diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 6494e8d..752dd99 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -26,6 +26,7 @@ It is not:
- [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests").
- [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build").
- [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification.
+- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully.
**For _CI_ workflows, the workflow:**
diff --git a/ci/android.yml b/ci/android.yml
index 3037b9f..f289bd5 100644
--- a/ci/android.yml
+++ b/ci/android.yml
@@ -17,7 +17,7 @@ jobs:
uses: actions/setup-java@v2
with:
java-version: '11'
- distribution: 'adopt'
+ distribution: 'temurin'
cache: gradle
- name: Grant execute permission for gradlew
diff --git a/ci/ant.yml b/ci/ant.yml
index 655a94c..0205d40 100644
--- a/ci/ant.yml
+++ b/ci/ant.yml
@@ -20,6 +20,6 @@ jobs:
uses: actions/setup-java@v2
with:
java-version: '11'
- distribution: 'adopt'
+ distribution: 'temurin'
- name: Build with Ant
run: ant -noinput -buildfile build.xml
diff --git a/ci/deno.yml b/ci/deno.yml
index 38f2319..25e9e2a 100644
--- a/ci/deno.yml
+++ b/ci/deno.yml
@@ -24,7 +24,7 @@ jobs:
- name: Setup Deno
# uses: denoland/setup-deno@v1
- uses: denoland/setup-deno@004814556e37c54a2f6e31384c9e18e9833173669
+ uses: denoland/setup-deno@004814556e37c54a2f6e31384c9e18e983317366
with:
deno-version: v1.x
diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml
index f24c004..9fdc851 100644
--- a/ci/gradle-publish.yml
+++ b/ci/gradle-publish.yml
@@ -25,19 +25,19 @@ jobs:
uses: actions/setup-java@v2
with:
java-version: '11'
- distribution: 'adopt'
+ distribution: 'temurin'
server-id: github # Value of the distributionManagement/repository/id field of the pom.xml
settings-path: ${{ github.workspace }} # location for the settings.xml file
- name: Build with Gradle
- uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021
+ uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7
with:
arguments: build
# The USERNAME and TOKEN need to correspond to the credentials environment variables used in
# the publishing section of your build.gradle
- name: Publish to GitHub Packages
- uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021
+ uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7
with:
arguments: publish
env:
diff --git a/ci/gradle.yml b/ci/gradle.yml
index b83458c..fc8cf2f 100644
--- a/ci/gradle.yml
+++ b/ci/gradle.yml
@@ -24,8 +24,8 @@ jobs:
uses: actions/setup-java@v2
with:
java-version: '11'
- distribution: 'adopt'
+ distribution: 'temurin'
- name: Build with Gradle
- uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021
+ uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7
with:
arguments: build
diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml
index 18dd937..319f9a1 100644
--- a/ci/maven-publish.yml
+++ b/ci/maven-publish.yml
@@ -21,7 +21,7 @@ jobs:
uses: actions/setup-java@v2
with:
java-version: '11'
- distribution: 'adopt'
+ distribution: 'temurin'
server-id: github # Value of the distributionManagement/repository/id field of the pom.xml
settings-path: ${{ github.workspace }} # location for the settings.xml file
diff --git a/ci/maven.yml b/ci/maven.yml
index ac3b6de..f301fe0 100644
--- a/ci/maven.yml
+++ b/ci/maven.yml
@@ -20,7 +20,7 @@ jobs:
uses: actions/setup-java@v2
with:
java-version: '11'
- distribution: 'adopt'
+ distribution: 'temurin'
cache: maven
- name: Build with Maven
run: mvn -B package --file pom.xml
diff --git a/ci/node.js.yml b/ci/node.js.yml
index 89b24fe..8d1b9c7 100644
--- a/ci/node.js.yml
+++ b/ci/node.js.yml
@@ -1,4 +1,4 @@
-# This workflow will do a clean install of node dependencies, cache/restore them, build the source code and run tests across different versions of node
+# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
name: Node.js CI
diff --git a/ci/properties/rubyonrails-lint.properties.json b/ci/properties/rubyonrails-lint.properties.json
deleted file mode 100644
index e6e5f69..0000000
--- a/ci/properties/rubyonrails-lint.properties.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "name": "Rails - Install Dependencies and Run Linters",
- "description": "Install dependencies and run linters on Rails application",
- "iconName": "ruby",
- "categories": ["Continuous integration", "Ruby", "Rails"]
-}
diff --git a/ci/properties/rubyonrails.properties.json b/ci/properties/rubyonrails.properties.json
new file mode 100644
index 0000000..49b29a4
