diff --git a/.github/workflows/labeler-triage.yml b/.github/workflows/labeler-triage.yml
index eba05f0..99fdbc5 100644
--- a/.github/workflows/labeler-triage.yml
+++ b/.github/workflows/labeler-triage.yml
@@ -11,6 +11,6 @@ jobs:
triage:
runs-on: ubuntu-latest
steps:
- - uses: actions/labeler@v3
+ - uses: actions/labeler@v4
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
\ No newline at end of file
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 217078a..c319ce1 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -13,7 +13,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/stale@v3
+ - uses: actions/stale@v5
with:
stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.'
stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.'
diff --git a/.github/workflows/sync_ghes.yaml b/.github/workflows/sync_ghes.yaml
index 946218f..fb9c623 100644
--- a/.github/workflows/sync_ghes.yaml
+++ b/.github/workflows/sync_ghes.yaml
@@ -11,12 +11,12 @@ jobs:
contents: write
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- run: |
git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/*
git config user.email "cschleiden@github.com"
git config user.name "GitHub Actions"
- - uses: actions/setup-node@v2
+ - uses: actions/setup-node@v3
with:
node-version: '12'
- name: Check starter workflows for GHES compat
diff --git a/.github/workflows/validate-data.yaml b/.github/workflows/validate-data.yaml
index 7d5c1ee..d2ac9a5 100644
--- a/.github/workflows/validate-data.yaml
+++ b/.github/workflows/validate-data.yaml
@@ -10,9 +10,9 @@ jobs:
contents: read
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- - uses: actions/setup-node@v2
+ - uses: actions/setup-node@v3
with:
node-version: "12"
diff --git a/automation/label.yml b/automation/label.yml
index 5cdc45e..a8a1bd7 100644
--- a/automation/label.yml
+++ b/automation/label.yml
@@ -17,6 +17,6 @@ jobs:
pull-requests: write
steps:
- - uses: actions/labeler@v2
+ - uses: actions/labeler@v4
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/automation/stale.yml b/automation/stale.yml
index ff88dc0..1322eaf 100644
--- a/automation/stale.yml
+++ b/automation/stale.yml
@@ -18,7 +18,7 @@ jobs:
pull-requests: write
steps:
- - uses: actions/stale@v3
+ - uses: actions/stale@v5
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'Stale issue message'
diff --git a/ci/ada.yml b/ci/ada.yml
index a27902a..7e94b38 100644
--- a/ci/ada.yml
+++ b/ci/ada.yml
@@ -13,7 +13,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Set up GNAT toolchain
run: >
diff --git a/ci/android.yml b/ci/android.yml
index f289bd5..221fca5 100644
--- a/ci/android.yml
+++ b/ci/android.yml
@@ -12,9 +12,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
diff --git a/ci/ant.yml b/ci/ant.yml
index 0205d40..1614664 100644
--- a/ci/ant.yml
+++ b/ci/ant.yml
@@ -15,9 +15,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
diff --git a/ci/blank.yml b/ci/blank.yml
index 895e5d1..607e2cf 100644
--- a/ci/blank.yml
+++ b/ci/blank.yml
@@ -23,7 +23,7 @@ jobs:
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
# Runs a single command using the runners shell
- name: Run a one-line script
diff --git a/ci/c-cpp.yml b/ci/c-cpp.yml
index 88d1497..14d2eb9 100644
--- a/ci/c-cpp.yml
+++ b/ci/c-cpp.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: configure
run: ./configure
- name: make
diff --git a/ci/clojure.yml b/ci/clojure.yml
index 098918a..a76631a 100644
--- a/ci/clojure.yml
+++ b/ci/clojure.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Install dependencies
run: lein deps
- name: Run tests
diff --git a/ci/cmake.yml b/ci/cmake.yml
index 6c858b9..6f06f75 100644
--- a/ci/cmake.yml
+++ b/ci/cmake.yml
@@ -18,7 +18,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Configure CMake
# Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make.
diff --git a/ci/crystal.yml b/ci/crystal.yml
index 6552afa..18cc825 100644
--- a/ci/crystal.yml
+++ b/ci/crystal.yml
@@ -15,7 +15,7 @@ jobs:
image: crystallang/crystal
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Install dependencies
run: shards install
- name: Run tests
diff --git a/ci/d.yml b/ci/d.yml
index 6086681..350eeee 100644
--- a/ci/d.yml
+++ b/ci/d.yml
@@ -10,13 +10,16 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- uses: dlang-community/setup-dlang@4c99aa991ce7d19dd3064de0a4f2f6b2f152e2d7
- name: 'Build & Test'
diff --git a/ci/dart.yml b/ci/dart.yml
index 7486577..7bf352f 100644
--- a/ci/dart.yml
+++ b/ci/dart.yml
@@ -16,7 +16,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
# Note: This workflow uses the latest stable version of the Dart SDK.
# You can specify other versions if desired, see documentation here:
diff --git a/ci/datadog-synthetics.yml b/ci/datadog-synthetics.yml
new file mode 100644
index 0000000..7056f87
--- /dev/null
+++ b/ci/datadog-synthetics.yml
@@ -0,0 +1,38 @@
+# This workflow will trigger Datadog Synthetic tests within your Datadog organisation
+# For more information on running Synthetic tests within your GitHub workflows see: https://docs.datadoghq.com/synthetics/cicd_integrations/github_actions/
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# To get started:
+
+# 1. Add your Datadog API (DD_API_KEY) and Application Key (DD_APP_KEY) as secrets to your GitHub repository. For more information, see: https://docs.datadoghq.com/account_management/api-app-keys/.
+# 2. Start using the action within your workflow
+
+name: Run Datadog Synthetic tests
+
+on:
+ push:
+ branches: [ $default-branch ]
+ pull_request:
+ branches: [ $default-branch ]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v2
+
+ # Run Synthetic tests within your GitHub workflow.
+ # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci
+ - name: Run Datadog Synthetic tests
+ uses: DataDog/synthetics-ci-github-action@2b56dc0cca9daa14ab69c0d1d6844296de8f941e
+ with:
+ api_key: ${{secrets.DD_API_KEY}}
+ app_key: ${{secrets.DD_APP_KEY}}
+ test_search_query: 'tag:e2e-tests' #Modify this tag to suit your tagging strategy
+
+
diff --git a/ci/deno.yml b/ci/deno.yml
index 25e9e2a..2234bf6 100644
--- a/ci/deno.yml
+++ b/ci/deno.yml
@@ -14,13 +14,16 @@ on:
pull_request:
branches: [$default-branch]
+permissions:
+ contents: read
+
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Setup repo
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Setup Deno
# uses: denoland/setup-deno@v1
diff --git a/ci/django.yml b/ci/django.yml
index dbde266..79550cc 100644
--- a/ci/django.yml
+++ b/ci/django.yml
@@ -16,9 +16,9 @@ jobs:
python-version: [3.7, 3.8, 3.9]
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: ${{ matrix.python-version }}
- name: Install Dependencies
diff --git a/ci/docker-image.yml b/ci/docker-image.yml
index 78532a3..cc9cd6e 100644
--- a/ci/docker-image.yml
+++ b/ci/docker-image.yml
@@ -13,6 +13,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Build the Docker image
run: docker build . --file Dockerfile --tag my-image-name:$(date +%s)
diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml
index 977635a..7b6add3 100644
--- a/ci/docker-publish.yml
+++ b/ci/docker-publish.yml
@@ -35,7 +35,7 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Install the cosign tool except on PR
# https://github.com/sigstore/cosign-installer
diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml
index 0635779..170b3f6 100644
--- a/ci/dotnet-desktop.yml
+++ b/ci/dotnet-desktop.yml
@@ -63,13 +63,13 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
with:
fetch-depth: 0
# Install the .NET Core workload
- name: Install .NET Core
- uses: actions/setup-dotnet@v1
+ uses: actions/setup-dotnet@v2
with:
dotnet-version: 5.0.x
@@ -109,7 +109,7 @@ jobs:
# Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact
- name: Upload build artifacts
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v3
with:
name: MSIX Package
path: ${{ env.Wap_Project_Directory }}\AppPackages
diff --git a/ci/dotnet.yml b/ci/dotnet.yml
index c31cf68..5974d4a 100644
--- a/ci/dotnet.yml
+++ b/ci/dotnet.yml
@@ -12,9 +12,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Setup .NET
- uses: actions/setup-dotnet@v1
+ uses: actions/setup-dotnet@v2
with:
dotnet-version: 5.0.x
- name: Restore dependencies
diff --git a/ci/elixir.yml b/ci/elixir.yml
index afe01be..6c76f54 100644
--- a/ci/elixir.yml
+++ b/ci/elixir.yml
@@ -1,31 +1,34 @@
-name: Elixir CI
-
-on:
- push:
