diff --git a/.github/workflows/labeler-triage.yml b/.github/workflows/labeler-triage.yml
index eba05f0..99fdbc5 100644
--- a/.github/workflows/labeler-triage.yml
+++ b/.github/workflows/labeler-triage.yml
@@ -11,6 +11,6 @@ jobs:
triage:
runs-on: ubuntu-latest
steps:
- - uses: actions/labeler@v3
+ - uses: actions/labeler@v4
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
\ No newline at end of file
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 217078a..c319ce1 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -13,7 +13,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/stale@v3
+ - uses: actions/stale@v5
with:
stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.'
stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.'
diff --git a/.github/workflows/sync_ghes.yaml b/.github/workflows/sync_ghes.yaml
index 946218f..fb9c623 100644
--- a/.github/workflows/sync_ghes.yaml
+++ b/.github/workflows/sync_ghes.yaml
@@ -11,12 +11,12 @@ jobs:
contents: write
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- run: |
git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/*
git config user.email "cschleiden@github.com"
git config user.name "GitHub Actions"
- - uses: actions/setup-node@v2
+ - uses: actions/setup-node@v3
with:
node-version: '12'
- name: Check starter workflows for GHES compat
diff --git a/.github/workflows/validate-data.yaml b/.github/workflows/validate-data.yaml
index 7d5c1ee..d2ac9a5 100644
--- a/.github/workflows/validate-data.yaml
+++ b/.github/workflows/validate-data.yaml
@@ -10,9 +10,9 @@ jobs:
contents: read
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- - uses: actions/setup-node@v2
+ - uses: actions/setup-node@v3
with:
node-version: "12"
diff --git a/automation/greetings.yml b/automation/greetings.yml
index ee1cb11..18ba13f 100644
--- a/automation/greetings.yml
+++ b/automation/greetings.yml
@@ -1,6 +1,6 @@
name: Greetings
-on: [pull_request, issues]
+on: [pull_request_target, issues]
jobs:
greeting:
diff --git a/automation/label.yml b/automation/label.yml
index 5cdc45e..a8a1bd7 100644
--- a/automation/label.yml
+++ b/automation/label.yml
@@ -17,6 +17,6 @@ jobs:
pull-requests: write
steps:
- - uses: actions/labeler@v2
+ - uses: actions/labeler@v4
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/automation/stale.yml b/automation/stale.yml
index ff88dc0..1322eaf 100644
--- a/automation/stale.yml
+++ b/automation/stale.yml
@@ -18,7 +18,7 @@ jobs:
pull-requests: write
steps:
- - uses: actions/stale@v3
+ - uses: actions/stale@v5
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'Stale issue message'
diff --git a/ci/ada.yml b/ci/ada.yml
index a27902a..7e94b38 100644
--- a/ci/ada.yml
+++ b/ci/ada.yml
@@ -13,7 +13,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Set up GNAT toolchain
run: >
diff --git a/ci/android.yml b/ci/android.yml
index f289bd5..221fca5 100644
--- a/ci/android.yml
+++ b/ci/android.yml
@@ -12,9 +12,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
diff --git a/ci/ant.yml b/ci/ant.yml
index 0205d40..1614664 100644
--- a/ci/ant.yml
+++ b/ci/ant.yml
@@ -15,9 +15,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
diff --git a/ci/blank.yml b/ci/blank.yml
index 895e5d1..607e2cf 100644
--- a/ci/blank.yml
+++ b/ci/blank.yml
@@ -23,7 +23,7 @@ jobs:
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
# Runs a single command using the runners shell
- name: Run a one-line script
diff --git a/ci/c-cpp.yml b/ci/c-cpp.yml
index 88d1497..14d2eb9 100644
--- a/ci/c-cpp.yml
+++ b/ci/c-cpp.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: configure
run: ./configure
- name: make
diff --git a/ci/clojure.yml b/ci/clojure.yml
index 098918a..a76631a 100644
--- a/ci/clojure.yml
+++ b/ci/clojure.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Install dependencies
run: lein deps
- name: Run tests
diff --git a/ci/cmake.yml b/ci/cmake.yml
index 6c858b9..6f06f75 100644
--- a/ci/cmake.yml
+++ b/ci/cmake.yml
@@ -18,7 +18,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Configure CMake
# Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make.
diff --git a/ci/crystal.yml b/ci/crystal.yml
index 6552afa..18cc825 100644
--- a/ci/crystal.yml
+++ b/ci/crystal.yml
@@ -15,7 +15,7 @@ jobs:
image: crystallang/crystal
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Install dependencies
run: shards install
- name: Run tests
diff --git a/ci/d.yml b/ci/d.yml
index 6086681..350eeee 100644
--- a/ci/d.yml
+++ b/ci/d.yml
@@ -10,13 +10,16 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- uses: dlang-community/setup-dlang@4c99aa991ce7d19dd3064de0a4f2f6b2f152e2d7
- name: 'Build & Test'
diff --git a/ci/dart.yml b/ci/dart.yml
index 7486577..7bf352f 100644
--- a/ci/dart.yml
+++ b/ci/dart.yml
@@ -16,7 +16,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
# Note: This workflow uses the latest stable version of the Dart SDK.
# You can specify other versions if desired, see documentation here:
diff --git a/ci/datadog-synthetics.yml b/ci/datadog-synthetics.yml
new file mode 100644
index 0000000..7056f87
--- /dev/null
+++ b/ci/datadog-synthetics.yml
@@ -0,0 +1,38 @@
+# This workflow will trigger Datadog Synthetic tests within your Datadog organisation
+# For more information on running Synthetic tests within your GitHub workflows see: https://docs.datadoghq.com/synthetics/cicd_integrations/github_actions/
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# To get started:
+
+# 1. Add your Datadog API (DD_API_KEY) and Application Key (DD_APP_KEY) as secrets to your GitHub repository. For more information, see: https://docs.datadoghq.com/account_management/api-app-keys/.
+# 2. Start using the action within your workflow
+
+name: Run Datadog Synthetic tests
+
+on:
+ push:
+ branches: [ $default-branch ]
+ pull_request:
+ branches: [ $default-branch ]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v2
+
+ # Run Synthetic tests within your GitHub workflow.
+ # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci
+ - name: Run Datadog Synthetic tests
+ uses: DataDog/synthetics-ci-github-action@2b56dc0cca9daa14ab69c0d1d6844296de8f941e
+ with:
+ api_key: ${{secrets.DD_API_KEY}}
+ app_key: ${{secrets.DD_APP_KEY}}
+ test_search_query: 'tag:e2e-tests' #Modify this tag to suit your tagging strategy
+
+
diff --git a/ci/deno.yml b/ci/deno.yml
index 25e9e2a..2234bf6 100644
--- a/ci/deno.yml
+++ b/ci/deno.yml
@@ -14,13 +14,16 @@ on:
pull_request:
branches: [$default-branch]
+permissions:
+ contents: read
+
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Setup repo
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Setup Deno
# uses: denoland/setup-deno@v1
diff --git a/ci/django.yml b/ci/django.yml
index dbde266..79550cc 100644
--- a/ci/django.yml
+++ b/ci/django.yml
@@ -16,9 +16,9 @@ jobs:
python-version: [3.7, 3.8, 3.9]
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: ${{ matrix.python-version }}
- name: Install Dependencies
diff --git a/ci/docker-image.yml b/ci/docker-image.yml
index 78532a3..cc9cd6e 100644
--- a/ci/docker-image.yml
+++ b/ci/docker-image.yml
@@ -13,6 +13,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Build the Docker image
run: docker build . --file Dockerfile --tag my-image-name:$(date +%s)
diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml
index 977635a..7b6add3 100644
--- a/ci/docker-publish.yml
+++ b/ci/docker-publish.yml
@@ -35,7 +35,7 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Install the cosign tool except on PR
# https://github.com/sigstore/cosign-installer
diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml
index 0635779..170b3f6 100644
--- a/ci/dotnet-desktop.yml
+++ b/ci/dotnet-desktop.yml
@@ -63,13 +63,13 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
with:
fetch-depth: 0
# Install the .NET Core workload
- name: Install .NET Core
- uses: actions/setup-dotnet@v1
+ uses: actions/setup-dotnet@v2
with:
dotnet-version: 5.0.x
@@ -109,7 +109,7 @@ jobs:
# Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact
- name: Upload build artifacts
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v3
with:
name: MSIX Package
path: ${{ env.Wap_Project_Directory }}\AppPackages
diff --git a/ci/dotnet.yml b/ci/dotnet.yml
index c31cf68..5974d4a 100644
--- a/ci/dotnet.yml
+++ b/ci/dotnet.yml
@@ -12,9 +12,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Setup .NET
- uses: actions/setup-dotnet@v1
+ uses: actions/setup-dotnet@v2
with:
dotnet-version: 5.0.x
- name: Restore dependencies
diff --git a/ci/elixir.yml b/ci/elixir.yml
index afe01be..6c76f54 100644
--- a/ci/elixir.yml
+++ b/ci/elixir.yml
@@ -1,31 +1,34 @@
-name: Elixir CI
-
-on:
- push:
- branches: [ $default-branch ]
- pull_request:
- branches: [ $default-branch ]
-
-jobs:
- build:
-
- name: Build and test
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v2
- - name: Set up Elixir
- uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f
- with:
- elixir-version: '1.12.3' # Define the elixir version [required]
- otp-version: '24.1' # Define the OTP version [required]
- - name: Restore dependencies cache
- uses: actions/cache@v2
- with:
- path: deps
- key: ${{ runner.os }}-mix-${{ hashFiles('**/mix.lock') }}
- restore-keys: ${{ runner.os }}-mix-
- - name: Install dependencies
- run: mix deps.get
- - name: Run tests
- run: mix test
+name: Elixir CI
+
+on:
+ push:
+ branches: [ $default-branch ]
+ pull_request:
+ branches: [ $default-branch ]
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+
+ name: Build and test
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+ - name: Set up Elixir
+ uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f
+ with:
+ elixir-version: '1.12.3' # Define the elixir version [required]
+ otp-version: '24.1' # Define the OTP version [required]
+ - name: Restore dependencies cache
+ uses: actions/cache@v3
+ with:
+ path: deps
+ key: ${{ runner.os }}-mix-${{ hashFiles('**/mix.lock') }}
+ restore-keys: ${{ runner.os }}-mix-
+ - name: Install dependencies
+ run: mix deps.get
+ - name: Run tests
+ run: mix test
diff --git a/ci/erlang.yml b/ci/erlang.yml
index 25cb893..984b83a 100644
--- a/ci/erlang.yml
+++ b/ci/erlang.yml
