From cbd5b645f1a79cf3496950ff6d0b66ddf0b71542 Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Fri, 8 Oct 2021 17:31:42 +0530 Subject: [PATCH 001/110] Merge pull request #1110 from manuelbcd/main (#1155) * Added Cloudrail according to instructions and existing examples * Adding Cloudrail according to documentation and examples * Oops * Add original Fortify on Demand workflow * Update Fortify on Demand workflow * Update Fortify on Demand supported languages * Add 3rd-party GitHub Actions disclaimer * Sysdig Secure Inline Scan with SARIF report to starter workflows * Added some extra comments, Github Actions V2 and changed env vars * Reviews from PR #1110 * Adding 'Dockerfile' to category list * Update according to PR review comments * File renames as requested in PR comments * Revert "Azure Data Factory CI starter workflow (#1111)" (#1146) This reverts commit 7f30309ccedb0e3dee186e0ee58c232752a78e24. * use env variables for user-set values (#1117) Co-authored-by: Josh Gross * Apply suggestions from nickfyson's code review Co-authored-by: Nick Fyson * removing "deployment" templates from sync-ghes (#1127) * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Changed svg logo * Rename sysdig.svg to sysdig-scan.svg * Switched svg logo (again) for a better fit * Rename fortify.json to fortify.properties.json Co-authored-by: Yoni Leitersdorf Co-authored-by: Ruud Senden Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com> Co-authored-by: Manuel Boira Cuevas Co-authored-by: manuelbcd Co-authored-by: Nick Fyson Co-authored-by: Sarah Edwards Co-authored-by: Josh Gross Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Co-authored-by: manuelbcd --- ci/azure-data-factory.yml | 47 --------- .../azure-data-factory.properties.json | 7 -- code-scanning/cloudrail.yml | 58 +++++++++++ code-scanning/fortify.yml | 97 +++++++++++++++++++ .../properties/cloudrail.properties.json | 7 ++ .../properties/fortify.properties.json | 7 ++ .../properties/sysdig-scan.properties.json | 7 ++ code-scanning/sysdig-scan.yml | 54 +++++++++++ deployments/aws.yml | 34 ++++--- icons/azure-data-factory.svg | 1 - icons/cloudrail.svg | 53 ++++++++++ icons/fortify.svg | 1 + icons/sysdig-scan.svg | 1 + script/sync-ghes/settings.json | 1 - 14 files changed, 307 insertions(+), 68 deletions(-) delete mode 100644 ci/azure-data-factory.yml delete mode 100644 ci/properties/azure-data-factory.properties.json create mode 100644 code-scanning/cloudrail.yml create mode 100644 code-scanning/fortify.yml create mode 100644 code-scanning/properties/cloudrail.properties.json create mode 100644 code-scanning/properties/fortify.properties.json create mode 100644 code-scanning/properties/sysdig-scan.properties.json create mode 100644 code-scanning/sysdig-scan.yml delete mode 100644 icons/azure-data-factory.svg create mode 100644 icons/cloudrail.svg create mode 100644 icons/fortify.svg create mode 100644 icons/sysdig-scan.svg diff --git a/ci/azure-data-factory.yml b/ci/azure-data-factory.yml deleted file mode 100644 index 776e250..0000000 --- a/ci/azure-data-factory.yml +++ /dev/null @@ -1,47 +0,0 @@ -# Sample workflow to validate Azure Data Factory resources and export its ARM template as an artifact -# Note: Ensure you have the following package.json in the same directory of your ADF resources - -# { -# "scripts":{ -# "build":"node node_modules/@microsoft/azure-data-factory-utilities/lib/index" -# }, -# "dependencies":{ -# "@microsoft/azure-data-factory-utilities":"^0.1.5" -# } -# } - -name: Data Factory CI - -on: - pull_request: - branches: [ $default-branch, $protected-branches ] - - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - steps: - - name: Code checkout - uses: actions/checkout@v2 - - - name: Validate - uses: Azure/data-factory-validate-action@v1.1.3 - # with: - # path: # replace by the folder that contains the Data Factory resources and the package.json - - # Generate the ARM template into the destination folder, which is the same as selecting "Publish" from the UX. - # The ARM template generated isn't published to the live version of the factory. - - name: Export ARM Template - id: export - uses: Azure/data-factory-export-action@v1.1.0 - # with: - # path: # replace by the folder that contains the Data Factory resources and the package.json - - - name: Publish artifact - uses: actions/upload-artifact@v2 - with: - name: Data Factory package - path: ${{ steps.export.outputs.arm-template-directory }} - if-no-files-found: error diff --git a/ci/properties/azure-data-factory.properties.json b/ci/properties/azure-data-factory.properties.json deleted file mode 100644 index f1e7f5b..0000000 --- a/ci/properties/azure-data-factory.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Azure Data Factory", - "creator": "Microsoft Azure", - "description": "Build and validate Azure Data Factory resources", - "iconName": "azure-data-factory", - "categories": ["Continuous integration", "Azure Data Factory"] -} diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml new file mode 100644 index 0000000..9f95c5c --- /dev/null +++ b/code-scanning/cloudrail.yml @@ -0,0 +1,58 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: cloudrail + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + cloudrail: + name: Run Indeni Cloudrail on Terraform code with SARIF output + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Clone repo + uses: actions/checkout@v2 + + # For Terraform, Cloudrail requires the plan as input. So we generate it using + # the Terraform core binary. + - uses: hashicorp/setup-terraform@v1 + with: + terraform_version: v0.13.2 + + - run: terraform init + + - run: terraform plan -out=plan.out + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + # Confirm we have the plan file + - run: stat plan.out + + - name: Run Cloudrail + uses: indeni/cloudrail-run-ga@b56ed2d30913c975b36df231adc2eabf05523622 + with: + tf-plan-file: plan.out # This was created in a "terraform plan" step + cloudrail-api-key: ${{ secrets.CLOUDRAIL_API_KEY }} # This requires registration to Indeni Cloudrail's SaaS at https://web.cloudrail.app + cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + # Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always() + # is needed to ensure the SARIF file is uploaded + if: always() + with: + sarif_file: cloudrail_results.sarif diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml new file mode 100644 index 0000000..d67d194 --- /dev/null +++ b/code-scanning/fortify.yml @@ -0,0 +1,97 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +################################################################################################################################################ +# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,# +# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial # +# or contact our sales team, visit microfocus.com/appsecurity. # +# # +# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.# +# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into # +# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against # +# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the # +# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional # +# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. # +################################################################################################################################################ + +name: Fortify on Demand Scan + +# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time +on: + workflow_dispatch: + push: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + FoD-SAST-Scan: + # Use the appropriate runner for building your source code. + # TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax. + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + # Check out source code + - name: Check Out Source Code + uses: actions/checkout@v2 + + # Java is required to run the various Fortify utilities. + # When scanning a Java application, please use the appropriate Java version for building your application. + - name: Setup Java + uses: actions/setup-java@v1 + with: + java-version: 1.8 + + # Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml. + # TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints: + # ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle). + # ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner. + # ScanCentral has additional options that should be set for PHP and Python projects + # For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation. + # ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/ + - name: Download Fortify ScanCentral Client + uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3 + - name: Package Code + Dependencies + run: scancentral package $PACKAGE_OPTS -o package.zip + env: + PACKAGE_OPTS: "-bt mvn" + + # Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java + # TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints: + # Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used). + # Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal. + - name: Download Fortify on Demand Universal CI Tool + uses: fortify/gha-setup-fod-uploader@6e6bb8a33cb476e240929fa8ebc739ff110e7433 + - name: Perform SAST Scan + run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES" + env: + FOD_URL: "https://ams.fortify.com/" + FOD_API_URL: "https://api.ams.fortify.com/" + FOD_TENANT: ${{ secrets.FOD_TENANT }} + FOD_USER: ${{ secrets.FOD_USER }} + FOD_PAT: ${{ secrets.FOD_PAT }} + FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }} + FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" + FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})' + + # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. + - name: Export results to GitHub-optimized SARIF + uses: fortify/gha-export-vulnerabilities@fcb374411cff9809028c911dabb8b57dbdae623b + with: + fod_base_url: "https://ams.fortify.com/" + fod_tenant: ${{ secrets.FOD_TENANT }} + fod_user: ${{ secrets.FOD_USER }} + fod_password: ${{ secrets.FOD_PAT }} + fod_release_id: ${{ secrets.FOD_RELEASE_ID }} + + # Import Fortify on Demand results to GitHub Security Code Scanning + - name: Import Results + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ./gh-fortify-sast.sarif diff --git a/code-scanning/properties/cloudrail.properties.json b/code-scanning/properties/cloudrail.properties.json new file mode 100644 index 0000000..830d966 --- /dev/null +++ b/code-scanning/properties/cloudrail.properties.json @@ -0,0 +1,7 @@ +{ + "name": "cloudrail", + "creator": "Indeni Cloudrail", + "description": "Cloudrail can be used to scan your infrastructure-as-code files for potential security and compliance issues. The Cloudrail action is often used as part of both CI workflows (on pull_request) and on CD workflows to identify potential issues.", + "iconName": "cloudrail", + "categories": ["Code Scanning", "HCL"] +} diff --git a/code-scanning/properties/fortify.properties.json b/code-scanning/properties/fortify.properties.json new file mode 100644 index 0000000..100b4bb --- /dev/null +++ b/code-scanning/properties/fortify.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Fortify on Demand Scan", + "creator": "Micro Focus", + "description": "Integrate Fortify's comprehensive static code analysis (SAST) for 27+ languages into your DevSecOps workflows to build secure software faster.", + "iconName": "fortify", + "categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Go", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "Objective-C++", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML"] +} diff --git a/code-scanning/properties/sysdig-scan.properties.json b/code-scanning/properties/sysdig-scan.properties.json new file mode 100644 index 0000000..d39072e --- /dev/null +++ b/code-scanning/properties/sysdig-scan.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Sysdig Inline Scan", + "creator": "Sysdig", + "description": "Performs analysis on locally built container image and posts the results in SARIF report", + "iconName": "sysdig-scan", + "categories": ["Code Scanning", "Dockerfile", "C", "C#", "C++", "Go", "Java", "JavaScript", "Node", "Python", "Powershell", "Ruby"] +} diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml new file mode 100644 index 0000000..49841d7 --- /dev/null +++ b/code-scanning/sysdig-scan.yml @@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Sysdig - Build, scan, push and upload sarif report + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Build the Docker image + # Tag image to be built + # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag below + run: docker build . --file Dockerfile --tag ${{ github.repository }}:latest + + - name: Sysdig Secure Inline Scan + id: scan + uses: sysdiglabs/scan-action@768d7626a14897e0948ea89c8437dd46a814b163 + with: + # Tag of the image to analyse. + # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag above + image-tag: ${{ github.repository }}:latest + # API token for Sysdig Scanning auth + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN}} + # Sysdig secure endpoint. Please read: https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/ + # US-East https://secure.sysdig.com + # US-West https://us2.app.sysdig.com + # EU https://eu1.app.sysdig.com + sysdig-secure-url: https://us2.app.sysdig.com + dockerfile-path: ./Dockerfile + input-type: docker-daemon + ignore-failed-scan: true + # Sysdig inline scanner requires privileged rights + run-as-user: root + + - uses: github/codeql-action/upload-sarif@v1 + #Upload SARIF file + if: always() + with: + sarif_file: ${{ steps.scan.outputs.sarifReport }} \ No newline at end of file diff --git a/deployments/aws.yml b/deployments/aws.yml index 8b10116..6a6643c 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -5,29 +5,40 @@ # # 1. Create an ECR repository to store your images. # For example: `aws ecr create-repository --repository-name my-ecr-repo --region us-east-2`. -# Replace the value of `ECR_REPOSITORY` in the workflow below with your repository's name. -# Replace the value of `aws-region` in the workflow below with your repository's region. +# Replace the value of the `ECR_REPOSITORY` environment variable in the workflow below with your repository's name. +# Replace the value of the `AWS_REGION` environment variable in the workflow below with your repository's region. # # 2. Create an ECS task definition, an ECS cluster, and an ECS service. # For example, follow the Getting Started guide on the ECS console: # https://us-east-2.console.aws.amazon.com/ecs/home?region=us-east-2#/firstRun -# Replace the values for `service` and `cluster` in the workflow below with your service and cluster names. +# Replace the value of the `ECS_SERVICE` environment variable in the workflow below with the name you set for the Amazon ECS service. +# Replace the value of the `ECS_CLUSTER` environment variable in the workflow below with the name you set for the cluster. # # 3. Store your ECS task definition as a JSON file in your repository. # The format should follow the output of `aws ecs register-task-definition --generate-cli-skeleton`. -# Replace the value of `task-definition` in the workflow below with your JSON file's name. -# Replace the value of `container-name` in the workflow below with the name of the container +# Replace the value of the `ECS_TASK_DEFINITION` environment variable in the workflow below with the path to the JSON file. +# Replace the value of the `CONTAINER_NAME` environment variable in the workflow below with the name of the container # in the `containerDefinitions` section of the task definition. # # 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. # See the documentation for each action used below for the recommended IAM policies for this IAM user, # and best practices on handling the access key credentials. +name: Deploy to Amazon ECS + on: release: types: [created] -name: Deploy to Amazon ECS +env: + AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1 + ECR_REPOSITORY: MY_ECR_REPOSITORY # set this to your Amazon ECR repository name + ECS_SERVICE: MY_ECS_SERVICE # set this to your Amazon ECS service name + ECS_CLUSTER: MY_ECS_CLUSTER # set this to your Amazon ECS cluster name + ECS_TASK_DEFINITION: MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition + # file, e.g. .aws/task-definition.json + CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the + # containerDefinitions section of your task definition jobs: deploy: @@ -44,7 +55,7 @@ jobs: with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: us-east-2 + aws-region: ${{ env.AWS_REGION }} - name: Login to Amazon ECR id: login-ecr @@ -54,7 +65,6 @@ jobs: id: build-image env: ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} - ECR_REPOSITORY: my-ecr-repo IMAGE_TAG: ${{ github.sha }} run: | # Build a docker container and @@ -68,14 +78,14 @@ jobs: id: task-def uses: aws-actions/amazon-ecs-render-task-definition@v1 with: - task-definition: task-definition.json - container-name: sample-app + task-definition: ${{ env.ECS_TASK_DEFINITION }} + container-name: ${{ env.CONTAINER_NAME }} image: ${{ steps.build-image.outputs.image }} - name: Deploy Amazon ECS task definition uses: aws-actions/amazon-ecs-deploy-task-definition@v1 with: task-definition: ${{ steps.task-def.outputs.task-definition }} - service: sample-app-service - cluster: default + service: ${{ env.ECS_SERVICE }} + cluster: ${{ env.ECS_CLUSTER }} wait-for-service-stability: true diff --git a/icons/azure-data-factory.svg b/icons/azure-data-factory.svg deleted file mode 100644 index 2237336..0000000 --- a/icons/azure-data-factory.svg +++ /dev/null @@ -1 +0,0 @@ -Icon-databases-126 \ No newline at end of file diff --git a/icons/cloudrail.svg b/icons/cloudrail.svg new file mode 100644 index 0000000..9aaf9c3 --- /dev/null +++ b/icons/cloudrail.svg @@ -0,0 +1,53 @@ + + + + + + + + + + + + + + diff --git a/icons/fortify.svg b/icons/fortify.svg new file mode 100644 index 0000000..45a0d77 --- /dev/null +++ b/icons/fortify.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/icons/sysdig-scan.svg b/icons/sysdig-scan.svg new file mode 100644 index 0000000..85d5de0 --- /dev/null +++ b/icons/sysdig-scan.svg @@ -0,0 +1 @@ +Artboard 1 \ No newline at end of file diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index e4f50fa..9648ab4 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -2,7 +2,6 @@ "folders": [ "../../ci", "../../automation", - "../../deployments", "../../code-scanning" ], "enabledActions": [ From 21775ad05bf2415ebd480c17a803fd8a83065a72 Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Fri, 15 Oct 2021 15:32:54 -0700 Subject: [PATCH 002/110] Rename "azure.yml" to Node-specific name --- .../{azure.yml => azure-webapps-node.yml} | 30 +++++++++++++++---- ...son => azure-webapps-node.properties.json} | 0 2 files changed, 24 insertions(+), 6 deletions(-) rename deployments/{azure.yml => azure-webapps-node.yml} (81%) rename deployments/properties/{azure.properties.json => azure-webapps-node.properties.json} (100%) diff --git a/deployments/azure.yml b/deployments/azure-webapps-node.yml similarity index 81% rename from deployments/azure.yml rename to deployments/azure-webapps-node.yml index 0262b49..ab144ba 100644 --- a/deployments/azure.yml +++ b/deployments/azure-webapps-node.yml @@ -25,23 +25,41 @@ env: NODE_VERSION: '10.x' # set this to the node version to use jobs: - build-and-deploy: - name: Build and Deploy + build: runs-on: ubuntu-latest - environment: production steps: - uses: actions/checkout@v2 - - name: Use Node.js ${{ env.NODE_VERSION }} + + - name: Set up Node.js uses: actions/setup-node@v2 with: node-version: ${{ env.NODE_VERSION }} + - name: npm install, build, and test run: | - # Build and test the project, then - # deploy to Azure Web App. npm install npm run build --if-present npm run test --if-present + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v2 + with: + name: node-app + path: . + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Production' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: node-app + - name: 'Deploy to Azure WebApp' uses: azure/webapps-deploy@v2 with: diff --git a/deployments/properties/azure.properties.json b/deployments/properties/azure-webapps-node.properties.json similarity index 100% rename from deployments/properties/azure.properties.json rename to deployments/properties/azure-webapps-node.properties.json From e59c11c494c0a2a443cf8577b496e63f618c8169 Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Fri, 15 Oct 2021 15:33:45 -0700 Subject: [PATCH 003/110] Add templates and properties for other languages --- deployments/azure-webapps-container.yml | 59 ++++++++++++++++ deployments/azure-webapps-java-jar.yml | 56 ++++++++++++++++ deployments/azure-webapps-python.yml | 67 +++++++++++++++++++ .../azure-webapps-container.properties.json | 7 ++ .../azure-webapps-java-jar.properties.json | 7 ++ .../azure-webapps-python.properties.json | 7 ++ 6 files changed, 203 insertions(+) create mode 100644 deployments/azure-webapps-container.yml create mode 100644 deployments/azure-webapps-java-jar.yml create mode 100644 deployments/azure-webapps-python.yml create mode 100644 deployments/properties/azure-webapps-container.properties.json create mode 100644 deployments/properties/azure-webapps-java-jar.properties.json create mode 100644 deployments/properties/azure-webapps-python.properties.json diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-webapps-container.yml new file mode 100644 index 0000000..b9dab0d --- /dev/null +++ b/deployments/azure-webapps-container.yml @@ -0,0 +1,59 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# More GitHub Actions for Azure: https://github.com/Azure/actions + +name: Build and deploy a container to an Azure Web App + +env: + AZURE_WEBAPP_NAME: '' # set this to the name of your Azure Web App + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + + - name: Log in to GitHub container registry + uses: docker/login-action@v1 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Lowercase the repo name + run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} + + - name: Build and push container image to registry + uses: docker/build-push-action@v2 + with: + push: true + tags: ghcr.io/${{ env.REPO }}:${{ github.sha }} + file: ./Dockerfile + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Production' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Lowercase the repo name + run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} + + - name: Deploy to Azure Web App + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}' \ No newline at end of file diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml new file mode 100644 index 0000000..ae1cb87 --- /dev/null +++ b/deployments/azure-webapps-java-jar.yml @@ -0,0 +1,56 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# More GitHub Actions for Azure: https://github.com/Azure/actions + +name: Build and deploy JAR app to Azure Web App + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + JAVA_VERSION: '11' # set this to the Java version to use + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Set up Java version + uses: actions/setup-java@v1 + with: + java-version: ${{ env.JAVA_VERSION }} + + - name: Build with Maven + run: mvn clean install + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v2 + with: + name: java-app + path: '${{ github.workspace }}/target/*.jar' + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: Production + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: java-app + + - name: Deploy to Azure Web App + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: '*.jar' \ No newline at end of file diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml new file mode 100644 index 0000000..a934a02 --- /dev/null +++ b/deployments/azure-webapps-python.yml @@ -0,0 +1,67 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# More GitHub Actions for Azure: https://github.com/Azure/actions +# More info on Python, GitHub Actions, and Azure App Service: https://aka.ms/python-webapps-actions + +name: Build and deploy Python app to Azure Web App - __sitename__ + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + PYTHON_VERSION: '11' # set this to the Python version to use + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Set up Python version + uses: actions/setup-python@v1 + with: + python-version: ${{ env.PYTHON_VERSION }} + + - name: Create and start virtual environment + run: | + python -m venv venv + source venv/bin/activate + + - name: Install dependencies + run: pip install -r requirements.txt + + # Optional: Add step to run tests here (PyTest, Django test suites, etc.) + + - name: Upload artifact for deployment jobs + uses: actions/upload-artifact@v2 + with: + name: python-app + path: | + . + !venv/ + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: '__slotname__' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: python-app + path: . + + - name: 'Deploy to Azure Web App' + uses: azure/webapps-deploy@v2 + id: deploy-to-webapp + with: + app-name: '__sitename__' + slot-name: '__slotname__' + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} diff --git a/deployments/properties/azure-webapps-container.properties.json b/deployments/properties/azure-webapps-container.properties.json new file mode 100644 index 0000000..1335e3a --- /dev/null +++ b/deployments/properties/azure-webapps-container.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy a container to an Azure Web App", + "description": "Build a container and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment"] +} \ No newline at end of file diff --git a/deployments/properties/azure-webapps-java-jar.properties.json b/deployments/properties/azure-webapps-java-jar.properties.json new file mode 100644 index 0000000..f2418fa --- /dev/null +++ b/deployments/properties/azure-webapps-java-jar.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy a Java .jar app to an Azure Web App", + "description": "Build a Java project and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment"] +} \ No newline at end of file diff --git a/deployments/properties/azure-webapps-python.properties.json b/deployments/properties/azure-webapps-python.properties.json new file mode 100644 index 0000000..f749848 --- /dev/null +++ b/deployments/properties/azure-webapps-python.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy a Python app to an Azure Web App", + "description": "Build a Python app and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment"] +} \ No newline at end of file From 4fad808870ff1d108b443339ba43616c6f88c6ca Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Fri, 15 Oct 2021 15:47:30 -0700 Subject: [PATCH 004/110] Add workflow for .NET Core --- deployments/azure-webapps-dotnet-core.yml | 59 +++++++++++++++++++ .../properties/azure-webapps-donet-core.json | 7 +++ 2 files changed, 66 insertions(+) create mode 100644 deployments/azure-webapps-dotnet-core.yml create mode 100644 deployments/properties/azure-webapps-donet-core.json diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml new file mode 100644 index 0000000..532efc4 --- /dev/null +++ b/deployments/azure-webapps-dotnet-core.yml @@ -0,0 +1,59 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# More GitHub Actions for Azure: https://github.com/Azure/actions + +name: Build and deploy ASP.Net Core app to an Azure Web App + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + DOTNET_VERSION: '5' # set this to the .NET Core version to use + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Set up .NET Core + uses: actions/setup-dotnet@v1 + with: + dotnet-version: ${{ env.DOTNET_VERSION }} + + - name: Build with dotnet + run: dotnet build --configuration Release + + - name: dotnet publish + run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v2 + with: + name: .net-app + path: ${{env.DOTNET_ROOT}}/myapp + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Production' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: .net-app + + - name: Deploy to Azure Web App + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: . diff --git a/deployments/properties/azure-webapps-donet-core.json b/deployments/properties/azure-webapps-donet-core.json new file mode 100644 index 0000000..3ac2f8c --- /dev/null +++ b/deployments/properties/azure-webapps-donet-core.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy a .NET Core app to an Azure Web App", + "description": "Build a .NET Core project and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment"] +} \ No newline at end of file From e6620ddc5b73399da7e03af6164e62d93790fe51 Mon Sep 17 00:00:00 2001 From: Rui Chen Date: Wed, 20 Oct 2021 00:02:48 -0400 Subject: [PATCH 005/110] python: update to use python 3.10 Signed-off-by: Rui Chen --- ci/pylint.yml | 4 ++-- ci/python-app.yml | 4 ++-- ci/python-package-conda.yml | 4 ++-- ci/python-package.yml | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ci/pylint.yml b/ci/pylint.yml index 0805af7..e217f63 100644 --- a/ci/pylint.yml +++ b/ci/pylint.yml @@ -9,10 +9,10 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up Python 3.9 + - name: Set up Python 3.10 uses: actions/setup-python@v2 with: - python-version: 3.9 + python-version: 3.10 - name: Install dependencies run: | python -m pip install --upgrade pip diff --git a/ci/python-app.yml b/ci/python-app.yml index f6ad69a..30b2b8f 100644 --- a/ci/python-app.yml +++ b/ci/python-app.yml @@ -16,10 +16,10 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up Python 3.9 + - name: Set up Python 3.10 uses: actions/setup-python@v2 with: - python-version: 3.9 + python-version: 3.10 - name: Install dependencies run: | python -m pip install --upgrade pip diff --git a/ci/python-package-conda.yml b/ci/python-package-conda.yml index 7bae7e2..9bd6d2b 100644 --- a/ci/python-package-conda.yml +++ b/ci/python-package-conda.yml @@ -10,10 +10,10 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up Python 3.8 + - name: Set up Python 3.10 uses: actions/setup-python@v2 with: - python-version: 3.8 + python-version: 3.10 - name: Add conda to system path run: | # $CONDA is an environment variable pointing to the root of the miniconda directory diff --git a/ci/python-package.yml b/ci/python-package.yml index b079b1c..9690811 100644 --- a/ci/python-package.yml +++ b/ci/python-package.yml @@ -16,7 +16,7 @@ jobs: strategy: fail-fast: false matrix: - python-version: [3.7, 3.8, 3.9] + python-version: [3.8, 3.9, 3.10] steps: - uses: actions/checkout@v2 From 40f0709bd652afee23c304a26984fb30dd82c869 Mon Sep 17 00:00:00 2001 From: Rui Chen Date: Fri, 22 Oct 2021 01:14:49 -0400 Subject: [PATCH 006/110] quote the version strings --- ci/pylint.yml | 9 +++++---- ci/python-app.yml | 2 +- ci/python-package.yml | 2 +- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/ci/pylint.yml b/ci/pylint.yml index e217f63..10c49c6 100644 --- a/ci/pylint.yml +++ b/ci/pylint.yml @@ -4,15 +4,16 @@ on: [push] jobs: build: - runs-on: ubuntu-latest - + strategy: + matrix: + python-version: ["3.8", "3.9", "3.10"] steps: - uses: actions/checkout@v2 - - name: Set up Python 3.10 + - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v2 with: - python-version: 3.10 + python-version: ${{ matrix.python-version }} - name: Install dependencies run: | python -m pip install --upgrade pip diff --git a/ci/python-app.yml b/ci/python-app.yml index 30b2b8f..2cfc2a3 100644 --- a/ci/python-app.yml +++ b/ci/python-app.yml @@ -19,7 +19,7 @@ jobs: - name: Set up Python 3.10 uses: actions/setup-python@v2 with: - python-version: 3.10 + python-version: "3.10" - name: Install dependencies run: | python -m pip install --upgrade pip diff --git a/ci/python-package.yml b/ci/python-package.yml index 9690811..b0a63cf 100644 --- a/ci/python-package.yml +++ b/ci/python-package.yml @@ -16,7 +16,7 @@ jobs: strategy: fail-fast: false matrix: - python-version: [3.8, 3.9, 3.10] + python-version: ["3.8", "3.9", "3.10"] steps: - uses: actions/checkout@v2 From 4e20b526184631f70591dc040dbed47a83f712b3 Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Fri, 22 Oct 2021 14:47:00 +0530 Subject: [PATCH 007/110] Sync partner_templates branch with main (#1184) * Added Cloudrail according to instructions and existing examples * Adding Cloudrail according to documentation and examples * Oops * Add original Fortify on Demand workflow * Update Fortify on Demand workflow * Update Fortify on Demand supported languages * Add 3rd-party GitHub Actions disclaimer * Sysdig Secure Inline Scan with SARIF report to starter workflows * Added some extra comments, Github Actions V2 and changed env vars * Reviews from PR #1110 * Adding 'Dockerfile' to category list * Update according to PR review comments * File renames as requested in PR comments * Revert "Azure Data Factory CI starter workflow (#1111)" (#1146) This reverts commit 7f30309ccedb0e3dee186e0ee58c232752a78e24. * use env variables for user-set values (#1117) Co-authored-by: Josh Gross * Apply suggestions from nickfyson's code review Co-authored-by: Nick Fyson * removing "deployment" templates from sync-ghes (#1127) * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Changed svg logo * Rename sysdig.svg to sysdig-scan.svg * Switched svg logo (again) for a better fit * Rename fortify.json to fortify.properties.json * Correct character-case of "c" in Cloudrail * AWS template also used Docker * trigger on push instead of release (#1157) Co-authored-by: Josh Gross * Added new templates for 3 clouds. * Revert "Added new templates for 3 clouds." This reverts commit c765d6316fb380d15d81206ede83b0042cdac377. * Add workflow for Microsoft C++ Code Analysis * Updated action to meet guidelines * correct typo in msvc.properties.json Co-authored-by: Yoni Leitersdorf Co-authored-by: Ruud Senden Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com> Co-authored-by: Manuel Boira Cuevas Co-authored-by: manuelbcd Co-authored-by: Nick Fyson Co-authored-by: Sarah Edwards Co-authored-by: Josh Gross Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Co-authored-by: manuelbcd Co-authored-by: Daniel Winsor --- code-scanning/cloudrail.yml | 2 +- code-scanning/msvc.yml | 59 +++++++++++++++++++ code-scanning/properties/msvc.properties.json | 7 +++ deployments/alibabacloud.yml | 7 ++- deployments/aws.yml | 7 ++- deployments/azure.yml | 7 ++- deployments/google.yml | 7 ++- deployments/ibm.yml | 7 ++- deployments/properties/aws.properties.json | 4 +- deployments/tencent.yml | 7 ++- icons/microsoft.svg | 34 +++++++++++ 11 files changed, 127 insertions(+), 21 deletions(-) create mode 100644 code-scanning/msvc.yml create mode 100644 code-scanning/properties/msvc.properties.json create mode 100644 icons/microsoft.svg diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml index 9f95c5c..00e270a 100644 --- a/code-scanning/cloudrail.yml +++ b/code-scanning/cloudrail.yml @@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. -name: cloudrail +name: Cloudrail on: push: diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml new file mode 100644 index 0000000..c6bb29f --- /dev/null +++ b/code-scanning/msvc.yml @@ -0,0 +1,59 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Find more information at: +# https://github.com/microsoft/msvc-code-analysis-action + +name: Microsoft C++ Code Analysis + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +env: + # Path to the CMake build directory. + build: '${{ github.workspace }}/build' + +jobs: + analyze: + name: Analyze + runs-on: windows-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + - name: Configure CMake + run: cmake -B ${{ env.build }} + + # Build is not required unless generated source files are used + # - name: Build CMake + # run: cmake --build ${{ env.build }} + + - name: Initialize MSVC Code Analysis + uses: microsoft/msvc-code-analysis-action@502db28262ba134c9a621d5a509b9f7e696c99b6 + # Provide a unique ID to access the sarif output path + id: run-analysis + with: + cmakeBuildDirectory: ${{ env.build }} + # Ruleset file that will determine what checks will be run + ruleset: NativeRecommendRules.ruleset + + # Upload SARIF file to GitHub Code Scanning Alerts + - name: Upload SARIF to GitHub + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ${{ steps.run-analysis.outputs.sarif }} + + # Upload SARIF file as an Artifact to download and view + # - name: Upload SARIF as an Artifact + # uses: actions/upload-artifact@v2 + # with: + # name: sarif-file + # path: ${{ steps.run-analysis.outputs.sarif }} diff --git a/code-scanning/properties/msvc.properties.json b/code-scanning/properties/msvc.properties.json new file mode 100644 index 0000000..641d5e6 --- /dev/null +++ b/code-scanning/properties/msvc.