From f31b00f6cce1cd19ed8b231e5eca4694a464e5f9 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Mon, 20 Mar 2023 23:25:38 -0500 Subject: [PATCH 01/11] Update all Pages starter workflows to use actions/deploy-pages@v2 --- pages/astro.yml | 2 +- pages/gatsby.yml | 2 +- pages/hugo.yml | 2 +- pages/jekyll-gh-pages.yml | 2 +- pages/jekyll.yml | 2 +- pages/mdbook.yml | 2 +- pages/nextjs.yml | 2 +- pages/nuxtjs.yml | 2 +- pages/static.yml | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index dbe49db..8377ee4 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -85,4 +85,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 diff --git a/pages/gatsby.yml b/pages/gatsby.yml index fbe9e70..8303af4 100644 --- a/pages/gatsby.yml +++ b/pages/gatsby.yml @@ -94,4 +94,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 diff --git a/pages/hugo.yml b/pages/hugo.yml index 3431284..fd6c4b4 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -72,4 +72,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 diff --git a/pages/jekyll-gh-pages.yml b/pages/jekyll-gh-pages.yml index 7d18dc8..851f2ce 100644 --- a/pages/jekyll-gh-pages.yml +++ b/pages/jekyll-gh-pages.yml @@ -48,4 +48,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 diff --git a/pages/jekyll.yml b/pages/jekyll.yml index 9e6bf67..b680516 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -61,4 +61,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 diff --git a/pages/mdbook.yml b/pages/mdbook.yml index 191aa48..78d664e 100644 --- a/pages/mdbook.yml +++ b/pages/mdbook.yml @@ -57,4 +57,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 diff --git a/pages/nextjs.yml b/pages/nextjs.yml index bf15a71..5dd673d 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -92,4 +92,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml index 3ded228..1ec761a 100644 --- a/pages/nuxtjs.yml +++ b/pages/nuxtjs.yml @@ -87,4 +87,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 diff --git a/pages/static.yml b/pages/static.yml index c0cfa35..43bec60 100644 --- a/pages/static.yml +++ b/pages/static.yml @@ -40,4 +40,4 @@ jobs: path: '.' - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 From b294ad2ff3d618c03a33966760f39e2730bcef9b Mon Sep 17 00:00:00 2001 From: Josh Goldberg Date: Mon, 27 Mar 2023 18:13:09 -0400 Subject: [PATCH 02/11] chore: fix package(r) manager typo --- pages/astro.yml | 2 +- pages/gatsby.yml | 2 +- pages/nextjs.yml | 2 +- pages/nuxtjs.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index dbe49db..bde3560 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -49,7 +49,7 @@ jobs: echo "runner=npx --no-install" >> $GITHUB_OUTPUT exit 0 else - echo "Unable to determine packager manager" + echo "Unable to determine package manager" exit 1 fi - name: Setup Node diff --git a/pages/gatsby.yml b/pages/gatsby.yml index fbe9e70..a5dceb3 100644 --- a/pages/gatsby.yml +++ b/pages/gatsby.yml @@ -48,7 +48,7 @@ jobs: echo "command=ci" >> $GITHUB_OUTPUT exit 0 else - echo "Unable to determine packager manager" + echo "Unable to determine package manager" exit 1 fi - name: Setup Node diff --git a/pages/nextjs.yml b/pages/nextjs.yml index bf15a71..a9da03d 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -45,7 +45,7 @@ jobs: echo "runner=npx --no-install" >> $GITHUB_OUTPUT exit 0 else - echo "Unable to determine packager manager" + echo "Unable to determine package manager" exit 1 fi - name: Setup Node diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml index 3ded228..d3c9921 100644 --- a/pages/nuxtjs.yml +++ b/pages/nuxtjs.yml @@ -43,7 +43,7 @@ jobs: echo "command=ci" >> $GITHUB_OUTPUT exit 0 else - echo "Unable to determine packager manager" + echo "Unable to determine package manager" exit 1 fi - name: Setup Node From eeb9248ea6d958f2adcb504c334b98464be041ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E3=81=AA=E3=81=A4=E3=81=8D?= Date: Tue, 4 Apr 2023 14:26:08 -0700 Subject: [PATCH 03/11] Update ruby/setup-ruby for CVE-2023-28755 and CVE-2023-28756 --- ci/ruby.yml | 2 +- ci/rubyonrails.yml | 4 ++-- code-scanning/brakeman.yml | 2 +- code-scanning/puppet-lint.yml | 2 +- code-scanning/rubocop.yml | 2 +- pages/jekyll.yml | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ci/ruby.yml b/ci/ruby.yml index e1551d5..9e94081 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -30,7 +30,7 @@ jobs: # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, # change this to (see https://github.com/ruby/setup-ruby#versioning): # uses: ruby/setup-ruby@v1 - uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: ruby-version: ${{ matrix.ruby-version }} bundler-cache: true # runs 'bundle install' and caches installed gems automatically diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index 5102b3d..20ff014 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -30,7 +30,7 @@ jobs: uses: actions/checkout@v3 # Add or replace dependency steps here - name: Install Ruby and gems - uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: bundler-cache: true # Add or replace database setup steps here @@ -46,7 +46,7 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - name: Install Ruby and gems - uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: bundler-cache: true # Add or replace any other lints here diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index