@@ -6,6 +6,9 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
@@ -16,7 +19,7 @@ jobs:
image: erlang:22.0.7
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Compile
run: rebar3 compile
- name: Run tests
diff --git a/ci/gem-push.yml b/ci/gem-push.yml
index 3dc62be..8905272 100644
--- a/ci/gem-push.yml
+++ b/ci/gem-push.yml
@@ -15,7 +15,7 @@ jobs:
packages: write
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Ruby 2.6
uses: actions/setup-ruby@v1
with:
diff --git a/ci/go.yml b/ci/go.yml
index afff652..6f498a6 100644
--- a/ci/go.yml
+++ b/ci/go.yml
@@ -11,10 +11,10 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Go
- uses: actions/setup-go@v2
+ uses: actions/setup-go@v3
with:
go-version: 1.17
diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml
index 9fdc851..9aeb2b8 100644
--- a/ci/gradle-publish.yml
+++ b/ci/gradle-publish.yml
@@ -20,9 +20,9 @@ jobs:
packages: write
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
@@ -30,14 +30,14 @@ jobs:
settings-path: ${{ github.workspace }} # location for the settings.xml file
- name: Build with Gradle
- uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7
+ uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
with:
arguments: build
# The USERNAME and TOKEN need to correspond to the credentials environment variables used in
# the publishing section of your build.gradle
- name: Publish to GitHub Packages
- uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7
+ uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
with:
arguments: publish
env:
diff --git a/ci/gradle.yml b/ci/gradle.yml
index fc8cf2f..4642c75 100644
--- a/ci/gradle.yml
+++ b/ci/gradle.yml
@@ -13,19 +13,22 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
- name: Build with Gradle
- uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7
+ uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
with:
arguments: build
diff --git a/ci/haskell.yml b/ci/haskell.yml
index c1d7dc7..5693f90 100644
--- a/ci/haskell.yml
+++ b/ci/haskell.yml
@@ -6,20 +6,23 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- uses: actions/setup-haskell@v1
with:
ghc-version: '8.10.3'
cabal-version: '3.2'
- name: Cache
- uses: actions/cache@v1
+ uses: actions/cache@v3
env:
cache-name: cache-cabal
with:
diff --git a/ci/ios.yml b/ci/ios.yml
index ab92d32..5cec5e7 100644
--- a/ci/ios.yml
+++ b/ci/ios.yml
@@ -13,7 +13,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Set Default Scheme
run: |
scheme_list=$(xcodebuild -list -json | tr -d "\n")
diff --git a/ci/jekyll.yml b/ci/jekyll.yml
index 71920c1..6a98dea 100644
--- a/ci/jekyll.yml
+++ b/ci/jekyll.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Build the site in the jekyll/builder container
run: |
docker run \
diff --git a/ci/laravel.yml b/ci/laravel.yml
index 5f4e6c9..e778d7b 100644
--- a/ci/laravel.yml
+++ b/ci/laravel.yml
@@ -15,7 +15,7 @@ jobs:
- uses: shivammathur/setup-php@15c43e89cdef867065b0213be354c2841860869e
with:
php-version: '8.0'
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Copy .env
run: php -r "file_exists('.env') || copy('.env.example', '.env');"
- name: Install Dependencies
diff --git a/ci/makefile.yml b/ci/makefile.yml
index eafe622..0156944 100644
--- a/ci/makefile.yml
+++ b/ci/makefile.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: configure
run: ./configure
diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml
index 319f9a1..dab69fe 100644
--- a/ci/maven-publish.yml
+++ b/ci/maven-publish.yml
@@ -16,9 +16,9 @@ jobs:
packages: write
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
diff --git a/ci/maven.yml b/ci/maven.yml
index f301fe0..65e0dff 100644
--- a/ci/maven.yml
+++ b/ci/maven.yml
@@ -15,9 +15,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
diff --git a/ci/msbuild.yml b/ci/msbuild.yml
index e650e2a..c50354e 100644
--- a/ci/msbuild.yml
+++ b/ci/msbuild.yml
@@ -15,12 +15,15 @@ env:
# https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
BUILD_CONFIGURATION: Release
+permissions:
+ contents: read
+
jobs:
build:
runs-on: windows-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Add MSBuild to PATH
uses: microsoft/setup-msbuild@v1.0.2
diff --git a/ci/node.js.yml b/ci/node.js.yml
index 8d1b9c7..87ef0d8 100644
--- a/ci/node.js.yml
+++ b/ci/node.js.yml
@@ -20,9 +20,9 @@ jobs:
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v2
+ uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
cache: 'npm'
diff --git a/ci/npm-grunt.yml b/ci/npm-grunt.yml
index 8c83cb6..eda97e1 100644
--- a/ci/npm-grunt.yml
+++ b/ci/npm-grunt.yml
@@ -15,10 +15,10 @@ jobs:
node-version: [12.x, 14.x, 16.x]
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v1
+ uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
diff --git a/ci/npm-gulp.yml b/ci/npm-gulp.yml
index cc5da13..504f22e 100644
--- a/ci/npm-gulp.yml
+++ b/ci/npm-gulp.yml
@@ -15,10 +15,10 @@ jobs:
node-version: [12.x, 14.x, 16.x]
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v1
+ uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
diff --git a/ci/npm-publish-github-packages.yml b/ci/npm-publish-github-packages.yml
index 09ff0b3..638ccf8 100644
--- a/ci/npm-publish-github-packages.yml
+++ b/ci/npm-publish-github-packages.yml
@@ -11,8 +11,8 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-node@v2
+ - uses: actions/checkout@v3
+ - uses: actions/setup-node@v3
with:
node-version: 16
- run: npm ci
@@ -25,8 +25,8 @@ jobs:
contents: read
packages: write
steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-node@v2
+ - uses: actions/checkout@v3
+ - uses: actions/setup-node@v3
with:
node-version: 16
registry-url: $registry-url(npm)
diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml
index ef8c690..c461c85 100644
--- a/ci/npm-publish.yml
+++ b/ci/npm-publish.yml
@@ -11,8 +11,8 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-node@v2
+ - uses: actions/checkout@v3
+ - uses: actions/setup-node@v3
with:
node-version: 16
- run: npm ci
@@ -22,8 +22,8 @@ jobs:
needs: build
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-node@v2
+ - uses: actions/checkout@v3
+ - uses: actions/setup-node@v3
with:
node-version: 16
registry-url: https://registry.npmjs.org/
diff --git a/ci/objective-c-xcode.yml b/ci/objective-c-xcode.yml
index db009b0..1373878 100644
--- a/ci/objective-c-xcode.yml
+++ b/ci/objective-c-xcode.yml
@@ -13,7 +13,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Set Default Scheme
run: |
scheme_list=$(xcodebuild -list -json | tr -d "\n")
diff --git a/ci/php.yml b/ci/php.yml
index 6acfdd1..a3bdfd7 100644
--- a/ci/php.yml
+++ b/ci/php.yml
@@ -6,20 +6,23 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Validate composer.json and composer.lock
run: composer validate --strict
- name: Cache Composer packages
id: composer-cache
- uses: actions/cache@v2
+ uses: actions/cache@v3
with:
path: vendor
key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }}
diff --git a/ci/properties/datadog-synthetics.properties.json b/ci/properties/datadog-synthetics.properties.json
new file mode 100644
index 0000000..edbb086
--- /dev/null
+++ b/ci/properties/datadog-synthetics.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Datadog Synthetics",
+ "description": "Run Datadog Synthetic tests within your GitHub Actions workflow",
+ "creator": "Datadog",
+ "iconName": "datadog",
+ "categories": ["Continuous integration", "JavaScript", "TypeScript", "Testing"]
+}
diff --git a/ci/pylint.yml b/ci/pylint.yml
index 7b555fe..383e65c 100644
--- a/ci/pylint.yml
+++ b/ci/pylint.yml
@@ -9,9 +9,9 @@ jobs:
matrix:
python-version: ["3.8", "3.9", "3.10"]
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: ${{ matrix.python-version }}
- name: Install dependencies
diff --git a/ci/python-app.yml b/ci/python-app.yml
index 2cfc2a3..4b7fa5f 100644
--- a/ci/python-app.yml
+++ b/ci/python-app.yml
@@ -9,15 +9,18 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python 3.10
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: "3.10"
- name: Install dependencies
diff --git a/ci/python-package-conda.yml b/ci/python-package-conda.yml
index 9bd6d2b..57940bd 100644
--- a/ci/python-package-conda.yml
+++ b/ci/python-package-conda.yml
@@ -9,9 +9,9 @@ jobs:
max-parallel: 5
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python 3.10
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: 3.10
- name: Add conda to system path
diff --git a/ci/python-package.yml b/ci/python-package.yml
index b0a63cf..583a366 100644
--- a/ci/python-package.yml
+++ b/ci/python-package.yml
@@ -19,9 +19,9 @@ jobs:
python-version: ["3.8", "3.9", "3.10"]
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: ${{ matrix.python-version }}
- name: Install dependencies
diff --git a/ci/python-publish.yml b/ci/python-publish.yml
index 3bfabfc..ec70354 100644
--- a/ci/python-publish.yml
+++ b/ci/python-publish.yml
@@ -12,15 +12,18 @@ on:
release:
types: [published]
+permissions:
+ contents: read
+
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: '3.x'
- name: Install dependencies
diff --git a/ci/r.yml b/ci/r.yml
index 305c2cf..68f02d7 100644
--- a/ci/r.yml
+++ b/ci/r.yml
@@ -14,6 +14,9 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: macos-latest
@@ -22,7 +25,7 @@ jobs:
r-version: ['3.6.3', '4.1.1']
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up R ${{ matrix.r-version }}
uses: r-lib/actions/setup-r@f57f1301a053485946083d7a45022b278929a78a
with:
diff --git a/ci/ruby.yml b/ci/ruby.yml
index f6ae1e3..256aa14 100644
--- a/ci/ruby.yml
+++ b/ci/ruby.yml
@@ -13,6 +13,9 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
test:
@@ -22,7 +25,7 @@ jobs:
ruby-version: ['2.6', '2.7', '3.0']
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Ruby
# To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
# change this to (see https://github.com/ruby/setup-ruby#versioning):
diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml
index b7b3624..2ad891f 100644
--- a/ci/rubyonrails.yml
+++ b/ci/rubyonrails.yml
@@ -27,7 +27,7 @@ jobs:
DATABASE_URL: "postgres://rails:password@localhost:5432/rails_test"
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Add or replace dependency steps here
- name: Install Ruby and gems
uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92
@@ -44,7 +44,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Install Ruby and gems
uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92
with:
diff --git a/ci/rust.yml b/ci/rust.yml
index 6c82c61..d51f1af 100644
--- a/ci/rust.yml
+++ b/ci/rust.yml
@@ -15,7 +15,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Build
run: cargo build --verbose
- name: Run tests
diff --git a/ci/scala.yml b/ci/scala.yml
index af6b2ed..c985f74 100644
--- a/ci/scala.yml
+++ b/ci/scala.yml
@@ -6,15 +6,18 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
diff --git a/ci/super-linter.yml b/ci/super-linter.yml
index bebd82d..275b34f 100644
--- a/ci/super-linter.yml
+++ b/ci/super-linter.yml
@@ -16,7 +16,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
with:
# Full git history is needed to get a proper list of changed files within `super-linter`
fetch-depth: 0
diff --git a/ci/swift.yml b/ci/swift.yml
index df062b5..3668fc0 100644
--- a/ci/swift.yml
+++ b/ci/swift.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: macos-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Build
run: swift build -v
- name: Run tests
diff --git a/ci/symfony.yml b/ci/symfony.yml
index 7d1ca74..d1ac71a 100644
--- a/ci/symfony.yml
+++ b/ci/symfony.yml
@@ -6,6 +6,9 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
symfony-tests:
runs-on: ubuntu-latest
@@ -16,12 +19,12 @@ jobs:
- uses: shivammathur/setup-php@2cb9b829437ee246e9b3cac53555a39208ca6d28
with:
php-version: '8.0'
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Copy .env.test.local
run: php -r "file_exists('.env.test.local') || copy('.env.test', '.env.test.local');"
- name: Cache Composer packages
id: composer-cache
- uses: actions/cache@v2
+ uses: actions/cache@v3
with:
path: vendor
key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }}
diff --git a/ci/webpack.yml b/ci/webpack.yml
index 8edb34f..6449fe7 100644
--- a/ci/webpack.yml
+++ b/ci/webpack.yml
@@ -15,10 +15,10 @@ jobs:
node-version: [12.x, 14.x, 16.x]
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v1
+ uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml
index fcca708..6f52d5d 100644
--- a/code-scanning/anchore.yml
+++ b/code-scanning/anchore.yml
@@ -31,7 +31,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout the code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Build the Docker image
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
- name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
@@ -40,6 +40,6 @@ jobs:
image: "localbuild/testimage:latest"
acs-report-enable: true
- name: Upload Anchore Scan Report
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml
index 4737d06..5a9b751 100644
--- a/code-scanning/apisec-scan.yml
+++ b/code-scanning/apisec-scan.yml
@@ -64,6 +64,6 @@ jobs:
# The name of the sarif format result file The file is written only if this property is provided.
sarif-result-file: "apisec-results.sarif"
- name: Import results
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ./apisec-results.sarif
diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml
index ae5215a..155208f 100644
--- a/code-scanning/brakeman.yml
+++ b/code-scanning/brakeman.yml
@@ -17,14 +17,20 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
brakeman-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Brakeman Scan
runs-on: ubuntu-latest
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Customize the ruby version depending on your needs
- name: Setup Ruby
@@ -46,6 +52,6 @@ jobs:
# Upload the SARIF file generated in the previous step
- name: Upload SARIF
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: output.sarif.json
diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml
index d012bce..297cae0 100644
--- a/code-scanning/checkmarx.yml
+++ b/code-scanning/checkmarx.yml
@@ -34,7 +34,7 @@ jobs:
# Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional)
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
# Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs
- name: Checkmarx CxFlow Action
uses: checkmarx-ts/checkmarx-cxflow-github-action@9975af7d6b957abec9ee9646effa3fb3b82c5314
@@ -49,6 +49,6 @@ jobs:
params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory
# Upload the Report for CodeQL/Security Alerts
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: cx.sarif
diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml
new file mode 100644
index 0000000..4150cbb
--- /dev/null
+++ b/code-scanning/clj-holmes.yml
@@ -0,0 +1,43 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: clj-holmes
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ clj-holmes:
+ name: Run clj-holmes scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Scan code
+ uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb
+ with:
+ rules-repository: 'git://org/private-rules-repo#main'
+ output-type: 'sarif'
+ output-file: 'clj-holmes-results.sarif'
+ fail-on-result: 'false'
+
+ - name: Upload analysis results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: ${{github.workspace}}/clj-holmes-results.sarif
+ ait-for-processing: true
\ No newline at end of file
diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml
index 00e270a..4a0cd73 100644
--- a/code-scanning/cloudrail.yml
+++ b/code-scanning/cloudrail.yml
@@ -24,7 +24,7 @@ jobs:
steps:
- name: Clone repo
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# For Terraform, Cloudrail requires the plan as input. So we generate it using
# the Terraform core binary.
@@ -50,7 +50,7 @@ jobs:
cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
# Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always()
# is needed to ensure the SARIF file is uploaded
if: always()
diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml
index 4892930..b74e449 100644
--- a/code-scanning/codacy.yml
+++ b/code-scanning/codacy.yml
@@ -35,7 +35,7 @@ jobs:
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
- name: Run Codacy Analysis CLI
@@ -55,6 +55,6 @@ jobs:
# Upload the SARIF file generated in the previous step
- name: Upload SARIF results file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml
index 57b4b69..37109ab 100644
--- a/code-scanning/codeql.yml
+++ b/code-scanning/codeql.yml
@@ -38,11 +38,11 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
- uses: github/codeql-action/init@v1
+ uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
@@ -53,7 +53,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
- uses: github/codeql-action/autobuild@v1
+ uses: github/codeql-action/autobuild@v2
# âšī¸ Command-line programs to run using the OS shell.
# đ https://git.io/JvXDl
@@ -67,4 +67,4 @@ jobs:
# make release
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v1
+ uses: github/codeql-action/analyze@v2
diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml
index 5886843..92707b1 100644
--- a/code-scanning/codescan.yml
+++ b/code-scanning/codescan.yml
@@ -17,14 +17,20 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
CodeScan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Cache files
- uses: actions/cache@v2
+ uses: actions/cache@v3
with:
path: |
~/.sonar
@@ -37,6 +43,6 @@ jobs:
organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }}
projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }}
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: codescan.sarif
diff --git a/code-scanning/crunch42.yml b/code-scanning/crunch42.yml
index e8e2447..07cd73a 100644
--- a/code-scanning/crunch42.yml
+++ b/code-scanning/crunch42.yml
@@ -43,7 +43,7 @@ jobs:
security-events: write # for 42Crunch/api-security-audit-action to upload results to Github Code Scanning
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: 42Crunch REST API Static Security Testing
uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1
diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml
new file mode 100644
index 0000000..0e72a00
--- /dev/null
+++ b/code-scanning/dependency-review.yml
@@ -0,0 +1,20 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Reqest, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout Repository'
+ uses: actions/checkout@v3
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@v1
diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml
index a8610c3..0c65813 100644
--- a/code-scanning/detekt.yml
+++ b/code-scanning/detekt.yml
@@ -45,7 +45,7 @@ jobs:
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
# Gets the download URL associated with the $DETEKT_RELEASE_TAG
- name: Get Detekt download URL
@@ -111,7 +111,7 @@ jobs:
)" > ${{ github.workspace }}/detekt.sarif.json
# Uploads results to GitHub repository using the upload-sarif action
- - uses: github/codeql-action/upload-sarif@v1
+ - uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: ${{ github.workspace }}/detekt.sarif.json
diff --git a/code-scanning/devskim.yml b/code-scanning/devskim.yml
index 3a5c45f..bf11261 100644
--- a/code-scanning/devskim.yml
+++ b/code-scanning/devskim.yml
@@ -23,12 +23,12 @@ jobs:
security-events: write
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Run DevSkim scanner
uses: microsoft/DevSkim-Action@v1
- name: Upload DevSkim scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: devskim-results.sarif
diff --git a/code-scanning/flawfinder.yml b/code-scanning/flawfinder.yml
index 080953e..4ed8792 100644
--- a/code-scanning/flawfinder.yml
+++ b/code-scanning/flawfinder.yml
@@ -24,7 +24,7 @@ jobs:
security-events: write
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: flawfinder_scan
uses: david-a-wheeler/flawfinder@8e4a779ad59dbfaee5da586aa9210853b701959c
@@ -33,6 +33,6 @@ jobs:
output: 'flawfinder_results.sarif'
- name: Upload analysis results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{github.workspace}}/flawfinder_results.sarif
\ No newline at end of file
diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml
index d67d194..5e7c422 100644
--- a/code-scanning/fortify.yml
+++ b/code-scanning/fortify.yml
@@ -39,14 +39,15 @@ jobs:
steps:
# Check out source code
- name: Check Out Source Code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Java is required to run the various Fortify utilities.