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Microsoft C++ Code Analysis", + "creator": "Microsoft", + "description": "Code Analysis with the Microsoft C & C++ Compiler for CMake based projects.", + "iconName": "microsoft", + "categories": ["Code Scanning", "C", "C++"] +} diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index 9ccc033..ded9178 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -1,5 +1,5 @@ # This workflow will build and push a new container image to Alibaba Cloud Container Registry (ACR), -# and then will deploy it to Alibaba Cloud Container Service for Kubernetes (ACK), when a release is created. +# and then will deploy it to Alibaba Cloud Container Service for Kubernetes (ACK), when there is a push to the $default-branch branch. # # To use this workflow, you will need to complete the following set-up steps: # @@ -20,8 +20,9 @@ name: Build and Deploy to ACK on: - release: - types: [created] + push: + branches: + - $default-branch # Environment variables available to all jobs and steps in this workflow. env: diff --git a/deployments/aws.yml b/deployments/aws.yml index 6a6643c..dab851f 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -1,5 +1,5 @@ # This workflow will build and push a new container image to Amazon ECR, -# and then will deploy a new task definition to Amazon ECS, when a release is created +# and then will deploy a new task definition to Amazon ECS, when there is a push to the $default-branch branch. # # To use this workflow, you will need to complete the following set-up steps: # @@ -27,8 +27,9 @@ name: Deploy to Amazon ECS on: - release: - types: [created] + push: + branches: + - $default-branch env: AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1 diff --git a/deployments/azure.yml b/deployments/azure.yml index 0262b49..904ff25 100644 --- a/deployments/azure.yml +++ b/deployments/azure.yml @@ -1,4 +1,4 @@ -# This workflow will build and push a node.js application to an Azure Web App when a release is created. +# This workflow will build and push a node.js application to an Azure Web App when there is a push to the $default-branch branch. # # This workflow assumes you have already created the target Azure App Service web app. # For instructions see https://docs.microsoft.com/azure/app-service/app-service-plan-manage#create-an-app-service-plan @@ -16,8 +16,9 @@ # For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions # For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples on: - release: - types: [created] + push: + branches: + - $default-branch env: AZURE_WEBAPP_NAME: your-app-name # set this to your application's name diff --git a/deployments/google.yml b/deployments/google.yml index 5e803ed..267d3cb 100644 --- a/deployments/google.yml +++ b/deployments/google.yml @@ -1,4 +1,4 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when a release is created +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. # # To configure this workflow: # @@ -13,8 +13,9 @@ name: Build and Deploy to GKE on: - release: - types: [created] + push: + branches: + - $default-branch env: PROJECT_ID: ${{ secrets.GKE_PROJECT }} diff --git a/deployments/ibm.yml b/deployments/ibm.yml index a8502cd..216b04d 100644 --- a/deployments/ibm.yml +++ b/deployments/ibm.yml @@ -1,4 +1,4 @@ -# This workflow will build a docker container, publish it to IBM Container Registry, and deploy it to IKS when a release is created +# This workflow will build a docker container, publish it to IBM Container Registry, and deploy it to IKS when there is a push to the $default-branch branch. # # To configure this workflow: # @@ -9,8 +9,9 @@ name: Build and Deploy to IKS on: - release: - types: [created] + push: + branches: + - $default-branch # Environment variables available to all jobs and steps in this workflow env: diff --git a/deployments/properties/aws.properties.json b/deployments/properties/aws.properties.json index 10a7ed3..1b5955a 100644 --- a/deployments/properties/aws.properties.json +++ b/deployments/properties/aws.properties.json @@ -3,5 +3,5 @@ "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.", "creator": "Amazon Web Services", "iconName": "aws", - "categories": ["Deployment"] -} \ No newline at end of file + "categories": ["Deployment", "Dockerfile"] +} diff --git a/deployments/tencent.yml b/deployments/tencent.yml index 0be339e..83bde94 100644 --- a/deployments/tencent.yml +++ b/deployments/tencent.yml @@ -1,4 +1,4 @@ -# This workflow will build a docker container, publish and deploy it to Tencent Kubernetes Engine (TKE). +# This workflow will build a docker container, publish and deploy it to Tencent Kubernetes Engine (TKE) when there is a push to the $default-branch branch. # # To configure this workflow: # @@ -16,8 +16,9 @@ name: Tencent Kubernetes Engine on: - release: - types: [created] + push: + branches: + - $default-branch # Environment variables available to all jobs and steps in this workflow env: diff --git a/icons/microsoft.svg b/icons/microsoft.svg new file mode 100644 index 0000000..990fa84 --- /dev/null +++ b/icons/microsoft.svg @@ -0,0 +1,34 @@ +microsoft + + + + + image/svg+xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file From 0f29a0acbb3cafbbe38e9aa926e80cb45a78392a Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Fri, 22 Oct 2021 15:12:17 +0530 Subject: [PATCH 008/110] Add files via upload --- deployments/aws_docker.yaml | 81 +++++++++++++++++++++++++++++++++++ deployments/aws_node.yaml | 81 +++++++++++++++++++++++++++++++++++ deployments/azure_docker.yaml | 81 +++++++++++++++++++++++++++++++++++ deployments/azure_node.yaml | 81 +++++++++++++++++++++++++++++++++++ deployments/google_java.yaml | 81 +++++++++++++++++++++++++++++++++++ deployments/google_python.yml | 81 +++++++++++++++++++++++++++++++++++ 6 files changed, 486 insertions(+) create mode 100644 deployments/aws_docker.yaml create mode 100644 deployments/aws_node.yaml create mode 100644 deployments/azure_docker.yaml create mode 100644 deployments/azure_node.yaml create mode 100644 deployments/google_java.yaml create mode 100644 deployments/google_python.yml diff --git a/deployments/aws_docker.yaml b/deployments/aws_docker.yaml new file mode 100644 index 0000000..0c789fa --- /dev/null +++ b/deployments/aws_docker.yaml @@ -0,0 +1,81 @@ +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. +# +# To configure this workflow: +# +# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. +# +# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). +# +# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). +# +# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke + +name: Build and Deploy to GKE + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: ${{ secrets.GKE_PROJECT }} + GKE_CLUSTER: cluster-1 # TODO: update to cluster name + GKE_ZONE: us-central1-c # TODO: update to cluster zone + DEPLOYMENT_NAME: gke-test # TODO: update to deployment name + IMAGE: static-site + +jobs: + setup-build-publish-deploy: + name: Setup, Build, Publish, and Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v2 + + # Setup gcloud CLI + - uses: google-github-actions/setup-gcloud@v0.2.0 + with: + service_account_key: ${{ secrets.GKE_SA_KEY }} + project_id: ${{ secrets.GKE_PROJECT }} + + # Configure Docker to use the gcloud command-line tool as a credential + # helper for authentication + - run: |- + gcloud --quiet auth configure-docker + + # Get the GKE credentials so we can deploy to the cluster + - uses: google-github-actions/get-gke-credentials@v0.2.1 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + credentials: ${{ secrets.GKE_SA_KEY }} + + # Build the Docker image + - name: Build + run: |- + docker build \ + --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ + --build-arg GITHUB_SHA="$GITHUB_SHA" \ + --build-arg GITHUB_REF="$GITHUB_REF" \ + . + + # Push the Docker image to Google Container Registry + - name: Publish + run: |- + docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" + + # Set up kustomize + - name: Set up Kustomize + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 + chmod u+x ./kustomize + + # Deploy the Docker image to the GKE cluster + - name: Deploy + run: |- + ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide \ No newline at end of file diff --git a/deployments/aws_node.yaml b/deployments/aws_node.yaml new file mode 100644 index 0000000..0c789fa --- /dev/null +++ b/deployments/aws_node.yaml @@ -0,0 +1,81 @@ +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. +# +# To configure this workflow: +# +# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. +# +# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). +# +# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). +# +# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke + +name: Build and Deploy to GKE + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: ${{ secrets.GKE_PROJECT }} + GKE_CLUSTER: cluster-1 # TODO: update to cluster name + GKE_ZONE: us-central1-c # TODO: update to cluster zone + DEPLOYMENT_NAME: gke-test # TODO: update to deployment name + IMAGE: static-site + +jobs: + setup-build-publish-deploy: + name: Setup, Build, Publish, and Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v2 + + # Setup gcloud CLI + - uses: google-github-actions/setup-gcloud@v0.2.0 + with: + service_account_key: ${{ secrets.GKE_SA_KEY }} + project_id: ${{ secrets.GKE_PROJECT }} + + # Configure Docker to use the gcloud command-line tool as a credential + # helper for authentication + - run: |- + gcloud --quiet auth configure-docker + + # Get the GKE credentials so we can deploy to the cluster + - uses: google-github-actions/get-gke-credentials@v0.2.1 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + credentials: ${{ secrets.GKE_SA_KEY }} + + # Build the Docker image + - name: Build + run: |- + docker build \ + --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ + --build-arg GITHUB_SHA="$GITHUB_SHA" \ + --build-arg GITHUB_REF="$GITHUB_REF" \ + . + + # Push the Docker image to Google Container Registry + - name: Publish + run: |- + docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" + + # Set up kustomize + - name: Set up Kustomize + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 + chmod u+x ./kustomize + + # Deploy the Docker image to the GKE cluster + - name: Deploy + run: |- + ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide \ No newline at end of file diff --git a/deployments/azure_docker.yaml b/deployments/azure_docker.yaml new file mode 100644 index 0000000..0c789fa --- /dev/null +++ b/deployments/azure_docker.yaml @@ -0,0 +1,81 @@ +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. +# +# To configure this workflow: +# +# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. +# +# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). +# +# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). +# +# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke + +name: Build and Deploy to GKE + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: ${{ secrets.GKE_PROJECT }} + GKE_CLUSTER: cluster-1 # TODO: update to cluster name + GKE_ZONE: us-central1-c # TODO: update to cluster zone + DEPLOYMENT_NAME: gke-test # TODO: update to deployment name + IMAGE: static-site + +jobs: + setup-build-publish-deploy: + name: Setup, Build, Publish, and Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v2 + + # Setup gcloud CLI + - uses: google-github-actions/setup-gcloud@v0.2.0 + with: + service_account_key: ${{ secrets.GKE_SA_KEY }} + project_id: ${{ secrets.GKE_PROJECT }} + + # Configure Docker to use the gcloud command-line tool as a credential + # helper for authentication + - run: |- + gcloud --quiet auth configure-docker + + # Get the GKE credentials so we can deploy to the cluster + - uses: google-github-actions/get-gke-credentials@v0.2.1 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + credentials: ${{ secrets.GKE_SA_KEY }} + + # Build the Docker image + - name: Build + run: |- + docker build \ + --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ + --build-arg GITHUB_SHA="$GITHUB_SHA" \ + --build-arg GITHUB_REF="$GITHUB_REF" \ + . + + # Push the Docker image to Google Container Registry + - name: Publish + run: |- + docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" + + # Set up kustomize + - name: Set up Kustomize + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 + chmod u+x ./kustomize + + # Deploy the Docker image to the GKE cluster + - name: Deploy + run: |- + ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide \ No newline at end of file diff --git a/deployments/azure_node.yaml b/deployments/azure_node.yaml new file mode 100644 index 0000000..0c789fa --- /dev/null +++ b/deployments/azure_node.yaml @@ -0,0 +1,81 @@ +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. +# +# To configure this workflow: +# +# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. +# +# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). +# +# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). +# +# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke + +name: Build and Deploy to GKE + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: ${{ secrets.GKE_PROJECT }} + GKE_CLUSTER: cluster-1 # TODO: update to cluster name + GKE_ZONE: us-central1-c # TODO: update to cluster zone + DEPLOYMENT_NAME: gke-test # TODO: update to deployment name + IMAGE: static-site + +jobs: + setup-build-publish-deploy: + name: Setup, Build, Publish, and Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v2 + + # Setup gcloud CLI + - uses: google-github-actions/setup-gcloud@v0.2.0 + with: + service_account_key: ${{ secrets.GKE_SA_KEY }} + project_id: ${{ secrets.GKE_PROJECT }} + + # Configure Docker to use the gcloud command-line tool as a credential + # helper for authentication + - run: |- + gcloud --quiet auth configure-docker + + # Get the GKE credentials so we can deploy to the cluster + - uses: google-github-actions/get-gke-credentials@v0.2.1 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + credentials: ${{ secrets.GKE_SA_KEY }} + + # Build the Docker image + - name: Build + run: |- + docker build \ + --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ + --build-arg GITHUB_SHA="$GITHUB_SHA" \ + --build-arg GITHUB_REF="$GITHUB_REF" \ + . + + # Push the Docker image to Google Container Registry + - name: Publish + run: |- + docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" + + # Set up kustomize + - name: Set up Kustomize + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 + chmod u+x ./kustomize + + # Deploy the Docker image to the GKE cluster + - name: Deploy + run: |- + ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide \ No newline at end of file diff --git a/deployments/google_java.yaml b/deployments/google_java.yaml new file mode 100644 index 0000000..0c789fa --- /dev/null +++ b/deployments/google_java.yaml @@ -0,0 +1,81 @@ +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. +# +# To configure this workflow: +# +# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. +# +# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). +# +# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). +# +# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke + +name: Build and Deploy to GKE + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: ${{ secrets.GKE_PROJECT }} + GKE_CLUSTER: cluster-1 # TODO: update to cluster name + GKE_ZONE: us-central1-c # TODO: update to cluster zone + DEPLOYMENT_NAME: gke-test # TODO: update to deployment name + IMAGE: static-site + +jobs: + setup-build-publish-deploy: + name: Setup, Build, Publish, and Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v2 + + # Setup gcloud CLI + - uses: google-github-actions/setup-gcloud@v0.2.0 + with: + service_account_key: ${{ secrets.GKE_SA_KEY }} + project_id: ${{ secrets.GKE_PROJECT }} + + # Configure Docker to use the gcloud command-line tool as a credential + # helper for authentication + - run: |- + gcloud --quiet auth configure-docker + + # Get the GKE credentials so we can deploy to the cluster + - uses: google-github-actions/get-gke-credentials@v0.2.1 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + credentials: ${{ secrets.GKE_SA_KEY }} + + # Build the Docker image + - name: Build + run: |- + docker build \ + --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ + --build-arg GITHUB_SHA="$GITHUB_SHA" \ + --build-arg GITHUB_REF="$GITHUB_REF" \ + . + + # Push the Docker image to Google Container Registry + - name: Publish + run: |- + docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" + + # Set up kustomize + - name: Set up Kustomize + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 + chmod u+x ./kustomize + + # Deploy the Docker image to the GKE cluster + - name: Deploy + run: |- + ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide \ No newline at end of file diff --git a/deployments/google_python.yml b/deployments/google_python.yml new file mode 100644 index 0000000..0c789fa --- /dev/null +++ b/deployments/google_python.yml @@ -0,0 +1,81 @@ +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. +# +# To configure this workflow: +# +# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. +# +# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). +# +# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). +# +# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke + +name: Build and Deploy to GKE + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: ${{ secrets.GKE_PROJECT }} + GKE_CLUSTER: cluster-1 # TODO: update to cluster name + GKE_ZONE: us-central1-c # TODO: update to cluster zone + DEPLOYMENT_NAME: gke-test # TODO: update to deployment name + IMAGE: static-site + +jobs: + setup-build-publish-deploy: + name: Setup, Build, Publish, and Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v2 + + # Setup gcloud CLI + - uses: google-github-actions/setup-gcloud@v0.2.0 + with: + service_account_key: ${{ secrets.GKE_SA_KEY }} + project_id: ${{ secrets.GKE_PROJECT }} + + # Configure Docker to use the gcloud command-line tool as a credential + # helper for authentication + - run: |- + gcloud --quiet auth configure-docker + + # Get the GKE credentials so we can deploy to the cluster + - uses: google-github-actions/get-gke-credentials@v0.2.1 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + credentials: ${{ secrets.GKE_SA_KEY }} + + # Build the Docker image + - name: Build + run: |- + docker build \ + --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ + --build-arg GITHUB_SHA="$GITHUB_SHA" \ + --build-arg GITHUB_REF="$GITHUB_REF" \ + . + + # Push the Docker image to Google Container Registry + - name: Publish + run: |- + docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" + + # Set up kustomize + - name: Set up Kustomize + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 + chmod u+x ./kustomize + + # Deploy the Docker image to the GKE cluster + - name: Deploy + run: |- + ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide \ No newline at end of file From a3270e70de1372f795ccd0b5f6c234b62743de79 Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Fri, 22 Oct 2021 15:13:09 +0530 Subject: [PATCH 009/110] Add files via upload --- deployments/properties/aws_dockerfile.properties.json | 7 +++++++ deployments/properties/aws_node.properties.json | 7 +++++++ deployments/properties/azure_docker.properties.json | 7 +++++++ deployments/properties/azure_node.properties.json | 7 +++++++ deployments/properties/google_java.properties.json | 7 +++++++ deployments/properties/google_python.properties.json | 7 +++++++ 6 files changed, 42 insertions(+) create mode 100644 deployments/properties/aws_dockerfile.properties.json create mode 100644 deployments/properties/aws_node.properties.json create mode 100644 deployments/properties/azure_docker.properties.json create mode 100644 deployments/properties/azure_node.properties.json create mode 100644 deployments/properties/google_java.properties.json create mode 100644 deployments/properties/google_python.properties.json diff --git a/deployments/properties/aws_dockerfile.properties.json b/deployments/properties/aws_dockerfile.properties.json new file mode 100644 index 0000000..ca3ebc9 --- /dev/null +++ b/deployments/properties/aws_dockerfile.properties.json @@ -0,0 +1,7 @@ +{ + "name": "[Specific Docker]Deploy to Amazon ECS", + "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.", + "creator": "Amazon Web Services", + "iconName": "aws", + "categories": ["Deployment", "Dockerfile"] +} \ No newline at end of file diff --git a/deployments/properties/aws_node.properties.json b/deployments/properties/aws_node.properties.json new file mode 100644 index 0000000..0466c39 --- /dev/null +++ b/deployments/properties/aws_node.properties.json @@ -0,0 +1,7 @@ +{ + "name": "[Specific Node]Deploy to Amazon ECS", + "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.", + "creator": "Amazon Web Services", + "iconName": "aws", + "categories": ["Deployment", "JavaScript", "npm"] +} \ No newline at end of file diff --git a/deployments/properties/azure_docker.properties.json b/deployments/properties/azure_docker.properties.json new file mode 100644 index 0000000..8fb260c --- /dev/null +++ b/deployments/properties/azure_docker.properties.json @@ -0,0 +1,7 @@ +{ + "name": "[Specific Docker]Deploy Node.js to Azure Web App", + "description": "Build a Node.js project and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Dockerfile"] +} \ No newline at end of file diff --git a/deployments/properties/azure_node.properties.json b/deployments/properties/azure_node.properties.json new file mode 100644 index 0000000..f2124ad --- /dev/null +++ b/deployments/properties/azure_node.properties.json @@ -0,0 +1,7 @@ +{ + "name": "[Specific Node]Deploy Node.js to Azure Web App", + "description": "Build a Node.js project and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "JavaScript", "npm"] +} \ No newline at end of file diff --git a/deployments/properties/google_java.properties.json b/deployments/properties/google_java.properties.json new file mode 100644 index 0000000..88e3c2e --- /dev/null +++ b/deployments/properties/google_java.properties.json @@ -0,0 +1,7 @@ +{ + "name": "[Specific Java]Build and Deploy to GKE", + "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", + "creator": "Google Cloud", + "iconName": "googlegke", + "categories": ["Deployment", "Java"] +} \ No newline at end of file diff --git a/deployments/properties/google_python.properties.json b/deployments/properties/google_python.properties.json new file mode 100644 index 0000000..ff8561c --- /dev/null +++ b/deployments/properties/google_python.properties.json @@ -0,0 +1,7 @@ +{ + "name": "[Specific Python]Build and Deploy to GKE", + "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", + "creator": "Google Cloud", + "iconName": "googlegke", + "categories": ["Deployment", "Python"] +} \ No newline at end of file From d6e33d5f35d8477542daaac02ccc53b091deb0fe Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 15:48:49 +0530 Subject: [PATCH 010/110] fix dummy template names (#1185) --- deployments/azure_node.yaml | 81 ------------------- .../properties/aws_dockerfile.properties.json | 4 +- deployments/properties/azure.properties.json | 2 +- .../properties/azure_docker.properties.json | 4 +- .../properties/azure_node.properties.json | 7 -- .../properties/google_python.properties.json | 4 +- 6 files changed, 7 insertions(+), 95 deletions(-) delete mode 100644 deployments/azure_node.yaml delete mode 100644 deployments/properties/azure_node.properties.json diff --git a/deployments/azure_node.yaml b/deployments/azure_node.yaml deleted file mode 100644 index 0c789fa..0000000 --- a/deployments/azure_node.yaml +++ /dev/null @@ -1,81 +0,0 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. -# -# To configure this workflow: -# -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. -# -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). -# -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). -# -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke - -name: Build and Deploy to GKE - -on: - push: - branches: - - $default-branch - -env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - IMAGE: static-site - -jobs: - setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v2 - - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v0.2.0 - with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker - - # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v0.2.1 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY }} - - # Build the Docker image - - name: Build - run: |- - docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - - # Push the Docker image to Google Container Registry - - name: Publish - run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide \ No newline at end of file diff --git a/deployments/properties/aws_dockerfile.properties.json b/deployments/properties/aws_dockerfile.properties.json index ca3ebc9..e22ba46 100644 --- a/deployments/properties/aws_dockerfile.properties.json +++ b/deployments/properties/aws_dockerfile.properties.json @@ -1,6 +1,6 @@ { - "name": "[Specific Docker]Deploy to Amazon ECS", - "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.", + "name": "[Specific Docker] Deploy dockerfile to Amazon EKS", + "description": "Deploy a container to an Amazon ECS.", "creator": "Amazon Web Services", "iconName": "aws", "categories": ["Deployment", "Dockerfile"] diff --git a/deployments/properties/azure.properties.json b/deployments/properties/azure.properties.json index 362d5d1..90a3717 100644 --- a/deployments/properties/azure.properties.json +++ b/deployments/properties/azure.properties.json @@ -3,5 +3,5 @@ "description": "Build a Node.js project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment"] + "categories": ["Deployment", "JavaScript", "npm"] } \ No newline at end of file diff --git a/deployments/properties/azure_docker.properties.json b/deployments/properties/azure_docker.properties.json index 8fb260c..bbf4a81 100644 --- a/deployments/properties/azure_docker.properties.json +++ b/deployments/properties/azure_docker.properties.json @@ -1,6 +1,6 @@ { - "name": "[Specific Docker]Deploy Node.js to Azure Web App", - "description": "Build a Node.js project and deploy it to an Azure Web App.", + "name": "[Specific Docker] Deploy Node.js to AKS", + "description": "Build a Node.js project and deploy it to AKS.", "creator": "Microsoft Azure", "iconName": "azure", "categories": ["Deployment", "Dockerfile"] diff --git a/deployments/properties/azure_node.properties.json b/deployments/properties/azure_node.properties.json deleted file mode 100644 index f2124ad..0000000 --- a/deployments/properties/azure_node.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "[Specific Node]Deploy Node.js to Azure Web App", - "description": "Build a Node.js project and deploy it to an Azure Web App.", - "creator": "Microsoft Azure", - "iconName": "azure", - "categories": ["Deployment", "JavaScript", "npm"] -} \ No newline at end of file diff --git a/deployments/properties/google_python.properties.json b/deployments/properties/google_python.properties.json index ff8561c..21c631f 100644 --- a/deployments/properties/google_python.properties.json +++ b/deployments/properties/google_python.properties.json @@ -1,6 +1,6 @@ { - "name": "[Specific Python]Build and Deploy to GKE", - "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", + "name": "[Specific Python] Build and Deploy to GCE", + "description": "Build a docker container, publish it to Google compute engine.", "creator": "Google Cloud", "iconName": "googlegke", "categories": ["Deployment", "Python"] From c3f7e66294d486c8e262a3ac75dbb668b696bce8 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 15:53:33 +0530 Subject: [PATCH 011/110] Update azure_docker.properties.json --- deployments/properties/azure_docker.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/properties/azure_docker.properties.json b/deployments/properties/azure_docker.properties.json index bbf4a81..2b7babf 100644 --- a/deployments/properties/azure_docker.properties.json +++ b/deployments/properties/azure_docker.properties.json @@ -1,7 +1,7 @@ { - "name": "[Specific Docker] Deploy Node.js to AKS", + "name": "[Specific Docker] Deploy dockerfile to AKS", "description": "Build a Node.js project and deploy it to AKS.", "creator": "Microsoft Azure", "iconName": "azure", "categories": ["Deployment", "Dockerfile"] -} \ No newline at end of file +} From 1d19515d9576cc6df6a0e2beeaa7aa448cea7c58 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 15:58:29 +0530 Subject: [PATCH 012/110] Update google_java.properties.json --- deployments/properties/google_java.properties.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/deployments/properties/google_java.properties.json b/deployments/properties/google_java.properties.json index 88e3c2e..0a87690 100644 --- a/deployments/properties/google_java.properties.json +++ b/deployments/properties/google_java.properties.json @@ -1,7 +1,7 @@ { - "name": "[Specific Java]Build and Deploy to GKE", - "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", + "name": "[Specific Java] Build and Deploy Java to GCE", + "description": "Build and deploy Java application to Google Compute engine.", "creator": "Google Cloud", "iconName": "googlegke", "categories": ["Deployment", "Java"] -} \ No newline at end of file +} From 1ff952c678c7ccb754cbcb5f33fc2d4e3478f2d4 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 16:00:12 +0530 Subject: [PATCH 013/110] Update aws_node.properties.json --- deployments/properties/aws_node.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/properties/aws_node.properties.json b/deployments/properties/aws_node.properties.json index 0466c39..dd932f0 100644 --- a/deployments/properties/aws_node.properties.json +++ b/deployments/properties/aws_node.properties.json @@ -1,7 +1,7 @@ { "name": "[Specific Node]Deploy to Amazon ECS", - "description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.", + "description": "Deploy a Java app to Amazon ECS service powered by AWS Fargate or Amazon EC2.", "creator": "Amazon Web Services", "iconName": "aws", "categories": ["Deployment", "JavaScript", "npm"] -} \ No newline at end of file +} From ff38066101192d26bc67c20561c01f1f6f3c90e2 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 16:00:18 +0530 Subject: [PATCH 014/110] Create aws_node.properties.json From 62a3686226d6d270103408b1c31a7ed19cb4ca60 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 16:00:55 +0530 Subject: [PATCH 015/110] Rename aws_node.properties.json to aws_java.properties.json --- .../{aws_node.properties.json => aws_java.properties.json} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename deployments/properties/{aws_node.properties.json => aws_java.properties.json} (100%) diff --git a/deployments/properties/aws_node.properties.json b/deployments/properties/aws_java.properties.json similarity index 100% rename from deployments/properties/aws_node.properties.json rename to deployments/properties/aws_java.properties.json From a7e746ef4ebc6f9a54f1b0a34d33c8e5625589fa Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 16:01:43 +0530 Subject: [PATCH 016/110] Rename aws_node.yaml to aws_java.yaml --- deployments/{aws_node.yaml => aws_java.yaml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename deployments/{aws_node.yaml => aws_java.yaml} (98%) diff --git a/deployments/aws_node.yaml b/deployments/aws_java.yaml similarity index 98% rename from deployments/aws_node.yaml rename to deployments/aws_java.yaml index 0c789fa..267d3cb 100644 --- a/deployments/aws_node.yaml +++ b/deployments/aws_java.yaml @@ -78,4 +78,4 @@ jobs: ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA ./kustomize build . | kubectl apply -f - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide \ No newline at end of file + kubectl get services -o wide From 41027f9cb5d57b442d39278c6618552596e2969a Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 16:08:40 +0530 Subject: [PATCH 017/110] Update aws_dockerfile.properties.json --- deployments/properties/aws_dockerfile.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/properties/aws_dockerfile.properties.json b/deployments/properties/aws_dockerfile.properties.json index e22ba46..dc886ae 100644 --- a/deployments/properties/aws_dockerfile.properties.json +++ b/deployments/properties/aws_dockerfile.properties.json @@ -1,7 +1,7 @@ { "name": "[Specific Docker] Deploy dockerfile to Amazon EKS", - "description": "Deploy a container to an Amazon ECS.", + "description": "Deploy a container to an Amazon EKS.", "creator": "Amazon Web Services", "iconName": "aws", "categories": ["Deployment", "Dockerfile"] -} \ No newline at end of file +} From 34a94290c1c9302a04c793a6e3493e69855a9c01 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 16:10:51 +0530 Subject: [PATCH 018/110] Update aws_java.properties.json --- deployments/properties/aws_java.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployments/properties/aws_java.properties.json b/deployments/properties/aws_java.properties.json index dd932f0..070837b 100644 --- a/deployments/properties/aws_java.properties.json +++ b/deployments/properties/aws_java.properties.json @@ -1,6 +1,6 @@ { "name": "[Specific Node]Deploy to Amazon ECS", - "description": "Deploy a Java app to Amazon ECS service powered by AWS Fargate or Amazon EC2.", + "description": "Deploy a Node app to Amazon ECS service powered by AWS Fargate or Amazon EC2.", "creator": "Amazon Web Services", "iconName": "aws", "categories": ["Deployment", "JavaScript", "npm"] From 2b39072b92cca434b145494f409ae8b72be3cac3 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 16:11:39 +0530 Subject: [PATCH 019/110] Rename aws_java.properties.json to aws_node.properties.json --- .../{aws_java.properties.json => aws_node.properties.json} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename deployments/properties/{aws_java.properties.json => aws_node.properties.json} (100%) diff --git a/deployments/properties/aws_java.properties.json b/deployments/properties/aws_node.properties.json similarity index 100% rename from deployments/properties/aws_java.properties.json rename to deployments/properties/aws_node.properties.json From 7b8fcf2d84798a1106efc90dcef79ed5fc0411a7 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 16:11:57 +0530 Subject: [PATCH 020/110] Rename aws_java.yaml to aws_node.yaml --- deployments/{aws_java.yaml => aws_node.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename deployments/{aws_java.yaml => aws_node.yaml} (100%) diff --git a/deployments/aws_java.yaml b/deployments/aws_node.yaml similarity index 100% rename from deployments/aws_java.yaml rename to deployments/aws_node.yaml From 4abed744e3963827eba227a342798d3526e9acc3 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 16:12:34 +0530 Subject: [PATCH 021/110] Update azure_docker.properties.json --- deployments/properties/azure_docker.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployments/properties/azure_docker.properties.json b/deployments/properties/azure_docker.properties.json index 2b7babf..840dcea 100644 --- a/deployments/properties/azure_docker.properties.json +++ b/deployments/properties/azure_docker.properties.json @@ -1,6 +1,6 @@ { "name": "[Specific Docker] Deploy dockerfile to AKS", - "description": "Build a Node.js project and deploy it to AKS.", + "description": "Build a dockerfile project and deploy it to AKS.", "creator": "Microsoft Azure", "iconName": "azure", "categories": ["Deployment", "Dockerfile"] From cd0b591526109d7aca2799ff3815105df7315544 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 22 Oct 2021 16:13:36 +0530 Subject: [PATCH 022/110] Update google_python.properties.json --- deployments/properties/google_python.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/properties/google_python.properties.json b/deployments/properties/google_python.properties.json index 21c631f..31e5e4f 100644 --- a/deployments/properties/google_python.properties.json +++ b/deployments/properties/google_python.properties.json @@ -1,7 +1,7 @@ { "name": "[Specific Python] Build and Deploy to GCE", - "description": "Build a docker container, publish it to Google compute engine.", + "description": "Build and deploy a python application to Google compute engine.", "creator": "Google Cloud", "iconName": "googlegke", "categories": ["Deployment", "Python"] -} \ No newline at end of file +} From 39293c24520b95f8e8d17bdfd4325f71a1bc0498 Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Fri, 22 Oct 2021 16:24:02 +0530 Subject: [PATCH 023/110] Deleting gcp dummy templates. (#1186) --- deployments/google_java.yaml | 81 ------------------- deployments/google_python.yml | 81 ------------------- .../properties/google_java.properties.json | 7 -- .../properties/google_python.properties.json | 7 -- 4 files changed, 176 deletions(-) delete mode 100644 deployments/google_java.yaml delete mode 100644 deployments/google_python.yml delete mode 100644 deployments/properties/google_java.properties.json delete mode 100644 deployments/properties/google_python.properties.json diff --git a/deployments/google_java.yaml b/deployments/google_java.yaml deleted file mode 100644 index 0c789fa..0000000 --- a/deployments/google_java.yaml +++ /dev/null @@ -1,81 +0,0 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. -# -# To configure this workflow: -# -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. -# -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). -# -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). -# -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke - -name: Build and Deploy to GKE - -on: - push: - branches: - - $default-branch - -env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - IMAGE: static-site - -jobs: - setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v2 - - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v0.2.0 - with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker - - # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v0.2.1 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY }} - - # Build the Docker image - - name: Build - run: |- - docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - - # Push the Docker image to Google Container Registry - - name: Publish - run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide \ No newline at end of file diff --git a/deployments/google_python.yml b/deployments/google_python.yml deleted file mode 100644 index 0c789fa..0000000 --- a/deployments/google_python.yml +++ /dev/null @@ -1,81 +0,0 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. -# -# To configure this workflow: -# -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. -# -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). -# -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). -# -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke - -name: Build and Deploy to GKE - -on: - push: - branches: - - $default-branch - -env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - IMAGE: static-site - -jobs: - setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v2 - - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v0.2.0 - with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker - - # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v0.2.1 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY }} - - # Build the Docker image - - name: Build - run: |- - docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - - # Push the Docker image to Google Container Registry - - name: Publish - run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide \ No newline at end of file diff --git a/deployments/properties/google_java.properties.json b/deployments/properties/google_java.properties.json deleted file mode 100644 index 0a87690..0000000 --- a/deployments/properties/google_java.