Merge branch 'main' into users/yongyan-gh/hadolint
This commit is contained in:
@@ -90,4 +90,4 @@ jobs:
|
||||
COSIGN_EXPERIMENTAL: "true"
|
||||
# This step uses the identity token to provision an ephemeral certificate
|
||||
# against the sigstore community Fulcio instance.
|
||||
run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
|
||||
run: cosign sign ${{ steps.meta.outputs.tags }}@${{ steps.build-and-push.outputs.digest }}
|
||||
|
||||
@@ -105,7 +105,7 @@ jobs:
|
||||
|
||||
# Remove the pfx
|
||||
- name: Remove the pfx
|
||||
run: Remove-Item -path $env:Wap_Project_Directory\$env:Signing_Certificate
|
||||
run: Remove-Item -path $env:Wap_Project_Directory\GitHubActionsWorkflow.pfx
|
||||
|
||||
# Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact
|
||||
- name: Upload build artifacts
|
||||
|
||||
@@ -48,8 +48,11 @@ jobs:
|
||||
# If you wish to specify custom queries, you can do so here or in a config file.
|
||||
# By default, queries listed here will override any specified in a config file.
|
||||
# Prefix the list here with "+" to use these queries and those in the config file.
|
||||
# queries: ./path/to/local/query, your-org/your-repo/queries@main
|
||||
|
||||
# Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
|
||||
# queries: security-extended,security-and-quality
|
||||
|
||||
|
||||
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
|
||||
# If this step fails, then you should remove it and run the build manually (see below)
|
||||
- name: Autobuild
|
||||
@@ -58,13 +61,12 @@ jobs:
|
||||
# ℹ️ Command-line programs to run using the OS shell.
|
||||
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
|
||||
|
||||
# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
|
||||
# and modify them (or add more) to build your code if your project
|
||||
# uses a compiled language
|
||||
# If the Autobuild fails above, remove it and uncomment the following three lines.
|
||||
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
|
||||
|
||||
#- run: |
|
||||
# make bootstrap
|
||||
# make release
|
||||
# - run: |
|
||||
# echo "Run, Build Application using script"
|
||||
# ./location_of_script_within_repo/buildscript.sh
|
||||
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@v2
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "Dependency Review",
|
||||
"description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository",
|
||||
"description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable dependencies to the repository",
|
||||
"iconName": "octicon mark-github",
|
||||
"categories": [
|
||||
"Dependency review",
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
#!/usr/bin/env npx ts-node
|
||||
import { promises as fs } from "fs";
|
||||
import { safeLoad } from "js-yaml";
|
||||
import { basename, extname, join } from "path";
|
||||
import { basename, extname, join, dirname } from "path";
|
||||
import { Validator as validator } from "jsonschema";
|
||||
import { endGroup, error, info, setFailed, startGroup } from '@actions/core';
|
||||
|
||||
@@ -14,6 +14,7 @@ interface WorkflowWithErrors {
|
||||
interface WorkflowProperties {
|
||||
name: string;
|
||||
description: string;
|
||||
creator: string;
|
||||
iconName: string;
|
||||
categories: string[];
|
||||
}
|
||||
@@ -40,7 +41,7 @@ const propertiesSchema = {
|
||||
}
|
||||
}
|
||||
|
||||
async function checkWorkflows(folders: string[], allowed_categories: string[]): Promise<WorkflowWithErrors[]> {
|
||||
async function checkWorkflows(folders: string[], allowed_categories: object[]): Promise<WorkflowWithErrors[]> {
|
||||
const result: WorkflowWithErrors[] = []
|
||||
const workflow_template_names = new Set()
|
||||
for (const folder of folders) {
|
||||
@@ -69,7 +70,7 @@ async function checkWorkflows(folders: string[], allowed_categories: string[]):
|
||||
return result;
|
||||
}
|
||||
|
||||
async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: string[]): Promise<WorkflowWithErrors> {
|
||||
async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: object[]): Promise<WorkflowWithErrors> {
|
||||
let workflowErrors: WorkflowWithErrors = {
|
||||
id: workflowPath,
|
||||
name: null,
|
||||
@@ -104,9 +105,19 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow
|
||||
}
|
||||
|
||||
}
|
||||
if (!workflowPath.endsWith("blank.yml") && (!properties.categories ||
|
||||
!properties.categories.some(category => allowed_categories.some(ac => ac.toLowerCase() == category.toLowerCase())))) {
|
||||
workflowErrors.errors.push(`Workflow does not contain at least one allowed category - ${allowed_categories}`)
|
||||
var path = dirname(workflowPath)
|
||||
var folder_categories = allowed_categories.find( category => category["path"] == path)["categories"]
|
||||
if (!workflowPath.endsWith("blank.yml")) {
|
||||
if(!properties.categories || properties.categories.length == 0) {
|
||||
workflowErrors.errors.push(`Workflow categories cannot be null or empty`)
|
||||
}
|
||||
else if(!folder_categories.some(category => properties.categories[0].toLowerCase() == category.toLowerCase())) {
|
||||
workflowErrors.errors.push(`The first category in properties.json categories for workflow in ${basename(path)} folder must be one of "${folder_categories}. Either move the workflow to an appropriate directory or change the category."`)
|
||||
}
|
||||
}
|
||||
|
||||
if(basename(path).toLowerCase() == 'deployments' && !properties.creator) {
|
||||
workflowErrors.errors.push(`The "creator" in properties.json must be present.`)
|
||||
}
|
||||
} catch (e) {
|
||||
workflowErrors.errors.push(e.toString())
|
||||
|
||||
@@ -5,11 +5,22 @@
|
||||
"../../deployments",
|
||||
"../../code-scanning"
|
||||
],
|
||||
"allowed_categories" : [
|
||||
"Continuous integration",
|
||||
"Deployment",
|
||||
"Code Scanning",
|
||||
"Dependency review",
|
||||
"Automation"
|
||||
"allowed_categories": [
|
||||
{
|
||||
"path": "../../ci",
|
||||
"categories": ["Continuous integration"]
|
||||
},
|
||||
{
|
||||
"path": "../../automation",
|
||||
"categories": ["Automation"]
|
||||
},
|
||||
{
|
||||
"path": "../../deployments",
|
||||
"categories": ["Deployment"]
|
||||
},
|
||||
{
|
||||
"path": "../../code-scanning",
|
||||
"categories": ["Code Scanning", "Dependency review"]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user