From f263f7e886286af4c6edcb21f2fb4b2d45846a07 Mon Sep 17 00:00:00 2001 From: Jamie McCarthy Date: Mon, 12 Feb 2024 06:56:37 -0600 Subject: [PATCH 01/23] Run ci/rubyonrails with bundle exec --- ci/rubyonrails.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index 20ff014..dba16cb 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -51,8 +51,8 @@ jobs: bundler-cache: true # Add or replace any other lints here - name: Security audit dependencies - run: bin/bundler-audit --update + run: bundle exec bundler-audit --update - name: Security audit application code - run: bin/brakeman -q -w2 + run: bundle exec brakeman -q -w2 - name: Lint Ruby files - run: bin/rubocop --parallel + run: bundle exec rubocop --parallel From e4840c47d074b5cdaff1d1d3684b2fed38c548d7 Mon Sep 17 00:00:00 2001 From: Jamie McCarthy Date: Mon, 12 Feb 2024 06:57:16 -0600 Subject: [PATCH 02/23] Spell bundle-audit without the r Usage as described in https://github.com/rubysec/bundler-audit#readme --- ci/rubyonrails.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index dba16cb..c9835fb 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -51,7 +51,7 @@ jobs: bundler-cache: true # Add or replace any other lints here - name: Security audit dependencies - run: bundle exec bundler-audit --update + run: bundle exec bundle-audit --update - name: Security audit application code run: bundle exec brakeman -q -w2 - name: Lint Ruby files From 4b8ca42dd9f838356c049899bc877fcda8bf6539 Mon Sep 17 00:00:00 2001 From: Jamie McCarthy Date: Mon, 12 Feb 2024 06:59:39 -0600 Subject: [PATCH 03/23] Prefer ruby/setup-ruby@v1 As recommended in https://github.com/ruby/setup-ruby#setup-ruby --- ci/rubyonrails.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index c9835fb..d62b552 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -30,7 +30,7 @@ jobs: uses: actions/checkout@v3 # Add or replace dependency steps here - name: Install Ruby and gems - uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 + uses: ruby/setup-ruby@v1 with: bundler-cache: true # Add or replace database setup steps here @@ -46,7 +46,7 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - name: Install Ruby and gems - uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 + uses: ruby/setup-ruby@v1 with: bundler-cache: true # Add or replace any other lints here From 37d6de723e3afd1add9316fdfcdbe9413b8603f9 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 25 Apr 2024 13:38:10 -0400 Subject: [PATCH 04/23] Setup-Java: Update all workflows to use Setup-Java V4 Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- ci/android.yml | 2 +- ci/ant.yml | 2 +- ci/maven-publish.yml | 2 +- ci/maven.yml | 2 +- ci/scala.yml | 2 +- code-scanning/endorlabs.yml | 2 +- code-scanning/fortify.yml | 2 +- code-scanning/pmd.yml | 2 +- code-scanning/veracode.yml | 2 +- code-scanning/xanitizer.yml | 2 +- deployments/azure-functions-app-java-gradle.yml | 4 +++- deployments/azure-functions-app-java.yml | 4 +++- deployments/azure-webapps-java-jar-gradle.yml | 2 +- deployments/azure-webapps-java-jar.yml | 2 +- 14 files changed, 18 insertions(+), 14 deletions(-) diff --git a/ci/android.yml b/ci/android.yml index 80a33b4..fec1eb9 100644 --- a/ci/android.yml +++ b/ci/android.yml @@ -14,7 +14,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: '11' distribution: 'temurin' diff --git a/ci/ant.yml b/ci/ant.yml index 517a37a..8cfe641 100644 --- a/ci/ant.yml +++ b/ci/ant.yml @@ -17,7 +17,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: '11' distribution: 'temurin' diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml index 954e6c8..64b848b 100644 --- a/ci/maven-publish.yml +++ b/ci/maven-publish.yml @@ -18,7 +18,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: '11' distribution: 'temurin' diff --git a/ci/maven.yml b/ci/maven.yml index 47816ee..7709373 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -22,7 +22,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up JDK 17 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: '17' distribution: 'temurin' diff --git a/ci/scala.yml b/ci/scala.yml index 83b09f7..49ca1e7 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -22,7 +22,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: '11' distribution: 'temurin' diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index 670fe62..46d1428 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml @@ -26,7 +26,7 @@ jobs: ### Use this section to define the build steps used by your software package. ### Endor Labs builds your software for you where possible but the required build tools must be made available. # - name: Setup Java - # uses: actions/setup-java@v3 + # uses: actions/setup-java@v4 # with: # distribution: 'microsoft' # java-version: '17' diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml index c52b70e..8a94fca 100644 --- a/code-scanning/fortify.yml +++ b/code-scanning/fortify.yml @@ -44,7 +44,7 @@ jobs: # Java is required to run the various Fortify utilities. # When scanning a Java application, please use the appropriate Java version for building your application. - name: Setup Java - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: 8 distribution: 'temurin' diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index ed5eec9..d904a49 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -26,7 +26,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: '11' distribution: 'temurin' diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index 379493f..df2f8b6 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -42,7 +42,7 @@ jobs: - run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip - run: unzip -o pipeline-scan-LATEST.zip - - uses: actions/setup-java@v3 + - uses: actions/setup-java@v4 with: java-version: 8 distribution: 'temurin' diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 32c977e..3b323e9 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -62,7 +62,7 @@ jobs: # Set up the correct Java version for your project # Please comment out, if your project does not contain Java source code. - name: Set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: 11 distribution: 'temurin' diff --git a/deployments/azure-functions-app-java-gradle.yml b/deployments/azure-functions-app-java-gradle.yml index 131e287..87d9ec0 100644 --- a/deployments/azure-functions-app-java-gradle.yml +++ b/deployments/azure-functions-app-java-gradle.yml @@ -28,6 +28,7 @@ permissions: env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure BUILD_GRADLE_DIRECTORY: '.' # set this to the directory which contains build.gradle file + DISTRIBUTION: 'zulu' # set this to the java version to use (e.g. 'zulu', 'temurin', 'microsoft') JAVA_VERSION: '8' # set this to the java version to use (e.g. '8', '11', '17') jobs: @@ -47,8 +48,9 @@ jobs: # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository - name: Setup Java Sdk ${{ env.JAVA_VERSION }} - uses: actions/setup-java@v1 + uses: actions/setup-java@v4 with: + distribution: ${{ env.DISTRIBUTION }} java-version: ${{ env.JAVA_VERSION }} # Build function project with functions gradle plugin diff --git a/deployments/azure-functions-app-java.yml b/deployments/azure-functions-app-java.yml index e7b78c0..c487aff 100644 --- a/deployments/azure-functions-app-java.yml +++ b/deployments/azure-functions-app-java.yml @@ -25,6 +25,7 @@ on: env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure POM_XML_DIRECTORY: '.' # set this to the directory which contains pom.xml file + DISTRIBUTION: 'zulu' # set this to the java version to use (e.g. 