diff --git a/.github/auto_assign.yml b/.github/auto_assign.yml
new file mode 100644
index 0000000..696b4f8
--- /dev/null
+++ b/.github/auto_assign.yml
@@ -0,0 +1,17 @@
+# Set to true to add reviewers to pull requests
+addReviewers: true
+
+# Set to true to add assignees to pull requests
+addAssignees: false
+
+# A list of reviewers to be added to pull requests (GitHub user name)
+reviewers:
+ - phantsure
+ - anuragc617
+ - tiwarishub
+ - vsvipul
+ - bishal-pdmsft
+
+# A number of reviewers added to the pull request
+# Set 0 to add all the reviewers (default: 0)
+numberOfReviewers: 1
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..62283f9
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,16 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 6494e8d..9b6c10f 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -26,6 +26,7 @@ It is not:
- [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests").
- [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build").
- [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification.
+- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully.
**For _CI_ workflows, the workflow:**
@@ -37,7 +38,7 @@ It is not:
**For _Code Scanning_ workflows, the workflow:**
-- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/ci).
+- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/code-scanning).
- [ ] Should include a matching `code-scanning/properties/*.properties.json` file (for example, [`code-scanning/properties/codeql.properties.json`](https://github.com/actions/starter-workflows/blob/main/code-scanning/properties/codeql.properties.json)), with properties set as follows:
- [ ] `name`: Name of the Code Scanning integration.
- [ ] `organization`: Name of the organization producing the Code Scanning integration.
diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml
new file mode 100644
index 0000000..0cb9345
--- /dev/null
+++ b/.github/workflows/auto-assign-issues.yml
@@ -0,0 +1,15 @@
+name: Issue assignment
+
+on:
+ issues:
+ types: [opened]
+
+jobs:
+ auto-assign:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Auto-assign issue'
+ uses: pozil/auto-assign-issue@v1.10.0
+ with:
+ assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft
+ numOfAssignee: 1
diff --git a/.github/workflows/auto-assign.yml b/.github/workflows/auto-assign.yml
new file mode 100644
index 0000000..b0789b3
--- /dev/null
+++ b/.github/workflows/auto-assign.yml
@@ -0,0 +1,10 @@
+name: 'Auto Assign'
+on:
+ pull_request_target:
+ types: [opened, ready_for_review]
+
+jobs:
+ add-reviews:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: kentaro-m/auto-assign-action@v1.2.2
diff --git a/.github/workflows/label-feature.yml b/.github/workflows/label-feature.yml
index d13cf87..122caac 100644
--- a/.github/workflows/label-feature.yml
+++ b/.github/workflows/label-feature.yml
@@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Close Issue
- uses: peter-evans/close-issue@v1
+ uses: peter-evans/close-issue@v2
if: contains(github.event.issue.labels.*.name, 'feature')
with:
comment: |
diff --git a/.github/workflows/label-support.yml b/.github/workflows/label-support.yml
index ea0f240..e762afc 100644
--- a/.github/workflows/label-support.yml
+++ b/.github/workflows/label-support.yml
@@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Close Issue
- uses: peter-evans/close-issue@v1
+ uses: peter-evans/close-issue@v2
if: contains(github.event.issue.labels.*.name, 'support')
with:
comment: |
diff --git a/.github/workflows/labeler-triage.yml b/.github/workflows/labeler-triage.yml
index eba05f0..99fdbc5 100644
--- a/.github/workflows/labeler-triage.yml
+++ b/.github/workflows/labeler-triage.yml
@@ -11,6 +11,6 @@ jobs:
triage:
runs-on: ubuntu-latest
steps:
- - uses: actions/labeler@v3
+ - uses: actions/labeler@v4
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
\ No newline at end of file
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 217078a..c319ce1 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -13,7 +13,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/stale@v3
+ - uses: actions/stale@v5
with:
stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.'
stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.'
diff --git a/.github/workflows/sync_ghes.yaml b/.github/workflows/sync-ghes.yaml
similarity index 80%
rename from .github/workflows/sync_ghes.yaml
rename to .github/workflows/sync-ghes.yaml
index 946218f..aba7780 100644
--- a/.github/workflows/sync_ghes.yaml
+++ b/.github/workflows/sync-ghes.yaml
@@ -11,14 +11,16 @@ jobs:
contents: write
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- run: |
git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/*
git config user.email "cschleiden@github.com"
git config user.name "GitHub Actions"
- - uses: actions/setup-node@v2
+ - uses: actions/setup-node@v3
with:
- node-version: '12'
+ node-version: '16'
+ cache: 'npm'
+ cache-dependency-path: script/sync-ghes/package-lock.json
- name: Check starter workflows for GHES compat
run: |
npm ci
diff --git a/.github/workflows/validate-data.yaml b/.github/workflows/validate-data.yaml
index 7d5c1ee..7f8701d 100644
--- a/.github/workflows/validate-data.yaml
+++ b/.github/workflows/validate-data.yaml
@@ -10,11 +10,13 @@ jobs:
contents: read
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- - uses: actions/setup-node@v2
+ - uses: actions/setup-node@v3
with:
- node-version: "12"
+ node-version: '16'
+ cache: 'npm'
+ cache-dependency-path: script/validate-data/package-lock.json
- name: Validate workflows
run: |
diff --git a/CODEOWNERS b/CODEOWNERS
index 8866d17..0a7c0a5 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1,3 +1,4 @@
* @actions/starter-workflows
-/code-scanning/ @actions/advanced-security-code-scanning
+/code-scanning/ @actions/advanced-security-code-scanning @actions/starter-workflows
+/pages/ @actions/pages @actions/starter-workflows
diff --git a/automation/greetings.yml b/automation/greetings.yml
index ee1cb11..4677434 100644
--- a/automation/greetings.yml
+++ b/automation/greetings.yml
@@ -1,6 +1,6 @@
name: Greetings
-on: [pull_request, issues]
+on: [pull_request_target, issues]
jobs:
greeting:
@@ -12,5 +12,5 @@ jobs:
- uses: actions/first-interaction@v1
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
- issue-message: 'Message that will be displayed on users first issue'
- pr-message: 'Message that will be displayed on users first pull request'
+ issue-message: "Message that will be displayed on users' first issue"
+ pr-message: "Message that will be displayed on users' first pull request"
diff --git a/automation/label.yml b/automation/label.yml
index 5cdc45e..a8a1bd7 100644
--- a/automation/label.yml
+++ b/automation/label.yml
@@ -17,6 +17,6 @@ jobs:
pull-requests: write
steps:
- - uses: actions/labeler@v2
+ - uses: actions/labeler@v4
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/automation/stale.yml b/automation/stale.yml
index ff88dc0..1322eaf 100644
--- a/automation/stale.yml
+++ b/automation/stale.yml
@@ -18,7 +18,7 @@ jobs:
pull-requests: write
steps:
- - uses: actions/stale@v3
+ - uses: actions/stale@v5
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'Stale issue message'
diff --git a/ci/ada.yml b/ci/ada.yml
index a27902a..7e94b38 100644
--- a/ci/ada.yml
+++ b/ci/ada.yml
@@ -13,7 +13,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Set up GNAT toolchain
run: >
diff --git a/ci/android.yml b/ci/android.yml
index 3037b9f..221fca5 100644
--- a/ci/android.yml
+++ b/ci/android.yml
@@ -12,12 +12,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
- distribution: 'adopt'
+ distribution: 'temurin'
cache: gradle
- name: Grant execute permission for gradlew
diff --git a/ci/ant.yml b/ci/ant.yml
index 655a94c..1614664 100644
--- a/ci/ant.yml
+++ b/ci/ant.yml
@@ -15,11 +15,11 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
- distribution: 'adopt'
+ distribution: 'temurin'
- name: Build with Ant
run: ant -noinput -buildfile build.xml
diff --git a/ci/blank.yml b/ci/blank.yml
index 895e5d1..607e2cf 100644
--- a/ci/blank.yml
+++ b/ci/blank.yml
@@ -23,7 +23,7 @@ jobs:
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
# Runs a single command using the runners shell
- name: Run a one-line script
diff --git a/ci/c-cpp.yml b/ci/c-cpp.yml
index 88d1497..14d2eb9 100644
--- a/ci/c-cpp.yml
+++ b/ci/c-cpp.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: configure
run: ./configure
- name: make
diff --git a/ci/clojure.yml b/ci/clojure.yml
index 098918a..a76631a 100644
--- a/ci/clojure.yml
+++ b/ci/clojure.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Install dependencies
run: lein deps
- name: Run tests
diff --git a/ci/cmake.yml b/ci/cmake.yml
index 1634140..6f06f75 100644
--- a/ci/cmake.yml
+++ b/ci/cmake.yml
@@ -12,14 +12,13 @@ env:
jobs:
build:
- # The CMake configure and build commands are platform agnostic and should work equally
- # well on Windows or Mac. You can convert this to a matrix build if you need
- # cross-platform coverage.
+ # The CMake configure and build commands are platform agnostic and should work equally well on Windows or Mac.
+ # You can convert this to a matrix build if you need cross-platform coverage.
# See: https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Configure CMake
# Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make.
diff --git a/ci/crystal.yml b/ci/crystal.yml
index 6552afa..18cc825 100644
--- a/ci/crystal.yml
+++ b/ci/crystal.yml
@@ -15,7 +15,7 @@ jobs:
image: crystallang/crystal
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Install dependencies
run: shards install
- name: Run tests
diff --git a/ci/d.yml b/ci/d.yml
index 6086681..350eeee 100644
--- a/ci/d.yml
+++ b/ci/d.yml
@@ -10,13 +10,16 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- uses: dlang-community/setup-dlang@4c99aa991ce7d19dd3064de0a4f2f6b2f152e2d7
- name: 'Build & Test'
diff --git a/ci/dart.yml b/ci/dart.yml
index 7486577..7bf352f 100644
--- a/ci/dart.yml
+++ b/ci/dart.yml
@@ -16,7 +16,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
# Note: This workflow uses the latest stable version of the Dart SDK.
# You can specify other versions if desired, see documentation here:
diff --git a/ci/datadog-synthetics.yml b/ci/datadog-synthetics.yml
new file mode 100644
index 0000000..7056f87
--- /dev/null
+++ b/ci/datadog-synthetics.yml
@@ -0,0 +1,38 @@
+# This workflow will trigger Datadog Synthetic tests within your Datadog organisation
+# For more information on running Synthetic tests within your GitHub workflows see: https://docs.datadoghq.com/synthetics/cicd_integrations/github_actions/
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# To get started:
+
+# 1. Add your Datadog API (DD_API_KEY) and Application Key (DD_APP_KEY) as secrets to your GitHub repository. For more information, see: https://docs.datadoghq.com/account_management/api-app-keys/.
+# 2. Start using the action within your workflow
+
+name: Run Datadog Synthetic tests
+
+on:
+ push:
+ branches: [ $default-branch ]
+ pull_request:
+ branches: [ $default-branch ]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v2
+
+ # Run Synthetic tests within your GitHub workflow.
+ # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci
+ - name: Run Datadog Synthetic tests
+ uses: DataDog/synthetics-ci-github-action@2b56dc0cca9daa14ab69c0d1d6844296de8f941e
+ with:
+ api_key: ${{secrets.DD_API_KEY}}
+ app_key: ${{secrets.DD_APP_KEY}}
+ test_search_query: 'tag:e2e-tests' #Modify this tag to suit your tagging strategy
+
+
diff --git a/ci/deno.yml b/ci/deno.yml
index 38f2319..2234bf6 100644
--- a/ci/deno.yml
+++ b/ci/deno.yml
@@ -14,17 +14,20 @@ on:
pull_request:
branches: [$default-branch]
+permissions:
+ contents: read
+
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Setup repo
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Setup Deno
# uses: denoland/setup-deno@v1
- uses: denoland/setup-deno@004814556e37c54a2f6e31384c9e18e9833173669
+ uses: denoland/setup-deno@004814556e37c54a2f6e31384c9e18e983317366
with:
deno-version: v1.x
diff --git a/ci/django.yml b/ci/django.yml
index dbde266..79550cc 100644
--- a/ci/django.yml
+++ b/ci/django.yml
@@ -16,9 +16,9 @@ jobs:
python-version: [3.7, 3.8, 3.9]
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: ${{ matrix.python-version }}
- name: Install Dependencies
diff --git a/ci/docker-image.yml b/ci/docker-image.yml
index 78532a3..cc9cd6e 100644
--- a/ci/docker-image.yml
+++ b/ci/docker-image.yml
@@ -13,6 +13,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Build the Docker image
run: docker build . --file Dockerfile --tag my-image-name:$(date +%s)
diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml
index ab266ef..e88539d 100644
--- a/ci/docker-publish.yml
+++ b/ci/docker-publish.yml
@@ -29,10 +29,26 @@ jobs:
permissions:
contents: read
packages: write
+ # This is used to complete the identity challenge
+ # with sigstore/fulcio when running outside of PRs.
+ id-token: write
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
+
+ # Install the cosign tool except on PR
+ # https://github.com/sigstore/cosign-installer
+ - name: Install cosign
+ if: github.event_name != 'pull_request'
+ uses: sigstore/cosign-installer@7e0881f8fe90b25e305bbf0309761e9314607e25
+ with:
+ cosign-release: 'v1.9.0'
+
+
+ # Workaround: https://github.com/docker/build-push-action/issues/461
+ - name: Setup Docker buildx
+ uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
# Login against a Docker registry except on PR
# https://github.com/docker/login-action
@@ -55,9 +71,23 @@ jobs:
# Build and push Docker image with Buildx (don't push on PR)
# https://github.com/docker/build-push-action
- name: Build and push Docker image
- uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+ id: build-and-push
+ uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
+
+ # Sign the resulting Docker image digest except on PRs.
+ # This will only write to the public Rekor transparency log when the Docker
+ # repository is public to avoid leaking data. If you would like to publish
+ # transparency data even for private images, pass --force to cosign below.
+ # https://github.com/sigstore/cosign
+ - name: Sign the published Docker image
+ if: ${{ github.event_name != 'pull_request' }}
+ env:
+ COSIGN_EXPERIMENTAL: "true"
+ # This step uses the identity token to provision an ephemeral certificate
+ # against the sigstore community Fulcio instance.
+ run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml
index 0635779..bd2cb2e 100644
--- a/ci/dotnet-desktop.yml
+++ b/ci/dotnet-desktop.yml
@@ -63,15 +63,15 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
with:
fetch-depth: 0
# Install the .NET Core workload
- name: Install .NET Core
- uses: actions/setup-dotnet@v1
+ uses: actions/setup-dotnet@v2
with:
- dotnet-version: 5.0.x
+ dotnet-version: 6.0.x
# Add MSBuild to the PATH: https://github.com/microsoft/setup-msbuild
- name: Setup MSBuild.exe
@@ -105,11 +105,11 @@ jobs:
# Remove the pfx
- name: Remove the pfx
- run: Remove-Item -path $env:Wap_Project_Directory\$env:Signing_Certificate
+ run: Remove-Item -path $env:Wap_Project_Directory\GitHubActionsWorkflow.pfx
# Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact
- name: Upload build artifacts
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v3
with:
name: MSIX Package
path: ${{ env.Wap_Project_Directory }}\AppPackages
diff --git a/ci/dotnet.yml b/ci/dotnet.yml
index c31cf68..a8eccab 100644
--- a/ci/dotnet.yml
+++ b/ci/dotnet.yml
@@ -12,11 +12,11 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Setup .NET
- uses: actions/setup-dotnet@v1
+ uses: actions/setup-dotnet@v2
with:
- dotnet-version: 5.0.x
+ dotnet-version: 6.0.x
- name: Restore dependencies
run: dotnet restore
- name: Build
diff --git a/ci/elixir.yml b/ci/elixir.yml
index afe01be..6c76f54 100644
--- a/ci/elixir.yml
+++ b/ci/elixir.yml
@@ -1,31 +1,34 @@
-name: Elixir CI
-
-on:
- push:
- branches: [ $default-branch ]
- pull_request:
- branches: [ $default-branch ]
-
-jobs:
- build:
-
- name: Build and test
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v2
- - name: Set up Elixir
- uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f
- with:
- elixir-version: '1.12.3' # Define the elixir version [required]
- otp-version: '24.1' # Define the OTP version [required]
- - name: Restore dependencies cache
- uses: actions/cache@v2
- with:
- path: deps
- key: ${{ runner.os }}-mix-${{ hashFiles('**/mix.lock') }}
- restore-keys: ${{ runner.os }}-mix-
- - name: Install dependencies
- run: mix deps.get
- - name: Run tests
- run: mix test
+name: Elixir CI
+
+on:
+ push:
+ branches: [ $default-branch ]
+ pull_request:
+ branches: [ $default-branch ]
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+
+ name: Build and test
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+ - name: Set up Elixir
+ uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f
+ with:
+ elixir-version: '1.12.3' # Define the elixir version [required]
+ otp-version: '24.1' # Define the OTP version [required]
+ - name: Restore dependencies cache
+ uses: actions/cache@v3
+ with:
+ path: deps
+ key: ${{ runner.os }}-mix-${{ hashFiles('**/mix.lock') }}
+ restore-keys: ${{ runner.os }}-mix-
+ - name: Install dependencies
+ run: mix deps.get
+ - name: Run tests
+ run: mix test
diff --git a/ci/erlang.yml b/ci/erlang.yml
index 25cb893..984b83a 100644
--- a/ci/erlang.yml
+++ b/ci/erlang.yml
@@ -6,6 +6,9 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
@@ -16,7 +19,7 @@ jobs:
image: erlang:22.0.7
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Compile
run: rebar3 compile
- name: Run tests
diff --git a/ci/gem-push.yml b/ci/gem-push.yml
index 3dc62be..8905272 100644
--- a/ci/gem-push.yml
+++ b/ci/gem-push.yml
@@ -15,7 +15,7 @@ jobs:
packages: write
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Ruby 2.6
uses: actions/setup-ruby@v1
with:
diff --git a/ci/go-ossf-slsa3-publish.yml b/ci/go-ossf-slsa3-publish.yml
new file mode 100644
index 0000000..a738875
--- /dev/null
+++ b/ci/go-ossf-slsa3-publish.yml
@@ -0,0 +1,38 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow lets you compile your Go project using a SLSA3 compliant builder.
+# This workflow will generate a so-called "provenance" file describing the steps
+# that were performed to generate the final binary.
+# The project is an initiative of the OpenSSF (openssf.org) and is developed at
+# https://github.com/slsa-framework/slsa-github-generator.
+# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
+# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
+
+name: SLSA Go releaser
+on:
+ workflow_dispatch:
+ release:
+ types: [created]
+
+permissions: read-all
+
+jobs:
+ # ========================================================================================================================================
+ # Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project.
+ # See format in https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file
+ #=========================================================================================================================================
+ build:
+ permissions:
+ id-token: write # To sign.
+ contents: write # To upload release assets.
+ actions: read # To read workflow path.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.0
+ with:
+ go-version: 1.17
+ # =============================================================================================================
+ # Optional: For more options, see https://github.com/slsa-framework/slsa-github-generator#golang-projects
+ # =============================================================================================================
+
diff --git a/ci/go.yml b/ci/go.yml
index afff652..bb3ec96 100644
--- a/ci/go.yml
+++ b/ci/go.yml
@@ -11,12 +11,12 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Go
- uses: actions/setup-go@v2
+ uses: actions/setup-go@v3
with:
- go-version: 1.17
+ go-version: 1.18
- name: Build
run: go build -v ./...
diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml
index a74a1ce..42eae27 100644
--- a/ci/gradle-publish.yml
+++ b/ci/gradle-publish.yml
@@ -1,3 +1,7 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
# This workflow will build a package using Gradle and then publish it to GitHub packages when a release is created
# For more information see: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#Publishing-using-gradle
@@ -16,22 +20,26 @@ jobs:
packages: write
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
- distribution: 'adopt'
+ distribution: 'temurin'
server-id: github # Value of the distributionManagement/repository/id field of the pom.xml
settings-path: ${{ github.workspace }} # location for the settings.xml file
- name: Build with Gradle
- run: gradle build
+ uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
+ with:
+ arguments: build
# The USERNAME and TOKEN need to correspond to the credentials environment variables used in
# the publishing section of your build.gradle
- name: Publish to GitHub Packages
- run: gradle publish
+ uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
+ with:
+ arguments: publish
env:
USERNAME: ${{ github.actor }}
TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/ci/gradle.yml b/ci/gradle.yml
index 5ecabba..0c0f12c 100644
--- a/ci/gradle.yml
+++ b/ci/gradle.yml
@@ -1,3 +1,7 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
# This workflow will build a Java project with Gradle and cache/restore any dependencies to improve the workflow execution time
# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle
@@ -9,20 +13,22 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
- distribution: 'adopt'
- cache: gradle
- - name: Grant execute permission for gradlew
- run: chmod +x gradlew
+ distribution: 'temurin'
- name: Build with Gradle
- run: ./gradlew build
+ uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
+ with:
+ arguments: build
diff --git a/ci/haskell.yml b/ci/haskell.yml
index c1d7dc7..5693f90 100644
--- a/ci/haskell.yml
+++ b/ci/haskell.yml
@@ -6,20 +6,23 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- uses: actions/setup-haskell@v1
with:
ghc-version: '8.10.3'
cabal-version: '3.2'
- name: Cache
- uses: actions/cache@v1
+ uses: actions/cache@v3
env:
cache-name: cache-cabal
with:
diff --git a/ci/ios.yml b/ci/ios.yml
index ab92d32..693a7d5 100644
--- a/ci/ios.yml
+++ b/ci/ios.yml
@@ -13,7 +13,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Set Default Scheme
run: |
scheme_list=$(xcodebuild -list -json | tr -d "\n")
@@ -26,7 +26,7 @@ jobs:
platform: ${{ 'iOS Simulator' }}
run: |
# xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959)
- device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'`
+ device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}' | sed -e "s/ Simulator$//"`
if [ $scheme = default ]; then scheme=$(cat default); fi
if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi
file_to_build=`echo $file_to_build | awk '{$1=$1;print}'`
@@ -37,7 +37,7 @@ jobs:
platform: ${{ 'iOS Simulator' }}
run: |
# xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959)
- device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'`
+ device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}' | sed -e "s/ Simulator$//"`
if [ $scheme = default ]; then scheme=$(cat default); fi
if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi
file_to_build=`echo $file_to_build | awk '{$1=$1;print}'`
diff --git a/ci/jekyll.yml b/ci/jekyll.yml
index 71920c1..6a98dea 100644
--- a/ci/jekyll.yml
+++ b/ci/jekyll.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Build the site in the jekyll/builder container
run: |
docker run \
diff --git a/ci/laravel.yml b/ci/laravel.yml
index 5f4e6c9..e778d7b 100644
--- a/ci/laravel.yml
+++ b/ci/laravel.yml
@@ -15,7 +15,7 @@ jobs:
- uses: shivammathur/setup-php@15c43e89cdef867065b0213be354c2841860869e
with:
php-version: '8.0'
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Copy .env
run: php -r "file_exists('.env') || copy('.env.example', '.env');"
- name: Install Dependencies
diff --git a/ci/makefile.yml b/ci/makefile.yml
index eafe622..0156944 100644
--- a/ci/makefile.yml
+++ b/ci/makefile.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: configure
run: ./configure
diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml
index 18dd937..dab69fe 100644
--- a/ci/maven-publish.yml
+++ b/ci/maven-publish.yml
@@ -16,12 +16,12 @@ jobs:
packages: write
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
- distribution: 'adopt'
+ distribution: 'temurin'
server-id: github # Value of the distributionManagement/repository/id field of the pom.xml
settings-path: ${{ github.workspace }} # location for the settings.xml file
diff --git a/ci/maven.yml b/ci/maven.yml
index ac3b6de..65e0dff 100644
--- a/ci/maven.yml
+++ b/ci/maven.yml
@@ -15,12 +15,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
- distribution: 'adopt'
+ distribution: 'temurin'
cache: maven
- name: Build with Maven
run: mvn -B package --file pom.xml
diff --git a/ci/msbuild.yml b/ci/msbuild.yml
index 29b6ace..c50354e 100644
--- a/ci/msbuild.yml
+++ b/ci/msbuild.yml
@@ -1,6 +1,10 @@
name: MSBuild
-on: [push]
+on:
+ push:
+ branches: [ $default-branch ]
+ pull_request:
+ branches: [ $default-branch ]
env:
