From 900a0204646df69c0d0d535eab4c8ef5a151abc6 Mon Sep 17 00:00:00 2001 From: fredster33 <64927044+fredster33@users.noreply.github.com> Date: Fri, 13 Aug 2021 17:09:48 -0700 Subject: [PATCH 01/66] Fix typo --- automation/greetings.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/greetings.yml b/automation/greetings.yml index ee1cb11..fed28b7 100644 --- a/automation/greetings.yml +++ b/automation/greetings.yml @@ -12,5 +12,5 @@ jobs: - uses: actions/first-interaction@v1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - issue-message: 'Message that will be displayed on users first issue' - pr-message: 'Message that will be displayed on users first pull request' + issue-message: 'Message that will be displayed on users' first issue' + pr-message: 'Message that will be displayed on users' first pull request' From 5d03c86e2615ba04a2dcb4ec2ed2cd659eecdb98 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Fri, 4 Feb 2022 10:42:13 +0530 Subject: [PATCH 02/66] Added token permission for deployments/azure-staticwebapp.yml --- deployments/azure-staticwebapp.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml index 8e1faf7..5430f04 100644 --- a/deployments/azure-staticwebapp.yml +++ b/deployments/azure-staticwebapp.yml @@ -28,8 +28,14 @@ env: APP_ARTIFACT_LOCATION: "build" # location of client code build output AZURE_STATIC_WEB_APPS_API_TOKEN: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing deployment token for your static web app +permissions: + contents: read + jobs: build_and_deploy_job: + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: write # for Azure/static-web-apps-deploy to comment on PRs if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed') runs-on: ubuntu-latest name: Build and Deploy Job @@ -52,6 +58,8 @@ jobs: ###### End of Repository/Build Configurations ###### close_pull_request_job: + permissions: + contents: none if: github.event_name == 'pull_request' && github.event.action == 'closed' runs-on: ubuntu-latest name: Close Pull Request Job From 6e8e5830e94403d54495f803067dd7653dabb0d2 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Fri, 11 Feb 2022 16:56:36 +0530 Subject: [PATCH 03/66] added token permissions --- deployments/azure-container-webapp.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml index 57fe362..b6f339f 100644 --- a/deployments/azure-container-webapp.yml +++ b/deployments/azure-container-webapp.yml @@ -35,6 +35,9 @@ on: - $default-branch workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -63,6 +66,8 @@ jobs: file: ./Dockerfile deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: From 4657e39b91e5b80beea6f0cd14159141080b1f7d Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 15:39:54 +0530 Subject: [PATCH 04/66] Update azure-webapps-python.yml --- deployments/azure-webapps-python.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 8605e0a..6c43c1e 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -29,6 +29,9 @@ on: - $default-branch workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -61,6 +64,8 @@ jobs: !venv/ deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: From bd76c74da653b228e83d45fea3d40d65a6197095 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 15:51:52 +0530 Subject: [PATCH 05/66] Update azure-webapps-php.yml --- deployments/azure-webapps-php.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index a2dd57b..a4442cf 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -30,6 +30,9 @@ env: AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root PHP_VERSION: '8.x' # set this to the PHP version to use +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -74,6 +77,8 @@ jobs: path: . deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: From 53a9402455e3e377c93f0da9193a0f88b43645a7 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 16:39:47 +0530 Subject: [PATCH 06/66] Update azure-webapps-dotnet-core.yml --- deployments/azure-webapps-dotnet-core.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index ed45e22..758c6fa 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -30,6 +30,9 @@ on: - $default-branch workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -63,6 +66,8 @@ jobs: path: ${{env.DOTNET_ROOT}}/myapp deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: From 7b765747a5254b76a9408811ce5753c98f92a15f Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 16:41:42 +0530 Subject: [PATCH 07/66] Update azure-webapps-java-jar.yml --- deployments/azure-webapps-java-jar.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 210fd90..50d2679 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -29,6 +29,9 @@ on: - $default-branch workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -52,6 +55,8 @@ jobs: path: '${{ github.workspace }}/target/*.jar' deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: From 5e58bc6ef64e268fc508e06ed061209248c11423 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 16:47:46 +0530 Subject: [PATCH 08/66] Update azure-webapps-node.yml --- deployments/azure-webapps-node.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index b6089d4..07cd361 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -28,6 +28,9 @@ env: AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root NODE_VERSION: '14.x' # set this to the node version to use +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -53,6 +56,8 @@ jobs: path: . deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: From 308401f5246098792d1a773569cb339141141361 Mon Sep 17 00:00:00 2001 From: DhavalPatelPersistent <93903969+DhavalPatelPersistent@users.noreply.github.com> Date: Mon, 25 Apr 2022 15:30:28 +0530 Subject: [PATCH 09/66] Update checkmarx.yml --- code-scanning/checkmarx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index 297cae0..ed13389 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -46,7 +46,7 @@ jobs: checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} scanners: sast - params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory + params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 From b6633ec292d288db36de6e7d68e525bb129492c3 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Tue, 26 Apr 2022 22:00:20 -0700 Subject: [PATCH 10/66] Add starter workflow for hadolint --- code-scanning/hadolint.yml | 46 ++++++ .../properties/hadolint.properties.json | 6 + icons/hadolint.svg | 131 ++++++++++++++++++ 3 files changed, 183 insertions(+) create mode 100644 code-scanning/hadolint.yml create mode 100644 code-scanning/properties/hadolint.properties.json create mode 100644 icons/hadolint.svg diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml new file mode 100644 index 0000000..f941b95 --- /dev/null +++ b/code-scanning/hadolint.yml @@ -0,0 +1,46 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# hadoint is a Dockerfile linter written in Haskell +# that helps you build best practice Docker images. +# More details at https://github.com/hadolint/hadolint + +name: Hadolint + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + hadolint: + name: Run hadolint scanning + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Run hado-lint + uses: hadolint/hadolint-action@v2.1.0 + with: + dockerfile: ./Dockerfile + format: sarif + output-file: hadolint-results.sarif + no-fail: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: hadolint-results.sarif + wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/properties/hadolint.properties.json b/code-scanning/properties/hadolint.properties.json new file mode 100644 index 0000000..b4f7141 --- /dev/null +++ b/code-scanning/properties/hadolint.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Haskell Dockerfile Linter", + "description": "A smarter Dockerfile linter that helps you build best practice Docker images.", + "iconName": "hadolint", + "categories": ["Code Scanning", "Dockerfile"] +} \ No newline at end of file diff --git a/icons/hadolint.svg b/icons/hadolint.svg new file mode 100644 index 0000000..048b86c --- /dev/null +++ b/icons/hadolint.svg @@ -0,0 +1,131 @@ + + + + From ee2bbcf8d8f90b72461d884114f1f2f427779fb1 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Mon, 2 May 2022 01:53:59 -0700 Subject: [PATCH 11/66] update step name --- code-scanning/hadolint.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml index f941b95..fbbf914 100644 --- a/code-scanning/hadolint.yml +++ b/code-scanning/hadolint.yml @@ -27,11 +27,12 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + steps: - name: Checkout code uses: actions/checkout@v3 - - name: Run hado-lint + - name: Run hadolint uses: hadolint/hadolint-action@v2.1.0 with: dockerfile: ./Dockerfile From fc57d752748ceaef22641be7fa94b6a17e691e13 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Mon, 9 May 2022 11:16:42 -0700 Subject: [PATCH 12/66] use action commitment sha --- code-scanning/hadolint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml index fbbf914..2f554e4 100644 --- a/code-scanning/hadolint.yml +++ b/code-scanning/hadolint.yml @@ -33,7 +33,7 @@ jobs: uses: actions/checkout@v3 - name: Run hadolint - uses: hadolint/hadolint-action@v2.1.0 + uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183 with: dockerfile: ./Dockerfile format: sarif From 1100f4c7e825065833089b4f25cb045226bf4bbc Mon Sep 17 00:00:00 2001 From: fredster33 Date: Sat, 14 May 2022 07:24:17 -0700 Subject: [PATCH 13/66] Escape to pass tests --- automation/greetings.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/greetings.yml b/automation/greetings.yml index 1138ea8..562838f 100644 --- a/automation/greetings.yml +++ b/automation/greetings.yml @@ -12,5 +12,5 @@ jobs: - uses: actions/first-interaction@v1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - issue-message: 'Message that will be displayed on users' first issue' - pr-message: 'Message that will be displayed on users' first pull request' + issue-message: 'Message that will be displayed on users\' first issue' + pr-message: 'Message that will be displayed on users\' first pull request' From a3f4ca426faa51fdc07d753951ef8aa85bfb635a Mon Sep 17 00:00:00 2001 From: Federico Builes Date: Mon, 16 May 2022 13:44:34 -0700 Subject: [PATCH 14/66] Fixing typo in dependency-review-action. --- code-scanning/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 0e72a00..8966511 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -1,6 +1,6 @@ # Dependency Review Action # -# This Action will scan dependency manifest files that change as part of a Pull Reqest, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. +# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. # # Source repository: https://github.com/actions/dependency-review-action # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement From bed5e488cf5db12055b60ea905d8f90c59ea3c56 Mon Sep 17 00:00:00 2001 From: Edward <14011954+0xedward@users.noreply.github.com> Date: Mon, 16 May 2022 18:28:59 -0400 Subject: [PATCH 15/66] Fix link to `code-scanning` directory Changed https://github.com/actions/starter-workflows/tree/main/ci to https://github.com/actions/starter-workflows/tree/main/code-scanning --- .github/pull_request_template.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 752dd99..9b6c10f 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -26,7 +26,7 @@ It is not: - [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests"). - [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build"). - [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification. -- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully. +- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully. **For _CI_ workflows, the workflow:** @@ -38,7 +38,7 @@ It is not: **For _Code Scanning_ workflows, the workflow:** -- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/ci). +- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/code-scanning). - [ ] Should include a matching `code-scanning/properties/*.properties.json` file (for example, [`code-scanning/properties/codeql.properties.json`](https://github.com/actions/starter-workflows/blob/main/code-scanning/properties/codeql.properties.json)), with properties set as follows: - [ ] `name`: Name of the Code Scanning integration. - [ ] `organization`: Name of the organization producing the Code Scanning integration. From fb28da064123bacb1ab14fe88c947dcf1c20aa82 Mon Sep 17 00:00:00 2001 From: fredster33 Date: Fri, 20 May 2022 16:55:27 -0700 Subject: [PATCH 16/66] Fix escaping --- automation/greetings.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/greetings.yml b/automation/greetings.yml index 562838f..4677434 100644 --- a/automation/greetings.yml +++ b/automation/greetings.yml @@ -12,5 +12,5 @@ jobs: - uses: actions/first-interaction@v1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - issue-message: 'Message that will be displayed on users\' first issue' - pr-message: 'Message that will be displayed on users\' first pull request' + issue-message: "Message that will be displayed on users' first issue" + pr-message: "Message that will be displayed on users' first pull request" From 9f02725cf7ad47bd29fde61950948648c5abe693 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Sat, 21 May 2022 11:13:24 +0530 Subject: [PATCH 17/66] Fix the missing `on` trigger for AKS Kompose --- deployments/azure-kubernetes-service-kompose.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index 0cf23ba..60fe536 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -31,6 +31,12 @@ name: Build and deploy an app to AKS with Kompose +on: + push: + branches: + - $default-branch + workflow_dispatch: + env: AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" CONTAINER_NAME: "your-container-name" @@ -148,4 +154,4 @@ jobs: images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file + ${{ env.IMAGE_PULL_SECRET_NAME }} From ea7d7777b6893c6401b777663973a51be35b74c4 Mon Sep 17 00:00:00 2001 From: Jaiveer Katariya Date: Mon, 23 May 2022 14:47:39 -0400 Subject: [PATCH 18/66] added checkout step to helm starter workflow --- deployments/azure-kubernetes-service-helm.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index 510abcd..a6a2f4e 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -120,6 +120,9 @@ jobs: runs-on: ubuntu-latest needs: [buildImage, createSecret] steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + # Logs in with your Azure credentials - name: Azure login uses: azure/login@v1.4.3 From 2be3a09ccb9a825bd8bfed4d2e67a00fadf21648 Mon Sep 17 00:00:00 2001 From: Jaiveer Katariya Date: Mon, 23 May 2022 14:59:13 -0400 Subject: [PATCH 19/66] removed unnecessary checkout from kustomize create-secret step --- deployments/azure-kubernetes-service-kustomize.