From 05e45811599669cf3c0631d7980937988b31be11 Mon Sep 17 00:00:00 2001 From: Marco Gario Date: Thu, 15 Feb 2024 09:01:39 +0100 Subject: [PATCH 01/22] Update codeql.yml with new build-mode --- code-scanning/codeql.yml | 37 +++++++++++++++++++------------------ 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 808449d..d0df66c 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -40,11 +40,12 @@ jobs: strategy: fail-fast: false matrix: - language: [ $detected-codeql-languages ] - # CodeQL supports [ $supported-codeql-languages ] - # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both - # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + $codeql-languages-matrix + # CodeQL supports the following values keywords for 'language': $supported-codeql-languages + # Use 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. steps: - name: Checkout repository @@ -55,6 +56,7 @@ jobs: uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. @@ -62,21 +64,20 @@ jobs: # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs # queries: security-extended,security-and-quality - - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v3 - + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. # â„šī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh + - if: ${{ matrix.build-mode == 'manual' }} + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 From 8a973982d129261906540b29fc80512a1fd3ec81 Mon Sep 17 00:00:00 2001 From: Marco Gario Date: Mon, 19 Feb 2024 15:54:06 +0100 Subject: [PATCH 02/22] Update code-scanning/codeql.yml Co-authored-by: Henry Mercer --- code-scanning/codeql.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index d0df66c..00ef183 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -42,6 +42,7 @@ jobs: matrix: $codeql-languages-matrix # CodeQL supports the following values keywords for 'language': $supported-codeql-languages + # Use `c-cpp` to analyze code written in C, C++ or both # Use 'java-kotlin' to analyze code written in Java, Kotlin or both # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, From 4a8c4e08b0b97c465318cc670fc212b94cfcbaba Mon Sep 17 00:00:00 2001 From: Marco Gario Date: Mon, 19 Feb 2024 15:57:02 +0100 Subject: [PATCH 03/22] Update code-scanning/codeql.yml Co-authored-by: Henry Mercer --- code-scanning/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 00ef183..1d23be1 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -71,7 +71,7 @@ jobs: # to build your code. # â„šī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - if: ${{ matrix.build-mode == 'manual' }} + - if: matrix.build-mode == 'manual' run: | echo 'If you are using a "manual" build mode for one or more of the' \ 'languages you are analyzing, replace this with the commands to build' \ From 03277899f01de35a7544217d1b02c1031bae1102 Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Wed, 6 Mar 2024 16:46:46 -0500 Subject: [PATCH 04/22] tfsec latest v0.1.4 (#2318) --- code-scanning/tfsec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 48ee4d2..706c8be 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -27,7 +27,7 @@ jobs: uses: actions/checkout@v3 - name: Run tfsec - uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f + uses: aquasecurity/tfsec-sarif-action@21ded20e8ca120cd9d3d6ab04ef746477542a608 with: sarif_file: tfsec.sarif From 3fb9f82449706d5e8e6605bf7cb839b690359cdc Mon Sep 17 00:00:00 2001 From: Tim Heuer Date: Tue, 12 Mar 2024 12:08:25 -0700 Subject: [PATCH 05/22] Updating dotnet CI starter workflows (#2333) * Update dotnet.yml Updating versions * Update dotnet-desktop.yml Bumping versions * Update ci/dotnet-desktop.yml Co-authored-by: Alexis Abril --------- Co-authored-by: Alexis Abril --- ci/dotnet-desktop.yml | 8 ++++---- ci/dotnet.yml | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index fd82a39..ad99b56 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -63,19 +63,19 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 # Install the .NET Core workload - name: Install .NET Core - uses: actions/setup-dotnet@v3 + uses: actions/setup-dotnet@v4 with: - dotnet-version: 6.0.x + dotnet-version: 8.0.x # Add MSBuild to the PATH: https://github.com/microsoft/setup-msbuild - name: Setup MSBuild.exe - uses: microsoft/setup-msbuild@v1.0.2 + uses: microsoft/setup-msbuild@v2 # Execute all unit tests in the solution - name: Execute unit tests diff --git a/ci/dotnet.yml b/ci/dotnet.yml index f11f050..b869d6e 100644 --- a/ci/dotnet.yml +++ b/ci/dotnet.yml @@ -15,11 +15,11 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Setup .NET - uses: actions/setup-dotnet@v3 + uses: actions/setup-dotnet@v4 with: - dotnet-version: 6.0.x + dotnet-version: 8.0.x - name: Restore dependencies run: dotnet restore - name: Build From 0f4d22325b4bd42a10be5b295f57866f7c78b2bb Mon Sep 17 00:00:00 2001 From: cclin Date: Mon, 25 Mar 2024 16:05:58 +0800 Subject: [PATCH 06/22] Update astro.yml for yarn based project --- pages/astro.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pages/astro.yml b/pages/astro.yml index 0929af5..03044be 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -42,11 +42,13 @@ jobs: echo "manager=yarn" >> $GITHUB_OUTPUT echo "command=install" >> $GITHUB_OUTPUT echo "runner=yarn" >> $GITHUB_OUTPUT + echo "lockfile=yarn.lock" >> $GITHUB_OUTPUT exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then echo "manager=npm" >> $GITHUB_OUTPUT echo "command=ci" >> $GITHUB_OUTPUT echo "runner=npx --no-install" >> $GITHUB_OUTPUT + echo "lockfile=package-lock.json" >> $GITHUB_OUTPUT exit 0 else echo "Unable to determine package manager" @@ -57,7 +59,7 @@ jobs: with: node-version: "20" cache: ${{ steps.detect-package-manager.outputs.manager }} - cache-dependency-path: ${{ env.BUILD_PATH }}/package-lock.json + cache-dependency-path: ${{ env.BUILD_PATH }}/${{ steps.detect-package-manager.outputs.lockfile }} - name: Setup Pages id: pages uses: actions/configure-pages@v4 From 61cdce264d9ad8045eee8229857b814e0c0510a8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=EC=B9=B4=EA=B8=B0=EC=9E=90=ED=8C=90?= Date: Tue, 26 Mar 2024 08:26:55 +0900 Subject: [PATCH 07/22] Updating nextjs.yml for Next.js 14 Support (#2204) * Update nextjs.yml * Update nextjs.yml --------- Co-authored-by: Alexis Abril --- pages/nextjs.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/pages/nextjs.yml b/pages/nextjs.yml index f91a07d..74e57fc 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -73,10 +73,8 @@ jobs: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}- - name: Install dependencies run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }} - - name: Build with Next.js + - name: Build and Static HTML export with Next.js run: ${{ steps.detect-package-manager.outputs.runner }} next build - - name: Static HTML export with Next.js - run: ${{ steps.detect-package-manager.outputs.runner }} next export - name: Upload artifact uses: actions/upload-pages-artifact@v3 with: From aad92724382fbe4be3a7880224fb9c1cacd3b7b2 Mon Sep 17 00:00:00 2001 From: Marco Gario Date: Tue, 26 Mar 2024 13:18:17 +0100 Subject: [PATCH 08/22] Update codeql.yml Limit matrix information in the job name to language by default --- code-scanning/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 1d23be1..dd1406a 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -21,7 +21,7 @@ on: jobs: analyze: - name: Analyze + name: Analyze (${{ matrix.language }}) # Runner size impacts CodeQL analysis time. To learn more, please see: # - https://gh.io/recommended-hardware-resources-for-running-codeql # - https://gh.io/supported-runners-and-hardware-resources From fdbad9c74f2ddbd29ef69cedd91184c4552c7360 Mon Sep 17 00:00:00 2001 From: Marco Gario Date: Tue, 26 Mar 2024 13:41:53 +0100 Subject: [PATCH 09/22] Update codeql.yml links to docs --- code-scanning/codeql.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index dd1406a..cb883a9 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -47,7 +47,8 @@ jobs: # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. - + # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages steps: - name: Checkout repository uses: actions/checkout@v4 From 831e9cb8e41cb47e2ffdabda6c3f268a057ffae5 Mon Sep 17 00:00:00 2001 From: Andreas Deininger Date: Wed, 27 Mar 2024 18:51:41 +0100 Subject: [PATCH 10/22] Bump workflow actions of various starter files (#2210) --- code-scanning/detekt.yml | 2 +- code-scanning/endorlabs.yml | 2 +- code-scanning/rust-clippy.yml | 4 ++-- deployments/alibabacloud.yml | 4 ++-- pages/hugo.yml | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index 15aeb45..502c66e 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml @@ -13,7 +13,7 @@ # 4. Manually, on demand, via the "workflow_dispatch" event # # The workflow should work with no modifications, but you might like to use a -# later version of the Detekt CLI by modifing the $DETEKT_RELEASE_TAG +# later version of the Detekt CLI by modifying the $DETEKT_RELEASE_TAG # environment variable. name: Scan with Detekt diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index 1ad0e26..5633a6b 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml @@ -24,7 +24,7 @@ jobs: uses: actions/checkout@v3 #### Package Build Instructions ### Use this section to define the build steps used by your software package. - ### Endor Labs builds your software for you where possible but the required build tools must be made availible. + ### Endor Labs builds your software for you where possible but the required build tools must be made available. # - name: Setup Java # uses: actions/setup-java@v3 # with: diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml index 90583f3..4f50c3e 100644 --- a/code-scanning/rust-clippy.yml +++ b/code-scanning/rust-clippy.yml @@ -28,7 +28,7 @@ jobs: actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Install Rust toolchain uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af #@v1 @@ -52,4 +52,4 @@ jobs: uses: github/codeql-action/upload-sarif@v1 with: sarif_file: rust-clippy-results.sarif - wait-for-processing: true \ No newline at end of file + wait-for-processing: true diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index 96d5d38..74dd7f6 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -49,7 +49,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 # 1.1 Login to ACR - name: Login to ACR with the AccessKey pair @@ -59,7 +59,7 @@ jobs: access-key-id: "${{ secrets.ACCESS_KEY_ID }}" access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}" - # 1.2 Buid and push image to ACR + # 1.2 Build and push image to ACR - name: Build and push image to ACR run: | docker build --tag "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" . diff --git a/pages/hugo.yml b/pages/hugo.yml index 6e40b04..1061a74 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -31,7 +31,7 @@ jobs: build: runs-on: ubuntu-latest env: - HUGO_VERSION: 0.120.4 + HUGO_VERSION: 0.124.1 steps: - name: Install Hugo CLI run: | From 4620c76b38f478f21a88b354ce6794dcfacba755 Mon Sep 17 00:00:00 2001 From: Spencer Schrock Date: Wed, 27 Mar 2024 13:25:03 -0700 Subject: [PATCH 11/22] update Scorecard Action hashes and version comments (#2348) * update action hashes and version comments ossf/scorecard-action v2.1.2 is old and doesnt work after a Sigstore change. https://blog.sigstore.dev/tuf-root-update/ Signed-off-by: Spencer Schrock * downgrade actions/upload-artifact to node20 version of v3 dependabot will suggest upgrade to v4.3.1 for repos that can upgrade. note: v3.pre.node20 is how dependabot refers to the pinned hash, so use that so it can upgrade the comment Signed-off-by: Spencer Schrock * upgrade github/codeql-action/upload-sarif to v3.24.9 Signed-off-by: Spencer Schrock --------- Signed-off-by: Spencer Schrock Co-authored-by: Alexis Abril --- code-scanning/scorecard.