diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 8a042a5..f8e709f 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -41,9 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 + uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0 with: - cosign-release: 'v2.1.1' + cosign-release: 'v2.2.4' # Set up BuildKit Docker container builder to be able to build # multi-platform images and export cache diff --git a/ci/gradle.yml b/ci/gradle.yml index 65a332b..74dffb5 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -28,7 +28,7 @@ jobs: java-version: '17' distribution: 'temurin' - # Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies. + # Configure Gradle for optimal use in GitHub Actions, including caching of downloaded dependencies. # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md - name: Setup Gradle uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 6fdadb1..655fc59 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -76,6 +76,7 @@ jobs: # â„šī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - if: matrix.build-mode == 'manual' + shell: bash run: | echo 'If you are using a "manual" build mode for one or more of the' \ 'languages you are analyzing, replace this with the commands to build' \ diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml index c52b70e..01611e8 100644 --- a/code-scanning/fortify.yml +++ b/code-scanning/fortify.yml @@ -4,32 +4,31 @@ # documentation. ################################################################################################################################################ -# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,# -# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial # -# or contact our sales team, visit microfocus.com/appsecurity. # +# Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your # +# software supply chain. To learn more about Fortify, start a free trial or contact our sales team, visit fortify.com. # # # -# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.# -# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into # -# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against # -# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the # -# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional # -# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. # +# Use this starter workflow as a basis for integrating Fortify Application Security Testing into your GitHub workflows. This template # +# demonstrates the steps to package the code+dependencies, initiate a scan, and optionally import SAST vulnerabilities into GitHub Security # +# Code Scanning Alerts. Additional information is available in the workflow comments and the Fortify AST Action / fcli / Fortify product # +# documentation. If you need additional assistance, please contact Fortify support. # ################################################################################################################################################ -name: Fortify on Demand Scan +name: Fortify AST Scan -# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time +# Customize trigger events based on your DevSecOps process and/or policy on: - workflow_dispatch: push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above branches: [ $default-branch ] schedule: - cron: $cron-weekly + workflow_dispatch: jobs: - FoD-SAST-Scan: - # Use the appropriate runner for building your source code. - # TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax. + Fortify-AST-Scan: + # Use the appropriate runner for building your source code. Ensure dev tools required to build your code are present and configured appropriately (MSBuild, Python, etc). runs-on: ubuntu-latest permissions: actions: read @@ -41,58 +40,45 @@ jobs: - name: Check Out Source Code uses: actions/checkout@v4 - # Java is required to run the various Fortify utilities. - # When scanning a Java application, please use the appropriate Java version for building your application. + # Java is required to run the various Fortify utilities. Ensuring proper version is installed on the runner. - name: Setup Java - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: - java-version: 8 + java-version: 17 distribution: 'temurin' - # Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml. - # TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints: - # ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle). - # ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner. - # ScanCentral has additional options that should be set for PHP and Python projects - # For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation. - # ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/ - - name: Download Fortify ScanCentral Client - uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3 - - name: Package Code + Dependencies - run: scancentral package $PACKAGE_OPTS -o package.zip - env: - PACKAGE_OPTS: "-bt mvn" - - # Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java - # TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints: - # Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used). - # Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal. - - name: Download Fortify on Demand Universal CI Tool - uses: fortify/gha-setup-fod-uploader@6e6bb8a33cb476e240929fa8ebc739ff110e7433 - - name: Perform SAST Scan - run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES" - env: - FOD_URL: "https://ams.fortify.com/" - FOD_API_URL: "https://api.ams.fortify.com/" - FOD_TENANT: ${{ secrets.FOD_TENANT }} - FOD_USER: ${{ secrets.FOD_USER }} - FOD_PAT: ${{ secrets.FOD_PAT }} - FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }} - FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" - FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})' - - # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. - - name: Export results to GitHub-optimized SARIF - uses: fortify/gha-export-vulnerabilities@fcb374411cff9809028c911dabb8b57dbdae623b + # Perform SAST and optionally SCA scan via Fortify on Demand/Fortify Hosted/Software Security Center, then + # optionally export SAST results to the GitHub code scanning dashboard. In case further customization is + # required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools + # and run them directly from within your pipeline; see https://github.com/fortify/github-action#readme for + # details. + - name: Run FoD SAST Scan + uses: fortify/github-action@a92347297e02391b857e7015792cd1926a4cd418 with: - fod_base_url: "https://ams.fortify.com/" - fod_tenant: ${{ secrets.FOD_TENANT }} - fod_user: ${{ secrets.FOD_USER }} - fod_password: ${{ secrets.FOD_PAT }} - fod_release_id: ${{ secrets.FOD_RELEASE_ID }} - - # Import Fortify on Demand results to GitHub Security Code Scanning - - name: Import Results - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: ./gh-fortify-sast.sarif + sast-scan: true + env: + ### Required configuration when integrating with Fortify on Demand + FOD_URL: https://ams.fortify.com + FOD_TENANT: ${{secrets.FOD_TENANT}} + FOD_USER: ${{secrets.FOD_USER}} + FOD_PASSWORD: ${{secrets.FOD_PAT}} + ### Optional configuration when integrating with Fortify on Demand + # EXTRA_PACKAGE_OPTS: -oss # Extra 'scancentral package' options, like '-oss'' if + # Debricked SCA scan is enabled on Fortify on Demand + # EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options + # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: /:; may + # replace app+release name with numeric release ID + # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true' + # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard + ### Required configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral + # SSC_URL: ${{secrets.SSC_URL}} # SSC URL + # SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken or AutomationToken + # SC_SAST_TOKEN: ${{secrets.SC_SAST_TOKEN}} # ScanCentral SAST client auth token + # SC_SAST_SENSOR_VERSION: ${{vars.SC_SAST_SENSOR_VERSION}} # Sensor version on which to run the scan; + # usually defined as organization or repo variable + ### Optional configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral + # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options + # SSC_APPVERSION: MyApp:MyVersion # SSC application version, default: /: + # EXTRA_PACKAGE_OPTS: -bv myCustomPom.xml # Extra 'scancentral package' options + # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true' + # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard diff --git a/code-scanning/policy-validator-cfn.yaml b/code-scanning/policy-validator-cfn.yaml index b2cd163..8d32ce1 100644 --- a/code-scanning/policy-validator-cfn.yaml +++ b/code-scanning/policy-validator-cfn.yaml @@ -20,7 +20,8 @@ env: AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1 TEMPLATE_PATH: FILE_PATH_TO_CFN_TEMPLATE # set to the file path to the CloudFormation template. - ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's file path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. jobs: @@ -45,7 +46,7 @@ jobs: # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator - name: Run AWS AccessAnalyzer ValidatePolicy check id: run-aws-validate-policy - uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0 + uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2 with: policy-check-type: "VALIDATE_POLICY" template-path: ${{ env.TEMPLATE_PATH}} @@ -57,11 +58,12 @@ jobs: # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator - name: Run AWS AccessAnalyzer CheckAccessNotGranted check id: run-aws-check-access-not-granted - uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0 + uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2 with: policy-check-type: "CHECK_ACCESS_NOT_GRANTED" template-path: ${{ env.TEMPLATE_PATH}} actions: ${{ env.ACTIONS }} + resources: ${{ env.RESOURCES }} region: ${{ env.REGION }} # Print result from CHECK_ACCESS_NOT_GRANTED check - name: Print the result for CheckAccessNotGranted check @@ -71,14 +73,26 @@ jobs: # reference-policy is stored in GitHub secrets - name: Run AWS AccessAnalyzer CheckNoNewAccess check id: run-aws-check-no-new-access - uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0 + uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2 with: policy-check-type: "CHECK_NO_NEW_ACCESS" template-path: ${{ env.TEMPLATE_PATH}} - reference-policy: ${{ env.REFERENCE }} + reference-policy: ${{ env.REFERENCE_POLICY }} reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }} region: ${{env.REGION }} # Print result from CHECK_NO_NEW_ACCESS check - name: Print the result for CheckNoNewAccess check if: success() || failure() run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}" + # Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer CheckNoPublicAccess check + id: run-aws-check-no-public-access + uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2 + with: + policy-check-type: "CHECK_NO_PUBLIC_ACCESS" + template-path: ${{ env.TEMPLATE_PATH }} + region: ${{ env.REGION }} + # Print result from CHECK_NO_PUBLIC_ACCESS check + - name: Print the result for CheckNoPublicAccess check + if: success() || failure() + run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}" diff --git a/code-scanning/policy-validator-tf.yaml b/code-scanning/policy-validator-tf.yaml index 1ca77b5..07f884f 100644 --- a/code-scanning/policy-validator-tf.yaml +++ b/code-scanning/policy-validator-tf.yaml @@ -21,7 +21,8 @@ env: AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1 TEMPLATE_PATH: FILE_PATH_TO_THE_TF_PLAN # set this to the file path to the terraform plan in JSON - ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. @@ -48,7 +49,7 @@ jobs: # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator - name: Run AWS AccessAnalyzer ValidatePolicy check id: run-aws-validate-policy - uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0 + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 with: policy-check-type: "VALIDATE_POLICY" template-path: ${{ env.TEMPLATE_PATH }} @@ -60,11 +61,12 @@ jobs: # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator - name: Run AWS AccessAnalyzer CheckAccessNotGranted check id: run-aws-check-access-not-granted - uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0 + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 with: policy-check-type: "CHECK_ACCESS_NOT_GRANTED" template-path: ${{ env.TEMPLATE_PATH }} actions: ${{ env.ACTIONS }} + resources: ${{ env.RESOURCES }} region: ${{ env.REGION }} # Print result from CHECK_ACCESS_NOT_GRANTED