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "[Specific Java] Build and Deploy Java to GCE", - "description": "Build and deploy Java application to Google Compute engine.", - "creator": "Google Cloud", - "iconName": "googlegke", - "categories": ["Deployment", "Java"] -} diff --git a/deployments/properties/google_python.properties.json b/deployments/properties/google_python.properties.json deleted file mode 100644 index 31e5e4f..0000000 --- a/deployments/properties/google_python.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "[Specific Python] Build and Deploy to GCE", - "description": "Build and deploy a python application to Google compute engine.", - "creator": "Google Cloud", - "iconName": "googlegke", - "categories": ["Deployment", "Python"] -} From 27ebc235eed1c6b89291b0a5b8a787321620aab8 Mon Sep 17 00:00:00 2001 From: Simona Cotin Date: Fri, 22 Oct 2021 13:00:26 +0200 Subject: [PATCH 024/110] Add partner templates for Azure Static Web Apps --- deployments/azure-staticwebapp.yml | 64 +++++++++++++++++++ .../azure-staticwebapp.properties.json | 7 ++ icons/azure-staticwebapp.svg | 17 +++++ 3 files changed, 88 insertions(+) create mode 100644 deployments/azure-staticwebapp.yml create mode 100644 deployments/properties/azure-staticwebapp.properties.json create mode 100644 icons/azure-staticwebapp.svg diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml new file mode 100644 index 0000000..d170d57 --- /dev/null +++ b/deployments/azure-staticwebapp.yml @@ -0,0 +1,64 @@ +# This workflow will build and push a web application to an Azure Static Web App when you change your code. +# +# This workflow assumes you have already created the target Azure Static Web App. +# For instructions see https://docs.microsoft.com/azure/static-web-apps/get-started-portal?tabs=vanilla-javascript +# +# To configure this workflow: +# +# 1. Set up a secret in your repository named AZURE_STATIC_WEB_APPS_API_TOKEN with the value of your Static Web Apps deployment token. +# For instructions on obtaining the deployment token see: https://docs.microsoft.com/azure/static-web-apps/deployment-token-management +# +# 3. Change the values for the APP_LOCATION, API_LOCATION and APP_ARTIFACT_LOCATION, AZURE_STATIC_WEB_APPS_API_TOKEN environment variables (below). +# For instructions on setting up the appropriate configuration values go to https://docs.microsoft.com/azure/static-web-apps/front-end-frameworks +name: Deploy web app to Azure Static Web Apps + +on: + push: + branches: + - $default-branch + pull_request: + types: [opened, synchronize, reopened, closed] + branches: + - $default-branch + +# Environment variables available to all jobs and steps in this workflow +env: + APP_LOCATION: "/" # location of your client code + API_LOCATION: "api" # location of your api source code - optional + APP_ARTIFACT_LOCATION: "build" # location of client code build output + AZURE_STATIC_WEB_APPS_API_TOKEN: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing deployment token for your static web app + +jobs: + build_and_deploy_job: + if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed') + runs-on: ubuntu-latest + name: Build and Deploy Job + steps: + - uses: actions/checkout@v2 + with: + submodules: true + - name: Build And Deploy + id: builddeploy + uses: Azure/static-web-apps-deploy@v1 + with: + azure_static_web_apps_api_token: ${{ env.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing api token for app + repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for Github integrations (i.e. PR comments) + action: "upload" + ###### Repository/Build Configurations - These values can be configured to match you app requirements. ###### + # For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig + app_location: ${{ env.APP_LOCATION }} + api_location: ${{ env.API_LOCATION }} + app_artifact_location: ${{ env.APP_ARTIFACT_LOCATION }} + ###### End of Repository/Build Configurations ###### + + close_pull_request_job: + if: github.event_name == 'pull_request' && github.event.action == 'closed' + runs-on: ubuntu-latest + name: Close Pull Request Job + steps: + - name: Close Pull Request + id: closepullrequest + uses: Azure/static-web-apps-deploy@latest + with: + azure_static_web_apps_api_token: ${{ env.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing api token for app + action: "close" diff --git a/deployments/properties/azure-staticwebapp.properties.json b/deployments/properties/azure-staticwebapp.properties.json new file mode 100644 index 0000000..8bc5f6a --- /dev/null +++ b/deployments/properties/azure-staticwebapp.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy web app to Azure Static Web Apps", + "description": "Build and deploy web application to an Azure Static Web App.", + "creator": "Microsoft Azure", + "iconName": "azure-staticwebapp", + "categories": ["Deployment", "React", "Angular", "Vue", "Svelte", "Gatsby", "Next", "Nuxt", "Jekyll"] +} \ No newline at end of file diff --git a/icons/azure-staticwebapp.svg b/icons/azure-staticwebapp.svg new file mode 100644 index 0000000..327517d --- /dev/null +++ b/icons/azure-staticwebapp.svg @@ -0,0 +1,17 @@ + + + + + + + + + + + + + + + + + \ No newline at end of file From a702d187d139aa4b2f22db55a7bcd8fb5d796027 Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Sun, 24 Oct 2021 21:37:36 -0700 Subject: [PATCH 025/110] Add workflow and properties file for PHP --- deployments/azure-webapps-php.yml | 64 +++++++++++++++++++ .../azure-webapps-php.properties.json | 7 ++ 2 files changed, 71 insertions(+) create mode 100644 deployments/azure-webapps-php.yml create mode 100644 deployments/properties/azure-webapps-php.properties.json diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml new file mode 100644 index 0000000..261184b --- /dev/null +++ b/deployments/azure-webapps-php.yml @@ -0,0 +1,64 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# More GitHub Actions for Azure: https://github.com/Azure/actions + +name: Build and deploy PHP app to Azure Web App - __sitename__ + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to your application's name + AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root + NODE_VERSION: '10.x' # set this to the PHP version to use + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Setup PHP + uses: shivammathur/setup-php@v2 + with: + php-version: ${{ env.NODE_VERSION }} + + - name: Check if composer.json exists + id: check_files + uses: andstor/file-existence-action@v1 + with: + files: 'composer.json' + + - name: Run composer install if composer.json exists + if: steps.check_files.outputs.files_exists == 'true' + run: composer validate --no-check-publish && composer install --prefer-dist --no-progress + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v2 + with: + name: php-app + path: . + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Production' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: php-app + + - name: 'Deploy to Azure Web App' + uses: azure/webapps-deploy@v2 + id: deploy-to-webapp + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: . diff --git a/deployments/properties/azure-webapps-php.properties.json b/deployments/properties/azure-webapps-php.properties.json new file mode 100644 index 0000000..42fd724 --- /dev/null +++ b/deployments/properties/azure-webapps-php.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy a PHP app to an Azure Web App", + "description": "Build a PHP app and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment"] +} \ No newline at end of file From 704eb638ced8cd324890dcf8b1cbe0e21498e65c Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Sun, 24 Oct 2021 21:45:21 -0700 Subject: [PATCH 026/110] Updates from PR review --- deployments/azure-webapps-container.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 2 +- deployments/azure-webapps-java-jar.yml | 2 +- deployments/azure-webapps-node.yml | 2 +- deployments/azure-webapps-php.yml | 8 ++++---- deployments/azure-webapps-python.yml | 9 ++++----- .../properties/azure-webapps-container.properties.json | 4 ++-- ...ps-donet-core.json => azure-webapps-dotnet-core.json} | 4 ++-- .../properties/azure-webapps-java-jar.properties.json | 4 ++-- .../properties/azure-webapps-node.properties.json | 4 ++-- deployments/properties/azure-webapps-php.properties.json | 4 ++-- .../properties/azure-webapps-python.properties.json | 4 ++-- 12 files changed, 24 insertions(+), 25 deletions(-) rename deployments/properties/{azure-webapps-donet-core.json => azure-webapps-dotnet-core.json} (78%) diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-webapps-container.yml index b9dab0d..e2dec98 100644 --- a/deployments/azure-webapps-container.yml +++ b/deployments/azure-webapps-container.yml @@ -43,7 +43,7 @@ jobs: runs-on: ubuntu-latest needs: build environment: - name: 'Production' + name: 'Development' url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} steps: diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 532efc4..9948969 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -41,7 +41,7 @@ jobs: runs-on: ubuntu-latest needs: build environment: - name: 'Production' + name: 'Development' url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} steps: diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index ae1cb87..a46026d 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -38,7 +38,7 @@ jobs: runs-on: ubuntu-latest needs: build environment: - name: Production + name: 'Development' url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} steps: diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index ab144ba..f3221c2 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -51,7 +51,7 @@ jobs: runs-on: ubuntu-latest needs: build environment: - name: 'Production' + name: 'Development' url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} steps: diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 261184b..936e0db 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -46,7 +46,7 @@ jobs: runs-on: ubuntu-latest needs: build environment: - name: 'Production' + name: 'Development' url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} steps: @@ -59,6 +59,6 @@ jobs: uses: azure/webapps-deploy@v2 id: deploy-to-webapp with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: . + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: . diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index a934a02..c4ba186 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -2,11 +2,11 @@ # More GitHub Actions for Azure: https://github.com/Azure/actions # More info on Python, GitHub Actions, and Azure App Service: https://aka.ms/python-webapps-actions -name: Build and deploy Python app to Azure Web App - __sitename__ +name: Build and deploy Python app to Azure Web App env: AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App - PYTHON_VERSION: '11' # set this to the Python version to use + PYTHON_VERSION: '3.8' # set this to the Python version to use on: push: @@ -48,7 +48,7 @@ jobs: runs-on: ubuntu-latest needs: build environment: - name: '__slotname__' + name: 'Development' url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} steps: @@ -62,6 +62,5 @@ jobs: uses: azure/webapps-deploy@v2 id: deploy-to-webapp with: - app-name: '__sitename__' - slot-name: '__slotname__' + app-name: ${{ env.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} diff --git a/deployments/properties/azure-webapps-container.properties.json b/deployments/properties/azure-webapps-container.properties.json index 1335e3a..fcd62b2 100644 --- a/deployments/properties/azure-webapps-container.properties.json +++ b/deployments/properties/azure-webapps-container.properties.json @@ -3,5 +3,5 @@ "description": "Build a container and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment"] -} \ No newline at end of file + "categories": ["Deployment", "Dockerfile"] +} diff --git a/deployments/properties/azure-webapps-donet-core.json b/deployments/properties/azure-webapps-dotnet-core.json similarity index 78% rename from deployments/properties/azure-webapps-donet-core.json rename to deployments/properties/azure-webapps-dotnet-core.json index 3ac2f8c..9074a2a 100644 --- a/deployments/properties/azure-webapps-donet-core.json +++ b/deployments/properties/azure-webapps-dotnet-core.json @@ -3,5 +3,5 @@ "description": "Build a .NET Core project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment"] -} \ No newline at end of file + "categories": ["Deployment", "C#", "dotNetCore"] +} diff --git a/deployments/properties/azure-webapps-java-jar.properties.json b/deployments/properties/azure-webapps-java-jar.properties.json index f2418fa..6654463 100644 --- a/deployments/properties/azure-webapps-java-jar.properties.json +++ b/deployments/properties/azure-webapps-java-jar.properties.json @@ -3,5 +3,5 @@ "description": "Build a Java project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment"] -} \ No newline at end of file + "categories": ["Deployment", "Java"] +} diff --git a/deployments/properties/azure-webapps-node.properties.json b/deployments/properties/azure-webapps-node.properties.json index 362d5d1..f24fd04 100644 --- a/deployments/properties/azure-webapps-node.properties.json +++ b/deployments/properties/azure-webapps-node.properties.json @@ -3,5 +3,5 @@ "description": "Build a Node.js project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment"] -} \ No newline at end of file + "categories": ["Deployment", "Node"] +} diff --git a/deployments/properties/azure-webapps-php.properties.json b/deployments/properties/azure-webapps-php.properties.json index 42fd724..48554de 100644 --- a/deployments/properties/azure-webapps-php.properties.json +++ b/deployments/properties/azure-webapps-php.properties.json @@ -3,5 +3,5 @@ "description": "Build a PHP app and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment"] -} \ No newline at end of file + "categories": ["Deployment", "PHP"] +} diff --git a/deployments/properties/azure-webapps-python.properties.json b/deployments/properties/azure-webapps-python.properties.json index f749848..73f0cf5 100644 --- a/deployments/properties/azure-webapps-python.properties.json +++ b/deployments/properties/azure-webapps-python.properties.json @@ -3,5 +3,5 @@ "description": "Build a Python app and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment"] -} \ No newline at end of file + "categories": ["Deployment", "Python"] +} From b5113430d97e147627681b7acb9e8799b18338b0 Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Sun, 24 Oct 2021 21:46:13 -0700 Subject: [PATCH 027/110] Fix EOF --- deployments/azure-webapps-container.yml | 2 +- deployments/azure-webapps-java-jar.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-webapps-container.yml index e2dec98..66c49d8 100644 --- a/deployments/azure-webapps-container.yml +++ b/deployments/azure-webapps-container.yml @@ -56,4 +56,4 @@ jobs: with: app-name: ${{ env.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}' \ No newline at end of file + images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}' diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index a46026d..8e4f5fb 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -53,4 +53,4 @@ jobs: with: app-name: ${{ env.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: '*.jar' \ No newline at end of file + package: '*.jar' From c78dd727e93078bf584efad509341f4758d7ad5a Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Sun, 24 Oct 2021 21:47:00 -0700 Subject: [PATCH 028/110] Use latest versions --- deployments/azure-webapps-java-jar.yml | 2 +- deployments/azure-webapps-python.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 8e4f5fb..45ec6f8 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -21,7 +21,7 @@ jobs: - uses: actions/checkout@v2 - name: Set up Java version - uses: actions/setup-java@v1 + uses: actions/setup-java@v2.3.1 with: java-version: ${{ env.JAVA_VERSION }} diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index c4ba186..7ad005e 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -22,7 +22,7 @@ jobs: - uses: actions/checkout@v2 - name: Set up Python version - uses: actions/setup-python@v1 + uses: actions/setup-python@v2.2.2 with: python-version: ${{ env.PYTHON_VERSION }} From 87a12c3391c7e723a2a49fd712ae8407d8c457dd Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Mon, 25 Oct 2021 19:30:04 +0530 Subject: [PATCH 029/110] Undo bug bash changes and Sync with the main branch (#1193) * Added Cloudrail according to instructions and existing examples * Adding Cloudrail according to documentation and examples * Oops * Add original Fortify on Demand workflow * Update Fortify on Demand workflow * Update Fortify on Demand supported languages * Add 3rd-party GitHub Actions disclaimer * Sysdig Secure Inline Scan with SARIF report to starter workflows * Added some extra comments, Github Actions V2 and changed env vars * Reviews from PR #1110 * Adding 'Dockerfile' to category list * Update according to PR review comments * File renames as requested in PR comments * Revert "Azure Data Factory CI starter workflow (#1111)" (#1146) This reverts commit 7f30309ccedb0e3dee186e0ee58c232752a78e24. * use env variables for user-set values (#1117) Co-authored-by: Josh Gross * Apply suggestions from nickfyson's code review Co-authored-by: Nick Fyson * removing "deployment" templates from sync-ghes (#1127) * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Changed svg logo * Rename sysdig.svg to sysdig-scan.svg * Switched svg logo (again) for a better fit * Rename fortify.json to fortify.properties.json * Correct character-case of "c" in Cloudrail * AWS template also used Docker * trigger on push instead of release (#1157) Co-authored-by: Josh Gross * Added new templates for 3 clouds. * Revert "Added new templates for 3 clouds." This reverts commit c765d6316fb380d15d81206ede83b0042cdac377. * Add workflow for Microsoft C++ Code Analysis * Updated action to meet guidelines * correct typo in msvc.properties.json * Removed the dummy templates used in bug_bash. Co-authored-by: Yoni Leitersdorf Co-authored-by: Ruud Senden Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com> Co-authored-by: Manuel Boira Cuevas Co-authored-by: manuelbcd Co-authored-by: Nick Fyson Co-authored-by: Sarah Edwards Co-authored-by: Josh Gross Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Co-authored-by: manuelbcd Co-authored-by: Daniel Winsor --- deployments/aws_docker.yaml | 81 ------------------- deployments/aws_node.yaml | 81 ------------------- deployments/azure_docker.yaml | 81 ------------------- .../properties/aws_dockerfile.properties.json | 7 -- .../properties/aws_node.properties.json | 7 -- .../properties/azure_docker.properties.json | 7 -- 6 files changed, 264 deletions(-) delete mode 100644 deployments/aws_docker.yaml delete mode 100644 deployments/aws_node.yaml delete mode 100644 deployments/azure_docker.yaml delete mode 100644 deployments/properties/aws_dockerfile.properties.json delete mode 100644 deployments/properties/aws_node.properties.json delete mode 100644 deployments/properties/azure_docker.properties.json diff --git a/deployments/aws_docker.yaml b/deployments/aws_docker.yaml deleted file mode 100644 index 0c789fa..0000000 --- a/deployments/aws_docker.yaml +++ /dev/null @@ -1,81 +0,0 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. -# -# To configure this workflow: -# -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. -# -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). -# -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). -# -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke - -name: Build and Deploy to GKE - -on: - push: - branches: - - $default-branch - -env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - IMAGE: static-site - -jobs: - setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v2 - - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v0.2.0 - with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker - - # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v0.2.1 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY }} - - # Build the Docker image - - name: Build - run: |- - docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - - # Push the Docker image to Google Container Registry - - name: Publish - run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide \ No newline at end of file diff --git a/deployments/aws_node.yaml b/deployments/aws_node.yaml deleted file mode 100644 index 267d3cb..0000000 --- a/deployments/aws_node.yaml +++ /dev/null @@ -1,81 +0,0 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. -# -# To configure this workflow: -# -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. -# -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). -# -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). -# -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke - -name: Build and Deploy to GKE - -on: - push: - branches: - - $default-branch - -env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - IMAGE: static-site - -jobs: - setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v2 - - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v0.2.0 - with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker - - # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v0.2.1 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY }} - - # Build the Docker image - - name: Build - run: |- - docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - - # Push the Docker image to Google Container Registry - - name: Publish - run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide diff --git a/deployments/azure_docker.yaml b/deployments/azure_docker.yaml deleted file mode 100644 index 0c789fa..0000000 --- a/deployments/azure_docker.yaml +++ /dev/null @@ -1,81 +0,0 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. -# -# To configure this workflow: -# -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. -# -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). -# -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). -# -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke - -name: Build and Deploy to GKE - -on: - push: - branches: - - $default-branch - -env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - IMAGE: static-site - -jobs: - setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v2 - - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v0.2.0 - with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker - - # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v0.2.1 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY }} - - # Build the Docker image - - name: Build - run: |- - docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - - # Push the Docker image to Google Container Registry - - name: Publish - run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide \ No newline at end of file diff --git a/deployments/properties/aws_dockerfile.properties.json b/deployments/properties/aws_dockerfile.properties.json deleted file mode 100644 index dc886ae..0000000 --- a/deployments/properties/aws_dockerfile.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "[Specific Docker] Deploy dockerfile to Amazon EKS", - "description": "Deploy a container to an Amazon EKS.", - "creator": "Amazon Web Services", - "iconName": "aws", - "categories": ["Deployment", "Dockerfile"] -} diff --git a/deployments/properties/aws_node.properties.json b/deployments/properties/aws_node.properties.json deleted file mode 100644 index 070837b..0000000 --- a/deployments/properties/aws_node.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "[Specific Node]Deploy to Amazon ECS", - "description": "Deploy a Node app to Amazon ECS service powered by AWS Fargate or Amazon EC2.", - "creator": "Amazon Web Services", - "iconName": "aws", - "categories": ["Deployment", "JavaScript", "npm"] -} diff --git a/deployments/properties/azure_docker.properties.json b/deployments/properties/azure_docker.properties.json deleted file mode 100644 index 840dcea..0000000 --- a/deployments/properties/azure_docker.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "[Specific Docker] Deploy dockerfile to AKS", - "description": "Build a dockerfile project and deploy it to AKS.", - "creator": "Microsoft Azure", - "iconName": "azure", - "categories": ["Deployment", "Dockerfile"] -} From 9ce2a5b56fdbf317dc8c33602b79858e9ecd8077 Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Mon, 25 Oct 2021 21:16:06 +0530 Subject: [PATCH 030/110] Dummy azure templates for showcasing the CD Ordering Behavior (#1194) * Rename "azure.yml" to Node-specific name * Add templates and properties for other languages * Add workflow for .NET Core * Add workflow and properties file for PHP * Updates from PR review * Fix EOF * Use latest versions * Renamed the file appropriately. Co-authored-by: Jason Freeberg --- deployments/dummy-azure-webapps-container.yml | 59 +++++++++++++++++ .../dummy-azure-webapps-dotnet-core.yml | 59 +++++++++++++++++ deployments/dummy-azure-webapps-java-jar.yml | 56 ++++++++++++++++ ...azure.yml => dummy-azure-webapps-node.yml} | 30 +++++++-- deployments/dummy-azure-webapps-php.yml | 64 ++++++++++++++++++ deployments/dummy-azure-webapps-python.yml | 66 +++++++++++++++++++ ...my-azure-webapps-container.properties.json | 7 ++ ...-azure-webapps-dotnet-core.properties.json | 7 ++ ...mmy-azure-webapps-java-jar.properties.json | 7 ++ ... dummy-azure-webapps-node.properties.json} | 2 +- .../dummy-azure-webapps-php.properties.json | 7 ++ ...dummy-azure-webapps-python.properties.json | 7 ++ 12 files changed, 364 insertions(+), 7 deletions(-) create mode 100644 deployments/dummy-azure-webapps-container.yml create mode 100644 deployments/dummy-azure-webapps-dotnet-core.yml create mode 100644 deployments/dummy-azure-webapps-java-jar.yml rename deployments/{azure.yml => dummy-azure-webapps-node.yml} (82%) create mode 100644 deployments/dummy-azure-webapps-php.yml create mode 100644 deployments/dummy-azure-webapps-python.yml create mode 100644 deployments/properties/dummy-azure-webapps-container.properties.json create mode 100644 deployments/properties/dummy-azure-webapps-dotnet-core.properties.json create mode 100644 deployments/properties/dummy-azure-webapps-java-jar.properties.json rename deployments/properties/{azure.properties.json => dummy-azure-webapps-node.properties.json} (73%) create mode 100644 deployments/properties/dummy-azure-webapps-php.properties.json create mode 100644 deployments/properties/dummy-azure-webapps-python.properties.json diff --git a/deployments/dummy-azure-webapps-container.yml b/deployments/dummy-azure-webapps-container.yml new file mode 100644 index 0000000..66c49d8 --- /dev/null +++ b/deployments/dummy-azure-webapps-container.yml @@ -0,0 +1,59 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# More GitHub Actions for Azure: https://github.com/Azure/actions + +name: Build and deploy a container to an Azure Web App + +env: + AZURE_WEBAPP_NAME: '' # set this to the name of your Azure Web App + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + + - name: Log in to GitHub container registry + uses: docker/login-action@v1 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Lowercase the repo name + run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} + + - name: Build and push container image to registry + uses: docker/build-push-action@v2 + with: + push: true + tags: ghcr.io/${{ env.REPO }}:${{ github.sha }} + file: ./Dockerfile + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Lowercase the repo name + run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} + + - name: Deploy to Azure Web App + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}' diff --git a/deployments/dummy-azure-webapps-dotnet-core.yml b/deployments/dummy-azure-webapps-dotnet-core.yml new file mode 100644 index 0000000..9948969 --- /dev/null +++ b/deployments/dummy-azure-webapps-dotnet-core.yml @@ -0,0 +1,59 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# More GitHub Actions for Azure: https://github.com/Azure/actions + +name: Build and deploy ASP.Net Core app to an Azure Web App + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + DOTNET_VERSION: '5' # set this to the .NET Core version to use + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Set up .NET Core + uses: actions/setup-dotnet@v1 + with: + dotnet-version: ${{ env.DOTNET_VERSION }} + + - name: Build with dotnet + run: dotnet build --configuration Release + + - name: dotnet publish + run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v2 + with: + name: .net-app + path: ${{env.DOTNET_ROOT}}/myapp + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: .net-app + + - name: Deploy to Azure Web App + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: . diff --git a/deployments/dummy-azure-webapps-java-jar.yml b/deployments/dummy-azure-webapps-java-jar.yml new file mode 100644 index 0000000..45ec6f8 --- /dev/null +++ b/deployments/dummy-azure-webapps-java-jar.yml @@ -0,0 +1,56 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# More GitHub Actions for Azure: https://github.com/Azure/actions + +name: Build and deploy JAR app to Azure Web App + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + JAVA_VERSION: '11' # set this to the Java version to use + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Set up Java version + uses: actions/setup-java@v2.3.1 + with: + java-version: ${{ env.JAVA_VERSION }} + + - name: Build with Maven + run: mvn clean install + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v2 + with: + name: java-app + path: '${{ github.workspace }}/target/*.jar' + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: java-app + + - name: Deploy to Azure Web App + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: '*.jar' diff --git a/deployments/azure.yml b/deployments/dummy-azure-webapps-node.yml similarity index 82% rename from deployments/azure.yml rename to deployments/dummy-azure-webapps-node.yml index 904ff25..62f7a8f 100644 --- a/deployments/azure.yml +++ b/deployments/dummy-azure-webapps-node.yml @@ -26,23 +26,41 @@ env: NODE_VERSION: '10.x' # set this to the node version to use jobs: - build-and-deploy: - name: Build and Deploy + build: runs-on: ubuntu-latest - environment: production steps: - uses: actions/checkout@v2 - - name: Use Node.js ${{ env.NODE_VERSION }} + + - name: Set up Node.js uses: actions/setup-node@v2 with: node-version: ${{ env.NODE_VERSION }} + - name: npm install, build, and test run: | - # Build and test the project, then - # deploy to Azure Web App. npm install npm run build --if-present npm run test --if-present + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v2 + with: + name: node-app + path: . + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: node-app + - name: 'Deploy to Azure WebApp' uses: azure/webapps-deploy@v2 with: diff --git a/deployments/dummy-azure-webapps-php.yml b/deployments/dummy-azure-webapps-php.yml new file mode 100644 index 0000000..5862766 --- /dev/null +++ b/deployments/dummy-azure-webapps-php.yml @@ -0,0 +1,64 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# More GitHub Actions for Azure: https://github.com/Azure/actions + +name: Build and deploy PHP app to Azure Web App + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to your application's name + AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root + PHP_VERSION: '10.x' # set this to the PHP version to use + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Setup PHP + uses: shivammathur/setup-php@v2 + with: + php-version: ${{ env.PHP_VERSION }} + + - name: Check if composer.json exists + id: check_files + uses: andstor/file-existence-action@v1 + with: + files: 'composer.json' + + - name: Run composer install if composer.json exists + if: steps.check_files.outputs.files_exists == 'true' + run: composer validate --no-check-publish && composer install --prefer-dist --no-progress + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v2 + with: + name: php-app + path: . + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: php-app + + - name: 'Deploy to Azure Web App' + uses: azure/webapps-deploy@v2 + id: deploy-to-webapp + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: . diff --git a/deployments/dummy-azure-webapps-python.yml b/deployments/dummy-azure-webapps-python.yml new file mode 100644 index 0000000..7ad005e --- /dev/null +++ b/deployments/dummy-azure-webapps-python.yml @@ -0,0 +1,66 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# More GitHub Actions for Azure: https://github.com/Azure/actions +# More info on Python, GitHub Actions, and Azure App Service: https://aka.ms/python-webapps-actions + +name: Build and deploy Python app to Azure Web App + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + PYTHON_VERSION: '3.8' # set this to the Python version to use + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Set up Python version + uses: actions/setup-python@v2.2.2 + with: + python-version: ${{ env.PYTHON_VERSION }} + + - name: Create and start virtual environment + run: | + python -m venv venv + source venv/bin/activate + + - name: Install dependencies + run: pip install -r requirements.txt + + # Optional: Add step to run tests here (PyTest, Django test suites, etc.) + + - name: Upload artifact for deployment jobs + uses: actions/upload-artifact@v2 + with: + name: python-app + path: | + . + !venv/ + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: python-app + path: . + + - name: 'Deploy to Azure Web App' + uses: azure/webapps-deploy@v2 + id: deploy-to-webapp + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} diff --git a/deployments/properties/dummy-azure-webapps-container.properties.json b/deployments/properties/dummy-azure-webapps-container.properties.json new file mode 100644 index 0000000..fcd62b2 --- /dev/null +++ b/deployments/properties/dummy-azure-webapps-container.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy a container to an Azure Web App", + "description": "Build a container and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Dockerfile"] +} diff --git a/deployments/properties/dummy-azure-webapps-dotnet-core.properties.json b/deployments/properties/dummy-azure-webapps-dotnet-core.properties.json new file mode 100644 index 0000000..9074a2a --- /dev/null +++ b/deployments/properties/dummy-azure-webapps-dotnet-core.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy a .NET Core app to an Azure Web App", + "description": "Build a .NET Core project and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "C#", "dotNetCore"] +} diff --git a/deployments/properties/dummy-azure-webapps-java-jar.properties.json b/deployments/properties/dummy-azure-webapps-java-jar.properties.json new file mode 100644 index 0000000..6654463 --- /dev/null +++ b/deployments/properties/dummy-azure-webapps-java-jar.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy a Java .jar app to an Azure Web App", + "description": "Build a Java project and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Java"] +} diff --git a/deployments/properties/azure.properties.json b/deployments/properties/dummy-azure-webapps-node.properties.json similarity index 73% rename from deployments/properties/azure.properties.json rename to deployments/properties/dummy-azure-webapps-node.properties.json index 90a3717..905267e 100644 --- a/deployments/properties/azure.properties.json +++ b/deployments/properties/dummy-azure-webapps-node.properties.json @@ -3,5 +3,5 @@ "description": "Build a Node.js project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "JavaScript", "npm"] + "categories": ["Deployment", "JavaScript", "TypeScript", "npm"] } \ No newline at end of file diff --git a/deployments/properties/dummy-azure-webapps-php.properties.json b/deployments/properties/dummy-azure-webapps-php.properties.json new file mode 100644 index 0000000..48554de --- /dev/null +++ b/deployments/properties/dummy-azure-webapps-php.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy a PHP app to an Azure Web App", + "description": "Build a PHP app and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "PHP"] +} diff --git a/deployments/properties/dummy-azure-webapps-python.properties.json b/deployments/properties/dummy-azure-webapps-python.properties.json new file mode 100644 index 0000000..73f0cf5 --- /dev/null +++ b/deployments/properties/dummy-azure-webapps-python.