From 71b1a7c99f8b54d104b465e0dd9dc74e34a223bf Mon Sep 17 00:00:00 2001 From: ShootingStarDragons Date: Sat, 13 Aug 2022 22:16:20 +0800 Subject: [PATCH 01/42] feat(mdbook): add mdbook support Log: add mdbook support --- icons/mdbook.svg | 22 +++++++++ pages/mdbook.yml | 62 +++++++++++++++++++++++++ pages/properties/mdbook.properties.json | 6 +++ 3 files changed, 90 insertions(+) create mode 100644 icons/mdbook.svg create mode 100644 pages/mdbook.yml create mode 100644 pages/properties/mdbook.properties.json diff --git a/icons/mdbook.svg b/icons/mdbook.svg new file mode 100644 index 0000000..90e0ea5 --- /dev/null +++ b/icons/mdbook.svg @@ -0,0 +1,22 @@ + + + + + diff --git a/pages/mdbook.yml b/pages/mdbook.yml new file mode 100644 index 0000000..57f3636 --- /dev/null +++ b/pages/mdbook.yml @@ -0,0 +1,62 @@ +# Sample workflow for building and deploying a mdbook site to GitHub Pages +# +# To get started with mdbook see: https://rust-lang.github.io/mdBook/index.html +# +name: Deploy mdbook site to Pages + +on: + # Runs on pushes targeting the default branch + push: + branches: [$default-branch] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages +permissions: + contents: read + pages: write + id-token: write + +# Allow one concurrent deployment +concurrency: + group: "pages" + cancel-in-progress: true +jobs: + # This workflow contains a single job called "build" + build: + env: + MDBOOK_VERSION : 0.4.21 + # The type of runner that the job will run on + runs-on: ubuntu-latest + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it + - uses: actions/checkout@v3 + + # Runs a single command using the runners shell + - name: install mdbook + run: | + curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf -y | sh + rustup update + cargo install --version ${MDBOOK_VERSION} mdbook + - name: Setup Pages + id: pages + uses: actions/configure-pages@v1 + - name: Build with mdbook + run: mdbook build + - name: Upload artifact + uses: actions/upload-pages-artifact@v1 + with: + path: ./book + deploy: + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + runs-on: ubuntu-latest + needs: build + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v1 diff --git a/pages/properties/mdbook.properties.json b/pages/properties/mdbook.properties.json new file mode 100644 index 0000000..8617e7f --- /dev/null +++ b/pages/properties/mdbook.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Mdbook", + "description": "Package a Mdbook site.", + "iconName": "mdbook", + "categories": ["Pages", "Mdbook"] +} From a248253343fd89ef758e1f6044b935515e932f71 Mon Sep 17 00:00:00 2001 From: vitorveiga Date: Tue, 31 Jan 2023 10:55:13 +0000 Subject: [PATCH 02/42] Add Jscrambler Code Integrity starter workflow (#1893) * Add Jscrambler Code Integrity starter workflow * Use hash commit * fix: missing permissions and improve description * chore: move to code scanning category * chore: workflow checks review --- code-scanning/jscrambler-code-integrity.yml | 47 +++++++++++++++++++ .../jscrambler-code-integrity.properties.json | 7 +++ icons/jscrambler.svg | 1 + 3 files changed, 55 insertions(+) create mode 100644 code-scanning/jscrambler-code-integrity.yml create mode 100644 code-scanning/properties/jscrambler-code-integrity.properties.json create mode 100644 icons/jscrambler.svg diff --git a/code-scanning/jscrambler-code-integrity.yml b/code-scanning/jscrambler-code-integrity.yml new file mode 100644 index 0000000..cbc9345 --- /dev/null +++ b/code-scanning/jscrambler-code-integrity.yml @@ -0,0 +1,47 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This is a basic workflow to help you get started with Using Jscrambler Code Integrity Action. +# It automates the protection of your JavaScript Applications, so you can run it whenever a new version of your application is built. +# A Jscrambler account is required to use this Workflow. +# +# More info can be found here : https://docs.jscrambler.com/latest/code-integrity/documentation/github-ci-integration + +name: Jscrambler Code Integrity + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 + with: + node-version: 18 + - run: npm ci + - run: npm run build + - name: Jscrambler Code Integrity + id: jscrambler + # the complete list of inputs can be found here: https://github.com/marketplace/actions/jscrambler#inputs + uses: jscrambler/code-integrity-actions/protect@ab65962a2ecffcc362b75a997e24a181d0bde5fb + with: + application-id: ${{ secrets.JSCRAMBLER_APPLICATION_ID }} # This value should be created within your Jscrambler account + secret-key: ${{ secrets.JSCRAMBLER_SECRET_KEY }} # This value can be found in your Jscrambler account + access-key: ${{ secrets.JSCRAMBLER_ACCESS_KEY }} # This value can be found in your Jscrambler account + jscrambler-config-path: jscrambler.json # Download from your Jscrambler account + files-src: | # List of Files to be protected + dist/**/* + files-dest: . diff --git a/code-scanning/properties/jscrambler-code-integrity.properties.json b/code-scanning/properties/jscrambler-code-integrity.properties.json new file mode 100644 index 0000000..f231d5c --- /dev/null +++ b/code-scanning/properties/jscrambler-code-integrity.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Jscrambler Code Integrity", + "description": "Protect your JavaScript Application with polymorphic obfuscation, code locks, and self-defensive techniques", + "creator": "Jscrambler", + "iconName": "jscrambler", + "categories": ["Code Scanning", "JavaScript", "HTML"] +} diff --git a/icons/jscrambler.svg b/icons/jscrambler.svg new file mode 100644 index 0000000..17f79b7 --- /dev/null +++ b/icons/jscrambler.svg @@ -0,0 +1 @@ + \ No newline at end of file From ea28b603a3a237371a836a7d6124d4f868f78e3a Mon Sep 17 00:00:00 2001 From: Dylan Smith Date: Tue, 31 Jan 2023 11:56:30 +0000 Subject: [PATCH 03/42] Use updated Azure logo (#1922) --- icons/azure.svg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/icons/azure.svg b/icons/azure.svg index 2ff63c1..3b89df5 100644 --- a/icons/azure.svg +++ b/icons/azure.svg @@ -1 +1 @@ - \ No newline at end of file + From c26da3749c8d37900fd0ac34b90056670424a926 Mon Sep 17 00:00:00 2001 From: ElizabethBarrord Date: Thu, 2 Feb 2023 17:31:49 +0000 Subject: [PATCH 04/42] adding credo workflow --- code-scanning/credo.yml | 60 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 code-scanning/credo.yml diff --git a/code-scanning/credo.yml b/code-scanning/credo.yml new file mode 100644 index 0000000..f69159b --- /dev/null +++ b/code-scanning/credo.yml @@ -0,0 +1,60 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + + +# Credo is a static code analysis tool for the Elixir language with a focus on teaching and code consistency. +# https://github.com/rrrene/credo +# +# To use this workflow, you must have GitHub Advanced Security (GHAS) enabled for your repository. +# +# Instructions: +# 1. Add :credo as a dependency to your project's mix.exs with version ~> 1.7.0-rc.1 - https://github.com/rrrene/credo#installation-and-usage +# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository +# and review the "Security" tab once the action has run. + +name: Credo + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + otp: [version] + elixir: [version] + steps: + - uses: actions/checkout@v3 + - uses: erlef/setup-beam@v1 + with: + otp-version: ${{matrix.otp}} + elixir-version: ${{matrix.elixir}} + - name: get dependencies + run: mix deps.get + - name: compile dependencies + run: mix deps.compile + - name: compile + run: mix compile + - name: credo-scan + run: mix credo --format=sarif > credo_output.sarif + - name: upload sarif + uses: github/codeql-action/upload-sarif@v2 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: credo_output.sarif From dd99cc07334b542d7991237f376d3791b470c643 Mon Sep 17 00:00:00 2001 From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com> Date: Wed, 8 Feb 2023 14:19:57 +0200 Subject: [PATCH 05/42] Frogbot update (#1925) * Update Frogbot starter workflows * Update * Update Frogbot starter-workflows commit hash --- code-scanning/frogbot-scan-and-fix.yml | 39 ++++++++---------- code-scanning/frogbot-scan-pr.yml | 55 +++++++++----------------- 2 files changed, 35 insertions(+), 59 deletions(-) diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 12414a1..96dcfb5 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -7,6 +7,9 @@ # Uses JFrog Xray to scan the project. # Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot +# Frogbot uses a frogbot-config.yml file to run. The following article will guide you through the process of creating this file: +# https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md + name: "Frogbot Scan and Fix" on: push: @@ -21,36 +24,28 @@ jobs: steps: - uses: actions/checkout@v3 - # Install prerequisites - uncomment the relevant one + # IMPORTANT: + # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix + # 2. Frogbot