diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 752dd99..9b6c10f 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -26,7 +26,7 @@ It is not: - [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests"). - [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build"). - [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification. -- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully. +- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully. **For _CI_ workflows, the workflow:** @@ -38,7 +38,7 @@ It is not: **For _Code Scanning_ workflows, the workflow:** -- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/ci). +- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/code-scanning). - [ ] Should include a matching `code-scanning/properties/*.properties.json` file (for example, [`code-scanning/properties/codeql.properties.json`](https://github.com/actions/starter-workflows/blob/main/code-scanning/properties/codeql.properties.json)), with properties set as follows: - [ ] `name`: Name of the Code Scanning integration. - [ ] `organization`: Name of the organization producing the Code Scanning integration. diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index fb9c623..aba7780 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -18,7 +18,9 @@ jobs: git config user.name "GitHub Actions" - uses: actions/setup-node@v3 with: - node-version: '12' + node-version: '16' + cache: 'npm' + cache-dependency-path: script/sync-ghes/package-lock.json - name: Check starter workflows for GHES compat run: | npm ci diff --git a/.github/workflows/validate-data.yaml b/.github/workflows/validate-data.yaml index d2ac9a5..7f8701d 100644 --- a/.github/workflows/validate-data.yaml +++ b/.github/workflows/validate-data.yaml @@ -14,7 +14,9 @@ jobs: - uses: actions/setup-node@v3 with: - node-version: "12" + node-version: '16' + cache: 'npm' + cache-dependency-path: script/validate-data/package-lock.json - name: Validate workflows run: | diff --git a/automation/greetings.yml b/automation/greetings.yml index 18ba13f..4677434 100644 --- a/automation/greetings.yml +++ b/automation/greetings.yml @@ -12,5 +12,5 @@ jobs: - uses: actions/first-interaction@v1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - issue-message: 'Message that will be displayed on users first issue' - pr-message: 'Message that will be displayed on users first pull request' + issue-message: "Message that will be displayed on users' first issue" + pr-message: "Message that will be displayed on users' first pull request" diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 2f68e66..e88539d 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -41,9 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@d6a3abf1bdea83574e28d40543793018b6035605 + uses: sigstore/cosign-installer@7e0881f8fe90b25e305bbf0309761e9314607e25 with: - cosign-release: 'v1.7.1' + cosign-release: 'v1.9.0' # Workaround: https://github.com/docker/build-push-action/issues/461 @@ -90,4 +90,4 @@ jobs: COSIGN_EXPERIMENTAL: "true" # This step uses the identity token to provision an ephemeral certificate # against the sigstore community Fulcio instance. - run: cosign sign ${{ steps.meta.outputs.tags }}@${{ steps.build-and-push.outputs.digest }} + run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index 00a78c7..bd2cb2e 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -71,7 +71,7 @@ jobs: - name: Install .NET Core uses: actions/setup-dotnet@v2 with: - dotnet-version: 5.0.x + dotnet-version: 6.0.x # Add MSBuild to the PATH: https://github.com/microsoft/setup-msbuild - name: Setup MSBuild.exe diff --git a/ci/dotnet.yml b/ci/dotnet.yml index 5974d4a..a8eccab 100644 --- a/ci/dotnet.yml +++ b/ci/dotnet.yml @@ -16,7 +16,7 @@ jobs: - name: Setup .NET uses: actions/setup-dotnet@v2 with: - dotnet-version: 5.0.x + dotnet-version: 6.0.x - name: Restore dependencies run: dotnet restore - name: Build diff --git a/ci/go-ossf-slsa3-publish.yml b/ci/go-ossf-slsa3-publish.yml new file mode 100644 index 0000000..a738875 --- /dev/null +++ b/ci/go-ossf-slsa3-publish.yml @@ -0,0 +1,38 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow lets you compile your Go project using a SLSA3 compliant builder. +# This workflow will generate a so-called "provenance" file describing the steps +# that were performed to generate the final binary. +# The project is an initiative of the OpenSSF (openssf.org) and is developed at +# https://github.com/slsa-framework/slsa-github-generator. +# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. +# For more information about SLSA and how it improves the supply-chain, visit slsa.dev. + +name: SLSA Go releaser +on: + workflow_dispatch: + release: + types: [created] + +permissions: read-all + +jobs: + # ======================================================================================================================================== + # Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project. + # See format in https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file + #========================================================================================================================================= + build: + permissions: + id-token: write # To sign. + contents: write # To upload release assets. + actions: read # To read workflow path. + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.0 + with: + go-version: 1.17 + # ============================================================================================================= + # Optional: For more options, see https://github.com/slsa-framework/slsa-github-generator#golang-projects + # ============================================================================================================= + diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 9aeb2b8..42eae27 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -30,14 +30,14 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Build with Gradle - uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee + uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1 with: arguments: build # The USERNAME and TOKEN need to correspond to the credentials environment variables used in # the publishing section of your build.gradle - name: Publish to GitHub Packages - uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee + uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1 with: arguments: publish env: diff --git a/ci/gradle.yml b/ci/gradle.yml index 4642c75..0c0f12c 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -29,6 +29,6 @@ jobs: java-version: '11' distribution: 'temurin' - name: Build with Gradle - uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee + uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1 with: arguments: build diff --git a/ci/properties/go-ossf-slsa3-publish.properties.json b/ci/properties/go-ossf-slsa3-publish.properties.json new file mode 100644 index 0000000..2d58eaf --- /dev/null +++ b/ci/properties/go-ossf-slsa3-publish.properties.json @@ -0,0 +1,7 @@ +{ + "name": "SLSA Go releaser", + "creator": "Open Source Security Foundation (OpenSSF)", + "description": "Compile your Go project using a SLSA3 compliant builder", + "iconName": "go-ossf-slsa3-publish", + "categories": ["Continuous integration", "Go"] +} diff --git a/ci/scala.yml b/ci/scala.yml index c985f74..6f80a22 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -21,5 +21,6 @@ jobs: with: java-version: '11' distribution: 'temurin' + cache: 'sbt' - name: Run tests run: sbt test diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 6f52d5d..a3d2eed 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -28,6 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - name: Checkout the code @@ -39,6 +40,7 @@ jobs: with: image: "localbuild/testimage:latest" acs-report-enable: true + fail-build: false - name: Upload Anchore Scan Report uses: github/codeql-action/upload-sarif@v2 with: diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index 297cae0..e060654 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -37,7 +37,7 @@ jobs: - uses: actions/checkout@v3 # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs - name: Checkmarx CxFlow Action - uses: checkmarx-ts/checkmarx-cxflow-github-action@9975af7d6b957abec9ee9646effa3fb3b82c5314 + uses: checkmarx-ts/checkmarx-cxflow-github-action@49d8269b14ca87910ba003d47a31fa0c7a11f2fe with: project: ${{ secrets.CHECKMARX_PROJECT }} team: ${{ secrets.CHECKMARX_TEAMS }} @@ -46,7 +46,7 @@ jobs: checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} scanners: sast - params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory + params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }} # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml new file mode 100644 index 0000000..61ffd7a --- /dev/null +++ b/code-scanning/contrast-scan.yml @@ -0,0 +1,52 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow will initiate a Contrast Scan on your built artifact, and subsequently upload the results SARIF to Github. +# Because Contrast Scan is designed to run against your deployable artifact, you need to build an artifact that will be passed to the Contrast Scan Action. +# Contrast Scan currently supports Java, JavaScript and .NET artifacts. +# For more information about the Contrast Scan GitHub Action see here: https://github.com/Contrast-Security-OSS/contrastscan-action + +# Pre-requisites: +# All Contrast related account secrets should be configured as GitHub secrets to be passed as inputs to the Contrast Scan Action. +# The required secrets are CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID and CONTRAST_AUTH_HEADER. + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +name: Scan analyze workflow +jobs: + build-and-scan: + permissions: + contents: read # for actions/checkout + security-events: write # for github/codeql-action/upload-sarif + runs-on: ubuntu-latest + # check out project + steps: + - uses: actions/checkout@v3 + # Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here. + # -name: Build Project + # ... + # Scan Artifact + - name: Contrast Scan Action + uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1 + with: + artifact: mypath/target/myartifact.jar # replace this path with the path to your built artifact + apiKey: ${{ secrets.CONTRAST_API_KEY }} + orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }} + authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} + #Upload the results to GitHub + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output diff --git a/code-scanning/crda.yml b/code-scanning/crda.yml new file mode 100644 index 0000000..d5bb88f --- /dev/null +++ b/code-scanning/crda.yml @@ -0,0 +1,126 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow performs a static analysis of your source code using +# Red Hat CodeReady Dependency Analytics. + +# Scans are triggered: +# 1. On every push to default and protected branches +# 2. On every Pull Request targeting the default branch +# 3. On a weekly schedule +# 4. Manually, on demand, via the "workflow_dispatch" event + +# 💁 The CRDA Starter workflow will: +# - Checkout your repository +# - Setup the required tool stack +# - Install the CRDA command line tool +# - Auto detect the manifest file and install the project's dependencies +# - Perform the security scan using CRDA +# - Upload the SARIF result to the GitHub Code Scanning which can be viewed under the security tab +# - Optionally upload the SARIF file as an artifact for the future reference + +# â„šī¸ Configure your repository and the workflow with the following steps: +# 1. Setup the tool stack based on the project's requirement. +# Refer to: https://github.com/redhat-actions/crda/#1-set-up-the-tool-stack +# 2. (Optional) CRDA action attempt to detect the language and install the +# required dependencies for your project. If your project doesn't aligns +# with the default dependency installation command mentioned here +# https://github.com/redhat-actions/crda/#3-installing-dependencies. +# Use the required inputs to setup the same +# 3. (Optional) CRDA action attempts to detect the manifest file if it is +# present in the root of the project and named as per the default mentioned +# here https://github.com/redhat-actions/crda/#3-installing-dependencies. +# If it deviates from the default, use the required inputs to setup the same +# 4. Setup Authentication - Create the CRDA_KEY or SNYK_TOKEN. +# Refer to: https://github.com/redhat-actions/crda/#4-set-up-authentication +# 5. (Optional) Upload SARIF file as an Artifact to download and view +# 6. Commit and push the workflow file to your default branch to trigger a workflow run. + +# 👋 Visit our GitHub organization at https://github.com/redhat-actions/ to see our actions and provide feedback. + +name: CRDA Scan + +# Controls when the workflow will run +on: + # TODO: Customize trigger events based on your DevSecOps processes + # + # This workflow is made to run with OpenShift starter workflow + # https://github.com/actions/starter-workflows/blob/main/deployments/openshift.yml + # However, if you want to run this workflow as a standalone workflow, please + # uncomment the 'push' trigger below and configure it based on your requirements. + # + workflow_call: + secrets: + CRDA_KEY: + required: false + SNYK_TOKEN: + required: false + workflow_dispatch: + + # push: + # branches: [ $default-branch, $protected-branches ] + + # pull_request_target is used to securely share secret to the PR's workflow run. + # For more info visit: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target + pull_request_target: + branches: [ $default-branch ] + types: [ assigned, opened, synchronize, reopened, labeled, edited ] + +permissions: + contents: read + +jobs: + crda-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for redhat-actions/crda to upload SARIF results + name: Scan project vulnerabilities with CRDA + runs-on: ubuntu-20.04 + steps: + + - name: Check out repository + uses: actions/checkout@v2 + + # ******************************************************************* + # Required: Instructions to setup project + # 1. Setup Go, Java, Node.js or Python depending on your project type + # 2. Setup Actions are listed below, choose one from them: + # - Go: https://github.com/actions/setup-go + # - Java: https://github.com/actions/setup-java + # - Node.js: https://github.com/actions/setup-node + # - Python: https://github.com/actions/setup-python + # + # Example: + # - name: Setup Node + # uses: actions/setup-node@v2 + # with: + # node-version: '14' + + # https://github.com/redhat-actions/openshift-tools-installer/blob/main/README.md + - name: Install CRDA CLI + uses: redhat-actions/openshift-tools-installer@v1 + with: + source: github + github_pat: ${{ github.token }} + # Choose the desired version of the CRDA CLI + crda: "latest" + + ###################################################################################### + # https://github.com/redhat-actions/crda/blob/main/README.md + # + # By default, CRDA will detect the manifest file and install the required dependencies + # using the standard command for the project type. + # If your project doesn't aligns with the defaults mentioned in this action, you will + # need to set few inputs that are described here: + # https://github.com/redhat-actions/crda/blob/main/README.md#3-installing-dependencies + # Visit https://github.com/redhat-actions/crda/#4-set-up-authentication to understand + # process to get a SNYK_TOKEN or a CRDA_KEY + - name: CRDA Scan + id: scan + uses: redhat-actions/crda@v1 + with: + crda_key: ${{ secrets.CRDA_KEY }} # Either use crda_key or snyk_token + # snyk_token: ${{ secrets.SNYK_TOKEN }} + # upload_artifact: false # Set this to false to skip artifact upload diff --git a/code-scanning/crunch42.yml b/code-scanning/crunch42.yml index 07cd73a..1ac846e 100644 --- a/code-scanning/crunch42.yml +++ b/code-scanning/crunch42.yml @@ -46,7 +46,7 @@ jobs: - uses: actions/checkout@v3 - name: 42Crunch REST API Static Security Testing - uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1 + uses: 42Crunch/api-security-audit-action@f3a4f4d44ca6f538fe84361373d7a2a374018fdd with: # Please create free account at https://platform.42crunch.com/register # Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 0e72a00..fe461b4 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -1,6 +1,6 @@ # Dependency Review Action # -# This Action will scan dependency manifest files that change as part of a Pull Reqest, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. +# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. # # Source repository: https://github.com/actions/dependency-review-action # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement @@ -17,4 +17,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@v3 - name: 'Dependency Review' - uses: actions/dependency-review-action@v1 + uses: actions/dependency-review-action@v2 diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml new file mode 100644 index 0000000..2f554e4 --- /dev/null +++ b/code-scanning/hadolint.yml @@ -0,0 +1,47 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# hadoint is a Dockerfile linter written in Haskell +# that helps you build best practice Docker images. +# More details at https://github.com/hadolint/hadolint + +name: Hadolint + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + hadolint: + name: Run hadolint scanning + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Run hadolint + uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183 + with: + dockerfile: ./Dockerfile + format: sarif + output-file: hadolint-results.sarif + no-fail: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: hadolint-results.sarif + wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml new file mode 100644 index 0000000..91f4b2d --- /dev/null +++ b/code-scanning/phpmd.yml @@ -0,0 +1,56 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# PHPMD