d381e85..197300c 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -35,7 +35,7 @@ jobs: # Customize the ruby version depending on your needs - name: Setup Ruby - uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: ruby-version: '2.7' diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml index 0804ba9..047ff00 100644 --- a/code-scanning/puppet-lint.yml +++ b/code-scanning/puppet-lint.yml @@ -36,7 +36,7 @@ jobs: uses: actions/checkout@v3 - name: Setup Ruby - uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: ruby-version: 2.7 bundler-cache: true diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml index 97a693f..e2347db 100644 --- a/code-scanning/rubocop.yml +++ b/code-scanning/rubocop.yml @@ -28,7 +28,7 @@ jobs: # If running on a self-hosted runner, check it meets the requirements # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners - name: Set up Ruby - uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: ruby-version: 2.6 diff --git a/pages/jekyll.yml b/pages/jekyll.yml index b680516..5adebe4 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -34,7 +34,7 @@ jobs: - name: Checkout uses: actions/checkout@v3 - name: Setup Ruby - uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: ruby-version: '3.1' # Not needed with a .ruby-version file bundler-cache: true # runs 'bundle install' and caches installed gems automatically From b9b82275918a75a68714fe4edda0810552a65e23 Mon Sep 17 00:00:00 2001 From: Issy Long Date: Tue, 11 Apr 2023 15:40:06 +0100 Subject: [PATCH 04/11] Add Swift to the list of CodeQL-supported languages - This is in public beta. --- code-scanning/properties/codeql.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index f5e78bf..8aaa8f5 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -2,7 +2,7 @@ "name": "CodeQL Analysis", "creator": "GitHub", "enterprise": true, - "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, Ruby and Kotlin developers.", + "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, Ruby, Kotlin and Swift developers.", "iconName": "octicon mark-github", - "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby", "Kotlin"] + "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby", "Kotlin", "Swift"] } From 6a1457d1e2dbee50677ff2610ac2ea7b2f1dad1c Mon Sep 17 00:00:00 2001 From: Marcos Pereira <3464445+marcospgp@users.noreply.github.com> Date: Fri, 14 Apr 2023 23:02:17 +0100 Subject: [PATCH 05/11] Update manual.yml --- automation/manual.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/automation/manual.yml b/automation/manual.yml index 4a7131e..faabdec 100644 --- a/automation/manual.yml +++ b/automation/manual.yml @@ -27,4 +27,4 @@ jobs: steps: # Runs a single command using the runners shell - name: Send greeting - run: echo "Hello ${{ github.event.inputs.name }}" \ No newline at end of file + run: echo "Hello ${{ inputs.name }}" From 73f69c4600dd494bc6311ba2c4c2e362e25fde2f Mon Sep 17 00:00:00 2001 From: Aditya Sharad <6874315+adityasharad@users.noreply.github.com> Date: Mon, 17 Apr 2023 12:06:44 -0700 Subject: [PATCH 06/11] CodeQL: Run on macOS by default if the target language is Swift CodeQL Swift analysis is best supported on macOS. In preparation for CodeQL supporting Swift analysis in beta, adjust the CodeQL starter workflow template to run the `swift` matrix job on `macos-latest`, and all other matrix jobs on `ubuntu-latest`. This does not affect the matrix itself. --- code-scanning/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index f0c3beb..bd394ae 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -23,7 +23,7 @@ on: jobs: analyze: name: Analyze - runs-on: ubuntu-latest + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} permissions: actions: read contents: read @@ -51,7 +51,7 @@ jobs: # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. - # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs # queries: security-extended,security-and-quality From 1c781c4e6aa4c2db08b9133b742b4f35871e150e Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Tue, 18 Apr 2023 11:20:09 -0500 Subject: [PATCH 07/11] Add data type to workflow_dispatch inputs --- automation/manual.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/automation/manual.yml b/automation/manual.yml index faabdec..11b2e35 100644 --- a/automation/manual.yml +++ b/automation/manual.yml @@ -15,6 +15,8 @@ on: default: 'World' # Input has to be provided for the workflow to run required: true + # The data type of the input + type: string # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: From d4482bb5829c32e2d0803b022eebc6f0280c4649 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 18 Apr 2023 20:55:06 +0000 Subject: [PATCH 08/11] Bump actions/stale from 7 to 8 Bumps [actions/stale](https://github.com/actions/stale) from 7 to 8. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/v7...v8) --- updated-dependencies: - dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/stale.