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index 19b9b00..162c788 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml @@ -32,19 +32,19 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 with: results_file: results.sarif results_format: sarif # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: # - you want to enable the Branch-Protection check on a *public* repository, or # - you are installing Scorecard on a *private* repository - # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional. # repo_token: ${{ secrets.SCORECARD_TOKEN }} # Public repositories: @@ -59,14 +59,15 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 + uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 with: name: SARIF file path: results.sarif retention-days: 5 - # Upload the results to GitHub's code scanning dashboard. + # Upload the results to GitHub's code scanning dashboard (optional). + # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 + uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 with: sarif_file: results.sarif From 4ca845b387fb6f8d1b8ba86e6b2d3b345cd862b7 Mon Sep 17 00:00:00 2001 From: Alexis Abril Date: Fri, 29 Mar 2024 13:23:28 -0700 Subject: [PATCH 12/22] Update CODEOWNERS Simplifying the CODEOWNERS file to allow respective teams the capabilities to manage PRs as responsibilities have been updated recently. In the short term, this will add notifications to folks for each team. --- CODEOWNERS | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/CODEOWNERS b/CODEOWNERS index 2ed2e33..7580ac6 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,5 +1,5 @@ +* @actions/advanced-security-code-scanning +* @actions/advanced-security-dependency-graph +* @actions/pages * @actions/actions-workflow-development-reviewers - -/code-scanning/ @actions/advanced-security-code-scanning @actions/actions-workflow-development-reviewers @actions/advanced-security-dependency-graph -/code-scanning/dependency-review.yml @actions/actions-workflow-development-reviewers @actions/advanced-security-dependency-graph -/pages/ @actions/pages @actions/actions-workflow-development-reviewers +* @actions/starter-workflows From 87efe4c91d3d86b0f544d36ceaae0dc8be94f080 Mon Sep 17 00:00:00 2001 From: Alexis Abril Date: Fri, 29 Mar 2024 15:20:42 -0700 Subject: [PATCH 13/22] Update CODEOWNERS Adding @actions/starter-workflows to each category to minimize notification pollution. --- CODEOWNERS | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/CODEOWNERS b/CODEOWNERS index 7580ac6..50abb26 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,5 +1,5 @@ -* @actions/advanced-security-code-scanning -* @actions/advanced-security-dependency-graph -* @actions/pages -* @actions/actions-workflow-development-reviewers -* @actions/starter-workflows +* @actions/actions-workflow-development-reviewers @actions/starter-workflows + +/code-scanning/ @actions/advanced-security-code-scanning @actions/actions-workflow-development-reviewers @actions/advanced-security-dependency-graph @actions/starter-workflows +/code-scanning/dependency-review.yml @actions/actions-workflow-development-reviewers @actions/advanced-security-dependency-graph @actions/starter-workflows +/pages/ @actions/pages @actions/actions-workflow-development-reviewers @actions/starter-workflows From c9a0122a593db43660edaf37cf6cae081c2f45d9 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Fri, 29 Mar 2024 19:57:20 -0500 Subject: [PATCH 14/22] Update all Pages workflows to use actions/configure-pages@v5 --- pages/astro.yml | 2 +- pages/gatsby.yml | 2 +- pages/hugo.yml | 2 +- pages/jekyll-gh-pages.yml | 2 +- pages/jekyll.yml | 2 +- pages/mdbook.yml | 2 +- pages/nextjs.yml | 2 +- pages/nuxtjs.yml | 2 +- pages/static.yml | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index 03044be..25db103 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -62,7 +62,7 @@ jobs: cache-dependency-path: ${{ env.BUILD_PATH }}/${{ steps.detect-package-manager.outputs.lockfile }} - name: Setup Pages id: pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 - name: Install dependencies run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }} working-directory: ${{ env.BUILD_PATH }} diff --git a/pages/gatsby.yml b/pages/gatsby.yml index c82a2f7..1bcc667 100644 --- a/pages/gatsby.yml +++ b/pages/gatsby.yml @@ -58,7 +58,7 @@ jobs: cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages id: pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 with: # Automatically inject pathPrefix in your Gatsby configuration file. # diff --git a/pages/hugo.yml b/pages/hugo.yml index 1061a74..141ad91 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -45,7 +45,7 @@ jobs: submodules: recursive - name: Setup Pages id: pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 - name: Install Node.js dependencies run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true" - name: Build with Hugo diff --git a/pages/jekyll-gh-pages.yml b/pages/jekyll-gh-pages.yml index 8d5586c..2874cc0 100644 --- a/pages/jekyll-gh-pages.yml +++ b/pages/jekyll-gh-pages.yml @@ -29,7 +29,7 @@ jobs: - name: Checkout uses: actions/checkout@v4 - name: Setup Pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 - name: Build with Jekyll uses: actions/jekyll-build-pages@v1 with: diff --git a/pages/jekyll.yml b/pages/jekyll.yml index 17fec3f..f07bc39 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -41,7 +41,7 @@ jobs: cache-version: 0 # Increment this number if you need to re-download cached gems - name: Setup Pages id: pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 - name: Build with Jekyll # Outputs to the './_site' directory by default run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}" diff --git a/pages/mdbook.yml b/pages/mdbook.yml index 6ea654d..cf79f4e 100644 --- a/pages/mdbook.yml +++ b/pages/mdbook.yml @@ -39,7 +39,7 @@ jobs: cargo install --version ${MDBOOK_VERSION} mdbook - name: Setup Pages id: pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 - name: Build with mdBook run: mdbook build - name: Upload artifact diff --git a/pages/nextjs.yml b/pages/nextjs.yml index 74e57fc..ccde58d 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -54,7 +54,7 @@ jobs: node-version: "20" cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 with: # Automatically inject basePath in your Next.js configuration file and disable # server side image optimization (https://nextjs.org/docs/api-reference/next/image#unoptimized). diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml index 5ceb0e8..25a6862 100644 --- a/pages/nuxtjs.yml +++ b/pages/nuxtjs.yml @@ -52,7 +52,7 @@ jobs: node-version: "20" cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 with: # Automatically inject router.base in your Nuxt configuration file and set # target to static (https://nuxtjs.org/docs/configuration-glossary/configuration-target/). diff --git a/pages/static.yml b/pages/static.yml index 819974a..5640380 100644 --- a/pages/static.yml +++ b/pages/static.yml @@ -32,7 +32,7 @@ jobs: - name: Checkout uses: actions/checkout@v4 - name: Setup Pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 - name: Upload artifact uses: actions/upload-pages-artifact@v3 with: From e4837fa7681a5ff12fe8500675c47c7f6a296f98 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Fri, 29 Mar 2024 20:19:30 -0500 Subject: [PATCH 15/22] Improve step name for Next.js build --- pages/nextjs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/nextjs.yml b/pages/nextjs.yml index ccde58d..e2c9ab6 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -73,7 +73,7 @@ jobs: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}- - name: Install dependencies run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }} - - name: Build and Static HTML export with Next.js + - name: Build with Next.js run: ${{ steps.detect-package-manager.outputs.runner }} next build - name: Upload artifact uses: actions/upload-pages-artifact@v3 From efd31e5f0f3f40497cbbd7d3991ddac4da4037ca Mon Sep 17 00:00:00 2001 From: SOOS-GSteen Date: Mon, 1 Apr 2024 16:11:05 -0400 Subject: [PATCH 16/22] update soos dash action commit hash / sarif action version / logo (#2317) * Update soos-dast-scan.yml * Update soos-dast-scan.yml * Update soos.svg * Update code-scanning/soos-dast-scan.yml Co-authored-by: Alexis Abril --------- Co-authored-by: Alexis Abril --- code-scanning/soos-dast-scan.yml | 6 +++--- icons/soos.svg | 18 +----------------- 2 files changed, 4 insertions(+), 20 deletions(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 335aa03..b3e470e 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -36,7 +36,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Analysis - uses: soos-io/soos-dast-github-action@d0ee0d8feb02c1881e6a1d785bf2078662631150 + uses: soos-io/soos-dast-github-action@a7f2cb2dfd143cb3224712d902ca0a1da0198ea9 with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} @@ -45,6 +45,6 @@ jobs: target_url: "https://www.example.com/" output_format: "sarif" - name: Upload SOOS DAST SARIF Report - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: - sarif_file: results.sarif \ No newline at end of file + sarif_file: results.sarif diff --git a/icons/soos.svg b/icons/soos.svg index 17a31fc..7480560 100644 --- a/icons/soos.svg +++ b/icons/soos.svg @@ -1,17 +1 @@ - - - - - - - - - - - + \ No newline at end of file From b53d05e4b0dde7cdaeda60476acfcaaa1713f8cc Mon Sep 17 00:00:00 2001 From: Charly Garcia <155784995+cgarciagarcia@users.noreply.github.com> Date: Mon, 1 Apr 2024 17:12:02 -0300 Subject: [PATCH 17/22] ci: use artisan command to run test, because this ci/laravel.yml does not work properly in laravel when uses Pest instead of PHPUnit (#2284) Co-authored-by: Alexis Abril --- ci/laravel.