requires a frogbot-config.yml to run. Read more about in the following link - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md - # - uses: actions/setup-go@v3 - # with: - # go-version: 1.17.x - - # - uses: actions/setup-java@v3 - # with: - # java-version: "11" - # distribution: "temurin" - - # - uses: actions/setup-node@v3 - # with: - # node-version: "16.x" - - - - uses: jfrog/frogbot@b92e53d9631139a697cb71d9e70229a70ca56694 + - uses: jfrog/frogbot@8daba7e9515dbc898012367c71c1018449cd7716 env: # [Mandatory] - # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) - JF_URL: ${{ secrets.FROGBOT_URL }} + # JFrog platform URL + JF_URL: ${{ secrets.JF_URL }} # [Mandatory if JF_USER and JF_PASSWORD are not provided] # JFrog access token with 'read' permissions on Xray service - JF_ACCESS_TOKEN: ${{ secrets.FROGBOT_ACCESS_TOKEN }} + JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} # [Mandatory] # The GitHub token automatically generated for the job JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # [Mandatory if using npm] - # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "npm i" + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD + # JF_USER: ${{ secrets.JF_USER }} + + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog password. Must be provided with JF_USER + # JF_PASSWORD: ${{ secrets.JF_PASSWORD }} \ No newline at end of file diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index 74ee41e..fe7d125 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml @@ -7,6 +7,9 @@ # Uses JFrog Xray to scan the project. # Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot +# Frogbot uses a frogbot-config.yml file to run. The following article will guide you through the process of creating this file: +# https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md + name: "Frogbot Scan Pull Request" on: pull_request_target: @@ -19,57 +22,35 @@ jobs: runs-on: ubuntu-latest # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the # "frogbot" GitHub environment can approve the pull request to be scanned. + # Read more here (Install Frogbot Using GitHub Actions): https://github.com/jfrog/frogbot/blob/master/docs/install-github.md environment: frogbot steps: - uses: actions/checkout@v2 with: ref: ${{ github.event.pull_request.head.sha }} - # Install prerequisites - uncomment the relevant ones + # IMPORTANT: + # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix + # 2. Frogbot requires a frogbot-config.yml to run. Read more about in the following link - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md - # - uses: actions/setup-go@v3 - # with: - # go-version: 1.17.x - - # - uses: actions/setup-java@v3 - # with: - # java-version: "11" - # distribution: "temurin" - - # - uses: actions/setup-node@v3 - # with: - # node-version: "16.x" - - # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request - - - uses: jfrog/frogbot@b92e53d9631139a697cb71d9e70229a70ca56694 + - uses: jfrog/frogbot@8daba7e9515dbc898012367c71c1018449cd7716 env: # [Mandatory] - # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) + # JFrog platform URL JF_URL: ${{ secrets.JF_URL }} - # [Mandatory if JF_ACCESS_TOKEN is not provided] - # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD - JF_USER: ${{ secrets.JF_USER }} - - # [Mandatory if JF_ACCESS_TOKEN is not provided] - # JFrog password. Must be provided with JF_USER - JF_PASSWORD: ${{ secrets.JF_PASSWORD }} + # [Mandatory if JF_USER and JF_PASSWORD are not provided] + # JFrog access token with 'read' permissions on Xray service + JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} # [Mandatory] # The GitHub token automatically generated for the job JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # [Mandatory if JF_USER and JF_PASSWORD are not provided] - # JFrog access token with 'read' permissions on Xray service - # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD + # JF_USER: ${{ secrets.JF_USER }} - # [Mandatory when using npm] - # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "npm i" - - # [Mandatory when using .NET] - # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "dotnet restore" - - # The full template list with full optional environment variables can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog password. Must be provided with JF_USER + # JF_PASSWORD: ${{ secrets.JF_PASSWORD }} \ No newline at end of file From 5343fe6869403f9be2246dee0c94c3b6dafcc7c4 Mon Sep 17 00:00:00 2001 From: Milos Pantic <101411245+panticmilos@users.noreply.github.com> Date: Fri, 10 Feb 2023 09:04:29 +0100 Subject: [PATCH 06/42] Change event to pull_request_target (#1930) Co-authored-by: Sampark Sharma --- automation/label.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/automation/label.yml b/automation/label.yml index a8a1bd7..4613569 100644 --- a/automation/label.yml +++ b/automation/label.yml @@ -6,7 +6,7 @@ # https://github.com/actions/labeler name: Labeler -on: [pull_request] +on: [pull_request_target] jobs: label: From d31bcb967ace062e1663d3e227bb04bcb83e33f6 Mon Sep 17 00:00:00 2001 From: Ouvill Date: Fri, 10 Feb 2023 17:05:33 +0900 Subject: [PATCH 07/42] fix update cosign version on docker-publish.yml (#1917) upgrade cosign version https://github.com/sigstore/cosign/releases/tag/v1.13.1 The current version is out of date and the following error occurs ``` getting signer: getting key from Fulcio: verifying SCT: updating local metadata and targets: error updating to TUF remote mirror: tuf: invalid key ``` Co-authored-by: Sampark Sharma --- ci/docker-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 11dd662..d57b2f1 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -43,7 +43,7 @@ jobs: if: github.event_name != 'pull_request' uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 with: - cosign-release: 'v1.11.0' + cosign-release: 'v1.13.1' # Workaround: https://github.com/docker/build-push-action/issues/461 From 62569bfea96e8c89515a814c93df67a973323738 Mon Sep 17 00:00:00 2001 From: "Tajinder Singh (TJ)" Date: Wed, 15 Feb 2023 13:27:26 +0100 Subject: [PATCH 08/42] Add defender for devops workflow (#1940) * Created new workflow for defender for devops * Create defender-for-devops.properties.json * fixed pr comments * fixed linting issues * fixed linting issues * removed trailing white space * changed from preview to v1.6.0 --- code-scanning/defender-for-devops.yml | 43 +++++++++++++++++++ .../defender-for-devops.properties.json | 7 +++ 2 files changed, 50 insertions(+) create mode 100644 code-scanning/defender-for-devops.yml create mode 100644 code-scanning/properties/defender-for-devops.properties.json diff --git a/code-scanning/defender-for-devops.yml b/code-scanning/defender-for-devops.yml new file mode 100644 index 0000000..c521f36 --- /dev/null +++ b/code-scanning/defender-for-devops.yml @@ -0,0 +1,43 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Microsoft Security DevOps (MSDO) is a command line application which integrates static analysis tools into the development cycle. +# MSDO installs, configures and runs the latest versions of static analysis tools +# (including, but not limited to, SDL/security and compliance tools). +# +# The Microsoft Security DevOps action is currently in beta and runs on the windows-latest queue, +# as well as Windows self hosted agents. ubuntu-latest support coming soon. +# +# For more information about the action , check out https://github.com/microsoft/security-devops-action + +name: "Microsoft Defender For Devops" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + MSDO: + # currently only windows latest is supported + runs-on: windows-latest + + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-dotnet@v3 + with: + dotnet-version: | + 5.0.x + 6.0.x + - name: Run Microsoft Security DevOps + uses: microsoft/security-devops-action@v1.6.0 + id: msdo + - name: Upload results to Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ${{ steps.msdo.outputs.sarifFile }} diff --git a/code-scanning/properties/defender-for-devops.properties.json b/code-scanning/properties/defender-for-devops.properties.json new file mode 100644 index 0000000..23b01d3 --- /dev/null +++ b/code-scanning/properties/defender-for-devops.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Microsoft Defender For DevOps Scan", + "creator": "Microsoft", + "description": "Defender for devops helps integrate multiple tools with GitHub Advanced Security and sends the results to Defender for cloud dashbord.", + "iconName": "microsoft", + "categories": ["Code Scanning", "IaC","Docker Images", "Defender For DevOps", "EsLint", "Bandit", "Trivy", "BinSkim", "TemplateAnalyzer"] +} From 10f6091ee89f01509479e792e3f982ea3d615fdb Mon Sep 17 00:00:00 2001 From: Chris Carini <6374067+ChrisCarini@users.noreply.github.com> Date: Wed, 15 Feb 2023 22:09:52 -0800 Subject: [PATCH 09/42] Update scorecard.yml with latest releases (#1944) Update scorecard.yml with latest releases for ossf/scorecard-action & github/codeql-action/upload-sarif --- code-scanning/scorecard.