From 97a0ce792527c32b1a0a1e006bfec65ac6227c8c Mon Sep 17 00:00:00 2001 From: Manuel Zubieta Date: Wed, 24 Feb 2021 09:13:54 -0600 Subject: [PATCH 01/18] actions/setup-elixir now lives under erlef GH Org github.com/actions/setup-elixir is no longer maintained and now suggests using github.com/erlef/setup-elixir This should be updated to help new Github Actions users to use the supported action. --- ci/elixir.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/elixir.yml b/ci/elixir.yml index 76dd26d..ddeba63 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -15,7 +15,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: Set up Elixir - uses: actions/setup-elixir@v1 + uses: erlef/setup-elixir@v1 with: elixir-version: '1.10.3' # Define the elixir version [required] otp-version: '22.3' # Define the OTP version [required] From 559fd976e283ae4e9868ae91407f646da7d6fadd Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Fri, 5 Mar 2021 09:32:54 -0500 Subject: [PATCH 02/18] Update alibabacloud.yml --- ci/alibabacloud.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ci/alibabacloud.yml b/ci/alibabacloud.yml index 5d457d6..82e7dc0 100644 --- a/ci/alibabacloud.yml +++ b/ci/alibabacloud.yml @@ -16,6 +16,9 @@ # # 4. Change the values for the REGION_ID, REGISTRY, NAMESPACE, IMAGE, ACK_CLUSTER_ID, and ACK_DEPLOYMENT_NAME. # +# 5. Create an environment named "production". +# For instructions see https://docs.github.com/en/actions/reference/environments#creating-an-environment. +# name: Build and Deploy to ACK @@ -42,6 +45,7 @@ env: jobs: build: runs-on: ubuntu-latest + environment: production steps: - name: Checkout From c451f7ec4794b5f8fbf264bfdbd530a77fe12cdc Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Fri, 5 Mar 2021 09:34:17 -0500 Subject: [PATCH 03/18] Update aws.yml --- ci/aws.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ci/aws.yml b/ci/aws.yml index 40094ae..a3defb3 100644 --- a/ci/aws.yml +++ b/ci/aws.yml @@ -22,6 +22,9 @@ # 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. # See the documentation for each action used below for the recommended IAM policies for this IAM user, # and best practices on handling the access key credentials. +# +# 5. Create an environment named "production". +# For instructions see https://docs.github.com/en/actions/reference/environments#creating-an-environment. on: release: @@ -33,6 +36,7 @@ jobs: deploy: name: Deploy runs-on: ubuntu-latest + environment: production steps: - name: Checkout @@ -77,4 +81,4 @@ jobs: task-definition: ${{ steps.task-def.outputs.task-definition }} service: sample-app-service cluster: default - wait-for-service-stability: true \ No newline at end of file + wait-for-service-stability: true From 761b09ecde3c6f9772a9b38b86beeccf8e7c7bc0 Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Fri, 5 Mar 2021 09:44:31 -0500 Subject: [PATCH 04/18] add production environment --- ci/alibabacloud.yml | 3 --- ci/aws.yml | 3 --- ci/ibm.yml | 1 + ci/openshift.yml | 1 + ci/tencent.yml | 1 + ci/terraform.yml | 1 + 6 files changed, 4 insertions(+), 6 deletions(-) diff --git a/ci/alibabacloud.yml b/ci/alibabacloud.yml index 82e7dc0..9ccc033 100644 --- a/ci/alibabacloud.yml +++ b/ci/alibabacloud.yml @@ -16,9 +16,6 @@ # # 4. Change the values for the REGION_ID, REGISTRY, NAMESPACE, IMAGE, ACK_CLUSTER_ID, and ACK_DEPLOYMENT_NAME. # -# 5. Create an environment named "production". -# For instructions see https://docs.github.com/en/actions/reference/environments#creating-an-environment. -# name: Build and Deploy to ACK diff --git a/ci/aws.yml b/ci/aws.yml index a3defb3..8b10116 100644 --- a/ci/aws.yml +++ b/ci/aws.yml @@ -22,9 +22,6 @@ # 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. # See the documentation for each action used below for the recommended IAM policies for this IAM user, # and best practices on handling the access key credentials. -# -# 5. Create an environment named "production". -# For instructions see