diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index c9e8299..2a0e55f 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -19,6 +19,6 @@ Before merging a new workflow, the following requirements need to be met:
- There are many programming languages and tools out there. Right now we don't have a page that allows for a really large number of workflows, so we do have to be a little choosy about what we accept. Less popular tools or languages might not be accepted.
- Automation and CI workflows should not send data to any 3rd party service except for the purposes of installing dependencies.
- Automation and CI workflows cannot be dependent on a paid service or product.
-- We recommend that Actions outside of the `actions` organization be pinned to a specific SHA.
+- We require that Actions outside of the `actions` organization be pinned to a specific SHA.
Thank you
diff --git a/ci/alibabacloud.yml b/ci/alibabacloud.yml
index 5d457d6..9ccc033 100644
--- a/ci/alibabacloud.yml
+++ b/ci/alibabacloud.yml
@@ -42,6 +42,7 @@ env:
jobs:
build:
runs-on: ubuntu-latest
+ environment: production
steps:
- name: Checkout
diff --git a/ci/aws.yml b/ci/aws.yml
index 40094ae..8b10116 100644
--- a/ci/aws.yml
+++ b/ci/aws.yml
@@ -33,6 +33,7 @@ jobs:
deploy:
name: Deploy
runs-on: ubuntu-latest
+ environment: production
steps:
- name: Checkout
@@ -77,4 +78,4 @@ jobs:
task-definition: ${{ steps.task-def.outputs.task-definition }}
service: sample-app-service
cluster: default
- wait-for-service-stability: true
\ No newline at end of file
+ wait-for-service-stability: true
diff --git a/ci/elixir.yml b/ci/elixir.yml
index 76dd26d..3f64657 100644
--- a/ci/elixir.yml
+++ b/ci/elixir.yml
@@ -15,7 +15,7 @@ jobs:
steps:
- uses: actions/checkout@v2
- name: Set up Elixir
- uses: actions/setup-elixir@v1
+ uses: erlef/setup-elixir@885971a72ed1f9240973bd92ab57af8c1aa68f24
with:
elixir-version: '1.10.3' # Define the elixir version [required]
otp-version: '22.3' # Define the OTP version [required]
diff --git a/ci/ibm.yml b/ci/ibm.yml
index 8af050f..a8502cd 100644
--- a/ci/ibm.yml
+++ b/ci/ibm.yml
@@ -28,6 +28,7 @@ jobs:
setup-build-publish-deploy:
name: Setup, Build, Publish, and Deploy
runs-on: ubuntu-latest
+ environment: production
steps:
- name: Checkout
diff --git a/ci/openshift.yml b/ci/openshift.yml
index d34131f..b9bcd0b 100644
--- a/ci/openshift.yml
+++ b/ci/openshift.yml
@@ -27,6 +27,7 @@
# For a more sophisticated example, see https://github.com/redhat-actions/spring-petclinic/blob/main/.github/workflows/petclinic-sample.yaml
# Also see our GitHub organization, https://github.com/redhat-actions/
+# ▶️ See a video of how to set up this workflow at https://www.youtube.com/watch?v=6hgBO-1pKho
name: OpenShift
@@ -64,8 +65,44 @@ jobs:
openshift-ci-cd:
name: Build and deploy to OpenShift
runs-on: ubuntu-20.04
+ environment: production
+
+ outputs:
+ ROUTE: ${{ steps.deploy-and-expose.outputs.route }}
+ SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }}
steps:
+ - name: Check if secrets exists
+ uses: actions/github-script@v3
+ with:
+ script: |
+ const secrets = {
+ REGISTRY_PASSWORD: `${{ secrets.REGISTRY_PASSWORD }}`,
+ OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`,
+ OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`,
+ };
+
+ const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
+ if (value.length === 0) {
+ core.warning(`Secret "${name}" is not set`);
+ return true;
+ }
+ core.info(`✔️ Secret "${name}" is set`);
+ return false;
+
+ });
+
+ if (missingSecrets.length > 0) {
+ core.setFailed(`❌ At least one required secret is not set in the repository. \n` +
+ "You can add it using:\n" +
+ "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" +
+ "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" +
+ "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example");
+ }
+ else {
+ core.info(`✅ All the required secrets are set`);
+ }
+
- uses: actions/checkout@v2
- name: Determine app name
@@ -80,12 +117,13 @@ jobs:
# https://github.com/redhat-actions/buildah-build#readme
- name: Build from Dockerfile
- uses: redhat-actions/buildah-build@v1
+ id: image-build
+ uses: redhat-actions/buildah-build@v2
with:
image: ${{ env.APP_NAME }}
- tag: ${{ env.TAG }}
+ tags: ${{ env.TAG }}
# If you don't have a dockerfile, see:
- # https://github.com/redhat-actions/buildah-build#building-from-scratch
+ # https://github.com/redhat-actions/buildah-build#scratch-build-inputs
# Otherwise, point this to your Dockerfile relative to the repository root.
dockerfiles: |
./Dockerfile
@@ -93,10 +131,10 @@ jobs:
# https://github.com/redhat-actions/push-to-registry#readme
- name: Push to registry
id: push-to-registry
- uses: redhat-actions/push-to-registry@v1
+ uses: redhat-actions/push-to-registry@v2
with:
- image: ${{ env.APP_NAME }}
- tag: ${{ env.TAG }}
+ image: ${{ steps.image-build.outputs.image }}
+ tags: ${{ steps.image-build.outputs.tags }}
registry: ${{ env.REGISTRY }}
username: ${{ env.REGISTRY_USER }}
password: ${{ env.REGISTRY_PASSWORD }}
@@ -117,30 +155,15 @@ jobs:
namespace: ${{ env.OPENSHIFT_NAMESPACE }}
# This step should create a deployment, service, and route to run your app and expose it to the internet.
- # Feel free to replace this with 'oc apply', 'helm install', or however you like to deploy your app.
+ # https://github.com/redhat-actions/oc-new-app#readme
- name: Create and expose app
- run: |
- export IMAGE="${{ steps.push-to-registry.outputs.registry-path }}"
- export PORT=${{ env.APP_PORT }}
-
- export SELECTOR="app=${{ env.APP_NAME }}"
- echo "SELECTOR=$SELECTOR" >> $GITHUB_ENV
-
- set -x
- # Take down any old deployment
- oc delete all --selector="$SELECTOR"
- oc new-app --name $APP_NAME --docker-image="$IMAGE"
-
- # Make sure the app port is exposed
- oc patch svc $APP_NAME -p "{ \"spec\": { \"ports\": [{ \"name\": \"$PORT-tcp\", \"port\": $PORT }] } }"
- oc expose service $APP_NAME --port=$PORT
-
- oc get all --selector="$SELECTOR"
- set +x
-
- export ROUTE="$(oc get route $APP_NAME -o jsonpath='{.spec.host}')"
- echo "$APP_NAME is exposed at $ROUTE"
- echo "ROUTE=$ROUTE" >> $GITHUB_ENV
+ id: deploy-and-expose
+ uses: redhat-actions/oc-new-app@v1
+ with:
+ app_name: ${{ env.APP_NAME }}
+ image: ${{ steps.push-to-registry.outputs.registry-path }}
+ namespace: ${{ env.OPENSHIFT_NAMESPACE }}
+ port: ${{ env.APP_PORT }}
- name: View application route
run: |
@@ -150,3 +173,6 @@ jobs:
echo "==================================================================================="
echo
echo "Your app can be taken down with: \"oc delete all --selector='${{ env.SELECTOR }}'\""
+ env:
+ ROUTE: ${{ steps.deploy-and-expose.outputs.route }}
+ SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }}
diff --git a/ci/php.yml b/ci/php.yml
index e1dceef..6acfdd1 100644
--- a/ci/php.yml
+++ b/ci/php.yml
@@ -27,7 +27,7 @@ jobs:
${{ runner.os }}-php-
- name: Install dependencies
- run: composer install --prefer-dist --no-progress --no-suggest
+ run: composer install --prefer-dist --no-progress
# Add a test script to composer.json, for instance: "test": "vendor/bin/phpunit"
# Docs: https://getcomposer.org/doc/articles/scripts.md
diff --git a/ci/tencent.yml b/ci/tencent.yml
index 2d4ad03..1a059a6 100644
--- a/ci/tencent.yml
+++ b/ci/tencent.yml
@@ -30,6 +30,7 @@ jobs:
setup-build-publish-deploy:
name: Setup, Build, Publish, and Deploy
runs-on: ubuntu-latest
+ environment: production
steps:
- name: Checkout
diff --git a/ci/terraform.yml b/ci/terraform.yml
index e6cf027..589f1f3 100644
--- a/ci/terraform.yml
+++ b/ci/terraform.yml
@@ -54,6 +54,7 @@ jobs:
terraform:
name: 'Terraform'
runs-on: ubuntu-latest
+ environment: production
# Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
defaults:
diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml
new file mode 100644
index 0000000..8d3d0eb
--- /dev/null
+++ b/code-scanning/kubesec.yml
@@ -0,0 +1,37 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Kubesec
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ lint:
+ name: Kubesec
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Run kubesec scanner
+ uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14
+ with:
+ input: file.yaml # specify configuration file to scan here
+ format: template
+ template: template/sarif.tpl
+ output: kubesec-results.sarif
+ exit-code: "0"
+