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index 69cf948..19b9b00 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml @@ -37,7 +37,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6 + uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 with: results_file: results.sarif results_format: sarif @@ -67,6 +67,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100 # v2.1.27 + uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 with: sarif_file: results.sarif From 1d039e1607c98d9b9a705102315b43896ad10633 Mon Sep 17 00:00:00 2001 From: "Tajinder Singh (TJ)" Date: Tue, 21 Feb 2023 13:50:42 +0100 Subject: [PATCH 10/42] fixed typo (#1942) * fixed typo * Update defender-for-devops.yml * update to valid categories * fixed request changes --- code-scanning/defender-for-devops.yml | 4 ++++ code-scanning/properties/defender-for-devops.properties.json | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/code-scanning/defender-for-devops.yml b/code-scanning/defender-for-devops.yml index c521f36..71971cd 100644 --- a/code-scanning/defender-for-devops.yml +++ b/code-scanning/defender-for-devops.yml @@ -11,6 +11,10 @@ # as well as Windows self hosted agents. ubuntu-latest support coming soon. # # For more information about the action , check out https://github.com/microsoft/security-devops-action +# +# Please note this workflow do not integrate your GitHub Org with Microsoft Defender For DevOps. You have to create an integration +# and provide permission before this can report data back to azure. +# Read the official documentation here : https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-github name: "Microsoft Defender For Devops" diff --git a/code-scanning/properties/defender-for-devops.properties.json b/code-scanning/properties/defender-for-devops.properties.json index 23b01d3..495fa26 100644 --- a/code-scanning/properties/defender-for-devops.properties.json +++ b/code-scanning/properties/defender-for-devops.properties.json @@ -1,7 +1,7 @@ { "name": "Microsoft Defender For DevOps Scan", "creator": "Microsoft", - "description": "Defender for devops helps integrate multiple tools with GitHub Advanced Security and sends the results to Defender for cloud dashbord.", + "description": "Defender for DevOps helps integrate multiple tools with GitHub Advanced Security and sends the results to Defender for Cloud dashboard.", "iconName": "microsoft", - "categories": ["Code Scanning", "IaC","Docker Images", "Defender For DevOps", "EsLint", "Bandit", "Trivy", "BinSkim", "TemplateAnalyzer"] + "categories": ["Code Scanning", "HCL","Dockerfile", "Python", "JavaScript", "EcmaScript", "TypeScript"] } From 77bc6e809fc1431ae3f609be5f4c35b63a5964d0 Mon Sep 17 00:00:00 2001 From: ElizabethBarrord Date: Wed, 22 Feb 2023 15:39:47 +0000 Subject: [PATCH 11/42] add credo properties --- code-scanning/properties/credo.properties.json | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 code-scanning/properties/credo.properties.json diff --git a/code-scanning/properties/credo.properties.json b/code-scanning/properties/credo.properties.json new file mode 100644 index 0000000..3a86a10 --- /dev/null +++ b/code-scanning/properties/credo.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Credo Scan", + "creator": "Credo", + "description": "Credo is a static code analysis tool for the Elixir language with a focus on teaching and code consistency.", + "categories": ["Code Scanning", "Elixir"] +} \ No newline at end of file From 44ca9a5fd13509852c27c825be45925da1e2c6b5 Mon Sep 17 00:00:00 2001 From: jongwooo Date: Tue, 28 Feb 2023 00:18:12 +0900 Subject: [PATCH 12/42] Replace deprecated command with environment file --- code-scanning/detekt.yml | 2 +- deployments/azure-webapps-php.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index a13a517..15aeb45 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml @@ -77,7 +77,7 @@ jobs: fi DETEKT_DOWNLOAD_URL=$(jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' gh_response.json) - echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL" + echo "download_url=$DETEKT_DOWNLOAD_URL" >> $GITHUB_OUTPUT # Sets up the detekt cli - name: Setup Detekt diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 4d08dbd..b3aee8d 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -54,7 +54,7 @@ jobs: id: composer-cache if: steps.check_files.outputs.files_exists == 'true' run: | - echo "::set-output name=dir::$(composer config cache-files-dir)" + echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT - name: Set up dependency caching for faster installs uses: actions/cache@v3 From da484b4eb58a75ee389d1483a295b33c9774ea0f Mon Sep 17 00:00:00 2001 From: syed-imran <100760767+SyedsImran@users.noreply.github.com> Date: Sat, 4 Mar 2023 18:12:33 +0530 Subject: [PATCH 13/42] Update apisec-scan.yml (#1898) Co-authored-by: Sampark Sharma --- code-scanning/apisec-scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index ec8b8bb..34defa9 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -10,7 +10,7 @@ # How to Get Started with APIsec.ai # 1. Schedule a demo at https://www.apisec.ai/request-a-demo . # -# 2. Register your account at https://cloud.fxlabs.io/#/signup . +# 2. Register your account at https://cloud.apisec.ai/#/signup . # # 3. Register your API . See the video (https://www.youtube.com/watch?v=MK3Xo9Dbvac) to get up and running with APIsec quickly. # @@ -55,7 +55,7 @@ jobs: steps: - name: APIsec scan - uses: apisec-inc/apisec-run-scan@f748a240d69ca6cd7e9532fd0a47bec4ccd6a73c + uses: apisec-inc/apisec-run-scan@025432089674a28ba8fb55f8ab06c10215e772ea with: # The APIsec username with which the scans will be executed apisec-username: ${{ secrets.apisec_username }} From 02af783829f3f5b38e36ff3145c01c38ca02ede3 Mon Sep 17 00:00:00 2001 From: Eric Fernandez <90832420+EricFernandezSnyk@users.noreply.github.com> Date: Tue, 7 Mar 2023 10:52:52 +0000 Subject: [PATCH 14/42] Addition of snyk-security workflow to enable the Snyk platform from a single GitHub Action (#1939) * Create snyk-security.properties.json * Create snyk-security.yml * Update snyk-security.yml * Fix mispelling Co-authored-by: Sampark Sharma * Apply comments from PR - Moved documentation link to the top - Made `|| true` optional - Added commit SHA for the Snyk GitHub Action * Remove empty space Co-authored-by: Sampark Sharma * Remove empty space in line end Co-authored-by: Sampark Sharma * Update Categories * Updated after running pre-commit linting --------- Co-authored-by: Sampark Sharma --- .../properties/snyk-security.properties.json | 7 ++ code-scanning/snyk-security.yml | 79 +++++++++++++++++++ 2 files changed, 86 insertions(+) create mode 100644 code-scanning/properties/snyk-security.properties.json create mode 100644 code-scanning/snyk-security.yml diff --git a/code-scanning/properties/snyk-security.properties.json b/code-scanning/properties/snyk-security.properties.json new file mode 100644 index 0000000..3c10ca1 --- /dev/null +++ b/code-scanning/properties/snyk-security.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Snyk Security", + "creator": "Snyk", + "description": "Detect vulnerabilities across your applications and infrastructure with the Snyk platform.", + "iconName": "snyk", + "categories": ["Code Scanning","JavaScript", "Python", "Java", "PHP", "C#", "C", "C++", "Ruby", "Swift", "Go", "TypeScript", "Kotlin", "Apex", "Scala", "Terraform", "Dockerfile"] +} diff --git a/code-scanning/snyk-security.yml b/code-scanning/snyk-security.yml new file mode 100644 index 0000000..715fa1b --- /dev/null +++ b/code-scanning/snyk-security.yml @@ -0,0 +1,79 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which sets up Snyk to analyze the full Snyk platform (Snyk Open Source, Snyk Code, +# Snyk Container and Snyk Infrastructure as Code) +# The setup installs the Snyk CLI - for more details on the possible commands +# check https://docs.snyk.io/snyk-cli/cli-reference +# The results of Snyk Code are then uploaded to GitHub Security Code Scanning +# +# In order to use the Snyk Action you will need to have a Snyk API token. +# More details in https://github.com/snyk/actions#getting-your-snyk-token +# or you can signup for free at https://snyk.io/login +# +# For more examples, including how to limit scans to only high-severity issues +# and fail PR checks, see https://github.com/snyk/actions/ + +name: Snyk Security + +on: + push: + branches: [$default-branch, $protected-branches] + pull_request: + branches: [$default-branch] + +permissions: + contents: read + +jobs: + snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Set up Snyk CLI to check for security issues + # Snyk can be used to break the build when it detects security issues. + # In this case we want to upload