# Path to the solution file relative to the root of the project.
@@ -11,12 +15,15 @@ env:
# https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
BUILD_CONFIGURATION: Release
+permissions:
+ contents: read
+
jobs:
build:
runs-on: windows-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Add MSBuild to PATH
uses: microsoft/setup-msbuild@v1.0.2
diff --git a/ci/node.js.yml b/ci/node.js.yml
index 89b24fe..87ef0d8 100644
--- a/ci/node.js.yml
+++ b/ci/node.js.yml
@@ -1,4 +1,4 @@
-# This workflow will do a clean install of node dependencies, cache/restore them, build the source code and run tests across different versions of node
+# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
name: Node.js CI
@@ -20,9 +20,9 @@ jobs:
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v2
+ uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
cache: 'npm'
diff --git a/ci/npm-grunt.yml b/ci/npm-grunt.yml
index 8c83cb6..eda97e1 100644
--- a/ci/npm-grunt.yml
+++ b/ci/npm-grunt.yml
@@ -15,10 +15,10 @@ jobs:
node-version: [12.x, 14.x, 16.x]
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v1
+ uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
diff --git a/ci/npm-gulp.yml b/ci/npm-gulp.yml
index cc5da13..504f22e 100644
--- a/ci/npm-gulp.yml
+++ b/ci/npm-gulp.yml
@@ -15,10 +15,10 @@ jobs:
node-version: [12.x, 14.x, 16.x]
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v1
+ uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
diff --git a/ci/npm-publish-github-packages.yml b/ci/npm-publish-github-packages.yml
new file mode 100644
index 0000000..638ccf8
--- /dev/null
+++ b/ci/npm-publish-github-packages.yml
@@ -0,0 +1,36 @@
+# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
+# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages
+
+name: Node.js Package
+
+on:
+ release:
+ types: [created]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: actions/setup-node@v3
+ with:
+ node-version: 16
+ - run: npm ci
+ - run: npm test
+
+ publish-gpr:
+ needs: build
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - uses: actions/checkout@v3
+ - uses: actions/setup-node@v3
+ with:
+ node-version: 16
+ registry-url: $registry-url(npm)
+ - run: npm ci
+ - run: npm publish
+ env:
+ NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml
index 025976d..c461c85 100644
--- a/ci/npm-publish.yml
+++ b/ci/npm-publish.yml
@@ -11,10 +11,10 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-node@v2
+ - uses: actions/checkout@v3
+ - uses: actions/setup-node@v3
with:
- node-version: 14
+ node-version: 16
- run: npm ci
- run: npm test
@@ -22,29 +22,12 @@ jobs:
needs: build
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-node@v2
+ - uses: actions/checkout@v3
+ - uses: actions/setup-node@v3
with:
- node-version: 14
+ node-version: 16
registry-url: https://registry.npmjs.org/
- run: npm ci
- run: npm publish
env:
NODE_AUTH_TOKEN: ${{secrets.npm_token}}
-
- publish-gpr:
- needs: build
- runs-on: ubuntu-latest
- permissions:
- contents: read
- packages: write
- steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-node@v2
- with:
- node-version: 14
- registry-url: $registry-url(npm)
- - run: npm ci
- - run: npm publish
- env:
- NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/ci/objective-c-xcode.yml b/ci/objective-c-xcode.yml
index db009b0..1373878 100644
--- a/ci/objective-c-xcode.yml
+++ b/ci/objective-c-xcode.yml
@@ -13,7 +13,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Set Default Scheme
run: |
scheme_list=$(xcodebuild -list -json | tr -d "\n")
diff --git a/ci/php.yml b/ci/php.yml
index 6acfdd1..a3bdfd7 100644
--- a/ci/php.yml
+++ b/ci/php.yml
@@ -6,20 +6,23 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Validate composer.json and composer.lock
run: composer validate --strict
- name: Cache Composer packages
id: composer-cache
- uses: actions/cache@v2
+ uses: actions/cache@v3
with:
path: vendor
key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }}
diff --git a/ci/properties/datadog-synthetics.properties.json b/ci/properties/datadog-synthetics.properties.json
new file mode 100644
index 0000000..edbb086
--- /dev/null
+++ b/ci/properties/datadog-synthetics.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Datadog Synthetics",
+ "description": "Run Datadog Synthetic tests within your GitHub Actions workflow",
+ "creator": "Datadog",
+ "iconName": "datadog",
+ "categories": ["Continuous integration", "JavaScript", "TypeScript", "Testing"]
+}
diff --git a/ci/properties/go-ossf-slsa3-publish.properties.json b/ci/properties/go-ossf-slsa3-publish.properties.json
new file mode 100644
index 0000000..2d58eaf
--- /dev/null
+++ b/ci/properties/go-ossf-slsa3-publish.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "SLSA Go releaser",
+ "creator": "Open Source Security Foundation (OpenSSF)",
+ "description": "Compile your Go project using a SLSA3 compliant builder",
+ "iconName": "go-ossf-slsa3-publish",
+ "categories": ["Continuous integration", "Go"]
+}
diff --git a/ci/properties/npm-publish-github-packages.properties.json b/ci/properties/npm-publish-github-packages.properties.json
new file mode 100644
index 0000000..180b73a
--- /dev/null
+++ b/ci/properties/npm-publish-github-packages.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "Publish Node.js Package to GitHub Packages",
+ "description": "Publishes a Node.js package to GitHub Packages.",
+ "iconName": "node-package-transparent",
+ "categories": ["Continuous integration", "JavaScript", "npm"]
+}
diff --git a/ci/properties/npm-publish.properties.json b/ci/properties/npm-publish.properties.json
index 9371d7b..cc2c707 100644
--- a/ci/properties/npm-publish.properties.json
+++ b/ci/properties/npm-publish.properties.json
@@ -1,6 +1,6 @@
{
"name": "Publish Node.js Package",
- "description": "Publishes a Node.js package to npm and GitHub Packages.",
+ "description": "Publishes a Node.js package to npm.",
"iconName": "node-package-transparent",
"categories": ["Continuous integration", "JavaScript", "npm"]
}
diff --git a/ci/properties/rubyonrails-lint.properties.json b/ci/properties/rubyonrails-lint.properties.json
deleted file mode 100644
index e6e5f69..0000000
--- a/ci/properties/rubyonrails-lint.properties.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "name": "Rails - Install Dependencies and Run Linters",
- "description": "Install dependencies and run linters on Rails application",
- "iconName": "ruby",
- "categories": ["Continuous integration", "Ruby", "Rails"]
-}
diff --git a/ci/properties/rubyonrails.properties.json b/ci/properties/rubyonrails.properties.json
new file mode 100644
index 0000000..7a2c18a
--- /dev/null
+++ b/ci/properties/rubyonrails.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "Ruby on Rails",
+ "description": "Build, lint, and test a Rails application",
+ "iconName": "rails",
+ "categories": ["Continuous integration", "Ruby", "Rails"]
+}
diff --git a/ci/pylint.yml b/ci/pylint.yml
index 10c49c6..383e65c 100644
--- a/ci/pylint.yml
+++ b/ci/pylint.yml
@@ -9,9 +9,9 @@ jobs:
matrix:
python-version: ["3.8", "3.9", "3.10"]
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: ${{ matrix.python-version }}
- name: Install dependencies
@@ -20,4 +20,4 @@ jobs:
pip install pylint
- name: Analysing the code with pylint
run: |
- pylint `ls -R|grep .py$|xargs`
+ pylint $(git ls-files '*.py')
diff --git a/ci/python-app.yml b/ci/python-app.yml
index 2cfc2a3..4b7fa5f 100644
--- a/ci/python-app.yml
+++ b/ci/python-app.yml
@@ -9,15 +9,18 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python 3.10
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: "3.10"
- name: Install dependencies
diff --git a/ci/python-package-conda.yml b/ci/python-package-conda.yml
index 9bd6d2b..57940bd 100644
--- a/ci/python-package-conda.yml
+++ b/ci/python-package-conda.yml
@@ -9,9 +9,9 @@ jobs:
max-parallel: 5
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python 3.10
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: 3.10
- name: Add conda to system path
diff --git a/ci/python-package.yml b/ci/python-package.yml
index b0a63cf..583a366 100644
--- a/ci/python-package.yml
+++ b/ci/python-package.yml
@@ -19,9 +19,9 @@ jobs:
python-version: ["3.8", "3.9", "3.10"]
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: ${{ matrix.python-version }}
- name: Install dependencies
diff --git a/ci/python-publish.yml b/ci/python-publish.yml
index 3bfabfc..ec70354 100644
--- a/ci/python-publish.yml
+++ b/ci/python-publish.yml
@@ -12,15 +12,18 @@ on:
release:
types: [published]
+permissions:
+ contents: read
+
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: '3.x'
- name: Install dependencies
diff --git a/ci/r.yml b/ci/r.yml
index 305c2cf..68f02d7 100644
--- a/ci/r.yml
+++ b/ci/r.yml
@@ -14,6 +14,9 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: macos-latest
@@ -22,7 +25,7 @@ jobs:
r-version: ['3.6.3', '4.1.1']
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up R ${{ matrix.r-version }}
uses: r-lib/actions/setup-r@f57f1301a053485946083d7a45022b278929a78a
with:
diff --git a/ci/ruby.yml b/ci/ruby.yml
index f6ae1e3..6340760 100644
--- a/ci/ruby.yml
+++ b/ci/ruby.yml
@@ -13,6 +13,9 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
test:
@@ -22,12 +25,12 @@ jobs:
ruby-version: ['2.6', '2.7', '3.0']
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Ruby
# To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
# change this to (see https://github.com/ruby/setup-ruby#versioning):
# uses: ruby/setup-ruby@v1
- uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e
+ uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
with:
ruby-version: ${{ matrix.ruby-version }}
bundler-cache: true # runs 'bundle install' and caches installed gems automatically
diff --git a/ci/rubyonrails-lint.yml b/ci/rubyonrails-lint.yml
deleted file mode 100644
index d95b70e..0000000
--- a/ci/rubyonrails-lint.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-# This workflow will download a prebuilt Ruby version, install dependencies, and run linters
-name: Rails - Install dependencies and run linters
-
-on:
- push:
- branches: [ $default-branch ]
- pull_request:
- branches: [ $default-branch ]
-jobs:
- run-lint:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout code
- uses: actions/checkout@v2
-
- - name: Setup Ruby and install gems
- uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e
- with:
- bundler-cache: true
- # Add or Replace any other security checks here
- - name: Run security checks
- run: |
- bin/bundler-audit --update
- bin/brakeman -q -w2
- # Add or Replace any other Linters here
- - name: Run linters
- run: |
- bin/rubocop --parallel
\ No newline at end of file
diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml
new file mode 100644
index 0000000..958a104
--- /dev/null
+++ b/ci/rubyonrails.yml
@@ -0,0 +1,58 @@
+# This workflow uses actions that are not certified by GitHub. They are
+# provided by a third-party and are governed by separate terms of service,
+# privacy policy, and support documentation.
+#
+# This workflow will install a prebuilt Ruby version, install dependencies, and
+# run tests and linters.
+name: "Ruby on Rails CI"
+on:
+ push:
+ branches: [ $default-branch ]
+ pull_request:
+ branches: [ $default-branch ]
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ services:
+ postgres:
+ image: postgres:11-alpine
+ ports:
+ - "5432:5432"
+ env:
+ POSTGRES_DB: rails_test
+ POSTGRES_USER: rails
+ POSTGRES_PASSWORD: password
+ env:
+ RAILS_ENV: test
+ DATABASE_URL: "postgres://rails:password@localhost:5432/rails_test"
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+ # Add or replace dependency steps here
+ - name: Install Ruby and gems
+ uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
+ with:
+ bundler-cache: true
+ # Add or replace database setup steps here
+ - name: Set up database schema
+ run: bin/rails db:schema:load
+ # Add or replace test runners here
+ - name: Run tests
+ run: bin/rake
+
+ lint:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+ - name: Install Ruby and gems
+ uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
+ with:
+ bundler-cache: true
+ # Add or replace any other lints here
+ - name: Security audit dependencies
+ run: bin/bundler-audit --update
+ - name: Security audit application code
+ run: bin/brakeman -q -w2
+ - name: Lint Ruby files
+ run: bin/rubocop --parallel
diff --git a/ci/rust.yml b/ci/rust.yml
index 6c82c61..d51f1af 100644
--- a/ci/rust.yml
+++ b/ci/rust.yml
@@ -15,7 +15,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Build
run: cargo build --verbose
- name: Run tests
diff --git a/ci/scala.yml b/ci/scala.yml
index 4a3c112..6f80a22 100644
--- a/ci/scala.yml
+++ b/ci/scala.yml
@@ -6,17 +6,21 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
- distribution: 'adopt'
+ distribution: 'temurin'
+ cache: 'sbt'
- name: Run tests
run: sbt test
diff --git a/ci/super-linter.yml b/ci/super-linter.yml
index bebd82d..275b34f 100644
--- a/ci/super-linter.yml
+++ b/ci/super-linter.yml
@@ -16,7 +16,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
with:
# Full git history is needed to get a proper list of changed files within `super-linter`
fetch-depth: 0
diff --git a/ci/swift.yml b/ci/swift.yml
index df062b5..3668fc0 100644
--- a/ci/swift.yml
+++ b/ci/swift.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: macos-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Build
run: swift build -v
- name: Run tests
diff --git a/ci/symfony.yml b/ci/symfony.yml
index 7d1ca74..d1ac71a 100644
--- a/ci/symfony.yml
+++ b/ci/symfony.yml
@@ -6,6 +6,9 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
symfony-tests:
runs-on: ubuntu-latest
@@ -16,12 +19,12 @@ jobs:
- uses: shivammathur/setup-php@2cb9b829437ee246e9b3cac53555a39208ca6d28
with:
php-version: '8.0'
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Copy .env.test.local
run: php -r "file_exists('.env.test.local') || copy('.env.test', '.env.test.local');"
- name: Cache Composer packages
id: composer-cache
- uses: actions/cache@v2
+ uses: actions/cache@v3
with:
path: vendor
key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }}
diff --git a/ci/webpack.yml b/ci/webpack.yml
index 8edb34f..6449fe7 100644
--- a/ci/webpack.yml
+++ b/ci/webpack.yml
@@ -15,10 +15,10 @@ jobs:
node-version: [12.x, 14.x, 16.x]
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v1
+ uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
diff --git a/code-scanning/anchore-syft.yml b/code-scanning/anchore-syft.yml
new file mode 100644
index 0000000..8180622
--- /dev/null
+++ b/code-scanning/anchore-syft.yml
@@ -0,0 +1,38 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow checks out code, builds an image, performs a container image
+# scan with Anchore's Syft tool, and uploads the results to the GitHub Dependency
+# submission API.
+
+# For more information on the Anchore sbom-action usage
+# and parameters, see https://github.com/anchore/sbom-action. For more
+# information about the Anchore SBOM tool, Syft, see
+# https://github.com/anchore/syft
+name: Anchore Syft SBOM scan
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+
+permissions:
+ contents: write
+
+jobs:
+ Anchore-Build-Scan:
+ permissions:
+ contents: write # required to upload to the Dependency submission API
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout the code
+ uses: actions/checkout@v3
+ - name: Build the Docker image
+ run: docker build . --file Dockerfile --tag localbuild/testimage:latest
+ - name: Scan the image and upload dependency results
+ uses: anchore/sbom-action@bb716408e75840bbb01e839347cd213767269d4a
+ with:
+ image: "localbuild/testimage:latest"
+ artifact-name: image.spdx.json
+ dependency-snapshot: true
diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml
index d90f68c..a3d2eed 100644
--- a/code-scanning/anchore.yml
+++ b/code-scanning/anchore.yml
@@ -20,12 +20,19 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
Anchore-Build-Scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- name: Checkout the code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Build the Docker image
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
- name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
@@ -33,7 +40,8 @@ jobs:
with:
image: "localbuild/testimage:latest"
acs-report-enable: true
+ fail-build: false
- name: Upload Anchore Scan Report
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
- sarif_file: results.sarif
\ No newline at end of file
+ sarif_file: results.sarif
diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml
index 65a6baf..4bd22d8 100644
--- a/code-scanning/apisec-scan.yml
+++ b/code-scanning/apisec-scan.yml
@@ -42,8 +42,14 @@ on:
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
+
Trigger_APIsec_scan:
+ permissions:
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
@@ -59,6 +65,6 @@ jobs:
# The name of the sarif format result file The file is written only if this property is provided.
sarif-result-file: "apisec-results.sarif"
- name: Import results
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
- sarif_file: ./apisec-results.sarif
\ No newline at end of file
+ sarif_file: ./apisec-results.sarif
diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml
index ae5215a..b04cabf 100644
--- a/code-scanning/brakeman.yml
+++ b/code-scanning/brakeman.yml
@@ -17,18 +17,24 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
brakeman-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Brakeman Scan
runs-on: ubuntu-latest
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Customize the ruby version depending on your needs
- name: Setup Ruby
- uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
+ uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
with:
ruby-version: '2.7'
@@ -46,6 +52,6 @@ jobs:
# Upload the SARIF file generated in the previous step
- name: Upload SARIF
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: output.sarif.json
diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml
index ee97108..e060654 100644
--- a/code-scanning/checkmarx.yml
+++ b/code-scanning/checkmarx.yml
@@ -17,28 +17,38 @@ on:
- cron: $cron-weekly
# A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action
+permissions:
+ contents: read
+
jobs:
# This workflow contains a single job called "build"
build:
# The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues
+ pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
# Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional)
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
# Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs
- name: Checkmarx CxFlow Action
- uses: checkmarx-ts/checkmarx-cxflow-github-action@04e6403dbbfee0fd3fb076e5791202c31c54fe6b
+ uses: checkmarx-ts/checkmarx-cxflow-github-action@49d8269b14ca87910ba003d47a31fa0c7a11f2fe
with:
- project: GithubActionTest
- team: '\CxServer\SP\Checkmarx'
+ project: ${{ secrets.CHECKMARX_PROJECT }}
+ team: ${{ secrets.CHECKMARX_TEAMS }}
checkmarx_url: ${{ secrets.CHECKMARX_URL }}
checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }}
checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }}
checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }}
+ scanners: sast
+ params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }}
# Upload the Report for CodeQL/Security Alerts
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: cx.sarif
diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml
new file mode 100644
index 0000000..3cfde14
--- /dev/null
+++ b/code-scanning/clj-holmes.yml
@@ -0,0 +1,43 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: clj-holmes
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ clj-holmes:
+ name: Run clj-holmes scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Scan code
+ uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb
+ with:
+ # rules-repository: 'git://org/private-rules-repo#main'
+ output-type: 'sarif'
+ output-file: 'clj-holmes-results.sarif'
+ fail-on-result: 'false'
+
+ - name: Upload analysis results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: ${{github.workspace}}/clj-holmes-results.sarif
+ wait-for-processing: true
diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml
new file mode 100644
index 0000000..2e4ab3c
--- /dev/null
+++ b/code-scanning/clj-watson.yml
@@ -0,0 +1,53 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# clj-watson scans dependencies in a clojure deps.edn
+# seeking for vulnerable direct/transitive dependencies and
+# build a report with all the information needed to help you
+# understand how the vulnerability manifest in your software.
+# More details at https://github.com/clj-holmes/clj-watson
+
+name: clj-watson
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ clj-holmes:
+ name: Run clj-watson scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Dependency scan
+ uses: clj-holmes/clj-watson-action@39b8ed306f2c125860cf6e69b6939363689f998c
+ with:
+ clj-watson-sha: "65d928c"
+ clj-watson-tag: "v4.0.1"
+ database-strategy: github-advisory
+ aliases: clojure-lsp,test
+ deps-edn-path: deps.edn
+ suggest-fix: true
+ output-type: sarif
+ output-file: clj-watson-results.sarif
+ fail-on-result: false
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ${{github.workspace}}/clj-watson-results.sarif
+ wait-for-processing: true
\ No newline at end of file
diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml
index 00e270a..4a0cd73 100644
--- a/code-scanning/cloudrail.yml
+++ b/code-scanning/cloudrail.yml
@@ -24,7 +24,7 @@ jobs:
steps:
- name: Clone repo
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# For Terraform, Cloudrail requires the plan as input. So we generate it using
# the Terraform core binary.
@@ -50,7 +50,7 @@ jobs:
cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
# Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always()
# is needed to ensure the SARIF file is uploaded
if: always()
diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml
index 50185ad..b74e449 100644
--- a/code-scanning/codacy.yml
+++ b/code-scanning/codacy.yml
@@ -22,14 +22,20 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
codacy-security-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Codacy Security Scan
runs-on: ubuntu-latest
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
- name: Run Codacy Analysis CLI
@@ -49,6 +55,6 @@ jobs:
# Upload the SARIF file generated in the previous step
- name: Upload SARIF results file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml
index 57b4b69..a113b59 100644
--- a/code-scanning/codeql.yml
+++ b/code-scanning/codeql.yml
@@ -34,37 +34,39 @@ jobs:
matrix:
language: [ $detected-codeql-languages ]
# CodeQL supports [ $supported-codeql-languages ]
- # Learn more about CodeQL language support at https://git.io/codeql-language-support
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
- uses: github/codeql-action/init@v1
+ uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
- # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+ # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
- uses: github/codeql-action/autobuild@v1
+ uses: github/codeql-action/autobuild@v2
# ℹ️ Command-line programs to run using the OS shell.
- # 📚 https://git.io/JvXDl
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
- # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
- # and modify them (or add more) to build your code if your project
- # uses a compiled language
+ # If the Autobuild fails above, remove it and uncomment the following three lines.
+ # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
- #- run: |
- # make bootstrap
- # make release
+ # - run: |
+ # echo "Run, Build Application using script"
+ # ./location_of_script_within_repo/buildscript.sh
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v1
+ uses: github/codeql-action/analyze@v2
diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml
index 5886843..92707b1 100644
--- a/code-scanning/codescan.yml
+++ b/code-scanning/codescan.yml
@@ -17,14 +17,20 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
CodeScan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Cache files
- uses: actions/cache@v2
+ uses: actions/cache@v3
with:
path: |
~/.sonar
@@ -37,6 +43,6 @@ jobs:
organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }}
projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }}
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: codescan.sarif
diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml
new file mode 100644
index 0000000..61ffd7a
--- /dev/null
+++ b/code-scanning/contrast-scan.yml
@@ -0,0 +1,52 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow will initiate a Contrast Scan on your built artifact, and subsequently upload the results SARIF to Github.
+# Because Contrast Scan is designed to run against your deployable artifact, you need to build an artifact that will be passed to the Contrast Scan Action.
+# Contrast Scan currently supports Java, JavaScript and .NET artifacts.
+# For more information about the Contrast Scan GitHub Action see here: https://github.com/Contrast-Security-OSS/contrastscan-action
+
+# Pre-requisites:
+# All Contrast related account secrets should be configured as GitHub secrets to be passed as inputs to the Contrast Scan Action.
+# The required secrets are CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID and CONTRAST_AUTH_HEADER.
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+name: Scan analyze workflow
+jobs:
+ build-and-scan:
+ permissions:
+ contents: read # for actions/checkout
+ security-events: write # for github/codeql-action/upload-sarif
+ runs-on: ubuntu-latest
+ # check out project
+ steps:
+ - uses: actions/checkout@v3
+ # Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here.
+ # -name: Build Project
+ # ...
+ # Scan Artifact
+ - name: Contrast Scan Action
+ uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1
+ with:
+ artifact: mypath/target/myartifact.jar # replace this path with the path to your built artifact
+ apiKey: ${{ secrets.CONTRAST_API_KEY }}
+ orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }}
+ authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }}
+ #Upload the results to GitHub
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output
diff --git a/code-scanning/crda.yml b/code-scanning/crda.yml
new file mode 100644
index 0000000..d5bb88f
--- /dev/null
+++ b/code-scanning/crda.yml
@@ -0,0 +1,126 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow performs a static analysis of your source code using
+# Red Hat CodeReady Dependency Analytics.