+ - name: Upload Kubesec scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: kubesec-results.sarif
\ No newline at end of file
diff --git a/code-scanning/properties/kubesec.properties.json b/code-scanning/properties/kubesec.properties.json
new file mode 100644
index 0000000..66d5619
--- /dev/null
+++ b/code-scanning/properties/kubesec.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Kubesec",
+ "creator": "Controlplane",
+ "description": "Security risk analysis for Kubernetes resources. Submit pod-types (such as deployment, cronjob) to receive an itemised security risk score.",
+ "iconName": "kubesec",
+ "categories": ["Code Scanning"]
+}
diff --git a/code-scanning/properties/synopsys-io.properties.json b/code-scanning/properties/synopsys-io.properties.json
new file mode 100644
index 0000000..ea7fae7
--- /dev/null
+++ b/code-scanning/properties/synopsys-io.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Synopsys Intelligent Security Scan Action",
+ "creator": "Synopsys",
+ "description": "The Synopsys Intelligent Security Scan Action helps selectively perform SAST and SCA scans, triggered during a variety of GitHub Platform events",
+ "iconName": "synopsys-io",
+ "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "Ruby", "PHP", "Swift", "Kotlin" , "Python", "VB.NET", "Objective C"]
+}
diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml
new file mode 100644
index 0000000..9b5a080
--- /dev/null
+++ b/code-scanning/synopsys-io.yml
@@ -0,0 +1,73 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Synopsys Intelligent Security Scan
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ - name: Synopsys Intelligent Security Scan
+ id: prescription
+ uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08
+ with:
+ ioServerUrl: ${{secrets.IO_SERVER_URL}}
+ ioServerToken: ${{secrets.IO_SERVER_TOKEN}}
+ workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}}
+ additionalWorkflowArgs: --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}}
+ stage: "IO"
+
+ # Please note that the ID in previous step was set to prescription
+ # in order for this logic to work also make sure that POLARIS_ACCESS_TOKEN
+ # is defined in settings
+ - name: Static Analysis with Polaris
+ if: ${{steps.prescription.outputs.sastScan == 'true' }}
+ run: |
+ export POLARIS_SERVER_URL=${{ secrets.POLARIS_SERVER_URL}}
+ export POLARIS_ACCESS_TOKEN=${{ secrets.POLARIS_ACCESS_TOKEN}}
+ wget -q ${{ secrets.POLARIS_SERVER_URL}}/api/tools/polaris_cli-linux64.zip
+ unzip -j polaris_cli-linux64.zip -d /tmp
+ /tmp/polaris analyze -w
+
+ # Please note that the ID in previous step was set to prescription
+ # in order for this logic to work
+ - name: Software Composition Analysis with Black Duck
+ if: ${{steps.prescription.outputs.scaScan == 'true' }}
+ uses: blackducksoftware/github-action@9ea442b34409737f64743781e9adc71fd8e17d38
+ with:
+ args: '--blackduck.url="${{ secrets.BLACKDUCK_URL}}" --blackduck.api.token="${{ secrets.BLACKDUCK_TOKEN}}" --detect.tools="SIGNATURE_SCAN,DETECTOR"'
+
+ - name: Synopsys Intelligent Security Scan
+ if: ${{ steps.prescription.outputs.sastScan == 'true' || steps.prescription.outputs.scaScan == 'true' }}
+ uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08
+ with:
+ ioServerUrl: ${{secrets.IO_SERVER_URL}}
+ ioServerToken: ${{secrets.IO_SERVER_TOKEN}}
+ workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}}
+ additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}}
+ --polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}}
+ --blackduck.project.name={{PROJECT_NAME}}:{{PROJECT_VERSION}} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}}
+ stage: "WORKFLOW"
+
+ - name: Upload SARIF file
+ if: ${{steps.prescription.outputs.sastScan == 'true' }}
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: workflowengine-results.sarif.json
diff --git a/icons/kubesec.svg b/icons/kubesec.svg
new file mode 100644
index 0000000..828eb09
--- /dev/null
+++ b/icons/kubesec.svg
@@ -0,0 +1,16 @@
+
+
diff --git a/icons/synopsys-io.svg b/icons/synopsys-io.svg
new file mode 100644
index 0000000..764a3be
--- /dev/null
+++ b/icons/synopsys-io.svg
@@ -0,0 +1 @@
+
\ No newline at end of file