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/laravel.yml b/ci/laravel.yml index e778d7b..fc30f21 100644 --- a/ci/laravel.yml +++ b/ci/laravel.yml @@ -28,8 +28,8 @@ jobs: run: | mkdir -p database touch database/database.sqlite - - name: Execute tests (Unit and Feature tests) via PHPUnit + - name: Execute tests (Unit and Feature tests) via PHPUnit/Pest env: DB_CONNECTION: sqlite DB_DATABASE: database/database.sqlite - run: vendor/bin/phpunit + run: php artisan test From 31a3e00dab4440b64f47b6b9d92f8d330e1b6f00 Mon Sep 17 00:00:00 2001 From: Issy Long Date: Wed, 3 Apr 2024 10:23:11 +0100 Subject: [PATCH 18/22] codeql: Clarify that hosted larger runners only exist on GHEC - Part of https://github.com/github/code-scanning/issues/13748. --- code-scanning/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index cb883a9..d24240d 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -25,8 +25,8 @@ jobs: # Runner size impacts CodeQL analysis time. To learn more, please see: # - https://gh.io/recommended-hardware-resources-for-running-codeql # - https://gh.io/supported-runners-and-hardware-resources - # - https://gh.io/using-larger-runners - # Consider using larger runners for possible analysis time improvements. + # - https://gh.io/using-larger-runners (GitHub.com only) + # Consider using larger runners or machines with greater resources for possible analysis time improvements. runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} permissions: From cd4b67d0b4d0afb975b04ffa9097d358de9a7af3 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 3 Jan 2024 02:09:21 -0500 Subject: [PATCH 19/22] Checkout: Update all workflows to use Checkout V4 --- .github/workflows/lint.yaml | 2 +- .github/workflows/sync-ghes.yaml | 2 +- .github/workflows/validate-data.yaml | 2 +- ci/ada.yml | 2 +- ci/android.yml | 2 +- ci/ant.yml | 2 +- ci/blank.yml | 2 +- ci/c-cpp.yml | 2 +- ci/clojure.yml | 2 +- ci/cmake-multi-platform.yml | 2 +- ci/cmake-single-platform.yml | 2 +- ci/crystal.yml | 2 +- ci/d.yml | 2 +- ci/dart.yml | 2 +- ci/deno.yml | 2 +- ci/django.yml | 2 +- ci/docker-image.yml | 2 +- ci/docker-publish.yml | 2 +- ci/elixir.yml | 2 +- ci/erlang.yml | 2 +- ci/gem-push.yml | 2 +- ci/generator-generic-ossf-slsa3-publish.yml | 2 +- ci/go.yml | 2 +- ci/haskell.yml | 2 +- ci/ios.yml | 2 +- ci/jekyll-docker.yml | 2 +- ci/laravel.yml | 2 +- ci/makefile.yml | 2 +- ci/maven-publish.yml | 2 +- ci/maven.yml | 2 +- ci/msbuild.yml | 2 +- ci/node.js.yml | 2 +- ci/npm-grunt.yml | 2 +- ci/npm-gulp.yml | 2 +- ci/npm-publish-github-packages.yml | 4 ++-- ci/npm-publish.yml | 4 ++-- ci/objective-c-xcode.yml | 2 +- ci/php.yml | 2 +- ci/pylint.yml | 2 +- ci/python-app.yml | 2 +- ci/python-package-conda.yml | 2 +- ci/python-package.yml | 2 +- ci/python-publish.yml | 2 +- ci/r.yml | 2 +- ci/ruby.yml | 2 +- ci/rubyonrails.yml | 4 ++-- ci/rust.yml | 2 +- ci/scala.yml | 2 +- ci/super-linter.yml | 2 +- ci/swift.yml | 2 +- ci/symfony.yml | 2 +- ci/webpack.yml | 2 +- code-scanning/anchore-syft.yml | 2 +- code-scanning/anchore.yml | 2 +- code-scanning/bearer.yml | 2 +- code-scanning/brakeman.yml | 2 +- code-scanning/checkmarx-one.yml | 2 +- code-scanning/checkmarx.yml | 2 +- code-scanning/cloudrail.yml | 2 +- code-scanning/codacy.yml | 2 +- code-scanning/codescan.yml | 2 +- code-scanning/contrast-scan.yml | 2 +- code-scanning/credo.yml | 2 +- code-scanning/crunch42.yml | 2 +- code-scanning/datree.yml | 2 +- code-scanning/defender-for-devops.yml | 2 +- code-scanning/detekt.yml | 2 +- code-scanning/devskim.yml | 2 +- code-scanning/endorlabs.yml | 2 +- code-scanning/eslint.yml | 2 +- code-scanning/flawfinder.yml | 2 +- code-scanning/fortify.yml | 2 +- code-scanning/frogbot-scan-and-fix.yml | 2 +- code-scanning/hadolint.yml | 2 +- code-scanning/jscrambler-code-integrity.yml | 2 +- code-scanning/kubesec.yml | 2 +- code-scanning/lintr.yml | 2 +- code-scanning/mayhem-for-api.yml | 2 +- code-scanning/mobsf.yml | 2 +- code-scanning/msvc.yml | 2 +- code-scanning/njsscan.yml | 2 +- code-scanning/nowsecure-mobile-sbom.yml | 2 +- code-scanning/nowsecure.yml | 2 +- code-scanning/ossar.yml | 2 +- code-scanning/phpmd.yml | 2 +- code-scanning/pmd.yml | 2 +- code-scanning/powershell.yml | 2 +- code-scanning/prisma.yml | 2 +- code-scanning/psalm.yml | 2 +- code-scanning/puppet-lint.yml | 2 +- code-scanning/pyre.yml | 2 +- code-scanning/pysa.yml | 2 +- code-scanning/rubocop.yml | 2 +- code-scanning/securitycodescan.yml | 2 +- code-scanning/semgrep.yml | 2 +- code-scanning/snyk-container.yml | 2 +- code-scanning/snyk-infrastructure.yml | 2 +- code-scanning/snyk-security.yml | 2 +- code-scanning/sobelow.yml | 2 +- code-scanning/stackhawk.yml | 2 +- code-scanning/synopsys-action.yml | 2 +- code-scanning/synopsys-io.yml | 2 +- code-scanning/sysdig-scan.yml | 2 +- code-scanning/tfsec.yml | 2 +- code-scanning/trivy.yml | 2 +- code-scanning/veracode.yml | 2 +- code-scanning/xanitizer.yml | 2 +- code-scanning/zscaler-iac-scan.yml | 2 +- code-scanning/zscan.yml | 2 +- deployments/alibabacloud.yml | 2 +- deployments/aws.yml | 2 +- deployments/azure-container-webapp.yml | 2 +- deployments/azure-functions-app-container.yml | 2 +- deployments/azure-functions-app-dotnet.yml | 2 +- deployments/azure-functions-app-java-gradle.yml | 2 +- deployments/azure-functions-app-java.yml | 2 +- deployments/azure-functions-app-nodejs.yml | 2 +- deployments/azure-functions-app-powershell.yml | 2 +- deployments/azure-functions-app-python.yml | 2 +- deployments/azure-kubernetes-service-helm.yml | 4 ++-- deployments/azure-kubernetes-service-kompose.yml | 4 ++-- deployments/azure-kubernetes-service-kustomize.yml | 4 ++-- deployments/azure-kubernetes-service.yml | 4 ++-- deployments/azure-staticwebapp.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 2 +- deployments/azure-webapps-java-jar-gradle.yml | 2 +- deployments/azure-webapps-java-jar.yml | 2 +- deployments/azure-webapps-node.yml | 2 +- deployments/azure-webapps-php.yml | 2 +- deployments/azure-webapps-python.yml | 2 +- deployments/google.yml | 2 +- deployments/ibm.yml | 2 +- deployments/openshift.yml | 2 +- deployments/tencent.yml | 2 +- deployments/terraform.yml | 2 +- 135 files changed, 142 insertions(+), 142 deletions(-) diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index b526eeb..ffe789e 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-python@v4 with: diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index ddd0484..6a3da68 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -10,7 +10,7 @@ jobs: contents: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - run: | git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/* git config user.email "cschleiden@github.com" diff --git a/.github/workflows/validate-data.yaml b/.github/workflows/validate-data.yaml index 7f8701d..43f5578 100644 --- a/.github/workflows/validate-data.yaml +++ b/.github/workflows/validate-data.yaml @@ -10,7 +10,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-node@v3 with: diff --git a/ci/ada.yml b/ci/ada.yml index 417ed2e..ecb01cd 100644 --- a/ci/ada.yml +++ b/ci/ada.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set up GNAT toolchain run: > diff --git a/ci/android.yml b/ci/android.yml index 221fca5..80a33b4 100644 --- a/ci/android.yml +++ b/ci/android.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: set up JDK 11 uses: actions/setup-java@v3 with: diff --git a/ci/ant.yml b/ci/ant.yml index e9dba01..517a37a 100644 --- a/ci/ant.yml +++ b/ci/ant.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up JDK 11 uses: actions/setup-java@v3 with: diff --git a/ci/blank.yml b/ci/blank.yml index 607e2cf..8decfee 100644 --- a/ci/blank.yml +++ b/ci/blank.yml @@ -23,7 +23,7 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Runs a single command using the runners shell - name: Run a one-line script diff --git a/ci/c-cpp.yml b/ci/c-cpp.yml index 14d2eb9..087efee 100644 --- a/ci/c-cpp.yml +++ b/ci/c-cpp.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: configure run: ./configure - name: make diff --git a/ci/clojure.yml b/ci/clojure.yml index a76631a..06396a8 100644 --- a/ci/clojure.yml +++ b/ci/clojure.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Install dependencies run: lein deps - name: Run tests diff --git a/ci/cmake-multi-platform.yml b/ci/cmake-multi-platform.yml index 8762e9f..6d49398 100644 --- a/ci/cmake-multi-platform.yml +++ b/ci/cmake-multi-platform.yml @@ -45,7 +45,7 @@ jobs: c_compiler: cl steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set reusable strings # Turn repeated input strings (such as the build output directory) into step outputs. These step outputs can be used throughout the workflow file. diff --git a/ci/cmake-single-platform.yml b/ci/cmake-single-platform.yml index ccc318b..1e89f2f 100644 --- a/ci/cmake-single-platform.yml +++ b/ci/cmake-single-platform.yml @@ -20,7 +20,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Configure CMake # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make. diff --git a/ci/crystal.yml b/ci/crystal.yml index 18cc825..0b4f570 100644 --- a/ci/crystal.yml +++ b/ci/crystal.yml @@ -15,7 +15,7 @@ jobs: image: crystallang/crystal steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Install dependencies run: shards install - name: Run tests diff --git a/ci/d.yml b/ci/d.yml index 350eeee..e268298 100644 --- a/ci/d.yml +++ b/ci/d.yml @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: dlang-community/setup-dlang@4c99aa991ce7d19dd3064de0a4f2f6b2f152e2d7 - name: 'Build & Test' diff --git a/ci/dart.yml b/ci/dart.yml index 7bf352f..35c0ee6 100644 --- a/ci/dart.yml +++ b/ci/dart.