https://docs.github.com/en/actions/reference/environments#creating-an-environment. on: release: diff --git a/ci/ibm.yml b/ci/ibm.yml index 8af050f..a8502cd 100644 --- a/ci/ibm.yml +++ b/ci/ibm.yml @@ -28,6 +28,7 @@ jobs: setup-build-publish-deploy: name: Setup, Build, Publish, and Deploy runs-on: ubuntu-latest + environment: production steps: - name: Checkout diff --git a/ci/openshift.yml b/ci/openshift.yml index d34131f..8a4875d 100644 --- a/ci/openshift.yml +++ b/ci/openshift.yml @@ -64,6 +64,7 @@ jobs: openshift-ci-cd: name: Build and deploy to OpenShift runs-on: ubuntu-20.04 + environment: production steps: - uses: actions/checkout@v2 diff --git a/ci/tencent.yml b/ci/tencent.yml index 2d4ad03..1a059a6 100644 --- a/ci/tencent.yml +++ b/ci/tencent.yml @@ -30,6 +30,7 @@ jobs: setup-build-publish-deploy: name: Setup, Build, Publish, and Deploy runs-on: ubuntu-latest + environment: production steps: - name: Checkout diff --git a/ci/terraform.yml b/ci/terraform.yml index e6cf027..589f1f3 100644 --- a/ci/terraform.yml +++ b/ci/terraform.yml @@ -54,6 +54,7 @@ jobs: terraform: name: 'Terraform' runs-on: ubuntu-latest + environment: production # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest defaults: From a29df688f22c2a9c68c82771eb37b952a2ac3277 Mon Sep 17 00:00:00 2001 From: Jonathan Clem Date: Fri, 5 Mar 2021 10:04:52 -0500 Subject: [PATCH 05/18] Update ci/elixir.yml Co-authored-by: Andy McKay --- ci/elixir.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ci/elixir.yml b/ci/elixir.yml index ddeba63..e53e9a0 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -15,7 +15,8 @@ jobs: steps: - uses: actions/checkout@v2 - name: Set up Elixir - uses: erlef/setup-elixir@v1 + uses: erlef/setup-elixir@885971a72ed1f9240973bd92ab57af8c1aa68f24 + with: elixir-version: '1.10.3' # Define the elixir version [required] otp-version: '22.3' # Define the OTP version [required] From 3116545da6eafa440789b987092574461d7d9c8f Mon Sep 17 00:00:00 2001 From: Josh Gross Date: Fri, 5 Mar 2021 11:43:49 -0500 Subject: [PATCH 06/18] Remove extra line in Elixir workflow (#831) --- ci/elixir.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/ci/elixir.yml b/ci/elixir.yml index e53e9a0..3f64657 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -16,7 +16,6 @@ jobs: - uses: actions/checkout@v2 - name: Set up Elixir uses: erlef/setup-elixir@885971a72ed1f9240973bd92ab57af8c1aa68f24 - with: elixir-version: '1.10.3' # Define the elixir version [required] otp-version: '22.3' # Define the OTP version [required] From 20bd227226e068f8052363b9a153c7290a3dcd69 Mon Sep 17 00:00:00 2001 From: Nick Fyson Date: Mon, 8 Mar 2021 13:40:39 +0000 Subject: [PATCH 07/18] add kubesec code scanning workflow --- code-scanning/kubesec.yml | 37 +++++++++++++++++++ .../properties/kubesec.properties.json | 7 ++++ icons/kubesec.svg | 16 ++++++++ 3 files changed, 60 insertions(+) create mode 100644 code-scanning/kubesec.yml create mode 100644 code-scanning/properties/kubesec.properties.json create mode 100644 icons/kubesec.svg diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml new file mode 100644 index 0000000..8d3d0eb --- /dev/null +++ b/code-scanning/kubesec.yml @@ -0,0 +1,37 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Kubesec + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + lint: + name: Kubesec + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Run kubesec scanner + uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 + with: + input: file.yaml # specify configuration file to scan here + format: template + template: template/sarif.tpl + output: kubesec-results.sarif + exit-code: "0" + + - name: Upload Kubesec scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: kubesec-results.sarif \ No newline at end of file diff --git a/code-scanning/properties/kubesec.properties.json b/code-scanning/properties/kubesec.properties.json new file mode 100644 index 0000000..66d5619 --- /dev/null +++ b/code-scanning/properties/kubesec.