'zulu', 'temurin', 'microsoft') JAVA_VERSION: '8' # set this to the java version to use (e.g. '8', '11', '17') jobs: @@ -42,8 +43,9 @@ jobs: # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository - name: Setup Java Sdk ${{ env.JAVA_VERSION }} - uses: actions/setup-java@v1 + uses: actions/setup-java@v4 with: + distribution: ${{ env.DISTRIBUTION }} java-version: ${{ env.JAVA_VERSION }} - name: 'Restore Project Dependencies Using Mvn' diff --git a/deployments/azure-webapps-java-jar-gradle.yml b/deployments/azure-webapps-java-jar-gradle.yml index 63a45cc..51817b5 100644 --- a/deployments/azure-webapps-java-jar-gradle.yml +++ b/deployments/azure-webapps-java-jar-gradle.yml @@ -40,7 +40,7 @@ jobs: - uses: actions/checkout@v4 - name: Set up Java version - uses: actions/setup-java@v3.0.0 + uses: actions/setup-java@v4 with: java-version: ${{ env.JAVA_VERSION }} distribution: ${{ env.DISTRIBUTION }} diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 608fb8e..c98baed 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -40,7 +40,7 @@ jobs: - uses: actions/checkout@v4 - name: Set up Java version - uses: actions/setup-java@v3.0.0 + uses: actions/setup-java@v4 with: java-version: ${{ env.JAVA_VERSION }} distribution: ${{ env.DISTRIBUTION }} From 545832af8bf577275404c16cbca83d07fd475543 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 25 Apr 2024 14:23:34 -0400 Subject: [PATCH 05/23] Setup-Dotnet: Update all workflows to Setup-Dotnet V4 --- code-scanning/defender-for-devops.yml | 2 +- code-scanning/ossar.yml | 2 +- deployments/azure-functions-app-dotnet.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/code-scanning/defender-for-devops.yml b/code-scanning/defender-for-devops.yml index 07aa7d1..0b058ce 100644 --- a/code-scanning/defender-for-devops.yml +++ b/code-scanning/defender-for-devops.yml @@ -33,7 +33,7 @@ jobs: steps: - uses: actions/checkout@v4 - - uses: actions/setup-dotnet@v3 + - uses: actions/setup-dotnet@v4 with: dotnet-version: | 5.0.x diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index ad46e1d..c1ecac1 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -40,7 +40,7 @@ jobs: # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped. # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action: # - name: Install .NET - # uses: actions/setup-dotnet@v2 + # uses: actions/setup-dotnet@v4 # with: # dotnet-version: '3.1.x' diff --git a/deployments/azure-functions-app-dotnet.yml b/deployments/azure-functions-app-dotnet.yml index bf1169b..99ad945 100644 --- a/deployments/azure-functions-app-dotnet.yml +++ b/deployments/azure-functions-app-dotnet.yml @@ -42,7 +42,7 @@ jobs: # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository - name: Setup DotNet ${{ env.DOTNET_VERSION }} Environment - uses: actions/setup-dotnet@v3 + uses: actions/setup-dotnet@v4 with: dotnet-version: ${{ env.DOTNET_VERSION }} diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index b4bfafb..73b6380 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -40,7 +40,7 @@ jobs: - uses: actions/checkout@v4 - name: Set up .NET Core - uses: actions/setup-dotnet@v2 + uses: actions/setup-dotnet@v4 with: dotnet-version: ${{ env.DOTNET_VERSION }} From d51dfabea2a2164939745ecebe07826579c2626c Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 25 Apr 2024 16:03:52 -0400 Subject: [PATCH 06/23] Artifacts: Update all workflows to use Artifacts V4 Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- ci/dotnet-desktop.yml | 4 ++-- code-scanning/msvc.yml | 2 +- code-scanning/scorecard.yml | 2 +- code-scanning/xanitizer.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 4 ++-- deployments/azure-webapps-java-jar-gradle.yml | 4 ++-- deployments/azure-webapps-java-jar.yml | 4 ++-- deployments/azure-webapps-node.yml | 4 ++-- deployments/azure-webapps-php.yml | 4 ++-- deployments/azure-webapps-python.yml | 4 ++-- 10 files changed, 17 insertions(+), 17 deletions(-) diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index ad99b56..400a721 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -109,7 +109,7 @@ jobs: # Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact - name: Upload build artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: - name: MSIX Package + name: MSIX Package ${{ matrix.configuration }} path: ${{ env.Wap_Project_Directory }}\AppPackages diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 0700989..b905ef8 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -60,7 +60,7 @@ jobs: # Upload SARIF file as an Artifact to download and view # - name: Upload SARIF as an Artifact - # uses: actions/upload-artifact@v3 + # uses: actions/upload-artifact@v4 # with: # name: sarif-file # path: ${{ steps.run-analysis.outputs.sarif }} diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index 162c788..729d741 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml @@ -59,7 +59,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: SARIF file path: results.sarif diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 32c977e..2fd110a 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -87,7 +87,7 @@ jobs: license: ${{ secrets.XANITIZER_LICENSE }} # Archiving the findings list reports - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: Xanitizer-Reports path: | diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index b4bfafb..64124e5 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -59,7 +59,7 @@ jobs: run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: .net-app path: ${{env.DOTNET_ROOT}}/myapp @@ -75,7 +75,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: .net-app diff --git a/deployments/azure-webapps-java-jar-gradle.yml b/deployments/azure-webapps-java-jar-gradle.yml index 63a45cc..a066d89 100644 --- a/deployments/azure-webapps-java-jar-gradle.yml +++ b/deployments/azure-webapps-java-jar-gradle.yml @@ -50,7 +50,7 @@ jobs: run: gradle build - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: java-app path: '${{ github.workspace }}/build/libs/*.jar' @@ -66,7 +66,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: java-app diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 608fb8e..f6c17a9 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -50,7 +50,7 @@ jobs: run: mvn clean install - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: java-app path: '${{ github.workspace }}/target/*.jar' @@ -66,7 +66,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: java-app diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index 147d4e6..891a7d6 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -49,7 +49,7 @@ jobs: npm run test --if-present - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: node-app path: . @@ -65,7 +65,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: node-app diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 1182c2a..3391c83 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -70,7 +70,7 @@ jobs: run: composer validate --no-check-publish && composer install --prefer-dist --no-progress - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: php-app path: . @@ -86,7 +86,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: php-app diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 656f95c..e4868c4 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -55,7 +55,7 @@ jobs: # Optional: Add step to run tests here (PyTest, Django test suites, etc.) - name: Upload artifact for deployment jobs - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: python-app path: | @@ -73,7 +73,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: python-app path: . From 1830845916d09bee7327d12cbf1e387edfdb9846 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 25 Apr 2024 13:37:42 -0400 Subject: [PATCH 07/23] Setup-Node: Update all workflows to use Setup-Node V4 * Switch default node version to 20 * Update version set to 18.x, 20.x, 22.x Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- .github/workflows/sync-ghes.yaml | 4 ++-- .github/workflows/validate-data.yaml | 4 ++-- ci/node.js.yml | 4 ++-- ci/npm-grunt.yml | 4 ++-- ci/npm-gulp.yml | 4 ++-- ci/npm-publish-github-packages.yml | 8 ++++---- ci/npm-publish.yml | 8 ++++---- ci/webpack.yml | 4 ++-- code-scanning/crda.yml | 4 ++-- code-scanning/jscrambler-code-integrity.yml | 4 ++-- code-scanning/snyk-security.yml | 4 ++-- deployments/azure-functions-app-nodejs.yml | 4 ++-- deployments/azure-webapps-node.yml | 4 ++-- 13 files changed, 30 insertions(+), 30 deletions(-) diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index 6a3da68..5d39d18 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -15,9 +15,9 @@ jobs: git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/* git config user.email "cschleiden@github.com" git config user.name "GitHub Actions" - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: '16' + node-version: '20' cache: 'npm' cache-dependency-path: script/sync-ghes/package-lock.json - name: Check starter workflows for GHES compat diff --git a/.github/workflows/validate-data.yaml b/.github/workflows/validate-data.yaml