# When scanning a Java application, please use the appropriate Java version for building your application.
- name: Setup Java
- uses: actions/setup-java@v1
+ uses: actions/setup-java@v3
with:
- java-version: 1.8
+ java-version: 8
+ distribution: 'temurin'
# Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml.
# TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints:
@@ -92,6 +93,6 @@ jobs:
# Import Fortify on Demand results to GitHub Security Code Scanning
- name: Import Results
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ./gh-fortify-sast.sarif
diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml
index 1cad70c..c432673 100644
--- a/code-scanning/kubesec.yml
+++ b/code-scanning/kubesec.yml
@@ -24,7 +24,7 @@ jobs:
security-events: write
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Run kubesec scanner
uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14
@@ -36,6 +36,6 @@ jobs:
exit-code: "0"
- name: Upload Kubesec scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: kubesec-results.sarif
\ No newline at end of file
diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml
index 59d66a0..64fe71a 100644
--- a/code-scanning/mayhem-for-api.yml
+++ b/code-scanning/mayhem-for-api.yml
@@ -42,7 +42,7 @@ jobs:
contents: read
security-events: write
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
# Run your API in the background. Ideally, the API would run in debug
# mode & send stacktraces back on "500 Internal Server Error" responses
@@ -61,6 +61,6 @@ jobs:
sarif-report: mapi.sarif
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: mapi.sarif
diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml
index d8eaa92..6d2bfb8 100644
--- a/code-scanning/mobsf.yml
+++ b/code-scanning/mobsf.yml
@@ -24,10 +24,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Setup python
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: 3.8
@@ -37,6 +37,6 @@ jobs:
args: . --sarif --output results.sarif || true
- name: Upload mobsfscan report
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml
index 1503319..863fbcb 100644
--- a/code-scanning/msvc.yml
+++ b/code-scanning/msvc.yml
@@ -20,14 +20,20 @@ env:
# Path to the CMake build directory.
build: '${{ github.workspace }}/build'
+permissions:
+ contents: read
+
jobs:
analyze:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Analyze
runs-on: windows-latest
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Configure CMake
run: cmake -B ${{ env.build }}
@@ -47,13 +53,13 @@ jobs:
# Upload SARIF file to GitHub Code Scanning Alerts
- name: Upload SARIF to GitHub
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.run-analysis.outputs.sarif }}
# Upload SARIF file as an Artifact to download and view
# - name: Upload SARIF as an Artifact
- # uses: actions/upload-artifact@v2
+ # uses: actions/upload-artifact@v3
# with:
# name: sarif-file
# path: ${{ steps.run-analysis.outputs.sarif }}
diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml
index a6da087..8c359b8 100644
--- a/code-scanning/njsscan.yml
+++ b/code-scanning/njsscan.yml
@@ -29,13 +29,13 @@ jobs:
name: njsscan code scanning
steps:
- name: Checkout the code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: nodejsscan scan
id: njsscan
uses: ajinabraham/njsscan-action@7237412fdd36af517e2745077cedbf9d6900d711
with:
args: '. --sarif --output results.sarif || true'
- name: Upload njsscan report
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
diff --git a/code-scanning/nowsecure.yml b/code-scanning/nowsecure.yml
index 92126bd..7b5ba8f 100644
--- a/code-scanning/nowsecure.yml
+++ b/code-scanning/nowsecure.yml
@@ -34,7 +34,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Build your application
run: ./gradlew assembleDebug # Update this to build your Android or iOS application
@@ -47,6 +47,6 @@ jobs:
group_id: {{ groupId }} # Update this to your desired Platform group ID
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: NowSecure.sarif
diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml
index b5aefa4..cbef5a2 100644
--- a/code-scanning/ossar.yml
+++ b/code-scanning/ossar.yml
@@ -17,15 +17,21 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
OSSAR-Scan:
# OSSAR runs on windows-latest.
# ubuntu-latest and macos-latest support coming soon
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: windows-latest
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Ensure a compatible version of dotnet is installed.
# The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201.
@@ -33,7 +39,7 @@ jobs:
# GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped.
# For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action:
# - name: Install .NET
- # uses: actions/setup-dotnet@v1
+ # uses: actions/setup-dotnet@v2
# with:
# dotnet-version: '3.1.x'
@@ -44,6 +50,6 @@ jobs:
# Upload results to the Security tab
- name: Upload OSSAR results
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.ossar.outputs.sarifFile }}
diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml
index 0604734..0bc512c 100644
--- a/code-scanning/pmd.yml
+++ b/code-scanning/pmd.yml
@@ -17,9 +17,9 @@ jobs:
pmd-code-scan:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
@@ -31,6 +31,6 @@ jobs:
sourcePath: 'src/main/java'
analyzeModifiedFilesOnly: false
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: pmd-report.sarif
diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml
index dfbf452..1d72a9b 100644
--- a/code-scanning/powershell.yml
+++ b/code-scanning/powershell.yml
@@ -17,12 +17,18 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
build:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: PSScriptAnalyzer
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Run PSScriptAnalyzer
uses: microsoft/psscriptanalyzer-action@2044ae068e37d0161fa2127de04c19633882f061
@@ -37,6 +43,6 @@ jobs:
# Upload the SARIF file generated in the previous step
- name: Upload SARIF results file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml
index 5b11482..6f2031b 100644
--- a/code-scanning/prisma.yml
+++ b/code-scanning/prisma.yml
@@ -33,7 +33,7 @@ jobs:
name: Run Prisma Cloud IaC Scan to check
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- id: iac-scan
name: Run Scan on CFT files in the repository
uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3
@@ -48,7 +48,7 @@ jobs:
# The service need to know the type of IaC being scanned
template_type: 'CFT'
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
# Results are generated only on a success or failure
# this is required since GitHub by default won't run the next step
# when the previous one has failed.
diff --git a/code-scanning/properties/clj-holmes.properties.json b/code-scanning/properties/clj-holmes.properties.json
new file mode 100644
index 0000000..71f29c0
--- /dev/null
+++ b/code-scanning/properties/clj-holmes.properties.json
@@ -0,0 +1,10 @@
+{
+ "name": "clj-holmes",
+ "creator": "Matheus Bernardes",
+ "description": "A Static Application Security Testing tool to find vulnerable Clojure code via rules that use a simple pattern language.",
+ "iconName": "clj-holmes",
+ "categories": [
+ "Code Scanning",
+ "clojure"
+ ]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json
new file mode 100644
index 0000000..e84278c
--- /dev/null
+++ b/code-scanning/properties/dependency-review.properties.json
@@ -0,0 +1,16 @@
+{
+ "name": "Dependency Review",
+ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository",
+ "iconName": "octicon mark-github",
+ "categories": [
+ "Dependency review",
+ "Dependency graph",
+ "Go",
+ "Java",
+ "JavaScript",
+ "TypeScript",
+ "Python",
+ "Ruby",
+ "Actions",
+ "PHP"]
+}
diff --git a/code-scanning/properties/rust-clippy.properties.json b/code-scanning/properties/rust-clippy.properties.json
new file mode 100644
index 0000000..ea5c871
--- /dev/null
+++ b/code-scanning/properties/rust-clippy.properties.json
@@ -0,0 +1,10 @@
+{
+ "name": "rust-clippy",
+ "creator": "Rust",
+ "description": "A collection of lints to catch common mistakes and improve your Rust code.",
+ "iconName": "rust",
+ "categories": [
+ "Code Scanning",
+ "rust"
+ ]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/shiftleft.properties.json b/code-scanning/properties/shiftleft.properties.json
deleted file mode 100644
index 1cb36c9..0000000
--- a/code-scanning/properties/shiftleft.properties.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "name": "Scan",
- "creator": "ShiftLeft",
- "description": "Scan is a free open-source security tool for modern DevOps teams from ShiftLeft.",
- "iconName": "shiftleft",
- "categories": ["Code Scanning"]
-}
\ No newline at end of file
diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml
index 373d5b6..ed458b2 100644
--- a/code-scanning/rubocop.yml
+++ b/code-scanning/rubocop.yml
@@ -23,7 +23,7 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# If running on a self-hosted runner, check it meets the requirements
# listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
@@ -47,6 +47,6 @@ jobs:
"
- name: Upload Sarif output
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: rubocop.sarif
diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml
new file mode 100644
index 0000000..e9c426a
--- /dev/null
+++ b/code-scanning/rust-clippy.yml
@@ -0,0 +1,54 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# rust-clippy is a tool that runs a bunch of lints to catch common
+# mistakes in your Rust code and help improve your Rust code.