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Kubesec", + "creator": "Controlplane", + "description": "Security risk analysis for Kubernetes resources. Submit pod-types (such as deployment, cronjob) to receive an itemised security risk score.", + "iconName": "kubesec", + "categories": ["Code Scanning"] +} diff --git a/icons/kubesec.svg b/icons/kubesec.svg new file mode 100644 index 0000000..828eb09 --- /dev/null +++ b/icons/kubesec.svg @@ -0,0 +1,16 @@ + + + + + + image/svg+xml + + + + + + + + + + From 16a1b76572ff62d6c4f295b55a88dd27c68eb178 Mon Sep 17 00:00:00 2001 From: Rahul Gunasekaran Date: Tue, 9 Mar 2021 15:57:48 -0500 Subject: [PATCH 08/18] add_listing_to_github_ui --- .../properties/synopsysio.properties.json | 7 ++ code-scanning/synopsys-io-actions.yml | 77 +++++++++++++++++++ icons/synopsys.svg | 1 + 3 files changed, 85 insertions(+) create mode 100644 code-scanning/properties/synopsysio.properties.json create mode 100644 code-scanning/synopsys-io-actions.yml create mode 100644 icons/synopsys.svg diff --git a/code-scanning/properties/synopsysio.properties.json b/code-scanning/properties/synopsysio.properties.json new file mode 100644 index 0000000..257357e --- /dev/null +++ b/code-scanning/properties/synopsysio.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Synopsys Intelligent Security Scan Action", + "creator": "Synopsys", + "description": "The Synopsys Intelligent Security Scan Action helps selectively perform SAST and SCA scans, triggered during a variety of GitHub Platform events for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.", + "iconName": "synopsys", + "categories": ["Code Scanning"] +} diff --git a/code-scanning/synopsys-io-actions.yml b/code-scanning/synopsys-io-actions.yml new file mode 100644 index 0000000..b5aa503 --- /dev/null +++ b/code-scanning/synopsys-io-actions.yml @@ -0,0 +1,77 @@ +name: "Synopsys Intelligent Security Scan" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + with: + # We must fetch at least the immediate parents so that if this is + # a pull request then we can checkout the head. + fetch-depth: 2 + + # If this run was triggered by a pull request event, then checkout + # the head of the pull request instead of the merge commit. + - run: git checkout HEAD^2 + if: ${{ github.event_name == 'pull_request' }} + + - name: Synopsys Intelligent Security Scan + id: prescription + uses: synopsys-sig/intelligent-security-scan@v1 + with: + ioServerUrl: ${{secrets.IO_SERVER_URL}} + ioServerToken: ${{secrets.IO_SERVER_TOKEN}} + workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} + additionalWorkflowArgs: --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} + stage: "IO" + + # Please note that the ID in previous step was set to prescription + # in order for this logic to work also make sure that POLARIS_ACCESS_TOKEN + # is defined in settings + - name: Static Analysis with Polaris + if: ${{steps.prescription.outputs.sastScan == 'true' }} + run: | + export POLARIS_SERVER_URL=${{ secrets.POLARIS_SERVER_URL}} + export POLARIS_ACCESS_TOKEN=${{ secrets.POLARIS_ACCESS_TOKEN}} + wget -q ${{ secrets.POLARIS_SERVER_URL}}/api/tools/polaris_cli-linux64.zip + unzip -j polaris_cli-linux64.zip -d /tmp + /tmp/polaris analyze -w + + # Please note that the ID in previous step was set to prescription + # in order for this logic to work + - name: Software Composition Analysis with Black Duck + if: ${{steps.prescription.outputs.scaScan == 'true' }} + uses: blackducksoftware/github-action@v2 + with: + args: '--blackduck.url="${{ secrets.BLACKDUCK_URL}}" --blackduck.api.token="${{ secrets.BLACKDUCK_TOKEN}}" --detect.tools="SIGNATURE_SCAN,DETECTOR"' + + - name: Synopsys Intelligent Security Scan + if: ${{ steps.prescription.outputs.sastScan == 'true' || steps.prescription.outputs.scaScan == 'true' }} + uses: synopsys-sig/intelligent-security-scan@v1 + with: + ioServerUrl: ${{secrets.IO_SERVER_URL}} + ioServerToken: ${{secrets.IO_SERVER_TOKEN}} + workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} + additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}} + --polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} + --blackduck.project.name={{PROJECT_NAME}}:{{PROJECT_VERSION}} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}} + stage: "WORKFLOW" + + - name: Upload SARIF file + if: ${{steps.prescription.outputs.sastScan == 'true' }} + uses: github/codeql-action/upload-sarif@v1 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: workflowengine-results.sarif.json diff --git a/icons/synopsys.svg b/icons/synopsys.svg new file mode 100644 index 0000000..764a3be --- /dev/null +++ b/icons/synopsys.svg @@ -0,0 +1 @@ + \ No newline at end of file From 93599e25052bb0825cd15e7fbec78289ce008d49 Mon Sep 17 00:00:00 2001 From: Rahul Gunasekaran <71350204+rahulguna10@users.noreply.github.com> Date: Wed, 10 Mar 2021 08:22:45 -0500 Subject: [PATCH 09/18] Updated suggested changes in code-scanning/synopsys-io-actions.yml Co-authored-by: Nick Fyson --- code-scanning/synopsys-io-actions.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/code-scanning/synopsys-io-actions.yml b/code-scanning/synopsys-io-actions.yml index b5aa503..39ed12a 100644 --- a/code-scanning/synopsys-io-actions.yml +++ b/code-scanning/synopsys-io-actions.yml @@ -17,15 +17,6 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v2 - with: - # We must fetch at least the immediate parents so that if this is - # a pull request then we can checkout the head. - fetch-depth: 2 - - # If this run was triggered by a pull request event, then checkout - # the head of the pull request instead of the merge commit. - - run: git checkout HEAD^2 - if: ${{ github.event_name == 'pull_request' }} - name: Synopsys Intelligent Security Scan id: prescription From a74640c1ec12ff8eced90ca1e13436b09ff3975f Mon Sep 17 00:00:00 2001 From: Rahul Gunasekaran Date: Wed, 10 Mar 2021 08:53:33 -0500 Subject: [PATCH 10/18] updated suggested filename changes --- .../{synopsysio.properties.json => synopsys-io.properties.json} | 2 +- icons/{synopsys.svg => synopsys-io.svg} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename code-scanning/properties/{synopsysio.properties.json => synopsys-io.properties.json} (92%) rename icons/{synopsys.svg => synopsys-io.svg} (100%) diff --git a/code-scanning/properties/synopsysio.properties.json b/code-scanning/properties/synopsys-io.properties.json similarity index 92% rename from code-scanning/properties/synopsysio.properties.json rename to code-scanning/properties/synopsys-io.properties.json index 257357e..67aeb09 100644 --- a/code-scanning/properties/synopsysio.properties.json +++ b/code-scanning/properties/synopsys-io.properties.json @@ -2,6 +2,6 @@ "name": "Synopsys Intelligent Security Scan Action", "creator": "Synopsys", "description": "The Synopsys Intelligent Security Scan Action helps selectively perform SAST and SCA scans, triggered during a variety of GitHub Platform events for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.", - "iconName": "synopsys", + "iconName": "synopsys-io", "categories": ["Code Scanning"] } diff --git a/icons/synopsys.svg b/icons/synopsys-io.svg similarity index 100% rename from icons/synopsys.svg rename to icons/synopsys-io.svg From fe22e77a67382caac9adf68816cc67bc94e82be1 Mon Sep 17 00:00:00 2001 From: Rahul Gunasekaran Date: Thu, 11 Mar 2021 13:18:53 -0500 Subject: [PATCH 11/18] changes for checklist items --- code-scanning/properties/synopsys-io.properties.json | 4 ++-- code-scanning/synopsys-io-actions.yml | 7 ++++++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/code-scanning/properties/synopsys-io.properties.json b/code-scanning/properties/synopsys-io.properties.json index 67aeb09..ea7fae7 100644 --- a/code-scanning/properties/synopsys-io.properties.json +++ b/code-scanning/properties/synopsys-io.properties.json @@ -1,7 +1,7 @@ { "name": "Synopsys Intelligent Security Scan Action", "creator": "Synopsys", - "description": "The