--- /dev/null
+++ b/ci/properties/rubyonrails.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "Ruby on Rails continuous integration",
+ "description": "Build, lint, and test a Rails application",
+ "iconName": "rails",
+ "categories": ["Continuous integration", "Ruby", "Rails"]
+}
diff --git a/ci/pylint.yml b/ci/pylint.yml
index 10c49c6..7b555fe 100644
--- a/ci/pylint.yml
+++ b/ci/pylint.yml
@@ -20,4 +20,4 @@ jobs:
pip install pylint
- name: Analysing the code with pylint
run: |
- pylint `ls -R|grep .py$|xargs`
+ pylint $(git ls-files '*.py')
diff --git a/ci/rubyonrails-lint.yml b/ci/rubyonrails-lint.yml
deleted file mode 100644
index d95b70e..0000000
--- a/ci/rubyonrails-lint.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-# This workflow will download a prebuilt Ruby version, install dependencies, and run linters
-name: Rails - Install dependencies and run linters
-
-on:
- push:
- branches: [ $default-branch ]
- pull_request:
- branches: [ $default-branch ]
-jobs:
- run-lint:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout code
- uses: actions/checkout@v2
-
- - name: Setup Ruby and install gems
- uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e
- with:
- bundler-cache: true
- # Add or Replace any other security checks here
- - name: Run security checks
- run: |
- bin/bundler-audit --update
- bin/brakeman -q -w2
- # Add or Replace any other Linters here
- - name: Run linters
- run: |
- bin/rubocop --parallel
\ No newline at end of file
diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml
new file mode 100644
index 0000000..b7b3624
--- /dev/null
+++ b/ci/rubyonrails.yml
@@ -0,0 +1,58 @@
+# This workflow uses actions that are not certified by GitHub. They are
+# provided by a third-party and are governed by separate terms of service,
+# privacy policy, and support documentation.
+#
+# This workflow will install a prebuilt Ruby version, install dependencies, and
+# run tests and linters.
+name: "Ruby on Rails CI"
+on:
+ push:
+ branches: [ $default-branch ]
+ pull_request:
+ branches: [ $default-branch ]
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ services:
+ postgres:
+ image: postgres:11-alpine
+ ports:
+ - "5432:5432"
+ env:
+ POSTGRES_DB: rails_test
+ POSTGRES_USER: rails
+ POSTGRES_PASSWORD: password
+ env:
+ RAILS_ENV: test
+ DATABASE_URL: "postgres://rails:password@localhost:5432/rails_test"
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+ # Add or replace dependency steps here
+ - name: Install Ruby and gems
+ uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92
+ with:
+ bundler-cache: true
+ # Add or replace database setup steps here
+ - name: Set up database schema
+ run: bin/rails db:schema:load
+ # Add or replace test runners here
+ - name: Run tests
+ run: bin/rake
+
+ lint:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+ - name: Install Ruby and gems
+ uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92
+ with:
+ bundler-cache: true
+ # Add or replace any other lints here
+ - name: Security audit dependencies
+ run: bin/bundler-audit --update
+ - name: Security audit application code
+ run: bin/brakeman -q -w2
+ - name: Lint Ruby files
+ run: bin/rubocop --parallel
diff --git a/ci/scala.yml b/ci/scala.yml
index 4a3c112..af6b2ed 100644
--- a/ci/scala.yml
+++ b/ci/scala.yml
@@ -17,6 +17,6 @@ jobs:
uses: actions/setup-java@v2
with:
java-version: '11'
- distribution: 'adopt'
+ distribution: 'temurin'
- name: Run tests
run: sbt test
diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml
index d90f68c..fcca708 100644
--- a/code-scanning/anchore.yml
+++ b/code-scanning/anchore.yml
@@ -20,8 +20,14 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
Anchore-Build-Scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- name: Checkout the code
@@ -36,4 +42,4 @@ jobs:
- name: Upload Anchore Scan Report
uses: github/codeql-action/upload-sarif@v1
with:
- sarif_file: results.sarif
\ No newline at end of file
+ sarif_file: results.sarif
diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml
index 96b9897..d012bce 100644
--- a/code-scanning/checkmarx.yml
+++ b/code-scanning/checkmarx.yml
@@ -17,10 +17,18 @@ on:
- cron: $cron-weekly
# A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action
+permissions:
+ contents: read
+
jobs:
# This workflow contains a single job called "build"
build:
# The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues
+ pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
# Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional)
diff --git a/code-scanning/properties/apisec-scan.properties.json b/code-scanning/properties/apisec-scan.properties.json
index 9e7db58..b0872c8 100644
--- a/code-scanning/properties/apisec-scan.properties.json
+++ b/code-scanning/properties/apisec-scan.properties.json
@@ -1,7 +1,7 @@
{
"name": "APIsec Scan",
"creator": "APIsec",
- "description": "APIsec addresses the critical need to secure APIs before they reach production. APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs. Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities.",
+ "description": "APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs.",
"iconName": "apisec",
"categories": [
"Code Scanning",
diff --git a/code-scanning/properties/cloudrail.properties.json b/code-scanning/properties/cloudrail.properties.json
index 830d966..e87f3ca 100644
--- a/code-scanning/properties/cloudrail.properties.json
+++ b/code-scanning/properties/cloudrail.properties.json
@@ -1,7 +1,7 @@
{
"name": "cloudrail",
"creator": "Indeni Cloudrail",
- "description": "Cloudrail can be used to scan your infrastructure-as-code files for potential security and compliance issues. The Cloudrail action is often used as part of both CI workflows (on pull_request) and on CD workflows to identify potential issues.",
+ "description": "Cloudrail can be used to scan your infrastructure-as-code files for potential security and compliance issues.",
"iconName": "cloudrail",
"categories": ["Code Scanning", "HCL"]
}
diff --git a/code-scanning/properties/pmd.properties.json b/code-scanning/properties/pmd.properties.json
index 8608022..b96ecb7 100644
--- a/code-scanning/properties/pmd.properties.json
+++ b/code-scanning/properties/pmd.properties.json
@@ -1,7 +1,7 @@
{
"name": "pmd",
"creator": "pmd",
- "description": "PMD is a static source code analyzer. It finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth. It supports Java, JavaScript, Salesforce.com Apex and Visualforce, Modelica, PLSQL, Apache Velocity, XML, XSL, Scala.",
+ "description": "PMD is a static source code analyzer. It supports Java, JavaScript, Apex and Visualforce, Modelica, PLSQL, Apache Velocity, XML, XSL, Scala.",
"iconName": "pmd",
"categories": [
"Code Scanning",
@@ -13,7 +13,6 @@
"Apache Velocity",
"XML",
"XSl",
- "Scala",
- "Apex"
+ "Scala"
]
}
\ No newline at end of file
diff --git a/code-scanning/properties/scorecards.properties.json b/code-scanning/properties/scorecards.properties.json
index d45274b..a98834c 100644
--- a/code-scanning/properties/scorecards.properties.json
+++ b/code-scanning/properties/scorecards.properties.json
@@ -1,7 +1,7 @@
{
- "name": "OSSF Scorecards supply-chain security analysis",
- "creator": "Open Source Security Foundation (OpenSSF) - https://github.com/ossf",
- "description": "Scorecards is a static analysis tool to assess the security posture of your project",
+ "name": "OSSF Scorecards",
+ "creator": "Open Source Security Foundation (OpenSSF)",
+ "description": "Scorecards is a static supply-chain security analysis tool to assess the security posture of your project",
"iconName": "scorecards",
"categories": ["Code Scanning"]
}
diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml
index 8b2346a..618ce28 100644
--- a/code-scanning/scorecards.yml
+++ b/code-scanning/scorecards.yml
@@ -1,5 +1,5 @@
name: Scorecards supply-chain security
-on:
+on:
# Only the default branch is supported.
branch_protection_rule:
schedule:
@@ -17,7 +17,9 @@ jobs:
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
-
+ actions: read
+ contents: read
+
steps:
- name: "Checkout code"
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
@@ -25,17 +27,17 @@ jobs:
persist-credentials: false
- name: "Run analysis"
- uses: ossf/scorecard-action@175f59783fa96e44dd6fa96619ab7bdacab56b5c # v0.0.1
+ uses: ossf/scorecard-action@c8416b0b2bf627c349ca92fc8e3de51a64b005cf # v1.0.2
with:
results_file: results.sarif
results_format: sarif
# Read-only PAT token. To create it,
# follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
- repo_token: ${{ secrets.SCORECARD_TOKEN }}
+ repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
# Publish the results to enable scorecard badges. For more details, see
# https://github.com/ossf/scorecard-action#publishing-results.
- # If you are installing the action on a private repo, set it to `publish_results: false`
- # or comment out the following line.