+# More details at https://github.com/rust-lang/rust-clippy
+# and https://rust-lang.github.io/rust-clippy/
+
+name: rust-clippy analyze
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ rust-clippy-analyze:
+ name: Run rust-clippy analyzing
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Install Rust toolchain
+ uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af #@v1
+ with:
+ profile: minimal
+ toolchain: stable
+ components: clippy
+ override: true
+
+ - name: Install required cargo
+ run: cargo install clippy-sarif sarif-fmt
+
+ - name: Run rust-clippy
+ run:
+ cargo clippy
+ --all-features
+ --message-format=json | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt
+ continue-on-error: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: rust-clippy-results.sarif
+ wait-for-processing: true
\ No newline at end of file
diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml
index d63b462..a6bde3a 100644
--- a/code-scanning/scorecards.yml
+++ b/code-scanning/scorecards.yml
@@ -22,7 +22,7 @@ jobs:
steps:
- name: "Checkout code"
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+ uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0
with:
persist-credentials: false
@@ -42,7 +42,7 @@ jobs:
# Upload the results as artifacts (optional).
- name: "Upload artifact"
- uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
+ uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
with:
name: SARIF file
path: results.sarif
diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml
index 3063c7a..b6ee5ad 100644
--- a/code-scanning/securitycodescan.yml
+++ b/code-scanning/securitycodescan.yml
@@ -21,7 +21,7 @@ jobs:
SCS:
runs-on: windows-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- uses: nuget/setup-nuget@04b0c2b8d1b97922f67eca497d7cf0bf17b8ffe1
- uses: microsoft/setup-msbuild@v1.0.2
@@ -38,4 +38,4 @@ jobs:
uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687
- name: Upload sarif
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml
index f99d441..fae9885 100644
--- a/code-scanning/semgrep.yml
+++ b/code-scanning/semgrep.yml
@@ -31,7 +31,7 @@ jobs:
runs-on: ubuntu-latest
steps:
# Checkout project source
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
# Scan code using project's configuration on https://semgrep.dev/manage
- uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735
@@ -42,7 +42,7 @@ jobs:
# Upload SARIF file generated in previous step
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: semgrep.sarif
if: always()
diff --git a/code-scanning/shiftleft.yml b/code-scanning/shiftleft.yml
deleted file mode 100644
index 48b86d3..0000000
--- a/code-scanning/shiftleft.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-# This workflow integrates Scan with GitHub's code scanning feature
-# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft
-# Visit https://slscan.io/en/latest/integrations/code-scan for help
-name: SL Scan
-
-on:
- push:
- branches: [ $default-branch, $protected-branches ]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: [ $default-branch ]
- schedule:
- - cron: $cron-weekly
-
-jobs:
- Scan-Build:
- # Scan runs on ubuntu, mac and windows
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- # Instructions
- # 1. Setup JDK, Node.js, Python etc depending on your project type
- # 2. Compile or build the project before invoking scan
- # Example: mvn compile, or npm install or pip install goes here
- # 3. Invoke Scan with the github token. Leave the workspace empty to use relative url
-
- - name: Perform Scan
- uses: ShiftLeftSecurity/scan-action@39af9e54bc599c8077e710291d790175c9231f64
- env:
- WORKSPACE: ""
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- SCAN_AUTO_BUILD: true
- with:
- output: reports
- # Scan auto-detects the languages in your project. To override uncomment the below variable and set the type
- # type: credscan,java
- # type: python
-
- - name: Upload report
- uses: github/codeql-action/upload-sarif@v1
- with:
- sarif_file: reports
diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml
index 8ff2c9a..0fbbf87 100644
--- a/code-scanning/snyk-container.yml
+++ b/code-scanning/snyk-container.yml
@@ -22,11 +22,17 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
snyk:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Build a Docker image
run: docker build -t your/image-to-test .
- name: Run Snyk to check Docker image for vulnerabilities
@@ -43,6 +49,6 @@ jobs:
image: your/image-to-test
args: --file=Dockerfile
- name: Upload result to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif
diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml
index b79bf34..a685323 100644
--- a/code-scanning/snyk-infrastructure.yml
+++ b/code-scanning/snyk-infrastructure.yml
@@ -21,11 +21,17 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
snyk:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Run Snyk to check configuration files for security issues
# Snyk can be used to break the build when it detects security issues.
# In this case we want to upload the issues to GitHub Code Scanning
@@ -42,6 +48,6 @@ jobs:
# or `main.tf` for a Terraform configuration file
file: your-file-to-test.yaml
- name: Upload result to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif
diff --git a/code-scanning/stackhawk.yml b/code-scanning/stackhawk.yml
index af220c0..64e9b9b 100644
--- a/code-scanning/stackhawk.yml
+++ b/code-scanning/stackhawk.yml
@@ -49,7 +49,7 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Start your service
run: ./your-service.sh & # âī¸ Update this to run your own service to be scanned
diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml
index 0c1ff16..c32334c 100644
--- a/code-scanning/synopsys-io.yml
+++ b/code-scanning/synopsys-io.yml
@@ -25,7 +25,7 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Synopsys Intelligent Security Scan
id: prescription
@@ -71,7 +71,7 @@ jobs:
- name: Upload SARIF file
if: ${{steps.prescription.outputs.sastScan == 'true' }}
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: workflowengine-results.sarif.json
diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml
index f9b29fc..f075a80 100644
--- a/code-scanning/sysdig-scan.yml
+++ b/code-scanning/sysdig-scan.yml
@@ -27,7 +27,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Build the Docker image
# Tag image to be built
@@ -54,7 +54,7 @@ jobs:
# Sysdig inline scanner requires privileged rights
run-as-user: root
- - uses: github/codeql-action/upload-sarif@v1
+ - uses: github/codeql-action/upload-sarif@v2
#Upload SARIF file
if: always()
with:
diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml
index 479f713..6536fbe 100644
--- a/code-scanning/tfsec.yml
+++ b/code-scanning/tfsec.yml
@@ -24,7 +24,7 @@ jobs:
steps:
- name: Clone repo
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Run tfsec
uses: tfsec/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f
@@ -32,7 +32,7 @@ jobs:
sarif_file: tfsec.sarif
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: tfsec.sarif
diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml
index 3d5373f..06b5cae 100644
--- a/code-scanning/trivy.yml
+++ b/code-scanning/trivy.yml
@@ -26,7 +26,7 @@ jobs:
runs-on: "ubuntu-18.04"
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Build an image from Dockerfile
run: |
@@ -42,6 +42,6 @@ jobs:
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml
index 073d1b6..b8a5b37 100644
--- a/code-scanning/veracode.yml
+++ b/code-scanning/veracode.yml
@@ -31,7 +31,7 @@ jobs:
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. Replace this section with your applications build steps
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
with:
repository: ''
@@ -41,9 +41,10 @@ jobs:
- run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
- run: unzip -o pipeline-scan-LATEST.zip
- - uses: actions/setup-java@v1
+ - uses: actions/setup-java@v3
with:
- java-version: 1.8
+ java-version: 8
+ distribution: 'temurin'
- run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-scan-target.zip
continue-on-error: true
- name: Convert pipeline scan output to SARIF format
@@ -51,7 +52,7 @@ jobs:
uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be
with:
pipeline-results-json: results.json
- - uses: github/codeql-action/upload-sarif@v1
+ - uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: veracode-results.sarif
diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml
index 3bfb9ed..3462eaa 100644
--- a/code-scanning/xanitizer.yml
+++ b/code-scanning/xanitizer.yml
@@ -42,22 +42,29 @@ on:
- cron: $cron-weekly
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
xanitizer-security-analysis:
# Xanitizer runs on ubuntu-latest and windows-latest.
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
# Check out the repository
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Set up the correct Java version for your project
# Please comment out, if your project does not contain Java source code.
- name: Set up JDK 11
- uses: actions/setup-java@v1
+ uses: actions/setup-java@v3
with:
java-version: 11
+ distribution: 'temurin'
# Compile the code for Java projects and get all libraries, e.g. via Maven
# Please adapt, if your project uses another build system to compile Java source code.
@@ -79,7 +86,7 @@ jobs:
license: ${{ secrets.XANITIZER_LICENSE }}
# Archiving the findings list reports
- - uses: actions/upload-artifact@v2
+ - uses: actions/upload-artifact@v3
with:
name: Xanitizer-Reports
path: |
@@ -87,6 +94,6 @@ jobs:
*-Findings-List.sarif
# Uploads the findings into the GitHub code scanning alert section using the upload-sarif action
- - uses: github/codeql-action/upload-sarif@v1
+ - uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: Xanitizer-Findings-List.sarif
diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml
index ded9178..d7c27d9 100644
--- a/deployments/alibabacloud.yml
+++ b/deployments/alibabacloud.yml
@@ -40,6 +40,9 @@ env:
ACR_EE_IMAGE: repo
ACR_EE_TAG: ${{ github.sha }}
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
@@ -47,7 +50,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# 1.1 Login to ACR
- name: Login to ACR with the AccessKey pair
@@ -74,7 +77,7 @@ jobs:
tag: "${{ env.TAG }}"
# 2.1 (Optional) Login to ACR EE
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Login to ACR EE with the AccessKey pair
uses: aliyun/acr-login@v1
with:
diff --git a/deployments/aws.yml b/deployments/aws.yml
index dab851f..fe5e076 100644
--- a/deployments/aws.yml
+++ b/deployments/aws.yml
@@ -49,7 +49,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml
index 57fe362..c882bde 100644
--- a/deployments/azure-container-webapp.yml
+++ b/deployments/azure-container-webapp.yml
@@ -40,7 +40,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml
new file mode 100644
index 0000000..948e7db
--- /dev/null
+++ b/deployments/azure-kubernetes-service-helm.yml
@@ -0,0 +1,122 @@
+# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
+#
+# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
+# For instructions see:
+# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
+# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
+# - https://github.com/Azure/aks-create-action
+#
+# To configure this workflow:
+#
+# 1. Set the following secrets in your repository (instructions for getting these
+# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
+# - AZURE_CLIENT_ID
+# - AZURE_TENANT_ID
+# - AZURE_SUBSCRIPTION_ID
+#
+# 2. Set the following environment variables (or replace the values below):
+# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - RESOURCE_GROUP (where your cluster is deployed)
+# - CLUSTER_NAME (name of your AKS cluster)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
+# - SECRET_NAME (name of the secret associated with pulling your ACR image)
+#
+# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Helm.
+# Set your helmChart, overrideFiles, overrides, and helm-version to suit your configuration.