check - name: Print the result for CheckAccessNotGranted check @@ -74,7 +76,7 @@ jobs: # reference-policy is stored in GitHub secrets - name: Run AWS AccessAnalyzer CheckNoNewAccess check id: run-aws-check-no-new-access - uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0 + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 with: policy-check-type: "CHECK_NO_NEW_ACCESS" template-path: ${{ env.TEMPLATE_PATH }} @@ -85,3 +87,15 @@ jobs: - name: Print the result CheckNoNewAccess check if: success() || failure() run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}" + # Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer CheckNoPublicAccess check + id: run-aws-check-no-public-access + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 + with: + policy-check-type: "CHECK_NO_PUBLIC_ACCESS" + template-path: ${{ env.TEMPLATE_PATH }} + region: ${{ env.REGION }} + # Print result from CHECK_NO_PUBLIC_ACCESS check + - name: Print the result for CheckNoPublicAccess check + if: success() || failure() + run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}" diff --git a/code-scanning/properties/fortify.properties.json b/code-scanning/properties/fortify.properties.json index 100b4bb..9a7511c 100644 --- a/code-scanning/properties/fortify.properties.json +++ b/code-scanning/properties/fortify.properties.json @@ -1,7 +1,7 @@ { - "name": "Fortify on Demand Scan", - "creator": "Micro Focus", - "description": "Integrate Fortify's comprehensive static code analysis (SAST) for 27+ languages into your DevSecOps workflows to build secure software faster.", + "name": "Fortify Scan", + "creator": "OpenText", + "description": "Integrate Fortify's comprehensive static code analysis (SAST) for 33+ languages into your DevSecOps workflows.", "iconName": "fortify", - "categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Go", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "Objective-C++", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML"] + "categories": ["Code Scanning", "ABAP", "ActionScript", "Bicep", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Dart", "Go", "HCL", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Solidity", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML", "YAML"] } diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 41075e4..0e7f274 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -46,13 +46,12 @@ jobs: - name: Analyze with SonarCloud # You can pin the exact commit or the version. - # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 - uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 + # uses: SonarSource/sonarcloud-github-action@v2.2.0 + uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) with: - # Additional arguments for the sonarcloud scanner + # Additional arguments for the SonarScanner CLI args: # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu) # mandatory @@ -60,9 +59,9 @@ jobs: -Dsonar.organization= # Comma-separated paths to directories containing main source files. #-Dsonar.sources= # optional, default is project base directory - # When you need the analysis to take place in a directory other than the one from which it was launched - #-Dsonar.projectBaseDir= # optional, default is . # Comma-separated paths to directories containing test source files. #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. #-Dsonar.verbose= # optional, default is false + # When you need the analysis to take place in a directory other than the one from which it was launched, default is . + projectBaseDir: . diff --git a/icons/fortify.svg b/icons/fortify.svg index 45a0d77..7033960 100644 --- a/icons/fortify.svg +++ b/icons/fortify.svg @@ -1 +1,29 @@ - \ No newline at end of file + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/pages/hugo.yml b/pages/hugo.yml index 141ad91..b4f316a 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -31,7 +31,7 @@ jobs: build: runs-on: ubuntu-latest env: - HUGO_VERSION: 0.124.1 + HUGO_VERSION: 0.128.0 steps: - name: Install Hugo CLI run: | @@ -50,9 +50,8 @@ jobs: run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true" - name: Build with Hugo env: - # For maximum backward compatibility with Hugo modules + HUGO_CACHEDIR: ${{ runner.temp }}/hugo_cache HUGO_ENVIRONMENT: production - HUGO_ENV: production run: | hugo \ --minify \ diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index f53d220..fcdaaad 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -156,13 +156,22 @@ async function checkWorkflow( await exec("git", ["checkout", "ghes"]); // In order to sync from main, we might need to remove some workflows, add some - // and modify others. The lazy approach is to delete all workflows first, and then + // and modify others. The lazy approach is to delete all workflows first (except from read-only folders), and then // just bring the compatible ones over from the main branch. We let git figure out // whether it's a deletion, add, or modify and commit the new state. console.log("Remove all workflows"); await exec("rm", ["-fr", ...settings.folders]); await exec("rm", ["-fr", "../../icons"]); + // Bring back the read-only folders + console.log("Restore read-only folders"); + for (let i = 0; i < settings.readOnlyFolders.length; i++) { + await exec("git", [ + "checkout", + settings.readOnlyFolders[i] + ]); + } + console.log("Sync changes from main for compatible workflows"); await exec("git", [ "checkout", @@ -171,10 +180,13 @@ async function checkWorkflow( ...Array.prototype.concat.apply( [], result.compatibleWorkflows.map((x) => { - const r = [ - join(x.folder, `${x.id}.yml`), - join(x.folder, "properties", `${x.id}.properties.json`), - ]; + const r = []; + + // Don't touch read-only folders + if (!settings.readOnlyFolders.includes(x.folder)) { + r.push(join(x.folder, `${x.id}.yml`)); + r.push(join(x.folder, "properties", `${x.id}.properties.json`)); + }; if (x.iconType === "svg") { r.push(join("../../icons", `${x.iconName}.svg`)); diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index 41d6bcd..ce18eb6 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -5,6 +5,9 @@ "../../code-scanning", "../../pages" ], + "readOnlyFolders": [ + "../../pages" + ], "enabledActions": [ "actions/cache", "actions/checkout",