- branches: [ $default-branch ]
- pull_request:
- branches: [ $default-branch ]
-
-jobs:
- build:
-
- name: Build and test
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v2
- - name: Set up Elixir
- uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f
- with:
- elixir-version: '1.12.3' # Define the elixir version [required]
- otp-version: '24.1' # Define the OTP version [required]
- - name: Restore dependencies cache
- uses: actions/cache@v2
- with:
- path: deps
- key: ${{ runner.os }}-mix-${{ hashFiles('**/mix.lock') }}
- restore-keys: ${{ runner.os }}-mix-
- - name: Install dependencies
- run: mix deps.get
- - name: Run tests
- run: mix test
+name: Elixir CI
+
+on:
+ push:
+ branches: [ $default-branch ]
+ pull_request:
+ branches: [ $default-branch ]
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+
+ name: Build and test
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+ - name: Set up Elixir
+ uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f
+ with:
+ elixir-version: '1.12.3' # Define the elixir version [required]
+ otp-version: '24.1' # Define the OTP version [required]
+ - name: Restore dependencies cache
+ uses: actions/cache@v3
+ with:
+ path: deps
+ key: ${{ runner.os }}-mix-${{ hashFiles('**/mix.lock') }}
+ restore-keys: ${{ runner.os }}-mix-
+ - name: Install dependencies
+ run: mix deps.get
+ - name: Run tests
+ run: mix test
diff --git a/ci/erlang.yml b/ci/erlang.yml
index 25cb893..984b83a 100644
--- a/ci/erlang.yml
+++ b/ci/erlang.yml
@@ -6,6 +6,9 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
@@ -16,7 +19,7 @@ jobs:
image: erlang:22.0.7
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Compile
run: rebar3 compile
- name: Run tests
diff --git a/ci/gem-push.yml b/ci/gem-push.yml
index 3dc62be..8905272 100644
--- a/ci/gem-push.yml
+++ b/ci/gem-push.yml
@@ -15,7 +15,7 @@ jobs:
packages: write
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Ruby 2.6
uses: actions/setup-ruby@v1
with:
diff --git a/ci/go.yml b/ci/go.yml
index afff652..6f498a6 100644
--- a/ci/go.yml
+++ b/ci/go.yml
@@ -11,10 +11,10 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Go
- uses: actions/setup-go@v2
+ uses: actions/setup-go@v3
with:
go-version: 1.17
diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml
index 9fdc851..9aeb2b8 100644
--- a/ci/gradle-publish.yml
+++ b/ci/gradle-publish.yml
@@ -20,9 +20,9 @@ jobs:
packages: write
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
@@ -30,14 +30,14 @@ jobs:
settings-path: ${{ github.workspace }} # location for the settings.xml file
- name: Build with Gradle
- uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7
+ uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
with:
arguments: build
# The USERNAME and TOKEN need to correspond to the credentials environment variables used in
# the publishing section of your build.gradle
- name: Publish to GitHub Packages
- uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7
+ uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
with:
arguments: publish
env:
diff --git a/ci/gradle.yml b/ci/gradle.yml
index 11b4ea6..4642c75 100644
--- a/ci/gradle.yml
+++ b/ci/gradle.yml
@@ -22,13 +22,13 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
- name: Build with Gradle
- uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7
+ uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
with:
arguments: build
diff --git a/ci/haskell.yml b/ci/haskell.yml
index c1d7dc7..5693f90 100644
--- a/ci/haskell.yml
+++ b/ci/haskell.yml
@@ -6,20 +6,23 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- uses: actions/setup-haskell@v1
with:
ghc-version: '8.10.3'
cabal-version: '3.2'
- name: Cache
- uses: actions/cache@v1
+ uses: actions/cache@v3
env:
cache-name: cache-cabal
with:
diff --git a/ci/ios.yml b/ci/ios.yml
index ab92d32..5cec5e7 100644
--- a/ci/ios.yml
+++ b/ci/ios.yml
@@ -13,7 +13,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Set Default Scheme
run: |
scheme_list=$(xcodebuild -list -json | tr -d "\n")
diff --git a/ci/jekyll.yml b/ci/jekyll.yml
index 71920c1..6a98dea 100644
--- a/ci/jekyll.yml
+++ b/ci/jekyll.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Build the site in the jekyll/builder container
run: |
docker run \
diff --git a/ci/laravel.yml b/ci/laravel.yml
index 5f4e6c9..e778d7b 100644
--- a/ci/laravel.yml
+++ b/ci/laravel.yml
@@ -15,7 +15,7 @@ jobs:
- uses: shivammathur/setup-php@15c43e89cdef867065b0213be354c2841860869e
with:
php-version: '8.0'
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Copy .env
run: php -r "file_exists('.env') || copy('.env.example', '.env');"
- name: Install Dependencies
diff --git a/ci/makefile.yml b/ci/makefile.yml
index eafe622..0156944 100644
--- a/ci/makefile.yml
+++ b/ci/makefile.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: configure
run: ./configure
diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml
index 319f9a1..dab69fe 100644
--- a/ci/maven-publish.yml
+++ b/ci/maven-publish.yml
@@ -16,9 +16,9 @@ jobs:
packages: write
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
diff --git a/ci/maven.yml b/ci/maven.yml
index f301fe0..65e0dff 100644
--- a/ci/maven.yml
+++ b/ci/maven.yml
@@ -15,9 +15,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
diff --git a/ci/msbuild.yml b/ci/msbuild.yml
index 29b6ace..3cd8f01 100644
--- a/ci/msbuild.yml
+++ b/ci/msbuild.yml
@@ -1,6 +1,10 @@
name: MSBuild
-on: [push]
+on:
+ push:
+ branches: [ $default-branch ]
+ pull_request:
+ branches: [ $default-branch ]
env:
# Path to the solution file relative to the root of the project.
@@ -16,7 +20,7 @@ jobs:
runs-on: windows-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Add MSBuild to PATH
uses: microsoft/setup-msbuild@v1.0.2
diff --git a/ci/node.js.yml b/ci/node.js.yml
index 8d1b9c7..87ef0d8 100644
--- a/ci/node.js.yml
+++ b/ci/node.js.yml
@@ -20,9 +20,9 @@ jobs:
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v2
+ uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
cache: 'npm'
diff --git a/ci/npm-grunt.yml b/ci/npm-grunt.yml
index 8c83cb6..eda97e1 100644
--- a/ci/npm-grunt.yml
+++ b/ci/npm-grunt.yml
@@ -15,10 +15,10 @@ jobs:
node-version: [12.x, 14.x, 16.x]
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v1
+ uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
diff --git a/ci/npm-gulp.yml b/ci/npm-gulp.yml
index cc5da13..504f22e 100644
--- a/ci/npm-gulp.yml
+++ b/ci/npm-gulp.yml
@@ -15,10 +15,10 @@ jobs:
node-version: [12.x, 14.x, 16.x]
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v1
+ uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
diff --git a/ci/npm-publish-github-packages.yml b/ci/npm-publish-github-packages.yml
index 09ff0b3..638ccf8 100644
--- a/ci/npm-publish-github-packages.yml
+++ b/ci/npm-publish-github-packages.yml
@@ -11,8 +11,8 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-node@v2
+ - uses: actions/checkout@v3
+ - uses: actions/setup-node@v3
with:
node-version: 16
- run: npm ci
@@ -25,8 +25,8 @@ jobs:
contents: read
packages: write
steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-node@v2
+ - uses: actions/checkout@v3
+ - uses: actions/setup-node@v3
with:
node-version: 16
registry-url: $registry-url(npm)
diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml
index ef8c690..c461c85 100644
--- a/ci/npm-publish.yml
+++ b/ci/npm-publish.yml
@@ -11,8 +11,8 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-node@v2
+ - uses: actions/checkout@v3
+ - uses: actions/setup-node@v3
with:
node-version: 16
- run: npm ci
@@ -22,8 +22,8 @@ jobs:
needs: build
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-node@v2
+ - uses: actions/checkout@v3
+ - uses: actions/setup-node@v3
with:
node-version: 16
registry-url: https://registry.npmjs.org/
diff --git a/ci/objective-c-xcode.yml b/ci/objective-c-xcode.yml
index db009b0..1373878 100644
--- a/ci/objective-c-xcode.yml
+++ b/ci/objective-c-xcode.yml
@@ -13,7 +13,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Set Default Scheme
run: |
scheme_list=$(xcodebuild -list -json | tr -d "\n")
diff --git a/ci/php.yml b/ci/php.yml
index 6acfdd1..a3bdfd7 100644
--- a/ci/php.yml
+++ b/ci/php.yml
@@ -6,20 +6,23 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Validate composer.json and composer.lock
run: composer validate --strict
- name: Cache Composer packages
id: composer-cache
- uses: actions/cache@v2