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy a Python app to an Azure Web App", + "description": "Build a Python app and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Python"] +} From c0fe29b09da4d6c929909465c322ce67c7cf7a94 Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Mon, 25 Oct 2021 22:06:21 +0530 Subject: [PATCH 031/110] Added Azure Id template back. (#1195) * Rename "azure.yml" to Node-specific name * Add templates and properties for other languages * Add workflow for .NET Core * Add workflow and properties file for PHP * Updates from PR review * Fix EOF * Use latest versions * Renamed the file appropriately. * Put the azure file back. * Added azure back. Co-authored-by: Jason Freeberg --- deployments/{dummy-azure-webapps-node.yml => azure.yml} | 0 ...y-azure-webapps-node.properties.json => azure.properties.json} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename deployments/{dummy-azure-webapps-node.yml => azure.yml} (100%) rename deployments/properties/{dummy-azure-webapps-node.properties.json => azure.properties.json} (100%) diff --git a/deployments/dummy-azure-webapps-node.yml b/deployments/azure.yml similarity index 100% rename from deployments/dummy-azure-webapps-node.yml rename to deployments/azure.yml diff --git a/deployments/properties/dummy-azure-webapps-node.properties.json b/deployments/properties/azure.properties.json similarity index 100% rename from deployments/properties/dummy-azure-webapps-node.properties.json rename to deployments/properties/azure.properties.json From 767ba11df2322f72416beb52046b83f6d626a5bd Mon Sep 17 00:00:00 2001 From: Simona Cotin Date: Tue, 26 Oct 2021 13:15:05 +0200 Subject: [PATCH 032/110] update action version to v1 --- deployments/azure-staticwebapp.yml | 2 +- deployments/properties/azure-staticwebapp.properties.json | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml index d170d57..8e1faf7 100644 --- a/deployments/azure-staticwebapp.yml +++ b/deployments/azure-staticwebapp.yml @@ -58,7 +58,7 @@ jobs: steps: - name: Close Pull Request id: closepullrequest - uses: Azure/static-web-apps-deploy@latest + uses: Azure/static-web-apps-deploy@v1 with: azure_static_web_apps_api_token: ${{ env.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing api token for app action: "close" diff --git a/deployments/properties/azure-staticwebapp.properties.json b/deployments/properties/azure-staticwebapp.properties.json index 8bc5f6a..a2552b0 100644 --- a/deployments/properties/azure-staticwebapp.properties.json +++ b/deployments/properties/azure-staticwebapp.properties.json @@ -3,5 +3,5 @@ "description": "Build and deploy web application to an Azure Static Web App.", "creator": "Microsoft Azure", "iconName": "azure-staticwebapp", - "categories": ["Deployment", "React", "Angular", "Vue", "Svelte", "Gatsby", "Next", "Nuxt", "Jekyll"] -} \ No newline at end of file + "categories": ["Deployment", "React", "Angular", "Vue", "Svelte", "Gatsby", "Next", "Nuxt", "Jekyll", "Blazor"] +} From 3893e3d7c85c519d9c6125372276812811dbac3b Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 27 Oct 2021 12:20:09 -0700 Subject: [PATCH 033/110] Add setup instructions to the top --- deployments/azure-webapps-container.yml | 20 ++++++++++++++-- deployments/azure-webapps-dotnet-core.yml | 23 ++++++++++++++++--- deployments/azure-webapps-java-jar.yml | 20 ++++++++++++++-- deployments/azure-webapps-node.yml | 25 ++++++++++++-------- deployments/azure-webapps-php.yml | 28 ++++++++++++++++++----- deployments/azure-webapps-python.yml | 23 +++++++++++++++---- 6 files changed, 112 insertions(+), 27 deletions(-) diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-webapps-container.yml index 66c49d8..18cc860 100644 --- a/deployments/azure-webapps-container.yml +++ b/deployments/azure-webapps-container.yml @@ -1,5 +1,21 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions +# This workflow will build and push a Docker container to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. +# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples name: Build and deploy a container to an Azure Web App diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 9948969..656136c 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -1,10 +1,27 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions +# This workflow will build and push a .NET Core app to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and DOTNET_VERSION environment variables below. +# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples name: Build and deploy ASP.Net Core app to an Azure Web App env: AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root DOTNET_VERSION: '5' # set this to the .NET Core version to use on: @@ -56,4 +73,4 @@ jobs: with: app-name: ${{ env.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: . + package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 45ec6f8..48e9e88 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -1,5 +1,21 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions +# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the JAVA_VERSION environment variable below. +# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples name: Build and deploy JAR app to Azure Web App diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index f3221c2..8c80255 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -1,23 +1,27 @@ -# This workflow will build and push a node.js application to an Azure Web App when a release is created. +# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/azure/app-service/app-service-plan-manage#create-an-app-service-plan +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli # # To configure this workflow: # -# 1. For Linux apps, add an app setting called WEBSITE_WEBDEPLOY_USE_SCM and set it to true in your app **before downloading the file**. -# For more instructions see: https://docs.microsoft.com/azure/app-service/configure-common#configure-app-settings +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials # -# 2. Set up a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE with the value of your Azure publish profile. +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. # For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret # -# 3. Change the values for the AZURE_WEBAPP_NAME, AZURE_WEBAPP_PACKAGE_PATH and NODE_VERSION environment variables (below). +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and NODE_VERSION environment variables below. # -# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions -# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples + on: - release: - types: [created] + push: + branches: + - $default-branch + workflow_dispatch: env: AZURE_WEBAPP_NAME: your-app-name # set this to your application's name @@ -61,6 +65,7 @@ jobs: name: node-app - name: 'Deploy to Azure WebApp' + id: deploy-to-webapp uses: azure/webapps-deploy@v2 with: app-name: ${{ env.AZURE_WEBAPP_NAME }} diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 936e0db..19af463 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -1,7 +1,23 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions +# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and PHP_VERSION environment variables below. +# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples -name: Build and deploy PHP app to Azure Web App - __sitename__ +name: Build and deploy PHP app to Azure Web App on: push: @@ -12,7 +28,7 @@ on: env: AZURE_WEBAPP_NAME: your-app-name # set this to your application's name AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - NODE_VERSION: '10.x' # set this to the PHP version to use + PHP_VERSION: '8.x' # set this to the PHP version to use jobs: build: @@ -24,7 +40,7 @@ jobs: - name: Setup PHP uses: shivammathur/setup-php@v2 with: - php-version: ${{ env.NODE_VERSION }} + php-version: ${{ env.PHP_VERSION }} - name: Check if composer.json exists id: check_files @@ -56,8 +72,8 @@ jobs: name: php-app - name: 'Deploy to Azure Web App' - uses: azure/webapps-deploy@v2 id: deploy-to-webapp + uses: azure/webapps-deploy@v2 with: app-name: ${{ env.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 7ad005e..208c8c1 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -1,6 +1,21 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions -# More info on Python, GitHub Actions, and Azure App Service: https://aka.ms/python-webapps-actions +# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and PYTHON_VERSION environment variables below. +# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples name: Build and deploy Python app to Azure Web App @@ -59,8 +74,8 @@ jobs: path: . - name: 'Deploy to Azure Web App' - uses: azure/webapps-deploy@v2 id: deploy-to-webapp + uses: azure/webapps-deploy@v2 with: app-name: ${{ env.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} From e176cd52cd2a6c5e8a5f15a500af05a40748416c Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 27 Oct 2021 12:20:29 -0700 Subject: [PATCH 034/110] Add more tech stack metadata to the properties files --- ...tnet-core.json => azure-webapps-dotnet-core.properties.json} | 0 deployments/properties/azure-webapps-java-jar.properties.json | 2 +- deployments/properties/azure-webapps-node.properties.json | 2 +- deployments/properties/azure-webapps-python.properties.json | 2 +- 4 files changed, 3 insertions(+), 3 deletions(-) rename deployments/properties/{azure-webapps-dotnet-core.json => azure-webapps-dotnet-core.properties.json} (100%) diff --git a/deployments/properties/azure-webapps-dotnet-core.json b/deployments/properties/azure-webapps-dotnet-core.properties.json similarity index 100% rename from deployments/properties/azure-webapps-dotnet-core.json rename to deployments/properties/azure-webapps-dotnet-core.properties.json diff --git a/deployments/properties/azure-webapps-java-jar.properties.json b/deployments/properties/azure-webapps-java-jar.properties.json index 6654463..289d95c 100644 --- a/deployments/properties/azure-webapps-java-jar.properties.json +++ b/deployments/properties/azure-webapps-java-jar.properties.json @@ -3,5 +3,5 @@ "description": "Build a Java project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "Java"] + "categories": ["Deployment", "Java", "Maven"] } diff --git a/deployments/properties/azure-webapps-node.properties.json b/deployments/properties/azure-webapps-node.properties.json index f24fd04..89a9542 100644 --- a/deployments/properties/azure-webapps-node.properties.json +++ b/deployments/properties/azure-webapps-node.properties.json @@ -3,5 +3,5 @@ "description": "Build a Node.js project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "Node"] + "categories": ["Deployment", "Javascript", "Typescript", "npm"] } diff --git a/deployments/properties/azure-webapps-python.properties.json b/deployments/properties/azure-webapps-python.properties.json index 73f0cf5..391af32 100644 --- a/deployments/properties/azure-webapps-python.properties.json +++ b/deployments/properties/azure-webapps-python.properties.json @@ -3,5 +3,5 @@ "description": "Build a Python app and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "Python"] + "categories": ["Deployment", "Python", "Django", "Flask", "Pip"] } From e1ca1f58becaa3ee88a3b990b3504f0010b3749d Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 27 Oct 2021 12:23:24 -0700 Subject: [PATCH 035/110] typos --- deployments/azure-webapps-container.yml | 2 +- .../properties/azure-webapps-dotnet-core.properties.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-webapps-container.yml index 18cc860..3fb2bbd 100644 --- a/deployments/azure-webapps-container.yml +++ b/deployments/azure-webapps-container.yml @@ -20,7 +20,7 @@ name: Build and deploy a container to an Azure Web App env: - AZURE_WEBAPP_NAME: '' # set this to the name of your Azure Web App + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App on: push: diff --git a/deployments/properties/azure-webapps-dotnet-core.properties.json b/deployments/properties/azure-webapps-dotnet-core.properties.json index 9074a2a..a9d5e20 100644 --- a/deployments/properties/azure-webapps-dotnet-core.properties.json +++ b/deployments/properties/azure-webapps-dotnet-core.properties.json @@ -3,5 +3,5 @@ "description": "Build a .NET Core project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "C#", "dotNetCore"] + "categories": ["Deployment", "C#", "aspNetCore"] } From c3c12f195022fed5b024d1c014e36f3370119723 Mon Sep 17 00:00:00 2001 From: Abir Majumdar Date: Wed, 27 Oct 2021 15:35:18 -0400 Subject: [PATCH 036/110] Adding pmd --- code-scanning/pmd.yml | 58 ++++++++++++++++++++ code-scanning/properties/pmd.properties.json | 19 +++++++ 2 files changed, 77 insertions(+) create mode 100644 code-scanning/pmd.yml create mode 100644 code-scanning/properties/pmd.properties.json diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml new file mode 100644 index 0000000..69596a4 --- /dev/null +++ b/code-scanning/pmd.yml @@ -0,0 +1,58 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: pmd + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + mobile-security: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Setup python + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: Run Full PMD Analysis on Apex Code + if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' + id: pmd-full-analysis + uses: abirismyname/pmd@master + with: + analyse-all-code: 'true' + pmd-version: 'latest' + file-path: './src' + rules-path: 'rulesets/apex/quickstart.xml' + + # - name: Run Full PMD Analysis on Java Code + # if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' + # id: pmd-full-analysis + # uses: abirismyname/pmd@master + # with: + # analyse-all-code: 'true' + # pmd-version: 'latest' + # file-path: './src' + # rules-path: 'rulesets/java/quickstart.xml' + + - name: Upload pmdscan report + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: pmd-output.sarif + + - name: No PMD Errors? + run: | + if ${{ steps.pmd-full-analysis.outputs.error-found }} ${{ steps.pmd-partial-analysis.outputs.error-found }} + then + exit 3 + fi diff --git a/code-scanning/properties/pmd.properties.json b/code-scanning/properties/pmd.properties.json new file mode 100644 index 0000000..8608022 --- /dev/null +++ b/code-scanning/properties/pmd.properties.json @@ -0,0 +1,19 @@ +{ + "name": "pmd", + "creator": "pmd", + "description": "PMD is a static source code analyzer. It finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth. It supports Java, JavaScript, Salesforce.com Apex and Visualforce, Modelica, PLSQL, Apache Velocity, XML, XSL, Scala.", + "iconName": "pmd", + "categories": [ + "Code Scanning", + "Java", + "JavaScript", + "Apex", + "Modelica", + "PLSQL", + "Apache Velocity", + "XML", + "XSl", + "Scala", + "Apex" + ] +} \ No newline at end of file From 1d8891efc2151b2290b1d93e8489f9b1f41bd047 Mon Sep 17 00:00:00 2001 From: rui Date: Thu, 28 Oct 2021 11:37:36 -0400 Subject: [PATCH 037/110] r: use setup-r@1 and include r@4 for starter (#1169) * r: use setup-r@1 and include r@4 for starter Signed-off-by: Rui Chen * use sha instead of tag for external action Co-authored-by: Josh Gross Co-authored-by: Josh Gross --- ci/r.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/r.yml b/ci/r.yml index f257fbd..305c2cf 100644 --- a/ci/r.yml +++ b/ci/r.yml @@ -19,12 +19,12 @@ jobs: runs-on: macos-latest strategy: matrix: - r-version: [3.5, 3.6] + r-version: ['3.6.3', '4.1.1'] steps: - uses: actions/checkout@v2 - name: Set up R ${{ matrix.r-version }} - uses: r-lib/actions/setup-r@ffe45a39586f073cc2e9af79c4ba563b657dc6e3 + uses: r-lib/actions/setup-r@f57f1301a053485946083d7a45022b278929a78a with: r-version: ${{ matrix.r-version }} - name: Install dependencies From de6c8cbcf0d4f8f40042d425fe053a22ac4beaa7 Mon Sep 17 00:00:00 2001 From: gambtho Date: Thu, 28 Oct 2021 22:58:17 -0400 Subject: [PATCH 038/110] add aks starter --- deployments/aks.yml | 76 ++++++++++++++++++++++ deployments/properties/aks.properties.json | 7 ++ 2 files changed, 83 insertions(+) create mode 100644 deployments/aks.yml create mode 100644 deployments/properties/aks.properties.json diff --git a/deployments/aks.yml b/deployments/aks.yml new file mode 100644 index 0000000..c235d28 --- /dev/null +++ b/deployments/aks.yml @@ -0,0 +1,76 @@ +# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code +# +# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# For instructions see https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal +# https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# +# To configure this workflow: +# +# 1. Set the following secrets in your repository: +# - AZURE_CREDENTIALS (instructions for getting this https://github.com/Azure/login#configure-a-service-principal-with-a-secret) +# +# 2. Set the following environment variables (or replace the values below): +# - AZURE_CONTAINER_REGISTRY (name of your container registry) +# - PROJECT_NAME +# - RESOURCE_GROUP (where your cluster is deployed) +# - CLUSTER_NAME (name of your AKS cluster) +# +# 3. Choose the approrpiate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes helm, then set +# any needed environment variables such as: +# - CHART_PATH +# - CHART_OVERRIDE_PATH +# +# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions +# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +# For more options with the actions used below please see the folllowing +# https://github.com/Azure/login +# https://github.com/Azure/aks-set-context +# https://github.com/marketplace/actions/azure-cli-action +# https://github.com/Azure/k8s-bake +# https://github.com/Azure/k8s-deploy + +on: [push] + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + + - name: Azure Login + uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Azure CLI script + uses: azure/CLI@v1 + with: + azcliversion: 2.29.1 + inlineScript: | + az configure --defaults acr=${{ env.AZURE_CONTAINER_REGISTRY }} + az acr build -t -t ${{ secrets.REGISTRY_URL }}/${{ env.PROJECT_NAME }}:${{ github.sha }} + + - uses: azure/aks-set-context@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + id: login + + - uses: azure/k8s-bake@v1 + with: + renderEngine: 'helm' + helmChart: ${{ env.CHART_PATH }} + overrideFiles: ${{ env.CHART_OVERRIDE_PATH }} + overrides: | + replicas:2 + helm-version: 'latest' + id: bake + + - uses: Azure/k8s-deploy@v1 + with: + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ secrets.REGISTRY_URL }}/${{ env.PROJECT_NAME }}:${{ github.sha }} + imagepullsecrets: | + ${{ env.PROJECT_NAME }} diff --git a/deployments/properties/aks.properties.json b/deployments/properties/aks.properties.json new file mode 100644 index 0000000..22c5550 --- /dev/null +++ b/deployments/properties/aks.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to a AKS Cluster", + "description": "Deploy an application to a Azure Kubernetes Service Cluster", + "creator": "Microsoft Azure", + "iconName": "aks", + "categories": ["Deployment", "AKS", "Kompose", "Helm", "Kustomize", "Kubernetes"] +} From 644f0a59aa2237d2a0917ed946edecf98b27db5a Mon Sep 17 00:00:00 2001 From: gambtho Date: Thu, 28 Oct 2021 23:05:42 -0400 Subject: [PATCH 039/110] step names and registry path --- deployments/aks.yml | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/deployments/aks.yml b/deployments/aks.yml index c235d28..65e3782 100644 --- a/deployments/aks.yml +++ b/deployments/aks.yml @@ -42,22 +42,24 @@ jobs: with: creds: ${{ secrets.AZURE_CREDENTIALS }} - - name: Azure CLI script + - name: Build image on ACR uses: azure/CLI@v1 with: azcliversion: 2.29.1 inlineScript: | - az configure --defaults acr=${{ env.AZURE_CONTAINER_REGISTRY }} - az acr build -t -t ${{ secrets.REGISTRY_URL }}/${{ env.PROJECT_NAME }}:${{ github.sha }} + az configure --defaults acr=${{ env.AZURE_CONTAINER_REGISTRY }} + az acr build -t -t ${{ secrets.REGISTRY_URL }}/${{ env.PROJECT_NAME }}:${{ github.sha }} - - uses: azure/aks-set-context@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} - id: login + - name: Gets K8s context + uses: azure/aks-set-context@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + id: login - - uses: azure/k8s-bake@v1 + - name: Configure deployment + uses: azure/k8s-bake@v1 with: renderEngine: 'helm' helmChart: ${{ env.CHART_PATH }} @@ -67,10 +69,11 @@ jobs: helm-version: 'latest' id: bake + - name: Deploys application - uses: Azure/k8s-deploy@v1 with: manifests: ${{ steps.bake.outputs.manifestsBundle }} images: | - ${{ secrets.REGISTRY_URL }}/${{ env.PROJECT_NAME }}:${{ github.sha }} + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }} imagepullsecrets: | ${{ env.PROJECT_NAME }} From cde6fc6c141cfaa1441a95bbb8b7bbf53065b977 Mon Sep 17 00:00:00 2001 From: Tom Gamble Date: Mon, 1 Nov 2021 09:41:55 -0400 Subject: [PATCH 040/110] Update aks.properties.json --- deployments/properties/aks.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployments/properties/aks.properties.json b/deployments/properties/aks.properties.json index 22c5550..a5c9f63 100644 --- a/deployments/properties/aks.properties.json +++ b/deployments/properties/aks.properties.json @@ -2,6 +2,6 @@ "name": "Deploy to a AKS Cluster", "description": "Deploy an application to a Azure Kubernetes Service Cluster", "creator": "Microsoft Azure", - "iconName": "aks", + "iconName": "azure", "categories": ["Deployment", "AKS", "Kompose", "Helm", "Kustomize", "Kubernetes"] } From 69f26d5fd6ff080f5e949cde398a9f46270ef32a Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 3 Nov 2021 17:58:38 -0700 Subject: [PATCH 041/110] Copy/paste error --- deployments/azure-webapps-java-jar.yml | 2 +- deployments/azure-webapps-php.yml | 2 +- deployments/azure-webapps-python.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 48e9e88..edb630e 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -1,4 +1,4 @@ -# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch. +# This workflow will build and push a Java application to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. # For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 19af463..0be746f 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -1,4 +1,4 @@ -# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch. +# This workflow will build and push a PHP application to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. # For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 208c8c1..6cb093b 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -1,4 +1,4 @@ -# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch. +# This workflow will build and push a Python application to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. # For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli From a561392dff9de9a2623fb6de09e74b551e5d451e Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 3 Nov 2021 18:02:06 -0700 Subject: [PATCH 042/110] Update azure-webapps-container.yml --- deployments/azure-webapps-container.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-webapps-container.yml index 3fb2bbd..823a36f 100644 --- a/deployments/azure-webapps-container.yml +++ b/deployments/azure-webapps-container.yml @@ -39,7 +39,7 @@ jobs: uses: docker/setup-buildx-action@v1 - name: Log in to GitHub container registry - uses: docker/login-action@v1 + uses: docker/login-action@v1.10.0 with: registry: ghcr.io username: ${{ github.actor }} From 5354877aa04d5e0970f648f356bc9d9f0a9c94b7 Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 3 Nov 2021 18:10:02 -0700 Subject: [PATCH 043/110] enable caching --- deployments/azure-webapps-java-jar.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index edb630e..e533f3f 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -40,6 +40,7 @@ jobs: uses: actions/setup-java@v2.3.1 with: java-version: ${{ env.JAVA_VERSION }} + cache: 'maven' - name: Build with Maven run: mvn clean install From 56c93ff7521bd818b4186cd504aba6e2b7b42643 Mon Sep 17 00:00:00 2001 From: rui Date: Mon, 8 Nov 2021 11:14:50 -0500 Subject: [PATCH 044/110] elixir: refresh dependencies (#1212) - setup action got renamed into `setup-beam` - update elixir and erlang versions --- ci/elixir.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/elixir.yml b/ci/elixir.yml index 3f64657..afe01be 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -15,10 +15,10 @@ jobs: steps: - uses: actions/checkout@v2 - name: Set up Elixir - uses: erlef/setup-elixir@885971a72ed1f9240973bd92ab57af8c1aa68f24 + uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f with: - elixir-version: '1.10.3' # Define the elixir version [required] - otp-version: '22.3' # Define the OTP version [required] + elixir-version: '1.12.3' # Define the elixir version [required] + otp-version: '24.1' # Define the OTP version [required] - name: Restore dependencies cache uses: actions/cache@v2 with: From d739e93e5ea8b39749d14c9c60f0002c99a0f924 Mon Sep 17 00:00:00 2001 From: Tom Gamble Date: Tue, 9 Nov 2021 07:01:43 -0500 Subject: [PATCH 045/110] Update aks.properties.json --- deployments/properties/aks.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployments/properties/aks.properties.json b/deployments/properties/aks.properties.json index a5c9f63..a510f3e 100644 --- a/deployments/properties/aks.properties.json +++ b/deployments/properties/aks.properties.json @@ -3,5 +3,5 @@ "description": "Deploy an application to a Azure Kubernetes Service Cluster", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "AKS", "Kompose", "Helm", "Kustomize", "Kubernetes"] + "categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes"] } From 50fcc151be4d81289d1e466265954becdd3cb56f Mon Sep 17 00:00:00 2001 From: Tom Gamble Date: Fri, 12 Nov 2021 07:11:40 -0500 Subject: [PATCH 046/110] Update aks.properties.json --- deployments/properties/aks.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/properties/aks.properties.json b/deployments/properties/aks.properties.json index a510f3e..a228aa2 100644 --- a/deployments/properties/aks.properties.json +++ b/deployments/properties/aks.properties.json @@ -1,7 +1,7 @@ { "name": "Deploy to a AKS Cluster", - "description": "Deploy an application to a Azure Kubernetes Service Cluster", + "description": "Deploy an application to a Azure Kubernetes Service Cluster using Azure Credentials", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes"] + "categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes, "Dockerfile"] } From 2f7dd7431854932290267a5ff770cd41b633e231 Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Mon, 15 Nov 2021 13:40:30 +0530 Subject: [PATCH 047/110] Dummy azure templates (#1249) * Rename "azure.yml" to Node-specific name * Add templates and properties for other languages * Add workflow for .NET Core * Add workflow and properties file for PHP * Updates from PR review * Fix EOF * Use latest versions * Renamed the file appropriately. * Put the azure file back. * Added azure back. * Revert "Dummy azure templates for showcasing the CD Ordering Behavior (#1194)" This reverts commit 9ce2a5b56fdbf317dc8c33602b79858e9ecd8077. Co-authored-by: Jason Freeberg --- deployments/azure.yml | 30 ++------- deployments/dummy-azure-webapps-container.yml | 59 ----------------- .../dummy-azure-webapps-dotnet-core.yml | 59 ----------------- deployments/dummy-azure-webapps-java-jar.yml | 56 ---------------- deployments/dummy-azure-webapps-php.yml | 64 ------------------ deployments/dummy-azure-webapps-python.yml | 66 ------------------- deployments/properties/azure.properties.json | 2 +- ...my-azure-webapps-container.properties.json | 7 -- ...-azure-webapps-dotnet-core.properties.json | 7 -- ...mmy-azure-webapps-java-jar.properties.json | 7 -- .../dummy-azure-webapps-php.properties.json | 7 -- ...dummy-azure-webapps-python.properties.json | 7 -- 12 files changed, 7 insertions(+), 364 deletions(-) delete mode 100644 deployments/dummy-azure-webapps-container.yml delete mode 100644 deployments/dummy-azure-webapps-dotnet-core.yml delete mode 100644 deployments/dummy-azure-webapps-java-jar.yml delete mode 100644 deployments/dummy-azure-webapps-php.yml delete mode 100644 deployments/dummy-azure-webapps-python.yml delete mode 100644 deployments/properties/dummy-azure-webapps-container.properties.json delete mode 100644 deployments/properties/dummy-azure-webapps-dotnet-core.properties.json delete mode 100644 deployments/properties/dummy-azure-webapps-java-jar.properties.json delete mode 100644 deployments/properties/dummy-azure-webapps-php.properties.json delete mode 100644 deployments/properties/dummy-azure-webapps-python.properties.json diff --git a/deployments/azure.yml b/deployments/azure.yml index 62f7a8f..904ff25 100644 --- a/deployments/azure.yml +++ b/deployments/azure.yml @@ -26,41 +26,23 @@ env: NODE_VERSION: '10.x' # set this to the node version to use jobs: - build: + build-and-deploy: + name: Build and Deploy runs-on: ubuntu-latest + environment: production steps: - uses: actions/checkout@v2 - - - name: Set up Node.js + - name: Use Node.js ${{ env.NODE_VERSION }} uses: actions/setup-node@v2 with: node-version: ${{ env.NODE_VERSION }} - - name: npm install, build, and test run: | + # Build and test the project, then + # deploy to Azure Web App. npm install npm run build --if-present npm run test --if-present - - - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 - with: - name: node-app - path: . - - deploy: - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - - steps: - - name: Download artifact from build job - uses: actions/download-artifact@v2 - with: - name: node-app - - name: 'Deploy to Azure WebApp' uses: azure/webapps-deploy@v2 with: diff --git a/deployments/dummy-azure-webapps-container.yml b/deployments/dummy-azure-webapps-container.yml deleted file mode 100644 index 66c49d8..0000000 --- a/deployments/dummy-azure-webapps-container.yml +++ /dev/null @@ -1,59 +0,0 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions - -name: Build and deploy a container to an Azure Web App - -env: - AZURE_WEBAPP_NAME: '' # set this to the name of your Azure Web App - -on: - push: - branches: - - $default-branch - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - - name: Log in to GitHub container registry - uses: docker/login-action@v1 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Lowercase the repo name - run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} - - - name: Build and push container image to registry - uses: docker/build-push-action@v2 - with: - push: true - tags: ghcr.io/${{ env.REPO }}:${{ github.sha }} - file: ./Dockerfile - - deploy: - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - - steps: - - name: Lowercase the repo name - run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} - - - name: Deploy to Azure Web App - id: deploy-to-webapp - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}' diff --git a/deployments/dummy-azure-webapps-dotnet-core.yml b/deployments/dummy-azure-webapps-dotnet-core.yml deleted file mode 100644 index 9948969..0000000 --- a/deployments/dummy-azure-webapps-dotnet-core.yml +++ /dev/null @@ -1,59 +0,0 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions - -name: Build and deploy ASP.Net Core app to an Azure Web App - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App - DOTNET_VERSION: '5' # set this to the .NET Core version to use - -on: - push: - branches: - - $default-branch - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - - name: Set up .NET Core - uses: actions/setup-dotnet@v1 - with: - dotnet-version: ${{ env.DOTNET_VERSION }} - - - name: Build with dotnet - run: dotnet build --configuration Release - - - name: dotnet publish - run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp - - - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 - with: - name: .net-app - path: ${{env.DOTNET_ROOT}}/myapp - - deploy: - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - - steps: - - name: Download artifact from build job - uses: actions/download-artifact@v2 - with: - name: .net-app - - - name: Deploy to Azure Web App - id: deploy-to-webapp - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: . diff --git a/deployments/dummy-azure-webapps-java-jar.yml b/deployments/dummy-azure-webapps-java-jar.yml deleted file mode 100644 index 45ec6f8..0000000 --- a/deployments/dummy-azure-webapps-java-jar.yml +++ /dev/null @@ -1,56 +0,0 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions - -name: Build and deploy JAR app to Azure Web App - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App - JAVA_VERSION: '11' # set this to the Java version to use - -on: - push: - branches: - - $default-branch - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - - name: Set up Java version - uses: actions/setup-java@v2.3.1 - with: - java-version: ${{ env.JAVA_VERSION }} - - - name: Build with Maven - run: mvn clean install - - - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 - with: - name: java-app - path: '${{ github.workspace }}/target/*.jar' - - deploy: - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - - steps: - - name: Download artifact from build job - uses: actions/download-artifact@v2 - with: - name: java-app - - - name: Deploy to Azure Web App - id: deploy-to-webapp - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: '*.jar' diff --git a/deployments/dummy-azure-webapps-php.yml b/deployments/dummy-azure-webapps-php.yml deleted file mode 100644 index 5862766..0000000 --- a/deployments/dummy-azure-webapps-php.yml +++ /dev/null @@ -1,64 +0,0 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions - -name: Build and deploy PHP app to Azure Web App - -on: - push: - branches: - - $default-branch - workflow_dispatch: - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - PHP_VERSION: '10.x' # set this to the PHP version to use - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - - name: Setup PHP - uses: shivammathur/setup-php@v2 - with: - php-version: ${{ env.PHP_VERSION }} - - - name: Check if composer.json exists - id: check_files - uses: andstor/file-existence-action@v1 - with: - files: 'composer.json' - - - name: Run composer install if composer.json exists - if: steps.check_files.outputs.files_exists == 'true' - run: composer validate --no-check-publish && composer install --prefer-dist --no-progress - - - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 - with: - name: php-app - path: . - - deploy: - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - - steps: - - name: Download artifact from build job - uses: actions/download-artifact@v2 - with: - name: php-app - - - name: 'Deploy to Azure Web App' - uses: azure/webapps-deploy@v2 - id: deploy-to-webapp - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: . diff --git a/deployments/dummy-azure-webapps-python.yml b/deployments/dummy-azure-webapps-python.yml deleted file mode 100644 index 7ad005e..0000000 --- a/deployments/dummy-azure-webapps-python.yml +++ /dev/null @@ -1,66 +0,0 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# More GitHub Actions for Azure: https://github.com/Azure/actions -# More info on Python, GitHub Actions, and Azure App Service: https://aka.ms/python-webapps-actions - -name: Build and deploy Python app to Azure Web App - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App - PYTHON_VERSION: '3.8' # set this to the Python version to use - -on: - push: - branches: - - $default-branch - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - - name: Set up Python version - uses: actions/setup-python@v2.2.2 - with: - python-version: ${{ env.PYTHON_VERSION }} - - - name: Create and start virtual environment - run: | - python -m venv venv - source venv/bin/activate - - - name: Install dependencies - run: pip install -r requirements.txt - - # Optional: Add step to run tests here (PyTest, Django test suites, etc.) - - - name: Upload artifact for deployment jobs - uses: actions/upload-artifact@v2 - with: - name: python-app - path: | - . - !venv/ - - deploy: - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - - steps: - - name: Download artifact from build job - uses: actions/download-artifact@v2 - with: - name: python-app - path: . - - - name: 'Deploy to Azure Web App' - uses: azure/webapps-deploy@v2 - id: deploy-to-webapp - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} diff --git a/deployments/properties/azure.properties.json b/deployments/properties/azure.properties.json index 905267e..90a3717 100644 --- a/deployments/properties/azure.properties.json +++ b/deployments/properties/azure.properties.json @@ -3,5 +3,5 @@ "description": "Build a Node.js project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "JavaScript", "TypeScript", "npm"] + "categories": ["Deployment", "JavaScript", "npm"] } \ No newline at end of file diff --git a/deployments/properties/dummy-azure-webapps-container.properties.json b/deployments/properties/dummy-azure-webapps-container.properties.json deleted file mode 100644 index fcd62b2..0000000 --- a/deployments/properties/dummy-azure-webapps-container.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Deploy a container to an Azure Web App", - "description": "Build a container and deploy it to an Azure Web App.", - "creator": "Microsoft Azure", - "iconName": "azure", - "categories": ["Deployment", "Dockerfile"] -} diff --git a/deployments/properties/dummy-azure-webapps-dotnet-core.properties.json b/deployments/properties/dummy-azure-webapps-dotnet-core.properties.json deleted file mode 100644 index 9074a2a..0000000 --- a/deployments/properties/dummy-azure-webapps-dotnet-core.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Deploy a .NET Core app to an Azure Web App", - "description": "Build a .NET Core project and deploy it to an Azure Web App.", - "creator": "Microsoft Azure", - "iconName": "azure", - "categories": ["Deployment", "C#", "dotNetCore"] -} diff --git a/deployments/properties/dummy-azure-webapps-java-jar.properties.json b/deployments/properties/dummy-azure-webapps-java-jar.properties.json deleted file mode 100644 index 6654463..0000000 --- a/deployments/properties/dummy-azure-webapps-java-jar.