From eeb84c9ae6f1844ca670440d5e8259830defcdfd Mon Sep 17 00:00:00 2001 From: Abir Majumdar Date: Thu, 28 Oct 2021 10:55:20 -0400 Subject: [PATCH 01/45] Adding Psalm PHP scanning to Starter Workflows --- .../properties/psalm.properties.json | 10 +++++++ code-scanning/psalm.yml | 30 +++++++++++++++++++ icons/psalm.svg | 23 ++++++++++++++ 3 files changed, 63 insertions(+) create mode 100644 code-scanning/properties/psalm.properties.json create mode 100644 code-scanning/psalm.yml create mode 100644 icons/psalm.svg diff --git a/code-scanning/properties/psalm.properties.json b/code-scanning/properties/psalm.properties.json new file mode 100644 index 0000000..711fd39 --- /dev/null +++ b/code-scanning/properties/psalm.properties.json @@ -0,0 +1,10 @@ +{ + "name": "Psalm Security Scan", + "creator": "psalm", + "description": "Psalm is a static analysis tool for finding errors in PHP applications", + "iconName": "mobsf", + "categories": [ + "Code Scanning", + "PHP" + ] +} \ No newline at end of file diff --git a/code-scanning/psalm.yml b/code-scanning/psalm.yml new file mode 100644 index 0000000..b4c7aba --- /dev/null +++ b/code-scanning/psalm.yml @@ -0,0 +1,30 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Psalm Security Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + php-security: + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Psalm Security Scan + uses: psalm/psalm-github-security-scan@f3e6fd9432bc3e44aec078572677ce9d2ef9c287 + + - name: Upload Security Analysis results to GitHub + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif \ No newline at end of file diff --git a/icons/psalm.svg b/icons/psalm.svg new file mode 100644 index 0000000..3533e2d --- /dev/null +++ b/icons/psalm.svg @@ -0,0 +1,23 @@ + + + + + + + + + + + + + + + + + + + + + + + From ec35be8871f419348e0b448a3a5a5e2987287522 Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Wed, 10 Nov 2021 11:31:39 -0500 Subject: [PATCH 02/45] Update psalm.properties.json --- code-scanning/properties/psalm.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/psalm.properties.json b/code-scanning/properties/psalm.properties.json index 711fd39..cba67b4 100644 --- a/code-scanning/properties/psalm.properties.json +++ b/code-scanning/properties/psalm.properties.json @@ -2,9 +2,9 @@ "name": "Psalm Security Scan", "creator": "psalm", "description": "Psalm is a static analysis tool for finding errors in PHP applications", - "iconName": "mobsf", + "iconName": "psalm", "categories": [ "Code Scanning", "PHP" ] -} \ No newline at end of file +} From f35be5c494bbd11675293a19c91e471191d9d66d Mon Sep 17 00:00:00 2001 From: Emmanuel Roullit Date: Fri, 27 Jan 2023 13:58:39 +0100 Subject: [PATCH 03/45] icon: refresh psalm logo Signed-off-by: Emmanuel Roullit --- icons/psalm.svg | 24 +----------------------- 1 file changed, 1 insertion(+), 23 deletions(-) diff --git a/icons/psalm.svg b/icons/psalm.svg index 3533e2d..fd9d347 100644 --- a/icons/psalm.svg +++ b/icons/psalm.svg @@ -1,23 +1 @@ - - - - - - - - - - - - - - - - - - - - - - - + \ No newline at end of file From ac13a846c956442df592a674cac09e7208c1ed3e Mon Sep 17 00:00:00 2001 From: Emmanuel Roullit Date: Fri, 27 Jan 2023 14:04:26 +0100 Subject: [PATCH 04/45] ci: remove trailing whitespaces Signed-off-by: Emmanuel Roullit --- code-scanning/properties/psalm.properties.json | 2 +- code-scanning/psalm.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/code-scanning/properties/psalm.properties.json b/code-scanning/properties/psalm.properties.json index cba67b4..381a312 100644 --- a/code-scanning/properties/psalm.properties.json +++ b/code-scanning/properties/psalm.properties.json @@ -4,7 +4,7 @@ "description": "Psalm is a static analysis tool for finding errors in PHP applications", "iconName": "psalm", "categories": [ - "Code Scanning", + "Code Scanning", "PHP" ] } diff --git a/code-scanning/psalm.yml b/code-scanning/psalm.yml index b4c7aba..d6226a1 100644 --- a/code-scanning/psalm.yml +++ b/code-scanning/psalm.yml @@ -9,21 +9,21 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ $default-branch ] + branches: [ $default-branch ] schedule: - cron: $cron-weekly jobs: php-security: runs-on: ubuntu-latest - + steps: - name: Checkout code uses: actions/checkout@v2 - name: Psalm Security Scan uses: psalm/psalm-github-security-scan@f3e6fd9432bc3e44aec078572677ce9d2ef9c287 - + - name: Upload Security Analysis results to GitHub uses: github/codeql-action/upload-sarif@v1 with: From f07709949e75d13e1511700953273eb80da4635c Mon Sep 17 00:00:00 2001 From: Emmanuel Roullit Date: Fri, 27 Jan 2023 14:13:04 +0100 Subject: [PATCH 05/45] ci: restrict starter workflow permissions Signed-off-by: Emmanuel Roullit --- code-scanning/psalm.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/code-scanning/psalm.yml b/code-scanning/psalm.yml index d6226a1..d35787e 100644 --- a/code-scanning/psalm.yml +++ b/code-scanning/psalm.yml @@ -9,13 +9,21 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: + # The branches below must be a subset of the branches above branches: [ $default-branch ] schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: php-security: runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code @@ -27,4 +35,4 @@ jobs: - name: Upload Security Analysis results to GitHub uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: results.sarif \ No newline at end of file + sarif_file: results.sarif From 3a818c491024917b28e503cbac0e1aa1d07a8fbd Mon Sep 17 00:00:00 2001 From: Emmanuel Roullit Date: Fri, 27 Jan 2023 14:13:37 +0100 Subject: [PATCH 06/45] ci: bump github actions version Signed-off-by: Emmanuel Roullit --- code-scanning/psalm.