diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 9b6c10f..0a98861 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -41,7 +41,7 @@ It is not: - [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/code-scanning). - [ ] Should include a matching `code-scanning/properties/*.properties.json` file (for example, [`code-scanning/properties/codeql.properties.json`](https://github.com/actions/starter-workflows/blob/main/code-scanning/properties/codeql.properties.json)), with properties set as follows: - [ ] `name`: Name of the Code Scanning integration. - - [ ] `organization`: Name of the organization producing the Code Scanning integration. + - [ ] `creator`: Name of the organization/user producing the Code Scanning integration. - [ ] `description`: Short description of the Code Scanning integration. - [ ] `categories`: Array of languages supported by the Code Scanning integration. - [ ] `iconName`: Name of the SVG logo representing the Code Scanning integration. This SVG logo must be present in [the `icons` directory](https://github.com/actions/starter-workflows/tree/main/icons). diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index c319ce1..002f30d 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/stale@v5 + - uses: actions/stale@v6 with: stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.' stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.' diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index c8b83c9..ddd0484 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -2,7 +2,7 @@ name: Sync workflows for GHES on: push: - branches: [ $default-branch ] + branches: [ main ] jobs: sync: diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index e88539d..11dd662 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -41,9 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@7e0881f8fe90b25e305bbf0309761e9314607e25 + uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 with: - cosign-release: 'v1.9.0' + cosign-release: 'v1.11.0' # Workaround: https://github.com/docker/build-push-action/issues/461 @@ -78,6 +78,9 @@ jobs: push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + # Sign the resulting Docker image digest except on PRs. # This will only write to the public Rekor transparency log when the Docker diff --git a/ci/jekyll.yml b/ci/jekyll-docker.yml similarity index 100% rename from ci/jekyll.yml rename to ci/jekyll-docker.yml diff --git a/ci/node.js.yml b/ci/node.js.yml index 87ef0d8..a89108d 100644 --- a/ci/node.js.yml +++ b/ci/node.js.yml @@ -16,7 +16,7 @@ jobs: strategy: matrix: - node-version: [12.x, 14.x, 16.x] + node-version: [14.x, 16.x, 18.x] # See supported Node.js release schedule at https://nodejs.org/en/about/releases/ steps: diff --git a/ci/npm-grunt.yml b/ci/npm-grunt.yml index eda97e1..e39ddbf 100644 --- a/ci/npm-grunt.yml +++ b/ci/npm-grunt.yml @@ -12,7 +12,7 @@ jobs: strategy: matrix: - node-version: [12.x, 14.x, 16.x] + node-version: [14.x, 16.x, 18.x] steps: - uses: actions/checkout@v3 diff --git a/ci/npm-gulp.yml b/ci/npm-gulp.yml index 504f22e..7606dea 100644 --- a/ci/npm-gulp.yml +++ b/ci/npm-gulp.yml @@ -12,7 +12,7 @@ jobs: strategy: matrix: - node-version: [12.x, 14.x, 16.x] + node-version: [14.x, 16.x, 18.x] steps: - uses: actions/checkout@v3 diff --git a/ci/properties/jekyll.properties.json b/ci/properties/jekyll-docker.properties.json similarity index 100% rename from ci/properties/jekyll.properties.json rename to ci/properties/jekyll-docker.properties.json diff --git a/ci/webpack.yml b/ci/webpack.yml index 6449fe7..0bc6406 100644 --- a/ci/webpack.yml +++ b/ci/webpack.yml @@ -12,7 +12,7 @@ jobs: strategy: matrix: - node-version: [12.x, 14.x, 16.x] + node-version: [14.x, 16.x, 18.x] steps: - uses: actions/checkout@v3 diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 5a9b751..a2dfbd2 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -49,6 +49,7 @@ jobs: Trigger APIsec scan: permissions: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index b04cabf..957343c 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Brakeman Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index e060654..9bdb136 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -29,6 +29,7 @@ jobs: issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index 3cfde14..4487e23 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml @@ -24,6 +24,7 @@ jobs: permissions: contents: read security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml index 2e4ab3c..76903a9 100644 --- a/code-scanning/clj-watson.yml +++ b/code-scanning/clj-watson.