diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index ffe789e..6d8091e 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -19,7 +19,7 @@ jobs: python-version: 3.11 - name: Cache pre-commit - uses: actions/cache@v3 + uses: actions/cache@v4 with: path: ~/.cache/pre-commit key: pre-commit-3|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }} diff --git a/README.md b/README.md index d8ccca4..c069342 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,24 @@ These are the workflow files for helping people get started with GitHub Actions. +### Note + +Thank you for your interest in this GitHub repo, however, right now we are not taking contributions. + +We continue to focus our resources on strategic areas that help our customers be successful while making developers' lives easier. While GitHub Actions remains a key part of this vision, we are allocating resources towards other areas of Actions and are not taking contributions to this repository at this time. The GitHub public roadmap is the best place to follow along for any updates on features we’re working on and what stage they’re in. + +We are taking the following steps to better direct requests related to GitHub Actions, including: + +1. We will be directing questions and support requests to our [Community Discussions area](https://github.com/orgs/community/discussions/categories/actions) + +2. High Priority bugs can be reported through Community Discussions or you can report these to our support team https://support.github.com/contact/bug-report. + +3. Security Issues should be handled as per our [security.md](security.md) + +We will still provide security updates for this project and fix major breaking changes during this time. + +You are welcome to still raise bugs in this repo. + ### Directory structure * [ci](ci): solutions for Continuous Integration workflows diff --git a/automation/properties/summary.properties.json b/automation/properties/summary.properties.json new file mode 100644 index 0000000..5ff7364 --- /dev/null +++ b/automation/properties/summary.properties.json @@ -0,0 +1,6 @@ +{ + "name": "AI issue summary", + "description": "Summarizes new issues", + "iconName": "octicon ai-model", + "categories": ["Automation", "SDLC"] +} diff --git a/automation/summary.yml b/automation/summary.yml new file mode 100644 index 0000000..4a8e31f --- /dev/null +++ b/automation/summary.yml @@ -0,0 +1,34 @@ +name: Summarize new issues + +on: + issues: + types: [opened] + +jobs: + summary: + runs-on: ubuntu-latest + permissions: + issues: write + models: read + contents: read + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Run AI inference + id: inference + uses: actions/ai-inference@v1 + with: + prompt: | + Summarize the following GitHub issue in one paragraph: + Title: ${{ github.event.issue.title }} + Body: ${{ github.event.issue.body }} + + - name: Comment with AI summary + run: | + gh issue comment $ISSUE_NUMBER --body '${{ steps.inference.outputs.response }}' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + ISSUE_NUMBER: ${{ github.event.issue.number }} + RESPONSE: ${{ steps.inference.outputs.response }} \ No newline at end of file diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index ad99b56..a7b9152 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -109,7 +109,7 @@ jobs: # Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact - name: Upload build artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: MSIX Package path: ${{ env.Wap_Project_Directory }}\AppPackages diff --git a/code-scanning/bandit.yml b/code-scanning/bandit.yml index 1a33e8f..a3858a3 100644 --- a/code-scanning/bandit.yml +++ b/code-scanning/bandit.yml @@ -31,7 +31,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Bandit Scan - uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c + uses: shundor/python-bandit-scan@ab1d87dfccc5a0ffab88be3aaac6ffe35c10d6cd with: # optional arguments # exit with 0, even with results found exit_zero: true # optional, default is DEFAULT diff --git a/code-scanning/black-duck-security-scan-ci.yml b/code-scanning/black-duck-security-scan-ci.yml new file mode 100644 index 0000000..c6a132b --- /dev/null +++ b/code-scanning/black-duck-security-scan-ci.yml @@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# Black Duck Security Action allows you to integrate Static Analysis Security Testing (SAST) and Software Composition Analysis (SCA) into your CI/CD pipelines. +# For more information about configuring your workflow, +# read our documentation at https://github.com/blackduck-inc/black-duck-security-scan + +name: CI Black Duck security scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + build: + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + security-events: write + actions: read + + steps: + - name: Checkout source + uses: actions/checkout@v4 + - name: Black Duck SCA scan + uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9 + with: + ### ---------- BLACKDUCK SCA SCANNING: REQUIRED FIELDS ---------- + blackducksca_url: ${{ vars.BLACKDUCKSCA_URL }} + blackducksca_token: ${{ secrets.BLACKDUCKSCA_TOKEN }} + + ### ---------- COVERITY SCANNING: REQUIRED FIELDS ---------- + coverity_url: ${{ vars.COVERITY_URL }} + coverity_user: ${{ secrets.COVERITY_USER }} + coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }} + + ### ---------- POLARIS SCANNING: REQUIRED FIELDS ---------- + polaris_server_url: ${{ vars.POLARIS_SERVER_URL }} + polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }} + polaris_assessment_types: "SCA,SAST" + + ### ---------- SRM