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index 14469db..d46cadb 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -74,9 +74,6 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - # Logs in with your Azure credentials - name: Azure login uses: azure/login@v1.4.3 From a4fc6b086e1052d83b7b3a6bae14aca6c055d20a Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez <92373106+SOOS-JAlvarez@users.noreply.github.com> Date: Tue, 24 May 2022 16:52:04 -0300 Subject: [PATCH 20/66] SOOS DAST starter action submission --- .../properties/soos-dast-scan.properties.json | 8 ++++ code-scanning/soos-dast-scan.yml | 41 +++++++++++++++++++ icons/soos.svg | 17 ++++++++ 3 files changed, 66 insertions(+) create mode 100644 code-scanning/properties/soos-dast-scan.properties.json create mode 100644 code-scanning/soos-dast-scan.yml create mode 100644 icons/soos.svg diff --git a/code-scanning/properties/soos-dast-scan.properties.json b/code-scanning/properties/soos-dast-scan.properties.json new file mode 100644 index 0000000..b2834df --- /dev/null +++ b/code-scanning/properties/soos-dast-scan.properties.json @@ -0,0 +1,8 @@ +{ + "name": "SOOS DAST Scan", + "creator": "SOOS", + "description": "Integrate dynamic application security testing (DAST) and API security testing into your CI pipeline with StackHawk", + "iconName": "soos", + "categories": ["Code Scanning"] + } + \ No newline at end of file diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml new file mode 100644 index 0000000..a16ed9e --- /dev/null +++ b/code-scanning/soos-dast-scan.yml @@ -0,0 +1,41 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# SOOS is the easy-to-integrate software security solution for your whole team we currently, learn more at https://soos.io/ +# +# To use this action you need to fill the following requirements: +# +# 1. Create an account on https://app.soos.io to obtain a Client ID and API Key (Free 30 days trials for both our SCA/DAST product). +# +# 2. Set up your API KEY/Client ID as Github Secrets named SOOS_CLIENT_ID & SOOS_API_KEY. (Also set SOOS_GITHUB_PAT with your Github Personal Access Token if you're going to use sarif upload) +# + +name: "SOOS DAST Scan" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + +jobs: + soos: + permissions: + security-events: write # for uploading code scanning alert info + name: SOOS DAST Scan + runs-on: ubuntu-latest + steps: + - name: Run SOOS DAST Scan + uses: soos-io/soos-dast-github-action@c32a9d22e9af91ccace86aa7e76673b89c6256fd + with: + client_id: ${{ secrets.SOOS_CLIENT_ID }} + api_key: ${{ secrets.SOOS_API_KEY }} + project_name: "DAST-GitHub-Action-Test" # If you're going to use SARIF the project name should be on the form of `repoowner/reponame` or use the token github.repository + scan_mode: "baseline" + target_url: "https://www.example.com/" + sarif: true # Only set to true if you want to upload the SARIF report to Github + gpat: ${{ secrets.SOOS_GITHUB_PAT }} + + diff --git a/icons/soos.svg b/icons/soos.svg new file mode 100644 index 0000000..17a31fc --- /dev/null +++ b/icons/soos.svg @@ -0,0 +1,17 @@ + + + + + + + + + + + From a80536a617f6eb6cf9f1c398f5f163c24ec03e21 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 26 May 2022 14:46:58 +0000 Subject: [PATCH 21/66] Scorecard v1.1.0 hash bump --- code-scanning/scorecards.yml | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index a6bde3a..846988e 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -17,37 +17,43 @@ jobs: permissions: # Needed to upload the results to code-scanning dashboard. security-events: write + # Used to receive a badge. (Upcoming feature) + id-token: write actions: read contents: read - + steps: - name: "Checkout code" - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0 + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4 + uses: ossf/scorecard-action@5c8bc69dc88b65c66584e07611df79d3579b0377 # v1.1.0 with: results_file: results.sarif results_format: sarif - # Read-only PAT token. To create it, - # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation. - repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} - # Publish the results to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories, `publish_results` will automatically be set to `false`, - # regardless of the value entered here. + # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecards on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} + + # Publish the results for public repositories to enable scorecard badges. For more details, see + # https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories, `publish_results` will automatically be set to `false`, regardless + # of the value entered here. publish_results: true - # Upload the results as artifacts (optional). + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 + uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 with: name: SARIF file path: results.sarif retention-days: 5 - + # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26 From 866ad3b83c8b7a0f0730c2a7ce908c46784c8a74 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 26 May 2022 14:50:13 +0000 Subject: [PATCH 22/66] updates --- code-scanning/scorecards.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 846988e..28fb7f3 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -24,7 +24,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0 with: persist-credentials: false @@ -48,7 +48,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 with: name: SARIF file path: results.sarif From e2e966c9107306a40bf07c880a1259514ccfab66 Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez <92373106+SOOS-JAlvarez@users.noreply.github.com> Date: Fri, 27 May 2022 09:36:07 -0300 Subject: [PATCH 23/66] couple fixes from review --- code-scanning/properties/soos-dast-scan.properties.json | 5 ++--- code-scanning/soos-dast-scan.yml | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/code-scanning/properties/soos-dast-scan.properties.json b/code-scanning/properties/soos-dast-scan.properties.json index b2834df..6ef5121 100644 --- a/code-scanning/properties/soos-dast-scan.properties.json +++ b/code-scanning/properties/soos-dast-scan.properties.json @@ -1,8 +1,7 @@ { "name": "SOOS DAST Scan", "creator": "SOOS", - "description": "Integrate dynamic application security testing (DAST) and API security testing into your CI pipeline with StackHawk", + "description": "SOOS DAST is the easy-to-integrate no-limit web vulnerability scanner. Integrate SOOS DAST with your CI pipeline to find vulnerabilities by scanning a web app or APIs.", "iconName": "soos", "categories": ["Code Scanning"] - } - \ No newline at end of file +} \ No newline at end of file diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index a16ed9e..75fe9ed 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. # -# SOOS is the easy-to-integrate software security solution for your whole team we currently, learn more at https://soos.io/ +# SOOS is the easy-to-integrate software security solution for your whole team, learn more at https://soos.io/ # # To use this action you need to fill the following requirements: # @@ -32,7 +32,7 @@ jobs: with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} - project_name: "DAST-GitHub-Action-Test" # If you're going to use SARIF the project name should be on the form of `repoowner/reponame` or use the token github.repository + project_name: ${{ github.repository }} # If you're going to use SARIF the project name should be on the form of `repoowner/reponame` or use the token github.repository scan_mode: "baseline" target_url: "https://www.example.com/" sarif: true # Only set to true if you want to upload the SARIF report to Github From b9fbda1e7dcc2e8bc9899b02573484620eea0325 Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Mon, 30 May 2022 14:11:28 +0200 Subject: [PATCH 24/66] Add actions read permission The CodeQL Action requires this permission to collect information of the workflow run. --- code-scanning/anchore.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 6f52d5d..5c19cc3 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -28,6 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # for github/codeql-action/upload-sarif to get Action run status runs-on: ubuntu-latest steps: - name: Checkout the code From 77df908268e8577f2b7955bbc9d27b46a316aae8 Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Mon, 30 May 2022 14:16:42 +0200 Subject: [PATCH 25/66] Set `fail-build` property to false Whenever a security issue is found the `scan action` fails the build and the step, which causes the workflow to fail before uploading the results to Code Scanning. This change turns the error into a warning. --- code-scanning/anchore.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 6f52d5d..b0e542e 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -39,6 +39,7 @@ jobs: with: image: "localbuild/testimage:latest" acs-report-enable: true + fail-build: false - name: Upload Anchore Scan Report uses: github/codeql-action/upload-sarif@v2 with: From 27f5b1e9fdf42fe0686ccb89a2926a08c5ca9abe Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Tue, 31 May 2022 12:28:16 +0200 Subject: [PATCH 26/66] Add descriptive comment The `actions: read` permission is only required when the workflow is executed in a private repository. --- code-scanning/anchore.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 5c19cc3..2753147 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -28,7 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # for github/codeql-action/upload-sarif to get Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#example-workflow-for-sarif-files-generated-outside-of-a-repository runs-on: ubuntu-latest steps: - name: Checkout the code From 477f6af84e7a702f1832787f81445d0c2bc33010 Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Tue, 31 May 2022 14:19:53 +0200 Subject: [PATCH 27/66] Shorten the comment The comment is shortened by removing the URL to the documentation. Co-authored-by: Sampark Sharma --- code-scanning/anchore.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 2753147..4fbc9f0 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -28,7 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#example-workflow-for-sarif-files-generated-outside-of-a-repository + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - name: Checkout the code From 45198b14e06f360979705d625fda2daa4d339653 Mon Sep 17 00:00:00 2001 From: Shaopeng Li Date: Tue, 31 May 2022 18:51:10 -0700 Subject: [PATCH 28/66] phpmd --- code-scanning/phpmd.yml | 50 ++++ .../properties/phpmd.properties.json | 6 + icons/phpmd.svg | 252 ++++++++++++++++++ 3 files changed, 308 insertions(+) create mode 100644 code-scanning/phpmd.yml create mode 100644 code-scanning/properties/phpmd.properties.json create mode 100644 icons/phpmd.svg diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml new file mode 100644 index 0000000..9b9545a --- /dev/null +++ b/code-scanning/phpmd.yml @@ -0,0 +1,50 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# PHPMD is a spin-off project of PHP Depend and +# aims to be a PHP equivalent of the well known Java tool PMD. +# More details at https://phpmd.org/ + +name: PHPMD + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + # workflow_dispatch: + +permissions: + contents: read + +jobs: + PHPMD: + name: Run PHPMD scanning + runs-on: ubuntu-latest + permissions: + contents: read # for checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Setup PHP + uses: shivammathur/setup-php@v2 + with: + coverage: none + tools: phpmd + + - name: Run PHPMD + run: phpmd . sarif codesize --reportfile phpmd-results.sarif + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: phpmd-results.sarif + wait-for-processing: true diff --git a/code-scanning/properties/phpmd.properties.json b/code-scanning/properties/phpmd.properties.json new file mode 100644 index 0000000..bd95bf9 --- /dev/null +++ b/code-scanning/properties/phpmd.properties.json @@ -0,0 +1,6 @@ +{ + "name": "PHPMD", + "description": "A spin-off project of PHP Depend and aims to be a PHP equivalent of the well known Java tool PMD.", + "iconName": "phpmd", + "categories": [ "Code Scanning", "PHP" ] +} \ No newline at end of file diff --git a/icons/phpmd.svg b/icons/phpmd.svg new file mode 100644 index 0000000..c354f1d --- /dev/null +++ b/icons/phpmd.svg @@ -0,0 +1,252 @@ + + + + +Created by potrace 1.10, written by Peter Selinger 2001-2011 + + + + + + + + + + + + + + + + + + + + + From dfd625dcc4778d68e194f62e68e5dc65ef73b88b Mon Sep 17 00:00:00 2001 From: Shaopeng Li Date: Tue, 31 May 2022 19:10:04 -0700 Subject: [PATCH 29/66] use hash --- code-scanning/phpmd.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml index 9b9545a..3c0a5f2 100644 --- a/code-scanning/phpmd.yml +++ b/code-scanning/phpmd.yml @@ -16,7 +16,6 @@ on: branches: [ $default-branch ] schedule: - cron: $cron-weekly - # workflow_dispatch: permissions: contents: read @@ -34,7 +33,7 @@ jobs: uses: actions/checkout@v3 - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@aa1fe473f9c687b6fb896056d771232c0bc41161 with: coverage: none tools: phpmd From 978c3bbb41242ad164fb5c43b4fdd3353056addc Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 1 Jun 2022 09:15:10 -0700 Subject: [PATCH 30/66] Update scorecards.yml --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 28fb7f3..6135414 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -29,7 +29,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@5c8bc69dc88b65c66584e07611df79d3579b0377 # v1.1.0 + uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # v1.1.1 with: results_file: results.sarif results_format: sarif From 74b6f422559f3c58f4adee47ffbefc98d22548e1 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 1 Jun 2022 10:50:44 -0700 Subject: [PATCH 31/66] Update scorecards.yml --- code-scanning/scorecards.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 6135414..eed834b 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -19,7 +19,6 @@ jobs: security-events: write # Used to receive a badge. (Upcoming feature) id-token: write - actions: read contents: read steps: From 74408a5287eb771031d02d73dbe14ed23ec90a41 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 1 Jun 2022 11:00:27 -0700 Subject: [PATCH 32/66] Update scorecards.yml --- code-scanning/scorecards.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index eed834b..539794d 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -19,7 +19,9 @@ jobs: security-events: write # Used to receive a badge. (Upcoming feature) id-token: write + # Needs for private repositories. contents: read + actions: read steps: - name: "Checkout code" From d33aefde62c5125d69e76f4dfc04aed7a0b28a12 Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez <92373106+SOOS-JAlvarez@users.noreply.github.com> Date: Thu, 2 Jun 2022 12:12:22 -0300 Subject: [PATCH 33/66] updated action version --- code-scanning/soos-dast-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 75fe9ed..47f6c48 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Scan - uses: soos-io/soos-dast-github-action@c32a9d22e9af91ccace86aa7e76673b89c6256fd + uses: soos-io/soos-dast-github-action@5f8e2a1994d618e6ac9902e0f491fd1656b698e6 with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} From b812cc5edacb55ae2f748244f67187ae9cbe872b Mon Sep 17 00:00:00 2001 From: Shaopeng Li Date: Sat, 4 Jun 2022 19:50:14 -0700 Subject: [PATCH 34/66] use new logo from repo owner --- icons/phpmd.svg | 845 ++++++++++++++++++++++++++++++++++-------------- 1 file changed, 594 insertions(+), 251 deletions(-) diff --git a/icons/phpmd.svg b/icons/phpmd.svg index c354f1d..7697766 100644 --- a/icons/phpmd.svg +++ b/icons/phpmd.svg @@ -1,252 +1,595 @@ - - - - -Created by potrace 1.10, written by Peter Selinger 2001-2011 - - - - - - - - - - - - - - - - - - - - + + + + + + + + From ab9d895e8dfdfcc309424b079d074d637b744367 Mon Sep 17 00:00:00 2001 From: satyamchaurasiapersistent <102941840+satyamchaurasiapersistent@users.noreply.github.com> Date: Mon, 6 Jun 2022 11:45:21 +0530 Subject: [PATCH 35/66] Repo Url and SHA value updated. --- code-scanning/checkmarx.yml | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index ed13389..1c57150 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -17,27 +17,19 @@ on: - cron: $cron-weekly # A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action -permissions: - contents: read - jobs: # This workflow contains a single job called "build" build: # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action - permissions: - contents: read # for actions/checkout to fetch code - issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues - pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 + - uses: actions/checkout@v2 # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs - name: Checkmarx CxFlow Action - uses: checkmarx-ts/checkmarx-cxflow-github-action@9975af7d6b957abec9ee9646effa3fb3b82c5314 + uses: checkmarx-ts/checkmarx-cxflow-github-action@49d8269b14ca87910ba003d47a31fa0c7a11f2fe with: project: ${{ secrets.CHECKMARX_PROJECT }} team: ${{ secrets.CHECKMARX_TEAMS }} @@ -46,9 +38,9 @@ jobs: checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} scanners: sast - params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true + params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory --repo-url=${{ github.event.repository.url }} # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v1 with: sarif_file: cx.sarif From eda5a46a9546396c96ef0e05ad1840c0fbe2e060 Mon Sep 17 00:00:00 2001 From: Edward <14011954+0xedward@users.noreply.github.com> Date: Tue, 17 May 2022 19:00:28 -0400 Subject: [PATCH 36/66] Add Pyre starter workflow --- code-scanning/properties/pyre.properties.json | 7 +++ code-scanning/pyre.yml | 46 +++++++++++++++++++ icons/pyre.svg | 1 + 3 files changed, 54 insertions(+) create mode 100644 code-scanning/properties/pyre.properties.json create mode 100644 code-scanning/pyre.yml create mode 100644 icons/pyre.svg diff --git a/code-scanning/properties/pyre.properties.json b/code-scanning/properties/pyre.properties.json new file mode 100644 index 0000000..bc12321 --- /dev/null +++ b/code-scanning/properties/pyre.