Synopsys Intelligent Security Scan Action helps selectively perform SAST and SCA scans, triggered during a variety of GitHub Platform events for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.", + "description": "The Synopsys Intelligent Security Scan Action helps selectively perform SAST and SCA scans, triggered during a variety of GitHub Platform events", "iconName": "synopsys-io", - "categories": ["Code Scanning"] + "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "Ruby", "PHP", "Swift", "Kotlin" , "Python", "VB.NET", "Objective C"] } diff --git a/code-scanning/synopsys-io-actions.yml b/code-scanning/synopsys-io-actions.yml index 39ed12a..edc3cbc 100644 --- a/code-scanning/synopsys-io-actions.yml +++ b/code-scanning/synopsys-io-actions.yml @@ -1,4 +1,9 @@ -name: "Synopsys Intelligent Security Scan" +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Synopsys Intelligent Security Scan on: push: From ba6a2f292c765fc881d0ffd3472e7101d74ec1e4 Mon Sep 17 00:00:00 2001 From: Rahul Gunasekaran <71350204+rahulguna10@users.noreply.github.com> Date: Thu, 11 Mar 2021 21:33:39 -0500 Subject: [PATCH 12/18] Updated version to commit SHA --- code-scanning/synopsys-io-actions.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/synopsys-io-actions.yml b/code-scanning/synopsys-io-actions.yml index edc3cbc..7501726 100644 --- a/code-scanning/synopsys-io-actions.yml +++ b/code-scanning/synopsys-io-actions.yml @@ -25,7 +25,7 @@ jobs: - name: Synopsys Intelligent Security Scan id: prescription - uses: synopsys-sig/intelligent-security-scan@v1 + uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08 with: ioServerUrl: ${{secrets.IO_SERVER_URL}} ioServerToken: ${{secrets.IO_SERVER_TOKEN}} @@ -55,7 +55,7 @@ jobs: - name: Synopsys Intelligent Security Scan if: ${{ steps.prescription.outputs.sastScan == 'true' || steps.prescription.outputs.scaScan == 'true' }} - uses: synopsys-sig/intelligent-security-scan@v1 + uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08 with: ioServerUrl: ${{secrets.IO_SERVER_URL}} ioServerToken: ${{secrets.IO_SERVER_TOKEN}} From 5eb695baece07fb726877d04c0e98d3eeb0a63a5 Mon Sep 17 00:00:00 2001 From: Rahul Gunasekaran <71350204+rahulguna10@users.noreply.github.com> Date: Fri, 12 Mar 2021 12:23:28 -0500 Subject: [PATCH 13/18] Updated commit SHA Co-authored-by: Nick Fyson --- code-scanning/synopsys-io-actions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/synopsys-io-actions.yml b/code-scanning/synopsys-io-actions.yml index 7501726..9b5a080 100644 --- a/code-scanning/synopsys-io-actions.yml +++ b/code-scanning/synopsys-io-actions.yml @@ -49,7 +49,7 @@ jobs: # in order for this logic to work - name: Software Composition Analysis with Black Duck if: ${{steps.prescription.outputs.scaScan == 'true' }} - uses: blackducksoftware/github-action@v2 + uses: blackducksoftware/github-action@9ea442b34409737f64743781e9adc71fd8e17d38 with: args: '--blackduck.url="${{ secrets.BLACKDUCK_URL}}" --blackduck.api.token="${{ secrets.BLACKDUCK_TOKEN}}" --detect.tools="SIGNATURE_SCAN,DETECTOR"' From 6e127e8439bd8533948e209ff4379084becc9094 Mon Sep 17 00:00:00 2001 From: Nick Fyson Date: Fri, 12 Mar 2021 20:00:40 +0000 Subject: [PATCH 14/18] fix id of synosys-io workflow --- code-scanning/{synopsys-io-actions.yml => synopsys-io.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename code-scanning/{synopsys-io-actions.yml => synopsys-io.yml} (100%) diff --git a/code-scanning/synopsys-io-actions.yml b/code-scanning/synopsys-io.yml similarity index 100% rename from code-scanning/synopsys-io-actions.yml rename to code-scanning/synopsys-io.yml From 3d5dfdfe67b1a3b1e69b1425acf2bb1c56b811af Mon Sep 17 00:00:00 2001 From: Geod24 Date: Sun, 14 Mar 2021 16:22:28 +0900 Subject: [PATCH 15/18] Fix wording in README to follow pull request template The wording in the pull request template was changed from recommend to require, but the same change was not made to the