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index b74e449..7b705bd 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -30,6 +30,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Codacy Security Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index a113b59..00ffcdb 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -70,3 +70,5 @@ jobs: - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index 92707b1..a9f1053 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - name: Checkout repository diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml index 61ffd7a..4e4deb7 100644 --- a/code-scanning/contrast-scan.yml +++ b/code-scanning/contrast-scan.yml @@ -30,6 +30,7 @@ jobs: permissions: contents: read # for actions/checkout security-events: write # for github/codeql-action/upload-sarif + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest # check out project steps: diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml index 9067a7d..54b01c8 100644 --- a/code-scanning/eslint.yml +++ b/code-scanning/eslint.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v3 diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 6dd4b0e..0089f10 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -37,7 +37,7 @@ jobs: # node-version: "16.x" - - uses: jfrog/frogbot@34759934930c177bdefba6ca3a417589d4db6cab + - uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index ec19d61..bd1a9c2 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml @@ -42,7 +42,7 @@ jobs: # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request - - uses: jfrog/frogbot@34759934930c177bdefba6ca3a417589d4db6cab + - uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml index 2f554e4..3153652 100644 --- a/code-scanning/hadolint.yml +++ b/code-scanning/hadolint.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v3 diff --git a/code-scanning/lintr.yml b/code-scanning/lintr.yml index 74a3b21..350df19 100644 --- a/code-scanning/lintr.yml +++ b/code-scanning/lintr.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 6d2bfb8..1013749 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -21,6 +21,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 863fbcb..e8dac88 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -28,6 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Analyze runs-on: windows-latest diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index 8c359b8..d766a6f 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest name: njsscan code scanning steps: diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index cbef5a2..2bd91dd 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -27,6 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: windows-latest steps: diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml index 91f4b2d..d10ace1 100644 --- a/code-scanning/phpmd.yml +++ b/code-scanning/phpmd.yml @@ -34,6 +34,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index a1e32c4..8115116 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -21,6 +21,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index 1d72a9b..02e5de7 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -25,13 +25,14 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: PSScriptAnalyzer runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Run PSScriptAnalyzer - uses: microsoft/psscriptanalyzer-action@2044ae068e37d0161fa2127de04c19633882f061 + uses: microsoft/psscriptanalyzer-action@6b2948b1944407914a58661c49941824d149734f with: # Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options. # The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules. diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 6f2031b..1a12b86 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest name: Run Prisma Cloud IaC Scan to check steps: diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index ddb4627..8ee80b4 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -1,6 +1,7 @@ { "name": "CodeQL Analysis", "creator": "GitHub", + "enterprise": true, "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.", "iconName": "octicon mark-github", "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"] diff --git a/code-scanning/properties/eslint.properties.json b/code-scanning/properties/eslint.properties.json index a84646a..2a1271f 100644 --- a/code-scanning/properties/eslint.properties.json +++ b/code-scanning/properties/eslint.properties.json @@ -2,10 +2,11 @@ "name": "ESLint", "description": "A tool for identifying and reporting the problems found in ECMAScript/JavaScript code.", "iconName": "eslint", + "enterprise": false, "categories": [ "Code Scanning", "JavaScript", "EcmaScript", "TypeScript" ] -} \ No newline at end of file +} diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml index d41b65b..50b86db 100644 --- a/code-scanning/puppet-lint.yml +++ b/code-scanning/puppet-lint.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml index e9c426a..c5f10ee 100644 --- a/code-scanning/rust-clippy.yml +++ b/code-scanning/rust-clippy.