name: .net-app + path: ${{env.DOTNET_ROOT}}/myapp + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Production' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: .net-app + + - name: Deploy to Azure Web App + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: . diff --git a/deployments/properties/azure-webapps-donet-core.json b/deployments/properties/azure-webapps-donet-core.json new file mode 100644 index 0000000..3ac2f8c --- /dev/null +++ b/deployments/properties/azure-webapps-donet-core.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy a .NET Core app to an Azure Web App", + "description": "Build a .NET Core project and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment"] +} \ No newline at end of file From e6620ddc5b73399da7e03af6164e62d93790fe51 Mon Sep 17 00:00:00 2001 From: Rui Chen Date: Wed, 20 Oct 2021 00:02:48 -0400 Subject: [PATCH 054/300] python: update to use python 3.10 Signed-off-by: Rui Chen --- ci/pylint.yml | 4 ++-- ci/python-app.yml | 4 ++-- ci/python-package-conda.yml | 4 ++-- ci/python-package.yml | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ci/pylint.yml b/ci/pylint.yml index 0805af7..e217f63 100644 --- a/ci/pylint.yml +++ b/ci/pylint.yml @@ -9,10 +9,10 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up Python 3.9 + - name: Set up Python 3.10 uses: actions/setup-python@v2 with: - python-version: 3.9 + python-version: 3.10 - name: Install dependencies run: | python -m pip install --upgrade pip diff --git a/ci/python-app.yml b/ci/python-app.yml index f6ad69a..30b2b8f 100644 --- a/ci/python-app.yml +++ b/ci/python-app.yml @@ -16,10 +16,10 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up Python 3.9 + - name: Set up Python 3.10 uses: actions/setup-python@v2 with: - python-version: 3.9 + python-version: 3.10 - name: Install dependencies run: | python -m pip install --upgrade pip diff --git a/ci/python-package-conda.yml b/ci/python-package-conda.yml index 7bae7e2..9bd6d2b 100644 --- a/ci/python-package-conda.yml +++ b/ci/python-package-conda.yml @@ -10,10 +10,10 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up Python 3.8 + - name: Set up Python 3.10 uses: actions/setup-python@v2 with: - python-version: 3.8 + python-version: 3.10 - name: Add conda to system path run: | # $CONDA is an environment variable pointing to the root of the miniconda directory diff --git a/ci/python-package.yml b/ci/python-package.yml index b079b1c..9690811 100644 --- a/ci/python-package.yml +++ b/ci/python-package.yml @@ -16,7 +16,7 @@ jobs: strategy: fail-fast: false matrix: - python-version: [3.7, 3.8, 3.9] + python-version: [3.8, 3.9, 3.10] steps: - uses: actions/checkout@v2 From c765d6316fb380d15d81206ede83b0042cdac377 Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Thu, 21 Oct 2021 14:27:06 +0530 Subject: [PATCH 055/300] Added new templates for 3 clouds. --- deployments/aws_docker.yml | 92 +++++++++++++++++++ deployments/aws_node.yml | 92 +++++++++++++++++++ deployments/azure_docker.yml | 51 ++++++++++ deployments/azure_node.yml | 51 ++++++++++ deployments/google_java.yml | 81 ++++++++++++++++ deployments/google_python.yml | 81 ++++++++++++++++ .../properties/aws_docker.properties.json | 7 ++ .../properties/aws_node.properties.json | 7 ++ .../properties/azure_docker.properties.json | 7 ++ .../properties/azure_node.properties.json | 7 ++ .../properties/google_java.properties.json | 7 ++ .../properties/google_python.properties.json | 7 ++ 12 files changed, 490 insertions(+) create mode 100644 deployments/aws_docker.yml create mode 100644 deployments/aws_node.yml create mode 100644 deployments/azure_docker.yml create mode 100644 deployments/azure_node.yml create mode 100644 deployments/google_java.yml create mode 100644 deployments/google_python.yml create mode 100644 deployments/properties/aws_docker.properties.json create mode 100644 deployments/properties/aws_node.properties.json create mode 100644 deployments/properties/azure_docker.properties.json create mode 100644 deployments/properties/azure_node.properties.json create mode 100644 deployments/properties/google_java.properties.json create mode 100644 deployments/properties/google_python.properties.json diff --git a/deployments/aws_docker.yml b/deployments/aws_docker.yml new file mode 100644 index 0000000..dab851f --- /dev/null +++ b/deployments/aws_docker.yml @@ -0,0 +1,92 @@ +# This workflow will build and push a new container image to Amazon ECR, +# and then will deploy a new task definition to Amazon ECS, when there is a push to the $default-branch branch. +# +# To use this workflow, you will need to complete the following set-up steps: +# +# 1. Create an ECR repository to store your images. +# For example: `aws ecr create-repository --repository-name my-ecr-repo --region us-east-2`. +# Replace the value of the `ECR_REPOSITORY` environment variable in the workflow below with your repository's name. +# Replace the value of the `AWS_REGION` environment variable in the workflow below with your repository's region. +# +# 2. Create an ECS task definition, an ECS cluster, and an ECS service. +# For example, follow the Getting Started guide on the ECS console: +# https://us-east-2.console.aws.amazon.com/ecs/home?region=us-east-2#/firstRun +# Replace the value of the `ECS_SERVICE` environment variable in the workflow below with the name you set for the Amazon ECS service. +# Replace the value of the `ECS_CLUSTER` environment variable in the workflow below with the name you set for the cluster. +# +# 3. Store your ECS task definition as a JSON file in your repository. +# The format should follow the output of `aws ecs register-task-definition --generate-cli-skeleton`. +# Replace the value of the `ECS_TASK_DEFINITION` environment variable in the workflow below with the path to the JSON file. +# Replace the value of the `CONTAINER_NAME` environment variable in the workflow below with the name of the container +# in the `containerDefinitions` section of the task definition. +# +# 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. +# See the documentation for each action used below for the recommended IAM policies for this IAM user, +# and best practices on handling the access key credentials. + +name: Deploy to Amazon ECS + +on: + push: + branches: + - $default-branch + +env: + AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1 + ECR_REPOSITORY: MY_ECR_REPOSITORY # set this to your Amazon ECR repository name + ECS_SERVICE: MY_ECS_SERVICE # set this to your Amazon ECS service name + ECS_CLUSTER: MY_ECS_CLUSTER # set this to your Amazon ECS cluster name + ECS_TASK_DEFINITION: MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition + # file, e.g. .aws/task-definition.json + CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the + # containerDefinitions section of your task definition + +jobs: + deploy: + name: Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: ${{ env.AWS_REGION }} + + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + + - name: Build, tag, and push image to Amazon ECR + id: build-image + env: + ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} + IMAGE_TAG: ${{ github.sha }} + run: | + # Build a docker container and + # push it to ECR so that it can + # be deployed to ECS. + docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG . + docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG + echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" + + - name: Fill in the new image ID in the Amazon ECS task definition + id: task-def + uses: aws-actions/amazon-ecs-render-task-definition@v1 + with: + task-definition: ${{ env.ECS_TASK_DEFINITION }} + container-name: ${{ env.CONTAINER_NAME }} + image: ${{ steps.build-image.outputs.image }} + + - name: Deploy Amazon ECS task definition + uses: aws-actions/amazon-ecs-deploy-task-definition@v1 + with: + task-definition: ${{ steps.task-def.outputs.task-definition }} + service: ${{ env.ECS_SERVICE }} + cluster: ${{ env.ECS_CLUSTER }} + wait-for-service-stability: true diff --git a/deployments/aws_node.yml b/deployments/aws_node.yml new file mode 100644 index 0000000..dab851f --- /dev/null +++ b/deployments/aws_node.yml @@ -0,0 +1,92 @@ +# This workflow will build and push a new container image to Amazon ECR, +# and then will deploy a new task definition to Amazon ECS, when there is a push to the $default-branch branch. +# +# To use this workflow, you will need to complete the following set-up steps: +# +# 1. Create an ECR repository to store your images. +# For example: `aws ecr create-repository --repository-name my-ecr-repo --region us-east-2`. +# Replace the value of the `ECR_REPOSITORY` environment variable in the workflow below with your repository's name. +# Replace the value of the `AWS_REGION` environment variable in the workflow below with your repository's region. +# +# 2. Create an ECS task definition, an ECS cluster, and an ECS service. +# For example, follow the Getting Started guide on the ECS console: +# https://us-east-2.console.aws.amazon.com/ecs/home?region=us-east-2#/firstRun +# Replace the value of the `ECS_SERVICE` environment variable in the workflow below with the name you set for the Amazon ECS service. +# Replace the value of the `ECS_CLUSTER` environment variable in the workflow below with the name you set for the cluster. +# +# 3. Store your ECS task definition as a JSON file in your repository. +# The format should follow the output of `aws ecs register-task-definition --generate-cli-skeleton`. +# Replace the value of the `ECS_TASK_DEFINITION` environment variable in the workflow below with the path to the JSON file. +# Replace the value of the `CONTAINER_NAME` environment variable in the workflow below with the name of the container +# in the `containerDefinitions` section of the task definition. +# +# 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. +# See the documentation for each action used below for the recommended IAM policies for this IAM user, +# and best practices on handling the access key credentials. + +name: Deploy to Amazon ECS + +on: + push: + branches: + - $default-branch + +env: + AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1 + ECR_REPOSITORY: MY_ECR_REPOSITORY # set this to your Amazon ECR repository name + ECS_SERVICE: MY_ECS_SERVICE # set this to your Amazon ECS service name + ECS_CLUSTER: MY_ECS_CLUSTER # set this to your Amazon ECS cluster name + ECS_TASK_DEFINITION: MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition + # file, e.g. .aws/task-definition.json + CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the + # containerDefinitions section of your task definition + +jobs: + deploy: + name: Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: ${{ env.AWS_REGION }} + + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + + - name: Build, tag, and push image to Amazon ECR + id: build-image + env: + ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} + IMAGE_TAG: ${{ github.sha }} + run: | + # Build a docker container and + # push it to ECR so that it can + # be deployed to ECS. + docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG . + docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG + echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" + + - name: Fill in the new image ID in the Amazon ECS task definition + id: task-def + uses: aws-actions/amazon-ecs-render-task-definition@v1 + with: + task-definition: ${{ env.ECS_TASK_DEFINITION }} + container-name: ${{ env.CONTAINER_NAME }} + image: ${{ steps.build-image.outputs.image }} + + - name: Deploy Amazon ECS task definition + uses: aws-actions/amazon-ecs-deploy-task-definition@v1 + with: + task-definition: ${{ steps.task-def.outputs.task-definition }} + service: ${{ env.ECS_SERVICE }} + cluster: ${{ env.ECS_CLUSTER }} + wait-for-service-stability: true diff --git a/deployments/azure_docker.yml b/deployments/azure_docker.yml new file mode 100644 index 0000000..904ff25 --- /dev/null +++ b/deployments/azure_docker.yml @@ -0,0 +1,51 @@ +# This workflow will build and push a node.js application to an Azure Web App when there is a push to the $default-branch branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/azure/app-service/app-service-plan-manage#create-an-app-service-plan +# +# To configure this workflow: +# +# 1. For Linux apps, add an app setting called WEBSITE_WEBDEPLOY_USE_SCM and set it to true in your app **before downloading the file**. +# For more instructions see: https://docs.microsoft.com/azure/app-service/configure-common#configure-app-settings +# +# 2. Set up a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE with the value of your Azure publish profile. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the values for the AZURE_WEBAPP_NAME, AZURE_WEBAPP_PACKAGE_PATH and NODE_VERSION environment variables (below). +# +# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions +# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +on: + push: + branches: + - $default-branch + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to your application's name + AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root + NODE_VERSION: '10.x' # set this to the node version to use + +jobs: + build-and-deploy: + name: Build and Deploy + runs-on: ubuntu-latest + environment: production + steps: + - uses: actions/checkout@v2 + - name: Use Node.js ${{ env.NODE_VERSION }} + uses: actions/setup-node@v2 + with: + node-version: ${{ env.NODE_VERSION }} + - name: npm install, build, and test + run: | + # Build and test the project, then + # deploy to Azure Web App. + npm install + npm run build --if-present + npm run test --if-present + - name: 'Deploy to Azure WebApp' + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} diff --git a/deployments/azure_node.yml b/deployments/azure_node.yml new file mode 100644 index 0000000..904ff25 --- /dev/null +++ b/deployments/azure_node.yml @@ -0,0 +1,51 @@ +# This workflow will build and push a node.js application to an Azure Web App when there is a push to the $default-branch branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/azure/app-service/app-service-plan-manage#create-an-app-service-plan +# +# To configure this workflow: +# +# 1. For Linux apps, add an app setting called WEBSITE_WEBDEPLOY_USE_SCM and set it to true in your app **before downloading the file**. +# For more instructions see: https://docs.microsoft.com/azure/app-service/configure-common#configure-app-settings +# +# 2. Set up a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE with the value of your Azure publish profile. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the values for the AZURE_WEBAPP_NAME, AZURE_WEBAPP_PACKAGE_PATH and NODE_VERSION environment variables (below). +# +# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions +# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +on: + push: + branches: + - $default-branch + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to your application's name + AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root + NODE_VERSION: '10.x' # set this to the node version to use + +jobs: + build-and-deploy: + name: Build and Deploy + runs-on: ubuntu-latest + environment: production + steps: + - uses: actions/checkout@v2 + - name: Use Node.js ${{ env.NODE_VERSION }} + uses: actions/setup-node@v2 + with: + node-version: ${{ env.NODE_VERSION }} + - name: npm install, build, and test + run: | + # Build and test the project, then + # deploy to Azure Web App. + npm install + npm run build --if-present + npm run test --if-present + - name: 'Deploy to Azure WebApp' + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} diff --git a/deployments/google_java.yml b/deployments/google_java.yml new file mode 100644 index 0000000..267d3cb --- /dev/null +++ b/deployments/google_java.yml @@ -0,0 +1,81 @@ +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. +# +# To configure this workflow: +# +# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. +# +# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). +# +# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). +# +# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke + +name: Build and Deploy to GKE + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: ${{ secrets.GKE_PROJECT }} + GKE_CLUSTER: cluster-1 # TODO: update to cluster name + GKE_ZONE: us-central1-c # TODO: update to cluster zone + DEPLOYMENT_NAME: gke-test # TODO: update to deployment name + IMAGE: static-site + +jobs: + setup-build-publish-deploy: + name: Setup, Build, Publish, and Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v2 + + # Setup gcloud CLI + - uses: google-github-actions/setup-gcloud@v0.2.0 + with: + service_account_key: ${{ secrets.GKE_SA_KEY }} + project_id: ${{ secrets.GKE_PROJECT }} + + # Configure Docker to use the gcloud command-line tool as a credential + # helper for authentication + - run: |- + gcloud --quiet auth configure-docker + + # Get the GKE credentials so we can deploy to the cluster + - uses: google-github-actions/get-gke-credentials@v0.2.1 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + credentials: ${{ secrets.GKE_SA_KEY }} + + # Build the Docker image + - name: Build + run: |- + docker build \ + --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ + --build-arg GITHUB_SHA="$GITHUB_SHA" \ + --build-arg GITHUB_REF="$GITHUB_REF" \ + . + + # Push the Docker image to Google Container Registry + - name: Publish + run: |- + docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" + + # Set up kustomize + - name: Set up Kustomize + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 + chmod u+x ./kustomize + + # Deploy the Docker image to the GKE cluster + - name: Deploy + run: |- + ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide diff --git a/deployments/google_python.yml b/deployments/google_python.yml new file mode 100644 index 0000000..267d3cb --- /dev/null +++ b/deployments/google_python.yml @@ -0,0 +1,81 @@ +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. +# +# To configure this workflow: +# +# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. +# +# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). +# +# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). +# +# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke + +name: Build and Deploy to GKE + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: ${{ secrets.GKE_PROJECT }} + GKE_CLUSTER: cluster-1 # TODO: update to cluster name + GKE_ZONE: us-central1-c # TODO: update to cluster zone + DEPLOYMENT_NAME: gke-test # TODO: update to deployment name + IMAGE: static-site + +jobs: + setup-build-publish-deploy: + name: Setup, Build, Publish, and Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v2 + + # Setup gcloud CLI + - uses: google-github-actions/setup-gcloud@v0.2.0 + with: + service_account_key: ${{ secrets.GKE_SA_KEY }} + project_id: ${{ secrets.GKE_PROJECT }} + + # Configure Docker to use the gcloud command-line tool as a credential + # helper for authentication + - run: |- + gcloud --quiet auth configure-docker + + # Get the GKE credentials so we can deploy to the cluster + - uses: google-github-actions/get-gke-credentials@v0.2.1 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + credentials: ${{ secrets.GKE_SA_KEY }} + + # Build the Docker image + - name: Build + run: |- + docker build \ + --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ + --build-arg GITHUB_SHA="$GITHUB_SHA" \ + --build-arg GITHUB_REF="$GITHUB_REF" \ + . + + # Push the Docker image to Google Container Registry + - name: Publish + run: |- + docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" + + # Set up kustomize + - name: Set up Kustomize + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 + chmod u+x ./kustomize + + # Deploy the Docker image to the GKE cluster + - name: Deploy + run: |- + ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide diff --git a/deployments/properties/aws_docker.properties.json b/deployments/properties/aws_docker.properties.json new file mode 100644 index 0000000..1b5955a --- /dev/null +++ b/deployments/properties/aws_docker.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to Amazon ECS", + "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.", + "creator": "Amazon Web Services", + "iconName": "aws", + "categories": ["Deployment", "Dockerfile"] +} diff --git a/deployments/properties/aws_node.properties.json b/deployments/properties/aws_node.properties.json new file mode 100644 index 0000000..d099e52 --- /dev/null +++ b/deployments/properties/aws_node.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to Amazon ECS", + "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.", + "creator": "Amazon Web Services", + "iconName": "aws", + "categories": ["Deployment", "JavaScript", "npm"] +} diff --git a/deployments/properties/azure_docker.properties.json b/deployments/properties/azure_docker.properties.json new file mode 100644 index 0000000..a5fd8ea --- /dev/null +++ b/deployments/properties/azure_docker.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy Node.js to Azure Web App", + "description": "Build a Node.js project and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Dockerfile"] +} \ No newline at end of file diff --git a/deployments/properties/azure_node.properties.json b/deployments/properties/azure_node.properties.json new file mode 100644 index 0000000..90a3717 --- /dev/null +++ b/deployments/properties/azure_node.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy Node.js to Azure Web App", + "description": "Build a Node.js project and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "JavaScript", "npm"] +} \ No newline at end of file diff --git a/deployments/properties/google_java.properties.json b/deployments/properties/google_java.properties.json new file mode 100644 index 0000000..cc17c30 --- /dev/null +++ b/deployments/properties/google_java.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Build and Deploy to GKE", + "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", + "creator": "Google Cloud", + "iconName": "googlegke", + "categories": ["Deployment", "Java"] +} \ No newline at end of file diff --git a/deployments/properties/google_python.properties.json b/deployments/properties/google_python.properties.json new file mode 100644 index 0000000..3ded1a9 --- /dev/null +++ b/deployments/properties/google_python.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Build and Deploy to GKE", + "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", + "creator": "Google Cloud", + "iconName": "googlegke", + "categories": ["Deployment", "Python"] +} \ No newline at end of file From e3fc80f30e9fe153a43658a7b96ec53b75be6ac7 Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Thu, 21 Oct 2021 08:59:43 +0000 Subject: [PATCH 056/300] Revert "Added new templates for 3 clouds." This reverts commit c765d6316fb380d15d81206ede83b0042cdac377. --- deployments/aws_docker.yml | 92 ------------------- deployments/aws_node.yml | 92 ------------------- deployments/azure_docker.yml | 51 ---------- deployments/azure_node.yml | 51 ---------- deployments/google_java.yml | 81 ---------------- deployments/google_python.yml | 81 ---------------- .../properties/aws_docker.properties.json | 7 -- .../properties/aws_node.properties.json | 7 -- .../properties/azure_docker.properties.json | 7 -- .../properties/azure_node.properties.json | 7 -- .../properties/google_java.properties.json | 7 -- .../properties/google_python.properties.json | 7 -- 12 files changed, 490 deletions(-) delete mode 100644 deployments/aws_docker.yml delete mode 100644 deployments/aws_node.yml delete mode 100644 deployments/azure_docker.yml delete mode 100644 deployments/azure_node.yml delete mode 100644 deployments/google_java.yml delete mode 100644 deployments/google_python.yml delete mode 100644 deployments/properties/aws_docker.properties.json delete mode 100644 deployments/properties/aws_node.properties.json delete mode 100644 deployments/properties/azure_docker.properties.json delete mode 100644 deployments/properties/azure_node.properties.json delete mode 100644 deployments/properties/google_java.properties.json delete mode 100644 deployments/properties/google_python.properties.json diff --git a/deployments/aws_docker.yml b/deployments/aws_docker.yml deleted file mode 100644 index dab851f..0000000 --- a/deployments/aws_docker.yml +++ /dev/null @@ -1,92 +0,0 @@ -# This workflow will build and push a new container image to Amazon ECR, -# and then will deploy a new task definition to Amazon ECS, when there is a push to the $default-branch branch. -# -# To use this workflow, you will need to complete the following set-up steps: -# -# 1. Create an ECR repository to store your images. -# For example: `aws ecr create-repository --repository-name my-ecr-repo --region us-east-2`. -# Replace the value of the `ECR_REPOSITORY` environment variable in the workflow below with your repository's name. -# Replace the value of the `AWS_REGION` environment variable in the workflow below with your repository's region. -# -# 2. Create an ECS task definition, an ECS cluster, and an ECS service. -# For example, follow the Getting Started guide on the ECS console: -# https://us-east-2.console.aws.amazon.com/ecs/home?region=us-east-2#/firstRun -# Replace the value of the `ECS_SERVICE` environment variable in the workflow below with the name you set for the Amazon ECS service. -# Replace the value of the `ECS_CLUSTER` environment variable in the workflow below with the name you set for the cluster. -# -# 3. Store your ECS task definition as a JSON file in your repository. -# The format should follow the output of `aws ecs register-task-definition --generate-cli-skeleton`. -# Replace the value of the `ECS_TASK_DEFINITION` environment variable in the workflow below with the path to the JSON file. -# Replace the value of the `CONTAINER_NAME` environment variable in the workflow below with the name of the container -# in the `containerDefinitions` section of the task definition. -# -# 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. -# See the documentation for each action used below for the recommended IAM policies for this IAM user, -# and best practices on handling the access key credentials. - -name: Deploy to Amazon ECS - -on: - push: - branches: - - $default-branch - -env: - AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1 - ECR_REPOSITORY: MY_ECR_REPOSITORY # set this to your Amazon ECR repository name - ECS_SERVICE: MY_ECS_SERVICE # set this to your Amazon ECS service name - ECS_CLUSTER: MY_ECS_CLUSTER # set this to your Amazon ECS cluster name - ECS_TASK_DEFINITION: MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition - # file, e.g. .aws/task-definition.json - CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the - # containerDefinitions section of your task definition - -jobs: - deploy: - name: Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 - with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ env.AWS_REGION }} - - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v1 - - - name: Build, tag, and push image to Amazon ECR - id: build-image - env: - ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} - IMAGE_TAG: ${{ github.sha }} - run: | - # Build a docker container and - # push it to ECR so that it can - # be deployed to ECS. - docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG . - docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG - echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" - - - name: Fill in the new image ID in the Amazon ECS task definition - id: task-def - uses: aws-actions/amazon-ecs-render-task-definition@v1 - with: - task-definition: ${{ env.ECS_TASK_DEFINITION }} - container-name: ${{ env.CONTAINER_NAME }} - image: ${{ steps.build-image.outputs.image }} - - - name: Deploy Amazon ECS task definition - uses: aws-actions/amazon-ecs-deploy-task-definition@v1 - with: - task-definition: ${{ steps.task-def.outputs.task-definition }} - service: ${{ env.ECS_SERVICE }} - cluster: ${{ env.ECS_CLUSTER }} - wait-for-service-stability: true diff --git a/deployments/aws_node.yml b/deployments/aws_node.yml deleted file mode 100644 index dab851f..0000000 --- a/deployments/aws_node.yml +++ /dev/null @@ -1,92 +0,0 @@ -# This workflow will build and push a new container image to Amazon ECR, -# and then will deploy a new task definition to Amazon ECS, when there is a push to the $default-branch branch. -# -# To use this workflow, you will need to complete the following set-up steps: -# -# 1. Create an ECR repository to store your images. -# For example: `aws ecr create-repository --repository-name my-ecr-repo --region us-east-2`. -# Replace the value of the `ECR_REPOSITORY` environment variable in the workflow below with your repository's name. -# Replace the value of the `AWS_REGION` environment variable in the workflow below with your repository's region. -# -# 2. Create an ECS task definition, an ECS cluster, and an ECS service. -# For example, follow the Getting Started guide on the ECS console: -# https://us-east-2.console.aws.amazon.com/ecs/home?region=us-east-2#/firstRun -# Replace the value of the `ECS_SERVICE` environment variable in the workflow below with the name you set for the Amazon ECS service. -# Replace the value of the `ECS_CLUSTER` environment variable in the workflow below with the name you set for the cluster. -# -# 3. Store your ECS task definition as a JSON file in your repository. -# The format should follow the output of `aws ecs register-task-definition --generate-cli-skeleton`. -# Replace the value of the `ECS_TASK_DEFINITION` environment variable in the workflow below with the path to the JSON file. -# Replace the value of the `CONTAINER_NAME` environment variable in the workflow below with the name of the container -# in the `containerDefinitions` section of the task definition. -# -# 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. -# See the documentation for each action used below for the recommended IAM policies for this IAM user, -# and best practices on handling the access key credentials. - -name: Deploy to Amazon ECS - -on: - push: - branches: - - $default-branch - -env: - AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1 - ECR_REPOSITORY: MY_ECR_REPOSITORY # set this to your Amazon ECR repository name - ECS_SERVICE: MY_ECS_SERVICE # set this to your Amazon ECS service name - ECS_CLUSTER: MY_ECS_CLUSTER # set this to your Amazon ECS cluster name - ECS_TASK_DEFINITION: MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition - # file, e.g. .aws/task-definition.json - CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the - # containerDefinitions section of your task definition - -jobs: - deploy: - name: Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 - with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ env.AWS_REGION }} - - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v1 - - - name: Build, tag, and push image to Amazon ECR - id: build-image - env: - ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} - IMAGE_TAG: ${{ github.sha }} - run: | - # Build a docker container and - # push it to ECR so that it can - # be deployed to ECS. - docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG . - docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG - echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" - - - name: Fill in the new image ID in the Amazon ECS task definition - id: task-def - uses: aws-actions/amazon-ecs-render-task-definition@v1 - with: - task-definition: ${{ env.ECS_TASK_DEFINITION }} - container-name: ${{ env.CONTAINER_NAME }} - image: ${{ steps.build-image.outputs.image }} - - - name: Deploy Amazon ECS task definition - uses: aws-actions/amazon-ecs-deploy-task-definition@v1 - with: - task-definition: ${{ steps.task-def.outputs.task-definition }} - service: ${{ env.ECS_SERVICE }} - cluster: ${{ env.ECS_CLUSTER }} - wait-for-service-stability: true diff --git a/deployments/azure_docker.yml b/deployments/azure_docker.yml deleted file mode 100644 index 904ff25..0000000 --- a/deployments/azure_docker.yml +++ /dev/null @@ -1,51 +0,0 @@ -# This workflow will build and push a node.js application to an Azure Web App when there is a push to the $default-branch branch. -# -# This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/azure/app-service/app-service-plan-manage#create-an-app-service-plan -# -# To configure this workflow: -# -# 1. For Linux apps, add an app setting called WEBSITE_WEBDEPLOY_USE_SCM and set it to true in your app **before downloading the file**. -# For more instructions see: https://docs.microsoft.com/azure/app-service/configure-common#configure-app-settings -# -# 2. Set up a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE with the value of your Azure publish profile. -# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret -# -# 3. Change the values for the AZURE_WEBAPP_NAME, AZURE_WEBAPP_PACKAGE_PATH and NODE_VERSION environment variables (below). -# -# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions -# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples -on: - push: - branches: - - $default-branch - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - NODE_VERSION: '10.x' # set this to the node version to use - -jobs: - build-and-deploy: - name: Build and Deploy - runs-on: ubuntu-latest - environment: production - steps: - - uses: actions/checkout@v2 - - name: Use Node.js ${{ env.NODE_VERSION }} - uses: actions/setup-node@v2 - with: - node-version: ${{ env.NODE_VERSION }} - - name: npm install, build, and test - run: | - # Build and test the project, then - # deploy to Azure Web App. - npm install - npm run build --if-present - npm run test --if-present - - name: 'Deploy to Azure WebApp' - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} diff --git a/deployments/azure_node.yml b/deployments/azure_node.yml deleted file mode 100644 index 904ff25..0000000 --- a/deployments/azure_node.yml +++ /dev/null @@ -1,51 +0,0 @@ -# This workflow will build and push a node.js application to an Azure Web App when there is a push to the $default-branch branch. -# -# This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/azure/app-service/app-service-plan-manage#create-an-app-service-plan -# -# To configure this workflow: -# -# 1. For Linux apps, add an app setting called WEBSITE_WEBDEPLOY_USE_SCM and set it to true in your app **before downloading the file**. -# For more instructions see: https://docs.microsoft.com/azure/app-service/configure-common#configure-app-settings -# -# 2. Set up a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE with the value of your Azure publish profile. -# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret -# -# 3. Change the values for the AZURE_WEBAPP_NAME, AZURE_WEBAPP_PACKAGE_PATH and NODE_VERSION environment variables (below). -# -# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions -# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples -on: - push: - branches: - - $default-branch - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - NODE_VERSION: '10.x' # set this to the node version to use - -jobs: - build-and-deploy: - name: Build and Deploy - runs-on: ubuntu-latest - environment: production - steps: - - uses: actions/checkout@v2 - - name: Use Node.js ${{ env.NODE_VERSION }} - uses: actions/setup-node@v2 - with: - node-version: ${{ env.NODE_VERSION }} - - name: npm install, build, and test - run: | - # Build and test the project, then - # deploy to Azure Web App. - npm install - npm run build --if-present - npm run test --if-present - - name: 'Deploy to Azure WebApp' - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} diff --git a/deployments/google_java.yml b/deployments/google_java.yml deleted file mode 100644 index 267d3cb..0000000 --- a/deployments/google_java.yml +++ /dev/null @@ -1,81 +0,0 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. -# -# To configure this workflow: -# -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. -# -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). -# -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). -# -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke - -name: Build and Deploy to GKE - -on: - push: - branches: - - $default-branch - -env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - IMAGE: static-site - -jobs: - setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v2 - - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v0.2.0 - with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker - - # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v0.2.1 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY }} - - # Build the Docker image - - name: Build - run: |- - docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - - # Push the Docker image to Google Container Registry - - name: Publish - run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide diff --git a/deployments/google_python.yml b/deployments/google_python.yml deleted file mode 100644 index 267d3cb..0000000 --- a/deployments/google_python.yml +++ /dev/null @@ -1,81 +0,0 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. -# -# To configure this workflow: -# -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. -# -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). -# -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). -# -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke - -name: Build and Deploy to GKE - -on: - push: - branches: - - $default-branch - -env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - IMAGE: static-site - -jobs: - setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v2 - - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v0.2.0 - with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker - - # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v0.2.1 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY }} - - # Build the Docker image - - name: Build - run: |- - docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - - # Push the Docker image to Google Container Registry - - name: Publish - run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide diff --git a/deployments/properties/aws_docker.properties.json b/deployments/properties/aws_docker.properties.json deleted file mode 100644 index 1b5955a..0000000 --- a/deployments/properties/aws_docker.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Deploy to Amazon ECS", - "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.", - "creator": "Amazon Web Services", - "iconName": "aws", - "categories": ["Deployment", "Dockerfile"] -} diff --git a/deployments/properties/aws_node.properties.json b/deployments/properties/aws_node.properties.json deleted file mode 100644 index d099e52..0000000 --- a/deployments/properties/aws_node.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Deploy to Amazon ECS", - "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.", - "creator": "Amazon Web Services", - "iconName": "aws", - "categories": ["Deployment", "JavaScript", "npm"] -} diff --git a/deployments/properties/azure_docker.properties.json b/deployments/properties/azure_docker.properties.json deleted file mode 100644 index a5fd8ea..0000000 --- a/deployments/properties/azure_docker.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Deploy Node.js to Azure Web App", - "description": "Build a Node.js project and deploy it to an Azure Web App.", - "creator": "Microsoft Azure", - "iconName": "azure", - "categories": ["Deployment", "Dockerfile"] -} \ No newline at end of file diff --git a/deployments/properties/azure_node.properties.json b/deployments/properties/azure_node.properties.json deleted file mode 100644 index 90a3717..0000000 --- a/deployments/properties/azure_node.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Deploy Node.js to Azure Web App", - "description": "Build a Node.js project and deploy it to an Azure Web App.", - "creator": "Microsoft Azure", - "iconName": "azure", - "categories": ["Deployment", "JavaScript", "npm"] -} \ No newline at end of file diff --git a/deployments/properties/google_java.properties.json b/deployments/properties/google_java.properties.json deleted file mode 100644 index cc17c30..0000000 --- a/deployments/properties/google_java.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Build and Deploy to GKE", - "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", - "creator": "Google Cloud", - "iconName": "googlegke", - "categories": ["Deployment", "Java"] -} \ No newline at end of file diff --git a/deployments/properties/google_python.properties.json b/deployments/properties/google_python.properties.json deleted file mode 100644 index 3ded1a9..0000000 --- a/deployments/properties/google_python.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Build and Deploy to GKE", - "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", - "creator": "Google Cloud", - "iconName": "googlegke", - "categories": ["Deployment", "Python"] -} \ No newline at end of file From 042eac38589af8f0329cea45533e79e4b75eb8ba Mon Sep 17 00:00:00 2001 From: David Verdeguer Date: Thu, 21 Oct 2021 22:11:00 +0200 Subject: [PATCH 057/300] Add ruby and update workflow --- code-scanning/codeql.yml | 3 +-- code-scanning/properties/codeql.properties.json | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index b32675e..57b4b69 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -34,8 +34,7 @@ jobs: matrix: language: [ $detected-codeql-languages ] # CodeQL supports [ $supported-codeql-languages ] - # Learn more: - # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed + # Learn more about CodeQL language support at https://git.io/codeql-language-support steps: - name: Checkout repository diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index cb9305a..2919e98 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -1,7 +1,7 @@ { "name": "CodeQL Analysis", "creator": "GitHub", - "description": "Security analysis from GitHub for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.", + "description": "Security analysis from GitHub for C, C++, C#, Java, JavaScript, TypeScript, Python, Go and Ruby developers. \n ", "iconName": "octicon mark-github", - "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python"] + "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"] } From bafed29a86e2e7f904577674c70739ef99c7da55 Mon Sep 17 00:00:00 2001 From: Daniel Winsor Date: Thu, 21 Oct 2021 14:14:02 -0700 Subject: [PATCH 058/300] Add workflow for Microsoft C++ Code Analysis --- code-scanning/msvc.yml | 57 +++++++++++++++++++ code-scanning/properties/msvc.properties.json | 7 +++ icons/microsoft.svg | 34 +++++++++++ 3 files changed, 98 insertions(+) create mode 100644 code-scanning/msvc.yml create mode 100644 code-scanning/properties/msvc.properties.json create mode 100644 icons/microsoft.svg diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml new file mode 100644 index 0000000..85cb475 --- /dev/null +++ b/code-scanning/msvc.yml @@ -0,0 +1,57 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Find more information at: +# https://github.com/microsoft/msvc-code-analysis-action + +name: Microsoft C++ Code Analysis + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +env: + # Path to the CMake build directory. + build: '${{ github.workspace }}/build' + +jobs: + build: + steps: + # Configure project with CMake + - name: Configure CMake + uses: lukka/run-cmake@v3 + with: + buildDirectory: ${{ env.build }} + # Build is not require unless generated source files are used + buildWithCMake: false + cmakeGenerator: 'VS16Win64' + cmakeListsTxtPath: ${{ github.workspace }}/CMakeLists.txt + + # Run Microsoft Visual C++ code analysis + - name: Initialize MSVC Code Analysis + uses: microsoft/msvc-code-analysis-action + # Provide a unique ID to access the sarif output path + id: run-analysis + with: + cmakeBuildDirectory: ${{ env.build }} + # Ruleset file that will determine what checks will be run + ruleset: NativeRecommendRules.ruleset + + # Upload SARIF file to GitHub Code Scanning Alerts + - name: Upload SARIF to Github + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ${{ steps.run-analysis.outputs.sarif }} + + # Upload SARIF file as an Artifact to download and view + # - name: Upload SARIF as an Artifact + # uses: actions/upload-artifact@v2 + # with: + # name: sarif-file + # path: ${{ steps.run-analysis.outputs.sarif }} diff --git a/code-scanning/properties/msvc.properties.json b/code-scanning/properties/msvc.properties.json new file mode 100644 index 0000000..03c4500 --- /dev/null +++ b/code-scanning/properties/msvc.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Microsoft C++ Code Analysis", + "creator": "Microsoft", + "description": "Code Analysis with the Microsoft C & C++ Compiler for CMake base projects.", + "iconName": "microsoft", + "categories": ["Code Scanning", "C", "C++"] +} diff --git a/icons/microsoft.svg b/icons/microsoft.svg new file mode 100644 index 0000000..990fa84 --- /dev/null +++ b/icons/microsoft.svg @@ -0,0 +1,34 @@ +microsoft + + + + + image/svg+xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file From 9fccb15dc69faf8e0b7ce3d05701675a51d780d9 Mon Sep 17 00:00:00 2001 From: Daniel Winsor Date: Thu, 21 Oct 2021 16:18:11 -0700 Subject: [PATCH 059/300] Updated action to meet guidelines --- code-scanning/msvc.yml | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 85cb475..c6bb29f 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -21,21 +21,23 @@ env: build: '${{ github.workspace }}/build' jobs: - build: - steps: - # Configure project with CMake - - name: Configure CMake - uses: lukka/run-cmake@v3 - with: - buildDirectory: ${{ env.build }} - # Build is not require unless generated source files are used - buildWithCMake: false - cmakeGenerator: 'VS16Win64' - cmakeListsTxtPath: ${{ github.workspace }}/CMakeLists.txt + analyze: + name: Analyze + runs-on: windows-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + - name: Configure CMake + run: cmake -B ${{ env.build }} + + # Build is not required unless generated source files are used + # - name: Build CMake + # run: cmake --build ${{ env.build }} - # Run Microsoft Visual C++ code analysis - name: Initialize MSVC Code Analysis - uses: microsoft/msvc-code-analysis-action + uses: microsoft/msvc-code-analysis-action@502db28262ba134c9a621d5a509b9f7e696c99b6 # Provide a unique ID to access the sarif output path id: run-analysis with: @@ -44,7 +46,7 @@ jobs: ruleset: NativeRecommendRules.ruleset # Upload SARIF file to GitHub Code Scanning Alerts - - name: Upload SARIF to Github + - name: Upload SARIF to GitHub uses: github/codeql-action/upload-sarif@v1 with: sarif_file: ${{ steps.run-analysis.outputs.sarif }} From 40f0709bd652afee23c304a26984fb30dd82c869 Mon Sep 17 00:00:00 2001 From: Rui Chen Date: Fri, 22 Oct 2021 01:14:49 -0400 Subject: [PATCH 060/300] quote the version strings --- ci/pylint.yml | 9 +++++---- ci/python-app.yml | 2 +- ci/python-package.yml | 2 +- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/ci/pylint.yml b/ci/pylint.yml index e217f63..10c49c6 100644 --- a/ci/pylint.yml +++ b/ci/pylint.yml @@ -4,15 +4,16 @@ on: [push] jobs: build: - runs-on: ubuntu-latest - + strategy: + matrix: + python-version: ["3.8", "3.9", "3.10"] steps: - uses: actions/checkout@v2 - - name: Set up Python 3.10 + - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v2 with: - python-version: 3.10 + python-version: ${{ matrix.python-version }} - name: Install dependencies run: | python -m pip install --upgrade pip diff --git a/ci/python-app.yml b/ci/python-app.yml index 30b2b8f..2cfc2a3 100644 --- a/ci/python-app.yml +++ b/ci/python-app.yml @@ -19,7 +19,7 @@ jobs: - name: Set up Python 3.10 uses: actions/setup-python@v2 with: - python-version: 3.10 + python-version: "3.10" - name: Install dependencies run: | python -m pip install --upgrade pip diff --git a/ci/python-package.yml b/ci/python-package.yml index 9690811..b0a63cf 100644 --- a/ci/python-package.yml +++ b/ci/python-package.yml @@ -16,7 +16,7 @@ jobs: strategy: fail-fast: false matrix: - python-version: [3.8, 3.9, 3.10] + python-version: ["3.8", "3.9", "3.10"] steps: - uses: actions/checkout@v2 From 149db50d434d371436226749011c7e56fb556195 Mon Sep 17 00:00:00 2001 From: Nick Fyson Date: Fri, 22 Oct 2021 09:33:24 +0100 Subject: [PATCH 061/300] correct typo in msvc.properties.json --- code-scanning/properties/msvc.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/msvc.properties.json b/code-scanning/properties/msvc.properties.json index 03c4500..641d5e6 100644 --- a/code-scanning/properties/msvc.properties.json +++ b/code-scanning/properties/msvc.properties.json @@ -1,7 +1,7 @@ { "name": "Microsoft C++ Code Analysis", "creator": "Microsoft", - "description": "Code Analysis with the Microsoft C & C++ Compiler for CMake base projects.", + "description": "Code Analysis with the Microsoft C & C++ Compiler for CMake based projects.", "iconName": "microsoft", "categories": ["Code Scanning", "C", "C++"] } From dcdce00205973405ccc4e12ee599432018005edc Mon Sep 17 00:00:00 2001 From: David Verdeguer <47184891+Daverlo@users.noreply.github.com> Date: Fri, 22 Oct 2021 10:54:14 +0200 Subject: [PATCH 062/300] Update codeql.properties.json --- code-scanning/properties/codeql.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index 2919e98..219f517 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -1,7 +1,7 @@ { "name": "CodeQL Analysis", "creator": "GitHub", - "description": "Security analysis from GitHub for C, C++, C#, Java, JavaScript, TypeScript, Python, Go and Ruby developers. \n ", + "description": "Security analysis from GitHub for C, C++, C#, Java, JavaScript, TypeScript, Python, Go and Ruby developers.", "iconName": "octicon mark-github", "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"] } From 4e20b526184631f70591dc040dbed47a83f712b3 Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Fri, 22 Oct 2021 14:47:00 +0530 Subject: [PATCH 063/300] Sync partner_templates branch with main (#1184) * Added Cloudrail according to instructions and existing examples * Adding Cloudrail according to documentation and examples * Oops * Add original Fortify on Demand workflow * Update Fortify on Demand workflow * Update Fortify on Demand supported languages * Add 3rd-party GitHub Actions disclaimer * Sysdig Secure Inline Scan with SARIF report to starter workflows * Added some extra comments, Github Actions V2 and changed env vars * Reviews from PR #1110 * Adding 'Dockerfile' to category list * Update according to PR review comments * File renames as requested in PR comments * Revert "Azure Data Factory CI starter workflow (#1111)" (#1146) This reverts commit 7f30309ccedb0e3dee186e0ee58c232752a78e24. * use env variables for user-set values (#1117) Co-authored-by: Josh Gross * Apply suggestions from nickfyson's code review Co-authored-by: Nick Fyson * removing "deployment" templates from sync-ghes (#1127) * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Changed svg logo * Rename sysdig.svg to sysdig-scan.svg * Switched svg logo (again) for a better fit * Rename fortify.json to fortify.properties.json * Correct character-case of "c" in Cloudrail * AWS template also used Docker * trigger on push instead of release (#1157) Co-authored-by: Josh Gross * Added new templates for 3 clouds. * Revert "Added new templates for 3 clouds." This reverts commit c765d6316fb380d15d81206ede83b0042cdac377. * Add workflow for Microsoft C++ Code Analysis * Updated action to meet guidelines * correct typo in msvc.properties.json Co-authored-by: Yoni Leitersdorf Co-authored-by: Ruud Senden Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com> Co-authored-by: Manuel Boira Cuevas Co-authored-by: manuelbcd Co-authored-by: Nick Fyson Co-authored-by: Sarah Edwards Co-authored-by: Josh Gross Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Co-authored-by: manuelbcd Co-authored-by: Daniel Winsor --- code-scanning/cloudrail.yml | 2 +- code-scanning/msvc.yml | 59 +++++++++++++++++++ code-scanning/properties/msvc.properties.json | 7 +++ deployments/alibabacloud.yml | 7 ++- deployments/aws.yml | 7 ++- deployments/azure.yml | 7 ++- deployments/google.yml | 7 ++- deployments/ibm.yml | 7 ++- deployments/properties/aws.properties.json | 4 +- deployments/tencent.yml | 7 ++- icons/microsoft.svg | 34 +++++++++++ 11 files changed, 127 insertions(+), 21 deletions(-) create mode 100644 code-scanning/msvc.yml create mode 100644 code-scanning/properties/msvc.properties.json create mode 100644 icons/microsoft.svg diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml index 9f95c5c..00e270a 100644 --- a/code-scanning/cloudrail.yml +++ b/code-scanning/cloudrail.yml @@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. -name: cloudrail +name: Cloudrail on: push: diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml new file mode 100644 index 0000000..c6bb29f --- /dev/null +++ b/code-scanning/msvc.yml @@ -0,0 +1,59 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Find more information at: +# https://github.com/microsoft/msvc-code-analysis-action + +name: Microsoft C++ Code Analysis + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +env: + # Path to the CMake build directory. + build: '${{ github.workspace }}/build' + +jobs: + analyze: + name: Analyze + runs-on: windows-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + - name: Configure CMake + run: cmake -B ${{ env.build }} + + # Build is not required unless generated source files are used + # - name: Build CMake + # run: cmake --build ${{ env.build }} + + - name: Initialize MSVC Code Analysis + uses: microsoft/msvc-code-analysis-action@502db28262ba134c9a621d5a509b9f7e696c99b6 + # Provide a unique ID to access the sarif output path + id: run-analysis + with: + cmakeBuildDirectory: ${{ env.build }} + # Ruleset file that will determine what checks will be run + ruleset: NativeRecommendRules.ruleset + + # Upload SARIF file to GitHub Code Scanning Alerts + - name: Upload SARIF to GitHub + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ${{ steps.run-analysis.outputs.sarif }} + + # Upload SARIF file as an Artifact to download and view + # - name: Upload SARIF as an Artifact + # uses: actions/upload-artifact@v2 + # with: + # name: sarif-file + # path: ${{ steps.run-analysis.outputs.sarif }} diff --git a/code-scanning/properties/msvc.properties.json b/code-scanning/properties/msvc.properties.json new file mode 100644 index 0000000..641d5e6 --- /dev/null +++ b/code-scanning/properties/msvc.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Microsoft C++ Code Analysis", + "creator": "Microsoft", + "description": "Code Analysis with the Microsoft C & C++ Compiler for CMake based projects.", + "iconName": "microsoft", + "categories": ["Code Scanning", "C", "C++"] +} diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index 9ccc033..ded9178 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -1,5 +1,5 @@ # This workflow will build and push a new container image to Alibaba Cloud Container Registry (ACR), -# and then will deploy it to Alibaba Cloud Container Service for Kubernetes (ACK), when a release is created. +# and then will deploy it to Alibaba Cloud Container Service for Kubernetes (ACK), when there is a push to the $default-branch branch. # # To use this workflow, you will need to complete the following set-up steps: # @@ -20,8 +20,9 @@ name: Build and Deploy to ACK on: - release: - types: [created] + push: + branches: + - $default-branch # Environment variables available to all jobs and steps in this workflow. env: diff --git a/deployments/aws.yml b/deployments/aws.yml index 6a6643c..dab851f 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -1,5 +1,5 @@ # This workflow will build and push a new container image to Amazon ECR, -# and then will deploy a new task definition to Amazon ECS, when a release is created +# and then will deploy a new task definition to Amazon ECS, when there is a push to the $default-branch branch. # # To use this workflow, you will need to complete the following set-up steps: # @@ -27,8 +27,9 @@ name: Deploy to Amazon ECS on: - release: - types: [created] + push: + branches: + - $default-branch env: AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1 diff --git a/deployments/azure.yml b/deployments/azure.yml index 0262b49..904ff25 100644 --- a/deployments/azure.yml +++ b/deployments/azure.yml @@ -1,4 +1,4 @@ -# This workflow will build and push a node.js application to an Azure Web App when a release is created. +# This workflow will build and push a node.js application to an Azure Web App when there is a push to the $default-branch branch. # # This workflow assumes you have already created the target Azure App Service web app. # For instructions see https://docs.microsoft.com/azure/app-service/app-service-plan-manage#create-an-app-service-plan @@ -16,8 +16,9 @@ # For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions # For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples on: - release: - types: [created] + push: + branches: + - $default-branch env: AZURE_WEBAPP_NAME: your-app-name # set this to your application's name diff --git a/deployments/google.yml b/deployments/google.yml index 5e803ed..267d3cb 100644 --- a/deployments/google.yml +++ b/deployments/google.yml @@ -1,4 +1,4 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when a release is created +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. # # To configure this workflow: # @@ -13,8 +13,9 @@ name: Build and Deploy to GKE on: - release: - types: [created] + push: + branches: + - $default-branch env: PROJECT_ID: ${{ secrets.GKE_PROJECT }} diff --git a/deployments/ibm.yml b/deployments/ibm.yml index a8502cd..216b04d 100644 --- a/deployments/ibm.yml +++ b/deployments/ibm.yml @@ -1,4 +1,4 @@ -# This workflow will build a docker container, publish it to IBM Container Registry, and deploy it to IKS when a release is created +# This workflow will build a docker container, publish it to IBM Container Registry, and deploy it to IKS when there is a push to the $default-branch branch. # # To configure this workflow: # @@ -9,8 +9,9 @@ name: Build and Deploy to IKS on: - release: - types: [created] + push: + branches: + - $default-branch # Environment variables available to all jobs and steps in this workflow env: diff --git a/deployments/properties/aws.properties.json b/deployments/properties/aws.properties.json index 10a7ed3..1b5955a 100644 --- a/deployments/properties/aws.properties.json +++ b/deployments/properties/aws.properties.json @@ -3,5 +3,5 @@ "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.", "creator": "Amazon Web Services", "iconName": "aws", - "categories": ["Deployment"] -} \ No newline at end of file + "categories": ["Deployment", "Dockerfile"] +} diff --git a/deployments/tencent.yml b/deployments/tencent.yml index 0be339e..83bde94 100644 --- a/deployments/tencent.yml +++ b/deployments/tencent.yml @@ -1,4 +1,4 @@ -# This workflow will build a docker container, publish and deploy it to Tencent Kubernetes Engine (TKE). +# This workflow will build a docker container, publish and deploy it to Tencent Kubernetes Engine (TKE) when there is a push to the $default-branch branch. # # To configure this workflow: # @@ -16,8 +16,9 @@ name: Tencent Kubernetes Engine on: - release: - types: [created] + push: + branches: + - $default-branch # Environment variables available to all jobs and steps in this workflow env: diff --git a/icons/microsoft.svg b/icons/microsoft.svg new file mode 100644 index 0000000..990fa84 --- /dev/null +++ b/icons/microsoft.svg @@ -0,0 +1,34 @@ +microsoft + + + + + image/svg+xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file From 281a35c5efb80a3e487989aaf181825136c93d66 Mon Sep 17 00:00:00 2001 From: David Verdeguer <47184891+Daverlo@users.noreply.github.com> Date: Fri, 22 Oct 2021 11:37:35 +0200 Subject: [PATCH 064/300] Update code-scanning/properties/codeql.properties.json Co-authored-by: Arthur Baars --- code-scanning/properties/codeql.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index 219f517..e9acea5 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -1,7 +1,7 @@ { "name": "CodeQL Analysis", "creator": "GitHub", - "description": "Security analysis from GitHub for C, C++, C#, Java, JavaScript, TypeScript, Python, Go and Ruby developers.", + "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python and Ruby developers.", "iconName": "octicon mark-github", "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"] } From 3a3f99717d9571d5f89d1334e5cce9e6691a31bd Mon Sep 17 00:00:00 2001 From: David Verdeguer <47184891+Daverlo@users.noreply.github.com> Date: Fri, 22 Oct 2021 11:40:38 +0200 Subject: [PATCH 065/300] Update codeql.properties.json --- code-scanning/properties/codeql.