index 43f5578..52988aa 100644 --- a/.github/workflows/validate-data.yaml +++ b/.github/workflows/validate-data.yaml @@ -12,9 +12,9 @@ jobs: steps: - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: '16' + node-version: '20' cache: 'npm' cache-dependency-path: script/validate-data/package-lock.json diff --git a/ci/node.js.yml b/ci/node.js.yml index 688a227..d5ccc14 100644 --- a/ci/node.js.yml +++ b/ci/node.js.yml @@ -16,13 +16,13 @@ jobs: strategy: matrix: - node-version: [14.x, 16.x, 18.x] + node-version: [18.x, 20.x, 22.x] # See supported Node.js release schedule at https://nodejs.org/en/about/releases/ steps: - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: ${{ matrix.node-version }} cache: 'npm' diff --git a/ci/npm-grunt.yml b/ci/npm-grunt.yml index 0039895..ccdabd8 100644 --- a/ci/npm-grunt.yml +++ b/ci/npm-grunt.yml @@ -12,13 +12,13 @@ jobs: strategy: matrix: - node-version: [14.x, 16.x, 18.x] + node-version: [18.x, 20.x, 22.x] steps: - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: ${{ matrix.node-version }} diff --git a/ci/npm-gulp.yml b/ci/npm-gulp.yml index 19bed27..3a4ec12 100644 --- a/ci/npm-gulp.yml +++ b/ci/npm-gulp.yml @@ -12,13 +12,13 @@ jobs: strategy: matrix: - node-version: [14.x, 16.x, 18.x] + node-version: [18.x, 20.x, 22.x] steps: - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: ${{ matrix.node-version }} diff --git a/ci/npm-publish-github-packages.yml b/ci/npm-publish-github-packages.yml index 1899709..99531c0 100644 --- a/ci/npm-publish-github-packages.yml +++ b/ci/npm-publish-github-packages.yml @@ -12,9 +12,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: 16 + node-version: 20 - run: npm ci - run: npm test @@ -26,9 +26,9 @@ jobs: packages: write steps: - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: 16 + node-version: 20 registry-url: $registry-url(npm) - run: npm ci - run: npm publish diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index 0049296..2a4766d 100644 --- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml @@ -12,9 +12,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: 16 + node-version: 20 - run: npm ci - run: npm test @@ -23,9 +23,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: 16 + node-version: 20 registry-url: https://registry.npmjs.org/ - run: npm ci - run: npm publish diff --git a/ci/webpack.yml b/ci/webpack.yml index 9e967c0..1013845 100644 --- a/ci/webpack.yml +++ b/ci/webpack.yml @@ -12,13 +12,13 @@ jobs: strategy: matrix: - node-version: [14.x, 16.x, 18.x] + node-version: [18.x, 20.x, 22.x] steps: - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: ${{ matrix.node-version }} diff --git a/code-scanning/crda.yml b/code-scanning/crda.yml index d5bb88f..82610ac 100644 --- a/code-scanning/crda.yml +++ b/code-scanning/crda.yml @@ -94,9 +94,9 @@ jobs: # # Example: # - name: Setup Node - # uses: actions/setup-node@v2 + # uses: actions/setup-node@v4 # with: - # node-version: '14' + # node-version: '20' # https://github.com/redhat-actions/openshift-tools-installer/blob/main/README.md - name: Install CRDA CLI diff --git a/code-scanning/jscrambler-code-integrity.yml b/code-scanning/jscrambler-code-integrity.yml index 69d7c42..64a998a 100644 --- a/code-scanning/jscrambler-code-integrity.yml +++ b/code-scanning/jscrambler-code-integrity.yml @@ -28,9 +28,9 @@ jobs: contents: read steps: - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: 18 + node-version: 20 - run: npm ci - run: npm run build - name: Jscrambler Code Integrity diff --git a/code-scanning/snyk-security.yml b/code-scanning/snyk-security.yml index 4941e00..bee888c 100644 --- a/code-scanning/snyk-security.yml +++ b/code-scanning/snyk-security.yml @@ -43,9 +43,9 @@ jobs: # For Snyk Open Source you must first set up the development environment for your application's dependencies # For example for Node - #- uses: actions/setup-node@v3 + #- uses: actions/setup-node@v4 # with: - # node-version: 16 + # node-version: 20 env: # This is where you will need to introduce the Snyk API token created with your Snyk account diff --git a/deployments/azure-functions-app-nodejs.yml b/deployments/azure-functions-app-nodejs.yml index 6c2e45c..69d3d27 100644 --- a/deployments/azure-functions-app-nodejs.yml +++ b/deployments/azure-functions-app-nodejs.yml @@ -27,7 +27,7 @@ on: env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your function app project, defaults to the repository root - NODE_VERSION: '16.x' # set this to the node version to use (e.g. '8.x', '10.x', '12.x') + NODE_VERSION: '20.x' # set this to the node version to use (e.g. '8.x', '10.x', '12.x') jobs: build-and-deploy: @@ -44,7 +44,7 @@ jobs: # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository - name: Setup Node ${{ env.NODE_VERSION }} Environment - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: ${{ env.NODE_VERSION }} diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index 147d4e6..dfa9dbb 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -25,7 +25,7 @@ on: env: AZURE_WEBAPP_NAME: your-app-name # set this to your application's name AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - NODE_VERSION: '14.x' # set this to the node version to use + NODE_VERSION: '20.x' # set this to the node version to use permissions: contents: read @@ -37,7 +37,7 @@ jobs: - uses: actions/checkout@v4 - name: Set up Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' From e656ded9f0017958db40fbd074f083d5b9c29c62 Mon Sep 17 00:00:00 2001 From: Jamie McCarthy Date: Fri, 26 Apr 2024 07:16:34 -0400 Subject: [PATCH 08/23] Reference ruby/setup-ruby with latest commit hash As required in pull_request_template.md --- ci/rubyonrails.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index 17e08b4..b976f3f 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -30,7 +30,7 @@ jobs: uses: actions/checkout@v4 # Add or replace dependency steps here - name: Install Ruby and gems - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@1198b074305f9356bd56dd4b311757cc0dab2f1c # v1.175.1 with: bundler-cache: true # Add or replace database setup steps here @@ -46,7 +46,7 @@ jobs: - name: Checkout code uses: actions/checkout@v4 - name: Install Ruby and gems - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@1198b074305f9356bd56dd4b311757cc0dab2f1c # v1.175.1 with: bundler-cache: true # Add or replace any other lints here From 39131434ed4bd7dcf8071fc2faaaa0ef8a23c4eb Mon Sep 17 00:00:00 2001 From: Cory Miller <13227161+cory-miller@users.noreply.github.com> Date: Wed, 22 May 2024 10:25:41 -0400 Subject: [PATCH 09/23] Fix typo in grade starter workflow --- ci/gradle.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/gradle.yml b/ci/gradle.yml index 65a332b..74dffb5 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -28,7 +28,7 @@ jobs: java-version: '17' distribution: 'temurin' - # Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies. + # Configure Gradle for optimal use in GitHub Actions, including caching of downloaded dependencies. # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md - name: Setup Gradle uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 From 61d42c9d0c8d4a398799a581eb6ce48ca742a2bc Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Thu, 30 May 2024 09:34:08 -0700 Subject: [PATCH 10/23] Update cosign versions --- ci/docker-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 8a042a5..f8e709f 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -41,9 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 + uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0 with: - cosign-release: 'v2.1.1' + cosign-release: 'v2.2.4' # Set up BuildKit Docker container builder to be able to build # multi-platform images and export cache From de925c96d94d3e63cbeb7ff809d8ec64fc331c3b Mon Sep 17 00:00:00 2001 From: yahavi Date: Sat, 1 Jun 2024 18:57:06 +0300 Subject: [PATCH 11/23] Frogbot: Update to 2.21.0 --- code-scanning/frogbot-scan-and-fix.yml | 10 +++------- code-scanning/frogbot-scan-pr.yml | 14 +++++--------- 2 files changed, 8 insertions(+), 16 deletions(-) diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 62eb9ec..549ef8c 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -5,9 +5,9 @@ # Frogbot Scan and Fix does the following: # Automatically creates pull requests with fixes for