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Pyre", + "creator": "Meta", + "description": "Pyre is a performant type checker for Python compliant with PEP 484. Pyre can analyze codebases with millions of lines of code incrementally – providing instantaneous feedback to developers as they write code.", + "iconName": "pyre", + "categories": ["Code Scanning", "Python"] +} diff --git a/code-scanning/pyre.yml b/code-scanning/pyre.yml new file mode 100644 index 0000000..3c32e8b --- /dev/null +++ b/code-scanning/pyre.yml @@ -0,0 +1,46 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates Pyre with GitHub's +# Code Scanning feature. +# +# Pyre is a performant type checker for Python compliant with +# PEP 484. Pyre can analyze codebases with millions of lines +# of code incrementally – providing instantaneous feedback +# to developers as they write code. +# +# See https://pyre-check.org + +name: Pyre + +on: + workflow_dispatch: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + +permissions: + contents: read + +jobs: + pyre: + permissions: + actions: read + contents: read + security-events: write + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + submodules: true + + - name: Run Pyre + uses: facebook/pyre-action@60697a7858f7cc8470d8cc494a3cf2ad6b06560d + with: + # To customize these inputs: + # See https://github.com/facebook/pyre-action#inputs + repo-directory: './' + requirements-path: 'requirements.txt' diff --git a/icons/pyre.svg b/icons/pyre.svg new file mode 100644 index 0000000..2af14c0 --- /dev/null +++ b/icons/pyre.svg @@ -0,0 +1 @@ +Asset 1 \ No newline at end of file From 862560d6d0ce6dacc03697cf601d8e83c74520b9 Mon Sep 17 00:00:00 2001 From: Edward <14011954+0xedward@users.noreply.github.com> Date: Mon, 16 May 2022 17:42:13 -0400 Subject: [PATCH 37/66] Add workflow for Pysa https://github.com/facebook/pysa-action https://github.com/facebook/pyre-check --- code-scanning/properties/pysa.properties.json | 7 +++ code-scanning/pysa.yml | 50 +++++++++++++++++++ icons/pysa.svg | 1 + 3 files changed, 58 insertions(+) create mode 100644 code-scanning/properties/pysa.properties.json create mode 100644 code-scanning/pysa.yml create mode 100644 icons/pysa.svg diff --git a/code-scanning/properties/pysa.properties.json b/code-scanning/properties/pysa.properties.json new file mode 100644 index 0000000..1a61c40 --- /dev/null +++ b/code-scanning/properties/pysa.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Pysa", + "creator": "Meta", + "description": "Python Static Analyzer (Pysa) is a security-focused static analysis tool that tracks flows of data from where they originate to where they terminate in a dangerous location.", + "iconName": "pysa", + "categories": ["Code Scanning", "Python"] +} diff --git a/code-scanning/pysa.yml b/code-scanning/pysa.yml new file mode 100644 index 0000000..a9e3c81 --- /dev/null +++ b/code-scanning/pysa.yml @@ -0,0 +1,50 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates Python Static Analyzer (Pysa) with +# GitHub's Code Scanning feature. +# +# Python Static Analyzer (Pysa) is a security-focused static +# analysis tool that tracks flows of data from where they +# originate to where they terminate in a dangerous location. +# +# See https://pyre-check.org/docs/pysa-basics/ + +name: Pysa + +on: + workflow_dispatch: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + pysa: + permissions: + actions: read + contents: read + security-events: write + + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + submodules: true + + - name: Run Pysa + uses: facebook/pysa-action@f46a63777e59268613bd6e2ff4e29f144ca9e88b + with: + # To customize these inputs: + # See https://github.com/facebook/pysa-action#inputs + repo-directory: './' + requirements-path: 'requirements.txt' + infer-types: true + include-default-sapp-filters: true diff --git a/icons/pysa.svg b/icons/pysa.svg new file mode 100644 index 0000000..ed60fb1 --- /dev/null +++ b/icons/pysa.svg @@ -0,0 +1 @@ + \ No newline at end of file From 44f8355dd3fcc819e5064577d46aeb5d0b5070a4 Mon Sep 17 00:00:00 2001 From: Anton Krasovsky Date: Tue, 7 Jun 2022 17:57:25 +0100 Subject: [PATCH 38/66] Update workflow to use the newest version of 42Crunch REST API Static Security Testing Action --- code-scanning/crunch42.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/crunch42.yml b/code-scanning/crunch42.yml index 07cd73a..1ac846e 100644 --- a/code-scanning/crunch42.yml +++ b/code-scanning/crunch42.yml @@ -46,7 +46,7 @@ jobs: - uses: actions/checkout@v3 - name: 42Crunch REST API Static Security Testing - uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1 + uses: 42Crunch/api-security-audit-action@f3a4f4d44ca6f538fe84361373d7a2a374018fdd with: # Please create free account at https://platform.42crunch.com/register # Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm From 7ba355c39e6939dea937ef47c51c708de6ec51a6 Mon Sep 17 00:00:00 2001 From: Satyam Chaurasia Date: Wed, 8 Jun 2022 06:39:55 +0530 Subject: [PATCH 39/66] Adding changes of version and repo URL issue --- code-scanning/checkmarx.yml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index 1c57150..e060654 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -17,16 +17,24 @@ on: - cron: $cron-weekly # A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action +permissions: + contents: read + jobs: # This workflow contains a single job called "build" build: # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action + permissions: + contents: read # for actions/checkout to fetch code + issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues + pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs - name: Checkmarx CxFlow Action uses: checkmarx-ts/checkmarx-cxflow-github-action@49d8269b14ca87910ba003d47a31fa0c7a11f2fe @@ -38,9 +46,9 @@ jobs: checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} scanners: sast - params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory --repo-url=${{ github.event.repository.url }} + params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }} # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: cx.sarif From a54c80f225c1e6faedf983a842923f7ff81f5bfe Mon Sep 17 00:00:00 2001 From: Noah Irwin Date: Thu, 9 Jun 2022 12:52:18 +0100 Subject: [PATCH 40/66] Adds Contrast Scan workflow --- code-scanning/contrast-scan.yml | 43 +++++++++++++++++++ .../properties/contrast-scan.properties.json | 7 +++ icons/contrast.svg | 16 +++++++ 3 files changed, 66 insertions(+) create mode 100644 code-scanning/contrast-scan.yml create mode 100644 code-scanning/properties/contrast-scan.properties.json create mode 100644 icons/contrast.svg diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml new file mode 100644 index 0000000..0c8fe6b --- /dev/null +++ b/code-scanning/contrast-scan.yml @@ -0,0 +1,43 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow will initiate a Contrast Scan on your built artifact, and subsequently upload the results SARIF to Github. + +# Pre-requisites: +# All Contrast related account secrets should be configured as GitHub secrets to be passed as inputs to the Contrast Scan Action. +# The required secrets are CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID and CONTRAST_AUTH_HEADER. + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +name: Scan analyze workflow +jobs: + build-and-scan: + runs-on: ubuntu-latest + # check out project + steps: + - uses: actions/checkout@v3 + # Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here. + # -name: Build Project + # ... + # Scan Artifact + - name: Contrast Scan Action + uses: Contrast-Security-OSS/contrastscan-action@092c4e12ee0ee37b6116275f06efea84b2fe9d1a + with: + artifact: mypath/target/myartifact.jar # replace this path with the path to your built artifact + apiKey: ${{ secrets.CONTRAST_API_KEY }} + orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }} + authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} + #Upload the results to GitHub + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output diff --git a/code-scanning/properties/contrast-scan.properties.json b/code-scanning/properties/contrast-scan.properties.json new file mode 100644 index 0000000..67369b8 --- /dev/null +++ b/code-scanning/properties/contrast-scan.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Contrast Scan", + "creator": "Contrast Security Inc", + "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerabilities to the repository.", + "iconName": "contrast", + "categories": ["Code Scanning", "java", "javascript", "dotnet"] +} \ No newline at end of file diff --git a/icons/contrast.svg b/icons/contrast.svg new file mode 100644 index 0000000..7680157 --- /dev/null +++ b/icons/contrast.svg @@ -0,0 +1,16 @@ + + + + + + + + From ad064a4af4a41be5048d447468dc06ef59b4036d Mon Sep 17 00:00:00 2001 From: Noah Irwin Date: Fri, 10 Jun 2022 11:35:06 +0100 Subject: [PATCH 41/66] Updates from PR feedback --- code-scanning/contrast-scan.yml | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml index 0c8fe6b..e822508 100644 --- a/code-scanning/contrast-scan.yml +++ b/code-scanning/contrast-scan.yml @@ -4,6 +4,9 @@ # documentation. # This workflow will initiate a Contrast Scan on your built artifact, and subsequently upload the results SARIF to Github. +# Because Contrast Scan is designed to run against your deployable artifact, you need to build an artifact that will be passed to the Contrast Scan Action. +# Contrast Scan currently supports Java, JavaScript and .NET artifacts. +# For more information about the Contrast Scan GitHub Action see here: https://github.com/Contrast-Security-OSS/contrastscan-action # Pre-requisites: # All Contrast related account secrets should be configured as GitHub secrets to be passed as inputs to the Contrast Scan Action. @@ -21,6 +24,9 @@ on: name: Scan analyze workflow jobs: build-and-scan: + permissions: + contents: read # for actions/checkout + security-events: write # for github/codeql-action/upload-sarif runs-on: ubuntu-latest # check out project steps: @@ -30,12 +36,12 @@ jobs: # ... # Scan Artifact - name: Contrast Scan Action - uses: Contrast-Security-OSS/contrastscan-action@092c4e12ee0ee37b6116275f06efea84b2fe9d1a - with: - artifact: mypath/target/myartifact.jar # replace this path with the path to your built artifact - apiKey: ${{ secrets.CONTRAST_API_KEY }} - orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }} - authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} + uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1 + with: + artifact: mypath/target/myartifact.jar # replace this path with the path to your built artifact + apiKey: ${{ secrets.CONTRAST_API_KEY }} + orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }} + authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} #Upload the results to GitHub - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 From 5f8fa2190b68e24e1922720865c66a10c9739525 Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez <92373106+SOOS-JAlvarez@users.noreply.github.com> Date: Fri, 10 Jun 2022 15:31:19 -0300 Subject: [PATCH 42/66] use codeql upload sarif action --- code-scanning/soos-dast-scan.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 47f6c48..8969db0 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -24,18 +24,22 @@ jobs: soos: permissions: security-events: write # for uploading code scanning alert info + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: SOOS DAST Scan runs-on: ubuntu-latest steps: - name: Run SOOS DAST Scan - uses: soos-io/soos-dast-github-action@5f8e2a1994d618e6ac9902e0f491fd1656b698e6 + uses: soos-io/soos-dast-github-action@5f8c23ccf8366ea0a58deeb5c804e0524267df43 with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} - project_name: ${{ github.repository }} # If you're going to use SARIF the project name should be on the form of `repoowner/reponame` or use the token github.repository + project_name: "" scan_mode: "baseline" target_url: "https://www.example.com/" - sarif: true # Only set to true if you want to upload the SARIF report to Github - gpat: ${{ secrets.SOOS_GITHUB_PAT }} + output_format: "sarif" + - name: Upload SOOS DAST SARIF Report + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif From 66d01dd6da6cc6d7770d1c579799dd00b2259cc6 Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez <92373106+SOOS-JAlvarez@users.noreply.github.com> Date: Mon, 13 Jun 2022 08:50:37 -0300 Subject: [PATCH 43/66] code review - put exact hash of release --- code-scanning/soos-dast-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 8969db0..cf3b1b7 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -29,7 +29,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Scan - uses: soos-io/soos-dast-github-action@5f8c23ccf8366ea0a58deeb5c804e0524267df43 + uses: soos-io/soos-dast-github-action@b524e2cfbc4f4a5733153a7e624f569913f6c6e9 with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} From a0d1fc31f74beaedb766543246743db312c31c30 Mon Sep 17 00:00:00 2001 From: Shaopeng Li Date: Mon, 13 Jun 2022 13:38:09 -0700 Subject: [PATCH 44/66] Add what PHPMD does --- code-scanning/phpmd.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml index 3c0a5f2..68e082e 100644 --- a/code-scanning/phpmd.yml +++ b/code-scanning/phpmd.yml @@ -2,6 +2,13 @@ # They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support # documentation. +# What PHPMD does is: It takes a given PHP source code base +# and look for several potential problems within that source. +# These problems can be things like: +# Possible bugs +# Suboptimal code +# Overcomplicated expressions +# Unused parameters, methods, properties # PHPMD is a spin-off project of PHP Depend and # aims to be a PHP equivalent of the well known Java tool PMD. # More details at https://phpmd.org/ From 5864b8200b647d56d3f99013661a16204d76451c Mon Sep 17 00:00:00 2001 From: Shaopeng Li Date: Tue, 14 Jun 2022 03:20:43 -0700 Subject: [PATCH 45/66] move `What PHPMD does is...` below `PHPMD is a spin-off...` --- code-scanning/phpmd.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml index 68e082e..91f4b2d 100644 --- a/code-scanning/phpmd.yml +++ b/code-scanning/phpmd.yml @@ -2,6 +2,8 @@ # They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support # documentation. +# PHPMD is a spin-off project of PHP Depend and +# aims to be a PHP equivalent of the well known Java tool PMD. # What PHPMD does is: It takes a given PHP source code base # and look for several potential problems within that source. # These problems can be things like: @@ -9,8 +11,6 @@ # Suboptimal code # Overcomplicated expressions # Unused parameters, methods, properties -# PHPMD is a spin-off project of PHP Depend and -# aims to be a PHP equivalent of the well known Java tool PMD. # More details at https://phpmd.org/ name: PHPMD From 191e0166339c8ab513d25af99ce94048b957db69 Mon Sep 17 00:00:00 2001 From: Julien Richard-Foy Date: Tue, 14 Jun 2022 18:02:02 +0200 Subject: [PATCH 46/66] Enable caching by default As shown in the documentation, enable caching by default. --- ci/scala.