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index e9acea5..f8082c7 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -1,7 +1,7 @@ { "name": "CodeQL Analysis", "creator": "GitHub", - "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python and Ruby developers.", + "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.", "iconName": "octicon mark-github", "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"] } From 0f29a0acbb3cafbbe38e9aa926e80cb45a78392a Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Fri, 22 Oct 2021 15:12:17 +0530 Subject: [PATCH 066/300] Add files via upload --- deployments/aws_docker.yaml | 81 +++++++++++++++++++++++++++++++++++ deployments/aws_node.yaml | 81 +++++++++++++++++++++++++++++++++++ deployments/azure_docker.yaml | 81 +++++++++++++++++++++++++++++++++++ deployments/azure_node.yaml | 81 +++++++++++++++++++++++++++++++++++ deployments/google_java.yaml | 81 +++++++++++++++++++++++++++++++++++ deployments/google_python.yml | 81 +++++++++++++++++++++++++++++++++++ 6 files changed, 486 insertions(+) create mode 100644 deployments/aws_docker.yaml create mode 100644 deployments/aws_node.yaml create mode 100644 deployments/azure_docker.yaml create mode 100644 deployments/azure_node.yaml create mode 100644 deployments/google_java.yaml create mode 100644 deployments/google_python.yml diff --git a/deployments/aws_docker.yaml b/deployments/aws_docker.yaml new file mode 100644 index 0000000..0c789fa --- /dev/null +++ b/deployments/aws_docker.yaml @@ -0,0 +1,81 @@ +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. +# +# To configure this workflow: +# +# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. +# +# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). +# +# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). +# +# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke + +name: Build and Deploy to GKE + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: ${{ secrets.GKE_PROJECT }} + GKE_CLUSTER: cluster-1 # TODO: update to cluster name + GKE_ZONE: us-central1-c # TODO: update to cluster zone + DEPLOYMENT_NAME: gke-test # TODO: update to deployment name + IMAGE: static-site + +jobs: + setup-build-publish-deploy: + name: Setup, Build, Publish, and Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v2 + + # Setup gcloud CLI + - uses: google-github-actions/setup-gcloud@v0.2.0 + with: + service_account_key: ${{ secrets.GKE_SA_KEY }} + project_id: ${{ secrets.GKE_PROJECT }} + + # Configure Docker to use the gcloud command-line tool as a credential + # helper for authentication + - run: |- + gcloud --quiet auth configure-docker + + # Get the GKE credentials so we can deploy to the cluster + - uses: google-github-actions/get-gke-credentials@v0.2.1 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + credentials: ${{ secrets.GKE_SA_KEY }} + + # Build the Docker image + - name: Build + run: |- + docker build \ + --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ + --build-arg GITHUB_SHA="$GITHUB_SHA" \ + --build-arg GITHUB_REF="$GITHUB_REF" \ + . + + # Push the Docker image to Google Container Registry + - name: Publish + run: |- + docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" + + # Set up kustomize + - name: Set up Kustomize + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 + chmod u+x ./kustomize + + # Deploy the Docker image to the GKE cluster + - name: Deploy + run: |- + ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide \ No newline at end of file diff --git a/deployments/aws_node.yaml b/deployments/aws_node.yaml new file mode 100644 index 0000000..0c789fa --- /dev/null +++ b/deployments/aws_node.yaml @@ -0,0 +1,81 @@ +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. +# +# To configure this workflow: +# +# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. +# +# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). +# +# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). +# +# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke + +name: Build and Deploy to GKE + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: ${{ secrets.GKE_PROJECT }} + GKE_CLUSTER: cluster-1 # TODO: update to cluster name + GKE_ZONE: us-central1-c # TODO: update to cluster zone + DEPLOYMENT_NAME: gke-test # TODO: update to deployment name + IMAGE: static-site + +jobs: + setup-build-publish-deploy: + name: Setup, Build, Publish, and Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v2 + + # Setup gcloud CLI + - uses: google-github-actions/setup-gcloud@v0.2.0 + with: + service_account_key: ${{ secrets.GKE_SA_KEY }} + project_id: ${{ secrets.GKE_PROJECT }} + + # Configure Docker to use the gcloud command-line tool as a credential + # helper for authentication + - run: |- + gcloud --quiet auth configure-docker + + # Get the GKE credentials so we can deploy to the cluster + - uses: google-github-actions/get-gke-credentials@v0.2.1 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + credentials: ${{ secrets.GKE_SA_KEY }} + + # Build the Docker image + - name: Build + run: |- + docker build \ + --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ + --build-arg GITHUB_SHA="$GITHUB_SHA" \ + --build-arg GITHUB_REF="$GITHUB_REF" \ + . + + # Push the Docker image to Google Container Registry + - name: Publish + run: |- + docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" + + # Set up kustomize + - name: Set up Kustomize + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 + chmod u+x ./kustomize + + # Deploy the Docker image to the GKE cluster + - name: Deploy + run: |- + ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide \ No newline at end of file diff --git a/deployments/azure_docker.yaml b/deployments/azure_docker.yaml new file mode 100644 index 0000000..0c789fa --- /dev/null +++ b/deployments/azure_docker.yaml @@ -0,0 +1,81 @@ +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. +# +# To configure this workflow: +# +# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. +# +# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). +# +# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). +# +# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke + +name: Build and Deploy to GKE + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: ${{ secrets.GKE_PROJECT }} + GKE_CLUSTER: cluster-1 # TODO: update to cluster name + GKE_ZONE: us-central1-c # TODO: update to cluster zone + DEPLOYMENT_NAME: gke-test # TODO: update to deployment name + IMAGE: static-site + +jobs: + setup-build-publish-deploy: + name: Setup, Build, Publish, and Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v2 + + # Setup gcloud CLI + - uses: google-github-actions/setup-gcloud@v0.2.0 + with: + service_account_key: ${{ secrets.GKE_SA_KEY }} + project_id: ${{ secrets.GKE_PROJECT }} + + # Configure Docker to use the gcloud command-line tool as a credential + # helper for authentication + - run: |- + gcloud --quiet auth configure-docker + + # Get the GKE credentials so we can deploy to the cluster + - uses: google-github-actions/get-gke-credentials@v0.2.1 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + credentials: ${{ secrets.GKE_SA_KEY }} + + # Build the Docker image + - name: Build + run: |- + docker build \ + --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ + --build-arg GITHUB_SHA="$GITHUB_SHA" \ + --build-arg GITHUB_REF="$GITHUB_REF" \ + . + + # Push the Docker image to Google Container Registry + - name: Publish + run: |- + docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" + + # Set up kustomize + - name: Set up Kustomize + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 + chmod u+x ./kustomize + + # Deploy the Docker image to the GKE cluster + - name: Deploy + run: |- + ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide \ No newline at end of file diff --git a/deployments/azure_node.yaml b/deployments/azure_node.yaml new file mode 100644 index 0000000..0c789fa --- /dev/null +++ b/deployments/azure_node.yaml @@ -0,0 +1,81 @@ +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. +# +# To configure this workflow: +# +# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. +# +# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). +# +# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). +# +# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke + +name: Build and Deploy to GKE + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: ${{ secrets.GKE_PROJECT }} + GKE_CLUSTER: cluster-1 # TODO: update to cluster name + GKE_ZONE: us-central1-c # TODO: update to cluster zone + DEPLOYMENT_NAME: gke-test # TODO: update to deployment name + IMAGE: static-site + +jobs: + setup-build-publish-deploy: + name: Setup, Build, Publish, and Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v2 + + # Setup gcloud CLI + - uses: google-github-actions/setup-gcloud@v0.2.0 + with: + service_account_key: ${{ secrets.GKE_SA_KEY }} + project_id: ${{ secrets.GKE_PROJECT }} + + # Configure Docker to use the gcloud command-line tool as a credential + # helper for authentication + - run: |- + gcloud --quiet auth configure-docker + + # Get the GKE credentials so we can deploy to the cluster + - uses: google-github-actions/get-gke-credentials@v0.2.1 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + credentials: ${{ secrets.GKE_SA_KEY }} + + # Build the Docker image + - name: Build + run: |- + docker build \ + --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ + --build-arg GITHUB_SHA="$GITHUB_SHA" \ + --build-arg GITHUB_REF="$GITHUB_REF" \ + . + + # Push the Docker image to Google Container Registry + - name: Publish + run: |- + docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" + + # Set up kustomize + - name: Set up Kustomize + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 + chmod u+x ./kustomize + + # Deploy the Docker image to the GKE cluster + - name: Deploy + run: |- + ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide \ No newline at end of file diff --git a/deployments/google_java.yaml b/deployments/google_java.yaml new file mode 100644 index 0000000..0c789fa --- /dev/null +++ b/deployments/google_java.yaml @@ -0,0 +1,81 @@ +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. +# +# To configure this workflow: +# +# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. +# +# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). +# +# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). +# +# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke + +name: Build and Deploy to GKE + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: ${{ secrets.GKE_PROJECT }} + GKE_CLUSTER: cluster-1 # TODO: update to cluster name + GKE_ZONE: us-central1-c # TODO: update to cluster zone + DEPLOYMENT_NAME: gke-test # TODO: update to deployment name + IMAGE: static-site + +jobs: + setup-build-publish-deploy: + name: Setup, Build, Publish, and Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v2 + + # Setup gcloud CLI + - uses: google-github-actions/setup-gcloud@v0.2.0 + with: + service_account_key: ${{ secrets.GKE_SA_KEY }} + project_id: ${{ secrets.GKE_PROJECT }} + + # Configure Docker to use the gcloud command-line tool as a credential + # helper for authentication + - run: |- + gcloud --quiet auth configure-docker + + # Get the GKE credentials so we can deploy to the cluster + - uses: google-github-actions/get-gke-credentials@v0.2.1 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + credentials: ${{ secrets.GKE_SA_KEY }} + + # Build the Docker image + - name: Build + run: |- + docker build \ + --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ + --build-arg GITHUB_SHA="$GITHUB_SHA" \ + --build-arg GITHUB_REF="$GITHUB_REF" \ + . + + # Push the Docker image to Google Container Registry + - name: Publish + run: |- + docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" + + # Set up kustomize + - name: Set up Kustomize + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 + chmod u+x ./kustomize + + # Deploy the Docker image to the GKE cluster + - name: Deploy + run: |- + ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide \ No newline at end of file diff --git a/deployments/google_python.yml b/deployments/google_python.yml new file mode 100644 index 0000000..0c789fa --- /dev/null +++ b/deployments/google_python.yml @@ -0,0 +1,81 @@ +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. +# +# To configure this workflow: +# +# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. +# +# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). +# +# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). +# +# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke + +name: Build and Deploy to GKE + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: ${{ secrets.GKE_PROJECT }} + GKE_CLUSTER: cluster-1 # TODO: update to cluster name + GKE_ZONE: us-central1-c # TODO: update to cluster zone + DEPLOYMENT_NAME: gke-test # TODO: update to deployment name + IMAGE: static-site + +jobs: + setup-build-publish-deploy: + name: Setup, Build, Publish, and Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v2 + + # Setup gcloud CLI + - uses: google-github-actions/setup-gcloud@v0.2.0 + with: + service_account_key: ${{ secrets.GKE_SA_KEY }} + project_id: ${{ secrets.GKE_PROJECT }} + + # Configure Docker to use the gcloud command-line tool as a credential + # helper for authentication + - run: |- + gcloud --quiet auth configure-docker + + # Get the GKE credentials so we can deploy to the cluster + - uses: google-github-actions/get-gke-credentials@v0.2.1 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + credentials: ${{ secrets.GKE_SA_KEY }} + + # Build the Docker image + - name: Build + run: |- + docker build \ + --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ + --build-arg GITHUB_SHA="$GITHUB_SHA" \ + --build-arg GITHUB_REF="$GITHUB_REF" \ + . + + # Push the Docker image to Google Container Registry + - name: Publish + run: |- + docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" + + # Set up kustomize + - name: Set up Kustomize + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 + chmod u+x ./kustomize + + # Deploy the Docker image to the GKE cluster + - name: Deploy + run: |- + ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide \ No newline at end of file From a3270e70de1372f795ccd0b5f6c234b62743de79 Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Fri, 22 Oct 2021 15:13:09 +0530 Subject: [PATCH 067/300] Add files via upload --- deployments/properties/aws_dockerfile.properties.json | 7 +++++++ deployments/properties/aws_node.properties.json | 7 +++++++ deployments/properties/azure_docker.properties.json | 7 +++++++ deployments/properties/azure_node.properties.json | 7 +++++++ deployments/properties/google_java.properties.json | 7 +++++++ deployments/properties/google_python.properties.json | 7 +++++++ 6 files changed, 42 insertions(+) create mode 100644 deployments/properties/aws_dockerfile.properties.json create mode 100644 deployments/properties/aws_node.properties.json create mode 100644 deployments/properties/azure_docker.properties.json create mode 100644 deployments/properties/azure_node.properties.json create mode 100644 deployments/properties/google_java.properties.json create mode 100644 deployments/properties/google_python.properties.json diff --git a/deployments/properties/aws_dockerfile.properties.json b/deployments/properties/aws_dockerfile.properties.json new file mode 100644 index 0000000..ca3ebc9 --- /dev/null +++ b/deployments/properties/aws_dockerfile.properties.json @@ -0,0 +1,7 @@ +{ + "name": "[Specific Docker]Deploy to Amazon ECS", + "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.", + "creator": "Amazon Web Services", + "iconName": "aws", + "categories": ["Deployment", "Dockerfile"] +} \ No newline at end of file diff --git a/deployments/properties/aws_node.properties.json b/deployments/properties/aws_node.properties.json new file mode 100644 index 0000000..0466c39 --- /dev/null +++ b/deployments/properties/aws_node.properties.json @@ -0,0 +1,7 @@ +{ + "name": "[Specific Node]Deploy to Amazon ECS", + "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.", + "creator": "Amazon Web Services", + "iconName": "aws", + "categories": ["Deployment", "JavaScript", "npm"] +} \ No newline at end of file diff --git a/deployments/properties/azure_docker.properties.json b/deployments/properties/azure_docker.properties.json new file mode 100644 index 0000000..8fb260c --- /dev/null +++ b/deployments/properties/azure_docker.properties.json @@ -0,0 +1,7 @@ +{ + "name": "[Specific Docker]Deploy Node.js to Azure Web App", + "description": "Build a Node.js project and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Dockerfile"] +} \ No newline at end of file diff --git a/deployments/properties/azure_node.properties.json b/deployments/properties/azure_node.properties.json new file mode 100644 index 0000000..f2124ad --- /dev/null +++ b/deployments/properties/azure_node.properties.json @@ -0,0 +1,7 @@ +{ + "name": "[Specific Node]Deploy Node.js to Azure Web App", + "description": "Build a Node.js project and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "JavaScript", "npm"] +} \ No newline at end of file diff --git a/deployments/properties/google_java.properties.json b/deployments/properties/google_java.properties.json new file mode 100644 index 0000000..88e3c2e --- /dev/null +++ b/deployments/properties/google_java.properties.json @@ -0,0 +1,7 @@ +{ + "name": "[Specific Java]Build and Deploy to GKE", + "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", + "creator": "Google Cloud", + "iconName": "googlegke", + "categories": ["Deployment", "Java"] +} \ No newline at end of file diff --git a/deployments/properties/google_python.properties.json b/deployments/properties/google_python.properties.json new file mode 100644 index 0000000..ff8561c --- /dev/null +++ b/deployments/properties/google_python.properties.json @@ -0,0 +1,7 @@ +{ + "name": "[Specific Python]Build and Deploy to GKE", + "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", + "creator": "Google Cloud", + "iconName": "googlegke", + "categories": ["Deployment", "Python"] +} \ No newline at end of file From 4a9a12a0998bfea1d52c1ba1f04f2ed83165a434 Mon Sep 17 00:00:00 2001 From: David Verdeguer <47184891+Daverlo@users.noreply.github.com> Date: Fri, 22 Oct 2021 11:52:12 +0200 Subject: [PATCH 068/300] Update codeql.properties.json --- code-scanning/properties/codeql.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index f8082c7..ddb4627 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -3,5 +3,5 @@ "creator": "GitHub", "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.", "iconName": "octicon mark-github", - "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"] + "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"] } From d6e33d5f35d8477542daaac02ccc53b091deb0fe Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 15:48:49 +0530 Subject: [PATCH 069/300] fix dummy template names (#1185) --- deployments/azure_node.yaml | 81 ------------------- .../properties/aws_dockerfile.properties.json | 4 +- deployments/properties/azure.properties.json | 2 +- .../properties/azure_docker.properties.json | 4 +- .../properties/azure_node.properties.json | 7 -- .../properties/google_python.properties.json | 4 +- 6 files changed, 7 insertions(+), 95 deletions(-) delete mode 100644 deployments/azure_node.yaml delete mode 100644 deployments/properties/azure_node.properties.json diff --git a/deployments/azure_node.yaml b/deployments/azure_node.yaml deleted file mode 100644 index 0c789fa..0000000 --- a/deployments/azure_node.yaml +++ /dev/null @@ -1,81 +0,0 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. -# -# To configure this workflow: -# -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. -# -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). -# -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). -# -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke - -name: Build and Deploy to GKE - -on: - push: - branches: - - $default-branch - -env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - IMAGE: static-site - -jobs: - setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v2 - - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v0.2.0 - with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker - - # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v0.2.1 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY }} - - # Build the Docker image - - name: Build - run: |- - docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - - # Push the Docker image to Google Container Registry - - name: Publish - run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide \ No newline at end of file diff --git a/deployments/properties/aws_dockerfile.properties.json b/deployments/properties/aws_dockerfile.properties.json index ca3ebc9..e22ba46 100644 --- a/deployments/properties/aws_dockerfile.properties.json +++ b/deployments/properties/aws_dockerfile.properties.json @@ -1,6 +1,6 @@ { - "name": "[Specific Docker]Deploy to Amazon ECS", - "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.", + "name": "[Specific Docker] Deploy dockerfile to Amazon EKS", + "description": "Deploy a container to an Amazon ECS.", "creator": "Amazon Web Services", "iconName": "aws", "categories": ["Deployment", "Dockerfile"] diff --git a/deployments/properties/azure.properties.json b/deployments/properties/azure.properties.json index 362d5d1..90a3717 100644 --- a/deployments/properties/azure.properties.json +++ b/deployments/properties/azure.properties.json @@ -3,5 +3,5 @@ "description": "Build a Node.js project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment"] + "categories": ["Deployment", "JavaScript", "npm"] } \ No newline at end of file diff --git a/deployments/properties/azure_docker.properties.json b/deployments/properties/azure_docker.properties.json index 8fb260c..bbf4a81 100644 --- a/deployments/properties/azure_docker.properties.json +++ b/deployments/properties/azure_docker.properties.json @@ -1,6 +1,6 @@ { - "name": "[Specific Docker]Deploy Node.js to Azure Web App", - "description": "Build a Node.js project and deploy it to an Azure Web App.", + "name": "[Specific Docker] Deploy Node.js to AKS", + "description": "Build a Node.js project and deploy it to AKS.", "creator": "Microsoft Azure", "iconName": "azure", "categories": ["Deployment", "Dockerfile"] diff --git a/deployments/properties/azure_node.properties.json b/deployments/properties/azure_node.properties.json deleted file mode 100644 index f2124ad..0000000 --- a/deployments/properties/azure_node.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "[Specific Node]Deploy Node.js to Azure Web App", - "description": "Build a Node.js project and deploy it to an Azure Web App.", - "creator": "Microsoft Azure", - "iconName": "azure", - "categories": ["Deployment", "JavaScript", "npm"] -} \ No newline at end of file diff --git a/deployments/properties/google_python.properties.json b/deployments/properties/google_python.properties.json index ff8561c..21c631f 100644 --- a/deployments/properties/google_python.properties.json +++ b/deployments/properties/google_python.properties.json @@ -1,6 +1,6 @@ { - "name": "[Specific Python]Build and Deploy to GKE", - "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", + "name": "[Specific Python] Build and Deploy to GCE", + "description": "Build a docker container, publish it to Google compute engine.", "creator": "Google Cloud", "iconName": "googlegke", "categories": ["Deployment", "Python"] From c3f7e66294d486c8e262a3ac75dbb668b696bce8 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 15:53:33 +0530 Subject: [PATCH 070/300] Update azure_docker.properties.json --- deployments/properties/azure_docker.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/properties/azure_docker.properties.json b/deployments/properties/azure_docker.properties.json index bbf4a81..2b7babf 100644 --- a/deployments/properties/azure_docker.properties.json +++ b/deployments/properties/azure_docker.properties.json @@ -1,7 +1,7 @@ { - "name": "[Specific Docker] Deploy Node.js to AKS", + "name": "[Specific Docker] Deploy dockerfile to AKS", "description": "Build a Node.js project and deploy it to AKS.", "creator": "Microsoft Azure", "iconName": "azure", "categories": ["Deployment", "Dockerfile"] -} \ No newline at end of file +} From 1d19515d9576cc6df6a0e2beeaa7aa448cea7c58 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 15:58:29 +0530 Subject: [PATCH 071/300] Update google_java.properties.json --- deployments/properties/google_java.properties.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/deployments/properties/google_java.properties.json b/deployments/properties/google_java.properties.json index 88e3c2e..0a87690 100644 --- a/deployments/properties/google_java.properties.json +++ b/deployments/properties/google_java.properties.json @@ -1,7 +1,7 @@ { - "name": "[Specific Java]Build and Deploy to GKE", - "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", + "name": "[Specific Java] Build and Deploy Java to GCE", + "description": "Build and deploy Java application to Google Compute engine.", "creator": "Google Cloud", "iconName": "googlegke", "categories": ["Deployment", "Java"] -} \ No newline at end of file +} From 1ff952c678c7ccb754cbcb5f33fc2d4e3478f2d4 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 16:00:12 +0530 Subject: [PATCH 072/300] Update aws_node.properties.json --- deployments/properties/aws_node.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/properties/aws_node.properties.json b/deployments/properties/aws_node.properties.json index 0466c39..dd932f0 100644 --- a/deployments/properties/aws_node.properties.json +++ b/deployments/properties/aws_node.properties.json @@ -1,7 +1,7 @@ { "name": "[Specific Node]Deploy to Amazon ECS", - "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.", + "description": "Deploy a Java app to Amazon ECS service powered by AWS Fargate or Amazon EC2.", "creator": "Amazon Web Services", "iconName": "aws", "categories": ["Deployment", "JavaScript", "npm"] -} \ No newline at end of file +} From ff38066101192d26bc67c20561c01f1f6f3c90e2 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 16:00:18 +0530 Subject: [PATCH 073/300] Create aws_node.properties.json From 62a3686226d6d270103408b1c31a7ed19cb4ca60 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 16:00:55 +0530 Subject: [PATCH 074/300] Rename aws_node.properties.json to aws_java.properties.json --- .../{aws_node.properties.json => aws_java.properties.json} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename deployments/properties/{aws_node.properties.json => aws_java.properties.json} (100%) diff --git a/deployments/properties/aws_node.properties.json b/deployments/properties/aws_java.properties.json similarity index 100% rename from deployments/properties/aws_node.properties.json rename to deployments/properties/aws_java.properties.json From a7e746ef4ebc6f9a54f1b0a34d33c8e5625589fa Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 16:01:43 +0530 Subject: [PATCH 075/300] Rename aws_node.yaml to aws_java.yaml --- deployments/{aws_node.yaml => aws_java.yaml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename deployments/{aws_node.yaml => aws_java.yaml} (98%) diff --git a/deployments/aws_node.yaml b/deployments/aws_java.yaml similarity index 98% rename from deployments/aws_node.yaml rename to deployments/aws_java.yaml index 0c789fa..267d3cb 100644 --- a/deployments/aws_node.yaml +++ b/deployments/aws_java.yaml @@ -78,4 +78,4 @@ jobs: ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA ./kustomize build . | kubectl apply -f - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide \ No newline at end of file + kubectl get services -o wide From 41027f9cb5d57b442d39278c6618552596e2969a Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 16:08:40 +0530 Subject: [PATCH 076/300] Update aws_dockerfile.properties.json --- deployments/properties/aws_dockerfile.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/properties/aws_dockerfile.properties.json b/deployments/properties/aws_dockerfile.properties.json index e22ba46..dc886ae 100644 --- a/deployments/properties/aws_dockerfile.properties.json +++ b/deployments/properties/aws_dockerfile.properties.json @@ -1,7 +1,7 @@ { "name": "[Specific Docker] Deploy dockerfile to Amazon EKS", - "description": "Deploy a container to an Amazon ECS.", + "description": "Deploy a container to an Amazon EKS.", "creator": "Amazon Web Services", "iconName": "aws", "categories": ["Deployment", "Dockerfile"] -} \ No newline at end of file +} From 34a94290c1c9302a04c793a6e3493e69855a9c01 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 16:10:51 +0530 Subject: [PATCH 077/300] Update aws_java.properties.json --- deployments/properties/aws_java.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployments/properties/aws_java.properties.json b/deployments/properties/aws_java.properties.json index dd932f0..070837b 100644 --- a/deployments/properties/aws_java.properties.json +++ b/deployments/properties/aws_java.properties.json @@ -1,6 +1,6 @@ { "name": "[Specific Node]Deploy to Amazon ECS", - "description": "Deploy a Java app to Amazon ECS service powered by AWS Fargate or Amazon EC2.", + "description": "Deploy a Node app to Amazon ECS service powered by AWS Fargate or Amazon EC2.", "creator": "Amazon Web Services", "iconName": "aws", "categories": ["Deployment", "JavaScript", "npm"] From 2b39072b92cca434b145494f409ae8b72be3cac3 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 16:11:39 +0530 Subject: [PATCH 078/300] Rename aws_java.properties.json to aws_node.properties.json --- .../{aws_java.properties.json => aws_node.properties.json} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename deployments/properties/{aws_java.properties.json => aws_node.properties.json} (100%) diff --git a/deployments/properties/aws_java.properties.json b/deployments/properties/aws_node.properties.json similarity index 100% rename from deployments/properties/aws_java.properties.json rename to deployments/properties/aws_node.properties.json From 7b8fcf2d84798a1106efc90dcef79ed5fc0411a7 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 16:11:57 +0530 Subject: [PATCH 079/300] Rename aws_java.yaml to aws_node.yaml --- deployments/{aws_java.yaml => aws_node.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename deployments/{aws_java.yaml => aws_node.yaml} (100%) diff --git a/deployments/aws_java.yaml b/deployments/aws_node.yaml similarity index 100% rename from deployments/aws_java.yaml rename to deployments/aws_node.yaml From 4abed744e3963827eba227a342798d3526e9acc3 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 16:12:34 +0530 Subject: [PATCH 080/300] Update azure_docker.properties.json --- deployments/properties/azure_docker.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployments/properties/azure_docker.properties.json b/deployments/properties/azure_docker.properties.json index 2b7babf..840dcea 100644 --- a/deployments/properties/azure_docker.properties.json +++ b/deployments/properties/azure_docker.properties.json @@ -1,6 +1,6 @@ { "name": "[Specific Docker] Deploy dockerfile to AKS", - "description": "Build a Node.js project and deploy it to AKS.", + "description": "Build a dockerfile project and deploy it to AKS.", "creator": "Microsoft Azure", "iconName": "azure", "categories": ["Deployment", "Dockerfile"] From cd0b591526109d7aca2799ff3815105df7315544 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 16:13:36 +0530 Subject: [PATCH 081/300] Update google_python.properties.json --- deployments/properties/google_python.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/properties/google_python.properties.json b/deployments/properties/google_python.properties.json index 21c631f..31e5e4f 100644 --- a/deployments/properties/google_python.properties.json +++ b/deployments/properties/google_python.properties.json @@ -1,7 +1,7 @@ { "name": "[Specific Python] Build and Deploy to GCE", - "description": "Build a docker container, publish it to Google compute engine.", + "description": "Build and deploy a python application to Google compute engine.", "creator": "Google Cloud", "iconName": "googlegke", "categories": ["Deployment", "Python"] -} \ No newline at end of file +} From 39293c24520b95f8e8d17bdfd4325f71a1bc0498 Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Fri, 22 Oct 2021 16:24:02 +0530 Subject: [PATCH 082/300] Deleting gcp dummy templates. (#1186) --- deployments/google_java.yaml | 81 ------------------- deployments/google_python.yml | 81 ------------------- .../properties/google_java.properties.json | 7 -- .../properties/google_python.properties.json | 7 -- 4 files changed, 176 deletions(-) delete mode 100644 deployments/google_java.yaml delete mode 100644 deployments/google_python.yml delete mode 100644 deployments/properties/google_java.properties.json delete mode 100644 deployments/properties/google_python.properties.json diff --git a/deployments/google_java.yaml b/deployments/google_java.yaml deleted file mode 100644 index 0c789fa..0000000 --- a/deployments/google_java.yaml +++ /dev/null @@ -1,81 +0,0 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. -# -# To configure this workflow: -# -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. -# -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). -# -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). -# -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke - -name: Build and Deploy to GKE - -on: - push: - branches: - - $default-branch - -env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - IMAGE: static-site - -jobs: - setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v2 - - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v0.2.0 - with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker - - # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v0.2.1 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY }} - - # Build the Docker image - - name: Build - run: |- - docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - - # Push the Docker image to Google Container Registry - - name: Publish - run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide \ No newline at end of file diff --git a/deployments/google_python.yml b/deployments/google_python.yml deleted file mode 100644 index 0c789fa..0000000 --- a/deployments/google_python.yml +++ /dev/null @@ -1,81 +0,0 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. -# -# To configure this workflow: -# -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. -# -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). -# -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). -# -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke - -name: Build and Deploy to GKE - -on: - push: - branches: - - $default-branch - -env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - IMAGE: static-site - -jobs: - setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v2 - - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v0.2.0 - with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker - - # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v0.2.1 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY }} - - # Build the Docker image - - name: Build - run: |- - docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - - # Push the Docker image to Google Container Registry - - name: Publish - run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide \ No newline at end of file diff --git a/deployments/properties/google_java.properties.json b/deployments/properties/google_java.properties.json deleted file mode 100644 index 0a87690..0000000 --- a/deployments/properties/google_java.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "[Specific Java] Build and Deploy Java to GCE", - "description": "Build and deploy Java application to Google Compute engine.", - "creator": "Google Cloud", - "iconName": "googlegke", - "categories": ["Deployment", "Java"] -} diff --git a/deployments/properties/google_python.properties.json b/deployments/properties/google_python.properties.json deleted file mode 100644 index 31e5e4f..0000000 --- a/deployments/properties/google_python.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "[Specific Python] Build and Deploy to GCE", - "description": "Build and deploy a python application to Google compute engine.", - "creator": "Google Cloud", - "iconName": "googlegke", - "categories": ["Deployment", "Python"] -} From 27ebc235eed1c6b89291b0a5b8a787321620aab8 Mon Sep 17 00:00:00 2001 From: Simona Cotin Date: Fri, 22 Oct 2021 13:00:26 +0200 Subject: [PATCH 083/300] Add partner templates for Azure Static Web Apps --- deployments/azure-staticwebapp.yml | 64 +++++++++++++++++++ .../azure-staticwebapp.properties.json | 7 ++ icons/azure-staticwebapp.svg | 17 +++++ 3 files changed, 88 insertions(+) create mode 100644 deployments/azure-staticwebapp.yml create mode 100644 deployments/properties/azure-staticwebapp.properties.json create mode 100644 icons/azure-staticwebapp.svg diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml new file mode 100644 index 0000000..d170d57 --- /dev/null +++ b/deployments/azure-staticwebapp.yml @@ -0,0 +1,64 @@ +# This workflow will build and push a web application to an Azure Static Web App when you change your code. +# +# This workflow assumes you have already created the target Azure Static Web App. +# For instructions see https://docs.microsoft.com/azure/static-web-apps/get-started-portal?tabs=vanilla-javascript +# +# To configure this workflow: +# +# 1. Set up a secret in your repository named AZURE_STATIC_WEB_APPS_API_TOKEN with the value of your Static Web Apps deployment token. +# For instructions on obtaining the deployment token see: https://docs.microsoft.com/azure/static-web-apps/deployment-token-management +# +# 3. Change the values for the APP_LOCATION, API_LOCATION and APP_ARTIFACT_LOCATION, AZURE_STATIC_WEB_APPS_API_TOKEN environment variables (below). +# For instructions on setting up the appropriate configuration values go to https://docs.microsoft.com/azure/static-web-apps/front-end-frameworks +name: Deploy web app to Azure Static Web Apps + +on: + push: + branches: + - $default-branch + pull_request: + types: [opened, synchronize, reopened, closed] + branches: + - $default-branch + +# Environment variables available to all jobs and steps in this workflow +env: + APP_LOCATION: "/" # location of your client code + API_LOCATION: "api" # location of your api source code - optional + APP_ARTIFACT_LOCATION: "build" # location of client code build output + AZURE_STATIC_WEB_APPS_API_TOKEN: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing deployment token for your static web app + +jobs: + build_and_deploy_job: + if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed') + runs-on: ubuntu-latest + name: Build and Deploy Job + steps: + - uses: actions/checkout@v2 + with: + submodules: true + - name: Build And Deploy + id: builddeploy + uses: Azure/static-web-apps-deploy@v1 + with: + azure_static_web_apps_api_token: ${{ env.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing api token for app + repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for Github integrations (i.e. PR comments) + action: "upload" + ###### Repository/Build Configurations - These values can be configured to match you app requirements. ###### + # For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig + app_location: ${{ env.APP_LOCATION }} + api_location: ${{ env.API_LOCATION }} + app_artifact_location: ${{ env.APP_ARTIFACT_LOCATION }} + ###### End of Repository/Build Configurations ###### + + close_pull_request_job: + if: github.event_name == 'pull_request' && github.event.action == 'closed' + runs-on: ubuntu-latest + name: Close Pull Request Job + steps: + - name: Close Pull Request + id: closepullrequest + uses: Azure/static-web-apps-deploy@latest + with: + azure_static_web_apps_api_token: ${{ env.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing api token for app + action: "close" diff --git a/deployments/properties/azure-staticwebapp.properties.json b/deployments/properties/azure-staticwebapp.properties.json new file mode 100644 index 0000000..8bc5f6a --- /dev/null +++ b/deployments/properties/azure-staticwebapp.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy web app to Azure Static Web Apps", + "description": "Build and deploy web application to an Azure Static Web App.", + "creator": "Microsoft Azure", + "iconName": "azure-staticwebapp", + "categories": ["Deployment", "React", "Angular", "Vue", "Svelte", "Gatsby", "Next", "Nuxt", "Jekyll"] +} \ No newline at end of file diff --git a/icons/azure-staticwebapp.svg b/icons/azure-staticwebapp.svg new file mode 100644 index 0000000..327517d --- /dev/null +++ b/icons/azure-staticwebapp.svg @@ -0,0 +1,17 @@ + + + + + + + + + + + + + + + + + \ No newline at end of file From a702d187d139aa4b2f22db55a7bcd8fb5d796027 Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Sun, 24 Oct 2021 21:37:36 -0700 Subject: [PATCH 084/300] Add workflow and properties file for PHP --- deployments/azure-webapps-php.yml | 64 +++++++++++++++++++ .../azure-webapps-php.properties.json | 7 ++ 2 files changed, 71 insertions(+) create mode 100644 deployments/azure-webapps-php.yml create mode 100644 deployments/properties/azure-webapps-php.properties.json diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml new file mode 100644 index 0000000..261184b --- /dev/null +++ b/deployments/azure-webapps-php.yml @@ -0,0 +1,64 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# More GitHub Actions for Azure: https://github.com/Azure/actions + +name: Build and deploy PHP app to Azure Web App - __sitename__ + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to your application's name + AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root + NODE_VERSION: '10.x' # set this to the PHP version to use + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Setup PHP + uses: shivammathur/setup-php@v2 + with: + php-version: ${{ env.NODE_VERSION }} + + - name: Check if composer.json exists + id: check_files + uses: andstor/file-existence-action@v1 + with: + files: 'composer.json' + + - name: Run composer install if composer.json exists + if: steps.check_files.outputs.files_exists == 'true' + run: composer validate --no-check-publish && composer install --prefer-dist --no-progress + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v2 + with: + name: php-app + path: . + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Production' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: php-app + + - name: 'Deploy to Azure Web App' + uses: azure/webapps-deploy@v2 + id: deploy-to-webapp + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: . diff --git a/deployments/properties/azure-webapps-php.properties.json b/deployments/properties/azure-webapps-php.properties.json new file mode 100644 index 0000000..42fd724 --- /dev/null +++ b/deployments/properties/azure-webapps-php.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy a PHP app to an Azure Web App", + "description": "Build a PHP app and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment"] +} \ No newline at end of file From 704eb638ced8cd324890dcf8b1cbe0e21498e65c Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Sun, 24 Oct 2021 21:45:21 -0700 Subject: [PATCH 085/300] Updates from PR review --- deployments/azure-webapps-container.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 2 +- deployments/azure-webapps-java-jar.yml | 2 +- deployments/azure-webapps-node.yml | 2 +- deployments/azure-webapps-php.yml | 8 ++++---- deployments/azure-webapps-python.yml | 9 ++++----- .../properties/azure-webapps-container.properties.json | 4 ++-- ...ps-donet-core.json => azure-webapps-dotnet-core.json} | 4 ++-- .../properties/azure-webapps-java-jar.properties.json | 4 ++-- .../properties/azure-webapps-node.properties.json | 4 ++-- deployments/properties/azure-webapps-php.properties.json | 4 ++-- .../properties/azure-webapps-python.properties.json | 4 ++-- 12 files changed, 24 insertions(+), 25 deletions(-) rename deployments/properties/{azure-webapps-donet-core.json => azure-webapps-dotnet-core.json} (78%) diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-webapps-container.yml index b9dab0d..e2dec98 100644 --- a/deployments/azure-webapps-container.yml +++ b/deployments/azure-webapps-container.yml @@ -43,7 +43,7 @@ jobs: runs-on: ubuntu-latest needs: build environment: - name: 'Production' + name: 'Development' url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} steps: diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 532efc4..9948969 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -41,7 +41,7 @@ jobs: runs-on: ubuntu-latest needs: build environment: - name: 'Production' + name: 'Development' url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} steps: diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index ae1cb87..a46026d 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -38,7 +38,7 @@ jobs: runs-on: ubuntu-latest needs: build environment: - name: Production + name: 'Development' url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} steps: diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index ab144ba..f3221c2 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -51,7 +51,7 @@ jobs: runs-on: ubuntu-latest needs: build environment: - name: 'Production' + name: 'Development' url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} steps: diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 261184b..936e0db 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -46,7 +46,7 @@ jobs: runs-on: ubuntu-latest needs: build environment: - name: 'Production' + name: 'Development' url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} steps: @@ -59,6 +59,6 @@ jobs: uses: azure/webapps-deploy@v2 id: deploy-to-webapp with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: . + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: . diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index a934a02..c4ba186 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -2,11 +2,11 @@ # More GitHub Actions for Azure: https://github.com/Azure/actions # More info on Python, GitHub Actions, and Azure App Service: https://aka.ms/python-webapps-actions -name: Build and deploy Python app to Azure Web App - __sitename__ +name: Build and deploy Python app to Azure Web App env: AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App - PYTHON_VERSION: '11' # set this to the Python version to use + PYTHON_VERSION: '3.8' # set this to the Python version to use on: push: @@ -48,7 +48,7 @@ jobs: runs-on: ubuntu-latest needs: build environment: - name: '__slotname__' + name: 'Development' url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} steps: @@ -62,6 +62,5 @@ jobs: uses: azure/webapps-deploy@v2 id: deploy-to-webapp with: - app-name: '__sitename__' - slot-name: '__slotname__' + app-name: ${{ env.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} diff --git a/deployments/properties/azure-webapps-container.properties.json b/deployments/properties/azure-webapps-container.properties.json index 1335e3a..fcd62b2 100644 --- a/deployments/properties/azure-webapps-container.properties.json +++ b/deployments/properties/azure-webapps-container.properties.json @@ -3,5 +3,5 @@ "description": "Build a container and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment"] -} \ No newline at end of file + "categories": ["Deployment", "Dockerfile"] +} diff --git a/deployments/properties/azure-webapps-donet-core.json b/deployments/properties/azure-webapps-dotnet-core.json similarity index 78% rename from deployments/properties/azure-webapps-donet-core.json rename to deployments/properties/azure-webapps-dotnet-core.json index 3ac2f8c..9074a2a 100644 --- a/deployments/properties/azure-webapps-donet-core.json +++ b/deployments/properties/azure-webapps-dotnet-core.json @@ -3,5 +3,5 @@ "description": "Build a .NET Core project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment"] -} \ No newline at end of file + "categories": ["Deployment", "C#", "dotNetCore"] +} diff --git a/deployments/properties/azure-webapps-java-jar.properties.json b/deployments/properties/azure-webapps-java-jar.properties.json index f2418fa..6654463 100644 --- a/deployments/properties/azure-webapps-java-jar.properties.json +++ b/deployments/properties/azure-webapps-java-jar.properties.json @@ -3,5 +3,5 @@ "description": "Build a Java project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment"] -} \ No newline at end of file + "categories": ["Deployment", "Java"] +} diff --git a/deployments/properties/azure-webapps-node.properties.json b/deployments/properties/azure-webapps-node.properties.json index 362d5d1..f24fd04 100644 --- a/deployments/properties/azure-webapps-node.properties.json +++ b/deployments/properties/azure-webapps-node.properties.json @@ -3,5 +3,5 @@ "description": "Build a Node.js project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment"] -} \ No newline at end of file + "categories": ["Deployment", "Node"] +} diff --git a/deployments/properties/azure-webapps-php.properties.json b/deployments/properties/azure-webapps-php.properties.json index 42fd724..48554de 100644 --- a/deployments/properties/azure-webapps-php.properties.json +++ b/deployments/properties/azure-webapps-php.properties.json @@ -3,5 +3,5 @@ "description": "Build a PHP app and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment"] -} \ No newline at end of file + "categories": ["Deployment", "PHP"] +} diff --git a/deployments/properties/azure-webapps-python.properties.json b/deployments/properties/azure-webapps-python.properties.json index f749848..73f0cf5 100644 --- a/deployments/properties/azure-webapps-python.properties.json +++ b/deployments/properties/azure-webapps-python.properties.json @@ -3,5 +3,5 @@ "description": "Build a Python app and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment"] -} \ No newline at end of file + "categories": ["Deployment", "Python"] +} From b5113430d97e147627681b7acb9e8799b18338b0 Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Sun, 24 Oct 2021 21:46:13 -0700 Subject: [PATCH 086/300] Fix EOF --- deployments/azure-webapps-container.yml | 2 +- deployments/azure-webapps-java-jar.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-webapps-container.yml index e2dec98..66c49d8 100644 --- a/deployments/azure-webapps-container.yml +++ b/deployments/azure-webapps-container.yml @@ -56,4 +56,4 @@ jobs: with: app-name: ${{ env.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}' \ No newline at end of file + images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}' diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index a46026d..8e4f5fb 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -53,4 +53,4 @@ jobs: with: app-name: ${{ env.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: '*.jar' \ No newline at end of file + package: '*.jar' From c78dd727e93078bf584efad509341f4758d7ad5a Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Sun, 24 Oct 2021 21:47:00 -0700 Subject: [PATCH 087/300] Use latest versions --- deployments/azure-webapps-java-jar.yml | 2 +- deployments/azure-webapps-python.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 8e4f5fb..45ec6f8 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -21,7 +21,7 @@ jobs: - uses: actions/checkout@v2 - name: Set up Java version - uses: actions/setup-java@v1 + uses: actions/setup-java@v2.3.1 with: java-version: ${{ env.JAVA_VERSION }} diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index c4ba186..7ad005e 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -22,7 +22,7 @@ jobs: - uses: actions/checkout@v2 - name: Set up Python version - uses: actions/setup-python@v1 + uses: actions/setup-python@v2.2.2 with: python-version: ${{ env.PYTHON_VERSION }} From 87a12c3391c7e723a2a49fd712ae8407d8c457dd Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Mon, 25 Oct 2021 19:30:04 +0530 Subject: [PATCH 088/300] Undo bug bash changes and Sync with the main branch (#1193) * Added Cloudrail according to instructions and existing examples * Adding Cloudrail according to documentation and examples * Oops * Add original Fortify on Demand workflow * Update Fortify on Demand workflow * Update Fortify on Demand supported languages * Add 3rd-party GitHub Actions disclaimer * Sysdig Secure Inline Scan with SARIF report to starter workflows * Added some extra comments, Github Actions V2 and changed env vars * Reviews from PR #1110 * Adding 'Dockerfile' to category list * Update according to PR review comments * File renames as requested in PR comments * Revert "Azure Data Factory CI starter workflow (#1111)" (#1146) This reverts commit 7f30309ccedb0e3dee186e0ee58c232752a78e24. * use env variables for user-set values (#1117) Co-authored-by: Josh Gross * Apply suggestions from nickfyson's code review Co-authored-by: Nick Fyson * removing "deployment" templates from sync-ghes (#1127) * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Changed svg logo * Rename sysdig.svg to sysdig-scan.svg * Switched svg logo (again) for a better fit * Rename fortify.json to fortify.properties.json * Correct character-case of "c" in Cloudrail * AWS template also used Docker * trigger on push instead of release (#1157) Co-authored-by: Josh Gross * Added new templates for 3 clouds. * Revert "Added new templates for 3 clouds." This reverts commit c765d6316fb380d15d81206ede83b0042cdac377. * Add workflow for Microsoft C++ Code Analysis * Updated action to meet guidelines * correct typo in msvc.properties.json * Removed the dummy templates used in bug_bash. Co-authored-by: Yoni Leitersdorf Co-authored-by: Ruud Senden Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com> Co-authored-by: Manuel Boira Cuevas Co-authored-by: manuelbcd Co-authored-by: Nick Fyson Co-authored-by: Sarah Edwards Co-authored-by: Josh Gross Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Co-authored-by: manuelbcd Co-authored-by: Daniel Winsor --- deployments/aws_docker.yaml | 81 ------------------- deployments/aws_node.yaml | 81 ------------------- deployments/azure_docker.yaml | 81 ------------------- .../properties/aws_dockerfile.properties.json | 7 -- .../properties/aws_node.properties.json | 7 -- .../properties/azure_docker.properties.json | 7 -- 6 files changed, 264 deletions(-) delete mode 100644 deployments/aws_docker.yaml delete mode 100644 deployments/aws_node.yaml delete mode 100644 deployments/azure_docker.yaml delete mode 100644 deployments/properties/aws_dockerfile.properties.json delete mode 100644 deployments/properties/aws_node.properties.json delete mode 100644 deployments/properties/azure_docker.properties.json diff --git a/deployments/aws_docker.yaml b/deployments/aws_docker.yaml deleted file mode 100644 index 0c789fa..0000000 --- a/deployments/aws_docker.yaml +++ /dev/null @@ -1,81 +0,0 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. -# -# To configure this workflow: -# -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. -# -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). -# -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). -# -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke - -name: Build and Deploy to GKE - -on: - push: - branches: - - $default-branch - -env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - IMAGE: static-site - -jobs: - setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v2 - - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v0.2.0 - with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker - - # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v0.2.1 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY }} - - # Build the Docker image - - name: Build - run: |- - docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - - # Push the Docker image to Google Container Registry - - name: Publish - run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide \ No newline at end of file diff --git a/deployments/aws_node.yaml b/deployments/aws_node.yaml deleted file mode 100644 index 267d3cb..0000000 --- a/deployments/aws_node.yaml +++ /dev/null @@ -1,81 +0,0 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. -# -# To configure this workflow: -# -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. -# -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). -# -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). -# -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke - -name: Build and Deploy to GKE - -on: - push: - branches: - - $default-branch - -env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - IMAGE: static-site - -jobs: - setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v2 - - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v0.2.0 - with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker - - # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v0.2.1 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY }} - - # Build the Docker image - - name: Build - run: |- - docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - - # Push the Docker image to Google Container Registry - - name: Publish - run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide diff --git a/deployments/azure_docker.yaml b/deployments/azure_docker.yaml deleted file mode 100644 index 0c789fa..0000000 --- a/deployments/azure_docker.yaml +++ /dev/null @@ -1,81 +0,0 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. -# -# To configure this workflow: -# -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. -# -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). -# -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). -# -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke - -name: Build and Deploy to GKE - -on: - push: - branches: - - $default-branch - -env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - IMAGE: static-site - -jobs: - setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v2 - - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v0.2.0 - with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker - - # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v0.2.1 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY }} - - # Build the Docker image - - name: Build - run: |- - docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - - # Push the Docker image to Google Container Registry - - name: Publish - run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide \ No newline at end of file diff --git a/deployments/properties/aws_dockerfile.properties.json b/deployments/properties/aws_dockerfile.properties.json deleted file mode 100644 index dc886ae..0000000 --- a/deployments/properties/aws_dockerfile.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "[Specific Docker] Deploy dockerfile to Amazon EKS", - "description": "Deploy a container to an Amazon EKS.", - "creator": "Amazon Web Services", - "iconName": "aws", - "categories": ["Deployment", "Dockerfile"] -} diff --git a/deployments/properties/aws_node.properties.json b/deployments/properties/aws_node.properties.json deleted file mode 100644 index 070837b..0000000 --- a/deployments/properties/aws_node.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "[Specific Node]Deploy to Amazon ECS", - "description": "Deploy a Node app to Amazon ECS service powered by AWS Fargate or Amazon EC2.", - "creator": "Amazon Web Services", - "iconName": "aws", - "categories": ["Deployment", "JavaScript", "npm"] -} diff --git a/deployments/properties/azure_docker.properties.json b/deployments/properties/azure_docker.properties.json deleted file mode 100644 index 840dcea..0000000 --- a/deployments/properties/azure_docker.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "[Specific Docker] Deploy dockerfile to AKS", - "description": "Build a dockerfile project and deploy it to AKS.", - "creator": "Microsoft Azure", - "iconName": "azure", - "categories": ["Deployment", "Dockerfile"] -} From 9ce2a5b56fdbf317dc8c33602b79858e9ecd8077 Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Mon, 25 Oct 2021 21:16:06 +0530 Subject: [PATCH 089/300] Dummy azure templates for showcasing the CD Ordering Behavior (#1194) * Rename "azure.yml" to Node-specific name * Add templates and properties for other languages * Add workflow for .NET Core * Add workflow and properties file for PHP * Updates from PR review * Fix EOF * Use latest versions * Renamed the file appropriately. Co-authored-by: Jason Freeberg --- deployments/dummy-azure-webapps-container.yml | 59 +++++++++++++++++ .../dummy-azure-webapps-dotnet-core.yml | 59 +++++++++++++++++ deployments/dummy-azure-webapps-java-jar.yml | 56 ++++++++++++++++ ...azure.yml => dummy-azure-webapps-node.yml} | 30 +++++++-- deployments/dummy-azure-webapps-php.yml | 64 ++++++++++++++++++ deployments/dummy-azure-webapps-python.yml | 66 +++++++++++++++++++ ...my-azure-webapps-container.properties.json | 7 ++ ...-azure-webapps-dotnet-core.properties.json | 7 ++ ...mmy-azure-webapps-java-jar.properties.json | 7 ++ ... dummy-azure-webapps-node.properties.json} | 2 +- .../dummy-azure-webapps-php.properties.json | 7 ++ ...dummy-azure-webapps-python.properties.json | 7 ++ 12 files changed, 364 insertions(+), 7 deletions(-) create mode 100644 deployments/dummy-azure-webapps-container.yml create mode 100644 deployments/dummy-azure-webapps-dotnet-core.yml create mode 100644 deployments/dummy-azure-webapps-java-jar.yml rename deployments/{azure.yml => dummy-azure-webapps-node.yml} (82%) create mode 100644 deployments/dummy-azure-webapps-php.yml create mode 100644 deployments/dummy-azure-webapps-python.yml create mode 100644 deployments/properties/dummy-azure-webapps-container.properties.json create mode 100644 deployments/properties/dummy-azure-webapps-dotnet-core.properties.json create mode 100644 deployments/properties/dummy-azure-webapps-java-jar.properties.json rename deployments/properties/{azure.properties.json => dummy-azure-webapps-node.properties.json} (73%) create mode 100644 deployments/properties/dummy-azure-webapps-php.properties.json create mode 100644 deployments/properties/dummy-azure-webapps-python.properties.json diff --git a/deployments/dummy-azure-webapps-container.yml b/deployments/dummy-azure-webapps-container.yml new file mode 100644 index 0000000..66c49d8 --- /dev/null +++ b/deployments/dummy-azure-webapps-container.yml @@ -0,0 +1,59 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# More GitHub Actions for Azure: https://github.com/Azure/actions + +name: Build and deploy a container to an Azure Web App + +env: + AZURE_WEBAPP_NAME: '' # set this to the name of your Azure Web App + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + + - name: Log in to GitHub container registry + uses: docker/login-action@v1 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Lowercase the repo name + run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} + + - name: Build and push container image to registry + uses: docker/build-push-action@v2 + with: + push: true + tags: ghcr.io/${{ env.REPO }}:${{ github.sha }} + file: ./Dockerfile + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Lowercase the repo name + run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} + + - name: Deploy to Azure Web App + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}' diff --git a/deployments/dummy-azure-webapps-dotnet-core.yml b/deployments/dummy-azure-webapps-dotnet-core.yml new file mode 100644 index 0000000..9948969 --- /dev/null +++ b/deployments/dummy-azure-webapps-dotnet-core.yml @@ -0,0 +1,59 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# More GitHub Actions for Azure: https://github.com/Azure/actions + +name: Build and deploy ASP.Net Core app to an Azure Web App + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + DOTNET_VERSION: '5' # set this to the .NET Core version to use + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Set up .NET Core + uses: actions/setup-dotnet@v1 + with: + dotnet-version: ${{ env.DOTNET_VERSION }} + + - name: Build with dotnet + run: dotnet build --configuration Release + + - name: dotnet publish + run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v2 + with: + name: .net-app + path: ${{env.DOTNET_ROOT}}/myapp + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: .net-app + + - name: Deploy to Azure Web App + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: . diff --git a/deployments/dummy-azure-webapps-java-jar.yml b/deployments/dummy-azure-webapps-java-jar.yml new file mode 100644 index 0000000..45ec6f8 --- /dev/null +++ b/deployments/dummy-azure-webapps-java-jar.yml @@ -0,0 +1,56 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# More GitHub Actions for Azure: https://github.com/Azure/actions + +name: Build and deploy JAR app to Azure Web App + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + JAVA_VERSION: '11' # set this to the Java version to use + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Set up Java version + uses: actions/setup-java@v2.3.1 + with: + java-version: ${{ env.JAVA_VERSION }} + + - name: Build with Maven + run: mvn clean install + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v2 + with: + name: java-app + path: '${{ github.workspace }}/target/*.jar' + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: java-app + + - name: Deploy to Azure Web App + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: '*.jar' diff --git a/deployments/azure.yml b/deployments/dummy-azure-webapps-node.yml similarity index 82% rename from deployments/azure.yml rename to deployments/dummy-azure-webapps-node.yml index 904ff25..62f7a8f 100644 --- a/deployments/azure.yml +++ b/deployments/dummy-azure-webapps-node.yml @@ -26,23 +26,41 @@ env: NODE_VERSION: '10.x' # set this to the node version to use jobs: - build-and-deploy: - name: Build and Deploy + build: runs-on: ubuntu-latest - environment: production steps: - uses: actions/checkout@v2 - - name: Use Node.js ${{ env.NODE_VERSION }} + + - name: Set up Node.js uses: actions/setup-node@v2 with: node-version: ${{ env.NODE_VERSION }} + - name: npm install, build, and test run: | - # Build and test the project, then - # deploy to Azure Web App. npm install npm run build --if-present npm run test --if-present + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v2 + with: + name: node-app + path: . + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: node-app + - name: 'Deploy to Azure WebApp' uses: azure/webapps-deploy@v2 with: diff --git a/deployments/dummy-azure-webapps-php.yml b/deployments/dummy-azure-webapps-php.yml new file mode 100644 index 0000000..5862766 --- /dev/null +++ b/deployments/dummy-azure-webapps-php.yml @@ -0,0 +1,64 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# More GitHub Actions for Azure: https://github.com/Azure/actions + +name: Build and deploy PHP app to Azure Web App + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to your application's name + AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root + PHP_VERSION: '10.x' # set this to the PHP version to use + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Setup PHP + uses: shivammathur/setup-php@v2 + with: + php-version: ${{ env.PHP_VERSION }} + + - name: Check if composer.json exists + id: check_files + uses: andstor/file-existence-action@v1 + with: + files: 'composer.json' + + - name: Run composer install if composer.json exists + if: steps.check_files.outputs.files_exists == 'true' + run: composer validate --no-check-publish && composer install --prefer-dist --no-progress + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v2 + with: + name: php-app + path: . + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: php-app + + - name: 'Deploy to Azure Web App' + uses: azure/webapps-deploy@v2 + id: deploy-to-webapp + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: . diff --git a/deployments/dummy-azure-webapps-python.yml b/deployments/dummy-azure-webapps-python.yml new file mode 100644 index 0000000..7ad005e --- /dev/null +++ b/deployments/dummy-azure-webapps-python.yml @@ -0,0 +1,66 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# More GitHub Actions for Azure: https://github.com/Azure/actions +# More info on Python, GitHub Actions, and Azure App Service: https://aka.ms/python-webapps-actions + +name: Build and deploy Python app to Azure Web App + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + PYTHON_VERSION: '3.8' # set this to the Python version to use + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Set up Python version + uses: actions/setup-python@v2.2.2 + with: + python-version: ${{ env.PYTHON_VERSION }} + + - name: Create and start virtual environment + run: | + python -m venv venv + source venv/bin/activate + + - name: Install dependencies + run: pip install -r requirements.txt + + # Optional: Add step to run tests here (PyTest, Django test suites, etc.) + + - name: Upload artifact for deployment jobs + uses: actions/upload-artifact@v2 + with: + name: python-app + path: | + . + !venv/ + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: python-app + path: . + + - name: 'Deploy to Azure Web App' + uses: azure/webapps-deploy@v2 + id: deploy-to-webapp + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} diff --git a/deployments/properties/dummy-azure-webapps-container.properties.json b/deployments/properties/dummy-azure-webapps-container.properties.json new file mode 100644 index 0000000..fcd62b2 --- /dev/null +++ b/deployments/properties/dummy-azure-webapps-container.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy a container to an Azure Web App", + "description": "Build a container and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Dockerfile"] +} diff --git a/deployments/properties/dummy-azure-webapps-dotnet-core.properties.json b/deployments/properties/dummy-azure-webapps-dotnet-core.properties.json new file mode 100644 index 0000000..9074a2a --- /dev/null +++ b/deployments/properties/dummy-azure-webapps-dotnet-core.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy a .NET Core app to an Azure Web App", + "description": "Build a .NET Core project and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "C#", "dotNetCore"] +} diff --git a/deployments/properties/dummy-azure-webapps-java-jar.properties.json b/deployments/properties/dummy-azure-webapps-java-jar.properties.json new file mode 100644 index 0000000..6654463 --- /dev/null +++ b/deployments/properties/dummy-azure-webapps-java-jar.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy a Java .jar app to an Azure Web App", + "description": "Build a Java project and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Java"] +} diff --git a/deployments/properties/azure.properties.json b/deployments/properties/dummy-azure-webapps-node.properties.json similarity index 73% rename from deployments/properties/azure.properties.json rename to deployments/properties/dummy-azure-webapps-node.properties.json index 90a3717..905267e 100644 --- a/deployments/properties/azure.properties.json +++ b/deployments/properties/dummy-azure-webapps-node.properties.json @@ -3,5 +3,5 @@ "description": "Build a Node.js project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "JavaScript", "npm"] + "categories": ["Deployment", "JavaScript", "TypeScript", "npm"] } \ No newline at end of file diff --git a/deployments/properties/dummy-azure-webapps-php.properties.json b/deployments/properties/dummy-azure-webapps-php.properties.json new file mode 100644 index 0000000..48554de --- /dev/null +++ b/deployments/properties/dummy-azure-webapps-php.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy a PHP app to an Azure Web App", + "description": "Build a PHP app and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "PHP"] +} diff --git a/deployments/properties/dummy-azure-webapps-python.properties.json b/deployments/properties/dummy-azure-webapps-python.properties.json new file mode 100644 index 0000000..73f0cf5 --- /dev/null +++ b/deployments/properties/dummy-azure-webapps-python.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy a Python app to an Azure Web App", + "description": "Build a Python app and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Python"] +} From c0fe29b09da4d6c929909465c322ce67c7cf7a94 Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Mon, 25 Oct 2021 22:06:21 +0530 Subject: [PATCH 090/300] Added Azure Id template back. (#1195) * Rename "azure.yml" to Node-specific name * Add templates and properties for other languages * Add workflow for .NET Core * Add workflow and properties file for PHP * Updates from PR review * Fix EOF * Use latest versions * Renamed the file appropriately. * Put the azure file back. * Added azure back. Co-authored-by: Jason Freeberg --- deployments/{dummy-azure-webapps-node.yml => azure.yml} | 0 ...y-azure-webapps-node.properties.json => azure.properties.json} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename deployments/{dummy-azure-webapps-node.yml => azure.yml} (100%) rename deployments/properties/{dummy-azure-webapps-node.properties.json => azure.properties.json} (100%) diff --git a/deployments/dummy-azure-webapps-node.yml b/deployments/azure.yml similarity index 100% rename from deployments/dummy-azure-webapps-node.yml rename to deployments/azure.yml diff --git a/deployments/properties/dummy-azure-webapps-node.properties.json b/deployments/properties/azure.properties.json similarity index 100% rename from deployments/properties/dummy-azure-webapps-node.properties.json rename to deployments/properties/azure.properties.json From 09b078fd769d655b44b5d6ce530d085d6b93cf13 Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Mon, 25 Oct 2021 21:40:31 -0400 Subject: [PATCH 091/300] Update code-scanning/mobsf.yml Co-authored-by: Nick Fyson --- code-scanning/mobsf.