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Note: This workflow uses the latest stable version of the Dart SDK. # You can specify other versions if desired, see documentation here: diff --git a/ci/deno.yml b/ci/deno.yml index 92338c9..abbf294 100644 --- a/ci/deno.yml +++ b/ci/deno.yml @@ -23,7 +23,7 @@ jobs: steps: - name: Setup repo - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup Deno # uses: denoland/setup-deno@v1 diff --git a/ci/django.yml b/ci/django.yml index 79550cc..0503635 100644 --- a/ci/django.yml +++ b/ci/django.yml @@ -16,7 +16,7 @@ jobs: python-version: [3.7, 3.8, 3.9] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v3 with: diff --git a/ci/docker-image.yml b/ci/docker-image.yml index cc9cd6e..be757cc 100644 --- a/ci/docker-image.yml +++ b/ci/docker-image.yml @@ -13,6 +13,6 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Build the Docker image run: docker build . --file Dockerfile --tag my-image-name:$(date +%s) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index ff80b66..8a042a5 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -35,7 +35,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer diff --git a/ci/elixir.yml b/ci/elixir.yml index 58f0b27..43b32be 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -21,7 +21,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Elixir uses: erlef/setup-beam@61e01a43a562a89bfc54c7f9a378ff67b03e4a21 # v1.16.0 with: diff --git a/ci/erlang.yml b/ci/erlang.yml index 984b83a..d8dcb76 100644 --- a/ci/erlang.yml +++ b/ci/erlang.yml @@ -19,7 +19,7 @@ jobs: image: erlang:22.0.7 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Compile run: rebar3 compile - name: Run tests diff --git a/ci/gem-push.yml b/ci/gem-push.yml index dd6d867..262d9bc 100644 --- a/ci/gem-push.yml +++ b/ci/gem-push.yml @@ -15,7 +15,7 @@ jobs: packages: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Ruby 2.6 # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, # change this to (see https://github.com/ruby/setup-ruby#versioning): diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml index a36e782..35c829b 100644 --- a/ci/generator-generic-ossf-slsa3-publish.yml +++ b/ci/generator-generic-ossf-slsa3-publish.yml @@ -23,7 +23,7 @@ jobs: digests: ${{ steps.hash.outputs.digests }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # ======================================================== # diff --git a/ci/go.yml b/ci/go.yml index 9f74f87..2154740 100644 --- a/ci/go.yml +++ b/ci/go.yml @@ -14,7 +14,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Go uses: actions/setup-go@v4 diff --git a/ci/haskell.yml b/ci/haskell.yml index 5693f90..6be4162 100644 --- a/ci/haskell.yml +++ b/ci/haskell.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-haskell@v1 with: ghc-version: '8.10.3' diff --git a/ci/ios.yml b/ci/ios.yml index 693a7d5..e1dca4b 100644 --- a/ci/ios.yml +++ b/ci/ios.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set Default Scheme run: | scheme_list=$(xcodebuild -list -json | tr -d "\n") diff --git a/ci/jekyll-docker.yml b/ci/jekyll-docker.yml index 6a98dea..4ae36d7 100644 --- a/ci/jekyll-docker.yml +++ b/ci/jekyll-docker.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Build the site in the jekyll/builder container run: | docker run \ diff --git a/ci/laravel.yml b/ci/laravel.yml index fc30f21..267c798 100644 --- a/ci/laravel.yml +++ b/ci/laravel.yml @@ -15,7 +15,7 @@ jobs: - uses: shivammathur/setup-php@15c43e89cdef867065b0213be354c2841860869e with: php-version: '8.0' - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Copy .env run: php -r "file_exists('.env') || copy('.env.example', '.env');" - name: Install Dependencies diff --git a/ci/makefile.yml b/ci/makefile.yml index 1b53855..5b6d2e6 100644 --- a/ci/makefile.yml +++ b/ci/makefile.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: configure run: ./configure diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml index dab69fe..954e6c8 100644 --- a/ci/maven-publish.yml +++ b/ci/maven-publish.yml @@ -16,7 +16,7 @@ jobs: packages: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up JDK 11 uses: actions/setup-java@v3 with: diff --git a/ci/maven.yml b/ci/maven.yml index f97113e..47816ee 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -20,7 +20,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up JDK 17 uses: actions/setup-java@v3 with: diff --git a/ci/msbuild.yml b/ci/msbuild.yml index a52ec35..25ed6d1 100644 --- a/ci/msbuild.yml +++ b/ci/msbuild.yml @@ -28,7 +28,7 @@ jobs: runs-on: windows-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Add MSBuild to PATH uses: microsoft/setup-msbuild@v1.0.2 diff --git a/ci/node.js.yml b/ci/node.js.yml index f230593..688a227 100644 --- a/ci/node.js.yml +++ b/ci/node.js.yml @@ -20,7 +20,7 @@ jobs: # See supported Node.js release schedule at https://nodejs.org/en/about/releases/ steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} uses: actions/setup-node@v3 with: diff --git a/ci/npm-grunt.yml b/ci/npm-grunt.yml index 0bcbd1c..0039895 100644 --- a/ci/npm-grunt.yml +++ b/ci/npm-grunt.yml @@ -15,7 +15,7 @@ jobs: node-version: [14.x, 16.x, 18.x] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} uses: actions/setup-node@v3 diff --git a/ci/npm-gulp.yml b/ci/npm-gulp.yml index 7d79002..19bed27 100644 --- a/ci/npm-gulp.yml +++ b/ci/npm-gulp.yml @@ -15,7 +15,7 @@ jobs: node-version: [14.x, 16.x, 18.x] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} uses: actions/setup-node@v3 diff --git a/ci/npm-publish-github-packages.yml b/ci/npm-publish-github-packages.yml index e790f4d..1899709 100644 --- a/ci/npm-publish-github-packages.yml +++ b/ci/npm-publish-github-packages.yml @@ -11,7 +11,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-node@v3 with: node-version: 16 @@ -25,7 +25,7 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-node@v3 with: node-version: 16 diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index 6cdebaf..0049296 100644 --- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml @@ -11,7 +11,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-node@v3 with: node-version: 16 @@ -22,7 +22,7 @@ jobs: needs: build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-node@v3 with: node-version: 16 diff --git a/ci/objective-c-xcode.yml b/ci/objective-c-xcode.yml index 1373878..8c73fce 100644 --- a/ci/objective-c-xcode.yml +++ b/ci/objective-c-xcode.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set Default Scheme run: | scheme_list=$(xcodebuild -list -json | tr -d "\n") diff --git a/ci/php.yml b/ci/php.yml index a3bdfd7..0cf8c96 100644 --- a/ci/php.yml +++ b/ci/php.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Validate composer.json and composer.lock run: composer validate --strict diff --git a/ci/pylint.yml b/ci/pylint.yml index 383e65c..c73e032 100644 --- a/ci/pylint.yml +++ b/ci/pylint.yml @@ -9,7 +9,7 @@ jobs: matrix: python-version: ["3.8", "3.9", "3.10"] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v3 with: diff --git a/ci/python-app.yml b/ci/python-app.yml index 9945382..5963096 100644 --- a/ci/python-app.yml +++ b/ci/python-app.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Python 3.10 uses: actions/setup-python@v3 with: diff --git a/ci/python-package-conda.yml b/ci/python-package-conda.yml index 384f9b7..f358604 100644 --- a/ci/python-package-conda.yml +++ b/ci/python-package-conda.yml @@ -9,7 +9,7 @@ jobs: max-parallel: 5 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Python 3.10 uses: actions/setup-python@v3 with: diff --git a/ci/python-package.yml b/ci/python-package.yml index 249ceef..19247ca 100644 --- a/ci/python-package.yml +++ b/ci/python-package.yml @@ -19,7 +19,7 @@ jobs: python-version: ["3.9", "3.10", "3.11"] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v3 with: diff --git a/ci/python-publish.yml b/ci/python-publish.yml index bdaab28..b7a704b 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -21,7 +21,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Python uses: actions/setup-python@v3 with: diff --git a/ci/r.yml b/ci/r.yml index 68f02d7..6d58427 100644 --- a/ci/r.yml +++ b/ci/r.yml @@ -25,7 +25,7 @@ jobs: r-version: ['3.6.3', '4.1.1'] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up R ${{ matrix.r-version }} uses: r-lib/actions/setup-r@f57f1301a053485946083d7a45022b278929a78a with: diff --git a/ci/ruby.yml b/ci/ruby.yml index 9e94081..1eaba46 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -25,7 +25,7 @@ jobs: ruby-version: ['2.6', '2.7', '3.0'] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Ruby # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, # change this to (see https://github.com/ruby/setup-ruby#versioning): diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index 20ff014..23c242c 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -27,7 +27,7 @@ jobs: DATABASE_URL: "postgres://rails:password@localhost:5432/rails_test" steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Add or replace dependency steps here - name: Install Ruby and gems uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 @@ -44,7 +44,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Install Ruby and gems uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: diff --git a/ci/rust.yml b/ci/rust.yml index d51f1af..cda1f64 100644 --- a/ci/rust.yml +++ b/ci/rust.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Build run: cargo build --verbose - name: Run tests diff --git a/ci/scala.yml b/ci/scala.yml index 14ba966..83b09f7 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -20,7 +20,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up JDK 11 uses: actions/setup-java@v3 with: diff --git a/ci/super-linter.yml b/ci/super-linter.yml index 275b34f..01dc63b 100644 --- a/ci/super-linter.yml +++ b/ci/super-linter.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: # Full git history is needed to get a proper list of changed files within `super-linter` fetch-depth: 0 diff --git a/ci/swift.yml b/ci/swift.yml index 91276e3..f2da0d0 100644 --- a/ci/swift.yml +++ b/ci/swift.yml @@ -15,7 +15,7 @@ jobs: runs-on: macos-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Build run: swift build -v - name: Run tests diff --git a/ci/symfony.yml b/ci/symfony.yml index 4b957e1..4ca1764 100644 --- a/ci/symfony.yml +++ b/ci/symfony.yml @@ -24,7 +24,7 @@ jobs: - uses: shivammathur/setup-php@2cb9b829437ee246e9b3cac53555a39208ca6d28 with: php-version: '8.0' - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Copy .env.test.local run: php -r "file_exists('.env.test.local') || copy('.env.test', '.env.test.local');" - name: Cache Composer packages diff --git a/ci/webpack.yml b/ci/webpack.yml index 2b8b18a..9e967c0 100644 --- a/ci/webpack.yml +++ b/ci/webpack.yml @@ -15,7 +15,7 @@ jobs: node-version: [14.x, 16.x, 18.x] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} uses: actions/setup-node@v3 diff --git a/code-scanning/anchore-syft.yml b/code-scanning/anchore-syft.yml index 8180622..99d4dd0 100644 --- a/code-scanning/anchore-syft.yml +++ b/code-scanning/anchore-syft.