+ uses: actions/cache@v3
with:
path: vendor
key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }}
diff --git a/ci/properties/datadog-synthetics.properties.json b/ci/properties/datadog-synthetics.properties.json
new file mode 100644
index 0000000..edbb086
--- /dev/null
+++ b/ci/properties/datadog-synthetics.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Datadog Synthetics",
+ "description": "Run Datadog Synthetic tests within your GitHub Actions workflow",
+ "creator": "Datadog",
+ "iconName": "datadog",
+ "categories": ["Continuous integration", "JavaScript", "TypeScript", "Testing"]
+}
diff --git a/ci/pylint.yml b/ci/pylint.yml
index 7b555fe..383e65c 100644
--- a/ci/pylint.yml
+++ b/ci/pylint.yml
@@ -9,9 +9,9 @@ jobs:
matrix:
python-version: ["3.8", "3.9", "3.10"]
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: ${{ matrix.python-version }}
- name: Install dependencies
diff --git a/ci/python-app.yml b/ci/python-app.yml
index 2cfc2a3..4b7fa5f 100644
--- a/ci/python-app.yml
+++ b/ci/python-app.yml
@@ -9,15 +9,18 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python 3.10
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: "3.10"
- name: Install dependencies
diff --git a/ci/python-package-conda.yml b/ci/python-package-conda.yml
index 9bd6d2b..57940bd 100644
--- a/ci/python-package-conda.yml
+++ b/ci/python-package-conda.yml
@@ -9,9 +9,9 @@ jobs:
max-parallel: 5
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python 3.10
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: 3.10
- name: Add conda to system path
diff --git a/ci/python-package.yml b/ci/python-package.yml
index b0a63cf..583a366 100644
--- a/ci/python-package.yml
+++ b/ci/python-package.yml
@@ -19,9 +19,9 @@ jobs:
python-version: ["3.8", "3.9", "3.10"]
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: ${{ matrix.python-version }}
- name: Install dependencies
diff --git a/ci/python-publish.yml b/ci/python-publish.yml
index 3bfabfc..f55528c 100644
--- a/ci/python-publish.yml
+++ b/ci/python-publish.yml
@@ -18,9 +18,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: '3.x'
- name: Install dependencies
diff --git a/ci/r.yml b/ci/r.yml
index 305c2cf..68f02d7 100644
--- a/ci/r.yml
+++ b/ci/r.yml
@@ -14,6 +14,9 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: macos-latest
@@ -22,7 +25,7 @@ jobs:
r-version: ['3.6.3', '4.1.1']
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up R ${{ matrix.r-version }}
uses: r-lib/actions/setup-r@f57f1301a053485946083d7a45022b278929a78a
with:
diff --git a/ci/ruby.yml b/ci/ruby.yml
index f6ae1e3..256aa14 100644
--- a/ci/ruby.yml
+++ b/ci/ruby.yml
@@ -13,6 +13,9 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
test:
@@ -22,7 +25,7 @@ jobs:
ruby-version: ['2.6', '2.7', '3.0']
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Ruby
# To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
# change this to (see https://github.com/ruby/setup-ruby#versioning):
diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml
index b7b3624..2ad891f 100644
--- a/ci/rubyonrails.yml
+++ b/ci/rubyonrails.yml
@@ -27,7 +27,7 @@ jobs:
DATABASE_URL: "postgres://rails:password@localhost:5432/rails_test"
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Add or replace dependency steps here
- name: Install Ruby and gems
uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92
@@ -44,7 +44,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Install Ruby and gems
uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92
with:
diff --git a/ci/rust.yml b/ci/rust.yml
index 6c82c61..d51f1af 100644
--- a/ci/rust.yml
+++ b/ci/rust.yml
@@ -15,7 +15,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Build
run: cargo build --verbose
- name: Run tests
diff --git a/ci/scala.yml b/ci/scala.yml
index af6b2ed..c985f74 100644
--- a/ci/scala.yml
+++ b/ci/scala.yml
@@ -6,15 +6,18 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
diff --git a/ci/super-linter.yml b/ci/super-linter.yml
index bebd82d..275b34f 100644
--- a/ci/super-linter.yml
+++ b/ci/super-linter.yml
@@ -16,7 +16,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
with:
# Full git history is needed to get a proper list of changed files within `super-linter`
fetch-depth: 0
diff --git a/ci/swift.yml b/ci/swift.yml
index df062b5..3668fc0 100644
--- a/ci/swift.yml
+++ b/ci/swift.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: macos-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Build
run: swift build -v
- name: Run tests
diff --git a/ci/symfony.yml b/ci/symfony.yml
index 7d1ca74..d1ac71a 100644
--- a/ci/symfony.yml
+++ b/ci/symfony.yml
@@ -6,6 +6,9 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
symfony-tests:
runs-on: ubuntu-latest
@@ -16,12 +19,12 @@ jobs:
- uses: shivammathur/setup-php@2cb9b829437ee246e9b3cac53555a39208ca6d28
with:
php-version: '8.0'
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Copy .env.test.local
run: php -r "file_exists('.env.test.local') || copy('.env.test', '.env.test.local');"
- name: Cache Composer packages
id: composer-cache
- uses: actions/cache@v2
+ uses: actions/cache@v3
with:
path: vendor
key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }}
diff --git a/ci/webpack.yml b/ci/webpack.yml
index 8edb34f..6449fe7 100644
--- a/ci/webpack.yml
+++ b/ci/webpack.yml
@@ -15,10 +15,10 @@ jobs:
node-version: [12.x, 14.x, 16.x]
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v1
+ uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml
index fcca708..64264e4 100644
--- a/code-scanning/anchore.yml
+++ b/code-scanning/anchore.yml
@@ -31,7 +31,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout the code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Build the Docker image
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
- name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml
index 3aa06ca..4737d06 100644
--- a/code-scanning/apisec-scan.yml
+++ b/code-scanning/apisec-scan.yml
@@ -42,8 +42,13 @@ on:
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
Trigger APIsec scan:
+ permissions:
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
@@ -61,4 +66,4 @@ jobs:
- name: Import results
uses: github/codeql-action/upload-sarif@v1
with:
- sarif_file: ./apisec-results.sarif
\ No newline at end of file
+ sarif_file: ./apisec-results.sarif
diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml
index ae5215a..3237551 100644
--- a/code-scanning/brakeman.yml
+++ b/code-scanning/brakeman.yml
@@ -17,14 +17,20 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
brakeman-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Brakeman Scan
runs-on: ubuntu-latest
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Customize the ruby version depending on your needs
- name: Setup Ruby
diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml
index d012bce..d86d4f9 100644
--- a/code-scanning/checkmarx.yml
+++ b/code-scanning/checkmarx.yml
@@ -34,7 +34,7 @@ jobs:
# Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional)
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
# Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs
- name: Checkmarx CxFlow Action
uses: checkmarx-ts/checkmarx-cxflow-github-action@9975af7d6b957abec9ee9646effa3fb3b82c5314
diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml
new file mode 100644
index 0000000..4150cbb
--- /dev/null
+++ b/code-scanning/clj-holmes.yml
@@ -0,0 +1,43 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: clj-holmes
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ clj-holmes:
+ name: Run clj-holmes scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Scan code
+ uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb
+ with:
+ rules-repository: 'git://org/private-rules-repo#main'
+ output-type: 'sarif'
+ output-file: 'clj-holmes-results.sarif'
+ fail-on-result: 'false'
+
+ - name: Upload analysis results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: ${{github.workspace}}/clj-holmes-results.sarif
+ ait-for-processing: true
\ No newline at end of file
diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml
index 00e270a..0d6b3de 100644
--- a/code-scanning/cloudrail.yml
+++ b/code-scanning/cloudrail.yml
@@ -24,7 +24,7 @@ jobs:
steps:
- name: Clone repo
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# For Terraform, Cloudrail requires the plan as input. So we generate it using