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ci/scala.yml b/ci/scala.yml index c985f74..6f80a22 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -21,5 +21,6 @@ jobs: with: java-version: '11' distribution: 'temurin' + cache: 'sbt' - name: Run tests run: sbt test From 746c698c90f01168f2f0bdfda89de9b7b9676cd8 Mon Sep 17 00:00:00 2001 From: Nick Schonning Date: Fri, 10 Dec 2021 20:21:44 -0500 Subject: [PATCH 47/66] chore: upgrade package-lock.json to v2 --- script/sync-ghes/package-lock.json | 160 +++++++++++++++++++++- script/validate-data/package-lock.json | 177 ++++++++++++++++++++++++- 2 files changed, 334 insertions(+), 3 deletions(-) diff --git a/script/sync-ghes/package-lock.json b/script/sync-ghes/package-lock.json index ebcd318..768bbda 100644 --- a/script/sync-ghes/package-lock.json +++ b/script/sync-ghes/package-lock.json @@ -1,8 +1,166 @@ { "name": "sync-ghes-actions", "version": "1.0.0", - "lockfileVersion": 1, + "lockfileVersion": 2, "requires": true, + "packages": { + "": { + "name": "sync-ghes-actions", + "version": "1.0.0", + "license": "MIT", + "dependencies": { + "js-yaml": "^3.13.1" + }, + "devDependencies": { + "@types/js-yaml": "^3.12.4", + "@types/node": "^14.0.1", + "ts-node": "^8.10.1", + "typescript": "^3.9.2" + } + }, + "node_modules/@types/js-yaml": { + "version": "3.12.4", + "resolved": "https://registry.npmjs.org/@types/js-yaml/-/js-yaml-3.12.4.tgz", + "integrity": "sha512-fYMgzN+9e28R81weVN49inn/u798ruU91En1ZnGvSZzCRc5jXx9B2EDhlRaWmcO1RIxFHL8AajRXzxDuJu93+A==", + "dev": true + }, + "node_modules/@types/node": { + "version": "14.0.1", + "resolved": "https://registry.npmjs.org/@types/node/-/node-14.0.1.tgz", + "integrity": "sha512-FAYBGwC+W6F9+huFIDtn43cpy7+SzG+atzRiTfdp3inUKL2hXnd4rG8hylJLIh4+hqrQy1P17kvJByE/z825hA==", + "dev": true + }, + "node_modules/arg": { + "version": "4.1.3", + "resolved": "https://registry.npmjs.org/arg/-/arg-4.1.3.tgz", + "integrity": "sha512-58S9QDqG0Xx27YwPSt9fJxivjYl432YCwfDMfZ+71RAqUrZef7LrKQZ3LHLOwCS4FLNBplP533Zx895SeOCHvA==", + "dev": true + }, + "node_modules/argparse": { + "version": "1.0.10", + "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.10.tgz", + "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==", + "dependencies": { + "sprintf-js": "~1.0.2" + } + }, + "node_modules/buffer-from": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.1.tgz", + "integrity": "sha512-MQcXEUbCKtEo7bhqEs6560Hyd4XaovZlO/k9V3hjVUF/zwW7KBVdSK4gIt/bzwS9MbR5qob+F5jusZsb0YQK2A==", + "dev": true + }, + "node_modules/diff": { + "version": "4.0.2", + "resolved": "https://registry.npmjs.org/diff/-/diff-4.0.2.tgz", + "integrity": "sha512-58lmxKSA4BNyLz+HHMUzlOEpg09FV+ev6ZMe3vJihgdxzgcwZ8VoEEPmALCZG9LmqfVoNMMKpttIYTVG6uDY7A==", + "dev": true, + "engines": { + "node": ">=0.3.1" + } + }, + "node_modules/esprima": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz", + "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==", + "bin": { + "esparse": "bin/esparse.js", + "esvalidate": "bin/esvalidate.js" + }, + "engines": { + "node": ">=4" + } + }, + "node_modules/js-yaml": { + "version": "3.13.1", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.13.1.tgz", + "integrity": "sha512-YfbcO7jXDdyj0DGxYVSlSeQNHbD7XPWvrVWeVUujrQEoZzWJIRrCPoyk6kL6IAjAG2IolMK4T0hNUe0HOUs5Jw==", + "dependencies": { + "argparse": "^1.0.7", + "esprima": "^4.0.0" + }, + "bin": { + "js-yaml": "bin/js-yaml.js" + } + }, + "node_modules/make-error": { + "version": "1.3.6", + "resolved": "https://registry.npmjs.org/make-error/-/make-error-1.3.6.tgz", + "integrity": "sha512-s8UhlNe7vPKomQhC1qFelMokr/Sc3AgNbso3n74mVPA5LTZwkB9NlXf4XPamLxJE8h0gh73rM94xvwRT2CVInw==", + "dev": true + }, + "node_modules/source-map": { + "version": "0.6.1", + "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz", + "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==", + "dev": true, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/source-map-support": { + "version": "0.5.19", + "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.5.19.tgz", + "integrity": "sha512-Wonm7zOCIJzBGQdB+thsPar0kYuCIzYvxZwlBa87yi/Mdjv7Tip2cyVbLj5o0cFPN4EVkuTwb3GDDyUx2DGnGw==", + "dev": true, + "dependencies": { + "buffer-from": "^1.0.0", + "source-map": "^0.6.0" + } + }, + "node_modules/sprintf-js": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", + "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=" + }, + "node_modules/ts-node": { + "version": "8.10.1", + "resolved": "https://registry.npmjs.org/ts-node/-/ts-node-8.10.1.tgz", + "integrity": "sha512-bdNz1L4ekHiJul6SHtZWs1ujEKERJnHs4HxN7rjTyyVOFf3HaJ6sLqe6aPG62XTzAB/63pKRh5jTSWL0D7bsvw==", + "dev": true, + "dependencies": { + "arg": "^4.1.0", + "diff": "^4.0.1", + "make-error": "^1.1.1", + "source-map-support": "^0.5.17", + "yn": "3.1.1" + }, + "bin": { + "ts-node": "dist/bin.js", + "ts-node-script": "dist/bin-script.js", + "ts-node-transpile-only": "dist/bin-transpile.js", + "ts-script": "dist/bin-script-deprecated.js" + }, + "engines": { + "node": ">=6.0.0" + }, + "peerDependencies": { + "typescript": ">=2.7" + } + }, + "node_modules/typescript": { + "version": "3.9.2", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz", + "integrity": "sha512-q2ktq4n/uLuNNShyayit+DTobV2ApPEo/6so68JaD5ojvc/6GClBipedB9zNWYxRSAlZXAe405Rlijzl6qDiSw==", + "dev": true, + "bin": { + "tsc": "bin/tsc", + "tsserver": "bin/tsserver" + }, + "engines": { + "node": ">=4.2.0" + } + }, + "node_modules/yn": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz", + "integrity": "sha512-Ux4ygGWsu2c7isFWe8Yu1YluJmqVhxqK2cLXNQA5AcC3QfbGNpM7fu0Y8b/z16pXLnFxZYvWhd3fhBY9DLmC6Q==", + "dev": true, + "engines": { + "node": ">=6" + } + } + }, "dependencies": { "@types/js-yaml": { "version": "3.12.4", diff --git a/script/validate-data/package-lock.json b/script/validate-data/package-lock.json index 8839d6a..e660b6a 100644 --- a/script/validate-data/package-lock.json +++ b/script/validate-data/package-lock.json @@ -1,8 +1,181 @@ { - "name": "sync-ghes-actions", + "name": "validate-data", "version": "1.0.0", - "lockfileVersion": 1, + "lockfileVersion": 2, "requires": true, + "packages": { + "": { + "name": "validate-data", + "version": "1.0.0", + "license": "MIT", + "dependencies": { + "@actions/core": "^1.2.6", + "js-yaml": "^3.13.1", + "jsonschema": "^1.2.6" + }, + "devDependencies": { + "@types/js-yaml": "^3.12.4", + "@types/node": "^14.0.1", + "ts-node": "^8.10.1", + "typescript": "^3.9.2" + } + }, + "node_modules/@actions/core": { + "version": "1.2.6", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz", + "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA==" + }, + "node_modules/@types/js-yaml": { + "version": "3.12.4", + "resolved": "https://registry.npmjs.org/@types/js-yaml/-/js-yaml-3.12.4.tgz", + "integrity": "sha512-fYMgzN+9e28R81weVN49inn/u798ruU91En1ZnGvSZzCRc5jXx9B2EDhlRaWmcO1RIxFHL8AajRXzxDuJu93+A==", + "dev": true + }, + "node_modules/@types/node": { + "version": "14.0.1", + "resolved": "https://registry.npmjs.org/@types/node/-/node-14.0.1.tgz", + "integrity": "sha512-FAYBGwC+W6F9+huFIDtn43cpy7+SzG+atzRiTfdp3inUKL2hXnd4rG8hylJLIh4+hqrQy1P17kvJByE/z825hA==", + "dev": true + }, + "node_modules/arg": { + "version": "4.1.3", + "resolved": "https://registry.npmjs.org/arg/-/arg-4.1.3.tgz", + "integrity": "sha512-58S9QDqG0Xx27YwPSt9fJxivjYl432YCwfDMfZ+71RAqUrZef7LrKQZ3LHLOwCS4FLNBplP533Zx895SeOCHvA==", + "dev": true + }, + "node_modules/argparse": { + "version": "1.0.10", + "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.10.tgz", + "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==", + "dependencies": { + "sprintf-js": "~1.0.2" + } + }, + "node_modules/buffer-from": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.1.tgz", + "integrity": "sha512-MQcXEUbCKtEo7bhqEs6560Hyd4XaovZlO/k9V3hjVUF/zwW7KBVdSK4gIt/bzwS9MbR5qob+F5jusZsb0YQK2A==", + "dev": true + }, + "node_modules/diff": { + "version": "4.0.2", + "resolved": "https://registry.npmjs.org/diff/-/diff-4.0.2.tgz", + "integrity": "sha512-58lmxKSA4BNyLz+HHMUzlOEpg09FV+ev6ZMe3vJihgdxzgcwZ8VoEEPmALCZG9LmqfVoNMMKpttIYTVG6uDY7A==", + "dev": true, + "engines": { + "node": ">=0.3.1" + } + }, + "node_modules/esprima": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz", + "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==", + "bin": { + "esparse": "bin/esparse.js", + "esvalidate": "bin/esvalidate.js" + }, + "engines": { + "node": ">=4" + } + }, + "node_modules/js-yaml": { + "version": "3.13.1", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.13.1.tgz", + "integrity": "sha512-YfbcO7jXDdyj0DGxYVSlSeQNHbD7XPWvrVWeVUujrQEoZzWJIRrCPoyk6kL6IAjAG2IolMK4T0hNUe0HOUs5Jw==", + "dependencies": { + "argparse": "^1.0.7", + "esprima": "^4.0.0" + }, + "bin": { + "js-yaml": "bin/js-yaml.js" + } + }, + "node_modules/jsonschema": { + "version": "1.2.6", + "resolved": "https://registry.npmjs.org/jsonschema/-/jsonschema-1.2.6.tgz", + "integrity": "sha512-SqhURKZG07JyKKeo/ir24QnS4/BV7a6gQy93bUSe4lUdNp0QNpIz2c9elWJQ9dpc5cQYY6cvCzgRwy0MQCLyqA==", + "engines": { + "node": "*" + } + }, + "node_modules/make-error": { + "version": "1.3.6", + "resolved": "https://registry.npmjs.org/make-error/-/make-error-1.3.6.tgz", + "integrity": "sha512-s8UhlNe7vPKomQhC1qFelMokr/Sc3AgNbso3n74mVPA5LTZwkB9NlXf4XPamLxJE8h0gh73rM94xvwRT2CVInw==", + "dev": true + }, + "node_modules/source-map": { + "version": "0.6.1", + "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz", + "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==", + "dev": true, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/source-map-support": { + "version": "0.5.19", + "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.5.19.tgz", + "integrity": "sha512-Wonm7zOCIJzBGQdB+thsPar0kYuCIzYvxZwlBa87yi/Mdjv7Tip2cyVbLj5o0cFPN4EVkuTwb3GDDyUx2DGnGw==", + "dev": true, + "dependencies": { + "buffer-from": "^1.0.0", + "source-map": "^0.6.0" + } + }, + "node_modules/sprintf-js": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", + "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=" + }, + "node_modules/ts-node": { + "version": "8.10.1", + "resolved": "https://registry.npmjs.org/ts-node/-/ts-node-8.10.1.tgz", + "integrity": "sha512-bdNz1L4ekHiJul6SHtZWs1ujEKERJnHs4HxN7rjTyyVOFf3HaJ6sLqe6aPG62XTzAB/63pKRh5jTSWL0D7bsvw==", + "dev": true, + "dependencies": { + "arg": "^4.1.0", + "diff": "^4.0.1", + "make-error": "^1.1.1", + "source-map-support": "^0.5.17", + "yn": "3.1.1" + }, + "bin": { + "ts-node": "dist/bin.js", + "ts-node-script": "dist/bin-script.js", + "ts-node-transpile-only": "dist/bin-transpile.js", + "ts-script": "dist/bin-script-deprecated.js" + }, + "engines": { + "node": ">=6.0.0" + }, + "peerDependencies": { + "typescript": ">=2.7" + } + }, + "node_modules/typescript": { + "version": "3.9.2", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz", + "integrity": "sha512-q2ktq4n/uLuNNShyayit+DTobV2ApPEo/6so68JaD5ojvc/6GClBipedB9zNWYxRSAlZXAe405Rlijzl6qDiSw==", + "dev": true, + "bin": { + "tsc": "bin/tsc", + "tsserver": "bin/tsserver" + }, + "engines": { + "node": ">=4.2.0" + } + }, + "node_modules/yn": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz", + "integrity": "sha512-Ux4ygGWsu2c7isFWe8Yu1YluJmqVhxqK2cLXNQA5AcC3QfbGNpM7fu0Y8b/z16pXLnFxZYvWhd3fhBY9DLmC6Q==", + "dev": true, + "engines": { + "node": ">=6" + } + } + }, "dependencies": { "@actions/core": { "version": "1.2.6", From f13e67688e4d309342ada48c6c463d0c17e17d5c Mon Sep 17 00:00:00 2001 From: Nick Schonning Date: Sun, 16 Jan 2022 17:36:35 -0500 Subject: [PATCH 48/66] ci: use Node 16 with caching for internal actions --- .github/workflows/sync-ghes.yaml | 4 +++- .github/workflows/validate-data.yaml | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index fb9c623..aba7780 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -18,7 +18,9 @@ jobs: git config user.name "GitHub Actions" - uses: actions/setup-node@v3 with: - node-version: '12' + node-version: '16' + cache: 'npm' + cache-dependency-path: script/sync-ghes/package-lock.json - name: Check starter workflows for GHES compat run: | npm ci diff --git a/.github/workflows/validate-data.yaml b/.github/workflows/validate-data.yaml index d2ac9a5..7f8701d 100644 --- a/.github/workflows/validate-data.yaml +++ b/.github/workflows/validate-data.yaml @@ -14,7 +14,9 @@ jobs: - uses: actions/setup-node@v3 with: - node-version: "12" + node-version: '16' + cache: 'npm' + cache-dependency-path: script/validate-data/package-lock.json - name: Validate workflows run: | From c369c58c3b3a1f95ed4b9bfabc69d58e60fab4c5 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Sun, 19 Jun 2022 23:24:36 -0700 Subject: [PATCH 49/66] =?UTF-8?q?=E2=9C=A8=20Add=20entry=20for=20SLSA=20Go?= =?UTF-8?q?=20builder=20(#1600)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add entry fo Go builder * updates * updates * updates * updates * updates * updates * updates * updates * updates * rename icon * updates * updates * updates * updates * updates * updates * disclaimer * fix icon name * updates * updates * comments --- ci/go-ossf-slsa3-publish.yml | 35 +++++++++++++++++++ .../go-ossf-slsa3-publish.properties.json | 7 ++++ icons/go-ossf-slsa3-publish.svg | 11 ++++++ 3 files changed, 53 insertions(+) create mode 100644 ci/go-ossf-slsa3-publish.yml create mode 100644 ci/properties/go-ossf-slsa3-publish.properties.json create mode 100644 icons/go-ossf-slsa3-publish.svg diff --git a/ci/go-ossf-slsa3-publish.yml b/ci/go-ossf-slsa3-publish.yml new file mode 100644 index 0000000..09c98c0 --- /dev/null +++ b/ci/go-ossf-slsa3-publish.yml @@ -0,0 +1,35 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow lets you compile your Go project using a SLSA3 compliant builder. +# This workflow will generate a so-called "provenance" file describing the steps +# that were performed to generate the final binary. +# The project is an initiative of the OpenSSF (openssf.org) and is developed at +# https://github.com/slsa-framework/slsa-github-generator. +# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. +# For more information about SLSA and how it improves the supply-chain, visit slsa.dev. + +name: SLSA Go releaser +on: + workflow_dispatch: + release: + types: [created] + +permissions: read-all + +jobs: + build: + permissions: + id-token: write # To sign. + contents: write # To upload release assets. + actions: read # To read workflow path. + # If you need more configuration options, such as ldflag examples, + # visit https://github.com/slsa-framework/slsa-github-generator#golang-projects. + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.0.0 + with: + # By default, the config file is .slsa-goreleaser.yml in the root directory. + # The format of the config file is described in + # https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file. + go-version: 1.17 diff --git a/ci/properties/go-ossf-slsa3-publish.properties.json b/ci/properties/go-ossf-slsa3-publish.properties.json new file mode 100644 index 0000000..2d58eaf --- /dev/null +++ b/ci/properties/go-ossf-slsa3-publish.properties.json @@ -0,0 +1,7 @@ +{ + "name": "SLSA Go releaser", + "creator": "Open Source Security Foundation (OpenSSF)", + "description": "Compile your Go project using a SLSA3 compliant builder", + "iconName": "go-ossf-slsa3-publish", + "categories": ["Continuous integration", "Go"] +} diff --git a/icons/go-ossf-slsa3-publish.svg b/icons/go-ossf-slsa3-publish.svg new file mode 100644 index 0000000..ea77468 --- /dev/null +++ b/icons/go-ossf-slsa3-publish.svg @@ -0,0 +1,11 @@ + + + + + + + + + + + From 3a8411e0fd6e81d48b98b81bb46c40d74658e301 Mon Sep 17 00:00:00 2001 From: Noah Irwin Date: Mon, 20 Jun 2022 11:44:08 +0100 Subject: [PATCH 50/66] Add workflow permissions --- code-scanning/contrast-scan.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml index e822508..61ffd7a 100644 --- a/code-scanning/contrast-scan.yml +++ b/code-scanning/contrast-scan.yml @@ -21,6 +21,9 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + name: Scan analyze workflow jobs: build-and-scan: From 39cdb74736f7e54cd027748ea4fac30a7e47f7bf Mon Sep 17 00:00:00 2001 From: Daz DeBoer Date: Mon, 20 Jun 2022 09:13:25 -0600 Subject: [PATCH 51/66] Update to v2.2.1 of gradle-build-action --- ci/gradle-publish.yml | 4 ++-- ci/gradle.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 9aeb2b8..42eae27 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -30,14 +30,14 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Build with Gradle - uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee + uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1 with: arguments: build # The USERNAME and TOKEN need to correspond to the credentials environment variables used in # the publishing section of your build.gradle - name: Publish to GitHub Packages - uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee + uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1 with: arguments: publish env: diff --git a/ci/gradle.yml b/ci/gradle.yml index 4642c75..0c0f12c 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -29,6 +29,6 @@ jobs: java-version: '11' distribution: 'temurin' - name: Build with Gradle - uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee + uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1 with: arguments: build From c85125e5394aa3157d87b34291af34a2c4756537 Mon Sep 17 00:00:00 2001 From: Dan Lorenc Date: Wed, 15 Jun 2022 15:20:38 -0500 Subject: [PATCH 52/66] Update cosign to 1.9.0 Signed-off-by: Dan Lorenc --- ci/docker-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 2f68e66..71aff41 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -41,9 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@d6a3abf1bdea83574e28d40543793018b6035605 + uses: sigstore/cosign-installer@7e0881f8fe90b25e305bbf0309761e9314607e25 with: - cosign-release: 'v1.7.1' + cosign-release: 'v1.9.0' # Workaround: https://github.com/docker/build-push-action/issues/461 From c91d79cf303724f7fd80537f25a0a4cb0fb1abd8 Mon Sep 17 00:00:00 2001 From: Austen Stone Date: Wed, 22 Jun 2022 07:40:07 -0400 Subject: [PATCH 53/66] Update tfsec.yml (#1616) --- code-scanning/tfsec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 6536fbe..77f8156 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -27,7 +27,7 @@ jobs: uses: actions/checkout@v3 - name: Run tfsec - uses: tfsec/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f + uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f with: sarif_file: tfsec.sarif From 7ae8d12d9ac5aa4a27e5ed1884c54f97d39c78ae Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 22 Jun 2022 04:45:15 -0700 Subject: [PATCH 54/66] updates (#1615) Co-authored-by: Bishal Prasad --- ci/go-ossf-slsa3-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/go-ossf-slsa3-publish.yml b/ci/go-ossf-slsa3-publish.yml index 09c98c0..3f1b732 100644 --- a/ci/go-ossf-slsa3-publish.yml +++ b/ci/go-ossf-slsa3-publish.yml @@ -27,7 +27,7 @@ jobs: actions: read # To read workflow path. # If you need more configuration options, such as ldflag examples, # visit https://github.com/slsa-framework/slsa-github-generator#golang-projects. - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.0.