diff --git a/ci/cmake.yml b/ci/cmake.yml
index 1634140..6c858b9 100644
--- a/ci/cmake.yml
+++ b/ci/cmake.yml
@@ -12,9 +12,8 @@ env:
jobs:
build:
- # The CMake configure and build commands are platform agnostic and should work equally
- # well on Windows or Mac. You can convert this to a matrix build if you need
- # cross-platform coverage.
+ # The CMake configure and build commands are platform agnostic and should work equally well on Windows or Mac.
+ # You can convert this to a matrix build if you need cross-platform coverage.
# See: https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
runs-on: ubuntu-latest
diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml
index ab266ef..3b55fce 100644
--- a/ci/docker-publish.yml
+++ b/ci/docker-publish.yml
@@ -29,11 +29,24 @@ jobs:
permissions:
contents: read
packages: write
+ # This is used to complete the identity challenge
+ # with sigstore/fulcio when running outside of PRs.
+ id-token: write
steps:
- name: Checkout repository
uses: actions/checkout@v2
+ # Install the cosign tool except on PR
+ # https://github.com/sigstore/cosign-installer
+ - name: Install cosign
+ if: github.event_name != 'pull_request'
+ uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422
+
+ # Workaround: https://github.com/docker/build-push-action/issues/461
+ - name: Setup Docker buildx
+ uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
+
# Login against a Docker registry except on PR
# https://github.com/docker/login-action
- name: Log into registry ${{ env.REGISTRY }}
@@ -55,9 +68,26 @@ jobs:
# Build and push Docker image with Buildx (don't push on PR)
# https://github.com/docker/build-push-action
- name: Build and push Docker image
+ id: build-and-push
uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
+
+ # Sign the resulting Docker image digest except on PRs and private repos
+ # The keyless signing process records signatures on the Rekor public
+ # transparency log, so signing is disabled for private repos by default
+ # to avoid leaking private data. If you wish to sign things anyways,
+ # then this check can be removed and --force can be added to the cosign
+ # command below.
+ # https://github.com/sigstore/cosign
+ - name: Sign the published Docker image
+ if: ${{ github.event_name != 'pull_request' && !github.event.repository.private }}
+ env:
+ COSIGN_EXPERIMENTAL: "true"
+ # This step uses the identity token to provision an ephemeral certificate
+ # against the sigstore community Fulcio instance, and records it to the
+ # sigstore community Rekor transparency log.
+ run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml
index a74a1ce..f24c004 100644
--- a/ci/gradle-publish.yml
+++ b/ci/gradle-publish.yml
@@ -1,3 +1,7 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
# This workflow will build a package using Gradle and then publish it to GitHub packages when a release is created
# For more information see: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#Publishing-using-gradle
@@ -26,12 +30,16 @@ jobs:
settings-path: ${{ github.workspace }} # location for the settings.xml file
- name: Build with Gradle
- run: gradle build
+ uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021
+ with:
+ arguments: build
# The USERNAME and TOKEN need to correspond to the credentials environment variables used in
# the publishing section of your build.gradle
- name: Publish to GitHub Packages
- run: gradle publish
+ uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021
+ with:
+ arguments: publish
env:
USERNAME: ${{ github.actor }}
TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/ci/gradle.yml b/ci/gradle.yml
index 5ecabba..b83458c 100644
--- a/ci/gradle.yml
+++ b/ci/gradle.yml
@@ -1,3 +1,7 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
# This workflow will build a Java project with Gradle and cache/restore any dependencies to improve the workflow execution time
# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle
@@ -21,8 +25,7 @@ jobs:
with:
java-version: '11'
distribution: 'adopt'
- cache: gradle
- - name: Grant execute permission for gradlew