+
+# Scans are triggered:
+# 1. On every push to default and protected branches
+# 2. On every Pull Request targeting the default branch
+# 3. On a weekly schedule
+# 4. Manually, on demand, via the "workflow_dispatch" event
+
+# 💁 The CRDA Starter workflow will:
+# - Checkout your repository
+# - Setup the required tool stack
+# - Install the CRDA command line tool
+# - Auto detect the manifest file and install the project's dependencies
+# - Perform the security scan using CRDA
+# - Upload the SARIF result to the GitHub Code Scanning which can be viewed under the security tab
+# - Optionally upload the SARIF file as an artifact for the future reference
+
+# ℹ️ Configure your repository and the workflow with the following steps:
+# 1. Setup the tool stack based on the project's requirement.
+# Refer to: https://github.com/redhat-actions/crda/#1-set-up-the-tool-stack
+# 2. (Optional) CRDA action attempt to detect the language and install the
+# required dependencies for your project. If your project doesn't aligns
+# with the default dependency installation command mentioned here
+# https://github.com/redhat-actions/crda/#3-installing-dependencies.
+# Use the required inputs to setup the same
+# 3. (Optional) CRDA action attempts to detect the manifest file if it is
+# present in the root of the project and named as per the default mentioned
+# here https://github.com/redhat-actions/crda/#3-installing-dependencies.
+# If it deviates from the default, use the required inputs to setup the same
+# 4. Setup Authentication - Create the CRDA_KEY or SNYK_TOKEN.
+# Refer to: https://github.com/redhat-actions/crda/#4-set-up-authentication
+# 5. (Optional) Upload SARIF file as an Artifact to download and view
+# 6. Commit and push the workflow file to your default branch to trigger a workflow run.
+
+# 👋 Visit our GitHub organization at https://github.com/redhat-actions/ to see our actions and provide feedback.
+
+name: CRDA Scan
+
+# Controls when the workflow will run
+on:
+ # TODO: Customize trigger events based on your DevSecOps processes
+ #
+ # This workflow is made to run with OpenShift starter workflow
+ # https://github.com/actions/starter-workflows/blob/main/deployments/openshift.yml
+ # However, if you want to run this workflow as a standalone workflow, please
+ # uncomment the 'push' trigger below and configure it based on your requirements.
+ #
+ workflow_call:
+ secrets:
+ CRDA_KEY:
+ required: false
+ SNYK_TOKEN:
+ required: false
+ workflow_dispatch:
+
+ # push:
+ # branches: [ $default-branch, $protected-branches ]
+
+ # pull_request_target is used to securely share secret to the PR's workflow run.
+ # For more info visit: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
+ pull_request_target:
+ branches: [ $default-branch ]
+ types: [ assigned, opened, synchronize, reopened, labeled, edited ]
+
+permissions:
+ contents: read
+
+jobs:
+ crda-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for redhat-actions/crda to upload SARIF results
+ name: Scan project vulnerabilities with CRDA
+ runs-on: ubuntu-20.04
+ steps:
+
+ - name: Check out repository
+ uses: actions/checkout@v2
+
+ # *******************************************************************
+ # Required: Instructions to setup project
+ # 1. Setup Go, Java, Node.js or Python depending on your project type
+ # 2. Setup Actions are listed below, choose one from them:
+ # - Go: https://github.com/actions/setup-go
+ # - Java: https://github.com/actions/setup-java
+ # - Node.js: https://github.com/actions/setup-node
+ # - Python: https://github.com/actions/setup-python
+ #
+ # Example:
+ # - name: Setup Node
+ # uses: actions/setup-node@v2
+ # with:
+ # node-version: '14'
+
+ # https://github.com/redhat-actions/openshift-tools-installer/blob/main/README.md
+ - name: Install CRDA CLI
+ uses: redhat-actions/openshift-tools-installer@v1
+ with:
+ source: github
+ github_pat: ${{ github.token }}
+ # Choose the desired version of the CRDA CLI
+ crda: "latest"
+
+ ######################################################################################
+ # https://github.com/redhat-actions/crda/blob/main/README.md
+ #
+ # By default, CRDA will detect the manifest file and install the required dependencies
+ # using the standard command for the project type.
+ # If your project doesn't aligns with the defaults mentioned in this action, you will
+ # need to set few inputs that are described here:
+ # https://github.com/redhat-actions/crda/blob/main/README.md#3-installing-dependencies
+ # Visit https://github.com/redhat-actions/crda/#4-set-up-authentication to understand
+ # process to get a SNYK_TOKEN or a CRDA_KEY
+ - name: CRDA Scan
+ id: scan
+ uses: redhat-actions/crda@v1
+ with:
+ crda_key: ${{ secrets.CRDA_KEY }} # Either use crda_key or snyk_token
+ # snyk_token: ${{ secrets.SNYK_TOKEN }}
+ # upload_artifact: false # Set this to false to skip artifact upload
diff --git a/code-scanning/crunch42.yml b/code-scanning/crunch42.yml
index 1d44bf9..1ac846e 100644
--- a/code-scanning/crunch42.yml
+++ b/code-scanning/crunch42.yml
@@ -33,14 +33,20 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
rest-api-static-security-testing:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for 42Crunch/api-security-audit-action to upload results to Github Code Scanning
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: 42Crunch REST API Static Security Testing
- uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1
+ uses: 42Crunch/api-security-audit-action@f3a4f4d44ca6f538fe84361373d7a2a374018fdd
with:
# Please create free account at https://platform.42crunch.com/register
# Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml
new file mode 100644
index 0000000..fe461b4
--- /dev/null
+++ b/code-scanning/dependency-review.yml
@@ -0,0 +1,20 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout Repository'
+ uses: actions/checkout@v3
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@v2
diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml
index a8610c3..0c65813 100644
--- a/code-scanning/detekt.yml
+++ b/code-scanning/detekt.yml
@@ -45,7 +45,7 @@ jobs:
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
# Gets the download URL associated with the $DETEKT_RELEASE_TAG
- name: Get Detekt download URL
@@ -111,7 +111,7 @@ jobs:
)" > ${{ github.workspace }}/detekt.sarif.json
# Uploads results to GitHub repository using the upload-sarif action
- - uses: github/codeql-action/upload-sarif@v1
+ - uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: ${{ github.workspace }}/detekt.sarif.json
diff --git a/code-scanning/devskim.yml b/code-scanning/devskim.yml
index 3a5c45f..bf11261 100644
--- a/code-scanning/devskim.yml
+++ b/code-scanning/devskim.yml
@@ -23,12 +23,12 @@ jobs:
security-events: write
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Run DevSkim scanner
uses: microsoft/DevSkim-Action@v1
- name: Upload DevSkim scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: devskim-results.sarif
diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml
new file mode 100644
index 0000000..9067a7d
--- /dev/null
+++ b/code-scanning/eslint.yml
@@ -0,0 +1,49 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# ESLint is a tool for identifying and reporting on patterns
+# found in ECMAScript/JavaScript code.
+# More details at https://github.com/eslint/eslint
+# and https://eslint.org
+
+name: ESLint
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ eslint:
+ name: Run eslint scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Install ESLint
+ run: |
+ npm install eslint@8.10.0
+ npm install @microsoft/eslint-formatter-sarif@2.1.7
+
+ - name: Run ESLint
+ run: npx eslint .
+ --config .eslintrc.js
+ --ext .js,.jsx,.ts,.tsx
+ --format @microsoft/eslint-formatter-sarif
+ --output-file eslint-results.sarif
+ continue-on-error: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: eslint-results.sarif
+ wait-for-processing: true
\ No newline at end of file
diff --git a/code-scanning/flawfinder.yml b/code-scanning/flawfinder.yml
index 080953e..4ed8792 100644
--- a/code-scanning/flawfinder.yml
+++ b/code-scanning/flawfinder.yml
@@ -24,7 +24,7 @@ jobs:
security-events: write
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: flawfinder_scan
uses: david-a-wheeler/flawfinder@8e4a779ad59dbfaee5da586aa9210853b701959c
@@ -33,6 +33,6 @@ jobs:
output: 'flawfinder_results.sarif'
- name: Upload analysis results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{github.workspace}}/flawfinder_results.sarif
\ No newline at end of file
diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml
index d67d194..5e7c422 100644
--- a/code-scanning/fortify.yml
+++ b/code-scanning/fortify.yml
@@ -39,14 +39,15 @@ jobs:
steps:
# Check out source code
- name: Check Out Source Code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Java is required to run the various Fortify utilities.
# When scanning a Java application, please use the appropriate Java version for building your application.
- name: Setup Java
- uses: actions/setup-java@v1
+ uses: actions/setup-java@v3
with:
- java-version: 1.8
+ java-version: 8
+ distribution: 'temurin'
# Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml.
# TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints:
@@ -92,6 +93,6 @@ jobs:
# Import Fortify on Demand results to GitHub Security Code Scanning
- name: Import Results
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ./gh-fortify-sast.sarif
diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml
new file mode 100644
index 0000000..56725f5
--- /dev/null
+++ b/code-scanning/frogbot-scan-and-fix.yml
@@ -0,0 +1,59 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# Frogbot Scan and Fix does the following:
+# Automatically creates pull requests with fixes for vulnerable project dependencies.
+# Uses JFrog Xray to scan the project.
+# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
+
+name: "Frogbot Scan and Fix"
+on:
+ push:
+ branches:
+ # The scanning and creation of pull requests with fixes are triggered by pushing code to one of the these branches.
+ # You can edit the list of branches you wish to open fix pull requests on.
+ - "main"
+ - "master"
+permissions:
+ contents: write
+ pull-requests: write
+jobs:
+ create-fix-pull-requests:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ # Install prerequisites - uncomment the relevant one
+
+ # - uses: actions/setup-go@v3
+ # with:
+ # go-version: 1.17.x
+
+ # - uses: actions/setup-java@v3
+ # with:
+ # java-version: "11"
+ # distribution: "temurin"
+
+ # - uses: actions/setup-node@v3
+ # with:
+ # node-version: "16.x"
+
+
+ - uses: jfrog/frogbot@de3d42bf3a454ddf156632ae520a5ead49048416
+ env:
+ # [Mandatory]
+ # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
+ JF_URL: ${{ secrets.FROGBOT_URL }}
+
+ # [Mandatory if JF_USER and JF_PASSWORD are not provided]
+ # JFrog access token with 'read' permissions on Xray service
+ JF_ACCESS_TOKEN: ${{ secrets.FROGBOT_ACCESS_TOKEN }}
+
+ # [Mandatory]
+ # The GitHub token automatically generated for the job
+ JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ # [Mandatory if using npm]
+ # The command that installs the dependencies
+ # JF_INSTALL_DEPS_CMD: "npm i"
diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml
new file mode 100644
index 0000000..bdc71b4
--- /dev/null
+++ b/code-scanning/frogbot-scan-pr.yml
@@ -0,0 +1,75 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# Frogbot Scan Pull Request does the following:
+# Automatically scans new pull requests for security vulnerabilities.
+# Uses JFrog Xray to scan the project.
+# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
+
+name: "Frogbot Scan Pull Request"
+on:
+ pull_request_target:
+ types: [ opened, synchronize ]
+permissions:
+ pull-requests: write
+ contents: read
+jobs:
+ scan-pull-request:
+ runs-on: ubuntu-latest
+ # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the
+ # "frogbot" GitHub environment can approve the pull request to be scanned.
+ environment: frogbot
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ # Install prerequisites - uncomment the relevant ones
+
+ # - uses: actions/setup-go@v3
+ # with:
+ # go-version: 1.17.x
+
+ # - uses: actions/setup-java@v3
+ # with:
+ # java-version: "11"
+ # distribution: "temurin"
+
+ # - uses: actions/setup-node@v3
+ # with:
+ # node-version: "16.x"
+
+ # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request
+
+ - uses: jfrog/frogbot@de3d42bf3a454ddf156632ae520a5ead49048416
+ env:
+ # [Mandatory]
+ # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
+ JF_URL: ${{ secrets.JF_URL }}
+
+ # [Mandatory if JF_ACCESS_TOKEN is not provided]
+ # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
+ JF_USER: ${{ secrets.JF_USER }}
+
+ # [Mandatory if JF_ACCESS_TOKEN is not provided]
+ # JFrog password. Must be provided with JF_USER
+ JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
+
+ # [Mandatory]
+ # The GitHub token automatically generated for the job
+ JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ # [Mandatory if JF_USER and JF_PASSWORD are not provided]
+ # JFrog access token with 'read' permissions on Xray service
+ # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
+
+ # [Mandatory when using npm]
+ # The command that installs the dependencies
+ # JF_INSTALL_DEPS_CMD: "npm i"
+
+ # [Mandatory when using .NET]
+ # The command that installs the dependencies
+ # JF_INSTALL_DEPS_CMD: "dotnet restore"
+
+ # The full template list with full optional environment variables can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request
diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml
new file mode 100644
index 0000000..2f554e4
--- /dev/null
+++ b/code-scanning/hadolint.yml
@@ -0,0 +1,47 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# hadoint is a Dockerfile linter written in Haskell
+# that helps you build best practice Docker images.
+# More details at https://github.com/hadolint/hadolint
+
+name: Hadolint
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ hadolint:
+ name: Run hadolint scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Run hadolint
+ uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183
+ with:
+ dockerfile: ./Dockerfile
+ format: sarif
+ output-file: hadolint-results.sarif
+ no-fail: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: hadolint-results.sarif
+ wait-for-processing: true
\ No newline at end of file
diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml
index 1cad70c..c432673 100644
--- a/code-scanning/kubesec.yml
+++ b/code-scanning/kubesec.yml
@@ -24,7 +24,7 @@ jobs:
security-events: write
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Run kubesec scanner
uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14
@@ -36,6 +36,6 @@ jobs:
exit-code: "0"
- name: Upload Kubesec scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: kubesec-results.sarif
\ No newline at end of file
diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml
index 59d66a0..64fe71a 100644
--- a/code-scanning/mayhem-for-api.yml
+++ b/code-scanning/mayhem-for-api.yml
@@ -42,7 +42,7 @@ jobs:
contents: read
security-events: write
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
# Run your API in the background. Ideally, the API would run in debug
# mode & send stacktraces back on "500 Internal Server Error" responses
@@ -61,6 +61,6 @@ jobs:
sarif-report: mapi.sarif
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: mapi.sarif
diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml
index 689a1a0..6d2bfb8 100644
--- a/code-scanning/mobsf.yml
+++ b/code-scanning/mobsf.yml
@@ -13,15 +13,21 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
mobile-security:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Setup python
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: 3.8
@@ -31,6 +37,6 @@ jobs:
args: . --sarif --output results.sarif || true
- name: Upload mobsfscan report
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
- sarif_file: results.sarif
\ No newline at end of file
+ sarif_file: results.sarif
diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml
index 1503319..863fbcb 100644
--- a/code-scanning/msvc.yml
+++ b/code-scanning/msvc.yml
@@ -20,14 +20,20 @@ env:
# Path to the CMake build directory.
build: '${{ github.workspace }}/build'
+permissions:
+ contents: read
+
jobs:
analyze:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Analyze
runs-on: windows-latest
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Configure CMake
run: cmake -B ${{ env.build }}
@@ -47,13 +53,13 @@ jobs:
# Upload SARIF file to GitHub Code Scanning Alerts
- name: Upload SARIF to GitHub
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.run-analysis.outputs.sarif }}
# Upload SARIF file as an Artifact to download and view
# - name: Upload SARIF as an Artifact
- # uses: actions/upload-artifact@v2
+ # uses: actions/upload-artifact@v3
# with:
# name: sarif-file
# path: ${{ steps.run-analysis.outputs.sarif }}
diff --git a/code-scanning/neuralegion.yml b/code-scanning/neuralegion.yml
new file mode 100644
index 0000000..e24e14a
--- /dev/null
+++ b/code-scanning/neuralegion.yml
@@ -0,0 +1,175 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# Run a Nexploit Scan
+# This action runs a new security scan in Nexploit, or reruns an existing one.
+# Build Secure Apps & APIs. Fast.
+# [NeuraLegion](https://www.neuralegion.com) is a powerful dynamic application & API security testing (DAST) platform that security teams trust and developers love.
+# Automatically Tests Every Aspect of Your Apps & APIs
+# Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports
+# Seamlessly integrates with the Tools and Workflows You Already Use
+#
+# NeuraLegion works with your existing CI/CD pipelines – trigger scans on every commit, pull request or build with unit testing.
+# Spin-Up, Configure and Control Scans with Code
+# One file. One command. One scan. No UI needed.
+#
+# Super-Fast Scans
+#
+# Interacts with applications and APIs, instead of just crawling them and guessing.
+# Scans are fast as our AI-powered engine can understand application architecture and generate sophisticated and targeted attacks.
+#
+# No False Positives
+#
+# Stop chasing ghosts and wasting time. NeuraLegion doesn’t return false positives, so you can focus on releasing code.
+#
+# Comprehensive Security Testing
+#
+# NeuraLegion tests for all common vulnerabilities, such as SQL injection, CSRF, XSS, and XXE -- as well as uncommon vulnerabilities, such as business logic vulnerabilities.
+#
+# More information is available on NeuraLegion’s:
+# * [Website](https://www.neuralegion.com/)
+# * [Knowledge base](https://docs.neuralegion.com/docs/quickstart)
+# * [YouTube channel](https://www.youtube.com/channel/UCoIC0T1pmozq3eKLsUR2uUw)
+# * [GitHub Actions](https://github.com/marketplace?query=neuralegion+)
+#
+# Inputs
+#
+# `name`
+#
+# **Required**. Scan name.
+#
+# _Example:_ `name: GitHub scan ${{ github.sha }}`
+#
+# `api_token`
+#
+# **Required**. Your Nexploit API authorization token (key). You can generate it in the **Organization** section on [nexploit.app](https://nexploit.app/login). Find more information [here](https://kb.neuralegion.com/#/guide/np-web-ui/advanced-set-up/managing-org?id=managing-organization-apicli-authentication-tokens).
+#
+# _Example:_ `api_token: ${{ secrets.NEXPLOIT_TOKEN }}`
+#
+# `restart_scan`
+#
+# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).
Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements.
+#
+# _Example:_ `restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ)`
+#
+# `discovery_types`
+#
+# **Required**. Array of discovery types. The following types are available:
+# * `archive` - uses an uploaded HAR-file for a scan
+# * `crawler` - uses a crawler to define the attack surface for a scan
+# * `oas` - uses an uploaded OpenAPI schema for a scan
+# If no discovery type is specified, `crawler` is applied by default.
+#
+# _Example:_
+#
+# ```yml
+# discovery_types: |
+# [ "crawler", "archive" ]
+# ```
+#
+# `file_id`
+#
+# **Required** if the discovery type is set to `archive` or `oas`. ID of a HAR-file or an OpenAPI schema you want to use for a scan. You can get the ID of an uploaded HAR-file or an OpenAPI schema in the **Storage** section on [nexploit.app](https://nexploit.app/login).
+#
+# _Example:_
+#
+# ```
+# FILE_ID=$(nexploit-cli archive:upload \
+# --token ${{ secrets.NEXPLOIT_TOKEN }} \
+# --discard true \
+# ./example.har)
+# ```
+#
+# `crawler_urls`
+#
+# **Required** if the discovery type is set to `crawler`. Target URLs to be used by the crawler to define the attack surface.
+#
+# _Example:_
+#
+# ```
+# crawler_urls: |
+# [ "http://vulnerable-bank.com" ]
+# ```
+#
+# `hosts_filter`
+#
+# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan.
+#
+# Outputs
+#
+# `url`
+#
+# Url of the resulting scan
+#
+# `id`
+#
+# ID of the created scan. This ID could then be used to restart the scan, or for the following GitHub actions:
+# * [Nexploit Wait for Issues](https://github.com/marketplace/actions/nexploit-wait-for-issues)
+# * [Nexploit Stop Scan](https://github.com/marketplace/actions/nexploit-stop-scan)
+#
+# Example usage
+#
+# Start a new scan with parameters
+#
+# ```yml
+# steps:
+# - name: Start Nexploit Scan
+# id: start
+# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe
+# with:
+# api_token: ${{ secrets.NEXPLOIT_TOKEN }}
+# name: GitHub scan ${{ github.sha }}
+# discovery_types: |
+# [ "crawler", "archive" ]
+# crawler_urls: |
+# [ "http://vulnerable-bank.com" ]
+# file_id: LiYknMYSdbSZbqgMaC9Sj
+# hosts_filter: |
+# [ ]
+# - name: Get the output scan url
+# run: echo "The scan was started on ${{ steps.start.outputs.url }}"
+# ```
+#
+# Restart an existing scan
+#
+# ```yml
+# steps:
+# - name: Start Nexploit Scan
+# id: start
+# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe
+# with:
+# api_token: ${{ secrets.NEXPLOIT_TOKEN }}
+# name: GitHub scan ${{ github.sha }}
+# restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ
+# - name: Get the output scan url
+# run: echo "The scan was started on ${{ steps.start.outputs.url }}"
+
+
+name: "NeuraLegion"
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ neuralegion_scan:
+ runs-on: ubuntu-18.04
+ name: A job to run a Nexploit scan
+ steps:
+ - uses: actions/checkout@v2
+ - name: Start Nexploit Scan 🏁
+ id: start
+ uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe
+ with:
+ api_token: ${{ secrets.NEURALEGION_TOKEN }}
+ name: GitHub scan ${{ github.sha }}
+ discovery_types: |
+ [ "crawler" ]
+ crawler_urls: |
+ [ "https://brokencrystals.com" ] # ✏️ Update this to the url you wish to scan
diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml
index 8077f76..8c359b8 100644
--- a/code-scanning/njsscan.yml
+++ b/code-scanning/njsscan.yml
@@ -17,19 +17,25 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
njsscan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
name: njsscan code scanning
steps:
- name: Checkout the code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: nodejsscan scan
id: njsscan
uses: ajinabraham/njsscan-action@7237412fdd36af517e2745077cedbf9d6900d711
with:
args: '. --sarif --output results.sarif || true'
- name: Upload njsscan report
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
diff --git a/code-scanning/nowsecure.yml b/code-scanning/nowsecure.yml
index 92126bd..7b5ba8f 100644
--- a/code-scanning/nowsecure.yml
+++ b/code-scanning/nowsecure.yml
@@ -34,7 +34,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Build your application
run: ./gradlew assembleDebug # Update this to build your Android or iOS application
@@ -47,6 +47,6 @@ jobs:
group_id: {{ groupId }} # Update this to your desired Platform group ID
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: NowSecure.sarif
diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml
index b5aefa4..cbef5a2 100644
--- a/code-scanning/ossar.yml
+++ b/code-scanning/ossar.yml
@@ -17,15 +17,21 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
OSSAR-Scan:
# OSSAR runs on windows-latest.
# ubuntu-latest and macos-latest support coming soon
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: windows-latest
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Ensure a compatible version of dotnet is installed.
# The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201.
@@ -33,7 +39,7 @@ jobs:
# GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped.
# For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action:
# - name: Install .NET
- # uses: actions/setup-dotnet@v1
+ # uses: actions/setup-dotnet@v2
# with:
# dotnet-version: '3.1.x'
@@ -44,6 +50,6 @@ jobs:
# Upload results to the Security tab
- name: Upload OSSAR results
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.ossar.outputs.sarifFile }}
diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml
new file mode 100644
index 0000000..91f4b2d
--- /dev/null
+++ b/code-scanning/phpmd.yml
@@ -0,0 +1,56 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# PHPMD is a spin-off project of PHP Depend and
+# aims to be a PHP equivalent of the well known Java tool PMD.
+# What PHPMD does is: It takes a given PHP source code base
+# and look for several potential problems within that source.
