From f42f92e60ce9599cfd74f77191f8b0dfd5bbe08e Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Wed, 5 Jan 2022 09:50:26 -0800 Subject: [PATCH 01/55] Update erlang.yml Add token permissions --- ci/erlang.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ci/erlang.yml b/ci/erlang.yml index 25cb893..3bebb1f 100644 --- a/ci/erlang.yml +++ b/ci/erlang.yml @@ -6,10 +6,14 @@ on: pull_request: branches: [ $default-branch ] +permissions: read-all + jobs: build: + permissions: + contents: read # for actions/checkout to fetch code runs-on: ubuntu-latest container: From eedf8fbcb38fafd48d3aa00644bd01325b89abaa Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Fri, 21 Jan 2022 12:23:16 -0800 Subject: [PATCH 02/55] Update erlang.yml Setting contents: read at workflow level, and removing from job level --- ci/erlang.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/ci/erlang.yml b/ci/erlang.yml index 3bebb1f..fc11dac 100644 --- a/ci/erlang.yml +++ b/ci/erlang.yml @@ -6,14 +6,13 @@ on: pull_request: branches: [ $default-branch ] -permissions: read-all +permissions: + contents: read jobs: build: - permissions: - contents: read # for actions/checkout to fetch code runs-on: ubuntu-latest container: From b88366bf0e067c779927710896ffd772d554574c Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Fri, 11 Feb 2022 16:47:51 +0530 Subject: [PATCH 03/55] added token permissions --- code-scanning/snyk-infrastructure.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index b79bf34..be7c2f0 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml 
@@ -21,8 +21,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 From 2a4545affa629f8317733e2a81401b069cd07692 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Fri, 11 Feb 2022 16:50:05 +0530 Subject: [PATCH 04/55] added github_token permissions --- code-scanning/xanitizer.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 3bfb9ed..1e511aa 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -42,9 +42,15 @@ on: - cron: $cron-weekly workflow_dispatch: +permissions: + contents: read + jobs: xanitizer-security-analysis: # Xanitizer runs on ubuntu-latest and windows-latest. + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: From 494ea2d29d4639345a238dc8a98c06abd89f4f4c Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Fri, 11 Feb 2022 16:52:39 +0530 Subject: [PATCH 05/55] added github_token permissions --- code-scanning/powershell.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index dfbf452..22e5ea7 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -17,8 +17,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: build: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: PSScriptAnalyzer runs-on: ubuntu-latest steps: 
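Review bot: The job-level `permissions` block on `snyk` replaces the workflow-level block rather than merging with it, so the repeated `contents: read` is load-bearing — removing it as an apparent duplicate would leave the job with only `security-events: write` and break the `actions/checkout` step. Nothing in the hunk says this, and two identical-looking keys a few lines apart invite exactly that cleanup. Suggest a comment on the workflow-level block, e.g. `# default for jobs without their own permissions block; a job-level block replaces this rather than extending it`. The xanitizer and powershell hunks that follow use the same pattern and would benefit from the same comment.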
From dc2daec13461e79d070e114e1c6acdedc695ca50 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Mon, 14 Feb 2022 11:27:43 +0530 Subject: [PATCH 06/55] added token permissions --- ci/msbuild.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/msbuild.yml b/ci/msbuild.yml index 29b6ace..2cf2a88 100644 --- a/ci/msbuild.yml +++ b/ci/msbuild.yml @@ -11,6 +11,9 @@ env: # https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix BUILD_CONFIGURATION: Release +permissions: + contents: read + jobs: build: runs-on: windows-latest From ccd26a97cbd594ff3af6632ba294d570b2e5c797 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Mon, 14 Feb 2022 11:30:57 +0530 Subject: [PATCH 07/55] added token permissions --- ci/d.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/d.yml b/ci/d.yml index 6086681..c78e2ce 100644 --- a/ci/d.yml +++ b/ci/d.yml @@ -10,6 +10,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: From d50a73e3b85ca935b2a475373e3645a277b0757b Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 12:47:03 +0530 Subject: [PATCH 08/55] Update python-publish.yml --- ci/python-publish.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 3bfabfc..489d5e6 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -12,6 +12,9 @@ on: release: types: [published] +permissions: + contents: read + jobs: deploy: From fa522381039cec2072a9f83de5f7fd077faf57d4 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 12:57:42 +0530 Subject: [PATCH 09/55] Update gradle.yml --- ci/gradle.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/gradle.yml b/ci/gradle.yml index fc8cf2f..11b4ea6 100644 --- a/ci/gradle.yml 
+++ b/ci/gradle.yml @@ -13,6 +13,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: From d6dfba970ff1b09095fe860bf15860fbfc788840 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 13:03:20 +0530 Subject: [PATCH 10/55] Update deno.yml --- ci/deno.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/deno.yml b/ci/deno.yml index 25e9e2a..6393f5f 100644 --- a/ci/deno.yml +++ b/ci/deno.yml @@ -14,6 +14,9 @@ on: pull_request: branches: [$default-branch] +permissions: + contents: read + jobs: test: runs-on: ubuntu-latest From baf5276476b911e377a006890698a2bfd211e47d Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 13:05:59 +0530 Subject: [PATCH 11/55] Update ruby.yml --- ci/ruby.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/ruby.yml b/ci/ruby.yml index f6ae1e3..9f90687 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -13,6 +13,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: test: From b93e51dac62613e75ab7b232cead7c400368d461 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 13:11:47 +0530 Subject: [PATCH 12/55] Update msvc.yml --- code-scanning/msvc.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 1503319..83d4571 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -20,8 +20,14 @@ env: # Path to the CMake build directory. build: '${{ github.workspace }}/build' +permissions: + contents: read + jobs: analyze: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Analyze runs-on: windows-latest From f6474e2bfa207cc53531f4de21c1f9243ec7c46a Mon Sep 17 00:00:00 2001 
From: Shubham malik Date: Mon, 14 Feb 2022 15:23:03 +0530 Subject: [PATCH 13/55] Update brakeman.yml --- code-scanning/brakeman.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index ae5215a..d0b25ac 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -17,8 +17,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: brakeman-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Brakeman Scan runs-on: ubuntu-latest steps: From db842e7ec591aa2ff0545d82f159c0719a0087d8 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Tue, 15 Feb 2022 13:39:46 +0530 Subject: [PATCH 14/55] added github_token permission --- ci/scala.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/scala.yml b/ci/scala.yml index af6b2ed..95c1957 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: From f0d5cb15453edac00fb14288d0ca9ae895bf76b0 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Tue, 15 Feb 2022 13:42:06 +0530 Subject: [PATCH 15/55] added token permission --- ci/python-app.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/python-app.yml b/ci/python-app.yml index 2cfc2a3..cdd6c6c 100644 --- a/ci/python-app.yml +++ b/ci/python-app.yml @@ -9,6 +9,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: From 93dc183837a934693bd89af6bf3e1ed076f9b958 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Thu, 17 Feb 2022 08:55:16 +0530 Subject: [PATCH 16/55] Update r.yml --- ci/r.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/r.yml b/ci/r.yml index 305c2cf..456e552 100644 
--- a/ci/r.yml +++ b/ci/r.yml @@ -14,6 +14,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: runs-on: macos-latest From d3fb4810d7ded6721dd323f60d1b3c63d901b307 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Wed, 2 Mar 2022 10:53:29 -0800 Subject: [PATCH 17/55] Add clj-holmes starter workflow --- code-scanning/clj-holmes.yml | 40 +++++++++++++++++++ .../properties/clj-holmes.properties.json | 10 +++++ icons/clj-holmes.svg | 1 + 3 files changed, 51 insertions(+) create mode 100644 code-scanning/clj-holmes.yml create mode 100644 code-scanning/properties/clj-holmes.properties.json create mode 100644 icons/clj-holmes.svg diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml new file mode 100644 index 0000000..62364b3 --- /dev/null +++ b/code-scanning/clj-holmes.yml @@ -0,0 +1,40 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: clj-holmes + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + clj-holmes: + name: Run clj-holmes scanning + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Scan code + uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb + with: + rules-repository: 'git://org/private-rules-repo#main' + output-type: 'sarif' + output-file: 'clj-holmes-results.sarif' + fail-on-result: 'false' + + - name: Upload analysis results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ${{github.workspace}}/clj-holmes-results.sarif \ No newline at end of file 
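Review bot: The `rules-repository: 'git://org/private-rules-repo#main'` input in the clj-holmes template fetches the scanning rules over the unauthenticated, unencrypted `git://` transport and from a moving `main` ref, so the rules that decide what the scan reports can be altered in transit or by any push to that branch; GitHub has also deprecated serving repositories over `git://`. Assuming the action accepts an https URL, the placeholder should read `rules-repository: 'https://github.com/org/private-rules-repo#main'`, with a note that users should pin a commit or tag instead of `main` if the action supports it. Pinning is also inconsistent within the file: `clj-holmes-action` is pinned to a commit SHA while `actions/checkout@v2` and `github/codeql-action/upload-sarif@v1` float on tags. The file is missing a trailing newline.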
diff --git a/code-scanning/properties/clj-holmes.properties.json b/code-scanning/properties/clj-holmes.properties.json new file mode 100644 index 0000000..41950bb --- /dev/null +++ b/code-scanning/properties/clj-holmes.properties.json @@ -0,0 +1,10 @@ +{ + "name": "clj-holmes", + "creator": "Matheus Bernardes", + "description": "A CLI SAST (Static application security testing) tool which was built with the intent of finding vulnerable Clojure code via rules that use a simple pattern language.", + "iconName": "clj-holmes", + "categories": [ + "Code Scanning", + "clojure" + ] +} \ No newline at end of file diff --git a/icons/clj-holmes.svg b/icons/clj-holmes.svg new file mode 100644 index 0000000..74459e5 --- /dev/null +++ b/icons/clj-holmes.svg @@ -0,0 +1 @@ + \ No newline at end of file From 0d462e1c6b547f7df41b16f6ef94d08d27f26176 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Thu, 3 Mar 2022 22:43:12 +0530 Subject: [PATCH 18/55] Port reworked AKS templates to main (#1450) --- deployments/azure-kubernetes-service-helm.yml | 122 +++++++++++++++++ .../azure-kubernetes-service-kompose.yml | 111 +++++++++++++++ .../azure-kubernetes-service-kustomize.yml | 117 ++++++++++++++++ deployments/azure-kubernetes-service.yml | 127 +++++++++++------- ...re-kubernetes-service-helm.properties.json | 7 + ...kubernetes-service-kompose.properties.json | 7 + ...bernetes-service-kustomize.properties.json | 7 + .../azure-kubernetes-service.properties.json | 6 +- 8 files changed, 450 insertions(+), 54 deletions(-) create mode 100644 deployments/azure-kubernetes-service-helm.yml create mode 100644 deployments/azure-kubernetes-service-kompose.yml create mode 100644 deployments/azure-kubernetes-service-kustomize.yml create mode 100644 deployments/properties/azure-kubernetes-service-helm.properties.json create mode 100644 deployments/properties/azure-kubernetes-service-kompose.properties.json create mode 100644 deployments/properties/azure-kubernetes-service-kustomize.properties.json 
diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml new file mode 100644 index 0000000..506819d --- /dev/null +++ b/deployments/azure-kubernetes-service-helm.yml 
@@ -0,0 +1,122 @@ +# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code +# +# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# For instructions see: +# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal +# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://github.com/Azure/aks-create-action +# +# To configure this workflow: +# +# 1. Set the following secrets in your repository (instructions for getting these +# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# - AZURE_CLIENT_ID +# - AZURE_TENANT_ID +# - AZURE_SUBSCRIPTION_ID +# +# 2. Set the following environment variables (or replace the values below): +# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - RESOURCE_GROUP (where your cluster is deployed) +# - CLUSTER_NAME (name of your AKS cluster) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) +# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# +# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Helm. +# Set your helmChart, overrideFiles, overrides, and helm-version to suit your configuration. 
+# - CHART_PATH (path to your helm chart) +# - CHART_OVERRIDE_PATH (path to your helm chart with override values) +# +# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions +# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +# For more options with the actions used below please refer to https://github.com/Azure/login + +name: Build and deploy an app to AKS with Helm + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +env: + AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" + CONTAINER_NAME: "your-container-name" + RESOURCE_GROUP: "your-resource-group" + CLUSTER_NAME: "your-cluster-name" + IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" + CHART_PATH: "your-chart-path" + CHART_OVERRIDE_PATH: "your-chart-override-path" + +jobs: + build: + permissions: + actions: read + contents: read + id-token: write + + runs-on: ubuntu-latest + steps: + # Checks out the repository this file is in + - uses: actions/checkout@master + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . 
+ + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + + # Retrieves the credentials for pulling images from your Azure Container Registry + - name: Get ACR credentials + run: | + az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true + ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) + ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::set-output name=username::${ACR_USERNAME}" + echo "::set-output name=password::${ACR_PASSWORD}" + id: get-acr-creds + + # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step + - name: Create K8s secret for pulling image from ACR + uses: Azure/k8s-create-secret@v1.1 + with: + container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io + container-registry-username: ${{ steps.get-acr-creds.outputs.username }} + container-registry-password: ${{ steps.get-acr-creds.outputs.password }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + # Runs Helm to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2.1 + with: + renderEngine: 'helm' + helmChart: ${{ env.CHART_PATH }} + overrideFiles: ${{ env.CHART_OVERRIDE_PATH }} + overrides: | + replicas:2 + helm-version: 'latest' + id: bake + + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v3.0 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} + imagepullsecrets: | + ${{ env.IMAGE_PULL_SECRET_NAME 
}} diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml new file mode 100644 index 0000000..1d33fe3 --- /dev/null +++ b/deployments/azure-kubernetes-service-kompose.yml 
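Review bot: The `Get ACR credentials` step in the Helm template turns on the registry's admin user with `--admin-enabled true` on every run and then exports the admin password through `::set-output` without masking it, so a single long-lived, registry-wide credential is created as a side effect of CI and is exposed to any later step that echoes `steps.get-acr-creds.outputs.password`. At minimum add `echo "::add-mask::${ACR_PASSWORD}"` before the `set-output` lines so the runner redacts it from logs. The pull secret can be avoided entirely by attaching the registry to the cluster once (`az aks update --attach-acr`), which removes the password from the workflow; the template comment should at least explain why the admin user is enabled here. `actions/checkout@master` on the first step is a floating branch ref in a job that holds `id-token: write`; pin it to a release tag or commit SHA.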
@@ -0,0 +1,111 @@ +# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code +# +# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# For instructions see: +# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal +# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://github.com/Azure/aks-create-action +# +# To configure this workflow: +# +# 1. Set the following secrets in your repository (instructions for getting these +# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# - AZURE_CLIENT_ID +# - AZURE_TENANT_ID +# - AZURE_SUBSCRIPTION_ID +# +# 2. Set the following environment variables (or replace the values below): +# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - RESOURCE_GROUP (where your cluster is deployed) +# - CLUSTER_NAME (name of your AKS cluster) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) +# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# +# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kompose. +# Set your dockerComposeFile and kompose-version to suit your configuration. 
+# - DOCKER_COMPOSE_FILE_PATH (the path where your Kompose deployment manifest is located) +# +# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions +# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +# For more options with the actions used below please refer to https://github.com/Azure/login + +name: Build and deploy an app to AKS with Kompose + +env: + AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" + CONTAINER_NAME: "your-container-name" + RESOURCE_GROUP: "your-resource-group" + CLUSTER_NAME: "your-cluster-name" + IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" + DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path" + +jobs: + build: + permissions: + actions: read + contents: read + id-token: write + + runs-on: ubuntu-latest + steps: + # Checks out the repository this file is in + - uses: actions/checkout@master + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . 
+ + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + + # Retrieves the credentials for pulling images from your Azure Container Registry + - name: Get ACR credentials + run: | + az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true + ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) + ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::set-output name=username::${ACR_USERNAME}" + echo "::set-output name=password::${ACR_PASSWORD}" + id: get-acr-creds + + # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step + - name: Create K8s secret for pulling image from ACR + uses: Azure/k8s-create-secret@v1.1 + with: + container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io + container-registry-username: ${{ steps.get-acr-creds.outputs.username }} + container-registry-password: ${{ steps.get-acr-creds.outputs.password }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + # Runs Kompose to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2.1 + with: + renderEngine: 'kompose' + dockerComposeFile: ${{ env.DOCKER_COMPOSE_FILE_PATH }} + kompose-version: 'latest' + id: bake + + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v3.0 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} + imagepullsecrets: | + ${{ env.IMAGE_PULL_SECRET_NAME }} 
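Review bot: The Kompose template declares no `on:` block — `name:` is followed directly by `env:` — so GitHub will reject the workflow, since at least one trigger is required. The sibling Helm and Kustomize templates in this commit trigger on `push` to `$default-branch` plus `workflow_dispatch`, and this file should match them. The `Get ACR credentials` step also emits the ACR admin password unmasked, as in the Helm variant; `echo "::add-mask::${ACR_PASSWORD}"` before the `set-output` lines keeps it out of logs.

```yaml
name: Build and deploy an app to AKS with Kompose

on:
  push:
    branches:
      - $default-branch
  workflow_dispatch:

# … unchanged: env and jobs …
```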
diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml new file mode 100644 index 0000000..51b7d69 --- /dev/null +++ b/deployments/azure-kubernetes-service-kustomize.yml 
@@ -0,0 +1,117 @@ +# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code +# +# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# For instructions see: +# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal +# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://github.com/Azure/aks-create-action +# +# To configure this workflow: +# +# 1. Set the following secrets in your repository (instructions for getting these +# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# - AZURE_CLIENT_ID +# - AZURE_TENANT_ID +# - AZURE_SUBSCRIPTION_ID +# +# 2. Set the following environment variables (or replace the values below): +# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - RESOURCE_GROUP (where your cluster is deployed) +# - CLUSTER_NAME (name of your AKS cluster) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) +# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# +# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kustomize. +# Set your kustomizationPath and kubectl-version to suit your configuration. 
+# - KUSTOMIZE_PATH (the path where your Kustomize manifests are located) +# +# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions +# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +# For more options with the actions used below please refer to https://github.com/Azure/login + +name: Build and deploy an app to AKS with Kustomize + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +env: + AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" + CONTAINER_NAME: "your-container-name" + RESOURCE_GROUP: "your-resource-group" + CLUSTER_NAME: "your-cluster-name" + IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" + KUSTOMIZE_PATH: "your-kustomize-path" + +jobs: + build: + permissions: + actions: read + contents: read + id-token: write + + runs-on: ubuntu-latest + steps: + # Checks out the repository this file is in + - uses: actions/checkout@master + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . 
+ + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + + # Retrieves the credentials for pulling images from your Azure Container Registry + - name: Get ACR credentials + run: | + az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true + ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) + ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::set-output name=username::${ACR_USERNAME}" + echo "::set-output name=password::${ACR_PASSWORD}" + id: get-acr-creds + + # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step + - name: Create K8s secret for pulling image from ACR + uses: Azure/k8s-create-secret@v1.1 + with: + container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io + container-registry-username: ${{ steps.get-acr-creds.outputs.username }} + container-registry-password: ${{ steps.get-acr-creds.outputs.password }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + # Runs Kustomize to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2.1 + with: + renderEngine: 'kustomize' + kustomizationPath: ${{ env.KUSTOMIZE_PATH }} + kubectl-version: latest + id: bake + + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v3.0 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} + imagepullsecrets: | + ${{ env.IMAGE_PULL_SECRET_NAME }} 
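Review bot: `actions/checkout@master` in the Kustomize template pins the checkout to a moving branch in a job that carries `id-token: write`, so any change landing on that branch runs with the ability to mint a federated token for the `AZURE_CLIENT_ID` identity; use a release tag or, better, a commit SHA (e.g. `uses: actions/checkout@v2` as the clj-holmes template in this series does). The tool version is likewise floating (`kubectl-version: latest`, unquoted here while the Helm variant writes `'latest'`); pinning it makes deployments reproducible. The header comment still lists `SECRET_NAME` while the `env` block defines `IMAGE_PULL_SECRET_NAME`; rename the comment entry to `IMAGE_PULL_SECRET_NAME` so users set the variable the workflow actually reads.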
diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index 08988ff..e61e64e 100644 --- a/deployments/azure-kubernetes-service.yml +++ b/deployments/azure-kubernetes-service.yml 
@@ -1,80 +1,105 @@ # This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code # # This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) -# For instructions see https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal -# https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal -# https://github.com/Azure/aks-create-action +# For instructions see: +# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal +# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://github.com/Azure/aks-create-action # # To configure this workflow: # -# 1. Set the following secrets in your repository: -# - AZURE_CREDENTIALS (instructions for getting this https://github.com/Azure/login#configure-a-service-principal-with-a-secret) +# 1. Set the following secrets in your repository (instructions for getting these +# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# - AZURE_CLIENT_ID +# - AZURE_TENANT_ID +# - AZURE_SUBSCRIPTION_ID # # 2. Set the following environment variables (or replace the values below): -# - AZURE_CONTAINER_REGISTRY (name of your container registry) -# - PROJECT_NAME +# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) # - RESOURCE_GROUP (where your cluster is deployed) # - CLUSTER_NAME (name of your AKS cluster) -# -# 3. Choose the approrpiate render engine for the bake step https://github.com/Azure/k8s-bake. 
The config below assumes helm, then set -# any needed environment variables such as: -# - CHART_PATH -# - CHART_OVERRIDE_PATH +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) +# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# - DEPLOYMENT_MANIFEST_PATH (path to the manifest yaml for your deployment) # # For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions # For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples -# For more options with the actions used below please see the folllowing -# https://github.com/Azure/login -# https://github.com/Azure/aks-set-context -# https://github.com/marketplace/actions/azure-cli-action -# https://github.com/Azure/k8s-bake -# https://github.com/Azure/k8s-deploy +# For more options with the actions used below please refer to https://github.com/Azure/login -on: [push] +name: Build and deploy an app to AKS + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +env: + AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" + CONTAINER_NAME: "your-container-name" + RESOURCE_GROUP: "your-resource-group" + CLUSTER_NAME: "your-cluster-name" + IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" + DEPLOYMENT_MANIFEST_PATH: 'your-deployment-manifest-path' jobs: build: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest steps: + # Checks out the repository this file is in - uses: actions/checkout@master - - name: Azure Login - uses: azure/login@v1 + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - - - name: Build image on ACR - uses: azure/CLI@v1 - with: - azcliversion: 2.29.1 - inlineScript: | - az configure --defaults acr=${{ env.AZURE_CONTAINER_REGISTRY }} - az acr build -t -t ${{ env.AZURE_CONTAINER_REGISTRY 
}}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }} - - - name: Gets K8s context - uses: azure/aks-set-context@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} - id: login + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . - - name: Configure deployment - uses: azure/k8s-bake@v1 + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 with: - renderEngine: 'helm' - helmChart: ${{ env.CHART_PATH }} - overrideFiles: ${{ env.CHART_OVERRIDE_PATH }} - overrides: | - replicas:2 - helm-version: 'latest' - id: bake + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + # Retrieves the credentials for pulling images from your Azure Container Registry + - name: Get ACR credentials + run: | + az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true + ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) + ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::set-output name=username::${ACR_USERNAME}" + echo "::set-output name=password::${ACR_PASSWORD}" + id: get-acr-creds + + # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step + - name: Create K8s secret for pulling image from ACR + uses: 
Azure/k8s-create-secret@v1.1 + with: + container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io + container-registry-username: ${{ steps.get-acr-creds.outputs.username }} + container-registry-password: ${{ steps.get-acr-creds.outputs.password }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + # Deploys application based on given manifest file - name: Deploys application - - uses: Azure/k8s-deploy@v1 + uses: Azure/k8s-deploy@v3.0 with: - manifests: ${{ steps.bake.outputs.manifestsBundle }} + action: deploy + manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }} images: | - ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }} + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.PROJECT_NAME }} + ${{ env.IMAGE_PULL_SECRET_NAME }} diff --git a/deployments/properties/azure-kubernetes-service-helm.properties.json b/deployments/properties/azure-kubernetes-service-helm.properties.json new file mode 100644 index 0000000..92478b3 --- /dev/null +++ b/deployments/properties/azure-kubernetes-service-helm.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to AKS with Helm", + "description": "Deploy an application to an Azure Kubernetes Service cluster using Helm", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Helm", "Kubernetes", "Dockerfile"] +} diff --git a/deployments/properties/azure-kubernetes-service-kompose.properties.json b/deployments/properties/azure-kubernetes-service-kompose.properties.json new file mode 100644 index 0000000..de246c3 --- /dev/null +++ b/deployments/properties/azure-kubernetes-service-kompose.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to AKS with Kompose", + "description": "Deploy an application to an Azure Kubernetes Service cluster using Kompose", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Kompose", "Kubernetes", "Dockerfile"] +} 
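Review bot: The new `Get ACR credentials` step runs `az acr update ... --admin-enabled true` on every push, permanently turning on the registry's shared admin user from CI, and then emits its password through an unmasked `::set-output`, so the credential can surface in step outputs and logs. Given the workflow already authenticates with a federated identity, granting the cluster's identity pull access to the registry (`az aks update -n ${{ env.CLUSTER_NAME }} -g ${{ env.RESOURCE_GROUP }} --attach-acr ${{ env.AZURE_CONTAINER_REGISTRY }}`) would remove the need for the admin account and the pull-secret step entirely; if the admin-credential path is kept, at minimum add `echo "::add-mask::${ACR_PASSWORD}"` before the output line. The header comment in the same hunk documents a `SECRET_NAME` variable, but the `env:` block and the `secret-name:`/`imagepullsecrets:` inputs use `IMAGE_PULL_SECRET_NAME`; the comment should read `# - IMAGE_PULL_SECRET_NAME (name of the secret associated with pulling your ACR image)`. The unchanged `actions/checkout@master` context line also stands out next to the newly version-pinned Azure actions and would benefit from the same treatment.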
diff --git a/deployments/properties/azure-kubernetes-service-kustomize.properties.json b/deployments/properties/azure-kubernetes-service-kustomize.properties.json new file mode 100644 index 0000000..bfc71cc --- /dev/null +++ b/deployments/properties/azure-kubernetes-service-kustomize.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to AKS with Kustomize", + "description": "Deploy an application to an Azure Kubernetes Service cluster using Kustomize", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Kustomize", "Kubernetes", "Dockerfile"] +} diff --git a/deployments/properties/azure-kubernetes-service.properties.json b/deployments/properties/azure-kubernetes-service.properties.json index 28f3725..45d4a69 100644 --- a/deployments/properties/azure-kubernetes-service.properties.json +++ b/deployments/properties/azure-kubernetes-service.properties.json @@ -1,7 +1,7 @@ { - "name": "Deploy to a AKS Cluster", - "description": "Deploy an application to a Azure Kubernetes Service Cluster using Azure Credentials", + "name": "Deploy to AKS", + "description": "Deploy an application to an Azure Kubernetes Service cluster", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes", "Dockerfile"] + "categories": ["Deployment", "Kubernetes", "Dockerfile"] } From 023a52c48804fd4e0a7b11ad54367e7d645d8e25 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Mon, 7 Mar 2022 09:26:30 -0800 Subject: [PATCH 19/55] remove specifying permissions Co-authored-by: Nick Fyson --- code-scanning/clj-holmes.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index 62364b3..704a01e 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml @@ -13,6 +13,8 @@ on: branches: [ $default-branch ] schedule: - cron: $cron-weekly +permissions: + contents: read jobs: clj-holmes: 
From 90d3b1b63b0f9cbe985a3de257df4f43dd94b1a0 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Mon, 7 Mar 2022 09:27:40 -0800 Subject: [PATCH 20/55] Update tool description Co-authored-by: Nick Fyson --- code-scanning/properties/clj-holmes.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/clj-holmes.properties.json b/code-scanning/properties/clj-holmes.properties.json index 41950bb..71f29c0 100644 --- a/code-scanning/properties/clj-holmes.properties.json +++ b/code-scanning/properties/clj-holmes.properties.json @@ -1,7 +1,7 @@ { "name": "clj-holmes", "creator": "Matheus Bernardes", - "description": "A CLI SAST (Static application security testing) tool which was built with the intent of finding vulnerable Clojure code via rules that use a simple pattern language.", + "description": "A Static Application Security Testing tool to find vulnerable Clojure code via rules that use a simple pattern language.", "iconName": "clj-holmes", "categories": [ "Code Scanning", From af777b030efdf58461a737904e9307ad3e652562 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Tue, 8 Mar 2022 14:19:19 -0800 Subject: [PATCH 21/55] update permissions setting --- code-scanning/clj-holmes.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index 704a01e..ca53f99 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml @@ -13,15 +13,12 @@ on: branches: [ $default-branch ] schedule: - cron: $cron-weekly -permissions: - contents: read jobs: clj-holmes: name: Run clj-holmes scanning runs-on: ubuntu-latest permissions: - actions: read contents: read security-events: write steps: 
@@ -39,4 +36,5 @@ jobs: - name: Upload analysis results to GitHub Security tab uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: ${{github.workspace}}/clj-holmes-results.sarif \ No newline at end of file + sarif_file: ${{github.workspace}}/clj-holmes-results.sarif + ait-for-processing: true \ No newline at end of file From 5665b8b5b8c5bbb0de5142879029ce57022e219c Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Wed, 9 Mar 2022 11:18:14 -0800 Subject: [PATCH 22/55] Update code-scanning/clj-holmes.yml Co-authored-by: Nick Fyson --- code-scanning/clj-holmes.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index ca53f99..4150cbb 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml @@ -14,6 +14,9 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: clj-holmes: name: Run clj-holmes scanning From 46017054a3c90b341c23f8cb09c6a6bfa9046cb8 Mon Sep 17 00:00:00 2001 From: Jonathan Tamsut Date: Mon, 14 Mar 2022 07:35:28 -0700 Subject: [PATCH 23/55] Update `download-artifact` and `upload-artifact` from `v2` to `v3` (#1465) * migrate to v3 * update download-artifact --- ci/dotnet-desktop.yml | 2 +- code-scanning/msvc.yml | 2 +- code-scanning/xanitizer.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 4 ++-- deployments/azure-webapps-java-jar.yml | 4 ++-- deployments/azure-webapps-node.yml | 4 ++-- deployments/azure-webapps-php.yml | 4 ++-- deployments/azure-webapps-python.yml | 4 ++-- 8 files changed, 13 insertions(+), 13 deletions(-) diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index 0635779..06ce344 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml 
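Review bot: The added input `ait-for-processing: true` on the `upload-sarif` step is misspelled; the action's input is `wait-for-processing`, so the runner will report it as an unexpected input and the intended wait for SARIF processing silently never happens. Change the line to `wait-for-processing: true`. The hunk also leaves the file without a trailing newline, which the previous version already lacked and this change would have been a natural place to fix.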
@@ -109,7 +109,7 @@ jobs: # Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact - name: Upload build artifacts - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: MSIX Package path: ${{ env.Wap_Project_Directory }}\AppPackages diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 83d4571..0abb409 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -59,7 +59,7 @@ jobs: # Upload SARIF file as an Artifact to download and view # - name: Upload SARIF as an Artifact - # uses: actions/upload-artifact@v2 + # uses: actions/upload-artifact@v3 # with: # name: sarif-file # path: ${{ steps.run-analysis.outputs.sarif }} diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 3bfb9ed..dc3c9ce 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -79,7 +79,7 @@ jobs: license: ${{ secrets.XANITIZER_LICENSE }} # Archiving the findings list reports - - uses: actions/upload-artifact@v2 + - uses: actions/upload-artifact@v3 with: name: Xanitizer-Reports path: | diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 7a2a84f..ed45e22 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -57,7 +57,7 @@ jobs: run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: .net-app path: ${{env.DOTNET_ROOT}}/myapp @@ -71,7 +71,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: name: .net-app diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index f386250..210fd90 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml 
@@ -46,7 +46,7 @@ jobs: run: mvn clean install - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: java-app path: '${{ github.workspace }}/target/*.jar' @@ -60,7 +60,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: name: java-app diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index b7cb51f..b6089d4 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -47,7 +47,7 @@ jobs: npm run test --if-present - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: node-app path: . @@ -61,7 +61,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: name: node-app diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 700f83a..a2dd57b 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -68,7 +68,7 @@ jobs: run: composer validate --no-check-publish && composer install --prefer-dist --no-progress - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: php-app path: . @@ -82,7 +82,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: name: php-app diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index cb19cda..8605e0a 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml 
@@ -53,7 +53,7 @@ jobs: # Optional: Add step to run tests here (PyTest, Django test suites, etc.) - name: Upload artifact for deployment jobs - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: python-app path: | @@ -69,7 +69,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: name: python-app path: . From c4cc28d92dcac4ba6ecd2d89ea90b5593363ef67 Mon Sep 17 00:00:00 2001 From: Mike Verbanic Date: Wed, 16 Mar 2022 15:00:00 -0400 Subject: [PATCH 24/55] feat: add google cloud run starter workflows (#1392) * feat: add google cloud run starter workflows * fix: pr comments * fix: pr comments * fix: properties naming * fix: docker registry path --- deployments/google-cloudrun-docker.yml | 114 ++++++++++++++++++ deployments/google-cloudrun-source.yml | 96 +++++++++++++++ .../google-cloudrun-docker.properties.json | 7 ++ .../google-cloudrun-source.properties.json | 7 ++ deployments/properties/google.properties.json | 2 +- icons/{googlegke.svg => google-cloud.svg} | 0 6 files changed, 225 insertions(+), 1 deletion(-) create mode 100644 deployments/google-cloudrun-docker.yml create mode 100644 deployments/google-cloudrun-source.yml create mode 100644 deployments/properties/google-cloudrun-docker.properties.json create mode 100644 deployments/properties/google-cloudrun-source.properties.json rename icons/{googlegke.svg => google-cloud.svg} (100%) diff --git a/deployments/google-cloudrun-docker.yml b/deployments/google-cloudrun-docker.yml new file mode 100644 index 0000000..b8d0511 --- /dev/null +++ b/deployments/google-cloudrun-docker.yml 
@@ -0,0 +1,114 @@ +# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Cloud Run when a commit is pushed to the $default-branch branch +# +# Overview: +# +# 1. Authenticate to Google Cloud +# 2. Authenticate Docker to Artifact Registry +# 3. Build a docker container +# 4. Publish it to Google Artifact Registry +# 5. Deploy it to Cloud Run +# +# To configure this workflow: +# +# 1. Ensure the required Google Cloud APIs are enabled: +# +# Cloud Run run.googleapis.com +# Artifact Registry artifactregistry.googleapis.com +# +# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) +# +# 3. Ensure the required IAM permissions are granted +# +# Cloud Run +# roles/run.admin +# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account) +# +# Artifact Registry +# roles/artifactregistry.admin (project or repository level) +# +# NOTE: You should always follow the principle of least privilege when assigning IAM roles +# +# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT +# +# 5. Change the values for the GAR_LOCATION, SERVICE and REGION environment variables (below). 
+# +# NOTE: To use Google Container Registry instead, replace ${{ env.GAR_LOCATION }}-docker.pkg.dev with gcr.io +# +# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run +# +# Further reading: +# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying +# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles +# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry +# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege + +name: Build and Deploy to Cloud Run + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id + GAR_LOCATION: YOUR_GAR_LOCATION # TODO: update Artifact Registry location + SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name + REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region + +jobs: + deploy: + # Add 'id-token' with the intended permissions for workload identity federation + permissions: + contents: 'read' + id-token: 'write' + + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Google Auth + id: auth + uses: 'google-github-actions/auth@v0' + with: + token_format: 'access_token' + workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider + service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. 
- my-service-account@my-project.iam.gserviceaccount.com + + # NOTE: Alternative option - authentication via credentials json + # - name: Google Auth + # id: auth + # uses: 'google-github-actions/auth@v0' + # with: + # credentials_json: '${{ secrets.GCP_CREDENTIALS }}'' + + # BEGIN - Docker auth and build (NOTE: If you already have a container image, these Docker steps can be omitted) + + # Authenticate Docker to Google Cloud Artifact Registry + - name: Docker Auth + id: docker-auth + uses: 'docker/login-action@v1' + with: + username: 'oauth2accesstoken' + password: '${{ steps.auth.outputs.access_token }}' + registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev' + + - name: Build and Push Container + run: |- + docker build -t "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" ./ + docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" + + # END - Docker auth and build + + - name: Deploy to Cloud Run + id: deploy + uses: google-github-actions/deploy-cloudrun@v0 + with: + service: ${{ env.SERVICE }} + region: ${{ env.REGION }} + # NOTE: If using a pre-built image, update the image name here + image: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }} + + # If required, use the Cloud Run url output in later steps + - name: Show Output + run: echo ${{ steps.deploy.outputs.url }} diff --git a/deployments/google-cloudrun-source.yml b/deployments/google-cloudrun-source.yml new file mode 100644 index 0000000..2916b45 --- /dev/null +++ b/deployments/google-cloudrun-source.yml 
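Review bot: The commented-out alternative auth block in the new google-cloudrun-docker.yml ends with a stray quote, `# credentials_json: '${{ secrets.GCP_CREDENTIALS }}''`, so a user who uncomments it as instructed gets an unterminated single-quoted scalar and a YAML parse error; the sibling google-cloudrun-source.yml in this same commit has the correct single-quoted form and this one should match it. Separately, the `Show Output` step interpolates an action output directly into a shell line, `run: echo ${{ steps.deploy.outputs.url }}`; the conventional hardening is to pass it through the environment instead, `env: URL: ${{ steps.deploy.outputs.url }}` with `run: echo "$URL"`, so the value is never expanded as shell syntax. The same `Show Output` step appears in google-cloudrun-source.yml and should get the identical change.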
@@ -0,0 +1,96 @@ +# This workflow will deploy source code on Cloud Run when a commit is pushed to the $default-branch branch +# +# Overview: +# +# 1. Authenticate to Google Cloud +# 2. Deploy it to Cloud Run +# +# To configure this workflow: +# +# 1. Ensure the required Google Cloud APIs are enabled: +# +# Cloud Run run.googleapis.com +# Cloud Build cloudbuild.googleapis.com +# Artifact Registry artifactregistry.googleapis.com +# +# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) +# +# 3. Ensure the required IAM permissions are granted +# +# Cloud Run +# roles/run.admin +# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account) +# +# Cloud Build +# roles/cloudbuild.builds.editor +# +# Cloud Storage +# roles/storage.objectAdmin +# +# Artifact Registry +# roles/artifactregistry.admin (project or repository level) +# +# NOTE: You should always follow the principle of least privilege when assigning IAM roles +# +# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT +# +# 5. Change the values for the SERVICE and REGION environment variables (below). 
+# +# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run +# +# Further reading: +# Cloud Run runtime service account - https://cloud.google.com/run/docs/securing/service-identity +# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying-source-code#permissions_required_to_deploy +# Cloud Run builds from source - https://cloud.google.com/run/docs/deploying-source-code +# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege + +name: Deploy to Cloud Run from Source + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id + SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name + REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region + +jobs: + deploy: + # Add 'id-token' with the intended permissions for workload identity federation + permissions: + contents: 'read' + id-token: 'write' + + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Google Auth + id: auth + uses: 'google-github-actions/auth@v0' + with: + workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider + service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. 
- my-service-account@my-project.iam.gserviceaccount.com + + # NOTE: Alternative option - authentication via credentials json + # - name: Google Auth + # id: auth + # uses: 'google-github-actions/auth@v0' + # with: + # credentials_json: '${{ secrets.GCP_CREDENTIALS }}' + + - name: Deploy to Cloud Run + id: deploy + uses: google-github-actions/deploy-cloudrun@v0 + with: + service: ${{ env.SERVICE }} + region: ${{ env.REGION }} + # NOTE: If required, update to the appropriate source folder + source: ./ + + # If required, use the Cloud Run url output in later steps + - name: Show Output + run: echo ${{ steps.deploy.outputs.url }} diff --git a/deployments/properties/google-cloudrun-docker.properties.json b/deployments/properties/google-cloudrun-docker.properties.json new file mode 100644 index 0000000..b1a2b2b --- /dev/null +++ b/deployments/properties/google-cloudrun-docker.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Build and Deploy to Cloud Run", + "description": "Build a Docker container, publish it to Google Artifact Registry, and deploy to Google Cloud Run.", + "creator": "Google Cloud", + "iconName": "google-cloud", + "categories": ["Deployment", "Containers", "Dockerfile", "Cloud Run", "Serverless"] +} diff --git a/deployments/properties/google-cloudrun-source.properties.json b/deployments/properties/google-cloudrun-source.properties.json new file mode 100644 index 0000000..2735d80 --- /dev/null +++ b/deployments/properties/google-cloudrun-source.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to Cloud Run from Source", + "description": "Deploy to Google Cloud Run directly from source.", + "creator": "Google Cloud", + "iconName": "google-cloud", + "categories": ["Deployment", "Containers", "Cloud Run", "Serverless", "Buildpacks"] +} diff --git a/deployments/properties/google.properties.json b/deployments/properties/google.properties.json index f1bd883..e226385 100644 --- a/deployments/properties/google.properties.json 
+++ b/deployments/properties/google.properties.json @@ -2,6 +2,6 @@ "name": "Build and Deploy to GKE", "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", "creator": "Google Cloud", - "iconName": "googlegke", + "iconName": "google-cloud", "categories": ["Deployment", "Dockerfile", "Kubernetes", "Kustomize"] } \ No newline at end of file diff --git a/icons/googlegke.svg b/icons/google-cloud.svg similarity index 100% rename from icons/googlegke.svg rename to icons/google-cloud.svg From 4740e068c130da4a35f6c535f07f6154ea4a4f43 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 15:46:17 +0530 Subject: [PATCH 25/55] Update codescan.yml --- code-scanning/codescan.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index 5886843..74a7156 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -17,8 +17,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: CodeScan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - name: Checkout repository From 3a1a8562bf027aa2426256a7c187344e6a48f3ab Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 15:49:21 +0530 Subject: [PATCH 26/55] Update snyk-container.yml --- code-scanning/snyk-container.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index 8ff2c9a..2373377 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml 
@@ -22,8 +22,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 From 18952126dca8c9b124ee6e15eed336f4a2f5e656 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 15:54:27 +0530 Subject: [PATCH 27/55] Update ossar.yml --- code-scanning/ossar.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index b5aefa4..f09b611 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -17,10 +17,16 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: OSSAR-Scan: # OSSAR runs on windows-latest. # ubuntu-latest and macos-latest support coming soon + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: windows-latest steps: From 962b63852bcaf3eb7e38772047448700ada94d5f Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 15:56:24 +0530 Subject: [PATCH 28/55] Update alibabacloud.yml --- deployments/alibabacloud.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index ded9178..c783305 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -40,6 +40,9 @@ env: ACR_EE_IMAGE: repo ACR_EE_TAG: ${{ github.sha }} +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest From ceada66602af669fcb1fee31ae307f1e47c85a2f Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 16:32:12 +0530 Subject: [PATCH 29/55] Update haskell.yml --- ci/haskell.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/haskell.yml b/ci/haskell.yml index c1d7dc7..20dbb4c 100644 --- a/ci/haskell.yml +++ b/ci/haskell.yml 
@@ -6,6 +6,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: From 02fa52f6c02fc3004eb878379efba7e1b6d071b7 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 16:34:10 +0530 Subject: [PATCH 30/55] Update symfony.yml --- ci/symfony.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/symfony.yml b/ci/symfony.yml index 7d1ca74..ab80492 100644 --- a/ci/symfony.yml +++ b/ci/symfony.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: symfony-tests: runs-on: ubuntu-latest From c5f542db49696973e6dbe4fc4d83305434656a96 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 16:35:53 +0530 Subject: [PATCH 31/55] Update php.yml --- ci/php.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/php.yml b/ci/php.yml index 6acfdd1..4937d3e 100644 --- a/ci/php.yml +++ b/ci/php.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: From f2990d6b8371d3c22b0f47639e92f844b1af0ccf Mon Sep 17 00:00:00 2001 From: Daz DeBoer Date: Wed, 23 Mar 2022 09:54:13 -0600 Subject: [PATCH 32/55] Update to v2.1.4 of gradle-build-action (#1489) * Update to new version of gradle-build-action * Update to new version of gradle-build-action --- ci/gradle-publish.yml | 4 ++-- ci/gradle.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 9fdc851..35f2d9c 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml 
@@ -30,14 +30,14 @@ jobs:
 settings-path: ${{ github.workspace }} # location for the settings.xml file
 - name: Build with Gradle
- uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7
+ uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
 with:
 arguments: build
 # The USERNAME and TOKEN need to correspond to the credentials environment variables used in
 # the publishing section of your build.gradle
 - name: Publish to GitHub Packages
- uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7
+ uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
 with:
 arguments: publish
 env:
diff --git a/ci/gradle.yml b/ci/gradle.yml
index fc8cf2f..7e4ece5 100644
--- a/ci/gradle.yml
+++ b/ci/gradle.yml
@@ -26,6 +26,6 @@ jobs:
 java-version: '11'
 distribution: 'temurin'
 - name: Build with Gradle
- uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7
+ uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
 with:
 arguments: build
From e59567a947c1c63e8d7fcfb494c87e8e199ee44a Mon Sep 17 00:00:00 2001
From: Bishal Prasad
Date: Fri, 25 Mar 2022 16:03:59 +0530
Subject: [PATCH 33/55] Bringing back Datadog Synthetics workflow (#1503)
* Revert "Revert "Add Datadog Synthetics GitHub action to starter workflows (#1342)" (#1385)"
This reverts commit de41169eb0a60341cf326c9b790a79a99e147793.
* Add creator
---
 ci/datadog-synthetics.yml | 38 +++++++++++++++++++
 .../datadog-synthetics.properties.json | 7 ++++
 icons/datadog.svg | 4 ++
 3 files changed, 49 insertions(+)
 create mode 100644 ci/datadog-synthetics.yml
 create mode 100644 ci/properties/datadog-synthetics.properties.json
 create mode 100644 icons/datadog.svg
diff --git a/ci/datadog-synthetics.yml b/ci/datadog-synthetics.yml
new file mode 100644
index 0000000..7056f87
--- /dev/null
+++ b/ci/datadog-synthetics.yml
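Review bot: Both new `uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee` lines pin to a bare commit SHA with no release annotation, so a reader cannot tell from the file that this is the v2.1.4 named in the commit title without resolving the SHA upstream, and tools that keep SHA pins current generally rely on such a trailing comment to report the version. Add `# v2.1.4` after the SHA on each occurrence (the single occurrence in ci/gradle.yml included) and keep it in step whenever the SHA moves. Pinning a third-party action to a full SHA is the right supply-chain choice; the comment only records which release the pin corresponds to. The `env:` block that feeds credentials into the publish step starts on the hunk's last line and continues outside it.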
@@ -0,0 +1,38 @@
+# This workflow will trigger Datadog Synthetic tests within your Datadog organisation
+# For more information on running Synthetic tests within your GitHub workflows see: https://docs.datadoghq.com/synthetics/cicd_integrations/github_actions/
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# To get started:
+
+# 1. Add your Datadog API (DD_API_KEY) and Application Key (DD_APP_KEY) as secrets to your GitHub repository. For more information, see: https://docs.datadoghq.com/account_management/api-app-keys/.
+# 2. Start using the action within your workflow
+
+name: Run Datadog Synthetic tests
+
+on:
+ push:
+ branches: [ $default-branch ]
+ pull_request:
+ branches: [ $default-branch ]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v2
+
+ # Run Synthetic tests within your GitHub workflow.
+ # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci
+ - name: Run Datadog Synthetic tests
+ uses: DataDog/synthetics-ci-github-action@2b56dc0cca9daa14ab69c0d1d6844296de8f941e
+ with:
+ api_key: ${{secrets.DD_API_KEY}}
+ app_key: ${{secrets.DD_APP_KEY}}
+ test_search_query: 'tag:e2e-tests' #Modify this tag to suit your tagging strategy
+
+
diff --git a/ci/properties/datadog-synthetics.properties.json b/ci/properties/datadog-synthetics.properties.json
new file mode 100644
index 0000000..edbb086
--- /dev/null
+++ b/ci/properties/datadog-synthetics.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Datadog Synthetics",
+ "description": "Run Datadog Synthetic tests within your GitHub Actions workflow",
+ "creator": "Datadog",
+ "iconName": "datadog",
+ "categories": ["Continuous integration", "JavaScript", "TypeScript", "Testing"]
+}
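Review bot: The revived workflow has no `permissions:` key, so its job runs with the repository's default GITHUB_TOKEN scopes even though the workflows touched earlier in this series are all being restricted to `contents: read`; add `permissions:` / `  contents: read` at the workflow level between the `on:` block and `jobs:`, since the only GITHUB_TOKEN consumer visible in the file is `actions/checkout`. The Datadog credentials are read from `secrets.DD_API_KEY` and `secrets.DD_APP_KEY` inside a job that also runs on `pull_request`, which is the correct trigger (forks do not receive secrets) but means fork PRs would be expected to fail at this step, a caveat the "To get started" comment could state. `DataDog/synthetics-ci-github-action@2b56dc0c…` is SHA-pinned but carries no `# vX.Y.Z` annotation, and `actions/checkout@v2` is the version the later node16 commit in this series moves to v3 elsewhere without listing this file. The checkout step can also be dropped if the tests need nothing from the repository, which would remove the only reason the job touches GITHUB_TOKEN at all.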
diff --git a/icons/datadog.svg b/icons/datadog.svg
new file mode 100644
index 0000000..91cb3b6
--- /dev/null
+++ b/icons/datadog.svg
@@ -0,0 +1,4 @@
+
+
+
+
From 3be3c5deec708a2becaca71ec12dce81ae3d6080 Mon Sep 17 00:00:00 2001
From: Bishal Prasad
Date: Mon, 28 Mar 2022 09:47:44 +0530
Subject: [PATCH 34/55] Update cache action to v3 (#1507)
---
 ci/elixir.yml | 2 +-
 ci/haskell.yml | 2 +-
 ci/php.yml | 2 +-
 ci/symfony.yml | 2 +-
 code-scanning/codescan.yml | 2 +-
 deployments/azure-webapps-dotnet-core.yml | 2 +-
 deployments/azure-webapps-php.yml | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/ci/elixir.yml b/ci/elixir.yml
index afe01be..525d175 100644
--- a/ci/elixir.yml
+++ b/ci/elixir.yml
@@ -20,7 +20,7 @@ jobs:
 elixir-version: '1.12.3' # Define the elixir version [required]
 otp-version: '24.1' # Define the OTP version [required]
 - name: Restore dependencies cache
- uses: actions/cache@v2
+ uses: actions/cache@v3
 with:
 path: deps
 key: ${{ runner.os }}-mix-${{ hashFiles('**/mix.lock') }}
diff --git a/ci/haskell.yml b/ci/haskell.yml
index c1d7dc7..b9b1d4e 100644
--- a/ci/haskell.yml
+++ b/ci/haskell.yml
@@ -19,7 +19,7 @@ jobs:
 cabal-version: '3.2'
 - name: Cache
- uses: actions/cache@v1
+ uses: actions/cache@v3
 env:
 cache-name: cache-cabal
 with:
diff --git a/ci/php.yml b/ci/php.yml
index 6acfdd1..4a1d36b 100644
--- a/ci/php.yml
+++ b/ci/php.yml
@@ -19,7 +19,7 @@ jobs:
 - name: Cache Composer packages
 id: composer-cache
- uses: actions/cache@v2
+ uses: actions/cache@v3
 with:
 path: vendor
 key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }}
diff --git a/ci/symfony.yml b/ci/symfony.yml
index 7d1ca74..ba3d49c 100644
--- a/ci/symfony.yml
+++ b/ci/symfony.yml
@@ -21,7 +21,7 @@ jobs:
 run: php -r "file_exists('.env.test.local') || copy('.env.test', '.env.test.local');"
 - name: Cache Composer packages
 id: composer-cache
- uses: actions/cache@v2
+ uses: actions/cache@v3
 with:
 path: vendor
 key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }}
diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml
index 5886843..ff376a9 100644
--- a/code-scanning/codescan.yml
+++ b/code-scanning/codescan.yml
@@ -24,7 +24,7 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v2
 - name: Cache files
- uses: actions/cache@v2
+ uses: actions/cache@v3
 with:
 path: |
 ~/.sonar
diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml
index ed45e22..d4690a5 100644
--- a/deployments/azure-webapps-dotnet-core.yml
+++ b/deployments/azure-webapps-dotnet-core.yml
@@ -43,7 +43,7 @@ jobs:
 dotnet-version: ${{ env.DOTNET_VERSION }}
 - name: Set up dependency caching for faster builds
- uses: actions/cache@v2
+ uses: actions/cache@v3
 with:
 path: ~/.nuget/packages
 key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }}
diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml
index a2dd57b..f971d1c 100644
--- a/deployments/azure-webapps-php.yml
+++ b/deployments/azure-webapps-php.yml
@@ -55,7 +55,7 @@ jobs:
 echo "::set-output name=dir::$(composer config cache-files-dir)"
 - name: Set up dependency caching for faster installs
- uses: actions/cache@v2
+ uses: actions/cache@v3
 if: steps.check_files.outputs.files_exists == 'true'
 with:
 path: ${{ steps.composer-cache.outputs.dir }}
From 69cce6ad3afa0ae834dd79e191f20b0104b1dde8 Mon Sep 17 00:00:00 2001
From: Hiroyuki Onaka
Date: Mon, 28 Mar 2022 19:39:18 +0900
Subject: [PATCH 35/55] Add env variable to set the Java distribution to use
---
 deployments/azure-webapps-java-jar.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml
index 210fd90..c211a0f 100644
--- a/deployments/azure-webapps-java-jar.yml
+++ b/deployments/azure-webapps-java-jar.yml
@@ -22,6 +22,7 @@ name: Build and deploy JAR app to Azure Web App
 env:
 AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App
 JAVA_VERSION: '11' # set this to the Java version to use
+ DISTRIBUTION: zulu # set this to the Java distribution
 on:
 push:
@@ -40,6 +41,7 @@ jobs:
 uses: actions/setup-java@v2.3.1
 with:
 java-version: ${{ env.JAVA_VERSION }}
+ distribution: ${{ env.DISTRIBUTION }}
 cache: 'maven'
 - name: Build with Maven
From 1d9d6d7fb0a8a27ef98efbbfa9689cd14c906383 Mon Sep 17 00:00:00 2001
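Review bot: The new env key `DISTRIBUTION` is the only entry in this `env:` block without a domain prefix (`AZURE_WEBAPP_NAME`, `JAVA_VERSION` sit beside it), and its comment does not say what values are accepted; renaming it `JAVA_DISTRIBUTION: zulu # set this to the Java distribution (e.g. zulu, temurin)` with the matching `distribution: ${{ env.JAVA_DISTRIBUTION }}` in the second hunk keeps the template's naming consistent and answers the user's first question. The `zulu` default also differs from the `'temurin'` used by the other setup-java templates in this repository (ci/android.yml, ci/ant.yml, ci/gradle.yml, ci/maven.yml); either is fine, but a one-line comment on why this template differs would help. The step is pinned to `actions/setup-java@v2.3.1`, and setup-java v2 treats `distribution` as a required input, which is presumably why this change is needed and would be worth stating in the commit message.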
From: Thomas Boop <52323235+thboop@users.noreply.github.com> Date: Mon, 28 Mar 2022 13:10:48 -0400 Subject: [PATCH 36/55] Update Actions to node16 (#1469) * update actions * address merge conflicts * fix java updates * update github script * update cache to v3 Co-authored-by: Bishal Prasad --- .github/workflows/labeler-triage.yml | 2 +- .github/workflows/stale.yml | 2 +- .github/workflows/sync_ghes.yaml | 4 +- .github/workflows/validate-data.yaml | 4 +- automation/label.yml | 2 +- automation/stale.yml | 2 +- ci/ada.yml | 2 +- ci/android.yml | 4 +- ci/ant.yml | 4 +- ci/blank.yml | 2 +- ci/c-cpp.yml | 2 +- ci/clojure.yml | 2 +- ci/cmake.yml | 2 +- ci/crystal.yml | 2 +- ci/d.yml | 2 +- ci/dart.yml | 2 +- ci/deno.yml | 2 +- ci/django.yml | 4 +- ci/docker-image.yml | 2 +- ci/docker-publish.yml | 2 +- ci/dotnet-desktop.yml | 4 +- ci/dotnet.yml | 4 +- ci/elixir.yml | 62 +++++++++---------- ci/erlang.yml | 2 +- ci/gem-push.yml | 2 +- ci/go.yml | 4 +- ci/gradle-publish.yml | 4 +- ci/gradle.yml | 4 +- ci/haskell.yml | 2 +- ci/ios.yml | 2 +- ci/jekyll.yml | 2 +- ci/laravel.yml | 2 +- ci/makefile.yml | 2 +- ci/maven-publish.yml | 4 +- ci/maven.yml | 4 +- ci/msbuild.yml | 2 +- ci/node.js.yml | 4 +- ci/npm-grunt.yml | 4 +- ci/npm-gulp.yml | 4 +- ci/npm-publish-github-packages.yml | 8 +-- ci/npm-publish.yml | 8 +-- ci/objective-c-xcode.yml | 2 +- ci/php.yml | 2 +- ci/pylint.yml | 4 +- ci/python-app.yml | 4 +- ci/python-package-conda.yml | 4 +- ci/python-package.yml | 4 +- ci/python-publish.yml | 4 +- ci/r.yml | 2 +- ci/ruby.yml | 2 +- ci/rubyonrails.yml | 4 +- ci/rust.yml | 2 +- ci/scala.yml | 4 +- ci/super-linter.yml | 2 +- ci/swift.yml | 2 +- ci/symfony.yml | 2 +- ci/webpack.yml | 4 +- code-scanning/anchore.yml | 2 +- code-scanning/brakeman.yml | 2 +- code-scanning/checkmarx.yml | 2 +- code-scanning/cloudrail.yml | 2 +- code-scanning/codacy.yml | 2 +- code-scanning/codeql.yml | 2 +- code-scanning/codescan.yml | 2 +- code-scanning/crunch42.yml | 2 +- code-scanning/detekt.yml | 2 
+- code-scanning/devskim.yml | 2 +- code-scanning/flawfinder.yml | 2 +- code-scanning/fortify.yml | 7 ++- code-scanning/kubesec.yml | 2 +- code-scanning/mayhem-for-api.yml | 2 +- code-scanning/mobsf.yml | 4 +- code-scanning/msvc.yml | 2 +- code-scanning/njsscan.yml | 2 +- code-scanning/nowsecure.yml | 2 +- code-scanning/ossar.yml | 4 +- code-scanning/pmd.yml | 4 +- code-scanning/powershell.yml | 2 +- code-scanning/prisma.yml | 2 +- code-scanning/rubocop.yml | 2 +- code-scanning/scorecards.yml | 4 +- code-scanning/securitycodescan.yml | 2 +- code-scanning/semgrep.yml | 2 +- code-scanning/shiftleft.yml | 2 +- code-scanning/snyk-container.yml | 2 +- code-scanning/snyk-infrastructure.yml | 2 +- code-scanning/stackhawk.yml | 2 +- code-scanning/synopsys-io.yml | 2 +- code-scanning/sysdig-scan.yml | 2 +- code-scanning/tfsec.yml | 2 +- code-scanning/trivy.yml | 2 +- code-scanning/veracode.yml | 7 ++- code-scanning/xanitizer.yml | 5 +- deployments/alibabacloud.yml | 4 +- deployments/aws.yml | 2 +- deployments/azure-container-webapp.yml | 2 +- deployments/azure-kubernetes-service-helm.yml | 2 +- .../azure-kubernetes-service-kompose.yml | 2 +- .../azure-kubernetes-service-kustomize.yml | 2 +- deployments/azure-kubernetes-service.yml | 2 +- deployments/azure-staticwebapp.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 4 +- deployments/azure-webapps-java-jar.yml | 4 +- deployments/azure-webapps-node.yml | 4 +- deployments/azure-webapps-php.yml | 2 +- deployments/azure-webapps-python.yml | 4 +- deployments/google.yml | 2 +- deployments/ibm.yml | 2 +- deployments/openshift.yml | 4 +- deployments/tencent.yml | 2 +- deployments/terraform.yml | 2 +- 111 files changed, 188 insertions(+), 185 deletions(-) diff --git a/.github/workflows/labeler-triage.yml b/.github/workflows/labeler-triage.yml index eba05f0..99fdbc5 100644 --- a/.github/workflows/labeler-triage.yml +++ b/.github/workflows/labeler-triage.yml 
@@ -11,6 +11,6 @@ jobs: triage: runs-on: ubuntu-latest steps: - - uses: actions/labeler@v3 + - uses: actions/labeler@v4 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" \ No newline at end of file diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 217078a..c319ce1 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/stale@v3 + - uses: actions/stale@v5 with: stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.' stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.' diff --git a/.github/workflows/sync_ghes.yaml b/.github/workflows/sync_ghes.yaml index 946218f..fb9c623 100644 --- a/.github/workflows/sync_ghes.yaml +++ b/.github/workflows/sync_ghes.yaml @@ -11,12 +11,12 @@ jobs: contents: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - run: | git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/* git config user.email "cschleiden@github.com" git config user.name "GitHub Actions" - - uses: actions/setup-node@v2 + - uses: actions/setup-node@v3 with: node-version: '12' - name: Check starter workflows for GHES compat diff --git a/.github/workflows/validate-data.yaml b/.github/workflows/validate-data.yaml index 7d5c1ee..d2ac9a5 100644 --- a/.github/workflows/validate-data.yaml +++ b/.github/workflows/validate-data.yaml @@ -10,9 +10,9 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - - uses: actions/setup-node@v2 + - uses: actions/setup-node@v3 with: node-version: "12" diff --git a/automation/label.yml b/automation/label.yml index 5cdc45e..a8a1bd7 100644 --- a/automation/label.yml +++ b/automation/label.yml 
@@ -17,6 +17,6 @@ jobs: pull-requests: write steps: - - uses: actions/labeler@v2 + - uses: actions/labeler@v4 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/automation/stale.yml b/automation/stale.yml index ff88dc0..1322eaf 100644 --- a/automation/stale.yml +++ b/automation/stale.yml @@ -18,7 +18,7 @@ jobs: pull-requests: write steps: - - uses: actions/stale@v3 + - uses: actions/stale@v5 with: repo-token: ${{ secrets.GITHUB_TOKEN }} stale-issue-message: 'Stale issue message' diff --git a/ci/ada.yml b/ci/ada.yml index a27902a..7e94b38 100644 --- a/ci/ada.yml +++ b/ci/ada.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Set up GNAT toolchain run: > diff --git a/ci/android.yml b/ci/android.yml index f289bd5..221fca5 100644 --- a/ci/android.yml +++ b/ci/android.yml @@ -12,9 +12,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/ci/ant.yml b/ci/ant.yml index 0205d40..1614664 100644 --- a/ci/ant.yml +++ b/ci/ant.yml @@ -15,9 +15,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/ci/blank.yml b/ci/blank.yml index 895e5d1..607e2cf 100644 --- a/ci/blank.yml +++ b/ci/blank.yml @@ -23,7 +23,7 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Runs a single command using the runners shell - name: Run a one-line script diff --git a/ci/c-cpp.yml b/ci/c-cpp.yml index 88d1497..14d2eb9 100644 --- a/ci/c-cpp.yml +++ b/ci/c-cpp.yml 
@@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: configure run: ./configure - name: make diff --git a/ci/clojure.yml b/ci/clojure.yml index 098918a..a76631a 100644 --- a/ci/clojure.yml +++ b/ci/clojure.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install dependencies run: lein deps - name: Run tests diff --git a/ci/cmake.yml b/ci/cmake.yml index 6c858b9..6f06f75 100644 --- a/ci/cmake.yml +++ b/ci/cmake.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Configure CMake # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make. diff --git a/ci/crystal.yml b/ci/crystal.yml index 6552afa..18cc825 100644 --- a/ci/crystal.yml +++ b/ci/crystal.yml @@ -15,7 +15,7 @@ jobs: image: crystallang/crystal steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install dependencies run: shards install - name: Run tests diff --git a/ci/d.yml b/ci/d.yml index 6086681..878716a 100644 --- a/ci/d.yml +++ b/ci/d.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: dlang-community/setup-dlang@4c99aa991ce7d19dd3064de0a4f2f6b2f152e2d7 - name: 'Build & Test' diff --git a/ci/dart.yml b/ci/dart.yml index 7486577..7bf352f 100644 --- a/ci/dart.yml +++ b/ci/dart.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Note: This workflow uses the latest stable version of the Dart SDK. # You can specify other versions if desired, see documentation here: diff --git a/ci/deno.yml b/ci/deno.yml index 25e9e2a..24d3d9b 100644 --- a/ci/deno.yml +++ b/ci/deno.yml 
@@ -20,7 +20,7 @@ jobs: steps: - name: Setup repo - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Setup Deno # uses: denoland/setup-deno@v1 diff --git a/ci/django.yml b/ci/django.yml index dbde266..79550cc 100644 --- a/ci/django.yml +++ b/ci/django.yml @@ -16,9 +16,9 @@ jobs: python-version: [3.7, 3.8, 3.9] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: ${{ matrix.python-version }} - name: Install Dependencies diff --git a/ci/docker-image.yml b/ci/docker-image.yml index 78532a3..cc9cd6e 100644 --- a/ci/docker-image.yml +++ b/ci/docker-image.yml @@ -13,6 +13,6 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Build the Docker image run: docker build . --file Dockerfile --tag my-image-name:$(date +%s) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 977635a..7b6add3 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -35,7 +35,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index 06ce344..170b3f6 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -63,13 +63,13 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: fetch-depth: 0 # Install the .NET Core workload - name: Install .NET Core - uses: actions/setup-dotnet@v1 + uses: actions/setup-dotnet@v2 with: dotnet-version: 5.0.x diff --git a/ci/dotnet.yml b/ci/dotnet.yml index c31cf68..5974d4a 100644 --- a/ci/dotnet.yml +++ b/ci/dotnet.yml 
@@ -12,9 +12,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Setup .NET - uses: actions/setup-dotnet@v1 + uses: actions/setup-dotnet@v2 with: dotnet-version: 5.0.x - name: Restore dependencies diff --git a/ci/elixir.yml b/ci/elixir.yml index 525d175..5b5aabb 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -1,31 +1,31 @@ -name: Elixir CI - -on: - push: - branches: [ $default-branch ] - pull_request: - branches: [ $default-branch ] - -jobs: - build: - - name: Build and test - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - name: Set up Elixir - uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f - with: - elixir-version: '1.12.3' # Define the elixir version [required] - otp-version: '24.1' # Define the OTP version [required] - - name: Restore dependencies cache - uses: actions/cache@v3 - with: - path: deps - key: ${{ runner.os }}-mix-${{ hashFiles('**/mix.lock') }} - restore-keys: ${{ runner.os }}-mix- - - name: Install dependencies - run: mix deps.get - - name: Run tests - run: mix test +name: Elixir CI + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + +jobs: + build: + + name: Build and test + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + - name: Set up Elixir + uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f + with: + elixir-version: '1.12.3' # Define the elixir version [required] + otp-version: '24.1' # Define the OTP version [required] + - name: Restore dependencies cache + uses: actions/cache@v3 + with: + path: deps + key: ${{ runner.os }}-mix-${{ hashFiles('**/mix.lock') }} + restore-keys: ${{ runner.os }}-mix- + - name: Install dependencies + run: mix deps.get + - name: Run tests + run: mix test diff --git a/ci/erlang.yml b/ci/erlang.yml index 25cb893..20e269f 100644 --- a/ci/erlang.yml +++ b/ci/erlang.yml 
@@ -16,7 +16,7 @@ jobs: image: erlang:22.0.7 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Compile run: rebar3 compile - name: Run tests diff --git a/ci/gem-push.yml b/ci/gem-push.yml index 3dc62be..8905272 100644 --- a/ci/gem-push.yml +++ b/ci/gem-push.yml @@ -15,7 +15,7 @@ jobs: packages: write steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Ruby 2.6 uses: actions/setup-ruby@v1 with: diff --git a/ci/go.yml b/ci/go.yml index afff652..6f498a6 100644 --- a/ci/go.yml +++ b/ci/go.yml @@ -11,10 +11,10 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Go - uses: actions/setup-go@v2 + uses: actions/setup-go@v3 with: go-version: 1.17 diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 35f2d9c..9aeb2b8 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -20,9 +20,9 @@ jobs: packages: write steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/ci/gradle.yml b/ci/gradle.yml index 7e4ece5..8e0d1e4 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -19,9 +19,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/ci/haskell.yml b/ci/haskell.yml index b9b1d4e..827d177 100644 --- a/ci/haskell.yml +++ b/ci/haskell.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: actions/setup-haskell@v1 with: ghc-version: '8.10.3' diff --git a/ci/ios.yml b/ci/ios.yml index ab92d32..5cec5e7 100644 --- a/ci/ios.yml +++ b/ci/ios.yml 
@@ -13,7 +13,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Set Default Scheme run: | scheme_list=$(xcodebuild -list -json | tr -d "\n") diff --git a/ci/jekyll.yml b/ci/jekyll.yml index 71920c1..6a98dea 100644 --- a/ci/jekyll.yml +++ b/ci/jekyll.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Build the site in the jekyll/builder container run: | docker run \ diff --git a/ci/laravel.yml b/ci/laravel.yml index 5f4e6c9..e778d7b 100644 --- a/ci/laravel.yml +++ b/ci/laravel.yml @@ -15,7 +15,7 @@ jobs: - uses: shivammathur/setup-php@15c43e89cdef867065b0213be354c2841860869e with: php-version: '8.0' - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Copy .env run: php -r "file_exists('.env') || copy('.env.example', '.env');" - name: Install Dependencies diff --git a/ci/makefile.yml b/ci/makefile.yml index eafe622..0156944 100644 --- a/ci/makefile.yml +++ b/ci/makefile.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: configure run: ./configure diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml index 319f9a1..dab69fe 100644 --- a/ci/maven-publish.yml +++ b/ci/maven-publish.yml @@ -16,9 +16,9 @@ jobs: packages: write steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/ci/maven.yml b/ci/maven.yml index f301fe0..65e0dff 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -15,9 +15,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/ci/msbuild.yml b/ci/msbuild.yml index e650e2a..3cd8f01 100644 
--- a/ci/msbuild.yml +++ b/ci/msbuild.yml @@ -20,7 +20,7 @@ jobs: runs-on: windows-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Add MSBuild to PATH uses: microsoft/setup-msbuild@v1.0.2 diff --git a/ci/node.js.yml b/ci/node.js.yml index 8d1b9c7..87ef0d8 100644 --- a/ci/node.js.yml +++ b/ci/node.js.yml @@ -20,9 +20,9 @@ jobs: # See supported Node.js release schedule at https://nodejs.org/en/about/releases/ steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v2 + uses: actions/setup-node@v3 with: node-version: ${{ matrix.node-version }} cache: 'npm' diff --git a/ci/npm-grunt.yml b/ci/npm-grunt.yml index 8c83cb6..eda97e1 100644 --- a/ci/npm-grunt.yml +++ b/ci/npm-grunt.yml @@ -15,10 +15,10 @@ jobs: node-version: [12.x, 14.x, 16.x] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v1 + uses: actions/setup-node@v3 with: node-version: ${{ matrix.node-version }} diff --git a/ci/npm-gulp.yml b/ci/npm-gulp.yml index cc5da13..504f22e 100644 --- a/ci/npm-gulp.yml +++ b/ci/npm-gulp.yml @@ -15,10 +15,10 @@ jobs: node-version: [12.x, 14.x, 16.x] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v1 + uses: actions/setup-node@v3 with: node-version: ${{ matrix.node-version }} diff --git a/ci/npm-publish-github-packages.yml b/ci/npm-publish-github-packages.yml index 09ff0b3..638ccf8 100644 --- a/ci/npm-publish-github-packages.yml +++ b/ci/npm-publish-github-packages.yml @@ -11,8 +11,8 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 with: node-version: 16 - run: npm ci 
@@ -25,8 +25,8 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 with: node-version: 16 registry-url: $registry-url(npm) diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index ef8c690..c461c85 100644 --- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml @@ -11,8 +11,8 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 with: node-version: 16 - run: npm ci @@ -22,8 +22,8 @@ jobs: needs: build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 with: node-version: 16 registry-url: https://registry.npmjs.org/ diff --git a/ci/objective-c-xcode.yml b/ci/objective-c-xcode.yml index db009b0..1373878 100644 --- a/ci/objective-c-xcode.yml +++ b/ci/objective-c-xcode.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Set Default Scheme run: | scheme_list=$(xcodebuild -list -json | tr -d "\n") diff --git a/ci/php.yml b/ci/php.yml index 4a1d36b..ba84657 100644 --- a/ci/php.yml +++ b/ci/php.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Validate composer.json and composer.lock run: composer validate --strict diff --git a/ci/pylint.yml b/ci/pylint.yml index 7b555fe..383e65c 100644 --- a/ci/pylint.yml +++ b/ci/pylint.yml @@ -9,9 +9,9 @@ jobs: matrix: python-version: ["3.8", "3.9", "3.10"] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: ${{ matrix.python-version }} - name: Install dependencies 
diff --git a/ci/python-app.yml b/ci/python-app.yml index 2cfc2a3..89823c1 100644 --- a/ci/python-app.yml +++ b/ci/python-app.yml @@ -15,9 +15,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python 3.10 - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: "3.10" - name: Install dependencies diff --git a/ci/python-package-conda.yml b/ci/python-package-conda.yml index 9bd6d2b..57940bd 100644 --- a/ci/python-package-conda.yml +++ b/ci/python-package-conda.yml @@ -9,9 +9,9 @@ jobs: max-parallel: 5 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python 3.10 - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: 3.10 - name: Add conda to system path diff --git a/ci/python-package.yml b/ci/python-package.yml index b0a63cf..583a366 100644 --- a/ci/python-package.yml +++ b/ci/python-package.yml @@ -19,9 +19,9 @@ jobs: python-version: ["3.8", "3.9", "3.10"] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: ${{ matrix.python-version }} - name: Install dependencies diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 3bfabfc..f55528c 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -18,9 +18,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: '3.x' - name: Install dependencies diff --git a/ci/r.yml b/ci/r.yml index 305c2cf..afb870e 100644 --- a/ci/r.yml +++ b/ci/r.yml 
@@ -22,7 +22,7 @@ jobs: r-version: ['3.6.3', '4.1.1'] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up R ${{ matrix.r-version }} uses: r-lib/actions/setup-r@f57f1301a053485946083d7a45022b278929a78a with: diff --git a/ci/ruby.yml b/ci/ruby.yml index f6ae1e3..d8e672a 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -22,7 +22,7 @@ jobs: ruby-version: ['2.6', '2.7', '3.0'] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Ruby # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, # change this to (see https://github.com/ruby/setup-ruby#versioning): diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index b7b3624..2ad891f 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -27,7 +27,7 @@ jobs: DATABASE_URL: "postgres://rails:password@localhost:5432/rails_test" steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Add or replace dependency steps here - name: Install Ruby and gems uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92 @@ -44,7 +44,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Install Ruby and gems uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92 with: diff --git a/ci/rust.yml b/ci/rust.yml index 6c82c61..d51f1af 100644 --- a/ci/rust.yml +++ b/ci/rust.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Build run: cargo build --verbose - name: Run tests diff --git a/ci/scala.yml b/ci/scala.yml index af6b2ed..ed24363 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -12,9 +12,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' 
diff --git a/ci/super-linter.yml b/ci/super-linter.yml index bebd82d..275b34f 100644 --- a/ci/super-linter.yml +++ b/ci/super-linter.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: # Full git history is needed to get a proper list of changed files within `super-linter` fetch-depth: 0 diff --git a/ci/swift.yml b/ci/swift.yml index df062b5..3668fc0 100644 --- a/ci/swift.yml +++ b/ci/swift.yml @@ -12,7 +12,7 @@ jobs: runs-on: macos-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Build run: swift build -v - name: Run tests diff --git a/ci/symfony.yml b/ci/symfony.yml index ba3d49c..533d379 100644 --- a/ci/symfony.yml +++ b/ci/symfony.yml @@ -16,7 +16,7 @@ jobs: - uses: shivammathur/setup-php@2cb9b829437ee246e9b3cac53555a39208ca6d28 with: php-version: '8.0' - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Copy .env.test.local run: php -r "file_exists('.env.test.local') || copy('.env.test', '.env.test.local');" - name: Cache Composer packages diff --git a/ci/webpack.yml b/ci/webpack.yml index 8edb34f..6449fe7 100644 --- a/ci/webpack.yml +++ b/ci/webpack.yml @@ -15,10 +15,10 @@ jobs: node-version: [12.x, 14.x, 16.x] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v1 + uses: actions/setup-node@v3 with: node-version: ${{ matrix.node-version }} diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index fcca708..64264e4 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml 
@@ -31,7 +31,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Build the Docker image run: docker build . --file Dockerfile --tag localbuild/testimage:latest - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index d0b25ac..3237551 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -30,7 +30,7 @@ jobs: steps: # Checkout the repository to the GitHub Actions runner - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Customize the ruby version depending on your needs - name: Setup Ruby diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index d012bce..d86d4f9 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -34,7 +34,7 @@ jobs: # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs - name: Checkmarx CxFlow Action uses: checkmarx-ts/checkmarx-cxflow-github-action@9975af7d6b957abec9ee9646effa3fb3b82c5314 diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml index 00e270a..0d6b3de 100644 --- a/code-scanning/cloudrail.yml +++ b/code-scanning/cloudrail.yml @@ -24,7 +24,7 @@ jobs: steps: - name: Clone repo - uses: actions/checkout@v2 + uses: actions/checkout@v3 # For Terraform, Cloudrail requires the plan as input. So we generate it using # the Terraform core binary. diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index 4892930..8100be8 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml 
@@ -35,7 +35,7 @@ jobs: steps: # Checkout the repository to the GitHub Actions runner - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis - name: Run Codacy Analysis CLI diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 57b4b69..cd9a683 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -38,7 +38,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index ff376a9..bc65eb0 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -22,7 +22,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Cache files uses: actions/cache@v3 with: diff --git a/code-scanning/crunch42.yml b/code-scanning/crunch42.yml index e8e2447..07cd73a 100644 --- a/code-scanning/crunch42.yml +++ b/code-scanning/crunch42.yml @@ -43,7 +43,7 @@ jobs: security-events: write # for 42Crunch/api-security-audit-action to upload results to Github Code Scanning runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: 42Crunch REST API Static Security Testing uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1 diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index a8610c3..1118c3d 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml 
@@ -45,7 +45,7 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Gets the download URL associated with the $DETEKT_RELEASE_TAG - name: Get Detekt download URL diff --git a/code-scanning/devskim.yml b/code-scanning/devskim.yml index 3a5c45f..e057348 100644 --- a/code-scanning/devskim.yml +++ b/code-scanning/devskim.yml @@ -23,7 +23,7 @@ jobs: security-events: write steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Run DevSkim scanner uses: microsoft/DevSkim-Action@v1 diff --git a/code-scanning/flawfinder.yml b/code-scanning/flawfinder.yml index 080953e..697e561 100644 --- a/code-scanning/flawfinder.yml +++ b/code-scanning/flawfinder.yml @@ -24,7 +24,7 @@ jobs: security-events: write steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: flawfinder_scan uses: david-a-wheeler/flawfinder@8e4a779ad59dbfaee5da586aa9210853b701959c diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml index d67d194..83f99c1 100644 --- a/code-scanning/fortify.yml +++ b/code-scanning/fortify.yml @@ -39,14 +39,15 @@ jobs: steps: # Check out source code - name: Check Out Source Code - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Java is required to run the various Fortify utilities. # When scanning a Java application, please use the appropriate Java version for building your application. - name: Setup Java - uses: actions/setup-java@v1 + uses: actions/setup-java@v3 with: - java-version: 1.8 + java-version: 8 + distribution: 'temurin' # Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml. # TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints: 
diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml index 1cad70c..81ebaa7 100644 --- a/code-scanning/kubesec.yml +++ b/code-scanning/kubesec.yml @@ -24,7 +24,7 @@ jobs: security-events: write steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Run kubesec scanner uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml index 59d66a0..ed424f1 100644 --- a/code-scanning/mayhem-for-api.yml +++ b/code-scanning/mayhem-for-api.yml @@ -42,7 +42,7 @@ jobs: contents: read security-events: write steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Run your API in the background. Ideally, the API would run in debug # mode & send stacktraces back on "500 Internal Server Error" responses diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index d8eaa92..96655af 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -24,10 +24,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Setup python - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: 3.8 diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 0abb409..13e58ef 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Configure CMake run: cmake -B ${{ env.build }} diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index a6da087..16ade3b 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -29,7 +29,7 @@ jobs: name: njsscan code scanning steps: - name: Checkout the code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: nodejsscan scan id: njsscan uses: ajinabraham/njsscan-action@7237412fdd36af517e2745077cedbf9d6900d711 
diff --git a/code-scanning/nowsecure.yml b/code-scanning/nowsecure.yml index 92126bd..fbca537 100644 --- a/code-scanning/nowsecure.yml +++ b/code-scanning/nowsecure.yml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Build your application run: ./gradlew assembleDebug # Update this to build your Android or iOS application diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index b5aefa4..a6f6aa7 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -25,7 +25,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Ensure a compatible version of dotnet is installed. # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. @@ -33,7 +33,7 @@ jobs: # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped. # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action: # - name: Install .NET - # uses: actions/setup-dotnet@v1 + # uses: actions/setup-dotnet@v2 # with: # dotnet-version: '3.1.x' diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 0604734..cd88c34 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -17,9 +17,9 @@ jobs: pmd-code-scan: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index dfbf452..e70dd96 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml 
@@ -22,7 +22,7 @@ jobs: name: PSScriptAnalyzer runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Run PSScriptAnalyzer uses: microsoft/psscriptanalyzer-action@2044ae068e37d0161fa2127de04c19633882f061 diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 5b11482..07be948 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -33,7 +33,7 @@ jobs: name: Run Prisma Cloud IaC Scan to check steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - id: iac-scan name: Run Scan on CFT files in the repository uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3 diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml index 373d5b6..4ab8001 100644 --- a/code-scanning/rubocop.yml +++ b/code-scanning/rubocop.yml @@ -23,7 +23,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 # If running on a self-hosted runner, check it meets the requirements # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index d63b462..a6bde3a 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -22,7 +22,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0 with: persist-credentials: false @@ -42,7 +42,7 @@ jobs: # Upload the results as artifacts (optional). - name: "Upload artifact" - uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 with: name: SARIF file path: results.sarif diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml index 3063c7a..0b2fa57 100644 --- a/code-scanning/securitycodescan.yml 
+++ b/code-scanning/securitycodescan.yml @@ -21,7 +21,7 @@ jobs: SCS: runs-on: windows-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: nuget/setup-nuget@04b0c2b8d1b97922f67eca497d7cf0bf17b8ffe1 - uses: microsoft/setup-msbuild@v1.0.2 diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index f99d441..86c3647 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -31,7 +31,7 @@ jobs: runs-on: ubuntu-latest steps: # Checkout project source - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Scan code using project's configuration on https://semgrep.dev/manage - uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735 diff --git a/code-scanning/shiftleft.yml b/code-scanning/shiftleft.yml index 48b86d3..d1154d1 100644 --- a/code-scanning/shiftleft.yml +++ b/code-scanning/shiftleft.yml @@ -22,7 +22,7 @@ jobs: # Scan runs on ubuntu, mac and windows runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Instructions # 1. Setup JDK, Node.js, Python etc depending on your project type # 2. Compile or build the project before invoking scan diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index 8ff2c9a..48ccbe9 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml @@ -26,7 +26,7 @@ jobs: snyk: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Build a Docker image run: docker build -t your/image-to-test . - name: Run Snyk to check Docker image for vulnerabilities diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index b79bf34..2799bfc 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml 
@@ -25,7 +25,7 @@ jobs: snyk: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Run Snyk to check configuration files for security issues # Snyk can be used to break the build when it detects security issues. # In this case we want to upload the issues to GitHub Code Scanning diff --git a/code-scanning/stackhawk.yml b/code-scanning/stackhawk.yml index af220c0..64e9b9b 100644 --- a/code-scanning/stackhawk.yml +++ b/code-scanning/stackhawk.yml @@ -49,7 +49,7 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Start your service run: ./your-service.sh & # âœī¸ Update this to run your own service to be scanned diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml index 0c1ff16..c73eb17 100644 --- a/code-scanning/synopsys-io.yml +++ b/code-scanning/synopsys-io.yml @@ -25,7 +25,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Synopsys Intelligent Security Scan id: prescription diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index f9b29fc..92082e5 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Build the Docker image # Tag image to be built diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 479f713..10a77ab 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -24,7 +24,7 @@ jobs: steps: - name: Clone repo - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Run tfsec uses: tfsec/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index 3d5373f..d6633be 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml 
@@ -26,7 +26,7 @@ jobs: runs-on: "ubuntu-18.04" steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Build an image from Dockerfile run: | diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index 073d1b6..2ce3212 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -31,7 +31,7 @@ jobs: steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. Replace this section with your applications build steps - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: repository: '' @@ -41,9 +41,10 @@ jobs: - run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip - run: unzip -o pipeline-scan-LATEST.zip - - uses: actions/setup-java@v1 + - uses: actions/setup-java@v3 with: - java-version: 1.8 + java-version: 8 + distribution: 'temurin' - run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-scan-target.zip continue-on-error: true - name: Convert pipeline scan output to SARIF format diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index dc3c9ce..c20c741 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -50,14 +50,15 @@ jobs: steps: # Check out the repository - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Set up the correct Java version for your project # Please comment out, if your project does not contain Java source code. - name: Set up JDK 11 - uses: actions/setup-java@v1 + uses: actions/setup-java@v3 with: java-version: 11 + distribution: 'temurin' # Compile the code for Java projects and get all libraries, e.g. via Maven # Please adapt, if your project uses another build system to compile Java source code. 
diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index ded9178..841a2fd 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -47,7 +47,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # 1.1 Login to ACR - name: Login to ACR with the AccessKey pair @@ -74,7 +74,7 @@ jobs: tag: "${{ env.TAG }}" # 2.1 (Optional) Login to ACR EE - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Login to ACR EE with the AccessKey pair uses: aliyun/acr-login@v1 with: diff --git a/deployments/aws.yml b/deployments/aws.yml index dab851f..fe5e076 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -49,7 +49,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v1 diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml index 57fe362..c882bde 100644 --- a/deployments/azure-container-webapp.yml +++ b/deployments/azure-container-webapp.yml @@ -40,7 +40,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v1 diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index 506819d..948e7db 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -57,7 +57,7 @@ jobs: runs-on: ubuntu-latest steps: # Checks out the repository this file is in - - uses: actions/checkout@master + - uses: actions/checkout@v3 # Logs in with your Azure credentials - name: Azure login diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index 1d33fe3..7c25319 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml 
@@ -49,7 +49,7 @@ jobs: runs-on: ubuntu-latest steps: # Checks out the repository this file is in - - uses: actions/checkout@master + - uses: actions/checkout@v3 # Logs in with your Azure credentials - name: Azure login diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index 51b7d69..f6928d0 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -55,7 +55,7 @@ jobs: runs-on: ubuntu-latest steps: # Checks out the repository this file is in - - uses: actions/checkout@master + - uses: actions/checkout@v3 # Logs in with your Azure credentials - name: Azure login diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index e61e64e..bb513d4 100644 --- a/deployments/azure-kubernetes-service.yml +++ b/deployments/azure-kubernetes-service.yml @@ -52,7 +52,7 @@ jobs: runs-on: ubuntu-latest steps: # Checks out the repository this file is in - - uses: actions/checkout@master + - uses: actions/checkout@v3 # Logs in with your Azure credentials - name: Azure login diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml index 8e1faf7..becfede 100644 --- a/deployments/azure-staticwebapp.yml +++ b/deployments/azure-staticwebapp.yml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest name: Build and Deploy Job steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: submodules: true - name: Build And Deploy diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index d4690a5..3357dc8 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml 
@@ -35,10 +35,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up .NET Core - uses: actions/setup-dotnet@v1 + uses: actions/setup-dotnet@v2 with: dotnet-version: ${{ env.DOTNET_VERSION }} diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 210fd90..5f58dbf 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -34,10 +34,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Java version - uses: actions/setup-java@v2.3.1 + uses: actions/setup-java@v3.0.0 with: java-version: ${{ env.JAVA_VERSION }} cache: 'maven' diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index b6089d4..c967bdb 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -32,10 +32,10 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Node.js - uses: actions/setup-node@v2 + uses: actions/setup-node@v3 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index f971d1c..04f55f4 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -35,7 +35,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Setup PHP uses: shivammathur/setup-php@7c0b4c8c8ebed23eca9ec2802474895d105b11bc diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 8605e0a..af6a9dd 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml 
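Review bot: In the azure-webapps-java-jar.yml hunk the new line `uses: actions/setup-java@v3.0.0` pins an exact patch tag, while every sibling hunk in this commit moves to a floating major tag (`@v3`); azure-webapps-python.yml does the same with `actions/setup-python@v3.0.0`. An exact patch tag will not pick up later fixes within v3, yet it is still a mutable tag, so it gives no integrity guarantee either, leaving the template with the downsides of both policies. Either use `@v3` for consistency with the rest of the commit, or pin a full commit SHA with a trailing version comment the way scorecards.yml does elsewhere in this same commit, e.g. `uses: actions/setup-java@<FULL_COMMIT_SHA>  # v3.0.0` (placeholder, substitute the release's SHA).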
@@ -34,10 +34,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python version - uses: actions/setup-python@v2.2.2 + uses: actions/setup-python@v3.0.0 with: python-version: ${{ env.PYTHON_VERSION }} cache: 'pip' diff --git a/deployments/google.yml b/deployments/google.yml index 003e53b..6150672 100644 --- a/deployments/google.yml +++ b/deployments/google.yml @@ -38,7 +38,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Configure Workload Identity Federation and generate an access token. - id: 'auth' diff --git a/deployments/ibm.yml b/deployments/ibm.yml index 216b04d..cb3080f 100644 --- a/deployments/ibm.yml +++ b/deployments/ibm.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Download and Install IBM Cloud CLI - name: Install IBM Cloud CLI diff --git a/deployments/openshift.yml b/deployments/openshift.yml index 46ff961..5775cb0 100644 --- a/deployments/openshift.yml +++ b/deployments/openshift.yml @@ -71,7 +71,7 @@ jobs: steps: - name: Check for required secrets - uses: actions/github-script@v4 + uses: actions/github-script@v6 with: script: | const secrets = { @@ -109,7 +109,7 @@ jobs: } - name: Check out repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Determine app name if: env.APP_NAME == '' diff --git a/deployments/tencent.yml b/deployments/tencent.yml index 83bde94..2bf2a68 100644 --- a/deployments/tencent.yml +++ b/deployments/tencent.yml @@ -35,7 +35,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Build - name: Build Docker image diff --git a/deployments/terraform.yml b/deployments/terraform.yml index 589f1f3..96e44e0 100644 --- a/deployments/terraform.yml +++ b/deployments/terraform.yml 
@@ -64,7 +64,7 @@ jobs: steps: # Checkout the repository to the GitHub Actions runner - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token - name: Setup Terraform From d8be55169b88f4cf8f90c7a7fe03f63244b2afb2 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Mon, 21 Mar 2022 11:40:07 -0700 Subject: [PATCH 37/55] add Security Gallery entry for new Dependency Review Action --- dependency-graph/dependency-review.yml | 11 +++++++++++ .../dependency-review.properties.json | 17 +++++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 dependency-graph/dependency-review.yml create mode 100644 dependency-graph/properties/dependency-review.properties.json diff --git a/dependency-graph/dependency-review.yml b/dependency-graph/dependency-review.yml new file mode 100644 index 0000000..6e46018 --- /dev/null +++ b/dependency-graph/dependency-review.yml @@ -0,0 +1,11 @@ +name: 'Dependency Review' +on: [pull_request] + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: 'Checkout Repository' + uses: actions/checkout@v3 + - name: 'Dependency Review' + uses: github/dependency-review-action@main diff --git a/dependency-graph/properties/dependency-review.properties.json b/dependency-graph/properties/dependency-review.properties.json new file mode 100644 index 0000000..e8a14a1 --- /dev/null +++ b/dependency-graph/properties/dependency-review.properties.json @@ -0,0 +1,17 @@ +{ + "name": "Dependency Review", + "creator": "GitHub", + "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", + "iconName": "octicon mark-github", + "categories": [ + "Dependency Graph", + "Dependency Review", + "Go", + "Java", + "JavaScript", + "TypeScript", + "Python", + "Ruby", + "Actions", + "PHP"] +} 
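Review bot: The new dependency-review.properties.json misspells "dependencies" as "depdendencies" in the `description` value, and this string is what the gallery will display verbatim; the typo is still present as context in the later commits that touch this file. The line should read `"description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable dependencies to the repository",`. As a point of style, the closing bracket is fused onto the last array element (`"PHP"]`); putting `]` on its own line matches the formatting of the opening of the array and keeps future additions to a one-line diff.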
From c5111ef87154111daba867bf116825b8848ad936 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Thu, 24 Mar 2022 13:09:18 -0700 Subject: [PATCH 38/55] update org the final, open-sourced DR Action will be hosted under for GA release --- dependency-graph/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-graph/dependency-review.yml b/dependency-graph/dependency-review.yml index 6e46018..8e94ea0 100644 --- a/dependency-graph/dependency-review.yml +++ b/dependency-graph/dependency-review.yml @@ -8,4 +8,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@v3 - name: 'Dependency Review' - uses: github/dependency-review-action@main + uses: actions/dependency-review-action@main From 6537e55e9700a5fa61e5b5f612e4b1efb0251124 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Mon, 28 Mar 2022 10:58:48 -0700 Subject: [PATCH 39/55] post-review: use default "creator" entry: "By GitHub" --- dependency-graph/properties/dependency-review.properties.json | 1 - 1 file changed, 1 deletion(-) diff --git a/dependency-graph/properties/dependency-review.properties.json b/dependency-graph/properties/dependency-review.properties.json index e8a14a1..3ccbf1f 100644 --- a/dependency-graph/properties/dependency-review.properties.json +++ b/dependency-graph/properties/dependency-review.properties.json @@ -1,6 +1,5 @@ { "name": "Dependency Review", - "creator": "GitHub", "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", "iconName": "octicon mark-github", "categories": [ From c3a21a83b2a61aa77fecbf9f85c70d6e6f2ad01a Mon Sep 17 00:00:00 2001 
From: Eli Reisman Date: Mon, 28 Mar 2022 13:33:59 -0700 Subject: [PATCH 40/55] post-review: move DR Action spec and props file into code-scanning/ dir tree temporarily, until maintainers refactor this to security/ --- {dependency-graph => code-scanning}/dependency-review.yml | 0 .../properties/dependency-review.properties.json | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename {dependency-graph => code-scanning}/dependency-review.yml (100%) rename {dependency-graph => code-scanning}/properties/dependency-review.properties.json (100%) diff --git a/dependency-graph/dependency-review.yml b/code-scanning/dependency-review.yml similarity index 100% rename from dependency-graph/dependency-review.yml rename to code-scanning/dependency-review.yml diff --git a/dependency-graph/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json similarity index 100% rename from dependency-graph/properties/dependency-review.properties.json rename to code-scanning/properties/dependency-review.properties.json From 4aa004f885b18219244520462aa3b46af0146cd0 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Mon, 28 Mar 2022 13:39:46 -0700 Subject: [PATCH 41/55] linter: add tags to props file appropriate for code-scanning/ entries (security gallery) --- code-scanning/properties/dependency-review.properties.json | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index 3ccbf1f..3badf40 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json @@ -3,6 +3,8 @@ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", "iconName": "octicon mark-github", "categories": [ + "Code Scanning", + "Automation", "Dependency Graph", "Dependency Review", "Go", 
From 5bd031f3071b0e3ef3c7d0cda4fdc064790c734f Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Mon, 28 Mar 2022 16:50:23 -0700 Subject: [PATCH 42/55] add explanatory comments with links to DR security gallery workflow template file --- code-scanning/dependency-review.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 8e94ea0..c342269 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -1,3 +1,9 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Reqest, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement name: 'Dependency Review' on: [pull_request] From aee1a2083533d8f67f8f771a3671c3cba9de020a Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Mon, 28 Mar 2022 16:57:03 -0700 Subject: [PATCH 43/55] add tigher scoped repo perms to workflow run template file --- code-scanning/dependency-review.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index c342269..eb3a90b 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -7,6 +7,9 @@ name: 'Dependency Review' on: [pull_request] +permissions: + repo: read + jobs: dependency-review: runs-on: ubuntu-latest From cdc592d6034f2f17c52a825dd1b456e6e9e6f576 Mon Sep 17 00:00:00 2001 
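Review bot: The new header comment in PATCH 42 misspells "Pull Request" as "Pull Reqest" and puts the whole description on one line well past the 80/120-column range the other templates keep (compare the wrapped header in rust-clippy.yml at L89). Fix the typo and wrap the paragraph at roughly 80 columns; the comment text itself is otherwise accurate and useful.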
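Review bot: `repo` is not a scope the workflow-level `permissions:` key accepts (the scopes are names such as `contents`, `issues`, `pull-requests`, `security-events`), so a workflow using this template would fail validation before any job runs. What the `actions/checkout@v3` step needs is `contents: read`, which is the exact correction PATCH 44 (L76) applies, so no further change is needed once that patch is included.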
From: Eli Reisman Date: Tue, 29 Mar 2022 08:52:08 -0700 Subject: [PATCH 44/55] update action version used in template to "v1" branch; set perms to "contents: read" --- code-scanning/dependency-review.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index eb3a90b..0e72a00 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -8,7 +8,7 @@ name: 'Dependency Review' on: [pull_request] permissions: - repo: read + contents: read jobs: dependency-review: @@ -17,4 +17,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@v3 - name: 'Dependency Review' - uses: actions/dependency-review-action@main + uses: actions/dependency-review-action@v1 From 10092345c8d227804b7dc9f587d10813d85199c5 Mon Sep 17 00:00:00 2001 From: h0x0er Date: Wed, 30 Mar 2022 15:08:50 +0530 Subject: [PATCH 45/55] fixing conflict --- ci/elixir.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/elixir.yml b/ci/elixir.yml index 5b5aabb..6c76f54 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: From 3fc061974d6849a15c6ddfd7ccb7c16ed93f38c2 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Wed, 30 Mar 2022 12:52:01 -0700 Subject: [PATCH 46/55] remove "Automation" tag from properites file --- code-scanning/properties/dependency-review.properties.json | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index 3badf40..568af90 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json 
@@ -3,10 +3,9 @@ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", "iconName": "octicon mark-github", "categories": [ - "Code Scanning", - "Automation", - "Dependency Graph", "Dependency Review", + "Code Scanning", + "Dependency Graph", "Go", "Java", "JavaScript", From 439bf3cc34005f8b68d877f9bc5e288e491784e3 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Thu, 31 Mar 2022 14:28:28 +0530 Subject: [PATCH 47/55] Change to small case --- code-scanning/properties/dependency-review.properties.json | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index 568af90..e84278c 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json @@ -3,9 +3,8 @@ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", "iconName": "octicon mark-github", "categories": [ - "Dependency Review", - "Code Scanning", - "Dependency Graph", + "Dependency review", + "Dependency graph", "Go", "Java", "JavaScript", From 8d8c6f77d6d743a4b096c8b5b1eee8467552de77 Mon Sep 17 00:00:00 2001 
From: Thomas Boop Date: Thu, 31 Mar 2022 08:24:35 -0400 Subject: [PATCH 48/55] update to v2 --- code-scanning/anchore.yml | 2 +- code-scanning/apisec-scan.yml | 2 +- code-scanning/brakeman.yml | 2 +- code-scanning/checkmarx.yml | 2 +- code-scanning/cloudrail.yml | 2 +- code-scanning/codacy.yml | 2 +- code-scanning/codeql.yml | 6 +++--- code-scanning/codescan.yml | 2 +- code-scanning/detekt.yml | 2 +- code-scanning/devskim.yml | 2 +- code-scanning/flawfinder.yml | 2 +- code-scanning/fortify.yml | 2 +- code-scanning/kubesec.yml | 2 +- code-scanning/mayhem-for-api.yml | 2 +- code-scanning/mobsf.yml | 2 +- code-scanning/msvc.yml | 2 +- code-scanning/njsscan.yml | 2 +- code-scanning/nowsecure.yml | 2 +- code-scanning/ossar.yml | 2 +- code-scanning/pmd.yml | 2 +- code-scanning/powershell.yml | 2 +- code-scanning/prisma.yml | 2 +- code-scanning/rubocop.yml | 2 +- code-scanning/securitycodescan.yml | 2 +- code-scanning/semgrep.yml | 2 +- code-scanning/shiftleft.yml | 2 +- code-scanning/snyk-container.yml | 2 +- code-scanning/snyk-infrastructure.yml | 2 +- code-scanning/synopsys-io.yml | 2 +- code-scanning/sysdig-scan.yml | 2 +- code-scanning/tfsec.yml | 2 +- code-scanning/trivy.yml | 2 +- code-scanning/veracode.yml | 2 +- code-scanning/xanitizer.yml | 2 +- 34 files changed, 36 insertions(+), 36 deletions(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index fcca708..66dd09f 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -40,6 +40,6 @@ jobs: image: "localbuild/testimage:latest" acs-report-enable: true - name: Upload Anchore Scan Report - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 4737d06..5a9b751 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml 
@@ -64,6 +64,6 @@ jobs: # The name of the sarif format result file The file is written only if this property is provided. sarif-result-file: "apisec-results.sarif" - name: Import results - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ./apisec-results.sarif diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index d0b25ac..f54f6e7 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -52,6 +52,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: output.sarif.json diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index d012bce..dc96cde 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -49,6 +49,6 @@ jobs: params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: cx.sarif diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml index 00e270a..dd70bdf 100644 --- a/code-scanning/cloudrail.yml +++ b/code-scanning/cloudrail.yml @@ -50,7 +50,7 @@ jobs: cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 # Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always() # is needed to ensure the SARIF file is uploaded if: always() diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index 4892930..6b0df9e 100644 --- a/code-scanning/codacy.yml 
+++ b/code-scanning/codacy.yml @@ -55,6 +55,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 57b4b69..07b48e7 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -42,7 +42,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@v2 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -53,7 +53,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v1 + uses: github/codeql-action/autobuild@v2 # â„šī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -67,4 +67,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + uses: github/codeql-action/analyze@v2 diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index 5886843..b87586c 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -37,6 +37,6 @@ jobs: organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }} projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: codescan.sarif diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index a8610c3..505e31a 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml 
@@ -111,7 +111,7 @@ jobs: )" > ${{ github.workspace }}/detekt.sarif.json # Uploads results to GitHub repository using the upload-sarif action - - uses: github/codeql-action/upload-sarif@v1 + - uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository sarif_file: ${{ github.workspace }}/detekt.sarif.json diff --git a/code-scanning/devskim.yml b/code-scanning/devskim.yml index 3a5c45f..a435448 100644 --- a/code-scanning/devskim.yml +++ b/code-scanning/devskim.yml @@ -29,6 +29,6 @@ jobs: uses: microsoft/DevSkim-Action@v1 - name: Upload DevSkim scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: devskim-results.sarif diff --git a/code-scanning/flawfinder.yml b/code-scanning/flawfinder.yml index 080953e..179d56f 100644 --- a/code-scanning/flawfinder.yml +++ b/code-scanning/flawfinder.yml @@ -33,6 +33,6 @@ jobs: output: 'flawfinder_results.sarif' - name: Upload analysis results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ${{github.workspace}}/flawfinder_results.sarif \ No newline at end of file diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml index d67d194..1d37bc0 100644 --- a/code-scanning/fortify.yml +++ b/code-scanning/fortify.yml @@ -92,6 +92,6 @@ jobs: # Import Fortify on Demand results to GitHub Security Code Scanning - name: Import Results - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ./gh-fortify-sast.sarif diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml index 1cad70c..ac7085e 100644 --- a/code-scanning/kubesec.yml +++ b/code-scanning/kubesec.yml 
@@ -36,6 +36,6 @@ jobs: exit-code: "0" - name: Upload Kubesec scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: kubesec-results.sarif \ No newline at end of file diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml index 59d66a0..94bdc4a 100644 --- a/code-scanning/mayhem-for-api.yml +++ b/code-scanning/mayhem-for-api.yml @@ -61,6 +61,6 @@ jobs: sarif-report: mapi.sarif - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: mapi.sarif diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index d8eaa92..03aec53 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -37,6 +37,6 @@ jobs: args: . --sarif --output results.sarif || true - name: Upload mobsfscan report - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 0abb409..078399f 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -53,7 +53,7 @@ jobs: # Upload SARIF file to GitHub Code Scanning Alerts - name: Upload SARIF to GitHub - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ${{ steps.run-analysis.outputs.sarif }} diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index a6da087..421aa31 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -36,6 +36,6 @@ jobs: with: args: '. --sarif --output results.sarif || true' - name: Upload njsscan report - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif diff --git a/code-scanning/nowsecure.yml b/code-scanning/nowsecure.yml index 92126bd..161c786 100644 --- a/code-scanning/nowsecure.yml +++ b/code-scanning/nowsecure.yml 
@@ -47,6 +47,6 @@ jobs: group_id: {{ groupId }} # Update this to your desired Platform group ID - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: NowSecure.sarif diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index b5aefa4..b3d5b39 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -44,6 +44,6 @@ jobs: # Upload results to the Security tab - name: Upload OSSAR results - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ${{ steps.ossar.outputs.sarifFile }} diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 0604734..e4702d8 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -31,6 +31,6 @@ jobs: sourcePath: 'src/main/java' analyzeModifiedFilesOnly: false - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: pmd-report.sarif diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index dfbf452..5252cf0 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -37,6 +37,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 5b11482..729cbac 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -48,7 +48,7 @@ jobs: # The service need to know the type of IaC being scanned template_type: 'CFT' - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 # Results are generated only on a success or failure # this is required since GitHub by default won't run the next step # when the previous one has failed. 
diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml index 373d5b6..8f32c73 100644 --- a/code-scanning/rubocop.yml +++ b/code-scanning/rubocop.yml @@ -47,6 +47,6 @@ jobs: " - name: Upload Sarif output - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: rubocop.sarif diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml index 3063c7a..471c216 100644 --- a/code-scanning/securitycodescan.yml +++ b/code-scanning/securitycodescan.yml @@ -38,4 +38,4 @@ jobs: uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687 - name: Upload sarif - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index f99d441..f88ad21 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -42,7 +42,7 @@ jobs: # Upload SARIF file generated in previous step - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: semgrep.sarif if: always() diff --git a/code-scanning/shiftleft.yml b/code-scanning/shiftleft.yml index 48b86d3..552bc99 100644 --- a/code-scanning/shiftleft.yml +++ b/code-scanning/shiftleft.yml @@ -42,6 +42,6 @@ jobs: # type: python - name: Upload report - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: reports diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index 8ff2c9a..d0a95bf 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml @@ -43,6 +43,6 @@ jobs: image: your/image-to-test args: --file=Dockerfile - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: snyk.sarif 
diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index b79bf34..ee4723d 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml @@ -42,6 +42,6 @@ jobs: # or `main.tf` for a Terraform configuration file file: your-file-to-test.yaml - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: snyk.sarif diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml index 0c1ff16..e320303 100644 --- a/code-scanning/synopsys-io.yml +++ b/code-scanning/synopsys-io.yml @@ -71,7 +71,7 @@ jobs: - name: Upload SARIF file if: ${{steps.prescription.outputs.sastScan == 'true' }} - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository sarif_file: workflowengine-results.sarif.json diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index f9b29fc..0b5af83 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -54,7 +54,7 @@ jobs: # Sysdig inline scanner requires privileged rights run-as-user: root - - uses: github/codeql-action/upload-sarif@v1 + - uses: github/codeql-action/upload-sarif@v2 #Upload SARIF file if: always() with: diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 479f713..275bf45 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -32,7 +32,7 @@ jobs: sarif_file: tfsec.sarif - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository sarif_file: tfsec.sarif diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index 3d5373f..3bb0b1c 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml 
@@ -42,6 +42,6 @@ jobs: severity: 'CRITICAL,HIGH' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: 'trivy-results.sarif' diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index 073d1b6..c764551 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -51,7 +51,7 @@ jobs: uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be with: pipeline-results-json: results.json - - uses: github/codeql-action/upload-sarif@v1 + - uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository sarif_file: veracode-results.sarif diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index dc3c9ce..ec0019a 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -87,6 +87,6 @@ jobs: *-Findings-List.sarif # Uploads the findings into the GitHub code scanning alert section using the upload-sarif action - - uses: github/codeql-action/upload-sarif@v1 + - uses: github/codeql-action/upload-sarif@v2 with: sarif_file: Xanitizer-Findings-List.sarif From 24a0860545c9fb8bc75902a3944350e15b2ca893 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Thu, 31 Mar 2022 10:34:19 -0700 Subject: [PATCH 49/55] fix broken build due to missing required category --- code-scanning/properties/dependency-review.properties.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index e84278c..57ca502 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json 
@@ -3,8 +3,9 @@ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", "iconName": "octicon mark-github", "categories": [ - "Dependency review", - "Dependency graph", + "Code Scanning", + "Dependency Review", + "Dependency Graph", "Go", "Java", "JavaScript", From dbba84eb877092dade4cc207fe0f2721d9ed60f2 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 1 Apr 2022 10:03:32 +0530 Subject: [PATCH 50/55] revert back to "Dependency review" category The CI test needs to be fixed and not the other way round. --- code-scanning/properties/dependency-review.properties.json | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index 57ca502..e84278c 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json @@ -3,9 +3,8 @@ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", "iconName": "octicon mark-github", "categories": [ - "Code Scanning", - "Dependency Review", - "Dependency Graph", + "Dependency review", + "Dependency graph", "Go", "Java", "JavaScript", From d629c82ad7b53ccd396ab5ca9f8b97bf9a67ca68 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 1 Apr 2022 10:04:38 +0530 Subject: [PATCH 51/55] Include "Dependency review" in allowed categories --- script/validate-data/settings.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index ce89e36..ef8ee60 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json @@ -9,6 +9,7 @@ "Continuous integration", "Deployment", "Code Scanning", + "Dependency review", "Automation" ] -} \ No newline at end of file +} 
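Review bot: The allowed-category list in settings.json now mixes casings ("Code Scanning" next to "Dependency review"), which is exactly what drove the flip-flop between "Dependency Review"/"Dependency review" in PATCH 47, 49 and 50 on this same line. Settle on one casing convention for the list, or have the validator compare case-insensitively if its code (not on this page) permits. While in the properties file, the context line `"description": "... vulnerable depdendencies to the repository"` still carries the typo "depdendencies" → "dependencies".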
From cca97c83b88349992531d905e3456a9227e2a391 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Sat, 9 Apr 2022 01:28:14 -0700 Subject: [PATCH 52/55] Add rust-clippy starter workflow (#1462) * Add rust-clippy starter workflow * fix parameter `wait-for-processing` indent of action github/codeql-action/upload-sarif@v1 * Use commit sha instead of tag * addressing pr comments * Update creator * Add comments --- .../properties/rust-clippy.properties.json | 10 ++++ code-scanning/rust-clippy.yml | 54 +++++++++++++++++++ 2 files changed, 64 insertions(+) create mode 100644 code-scanning/properties/rust-clippy.properties.json create mode 100644 code-scanning/rust-clippy.yml diff --git a/code-scanning/properties/rust-clippy.properties.json b/code-scanning/properties/rust-clippy.properties.json new file mode 100644 index 0000000..ea5c871 --- /dev/null +++ b/code-scanning/properties/rust-clippy.properties.json @@ -0,0 +1,10 @@ +{ + "name": "rust-clippy", + "creator": "Rust", + "description": "A collection of lints to catch common mistakes and improve your Rust code.", + "iconName": "rust", + "categories": [ + "Code Scanning", + "rust" + ] +} \ No newline at end of file diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml new file mode 100644 index 0000000..e9c426a --- /dev/null +++ b/code-scanning/rust-clippy.yml 
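Review bot: The new rust-clippy.properties.json uses the language category `"rust"` in lower case, whereas the language categories elsewhere in this series are capitalised (`"Go"`, `"Java"`, `"JavaScript"` at L77), so `"Rust"` would be consistent. The file is also committed without a trailing newline (`\ No newline at end of file`), which PATCH 51 just fixed for settings.json; add the final newline here too.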
@@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# rust-clippy is a tool that runs a bunch of lints to catch common +# mistakes in your Rust code and help improve your Rust code. +# More details at https://github.com/rust-lang/rust-clippy +# and https://rust-lang.github.io/rust-clippy/ + +name: rust-clippy analyze + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + rust-clippy-analyze: + name: Run rust-clippy analyzing + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Install Rust toolchain + uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af #@v1 + with: + profile: minimal + toolchain: stable + components: clippy + override: true + + - name: Install required cargo + run: cargo install clippy-sarif sarif-fmt + + - name: Run rust-clippy + run: + cargo clippy + --all-features + --message-format=json | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: rust-clippy-results.sarif + wait-for-processing: true \ No newline at end of file From 769950ce816c2f79f8df05cf138640f9aa08625d Mon Sep 17 00:00:00 2001 
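Review bot: The final step uses `github/codeql-action/upload-sarif@v1`, the major version that PATCH 48 (L78–L86) just moved every other code-scanning template off; the new file should use `uses: github/codeql-action/upload-sarif@v2`, and `actions/checkout@v2` likewise lags the `@v3` the other templates use. `run: cargo install clippy-sarif sarif-fmt` installs whatever the latest crate versions are at run time, so the SARIF conversion step is an unpinned build-time dependency; pin each with `cargo install --version <pinned-version> clippy-sarif` (and the same for sarif-fmt) or at least `--locked`. The `Run rust-clippy` step writes its command as a plain multi-line scalar under `run:`, which only works because YAML folds the lines with spaces; write it explicitly as `run: >-` so the folding is intentional. With `continue-on-error: true` on that step and the clippy exit status hidden behind the `| clippy-sarif | tee ... | sarif-fmt` pipeline, a clippy crash still leaves the job green with an empty or partial SARIF; consider dropping `continue-on-error` or using `-D warnings` only where failing the job is desired, and note that for private repositories upload-sarif's documentation also lists `actions: read` alongside the `security-events: write` declared here.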
From: Sampark Sharma Date: Sun, 10 Apr 2022 17:20:15 +0530 Subject: [PATCH 53/55] Removing code-scanning/shiftleft as per author request (#1513) Co-authored-by: Bishal Prasad --- .../properties/shiftleft.properties.json | 7 --- code-scanning/shiftleft.yml | 47 ------------------- icons/shiftleft.svg | 6 --- 3 files changed, 60 deletions(-) delete mode 100644 code-scanning/properties/shiftleft.properties.json delete mode 100644 code-scanning/shiftleft.yml delete mode 100644 icons/shiftleft.svg diff --git a/code-scanning/properties/shiftleft.properties.json b/code-scanning/properties/shiftleft.properties.json deleted file mode 100644 index 1cb36c9..0000000 --- a/code-scanning/properties/shiftleft.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Scan", - "creator": "ShiftLeft", - "description": "Scan is a free open-source security tool for modern DevOps teams from ShiftLeft.", - "iconName": "shiftleft", - "categories": ["Code Scanning"] -} \ No newline at end of file diff --git a/code-scanning/shiftleft.yml b/code-scanning/shiftleft.yml deleted file mode 100644 index b042670..0000000 --- a/code-scanning/shiftleft.yml +++ /dev/null 
@@ -1,47 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow integrates Scan with GitHub's code scanning feature -# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft -# Visit https://slscan.io/en/latest/integrations/code-scan for help -name: SL Scan - -on: - push: - branches: [ $default-branch, $protected-branches ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ $default-branch ] - schedule: - - cron: $cron-weekly - -jobs: - Scan-Build: - # Scan runs on ubuntu, mac and windows - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - # Instructions - # 1. Setup JDK, Node.js, Python etc depending on your project type - # 2. Compile or build the project before invoking scan - # Example: mvn compile, or npm install or pip install goes here - # 3. Invoke Scan with the github token. Leave the workspace empty to use relative url - - - name: Perform Scan - uses: ShiftLeftSecurity/scan-action@39af9e54bc599c8077e710291d790175c9231f64 - env: - WORKSPACE: "" - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SCAN_AUTO_BUILD: true - with: - output: reports - # Scan auto-detects the languages in your project. To override uncomment the below variable and set the type - # type: credscan,java - # type: python - - - name: Upload report - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: reports diff --git a/icons/shiftleft.svg b/icons/shiftleft.svg deleted file mode 100644 index f8e944a..0000000 --- a/icons/shiftleft.svg +++ /dev/null @@ -1,6 +0,0 @@ - - - - - - From 31b35634e10474dd37c3d2929577d2778e781cbf Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Martin=20Andr=C3=A9?= Date: Sun, 10 Apr 2022 15:07:11 +0200 Subject: [PATCH 54/55] Fix pull request trigger in greetings.yml (#1518) --- automation/greetings.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/automation/greetings.yml b/automation/greetings.yml index ee1cb11..18ba13f 100644 --- a/automation/greetings.yml +++ b/automation/greetings.yml @@ -1,6 +1,6 @@ name: Greetings -on: [pull_request, issues] +on: [pull_request_target, issues] jobs: greeting: From d80712faf41487f0d71d06018ec3bae11b859987 Mon Sep 17 00:00:00 2001 From: Anthony Roussel Date: Sun, 10 Apr 2022 15:29:47 +0200 Subject: [PATCH 55/55] Disable Terraform interactive prompts during apply & plan (#1467) --- deployments/terraform.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/terraform.yml b/deployments/terraform.yml index 96e44e0..6142d2c 100644 --- a/deployments/terraform.yml +++ b/deployments/terraform.yml @@ -82,10 +82,10 @@ jobs: # Generates an execution plan for Terraform - name: Terraform Plan - run: terraform plan + run: terraform plan -input=false # On push to $default-branch, build or change infrastructure according to Terraform configuration files # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks - name: Terraform Apply if: github.ref == 'refs/heads/$default-branch' && github.event_name == 'push' - run: terraform apply -auto-approve + run: terraform apply -auto-approve -input=false
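Review bot: Switching `on:` to `pull_request_target` means runs triggered by fork pull requests now execute in the base repository's context with a write-capable `GITHUB_TOKEN` and access to repository secrets; that is what lets the greeter comment on fork PRs, but it also makes this workflow a high-value target if it ever checks out or executes PR head content. The `greeting` job body is outside the hunk, so this cannot be confirmed here; the template should at minimum declare the least-privilege block the other templates in this series received, e.g. `permissions:` with `issues: write` and `pull-requests: write`, and the job should never run `actions/checkout` against the PR head or invoke anything from the incoming branch.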