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Deploy a Java .jar app to an Azure Web App", - "description": "Build a Java project and deploy it to an Azure Web App.", - "creator": "Microsoft Azure", - "iconName": "azure", - "categories": ["Deployment", "Java"] -} diff --git a/deployments/properties/dummy-azure-webapps-php.properties.json b/deployments/properties/dummy-azure-webapps-php.properties.json deleted file mode 100644 index 48554de..0000000 --- a/deployments/properties/dummy-azure-webapps-php.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Deploy a PHP app to an Azure Web App", - "description": "Build a PHP app and deploy it to an Azure Web App.", - "creator": "Microsoft Azure", - "iconName": "azure", - "categories": ["Deployment", "PHP"] -} diff --git a/deployments/properties/dummy-azure-webapps-python.properties.json b/deployments/properties/dummy-azure-webapps-python.properties.json deleted file mode 100644 index 73f0cf5..0000000 --- a/deployments/properties/dummy-azure-webapps-python.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Deploy a Python app to an Azure Web App", - "description": "Build a Python app and deploy it to an Azure Web App.", - "creator": "Microsoft Azure", - "iconName": "azure", - "categories": ["Deployment", "Python"] -} From b1b3ae86ee9db474a243c896fea923eeae001d79 Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Mon, 15 Nov 2021 13:47:17 +0530 Subject: [PATCH 048/110] Sync partner_templates with the main Branch. (#1250) * Added Cloudrail according to instructions and existing examples * Adding Cloudrail according to documentation and examples * Oops * Add original Fortify on Demand workflow * Update Fortify on Demand workflow * Update Fortify on Demand supported languages * Add 3rd-party GitHub Actions disclaimer * Sysdig Secure Inline Scan with SARIF report to starter workflows * Added some extra comments, Github Actions V2 and changed env vars * Reviews from PR #1110 * Adding 'Dockerfile' to category list * Update according to PR review comments * File renames as requested in PR comments * Revert "Azure Data Factory CI starter workflow (#1111)" (#1146) This reverts commit 7f30309ccedb0e3dee186e0ee58c232752a78e24. * use env variables for user-set values (#1117) Co-authored-by: Josh Gross * Apply suggestions from nickfyson's code review Co-authored-by: Nick Fyson * removing "deployment" templates from sync-ghes (#1127) * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Changed svg logo * Rename sysdig.svg to sysdig-scan.svg * Switched svg logo (again) for a better fit * Rename fortify.json to fortify.properties.json * Correct character-case of "c" in Cloudrail * AWS template also used Docker * trigger on push instead of release (#1157) Co-authored-by: Josh Gross * Adding MobSF starter workflow * Adhering to pull request guidelines * python: update to use python 3.10 Signed-off-by: Rui Chen * Added new templates for 3 clouds. * Revert "Added new templates for 3 clouds." This reverts commit c765d6316fb380d15d81206ede83b0042cdac377. * Add ruby and update workflow * Add workflow for Microsoft C++ Code Analysis * Updated action to meet guidelines * quote the version strings * correct typo in msvc.properties.json * Update codeql.properties.json * Update code-scanning/properties/codeql.properties.json Co-authored-by: Arthur Baars * Update codeql.properties.json * Update codeql.properties.json * Update code-scanning/mobsf.yml Co-authored-by: Nick Fyson * Update code-scanning/properties/mobsf.properties.json Co-authored-by: Nick Fyson * Fixed typo in workflow that will cause every run to fail * Update commit SHA * r: use setup-r@1 and include r@4 for starter (#1169) * r: use setup-r@1 and include r@4 for starter Signed-off-by: Rui Chen * use sha instead of tag for external action Co-authored-by: Josh Gross Co-authored-by: Josh Gross * elixir: refresh dependencies (#1212) - setup action got renamed into `setup-beam` - update elixir and erlang versions Co-authored-by: Yoni Leitersdorf Co-authored-by: Ruud Senden Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com> Co-authored-by: Manuel Boira Cuevas Co-authored-by: manuelbcd Co-authored-by: Nick Fyson Co-authored-by: Sarah Edwards Co-authored-by: Josh Gross Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Co-authored-by: manuelbcd Co-authored-by: Abir Majumdar Co-authored-by: Rui Chen Co-authored-by: David Verdeguer Co-authored-by: Daniel Winsor Co-authored-by: David Verdeguer <47184891+Daverlo@users.noreply.github.com> Co-authored-by: Arthur Baars Co-authored-by: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Co-authored-by: Marco Gario Co-authored-by: Andy McKay --- ci/elixir.yml | 6 +- ci/pylint.yml | 9 +- ci/python-app.yml | 4 +- ci/python-package-conda.yml | 4 +- ci/python-package.yml | 2 +- ci/r.yml | 4 +- code-scanning/codeql.yml | 3 +- code-scanning/mobsf.yml | 36 ++++++ code-scanning/msvc.yml | 6 +- .../properties/codeql.properties.json | 4 +- .../properties/mobsf.properties.json | 13 ++ icons/mobsf.svg | 114 ++++++++++++++++++ 12 files changed, 184 insertions(+), 21 deletions(-) create mode 100644 code-scanning/mobsf.yml create mode 100644 code-scanning/properties/mobsf.properties.json create mode 100644 icons/mobsf.svg diff --git a/ci/elixir.yml b/ci/elixir.yml index 3f64657..afe01be 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -15,10 +15,10 @@ jobs: steps: - uses: actions/checkout@v2 - name: Set up Elixir - uses: erlef/setup-elixir@885971a72ed1f9240973bd92ab57af8c1aa68f24 + uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f with: - elixir-version: '1.10.3' # Define the elixir version [required] - otp-version: '22.3' # Define the OTP version [required] + elixir-version: '1.12.3' # Define the elixir version [required] + otp-version: '24.1' # Define the OTP version [required] - name: Restore dependencies cache uses: actions/cache@v2 with: diff --git a/ci/pylint.yml b/ci/pylint.yml index 0805af7..10c49c6 100644 --- a/ci/pylint.yml +++ b/ci/pylint.yml @@ -4,15 +4,16 @@ on: [push] jobs: build: - runs-on: ubuntu-latest - + strategy: + matrix: + python-version: ["3.8", "3.9", "3.10"] steps: - uses: actions/checkout@v2 - - name: Set up Python 3.9 + - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v2 with: - python-version: 3.9 + python-version: ${{ matrix.python-version }} - name: Install dependencies run: | python -m pip install --upgrade pip diff --git a/ci/python-app.yml b/ci/python-app.yml index f6ad69a..2cfc2a3 100644 --- a/ci/python-app.yml +++ b/ci/python-app.yml @@ -16,10 +16,10 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up Python 3.9 + - name: Set up Python 3.10 uses: actions/setup-python@v2 with: - python-version: 3.9 + python-version: "3.10" - name: Install dependencies run: | python -m pip install --upgrade pip diff --git a/ci/python-package-conda.yml b/ci/python-package-conda.yml index 7bae7e2..9bd6d2b 100644 --- a/ci/python-package-conda.yml +++ b/ci/python-package-conda.yml @@ -10,10 +10,10 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up Python 3.8 + - name: Set up Python 3.10 uses: actions/setup-python@v2 with: - python-version: 3.8 + python-version: 3.10 - name: Add conda to system path run: | # $CONDA is an environment variable pointing to the root of the miniconda directory diff --git a/ci/python-package.yml b/ci/python-package.yml index b079b1c..b0a63cf 100644 --- a/ci/python-package.yml +++ b/ci/python-package.yml @@ -16,7 +16,7 @@ jobs: strategy: fail-fast: false matrix: - python-version: [3.7, 3.8, 3.9] + python-version: ["3.8", "3.9", "3.10"] steps: - uses: actions/checkout@v2 diff --git a/ci/r.yml b/ci/r.yml index f257fbd..305c2cf 100644 --- a/ci/r.yml +++ b/ci/r.yml @@ -19,12 +19,12 @@ jobs: runs-on: macos-latest strategy: matrix: - r-version: [3.5, 3.6] + r-version: ['3.6.3', '4.1.1'] steps: - uses: actions/checkout@v2 - name: Set up R ${{ matrix.r-version }} - uses: r-lib/actions/setup-r@ffe45a39586f073cc2e9af79c4ba563b657dc6e3 + uses: r-lib/actions/setup-r@f57f1301a053485946083d7a45022b278929a78a with: r-version: ${{ matrix.r-version }} - name: Install dependencies diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index b32675e..57b4b69 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -34,8 +34,7 @@ jobs: matrix: language: [ $detected-codeql-languages ] # CodeQL supports [ $supported-codeql-languages ] - # Learn more: - # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed + # Learn more about CodeQL language support at https://git.io/codeql-language-support steps: - name: Checkout repository diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml new file mode 100644 index 0000000..689a1a0 --- /dev/null +++ b/code-scanning/mobsf.yml @@ -0,0 +1,36 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: MobSF + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + mobile-security: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Setup python + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: Run mobsfscan + uses: MobSF/mobsfscan@a60d10a83af68e23e0b30611c6515da604f06f65 + with: + args: . --sarif --output results.sarif || true + + - name: Upload mobsfscan report + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif \ No newline at end of file diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index c6bb29f..f14ae3e 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -37,13 +37,13 @@ jobs: # run: cmake --build ${{ env.build }} - name: Initialize MSVC Code Analysis - uses: microsoft/msvc-code-analysis-action@502db28262ba134c9a621d5a509b9f7e696c99b6 + uses: microsoft/msvc-code-analysis-action@04825f6d9e00f87422d6bf04e1a38b1f3ed60d99 # Provide a unique ID to access the sarif output path id: run-analysis with: cmakeBuildDirectory: ${{ env.build }} # Ruleset file that will determine what checks will be run - ruleset: NativeRecommendRules.ruleset + ruleset: NativeRecommendedRules.ruleset # Upload SARIF file to GitHub Code Scanning Alerts - name: Upload SARIF to GitHub @@ -56,4 +56,4 @@ jobs: # uses: actions/upload-artifact@v2 # with: # name: sarif-file - # path: ${{ steps.run-analysis.outputs.sarif }} + # path: ${{ steps.run-analysis.outputs.sarif }} \ No newline at end of file diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index cb9305a..ddb4627 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -1,7 +1,7 @@ { "name": "CodeQL Analysis", "creator": "GitHub", - "description": "Security analysis from GitHub for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.", + "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.", "iconName": "octicon mark-github", - "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python"] + "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"] } diff --git a/code-scanning/properties/mobsf.properties.json b/code-scanning/properties/mobsf.properties.json new file mode 100644 index 0000000..a6afbfa --- /dev/null +++ b/code-scanning/properties/mobsf.properties.json @@ -0,0 +1,13 @@ +{ + "name": "mobsf", + "creator": "mobsf", + "description": "Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.", + "iconName": "mobsf", + "categories": [ + "Code Scanning", + "Java", + "Swift", + "Objective-C", + "Kotlin" + ] +} \ No newline at end of file diff --git a/icons/mobsf.svg b/icons/mobsf.svg new file mode 100644 index 0000000..46dd154 --- /dev/null +++ b/icons/mobsf.svg @@ -0,0 +1,114 @@ + + + + From 4f8abda415d1c6f0876a9a8060aba95a43d871ab Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Mon, 15 Nov 2021 18:03:36 +0530 Subject: [PATCH 049/110] Updated the azure properties file to the main branch version. (#1251) * Added Cloudrail according to instructions and existing examples * Adding Cloudrail according to documentation and examples * Oops * Add original Fortify on Demand workflow * Update Fortify on Demand workflow * Update Fortify on Demand supported languages * Add 3rd-party GitHub Actions disclaimer * Sysdig Secure Inline Scan with SARIF report to starter workflows * Added some extra comments, Github Actions V2 and changed env vars * Reviews from PR #1110 * Adding 'Dockerfile' to category list * Update according to PR review comments * File renames as requested in PR comments * Revert "Azure Data Factory CI starter workflow (#1111)" (#1146) This reverts commit 7f30309ccedb0e3dee186e0ee58c232752a78e24. * use env variables for user-set values (#1117) Co-authored-by: Josh Gross * Apply suggestions from nickfyson's code review Co-authored-by: Nick Fyson * removing "deployment" templates from sync-ghes (#1127) * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Changed svg logo * Rename sysdig.svg to sysdig-scan.svg * Switched svg logo (again) for a better fit * Rename fortify.json to fortify.properties.json * Correct character-case of "c" in Cloudrail * AWS template also used Docker * trigger on push instead of release (#1157) Co-authored-by: Josh Gross * Adding MobSF starter workflow * Adhering to pull request guidelines * python: update to use python 3.10 Signed-off-by: Rui Chen * Added new templates for 3 clouds. * Revert "Added new templates for 3 clouds." This reverts commit c765d6316fb380d15d81206ede83b0042cdac377. * Add ruby and update workflow * Add workflow for Microsoft C++ Code Analysis * Updated action to meet guidelines * quote the version strings * correct typo in msvc.properties.json * Update codeql.properties.json * Update code-scanning/properties/codeql.properties.json Co-authored-by: Arthur Baars * Update codeql.properties.json * Update codeql.properties.json * Update code-scanning/mobsf.yml Co-authored-by: Nick Fyson * Update code-scanning/properties/mobsf.properties.json Co-authored-by: Nick Fyson * Fixed typo in workflow that will cause every run to fail * Update commit SHA * r: use setup-r@1 and include r@4 for starter (#1169) * r: use setup-r@1 and include r@4 for starter Signed-off-by: Rui Chen * use sha instead of tag for external action Co-authored-by: Josh Gross Co-authored-by: Josh Gross * elixir: refresh dependencies (#1212) - setup action got renamed into `setup-beam` - update elixir and erlang versions * Updated to main branch version. Co-authored-by: Yoni Leitersdorf Co-authored-by: Ruud Senden Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com> Co-authored-by: Manuel Boira Cuevas Co-authored-by: manuelbcd Co-authored-by: Nick Fyson Co-authored-by: Sarah Edwards Co-authored-by: Josh Gross Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Co-authored-by: manuelbcd Co-authored-by: Abir Majumdar Co-authored-by: Rui Chen Co-authored-by: David Verdeguer Co-authored-by: Daniel Winsor Co-authored-by: David Verdeguer <47184891+Daverlo@users.noreply.github.com> Co-authored-by: Arthur Baars Co-authored-by: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Co-authored-by: Marco Gario Co-authored-by: Andy McKay --- deployments/properties/azure.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployments/properties/azure.properties.json b/deployments/properties/azure.properties.json index 90a3717..362d5d1 100644 --- a/deployments/properties/azure.properties.json +++ b/deployments/properties/azure.properties.json @@ -3,5 +3,5 @@ "description": "Build a Node.js project and deploy it to an Azure Web App.", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "JavaScript", "npm"] + "categories": ["Deployment"] } \ No newline at end of file From f61ca9907b39f2023bf9abaa26adc2e0c56193d8 Mon Sep 17 00:00:00 2001 From: Keegan Saunders Date: Fri, 12 Nov 2021 09:55:14 -0500 Subject: [PATCH 050/110] Add NowSecure starter workflow --- code-scanning/nowsecure.yml | 52 +++++++++++++++++++ .../properties/nowsecure.properties.json | 21 ++++++++ icons/nowsecure.svg | 21 ++++++++ 3 files changed, 94 insertions(+) create mode 100644 code-scanning/nowsecure.yml create mode 100644 code-scanning/properties/nowsecure.properties.json create mode 100644 icons/nowsecure.svg diff --git a/code-scanning/nowsecure.yml b/code-scanning/nowsecure.yml new file mode 100644 index 0000000..92126bd --- /dev/null +++ b/code-scanning/nowsecure.yml @@ -0,0 +1,52 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# NowSecure: The Mobile Security Experts . +# +# To use this workflow, you must be an existing NowSecure customer with GitHub Advanced Security (GHAS) enabled for your +# repository. +# +# If you *are not* an existing customer, click here to contact us for licensing and pricing details: +# . +# +# Instructions: +# +# 1. In the settings for your repository, click "Secrets" then "New repository secret". Name the secret "NS_TOKEN" and +# paste in your Platform token. If you do not have a Platform token, or wish to create a new one for GitHub, visit +# NowSecure Platform and go to "Profile & Preferences" then create a token labelled "GitHub". +# +# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository +# and review the "Security" tab once the action has run. + +name: "NowSecure" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + +jobs: + nowsecure: + name: NowSecure + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Build your application + run: ./gradlew assembleDebug # Update this to build your Android or iOS application + + - name: Run NowSecure + uses: nowsecure/nowsecure-action@3b439db31b6dce857b09f5222fd13ffc3159ad26 + with: + token: ${{ secrets.NS_TOKEN }} + app_file: app-debug.apk # Update this to a path to your .ipa or .apk + group_id: {{ groupId }} # Update this to your desired Platform group ID + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: NowSecure.sarif diff --git a/code-scanning/properties/nowsecure.properties.json b/code-scanning/properties/nowsecure.properties.json new file mode 100644 index 0000000..dfc9f60 --- /dev/null +++ b/code-scanning/properties/nowsecure.properties.json @@ -0,0 +1,21 @@ +{ + "name": "NowSecure", + "creator": "NowSecure", + "description": "The NowSecure Action delivers fast, accurate, automated security analysis of iOS and Android apps coded in any language", + "iconName": "nowsecure", + "categories": [ + "Code Scanning", + "Java", + "Kotlin", + "Scala", + "Swift", + "Objective C", + "C", + "C++", + "C#", + "Rust", + "JavaScript", + "TypeScript", + "Node" + ] +} diff --git a/icons/nowsecure.svg b/icons/nowsecure.svg new file mode 100644 index 0000000..0cec9f3 --- /dev/null +++ b/icons/nowsecure.svg @@ -0,0 +1,21 @@ + + + + + + + + From 214aeaaafe01dc791220ab91d9043e79d34db66f Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Tue, 16 Nov 2021 09:43:18 -0800 Subject: [PATCH 051/110] Update quickstart link --- deployments/azure-webapps-container.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 2 +- deployments/azure-webapps-java-jar.yml | 2 +- deployments/azure-webapps-php.yml | 2 +- deployments/azure-webapps-python.yml | 4 ++-- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-webapps-container.yml index 823a36f..407279e 100644 --- a/deployments/azure-webapps-container.yml +++ b/deployments/azure-webapps-container.yml @@ -1,7 +1,7 @@ # This workflow will build and push a Docker container to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-custom-container?tabs=dotnet&pivots=container-linux # # To configure this workflow: # diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 656136c..fe81148 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -1,7 +1,7 @@ # This workflow will build and push a .NET Core app to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-dotnetcore?tabs=net60&pivots=development-environment-vscode # # To configure this workflow: # diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index e533f3f..f386250 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -1,7 +1,7 @@ # This workflow will build and push a Java application to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-java?tabs=javase&pivots=platform-linux # # To configure this workflow: # diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 0be746f..c900dfa 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -1,7 +1,7 @@ # This workflow will build and push a PHP application to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-php?pivots=platform-linux # # To configure this workflow: # diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 6cb093b..216742f 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -1,7 +1,7 @@ # This workflow will build and push a Python application to an Azure Web App when a commit is pushed to your default branch. # # This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-python?tabs=bash&pivots=python-framework-flask # # To configure this workflow: # @@ -11,7 +11,7 @@ # 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. # For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret # -# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and PYTHON_VERSION environment variables below. +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the PYTHON_VERSION environment variables below. # # For more information on GitHub Actions for Azure: https://github.com/Azure/Actions # For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy From 11147495c0f5cbaf48672a428f8914c23b23f914 Mon Sep 17 00:00:00 2001 From: gambtho Date: Thu, 18 Nov 2021 07:30:10 -0500 Subject: [PATCH 052/110] variable cleanup and comment additions --- deployments/aks.yml | 3 ++- deployments/properties/aks.properties.json | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/deployments/aks.yml b/deployments/aks.yml index 65e3782..08988ff 100644 --- a/deployments/aks.yml +++ b/deployments/aks.yml @@ -3,6 +3,7 @@ # This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) # For instructions see https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal # https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# https://github.com/Azure/aks-create-action # # To configure this workflow: # @@ -48,7 +49,7 @@ jobs: azcliversion: 2.29.1 inlineScript: | az configure --defaults acr=${{ env.AZURE_CONTAINER_REGISTRY }} - az acr build -t -t ${{ secrets.REGISTRY_URL }}/${{ env.PROJECT_NAME }}:${{ github.sha }} + az acr build -t -t ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }} - name: Gets K8s context uses: azure/aks-set-context@v1 diff --git a/deployments/properties/aks.properties.json b/deployments/properties/aks.properties.json index a228aa2..28f3725 100644 --- a/deployments/properties/aks.properties.json +++ b/deployments/properties/aks.properties.json @@ -3,5 +3,5 @@ "description": "Deploy an application to a Azure Kubernetes Service Cluster using Azure Credentials", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes, "Dockerfile"] + "categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes", "Dockerfile"] } From 42dcf88eb9dde18e9c0b9e05840c92d47d26a28c Mon Sep 17 00:00:00 2001 From: anaarmas <54946499+anaarmas@users.noreply.github.com> Date: Fri, 19 Nov 2021 16:41:15 +0100 Subject: [PATCH 053/110] add detekt workflow --- code-scanning/detekt.yml | 109 ++++++++++++++++++ .../properties/detekt.properties.json | 9 ++ icons/detekt.svg | 32 +++++ 3 files changed, 150 insertions(+) create mode 100644 code-scanning/detekt.yml create mode 100644 code-scanning/properties/detekt.properties.json create mode 100644 icons/detekt.svg diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml new file mode 100644 index 0000000..0edc8b5 --- /dev/null +++ b/code-scanning/detekt.yml @@ -0,0 +1,109 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow performs a static analysis of your Kotlin source code using +# Detekt. +# +# Scans are triggered: +# 1. On every push to default and protected branches +# 2. On every Pull Request targeting the default branch +# 3. On a weekly schedule +# 4. Manually, on demand, via the "workflow_dispatch" event +# +# The workflow should work with no modifications, but you might like to use a +# later version of the Detekt CLI by modifing the $DETEKT_RELEASE_TAG +# environment variable. +name: Scan with Detekt + +on: + # Triggers the workflow on push or pull request events but only for default and protected branches + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +env: + # Release tag associated with version of Detekt to be installed + # SARIF support (required for this workflow) was introduced in Detekt v1.15.0 + DETEKT_RELEASE_TAG: v1.15.0 + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + # This workflow contains a single job called "scan" + scan: + name: Scan + # The type of runner that the job will run on + runs-on: ubuntu-latest + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it + - uses: actions/checkout@v2 + + # Gets the download URL associated with the $DETEKT_RELEASE_TAG + - name: Get Detekt download URL + id: detekt_info + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + DETEKT_DOWNLOAD_URL=$( gh api graphql --field tagName=$DETEKT_RELEASE_TAG --raw-field query=' + query getReleaseAssetDownloadUrl($tagName: String!) { + repository(name: "detekt", owner: "detekt") { + release(tagName: $tagName) { + # it doesn't look like there is an alternative semantics for this with a specific SHA, is this release tag immutable? + releaseAssets(name: "detekt", first: 1) { + nodes { + downloadUrl + } + } + } + } + } + ' | \ + jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' ) + echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL" + + # Sets up the detekt cli + - name: Setup Detekt + run: | + dest=$( mktemp -d ) + curl --request GET \ + --url ${{ steps.detekt_info.outputs.download_url }} \ + --silent \ + --location \ + --output $dest/detekt + chmod a+x $dest/detekt + echo $dest >> $GITHUB_PATH + + # Performs static analysis using Detekt + - name: Run Detekt + continue-on-error: true + run: | + detekt --input ${{ github.workspace }} --report sarif:${{ github.workspace }}/detekt.sarif.json + + # Modifies the SARIF output produced by Detekt so that absolute URIs are relative + # This is so we can easily map results onto their source files + # This can be removed once relative URI support lands in Detekt: https://git.io/JLBbA + - name: Make artifact location URIs relative + continue-on-error: true + run: | + echo "$( + jq \ + --arg github_workspace ${{ github.workspace }} \ + '. | ( .runs[].results[].locations[].physicalLocation.artifactLocation.uri |= if test($github_workspace) then .[($github_workspace | length | . + 1):] else . end )' \ + ${{ github.workspace }}/detekt.sarif.json + )" > ${{ github.workspace }}/detekt.sarif.json + + # Uploads results to GitHub repository using the upload-sarif action + - uses: github/codeql-action/upload-sarif@v1 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: ${{ github.workspace }}/detekt.sarif.json + checkout_path: ${{ github.workspace }} diff --git a/code-scanning/properties/detekt.properties.json b/code-scanning/properties/detekt.properties.json new file mode 100644 index 0000000..d51a6ad --- /dev/null +++ b/code-scanning/properties/detekt.properties.json @@ -0,0 +1,9 @@ +{ + "name": "Detekt", + "creator": "Detekt", + "description": "Static code analysis for Kotlin", + "iconName": "detekt", + "categories": ["Code Scanning", "Kotlin"] +} + + \ No newline at end of file diff --git a/icons/detekt.svg b/icons/detekt.svg new file mode 100644 index 0000000..1526170 --- /dev/null +++ b/icons/detekt.svg @@ -0,0 +1,32 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From 52edf1b58088d3acb5c1444b65bf9988e1d1b498 Mon Sep 17 00:00:00 2001 From: anaarmas <54946499+anaarmas@users.noreply.github.com> Date: Fri, 19 Nov 2021 16:55:27 +0100 Subject: [PATCH 054/110] add a bunch of code scanning workflows --- code-scanning/42crunch.yml | 53 ++ code-scanning/anchore.yml | 39 + code-scanning/brakeman.yml | 51 ++ code-scanning/checkmarx.yml | 44 + code-scanning/codacy.yml | 54 ++ code-scanning/codescan.yml | 42 + code-scanning/njsscan.yml | 35 + code-scanning/ossar.yml | 49 ++ code-scanning/prisma.yml | 54 ++ .../properties/42crunch.properties.json | 7 + .../properties/anchore.properties.json | 7 + .../properties/brakeman.properties.json | 7 + .../properties/checkmarx.properties.json | 7 + .../properties/codacy.properties.json | 7 + .../properties/codescan.properties.json | 7 + .../properties/njsscan.properties.json | 7 + .../properties/ossar.properties.json | 7 + .../properties/prisma.properties.json | 7 + .../properties/rubocop.properties.json | 7 + .../securitycodescan.properties.json | 7 + .../properties/semgrep.properties.json | 7 + .../properties/shiftleft.properties.json | 7 + .../properties/snyk-container.properties.json | 7 + .../snyk-infrastructure.properties.json | 7 + .../properties/trivy.properties.json | 8 + .../properties/xanitizer.properties.json | 7 + code-scanning/rubocop.yml | 52 ++ code-scanning/securitycodescan.yml | 41 + code-scanning/semgrep.yml | 42 + code-scanning/shiftleft.yml | 47 ++ code-scanning/snyk-container.yml | 48 ++ code-scanning/snyk-infrastructure.yml | 47 ++ code-scanning/trivy.yml | 41 + code-scanning/xanitizer.yml | 92 +++ icons/42crunch.svg | 19 + icons/anchore.svg | 1 + icons/brakeman.svg | 464 +++++++++++ icons/checkmarx.svg | 14 + icons/codacy.svg | 16 + icons/codescan.svg | 69 ++ icons/njsscan.svg | 755 ++++++++++++++++++ icons/prisma.svg | 16 + icons/rubocop.svg | 1 + icons/securitycodescan.svg | 3 + icons/semgrep.svg | 4 + icons/shiftleft.svg | 6 + icons/snyk.svg | 31 + icons/trivy.svg | 93 +++ icons/xanitizer.svg | 50 ++ 49 files changed, 2493 insertions(+) create mode 100644 code-scanning/42crunch.yml create mode 100644 code-scanning/anchore.yml create mode 100644 code-scanning/brakeman.yml create mode 100644 code-scanning/checkmarx.yml create mode 100644 code-scanning/codacy.yml create mode 100644 code-scanning/codescan.yml create mode 100644 code-scanning/njsscan.yml create mode 100644 code-scanning/ossar.yml create mode 100644 code-scanning/prisma.yml create mode 100644 code-scanning/properties/42crunch.properties.json create mode 100644 code-scanning/properties/anchore.properties.json create mode 100644 code-scanning/properties/brakeman.properties.json create mode 100644 code-scanning/properties/checkmarx.properties.json create mode 100644 code-scanning/properties/codacy.properties.json create mode 100644 code-scanning/properties/codescan.properties.json create mode 100644 code-scanning/properties/njsscan.properties.json create mode 100644 code-scanning/properties/ossar.properties.json create mode 100644 code-scanning/properties/prisma.properties.json create mode 100644 code-scanning/properties/rubocop.properties.json create mode 100644 code-scanning/properties/securitycodescan.properties.json create mode 100644 code-scanning/properties/semgrep.properties.json create mode 100644 code-scanning/properties/shiftleft.properties.json create mode 100644 code-scanning/properties/snyk-container.properties.json create mode 100644 code-scanning/properties/snyk-infrastructure.properties.json create mode 100644 code-scanning/properties/trivy.properties.json create mode 100644 code-scanning/properties/xanitizer.properties.json create mode 100644 code-scanning/rubocop.yml create mode 100644 code-scanning/securitycodescan.yml create mode 100644 code-scanning/semgrep.yml create mode 100644 code-scanning/shiftleft.yml create mode 100644 code-scanning/snyk-container.yml create mode 100644 code-scanning/snyk-infrastructure.yml create mode 100644 code-scanning/trivy.yml create mode 100644 code-scanning/xanitizer.yml create mode 100644 icons/42crunch.svg create mode 100644 icons/anchore.svg create mode 100644 icons/brakeman.svg create mode 100644 icons/checkmarx.svg create mode 100644 icons/codacy.svg create mode 100644 icons/codescan.svg create mode 100644 icons/njsscan.svg create mode 100644 icons/prisma.svg create mode 100644 icons/rubocop.svg create mode 100644 icons/securitycodescan.svg create mode 100644 icons/semgrep.svg create mode 100644 icons/shiftleft.svg create mode 100644 icons/snyk.svg create mode 100644 icons/trivy.svg create mode 100644 icons/xanitizer.svg diff --git a/code-scanning/42crunch.yml b/code-scanning/42crunch.yml new file mode 100644 index 0000000..1d44bf9 --- /dev/null +++ b/code-scanning/42crunch.yml @@ -0,0 +1,53 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow locates REST API file contracts +# (Swagger or OpenAPI format, v2 and v3, JSON and YAML) +# and runs 200+ security checks on them using 42Crunch Security Audit technology. +# +# Documentation is located here: https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm +# +# To use this workflow, you will need to complete the following setup steps. +# +# 1. Create a free 42Crunch account at https://platform.42crunch.com/register +# +# 2. Follow steps at https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm +# to create an API Token on the 42Crunch platform +# +# 3. Add a secret in GitHub as explained in https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm, +# store the 42Crunch API Token in that secret, and supply the secret's name as api-token parameter in this workflow +# +# If you have any questions or need help contact https://support.42crunch.com + +name: "42Crunch REST API Static Security Testing" + +# follow standard Code Scanning triggers +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + rest-api-static-security-testing: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: 42Crunch REST API Static Security Testing + uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1 + with: + # Please create free account at https://platform.42crunch.com/register + # Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm + api-token: ${{ secrets.API_TOKEN }} + # Fail if any OpenAPI file scores lower than 75 + min-score: 75 + # Upload results to Github code scanning + upload-to-code-scanning: true + # Github token for uploading the results + github-token: ${{ github.token }} diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml new file mode 100644 index 0000000..d90f68c --- /dev/null +++ b/code-scanning/anchore.yml @@ -0,0 +1,39 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow checks out code, builds an image, performs a container image +# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security +# code scanning feature. For more information on the Anchore scan action usage +# and parameters, see https://github.com/anchore/scan-action. For more +# information on Anchore's container image scanning tool Grype, see +# https://github.com/anchore/grype +name: Anchore Container Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + Anchore-Build-Scan: + runs-on: ubuntu-latest + steps: + - name: Checkout the code + uses: actions/checkout@v2 + - name: Build the Docker image + run: docker build . --file Dockerfile --tag localbuild/testimage:latest + - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled + uses: anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd + with: + image: "localbuild/testimage:latest" + acs-report-enable: true + - name: Upload Anchore Scan Report + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif \ No newline at end of file diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml new file mode 100644 index 0000000..ae5215a --- /dev/null +++ b/code-scanning/brakeman.yml @@ -0,0 +1,51 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates Brakeman with GitHub's Code Scanning feature +# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications + +name: Brakeman Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + brakeman-scan: + name: Brakeman Scan + runs-on: ubuntu-latest + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout + uses: actions/checkout@v2 + + # Customize the ruby version depending on your needs + - name: Setup Ruby + uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf + with: + ruby-version: '2.7' + + - name: Setup Brakeman + env: + BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+ + run: | + gem install brakeman --version $BRAKEMAN_VERSION + + # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis + - name: Scan + continue-on-error: true + run: | + brakeman -f sarif -o output.sarif.json . + + # Upload the SARIF file generated in the previous step + - name: Upload SARIF + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: output.sarif.json diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml new file mode 100644 index 0000000..ee97108 --- /dev/null +++ b/code-scanning/checkmarx.yml @@ -0,0 +1,44 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This is a basic workflow to help you get started with Using Checkmarx CxFlow Action + +name: CxFlow + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action +jobs: + # This workflow contains a single job called "build" + build: + # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action + runs-on: ubuntu-latest + + # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it + - uses: actions/checkout@v2 + # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs + - name: Checkmarx CxFlow Action + uses: checkmarx-ts/checkmarx-cxflow-github-action@04e6403dbbfee0fd3fb076e5791202c31c54fe6b + with: + project: GithubActionTest + team: '\CxServer\SP\Checkmarx' + checkmarx_url: ${{ secrets.CHECKMARX_URL }} + checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} + checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} + checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} + # Upload the Report for CodeQL/Security Alerts + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: cx.sarif diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml new file mode 100644 index 0000000..50185ad --- /dev/null +++ b/code-scanning/codacy.yml @@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow checks out code, performs a Codacy security scan +# and integrates the results with the +# GitHub Advanced Security code scanning feature. For more information on +# the Codacy security scan action usage and parameters, see +# https://github.com/codacy/codacy-analysis-cli-action. +# For more information on Codacy Analysis CLI in general, see +# https://github.com/codacy/codacy-analysis-cli. + +name: Codacy Security Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + codacy-security-scan: + name: Codacy Security Scan + runs-on: ubuntu-latest + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout code + uses: actions/checkout@v2 + + # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis + - name: Run Codacy Analysis CLI + uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b + with: + # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository + # You can also omit the token and run the tools that support default configurations + project-token: ${{ secrets.CODACY_PROJECT_TOKEN }} + verbose: true + output: results.sarif + format: sarif + # Adjust severity of non-security issues + gh-code-scanning-compat: true + # Force 0 exit code to allow SARIF file generation + # This will handover control about PR rejection to the GitHub side + max-allowed-issues: 2147483647 + + # Upload the SARIF file generated in the previous step + - name: Upload SARIF results file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml new file mode 100644 index 0000000..5886843 --- /dev/null +++ b/code-scanning/codescan.yml @@ -0,0 +1,42 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow requires that you have an existing account with codescan.io +# For more information about configuring your workflow, +# read our documentation at https://github.com/codescan-io/codescan-scanner-action +name: CodeScan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + CodeScan: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v2 + - name: Cache files + uses: actions/cache@v2 + with: + path: | + ~/.sonar + key: ${{ runner.os }}-sonar + restore-keys: ${{ runner.os }}-sonar + - name: Run Analysis + uses: codescan-io/codescan-scanner-action@5b2e8c5683ef6a5adc8fa3b7950bb07debccce12 + with: + login: ${{ secrets.CODESCAN_AUTH_TOKEN }} + organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }} + projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }} + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: codescan.sarif diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml new file mode 100644 index 0000000..8077f76 --- /dev/null +++ b/code-scanning/njsscan.yml @@ -0,0 +1,35 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates njsscan with GitHub's Code Scanning feature +# nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications + +name: njsscan sarif + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + njsscan: + runs-on: ubuntu-latest + name: njsscan code scanning + steps: + - name: Checkout the code + uses: actions/checkout@v2 + - name: nodejsscan scan + id: njsscan + uses: ajinabraham/njsscan-action@7237412fdd36af517e2745077cedbf9d6900d711 + with: + args: '. --sarif --output results.sarif || true' + - name: Upload njsscan report + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml new file mode 100644 index 0000000..b5aefa4 --- /dev/null +++ b/code-scanning/ossar.yml @@ -0,0 +1,49 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates a collection of open source static analysis tools +# with GitHub code scanning. For documentation, or to provide feedback, visit +# https://github.com/github/ossar-action +name: OSSAR + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + OSSAR-Scan: + # OSSAR runs on windows-latest. + # ubuntu-latest and macos-latest support coming soon + runs-on: windows-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + # Ensure a compatible version of dotnet is installed. + # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. + # A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action. + # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped. + # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action: + # - name: Install .NET + # uses: actions/setup-dotnet@v1 + # with: + # dotnet-version: '3.1.x' + + # Run open source static analysis tools + - name: Run OSSAR + uses: github/ossar-action@v1 + id: ossar + + # Upload results to the Security tab + - name: Upload OSSAR results + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ${{ steps.ossar.outputs.sarifFile }} diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml new file mode 100644 index 0000000..5323d1b --- /dev/null +++ b/code-scanning/prisma.yml @@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow that checks for security issues using +# the Prisma Cloud Infrastructure as Code Scan Action on +# the IaC files present in the repository. +# The results are uploaded to GitHub Security Code Scanning +# +# For more details on the Action configuration see https://github.com/prisma-cloud-shiftleft/iac-scan-action + +name: Prisma Cloud IaC Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + prisma_cloud_iac_scan: + runs-on: ubuntu-latest + name: Run Prisma Cloud IaC Scan to check + steps: + - name: Checkout + uses: actions/checkout@v2 + - id: iac-scan + name: Run Scan on CFT files in the repository + uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3 + with: + # You will need Prisma Cloud API Access Token + # More details in https://github.com/prisma-cloud-shiftleft/iac-scan-action + prisma_api_url: ${{ secrets.PRISMA_CLOUD_API_URL }} + access_key: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }} + secret_key: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }} + # Scan sources on Prisma Cloud are uniquely identified by their name + asset_name: 'my-asset-name' + # The service need to know the type of IaC being scanned + template_type: 'CFT' + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + # Results are generated only on a success or failure + # this is required since GitHub by default won't run the next step + # when the previous one has failed. + # And alternative it to add `continue-on-error: true` to the previous step + if: success() || failure() + with: + # The SARIF Log file name is configurable on scan action + # therefore the file name is best read from the steps output + sarif_file: ${{ steps.iac-scan.outputs.iac_scan_result_sarif_path }} diff --git a/code-scanning/properties/42crunch.properties.json b/code-scanning/properties/42crunch.properties.json new file mode 100644 index 0000000..9fbeca9 --- /dev/null +++ b/code-scanning/properties/42crunch.properties.json @@ -0,0 +1,7 @@ +{ + "name": "42Crunch API Security Audit", + "creator": "42crunch", + "description": "Use the 42Crunch API Security Audit REST API to perform static application security testing (SAST) on OpenAPI/Swagger files.", + "iconName": "42crunch", + "categories": ["Code Scanning"] +} \ No newline at end of file diff --git a/code-scanning/properties/anchore.properties.json b/code-scanning/properties/anchore.properties.json new file mode 100644 index 0000000..d997da4 --- /dev/null +++ b/code-scanning/properties/anchore.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Anchore Container Scan", + "creator": "Indeni Cloudrail", + "description": "Produce container image vulnerability and compliance reports based on the open-source Anchore container image scanner.", + "iconName": "anchore", + "categories": ["Code Scanning", "dockerfile"] +} \ No newline at end of file diff --git a/code-scanning/properties/brakeman.properties.json b/code-scanning/properties/brakeman.properties.json new file mode 100644 index 0000000..5597919 --- /dev/null +++ b/code-scanning/properties/brakeman.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Brakeman", + "creator": "Brakeman", + "description": "Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications.", + "iconName": "brakeman", + "categories": ["Code Scanning", "ruby"] +} \ No newline at end of file diff --git a/code-scanning/properties/checkmarx.properties.json b/code-scanning/properties/checkmarx.properties.json new file mode 100644 index 0000000..473a103 --- /dev/null +++ b/code-scanning/properties/checkmarx.properties.json @@ -0,0 +1,7 @@ +{ + "name": "CxSAST", + "creator": "Checkmarx", + "description": "Scan your code with Checkmarx CxSAST and see your results in the GitHub security tab.", + "iconName": "checkmarx", + "categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "c", "c++", "ruby", "swift", "go", "json", "kotlin", "apex", "scala", "perl"] +} \ No newline at end of file diff --git a/code-scanning/properties/codacy.properties.json b/code-scanning/properties/codacy.properties.json new file mode 100644 index 0000000..4ee4362 --- /dev/null +++ b/code-scanning/properties/codacy.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Codacy Security Scan", + "creator": "Codacy", + "description": "Free, out-of-the-box, security analysis provided by multiple open source static analysis tools.", + "iconName": "codacy", + "categories": ["Code Scanning", "apex", "bash", "c", "coffeescript", "c++", "c#", "crystal", "dockerfile", "elixir", "go", "groovy", "java", "javascript", "jsp", "kotlin", "markdown", "php", "plsql", "powershell", "python", "ruby", "scala", "swift", "tsql", "typescript", "velocity", "vba", "xml"] +} \ No newline at end of file diff --git a/code-scanning/properties/codescan.properties.json b/code-scanning/properties/codescan.properties.json new file mode 100644 index 0000000..74b66ca --- /dev/null +++ b/code-scanning/properties/codescan.properties.json @@ -0,0 +1,7 @@ +{ + "name": "CodeScan", + "creator": "CodeScan Enterprises, LLC", + "description": "CodeScan allows for better visibility on your code quality checks based on your custom rulesets.", + "iconName": "codescan", + "categories": ["Code Scanning", "javascript", "apex"] +} \ No newline at end of file diff --git a/code-scanning/properties/njsscan.properties.json b/code-scanning/properties/njsscan.properties.json new file mode 100644 index 0000000..c6510a1 --- /dev/null +++ b/code-scanning/properties/njsscan.properties.json @@ -0,0 +1,7 @@ +{ + "name": "njsscan", + "creator": "NodeJSScan", + "description": "nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications.", + "iconName": "njsscan", + "categories": ["Code Scanning", "JavaScript", "TypeScript"] +} \ No newline at end of file diff --git a/code-scanning/properties/ossar.properties.json b/code-scanning/properties/ossar.properties.json new file mode 100644 index 0000000..d295205 --- /dev/null +++ b/code-scanning/properties/ossar.properties.json @@ -0,0 +1,7 @@ +{ + "name": "OSSAR", + "creator": "GitHub", + "description": "Run multiple open source security static analysis tools without the added complexity with OSSAR (Open Source Static Analysis Runner).", + "iconName": "octicon mark-github", + "categories": ["Code Scanning", "python", "javascript"] +} \ No newline at end of file diff --git a/code-scanning/properties/prisma.properties.json b/code-scanning/properties/prisma.properties.json new file mode 100644 index 0000000..7d8be17 --- /dev/null +++ b/code-scanning/properties/prisma.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Prisma Cloud IaC Scan", + "creator": "Palo Alto Prisma Cloud", + "description": "Scan your Infrastructure as Code files with Prisma Cloud to detect security issues", + "iconName": "prisma", + "categories": ["Code Scanning"] +} \ No newline at end of file diff --git a/code-scanning/properties/rubocop.properties.json b/code-scanning/properties/rubocop.properties.json new file mode 100644 index 0000000..79f026b --- /dev/null +++ b/code-scanning/properties/rubocop.properties.json @@ -0,0 +1,7 @@ +{ + "name": "RuboCop Linting", + "creator": "arthurnn", + "description": "A Ruby static code analyzer and formatter, based on the community Ruby style guide.", + "iconName": "rubocop", + "categories": ["Code Scanning", "ruby"] +} \ No newline at end of file diff --git a/code-scanning/properties/securitycodescan.properties.json b/code-scanning/properties/securitycodescan.properties.json new file mode 100644 index 0000000..aa57969 --- /dev/null +++ b/code-scanning/properties/securitycodescan.properties.json @@ -0,0 +1,7 @@ +{ + "name": "SecurityCodeScan", + "creator": "@security-code-scan", + "description": "Vulnerability Patterns Detector for C# and VB.NET", + "iconName": "securitycodescan", + "categories": ["Code Scanning", "C#", "Visual Basic .NET"] +} \ No newline at end of file diff --git a/code-scanning/properties/semgrep.properties.json b/code-scanning/properties/semgrep.properties.json new file mode 100644 index 0000000..5f74ed5 --- /dev/null +++ b/code-scanning/properties/semgrep.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Semgrep", + "creator": "Returntocorp", + "description": "Continuously run Semgrep to find bugs and enforce secure code standards. Start with 1k+ community rules or write your own in a few minutes.", + "iconName": "semgrep", + "categories": ["Code Scanning", "Go", "Java", "JavaScript", "JSON", "Python", "Ruby", "TypeScript", "JSX", "TSX"] +} \ No newline at end of file diff --git a/code-scanning/properties/shiftleft.properties.json b/code-scanning/properties/shiftleft.properties.json new file mode 100644 index 0000000..1cb36c9 --- /dev/null +++ b/code-scanning/properties/shiftleft.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Scan", + "creator": "ShiftLeft", + "description": "Scan is a free open-source security tool for modern DevOps teams from ShiftLeft.", + "iconName": "shiftleft", + "categories": ["Code Scanning"] +} \ No newline at end of file diff --git a/code-scanning/properties/snyk-container.properties.json b/code-scanning/properties/snyk-container.properties.json new file mode 100644 index 0000000..0b1ddb4 --- /dev/null +++ b/code-scanning/properties/snyk-container.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Snyk Container", + "creator": "Snyk", + "description": "Detect vulnerabilities in your container images and surface the issues in GitHub code scanning.", + "iconName": "snyk", + "categories": ["Code Scanning", "dockerfile"] +} \ No newline at end of file diff --git a/code-scanning/properties/snyk-infrastructure.properties.json b/code-scanning/properties/snyk-infrastructure.properties.json new file mode 100644 index 0000000..3680109 --- /dev/null +++ b/code-scanning/properties/snyk-infrastructure.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Snyk Infrastructure as Code", + "creator": "Snyk", + "description": "Detect vulnerabilities in your infrastructure as code files and surface the issues in GitHub code scanning.", + "iconName": "snyk", + "categories": ["Code Scanning"] +} \ No newline at end of file diff --git a/code-scanning/properties/trivy.properties.json b/code-scanning/properties/trivy.properties.json new file mode 100644 index 0000000..4f9613c --- /dev/null +++ b/code-scanning/properties/trivy.properties.json @@ -0,0 +1,8 @@ +{ + "name": "Trivy", + "creator": "Aqua Security", + "description": "Scan Docker container images for vulnerabilities in OS packages and language dependencies with Trivy from Aqua Security.", + "iconName": "trivy", + "categories": ["Code Scanning", "dockerfile"], + "enterprise_requirements": ["docker"] +} \ No newline at end of file diff --git a/code-scanning/properties/xanitizer.properties.json b/code-scanning/properties/xanitizer.properties.json new file mode 100644 index 0000000..6e578c3 --- /dev/null +++ b/code-scanning/properties/xanitizer.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Xanitizer", + "creator": "RIGS IT", + "description": "Automatically scan your code for vulnerabilities and generate compliance reports with the static security analysis tool Xanitizer (SAST).", + "iconName": "xanitizer", + "categories": ["Code Scanning", "javascript", "java", "scala", "typescript", "xml", "json"] +} \ No newline at end of file diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml new file mode 100644 index 0000000..373d5b6 --- /dev/null +++ b/code-scanning/rubocop.yml @@ -0,0 +1,52 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# pulled from repo +name: "Rubocop" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + rubocop: + runs-on: ubuntu-latest + strategy: + fail-fast: false + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + # If running on a self-hosted runner, check it meets the requirements + # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners + - name: Set up Ruby + uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf + with: + ruby-version: 2.6 + + # This step is not necessary if you add the gem to your Gemfile + - name: Install Code Scanning integration + run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install + + - name: Install dependencies + run: bundle install + + - name: Rubocop run + run: | + bash -c " + bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif + [[ $? -ne 2 ]] + " + + - name: Upload Sarif output + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: rubocop.sarif diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml new file mode 100644 index 0000000..3063c7a --- /dev/null +++ b/code-scanning/securitycodescan.yml @@ -0,0 +1,41 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates SecurityCodeScan with GitHub's Code Scanning feature +# SecurityCodeScan is a vulnerability patterns detector for C# and VB.NET + +name: SecurityCodeScan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + SCS: + runs-on: windows-latest + steps: + - uses: actions/checkout@v2 + - uses: nuget/setup-nuget@04b0c2b8d1b97922f67eca497d7cf0bf17b8ffe1 + - uses: microsoft/setup-msbuild@v1.0.2 + + - name: Set up projects for analysis + uses: security-code-scan/security-code-scan-add-action@f8ff4f2763ed6f229eded80b1f9af82ae7f32a0d + + - name: Restore dependencies + run: dotnet restore + + - name: Build + run: dotnet build --no-restore + + - name: Convert sarif for uploading to GitHub + uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687 + + - name: Upload sarif + uses: github/codeql-action/upload-sarif@v1 diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml new file mode 100644 index 0000000..827387b --- /dev/null +++ b/code-scanning/semgrep.yml @@ -0,0 +1,42 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow file requires a free account on Semgrep.dev to +# manage rules, file ignores, notifications, and more. +# +# See https://semgrep.dev/docs + +name: Semgrep + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + semgrep: + name: Scan + runs-on: ubuntu-latest + steps: + # Checkout project source + - uses: actions/checkout@v2 + + # Scan code using project's configuration on https://semgrep.dev/manage + - uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735 + with: + publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} + publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }} + generateSarif: "1" + + # Upload SARIF file generated in previous step + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: semgrep.sarif + if: always() diff --git a/code-scanning/shiftleft.yml b/code-scanning/shiftleft.yml new file mode 100644 index 0000000..48b86d3 --- /dev/null +++ b/code-scanning/shiftleft.yml @@ -0,0 +1,47 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates Scan with GitHub's code scanning feature +# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft +# Visit https://slscan.io/en/latest/integrations/code-scan for help +name: SL Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + Scan-Build: + # Scan runs on ubuntu, mac and windows + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + # Instructions + # 1. Setup JDK, Node.js, Python etc depending on your project type + # 2. Compile or build the project before invoking scan + # Example: mvn compile, or npm install or pip install goes here + # 3. Invoke Scan with the github token. Leave the workspace empty to use relative url + + - name: Perform Scan + uses: ShiftLeftSecurity/scan-action@39af9e54bc599c8077e710291d790175c9231f64 + env: + WORKSPACE: "" + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SCAN_AUTO_BUILD: true + with: + output: reports + # Scan auto-detects the languages in your project. To override uncomment the below variable and set the type + # type: credscan,java + # type: python + + - name: Upload report + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: reports diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml new file mode 100644 index 0000000..8ff2c9a --- /dev/null +++ b/code-scanning/snyk-container.yml @@ -0,0 +1,48 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which checks out the code, builds a container +# image using Docker and scans that image for vulnerabilities using +# Snyk. The results are then uploaded to GitHub Security Code Scanning +# +# For more examples, including how to limit scans to only high-severity +# issues, monitor images for newly disclosed vulnerabilities in Snyk and +# fail PR checks for new vulnerabilities, see https://github.com/snyk/actions/ + +name: Snyk Container + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + snyk: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Build a Docker image + run: docker build -t your/image-to-test . + - name: Run Snyk to check Docker image for vulnerabilities + # Snyk can be used to break the build when it detects vulnerabilities. + # In this case we want to upload the issues to GitHub Code Scanning + continue-on-error: true + uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4 + env: + # In order to use the Snyk Action you will need to have a Snyk API token. + # More details in https://github.com/snyk/actions#getting-your-snyk-token + # or you can signup for free at https://snyk.io/login + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: your/image-to-test + args: --file=Dockerfile + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: snyk.sarif diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml new file mode 100644 index 0000000..b79bf34 --- /dev/null +++ b/code-scanning/snyk-infrastructure.yml @@ -0,0 +1,47 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which checks out your Infrastructure as Code Configuration files, +# such as Kubernetes, Helm & Terraform and scans them for any security issues. +# The results are then uploaded to GitHub Security Code Scanning +# +# For more examples, including how to limit scans to only high-severity issues +# and fail PR checks, see https://github.com/snyk/actions/ + +name: Snyk Infrastructure as Code + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + snyk: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Run Snyk to check configuration files for security issues + # Snyk can be used to break the build when it detects security issues. + # In this case we want to upload the issues to GitHub Code Scanning + continue-on-error: true + uses: snyk/actions/iac@14818c4695ecc4045f33c9cee9e795a788711ca4 + env: + # In order to use the Snyk Action you will need to have a Snyk API token. + # More details in https://github.com/snyk/actions#getting-your-snyk-token + # or you can signup for free at https://snyk.io/login + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + # Add the path to the configuration file that you would like to test. + # For example `deployment.yaml` for a Kubernetes deployment manifest + # or `main.tf` for a Terraform configuration file + file: your-file-to-test.yaml + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: snyk.sarif diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml new file mode 100644 index 0000000..f778492 --- /dev/null +++ b/code-scanning/trivy.yml @@ -0,0 +1,41 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: build + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + build: + name: Build + runs-on: "ubuntu-18.04" + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Build an image from Dockerfile + run: | + docker build -t docker.io/my-organization/my-app:${{ github.sha }} . + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2 + with: + image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: 'trivy-results.sarif' diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml new file mode 100644 index 0000000..3bfb9ed --- /dev/null +++ b/code-scanning/xanitizer.yml @@ -0,0 +1,92 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow downloads and installs the latest version of Xanitizer, builds your project, runs a Xanitizer security analysis on it, +# and then archives the findings list reports and uploads the findings into the GitHub code scanning alert section of your repository. +# +# Documentation for the `RIGS-IT/xanitizer-action` is located here: https://github.com/RIGS-IT/xanitizer-action +# +# To use this basic workflow, you will need to complete the following setup steps: +# +# 1. The underlying Xanitizer, used in this workflow, needs a separate license file. +# Licenses are free of charge for open source projects and for educational usage. +# To get more information about the Xanitizer licenses and how to obtain a license file, +# please consult https://www.xanitizer.com/xanitizer-pricing/. +# +# 2. The content of the license file has to be stored as a GitHub secret (e.g. XANITIZER_LICENSE) on this repository. +# Please consult https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets for details. +# +# 3. Reference the GitHub secret in the step using the `RIGS-IT/xanitizer-action` GitHub action. +# Example: +# - name: Xanitizer Security Analysis +# uses: RIGS-IT/xanitizer-action@v1 +# with: +# license: ${{ secrets.XANITIZER_LICENSE }} +# +# 4. As a static application security testing (SAST) tool, +# Xanitizer requires that all dependencies of the artifacts being analyzed can be resolved successfully. +# So you have to install all used libraries and build your project before running the security analysis, +# e.g. via `mvn compile` for Java or `npm install` for JavaScript + +name: "Xanitizer Security Analysis" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + workflow_dispatch: + +jobs: + xanitizer-security-analysis: + # Xanitizer runs on ubuntu-latest and windows-latest. + runs-on: ubuntu-latest + + steps: + # Check out the repository + - name: Checkout + uses: actions/checkout@v2 + + # Set up the correct Java version for your project + # Please comment out, if your project does not contain Java source code. + - name: Set up JDK 11 + uses: actions/setup-java@v1 + with: + java-version: 11 + + # Compile the code for Java projects and get all libraries, e.g. via Maven + # Please adapt, if your project uses another build system to compile Java source code. + # Please comment out, if your project does not contain Java source code. + - name: Compile Java code + run: mvn -B compile + + # Install all dependent libraries for JavaScript/TypeScript projects, e.g. via npm + # Please adapt to run `npm install` in the correct directories. + # Please adapt, if your project uses another package manager for getting JavaScript libraries. + # Please comment out, if your project does not use a package manager for getting JavaScript libraries. + - name: Install JavaScript libraries + run: npm install + + # Run the security analysis with default settings + - name: Xanitizer Security Analysis + uses: RIGS-IT/xanitizer-action@87d13138fb113b727cbe040c744a15a2b4fe5316 + with: + license: ${{ secrets.XANITIZER_LICENSE }} + + # Archiving the findings list reports + - uses: actions/upload-artifact@v2 + with: + name: Xanitizer-Reports + path: | + *-Findings-List.pdf + *-Findings-List.sarif + + # Uploads the findings into the GitHub code scanning alert section using the upload-sarif action + - uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: Xanitizer-Findings-List.sarif diff --git a/icons/42crunch.svg b/icons/42crunch.svg new file mode 100644 index 0000000..96cd102 --- /dev/null +++ b/icons/42crunch.svg @@ -0,0 +1,19 @@ + + + + + + + + diff --git a/icons/anchore.svg b/icons/anchore.svg new file mode 100644 index 0000000..2381f20 --- /dev/null +++ b/icons/anchore.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/icons/brakeman.svg b/icons/brakeman.svg new file mode 100644 index 0000000..ce91881 --- /dev/null +++ b/icons/brakeman.svg @@ -0,0 +1,464 @@ + +image/svg+xml \ No newline at end of file diff --git a/icons/checkmarx.svg b/icons/checkmarx.svg new file mode 100644 index 0000000..6bf5ad3 --- /dev/null +++ b/icons/checkmarx.svg @@ -0,0 +1,14 @@ + + + + + + diff --git a/icons/codacy.svg b/icons/codacy.svg new file mode 100644 index 0000000..736d60c --- /dev/null +++ b/icons/codacy.svg @@ -0,0 +1,16 @@ + + + +codacy-white + + + + + + + + + + + diff --git a/icons/codescan.svg b/icons/codescan.svg new file mode 100644 index 0000000..5a44c2a --- /dev/null +++ b/icons/codescan.svg @@ -0,0 +1,69 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/icons/njsscan.svg b/icons/njsscan.svg new file mode 100644 index 0000000..a9989e8 --- /dev/null +++ b/icons/njsscan.svg @@ -0,0 +1,755 @@ + + + + diff --git a/icons/prisma.svg b/icons/prisma.svg new file mode 100644 index 0000000..dfb5fdf --- /dev/null +++ b/icons/prisma.svg @@ -0,0 +1,16 @@ + + + + + + + + + + + + + + + + diff --git a/icons/rubocop.svg b/icons/rubocop.svg new file mode 100644 index 0000000..3add056 --- /dev/null +++ b/icons/rubocop.svg @@ -0,0 +1 @@ + diff --git a/icons/securitycodescan.svg b/icons/securitycodescan.svg new file mode 100644 index 0000000..db0181a --- /dev/null +++ b/icons/securitycodescan.svg @@ -0,0 +1,3 @@ + + + diff --git a/icons/semgrep.svg b/icons/semgrep.svg new file mode 100644 index 0000000..1a3e2a9 --- /dev/null +++ b/icons/semgrep.svg @@ -0,0 +1,4 @@ + + + + diff --git a/icons/shiftleft.svg b/icons/shiftleft.svg new file mode 100644 index 0000000..f8e944a --- /dev/null +++ b/icons/shiftleft.svg @@ -0,0 +1,6 @@ + + + + + + diff --git a/icons/snyk.svg b/icons/snyk.svg new file mode 100644 index 0000000..8a934ac --- /dev/null +++ b/icons/snyk.svg @@ -0,0 +1,31 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/icons/trivy.svg b/icons/trivy.svg new file mode 100644 index 0000000..ba2d477 --- /dev/null +++ b/icons/trivy.svg @@ -0,0 +1,93 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/icons/xanitizer.svg b/icons/xanitizer.svg new file mode 100644 index 0000000..1d5fe16 --- /dev/null +++ b/icons/xanitizer.svg @@ -0,0 +1,50 @@ + +image/svg+xml \ No newline at end of file From 28856d6071d6bbeb7c0111aab7f0ef7f2b71bce1 Mon Sep 17 00:00:00 2001 From: Fedor Isakov Date: Fri, 19 Nov 2021 20:46:53 +0300 Subject: [PATCH 055/110] Update google deployment starter workflow --- deployments/google.yml | 47 ++++++++++--------- deployments/properties/google.properties.json | 2 +- 2 files changed, 27 insertions(+), 22 deletions(-) diff --git a/deployments/google.yml b/deployments/google.yml index 267d3cb..bfb5de6 100644 --- a/deployments/google.yml +++ b/deployments/google.yml @@ -4,11 +4,11 @@ # # 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. # -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). +# 2. Create and configure a Workload Identity Provider for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) # -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). +# 3. Change the values for the GAR_LOCATION, GKE_ZONE, GKE_CLUSTER, IMAGE, REPOSITORY and DEPLOYMENT_NAME environment variables (below). # -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke +# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke-kustomize name: Build and Deploy to GKE @@ -19,11 +19,17 @@ on: env: PROJECT_ID: ${{ secrets.GKE_PROJECT }} + GAR_LOCATION: us-central1 # TODO: update region of the Artifact Registry GKE_CLUSTER: cluster-1 # TODO: update to cluster name GKE_ZONE: us-central1-c # TODO: update to cluster zone DEPLOYMENT_NAME: gke-test # TODO: update to deployment name + REPOSITORY: samples # TODO: update to Artifact Registry docker repository IMAGE: static-site +permissions: + contents: 'read' + id-token: 'write' + jobs: setup-build-publish-deploy: name: Setup, Build, Publish, and Deploy @@ -34,48 +40,47 @@ jobs: - name: Checkout uses: actions/checkout@v2 - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v0.2.0 + # Configure Workload Identity Federation and generate an access token. + - id: 'auth' + name: 'Authenticate to Google Cloud' + uses: 'google-github-actions/auth@v0.4.0' with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker + token_format: 'access_token' + workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' + service_account: 'my-service-account@my-project.iam.gserviceaccount.com' + - name: Docker configuration + run: |- + echo ${{steps.auth.outputs.access_token}} | docker login -u oauth2accesstoken --password-stdin https://$GAR_LOCATION-docker.pkg.dev # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v0.2.1 + - name: Set up GKE credentials + uses: google-github-actions/get-gke-credentials@v0.4.0 with: cluster_name: ${{ env.GKE_CLUSTER }} location: ${{ env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY }} # Build the Docker image - name: Build run: |- docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ + --tag "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA" \ --build-arg GITHUB_SHA="$GITHUB_SHA" \ --build-arg GITHUB_REF="$GITHUB_REF" \ . - - # Push the Docker image to Google Container Registry + # Push the Docker image to Google Artifact Registry - name: Publish run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - + docker push "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA" # Set up kustomize - name: Set up Kustomize run: |- curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 chmod u+x ./kustomize - # Deploy the Docker image to the GKE cluster - name: Deploy run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA + # replacing the image name in the k8s template + ./kustomize edit set image LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE:TAG=$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA ./kustomize build . | kubectl apply -f - kubectl rollout status deployment/$DEPLOYMENT_NAME kubectl get services -o wide diff --git a/deployments/properties/google.properties.json b/deployments/properties/google.properties.json index 6318106..f1bd883 100644 --- a/deployments/properties/google.properties.json +++ b/deployments/properties/google.properties.json @@ -3,5 +3,5 @@ "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", "creator": "Google Cloud", "iconName": "googlegke", - "categories": ["Deployment", "Dockerfile"] + "categories": ["Deployment", "Dockerfile", "Kubernetes", "Kustomize"] } \ No newline at end of file From 499e38bc3ee1fea3ced5760aa8d1668e781b768e Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Mon, 22 Nov 2021 20:35:15 +0530 Subject: [PATCH 056/110] Added starter workflow to help you get started with APIsec-Scan Actions. --- code-scanning/apisec-scan.yml | 63 +++++++++++++++++++ .../properties/apisec-scan.properties.json | 24 +++++++ icons/apisec.svg | 17 +++++ 3 files changed, 104 insertions(+) create mode 100644 code-scanning/apisec-scan.yml create mode 100644 code-scanning/properties/apisec-scan.properties.json create mode 100644 icons/apisec.svg diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml new file mode 100644 index 0000000..55356ad --- /dev/null +++ b/code-scanning/apisec-scan.yml @@ -0,0 +1,63 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# APIsec addresses the critical need to secure APIs before they reach production. +# APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs. +# Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities. + +# How to Get Started with APIsec.ai +# 1. Schedule a demo at https://www.apisec.ai/request-a-demo . +# +# 2. Register your account at https://cloud.fxlabs.io/#/signup . +# +# 3. Register your API . See the video (https://www.youtube.com/watch?v=MK3Xo9Dbvac) to get up and running with APIsec quickly. +# +# 4. Get GitHub Actions scan attributes from APIsec Project -> Configurations -> Integrations -> CI-CD -> GitHub Actions +# +# apisec-run-scan +# +# This action triggers the on-demand scans for projects registered in APIsec. +# If your GitHub account allows code scanning alerts, you can then upload the sarif file generated by this action to show the scan findings. +# Else you can view the scan results from the project home page in APIsec Platform. +# The link to view the scan results is also displayed on the console on successful completion of action. + +# This is a starter workflow to help you get started with APIsec-Scan Actions + +name: APIsec + +# Controls when the workflow will run +on: + # Triggers the workflow on push or pull request events but only for the $default-branch branch + # Customize trigger events based on your DevSecOps processes. + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + + +jobs: + Trigger-APIsec-Scan: + runs-on: ubuntu-latest + + steps: + - name: APIsec Scan + uses: apisec-inc/apisec-run-scan@master + with: + # The APIsec username with which the scans will be executed + apisec-username: ${{ secrets.apisec_username }} + # The Password of the APIsec user with which the scans will be executed + apisec-password: ${{ secrets.apisec_password}} + # The name of the project for security scan + apisec-project: "VAmPI" + # The name of the sarif format result file The file is written only if this property is provided. + sarif-result-file: "apisec-results.sarif" + + - name: Import Results + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ./apisec-results.sarif \ No newline at end of file diff --git a/code-scanning/properties/apisec-scan.properties.json b/code-scanning/properties/apisec-scan.properties.json new file mode 100644 index 0000000..9e7db58 --- /dev/null +++ b/code-scanning/properties/apisec-scan.properties.json @@ -0,0 +1,24 @@ +{ + "name": "APIsec Scan", + "creator": "APIsec", + "description": "APIsec addresses the critical need to secure APIs before they reach production. APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs. Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities.", + "iconName": "apisec", + "categories": [ + "Code Scanning", + "C", + "C#", + "C++", + "Go", + "Java", + "JavaScript", + "Kotlin", + "Objective C", + "PHP", + "Python", + "Ruby", + "Rust", + "Scala", + "Swift", + "TypeScript" + ] +} diff --git a/icons/apisec.svg b/icons/apisec.svg new file mode 100644 index 0000000..664dfa9 --- /dev/null +++ b/icons/apisec.svg @@ -0,0 +1,17 @@ + + + Group + + + + \ No newline at end of file From 6439d558f42430c1a7e94c9ca7aa587dcbe8d1ed Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Mon, 22 Nov 2021 21:14:54 +0530 Subject: [PATCH 057/110] Updated the names as per the pull request checklist. --- code-scanning/apisec-scan.