vulnerable project dependencies. # Uses JFrog Xray to scan the project. -# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot +# Read more about Frogbot here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot -# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md +# Some projects require creating a frogbot-config.yml file. Read more about it here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration name: "Frogbot Scan and Fix" on: @@ -23,11 +23,7 @@ jobs: steps: - uses: actions/checkout@v4 - # IMPORTANT: - # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix - # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md - - - uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0 + - uses: jfrog/frogbot@d01623d0fc8de585c21225f55842f2d2c45cf094 # v2.21.0 env: # [Mandatory if the two conditions below are met] # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index a2e29fa..465405c 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml @@ -5,9 +5,9 @@ # Frogbot Scan Pull Request does the following: # Automatically scans new pull requests for security vulnerabilities. # Uses JFrog Xray to scan the project. -# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot +# Read more about Frogbot here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot -# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md +# Some projects require creating a frogbot-config.yml file. Read more about it here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration name: "Frogbot Scan Pull Request" on: @@ -21,18 +21,14 @@ jobs: runs-on: ubuntu-latest # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the # "frogbot" GitHub environment can approve the pull request to be scanned. - # Read more here (Install Frogbot Using GitHub Actions): https://github.com/jfrog/frogbot/blob/master/docs/install-github.md + # Read more here (Install Frogbot Using GitHub Actions): https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/setup-frogbot-using-github-actions environment: frogbot steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} - # IMPORTANT: - # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix - # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md - - - uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0 + - uses: jfrog/frogbot@d01623d0fc8de585c21225f55842f2d2c45cf094 # v2.21.0 env: # [Mandatory if the two conditions below are met] # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies From 74366efdcd18a2e2f16bf04acdafd8c38625014e Mon Sep 17 00:00:00 2001 From: Antoine Do Nascimento Date: Mon, 3 Jun 2024 17:26:02 +0200 Subject: [PATCH 12/23] Update DataDog/synthetics-ci-github-action workflow --- ci/datadog-synthetics.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/datadog-synthetics.yml b/ci/datadog-synthetics.yml index 7056f87..28a07c7 100644 --- a/ci/datadog-synthetics.yml +++ b/ci/datadog-synthetics.yml @@ -29,7 +29,7 @@ jobs: # Run Synthetic tests within your GitHub workflow. # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci - name: Run Datadog Synthetic tests - uses: DataDog/synthetics-ci-github-action@2b56dc0cca9daa14ab69c0d1d6844296de8f941e + uses: DataDog/synthetics-ci-github-action@c36b031081c29b54513d7faba468ddd5b248baf3 # v1.4.0 with: api_key: ${{secrets.DD_API_KEY}} app_key: ${{secrets.DD_APP_KEY}} From 9f1db534549e072c20d5d1a79e0a4ff45a674caf Mon Sep 17 00:00:00 2001 From: Antoine Vinot Date: Mon, 3 Jun 2024 20:58:42 +0200 Subject: [PATCH 13/23] Update sonarcloud.yml after latest release of the action (#2405) Co-authored-by: Alexis Abril --- code-scanning/sonarcloud.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 41075e4..0e7f274 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -46,13 +46,12 @@ jobs: - name: Analyze with SonarCloud # You can pin the exact commit or the version. - # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 - uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 + # uses: SonarSource/sonarcloud-github-action@v2.2.0 + uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) with: - # Additional arguments for the sonarcloud scanner + # Additional arguments for the SonarScanner CLI args: # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu) # mandatory @@ -60,9 +59,9 @@ jobs: -Dsonar.organization= # Comma-separated paths to directories containing main source files. #-Dsonar.sources= # optional, default is project base directory - # When you need the analysis to take place in a directory other than the one from which it was launched - #-Dsonar.projectBaseDir= # optional, default is . # Comma-separated paths to directories containing test source files. #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. #-Dsonar.verbose= # optional, default is false + # When you need the analysis to take place in a directory other than the one from which it was launched, default is . + projectBaseDir: . From 5a11e5968cb905fe46c844bb8147628cfe226f40 Mon Sep 17 00:00:00 2001 From: Jamie McCarthy Date: Sat, 8 Jun 2024 11:47:24 -0400 Subject: [PATCH 14/23] Reference latest ruby/setup-ruby (1.179.1) with commit hash Can build ruby 3.1.6 and 3.3.2 --- ci/rubyonrails.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index b976f3f..f3177e2 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -30,7 +30,7 @@ jobs: uses: actions/checkout@v4 # Add or replace dependency steps here - name: Install Ruby and gems - uses: ruby/setup-ruby@1198b074305f9356bd56dd4b311757cc0dab2f1c # v1.175.1 + uses: ruby/setup-ruby@78c01b705fd9d5ad960d432d3a0cfa341d50e410 # v1.179.1 with: bundler-cache: true # Add or replace database setup steps here @@ -46,7 +46,7 @@ jobs: - name: Checkout code uses: actions/checkout@v4 - name: Install Ruby and gems - uses: ruby/setup-ruby@1198b074305f9356bd56dd4b311757cc0dab2f1c # v1.175.1 + uses: ruby/setup-ruby@78c01b705fd9d5ad960d432d3a0cfa341d50e410 # v1.179.1 with: bundler-cache: true # Add or replace any other lints here From 0321f5f585a59bc25d0a7885165edf7f63b2d2f2 Mon Sep 17 00:00:00 2001 From: Jamie McCarthy Date: Sat, 8 Jun 2024 12:19:48 -0400 Subject: [PATCH 15/23] Run lint with binstubs --- ci/rubyonrails.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index f3177e2..ad3ac88 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -49,10 +49,12 @@ jobs: uses: ruby/setup-ruby@78c01b705fd9d5ad960d432d3a0cfa341d50e410 # v1.179.1 with: bundler-cache: true + - name: Generate binstubs + run: bundle binstubs bundler-audit brakeman rubocop # Add or replace any other lints here - name: Security audit dependencies - run: bundle exec bundle-audit --update + run: bin/bundler-audit --update - name: Security audit application code - run: bundle exec brakeman -q -w2 + run: bin/brakeman -q -w2 - name: Lint Ruby files - run: bundle exec rubocop --parallel + run: bin/rubocop --parallel From 647cac4f347894582e3fd841b84b0b2c6485b23d Mon Sep 17 00:00:00 2001 From: alankuo-aws <151653677+alankuo-aws@users.noreply.github.com> Date: Mon, 17 Jun 2024 16:32:21 -0400 Subject: [PATCH 16/23] Update policy validator starter workflows (#2433) * Update policy validator starter workflows * Fix reference policy argument --- code-scanning/policy-validator-cfn.yaml | 24 +++++++++++++++++++----- code-scanning/policy-validator-tf.yaml | 22 ++++++++++++++++++---- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/code-scanning/policy-validator-cfn.yaml b/code-scanning/policy-validator-cfn.yaml index b2cd163..8d32ce1 100644 --- a/code-scanning/policy-validator-cfn.yaml +++ b/code-scanning/policy-validator-cfn.yaml @@ -20,7 +20,8 @@ env: AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1 TEMPLATE_PATH: FILE_PATH_TO_CFN_TEMPLATE # set to the file path to the CloudFormation template. - ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's file path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. jobs: @@ -45,7 +46,7 @@ jobs: # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator - name: Run AWS AccessAnalyzer ValidatePolicy check id: run-aws-validate-policy - uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0 + uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2 with: policy-check-type: "VALIDATE_POLICY" template-path: ${{ env.TEMPLATE_PATH}} @@ -57,11 +58,12 @@ jobs: # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator - name: Run AWS