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 1da2611..689a1a0 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -26,7 +26,7 @@ jobs: python-version: 3.8 - name: Run mobsfscan - uses: MobSF/mobsfscan@main + uses: MobSF/mobsfscan@a60d10a83af68e23e0b30611c6515da604f06f65 with: args: . --sarif --output results.sarif || true From ed8c87df74c93fb5c021586db8653c55e7d99e00 Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Mon, 25 Oct 2021 21:40:48 -0400 Subject: [PATCH 092/300] Update code-scanning/properties/mobsf.properties.json Co-authored-by: Nick Fyson --- code-scanning/properties/mobsf.properties.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/code-scanning/properties/mobsf.properties.json b/code-scanning/properties/mobsf.properties.json index 6bca14e..a6afbfa 100644 --- a/code-scanning/properties/mobsf.properties.json +++ b/code-scanning/properties/mobsf.properties.json @@ -8,7 +8,6 @@ "Java", "Swift", "Objective-C", - "Kotlin", - "Mobile" + "Kotlin" ] } \ No newline at end of file From 767ba11df2322f72416beb52046b83f6d626a5bd Mon Sep 17 00:00:00 2001 From: Simona Cotin Date: Tue, 26 Oct 2021 13:15:05 +0200 Subject: [PATCH 093/300] update action version to v1 --- deployments/azure-staticwebapp.yml | 2 +- deployments/properties/azure-staticwebapp.properties.json | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml index d170d57..8e1faf7 100644 --- a/deployments/azure-staticwebapp.yml +++ b/deployments/azure-staticwebapp.yml @@ -58,7 +58,7 @@ jobs: steps: - name: Close Pull Request id: closepullrequest - uses: Azure/static-web-apps-deploy@latest + uses: Azure/static-web-apps-deploy@v1 with: azure_static_web_apps_api_token: ${{ env.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing api token for app action: "close" diff --git a/deployments/properties/azure-staticwebapp.properties.json b/deployments/properties/azure-staticwebapp.properties.json index 8bc5f6a..a2552b0 100644 --- a/deployments/properties/azure-staticwebapp.properties.json +++ b/deployments/properties/azure-staticwebapp.properties.json @@ -3,5 +3,5 @@ "description": "Build and deploy web application to an Azure Static Web App.", "creator": "Microsoft Azure", "iconName": "azure-staticwebapp", - "categories": ["Deployment", "React", "Angular", "Vue", "Svelte", "Gatsby", "Next", "Nuxt", "Jekyll"] -} \ No newline at end of file + "categories": ["Deployment", "React", "Angular", "Vue", "Svelte", "Gatsby", "Next", "Nuxt", "Jekyll", "Blazor"] +} From 83bdb0fcd6967ac99c2187051cd2e28defc282fb Mon Sep 17 00:00:00 2001 From: Daniel Winsor Date: Tue, 26 Oct 2021 21:37:36 -0700 Subject: [PATCH 094/300] Fixed typo in workflow that will cause every run to fail --- code-scanning/msvc.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index c6bb29f..2cd7b0f 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -43,7 +43,7 @@ jobs: with: cmakeBuildDirectory: ${{ env.build }} # Ruleset file that will determine what checks will be run - ruleset: NativeRecommendRules.ruleset + ruleset: NativeRecommendedRules.ruleset # Upload SARIF file to GitHub Code Scanning Alerts - name: Upload SARIF to GitHub From d9dc2c2f72f5b952d02905df5d9cbd586e8eb62b Mon Sep 17 00:00:00 2001 From: Daniel Winsor Date: Tue, 26 Oct 2021 21:48:19 -0700 Subject: [PATCH 095/300] Update commit SHA --- code-scanning/msvc.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 2cd7b0f..1503319 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -37,7 +37,7 @@ jobs: # run: cmake --build ${{ env.build }} - name: Initialize MSVC Code Analysis - uses: microsoft/msvc-code-analysis-action@502db28262ba134c9a621d5a509b9f7e696c99b6 + uses: microsoft/msvc-code-analysis-action@04825f6d9e00f87422d6bf04e1a38b1f3ed60d99 # Provide a unique ID to access the sarif output path id: run-analysis with: From 3893e3d7c85c519d9c6125372276812811dbac3b Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 27 Oct 2021 12:20:09 -0700 Subject: [PATCH 096/300] Add setup instructions to the top --- deployments/azure-webapps-container.yml | 20 ++++++++++++++-- deployments/azure-webapps-dotnet-core.yml | 23 ++++++++++++++++--- deployments/azure-webapps-java-jar.yml | 20 ++++++++++++++-- deployments/azure-webapps-node.yml | 25 ++++++++++++-------- deployments/azure-webapps-php.yml | 28 ++++++++++++++++++----- deployments/azure-webapps-python.yml | 23 +++++++++++++++---- 6 files changed, 112 insertions(+), 27 deletions(-) diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-webapps-container.yml index 66c49d8..18cc860 100644 --- a/deployments/azure-webapps-container.yml +++ b/deployments/azure-webapps-container.yml @@ -1,5 +1,21 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions +# This workflow will build and push a Docker container to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. +# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples name: Build and deploy a container to an Azure Web App diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 9948969..656136c 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -1,10 +1,27 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions +# This workflow will build and push a .NET Core app to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and DOTNET_VERSION environment variables below. +# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples name: Build and deploy ASP.Net Core app to an Azure Web App env: AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root DOTNET_VERSION: '5' # set this to the .NET Core version to use on: @@ -56,4 +73,4 @@ jobs: with: app-name: ${{ env.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: . + package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 45ec6f8..48e9e88 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -1,5 +1,21 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions +# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the JAVA_VERSION environment variable below. +# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples name: Build and deploy JAR app to Azure Web App diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index f3221c2..8c80255 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -1,23 +1,27 @@ -# This workflow will build and push a node.js application to an Azure Web App when a release is created. +# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/azure/app-service/app-service-plan-manage#create-an-app-service-plan +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli # # To configure this workflow: # -# 1. For Linux apps, add an app setting called WEBSITE_WEBDEPLOY_USE_SCM and set it to true in your app **before downloading the file**. -# For more instructions see: https://docs.microsoft.com/azure/app-service/configure-common#configure-app-settings +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials # -# 2. Set up a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE with the value of your Azure publish profile. +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. # For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret # -# 3. Change the values for the AZURE_WEBAPP_NAME, AZURE_WEBAPP_PACKAGE_PATH and NODE_VERSION environment variables (below). +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and NODE_VERSION environment variables below. # -# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions -# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples + on: - release: - types: [created] + push: + branches: + - $default-branch + workflow_dispatch: env: AZURE_WEBAPP_NAME: your-app-name # set this to your application's name @@ -61,6 +65,7 @@ jobs: name: node-app - name: 'Deploy to Azure WebApp' + id: deploy-to-webapp uses: azure/webapps-deploy@v2 with: app-name: ${{ env.AZURE_WEBAPP_NAME }} diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 936e0db..19af463 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -1,7 +1,23 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions +# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and PHP_VERSION environment variables below. +# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples -name: Build and deploy PHP app to Azure Web App - __sitename__ +name: Build and deploy PHP app to Azure Web App on: push: @@ -12,7 +28,7 @@ on: env: AZURE_WEBAPP_NAME: your-app-name # set this to your application's name AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - NODE_VERSION: '10.x' # set this to the PHP version to use + PHP_VERSION: '8.x' # set this to the PHP version to use jobs: build: @@ -24,7 +40,7 @@ jobs: - name: Setup PHP uses: shivammathur/setup-php@v2 with: - php-version: ${{ env.NODE_VERSION }} + php-version: ${{ env.PHP_VERSION }} - name: Check if composer.json exists id: check_files @@ -56,8 +72,8 @@ jobs: name: php-app - name: 'Deploy to Azure Web App' - uses: azure/webapps-deploy@v2 id: deploy-to-webapp + uses: azure/webapps-deploy@v2 with: app-name: ${{ env.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 7ad005e..208c8c1 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -1,6 +1,21 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions -# More info on Python, GitHub Actions, and Azure App Service: https://aka.ms/python-webapps-actions +# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and PYTHON_VERSION environment variables below. +# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples name: Build and deploy Python app to Azure Web App @@ -59,8 +74,8 @@ jobs: path: . - name: 'Deploy to Azure Web App' - uses: azure/webapps-deploy@v2 id: deploy-to-webapp + uses: azure/webapps-deploy@v2 with: app-name: ${{ env.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} From e176cd52cd2a6c5e8a5f15a500af05a40748416c Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 27 Oct 2021 12:20:29 -0700 Subject: [PATCH 097/300] Add more tech stack metadata to the properties files --- ...tnet-core.json => azure-webapps-dotnet-core.properties.json} | 0 deployments/properties/azure-webapps-java-jar.properties.json | 2 +- deployments/properties/azure-webapps-node.properties.json | 2 +- deployments/properties/azure-webapps-python.properties.json | 2 +- 4 files changed, 3 insertions(+), 3 deletions(-) rename deployments/properties/{azure-webapps-dotnet-core.json => azure-webapps-dotnet-core.properties.json} (100%) diff --git a/deployments/properties/azure-webapps-dotnet-core.json b/deployments/properties/azure-webapps-dotnet-core.properties.json similarity index 100% rename from deployments/properties/azure-webapps-dotnet-core.json rename to deployments/properties/azure-webapps-dotnet-core.properties.json diff --git a/deployments/properties/azure-webapps-java-jar.properties.json b/deployments/properties/azure-webapps-java-jar.properties.json index 6654463..289d95c 100644 --- a/deployments/properties/azure-webapps-java-jar.properties.json +++ b/deployments/properties/azure-webapps-java-jar.properties.json @@ -3,5 +3,5 @@ "description": "Build a Java project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "Java"] + "categories": ["Deployment", "Java", "Maven"] } diff --git a/deployments/properties/azure-webapps-node.properties.json b/deployments/properties/azure-webapps-node.properties.json index f24fd04..89a9542 100644 --- a/deployments/properties/azure-webapps-node.properties.json +++ b/deployments/properties/azure-webapps-node.properties.json @@ -3,5 +3,5 @@ "description": "Build a Node.js project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "Node"] + "categories": ["Deployment", "Javascript", "Typescript", "npm"] } diff --git a/deployments/properties/azure-webapps-python.properties.json b/deployments/properties/azure-webapps-python.properties.json index 73f0cf5..391af32 100644 --- a/deployments/properties/azure-webapps-python.properties.json +++ b/deployments/properties/azure-webapps-python.properties.json @@ -3,5 +3,5 @@ "description": "Build a Python app and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "Python"] + "categories": ["Deployment", "Python", "Django", "Flask", "Pip"] } From e1ca1f58becaa3ee88a3b990b3504f0010b3749d Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 27 Oct 2021 12:23:24 -0700 Subject: [PATCH 098/300] typos --- deployments/azure-webapps-container.yml | 2 +- .../properties/azure-webapps-dotnet-core.properties.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-webapps-container.yml index 18cc860..3fb2bbd 100644 --- a/deployments/azure-webapps-container.yml +++ b/deployments/azure-webapps-container.yml @@ -20,7 +20,7 @@ name: Build and deploy a container to an Azure Web App env: - AZURE_WEBAPP_NAME: '' # set this to the name of your Azure Web App + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App on: push: diff --git a/deployments/properties/azure-webapps-dotnet-core.properties.json b/deployments/properties/azure-webapps-dotnet-core.properties.json index 9074a2a..a9d5e20 100644 --- a/deployments/properties/azure-webapps-dotnet-core.properties.json +++ b/deployments/properties/azure-webapps-dotnet-core.properties.json @@ -3,5 +3,5 @@ "description": "Build a .NET Core project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "C#", "dotNetCore"] + "categories": ["Deployment", "C#", "aspNetCore"] } From c3c12f195022fed5b024d1c014e36f3370119723 Mon Sep 17 00:00:00 2001 From: Abir Majumdar Date: Wed, 27 Oct 2021 15:35:18 -0400 Subject: [PATCH 099/300] Adding pmd --- code-scanning/pmd.yml | 58 ++++++++++++++++++++ code-scanning/properties/pmd.properties.json | 19 +++++++ 2 files changed, 77 insertions(+) create mode 100644 code-scanning/pmd.yml create mode 100644 code-scanning/properties/pmd.properties.json diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml new file mode 100644 index 0000000..69596a4 --- /dev/null +++ b/code-scanning/pmd.yml @@ -0,0 +1,58 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: pmd + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + mobile-security: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Setup python + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: Run Full PMD Analysis on Apex Code + if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' + id: pmd-full-analysis + uses: abirismyname/pmd@master + with: + analyse-all-code: 'true' + pmd-version: 'latest' + file-path: './src' + rules-path: 'rulesets/apex/quickstart.xml' + + # - name: Run Full PMD Analysis on Java Code + # if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' + # id: pmd-full-analysis + # uses: abirismyname/pmd@master + # with: + # analyse-all-code: 'true' + # pmd-version: 'latest' + # file-path: './src' + # rules-path: 'rulesets/java/quickstart.xml' + + - name: Upload pmdscan report + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: pmd-output.sarif + + - name: No PMD Errors? + run: | + if ${{ steps.pmd-full-analysis.outputs.error-found }} ${{ steps.pmd-partial-analysis.outputs.error-found }} + then + exit 3 + fi diff --git a/code-scanning/properties/pmd.properties.json b/code-scanning/properties/pmd.properties.json new file mode 100644 index 0000000..8608022 --- /dev/null +++ b/code-scanning/properties/pmd.properties.json @@ -0,0 +1,19 @@ +{ + "name": "pmd", + "creator": "pmd", + "description": "PMD is a static source code analyzer. It finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth. It supports Java, JavaScript, Salesforce.com Apex and Visualforce, Modelica, PLSQL, Apache Velocity, XML, XSL, Scala.", + "iconName": "pmd", + "categories": [ + "Code Scanning", + "Java", + "JavaScript", + "Apex", + "Modelica", + "PLSQL", + "Apache Velocity", + "XML", + "XSl", + "Scala", + "Apex" + ] +} \ No newline at end of file From 1d8891efc2151b2290b1d93e8489f9b1f41bd047 Mon Sep 17 00:00:00 2001 From: rui Date: Thu, 28 Oct 2021 11:37:36 -0400 Subject: [PATCH 100/300] r: use setup-r@1 and include r@4 for starter (#1169) * r: use setup-r@1 and include r@4 for starter Signed-off-by: Rui Chen * use sha instead of tag for external action Co-authored-by: Josh Gross Co-authored-by: Josh Gross --- ci/r.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/r.yml b/ci/r.yml index f257fbd..305c2cf 100644 --- a/ci/r.yml +++ b/ci/r.yml @@ -19,12 +19,12 @@ jobs: runs-on: macos-latest strategy: matrix: - r-version: [3.5, 3.6] + r-version: ['3.6.3', '4.1.1'] steps: - uses: actions/checkout@v2 - name: Set up R ${{ matrix.r-version }} - uses: r-lib/actions/setup-r@ffe45a39586f073cc2e9af79c4ba563b657dc6e3 + uses: r-lib/actions/setup-r@f57f1301a053485946083d7a45022b278929a78a with: r-version: ${{ matrix.r-version }} - name: Install dependencies From de6c8cbcf0d4f8f40042d425fe053a22ac4beaa7 Mon Sep 17 00:00:00 2001 From: gambtho Date: Thu, 28 Oct 2021 22:58:17 -0400 Subject: [PATCH 101/300] add aks starter --- deployments/aks.yml | 76 ++++++++++++++++++++++ deployments/properties/aks.properties.json | 7 ++ 2 files changed, 83 insertions(+) create mode 100644 deployments/aks.yml create mode 100644 deployments/properties/aks.properties.json diff --git a/deployments/aks.yml b/deployments/aks.yml new file mode 100644 index 0000000..c235d28 --- /dev/null +++ b/deployments/aks.yml @@ -0,0 +1,76 @@ +# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code +# +# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# For instructions see https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal +# https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# +# To configure this workflow: +# +# 1. Set the following secrets in your repository: +# - AZURE_CREDENTIALS (instructions for getting this https://github.com/Azure/login#configure-a-service-principal-with-a-secret) +# +# 2. Set the following environment variables (or replace the values below): +# - AZURE_CONTAINER_REGISTRY (name of your container registry) +# - PROJECT_NAME +# - RESOURCE_GROUP (where your cluster is deployed) +# - CLUSTER_NAME (name of your AKS cluster) +# +# 3. Choose the approrpiate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes helm, then set +# any needed environment variables such as: +# - CHART_PATH +# - CHART_OVERRIDE_PATH +# +# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions +# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +# For more options with the actions used below please see the folllowing +# https://github.com/Azure/login +# https://github.com/Azure/aks-set-context +# https://github.com/marketplace/actions/azure-cli-action +# https://github.com/Azure/k8s-bake +# https://github.com/Azure/k8s-deploy + +on: [push] + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + + - name: Azure Login + uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Azure CLI script + uses: azure/CLI@v1 + with: + azcliversion: 2.29.1 + inlineScript: | + az configure --defaults acr=${{ env.AZURE_CONTAINER_REGISTRY }} + az acr build -t -t ${{ secrets.REGISTRY_URL }}/${{ env.PROJECT_NAME }}:${{ github.sha }} + + - uses: azure/aks-set-context@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + id: login + + - uses: azure/k8s-bake@v1 + with: + renderEngine: 'helm' + helmChart: ${{ env.CHART_PATH }} + overrideFiles: ${{ env.CHART_OVERRIDE_PATH }} + overrides: | + replicas:2 + helm-version: 'latest' + id: bake + + - uses: Azure/k8s-deploy@v1 + with: + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ secrets.REGISTRY_URL }}/${{ env.PROJECT_NAME }}:${{ github.sha }} + imagepullsecrets: | + ${{ env.PROJECT_NAME }} diff --git a/deployments/properties/aks.properties.json b/deployments/properties/aks.properties.json new file mode 100644 index 0000000..22c5550 --- /dev/null +++ b/deployments/properties/aks.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to a AKS Cluster", + "description": "Deploy an application to a Azure Kubernetes Service Cluster", + "creator": "Microsoft Azure", + "iconName": "aks", + "categories": ["Deployment", "AKS", "Kompose", "Helm", "Kustomize", "Kubernetes"] +} From 644f0a59aa2237d2a0917ed946edecf98b27db5a Mon Sep 17 00:00:00 2001 From: gambtho Date: Thu, 28 Oct 2021 23:05:42 -0400 Subject: [PATCH 102/300] step names and registry path --- deployments/aks.yml | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/deployments/aks.yml b/deployments/aks.yml index c235d28..65e3782 100644 --- a/deployments/aks.yml +++ b/deployments/aks.yml @@ -42,22 +42,24 @@ jobs: with: creds: ${{ secrets.AZURE_CREDENTIALS }} - - name: Azure CLI script + - name: Build image on ACR uses: azure/CLI@v1 with: azcliversion: 2.29.1 inlineScript: | - az configure --defaults acr=${{ env.AZURE_CONTAINER_REGISTRY }} - az acr build -t -t ${{ secrets.REGISTRY_URL }}/${{ env.PROJECT_NAME }}:${{ github.sha }} + az configure --defaults acr=${{ env.AZURE_CONTAINER_REGISTRY }} + az acr build -t -t ${{ secrets.REGISTRY_URL }}/${{ env.PROJECT_NAME }}:${{ github.sha }} - - uses: azure/aks-set-context@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} - id: login + - name: Gets K8s context + uses: azure/aks-set-context@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + id: login - - uses: azure/k8s-bake@v1 + - name: Configure deployment + uses: azure/k8s-bake@v1 with: renderEngine: 'helm' helmChart: ${{ env.CHART_PATH }} @@ -67,10 +69,11 @@ jobs: helm-version: 'latest' id: bake + - name: Deploys application - uses: Azure/k8s-deploy@v1 with: manifests: ${{ steps.bake.outputs.manifestsBundle }} images: | - ${{ secrets.REGISTRY_URL }}/${{ env.PROJECT_NAME }}:${{ github.sha }} + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }} imagepullsecrets: | ${{ env.PROJECT_NAME }} From cde6fc6c141cfaa1441a95bbb8b7bbf53065b977 Mon Sep 17 00:00:00 2001 From: Tom Gamble Date: Mon, 1 Nov 2021 09:41:55 -0400 Subject: [PATCH 103/300] Update aks.properties.json --- deployments/properties/aks.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployments/properties/aks.properties.json b/deployments/properties/aks.properties.json index 22c5550..a5c9f63 100644 --- a/deployments/properties/aks.properties.json +++ b/deployments/properties/aks.properties.json @@ -2,6 +2,6 @@ "name": "Deploy to a AKS Cluster", "description": "Deploy an application to a Azure Kubernetes Service Cluster", "creator": "Microsoft Azure", - "iconName": "aks", + "iconName": "azure", "categories": ["Deployment", "AKS", "Kompose", "Helm", "Kustomize", "Kubernetes"] } From 69f26d5fd6ff080f5e949cde398a9f46270ef32a Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 3 Nov 2021 17:58:38 -0700 Subject: [PATCH 104/300] Copy/paste error --- deployments/azure-webapps-java-jar.yml | 2 +- deployments/azure-webapps-php.yml | 2 +- deployments/azure-webapps-python.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 48e9e88..edb630e 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -1,4 +1,4 @@ -# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch. +# This workflow will build and push a Java application to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. # For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 19af463..0be746f 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -1,4 +1,4 @@ -# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch. +# This workflow will build and push a PHP application to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. # For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 208c8c1..6cb093b 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -1,4 +1,4 @@ -# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch. +# This workflow will build and push a Python application to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. # For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli From a561392dff9de9a2623fb6de09e74b551e5d451e Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 3 Nov 2021 18:02:06 -0700 Subject: [PATCH 105/300] Update azure-webapps-container.yml --- deployments/azure-webapps-container.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-webapps-container.yml index 3fb2bbd..823a36f 100644 --- a/deployments/azure-webapps-container.yml +++ b/deployments/azure-webapps-container.yml @@ -39,7 +39,7 @@ jobs: uses: docker/setup-buildx-action@v1 - name: Log in to GitHub container registry - uses: docker/login-action@v1 + uses: docker/login-action@v1.10.0 with: registry: ghcr.io username: ${{ github.actor }} From 5354877aa04d5e0970f648f356bc9d9f0a9c94b7 Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 3 Nov 2021 18:10:02 -0700 Subject: [PATCH 106/300] enable caching --- deployments/azure-webapps-java-jar.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index edb630e..e533f3f 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -40,6 +40,7 @@ jobs: uses: actions/setup-java@v2.3.1 with: java-version: ${{ env.JAVA_VERSION }} + cache: 'maven' - name: Build with Maven run: mvn clean install From 56c93ff7521bd818b4186cd504aba6e2b7b42643 Mon Sep 17 00:00:00 2001 From: rui Date: Mon, 8 Nov 2021 11:14:50 -0500 Subject: [PATCH 107/300] elixir: refresh dependencies (#1212) - setup action got renamed into `setup-beam` - update elixir and erlang versions --- ci/elixir.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/elixir.yml b/ci/elixir.yml index 3f64657..afe01be 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -15,10 +15,10 @@ jobs: steps: - uses: actions/checkout@v2 - name: Set up Elixir - uses: erlef/setup-elixir@885971a72ed1f9240973bd92ab57af8c1aa68f24 + uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f with: - elixir-version: '1.10.3' # Define the elixir version [required] - otp-version: '22.3' # Define the OTP version [required] + elixir-version: '1.12.3' # Define the elixir version [required] + otp-version: '24.1' # Define the OTP version [required] - name: Restore dependencies cache uses: actions/cache@v2 with: From d739e93e5ea8b39749d14c9c60f0002c99a0f924 Mon Sep 17 00:00:00 2001 From: Tom Gamble Date: Tue, 9 Nov 2021 07:01:43 -0500 Subject: [PATCH 108/300] Update aks.properties.json --- deployments/properties/aks.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployments/properties/aks.properties.json b/deployments/properties/aks.properties.json index a5c9f63..a510f3e 100644 --- a/deployments/properties/aks.properties.json +++ b/deployments/properties/aks.properties.json @@ -3,5 +3,5 @@ "description": "Deploy an application to a Azure Kubernetes Service Cluster", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "AKS", "Kompose", "Helm", "Kustomize", "Kubernetes"] + "categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes"] } From 50fcc151be4d81289d1e466265954becdd3cb56f Mon Sep 17 00:00:00 2001 From: Tom Gamble Date: Fri, 12 Nov 2021 07:11:40 -0500 Subject: [PATCH 109/300] Update aks.properties.json --- deployments/properties/aks.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/properties/aks.properties.json b/deployments/properties/aks.properties.json index a510f3e..a228aa2 100644 --- a/deployments/properties/aks.properties.json +++ b/deployments/properties/aks.properties.json @@ -1,7 +1,7 @@ { "name": "Deploy to a AKS Cluster", - "description": "Deploy an application to a Azure Kubernetes Service Cluster", + "description": "Deploy an application to a Azure Kubernetes Service Cluster using Azure Credentials", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes"] + "categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes, "Dockerfile"] } From 2f7dd7431854932290267a5ff770cd41b633e231 Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Mon, 15 Nov 2021 13:40:30 +0530 Subject: [PATCH 110/300] Dummy azure templates (#1249) * Rename "azure.yml" to Node-specific name * Add templates and properties for other languages * Add workflow for .NET Core * Add workflow and properties file for PHP * Updates from PR review * Fix EOF * Use latest versions * Renamed the file appropriately. * Put the azure file back. * Added azure back. * Revert "Dummy azure templates for showcasing the CD Ordering Behavior (#1194)" This reverts commit 9ce2a5b56fdbf317dc8c33602b79858e9ecd8077. Co-authored-by: Jason Freeberg --- deployments/azure.yml | 30 ++------- deployments/dummy-azure-webapps-container.yml | 59 ----------------- .../dummy-azure-webapps-dotnet-core.yml | 59 ----------------- deployments/dummy-azure-webapps-java-jar.yml | 56 ---------------- deployments/dummy-azure-webapps-php.yml | 64 ------------------ deployments/dummy-azure-webapps-python.yml | 66 ------------------- deployments/properties/azure.properties.json | 2 +- ...my-azure-webapps-container.properties.json | 7 -- ...-azure-webapps-dotnet-core.properties.json | 7 -- ...mmy-azure-webapps-java-jar.properties.json | 7 -- .../dummy-azure-webapps-php.properties.json | 7 -- ...dummy-azure-webapps-python.properties.json | 7 -- 12 files changed, 7 insertions(+), 364 deletions(-) delete mode 100644 deployments/dummy-azure-webapps-container.yml delete mode 100644 deployments/dummy-azure-webapps-dotnet-core.yml delete mode 100644 deployments/dummy-azure-webapps-java-jar.yml delete mode 100644 deployments/dummy-azure-webapps-php.yml delete mode 100644 deployments/dummy-azure-webapps-python.yml delete mode 100644 deployments/properties/dummy-azure-webapps-container.properties.json delete mode 100644 deployments/properties/dummy-azure-webapps-dotnet-core.properties.json delete mode 100644 deployments/properties/dummy-azure-webapps-java-jar.properties.json delete mode 100644 deployments/properties/dummy-azure-webapps-php.properties.json delete mode 100644 deployments/properties/dummy-azure-webapps-python.properties.json diff --git a/deployments/azure.yml b/deployments/azure.yml index 62f7a8f..904ff25 100644 --- a/deployments/azure.yml +++ b/deployments/azure.yml @@ -26,41 +26,23 @@ env: NODE_VERSION: '10.x' # set this to the node version to use jobs: - build: + build-and-deploy: + name: Build and Deploy runs-on: ubuntu-latest + environment: production steps: - uses: actions/checkout@v2 - - - name: Set up Node.js + - name: Use Node.js ${{ env.NODE_VERSION }} uses: actions/setup-node@v2 with: node-version: ${{ env.NODE_VERSION }} - - name: npm install, build, and test run: | + # Build and test the project, then + # deploy to Azure Web App. npm install npm run build --if-present npm run test --if-present - - - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 - with: - name: node-app - path: . - - deploy: - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - - steps: - - name: Download artifact from build job - uses: actions/download-artifact@v2 - with: - name: node-app - - name: 'Deploy to Azure WebApp' uses: azure/webapps-deploy@v2 with: diff --git a/deployments/dummy-azure-webapps-container.yml b/deployments/dummy-azure-webapps-container.yml deleted file mode 100644 index 66c49d8..0000000 --- a/deployments/dummy-azure-webapps-container.yml +++ /dev/null @@ -1,59 +0,0 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions - -name: Build and deploy a container to an Azure Web App - -env: - AZURE_WEBAPP_NAME: '' # set this to the name of your Azure Web App - -on: - push: - branches: - - $default-branch - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - - name: Log in to GitHub container registry - uses: docker/login-action@v1 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Lowercase the repo name - run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} - - - name: Build and push container image to registry - uses: docker/build-push-action@v2 - with: - push: true - tags: ghcr.io/${{ env.REPO }}:${{ github.sha }} - file: ./Dockerfile - - deploy: - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - - steps: - - name: Lowercase the repo name - run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} - - - name: Deploy to Azure Web App - id: deploy-to-webapp - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}' diff --git a/deployments/dummy-azure-webapps-dotnet-core.yml b/deployments/dummy-azure-webapps-dotnet-core.yml deleted file mode 100644 index 9948969..0000000 --- a/deployments/dummy-azure-webapps-dotnet-core.yml +++ /dev/null @@ -1,59 +0,0 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions - -name: Build and deploy ASP.Net Core app to an Azure Web App - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App - DOTNET_VERSION: '5' # set this to the .NET Core version to use - -on: - push: - branches: - - $default-branch - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - - name: Set up .NET Core - uses: actions/setup-dotnet@v1 - with: - dotnet-version: ${{ env.DOTNET_VERSION }} - - - name: Build with dotnet - run: dotnet build --configuration Release - - - name: dotnet publish - run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp - - - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 - with: - name: .net-app - path: ${{env.DOTNET_ROOT}}/myapp - - deploy: - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - - steps: - - name: Download artifact from build job - uses: actions/download-artifact@v2 - with: - name: .net-app - - - name: Deploy to Azure Web App - id: deploy-to-webapp - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: . diff --git a/deployments/dummy-azure-webapps-java-jar.yml b/deployments/dummy-azure-webapps-java-jar.yml deleted file mode 100644 index 45ec6f8..0000000 --- a/deployments/dummy-azure-webapps-java-jar.yml +++ /dev/null @@ -1,56 +0,0 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions - -name: Build and deploy JAR app to Azure Web App - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App - JAVA_VERSION: '11' # set this to the Java version to use - -on: - push: - branches: - - $default-branch - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - - name: Set up Java version - uses: actions/setup-java@v2.3.1 - with: - java-version: ${{ env.JAVA_VERSION }} - - - name: Build with Maven - run: mvn clean install - - - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 - with: - name: java-app - path: '${{ github.workspace }}/target/*.jar' - - deploy: - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - - steps: - - name: Download artifact from build job - uses: actions/download-artifact@v2 - with: - name: java-app - - - name: Deploy to Azure Web App - id: deploy-to-webapp - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: '*.jar' diff --git a/deployments/dummy-azure-webapps-php.yml b/deployments/dummy-azure-webapps-php.yml deleted file mode 100644 index 5862766..0000000 --- a/deployments/dummy-azure-webapps-php.yml +++ /dev/null @@ -1,64 +0,0 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions - -name: Build and deploy PHP app to Azure Web App - -on: - push: - branches: - - $default-branch - workflow_dispatch: - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - PHP_VERSION: '10.x' # set this to the PHP version to use - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - - name: Setup PHP - uses: shivammathur/setup-php@v2 - with: - php-version: ${{ env.PHP_VERSION }} - - - name: Check if composer.json exists - id: check_files - uses: andstor/file-existence-action@v1 - with: - files: 'composer.json' - - - name: Run composer install if composer.json exists - if: steps.check_files.outputs.files_exists == 'true' - run: composer validate --no-check-publish && composer install --prefer-dist --no-progress - - - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 - with: - name: php-app - path: . - - deploy: - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - - steps: - - name: Download artifact from build job - uses: actions/download-artifact@v2 - with: - name: php-app - - - name: 'Deploy to Azure Web App' - uses: azure/webapps-deploy@v2 - id: deploy-to-webapp - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: . diff --git a/deployments/dummy-azure-webapps-python.yml b/deployments/dummy-azure-webapps-python.yml deleted file mode 100644 index 7ad005e..0000000 --- a/deployments/dummy-azure-webapps-python.yml +++ /dev/null @@ -1,66 +0,0 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions -# More info on Python, GitHub Actions, and Azure App Service: https://aka.ms/python-webapps-actions - -name: Build and deploy Python app to Azure Web App - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App - PYTHON_VERSION: '3.8' # set this to the Python version to use - -on: - push: - branches: - - $default-branch - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - - name: Set up Python version - uses: actions/setup-python@v2.2.2 - with: - python-version: ${{ env.PYTHON_VERSION }} - - - name: Create and start virtual environment - run: | - python -m venv venv - source venv/bin/activate - - - name: Install dependencies - run: pip install -r requirements.txt - - # Optional: Add step to run tests here (PyTest, Django test suites, etc.) - - - name: Upload artifact for deployment jobs - uses: actions/upload-artifact@v2 - with: - name: python-app - path: | - . - !venv/ - - deploy: - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - - steps: - - name: Download artifact from build job - uses: actions/download-artifact@v2 - with: - name: python-app - path: . - - - name: 'Deploy to Azure Web App' - uses: azure/webapps-deploy@v2 - id: deploy-to-webapp - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} diff --git a/deployments/properties/azure.properties.json b/deployments/properties/azure.properties.json index 905267e..90a3717 100644 --- a/deployments/properties/azure.properties.json +++ b/deployments/properties/azure.properties.json @@ -3,5 +3,5 @@ "description": "Build a Node.js project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "JavaScript", "TypeScript", "npm"] + "categories": ["Deployment", "JavaScript", "npm"] } \ No newline at end of file diff --git a/deployments/properties/dummy-azure-webapps-container.properties.json b/deployments/properties/dummy-azure-webapps-container.properties.json deleted file mode 100644 index fcd62b2..0000000 --- a/deployments/properties/dummy-azure-webapps-container.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Deploy a container to an Azure Web App", - "description": "Build a container and deploy it to an Azure Web App.", - "creator": "Microsoft Azure", - "iconName": "azure", - "categories": ["Deployment", "Dockerfile"] -} diff --git a/deployments/properties/dummy-azure-webapps-dotnet-core.properties.json b/deployments/properties/dummy-azure-webapps-dotnet-core.properties.json deleted file mode 100644 index 9074a2a..0000000 --- a/deployments/properties/dummy-azure-webapps-dotnet-core.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Deploy a .NET Core app to an Azure Web App", - "description": "Build a .NET Core project and deploy it to an Azure Web App.", - "creator": "Microsoft Azure", - "iconName": "azure", - "categories": ["Deployment", "C#", "dotNetCore"] -} diff --git a/deployments/properties/dummy-azure-webapps-java-jar.properties.json b/deployments/properties/dummy-azure-webapps-java-jar.properties.json deleted file mode 100644 index 6654463..0000000 --- a/deployments/properties/dummy-azure-webapps-java-jar.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Deploy a Java .jar app to an Azure Web App", - "description": "Build a Java project and deploy it to an Azure Web App.", - "creator": "Microsoft Azure", - "iconName": "azure", - "categories": ["Deployment", "Java"] -} diff --git a/deployments/properties/dummy-azure-webapps-php.properties.json b/deployments/properties/dummy-azure-webapps-php.properties.json deleted file mode 100644 index 48554de..0000000 --- a/deployments/properties/dummy-azure-webapps-php.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Deploy a PHP app to an Azure Web App", - "description": "Build a PHP app and deploy it to an Azure Web App.", - "creator": "Microsoft Azure", - "iconName": "azure", - "categories": ["Deployment", "PHP"] -} diff --git a/deployments/properties/dummy-azure-webapps-python.properties.json b/deployments/properties/dummy-azure-webapps-python.properties.json deleted file mode 100644 index 73f0cf5..0000000 --- a/deployments/properties/dummy-azure-webapps-python.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Deploy a Python app to an Azure Web App", - "description": "Build a Python app and deploy it to an Azure Web App.", - "creator": "Microsoft Azure", - "iconName": "azure", - "categories": ["Deployment", "Python"] -} From b1b3ae86ee9db474a243c896fea923eeae001d79 Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Mon, 15 Nov 2021 13:47:17 +0530 Subject: [PATCH 111/300] Sync partner_templates with the main Branch. (#1250) * Added Cloudrail according to instructions and existing examples * Adding Cloudrail according to documentation and examples * Oops * Add original Fortify on Demand workflow * Update Fortify on Demand workflow * Update Fortify on Demand supported languages * Add 3rd-party GitHub Actions disclaimer * Sysdig Secure Inline Scan with SARIF report to starter workflows * Added some extra comments, Github Actions V2 and changed env vars * Reviews from PR #1110 * Adding 'Dockerfile' to category list * Update according to PR review comments * File renames as requested in PR comments * Revert "Azure Data Factory CI starter workflow (#1111)" (#1146) This reverts commit 7f30309ccedb0e3dee186e0ee58c232752a78e24. * use env variables for user-set values (#1117) Co-authored-by: Josh Gross * Apply suggestions from nickfyson's code review Co-authored-by: Nick Fyson * removing "deployment" templates from sync-ghes (#1127) * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Changed svg logo * Rename sysdig.svg to sysdig-scan.svg * Switched svg logo (again) for a better fit * Rename fortify.json to fortify.properties.json * Correct character-case of "c" in Cloudrail * AWS template also used Docker * trigger on push instead of release (#1157) Co-authored-by: Josh Gross * Adding MobSF starter workflow * Adhering to pull request guidelines * python: update to use python 3.10 Signed-off-by: Rui Chen * Added new templates for 3 clouds. * Revert "Added new templates for 3 clouds." This reverts commit c765d6316fb380d15d81206ede83b0042cdac377. * Add ruby and update workflow * Add workflow for Microsoft C++ Code Analysis * Updated action to meet guidelines * quote the version strings * correct typo in msvc.properties.json * Update codeql.properties.json * Update code-scanning/properties/codeql.properties.json Co-authored-by: Arthur Baars * Update codeql.properties.json * Update codeql.properties.json * Update code-scanning/mobsf.yml Co-authored-by: Nick Fyson * Update code-scanning/properties/mobsf.properties.json Co-authored-by: Nick Fyson * Fixed typo in workflow that will cause every run to fail * Update commit SHA * r: use setup-r@1 and include r@4 for starter (#1169) * r: use setup-r@1 and include r@4 for starter Signed-off-by: Rui Chen * use sha instead of tag for external action Co-authored-by: Josh Gross Co-authored-by: Josh Gross * elixir: refresh dependencies (#1212) - setup action got renamed into `setup-beam` - update elixir and erlang versions Co-authored-by: Yoni Leitersdorf Co-authored-by: Ruud Senden Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com> Co-authored-by: Manuel Boira Cuevas Co-authored-by: manuelbcd Co-authored-by: Nick Fyson Co-authored-by: Sarah Edwards Co-authored-by: Josh Gross Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Co-authored-by: manuelbcd Co-authored-by: Abir Majumdar Co-authored-by: Rui Chen Co-authored-by: David Verdeguer Co-authored-by: Daniel Winsor Co-authored-by: David Verdeguer <47184891+Daverlo@users.noreply.github.com> Co-authored-by: Arthur Baars Co-authored-by: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Co-authored-by: Marco Gario Co-authored-by: Andy McKay --- ci/elixir.yml | 6 +- ci/pylint.yml | 9 +- ci/python-app.yml | 4 +- ci/python-package-conda.yml | 4 +- ci/python-package.yml | 2 +- ci/r.yml | 4 +- code-scanning/codeql.yml | 3 +- code-scanning/mobsf.yml | 36 ++++++ code-scanning/msvc.yml | 6 +- .../properties/codeql.properties.json | 4 +- .../properties/mobsf.properties.json | 13 ++ icons/mobsf.svg | 114 ++++++++++++++++++ 12 files changed, 184 insertions(+), 21 deletions(-) create mode 100644 code-scanning/mobsf.yml create mode 100644 code-scanning/properties/mobsf.properties.json create mode 100644 icons/mobsf.svg diff --git a/ci/elixir.yml b/ci/elixir.yml index 3f64657..afe01be 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -15,10 +15,10 @@ jobs: steps: - uses: actions/checkout@v2 - name: Set up Elixir - uses: erlef/setup-elixir@885971a72ed1f9240973bd92ab57af8c1aa68f24 + uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f with: - elixir-version: '1.10.3' # Define the elixir version [required] - otp-version: '22.3' # Define the OTP version [required] + elixir-version: '1.12.3' # Define the elixir version [required] + otp-version: '24.1' # Define the OTP version [required] - name: Restore dependencies cache uses: actions/cache@v2 with: diff --git a/ci/pylint.yml b/ci/pylint.yml index 0805af7..10c49c6 100644 --- a/ci/pylint.yml +++ b/ci/pylint.yml @@ -4,15 +4,16 @@ on: [push] jobs: build: - runs-on: ubuntu-latest - + strategy: + matrix: + python-version: ["3.8", "3.9", "3.10"] steps: - uses: actions/checkout@v2 - - name: Set up Python 3.9 + - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v2 with: - python-version: 3.9 + python-version: ${{ matrix.python-version }} - name: Install dependencies run: | python -m pip install --upgrade pip diff --git a/ci/python-app.yml b/ci/python-app.yml index f6ad69a..2cfc2a3 100644 --- a/ci/python-app.yml +++ b/ci/python-app.yml @@ -16,10 +16,10 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up Python 3.9 + - name: Set up Python 3.10 uses: actions/setup-python@v2 with: - python-version: 3.9 + python-version: "3.10" - name: Install dependencies run: | python -m pip install --upgrade pip diff --git a/ci/python-package-conda.yml b/ci/python-package-conda.yml index 7bae7e2..9bd6d2b 100644 --- a/ci/python-package-conda.yml +++ b/ci/python-package-conda.yml @@ -10,10 +10,10 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up Python 3.8 + - name: Set up Python 3.10 uses: actions/setup-python@v2 with: - python-version: 3.8 + python-version: 3.10 - name: Add conda to system path run: | # $CONDA is an environment variable pointing to the root of the miniconda directory diff --git a/ci/python-package.yml b/ci/python-package.yml index b079b1c..b0a63cf 100644 --- a/ci/python-package.yml +++ b/ci/python-package.yml @@ -16,7 +16,7 @@ jobs: strategy: fail-fast: false matrix: - python-version: [3.7, 3.8, 3.9] + python-version: ["3.8", "3.9", "3.10"] steps: - uses: actions/checkout@v2 diff --git a/ci/r.yml b/ci/r.yml index f257fbd..305c2cf 100644 --- a/ci/r.yml +++ b/ci/r.yml @@ -19,12 +19,12 @@ jobs: runs-on: macos-latest strategy: matrix: - r-version: [3.5, 3.6] + r-version: ['3.6.3', '4.1.1'] steps: - uses: actions/checkout@v2 - name: Set up R ${{ matrix.r-version }} - uses: r-lib/actions/setup-r@ffe45a39586f073cc2e9af79c4ba563b657dc6e3 + uses: r-lib/actions/setup-r@f57f1301a053485946083d7a45022b278929a78a with: r-version: ${{ matrix.r-version }} - name: Install dependencies diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index b32675e..57b4b69 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -34,8 +34,7 @@ jobs: matrix: language: [ $detected-codeql-languages ] # CodeQL supports [ $supported-codeql-languages ] - # Learn more: - # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed + # Learn more about CodeQL language support at https://git.io/codeql-language-support steps: - name: Checkout repository diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml new file mode 100644 index 0000000..689a1a0 --- /dev/null +++ b/code-scanning/mobsf.yml @@ -0,0 +1,36 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: MobSF + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + mobile-security: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Setup python + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: Run mobsfscan + uses: MobSF/mobsfscan@a60d10a83af68e23e0b30611c6515da604f06f65 + with: + args: . --sarif --output results.sarif || true + + - name: Upload mobsfscan report + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif \ No newline at end of file diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index c6bb29f..f14ae3e 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -37,13 +37,13 @@ jobs: # run: cmake --build ${{ env.build }} - name: Initialize MSVC Code Analysis - uses: microsoft/msvc-code-analysis-action@502db28262ba134c9a621d5a509b9f7e696c99b6 + uses: microsoft/msvc-code-analysis-action@04825f6d9e00f87422d6bf04e1a38b1f3ed60d99 # Provide a unique ID to access the sarif output path id: run-analysis with: cmakeBuildDirectory: ${{ env.build }} # Ruleset file that will determine what checks will be run - ruleset: NativeRecommendRules.ruleset + ruleset: NativeRecommendedRules.ruleset # Upload SARIF file to GitHub Code Scanning Alerts - name: Upload SARIF to GitHub @@ -56,4 +56,4 @@ jobs: # uses: actions/upload-artifact@v2 # with: # name: sarif-file - # path: ${{ steps.run-analysis.outputs.sarif }} + # path: ${{ steps.run-analysis.outputs.sarif }} \ No newline at end of file diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index cb9305a..ddb4627 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -1,7 +1,7 @@ { "name": "CodeQL Analysis", "creator": "GitHub", - "description": "Security analysis from GitHub for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.", + "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.", "iconName": "octicon mark-github", - "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python"] + "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"] } diff --git a/code-scanning/properties/mobsf.properties.json b/code-scanning/properties/mobsf.properties.json new file mode 100644 index 0000000..a6afbfa --- /dev/null +++ b/code-scanning/properties/mobsf.properties.json @@ -0,0 +1,13 @@ +{ + "name": "mobsf", + "creator": "mobsf", + "description": "Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.", + "iconName": "mobsf", + "categories": [ + "Code Scanning", + "Java", + "Swift", + "Objective-C", + "Kotlin" + ] +} \ No newline at end of file diff --git a/icons/mobsf.svg b/icons/mobsf.svg new file mode 100644 index 0000000..46dd154 --- /dev/null +++ b/icons/mobsf.svg @@ -0,0 +1,114 @@ + + + + From 4f8abda415d1c6f0876a9a8060aba95a43d871ab Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Mon, 15 Nov 2021 18:03:36 +0530 Subject: [PATCH 112/300] Updated the azure properties file to the main branch version. (#1251) * Added Cloudrail according to instructions and existing examples * Adding Cloudrail according to documentation and examples * Oops * Add original Fortify on Demand workflow * Update Fortify on Demand workflow * Update Fortify on Demand supported languages * Add 3rd-party GitHub Actions disclaimer * Sysdig Secure Inline Scan with SARIF report to starter workflows * Added some extra comments, Github Actions V2 and changed env vars * Reviews from PR #1110 * Adding 'Dockerfile' to category list * Update according to PR review comments * File renames as requested in PR comments * Revert "Azure Data Factory CI starter workflow (#1111)" (#1146) This reverts commit 7f30309ccedb0e3dee186e0ee58c232752a78e24. * use env variables for user-set values (#1117) Co-authored-by: Josh Gross * Apply suggestions from nickfyson's code review Co-authored-by: Nick Fyson * removing "deployment" templates from sync-ghes (#1127) * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Changed svg logo * Rename sysdig.svg to sysdig-scan.svg * Switched svg logo (again) for a better fit * Rename fortify.json to fortify.properties.json * Correct character-case of "c" in Cloudrail * AWS template also used Docker * trigger on push instead of release (#1157) Co-authored-by: Josh Gross * Adding MobSF starter workflow * Adhering to pull request guidelines * python: update to use python 3.10 Signed-off-by: Rui Chen * Added new templates for 3 clouds. * Revert "Added new templates for 3 clouds." This reverts commit c765d6316fb380d15d81206ede83b0042cdac377. * Add ruby and update workflow * Add workflow for Microsoft C++ Code Analysis * Updated action to meet guidelines * quote the version strings * correct typo in msvc.properties.json * Update codeql.properties.json * Update code-scanning/properties/codeql.properties.json Co-authored-by: Arthur Baars * Update codeql.properties.json * Update codeql.properties.json * Update code-scanning/mobsf.yml Co-authored-by: Nick Fyson * Update code-scanning/properties/mobsf.properties.json Co-authored-by: Nick Fyson * Fixed typo in workflow that will cause every run to fail * Update commit SHA * r: use setup-r@1 and include r@4 for starter (#1169) * r: use setup-r@1 and include r@4 for starter Signed-off-by: Rui Chen * use sha instead of tag for external action Co-authored-by: Josh Gross Co-authored-by: Josh Gross * elixir: refresh dependencies (#1212) - setup action got renamed into `setup-beam` - update elixir and erlang versions * Updated to main branch version. Co-authored-by: Yoni Leitersdorf Co-authored-by: Ruud Senden Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com> Co-authored-by: Manuel Boira Cuevas Co-authored-by: manuelbcd Co-authored-by: Nick Fyson Co-authored-by: Sarah Edwards Co-authored-by: Josh Gross Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Co-authored-by: manuelbcd Co-authored-by: Abir Majumdar Co-authored-by: Rui Chen Co-authored-by: David Verdeguer Co-authored-by: Daniel Winsor Co-authored-by: David Verdeguer <47184891+Daverlo@users.noreply.github.com> Co-authored-by: Arthur Baars Co-authored-by: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Co-authored-by: Marco Gario Co-authored-by: Andy McKay --- deployments/properties/azure.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployments/properties/azure.properties.json b/deployments/properties/azure.properties.json index 90a3717..362d5d1 100644 --- a/deployments/properties/azure.properties.json +++ b/deployments/properties/azure.properties.json @@ -3,5 +3,5 @@ "description": "Build a Node.js project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "JavaScript", "npm"] + "categories": ["Deployment"] } \ No newline at end of file From f61ca9907b39f2023bf9abaa26adc2e0c56193d8 Mon Sep 17 00:00:00 2001 From: Keegan Saunders Date: Fri, 12 Nov 2021 09:55:14 -0500 Subject: [PATCH 113/300] Add NowSecure starter workflow --- code-scanning/nowsecure.yml | 52 +++++++++++++++++++ .../properties/nowsecure.properties.json | 21 ++++++++ icons/nowsecure.svg | 21 ++++++++ 3 files changed, 94 insertions(+) create mode 100644 code-scanning/nowsecure.yml create mode 100644 code-scanning/properties/nowsecure.properties.json create mode 100644 icons/nowsecure.svg diff --git a/code-scanning/nowsecure.yml b/code-scanning/nowsecure.yml new file mode 100644 index 0000000..92126bd --- /dev/null +++ b/code-scanning/nowsecure.yml @@ -0,0 +1,52 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# NowSecure: The Mobile Security Experts . +# +# To use this workflow, you must be an existing NowSecure customer with GitHub Advanced Security (GHAS) enabled for your +# repository. +# +# If you *are not* an existing customer, click here to contact us for licensing and pricing details: +# . +# +# Instructions: +# +# 1. In the settings for your repository, click "Secrets" then "New repository secret". Name the secret "NS_TOKEN" and +# paste in your Platform token. If you do not have a Platform token, or wish to create a new one for GitHub, visit +# NowSecure Platform and go to "Profile & Preferences" then create a token labelled "GitHub". +# +# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository +# and review the "Security" tab once the action has run. + +name: "NowSecure" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + +jobs: + nowsecure: + name: NowSecure + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Build your application + run: ./gradlew assembleDebug # Update this to build your Android or iOS application + + - name: Run NowSecure + uses: nowsecure/nowsecure-action@3b439db31b6dce857b09f5222fd13ffc3159ad26 + with: + token: ${{ secrets.NS_TOKEN }} + app_file: app-debug.apk # Update this to a path to your .ipa or .apk + group_id: {{ groupId }} # Update this to your desired Platform group ID + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: NowSecure.sarif diff --git a/code-scanning/properties/nowsecure.properties.json b/code-scanning/properties/nowsecure.properties.json new file mode 100644 index 0000000..dfc9f60 --- /dev/null +++ b/code-scanning/properties/nowsecure.properties.json @@ -0,0 +1,21 @@ +{ + "name": "NowSecure", + "creator": "NowSecure", + "description": "The NowSecure Action delivers fast, accurate, automated security analysis of iOS and Android apps coded in any language", + "iconName": "nowsecure", + "categories": [ + "Code Scanning", + "Java", + "Kotlin", + "Scala", + "Swift", + "Objective C", + "C", + "C++", + "C#", + "Rust", + "JavaScript", + "TypeScript", + "Node" + ] +} diff --git a/icons/nowsecure.svg b/icons/nowsecure.svg new file mode 100644 index 0000000..0cec9f3 --- /dev/null +++ b/icons/nowsecure.svg @@ -0,0 +1,21 @@ + + + + + + + + From 214aeaaafe01dc791220ab91d9043e79d34db66f Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Tue, 16 Nov 2021 09:43:18 -0800 Subject: [PATCH 114/300] Update quickstart link --- deployments/azure-webapps-container.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 2 +- deployments/azure-webapps-java-jar.yml | 2 +- deployments/azure-webapps-php.yml | 2 +- deployments/azure-webapps-python.yml | 4 ++-- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-webapps-container.yml index 823a36f..407279e 100644 --- a/deployments/azure-webapps-container.yml +++ b/deployments/azure-webapps-container.yml @@ -1,7 +1,7 @@ # This workflow will build and push a Docker container to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-custom-container?tabs=dotnet&pivots=container-linux # # To configure this workflow: # diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 656136c..fe81148 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -1,7 +1,7 @@ # This workflow will build and push a .NET Core app to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-dotnetcore?tabs=net60&pivots=development-environment-vscode # # To configure this workflow: # diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index e533f3f..f386250 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -1,7 +1,7 @@ # This workflow will build and push a Java application to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-java?tabs=javase&pivots=platform-linux # # To configure this workflow: # diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 0be746f..c900dfa 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -1,7 +1,7 @@ # This workflow will build and push a PHP application to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-php?pivots=platform-linux # # To configure this workflow: # diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 6cb093b..216742f 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -1,7 +1,7 @@ # This workflow will build and push a Python application to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-python?tabs=bash&pivots=python-framework-flask # # To configure this workflow: # @@ -11,7 +11,7 @@ # 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. # For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret # -# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and PYTHON_VERSION environment variables below. +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the PYTHON_VERSION environment variables below. # # For more information on GitHub Actions for Azure: https://github.com/Azure/Actions # For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy From 11147495c0f5cbaf48672a428f8914c23b23f914 Mon Sep 17 00:00:00 2001 From: gambtho Date: Thu, 18 Nov 2021 07:30:10 -0500 Subject: [PATCH 115/300] variable cleanup and comment additions --- deployments/aks.yml | 3 ++- deployments/properties/aks.properties.json | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/deployments/aks.yml b/deployments/aks.yml index 65e3782..08988ff 100644 --- a/deployments/aks.yml +++ b/deployments/aks.yml @@ -3,6 +3,7 @@ # This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) # For instructions see https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal # https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# https://github.com/Azure/aks-create-action # # To configure this workflow: # @@ -48,7 +49,7 @@ jobs: azcliversion: 2.29.1 inlineScript: | az configure --defaults acr=${{ env.AZURE_CONTAINER_REGISTRY }} - az acr build -t -t ${{ secrets.REGISTRY_URL }}/${{ env.PROJECT_NAME }}:${{ github.sha }} + az acr build -t -t ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }} - name: Gets K8s context uses: azure/aks-set-context@v1 diff --git a/deployments/properties/aks.properties.json b/deployments/properties/aks.properties.json index a228aa2..28f3725 100644 --- a/deployments/properties/aks.properties.json +++ b/deployments/properties/aks.properties.json @@ -3,5 +3,5 @@ "description": "Deploy an application to a Azure Kubernetes Service Cluster using Azure Credentials", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes, "Dockerfile"] + "categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes", "Dockerfile"] } From 42dcf88eb9dde18e9c0b9e05840c92d47d26a28c Mon Sep 17 00:00:00 2001 From: anaarmas <54946499+anaarmas@users.noreply.github.com> Date: Fri, 19 Nov 2021 16:41:15 +0100 Subject: [PATCH 116/300] add detekt workflow --- code-scanning/detekt.yml | 109 ++++++++++++++++++ .../properties/detekt.properties.json | 9 ++ icons/detekt.svg | 32 +++++ 3 files changed, 150 insertions(+) create mode 100644 code-scanning/detekt.yml create mode 100644 code-scanning/properties/detekt.properties.json create mode 100644 icons/detekt.svg diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml new file mode 100644 index 0000000..0edc8b5 --- /dev/null +++ b/code-scanning/detekt.yml @@ -0,0 +1,109 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow performs a static analysis of your Kotlin source code using +# Detekt. +# +# Scans are triggered: +# 1. On every push to default and protected branches +# 2. On every Pull Request targeting the default branch +# 3. On a weekly schedule +# 4. Manually, on demand, via the "workflow_dispatch" event +# +# The workflow should work with no modifications, but you might like to use a +# later version of the Detekt CLI by modifing the $DETEKT_RELEASE_TAG +# environment variable. +name: Scan with Detekt + +on: + # Triggers the workflow on push or pull request events but only for default and protected branches + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +env: + # Release tag associated with version of Detekt to be installed + # SARIF support (required for this workflow) was introduced in Detekt v1.15.0 + DETEKT_RELEASE_TAG: v1.15.0 + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + # This workflow contains a single job called "scan" + scan: + name: Scan + # The type of runner that the job will run on + runs-on: ubuntu-latest + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it + - uses: actions/checkout@v2 + + # Gets the download URL associated with the $DETEKT_RELEASE_TAG + - name: Get Detekt download URL + id: detekt_info + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + DETEKT_DOWNLOAD_URL=$( gh api graphql --field tagName=$DETEKT_RELEASE_TAG --raw-field query=' + query getReleaseAssetDownloadUrl($tagName: String!) { + repository(name: "detekt", owner: "detekt") { + release(tagName: $tagName) { + # it doesn't look like there is an alternative semantics for this with a specific SHA, is this release tag immutable? + releaseAssets(name: "detekt", first: 1) { + nodes { + downloadUrl + } + } + } + } + } + ' | \ + jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' ) + echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL" + + # Sets up the detekt cli + - name: Setup Detekt + run: | + dest=$( mktemp -d ) + curl --request GET \ + --url ${{ steps.detekt_info.outputs.download_url }} \ + --silent \ + --location \ + --output $dest/detekt + chmod a+x $dest/detekt + echo $dest >> $GITHUB_PATH + + # Performs static analysis using Detekt + - name: Run Detekt + continue-on-error: true + run: | + detekt --input ${{ github.workspace }} --report sarif:${{ github.workspace }}/detekt.sarif.json + + # Modifies the SARIF output produced by Detekt so that absolute URIs are relative + # This is so we can easily map results onto their source files + # This can be removed once relative URI support lands in Detekt: https://git.io/JLBbA + - name: Make artifact location URIs relative + continue-on-error: true + run: | + echo "$( + jq \ + --arg github_workspace ${{ github.workspace }} \ + '. | ( .runs[].results[].locations[].physicalLocation.artifactLocation.uri |= if test($github_workspace) then .