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/psalm.yml b/code-scanning/psalm.yml index d35787e..1e88766 100644 --- a/code-scanning/psalm.yml +++ b/code-scanning/psalm.yml @@ -27,12 +27,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Psalm Security Scan uses: psalm/psalm-github-security-scan@f3e6fd9432bc3e44aec078572677ce9d2ef9c287 - name: Upload Security Analysis results to GitHub - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif From c26da3749c8d37900fd0ac34b90056670424a926 Mon Sep 17 00:00:00 2001 From: ElizabethBarrord Date: Thu, 2 Feb 2023 17:31:49 +0000 Subject: [PATCH 07/45] adding credo workflow --- code-scanning/credo.yml | 60 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 code-scanning/credo.yml diff --git a/code-scanning/credo.yml b/code-scanning/credo.yml new file mode 100644 index 0000000..f69159b --- /dev/null +++ b/code-scanning/credo.yml @@ -0,0 +1,60 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + + +# Credo is a static code analysis tool for the Elixir language with a focus on teaching and code consistency. +# https://github.com/rrrene/credo +# +# To use this workflow, you must have GitHub Advanced Security (GHAS) enabled for your repository. +# +# Instructions: +# 1. Add :credo as a dependency to your project's mix.exs with version ~> 1.7.0-rc.1 - https://github.com/rrrene/credo#installation-and-usage +# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository +# and review the "Security" tab once the action has run. + +name: Credo + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + otp: [version] + elixir: [version] + steps: + - uses: actions/checkout@v3 + - uses: erlef/setup-beam@v1 + with: + otp-version: ${{matrix.otp}} + elixir-version: ${{matrix.elixir}} + - name: get dependencies + run: mix deps.get + - name: compile dependencies + run: mix deps.compile + - name: compile + run: mix compile + - name: credo-scan + run: mix credo --format=sarif > credo_output.sarif + - name: upload sarif + uses: github/codeql-action/upload-sarif@v2 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: credo_output.sarif From 77bc6e809fc1431ae3f609be5f4c35b63a5964d0 Mon Sep 17 00:00:00 2001 From: ElizabethBarrord Date: Wed, 22 Feb 2023 15:39:47 +0000 Subject: [PATCH 08/45] add credo properties --- code-scanning/properties/credo.properties.json | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 code-scanning/properties/credo.properties.json diff --git a/code-scanning/properties/credo.properties.json b/code-scanning/properties/credo.properties.json new file mode 100644 index 0000000..3a86a10 --- /dev/null +++ b/code-scanning/properties/credo.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Credo Scan", + "creator": "Credo", + "description": "Credo is a static code analysis tool for the Elixir language with a focus on teaching and code consistency.", + "categories": ["Code Scanning", "Elixir"] +} \ No newline at end of file From f5cfb3ea9c17d9f3031dc88a7b065108653916e8 Mon Sep 17 00:00:00 2001 From: ElizabethBarrord Date: Tue, 7 Mar 2023 14:52:54 -0600 Subject: [PATCH 09/45] Update code-scanning/credo.yml Co-authored-by: Sampark Sharma --- code-scanning/credo.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/credo.yml b/code-scanning/credo.yml index f69159b..7861c02 100644 --- a/code-scanning/credo.yml +++ b/code-scanning/credo.yml @@ -33,6 +33,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest strategy: fail-fast: false From 07c72062df203ca1bd7062f410eaeaf37992e0b1 Mon Sep 17 00:00:00 2001 From: ElizabethBarrord Date: Tue, 7 Mar 2023 20:56:57 +0000 Subject: [PATCH 10/45] adding commit sha to for action --- code-scanning/credo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/credo.yml b/code-scanning/credo.yml index 7861c02..9a77881 100644 --- a/code-scanning/credo.yml +++ b/code-scanning/credo.yml @@ -42,7 +42,7 @@ jobs: elixir: [version] steps: - uses: actions/checkout@v3 - - uses: erlef/setup-beam@v1 + - uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f with: otp-version: ${{matrix.otp}} elixir-version: ${{matrix.elixir}} From 19a9f5df85afdfd434d0d1cbec9b033e4feb9b8c Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Thu, 9 Mar 2023 13:49:38 -0500 Subject: [PATCH 11/45] Add runner size docs --- code-scanning/codeql.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index f0c3beb..79a4a7c 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -23,6 +23,11 @@ on: jobs: analyze: name: Analyze + # Runner size impacts CodeQL analysis time. Please see: + # https://gh.io/recommended-hardware-resources-for-running-codeql + # https://gh.io/supported-runners-and-hardware-resources + # https://gh.io/using-larger-runners + # to learn more. runs-on: ubuntu-latest permissions: actions: read From fc5ffa2714ad1088b5c57c94e31093aaeeb0f592 Mon Sep 17 00:00:00 2001 From: ElizabethBarrord Date: Fri, 24 Mar 2023 14:14:25 +0000 Subject: [PATCH 12/45] removed whitespace --- code-scanning/credo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/credo.yml b/code-scanning/credo.yml index 9a77881..c1fb8d1 100644 --- a/code-scanning/credo.yml +++ b/code-scanning/credo.yml @@ -46,7 +46,7 @@ jobs: with: otp-version: ${{matrix.otp}} elixir-version: ${{matrix.elixir}} - - name: get dependencies + - name: get dependencies run: mix deps.get - name: compile dependencies run: mix deps.compile From b9b82275918a75a68714fe4edda0810552a65e23 Mon Sep 17 00:00:00 2001 From: Issy Long Date: Tue, 11 Apr 2023 15:40:06 +0100 Subject: [PATCH 13/45] Add Swift to the list of CodeQL-supported languages - This is in public beta. --- code-scanning/properties/codeql.