SCANNING: REQUIRED FIELDS ---------- + srm_url: ${{ vars.SRM_URL }} + srm_apikey: ${{ secrets.SRM_API_KEY }} + srm_assessment_types: "SCA,SAST" + diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 7e46549..39d0d8e 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -55,9 +55,15 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 + # Add any setup steps before running the `github/codeql-action/init` action. + # This includes steps like installing compilers or runtimes (`actions/setup-node` + # or others). This is typically only required for manual builds. + # - name: Setup runtime (example) + # uses: actions/setup-example@v1 + # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@v4 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} @@ -74,7 +80,8 @@ jobs: # to build your code. # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - if: matrix.build-mode == 'manual' + - name: Run manual build steps + if: matrix.build-mode == 'manual' shell: bash run: | echo 'If you are using a "manual" build mode for one or more of the' \ @@ -85,6 +92,6 @@ jobs: exit 1 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@v4 with: category: "/language:${{matrix.language}}" diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml index 01611e8..fd7b723 100644 --- a/code-scanning/fortify.yml +++ b/code-scanning/fortify.yml @@ -34,51 +34,96 @@ jobs: actions: read contents: read security-events: write + # pull-requests: write # Required if DO_PR_COMMENT is set to true steps: # Check out source code - name: Check Out Source Code uses: actions/checkout@v4 - # Java is required to run the various Fortify utilities. Ensuring proper version is installed on the runner. - - name: Setup Java - uses: actions/setup-java@v4 - with: - java-version: 17 - distribution: 'temurin' - - # Perform SAST and optionally SCA scan via Fortify on Demand/Fortify Hosted/Software Security Center, then - # optionally export SAST results to the GitHub code scanning dashboard. In case further customization is + # Perform SAST and/or SCA scan via Fortify on Demand/Fortify Hosted/ScanCentral SAST/Debricked. Based on + # configuration, the Fortify GitHub Action can optionally set up the application version/release, generate + # job summaries and Pull Request comments, and/or export SAST results to the GitHub code scanning dashboard. + # The Fortify GitHub Action provides many customization capabilities, but in case further customization is # required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools - # and run them directly from within your pipeline; see https://github.com/fortify/github-action#readme for - # details. - - name: Run FoD SAST Scan - uses: fortify/github-action@a92347297e02391b857e7015792cd1926a4cd418 + # and run them directly from within your pipeline. It is recommended to review the Fortify GitHub Action + # documentation at https://github.com/fortify/github-action#readme for more information on the various + # configuration options and available sub-actions. + - name: Run Fortify Scan + # Specify Fortify GitHub Action version to run. As per GitHub starter workflow requirements, this example + # uses the commit id corresponding to version 1.6.2. It is recommended to check whether any later releases + # are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability + # required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version + # of this action, allowing your workflows to automatically benefit from any new features and bug fixes. + uses: fortify/github-action@ef5539bf4bd9c45c0bd971978f635a69eae55297 with: - sast-scan: true + sast-scan: true # Run a SAST scan; if not specified or set to false, no SAST scan will be run + debricked-sca-scan: true # For FoD, run an open-source scan as part of the SAST scan (ignored if SAST scan + # is disabled). For SSC, run a Debricked scan and import results into SSC. env: - ### Required configuration when integrating with Fortify on Demand - FOD_URL: https://ams.fortify.com - FOD_TENANT: ${{secrets.FOD_TENANT}} - FOD_USER: ${{secrets.FOD_USER}} + ############################################################# + ##### Fortify on Demand configuration + ##### Remove this section if you're integrating with Fortify Hosted/Software Security Center (see below) + ### Required configuration + FOD_URL: https://ams.fortify.com # Must be hardcoded or configured through GitHub variable, not secret + FOD_TENANT: ${{secrets.FOD_TENANT}} # Either tenant/user/password or client id/secret are required; + FOD_USER: ${{secrets.FOD_USER}} # these should be configured through GitHub secrets. FOD_PASSWORD: ${{secrets.FOD_PAT}} - ### Optional configuration when integrating with Fortify on Demand - # EXTRA_PACKAGE_OPTS: -oss # Extra 'scancentral package' options, like '-oss'' if - # Debricked SCA scan is enabled on Fortify on Demand - # EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options - # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: /:; may - # replace app+release name with numeric release ID - # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true' - # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard - ### Required configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral - # SSC_URL: ${{secrets.SSC_URL}} # SSC URL - # SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken or AutomationToken - # SC_SAST_TOKEN: ${{secrets.SC_SAST_TOKEN}} # ScanCentral SAST client auth token - # SC_SAST_SENSOR_VERSION: ${{vars.SC_SAST_SENSOR_VERSION}} # Sensor version on which to run the scan; - # usually defined as organization or