AccessAnalyzer CheckAccessNotGranted check id: run-aws-check-access-not-granted - uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0 + uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2 with: policy-check-type: "CHECK_ACCESS_NOT_GRANTED" template-path: ${{ env.TEMPLATE_PATH}} actions: ${{ env.ACTIONS }} + resources: ${{ env.RESOURCES }} region: ${{ env.REGION }} # Print result from CHECK_ACCESS_NOT_GRANTED check - name: Print the result for CheckAccessNotGranted check @@ -71,14 +73,26 @@ jobs: # reference-policy is stored in GitHub secrets - name: Run AWS AccessAnalyzer CheckNoNewAccess check id: run-aws-check-no-new-access - uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0 + uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2 with: policy-check-type: "CHECK_NO_NEW_ACCESS" template-path: ${{ env.TEMPLATE_PATH}} - reference-policy: ${{ env.REFERENCE }} + reference-policy: ${{ env.REFERENCE_POLICY }} reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }} region: ${{env.REGION }} # Print result from CHECK_NO_NEW_ACCESS check - name: Print the result for CheckNoNewAccess check if: success() || failure() run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}" + # Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer CheckNoPublicAccess check + id: run-aws-check-no-public-access + uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2 + with: + policy-check-type: "CHECK_NO_PUBLIC_ACCESS" + template-path: ${{ env.TEMPLATE_PATH }} + region: ${{ env.REGION }} + # Print result from CHECK_NO_PUBLIC_ACCESS check + - name: Print the result for CheckNoPublicAccess check + if: success() || failure() + run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}" diff --git a/code-scanning/policy-validator-tf.yaml b/code-scanning/policy-validator-tf.yaml index 1ca77b5..07f884f 100644 --- a/code-scanning/policy-validator-tf.yaml +++ b/code-scanning/policy-validator-tf.yaml @@ -21,7 +21,8 @@ env: AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1 TEMPLATE_PATH: FILE_PATH_TO_THE_TF_PLAN # set this to the file path to the terraform plan in JSON - ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. @@ -48,7 +49,7 @@ jobs: # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator - name: Run AWS AccessAnalyzer ValidatePolicy check id: run-aws-validate-policy - uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0 + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 with: policy-check-type: "VALIDATE_POLICY" template-path: ${{ env.TEMPLATE_PATH }} @@ -60,11 +61,12 @@ jobs: # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator - name: Run AWS AccessAnalyzer CheckAccessNotGranted check id: run-aws-check-access-not-granted - uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0 + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 with: policy-check-type: "CHECK_ACCESS_NOT_GRANTED" template-path: ${{ env.TEMPLATE_PATH }} actions: ${{ env.ACTIONS }} + resources: ${{ env.RESOURCES }} region: ${{ env.REGION }} # Print result from CHECK_ACCESS_NOT_GRANTED check - name: Print the result for CheckAccessNotGranted check @@ -74,7 +76,7 @@ jobs: # reference-policy is stored in GitHub secrets - name: Run AWS AccessAnalyzer CheckNoNewAccess check id: run-aws-check-no-new-access - uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0 + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 with: policy-check-type: "CHECK_NO_NEW_ACCESS" template-path: ${{ env.TEMPLATE_PATH }} @@ -85,3 +87,15 @@ jobs: - name: Print the result CheckNoNewAccess check if: success() || failure() run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}" + # Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer CheckNoPublicAccess check + id: run-aws-check-no-public-access + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 + with: + policy-check-type: "CHECK_NO_PUBLIC_ACCESS" + template-path: ${{ env.TEMPLATE_PATH }} + region: ${{ env.REGION }} + # Print result from CHECK_NO_PUBLIC_ACCESS check + - name: Print the result for CheckNoPublicAccess check + if: success() || failure() + run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}" From dc63c580c6738d293a9448f43221325cbe050570 Mon Sep 17 00:00:00 2001 From: Inaki Villar Date: Fri, 21 Jun 2024 11:33:35 -0700 Subject: [PATCH 17/23] Update for gradle/actions@v3.4.2 release --- ci/gradle-publish.yml | 2 +- ci/gradle.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 2af4616..4f36680 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -30,7 +30,7 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Setup Gradle - uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 - name: Build with Gradle run: ./gradlew build diff --git a/ci/gradle.yml b/ci/gradle.yml index 74dffb5..eb756d0 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -31,7 +31,7 @@ jobs: # Configure Gradle for optimal use in GitHub Actions, including caching of downloaded dependencies. # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md - name: Setup Gradle - uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 - name: Build with Gradle Wrapper run: ./gradlew build @@ -40,7 +40,7 @@ jobs: # If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version. # # - name: Setup Gradle - # uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + # uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 # with: # gradle-version: '8.5' # @@ -64,4 +64,4 @@ jobs: # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md - name: Generate and submit dependency graph - uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + uses: gradle/actions/dependency-submission@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 From eb0381de25dd68ef86956335a0f1edb9521591b7 Mon Sep 17 00:00:00 2001 From: yahavi Date: Fri, 28 Jun 2024 15:56:30 +0300 Subject: [PATCH 18/23] Update to 2.21.2 --- code-scanning/frogbot-scan-and-fix.yml | 2 +- code-scanning/frogbot-scan-pr.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 549ef8c..12f8011 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -23,7 +23,7 @@ jobs: steps: - uses: actions/checkout@v4 - - uses: jfrog/frogbot@d01623d0fc8de585c21225f55842f2d2c45cf094 # v2.21.0 + - uses: jfrog/frogbot@5d9c42c30f1169d8be4ba5510b40e75ffcbbc2a9 # v2.21.2 env: # [Mandatory if the two conditions below are met] # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index 465405c..badcef0 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml @@ -28,7 +28,7 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} - - uses: jfrog/frogbot@d01623d0fc8de585c21225f55842f2d2c45cf094 # v2.21.0 + - uses: jfrog/frogbot@5d9c42c30f1169d8be4ba5510b40e75ffcbbc2a9 # v2.21.2 env: # [Mandatory if the two conditions below are met] # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies From 46555797bbd57e663e8505f781c0c4576563c28a Mon Sep 17 00:00:00 2001 From: Antoine Do Nascimento <78449051+AntoineDona@users.noreply.github.com> Date: Fri, 28 Jun 2024 15:00:32 +0200 Subject: [PATCH 19/23] Fix wrong hash --- ci/datadog-synthetics.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/datadog-synthetics.yml b/ci/datadog-synthetics.yml index 28a07c7..0ea0678 100644 --- a/ci/datadog-synthetics.yml +++ b/ci/datadog-synthetics.yml @@ -29,7 +29,7 @@ jobs: # Run Synthetic tests within your GitHub workflow. # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci - name: Run Datadog Synthetic tests - uses: DataDog/synthetics-ci-github-action@c36b031081c29b54513d7faba468ddd5b248baf3 # v1.4.0 + uses: DataDog/synthetics-ci-github-action@87b505388a22005bb8013481e3f73a367b9a53eb # v1.4.0 with: api_key: ${{secrets.DD_API_KEY}} app_key: ${{secrets.DD_APP_KEY}} From e6a84878775b73145774535516f255f521cfc68f Mon Sep 17 00:00:00 2001 From: Joe Mooring Date: Fri, 28 Jun 2024 13:52:35 -0700 Subject: [PATCH 20/23] pages: Update Hugo workflow - Bump version - Set cache directory - Remove outdated environment variable --- pages/hugo.