is a spin-off project of PHP Depend and +# aims to be a PHP equivalent of the well known Java tool PMD. +# What PHPMD does is: It takes a given PHP source code base +# and look for several potential problems within that source. +# These problems can be things like: +# Possible bugs +# Suboptimal code +# Overcomplicated expressions +# Unused parameters, methods, properties +# More details at https://phpmd.org/ + +name: PHPMD + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + PHPMD: + name: Run PHPMD scanning + runs-on: ubuntu-latest + permissions: + contents: read # for checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Setup PHP + uses: shivammathur/setup-php@aa1fe473f9c687b6fb896056d771232c0bc41161 + with: + coverage: none + tools: phpmd + + - name: Run PHPMD + run: phpmd . sarif codesize --reportfile phpmd-results.sarif + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: phpmd-results.sarif + wait-for-processing: true diff --git a/code-scanning/properties/contrast-scan.properties.json b/code-scanning/properties/contrast-scan.properties.json new file mode 100644 index 0000000..67369b8 --- /dev/null +++ b/code-scanning/properties/contrast-scan.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Contrast Scan", + "creator": "Contrast Security Inc", + "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerabilities to the repository.", + "iconName": "contrast", + "categories": ["Code Scanning", "java", "javascript", "dotnet"] +} \ No newline at end of file diff --git a/code-scanning/properties/crda.properties.json b/code-scanning/properties/crda.properties.json new file mode 100644 index 0000000..9e1a7ac --- /dev/null +++ b/code-scanning/properties/crda.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Red Hat CodeReady Dependency Analytics", + "creator": "Red Hat", + "description": "Scan your project's dependencies with CodeReady Dependency Analytics.", + "iconName": "openshift", + "categories": ["Code Scanning", "Go", "Python", "Node.js", "Java"] +} diff --git a/code-scanning/properties/hadolint.properties.json b/code-scanning/properties/hadolint.properties.json new file mode 100644 index 0000000..b4f7141 --- /dev/null +++ b/code-scanning/properties/hadolint.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Haskell Dockerfile Linter", + "description": "A smarter Dockerfile linter that helps you build best practice Docker images.", + "iconName": "hadolint", + "categories": ["Code Scanning", "Dockerfile"] +} \ No newline at end of file diff --git a/code-scanning/properties/phpmd.properties.json b/code-scanning/properties/phpmd.properties.json new file mode 100644 index 0000000..bd95bf9 --- /dev/null +++ b/code-scanning/properties/phpmd.properties.json @@ -0,0 +1,6 @@ +{ + "name": "PHPMD", + "description": "A spin-off project of PHP Depend and aims to be a PHP equivalent of the well known Java tool PMD.", + "iconName": "phpmd", + "categories": [ "Code Scanning", "PHP" ] +} \ No newline at end of file diff --git a/code-scanning/properties/puppet-lint.properties.json b/code-scanning/properties/puppet-lint.properties.json new file mode 100644 index 0000000..62ebd9e --- /dev/null +++ b/code-scanning/properties/puppet-lint.properties.json @@ -0,0 +1,6 @@ +{ + "name": "puppet-lint", + "description": "Puppet Lint tests Puppet code against the recommended Puppet language style guide.", + "iconName": "puppet-lint", + "categories": [ "Code Scanning", "Puppet" ] +} \ No newline at end of file diff --git a/code-scanning/properties/pyre.properties.json b/code-scanning/properties/pyre.properties.json new file mode 100644 index 0000000..bc12321 --- /dev/null +++ b/code-scanning/properties/pyre.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Pyre", + "creator": "Meta", + "description": "Pyre is a performant type checker for Python compliant with PEP 484. Pyre can analyze codebases with millions of lines of code incrementally – providing instantaneous feedback to developers as they write code.", + "iconName": "pyre", + "categories": ["Code Scanning", "Python"] +} diff --git a/code-scanning/properties/pysa.properties.json b/code-scanning/properties/pysa.properties.json new file mode 100644 index 0000000..1a61c40 --- /dev/null +++ b/code-scanning/properties/pysa.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Pysa", + "creator": "Meta", + "description": "Python Static Analyzer (Pysa) is a security-focused static analysis tool that tracks flows of data from where they originate to where they terminate in a dangerous location.", + "iconName": "pysa", + "categories": ["Code Scanning", "Python"] +} diff --git a/code-scanning/properties/soos-dast-scan.properties.json b/code-scanning/properties/soos-dast-scan.properties.json new file mode 100644 index 0000000..6ef5121 --- /dev/null +++ b/code-scanning/properties/soos-dast-scan.properties.json @@ -0,0 +1,7 @@ +{ + "name": "SOOS DAST Scan", + "creator": "SOOS", + "description": "SOOS DAST is the easy-to-integrate no-limit web vulnerability scanner. Integrate SOOS DAST with your CI pipeline to find vulnerabilities by scanning a web app or APIs.", + "iconName": "soos", + "categories": ["Code Scanning"] +} \ No newline at end of file diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml new file mode 100644 index 0000000..801b90b --- /dev/null +++ b/code-scanning/puppet-lint.yml @@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# Puppet Lint tests Puppet code against the recommended Puppet language style guide. +# https://puppet.com/docs/puppet/7/style_guide.html +# Puppet Lint validates only code style; it does not validate syntax. +# To test syntax, use Puppet's puppet parser validate command. +# More details at https://github.com/puppetlabs/puppet-lint/ + +name: puppet-lint + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + puppet-lint: + name: Run puppet-lint scanning + runs-on: ubuntu-latest + permissions: + contents: read # for checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Setup