[($github_workspace | length | . + 1):] else . end )' \ + ${{ github.workspace }}/detekt.sarif.json + )" > ${{ github.workspace }}/detekt.sarif.json + + # Uploads results to GitHub repository using the upload-sarif action + - uses: github/codeql-action/upload-sarif@v1 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: ${{ github.workspace }}/detekt.sarif.json + checkout_path: ${{ github.workspace }} diff --git a/code-scanning/properties/detekt.properties.json b/code-scanning/properties/detekt.properties.json new file mode 100644 index 0000000..d51a6ad --- /dev/null +++ b/code-scanning/properties/detekt.properties.json @@ -0,0 +1,9 @@ +{ + "name": "Detekt", + "creator": "Detekt", + "description": "Static code analysis for Kotlin", + "iconName": "detekt", + "categories": ["Code Scanning", "Kotlin"] +} + + \ No newline at end of file diff --git a/icons/detekt.svg b/icons/detekt.svg new file mode 100644 index 0000000..1526170 --- /dev/null +++ b/icons/detekt.svg @@ -0,0 +1,32 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From 52edf1b58088d3acb5c1444b65bf9988e1d1b498 Mon Sep 17 00:00:00 2001 From: anaarmas <54946499+anaarmas@users.noreply.github.com> Date: Fri, 19 Nov 2021 16:55:27 +0100 Subject: [PATCH 117/300] add a bunch of code scanning workflows --- code-scanning/42crunch.yml | 53 ++ code-scanning/anchore.yml | 39 + code-scanning/brakeman.yml | 51 ++ code-scanning/checkmarx.yml | 44 + code-scanning/codacy.yml | 54 ++ code-scanning/codescan.yml | 42 + code-scanning/njsscan.yml | 35 + code-scanning/ossar.yml | 49 ++ code-scanning/prisma.yml | 54 ++ .../properties/42crunch.properties.json | 7 + .../properties/anchore.properties.json | 7 + .../properties/brakeman.properties.json | 7 + .../properties/checkmarx.properties.json | 7 + .../properties/codacy.properties.json | 7 + .../properties/codescan.properties.json | 7 + .../properties/njsscan.properties.json | 7 + .../properties/ossar.properties.json | 7 + .../properties/prisma.properties.json | 7 + .../properties/rubocop.properties.json | 7 + .../securitycodescan.properties.json | 7 + .../properties/semgrep.properties.json | 7 + .../properties/shiftleft.properties.json | 7 + .../properties/snyk-container.properties.json | 7 + .../snyk-infrastructure.properties.json | 7 + .../properties/trivy.properties.json | 8 + .../properties/xanitizer.properties.json | 7 + code-scanning/rubocop.yml | 52 ++ code-scanning/securitycodescan.yml | 41 + code-scanning/semgrep.yml | 42 + code-scanning/shiftleft.yml | 47 ++ code-scanning/snyk-container.yml | 48 ++ code-scanning/snyk-infrastructure.yml | 47 ++ code-scanning/trivy.yml | 41 + code-scanning/xanitizer.yml | 92 +++ icons/42crunch.svg | 19 + icons/anchore.svg | 1 + icons/brakeman.svg | 464 +++++++++++ icons/checkmarx.svg | 14 + icons/codacy.svg | 16 + icons/codescan.svg | 69 ++ icons/njsscan.svg | 755 ++++++++++++++++++ icons/prisma.svg | 16 + icons/rubocop.svg | 1 + icons/securitycodescan.svg | 3 + icons/semgrep.svg | 4 + icons/shiftleft.svg | 6 + icons/snyk.svg | 31 + icons/trivy.svg | 93 +++ icons/xanitizer.svg | 50 ++ 49 files changed, 2493 insertions(+) create mode 100644 code-scanning/42crunch.yml create mode 100644 code-scanning/anchore.yml create mode 100644 code-scanning/brakeman.yml create mode 100644 code-scanning/checkmarx.yml create mode 100644 code-scanning/codacy.yml create mode 100644 code-scanning/codescan.yml create mode 100644 code-scanning/njsscan.yml create mode 100644 code-scanning/ossar.yml create mode 100644 code-scanning/prisma.yml create mode 100644 code-scanning/properties/42crunch.properties.json create mode 100644 code-scanning/properties/anchore.properties.json create mode 100644 code-scanning/properties/brakeman.properties.json create mode 100644 code-scanning/properties/checkmarx.properties.json create mode 100644 code-scanning/properties/codacy.properties.json create mode 100644 code-scanning/properties/codescan.properties.json create mode 100644 code-scanning/properties/njsscan.properties.json create mode 100644 code-scanning/properties/ossar.properties.json create mode 100644 code-scanning/properties/prisma.properties.json create mode 100644 code-scanning/properties/rubocop.properties.json create mode 100644 code-scanning/properties/securitycodescan.properties.json create mode 100644 code-scanning/properties/semgrep.properties.json create mode 100644 code-scanning/properties/shiftleft.properties.json create mode 100644 code-scanning/properties/snyk-container.properties.json create mode 100644 code-scanning/properties/snyk-infrastructure.properties.json create mode 100644 code-scanning/properties/trivy.properties.json create mode 100644 code-scanning/properties/xanitizer.properties.json create mode 100644 code-scanning/rubocop.yml create mode 100644 code-scanning/securitycodescan.yml create mode 100644 code-scanning/semgrep.yml create mode 100644 code-scanning/shiftleft.yml create mode 100644 code-scanning/snyk-container.yml create mode 100644 code-scanning/snyk-infrastructure.yml create mode 100644 code-scanning/trivy.yml create mode 100644 code-scanning/xanitizer.yml create mode 100644 icons/42crunch.svg create mode 100644 icons/anchore.svg create mode 100644 icons/brakeman.svg create mode 100644 icons/checkmarx.svg create mode 100644 icons/codacy.svg create mode 100644 icons/codescan.svg create mode 100644 icons/njsscan.svg create mode 100644 icons/prisma.svg create mode 100644 icons/rubocop.svg create mode 100644 icons/securitycodescan.svg create mode 100644 icons/semgrep.svg create mode 100644 icons/shiftleft.svg create mode 100644 icons/snyk.svg create mode 100644 icons/trivy.svg create mode 100644 icons/xanitizer.svg diff --git a/code-scanning/42crunch.yml b/code-scanning/42crunch.yml new file mode 100644 index 0000000..1d44bf9 --- /dev/null +++ b/code-scanning/42crunch.yml @@ -0,0 +1,53 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow locates REST API file contracts +# (Swagger or OpenAPI format, v2 and v3, JSON and YAML) +# and runs 200+ security checks on them using 42Crunch Security Audit technology. +# +# Documentation is located here: https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm +# +# To use this workflow, you will need to complete the following setup steps. +# +# 1. Create a free 42Crunch account at https://platform.42crunch.com/register +# +# 2. Follow steps at https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm +# to create an API Token on the 42Crunch platform +# +# 3. Add a secret in GitHub as explained in https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm, +# store the 42Crunch API Token in that secret, and supply the secret's name as api-token parameter in this workflow +# +# If you have any questions or need help contact https://support.42crunch.com + +name: "42Crunch REST API Static Security Testing" + +# follow standard Code Scanning triggers +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + rest-api-static-security-testing: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: 42Crunch REST API Static Security Testing + uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1 + with: + # Please create free account at https://platform.42crunch.com/register + # Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm + api-token: ${{ secrets.API_TOKEN }} + # Fail if any OpenAPI file scores lower than 75 + min-score: 75 + # Upload results to Github code scanning + upload-to-code-scanning: true + # Github token for uploading the results + github-token: ${{ github.token }} diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml new file mode 100644 index 0000000..d90f68c --- /dev/null +++ b/code-scanning/anchore.yml @@ -0,0 +1,39 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow checks out code, builds an image, performs a container image +# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security +# code scanning feature. For more information on the Anchore scan action usage +# and parameters, see https://github.com/anchore/scan-action. For more +# information on Anchore's container image scanning tool Grype, see +# https://github.com/anchore/grype +name: Anchore Container Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + Anchore-Build-Scan: + runs-on: ubuntu-latest + steps: + - name: Checkout the code + uses: actions/checkout@v2 + - name: Build the Docker image + run: docker build . --file Dockerfile --tag localbuild/testimage:latest + - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled + uses: anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd + with: + image: "localbuild/testimage:latest" + acs-report-enable: true + - name: Upload Anchore Scan Report + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif \ No newline at end of file diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml new file mode 100644 index 0000000..ae5215a --- /dev/null +++ b/code-scanning/brakeman.yml @@ -0,0 +1,51 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates Brakeman with GitHub's Code Scanning feature +# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications + +name: Brakeman Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + brakeman-scan: + name: Brakeman Scan + runs-on: ubuntu-latest + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout + uses: actions/checkout@v2 + + # Customize the ruby version depending on your needs + - name: Setup Ruby + uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf + with: + ruby-version: '2.7' + + - name: Setup Brakeman + env: + BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+ + run: | + gem install brakeman --version $BRAKEMAN_VERSION + + # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis + - name: Scan + continue-on-error: true + run: | + brakeman -f sarif -o output.sarif.json . + + # Upload the SARIF file generated in the previous step + - name: Upload SARIF + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: output.sarif.json diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml new file mode 100644 index 0000000..ee97108 --- /dev/null +++ b/code-scanning/checkmarx.yml @@ -0,0 +1,44 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This is a basic workflow to help you get started with Using Checkmarx CxFlow Action + +name: CxFlow + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action +jobs: + # This workflow contains a single job called "build" + build: + # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action + runs-on: ubuntu-latest + + # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it + - uses: actions/checkout@v2 + # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs + - name: Checkmarx CxFlow Action + uses: checkmarx-ts/checkmarx-cxflow-github-action@04e6403dbbfee0fd3fb076e5791202c31c54fe6b + with: + project: GithubActionTest + team: '\CxServer\SP\Checkmarx' + checkmarx_url: ${{ secrets.CHECKMARX_URL }} + checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} + checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} + checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} + # Upload the Report for CodeQL/Security Alerts + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: cx.sarif diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml new file mode 100644 index 0000000..50185ad --- /dev/null +++ b/code-scanning/codacy.yml @@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow checks out code, performs a Codacy security scan +# and integrates the results with the +# GitHub Advanced Security code scanning feature. For more information on +# the Codacy security scan action usage and parameters, see +# https://github.com/codacy/codacy-analysis-cli-action. +# For more information on Codacy Analysis CLI in general, see +# https://github.com/codacy/codacy-analysis-cli. + +name: Codacy Security Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + codacy-security-scan: + name: Codacy Security Scan + runs-on: ubuntu-latest + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout code + uses: actions/checkout@v2 + + # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis + - name: Run Codacy Analysis CLI + uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b + with: + # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository + # You can also omit the token and run the tools that support default configurations + project-token: ${{ secrets.CODACY_PROJECT_TOKEN }} + verbose: true + output: results.sarif + format: sarif + # Adjust severity of non-security issues + gh-code-scanning-compat: true + # Force 0 exit code to allow SARIF file generation + # This will handover control about PR rejection to the GitHub side + max-allowed-issues: 2147483647 + + # Upload the SARIF file generated in the previous step + - name: Upload SARIF results file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml new file mode 100644 index 0000000..5886843 --- /dev/null +++ b/code-scanning/codescan.yml @@ -0,0 +1,42 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow requires that you have an existing account with codescan.io +# For more information about configuring your workflow, +# read our documentation at https://github.com/codescan-io/codescan-scanner-action +name: CodeScan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + CodeScan: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v2 + - name: Cache files + uses: actions/cache@v2 + with: + path: | + ~/.sonar + key: ${{ runner.os }}-sonar + restore-keys: ${{ runner.os }}-sonar + - name: Run Analysis + uses: codescan-io/codescan-scanner-action@5b2e8c5683ef6a5adc8fa3b7950bb07debccce12 + with: + login: ${{ secrets.CODESCAN_AUTH_TOKEN }} + organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }} + projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }} + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: codescan.sarif diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml new file mode 100644 index 0000000..8077f76 --- /dev/null +++ b/code-scanning/njsscan.yml @@ -0,0 +1,35 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates njsscan with GitHub's Code Scanning feature +# nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications + +name: njsscan sarif + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + njsscan: + runs-on: ubuntu-latest + name: njsscan code scanning + steps: + - name: Checkout the code + uses: actions/checkout@v2 + - name: nodejsscan scan + id: njsscan + uses: ajinabraham/njsscan-action@7237412fdd36af517e2745077cedbf9d6900d711 + with: + args: '. --sarif --output results.sarif || true' + - name: Upload njsscan report + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml new file mode 100644 index 0000000..b5aefa4 --- /dev/null +++ b/code-scanning/ossar.yml @@ -0,0 +1,49 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates a collection of open source static analysis tools +# with GitHub code scanning. For documentation, or to provide feedback, visit +# https://github.com/github/ossar-action +name: OSSAR + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + OSSAR-Scan: + # OSSAR runs on windows-latest. + # ubuntu-latest and macos-latest support coming soon + runs-on: windows-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + # Ensure a compatible version of dotnet is installed. + # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. + # A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action. + # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped. + # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action: + # - name: Install .NET + # uses: actions/setup-dotnet@v1 + # with: + # dotnet-version: '3.1.x' + + # Run open source static analysis tools + - name: Run OSSAR + uses: github/ossar-action@v1 + id: ossar + + # Upload results to the Security tab + - name: Upload OSSAR results + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ${{ steps.ossar.outputs.sarifFile }} diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml new file mode 100644 index 0000000..5323d1b --- /dev/null +++ b/code-scanning/prisma.yml @@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow that checks for security issues using +# the Prisma Cloud Infrastructure as Code Scan Action on +# the IaC files present in the repository. +# The results are uploaded to GitHub Security Code Scanning +# +# For more details on the Action configuration see https://github.com/prisma-cloud-shiftleft/iac-scan-action + +name: Prisma Cloud IaC Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + prisma_cloud_iac_scan: + runs-on: ubuntu-latest + name: Run Prisma Cloud IaC Scan to check + steps: + - name: Checkout + uses: actions/checkout@v2 + - id: iac-scan + name: Run Scan on CFT files in the repository + uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3 + with: + # You will need Prisma Cloud API Access Token + # More details in https://github.com/prisma-cloud-shiftleft/iac-scan-action + prisma_api_url: ${{ secrets.PRISMA_CLOUD_API_URL }} + access_key: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }} + secret_key: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }} + # Scan sources on Prisma Cloud are uniquely identified by their name + asset_name: 'my-asset-name' + # The service need to know the type of IaC being scanned + template_type: 'CFT' + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + # Results are generated only on a success or failure + # this is required since GitHub by default won't run the next step + # when the previous one has failed. + # And alternative it to add `continue-on-error: true` to the previous step + if: success() || failure() + with: + # The SARIF Log file name is configurable on scan action + # therefore the file name is best read from the steps output + sarif_file: ${{ steps.iac-scan.outputs.iac_scan_result_sarif_path }} diff --git a/code-scanning/properties/42crunch.properties.json b/code-scanning/properties/42crunch.properties.json new file mode 100644 index 0000000..9fbeca9 --- /dev/null +++ b/code-scanning/properties/42crunch.properties.json @@ -0,0 +1,7 @@ +{ + "name": "42Crunch API Security Audit", + "creator": "42crunch", + "description": "Use the 42Crunch API Security Audit REST API to perform static application security testing (SAST) on OpenAPI/Swagger files.", + "iconName": "42crunch", + "categories": ["Code Scanning"] +} \ No newline at end of file diff --git a/code-scanning/properties/anchore.properties.json b/code-scanning/properties/anchore.properties.json new file mode 100644 index 0000000..d997da4 --- /dev/null +++ b/code-scanning/properties/anchore.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Anchore Container Scan", + "creator": "Indeni Cloudrail", + "description": "Produce container image vulnerability and compliance reports based on the open-source Anchore container image scanner.", + "iconName": "anchore", + "categories": ["Code Scanning", "dockerfile"] +} \ No newline at end of file diff --git a/code-scanning/properties/brakeman.properties.json b/code-scanning/properties/brakeman.properties.json new file mode 100644 index 0000000..5597919 --- /dev/null +++ b/code-scanning/properties/brakeman.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Brakeman", + "creator": "Brakeman", + "description": "Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications.", + "iconName": "brakeman", + "categories": ["Code Scanning", "ruby"] +} \ No newline at end of file diff --git a/code-scanning/properties/checkmarx.properties.json b/code-scanning/properties/checkmarx.properties.json new file mode 100644 index 0000000..473a103 --- /dev/null +++ b/code-scanning/properties/checkmarx.properties.json @@ -0,0 +1,7 @@ +{ + "name": "CxSAST", + "creator": "Checkmarx", + "description": "Scan your code with Checkmarx CxSAST and see your results in the GitHub security tab.", + "iconName": "checkmarx", + "categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "c", "c++", "ruby", "swift", "go", "json", "kotlin", "apex", "scala", "perl"] +} \ No newline at end of file diff --git a/code-scanning/properties/codacy.properties.json b/code-scanning/properties/codacy.properties.json new file mode 100644 index 0000000..4ee4362 --- /dev/null +++ b/code-scanning/properties/codacy.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Codacy Security Scan", + "creator": "Codacy", + "description": "Free, out-of-the-box, security analysis provided by multiple open source static analysis tools.", + "iconName": "codacy", + "categories": ["Code Scanning", "apex", "bash", "c", "coffeescript", "c++", "c#", "crystal", "dockerfile", "elixir", "go", "groovy", "java", "javascript", "jsp", "kotlin", "markdown", "php", "plsql", "powershell", "python", "ruby", "scala", "swift", "tsql", "typescript", "velocity", "vba", "xml"] +} \ No newline at end of file diff --git a/code-scanning/properties/codescan.properties.json b/code-scanning/properties/codescan.properties.json new file mode 100644 index 0000000..74b66ca --- /dev/null +++ b/code-scanning/properties/codescan.properties.json @@ -0,0 +1,7 @@ +{ + "name": "CodeScan", + "creator": "CodeScan Enterprises, LLC", + "description": "CodeScan allows for better visibility on your code quality checks based on your custom rulesets.", + "iconName": "codescan", + "categories": ["Code Scanning", "javascript", "apex"] +} \ No newline at end of file diff --git a/code-scanning/properties/njsscan.properties.json b/code-scanning/properties/njsscan.properties.json new file mode 100644 index 0000000..c6510a1 --- /dev/null +++ b/code-scanning/properties/njsscan.properties.json @@ -0,0 +1,7 @@ +{ + "name": "njsscan", + "creator": "NodeJSScan", + "description": "nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications.", + "iconName": "njsscan", + "categories": ["Code Scanning", "JavaScript", "TypeScript"] +} \ No newline at end of file diff --git a/code-scanning/properties/ossar.properties.json b/code-scanning/properties/ossar.properties.json new file mode 100644 index 0000000..d295205 --- /dev/null +++ b/code-scanning/properties/ossar.properties.json @@ -0,0 +1,7 @@ +{ + "name": "OSSAR", + "creator": "GitHub", + "description": "Run multiple open source security static analysis tools without the added complexity with OSSAR (Open Source Static Analysis Runner).", + "iconName": "octicon mark-github", + "categories": ["Code Scanning", "python", "javascript"] +} \ No newline at end of file diff --git a/code-scanning/properties/prisma.properties.json b/code-scanning/properties/prisma.properties.json new file mode 100644 index 0000000..7d8be17 --- /dev/null +++ b/code-scanning/properties/prisma.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Prisma Cloud IaC Scan", + "creator": "Palo Alto Prisma Cloud", + "description": "Scan your Infrastructure as Code files with Prisma Cloud to detect security issues", + "iconName": "prisma", + "categories": ["Code Scanning"] +} \ No newline at end of file diff --git a/code-scanning/properties/rubocop.properties.json b/code-scanning/properties/rubocop.properties.json new file mode 100644 index 0000000..79f026b --- /dev/null +++ b/code-scanning/properties/rubocop.properties.json @@ -0,0 +1,7 @@ +{ + "name": "RuboCop Linting", + "creator": "arthurnn", + "description": "A Ruby static code analyzer and formatter, based on the community Ruby style guide.", + "iconName": "rubocop", + "categories": ["Code Scanning", "ruby"] +} \ No newline at end of file diff --git a/code-scanning/properties/securitycodescan.properties.json b/code-scanning/properties/securitycodescan.properties.json new file mode 100644 index 0000000..aa57969 --- /dev/null +++ b/code-scanning/properties/securitycodescan.properties.json @@ -0,0 +1,7 @@ +{ + "name": "SecurityCodeScan", + "creator": "@security-code-scan", + "description": "Vulnerability Patterns Detector for C# and VB.NET", + "iconName": "securitycodescan", + "categories": ["Code Scanning", "C#", "Visual Basic .NET"] +} \ No newline at end of file diff --git a/code-scanning/properties/semgrep.properties.json b/code-scanning/properties/semgrep.properties.json new file mode 100644 index 0000000..5f74ed5 --- /dev/null +++ b/code-scanning/properties/semgrep.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Semgrep", + "creator": "Returntocorp", + "description": "Continuously run Semgrep to find bugs and enforce secure code standards. Start with 1k+ community rules or write your own in a few minutes.", + "iconName": "semgrep", + "categories": ["Code Scanning", "Go", "Java", "JavaScript", "JSON", "Python", "Ruby", "TypeScript", "JSX", "TSX"] +} \ No newline at end of file diff --git a/code-scanning/properties/shiftleft.properties.json b/code-scanning/properties/shiftleft.properties.json new file mode 100644 index 0000000..1cb36c9 --- /dev/null +++ b/code-scanning/properties/shiftleft.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Scan", + "creator": "ShiftLeft", + "description": "Scan is a free open-source security tool for modern DevOps teams from ShiftLeft.", + "iconName": "shiftleft", + "categories": ["Code Scanning"] +} \ No newline at end of file diff --git a/code-scanning/properties/snyk-container.properties.json b/code-scanning/properties/snyk-container.properties.json new file mode 100644 index 0000000..0b1ddb4 --- /dev/null +++ b/code-scanning/properties/snyk-container.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Snyk Container", + "creator": "Snyk", + "description": "Detect vulnerabilities in your container images and surface the issues in GitHub code scanning.", + "iconName": "snyk", + "categories": ["Code Scanning", "dockerfile"] +} \ No newline at end of file diff --git a/code-scanning/properties/snyk-infrastructure.properties.json b/code-scanning/properties/snyk-infrastructure.properties.json new file mode 100644 index 0000000..3680109 --- /dev/null +++ b/code-scanning/properties/snyk-infrastructure.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Snyk Infrastructure as Code", + "creator": "Snyk", + "description": "Detect vulnerabilities in your infrastructure as code files and surface the issues in GitHub code scanning.", + "iconName": "snyk", + "categories": ["Code Scanning"] +} \ No newline at end of file diff --git a/code-scanning/properties/trivy.properties.json b/code-scanning/properties/trivy.properties.json new file mode 100644 index 0000000..4f9613c --- /dev/null +++ b/code-scanning/properties/trivy.properties.json @@ -0,0 +1,8 @@ +{ + "name": "Trivy", + "creator": "Aqua Security", + "description": "Scan Docker container images for vulnerabilities in OS packages and language dependencies with Trivy from Aqua Security.", + "iconName": "trivy", + "categories": ["Code Scanning", "dockerfile"], + "enterprise_requirements": ["docker"] +} \ No newline at end of file diff --git a/code-scanning/properties/xanitizer.properties.json b/code-scanning/properties/xanitizer.properties.json new file mode 100644 index 0000000..6e578c3 --- /dev/null +++ b/code-scanning/properties/xanitizer.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Xanitizer", + "creator": "RIGS IT", + "description": "Automatically scan your code for vulnerabilities and generate compliance reports with the static security analysis tool Xanitizer (SAST).", + "iconName": "xanitizer", + "categories": ["Code Scanning", "javascript", "java", "scala", "typescript", "xml", "json"] +} \ No newline at end of file diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml new file mode 100644 index 0000000..373d5b6 --- /dev/null +++ b/code-scanning/rubocop.yml @@ -0,0 +1,52 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# pulled from repo +name: "Rubocop" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + rubocop: + runs-on: ubuntu-latest + strategy: + fail-fast: false + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + # If running on a self-hosted runner, check it meets the requirements + # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners + - name: Set up Ruby + uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf + with: + ruby-version: 2.6 + + # This step is not necessary if you add the gem to your Gemfile + - name: Install Code Scanning integration + run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install + + - name: Install dependencies + run: bundle install + + - name: Rubocop run + run: | + bash -c " + bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif + [[ $? -ne 2 ]] + " + + - name: Upload Sarif output + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: rubocop.sarif diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml new file mode 100644 index 0000000..3063c7a --- /dev/null +++ b/code-scanning/securitycodescan.yml @@ -0,0 +1,41 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates SecurityCodeScan with GitHub's Code Scanning feature +# SecurityCodeScan is a vulnerability patterns detector for C# and VB.NET + +name: SecurityCodeScan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + SCS: + runs-on: windows-latest + steps: + - uses: actions/checkout@v2 + - uses: nuget/setup-nuget@04b0c2b8d1b97922f67eca497d7cf0bf17b8ffe1 + - uses: microsoft/setup-msbuild@v1.0.2 + + - name: Set up projects for analysis + uses: security-code-scan/security-code-scan-add-action@f8ff4f2763ed6f229eded80b1f9af82ae7f32a0d + + - name: Restore dependencies + run: dotnet restore + + - name: Build + run: dotnet build --no-restore + + - name: Convert sarif for uploading to GitHub + uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687 + + - name: Upload sarif + uses: github/codeql-action/upload-sarif@v1 diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml new file mode 100644 index 0000000..827387b --- /dev/null +++ b/code-scanning/semgrep.yml @@ -0,0 +1,42 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow file requires a free account on Semgrep.dev to +# manage rules, file ignores, notifications, and more. +# +# See https://semgrep.dev/docs + +name: Semgrep + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + semgrep: + name: Scan + runs-on: ubuntu-latest + steps: + # Checkout project source + - uses: actions/checkout@v2 + + # Scan code using project's configuration on https://semgrep.dev/manage + - uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735 + with: + publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} + publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }} + generateSarif: "1" + + # Upload SARIF file generated in previous step + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: semgrep.sarif + if: always() diff --git a/code-scanning/shiftleft.yml b/code-scanning/shiftleft.yml new file mode 100644 index 0000000..48b86d3 --- /dev/null +++ b/code-scanning/shiftleft.yml @@ -0,0 +1,47 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates Scan with GitHub's code scanning feature +# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft +# Visit https://slscan.io/en/latest/integrations/code-scan for help +name: SL Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + Scan-Build: + # Scan runs on ubuntu, mac and windows + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + # Instructions + # 1. Setup JDK, Node.js, Python etc depending on your project type + # 2. Compile or build the project before invoking scan + # Example: mvn compile, or npm install or pip install goes here + # 3. Invoke Scan with the github token. Leave the workspace empty to use relative url + + - name: Perform Scan + uses: ShiftLeftSecurity/scan-action@39af9e54bc599c8077e710291d790175c9231f64 + env: + WORKSPACE: "" + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SCAN_AUTO_BUILD: true + with: + output: reports + # Scan auto-detects the languages in your project. To override uncomment the below variable and set the type + # type: credscan,java + # type: python + + - name: Upload report + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: reports diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml new file mode 100644 index 0000000..8ff2c9a --- /dev/null +++ b/code-scanning/snyk-container.yml @@ -0,0 +1,48 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which checks out the code, builds a container +# image using Docker and scans that image for vulnerabilities using +# Snyk. The results are then uploaded to GitHub Security Code Scanning +# +# For more examples, including how to limit scans to only high-severity +# issues, monitor images for newly disclosed vulnerabilities in Snyk and +# fail PR checks for new vulnerabilities, see https://github.com/snyk/actions/ + +name: Snyk Container + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + snyk: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Build a Docker image + run: docker build -t your/image-to-test . + - name: Run Snyk to check Docker image for vulnerabilities + # Snyk can be used to break the build when it detects vulnerabilities. + # In this case we want to upload the issues to GitHub Code Scanning + continue-on-error: true + uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4 + env: + # In order to use the Snyk Action you will need to have a Snyk API token. + # More details in https://github.com/snyk/actions#getting-your-snyk-token + # or you can signup for free at https://snyk.io/login + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: your/image-to-test + args: --file=Dockerfile + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: snyk.sarif diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml new file mode 100644 index 0000000..b79bf34 --- /dev/null +++ b/code-scanning/snyk-infrastructure.yml @@ -0,0 +1,47 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which checks out your Infrastructure as Code Configuration files, +# such as Kubernetes, Helm & Terraform and scans them for any security issues. +# The results are then uploaded to GitHub Security Code Scanning +# +# For more examples, including how to limit scans to only high-severity issues +# and fail PR checks, see https://github.com/snyk/actions/ + +name: Snyk Infrastructure as Code + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + snyk: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Run Snyk to check configuration files for security issues + # Snyk can be used to break the build when it detects security issues. + # In this case we want to upload the issues to GitHub Code Scanning + continue-on-error: true + uses: snyk/actions/iac@14818c4695ecc4045f33c9cee9e795a788711ca4 + env: + # In order to use the Snyk Action you will need to have a Snyk API token. + # More details in https://github.com/snyk/actions#getting-your-snyk-token + # or you can signup for free at https://snyk.io/login + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + # Add the path to the configuration file that you would like to test. + # For example `deployment.yaml` for a Kubernetes deployment manifest + # or `main.tf` for a Terraform configuration file + file: your-file-to-test.yaml + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: snyk.sarif diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml new file mode 100644 index 0000000..f778492 --- /dev/null +++ b/code-scanning/trivy.yml @@ -0,0 +1,41 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: build + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + build: + name: Build + runs-on: "ubuntu-18.04" + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Build an image from Dockerfile + run: | + docker build -t docker.io/my-organization/my-app:${{ github.sha }} . + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2 + with: + image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: 'trivy-results.sarif' diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml new file mode 100644 index 0000000..3bfb9ed --- /dev/null +++ b/code-scanning/xanitizer.yml @@ -0,0 +1,92 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow downloads and installs the latest version of Xanitizer, builds your project, runs a Xanitizer security analysis on it, +# and then archives the findings list reports and uploads the findings into the GitHub code scanning alert section of your repository. +# +# Documentation for the `RIGS-IT/xanitizer-action` is located here: https://github.com/RIGS-IT/xanitizer-action +# +# To use this basic workflow, you will need to complete the following setup steps: +# +# 1. The underlying Xanitizer, used in this workflow, needs a separate license file. +# Licenses are free of charge for open source projects and for educational usage. +# To get more information about the Xanitizer licenses and how to obtain a license file, +# please consult https://www.xanitizer.com/xanitizer-pricing/. +# +# 2. The content of the license file has to be stored as a GitHub secret (e.g. XANITIZER_LICENSE) on this repository. +# Please consult https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets for details. +# +# 3. Reference the GitHub secret in the step using the `RIGS-IT/xanitizer-action` GitHub action. +# Example: +# - name: Xanitizer Security Analysis +# uses: RIGS-IT/xanitizer-action@v1 +# with: +# license: ${{ secrets.XANITIZER_LICENSE }} +# +# 4. As a static application security testing (SAST) tool, +# Xanitizer requires that all dependencies of the artifacts being analyzed can be resolved successfully. +# So you have to install all used libraries and build your project before running the security analysis, +# e.g. via `mvn compile` for Java or `npm install` for JavaScript + +name: "Xanitizer Security Analysis" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + workflow_dispatch: + +jobs: + xanitizer-security-analysis: + # Xanitizer runs on ubuntu-latest and windows-latest. + runs-on: ubuntu-latest + + steps: + # Check out the repository + - name: Checkout + uses: actions/checkout@v2 + + # Set up the correct Java version for your project + # Please comment out, if your project does not contain Java source code. + - name: Set up JDK 11 + uses: actions/setup-java@v1 + with: + java-version: 11 + + # Compile the code for Java projects and get all libraries, e.g. via Maven + # Please adapt, if your project uses another build system to compile Java source code. + # Please comment out, if your project does not contain Java source code. + - name: Compile Java code + run: mvn -B compile + + # Install all dependent libraries for JavaScript/TypeScript projects, e.g. via npm + # Please adapt to run `npm install` in the correct directories. + # Please adapt, if your project uses another package manager for getting JavaScript libraries. + # Please comment out, if your project does not use a package manager for getting JavaScript libraries. + - name: Install JavaScript libraries + run: npm install + + # Run the security analysis with default settings + - name: Xanitizer Security Analysis + uses: RIGS-IT/xanitizer-action@87d13138fb113b727cbe040c744a15a2b4fe5316 + with: + license: ${{ secrets.XANITIZER_LICENSE }} + + # Archiving the findings list reports + - uses: actions/upload-artifact@v2 + with: + name: Xanitizer-Reports + path: | + *-Findings-List.pdf + *-Findings-List.sarif + + # Uploads the findings into the GitHub code scanning alert section using the upload-sarif action + - uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: Xanitizer-Findings-List.sarif diff --git a/icons/42crunch.svg b/icons/42crunch.svg new file mode 100644 index 0000000..96cd102 --- /dev/null +++ b/icons/42crunch.svg @@ -0,0 +1,19 @@ + + + + + + + + diff --git a/icons/anchore.svg b/icons/anchore.svg new file mode 100644 index 0000000..2381f20 --- /dev/null +++ b/icons/anchore.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/icons/brakeman.svg b/icons/brakeman.svg new file mode 100644 index 0000000..ce91881 --- /dev/null +++ b/icons/brakeman.svg @@ -0,0 +1,464 @@ + +image/svg+xml \ No newline at end of file diff --git a/icons/checkmarx.svg b/icons/checkmarx.svg new file mode 100644 index 0000000..6bf5ad3 --- /dev/null +++ b/icons/checkmarx.svg @@ -0,0 +1,14 @@ + + + + + + diff --git a/icons/codacy.svg b/icons/codacy.svg new file mode 100644 index 0000000..736d60c --- /dev/null +++ b/icons/codacy.svg @@ -0,0 +1,16 @@ + + + +codacy-white + + + + + + + + + + + diff --git a/icons/codescan.svg b/icons/codescan.svg new file mode 100644 index 0000000..5a44c2a --- /dev/null +++ b/icons/codescan.svg @@ -0,0 +1,69 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/icons/njsscan.svg b/icons/njsscan.svg new file mode 100644 index 0000000..a9989e8 --- /dev/null +++ b/icons/njsscan.svg @@ -0,0 +1,755 @@ + + + + diff --git a/icons/prisma.svg b/icons/prisma.svg new file mode 100644 index 0000000..dfb5fdf --- /dev/null +++ b/icons/prisma.svg @@ -0,0 +1,16 @@ + + + + + + + + + + + + + + + + diff --git a/icons/rubocop.svg b/icons/rubocop.svg new file mode 100644 index 0000000..3add056 --- /dev/null +++ b/icons/rubocop.svg @@ -0,0 +1 @@ + diff --git a/icons/securitycodescan.svg b/icons/securitycodescan.svg new file mode 100644 index 0000000..db0181a --- /dev/null +++ b/icons/securitycodescan.svg @@ -0,0 +1,3 @@ + + + diff --git a/icons/semgrep.svg b/icons/semgrep.svg new file mode 100644 index 0000000..1a3e2a9 --- /dev/null +++ b/icons/semgrep.svg @@ -0,0 +1,4 @@ + + + + diff --git a/icons/shiftleft.svg b/icons/shiftleft.svg new file mode 100644 index 0000000..f8e944a --- /dev/null +++ b/icons/shiftleft.svg @@ -0,0 +1,6 @@ + + + + + + diff --git a/icons/snyk.svg b/icons/snyk.svg new file mode 100644 index 0000000..8a934ac --- /dev/null +++ b/icons/snyk.svg @@ -0,0 +1,31 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/icons/trivy.svg b/icons/trivy.svg new file mode 100644 index 0000000..ba2d477 --- /dev/null +++ b/icons/trivy.svg @@ -0,0 +1,93 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/icons/xanitizer.svg b/icons/xanitizer.svg new file mode 100644 index 0000000..1d5fe16 --- /dev/null +++ b/icons/xanitizer.svg @@ -0,0 +1,50 @@ + +image/svg+xml \ No newline at end of file From 28856d6071d6bbeb7c0111aab7f0ef7f2b71bce1 Mon Sep 17 00:00:00 2001 From: Fedor Isakov Date: Fri, 19 Nov 2021 20:46:53 +0300 Subject: [PATCH 118/300] Update google deployment starter workflow --- deployments/google.yml | 47 ++++++++++--------- deployments/properties/google.properties.json | 2 +- 2 files changed, 27 insertions(+), 22 deletions(-) diff --git a/deployments/google.yml b/deployments/google.yml index 267d3cb..bfb5de6 100644 --- a/deployments/google.yml +++ b/deployments/google.yml @@ -4,11 +4,11 @@ # # 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. # -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). +# 2. Create and configure a Workload Identity Provider for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) # -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). +# 3. Change the values for the GAR_LOCATION, GKE_ZONE, GKE_CLUSTER, IMAGE, REPOSITORY and DEPLOYMENT_NAME environment variables (below). # -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke +# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke-kustomize name: Build and Deploy to GKE @@ -19,11 +19,17 @@ on: env: PROJECT_ID: ${{ secrets.GKE_PROJECT }} + GAR_LOCATION: us-central1 # TODO: update region of the Artifact Registry GKE_CLUSTER: cluster-1 # TODO: update to cluster name GKE_ZONE: us-central1-c # TODO: update to cluster zone DEPLOYMENT_NAME: gke-test # TODO: update to deployment name + REPOSITORY: samples # TODO: update to Artifact Registry docker repository IMAGE: static-site +permissions: + contents: 'read' + id-token: 'write' + jobs: setup-build-publish-deploy: name: Setup, Build, Publish, and Deploy @@ -34,48 +40,47 @@ jobs: - name: Checkout uses: actions/checkout@v2 - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v0.2.0 + # Configure Workload Identity Federation and generate an access token. + - id: 'auth' + name: 'Authenticate to Google Cloud' + uses: 'google-github-actions/auth@v0.4.0' with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker + token_format: 'access_token' + workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' + service_account: 'my-service-account@my-project.iam.gserviceaccount.com' + - name: Docker configuration + run: |- + echo ${{steps.auth.outputs.access_token}} | docker login -u oauth2accesstoken --password-stdin https://$GAR_LOCATION-docker.pkg.dev # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v0.2.1 + - name: Set up GKE credentials + uses: google-github-actions/get-gke-credentials@v0.4.0 with: cluster_name: ${{ env.GKE_CLUSTER }} location: ${{ env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY }} # Build the Docker image - name: Build run: |- docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ + --tag "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA" \ --build-arg GITHUB_SHA="$GITHUB_SHA" \ --build-arg GITHUB_REF="$GITHUB_REF" \ . - - # Push the Docker image to Google Container Registry + # Push the Docker image to Google Artifact Registry - name: Publish run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - + docker push "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA" # Set up kustomize - name: Set up Kustomize run: |- curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 chmod u+x ./kustomize - # Deploy the Docker image to the GKE cluster - name: Deploy run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA + # replacing the image name in the k8s template + ./kustomize edit set image LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE:TAG=$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA ./kustomize build . | kubectl apply -f - kubectl rollout status deployment/$DEPLOYMENT_NAME kubectl get services -o wide diff --git a/deployments/properties/google.properties.json b/deployments/properties/google.properties.json index 6318106..f1bd883 100644 --- a/deployments/properties/google.properties.json +++ b/deployments/properties/google.properties.json @@ -3,5 +3,5 @@ "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", "creator": "Google Cloud", "iconName": "googlegke", - "categories": ["Deployment", "Dockerfile"] + "categories": ["Deployment", "Dockerfile", "Kubernetes", "Kustomize"] } \ No newline at end of file From 499e38bc3ee1fea3ced5760aa8d1668e781b768e Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Mon, 22 Nov 2021 20:35:15 +0530 Subject: [PATCH 119/300] Added starter workflow to help you get started with APIsec-Scan Actions. --- code-scanning/apisec-scan.yml | 63 +++++++++++++++++++ .../properties/apisec-scan.properties.json | 24 +++++++ icons/apisec.svg | 17 +++++ 3 files changed, 104 insertions(+) create mode 100644 code-scanning/apisec-scan.yml create mode 100644 code-scanning/properties/apisec-scan.properties.json create mode 100644 icons/apisec.svg diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml new file mode 100644 index 0000000..55356ad --- /dev/null +++ b/code-scanning/apisec-scan.yml @@ -0,0 +1,63 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# APIsec addresses the critical need to secure APIs before they reach production. +# APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs. +# Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities. + +# How to Get Started with APIsec.ai +# 1. Schedule a demo at https://www.apisec.ai/request-a-demo . +# +# 2. Register your account at https://cloud.fxlabs.io/#/signup . +# +# 3. Register your API . See the video (https://www.youtube.com/watch?v=MK3Xo9Dbvac) to get up and running with APIsec quickly. +# +# 4. Get GitHub Actions scan attributes from APIsec Project -> Configurations -> Integrations -> CI-CD -> GitHub Actions +# +# apisec-run-scan +# +# This action triggers the on-demand scans for projects registered in APIsec. +# If your GitHub account allows code scanning alerts, you can then upload the sarif file generated by this action to show the scan findings. +# Else you can view the scan results from the project home page in APIsec Platform. +# The link to view the scan results is also displayed on the console on successful completion of action. + +# This is a starter workflow to help you get started with APIsec-Scan Actions + +name: APIsec + +# Controls when the workflow will run +on: + # Triggers the workflow on push or pull request events but only for the $default-branch branch + # Customize trigger events based on your DevSecOps processes. + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + + +jobs: + Trigger-APIsec-Scan: + runs-on: ubuntu-latest + + steps: + - name: APIsec Scan + uses: apisec-inc/apisec-run-scan@master + with: + # The APIsec username with which the scans will be executed + apisec-username: ${{ secrets.apisec_username }} + # The Password of the APIsec user with which the scans will be executed + apisec-password: ${{ secrets.apisec_password}} + # The name of the project for security scan + apisec-project: "VAmPI" + # The name of the sarif format result file The file is written only if this property is provided. + sarif-result-file: "apisec-results.sarif" + + - name: Import Results + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ./apisec-results.sarif \ No newline at end of file diff --git a/code-scanning/properties/apisec-scan.properties.json b/code-scanning/properties/apisec-scan.properties.json new file mode 100644 index 0000000..9e7db58 --- /dev/null +++ b/code-scanning/properties/apisec-scan.properties.json @@ -0,0 +1,24 @@ +{ + "name": "APIsec Scan", + "creator": "APIsec", + "description": "APIsec addresses the critical need to secure APIs before they reach production. APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs. Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities.", + "iconName": "apisec", + "categories": [ + "Code Scanning", + "C", + "C#", + "C++", + "Go", + "Java", + "JavaScript", + "Kotlin", + "Objective C", + "PHP", + "Python", + "Ruby", + "Rust", + "Scala", + "Swift", + "TypeScript" + ] +} diff --git a/icons/apisec.svg b/icons/apisec.svg new file mode 100644 index 0000000..664dfa9 --- /dev/null +++ b/icons/apisec.svg @@ -0,0 +1,17 @@ + + + Group + + + + \ No newline at end of file From 6439d558f42430c1a7e94c9ca7aa587dcbe8d1ed Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Mon, 22 Nov 2021 21:14:54 +0530 Subject: [PATCH 120/300] Updated the names as per the pull request checklist. --- code-scanning/apisec-scan.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 55356ad..67937ac 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -32,21 +32,23 @@ on: # Triggers the workflow on push or pull request events but only for the $default-branch branch # Customize trigger events based on your DevSecOps processes. push: - branches: [ $default-branch ] + branches: [ $default-branch, $protected-branches ] pull_request: branches: [ $default-branch ] + schedule: + - cron: $cron-weekly # Allows you to run this workflow manually from the Actions tab workflow_dispatch: jobs: - Trigger-APIsec-Scan: + Trigger APIsec scan: runs-on: ubuntu-latest steps: - - name: APIsec Scan - uses: apisec-inc/apisec-run-scan@master + - name: APIsec scan + uses: apisec-inc/apisec-run-scan@f62d0c6fae8a80f97b091a323befdb56e6ad9993 with: # The APIsec username with which the scans will be executed apisec-username: ${{ secrets.apisec_username }} @@ -57,7 +59,7 @@ jobs: # The name of the sarif format result file The file is written only if this property is provided. sarif-result-file: "apisec-results.sarif" - - name: Import Results + - name: Import results uses: github/codeql-action/upload-sarif@v1 with: sarif_file: ./apisec-results.sarif \ No newline at end of file From 0debae5ec754be64d660b4f9992796fa31f4f0db Mon Sep 17 00:00:00 2001 From: anaarmas <54946499+anaarmas@users.noreply.github.com> Date: Tue, 23 Nov 2021 09:37:32 +0100 Subject: [PATCH 121/300] fix crunch42 template id so it overrides old template as required --- code-scanning/{42crunch.yml => crunch42.yml} | 0 .../{42crunch.properties.json => crunch42.properties.json} | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename code-scanning/{42crunch.yml => crunch42.yml} (100%) rename code-scanning/properties/{42crunch.properties.json => crunch42.properties.json} (90%) diff --git a/code-scanning/42crunch.yml b/code-scanning/crunch42.yml similarity index 100% rename from code-scanning/42crunch.yml rename to code-scanning/crunch42.yml diff --git a/code-scanning/properties/42crunch.properties.json b/code-scanning/properties/crunch42.properties.json similarity index 90% rename from code-scanning/properties/42crunch.properties.json rename to code-scanning/properties/crunch42.properties.json index 9fbeca9..82ae816 100644 --- a/code-scanning/properties/42crunch.properties.json +++ b/code-scanning/properties/crunch42.properties.json @@ -1,6 +1,6 @@ { "name": "42Crunch API Security Audit", - "creator": "42crunch", + "creator": "42Crunch", "description": "Use the 42Crunch API Security Audit REST API to perform static application security testing (SAST) on OpenAPI/Swagger files.", "iconName": "42crunch", "categories": ["Code Scanning"] From c4dadecc05874dd13684bcea151993acf42199f7 Mon Sep 17 00:00:00 2001 From: anaarmas <54946499+anaarmas@users.noreply.github.com> Date: Tue, 23 Nov 2021 21:14:53 +0100 Subject: [PATCH 122/300] find a way to pin the SHA for detekt workflow template --- code-scanning/detekt.yml | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index 0edc8b5..a8610c3 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml @@ -53,21 +53,30 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - DETEKT_DOWNLOAD_URL=$( gh api graphql --field tagName=$DETEKT_RELEASE_TAG --raw-field query=' + gh api graphql --field tagName=$DETEKT_RELEASE_TAG --raw-field query=' query getReleaseAssetDownloadUrl($tagName: String!) { repository(name: "detekt", owner: "detekt") { release(tagName: $tagName) { - # it doesn't look like there is an alternative semantics for this with a specific SHA, is this release tag immutable? releaseAssets(name: "detekt", first: 1) { nodes { downloadUrl } } + tagCommit { + oid + } } } } - ' | \ - jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' ) + ' 1> gh_response.json + + DETEKT_RELEASE_SHA=$(jq --raw-output '.data.repository.release.releaseAssets.tagCommit.oid' gh_response.json) + if [ $DETEKT_RELEASE_SHA != "37f0a1d006977512f1f216506cd695039607c3e5" ]; then + echo "Release tag doesn't match expected commit SHA" + exit 1 + fi + + DETEKT_DOWNLOAD_URL=$(jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' gh_response.json) echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL" # Sets up the detekt cli From 8fd6550c33440825258777a9a357dabe11fd35b2 Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 24 Nov 2021 14:20:00 -0800 Subject: [PATCH 123/300] Revert overwrite from upstream pull --- deployments/azure-webapps-node.yml | 32 +++++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index a1330cc..fcfb75e 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -29,27 +29,45 @@ env: NODE_VERSION: '10.x' # set this to the node version to use jobs: - build-and-deploy: - name: Build and Deploy + build: runs-on: ubuntu-latest - environment: production steps: - uses: actions/checkout@v2 - - name: Use Node.js ${{ env.NODE_VERSION }} + + - name: Set up Node.js uses: actions/setup-node@v2 with: node-version: ${{ env.NODE_VERSION }} + - name: npm install, build, and test run: | - # Build and test the project, then - # deploy to Azure Web App. npm install npm run build --if-present npm run test --if-present + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v2 + with: + name: node-app + path: . + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: node-app + - name: 'Deploy to Azure WebApp' id: deploy-to-webapp uses: azure/webapps-deploy@v2 with: app-name: ${{ env.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} + package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} \ No newline at end of file From 278aa7a82e206a81e3a9057063117e4d94cf5356 Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 24 Nov 2021 14:26:16 -0800 Subject: [PATCH 124/300] Add dependency caching for .NET, Node, PHP, and Python workflows --- deployments/azure-webapps-dotnet-core.yml | 8 ++++++++ deployments/azure-webapps-node.yml | 1 + deployments/azure-webapps-php.yml | 15 +++++++++++++++ deployments/azure-webapps-python.yml | 8 ++++++++ 4 files changed, 32 insertions(+) diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index fe81148..7a2a84f 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -41,6 +41,14 @@ jobs: uses: actions/setup-dotnet@v1 with: dotnet-version: ${{ env.DOTNET_VERSION }} + + - name: Set up dependency caching for faster builds + uses: actions/cache@v2 + with: + path: ~/.nuget/packages + key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }} + restore-keys: | + ${{ runner.os }}-nuget- - name: Build with dotnet run: dotnet build --configuration Release diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index fcfb75e..8546fea 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -38,6 +38,7 @@ jobs: uses: actions/setup-node@v2 with: node-version: ${{ env.NODE_VERSION }} + cache: 'npm' - name: npm install, build, and test run: | diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index c900dfa..ad351dc 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -48,6 +48,21 @@ jobs: with: files: 'composer.json' + - name: Get Composer Cache Directory + id: composer-cache + if: steps.check_files.outputs.files_exists == 'true' + run: | + echo "::set-output name=dir::$(composer config cache-files-dir)" + + - name: Set up dependency caching for faster installs + uses: actions/cache@v2 + if: steps.check_files.outputs.files_exists == 'true' + with: + path: ${{ steps.composer-cache.outputs.dir }} + key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} + restore-keys: | + ${{ runner.os }}-composer- + - name: Run composer install if composer.json exists if: steps.check_files.outputs.files_exists == 'true' run: composer validate --no-check-publish && composer install --prefer-dist --no-progress diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 216742f..1212caa 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -46,6 +46,14 @@ jobs: python -m venv venv source venv/bin/activate + - name: Set up dependency caching for faster installs + uses: actions/cache@v2 + with: + path: ~/.cache/pip + key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }} + restore-keys: | + ${{ runner.os }}-pip- + - name: Install dependencies run: pip install -r requirements.txt From 1a67e08a9eb41fc63c6d5ef750ed6e8f37a9595a Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 24 Nov 2021 15:58:25 -0800 Subject: [PATCH 125/300] Update azure-webapps-container.yml --- deployments/azure-webapps-container.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-webapps-container.yml index 407279e..7c7bb2a 100644 --- a/deployments/azure-webapps-container.yml +++ b/deployments/azure-webapps-container.yml @@ -11,7 +11,14 @@ # 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. # For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret # -# 3. Change the value for the AZURE_WEBAPP_NAME. +# 3. Create a GitHub Personal access token with "repo" and "read:packages" permissions. +# +# 4. Create three app settings on your Azure Web app: +# DOCKER_REGISTRY_SERVER_URL: Set this to "https://ghcr.io" +# DOCKER_REGISTRY_SERVER_USERNAME: Set this to the GitHub username or organization that owns the repository +# DOCKER_REGISTRY_SERVER_PASSWORD: Set this to the value of your PAT token from the previous step +# +# 5. Change the value for the AZURE_WEBAPP_NAME. # # For more information on GitHub Actions for Azure: https://github.com/Azure/Actions # For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy @@ -43,9 +50,9 @@ jobs: with: registry: ghcr.io username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + password: ${{ github.token }} - - name: Lowercase the repo name + - name: Lowercase the repo name and username run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} - name: Build and push container image to registry @@ -63,7 +70,7 @@ jobs: url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} steps: - - name: Lowercase the repo name + - name: Lowercase the repo name and username run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} - name: Deploy to Azure Web App From b4ee59804382c997e64cf73a3ef4469686644589 Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Thu, 25 Nov 2021 10:03:14 +0000 Subject: [PATCH 126/300] use setup cache option instead of action --- deployments/azure-webapps-python.yml | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 1212caa..cb19cda 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -40,19 +40,12 @@ jobs: uses: actions/setup-python@v2.2.2 with: python-version: ${{ env.PYTHON_VERSION }} + cache: 'pip' - name: Create and start virtual environment run: | python -m venv venv source venv/bin/activate - - - name: Set up dependency caching for faster installs - uses: actions/cache@v2 - with: - path: ~/.cache/pip - key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }} - restore-keys: | - ${{ runner.os }}-pip- - name: Install dependencies run: pip install -r requirements.txt From 3258466b267d3c4857b4f962fced64d71f920d35 Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Mon, 29 Nov 2021 08:51:54 +0000 Subject: [PATCH 127/300] Adding commit sha for 3rd party actions --- deployments/azure-webapps-php.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index ad351dc..700f83a 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -38,13 +38,13 @@ jobs: - uses: actions/checkout@v2 - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@7c0b4c8c8ebed23eca9ec2802474895d105b11bc with: php-version: ${{ env.PHP_VERSION }} - name: Check if composer.json exists id: check_files - uses: andstor/file-existence-action@v1 + uses: andstor/file-existence-action@87d74d4732ddb824259d80c8a508c0124bf1c673 with: files: 'composer.json' From 1a37cd53451ca29b380e72f0f307050d81f9d589 Mon Sep 17 00:00:00 2001 From: anaarmas <54946499+anaarmas@users.noreply.github.com> Date: Fri, 19 Nov 2021 16:42:04 +0100 Subject: [PATCH 128/300] add veracode workflow --- .../properties/veracode.properties.json | 7 ++ code-scanning/veracode.yml | 66 +++++++++++++++++++ icons/veracode.svg | 1 + 3 files changed, 74 insertions(+) create mode 100644 code-scanning/properties/veracode.properties.json create mode 100644 code-scanning/veracode.yml create mode 100644 icons/veracode.svg diff --git a/code-scanning/properties/veracode.properties.json b/code-scanning/properties/veracode.properties.json new file mode 100644 index 0000000..e42ac9f --- /dev/null +++ b/code-scanning/properties/veracode.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Veracode Static Analysis", + "creator": "Veracode", + "description": "Get fast feedback on flaws with Veracode Static Analysis and the pipeline scan. Break the build based on flaw severity and CWE category.", + "iconName": "veracode", + "categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "c", "c++", "ruby", "swift", "go", "kotlin", "scala", "groovy", "tsql", "plsql", "perl", "cobol"] +} \ No newline at end of file diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml new file mode 100644 index 0000000..31fa989 --- /dev/null +++ b/code-scanning/veracode.yml @@ -0,0 +1,66 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow will initiate a Veracode Static Analysis Pipeline scan, return a results.json and convert to SARIF for upload as a code scanning alert + +name: Veracode Static Analysis Pipeline Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + # This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter + build-and-pipeline-scan: + # The type of runner that the job will run on + runs-on: ubuntu-latest + steps: + + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. Replace this section with your applications build steps + - uses: actions/checkout@v2 + with: + repository: '' + + - uses: vimtor/action-zip@5f1c4aa587ea41db1110df6a99981dbe19cee310 + with: + files: / + recursive: true + dest: veracode-pipeline-scan-results-to-sarif.zip + + - uses: actions/upload-artifact@v1 + with: + name: my-artifact + path: veracode-pipeline-scan-results-to-sarif.zip + + # download the Veracode Static Analysis Pipeline scan jar + - uses: wei/curl@012398a392d02480afa2720780031f8621d5f94c + with: + args: -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip + - run: unzip -o pipeline-scan-LATEST.zip + + - uses: actions/setup-java@v1 + with: + java-version: 1.8 + - run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-pipeline-scan-results-to-sarif.zip + continue-on-error: true + - uses: actions/upload-artifact@v1 + with: + name: ScanResults + path: results.json + - name: Convert pipeline scan output to SARIF format + id: convert + uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be + with: + pipeline-results-json: results.json + - uses: github/codeql-action/upload-sarif@v1 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: veracode-results.sarif diff --git a/icons/veracode.svg b/icons/veracode.svg new file mode 100644 index 0000000..6c70e79 --- /dev/null +++ b/icons/veracode.svg @@ -0,0 +1 @@ + \ No newline at end of file From b6299984305a9e6dfa939d1691051301339ed1d2 Mon Sep 17 00:00:00 2001 From: anaarmas <54946499+anaarmas@users.noreply.github.com> Date: Tue, 30 Nov 2021 09:56:40 +0100 Subject: [PATCH 129/300] replace unnecessary actions with shell commands --- code-scanning/veracode.yml | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index 31fa989..64c732f 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -29,11 +29,7 @@ jobs: with: repository: '' - - uses: vimtor/action-zip@5f1c4aa587ea41db1110df6a99981dbe19cee310 - with: - files: / - recursive: true - dest: veracode-pipeline-scan-results-to-sarif.zip + - run: zip -r veracode-pipeline-scan-results-to-sarif.zip ./ - uses: actions/upload-artifact@v1 with: @@ -41,9 +37,7 @@ jobs: path: veracode-pipeline-scan-results-to-sarif.zip # download the Veracode Static Analysis Pipeline scan jar - - uses: wei/curl@012398a392d02480afa2720780031f8621d5f94c - with: - args: -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip + - run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip - run: unzip -o pipeline-scan-LATEST.zip - uses: actions/setup-java@v1 From 3f39a5a76b03f05e551caec5165369544e4bf35f Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Wed, 1 Dec 2021 13:27:02 +0530 Subject: [PATCH 130/300] Removed the unwanted space in actions file. Updated the logo to have only the shield portion. --- code-scanning/apisec-scan.yml | 1 - icons/apisec.svg | 16 ++++------------ 2 files changed, 4 insertions(+), 13 deletions(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 67937ac..3aa06ca 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -58,7 +58,6 @@ jobs: apisec-project: "VAmPI" # The name of the sarif format result file The file is written only if this property is provided. sarif-result-file: "apisec-results.sarif" - - name: Import results uses: github/codeql-action/upload-sarif@v1 with: diff --git a/icons/apisec.svg b/icons/apisec.svg index 664dfa9..8b2760b 100644 --- a/icons/apisec.svg +++ b/icons/apisec.svg @@ -1,17 +1,9 @@ - - Group + + Fill 11 - \ No newline at end of file From 4238ac653e5124c1e1f118cc0b0bd428b8973953 Mon Sep 17 00:00:00 2001 From: Myles Borins Date: Wed, 1 Dec 2021 14:38:35 -0500 Subject: [PATCH 131/300] chore: split npm publish into 2 workflows (#1281) Currently we suggest that folks dual publish to both npm + gpr. There are a large number of edge cases related to doing this and IMHO it is not the best practice. Let's make two separate workflows. --- ci/npm-publish-github-packages.yml | 36 +++++++++++++++++++ ci/npm-publish.yml | 21 ++--------- ...pm-publish-github-packages.properties.json | 6 ++++ ci/properties/npm-publish.properties.json | 2 +- 4 files changed, 45 insertions(+), 20 deletions(-) create mode 100644 ci/npm-publish-github-packages.yml create mode 100644 ci/properties/npm-publish-github-packages.properties.json diff --git a/ci/npm-publish-github-packages.yml b/ci/npm-publish-github-packages.yml new file mode 100644 index 0000000..09ff0b3 --- /dev/null +++ b/ci/npm-publish-github-packages.yml @@ -0,0 +1,36 @@ +# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created +# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages + +name: Node.js Package + +on: + release: + types: [created] + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - uses: actions/setup-node@v2 + with: + node-version: 16 + - run: npm ci + - run: npm test + + publish-gpr: + needs: build + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + steps: + - uses: actions/checkout@v2 + - uses: actions/setup-node@v2 + with: + node-version: 16 + registry-url: $registry-url(npm) + - run: npm ci + - run: npm publish + env: + NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index 025976d..ef8c690 100644 --- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml @@ -14,7 +14,7 @@ jobs: - uses: actions/checkout@v2 - uses: actions/setup-node@v2 with: - node-version: 14 + node-version: 16 - run: npm ci - run: npm test @@ -25,26 +25,9 @@ jobs: - uses: actions/checkout@v2 - uses: actions/setup-node@v2 with: - node-version: 14 + node-version: 16 registry-url: https://registry.npmjs.org/ - run: npm ci - run: npm publish env: NODE_AUTH_TOKEN: ${{secrets.npm_token}} - - publish-gpr: - needs: build - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 - with: - node-version: 14 - registry-url: $registry-url(npm) - - run: npm ci - - run: npm publish - env: - NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} diff --git a/ci/properties/npm-publish-github-packages.properties.json b/ci/properties/npm-publish-github-packages.properties.json new file mode 100644 index 0000000..180b73a --- /dev/null +++ b/ci/properties/npm-publish-github-packages.