the SAST issues to GitHub Code Scanning + uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb + + # For Snyk Open Source you must first set up the development environment for your application's dependencies + # For example for Node + #- uses: actions/setup-node@v3 + # with: + # node-version: 16 + + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # Runs Snyk Code (SAST) analysis and uploads result into GitHub. + # Use || true to not fail the pipeline + - name: Snyk Code test + run: snyk code test --sarif > snyk-code.sarif # || true + + # Runs Snyk Open Source (SCA) analysis and uploads result to Snyk. + - name: Snyk Open Source monitor + run: snyk monitor --all-projects + + # Runs Snyk Infrastructure as Code (IaC) analysis and uploads result to Snyk. + # Use || true to not fail the pipeline. + - name: Snyk IaC test and report + run: snyk iac test --report # || true + + # Build the docker image for testing + - name: Build a Docker image + run: docker build -t your/image-to-test . + # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. + - name: Snyk Container monitor + run: snyk container monitor your/image-to-test --file=Dockerfile + + # Push the Snyk Code results into GitHub Code Scanning tab + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk-code.sarif From 1375dc0a9d3bf61ca8ba1b64c6c24568375d792e Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 7 Mar 2023 18:30:19 +0530 Subject: [PATCH 15/42] Update comment for third party action usage (#1960) * Update comment for third party action usage * Update third party usage comment * Update third party usage comment --- ci/elixir.yml | 5 +++++ ci/msbuild.yml | 5 +++++ ci/symfony.yml | 5 +++++ 3 files changed, 15 insertions(+) diff --git a/ci/elixir.yml b/ci/elixir.yml index 6c76f54..371ff24 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -1,3 +1,8 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + name: Elixir CI on: diff --git a/ci/msbuild.yml b/ci/msbuild.yml index c50354e..a52ec35 100644 --- a/ci/msbuild.yml +++ b/ci/msbuild.yml @@ -1,3 +1,8 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + name: MSBuild on: diff --git a/ci/symfony.yml b/ci/symfony.yml index d1ac71a..4b957e1 100644 --- a/ci/symfony.yml +++ b/ci/symfony.yml @@ -1,3 +1,8 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + name: Symfony on: From f5cfb3ea9c17d9f3031dc88a7b065108653916e8 Mon Sep 17 00:00:00 2001 From: ElizabethBarrord Date: Tue, 7 Mar 2023 14:52:54 -0600 Subject: [PATCH 16/42] Update code-scanning/credo.yml Co-authored-by: Sampark Sharma --- code-scanning/credo.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/credo.yml b/code-scanning/credo.yml index f69159b..7861c02 100644 --- a/code-scanning/credo.yml +++ b/code-scanning/credo.yml @@ -33,6 +33,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest strategy: fail-fast: false From 07c72062df203ca1bd7062f410eaeaf37992e0b1 Mon Sep 17 00:00:00 2001 From: ElizabethBarrord Date: Tue, 7 Mar 2023 20:56:57 +0000 Subject: [PATCH 17/42] adding commit sha to for action --- code-scanning/credo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/credo.yml b/code-scanning/credo.yml index 7861c02..9a77881 100644 --- a/code-scanning/credo.yml +++ b/code-scanning/credo.yml @@ -42,7 +42,7 @@ jobs: elixir: [version] steps: - uses: actions/checkout@v3 - - uses: erlef/setup-beam@v1 + - uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f with: otp-version: ${{matrix.otp}} elixir-version: ${{matrix.elixir}} From 4813d8a07f7a3de9033856273303d278f6292b53 Mon Sep 17 00:00:00 2001 From: Jess Bees Date: Thu, 9 Mar 2023 14:08:16 -0500 Subject: [PATCH 18/42] Trim whitespace on pages/mdbook.yml --- pages/mdbook.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pages/mdbook.yml b/pages/mdbook.yml index 57f3636..216f186 100644 --- a/pages/mdbook.yml +++ b/pages/mdbook.yml @@ -38,14 +38,14 @@ jobs: # Runs a single command using the runners shell - name: install mdbook run: | - curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf -y | sh + curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf -y | sh rustup update cargo install --version ${MDBOOK_VERSION} mdbook - name: Setup Pages id: pages uses: actions/configure-pages@v1 - name: Build with mdbook - run: mdbook build + run: mdbook build - name: Upload artifact uses: actions/upload-pages-artifact@v1 with: From add94e933cf74933f403110e720822f95cae1c36 Mon Sep 17 00:00:00 2001 From: Tommy Byrd Date: Thu, 9 Mar 2023 16:54:17 -0500 Subject: [PATCH 19/42] Update mdbook.properties.json --- pages/properties/mdbook.properties.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pages/properties/mdbook.properties.json b/pages/properties/mdbook.properties.json index 8617e7f..2a4fe8d 100644 --- a/pages/properties/mdbook.properties.json +++ b/pages/properties/mdbook.properties.json @@ -1,6 +1,6 @@ { - "name": "Mdbook", - "description": "Package a Mdbook site.", + "name": "mdBook", + "description": "Package a site using mdBook.", "iconName": "mdbook", - "categories": ["Pages", "Mdbook"] + "categories": ["Pages", "mdBook"] } From 39018ecd743923c6534e2569aed15a92fa51a9c5 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Thu, 9 Mar 2023 19:50:49 -0600 Subject: [PATCH 20/42] Update casing of mdBook within copy in mdbook.yml --- pages/mdbook.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pages/mdbook.yml b/pages/mdbook.yml index 216f186..b4f0585 100644 --- a/pages/mdbook.yml +++ b/pages/mdbook.yml @@ -1,8 +1,8 @@ -# Sample workflow for building and deploying a mdbook site to GitHub Pages +# Sample workflow for building and deploying a mdBook site to GitHub Pages # -# To get started with mdbook see: https://rust-lang.github.io/mdBook/index.html +# To get started with mdBook see: https://rust-lang.github.io/mdBook/index.html # -name: Deploy mdbook site to Pages +name: Deploy mdBook site to Pages on: # Runs on pushes targeting the default branch From 9ab053c67bbd9ee6a5129255ac0efb4072ffc719 Mon Sep 17 00:00:00 2001 From: Hanxiao Liu Date: Fri, 10 Mar 2023 14:06:31 +0800 Subject: [PATCH 21/42] Add workflow for Azure Web App with Gradle (#1955) * Add starter workflow for Azure Web App with Gradle * Use gradle build instead of assemable and mark template as preview --------- Co-authored-by: Sampark Sharma --- deployments/azure-webapps-java-jar-gradle.yml | 79 +++++++++++++++++++ ...re-webapps-java-jar-gradle.properties.json | 8 ++ 2 files changed, 87 insertions(+) create mode 100644 deployments/azure-webapps-java-jar-gradle.yml create mode 100644 deployments/properties/azure-webapps-java-jar-gradle.properties.json diff --git a/deployments/azure-webapps-java-jar-gradle.yml b/deployments/azure-webapps-java-jar-gradle.yml new file mode 100644 index 0000000..b1c1df9 --- /dev/null +++ b/deployments/azure-webapps-java-jar-gradle.yml @@ -0,0 +1,79 @@ +# This workflow will build and push a Java application to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-java?tabs=javase&pivots=platform-linux +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the JAVA_VERSION environment variable below. +# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples + +name: Build and deploy Gradle app to Azure Web App + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + JAVA_VERSION: '11' # set this to the Java version to use + DISTRIBUTION: zulu # set this to the Java distribution + +on: + push: + branches: [ $default-branch ] + workflow_dispatch: + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - name: Set up Java version + uses: actions/setup-java@v3.0.0 + with: + java-version: ${{ env.JAVA_VERSION }} + distribution: ${{ env.DISTRIBUTION }} + cache: 'gradle' + + - name: Build with Gradle + run: gradle build + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v3 + with: + name: java-app + path: '${{ github.workspace }}/build/libs/*.jar' + + deploy: + permissions: + contents: none + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v3 + with: + name: java-app + + - name: Deploy to Azure Web App + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: '*.jar' diff --git a/deployments/properties/azure-webapps-java-jar-gradle.properties.json b/deployments/properties/azure-webapps-java-jar-gradle.properties.json new file mode 100644 index 0000000..31804d7 --- /dev/null +++ b/deployments/properties/azure-webapps-java-jar-gradle.properties.json @@ -0,0 +1,8 @@ +{ + "name": "Deploy a Gradle .jar app to an Azure Web App", + "description": "Build a Gradle project and deploy it to an Azure Web App.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Java", "Gradle"], + "labels": ["preview"] +} From e46e854a2150e3cb8e2bc5bde009ae0d96815d9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E3=81=AA=E3=81=A4=E3=81=8D?= Date: Mon, 13 Mar 2023 03:38:16 -0700 Subject: [PATCH 22/42] Update jekyll workflow to use ruby 3.1 (#1969) --- pages/jekyll.