repo variable - ### Optional configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral - # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options - # SSC_APPVERSION: MyApp:MyVersion # SSC application version, default: /: - # EXTRA_PACKAGE_OPTS: -bv myCustomPom.xml # Extra 'scancentral package' options - # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true' - # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard + # FOD_CLIENT_ID: ${{secrets.FOD_CLIENT_ID}} + # FOD_CLIENT_SECRET: ${{secrets.FOD_CLIENT_SECRET}} + ### Optional configuration + # FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options + # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: /: + # DO_SETUP: true # Setup FoD application, release & static scan configuration + # SETUP_ACTION: # Customize setup action + # Pass extra options to setup action: + # SETUP_EXTRA_OPTS: --copy-from "${{ github.repository }}:${{ github.event.repository.default_branch }}" + # PACKAGE_EXTRA_OPTS: -oss -bt mvn # Extra 'scancentral package' options + # FOD_SAST_SCAN_EXTRA_OPTS: # Extra 'fcli fod sast-scan start' options + # DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled) + # DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL + # POLICY_CHECK_ACTION: # Customize security policy checks + # POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action + # DO_JOB_SUMMARY: true # Generate workflow job summary + # JOB_SUMMARY_ACTION: # Customize job summary + # JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action + # DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers + # PR_COMMENT_ACTION: # Customize PR comments + # PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action + # DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard + # EXPORT_ACTION: # Customize export action + # EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action + # TOOL_DEFINITIONS: # URL from where to retrieve Fortify tool definitions + + ############################################################# + ##### Fortify Hosted / Software Security Center & ScanCentral + ##### Remove this section if you're integrating with Fortify on Demand (see above) + ### Required configuration + SSC_URL: ${{vars.SSC_URL}} # Must be hardcoded or configured through GitHub variable, not secret + SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken; credentials should be configured through GitHub secrets + SC_SAST_TOKEN: ${{secrets.SC_CLIENT_AUTH_TOKEN}} # ScanCentral SAST client_auth_token, required if SAST scan is enabled + DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} # Debricked token, required if Debricked scan is enabled + SC_SAST_SENSOR_VERSION: 24.4.0 # Sensor version to use for the scan, required if SAST scan is enabled + ### Optional configuration + # SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli ssc session login' options + # SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options + # SSC_APPVERSION: MyApp:MyVersion # SSC application version name, default: /: + # DO_SETUP: true # Set up SSC application & version + # SETUP_ACTION: # Customize setup action + # SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action + # PACKAGE_EXTRA_OPTS: -bt mvn # Extra 'scancentral package' options + # EXTRA_SC_SAST_SCAN_OPTS: # Extra 'fcli sc-sast scan start' options + # DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled) + # DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL + # POLICY_CHECK_ACTION: # Customize security policy checks + # POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action + # DO_JOB_SUMMARY: true # Generate workflow job summary + # JOB_SUMMARY_ACTION: # Customize job summary + # JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action + # DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers + # PR_COMMENT_ACTION: # Customize PR comments + # PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action + # DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard + # EXPORT_ACTION: # Customize export action + # EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action + # TOOL_DEFINITIONS: # URL from where to retrieve Fortify tool definitions diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index b8469de..1d7b31f 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -60,7 +60,7 @@ jobs: # Upload SARIF file as an Artifact to download and view # - name: Upload SARIF as an Artifact - # uses: actions/upload-artifact@v3 + # uses: actions/upload-artifact@v4 # with: # name: sarif-file # path: ${{ steps.run-analysis.outputs.sarif }} diff --git a/code-scanning/properties/black-duck-security-scan-ci.properties.json b/code-scanning/properties/black-duck-security-scan-ci.properties.json new file mode 100644 index 0000000..3e196fd --- /dev/null +++ b/code-scanning/properties/black-duck-security-scan-ci.properties.json @@ -0,0 +1,22 @@ +{ + "name": "Black Duck Security Scan Workflow", + "creator": "Black Duck Software, Inc.", + "description": "The Black Duck Security Scan GitHub Action allows you to configure your pipeline to run Black Duck Security Scan and take action on the security results", + "iconName": "black-duck", + "categories": [ + "Code Scanning", + "C", + "C++", + "C#", + "Go", + "Java", + "JavaScript", + "Ruby", + "PHP", + "Swift", + "Kotlin", + "Python", + "VB.NET", + "Objective C" + ] +} diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index b58ec1f..b5b838e 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml @@ -21,6 +21,8 @@ jobs: analysis: name: Scorecard analysis runs-on: ubuntu-latest + # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled. + if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request' permissions: # Needed to upload the results to code-scanning dashboard. security-events: write @@ -32,12 +34,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1 with: results_file: results.sarif results_format: sarif @@ -56,10 +58,13 @@ jobs: # of the value entered here. publish_results: true + # (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore + # file_mode: git + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 + uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1 with: name: SARIF file path: results.sarif diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 0d42c92..4853c4e 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -36,15 +36,25 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Analysis - uses: soos-io/soos-dast-github-action@65d9878d77c8993f3db9e86a92bc2ad3a6e060af + uses: soos-io/soos-dast-github-action@a7eb40b94c1c81eb76b178ba1befdc21823f86fa with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} project_name: "" scan_mode: "baseline" target_url: "https://www.example.com/" - output_format: "sarif" + export_format: "Sarif" + export_file_type: "Json" + - name: Find and rename SARIF file since it is unique + run: | + file=$(find . -name "*.sarif.json" | head -n 1) + if [ -n "$file" ]; then + mv "$file" output.sarif.json + echo "Renamed $file to output.sarif.json" + else + echo "No SARIF file found" && exit 1 + fi - name: Upload SOOS DAST SARIF Report uses: github/codeql-action/upload-sarif@v3 with: - sarif_file: results.sarif + sarif_file: output.sarif.json diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 4e2b49b..834d71f 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -87,7 +87,7 @@ jobs: license: ${{ secrets.XANITIZER_LICENSE }} # Archiving the findings list reports - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: Xanitizer-Reports path: | diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 73b6380..72eab26 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -59,7 +59,7 @@ jobs: run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: .net-app path: ${{env.DOTNET_ROOT}}/myapp @@ -75,7 +75,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: .net-app diff --git a/deployments/azure-webapps-java-jar-gradle.yml b/deployments/azure-webapps-java-jar-gradle.yml index 51817b5..9957493 100644 --- a/deployments/azure-webapps-java-jar-gradle.yml +++ b/deployments/azure-webapps-java-jar-gradle.yml @@ -50,7 +50,7 @@ jobs: run: gradle build - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: java-app path: '${{ github.workspace }}/build/libs/*.jar' @@ -66,7 +66,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: java-app diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index c98baed..14580c6 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -50,7 +50,7 @@ jobs: run: mvn clean install - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: java-app path: '${{ github.workspace }}/target/*.jar' @@ -66,7 +66,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: java-app diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index dfa9dbb..408c99e 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -49,7 +49,7 @@ jobs: npm run test --if-present - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: node-app path: . @@ -65,7 +65,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: node-app diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 1182c2a..3391c83 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -70,7 +70,7 @@ jobs: run: composer validate --no-check-publish && composer install --prefer-dist --no-progress - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: php-app path: . @@ -86,7 +86,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: php-app diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 656f95c..e4868c4 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -55,7 +55,7 @@ jobs: # Optional: Add step to run tests here (PyTest, Django test suites, etc.) - name: Upload artifact for deployment jobs - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: python-app path: | @@ -73,7 +73,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: python-app path: . diff --git a/icons/black-duck.svg b/icons/black-duck.svg new file mode 100644 index 0000000..2afce62 --- /dev/null +++ b/icons/black-duck.svg @@ -0,0 +1,219 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index fcdaaad..99c746b 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -196,6 +196,27 @@ async function checkWorkflow( }) ), ]); + + // The v4 versions of upload and download artifact are not yet supported on GHES + console.group("Updating all compatible workflows to use v3 of the artifact actions"); + for (const workflow of result.compatibleWorkflows) { + const path = join(workflow.folder, `${workflow.id}.yml`); + console.log(`Updating ${path}`); + const contents = await fs.readFile(path, "utf8"); + + if (contents.includes("actions/upload-artifact@v4") || contents.includes("actions/download-artifact@v4")) { + console.log("Found v4 artifact actions, updating to v3"); + } else { + continue; + } + + let updatedContents = contents.replace(/actions\/upload-artifact@v4/g, "actions/upload-artifact@v3"); + updatedContents = updatedContents.replace(/actions\/download-artifact@v4/g, "actions/download-artifact@v3"); + + await fs.writeFile(path, updatedContents); + } + console.groupEnd(); + } catch (e) { console.error("Unhandled error while syncing workflows", e); process.exitCode = 1;