README. --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index c9e8299..2a0e55f 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -19,6 +19,6 @@ Before merging a new workflow, the following requirements need to be met: - There are many programming languages and tools out there. Right now we don't have a page that allows for a really large number of workflows, so we do have to be a little choosy about what we accept. Less popular tools or languages might not be accepted. - Automation and CI workflows should not send data to any 3rd party service except for the purposes of installing dependencies. - Automation and CI workflows cannot be dependent on a paid service or product. -- We recommend that Actions outside of the `actions` organization be pinned to a specific SHA. +- We require that Actions outside of the `actions` organization be pinned to a specific SHA. Thank you From 019de53cfb24ce35e5b64d47aca87779a47de011 Mon Sep 17 00:00:00 2001 From: Sergey Yakimov Date: Thu, 18 Mar 2021 15:28:14 +0200 Subject: [PATCH 16/18] Remove the deprecated "--no-suggest" option from the Composer install step --- ci/php.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/php.yml b/ci/php.yml index e1dceef..6acfdd1 100644 --- a/ci/php.yml +++ b/ci/php.yml @@ -27,7 +27,7 @@ jobs: ${{ runner.os }}-php- - name: Install dependencies - run: composer install --prefer-dist --no-progress --no-suggest + run: composer install --prefer-dist --no-progress # Add a test script to composer.json, for instance: "test": "vendor/bin/phpunit" # Docs: https://getcomposer.org/doc/articles/scripts.md From 7c8569ab2bcbca327d9745f7f77ad89918d68585 Mon Sep 17 00:00:00 2001 From: Divyanshu Agrawal Date: Tue, 9 Mar 2021 19:32:22 +0530 Subject: [PATCH 17/18] Modify openshift workflow with v2 version of actions and add oc-new-app (#1) * Modify openshift workflow with v2 version of actions and add oc-new-app Signed-off-by: divyansh42 --- ci/openshift.yml | 84 +++++++++++++++++++++++++++++++----------------- 1 file changed, 55 insertions(+), 29 deletions(-) diff --git a/ci/openshift.yml b/ci/openshift.yml index 8a4875d..e25afef 100644 --- a/ci/openshift.yml +++ b/ci/openshift.yml @@ -27,6 +27,7 @@ # For a more sophisticated example, see https://github.com/redhat-actions/spring-petclinic/blob/main/.github/workflows/petclinic-sample.yaml # Also see our GitHub organization, https://github.com/redhat-actions/ +# ▶️ See a video of how to set up this workflow at https://www.youtube.com/watch?v=6hgBO-1pKho name: OpenShift @@ -52,6 +53,7 @@ env: # If you wish to manually provide the APP_NAME and TAG, set them here, otherwise they will be auto-detected. APP_NAME: "" + TAG: "" on: @@ -66,7 +68,42 @@ jobs: runs-on: ubuntu-20.04 environment: production + outputs: + ROUTE: ${{ steps.deploy-and-expose.outputs.route }} + SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} + steps: + - name: Check if secrets exists + uses: actions/github-script@v3 + with: + script: | + const secrets = { + REGISTRY_PASSWORD: `${{ secrets.REGISTRY_PASSWORD }}`, + OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`, + OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`, + }; + + const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => { + if (value.length === 0) { + core.warning(`Secret "${name}" is not set`); + return true; + } + core.info(` ✔️ Secret "${name}" is set`); + return false; + + }); + + if (missingSecrets.length > 0) { + core.setFailed(`❌ At least one required secret is not set in the repository. \n` + + "You can add it using:\n" + + "Github UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" + + "Github CLI: https://cli.github.com/manual/gh_secret_set \n" + + "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example"); + } + else { + core.info(`✅ All the required secrets are set`); + } + - uses: actions/checkout@v2 - name: Determine app name @@ -81,12 +118,13 @@ jobs: # https://github.com/redhat-actions/buildah-build#readme - name: Build from