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/jekyll.yml b/pages/jekyll.yml index f4f1825..e8fff64 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -35,7 +35,7 @@ jobs: - name: Setup Ruby uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 with: - ruby-version: '3.0' # Not needed with a .ruby-version file + ruby-version: '3.1' # Not needed with a .ruby-version file bundler-cache: true # runs 'bundle install' and caches installed gems automatically cache-version: 0 # Increment this number if you need to re-download cached gems - name: Setup Pages From c1b76c45d4bb701afdb26b132bc865f261d555be Mon Sep 17 00:00:00 2001 From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com> Date: Mon, 13 Mar 2023 12:56:25 +0200 Subject: [PATCH 23/42] Frogbot update (#1980) * Update Frogbot starter workflows * Update * Update Frogbot starter-workflows commit hash --------- Co-authored-by: Sampark Sharma --- code-scanning/frogbot-scan-and-fix.yml | 36 +++++++++++++++++++------- code-scanning/frogbot-scan-pr.yml | 36 +++++++++++++++++++------- 2 files changed, 54 insertions(+), 18 deletions(-) diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 96dcfb5..feacb7f 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -7,8 +7,7 @@ # Uses JFrog Xray to scan the project. # Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot -# Frogbot uses a frogbot-config.yml file to run. The following article will guide you through the process of creating this file: -# https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md +# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md name: "Frogbot Scan and Fix" on: @@ -26,10 +25,17 @@ jobs: # IMPORTANT: # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix - # 2. Frogbot requires a frogbot-config.yml to run. Read more about in the following link - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md + # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md - - uses: jfrog/frogbot@8daba7e9515dbc898012367c71c1018449cd7716 + - uses: jfrog/frogbot@3395426f351556d4568e30a6dfd2909dbedae99e env: + # [Mandatory if the two conditions below are met] + # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies + # 2. The `installCommand` variable isn't set in your frogbot-config.yml file. + # + # The command that installs the project dependencies (e.g "npm i", "nuget restore" or "dotnet restore") + # JF_INSTALL_DEPS_CMD: "" + # [Mandatory] # JFrog platform URL JF_URL: ${{ secrets.JF_URL }} @@ -38,14 +44,26 @@ jobs: # JFrog access token with 'read' permissions on Xray service JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} - # [Mandatory] - # The GitHub token automatically generated for the job - JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # [Mandatory if JF_ACCESS_TOKEN is not provided] # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD # JF_USER: ${{ secrets.JF_USER }} # [Mandatory if JF_ACCESS_TOKEN is not provided] # JFrog password. Must be provided with JF_USER - # JF_PASSWORD: ${{ secrets.JF_PASSWORD }} \ No newline at end of file + # JF_PASSWORD: ${{ secrets.JF_PASSWORD }} + + # [Mandatory] + # The GitHub token automatically generated for the job + JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # [Optional] + # If the machine that runs Frogbot has no access to the internat, set the name of a remote repository + # in Artifactory, which proxies https://releases.jfrog.io/artifactory + # The 'frogbot' executable and other tools it needs will be downloaded through this repository. + # JF_RELEASES_REPO: "" + + # [Optional] + # Frogbot will download the project dependencies, if they're not cached locally. To download the + # dependencies from a virtual repository in Artifactory, set the name of of the repository. There's no + # need to set this value, if it is set in the frogbot-config.yml file. + # JF_DEPS_REPO: "" \ No newline at end of file diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index fe7d125..9e8b6c5 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml @@ -7,8 +7,7 @@ # Uses JFrog Xray to scan the project. # Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot -# Frogbot uses a frogbot-config.yml file to run. The following article will guide you through the process of creating this file: -# https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md +# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md name: "Frogbot Scan Pull Request" on: @@ -31,10 +30,17 @@ jobs: # IMPORTANT: # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix - # 2. Frogbot requires a frogbot-config.yml to run. Read more about in the following link - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md + # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md - - uses: jfrog/frogbot@8daba7e9515dbc898012367c71c1018449cd7716 + - uses: jfrog/frogbot@3395426f351556d4568e30a6dfd2909dbedae99e env: + # [Mandatory if the two conditions below are met] + # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies + # 2. The `installCommand` variable isn't set in your frogbot-config.yml file. + # + # The command that installs the project dependencies (e.g "npm i", "nuget restore" or "dotnet restore") + # JF_INSTALL_DEPS_CMD: "" + # [Mandatory] # JFrog platform URL JF_URL: ${{ secrets.JF_URL }} @@ -43,14 +49,26 @@ jobs: # JFrog access token with 'read' permissions on Xray service JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} - # [Mandatory] - # The GitHub token automatically generated for the job - JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # [Mandatory if JF_ACCESS_TOKEN is not provided] # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD # JF_USER: ${{ secrets.JF_USER }} # [Mandatory if JF_ACCESS_TOKEN is not provided] # JFrog password. Must be provided with JF_USER - # JF_PASSWORD: ${{ secrets.JF_PASSWORD }} \ No newline at end of file + # JF_PASSWORD: ${{ secrets.JF_PASSWORD }} + + # [Mandatory] + # The GitHub token automatically generated for the job + JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # [Optional] + # If the machine that runs Frogbot has no access to the internat, set the name of a remote repository + # in Artifactory, which proxies https://releases.jfrog.io/artifactory + # The 'frogbot' executable and other tools it needs will be downloaded through this repository. + # JF_RELEASES_REPO: "" + + # [Optional] + # Frogbot will download the project dependencies, if they're not cached locally. To download the + # dependencies from a virtual repository in Artifactory, set the name of of the repository. There's no + # need to set this value, if it is set in the frogbot-config.yml file. + # JF_DEPS_REPO: "" \ No newline at end of file From 6e49802a68a601c443c4df09ea4ed977ceb0b283 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lu=C3=ADs=20Reis?= Date: Mon, 13 Mar 2023 12:37:25 +0000 Subject: [PATCH 24/42] Update Jscrambler logo (#1964) Co-authored-by: Luis Reis --- icons/jscrambler.svg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/icons/jscrambler.svg b/icons/jscrambler.svg index 17f79b7..7b96427 100644 --- a/icons/jscrambler.svg +++ b/icons/jscrambler.svg @@ -1 +1 @@ - \ No newline at end of file + \ No newline at end of file From ed18ec10673b224bf43c4a3fe4c2c291afe95090 Mon Sep 17 00:00:00 2001 From: Tommy Byrd Date: Mon, 13 Mar 2023 22:39:36 -0400 Subject: [PATCH 25/42] Update mdbook.svg Remove embedded style tag --- icons/mdbook.svg | 5 ----- 1 file changed, 5 deletions(-) diff --git a/icons/mdbook.svg b/icons/mdbook.svg index 90e0ea5..c61e0a6 100644 --- a/icons/mdbook.svg +++ b/icons/mdbook.svg @@ -1,9 +1,4 @@ - Date: Tue, 14 Mar 2023 00:04:25 -0500 Subject: [PATCH 26/42] Update mdbook.yml, primarily to update to configure-pages@v3 --- pages/mdbook.yml | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/pages/mdbook.yml b/pages/mdbook.yml index b4f0585..ddff0de 100644 --- a/pages/mdbook.yml +++ b/pages/mdbook.yml @@ -22,34 +22,31 @@ permissions: concurrency: group: "pages" cancel-in-progress: true + jobs: - # This workflow contains a single job called "build" + # Build job build: - env: - MDBOOK_VERSION : 0.4.21 - # The type of runner that the job will run on runs-on: ubuntu-latest - - # Steps represent a sequence of tasks that will be executed as part of the job + env: + MDBOOK_VERSION: 0.4.21 steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - uses: actions/checkout@v3 - - # Runs a single command using the runners shell - - name: install mdbook + - name: Install mdBook run: | curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf -y | sh rustup update cargo install --version ${MDBOOK_VERSION} mdbook - name: Setup Pages id: pages - uses: actions/configure-pages@v1 - - name: Build with mdbook + uses: actions/configure-pages@v3 + - name: Build with mdBook run: mdbook build - name: Upload artifact uses: actions/upload-pages-artifact@v1 with: path: ./book + + # Deployment job deploy: environment: name: github-pages From