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Publish Node.js Package to GitHub Packages", + "description": "Publishes a Node.js package to GitHub Packages.", + "iconName": "node-package-transparent", + "categories": ["Continuous integration", "JavaScript", "npm"] +} diff --git a/ci/properties/npm-publish.properties.json b/ci/properties/npm-publish.properties.json index 9371d7b..cc2c707 100644 --- a/ci/properties/npm-publish.properties.json +++ b/ci/properties/npm-publish.properties.json @@ -1,6 +1,6 @@ { "name": "Publish Node.js Package", - "description": "Publishes a Node.js package to npm and GitHub Packages.", + "description": "Publishes a Node.js package to npm.", "iconName": "node-package-transparent", "categories": ["Continuous integration", "JavaScript", "npm"] } From ce771c75d8e1fe4b0075873cdcfb9b55117af9d9 Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Wed, 1 Dec 2021 15:50:22 -0500 Subject: [PATCH 132/300] Referencing new official PMD github action --- code-scanning/pmd.yml | 52 ++++++++++++++----------------------------- 1 file changed, 17 insertions(+), 35 deletions(-) diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 69596a4..8689961 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -14,45 +14,27 @@ on: - cron: $cron-weekly jobs: - mobile-security: + pmd-code-scan: runs-on: ubuntu-latest - steps: - uses: actions/checkout@v2 - - - name: Setup python - uses: actions/setup-python@v2 + - name: Set up JDK 11 + uses: actions/setup-java@v2 with: - python-version: 3.8 - - - name: Run Full PMD Analysis on Apex Code - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' - id: pmd-full-analysis - uses: abirismyname/pmd@master + java-version: '11' + distribution: 'adopt' + cache: maven + - name: Run PMD + id: pmd + uses: pmd/pmd-github-action@v1 with: - analyse-all-code: 'true' - pmd-version: 'latest' - file-path: './src' - rules-path: 'rulesets/apex/quickstart.xml' - - # - name: Run Full PMD Analysis on Java Code - # if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' - # id: pmd-full-analysis - # uses: abirismyname/pmd@master - # with: - # analyse-all-code: 'true' - # pmd-version: 'latest' - # file-path: './src' - # rules-path: 'rulesets/java/quickstart.xml' - - - name: Upload pmdscan report + rulesets: 'rulesets/java/quickstart.xml' + sourcePath: 'src/main/java' + - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: pmd-output.sarif - - - name: No PMD Errors? - run: | - if ${{ steps.pmd-full-analysis.outputs.error-found }} ${{ steps.pmd-partial-analysis.outputs.error-found }} - then - exit 3 - fi + sarif_file: pmd-report.sarif + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: pmd-report.sarif \ No newline at end of file From d2bba6f2d932e0692a43de925bef2c57274303c8 Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Wed, 1 Dec 2021 16:03:49 -0500 Subject: [PATCH 133/300] Adding icon --- icons/pmd.svg | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 icons/pmd.svg diff --git a/icons/pmd.svg b/icons/pmd.svg new file mode 100644 index 0000000..c0b3415 --- /dev/null +++ b/icons/pmd.svg @@ -0,0 +1,8 @@ + + + + + + + + \ No newline at end of file From 435b265ae0e53ff80428fe76b33752eb76074cac Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Wed, 1 Dec 2021 17:02:40 -0500 Subject: [PATCH 134/300] Removing dupe --- code-scanning/pmd.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 8689961..c876da5 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -34,7 +34,3 @@ jobs: uses: github/codeql-action/upload-sarif@v1 with: sarif_file: pmd-report.sarif - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 - with: - sarif_file: pmd-report.sarif \ No newline at end of file From a48ef3a64354a224371396a3b719d48f50ff67bb Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 1 Dec 2021 17:52:36 -0800 Subject: [PATCH 135/300] Update azure-webapps-node.yml (#1282) --- deployments/azure-webapps-node.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index 8546fea..b7cb51f 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -26,7 +26,7 @@ on: env: AZURE_WEBAPP_NAME: your-app-name # set this to your application's name AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - NODE_VERSION: '10.x' # set this to the node version to use + NODE_VERSION: '14.x' # set this to the node version to use jobs: build: @@ -71,4 +71,4 @@ jobs: with: app-name: ${{ env.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} \ No newline at end of file + package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} From 9920cac8e993e7080faf048ed69586c2e5aa8103 Mon Sep 17 00:00:00 2001 From: Marcel Wagner Date: Thu, 2 Dec 2021 04:51:29 +0100 Subject: [PATCH 136/300] Update text flow for cmake comment (#1054) --- ci/cmake.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/ci/cmake.yml b/ci/cmake.yml index 1634140..6c858b9 100644 --- a/ci/cmake.yml +++ b/ci/cmake.yml @@ -12,9 +12,8 @@ env: jobs: build: - # The CMake configure and build commands are platform agnostic and should work equally - # well on Windows or Mac. You can convert this to a matrix build if you need - # cross-platform coverage. + # The CMake configure and build commands are platform agnostic and should work equally well on Windows or Mac. + # You can convert this to a matrix build if you need cross-platform coverage. # See: https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix runs-on: ubuntu-latest From f7b1f1515d467adea6cbb6ea0b0b419c69a3ef7b Mon Sep 17 00:00:00 2001 From: Daz DeBoer Date: Thu, 2 Dec 2021 15:22:55 -0700 Subject: [PATCH 137/300] Use `gradle-build-action` in starter workflows (#1237) The `gradle-build-action` provides enhanced execution and caching functionality for Gradle. This change updates starter workflows to use `v2.0.0` of `gradle-build-action`. Improvements over invoking Gradle directly include: - Easier to run the workflow with a particular Gradle version - More sophisticated and more efficient caching of Gradle User Home between invocations - Detailed reporting of cache usage and cache configuration options - Automatic capture of Build Scan links Co-authored-by: Josh Gross --- ci/gradle-publish.yml | 12 ++++++++++-- ci/gradle.yml | 11 +++++++---- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index a74a1ce..f24c004 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -1,3 +1,7 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. # This workflow will build a package using Gradle and then publish it to GitHub packages when a release is created # For more information see: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#Publishing-using-gradle @@ -26,12 +30,16 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Build with Gradle - run: gradle build + uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 + with: + arguments: build # The USERNAME and TOKEN need to correspond to the credentials environment variables used in # the publishing section of your build.gradle - name: Publish to GitHub Packages - run: gradle publish + uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 + with: + arguments: publish env: USERNAME: ${{ github.actor }} TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/ci/gradle.yml b/ci/gradle.yml index 5ecabba..b83458c 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -1,3 +1,7 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. # This workflow will build a Java project with Gradle and cache/restore any dependencies to improve the workflow execution time # For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle @@ -21,8 +25,7 @@ jobs: with: java-version: '11' distribution: 'adopt' - cache: gradle - - name: Grant execute permission for gradlew - run: chmod +x gradlew - name: Build with Gradle - run: ./gradlew build + uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 + with: + arguments: build From 649bca8dab3f93f2fa14671d79d813ef6d5e2c73 Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Fri, 3 Dec 2021 10:33:18 -0500 Subject: [PATCH 138/300] Updating logo and adding sha to workflow --- code-scanning/pmd.yml | 2 +- icons/pmd.svg | 79 +++++++++++++++++++++++++++++++++++++++---- 2 files changed, 73 insertions(+), 8 deletions(-) diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index c876da5..7920c88 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -26,7 +26,7 @@ jobs: cache: maven - name: Run PMD id: pmd - uses: pmd/pmd-github-action@v1 + uses: pmd/pmd-github-action@7ed79622882840855e297f090460face22328ece with: rulesets: 'rulesets/java/quickstart.xml' sourcePath: 'src/main/java' diff --git a/icons/pmd.svg b/icons/pmd.svg index c0b3415..bc1cb58 100644 --- a/icons/pmd.svg +++ b/icons/pmd.svg @@ -1,8 +1,73 @@ - - - - - - + +image/svg+xml + + + + + - \ No newline at end of file + From 4e6641ed7425cb2c2e9beb20339a03b9955d286d Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Fri, 3 Dec 2021 13:19:43 -0500 Subject: [PATCH 139/300] Updating pmd logo --- icons/pmd.svg | 72 +++++++++++++++++---------------------------------- 1 file changed, 24 insertions(+), 48 deletions(-) diff --git a/icons/pmd.svg b/icons/pmd.svg index bc1cb58..61f1842 100644 --- a/icons/pmd.svg +++ b/icons/pmd.svg @@ -1,72 +1,48 @@ image/svg+xml + rdf:resource="http://purl.org/dc/dcmitype/StillImage" /> From 60d206d0900a9e3b4de3779cb2f5277c6304c887 Mon Sep 17 00:00:00 2001 From: Matt Moore Date: Mon, 6 Dec 2021 09:05:19 -0800 Subject: [PATCH 140/300] Have the starter `docker-publish` action sign digests. (#1255) * Have the starter `docker-publish` action sign digests. This change installs `sigstore/cosign` using the `cosign-installer` action, and uses sigstore's "keyless" signing process to sign the resulting image digest using the action's identity token (see: `id-token: write`). Signed-off-by: Matt Moore * Fully qualify the digest, add setup-buildx-action as workaround * Drop --force, add public repo check * Use built-in 'private' bit --- ci/docker-publish.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index ab266ef..3b55fce 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -29,11 +29,24 @@ jobs: permissions: contents: read packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. + id-token: write steps: - name: Checkout repository uses: actions/checkout@v2 + # Install the cosign tool except on PR + # https://github.com/sigstore/cosign-installer + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422 + + # Workaround: https://github.com/docker/build-push-action/issues/461 + - name: Setup Docker buildx + uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + # Login against a Docker registry except on PR # https://github.com/docker/login-action - name: Log into registry ${{ env.REGISTRY }} @@ -55,9 +68,26 @@ jobs: # Build and push Docker image with Buildx (don't push on PR) # https://github.com/docker/build-push-action - name: Build and push Docker image + id: build-and-push uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc with: context: . push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + + # Sign the resulting Docker image digest except on PRs and private repos + # The keyless signing process records signatures on the Rekor public + # transparency log, so signing is disabled for private repos by default + # to avoid leaking private data. If you wish to sign things anyways, + # then this check can be removed and --force can be added to the cosign + # command below. + # https://github.com/sigstore/cosign + - name: Sign the published Docker image + if: ${{ github.event_name != 'pull_request' && !github.event.repository.private }} + env: + COSIGN_EXPERIMENTAL: "true" + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance, and records it to the + # sigstore community Rekor transparency log. + run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }} From 1c56988c5df7b85a0d1fbcbb4a2d6dcee44b7b51 Mon Sep 17 00:00:00 2001 From: anaarmas <54946499+anaarmas@users.noreply.github.com> Date: Tue, 7 Dec 2021 11:35:26 +0100 Subject: [PATCH 141/300] remove unnecessary uses of the upload-artifact action and improve input file name --- code-scanning/veracode.yml | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index 64c732f..e38fffd 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -29,12 +29,7 @@ jobs: with: repository: '' - - run: zip -r veracode-pipeline-scan-results-to-sarif.zip ./ - - - uses: actions/upload-artifact@v1 - with: - name: my-artifact - path: veracode-pipeline-scan-results-to-sarif.zip + - run: zip -r veracode-scan-target.zip ./ # download the Veracode Static Analysis Pipeline scan jar - run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip @@ -43,12 +38,8 @@ jobs: - uses: actions/setup-java@v1 with: java-version: 1.8 - - run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-pipeline-scan-results-to-sarif.zip + - run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-scan-target.zip continue-on-error: true - - uses: actions/upload-artifact@v1 - with: - name: ScanResults - path: results.json - name: Convert pipeline scan output to SARIF format id: convert uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be From c059d06679620e5a2c8d2c74b677879420f0922a Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Tue, 7 Dec 2021 14:16:20 +0000 Subject: [PATCH 142/300] renaming azure template to fix the order --- ...azure-webapps-container.yml => azure-containerized-webapp.yml} | 0 deployments/{aks.yml => azure-kubernetes-service.yml} | 0 ...properties.json => azure-containerized-webapp.properties.json} | 0 ...s.properties.json => azure-kubernetes-service.properties.json} | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename deployments/{azure-webapps-container.yml => azure-containerized-webapp.yml} (100%) rename deployments/{aks.yml => azure-kubernetes-service.yml} (100%) rename deployments/properties/{azure-webapps-container.properties.json => azure-containerized-webapp.properties.json} (100%) rename deployments/properties/{aks.properties.json => azure-kubernetes-service.properties.json} (100%) diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-containerized-webapp.yml similarity index 100% rename from deployments/azure-webapps-container.yml rename to deployments/azure-containerized-webapp.yml diff --git a/deployments/aks.yml b/deployments/azure-kubernetes-service.yml similarity index 100% rename from deployments/aks.yml rename to deployments/azure-kubernetes-service.yml diff --git a/deployments/properties/azure-webapps-container.properties.json b/deployments/properties/azure-containerized-webapp.properties.json similarity index 100% rename from deployments/properties/azure-webapps-container.properties.json rename to deployments/properties/azure-containerized-webapp.properties.json diff --git a/deployments/properties/aks.properties.json b/deployments/properties/azure-kubernetes-service.properties.json similarity index 100% rename from deployments/properties/aks.properties.json rename to deployments/properties/azure-kubernetes-service.properties.json From 17c64f97fed1f39b1ec676d1b2446b0f0f772949 Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Wed, 8 Dec 2021 05:01:06 +0000 Subject: [PATCH 143/300] resolving comments --- ...{azure-containerized-webapp.yml => azure-container-webapp.yml} | 0 ...app.properties.json => azure-container-webapp.properties.json} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename deployments/{azure-containerized-webapp.yml => azure-container-webapp.yml} (100%) rename deployments/properties/{azure-containerized-webapp.properties.json => azure-container-webapp.properties.json} (100%) diff --git a/deployments/azure-containerized-webapp.yml b/deployments/azure-container-webapp.yml similarity index 100% rename from deployments/azure-containerized-webapp.yml rename to deployments/azure-container-webapp.yml diff --git a/deployments/properties/azure-containerized-webapp.properties.json b/deployments/properties/azure-container-webapp.properties.json similarity index 100% rename from deployments/properties/azure-containerized-webapp.properties.json rename to deployments/properties/azure-container-webapp.properties.json From 00db25fc1e0c3432105036075404c4429dfda403 Mon Sep 17 00:00:00 2001 From: Matt Moore Date: Mon, 13 Dec 2021 12:17:02 -0800 Subject: [PATCH 144/300] Enable keyless signing for private repos. (#1295) Now that cosign 1.4 is out, we can perform keyless signing without panicking on private images (and without `--force` uploading to Rekor). Signed-off-by: Matt Moore --- ci/docker-publish.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 3b55fce..977635a 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -42,6 +42,9 @@ jobs: - name: Install cosign if: github.event_name != 'pull_request' uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422 + with: + cosign-release: 'v1.4.0' + # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx @@ -76,18 +79,15 @@ jobs: tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - # Sign the resulting Docker image digest except on PRs and private repos - # The keyless signing process records signatures on the Rekor public - # transparency log, so signing is disabled for private repos by default - # to avoid leaking private data. If you wish to sign things anyways, - # then this check can be removed and --force can be added to the cosign - # command below. + # Sign the resulting Docker image digest except on PRs. + # This will only write to the public Rekor transparency log when the Docker + # repository is public to avoid leaking data. If you would like to publish + # transparency data even for private images, pass --force to cosign below. # https://github.com/sigstore/cosign - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' && !github.event.repository.private }} + if: ${{ github.event_name != 'pull_request' }} env: COSIGN_EXPERIMENTAL: "true" # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance, and records it to the - # sigstore community Rekor transparency log. + # against the sigstore community Fulcio instance. run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }} From 73a17a51b52614ac5865c750577d62c43ce3aa14 Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Thu, 16 Dec 2021 10:55:17 +0000 Subject: [PATCH 145/300] deleting azure.yml --- deployments/azure.yml | 51 ------------------------------------------- 1 file changed, 51 deletions(-) delete mode 100644 deployments/azure.yml diff --git a/deployments/azure.yml b/deployments/azure.yml deleted file mode 100644 index 904ff25..0000000 --- a/deployments/azure.yml +++ /dev/null @@ -1,51 +0,0 @@ -# This workflow will build and push a node.js application to an Azure Web App when there is a push to the $default-branch branch. -# -# This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/azure/app-service/app-service-plan-manage#create-an-app-service-plan -# -# To configure this workflow: -# -# 1. For Linux apps, add an app setting called WEBSITE_WEBDEPLOY_USE_SCM and set it to true in your app **before downloading the file**. -# For more instructions see: https://docs.microsoft.com/azure/app-service/configure-common#configure-app-settings -# -# 2. Set up a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE with the value of your Azure publish profile. -# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret -# -# 3. Change the values for the AZURE_WEBAPP_NAME, AZURE_WEBAPP_PACKAGE_PATH and NODE_VERSION environment variables (below). -# -# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions -# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples -on: - push: - branches: - - $default-branch - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - NODE_VERSION: '10.x' # set this to the node version to use - -jobs: - build-and-deploy: - name: Build and Deploy - runs-on: ubuntu-latest - environment: production - steps: - - uses: actions/checkout@v2 - - name: Use Node.js ${{ env.NODE_VERSION }} - uses: actions/setup-node@v2 - with: - node-version: ${{ env.NODE_VERSION }} - - name: npm install, build, and test - run: | - # Build and test the project, then - # deploy to Azure Web App. - npm install - npm run build --if-present - npm run test --if-present - - name: 'Deploy to Azure WebApp' - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} From 615c63babc0be77daa72c0eca79dbb9b4a60d606 Mon Sep 17 00:00:00 2001 From: Andreas Dangel Date: Mon, 20 Dec 2021 11:44:55 +0100 Subject: [PATCH 146/300] Update pmd to v1.1.0 Use pmd/pmd-github-action@6d98898be0d59f46ec37dafcea33d8f8f55acfd1 which is v1.1.0 Use temurin as java distribution --- code-scanning/pmd.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 7920c88..ba895fe 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -22,11 +22,11 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' cache: maven - name: Run PMD id: pmd - uses: pmd/pmd-github-action@7ed79622882840855e297f090460face22328ece + uses: pmd/pmd-github-action@6d98898be0d59f46ec37dafcea33d8f8f55acfd1 with: rulesets: 'rulesets/java/quickstart.xml' sourcePath: 'src/main/java' From 0b45ddae0d6a1bb5d2524384ae316a929f3d0e96 Mon Sep 17 00:00:00 2001 From: DhavalPatelPersistent Date: Fri, 24 Dec 2021 15:55:11 +0530 Subject: [PATCH 147/300] Update / Add "uses","project","teams","scanners","params" attributes. --- code-scanning/checkmarx.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index ee97108..c0785da 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -29,14 +29,16 @@ jobs: - uses: actions/checkout@v2 # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs - name: Checkmarx CxFlow Action - uses: checkmarx-ts/checkmarx-cxflow-github-action@04e6403dbbfee0fd3fb076e5791202c31c54fe6b + uses: checkmarx-ts/checkmarx-cxflow-github-action@master with: - project: GithubActionTest - team: '\CxServer\SP\Checkmarx' + project: ${{ secrets.CHECKMARX_PROJECT }} + team: ${{ secrets.CHECKMARX_TEAMS }} checkmarx_url: ${{ secrets.CHECKMARX_URL }} checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} + scanners: sast + params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v1 From 97020d0adc1a32ef799bcafcffa18b2297ca4da3 Mon Sep 17 00:00:00 2001 From: DhavalPatelPersistent <93903969+DhavalPatelPersistent@users.noreply.github.com> Date: Thu, 30 Dec 2021 16:39:28 +0530 Subject: [PATCH 148/300] Update checkmarx.yml Point to SHA instead for master --- code-scanning/checkmarx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index c0785da..96b9897 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -29,7 +29,7 @@ jobs: - uses: actions/checkout@v2 # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs - name: Checkmarx CxFlow Action - uses: checkmarx-ts/checkmarx-cxflow-github-action@master + uses: checkmarx-ts/checkmarx-cxflow-github-action@9975af7d6b957abec9ee9646effa3fb3b82c5314 with: project: ${{ secrets.CHECKMARX_PROJECT }} team: ${{ secrets.CHECKMARX_TEAMS }} From 794e910e12b7f31ea222a4be4c11f8c7dd2bcf86 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 10 Dec 2021 17:49:59 +0000 Subject: [PATCH 149/300] add scorecards config --- .../properties/scorecards.properties.json | 10 +++ code-scanning/scorecards.yml | 74 +++++++++++++++++++ 2 files changed, 84 insertions(+) create mode 100644 code-scanning/properties/scorecards.properties.json create mode 100644 code-scanning/scorecards.yml diff --git a/code-scanning/properties/scorecards.properties.json b/code-scanning/properties/scorecards.properties.json new file mode 100644 index 0000000..54362eb --- /dev/null +++ b/code-scanning/properties/scorecards.properties.json @@ -0,0 +1,10 @@ +{ + "name": "OSSF Scorecards supply-chain security analysis", + "creator": "Open Source Security Foundation (OpenSSF) - https://github.com/ossf", + "description": "Scorecards is a static analysis tool to assess the security posture of your project", + "iconName": "scorecards", + "categories": [ + "code-quality", "testing", + "supply-chain", "security", "scanning" + ] +} diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml new file mode 100644 index 0000000..23dc0c1 --- /dev/null +++ b/code-scanning/scorecards.yml @@ -0,0 +1,74 @@ +name: Scorecards supply-chain security +on: + # Only the default branch is supported. + branch_protection_rule: + schedule: + # Weekly on Saturdays. + - cron: '30 1 * * 6' + push: + branches: [ $default-branch ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecards analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + + steps: + - name: "Checkout code" + uses: actions/checkout@v1 + + - name: "Run analysis" + # TODO: update with a hash once we have a release. + uses: ossf/scorecard-action@feat/rempol + with: + results_file: results.sarif + results_format: sarif + # For the token, + # 1. Create a PAT token at https://github.com/settings/tokens/new + # with the following read permissions: + # - Note: OSSF Scorecard read-only token + # - Expiration: No expiration + # - Scopes: + # * repo > public_repo + # * admin:org > read:org + # * admin:repo_hook > read:repo_hook + # * write:discussion > read:discussion + # + # Create and copy the token. + # + # 2. Create a new repository secret at https://github.com///settings/secrets/actions + # with the following settings: + # - Name: SCORECARD_TOKEN + # - Value: the value of the token created in step 1 above. + repo_token: ${{ secrets.SCORECARD_TOKEN }} + # The Scorecard team runs a weekly scan of public GitHub repositories in order to track + # the overall security health of the open source ecosystem. + # Setting `publish_results: true` replaces the results of the team's weelky scans, + # helping us scale by cutting down on repeated workflows and GitHub API requests. + # This option is needed to enable badges on the repo. + publish_results: true + + # Upload the results as artifacts. + # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts + # This is optional. + - name: "Upload artifact" + # Note: scorecard will flag this line if not pinned by hash. + uses: actions/upload-artifact@v2 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + # This is required to visualize the results on GitHub website. + - name: "Upload to code-scanning" + # Note: scorecard will flag this line if not pinned by hash. + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif From 0e50194de868de89ba9545e296fc254c13aaf4cc Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 10 Dec 2021 17:56:35 +0000 Subject: [PATCH 150/300] use hash --- code-scanning/scorecards.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 23dc0c1..709da7e 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -24,8 +24,7 @@ jobs: uses: actions/checkout@v1 - name: "Run analysis" - # TODO: update with a hash once we have a release. - uses: ossf/scorecard-action@feat/rempol + uses: ossf/scorecard-action@59f9117686133e93b60a8f23131f87089a076e1b with: results_file: results.sarif results_format: sarif From a00db4437c100515400041ae9ec3d00bc4e3f0b2 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 16 Dec 2021 18:25:53 +0000 Subject: [PATCH 151/300] comments --- code-scanning/properties/scorecards.properties.json | 5 +---- code-scanning/scorecards.yml | 3 +-- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/code-scanning/properties/scorecards.properties.json b/code-scanning/properties/scorecards.properties.json index 54362eb..d45274b 100644 --- a/code-scanning/properties/scorecards.properties.json +++ b/code-scanning/properties/scorecards.properties.json @@ -3,8 +3,5 @@ "creator": "Open Source Security Foundation (OpenSSF) - https://github.com/ossf", "description": "Scorecards is a static analysis tool to assess the security posture of your project", "iconName": "scorecards", - "categories": [ - "code-quality", "testing", - "supply-chain", "security", "scanning" - ] + "categories": ["Code Scanning"] } diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 709da7e..27ffc2f 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -3,8 +3,7 @@ on: # Only the default branch is supported. branch_protection_rule: schedule: - # Weekly on Saturdays. - - cron: '30 1 * * 6' + - cron: $cron-weekly push: branches: [ $default-branch ] From a894da71d16be3f3b970d067d20d12cc1f23042f Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 28 Dec 2021 17:49:56 +0000 Subject: [PATCH 152/300] pin actions --- code-scanning/scorecards.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 27ffc2f..88f47ee 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -20,7 +20,9 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@v1 + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + with: + persist-credentials: false - name: "Run analysis" uses: ossf/scorecard-action@59f9117686133e93b60a8f23131f87089a076e1b @@ -56,8 +58,7 @@ jobs: # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts # This is optional. - name: "Upload artifact" - # Note: scorecard will flag this line if not pinned by hash. - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 with: name: SARIF file path: results.sarif @@ -66,7 +67,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. # This is required to visualize the results on GitHub website. - name: "Upload to code-scanning" - # Note: scorecard will flag this line if not pinned by hash. - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26 with: sarif_file: results.sarif From 9e49744dc2534cee2fbb4986f45287bfce589fb6 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 28 Dec 2021 18:13:49 +0000 Subject: [PATCH 153/300] url --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 88f47ee..b04a28d 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -42,7 +42,7 @@ jobs: # # Create and copy the token. # - # 2. Create a new repository secret at https://github.com///settings/secrets/actions + # 2. Create a new repository secret at https://github.com///settings/secrets/actions/new # with the following settings: # - Name: SCORECARD_TOKEN # - Value: the value of the token created in step 1 above. From f38127b0623a68a7a5faee31773d3adbb8bd3cfb Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 29 Dec 2021 22:51:32 +0000 Subject: [PATCH 154/300] update text --- code-scanning/scorecards.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index b04a28d..c8f9993 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -48,10 +48,12 @@ jobs: # - Value: the value of the token created in step 1 above. repo_token: ${{ secrets.SCORECARD_TOKEN }} # The Scorecard team runs a weekly scan of public GitHub repositories in order to track - # the overall security health of the open source ecosystem. + # the overall security health of the open source ecosystem. The results are publicly + # available as described at https://github.com/ossf/scorecard#public-data. # Setting `publish_results: true` replaces the results of the team's weelky scans, # helping us scale by cutting down on repeated workflows and GitHub API requests. - # This option is needed to enable badges on the repo. + # This option is needed to enable badges on the repo. If you're installing the action + # on a private repo, set it to `publish_results: false` or do not set the value at all. publish_results: true # Upload the results as artifacts. From 48edda6acad5d9b718bedba3c63e8198f1f7c08f Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 29 Dec 2021 22:56:18 +0000 Subject: [PATCH 155/300] reduce text --- code-scanning/scorecards.yml | 24 +++--------------------- 1 file changed, 3 insertions(+), 21 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index c8f9993..a647577 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -29,23 +29,8 @@ jobs: with: results_file: results.sarif results_format: sarif - # For the token, - # 1. Create a PAT token at https://github.com/settings/tokens/new - # with the following read permissions: - # - Note: OSSF Scorecard read-only token - # - Expiration: No expiration - # - Scopes: - # * repo > public_repo - # * admin:org > read:org - # * admin:repo_hook > read:repo_hook - # * write:discussion > read:discussion - # - # Create and copy the token. - # - # 2. Create a new repository secret at https://github.com///settings/secrets/actions/new - # with the following settings: - # - Name: SCORECARD_TOKEN - # - Value: the value of the token created in step 1 above. + # Read-only PAT token. To create it, follow the steps + # in https://github.com/ossf/scorecard-action/main#pat-token-creation repo_token: ${{ secrets.SCORECARD_TOKEN }} # The Scorecard team runs a weekly scan of public GitHub repositories in order to track # the overall security health of the open source ecosystem. The results are publicly @@ -56,9 +41,7 @@ jobs: # on a private repo, set it to `publish_results: false` or do not set the value at all. publish_results: true - # Upload the results as artifacts. - # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts - # This is optional. + # Upload the results as artifacts (optional). - name: "Upload artifact" uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 with: @@ -67,7 +50,6 @@ jobs: retention-days: 5 # Upload the results to GitHub's code scanning dashboard. - # This is required to visualize the results on GitHub website. - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26 with: From 07be376c3a753560b12712d3e1c614031a2cf117 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 29 Dec 2021 23:02:46 +0000 Subject: [PATCH 156/300] updates --- code-scanning/scorecards.yml | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index a647577..b9efa21 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -29,16 +29,13 @@ jobs: with: results_file: results.sarif results_format: sarif - # Read-only PAT token. To create it, follow the steps - # in https://github.com/ossf/scorecard-action/main#pat-token-creation + # Read-only PAT token. To create it, + # follow the steps in https://github.com/ossf/scorecard-action/blob/main#pat-token-creation. repo_token: ${{ secrets.SCORECARD_TOKEN }} - # The Scorecard team runs a weekly scan of public GitHub repositories in order to track - # the overall security health of the open source ecosystem. The results are publicly - # available as described at https://github.com/ossf/scorecard#public-data. - # Setting `publish_results: true` replaces the results of the team's weelky scans, - # helping us scale by cutting down on repeated workflows and GitHub API requests. - # This option is needed to enable badges on the repo. If you're installing the action - # on a private repo, set it to `publish_results: false` or do not set the value at all. + # Publish the results to enable scorecard badges. For more details, see + # https://github.com/ossf/scorecard-action/blob/main#publishing-results. + # If you are installing the action on a private repo, set it to `publish_results: false` + # or do not set the value at all. publish_results: true # Upload the results as artifacts (optional). From 7c57e8a703516f380383aedcc599bac86c30b6e2 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 29 Dec 2021 23:07:26 +0000 Subject: [PATCH 157/300] updates --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index b9efa21..209dc37 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -35,7 +35,7 @@ jobs: # Publish the results to enable scorecard badges. For more details, see # https://github.com/ossf/scorecard-action/blob/main#publishing-results. # If you are installing the action on a private repo, set it to `publish_results: false` - # or do not set the value at all. + # or comment out the following line. publish_results: true # Upload the results as artifacts (optional). From 40772919fb6683dd374c85974123e699aff4872c Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 29 Dec 2021 23:11:08 +0000 Subject: [PATCH 158/300] updates --- code-scanning/scorecards.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 209dc37..dbfbecd 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -30,10 +30,10 @@ jobs: results_file: results.sarif results_format: sarif # Read-only PAT token. To create it, - # follow the steps in https://github.com/ossf/scorecard-action/blob/main#pat-token-creation. + # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation. repo_token: ${{ secrets.SCORECARD_TOKEN }} # Publish the results to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action/blob/main#publishing-results. + # https://github.com/ossf/scorecard-action#publishing-results. # If you are installing the action on a private repo, set it to `publish_results: false` # or comment out the following line. publish_results: true From b73f59a3e8a02531a5ca5623bab1ad5387d8072d Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 4 Jan 2022 18:08:50 +0000 Subject: [PATCH 159/300] add icon --- icons/scorecards.svg | 365 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 365 insertions(+) create mode 100644 icons/scorecards.svg diff --git a/icons/scorecards.svg b/icons/scorecards.svg new file mode 100644 index 0000000..9db608c --- /dev/null +++ b/icons/scorecards.svg @@ -0,0 +1,365 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From d0dba5262b9d520abb5b6a16c3c7631df3414a9d Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 4 Jan 2022 18:13:24 +0000 Subject: [PATCH 160/300] use v0.0.1 --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index dbfbecd..8b2346a 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -25,7 +25,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@59f9117686133e93b60a8f23131f87089a076e1b + uses: ossf/scorecard-action@175f59783fa96e44dd6fa96619ab7bdacab56b5c # v0.0.1 with: results_file: results.sarif results_format: sarif From f42f92e60ce9599cfd74f77191f8b0dfd5bbe08e Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Wed, 5 Jan 2022 09:50:26 -0800 Subject: [PATCH 161/300] Update erlang.yml Add token permissions --- ci/erlang.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ci/erlang.yml b/ci/erlang.yml index 25cb893..3bebb1f 100644 --- a/ci/erlang.yml +++ b/ci/erlang.yml @@ -6,10 +6,14 @@ on: pull_request: branches: [ $default-branch ] +permissions: read-all + jobs: build: + permissions: + contents: read # for actions/checkout to fetch code runs-on: ubuntu-latest container: From 00e08539ca5ff25307997d8c845296376a1cd858 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 10 Jan 2022 23:19:46 +0000 Subject: [PATCH 162/300] prepare release --- code-scanning/scorecards.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 8b2346a..ba42ef0 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -17,6 +17,8 @@ jobs: permissions: # Needed to upload the results to code-scanning dashboard. security-events: write + actions: read + contents: read steps: - name: "Checkout code" @@ -34,8 +36,8 @@ jobs: repo_token: ${{ secrets.SCORECARD_TOKEN }} # Publish the results to enable scorecard badges. For more details, see # https://github.com/ossf/scorecard-action#publishing-results. - # If you are installing the action on a private repo, set it to `publish_results: false` - # or comment out the following line. + # Note: for private repositories, the value of `publish_results` set here + # is ignored and defaults to false. publish_results: true # Upload the results as artifacts (optional). From b0f310cefc1cd8acd28eb8680356f1b084414f09 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 10 Jan 2022 23:52:58 +0000 Subject: [PATCH 163/300] update token name --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index ba42ef0..6cbdaaf 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -33,7 +33,7 @@ jobs: results_format: sarif # Read-only PAT token. To create it, # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation. - repo_token: ${{ secrets.SCORECARD_TOKEN }} + repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} # Publish the results to enable scorecard badges. For more details, see # https://github.com/ossf/scorecard-action#publishing-results. # Note: for private repositories, the value of `publish_results` set here From f78e23c19de6d564883c07e34c2340f14f797048 Mon Sep 17 00:00:00 2001 From: shubham malik Date: Thu, 13 Jan 2022 11:12:14 +0530 Subject: [PATCH 164/300] Update trivy.yml --- code-scanning/trivy.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index f778492..307950e 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -14,8 +14,13 @@ on: schedule: - cron: $cron-weekly +permissions: read-all + jobs: build: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Build runs-on: "ubuntu-18.04" steps: From aa643dfa0c1ddbdc15fe80baa4c7bf5a60eca2a6 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 13 Jan 2022 22:29:39 +0000 Subject: [PATCH 165/300] bump hash --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 6cbdaaf..a756c2b 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -27,7 +27,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@175f59783fa96e44dd6fa96619ab7bdacab56b5c # v0.0.1 + uses: ossf/scorecard-action@0fe1afdc40f536c78e3dc69147b91b3ecec2cc8a # v1.0.0 with: results_file: results.sarif results_format: sarif From 1b10c28ff42916ad2a9d5f9566d39656df9e6372 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 14 Jan 2022 03:00:11 +0000 Subject: [PATCH 166/300] rem tabs and update comment --- code-scanning/scorecards.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index a756c2b..cbd0e01 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -1,5 +1,5 @@ name: Scorecards supply-chain security -on: +on: # Only the default branch is supported. branch_protection_rule: schedule: @@ -19,7 +19,7 @@ jobs: security-events: write actions: read contents: read - + steps: - name: "Checkout code" uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 @@ -36,8 +36,8 @@ jobs: repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} # Publish the results to enable scorecard badges. For more details, see # https://github.com/ossf/scorecard-action#publishing-results. - # Note: for private repositories, the value of `publish_results` set here - # is ignored and defaults to false. + # For private repositories, `publish_results` will automatically be set to `false`, + # regardless of the value entered here. publish_results: true # Upload the results as artifacts (optional). @@ -47,7 +47,7 @@ jobs: name: SARIF file path: results.sarif retention-days: 5 - + # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26 From 588f02dade95e45435f1a970cde5258223b6f9ab Mon Sep 17 00:00:00 2001 From: Manuel Date: Sat, 15 Jan 2022 00:05:31 +0100 Subject: [PATCH 167/300] Switch java distribution from 'adopt' to 'temurin' (#1065) adopt is rebranded into temurin see https://blog.adoptopenjdk.net/2021/03/transition-to-eclipse-an-update/ --- ci/android.yml | 2 +- ci/ant.yml | 2 +- ci/gradle-publish.yml | 2 +- ci/gradle.yml | 2 +- ci/maven-publish.yml | 2 +- ci/maven.yml | 2 +- ci/scala.yml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ci/android.yml b/ci/android.yml index 3037b9f..f289bd5 100644 --- a/ci/android.yml +++ b/ci/android.yml @@ -17,7 +17,7 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' cache: gradle - name: Grant execute permission for gradlew diff --git a/ci/ant.yml b/ci/ant.yml index 655a94c..0205d40 100644 --- a/ci/ant.yml +++ b/ci/ant.yml @@ -20,6 +20,6 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' - name: Build with Ant run: ant -noinput -buildfile build.xml diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index f24c004..26bc0df 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -25,7 +25,7 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' server-id: github # Value of the distributionManagement/repository/id field of the pom.xml settings-path: ${{ github.workspace }} # location for the settings.xml file diff --git a/ci/gradle.yml b/ci/gradle.yml index b83458c..cc63e9a 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -24,7 +24,7 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' - name: Build with Gradle uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 with: diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml index 18dd937..319f9a1 100644 --- a/ci/maven-publish.yml +++ b/ci/maven-publish.yml @@ -21,7 +21,7 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' server-id: github # Value of the distributionManagement/repository/id field of the pom.xml settings-path: ${{ github.workspace }} # location for the settings.xml file diff --git a/ci/maven.yml b/ci/maven.yml index ac3b6de..f301fe0 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -20,7 +20,7 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' cache: maven - name: Build with Maven run: mvn -B package --file pom.xml diff --git a/ci/scala.yml b/ci/scala.yml index 4a3c112..af6b2ed 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -17,6 +17,6 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' - name: Run tests run: sbt test From b224dd844994cf72698787cfaa6e91d3b9bcef14 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 14 Jan 2022 21:38:04 +0000 Subject: [PATCH 168/300] update icon --- code-scanning/scorecards.yml | 2 +- icons/scorecards.svg | 366 +---------------------------------- 2 files changed, 2 insertions(+), 366 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index cbd0e01..2172aba 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -27,7 +27,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@0fe1afdc40f536c78e3dc69147b91b3ecec2cc8a # v1.0.0 + uses: ossf/scorecard-action@f5a7da46837397de5331ea22ce0099e2bfe265d0 # v1.0.1 with: results_file: results.sarif results_format: sarif diff --git a/icons/scorecards.svg b/icons/scorecards.svg index 9db608c..9433c91 100644 --- a/icons/scorecards.svg +++ b/icons/scorecards.svg @@ -1,365 +1 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + \ No newline at end of file From 94100d1d4a908d4b49a2c82511353ec7b670cc07 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 14 Jan 2022 21:44:30 +0000 Subject: [PATCH 169/300] bump --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 2172aba..dbae361 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -27,7 +27,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@f5a7da46837397de5331ea22ce0099e2bfe265d0 # v1.0.1 + uses: ossf/scorecard-action@e3e75cf2ffbf9364bbff86cdbdf52b23176fe492 # v1.0.1 with: results_file: results.sarif results_format: sarif From f31e3a9c9dda4c8027904038d1e7e1c54695dc7d Mon Sep 17 00:00:00 2001 From: Beth G Date: Sat, 15 Jan 2022 07:11:46 +0100 Subject: [PATCH 170/300] Add Datadog Synthetics GitHub action to starter workflows (#1342) --- ci/datadog-synthetics.yml | 38 +++++++++++++++++++ .../datadog-synthetics.properties.json | 6 +++ icons/datadog.svg | 4 ++ 3 files changed, 48 insertions(+) create mode 100644 ci/datadog-synthetics.yml create mode 100644 ci/properties/datadog-synthetics.properties.json create mode 100644 icons/datadog.svg diff --git a/ci/datadog-synthetics.yml b/ci/datadog-synthetics.yml new file mode 100644 index 0000000..7056f87 --- /dev/null +++ b/ci/datadog-synthetics.yml @@ -0,0 +1,38 @@ +# This workflow will trigger Datadog Synthetic tests within your Datadog organisation +# For more information on running Synthetic tests within your GitHub workflows see: https://docs.datadoghq.com/synthetics/cicd_integrations/github_actions/ + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# To get started: + +# 1. Add your Datadog API (DD_API_KEY) and Application Key (DD_APP_KEY) as secrets to your GitHub repository. For more information, see: https://docs.datadoghq.com/account_management/api-app-keys/. +# 2. Start using the action within your workflow + +name: Run Datadog Synthetic tests + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + # Run Synthetic tests within your GitHub workflow. + # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci + - name: Run Datadog Synthetic tests + uses: DataDog/synthetics-ci-github-action@2b56dc0cca9daa14ab69c0d1d6844296de8f941e + with: + api_key: ${{secrets.DD_API_KEY}} + app_key: ${{secrets.DD_APP_KEY}} + test_search_query: 'tag:e2e-tests' #Modify this tag to suit your tagging strategy + + diff --git a/ci/properties/datadog-synthetics.properties.json b/ci/properties/datadog-synthetics.properties.json new file mode 100644 index 0000000..5a4f74d --- /dev/null +++ b/ci/properties/datadog-synthetics.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Datadog Synthetics", + "description": "Run Datadog Synthetic tests within your GitHub Actions workflow", + "iconName": "datadog", + "categories": ["Continuous integration", "JavaScript", "TypeScript", "Testing"] +} diff --git a/icons/datadog.svg b/icons/datadog.svg new file mode 100644 index 0000000..91cb3b6 --- /dev/null +++ b/icons/datadog.svg @@ -0,0 +1,4 @@ + + + + From 11778e9eb06ef161f9f8fc44f9d82ca4b79675e3 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Mon, 17 Jan 2022 13:17:29 +0530 Subject: [PATCH 171/300] Add check for GITHUB_TOKEN permissions (#1354) --- .github/pull_request_template.md | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 6494e8d..752dd99 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -26,6 +26,7 @@ It is not: - [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests"). - [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build"). - [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification. +- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully. **For _CI_ workflows, the workflow:** From 5635bf05bcf0ed0db83494aca58ccaf979eed483 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Arko?= Date: Mon, 17 Jan 2022 12:34:33 -0800 Subject: [PATCH 172/300] Upgrade Rails workflow to true CI (#1353) * Upgrade Rails workflow to true CI The existing Rails CI example only runs linters, which is not continuous integration. This change brings the Rails example workflow up to par with the other web framework CI flows, like Django. This example is optimized for Rails 7, which does not include NodeJS, webpack, or yarn by default. No Rails application code changes are required for this flow to run the tests, and both minitest and rspec are supported via the `test` rake task. * add Rails icon * use env vars, hopefully * use the full hash for ruby/setup-ruby * remove PORT since services cannot use it * stop repeating identical step envs * resolve env var declaration error * update setup-ruby to the SHA of v1.92 * use setup-ruby SHA for lint job too Co-authored-by: Bishal Prasad --- .../rubyonrails-lint.properties.json | 6 -- ci/properties/rubyonrails.properties.json | 6 ++ ci/rubyonrails-lint.yml | 32 ---------- ci/rubyonrails.yml | 58 +++++++++++++++++++ icons/rails.svg | 1 + 5 files changed, 65 insertions(+), 38 deletions(-) delete mode 100644 ci/properties/rubyonrails-lint.properties.json create mode 100644 ci/properties/rubyonrails.properties.json delete mode 100644 ci/rubyonrails-lint.yml create mode 100644 ci/rubyonrails.yml create mode 100644 icons/rails.svg diff --git a/ci/properties/rubyonrails-lint.properties.json b/ci/properties/rubyonrails-lint.properties.json deleted file mode 100644 index e6e5f69..0000000 --- a/ci/properties/rubyonrails-lint.properties.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "name": "Rails - Install Dependencies and Run Linters", - "description": "Install dependencies and run linters on Rails application", - "iconName": "ruby", - "categories": ["Continuous integration", "Ruby", "Rails"] -} diff --git a/ci/properties/rubyonrails.properties.json b/ci/properties/rubyonrails.properties.json new file mode 100644 index 0000000..49b29a4 --- /dev/null +++ b/ci/properties/rubyonrails.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Ruby on Rails continuous integration", + "description": "Build, lint, and test a Rails application", + "iconName": "rails", + "categories": ["Continuous integration", "Ruby", "Rails"] +} diff --git a/ci/rubyonrails-lint.yml b/ci/rubyonrails-lint.yml deleted file mode 100644 index d95b70e..0000000 --- a/ci/rubyonrails-lint.yml +++ /dev/null @@ -1,32 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. -# This workflow will download a prebuilt Ruby version, install dependencies, and run linters -name: Rails - Install dependencies and run linters - -on: - push: - branches: [ $default-branch ] - pull_request: - branches: [ $default-branch ] -jobs: - run-lint: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v2 - - - name: Setup Ruby and install gems - uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e - with: - bundler-cache: true - # Add or Replace any other security checks here - - name: Run security checks - run: | - bin/bundler-audit --update - bin/brakeman -q -w2 - # Add or Replace any other Linters here - - name: Run linters - run: | - bin/rubocop --parallel \ No newline at end of file diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml new file mode 100644 index 0000000..b7b3624 --- /dev/null +++ b/ci/rubyonrails.yml @@ -0,0 +1,58 @@ +# This workflow uses actions that are not certified by GitHub. They are +# provided by a third-party and are governed by separate terms of service, +# privacy policy, and support documentation. +# +# This workflow will install a prebuilt Ruby version, install dependencies, and +# run tests and linters. +name: "Ruby on Rails CI" +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] +jobs: + test: + runs-on: ubuntu-latest + services: + postgres: + image: postgres:11-alpine + ports: + - "5432:5432" + env: + POSTGRES_DB: rails_test + POSTGRES_USER: rails + POSTGRES_PASSWORD: password + env: + RAILS_ENV: test + DATABASE_URL: "postgres://rails:password@localhost:5432/rails_test" + steps: + - name: Checkout code + uses: actions/checkout@v2 + # Add or replace dependency steps here + - name: Install Ruby and gems + uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92 + with: + bundler-cache: true + # Add or replace database setup steps here + - name: Set up database schema + run: bin/rails db:schema:load + # Add or replace test runners here + - name: Run tests + run: bin/rake + + lint: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v2 + - name: Install Ruby and gems + uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92 + with: + bundler-cache: true + # Add or replace any other lints here + - name: Security audit dependencies + run: bin/bundler-audit --update + - name: Security audit application code + run: bin/brakeman -q -w2 + - name: Lint Ruby files + run: bin/rubocop --parallel diff --git a/icons/rails.svg b/icons/rails.svg new file mode 100644 index 0000000..5e1f8f8 --- /dev/null +++ b/icons/rails.svg @@ -0,0 +1 @@ + From ba97234b6070487094b58c0bd01959c47d29c20d Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Tue, 18 Jan 2022 14:07:26 -0800 Subject: [PATCH 173/300] Fix indentation error (#1356) --- deployments/azure-container-webapp.yml | 34 +++++++++++++------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml index 7c7bb2a..57fe362 100644 --- a/deployments/azure-container-webapp.yml +++ b/deployments/azure-container-webapp.yml @@ -62,21 +62,21 @@ jobs: tags: ghcr.io/${{ env.REPO }}:${{ github.sha }} file: ./Dockerfile - deploy: - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - steps: - - name: Lowercase the repo name and username - run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} - - - name: Deploy to Azure Web App - id: deploy-to-webapp - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}' + steps: + - name: Lowercase the repo name and username + run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} + + - name: Deploy to Azure Web App + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}' From a96d2407b59e6e123df45d05c846d2ae3073d6aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9sar=20Rom=C3=A1n?= Date: Wed, 19 Jan 2022 15:41:20 -0800 Subject: [PATCH 174/300] fix(ci): pylint.yml (#1108) ref: #636. `pylint` command does not work I've had success running the modified command [here](https://github.com/thecesrom/incendium/blob/project/.github/workflows/pylint.yml). Co-authored-by: Josh Gross --- ci/pylint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/pylint.yml b/ci/pylint.yml index 10c49c6..7b555fe 100644 --- a/ci/pylint.yml +++ b/ci/pylint.yml @@ -20,4 +20,4 @@ jobs: pip install pylint - name: Analysing the code with pylint run: | - pylint `ls -R|grep .py$|xargs` + pylint $(git ls-files '*.py') From ffa80e095edd0b21cda81cc3836cf3b7c863c355 Mon Sep 17 00:00:00 2001 From: Andrew Wiltshire <62200778+AW1534@users.noreply.github.com> Date: Thu, 20 Jan 2022 03:30:56 +0000 Subject: [PATCH 175/300] fixed grammatical error in node.js.yml (#1358) --- ci/node.js.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/node.js.yml b/ci/node.js.yml index 89b24fe..8d1b9c7 100644 --- a/ci/node.js.yml +++ b/ci/node.js.yml @@ -1,4 +1,4 @@ -# This workflow will do a clean install of node dependencies, cache/restore them, build the source code and run tests across different versions of node +# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node # For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions name: Node.js CI From eedf8fbcb38fafd48d3aa00644bd01325b89abaa Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Fri, 21 Jan 2022 12:23:16 -0800 Subject: [PATCH 176/300] Update erlang.yml Setting contents: read at workflow level, and removing from job level --- ci/erlang.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/ci/erlang.yml b/ci/erlang.yml index 3bebb1f..fc11dac 100644 --- a/ci/erlang.yml +++ b/ci/erlang.yml @@ -6,14 +6,13 @@ on: pull_request: branches: [ $default-branch ] -permissions: read-all +permissions: + contents: read jobs: build: - permissions: - contents: read # for actions/checkout to fetch code runs-on: ubuntu-latest container: From 41e7dd427d1cc358f8c78d1e511ba122d68f761e Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Mon, 24 Jan 2022 08:27:33 -0800 Subject: [PATCH 177/300] Scorecards: update hash to v1.0.2 We fixed a small issue and need to update the hash --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index dbae361..618ce28 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -27,7 +27,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@e3e75cf2ffbf9364bbff86cdbdf52b23176fe492 # v1.0.1 + uses: ossf/scorecard-action@c8416b0b2bf627c349ca92fc8e3de51a64b005cf # v1.0.2 with: results_file: results.sarif results_format: sarif From 3b8f20ff6ffebfd48548a91beae21864b3bc56d9 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Wed, 26 Jan 2022 22:42:19 +0530 Subject: [PATCH 178/300] updated permission --- code-scanning/trivy.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index 307950e..3d5373f 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -14,7 +14,8 @@ on: schedule: - cron: $cron-weekly -permissions: read-all +permissions: + contents: read jobs: build: From 7a56117f9857b2b4b87c448f9ba839d0e1549a47 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Thu, 27 Jan 2022 10:27:08 +0530 Subject: [PATCH 179/300] Rename node.js.yml to bishal-node.js.yml --- ci/{node.js.yml => bishal-node.js.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename ci/{node.js.yml => bishal-node.js.yml} (100%) diff --git a/ci/node.js.yml b/ci/bishal-node.js.yml similarity index 100% rename from ci/node.js.yml rename to ci/bishal-node.js.yml From c0b54905907ff685ff46b29437472d3ff5844709 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Thu, 27 Jan 2022 10:27:32 +0530 Subject: [PATCH 180/300] Rename ci/bishal-node.js.yml to node.js.yml --- ci/bishal-node.js.yml => node.js.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename ci/bishal-node.js.yml => node.js.yml (100%) diff --git a/ci/bishal-node.js.yml b/node.js.yml similarity index 100% rename from ci/bishal-node.js.yml rename to node.js.yml From 80404f48bc4162e425999b01ab82ec254a061371 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Thu, 27 Jan 2022 10:28:39 +0530 Subject: [PATCH 181/300] Rename node.js.yml to ci/node.js.yml --- node.js.yml => ci/node.js.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename node.js.yml => ci/node.js.yml (100%) diff --git a/node.js.yml b/ci/node.js.yml similarity index 100% rename from node.js.yml rename to ci/node.js.yml From 4f0f3e716db32badb9a62be949ebaa26967d0bca Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Thu, 27 Jan 2022 15:38:23 +0530 Subject: [PATCH 182/300] Update crunch42.yml --- code-scanning/crunch42.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/crunch42.yml b/code-scanning/crunch42.yml index 1d44bf9..e8e2447 100644 --- a/code-scanning/crunch42.yml +++ b/code-scanning/crunch42.yml @@ -33,8 +33,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: rest-api-static-security-testing: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for 42Crunch/api-security-audit-action to upload results to Github Code Scanning runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 From 1220bda7e4d820b469f0312332df5902cdf9257d Mon Sep 17 00:00:00 2001 From: Aarnav Pai <52203828+arnu515@users.noreply.github.com> Date: Thu, 27 Jan 2022 21:21:47 +0530 Subject: [PATCH 183/300] Fix version of `denoland/setup-deno` (#1369) * Fix version of `denoland/setup-deno` * Update deno.yml --- ci/deno.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/deno.yml b/ci/deno.yml index 38f2319..25e9e2a 100644 --- a/ci/deno.yml +++ b/ci/deno.yml @@ -24,7 +24,7 @@ jobs: - name: Setup Deno # uses: denoland/setup-deno@v1 - uses: denoland/setup-deno@004814556e37c54a2f6e31384c9e18e9833173669 + uses: denoland/setup-deno@004814556e37c54a2f6e31384c9e18e983317366 with: deno-version: v1.x From c005c55b8b1593cb6ccb3ad53cc595a3bdb532d3 Mon Sep 17 00:00:00 2001 From: Fedor Isakov Date: Sun, 30 Jan 2022 09:07:53 +0300 Subject: [PATCH 184/300] update google workflow (#1359) --- deployments/google.yml | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/deployments/google.yml b/deployments/google.yml index bfb5de6..003e53b 100644 --- a/deployments/google.yml +++ b/deployments/google.yml @@ -26,16 +26,16 @@ env: REPOSITORY: samples # TODO: update to Artifact Registry docker repository IMAGE: static-site -permissions: - contents: 'read' - id-token: 'write' - jobs: setup-build-publish-deploy: name: Setup, Build, Publish, and Deploy runs-on: ubuntu-latest environment: production + permissions: + contents: 'read' + id-token: 'write' + steps: - name: Checkout uses: actions/checkout@v2 @@ -43,18 +43,24 @@ jobs: # Configure Workload Identity Federation and generate an access token. - id: 'auth' name: 'Authenticate to Google Cloud' - uses: 'google-github-actions/auth@v0.4.0' + uses: 'google-github-actions/auth@v0' with: token_format: 'access_token' workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' service_account: 'my-service-account@my-project.iam.gserviceaccount.com' + # Alternative option - authentication via credentials json + # - id: 'auth' + # uses: 'google-github-actions/auth@v0' + # with: + # credentials_json: '${{ secrets.GCP_CREDENTIALS }}' + - name: Docker configuration run: |- echo ${{steps.auth.outputs.access_token}} | docker login -u oauth2accesstoken --password-stdin https://$GAR_LOCATION-docker.pkg.dev # Get the GKE credentials so we can deploy to the cluster - name: Set up GKE credentials - uses: google-github-actions/get-gke-credentials@v0.4.0 + uses: google-github-actions/get-gke-credentials@v0 with: cluster_name: ${{ env.GKE_CLUSTER }} location: ${{ env.GKE_ZONE }} From 8430b6f878f9e8318ab48462eeed25731396f568 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Mon, 31 Jan 2022 14:23:00 +0530 Subject: [PATCH 185/300] Update --- code-scanning/anchore.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index d90f68c..fcca708 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -20,8 +20,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: Anchore-Build-Scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - name: Checkout the code @@ -36,4 +42,4 @@ jobs: - name: Upload Anchore Scan Report uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: results.sarif \ No newline at end of file + sarif_file: results.sarif From 34d35389d179c8f3da46255ed31976853cb6ebcb Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Mon, 31 Jan 2022 14:23:00 +0530 Subject: [PATCH 186/300] updated gh_token permissions for anchore/scan-action --- code-scanning/anchore.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index d90f68c..fcca708 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -20,8 +20,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: Anchore-Build-Scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - name: Checkout the code @@ -36,4 +42,4 @@ jobs: - name: Upload Anchore Scan Report uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: results.sarif \ No newline at end of file + sarif_file: results.sarif From 890150c289fca8efec79fadc5f3df37820ecd855 Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Mon, 31 Jan 2022 10:48:11 +0000 Subject: [PATCH 187/300] Fixing some code scanning workflows description --- code-scanning/properties/apisec-scan.properties.json | 2 +- code-scanning/properties/cloudrail.properties.json | 2 +- code-scanning/properties/pmd.properties.json | 5 ++--- code-scanning/properties/scorecards.properties.json | 6 +++--- 4 files changed, 7 insertions(+), 8 deletions(-) diff --git a/code-scanning/properties/apisec-scan.properties.json b/code-scanning/properties/apisec-scan.properties.json index 9e7db58..b0872c8 100644 --- a/code-scanning/properties/apisec-scan.properties.json +++ b/code-scanning/properties/apisec-scan.properties.json @@ -1,7 +1,7 @@ { "name": "APIsec Scan", "creator": "APIsec", - "description": "APIsec addresses the critical need to secure APIs before they reach production. APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs. Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities.", + "description": "APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs.", "iconName": "apisec", "categories": [ "Code Scanning", diff --git a/code-scanning/properties/cloudrail.properties.json b/code-scanning/properties/cloudrail.properties.json index 830d966..e87f3ca 100644 --- a/code-scanning/properties/cloudrail.properties.json +++ b/code-scanning/properties/cloudrail.properties.json @@ -1,7 +1,7 @@ { "name": "cloudrail", "creator": "Indeni Cloudrail", - "description": "Cloudrail can be used to scan your infrastructure-as-code files for potential security and compliance issues. The Cloudrail action is often used as part of both CI workflows (on pull_request) and on CD workflows to identify potential issues.", + "description": "Cloudrail can be used to scan your infrastructure-as-code files for potential security and compliance issues.", "iconName": "cloudrail", "categories": ["Code Scanning", "HCL"] } diff --git a/code-scanning/properties/pmd.properties.json b/code-scanning/properties/pmd.properties.json index 8608022..b96ecb7 100644 --- a/code-scanning/properties/pmd.properties.json +++ b/code-scanning/properties/pmd.properties.json @@ -1,7 +1,7 @@ { "name": "pmd", "creator": "pmd", - "description": "PMD is a static source code analyzer. It finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth. It supports Java, JavaScript, Salesforce.com Apex and Visualforce, Modelica, PLSQL, Apache Velocity, XML, XSL, Scala.", + "description": "PMD is a static source code analyzer. It supports Java, JavaScript, Apex and Visualforce, Modelica, PLSQL, Apache Velocity, XML, XSL, Scala.", "iconName": "pmd", "categories": [ "Code Scanning", @@ -13,7 +13,6 @@ "Apache Velocity", "XML", "XSl", - "Scala", - "Apex" + "Scala" ] } \ No newline at end of file diff --git a/code-scanning/properties/scorecards.properties.json b/code-scanning/properties/scorecards.properties.json index d45274b..a98834c 100644 --- a/code-scanning/properties/scorecards.properties.json +++ b/code-scanning/properties/scorecards.properties.json @@ -1,7 +1,7 @@ { - "name": "OSSF Scorecards supply-chain security analysis", - "creator": "Open Source Security Foundation (OpenSSF) - https://github.com/ossf", - "description": "Scorecards is a static analysis tool to assess the security posture of your project", + "name": "OSSF Scorecards", + "creator": "Open Source Security Foundation (OpenSSF)", + "description": "Scorecards is a static supply-chain security analysis tool to assess the security posture of your project", "iconName": "scorecards", "categories": ["Code Scanning"] } From 776a96049686c7602b1fc0706bc21d1db9f7bfcc Mon Sep 17 00:00:00 2001 From: Daz DeBoer Date: Mon, 31 Jan 2022 14:47:10 -0700 Subject: [PATCH 188/300] Update for `gradle-build-action@v2.1.2` release (#1375) --- ci/gradle-publish.yml | 4 ++-- ci/gradle.