Dockerfile - uses: redhat-actions/buildah-build@v1 + id: image-build + uses: redhat-actions/buildah-build@v2 with: image: ${{ env.APP_NAME }} - tag: ${{ env.TAG }} + tags: ${{ env.TAG }} # If you don't have a dockerfile, see: - # https://github.com/redhat-actions/buildah-build#building-from-scratch + # https://github.com/redhat-actions/buildah-build#scratch-build-inputs # Otherwise, point this to your Dockerfile relative to the repository root. dockerfiles: | ./Dockerfile @@ -94,10 +132,10 @@ jobs: # https://github.com/redhat-actions/push-to-registry#readme - name: Push to registry id: push-to-registry - uses: redhat-actions/push-to-registry@v1 + uses: redhat-actions/push-to-registry@v2 with: - image: ${{ env.APP_NAME }} - tag: ${{ env.TAG }} + image: ${{ steps.image-build.outputs.image }} + tags: ${{ steps.image-build.outputs.tags }} registry: ${{ env.REGISTRY }} username: ${{ env.REGISTRY_USER }} password: ${{ env.REGISTRY_PASSWORD }} @@ -118,30 +156,15 @@ jobs: namespace: ${{ env.OPENSHIFT_NAMESPACE }} # This step should create a deployment, service, and route to run your app and expose it to the internet. - # Feel free to replace this with 'oc apply', 'helm install', or however you like to deploy your app. + # https://github.com/redhat-actions/oc-new-app#readme - name: Create and expose app - run: | - export IMAGE="${{ steps.push-to-registry.outputs.registry-path }}" - export PORT=${{ env.APP_PORT }} - - export SELECTOR="app=${{ env.APP_NAME }}" - echo "SELECTOR=$SELECTOR" >> $GITHUB_ENV - - set -x - # Take down any old deployment - oc delete all --selector="$SELECTOR" - oc new-app --name $APP_NAME --docker-image="$IMAGE" - - # Make sure the app port is exposed - oc patch svc $APP_NAME -p "{ \"spec\": { \"ports\": [{ \"name\": \"$PORT-tcp\", \"port\": $PORT }] } }" - oc expose service $APP_NAME --port=$PORT - - oc get all --selector="$SELECTOR" - set +x - - export ROUTE="$(oc get route $APP_NAME -o jsonpath='{.spec.host}')" - echo "$APP_NAME is exposed at $ROUTE" - echo "ROUTE=$ROUTE" >> $GITHUB_ENV + id: deploy-and-expose + uses: redhat-actions/oc-new-app@v1 + with: + app_name: ${{ env.APP_NAME }} + image: ${{ steps.push-to-registry.outputs.registry-path }} + namespace: ${{ env.OPENSHIFT_NAMESPACE }} + port: ${{ env.APP_PORT }} - name: View application route run: | @@ -151,3 +174,6 @@ jobs: echo "===================================================================================" echo echo "Your app can be taken down with: \"oc delete all --selector='${{ env.SELECTOR }}'\"" + env: + ROUTE: ${{ steps.deploy-and-expose.outputs.route }} + SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} From c08e24c17b12e3bc9d346fa5aa745aa8c497fd23 Mon Sep 17 00:00:00 2001 From: divyansh42 Date: Wed, 24 Mar 2021 20:21:19 +0530 Subject: [PATCH 18/18] Resolve reviews Signed-off-by: divyansh42 --- ci/openshift.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/ci/openshift.yml b/ci/openshift.yml index e25afef..b9bcd0b 100644 --- a/ci/openshift.yml +++ b/ci/openshift.yml @@ -53,7 +53,6 @@ env: # If you wish to manually provide the APP_NAME and TAG, set them here, otherwise they will be auto-detected. APP_NAME: "" - TAG: "" on: @@ -88,7 +87,7 @@ jobs: core.warning(`Secret "${name}" is not set`); return true; } - core.info(` ✔️ Secret "${name}" is set`); + core.info(`✔️ Secret "${name}" is set`); return false; }); @@ -96,14 +95,14 @@ jobs: if (missingSecrets.length > 0) { core.setFailed(`❌ At least one required secret is not set in the repository. \n` + "You can add it using:\n" + - "Github UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" + - "Github CLI: https://cli.github.com/manual/gh_secret_set \n" + + "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" + + "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" + "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example"); } else { core.info(`✅ All the required secrets are set`); } - + - uses: actions/checkout@v2 - name: Determine app name