db26d12511a69937b8396fc443f57e37e2a0e740 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Tue, 14 Mar 2023 00:12:22 -0500 Subject: [PATCH 27/42] Update concurrency.cancel-in-progress to false for all Pages starter workflows --- pages/astro.yml | 5 +++-- pages/gatsby.yml | 5 +++-- pages/hugo.yml | 5 +++-- pages/jekyll-gh-pages.yml | 5 +++-- pages/jekyll.yml | 5 +++-- pages/mdbook.yml | 6 ++++-- pages/nextjs.yml | 5 +++-- pages/nuxtjs.yml | 5 +++-- pages/static.yml | 5 +++-- 9 files changed, 28 insertions(+), 18 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index 1b6478f..dbe49db 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -18,10 +18,11 @@ permissions: pages: write id-token: write -# Allow one concurrent deployment +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. concurrency: group: "pages" - cancel-in-progress: true + cancel-in-progress: false env: BUILD_PATH: "." # default value when not using subfolders diff --git a/pages/gatsby.yml b/pages/gatsby.yml index 34f15dd..fbe9e70 100644 --- a/pages/gatsby.yml +++ b/pages/gatsby.yml @@ -18,10 +18,11 @@ permissions: pages: write id-token: write -# Allow one concurrent deployment +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. concurrency: group: "pages" - cancel-in-progress: true + cancel-in-progress: false # Default to bash defaults: diff --git a/pages/hugo.yml b/pages/hugo.yml index d4363fd..3431284 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -15,10 +15,11 @@ permissions: pages: write id-token: write -# Allow one concurrent deployment +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. concurrency: group: "pages" - cancel-in-progress: true + cancel-in-progress: false # Default to bash defaults: diff --git a/pages/jekyll-gh-pages.yml b/pages/jekyll-gh-pages.yml index 792aa18..7d18dc8 100644 --- a/pages/jekyll-gh-pages.yml +++ b/pages/jekyll-gh-pages.yml @@ -15,10 +15,11 @@ permissions: pages: write id-token: write -# Allow one concurrent deployment +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. concurrency: group: "pages" - cancel-in-progress: true + cancel-in-progress: false jobs: # Build job diff --git a/pages/jekyll.yml b/pages/jekyll.yml index e8fff64..9e6bf67 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -20,10 +20,11 @@ permissions: pages: write id-token: write -# Allow one concurrent deployment +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. concurrency: group: "pages" - cancel-in-progress: true + cancel-in-progress: false jobs: # Build job diff --git a/pages/mdbook.yml b/pages/mdbook.yml index b4f0585..2966fa0 100644 --- a/pages/mdbook.yml +++ b/pages/mdbook.yml @@ -18,10 +18,12 @@ permissions: pages: write id-token: write -# Allow one concurrent deployment +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. concurrency: group: "pages" - cancel-in-progress: true + cancel-in-progress: false + jobs: # This workflow contains a single job called "build" build: diff --git a/pages/nextjs.yml b/pages/nextjs.yml index 5bd6c15..bf15a71 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -18,10 +18,11 @@ permissions: pages: write id-token: write -# Allow one concurrent deployment +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. concurrency: group: "pages" - cancel-in-progress: true + cancel-in-progress: false jobs: # Build job diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml index e7d8891..3ded228 100644 --- a/pages/nuxtjs.yml +++ b/pages/nuxtjs.yml @@ -18,10 +18,11 @@ permissions: pages: write id-token: write -# Allow one concurrent deployment +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. concurrency: group: "pages" - cancel-in-progress: true + cancel-in-progress: false jobs: # Build job diff --git a/pages/static.yml b/pages/static.yml index d6b7192..c0cfa35 100644 --- a/pages/static.yml +++ b/pages/static.yml @@ -15,10 +15,11 @@ permissions: pages: write id-token: write -# Allow one concurrent deployment +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. concurrency: group: "pages" - cancel-in-progress: true + cancel-in-progress: false jobs: # Single deploy job since we're just deploying From 20496ebfca42582d0ca772172a927616bc3bcd41 Mon Sep 17 00:00:00 2001 From: Hanxiao Liu Date: Thu, 16 Mar 2023 18:10:14 +0800 Subject: [PATCH 28/42] Add workflow for Azure Function App with Gradle (#1963) * Add starter workflow for Azure Function App with Gradle * Mark as preview * Fix properties for function gradle template * Add workflow and job level permissions to function gradle template --------- Co-authored-by: Sampark Sharma --- .../azure-functions-app-java-gradle.yml | 70 +++++++++++++++++++ ...-functions-app-java-gradle.properties.json | 8 +++ 2 files changed, 78 insertions(+) create mode 100644 deployments/azure-functions-app-java-gradle.yml create mode 100644 deployments/properties/azure-functions-app-java-gradle.properties.json diff --git a/deployments/azure-functions-app-java-gradle.yml b/deployments/azure-functions-app-java-gradle.yml new file mode 100644 index 0000000..69f6343 --- /dev/null +++ b/deployments/azure-functions-app-java-gradle.yml @@ -0,0 +1,70 @@ +# This workflow will build a Java project and deploy it to an Azure Functions App on Windows or Linux when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure Functions app and applied azure functions plugin for gradle. +# For instructions see https://learn.microsoft.com/en-us/azure/azure-functions/functions-create-first-java-gradle +# +# To configure this workflow: +# 1. Set up the following secrets in your repository: +# - AZURE_FUNCTIONAPP_PUBLISH_PROFILE +# 2. Change env variables for your configuration. +# +# For more information on: +# - GitHub Actions for Azure: https://github.com/Azure/Actions +# - Azure Functions Action: https://github.com/Azure/functions-action +# - Publish Profile: https://github.com/Azure/functions-action#using-publish-profile-as-deployment-credential-recommended +# - Azure Service Principal for RBAC: https://github.com/Azure/functions-action#using-azure-service-principal-for-rbac-as-deployment-credential +# +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples/tree/master/FunctionApp + +name: Deploy Gradle Java project to Azure Function App + +on: + push: + branches: + - [$default-branch] + +permissions: + contents: read + +env: + AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure + BUILD_GRADLE_DIRECTORY: '.' # set this to the directory which contains build.gradle file + JAVA_VERSION: '8' # set this to the java version to use (e.g. '8', '11', '17') + +jobs: + build-and-deploy: + permissions: + contents: none + runs-on: windows-latest # For Linux, use ubuntu-latest + environment: dev + steps: + - name: 'Checkout GitHub Action' + uses: actions/checkout@v3 + + # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below + # - name: 'Login via Azure CLI' + # uses: azure/login@v1 + # with: + # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository + + - name: Setup Java Sdk ${{ env.JAVA_VERSION }} + uses: actions/setup-java@v1 + with: + java-version: ${{ env.JAVA_VERSION }} + + # Build function project with functions gradle plugin + # For project with function plugin lower than 1.12.1, please make sure you have set same app name in gradle configuration + - name: 'Restore Project Dependencies Using Gradle Plugin for Azure Functions' + shell: pwsh # For Linux, use bash + run: | + pushd './${{ env.BUILD_GRADLE_DIRECTORY }}' + gradle azureFunctionsPackage -DappName=${{ env.AZURE_FUNCTIONAPP_NAME }} + popd + + - name: 'Run Azure Functions Action' + uses: Azure/functions-action@v1 + id: fa + with: + app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }} + package: '${{ env.BUILD_GRADLE_DIRECTORY }}/build/azure-functions/${{ env.AZURE_FUNCTIONAPP_NAME }}' + publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC diff --git a/deployments/properties/azure-functions-app-java-gradle.properties.json b/deployments/properties/azure-functions-app-java-gradle.properties.json new file mode 100644 index 0000000..5c3bd16 --- /dev/null +++ b/deployments/properties/azure-functions-app-java-gradle.properties.json @@ -0,0 +1,8 @@ +{ + "name": "Deploy Gradle app to Azure Functions App", + "description": "Build a Java project and deploy it to an Azure Functions App on Windows or Linux.", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Java", "Gradle", "Azure Functions"], + "labels": ["preview"] +} From f31b00f6cce1cd19ed8b231e5eca4694a464e5f9 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Mon, 20 Mar 2023 23:25:38 -0500 Subject: [PATCH 29/42] Update all Pages starter workflows to use actions/deploy-pages@v2 --- pages/astro.yml | 2 +- pages/gatsby.yml | 2 +- pages/hugo.yml | 2 +- pages/jekyll-gh-pages.yml | 2 +- pages/jekyll.yml | 2 +- pages/mdbook.yml | 2 +- pages/nextjs.yml | 2 +- pages/nuxtjs.yml | 2 +- pages/static.yml | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index