# the Terraform core binary.
diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml
index 50185ad..8100be8 100644
--- a/code-scanning/codacy.yml
+++ b/code-scanning/codacy.yml
@@ -22,14 +22,20 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
codacy-security-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Codacy Security Scan
runs-on: ubuntu-latest
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
- name: Run Codacy Analysis CLI
diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml
index 57b4b69..cd9a683 100644
--- a/code-scanning/codeql.yml
+++ b/code-scanning/codeql.yml
@@ -38,7 +38,7 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml
index 5886843..bc65eb0 100644
--- a/code-scanning/codescan.yml
+++ b/code-scanning/codescan.yml
@@ -22,9 +22,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Cache files
- uses: actions/cache@v2
+ uses: actions/cache@v3
with:
path: |
~/.sonar
diff --git a/code-scanning/crunch42.yml b/code-scanning/crunch42.yml
index e8e2447..07cd73a 100644
--- a/code-scanning/crunch42.yml
+++ b/code-scanning/crunch42.yml
@@ -43,7 +43,7 @@ jobs:
security-events: write # for 42Crunch/api-security-audit-action to upload results to Github Code Scanning
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: 42Crunch REST API Static Security Testing
uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1
diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml
index a8610c3..1118c3d 100644
--- a/code-scanning/detekt.yml
+++ b/code-scanning/detekt.yml
@@ -45,7 +45,7 @@ jobs:
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
# Gets the download URL associated with the $DETEKT_RELEASE_TAG
- name: Get Detekt download URL
diff --git a/code-scanning/devskim.yml b/code-scanning/devskim.yml
index 3a5c45f..e057348 100644
--- a/code-scanning/devskim.yml
+++ b/code-scanning/devskim.yml
@@ -23,7 +23,7 @@ jobs:
security-events: write
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Run DevSkim scanner
uses: microsoft/DevSkim-Action@v1
diff --git a/code-scanning/flawfinder.yml b/code-scanning/flawfinder.yml
index 080953e..697e561 100644
--- a/code-scanning/flawfinder.yml
+++ b/code-scanning/flawfinder.yml
@@ -24,7 +24,7 @@ jobs:
security-events: write
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: flawfinder_scan
uses: david-a-wheeler/flawfinder@8e4a779ad59dbfaee5da586aa9210853b701959c
diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml
index d67d194..83f99c1 100644
--- a/code-scanning/fortify.yml
+++ b/code-scanning/fortify.yml
@@ -39,14 +39,15 @@ jobs:
steps:
# Check out source code
- name: Check Out Source Code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Java is required to run the various Fortify utilities.
# When scanning a Java application, please use the appropriate Java version for building your application.
- name: Setup Java
- uses: actions/setup-java@v1
+ uses: actions/setup-java@v3
with:
- java-version: 1.8
+ java-version: 8
+ distribution: 'temurin'
# Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml.
# TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints:
diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml
index 1cad70c..81ebaa7 100644
--- a/code-scanning/kubesec.yml
+++ b/code-scanning/kubesec.yml
@@ -24,7 +24,7 @@ jobs:
security-events: write
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Run kubesec scanner
uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14
diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml
index 59d66a0..ed424f1 100644
--- a/code-scanning/mayhem-for-api.yml
+++ b/code-scanning/mayhem-for-api.yml
@@ -42,7 +42,7 @@ jobs:
contents: read
security-events: write
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
# Run your API in the background. Ideally, the API would run in debug
# mode & send stacktraces back on "500 Internal Server Error" responses
diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml
index 689a1a0..96655af 100644
--- a/code-scanning/mobsf.yml
+++ b/code-scanning/mobsf.yml
@@ -13,15 +13,21 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
mobile-security:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Setup python
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: 3.8
@@ -33,4 +39,4 @@ jobs:
- name: Upload mobsfscan report
uses: github/codeql-action/upload-sarif@v1
with:
- sarif_file: results.sarif
\ No newline at end of file
+ sarif_file: results.sarif
diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml
index 1503319..13e58ef 100644
--- a/code-scanning/msvc.yml
+++ b/code-scanning/msvc.yml
@@ -20,14 +20,20 @@ env:
# Path to the CMake build directory.
build: '${{ github.workspace }}/build'
+permissions:
+ contents: read
+
jobs:
analyze:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Analyze
runs-on: windows-latest
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Configure CMake
run: cmake -B ${{ env.build }}
@@ -53,7 +59,7 @@ jobs:
# Upload SARIF file as an Artifact to download and view
# - name: Upload SARIF as an Artifact
- # uses: actions/upload-artifact@v2
+ # uses: actions/upload-artifact@v3
# with:
# name: sarif-file
# path: ${{ steps.run-analysis.outputs.sarif }}
diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml
index 8077f76..16ade3b 100644
--- a/code-scanning/njsscan.yml
+++ b/code-scanning/njsscan.yml
@@ -17,13 +17,19 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
njsscan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
name: njsscan code scanning
steps:
- name: Checkout the code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: nodejsscan scan
id: njsscan
uses: ajinabraham/njsscan-action@7237412fdd36af517e2745077cedbf9d6900d711
diff --git a/code-scanning/nowsecure.yml b/code-scanning/nowsecure.yml
index 92126bd..fbca537 100644
--- a/code-scanning/nowsecure.yml
+++ b/code-scanning/nowsecure.yml
@@ -34,7 +34,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Build your application
run: ./gradlew assembleDebug # Update this to build your Android or iOS application
diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml
index b5aefa4..a6f6aa7 100644
--- a/code-scanning/ossar.yml
+++ b/code-scanning/ossar.yml
@@ -25,7 +25,7 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Ensure a compatible version of dotnet is installed.
# The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201.
@@ -33,7 +33,7 @@ jobs:
# GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped.
# For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action:
# - name: Install .NET
- # uses: actions/setup-dotnet@v1
+ # uses: actions/setup-dotnet@v2
# with:
# dotnet-version: '3.1.x'
diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml
index 0604734..cd88c34 100644
--- a/code-scanning/pmd.yml
+++ b/code-scanning/pmd.yml
@@ -17,9 +17,9 @@ jobs:
pmd-code-scan:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml
index dfbf452..e70dd96 100644
--- a/code-scanning/powershell.yml
+++ b/code-scanning/powershell.yml
@@ -22,7 +22,7 @@ jobs:
name: PSScriptAnalyzer
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Run PSScriptAnalyzer
uses: microsoft/psscriptanalyzer-action@2044ae068e37d0161fa2127de04c19633882f061
diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml
index 5323d1b..07be948 100644
--- a/code-scanning/prisma.yml
+++ b/code-scanning/prisma.yml
@@ -21,13 +21,19 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
prisma_cloud_iac_scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
name: Run Prisma Cloud IaC Scan to check
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- id: iac-scan
name: Run Scan on CFT files in the repository
uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3
diff --git a/code-scanning/properties/clj-holmes.properties.json b/code-scanning/properties/clj-holmes.properties.json
new file mode 100644
index 0000000..71f29c0
--- /dev/null
+++ b/code-scanning/properties/clj-holmes.properties.json
@@ -0,0 +1,10 @@
+{
+ "name": "clj-holmes",
+ "creator": "Matheus Bernardes",
+ "description": "A Static Application Security Testing tool to find vulnerable Clojure code via rules that use a simple pattern language.",
+ "iconName": "clj-holmes",
+ "categories": [
+ "Code Scanning",
+ "clojure"
+ ]
+}
\ No newline at end of file
diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml
index 373d5b6..4ab8001 100644
--- a/code-scanning/rubocop.yml
+++ b/code-scanning/rubocop.yml
@@ -23,7 +23,7 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# If running on a self-hosted runner, check it meets the requirements
# listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml
index 618ce28..a6bde3a 100644
--- a/code-scanning/scorecards.yml
+++ b/code-scanning/scorecards.yml
@@ -22,12 +22,12 @@ jobs:
steps:
- name: "Checkout code"
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+ uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0
with:
persist-credentials: false
- name: "Run analysis"
- uses: ossf/scorecard-action@c8416b0b2bf627c349ca92fc8e3de51a64b005cf # v1.0.2
+ uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4
with:
results_file: results.sarif
results_format: sarif
@@ -42,7 +42,7 @@ jobs:
# Upload the results as artifacts (optional).
- name: "Upload artifact"
- uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
+ uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
with:
name: SARIF file
path: results.sarif
diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml
index 3063c7a..0b2fa57 100644
--- a/code-scanning/securitycodescan.yml
+++ b/code-scanning/securitycodescan.yml
@@ -21,7 +21,7 @@ jobs:
SCS:
runs-on: windows-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- uses: nuget/setup-nuget@04b0c2b8d1b97922f67eca497d7cf0bf17b8ffe1
- uses: microsoft/setup-msbuild@v1.0.2
diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml
index 827387b..86c3647 100644
--- a/code-scanning/semgrep.yml
+++ b/code-scanning/semgrep.yml
@@ -19,13 +19,19 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
semgrep:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Scan
runs-on: ubuntu-latest
steps:
# Checkout project source
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
# Scan code using project's configuration on https://semgrep.dev/manage
- uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735
diff --git a/code-scanning/shiftleft.yml b/code-scanning/shiftleft.yml
index 48b86d3..d1154d1 100644
--- a/code-scanning/shiftleft.yml
+++ b/code-scanning/shiftleft.yml
@@ -22,7 +22,7 @@ jobs:
# Scan runs on ubuntu, mac and windows
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
# Instructions
# 1. Setup JDK, Node.js, Python etc depending on your project type
# 2. Compile or build the project before invoking scan
diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml
index 8ff2c9a..48ccbe9 100644
--- a/code-scanning/snyk-container.yml
+++ b/code-scanning/snyk-container.yml
@@ -26,7 +26,7 @@ jobs:
snyk:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Build a Docker image
run: docker build -t your/image-to-test .