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.1.1 with: # By default, the config file is .slsa-goreleaser.yml in the root directory. # The format of the config file is described in From be331aaa2f5c266fdcfe007cb93d0358f956e6a2 Mon Sep 17 00:00:00 2001 From: Shaopeng Li Date: Wed, 22 Jun 2022 17:54:14 -0700 Subject: [PATCH 55/66] Add puppet-lint starter workflow --- .../properties/puppet-lint.properties.json | 6 ++ code-scanning/puppet-lint.yml | 54 +++++++++++ icons/puppet-lint.svg | 95 +++++++++++++++++++ 3 files changed, 155 insertions(+) create mode 100644 code-scanning/properties/puppet-lint.properties.json create mode 100644 code-scanning/puppet-lint.yml create mode 100644 icons/puppet-lint.svg diff --git a/code-scanning/properties/puppet-lint.properties.json b/code-scanning/properties/puppet-lint.properties.json new file mode 100644 index 0000000..62ebd9e --- /dev/null +++ b/code-scanning/properties/puppet-lint.properties.json @@ -0,0 +1,6 @@ +{ + "name": "puppet-lint", + "description": "Puppet Lint tests Puppet code against the recommended Puppet language style guide.", + "iconName": "puppet-lint", + "categories": [ "Code Scanning", "Puppet" ] +} \ No newline at end of file diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml new file mode 100644 index 0000000..682c6a9 --- /dev/null +++ b/code-scanning/puppet-lint.yml @@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# Puppet Lint tests Puppet code against the recommended Puppet language style guide. +# https://puppet.com/docs/puppet/7/style_guide.html +# Puppet Lint validates only code style; it does not validate syntax. +# To test syntax, use Puppet's puppet parser validate command. +# More details at https://github.com/puppetlabs/puppet-lint/ + +name: puppet-lint + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + puppet-lint: + name: Run puppet-lint scanning + runs-on: ubuntu-latest + permissions: + contents: read # for checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Setup Ruby + uses: ruby/setup-ruby@v1 + with: + ruby-version: 2.7 + bundler-cache: true + + - name: Install puppet-lint + run: gem install puppet-lint + + - name: Run puppet-lint + run: puppet-lint . --sarif > puppet-lint-results.sarif + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: puppet-lint-results.sarif + wait-for-processing: true diff --git a/icons/puppet-lint.svg b/icons/puppet-lint.svg new file mode 100644 index 0000000..c2e2cf7 --- /dev/null +++ b/icons/puppet-lint.svg @@ -0,0 +1,95 @@ + + + + + + + + + + From bbd824dff4fb1e648ee02ed2874c69e28ac1218a Mon Sep 17 00:00:00 2001 From: Shaopeng Li Date: Wed, 22 Jun 2022 17:58:09 -0700 Subject: [PATCH 56/66] use hash --- code-scanning/puppet-lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml index 682c6a9..801b90b 100644 --- a/code-scanning/puppet-lint.yml +++ b/code-scanning/puppet-lint.yml @@ -35,7 +35,7 @@ jobs: uses: actions/checkout@v3 - name: Setup Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf with: ruby-version: 2.7 bundler-cache: true From d26b20b23394d4bbd531b69b5188d6e7d0887312 Mon Sep 17 00:00:00 2001 From: Shaopeng Li Date: Wed, 22 Jun 2022 18:01:19 -0700 Subject: [PATCH 57/66] update image --- .vs/ProjectSettings.json | 3 +++ .vs/VSWorkspaceState.json | 7 +++++++ .vs/slnx.sqlite | Bin 0 -> 131072 bytes .vs/starter-workflows/v16/.suo | Bin 0 -> 34304 bytes icons/puppet-lint.svg | 6 +++--- 5 files changed, 13 insertions(+), 3 deletions(-) create mode 100644 .vs/ProjectSettings.json create mode 100644 .vs/VSWorkspaceState.json create mode 100644 .vs/slnx.sqlite create mode 100644 .vs/starter-workflows/v16/.suo diff --git a/.vs/ProjectSettings.json b/.vs/ProjectSettings.json new file mode 100644 index 0000000..f8b4888 --- /dev/null +++ b/.vs/ProjectSettings.json @@ -0,0 +1,3 @@ +{ + "CurrentProjectSetting": null +} \ No newline at end of file diff --git a/.vs/VSWorkspaceState.json b/.vs/VSWorkspaceState.json new file mode 100644 index 0000000..2aa7877 --- /dev/null +++ b/.vs/VSWorkspaceState.json @@ -0,0 +1,7 @@ +{ + "ExpandedNodes": [ + "", + "\\code-scanning" + ], + "PreviewInSolutionExplorer": false +} \ No newline at end of file diff --git a/.vs/slnx.sqlite b/.vs/slnx.sqlite new file mode 100644 index 0000000000000000000000000000000000000000..db13a0a0d99f0c0bebaa2b65171fe9fb27315cec GIT binary patch literal 131072 zcmeFa34B~t^*H{vc{A_L@|w13wk}EAv`yPdvoDlV+B9v`HtCY4ENuvrnU`eRWG0=N zv<+pOu*fC?B8bSYh_Z-+8!lfF1w|APK}Esu7eR1CL_tN=|2g-*eP-GM>i75m{a*NR zZ{I!Vo_p?j_nvd_IrrV^-M%HBQ7ea%sj*0=vXPm_uq<<8WhKKfqwqiG`ri!rhoC<| z&RYIm=%1rZZBwNOk(Iw8&UEE(fja`z{F~*=rAvK3_449&{z~qz+zxJ2Arfx+|8FGV zLr${`L*9~;!fbYXJP}h5^-hirCP&w)L-9mB6Hg`v=sy#~>*J$pS8SjwACl6sqjSy9 z&dRQyb)6?y?mi|O{Xw}B{G*>Otc=FU?p*Yxe&+SLPOyE}V!0$1>V-Q&ZHjE+ujpNNdchvI519|8OO z(Ccl6QDVwV@39VD6OF3rbbK&Aid{6s>O^yl!5loZ%T@v6MCqMOXVfu6gw7%qWu;mB z-NWD-~)PY>q z=`3?12JExU2`)&-GUuFiVC?0#-d}TGpG;=lh5cm4Icqte{q`B>1Vj7!jB|plbLJRk zoc2QV@tiYqY%`9ud-MVG-o}eQt*xEX$GeRi9nl!PdO^dojCNehOUx~_NXID39QqWg862p?WWJL`-rI3-RH;eQJFwqMrW3u*I`+B;z_ZgN) z$1y5dhL;Z0ItDgIFQF_u6o~=drKZv_(Q-8Z6yx)j)YP!&tt8`6Cq~KJpCtPjv;!?8 zPzP9F(lLxYIx-A~X?ILDTX$3~tG8=(^;jz7D?85XE$IyFugp1+2ew60Y9cd$YTF6( z<$ZrnEGq@et8}8_f+3%EUJmAru;8qKV>!E4^p@-c%{OUkKFciBn$E3h(SH_nuht)J z3FNGH6lzE5+YvfZ?6EG3a+*b{k*RsL)netk&h=~hw(P8oPNc|;&FE?xCV7(gmeg0U*?DA|^s1RmJTXk>w6@-+ zC4zlC<>HZHM3(!sLZL}pvyBr=mMvpXAtNWfAJ%Bu@$0<1g%}+;D@$t-_J?Y6rG(0?_ zruXd0q@$#r+P&#yV!pPsH*4*Tq=wZD)J=fz&V=G(3<<7N2PcN-(-zOtz{lD$S%KDO z(nn}CAH%fTUTd}g5I6rK5gY*jXDpIY!;nPw?0F|*$XoSaBZ|DFkN9%_MdGlGMfH#x zedhy$)cV&5;T`evFY3QT@c+X3h|{v4Ov?GanMf)#F|H{N+*%S&H12w z)&-|}Jj}{VCERy*nGvI2>RC?LX@6nN9f=832V?CqwJF@t5LLrX4Q=(|NOPEsf!( z*0#EEq%j%`t1Zp-YF&GCYl{lSgN+T*mbTU~G!zXtMO$LwNJFGP+!$+XZ5kYkG{l-> z;nu;%!B}&wG2GVJ(f~ZQ#=_7fEXlQPUHiX;inj2f2fr(g4eN(upeyACc z+8e{oZB30sYD=RUX=@0#4-U1p54K0cYI_Wtt7~n9<{FXL*1?9>wxQ8hgv~sLrrbXO|9X&LA3>X7Xvn-zu{FaBgUt=$y0*HyhPt|FdjuF9YG{lN zHV-z0TVr)?bQDBd>)N$ZFxa9tHAcfjtNI@Oa5E@7x>5gz5aIp96v9=EI%oKQNB_>B=^h5%VpA=(odzYOCOgm zlJ-kIQlnJj`={?k-?x2t`Y!e*eZ9U`Uzzu9?_=J(ycc>C-d=B;w@iFZ{GRwJ@oMp~ zxLaH+E)l(+-+7+&e9m*FC+_L=%oF}9JSp5MoF_zt;{}O-k^d@x1s~xXct7_d_f_s{ zZa=q{t6=}gKF;33p39!Z*08)~OfH-hnO0U3$07&RMD2JgIj*KMaWzejBX;|q?LOT9 zmT=+nLn5<5#|n>6435UrBL%S+9~7BY1bZKR`97)^L|k-0WL5&=Xe0&Aj~2wMo)DRK zz}u_tn;b2SHa{aWjer(UrVEl5Z*5`UC<;&JE~-= z#zm$c(US!kT%4rB8&=1F+!3T)ouC}5snJMcxFEgiF%4}rekh(Qj5bQqV#!QG%@jln z@1y;tXyKTe-j_*^7e?Q!qeu6tsiTT#SzKf~K|HY}L646`h6@j#>Jg3Oz0m!_@?0=1 zGR;U+O%z6|9}=1Ehyi7k+yS2PoDc46uC#docer zI_n~d!g5&DPx*=@VyR@jur%iH(P+gY1=}m%Eiwy0rU%u*@kn%E?c~^~tm~=rQzJAYJdq1F#?0c3NGsrnJNNCVc9|52=a-h zB{5#ktSur_fwe~L)D~{0!z?+73xxOqH5?5eiY8-r-sf(j0!@sgUZe)d%2REZ$ZQ7c z7I=6#o*9`K4C62XQP^KV#YT~-*6@cXM(r%k-XJoIbzlmPBii~{zMhV<1oF7oPPV+0 z!p72r_;rA-Ugm7Pf6m1aAw zpjoTw3qgBnEiXTTlGAOZ6;`&2lGE&>6;yS+X55I$%-f6Nl_FCHas_>Dtyys#?VMrr ztiZB%+M;IXY@jv`L~WZ5)Jj2`J+p$US}30m8)idk)=_MB%Zf6ui7E}7t+FDNHEJAC z`(y=`G|X_$^lYFDg~ z^5t4B&6ZeUrOUKh#D3TyODTlf3@c<-4IOQ0C#>b=OK3Z~ZLq>-E!OHd^wYvcRAr#a z%&~G+x;3b-rqUdXB;d{)r$I5$7A~a3Mk9l{YfuAg$pVpCjYBu3!onaioU<}8FiYoC z5m4r!JCe>&SrrZmt8z3!m2|Xdyjp9O&ZG1we^$usxl~P=JXxVtbLb$pec(_#85tWb z))|^Jo9cPvy9+zGw8GI7qheJ#rA>GOqnSy?HDhC-RF+YlMo_|FTgQ`hw3-;DR*WGy z>5Xd^=z@VUw}dMF$V4U?j=&{D!wDO_dKP`d7I-+GPESx>Z;&Z1#(wz3gUQssq0!{Q zv{x6v;+dL7gs-axQutYXIx_&54ULb&Y4h5#n1NV6gN{*d)a=_%$fX^%f zt;hI8`t=t!J#f+J*Gi@VQ;a0SWnb&MJE1L|r(y*LJpi_Jb#(UhcIw4tA>aV0#MJT8 zCWJ0>4U-5{MSRD4qdN!luM+^U_F12G!R_CU$30UzmHE#9l;s==~7M5!*5ge zD}(%re67;M&z6FLH++8%{Kofu;CbH{0uT9a41Atvl@qu>aR2Q)5AGKj3|!?~9XRZp z9f?(iTgiMazg zO6*PJEFly=fqW-a_&#)09fqku3U3ecbGWhefhc+UI8q%;4yK35yR9(j{Q`?AJ(2DQOe`BD8=Y#aw3NNA423BWIH;#H+(RX zfvHT&KBSk8BuC*sD^hkfsXC%Y_l-qThe*)}vHigmtbf5ql9H?N4S*0qY(#mH!Yi@U z5nvkz87a78Houb7H;d+wA*zJ=00Q;hq7!&Iiid6&ouKzu@tvG)zv#rcj8rBYMknaf zGQOFNc;}LYxulZsz+rD}8J$%xrd46j=!9G}i(kRz_;;B1E#SL2eZQCAZ^v9{#nHBn zPVyJj@O=gy+rH6>dHy_pjgE;MM<@Ke3celSWRyB#Q>A<(&dQuh*+u+TE_Z|ItbZ=L zfGs;fC!KRv@KGx~XNTw@c=l|56~QMvLpMgT>@dRg9ijtv zMj7AA=Jm!-R`DAs#MoOo>K;ONjUA!`cn}-acZd$yfpWf`&F@{ED1n1|c|58aB&Y8X z9putTF2CnAHJ|U&K!tj-e->ZQ=6dwTv2(@_(a~ZOTg>kXO%PCC@8=kT@_Rf-kx$1C z(b48UielR#I#Bjj@|{4Xus1VKILPb494Y0S*?eBh;YIv*_UN9yqb-jo@ic5l-yu4<>nC+`J%)P} zegUg1ez5tw@mbgP@O)~JpT`>Bz*8`!WYg$?axy{Dy?!SJ_&KcZ>Dx7fUj`4Rss{8v ziaP;xyw1D4iEz8lBfYUXNuQv4~6l^Tw7h7~9lx#q$ z>v|BL*W7JtoqCX-zQ46S6Pw+GkQ5_COvhrPl^3dlwpw*)M z4ew8wKuwR&ast)8Jj?LO@a!x_DQn)G8my0zlvT-pY(JP(JiNf%1y;!Dc)p3K2HX!n@R zwzXP;^)yF;#WPZlW1AFPy&+|0sl@|QiWAb})xd#Rg3_{-Sv(!Huzkb3QA{*Q0guK^ zd{Y{8NOgwZlErf|9Y;U)Rumy+W8XCmU#sSqP>_(t84*H44i7{S1>Uh$cRK`7#5P}p zU*wC}Xk11-)2kriqs5hgt=8g~`4zZ!)HX2YYo$y1?*V)^E|0g-lLqRE%z<*Rr<<(GkqbS&&NR=|4r{} z-d}rP^gi$XvG)fM)qmLgb?*b-`@Q#g@9^I0{iydE?-kxlyytt*_8#)4yrbSB@9ExC zy*s@<-i_Y1-s8P3-a7A6??UffZ>e{>H{cb$jQE!LC-GJB74Ze}XW}#B6XK)dH^r}s zUlczp-X-2H-Yk9uP6}KuUL;P5XL=s?eBJYa=YG#Up6is~ii+|n_{QNz<-^LLvPapa zY=e^y%auh+rBbfUR6>eR;X-eR-VD7K`gQ2V(DR`mhkg)xEc9^b>!Ali_lNEY-4VJq z^ienuaYg8o(D|XWLx)1C&}e8Vbb9F2(9Teg|FzKC(D9*`P+e$gXkln>s5CS^6bOkS zCiqtHPa+%mc;LpswSg-F7YC*ShXa|wSYRkH5I8xoJ+LXz5jZ~39Hwn7snEzY;ulc{=zt{gs|E>P({a5?n@4wK0j{lHfht< z6MdeyJWqKZ^L#>jMtWTOw)CL%fOMa97o4`ZQMy*TLb_O*k`7B5X-pcD2Bedv?b0T3 zLQE)EDVHf1D(5O^C>bRIUx2JrPEgvEhTyAk-s6Sf&w|ecp9nr0{ATcL!7m0s8@wxc zd+_GqM}k)eFArW6oC=;9JP;fY?hVF*rv*C{Z4vGdd~B@=hvPWJkNS=lGaMcNe$9cX}(l0O_yYe^S$MJ-S=zX3%+N4 zKkz;3`-blU-)DWF5{Jao#9d;KxL!O#Y!Pe4MdDm>mN*OMkNf9J;NL9)<Ng5&P=_DN> z>1ibGC+QxN?k4G}Bt3$`7A9j*7BKJK10i=Yk85DPt$Tm%R^co)bfCq z`?Xxwa!Jd5TJF_yQOi9zs6(tkGoEG~%~+Z-BxC+bvwzU+?=*XxW`CpETQvJC&Hh5O zKhx|@n!Q1@Khf-uG<%(9f1ufG$QpAG^Ls6SRm*>;<-gVP-)Q--wft9F{)(2rtmVJd z@|U#yMJ@k@mcO9o|D)yqt>r)0^5?buIW7O0|M!f*Gb|A?@cFD({u3?#v6lZx%b(Hm zr?vctTK<%l|3J&1)bb~^{BbS+zLtMa%OBJ7?`rv@TK*j^|F)JtqU8^3`M0$En_B*m zmVZObA4Ku{nXl9Azi9R~nthdKU!mETY4!lkzC^Px((DT~`#jA)N3;8Bb|1|?OS8|= z>|UCEnr8RV>~5OfMYB6Y9-d|8Zu;~|n%zOOPtfdknthyRAEViAG`p2%x6tfnn%zXR z8)uE;K7jqqb`Y_F|rP(z!`w-2j4P&ScW3HlwSJLbX%(|Hm(2UrxZid*e zZid*eZid*eZsrn-axu*=qS^asb|K9!pxOB}JC9~lG|STLT$EM!IV3%sq-T-zOp+cZ z=@}%QB4N|aekb-T46l@!$VA~)C+XgAvHb}v?K?=4FQm}21f^CBo zY#XFt+aLwo1}WG!NWr#23bqYWux*fnZG#kS8>C>{AO+h7DcCkh!L~sPwhdCSZ7>GF zwm}NE4N|aekb-T46l@!$VA~)C+XgAvHb}v?K?=4FQm}21f^CBoY#XFK3QlA{`8U`$ zC;{6BDcCkh!L~sPwhdCSZIFU(gA{BVq+r`11=|KG*fvPPwm}NE4N|aekb-T46l@!$ zVA~)C+XgAvHb}v?K?=4FQm}21f^CBoY#XFt+aLwo1}WG!NWr#23bqYWux*fnZG#kS z8>C>{AO+h7DcCkh!L~sPwhdCSZ7f>_whdCSZIFU(gA{BV%SvF|AO+h7DcCkh!L~sP zwvALL7B5R(8b z9m&{bFTqC%6CWmCOhlw0c<`V2GkzYP=NXBEe{stFxTc+}{7AW9stnHM9+tRZ!1qev zAKa%ySHnK{btUV2EbuCKz3<+@^W25XBt+Lw^<5QsjO+9r2z-TWRECsYToo5o*06u| zogDa-@5I23zUsgSyl)3m-v0?i*`FzO?4#@#yx$D$@ZJ(w={++r-+NL(@*d~^i+7Iy zWiR7@hW$AE0rpJsfBX-L-}ZlAyv=`uc%lC?i0S`=9T7+TXDDxqJ^oR#-oKmegFSao zPz^p6Y7YIkIK$tiEb#ov-xAyy{D$WVi0$9+4|%SU-}W4mf9*M0e#X--KjiVsHwZ7u z?-RZv?-Op3`<0i2pOLqO9u&@#R|*k%kj^{F=(eBv2raY3xBbj@gsd6i_A?*WOSBlbpSgCXu$Z++x&6#Fq$~C~x1aft zQEEoI{mj*rfHl_bXFf={u|~W7%vH05Wvnya?Psne;;=-#{md0}g_Uffm^T;^0@foT z4nJBqb2$-R-nciIoCQKBd&I~$*dt0HU+f#KRE5yY=8b-X>6$NeAj}M^B5Y-k9ue2kw8hrTqzE+xCAZ*ZJ zg<{LyhY0INEXhg!AZc8WEIFYEX2aXk<4jKAL>auSe3A0*3?Zt=pq%y6glPU~d3S0d zjNGHd%e(iN3iW`L`+3Va>8ugEa<-f#E$5G#cPA(?Z`{0li~#dT&bvnm&yJXvv+aEv zk}U$}MA|zal#M+e=0u58PVz?3yGP1F*W`_%cMmTSwgV_Pa^`Gch| z(z|2ied{qcC&4Hg!Fi+U-Gj7d{&;$Kgx1U#QSUyT!1Bh_y9da~%oA1bK8>`e$L*Y) z_S1T~k@fC9MPTHuv2}SjDbZ~T#FgYz6=5E0#@FRjW(i?3By@(FPRK_{M_=P$POF8jJM0%$t=-p*fcs4+%^-I zC61W8ymcC^N-R-#xrY`Qad){pC{zH3_N~hn@_O>d-sR1ti;n2Kys28)d}OVR%ymtN zrIjrLFK?Uy3le(_Ufw|7jwK2&uO}tCmPJyX;G2{VRza zm8*4-WcwOWu|dx0k~d!;IX^%PEE)yO)=dXCrzqFC}k8 z{~Du))Ymluwy=c4wJ$FglL4GJieI&e^eTTGzp9#4q)~Q^h z(tILb6HBTh1!hEFsw6dNYtRX49+?bg3s^Rnywu#de(@YK)9sP{;@Nf{iYrKMEr4!` z?iZJn`9c8J_DM@<}sFle?X{UjEMg{KNfoCE!ZHm4GV&R|2jCTnV@ma3$bMz?Fb20apU91c(G0;rIIb z797iu8`jr0*TRnxHnh|>Ho}kj^)0A7hTovHR)Qb)>st^xhF@*8R9Xh%{k|E;@;it1 zwRL#^zo0ZT%3kFrrCIr*`-)u&xDs$B;7Y)ifGYu40U}IgqYT1Q=U~GQSJjTz@^GT_zi&V@D2DfrBo5%Yxw6vj{=JO=Sskp zfGYu402WaU5QSKk%i?e^>-RCcwe3 zQ?Q50?f3(q&t6jmKO;bj&NYgr!%qm1nui5i6VRr^ZwHXFbIr0M_`v{Db&8^W_ToPk z!7l}nqDh{#dH47KQ3SsaK#I;bi{J+WNYNp)2!0uW6rDwBLB;9tlK`a2L%dej@X&Pl zJpfX6wxtYy1%Q-ITFT(ge^Pdq*7>{r_ZGpW|C|H@(HOZanJwb9B8^=vf?oh2SQ>A4 zKD7$t|3%6rjPjQ9gz^pLkIM7P{on(*Qh5n(0Q@c72=Ha)cDOI^Za{JWTnV@ma3$bM zz?Fb20apU91Y8NY5^yEpO2CzXD}nbc0g;DI{ZtXj4o@T5xe9#>(WfBErUE3Jgx?K- z3TMkCJ0y|pEFXRHQkY1xNw}I8FwcUkX|V!aO$*s1=i$K>a0ui7%(VB+yi359fGYu4 z0JC%*0KZL#r|8)Oc3Ahq)CE!ZHm4GV&R|2jCTnV@ma3$bMz?Hzi zLjsK+iD5Zr^_&t`U=OFGsrYziPkJ&D4G)i~={@m8Og&VaN$dGKb#P*sYZXYP4W!b! zTBQS#(ReJ9QNxf#3RLXlNyW(O5|(Etb6U$Opv~@07X(m#A{-&Re*=;|J1;+Z3mxS1 z^}2`(xtwi zdUecj;&j^U|)N-cC6{`thr!Sz*`ayvzLT3k-<^b z*>&f0P-AB2nzdUx^YlC@FQIbD5n@-YALP5Ub3^Bj%56Kky4UPDrE+uUDV1ybc5dzJ z0kYklJv)Ib_`h$pecuY-MYwI`^1z*CB&h?!;I(s@gdnnBD>C$~?4p%{v*v3vyV??bP*8AgdIFTKY)bWJp>rql7k_$YSK5UUf-F$Qz+%r096 zh!drEGM!P!3=ukuP?VKs?RO)~Ey-vE=jV>(!NMKTkvfv26Jv>7yr5i@UE%kZ48Xh^ zAoGfF8jU0pYN{g=9Z?5zS*Nqii5RfYGAFno9m||^)`78?+j@V^d3`dOaToTJ8Rx9! zeD>RCoD&S~>od*?vd)=fm~q+*&Bt@j$g#~h((cg*%zGOz`n0xoN+0hwZgfOr@ahFQ z^FRM2-#IxBT2j|kdK3E0+Zi8I)0xQFcz-1-kDXoJph-br;YbWi-jWqH?36-AqTVdh z8^A;_pp41dYwhdl+TLea9v#Q1WEoyMOzRlf7`=qD>`){IbeEb+!$ix`{8Nn2TT)ZQ zp0|>WL!B5UZ-0{PW6%z?j6fY=eM!eK^61Dg7^dAZ)ok5SwXEK*(bZ$AjIZoCueYQ# ztiLknKpxl@NvVm<0IF>#%$N85IkBu1EU(guh6{##)_FOYGs1$i0*>YETG3mw4>aGT zsrf9kP-{B3rbYi*(7jrJv?Y+U+EJ(-rEf>*M6t)ZEXrvXrIMdv@hA+NHIKqvKEcpIu3>D#iiGCGkWGd82EX_(|m-dj>% z!Di=?Y0|4^GV#PPnbX>Oo0bUn@sx{4h7nor(+Y(qZOt}LELpaUJ%x;%^nO^QsRLdeJi)2l7jaDMf|7NcWl zWv)J`T+>^*Hj=ij!MkG1D+^6v#P6Wvo}y3-j#W@i*ua^Q%Jn<8cIUKe&RkfJZ0#{0 zDVOFma=xuL4|{f$^}V(4oZTD}g#9zmtX#ZjaV2EiYK?9}KdimZjF@$4{~WIpvA3Bx zT|GUp3*7|!&KyY~=K5aP)|=SSnLKZ4m6abU63gsM4M$-rFLLJ z8hOn$l0!vn($K}+UvvJU>0|+W@iK>v#!6-dd@8oB%lq2n=Ofzuwb^NzQJHqs>aV%5Lh+U~HnNvm zyd`!?=aK2OLet%lN!~ecKyxSVG3;V>|A{_r^3AXO^IorU^ojP4U6xLH{%bXn*`0Ue z0yM;}4N#M}|J{v2Zz!_kthz{l7Z!@Bh*L|0|60w(@7? zb>(-;EAOd6x3Vh%R|2jCTnV@ma3$bMz?Fb20apU91Y8NY5^yE(zbFBLXIKv=0wz2r z9M3Znp8qfMeT-2q3_Tm#AF2wD1>O$a;s1yKTK`7*GjdXHmTr{xNb>>3{c|PYO2CzX zD*;ymt^`~O{Kq74W|7QrY+tsFVM^F3PK~uS4aJ%x;U-nB4>vWnwTIhdu~@i17Heu5 z8ftGHs&DT&ZqJ5|d(tD3Bz!+H3>Qi5flC5X88sC?m`v>(8ciNd@5y@~QzjivCWhj} zaB)&HL9R$@n7&8^H8{1ZL4n{s&8&+ZfPJN zYQc?FCn{RaIq$TlP9ZxpM7q8*TYStky5PE~p~%E&rWboWF%BOy>{X+g!}x8$eEfoS z{&A2eV``<|O68LANOWIhSS6jVnNLo*&(Fa5c0`R)YV(8gS$c)Gped4b-ty-y`(k z0>1Z1FK4XiJd-Jut>H9b&sohtQ~w@eo4q`CL7R1Sh7YlX)oc+;`K*7ng)`gBwQd;y zFH$aHlG}V&g31q=gDl+t{~P7MlBRQkH~ap@vyztkf&N+rI3`d;*X+jpn$VqenN z>udFudEfRv=Do{%p*P{}^|pD-#Mi{{iJua$77vTN#kJxR(d+r0=Sk1!JXd<+o=(p^ z;jhAz!kxl-LPR)TkoXt*uku&$5x#->cd6>`815{Com$ zd0h)9MW&UN#IeW$HBmdBf{;Nf1J?}_Z+N%w*`0TvaNaMkTYgAnHt1O4@rl9FczUED z_Tqygvx;EvgPZS1)q;qN4v5T3Kpc&vp!v~)c-0dk(++rh)qRtrh0*3`M5YnY;>mPD zQj5~G$&pBUpLzsZ)hXKKa4HfzLJz|GMWzdyq-aN#Ox3u^)FXPbAcKpORCvSc7?3-H zl&cezLp3!TNemaHS3Rbojm8hfQ-#q+DOxO3EE$;2yC^;jz7Nkj~TSSY%&e znJkKE)JBtgCsKv+7M`wA3rEKbzrBS66l)L$*uH{2n133bb#PBxL7YYXl&?r4mP*D8 zOJn{XjaDpDkXHF_ky!vTJ*W<1;^;i%b|H6QKOUqj9);FJ(h0JxQw?jf_TYkdj>@GY6`sCen7AbNfVQ837DVCKIVh zd^ByZxKpnDQ(~7cq8`Uj36^asu zpfAYVia2Mh$kYH68e#+ni4|PdBQjM4jKZ>mx)J0P%~?xc&I`ZVcKxg^B2$62M(orU zZl=R5If$X!_yIK>4Ihd^jMheY?j|bG#5n3jYJjXf)pm)@W}t3?hlk^tk%_^u7T~qN zfQpSGQ?20-PmJ1Gn!Q0}7VE&&grkq;>**-NI5OBt8=K{w6gHL~oQRLcY_QUGbQn=v zYh}K&gX#$a$=kh(wUk|){=}wQtCz2#jp}yP3M)I2zAMdkT0yf`(-(sF(pp}A0wt&0 zNGq&t6(y(HMJuT4c+I#GlbN>{#VbXo4CD&>+FG;XINCYG=2?Md?X*SB&e=e18i?99 z8>p3nG<#+RRkct)9X8B{(yXJ{?3NW}UK3RsHd|#yC~MR>p!UfMDrumTpV%ZTpt@eO zX}NaDidIsm)koW71S&#lbK`Xs&s2mT}`Dq7D>Qw z-Z%}4fwpiVB{muv%w2;TSW6a&%xWCEDHRq5iQ$};fq_{%pNfDo2i=i$hRUjNNLZDl z396){MdQ_4t8^ZvNBOftX3wQ+%H+ukt(rpzu`RS+I~f@pE!G*DGn?vpBS>lomsU7> zVpOaur?d%AU^FwSIIh*8c>|@gjOsLk5(e8ko}{DI#3;3545^U}u34-!=9W;UADPG` z!x8wAq2YuLUOkJxVGBGQPp2nf|6(OmT8#bhiN^6KuP%VaGc}6{S9A}g@LK$IW&nO{ zXnYiYNw0P+W+0Z&prcglFp@W5bElhJ4wzgT@R>!R^%$Q>L-u;pCDVW@MiSx2zSebj zLR&hZSb;$gfGu4eojtvsdU06@H~=a!b$m2AIi@BuX&p2t2n;}tj;%dAcXX}o+u7B# z!9uV!0Aq`Q*L7|^2`(G&)hkx`VE_S5w6@_i{!$T)YyjTd9a`TvO%|CV1jZ5lg;yKS zDV30rPegH#ksnOb36=V26SZJ+;Uy(gstzgkVsCsRLckd7#j`~idB77EM=~&c1}8GA z(V>MNIwg1Yo&+b>(qO<ULV2eI$_@dsCaHpu>*8Dil6zaK02Di%8M&^JOigeF2=p&7wn1n&!8 z5!@SG6)Xw77WhWs`amks1$%wJ|9AfH`|t5z?oYyAztvwR|4sfO?DVgf&yfe@wemvQ zEB!+Hwsep5era6VF11LU?*-q(>~DM@@TGj)ef2)S_f_ws-dnuqdt=@cy;WXD{JHo| z@sr}E;wbF$XL^3+`Ksp%Pt?=u2?;L=4+tL+b_)%HkN-LUS^grvpKs(j?pf|W?gDN% zw}SJsUt%v~qij3thtA-CRCSe%9Z z3HEE>#Gnd7D2%xz3wxGTfH?wNYO+r#_@WkPVef)Oq4`XF=m-OEX%@CHI7)^_BM0GE z72(JD3Ujb13)>hRdusY$9-i*-8-c z5_7nOeKMR<@rOMM6JL^roe)Ya3R{loNK?a+P+>bnP(gDad3-I(!p;a;MkT*LXBlL& zyeJD>A`LMTJ;F{yq{i?4ESwk>n`+ zx>;f5nk;Oma5lmZ>qYmCMN)?f<1Wd<1`EYCn1cNitg#BCE`wjPBGVD30gP{A6$@i8 z&cfCUM@|G@7--qTn6tC65yL&@p$PsK=o!?