dbe49db..8377ee4 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -85,4 +85,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 diff --git a/pages/gatsby.yml b/pages/gatsby.yml index fbe9e70..8303af4 100644 --- a/pages/gatsby.yml +++ b/pages/gatsby.yml @@ -94,4 +94,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 diff --git a/pages/hugo.yml b/pages/hugo.yml index 3431284..fd6c4b4 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -72,4 +72,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 diff --git a/pages/jekyll-gh-pages.yml b/pages/jekyll-gh-pages.yml index 7d18dc8..851f2ce 100644 --- a/pages/jekyll-gh-pages.yml +++ b/pages/jekyll-gh-pages.yml @@ -48,4 +48,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 diff --git a/pages/jekyll.yml b/pages/jekyll.yml index 9e6bf67..b680516 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -61,4 +61,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 diff --git a/pages/mdbook.yml b/pages/mdbook.yml index 191aa48..78d664e 100644 --- a/pages/mdbook.yml +++ b/pages/mdbook.yml @@ -57,4 +57,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 diff --git a/pages/nextjs.yml b/pages/nextjs.yml index bf15a71..5dd673d 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -92,4 +92,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml index 3ded228..1ec761a 100644 --- a/pages/nuxtjs.yml +++ b/pages/nuxtjs.yml @@ -87,4 +87,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 diff --git a/pages/static.yml b/pages/static.yml index c0cfa35..43bec60 100644 --- a/pages/static.yml +++ b/pages/static.yml @@ -40,4 +40,4 @@ jobs: path: '.' - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v2 From fc5ffa2714ad1088b5c57c94e31093aaeeb0f592 Mon Sep 17 00:00:00 2001 From: ElizabethBarrord Date: Fri, 24 Mar 2023 14:14:25 +0000 Subject: [PATCH 30/42] removed whitespace --- code-scanning/credo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/credo.yml b/code-scanning/credo.yml index 9a77881..c1fb8d1 100644 --- a/code-scanning/credo.yml +++ b/code-scanning/credo.yml @@ -46,7 +46,7 @@ jobs: with: otp-version: ${{matrix.otp}} elixir-version: ${{matrix.elixir}} - - name: get dependencies + - name: get dependencies run: mix deps.get - name: compile dependencies run: mix deps.compile From b294ad2ff3d618c03a33966760f39e2730bcef9b Mon Sep 17 00:00:00 2001 From: Josh Goldberg Date: Mon, 27 Mar 2023 18:13:09 -0400 Subject: [PATCH 31/42] chore: fix package(r) manager typo --- pages/astro.yml | 2 +- pages/gatsby.yml | 2 +- pages/nextjs.yml | 2 +- pages/nuxtjs.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index dbe49db..bde3560 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -49,7 +49,7 @@ jobs: echo "runner=npx --no-install" >> $GITHUB_OUTPUT exit 0 else - echo "Unable to determine packager manager" + echo "Unable to determine package manager" exit 1 fi - name: Setup Node diff --git a/pages/gatsby.yml b/pages/gatsby.yml index fbe9e70..a5dceb3 100644 --- a/pages/gatsby.yml +++ b/pages/gatsby.yml @@ -48,7 +48,7 @@ jobs: echo "command=ci" >> $GITHUB_OUTPUT exit 0 else - echo "Unable to determine packager manager" + echo "Unable to determine package manager" exit 1 fi - name: Setup Node diff --git a/pages/nextjs.yml b/pages/nextjs.yml index bf15a71..a9da03d 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -45,7 +45,7 @@ jobs: echo "runner=npx --no-install" >> $GITHUB_OUTPUT exit 0 else - echo "Unable to determine packager manager" + echo "Unable to determine package manager" exit 1 fi - name: Setup Node diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml index 3ded228..d3c9921 100644 --- a/pages/nuxtjs.yml +++ b/pages/nuxtjs.yml @@ -43,7 +43,7 @@ jobs: echo "command=ci" >> $GITHUB_OUTPUT exit 0 else - echo "Unable to determine packager manager" + echo "Unable to determine package manager" exit 1 fi - name: Setup Node From eeb9248ea6d958f2adcb504c334b98464be041ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E3=81=AA=E3=81=A4=E3=81=8D?= Date: Tue, 4 Apr 2023 14:26:08 -0700 Subject: [PATCH 32/42] Update ruby/setup-ruby for CVE-2023-28755 and CVE-2023-28756 --- ci/ruby.yml | 2 +- ci/rubyonrails.yml | 4 ++-- code-scanning/brakeman.yml | 2 +- code-scanning/puppet-lint.yml | 2 +- code-scanning/rubocop.yml | 2 +- pages/jekyll.yml | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ci/ruby.yml b/ci/ruby.yml index e1551d5..9e94081 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -30,7 +30,7 @@ jobs: # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, # change this to (see https://github.com/ruby/setup-ruby#versioning): # uses: ruby/setup-ruby@v1 - uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: ruby-version: ${{ matrix.ruby-version }} bundler-cache: true # runs 'bundle install' and caches installed gems automatically diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index 5102b3d..20ff014 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -30,7 +30,7 @@ jobs: uses: actions/checkout@v3 # Add or replace dependency steps here - name: Install Ruby and gems - uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: bundler-cache: true # Add or replace database setup steps here @@ -46,7 +46,7 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - name: Install Ruby and gems - uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: bundler-cache: true # Add or replace any other lints here diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index d381e85..197300c 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -35,7 +35,7 @@ jobs: # Customize the ruby version depending on your needs - name: Setup Ruby - uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: ruby-version: '2.7' diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml index 0804ba9..047ff00 100644 --- a/code-scanning/puppet-lint.yml +++ b/code-scanning/puppet-lint.yml @@ -36,7 +36,7 @@ jobs: uses: actions/checkout@v3 - name: Setup Ruby - uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: ruby-version: 2.7 bundler-cache: true diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml index 97a693f..e2347db 100644 --- a/code-scanning/rubocop.yml +++ b/code-scanning/rubocop.yml @@ -28,7 +28,7 @@ jobs: # If running on a self-hosted runner, check it meets the requirements # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners - name: Set up Ruby - uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: ruby-version: 2.6 diff --git a/pages/jekyll.yml b/pages/jekyll.yml index b680516..5adebe4 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -34,7 +34,7 @@ jobs: - name: Checkout uses: actions/checkout@v3 - name: Setup Ruby - uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0 + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 with: ruby-version: '3.1' # Not needed with a .ruby-version file bundler-cache: true # runs 'bundle install' and caches installed gems automatically From b9b82275918a75a68714fe4edda0810552a65e23 Mon Sep 17 00:00:00 2001 From: Issy Long Date: Tue, 11 Apr 2023 15:40:06 +0100 Subject: [PATCH 33/42] Add Swift to the list of CodeQL-supported languages - This is in public beta. --- code-scanning/properties/codeql.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index f5e78bf..8aaa8f5 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -2,7 +2,7 @@ "name": "CodeQL Analysis", "creator": "GitHub", "enterprise": true, - "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, Ruby and Kotlin developers.", + "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, Ruby, Kotlin and Swift developers.", "iconName": "octicon mark-github", - "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby", "Kotlin"] + "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby", "Kotlin", "Swift"] } From 6a1457d1e2dbee50677ff2610ac2ea7b2f1dad1c Mon Sep 17 00:00:00 2001 From: Marcos Pereira <3464445+marcospgp@users.noreply.github.com> Date: Fri, 14 Apr 2023 23:02:17 +0100 Subject: [PATCH 34/42] Update manual.yml --- automation/manual.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/automation/manual.yml b/automation/manual.yml index 4a7131e..faabdec 100644 --- a/automation/manual.yml +++ b/automation/manual.yml @@ -27,4 +27,4 @@ jobs: steps: # Runs a single command using the runners shell - name: Send greeting - run: echo "Hello ${{ github.event.inputs.name }}" \ No newline at end of file + run: echo "Hello ${{ inputs.name }}" From 73f69c4600dd494bc6311ba2c4c2e362e25fde2f Mon Sep 17 00:00:00 2001 From: Aditya Sharad <6874315+adityasharad@users.noreply.github.com> Date: Mon, 17 Apr 2023 12:06:44 -0700 Subject: [PATCH 35/42] CodeQL: Run on macOS by default if the target language is Swift CodeQL Swift analysis is best supported on macOS. In preparation for CodeQL supporting Swift analysis in beta, adjust the CodeQL starter workflow template to run the `swift` matrix job on `macos-latest`, and all other matrix jobs on `ubuntu-latest`. This does not affect the matrix itself. --- code-scanning/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index f0c3beb..bd394ae 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -23,7 +23,7 @@ on: jobs: analyze: name: Analyze - runs-on: ubuntu-latest + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} permissions: actions: read contents: read @@ -51,7 +51,7 @@ jobs: # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. - # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs # queries: security-extended,security-and-quality From 1c781c4e6aa4c2db08b9133b742b4f35871e150e Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Tue, 18 Apr 2023 11:20:09 -0500 Subject: [PATCH 36/42] Add data type to workflow_dispatch inputs --- automation/manual.