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Build the Docker image run: docker build . --file Dockerfile --tag localbuild/testimage:latest - name: Scan the image and upload dependency results diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 818fb70..2bbc55e 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -32,7 +32,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out the code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Build the Docker image run: docker build . --file Dockerfile --tag localbuild/testimage:latest - name: Run the Anchore Grype scan action diff --git a/code-scanning/bearer.yml b/code-scanning/bearer.yml index 7e66e57..7971be9 100644 --- a/code-scanning/bearer.yml +++ b/code-scanning/bearer.yml @@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: # Checkout project source - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Scan code using Bearer CLI - name: Run Report id: report diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index 197300c..0d1cb05 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -31,7 +31,7 @@ jobs: steps: # Checkout the repository to the GitHub Actions runner - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Customize the ruby version depending on your needs - name: Setup Ruby diff --git a/code-scanning/checkmarx-one.yml b/code-scanning/checkmarx-one.yml index 6214ab1..7feeb25 100644 --- a/code-scanning/checkmarx-one.yml +++ b/code-scanning/checkmarx-one.yml @@ -38,7 +38,7 @@ jobs: steps: # This step checks out a copy of your repository. - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # This step creates the Checkmarx One scan - name: Checkmarx One scan uses: checkmarx/ast-github-action@8e887bb93dacc44e0f5b64ee2b06d5815f89d4fc diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index 582488a..b4a99f3 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -35,7 +35,7 @@ jobs: # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs - name: Checkmarx CxFlow Action uses: checkmarx-ts/checkmarx-cxflow-github-action@49d8269b14ca87910ba003d47a31fa0c7a11f2fe diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml index e5defa3..8273881 100644 --- a/code-scanning/cloudrail.yml +++ b/code-scanning/cloudrail.yml @@ -24,7 +24,7 @@ jobs: steps: - name: Clone repo - uses: actions/checkout@v3 + uses: actions/checkout@v4 # For Terraform, Cloudrail requires the plan as input. So we generate it using # the Terraform core binary. diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index bbb2118..c3cd9f5 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -36,7 +36,7 @@ jobs: steps: # Checkout the repository to the GitHub Actions runner - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis - name: Run Codacy Analysis CLI diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index 0959d23..c4858c6 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -29,7 +29,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Cache files uses: actions/cache@v3 with: diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml index ff3d9d3..1950d3a 100644 --- a/code-scanning/contrast-scan.yml +++ b/code-scanning/contrast-scan.yml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest # check out project steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here. # -name: Build Project # ... diff --git a/code-scanning/credo.yml b/code-scanning/credo.yml index c1fb8d1..8c8c8be 100644 --- a/code-scanning/credo.yml +++ b/code-scanning/credo.yml @@ -41,7 +41,7 @@ jobs: otp: [version] elixir: [version] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f with: otp-version: ${{matrix.otp}} diff --git a/code-scanning/crunch42.yml b/code-scanning/crunch42.yml index 94ea23b..693bf5f 100644 --- a/code-scanning/crunch42.yml +++ b/code-scanning/crunch42.yml @@ -42,7 +42,7 @@ jobs: security-events: write # for 42Crunch/api-security-audit-action to upload results to Github Code Scanning runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: 42Crunch REST API Static Security Testing uses: 42Crunch/api-security-audit-action@fc01ea7a89e6268875868f9d89598af7a9899ae0 diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml index 2e44682..a892cf8 100644 --- a/code-scanning/datree.yml +++ b/code-scanning/datree.yml @@ -27,7 +27,7 @@ jobs: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Run Datree policy check continue-on-error: true uses: datreeio/action-datree@de67ae7a5133d719dc794e1b75682cd4c5f94d8a diff --git a/code-scanning/defender-for-devops.yml b/code-scanning/defender-for-devops.yml index 71971cd..07aa7d1 100644 --- a/code-scanning/defender-for-devops.yml +++ b/code-scanning/defender-for-devops.yml @@ -32,7 +32,7 @@ jobs: runs-on: windows-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-dotnet@v3 with: dotnet-version: | diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index 502c66e..76a116b 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml @@ -45,7 +45,7 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Gets the download URL associated with the $DETEKT_RELEASE_TAG - name: Get Detekt download URL diff --git a/code-scanning/devskim.yml b/code-scanning/devskim.yml index 4abd6ca..98daab8 100644 --- a/code-scanning/devskim.yml +++ b/code-scanning/devskim.yml @@ -23,7 +23,7 @@ jobs: security-events: write steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run DevSkim scanner uses: microsoft/DevSkim-Action@v1 diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index 5633a6b..670fe62 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml @@ -21,7 +21,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 #### Package Build Instructions ### Use this section to define the build steps used by your software package. ### Endor Labs builds your software for you where possible but the required build tools must be made available. diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml index fcb4f21..876ea2b 100644 --- a/code-scanning/eslint.yml +++ b/code-scanning/eslint.yml @@ -28,7 +28,7 @@ jobs: actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Install ESLint run: | diff --git a/code-scanning/flawfinder.yml b/code-scanning/flawfinder.yml index 4ed8792..d564b68 100644 --- a/code-scanning/flawfinder.yml +++ b/code-scanning/flawfinder.yml @@ -24,7 +24,7 @@ jobs: security-events: write steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: flawfinder_scan uses: david-a-wheeler/flawfinder@8e4a779ad59dbfaee5da586aa9210853b701959c diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml index 5e7c422..c52b70e 100644 --- a/code-scanning/fortify.yml +++ b/code-scanning/fortify.yml @@ -39,7 +39,7 @@ jobs: steps: # Check out source code - name: Check Out Source Code - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Java is required to run the various Fortify utilities. # When scanning a Java application, please use the appropriate Java version for building your application. diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index ed70289..62eb9ec 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -21,7 +21,7 @@ jobs: create-fix-pull-requests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # IMPORTANT: # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml index 68aebaa..2d901a4 100644 --- a/code-scanning/hadolint.yml +++ b/code-scanning/hadolint.yml @@ -30,7 +30,7 @@ jobs: actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run hadolint uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183 diff --git a/code-scanning/jscrambler-code-integrity.yml b/code-scanning/jscrambler-code-integrity.yml index cbc9345..69d7c42 100644 --- a/code-scanning/jscrambler-code-integrity.yml +++ b/code-scanning/jscrambler-code-integrity.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-node@v3 with: node-version: 18 diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml index c432673..98fd8e0 100644 --- a/code-scanning/kubesec.yml +++ b/code-scanning/kubesec.yml @@ -24,7 +24,7 @@ jobs: security-events: write steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run kubesec scanner uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 diff --git a/code-scanning/lintr.yml b/code-scanning/lintr.yml index 8a6de57..01ce719 100644 --- a/code-scanning/lintr.yml +++ b/code-scanning/lintr.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup R uses: r-lib/actions/setup-r@4e1feaf90520ec1215d1882fdddfe3411c08e492 diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml index 64fe71a..9e533fe 100644 --- a/code-scanning/mayhem-for-api.yml +++ b/code-scanning/mayhem-for-api.yml @@ -42,7 +42,7 @@ jobs: contents: read security-events: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Run your API in the background. Ideally, the API would run in debug # mode & send stacktraces back on "500 Internal Server Error" responses diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 2146248..9f876ae 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -25,7 +25,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Setup python uses: actions/setup-python@v3 diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 172d855..0700989 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -34,7 +34,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Configure CMake run: cmake -B ${{ env.build }} diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index 81e3650..8062259 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -30,7 +30,7 @@ jobs: name: njsscan code scanning steps: - name: Checkout the code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: nodejsscan scan id: njsscan uses: ajinabraham/njsscan-action@7237412fdd36af517e2745077cedbf9d6900d711 diff --git a/code-scanning/nowsecure-mobile-sbom.yml b/code-scanning/nowsecure-mobile-sbom.yml index b9cf039..539b038 100644 --- a/code-scanning/nowsecure-mobile-sbom.yml +++ b/code-scanning/nowsecure-mobile-sbom.yml @@ -42,7 +42,7 @@ jobs: contents: read steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Build your application run: ./gradlew assembleDebug # Update this to build your Android or iOS application diff --git a/code-scanning/nowsecure.yml b/code-scanning/nowsecure.yml index 7b5ba8f..324a533 100644 --- a/code-scanning/nowsecure.yml +++ b/code-scanning/nowsecure.yml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Build your application run: ./gradlew assembleDebug # Update this to build your Android or iOS application diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index 63a7515..ad46e1d 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -32,7 +32,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Ensure a compatible version of dotnet is installed. # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml index 686551a..58ca4f8 100644 --- a/code-scanning/phpmd.yml +++ b/code-scanning/phpmd.yml @@ -38,7 +38,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup PHP uses: shivammathur/setup-php@aa1fe473f9c687b6fb896056d771232c0bc41161 diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 6b5b7ea..ed5eec9 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -24,7 +24,7 @@ jobs: actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up JDK 11 uses: actions/setup-java@v3 with: diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index 1e8a426..52f65a0 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -29,7 +29,7 @@ jobs: name: PSScriptAnalyzer runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Run PSScriptAnalyzer uses: microsoft/psscriptanalyzer-action@6b2948b1944407914a58661c49941824d149734f diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 9b24386..4b84b21 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -34,7 +34,7 @@ jobs: name: Run Prisma Cloud IaC Scan to check steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - id: iac-scan name: Run Scan on CFT files in the repository uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3 diff --git a/code-scanning/psalm.yml b/code-scanning/psalm.yml index 1e88766..dddbfdd 100644 --- a/code-scanning/psalm.yml +++ b/code-scanning/psalm.yml @@ -27,7 +27,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Psalm Security Scan uses: psalm/psalm-github-security-scan@f3e6fd9432bc3e44aec078572677ce9d2ef9c287 diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml index 047ff00..e039085 100644 --- a/code-scanning/puppet-lint.yml +++ b/code-scanning/puppet-lint.