- name: Run Snyk to check Docker image for vulnerabilities
diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml
index b79bf34..2799bfc 100644
--- a/code-scanning/snyk-infrastructure.yml
+++ b/code-scanning/snyk-infrastructure.yml
@@ -25,7 +25,7 @@ jobs:
snyk:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Run Snyk to check configuration files for security issues
# Snyk can be used to break the build when it detects security issues.
# In this case we want to upload the issues to GitHub Code Scanning
diff --git a/code-scanning/stackhawk.yml b/code-scanning/stackhawk.yml
index 9701b1f..64e9b9b 100644
--- a/code-scanning/stackhawk.yml
+++ b/code-scanning/stackhawk.yml
@@ -37,13 +37,19 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
stackhawk:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for stackhawk/hawkscan-action to upload code scanning alert info
name: StackHawk
runs-on: ubuntu-20.04
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Start your service
run: ./your-service.sh & # ✏️ Update this to run your own service to be scanned
diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml
index 0c1ff16..c73eb17 100644
--- a/code-scanning/synopsys-io.yml
+++ b/code-scanning/synopsys-io.yml
@@ -25,7 +25,7 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Synopsys Intelligent Security Scan
id: prescription
diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml
index 49841d7..92082e5 100644
--- a/code-scanning/sysdig-scan.yml
+++ b/code-scanning/sysdig-scan.yml
@@ -13,14 +13,21 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
build:
+ permissions:
+ checks: write # for sysdiglabs/scan-action to publish the checks
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Build the Docker image
# Tag image to be built
@@ -51,4 +58,4 @@ jobs:
#Upload SARIF file
if: always()
with:
- sarif_file: ${{ steps.scan.outputs.sarifReport }}
\ No newline at end of file
+ sarif_file: ${{ steps.scan.outputs.sarifReport }}
diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml
index 479f713..10a77ab 100644
--- a/code-scanning/tfsec.yml
+++ b/code-scanning/tfsec.yml
@@ -24,7 +24,7 @@ jobs:
steps:
- name: Clone repo
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Run tfsec
uses: tfsec/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f
diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml
index 3d5373f..d6633be 100644
--- a/code-scanning/trivy.yml
+++ b/code-scanning/trivy.yml
@@ -26,7 +26,7 @@ jobs:
runs-on: "ubuntu-18.04"
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Build an image from Dockerfile
run: |
diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml
index e38fffd..2ce3212 100644
--- a/code-scanning/veracode.yml
+++ b/code-scanning/veracode.yml
@@ -17,15 +17,21 @@ on:
- cron: $cron-weekly
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+permissions:
+ contents: read
+
jobs:
# This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter
build-and-pipeline-scan:
# The type of runner that the job will run on
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. Replace this section with your applications build steps
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
with:
repository: ''
@@ -35,9 +41,10 @@ jobs:
- run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
- run: unzip -o pipeline-scan-LATEST.zip
- - uses: actions/setup-java@v1
+ - uses: actions/setup-java@v3
with:
- java-version: 1.8
+ java-version: 8
+ distribution: 'temurin'
- run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-scan-target.zip
continue-on-error: true
- name: Convert pipeline scan output to SARIF format
diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml
index 3bfb9ed..c20c741 100644
--- a/code-scanning/xanitizer.yml
+++ b/code-scanning/xanitizer.yml
@@ -50,14 +50,15 @@ jobs:
steps:
# Check out the repository
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Set up the correct Java version for your project
# Please comment out, if your project does not contain Java source code.
- name: Set up JDK 11
- uses: actions/setup-java@v1
+ uses: actions/setup-java@v3
with:
java-version: 11
+ distribution: 'temurin'
# Compile the code for Java projects and get all libraries, e.g. via Maven
# Please adapt, if your project uses another build system to compile Java source code.
@@ -79,7 +80,7 @@ jobs:
license: ${{ secrets.XANITIZER_LICENSE }}
# Archiving the findings list reports
- - uses: actions/upload-artifact@v2
+ - uses: actions/upload-artifact@v3
with:
name: Xanitizer-Reports
path: |
diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml
index ded9178..841a2fd 100644
--- a/deployments/alibabacloud.yml
+++ b/deployments/alibabacloud.yml
@@ -47,7 +47,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# 1.1 Login to ACR
- name: Login to ACR with the AccessKey pair
@@ -74,7 +74,7 @@ jobs:
tag: "${{ env.TAG }}"
# 2.1 (Optional) Login to ACR EE
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Login to ACR EE with the AccessKey pair
uses: aliyun/acr-login@v1
with:
diff --git a/deployments/aws.yml b/deployments/aws.yml
index dab851f..fe5e076 100644
--- a/deployments/aws.yml
+++ b/deployments/aws.yml
@@ -49,7 +49,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml
index 57fe362..c882bde 100644
--- a/deployments/azure-container-webapp.yml
+++ b/deployments/azure-container-webapp.yml
@@ -40,7 +40,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml
new file mode 100644
index 0000000..948e7db
--- /dev/null
+++ b/deployments/azure-kubernetes-service-helm.yml
@@ -0,0 +1,122 @@
+# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
+#
+# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
+# For instructions see:
+# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
+# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
+# - https://github.com/Azure/aks-create-action
+#
+# To configure this workflow:
+#
+# 1. Set the following secrets in your repository (instructions for getting these
+# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
+# - AZURE_CLIENT_ID
+# - AZURE_TENANT_ID
+# - AZURE_SUBSCRIPTION_ID
+#
+# 2. Set the following environment variables (or replace the values below):
+# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - RESOURCE_GROUP (where your cluster is deployed)
+# - CLUSTER_NAME (name of your AKS cluster)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
+# - SECRET_NAME (name of the secret associated with pulling your ACR image)
+#
+# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Helm.
+# Set your helmChart, overrideFiles, overrides, and helm-version to suit your configuration.
+# - CHART_PATH (path to your helm chart)
+# - CHART_OVERRIDE_PATH (path to your helm chart with override values)
+#
+# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
+# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
+# For more options with the actions used below please refer to https://github.com/Azure/login
+
+name: Build and deploy an app to AKS with Helm
+
+on:
+ push:
+ branches:
+ - $default-branch
+ workflow_dispatch:
+
+env:
+ AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
+ CONTAINER_NAME: "your-container-name"
+ RESOURCE_GROUP: "your-resource-group"
+ CLUSTER_NAME: "your-cluster-name"
+ IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
+ CHART_PATH: "your-chart-path"
+ CHART_OVERRIDE_PATH: "your-chart-override-path"
+
+jobs:
+ build:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+
+ runs-on: ubuntu-latest
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Builds and pushes an image up to your Azure Container Registry
+ - name: Build and push image to ACR
+ run: |
+ az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v2.0
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+
+ # Retrieves the credentials for pulling images from your Azure Container Registry
+ - name: Get ACR credentials
+ run: |
+ az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
+ ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
+ ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
+ echo "::set-output name=username::${ACR_USERNAME}"
+ echo "::set-output name=password::${ACR_PASSWORD}"
+ id: get-acr-creds
+
+ # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
+ - name: Create K8s secret for pulling image from ACR
+ uses: Azure/k8s-create-secret@v1.1
+ with:
+ container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
+ container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
+ container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
+ secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+
+ # Runs Helm to create manifest files
+ - name: Bake deployment
+ uses: azure/k8s-bake@v2.1
+ with:
+ renderEngine: 'helm'
+ helmChart: ${{ env.CHART_PATH }}
+ overrideFiles: ${{ env.CHART_OVERRIDE_PATH }}
+ overrides: |
+ replicas:2
+ helm-version: 'latest'
+ id: bake
+
+ # Deploys application based on manifest files from previous step
+ - name: Deploy application
+ uses: Azure/k8s-deploy@v3.0
+ with:
+ action: deploy
+ manifests: ${{ steps.bake.outputs.manifestsBundle }}
+ images: |
+ ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
+ imagepullsecrets: |
+ ${{ env.IMAGE_PULL_SECRET_NAME }}
diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml
new file mode 100644
index 0000000..7c25319
--- /dev/null
+++ b/deployments/azure-kubernetes-service-kompose.yml
@@ -0,0 +1,111 @@
+# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
+#
+# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
+# For instructions see:
+# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
+# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
+# - https://github.com/Azure/aks-create-action
+#
+# To configure this workflow:
+#
+# 1. Set the following secrets in your repository (instructions for getting these
+# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
+# - AZURE_CLIENT_ID
+# - AZURE_TENANT_ID
+# - AZURE_SUBSCRIPTION_ID
+#
+# 2. Set the following environment variables (or replace the values below):
+# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - RESOURCE_GROUP (where your cluster is deployed)
+# - CLUSTER_NAME (name of your AKS cluster)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
+# - SECRET_NAME (name of the secret associated with pulling your ACR image)
+#
+# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kompose.