+# - CHART_PATH (path to your helm chart)
+# - CHART_OVERRIDE_PATH (path to your helm chart with override values)
+#
+# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
+# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
+# For more options with the actions used below please refer to https://github.com/Azure/login
+
+name: Build and deploy an app to AKS with Helm
+
+on:
+ push:
+ branches:
+ - $default-branch
+ workflow_dispatch:
+
+env:
+ AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
+ CONTAINER_NAME: "your-container-name"
+ RESOURCE_GROUP: "your-resource-group"
+ CLUSTER_NAME: "your-cluster-name"
+ IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
+ CHART_PATH: "your-chart-path"
+ CHART_OVERRIDE_PATH: "your-chart-override-path"
+
+jobs:
+ build:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+
+ runs-on: ubuntu-latest
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Builds and pushes an image up to your Azure Container Registry
+ - name: Build and push image to ACR
+ run: |
+ az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v2.0
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+
+ # Retrieves the credentials for pulling images from your Azure Container Registry
+ - name: Get ACR credentials
+ run: |
+ az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
+ ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
+ ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
+ echo "::set-output name=username::${ACR_USERNAME}"
+ echo "::set-output name=password::${ACR_PASSWORD}"
+ id: get-acr-creds
+
+ # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
+ - name: Create K8s secret for pulling image from ACR
+ uses: Azure/k8s-create-secret@v1.1
+ with:
+ container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
+ container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
+ container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
+ secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+
+ # Runs Helm to create manifest files
+ - name: Bake deployment
+ uses: azure/k8s-bake@v2.1
+ with:
+ renderEngine: 'helm'
+ helmChart: ${{ env.CHART_PATH }}
+ overrideFiles: ${{ env.CHART_OVERRIDE_PATH }}
+ overrides: |
+ replicas:2
+ helm-version: 'latest'
+ id: bake
+
+ # Deploys application based on manifest files from previous step
+ - name: Deploy application
+ uses: Azure/k8s-deploy@v3.0
+ with:
+ action: deploy
+ manifests: ${{ steps.bake.outputs.manifestsBundle }}
+ images: |
+ ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
+ imagepullsecrets: |
+ ${{ env.IMAGE_PULL_SECRET_NAME }}
diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml
new file mode 100644
index 0000000..7c25319
--- /dev/null
+++ b/deployments/azure-kubernetes-service-kompose.yml
@@ -0,0 +1,111 @@
+# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
+#
+# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
+# For instructions see:
+# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
+# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
+# - https://github.com/Azure/aks-create-action
+#
+# To configure this workflow:
+#
+# 1. Set the following secrets in your repository (instructions for getting these
+# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
+# - AZURE_CLIENT_ID
+# - AZURE_TENANT_ID
+# - AZURE_SUBSCRIPTION_ID
+#
+# 2. Set the following environment variables (or replace the values below):
+# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - RESOURCE_GROUP (where your cluster is deployed)
+# - CLUSTER_NAME (name of your AKS cluster)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
+# - SECRET_NAME (name of the secret associated with pulling your ACR image)
+#
+# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kompose.
+# Set your dockerComposeFile and kompose-version to suit your configuration.
+# - DOCKER_COMPOSE_FILE_PATH (the path where your Kompose deployment manifest is located)
+#
+# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
+# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
+# For more options with the actions used below please refer to https://github.com/Azure/login
+
+name: Build and deploy an app to AKS with Kompose
+
+env:
+ AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
+ CONTAINER_NAME: "your-container-name"
+ RESOURCE_GROUP: "your-resource-group"
+ CLUSTER_NAME: "your-cluster-name"
+ IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
+ DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path"
+
+jobs:
+ build:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+
+ runs-on: ubuntu-latest
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Builds and pushes an image up to your Azure Container Registry
+ - name: Build and push image to ACR
+ run: |
+ az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v2.0
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+
+ # Retrieves the credentials for pulling images from your Azure Container Registry
+ - name: Get ACR credentials
+ run: |
+ az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
+ ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
+ ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
+ echo "::set-output name=username::${ACR_USERNAME}"
+ echo "::set-output name=password::${ACR_PASSWORD}"
+ id: get-acr-creds
+
+ # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
+ - name: Create K8s secret for pulling image from ACR
+ uses: Azure/k8s-create-secret@v1.1
+ with:
+ container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
+ container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
+ container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
+ secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+
+ # Runs Kompose to create manifest files
+ - name: Bake deployment
+ uses: azure/k8s-bake@v2.1
+ with:
+ renderEngine: 'kompose'
+ dockerComposeFile: ${{ env.DOCKER_COMPOSE_FILE_PATH }}
+ kompose-version: 'latest'
+ id: bake
+
+ # Deploys application based on manifest files from previous step
+ - name: Deploy application
+ uses: Azure/k8s-deploy@v3.0
+ with:
+ action: deploy
+ manifests: ${{ steps.bake.outputs.manifestsBundle }}
+ images: |
+ ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
+ imagepullsecrets: |
+ ${{ env.IMAGE_PULL_SECRET_NAME }}
diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml
new file mode 100644
index 0000000..f6928d0
--- /dev/null
+++ b/deployments/azure-kubernetes-service-kustomize.yml
@@ -0,0 +1,117 @@
+# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
+#
+# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
+# For instructions see:
+# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
+# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
+# - https://github.com/Azure/aks-create-action
+#
+# To configure this workflow:
+#
+# 1. Set the following secrets in your repository (instructions for getting these
+# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
+# - AZURE_CLIENT_ID
+# - AZURE_TENANT_ID
+# - AZURE_SUBSCRIPTION_ID
+#
+# 2. Set the following environment variables (or replace the values below):
+# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - RESOURCE_GROUP (where your cluster is deployed)
+# - CLUSTER_NAME (name of your AKS cluster)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
+# - SECRET_NAME (name of the secret associated with pulling your ACR image)
+#
+# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kustomize.
+# Set your kustomizationPath and kubectl-version to suit your configuration.
+# - KUSTOMIZE_PATH (the path where your Kustomize manifests are located)
+#
+# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
+# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
+# For more options with the actions used below please refer to https://github.com/Azure/login
+
+name: Build and deploy an app to AKS with Kustomize
+
+on:
+ push:
+ branches:
+ - $default-branch
+ workflow_dispatch:
+
+env:
+ AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
+ CONTAINER_NAME: "your-container-name"
+ RESOURCE_GROUP: "your-resource-group"
+ CLUSTER_NAME: "your-cluster-name"
+ IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
+ KUSTOMIZE_PATH: "your-kustomize-path"
+
+jobs:
+ build:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+
+ runs-on: ubuntu-latest
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Builds and pushes an image up to your Azure Container Registry
+ - name: Build and push image to ACR
+ run: |
+ az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v2.0
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+
+ # Retrieves the credentials for pulling images from your Azure Container Registry
+ - name: Get ACR credentials
+ run: |
+ az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
+ ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
+ ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
+ echo "::set-output name=username::${ACR_USERNAME}"
+ echo "::set-output name=password::${ACR_PASSWORD}"
+ id: get-acr-creds
+
+ # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
+ - name: Create K8s secret for pulling image from ACR
+ uses: Azure/k8s-create-secret@v1.1
+ with:
+ container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
+ container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
+ container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
+ secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+
+ # Runs Kustomize to create manifest files
+ - name: Bake deployment
+ uses: azure/k8s-bake@v2.1
+ with:
+ renderEngine: 'kustomize'
+ kustomizationPath: ${{ env.KUSTOMIZE_PATH }}
+ kubectl-version: latest
+ id: bake
+
+ # Deploys application based on manifest files from previous step
+ - name: Deploy application
+ uses: Azure/k8s-deploy@v3.0
+ with:
+ action: deploy
+ manifests: ${{ steps.bake.outputs.manifestsBundle }}
+ images: |
+ ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
+ imagepullsecrets: |
+ ${{ env.IMAGE_PULL_SECRET_NAME }}
diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml
index 08988ff..bb513d4 100644
--- a/deployments/azure-kubernetes-service.yml
+++ b/deployments/azure-kubernetes-service.yml
@@ -1,80 +1,105 @@
# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
#
# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
-# For instructions see https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
-# https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
-# https://github.com/Azure/aks-create-action
+# For instructions see:
+# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
+# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
+# - https://github.com/Azure/aks-create-action
#
# To configure this workflow:
#
-# 1. Set the following secrets in your repository:
-# - AZURE_CREDENTIALS (instructions for getting this https://github.com/Azure/login#configure-a-service-principal-with-a-secret)
+# 1. Set the following secrets in your repository (instructions for getting these
+# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
+# - AZURE_CLIENT_ID
+# - AZURE_TENANT_ID
+# - AZURE_SUBSCRIPTION_ID
#
# 2. Set the following environment variables (or replace the values below):
-# - AZURE_CONTAINER_REGISTRY (name of your container registry)
-# - PROJECT_NAME
+# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
# - RESOURCE_GROUP (where your cluster is deployed)
# - CLUSTER_NAME (name of your AKS cluster)
-#
-# 3. Choose the approrpiate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes helm, then set
-# any needed environment variables such as:
-# - CHART_PATH
-# - CHART_OVERRIDE_PATH
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
+# - SECRET_NAME (name of the secret associated with pulling your ACR image)
+# - DEPLOYMENT_MANIFEST_PATH (path to the manifest yaml for your deployment)
#
# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
-# For more options with the actions used below please see the folllowing
-# https://github.com/Azure/login
-# https://github.com/Azure/aks-set-context
-# https://github.com/marketplace/actions/azure-cli-action
-# https://github.com/Azure/k8s-bake
-# https://github.com/Azure/k8s-deploy
+# For more options with the actions used below please refer to https://github.com/Azure/login
-on: [push]
+name: Build and deploy an app to AKS
+
+on:
+ push:
+ branches:
+ - $default-branch
+ workflow_dispatch:
+
+env:
+ AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
+ CONTAINER_NAME: "your-container-name"
+ RESOURCE_GROUP: "your-resource-group"
+ CLUSTER_NAME: "your-cluster-name"
+ IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