+ # For private repositories, `publish_results` will automatically be set to `false`,
+ # regardless of the value entered here.
publish_results: true
# Upload the results as artifacts (optional).
@@ -45,7 +47,7 @@ jobs:
name: SARIF file
path: results.sarif
retention-days: 5
-
+
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml
index f778492..3d5373f 100644
--- a/code-scanning/trivy.yml
+++ b/code-scanning/trivy.yml
@@ -14,8 +14,14 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
build:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Build
runs-on: "ubuntu-18.04"
steps:
diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml
index 7c7bb2a..57fe362 100644
--- a/deployments/azure-container-webapp.yml
+++ b/deployments/azure-container-webapp.yml
@@ -62,21 +62,21 @@ jobs:
tags: ghcr.io/${{ env.REPO }}:${{ github.sha }}
file: ./Dockerfile
- deploy:
- runs-on: ubuntu-latest
- needs: build
- environment:
- name: 'Development'
- url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
+ deploy:
+ runs-on: ubuntu-latest
+ needs: build
+ environment:
+ name: 'Development'
+ url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
- steps:
- - name: Lowercase the repo name and username
- run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
-
- - name: Deploy to Azure Web App
- id: deploy-to-webapp
- uses: azure/webapps-deploy@v2
- with:
- app-name: ${{ env.AZURE_WEBAPP_NAME }}
- publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
- images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}'
+ steps:
+ - name: Lowercase the repo name and username
+ run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
+
+ - name: Deploy to Azure Web App
+ id: deploy-to-webapp
+ uses: azure/webapps-deploy@v2
+ with:
+ app-name: ${{ env.AZURE_WEBAPP_NAME }}
+ publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
+ images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}'
diff --git a/deployments/google.yml b/deployments/google.yml
index bfb5de6..003e53b 100644
--- a/deployments/google.yml
+++ b/deployments/google.yml
@@ -26,16 +26,16 @@ env:
REPOSITORY: samples # TODO: update to Artifact Registry docker repository
IMAGE: static-site
-permissions:
- contents: 'read'
- id-token: 'write'
-
jobs:
setup-build-publish-deploy:
name: Setup, Build, Publish, and Deploy
runs-on: ubuntu-latest
environment: production
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+
steps:
- name: Checkout
uses: actions/checkout@v2
@@ -43,18 +43,24 @@ jobs:
# Configure Workload Identity Federation and generate an access token.
- id: 'auth'
name: 'Authenticate to Google Cloud'
- uses: 'google-github-actions/auth@v0.4.0'
+ uses: 'google-github-actions/auth@v0'
with:
token_format: 'access_token'
workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
service_account: 'my-service-account@my-project.iam.gserviceaccount.com'
+ # Alternative option - authentication via credentials json
+ # - id: 'auth'
+ # uses: 'google-github-actions/auth@v0'
+ # with:
+ # credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
+
- name: Docker configuration
run: |-
echo ${{steps.auth.outputs.access_token}} | docker login -u oauth2accesstoken --password-stdin https://$GAR_LOCATION-docker.pkg.dev
# Get the GKE credentials so we can deploy to the cluster
- name: Set up GKE credentials
- uses: google-github-actions/get-gke-credentials@v0.4.0
+ uses: google-github-actions/get-gke-credentials@v0
with:
cluster_name: ${{ env.GKE_CLUSTER }}
location: ${{ env.GKE_ZONE }}
diff --git a/icons/rails.svg b/icons/rails.svg
new file mode 100644
index 0000000..5e1f8f8
--- /dev/null
+++ b/icons/rails.svg
@@ -0,0 +1 @@
+
diff --git a/icons/scorecards.svg b/icons/scorecards.svg
index 9db608c..9433c91 100644
--- a/icons/scorecards.svg
+++ b/icons/scorecards.svg
@@ -1,365 +1 @@
-
-
-
+
\ No newline at end of file