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 55356ad..67937ac 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -32,21 +32,23 @@ on: # Triggers the workflow on push or pull request events but only for the $default-branch branch # Customize trigger events based on your DevSecOps processes. push: - branches: [ $default-branch ] + branches: [ $default-branch, $protected-branches ] pull_request: branches: [ $default-branch ] + schedule: + - cron: $cron-weekly # Allows you to run this workflow manually from the Actions tab workflow_dispatch: jobs: - Trigger-APIsec-Scan: + Trigger APIsec scan: runs-on: ubuntu-latest steps: - - name: APIsec Scan - uses: apisec-inc/apisec-run-scan@master + - name: APIsec scan + uses: apisec-inc/apisec-run-scan@f62d0c6fae8a80f97b091a323befdb56e6ad9993 with: # The APIsec username with which the scans will be executed apisec-username: ${{ secrets.apisec_username }} @@ -57,7 +59,7 @@ jobs: # The name of the sarif format result file The file is written only if this property is provided. sarif-result-file: "apisec-results.sarif" - - name: Import Results + - name: Import results uses: github/codeql-action/upload-sarif@v1 with: sarif_file: ./apisec-results.sarif \ No newline at end of file From 0debae5ec754be64d660b4f9992796fa31f4f0db Mon Sep 17 00:00:00 2001 From: anaarmas <54946499+anaarmas@users.noreply.github.com> Date: Tue, 23 Nov 2021 09:37:32 +0100 Subject: [PATCH 058/110] fix crunch42 template id so it overrides old template as required --- code-scanning/{42crunch.yml => crunch42.yml} | 0 .../{42crunch.properties.json => crunch42.properties.json} | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename code-scanning/{42crunch.yml => crunch42.yml} (100%) rename code-scanning/properties/{42crunch.properties.json => crunch42.properties.json} (90%) diff --git a/code-scanning/42crunch.yml b/code-scanning/crunch42.yml similarity index 100% rename from code-scanning/42crunch.yml rename to code-scanning/crunch42.yml diff --git a/code-scanning/properties/42crunch.properties.json b/code-scanning/properties/crunch42.properties.json similarity index 90% rename from code-scanning/properties/42crunch.properties.json rename to code-scanning/properties/crunch42.properties.json index 9fbeca9..82ae816 100644 --- a/code-scanning/properties/42crunch.properties.json +++ b/code-scanning/properties/crunch42.properties.json @@ -1,6 +1,6 @@ { "name": "42Crunch API Security Audit", - "creator": "42crunch", + "creator": "42Crunch", "description": "Use the 42Crunch API Security Audit REST API to perform static application security testing (SAST) on OpenAPI/Swagger files.", "iconName": "42crunch", "categories": ["Code Scanning"] From c4dadecc05874dd13684bcea151993acf42199f7 Mon Sep 17 00:00:00 2001 From: anaarmas <54946499+anaarmas@users.noreply.github.com> Date: Tue, 23 Nov 2021 21:14:53 +0100 Subject: [PATCH 059/110] find a way to pin the SHA for detekt workflow template --- code-scanning/detekt.yml | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index 0edc8b5..a8610c3 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml @@ -53,21 +53,30 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - DETEKT_DOWNLOAD_URL=$( gh api graphql --field tagName=$DETEKT_RELEASE_TAG --raw-field query=' + gh api graphql --field tagName=$DETEKT_RELEASE_TAG --raw-field query=' query getReleaseAssetDownloadUrl($tagName: String!) { repository(name: "detekt", owner: "detekt") { release(tagName: $tagName) { - # it doesn't look like there is an alternative semantics for this with a specific SHA, is this release tag immutable? releaseAssets(name: "detekt", first: 1) { nodes { downloadUrl } } + tagCommit { + oid + } } } } - ' | \ - jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' ) + ' 1> gh_response.json + + DETEKT_RELEASE_SHA=$(jq --raw-output '.data.repository.release.releaseAssets.tagCommit.oid' gh_response.json) + if [ $DETEKT_RELEASE_SHA != "37f0a1d006977512f1f216506cd695039607c3e5" ]; then + echo "Release tag doesn't match expected commit SHA" + exit 1 + fi + + DETEKT_DOWNLOAD_URL=$(jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' gh_response.json) echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL" # Sets up the detekt cli From 8fd6550c33440825258777a9a357dabe11fd35b2 Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 24 Nov 2021 14:20:00 -0800 Subject: [PATCH 060/110] Revert overwrite from upstream pull --- deployments/azure-webapps-node.yml | 32 +++++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index a1330cc..fcfb75e 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -29,27 +29,45 @@ env: NODE_VERSION: '10.x' # set this to the node version to use jobs: - build-and-deploy: - name: Build and Deploy + build: runs-on: ubuntu-latest - environment: production steps: - uses: actions/checkout@v2 - - name: Use Node.js ${{ env.NODE_VERSION }} + + - name: Set up Node.js uses: actions/setup-node@v2 with: node-version: ${{ env.NODE_VERSION }} + - name: npm install, build, and test run: | - # Build and test the project, then - # deploy to Azure Web App. npm install npm run build --if-present npm run test --if-present + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v2 + with: + name: node-app + path: . + + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v2 + with: + name: node-app + - name: 'Deploy to Azure WebApp' id: deploy-to-webapp uses: azure/webapps-deploy@v2 with: app-name: ${{ env.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} + package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} \ No newline at end of file From 278aa7a82e206a81e3a9057063117e4d94cf5356 Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 24 Nov 2021 14:26:16 -0800 Subject: [PATCH 061/110] Add dependency caching for .NET, Node, PHP, and Python workflows --- deployments/azure-webapps-dotnet-core.yml | 8 ++++++++ deployments/azure-webapps-node.yml | 1 + deployments/azure-webapps-php.yml | 15 +++++++++++++++ deployments/azure-webapps-python.yml | 8 ++++++++ 4 files changed, 32 insertions(+) diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index fe81148..7a2a84f 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -41,6 +41,14 @@ jobs: uses: actions/setup-dotnet@v1 with: dotnet-version: ${{ env.DOTNET_VERSION }} + + - name: Set up dependency caching for faster builds + uses: actions/cache@v2 + with: + path: ~/.nuget/packages + key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }} + restore-keys: | + ${{ runner.os }}-nuget- - name: Build with dotnet run: dotnet build --configuration Release diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index fcfb75e..8546fea 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -38,6 +38,7 @@ jobs: uses: actions/setup-node@v2 with: node-version: ${{ env.NODE_VERSION }} + cache: 'npm' - name: npm install, build, and test run: | diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index c900dfa..ad351dc 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -48,6 +48,21 @@ jobs: with: files: 'composer.json' + - name: Get Composer Cache Directory + id: composer-cache + if: steps.check_files.outputs.files_exists == 'true' + run: | + echo "::set-output name=dir::$(composer config cache-files-dir)" + + - name: Set up dependency caching for faster installs + uses: actions/cache@v2 + if: steps.check_files.outputs.files_exists == 'true' + with: + path: ${{ steps.composer-cache.outputs.dir }} + key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} + restore-keys: | + ${{ runner.os }}-composer- + - name: Run composer install if composer.json exists if: steps.check_files.outputs.files_exists == 'true' run: composer validate --no-check-publish && composer install --prefer-dist --no-progress diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 216742f..1212caa 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -46,6 +46,14 @@ jobs: python -m venv venv source venv/bin/activate + - name: Set up dependency caching for faster installs + uses: actions/cache@v2 + with: + path: ~/.cache/pip + key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }} + restore-keys: | + ${{ runner.os }}-pip- + - name: Install dependencies run: pip install -r requirements.txt From 1a67e08a9eb41fc63c6d5ef750ed6e8f37a9595a Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 24 Nov 2021 15:58:25 -0800 Subject: [PATCH 062/110] Update azure-webapps-container.yml --- deployments/azure-webapps-container.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-webapps-container.yml index 407279e..7c7bb2a 100644 --- a/deployments/azure-webapps-container.yml +++ b/deployments/azure-webapps-container.yml @@ -11,7 +11,14 @@ # 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. # For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret # -# 3. Change the value for the AZURE_WEBAPP_NAME. +# 3. Create a GitHub Personal access token with "repo" and "read:packages" permissions. +# +# 4. Create three app settings on your Azure Web app: +# DOCKER_REGISTRY_SERVER_URL: Set this to "https://ghcr.io" +# DOCKER_REGISTRY_SERVER_USERNAME: Set this to the GitHub username or organization that owns the repository +# DOCKER_REGISTRY_SERVER_PASSWORD: Set this to the value of your PAT token from the previous step +# +# 5. Change the value for the AZURE_WEBAPP_NAME. # # For more information on GitHub Actions for Azure: https://github.com/Azure/Actions # For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy @@ -43,9 +50,9 @@ jobs: with: registry: ghcr.io username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + password: ${{ github.token }} - - name: Lowercase the repo name + - name: Lowercase the repo name and username run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} - name: Build and push container image to registry @@ -63,7 +70,7 @@ jobs: url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} steps: - - name: Lowercase the repo name + - name: Lowercase the repo name and username run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} - name: Deploy to Azure Web App From b4ee59804382c997e64cf73a3ef4469686644589 Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Thu, 25 Nov 2021 10:03:14 +0000 Subject: [PATCH 063/110] use setup cache option instead of action --- deployments/azure-webapps-python.yml | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 1212caa..cb19cda 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -40,19 +40,12 @@ jobs: uses: actions/setup-python@v2.2.2 with: python-version: ${{ env.PYTHON_VERSION }} + cache: 'pip' - name: Create and start virtual environment run: | python -m venv venv source venv/bin/activate - - - name: Set up dependency caching for faster installs - uses: actions/cache@v2 - with: - path: ~/.cache/pip - key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }} - restore-keys: | - ${{ runner.os }}-pip- - name: Install dependencies run: pip install -r requirements.txt From 3258466b267d3c4857b4f962fced64d71f920d35 Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Mon, 29 Nov 2021 08:51:54 +0000 Subject: [PATCH 064/110] Adding commit sha for 3rd party actions --- deployments/azure-webapps-php.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index ad351dc..700f83a 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -38,13 +38,13 @@ jobs: - uses: actions/checkout@v2 - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@7c0b4c8c8ebed23eca9ec2802474895d105b11bc with: php-version: ${{ env.PHP_VERSION }} - name: Check if composer.json exists id: check_files - uses: andstor/file-existence-action@v1 + uses: andstor/file-existence-action@87d74d4732ddb824259d80c8a508c0124bf1c673 with: files: 'composer.json' From 1a37cd53451ca29b380e72f0f307050d81f9d589 Mon Sep 17 00:00:00 2001 From: anaarmas <54946499+anaarmas@users.noreply.github.com> Date: Fri, 19 Nov 2021 16:42:04 +0100 Subject: [PATCH 065/110] add veracode workflow --- .../properties/veracode.properties.json | 7 ++ code-scanning/veracode.yml | 66 +++++++++++++++++++ icons/veracode.svg | 1 + 3 files changed, 74 insertions(+) create mode 100644 code-scanning/properties/veracode.properties.json create mode 100644 code-scanning/veracode.yml create mode 100644 icons/veracode.svg diff --git a/code-scanning/properties/veracode.properties.json b/code-scanning/properties/veracode.properties.json new file mode 100644 index 0000000..e42ac9f --- /dev/null +++ b/code-scanning/properties/veracode.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Veracode Static Analysis", + "creator": "Veracode", + "description": "Get fast feedback on flaws with Veracode Static Analysis and the pipeline scan. Break the build based on flaw severity and CWE category.", + "iconName": "veracode", + "categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "c", "c++", "ruby", "swift", "go", "kotlin", "scala", "groovy", "tsql", "plsql", "perl", "cobol"] +} \ No newline at end of file diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml new file mode 100644 index 0000000..31fa989 --- /dev/null +++ b/code-scanning/veracode.yml @@ -0,0 +1,66 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow will initiate a Veracode Static Analysis Pipeline scan, return a results.json and convert to SARIF for upload as a code scanning alert + +name: Veracode Static Analysis Pipeline Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + # This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter + build-and-pipeline-scan: + # The type of runner that the job will run on + runs-on: ubuntu-latest + steps: + + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. Replace this section with your applications build steps + - uses: actions/checkout@v2 + with: + repository: '' + + - uses: vimtor/action-zip@5f1c4aa587ea41db1110df6a99981dbe19cee310 + with: + files: / + recursive: true + dest: veracode-pipeline-scan-results-to-sarif.zip + + - uses: actions/upload-artifact@v1 + with: + name: my-artifact + path: veracode-pipeline-scan-results-to-sarif.zip + + # download the Veracode Static Analysis Pipeline scan jar + - uses: wei/curl@012398a392d02480afa2720780031f8621d5f94c + with: + args: -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip + - run: unzip -o pipeline-scan-LATEST.zip + + - uses: actions/setup-java@v1 + with: + java-version: 1.8 + - run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-pipeline-scan-results-to-sarif.zip + continue-on-error: true + - uses: actions/upload-artifact@v1 + with: + name: ScanResults + path: results.json + - name: Convert pipeline scan output to SARIF format + id: convert + uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be + with: + pipeline-results-json: results.json + - uses: github/codeql-action/upload-sarif@v1 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: veracode-results.sarif diff --git a/icons/veracode.svg b/icons/veracode.svg new file mode 100644 index 0000000..6c70e79 --- /dev/null +++ b/icons/veracode.svg @@ -0,0 +1 @@ + \ No newline at end of file From b6299984305a9e6dfa939d1691051301339ed1d2 Mon Sep 17 00:00:00 2001 From: anaarmas <54946499+anaarmas@users.noreply.github.com> Date: Tue, 30 Nov 2021 09:56:40 +0100 Subject: [PATCH 066/110] replace unnecessary actions with shell commands --- code-scanning/veracode.yml | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index 31fa989..64c732f 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -29,11 +29,7 @@ jobs: with: repository: '' - - uses: vimtor/action-zip@5f1c4aa587ea41db1110df6a99981dbe19cee310 - with: - files: / - recursive: true - dest: veracode-pipeline-scan-results-to-sarif.zip + - run: zip -r veracode-pipeline-scan-results-to-sarif.zip ./ - uses: actions/upload-artifact@v1 with: @@ -41,9 +37,7 @@ jobs: path: veracode-pipeline-scan-results-to-sarif.zip # download the Veracode Static Analysis Pipeline scan jar - - uses: wei/curl@012398a392d02480afa2720780031f8621d5f94c - with: - args: -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip + - run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip - run: unzip -o pipeline-scan-LATEST.zip - uses: actions/setup-java@v1 From 3f39a5a76b03f05e551caec5165369544e4bf35f Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Wed, 1 Dec 2021 13:27:02 +0530 Subject: [PATCH 067/110] Removed the unwanted space in actions file. Updated the logo to have only the shield portion. --- code-scanning/apisec-scan.yml | 1 - icons/apisec.svg | 16 ++++------------ 2 files changed, 4 insertions(+), 13 deletions(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 67937ac..3aa06ca 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -58,7 +58,6 @@ jobs: apisec-project: "VAmPI" # The name of the sarif format result file The file is written only if this property is provided. sarif-result-file: "apisec-results.sarif" - - name: Import results uses: github/codeql-action/upload-sarif@v1 with: diff --git a/icons/apisec.svg b/icons/apisec.svg index 664dfa9..8b2760b 100644 --- a/icons/apisec.svg +++ b/icons/apisec.svg @@ -1,17 +1,9 @@ - - Group + + Fill 11 - \ No newline at end of file From 4238ac653e5124c1e1f118cc0b0bd428b8973953 Mon Sep 17 00:00:00 2001 From: Myles Borins Date: Wed, 1 Dec 2021 14:38:35 -0500 Subject: [PATCH 068/110] chore: split npm publish into 2 workflows (#1281) Currently we suggest that folks dual publish to both npm + gpr. There are a large number of edge cases related to doing this and IMHO it is not the best practice. Let's make two separate workflows. --- ci/npm-publish-github-packages.yml | 36 +++++++++++++++++++ ci/npm-publish.yml | 21 ++--------- ...pm-publish-github-packages.properties.json | 6 ++++ ci/properties/npm-publish.properties.json | 2 +- 4 files changed, 45 insertions(+), 20 deletions(-) create mode 100644 ci/npm-publish-github-packages.yml create mode 100644 ci/properties/npm-publish-github-packages.properties.json diff --git a/ci/npm-publish-github-packages.yml b/ci/npm-publish-github-packages.yml new file mode 100644 index 0000000..09ff0b3 --- /dev/null +++ b/ci/npm-publish-github-packages.yml @@ -0,0 +1,36 @@ +# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created +# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages + +name: Node.js Package + +on: + release: + types: [created] + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - uses: actions/setup-node@v2 + with: + node-version: 16 + - run: npm ci + - run: npm test + + publish-gpr: + needs: build + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + steps: + - uses: actions/checkout@v2 + - uses: actions/setup-node@v2 + with: + node-version: 16 + registry-url: $registry-url(npm) + - run: npm ci + - run: npm publish + env: + NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index 025976d..ef8c690 100644 --- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml @@ -14,7 +14,7 @@ jobs: - uses: actions/checkout@v2 - uses: actions/setup-node@v2 with: - node-version: 14 + node-version: 16 - run: npm ci - run: npm test @@ -25,26 +25,9 @@ jobs: - uses: actions/checkout@v2 - uses: actions/setup-node@v2 with: - node-version: 14 + node-version: 16 registry-url: https://registry.npmjs.org/ - run: npm ci - run: npm publish env: NODE_AUTH_TOKEN: ${{secrets.npm_token}} - - publish-gpr: - needs: build - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 - with: - node-version: 14 - registry-url: $registry-url(npm) - - run: npm ci - - run: npm publish - env: - NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} diff --git a/ci/properties/npm-publish-github-packages.properties.json b/ci/properties/npm-publish-github-packages.properties.json new file mode 100644 index 0000000..180b73a --- /dev/null +++ b/ci/properties/npm-publish-github-packages.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Publish Node.js Package to GitHub Packages", + "description": "Publishes a Node.js package to GitHub Packages.", + "iconName": "node-package-transparent", + "categories": ["Continuous integration", "JavaScript", "npm"] +} diff --git a/ci/properties/npm-publish.properties.json b/ci/properties/npm-publish.properties.json index 9371d7b..cc2c707 100644 --- a/ci/properties/npm-publish.properties.json +++ b/ci/properties/npm-publish.properties.json @@ -1,6 +1,6 @@ { "name": "Publish Node.js Package", - "description": "Publishes a Node.js package to npm and GitHub Packages.", + "description": "Publishes a Node.js package to npm.", "iconName": "node-package-transparent", "categories": ["Continuous integration", "JavaScript", "npm"] } From ce771c75d8e1fe4b0075873cdcfb9b55117af9d9 Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Wed, 1 Dec 2021 15:50:22 -0500 Subject: [PATCH 069/110] Referencing new official PMD github action --- code-scanning/pmd.yml | 52 ++++++++++++++----------------------------- 1 file changed, 17 insertions(+), 35 deletions(-) diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 69596a4..8689961 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -14,45 +14,27 @@ on: - cron: $cron-weekly jobs: - mobile-security: + pmd-code-scan: runs-on: ubuntu-latest - steps: - uses: actions/checkout@v2 - - - name: Setup python - uses: actions/setup-python@v2 + - name: Set up JDK 11 + uses: actions/setup-java@v2 with: - python-version: 3.8 - - - name: Run Full PMD Analysis on Apex Code - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' - id: pmd-full-analysis - uses: abirismyname/pmd@master + java-version: '11' + distribution: 'adopt' + cache: maven + - name: Run PMD + id: pmd + uses: pmd/pmd-github-action@v1 with: - analyse-all-code: 'true' - pmd-version: 'latest' - file-path: './src' - rules-path: 'rulesets/apex/quickstart.xml' - - # - name: Run Full PMD Analysis on Java Code - # if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' - # id: pmd-full-analysis - # uses: abirismyname/pmd@master - # with: - # analyse-all-code: 'true' - # pmd-version: 'latest' - # file-path: './src' - # rules-path: 'rulesets/java/quickstart.xml' - - - name: Upload pmdscan report + rulesets: 'rulesets/java/quickstart.xml' + sourcePath: 'src/main/java' + - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: pmd-output.sarif - - - name: No PMD Errors? - run: | - if ${{ steps.pmd-full-analysis.outputs.error-found }} ${{ steps.pmd-partial-analysis.outputs.error-found }} - then - exit 3 - fi + sarif_file: pmd-report.sarif + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: pmd-report.sarif \ No newline at end of file From d2bba6f2d932e0692a43de925bef2c57274303c8 Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Wed, 1 Dec 2021 16:03:49 -0500 Subject: [PATCH 070/110] Adding icon --- icons/pmd.svg | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 icons/pmd.svg diff --git a/icons/pmd.svg b/icons/pmd.svg new file mode 100644 index 0000000..c0b3415 --- /dev/null +++ b/icons/pmd.svg @@ -0,0 +1,8 @@ + + + + + + + + \ No newline at end of file From 435b265ae0e53ff80428fe76b33752eb76074cac Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Wed, 1 Dec 2021 17:02:40 -0500 Subject: [PATCH 071/110] Removing dupe --- code-scanning/pmd.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 8689961..c876da5 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -34,7 +34,3 @@ jobs: uses: github/codeql-action/upload-sarif@v1 with: sarif_file: pmd-report.sarif - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 - with: - sarif_file: pmd-report.sarif \ No newline at end of file From a48ef3a64354a224371396a3b719d48f50ff67bb Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Wed, 1 Dec 2021 17:52:36 -0800 Subject: [PATCH 072/110] Update azure-webapps-node.yml (#1282) --- deployments/azure-webapps-node.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index 8546fea..b7cb51f 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -26,7 +26,7 @@ on: env: AZURE_WEBAPP_NAME: your-app-name # set this to your application's name AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - NODE_VERSION: '10.x' # set this to the node version to use + NODE_VERSION: '14.x' # set this to the node version to use jobs: build: @@ -71,4 +71,4 @@ jobs: with: app-name: ${{ env.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} \ No newline at end of file + package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} From 9920cac8e993e7080faf048ed69586c2e5aa8103 Mon Sep 17 00:00:00 2001 From: Marcel Wagner Date: Thu, 2 Dec 2021 04:51:29 +0100 Subject: [PATCH 073/110] Update text flow for cmake comment (#1054) --- ci/cmake.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/ci/cmake.yml b/ci/cmake.yml index 1634140..6c858b9 100644 --- a/ci/cmake.yml +++ b/ci/cmake.yml @@ -12,9 +12,8 @@ env: jobs: build: - # The CMake configure and build commands are platform agnostic and should work equally - # well on Windows or Mac. You can convert this to a matrix build if you need - # cross-platform coverage. + # The CMake configure and build commands are platform agnostic and should work equally well on Windows or Mac. + # You can convert this to a matrix build if you need cross-platform coverage. # See: https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix runs-on: ubuntu-latest From f7b1f1515d467adea6cbb6ea0b0b419c69a3ef7b Mon Sep 17 00:00:00 2001 From: Daz DeBoer Date: Thu, 2 Dec 2021 15:22:55 -0700 Subject: [PATCH 074/110] Use `gradle-build-action` in starter workflows (#1237) The `gradle-build-action` provides enhanced execution and caching functionality for Gradle. This change updates starter workflows to use `v2.0.0` of `gradle-build-action`. Improvements over invoking Gradle directly include: - Easier to run the workflow with a particular Gradle version - More sophisticated and more efficient caching of Gradle User Home between invocations - Detailed reporting of cache usage and cache configuration options - Automatic capture of Build Scan links Co-authored-by: Josh Gross --- ci/gradle-publish.yml | 12 ++++++++++-- ci/gradle.yml | 11 +++++++---- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index a74a1ce..f24c004 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -1,3 +1,7 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. # This workflow will build a package using Gradle and then publish it to GitHub packages when a release is created # For more information see: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#Publishing-using-gradle @@ -26,12 +30,16 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Build with Gradle - run: gradle build + uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 + with: + arguments: build # The USERNAME and TOKEN need to correspond to the credentials environment variables used in # the publishing section of your build.gradle - name: Publish to GitHub Packages - run: gradle publish + uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 + with: + arguments: publish env: USERNAME: ${{ github.actor }} TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/ci/gradle.yml b/ci/gradle.yml index 5ecabba..b83458c 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -1,3 +1,7 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. # This workflow will build a Java project with Gradle and cache/restore any dependencies to improve the workflow execution time # For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle @@ -21,8 +25,7 @@ jobs: with: java-version: '11' distribution: 'adopt' - cache: gradle - - name: Grant execute permission for gradlew - run: chmod +x gradlew - name: Build with Gradle - run: ./gradlew build + uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 + with: + arguments: build From 649bca8dab3f93f2fa14671d79d813ef6d5e2c73 Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Fri, 3 Dec 2021 10:33:18 -0500 Subject: [PATCH 075/110] Updating logo and adding sha to workflow --- code-scanning/pmd.yml | 2 +- icons/pmd.svg | 79 +++++++++++++++++++++++++++++++++++++++---- 2 files changed, 73 insertions(+), 8 deletions(-) diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index c876da5..7920c88 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -26,7 +26,7 @@ jobs: cache: maven - name: Run PMD id: pmd - uses: pmd/pmd-github-action@v1 + uses: pmd/pmd-github-action@7ed79622882840855e297f090460face22328ece with: rulesets: 'rulesets/java/quickstart.xml' sourcePath: 'src/main/java' diff --git a/icons/pmd.svg b/icons/pmd.svg index c0b3415..bc1cb58 100644 --- a/icons/pmd.svg +++ b/icons/pmd.svg @@ -1,8 +1,73 @@ - - - - - - + +image/svg+xml + + + + + - \ No newline at end of file + From 4e6641ed7425cb2c2e9beb20339a03b9955d286d Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Fri, 3 Dec 2021 13:19:43 -0500 Subject: [PATCH 076/110] Updating pmd logo --- icons/pmd.svg | 72 +++++++++++++++++---------------------------------- 1 file changed, 24 insertions(+), 48 deletions(-) diff --git a/icons/pmd.svg b/icons/pmd.svg index bc1cb58..61f1842 100644 --- a/icons/pmd.svg +++ b/icons/pmd.svg @@ -1,72 +1,48 @@ image/svg+xml + rdf:resource="http://purl.org/dc/dcmitype/StillImage" /> From 60d206d0900a9e3b4de3779cb2f5277c6304c887 Mon Sep 17 00:00:00 2001 From: Matt Moore Date: Mon, 6 Dec 2021 09:05:19 -0800 Subject: [PATCH 077/110] Have the starter `docker-publish` action sign digests. (#1255) * Have the starter `docker-publish` action sign digests. This change installs `sigstore/cosign` using the `cosign-installer` action, and uses sigstore's "keyless" signing process to sign the resulting image digest using the action's identity token (see: `id-token: write`). Signed-off-by: Matt Moore * Fully qualify the digest, add setup-buildx-action as workaround * Drop --force, add public repo check * Use built-in 'private' bit --- ci/docker-publish.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index ab266ef..3b55fce 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -29,11 +29,24 @@ jobs: permissions: contents: read packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. + id-token: write steps: - name: Checkout repository uses: actions/checkout@v2 + # Install the cosign tool except on PR + # https://github.com/sigstore/cosign-installer + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422 + + # Workaround: https://github.com/docker/build-push-action/issues/461 + - name: Setup Docker buildx + uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + # Login against a Docker registry except on PR # https://github.com/docker/login-action - name: Log into registry ${{ env.REGISTRY }} @@ -55,9 +68,26 @@ jobs: # Build and push Docker image with Buildx (don't push on PR) # https://github.com/docker/build-push-action - name: Build and push Docker image + id: build-and-push uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc with: context: . push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + + # Sign the resulting Docker image digest except on PRs and private repos + # The keyless signing process records signatures on the Rekor public + # transparency log, so signing is disabled for private repos by default + # to avoid leaking private data. If you wish to sign things anyways, + # then this check can be removed and --force can be added to the cosign + # command below. + # https://github.com/sigstore/cosign + - name: Sign the published Docker image + if: ${{ github.event_name != 'pull_request' && !github.event.repository.private }} + env: + COSIGN_EXPERIMENTAL: "true" + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance, and records it to the + # sigstore community Rekor transparency log. + run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }} From 1c56988c5df7b85a0d1fbcbb4a2d6dcee44b7b51 Mon Sep 17 00:00:00 2001 From: anaarmas <54946499+anaarmas@users.noreply.github.com> Date: Tue, 7 Dec 2021 11:35:26 +0100 Subject: [PATCH 078/110] remove unnecessary uses of the upload-artifact action and improve input file name --- code-scanning/veracode.yml | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index 64c732f..e38fffd 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -29,12 +29,7 @@ jobs: with: repository: '' - - run: zip -r veracode-pipeline-scan-results-to-sarif.zip ./ - - - uses: actions/upload-artifact@v1 - with: - name: my-artifact - path: veracode-pipeline-scan-results-to-sarif.zip + - run: zip -r veracode-scan-target.zip ./ # download the Veracode Static Analysis Pipeline scan jar - run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip @@ -43,12 +38,8 @@ jobs: - uses: actions/setup-java@v1 with: java-version: 1.8 - - run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-pipeline-scan-results-to-sarif.zip + - run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-scan-target.zip continue-on-error: true - - uses: actions/upload-artifact@v1 - with: - name: ScanResults - path: results.json - name: Convert pipeline scan output to SARIF format id: convert uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be From c059d06679620e5a2c8d2c74b677879420f0922a Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Tue, 7 Dec 2021 14:16:20 +0000 Subject: [PATCH 079/110] renaming azure template to fix the order --- ...azure-webapps-container.yml => azure-containerized-webapp.yml} | 0 deployments/{aks.yml => azure-kubernetes-service.yml} | 0 ...properties.json => azure-containerized-webapp.properties.json} | 0 ...s.properties.json => azure-kubernetes-service.properties.json} | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename deployments/{azure-webapps-container.yml => azure-containerized-webapp.yml} (100%) rename deployments/{aks.yml => azure-kubernetes-service.yml} (100%) rename deployments/properties/{azure-webapps-container.properties.json => azure-containerized-webapp.properties.json} (100%) rename deployments/properties/{aks.properties.json => azure-kubernetes-service.properties.json} (100%) diff --git a/deployments/azure-webapps-container.yml b/deployments/azure-containerized-webapp.yml similarity index 100% rename from deployments/azure-webapps-container.yml rename to deployments/azure-containerized-webapp.yml diff --git a/deployments/aks.yml b/deployments/azure-kubernetes-service.yml similarity index 100% rename from deployments/aks.yml rename to deployments/azure-kubernetes-service.yml diff --git a/deployments/properties/azure-webapps-container.properties.json b/deployments/properties/azure-containerized-webapp.properties.json similarity index 100% rename from deployments/properties/azure-webapps-container.properties.json rename to deployments/properties/azure-containerized-webapp.properties.json diff --git a/deployments/properties/aks.properties.json b/deployments/properties/azure-kubernetes-service.properties.json similarity index 100% rename from deployments/properties/aks.properties.json rename to deployments/properties/azure-kubernetes-service.properties.json From 17c64f97fed1f39b1ec676d1b2446b0f0f772949 Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Wed, 8 Dec 2021 05:01:06 +0000 Subject: [PATCH 080/110] resolving comments --- ...{azure-containerized-webapp.yml => azure-container-webapp.yml} | 0 ...app.properties.json => azure-container-webapp.properties.json} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename deployments/{azure-containerized-webapp.yml => azure-container-webapp.yml} (100%) rename deployments/properties/{azure-containerized-webapp.properties.json => azure-container-webapp.properties.json} (100%) diff --git a/deployments/azure-containerized-webapp.yml b/deployments/azure-container-webapp.yml similarity index 100% rename from deployments/azure-containerized-webapp.yml rename to deployments/azure-container-webapp.yml diff --git a/deployments/properties/azure-containerized-webapp.properties.json b/deployments/properties/azure-container-webapp.properties.json similarity index 100% rename from deployments/properties/azure-containerized-webapp.properties.json rename to deployments/properties/azure-container-webapp.properties.json From 00db25fc1e0c3432105036075404c4429dfda403 Mon Sep 17 00:00:00 2001 From: Matt Moore Date: Mon, 13 Dec 2021 12:17:02 -0800 Subject: [PATCH 081/110] Enable keyless signing for private repos. (#1295) Now that cosign 1.4 is out, we can perform keyless signing without panicking on private images (and without `--force` uploading to Rekor). Signed-off-by: Matt Moore --- ci/docker-publish.