- run: chmod +x gradlew
- name: Build with Gradle
- run: ./gradlew build
+ uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021
+ with:
+ arguments: build
diff --git a/ci/npm-publish-github-packages.yml b/ci/npm-publish-github-packages.yml
new file mode 100644
index 0000000..09ff0b3
--- /dev/null
+++ b/ci/npm-publish-github-packages.yml
@@ -0,0 +1,36 @@
+# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
+# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages
+
+name: Node.js Package
+
+on:
+ release:
+ types: [created]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - uses: actions/setup-node@v2
+ with:
+ node-version: 16
+ - run: npm ci
+ - run: npm test
+
+ publish-gpr:
+ needs: build
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - uses: actions/checkout@v2
+ - uses: actions/setup-node@v2
+ with:
+ node-version: 16
+ registry-url: $registry-url(npm)
+ - run: npm ci
+ - run: npm publish
+ env:
+ NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml
index 025976d..ef8c690 100644
--- a/ci/npm-publish.yml
+++ b/ci/npm-publish.yml
@@ -14,7 +14,7 @@ jobs:
- uses: actions/checkout@v2
- uses: actions/setup-node@v2
with:
- node-version: 14
+ node-version: 16
- run: npm ci
- run: npm test
@@ -25,26 +25,9 @@ jobs:
- uses: actions/checkout@v2
- uses: actions/setup-node@v2
with:
- node-version: 14
+ node-version: 16
registry-url: https://registry.npmjs.org/
- run: npm ci
- run: npm publish
env:
NODE_AUTH_TOKEN: ${{secrets.npm_token}}
-
- publish-gpr:
- needs: build
- runs-on: ubuntu-latest
- permissions:
- contents: read
- packages: write
- steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-node@v2
- with:
- node-version: 14
- registry-url: $registry-url(npm)
- - run: npm ci
- - run: npm publish
- env:
- NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/ci/properties/npm-publish-github-packages.properties.json b/ci/properties/npm-publish-github-packages.properties.json
new file mode 100644
index 0000000..180b73a
--- /dev/null
+++ b/ci/properties/npm-publish-github-packages.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "Publish Node.js Package to GitHub Packages",
+ "description": "Publishes a Node.js package to GitHub Packages.",
+ "iconName": "node-package-transparent",
+ "categories": ["Continuous integration", "JavaScript", "npm"]
+}
diff --git a/ci/properties/npm-publish.properties.json b/ci/properties/npm-publish.properties.json
index 9371d7b..cc2c707 100644
--- a/ci/properties/npm-publish.properties.json
+++ b/ci/properties/npm-publish.properties.json
@@ -1,6 +1,6 @@
{
"name": "Publish Node.js Package",
- "description": "Publishes a Node.js package to npm and GitHub Packages.",
+ "description": "Publishes a Node.js package to npm.",
"iconName": "node-package-transparent",
"categories": ["Continuous integration", "JavaScript", "npm"]
}
diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml
new file mode 100644
index 0000000..3aa06ca
--- /dev/null
+++ b/code-scanning/apisec-scan.yml
@@ -0,0 +1,64 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# APIsec addresses the critical need to secure APIs before they reach production.
+# APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs.
+# Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities.
+
+# How to Get Started with APIsec.ai
+# 1. Schedule a demo at https://www.apisec.ai/request-a-demo .
+#
+# 2. Register your account at https://cloud.fxlabs.io/#/signup .
+#
+# 3. Register your API . See the video (https://www.youtube.com/watch?v=MK3Xo9Dbvac) to get up and running with APIsec quickly.
+#
+# 4. Get GitHub Actions scan attributes from APIsec Project -> Configurations -> Integrations -> CI-CD -> GitHub Actions
+#
+# apisec-run-scan
+#
+# This action triggers the on-demand scans for projects registered in APIsec.
+# If your GitHub account allows code scanning alerts, you can then upload the sarif file generated by this action to show the scan findings.
+# Else you can view the scan results from the project home page in APIsec Platform.
+# The link to view the scan results is also displayed on the console on successful completion of action.
