Testing Partner Toggle, Synced with Main (#1083)
* Secure workflows (#1) (#1072) * Restrict permissions for the GITHUB_TOKEN in .github/workflows/label-feature.yml * Restrict permissions for the GITHUB_TOKEN in .github/workflows/label-support.yml * Restrict permissions for the GITHUB_TOKEN in .github/workflows/stale.yml * Restrict permissions for the GITHUB_TOKEN in .github/workflows/sync_ghes.yaml * Restrict permissions for the GITHUB_TOKEN in .github/workflows/validate-data.yaml Co-authored-by: Step Security <bot@stepsecurity.io> Co-authored-by: step-security[bot] <89328102+step-security[bot]@users.noreply.github.com> Co-authored-by: Step Security <bot@stepsecurity.io> * Directory for deployments (#1071) * moving deployment templates * including deployment directory in scripts * validate categories script init * introducing scout * introducing workflow * Update validate-categories.yaml * Update validate-categories.yaml * Update validate-categories.yaml * Update validate.rb * Update validate.rb * Update validate.rb * Update validate.rb * Update validate-categories.yaml * Update validate-categories.yaml * Update validate-categories.yaml * Update validate.rb * Update validate-categories.yaml * Update validate-categories.yaml * Create test_comment.yaml * rename * using [enter] * testing newline * test * setting up variable * using echo -e * using join * testing space space new line * setting multi line in echo * removing checkout * setting rows-generator * fixing error * using join * commit * Update test_comment.yaml * escaping pipe * printing debug line * using %0A * Update validate-categories.yaml * Update validate.rb * Update validate.rb * removing debug * removing variable * Update validate.rb * Update validate-categories.yaml * Validate categories comment on pr (#32) * reverting deployment directory * checking for output * Categories validation two workflows (#34) comment on pr in a separate workflow * Categories validation two workflows (#35) using right dir name * Categories validation two workflows (#36) . * Categories validation two workflows (#37) fixing typo * adding if conditions * adding try catch * using console instead of echo * equating to upstream * moving deployment templates * add codeql workflow to ghes * restoring from main (#1078) * Revert "add codeql workflow to ghes branch" * add codeql workflow to ghes * only run ghes sync checks on YML files * only check nwo of supported actions * Testing Partner Toggle. Co-authored-by: Varun Sharma <varunsh@stepsecurity.io> Co-authored-by: step-security[bot] <89328102+step-security[bot]@users.noreply.github.com> Co-authored-by: Step Security <bot@stepsecurity.io> Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Co-authored-by: Nick Fyson <nickfyson@github.com>
This commit is contained in:
@@ -5,6 +5,8 @@ on:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
permissions:
|
||||
issues: write
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Close Issue
|
||||
|
||||
@@ -5,6 +5,8 @@ on:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
permissions:
|
||||
issues: write
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Close Issue
|
||||
|
||||
@@ -7,6 +7,9 @@ on:
|
||||
jobs:
|
||||
stale:
|
||||
|
||||
permissions:
|
||||
issues: write
|
||||
pull-requests: write
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
|
||||
@@ -7,6 +7,8 @@ on:
|
||||
|
||||
jobs:
|
||||
sync:
|
||||
permissions:
|
||||
contents: write
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
|
||||
@@ -6,6 +6,8 @@ on:
|
||||
|
||||
jobs:
|
||||
validate-data:
|
||||
permissions:
|
||||
contents: read
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
|
||||
@@ -0,0 +1,6 @@
|
||||
{
|
||||
"name": "Rails - Build and Run Linters",
|
||||
"description": "Build Rails application and run linters",
|
||||
"iconName": "ruby",
|
||||
"categories": ["Ruby", "Rails"]
|
||||
}
|
||||
@@ -0,0 +1,32 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
# This workflow will download a prebuilt Ruby version, install dependencies, and run linters
|
||||
name: Build Rails and run linters
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
jobs:
|
||||
run-lint:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Setup Ruby and install gems
|
||||
uses: ruby/setup-ruby@v1
|
||||
with:
|
||||
bundler-cache: true
|
||||
# Add or Replace any other security checks here
|
||||
- name: Run security checks
|
||||
run: |
|
||||
bin/bundler-audit --update
|
||||
bin/brakeman -q -w2
|
||||
# Add or Replace any other Linters here
|
||||
- name: Run linters
|
||||
run: |
|
||||
bin/rubocop --parallel
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "Deploy Node.js to Azure Web App",
|
||||
"description": "Build a Node.js project and deploy it to an Azure Web App.",
|
||||
"description": "[Test Partner]Build a Node.js project and deploy it to an Azure Web App.",
|
||||
"creator": "Microsoft Azure",
|
||||
"iconName": "azure",
|
||||
"categories": ["Deployment"]
|
||||
@@ -45,7 +45,7 @@ async function checkWorkflows(
|
||||
});
|
||||
|
||||
for (const e of dir) {
|
||||
if (e.isFile()) {
|
||||
if (e.isFile() && extname(e.name) === ".yml") {
|
||||
const workflowFilePath = join(folder, e.name);
|
||||
const workflowId = basename(e.name, extname(e.name));
|
||||
const workflowProperties: WorkflowProperties = require(join(
|
||||
@@ -58,7 +58,7 @@ async function checkWorkflows(
|
||||
const isPartnerWorkflow = workflowProperties.creator ? partnersSet.has(workflowProperties.creator.toLowerCase()) : false;
|
||||
|
||||
const enabled =
|
||||
!isPartnerWorkflow &&
|
||||
!isPartnerWorkflow &&
|
||||
(await checkWorkflow(workflowFilePath, enabledActions));
|
||||
|
||||
const workflowDesc: WorkflowDesc = {
|
||||
@@ -104,7 +104,8 @@ async function checkWorkflow(
|
||||
if (!!step.uses) {
|
||||
// Check if allowed action
|
||||
const [actionName, _] = step.uses.split("@");
|
||||
if (!enabledActionsSet.has(actionName.toLowerCase())) {
|
||||
const actionNwo = actionName.split("/").slice(0, 2).join("/");
|
||||
if (!enabledActionsSet.has(actionNwo.toLowerCase())) {
|
||||
console.info(
|
||||
`Workflow ${workflowPath} uses '${actionName}' which is not supported for GHES.`
|
||||
);
|
||||
|
||||
@@ -1,7 +1,9 @@
|
||||
{
|
||||
"folders": [
|
||||
"../../ci",
|
||||
"../../automation"
|
||||
"../../automation",
|
||||
"../../deployments",
|
||||
"../../code-scanning"
|
||||
],
|
||||
"enabledActions": [
|
||||
"actions/checkout",
|
||||
@@ -15,7 +17,8 @@
|
||||
"actions/stale",
|
||||
"actions/starter-workflows",
|
||||
"actions/upload-artifact",
|
||||
"actions/upload-release-asset"
|
||||
"actions/upload-release-asset",
|
||||
"github/codeql-action"
|
||||
],
|
||||
"partners": [
|
||||
"Alibaba Cloud",
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"folders": [
|
||||
"../../ci",
|
||||
"../../automation"
|
||||
"../../automation",
|
||||
"../../deployments"
|
||||
]
|
||||
}
|
||||
Reference in New Issue
Block a user