diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index c116b93..b34c768 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -2,7 +2,7 @@ name: Mark stale issues and pull requests on: schedule: - - cron: "21 4 * * *" + - cron: $cron-daily jobs: stale: diff --git a/automation/stale.yml b/automation/stale.yml index 30c3dd9..277380b 100644 --- a/automation/stale.yml +++ b/automation/stale.yml @@ -2,7 +2,7 @@ name: Mark stale issues and pull requests on: schedule: - - cron: "30 1 * * *" + - cron: $cron-daily jobs: stale: diff --git a/ci/deno.yml b/ci/deno.yml index 178b61f..cf91f5e 100644 --- a/ci/deno.yml +++ b/ci/deno.yml @@ -3,8 +3,8 @@ # separate terms of service, privacy policy, and support # documentation. -# This workflow will install Deno and run tests across stable and nightly builds on Windows, Ubuntu and macOS. -# For more information see: https://github.com/denolib/setup-deno +# This workflow will install Deno and run tests across stable and canary builds on Windows, Ubuntu and macOS. +# For more information see: https://github.com/denoland/setup-deno name: Deno @@ -20,7 +20,7 @@ jobs: strategy: matrix: - deno: ["v1.x", "nightly"] + deno: ["v1.x", "canary"] os: [macOS-latest, windows-latest, ubuntu-latest] steps: @@ -28,12 +28,20 @@ jobs: uses: actions/checkout@v2 - name: Setup Deno - uses: denolib/setup-deno@c7d7968ad4a59c159a777f79adddad6872ee8d96 + # uses: denoland/setup-deno@v1 + uses: denoland/setup-deno@4a4e59637fa62bd6c086a216c7e4c5b457ea9e79 with: deno-version: ${{ matrix.deno }} # tests across multiple Deno versions - - name: Cache Dependencies + # Uncomment this step to verify the use of 'deno fmt' on each commit. + # - name: Verify formatting + # run: deno fmt --check + + - name: Run linter + run: deno lint + + - name: Cache dependencies run: deno cache deps.ts - - name: Run Tests + - name: Run tests run: deno test -A --unstable diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index ba69744..ab266ef 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -1,80 +1,63 @@ name: Docker +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + on: + schedule: + - cron: $cron-daily push: - # Publish `$default-branch` as Docker `latest` image. - branches: - - $default-branch - - # Publish `v1.2.3` tags as releases. - tags: - - v* - - # Run tests for any PRs. + branches: [ $default-branch ] + # Publish semver tags as releases. + tags: [ 'v*.*.*' ] pull_request: + branches: [ $default-branch ] env: - # TODO: Change variable to your image's name. - IMAGE_NAME: image + # Use docker.io for Docker Hub if empty + REGISTRY: ghcr.io + # github.repository as / + IMAGE_NAME: ${{ github.repository }} + jobs: - # Run tests. - # See also https://docs.docker.com/docker-hub/builds/automated-testing/ - test: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - - name: Run tests - run: | - if [ -f docker-compose.test.yml ]; then - docker-compose --file docker-compose.test.yml build - docker-compose --file docker-compose.test.yml run sut - else - docker build . --file Dockerfile - fi - - # Push image to GitHub Packages. - # See also https://docs.docker.com/docker-hub/builds/ - push: - # Ensure test job passes before pushing image. - needs: test + build: runs-on: ubuntu-latest - if: github.event_name == 'push' - permissions: contents: read packages: write steps: - - uses: actions/checkout@v2 + - name: Checkout repository + uses: actions/checkout@v2 - - name: Build image - run: docker build . --file Dockerfile --tag $IMAGE_NAME + # Login against a Docker registry except on PR + # https://github.com/docker/login-action + - name: Log into registry ${{ env.REGISTRY }} + if: github.event_name != 'pull_request' + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - - name: Log into registry - run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login docker.pkg.github.com -u ${{ github.actor }} --password-stdin + # Extract metadata (tags, labels) for Docker + # https://github.com/docker/metadata-action + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - - name: Push image - run: | - IMAGE_ID=docker.pkg.github.com/${{ github.repository }}/$IMAGE_NAME - - # Change all uppercase to lowercase - IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]') - - # Strip git ref prefix from version - VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,') - - # Strip "v" prefix from tag name - [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//') - - # Use Docker `latest` tag convention - [ "$VERSION" == "$default-branch" ] && VERSION=latest - - echo IMAGE_ID=$IMAGE_ID - echo VERSION=$VERSION - - docker tag $IMAGE_NAME $IMAGE_ID:$VERSION - docker push $IMAGE_ID:$VERSION + # Build and push Docker image with Buildx (don't push on PR) + # https://github.com/docker/build-push-action + - name: Build and push Docker image + uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc + with: + context: . + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} diff --git a/ci/ios.yml b/ci/ios.yml index 74c974d..032b77a 100644 --- a/ci/ios.yml +++ b/ci/ios.yml @@ -37,7 +37,7 @@ jobs: platform: ${{ 'iOS Simulator' }} run: | # xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959) - device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'`` + device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'` if [ $scheme = default ]; then scheme=$(cat default); fi if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi file_to_build=`echo $file_to_build | awk '{$1=$1;print}'` diff --git a/ci/openshift.yml b/ci/openshift.yml index 6d5c20a..ec5e0fb 100644 --- a/ci/openshift.yml +++ b/ci/openshift.yml @@ -144,7 +144,8 @@ jobs: # oc-login works on all platforms, but oc must be installed first. # The GitHub Ubuntu runner already includes oc. - # Otherwise, https://github.com/redhat-actions/oc-installer#readme is available. + # Otherwise, https://github.com/redhat-actions/openshift-tools-installer can be used to install oc, + # as well as many other tools. # https://github.com/redhat-actions/oc-login#readme - name: Log in to OpenShift diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 1a03a7b..3bfabfc 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -1,11 +1,16 @@ # This workflow will upload a Python Package using Twine when a release is created # For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + name: Upload Python Package on: release: - types: [created] + types: [published] jobs: deploy: @@ -21,11 +26,11 @@ jobs: - name: Install dependencies run: | python -m pip install --upgrade pip - pip install setuptools wheel twine - - name: Build and publish - env: - TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }} - TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }} - run: | - python setup.py sdist bdist_wheel - twine upload dist/* + pip install build + - name: Build package + run: python -m build + - name: Publish package + uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29 + with: + user: __token__ + password: ${{ secrets.PYPI_API_TOKEN }} diff --git a/code-scanning/devskim.yml b/code-scanning/devskim.yml new file mode 100644 index 0000000..3a5c45f --- /dev/null +++ b/code-scanning/devskim.yml @@ -0,0 +1,34 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: DevSkim + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + lint: + name: DevSkim + runs-on: ubuntu-20.04 + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Run DevSkim scanner + uses: microsoft/DevSkim-Action@v1 + + - name: Upload DevSkim scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: devskim-results.sarif diff --git a/code-scanning/properties/devskim.properties.json b/code-scanning/properties/devskim.properties.json new file mode 100644 index 0000000..0eab5c6 --- /dev/null +++ b/code-scanning/properties/devskim.properties.json @@ -0,0 +1,7 @@ +{ + "name": "DevSkim", + "creator": "Microsoft CST-E", + "description": "DevSkim is security linter that highlights common security issues in source code.", + "iconName": "cst-logo", + "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python", "Powershell", "Cobol", "Objective C", "PHP", "Ruby", "Rust", "SQL", "Swift", "Visual Basic"] +} diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 9040659..479f713 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -27,7 +27,7 @@ jobs: uses: actions/checkout@v2 - name: Run tfsec - uses: tfsec/tfsec-sarif-action@2ec44316ed27c50d48c931c3c628adc4c8bb1d2b + uses: tfsec/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f with: sarif_file: tfsec.sarif diff --git a/icons/cst-logo.svg b/icons/cst-logo.svg new file mode 100644 index 0000000..a7beb3d --- /dev/null +++ b/icons/cst-logo.svg @@ -0,0 +1,5 @@ + + + + +