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index f5e78bf..8aaa8f5 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -2,7 +2,7 @@ "name": "CodeQL Analysis", "creator": "GitHub", "enterprise": true, - "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, Ruby and Kotlin developers.", + "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, Ruby, Kotlin and Swift developers.", "iconName": "octicon mark-github", - "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby", "Kotlin"] + "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby", "Kotlin", "Swift"] } From 73f69c4600dd494bc6311ba2c4c2e362e25fde2f Mon Sep 17 00:00:00 2001 From: Aditya Sharad <6874315+adityasharad@users.noreply.github.com> Date: Mon, 17 Apr 2023 12:06:44 -0700 Subject: [PATCH 14/45] CodeQL: Run on macOS by default if the target language is Swift CodeQL Swift analysis is best supported on macOS. In preparation for CodeQL supporting Swift analysis in beta, adjust the CodeQL starter workflow template to run the `swift` matrix job on `macos-latest`, and all other matrix jobs on `ubuntu-latest`. This does not affect the matrix itself. --- code-scanning/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index f0c3beb..bd394ae 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -23,7 +23,7 @@ on: jobs: analyze: name: Analyze - runs-on: ubuntu-latest + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} permissions: actions: read contents: read @@ -51,7 +51,7 @@ jobs: # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. - # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs # queries: security-extended,security-and-quality From d4482bb5829c32e2d0803b022eebc6f0280c4649 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 18 Apr 2023 20:55:06 +0000 Subject: [PATCH 15/45] Bump actions/stale from 7 to 8 Bumps [actions/stale](https://github.com/actions/stale) from 7 to 8. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/v7...v8) --- updated-dependencies: - dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/stale.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 0cae015..ecdf037 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/stale@v7 + - uses: actions/stale@v8 with: stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.' stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.' From f6b2d354a2ab0113314ab63a77d94d6532475e47 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 18 Apr 2023 20:56:17 +0000 Subject: [PATCH 16/45] Bump peter-evans/close-issue from 2 to 3 Bumps [peter-evans/close-issue](https://github.com/peter-evans/close-issue) from 2 to 3. - [Release notes](https://github.com/peter-evans/close-issue/releases) - [Commits](https://github.com/peter-evans/close-issue/compare/v2...v3) --- updated-dependencies: - dependency-name: peter-evans/close-issue dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/label-feature.yml | 2 +- .github/workflows/label-support.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/label-feature.yml b/.github/workflows/label-feature.yml index 122caac..aaf1e7e 100644 --- a/.github/workflows/label-feature.yml +++ b/.github/workflows/label-feature.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Close Issue - uses: peter-evans/close-issue@v2 + uses: peter-evans/close-issue@v3 if: contains(github.event.issue.labels.*.name, 'feature') with: comment: | diff --git a/.github/workflows/label-support.yml b/.github/workflows/label-support.yml index e762afc..639ae0a 100644 --- a/.github/workflows/label-support.yml +++ b/.github/workflows/label-support.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Close Issue - uses: peter-evans/close-issue@v2 + uses: peter-evans/close-issue@v3 if: contains(github.event.issue.labels.*.name, 'support') with: comment: | From d841affe4c5e9554c36059bf0b297818f4778a16 Mon Sep 17 00:00:00 2001 From: Trevor Blanarik Date: Mon, 24 Apr 2023 15:53:48 +0000 Subject: [PATCH 17/45] corrects the syntax for so that the array is inline --- deployments/azure-functions-app-container.yml | 3 +-- deployments/azure-functions-app-dotnet.yml | 3 +-- deployments/azure-functions-app-java-gradle.yml | 3 +-- deployments/azure-functions-app-java.yml | 3 +-- deployments/azure-functions-app-nodejs.yml | 3 +-- deployments/azure-functions-app-powershell.yml | 3 +-- deployments/azure-functions-app-python.yml | 3 +-- 7 files changed, 7 insertions(+), 14 deletions(-) diff --git a/deployments/azure-functions-app-container.yml b/deployments/azure-functions-app-container.yml index 7b438be..1173b95 100644 --- a/deployments/azure-functions-app-container.yml +++ b/deployments/azure-functions-app-container.yml @@ -21,8 +21,7 @@ name: Deploy container to Azure Functions App on: push: - branches: - - [$default-branch] + branches: [$default-branch] permissions: contents: read diff --git a/deployments/azure-functions-app-dotnet.yml b/deployments/azure-functions-app-dotnet.yml index 8b2c23b..824614e 100644 --- a/deployments/azure-functions-app-dotnet.yml +++ b/deployments/azure-functions-app-dotnet.yml @@ -20,8 +20,7 @@ name: Deploy DotNet project to Azure Function App on: push: - branches: - - [$default-branch] + branches: [$default-branch] env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure diff --git a/deployments/azure-functions-app-java-gradle.yml b/deployments/azure-functions-app-java-gradle.yml index 69f6343..36c50b8 100644 --- a/deployments/azure-functions-app-java-gradle.yml +++ b/deployments/azure-functions-app-java-gradle.yml @@ -20,8 +20,7 @@ name: Deploy Gradle Java project to Azure Function App on: push: - branches: - - [$default-branch] + branches: [$default-branch] permissions: contents: read diff --git a/deployments/azure-functions-app-java.yml b/deployments/azure-functions-app-java.yml index 0774544..5608328 100644 --- a/deployments/azure-functions-app-java.yml +++ b/deployments/azure-functions-app-java.yml @@ -20,8 +20,7 @@ name: Deploy Java project to Azure Function App on: push: - branches: - - [$default-branch] + branches: [$default-branch] env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure diff --git a/deployments/azure-functions-app-nodejs.yml