+
+# This is a starter workflow to help you get started with APIsec-Scan Actions
+
+name: APIsec
+
+# Controls when the workflow will run
+on:
+ # Triggers the workflow on push or pull request events but only for the $default-branch branch
+ # Customize trigger events based on your DevSecOps processes.
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+
+jobs:
+ Trigger APIsec scan:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: APIsec scan
+ uses: apisec-inc/apisec-run-scan@f62d0c6fae8a80f97b091a323befdb56e6ad9993
+ with:
+ # The APIsec username with which the scans will be executed
+ apisec-username: ${{ secrets.apisec_username }}
+ # The Password of the APIsec user with which the scans will be executed
+ apisec-password: ${{ secrets.apisec_password}}
+ # The name of the project for security scan
+ apisec-project: "VAmPI"
+ # The name of the sarif format result file The file is written only if this property is provided.
+ sarif-result-file: "apisec-results.sarif"
+ - name: Import results
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: ./apisec-results.sarif
\ No newline at end of file
diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml
new file mode 100644
index 0000000..7920c88
--- /dev/null
+++ b/code-scanning/pmd.yml
@@ -0,0 +1,36 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: pmd
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ pmd-code-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Set up JDK 11
+ uses: actions/setup-java@v2
+ with:
+ java-version: '11'
+ distribution: 'adopt'
+ cache: maven
+ - name: Run PMD
+ id: pmd
+ uses: pmd/pmd-github-action@7ed79622882840855e297f090460face22328ece
+ with:
+ rulesets: 'rulesets/java/quickstart.xml'
+ sourcePath: 'src/main/java'
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: pmd-report.sarif
diff --git a/code-scanning/properties/apisec-scan.properties.json b/code-scanning/properties/apisec-scan.properties.json
new file mode 100644
index 0000000..9e7db58
--- /dev/null
+++ b/code-scanning/properties/apisec-scan.properties.json
@@ -0,0 +1,24 @@
+{
+ "name": "APIsec Scan",
+ "creator": "APIsec",
+ "description": "APIsec addresses the critical need to secure APIs before they reach production. APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs. Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities.",
+ "iconName": "apisec",
+ "categories": [
+ "Code Scanning",
+ "C",
+ "C#",
+ "C++",
+ "Go",
+ "Java",
+ "JavaScript",
+ "Kotlin",
+ "Objective C",
+ "PHP",
+ "Python",
+ "Ruby",
+ "Rust",
+ "Scala",
+ "Swift",
+ "TypeScript"
+ ]
+}
diff --git a/code-scanning/properties/pmd.properties.json b/code-scanning/properties/pmd.properties.json
new file mode 100644
index 0000000..8608022
--- /dev/null
+++ b/code-scanning/properties/pmd.properties.json
@@ -0,0 +1,19 @@
+{
+ "name": "pmd",
+ "creator": "pmd",
+ "description": "PMD is a static source code analyzer. It finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth. It supports Java, JavaScript, Salesforce.com Apex and Visualforce, Modelica, PLSQL, Apache Velocity, XML, XSL, Scala.",
+ "iconName": "pmd",
+ "categories": [
+ "Code Scanning",
+ "Java",
+ "JavaScript",
+ "Apex",
+ "Modelica",
+ "PLSQL",
+ "Apache Velocity",
+ "XML",
+ "XSl",
+ "Scala",
+ "Apex"
+ ]
+}
\ No newline at end of file
diff --git a/icons/apisec.svg b/icons/apisec.svg
new file mode 100644
index 0000000..8b2760b
--- /dev/null
+++ b/icons/apisec.svg
@@ -0,0 +1,9 @@
+
+
\ No newline at end of file
diff --git a/icons/pmd.svg b/icons/pmd.svg
new file mode 100644
index 0000000..61f1842
--- /dev/null
+++ b/icons/pmd.svg
@@ -0,0 +1,49 @@
+
+