+# Set your dockerComposeFile and kompose-version to suit your configuration.
+# - DOCKER_COMPOSE_FILE_PATH (the path where your Kompose deployment manifest is located)
+#
+# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
+# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
+# For more options with the actions used below please refer to https://github.com/Azure/login
+
+name: Build and deploy an app to AKS with Kompose
+
+env:
+ AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
+ CONTAINER_NAME: "your-container-name"
+ RESOURCE_GROUP: "your-resource-group"
+ CLUSTER_NAME: "your-cluster-name"
+ IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
+ DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path"
+
+jobs:
+ build:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+
+ runs-on: ubuntu-latest
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Builds and pushes an image up to your Azure Container Registry
+ - name: Build and push image to ACR
+ run: |
+ az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v2.0
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+
+ # Retrieves the credentials for pulling images from your Azure Container Registry
+ - name: Get ACR credentials
+ run: |
+ az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
+ ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
+ ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
+ echo "::set-output name=username::${ACR_USERNAME}"
+ echo "::set-output name=password::${ACR_PASSWORD}"
+ id: get-acr-creds
+
+ # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
+ - name: Create K8s secret for pulling image from ACR
+ uses: Azure/k8s-create-secret@v1.1
+ with:
+ container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
+ container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
+ container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
+ secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+
+ # Runs Kompose to create manifest files
+ - name: Bake deployment
+ uses: azure/k8s-bake@v2.1
+ with:
+ renderEngine: 'kompose'
+ dockerComposeFile: ${{ env.DOCKER_COMPOSE_FILE_PATH }}
+ kompose-version: 'latest'
+ id: bake
+
+ # Deploys application based on manifest files from previous step
+ - name: Deploy application
+ uses: Azure/k8s-deploy@v3.0
+ with:
+ action: deploy
+ manifests: ${{ steps.bake.outputs.manifestsBundle }}
+ images: |
+ ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
+ imagepullsecrets: |
+ ${{ env.IMAGE_PULL_SECRET_NAME }}
diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml
new file mode 100644
index 0000000..f6928d0
--- /dev/null
+++ b/deployments/azure-kubernetes-service-kustomize.yml
@@ -0,0 +1,117 @@
+# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
+#
+# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
+# For instructions see:
+# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
+# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
+# - https://github.com/Azure/aks-create-action
+#
+# To configure this workflow:
+#
+# 1. Set the following secrets in your repository (instructions for getting these
+# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
+# - AZURE_CLIENT_ID
+# - AZURE_TENANT_ID
+# - AZURE_SUBSCRIPTION_ID
+#
+# 2. Set the following environment variables (or replace the values below):
+# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - RESOURCE_GROUP (where your cluster is deployed)
+# - CLUSTER_NAME (name of your AKS cluster)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
+# - SECRET_NAME (name of the secret associated with pulling your ACR image)
+#
+# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kustomize.
+# Set your kustomizationPath and kubectl-version to suit your configuration.
+# - KUSTOMIZE_PATH (the path where your Kustomize manifests are located)
+#
+# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
+# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
+# For more options with the actions used below please refer to https://github.com/Azure/login
+
+name: Build and deploy an app to AKS with Kustomize
+
+on:
+ push:
+ branches:
+ - $default-branch
+ workflow_dispatch:
+
+env:
+ AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
+ CONTAINER_NAME: "your-container-name"
+ RESOURCE_GROUP: "your-resource-group"
+ CLUSTER_NAME: "your-cluster-name"
+ IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
+ KUSTOMIZE_PATH: "your-kustomize-path"
+
+jobs:
+ build:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+
+ runs-on: ubuntu-latest
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Builds and pushes an image up to your Azure Container Registry
+ - name: Build and push image to ACR
+ run: |
+ az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v2.0
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+
+ # Retrieves the credentials for pulling images from your Azure Container Registry
+ - name: Get ACR credentials
+ run: |
+ az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
+ ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
+ ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
+ echo "::set-output name=username::${ACR_USERNAME}"
+ echo "::set-output name=password::${ACR_PASSWORD}"
+ id: get-acr-creds
+
+ # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
+ - name: Create K8s secret for pulling image from ACR
+ uses: Azure/k8s-create-secret@v1.1
+ with:
+ container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
+ container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
+ container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
+ secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+
+ # Runs Kustomize to create manifest files
+ - name: Bake deployment
+ uses: azure/k8s-bake@v2.1
+ with:
+ renderEngine: 'kustomize'
+ kustomizationPath: ${{ env.KUSTOMIZE_PATH }}
+ kubectl-version: latest
+ id: bake
+
+ # Deploys application based on manifest files from previous step
+ - name: Deploy application
+ uses: Azure/k8s-deploy@v3.0
+ with:
+ action: deploy
+ manifests: ${{ steps.bake.outputs.manifestsBundle }}
+ images: |
+ ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
+ imagepullsecrets: |
+ ${{ env.IMAGE_PULL_SECRET_NAME }}
diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml
index 08988ff..bb513d4 100644
--- a/deployments/azure-kubernetes-service.yml
+++ b/deployments/azure-kubernetes-service.yml
@@ -1,80 +1,105 @@
# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
#
# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
-# For instructions see https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
-# https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
-# https://github.com/Azure/aks-create-action
+# For instructions see:
+# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
+# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
+# - https://github.com/Azure/aks-create-action
#
# To configure this workflow:
#
-# 1. Set the following secrets in your repository:
-# - AZURE_CREDENTIALS (instructions for getting this https://github.com/Azure/login#configure-a-service-principal-with-a-secret)
+# 1. Set the following secrets in your repository (instructions for getting these
+# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
+# - AZURE_CLIENT_ID
+# - AZURE_TENANT_ID
+# - AZURE_SUBSCRIPTION_ID
#
# 2. Set the following environment variables (or replace the values below):
-# - AZURE_CONTAINER_REGISTRY (name of your container registry)
-# - PROJECT_NAME
+# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
# - RESOURCE_GROUP (where your cluster is deployed)
# - CLUSTER_NAME (name of your AKS cluster)
-#
-# 3. Choose the approrpiate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes helm, then set
-# any needed environment variables such as:
-# - CHART_PATH
-# - CHART_OVERRIDE_PATH
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
+# - SECRET_NAME (name of the secret associated with pulling your ACR image)
+# - DEPLOYMENT_MANIFEST_PATH (path to the manifest yaml for your deployment)
#
# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
-# For more options with the actions used below please see the folllowing
-# https://github.com/Azure/login
-# https://github.com/Azure/aks-set-context
-# https://github.com/marketplace/actions/azure-cli-action
-# https://github.com/Azure/k8s-bake
-# https://github.com/Azure/k8s-deploy
+# For more options with the actions used below please refer to https://github.com/Azure/login
-on: [push]
+name: Build and deploy an app to AKS
+
+on:
+ push:
+ branches:
+ - $default-branch
+ workflow_dispatch:
+
+env:
+ AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
+ CONTAINER_NAME: "your-container-name"
+ RESOURCE_GROUP: "your-resource-group"
+ CLUSTER_NAME: "your-cluster-name"
+ IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
+ DEPLOYMENT_MANIFEST_PATH: 'your-deployment-manifest-path'
jobs:
build:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@master
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
- - name: Azure Login
- uses: azure/login@v1
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
with:
- creds: ${{ secrets.AZURE_CREDENTIALS }}
-
- - name: Build image on ACR
- uses: azure/CLI@v1
- with:
- azcliversion: 2.29.1
- inlineScript: |
- az configure --defaults acr=${{ env.AZURE_CONTAINER_REGISTRY }}
- az acr build -t -t ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }}
-
- - name: Gets K8s context
- uses: azure/aks-set-context@v1
- with:
- creds: ${{ secrets.AZURE_CREDENTIALS }}
- resource-group: ${{ env.RESOURCE_GROUP }}
- cluster-name: ${{ env.CLUSTER_NAME }}
- id: login
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Builds and pushes an image up to your Azure Container Registry
+ - name: Build and push image to ACR
+ run: |
+ az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
- - name: Configure deployment
- uses: azure/k8s-bake@v1
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v2.0
with:
- renderEngine: 'helm'
- helmChart: ${{ env.CHART_PATH }}
- overrideFiles: ${{ env.CHART_OVERRIDE_PATH }}
- overrides: |
- replicas:2
- helm-version: 'latest'
- id: bake
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+ # Retrieves the credentials for pulling images from your Azure Container Registry
+ - name: Get ACR credentials
+ run: |
+ az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
+ ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
+ ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
+ echo "::set-output name=username::${ACR_USERNAME}"
+ echo "::set-output name=password::${ACR_PASSWORD}"