+# These problems can be things like:
+# Possible bugs
+# Suboptimal code
+# Overcomplicated expressions
+# Unused parameters, methods, properties
+# More details at https://phpmd.org/
+
+name: PHPMD
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ PHPMD:
+ name: Run PHPMD scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Setup PHP
+ uses: shivammathur/setup-php@aa1fe473f9c687b6fb896056d771232c0bc41161
+ with:
+ coverage: none
+ tools: phpmd
+
+ - name: Run PHPMD
+ run: phpmd . sarif codesize --reportfile phpmd-results.sarif
+ continue-on-error: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: phpmd-results.sarif
+ wait-for-processing: true
diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml
new file mode 100644
index 0000000..a1e32c4
--- /dev/null
+++ b/code-scanning/pmd.yml
@@ -0,0 +1,42 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: pmd
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ pmd-code-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Set up JDK 11
+ uses: actions/setup-java@v3
+ with:
+ java-version: '11'
+ distribution: 'temurin'
+ - name: Run PMD
+ id: pmd
+ uses: pmd/pmd-github-action@967a81f8b657c87f7c3e96b62301cb1a48efef29
+ with:
+ rulesets: 'rulesets/java/quickstart.xml'
+ sourcePath: 'src/main/java'
+ analyzeModifiedFilesOnly: false
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: pmd-report.sarif
diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml
index dfbf452..1d72a9b 100644
--- a/code-scanning/powershell.yml
+++ b/code-scanning/powershell.yml
@@ -17,12 +17,18 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
build:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: PSScriptAnalyzer
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Run PSScriptAnalyzer
uses: microsoft/psscriptanalyzer-action@2044ae068e37d0161fa2127de04c19633882f061
@@ -37,6 +43,6 @@ jobs:
# Upload the SARIF file generated in the previous step
- name: Upload SARIF results file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml
index 5323d1b..6f2031b 100644
--- a/code-scanning/prisma.yml
+++ b/code-scanning/prisma.yml
@@ -21,13 +21,19 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
prisma_cloud_iac_scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
name: Run Prisma Cloud IaC Scan to check
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- id: iac-scan
name: Run Scan on CFT files in the repository
uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3
@@ -42,7 +48,7 @@ jobs:
# The service need to know the type of IaC being scanned
template_type: 'CFT'
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
# Results are generated only on a success or failure
# this is required since GitHub by default won't run the next step
# when the previous one has failed.
diff --git a/code-scanning/properties/anchore-syft.properties.json b/code-scanning/properties/anchore-syft.properties.json
new file mode 100644
index 0000000..815f8b2
--- /dev/null
+++ b/code-scanning/properties/anchore-syft.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Anchore Syft SBOM Scan",
+ "organization": "Anchore",
+ "description": "Produce Software Bills of Materials based on Anchore's open source Syft tool.",
+ "iconName": "anchore",
+ "categories": ["Code Scanning", "dockerfile", "dependency-management"]
+}
diff --git a/code-scanning/properties/apisec-scan.properties.json b/code-scanning/properties/apisec-scan.properties.json
index 9e7db58..b0872c8 100644
--- a/code-scanning/properties/apisec-scan.properties.json
+++ b/code-scanning/properties/apisec-scan.properties.json
@@ -1,7 +1,7 @@
{
"name": "APIsec Scan",
"creator": "APIsec",
- "description": "APIsec addresses the critical need to secure APIs before they reach production. APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs. Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities.",
+ "description": "APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs.",
"iconName": "apisec",
"categories": [
"Code Scanning",
diff --git a/code-scanning/properties/clj-holmes.properties.json b/code-scanning/properties/clj-holmes.properties.json
new file mode 100644
index 0000000..71f29c0
--- /dev/null
+++ b/code-scanning/properties/clj-holmes.properties.json
@@ -0,0 +1,10 @@
+{
+ "name": "clj-holmes",
+ "creator": "Matheus Bernardes",
+ "description": "A Static Application Security Testing tool to find vulnerable Clojure code via rules that use a simple pattern language.",
+ "iconName": "clj-holmes",
+ "categories": [
+ "Code Scanning",
+ "clojure"
+ ]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/clj-watson.properties.json b/code-scanning/properties/clj-watson.properties.json
new file mode 100644
index 0000000..966314a
--- /dev/null
+++ b/code-scanning/properties/clj-watson.properties.json
@@ -0,0 +1,9 @@
+{
+ "name": "clj-watson",
+ "description": "Scan Clojure/Clojurescript projects for vulnerable direct/transitive dependencies.",
+ "iconName": "clj-watson",
+ "categories": [
+ "Code Scanning",
+ "Clojure"
+ ]
+}
diff --git a/code-scanning/properties/cloudrail.properties.json b/code-scanning/properties/cloudrail.properties.json
index 830d966..e87f3ca 100644
--- a/code-scanning/properties/cloudrail.properties.json
+++ b/code-scanning/properties/cloudrail.properties.json
@@ -1,7 +1,7 @@
{
"name": "cloudrail",
"creator": "Indeni Cloudrail",
- "description": "Cloudrail can be used to scan your infrastructure-as-code files for potential security and compliance issues. The Cloudrail action is often used as part of both CI workflows (on pull_request) and on CD workflows to identify potential issues.",
+ "description": "Cloudrail can be used to scan your infrastructure-as-code files for potential security and compliance issues.",
"iconName": "cloudrail",
"categories": ["Code Scanning", "HCL"]
}
diff --git a/code-scanning/properties/contrast-scan.properties.json b/code-scanning/properties/contrast-scan.properties.json
new file mode 100644
index 0000000..67369b8
--- /dev/null
+++ b/code-scanning/properties/contrast-scan.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Contrast Scan",
+ "creator": "Contrast Security Inc",
+ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerabilities to the repository.",
+ "iconName": "contrast",
+ "categories": ["Code Scanning", "java", "javascript", "dotnet"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/crda.properties.json b/code-scanning/properties/crda.properties.json
new file mode 100644
index 0000000..9e1a7ac
--- /dev/null
+++ b/code-scanning/properties/crda.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Red Hat CodeReady Dependency Analytics",
+ "creator": "Red Hat",
+ "description": "Scan your project's dependencies with CodeReady Dependency Analytics.",
+ "iconName": "openshift",
+ "categories": ["Code Scanning", "Go", "Python", "Node.js", "Java"]
+}
diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json
new file mode 100644
index 0000000..c195c73
--- /dev/null
+++ b/code-scanning/properties/dependency-review.properties.json
@@ -0,0 +1,16 @@
+{
+ "name": "Dependency Review",
+ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable dependencies to the repository",
+ "iconName": "octicon mark-github",
+ "categories": [
+ "Dependency review",
+ "Dependency graph",
+ "Go",
+ "Java",
+ "JavaScript",
+ "TypeScript",
+ "Python",
+ "Ruby",
+ "Actions",
+ "PHP"]
+}
diff --git a/code-scanning/properties/detekt.properties.json b/code-scanning/properties/detekt.properties.json
index d51a6ad..c133cc1 100644
--- a/code-scanning/properties/detekt.properties.json
+++ b/code-scanning/properties/detekt.properties.json
@@ -3,7 +3,6 @@
"creator": "Detekt",
"description": "Static code analysis for Kotlin",
"iconName": "detekt",
- "categories": ["Code Scanning", "Kotlin"]
+ "categories": ["Code Scanning", "Kotlin"],
+ "enterprise": false
}
-
-
\ No newline at end of file
diff --git a/code-scanning/properties/eslint.properties.json b/code-scanning/properties/eslint.properties.json
new file mode 100644
index 0000000..a84646a
--- /dev/null
+++ b/code-scanning/properties/eslint.properties.json
@@ -0,0 +1,11 @@
+{
+ "name": "ESLint",
+ "description": "A tool for identifying and reporting the problems found in ECMAScript/JavaScript code.",
+ "iconName": "eslint",
+ "categories": [
+ "Code Scanning",
+ "JavaScript",
+ "EcmaScript",
+ "TypeScript"
+ ]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/frogbot-scan-and-fix.properties.json b/code-scanning/properties/frogbot-scan-and-fix.properties.json
new file mode 100644
index 0000000..a072c5a
--- /dev/null
+++ b/code-scanning/properties/frogbot-scan-and-fix.properties.json
@@ -0,0 +1,15 @@
+{
+ "name": "Frogbot Scan and Fix",
+ "description": "Automatically creates pull requests with fixes for vulnerable project dependencies. Uses JFrog Xray to scan the project. Included as part of JFrog's free subscription.",
+ "iconName": "frogbot",
+ "categories": [
+ "Code Scanning",
+ "Go Module",
+ "Maven POM",
+ "NPM Config",
+ "Gradle",
+ "C#",
+ "Python"
+ ],
+ "creator": "JFrog"
+}
diff --git a/code-scanning/properties/frogbot-scan-pr.properties.json b/code-scanning/properties/frogbot-scan-pr.properties.json
new file mode 100644
index 0000000..257f9d6
--- /dev/null
+++ b/code-scanning/properties/frogbot-scan-pr.properties.json
@@ -0,0 +1,15 @@
+{
+ "name": "Frogbot Scan Pull Request",
+ "description": "Automatically scans new pull requests for security vulnerabilities. Uses JFrog Xray to scan the project. Included as part of JFrog's free subscription.",
+ "iconName": "frogbot",
+ "categories": [
+ "Code Scanning",
+ "Go Module",
+ "Maven POM",
+ "NPM Config",
+ "Gradle",
+ "C#",
+ "Python"
+ ],
+ "creator": "JFrog"
+}
diff --git a/code-scanning/properties/hadolint.properties.json b/code-scanning/properties/hadolint.properties.json
new file mode 100644
index 0000000..b4f7141
--- /dev/null
+++ b/code-scanning/properties/hadolint.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "Haskell Dockerfile Linter",
+ "description": "A smarter Dockerfile linter that helps you build best practice Docker images.",
+ "iconName": "hadolint",
+ "categories": ["Code Scanning", "Dockerfile"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/neuralegion.properties.json b/code-scanning/properties/neuralegion.properties.json
new file mode 100644
index 0000000..ee64a52
--- /dev/null
+++ b/code-scanning/properties/neuralegion.properties.json
@@ -0,0 +1,24 @@
+{
+ "name": "NeuraLegion",
+ "creator": "NeuraLegion",
+ "description": "Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports",
+ "iconName": "neuralegion",
+ "categories": [
+ "Code Scanning",
+ "C",
+ "C#",
+ "C++",
+ "Go",
+ "Java",
+ "JavaScript",
+ "Kotlin",
+ "Objective C",
+ "PHP",
+ "Python",
+ "Ruby",
+ "Rust",
+ "Scala",
+ "Swift",
+ "TypeScript"
+ ]
+}
diff --git a/code-scanning/properties/phpmd.properties.json b/code-scanning/properties/phpmd.properties.json
new file mode 100644
index 0000000..bd95bf9
--- /dev/null
+++ b/code-scanning/properties/phpmd.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "PHPMD",
+ "description": "A spin-off project of PHP Depend and aims to be a PHP equivalent of the well known Java tool PMD.",
+ "iconName": "phpmd",
+ "categories": [ "Code Scanning", "PHP" ]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/pmd.properties.json b/code-scanning/properties/pmd.properties.json
new file mode 100644
index 0000000..b96ecb7
--- /dev/null
+++ b/code-scanning/properties/pmd.properties.json
@@ -0,0 +1,18 @@
+{
+ "name": "pmd",
+ "creator": "pmd",
+ "description": "PMD is a static source code analyzer. It supports Java, JavaScript, Apex and Visualforce, Modelica, PLSQL, Apache Velocity, XML, XSL, Scala.",
+ "iconName": "pmd",
+ "categories": [
+ "Code Scanning",
+ "Java",
+ "JavaScript",
+ "Apex",
+ "Modelica",
+ "PLSQL",
+ "Apache Velocity",
+ "XML",
+ "XSl",
+ "Scala"
+ ]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/puppet-lint.properties.json b/code-scanning/properties/puppet-lint.properties.json
new file mode 100644
index 0000000..62ebd9e
--- /dev/null
+++ b/code-scanning/properties/puppet-lint.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "puppet-lint",
+ "description": "Puppet Lint tests Puppet code against the recommended Puppet language style guide.",
+ "iconName": "puppet-lint",
+ "categories": [ "Code Scanning", "Puppet" ]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/pyre.properties.json b/code-scanning/properties/pyre.properties.json
new file mode 100644
index 0000000..bc12321
--- /dev/null
+++ b/code-scanning/properties/pyre.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Pyre",
+ "creator": "Meta",
+ "description": "Pyre is a performant type checker for Python compliant with PEP 484. Pyre can analyze codebases with millions of lines of code incrementally – providing instantaneous feedback to developers as they write code.",
+ "iconName": "pyre",
+ "categories": ["Code Scanning", "Python"]
+}
diff --git a/code-scanning/properties/pysa.properties.json b/code-scanning/properties/pysa.properties.json
new file mode 100644
index 0000000..1a61c40
--- /dev/null
+++ b/code-scanning/properties/pysa.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Pysa",
+ "creator": "Meta",
+ "description": "Python Static Analyzer (Pysa) is a security-focused static analysis tool that tracks flows of data from where they originate to where they terminate in a dangerous location.",
+ "iconName": "pysa",
+ "categories": ["Code Scanning", "Python"]
+}
diff --git a/code-scanning/properties/rust-clippy.properties.json b/code-scanning/properties/rust-clippy.properties.json
new file mode 100644
index 0000000..4737786
--- /dev/null
+++ b/code-scanning/properties/rust-clippy.properties.json
@@ -0,0 +1,9 @@
+{
+ "name": "rust-clippy",
+ "description": "A collection of lints to catch common mistakes and improve your Rust code.",
+ "iconName": "rust",
+ "categories": [
+ "Code Scanning",
+ "rust"
+ ]
+}
diff --git a/code-scanning/properties/scorecards.properties.json b/code-scanning/properties/scorecards.properties.json
new file mode 100644
index 0000000..a98834c
--- /dev/null
+++ b/code-scanning/properties/scorecards.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "OSSF Scorecards",
+ "creator": "Open Source Security Foundation (OpenSSF)",
+ "description": "Scorecards is a static supply-chain security analysis tool to assess the security posture of your project",
+ "iconName": "scorecards",
+ "categories": ["Code Scanning"]
+}
diff --git a/code-scanning/properties/shiftleft.properties.json b/code-scanning/properties/shiftleft.properties.json
deleted file mode 100644
index 1cb36c9..0000000
--- a/code-scanning/properties/shiftleft.properties.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "name": "Scan",
- "creator": "ShiftLeft",
- "description": "Scan is a free open-source security tool for modern DevOps teams from ShiftLeft.",
- "iconName": "shiftleft",
- "categories": ["Code Scanning"]
-}
\ No newline at end of file
diff --git a/code-scanning/properties/sobelow.properties.json b/code-scanning/properties/sobelow.properties.json
new file mode 100644
index 0000000..163e866
--- /dev/null
+++ b/code-scanning/properties/sobelow.properties.json
@@ -0,0 +1,11 @@
+{
+ "name": "Sobelow",
+ "creator": "nccgroup",
+ "description": "Sobelow is a security-focused static analysis tool for the Phoenix framework.",
+ "iconName": "sobelow",
+ "categories": [
+ "Code Scanning",
+ "Elixir"
+ ]
+ }
+
\ No newline at end of file
diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json
new file mode 100644
index 0000000..9b88a78
--- /dev/null
+++ b/code-scanning/properties/sonarcloud.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "SonarCloud",
+ "creator": "Sonar",
+ "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start cleaning your code in minutes!",
+ "iconName": "sonarcloud",
+ "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"]
+}
diff --git a/code-scanning/properties/soos-dast-scan.properties.json b/code-scanning/properties/soos-dast-scan.properties.json
new file mode 100644
index 0000000..6ef5121
--- /dev/null
+++ b/code-scanning/properties/soos-dast-scan.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "SOOS DAST Scan",
+ "creator": "SOOS",
+ "description": "SOOS DAST is the easy-to-integrate no-limit web vulnerability scanner. Integrate SOOS DAST with your CI pipeline to find vulnerabilities by scanning a web app or APIs.",
+ "iconName": "soos",
+ "categories": ["Code Scanning"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/veracode.properties.json b/code-scanning/properties/veracode.properties.json
new file mode 100644
index 0000000..e42ac9f
--- /dev/null
+++ b/code-scanning/properties/veracode.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Veracode Static Analysis",
+ "creator": "Veracode",
+ "description": "Get fast feedback on flaws with Veracode Static Analysis and the pipeline scan. Break the build based on flaw severity and CWE category.",
+ "iconName": "veracode",
+ "categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "c", "c++", "ruby", "swift", "go", "kotlin", "scala", "groovy", "tsql", "plsql", "perl", "cobol"]
+}
\ No newline at end of file
diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml
new file mode 100644
index 0000000..d41b65b
--- /dev/null
+++ b/code-scanning/puppet-lint.yml
@@ -0,0 +1,54 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# Puppet Lint tests Puppet code against the recommended Puppet language style guide.
+# https://puppet.com/docs/puppet/7/style_guide.html
+# Puppet Lint validates only code style; it does not validate syntax.
+# To test syntax, use Puppet's puppet parser validate command.
+# More details at https://github.com/puppetlabs/puppet-lint/
+
+name: puppet-lint
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ puppet-lint:
+ name: Run puppet-lint scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Setup Ruby
+ uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
+ with:
+ ruby-version: 2.7
+ bundler-cache: true
+
+ - name: Install puppet-lint
+ run: gem install puppet-lint
+
+ - name: Run puppet-lint
+ run: puppet-lint . --sarif > puppet-lint-results.sarif
+ continue-on-error: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: puppet-lint-results.sarif
+ wait-for-processing: true
diff --git a/code-scanning/pyre.yml b/code-scanning/pyre.yml
new file mode 100644
index 0000000..3c32e8b
--- /dev/null
+++ b/code-scanning/pyre.yml
@@ -0,0 +1,46 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow integrates Pyre with GitHub's
+# Code Scanning feature.
+#
+# Pyre is a performant type checker for Python compliant with
+# PEP 484. Pyre can analyze codebases with millions of lines
+# of code incrementally – providing instantaneous feedback
+# to developers as they write code.
+#
+# See https://pyre-check.org
+
+name: Pyre
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+
+permissions:
+ contents: read
+
+jobs:
+ pyre:
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ submodules: true
+
+ - name: Run Pyre
+ uses: facebook/pyre-action@60697a7858f7cc8470d8cc494a3cf2ad6b06560d
+ with:
+ # To customize these inputs:
+ # See https://github.com/facebook/pyre-action#inputs
+ repo-directory: './'
+ requirements-path: 'requirements.txt'
diff --git a/code-scanning/pysa.yml b/code-scanning/pysa.yml
new file mode 100644
index 0000000..a9e3c81
--- /dev/null
+++ b/code-scanning/pysa.yml
@@ -0,0 +1,50 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow integrates Python Static Analyzer (Pysa) with
+# GitHub's Code Scanning feature.
+#
+# Python Static Analyzer (Pysa) is a security-focused static
+# analysis tool that tracks flows of data from where they
+# originate to where they terminate in a dangerous location.
+#
+# See https://pyre-check.org/docs/pysa-basics/
+
+name: Pysa
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ pysa:
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ submodules: true
+
+ - name: Run Pysa
+ uses: facebook/pysa-action@f46a63777e59268613bd6e2ff4e29f144ca9e88b
+ with:
+ # To customize these inputs:
+ # See https://github.com/facebook/pysa-action#inputs
+ repo-directory: './'
+ requirements-path: 'requirements.txt'
+ infer-types: true
+ include-default-sapp-filters: true
diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml
index 373d5b6..8018ca1 100644
--- a/code-scanning/rubocop.yml
+++ b/code-scanning/rubocop.yml
@@ -23,12 +23,12 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# If running on a self-hosted runner, check it meets the requirements
# listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
- name: Set up Ruby
- uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
+ uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
with:
ruby-version: 2.6
@@ -47,6 +47,6 @@ jobs:
"
- name: Upload Sarif output
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: rubocop.sarif
diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml
new file mode 100644
index 0000000..e9c426a
--- /dev/null
+++ b/code-scanning/rust-clippy.yml
@@ -0,0 +1,54 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# rust-clippy is a tool that runs a bunch of lints to catch common
+# mistakes in your Rust code and help improve your Rust code.
+# More details at https://github.com/rust-lang/rust-clippy
+# and https://rust-lang.github.io/rust-clippy/
+
+name: rust-clippy analyze
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ rust-clippy-analyze:
+ name: Run rust-clippy analyzing
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Install Rust toolchain
+ uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af #@v1
+ with:
+ profile: minimal
+ toolchain: stable
+ components: clippy
+ override: true
+
+ - name: Install required cargo
+ run: cargo install clippy-sarif sarif-fmt
+
+ - name: Run rust-clippy
+ run:
+ cargo clippy
+ --all-features
+ --message-format=json | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt
+ continue-on-error: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: rust-clippy-results.sarif
+ wait-for-processing: true
\ No newline at end of file
diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml
new file mode 100644
index 0000000..e4f1d0f
--- /dev/null
+++ b/code-scanning/scorecards.yml
@@ -0,0 +1,62 @@
+name: Scorecards supply-chain security
+on:
+ # Only the default branch is supported.
+ branch_protection_rule:
+ schedule:
+ - cron: $cron-weekly
+ push:
+ branches: [ $default-branch ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecards analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Used to receive a badge. (Upcoming feature)
+ id-token: write
+ # Needs for private repositories.
+ contents: read
+ actions: read
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # tag=v1.1.1
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecards on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+
+ # Publish the results for public repositories to enable scorecard badges. For more details, see
+ # https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories, `publish_results` will automatically be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26
+ with:
+ sarif_file: results.sarif
diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml
index 3063c7a..b6ee5ad 100644
--- a/code-scanning/securitycodescan.yml
+++ b/code-scanning/securitycodescan.yml
@@ -21,7 +21,7 @@ jobs:
SCS:
runs-on: windows-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- uses: nuget/setup-nuget@04b0c2b8d1b97922f67eca497d7cf0bf17b8ffe1
- uses: microsoft/setup-msbuild@v1.0.2
@@ -38,4 +38,4 @@ jobs:
uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687
- name: Upload sarif
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml
index 827387b..fae9885 100644
--- a/code-scanning/semgrep.yml
+++ b/code-scanning/semgrep.yml
@@ -19,13 +19,19 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
semgrep:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Scan
runs-on: ubuntu-latest
steps:
# Checkout project source
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
# Scan code using project's configuration on https://semgrep.dev/manage
- uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735
@@ -36,7 +42,7 @@ jobs:
# Upload SARIF file generated in previous step
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: semgrep.sarif
if: always()
diff --git a/code-scanning/shiftleft.yml b/code-scanning/shiftleft.yml
deleted file mode 100644
index 48b86d3..0000000
--- a/code-scanning/shiftleft.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-# This workflow integrates Scan with GitHub's code scanning feature
-# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft
-# Visit https://slscan.io/en/latest/integrations/code-scan for help
-name: SL Scan
-
-on:
- push:
- branches: [ $default-branch, $protected-branches ]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: [ $default-branch ]
- schedule:
- - cron: $cron-weekly
-
-jobs:
- Scan-Build:
- # Scan runs on ubuntu, mac and windows
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- # Instructions
- # 1. Setup JDK, Node.js, Python etc depending on your project type
- # 2. Compile or build the project before invoking scan
- # Example: mvn compile, or npm install or pip install goes here
- # 3. Invoke Scan with the github token. Leave the workspace empty to use relative url
-
- - name: Perform Scan
- uses: ShiftLeftSecurity/scan-action@39af9e54bc599c8077e710291d790175c9231f64
- env:
- WORKSPACE: ""
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- SCAN_AUTO_BUILD: true
- with:
- output: reports
- # Scan auto-detects the languages in your project. To override uncomment the below variable and set the type
- # type: credscan,java
- # type: python
-
- - name: Upload report
- uses: github/codeql-action/upload-sarif@v1
- with:
- sarif_file: reports
diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml
index 8ff2c9a..0fbbf87 100644
--- a/code-scanning/snyk-container.yml
+++ b/code-scanning/snyk-container.yml
@@ -22,11 +22,17 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
snyk:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Build a Docker image
run: docker build -t your/image-to-test .
- name: Run Snyk to check Docker image for vulnerabilities
@@ -43,6 +49,6 @@ jobs:
image: your/image-to-test
args: --file=Dockerfile
- name: Upload result to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif
diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml
index b79bf34..a685323 100644
--- a/code-scanning/snyk-infrastructure.yml
+++ b/code-scanning/snyk-infrastructure.yml
@@ -21,11 +21,17 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
snyk:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Run Snyk to check configuration files for security issues
# Snyk can be used to break the build when it detects security issues.
# In this case we want to upload the issues to GitHub Code Scanning
@@ -42,6 +48,6 @@ jobs:
# or `main.tf` for a Terraform configuration file
file: your-file-to-test.yaml
- name: Upload result to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif
diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml
new file mode 100644
index 0000000..21cb6e7
--- /dev/null
+++ b/code-scanning/sobelow.yml
@@ -0,0 +1,40 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# Sobelow is a security-focused static analysis tool for the Phoenix framework. https://sobelow.io/
+#
+# To use this workflow, you must have GitHub Advanced Security (GHAS) enabled for your repository.