+ DEPLOYMENT_MANIFEST_PATH: 'your-deployment-manifest-path'
jobs:
build:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@master
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
- - name: Azure Login
- uses: azure/login@v1
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
with:
- creds: ${{ secrets.AZURE_CREDENTIALS }}
-
- - name: Build image on ACR
- uses: azure/CLI@v1
- with:
- azcliversion: 2.29.1
- inlineScript: |
- az configure --defaults acr=${{ env.AZURE_CONTAINER_REGISTRY }}
- az acr build -t -t ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }}
-
- - name: Gets K8s context
- uses: azure/aks-set-context@v1
- with:
- creds: ${{ secrets.AZURE_CREDENTIALS }}
- resource-group: ${{ env.RESOURCE_GROUP }}
- cluster-name: ${{ env.CLUSTER_NAME }}
- id: login
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Builds and pushes an image up to your Azure Container Registry
+ - name: Build and push image to ACR
+ run: |
+ az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
- - name: Configure deployment
- uses: azure/k8s-bake@v1
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v2.0
with:
- renderEngine: 'helm'
- helmChart: ${{ env.CHART_PATH }}
- overrideFiles: ${{ env.CHART_OVERRIDE_PATH }}
- overrides: |
- replicas:2
- helm-version: 'latest'
- id: bake
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+ # Retrieves the credentials for pulling images from your Azure Container Registry
+ - name: Get ACR credentials
+ run: |
+ az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
+ ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
+ ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
+ echo "::set-output name=username::${ACR_USERNAME}"
+ echo "::set-output name=password::${ACR_PASSWORD}"
+ id: get-acr-creds
+
+ # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
+ - name: Create K8s secret for pulling image from ACR
+ uses: Azure/k8s-create-secret@v1.1
+ with:
+ container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
+ container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
+ container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
+ secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+
+ # Deploys application based on given manifest file
- name: Deploys application
- - uses: Azure/k8s-deploy@v1
+ uses: Azure/k8s-deploy@v3.0
with:
- manifests: ${{ steps.bake.outputs.manifestsBundle }}
+ action: deploy
+ manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }}
images: |
- ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }}
+ ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
imagepullsecrets: |
- ${{ env.PROJECT_NAME }}
+ ${{ env.IMAGE_PULL_SECRET_NAME }}
diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml
index 8e1faf7..becfede 100644
--- a/deployments/azure-staticwebapp.yml
+++ b/deployments/azure-staticwebapp.yml
@@ -34,7 +34,7 @@ jobs:
runs-on: ubuntu-latest
name: Build and Deploy Job
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
with:
submodules: true
- name: Build And Deploy
diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml
index 7a2a84f..3357dc8 100644
--- a/deployments/azure-webapps-dotnet-core.yml
+++ b/deployments/azure-webapps-dotnet-core.yml
@@ -35,15 +35,15 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up .NET Core
- uses: actions/setup-dotnet@v1
+ uses: actions/setup-dotnet@v2
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
- name: Set up dependency caching for faster builds
- uses: actions/cache@v2
+ uses: actions/cache@v3
with:
path: ~/.nuget/packages
key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }}
@@ -57,7 +57,7 @@ jobs:
run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp
- name: Upload artifact for deployment job
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v3
with:
name: .net-app
path: ${{env.DOTNET_ROOT}}/myapp
@@ -71,7 +71,7 @@ jobs:
steps:
- name: Download artifact from build job
- uses: actions/download-artifact@v2
+ uses: actions/download-artifact@v3
with:
name: .net-app
diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml
index f386250..d29b0c9 100644
--- a/deployments/azure-webapps-java-jar.yml
+++ b/deployments/azure-webapps-java-jar.yml
@@ -22,6 +22,7 @@ name: Build and deploy JAR app to Azure Web App
env:
AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App
JAVA_VERSION: '11' # set this to the Java version to use
+ DISTRIBUTION: zulu # set this to the Java distribution
on:
push:
@@ -34,19 +35,20 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Java version
- uses: actions/setup-java@v2.3.1
+ uses: actions/setup-java@v3.0.0
with:
java-version: ${{ env.JAVA_VERSION }}
+ distribution: ${{ env.DISTRIBUTION }}
cache: 'maven'
- name: Build with Maven
run: mvn clean install
- name: Upload artifact for deployment job
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v3
with:
name: java-app
path: '${{ github.workspace }}/target/*.jar'
@@ -60,7 +62,7 @@ jobs:
steps:
- name: Download artifact from build job
- uses: actions/download-artifact@v2
+ uses: actions/download-artifact@v3
with:
name: java-app
diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml
index b7cb51f..c967bdb 100644
--- a/deployments/azure-webapps-node.yml
+++ b/deployments/azure-webapps-node.yml
@@ -32,10 +32,10 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Node.js
- uses: actions/setup-node@v2
+ uses: actions/setup-node@v3
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
@@ -47,7 +47,7 @@ jobs:
npm run test --if-present
- name: Upload artifact for deployment job
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v3
with:
name: node-app
path: .
@@ -61,7 +61,7 @@ jobs:
steps:
- name: Download artifact from build job
- uses: actions/download-artifact@v2
+ uses: actions/download-artifact@v3
with:
name: node-app
diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml
index 700f83a..04f55f4 100644
--- a/deployments/azure-webapps-php.yml
+++ b/deployments/azure-webapps-php.yml
@@ -35,7 +35,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Setup PHP
uses: shivammathur/setup-php@7c0b4c8c8ebed23eca9ec2802474895d105b11bc
@@ -55,7 +55,7 @@ jobs:
echo "::set-output name=dir::$(composer config cache-files-dir)"
- name: Set up dependency caching for faster installs
- uses: actions/cache@v2
+ uses: actions/cache@v3
if: steps.check_files.outputs.files_exists == 'true'
with:
path: ${{ steps.composer-cache.outputs.dir }}
@@ -68,7 +68,7 @@ jobs:
run: composer validate --no-check-publish && composer install --prefer-dist --no-progress
- name: Upload artifact for deployment job
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v3
with:
name: php-app
path: .
@@ -82,7 +82,7 @@ jobs:
steps:
- name: Download artifact from build job
- uses: actions/download-artifact@v2
+ uses: actions/download-artifact@v3
with:
name: php-app
diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml
index cb19cda..af6a9dd 100644
--- a/deployments/azure-webapps-python.yml
+++ b/deployments/azure-webapps-python.yml
@@ -34,10 +34,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python version
- uses: actions/setup-python@v2.2.2
+ uses: actions/setup-python@v3.0.0
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: 'pip'
@@ -53,7 +53,7 @@ jobs:
# Optional: Add step to run tests here (PyTest, Django test suites, etc.)
- name: Upload artifact for deployment jobs
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v3
with:
name: python-app
path: |
@@ -69,7 +69,7 @@ jobs:
steps:
- name: Download artifact from build job
- uses: actions/download-artifact@v2
+ uses: actions/download-artifact@v3
with:
name: python-app
path: .
diff --git a/deployments/google-cloudrun-docker.yml b/deployments/google-cloudrun-docker.yml
new file mode 100644
index 0000000..b8d0511
--- /dev/null
+++ b/deployments/google-cloudrun-docker.yml
@@ -0,0 +1,114 @@
+# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Cloud Run when a commit is pushed to the $default-branch branch
+#
+# Overview:
+#
+# 1. Authenticate to Google Cloud
+# 2. Authenticate Docker to Artifact Registry
+# 3. Build a docker container
+# 4. Publish it to Google Artifact Registry
+# 5. Deploy it to Cloud Run
+#
+# To configure this workflow:
+#
+# 1. Ensure the required Google Cloud APIs are enabled:
+#
+# Cloud Run run.googleapis.com
+# Artifact Registry artifactregistry.googleapis.com
+#
+# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)
+#
+# 3. Ensure the required IAM permissions are granted
+#
+# Cloud Run
+# roles/run.admin
+# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account)
+#
+# Artifact Registry
+# roles/artifactregistry.admin (project or repository level)
+#
+# NOTE: You should always follow the principle of least privilege when assigning IAM roles
+#
+# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT
+#
+# 5. Change the values for the GAR_LOCATION, SERVICE and REGION environment variables (below).
+#
+# NOTE: To use Google Container Registry instead, replace ${{ env.GAR_LOCATION }}-docker.pkg.dev with gcr.io
+#
+# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run
+#
+# Further reading:
+# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying
+# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles
+# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry
+# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege
+
+name: Build and Deploy to Cloud Run
+
+on:
+ push:
+ branches:
+ - $default-branch
+
+env:
+ PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id
+ GAR_LOCATION: YOUR_GAR_LOCATION # TODO: update Artifact Registry location
+ SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name
+ REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region
+
+jobs:
+ deploy:
+ # Add 'id-token' with the intended permissions for workload identity federation
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Google Auth
+ id: auth
+ uses: 'google-github-actions/auth@v0'
+ with:
+ token_format: 'access_token'
+ workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider
+ service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - my-service-account@my-project.iam.gserviceaccount.com
+
+ # NOTE: Alternative option - authentication via credentials json
+ # - name: Google Auth
+ # id: auth
+ # uses: 'google-github-actions/auth@v0'
+ # with:
+ # credentials_json: '${{ secrets.GCP_CREDENTIALS }}''
+
+ # BEGIN - Docker auth and build (NOTE: If you already have a container image, these Docker steps can be omitted)
+
+ # Authenticate Docker to Google Cloud Artifact Registry
+ - name: Docker Auth
+ id: docker-auth
+ uses: 'docker/login-action@v1'
+ with:
+ username: 'oauth2accesstoken'
+ password: '${{ steps.auth.outputs.access_token }}'
+ registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev'
+
+ - name: Build and Push Container
+ run: |-
+ docker build -t "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" ./
+ docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}"
+
+ # END - Docker auth and build
+
+ - name: Deploy to Cloud Run
+ id: deploy
+ uses: google-github-actions/deploy-cloudrun@v0
+ with:
+ service: ${{ env.SERVICE }}
+ region: ${{ env.REGION }}
+ # NOTE: If using a pre-built image, update the image name here
+ image: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}
+
+ # If required, use the Cloud Run url output in later steps
+ - name: Show Output
+ run: echo ${{ steps.deploy.outputs.url }}
diff --git a/deployments/google-cloudrun-source.yml b/deployments/google-cloudrun-source.yml
new file mode 100644
index 0000000..2916b45
--- /dev/null
+++ b/deployments/google-cloudrun-source.yml
@@ -0,0 +1,96 @@
+# This workflow will deploy source code on Cloud Run when a commit is pushed to the $default-branch branch
+#
+# Overview:
+#
+# 1. Authenticate to Google Cloud
+# 2. Deploy it to Cloud Run
+#
+# To configure this workflow:
+#
+# 1. Ensure the required Google Cloud APIs are enabled:
+#
+# Cloud Run run.googleapis.com
+# Cloud Build cloudbuild.googleapis.com
+# Artifact Registry artifactregistry.googleapis.com
+#
+# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)
+#
+# 3. Ensure the required IAM permissions are granted
+#
+# Cloud Run
+# roles/run.admin
+# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account)
+#
+# Cloud Build
+# roles/cloudbuild.builds.editor
+#
+# Cloud Storage
+# roles/storage.objectAdmin
+#
+# Artifact Registry
+# roles/artifactregistry.admin (project or repository level)
+#
+# NOTE: You should always follow the principle of least privilege when assigning IAM roles
+#
+# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT
+#
+# 5. Change the values for the SERVICE and REGION environment variables (below).