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup Ruby uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 diff --git a/code-scanning/pyre.yml b/code-scanning/pyre.yml index 3c32e8b..791dbaa 100644 --- a/code-scanning/pyre.yml +++ b/code-scanning/pyre.yml @@ -33,7 +33,7 @@ jobs: security-events: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: submodules: true diff --git a/code-scanning/pysa.yml b/code-scanning/pysa.yml index a9e3c81..a60a99f 100644 --- a/code-scanning/pysa.yml +++ b/code-scanning/pysa.yml @@ -35,7 +35,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: submodules: true diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml index e2347db..feef351 100644 --- a/code-scanning/rubocop.yml +++ b/code-scanning/rubocop.yml @@ -23,7 +23,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # If running on a self-hosted runner, check it meets the requirements # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml index 7a93d8a..5d5e87b 100644 --- a/code-scanning/securitycodescan.yml +++ b/code-scanning/securitycodescan.yml @@ -21,7 +21,7 @@ jobs: SCS: runs-on: windows-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: nuget/setup-nuget@04b0c2b8d1b97922f67eca497d7cf0bf17b8ffe1 - uses: microsoft/setup-msbuild@v1.0.2 diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index 23486e4..f21aa9a 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -32,7 +32,7 @@ jobs: runs-on: ubuntu-latest steps: # Checkout project source - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Scan code using project's configuration on https://semgrep.dev/manage - uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735 diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index c3756c8..edbea1d 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml @@ -33,7 +33,7 @@ jobs: actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Build a Docker image run: docker build -t your/image-to-test . - name: Run Snyk to check Docker image for vulnerabilities diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index aedf2a3..a5605a3 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml @@ -32,7 +32,7 @@ jobs: actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Run Snyk to check configuration files for security issues # Snyk can be used to break the build when it detects security issues. # In this case we want to upload the issues to GitHub Code Scanning diff --git a/code-scanning/snyk-security.yml b/code-scanning/snyk-security.yml index 715fa1b..4941e00 100644 --- a/code-scanning/snyk-security.yml +++ b/code-scanning/snyk-security.yml @@ -35,7 +35,7 @@ jobs: actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Snyk CLI to check for security issues # Snyk can be used to break the build when it detects security issues. # In this case we want to upload the SAST issues to GitHub Code Scanning diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml index 61d376f..6dd4ffe 100644 --- a/code-scanning/sobelow.yml +++ b/code-scanning/sobelow.yml @@ -32,7 +32,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - id: run-action uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912 - name: Upload report diff --git a/code-scanning/stackhawk.yml b/code-scanning/stackhawk.yml index 64e9b9b..cac0507 100644 --- a/code-scanning/stackhawk.yml +++ b/code-scanning/stackhawk.yml @@ -49,7 +49,7 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Start your service run: ./your-service.sh & # âœī¸ Update this to run your own service to be scanned diff --git a/code-scanning/synopsys-action.yml b/code-scanning/synopsys-action.yml index 78855d6..f78def5 100644 --- a/code-scanning/synopsys-action.yml +++ b/code-scanning/synopsys-action.yml @@ -20,7 +20,7 @@ jobs: contents: read steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Synopsys Action uses: synopsys-sig/synopsys-action@v1.6.0 with: diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml index 61169e2..df50d9d 100644 --- a/code-scanning/synopsys-io.yml +++ b/code-scanning/synopsys-io.yml @@ -25,7 +25,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Synopsys Intelligent Security Scan id: prescription diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index 8c13a4b..c9a0edb 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Build the Docker image # Tag image to be built diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 706c8be..388fc37 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -24,7 +24,7 @@ jobs: steps: - name: Clone repo - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run tfsec uses: aquasecurity/tfsec-sarif-action@21ded20e8ca120cd9d3d6ab04ef746477542a608 diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index e4d38cd..ec90221 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -27,7 +27,7 @@ jobs: runs-on: "ubuntu-20.04" steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Build an image from Dockerfile run: | diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index 04fc814..379493f 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -32,7 +32,7 @@ jobs: steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. Replace this section with your applications build steps - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: repository: '' diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 8fd5c7b..32c977e 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -57,7 +57,7 @@ jobs: steps: # Check out the repository - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Set up the correct Java version for your project # Please comment out, if your project does not contain Java source code. diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml index e880bdf..7a2fc00 100644 --- a/code-scanning/zscaler-iac-scan.yml +++ b/code-scanning/zscaler-iac-scan.yml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest steps: - name : Code Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name : Zscaler IAC Scan uses : ZscalerCWP/Zscaler-IaC-Action@8d2afb33b10b4bd50e2dc2c932b37c6e70ac1087 id : zscaler-iac-scan diff --git a/code-scanning/zscan.yml b/code-scanning/zscan.yml index 01c3b05..018e473 100644 --- a/code-scanning/zscan.yml +++ b/code-scanning/zscan.yml @@ -36,7 +36,7 @@ jobs: actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Execute gradle build run: ./gradlew build # Change this to build your mobile application diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index 74dd7f6..526169e 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -76,7 +76,7 @@ jobs: tag: "${{ env.TAG }}" # 2.1 (Optional) Login to ACR EE - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Login to ACR EE with the AccessKey pair uses: aliyun/acr-login@v1 with: diff --git a/deployments/aws.yml b/deployments/aws.yml index af7d87d..3a1caa9 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -51,7 +51,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v1 diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml index 2f686e6..57d6386 100644 --- a/deployments/azure-container-webapp.yml +++ b/deployments/azure-container-webapp.yml @@ -42,7 +42,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 diff --git a/deployments/azure-functions-app-container.yml b/deployments/azure-functions-app-container.yml index 1173b95..8333878 100644 --- a/deployments/azure-functions-app-container.yml +++ b/deployments/azure-functions-app-container.yml @@ -40,7 +40,7 @@ jobs: environment: dev steps: - name: 'Checkout GitHub Action' - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: 'Login via Azure CLI' uses: azure/login@v1 diff --git a/deployments/azure-functions-app-dotnet.yml b/deployments/azure-functions-app-dotnet.yml index 824614e..bf1169b 100644 --- a/deployments/azure-functions-app-dotnet.yml +++ b/deployments/azure-functions-app-dotnet.yml @@ -33,7 +33,7 @@ jobs: environment: dev steps: - name: 'Checkout GitHub Action' - uses: actions/checkout@v3 + uses: actions/checkout@v4 # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below # - name: 'Login via Azure CLI' diff --git a/deployments/azure-functions-app-java-gradle.yml b/deployments/azure-functions-app-java-gradle.yml index 36c50b8..131e287 100644 --- a/deployments/azure-functions-app-java-gradle.yml +++ b/deployments/azure-functions-app-java-gradle.yml @@ -38,7 +38,7 @@ jobs: environment: dev steps: - name: 'Checkout GitHub Action' - uses: actions/checkout@v3 + uses: actions/checkout@v4 # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below # - name: 'Login via Azure CLI' diff --git a/deployments/azure-functions-app-java.yml b/deployments/azure-functions-app-java.yml index 5608328..e7b78c0 100644 --- a/deployments/azure-functions-app-java.yml +++ b/deployments/azure-functions-app-java.yml @@ -33,7 +33,7 @@ jobs: environment: dev steps: - name: 'Checkout GitHub Action' - uses: actions/checkout@v3 + uses: actions/checkout@v4 # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below # - name: 'Login via Azure CLI' diff --git a/deployments/azure-functions-app-nodejs.yml b/deployments/azure-functions-app-nodejs.yml index 916f396..6c2e45c 100644 --- a/deployments/azure-functions-app-nodejs.yml +++ b/deployments/azure-functions-app-nodejs.yml @@ -35,7 +35,7 @@ jobs: environment: dev steps: - name: 'Checkout GitHub Action' - uses: actions/checkout@v3 + uses: actions/checkout@v4 # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below # - name: 'Login via Azure CLI' diff --git a/deployments/azure-functions-app-powershell.yml b/deployments/azure-functions-app-powershell.yml index 5d62316..9ffc628 100644 --- a/deployments/azure-functions-app-powershell.yml +++ b/deployments/azure-functions-app-powershell.yml @@ -32,7 +32,7 @@ jobs: environment: dev steps: - name: 'Checkout GitHub Action' - uses: actions/checkout@v3 + uses: actions/checkout@v4 # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below # - name: 'Login via Azure CLI' diff --git a/deployments/azure-functions-app-python.yml b/deployments/azure-functions-app-python.yml index 6452a18..2c50d8a 100644 --- a/deployments/azure-functions-app-python.yml +++ b/deployments/azure-functions-app-python.yml @@ -33,7 +33,7 @@ jobs: environment: dev steps: - name: 'Checkout GitHub Action' - uses: actions/checkout@v3 + uses: actions/checkout@v4 # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below # - name: 'Login via Azure CLI' diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index c3b521e..a6c666b 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -55,7 +55,7 @@ jobs: runs-on: ubuntu-latest steps: # Checks out the repository this file is in - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Logs in with your Azure credentials - name: Azure login @@ -79,7 +79,7 @@ jobs: needs: [buildImage] steps: # Checks out the repository this file is in - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Logs in with your Azure credentials - name: Azure login diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index c2edcea..a222528 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -53,7 +53,7 @@ jobs: runs-on: ubuntu-latest steps: # Checks out the repository this file is in - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Logs in with your Azure credentials - name: Azure login @@ -77,7 +77,7 @@ jobs: needs: [buildImage] steps: # Checks out the repository this file is in - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Logs in with your Azure credentials - name: Azure login diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index 1b8aa99..e27e04e 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -53,7 +53,7 @@ jobs: runs-on: ubuntu-latest steps: # Checks out the repository this file is in - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Logs in with your Azure credentials - name: Azure login @@ -77,7 +77,7 @@ jobs: needs: [buildImage] steps: # Checks out the repository this file is in - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Logs in with your Azure credentials - name: Azure login diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index f5450e5..649eb72 100644 --- a/deployments/azure-kubernetes-service.yml +++ b/deployments/azure-kubernetes-service.yml @@ -49,7 +49,7 @@ jobs: runs-on: ubuntu-latest steps: # Checks out the repository this file is in - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Logs in with your Azure credentials - name: Azure login @@ -73,7 +73,7 @@ jobs: needs: [buildImage] steps: # Checks out the repository this file is in - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Logs in with your Azure credentials - name: Azure login diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml index 8fe07ce..bc9bc62 100644 --- a/deployments/azure-staticwebapp.yml +++ b/deployments/azure-staticwebapp.yml @@ -38,7 +38,7 @@ jobs: runs-on: ubuntu-latest name: Build and Deploy Job steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: submodules: true - name: Build And Deploy diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 005aef2..b4bfafb 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -37,7 +37,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up .NET Core uses: actions/setup-dotnet@v2 diff --git a/deployments/azure-webapps-java-jar-gradle.yml b/deployments/azure-webapps-java-jar-gradle.yml index b1c1df9..63a45cc 100644 --- a/deployments/azure-webapps-java-jar-gradle.yml +++ b/deployments/azure-webapps-java-jar-gradle.yml @@ -37,7 +37,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Java version uses: actions/setup-java@v3.0.0 diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index c29d871..608fb8e 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -37,7 +37,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Java version uses: actions/setup-java@v3.0.0 diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index c72b1be..147d4e6 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -34,7 +34,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Node.js uses: actions/setup-node@v3 diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index b3aee8d..1182c2a 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -37,7 +37,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Setup PHP uses: shivammathur/setup-php@7c0b4c8c8ebed23eca9ec2802474895d105b11bc diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 0ce3ce9..656f95c 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -36,7 +36,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Python version uses: actions/setup-python@v3.0.0 diff --git a/deployments/google.yml b/deployments/google.yml index 846452a..deb9877 100644 --- a/deployments/google.yml +++ b/deployments/google.yml @@ -37,7 +37,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Configure Workload Identity Federation and generate an access token. - id: 'auth' diff --git a/deployments/ibm.yml b/deployments/ibm.yml index 53a58c5..eaec275 100644 --- a/deployments/ibm.yml +++ b/deployments/ibm.yml @@ -32,7 +32,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Download and Install IBM Cloud CLI - name: Install IBM Cloud CLI diff --git a/deployments/openshift.yml b/deployments/openshift.yml index 8504059..1c3fc43 100644 --- a/deployments/openshift.yml +++ b/deployments/openshift.yml @@ -124,7 +124,7 @@ jobs: } - name: Check out repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Determine app name if: env.APP_NAME == '' diff --git a/deployments/tencent.yml b/deployments/tencent.yml index 3d22854..bf75b56 100644 --- a/deployments/tencent.yml +++ b/deployments/tencent.yml @@ -37,7 +37,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Build - name: Build Docker image diff --git a/deployments/terraform.yml b/deployments/terraform.yml index c06f685..25d2963 100644 --- a/deployments/terraform.yml +++ b/deployments/terraform.yml @@ -66,7 +66,7 @@ jobs: steps: # Checkout the repository to the GitHub Actions runner - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token - name: Setup Terraform From ca5bcdc6930fe44fae60c9e0a60f5c1f56b2d449 Mon Sep 17 00:00:00 2001 From: Rex P <106129829+another-rex@users.noreply.github.com> Date: Wed, 10 Apr 2024 13:21:33 +1000 Subject: [PATCH 20/22] Add OSV-Scanner code scanning workflow (#2350) * Add OSV-Scanner code scanning workflow * Update code-scanning/osv-scanner.yml Co-authored-by: Alexis Abril --------- Co-authored-by: Alexis Abril --- code-scanning/osv-scanner.yml | 48 +++++++++++++++++++ .../properties/osv-scanner.properties.json | 7 +++ icons/osv.svg | 29 +++++++++++ 3 files changed, 84 insertions(+) create mode 100644 code-scanning/osv-scanner.yml create mode 100644 code-scanning/properties/osv-scanner.properties.json create mode 100644 icons/osv.svg diff --git a/code-scanning/osv-scanner.yml b/code-scanning/osv-scanner.yml new file mode 100644 index 0000000..2aa7150 --- /dev/null +++ b/code-scanning/osv-scanner.yml @@ -0,0 +1,48 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which sets up periodic OSV-Scanner scanning for vulnerabilities, +# in addition to a PR check which fails if new vulnerabilities are introduced. +# +# For more examples and options, including how to ignore specific vulnerabilities, +# see https://google.github.io/osv-scanner/github-action/ + +name: OSV-Scanner + +on: + pull_request: + branches: [ $default-branch, $protected-branches ] + merge_group: + branches: [ $default-branch, $protected-branches ] + schedule: + - cron: $cron-weekly + push: + branches: [ $default-branch, $protected-branches ] + +permissions: + # Require writing security events to upload SARIF file to security tab + security-events: write + # Read commit contents + contents: read + +jobs: + scan-scheduled: + if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }} + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1 + with: + # Example of specifying custom arguments + scan-args: |- + -r + --skip-git + ./ + scan-pr: + if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }} + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1 + with: + # Example of specifying custom arguments + scan-args: |- + -r + --skip-git + ./ diff --git a/code-scanning/properties/osv-scanner.properties.json b/code-scanning/properties/osv-scanner.properties.json new file mode 100644 index 0000000..2ea1d36 --- /dev/null +++ b/code-scanning/properties/osv-scanner.properties.json @@ -0,0 +1,7 @@ +{ + "name": "OSV Scanner", + "creator": "Google", + "description": "Vulnerability scanner for your dependencies using data provided by https://osv.dev", + "iconName": "osv", + "categories": ["Code Scanning", "JavaScript", "Python", "Java", "PHP", "C#", "R", "Ruby", "Rust", "Swift", "Go", "TypeScript"] +} diff --git a/icons/osv.svg b/icons/osv.svg new file mode 100644 index 0000000..c01aeee --- /dev/null +++ b/icons/osv.svg @@ -0,0 +1,29 @@ + + + + + + + + + + + + From a3194f5b4757a7bfb2324b17ccf11e28df2bc4f9 Mon Sep 17 00:00:00 2001 From: Marco Gario Date: Thu, 11 Apr 2024 09:39:30 +0200 Subject: [PATCH 21/22] Update CodeQL workflow to use packages:read permission. Co-authored-by: Anders Starcke Henriksen --- code-scanning/codeql.