+#
+# Instructions:
+# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository
+# and review the "Security" tab once the action has run.
+name: Sobelow
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ security-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+ - id: run-action
+ uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912
+ - name: Upload report
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: results.sarif
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
new file mode 100644
index 0000000..ff388c8
--- /dev/null
+++ b/code-scanning/sonarcloud.yml
@@ -0,0 +1,68 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow helps you trigger a SonarCloud analysis of your code and populates
+# GitHub Code Scanning alerts with the vulnerabilities found.
+# Free for open source project.
+
+# 1. Login to SonarCloud.io using your GitHub account
+
+# 2. Import your project on SonarCloud
+# * Add your GitHub organization first, then add your repository as a new project.
+# * Please note that many languages are eligible for automatic analysis,
+# which means that the analysis will start automatically without the need to set up GitHub Actions.
+# * This behavior can be changed in Administration > Analysis Method.
+#
+# 3. Follow the SonarCloud in-product tutorial
+# * a. Copy/paste the Project Key and the Organization Key into the args parameter below
+# (You'll find this information in SonarCloud. Click on "Information" at the bottom left)
+#
+# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN
+# (On SonarCloud, click on your avatar on top-right > My account > Security
+# or go directly to https://sonarcloud.io/account/security/)
+
+# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/)
+# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9)
+
+name: SonarCloud analysis
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ workflow_dispatch:
+
+permissions:
+ pull-requests: read # allows SonarCloud to decorate PRs with analysis results
+
+jobs:
+ Analysis:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Analyze with SonarCloud
+
+ # You can pin the exact commit or the version.
+ # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
+ uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
+ with:
+ # Additional arguments for the sonarcloud scanner
+ args:
+ # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu)
+ # mandatory
+ -Dsonar.projectKey=
+ -Dsonar.organization=
+ # Comma-separated paths to directories containing main source files.
+ #-Dsonar.sources= # optional, default is project base directory
+ # When you need the analysis to take place in a directory other than the one from which it was launched
+ #-Dsonar.projectBaseDir= # optional, default is .
+ # Comma-separated paths to directories containing test source files.
+ #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
+ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
+ #-Dsonar.verbose= # optional, default is false
diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml
new file mode 100644
index 0000000..cf3b1b7
--- /dev/null
+++ b/code-scanning/soos-dast-scan.yml
@@ -0,0 +1,45 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# SOOS is the easy-to-integrate software security solution for your whole team, learn more at https://soos.io/
+#
+# To use this action you need to fill the following requirements:
+#
+# 1. Create an account on https://app.soos.io to obtain a Client ID and API Key (Free 30 days trials for both our SCA/DAST product).
+#
+# 2. Set up your API KEY/Client ID as Github Secrets named SOOS_CLIENT_ID & SOOS_API_KEY. (Also set SOOS_GITHUB_PAT with your Github Personal Access Token if you're going to use sarif upload)
+#
+
+name: "SOOS DAST Scan"
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+
+jobs:
+ soos:
+ permissions:
+ security-events: write # for uploading code scanning alert info
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ name: SOOS DAST Scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Run SOOS DAST Scan
+ uses: soos-io/soos-dast-github-action@b524e2cfbc4f4a5733153a7e624f569913f6c6e9
+ with:
+ client_id: ${{ secrets.SOOS_CLIENT_ID }}
+ api_key: ${{ secrets.SOOS_API_KEY }}
+ project_name: ""
+ scan_mode: "baseline"
+ target_url: "https://www.example.com/"
+ output_format: "sarif"
+ - name: Upload SOOS DAST SARIF Report
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: results.sarif
+
+
diff --git a/code-scanning/stackhawk.yml b/code-scanning/stackhawk.yml
index 9701b1f..64e9b9b 100644
--- a/code-scanning/stackhawk.yml
+++ b/code-scanning/stackhawk.yml
@@ -37,13 +37,19 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
stackhawk:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for stackhawk/hawkscan-action to upload code scanning alert info
name: StackHawk
runs-on: ubuntu-20.04
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Start your service
run: ./your-service.sh & # ✏️ Update this to run your own service to be scanned
diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml
index 0c1ff16..c32334c 100644
--- a/code-scanning/synopsys-io.yml
+++ b/code-scanning/synopsys-io.yml
@@ -25,7 +25,7 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Synopsys Intelligent Security Scan
id: prescription
@@ -71,7 +71,7 @@ jobs:
- name: Upload SARIF file
if: ${{steps.prescription.outputs.sastScan == 'true' }}
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: workflowengine-results.sarif.json
diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml
index 49841d7..f075a80 100644
--- a/code-scanning/sysdig-scan.yml
+++ b/code-scanning/sysdig-scan.yml
@@ -13,14 +13,21 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
build:
+ permissions:
+ checks: write # for sysdiglabs/scan-action to publish the checks
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Build the Docker image
# Tag image to be built
@@ -47,8 +54,8 @@ jobs:
# Sysdig inline scanner requires privileged rights
run-as-user: root
- - uses: github/codeql-action/upload-sarif@v1
+ - uses: github/codeql-action/upload-sarif@v2
#Upload SARIF file
if: always()
with:
- sarif_file: ${{ steps.scan.outputs.sarifReport }}
\ No newline at end of file
+ sarif_file: ${{ steps.scan.outputs.sarifReport }}
diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml
index 479f713..77f8156 100644
--- a/code-scanning/tfsec.yml
+++ b/code-scanning/tfsec.yml
@@ -24,15 +24,15 @@ jobs:
steps:
- name: Clone repo
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Run tfsec
- uses: tfsec/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f
+ uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f
with:
sarif_file: tfsec.sarif
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: tfsec.sarif
diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml
index f778492..63be947 100644
--- a/code-scanning/trivy.yml
+++ b/code-scanning/trivy.yml
@@ -14,20 +14,26 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
build:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Build
runs-on: "ubuntu-18.04"
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
+ uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'template'
@@ -36,6 +42,6 @@ jobs:
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml
new file mode 100644
index 0000000..b8a5b37
--- /dev/null
+++ b/code-scanning/veracode.yml
@@ -0,0 +1,58 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow will initiate a Veracode Static Analysis Pipeline scan, return a results.json and convert to SARIF for upload as a code scanning alert
+
+name: Veracode Static Analysis Pipeline Scan
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+permissions:
+ contents: read
+
+jobs:
+ # This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter
+ build-and-pipeline-scan:
+ # The type of runner that the job will run on
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ runs-on: ubuntu-latest
+ steps:
+
+ # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. Replace this section with your applications build steps
+ - uses: actions/checkout@v3
+ with:
+ repository: ''
+
+ - run: zip -r veracode-scan-target.zip ./
+
+ # download the Veracode Static Analysis Pipeline scan jar
+ - run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
+ - run: unzip -o pipeline-scan-LATEST.zip
+
+ - uses: actions/setup-java@v3
+ with:
+ java-version: 8
+ distribution: 'temurin'
+ - run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-scan-target.zip
+ continue-on-error: true
+ - name: Convert pipeline scan output to SARIF format
+ id: convert
+ uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be
+ with:
+ pipeline-results-json: results.json
+ - uses: github/codeql-action/upload-sarif@v2
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: veracode-results.sarif
diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml
index 3bfb9ed..3462eaa 100644
--- a/code-scanning/xanitizer.yml
+++ b/code-scanning/xanitizer.yml
@@ -42,22 +42,29 @@ on:
- cron: $cron-weekly
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
xanitizer-security-analysis:
# Xanitizer runs on ubuntu-latest and windows-latest.
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
# Check out the repository
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Set up the correct Java version for your project
# Please comment out, if your project does not contain Java source code.
- name: Set up JDK 11
- uses: actions/setup-java@v1
+ uses: actions/setup-java@v3
with:
java-version: 11
+ distribution: 'temurin'
# Compile the code for Java projects and get all libraries, e.g. via Maven
# Please adapt, if your project uses another build system to compile Java source code.
@@ -79,7 +86,7 @@ jobs:
license: ${{ secrets.XANITIZER_LICENSE }}
# Archiving the findings list reports
- - uses: actions/upload-artifact@v2
+ - uses: actions/upload-artifact@v3
with:
name: Xanitizer-Reports
path: |
@@ -87,6 +94,6 @@ jobs:
*-Findings-List.sarif
# Uploads the findings into the GitHub code scanning alert section using the upload-sarif action
- - uses: github/codeql-action/upload-sarif@v1
+ - uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: Xanitizer-Findings-List.sarif
diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml
index ded9178..d7c27d9 100644
--- a/deployments/alibabacloud.yml
+++ b/deployments/alibabacloud.yml
@@ -40,6 +40,9 @@ env:
ACR_EE_IMAGE: repo
ACR_EE_TAG: ${{ github.sha }}
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
@@ -47,7 +50,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# 1.1 Login to ACR
- name: Login to ACR with the AccessKey pair
@@ -74,7 +77,7 @@ jobs:
tag: "${{ env.TAG }}"
# 2.1 (Optional) Login to ACR EE
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Login to ACR EE with the AccessKey pair
uses: aliyun/acr-login@v1
with:
diff --git a/deployments/aws.yml b/deployments/aws.yml
index dab851f..47253bf 100644
--- a/deployments/aws.yml
+++ b/deployments/aws.yml
@@ -41,6 +41,9 @@ env:
CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the
# containerDefinitions section of your task definition
+permissions:
+ contents: read
+
jobs:
deploy:
name: Deploy
@@ -49,7 +52,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml
new file mode 100644
index 0000000..8b69065
--- /dev/null
+++ b/deployments/azure-container-webapp.yml
@@ -0,0 +1,87 @@
+# This workflow will build and push a Docker container to an Azure Web App when a commit is pushed to your default branch.
+#
+# This workflow assumes you have already created the target Azure App Service web app.
+# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-custom-container?tabs=dotnet&pivots=container-linux
+#
+# To configure this workflow:
+#
+# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal.
+# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials
+#
+# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret.
+# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret
+#
+# 3. Create a GitHub Personal access token with "repo" and "read:packages" permissions.
+#
+# 4. Create three app settings on your Azure Web app:
+# DOCKER_REGISTRY_SERVER_URL: Set this to "https://ghcr.io"
+# DOCKER_REGISTRY_SERVER_USERNAME: Set this to the GitHub username or organization that owns the repository
+# DOCKER_REGISTRY_SERVER_PASSWORD: Set this to the value of your PAT token from the previous step
+#
+# 5. Change the value for the AZURE_WEBAPP_NAME.
+#
+# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions
+# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy
+# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples
+
+name: Build and deploy a container to an Azure Web App
+
+env:
+ AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App
+
+on:
+ push:
+ branches:
+ - $default-branch
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+
+ - name: Log in to GitHub container registry
+ uses: docker/login-action@v1.10.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ github.token }}
+
+ - name: Lowercase the repo name and username
+ run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
+
+ - name: Build and push container image to registry
+ uses: docker/build-push-action@v2
+ with:
+ push: true
+ tags: ghcr.io/${{ env.REPO }}:${{ github.sha }}
+ file: ./Dockerfile
+
+ deploy:
+ permissions:
+ contents: none
+ runs-on: ubuntu-latest
+ needs: build
+ environment:
+ name: 'Development'
+ url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
+
+ steps:
+ - name: Lowercase the repo name and username
+ run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
+
+ - name: Deploy to Azure Web App
+ id: deploy-to-webapp
+ uses: azure/webapps-deploy@v2
+ with:
+ app-name: ${{ env.AZURE_WEBAPP_NAME }}
+ publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
+ images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}'
diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml
new file mode 100644
index 0000000..a6a2f4e
--- /dev/null
+++ b/deployments/azure-kubernetes-service-helm.yml
@@ -0,0 +1,162 @@
+# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
+#
+# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
+# For instructions see:
+# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
+# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
+# - https://github.com/Azure/aks-create-action
+#
+# To configure this workflow:
+#
+# 1. Set the following secrets in your repository (instructions for getting these
+# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux)):
+# - AZURE_CLIENT_ID
+# - AZURE_TENANT_ID
+# - AZURE_SUBSCRIPTION_ID
+#
+# 2. Set the following environment variables (or replace the values below):
+# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
+# - RESOURCE_GROUP (where your cluster is deployed)
+# - CLUSTER_NAME (name of your AKS cluster)
+# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
+#
+# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Helm.
+# Set your helmChart, overrideFiles, overrides, and helm-version to suit your configuration.
+# - CHART_PATH (path to your helm chart)
+# - CHART_OVERRIDE_PATH (path to your helm chart with override values)
+#
+# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
+# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
+# For more options with the actions used below please refer to https://github.com/Azure/login
+
+name: Build and deploy an app to AKS with Helm
+
+on:
+ push:
+ branches:
+ - $default-branch
+ workflow_dispatch:
+
+env:
+ AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
+ CONTAINER_NAME: "your-container-name"
+ RESOURCE_GROUP: "your-resource-group"
+ CLUSTER_NAME: "your-cluster-name"
+ IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
+ CHART_PATH: "your-chart-path"
+ CHART_OVERRIDE_PATH: "your-chart-override-path"
+
+jobs:
+ buildImage:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Builds and pushes an image up to your Azure Container Registry
+ - name: Build and push image to ACR
+ run: |
+ az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+
+ createSecret:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v2.0
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+
+ # Retrieves the credentials for pulling images from your Azure Container Registry
+ - name: Get ACR credentials
+ run: |
+ az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
+ ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
+ ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
+ echo "::add-mask::${ACR_USERNAME}"
+ echo "::set-output name=username::${ACR_USERNAME}"
+ echo "::add-mask::${ACR_PASSWORD}"
+ echo "::set-output name=password::${ACR_PASSWORD}"
+ id: get-acr-creds
+
+ # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
+ - name: Create K8s secret for pulling image from ACR
+ uses: Azure/k8s-create-secret@v1.1
+ with:
+ container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
+ container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
+ container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
+ secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+
+ deploy:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ needs: [buildImage, createSecret]
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v2.0
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+
+ # Runs Helm to create manifest files
+ - name: Bake deployment
+ uses: azure/k8s-bake@v2.1
+ with:
+ renderEngine: 'helm'
+ helmChart: ${{ env.CHART_PATH }}
+ overrideFiles: ${{ env.CHART_OVERRIDE_PATH }}
+ overrides: |
+ replicas:2
+ helm-version: 'latest'
+ id: bake
+
+ # Deploys application based on manifest files from previous step
+ - name: Deploy application
+ uses: Azure/k8s-deploy@v3.1
+ with:
+ action: deploy
+ manifests: ${{ steps.bake.outputs.manifestsBundle }}
+ images: |
+ ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
+ imagepullsecrets: |
+ ${{ env.IMAGE_PULL_SECRET_NAME }}
\ No newline at end of file
diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml
new file mode 100644
index 0000000..60fe536
--- /dev/null
+++ b/deployments/azure-kubernetes-service-kompose.yml
@@ -0,0 +1,157 @@
+# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
+#
+# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
+# For instructions see:
+# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
+# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
+# - https://github.com/Azure/aks-create-action
+#
+# To configure this workflow:
+#
+# 1. Set the following secrets in your repository (instructions for getting these
+# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux):
+# - AZURE_CLIENT_ID
+# - AZURE_TENANT_ID
+# - AZURE_SUBSCRIPTION_ID
+#
+# 2. Set the following environment variables (or replace the values below):
+# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
+# - RESOURCE_GROUP (where your cluster is deployed)
+# - CLUSTER_NAME (name of your AKS cluster)
+# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
+#
+# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kompose.
+# Set your dockerComposeFile and kompose-version to suit your configuration.
+# - DOCKER_COMPOSE_FILE_PATH (the path where your Kompose deployment manifest is located)
+#
+# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
+# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
+# For more options with the actions used below please refer to https://github.com/Azure/login
+
+name: Build and deploy an app to AKS with Kompose
+
+on:
+ push:
+ branches:
+ - $default-branch
+ workflow_dispatch:
+
+env:
+ AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
+ CONTAINER_NAME: "your-container-name"
+ RESOURCE_GROUP: "your-resource-group"
+ CLUSTER_NAME: "your-cluster-name"
+ IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
+ DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path"
+
+jobs:
+ buildImage:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Builds and pushes an image up to your Azure Container Registry
+ - name: Build and push image to ACR
+ run: |
+ az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+
+ createSecret:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v2.0
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+
+ # Retrieves the credentials for pulling images from your Azure Container Registry
+ - name: Get ACR credentials
+ run: |
+ az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
+ ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
+ ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
+ echo "::add-mask::${ACR_USERNAME}"
+ echo "::set-output name=username::${ACR_USERNAME}"
+ echo "::add-mask::${ACR_PASSWORD}"
+ echo "::set-output name=password::${ACR_PASSWORD}"
+ id: get-acr-creds
+
+ # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
+ - name: Create K8s secret for pulling image from ACR
+ uses: Azure/k8s-create-secret@v1.1
+ with:
+ container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
+ container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
+ container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
+ secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+
+ deploy:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ needs: [buildImage, createSecret]
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v2.0
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+
+ # Runs Kompose to create manifest files
+ - name: Bake deployment
+ uses: azure/k8s-bake@v2.1
+ with:
+ renderEngine: 'kompose'
+ dockerComposeFile: ${{ env.DOCKER_COMPOSE_FILE_PATH }}
+ kompose-version: 'latest'
+ id: bake
+
+ # Deploys application based on manifest files from previous step
+ - name: Deploy application
+ uses: Azure/k8s-deploy@v3.1
+ with:
+ action: deploy
+ manifests: ${{ steps.bake.outputs.manifestsBundle }}
+ images: |
+ ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
+ imagepullsecrets: |
+ ${{ env.IMAGE_PULL_SECRET_NAME }}
diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml
new file mode 100644
index 0000000..d46cadb
--- /dev/null
+++ b/deployments/azure-kubernetes-service-kustomize.yml
@@ -0,0 +1,157 @@
+# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
+#
+# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
+# For instructions see:
+# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
+# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
+# - https://github.com/Azure/aks-create-action
+#
+# To configure this workflow:
+#
+# 1. Set the following secrets in your repository (instructions for getting these
+# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux):
+# - AZURE_CLIENT_ID
+# - AZURE_TENANT_ID
+# - AZURE_SUBSCRIPTION_ID
+#
+# 2. Set the following environment variables (or replace the values below):
+# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
+# - RESOURCE_GROUP (where your cluster is deployed)
+# - CLUSTER_NAME (name of your AKS cluster)
+# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
+#
+# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kustomize.
+# Set your kustomizationPath and kubectl-version to suit your configuration.
+# - KUSTOMIZE_PATH (the path where your Kustomize manifests are located)
+#
+# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
+# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
+# For more options with the actions used below please refer to https://github.com/Azure/login
+
+name: Build and deploy an app to AKS with Kustomize
+
+on:
+ push:
+ branches:
+ - $default-branch
+ workflow_dispatch:
+
+env:
+ AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
+ CONTAINER_NAME: "your-container-name"
+ RESOURCE_GROUP: "your-resource-group"
+ CLUSTER_NAME: "your-cluster-name"
+ IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
+ KUSTOMIZE_PATH: "your-kustomize-path"
+
+jobs:
+ buildImage:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Builds and pushes an image up to your Azure Container Registry
+ - name: Build and push image to ACR
+ run: |
+ az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+
+ createSecret:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v2.0
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+
+ # Retrieves the credentials for pulling images from your Azure Container Registry
+ - name: Get ACR credentials
+ run: |
+ az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
+ ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
+ ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
+ echo "::add-mask::${ACR_USERNAME}"
+ echo "::set-output name=username::${ACR_USERNAME}"
+ echo "::add-mask::${ACR_PASSWORD}"
+ echo "::set-output name=password::${ACR_PASSWORD}"
+ id: get-acr-creds
+
+ # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
+ - name: Create K8s secret for pulling image from ACR
+ uses: Azure/k8s-create-secret@v1.1
+ with:
+ container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
+ container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
+ container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
+ secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+
+ deploy:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ needs: [buildImage, createSecret]
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v2.0
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+
+ # Runs Kustomize to create manifest files
+ - name: Bake deployment
+ uses: azure/k8s-bake@v2.1
+ with:
+ renderEngine: 'kustomize'
+ kustomizationPath: ${{ env.KUSTOMIZE_PATH }}
+ kubectl-version: latest
+ id: bake
+
+ # Deploys application based on manifest files from previous step
+ - name: Deploy application
+ uses: Azure/k8s-deploy@v3.1
+ with:
+ action: deploy
+ manifests: ${{ steps.bake.outputs.manifestsBundle }}
+ images: |
+ ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
+ imagepullsecrets: |
+ ${{ env.IMAGE_PULL_SECRET_NAME }}
\ No newline at end of file
diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml
new file mode 100644
index 0000000..d04a2ac
--- /dev/null
+++ b/deployments/azure-kubernetes-service.yml
@@ -0,0 +1,144 @@
+# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
+#
+# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
+# For instructions see:
+# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
+# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
+# - https://github.com/Azure/aks-create-action
+#
+# To configure this workflow:
+#
+# 1. Set the following secrets in your repository (instructions for getting these can be found at https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux):
+# - AZURE_CLIENT_ID
+# - AZURE_TENANT_ID
+# - AZURE_SUBSCRIPTION_ID
+#
+# 2. Set the following environment variables (or replace the values below):
+# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - RESOURCE_GROUP (where your cluster is deployed)
+# - CLUSTER_NAME (name of your AKS cluster)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
+# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
+# - DEPLOYMENT_MANIFEST_PATH (path to the manifest yaml for your deployment)
+#
+# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
+# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
+# For more options with the actions used below please refer to https://github.com/Azure/login
+
+name: Build and deploy an app to AKS
+
+on:
+ push:
+ branches:
+ - $default-branch
+ workflow_dispatch:
+
+env:
+ AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
+ CONTAINER_NAME: "your-container-name"
+ RESOURCE_GROUP: "your-resource-group"
+ CLUSTER_NAME: "your-cluster-name"
+ IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
+ DEPLOYMENT_MANIFEST_PATH: 'your-deployment-manifest-path'
+
+jobs:
+ buildImage:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Builds and pushes an image up to your Azure Container Registry
+ - name: Build and push image to ACR
+ run: |
+ az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+
+ createSecret:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v2.0
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+
+ # Retrieves the credentials for pulling images from your Azure Container Registry
+ - name: Get ACR credentials
+ run: |
+ az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
+ ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
+ ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
+ echo "::add-mask::${ACR_USERNAME}"
+ echo "::set-output name=username::${ACR_USERNAME}"
+ echo "::add-mask::${ACR_PASSWORD}"
+ echo "::set-output name=password::${ACR_PASSWORD}"
+ id: get-acr-creds
+
+ # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
+ - name: Create K8s secret for pulling image from ACR
+ uses: Azure/k8s-create-secret@v1.1
+ with:
+ container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
+ container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
+ container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
+ secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+
+ deploy:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ needs: [buildImage, createSecret]
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v2.0
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+
+ # Deploys application based on given manifest file
+ - name: Deploys application
+ uses: Azure/k8s-deploy@v3.1
+ with:
+ action: deploy
+ manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }}
+ images: |
+ ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
+ imagepullsecrets: |
+ ${{ env.IMAGE_PULL_SECRET_NAME }}
\ No newline at end of file
diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml
new file mode 100644
index 0000000..a40ecc2
--- /dev/null
+++ b/deployments/azure-staticwebapp.yml
@@ -0,0 +1,72 @@
+# This workflow will build and push a web application to an Azure Static Web App when you change your code.
+#
+# This workflow assumes you have already created the target Azure Static Web App.
+# For instructions see https://docs.microsoft.com/azure/static-web-apps/get-started-portal?tabs=vanilla-javascript
+#
+# To configure this workflow:
+#
+# 1. Set up a secret in your repository named AZURE_STATIC_WEB_APPS_API_TOKEN with the value of your Static Web Apps deployment token.