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 26bc0df..0fecd23 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -30,14 +30,14 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Build with Gradle - uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 + uses: gradle/gradle-build-action@bc3340afc5e3cc44f2321809ac090d731c13c514 with: arguments: build # The USERNAME and TOKEN need to correspond to the credentials environment variables used in # the publishing section of your build.gradle - name: Publish to GitHub Packages - uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 + uses: gradle/gradle-build-action@bc3340afc5e3cc44f2321809ac090d731c13c514 with: arguments: publish env: diff --git a/ci/gradle.yml b/ci/gradle.yml index cc63e9a..bc64e5e 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -26,6 +26,6 @@ jobs: java-version: '11' distribution: 'temurin' - name: Build with Gradle - uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 + uses: gradle/gradle-build-action@bc3340afc5e3cc44f2321809ac090d731c13c514 with: arguments: build From d71bfc344e4081dfbeb2fcca7cd8839ae5d06e31 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Tue, 1 Feb 2022 22:34:47 +0530 Subject: [PATCH 189/300] Create checkmarx.yml --- code-scanning/checkmarx.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index 96b9897..d012bce 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -17,10 +17,18 @@ on: - cron: $cron-weekly # A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action +permissions: + contents: read + jobs: # This workflow contains a single job called "build" build: # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action + permissions: + contents: read # for actions/checkout to fetch code + issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues + pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) From a76776b484009a5dc3accadfb53dbbc4d953d9e2 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Wed, 2 Feb 2022 23:49:53 +0530 Subject: [PATCH 190/300] Update codacy.yml --- code-scanning/codacy.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index 50185ad..4892930 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -22,8 +22,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: codacy-security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Codacy Security Scan runs-on: ubuntu-latest steps: From 98bd06c9adbcd9070c1ae4916193a9a898b2a7fa Mon Sep 17 00:00:00 2001 From: Daz DeBoer Date: Thu, 3 Feb 2022 14:24:19 -0700 Subject: [PATCH 191/300] Update for gradle/gradle-build-action@v2.1.3 (#1384) --- ci/gradle-publish.yml | 4 ++-- ci/gradle.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 0fecd23..9fdc851 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -30,14 +30,14 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Build with Gradle - uses: gradle/gradle-build-action@bc3340afc5e3cc44f2321809ac090d731c13c514 + uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 with: arguments: build # The USERNAME and TOKEN need to correspond to the credentials environment variables used in # the publishing section of your build.gradle - name: Publish to GitHub Packages - uses: gradle/gradle-build-action@bc3340afc5e3cc44f2321809ac090d731c13c514 + uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 with: arguments: publish env: diff --git a/ci/gradle.yml b/ci/gradle.yml index bc64e5e..fc8cf2f 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -26,6 +26,6 @@ jobs: java-version: '11' distribution: 'temurin' - name: Build with Gradle - uses: gradle/gradle-build-action@bc3340afc5e3cc44f2321809ac090d731c13c514 + uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 with: arguments: build From de41169eb0a60341cf326c9b790a79a99e147793 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 4 Feb 2022 09:45:26 +0530 Subject: [PATCH 192/300] Revert "Add Datadog Synthetics GitHub action to starter workflows (#1342)" (#1385) This reverts commit f31e3a9c9dda4c8027904038d1e7e1c54695dc7d. --- ci/datadog-synthetics.yml | 38 ------------------- .../datadog-synthetics.properties.json | 6 --- icons/datadog.svg | 4 -- 3 files changed, 48 deletions(-) delete mode 100644 ci/datadog-synthetics.yml delete mode 100644 ci/properties/datadog-synthetics.properties.json delete mode 100644 icons/datadog.svg diff --git a/ci/datadog-synthetics.yml b/ci/datadog-synthetics.yml deleted file mode 100644 index 7056f87..0000000 --- a/ci/datadog-synthetics.yml +++ /dev/null @@ -1,38 +0,0 @@ -# This workflow will trigger Datadog Synthetic tests within your Datadog organisation -# For more information on running Synthetic tests within your GitHub workflows see: https://docs.datadoghq.com/synthetics/cicd_integrations/github_actions/ - -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# To get started: - -# 1. Add your Datadog API (DD_API_KEY) and Application Key (DD_APP_KEY) as secrets to your GitHub repository. For more information, see: https://docs.datadoghq.com/account_management/api-app-keys/. -# 2. Start using the action within your workflow - -name: Run Datadog Synthetic tests - -on: - push: - branches: [ $default-branch ] - pull_request: - branches: [ $default-branch ] - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - # Run Synthetic tests within your GitHub workflow. - # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci - - name: Run Datadog Synthetic tests - uses: DataDog/synthetics-ci-github-action@2b56dc0cca9daa14ab69c0d1d6844296de8f941e - with: - api_key: ${{secrets.DD_API_KEY}} - app_key: ${{secrets.DD_APP_KEY}} - test_search_query: 'tag:e2e-tests' #Modify this tag to suit your tagging strategy - - diff --git a/ci/properties/datadog-synthetics.properties.json b/ci/properties/datadog-synthetics.properties.json deleted file mode 100644 index 5a4f74d..0000000 --- a/ci/properties/datadog-synthetics.properties.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "name": "Datadog Synthetics", - "description": "Run Datadog Synthetic tests within your GitHub Actions workflow", - "iconName": "datadog", - "categories": ["Continuous integration", "JavaScript", "TypeScript", "Testing"] -} diff --git a/icons/datadog.svg b/icons/datadog.svg deleted file mode 100644 index 91cb3b6..0000000 --- a/icons/datadog.svg +++ /dev/null @@ -1,4 +0,0 @@ - - - - From d580918e060b0b513a57c8644e9712cd51e021bd Mon Sep 17 00:00:00 2001 From: Andreas Dangel Date: Thu, 10 Feb 2022 18:08:47 +0100 Subject: [PATCH 193/300] Update pmd to v1.2.0 * Use pmd/pmd-github-action@967a81f8b657c87f7c3e96b62301cb1a48efef29 which is v1.2.0 * Remove "cache: maven" setting, which fails if no pom.xml file is existing * Set parameter "analyzeModifiedFilesOnly: false" to prevent incomplete analysis results. See also https://github.com/pmd/pmd-github-action/issues/35 --- code-scanning/pmd.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index ba895fe..0604734 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -9,7 +9,7 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ $default-branch ] + branches: [ $default-branch ] schedule: - cron: $cron-weekly @@ -23,13 +23,13 @@ jobs: with: java-version: '11' distribution: 'temurin' - cache: maven - name: Run PMD id: pmd - uses: pmd/pmd-github-action@6d98898be0d59f46ec37dafcea33d8f8f55acfd1 + uses: pmd/pmd-github-action@967a81f8b657c87f7c3e96b62301cb1a48efef29 with: rulesets: 'rulesets/java/quickstart.xml' sourcePath: 'src/main/java' + analyzeModifiedFilesOnly: false - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v1 with: From b88366bf0e067c779927710896ffd772d554574c Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Fri, 11 Feb 2022 16:47:51 +0530 Subject: [PATCH 194/300] added token permissions --- code-scanning/snyk-infrastructure.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index b79bf34..be7c2f0 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml @@ -21,8 +21,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 From 2a4545affa629f8317733e2a81401b069cd07692 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Fri, 11 Feb 2022 16:50:05 +0530 Subject: [PATCH 195/300] added github_token permissions --- code-scanning/xanitizer.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 3bfb9ed..1e511aa 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -42,9 +42,15 @@ on: - cron: $cron-weekly workflow_dispatch: +permissions: + contents: read + jobs: xanitizer-security-analysis: # Xanitizer runs on ubuntu-latest and windows-latest. + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: From 494ea2d29d4639345a238dc8a98c06abd89f4f4c Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Fri, 11 Feb 2022 16:52:39 +0530 Subject: [PATCH 196/300] added github_token permissions --- code-scanning/powershell.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index dfbf452..22e5ea7 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -17,8 +17,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: build: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: PSScriptAnalyzer runs-on: ubuntu-latest steps: From 4579cb5c54c0244e7ae7935f290bc26d979761ee Mon Sep 17 00:00:00 2001 From: Chris Gavin Date: Fri, 11 Feb 2022 15:03:41 +0000 Subject: [PATCH 197/300] Fix some workflows not being excluded from Enterprise syncing. --- code-scanning/properties/detekt.properties.json | 5 ++--- script/sync-ghes/index.ts | 3 +++ 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/code-scanning/properties/detekt.properties.json b/code-scanning/properties/detekt.properties.json index d51a6ad..c133cc1 100644 --- a/code-scanning/properties/detekt.properties.json +++ b/code-scanning/properties/detekt.properties.json @@ -3,7 +3,6 @@ "creator": "Detekt", "description": "Static code analysis for Kotlin", "iconName": "detekt", - "categories": ["Code Scanning", "Kotlin"] + "categories": ["Code Scanning", "Kotlin"], + "enterprise": false } - - \ No newline at end of file diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 9edc70e..608e73d 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -21,6 +21,8 @@ interface WorkflowProperties { categories: string[] | null; creator?: string; + + enterprise?: boolean; } interface WorkflowsCheckResult { @@ -59,6 +61,7 @@ async function checkWorkflows( const enabled = !isPartnerWorkflow && + workflowProperties.enterprise !== false && (await checkWorkflow(workflowFilePath, enabledActions)); const workflowDesc: WorkflowDesc = { From 14ce90e99f9db28d05cc0a81e2b63370e034db38 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Mon, 14 Feb 2022 11:13:30 +0530 Subject: [PATCH 198/300] added github_token permissions --- code-scanning/semgrep.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index 827387b..f99d441 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -19,8 +19,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: semgrep: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Scan runs-on: ubuntu-latest steps: From 63beace25d14ca0b8918b467dbfe7bc0f3281742 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Mon, 14 Feb 2022 11:16:12 +0530 Subject: [PATCH 199/300] added github_token permission --- deployments/terraform.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/terraform.yml b/deployments/terraform.yml index 589f1f3..b7cbc3a 100644 --- a/deployments/terraform.yml +++ b/deployments/terraform.yml @@ -50,6 +50,9 @@ on: - $default-branch pull_request: +permissions: + contents: read + jobs: terraform: name: 'Terraform' From dc2daec13461e79d070e114e1c6acdedc695ca50 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Mon, 14 Feb 2022 11:27:43 +0530 Subject: [PATCH 200/300] added token permissions --- ci/msbuild.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/msbuild.yml b/ci/msbuild.yml index 29b6ace..2cf2a88 100644 --- a/ci/msbuild.yml +++ b/ci/msbuild.yml @@ -11,6 +11,9 @@ env: # https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix BUILD_CONFIGURATION: Release +permissions: + contents: read + jobs: build: runs-on: windows-latest From ccd26a97cbd594ff3af6632ba294d570b2e5c797 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Mon, 14 Feb 2022 11:30:57 +0530 Subject: [PATCH 201/300] added token permissions --- ci/d.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/d.yml b/ci/d.yml index 6086681..c78e2ce 100644 --- a/ci/d.yml +++ b/ci/d.yml @@ -10,6 +10,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: From b90ea0582ae3866c2a11e47fc3708e4d97a5ad3f Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 12:43:26 +0530 Subject: [PATCH 202/300] Update veracode.yml --- code-scanning/veracode.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index e38fffd..073d1b6 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -17,10 +17,16 @@ on: - cron: $cron-weekly # A workflow run is made up of one or more jobs that can run sequentially or in parallel +permissions: + contents: read + jobs: # This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter build-and-pipeline-scan: # The type of runner that the job will run on + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: From d50a73e3b85ca935b2a475373e3645a277b0757b Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 12:47:03 +0530 Subject: [PATCH 203/300] Update python-publish.yml --- ci/python-publish.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 3bfabfc..489d5e6 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -12,6 +12,9 @@ on: release: types: [published] +permissions: + contents: read + jobs: deploy: From fa522381039cec2072a9f83de5f7fd077faf57d4 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 12:57:42 +0530 Subject: [PATCH 204/300] Update gradle.yml --- ci/gradle.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/gradle.yml b/ci/gradle.yml index fc8cf2f..11b4ea6 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -13,6 +13,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: From d8a2673986720cf4f579448519c77a37d861d53e Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 12:59:51 +0530 Subject: [PATCH 205/300] Update prisma.yml --- code-scanning/prisma.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 5323d1b..5b11482 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -21,8 +21,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: prisma_cloud_iac_scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest name: Run Prisma Cloud IaC Scan to check steps: From fd8ffb3d9c4336e2e4584baebffce4196086e794 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 13:01:38 +0530 Subject: [PATCH 206/300] Update aws.yml --- deployments/aws.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/aws.yml b/deployments/aws.yml index dab851f..65f445f 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -41,6 +41,9 @@ env: CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the # containerDefinitions section of your task definition +permissions: + contents: read + jobs: deploy: name: Deploy From d6dfba970ff1b09095fe860bf15860fbfc788840 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 13:03:20 +0530 Subject: [PATCH 207/300] Update deno.yml --- ci/deno.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/deno.yml b/ci/deno.yml index 25e9e2a..6393f5f 100644 --- a/ci/deno.yml +++ b/ci/deno.yml @@ -14,6 +14,9 @@ on: pull_request: branches: [$default-branch] +permissions: + contents: read + jobs: test: runs-on: ubuntu-latest From baf5276476b911e377a006890698a2bfd211e47d Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 13:05:59 +0530 Subject: [PATCH 208/300] Update ruby.yml --- ci/ruby.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/ruby.yml b/ci/ruby.yml index f6ae1e3..9f90687 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -13,6 +13,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: test: From 4333c79965dc3415883fbb3d4c4b2d4e6d6f2e3f Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 13:08:08 +0530 Subject: [PATCH 209/300] Update codacy.yml --- code-scanning/codacy.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index 50185ad..4892930 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -22,8 +22,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: codacy-security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Codacy Security Scan runs-on: ubuntu-latest steps: From b93e51dac62613e75ab7b232cead7c400368d461 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 13:11:47 +0530 Subject: [PATCH 210/300] Update msvc.yml --- code-scanning/msvc.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 1503319..83d4571 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -20,8 +20,14 @@ env: # Path to the CMake build directory. build: '${{ github.workspace }}/build' +permissions: + contents: read + jobs: analyze: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Analyze runs-on: windows-latest From ab9bdce2e320816516a6b28bf58c3f503daa0bb3 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Mon, 14 Feb 2022 15:19:56 +0530 Subject: [PATCH 211/300] Update apisec-scan.yml --- code-scanning/apisec-scan.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 3aa06ca..4737d06 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -42,8 +42,13 @@ on: workflow_dispatch: +permissions: + contents: read + jobs: Trigger APIsec scan: + permissions: + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: @@ -61,4 +66,4 @@ jobs: - name: Import results uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: ./apisec-results.sarif \ No newline at end of file + sarif_file: ./apisec-results.sarif From f6474e2bfa207cc53531f4de21c1f9243ec7c46a Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Mon, 14 Feb 2022 15:23:03 +0530 Subject: [PATCH 212/300] Update brakeman.yml --- code-scanning/brakeman.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index ae5215a..d0b25ac 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -17,8 +17,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: brakeman-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Brakeman Scan runs-on: ubuntu-latest steps: From aa4aa29543b6a72c397d9285abd94d91c41984fd Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Mon, 14 Feb 2022 15:51:06 +0530 Subject: [PATCH 213/300] Update stackhawk.yml --- code-scanning/stackhawk.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/stackhawk.yml b/code-scanning/stackhawk.yml index 9701b1f..af220c0 100644 --- a/code-scanning/stackhawk.yml +++ b/code-scanning/stackhawk.yml @@ -37,8 +37,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: stackhawk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for stackhawk/hawkscan-action to upload code scanning alert info name: StackHawk runs-on: ubuntu-20.04 steps: From 8bcdd73aa893896b02a33bf844682a4a632c099a Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Tue, 15 Feb 2022 13:36:24 +0530 Subject: [PATCH 214/300] added github_token permission --- deployments/alibabacloud.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index ded9178..c783305 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -40,6 +40,9 @@ env: ACR_EE_IMAGE: repo ACR_EE_TAG: ${{ github.sha }} +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest From db842e7ec591aa2ff0545d82f159c0719a0087d8 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Tue, 15 Feb 2022 13:39:46 +0530 Subject: [PATCH 215/300] added github_token permission --- ci/scala.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/scala.yml b/ci/scala.yml index af6b2ed..95c1957 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: From f0d5cb15453edac00fb14288d0ca9ae895bf76b0 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Tue, 15 Feb 2022 13:42:06 +0530 Subject: [PATCH 216/300] added token permission --- ci/python-app.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/python-app.yml b/ci/python-app.yml index 2cfc2a3..cdd6c6c 100644 --- a/ci/python-app.yml +++ b/ci/python-app.yml @@ -9,6 +9,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: From 6706b36121ab6c4b497c145160f85b056fe12347 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Tue, 15 Feb 2022 16:04:39 +0530 Subject: [PATCH 217/300] Update njsscan.yml --- code-scanning/njsscan.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index 8077f76..a6da087 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -17,8 +17,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: njsscan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest name: njsscan code scanning steps: From 3394a8e62f54f84b23c843b970d4ca143013db12 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Tue, 15 Feb 2022 16:38:05 +0530 Subject: [PATCH 218/300] Update mobsf.yml --- code-scanning/mobsf.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 689a1a0..d8eaa92 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -13,8 +13,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: mobile-security: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: @@ -33,4 +39,4 @@ jobs: - name: Upload mobsfscan report uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: results.sarif \ No newline at end of file + sarif_file: results.sarif From 6a5dc3a7538ff504a39f33cc73855ad4dedcf3e0 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Thu, 17 Feb 2022 08:50:23 +0530 Subject: [PATCH 219/300] Update sysdig-scan.yml --- code-scanning/sysdig-scan.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index 49841d7..f9b29fc 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -13,10 +13,17 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: build: + permissions: + checks: write # for sysdiglabs/scan-action to publish the checks + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: @@ -51,4 +58,4 @@ jobs: #Upload SARIF file if: always() with: - sarif_file: ${{ steps.scan.outputs.sarifReport }} \ No newline at end of file + sarif_file: ${{ steps.scan.outputs.sarifReport }} From 93dc183837a934693bd89af6bf3e1ed076f9b958 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Thu, 17 Feb 2022 08:55:16 +0530 Subject: [PATCH 220/300] Update r.yml --- ci/r.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/r.yml b/ci/r.yml index 305c2cf..456e552 100644 --- a/ci/r.yml +++ b/ci/r.yml @@ -14,6 +14,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: runs-on: macos-latest From 8c75e2d11fd9040bc7a3492d7bcfcb4c92a194d7 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Thu, 17 Feb 2022 08:57:59 +0530 Subject: [PATCH 221/300] Update pmd.yml --- code-scanning/pmd.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 0604734..cf4b01d 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -13,8 +13,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: pmd-code-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 From ed9202263d2954cd84dc11e0068ea5744268e8ab Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 18 Feb 2022 01:00:27 +0000 Subject: [PATCH 222/300] Update hash for scorecard's v1.0.4 release --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 618ce28..d63b462 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -27,7 +27,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@c8416b0b2bf627c349ca92fc8e3de51a64b005cf # v1.0.2 + uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4 with: results_file: results.sarif results_format: sarif From 300f303442f956de563b7f301f652d94acb60cde Mon Sep 17 00:00:00 2001 From: Atul Malaviya Date: Sun, 20 Feb 2022 02:18:18 -0600 Subject: [PATCH 223/300] Added PR trigger (#1448) --- ci/msbuild.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ci/msbuild.yml b/ci/msbuild.yml index 29b6ace..e650e2a 100644 --- a/ci/msbuild.yml +++ b/ci/msbuild.yml @@ -1,6 +1,10 @@ name: MSBuild -on: [push] +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] env: # Path to the solution file relative to the root of the project. From 0b1f2442e511ac2e36f9c551899079d28f0fade5 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 1 Mar 2022 14:58:57 +0100 Subject: [PATCH 224/300] Create sonarcloud.yml --- code-scanning/sonarcloud.yml | 51 ++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 code-scanning/sonarcloud.yml diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml new file mode 100644 index 0000000..d15db93 --- /dev/null +++ b/code-scanning/sonarcloud.yml @@ -0,0 +1,51 @@ +This workflow helps you trigger a SonarCloud analysis of your code. +name: SonarCloud analysis + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + + workflow_dispatch: + +jobs: + Analysis: + runs-on: ubuntu-latest + + steps: + + - name: Analyze with SonarCloud + + # 1. Import your project to SonarCloud. + # 2. Import it on SonarCloud + # * Open sonarcloud.io, connect with your GitHub account and add your GitHub organization and your repository as a new project. + # * Please note that your project might be ready for AutoScan which means that it will be analysed without the need for GitHub Actions (it will be built automatically). + # * This behavior can be changed in Administration > Analysis Method. + # + # 3. Copy/paste the Projet Key and the Organization Key in the args below + # * On SonarCloud, click on Information at the bottom left + # 4. Generate a new token and add it to your Github's repository Secrets as SONAR_TOKEN + # * On SonarCloud, click on your avatar on top-right > My account > Security + + # You may pin to the exact commit or the version. + # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 + uses: SonarSource/sonarcloud-github-action@v1.6 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) + with: + # Additional arguments to the sonarcloud scanner + args: > + # Set the sonar.projectBaseDir analysis property + projectBaseDir: . # optional, default is . + # Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu) + -Dsonar.projectKey= # mandatory + # Unique organisation key of your project. You can find it in SonarCloud > Information (bottom-left menu) + -Dsonar.organization= # mandatory + # Comma-separated paths to directories containing main source files. + -Dsonar.sources= # optional, default is project base directory + # Comma-separated paths to directories containing test source files. + -Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ + # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. + -Dsonar.verbose= # optional, default is false From b80e458c6205c8b77c2a7bd419be52d6a82fc64f Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 1 Mar 2022 16:29:12 +0100 Subject: [PATCH 225/300] Added documentation links --- code-scanning/sonarcloud.yml | 36 ++++++++++++++++++++---------------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index d15db93..387f34c 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -1,4 +1,19 @@ -This workflow helps you trigger a SonarCloud analysis of your code. +# This workflow helps you trigger a SonarCloud analysis of your code. + +# 1. Login to SonarCloud.io using your GitHub account +# 2. Import your project on SonarCloud +# * Add your GitHub organization first, then add your repository as a new project. +# * Please note that your project might be ready for Automatic Analysis, which means that it could be analysed without the need for GitHub Actions (it will be built automatically). +# * This behavior can be changed in Administration > Analysis Method. +# +# 3. Copy/paste the Projet Key and the Organization Key in the args parameter below +# * You'll find those info on SonarCloud. Click on "Information" at the bottom left +# 4. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN +# * On SonarCloud, click on your avatar on top-right > My account > Security + +# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) +# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) + name: SonarCloud analysis on: @@ -15,18 +30,7 @@ jobs: steps: - - name: Analyze with SonarCloud - - # 1. Import your project to SonarCloud. - # 2. Import it on SonarCloud - # * Open sonarcloud.io, connect with your GitHub account and add your GitHub organization and your repository as a new project. - # * Please note that your project might be ready for AutoScan which means that it will be analysed without the need for GitHub Actions (it will be built automatically). - # * This behavior can be changed in Administration > Analysis Method. - # - # 3. Copy/paste the Projet Key and the Organization Key in the args below - # * On SonarCloud, click on Information at the bottom left - # 4. Generate a new token and add it to your Github's repository Secrets as SONAR_TOKEN - # * On SonarCloud, click on your avatar on top-right > My account > Security + - name: Analyze with SonarCloud # You may pin to the exact commit or the version. # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 @@ -36,15 +40,15 @@ jobs: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) with: # Additional arguments to the sonarcloud scanner - args: > - # Set the sonar.projectBaseDir analysis property - projectBaseDir: . # optional, default is . + args: # Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu) -Dsonar.projectKey= # mandatory # Unique organisation key of your project. You can find it in SonarCloud > Information (bottom-left menu) -Dsonar.organization= # mandatory # Comma-separated paths to directories containing main source files. -Dsonar.sources= # optional, default is project base directory + # When you need the analysis to take place in a directory other than the one from which it was launched + -Dsonar.projectBaseDir= # optional, default is . # Comma-separated paths to directories containing test source files. -Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. From c5a70f040535fbdb74601570225b59bc8516a3b7 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 1 Mar 2022 16:29:42 +0100 Subject: [PATCH 226/300] Removed extra spaces --- code-scanning/sonarcloud.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 387f34c..3441617 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -21,15 +21,13 @@ on: branches: [ master ] pull_request: branches: [ master ] - workflow_dispatch: jobs: Analysis: runs-on: ubuntu-latest - + steps: - - name: Analyze with SonarCloud # You may pin to the exact commit or the version. From 429537d3207f07a271ed289b60a664da53be9b86 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 1 Mar 2022 16:36:07 +0100 Subject: [PATCH 227/300] Added workflow variables for branches --- code-scanning/sonarcloud.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 3441617..97f364d 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -18,9 +18,9 @@ name: SonarCloud analysis on: push: - branches: [ master ] + branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ master ] + branches: [ $default-branch ] workflow_dispatch: jobs: From b48f15df6228157c0181ee9fdca8f52f091a3703 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 1 Mar 2022 16:36:37 +0100 Subject: [PATCH 228/300] Added space between paragraph --- code-scanning/sonarcloud.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 97f364d..0b58f05 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -1,6 +1,7 @@ # This workflow helps you trigger a SonarCloud analysis of your code. # 1. Login to SonarCloud.io using your GitHub account + # 2. Import your project on SonarCloud # * Add your GitHub organization first, then add your repository as a new project. # * Please note that your project might be ready for Automatic Analysis, which means that it could be analysed without the need for GitHub Actions (it will be built automatically). @@ -8,6 +9,7 @@ # # 3. Copy/paste the Projet Key and the Organization Key in the args parameter below # * You'll find those info on SonarCloud. Click on "Information" at the bottom left + # 4. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN # * On SonarCloud, click on your avatar on top-right > My account > Security From fb2b1099ec558e4666229e557860eb8a8dd58ac7 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 1 Mar 2022 16:39:07 +0100 Subject: [PATCH 229/300] Fixed intro text --- code-scanning/sonarcloud.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 0b58f05..c4ab0e4 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -1,4 +1,4 @@ -# This workflow helps you trigger a SonarCloud analysis of your code. +# This workflow helps you trigger a SonarCloud analysis of your code and populates GitHub Code Scanning alerts with the vulnerabilities found. # 1. Login to SonarCloud.io using your GitHub account From d3fb4810d7ded6721dd323f60d1b3c63d901b307 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Wed, 2 Mar 2022 10:53:29 -0800 Subject: [PATCH 230/300] Add clj-holmes starter workflow --- code-scanning/clj-holmes.yml | 40 +++++++++++++++++++ .../properties/clj-holmes.properties.json | 10 +++++ icons/clj-holmes.svg | 1 + 3 files changed, 51 insertions(+) create mode 100644 code-scanning/clj-holmes.yml create mode 100644 code-scanning/properties/clj-holmes.properties.json create mode 100644 icons/clj-holmes.svg diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml new file mode 100644 index 0000000..62364b3 --- /dev/null +++ b/code-scanning/clj-holmes.yml @@ -0,0 +1,40 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: clj-holmes + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + clj-holmes: + name: Run clj-holmes scanning + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Scan code + uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb + with: + rules-repository: 'git://org/private-rules-repo#main' + output-type: 'sarif' + output-file: 'clj-holmes-results.sarif' + fail-on-result: 'false' + + - name: Upload analysis results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ${{github.workspace}}/clj-holmes-results.sarif \ No newline at end of file diff --git a/code-scanning/properties/clj-holmes.properties.json b/code-scanning/properties/clj-holmes.properties.json new file mode 100644 index 0000000..41950bb --- /dev/null +++ b/code-scanning/properties/clj-holmes.properties.json @@ -0,0 +1,10 @@ +{ + "name": "clj-holmes", + "creator": "Matheus Bernardes", + "description": "A CLI SAST (Static application security testing) tool which was built with the intent of finding vulnerable Clojure code via rules that use a simple pattern language.", + "iconName": "clj-holmes", + "categories": [ + "Code Scanning", + "clojure" + ] +} \ No newline at end of file diff --git a/icons/clj-holmes.svg b/icons/clj-holmes.svg new file mode 100644 index 0000000..74459e5 --- /dev/null +++ b/icons/clj-holmes.svg @@ -0,0 +1 @@ + \ No newline at end of file From 0d462e1c6b547f7df41b16f6ef94d08d27f26176 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Thu, 3 Mar 2022 22:43:12 +0530 Subject: [PATCH 231/300] Port reworked AKS templates to main (#1450) --- deployments/azure-kubernetes-service-helm.yml | 122 +++++++++++++++++ .../azure-kubernetes-service-kompose.yml | 111 +++++++++++++++ .../azure-kubernetes-service-kustomize.yml | 117 ++++++++++++++++ deployments/azure-kubernetes-service.yml | 127 +++++++++++------- ...re-kubernetes-service-helm.properties.json | 7 + ...kubernetes-service-kompose.properties.json | 7 + ...bernetes-service-kustomize.properties.json | 7 + .../azure-kubernetes-service.properties.json | 6 +- 8 files changed, 450 insertions(+), 54 deletions(-) create mode 100644 deployments/azure-kubernetes-service-helm.yml create mode 100644 deployments/azure-kubernetes-service-kompose.yml create mode 100644 deployments/azure-kubernetes-service-kustomize.yml create mode 100644 deployments/properties/azure-kubernetes-service-helm.properties.json create mode 100644 deployments/properties/azure-kubernetes-service-kompose.properties.json create mode 100644 deployments/properties/azure-kubernetes-service-kustomize.properties.json diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml new file mode 100644 index 0000000..506819d --- /dev/null +++ b/deployments/azure-kubernetes-service-helm.yml @@ -0,0 +1,122 @@ +# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code +# +# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# For instructions see: +# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal +# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://github.com/Azure/aks-create-action +# +# To configure this workflow: +# +# 1. Set the following secrets in your repository (instructions for getting these +# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# - AZURE_CLIENT_ID +# - AZURE_TENANT_ID +# - AZURE_SUBSCRIPTION_ID +# +# 2. Set the following environment variables (or replace the values below): +# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - RESOURCE_GROUP (where your cluster is deployed) +# - CLUSTER_NAME (name of your AKS cluster) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) +# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# +# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Helm. +# Set your helmChart, overrideFiles, overrides, and helm-version to suit your configuration. +# - CHART_PATH (path to your helm chart) +# - CHART_OVERRIDE_PATH (path to your helm chart with override values) +# +# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions +# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +# For more options with the actions used below please refer to https://github.com/Azure/login + +name: Build and deploy an app to AKS with Helm + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +env: + AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" + CONTAINER_NAME: "your-container-name" + RESOURCE_GROUP: "your-resource-group" + CLUSTER_NAME: "your-cluster-name" + IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" + CHART_PATH: "your-chart-path" + CHART_OVERRIDE_PATH: "your-chart-override-path" + +jobs: + build: + permissions: + actions: read + contents: read + id-token: write + + runs-on: ubuntu-latest + steps: + # Checks out the repository this file is in + - uses: actions/checkout@master + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + + # Retrieves the credentials for pulling images from your Azure Container Registry + - name: Get ACR credentials + run: | + az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true + ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) + ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::set-output name=username::${ACR_USERNAME}" + echo "::set-output name=password::${ACR_PASSWORD}" + id: get-acr-creds + + # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step + - name: Create K8s secret for pulling image from ACR + uses: Azure/k8s-create-secret@v1.1 + with: + container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io + container-registry-username: ${{ steps.get-acr-creds.outputs.username }} + container-registry-password: ${{ steps.get-acr-creds.outputs.password }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + # Runs Helm to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2.1 + with: + renderEngine: 'helm' + helmChart: ${{ env.CHART_PATH }} + overrideFiles: ${{ env.CHART_OVERRIDE_PATH }} + overrides: | + replicas:2 + helm-version: 'latest' + id: bake + + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v3.0 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} + imagepullsecrets: | + ${{ env.IMAGE_PULL_SECRET_NAME }} diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml new file mode 100644 index 0000000..1d33fe3 --- /dev/null +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -0,0 +1,111 @@ +# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code +# +# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# For instructions see: +# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal +# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://github.com/Azure/aks-create-action +# +# To configure this workflow: +# +# 1. Set the following secrets in your repository (instructions for getting these +# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# - AZURE_CLIENT_ID +# - AZURE_TENANT_ID +# - AZURE_SUBSCRIPTION_ID +# +# 2. Set the following environment variables (or replace the values below): +# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - RESOURCE_GROUP (where your cluster is deployed) +# - CLUSTER_NAME (name of your AKS cluster) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) +# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# +# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kompose. +# Set your dockerComposeFile and kompose-version to suit your configuration. +# - DOCKER_COMPOSE_FILE_PATH (the path where your Kompose deployment manifest is located) +# +# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions +# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +# For more options with the actions used below please refer to https://github.com/Azure/login + +name: Build and deploy an app to AKS with Kompose + +env: + AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" + CONTAINER_NAME: "your-container-name" + RESOURCE_GROUP: "your-resource-group" + CLUSTER_NAME: "your-cluster-name" + IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" + DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path" + +jobs: + build: + permissions: + actions: read + contents: read + id-token: write + + runs-on: ubuntu-latest + steps: + # Checks out the repository this file is in + - uses: actions/checkout@master + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + + # Retrieves the credentials for pulling images from your Azure Container Registry + - name: Get ACR credentials + run: | + az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true + ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) + ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::set-output name=username::${ACR_USERNAME}" + echo "::set-output name=password::${ACR_PASSWORD}" + id: get-acr-creds + + # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step + - name: Create K8s secret for pulling image from ACR + uses: Azure/k8s-create-secret@v1.1 + with: + container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io + container-registry-username: ${{ steps.get-acr-creds.outputs.username }} + container-registry-password: ${{ steps.get-acr-creds.outputs.password }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + # Runs Kompose to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2.1 + with: + renderEngine: 'kompose' + dockerComposeFile: ${{ env.DOCKER_COMPOSE_FILE_PATH }} + kompose-version: 'latest' + id: bake + + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v3.0 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} + imagepullsecrets: | + ${{ env.IMAGE_PULL_SECRET_NAME }} diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml new file mode 100644 index 0000000..51b7d69 --- /dev/null +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -0,0 +1,117 @@ +# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code +# +# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# For instructions see: +# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal +# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://github.com/Azure/aks-create-action +# +# To configure this workflow: +# +# 1. Set the following secrets in your repository (instructions for getting these +# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# - AZURE_CLIENT_ID +# - AZURE_TENANT_ID +# - AZURE_SUBSCRIPTION_ID +# +# 2. Set the following environment variables (or replace the values below): +# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - RESOURCE_GROUP (where your cluster is deployed) +# - CLUSTER_NAME (name of your AKS cluster) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) +# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# +# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kustomize. +# Set your kustomizationPath and kubectl-version to suit your configuration. +# - KUSTOMIZE_PATH (the path where your Kustomize manifests are located) +# +# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions +# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +# For more options with the actions used below please refer to https://github.com/Azure/login + +name: Build and deploy an app to AKS with Kustomize + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +env: + AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" + CONTAINER_NAME: "your-container-name" + RESOURCE_GROUP: "your-resource-group" + CLUSTER_NAME: "your-cluster-name" + IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" + KUSTOMIZE_PATH: "your-kustomize-path" + +jobs: + build: + permissions: + actions: read + contents: read + id-token: write + + runs-on: ubuntu-latest + steps: + # Checks out the repository this file is in + - uses: actions/checkout@master + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + + # Retrieves the credentials for pulling images from your Azure Container Registry + - name: Get ACR credentials + run: | + az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true + ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) + ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::set-output name=username::${ACR_USERNAME}" + echo "::set-output name=password::${ACR_PASSWORD}" + id: get-acr-creds + + # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step + - name: Create K8s secret for pulling image from ACR + uses: Azure/k8s-create-secret@v1.1 + with: + container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io + container-registry-username: ${{ steps.get-acr-creds.outputs.username }} + container-registry-password: ${{ steps.get-acr-creds.outputs.password }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + # Runs Kustomize to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2.1 + with: + renderEngine: 'kustomize' + kustomizationPath: ${{ env.KUSTOMIZE_PATH }} + kubectl-version: latest + id: bake + + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v3.0 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} + imagepullsecrets: | + ${{ env.IMAGE_PULL_SECRET_NAME }} diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index 08988ff..e61e64e 100644 --- a/deployments/azure-kubernetes-service.yml +++ b/deployments/azure-kubernetes-service.yml @@ -1,80 +1,105 @@ # This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code # # This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) -# For instructions see https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal -# https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal -# https://github.com/Azure/aks-create-action +# For instructions see: +# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal +# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://github.com/Azure/aks-create-action # # To configure this workflow: # -# 1. Set the following secrets in your repository: -# - AZURE_CREDENTIALS (instructions for getting this https://github.com/Azure/login#configure-a-service-principal-with-a-secret) +# 1. Set the following secrets in your repository (instructions for getting these +# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# - AZURE_CLIENT_ID +# - AZURE_TENANT_ID +# - AZURE_SUBSCRIPTION_ID # # 2. Set the following environment variables (or replace the values below): -# - AZURE_CONTAINER_REGISTRY (name of your container registry) -# - PROJECT_NAME +# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) # - RESOURCE_GROUP (where your cluster is deployed) # - CLUSTER_NAME (name of your AKS cluster) -# -# 3. Choose the approrpiate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes helm, then set -# any needed environment variables such as: -# - CHART_PATH -# - CHART_OVERRIDE_PATH +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) +# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# - DEPLOYMENT_MANIFEST_PATH (path to the manifest yaml for your deployment) # # For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions # For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples -# For more options with the actions used below please see the folllowing -# https://github.com/Azure/login -# https://github.com/Azure/aks-set-context -# https://github.com/marketplace/actions/azure-cli-action -# https://github.com/Azure/k8s-bake -# https://github.com/Azure/k8s-deploy +# For more options with the actions used below please refer to https://github.com/Azure/login -on: [push] +name: Build and deploy an app to AKS + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +env: + AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" + CONTAINER_NAME: "your-container-name" + RESOURCE_GROUP: "your-resource-group" + CLUSTER_NAME: "your-cluster-name" + IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" + DEPLOYMENT_MANIFEST_PATH: 'your-deployment-manifest-path' jobs: build: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest steps: + # Checks out the repository this file is in - uses: actions/checkout@master - - name: Azure Login - uses: azure/login@v1 + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - - - name: Build image on ACR - uses: azure/CLI@v1 - with: - azcliversion: 2.29.1 - inlineScript: | - az configure --defaults acr=${{ env.AZURE_CONTAINER_REGISTRY }} - az acr build -t -t ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }} - - - name: Gets K8s context - uses: azure/aks-set-context@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} - id: login + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . - - name: Configure deployment - uses: azure/k8s-bake@v1 + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 with: - renderEngine: 'helm' - helmChart: ${{ env.CHART_PATH }} - overrideFiles: ${{ env.CHART_OVERRIDE_PATH }} - overrides: | - replicas:2 - helm-version: 'latest' - id: bake + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + # Retrieves the credentials for pulling images from your Azure Container Registry + - name: Get ACR credentials + run: | + az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true + ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) + ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::set-output name=username::${ACR_USERNAME}" + echo "::set-output name=password::${ACR_PASSWORD}" + id: get-acr-creds + + # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step + - name: Create K8s secret for pulling image from ACR + uses: Azure/k8s-create-secret@v1.1 + with: + container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io + container-registry-username: ${{ steps.get-acr-creds.outputs.username }} + container-registry-password: ${{ steps.get-acr-creds.outputs.password }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + # Deploys application based on given manifest file - name: Deploys application - - uses: Azure/k8s-deploy@v1 + uses: Azure/k8s-deploy@v3.0 with: - manifests: ${{ steps.bake.outputs.manifestsBundle }} + action: deploy + manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }} images: | - ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }} + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.PROJECT_NAME }} + ${{ env.IMAGE_PULL_SECRET_NAME }} diff --git a/deployments/properties/azure-kubernetes-service-helm.properties.json b/deployments/properties/azure-kubernetes-service-helm.properties.json new file mode 100644 index 0000000..92478b3 --- /dev/null +++ b/deployments/properties/azure-kubernetes-service-helm.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to AKS with Helm", + "description": "Deploy an application to an Azure Kubernetes Service cluster using Helm", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Helm", "Kubernetes", "Dockerfile"] +} diff --git a/deployments/properties/azure-kubernetes-service-kompose.properties.json b/deployments/properties/azure-kubernetes-service-kompose.properties.json new file mode 100644 index 0000000..de246c3 --- /dev/null +++ b/deployments/properties/azure-kubernetes-service-kompose.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to AKS with Kompose", + "description": "Deploy an application to an Azure Kubernetes Service cluster using Kompose", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Kompose", "Kubernetes", "Dockerfile"] +} diff --git a/deployments/properties/azure-kubernetes-service-kustomize.properties.json b/deployments/properties/azure-kubernetes-service-kustomize.properties.json new file mode 100644 index 0000000..bfc71cc --- /dev/null +++ b/deployments/properties/azure-kubernetes-service-kustomize.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to AKS with Kustomize", + "description": "Deploy an application to an Azure Kubernetes Service cluster using Kustomize", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Kustomize", "Kubernetes", "Dockerfile"] +} diff --git a/deployments/properties/azure-kubernetes-service.properties.json b/deployments/properties/azure-kubernetes-service.properties.json index 28f3725..45d4a69 100644 --- a/deployments/properties/azure-kubernetes-service.properties.json +++ b/deployments/properties/azure-kubernetes-service.properties.json @@ -1,7 +1,7 @@ { - "name": "Deploy to a AKS Cluster", - "description": "Deploy an application to a Azure Kubernetes Service Cluster using Azure Credentials", + "name": "Deploy to AKS", + "description": "Deploy an application to an Azure Kubernetes Service cluster", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes", "Dockerfile"] + "categories": ["Deployment", "Kubernetes", "Dockerfile"] } From 023a52c48804fd4e0a7b11ad54367e7d645d8e25 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Mon, 7 Mar 2022 09:26:30 -0800 Subject: [PATCH 232/300] remove specifying permissions Co-authored-by: Nick Fyson --- code-scanning/clj-holmes.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index 62364b3..704a01e 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml @@ -13,6 +13,8 @@ on: branches: [ $default-branch ] schedule: - cron: $cron-weekly +permissions: + contents: read jobs: clj-holmes: From 90d3b1b63b0f9cbe985a3de257df4f43dd94b1a0 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Mon, 7 Mar 2022 09:27:40 -0800 Subject: [PATCH 233/300] Update tool description Co-authored-by: Nick Fyson --- code-scanning/properties/clj-holmes.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/clj-holmes.properties.json b/code-scanning/properties/clj-holmes.properties.json index 41950bb..71f29c0 100644 --- a/code-scanning/properties/clj-holmes.properties.json +++ b/code-scanning/properties/clj-holmes.properties.json @@ -1,7 +1,7 @@ { "name": "clj-holmes", "creator": "Matheus Bernardes", - "description": "A CLI SAST (Static application security testing) tool which was built with the intent of finding vulnerable Clojure code via rules that use a simple pattern language.", + "description": "A Static Application Security Testing tool to find vulnerable Clojure code via rules that use a simple pattern language.", "iconName": "clj-holmes", "categories": [ "Code Scanning", From af777b030efdf58461a737904e9307ad3e652562 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Tue, 8 Mar 2022 14:19:19 -0800 Subject: [PATCH 234/300] update permissions setting --- code-scanning/clj-holmes.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index 704a01e..ca53f99 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml @@ -13,15 +13,12 @@ on: branches: [ $default-branch ] schedule: - cron: $cron-weekly -permissions: - contents: read jobs: clj-holmes: name: Run clj-holmes scanning runs-on: ubuntu-latest permissions: - actions: read contents: read security-events: write steps: @@ -39,4 +36,5 @@ jobs: - name: Upload analysis results to GitHub Security tab uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: ${{github.workspace}}/clj-holmes-results.sarif \ No newline at end of file + sarif_file: ${{github.workspace}}/clj-holmes-results.sarif + ait-for-processing: true \ No newline at end of file From 5665b8b5b8c5bbb0de5142879029ce57022e219c Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Wed, 9 Mar 2022 11:18:14 -0800 Subject: [PATCH 235/300] Update code-scanning/clj-holmes.yml Co-authored-by: Nick Fyson --- code-scanning/clj-holmes.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index ca53f99..4150cbb 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml @@ -14,6 +14,9 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: clj-holmes: name: Run clj-holmes scanning From f6596c95685b9d20a9cd83bf0d9df24153043b69 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 10 Mar 2022 09:41:26 +0100 Subject: [PATCH 236/300] Update sonarcloud.yml --- code-scanning/sonarcloud.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index c4ab0e4..084feca 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -4,14 +4,15 @@ # 2. Import your project on SonarCloud # * Add your GitHub organization first, then add your repository as a new project. -# * Please note that your project might be ready for Automatic Analysis, which means that it could be analysed without the need for GitHub Actions (it will be built automatically). +# * Please note that many languages are eligible for automatic analysis, which means that the analysis will start automatically without the need to set up GitHub Actions. # * This behavior can be changed in Administration > Analysis Method. # -# 3. Copy/paste the Projet Key and the Organization Key in the args parameter below -# * You'll find those info on SonarCloud. Click on "Information" at the bottom left - -# 4. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN -# * On SonarCloud, click on your avatar on top-right > My account > Security +# 3. Follow the SonarCloud's online tutorial +# * a. Copy/paste the Projet Key and the Organization Key in the args parameter below +# (You'll find those info on SonarCloud. Click on "Information" at the bottom left) +# +# * b. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN +# (On SonarCloud, click on your avatar on top-right > My account > Security) # Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) # or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) From 8fd84d60c85e501ce9d34a7c694fda9f3822daab Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 10 Mar 2022 09:42:52 +0100 Subject: [PATCH 237/300] Create sonarcloud.properties.json --- code-scanning/properties/sonarcloud.properties.json | 1 + 1 file changed, 1 insertion(+) create mode 100644 code-scanning/properties/sonarcloud.properties.json diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/code-scanning/properties/sonarcloud.properties.json @@ -0,0 +1 @@ + From 6f8fa063712f344fab4c84487b2c885fca2f61a3 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 10 Mar 2022 09:45:15 +0100 Subject: [PATCH 238/300] Update sonarcloud.properties.json --- code-scanning/properties/sonarcloud.properties.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json index 8b13789..88e2dbf 100644 --- a/code-scanning/properties/sonarcloud.properties.json +++ b/code-scanning/properties/sonarcloud.properties.json @@ -1 +1,7 @@ - +{ + "name": "SonarCloud Security Scan", + "creator": "SonarSource", + "description": "Free, out-of-the-box, security analysis provided by multiple open source static analysis tools.", + "iconName": "sonarcloud", + "categories": ["Code Scanning", "apex", "bash", "c", "coffeescript", "c++", "c#", "crystal", "dockerfile", "elixir", "go", "groovy", "java", "javascript", "jsp", "kotlin", "markdown", "php", "plsql", "powershell", "python", "ruby", "scala", "swift", "tsql", "typescript", "velocity", "vba", "xml"] +} From c944a105460e766a441f6bc07dc9f798bbb4bc1c Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 10 Mar 2022 17:15:34 +0100 Subject: [PATCH 239/300] Update sonarcloud.properties.json --- code-scanning/properties/sonarcloud.properties.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json index 88e2dbf..428d899 100644 --- a/code-scanning/properties/sonarcloud.properties.json +++ b/code-scanning/properties/sonarcloud.properties.json @@ -1,7 +1,7 @@ { - "name": "SonarCloud Security Scan", - "creator": "SonarSource", - "description": "Free, out-of-the-box, security analysis provided by multiple open source static analysis tools.", + "name": "SonarCloud", + "creator": "Sonar", + "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Free for open source projects", "iconName": "sonarcloud", - "categories": ["Code Scanning", "apex", "bash", "c", "coffeescript", "c++", "c#", "crystal", "dockerfile", "elixir", "go", "groovy", "java", "javascript", "jsp", "kotlin", "markdown", "php", "plsql", "powershell", "python", "ruby", "scala", "swift", "tsql", "typescript", "velocity", "vba", "xml"] + "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"] } From d955f56f6791a99e9264a41707cd43f1ff228d67 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 10 Mar 2022 17:17:43 +0100 Subject: [PATCH 240/300] Add files via upload --- icons/sonarcloud.svg | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 icons/sonarcloud.svg diff --git a/icons/sonarcloud.svg b/icons/sonarcloud.svg new file mode 100644 index 0000000..5f946d2 --- /dev/null +++ b/icons/sonarcloud.svg @@ -0,0 +1,20 @@ + + + + +SonarCloud icon + + + + From 46017054a3c90b341c23f8cb09c6a6bfa9046cb8 Mon Sep 17 00:00:00 2001 From: Jonathan Tamsut Date: Mon, 14 Mar 2022 07:35:28 -0700 Subject: [PATCH 241/300] Update `download-artifact` and `upload-artifact` from `v2` to `v3` (#1465) * migrate to v3 * update download-artifact --- ci/dotnet-desktop.yml | 2 +- code-scanning/msvc.yml | 2 +- code-scanning/xanitizer.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 4 ++-- deployments/azure-webapps-java-jar.yml | 4 ++-- deployments/azure-webapps-node.yml | 4 ++-- deployments/azure-webapps-php.yml | 4 ++-- deployments/azure-webapps-python.yml | 4 ++-- 8 files changed, 13 insertions(+), 13 deletions(-) diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index 0635779..06ce344 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -109,7 +109,7 @@ jobs: # Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact - name: Upload build artifacts - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: MSIX Package path: ${{ env.Wap_Project_Directory }}\AppPackages diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 83d4571..0abb409 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -59,7 +59,7 @@ jobs: # Upload SARIF file as an Artifact to download and view # - name: Upload SARIF as an Artifact - # uses: actions/upload-artifact@v2 + # uses: actions/upload-artifact@v3 # with: # name: sarif-file # path: ${{ steps.run-analysis.outputs.sarif }} diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 3bfb9ed..dc3c9ce 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -79,7 +79,7 @@ jobs: license: ${{ secrets.XANITIZER_LICENSE }} # Archiving the findings list reports - - uses: actions/upload-artifact@v2 + - uses: actions/upload-artifact@v3 with: name: Xanitizer-Reports path: | diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 7a2a84f..ed45e22 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -57,7 +57,7 @@ jobs: run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: .net-app path: ${{env.DOTNET_ROOT}}/myapp @@ -71,7 +71,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: name: .net-app diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index f386250..210fd90 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -46,7 +46,7 @@ jobs: run: mvn clean install - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: java-app path: '${{ github.workspace }}/target/*.jar' @@ -60,7 +60,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: name: java-app diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index b7cb51f..b6089d4 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -47,7 +47,7 @@ jobs: npm run test --if-present - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: node-app path: . @@ -61,7 +61,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: name: node-app diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 700f83a..a2dd57b 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -68,7 +68,7 @@ jobs: run: composer validate --no-check-publish && composer install --prefer-dist --no-progress - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: php-app path: . @@ -82,7 +82,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: name: php-app diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index cb19cda..8605e0a 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -53,7 +53,7 @@ jobs: # Optional: Add step to run tests here (PyTest, Django test suites, etc.) - name: Upload artifact for deployment jobs - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: python-app path: | @@ -69,7 +69,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: name: python-app path: . From c4cc28d92dcac4ba6ecd2d89ea90b5593363ef67 Mon Sep 17 00:00:00 2001 From: Mike Verbanic Date: Wed, 16 Mar 2022 15:00:00 -0400 Subject: [PATCH 242/300] feat: add google cloud run starter workflows (#1392) * feat: add google cloud run starter workflows * fix: pr comments * fix: pr comments * fix: properties naming * fix: docker registry path --- deployments/google-cloudrun-docker.yml | 114 ++++++++++++++++++ deployments/google-cloudrun-source.yml | 96 +++++++++++++++ .../google-cloudrun-docker.properties.json | 7 ++ .../google-cloudrun-source.properties.json | 7 ++ deployments/properties/google.properties.json | 2 +- icons/{googlegke.svg => google-cloud.svg} | 0 6 files changed, 225 insertions(+), 1 deletion(-) create mode 100644 deployments/google-cloudrun-docker.yml create mode 100644 deployments/google-cloudrun-source.yml create mode 100644 deployments/properties/google-cloudrun-docker.properties.json create mode 100644 deployments/properties/google-cloudrun-source.properties.json rename icons/{googlegke.svg => google-cloud.svg} (100%) diff --git a/deployments/google-cloudrun-docker.yml b/deployments/google-cloudrun-docker.yml new file mode 100644 index 0000000..b8d0511 --- /dev/null +++ b/deployments/google-cloudrun-docker.yml @@ -0,0 +1,114 @@ +# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Cloud Run when a commit is pushed to the $default-branch branch +# +# Overview: +# +# 1. Authenticate to Google Cloud +# 2. Authenticate Docker to Artifact Registry +# 3. Build a docker container +# 4. Publish it to Google Artifact Registry +# 5. Deploy it to Cloud Run +# +# To configure this workflow: +# +# 1. Ensure the required Google Cloud APIs are enabled: +# +# Cloud Run run.googleapis.com +# Artifact Registry artifactregistry.googleapis.com +# +# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) +# +# 3. Ensure the required IAM permissions are granted +# +# Cloud Run +# roles/run.admin +# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account) +# +# Artifact Registry +# roles/artifactregistry.admin (project or repository level) +# +# NOTE: You should always follow the principle of least privilege when assigning IAM roles +# +# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT +# +# 5. Change the values for the GAR_LOCATION, SERVICE and REGION environment variables (below). +# +# NOTE: To use Google Container Registry instead, replace ${{ env.GAR_LOCATION }}-docker.pkg.dev with gcr.io +# +# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run +# +# Further reading: +# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying +# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles +# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry +# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege + +name: Build and Deploy to Cloud Run + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id + GAR_LOCATION: YOUR_GAR_LOCATION # TODO: update Artifact Registry location + SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name + REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region + +jobs: + deploy: + # Add 'id-token' with the intended permissions for workload identity federation + permissions: + contents: 'read' + id-token: 'write' + + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Google Auth + id: auth + uses: 'google-github-actions/auth@v0' + with: + token_format: 'access_token' + workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider + service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - my-service-account@my-project.iam.gserviceaccount.com + + # NOTE: Alternative option - authentication via credentials json + # - name: Google Auth + # id: auth + # uses: 'google-github-actions/auth@v0' + # with: + # credentials_json: '${{ secrets.GCP_CREDENTIALS }}'' + + # BEGIN - Docker auth and build (NOTE: If you already have a container image, these Docker steps can be omitted) + + # Authenticate Docker to Google Cloud Artifact Registry + - name: Docker Auth + id: docker-auth + uses: 'docker/login-action@v1' + with: + username: 'oauth2accesstoken' + password: '${{ steps.auth.outputs.access_token }}' + registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev' + + - name: Build and Push Container + run: |- + docker build -t "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" ./ + docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" + + # END - Docker auth and build + + - name: Deploy to Cloud Run + id: deploy + uses: google-github-actions/deploy-cloudrun@v0 + with: + service: ${{ env.SERVICE }} + region: ${{ env.REGION }} + # NOTE: If using a pre-built image, update the image name here + image: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }} + + # If required, use the Cloud Run url output in later steps + - name: Show Output + run: echo ${{ steps.deploy.outputs.url }} diff --git a/deployments/google-cloudrun-source.yml b/deployments/google-cloudrun-source.yml new file mode 100644 index 0000000..2916b45 --- /dev/null +++ b/deployments/google-cloudrun-source.yml @@ -0,0 +1,96 @@ +# This workflow will deploy source code on Cloud Run when a commit is pushed to the $default-branch branch +# +# Overview: +# +# 1. Authenticate to Google Cloud +# 2. Deploy it to Cloud Run +# +# To configure this workflow: +# +# 1. Ensure the required Google Cloud APIs are enabled: +# +# Cloud Run run.googleapis.com +# Cloud Build cloudbuild.googleapis.com +# Artifact Registry artifactregistry.googleapis.com +# +# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) +# +# 3. Ensure the required IAM permissions are granted +# +# Cloud Run +# roles/run.admin +# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account) +# +# Cloud Build +# roles/cloudbuild.builds.editor +# +# Cloud Storage +# roles/storage.objectAdmin +# +# Artifact Registry +# roles/artifactregistry.admin (project or repository level) +# +# NOTE: You should always follow the principle of least privilege when assigning IAM roles +# +# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT +# +# 5. Change the values for the SERVICE and REGION environment variables (below). +# +# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run +# +# Further reading: +# Cloud Run runtime service account - https://cloud.google.com/run/docs/securing/service-identity +# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying-source-code#permissions_required_to_deploy +# Cloud Run builds from source - https://cloud.google.com/run/docs/deploying-source-code +# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege + +name: Deploy to Cloud Run from Source + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id + SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name + REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region + +jobs: + deploy: + # Add 'id-token' with the intended permissions for workload identity federation + permissions: + contents: 'read' + id-token: 'write' + + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Google Auth + id: auth + uses: 'google-github-actions/auth@v0' + with: + workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider + service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - my-service-account@my-project.iam.gserviceaccount.com + + # NOTE: Alternative option - authentication via credentials json + # - name: Google Auth + # id: auth + # uses: 'google-github-actions/auth@v0' + # with: + # credentials_json: '${{ secrets.GCP_CREDENTIALS }}' + + - name: Deploy to Cloud Run + id: deploy + uses: google-github-actions/deploy-cloudrun@v0 + with: + service: ${{ env.SERVICE }} + region: ${{ env.REGION }} + # NOTE: If required, update to the appropriate source folder + source: ./ + + # If required, use the Cloud Run url output in later steps + - name: Show Output + run: echo ${{ steps.deploy.outputs.url }} diff --git a/deployments/properties/google-cloudrun-docker.properties.json b/deployments/properties/google-cloudrun-docker.properties.json new file mode 100644 index 0000000..b1a2b2b --- /dev/null +++ b/deployments/properties/google-cloudrun-docker.