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index d24240d..6fdadb1 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -33,6 +33,9 @@ jobs: # required for all workflows security-events: write + # required to fetch internal or private CodeQL packs + packages: read + # only required for workflows in private repositories actions: read contents: read From ac9c407320899c9ddcb5054890deec998e9a20bb Mon Sep 17 00:00:00 2001 From: mponaws <157431286+mponaws@users.noreply.github.com> Date: Thu, 18 Apr 2024 12:39:17 -0700 Subject: [PATCH 22/22] Add starter-workflows for Policy Validator (#2375) * Add starter-workflows for Policy Validator * Add starter-workflows for Policy Validator * Add starter-workflows for Policy Validator, removed references to GitHub secrets & S3 to keep it simple --- code-scanning/policy-validator-cfn.yaml | 84 ++++++++++++++++++ code-scanning/policy-validator-tf.yaml | 87 +++++++++++++++++++ .../policy-validator-cfn.properties.json | 7 ++ .../policy-validator-tf.properties.json | 7 ++ 4 files changed, 185 insertions(+) create mode 100644 code-scanning/policy-validator-cfn.yaml create mode 100644 code-scanning/policy-validator-tf.yaml create mode 100644 code-scanning/properties/policy-validator-cfn.properties.json create mode 100644 code-scanning/properties/policy-validator-tf.properties.json diff --git a/code-scanning/policy-validator-cfn.yaml b/code-scanning/policy-validator-cfn.yaml new file mode 100644 index 0000000..b2cd163 --- /dev/null +++ b/code-scanning/policy-validator-cfn.yaml @@ -0,0 +1,84 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow will validate the IAM policies in the CloudFormation (CFN) templates with using the standard and custom checks in AWS IAM Access Analyzer +# To use this workflow, you will need to complete the following set up steps before start using it: +# 1. Configure an AWS IAM role to use the Access Analyzer's ValidatePolicy, CheckNoNewAccess and CheckAccessNotGranted. This IAM role must be configured to call from the GitHub Actions, use the following [doc](https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/) for steps. In the below workflow, ARN of such role is stored in the GitHub secrets with name `POLICY_VALIDATOR_ROLE` +# 2. If you're using CHECK_NO_NEW_ACCESS policy-check-type, you need to create a reference policy. Use the guide [here](https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples?tab=readme-ov-file#how-do-i-write-my-own-reference-policies) and store it your GitHub repo. +# 3. If you're using the CHECK_ACCESS_NOT_GRANTED policy-check-type, identify the list of critical actions that shouldn't be granted access by the policies in the given CFN templates. +# 4. Start using the GitHub actions by generating the GitHub events matching the defined criteria in your workflow. +name: Validate AWS IAM policies in CloudFormation templates using Policy Validator +on: + push: + branches: [$default-branch, $protected-branches] + pull_request: + # The branches below must be a subset of the branches above + branches: [$default-branch] +env: + AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions + REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1 + TEMPLATE_PATH: FILE_PATH_TO_CFN_TEMPLATE # set to the file path to the CloudFormation template. + ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's file path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. + REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. +jobs: + policy-validator: + runs-on: ubuntu-latest # Virtual machine to run the workflow (configurable) + # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#updating-your-github-actions-workflow + # https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/ + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + name: Policy Validator checks for AWS IAM policies + steps: + # checkout the repo for workflow to access the contents + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + # Configure AWS Credentials. More configuration details here - https://github.com/aws-actions/configure-aws-credentials + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 + with: + role-to-assume: ${{ env.AWS_ROLE }} + aws-region: ${{ env.REGION }} + # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer ValidatePolicy check + id: run-aws-validate-policy + uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0 + with: + policy-check-type: "VALIDATE_POLICY" + template-path: ${{ env.TEMPLATE_PATH}} + region: ${{ env.REGION }} + # Print result from VALIDATE_POLICY check + - name: Print the result for ValidatePolicy check + if: success() || failure() + run: echo "${{ steps.run-aws-validate-policy.outputs.result }}" + # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer CheckAccessNotGranted check + id: run-aws-check-access-not-granted + uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0 + with: + policy-check-type: "CHECK_ACCESS_NOT_GRANTED" + template-path: ${{ env.TEMPLATE_PATH}} + actions: ${{ env.ACTIONS }} + region: ${{ env.REGION }} + # Print result from CHECK_ACCESS_NOT_GRANTED check + - name: Print the result for CheckAccessNotGranted check + if: success() || failure() + run: echo "${{ steps.run-aws-check-access-not-granted.outputs.result }}" + # Run the CHECK_NO_NEW_ACCESS check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator + # reference-policy is stored in GitHub secrets + - name: Run AWS AccessAnalyzer CheckNoNewAccess check + id: run-aws-check-no-new-access + uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0 + with: + policy-check-type: "CHECK_NO_NEW_ACCESS" + template-path: ${{ env.TEMPLATE_PATH}} + reference-policy: ${{ env.REFERENCE }} + reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }} + region: ${{env.REGION }} + # Print result from CHECK_NO_NEW_ACCESS check + - name: Print the result for CheckNoNewAccess check + if: success() || failure() + run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}" diff --git a/code-scanning/policy-validator-tf.yaml b/code-scanning/policy-validator-tf.yaml new file mode 100644 index 0000000..1ca77b5 --- /dev/null +++ b/code-scanning/policy-validator-tf.yaml @@ -0,0 +1,87 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow will validate the IAM policies in the terraform (TF) templates with using the standard and custom checks in AWS IAM Access Analyzer +# To use this workflow, you will need to complete the following set up steps before start using it: +# 1. Configure an AWS IAM role to use the Access Analyzer's ValidatePolicy, CheckNoNewAccess and CheckAccessNotGranted. This IAM role must be configured to call from the GitHub Actions, use the following [doc](https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/) for steps. +# 2. If you're using CHECK_NO_NEW_ACCESS policy-check-type, you need to create a reference policy. Use the guide [here](https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples?tab=readme-ov-file#how-do-i-write-my-own-reference-policies) and store it your GitHub repo. +# 3. If you're using the CHECK_ACCESS_NOT_GRANTED policy-check-type, identify the list of critical actions that shouldn't be granted access by the policies in the TF templates. +# 4. Start using the GitHub actions by generating the GitHub events matching the defined criteria in your workflow. + +name: Validate AWS IAM policies in Terraform templates using Policy Validator +on: + push: + branches: [$default-branch, $protected-branches] + pull_request: + # The branches below must be a subset of the branches above + branches: [$default-branch] +env: + AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions + REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1 + TEMPLATE_PATH: FILE_PATH_TO_THE_TF_PLAN # set this to the file path to the terraform plan in JSON + ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. + REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. + +jobs: + policy-validator: + runs-on: ubuntu-latest # Virtual machine to run the workflow (configurable) + #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#updating-your-github-actions-workflow + #https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/ + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners + name: Policy Validator checks for AWS IAM policies + steps: + # checkout the repo for workflow to access the contents + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + # Configure AWS Credentials. More configuration details here- https://github.com/aws-actions/configure-aws-credentials + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 + with: + role-to-assume: ${{ env.AWS_ROLE }} + aws-region: ${{ env.REGION }} + # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer ValidatePolicy check + id: run-aws-validate-policy + uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0 + with: + policy-check-type: "VALIDATE_POLICY" + template-path: ${{ env.TEMPLATE_PATH }} + region: ${{ env.REGION }} + # Print result from VALIDATE_POLICY check + - name: Print the result for ValidatePolicy check + if: success() || failure() + run: echo "${{ steps.run-aws-validate-policy.outputs.result }}" + # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer CheckAccessNotGranted check + id: run-aws-check-access-not-granted + uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0 + with: + policy-check-type: "CHECK_ACCESS_NOT_GRANTED" + template-path: ${{ env.TEMPLATE_PATH }} + actions: ${{ env.ACTIONS }} + region: ${{ env.REGION }} + # Print result from CHECK_ACCESS_NOT_GRANTED check + - name: Print the result for CheckAccessNotGranted check + if: success() || failure() + run: echo "${{ steps.run-aws-check-access-not-granted.outputs.result }}" + # Run the CHECK_NO_NEW_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator + # reference-policy is stored in GitHub secrets + - name: Run AWS AccessAnalyzer CheckNoNewAccess check + id: run-aws-check-no-new-access + uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0 + with: + policy-check-type: "CHECK_NO_NEW_ACCESS" + template-path: ${{ env.TEMPLATE_PATH }} + reference-policy: ${{ env.REFERENCE_POLICY }} + reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }} + region: ${{ env.REGION }} + # Print result from CHECK_NO_NEW_ACCESS check + - name: Print the result CheckNoNewAccess check + if: success() || failure() + run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}" diff --git a/code-scanning/properties/policy-validator-cfn.properties.json b/code-scanning/properties/policy-validator-cfn.properties.json new file mode 100644 index 0000000..496b368 --- /dev/null +++ b/code-scanning/properties/policy-validator-cfn.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Policy Validator for CloudFormation", + "creator": "Amazon Web Services", + "description": "Validate AWS IAM Policies in CloudFormation Templates powered IAM Access Analyzer", + "iconName": "aws", + "categories": ["Code Scanning", "AWS", "Python"] +} diff --git a/code-scanning/properties/policy-validator-tf.properties.json b/code-scanning/properties/policy-validator-tf.properties.json new file mode 100644 index 0000000..f683f49 --- /dev/null +++ b/code-scanning/properties/policy-validator-tf.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Policy Validator for Terraform", + "creator": "Amazon Web Services", + "description": "Validate AWS IAM Policies in Terraform Templates powered IAM Access Analyzer", + "iconName": "aws", + "categories": ["Code Scanning", "AWS", "Python"] +}