+ id: get-acr-creds
+
+ # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
+ - name: Create K8s secret for pulling image from ACR
+ uses: Azure/k8s-create-secret@v1.1
+ with:
+ container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
+ container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
+ container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
+ secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+
+ # Deploys application based on given manifest file
- name: Deploys application
- - uses: Azure/k8s-deploy@v1
+ uses: Azure/k8s-deploy@v3.0
with:
- manifests: ${{ steps.bake.outputs.manifestsBundle }}
+ action: deploy
+ manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }}
images: |
- ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }}
+ ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
imagepullsecrets: |
- ${{ env.PROJECT_NAME }}
+ ${{ env.IMAGE_PULL_SECRET_NAME }}
diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml
index 8e1faf7..becfede 100644
--- a/deployments/azure-staticwebapp.yml
+++ b/deployments/azure-staticwebapp.yml
@@ -34,7 +34,7 @@ jobs:
runs-on: ubuntu-latest
name: Build and Deploy Job
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
with:
submodules: true
- name: Build And Deploy
diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml
index 7a2a84f..3357dc8 100644
--- a/deployments/azure-webapps-dotnet-core.yml
+++ b/deployments/azure-webapps-dotnet-core.yml
@@ -35,15 +35,15 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up .NET Core
- uses: actions/setup-dotnet@v1
+ uses: actions/setup-dotnet@v2
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
- name: Set up dependency caching for faster builds
- uses: actions/cache@v2
+ uses: actions/cache@v3
with:
path: ~/.nuget/packages
key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }}
@@ -57,7 +57,7 @@ jobs:
run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp
- name: Upload artifact for deployment job
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v3
with:
name: .net-app
path: ${{env.DOTNET_ROOT}}/myapp
@@ -71,7 +71,7 @@ jobs:
steps:
- name: Download artifact from build job
- uses: actions/download-artifact@v2
+ uses: actions/download-artifact@v3
with:
name: .net-app
diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml
index f386250..5f58dbf 100644
--- a/deployments/azure-webapps-java-jar.yml
+++ b/deployments/azure-webapps-java-jar.yml
@@ -34,10 +34,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Java version
- uses: actions/setup-java@v2.3.1
+ uses: actions/setup-java@v3.0.0
with:
java-version: ${{ env.JAVA_VERSION }}
cache: 'maven'
@@ -46,7 +46,7 @@ jobs:
run: mvn clean install
- name: Upload artifact for deployment job
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v3
with:
name: java-app
path: '${{ github.workspace }}/target/*.jar'
@@ -60,7 +60,7 @@ jobs:
steps:
- name: Download artifact from build job
- uses: actions/download-artifact@v2
+ uses: actions/download-artifact@v3
with:
name: java-app
diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml
index b7cb51f..c967bdb 100644
--- a/deployments/azure-webapps-node.yml
+++ b/deployments/azure-webapps-node.yml
@@ -32,10 +32,10 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Node.js
- uses: actions/setup-node@v2
+ uses: actions/setup-node@v3
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
@@ -47,7 +47,7 @@ jobs:
npm run test --if-present
- name: Upload artifact for deployment job
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v3
with:
name: node-app
path: .
@@ -61,7 +61,7 @@ jobs:
steps:
- name: Download artifact from build job
- uses: actions/download-artifact@v2
+ uses: actions/download-artifact@v3
with:
name: node-app
diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml
index 700f83a..04f55f4 100644
--- a/deployments/azure-webapps-php.yml
+++ b/deployments/azure-webapps-php.yml
@@ -35,7 +35,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Setup PHP
uses: shivammathur/setup-php@7c0b4c8c8ebed23eca9ec2802474895d105b11bc
@@ -55,7 +55,7 @@ jobs:
echo "::set-output name=dir::$(composer config cache-files-dir)"
- name: Set up dependency caching for faster installs
- uses: actions/cache@v2
+ uses: actions/cache@v3
if: steps.check_files.outputs.files_exists == 'true'
with:
path: ${{ steps.composer-cache.outputs.dir }}
@@ -68,7 +68,7 @@ jobs:
run: composer validate --no-check-publish && composer install --prefer-dist --no-progress
- name: Upload artifact for deployment job
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v3
with:
name: php-app
path: .
@@ -82,7 +82,7 @@ jobs:
steps:
- name: Download artifact from build job
- uses: actions/download-artifact@v2
+ uses: actions/download-artifact@v3
with:
name: php-app
diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml
index cb19cda..af6a9dd 100644
--- a/deployments/azure-webapps-python.yml
+++ b/deployments/azure-webapps-python.yml
@@ -34,10 +34,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python version
- uses: actions/setup-python@v2.2.2
+ uses: actions/setup-python@v3.0.0
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: 'pip'
@@ -53,7 +53,7 @@ jobs:
# Optional: Add step to run tests here (PyTest, Django test suites, etc.)
- name: Upload artifact for deployment jobs
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v3
with:
name: python-app
path: |
@@ -69,7 +69,7 @@ jobs:
steps:
- name: Download artifact from build job
- uses: actions/download-artifact@v2
+ uses: actions/download-artifact@v3
with:
name: python-app
path: .
diff --git a/deployments/google-cloudrun-docker.yml b/deployments/google-cloudrun-docker.yml
new file mode 100644
index 0000000..b8d0511
--- /dev/null
+++ b/deployments/google-cloudrun-docker.yml
@@ -0,0 +1,114 @@
+# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Cloud Run when a commit is pushed to the $default-branch branch
+#
+# Overview:
+#
+# 1. Authenticate to Google Cloud
+# 2. Authenticate Docker to Artifact Registry
+# 3. Build a docker container
+# 4. Publish it to Google Artifact Registry
+# 5. Deploy it to Cloud Run
+#
+# To configure this workflow:
+#
+# 1. Ensure the required Google Cloud APIs are enabled:
+#
+# Cloud Run run.googleapis.com
+# Artifact Registry artifactregistry.googleapis.com
+#
+# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)
+#
+# 3. Ensure the required IAM permissions are granted
+#
+# Cloud Run
+# roles/run.admin
+# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account)
+#
+# Artifact Registry
+# roles/artifactregistry.admin (project or repository level)
+#
+# NOTE: You should always follow the principle of least privilege when assigning IAM roles
+#
+# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT
+#
+# 5. Change the values for the GAR_LOCATION, SERVICE and REGION environment variables (below).
+#
+# NOTE: To use Google Container Registry instead, replace ${{ env.GAR_LOCATION }}-docker.pkg.dev with gcr.io
+#
+# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run
+#
+# Further reading:
+# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying
+# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles
+# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry
+# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege
+
+name: Build and Deploy to Cloud Run
+
+on:
+ push:
+ branches:
+ - $default-branch
+
+env:
+ PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id
+ GAR_LOCATION: YOUR_GAR_LOCATION # TODO: update Artifact Registry location
+ SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name
+ REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region
+
+jobs:
+ deploy:
+ # Add 'id-token' with the intended permissions for workload identity federation
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Google Auth
+ id: auth
+ uses: 'google-github-actions/auth@v0'
+ with:
+ token_format: 'access_token'
+ workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider
+ service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - my-service-account@my-project.iam.gserviceaccount.com
+
+ # NOTE: Alternative option - authentication via credentials json
+ # - name: Google Auth
+ # id: auth
+ # uses: 'google-github-actions/auth@v0'
+ # with:
+ # credentials_json: '${{ secrets.GCP_CREDENTIALS }}''
+
+ # BEGIN - Docker auth and build (NOTE: If you already have a container image, these Docker steps can be omitted)
+
+ # Authenticate Docker to Google Cloud Artifact Registry
+ - name: Docker Auth
+ id: docker-auth
+ uses: 'docker/login-action@v1'
+ with:
+ username: 'oauth2accesstoken'
+ password: '${{ steps.auth.outputs.access_token }}'
+ registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev'
+
+ - name: Build and Push Container
+ run: |-
+ docker build -t "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" ./
+ docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}"
+
+ # END - Docker auth and build
+
+ - name: Deploy to Cloud Run
+ id: deploy
+ uses: google-github-actions/deploy-cloudrun@v0
+ with:
+ service: ${{ env.SERVICE }}
+ region: ${{ env.REGION }}
+ # NOTE: If using a pre-built image, update the image name here
+ image: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}
+
+ # If required, use the Cloud Run url output in later steps
+ - name: Show Output
+ run: echo ${{ steps.deploy.outputs.url }}
diff --git a/deployments/google-cloudrun-source.yml b/deployments/google-cloudrun-source.yml
new file mode 100644
index 0000000..2916b45
--- /dev/null
+++ b/deployments/google-cloudrun-source.yml
@@ -0,0 +1,96 @@
+# This workflow will deploy source code on Cloud Run when a commit is pushed to the $default-branch branch
+#
+# Overview:
+#
+# 1. Authenticate to Google Cloud
+# 2. Deploy it to Cloud Run
+#
+# To configure this workflow:
+#
+# 1. Ensure the required Google Cloud APIs are enabled:
+#
+# Cloud Run run.googleapis.com
+# Cloud Build cloudbuild.googleapis.com
+# Artifact Registry artifactregistry.googleapis.com
+#
+# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)
+#
+# 3. Ensure the required IAM permissions are granted
+#
+# Cloud Run
+# roles/run.admin
+# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account)
+#
+# Cloud Build
+# roles/cloudbuild.builds.editor
+#
+# Cloud Storage
+# roles/storage.objectAdmin
+#
+# Artifact Registry
+# roles/artifactregistry.admin (project or repository level)
+#
+# NOTE: You should always follow the principle of least privilege when assigning IAM roles
+#
+# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT
+#
+# 5. Change the values for the SERVICE and REGION environment variables (below).