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Build and Deploy to Cloud Run", + "description": "Build a Docker container, publish it to Google Artifact Registry, and deploy to Google Cloud Run.", + "creator": "Google Cloud", + "iconName": "google-cloud", + "categories": ["Deployment", "Containers", "Dockerfile", "Cloud Run", "Serverless"] +} diff --git a/deployments/properties/google-cloudrun-source.properties.json b/deployments/properties/google-cloudrun-source.properties.json new file mode 100644 index 0000000..2735d80 --- /dev/null +++ b/deployments/properties/google-cloudrun-source.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to Cloud Run from Source", + "description": "Deploy to Google Cloud Run directly from source.", + "creator": "Google Cloud", + "iconName": "google-cloud", + "categories": ["Deployment", "Containers", "Cloud Run", "Serverless", "Buildpacks"] +} diff --git a/deployments/properties/google.properties.json b/deployments/properties/google.properties.json index f1bd883..e226385 100644 --- a/deployments/properties/google.properties.json +++ b/deployments/properties/google.properties.json @@ -2,6 +2,6 @@ "name": "Build and Deploy to GKE", "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", "creator": "Google Cloud", - "iconName": "googlegke", + "iconName": "google-cloud", "categories": ["Deployment", "Dockerfile", "Kubernetes", "Kustomize"] } \ No newline at end of file diff --git a/icons/googlegke.svg b/icons/google-cloud.svg similarity index 100% rename from icons/googlegke.svg rename to icons/google-cloud.svg From 3b2d5d9c43c2889e9aaed43da59a7332ee5e51b7 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 17 Mar 2022 18:07:03 +0100 Subject: [PATCH 243/300] Added small fixes --- code-scanning/sonarcloud.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 084feca..d627b96 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -13,6 +13,7 @@ # # * b. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN # (On SonarCloud, click on your avatar on top-right > My account > Security) +# (or go directly to https://sonarcloud.io/account/security/) # Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) # or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) @@ -44,13 +45,13 @@ jobs: args: # Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu) -Dsonar.projectKey= # mandatory - # Unique organisation key of your project. You can find it in SonarCloud > Information (bottom-left menu) + # Unique organization key of your project. You can find it in SonarCloud > Information (bottom-left menu) -Dsonar.organization= # mandatory # Comma-separated paths to directories containing main source files. - -Dsonar.sources= # optional, default is project base directory + #-Dsonar.sources= # optional, default is project base directory # When you need the analysis to take place in a directory other than the one from which it was launched - -Dsonar.projectBaseDir= # optional, default is . + #-Dsonar.projectBaseDir= # optional, default is . # Comma-separated paths to directories containing test source files. - -Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ - # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. - -Dsonar.verbose= # optional, default is false + #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ + # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. + #-Dsonar.verbose= # optional, default is false From 75a7f2983bbe23e5ab84449c61053dfc20206b74 Mon Sep 17 00:00:00 2001 From: Peeter Piegaze <61758048+peeter-piegaze-sonarsource@users.noreply.github.com> Date: Fri, 18 Mar 2022 11:13:00 +0100 Subject: [PATCH 244/300] Update sonarcloud.yml Fix phrasing/word-choice --- code-scanning/sonarcloud.yml | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index d627b96..69eac6a 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -1,19 +1,21 @@ -# This workflow helps you trigger a SonarCloud analysis of your code and populates GitHub Code Scanning alerts with the vulnerabilities found. +# This workflow helps you trigger a SonarCloud analysis of your code and populates +# GitHub Code Scanning alerts with the vulnerabilities found. # 1. Login to SonarCloud.io using your GitHub account # 2. Import your project on SonarCloud # * Add your GitHub organization first, then add your repository as a new project. -# * Please note that many languages are eligible for automatic analysis, which means that the analysis will start automatically without the need to set up GitHub Actions. +# * Please note that many languages are eligible for automatic analysis, +# which means that the analysis will start automatically without the need to set up GitHub Actions. # * This behavior can be changed in Administration > Analysis Method. # -# 3. Follow the SonarCloud's online tutorial -# * a. Copy/paste the Projet Key and the Organization Key in the args parameter below -# (You'll find those info on SonarCloud. Click on "Information" at the bottom left) +# 3. Follow the SonarCloud in-product tutorial +# * a. Copy/paste the Project Key and the Organization Key into the args parameter below +# (You'll find this information in SonarCloud. Click on "Information" at the bottom left) # -# * b. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN -# (On SonarCloud, click on your avatar on top-right > My account > Security) -# (or go directly to https://sonarcloud.io/account/security/) +# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN +# (On SonarCloud, click on your avatar on top-right > My account > Security +# or go directly to https://sonarcloud.io/account/security/) # Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) # or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) @@ -34,14 +36,14 @@ jobs: steps: - name: Analyze with SonarCloud - # You may pin to the exact commit or the version. + # You can pin the exact commit or the version. # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 uses: SonarSource/sonarcloud-github-action@v1.6 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) with: - # Additional arguments to the sonarcloud scanner + # Additional arguments for the sonarcloud scanner args: # Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu) -Dsonar.projectKey= # mandatory From 4740e068c130da4a35f6c535f07f6154ea4a4f43 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 15:46:17 +0530 Subject: [PATCH 245/300] Update codescan.yml --- code-scanning/codescan.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index 5886843..74a7156 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -17,8 +17,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: CodeScan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - name: Checkout repository From 3a1a8562bf027aa2426256a7c187344e6a48f3ab Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 15:49:21 +0530 Subject: [PATCH 246/300] Update snyk-container.yml --- code-scanning/snyk-container.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index 8ff2c9a..2373377 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml @@ -22,8 +22,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 From 18952126dca8c9b124ee6e15eed336f4a2f5e656 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 15:54:27 +0530 Subject: [PATCH 247/300] Update ossar.yml --- code-scanning/ossar.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index b5aefa4..f09b611 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -17,10 +17,16 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: OSSAR-Scan: # OSSAR runs on windows-latest. # ubuntu-latest and macos-latest support coming soon + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: windows-latest steps: From 962b63852bcaf3eb7e38772047448700ada94d5f Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 15:56:24 +0530 Subject: [PATCH 248/300] Update alibabacloud.yml --- deployments/alibabacloud.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index ded9178..c783305 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -40,6 +40,9 @@ env: ACR_EE_IMAGE: repo ACR_EE_TAG: ${{ github.sha }} +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest From a1fe90c10dbf737fb1787b358028b5e33641dcc0 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 16:00:04 +0530 Subject: [PATCH 249/300] Update tencent.yml --- deployments/tencent.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/tencent.yml b/deployments/tencent.yml index 83bde94..165981a 100644 --- a/deployments/tencent.yml +++ b/deployments/tencent.yml @@ -27,6 +27,9 @@ env: TKE_CLUSTER_ID: cls-mywebapp DEPLOYMENT_NAME: tke-test +permissions: + contents: read + jobs: setup-build-publish-deploy: name: Setup, Build, Publish, and Deploy From ceada66602af669fcb1fee31ae307f1e47c85a2f Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 16:32:12 +0530 Subject: [PATCH 250/300] Update haskell.yml --- ci/haskell.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/haskell.yml b/ci/haskell.yml index c1d7dc7..20dbb4c 100644 --- a/ci/haskell.yml +++ b/ci/haskell.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: From 02fa52f6c02fc3004eb878379efba7e1b6d071b7 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 16:34:10 +0530 Subject: [PATCH 251/300] Update symfony.yml --- ci/symfony.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/symfony.yml b/ci/symfony.yml index 7d1ca74..ab80492 100644 --- a/ci/symfony.yml +++ b/ci/symfony.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: symfony-tests: runs-on: ubuntu-latest From c5f542db49696973e6dbe4fc4d83305434656a96 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 16:35:53 +0530 Subject: [PATCH 252/300] Update php.yml --- ci/php.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/php.yml b/ci/php.yml index 6acfdd1..4937d3e 100644 --- a/ci/php.yml +++ b/ci/php.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: From 9ab1bbfdcc4ce2235ab206d529853732f82c40d2 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Mon, 21 Mar 2022 10:08:04 +0100 Subject: [PATCH 253/300] Added Github disclaimer --- code-scanning/sonarcloud.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 69eac6a..d0cc73b 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -1,3 +1,8 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + # This workflow helps you trigger a SonarCloud analysis of your code and populates # GitHub Code Scanning alerts with the vulnerabilities found. From f2990d6b8371d3c22b0f47639e92f844b1af0ccf Mon Sep 17 00:00:00 2001 From: Daz DeBoer Date: Wed, 23 Mar 2022 09:54:13 -0600 Subject: [PATCH 254/300] Update to v2.1.4 of gradle-build-action (#1489) * Update to new version of gradle-build-action * Update to new version of gradle-build-action --- ci/gradle-publish.yml | 4 ++-- ci/gradle.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 9fdc851..35f2d9c 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -30,14 +30,14 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Build with Gradle - uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 + uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee with: arguments: build # The USERNAME and TOKEN need to correspond to the credentials environment variables used in # the publishing section of your build.gradle - name: Publish to GitHub Packages - uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 + uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee with: arguments: publish env: diff --git a/ci/gradle.yml b/ci/gradle.yml index fc8cf2f..7e4ece5 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -26,6 +26,6 @@ jobs: java-version: '11' distribution: 'temurin' - name: Build with Gradle - uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 + uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee with: arguments: build From e59567a947c1c63e8d7fcfb494c87e8e199ee44a Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 25 Mar 2022 16:03:59 +0530 Subject: [PATCH 255/300] Bringing back Datadog Synthetics workflow (#1503) * Revert "Revert "Add Datadog Synthetics GitHub action to starter workflows (#1342)" (#1385)" This reverts commit de41169eb0a60341cf326c9b790a79a99e147793. * Add creator --- ci/datadog-synthetics.yml | 38 +++++++++++++++++++ .../datadog-synthetics.properties.json | 7 ++++ icons/datadog.svg | 4 ++ 3 files changed, 49 insertions(+) create mode 100644 ci/datadog-synthetics.yml create mode 100644 ci/properties/datadog-synthetics.properties.json create mode 100644 icons/datadog.svg diff --git a/ci/datadog-synthetics.yml b/ci/datadog-synthetics.yml new file mode 100644 index 0000000..7056f87 --- /dev/null +++ b/ci/datadog-synthetics.yml @@ -0,0 +1,38 @@ +# This workflow will trigger Datadog Synthetic tests within your Datadog organisation +# For more information on running Synthetic tests within your GitHub workflows see: https://docs.datadoghq.com/synthetics/cicd_integrations/github_actions/ + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# To get started: + +# 1. Add your Datadog API (DD_API_KEY) and Application Key (DD_APP_KEY) as secrets to your GitHub repository. For more information, see: https://docs.datadoghq.com/account_management/api-app-keys/. +# 2. Start using the action within your workflow + +name: Run Datadog Synthetic tests + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + # Run Synthetic tests within your GitHub workflow. + # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci + - name: Run Datadog Synthetic tests + uses: DataDog/synthetics-ci-github-action@2b56dc0cca9daa14ab69c0d1d6844296de8f941e + with: + api_key: ${{secrets.DD_API_KEY}} + app_key: ${{secrets.DD_APP_KEY}} + test_search_query: 'tag:e2e-tests' #Modify this tag to suit your tagging strategy + + diff --git a/ci/properties/datadog-synthetics.properties.json b/ci/properties/datadog-synthetics.properties.json new file mode 100644 index 0000000..edbb086 --- /dev/null +++ b/ci/properties/datadog-synthetics.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Datadog Synthetics", + "description": "Run Datadog Synthetic tests within your GitHub Actions workflow", + "creator": "Datadog", + "iconName": "datadog", + "categories": ["Continuous integration", "JavaScript", "TypeScript", "Testing"] +} diff --git a/icons/datadog.svg b/icons/datadog.svg new file mode 100644 index 0000000..91cb3b6 --- /dev/null +++ b/icons/datadog.svg @@ -0,0 +1,4 @@ + + + + From 3be3c5deec708a2becaca71ec12dce81ae3d6080 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Mon, 28 Mar 2022 09:47:44 +0530 Subject: [PATCH 256/300] Update cache action to v3 (#1507) --- ci/elixir.yml | 2 +- ci/haskell.yml | 2 +- ci/php.yml | 2 +- ci/symfony.yml | 2 +- code-scanning/codescan.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 2 +- deployments/azure-webapps-php.yml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ci/elixir.yml b/ci/elixir.yml index afe01be..525d175 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -20,7 +20,7 @@ jobs: elixir-version: '1.12.3' # Define the elixir version [required] otp-version: '24.1' # Define the OTP version [required] - name: Restore dependencies cache - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: deps key: ${{ runner.os }}-mix-${{ hashFiles('**/mix.lock') }} diff --git a/ci/haskell.yml b/ci/haskell.yml index c1d7dc7..b9b1d4e 100644 --- a/ci/haskell.yml +++ b/ci/haskell.yml @@ -19,7 +19,7 @@ jobs: cabal-version: '3.2' - name: Cache - uses: actions/cache@v1 + uses: actions/cache@v3 env: cache-name: cache-cabal with: diff --git a/ci/php.yml b/ci/php.yml index 6acfdd1..4a1d36b 100644 --- a/ci/php.yml +++ b/ci/php.yml @@ -19,7 +19,7 @@ jobs: - name: Cache Composer packages id: composer-cache - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: vendor key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }} diff --git a/ci/symfony.yml b/ci/symfony.yml index 7d1ca74..ba3d49c 100644 --- a/ci/symfony.yml +++ b/ci/symfony.yml @@ -21,7 +21,7 @@ jobs: run: php -r "file_exists('.env.test.local') || copy('.env.test', '.env.test.local');" - name: Cache Composer packages id: composer-cache - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: vendor key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }} diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index 5886843..ff376a9 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -24,7 +24,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v2 - name: Cache files - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: | ~/.sonar diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index ed45e22..d4690a5 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -43,7 +43,7 @@ jobs: dotnet-version: ${{ env.DOTNET_VERSION }} - name: Set up dependency caching for faster builds - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: ~/.nuget/packages key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }} diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index a2dd57b..f971d1c 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -55,7 +55,7 @@ jobs: echo "::set-output name=dir::$(composer config cache-files-dir)" - name: Set up dependency caching for faster installs - uses: actions/cache@v2 + uses: actions/cache@v3 if: steps.check_files.outputs.files_exists == 'true' with: path: ${{ steps.composer-cache.outputs.dir }} From 69cce6ad3afa0ae834dd79e191f20b0104b1dde8 Mon Sep 17 00:00:00 2001 From: Hiroyuki Onaka Date: Mon, 28 Mar 2022 19:39:18 +0900 Subject: [PATCH 257/300] Add env variable to set the Java distribution to use --- deployments/azure-webapps-java-jar.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 210fd90..c211a0f 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -22,6 +22,7 @@ name: Build and deploy JAR app to Azure Web App env: AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App JAVA_VERSION: '11' # set this to the Java version to use + DISTRIBUTION: zulu # set this to the Java distribution on: push: @@ -40,6 +41,7 @@ jobs: uses: actions/setup-java@v2.3.1 with: java-version: ${{ env.JAVA_VERSION }} + distribution: ${{ env.DISTRIBUTION }} cache: 'maven' - name: Build with Maven From 1d9d6d7fb0a8a27ef98efbbfa9689cd14c906383 Mon Sep 17 00:00:00 2001 From: Thomas Boop <52323235+thboop@users.noreply.github.com> Date: Mon, 28 Mar 2022 13:10:48 -0400 Subject: [PATCH 258/300] Update Actions to node16 (#1469) * update actions * address merge conflicts * fix java updates * update github script * update cache to v3 Co-authored-by: Bishal Prasad --- .github/workflows/labeler-triage.yml | 2 +- .github/workflows/stale.yml | 2 +- .github/workflows/sync_ghes.yaml | 4 +- .github/workflows/validate-data.yaml | 4 +- automation/label.yml | 2 +- automation/stale.yml | 2 +- ci/ada.yml | 2 +- ci/android.yml | 4 +- ci/ant.yml | 4 +- ci/blank.yml | 2 +- ci/c-cpp.yml | 2 +- ci/clojure.yml | 2 +- ci/cmake.yml | 2 +- ci/crystal.yml | 2 +- ci/d.yml | 2 +- ci/dart.yml | 2 +- ci/deno.yml | 2 +- ci/django.yml | 4 +- ci/docker-image.yml | 2 +- ci/docker-publish.yml | 2 +- ci/dotnet-desktop.yml | 4 +- ci/dotnet.yml | 4 +- ci/elixir.yml | 62 +++++++++---------- ci/erlang.yml | 2 +- ci/gem-push.yml | 2 +- ci/go.yml | 4 +- ci/gradle-publish.yml | 4 +- ci/gradle.yml | 4 +- ci/haskell.yml | 2 +- ci/ios.yml | 2 +- ci/jekyll.yml | 2 +- ci/laravel.yml | 2 +- ci/makefile.yml | 2 +- ci/maven-publish.yml | 4 +- ci/maven.yml | 4 +- ci/msbuild.yml | 2 +- ci/node.js.yml | 4 +- ci/npm-grunt.yml | 4 +- ci/npm-gulp.yml | 4 +- ci/npm-publish-github-packages.yml | 8 +-- ci/npm-publish.yml | 8 +-- ci/objective-c-xcode.yml | 2 +- ci/php.yml | 2 +- ci/pylint.yml | 4 +- ci/python-app.yml | 4 +- ci/python-package-conda.yml | 4 +- ci/python-package.yml | 4 +- ci/python-publish.yml | 4 +- ci/r.yml | 2 +- ci/ruby.yml | 2 +- ci/rubyonrails.yml | 4 +- ci/rust.yml | 2 +- ci/scala.yml | 4 +- ci/super-linter.yml | 2 +- ci/swift.yml | 2 +- ci/symfony.yml | 2 +- ci/webpack.yml | 4 +- code-scanning/anchore.yml | 2 +- code-scanning/brakeman.yml | 2 +- code-scanning/checkmarx.yml | 2 +- code-scanning/cloudrail.yml | 2 +- code-scanning/codacy.yml | 2 +- code-scanning/codeql.yml | 2 +- code-scanning/codescan.yml | 2 +- code-scanning/crunch42.yml | 2 +- code-scanning/detekt.yml | 2 +- code-scanning/devskim.yml | 2 +- code-scanning/flawfinder.yml | 2 +- code-scanning/fortify.yml | 7 ++- code-scanning/kubesec.yml | 2 +- code-scanning/mayhem-for-api.yml | 2 +- code-scanning/mobsf.yml | 4 +- code-scanning/msvc.yml | 2 +- code-scanning/njsscan.yml | 2 +- code-scanning/nowsecure.yml | 2 +- code-scanning/ossar.yml | 4 +- code-scanning/pmd.yml | 4 +- code-scanning/powershell.yml | 2 +- code-scanning/prisma.yml | 2 +- code-scanning/rubocop.yml | 2 +- code-scanning/scorecards.yml | 4 +- code-scanning/securitycodescan.yml | 2 +- code-scanning/semgrep.yml | 2 +- code-scanning/shiftleft.yml | 2 +- code-scanning/snyk-container.yml | 2 +- code-scanning/snyk-infrastructure.yml | 2 +- code-scanning/stackhawk.yml | 2 +- code-scanning/synopsys-io.yml | 2 +- code-scanning/sysdig-scan.yml | 2 +- code-scanning/tfsec.yml | 2 +- code-scanning/trivy.yml | 2 +- code-scanning/veracode.yml | 7 ++- code-scanning/xanitizer.yml | 5 +- deployments/alibabacloud.yml | 4 +- deployments/aws.yml | 2 +- deployments/azure-container-webapp.yml | 2 +- deployments/azure-kubernetes-service-helm.yml | 2 +- .../azure-kubernetes-service-kompose.yml | 2 +- .../azure-kubernetes-service-kustomize.yml | 2 +- deployments/azure-kubernetes-service.yml | 2 +- deployments/azure-staticwebapp.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 4 +- deployments/azure-webapps-java-jar.yml | 4 +- deployments/azure-webapps-node.yml | 4 +- deployments/azure-webapps-php.yml | 2 +- deployments/azure-webapps-python.yml | 4 +- deployments/google.yml | 2 +- deployments/ibm.yml | 2 +- deployments/openshift.yml | 4 +- deployments/tencent.yml | 2 +- deployments/terraform.yml | 2 +- 111 files changed, 188 insertions(+), 185 deletions(-) diff --git a/.github/workflows/labeler-triage.yml b/.github/workflows/labeler-triage.yml index eba05f0..99fdbc5 100644 --- a/.github/workflows/labeler-triage.yml +++ b/.github/workflows/labeler-triage.yml @@ -11,6 +11,6 @@ jobs: triage: runs-on: ubuntu-latest steps: - - uses: actions/labeler@v3 + - uses: actions/labeler@v4 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" \ No newline at end of file diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 217078a..c319ce1 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/stale@v3 + - uses: actions/stale@v5 with: stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.' stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.' diff --git a/.github/workflows/sync_ghes.yaml b/.github/workflows/sync_ghes.yaml index 946218f..fb9c623 100644 --- a/.github/workflows/sync_ghes.yaml +++ b/.github/workflows/sync_ghes.yaml @@ -11,12 +11,12 @@ jobs: contents: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - run: | git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/* git config user.email "cschleiden@github.com" git config user.name "GitHub Actions" - - uses: actions/setup-node@v2 + - uses: actions/setup-node@v3 with: node-version: '12' - name: Check starter workflows for GHES compat diff --git a/.github/workflows/validate-data.yaml b/.github/workflows/validate-data.yaml index 7d5c1ee..d2ac9a5 100644 --- a/.github/workflows/validate-data.yaml +++ b/.github/workflows/validate-data.yaml @@ -10,9 +10,9 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - - uses: actions/setup-node@v2 + - uses: actions/setup-node@v3 with: node-version: "12" diff --git a/automation/label.yml b/automation/label.yml index 5cdc45e..a8a1bd7 100644 --- a/automation/label.yml +++ b/automation/label.yml @@ -17,6 +17,6 @@ jobs: pull-requests: write steps: - - uses: actions/labeler@v2 + - uses: actions/labeler@v4 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/automation/stale.yml b/automation/stale.yml index ff88dc0..1322eaf 100644 --- a/automation/stale.yml +++ b/automation/stale.yml @@ -18,7 +18,7 @@ jobs: pull-requests: write steps: - - uses: actions/stale@v3 + - uses: actions/stale@v5 with: repo-token: ${{ secrets.GITHUB_TOKEN }} stale-issue-message: 'Stale issue message' diff --git a/ci/ada.yml b/ci/ada.yml index a27902a..7e94b38 100644 --- a/ci/ada.yml +++ b/ci/ada.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Set up GNAT toolchain run: > diff --git a/ci/android.yml b/ci/android.yml index f289bd5..221fca5 100644 --- a/ci/android.yml +++ b/ci/android.yml @@ -12,9 +12,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/ci/ant.yml b/ci/ant.yml index 0205d40..1614664 100644 --- a/ci/ant.yml +++ b/ci/ant.yml @@ -15,9 +15,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/ci/blank.yml b/ci/blank.yml index 895e5d1..607e2cf 100644 --- a/ci/blank.yml +++ b/ci/blank.yml @@ -23,7 +23,7 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Runs a single command using the runners shell - name: Run a one-line script diff --git a/ci/c-cpp.yml b/ci/c-cpp.yml index 88d1497..14d2eb9 100644 --- a/ci/c-cpp.yml +++ b/ci/c-cpp.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: configure run: ./configure - name: make diff --git a/ci/clojure.yml b/ci/clojure.yml index 098918a..a76631a 100644 --- a/ci/clojure.yml +++ b/ci/clojure.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install dependencies run: lein deps - name: Run tests diff --git a/ci/cmake.yml b/ci/cmake.yml index 6c858b9..6f06f75 100644 --- a/ci/cmake.yml +++ b/ci/cmake.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Configure CMake # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make. diff --git a/ci/crystal.yml b/ci/crystal.yml index 6552afa..18cc825 100644 --- a/ci/crystal.yml +++ b/ci/crystal.yml @@ -15,7 +15,7 @@ jobs: image: crystallang/crystal steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install dependencies run: shards install - name: Run tests diff --git a/ci/d.yml b/ci/d.yml index 6086681..878716a 100644 --- a/ci/d.yml +++ b/ci/d.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: dlang-community/setup-dlang@4c99aa991ce7d19dd3064de0a4f2f6b2f152e2d7 - name: 'Build & Test' diff --git a/ci/dart.yml b/ci/dart.yml index 7486577..7bf352f 100644 --- a/ci/dart.yml +++ b/ci/dart.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Note: This workflow uses the latest stable version of the Dart SDK. # You can specify other versions if desired, see documentation here: diff --git a/ci/deno.yml b/ci/deno.yml index 25e9e2a..24d3d9b 100644 --- a/ci/deno.yml +++ b/ci/deno.yml @@ -20,7 +20,7 @@ jobs: steps: - name: Setup repo - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Setup Deno # uses: denoland/setup-deno@v1 diff --git a/ci/django.yml b/ci/django.yml index dbde266..79550cc 100644 --- a/ci/django.yml +++ b/ci/django.yml @@ -16,9 +16,9 @@ jobs: python-version: [3.7, 3.8, 3.9] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: ${{ matrix.python-version }} - name: Install Dependencies diff --git a/ci/docker-image.yml b/ci/docker-image.yml index 78532a3..cc9cd6e 100644 --- a/ci/docker-image.yml +++ b/ci/docker-image.yml @@ -13,6 +13,6 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Build the Docker image run: docker build . --file Dockerfile --tag my-image-name:$(date +%s) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 977635a..7b6add3 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -35,7 +35,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index 06ce344..170b3f6 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -63,13 +63,13 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: fetch-depth: 0 # Install the .NET Core workload - name: Install .NET Core - uses: actions/setup-dotnet@v1 + uses: actions/setup-dotnet@v2 with: dotnet-version: 5.0.x diff --git a/ci/dotnet.yml b/ci/dotnet.yml index c31cf68..5974d4a 100644 --- a/ci/dotnet.yml +++ b/ci/dotnet.yml @@ -12,9 +12,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Setup .NET - uses: actions/setup-dotnet@v1 + uses: actions/setup-dotnet@v2 with: dotnet-version: 5.0.x - name: Restore dependencies diff --git a/ci/elixir.yml b/ci/elixir.yml index 525d175..5b5aabb 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -1,31 +1,31 @@ -name: Elixir CI - -on: - push: - branches: [ $default-branch ] - pull_request: - branches: [ $default-branch ] - -jobs: - build: - - name: Build and test - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - name: Set up Elixir - uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f - with: - elixir-version: '1.12.3' # Define the elixir version [required] - otp-version: '24.1' # Define the OTP version [required] - - name: Restore dependencies cache - uses: actions/cache@v3 - with: - path: deps - key: ${{ runner.os }}-mix-${{ hashFiles('**/mix.lock') }} - restore-keys: ${{ runner.os }}-mix- - - name: Install dependencies - run: mix deps.get - - name: Run tests - run: mix test +name: Elixir CI + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + +jobs: + build: + + name: Build and test + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + - name: Set up Elixir + uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f + with: + elixir-version: '1.12.3' # Define the elixir version [required] + otp-version: '24.1' # Define the OTP version [required] + - name: Restore dependencies cache + uses: actions/cache@v3 + with: + path: deps + key: ${{ runner.os }}-mix-${{ hashFiles('**/mix.lock') }} + restore-keys: ${{ runner.os }}-mix- + - name: Install dependencies + run: mix deps.get + - name: Run tests + run: mix test diff --git a/ci/erlang.yml b/ci/erlang.yml index 25cb893..20e269f 100644 --- a/ci/erlang.yml +++ b/ci/erlang.yml @@ -16,7 +16,7 @@ jobs: image: erlang:22.0.7 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Compile run: rebar3 compile - name: Run tests diff --git a/ci/gem-push.yml b/ci/gem-push.yml index 3dc62be..8905272 100644 --- a/ci/gem-push.yml +++ b/ci/gem-push.yml @@ -15,7 +15,7 @@ jobs: packages: write steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Ruby 2.6 uses: actions/setup-ruby@v1 with: diff --git a/ci/go.yml b/ci/go.yml index afff652..6f498a6 100644 --- a/ci/go.yml +++ b/ci/go.yml @@ -11,10 +11,10 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Go - uses: actions/setup-go@v2 + uses: actions/setup-go@v3 with: go-version: 1.17 diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 35f2d9c..9aeb2b8 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -20,9 +20,9 @@ jobs: packages: write steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/ci/gradle.yml b/ci/gradle.yml index 7e4ece5..8e0d1e4 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -19,9 +19,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/ci/haskell.yml b/ci/haskell.yml index b9b1d4e..827d177 100644 --- a/ci/haskell.yml +++ b/ci/haskell.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: actions/setup-haskell@v1 with: ghc-version: '8.10.3' diff --git a/ci/ios.yml b/ci/ios.yml index ab92d32..5cec5e7 100644 --- a/ci/ios.yml +++ b/ci/ios.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Set Default Scheme run: | scheme_list=$(xcodebuild -list -json | tr -d "\n") diff --git a/ci/jekyll.yml b/ci/jekyll.yml index 71920c1..6a98dea 100644 --- a/ci/jekyll.yml +++ b/ci/jekyll.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Build the site in the jekyll/builder container run: | docker run \ diff --git a/ci/laravel.yml b/ci/laravel.yml index 5f4e6c9..e778d7b 100644 --- a/ci/laravel.yml +++ b/ci/laravel.yml @@ -15,7 +15,7 @@ jobs: - uses: shivammathur/setup-php@15c43e89cdef867065b0213be354c2841860869e with: php-version: '8.0' - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Copy .env run: php -r "file_exists('.env') || copy('.env.example', '.env');" - name: Install Dependencies diff --git a/ci/makefile.yml b/ci/makefile.yml index eafe622..0156944 100644 --- a/ci/makefile.yml +++ b/ci/makefile.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: configure run: ./configure diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml index 319f9a1..dab69fe 100644 --- a/ci/maven-publish.yml +++ b/ci/maven-publish.yml @@ -16,9 +16,9 @@ jobs: packages: write steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/ci/maven.yml b/ci/maven.yml index f301fe0..65e0dff 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -15,9 +15,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/ci/msbuild.yml b/ci/msbuild.yml index e650e2a..3cd8f01 100644 --- a/ci/msbuild.yml +++ b/ci/msbuild.yml @@ -20,7 +20,7 @@ jobs: runs-on: windows-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Add MSBuild to PATH uses: microsoft/setup-msbuild@v1.0.2 diff --git a/ci/node.js.yml b/ci/node.js.yml index 8d1b9c7..87ef0d8 100644 --- a/ci/node.js.yml +++ b/ci/node.js.yml @@ -20,9 +20,9 @@ jobs: # See supported Node.js release schedule at https://nodejs.org/en/about/releases/ steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v2 + uses: actions/setup-node@v3 with: node-version: ${{ matrix.node-version }} cache: 'npm' diff --git a/ci/npm-grunt.yml b/ci/npm-grunt.yml index 8c83cb6..eda97e1 100644 --- a/ci/npm-grunt.yml +++ b/ci/npm-grunt.yml @@ -15,10 +15,10 @@ jobs: node-version: [12.x, 14.x, 16.x] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v1 + uses: actions/setup-node@v3 with: node-version: ${{ matrix.node-version }} diff --git a/ci/npm-gulp.yml b/ci/npm-gulp.yml index cc5da13..504f22e 100644 --- a/ci/npm-gulp.yml +++ b/ci/npm-gulp.yml @@ -15,10 +15,10 @@ jobs: node-version: [12.x, 14.x, 16.x] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v1 + uses: actions/setup-node@v3 with: node-version: ${{ matrix.node-version }} diff --git a/ci/npm-publish-github-packages.yml b/ci/npm-publish-github-packages.yml index 09ff0b3..638ccf8 100644 --- a/ci/npm-publish-github-packages.yml +++ b/ci/npm-publish-github-packages.yml @@ -11,8 +11,8 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 with: node-version: 16 - run: npm ci @@ -25,8 +25,8 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 with: node-version: 16 registry-url: $registry-url(npm) diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index ef8c690..c461c85 100644 --- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml @@ -11,8 +11,8 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 with: node-version: 16 - run: npm ci @@ -22,8 +22,8 @@ jobs: needs: build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 with: node-version: 16 registry-url: https://registry.npmjs.org/ diff --git a/ci/objective-c-xcode.yml b/ci/objective-c-xcode.yml index db009b0..1373878 100644 --- a/ci/objective-c-xcode.yml +++ b/ci/objective-c-xcode.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Set Default Scheme run: | scheme_list=$(xcodebuild -list -json | tr -d "\n") diff --git a/ci/php.yml b/ci/php.yml index 4a1d36b..ba84657 100644 --- a/ci/php.yml +++ b/ci/php.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Validate composer.json and composer.lock run: composer validate --strict diff --git a/ci/pylint.yml b/ci/pylint.yml index 7b555fe..383e65c 100644 --- a/ci/pylint.yml +++ b/ci/pylint.yml @@ -9,9 +9,9 @@ jobs: matrix: python-version: ["3.8", "3.9", "3.10"] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: ${{ matrix.python-version }} - name: Install dependencies diff --git a/ci/python-app.yml b/ci/python-app.yml index 2cfc2a3..89823c1 100644 --- a/ci/python-app.yml +++ b/ci/python-app.yml @@ -15,9 +15,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python 3.10 - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: "3.10" - name: Install dependencies diff --git a/ci/python-package-conda.yml b/ci/python-package-conda.yml index 9bd6d2b..57940bd 100644 --- a/ci/python-package-conda.yml +++ b/ci/python-package-conda.yml @@ -9,9 +9,9 @@ jobs: max-parallel: 5 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python 3.10 - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: 3.10 - name: Add conda to system path diff --git a/ci/python-package.yml b/ci/python-package.yml index b0a63cf..583a366 100644 --- a/ci/python-package.yml +++ b/ci/python-package.yml @@ -19,9 +19,9 @@ jobs: python-version: ["3.8", "3.9", "3.10"] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: ${{ matrix.python-version }} - name: Install dependencies diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 3bfabfc..f55528c 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -18,9 +18,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: '3.x' - name: Install dependencies diff --git a/ci/r.yml b/ci/r.yml index 305c2cf..afb870e 100644 --- a/ci/r.yml +++ b/ci/r.yml @@ -22,7 +22,7 @@ jobs: r-version: ['3.6.3', '4.1.1'] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up R ${{ matrix.r-version }} uses: r-lib/actions/setup-r@f57f1301a053485946083d7a45022b278929a78a with: diff --git a/ci/ruby.yml b/ci/ruby.yml index f6ae1e3..d8e672a 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -22,7 +22,7 @@ jobs: ruby-version: ['2.6', '2.7', '3.0'] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Ruby # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, # change this to (see https://github.com/ruby/setup-ruby#versioning): diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index b7b3624..2ad891f 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -27,7 +27,7 @@ jobs: DATABASE_URL: "postgres://rails:password@localhost:5432/rails_test" steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Add or replace dependency steps here - name: Install Ruby and gems uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92 @@ -44,7 +44,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Install Ruby and gems uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92 with: diff --git a/ci/rust.yml b/ci/rust.yml index 6c82c61..d51f1af 100644 --- a/ci/rust.yml +++ b/ci/rust.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Build run: cargo build --verbose - name: Run tests diff --git a/ci/scala.yml b/ci/scala.yml index af6b2ed..ed24363 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -12,9 +12,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/ci/super-linter.yml b/ci/super-linter.yml index bebd82d..275b34f 100644 --- a/ci/super-linter.yml +++ b/ci/super-linter.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: # Full git history is needed to get a proper list of changed files within `super-linter` fetch-depth: 0 diff --git a/ci/swift.yml b/ci/swift.yml index df062b5..3668fc0 100644 --- a/ci/swift.yml +++ b/ci/swift.yml @@ -12,7 +12,7 @@ jobs: runs-on: macos-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Build run: swift build -v - name: Run tests diff --git a/ci/symfony.yml b/ci/symfony.yml index ba3d49c..533d379 100644 --- a/ci/symfony.yml +++ b/ci/symfony.yml @@ -16,7 +16,7 @@ jobs: - uses: shivammathur/setup-php@2cb9b829437ee246e9b3cac53555a39208ca6d28 with: php-version: '8.0' - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Copy .env.test.local run: php -r "file_exists('.env.test.local') || copy('.env.test', '.env.test.local');" - name: Cache Composer packages diff --git a/ci/webpack.yml b/ci/webpack.yml index 8edb34f..6449fe7 100644 --- a/ci/webpack.yml +++ b/ci/webpack.yml @@ -15,10 +15,10 @@ jobs: node-version: [12.x, 14.x, 16.x] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v1 + uses: actions/setup-node@v3 with: node-version: ${{ matrix.node-version }} diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index fcca708..64264e4 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -31,7 +31,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Build the Docker image run: docker build . --file Dockerfile --tag localbuild/testimage:latest - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index d0b25ac..3237551 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -30,7 +30,7 @@ jobs: steps: # Checkout the repository to the GitHub Actions runner - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Customize the ruby version depending on your needs - name: Setup Ruby diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index d012bce..d86d4f9 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -34,7 +34,7 @@ jobs: # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs - name: Checkmarx CxFlow Action uses: checkmarx-ts/checkmarx-cxflow-github-action@9975af7d6b957abec9ee9646effa3fb3b82c5314 diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml index 00e270a..0d6b3de 100644 --- a/code-scanning/cloudrail.yml +++ b/code-scanning/cloudrail.yml @@ -24,7 +24,7 @@ jobs: steps: - name: Clone repo - uses: actions/checkout@v2 + uses: actions/checkout@v3 # For Terraform, Cloudrail requires the plan as input. So we generate it using # the Terraform core binary. diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index 4892930..8100be8 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -35,7 +35,7 @@ jobs: steps: # Checkout the repository to the GitHub Actions runner - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis - name: Run Codacy Analysis CLI diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 57b4b69..cd9a683 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -38,7 +38,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index ff376a9..bc65eb0 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -22,7 +22,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Cache files uses: actions/cache@v3 with: diff --git a/code-scanning/crunch42.yml b/code-scanning/crunch42.yml index e8e2447..07cd73a 100644 --- a/code-scanning/crunch42.yml +++ b/code-scanning/crunch42.yml @@ -43,7 +43,7 @@ jobs: security-events: write # for 42Crunch/api-security-audit-action to upload results to Github Code Scanning runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: 42Crunch REST API Static Security Testing uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1 diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index a8610c3..1118c3d 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml @@ -45,7 +45,7 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Gets the download URL associated with the $DETEKT_RELEASE_TAG - name: Get Detekt download URL diff --git a/code-scanning/devskim.yml b/code-scanning/devskim.yml index 3a5c45f..e057348 100644 --- a/code-scanning/devskim.yml +++ b/code-scanning/devskim.yml @@ -23,7 +23,7 @@ jobs: security-events: write steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Run DevSkim scanner uses: microsoft/DevSkim-Action@v1 diff --git a/code-scanning/flawfinder.yml b/code-scanning/flawfinder.yml index 080953e..697e561 100644 --- a/code-scanning/flawfinder.yml +++ b/code-scanning/flawfinder.yml @@ -24,7 +24,7 @@ jobs: security-events: write steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: flawfinder_scan uses: david-a-wheeler/flawfinder@8e4a779ad59dbfaee5da586aa9210853b701959c diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml index d67d194..83f99c1 100644 --- a/code-scanning/fortify.yml +++ b/code-scanning/fortify.yml @@ -39,14 +39,15 @@ jobs: steps: # Check out source code - name: Check Out Source Code - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Java is required to run the various Fortify utilities. # When scanning a Java application, please use the appropriate Java version for building your application. - name: Setup Java - uses: actions/setup-java@v1 + uses: actions/setup-java@v3 with: - java-version: 1.8 + java-version: 8 + distribution: 'temurin' # Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml. # TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints: diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml index 1cad70c..81ebaa7 100644 --- a/code-scanning/kubesec.yml +++ b/code-scanning/kubesec.yml @@ -24,7 +24,7 @@ jobs: security-events: write steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Run kubesec scanner uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml index 59d66a0..ed424f1 100644 --- a/code-scanning/mayhem-for-api.yml +++ b/code-scanning/mayhem-for-api.yml @@ -42,7 +42,7 @@ jobs: contents: read security-events: write steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Run your API in the background. Ideally, the API would run in debug # mode & send stacktraces back on "500 Internal Server Error" responses diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index d8eaa92..96655af 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -24,10 +24,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Setup python - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: 3.8 diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 0abb409..13e58ef 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Configure CMake run: cmake -B ${{ env.build }} diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index a6da087..16ade3b 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -29,7 +29,7 @@ jobs: name: njsscan code scanning steps: - name: Checkout the code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: nodejsscan scan id: njsscan uses: ajinabraham/njsscan-action@7237412fdd36af517e2745077cedbf9d6900d711 diff --git a/code-scanning/nowsecure.yml b/code-scanning/nowsecure.yml index 92126bd..fbca537 100644 --- a/code-scanning/nowsecure.yml +++ b/code-scanning/nowsecure.yml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Build your application run: ./gradlew assembleDebug # Update this to build your Android or iOS application diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index b5aefa4..a6f6aa7 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -25,7 +25,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Ensure a compatible version of dotnet is installed. # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. @@ -33,7 +33,7 @@ jobs: # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped. # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action: # - name: Install .NET - # uses: actions/setup-dotnet@v1 + # uses: actions/setup-dotnet@v2 # with: # dotnet-version: '3.1.x' diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 0604734..cd88c34 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -17,9 +17,9 @@ jobs: pmd-code-scan: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index dfbf452..e70dd96 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -22,7 +22,7 @@ jobs: name: PSScriptAnalyzer runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Run PSScriptAnalyzer uses: microsoft/psscriptanalyzer-action@2044ae068e37d0161fa2127de04c19633882f061 diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 5b11482..07be948 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -33,7 +33,7 @@ jobs: name: Run Prisma Cloud IaC Scan to check steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - id: iac-scan name: Run Scan on CFT files in the repository uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3 diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml index 373d5b6..4ab8001 100644 --- a/code-scanning/rubocop.yml +++ b/code-scanning/rubocop.yml @@ -23,7 +23,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 # If running on a self-hosted runner, check it meets the requirements # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index d63b462..a6bde3a 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -22,7 +22,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0 with: persist-credentials: false @@ -42,7 +42,7 @@ jobs: # Upload the results as artifacts (optional). - name: "Upload artifact" - uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 with: name: SARIF file path: results.sarif diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml index 3063c7a..0b2fa57 100644 --- a/code-scanning/securitycodescan.yml +++ b/code-scanning/securitycodescan.yml @@ -21,7 +21,7 @@ jobs: SCS: runs-on: windows-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: nuget/setup-nuget@04b0c2b8d1b97922f67eca497d7cf0bf17b8ffe1 - uses: microsoft/setup-msbuild@v1.0.2 diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index f99d441..86c3647 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -31,7 +31,7 @@ jobs: runs-on: ubuntu-latest steps: # Checkout project source - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Scan code using project's configuration on https://semgrep.dev/manage - uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735 diff --git a/code-scanning/shiftleft.yml b/code-scanning/shiftleft.yml index 48b86d3..d1154d1 100644 --- a/code-scanning/shiftleft.yml +++ b/code-scanning/shiftleft.yml @@ -22,7 +22,7 @@ jobs: # Scan runs on ubuntu, mac and windows runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Instructions # 1. Setup JDK, Node.js, Python etc depending on your project type # 2. Compile or build the project before invoking scan diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index 8ff2c9a..48ccbe9 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml @@ -26,7 +26,7 @@ jobs: snyk: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Build a Docker image run: docker build -t your/image-to-test . - name: Run Snyk to check Docker image for vulnerabilities diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index b79bf34..2799bfc 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml @@ -25,7 +25,7 @@ jobs: snyk: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Run Snyk to check configuration files for security issues # Snyk can be used to break the build when it detects security issues. # In this case we want to upload the issues to GitHub Code Scanning diff --git a/code-scanning/stackhawk.yml b/code-scanning/stackhawk.yml index af220c0..64e9b9b 100644 --- a/code-scanning/stackhawk.yml +++ b/code-scanning/stackhawk.yml @@ -49,7 +49,7 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Start your service run: ./your-service.sh & # ✏️ Update this to run your own service to be scanned diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml index 0c1ff16..c73eb17 100644 --- a/code-scanning/synopsys-io.yml +++ b/code-scanning/synopsys-io.yml @@ -25,7 +25,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Synopsys Intelligent Security Scan id: prescription diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index f9b29fc..92082e5 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Build the Docker image # Tag image to be built diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 479f713..10a77ab 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -24,7 +24,7 @@ jobs: steps: - name: Clone repo - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Run tfsec uses: tfsec/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index 3d5373f..d6633be 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -26,7 +26,7 @@ jobs: runs-on: "ubuntu-18.04" steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Build an image from Dockerfile run: | diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index 073d1b6..2ce3212 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -31,7 +31,7 @@ jobs: steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. Replace this section with your applications build steps - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: repository: '' @@ -41,9 +41,10 @@ jobs: - run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip - run: unzip -o pipeline-scan-LATEST.zip - - uses: actions/setup-java@v1 + - uses: actions/setup-java@v3 with: - java-version: 1.8 + java-version: 8 + distribution: 'temurin' - run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-scan-target.zip continue-on-error: true - name: Convert pipeline scan output to SARIF format diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index dc3c9ce..c20c741 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -50,14 +50,15 @@ jobs: steps: # Check out the repository - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Set up the correct Java version for your project # Please comment out, if your project does not contain Java source code. - name: Set up JDK 11 - uses: actions/setup-java@v1 + uses: actions/setup-java@v3 with: java-version: 11 + distribution: 'temurin' # Compile the code for Java projects and get all libraries, e.g. via Maven # Please adapt, if your project uses another build system to compile Java source code. diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index ded9178..841a2fd 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -47,7 +47,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # 1.1 Login to ACR - name: Login to ACR with the AccessKey pair @@ -74,7 +74,7 @@ jobs: tag: "${{ env.TAG }}" # 2.1 (Optional) Login to ACR EE - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Login to ACR EE with the AccessKey pair uses: aliyun/acr-login@v1 with: diff --git a/deployments/aws.yml b/deployments/aws.yml index dab851f..fe5e076 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -49,7 +49,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v1 diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml index 57fe362..c882bde 100644 --- a/deployments/azure-container-webapp.yml +++ b/deployments/azure-container-webapp.yml @@ -40,7 +40,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v1 diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index 506819d..948e7db 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -57,7 +57,7 @@ jobs: runs-on: ubuntu-latest steps: # Checks out the repository this file is in - - uses: actions/checkout@master + - uses: actions/checkout@v3 # Logs in with your Azure credentials - name: Azure login diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index 1d33fe3..7c25319 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -49,7 +49,7 @@ jobs: runs-on: ubuntu-latest steps: # Checks out the repository this file is in - - uses: actions/checkout@master + - uses: actions/checkout@v3 # Logs in with your Azure credentials - name: Azure login diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index 51b7d69..f6928d0 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -55,7 +55,7 @@ jobs: runs-on: ubuntu-latest steps: # Checks out the repository this file is in - - uses: actions/checkout@master + - uses: actions/checkout@v3 # Logs in with your Azure credentials - name: Azure login diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index e61e64e..bb513d4 100644 --- a/deployments/azure-kubernetes-service.yml +++ b/deployments/azure-kubernetes-service.yml @@ -52,7 +52,7 @@ jobs: runs-on: ubuntu-latest steps: # Checks out the repository this file is in - - uses: actions/checkout@master + - uses: actions/checkout@v3 # Logs in with your Azure credentials - name: Azure login diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml index 8e1faf7..becfede 100644 --- a/deployments/azure-staticwebapp.yml +++ b/deployments/azure-staticwebapp.yml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest name: Build and Deploy Job steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: submodules: true - name: Build And Deploy diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index d4690a5..3357dc8 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -35,10 +35,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up .NET Core - uses: actions/setup-dotnet@v1 + uses: actions/setup-dotnet@v2 with: dotnet-version: ${{ env.DOTNET_VERSION }} diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 210fd90..5f58dbf 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -34,10 +34,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Java version - uses: actions/setup-java@v2.3.1 + uses: actions/setup-java@v3.0.0 with: java-version: ${{ env.JAVA_VERSION }} cache: 'maven' diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index b6089d4..c967bdb 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -32,10 +32,10 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Node.js - uses: actions/setup-node@v2 + uses: actions/setup-node@v3 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index f971d1c..04f55f4 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -35,7 +35,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Setup PHP uses: shivammathur/setup-php@7c0b4c8c8ebed23eca9ec2802474895d105b11bc diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 8605e0a..af6a9dd 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -34,10 +34,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python version - uses: actions/setup-python@v2.2.2 + uses: actions/setup-python@v3.0.0 with: python-version: ${{ env.PYTHON_VERSION }} cache: 'pip' diff --git a/deployments/google.yml b/deployments/google.yml index 003e53b..6150672 100644 --- a/deployments/google.yml +++ b/deployments/google.yml @@ -38,7 +38,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Configure Workload Identity Federation and generate an access token. - id: 'auth' diff --git a/deployments/ibm.yml b/deployments/ibm.yml index 216b04d..cb3080f 100644 --- a/deployments/ibm.yml +++ b/deployments/ibm.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Download and Install IBM Cloud CLI - name: Install IBM Cloud CLI diff --git a/deployments/openshift.yml b/deployments/openshift.yml index 46ff961..5775cb0 100644 --- a/deployments/openshift.yml +++ b/deployments/openshift.yml @@ -71,7 +71,7 @@ jobs: steps: - name: Check for required secrets - uses: actions/github-script@v4 + uses: actions/github-script@v6 with: script: | const secrets = { @@ -109,7 +109,7 @@ jobs: } - name: Check out repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Determine app name if: env.APP_NAME == '' diff --git a/deployments/tencent.yml b/deployments/tencent.yml index 83bde94..2bf2a68 100644 --- a/deployments/tencent.yml +++ b/deployments/tencent.yml @@ -35,7 +35,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Build - name: Build Docker image diff --git a/deployments/terraform.yml b/deployments/terraform.yml index 589f1f3..96e44e0 100644 --- a/deployments/terraform.yml +++ b/deployments/terraform.yml @@ -64,7 +64,7 @@ jobs: steps: # Checkout the repository to the GitHub Actions runner - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token - name: Setup Terraform From d8be55169b88f4cf8f90c7a7fe03f63244b2afb2 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Mon, 21 Mar 2022 11:40:07 -0700 Subject: [PATCH 259/300] add Security Gallery entry for new Dependency Review Action --- dependency-graph/dependency-review.yml | 11 +++++++++++ .../dependency-review.properties.json | 17 +++++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 dependency-graph/dependency-review.yml create mode 100644 dependency-graph/properties/dependency-review.properties.json diff --git a/dependency-graph/dependency-review.yml b/dependency-graph/dependency-review.yml new file mode 100644 index 0000000..6e46018 --- /dev/null +++ b/dependency-graph/dependency-review.yml @@ -0,0 +1,11 @@ +name: 'Dependency Review' +on: [pull_request] + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: 'Checkout Repository' + uses: actions/checkout@v3 + - name: 'Dependency Review' + uses: github/dependency-review-action@main diff --git a/dependency-graph/properties/dependency-review.properties.json b/dependency-graph/properties/dependency-review.properties.json new file mode 100644 index 0000000..e8a14a1 --- /dev/null +++ b/dependency-graph/properties/dependency-review.properties.json @@ -0,0 +1,17 @@ +{ + "name": "Dependency Review", + "creator": "GitHub", + "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", + "iconName": "octicon mark-github", + "categories": [ + "Dependency Graph", + "Dependency Review", + "Go", + "Java", + "JavaScript", + "TypeScript", + "Python", + "Ruby", + "Actions", + "PHP"] +} From c5111ef87154111daba867bf116825b8848ad936 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Thu, 24 Mar 2022 13:09:18 -0700 Subject: [PATCH 260/300] update org the final, open-sourced DR Action will be hosted under for GA release --- dependency-graph/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-graph/dependency-review.yml b/dependency-graph/dependency-review.yml index 6e46018..8e94ea0 100644 --- a/dependency-graph/dependency-review.yml +++ b/dependency-graph/dependency-review.yml @@ -8,4 +8,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@v3 - name: 'Dependency Review' - uses: github/dependency-review-action@main + uses: actions/dependency-review-action@main From 6537e55e9700a5fa61e5b5f612e4b1efb0251124 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Mon, 28 Mar 2022 10:58:48 -0700 Subject: [PATCH 261/300] post-review: use default "creator" entry: "By GitHub" --- dependency-graph/properties/dependency-review.properties.json | 1 - 1 file changed, 1 deletion(-) diff --git a/dependency-graph/properties/dependency-review.properties.json b/dependency-graph/properties/dependency-review.properties.json index e8a14a1..3ccbf1f 100644 --- a/dependency-graph/properties/dependency-review.properties.json +++ b/dependency-graph/properties/dependency-review.properties.json @@ -1,6 +1,5 @@ { "name": "Dependency Review", - "creator": "GitHub", "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", "iconName": "octicon mark-github", "categories": [ From c3a21a83b2a61aa77fecbf9f85c70d6e6f2ad01a Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Mon, 28 Mar 2022 13:33:59 -0700 Subject: [PATCH 262/300] post-review: move DR Action spec and props file into code-scanning/ dir tree temporarily, until maintainers refactor this to security/ --- {dependency-graph => code-scanning}/dependency-review.yml | 0 .../properties/dependency-review.properties.json | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename {dependency-graph => code-scanning}/dependency-review.yml (100%) rename {dependency-graph => code-scanning}/properties/dependency-review.properties.json (100%) diff --git a/dependency-graph/dependency-review.yml b/code-scanning/dependency-review.yml similarity index 100% rename from dependency-graph/dependency-review.yml rename to code-scanning/dependency-review.yml diff --git a/dependency-graph/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json similarity index 100% rename from dependency-graph/properties/dependency-review.properties.json rename to code-scanning/properties/dependency-review.properties.json From 4aa004f885b18219244520462aa3b46af0146cd0 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Mon, 28 Mar 2022 13:39:46 -0700 Subject: [PATCH 263/300] linter: add tags to props file appropriate for code-scanning/ entries (security gallery) --- code-scanning/properties/dependency-review.properties.json | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index 3ccbf1f..3badf40 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json @@ -3,6 +3,8 @@ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", "iconName": "octicon mark-github", "categories": [ + "Code Scanning", + "Automation", "Dependency Graph", "Dependency Review", "Go", From 5bd031f3071b0e3ef3c7d0cda4fdc064790c734f Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Mon, 28 Mar 2022 16:50:23 -0700 Subject: [PATCH 264/300] add explanatory comments with links to DR security gallery workflow template file --- code-scanning/dependency-review.