b/deployments/azure-functions-app-nodejs.yml index b8033f0..916f396 100644 --- a/deployments/azure-functions-app-nodejs.yml +++ b/deployments/azure-functions-app-nodejs.yml @@ -22,8 +22,7 @@ name: Deploy Node.js project to Azure Function App on: push: - branches: - - [$default-branch] + branches: [$default-branch] env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure diff --git a/deployments/azure-functions-app-powershell.yml b/deployments/azure-functions-app-powershell.yml index 505b5af..5d62316 100644 --- a/deployments/azure-functions-app-powershell.yml +++ b/deployments/azure-functions-app-powershell.yml @@ -20,8 +20,7 @@ name: Deploy PowerShell project to Azure Function App on: push: - branches: - - [$default-branch] + branches: [$default-branch] env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure diff --git a/deployments/azure-functions-app-python.yml b/deployments/azure-functions-app-python.yml index 0220227..6452a18 100644 --- a/deployments/azure-functions-app-python.yml +++ b/deployments/azure-functions-app-python.yml @@ -20,8 +20,7 @@ name: Deploy Python project to Azure Function App on: push: - branches: - - [$default-branch] + branches: [$default-branch] env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure From 2f530b0cd479c1e07141f409afdd623b43179869 Mon Sep 17 00:00:00 2001 From: Stephen Chudleigh Date: Wed, 26 Apr 2023 01:21:31 -0700 Subject: [PATCH 18/45] Update elixir.yml Fixes the build error on the default build action and updates the Erlang/Elixir versions. --- ci/elixir.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/elixir.yml b/ci/elixir.yml index 371ff24..9890efd 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -23,10 +23,10 @@ jobs: steps: - uses: actions/checkout@v3 - name: Set up Elixir - uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f + uses: erlef/setup-beam@v1 with: - elixir-version: '1.12.3' # Define the elixir version [required] - otp-version: '24.1' # Define the OTP version [required] + elixir-version: '1.14.4' # Define the elixir version [required] + otp-version: '25.3' # Define the OTP version [required] - name: Restore dependencies cache uses: actions/cache@v3 with: From 4c95f1b7e49b61adcfe16b906abc6955919baa4e Mon Sep 17 00:00:00 2001 From: Leo Kettmeir Date: Wed, 3 May 2023 12:17:51 +0200 Subject: [PATCH 19/45] Update denoland/setup-deno workflow --- ci/deno.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/deno.yml b/ci/deno.yml index 5ee940d..c48292e 100644 --- a/ci/deno.yml +++ b/ci/deno.yml @@ -27,7 +27,7 @@ jobs: - name: Setup Deno # uses: denoland/setup-deno@v1 - uses: denoland/setup-deno@9db7f66e8e16b5699a514448ce994936c63f0d54 + uses: denoland/setup-deno@61fe2df320078202e33d7d5ad347e7dcfa0e8f31 with: deno-version: v1.x From b54241071aa42253f58aefd5d960e98471d97f37 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Batuhan=20Apayd=C4=B1n?= Date: Mon, 15 May 2023 21:44:39 +0300 Subject: [PATCH 20/45] use intermediate environment variables to avoid risks of script injection MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Batuhan Apaydın --- ci/docker-publish.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index d57b2f1..4aaca04 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -41,10 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 + uses: sigstore/cosign-installer@03d0fecf172873164a163bbc64bed0f3bf114ed7 #v3.4.0 with: - cosign-release: 'v1.13.1' - + cosign-release: 'v2.0.2' # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx @@ -90,7 +89,9 @@ jobs: - name: Sign the published Docker image if: ${{ github.event_name != 'pull_request' }} env: - COSIGN_EXPERIMENTAL: "true" + # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable + TAGS: ${{ steps.meta.outputs.tags }} + DIGEST: ${{ steps.build-and-push.outputs.digest }} # This step uses the identity token to provision an ephemeral certificate # against the sigstore community Fulcio instance. - run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} + run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} From b015c848b62afa863d3f5607a61b1604ee66ebea Mon Sep 17 00:00:00 2001 From: Aditya Sharad <6874315+adityasharad@users.noreply.github.com> Date: Mon, 22 May 2023 10:10:15 -0700 Subject: [PATCH 21/45] CodeQL: Reduce job timeout to 2h if the target language is Swift Some projects observed intermittent build timeouts with Swift. In case this happens, and our CodeQL-level mitigations do not prevent the problem, we want to avoid using up 6h of the customer's billed macOS Actions minutes (which is the default timeout), so we suggest a reduced timeout of 2h. This value is chosen to accommodate the total job time (build + CodeQL extraction + CodeQL analysis) we expect for large Swift projects. We may choose to adjust it in future. --- code-scanning/codeql.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index bd394ae..e901a24 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -24,6 +24,7 @@ jobs: analyze: name: Analyze runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} permissions: actions: read contents: read From ee518ae76c27a9700e06499dd8f8c1c99d6d0316 Mon Sep 17 00:00:00 2001 From: Beth Brennan <34719884+elbrenn@users.noreply.github.com> Date: Wed, 31 May 2023 13:38:11 -0400 Subject: [PATCH 22/45] Update CODEOWNERS --- CODEOWNERS | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CODEOWNERS b/CODEOWNERS index 0a7c0a5..a47bd5b 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,4 +1,4 @@ -* @actions/starter-workflows +* @actions/actions-workflow-development-reviewers -/code-scanning/ @actions/advanced-security-code-scanning @actions/starter-workflows -/pages/ @actions/pages @actions/starter-workflows +/code-scanning/ @actions/advanced-security-code-scanning @actions/actions-workflow-development-reviewers +/pages/ @actions/pages @actions/actions-workflow-development-reviewers From 437d407a8a0b4ff654b5ccc6f3ef59c946cb5210 Mon Sep 17 00:00:00 2001 From: Jamie Scott Date: Tue, 6 Jun 2023 16:22:48 -0700 Subject: [PATCH 23/45] add Endor Labs --- code-scanning/endorlabs.yml | 46 ++ .../properties/endorlabs.properties.json | 7 + icons/endorlabs.svg | 426 ++++++++++++++++++ 3 files changed, 479 insertions(+) create mode 100644 code-scanning/endorlabs.yml create mode 100644 code-scanning/properties/endorlabs.properties.json create mode 100644 icons/endorlabs.svg diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml new file mode 100644 index 0000000..5f6e867 --- /dev/null +++ b/code-scanning/endorlabs.yml @@ -0,0 +1,46 @@ +name: Endor Labs Scan +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly +jobs: + scan: + permissions: + security-events: write # Used to upload sarif artifact to GitHub + contents: read # Used to checkout a private repository but actions/checkout. + actions: read # Required for private repositories to upload sarif files. GitHub Advanced Security licenses are required. + id-token: write # Used for keyless authentication to Endor Labs + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v3 + #### Package Build Instructions + ### Use this section to define the build steps used by your software package. + ### Endor Labs does this for you when possible. + # - name: Setup Java + # uses: actions/setup-java@v3 + # with: + # distribution: 'microsoft' + # java-version: '17' + # - name: Build Package + # run: mvn clean install + - name: Endor Labs Scan Pull Request + if: github.event_name == 'pull_request' + uses: endorlabs/github-action@main + with: + namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. + sarif_file: findings.sarif + - name: Endor Labs Scan Push to main + if: github.event_name == 'push' + uses: endorlabs/github-action@main + with: + namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. + ci_run: "false" + sarif_file: findings.sarif + - name: Upload SARIF to github + uses: github/codeql-action/upload-sarif@9885f86fab4879632b7e44514f19148225dfbdcd + with: + sarif_file: findings.sarif \ No newline at end of file diff --git a/code-scanning/properties/endorlabs.properties.json b/code-scanning/properties/endorlabs.properties.json new file mode 100644 index 0000000..8c4cbb0 --- /dev/null +++ b/code-scanning/properties/endorlabs.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Endor Labs Scan", + "creator": "EndorLabs", + "description": "Identify, prioritize and address open source and code governance issues with Endor Labs.", + "iconName": "endorlabs", + "categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "ruby", "go", "kotlin", "scala" ] +} \ No newline at end of file diff --git a/icons/endorlabs.svg b/icons/endorlabs.svg new file mode 100644 index 0000000..04f1287 --- /dev/null +++ b/icons/endorlabs.svg @@ -0,0 +1,426 @@ + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file From 43f7851be318b6c6d3f53cc2dcc716304ce0b1f4 Mon Sep 17 00:00:00 2001 From: Jamie Scott Date: Tue, 6 Jun 2023 20:20:00 -0700 Subject: [PATCH 24/45] Change to specified version --- code-scanning/endorlabs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index 5f6e867..cc7ebaa 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml @@ -35,7 +35,7 @@ jobs: sarif_file: findings.sarif - name: Endor Labs Scan Push to main if: github.event_name == 'push' - uses: endorlabs/github-action@main + uses: endorlabs/github-action@v1.0.0 with: namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. ci_run: "false" @@ -43,4 +43,4 @@ jobs: - name: Upload SARIF to github uses: github/codeql-action/upload-sarif@9885f86fab4879632b7e44514f19148225dfbdcd with: - sarif_file: findings.sarif \ No newline at end of file + sarif_file: findings.sarif From ea40b7a2671cddb7c82f6daf4ac2f299bd4ca475 Mon Sep 17 00:00:00 2001 From: Jamie Scott Date: Tue, 6 Jun 2023 20:22:38 -0700 Subject: [PATCH 25/45] Update to commit sha --- code-scanning/endorlabs.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index cc7ebaa..b3d92c4 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml @@ -29,13 +29,13 @@ jobs: # run: mvn clean install - name: Endor Labs Scan Pull Request if: github.event_name == 'pull_request' - uses: endorlabs/github-action@main + uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c with: namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. sarif_file: findings.sarif - - name: Endor Labs Scan Push to main - if: github.event_name == 'push' - uses: endorlabs/github-action@v1.0.0 + - name: Endor Labs Scan Monitor + if: github.event_name == 'push' + uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c with: namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. ci_run: "false" From bb9bbc31d84c8b28e3aad02f5a7124bf710ccc72 Mon Sep 17 00:00:00 2001 From: ElizabethBarrord Date: Wed, 7 Jun 2023 17:28:33 -0500 Subject: [PATCH 26/45] add line at eof and adding icon --- code-scanning/properties/credo.properties.json | 3 ++- icons/code.svg | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 icons/code.svg diff --git a/code-scanning/properties/credo.properties.json b/code-scanning/properties/credo.properties.json index 3a86a10..cdc621f 100644 --- a/code-scanning/properties/credo.properties.json +++ b/code-scanning/properties/credo.properties.json @@ -2,5 +2,6 @@ "name": "Credo Scan", "creator": "Credo", "description": "Credo is a static code analysis tool for the Elixir language with a focus on teaching and code consistency.", + "iconName": "code", "categories": ["Code Scanning", "Elixir"] -} \ No newline at end of file +} diff --git a/icons/code.svg b/icons/code.svg new file mode 100644 index 0000000..ee64cbc --- /dev/null +++ b/icons/code.svg @@ -0,0 +1 @@ + \ No newline at end of file From 82f55d00bdc01e81e34edf2ce29733c6f96f0ef1 Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Thu, 8 Jun 2023 12:08:28 -0400 Subject: [PATCH 27/45] Bump DR to take advantage of latest features --- code-scanning/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index fe461b4..b0dedc4 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -17,4 +17,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@v3 - name: 'Dependency Review' - uses: actions/dependency-review-action@v2 + uses: actions/dependency-review-action@v3 From 47e25f909529738fcd02d3f6a07224e4cd35f0b6 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Mon, 12 Jun 2023 11:13:06 +0100 Subject: [PATCH 28/45] CodeQL: Update autobuild comment Add Swift to the list of compiled languages that autobuild will try to build. --- code-scanning/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index e901a24..0b8af33 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -56,7 +56,7 @@ jobs: # queries: security-extended,security-and-quality - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild uses: github/codeql-action/autobuild@v2 From fae93dfd03b4d95ea199d016c0177a0e9acf5036 Mon Sep 17 00:00:00 2001 From: Jamie Scott Date: Mon, 12 Jun 2023 19:05:57 -0700 Subject: [PATCH 29/45] Update endorlabs.properties.json --- code-scanning/properties/endorlabs.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/endorlabs.properties.json b/code-scanning/properties/endorlabs.properties.json index 8c4cbb0..f251c7b 100644 --- a/code-scanning/properties/endorlabs.properties.json +++ b/code-scanning/properties/endorlabs.properties.json @@ -4,4 +4,4 @@ "description": "Identify, prioritize and address open source and code governance issues with Endor Labs.", "iconName": "endorlabs", "categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "ruby", "go", "kotlin", "scala" ] -} \ No newline at end of file +} From 9988e13794684252e6aed931cfe876d5eb0afdf4 Mon Sep 17 00:00:00 2001 From: Jamie Scott Date: Mon, 12 Jun 2023 19:08:27 -0700 Subject: [PATCH 30/45] Update endorlabs.yml --- code-scanning/endorlabs.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index b3d92c4..cc9d71f 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml @@ -15,7 +15,7 @@ jobs: id-token: write # Used for keyless authentication to Endor Labs runs-on: ubuntu-latest steps: - - name: Checkout Repository + - name: Checkout repository uses: actions/checkout@v3 #### Package Build Instructions ### Use this section to define the build steps used by your software package. @@ -27,13 +27,13 @@ jobs: # java-version: '17' # - name: Build Package # run: mvn clean install - - name: Endor Labs Scan Pull Request + - name: Endor Labs scan pull request if: github.event_name == 'pull_request' uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c with: namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. sarif_file: findings.sarif - - name: Endor Labs Scan Monitor + - name: Endor Labs scan monitor if: github.event_name == 'push' uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c with: From 018bc7064380b34483c023064f31435f65011ecd Mon Sep 17 00:00:00 2001 From: Jamie Scott Date: Mon, 12 Jun 2023 19:08:58 -0700 Subject: [PATCH 31/45] Update endorlabs.yml --- code-scanning/endorlabs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index cc9d71f..7c69cb4 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml @@ -1,4 +1,4 @@ -name: Endor Labs Scan +name: Endor Labs on: push: branches: [ $default-branch ] From c6e2cb88e6e745ed8ad5c23581c173668afb4319 Mon Sep 17 00:00:00 2001 From: Jamie Scott Date: Thu, 15 Jun 2023 09:11:51 -0700 Subject: [PATCH 32/45] Add comments header --- code-scanning/endorlabs.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index 7c69cb4..59a9a29 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml @@ -1,7 +1,12 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + name: Endor Labs on: push: - branches: [ $default-branch ] + branches: [ $default-branch, $protected-branches ] pull_request: branches: [ $default-branch ] schedule: From 6da5a650b9818dfd8ecff77ba25ff5d79d0119fb Mon Sep 17 00:00:00 2001 From: Jamie Scott Date: Thu, 15 Jun 2023 09:13:08 -0700 Subject: [PATCH 33/45] Update case and spacing --- code-scanning/properties/endorlabs.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/endorlabs.properties.json b/code-scanning/properties/endorlabs.properties.json index f251c7b..4347f4c 100644 --- a/code-scanning/properties/endorlabs.properties.json +++ b/code-scanning/properties/endorlabs.properties.json @@ -1,6 +1,6 @@ { - "name": "Endor Labs Scan", - "creator": "EndorLabs", + "name": "Endor Labs scan", + "creator": "Endor Labs", "description": "Identify, prioritize and address open source and code governance issues with Endor Labs.", "iconName": "endorlabs", "categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "ruby", "go", "kotlin", "scala" ] From 03ce4e088fd4b766979b2642c82187dcff28b83c Mon Sep 17 00:00:00 2001 From: Jamie Scott Date: Thu, 15 Jun 2023 10:36:30 -0700 Subject: [PATCH 34/45] Fix Linter Issues --- code-scanning/endorlabs.