-fI5iSr;03W#&AD+KutyT&94D1&BB%p zoflvz4-kKW1q3@X0vf{U29NaH8$l2qM_{Oe7A!x@aR- zo`o$NX-OS}6*JlK8w3_)VY`NYLZaB=hb-|O6klWG?zY~ZNd$F!nWgz_wG z-H?aW1T~yiU}+Y%Z}=*WC85EdRKd*7W4_4HDa*nhj<{o}iM5iPlZ9Oz@#L6R)e4`L zg`FI6%77uY0$>GEL3jb%=>U~xVJC-dQgdmoH9HHNIpR1mETk1&o`wA!_FgxNR^Z$$ zZ0b;URy$}#D9OTp4xMep^jRULS=hoMN7UL`K~-7Ux8V?V7&t3Vc@}nT$d+!?tiXya zY}#;Q8fMH2EziQf4Xf&w%L<&6g`FD;-(sw+@UkrI-|)q0_Q?t>&%*8v3F{`w3M|XQ zz6~pCR>%rln1xLnMs#4G;4nN^w2Cb3;ILbUt+7L4^G2ZgWKs)%d)U# z(_m;stgzWx*skH|FztpFJSPj=G!&P`RM_FLS<~T~b+E!`XJL;<$QuU13a-e)HVyk^ z*Z?bZZWcCaIQpz=--=M4h5Z`75M9$-fs3-RXG1-uJEa{<9V3voC=0tdqR=!Cbs@xs zS=iIzYozY#LTJmfu(#_(G^_8r5ca|>?Dq&!;>a$9wjc{TKh%Z9t6d0dX%=>a9R$mC zaTh{fkcAB*B?L0U zxK!k+^t~$V_C4XdTUhVA);B3M`G$R+LZz?HH&dAA6TC0+|MWiP{kr#F@0H$jyr=QM z^={&~@F~9C+w7eQUW6C;XT>M@N5n7kUl#8YujKC%r^HjlRs5ymbk8fE?|L5a zT(8{fxfsq5?DDk3mkyufXL0`oZ^DDzz3jKx``N4EoWKCPnGI7ff+gi2Wc84MQ=;h^ zLN&|TOeAwlrLc-K%N$jhdzc^05Eiqn-FZ28p0L_l=BQP*V46^ca1xaV6)dlsEwmd2 z4(#q!sZg&2Z2^hn7YbcD0B7y}MbH*EoJbt88446IMP{Eo|V7q5``n_VQ9;1?#{w1}Y4fC@fWljq18=zqfJg)jpojy#89p9ZHEU=@NE z2!RWNLInU1rpeR%>B0h*v#wy6E2J`^k!2%!BJO*NTwM+a{AFcm@mI9>e`VLQ~z1v;q=(f0H( zUL9>O--!|x20V}?Y^^APSp@%fQj5XZWLbUGV+U&I2rJDJCw`PDZQBNb`3O@cfGw_=;QLk9i+gZ7ZJ7MAV!a`gqXh( zwUP_WB{OXftWg|ok~J)JKg7JXRM_t1h(L1*DP%ohZ*p(sKqR~u;ueJ1U&#Wa07fps z&_ZE@lQZpH1bVnA&A-$O15O65NV#N#mJZuY65;XBmJZvXxr71>U@@Xe4!tueIGm`a z!}#0laeYnoW}VQlvzG@am#9B1oKl!*cppT-l4IbZrM-XSIAMQb@)qpehU8^J-;o+h zj*TbNS~GuY6UL6zjE0-rh_po5dW1$GkTym;^2cUj_y{c!#9Z<|%aAkts@lw=bYEBK z8Ut1kxZ)_cjKG`T%307F=ky0LS1u4bfZ-!W2bgbwM1WE4q)QEz4?JNz z^XPgDo*W(SK8>s`;WX<69ONRnbBXD&o{U+d;m~uGNN)}?COVFjWq?~5N(*SL4GUTr28v+uV;-t%^a(Q<7R~?&WVBdLAOwU8 z0MK&>-Wfs-eK1cOh%)nW6sBme6sbr6F(d z_2AEfUkQFHcx~`dPz|=RSvU{ykH8-SF9yCBxG`{MpgXWE5b(d{f7<^Q|4ncz;4FW? zzYD$rSn8MLH{}=PZ^HinX7~CLcZ2T|-$CE0zAj(2FX;V)_kX-kdOrpG{)67Aw-fgJ3%#QFC-Fz( zBjRo1`^5v|E^(b$FNQp?d7k%t&vU2eTF;bc(9`2t;h8P`TKJ}Lt8keR6*dUfLJ|Kq z|2+Ra{yzRX{(L^k@8s9>ZR{=Vett20H}H4vRqngo=ee8Vzj5v~_rL+w61f zsUWap`eUDCO1N=2^P|G9Ogkg$XRjkW7aCE(w|Nb0_9fU(har+M6i$z(BaOx`9pP8c z5n4Hp;yXqVa}WCgxrg}?H$Iuyi^fbTJD7*q@j~Z%W|D=XNi@WAjuJm}4;gAEj@<1i zkg6(RgTQU0mkjl)8G0~`98zJ=)98_74`iKlHyO>^L5TDLvaWJ=u5w9(B$O}`Ij2I_ zbC&ZEgvwoHYiTJ(Nu5L%ca}nvYwb`3^Bmd3>A@W4PNJ0X5$o?FS~%}%3g&0iV2P}~ z1>}HzKbgAdmV`%n3nc_kNT{zIc9V#lqurS7OraXyrsjY}A+ZP9b8`z1u!qZp6$U2k z>fw~PhJH=~$N}~Y!lfCKVm?U*Pk|#H%(G;vix*_2N3`?cA(ka(!7RiM?If?sEOQ7J zG}$b&8qIaUqHs17#)b4R(XpFb+p=oC_;!!c1Ow?pYu_4Q!m4-ax#0g&n(RlDA+Ur@`UH+(F)gS%`0; zm%IhD%)u_$sGpF@h3jTGk&RV$5ZkG{ict#diKWy_93;9AgWpTy5UL*-hf|G_1ROp~ z!C5;(ayxNtSc8|$Cx|iCi?H2o#F*+Oj#hxtACqN;Gswx@4g&z1x10e&Vq3{#!&;h4 z@J9+bEjS}6%6xpb(9F^2T;yknRCLEUN~M!XMK5vG=%&-kjH@yqBRZTGAcs9$)z$W|>RA|x=|dEYWix%HH9DVa{zpgVIbnNE5U%At!)C%wecBuuBLi0mz2 zH=IZmfmVPNHj6oV$1X|AXbyLdA{!lGt-1Q97nIL%A~R3# ziX5+m5L|&(ISxYhvgN`_g%BK!b+eZcZD;$k=QyI;j3Q^1BvA|212xReWZdgTI5~k+rj>6iKZjYiCPgF105Vp@QSc{f#jB53q;G+TL<(hq;lA zUabVF9#8zvg-)I_j}x_J`KGCz5}+URB7v1;_!s!PH$khL-#xX_>a+l>A4jX_|LS*) zRM(sz_)fKrHvRY)tGAQt8iqq4-J@FE5kD0+z5zxuusw&3ndTcT^l|V$!m2iqv915L zFs3ZN55E7uVTQQF^N`rV-RON<_zKT>CZ(NXh4>Ti)xPiYQ^L)@2Rw1#Cxwf|Gd%s? zG(Q$NfjiH0hv#a~{(r*Hf zNZ$?IBz-z?NV+=EBOTy23kmLc&sJ|Ax0K&4?BpsuYrHL-kKf2$>z&2^iEr|G*#G7$ zg*NtaPrWb8euWPTbJ@E+3*_&xH;BWq%lG0vw38gtTTx zWsCS~&InK-!XiYl#ANZ2c-@I^U0A`lYhG)cgBxou2=En_fGl*w;fI9Zs4T*$tCyca z+*)v5gI)#Z81si9KgSX&$4=V<?E=M?uF++so!iE; z59wuQh>5w{E@@X#`9iEk?`u*8G9MK~gJ!^e#ebDaRMoB)z{2CtC=OH^5056Y;R58FN1ICU$E_{ENRGuE}ZoTu|O zNKUB$g*tCEX z;TyC0m4-%e0v{wQO#e6r`}7e~qT3BDxeiP0@ebsu;E9Is>fJ5yamvHKn-POXRCD54 z*y8JizRrV_=SR^Lpk>SR>CJbDC<`7Pctnme@=N$WshYIJg=m2#2xL{HI8`&WRXr#!dw|-E&ogi1*mgjvqnY`eX;k&V zKJn$@J9x`{M>@H zC}`ESHP)B|1&eemO$HYf6gyrLxtJu!r%{v#GdDKCPRm6juhuzslw3UHH9K)bIxbZa z*0YK@81&PNd5Z7~ z%%P`~D=d^+e!xM~IuD$j22B=hbHa%i2=n~~$7#->@VD~&3u0U5inA5DnIAhsy#gmB zB-ovl7o0=pVUL{F;3rRBC|s{_YwTSGYvtFw(9k5F6~Iw74<6vUrJTb7r{$OcK!=~;v(D4xsrE>4>)x-V=Y;PFpA&8o z&KJ_cp!XGFyYf+`LpjU)WMHH3H-QHKoBn6~pYmVgPp}_jv+VQiL+pO`elE&w4?YuE z$Tj-+a8;bgznOi*zly)yU&m+pL(=2YhxyYX9^dY-A=dsC_m4EpYuR>-gVZued(KNEOce#m=3zF#T|-s`)@yC<;IyHdU> z@UnNVe0lI>c~p7PccHvT{HNR%>I_$PxyZ0`@ZjMzI%l(@7*9? z^2h&z37L*!5U^tL6XR;u>fxQwcWGz&jkv$#UGFDVj3fBWKk*Hl$NyL1)*!!&I5mr} zcM^x8emw37bbmQKpMaYz{n^oY8V8!;DaUzo3oc%a5(hf-1Kc0j+~9NP@T)B)jtUEq z7cJ<5%ljF~vi58V!j$92iiTVOX&&w)>63%pLfqpLh&B9DW|mrlFQqu)aZRCpG|b$J z3va!^L6~_8rEbPpPDH8a52#GwhD-~mtj0ZRo?uGG$CuDR3C?ycPQo&{q|6r=DaIk7 z9r!_w(n@xRSv5E0v03TP|g#-DsD)~ zdYI&(C6=AWSF?s+8%mBtUUVll@^Z7a06TL6ie1NWG{`)O&K8Sf8Y$f5C_^HvaP@1! zbJBSNC1`r9nHw$7SpRrjKNfIRKaRaN{nYKGs>MrLUQ{`XGe}#}=>BJ*(1MD_QS1=XKH3Q0_eBhG8>QsD|EpR2 z4&y`5CZ%WtJ1Fj*$%pL&3OH#(Q5U!i<#~LKM>xat9L|t@XLNohS1A#^l z_Wih@%6|yvS)31rk5v2wM`od83_r$w{E?0&{HTm?&VL5s8RRJcd4Z=F@LflX^8XO^ zb%DV40iyDAB3k3K`Bmn$biAb`DlF|R(-u^%xrcQ?j+@bMWIcxiWt$f8o2_N}PTq8( zMj+>3v?~TTqKPmM!~mHMXavZ@o?a!m9-sB&7y$1??QfiESclr&ei{LAI4w1a1ojYeZC=y zZRjz#&M_?9YQ7?T?7@~D$7@RXdgmlU)Gef@c@_r6Y77}f*n|w|D*!C$!ai6JQt0Ly zfg4cT=1~Q#tFNLE+-X}nVaYnweA>s9j`73JM9pW7UE9B#Wd4C$+yZbXtr_`fX|X7n z3C!Q~(bC{fTGN9wv76?47PmN7KFEkT(a)DbDf#zm#MjSaF(0quH_$0lXnlJKb(8TL z9PJ+rKE}YsS(d?z9k|;uc(Lp*eemMLou&yu!C&JXM~HKKo>7A3#93{AiN}02_!u^? zl_0qmq;8zEWIkyh`$*#s>qy3ePoTpiSFbvH%bYup@31OV=f3Y8RQ zhew!K80CA)ZAwZxUYQOYsG{PBDx@8y2WJqf;m>$!6|mD|KE;}rHU?2p*5u(z@ov!m=bww0a73eX|P zU)dB~0k#0HMYL#l{o<+8DY*5k3Sg$9*FnWoaL-o-fV8t~diks=xYKJ6l{@Ji-3%8 zXiN}XrA0u-*EBk4))ZWxh0@o*zt;g}Q+Q(*0wUyIe5^^lK(91o3hu}% z!Ae&2@+r6(3tzwW1cF|rYzlA1LZEgFzD2U-Q*bF3si;TTEWpw!ywwpa8V5ymnk7?k zD;AC%<9mJ`QZWU0Vl7695qYzaESrKGu?R2bNfN#0>?ye27zcsnGh9p6*;8;amJT-0 zm*}-CrtoqstZhANqC-oj;BG9!uYT%8hm=pj#aJi->j4xUSTa>js~KleOvpkCA>L@~ zyI42{cVe{zLF%WrdG;;cDV~CBv2glpw+HBiE2iK^EbNEv+=>n@oq`*&@RgXM5gk-K z1@~bQg4EfqmzPb!Jy)fFawuA;ui!? zyT$34HB)de7E(36Nd<8iOu;2tjewiaQ)W;Z=@Q0~T(&WeV=hI>kUd`jsR) z&n;7Mn^wMx1y<4qYfbPgKTIFANC%%Du__QMGpf~3!S!2spQfW)?mm+>>NHHjtz6r4 z>X6kyK>@c+!3|y5F?&M=BWgx#?Ne}L*Fa81&Fe(M%mo{5nEL;459M(l$LUD~OiX-6QbyzuJP-~91cc*x0ta`P2+7U|CkQBLDN)OyR!U7w5JZ%x zkW?xuHKit&R!EsB90w{QmN6PlVx_xhXJ_{DU0L}nRo?x#)7>+@vorHe_jUgoV7#QJ zfgM>;=vxfXyr%gB;%|E>J-VRicNrjjE$v3MoBzW3FMK5f0I6cD1~GsU!)+9scq|tA`OE-xHRS3xmsPM=vIHEA0C^=( z2e`^Qf?Uo3Bn%Pc#DSm^%NU@71@Vb}!Ab^5VA!ubA5_s|1{h$7;plnNeYr9hpuPqG z!8-+1p;{N9y{__Uk&PeZ1t_mLUTIbPW7fEU=7q3d!R;d>JbccL!_9HFkzC>Jc05hVU>4|7{NP+UPN5l!NY)Vj;m8I5c% zRjFckDPMyEBSLejbqjLWy7T!Iz|!(yb_?>>yYo0=cL;O0 zpukYK89pOSgaW`@kh#X4%P%bgjkh4@aCeTWHDb3h(7Xku>fKvB?NQ2KQsE1V{Ngq4 zY)>H%w6|c_!`xY>)_@8jG`ou6TTmngcJhxCBQ)b0W28}L*kFZsC0hoOeR9nNe(5Ey2UaRxXE`_k+u*+1Gf+5Oq4vmJH@stSy@zQ}&lTwz|D?Vb5F z^HSz1>r`fgbtJPgGtv5O=88;d`b%qf`Yr2GKofi_{ZM*Cx;Z^AJ>1%o9+Xa`J~kgo z{WZ1M`eEv^)M{%EAPZcR8exr1on?JH`Jd$5*3jfD$sJaCavQ`l47W1ohGa)_j`=xM zBN&-1HcuuK_9x~W_MgmO+Xu~^=FX7Apy#n?2EOhyFigd-Ade?lkNQt3OlMd%b6lHkH=zq4ag4M<;QMM+D|5aWg>`@vA0Ov50}7$V2|0t}7h) z9j+&oCa+QaHxhoDqJd`(+M0fenxdlRP*J62?)+x%$!^yfwYIAGA9}m)#_+c3t73TD zbPj|NsMOR)Zzo6#zcy1Jy^Zp2d2Kvgb}J~mUf!FqZ8@b%uAB)45$3m`*GF%q7BIB& z-Kb?5r2zYPC}dhnNy;nQ`TsbV&_Mj=gw$L4Gu@EzxrGLnW)8M3rUX>awjtLVjkSn2 zjCyH8=7nCXyc}Wc0vd)RUgPt88b)4I@maqt4cW9_wO|F>NL;Xz#UX{3Xw1AtsNQJ+{(gL6zJkW(IxGKG>RJu?cKn+Q5XetXIYiDvr>9zFq1*xe*U^5l@3vEx!)G* z4>EN>q-4^-(&tsks%ZJkiWk}o1T|6MKChkT?6gK{K&lp47E8V3UhPH6P4S9ME855vNDNhNSqJ8uwWn*YWnA`UVh9qP~k?dYV8wpXO9lT2^ z=E~7S!h0y2TxpF8o}>hKaXgXK^R$LUQ&i*x|4cEa7KuMsmuM_1`bw6V*2UjDXn#>J zyZL(uDN$XHbM=)XD%!JL{X!<1)=4;7k<*n%-8Cf90J?`y-srf;(up!n=SB4T@VO6G zVbPx9b1z$?ogC#0%P-_Ri7)8bdI%b#QtP^3+ZRBx0PQQbD1vq;?Np?JD~*b$(aY_m zovJoRReA@03vm=#MFB)p69)qH6AUI>Ly`^JdQUyCg75@Sy_fU(m+d>fu6ML*gLVfU?&5Bxlj;Q@$YD4;;{)OzAtJt(UzWW=IG0lGcwEXjq^&Y06&X9sIyF=T&Eqz14Zt-so(#S2^pQA2`$OMa~$z z31aH6bE+Y3;G^uT*?rkZ?8~zEW>?zvXzSbM*^9GvS;N*KlHe8VOy;1OH>YJD$heuw zneSLfGySdCGTHQL>p=QQdUyI^YkPXN^-y|YdVKoo^vHDI)R(DFYh&sSs51DZ`Sa9$ zspVEX)Ed0pnw6?eWs?80#w6deE=j(a+zyuiw&WVCBDum`Vve>P^Zw-YXll957 z?a$0p_DTDQ`4@Yi`Fr~bbC0>_>u%=tynoLO^vuBjG6QgU)+_!A=_0{+Lxn&V&^8Ph zR~tizwf5u))X{b}M9_PlnGIAg8( z4}$9vkAMWuP+>!!(%*#1j{LoFQba@ORrHeZGRC(*fG3)|wnI|dsqi{Ssr_6^F8;98 z`v@W8?{%88O8kJrM2AkMpswOMEPoe%d*5Jh!byuY*R@TUo)oakq3g+*rVwZh_rH<) z7l!)4z*7Y-o>(LOyx@Munb?P4sIYl<4U&$EnqIV41+c@-YddFaUScBv0X@)}2l1c?k z@Xpwy4#jp=_iBh9g5lAQVg8V3dWX(N?Bp4mTzOuG#gEc55k~hUT9k1nx3&RciRe^? zZf``T=^@`9VaOYB)r6YE z19zyR(w-i#ipE>h+FDGE5Z#Au>2U~t5lakfum;aJj}!k#1Bzddt4C=Hi{$C@#c|$& zeJrI=#=^d9jFc<@`hIrsQl}ST{Qns9xR&e8y_kC(to)YT*xW@q!+9U-0Bm>ecUC(y zoKa4#(>MD$RQx-XeLTA<+nSw_y)fH1^F`)wnM0Y!GwU)fnX#FAu-?x=1%Ulf`L83r zAU!rcEL{xw0dJ*#1Ni~@)Get|sllmavMc#J$gJ;3-khvWnt=3w*xqcmoUHmCFvjjaIg9Svt~?At#N*%4SKTjhq|WGYnu z*~mA)SDc3o2}}zTUK@m!i(UJ(k~}0aa0>So z(Q9;CeSR@G4_OK$aaJ&jC43>-j$L;eN9qUXAuEBiMV&}Ih_SQi<<{{+(>)!Kz#j73rxL0~e9x@8908;$) z0BZ_g;@C$otv@#pc?4K>J2|$yAmBZ!olmc15au4y&Ldzn$95cqkUQ8ig#UKJ4Pg2$CqjXTk zAm*FXrF%!AmoSL(M#Z>4Mxj(Ni0MYfq&q~R7BdLo#*W-%xRDC~{>C zBD8VN6_=?o>%6W7 SzKIYnXQTPy;$v(mV*dpvnS6!- literal 0 HcmV?d00001 diff --git a/.vs/starter-workflows/v16/.suo b/.vs/starter-workflows/v16/.suo new file mode 100644 index 0000000000000000000000000000000000000000..962942ea22fff9b452b61562d7bf63660eb5293e GIT binary patch literal 34304 zcmeHQdvIJ;89$r0w53Hsuth{jp#`kj&E5B=FPdzU7NNE!AuTkey}Nri*=Do5-MiZ~ zG(|x`5Ffl>0tzbp!Hf>$=&0iiIx^0Hj({@?|2XRCAC8JMj{gBtf4}=kZZ^ByyN|Zn z^q!sXo^$VceCPR{@B7YU-+beOKR@^KC4UhmW{X%PK0L8poMZX!vbe?hLVN`8ZGaC? zoH#)*`orm%7OH_8MHat;Xcv7V13ND!*_5`;DzRj`&Dj^K8EGQ%!>8|g$Mq=$`uV5z zkh_2}D-Mb4fISIUpEz1Ai8+3&&;za2Jtsh!4=>;wy02z-iXuv#7AfE-jEDie%K$|T z39kr=FrJmoHKNV64BnRmn2*XKXZw7^c(sGyKRfEIH{h?i{ELvn<3=jX`~R#JXmN8~ ze;ocR0sMR(Yi|~)0sw0qyY7$?FARHig*3L{`?Y{>!+%AEaCULFa=6nu{?EVj?z^6J#y@(S5c6gH zn|*f)@o z{2%$g9CDHcKd1m^xG*zTc^mkrX%h2MKGf{53B0~;e5%HO^`Z{)v!l*=Gs{oDg_6_NkYQ1nuDWR*^u~*HQo9 z2JROP{CB{1=s#QT>@*JjuPpzc4fKBxC~5|DHY+B?4p7((fIL86ctjNQ0V#17v(q4+ zoFPbobCx+_gE9Y8hUW+}$VydfDSW9@pxHg0vRcB0^lJ287S|&;m3302f7BP4Itne( zlRPNTTxx_Fz`PO%W@@31plk`F?4|ReN1KCW_(u`4hJmUhm><@^90;};E{kY2<@Ct`!cC< zj6%~47f>4;#4y@W!Pi`gs~@GC@i~H&3R)=Q^c$EXz}N*XTc`%i>_4W->lxT4wgb6} zjLT@A9I``Io*OW#eWyw<5A^KVZgh3BnPVst8O{mB8%EQ|;U>d7jQB+WQz;;{t{g0& zGE{Vt5%I?6b%%elsx6cG<7?R;eDJ6DpL+Z5+ZX-l*5yyM_3ppuZ})1Fed%OkW_OM~ z_3ksT{%q*bQD5ib$&G#QaTuLe!6X7|VGR1V7nlT!Gbi?qr?ZfJ*oXshj5%Fk6$oQh{N>Tqr}H=gjQM@AUWOy!c%LLs-IvvXo%!ZYFbWb-4P zK1q@~5v+x)VS=9`Fxj9qubO77{51Yfa?J_0CoUA2iOU)mUF=JJ_Pq3 zz+S-3fLj3j0K)(oa4X;d;2?l$#9+q_w*or};B;!He+cd|60D#gD8F0w`awT(BqL{~ z`arb*EJmeV9!tNiz=xGK@DBkSnf5_oj$!nrz*-fwT1mhj#T&G=bt^mUqFp;jk2Uk;{I?jds{nTK??%{4 z^RF}ioBW3}|6Avu`K;KCLYtkR9{(le{xw7Qw}9=8aPjC z_9KKD(4=>HP&&XRxidjQO;E!|zG#LwF_B>XL&M$9G;QMlJiePu}By};f>PSvbIO5Ka_ zqZA&%^B6b^A8NV}QhESSFQob&&FzPatKGej?cE4PzizlB{JH^A$nz3n@)w27e;m4i z1bDXDc=i1&I#!lpqo}N@W<7BJc8RB5y&EL_j&=L``@(@fue&E4@VmX8^wVj|(+r(?8PS`dwO4w@lUA=`ER?nmQKg@kf04 zxkEn5$MNoUM{Zljh zU39_X1w}2WN}-U-jGRpM!swdb%j8S74>dl>i!>6Sd>7*ru2~%oJoeZ7uUNUa zs|T;P4E6A4d_6*LtF4GephokrA!nyED`7Dm|8WgWss&}-6V0a6O1zN5PB+gsC8Ok1 zaZhhb`yl5h5Bm1)GXf42@@TS-_Hi|y&8Jhbj`kr4_K3GR;F0+2Xpf?ui+N>pMkyBZ za=N2^S231O#jjT;2eV^JW^*hYmV@zN$lK))C{m9m&MWz4#5Rz+O@a1i*+bPT#i*RV!$morDomOQ9Q2;j8rrXk5z7r;S}dkx zK4z1hm8- zVMt8ew#$`q6_A9y)UK`Ls*swf&E>f!>LPiLD2wpqcD>Lc4nywKwYhms`s2<51z(4N zpSzj$z3$u!yaOrdU%k*(dXNHlNc**P{II!kn0v8#b}FHzA;fPML^ah1;dH97jQ)0t=`-JUlV3mFIUYNefEb zhnw|Dwe{X7#BUcwsZyAaI5UzS{9!?qNI!ZrhSuW#Q=QVaCgnE!nn~%X=S?r5mg4Cy zj;cILmBKDH_Q7`+L?2|y^5E{sFQz~R$tMcYnsku+DAFiH5@nj1bb$8_|6^IzBO=>O)&8bGOZ@96*L*BVV}`#AbP?k1dn^sTg=9Q~hu1LOQ}DM$a; z3TxGl{*OF%YwRnS-Bzbc|L4*)H}yztdK_~feZ47Ae&zit&DzFSYd#v4pLve{ee9iD z8xP6e5RP29l|az%4g`}icPtQ&;jBf_+ZFRmK{*_BiTmn0WTqV)QM2hHH=^a0v|LCX zQ8rXKZd2chmU)!1T8^&-;*oefaJ=`7Wq;28!IjjA9Nm$M=d)@yS?~;{RBVYGC=?T^ ztY^2rJ8m$WO{<>4R1S|~Dz{6HkI5t0&}VKL^oDHj8I=6VU^1NadJ{oO_RCAypEp;) zK8U@g)=GIroV5Aumkj{PYmop7<3=dKWQPf9J< zZv@1FGS}(~U9_S{hphO*awsO@uu>rC4)`JwcULHpbO#kV>F)|Cia*rlktBaO9GpT1 zW|@nHmMP0O9!y>f;3iS-Z`91}OCWi6%{)H`C$C;&1rXMAjkfx=ksfXFAXjT}Ucf;N z+j*|l`qNLk@=JA>H4fc0T+cgMeoL>p97Q&mk@}58{|)*d^U2|G68$w0i}~CEB@n?W zLT}QY^h)ud5|R==MVg27-z1>(`$XdmP1)GMST~(-<v!U95$EB*H*_jAi1_v00$%(5 zo;rX{DTek%0n7g>%~b4p0}uG zcz}m@D)AQiW?$mYLx|=k9$f(79fP&sSMNo?@S%4cz#TQ*VH?1&^q%}Ue1iC%M0pc% z&EVDK!KRh4wsET8b1>R8?6WV)FFoX`3pMrCF;C{q{3k$dV^P1gxRG1XTlW+^dlyC9 zdU;#t{-4&q|B3fGoBE4!xEm0U%HGd2eG|~k{XbnD-hh7n5B?&;#{ECbaKV;y{}1j8 zn~(SZIP!nVznWA~SvFbzFDsc~_||Ni#W~f+SCsOe^>I}p?S^6g{}9j9`fzed(l{sU z-=&1WZz=d5fj{r%_29%K|FNnU*Bw`-)A_N Sx>z-0_Wlj8R>`+f`S1TJ`3C6# literal 0 HcmV?d00001 diff --git a/icons/puppet-lint.svg b/icons/puppet-lint.svg index c2e2cf7..4e5d4d0 100644 --- a/icons/puppet-lint.svg +++ b/icons/puppet-lint.svg @@ -4,9 +4,9 @@ Date: Wed, 22 Jun 2022 18:01:39 -0700 Subject: [PATCH 58/66] Revert "update image" This reverts commit d26b20b23394d4bbd531b69b5188d6e7d0887312. --- .vs/ProjectSettings.json | 3 --- .vs/VSWorkspaceState.json | 7 ------- .vs/slnx.sqlite | Bin 131072 -> 0 bytes .vs/starter-workflows/v16/.suo | Bin 34304 -> 0 bytes icons/puppet-lint.svg | 6 +++--- 5 files changed, 3 insertions(+), 13 deletions(-) delete mode 100644 .vs/ProjectSettings.json delete mode 100644 .vs/VSWorkspaceState.json delete mode 100644 .vs/slnx.sqlite delete mode 100644 .vs/starter-workflows/v16/.suo diff --git a/.vs/ProjectSettings.json b/.vs/ProjectSettings.json deleted file mode 100644 index f8b4888..0000000 --- a/.vs/ProjectSettings.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "CurrentProjectSetting": null -} \ No newline at end of file diff --git a/.vs/VSWorkspaceState.json b/.vs/VSWorkspaceState.json deleted file mode 100644 index 2aa7877..0000000 --- a/.vs/VSWorkspaceState.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "ExpandedNodes": [ - "", - "\\code-scanning" - ], - "PreviewInSolutionExplorer": false -} \ No newline at end of file diff --git a/.vs/slnx.sqlite b/.vs/slnx.sqlite deleted file mode 100644 index db13a0a0d99f0c0bebaa2b65171fe9fb27315cec..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 131072 zcmeFa34B~t^*H{vc{A_L@|w13wk}EAv`yPdvoDlV+B9v`HtCY4ENuvrnU`eRWG0=N zv<+pOu*fC?B8bSYh_Z-+8!lfF1w|APK}Esu7eR1CL_tN=|2g-*eP-GM>i75m{a*NR zZ{I!Vo_p?j_nvd_IrrV^-M%HBQ7ea%sj*0=vXPm_uq<<8WhKKfqwqiG`ri!rhoC<| z&RYIm=%1rZZBwNOk(Iw8&UEE(fja`z{F~*=rAvK3_449&{z~qz+zxJ2Arfx+|8FGV zLr${`L*9~;!fbYXJP}h5^-hirCP&w)L-9mB6Hg`v=sy#~>*J$pS8SjwACl6sqjSy9 z&dRQyb)6?y?mi|O{Xw}B{G*>Otc=FU?p*Yxe&+SLPOyE}V!0$1>V-Q&ZHjE+ujpNNdchvI519|8OO z(Ccl6QDVwV@39VD6OF3rbbK&Aid{6s>O^yl!5loZ%T@v6MCqMOXVfu6gw7%qWu;mB z-NWD-~)PY>q z=`3?12JExU2`)&-GUuFiVC?0#-d}TGpG;=lh5cm4Icqte{q`B>1Vj7!jB|plbLJRk zoc2QV@tiYqY%`9ud-MVG-o}eQt*xEX$GeRi9nl!PdO^dojCNehOUx~_NXID39QqWg862p?WWJL`-rI3-RH;eQJFwqMrW3u*I`+B;z_ZgN) z$1y5dhL;Z0ItDgIFQF_u6o~=drKZv_(Q-8Z6yx)j)YP!&tt8`6Cq~KJpCtPjv;!?8 zPzP9F(lLxYIx-A~X?ILDTX$3~tG8=(^;jz7D?85XE$IyFugp1+2ew60Y9cd$YTF6( z<$ZrnEGq@et8}8_f+3%EUJmAru;8qKV>!E4^p@-c%{OUkKFciBn$E3h(SH_nuht)J z3FNGH6lzE5+YvfZ?6EG3a+*b{k*RsL)netk&h=~hw(P8oPNc|;&FE?xCV7(gmeg0U*?DA|^s1RmJTXk>w6@-+ zC4zlC<>HZHM3(!sLZL}pvyBr=mMvpXAtNWfAJ%Bu@$0<1g%}+;D@$t-_J?Y6rG(0?_ zruXd0q@$#r+P&#yV!pPsH*4*Tq=wZD)J=fz&V=G(3<<7N2PcN-(-zOtz{lD$S%KDO z(nn}CAH%fTUTd}g5I6rK5gY*jXDpIY!;nPw?0F|*$XoSaBZ|DFkN9%_MdGlGMfH#x zedhy$)cV&5;T`evFY3QT@c+X3h|{v4Ov?GanMf)#F|H{N+*%S&H12w z)&-|}Jj}{VCERy*nGvI2>RC?LX@6nN9f=832V?CqwJF@t5LLrX4Q=(|NOPEsf!( z*0#EEq%j%`t1Zp-YF&GCYl{lSgN+T*mbTU~G!zXtMO$LwNJFGP+!$+XZ5kYkG{l-> z;nu;%!B}&wG2GVJ(f~ZQ#=_7fEXlQPUHiX;inj2f2fr(g4eN(upeyACc z+8e{oZB30sYD=RUX=@0#4-U1p54K0cYI_Wtt7~n9<{FXL*1?9>wxQ8hgv~sLrrbXO|9X&LA3>X7Xvn-zu{FaBgUt=$y0*HyhPt|FdjuF9YG{lN zHV-z0TVr)?bQDBd>)N$ZFxa9tHAcfjtNI@Oa5E@7x>5gz5aIp96v9=EI%oKQNB_>B=^h5%VpA=(odzYOCOgm zlJ-kIQlnJj`={?k-?x2t`Y!e*eZ9U`Uzzu9?_=J(ycc>C-d=B;w@iFZ{GRwJ@oMp~ zxLaH+E)l(+-+7+&e9m*FC+_L=%oF}9JSp5MoF_zt;{}O-k^d@x1s~xXct7_d_f_s{ zZa=q{t6=}gKF;33p39!Z*08)~OfH-hnO0U3$07&RMD2JgIj*KMaWzejBX;|q?LOT9 zmT=+nLn5<5#|n>6435UrBL%S+9~7BY1bZKR`97)^L|k-0WL5&=Xe0&Aj~2wMo)DRK zz}u_tn;b2SHa{aWjer(UrVEl5Z*5`UC<;&JE~-= z#zm$c(US!kT%4rB8&=1F+!3T)ouC}5snJMcxFEgiF%4}rekh(Qj5bQqV#!QG%@jln z@1y;tXyKTe-j_*^7e?Q!qeu6tsiTT#SzKf~K|HY}L646`h6@j#>Jg3Oz0m!_@?0=1 zGR;U+O%z6|9}=1Ehyi7k+yS2PoDc46uC#docer zI_n~d!g5&DPx*=@VyR@jur%iH(P+gY1=}m%Eiwy0rU%u*@kn%E?c~^~tm~=rQzJAYJdq1F#?0c3NGsrnJNNCVc9|52=a-h zB{5#ktSur_fwe~L)D~{0!z?+73xxOqH5?5eiY8-r-sf(j0!@sgUZe)d%2REZ$ZQ7c z7I=6#o*9`K4C62XQP^KV#YT~-*6@cXM(r%k-XJoIbzlmPBii~{zMhV<1oF7oPPV+0 z!p72r_;rA-Ugm7Pf6m1aAw zpjoTw3qgBnEiXTTlGAOZ6;`&2lGE&>6;yS+X55I$%-f6Nl_FCHas_>Dtyys#?VMrr ztiZB%+M;IXY@jv`L~WZ5)Jj2`J+p$US}30m8)idk)=_MB%Zf6ui7E}7t+FDNHEJAC z`(y=`G|X_$^lYFDg~ z^5t4B&6ZeUrOUKh#D3TyODTlf3@c<-4IOQ0C#>b=OK3Z~ZLq>-E!OHd^wYvcRAr#a z%&~G+x;3b-rqUdXB;d{)r$I5$7A~a3Mk9l{YfuAg$pVpCjYBu3!onaioU<}8FiYoC z5m4r!JCe>&SrrZmt8z3!m2|Xdyjp9O&ZG1we^$usxl~P=JXxVtbLb$pec(_#85tWb z))|^Jo9cPvy9+zGw8GI7qheJ#rA>GOqnSy?HDhC-RF+YlMo_|FTgQ`hw3-;DR*WGy z>5Xd^=z@VUw}dMF$V4U?j=&{D!wDO_dKP`d7I-+GPESx>Z;&Z1#(wz3gUQssq0!{Q zv{x6v;+dL7gs-axQutYXIx_&54ULb&Y4h5#n1NV6gN{*d)a=_%$fX^%f zt;hI8`t=t!J#f+J*Gi@VQ;a0SWnb&MJE1L|r(y*LJpi_Jb#(UhcIw4tA>aV0#MJT8 zCWJ0>4U-5{MSRD4qdN!luM+^U_F12G!R_CU$30UzmHE#9l;s==~7M5!*5ge zD}(%re67;M&z6FLH++8%{Kofu;CbH{0uT9a41Atvl@qu>aR2Q)5AGKj3|!?~9XRZp z9f?(iTgiMazg zO6*PJEFly=fqW-a_&#)09fqku3U3ecbGWhefhc+UI8q%;4yK35yR9(j{Q`?AJ(2DQOe`BD8=Y#aw3NNA423BWIH;#H+(RX zfvHT&KBSk8BuC*sD^hkfsXC%Y_l-qThe*)}vHigmtbf5ql9H?N4S*0qY(#mH!Yi@U z5nvkz87a78Houb7H;d+wA*zJ=00Q;hq7!