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 8e94ea0..c342269 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -1,3 +1,9 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Reqest, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement name: 'Dependency Review' on: [pull_request] From aee1a2083533d8f67f8f771a3671c3cba9de020a Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Mon, 28 Mar 2022 16:57:03 -0700 Subject: [PATCH 265/300] add tigher scoped repo perms to workflow run template file --- code-scanning/dependency-review.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index c342269..eb3a90b 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -7,6 +7,9 @@ name: 'Dependency Review' on: [pull_request] +permissions: + repo: read + jobs: dependency-review: runs-on: ubuntu-latest From cdc592d6034f2f17c52a825dd1b456e6e9e6f576 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Tue, 29 Mar 2022 08:52:08 -0700 Subject: [PATCH 266/300] update action version used in template to "v1" branch; set perms to "contents: read" --- code-scanning/dependency-review.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index eb3a90b..0e72a00 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -8,7 +8,7 @@ name: 'Dependency Review' on: [pull_request] permissions: - repo: read + contents: read jobs: dependency-review: @@ -17,4 +17,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@v3 - name: 'Dependency Review' - uses: actions/dependency-review-action@main + uses: actions/dependency-review-action@v1 From 1e0060ae0f820f0e350f84c656ca66e287005124 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Wed, 30 Mar 2022 10:27:25 +0200 Subject: [PATCH 267/300] Added mention to free plan --- code-scanning/sonarcloud.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index d0cc73b..bd6a3e1 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -5,6 +5,7 @@ # This workflow helps you trigger a SonarCloud analysis of your code and populates # GitHub Code Scanning alerts with the vulnerabilities found. +# Free for open source project. # 1. Login to SonarCloud.io using your GitHub account From 10092345c8d227804b7dc9f587d10813d85199c5 Mon Sep 17 00:00:00 2001 From: h0x0er Date: Wed, 30 Mar 2022 15:08:50 +0530 Subject: [PATCH 268/300] fixing conflict --- ci/elixir.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/elixir.yml b/ci/elixir.yml index 5b5aabb..6c76f54 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: From 3fc061974d6849a15c6ddfd7ccb7c16ed93f38c2 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Wed, 30 Mar 2022 12:52:01 -0700 Subject: [PATCH 269/300] remove "Automation" tag from properites file --- code-scanning/properties/dependency-review.properties.json | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index 3badf40..568af90 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json @@ -3,10 +3,9 @@ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", "iconName": "octicon mark-github", "categories": [ - "Code Scanning", - "Automation", - "Dependency Graph", "Dependency Review", + "Code Scanning", + "Dependency Graph", "Go", "Java", "JavaScript", From 589aeb1674483e39ab864dd33cfa5cf63882462a Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 31 Mar 2022 10:34:04 +0200 Subject: [PATCH 270/300] Added restrictive permissions for GITHUB_TOKEN --- code-scanning/sonarcloud.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index bd6a3e1..dade659 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -35,6 +35,9 @@ on: branches: [ $default-branch ] workflow_dispatch: +permissions: + pull-requests: read # allows SonarCloud to decorate PRs with analysis results + jobs: Analysis: runs-on: ubuntu-latest @@ -46,7 +49,7 @@ jobs: # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 uses: SonarSource/sonarcloud-github-action@v1.6 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) with: # Additional arguments for the sonarcloud scanner From 439bf3cc34005f8b68d877f9bc5e288e491784e3 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Thu, 31 Mar 2022 14:28:28 +0530 Subject: [PATCH 271/300] Change to small case --- code-scanning/properties/dependency-review.properties.json | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index 568af90..e84278c 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json @@ -3,9 +3,8 @@ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", "iconName": "octicon mark-github", "categories": [ - "Dependency Review", - "Code Scanning", - "Dependency Graph", + "Dependency review", + "Dependency graph", "Go", "Java", "JavaScript", From 8d8c6f77d6d743a4b096c8b5b1eee8467552de77 Mon Sep 17 00:00:00 2001 From: Thomas Boop Date: Thu, 31 Mar 2022 08:24:35 -0400 Subject: [PATCH 272/300] update to v2 --- code-scanning/anchore.yml | 2 +- code-scanning/apisec-scan.yml | 2 +- code-scanning/brakeman.yml | 2 +- code-scanning/checkmarx.yml | 2 +- code-scanning/cloudrail.yml | 2 +- code-scanning/codacy.yml | 2 +- code-scanning/codeql.yml | 6 +++--- code-scanning/codescan.yml | 2 +- code-scanning/detekt.yml | 2 +- code-scanning/devskim.yml | 2 +- code-scanning/flawfinder.yml | 2 +- code-scanning/fortify.yml | 2 +- code-scanning/kubesec.yml | 2 +- code-scanning/mayhem-for-api.yml | 2 +- code-scanning/mobsf.yml | 2 +- code-scanning/msvc.yml | 2 +- code-scanning/njsscan.yml | 2 +- code-scanning/nowsecure.yml | 2 +- code-scanning/ossar.yml | 2 +- code-scanning/pmd.yml | 2 +- code-scanning/powershell.yml | 2 +- code-scanning/prisma.yml | 2 +- code-scanning/rubocop.yml | 2 +- code-scanning/securitycodescan.yml | 2 +- code-scanning/semgrep.yml | 2 +- code-scanning/shiftleft.yml | 2 +- code-scanning/snyk-container.yml | 2 +- code-scanning/snyk-infrastructure.yml | 2 +- code-scanning/synopsys-io.yml | 2 +- code-scanning/sysdig-scan.yml | 2 +- code-scanning/tfsec.yml | 2 +- code-scanning/trivy.yml | 2 +- code-scanning/veracode.yml | 2 +- code-scanning/xanitizer.yml | 2 +- 34 files changed, 36 insertions(+), 36 deletions(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index fcca708..66dd09f 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -40,6 +40,6 @@ jobs: image: "localbuild/testimage:latest" acs-report-enable: true - name: Upload Anchore Scan Report - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 4737d06..5a9b751 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -64,6 +64,6 @@ jobs: # The name of the sarif format result file The file is written only if this property is provided. sarif-result-file: "apisec-results.sarif" - name: Import results - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ./apisec-results.sarif diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index d0b25ac..f54f6e7 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -52,6 +52,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: output.sarif.json diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index d012bce..dc96cde 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -49,6 +49,6 @@ jobs: params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: cx.sarif diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml index 00e270a..dd70bdf 100644 --- a/code-scanning/cloudrail.yml +++ b/code-scanning/cloudrail.yml @@ -50,7 +50,7 @@ jobs: cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 # Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always() # is needed to ensure the SARIF file is uploaded if: always() diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index 4892930..6b0df9e 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -55,6 +55,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 57b4b69..07b48e7 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -42,7 +42,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@v2 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -53,7 +53,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v1 + uses: github/codeql-action/autobuild@v2 # ℹ️ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -67,4 +67,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + uses: github/codeql-action/analyze@v2 diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index 5886843..b87586c 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -37,6 +37,6 @@ jobs: organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }} projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: codescan.sarif diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index a8610c3..505e31a 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml @@ -111,7 +111,7 @@ jobs: )" > ${{ github.workspace }}/detekt.sarif.json # Uploads results to GitHub repository using the upload-sarif action - - uses: github/codeql-action/upload-sarif@v1 + - uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository sarif_file: ${{ github.workspace }}/detekt.sarif.json diff --git a/code-scanning/devskim.yml b/code-scanning/devskim.yml index 3a5c45f..a435448 100644 --- a/code-scanning/devskim.yml +++ b/code-scanning/devskim.yml @@ -29,6 +29,6 @@ jobs: uses: microsoft/DevSkim-Action@v1 - name: Upload DevSkim scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: devskim-results.sarif diff --git a/code-scanning/flawfinder.yml b/code-scanning/flawfinder.yml index 080953e..179d56f 100644 --- a/code-scanning/flawfinder.yml +++ b/code-scanning/flawfinder.yml @@ -33,6 +33,6 @@ jobs: output: 'flawfinder_results.sarif' - name: Upload analysis results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ${{github.workspace}}/flawfinder_results.sarif \ No newline at end of file diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml index d67d194..1d37bc0 100644 --- a/code-scanning/fortify.yml +++ b/code-scanning/fortify.yml @@ -92,6 +92,6 @@ jobs: # Import Fortify on Demand results to GitHub Security Code Scanning - name: Import Results - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ./gh-fortify-sast.sarif diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml index 1cad70c..ac7085e 100644 --- a/code-scanning/kubesec.yml +++ b/code-scanning/kubesec.yml @@ -36,6 +36,6 @@ jobs: exit-code: "0" - name: Upload Kubesec scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: kubesec-results.sarif \ No newline at end of file diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml index 59d66a0..94bdc4a 100644 --- a/code-scanning/mayhem-for-api.yml +++ b/code-scanning/mayhem-for-api.yml @@ -61,6 +61,6 @@ jobs: sarif-report: mapi.sarif - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: mapi.sarif diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index d8eaa92..03aec53 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -37,6 +37,6 @@ jobs: args: . --sarif --output results.sarif || true - name: Upload mobsfscan report - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 0abb409..078399f 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -53,7 +53,7 @@ jobs: # Upload SARIF file to GitHub Code Scanning Alerts - name: Upload SARIF to GitHub - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ${{ steps.run-analysis.outputs.sarif }} diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index a6da087..421aa31 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -36,6 +36,6 @@ jobs: with: args: '. --sarif --output results.sarif || true' - name: Upload njsscan report - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif diff --git a/code-scanning/nowsecure.yml b/code-scanning/nowsecure.yml index 92126bd..161c786 100644 --- a/code-scanning/nowsecure.yml +++ b/code-scanning/nowsecure.yml @@ -47,6 +47,6 @@ jobs: group_id: {{ groupId }} # Update this to your desired Platform group ID - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: NowSecure.sarif diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index b5aefa4..b3d5b39 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -44,6 +44,6 @@ jobs: # Upload results to the Security tab - name: Upload OSSAR results - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ${{ steps.ossar.outputs.sarifFile }} diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 0604734..e4702d8 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -31,6 +31,6 @@ jobs: sourcePath: 'src/main/java' analyzeModifiedFilesOnly: false - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: pmd-report.sarif diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index dfbf452..5252cf0 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -37,6 +37,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 5b11482..729cbac 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -48,7 +48,7 @@ jobs: # The service need to know the type of IaC being scanned template_type: 'CFT' - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 # Results are generated only on a success or failure # this is required since GitHub by default won't run the next step # when the previous one has failed. diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml index 373d5b6..8f32c73 100644 --- a/code-scanning/rubocop.yml +++ b/code-scanning/rubocop.yml @@ -47,6 +47,6 @@ jobs: " - name: Upload Sarif output - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: rubocop.sarif diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml index 3063c7a..471c216 100644 --- a/code-scanning/securitycodescan.yml +++ b/code-scanning/securitycodescan.yml @@ -38,4 +38,4 @@ jobs: uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687 - name: Upload sarif - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index f99d441..f88ad21 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -42,7 +42,7 @@ jobs: # Upload SARIF file generated in previous step - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: semgrep.sarif if: always() diff --git a/code-scanning/shiftleft.yml b/code-scanning/shiftleft.yml index 48b86d3..552bc99 100644 --- a/code-scanning/shiftleft.yml +++ b/code-scanning/shiftleft.yml @@ -42,6 +42,6 @@ jobs: # type: python - name: Upload report - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: reports diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index 8ff2c9a..d0a95bf 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml @@ -43,6 +43,6 @@ jobs: image: your/image-to-test args: --file=Dockerfile - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: snyk.sarif diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index b79bf34..ee4723d 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml @@ -42,6 +42,6 @@ jobs: # or `main.tf` for a Terraform configuration file file: your-file-to-test.yaml - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: snyk.sarif diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml index 0c1ff16..e320303 100644 --- a/code-scanning/synopsys-io.yml +++ b/code-scanning/synopsys-io.yml @@ -71,7 +71,7 @@ jobs: - name: Upload SARIF file if: ${{steps.prescription.outputs.sastScan == 'true' }} - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository sarif_file: workflowengine-results.sarif.json diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index f9b29fc..0b5af83 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -54,7 +54,7 @@ jobs: # Sysdig inline scanner requires privileged rights run-as-user: root - - uses: github/codeql-action/upload-sarif@v1 + - uses: github/codeql-action/upload-sarif@v2 #Upload SARIF file if: always() with: diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 479f713..275bf45 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -32,7 +32,7 @@ jobs: sarif_file: tfsec.sarif - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository sarif_file: tfsec.sarif diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index 3d5373f..3bb0b1c 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -42,6 +42,6 @@ jobs: severity: 'CRITICAL,HIGH' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: 'trivy-results.sarif' diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index 073d1b6..c764551 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -51,7 +51,7 @@ jobs: uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be with: pipeline-results-json: results.json - - uses: github/codeql-action/upload-sarif@v1 + - uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository sarif_file: veracode-results.sarif diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index dc3c9ce..ec0019a 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -87,6 +87,6 @@ jobs: *-Findings-List.sarif # Uploads the findings into the GitHub code scanning alert section using the upload-sarif action - - uses: github/codeql-action/upload-sarif@v1 + - uses: github/codeql-action/upload-sarif@v2 with: sarif_file: Xanitizer-Findings-List.sarif From 24a0860545c9fb8bc75902a3944350e15b2ca893 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Thu, 31 Mar 2022 10:34:19 -0700 Subject: [PATCH 273/300] fix broken build due to missing required category --- code-scanning/properties/dependency-review.properties.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index e84278c..57ca502 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json @@ -3,8 +3,9 @@ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", "iconName": "octicon mark-github", "categories": [ - "Dependency review", - "Dependency graph", + "Code Scanning", + "Dependency Review", + "Dependency Graph", "Go", "Java", "JavaScript", From dbba84eb877092dade4cc207fe0f2721d9ed60f2 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 1 Apr 2022 10:03:32 +0530 Subject: [PATCH 274/300] revert back to "Dependency review" category The CI test needs to be fixed and not the other way round. --- code-scanning/properties/dependency-review.properties.json | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index 57ca502..e84278c 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json @@ -3,9 +3,8 @@ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", "iconName": "octicon mark-github", "categories": [ - "Code Scanning", - "Dependency Review", - "Dependency Graph", + "Dependency review", + "Dependency graph", "Go", "Java", "JavaScript", From d629c82ad7b53ccd396ab5ca9f8b97bf9a67ca68 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 1 Apr 2022 10:04:38 +0530 Subject: [PATCH 275/300] Include "Dependency review" in allowed categories --- script/validate-data/settings.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index ce89e36..ef8ee60 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json @@ -9,6 +9,7 @@ "Continuous integration", "Deployment", "Code Scanning", + "Dependency review", "Automation" ] -} \ No newline at end of file +} From 3f1969e60bade312dd53ca604e2479900b6a6a5f Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Wed, 6 Apr 2022 10:26:21 +0200 Subject: [PATCH 276/300] Update sonarcloud.properties.json --- code-scanning/properties/sonarcloud.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json index 428d899..8835ff8 100644 --- a/code-scanning/properties/sonarcloud.properties.json +++ b/code-scanning/properties/sonarcloud.properties.json @@ -1,7 +1,7 @@ { "name": "SonarCloud", "creator": "Sonar", - "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Free for open source projects", + "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start analyzing your code in minutes!", "iconName": "sonarcloud", "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"] } From 1132fdda5ded5388ebc46d62f1892bece49f3c26 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Wed, 6 Apr 2022 10:43:06 +0200 Subject: [PATCH 277/300] Update sonarcloud.properties.json --- code-scanning/properties/sonarcloud.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json index 8835ff8..9b88a78 100644 --- a/code-scanning/properties/sonarcloud.properties.json +++ b/code-scanning/properties/sonarcloud.properties.json @@ -1,7 +1,7 @@ { "name": "SonarCloud", "creator": "Sonar", - "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start analyzing your code in minutes!", + "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start cleaning your code in minutes!", "iconName": "sonarcloud", "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"] } From 50c02af8cf04a5cba88c5f47d64db3d2860ddcff Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Wed, 6 Apr 2022 10:59:27 +0200 Subject: [PATCH 278/300] changed version to exact SHA Co-authored-by: Sampark Sharma --- code-scanning/sonarcloud.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index dade659..fe9afb4 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -47,7 +47,7 @@ jobs: # You can pin the exact commit or the version. # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 - uses: SonarSource/sonarcloud-github-action@v1.6 + uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) From 090ead86a92181d20a19219314dd1858ec87a787 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Wed, 6 Apr 2022 14:51:15 +0200 Subject: [PATCH 279/300] Update syntax for validation --- code-scanning/sonarcloud.yml | 42 ++++++++++++++++++------------------ 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index fe9afb4..ff388c8 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -45,24 +45,24 @@ jobs: steps: - name: Analyze with SonarCloud - # You can pin the exact commit or the version. - # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 - uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) - with: - # Additional arguments for the sonarcloud scanner - args: - # Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu) - -Dsonar.projectKey= # mandatory - # Unique organization key of your project. You can find it in SonarCloud > Information (bottom-left menu) - -Dsonar.organization= # mandatory - # Comma-separated paths to directories containing main source files. - #-Dsonar.sources= # optional, default is project base directory - # When you need the analysis to take place in a directory other than the one from which it was launched - #-Dsonar.projectBaseDir= # optional, default is . - # Comma-separated paths to directories containing test source files. - #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ - # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. - #-Dsonar.verbose= # optional, default is false + # You can pin the exact commit or the version. + # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 + uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) + with: + # Additional arguments for the sonarcloud scanner + args: + # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu) + # mandatory + -Dsonar.projectKey= + -Dsonar.organization= + # Comma-separated paths to directories containing main source files. + #-Dsonar.sources= # optional, default is project base directory + # When you need the analysis to take place in a directory other than the one from which it was launched + #-Dsonar.projectBaseDir= # optional, default is . + # Comma-separated paths to directories containing test source files. + #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ + # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. + #-Dsonar.verbose= # optional, default is false From cca97c83b88349992531d905e3456a9227e2a391 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Sat, 9 Apr 2022 01:28:14 -0700 Subject: [PATCH 280/300] Add rust-clippy starter workflow (#1462) * Add rust-clippy starter workflow * fix parameter `wait-for-processing` indent of action github/codeql-action/upload-sarif@v1 * Use commit sha instead of tag * addressing pr comments * Update creator * Add comments --- .../properties/rust-clippy.properties.json | 10 ++++ code-scanning/rust-clippy.yml | 54 +++++++++++++++++++ 2 files changed, 64 insertions(+) create mode 100644 code-scanning/properties/rust-clippy.properties.json create mode 100644 code-scanning/rust-clippy.yml diff --git a/code-scanning/properties/rust-clippy.properties.json b/code-scanning/properties/rust-clippy.properties.json new file mode 100644 index 0000000..ea5c871 --- /dev/null +++ b/code-scanning/properties/rust-clippy.properties.json @@ -0,0 +1,10 @@ +{ + "name": "rust-clippy", + "creator": "Rust", + "description": "A collection of lints to catch common mistakes and improve your Rust code.", + "iconName": "rust", + "categories": [ + "Code Scanning", + "rust" + ] +} \ No newline at end of file diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml new file mode 100644 index 0000000..e9c426a --- /dev/null +++ b/code-scanning/rust-clippy.yml @@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# rust-clippy is a tool that runs a bunch of lints to catch common +# mistakes in your Rust code and help improve your Rust code. +# More details at https://github.com/rust-lang/rust-clippy +# and https://rust-lang.github.io/rust-clippy/ + +name: rust-clippy analyze + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + rust-clippy-analyze: + name: Run rust-clippy analyzing + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Install Rust toolchain + uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af #@v1 + with: + profile: minimal + toolchain: stable + components: clippy + override: true + + - name: Install required cargo + run: cargo install clippy-sarif sarif-fmt + + - name: Run rust-clippy + run: + cargo clippy + --all-features + --message-format=json | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: rust-clippy-results.sarif + wait-for-processing: true \ No newline at end of file From 769950ce816c2f79f8df05cf138640f9aa08625d Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Sun, 10 Apr 2022 17:20:15 +0530 Subject: [PATCH 281/300] Removing code-scanning/shiftleft as per author request (#1513) Co-authored-by: Bishal Prasad --- .../properties/shiftleft.properties.json | 7 --- code-scanning/shiftleft.yml | 47 ------------------- icons/shiftleft.svg | 6 --- 3 files changed, 60 deletions(-) delete mode 100644 code-scanning/properties/shiftleft.properties.json delete mode 100644 code-scanning/shiftleft.yml delete mode 100644 icons/shiftleft.svg diff --git a/code-scanning/properties/shiftleft.properties.json b/code-scanning/properties/shiftleft.properties.json deleted file mode 100644 index 1cb36c9..0000000 --- a/code-scanning/properties/shiftleft.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Scan", - "creator": "ShiftLeft", - "description": "Scan is a free open-source security tool for modern DevOps teams from ShiftLeft.", - "iconName": "shiftleft", - "categories": ["Code Scanning"] -} \ No newline at end of file diff --git a/code-scanning/shiftleft.yml b/code-scanning/shiftleft.yml deleted file mode 100644 index b042670..0000000 --- a/code-scanning/shiftleft.yml +++ /dev/null @@ -1,47 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow integrates Scan with GitHub's code scanning feature -# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft -# Visit https://slscan.io/en/latest/integrations/code-scan for help -name: SL Scan - -on: - push: - branches: [ $default-branch, $protected-branches ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ $default-branch ] - schedule: - - cron: $cron-weekly - -jobs: - Scan-Build: - # Scan runs on ubuntu, mac and windows - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - # Instructions - # 1. Setup JDK, Node.js, Python etc depending on your project type - # 2. Compile or build the project before invoking scan - # Example: mvn compile, or npm install or pip install goes here - # 3. Invoke Scan with the github token. Leave the workspace empty to use relative url - - - name: Perform Scan - uses: ShiftLeftSecurity/scan-action@39af9e54bc599c8077e710291d790175c9231f64 - env: - WORKSPACE: "" - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SCAN_AUTO_BUILD: true - with: - output: reports - # Scan auto-detects the languages in your project. To override uncomment the below variable and set the type - # type: credscan,java - # type: python - - - name: Upload report - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: reports diff --git a/icons/shiftleft.svg b/icons/shiftleft.svg deleted file mode 100644 index f8e944a..0000000 --- a/icons/shiftleft.svg +++ /dev/null @@ -1,6 +0,0 @@ - - - - - - From 31b35634e10474dd37c3d2929577d2778e781cbf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Andr=C3=A9?= Date: Sun, 10 Apr 2022 15:07:11 +0200 Subject: [PATCH 282/300] Fix pull request trigger in greetings.yml (#1518) --- automation/greetings.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/automation/greetings.yml b/automation/greetings.yml index ee1cb11..18ba13f 100644 --- a/automation/greetings.yml +++ b/automation/greetings.yml @@ -1,6 +1,6 @@ name: Greetings -on: [pull_request, issues] +on: [pull_request_target, issues] jobs: greeting: From d80712faf41487f0d71d06018ec3bae11b859987 Mon Sep 17 00:00:00 2001 From: Anthony Roussel Date: Sun, 10 Apr 2022 15:29:47 +0200 Subject: [PATCH 283/300] Disable Terraform interactive prompts during apply & plan (#1467) --- deployments/terraform.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/terraform.yml b/deployments/terraform.yml index 96e44e0..6142d2c 100644 --- a/deployments/terraform.yml +++ b/deployments/terraform.yml @@ -82,10 +82,10 @@ jobs: # Generates an execution plan for Terraform - name: Terraform Plan - run: terraform plan + run: terraform plan -input=false # On push to $default-branch, build or change infrastructure according to Terraform configuration files # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks - name: Terraform Apply if: github.ref == 'refs/heads/$default-branch' && github.event_name == 'push' - run: terraform apply -auto-approve + run: terraform apply -auto-approve -input=false From 970a7b52557fbdf7dc31c20e64499c21f45deff2 Mon Sep 17 00:00:00 2001 From: dlorenc Date: Sun, 10 Apr 2022 13:06:23 -0500 Subject: [PATCH 284/300] =?UTF-8?q?Update=20the=20cosign-install=20action?= =?UTF-8?q?=20and=20default=20version=20from=201.4.0=20to=201.=E2=80=A6=20?= =?UTF-8?q?(#1452)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Update the cosign-install action and default version from 1.4.0 to 1.5.1. Signed-off-by: Dan Lorenc * Update to 1.7.1 and the latest cosign-installer action. Signed-off-by: Dan Lorenc Co-authored-by: Bishal Prasad --- ci/docker-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 7b6add3..75f9770 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -41,9 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422 + uses: sigstore/cosign-installer@d6a3abf1bdea83574e28d40543793018b6035605 with: - cosign-release: 'v1.4.0' + cosign-release: 'v1.7.1' # Workaround: https://github.com/docker/build-push-action/issues/461 From eeb7d2860d40ef8ccea22e7cc47f0a7088dc886a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Bedran?= Date: Sun, 10 Apr 2022 16:46:50 -0300 Subject: [PATCH 285/300] Removes " Simulator" substring from device name. (#1470) --- ci/ios.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/ios.yml b/ci/ios.yml index 5cec5e7..693a7d5 100644 --- a/ci/ios.yml +++ b/ci/ios.yml @@ -26,7 +26,7 @@ jobs: platform: ${{ 'iOS Simulator' }} run: | # xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959) - device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'` + device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}' | sed -e "s/ Simulator$//"` if [ $scheme = default ]; then scheme=$(cat default); fi if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi file_to_build=`echo $file_to_build | awk '{$1=$1;print}'` @@ -37,7 +37,7 @@ jobs: platform: ${{ 'iOS Simulator' }} run: | # xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959) - device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'` + device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}' | sed -e "s/ Simulator$//"` if [ $scheme = default ]; then scheme=$(cat default); fi if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi file_to_build=`echo $file_to_build | awk '{$1=$1;print}'` From 9e81e73fe1c6c6786692b02864aeb1271734d235 Mon Sep 17 00:00:00 2001 From: Andrew Freckelton <7751633+frecks@users.noreply.github.com> Date: Mon, 11 Apr 2022 15:04:06 -0400 Subject: [PATCH 286/300] chore: Update go version to 1.18 --- ci/go.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/go.yml b/ci/go.yml index 6f498a6..bb3ec96 100644 --- a/ci/go.yml +++ b/ci/go.yml @@ -16,7 +16,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v3 with: - go-version: 1.17 + go-version: 1.18 - name: Build run: go build -v ./... From 66f87f9dfe82ccc8055c7063ef35ee994f1a3ae1 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Mon, 11 Apr 2022 21:41:27 -0700 Subject: [PATCH 287/300] Add clj-watson starter workflow (#1460) * Add clj-watson starter workflow * update permissions * update to latest release * Update clj-watson-action to official release * Update code-scanning/clj-watson.yml Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com> * Update code-scanning/clj-watson.yml Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com> * update categories * update categories * Update code-scanning/clj-watson.yml Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com> * Update code-scanning/properties/clj-watson.properties.json Co-authored-by: Bishal Prasad * Update code-scanning/clj-watson.yml Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com> * add comments to yml file * Update clj-watson.properties.json * use codeql-action/upload-sarif v2 Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com> Co-authored-by: Bishal Prasad --- code-scanning/clj-watson.yml | 53 +++++++++++++++++++ .../properties/clj-watson.properties.json | 9 ++++ icons/clj-watson.svg | 1 + 3 files changed, 63 insertions(+) create mode 100644 code-scanning/clj-watson.yml create mode 100644 code-scanning/properties/clj-watson.properties.json create mode 100644 icons/clj-watson.svg diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml new file mode 100644 index 0000000..2e4ab3c --- /dev/null +++ b/code-scanning/clj-watson.yml @@ -0,0 +1,53 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# clj-watson scans dependencies in a clojure deps.edn +# seeking for vulnerable direct/transitive dependencies and +# build a report with all the information needed to help you +# understand how the vulnerability manifest in your software. +# More details at https://github.com/clj-holmes/clj-watson + +name: clj-watson + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + clj-holmes: + name: Run clj-watson scanning + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Dependency scan + uses: clj-holmes/clj-watson-action@39b8ed306f2c125860cf6e69b6939363689f998c + with: + clj-watson-sha: "65d928c" + clj-watson-tag: "v4.0.1" + database-strategy: github-advisory + aliases: clojure-lsp,test + deps-edn-path: deps.edn + suggest-fix: true + output-type: sarif + output-file: clj-watson-results.sarif + fail-on-result: false + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ${{github.workspace}}/clj-watson-results.sarif + wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/properties/clj-watson.properties.json b/code-scanning/properties/clj-watson.properties.json new file mode 100644 index 0000000..966314a --- /dev/null +++ b/code-scanning/properties/clj-watson.properties.json @@ -0,0 +1,9 @@ +{ + "name": "clj-watson", + "description": "Scan Clojure/Clojurescript projects for vulnerable direct/transitive dependencies.", + "iconName": "clj-watson", + "categories": [ + "Code Scanning", + "Clojure" + ] +} diff --git a/icons/clj-watson.svg b/icons/clj-watson.svg new file mode 100644 index 0000000..74459e5 --- /dev/null +++ b/icons/clj-watson.svg @@ -0,0 +1 @@ + \ No newline at end of file From 94d3aff4c62f40e4751c3c71c61b23c4ec02a072 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Tue, 12 Apr 2022 10:27:04 +0530 Subject: [PATCH 288/300] Remove creator property from rust-clippy This is owned by @josepalafox's BD team in GitHub. --- code-scanning/properties/rust-clippy.properties.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/code-scanning/properties/rust-clippy.properties.json b/code-scanning/properties/rust-clippy.properties.json index ea5c871..4737786 100644 --- a/code-scanning/properties/rust-clippy.properties.json +++ b/code-scanning/properties/rust-clippy.properties.json @@ -1,10 +1,9 @@ { "name": "rust-clippy", - "creator": "Rust", "description": "A collection of lints to catch common mistakes and improve your Rust code.", "iconName": "rust", "categories": [ "Code Scanning", "rust" ] -} \ No newline at end of file +} From ae0ff4dd3a81c243bea35ec3e2035ab14b94bc9e Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Tue, 12 Apr 2022 10:29:04 +0530 Subject: [PATCH 289/300] Add Actions team as CODEOWNERS for code-scanning starter workflows --- CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CODEOWNERS b/CODEOWNERS index 8866d17..91153de 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,3 +1,3 @@ * @actions/starter-workflows -/code-scanning/ @actions/advanced-security-code-scanning +/code-scanning/ @actions/advanced-security-code-scanning @actions/starter-workflows From 92b20ce19b85f9e2d7eb558aa665eb6ac9287cb5 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Wed, 13 Apr 2022 23:04:48 -0700 Subject: [PATCH 290/300] Add ESLint starter workflow (#1461) * Add ESLint starter workflow * Specify versions * update permission * Add typescript to categories * Update codeql action to v2; add comments * address review feedbacks * update categories --- code-scanning/eslint.yml | 49 +++++++++++++++++++ .../properties/eslint.properties.json | 11 +++++ icons/eslint.svg | 1 + 3 files changed, 61 insertions(+) create mode 100644 code-scanning/eslint.yml create mode 100644 code-scanning/properties/eslint.properties.json create mode 100644 icons/eslint.svg diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml new file mode 100644 index 0000000..9067a7d --- /dev/null +++ b/code-scanning/eslint.yml @@ -0,0 +1,49 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# ESLint is a tool for identifying and reporting on patterns +# found in ECMAScript/JavaScript code. +# More details at https://github.com/eslint/eslint +# and https://eslint.org + +name: ESLint + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + eslint: + name: Run eslint scanning + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Install ESLint + run: | + npm install eslint@8.10.0 + npm install @microsoft/eslint-formatter-sarif@2.1.7 + + - name: Run ESLint + run: npx eslint . + --config .eslintrc.js + --ext .js,.jsx,.ts,.tsx + --format @microsoft/eslint-formatter-sarif + --output-file eslint-results.sarif + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: eslint-results.sarif + wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/properties/eslint.properties.json b/code-scanning/properties/eslint.properties.json new file mode 100644 index 0000000..a84646a --- /dev/null +++ b/code-scanning/properties/eslint.properties.json @@ -0,0 +1,11 @@ +{ + "name": "ESLint", + "description": "A tool for identifying and reporting the problems found in ECMAScript/JavaScript code.", + "iconName": "eslint", + "categories": [ + "Code Scanning", + "JavaScript", + "EcmaScript", + "TypeScript" + ] +} \ No newline at end of file diff --git a/icons/eslint.svg b/icons/eslint.svg new file mode 100644 index 0000000..23964aa --- /dev/null +++ b/icons/eslint.svg @@ -0,0 +1 @@ + \ No newline at end of file From ac3c29ff5b1f47eab61e718d9a62519799d1a7a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Arko?= Date: Sun, 17 Apr 2022 03:07:19 -0700 Subject: [PATCH 291/300] Shorten Rails workflow name, in line with others The workflows for Ruby, RubyGem, Jekyll, and similar are all just the name of the language, package, or framework. This name change brings Rails in line with the other starters. --- ci/properties/rubyonrails.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/properties/rubyonrails.properties.json b/ci/properties/rubyonrails.properties.json index 49b29a4..7a2c18a 100644 --- a/ci/properties/rubyonrails.properties.json +++ b/ci/properties/rubyonrails.properties.json @@ -1,5 +1,5 @@ { - "name": "Ruby on Rails continuous integration", + "name": "Ruby on Rails", "description": "Build, lint, and test a Rails application", "iconName": "rails", "categories": ["Continuous integration", "Ruby", "Rails"] From 2885b083c9ae49c16188ad79cf15bab9e2107547 Mon Sep 17 00:00:00 2001 From: Jesse Glick Date: Mon, 18 Apr 2022 15:39:08 -0400 Subject: [PATCH 292/300] Update docker/build-push-action https://github.com/docker/build-push-action/commit/ac9327eae2b366085ac7f6a2d02df8aa8ead720a to pick up https://github.com/docker/build-push-action/pull/569 --- ci/docker-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 75f9770..a9fd4b3 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -72,7 +72,7 @@ jobs: # https://github.com/docker/build-push-action - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a with: context: . push: ${{ github.event_name != 'pull_request' }} From c06604910c9a4312db162077a4e46fa7aad61356 Mon Sep 17 00:00:00 2001 From: Jaiveer Katariya <35347859+jaiveerk@users.noreply.github.com> Date: Fri, 22 Apr 2022 04:10:20 -0400 Subject: [PATCH 293/300] Parallelize Jobs for AKS Starter Workflows (#1534) * Reworked AKS deployment workflows (#1403) * rebased to partner_templates * Renaming workflow * Updated corresponding properties.json files for the new aks workflows under deployments. * Updated properties.json titles for aks workflows * Renamed SECRET_NAME to IMAGE_PULL_SECRET_NAME * Moved permissions down to the job level * Updated documentation links * Updated permission for action to read * Removing redundant permissions * write -> read for actions * Updated descriptions * Less reference documentation in header * Added comments to each AKS Starter Workflow step Co-authored-by: Tommy Barnes * Update AKS workflows to not use imagePullSecrets (#1494) * removing old method of adding imagePullSecrets * fixing step casing * For testing: Dependency review starter workflow * changed back to image pull secret, added mask, clarified website and pull secret instructions * made changes to other aks files * Added back imagepullsecrets param to deploy action, reordered env vars * changing release version of deploy action * restructured starter workflows to parallelize secret creation and image building * renamed to buildImage and removed extra space * cleaned up some random newlines * removed extra space * removing changes from partner branch * removing changes from partner branch * through mistake in changing PR, two files lost step for createSecret Co-authored-by: Tommy Barnes Co-authored-by: Tommy Barnes Co-authored-by: Israel Miller Co-authored-by: Bishal Prasad Co-authored-by: Jaiveer Katariya Co-authored-by: Jaiveer Katariya --- deployments/azure-kubernetes-service-helm.yml | 55 ++++++++++++++--- .../azure-kubernetes-service-kompose.yml | 60 +++++++++++++++--- .../azure-kubernetes-service-kustomize.yml | 61 ++++++++++++++++--- deployments/azure-kubernetes-service.yml | 55 ++++++++++++++--- 4 files changed, 199 insertions(+), 32 deletions(-) diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index 948e7db..a5edeaa 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -9,17 +9,17 @@ # To configure this workflow: # # 1. Set the following secrets in your repository (instructions for getting these -# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux)): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID # - AZURE_SUBSCRIPTION_ID # # 2. Set the following environment variables (or replace the values below): # - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) # - RESOURCE_GROUP (where your cluster is deployed) # - CLUSTER_NAME (name of your AKS cluster) -# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) -# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image) # # 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Helm. # Set your helmChart, overrideFiles, overrides, and helm-version to suit your configuration. @@ -48,12 +48,11 @@ env: CHART_OVERRIDE_PATH: "your-chart-override-path" jobs: - build: + buildImage: permissions: actions: read contents: read id-token: write - runs-on: ubuntu-latest steps: # Checks out the repository this file is in @@ -72,6 +71,21 @@ jobs: run: | az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + createSecret: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + steps: + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - name: Get K8s context uses: azure/aks-set-context@v2.0 @@ -85,7 +99,9 @@ jobs: az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::add-mask::${ACR_USERNAME}" echo "::set-output name=username::${ACR_USERNAME}" + echo "::add-mask::${ACR_PASSWORD}" echo "::set-output name=password::${ACR_PASSWORD}" id: get-acr-creds @@ -96,7 +112,30 @@ jobs: container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io container-registry-username: ${{ steps.get-acr-creds.outputs.username }} container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + deploy: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + needs: [buildImage, createSecret] + steps: + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} # Runs Helm to create manifest files - name: Bake deployment @@ -112,11 +151,11 @@ jobs: # Deploys application based on manifest files from previous step - name: Deploy application - uses: Azure/k8s-deploy@v3.0 + uses: Azure/k8s-deploy@v3.1 with: action: deploy manifests: ${{ steps.bake.outputs.manifestsBundle }} images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} + ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index 7c25319..5b7e4d1 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -9,17 +9,17 @@ # To configure this workflow: # # 1. Set the following secrets in your repository (instructions for getting these -# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID # - AZURE_SUBSCRIPTION_ID # # 2. Set the following environment variables (or replace the values below): # - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) # - RESOURCE_GROUP (where your cluster is deployed) # - CLUSTER_NAME (name of your AKS cluster) -# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) -# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image) # # 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kompose. # Set your dockerComposeFile and kompose-version to suit your configuration. @@ -40,12 +40,11 @@ env: DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path" jobs: - build: + buildImage: permissions: actions: read contents: read id-token: write - runs-on: ubuntu-latest steps: # Checks out the repository this file is in @@ -63,7 +62,22 @@ jobs: - name: Build and push image to ACR run: | az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . - + + createSecret: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + steps: + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - name: Get K8s context uses: azure/aks-set-context@v2.0 @@ -77,7 +91,9 @@ jobs: az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::add-mask::${ACR_USERNAME}" echo "::set-output name=username::${ACR_USERNAME}" + echo "::add-mask::${ACR_PASSWORD}" echo "::set-output name=password::${ACR_PASSWORD}" id: get-acr-creds @@ -88,7 +104,33 @@ jobs: container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io container-registry-username: ${{ steps.get-acr-creds.outputs.username }} container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + deploy: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + needs: [buildImage, createSecret] + steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} # Runs Kompose to create manifest files - name: Bake deployment @@ -101,11 +143,11 @@ jobs: # Deploys application based on manifest files from previous step - name: Deploy application - uses: Azure/k8s-deploy@v3.0 + uses: Azure/k8s-deploy@v3.1 with: action: deploy manifests: ${{ steps.bake.outputs.manifestsBundle }} images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} + ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index f6928d0..305d6de 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -9,17 +9,17 @@ # To configure this workflow: # # 1. Set the following secrets in your repository (instructions for getting these -# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID # - AZURE_SUBSCRIPTION_ID # # 2. Set the following environment variables (or replace the values below): # - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) # - RESOURCE_GROUP (where your cluster is deployed) # - CLUSTER_NAME (name of your AKS cluster) -# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) -# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image) # # 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kustomize. # Set your kustomizationPath and kubectl-version to suit your configuration. @@ -46,12 +46,11 @@ env: KUSTOMIZE_PATH: "your-kustomize-path" jobs: - build: + buildImage: permissions: actions: read contents: read id-token: write - runs-on: ubuntu-latest steps: # Checks out the repository this file is in @@ -69,6 +68,24 @@ jobs: - name: Build and push image to ACR run: | az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + + createSecret: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - name: Get K8s context @@ -83,7 +100,9 @@ jobs: az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::add-mask::${ACR_USERNAME}" echo "::set-output name=username::${ACR_USERNAME}" + echo "::add-mask::${ACR_PASSWORD}" echo "::set-output name=password::${ACR_PASSWORD}" id: get-acr-creds @@ -94,7 +113,33 @@ jobs: container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io container-registry-username: ${{ steps.get-acr-creds.outputs.username }} container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + deploy: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + needs: [buildImage, createSecret] + steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} # Runs Kustomize to create manifest files - name: Bake deployment @@ -107,11 +152,11 @@ jobs: # Deploys application based on manifest files from previous step - name: Deploy application - uses: Azure/k8s-deploy@v3.0 + uses: Azure/k8s-deploy@v3.1 with: action: deploy manifests: ${{ steps.bake.outputs.manifestsBundle }} images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} + ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index bb513d4..c471793 100644 --- a/deployments/azure-kubernetes-service.yml +++ b/deployments/azure-kubernetes-service.yml @@ -8,8 +8,7 @@ # # To configure this workflow: # -# 1. Set the following secrets in your repository (instructions for getting these -# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# 1. Set the following secrets in your repository (instructions for getting these can be found at https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID # - AZURE_SUBSCRIPTION_ID @@ -19,7 +18,7 @@ # - RESOURCE_GROUP (where your cluster is deployed) # - CLUSTER_NAME (name of your AKS cluster) # - CONTAINER_NAME (name of the container image you would like to push up to your ACR) -# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image) # - DEPLOYMENT_MANIFEST_PATH (path to the manifest yaml for your deployment) # # For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions @@ -43,12 +42,11 @@ env: DEPLOYMENT_MANIFEST_PATH: 'your-deployment-manifest-path' jobs: - build: + buildImage: permissions: actions: read contents: read id-token: write - runs-on: ubuntu-latest steps: # Checks out the repository this file is in @@ -67,6 +65,21 @@ jobs: run: | az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + createSecret: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + steps: + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - name: Get K8s context uses: azure/aks-set-context@v2.0 @@ -80,7 +93,9 @@ jobs: az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::add-mask::${ACR_USERNAME}" echo "::set-output name=username::${ACR_USERNAME}" + echo "::add-mask::${ACR_PASSWORD}" echo "::set-output name=password::${ACR_PASSWORD}" id: get-acr-creds @@ -93,13 +108,39 @@ jobs: container-registry-password: ${{ steps.get-acr-creds.outputs.password }} secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + deploy: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + needs: [buildImage, createSecret] + steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + # Deploys application based on given manifest file - name: Deploys application - uses: Azure/k8s-deploy@v3.0 + uses: Azure/k8s-deploy@v3.1 with: action: deploy manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }} images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} + ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file From ad9daa8da372928e50064995bb1c2f542c0c345c Mon Sep 17 00:00:00 2001 From: Jaiveer Katariya <35347859+jaiveerk@users.noreply.github.com> Date: Sat, 23 Apr 2022 00:40:21 -0400 Subject: [PATCH 294/300] removed actions read permission from createSecret and buildImage steps (#1539) --- deployments/azure-kubernetes-service-helm.yml | 2 -- deployments/azure-kubernetes-service-kompose.yml | 2 -- deployments/azure-kubernetes-service-kustomize.yml | 2 -- deployments/azure-kubernetes-service.yml | 2 -- 4 files changed, 8 deletions(-) diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index a5edeaa..510abcd 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -50,7 +50,6 @@ env: jobs: buildImage: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest @@ -73,7 +72,6 @@ jobs: createSecret: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index 5b7e4d1..0cf23ba 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -42,7 +42,6 @@ env: jobs: buildImage: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest @@ -65,7 +64,6 @@ jobs: createSecret: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index 305d6de..14469db 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -48,7 +48,6 @@ env: jobs: buildImage: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest @@ -71,7 +70,6 @@ jobs: createSecret: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index c471793..d04a2ac 100644 --- a/deployments/azure-kubernetes-service.yml +++ b/deployments/azure-kubernetes-service.yml @@ -44,7 +44,6 @@ env: jobs: buildImage: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest @@ -67,7 +66,6 @@ jobs: createSecret: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest From a52cd5a16a7422970cf0d09ddd7489c0abcd1cf3 Mon Sep 17 00:00:00 2001 From: Tristram Oaten Date: Mon, 25 Apr 2022 15:02:37 +0100 Subject: [PATCH 295/300] Update setup-ruby to the latest release The default github action ruby template references this old commit which doesn't have any modern rubies https://github.com/ruby/setup-ruby/commit/473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e The fix is to update the pinned version to the latest release https://github.com/alphagov/forms-api/pull/3/commits/e3c8ad2759088a12ba9f3040d2c47c23799c8455 --- ci/ruby.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/ruby.yml b/ci/ruby.yml index 256aa14..7daf2cc 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -30,7 +30,7 @@ jobs: # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, # change this to (see https://github.com/ruby/setup-ruby#versioning): # uses: ruby/setup-ruby@v1 - uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e + uses: ruby/setup-ruby@e3c8ad2759088a12ba9f3040d2c47c23799c8455 with: ruby-version: ${{ matrix.ruby-version }} bundler-cache: true # runs 'bundle install' and caches installed gems automatically From a2a01a4b0b9b9f8f39c20efdd1f1eee8fd9772d2 Mon Sep 17 00:00:00 2001 From: Aditya Sharad <6874315+adityasharad@users.noreply.github.com> Date: Tue, 26 Apr 2022 02:26:34 -0700 Subject: [PATCH 296/300] CodeQL starter workflow: Replace git.io links git.io is deprecated. Replace the references with full links or aka.ms links to the same documentation. --- code-scanning/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 37109ab..0e57f4b 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -34,7 +34,7 @@ jobs: matrix: language: [ $detected-codeql-languages ] # CodeQL supports [ $supported-codeql-languages ] - # Learn more about CodeQL language support at https://git.io/codeql-language-support + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: - name: Checkout repository @@ -56,7 +56,7 @@ jobs: uses: github/codeql-action/autobuild@v2 # ℹ️ Command-line programs to run using the OS shell. - # 📚 https://git.io/JvXDl + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines # and modify them (or add more) to build your code if your project From 0ae51b0d1063d99894068034e0f6e7de60e6ec5b Mon Sep 17 00:00:00 2001 From: Tristram Oaten Date: Thu, 28 Apr 2022 10:58:56 +0100 Subject: [PATCH 297/300] fix sha --- ci/ruby.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/ruby.yml b/ci/ruby.yml index 7daf2cc..81ea363 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -30,7 +30,7 @@ jobs: # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, # change this to (see https://github.com/ruby/setup-ruby#versioning): # uses: ruby/setup-ruby@v1 - uses: ruby/setup-ruby@e3c8ad2759088a12ba9f3040d2c47c23799c8455 + uses: ruby/setup-ruby@2b019609e2b0f1ea1a2bc8ca11cb82ab46ada124 with: ruby-version: ${{ matrix.ruby-version }} bundler-cache: true # runs 'bundle install' and caches installed gems automatically From 662e915c0fe85c4d078b6de037bce62ebc69fe96 Mon Sep 17 00:00:00 2001 From: Bar Hofesh Date: Thu, 28 Apr 2022 22:01:20 +0300 Subject: [PATCH 298/300] Add NeuraLegion to starter workflows (#1203) * Added Neuralegion to starter workflows * Using an action * Fixed Indentation :) * Update neuralegion.yml Co-authored-by: Bishal Prasad --- code-scanning/neuralegion.yml | 175 ++++++++++++++++++ .../properties/neuralegion.properties.json | 24 +++ icons/neuralegion.svg | 57 ++++++ 3 files changed, 256 insertions(+) create mode 100644 code-scanning/neuralegion.yml create mode 100644 code-scanning/properties/neuralegion.properties.json create mode 100644 icons/neuralegion.svg diff --git a/code-scanning/neuralegion.yml b/code-scanning/neuralegion.yml new file mode 100644 index 0000000..e24e14a --- /dev/null +++ b/code-scanning/neuralegion.yml @@ -0,0 +1,175 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Run a Nexploit Scan +# This action runs a new security scan in Nexploit, or reruns an existing one. +# Build Secure Apps & APIs. Fast. +# [NeuraLegion](https://www.neuralegion.com) is a powerful dynamic application & API security testing (DAST) platform that security teams trust and developers love. +# Automatically Tests Every Aspect of Your Apps & APIs +# Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports +# Seamlessly integrates with the Tools and Workflows You Already Use +# +# NeuraLegion works with your existing CI/CD pipelines – trigger scans on every commit, pull request or build with unit testing. +# Spin-Up, Configure and Control Scans with Code +# One file. One command. One scan. No UI needed. +# +# Super-Fast Scans +# +# Interacts with applications and APIs, instead of just crawling them and guessing. +# Scans are fast as our AI-powered engine can understand application architecture and generate sophisticated and targeted attacks. +# +# No False Positives +# +# Stop chasing ghosts and wasting time. NeuraLegion doesn’t return false positives, so you can focus on releasing code. +# +# Comprehensive Security Testing +# +# NeuraLegion tests for all common vulnerabilities, such as SQL injection, CSRF, XSS, and XXE -- as well as uncommon vulnerabilities, such as business logic vulnerabilities. +# +# More information is available on NeuraLegion’s: +# * [Website](https://www.neuralegion.com/) +# * [Knowledge base](https://docs.neuralegion.com/docs/quickstart) +# * [YouTube channel](https://www.youtube.com/channel/UCoIC0T1pmozq3eKLsUR2uUw) +# * [GitHub Actions](https://github.com/marketplace?query=neuralegion+) +# +# Inputs +# +# `name` +# +# **Required**. Scan name. +# +# _Example:_ `name: GitHub scan ${{ github.sha }}` +# +# `api_token` +# +# **Required**. Your Nexploit API authorization token (key). You can generate it in the **Organization** section on [nexploit.app](https://nexploit.app/login). Find more information [here](https://kb.neuralegion.com/#/guide/np-web-ui/advanced-set-up/managing-org?id=managing-organization-apicli-authentication-tokens). +# +# _Example:_ `api_token: ${{ secrets.NEXPLOIT_TOKEN }}` +# +# `restart_scan` +# +# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).
Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements. +# +# _Example:_ `restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ)` +# +# `discovery_types` +# +# **Required**. Array of discovery types. The following types are available: +# * `archive` - uses an uploaded HAR-file for a scan +# * `crawler` - uses a crawler to define the attack surface for a scan +# * `oas` - uses an uploaded OpenAPI schema for a scan
+# If no discovery type is specified, `crawler` is applied by default. +# +# _Example:_ +# +# ```yml +# discovery_types: | +# [ "crawler", "archive" ] +# ``` +# +# `file_id` +# +# **Required** if the discovery type is set to `archive` or `oas`. ID of a HAR-file or an OpenAPI schema you want to use for a scan. You can get the ID of an uploaded HAR-file or an OpenAPI schema in the **Storage** section on [nexploit.app](https://nexploit.app/login). +# +# _Example:_ +# +# ``` +# FILE_ID=$(nexploit-cli archive:upload \ +# --token ${{ secrets.NEXPLOIT_TOKEN }} \ +# --discard true \ +# ./example.har) +# ``` +# +# `crawler_urls` +# +# **Required** if the discovery type is set to `crawler`. Target URLs to be used by the crawler to define the attack surface. +# +# _Example:_ +# +# ``` +# crawler_urls: | +# [ "http://vulnerable-bank.com" ] +# ``` +# +# `hosts_filter` +# +# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan. +# +# Outputs +# +# `url` +# +# Url of the resulting scan +# +# `id` +# +# ID of the created scan. This ID could then be used to restart the scan, or for the following GitHub actions: +# * [Nexploit Wait for Issues](https://github.com/marketplace/actions/nexploit-wait-for-issues) +# * [Nexploit Stop Scan](https://github.com/marketplace/actions/nexploit-stop-scan) +# +# Example usage +# +# Start a new scan with parameters +# +# ```yml +# steps: +# - name: Start Nexploit Scan +# id: start +# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe +# with: +# api_token: ${{ secrets.NEXPLOIT_TOKEN }} +# name: GitHub scan ${{ github.sha }} +# discovery_types: | +# [ "crawler", "archive" ] +# crawler_urls: | +# [ "http://vulnerable-bank.com" ] +# file_id: LiYknMYSdbSZbqgMaC9Sj +# hosts_filter: | +# [ ] +# - name: Get the output scan url +# run: echo "The scan was started on ${{ steps.start.outputs.url }}" +# ``` +# +# Restart an existing scan +# +# ```yml +# steps: +# - name: Start Nexploit Scan +# id: start +# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe +# with: +# api_token: ${{ secrets.NEXPLOIT_TOKEN }} +# name: GitHub scan ${{ github.sha }} +# restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ +# - name: Get the output scan url +# run: echo "The scan was started on ${{ steps.start.outputs.url }}" + + +name: "NeuraLegion" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + neuralegion_scan: + runs-on: ubuntu-18.04 + name: A job to run a Nexploit scan + steps: + - uses: actions/checkout@v2 + - name: Start Nexploit Scan 🏁 + id: start + uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe + with: + api_token: ${{ secrets.NEURALEGION_TOKEN }} + name: GitHub scan ${{ github.sha }} + discovery_types: | + [ "crawler" ] + crawler_urls: | + [ "https://brokencrystals.com" ] # ✏️ Update this to the url you wish to scan diff --git a/code-scanning/properties/neuralegion.properties.json b/code-scanning/properties/neuralegion.properties.json new file mode 100644 index 0000000..ee64a52 --- /dev/null +++ b/code-scanning/properties/neuralegion.properties.json @@ -0,0 +1,24 @@ +{ + "name": "NeuraLegion", + "creator": "NeuraLegion", + "description": "Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports", + "iconName": "neuralegion", + "categories": [ + "Code Scanning", + "C", + "C#", + "C++", + "Go", + "Java", + "JavaScript", + "Kotlin", + "Objective C", + "PHP", + "Python", + "Ruby", + "Rust", + "Scala", + "Swift", + "TypeScript" + ] +} diff --git a/icons/neuralegion.svg b/icons/neuralegion.svg new file mode 100644 index 0000000..0534225 --- /dev/null +++ b/icons/neuralegion.svg @@ -0,0 +1,57 @@ + + + + + + + + + NeuraLegion Logo + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From d09e57c7a386f2c92c1d0d5af960c03c79b02eb0 Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Thu, 28 Apr 2022 15:22:57 -0400 Subject: [PATCH 299/300] Adding workflow for sobelow (static analysis tool for the Phoenix framework) (#1528) * Adding sobelow workflow * Removing setup-beam dependency * Updating instructions --- .../properties/sobelow.properties.json | 11 +++++ code-scanning/sobelow.yml | 40 +++++++++++++++++++ icons/sobelow.svg | 20 ++++++++++ 3 files changed, 71 insertions(+) create mode 100644 code-scanning/properties/sobelow.properties.json create mode 100644 code-scanning/sobelow.yml create mode 100644 icons/sobelow.svg diff --git a/code-scanning/properties/sobelow.properties.json b/code-scanning/properties/sobelow.properties.json new file mode 100644 index 0000000..163e866 --- /dev/null +++ b/code-scanning/properties/sobelow.properties.json @@ -0,0 +1,11 @@ +{ + "name": "Sobelow", + "creator": "nccgroup", + "description": "Sobelow is a security-focused static analysis tool for the Phoenix framework.", + "iconName": "sobelow", + "categories": [ + "Code Scanning", + "Elixir" + ] + } + \ No newline at end of file diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml new file mode 100644 index 0000000..21cb6e7 --- /dev/null +++ b/code-scanning/sobelow.yml @@ -0,0 +1,40 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Sobelow is a security-focused static analysis tool for the Phoenix framework. https://sobelow.io/ +# +# To use this workflow, you must have GitHub Advanced Security (GHAS) enabled for your repository. +# +# Instructions: +# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository +# and review the "Security" tab once the action has run. +name: Sobelow + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + - id: run-action + uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912 + - name: Upload report + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif diff --git a/icons/sobelow.svg b/icons/sobelow.svg new file mode 100644 index 0000000..4d243ea --- /dev/null +++ b/icons/sobelow.svg @@ -0,0 +1,20 @@ + + + + + + + + From ca970a212491702286740f8f0b943e097bdb4de3 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Mon, 2 May 2022 12:23:29 +0530 Subject: [PATCH 300/300] Fix typo --- code-scanning/properties/dependency-review.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index e84278c..c195c73 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json @@ -1,6 +1,6 @@ { "name": "Dependency Review", - "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", + "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable dependencies to the repository", "iconName": "octicon mark-github", "categories": [ "Dependency review",