+#
+# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run
+#
+# Further reading:
+# Cloud Run runtime service account - https://cloud.google.com/run/docs/securing/service-identity
+# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying-source-code#permissions_required_to_deploy
+# Cloud Run builds from source - https://cloud.google.com/run/docs/deploying-source-code
+# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege
+
+name: Deploy to Cloud Run from Source
+
+on:
+ push:
+ branches:
+ - $default-branch
+
+env:
+ PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id
+ SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name
+ REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region
+
+jobs:
+ deploy:
+ # Add 'id-token' with the intended permissions for workload identity federation
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Google Auth
+ id: auth
+ uses: 'google-github-actions/auth@v0'
+ with:
+ workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider
+ service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - my-service-account@my-project.iam.gserviceaccount.com
+
+ # NOTE: Alternative option - authentication via credentials json
+ # - name: Google Auth
+ # id: auth
+ # uses: 'google-github-actions/auth@v0'
+ # with:
+ # credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
+
+ - name: Deploy to Cloud Run
+ id: deploy
+ uses: google-github-actions/deploy-cloudrun@v0
+ with:
+ service: ${{ env.SERVICE }}
+ region: ${{ env.REGION }}
+ # NOTE: If required, update to the appropriate source folder
+ source: ./
+
+ # If required, use the Cloud Run url output in later steps
+ - name: Show Output
+ run: echo ${{ steps.deploy.outputs.url }}
diff --git a/deployments/google.yml b/deployments/google.yml
index 003e53b..6150672 100644
--- a/deployments/google.yml
+++ b/deployments/google.yml
@@ -38,7 +38,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Configure Workload Identity Federation and generate an access token.
- id: 'auth'
diff --git a/deployments/ibm.yml b/deployments/ibm.yml
index 216b04d..cb3080f 100644
--- a/deployments/ibm.yml
+++ b/deployments/ibm.yml
@@ -33,7 +33,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Download and Install IBM Cloud CLI
- name: Install IBM Cloud CLI
diff --git a/deployments/openshift.yml b/deployments/openshift.yml
index 46ff961..5775cb0 100644
--- a/deployments/openshift.yml
+++ b/deployments/openshift.yml
@@ -71,7 +71,7 @@ jobs:
steps:
- name: Check for required secrets
- uses: actions/github-script@v4
+ uses: actions/github-script@v6
with:
script: |
const secrets = {
@@ -109,7 +109,7 @@ jobs:
}
- name: Check out repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Determine app name
if: env.APP_NAME == ''
diff --git a/deployments/properties/azure-kubernetes-service-helm.properties.json b/deployments/properties/azure-kubernetes-service-helm.properties.json
new file mode 100644
index 0000000..92478b3
--- /dev/null
+++ b/deployments/properties/azure-kubernetes-service-helm.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy to AKS with Helm",
+ "description": "Deploy an application to an Azure Kubernetes Service cluster using Helm",
+ "creator": "Microsoft Azure",
+ "iconName": "azure",
+ "categories": ["Deployment", "Helm", "Kubernetes", "Dockerfile"]
+}
diff --git a/deployments/properties/azure-kubernetes-service-kompose.properties.json b/deployments/properties/azure-kubernetes-service-kompose.properties.json
new file mode 100644
index 0000000..de246c3
--- /dev/null
+++ b/deployments/properties/azure-kubernetes-service-kompose.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy to AKS with Kompose",
+ "description": "Deploy an application to an Azure Kubernetes Service cluster using Kompose",
+ "creator": "Microsoft Azure",
+ "iconName": "azure",
+ "categories": ["Deployment", "Kompose", "Kubernetes", "Dockerfile"]
+}
diff --git a/deployments/properties/azure-kubernetes-service-kustomize.properties.json b/deployments/properties/azure-kubernetes-service-kustomize.properties.json
new file mode 100644
index 0000000..bfc71cc
--- /dev/null
+++ b/deployments/properties/azure-kubernetes-service-kustomize.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy to AKS with Kustomize",
+ "description": "Deploy an application to an Azure Kubernetes Service cluster using Kustomize",
+ "creator": "Microsoft Azure",
+ "iconName": "azure",
+ "categories": ["Deployment", "Kustomize", "Kubernetes", "Dockerfile"]
+}
diff --git a/deployments/properties/azure-kubernetes-service.properties.json b/deployments/properties/azure-kubernetes-service.properties.json
index 28f3725..45d4a69 100644
--- a/deployments/properties/azure-kubernetes-service.properties.json
+++ b/deployments/properties/azure-kubernetes-service.properties.json
@@ -1,7 +1,7 @@
{
- "name": "Deploy to a AKS Cluster",
- "description": "Deploy an application to a Azure Kubernetes Service Cluster using Azure Credentials",
+ "name": "Deploy to AKS",
+ "description": "Deploy an application to an Azure Kubernetes Service cluster",
"creator": "Microsoft Azure",
"iconName": "azure",
- "categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes", "Dockerfile"]
+ "categories": ["Deployment", "Kubernetes", "Dockerfile"]
}
diff --git a/deployments/properties/google-cloudrun-docker.properties.json b/deployments/properties/google-cloudrun-docker.properties.json
new file mode 100644
index 0000000..b1a2b2b
--- /dev/null
+++ b/deployments/properties/google-cloudrun-docker.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Build and Deploy to Cloud Run",
+ "description": "Build a Docker container, publish it to Google Artifact Registry, and deploy to Google Cloud Run.",
+ "creator": "Google Cloud",
+ "iconName": "google-cloud",
+ "categories": ["Deployment", "Containers", "Dockerfile", "Cloud Run", "Serverless"]
+}
diff --git a/deployments/properties/google-cloudrun-source.properties.json b/deployments/properties/google-cloudrun-source.properties.json
new file mode 100644
index 0000000..2735d80
--- /dev/null
+++ b/deployments/properties/google-cloudrun-source.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy to Cloud Run from Source",
+ "description": "Deploy to Google Cloud Run directly from source.",
+ "creator": "Google Cloud",
+ "iconName": "google-cloud",
+ "categories": ["Deployment", "Containers", "Cloud Run", "Serverless", "Buildpacks"]
+}
diff --git a/deployments/properties/google.properties.json b/deployments/properties/google.properties.json
index f1bd883..e226385 100644
--- a/deployments/properties/google.properties.json
+++ b/deployments/properties/google.properties.json
@@ -2,6 +2,6 @@
"name": "Build and Deploy to GKE",
"description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.",
"creator": "Google Cloud",
- "iconName": "googlegke",
+ "iconName": "google-cloud",
"categories": ["Deployment", "Dockerfile", "Kubernetes", "Kustomize"]
}
\ No newline at end of file
diff --git a/deployments/tencent.yml b/deployments/tencent.yml
index 83bde94..2bf2a68 100644
--- a/deployments/tencent.yml
+++ b/deployments/tencent.yml
@@ -35,7 +35,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Build
- name: Build Docker image
diff --git a/deployments/terraform.yml b/deployments/terraform.yml
index 589f1f3..6142d2c 100644
--- a/deployments/terraform.yml
+++ b/deployments/terraform.yml
@@ -64,7 +64,7 @@ jobs:
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
- name: Setup Terraform
@@ -82,10 +82,10 @@ jobs:
# Generates an execution plan for Terraform
- name: Terraform Plan
- run: terraform plan
+ run: terraform plan -input=false
# On push to $default-branch, build or change infrastructure according to Terraform configuration files
# Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks
- name: Terraform Apply
if: github.ref == 'refs/heads/$default-branch' && github.event_name == 'push'
- run: terraform apply -auto-approve
+ run: terraform apply -auto-approve -input=false
diff --git a/icons/clj-holmes.svg b/icons/clj-holmes.svg
new file mode 100644
index 0000000..74459e5
--- /dev/null
+++ b/icons/clj-holmes.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/icons/datadog.svg b/icons/datadog.svg
new file mode 100644
index 0000000..91cb3b6
--- /dev/null
+++ b/icons/datadog.svg
@@ -0,0 +1,4 @@
+
diff --git a/icons/googlegke.svg b/icons/google-cloud.svg
similarity index 100%
rename from icons/googlegke.svg
rename to icons/google-cloud.svg
diff --git a/icons/shiftleft.svg b/icons/shiftleft.svg
deleted file mode 100644
index f8e944a..0000000
--- a/icons/shiftleft.svg
+++ /dev/null
@@ -1,6 +0,0 @@
-
diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json
index ce89e36..ef8ee60 100644
--- a/script/validate-data/settings.json
+++ b/script/validate-data/settings.json
@@ -9,6 +9,7 @@
"Continuous integration",
"Deployment",
"Code Scanning",
+ "Dependency review",
"Automation"
]
-}
\ No newline at end of file
+}