+# For instructions on obtaining the deployment token see: https://docs.microsoft.com/azure/static-web-apps/deployment-token-management
+#
+# 3. Change the values for the APP_LOCATION, API_LOCATION and APP_ARTIFACT_LOCATION, AZURE_STATIC_WEB_APPS_API_TOKEN environment variables (below).
+# For instructions on setting up the appropriate configuration values go to https://docs.microsoft.com/azure/static-web-apps/front-end-frameworks
+name: Deploy web app to Azure Static Web Apps
+
+on:
+ push:
+ branches:
+ - $default-branch
+ pull_request:
+ types: [opened, synchronize, reopened, closed]
+ branches:
+ - $default-branch
+
+# Environment variables available to all jobs and steps in this workflow
+env:
+ APP_LOCATION: "/" # location of your client code
+ API_LOCATION: "api" # location of your api source code - optional
+ APP_ARTIFACT_LOCATION: "build" # location of client code build output
+ AZURE_STATIC_WEB_APPS_API_TOKEN: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing deployment token for your static web app
+
+permissions:
+ contents: read
+
+jobs:
+ build_and_deploy_job:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ pull-requests: write # for Azure/static-web-apps-deploy to comment on PRs
+ if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed')
+ runs-on: ubuntu-latest
+ name: Build and Deploy Job
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ submodules: true
+ - name: Build And Deploy
+ id: builddeploy
+ uses: Azure/static-web-apps-deploy@v1
+ with:
+ azure_static_web_apps_api_token: ${{ env.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing api token for app
+ repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for Github integrations (i.e. PR comments)
+ action: "upload"
+ ###### Repository/Build Configurations - These values can be configured to match you app requirements. ######
+ # For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig
+ app_location: ${{ env.APP_LOCATION }}
+ api_location: ${{ env.API_LOCATION }}
+ app_artifact_location: ${{ env.APP_ARTIFACT_LOCATION }}
+ ###### End of Repository/Build Configurations ######
+
+ close_pull_request_job:
+ permissions:
+ contents: none
+ if: github.event_name == 'pull_request' && github.event.action == 'closed'
+ runs-on: ubuntu-latest
+ name: Close Pull Request Job
+ steps:
+ - name: Close Pull Request
+ id: closepullrequest
+ uses: Azure/static-web-apps-deploy@v1
+ with:
+ azure_static_web_apps_api_token: ${{ env.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing api token for app
+ action: "close"
diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml
new file mode 100644
index 0000000..0b59686
--- /dev/null
+++ b/deployments/azure-webapps-dotnet-core.yml
@@ -0,0 +1,89 @@
+# This workflow will build and push a .NET Core app to an Azure Web App when a commit is pushed to your default branch.
+#
+# This workflow assumes you have already created the target Azure App Service web app.
+# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-dotnetcore?tabs=net60&pivots=development-environment-vscode
+#
+# To configure this workflow:
+#
+# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal.
+# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials
+#
+# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret.
+# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret
+#
+# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and DOTNET_VERSION environment variables below.
+#
+# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions
+# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy
+# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples
+
+name: Build and deploy ASP.Net Core app to an Azure Web App
+
+env:
+ AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App
+ AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
+ DOTNET_VERSION: '5' # set this to the .NET Core version to use
+
+on:
+ push:
+ branches:
+ - $default-branch
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Set up .NET Core
+ uses: actions/setup-dotnet@v2
+ with:
+ dotnet-version: ${{ env.DOTNET_VERSION }}
+
+ - name: Set up dependency caching for faster builds
+ uses: actions/cache@v3
+ with:
+ path: ~/.nuget/packages
+ key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }}
+ restore-keys: |
+ ${{ runner.os }}-nuget-
+
+ - name: Build with dotnet
+ run: dotnet build --configuration Release
+
+ - name: dotnet publish
+ run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp
+
+ - name: Upload artifact for deployment job
+ uses: actions/upload-artifact@v3
+ with:
+ name: .net-app
+ path: ${{env.DOTNET_ROOT}}/myapp
+
+ deploy:
+ permissions:
+ contents: none
+ runs-on: ubuntu-latest
+ needs: build
+ environment:
+ name: 'Development'
+ url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
+
+ steps:
+ - name: Download artifact from build job
+ uses: actions/download-artifact@v3
+ with:
+ name: .net-app
+
+ - name: Deploy to Azure Web App
+ id: deploy-to-webapp
+ uses: azure/webapps-deploy@v2
+ with:
+ app-name: ${{ env.AZURE_WEBAPP_NAME }}
+ publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
+ package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }}
diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml
new file mode 100644
index 0000000..6e3df8d
--- /dev/null
+++ b/deployments/azure-webapps-java-jar.yml
@@ -0,0 +1,80 @@
+# This workflow will build and push a Java application to an Azure Web App when a commit is pushed to your default branch.
+#
+# This workflow assumes you have already created the target Azure App Service web app.
+# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-java?tabs=javase&pivots=platform-linux
+#
+# To configure this workflow:
+#
+# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal.
+# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials
+#
+# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret.
+# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret
+#
+# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the JAVA_VERSION environment variable below.
+#
+# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions
+# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy
+# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples
+
+name: Build and deploy JAR app to Azure Web App
+
+env:
+ AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App
+ JAVA_VERSION: '11' # set this to the Java version to use
+ DISTRIBUTION: zulu # set this to the Java distribution
+
+on:
+ push:
+ branches:
+ - $default-branch
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Set up Java version
+ uses: actions/setup-java@v3.0.0
+ with:
+ java-version: ${{ env.JAVA_VERSION }}
+ distribution: ${{ env.DISTRIBUTION }}
+ cache: 'maven'
+
+ - name: Build with Maven
+ run: mvn clean install
+
+ - name: Upload artifact for deployment job
+ uses: actions/upload-artifact@v3
+ with:
+ name: java-app
+ path: '${{ github.workspace }}/target/*.jar'
+
+ deploy:
+ permissions:
+ contents: none
+ runs-on: ubuntu-latest
+ needs: build
+ environment:
+ name: 'Development'
+ url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
+
+ steps:
+ - name: Download artifact from build job
+ uses: actions/download-artifact@v3
+ with:
+ name: java-app
+
+ - name: Deploy to Azure Web App
+ id: deploy-to-webapp
+ uses: azure/webapps-deploy@v2
+ with:
+ app-name: ${{ env.AZURE_WEBAPP_NAME }}
+ publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
+ package: '*.jar'
diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml
new file mode 100644
index 0000000..1480c92
--- /dev/null
+++ b/deployments/azure-webapps-node.yml
@@ -0,0 +1,79 @@
+# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch.
+#
+# This workflow assumes you have already created the target Azure App Service web app.
+# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli
+#
+# To configure this workflow:
+#
+# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal.
+# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials
+#
+# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret.
+# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret
+#
+# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and NODE_VERSION environment variables below.
+#
+# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions
+# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy
+# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples
+
+on:
+ push:
+ branches:
+ - $default-branch
+ workflow_dispatch:
+
+env:
+ AZURE_WEBAPP_NAME: your-app-name # set this to your application's name
+ AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
+ NODE_VERSION: '14.x' # set this to the node version to use
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Set up Node.js
+ uses: actions/setup-node@v3
+ with:
+ node-version: ${{ env.NODE_VERSION }}
+ cache: 'npm'
+
+ - name: npm install, build, and test
+ run: |
+ npm install
+ npm run build --if-present
+ npm run test --if-present
+
+ - name: Upload artifact for deployment job
+ uses: actions/upload-artifact@v3
+ with:
+ name: node-app
+ path: .
+
+ deploy:
+ permissions:
+ contents: none
+ runs-on: ubuntu-latest
+ needs: build
+ environment:
+ name: 'Development'
+ url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
+
+ steps:
+ - name: Download artifact from build job
+ uses: actions/download-artifact@v3
+ with:
+ name: node-app
+
+ - name: 'Deploy to Azure WebApp'
+ id: deploy-to-webapp
+ uses: azure/webapps-deploy@v2
+ with:
+ app-name: ${{ env.AZURE_WEBAPP_NAME }}
+ publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
+ package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }}
diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml
new file mode 100644
index 0000000..98e8dc7
--- /dev/null
+++ b/deployments/azure-webapps-php.yml
@@ -0,0 +1,100 @@
+# This workflow will build and push a PHP application to an Azure Web App when a commit is pushed to your default branch.
+#
+# This workflow assumes you have already created the target Azure App Service web app.
+# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-php?pivots=platform-linux
+#
+# To configure this workflow:
+#
+# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal.
+# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials
+#
+# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret.
+# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret
+#
+# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and PHP_VERSION environment variables below.
+#
+# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions
+# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy
+# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples
+
+name: Build and deploy PHP app to Azure Web App
+
+on:
+ push:
+ branches:
+ - $default-branch
+ workflow_dispatch:
+
+env:
+ AZURE_WEBAPP_NAME: your-app-name # set this to your application's name
+ AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
+ PHP_VERSION: '8.x' # set this to the PHP version to use
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Setup PHP
+ uses: shivammathur/setup-php@7c0b4c8c8ebed23eca9ec2802474895d105b11bc
+ with:
+ php-version: ${{ env.PHP_VERSION }}
+
+ - name: Check if composer.json exists
+ id: check_files
+ uses: andstor/file-existence-action@87d74d4732ddb824259d80c8a508c0124bf1c673
+ with:
+ files: 'composer.json'
+
+ - name: Get Composer Cache Directory
+ id: composer-cache
+ if: steps.check_files.outputs.files_exists == 'true'
+ run: |
+ echo "::set-output name=dir::$(composer config cache-files-dir)"
+
+ - name: Set up dependency caching for faster installs
+ uses: actions/cache@v3
+ if: steps.check_files.outputs.files_exists == 'true'
+ with:
+ path: ${{ steps.composer-cache.outputs.dir }}
+ key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
+ restore-keys: |
+ ${{ runner.os }}-composer-
+
+ - name: Run composer install if composer.json exists
+ if: steps.check_files.outputs.files_exists == 'true'
+ run: composer validate --no-check-publish && composer install --prefer-dist --no-progress
+
+ - name: Upload artifact for deployment job
+ uses: actions/upload-artifact@v3
+ with:
+ name: php-app
+ path: .
+
+ deploy:
+ permissions:
+ contents: none
+ runs-on: ubuntu-latest
+ needs: build
+ environment:
+ name: 'Development'
+ url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
+
+ steps:
+ - name: Download artifact from build job
+ uses: actions/download-artifact@v3
+ with:
+ name: php-app
+
+ - name: 'Deploy to Azure Web App'
+ id: deploy-to-webapp
+ uses: azure/webapps-deploy@v2
+ with:
+ app-name: ${{ env.AZURE_WEBAPP_NAME }}
+ publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
+ package: .
diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml
new file mode 100644
index 0000000..50f4823
--- /dev/null
+++ b/deployments/azure-webapps-python.yml
@@ -0,0 +1,87 @@
+# This workflow will build and push a Python application to an Azure Web App when a commit is pushed to your default branch.
+#
+# This workflow assumes you have already created the target Azure App Service web app.
+# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-python?tabs=bash&pivots=python-framework-flask
+#
+# To configure this workflow:
+#
+# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal.
+# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials
+#
+# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret.
+# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret
+#
+# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the PYTHON_VERSION environment variables below.
+#
+# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions
+# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy
+# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples
+
+name: Build and deploy Python app to Azure Web App
+
+env:
+ AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App
+ PYTHON_VERSION: '3.8' # set this to the Python version to use
+
+on:
+ push:
+ branches:
+ - $default-branch
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Set up Python version
+ uses: actions/setup-python@v3.0.0
+ with:
+ python-version: ${{ env.PYTHON_VERSION }}
+ cache: 'pip'
+
+ - name: Create and start virtual environment
+ run: |
+ python -m venv venv
+ source venv/bin/activate
+
+ - name: Install dependencies
+ run: pip install -r requirements.txt
+
+ # Optional: Add step to run tests here (PyTest, Django test suites, etc.)
+
+ - name: Upload artifact for deployment jobs
+ uses: actions/upload-artifact@v3
+ with:
+ name: python-app
+ path: |
+ .
+ !venv/
+
+ deploy:
+ permissions:
+ contents: none
+ runs-on: ubuntu-latest
+ needs: build
+ environment:
+ name: 'Development'
+ url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
+
+ steps:
+ - name: Download artifact from build job
+ uses: actions/download-artifact@v3
+ with:
+ name: python-app
+ path: .
+
+ - name: 'Deploy to Azure Web App'
+ id: deploy-to-webapp
+ uses: azure/webapps-deploy@v2
+ with:
+ app-name: ${{ env.AZURE_WEBAPP_NAME }}
+ publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
diff --git a/deployments/azure.yml b/deployments/azure.yml
deleted file mode 100644
index 904ff25..0000000
--- a/deployments/azure.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-# This workflow will build and push a node.js application to an Azure Web App when there is a push to the $default-branch branch.
-#
-# This workflow assumes you have already created the target Azure App Service web app.
-# For instructions see https://docs.microsoft.com/azure/app-service/app-service-plan-manage#create-an-app-service-plan
-#
-# To configure this workflow:
-#
-# 1. For Linux apps, add an app setting called WEBSITE_WEBDEPLOY_USE_SCM and set it to true in your app **before downloading the file**.
-# For more instructions see: https://docs.microsoft.com/azure/app-service/configure-common#configure-app-settings
-#
-# 2. Set up a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE with the value of your Azure publish profile.
-# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret
-#
-# 3. Change the values for the AZURE_WEBAPP_NAME, AZURE_WEBAPP_PACKAGE_PATH and NODE_VERSION environment variables (below).
-#
-# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
-# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
-on:
- push:
- branches:
- - $default-branch
-
-env:
- AZURE_WEBAPP_NAME: your-app-name # set this to your application's name
- AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
- NODE_VERSION: '10.x' # set this to the node version to use
-
-jobs:
- build-and-deploy:
- name: Build and Deploy
- runs-on: ubuntu-latest
- environment: production
- steps:
- - uses: actions/checkout@v2
- - name: Use Node.js ${{ env.NODE_VERSION }}
- uses: actions/setup-node@v2
- with:
- node-version: ${{ env.NODE_VERSION }}
- - name: npm install, build, and test
- run: |
- # Build and test the project, then
- # deploy to Azure Web App.
- npm install
- npm run build --if-present
- npm run test --if-present
- - name: 'Deploy to Azure WebApp'
- uses: azure/webapps-deploy@v2
- with:
- app-name: ${{ env.AZURE_WEBAPP_NAME }}
- publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
- package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }}
diff --git a/deployments/google-cloudrun-docker.yml b/deployments/google-cloudrun-docker.yml
new file mode 100644
index 0000000..b8d0511
--- /dev/null
+++ b/deployments/google-cloudrun-docker.yml
@@ -0,0 +1,114 @@
+# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Cloud Run when a commit is pushed to the $default-branch branch
+#
+# Overview:
+#
+# 1. Authenticate to Google Cloud
+# 2. Authenticate Docker to Artifact Registry
+# 3. Build a docker container
+# 4. Publish it to Google Artifact Registry
+# 5. Deploy it to Cloud Run
+#
+# To configure this workflow:
+#
+# 1. Ensure the required Google Cloud APIs are enabled:
+#
+# Cloud Run run.googleapis.com
+# Artifact Registry artifactregistry.googleapis.com
+#
+# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)
+#
+# 3. Ensure the required IAM permissions are granted
+#
+# Cloud Run
+# roles/run.admin
+# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account)
+#
+# Artifact Registry
+# roles/artifactregistry.admin (project or repository level)
+#
+# NOTE: You should always follow the principle of least privilege when assigning IAM roles
+#
+# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT
+#
+# 5. Change the values for the GAR_LOCATION, SERVICE and REGION environment variables (below).
+#
+# NOTE: To use Google Container Registry instead, replace ${{ env.GAR_LOCATION }}-docker.pkg.dev with gcr.io
+#
+# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run
+#
+# Further reading:
+# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying
+# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles
+# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry
+# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege
+
+name: Build and Deploy to Cloud Run
+
+on:
+ push:
+ branches:
+ - $default-branch
+
+env:
+ PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id
+ GAR_LOCATION: YOUR_GAR_LOCATION # TODO: update Artifact Registry location
+ SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name
+ REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region
+
+jobs:
+ deploy:
+ # Add 'id-token' with the intended permissions for workload identity federation
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Google Auth
+ id: auth
+ uses: 'google-github-actions/auth@v0'
+ with:
+ token_format: 'access_token'
+ workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider
+ service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - my-service-account@my-project.iam.gserviceaccount.com
+
+ # NOTE: Alternative option - authentication via credentials json
+ # - name: Google Auth
+ # id: auth
+ # uses: 'google-github-actions/auth@v0'
+ # with:
+ # credentials_json: '${{ secrets.GCP_CREDENTIALS }}''
+
+ # BEGIN - Docker auth and build (NOTE: If you already have a container image, these Docker steps can be omitted)
+
+ # Authenticate Docker to Google Cloud Artifact Registry
+ - name: Docker Auth
+ id: docker-auth
+ uses: 'docker/login-action@v1'
+ with:
+ username: 'oauth2accesstoken'
+ password: '${{ steps.auth.outputs.access_token }}'
+ registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev'
+
+ - name: Build and Push Container
+ run: |-
+ docker build -t "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" ./
+ docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}"
+
+ # END - Docker auth and build
+
+ - name: Deploy to Cloud Run
+ id: deploy
+ uses: google-github-actions/deploy-cloudrun@v0
+ with:
+ service: ${{ env.SERVICE }}
+ region: ${{ env.REGION }}
+ # NOTE: If using a pre-built image, update the image name here
+ image: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}
+
+ # If required, use the Cloud Run url output in later steps
+ - name: Show Output
+ run: echo ${{ steps.deploy.outputs.url }}
diff --git a/deployments/google-cloudrun-source.yml b/deployments/google-cloudrun-source.yml
new file mode 100644
index 0000000..2916b45
--- /dev/null
+++ b/deployments/google-cloudrun-source.yml
@@ -0,0 +1,96 @@
+# This workflow will deploy source code on Cloud Run when a commit is pushed to the $default-branch branch
+#
+# Overview:
+#
+# 1. Authenticate to Google Cloud
+# 2. Deploy it to Cloud Run
+#
+# To configure this workflow:
+#
+# 1. Ensure the required Google Cloud APIs are enabled:
+#
+# Cloud Run run.googleapis.com
+# Cloud Build cloudbuild.googleapis.com
+# Artifact Registry artifactregistry.googleapis.com
+#
+# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)
+#
+# 3. Ensure the required IAM permissions are granted
+#
+# Cloud Run
+# roles/run.admin
+# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account)
+#
+# Cloud Build
+# roles/cloudbuild.builds.editor
+#
+# Cloud Storage
+# roles/storage.objectAdmin
+#
+# Artifact Registry
+# roles/artifactregistry.admin (project or repository level)
+#
+# NOTE: You should always follow the principle of least privilege when assigning IAM roles
+#
+# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT
+#
+# 5. Change the values for the SERVICE and REGION environment variables (below).
+#
+# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run
+#
+# Further reading:
+# Cloud Run runtime service account - https://cloud.google.com/run/docs/securing/service-identity
+# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying-source-code#permissions_required_to_deploy
+# Cloud Run builds from source - https://cloud.google.com/run/docs/deploying-source-code
+# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege
+
+name: Deploy to Cloud Run from Source
+
+on:
+ push:
+ branches:
+ - $default-branch
+
+env:
+ PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id
+ SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name
+ REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region
+
+jobs:
+ deploy:
+ # Add 'id-token' with the intended permissions for workload identity federation
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Google Auth
+ id: auth
+ uses: 'google-github-actions/auth@v0'
+ with:
+ workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider
+ service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - my-service-account@my-project.iam.gserviceaccount.com
+
+ # NOTE: Alternative option - authentication via credentials json
+ # - name: Google Auth
+ # id: auth
+ # uses: 'google-github-actions/auth@v0'
+ # with:
+ # credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
+
+ - name: Deploy to Cloud Run
+ id: deploy
+ uses: google-github-actions/deploy-cloudrun@v0
+ with:
+ service: ${{ env.SERVICE }}
+ region: ${{ env.REGION }}
+ # NOTE: If required, update to the appropriate source folder
+ source: ./
+
+ # If required, use the Cloud Run url output in later steps
+ - name: Show Output
+ run: echo ${{ steps.deploy.outputs.url }}
diff --git a/deployments/google.yml b/deployments/google.yml
index 267d3cb..6150672 100644
--- a/deployments/google.yml
+++ b/deployments/google.yml
@@ -4,11 +4,11 @@
#
# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc.
#
-# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs).
+# 2. Create and configure a Workload Identity Provider for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)
#
-# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below).
+# 3. Change the values for the GAR_LOCATION, GKE_ZONE, GKE_CLUSTER, IMAGE, REPOSITORY and DEPLOYMENT_NAME environment variables (below).
#
-# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke
+# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke-kustomize
name: Build and Deploy to GKE
@@ -19,9 +19,11 @@ on:
env:
PROJECT_ID: ${{ secrets.GKE_PROJECT }}
+ GAR_LOCATION: us-central1 # TODO: update region of the Artifact Registry
GKE_CLUSTER: cluster-1 # TODO: update to cluster name
GKE_ZONE: us-central1-c # TODO: update to cluster zone
DEPLOYMENT_NAME: gke-test # TODO: update to deployment name
+ REPOSITORY: samples # TODO: update to Artifact Registry docker repository
IMAGE: static-site
jobs:
@@ -30,52 +32,61 @@ jobs:
runs-on: ubuntu-latest
environment: production
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- # Setup gcloud CLI
- - uses: google-github-actions/setup-gcloud@v0.2.0
+ # Configure Workload Identity Federation and generate an access token.
+ - id: 'auth'
+ name: 'Authenticate to Google Cloud'
+ uses: 'google-github-actions/auth@v0'
with:
- service_account_key: ${{ secrets.GKE_SA_KEY }}
- project_id: ${{ secrets.GKE_PROJECT }}
+ token_format: 'access_token'
+ workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
+ service_account: 'my-service-account@my-project.iam.gserviceaccount.com'
- # Configure Docker to use the gcloud command-line tool as a credential
- # helper for authentication
- - run: |-
- gcloud --quiet auth configure-docker
+ # Alternative option - authentication via credentials json
+ # - id: 'auth'
+ # uses: 'google-github-actions/auth@v0'
+ # with:
+ # credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
+ - name: Docker configuration
+ run: |-
+ echo ${{steps.auth.outputs.access_token}} | docker login -u oauth2accesstoken --password-stdin https://$GAR_LOCATION-docker.pkg.dev
# Get the GKE credentials so we can deploy to the cluster
- - uses: google-github-actions/get-gke-credentials@v0.2.1
+ - name: Set up GKE credentials
+ uses: google-github-actions/get-gke-credentials@v0
with:
cluster_name: ${{ env.GKE_CLUSTER }}
location: ${{ env.GKE_ZONE }}
- credentials: ${{ secrets.GKE_SA_KEY }}
# Build the Docker image
- name: Build
run: |-
docker build \
- --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \
+ --tag "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA" \
--build-arg GITHUB_SHA="$GITHUB_SHA" \
--build-arg GITHUB_REF="$GITHUB_REF" \
.