&Iiid6&ouKzu@tvG)zv#rcj8rBYMknaf zGQOFNc;}LYxulZsz+rD}8J$%xrd46j=!9G}i(kRz_;;B1E#SL2eZQCAZ^v9{#nHBn zPVyJj@O=gy+rH6>dHy_pjgE;MM<@Ke3celSWRyB#Q>A<(&dQuh*+u+TE_Z|ItbZ=L zfGs;fC!KRv@KGx~XNTw@c=l|56~QMvLpMgT>@dRg9ijtv zMj7AA=Jm!-R`DAs#MoOo>K;ONjUA!`cn}-acZd$yfpWf`&F@{ED1n1|c|58aB&Y8X z9putTF2CnAHJ|U&K!tj-e->ZQ=6dwTv2(@_(a~ZOTg>kXO%PCC@8=kT@_Rf-kx$1C z(b48UielR#I#Bjj@|{4Xus1VKILPb494Y0S*?eBh;YIv*_UN9yqb-jo@ic5l-yu4<>nC+`J%)P} zegUg1ez5tw@mbgP@O)~JpT`>Bz*8`!WYg$?axy{Dy?!SJ_&KcZ>Dx7fUj`4Rss{8v ziaP;xyw1D4iEz8lBfYUXNuQv4~6l^Tw7h7~9lx#q$ z>v|BL*W7JtoqCX-zQ46S6Pw+GkQ5_COvhrPl^3dlwpw*)M z4ew8wKuwR&ast)8Jj?LO@a!x_DQn)G8my0zlvT-pY(JP(JiNf%1y;!Dc)p3K2HX!n@R zwzXP;^)yF;#WPZlW1AFPy&+|0sl@|QiWAb})xd#Rg3_{-Sv(!Huzkb3QA{*Q0guK^ zd{Y{8NOgwZlErf|9Y;U)Rumy+W8XCmU#sSqP>_(t84*H44i7{S1>Uh$cRK`7#5P}p zU*wC}Xk11-)2kriqs5hgt=8g~`4zZ!)HX2YYo$y1?*V)^E|0g-lLqRE%z<*Rr<<(GkqbS&&NR=|4r{} z-d}rP^gi$XvG)fM)qmLgb?*b-`@Q#g@9^I0{iydE?-kxlyytt*_8#)4yrbSB@9ExC zy*s@<-i_Y1-s8P3-a7A6??UffZ>e{>H{cb$jQE!LC-GJB74Ze}XW}#B6XK)dH^r}s zUlczp-X-2H-Yk9uP6}KuUL;P5XL=s?eBJYa=YG#Up6is~ii+|n_{QNz<-^LLvPapa zY=e^y%auh+rBbfUR6>eR;X-eR-VD7K`gQ2V(DR`mhkg)xEc9^b>!Ali_lNEY-4VJq z^ienuaYg8o(D|XWLx)1C&}e8Vbb9F2(9Teg|FzKC(D9*`P+e$gXkln>s5CS^6bOkS zCiqtHPa+%mc;LpswSg-F7YC*ShXa|wSYRkH5I8xoJ+LXz5jZ~39Hwn7snEzY;ulc{=zt{gs|E>P({a5?n@4wK0j{lHfht< z6MdeyJWqKZ^L#>jMtWTOw)CL%fOMa97o4`ZQMy*TLb_O*k`7B5X-pcD2Bedv?b0T3 zLQE)EDVHf1D(5O^C>bRIUx2JrPEgvEhTyAk-s6Sf&w|ecp9nr0{ATcL!7m0s8@wxc zd+_GqM}k)eFArW6oC=;9JP;fY?hVF*rv*C{Z4vGdd~B@=hvPWJkNS=lGaMcNe$9cX}(l0O_yYe^S$MJ-S=zX3%+N4 zKkz;3`-blU-)DWF5{Jao#9d;KxL!O#Y!Pe4MdDm>mN*OMkNf9J;NL9)<Ng5&P=_DN> z>1ibGC+QxN?k4G}Bt3$`7A9j*7BKJK10i=Yk85DPt$Tm%R^co)bfCq z`?Xxwa!Jd5TJF_yQOi9zs6(tkGoEG~%~+Z-BxC+bvwzU+?=*XxW`CpETQvJC&Hh5O zKhx|@n!Q1@Khf-uG<%(9f1ufG$QpAG^Ls6SRm*>;<-gVP-)Q--wft9F{)(2rtmVJd z@|U#yMJ@k@mcO9o|D)yqt>r)0^5?buIW7O0|M!f*Gb|A?@cFD({u3?#v6lZx%b(Hm zr?vctTK<%l|3J&1)bb~^{BbS+zLtMa%OBJ7?`rv@TK*j^|F)JtqU8^3`M0$En_B*m zmVZObA4Ku{nXl9Azi9R~nthdKU!mETY4!lkzC^Px((DT~`#jA)N3;8Bb|1|?OS8|= z>|UCEnr8RV>~5OfMYB6Y9-d|8Zu;~|n%zOOPtfdknthyRAEViAG`p2%x6tfnn%zXR z8)uE;K7jqqb`Y_F|rP(z!`w-2j4P&ScW3HlwSJLbX%(|Hm(2UrxZid*e zZid*eZid*eZsrn-axu*=qS^asb|K9!pxOB}JC9~lG|STLT$EM!IV3%sq-T-zOp+cZ z=@}%QB4N|aekb-T46l@!$VA~)C+XgAvHb}v?K?=4FQm}21f^CBo zY#XFt+aLwo1}WG!NWr#23bqYWux*fnZG#kS8>C>{AO+h7DcCkh!L~sPwhdCSZ7>GF zwm}NE4N|aekb-T46l@!$VA~)C+XgAvHb}v?K?=4FQm}21f^CBoY#XFK3QlA{`8U`$ zC;{6BDcCkh!L~sPwhdCSZIFU(gA{BVq+r`11=|KG*fvPPwm}NE4N|aekb-T46l@!$ zVA~)C+XgAvHb}v?K?=4FQm}21f^CBoY#XFt+aLwo1}WG!NWr#23bqYWux*fnZG#kS z8>C>{AO+h7DcCkh!L~sPwhdCSZ7f>_whdCSZIFU(gA{BV%SvF|AO+h7DcCkh!L~sP zwvALL7B5R(8b z9m&{bFTqC%6CWmCOhlw0c<`V2GkzYP=NXBEe{stFxTc+}{7AW9stnHM9+tRZ!1qev zAKa%ySHnK{btUV2EbuCKz3<+@^W25XBt+Lw^<5QsjO+9r2z-TWRECsYToo5o*06u| zogDa-@5I23zUsgSyl)3m-v0?i*`FzO?4#@#yx$D$@ZJ(w={++r-+NL(@*d~^i+7Iy zWiR7@hW$AE0rpJsfBX-L-}ZlAyv=`uc%lC?i0S`=9T7+TXDDxqJ^oR#-oKmegFSao zPz^p6Y7YIkIK$tiEb#ov-xAyy{D$WVi0$9+4|%SU-}W4mf9*M0e#X--KjiVsHwZ7u z?-RZv?-Op3`<0i2pOLqO9u&@#R|*k%kj^{F=(eBv2raY3xBbj@gsd6i_A?*WOSBlbpSgCXu$Z++x&6#Fq$~C~x1aft zQEEoI{mj*rfHl_bXFf={u|~W7%vH05Wvnya?Psne;;=-#{md0}g_Uffm^T;^0@foT z4nJBqb2$-R-nciIoCQKBd&I~$*dt0HU+f#KRE5yY=8b-X>6$NeAj}M^B5Y-k9ue2kw8hrTqzE+xCAZ*ZJ zg<{LyhY0INEXhg!AZc8WEIFYEX2aXk<4jKAL>auSe3A0*3?Zt=pq%y6glPU~d3S0d zjNGHd%e(iN3iW`L`+3Va>8ugEa<-f#E$5G#cPA(?Z`{0li~#dT&bvnm&yJXvv+aEv zk}U$}MA|zal#M+e=0u58PVz?3yGP1F*W`_%cMmTSwgV_Pa^`Gch| z(z|2ied{qcC&4Hg!Fi+U-Gj7d{&;$Kgx1U#QSUyT!1Bh_y9da~%oA1bK8>`e$L*Y) z_S1T~k@fC9MPTHuv2}SjDbZ~T#FgYz6=5E0#@FRjW(i?3By@(FPRK_{M_=P$POF8jJM0%$t=-p*fcs4+%^-I zC61W8ymcC^N-R-#xrY`Qad){pC{zH3_N~hn@_O>d-sR1ti;n2Kys28)d}OVR%ymtN zrIjrLFK?Uy3le(_Ufw|7jwK2&uO}tCmPJyX;G2{VRza zm8*4-WcwOWu|dx0k~d!;IX^%PEE)yO)=dXCrzqFC}k8 z{~Du))Ymluwy=c4wJ$FglL4GJieI&e^eTTGzp9#4q)~Q^h z(tILb6HBTh1!hEFsw6dNYtRX49+?bg3s^Rnywu#de(@YK)9sP{;@Nf{iYrKMEr4!` z?iZJn`9c8J_DM@<}sFle?X{UjEMg{KNfoCE!ZHm4GV&R|2jCTnV@ma3$bMz?Fb20apU91c(G0;rIIb z797iu8`jr0*TRnxHnh|>Ho}kj^)0A7hTovHR)Qb)>st^xhF@*8R9Xh%{k|E;@;it1 zwRL#^zo0ZT%3kFrrCIr*`-)u&xDs$B;7Y)ifGYu40U}IgqYT1Q=U~GQSJjTz@^GT_zi&V@D2DfrBo5%Yxw6vj{=JO=Sskp zfGYu402WaU5QSKk%i?e^>-RCcwe3 zQ?Q50?f3(q&t6jmKO;bj&NYgr!%qm1nui5i6VRr^ZwHXFbIr0M_`v{Db&8^W_ToPk z!7l}nqDh{#dH47KQ3SsaK#I;bi{J+WNYNp)2!0uW6rDwBLB;9tlK`a2L%dej@X&Pl zJpfX6wxtYy1%Q-ITFT(ge^Pdq*7>{r_ZGpW|C|H@(HOZanJwb9B8^=vf?oh2SQ>A4 zKD7$t|3%6rjPjQ9gz^pLkIM7P{on(*Qh5n(0Q@c72=Ha)cDOI^Za{JWTnV@ma3$bM zz?Fb20apU91Y8NY5^yEpO2CzXD}nbc0g;DI{ZtXj4o@T5xe9#>(WfBErUE3Jgx?K- z3TMkCJ0y|pEFXRHQkY1xNw}I8FwcUkX|V!aO$*s1=i$K>a0ui7%(VB+yi359fGYu4 z0JC%*0KZL#r|8)Oc3Ahq)CE!ZHm4GV&R|2jCTnV@ma3$bMz?Hzi zLjsK+iD5Zr^_&t`U=OFGsrYziPkJ&D4G)i~={@m8Og&VaN$dGKb#P*sYZXYP4W!b! zTBQS#(ReJ9QNxf#3RLXlNyW(O5|(Etb6U$Opv~@07X(m#A{-&Re*=;|J1;+Z3mxS1 z^}2`(xtwi zdUecj;&j^U|)N-cC6{`thr!Sz*`ayvzLT3k-<^b z*>&f0P-AB2nzdUx^YlC@FQIbD5n@-YALP5Ub3^Bj%56Kky4UPDrE+uUDV1ybc5dzJ z0kYklJv)Ib_`h$pecuY-MYwI`^1z*CB&h?!;I(s@gdnnBD>C$~?4p%{v*v3vyV??bP*8AgdIFTKY)bWJp>rql7k_$YSK5UUf-F$Qz+%r096 zh!drEGM!P!3=ukuP?VKs?RO)~Ey-vE=jV>(!NMKTkvfv26Jv>7yr5i@UE%kZ48Xh^ zAoGfF8jU0pYN{g=9Z?5zS*Nqii5RfYGAFno9m||^)`78?+j@V^d3`dOaToTJ8Rx9! zeD>RCoD&S~>od*?vd)=fm~q+*&Bt@j$g#~h((cg*%zGOz`n0xoN+0hwZgfOr@ahFQ z^FRM2-#IxBT2j|kdK3E0+Zi8I)0xQFcz-1-kDXoJph-br;YbWi-jWqH?36-AqTVdh z8^A;_pp41dYwhdl+TLea9v#Q1WEoyMOzRlf7`=qD>`){IbeEb+!$ix`{8Nn2TT)ZQ zp0|>WL!B5UZ-0{PW6%z?j6fY=eM!eK^61Dg7^dAZ)ok5SwXEK*(bZ$AjIZoCueYQ# ztiLknKpxl@NvVm<0IF>#%$N85IkBu1EU(guh6{##)_FOYGs1$i0*>YETG3mw4>aGT zsrf9kP-{B3rbYi*(7jrJv?Y+U+EJ(-rEf>*M6t)ZEXrvXrIMdv@hA+NHIKqvKEcpIu3>D#iiGCGkWGd82EX_(|m-dj>% z!Di=?Y0|4^GV#PPnbX>Oo0bUn@sx{4h7nor(+Y(qZOt}LELpaUJ%x;%^nO^QsRLdeJi)2l7jaDMf|7NcWl zWv)J`T+>^*Hj=ij!MkG1D+^6v#P6Wvo}y3-j#W@i*ua^Q%Jn<8cIUKe&RkfJZ0#{0 zDVOFma=xuL4|{f$^}V(4oZTD}g#9zmtX#ZjaV2EiYK?9}KdimZjF@$4{~WIpvA3Bx zT|GUp3*7|!&KyY~=K5aP)|=SSnLKZ4m6abU63gsM4M$-rFLLJ z8hOn$l0!vn($K}+UvvJU>0|+W@iK>v#!6-dd@8oB%lq2n=Ofzuwb^NzQJHqs>aV%5Lh+U~HnNvm zyd`!?=aK2OLet%lN!~ecKyxSVG3;V>|A{_r^3AXO^IorU^ojP4U6xLH{%bXn*`0Ue z0yM;}4N#M}|J{v2Zz!_kthz{l7Z!@Bh*L|0|60w(@7? zb>(-;EAOd6x3Vh%R|2jCTnV@ma3$bMz?Fb20apU91Y8NY5^yE(zbFBLXIKv=0wz2r z9M3Znp8qfMeT-2q3_Tm#AF2wD1>O$a;s1yKTK`7*GjdXHmTr{xNb>>3{c|PYO2CzX zD*;ymt^`~O{Kq74W|7QrY+tsFVM^F3PK~uS4aJ%x;U-nB4>vWnwTIhdu~@i17Heu5 z8ftGHs&DT&ZqJ5|d(tD3Bz!+H3>Qi5flC5X88sC?m`v>(8ciNd@5y@~QzjivCWhj} zaB)&HL9R$@n7&8^H8{1ZL4n{s&8&+ZfPJN zYQc?FCn{RaIq$TlP9ZxpM7q8*TYStky5PE~p~%E&rWboWF%BOy>{X+g!}x8$eEfoS z{&A2eV``<|O68LANOWIhSS6jVnNLo*&(Fa5c0`R)YV(8gS$c)Gped4b-ty-y`(k z0>1Z1FK4XiJd-Jut>H9b&sohtQ~w@eo4q`CL7R1Sh7YlX)oc+;`K*7ng)`gBwQd;y zFH$aHlG}V&g31q=gDl+t{~P7MlBRQkH~ap@vyztkf&N+rI3`d;*X+jpn$VqenN z>udFudEfRv=Do{%p*P{}^|pD-#Mi{{iJua$77vTN#kJxR(d+r0=Sk1!JXd<+o=(p^ z;jhAz!kxl-LPR)TkoXt*uku&$5x#->cd6>`815{Com$ zd0h)9MW&UN#IeW$HBmdBf{;Nf1J?}_Z+N%w*`0TvaNaMkTYgAnHt1O4@rl9FczUED z_Tqygvx;EvgPZS1)q;qN4v5T3Kpc&vp!v~)c-0dk(++rh)qRtrh0*3`M5YnY;>mPD zQj5~G$&pBUpLzsZ)hXKKa4HfzLJz|GMWzdyq-aN#Ox3u^)FXPbAcKpORCvSc7?3-H zl&cezLp3!TNemaHS3Rbojm8hfQ-#q+DOxO3EE$;2yC^;jz7Nkj~TSSY%&e znJkKE)JBtgCsKv+7M`wA3rEKbzrBS66l)L$*uH{2n133bb#PBxL7YYXl&?r4mP*D8 zOJn{XjaDpDkXHF_ky!vTJ*W<1;^;i%b|H6QKOUqj9);FJ(h0JxQw?jf_TYkdj>@GY6`sCen7AbNfVQ837DVCKIVh zd^ByZxKpnDQ(~7cq8`Uj36^asu zpfAYVia2Mh$kYH68e#+ni4|PdBQjM4jKZ>mx)J0P%~?xc&I`ZVcKxg^B2$62M(orU zZl=R5If$X!_yIK>4Ihd^jMheY?j|bG#5n3jYJjXf)pm)@W}t3?hlk^tk%_^u7T~qN zfQpSGQ?20-PmJ1Gn!Q0}7VE&&grkq;>**-NI5OBt8=K{w6gHL~oQRLcY_QUGbQn=v zYh}K&gX#$a$=kh(wUk|){=}wQtCz2#jp}yP3M)I2zAMdkT0yf`(-(sF(pp}A0wt&0 zNGq&t6(y(HMJuT4c+I#GlbN>{#VbXo4CD&>+FG;XINCYG=2?Md?X*SB&e=e18i?99 z8>p3nG<#+RRkct)9X8B{(yXJ{?3NW}UK3RsHd|#yC~MR>p!UfMDrumTpV%ZTpt@eO zX}NaDidIsm)koW71S&#lbK`Xs&s2mT}`Dq7D>Qw z-Z%}4fwpiVB{muv%w2;TSW6a&%xWCEDHRq5iQ$};fq_{%pNfDo2i=i$hRUjNNLZDl z396){MdQ_4t8^ZvNBOftX3wQ+%H+ukt(rpzu`RS+I~f@pE!G*DGn?vpBS>lomsU7> zVpOaur?d%AU^FwSIIh*8c>|@gjOsLk5(e8ko}{DI#3;3545^U}u34-!=9W;UADPG` z!x8wAq2YuLUOkJxVGBGQPp2nf|6(OmT8#bhiN^6KuP%VaGc}6{S9A}g@LK$IW&nO{ zXnYiYNw0P+W+0Z&prcglFp@W5bElhJ4wzgT@R>!R^%$Q>L-u;pCDVW@MiSx2zSebj zLR&hZSb;$gfGu4eojtvsdU06@H~=a!b$m2AIi@BuX&p2t2n;}tj;%dAcXX}o+u7B# z!9uV!0Aq`Q*L7|^2`(G&)hkx`VE_S5w6@_i{!$T)YyjTd9a`TvO%|CV1jZ5lg;yKS zDV30rPegH#ksnOb36=V26SZJ+;Uy(gstzgkVsCsRLckd7#j`~idB77EM=~&c1}8GA z(V>MNIwg1Yo&+b>(qO<ULV2eI$_@dsCaHpu>*8Dil6zaK02Di%8M&^JOigeF2=p&7wn1n&!8 z5!@SG6)Xw77WhWs`amks1$%wJ|9AfH`|t5z?oYyAztvwR|4sfO?DVgf&yfe@wemvQ zEB!+Hwsep5era6VF11LU?*-q(>~DM@@TGj)ef2)S_f_ws-dnuqdt=@cy;WXD{JHo| z@sr}E;wbF$XL^3+`Ksp%Pt?=u2?;L=4+tL+b_)%HkN-LUS^grvpKs(j?pf|W?gDN% zw}SJsUt%v~qij3thtA-CRCSe%9Z z3HEE>#Gnd7D2%xz3wxGTfH?wNYO+r#_@WkPVef)Oq4`XF=m-OEX%@CHI7)^_BM0GE z72(JD3Ujb13)>hRdusY$9-i*-8-c z5_7nOeKMR<@rOMM6JL^roe)Ya3R{loNK?a+P+>bnP(gDad3-I(!p;a;MkT*LXBlL& zyeJD>A`LMTJ;F{yq{i?4ESwk>n`+ zx>;f5nk;Oma5lmZ>qYmCMN)?f<1Wd<1`EYCn1cNitg#BCE`wjPBGVD30gP{A6$@i8 z&cfCUM@|G@7--qTn6tC65yL&@p$PsK=o!?-fI5iSr;03W#&AD+KutyT&94D1&BB%p zoflvz4-kKW1q3@X0vf{U29NaH8$l2qM_{Oe7A!x@aR- zo`o$NX-OS}6*JlK8w3_)VY`NYLZaB=hb-|O6klWG?zY~ZNd$F!nWgz_wG z-H?aW1T~yiU}+Y%Z}=*WC85EdRKd*7W4_4HDa*nhj<{o}iM5iPlZ9Oz@#L6R)e4`L zg`FI6%77uY0$>GEL3jb%=>U~xVJC-dQgdmoH9HHNIpR1mETk1&o`wA!_FgxNR^Z$$ zZ0b;URy$}#D9OTp4xMep^jRULS=hoMN7UL`K~-7Ux8V?V7&t3Vc@}nT$d+!?tiXya zY}#;Q8fMH2EziQf4Xf&w%L<&6g`FD;-(sw+@UkrI-|)q0_Q?t>&%*8v3F{`w3M|XQ zz6~pCR>%rln1xLnMs#4G;4nN^w2Cb3;ILbUt+7L4^G2ZgWKs)%d)U# z(_m;stgzWx*skH|FztpFJSPj=G!&P`RM_FLS<~T~b+E!`XJL;<$QuU13a-e)HVyk^ z*Z?bZZWcCaIQpz=--=M4h5Z`75M9$-fs3-RXG1-uJEa{<9V3voC=0tdqR=!Cbs@xs zS=iIzYozY#LTJmfu(#_(G^_8r5ca|>?Dq&!;>a$9wjc{TKh%Z9t6d0dX%=>a9R$mC zaTh{fkcAB*B?L0U zxK!k+^t~$V_C4XdTUhVA);B3M`G$R+LZz?HH&dAA6TC0+|MWiP{kr#F@0H$jyr=QM z^={&~@F~9C+w7eQUW6C;XT>M@N5n7kUl#8YujKC%r^HjlRs5ymbk8fE?|L5a zT(8{fxfsq5?DDk3mkyufXL0`oZ^DDzz3jKx``N4EoWKCPnGI7ff+gi2Wc84MQ=;h^ zLN&|TOeAwlrLc-K%N$jhdzc^05Eiqn-FZ28p0L_l=BQP*V46^ca1xaV6)dlsEwmd2 z4(#q!sZg&2Z2^hn7YbcD0B7y}MbH*EoJbt88446IMP{Eo|V7q5``n_VQ9;1?#{w1}Y4fC@fWljq18=zqfJg)jpojy#89p9ZHEU=@NE z2!RWNLInU1rpeR%>B0h*v#wy6E2J`^k!2%!BJO*NTwM+a{AFcm@mI9>e`VLQ~z1v;q=(f0H( zUL9>O--!|x20V}?Y^^APSp@%fQj5XZWLbUGV+U&I2rJDJCw`PDZQBNb`3O@cfGw_=;QLk9i+gZ7ZJ7MAV!a`gqXh( zwUP_WB{OXftWg|ok~J)JKg7JXRM_t1h(L1*DP%ohZ*p(sKqR~u;ueJ1U&#Wa07fps z&_ZE@lQZpH1bVnA&A-$O15O65NV#N#mJZuY65;XBmJZvXxr71>U@@Xe4!tueIGm`a z!}#0laeYnoW}VQlvzG@am#9B1oKl!*cppT-l4IbZrM-XSIAMQb@)qpehU8^J-;o+h zj*TbNS~GuY6UL6zjE0-rh_po5dW1$GkTym;^2cUj_y{c!#9Z<|%aAkts@lw=bYEBK z8Ut1kxZ)_cjKG`T%307F=ky0LS1u4bfZ-!W2bgbwM1WE4q)QEz4?JNz z^XPgDo*W(SK8>s`;WX<69ONRnbBXD&o{U+d;m~uGNN)}?COVFjWq?~5N(*SL4GUTr28v+uV;-t%^a(Q<7R~?&WVBdLAOwU8 z0MK&>-Wfs-eK1cOh%)nW6sBme6sbr6F(d z_2AEfUkQFHcx~`dPz|=RSvU{ykH8-SF9yCBxG`{MpgXWE5b(d{f7<^Q|4ncz;4FW? zzYD$rSn8MLH{}=PZ^HinX7~CLcZ2T|-$CE0zAj(2FX;V)_kX-kdOrpG{)67Aw-fgJ3%#QFC-Fz( zBjRo1`^5v|E^(b$FNQp?d7k%t&vU2eTF;bc(9`2t;h8P`TKJ}Lt8keR6*dUfLJ|Kq z|2+Ra{yzRX{(L^k@8s9>ZR{=Vett20H}H4vRqngo=ee8Vzj5v~_rL+w61f zsUWap`eUDCO1N=2^P|G9Ogkg$XRjkW7aCE(w|Nb0_9fU(har+M6i$z(BaOx`9pP8c z5n4Hp;yXqVa}WCgxrg}?H$Iuyi^fbTJD7*q@j~Z%W|D=XNi@WAjuJm}4;gAEj@<1i zkg6(RgTQU0mkjl)8G0~`98zJ=)98_74`iKlHyO>^L5TDLvaWJ=u5w9(B$O}`Ij2I_ zbC&ZEgvwoHYiTJ(Nu5L%ca}nvYwb`3^Bmd3>A@W4PNJ0X5$o?FS~%}%3g&0iV2P}~ z1>}HzKbgAdmV`%n3nc_kNT{zIc9V#lqurS7OraXyrsjY}A+ZP9b8`z1u!qZp6$U2k z>fw~PhJH=~$N}~Y!lfCKVm?U*Pk|#H%(G;vix*_2N3`?cA(ka(!7RiM?If?sEOQ7J zG}$b&8qIaUqHs17#)b4R(XpFb+p=oC_;!!c1Ow?pYu_4Q!m4-ax#0g&n(RlDA+Ur@`UH+(F)gS%`0; zm%IhD%)u_$sGpF@h3jTGk&RV$5ZkG{ict#diKWy_93;9AgWpTy5UL*-hf|G_1ROp~ z!C5;(ayxNtSc8|$Cx|iCi?H2o#F*+Oj#hxtACqN;Gswx@4g&z1x10e&Vq3{#!&;h4 z@J9+bEjS}6%6xpb(9F^2T;yknRCLEUN~M!XMK5vG=%&-kjH@yqBRZTGAcs9$)z$W|>RA|x=|dEYWix%HH9DVa{zpgVIbnNE5U%At!)C%wecBuuBLi0mz2 zH=IZmfmVPNHj6oV$1X|AXbyLdA{!lGt-1Q97nIL%A~R3# ziX5+m5L|&(ISxYhvgN`_g%BK!b+eZcZD;$k=QyI;j3Q^1BvA|212xReWZdgTI5~k+rj>6iKZjYiCPgF105Vp@QSc{f#jB53q;G+TL<(hq;lA zUabVF9#8zvg-)I_j}x_J`KGCz5}+URB7v1;_!s!PH$khL-#xX_>a+l>A4jX_|LS*) zRM(sz_)fKrHvRY)tGAQt8iqq4-J@FE5kD0+z5zxuusw&3ndTcT^l|V$!m2iqv915L zFs3ZN55E7uVTQQF^N`rV-RON<_zKT>CZ(NXh4>Ti)xPiYQ^L)@2Rw1#Cxwf|Gd%s? zG(Q$NfjiH0hv#a~{(r*Hf zNZ$?IBz-z?NV+=EBOTy23kmLc&sJ|Ax0K&4?BpsuYrHL-kKf2$>z&2^iEr|G*#G7$ zg*NtaPrWb8euWPTbJ@E+3*_&xH;BWq%lG0vw38gtTTx zWsCS~&InK-!XiYl#ANZ2c-@I^U0A`lYhG)cgBxou2=En_fGl*w;fI9Zs4T*$tCyca z+*)v5gI)#Z81si9KgSX&$4=V<?E=M?uF++so!iE; z59wuQh>5w{E@@X#`9iEk?`u*8G9MK~gJ!^e#ebDaRMoB)z{2CtC=OH^5056Y;R58FN1ICU$E_{ENRGuE}ZoTu|O zNKUB$g*tCEX z;TyC0m4-%e0v{wQO#e6r`}7e~qT3BDxeiP0@ebsu;E9Is>fJ5yamvHKn-POXRCD54 z*y8JizRrV_=SR^Lpk>SR>CJbDC<`7Pctnme@=N$WshYIJg=m2#2xL{HI8`&WRXr#!dw|-E&ogi1*mgjvqnY`eX;k&V zKJn$@J9x`{M>@H zC}`ESHP)B|1&eemO$HYf6gyrLxtJu!r%{v#GdDKCPRm6juhuzslw3UHH9K)bIxbZa z*0YK@81&PNd5Z7~ z%%P`~D=d^+e!xM~IuD$j22B=hbHa%i2=n~~$7#->@VD~&3u0U5inA5DnIAhsy#gmB zB-ovl7o0=pVUL{F;3rRBC|s{_YwTSGYvtFw(9k5F6~Iw74<6vUrJTb7r{$OcK!=~;v(D4xsrE>4>)x-V=Y;PFpA&8o z&KJ_cp!XGFyYf+`LpjU)WMHH3H-QHKoBn6~pYmVgPp}_jv+VQiL+pO`elE&w4?YuE z$Tj-+a8;bgznOi*zly)yU&m+pL(=2YhxyYX9^dY-A=dsC_m4EpYuR>-gVZued(KNEOce#m=3zF#T|-s`)@yC<;IyHdU> z@UnNVe0lI>c~p7PccHvT{HNR%>I_$PxyZ0`@ZjMzI%l(@7*9? z^2h&z37L*!5U^tL6XR;u>fxQwcWGz&jkv$#UGFDVj3fBWKk*Hl$NyL1)*!!&I5mr} zcM^x8emw37bbmQKpMaYz{n^oY8V8!;DaUzo3oc%a5(hf-1Kc0j+~9NP@T)B)jtUEq z7cJ<5%ljF~vi58V!j$92iiTVOX&&w)>63%pLfqpLh&B9DW|mrlFQqu)aZRCpG|b$J z3va!^L6~_8rEbPpPDH8a52#GwhD-~mtj0ZRo?uGG$CuDR3C?ycPQo&{q|6r=DaIk7 z9r!_w(n@xRSv5E0v03TP|g#-DsD)~ zdYI&(C6=AWSF?s+8%mBtUUVll@^Z7a06TL6ie1NWG{`)O&K8Sf8Y$f5C_^HvaP@1! zbJBSNC1`r9nHw$7SpRrjKNfIRKaRaN{nYKGs>MrLUQ{`XGe}#}=>BJ*(1MD_QS1=XKH3Q0_eBhG8>QsD|EpR2 z4&y`5CZ%WtJ1Fj*$%pL&3OH#(Q5U!i<#~LKM>xat9L|t@XLNohS1A#^l z_Wih@%6|yvS)31rk5v2wM`od83_r$w{E?0&{HTm?&VL5s8RRJcd4Z=F@LflX^8XO^ zb%DV40iyDAB3k3K`Bmn$biAb`DlF|R(-u^%xrcQ?j+@bMWIcxiWt$f8o2_N}PTq8( zMj+>3v?~TTqKPmM!~mHMXavZ@o?a!m9-sB&7y$1??QfiESclr&ei{LAI4w1a1ojYeZC=y zZRjz#&M_?9YQ7?T?7@~D$7@RXdgmlU)Gef@c@_r6Y77}f*n|w|D*!C$!ai6JQt0Ly zfg4cT=1~Q#tFNLE+-X}nVaYnweA>s9j`73JM9pW7UE9B#Wd4C$+yZbXtr_`fX|X7n z3C!Q~(bC{fTGN9wv76?47PmN7KFEkT(a)DbDf#zm#MjSaF(0quH_$0lXnlJKb(8TL z9PJ+rKE}YsS(d?z9k|;uc(Lp*eemMLou&yu!C&JXM~HKKo>7A3#93{AiN}02_!u^? zl_0qmq;8zEWIkyh`$*#s>qy3ePoTpiSFbvH%bYup@31OV=f3Y8RQ zhew!K80CA)ZAwZxUYQOYsG{PBDx@8y2WJqf;m>$!6|mD|KE;}rHU?2p*5u(z@ov!m=bww0a73eX|P zU)dB~0k#0HMYL#l{o<+8DY*5k3Sg$9*FnWoaL-o-fV8t~diks=xYKJ6l{@Ji-3%8 zXiN}XrA0u-*EBk4))ZWxh0@o*zt;g}Q+Q(*0wUyIe5^^lK(91o3hu}% z!Ae&2@+r6(3tzwW1cF|rYzlA1LZEgFzD2U-Q*bF3si;TTEWpw!ywwpa8V5ymnk7?k zD;AC%<9mJ`QZWU0Vl7695qYzaESrKGu?R2bNfN#0>?ye27zcsnGh9p6*;8;amJT-0 zm*}-CrtoqstZhANqC-oj;BG9!uYT%8hm=pj#aJi->j4xUSTa>js~KleOvpkCA>L@~ zyI42{cVe{zLF%WrdG;;cDV~CBv2glpw+HBiE2iK^EbNEv+=>n@oq`*&@RgXM5gk-K z1@~bQg4EfqmzPb!Jy)fFawuA;ui!? zyT$34HB)de7E(36Nd<8iOu;2tjewiaQ)W;Z=@Q0~T(&WeV=hI>kUd`jsR) z&n;7Mn^wMx1y<4qYfbPgKTIFANC%%Du__QMGpf~3!S!2spQfW)?mm+>>NHHjtz6r4 z>X6kyK>@c+!3|y5F?&M=BWgx#?Ne}L*Fa81&Fe(M%mo{5nEL;459M(l$LUD~OiX-6QbyzuJP-~91cc*x0ta`P2+7U|CkQBLDN)OyR!U7w5JZ%x zkW?xuHKit&R!EsB90w{QmN6PlVx_xhXJ_{DU0L}nRo?x#)7>+@vorHe_jUgoV7#QJ zfgM>;=vxfXyr%gB;%|E>J-VRicNrjjE$v3MoBzW3FMK5f0I6cD1~GsU!)+9scq|tA`OE-xHRS3xmsPM=vIHEA0C^=( z2e`^Qf?Uo3Bn%Pc#DSm^%NU@71@Vb}!Ab^5VA!ubA5_s|1{h$7;plnNeYr9hpuPqG z!8-+1p;{N9y{__Uk&PeZ1t_mLUTIbPW7fEU=7q3d!R;d>JbccL!_9HFkzC>Jc05hVU>4|7{NP+UPN5l!NY)Vj;m8I5c% zRjFckDPMyEBSLejbqjLWy7T!Iz|!(yb_?>>yYo0=cL;O0 zpukYK89pOSgaW`@kh#X4%P%bgjkh4@aCeTWHDb3h(7Xku>fKvB?NQ2KQsE1V{Ngq4 zY)>H%w6|c_!`xY>)_@8jG`ou6TTmngcJhxCBQ)b0W28}L*kFZsC0hoOeR9nNe(5Ey2UaRxXE`_k+u*+1Gf+5Oq4vmJH@stSy@zQ}&lTwz|D?Vb5F z^HSz1>r`fgbtJPgGtv5O=88;d`b%qf`Yr2GKofi_{ZM*Cx;Z^AJ>1%o9+Xa`J~kgo z{WZ1M`eEv^)M{%EAPZcR8exr1on?JH`Jd$5*3jfD$sJaCavQ`l47W1ohGa)_j`=xM zBN&-1HcuuK_9x~W_MgmO+Xu~^=FX7Apy#n?2EOhyFigd-Ade?lkNQt3OlMd%b6lHkH=zq4ag4M<;QMM+D|5aWg>`@vA0Ov50}7$V2|0t}7h) z9j+&oCa+QaHxhoDqJd`(+M0fenxdlRP*J62?)+x%$!^yfwYIAGA9}m)#_+c3t73TD zbPj|NsMOR)Zzo6#zcy1Jy^Zp2d2Kvgb}J~mUf!FqZ8@b%uAB)45$3m`*GF%q7BIB& z-Kb?5r2zYPC}dhnNy;nQ`TsbV&_Mj=gw$L4Gu@EzxrGLnW)8M3rUX>awjtLVjkSn2 zjCyH8=7nCXyc}Wc0vd)RUgPt88b)4I@maqt4cW9_wO|F>NL;Xz#UX{3Xw1AtsNQJ+{(gL6zJkW(IxGKG>RJu?cKn+Q5XetXIYiDvr>9zFq1*xe*U^5l@3vEx!)G* z4>EN>q-4^-(&tsks%ZJkiWk}o1T|6MKChkT?6gK{K&lp47E8V3UhPH6P4S9ME855vNDNhNSqJ8uwWn*YWnA`UVh9qP~k?dYV8wpXO9lT2^ z=E~7S!h0y2TxpF8o}>hKaXgXK^R$LUQ&i*x|4cEa7KuMsmuM_1`bw6V*2UjDXn#>J zyZL(uDN$XHbM=)XD%!JL{X!<1)=4;7k<*n%-8Cf90J?`y-srf;(up!n=SB4T@VO6G zVbPx9b1z$?ogC#0%P-_Ri7)8bdI%b#QtP^3+ZRBx0PQQbD1vq;?Np?JD~*b$(aY_m zovJoRReA@03vm=#MFB)p69)qH6AUI>Ly`^JdQUyCg75@Sy_fU(m+d>fu6ML*gLVfU?&5Bxlj;Q@$YD4;;{)OzAtJt(UzWW=IG0lGcwEXjq^&Y06&X9sIyF=T&Eqz14Zt-so(#S2^pQA2`$OMa~$z z31aH6bE+Y3;G^uT*?rkZ?8~zEW>?zvXzSbM*^9GvS;N*KlHe8VOy;1OH>YJD$heuw zneSLfGySdCGTHQL>p=QQdUyI^YkPXN^-y|YdVKoo^vHDI)R(DFYh&sSs51DZ`Sa9$ zspVEX)Ed0pnw6?eWs?80#w6deE=j(a+zyuiw&WVCBDum`Vve>P^Zw-YXll957 z?a$0p_DTDQ`4@Yi`Fr~bbC0>_>u%=tynoLO^vuBjG6QgU)+_!A=_0{+Lxn&V&^8Ph zR~tizwf5u))X{b}M9_PlnGIAg8( z4}$9vkAMWuP+>!!(%*#1j{LoFQba@ORrHeZGRC(*fG3)|wnI|dsqi{Ssr_6^F8;98 z`v@W8?{%88O8kJrM2AkMpswOMEPoe%d*5Jh!byuY*R@TUo)oakq3g+*rVwZh_rH<) z7l!)4z*7Y-o>(LOyx@Munb?P4sIYl<4U&$EnqIV41+c@-YddFaUScBv0X@)}2l1c?k z@Xpwy4#jp=_iBh9g5lAQVg8V3dWX(N?Bp4mTzOuG#gEc55k~hUT9k1nx3&RciRe^? zZf``T=^@`9VaOYB)r6YE z19zyR(w-i#ipE>h+FDGE5Z#Au>2U~t5lakfum;aJj}!k#1Bzddt4C=Hi{$C@#c|$& zeJrI=#=^d9jFc<@`hIrsQl}ST{Qns9xR&e8y_kC(to)YT*xW@q!