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index 59a9a29..1ad0e26 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml @@ -15,7 +15,7 @@ jobs: scan: permissions: security-events: write # Used to upload sarif artifact to GitHub - contents: read # Used to checkout a private repository but actions/checkout. + contents: read # Used to checkout a private repository by actions/checkout. actions: read # Required for private repositories to upload sarif files. GitHub Advanced Security licenses are required. id-token: write # Used for keyless authentication to Endor Labs runs-on: ubuntu-latest @@ -23,8 +23,8 @@ jobs: - name: Checkout repository uses: actions/checkout@v3 #### Package Build Instructions - ### Use this section to define the build steps used by your software package. - ### Endor Labs does this for you when possible. + ### Use this section to define the build steps used by your software package. + ### Endor Labs builds your software for you where possible but the required build tools must be made availible. # - name: Setup Java # uses: actions/setup-java@v3 # with: @@ -36,13 +36,13 @@ jobs: if: github.event_name == 'pull_request' uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c with: - namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. + namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. sarif_file: findings.sarif - name: Endor Labs scan monitor - if: github.event_name == 'push' + if: github.event_name == 'push' uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c with: - namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. + namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. ci_run: "false" sarif_file: findings.sarif - name: Upload SARIF to github From 2402be0dd2440854bd9c695066d297daaf836468 Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Thu, 15 Jun 2023 16:46:40 -0400 Subject: [PATCH 35/45] Update code-scanning/codeql.yml Co-authored-by: Nick Liffen --- code-scanning/codeql.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 79a4a7c..15398a7 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -27,7 +27,8 @@ jobs: # https://gh.io/recommended-hardware-resources-for-running-codeql # https://gh.io/supported-runners-and-hardware-resources # https://gh.io/using-larger-runners - # to learn more. + # to learn more. + # Consider using larger runners for possible analysis time improvements. runs-on: ubuntu-latest permissions: actions: read From fcf8a26d9d738ab865ef0fa1413a579df8424b6f Mon Sep 17 00:00:00 2001 From: Dmitry Shibanov Date: Mon, 19 Jun 2023 11:47:56 +0200 Subject: [PATCH 36/45] bump go version and use single quotes --- ci/go.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/go.yml b/ci/go.yml index e89f6c9..9f74f87 100644 --- a/ci/go.yml +++ b/ci/go.yml @@ -17,9 +17,9 @@ jobs: - uses: actions/checkout@v3 - name: Set up Go - uses: actions/setup-go@v3 + uses: actions/setup-go@v4 with: - go-version: 1.19 + go-version: '1.20' - name: Build run: go build -v ./... From c6191f3c154ba8fc2b63183ac0d8e67897ea3c23 Mon Sep 17 00:00:00 2001 From: Joe Mooring Date: Tue, 20 Jun 2023 22:39:07 -0700 Subject: [PATCH 37/45] Update Hugo version and switch to Dart Sass --- pages/hugo.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pages/hugo.yml b/pages/hugo.yml index fd6c4b4..8d9fc97 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -31,14 +31,14 @@ jobs: build: runs-on: ubuntu-latest env: - HUGO_VERSION: 0.108.0 + HUGO_VERSION: 0.114.0 steps: - name: Install Hugo CLI run: | wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb \ && sudo dpkg -i ${{ runner.temp }}/hugo.deb - - name: Install Dart Sass Embedded - run: sudo snap install dart-sass-embedded + - name: Install Dart Sass + run: sudo snap install dart-sass - name: Checkout uses: actions/checkout@v3 with: From 0c238aec84e18522e7befaa32ccb39537e7dc44d Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Mon, 10 Jul 2023 23:00:03 -0500 Subject: [PATCH 38/45] Update all Pages starter workflows to use upload-pages-artifact@v2 --- pages/astro.yml | 2 +- pages/gatsby.yml | 2 +- pages/hugo.yml | 2 +- pages/jekyll-gh-pages.yml | 2 +- pages/jekyll.yml | 2 +- pages/mdbook.yml | 2 +- pages/nextjs.yml | 2 +- pages/nuxtjs.yml | 2 +- pages/static.yml | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index 4278958..ccbae47 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -71,7 +71,7 @@ jobs: --base "${{ steps.pages.outputs.base_path }}" working-directory: ${{ env.BUILD_PATH }} - name: Upload artifact - uses: actions/upload-pages-artifact@v1 + uses: actions/upload-pages-artifact@v2 with: path: ${{ env.BUILD_PATH }}/dist diff --git a/pages/gatsby.yml b/pages/gatsby.yml index 1fe2d24..676740b 100644 --- a/pages/gatsby.yml +++ b/pages/gatsby.yml @@ -80,7 +80,7 @@ jobs: PREFIX_PATHS: 'true' run: ${{ steps.detect-package-manager.outputs.manager }} run build - name: Upload artifact - uses: actions/upload-pages-artifact@v1 + uses: actions/upload-pages-artifact@v2 with: path: ./public diff --git a/pages/hugo.yml b/pages/hugo.yml index fd6c4b4..9e0fb88 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -58,7 +58,7 @@ jobs: --minify \ --baseURL "${{ steps.pages.outputs.base_url }}/" - name: Upload artifact - uses: actions/upload-pages-artifact@v1 + uses: actions/upload-pages-artifact@v2 with: path: ./public diff --git a/pages/jekyll-gh-pages.yml b/pages/jekyll-gh-pages.yml index 851f2ce..044e34c 100644 --- a/pages/jekyll-gh-pages.yml +++ b/pages/jekyll-gh-pages.yml @@ -36,7 +36,7 @@ jobs: source: ./ destination: ./_site - name: Upload artifact - uses: actions/upload-pages-artifact@v1 + uses: actions/upload-pages-artifact@v2 # Deployment job deploy: diff --git a/pages/jekyll.yml b/pages/jekyll.yml index 5adebe4..bd2f2e8 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -49,7 +49,7 @@ jobs: JEKYLL_ENV: production - name: Upload artifact # Automatically uploads an artifact from the './_site' directory by default - uses: actions/upload-pages-artifact@v1 + uses: actions/upload-pages-artifact@v2 # Deployment job deploy: diff --git a/pages/mdbook.yml b/pages/mdbook.yml index 78d664e..0fae7a4 100644 --- a/pages/mdbook.yml +++ b/pages/mdbook.yml @@ -43,7 +43,7 @@ jobs: - name: Build with mdBook run: mdbook build - name: Upload artifact - uses: actions/upload-pages-artifact@v1 + uses: actions/upload-pages-artifact@v2 with: path: ./book diff --git a/pages/nextjs.yml b/pages/nextjs.yml index 81073e6..308b76e 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -78,7 +78,7 @@ jobs: - name: Static HTML export with Next.js run: ${{ steps.detect-package-manager.outputs.runner }} next export - name: Upload artifact - uses: actions/upload-pages-artifact@v1 + uses: actions/upload-pages-artifact@v2 with: path: ./out diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml index ddf8f4f..2951136 100644 --- a/pages/nuxtjs.yml +++ b/pages/nuxtjs.yml @@ -73,7 +73,7 @@ jobs: - name: Static HTML export with Nuxt run: ${{ steps.detect-package-manager.outputs.manager }} run generate - name: Upload artifact - uses: actions/upload-pages-artifact@v1 + uses: actions/upload-pages-artifact@v2 with: path: ./dist diff --git a/pages/static.yml b/pages/static.yml index 43bec60..31ac428 100644 --- a/pages/static.yml +++ b/pages/static.yml @@ -34,7 +34,7 @@ jobs: - name: Setup Pages uses: actions/configure-pages@v3 - name: Upload artifact - uses: actions/upload-pages-artifact@v1 + uses: actions/upload-pages-artifact@v2 with: # Upload entire repository path: '.' From 356930494d1828026e574eb42892964e6b1ce089 Mon Sep 17 00:00:00 2001 From: Natalie Somersall Date: Wed, 12 Jul 2023 15:25:09 +0000 Subject: [PATCH 39/45] move gem workflow to ruby/setup-ruby, same as ruby --- ci/gem-push.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ci/gem-push.yml b/ci/gem-push.yml index 8905272..dd6d867 100644 --- a/ci/gem-push.yml +++ b/ci/gem-push.yml @@ -17,7 +17,10 @@ jobs: steps: - uses: actions/checkout@v3 - name: Set up Ruby 2.6 - uses: actions/setup-ruby@v1 + # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, + # change this to (see https://github.com/ruby/setup-ruby#versioning): + # uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: ruby-version: 2.6.x From 830d0c7c9dc9cb64457807f740440982e68a1a77 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Thu, 13 Jul 2023 09:30:22 -0500 Subject: [PATCH 40/45] Add comment containing friendly version number --- ci/deno.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/deno.yml b/ci/deno.yml index c48292e..92338c9 100644 --- a/ci/deno.yml +++ b/ci/deno.yml @@ -27,7 +27,7 @@ jobs: - name: Setup Deno # uses: denoland/setup-deno@v1 - uses: denoland/setup-deno@61fe2df320078202e33d7d5ad347e7dcfa0e8f31 + uses: denoland/setup-deno@61fe2df320078202e33d7d5ad347e7dcfa0e8f31 # v1.1.2 with: deno-version: v1.x From d0ceca4feaff32caa6d0957e1b1ae9314b619167 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Thu, 13 Jul 2023 09:36:51 -0500 Subject: [PATCH 41/45] Compress the comment --- code-scanning/codeql.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 15398a7..18667cf 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -23,11 +23,10 @@ on: jobs: analyze: name: Analyze - # Runner size impacts CodeQL analysis time. Please see: - # https://gh.io/recommended-hardware-resources-for-running-codeql - # https://gh.io/supported-runners-and-hardware-resources - # https://gh.io/using-larger-runners - # to learn more. + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners # Consider using larger runners for possible analysis time improvements. runs-on: ubuntu-latest permissions: From ec351ca4a9ea59041fccee4d2bbaf1fcf1a98e31 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Thu, 13 Jul 2023 09:39:44 -0500 Subject: [PATCH 42/45] Delete trailing whitespace --- code-scanning/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 660514a..f53c061 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -27,7 +27,7 @@ jobs: # - https://gh.io/recommended-hardware-resources-for-running-codeql # - https://gh.io/supported-runners-and-hardware-resources # - https://gh.io/using-larger-runners - # Consider using larger runners for possible analysis time improvements. + # Consider using larger runners for possible analysis time improvements. runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} permissions: From a07603e5efb78778ca8291d20a54900f0024e0b8 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Thu, 13 Jul 2023 09:51:15 -0500 Subject: [PATCH 43/45] Update to latest cosign versions --- ci/docker-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 4aaca04..31da0e3 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -41,9 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@03d0fecf172873164a163bbc64bed0f3bf114ed7 #v3.4.0 + uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 with: - cosign-release: 'v2.0.2' + cosign-release: 'v2.1.1' # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx From cbe6296a3534c58492e4553dbc21063c347bbe7b Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Thu, 13 Jul 2023 10:30:20 -0500 Subject: [PATCH 44/45] Update ci/elixir.yml --- ci/elixir.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/elixir.yml b/ci/elixir.yml index 9890efd..a8513c1 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -23,7 +23,7 @@ jobs: steps: - uses: actions/checkout@v3 - name: Set up Elixir - uses: erlef/setup-beam@v1 + uses: erlef/setup-beam@61e01a43a562a89bfc54c7f9a378ff67b03e4a21 # v1.16.0 with: elixir-version: '1.14.4' # Define the elixir version [required] otp-version: '25.3' # Define the OTP version [required] From 49efc3d27f757ab3bb8e7ee7ee9233c32a27de77 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Thu, 13 Jul 2023 10:30:29 -0500 Subject: [PATCH 45/45] Update ci/elixir.yml --- ci/elixir.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/elixir.yml b/ci/elixir.yml index a8513c1..58f0b27 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -25,8 +25,8 @@ jobs: - name: Set up Elixir uses: erlef/setup-beam@61e01a43a562a89bfc54c7f9a378ff67b03e4a21 # v1.16.0 with: - elixir-version: '1.14.4' # Define the elixir version [required] - otp-version: '25.3' # Define the OTP version [required] + elixir-version: '1.15.2' # [Required] Define the Elixir version + otp-version: '26.0' # [Required] Define the Erlang/OTP version - name: Restore dependencies cache uses: actions/cache@v3 with: