diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index c9e8299..2a0e55f 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -19,6 +19,6 @@ Before merging a new workflow, the following requirements need to be met: - There are many programming languages and tools out there. Right now we don't have a page that allows for a really large number of workflows, so we do have to be a little choosy about what we accept. Less popular tools or languages might not be accepted. - Automation and CI workflows should not send data to any 3rd party service except for the purposes of installing dependencies. - Automation and CI workflows cannot be dependent on a paid service or product. -- We recommend that Actions outside of the `actions` organization be pinned to a specific SHA. +- We require that Actions outside of the `actions` organization be pinned to a specific SHA. Thank you diff --git a/ci/alibabacloud.yml b/ci/alibabacloud.yml index 5d457d6..9ccc033 100644 --- a/ci/alibabacloud.yml +++ b/ci/alibabacloud.yml @@ -42,6 +42,7 @@ env: jobs: build: runs-on: ubuntu-latest + environment: production steps: - name: Checkout diff --git a/ci/aws.yml b/ci/aws.yml index 40094ae..8b10116 100644 --- a/ci/aws.yml +++ b/ci/aws.yml @@ -33,6 +33,7 @@ jobs: deploy: name: Deploy runs-on: ubuntu-latest + environment: production steps: - name: Checkout @@ -77,4 +78,4 @@ jobs: task-definition: ${{ steps.task-def.outputs.task-definition }} service: sample-app-service cluster: default - wait-for-service-stability: true \ No newline at end of file + wait-for-service-stability: true diff --git a/ci/elixir.yml b/ci/elixir.yml index 76dd26d..3f64657 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -15,7 +15,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: Set up Elixir - uses: actions/setup-elixir@v1 + uses: erlef/setup-elixir@885971a72ed1f9240973bd92ab57af8c1aa68f24 with: elixir-version: '1.10.3' # Define the elixir version [required] otp-version: '22.3' # Define the OTP version [required] diff --git a/ci/ibm.yml b/ci/ibm.yml index 8af050f..a8502cd 100644 --- a/ci/ibm.yml +++ b/ci/ibm.yml @@ -28,6 +28,7 @@ jobs: setup-build-publish-deploy: name: Setup, Build, Publish, and Deploy runs-on: ubuntu-latest + environment: production steps: - name: Checkout diff --git a/ci/openshift.yml b/ci/openshift.yml index d34131f..b9bcd0b 100644 --- a/ci/openshift.yml +++ b/ci/openshift.yml @@ -27,6 +27,7 @@ # For a more sophisticated example, see https://github.com/redhat-actions/spring-petclinic/blob/main/.github/workflows/petclinic-sample.yaml # Also see our GitHub organization, https://github.com/redhat-actions/ +# ▶️ See a video of how to set up this workflow at https://www.youtube.com/watch?v=6hgBO-1pKho name: OpenShift @@ -64,8 +65,44 @@ jobs: openshift-ci-cd: name: Build and deploy to OpenShift runs-on: ubuntu-20.04 + environment: production + + outputs: + ROUTE: ${{ steps.deploy-and-expose.outputs.route }} + SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} steps: + - name: Check if secrets exists + uses: actions/github-script@v3 + with: + script: | + const secrets = { + REGISTRY_PASSWORD: `${{ secrets.REGISTRY_PASSWORD }}`, + OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`, + OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`, + }; + + const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => { + if (value.length === 0) { + core.warning(`Secret "${name}" is not set`); + return true; + } + core.info(`✔️ Secret "${name}" is set`); + return false; + + }); + + if (missingSecrets.length > 0) { + core.setFailed(`❌ At least one required secret is not set in the repository. \n` + + "You can add it using:\n" + + "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" + + "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" + + "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example"); + } + else { + core.info(`✅ All the required secrets are set`); + } + - uses: actions/checkout@v2 - name: Determine app name @@ -80,12 +117,13 @@ jobs: # https://github.com/redhat-actions/buildah-build#readme - name: Build from Dockerfile - uses: redhat-actions/buildah-build@v1 + id: image-build + uses: redhat-actions/buildah-build@v2 with: image: ${{ env.APP_NAME }} - tag: ${{ env.TAG }} + tags: ${{ env.TAG }} # If you don't have a dockerfile, see: - # https://github.com/redhat-actions/buildah-build#building-from-scratch + # https://github.com/redhat-actions/buildah-build#scratch-build-inputs # Otherwise, point this to your Dockerfile relative to the repository root. dockerfiles: | ./Dockerfile @@ -93,10 +131,10 @@ jobs: # https://github.com/redhat-actions/push-to-registry#readme - name: Push to registry id: push-to-registry - uses: redhat-actions/push-to-registry@v1 + uses: redhat-actions/push-to-registry@v2 with: - image: ${{ env.APP_NAME }} - tag: ${{ env.TAG }} + image: ${{ steps.image-build.outputs.image }} + tags: ${{ steps.image-build.outputs.tags }} registry: ${{ env.REGISTRY }} username: ${{ env.REGISTRY_USER }} password: ${{ env.REGISTRY_PASSWORD }} @@ -117,30 +155,15 @@ jobs: namespace: ${{ env.OPENSHIFT_NAMESPACE }} # This step should create a deployment, service, and route to run your app and expose it to the internet. - # Feel free to replace this with 'oc apply', 'helm install', or however you like to deploy your app. + # https://github.com/redhat-actions/oc-new-app#readme - name: Create and expose app - run: | - export IMAGE="${{ steps.push-to-registry.outputs.registry-path }}" - export PORT=${{ env.APP_PORT }} - - export SELECTOR="app=${{ env.APP_NAME }}" - echo "SELECTOR=$SELECTOR" >> $GITHUB_ENV - - set -x - # Take down any old deployment - oc delete all --selector="$SELECTOR" - oc new-app --name $APP_NAME --docker-image="$IMAGE" - - # Make sure the app port is exposed - oc patch svc $APP_NAME -p "{ \"spec\": { \"ports\": [{ \"name\": \"$PORT-tcp\", \"port\": $PORT }] } }" - oc expose service $APP_NAME --port=$PORT - - oc get all --selector="$SELECTOR" - set +x - - export ROUTE="$(oc get route $APP_NAME -o jsonpath='{.spec.host}')" - echo "$APP_NAME is exposed at $ROUTE" - echo "ROUTE=$ROUTE" >> $GITHUB_ENV + id: deploy-and-expose + uses: redhat-actions/oc-new-app@v1 + with: + app_name: ${{ env.APP_NAME }} + image: ${{ steps.push-to-registry.outputs.registry-path }} + namespace: ${{ env.OPENSHIFT_NAMESPACE }} + port: ${{ env.APP_PORT }} - name: View application route run: | @@ -150,3 +173,6 @@ jobs: echo "===================================================================================" echo echo "Your app can be taken down with: \"oc delete all --selector='${{ env.SELECTOR }}'\"" + env: + ROUTE: ${{ steps.deploy-and-expose.outputs.route }} + SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} diff --git a/ci/php.yml b/ci/php.yml index e1dceef..6acfdd1 100644 --- a/ci/php.yml +++ b/ci/php.yml @@ -27,7 +27,7 @@ jobs: ${{ runner.os }}-php- - name: Install dependencies - run: composer install --prefer-dist --no-progress --no-suggest + run: composer install --prefer-dist --no-progress # Add a test script to composer.json, for instance: "test": "vendor/bin/phpunit" # Docs: https://getcomposer.org/doc/articles/scripts.md diff --git a/ci/tencent.yml b/ci/tencent.yml index 2d4ad03..1a059a6 100644 --- a/ci/tencent.yml +++ b/ci/tencent.yml @@ -30,6 +30,7 @@ jobs: setup-build-publish-deploy: name: Setup, Build, Publish, and Deploy runs-on: ubuntu-latest + environment: production steps: - name: Checkout diff --git a/ci/terraform.yml b/ci/terraform.yml index e6cf027..589f1f3 100644 --- a/ci/terraform.yml +++ b/ci/terraform.yml @@ -54,6 +54,7 @@ jobs: terraform: name: 'Terraform' runs-on: ubuntu-latest + environment: production # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest defaults: diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml new file mode 100644 index 0000000..8d3d0eb --- /dev/null +++ b/code-scanning/kubesec.yml @@ -0,0 +1,37 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Kubesec + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + lint: + name: Kubesec + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Run kubesec scanner + uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 + with: + input: file.yaml # specify configuration file to scan here + format: template + template: template/sarif.tpl + output: kubesec-results.sarif + exit-code: "0" + + - name: Upload Kubesec scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: kubesec-results.sarif \ No newline at end of file diff --git a/code-scanning/properties/kubesec.properties.json b/code-scanning/properties/kubesec.properties.json new file mode 100644 index 0000000..66d5619 --- /dev/null +++ b/code-scanning/properties/kubesec.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Kubesec", + "creator": "Controlplane", + "description": "Security risk analysis for Kubernetes resources. Submit pod-types (such as deployment, cronjob) to receive an itemised security risk score.", + "iconName": "kubesec", + "categories": ["Code Scanning"] +} diff --git a/code-scanning/properties/synopsys-io.properties.json b/code-scanning/properties/synopsys-io.properties.json new file mode 100644 index 0000000..ea7fae7 --- /dev/null +++ b/code-scanning/properties/synopsys-io.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Synopsys Intelligent Security Scan Action", + "creator": "Synopsys", + "description": "The Synopsys Intelligent Security Scan Action helps selectively perform SAST and SCA scans, triggered during a variety of GitHub Platform events", + "iconName": "synopsys-io", + "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "Ruby", "PHP", "Swift", "Kotlin" , "Python", "VB.NET", "Objective C"] +} diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml new file mode 100644 index 0000000..9b5a080 --- /dev/null +++ b/code-scanning/synopsys-io.yml @@ -0,0 +1,73 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Synopsys Intelligent Security Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + - name: Synopsys Intelligent Security Scan + id: prescription + uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08 + with: + ioServerUrl: ${{secrets.IO_SERVER_URL}} + ioServerToken: ${{secrets.IO_SERVER_TOKEN}} + workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} + additionalWorkflowArgs: --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} + stage: "IO" + + # Please note that the ID in previous step was set to prescription + # in order for this logic to work also make sure that POLARIS_ACCESS_TOKEN + # is defined in settings + - name: Static Analysis with Polaris + if: ${{steps.prescription.outputs.sastScan == 'true' }} + run: | + export POLARIS_SERVER_URL=${{ secrets.POLARIS_SERVER_URL}} + export POLARIS_ACCESS_TOKEN=${{ secrets.POLARIS_ACCESS_TOKEN}} + wget -q ${{ secrets.POLARIS_SERVER_URL}}/api/tools/polaris_cli-linux64.zip + unzip -j polaris_cli-linux64.zip -d /tmp + /tmp/polaris analyze -w + + # Please note that the ID in previous step was set to prescription + # in order for this logic to work + - name: Software Composition Analysis with Black Duck + if: ${{steps.prescription.outputs.scaScan == 'true' }} + uses: blackducksoftware/github-action@9ea442b34409737f64743781e9adc71fd8e17d38 + with: + args: '--blackduck.url="${{ secrets.BLACKDUCK_URL}}" --blackduck.api.token="${{ secrets.BLACKDUCK_TOKEN}}" --detect.tools="SIGNATURE_SCAN,DETECTOR"' + + - name: Synopsys Intelligent Security Scan + if: ${{ steps.prescription.outputs.sastScan == 'true' || steps.prescription.outputs.scaScan == 'true' }} + uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08 + with: + ioServerUrl: ${{secrets.IO_SERVER_URL}} + ioServerToken: ${{secrets.IO_SERVER_TOKEN}} + workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} + additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}} + --polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} + --blackduck.project.name={{PROJECT_NAME}}:{{PROJECT_VERSION}} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}} + stage: "WORKFLOW" + + - name: Upload SARIF file + if: ${{steps.prescription.outputs.sastScan == 'true' }} + uses: github/codeql-action/upload-sarif@v1 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: workflowengine-results.sarif.json diff --git a/icons/kubesec.svg b/icons/kubesec.svg new file mode 100644 index 0000000..828eb09 --- /dev/null +++ b/icons/kubesec.svg @@ -0,0 +1,16 @@ + + + + + + image/svg+xml + + + + + + + + + + diff --git a/icons/synopsys-io.svg b/icons/synopsys-io.svg new file mode 100644 index 0000000..764a3be --- /dev/null +++ b/icons/synopsys-io.svg @@ -0,0 +1 @@ + \ No newline at end of file