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/automation/manual.yml b/automation/manual.yml index faabdec..11b2e35 100644 --- a/automation/manual.yml +++ b/automation/manual.yml @@ -15,6 +15,8 @@ on: default: 'World' # Input has to be provided for the workflow to run required: true + # The data type of the input + type: string # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: From d4482bb5829c32e2d0803b022eebc6f0280c4649 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 18 Apr 2023 20:55:06 +0000 Subject: [PATCH 37/42] Bump actions/stale from 7 to 8 Bumps [actions/stale](https://github.com/actions/stale) from 7 to 8. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/v7...v8) --- updated-dependencies: - dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/stale.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 0cae015..ecdf037 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/stale@v7 + - uses: actions/stale@v8 with: stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.' stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.' From d841affe4c5e9554c36059bf0b297818f4778a16 Mon Sep 17 00:00:00 2001 From: Trevor Blanarik Date: Mon, 24 Apr 2023 15:53:48 +0000 Subject: [PATCH 38/42] corrects the syntax for so that the array is inline --- deployments/azure-functions-app-container.yml | 3 +-- deployments/azure-functions-app-dotnet.yml | 3 +-- deployments/azure-functions-app-java-gradle.yml | 3 +-- deployments/azure-functions-app-java.yml | 3 +-- deployments/azure-functions-app-nodejs.yml | 3 +-- deployments/azure-functions-app-powershell.yml | 3 +-- deployments/azure-functions-app-python.yml | 3 +-- 7 files changed, 7 insertions(+), 14 deletions(-) diff --git a/deployments/azure-functions-app-container.yml b/deployments/azure-functions-app-container.yml index 7b438be..1173b95 100644 --- a/deployments/azure-functions-app-container.yml +++ b/deployments/azure-functions-app-container.yml @@ -21,8 +21,7 @@ name: Deploy container to Azure Functions App on: push: - branches: - - [$default-branch] + branches: [$default-branch] permissions: contents: read diff --git a/deployments/azure-functions-app-dotnet.yml b/deployments/azure-functions-app-dotnet.yml index 8b2c23b..824614e 100644 --- a/deployments/azure-functions-app-dotnet.yml +++ b/deployments/azure-functions-app-dotnet.yml @@ -20,8 +20,7 @@ name: Deploy DotNet project to Azure Function App on: push: - branches: - - [$default-branch] + branches: [$default-branch] env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure diff --git a/deployments/azure-functions-app-java-gradle.yml b/deployments/azure-functions-app-java-gradle.yml index 69f6343..36c50b8 100644 --- a/deployments/azure-functions-app-java-gradle.yml +++ b/deployments/azure-functions-app-java-gradle.yml @@ -20,8 +20,7 @@ name: Deploy Gradle Java project to Azure Function App on: push: - branches: - - [$default-branch] + branches: [$default-branch] permissions: contents: read diff --git a/deployments/azure-functions-app-java.yml b/deployments/azure-functions-app-java.yml index 0774544..5608328 100644 --- a/deployments/azure-functions-app-java.yml +++ b/deployments/azure-functions-app-java.yml @@ -20,8 +20,7 @@ name: Deploy Java project to Azure Function App on: push: - branches: - - [$default-branch] + branches: [$default-branch] env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure diff --git a/deployments/azure-functions-app-nodejs.yml b/deployments/azure-functions-app-nodejs.yml index b8033f0..916f396 100644 --- a/deployments/azure-functions-app-nodejs.yml +++ b/deployments/azure-functions-app-nodejs.yml @@ -22,8 +22,7 @@ name: Deploy Node.js project to Azure Function App on: push: - branches: - - [$default-branch] + branches: [$default-branch] env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure diff --git a/deployments/azure-functions-app-powershell.yml b/deployments/azure-functions-app-powershell.yml index 505b5af..5d62316 100644 --- a/deployments/azure-functions-app-powershell.yml +++ b/deployments/azure-functions-app-powershell.yml @@ -20,8 +20,7 @@ name: Deploy PowerShell project to Azure Function App on: push: - branches: - - [$default-branch] + branches: [$default-branch] env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure diff --git a/deployments/azure-functions-app-python.yml b/deployments/azure-functions-app-python.yml index 0220227..6452a18 100644 --- a/deployments/azure-functions-app-python.yml +++ b/deployments/azure-functions-app-python.yml @@ -20,8 +20,7 @@ name: Deploy Python project to Azure Function App on: push: - branches: - - [$default-branch] + branches: [$default-branch] env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure From b015c848b62afa863d3f5607a61b1604ee66ebea Mon Sep 17 00:00:00 2001 From: Aditya Sharad <6874315+adityasharad@users.noreply.github.com> Date: Mon, 22 May 2023 10:10:15 -0700 Subject: [PATCH 39/42] CodeQL: Reduce job timeout to 2h if the target language is Swift Some projects observed intermittent build timeouts with Swift. In case this happens, and our CodeQL-level mitigations do not prevent the problem, we want to avoid using up 6h of the customer's billed macOS Actions minutes (which is the default timeout), so we suggest a reduced timeout of 2h. This value is chosen to accommodate the total job time (build + CodeQL extraction + CodeQL analysis) we expect for large Swift projects. We may choose to adjust it in future. --- code-scanning/codeql.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index bd394ae..e901a24 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -24,6 +24,7 @@ jobs: analyze: name: Analyze runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} permissions: actions: read contents: read From ee518ae76c27a9700e06499dd8f8c1c99d6d0316 Mon Sep 17 00:00:00 2001 From: Beth Brennan <34719884+elbrenn@users.noreply.github.com> Date: Wed, 31 May 2023 13:38:11 -0400 Subject: [PATCH 40/42] Update CODEOWNERS --- CODEOWNERS | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CODEOWNERS b/CODEOWNERS index 0a7c0a5..a47bd5b 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,4 +1,4 @@ -* @actions/starter-workflows +* @actions/actions-workflow-development-reviewers -/code-scanning/ @actions/advanced-security-code-scanning @actions/starter-workflows -/pages/ @actions/pages @actions/starter-workflows +/code-scanning/ @actions/advanced-security-code-scanning @actions/actions-workflow-development-reviewers +/pages/ @actions/pages @actions/actions-workflow-development-reviewers From bb9bbc31d84c8b28e3aad02f5a7124bf710ccc72 Mon Sep 17 00:00:00 2001 From: ElizabethBarrord Date: Wed, 7 Jun 2023 17:28:33 -0500 Subject: [PATCH 41/42] add line at eof and adding icon --- code-scanning/properties/credo.properties.json | 3 ++- icons/code.svg | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 icons/code.svg diff --git a/code-scanning/properties/credo.properties.json b/code-scanning/properties/credo.properties.json index 3a86a10..cdc621f 100644 --- a/code-scanning/properties/credo.properties.json +++ b/code-scanning/properties/credo.properties.json @@ -2,5 +2,6 @@ "name": "Credo Scan", "creator": "Credo", "description": "Credo is a static code analysis tool for the Elixir language with a focus on teaching and code consistency.", + "iconName": "code", "categories": ["Code Scanning", "Elixir"] -} \ No newline at end of file +} diff --git a/icons/code.svg b/icons/code.svg new file mode 100644 index 0000000..ee64cbc --- /dev/null +++ b/icons/code.svg @@ -0,0 +1 @@ + \ No newline at end of file From 47e25f909529738fcd02d3f6a07224e4cd35f0b6 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Mon, 12 Jun 2023 11:13:06 +0100 Subject: [PATCH 42/42] CodeQL: Update autobuild comment Add Swift to the list of compiled languages that autobuild will try to build. --- code-scanning/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index e901a24..0b8af33 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -56,7 +56,7 @@ jobs: # queries: security-extended,security-and-quality - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild uses: github/codeql-action/autobuild@v2