Ruby + uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf + with: + ruby-version: 2.7 + bundler-cache: true + + - name: Install puppet-lint + run: gem install puppet-lint + + - name: Run puppet-lint + run: puppet-lint . --sarif > puppet-lint-results.sarif + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: puppet-lint-results.sarif + wait-for-processing: true diff --git a/code-scanning/pyre.yml b/code-scanning/pyre.yml new file mode 100644 index 0000000..3c32e8b --- /dev/null +++ b/code-scanning/pyre.yml @@ -0,0 +1,46 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates Pyre with GitHub's +# Code Scanning feature. +# +# Pyre is a performant type checker for Python compliant with +# PEP 484. Pyre can analyze codebases with millions of lines +# of code incrementally – providing instantaneous feedback +# to developers as they write code. +# +# See https://pyre-check.org + +name: Pyre + +on: + workflow_dispatch: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + +permissions: + contents: read + +jobs: + pyre: + permissions: + actions: read + contents: read + security-events: write + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + submodules: true + + - name: Run Pyre + uses: facebook/pyre-action@60697a7858f7cc8470d8cc494a3cf2ad6b06560d + with: + # To customize these inputs: + # See https://github.com/facebook/pyre-action#inputs + repo-directory: './' + requirements-path: 'requirements.txt' diff --git a/code-scanning/pysa.yml b/code-scanning/pysa.yml new file mode 100644 index 0000000..a9e3c81 --- /dev/null +++ b/code-scanning/pysa.yml @@ -0,0 +1,50 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates Python Static Analyzer (Pysa) with +# GitHub's Code Scanning feature. +# +# Python Static Analyzer (Pysa) is a security-focused static +# analysis tool that tracks flows of data from where they +# originate to where they terminate in a dangerous location. +# +# See https://pyre-check.org/docs/pysa-basics/ + +name: Pysa + +on: + workflow_dispatch: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + pysa: + permissions: + actions: read + contents: read + security-events: write + + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + submodules: true + + - name: Run Pysa + uses: facebook/pysa-action@f46a63777e59268613bd6e2ff4e29f144ca9e88b + with: + # To customize these inputs: + # See https://github.com/facebook/pysa-action#inputs + repo-directory: './' + requirements-path: 'requirements.txt' + infer-types: true + include-default-sapp-filters: true diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index a6bde3a..539794d 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -17,9 +17,12 @@ jobs: permissions: # Needed to upload the results to code-scanning dashboard. security-events: write - actions: read + # Used to receive a badge. (Upcoming feature) + id-token: write + # Needs for private repositories. contents: read - + actions: read + steps: - name: "Checkout code" uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0 @@ -27,27 +30,31 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4 + uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # v1.1.1 with: results_file: results.sarif results_format: sarif - # Read-only PAT token. To create it, - # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation. - repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} - # Publish the results to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories, `publish_results` will automatically be set to `false`, - # regardless of the value entered here. + # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecards on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} + + # Publish the results for public repositories to enable scorecard badges. For more details, see + # https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories, `publish_results` will automatically be set to `false`, regardless + # of the value entered here. publish_results: true - # Upload the results as artifacts (optional). + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. - name: "Upload artifact" uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 with: name: SARIF file path: results.sarif retention-days: 5 - + # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26 diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml new file mode 100644 index 0000000..cf3b1b7 --- /dev/null +++ b/code-scanning/soos-dast-scan.yml @@ -0,0 +1,45 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# SOOS is the easy-to-integrate software security solution for your whole team, learn more at https://soos.io/ +# +# To use this action you need to fill the following requirements: +# +# 1. Create an account on https://app.soos.io to obtain a Client ID and API Key (Free 30 days trials for both our SCA/DAST product). +# +# 2. Set up your API KEY/Client ID as Github Secrets named SOOS_CLIENT_ID & SOOS_API_KEY. (Also set SOOS_GITHUB_PAT with your Github Personal Access Token if you're going to use sarif upload) +# + +name: "SOOS DAST Scan" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + +jobs: + soos: + permissions: + security-events: write # for uploading code scanning alert info + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: SOOS DAST Scan + runs-on: ubuntu-latest + steps: + - name: Run SOOS DAST Scan + uses: soos-io/soos-dast-github-action@b524e2cfbc4f4a5733153a7e624f569913f6c6e9 + with: + client_id: ${{ secrets.SOOS_CLIENT_ID }} + api_key: ${{ secrets.SOOS_API_KEY }} + project_name: "" + scan_mode: "baseline" + target_url: "https://www.example.com/" + output_format: "sarif" + - name: Upload SOOS DAST SARIF Report + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif + + diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 6536fbe..77f8156 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -27,7 +27,7 @@ jobs: uses: actions/checkout@v3 - name: Run tfsec - uses: tfsec/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f + uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f with: sarif_file: tfsec.sarif diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index 06b5cae..63be947 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -33,7 +33,7 @@ jobs: docker build -t docker.io/my-organization/my-app:${{ github.sha }} . - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2 + uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe with: image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' format: 'template' diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml index c882bde..8b69065 100644 --- a/deployments/azure-container-webapp.yml +++ b/deployments/azure-container-webapp.yml @@ -35,6 +35,9 @@ on: - $default-branch workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -63,6 +66,8 @@ jobs: file: ./Dockerfile deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index 510abcd..a6a2f4e 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -120,6 +120,9 @@ jobs: runs-on: ubuntu-latest needs: [buildImage, createSecret] steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + # Logs in with your Azure credentials - name: Azure login uses: azure/login@v1.4.3 diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index 0cf23ba..60fe536 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -31,6 +31,12 @@ name: Build and deploy an app to AKS with Kompose +on: + push: + branches: + - $default-branch + workflow_dispatch: + env: AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" CONTAINER_NAME: "your-container-name" @@ -148,4 +154,4 @@ jobs: images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file + ${{ env.IMAGE_PULL_SECRET_NAME }} diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index 14469db..d46cadb 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -74,9 +74,6 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - # Logs in with your Azure credentials - name: Azure login uses: azure/login@v1.4.3 diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml index becfede..a40ecc2 100644 --- a/deployments/azure-staticwebapp.yml +++ b/deployments/azure-staticwebapp.yml @@ -28,8 +28,14 @@ env: APP_ARTIFACT_LOCATION: "build" # location of client code build output AZURE_STATIC_WEB_APPS_API_TOKEN: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing deployment token for your static web app +permissions: + contents: read + jobs: build_and_deploy_job: + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: write # for Azure/static-web-apps-deploy to comment on PRs if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed') runs-on: ubuntu-latest name: Build and Deploy Job @@ -52,6 +58,8 @@ jobs: ###### End of Repository/Build Configurations ###### close_pull_request_job: + permissions: + contents: none if: github.event_name == 'pull_request' && github.event.action == 'closed' runs-on: ubuntu-latest name: Close Pull Request Job diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 3357dc8..0b59686 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -30,6 +30,9 @@ on: - $default-branch workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -63,6 +66,8 @@ jobs: path: ${{env.DOTNET_ROOT}}/myapp deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index d29b0c9..6e3df8d 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -30,6 +30,9 @@ on: - $default-branch workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -54,6 +57,8 @@ jobs: path: '${{ github.workspace }}/target/*.jar' deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index c967bdb..1480c92 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -28,6 +28,9 @@ env: AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root NODE_VERSION: '14.x' # set this to the node version to use +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -53,6 +56,8 @@ jobs: path: . deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 04f55f4..98e8dc7 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -30,6 +30,9 @@ env: AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root PHP_VERSION: '8.x' # set this to the PHP version to use +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -74,6 +77,8 @@ jobs: path: . deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index af6a9dd..50f4823 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -29,6 +29,9 @@ on: - $default-branch workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -61,6 +64,8 @@ jobs: !venv/ deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: diff --git a/deployments/openshift.yml b/deployments/openshift.yml index 5775cb0..8504059 100644 --- a/deployments/openshift.yml +++ b/deployments/openshift.yml @@ -54,15 +54,30 @@ env: on: # https://docs.github.com/en/actions/reference/events-that-trigger-workflows + workflow_dispatch: push: # Edit to the branch(es) you want to build and deploy on each push. branches: [ $default-branch ] jobs: + # đŸ–Šī¸ EDIT if you want to run vulnerability check on your project before deploying + # the application. Please uncomment the below CRDA scan job and configure to run it in + # your workflow. For details about CRDA action visit https://github.com/redhat-actions/crda/blob/main/README.md + # + # TODO: Make sure to add 'CRDA Scan' starter workflow from the 'Actions' tab. + # For guide on adding new starter workflow visit https://docs.github.com/en/github-ae@latest/actions/using-workflows/using-starter-workflows + + crda-scan: + uses: ./.github/workflows/crda.yml + secrets: + CRDA_KEY: ${{ secrets.CRDA_KEY }} + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # Either use SNYK_TOKEN or CRDA_KEY + openshift-ci-cd: + # đŸ–Šī¸ Uncomment this if you are using CRDA scan step above + # needs: crda-scan name: Build and deploy to OpenShift - # ubuntu-20.04 can also be used. - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 environment: production outputs: diff --git a/icons/contrast.svg b/icons/contrast.svg new file mode 100644 index 0000000..7680157 --- /dev/null +++ b/icons/contrast.svg @@ -0,0 +1,16 @@ + + + + + + + + diff --git a/icons/go-ossf-slsa3-publish.svg b/icons/go-ossf-slsa3-publish.svg new file mode 100644 index 0000000..ea77468 --- /dev/null +++ b/icons/go-ossf-slsa3-publish.svg @@ -0,0 +1,11 @@ + + + + + + + + + + + diff --git a/icons/hadolint.svg b/icons/hadolint.svg new file mode 100644 index 0000000..048b86c --- /dev/null +++ b/icons/hadolint.svg @@ -0,0 +1,131 @@ + + + + diff --git a/icons/phpmd.svg b/icons/phpmd.svg new file mode 100644 index 0000000..7697766 --- /dev/null +++ b/icons/phpmd.svg @@ -0,0 +1,595 @@ + + + + + + + + + diff --git a/icons/puppet-lint.svg b/icons/puppet-lint.svg new file mode 100644 index 0000000..4e5d4d0 --- /dev/null +++ b/icons/puppet-lint.svg @@ -0,0 +1,95 @@ + + + + + + + + + + diff --git a/icons/pyre.svg b/icons/pyre.svg new file mode 100644 index 0000000..2af14c0 --- /dev/null +++ b/icons/pyre.svg @@ -0,0 +1 @@ +Asset 1 \ No newline at end of file diff --git a/icons/pysa.svg b/icons/pysa.svg new file mode 100644 index 0000000..ed60fb1 --- /dev/null +++ b/icons/pysa.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/icons/soos.svg b/icons/soos.svg new file mode 100644 index 0000000..17a31fc --- /dev/null +++ b/icons/soos.svg @@ -0,0 +1,17 @@ + + + + + + + + + + + diff --git a/script/sync-ghes/package-lock.json b/script/sync-ghes/package-lock.json index ebcd318..768bbda 100644 --- a/script/sync-ghes/package-lock.json +++ b/script/sync-ghes/package-lock.json @@ -1,8 +1,166 @@ { "name": "sync-ghes-actions", "version": "1.0.0", - "lockfileVersion": 1, + "lockfileVersion": 2, "requires": true, + "packages": { + "": { + "name": "sync-ghes-actions", + "version": "1.0.0", + "license": "MIT", + "dependencies": { + "js-yaml": "^3.13.1" + }, + "devDependencies": { + "@types/js-yaml": "^3.12.4", + "@types/node": "^14.0.1", + "ts-node": "^8.10.1", + "typescript": "^3.9.2" + } + }, + "node_modules/@types/js-yaml": { + "version": "3.12.4", + "resolved": "https://registry.npmjs.org/@types/js-yaml/-/js-yaml-3.12.4.tgz", + "integrity": "sha512-fYMgzN+9e28R81weVN49inn/u798ruU91En1ZnGvSZzCRc5jXx9B2EDhlRaWmcO1RIxFHL8AajRXzxDuJu93+A==", + "dev": true + }, + "node_modules/@types/node": { + "version": "14.0.1", + "resolved": "https://registry.npmjs.org/@types/node/-/node-14.0.1.tgz", + "integrity": "sha512-FAYBGwC+W6F9+huFIDtn43cpy7+SzG+atzRiTfdp3inUKL2hXnd4rG8hylJLIh4+hqrQy1P17kvJByE/z825hA==", + "dev": true + }, + "node_modules/arg": { + "version": "4.1.3", + "resolved": "https://registry.npmjs.org/arg/-/arg-4.1.3.tgz", + "integrity": "sha512-58S9QDqG0Xx27YwPSt9fJxivjYl432YCwfDMfZ+71RAqUrZef7LrKQZ3LHLOwCS4FLNBplP533Zx895SeOCHvA==", + "dev": true + }, + "node_modules/argparse": { + "version": "1.0.10", + "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.10.tgz", + "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==", + "dependencies": { + "sprintf-js": "~1.0.2" + } + }, + "node_modules/buffer-from": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.1.tgz", + "integrity": "sha512-MQcXEUbCKtEo7bhqEs6560Hyd4XaovZlO/k9V3hjVUF/zwW7KBVdSK4gIt/bzwS9MbR5qob+F5jusZsb0YQK2A==", + "dev": true + }, + "node_modules/diff": { + "version": "4.0.2", + "resolved": "https://registry.npmjs.org/diff/-/diff-4.0.2.tgz", + "integrity": "sha512-58lmxKSA4BNyLz+HHMUzlOEpg09FV+ev6ZMe3vJihgdxzgcwZ8VoEEPmALCZG9LmqfVoNMMKpttIYTVG6uDY7A==", + "dev": true, + "engines": { + "node": ">=0.3.1" + } + }, + "node_modules/esprima": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz", + "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==", + "bin": { + "esparse": "bin/esparse.js", + "esvalidate": "bin/esvalidate.js" + }, + "engines": { + "node": ">=4" + } + }, + "node_modules/js-yaml": { + "version": "3.13.1", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.13.1.tgz", + "integrity": "sha512-YfbcO7jXDdyj0DGxYVSlSeQNHbD7XPWvrVWeVUujrQEoZzWJIRrCPoyk6kL6IAjAG2IolMK4T0hNUe0HOUs5Jw==", + "dependencies": { + "argparse": "^1.0.7", + "esprima": "^4.0.0" + }, + "bin": { + "js-yaml": "bin/js-yaml.js" + } + }, + "node_modules/make-error": { + "version": "1.3.6", + "resolved": "https://registry.npmjs.org/make-error/-/make-error-1.3.6.tgz", + "integrity": "sha512-s8UhlNe7vPKomQhC1qFelMokr/Sc3AgNbso3n74mVPA5LTZwkB9NlXf4XPamLxJE8h0gh73rM94xvwRT2CVInw==", + "dev": true + }, + "node_modules/source-map": { + "version": "0.6.1", + "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz", + "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==", + "dev": true, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/source-map-support": { + "version": "0.5.19", + "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.5.19.tgz", + "integrity": "sha512-Wonm7zOCIJzBGQdB+thsPar0kYuCIzYvxZwlBa87yi/Mdjv7Tip2cyVbLj5o0cFPN4EVkuTwb3GDDyUx2DGnGw==", + "dev": true, + "dependencies": { + "buffer-from": "^1.0.0", + "source-map": "^0.6.0" + } + }, + "node_modules/sprintf-js": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", + "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=" + }, + "node_modules/ts-node": { + "version": "8.10.1", + "resolved": "https://registry.npmjs.org/ts-node/-/ts-node-8.10.1.tgz", + "integrity": "sha512-bdNz1L4ekHiJul6SHtZWs1ujEKERJnHs4HxN7rjTyyVOFf3HaJ6sLqe6aPG62XTzAB/63pKRh5jTSWL0D7bsvw==", + "dev": true, + "dependencies": { + "arg": "^4.1.0", + "diff": "^4.0.1", + "make-error": "^1.1.1", + "source-map-support": "^0.5.17", + "yn": "3.1.1" + }, + "bin": { + "ts-node": "dist/bin.js", + "ts-node-script": "dist/bin-script.js", + "ts-node-transpile-only": "dist/bin-transpile.js", + "ts-script": "dist/bin-script-deprecated.js" + }, + "engines": { + "node": ">=6.0.0" + }, + "peerDependencies": { + "typescript": ">=2.7" + } + }, + "node_modules/typescript": { + "version": "3.9.2", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz", + "integrity": "sha512-q2ktq4n/uLuNNShyayit+DTobV2ApPEo/6so68JaD5ojvc/6GClBipedB9zNWYxRSAlZXAe405Rlijzl6qDiSw==", + "dev": true, + "bin": { + "tsc": "bin/tsc", + "tsserver": "bin/tsserver" + }, + "engines": { + "node": ">=4.2.0" + } + }, + "node_modules/yn": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz", + "integrity": "sha512-Ux4ygGWsu2c7isFWe8Yu1YluJmqVhxqK2cLXNQA5AcC3QfbGNpM7fu0Y8b/z16pXLnFxZYvWhd3fhBY9DLmC6Q==", + "dev": true, + "engines": { + "node": ">=6" + } + } + }, "dependencies": { "@types/js-yaml": { "version": "3.12.4", diff --git a/script/validate-data/package-lock.json b/script/validate-data/package-lock.json index 8839d6a..e660b6a 100644 --- a/script/validate-data/package-lock.json +++ b/script/validate-data/package-lock.json @@ -1,8 +1,181 @@ { - "name": "sync-ghes-actions", + "name": "validate-data", "version": "1.0.0", - "lockfileVersion": 1, + "lockfileVersion": 2, "requires": true, + "packages": { + "": { + "name": "validate-data", + "version": "1.0.0", + "license": "MIT", + "dependencies": { + "@actions/core": "^1.2.6", + "js-yaml": "^3.13.1", + "jsonschema": "^1.2.6" + }, + "devDependencies": { + "@types/js-yaml": "^3.12.4", + "@types/node": "^14.0.1", + "ts-node": "^8.10.1", + "typescript": "^3.9.2" + } + }, + "node_modules/@actions/core": { + "version": "1.2.6", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz", + "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA==" + }, + "node_modules/@types/js-yaml": { + "version": "3.12.4", + "resolved": "https://registry.npmjs.org/@types/js-yaml/-/js-yaml-3.12.4.tgz", + "integrity": "sha512-fYMgzN+9e28R81weVN49inn/u798ruU91En1ZnGvSZzCRc5jXx9B2EDhlRaWmcO1RIxFHL8AajRXzxDuJu93+A==", + "dev": true + }, + "node_modules/@types/node": { + "version": "14.0.1", + "resolved": "https://registry.npmjs.org/@types/node/-/node-14.0.1.tgz", + "integrity": "sha512-FAYBGwC+W6F9+huFIDtn43cpy7+SzG+atzRiTfdp3inUKL2hXnd4rG8hylJLIh4+hqrQy1P17kvJByE/z825hA==", + "dev": true + }, + "node_modules/arg": { + "version": "4.1.3", + "resolved": "https://registry.npmjs.org/arg/-/arg-4.1.3.tgz", + "integrity": "sha512-58S9QDqG0Xx27YwPSt9fJxivjYl432YCwfDMfZ+71RAqUrZef7LrKQZ3LHLOwCS4FLNBplP533Zx895SeOCHvA==", + "dev": true + }, + "node_modules/argparse": { + "version": "1.0.10", + "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.10.tgz", + "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==", + "dependencies": { + "sprintf-js": "~1.0.2" + } + }, + "node_modules/buffer-from": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.1.tgz", + "integrity": "sha512-MQcXEUbCKtEo7bhqEs6560Hyd4XaovZlO/k9V3hjVUF/zwW7KBVdSK4gIt/bzwS9MbR5qob+F5jusZsb0YQK2A==", + "dev": true + }, + "node_modules/diff": { + "version": "4.0.2", + "resolved": "https://registry.npmjs.org/diff/-/diff-4.0.2.tgz", + "integrity": "sha512-58lmxKSA4BNyLz+HHMUzlOEpg09FV+ev6ZMe3vJihgdxzgcwZ8VoEEPmALCZG9LmqfVoNMMKpttIYTVG6uDY7A==", + "dev": true, + "engines": { + "node": ">=0.3.1" + } + }, + "node_modules/esprima": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz", + "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==", + "bin": { + "esparse": "bin/esparse.js", + "esvalidate": "bin/esvalidate.js" + }, + "engines": { + "node": ">=4" + } + }, + "node_modules/js-yaml": { + "version": "3.13.1", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.13.1.tgz", + "integrity": "sha512-YfbcO7jXDdyj0DGxYVSlSeQNHbD7XPWvrVWeVUujrQEoZzWJIRrCPoyk6kL6IAjAG2IolMK4T0hNUe0HOUs5Jw==", + "dependencies": { + "argparse": "^1.0.7", + "esprima": "^4.0.0" + }, + "bin": { + "js-yaml": "bin/js-yaml.js" + } + }, + "node_modules/jsonschema": { + "version": "1.2.6", + "resolved": "https://registry.npmjs.org/jsonschema/-/jsonschema-1.2.6.tgz", + "integrity": "sha512-SqhURKZG07JyKKeo/ir24QnS4/BV7a6gQy93bUSe4lUdNp0QNpIz2c9elWJQ9dpc5cQYY6cvCzgRwy0MQCLyqA==", + "engines": { + "node": "*" + } + }, + "node_modules/make-error": { + "version": "1.3.6", + "resolved": "https://registry.npmjs.org/make-error/-/make-error-1.3.6.tgz", + "integrity": "sha512-s8UhlNe7vPKomQhC1qFelMokr/Sc3AgNbso3n74mVPA5LTZwkB9NlXf4XPamLxJE8h0gh73rM94xvwRT2CVInw==", + "dev": true + }, + "node_modules/source-map": { + "version": "0.6.1", + "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz", + "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==", + "dev": true, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/source-map-support": { + "version": "0.5.19", + "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.5.19.tgz", + "integrity": "sha512-Wonm7zOCIJzBGQdB+thsPar0kYuCIzYvxZwlBa87yi/Mdjv7Tip2cyVbLj5o0cFPN4EVkuTwb3GDDyUx2DGnGw==", + "dev": true, + "dependencies": { + "buffer-from": "^1.0.0", + "source-map": "^0.6.0" + } + }, + "node_modules/sprintf-js": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", + "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=" + }, + "node_modules/ts-node": { + "version": "8.10.1", + "resolved": "https://registry.npmjs.org/ts-node/-/ts-node-8.10.1.tgz", + "integrity": "sha512-bdNz1L4ekHiJul6SHtZWs1ujEKERJnHs4HxN7rjTyyVOFf3HaJ6sLqe6aPG62XTzAB/63pKRh5jTSWL0D7bsvw==", + "dev": true, + "dependencies": { + "arg": "^4.1.0", + "diff": "^4.0.1", + "make-error": "^1.1.1", + "source-map-support": "^0.5.17", + "yn": "3.1.1" + }, + "bin": { + "ts-node": "dist/bin.js", + "ts-node-script": "dist/bin-script.js", + "ts-node-transpile-only": "dist/bin-transpile.js", + "ts-script": "dist/bin-script-deprecated.js" + }, + "engines": { + "node": ">=6.0.0" + }, + "peerDependencies": { + "typescript": ">=2.7" + } + }, + "node_modules/typescript": { + "version": "3.9.2", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz", + "integrity": "sha512-q2ktq4n/uLuNNShyayit+DTobV2ApPEo/6so68JaD5ojvc/6GClBipedB9zNWYxRSAlZXAe405Rlijzl6qDiSw==", + "dev": true, + "bin": { + "tsc": "bin/tsc", + "tsserver": "bin/tsserver" + }, + "engines": { + "node": ">=4.2.0" + } + }, + "node_modules/yn": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz", + "integrity": "sha512-Ux4ygGWsu2c7isFWe8Yu1YluJmqVhxqK2cLXNQA5AcC3QfbGNpM7fu0Y8b/z16pXLnFxZYvWhd3fhBY9DLmC6Q==", + "dev": true, + "engines": { + "node": ">=6" + } + } + }, "dependencies": { "@actions/core": { "version": "1.2.6",