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 0cae015..ecdf037 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/stale@v7 + - uses: actions/stale@v8 with: stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.' stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.' From d841affe4c5e9554c36059bf0b297818f4778a16 Mon Sep 17 00:00:00 2001 From: Trevor Blanarik Date: Mon, 24 Apr 2023 15:53:48 +0000 Subject: [PATCH 09/11] corrects the syntax for so that the array is inline --- deployments/azure-functions-app-container.yml | 3 +-- deployments/azure-functions-app-dotnet.yml | 3 +-- deployments/azure-functions-app-java-gradle.yml | 3 +-- deployments/azure-functions-app-java.yml | 3 +-- deployments/azure-functions-app-nodejs.yml | 3 +-- deployments/azure-functions-app-powershell.yml | 3 +-- deployments/azure-functions-app-python.yml | 3 +-- 7 files changed, 7 insertions(+), 14 deletions(-) diff --git a/deployments/azure-functions-app-container.yml b/deployments/azure-functions-app-container.yml index 7b438be..1173b95 100644 --- a/deployments/azure-functions-app-container.yml +++ b/deployments/azure-functions-app-container.yml @@ -21,8 +21,7 @@ name: Deploy container to Azure Functions App on: push: - branches: - - [$default-branch] + branches: [$default-branch] permissions: contents: read diff --git a/deployments/azure-functions-app-dotnet.yml b/deployments/azure-functions-app-dotnet.yml index 8b2c23b..824614e 100644 --- a/deployments/azure-functions-app-dotnet.yml +++ b/deployments/azure-functions-app-dotnet.yml @@ -20,8 +20,7 @@ name: Deploy DotNet project to Azure Function App on: push: - branches: - - [$default-branch] + branches: [$default-branch] env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure diff --git a/deployments/azure-functions-app-java-gradle.yml b/deployments/azure-functions-app-java-gradle.yml index 69f6343..36c50b8 100644 --- a/deployments/azure-functions-app-java-gradle.yml +++ b/deployments/azure-functions-app-java-gradle.yml @@ -20,8 +20,7 @@ name: Deploy Gradle Java project to Azure Function App on: push: - branches: - - [$default-branch] + branches: [$default-branch] permissions: contents: read diff --git a/deployments/azure-functions-app-java.yml b/deployments/azure-functions-app-java.yml index 0774544..5608328 100644 --- a/deployments/azure-functions-app-java.yml +++ b/deployments/azure-functions-app-java.yml @@ -20,8 +20,7 @@ name: Deploy Java project to Azure Function App on: push: - branches: - - [$default-branch] + branches: [$default-branch] env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure diff --git a/deployments/azure-functions-app-nodejs.yml b/deployments/azure-functions-app-nodejs.yml index b8033f0..916f396 100644 --- a/deployments/azure-functions-app-nodejs.yml +++ b/deployments/azure-functions-app-nodejs.yml @@ -22,8 +22,7 @@ name: Deploy Node.js project to Azure Function App on: push: - branches: - - [$default-branch] + branches: [$default-branch] env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure diff --git a/deployments/azure-functions-app-powershell.yml b/deployments/azure-functions-app-powershell.yml index 505b5af..5d62316 100644 --- a/deployments/azure-functions-app-powershell.yml +++ b/deployments/azure-functions-app-powershell.yml @@ -20,8 +20,7 @@ name: Deploy PowerShell project to Azure Function App on: push: - branches: - - [$default-branch] + branches: [$default-branch] env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure diff --git a/deployments/azure-functions-app-python.yml b/deployments/azure-functions-app-python.yml index 0220227..6452a18 100644 --- a/deployments/azure-functions-app-python.yml +++ b/deployments/azure-functions-app-python.yml @@ -20,8 +20,7 @@ name: Deploy Python project to Azure Function App on: push: - branches: - - [$default-branch] + branches: [$default-branch] env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure From b015c848b62afa863d3f5607a61b1604ee66ebea Mon Sep 17 00:00:00 2001 From: Aditya Sharad <6874315+adityasharad@users.noreply.github.com> Date: Mon, 22 May 2023 10:10:15 -0700 Subject: [PATCH 10/11] CodeQL: Reduce job timeout to 2h if the target language is Swift Some projects observed intermittent build timeouts with Swift. In case this happens, and our CodeQL-level mitigations do not prevent the problem, we want to avoid using up 6h of the customer's billed macOS Actions minutes (which is the default timeout), so we suggest a reduced timeout of 2h. This value is chosen to accommodate the total job time (build + CodeQL extraction + CodeQL analysis) we expect for large Swift projects. We may choose to adjust it in future. --- code-scanning/codeql.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index bd394ae..e901a24 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -24,6 +24,7 @@ jobs: analyze: name: Analyze runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} permissions: actions: read contents: read From ee518ae76c27a9700e06499dd8f8c1c99d6d0316 Mon Sep 17 00:00:00 2001 From: Beth Brennan <34719884+elbrenn@users.noreply.github.com> Date: Wed, 31 May 2023 13:38:11 -0400 Subject: [PATCH 11/11] Update CODEOWNERS --- CODEOWNERS | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CODEOWNERS b/CODEOWNERS index 0a7c0a5..a47bd5b 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,4 +1,4 @@ -* @actions/starter-workflows +* @actions/actions-workflow-development-reviewers -/code-scanning/ @actions/advanced-security-code-scanning @actions/starter-workflows -/pages/ @actions/pages @actions/starter-workflows +/code-scanning/ @actions/advanced-security-code-scanning @actions/actions-workflow-development-reviewers +/pages/ @actions/pages @actions/actions-workflow-development-reviewers