+#
+# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run
+#
+# Further reading:
+# Cloud Run runtime service account - https://cloud.google.com/run/docs/securing/service-identity
+# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying-source-code#permissions_required_to_deploy
+# Cloud Run builds from source - https://cloud.google.com/run/docs/deploying-source-code
+# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege
+
+name: Deploy to Cloud Run from Source
+
+on:
+ push:
+ branches:
+ - $default-branch
+
+env:
+ PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id
+ SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name
+ REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region
+
+jobs:
+ deploy:
+ # Add 'id-token' with the intended permissions for workload identity federation
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Google Auth
+ id: auth
+ uses: 'google-github-actions/auth@v0'
+ with:
+ workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider
+ service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - my-service-account@my-project.iam.gserviceaccount.com
+
+ # NOTE: Alternative option - authentication via credentials json
+ # - name: Google Auth
+ # id: auth
+ # uses: 'google-github-actions/auth@v0'
+ # with:
+ # credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
+
+ - name: Deploy to Cloud Run
+ id: deploy
+ uses: google-github-actions/deploy-cloudrun@v0
+ with:
+ service: ${{ env.SERVICE }}
+ region: ${{ env.REGION }}
+ # NOTE: If required, update to the appropriate source folder
+ source: ./
+
+ # If required, use the Cloud Run url output in later steps
+ - name: Show Output
+ run: echo ${{ steps.deploy.outputs.url }}
diff --git a/deployments/google.yml b/deployments/google.yml
index 003e53b..6150672 100644
--- a/deployments/google.yml
+++ b/deployments/google.yml
@@ -38,7 +38,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Configure Workload Identity Federation and generate an access token.
- id: 'auth'
diff --git a/deployments/ibm.yml b/deployments/ibm.yml
index 216b04d..cb3080f 100644
--- a/deployments/ibm.yml
+++ b/deployments/ibm.yml
@@ -33,7 +33,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Download and Install IBM Cloud CLI
- name: Install IBM Cloud CLI
diff --git a/deployments/openshift.yml b/deployments/openshift.yml
index 46ff961..5775cb0 100644
--- a/deployments/openshift.yml
+++ b/deployments/openshift.yml
@@ -71,7 +71,7 @@ jobs:
steps:
- name: Check for required secrets
- uses: actions/github-script@v4
+ uses: actions/github-script@v6
with:
script: |
const secrets = {
@@ -109,7 +109,7 @@ jobs:
}
- name: Check out repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Determine app name
if: env.APP_NAME == ''
diff --git a/deployments/properties/azure-kubernetes-service-helm.properties.json b/deployments/properties/azure-kubernetes-service-helm.properties.json
new file mode 100644
index 0000000..92478b3
--- /dev/null
+++ b/deployments/properties/azure-kubernetes-service-helm.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy to AKS with Helm",
+ "description": "Deploy an application to an Azure Kubernetes Service cluster using Helm",
+ "creator": "Microsoft Azure",
+ "iconName": "azure",
+ "categories": ["Deployment", "Helm", "Kubernetes", "Dockerfile"]
+}
diff --git a/deployments/properties/azure-kubernetes-service-kompose.properties.json b/deployments/properties/azure-kubernetes-service-kompose.properties.json
new file mode 100644
index 0000000..de246c3
--- /dev/null
+++ b/deployments/properties/azure-kubernetes-service-kompose.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy to AKS with Kompose",
+ "description": "Deploy an application to an Azure Kubernetes Service cluster using Kompose",
+ "creator": "Microsoft Azure",
+ "iconName": "azure",
+ "categories": ["Deployment", "Kompose", "Kubernetes", "Dockerfile"]
+}
diff --git a/deployments/properties/azure-kubernetes-service-kustomize.properties.json b/deployments/properties/azure-kubernetes-service-kustomize.properties.json
new file mode 100644
index 0000000..bfc71cc
--- /dev/null
+++ b/deployments/properties/azure-kubernetes-service-kustomize.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy to AKS with Kustomize",
+ "description": "Deploy an application to an Azure Kubernetes Service cluster using Kustomize",
+ "creator": "Microsoft Azure",
+ "iconName": "azure",
+ "categories": ["Deployment", "Kustomize", "Kubernetes", "Dockerfile"]
+}
diff --git a/deployments/properties/azure-kubernetes-service.properties.json b/deployments/properties/azure-kubernetes-service.properties.json
index 28f3725..45d4a69 100644
--- a/deployments/properties/azure-kubernetes-service.properties.json
+++ b/deployments/properties/azure-kubernetes-service.properties.json
@@ -1,7 +1,7 @@
{
- "name": "Deploy to a AKS Cluster",
- "description": "Deploy an application to a Azure Kubernetes Service Cluster using Azure Credentials",
+ "name": "Deploy to AKS",
+ "description": "Deploy an application to an Azure Kubernetes Service cluster",
"creator": "Microsoft Azure",
"iconName": "azure",
- "categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes", "Dockerfile"]
+ "categories": ["Deployment", "Kubernetes", "Dockerfile"]
}
diff --git a/deployments/properties/google-cloudrun-docker.properties.json b/deployments/properties/google-cloudrun-docker.properties.json
new file mode 100644
index 0000000..b1a2b2b
--- /dev/null
+++ b/deployments/properties/google-cloudrun-docker.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Build and Deploy to Cloud Run",
+ "description": "Build a Docker container, publish it to Google Artifact Registry, and deploy to Google Cloud Run.",
+ "creator": "Google Cloud",
+ "iconName": "google-cloud",
+ "categories": ["Deployment", "Containers", "Dockerfile", "Cloud Run", "Serverless"]
+}
diff --git a/deployments/properties/google-cloudrun-source.properties.json b/deployments/properties/google-cloudrun-source.properties.json
new file mode 100644
index 0000000..2735d80
--- /dev/null
+++ b/deployments/properties/google-cloudrun-source.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy to Cloud Run from Source",
+ "description": "Deploy to Google Cloud Run directly from source.",
+ "creator": "Google Cloud",
+ "iconName": "google-cloud",
+ "categories": ["Deployment", "Containers", "Cloud Run", "Serverless", "Buildpacks"]
+}
diff --git a/deployments/properties/google.properties.json b/deployments/properties/google.properties.json
index f1bd883..e226385 100644
--- a/deployments/properties/google.properties.json
+++ b/deployments/properties/google.properties.json
@@ -2,6 +2,6 @@
"name": "Build and Deploy to GKE",
"description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.",
"creator": "Google Cloud",
- "iconName": "googlegke",
+ "iconName": "google-cloud",
"categories": ["Deployment", "Dockerfile", "Kubernetes", "Kustomize"]
}
\ No newline at end of file
diff --git a/deployments/tencent.yml b/deployments/tencent.yml
index 83bde94..2bf2a68 100644
--- a/deployments/tencent.yml
+++ b/deployments/tencent.yml
@@ -35,7 +35,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Build
- name: Build Docker image
diff --git a/deployments/terraform.yml b/deployments/terraform.yml
index 589f1f3..96e44e0 100644
--- a/deployments/terraform.yml
+++ b/deployments/terraform.yml
@@ -64,7 +64,7 @@ jobs:
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
- name: Setup Terraform
diff --git a/icons/clj-holmes.svg b/icons/clj-holmes.svg
new file mode 100644
index 0000000..74459e5
--- /dev/null
+++ b/icons/clj-holmes.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/icons/datadog.svg b/icons/datadog.svg
new file mode 100644
index 0000000..91cb3b6
--- /dev/null
+++ b/icons/datadog.svg
@@ -0,0 +1,4 @@
+
diff --git a/icons/googlegke.svg b/icons/google-cloud.svg
similarity index 100%
rename from icons/googlegke.svg
rename to icons/google-cloud.svg