+9U-0Bm>ecUC(y zoKa4#(>MD$RQx-XeLTA<+nSw_y)fH1^F`)wnM0Y!GwU)fnX#FAu-?x=1%Ulf`L83r zAU!rcEL{xw0dJ*#1Ni~@)Get|sllmavMc#J$gJ;3-khvWnt=3w*xqcmoUHmCFvjjaIg9Svt~?At#N*%4SKTjhq|WGYnu z*~mA)SDc3o2}}zTUK@m!i(UJ(k~}0aa0>So z(Q9;CeSR@G4_OK$aaJ&jC43>-j$L;eN9qUXAuEBiMV&}Ih_SQi<<{{+(>)!Kz#j73rxL0~e9x@8908;$) z0BZ_g;@C$otv@#pc?4K>J2|$yAmBZ!olmc15au4y&Ldzn$95cqkUQ8ig#UKJ4Pg2$CqjXTk zAm*FXrF%!AmoSL(M#Z>4Mxj(Ni0MYfq&q~R7BdLo#*W-%xRDC~{>C zBD8VN6_=?o>%6W7 SzKIYnXQTPy;$v(mV*dpvnS6!- diff --git a/.vs/starter-workflows/v16/.suo b/.vs/starter-workflows/v16/.suo deleted file mode 100644 index 962942ea22fff9b452b61562d7bf63660eb5293e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 34304 zcmeHQdvIJ;89$r0w53Hsuth{jp#`kj&E5B=FPdzU7NNE!AuTkey}Nri*=Do5-MiZ~ zG(|x`5Ffl>0tzbp!Hf>$=&0iiIx^0Hj({@?|2XRCAC8JMj{gBtf4}=kZZ^ByyN|Zn z^q!sXo^$VceCPR{@B7YU-+beOKR@^KC4UhmW{X%PK0L8poMZX!vbe?hLVN`8ZGaC? zoH#)*`orm%7OH_8MHat;Xcv7V13ND!*_5`;DzRj`&Dj^K8EGQ%!>8|g$Mq=$`uV5z zkh_2}D-Mb4fISIUpEz1Ai8+3&&;za2Jtsh!4=>;wy02z-iXuv#7AfE-jEDie%K$|T z39kr=FrJmoHKNV64BnRmn2*XKXZw7^c(sGyKRfEIH{h?i{ELvn<3=jX`~R#JXmN8~ ze;ocR0sMR(Yi|~)0sw0qyY7$?FARHig*3L{`?Y{>!+%AEaCULFa=6nu{?EVj?z^6J#y@(S5c6gH zn|*f)@o z{2%$g9CDHcKd1m^xG*zTc^mkrX%h2MKGf{53B0~;e5%HO^`Z{)v!l*=Gs{oDg_6_NkYQ1nuDWR*^u~*HQo9 z2JROP{CB{1=s#QT>@*JjuPpzc4fKBxC~5|DHY+B?4p7((fIL86ctjNQ0V#17v(q4+ zoFPbobCx+_gE9Y8hUW+}$VydfDSW9@pxHg0vRcB0^lJ287S|&;m3302f7BP4Itne( zlRPNTTxx_Fz`PO%W@@31plk`F?4|ReN1KCW_(u`4hJmUhm><@^90;};E{kY2<@Ct`!cC< zj6%~47f>4;#4y@W!Pi`gs~@GC@i~H&3R)=Q^c$EXz}N*XTc`%i>_4W->lxT4wgb6} zjLT@A9I``Io*OW#eWyw<5A^KVZgh3BnPVst8O{mB8%EQ|;U>d7jQB+WQz;;{t{g0& zGE{Vt5%I?6b%%elsx6cG<7?R;eDJ6DpL+Z5+ZX-l*5yyM_3ppuZ})1Fed%OkW_OM~ z_3ksT{%q*bQD5ib$&G#QaTuLe!6X7|VGR1V7nlT!Gbi?qr?ZfJ*oXshj5%Fk6$oQh{N>Tqr}H=gjQM@AUWOy!c%LLs-IvvXo%!ZYFbWb-4P zK1q@~5v+x)VS=9`Fxj9qubO77{51Yfa?J_0CoUA2iOU)mUF=JJ_Pq3 zz+S-3fLj3j0K)(oa4X;d;2?l$#9+q_w*or};B;!He+cd|60D#gD8F0w`awT(BqL{~ z`arb*EJmeV9!tNiz=xGK@DBkSnf5_oj$!nrz*-fwT1mhj#T&G=bt^mUqFp;jk2Uk;{I?jds{nTK??%{4 z^RF}ioBW3}|6Avu`K;KCLYtkR9{(le{xw7Qw}9=8aPjC z_9KKD(4=>HP&&XRxidjQO;E!|zG#LwF_B>XL&M$9G;QMlJiePu}By};f>PSvbIO5Ka_ zqZA&%^B6b^A8NV}QhESSFQob&&FzPatKGej?cE4PzizlB{JH^A$nz3n@)w27e;m4i z1bDXDc=i1&I#!lpqo}N@W<7BJc8RB5y&EL_j&=L``@(@fue&E4@VmX8^wVj|(+r(?8PS`dwO4w@lUA=`ER?nmQKg@kf04 zxkEn5$MNoUM{Zljh zU39_X1w}2WN}-U-jGRpM!swdb%j8S74>dl>i!>6Sd>7*ru2~%oJoeZ7uUNUa zs|T;P4E6A4d_6*LtF4GephokrA!nyED`7Dm|8WgWss&}-6V0a6O1zN5PB+gsC8Ok1 zaZhhb`yl5h5Bm1)GXf42@@TS-_Hi|y&8Jhbj`kr4_K3GR;F0+2Xpf?ui+N>pMkyBZ za=N2^S231O#jjT;2eV^JW^*hYmV@zN$lK))C{m9m&MWz4#5Rz+O@a1i*+bPT#i*RV!$morDomOQ9Q2;j8rrXk5z7r;S}dkx zK4z1hm8- zVMt8ew#$`q6_A9y)UK`Ls*swf&E>f!>LPiLD2wpqcD>Lc4nywKwYhms`s2<51z(4N zpSzj$z3$u!yaOrdU%k*(dXNHlNc**P{II!kn0v8#b}FHzA;fPML^ah1;dH97jQ)0t=`-JUlV3mFIUYNefEb zhnw|Dwe{X7#BUcwsZyAaI5UzS{9!?qNI!ZrhSuW#Q=QVaCgnE!nn~%X=S?r5mg4Cy zj;cILmBKDH_Q7`+L?2|y^5E{sFQz~R$tMcYnsku+DAFiH5@nj1bb$8_|6^IzBO=>O)&8bGOZ@96*L*BVV}`#AbP?k1dn^sTg=9Q~hu1LOQ}DM$a; z3TxGl{*OF%YwRnS-Bzbc|L4*)H}yztdK_~feZ47Ae&zit&DzFSYd#v4pLve{ee9iD z8xP6e5RP29l|az%4g`}icPtQ&;jBf_+ZFRmK{*_BiTmn0WTqV)QM2hHH=^a0v|LCX zQ8rXKZd2chmU)!1T8^&-;*oefaJ=`7Wq;28!IjjA9Nm$M=d)@yS?~;{RBVYGC=?T^ ztY^2rJ8m$WO{<>4R1S|~Dz{6HkI5t0&}VKL^oDHj8I=6VU^1NadJ{oO_RCAypEp;) zK8U@g)=GIroV5Aumkj{PYmop7<3=dKWQPf9J< zZv@1FGS}(~U9_S{hphO*awsO@uu>rC4)`JwcULHpbO#kV>F)|Cia*rlktBaO9GpT1 zW|@nHmMP0O9!y>f;3iS-Z`91}OCWi6%{)H`C$C;&1rXMAjkfx=ksfXFAXjT}Ucf;N z+j*|l`qNLk@=JA>H4fc0T+cgMeoL>p97Q&mk@}58{|)*d^U2|G68$w0i}~CEB@n?W zLT}QY^h)ud5|R==MVg27-z1>(`$XdmP1)GMST~(-<v!U95$EB*H*_jAi1_v00$%(5 zo;rX{DTek%0n7g>%~b4p0}uG zcz}m@D)AQiW?$mYLx|=k9$f(79fP&sSMNo?@S%4cz#TQ*VH?1&^q%}Ue1iC%M0pc% z&EVDK!KRh4wsET8b1>R8?6WV)FFoX`3pMrCF;C{q{3k$dV^P1gxRG1XTlW+^dlyC9 zdU;#t{-4&q|B3fGoBE4!xEm0U%HGd2eG|~k{XbnD-hh7n5B?&;#{ECbaKV;y{}1j8 zn~(SZIP!nVznWA~SvFbzFDsc~_||Ni#W~f+SCsOe^>I}p?S^6g{}9j9`fzed(l{sU z-=&1WZz=d5fj{r%_29%K|FNnU*Bw`-)A_N Sx>z-0_Wlj8R>`+f`S1TJ`3C6# diff --git a/icons/puppet-lint.svg b/icons/puppet-lint.svg index 4e5d4d0..c2e2cf7 100644 --- a/icons/puppet-lint.svg +++ b/icons/puppet-lint.svg @@ -4,9 +4,9 @@ Date: Wed, 22 Jun 2022 18:02:42 -0700 Subject: [PATCH 59/66] fix image --- icons/puppet-lint.svg | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/icons/puppet-lint.svg b/icons/puppet-lint.svg index c2e2cf7..4e5d4d0 100644 --- a/icons/puppet-lint.svg +++ b/icons/puppet-lint.svg @@ -4,9 +4,9 @@ Date: Thu, 23 Jun 2022 08:36:06 +0300 Subject: [PATCH 60/66] Update trivy-action to fix the performance issue This version of trivy-action fixed an issue reported by GitHub. The detail is in https://github.com/aquasecurity/trivy/issues/2357. --- code-scanning/trivy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index 06b5cae..63be947 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -33,7 +33,7 @@ jobs: docker build -t docker.io/my-organization/my-app:${{ github.sha }} . - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2 + uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe with: image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' format: 'template' From beafd2dec2a4a449a4d7adf79bf9c087826bf851 Mon Sep 17 00:00:00 2001 From: divyansh42 Date: Mon, 28 Mar 2022 17:37:21 +0530 Subject: [PATCH 61/66] Add CRDA starter workflow and modify openshift workflow Signed-off-by: divyansh42 --- code-scanning/crda.yml | 126 ++++++++++++++++++ code-scanning/properties/crda.properties.json | 7 + deployments/openshift.yml | 19 ++- 3 files changed, 150 insertions(+), 2 deletions(-) create mode 100644 code-scanning/crda.yml create mode 100644 code-scanning/properties/crda.properties.json diff --git a/code-scanning/crda.yml b/code-scanning/crda.yml new file mode 100644 index 0000000..d5bb88f --- /dev/null +++ b/code-scanning/crda.yml @@ -0,0 +1,126 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow performs a static analysis of your source code using +# Red Hat CodeReady Dependency Analytics. + +# Scans are triggered: +# 1. On every push to default and protected branches +# 2. On every Pull Request targeting the default branch +# 3. On a weekly schedule +# 4. Manually, on demand, via the "workflow_dispatch" event + +# 💁 The CRDA Starter workflow will: +# - Checkout your repository +# - Setup the required tool stack +# - Install the CRDA command line tool +# - Auto detect the manifest file and install the project's dependencies +# - Perform the security scan using CRDA +# - Upload the SARIF result to the GitHub Code Scanning which can be viewed under the security tab +# - Optionally upload the SARIF file as an artifact for the future reference + +# â„šī¸ Configure your repository and the workflow with the following steps: +# 1. Setup the tool stack based on the project's requirement. +# Refer to: https://github.com/redhat-actions/crda/#1-set-up-the-tool-stack +# 2. (Optional) CRDA action attempt to detect the language and install the +# required dependencies for your project. If your project doesn't aligns +# with the default dependency installation command mentioned here +# https://github.com/redhat-actions/crda/#3-installing-dependencies. +# Use the required inputs to setup the same +# 3. (Optional) CRDA action attempts to detect the manifest file if it is +# present in the root of the project and named as per the default mentioned +# here https://github.com/redhat-actions/crda/#3-installing-dependencies. +# If it deviates from the default, use the required inputs to setup the same +# 4. Setup Authentication - Create the CRDA_KEY or SNYK_TOKEN. +# Refer to: https://github.com/redhat-actions/crda/#4-set-up-authentication +# 5. (Optional) Upload SARIF file as an Artifact to download and view +# 6. Commit and push the workflow file to your default branch to trigger a workflow run. + +# 👋 Visit our GitHub organization at https://github.com/redhat-actions/ to see our actions and provide feedback. + +name: CRDA Scan + +# Controls when the workflow will run +on: + # TODO: Customize trigger events based on your DevSecOps processes + # + # This workflow is made to run with OpenShift starter workflow + # https://github.com/actions/starter-workflows/blob/main/deployments/openshift.yml + # However, if you want to run this workflow as a standalone workflow, please + # uncomment the 'push' trigger below and configure it based on your requirements. + # + workflow_call: + secrets: + CRDA_KEY: + required: false + SNYK_TOKEN: + required: false + workflow_dispatch: + + # push: + # branches: [ $default-branch, $protected-branches ] + + # pull_request_target is used to securely share secret to the PR's workflow run. + # For more info visit: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target + pull_request_target: + branches: [ $default-branch ] + types: [ assigned, opened, synchronize, reopened, labeled, edited ] + +permissions: + contents: read + +jobs: + crda-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for redhat-actions/crda to upload SARIF results + name: Scan project vulnerabilities with CRDA + runs-on: ubuntu-20.04 + steps: + + - name: Check out repository + uses: actions/checkout@v2 + + # ******************************************************************* + # Required: Instructions to setup project + # 1. Setup Go, Java, Node.js or Python depending on your project type + # 2. Setup Actions are listed below, choose one from them: + # - Go: https://github.com/actions/setup-go + # - Java: https://github.com/actions/setup-java + # - Node.js: https://github.com/actions/setup-node + # - Python: https://github.com/actions/setup-python + # + # Example: + # - name: Setup Node + # uses: actions/setup-node@v2 + # with: + # node-version: '14' + + # https://github.com/redhat-actions/openshift-tools-installer/blob/main/README.md + - name: Install CRDA CLI + uses: redhat-actions/openshift-tools-installer@v1 + with: + source: github + github_pat: ${{ github.token }} + # Choose the desired version of the CRDA CLI + crda: "latest" + + ###################################################################################### + # https://github.com/redhat-actions/crda/blob/main/README.md + # + # By default, CRDA will detect the manifest file and install the required dependencies + # using the standard command for the project type. + # If your project doesn't aligns with the defaults mentioned in this action, you will + # need to set few inputs that are described here: + # https://github.com/redhat-actions/crda/blob/main/README.md#3-installing-dependencies + # Visit https://github.com/redhat-actions/crda/#4-set-up-authentication to understand + # process to get a SNYK_TOKEN or a CRDA_KEY + - name: CRDA Scan + id: scan + uses: redhat-actions/crda@v1 + with: + crda_key: ${{ secrets.CRDA_KEY }} # Either use crda_key or snyk_token + # snyk_token: ${{ secrets.SNYK_TOKEN }} + # upload_artifact: false # Set this to false to skip artifact upload diff --git a/code-scanning/properties/crda.properties.json b/code-scanning/properties/crda.properties.json new file mode 100644 index 0000000..9e1a7ac --- /dev/null +++ b/code-scanning/properties/crda.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Red Hat CodeReady Dependency Analytics", + "creator": "Red Hat", + "description": "Scan your project's dependencies with CodeReady Dependency Analytics.", + "iconName": "openshift", + "categories": ["Code Scanning", "Go", "Python", "Node.js", "Java"] +} diff --git a/deployments/openshift.yml b/deployments/openshift.yml index 5775cb0..8504059 100644 --- a/deployments/openshift.yml +++ b/deployments/openshift.yml @@ -54,15 +54,30 @@ env: on: # https://docs.github.com/en/actions/reference/events-that-trigger-workflows + workflow_dispatch: push: # Edit to the branch(es) you want to build and deploy on each push. branches: [ $default-branch ] jobs: + # đŸ–Šī¸ EDIT if you want to run vulnerability check on your project before deploying + # the application. Please uncomment the below CRDA scan job and configure to run it in + # your workflow. For details about CRDA action visit https://github.com/redhat-actions/crda/blob/main/README.md + # + # TODO: Make sure to add 'CRDA Scan' starter workflow from the 'Actions' tab. + # For guide on adding new starter workflow visit https://docs.github.com/en/github-ae@latest/actions/using-workflows/using-starter-workflows + + crda-scan: + uses: ./.github/workflows/crda.yml + secrets: + CRDA_KEY: ${{ secrets.CRDA_KEY }} + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # Either use SNYK_TOKEN or CRDA_KEY + openshift-ci-cd: + # đŸ–Šī¸ Uncomment this if you are using CRDA scan step above + # needs: crda-scan name: Build and deploy to OpenShift - # ubuntu-20.04 can also be used. - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 environment: production outputs: From 4235f787e51ef913ae2ae78052c2d771b01f515f Mon Sep 17 00:00:00 2001 From: James Moore Date: Tue, 28 Jun 2022 08:00:44 +0100 Subject: [PATCH 62/66] fix cosign command line args --- ci/docker-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 71aff41..e88539d 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -90,4 +90,4 @@ jobs: COSIGN_EXPERIMENTAL: "true" # This step uses the identity token to provision an ephemeral certificate # against the sigstore community Fulcio instance. - run: cosign sign ${{ steps.meta.outputs.tags }}@${{ steps.build-and-push.outputs.digest }} + run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} From 948fdf226a354119fd08717925bc56caaf64c165 Mon Sep 17 00:00:00 2001 From: Federico Builes Date: Tue, 28 Jun 2022 17:20:56 +0200 Subject: [PATCH 63/66] Update the sample version of the Dependency Review action. --- code-scanning/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 8966511..fe461b4 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -17,4 +17,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@v3 - name: 'Dependency Review' - uses: actions/dependency-review-action@v1 + uses: actions/dependency-review-action@v2 From 313d29fe98742126d16aed69a2e4e534180470d8 Mon Sep 17 00:00:00 2001 From: Andreas Nesheim Date: Tue, 5 Jul 2022 09:53:27 +0200 Subject: [PATCH 64/66] Update dotnet.yml --- ci/dotnet.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/dotnet.yml b/ci/dotnet.yml index 5974d4a..a8eccab 100644 --- a/ci/dotnet.yml +++ b/ci/dotnet.yml @@ -16,7 +16,7 @@ jobs: - name: Setup .NET uses: actions/setup-dotnet@v2 with: - dotnet-version: 5.0.x + dotnet-version: 6.0.x - name: Restore dependencies run: dotnet restore - name: Build From b8cd0487750ed06b0ca6a9e878f561ddaa3d6ab0 Mon Sep 17 00:00:00 2001 From: Andreas Nesheim Date: Tue, 5 Jul 2022 09:57:44 +0200 Subject: [PATCH 65/66] Update dotnet-desktop.yml --- ci/dotnet-desktop.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index 00a78c7..bd2cb2e 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -71,7 +71,7 @@ jobs: - name: Install .NET Core uses: actions/setup-dotnet@v2 with: - dotnet-version: 5.0.x + dotnet-version: 6.0.x # Add MSBuild to the PATH: https://github.com/microsoft/setup-msbuild - name: Setup MSBuild.exe From 4d31a0b2a19136fed4d8f8beb6745c43c9530d66 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 19 Jul 2022 00:47:52 +0000 Subject: [PATCH 66/66] update --- ci/go-ossf-slsa3-publish.yml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/ci/go-ossf-slsa3-publish.yml b/ci/go-ossf-slsa3-publish.yml index 3f1b732..a738875 100644 --- a/ci/go-ossf-slsa3-publish.yml +++ b/ci/go-ossf-slsa3-publish.yml @@ -20,16 +20,19 @@ on: permissions: read-all jobs: + # ======================================================================================================================================== + # Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project. + # See format in https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file + #========================================================================================================================================= build: permissions: id-token: write # To sign. contents: write # To upload release assets. actions: read # To read workflow path. - # If you need more configuration options, such as ldflag examples, - # visit https://github.com/slsa-framework/slsa-github-generator#golang-projects. - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.1.1 + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.0 with: - # By default, the config file is .slsa-goreleaser.yml in the root directory. - # The format of the config file is described in - # https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file. go-version: 1.17 + # ============================================================================================================= + # Optional: For more options, see https://github.com/slsa-framework/slsa-github-generator#golang-projects + # ============================================================================================================= +