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index e4f1d0f..31a4fa1 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -17,12 +17,12 @@ jobs: permissions: # Needed to upload the results to code-scanning dashboard. security-events: write - # Used to receive a badge. (Upcoming feature) + # Used to receive a badge. id-token: write # Needs for private repositories. contents: read actions: read - + steps: - name: "Checkout code" uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0 @@ -30,7 +30,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # tag=v1.1.1 + uses: ossf/scorecard-action@865b4092859256271290c77adbd10a43f4779972 # tag=v2.0.3 with: results_file: results.sarif results_format: sarif @@ -41,8 +41,8 @@ jobs: # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} # Publish the results for public repositories to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories, `publish_results` will automatically be set to `false`, regardless + # https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories, `publish_results` will automatically be set to `false`, regardless # of the value entered here. publish_results: true @@ -54,7 +54,7 @@ jobs: name: SARIF file path: results.sarif retention-days: 5 - + # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26 diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index fae9885..b10a930 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -27,6 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index 0fbbf87..a232c53 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml @@ -30,6 +30,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index a685323..3ca1035 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml index 21cb6e7..7d38c77 100644 --- a/code-scanning/sobelow.yml +++ b/code-scanning/sobelow.yml @@ -28,6 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index cf3b1b7..9b58e90 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -3,13 +3,18 @@ # separate terms of service, privacy policy, and support # documentation. # -# SOOS is the easy-to-integrate software security solution for your whole team, learn more at https://soos.io/ +# SOOS is the easy-to-integrate and affordable software security solution for your whole team. +# Learn more at https://soos.io/ # -# To use this action you need to fill the following requirements: +# To use this action, perform the following steps: # -# 1. Create an account on https://app.soos.io to obtain a Client ID and API Key (Free 30 days trials for both our SCA/DAST product). +# 1. Create an account on https://app.soos.io. SOOS offers a free 30 day trial for our SCA and DAST products. # -# 2. Set up your API KEY/Client ID as Github Secrets named SOOS_CLIENT_ID & SOOS_API_KEY. (Also set SOOS_GITHUB_PAT with your Github Personal Access Token if you're going to use sarif upload) +# 2. Navigate to the "Integrate" page in the SOOS app (https://app.soos.io/integrate). Note the "API Credentials" section of this page; the keys you will need for the next step are here. +# +# 3. Set up your SOOS API Key and SOOS Client Id as Github Secrets named SOOS_API_KEY and SOOS_CLIENT_ID. +# +# 4. (Optional) If you'd like to upload SARIF results of DAST scans to GitHub, set SOOS_GITHUB_PAT with your Github Personal Access Token. # name: "SOOS DAST Scan" diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index f075a80..f9b61b9 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -24,6 +24,7 @@ jobs: checks: write # for sysdiglabs/scan-action to publish the checks contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index 63be947..f56d9e5 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -22,6 +22,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Build runs-on: "ubuntu-18.04" steps: diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index b8a5b37..89d35df 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -27,6 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 3462eaa..5724a97 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -51,6 +51,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 608e73d..a320d36 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -61,7 +61,7 @@ async function checkWorkflows( const enabled = !isPartnerWorkflow && - workflowProperties.enterprise !== false && + (workflowProperties.enterprise === true || folder !== 'code-scanning') && (await checkWorkflow(workflowFilePath, enabledActions)); const workflowDesc: WorkflowDesc = { diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index 9648ab4..41d6bcd 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -2,20 +2,27 @@ "folders": [ "../../ci", "../../automation", - "../../code-scanning" + "../../code-scanning", + "../../pages" ], "enabledActions": [ + "actions/cache", "actions/checkout", + "actions/configure-pages", "actions/create-release", "actions/delete-package-versions", + "actions/deploy-pages", "actions/download-artifact", + "actions/jekyll-build-pages", "actions/setup-dotnet", "actions/setup-go", "actions/setup-java", "actions/setup-node", + "actions/setup-python", "actions/stale", "actions/starter-workflows", "actions/upload-artifact", + "actions/upload-pages-artifact", "actions/upload-release-asset", "github/codeql-action" ],