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 3b55fce..977635a 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -42,6 +42,9 @@ jobs: - name: Install cosign if: github.event_name != 'pull_request' uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422 + with: + cosign-release: 'v1.4.0' + # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx @@ -76,18 +79,15 @@ jobs: tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - # Sign the resulting Docker image digest except on PRs and private repos - # The keyless signing process records signatures on the Rekor public - # transparency log, so signing is disabled for private repos by default - # to avoid leaking private data. If you wish to sign things anyways, - # then this check can be removed and --force can be added to the cosign - # command below. + # Sign the resulting Docker image digest except on PRs. + # This will only write to the public Rekor transparency log when the Docker + # repository is public to avoid leaking data. If you would like to publish + # transparency data even for private images, pass --force to cosign below. # https://github.com/sigstore/cosign - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' && !github.event.repository.private }} + if: ${{ github.event_name != 'pull_request' }} env: COSIGN_EXPERIMENTAL: "true" # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance, and records it to the - # sigstore community Rekor transparency log. + # against the sigstore community Fulcio instance. run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }} From 73a17a51b52614ac5865c750577d62c43ce3aa14 Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Thu, 16 Dec 2021 10:55:17 +0000 Subject: [PATCH 082/110] deleting azure.yml --- deployments/azure.yml | 51 ------------------------------------------- 1 file changed, 51 deletions(-) delete mode 100644 deployments/azure.yml diff --git a/deployments/azure.yml b/deployments/azure.yml deleted file mode 100644 index 904ff25..0000000 --- a/deployments/azure.yml +++ /dev/null @@ -1,51 +0,0 @@ -# This workflow will build and push a node.js application to an Azure Web App when there is a push to the $default-branch branch. -# -# This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/azure/app-service/app-service-plan-manage#create-an-app-service-plan -# -# To configure this workflow: -# -# 1. For Linux apps, add an app setting called WEBSITE_WEBDEPLOY_USE_SCM and set it to true in your app **before downloading the file**. -# For more instructions see: https://docs.microsoft.com/azure/app-service/configure-common#configure-app-settings -# -# 2. Set up a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE with the value of your Azure publish profile. -# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret -# -# 3. Change the values for the AZURE_WEBAPP_NAME, AZURE_WEBAPP_PACKAGE_PATH and NODE_VERSION environment variables (below). -# -# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions -# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples -on: - push: - branches: - - $default-branch - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - NODE_VERSION: '10.x' # set this to the node version to use - -jobs: - build-and-deploy: - name: Build and Deploy - runs-on: ubuntu-latest - environment: production - steps: - - uses: actions/checkout@v2 - - name: Use Node.js ${{ env.NODE_VERSION }} - uses: actions/setup-node@v2 - with: - node-version: ${{ env.NODE_VERSION }} - - name: npm install, build, and test - run: | - # Build and test the project, then - # deploy to Azure Web App. - npm install - npm run build --if-present - npm run test --if-present - - name: 'Deploy to Azure WebApp' - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} From 615c63babc0be77daa72c0eca79dbb9b4a60d606 Mon Sep 17 00:00:00 2001 From: Andreas Dangel Date: Mon, 20 Dec 2021 11:44:55 +0100 Subject: [PATCH 083/110] Update pmd to v1.1.0 Use pmd/pmd-github-action@6d98898be0d59f46ec37dafcea33d8f8f55acfd1 which is v1.1.0 Use temurin as java distribution --- code-scanning/pmd.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 7920c88..ba895fe 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -22,11 +22,11 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' cache: maven - name: Run PMD id: pmd - uses: pmd/pmd-github-action@7ed79622882840855e297f090460face22328ece + uses: pmd/pmd-github-action@6d98898be0d59f46ec37dafcea33d8f8f55acfd1 with: rulesets: 'rulesets/java/quickstart.xml' sourcePath: 'src/main/java' From 0b45ddae0d6a1bb5d2524384ae316a929f3d0e96 Mon Sep 17 00:00:00 2001 From: DhavalPatelPersistent Date: Fri, 24 Dec 2021 15:55:11 +0530 Subject: [PATCH 084/110] Update / Add "uses","project","teams","scanners","params" attributes. --- code-scanning/checkmarx.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index ee97108..c0785da 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -29,14 +29,16 @@ jobs: - uses: actions/checkout@v2 # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs - name: Checkmarx CxFlow Action - uses: checkmarx-ts/checkmarx-cxflow-github-action@04e6403dbbfee0fd3fb076e5791202c31c54fe6b + uses: checkmarx-ts/checkmarx-cxflow-github-action@master with: - project: GithubActionTest - team: '\CxServer\SP\Checkmarx' + project: ${{ secrets.CHECKMARX_PROJECT }} + team: ${{ secrets.CHECKMARX_TEAMS }} checkmarx_url: ${{ secrets.CHECKMARX_URL }} checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} + scanners: sast + params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v1 From 97020d0adc1a32ef799bcafcffa18b2297ca4da3 Mon Sep 17 00:00:00 2001 From: DhavalPatelPersistent <93903969+DhavalPatelPersistent@users.noreply.github.com> Date: Thu, 30 Dec 2021 16:39:28 +0530 Subject: [PATCH 085/110] Update checkmarx.yml Point to SHA instead for master --- code-scanning/checkmarx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index c0785da..96b9897 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -29,7 +29,7 @@ jobs: - uses: actions/checkout@v2 # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs - name: Checkmarx CxFlow Action - uses: checkmarx-ts/checkmarx-cxflow-github-action@master + uses: checkmarx-ts/checkmarx-cxflow-github-action@9975af7d6b957abec9ee9646effa3fb3b82c5314 with: project: ${{ secrets.CHECKMARX_PROJECT }} team: ${{ secrets.CHECKMARX_TEAMS }} From 794e910e12b7f31ea222a4be4c11f8c7dd2bcf86 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 10 Dec 2021 17:49:59 +0000 Subject: [PATCH 086/110] add scorecards config --- .../properties/scorecards.properties.json | 10 +++ code-scanning/scorecards.yml | 74 +++++++++++++++++++ 2 files changed, 84 insertions(+) create mode 100644 code-scanning/properties/scorecards.properties.json create mode 100644 code-scanning/scorecards.yml diff --git a/code-scanning/properties/scorecards.properties.json b/code-scanning/properties/scorecards.properties.json new file mode 100644 index 0000000..54362eb --- /dev/null +++ b/code-scanning/properties/scorecards.properties.json @@ -0,0 +1,10 @@ +{ + "name": "OSSF Scorecards supply-chain security analysis", + "creator": "Open Source Security Foundation (OpenSSF) - https://github.com/ossf", + "description": "Scorecards is a static analysis tool to assess the security posture of your project", + "iconName": "scorecards", + "categories": [ + "code-quality", "testing", + "supply-chain", "security", "scanning" + ] +} diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml new file mode 100644 index 0000000..23dc0c1 --- /dev/null +++ b/code-scanning/scorecards.yml @@ -0,0 +1,74 @@ +name: Scorecards supply-chain security +on: + # Only the default branch is supported. + branch_protection_rule: + schedule: + # Weekly on Saturdays. + - cron: '30 1 * * 6' + push: + branches: [ $default-branch ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecards analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + + steps: + - name: "Checkout code" + uses: actions/checkout@v1 + + - name: "Run analysis" + # TODO: update with a hash once we have a release. + uses: ossf/scorecard-action@feat/rempol + with: + results_file: results.sarif + results_format: sarif + # For the token, + # 1. Create a PAT token at https://github.com/settings/tokens/new + # with the following read permissions: + # - Note: OSSF Scorecard read-only token + # - Expiration: No expiration + # - Scopes: + # * repo > public_repo + # * admin:org > read:org + # * admin:repo_hook > read:repo_hook + # * write:discussion > read:discussion + # + # Create and copy the token. + # + # 2. Create a new repository secret at https://github.com///settings/secrets/actions + # with the following settings: + # - Name: SCORECARD_TOKEN + # - Value: the value of the token created in step 1 above. + repo_token: ${{ secrets.SCORECARD_TOKEN }} + # The Scorecard team runs a weekly scan of public GitHub repositories in order to track + # the overall security health of the open source ecosystem. + # Setting `publish_results: true` replaces the results of the team's weelky scans, + # helping us scale by cutting down on repeated workflows and GitHub API requests. + # This option is needed to enable badges on the repo. + publish_results: true + + # Upload the results as artifacts. + # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts + # This is optional. + - name: "Upload artifact" + # Note: scorecard will flag this line if not pinned by hash. + uses: actions/upload-artifact@v2 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + # This is required to visualize the results on GitHub website. + - name: "Upload to code-scanning" + # Note: scorecard will flag this line if not pinned by hash. + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif From 0e50194de868de89ba9545e296fc254c13aaf4cc Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 10 Dec 2021 17:56:35 +0000 Subject: [PATCH 087/110] use hash --- code-scanning/scorecards.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 23dc0c1..709da7e 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -24,8 +24,7 @@ jobs: uses: actions/checkout@v1 - name: "Run analysis" - # TODO: update with a hash once we have a release. - uses: ossf/scorecard-action@feat/rempol + uses: ossf/scorecard-action@59f9117686133e93b60a8f23131f87089a076e1b with: results_file: results.sarif results_format: sarif From a00db4437c100515400041ae9ec3d00bc4e3f0b2 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 16 Dec 2021 18:25:53 +0000 Subject: [PATCH 088/110] comments --- code-scanning/properties/scorecards.properties.json | 5 +---- code-scanning/scorecards.yml | 3 +-- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/code-scanning/properties/scorecards.properties.json b/code-scanning/properties/scorecards.properties.json index 54362eb..d45274b 100644 --- a/code-scanning/properties/scorecards.properties.json +++ b/code-scanning/properties/scorecards.properties.json @@ -3,8 +3,5 @@ "creator": "Open Source Security Foundation (OpenSSF) - https://github.com/ossf", "description": "Scorecards is a static analysis tool to assess the security posture of your project", "iconName": "scorecards", - "categories": [ - "code-quality", "testing", - "supply-chain", "security", "scanning" - ] + "categories": ["Code Scanning"] } diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 709da7e..27ffc2f 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -3,8 +3,7 @@ on: # Only the default branch is supported. branch_protection_rule: schedule: - # Weekly on Saturdays. - - cron: '30 1 * * 6' + - cron: $cron-weekly push: branches: [ $default-branch ] From a894da71d16be3f3b970d067d20d12cc1f23042f Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 28 Dec 2021 17:49:56 +0000 Subject: [PATCH 089/110] pin actions --- code-scanning/scorecards.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 27ffc2f..88f47ee 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -20,7 +20,9 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@v1 + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + with: + persist-credentials: false - name: "Run analysis" uses: ossf/scorecard-action@59f9117686133e93b60a8f23131f87089a076e1b @@ -56,8 +58,7 @@ jobs: # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts # This is optional. - name: "Upload artifact" - # Note: scorecard will flag this line if not pinned by hash. - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 with: name: SARIF file path: results.sarif @@ -66,7 +67,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. # This is required to visualize the results on GitHub website. - name: "Upload to code-scanning" - # Note: scorecard will flag this line if not pinned by hash. - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26 with: sarif_file: results.sarif From 9e49744dc2534cee2fbb4986f45287bfce589fb6 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 28 Dec 2021 18:13:49 +0000 Subject: [PATCH 090/110] url --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 88f47ee..b04a28d 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -42,7 +42,7 @@ jobs: # # Create and copy the token. # - # 2. Create a new repository secret at https://github.com///settings/secrets/actions + # 2. Create a new repository secret at https://github.com///settings/secrets/actions/new # with the following settings: # - Name: SCORECARD_TOKEN # - Value: the value of the token created in step 1 above. From f38127b0623a68a7a5faee31773d3adbb8bd3cfb Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 29 Dec 2021 22:51:32 +0000 Subject: [PATCH 091/110] update text --- code-scanning/scorecards.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index b04a28d..c8f9993 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -48,10 +48,12 @@ jobs: # - Value: the value of the token created in step 1 above. repo_token: ${{ secrets.SCORECARD_TOKEN }} # The Scorecard team runs a weekly scan of public GitHub repositories in order to track - # the overall security health of the open source ecosystem. + # the overall security health of the open source ecosystem. The results are publicly + # available as described at https://github.com/ossf/scorecard#public-data. # Setting `publish_results: true` replaces the results of the team's weelky scans, # helping us scale by cutting down on repeated workflows and GitHub API requests. - # This option is needed to enable badges on the repo. + # This option is needed to enable badges on the repo. If you're installing the action + # on a private repo, set it to `publish_results: false` or do not set the value at all. publish_results: true # Upload the results as artifacts. From 48edda6acad5d9b718bedba3c63e8198f1f7c08f Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 29 Dec 2021 22:56:18 +0000 Subject: [PATCH 092/110] reduce text --- code-scanning/scorecards.yml | 24 +++--------------------- 1 file changed, 3 insertions(+), 21 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index c8f9993..a647577 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -29,23 +29,8 @@ jobs: with: results_file: results.sarif results_format: sarif - # For the token, - # 1. Create a PAT token at https://github.com/settings/tokens/new - # with the following read permissions: - # - Note: OSSF Scorecard read-only token - # - Expiration: No expiration - # - Scopes: - # * repo > public_repo - # * admin:org > read:org - # * admin:repo_hook > read:repo_hook - # * write:discussion > read:discussion - # - # Create and copy the token. - # - # 2. Create a new repository secret at https://github.com///settings/secrets/actions/new - # with the following settings: - # - Name: SCORECARD_TOKEN - # - Value: the value of the token created in step 1 above. + # Read-only PAT token. To create it, follow the steps + # in https://github.com/ossf/scorecard-action/main#pat-token-creation repo_token: ${{ secrets.SCORECARD_TOKEN }} # The Scorecard team runs a weekly scan of public GitHub repositories in order to track # the overall security health of the open source ecosystem. The results are publicly @@ -56,9 +41,7 @@ jobs: # on a private repo, set it to `publish_results: false` or do not set the value at all. publish_results: true - # Upload the results as artifacts. - # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts - # This is optional. + # Upload the results as artifacts (optional). - name: "Upload artifact" uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 with: @@ -67,7 +50,6 @@ jobs: retention-days: 5 # Upload the results to GitHub's code scanning dashboard. - # This is required to visualize the results on GitHub website. - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26 with: From 07be376c3a753560b12712d3e1c614031a2cf117 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 29 Dec 2021 23:02:46 +0000 Subject: [PATCH 093/110] updates --- code-scanning/scorecards.yml | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index a647577..b9efa21 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -29,16 +29,13 @@ jobs: with: results_file: results.sarif results_format: sarif - # Read-only PAT token. To create it, follow the steps - # in https://github.com/ossf/scorecard-action/main#pat-token-creation + # Read-only PAT token. To create it, + # follow the steps in https://github.com/ossf/scorecard-action/blob/main#pat-token-creation. repo_token: ${{ secrets.SCORECARD_TOKEN }} - # The Scorecard team runs a weekly scan of public GitHub repositories in order to track - # the overall security health of the open source ecosystem. The results are publicly - # available as described at https://github.com/ossf/scorecard#public-data. - # Setting `publish_results: true` replaces the results of the team's weelky scans, - # helping us scale by cutting down on repeated workflows and GitHub API requests. - # This option is needed to enable badges on the repo. If you're installing the action - # on a private repo, set it to `publish_results: false` or do not set the value at all. + # Publish the results to enable scorecard badges. For more details, see + # https://github.com/ossf/scorecard-action/blob/main#publishing-results. + # If you are installing the action on a private repo, set it to `publish_results: false` + # or do not set the value at all. publish_results: true # Upload the results as artifacts (optional). From 7c57e8a703516f380383aedcc599bac86c30b6e2 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 29 Dec 2021 23:07:26 +0000 Subject: [PATCH 094/110] updates --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index b9efa21..209dc37 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -35,7 +35,7 @@ jobs: # Publish the results to enable scorecard badges. For more details, see # https://github.com/ossf/scorecard-action/blob/main#publishing-results. # If you are installing the action on a private repo, set it to `publish_results: false` - # or do not set the value at all. + # or comment out the following line. publish_results: true # Upload the results as artifacts (optional). From 40772919fb6683dd374c85974123e699aff4872c Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 29 Dec 2021 23:11:08 +0000 Subject: [PATCH 095/110] updates --- code-scanning/scorecards.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 209dc37..dbfbecd 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -30,10 +30,10 @@ jobs: results_file: results.sarif results_format: sarif # Read-only PAT token. To create it, - # follow the steps in https://github.com/ossf/scorecard-action/blob/main#pat-token-creation. + # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation. repo_token: ${{ secrets.SCORECARD_TOKEN }} # Publish the results to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action/blob/main#publishing-results. + # https://github.com/ossf/scorecard-action#publishing-results. # If you are installing the action on a private repo, set it to `publish_results: false` # or comment out the following line. publish_results: true From b73f59a3e8a02531a5ca5623bab1ad5387d8072d Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 4 Jan 2022 18:08:50 +0000 Subject: [PATCH 096/110] add icon --- icons/scorecards.svg | 365 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 365 insertions(+) create mode 100644 icons/scorecards.svg diff --git a/icons/scorecards.svg b/icons/scorecards.svg new file mode 100644 index 0000000..9db608c --- /dev/null +++ b/icons/scorecards.svg @@ -0,0 +1,365 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From d0dba5262b9d520abb5b6a16c3c7631df3414a9d Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 4 Jan 2022 18:13:24 +0000 Subject: [PATCH 097/110] use v0.0.1 --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index dbfbecd..8b2346a 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -25,7 +25,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@59f9117686133e93b60a8f23131f87089a076e1b + uses: ossf/scorecard-action@175f59783fa96e44dd6fa96619ab7bdacab56b5c # v0.0.1 with: results_file: results.sarif results_format: sarif From 00e08539ca5ff25307997d8c845296376a1cd858 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 10 Jan 2022 23:19:46 +0000 Subject: [PATCH 098/110] prepare release --- code-scanning/scorecards.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 8b2346a..ba42ef0 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -17,6 +17,8 @@ jobs: permissions: # Needed to upload the results to code-scanning dashboard. security-events: write + actions: read + contents: read steps: - name: "Checkout code" @@ -34,8 +36,8 @@ jobs: repo_token: ${{ secrets.SCORECARD_TOKEN }} # Publish the results to enable scorecard badges. For more details, see # https://github.com/ossf/scorecard-action#publishing-results. - # If you are installing the action on a private repo, set it to `publish_results: false` - # or comment out the following line. + # Note: for private repositories, the value of `publish_results` set here + # is ignored and defaults to false. publish_results: true # Upload the results as artifacts (optional). From b0f310cefc1cd8acd28eb8680356f1b084414f09 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 10 Jan 2022 23:52:58 +0000 Subject: [PATCH 099/110] update token name --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index ba42ef0..6cbdaaf 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -33,7 +33,7 @@ jobs: results_format: sarif # Read-only PAT token. To create it, # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation. - repo_token: ${{ secrets.SCORECARD_TOKEN }} + repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} # Publish the results to enable scorecard badges. For more details, see # https://github.com/ossf/scorecard-action#publishing-results. # Note: for private repositories, the value of `publish_results` set here From aa643dfa0c1ddbdc15fe80baa4c7bf5a60eca2a6 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 13 Jan 2022 22:29:39 +0000 Subject: [PATCH 100/110] bump hash --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 6cbdaaf..a756c2b 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -27,7 +27,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@175f59783fa96e44dd6fa96619ab7bdacab56b5c # v0.0.1 + uses: ossf/scorecard-action@0fe1afdc40f536c78e3dc69147b91b3ecec2cc8a # v1.0.0 with: results_file: results.sarif results_format: sarif From 1b10c28ff42916ad2a9d5f9566d39656df9e6372 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 14 Jan 2022 03:00:11 +0000 Subject: [PATCH 101/110] rem tabs and update comment --- code-scanning/scorecards.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index a756c2b..cbd0e01 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -1,5 +1,5 @@ name: Scorecards supply-chain security -on: +on: # Only the default branch is supported. branch_protection_rule: schedule: @@ -19,7 +19,7 @@ jobs: security-events: write actions: read contents: read - + steps: - name: "Checkout code" uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 @@ -36,8 +36,8 @@ jobs: repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} # Publish the results to enable scorecard badges. For more details, see # https://github.com/ossf/scorecard-action#publishing-results. - # Note: for private repositories, the value of `publish_results` set here - # is ignored and defaults to false. + # For private repositories, `publish_results` will automatically be set to `false`, + # regardless of the value entered here. publish_results: true # Upload the results as artifacts (optional). @@ -47,7 +47,7 @@ jobs: name: SARIF file path: results.sarif retention-days: 5 - + # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26 From 588f02dade95e45435f1a970cde5258223b6f9ab Mon Sep 17 00:00:00 2001 From: Manuel Date: Sat, 15 Jan 2022 00:05:31 +0100 Subject: [PATCH 102/110] Switch java distribution from 'adopt' to 'temurin' (#1065) adopt is rebranded into temurin see https://blog.adoptopenjdk.net/2021/03/transition-to-eclipse-an-update/ --- ci/android.yml | 2 +- ci/ant.yml | 2 +- ci/gradle-publish.yml | 2 +- ci/gradle.yml | 2 +- ci/maven-publish.yml | 2 +- ci/maven.yml | 2 +- ci/scala.yml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ci/android.yml b/ci/android.yml index 3037b9f..f289bd5 100644 --- a/ci/android.yml +++ b/ci/android.yml @@ -17,7 +17,7 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' cache: gradle - name: Grant execute permission for gradlew diff --git a/ci/ant.yml b/ci/ant.yml index 655a94c..0205d40 100644 --- a/ci/ant.yml +++ b/ci/ant.yml @@ -20,6 +20,6 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' - name: Build with Ant run: ant -noinput -buildfile build.xml diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index f24c004..26bc0df 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -25,7 +25,7 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' server-id: github # Value of the distributionManagement/repository/id field of the pom.xml settings-path: ${{ github.workspace }} # location for the settings.xml file diff --git a/ci/gradle.yml b/ci/gradle.yml index b83458c..cc63e9a 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -24,7 +24,7 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' - name: Build with Gradle uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 with: diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml index 18dd937..319f9a1 100644 --- a/ci/maven-publish.yml +++ b/ci/maven-publish.yml @@ -21,7 +21,7 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' server-id: github # Value of the distributionManagement/repository/id field of the pom.xml settings-path: ${{ github.workspace }} # location for the settings.xml file diff --git a/ci/maven.yml b/ci/maven.yml index ac3b6de..f301fe0 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -20,7 +20,7 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' cache: maven - name: Build with Maven run: mvn -B package --file pom.xml diff --git a/ci/scala.yml b/ci/scala.yml index 4a3c112..af6b2ed 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -17,6 +17,6 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' - name: Run tests run: sbt test From b224dd844994cf72698787cfaa6e91d3b9bcef14 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 14 Jan 2022 21:38:04 +0000 Subject: [PATCH 103/110] update icon --- code-scanning/scorecards.yml | 2 +- icons/scorecards.svg | 366 +---------------------------------- 2 files changed, 2 insertions(+), 366 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index cbd0e01..2172aba 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -27,7 +27,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@0fe1afdc40f536c78e3dc69147b91b3ecec2cc8a # v1.0.0 + uses: ossf/scorecard-action@f5a7da46837397de5331ea22ce0099e2bfe265d0 # v1.0.1 with: results_file: results.sarif results_format: sarif diff --git a/icons/scorecards.svg b/icons/scorecards.svg index 9db608c..9433c91 100644 --- a/icons/scorecards.svg +++ b/icons/scorecards.svg @@ -1,365 +1 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + \ No newline at end of file From 94100d1d4a908d4b49a2c82511353ec7b670cc07 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 14 Jan 2022 21:44:30 +0000 Subject: [PATCH 104/110] bump --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 2172aba..dbae361 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -27,7 +27,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@f5a7da46837397de5331ea22ce0099e2bfe265d0 # v1.0.1 + uses: ossf/scorecard-action@e3e75cf2ffbf9364bbff86cdbdf52b23176fe492 # v1.0.1 with: results_file: results.sarif results_format: sarif From f31e3a9c9dda4c8027904038d1e7e1c54695dc7d Mon Sep 17 00:00:00 2001 From: Beth G Date: Sat, 15 Jan 2022 07:11:46 +0100 Subject: [PATCH 105/110] Add Datadog Synthetics GitHub action to starter workflows (#1342) --- ci/datadog-synthetics.yml | 38 +++++++++++++++++++ .../datadog-synthetics.properties.json | 6 +++ icons/datadog.svg | 4 ++ 3 files changed, 48 insertions(+) create mode 100644 ci/datadog-synthetics.yml create mode 100644 ci/properties/datadog-synthetics.properties.json create mode 100644 icons/datadog.svg diff --git a/ci/datadog-synthetics.yml b/ci/datadog-synthetics.yml new file mode 100644 index 0000000..7056f87 --- /dev/null +++ b/ci/datadog-synthetics.yml @@ -0,0 +1,38 @@ +# This workflow will trigger Datadog Synthetic tests within your Datadog organisation +# For more information on running Synthetic tests within your GitHub workflows see: https://docs.datadoghq.com/synthetics/cicd_integrations/github_actions/ + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# To get started: + +# 1. Add your Datadog API (DD_API_KEY) and Application Key (DD_APP_KEY) as secrets to your GitHub repository. For more information, see: https://docs.datadoghq.com/account_management/api-app-keys/. +# 2. Start using the action within your workflow + +name: Run Datadog Synthetic tests + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + # Run Synthetic tests within your GitHub workflow. + # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci + - name: Run Datadog Synthetic tests + uses: DataDog/synthetics-ci-github-action@2b56dc0cca9daa14ab69c0d1d6844296de8f941e + with: + api_key: ${{secrets.DD_API_KEY}} + app_key: ${{secrets.DD_APP_KEY}} + test_search_query: 'tag:e2e-tests' #Modify this tag to suit your tagging strategy + + diff --git a/ci/properties/datadog-synthetics.properties.json b/ci/properties/datadog-synthetics.properties.json new file mode 100644 index 0000000..5a4f74d --- /dev/null +++ b/ci/properties/datadog-synthetics.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Datadog Synthetics", + "description": "Run Datadog Synthetic tests within your GitHub Actions workflow", + "iconName": "datadog", + "categories": ["Continuous integration", "JavaScript", "TypeScript", "Testing"] +} diff --git a/icons/datadog.svg b/icons/datadog.svg new file mode 100644 index 0000000..91cb3b6 --- /dev/null +++ b/icons/datadog.svg @@ -0,0 +1,4 @@ + + + + From 11778e9eb06ef161f9f8fc44f9d82ca4b79675e3 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Mon, 17 Jan 2022 13:17:29 +0530 Subject: [PATCH 106/110] Add check for GITHUB_TOKEN permissions (#1354) --- .github/pull_request_template.md | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 6494e8d..752dd99 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -26,6 +26,7 @@ It is not: - [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests"). - [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build"). - [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification. +- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully. **For _CI_ workflows, the workflow:** From 5635bf05bcf0ed0db83494aca58ccaf979eed483 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Arko?= Date: Mon, 17 Jan 2022 12:34:33 -0800 Subject: [PATCH 107/110] Upgrade Rails workflow to true CI (#1353) * Upgrade Rails workflow to true CI The existing Rails CI example only runs linters, which is not continuous integration. This change brings the Rails example workflow up to par with the other web framework CI flows, like Django. This example is optimized for Rails 7, which does not include NodeJS, webpack, or yarn by default. No Rails application code changes are required for this flow to run the tests, and both minitest and rspec are supported via the `test` rake task. * add Rails icon * use env vars, hopefully * use the full hash for ruby/setup-ruby * remove PORT since services cannot use it * stop repeating identical step envs * resolve env var declaration error * update setup-ruby to the SHA of v1.92 * use setup-ruby SHA for lint job too Co-authored-by: Bishal Prasad --- .../rubyonrails-lint.properties.json | 6 -- ci/properties/rubyonrails.properties.json | 6 ++ ci/rubyonrails-lint.yml | 32 ---------- ci/rubyonrails.yml | 58 +++++++++++++++++++ icons/rails.svg | 1 + 5 files changed, 65 insertions(+), 38 deletions(-) delete mode 100644 ci/properties/rubyonrails-lint.properties.json create mode 100644 ci/properties/rubyonrails.properties.json delete mode 100644 ci/rubyonrails-lint.yml create mode 100644 ci/rubyonrails.yml create mode 100644 icons/rails.svg diff --git a/ci/properties/rubyonrails-lint.properties.json b/ci/properties/rubyonrails-lint.properties.json deleted file mode 100644 index e6e5f69..0000000 --- a/ci/properties/rubyonrails-lint.properties.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "name": "Rails - Install Dependencies and Run Linters", - "description": "Install dependencies and run linters on Rails application", - "iconName": "ruby", - "categories": ["Continuous integration", "Ruby", "Rails"] -} diff --git a/ci/properties/rubyonrails.properties.json b/ci/properties/rubyonrails.properties.json new file mode 100644 index 0000000..49b29a4 --- /dev/null +++ b/ci/properties/rubyonrails.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Ruby on Rails continuous integration", + "description": "Build, lint, and test a Rails application", + "iconName": "rails", + "categories": ["Continuous integration", "Ruby", "Rails"] +} diff --git a/ci/rubyonrails-lint.yml b/ci/rubyonrails-lint.yml deleted file mode 100644 index d95b70e..0000000 --- a/ci/rubyonrails-lint.yml +++ /dev/null @@ -1,32 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. -# This workflow will download a prebuilt Ruby version, install dependencies, and run linters -name: Rails - Install dependencies and run linters - -on: - push: - branches: [ $default-branch ] - pull_request: - branches: [ $default-branch ] -jobs: - run-lint: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v2 - - - name: Setup Ruby and install gems - uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e - with: - bundler-cache: true - # Add or Replace any other security checks here - - name: Run security checks - run: | - bin/bundler-audit --update - bin/brakeman -q -w2 - # Add or Replace any other Linters here - - name: Run linters - run: | - bin/rubocop --parallel \ No newline at end of file diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml new file mode 100644 index 0000000..b7b3624 --- /dev/null +++ b/ci/rubyonrails.yml @@ -0,0 +1,58 @@ +# This workflow uses actions that are not certified by GitHub. They are +# provided by a third-party and are governed by separate terms of service, +# privacy policy, and support documentation. +# +# This workflow will install a prebuilt Ruby version, install dependencies, and +# run tests and linters. +name: "Ruby on Rails CI" +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] +jobs: + test: + runs-on: ubuntu-latest + services: + postgres: + image: postgres:11-alpine + ports: + - "5432:5432" + env: + POSTGRES_DB: rails_test + POSTGRES_USER: rails + POSTGRES_PASSWORD: password + env: + RAILS_ENV: test + DATABASE_URL: "postgres://rails:password@localhost:5432/rails_test" + steps: + - name: Checkout code + uses: actions/checkout@v2 + # Add or replace dependency steps here + - name: Install Ruby and gems + uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92 + with: + bundler-cache: true + # Add or replace database setup steps here + - name: Set up database schema + run: bin/rails db:schema:load + # Add or replace test runners here + - name: Run tests + run: bin/rake + + lint: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v2 + - name: Install Ruby and gems + uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92 + with: + bundler-cache: true + # Add or replace any other lints here + - name: Security audit dependencies + run: bin/bundler-audit --update + - name: Security audit application code + run: bin/brakeman -q -w2 + - name: Lint Ruby files + run: bin/rubocop --parallel diff --git a/icons/rails.svg b/icons/rails.svg new file mode 100644 index 0000000..5e1f8f8 --- /dev/null +++ b/icons/rails.svg @@ -0,0 +1 @@ + From ba97234b6070487094b58c0bd01959c47d29c20d Mon Sep 17 00:00:00 2001 From: Jason Freeberg Date: Tue, 18 Jan 2022 14:07:26 -0800 Subject: [PATCH 108/110] Fix indentation error (#1356) --- deployments/azure-container-webapp.yml | 34 +++++++++++++------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml index 7c7bb2a..57fe362 100644 --- a/deployments/azure-container-webapp.yml +++ b/deployments/azure-container-webapp.yml @@ -62,21 +62,21 @@ jobs: tags: ghcr.io/${{ env.REPO }}:${{ github.sha }} file: ./Dockerfile - deploy: - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + deploy: + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - steps: - - name: Lowercase the repo name and username - run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} - - - name: Deploy to Azure Web App - id: deploy-to-webapp - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}' + steps: + - name: Lowercase the repo name and username + run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} + + - name: Deploy to Azure Web App + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}' From a96d2407b59e6e123df45d05c846d2ae3073d6aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9sar=20Rom=C3=A1n?= Date: Wed, 19 Jan 2022 15:41:20 -0800 Subject: [PATCH 109/110] fix(ci): pylint.yml (#1108) ref: #636. `pylint` command does not work I've had success running the modified command [here](https://github.com/thecesrom/incendium/blob/project/.github/workflows/pylint.yml). Co-authored-by: Josh Gross --- ci/pylint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/pylint.yml b/ci/pylint.yml index 10c49c6..7b555fe 100644 --- a/ci/pylint.yml +++ b/ci/pylint.yml @@ -20,4 +20,4 @@ jobs: pip install pylint - name: Analysing the code with pylint run: | - pylint `ls -R|grep .py$|xargs` + pylint $(git ls-files '*.py') From ffa80e095edd0b21cda81cc3836cf3b7c863c355 Mon Sep 17 00:00:00 2001 From: Andrew Wiltshire <62200778+AW1534@users.noreply.github.com> Date: Thu, 20 Jan 2022 03:30:56 +0000 Subject: [PATCH 110/110] fixed grammatical error in node.js.yml (#1358) --- ci/node.js.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/node.js.yml b/ci/node.js.yml index 89b24fe..8d1b9c7 100644 --- a/ci/node.js.yml +++ b/ci/node.js.yml @@ -1,4 +1,4 @@ -# This workflow will do a clean install of node dependencies, cache/restore them, build the source code and run tests across different versions of node +# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node # For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions name: Node.js CI