-
- # Push the Docker image to Google Container Registry
+ # Push the Docker image to Google Artifact Registry
- name: Publish
run: |-
- docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA"
-
+ docker push "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA"
# Set up kustomize
- name: Set up Kustomize
run: |-
curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64
chmod u+x ./kustomize
-
# Deploy the Docker image to the GKE cluster
- name: Deploy
run: |-
- ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA
+ # replacing the image name in the k8s template
+ ./kustomize edit set image LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE:TAG=$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA
./kustomize build . | kubectl apply -f -
kubectl rollout status deployment/$DEPLOYMENT_NAME
kubectl get services -o wide
diff --git a/deployments/ibm.yml b/deployments/ibm.yml
index 216b04d..cb3080f 100644
--- a/deployments/ibm.yml
+++ b/deployments/ibm.yml
@@ -33,7 +33,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Download and Install IBM Cloud CLI
- name: Install IBM Cloud CLI
diff --git a/deployments/openshift.yml b/deployments/openshift.yml
index 46ff961..8504059 100644
--- a/deployments/openshift.yml
+++ b/deployments/openshift.yml
@@ -54,15 +54,30 @@ env:
on:
# https://docs.github.com/en/actions/reference/events-that-trigger-workflows
+ workflow_dispatch:
push:
# Edit to the branch(es) you want to build and deploy on each push.
branches: [ $default-branch ]
jobs:
+ # 🖊️ EDIT if you want to run vulnerability check on your project before deploying
+ # the application. Please uncomment the below CRDA scan job and configure to run it in
+ # your workflow. For details about CRDA action visit https://github.com/redhat-actions/crda/blob/main/README.md
+ #
+ # TODO: Make sure to add 'CRDA Scan' starter workflow from the 'Actions' tab.
+ # For guide on adding new starter workflow visit https://docs.github.com/en/github-ae@latest/actions/using-workflows/using-starter-workflows
+
+ crda-scan:
+ uses: ./.github/workflows/crda.yml
+ secrets:
+ CRDA_KEY: ${{ secrets.CRDA_KEY }}
+ # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # Either use SNYK_TOKEN or CRDA_KEY
+
openshift-ci-cd:
+ # 🖊️ Uncomment this if you are using CRDA scan step above
+ # needs: crda-scan
name: Build and deploy to OpenShift
- # ubuntu-20.04 can also be used.
- runs-on: ubuntu-18.04
+ runs-on: ubuntu-20.04
environment: production
outputs:
@@ -71,7 +86,7 @@ jobs:
steps:
- name: Check for required secrets
- uses: actions/github-script@v4
+ uses: actions/github-script@v6
with:
script: |
const secrets = {
@@ -109,7 +124,7 @@ jobs:
}
- name: Check out repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Determine app name
if: env.APP_NAME == ''
diff --git a/deployments/properties/azure-container-webapp.properties.json b/deployments/properties/azure-container-webapp.properties.json
new file mode 100644
index 0000000..fcd62b2
--- /dev/null
+++ b/deployments/properties/azure-container-webapp.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy a container to an Azure Web App",
+ "description": "Build a container and deploy it to an Azure Web App.",
+ "creator": "Microsoft Azure",
+ "iconName": "azure",
+ "categories": ["Deployment", "Dockerfile"]
+}
diff --git a/deployments/properties/azure-kubernetes-service-helm.properties.json b/deployments/properties/azure-kubernetes-service-helm.properties.json
new file mode 100644
index 0000000..92478b3
--- /dev/null
+++ b/deployments/properties/azure-kubernetes-service-helm.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy to AKS with Helm",
+ "description": "Deploy an application to an Azure Kubernetes Service cluster using Helm",
+ "creator": "Microsoft Azure",
+ "iconName": "azure",
+ "categories": ["Deployment", "Helm", "Kubernetes", "Dockerfile"]
+}
diff --git a/deployments/properties/azure-kubernetes-service-kompose.properties.json b/deployments/properties/azure-kubernetes-service-kompose.properties.json
new file mode 100644
index 0000000..de246c3
--- /dev/null
+++ b/deployments/properties/azure-kubernetes-service-kompose.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy to AKS with Kompose",
+ "description": "Deploy an application to an Azure Kubernetes Service cluster using Kompose",
+ "creator": "Microsoft Azure",
+ "iconName": "azure",
+ "categories": ["Deployment", "Kompose", "Kubernetes", "Dockerfile"]
+}
diff --git a/deployments/properties/azure-kubernetes-service-kustomize.properties.json b/deployments/properties/azure-kubernetes-service-kustomize.properties.json
new file mode 100644
index 0000000..bfc71cc
--- /dev/null
+++ b/deployments/properties/azure-kubernetes-service-kustomize.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy to AKS with Kustomize",
+ "description": "Deploy an application to an Azure Kubernetes Service cluster using Kustomize",
+ "creator": "Microsoft Azure",
+ "iconName": "azure",
+ "categories": ["Deployment", "Kustomize", "Kubernetes", "Dockerfile"]
+}
diff --git a/deployments/properties/azure-kubernetes-service.properties.json b/deployments/properties/azure-kubernetes-service.properties.json
new file mode 100644
index 0000000..45d4a69
--- /dev/null
+++ b/deployments/properties/azure-kubernetes-service.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy to AKS",
+ "description": "Deploy an application to an Azure Kubernetes Service cluster",
+ "creator": "Microsoft Azure",
+ "iconName": "azure",
+ "categories": ["Deployment", "Kubernetes", "Dockerfile"]
+}
diff --git a/deployments/properties/azure-staticwebapp.properties.json b/deployments/properties/azure-staticwebapp.properties.json
new file mode 100644
index 0000000..a2552b0
--- /dev/null
+++ b/deployments/properties/azure-staticwebapp.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy web app to Azure Static Web Apps",
+ "description": "Build and deploy web application to an Azure Static Web App.",
+ "creator": "Microsoft Azure",
+ "iconName": "azure-staticwebapp",
+ "categories": ["Deployment", "React", "Angular", "Vue", "Svelte", "Gatsby", "Next", "Nuxt", "Jekyll", "Blazor"]
+}
diff --git a/deployments/properties/azure-webapps-dotnet-core.properties.json b/deployments/properties/azure-webapps-dotnet-core.properties.json
new file mode 100644
index 0000000..a9d5e20
--- /dev/null
+++ b/deployments/properties/azure-webapps-dotnet-core.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy a .NET Core app to an Azure Web App",
+ "description": "Build a .NET Core project and deploy it to an Azure Web App.",
+ "creator": "Microsoft Azure",
+ "iconName": "azure",
+ "categories": ["Deployment", "C#", "aspNetCore"]
+}
diff --git a/deployments/properties/azure-webapps-java-jar.properties.json b/deployments/properties/azure-webapps-java-jar.properties.json
new file mode 100644
index 0000000..289d95c
--- /dev/null
+++ b/deployments/properties/azure-webapps-java-jar.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy a Java .jar app to an Azure Web App",
+ "description": "Build a Java project and deploy it to an Azure Web App.",
+ "creator": "Microsoft Azure",
+ "iconName": "azure",
+ "categories": ["Deployment", "Java", "Maven"]
+}
diff --git a/deployments/properties/azure.properties.json b/deployments/properties/azure-webapps-node.properties.json
similarity index 72%
rename from deployments/properties/azure.properties.json
rename to deployments/properties/azure-webapps-node.properties.json
index 362d5d1..63e94db 100644
--- a/deployments/properties/azure.properties.json
+++ b/deployments/properties/azure-webapps-node.properties.json
@@ -3,5 +3,5 @@
"description": "Build a Node.js project and deploy it to an Azure Web App.",
"creator": "Microsoft Azure",
"iconName": "azure",
- "categories": ["Deployment"]
-}
\ No newline at end of file
+ "categories": ["Deployment", "JavaScript", "TypeScript", "npm"]
+}
diff --git a/deployments/properties/azure-webapps-php.properties.json b/deployments/properties/azure-webapps-php.properties.json
new file mode 100644
index 0000000..48554de
--- /dev/null
+++ b/deployments/properties/azure-webapps-php.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy a PHP app to an Azure Web App",
+ "description": "Build a PHP app and deploy it to an Azure Web App.",
+ "creator": "Microsoft Azure",
+ "iconName": "azure",
+ "categories": ["Deployment", "PHP"]
+}
diff --git a/deployments/properties/azure-webapps-python.properties.json b/deployments/properties/azure-webapps-python.properties.json
new file mode 100644
index 0000000..391af32
--- /dev/null
+++ b/deployments/properties/azure-webapps-python.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy a Python app to an Azure Web App",
+ "description": "Build a Python app and deploy it to an Azure Web App.",
+ "creator": "Microsoft Azure",
+ "iconName": "azure",
+ "categories": ["Deployment", "Python", "Django", "Flask", "Pip"]
+}
diff --git a/deployments/properties/google-cloudrun-docker.properties.json b/deployments/properties/google-cloudrun-docker.properties.json
new file mode 100644
index 0000000..b1a2b2b
--- /dev/null
+++ b/deployments/properties/google-cloudrun-docker.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Build and Deploy to Cloud Run",
+ "description": "Build a Docker container, publish it to Google Artifact Registry, and deploy to Google Cloud Run.",
+ "creator": "Google Cloud",
+ "iconName": "google-cloud",
+ "categories": ["Deployment", "Containers", "Dockerfile", "Cloud Run", "Serverless"]
+}
diff --git a/deployments/properties/google-cloudrun-source.properties.json b/deployments/properties/google-cloudrun-source.properties.json
new file mode 100644
index 0000000..2735d80
--- /dev/null
+++ b/deployments/properties/google-cloudrun-source.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy to Cloud Run from Source",
+ "description": "Deploy to Google Cloud Run directly from source.",
+ "creator": "Google Cloud",
+ "iconName": "google-cloud",
+ "categories": ["Deployment", "Containers", "Cloud Run", "Serverless", "Buildpacks"]
+}
diff --git a/deployments/properties/google.properties.json b/deployments/properties/google.properties.json
index 6318106..e226385 100644
--- a/deployments/properties/google.properties.json
+++ b/deployments/properties/google.properties.json
@@ -2,6 +2,6 @@
"name": "Build and Deploy to GKE",
"description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.",
"creator": "Google Cloud",
- "iconName": "googlegke",
- "categories": ["Deployment", "Dockerfile"]
+ "iconName": "google-cloud",
+ "categories": ["Deployment", "Dockerfile", "Kubernetes", "Kustomize"]
}
\ No newline at end of file
diff --git a/deployments/tencent.yml b/deployments/tencent.yml
index 83bde94..4e9e9f6 100644
--- a/deployments/tencent.yml
+++ b/deployments/tencent.yml
@@ -27,6 +27,9 @@ env:
TKE_CLUSTER_ID: cls-mywebapp
DEPLOYMENT_NAME: tke-test
+permissions:
+ contents: read
+
jobs:
setup-build-publish-deploy:
name: Setup, Build, Publish, and Deploy
@@ -35,7 +38,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Build
- name: Build Docker image
diff --git a/deployments/terraform.yml b/deployments/terraform.yml
index 589f1f3..53efe48 100644
--- a/deployments/terraform.yml
+++ b/deployments/terraform.yml
@@ -50,6 +50,9 @@ on:
- $default-branch
pull_request:
+permissions:
+ contents: read
+
jobs:
terraform:
name: 'Terraform'
@@ -64,7 +67,7 @@ jobs:
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
- name: Setup Terraform
@@ -82,10 +85,10 @@ jobs:
# Generates an execution plan for Terraform
- name: Terraform Plan
- run: terraform plan
+ run: terraform plan -input=false
# On push to $default-branch, build or change infrastructure according to Terraform configuration files
# Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks
- name: Terraform Apply
if: github.ref == 'refs/heads/$default-branch' && github.event_name == 'push'
- run: terraform apply -auto-approve
+ run: terraform apply -auto-approve -input=false
diff --git a/icons/azure-staticwebapp.svg b/icons/azure-staticwebapp.svg
new file mode 100644
index 0000000..327517d
--- /dev/null
+++ b/icons/azure-staticwebapp.svg
@@ -0,0 +1,17 @@
+
\ No newline at end of file
diff --git a/icons/clj-holmes.svg b/icons/clj-holmes.svg
new file mode 100644
index 0000000..74459e5
--- /dev/null
+++ b/icons/clj-holmes.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/icons/clj-watson.svg b/icons/clj-watson.svg
new file mode 100644
index 0000000..74459e5
--- /dev/null
+++ b/icons/clj-watson.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/icons/contrast.svg b/icons/contrast.svg
new file mode 100644
index 0000000..7680157
--- /dev/null
+++ b/icons/contrast.svg
@@ -0,0 +1,16 @@
+
+
+
diff --git a/icons/datadog.svg b/icons/datadog.svg
new file mode 100644
index 0000000..91cb3b6
--- /dev/null
+++ b/icons/datadog.svg
@@ -0,0 +1,4 @@
+
diff --git a/icons/eslint.svg b/icons/eslint.svg
new file mode 100644
index 0000000..23964aa
--- /dev/null
+++ b/icons/eslint.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/icons/frogbot.svg b/icons/frogbot.svg
new file mode 100644
index 0000000..21100d9
--- /dev/null
+++ b/icons/frogbot.svg
@@ -0,0 +1,80 @@
+
diff --git a/icons/gatsby.svg b/icons/gatsby.svg
new file mode 100644
index 0000000..5578b06
--- /dev/null
+++ b/icons/gatsby.svg
@@ -0,0 +1,7 @@
+
diff --git a/icons/go-ossf-slsa3-publish.svg b/icons/go-ossf-slsa3-publish.svg
new file mode 100644
index 0000000..ea77468
--- /dev/null
+++ b/icons/go-ossf-slsa3-publish.svg
@@ -0,0 +1,11 @@
+
+
diff --git a/icons/googlegke.svg b/icons/google-cloud.svg
similarity index 100%
rename from icons/googlegke.svg
rename to icons/google-cloud.svg
diff --git a/icons/hadolint.svg b/icons/hadolint.svg
new file mode 100644
index 0000000..048b86c
--- /dev/null
+++ b/icons/hadolint.svg
@@ -0,0 +1,131 @@
+
+
+
diff --git a/icons/hugo.svg b/icons/hugo.svg
new file mode 100644
index 0000000..ea72a6f
--- /dev/null
+++ b/icons/hugo.svg
@@ -0,0 +1,9 @@
+
diff --git a/icons/jekyll-tube.svg b/icons/jekyll-tube.svg
new file mode 100644
index 0000000..89dd55d
--- /dev/null
+++ b/icons/jekyll-tube.svg
@@ -0,0 +1 @@
+
diff --git a/icons/neuralegion.svg b/icons/neuralegion.svg
new file mode 100644
index 0000000..0534225
--- /dev/null
+++ b/icons/neuralegion.svg
@@ -0,0 +1,57 @@
+
+
+
diff --git a/icons/nextjs.svg b/icons/nextjs.svg
new file mode 100644
index 0000000..c45d6e6
--- /dev/null
+++ b/icons/nextjs.svg
@@ -0,0 +1,3 @@
+
diff --git a/icons/nuxtjs.svg b/icons/nuxtjs.svg
new file mode 100644
index 0000000..bebded3
--- /dev/null
+++ b/icons/nuxtjs.svg
@@ -0,0 +1,4 @@
+
diff --git a/icons/phpmd.svg b/icons/phpmd.svg
new file mode 100644
index 0000000..7697766
--- /dev/null
+++ b/icons/phpmd.svg
@@ -0,0 +1,595 @@
+
+
+
+
diff --git a/icons/pmd.svg b/icons/pmd.svg
new file mode 100644
index 0000000..61f1842
--- /dev/null
+++ b/icons/pmd.svg
@@ -0,0 +1,49 @@
+
+
diff --git a/icons/puppet-lint.svg b/icons/puppet-lint.svg
new file mode 100644
index 0000000..4e5d4d0
--- /dev/null
+++ b/icons/puppet-lint.svg
@@ -0,0 +1,95 @@
+
+
+
+
diff --git a/icons/pyre.svg b/icons/pyre.svg
new file mode 100644
index 0000000..2af14c0
--- /dev/null
+++ b/icons/pyre.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/icons/pysa.svg b/icons/pysa.svg
new file mode 100644
index 0000000..ed60fb1
--- /dev/null
+++ b/icons/pysa.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/icons/rails.svg b/icons/rails.svg
new file mode 100644
index 0000000..5e1f8f8
--- /dev/null
+++ b/icons/rails.svg
@@ -0,0 +1 @@
+
diff --git a/icons/scorecards.svg b/icons/scorecards.svg
new file mode 100644
index 0000000..9433c91
--- /dev/null
+++ b/icons/scorecards.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/icons/shiftleft.svg b/icons/shiftleft.svg
deleted file mode 100644
index f8e944a..0000000
--- a/icons/shiftleft.svg
+++ /dev/null
@@ -1,6 +0,0 @@
-
diff --git a/icons/sobelow.svg b/icons/sobelow.svg
new file mode 100644
index 0000000..4d243ea
--- /dev/null
+++ b/icons/sobelow.svg
@@ -0,0 +1,20 @@
+
+
+
diff --git a/icons/sonarcloud.svg b/icons/sonarcloud.svg
new file mode 100644
index 0000000..5f946d2
--- /dev/null
+++ b/icons/sonarcloud.svg
@@ -0,0 +1,20 @@
+
+
+
diff --git a/icons/soos.svg b/icons/soos.svg
new file mode 100644
index 0000000..17a31fc
--- /dev/null
+++ b/icons/soos.svg
@@ -0,0 +1,17 @@
+
+
+
diff --git a/icons/veracode.svg b/icons/veracode.svg
new file mode 100644
index 0000000..6c70e79
--- /dev/null
+++ b/icons/veracode.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/pages/gatsby.yml b/pages/gatsby.yml
new file mode 100644
index 0000000..4f2857d
--- /dev/null
+++ b/pages/gatsby.yml
@@ -0,0 +1,96 @@
+# Sample workflow for building and deploying a Gatsby site to GitHub Pages
+#
+# To get started with Gatsby see: https://www.gatsbyjs.com/docs/quick-start/
+#
+name: Deploy Gatsby site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: [$default-branch]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow one concurrent deployment
+concurrency:
+ group: "pages"
+ cancel-in-progress: true
+
+# Default to bash
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Detect package manager
+ id: detect-package-manager
+ run: |
+ if [ -f "${{ github.workspace }}/yarn.lock" ]; then
+ echo "::set-output name=manager::yarn"
+ echo "::set-output name=command::install"
+ exit 0
+ elif [ -f "${{ github.workspace }}/package.json" ]; then
+ echo "::set-output name=manager::npm"
+ echo "::set-output name=command::ci"
+ exit 0
+ else
+ echo "Unable to determine packager manager"
+ exit 1
+ fi
+ - name: Setup Node
+ uses: actions/setup-node@v3
+ with:
+ node-version: "16"
+ cache: ${{ steps.detect-package-manager.outputs.manager }}
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@v2
+ with:
+ # Automatically inject pathPrefix in your Gatsby configuration file.
+ #
+ # You may remove this line if you want to manage the configuration yourself.
+ static_site_generator: gatsby
+ - name: Restore cache
+ uses: actions/cache@v3
+ with:
+ path: |
+ public
+ .cache
+ key: ${{ runner.os }}-gatsby-build-${{ hashFiles('public') }}
+ restore-keys: |
+ ${{ runner.os }}-gatsby-build-
+ - name: Install dependencies
+ run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }}
+ - name: Build with Gatsby
+ env:
+ PREFIX_PATHS: 'true'
+ run: ${{ steps.detect-package-manager.outputs.manager }} run build
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v1
+ with:
+ path: ./public
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v1
diff --git a/pages/hugo.yml b/pages/hugo.yml
new file mode 100644
index 0000000..f273fb2
--- /dev/null
+++ b/pages/hugo.yml
@@ -0,0 +1,70 @@
+# Sample workflow for building and deploying a Hugo site to GitHub Pages
+name: Deploy Hugo site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: [$default-branch]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow one concurrent deployment
+concurrency:
+ group: "pages"
+ cancel-in-progress: true
+
+# Default to bash
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ env:
+ HUGO_VERSION: 0.102.3
+ steps:
+ - name: Install Hugo CLI
+ run: |
+ wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_Linux-64bit.deb \
+ && sudo dpkg -i ${{ runner.temp }}/hugo.deb
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ submodules: recursive
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@v2
+ - name: Build with Hugo
+ env:
+ # For maximum backward compatibility with Hugo modules
+ HUGO_ENVIRONMENT: production
+ HUGO_ENV: production
+ run: |
+ hugo \
+ --minify \
+ --baseURL "${{ steps.pages.outputs.base_url }}/"
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v1
+ with:
+ path: ./public
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v1
diff --git a/pages/jekyll-gh-pages.yml b/pages/jekyll-gh-pages.yml
new file mode 100644
index 0000000..8c7a207
--- /dev/null
+++ b/pages/jekyll-gh-pages.yml
@@ -0,0 +1,50 @@
+# Sample workflow for building and deploying a Jekyll site to GitHub Pages
+name: Deploy Jekyll with GitHub Pages dependencies preinstalled
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: [$default-branch]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow one concurrent deployment
+concurrency:
+ group: "pages"
+ cancel-in-progress: true
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Setup Pages
+ uses: actions/configure-pages@v2
+ - name: Build with Jekyll
+ uses: actions/jekyll-build-pages@v1
+ with:
+ source: ./
+ destination: ./_site
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v1
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v1
diff --git a/pages/jekyll.yml b/pages/jekyll.yml
new file mode 100644
index 0000000..d039d12
--- /dev/null
+++ b/pages/jekyll.yml
@@ -0,0 +1,63 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# Sample workflow for building and deploying a Jekyll site to GitHub Pages
+name: Deploy Jekyll site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: [$default-branch]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow one concurrent deployment
+concurrency:
+ group: "pages"
+ cancel-in-progress: true
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Setup Ruby
+ uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
+ with:
+ ruby-version: '3.0' # Not needed with a .ruby-version file
+ bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+ cache-version: 0 # Increment this number if you need to re-download cached gems
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@v2
+ - name: Build with Jekyll
+ # Outputs to the './_site' directory by default
+ run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}"
+ env:
+ JEKYLL_ENV: production
+ - name: Upload artifact
+ # Automatically uploads an artifact from the './_site' directory by default
+ uses: actions/upload-pages-artifact@v1
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v1
diff --git a/pages/nextjs.yml b/pages/nextjs.yml
new file mode 100644
index 0000000..5c2bf67
--- /dev/null
+++ b/pages/nextjs.yml
@@ -0,0 +1,94 @@
+# Sample workflow for building and deploying a Next.js site to GitHub Pages
+#
+# To get started with Next.js see: https://nextjs.org/docs/getting-started
+#
+name: Deploy Next.js site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: [$default-branch]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow one concurrent deployment
+concurrency:
+ group: "pages"
+ cancel-in-progress: true
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Detect package manager
+ id: detect-package-manager
+ run: |
+ if [ -f "${{ github.workspace }}/yarn.lock" ]; then
+ echo "::set-output name=manager::yarn"
+ echo "::set-output name=command::install"
+ echo "::set-output name=runner::yarn"
+ exit 0
+ elif [ -f "${{ github.workspace }}/package.json" ]; then
+ echo "::set-output name=manager::npm"
+ echo "::set-output name=command::ci"
+ echo "::set-output name=runner::npx --no-install"
+ exit 0
+ else
+ echo "Unable to determine packager manager"
+ exit 1
+ fi
+ - name: Setup Node
+ uses: actions/setup-node@v3
+ with:
+ node-version: "16"
+ cache: ${{ steps.detect-package-manager.outputs.manager }}
+ - name: Setup Pages
+ uses: actions/configure-pages@v2
+ with:
+ # Automatically inject basePath in your Next.js configuration file and disable
+ # server side image optimization (https://nextjs.org/docs/api-reference/next/image#unoptimized).
+ #
+ # You may remove this line if you want to manage the configuration yourself.
+ static_site_generator: next
+ - name: Restore cache
+ uses: actions/cache@v3
+ with:
+ path: |
+ .next/cache
+ # Generate a new cache whenever packages or source files change.
+ key: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}-${{ hashFiles('**.[jt]s', '**.[jt]sx') }}
+ # If source files changed but packages didn't, rebuild from a prior cache.