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/pages/hugo.yml b/pages/hugo.yml index 141ad91..b4f316a 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -31,7 +31,7 @@ jobs: build: runs-on: ubuntu-latest env: - HUGO_VERSION: 0.124.1 + HUGO_VERSION: 0.128.0 steps: - name: Install Hugo CLI run: | @@ -50,9 +50,8 @@ jobs: run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true" - name: Build with Hugo env: - # For maximum backward compatibility with Hugo modules + HUGO_CACHEDIR: ${{ runner.temp }}/hugo_cache HUGO_ENVIRONMENT: production - HUGO_ENV: production run: | hugo \ --minify \ From 763a1a60f8e6b874e2ebd4bbb9203789caaecd3a Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 25 Apr 2024 13:24:02 -0400 Subject: [PATCH 21/23] Upload-Sarif: Update all workflows to use Upload-Sarif V3 --- code-scanning/anchore.yml | 2 +- code-scanning/apisec-scan.yml | 2 +- code-scanning/bearer.yml | 2 +- code-scanning/brakeman.yml | 2 +- code-scanning/checkmarx-one.yml | 2 +- code-scanning/checkmarx.yml | 2 +- code-scanning/clj-holmes.yml | 2 +- code-scanning/clj-watson.yml | 2 +- code-scanning/cloudrail.yml | 2 +- code-scanning/codacy.yml | 2 +- code-scanning/codescan.yml | 2 +- code-scanning/contrast-scan.yml | 2 +- code-scanning/credo.yml | 2 +- code-scanning/datree.yml | 2 +- code-scanning/defender-for-devops.yml | 2 +- code-scanning/detekt.yml | 2 +- code-scanning/devskim.yml | 2 +- code-scanning/endorlabs.yml | 2 +- code-scanning/eslint.yml | 2 +- code-scanning/ethicalcheck.yml | 2 +- code-scanning/flawfinder.yml | 2 +- code-scanning/hadolint.yml | 2 +- code-scanning/kubesec.yml | 2 +- code-scanning/lintr.yml | 2 +- code-scanning/mayhem-for-api.yml | 2 +- code-scanning/mobsf.yml | 2 +- code-scanning/msvc.yml | 2 +- code-scanning/njsscan.yml | 2 +- code-scanning/nowsecure.yml | 2 +- code-scanning/ossar.yml | 2 +- code-scanning/phpmd.yml | 2 +- code-scanning/pmd.yml | 2 +- code-scanning/powershell.yml | 2 +- code-scanning/prisma.yml | 2 +- code-scanning/psalm.yml | 2 +- code-scanning/puppet-lint.yml | 2 +- code-scanning/rubocop.yml | 2 +- code-scanning/rust-clippy.yml | 2 +- code-scanning/scorecard.yml | 2 +- code-scanning/securitycodescan.yml | 2 +- code-scanning/semgrep.yml | 2 +- code-scanning/snyk-container.yml | 2 +- code-scanning/snyk-infrastructure.yml | 2 +- code-scanning/snyk-security.yml | 2 +- code-scanning/sobelow.yml | 2 +- code-scanning/synopsys-io.yml | 2 +- code-scanning/sysdig-scan.yml | 2 +- code-scanning/tfsec.yml | 2 +- code-scanning/trivy.yml | 2 +- code-scanning/veracode.yml | 2 +- code-scanning/xanitizer.yml | 2 +- code-scanning/zscaler-iac-scan.yml | 2 +- code-scanning/zscan.yml | 2 +- 53 files changed, 53 insertions(+), 53 deletions(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 2bbc55e..8ada351 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -43,6 +43,6 @@ jobs: fail-build: true severity-cutoff: critical - name: Upload vulnerability report - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.scan.outputs.sarif }} diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 34defa9..f425ca8 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -66,6 +66,6 @@ jobs: # The name of the sarif format result file The file is written only if this property is provided. sarif-result-file: "apisec-results.sarif" - name: Import results - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ./apisec-results.sarif diff --git a/code-scanning/bearer.yml b/code-scanning/bearer.yml index 7971be9..b384d82 100644 --- a/code-scanning/bearer.yml +++ b/code-scanning/bearer.yml @@ -38,6 +38,6 @@ jobs: exit-code: 0 # Upload SARIF file generated in previous step - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index 0d1cb05..38e572c 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -53,6 +53,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: output.sarif.json diff --git a/code-scanning/checkmarx-one.yml b/code-scanning/checkmarx-one.yml index 7feeb25..ae326bd 100644 --- a/code-scanning/checkmarx-one.yml +++ b/code-scanning/checkmarx-one.yml @@ -49,7 +49,7 @@ jobs: cx_tenant: ${{ secrets.CX_TENANT }} # This should be replaced by your tenant for Checkmarx One additional_params: --report-format sarif --output-path . - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository sarif_file: cx_result.sarif diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index b4a99f3..5406860 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -50,6 +50,6 @@ jobs: params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }} # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: cx.sarif diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index 87f11cb..2d919a5 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml @@ -38,7 +38,7 @@ jobs: fail-on-result: 'false' - name: Upload analysis results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{github.workspace}}/clj-holmes-results.sarif wait-for-processing: true diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml index 59bfd41..b0a7443 100644 --- a/code-scanning/clj-watson.yml +++ b/code-scanning/clj-watson.yml @@ -48,7 +48,7 @@ jobs: fail-on-result: false - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{github.workspace}}/clj-watson-results.sarif wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml index 8273881..846c43d 100644 --- a/code-scanning/cloudrail.yml +++ b/code-scanning/cloudrail.yml @@ -50,7 +50,7 @@ jobs: cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 # Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always() # is needed to ensure the SARIF file is uploaded if: always() diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index c3cd9f5..2f2acc3 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -56,6 +56,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index c4858c6..cb338df 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -44,6 +44,6 @@ jobs: organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }} projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: codescan.sarif diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml index 1950d3a..197779f 100644 --- a/code-scanning/contrast-scan.yml +++ b/code-scanning/contrast-scan.yml @@ -48,6 +48,6 @@ jobs: authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} #Upload the results to GitHub - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output diff --git a/code-scanning/credo.yml b/code-scanning/credo.yml index 8c8c8be..5a322a4 100644 --- a/code-scanning/credo.yml +++ b/code-scanning/credo.yml @@ -55,7 +55,7 @@ jobs: - name: credo-scan run: mix credo --format=sarif > credo_output.sarif - name: upload sarif - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository sarif_file: credo_output.sarif diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml index a892cf8..a98eabe 100644 --- a/code-scanning/datree.yml +++ b/code-scanning/datree.yml @@ -42,6 +42,6 @@ jobs: # Setting a SARIF output will generate a file named "datree.sarif" containing your test results cliArguments: "-o sarif" - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: datree.sarif diff --git a/code-scanning/defender-for-devops.yml b/code-scanning/defender-for-devops.yml index 07aa7d1..59eaaa7 100644 --- a/code-scanning/defender-for-devops.yml +++ b/code-scanning/defender-for-devops.yml @@ -42,6 +42,6 @@ jobs: uses: microsoft/security-devops-action@v1.6.0 id: msdo - name: Upload results to Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.msdo.outputs.sarifFile }} diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index 76a116b..2d6293b 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml @@ -111,7 +111,7 @@ jobs: )" > ${{ github.workspace }}/detekt.sarif.json # Uploads results to GitHub repository using the upload-sarif action - - uses: github/codeql-action/upload-sarif@v2 + - uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository sarif_file: ${{ github.workspace }}/detekt.sarif.json diff --git a/code-scanning/devskim.yml b/code-scanning/devskim.yml index 98daab8..794986a 100644 --- a/code-scanning/devskim.yml +++ b/code-scanning/devskim.yml @@ -29,6 +29,6 @@ jobs: uses: microsoft/DevSkim-Action@v1 - name: Upload DevSkim scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: devskim-results.sarif diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index 670fe62..7f3951a 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml @@ -46,6 +46,6 @@ jobs: ci_run: "false" sarif_file: findings.sarif - name: Upload SARIF to github - uses: github/codeql-action/upload-sarif@9885f86fab4879632b7e44514f19148225dfbdcd + uses: github/codeql-action/upload-sarif@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3.25.2 with: sarif_file: findings.sarif diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml index 876ea2b..7304e83 100644 --- a/code-scanning/eslint.yml +++ b/code-scanning/eslint.yml @@ -44,7 +44,7 @@ jobs: continue-on-error: true - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: eslint-results.sarif wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/ethicalcheck.yml b/code-scanning/ethicalcheck.yml index a68d0a2..fac8a74 100644 --- a/code-scanning/ethicalcheck.yml +++ b/code-scanning/ethicalcheck.yml @@ -63,7 +63,7 @@ jobs: sarif-result-file: "ethicalcheck-results.sarif" - name: Upload sarif file to repository - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ./ethicalcheck-results.sarif diff --git a/code-scanning/flawfinder.yml b/code-scanning/flawfinder.yml index d564b68..d3898b6 100644 --- a/code-scanning/flawfinder.yml +++ b/code-scanning/flawfinder.yml @@ -33,6 +33,6 @@ jobs: output: 'flawfinder_results.sarif' - name: Upload analysis results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{github.workspace}}/flawfinder_results.sarif \ No newline at end of file diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml index 2d901a4..eacbabb 100644 --- a/code-scanning/hadolint.yml +++ b/code-scanning/hadolint.yml @@ -41,7 +41,7 @@ jobs: no-fail: true - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: hadolint-results.sarif wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml index 98fd8e0..750acc7 100644 --- a/code-scanning/kubesec.yml +++ b/code-scanning/kubesec.yml @@ -36,6 +36,6 @@ jobs: exit-code: "0" - name: Upload Kubesec scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: kubesec-results.sarif \ No newline at end of file diff --git a/code-scanning/lintr.yml b/code-scanning/lintr.yml index 01ce719..7bb83e3 100644 --- a/code-scanning/lintr.yml +++ b/code-scanning/lintr.yml @@ -49,7 +49,7 @@ jobs: continue-on-error: true - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: lintr-results.sarif wait-for-processing: true diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml index 9e533fe..93b0dd2 100644 --- a/code-scanning/mayhem-for-api.yml +++ b/code-scanning/mayhem-for-api.yml @@ -61,6 +61,6 @@ jobs: sarif-report: mapi.sarif - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: mapi.sarif diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 9f876ae..05e014e 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -38,6 +38,6 @@ jobs: args: . --sarif --output results.sarif || true - name: Upload mobsfscan report - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 0700989..b8469de 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -54,7 +54,7 @@ jobs: # Upload SARIF file to GitHub Code Scanning Alerts - name: Upload SARIF to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.run-analysis.outputs.sarif }} diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index 8062259..767b967 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -37,6 +37,6 @@ jobs: with: args: '. --sarif --output results.sarif || true' - name: Upload njsscan report - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/code-scanning/nowsecure.yml b/code-scanning/nowsecure.yml index 324a533..5cb6c29 100644 --- a/code-scanning/nowsecure.yml +++ b/code-scanning/nowsecure.yml @@ -47,6 +47,6 @@ jobs: group_id: {{ groupId }} # Update this to your desired Platform group ID - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: NowSecure.sarif diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index ad46e1d..1c7a6d9 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -51,6 +51,6 @@ jobs: # Upload results to the Security tab - name: Upload OSSAR results - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.ossar.outputs.sarifFile }} diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml index 58ca4f8..5ceaabc 100644 --- a/code-scanning/phpmd.yml +++ b/code-scanning/phpmd.yml @@ -51,7 +51,7 @@ jobs: continue-on-error: true - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: phpmd-results.sarif wait-for-processing: true diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index ed5eec9..50524ae 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -38,6 +38,6 @@ jobs: sourcePath: 'src/main/java' analyzeModifiedFilesOnly: false - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: pmd-report.sarif diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index 52f65a0..216f1dc 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -44,6 +44,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 4b84b21..5461f5c 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -49,7 +49,7 @@ jobs: # The service need to know the type of IaC being scanned template_type: 'CFT' - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 # Results are generated only on a success or failure # this is required since GitHub by default won't run the next step # when the previous one has failed. diff --git a/code-scanning/psalm.yml b/code-scanning/psalm.yml index dddbfdd..a0563d9 100644 --- a/code-scanning/psalm.yml +++ b/code-scanning/psalm.yml @@ -33,6 +33,6 @@ jobs: uses: psalm/psalm-github-security-scan@f3e6fd9432bc3e44aec078572677ce9d2ef9c287 - name: Upload Security Analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml index e039085..014b0a0 100644 --- a/code-scanning/puppet-lint.yml +++ b/code-scanning/puppet-lint.yml @@ -49,7 +49,7 @@ jobs: continue-on-error: true - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: puppet-lint-results.sarif wait-for-processing: true diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml index feef351..a3e7af8 100644 --- a/code-scanning/rubocop.yml +++ b/code-scanning/rubocop.yml @@ -47,6 +47,6 @@ jobs: " - name: Upload Sarif output - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: rubocop.sarif diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml index 4f50c3e..e4b2508 100644 --- a/code-scanning/rust-clippy.yml +++ b/code-scanning/rust-clippy.yml @@ -49,7 +49,7 @@ jobs: continue-on-error: true - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: rust-clippy-results.sarif wait-for-processing: true diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index 162c788..d7474f9 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml @@ -68,6 +68,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 + uses: github/codeql-action/upload-sarif@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3.25.2 with: sarif_file: results.sarif diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml index 5d5e87b..58cb9c6 100644 --- a/code-scanning/securitycodescan.yml +++ b/code-scanning/securitycodescan.yml @@ -38,4 +38,4 @@ jobs: uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687 - name: Upload sarif - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index f21aa9a..bbf787a 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -43,7 +43,7 @@ jobs: # Upload SARIF file generated in previous step - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: semgrep.sarif if: always() diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index edbea1d..c485691 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml @@ -50,6 +50,6 @@ jobs: image: your/image-to-test args: --file=Dockerfile - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: snyk.sarif diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index a5605a3..f1466b2 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml @@ -49,6 +49,6 @@ jobs: # or `main.tf` for a Terraform configuration file file: your-file-to-test.yaml - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: snyk.sarif diff --git a/code-scanning/snyk-security.yml b/code-scanning/snyk-security.yml index 4941e00..8f23020 100644 --- a/code-scanning/snyk-security.yml +++ b/code-scanning/snyk-security.yml @@ -74,6 +74,6 @@ jobs: # Push the Snyk Code results into GitHub Code Scanning tab - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: snyk-code.sarif diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml index 6dd4ffe..cfbf1f4 100644 --- a/code-scanning/sobelow.yml +++ b/code-scanning/sobelow.yml @@ -36,6 +36,6 @@ jobs: - id: run-action uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912 - name: Upload report - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml index df50d9d..6e245d7 100644 --- a/code-scanning/synopsys-io.yml +++ b/code-scanning/synopsys-io.yml @@ -71,7 +71,7 @@ jobs: - name: Upload SARIF file if: ${{steps.prescription.outputs.sastScan == 'true' }} - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository sarif_file: workflowengine-results.sarif.json diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index c9a0edb..11fd8b7 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -55,7 +55,7 @@ jobs: # Sysdig inline scanner requires privileged rights run-as-user: root - - uses: github/codeql-action/upload-sarif@v2 + - uses: github/codeql-action/upload-sarif@v3 #Upload SARIF file if: always() with: diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 388fc37..c8ef49c 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -32,7 +32,7 @@ jobs: sarif_file: tfsec.sarif - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository sarif_file: tfsec.sarif diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index ec90221..7180f72 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -43,6 +43,6 @@ jobs: severity: 'CRITICAL,HIGH' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index 379493f..c1b9b33 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -53,7 +53,7 @@ jobs: uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be with: pipeline-results-json: results.json - - uses: github/codeql-action/upload-sarif@v2 + - uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository sarif_file: veracode-results.sarif diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 32c977e..0f96c5a 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -95,6 +95,6 @@ jobs: *-Findings-List.sarif # Uploads the findings into the GitHub code scanning alert section using the upload-sarif action - - uses: github/codeql-action/upload-sarif@v2 + - uses: github/codeql-action/upload-sarif@v3 with: sarif_file: Xanitizer-Findings-List.sarif diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml index 7a2fc00..523c495 100644 --- a/code-scanning/zscaler-iac-scan.yml +++ b/code-scanning/zscaler-iac-scan.yml @@ -51,6 +51,6 @@ jobs: #Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository. - name: Upload SARIF file if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }} - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }} diff --git a/code-scanning/zscan.yml b/code-scanning/zscan.yml index 018e473..9c9b303 100644 --- a/code-scanning/zscan.yml +++ b/code-scanning/zscan.yml @@ -55,6 +55,6 @@ jobs: app_file: app-release-unsigned.apk - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: Zimperium.sarif From 570cd926cd9d81217009010cf740cb6e18bf4267 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Mon, 29 Jul 2024 14:37:50 -0400 Subject: [PATCH 22/23] Switch github upload sarif to tag GitHub owed actions are allowed to use tags instead of SHAs Co-authored-by: Jacob Wallraff --- code-scanning/endorlabs.yml | 2 +- code-scanning/scorecard.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index 7f3951a..cea041d 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml @@ -46,6 +46,6 @@ jobs: ci_run: "false" sarif_file: findings.sarif - name: Upload SARIF to github - uses: github/codeql-action/upload-sarif@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3.25.2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: findings.sarif diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index d7474f9..b58ec1f 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml @@ -68,6 +68,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3.25.2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif From 47f69d786f0bb6108917098d195cd3a9ff64ee00 Mon Sep 17 00:00:00 2001 From: Jacob Wallraff Date: Tue, 30 Jul 2024 10:17:07 -0700 Subject: [PATCH 23/23] Revert "Artifacts: Update all workflows to use Artifacts V4" --- ci/dotnet-desktop.yml | 4 ++-- code-scanning/msvc.yml | 2 +- code-scanning/scorecard.yml | 2 +- code-scanning/xanitizer.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 4 ++-- deployments/azure-webapps-java-jar-gradle.yml | 4 ++-- deployments/azure-webapps-java-jar.yml | 4 ++-- deployments/azure-webapps-node.yml | 4 ++-- deployments/azure-webapps-php.yml | 4 ++-- deployments/azure-webapps-python.yml | 4 ++-- 10 files changed, 17 insertions(+), 17 deletions(-) diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index 400a721..ad99b56 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -109,7 +109,7 @@ jobs: # Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact - name: Upload build artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v3 with: - name: MSIX Package ${{ matrix.configuration }} + name: MSIX Package path: ${{ env.Wap_Project_Directory }}\AppPackages diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index b905ef8..0700989 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -60,7 +60,7 @@ jobs: # Upload SARIF file as an Artifact to download and view # - name: Upload SARIF as an Artifact - # uses: actions/upload-artifact@v4 + # uses: actions/upload-artifact@v3 # with: # name: sarif-file # path: ${{ steps.run-analysis.outputs.sarif }} diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index 729d741..162c788 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml @@ -59,7 +59,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 with: name: SARIF file path: results.sarif diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 2fd110a..32c977e 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -87,7 +87,7 @@ jobs: license: ${{ secrets.XANITIZER_LICENSE }} # Archiving the findings list reports - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v3 with: name: Xanitizer-Reports path: | diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 64124e5..b4bfafb 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -59,7 +59,7 @@ jobs: run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp - name: Upload artifact for deployment job - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v3 with: name: .net-app path: ${{env.DOTNET_ROOT}}/myapp @@ -75,7 +75,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v3 with: name: .net-app diff --git a/deployments/azure-webapps-java-jar-gradle.yml b/deployments/azure-webapps-java-jar-gradle.yml index a066d89..63a45cc 100644 --- a/deployments/azure-webapps-java-jar-gradle.yml +++ b/deployments/azure-webapps-java-jar-gradle.yml @@ -50,7 +50,7 @@ jobs: run: gradle build - name: Upload artifact for deployment job - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v3 with: name: java-app path: '${{ github.workspace }}/build/libs/*.jar' @@ -66,7 +66,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v3 with: name: java-app diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index f6c17a9..608fb8e 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -50,7 +50,7 @@ jobs: run: mvn clean install - name: Upload artifact for deployment job - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v3 with: name: java-app path: '${{ github.workspace }}/target/*.jar' @@ -66,7 +66,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v3 with: name: java-app diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index 891a7d6..147d4e6 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -49,7 +49,7 @@ jobs: npm run test --if-present - name: Upload artifact for deployment job - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v3 with: name: node-app path: . @@ -65,7 +65,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v3 with: name: node-app diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 3391c83..1182c2a 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -70,7 +70,7 @@ jobs: run: composer validate --no-check-publish && composer install --prefer-dist --no-progress - name: Upload artifact for deployment job - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v3 with: name: php-app path: . @@ -86,7 +86,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v3 with: name: php-app diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index e4868c4..656f95c 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -55,7 +55,7 @@ jobs: # Optional: Add step to run tests here (PyTest, Django test suites, etc.) - name: Upload artifact for deployment jobs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v3 with: name: python-app path: | @@ -73,7 +73,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v3 with: name: python-app path: .