diff --git a/automation/greetings.yml b/automation/greetings.yml index ebb00a0..ee1cb11 100644 --- a/automation/greetings.yml +++ b/automation/greetings.yml @@ -5,6 +5,9 @@ on: [pull_request, issues] jobs: greeting: runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write steps: - uses: actions/first-interaction@v1 with: diff --git a/automation/label.yml b/automation/label.yml index 7c724a6..5cdc45e 100644 --- a/automation/label.yml +++ b/automation/label.yml @@ -12,6 +12,9 @@ jobs: label: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - uses: actions/labeler@v2 diff --git a/automation/stale.yml b/automation/stale.yml index b671fc0..30c3dd9 100644 --- a/automation/stale.yml +++ b/automation/stale.yml @@ -8,6 +8,9 @@ jobs: stale: runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write steps: - uses: actions/stale@v3 diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 76756db..ba69744 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -44,6 +44,10 @@ jobs: runs-on: ubuntu-latest if: github.event_name == 'push' + permissions: + contents: read + packages: write + steps: - uses: actions/checkout@v2 diff --git a/ci/gem-push.yml b/ci/gem-push.yml index a1edfbc..3dc62be 100644 --- a/ci/gem-push.yml +++ b/ci/gem-push.yml @@ -10,6 +10,9 @@ jobs: build: name: Build + Publish runs-on: ubuntu-latest + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v2 diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index ef99e13..a74a1ce 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -11,6 +11,9 @@ jobs: build: runs-on: ubuntu-latest + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v2 diff --git a/ci/laravel.yml b/ci/laravel.yml index d54921e..5f4e6c9 100644 --- a/ci/laravel.yml +++ b/ci/laravel.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: shivammathur/setup-php@b7d1d9c9a92d8d8463ce36d7f60da34d461724f8 + - uses: shivammathur/setup-php@15c43e89cdef867065b0213be354c2841860869e with: php-version: '8.0' - uses: actions/checkout@v2 diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml index c3f4855..18dd937 100644 --- a/ci/maven-publish.yml +++ b/ci/maven-publish.yml @@ -11,6 +11,9 @@ jobs: build: runs-on: ubuntu-latest + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v2 diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index 1b4952d..8462902 100644 --- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml @@ -35,6 +35,9 @@ jobs: publish-gpr: needs: build runs-on: ubuntu-latest + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v2 - uses: actions/setup-node@v2 diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index d88fe52..b32675e 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -24,6 +24,10 @@ jobs: analyze: name: Analyze runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write strategy: fail-fast: false diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml index 8d3d0eb..1cad70c 100644 --- a/code-scanning/kubesec.yml +++ b/code-scanning/kubesec.yml @@ -18,6 +18,10 @@ jobs: lint: name: Kubesec runs-on: ubuntu-20.04 + permissions: + actions: read + contents: read + security-events: write steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml index 1601ff5..0aab0b4 100644 --- a/code-scanning/mayhem-for-api.yml +++ b/code-scanning/mayhem-for-api.yml @@ -37,6 +37,10 @@ jobs: name: Mayhem for API # Mayhem for API runs on linux, mac and windows runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write steps: - uses: actions/checkout@v2 diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml new file mode 100644 index 0000000..dfbf452 --- /dev/null +++ b/code-scanning/powershell.yml @@ -0,0 +1,42 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# https://github.com/microsoft/action-psscriptanalyzer +# For more information on PSScriptAnalyzer in general, see +# https://github.com/PowerShell/PSScriptAnalyzer + +name: PSScriptAnalyzer + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + build: + name: PSScriptAnalyzer + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: Run PSScriptAnalyzer + uses: microsoft/psscriptanalyzer-action@2044ae068e37d0161fa2127de04c19633882f061 + with: + # Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options. + # The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules. + path: .\ + recurse: true + # Include your own basic security rules. Removing this option will run all the rules + includeRule: '"PSAvoidGlobalAliases", "PSAvoidUsingConvertToSecureStringWithPlainText"' + output: results.sarif + + # Upload the SARIF file generated in the previous step + - name: Upload SARIF results file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif diff --git a/code-scanning/properties/powershell.properties.json b/code-scanning/properties/powershell.properties.json new file mode 100644 index 0000000..95420ae --- /dev/null +++ b/code-scanning/properties/powershell.properties.json @@ -0,0 +1,7 @@ +{ + "name": "PSScriptAnalyzer", + "creator": "Microsoft Corporation", + "description": "A static code checker for PowerShell modules and scripts. PSScriptAnalyzer checks the quality of PowerShell code by running a set of rules.", + "iconName": "powershell", + "categories": ["Code Scanning", "PowerShell"] +} \ No newline at end of file diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml index 9b5a080..0c1ff16 100644 --- a/code-scanning/synopsys-io.yml +++ b/code-scanning/synopsys-io.yml @@ -18,6 +18,10 @@ jobs: analyze: name: Analyze runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write steps: - name: Checkout repository diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 05879a1..51c5639 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -17,6 +17,10 @@ jobs: tfsec: name: Run tfsec sarif report runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write steps: - name: Clone repo diff --git a/icons/powershell.svg b/icons/powershell.svg new file mode 100644 index 0000000..ec01c8c --- /dev/null +++ b/icons/powershell.svg @@ -0,0 +1,29 @@ + + + + + + + + + + + \ No newline at end of file