+ restore-keys: |
+ ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}-
+ - name: Install dependencies
+ run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }}
+ - name: Build with Next.js
+ run: ${{ steps.detect-package-manager.outputs.runner }} next build
+ - name: Static HTML export with Next.js
+ run: ${{ steps.detect-package-manager.outputs.runner }} next export
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v1
+ with:
+ path: ./out
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v1
diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml
new file mode 100644
index 0000000..4178f18
--- /dev/null
+++ b/pages/nuxtjs.yml
@@ -0,0 +1,89 @@
+# Sample workflow for building and deploying a Nuxt site to GitHub Pages
+#
+# To get started with Nuxt see: https://nuxtjs.org/docs/get-started/installation
+#
+name: Deploy Nuxt site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: [$default-branch]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow one concurrent deployment
+concurrency:
+ group: "pages"
+ cancel-in-progress: true
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Detect package manager
+ id: detect-package-manager
+ run: |
+ if [ -f "${{ github.workspace }}/yarn.lock" ]; then
+ echo "::set-output name=manager::yarn"
+ echo "::set-output name=command::install"
+ exit 0
+ elif [ -f "${{ github.workspace }}/package.json" ]; then
+ echo "::set-output name=manager::npm"
+ echo "::set-output name=command::ci"
+ exit 0
+ else
+ echo "Unable to determine packager manager"
+ exit 1
+ fi
+ - name: Setup Node
+ uses: actions/setup-node@v3
+ with:
+ node-version: "16"
+ cache: ${{ steps.detect-package-manager.outputs.manager }}
+ - name: Setup Pages
+ uses: actions/configure-pages@v2
+ with:
+ # Automatically inject router.base in your Nuxt configuration file and set
+ # target to static (https://nuxtjs.org/docs/configuration-glossary/configuration-target/).
+ #
+ # You may remove this line if you want to manage the configuration yourself.
+ static_site_generator: nuxt
+ - name: Restore cache
+ uses: actions/cache@v3
+ with:
+ path: |
+ dist
+ .nuxt
+ key: ${{ runner.os }}-nuxt-build-${{ hashFiles('dist') }}
+ restore-keys: |
+ ${{ runner.os }}-nuxt-build-
+ - name: Install dependencies
+ run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }}
+ - name: Static HTML export with Nuxt
+ run: ${{ steps.detect-package-manager.outputs.manager }} run generate
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v1
+ with:
+ path: ./dist
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v1
diff --git a/pages/properties/gatsby.properties.json b/pages/properties/gatsby.properties.json
new file mode 100644
index 0000000..df260f8
--- /dev/null
+++ b/pages/properties/gatsby.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "Gatsby",
+ "description": "Package a Gatsby site.",
+ "iconName": "gatsby",
+ "categories": ["Pages", "Gatsby"]
+}
\ No newline at end of file
diff --git a/pages/properties/hugo.properties.json b/pages/properties/hugo.properties.json
new file mode 100644
index 0000000..b6f6dc7
--- /dev/null
+++ b/pages/properties/hugo.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "Hugo",
+ "description": "Package a Hugo site.",
+ "iconName": "hugo",
+ "categories": ["Pages", "Hugo"]
+}
\ No newline at end of file
diff --git a/pages/properties/jekyll-gh-pages.properties.json b/pages/properties/jekyll-gh-pages.properties.json
new file mode 100644
index 0000000..3e38602
--- /dev/null
+++ b/pages/properties/jekyll-gh-pages.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "GitHub Pages Jekyll",
+ "description": "Package a Jekyll site with GitHub Pages dependencies preinstalled.",
+ "iconName": "jekyll-tube",
+ "categories": ["Pages", "Jekyll"]
+}
diff --git a/pages/properties/jekyll.properties.json b/pages/properties/jekyll.properties.json
new file mode 100644
index 0000000..8b4c1d2
--- /dev/null
+++ b/pages/properties/jekyll.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "Jekyll",
+ "description": "Package a Jekyll site.",
+ "iconName": "jekyll-tube",
+ "categories": ["Pages", "Jekyll"]
+}
diff --git a/pages/properties/nextjs.properties.json b/pages/properties/nextjs.properties.json
new file mode 100644
index 0000000..4209908
--- /dev/null
+++ b/pages/properties/nextjs.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "Next.js",
+ "description": "Package a Next.js site.",
+ "iconName": "nextjs",
+ "categories": ["Pages", "Next"]
+}
diff --git a/pages/properties/nuxtjs.properties.json b/pages/properties/nuxtjs.properties.json
new file mode 100644
index 0000000..d79909e
--- /dev/null
+++ b/pages/properties/nuxtjs.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "NuxtJS",
+ "description": "Package a NuxtJS site.",
+ "iconName": "nuxtjs",
+ "categories": ["Pages", "Nuxt"]
+}
\ No newline at end of file
diff --git a/pages/properties/static.properties.json b/pages/properties/static.properties.json
new file mode 100644
index 0000000..372579c
--- /dev/null
+++ b/pages/properties/static.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "Static HTML",
+ "description": "Deploy static files in a repository without a build.",
+ "iconName": "html",
+ "categories": ["Pages", "HTML", "JavaScript", "CSS"]
+}
diff --git a/pages/static.yml b/pages/static.yml
new file mode 100644
index 0000000..9e0e871
--- /dev/null
+++ b/pages/static.yml
@@ -0,0 +1,42 @@
+# Simple workflow for deploying static content to GitHub Pages
+name: Deploy static content to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: [$default-branch]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow one concurrent deployment
+concurrency:
+ group: "pages"
+ cancel-in-progress: true
+
+jobs:
+ # Single deploy job since we're just deploying
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Setup Pages
+ uses: actions/configure-pages@v2
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v1
+ with:
+ # Upload entire repository
+ path: '.'
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v1
diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts
index 9edc70e..608e73d 100755
--- a/script/sync-ghes/index.ts
+++ b/script/sync-ghes/index.ts
@@ -21,6 +21,8 @@ interface WorkflowProperties {
categories: string[] | null;
creator?: string;
+
+ enterprise?: boolean;
}
interface WorkflowsCheckResult {
@@ -59,6 +61,7 @@ async function checkWorkflows(
const enabled =
!isPartnerWorkflow &&
+ workflowProperties.enterprise !== false &&
(await checkWorkflow(workflowFilePath, enabledActions));
const workflowDesc: WorkflowDesc = {
diff --git a/script/sync-ghes/package-lock.json b/script/sync-ghes/package-lock.json
index ebcd318..768bbda 100644
--- a/script/sync-ghes/package-lock.json
+++ b/script/sync-ghes/package-lock.json
@@ -1,8 +1,166 @@
{
"name": "sync-ghes-actions",
"version": "1.0.0",
- "lockfileVersion": 1,
+ "lockfileVersion": 2,
"requires": true,
+ "packages": {
+ "": {
+ "name": "sync-ghes-actions",
+ "version": "1.0.0",
+ "license": "MIT",
+ "dependencies": {
+ "js-yaml": "^3.13.1"
+ },
+ "devDependencies": {
+ "@types/js-yaml": "^3.12.4",
+ "@types/node": "^14.0.1",
+ "ts-node": "^8.10.1",
+ "typescript": "^3.9.2"
+ }
+ },
+ "node_modules/@types/js-yaml": {
+ "version": "3.12.4",
+ "resolved": "https://registry.npmjs.org/@types/js-yaml/-/js-yaml-3.12.4.tgz",
+ "integrity": "sha512-fYMgzN+9e28R81weVN49inn/u798ruU91En1ZnGvSZzCRc5jXx9B2EDhlRaWmcO1RIxFHL8AajRXzxDuJu93+A==",
+ "dev": true
+ },
+ "node_modules/@types/node": {
+ "version": "14.0.1",
+ "resolved": "https://registry.npmjs.org/@types/node/-/node-14.0.1.tgz",
+ "integrity": "sha512-FAYBGwC+W6F9+huFIDtn43cpy7+SzG+atzRiTfdp3inUKL2hXnd4rG8hylJLIh4+hqrQy1P17kvJByE/z825hA==",
+ "dev": true
+ },
+ "node_modules/arg": {
+ "version": "4.1.3",
+ "resolved": "https://registry.npmjs.org/arg/-/arg-4.1.3.tgz",
+ "integrity": "sha512-58S9QDqG0Xx27YwPSt9fJxivjYl432YCwfDMfZ+71RAqUrZef7LrKQZ3LHLOwCS4FLNBplP533Zx895SeOCHvA==",
+ "dev": true
+ },
+ "node_modules/argparse": {
+ "version": "1.0.10",
+ "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.10.tgz",
+ "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==",
+ "dependencies": {
+ "sprintf-js": "~1.0.2"
+ }
+ },
+ "node_modules/buffer-from": {
+ "version": "1.1.1",
+ "resolved": "https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.1.tgz",
+ "integrity": "sha512-MQcXEUbCKtEo7bhqEs6560Hyd4XaovZlO/k9V3hjVUF/zwW7KBVdSK4gIt/bzwS9MbR5qob+F5jusZsb0YQK2A==",
+ "dev": true
+ },
+ "node_modules/diff": {
+ "version": "4.0.2",
+ "resolved": "https://registry.npmjs.org/diff/-/diff-4.0.2.tgz",
+ "integrity": "sha512-58lmxKSA4BNyLz+HHMUzlOEpg09FV+ev6ZMe3vJihgdxzgcwZ8VoEEPmALCZG9LmqfVoNMMKpttIYTVG6uDY7A==",
+ "dev": true,
+ "engines": {
+ "node": ">=0.3.1"
+ }
+ },
+ "node_modules/esprima": {
+ "version": "4.0.1",
+ "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz",
+ "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==",
+ "bin": {
+ "esparse": "bin/esparse.js",
+ "esvalidate": "bin/esvalidate.js"
+ },
+ "engines": {
+ "node": ">=4"
+ }
+ },
+ "node_modules/js-yaml": {
+ "version": "3.13.1",
+ "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.13.1.tgz",
+ "integrity": "sha512-YfbcO7jXDdyj0DGxYVSlSeQNHbD7XPWvrVWeVUujrQEoZzWJIRrCPoyk6kL6IAjAG2IolMK4T0hNUe0HOUs5Jw==",
+ "dependencies": {
+ "argparse": "^1.0.7",
+ "esprima": "^4.0.0"
+ },
+ "bin": {
+ "js-yaml": "bin/js-yaml.js"
+ }
+ },
+ "node_modules/make-error": {
+ "version": "1.3.6",
+ "resolved": "https://registry.npmjs.org/make-error/-/make-error-1.3.6.tgz",
+ "integrity": "sha512-s8UhlNe7vPKomQhC1qFelMokr/Sc3AgNbso3n74mVPA5LTZwkB9NlXf4XPamLxJE8h0gh73rM94xvwRT2CVInw==",
+ "dev": true
+ },
+ "node_modules/source-map": {
+ "version": "0.6.1",
+ "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+ "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+ "dev": true,
+ "engines": {
+ "node": ">=0.10.0"
+ }
+ },
+ "node_modules/source-map-support": {
+ "version": "0.5.19",
+ "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.5.19.tgz",
+ "integrity": "sha512-Wonm7zOCIJzBGQdB+thsPar0kYuCIzYvxZwlBa87yi/Mdjv7Tip2cyVbLj5o0cFPN4EVkuTwb3GDDyUx2DGnGw==",
+ "dev": true,
+ "dependencies": {
+ "buffer-from": "^1.0.0",
+ "source-map": "^0.6.0"
+ }
+ },
+ "node_modules/sprintf-js": {
+ "version": "1.0.3",
+ "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz",
+ "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw="
+ },
+ "node_modules/ts-node": {
+ "version": "8.10.1",
+ "resolved": "https://registry.npmjs.org/ts-node/-/ts-node-8.10.1.tgz",
+ "integrity": "sha512-bdNz1L4ekHiJul6SHtZWs1ujEKERJnHs4HxN7rjTyyVOFf3HaJ6sLqe6aPG62XTzAB/63pKRh5jTSWL0D7bsvw==",
+ "dev": true,
+ "dependencies": {
+ "arg": "^4.1.0",
+ "diff": "^4.0.1",
+ "make-error": "^1.1.1",
+ "source-map-support": "^0.5.17",
+ "yn": "3.1.1"
+ },
+ "bin": {
+ "ts-node": "dist/bin.js",
+ "ts-node-script": "dist/bin-script.js",
+ "ts-node-transpile-only": "dist/bin-transpile.js",
+ "ts-script": "dist/bin-script-deprecated.js"
+ },
+ "engines": {
+ "node": ">=6.0.0"
+ },
+ "peerDependencies": {
+ "typescript": ">=2.7"
+ }
+ },
+ "node_modules/typescript": {
+ "version": "3.9.2",
+ "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz",
+ "integrity": "sha512-q2ktq4n/uLuNNShyayit+DTobV2ApPEo/6so68JaD5ojvc/6GClBipedB9zNWYxRSAlZXAe405Rlijzl6qDiSw==",
+ "dev": true,
+ "bin": {
+ "tsc": "bin/tsc",
+ "tsserver": "bin/tsserver"
+ },
+ "engines": {
+ "node": ">=4.2.0"
+ }
+ },
+ "node_modules/yn": {
+ "version": "3.1.1",
+ "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz",
+ "integrity": "sha512-Ux4ygGWsu2c7isFWe8Yu1YluJmqVhxqK2cLXNQA5AcC3QfbGNpM7fu0Y8b/z16pXLnFxZYvWhd3fhBY9DLmC6Q==",
+ "dev": true,
+ "engines": {
+ "node": ">=6"
+ }
+ }
+ },
"dependencies": {
"@types/js-yaml": {
"version": "3.12.4",
diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts
index 7dce3d1..4bd260d 100755
--- a/script/validate-data/index.ts
+++ b/script/validate-data/index.ts
@@ -1,7 +1,7 @@
#!/usr/bin/env npx ts-node
import { promises as fs } from "fs";
import { safeLoad } from "js-yaml";
-import { basename, extname, join } from "path";
+import { basename, extname, join, dirname } from "path";
import { Validator as validator } from "jsonschema";
import { endGroup, error, info, setFailed, startGroup } from '@actions/core';
@@ -14,6 +14,7 @@ interface WorkflowWithErrors {
interface WorkflowProperties {
name: string;
description: string;
+ creator: string;
iconName: string;
categories: string[];
}
@@ -40,7 +41,7 @@ const propertiesSchema = {
}
}
-async function checkWorkflows(folders: string[], allowed_categories: string[]): Promise {
+async function checkWorkflows(folders: string[], allowed_categories: object[]): Promise {
const result: WorkflowWithErrors[] = []
const workflow_template_names = new Set()
for (const folder of folders) {
@@ -69,7 +70,7 @@ async function checkWorkflows(folders: string[], allowed_categories: string[]):
return result;
}
-async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: string[]): Promise {
+async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: object[]): Promise {
let workflowErrors: WorkflowWithErrors = {
id: workflowPath,
name: null,
@@ -104,9 +105,19 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow
}
}
- if (!workflowPath.endsWith("blank.yml") && (!properties.categories ||
- !properties.categories.some(category => allowed_categories.some(ac => ac.toLowerCase() == category.toLowerCase())))) {
- workflowErrors.errors.push(`Workflow does not contain at least one allowed category - ${allowed_categories}`)
+ var path = dirname(workflowPath)
+ var folder_categories = allowed_categories.find( category => category["path"] == path)["categories"]
+ if (!workflowPath.endsWith("blank.yml")) {
+ if(!properties.categories || properties.categories.length == 0) {
+ workflowErrors.errors.push(`Workflow categories cannot be null or empty`)
+ }
+ else if(!folder_categories.some(category => properties.categories[0].toLowerCase() == category.toLowerCase())) {
+ workflowErrors.errors.push(`The first category in properties.json categories for workflow in ${basename(path)} folder must be one of "${folder_categories}. Either move the workflow to an appropriate directory or change the category."`)
+ }
+ }
+
+ if(basename(path).toLowerCase() == 'deployments' && !properties.creator) {
+ workflowErrors.errors.push(`The "creator" in properties.json must be present.`)
}
} catch (e) {
workflowErrors.errors.push(e.toString())
diff --git a/script/validate-data/package-lock.json b/script/validate-data/package-lock.json
index 8839d6a..e660b6a 100644
--- a/script/validate-data/package-lock.json
+++ b/script/validate-data/package-lock.json
@@ -1,8 +1,181 @@
{
- "name": "sync-ghes-actions",
+ "name": "validate-data",
"version": "1.0.0",
- "lockfileVersion": 1,
+ "lockfileVersion": 2,
"requires": true,
+ "packages": {
+ "": {
+ "name": "validate-data",
+ "version": "1.0.0",
+ "license": "MIT",
+ "dependencies": {
+ "@actions/core": "^1.2.6",
+ "js-yaml": "^3.13.1",
+ "jsonschema": "^1.2.6"
+ },
+ "devDependencies": {
+ "@types/js-yaml": "^3.12.4",
+ "@types/node": "^14.0.1",
+ "ts-node": "^8.10.1",
+ "typescript": "^3.9.2"
+ }
+ },
+ "node_modules/@actions/core": {
+ "version": "1.2.6",
+ "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz",
+ "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA=="
+ },
+ "node_modules/@types/js-yaml": {
+ "version": "3.12.4",
+ "resolved": "https://registry.npmjs.org/@types/js-yaml/-/js-yaml-3.12.4.tgz",
+ "integrity": "sha512-fYMgzN+9e28R81weVN49inn/u798ruU91En1ZnGvSZzCRc5jXx9B2EDhlRaWmcO1RIxFHL8AajRXzxDuJu93+A==",
+ "dev": true
+ },
+ "node_modules/@types/node": {
+ "version": "14.0.1",
+ "resolved": "https://registry.npmjs.org/@types/node/-/node-14.0.1.tgz",
+ "integrity": "sha512-FAYBGwC+W6F9+huFIDtn43cpy7+SzG+atzRiTfdp3inUKL2hXnd4rG8hylJLIh4+hqrQy1P17kvJByE/z825hA==",
+ "dev": true
+ },
+ "node_modules/arg": {
+ "version": "4.1.3",
+ "resolved": "https://registry.npmjs.org/arg/-/arg-4.1.3.tgz",
+ "integrity": "sha512-58S9QDqG0Xx27YwPSt9fJxivjYl432YCwfDMfZ+71RAqUrZef7LrKQZ3LHLOwCS4FLNBplP533Zx895SeOCHvA==",
+ "dev": true
+ },
+ "node_modules/argparse": {
+ "version": "1.0.10",
+ "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.10.tgz",
+ "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==",
+ "dependencies": {
+ "sprintf-js": "~1.0.2"
+ }
+ },
+ "node_modules/buffer-from": {
+ "version": "1.1.1",
+ "resolved": "https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.1.tgz",
+ "integrity": "sha512-MQcXEUbCKtEo7bhqEs6560Hyd4XaovZlO/k9V3hjVUF/zwW7KBVdSK4gIt/bzwS9MbR5qob+F5jusZsb0YQK2A==",
+ "dev": true
+ },
+ "node_modules/diff": {
+ "version": "4.0.2",
+ "resolved": "https://registry.npmjs.org/diff/-/diff-4.0.2.tgz",
+ "integrity": "sha512-58lmxKSA4BNyLz+HHMUzlOEpg09FV+ev6ZMe3vJihgdxzgcwZ8VoEEPmALCZG9LmqfVoNMMKpttIYTVG6uDY7A==",
+ "dev": true,
+ "engines": {
+ "node": ">=0.3.1"
+ }
+ },
+ "node_modules/esprima": {
+ "version": "4.0.1",
+ "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz",
+ "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==",
+ "bin": {
+ "esparse": "bin/esparse.js",
+ "esvalidate": "bin/esvalidate.js"
+ },
+ "engines": {
+ "node": ">=4"
+ }
+ },
+ "node_modules/js-yaml": {
+ "version": "3.13.1",
+ "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.13.1.tgz",
+ "integrity": "sha512-YfbcO7jXDdyj0DGxYVSlSeQNHbD7XPWvrVWeVUujrQEoZzWJIRrCPoyk6kL6IAjAG2IolMK4T0hNUe0HOUs5Jw==",
+ "dependencies": {
+ "argparse": "^1.0.7",
+ "esprima": "^4.0.0"
+ },
+ "bin": {
+ "js-yaml": "bin/js-yaml.js"
+ }
+ },
+ "node_modules/jsonschema": {
+ "version": "1.2.6",
+ "resolved": "https://registry.npmjs.org/jsonschema/-/jsonschema-1.2.6.tgz",
+ "integrity": "sha512-SqhURKZG07JyKKeo/ir24QnS4/BV7a6gQy93bUSe4lUdNp0QNpIz2c9elWJQ9dpc5cQYY6cvCzgRwy0MQCLyqA==",
+ "engines": {
+ "node": "*"
+ }
+ },
+ "node_modules/make-error": {
+ "version": "1.3.6",
+ "resolved": "https://registry.npmjs.org/make-error/-/make-error-1.3.6.tgz",
+ "integrity": "sha512-s8UhlNe7vPKomQhC1qFelMokr/Sc3AgNbso3n74mVPA5LTZwkB9NlXf4XPamLxJE8h0gh73rM94xvwRT2CVInw==",
+ "dev": true
+ },
+ "node_modules/source-map": {
+ "version": "0.6.1",
+ "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+ "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+ "dev": true,
+ "engines": {
+ "node": ">=0.10.0"
+ }
+ },
+ "node_modules/source-map-support": {
+ "version": "0.5.19",
+ "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.5.19.tgz",
+ "integrity": "sha512-Wonm7zOCIJzBGQdB+thsPar0kYuCIzYvxZwlBa87yi/Mdjv7Tip2cyVbLj5o0cFPN4EVkuTwb3GDDyUx2DGnGw==",
+ "dev": true,
+ "dependencies": {
+ "buffer-from": "^1.0.0",
+ "source-map": "^0.6.0"
+ }
+ },
+ "node_modules/sprintf-js": {
+ "version": "1.0.3",
+ "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz",
+ "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw="
+ },
+ "node_modules/ts-node": {
+ "version": "8.10.1",
+ "resolved": "https://registry.npmjs.org/ts-node/-/ts-node-8.10.1.tgz",
+ "integrity": "sha512-bdNz1L4ekHiJul6SHtZWs1ujEKERJnHs4HxN7rjTyyVOFf3HaJ6sLqe6aPG62XTzAB/63pKRh5jTSWL0D7bsvw==",
+ "dev": true,
+ "dependencies": {
+ "arg": "^4.1.0",
+ "diff": "^4.0.1",
+ "make-error": "^1.1.1",
+ "source-map-support": "^0.5.17",
+ "yn": "3.1.1"
+ },
+ "bin": {
+ "ts-node": "dist/bin.js",
+ "ts-node-script": "dist/bin-script.js",
+ "ts-node-transpile-only": "dist/bin-transpile.js",
+ "ts-script": "dist/bin-script-deprecated.js"
+ },
+ "engines": {
+ "node": ">=6.0.0"
+ },
+ "peerDependencies": {
+ "typescript": ">=2.7"
+ }
+ },
+ "node_modules/typescript": {
+ "version": "3.9.2",
+ "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz",
+ "integrity": "sha512-q2ktq4n/uLuNNShyayit+DTobV2ApPEo/6so68JaD5ojvc/6GClBipedB9zNWYxRSAlZXAe405Rlijzl6qDiSw==",
+ "dev": true,
+ "bin": {
+ "tsc": "bin/tsc",
+ "tsserver": "bin/tsserver"
+ },
+ "engines": {
+ "node": ">=4.2.0"
+ }
+ },
+ "node_modules/yn": {
+ "version": "3.1.1",
+ "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz",
+ "integrity": "sha512-Ux4ygGWsu2c7isFWe8Yu1YluJmqVhxqK2cLXNQA5AcC3QfbGNpM7fu0Y8b/z16pXLnFxZYvWhd3fhBY9DLmC6Q==",
+ "dev": true,
+ "engines": {
+ "node": ">=6"
+ }
+ }
+ },
"dependencies": {
"@actions/core": {
"version": "1.2.6",
diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json
index ce89e36..852f575 100644
--- a/script/validate-data/settings.json
+++ b/script/validate-data/settings.json
@@ -5,10 +5,22 @@
"../../deployments",
"../../code-scanning"
],
- "allowed_categories" : [
- "Continuous integration",
- "Deployment",
- "Code Scanning",
- "Automation"
+ "allowed_categories": [
+ {
+ "path": "../../ci",
+ "categories": ["Continuous integration"]
+ },
+ {
+ "path": "../../automation",
+ "categories": ["Automation"]
+ },
+ {
+ "path": "../../deployments",
+ "categories": ["Deployment"]
+ },
+ {
+ "path": "../../code-scanning",
+ "categories": ["Code Scanning", "Dependency review"]
+ }
]
-}
\ No newline at end of file
+}