From b81d5bf895b50be4ef5abdf63de2c1bfced3fe35 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 25 Apr 2024 16:53:16 +0000
Subject: [PATCH 01/30] Bump actions/cache from 3 to 4
Bumps [actions/cache](https://github.com/actions/cache) from 3 to 4.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3...v4)
---
updated-dependencies:
- dependency-name: actions/cache
 dependency-type: direct:production
 update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/lint.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index ffe789e..6d8091e 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -19,7 +19,7 @@ jobs:
 python-version: 3.11
 - name: Cache pre-commit
- uses: actions/cache@v3
+ uses: actions/cache@v4
 with:
 path: ~/.cache/pre-commit
 key: pre-commit-3|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }}
From 4cbe5359f3a3d03c01f07a51274ad38b97997f22 Mon Sep 17 00:00:00 2001
From: Ruud Senden <8635138+rsenden@users.noreply.github.com>
Date: Wed, 6 Nov 2024 17:37:05 +0100
Subject: [PATCH 02/30] Update Fortify starter workflow
---
 code-scanning/fortify.yml | 120 ++++++++++++++++++++++++++------------
 1 file changed, 82 insertions(+), 38 deletions(-)
diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml
index 01611e8..10834bc 100644
--- a/code-scanning/fortify.yml
+++ b/code-scanning/fortify.yml
@@ -34,51 +34,95 @@ jobs: actions: read contents: read security-events: write + # pull-requests: write # Required if DO_PR_COMMENT is set to true steps: # Check out source code - name: Check Out Source Code uses: actions/checkout@v4 - # Java is required to run the various Fortify utilities. Ensuring proper version is installed on the runner. - - name: Setup Java - uses: actions/setup-java@v4 - with: - java-version: 17 - distribution: 'temurin' - - # Perform SAST and optionally SCA scan via Fortify on Demand/Fortify Hosted/Software Security Center, then - # optionally export SAST results to the GitHub code scanning dashboard. In case further customization is + # Perform SAST and/or SCA scan via Fortify on Demand/Fortify Hosted/ScanCentral SAST/Debricked. Based on + # configuration, the Fortify GitHub Action can optionally set up the application version/release, generate + # job summaries and Pull Request comments, and/or export SAST results to the GitHub code scanning dashboard. + # The Fortify GitHub Action provides many customization capabilities, but in case further customization is # required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools - # and run them directly from within your pipeline; see https://github.com/fortify/github-action#readme for - # details. - - name: Run FoD SAST Scan - uses: fortify/github-action@a92347297e02391b857e7015792cd1926a4cd418 + # and run them directly from within your pipeline. It is recommended to review the Fortify GitHub Action + # documentation at https://github.com/fortify/github-action#readme for more information on the various + # configuration options and available sub-actions. + - name: Run Fortify Scan + # Specify Fortify GitHub Action version to run. As per GitHub starter workflow requirements, this example + # uses the commit id corresponding to version 1.5.2. 
It is recommended to check whether any later releases + # are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability + # required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version + # of this action, allowing your workflows to automatically benefit from any new features and bug fixes. + uses: fortify/github-action@afb2d9e467caf7c6ad273799fc1b65ac492b0de2 with: - sast-scan: true + sast-scan: true # Run a SAST scan; if not specified or set to false, no SAST scan will be run + debricked-sca-scan: true # For FoD, run an open-source scan as part of the SAST scan (ignored if SAST scan + # is disabled). For SSC, run a Debricked scan and import results into SSC. env: - ### Required configuration when integrating with Fortify on Demand - FOD_URL: https://ams.fortify.com - FOD_TENANT: ${{secrets.FOD_TENANT}} - FOD_USER: ${{secrets.FOD_USER}} + ############################################################# + ##### Fortify on Demand configuration + ##### Remove this section if you're integrating with Fortify Hosted/Software Security Center (see below) + ### Required configuration + FOD_URL: https://ams.fortify.com # Must be hardcoded or configured through GitHub variable, not secret + FOD_TENANT: ${{secrets.FOD_TENANT}} # Either tenant/user/password or client id/secret are required; + FOD_USER: ${{secrets.FOD_USER}} # these should be configured through GitHub secrets. 
FOD_PASSWORD: ${{secrets.FOD_PAT}} - ### Optional configuration when integrating with Fortify on Demand - # EXTRA_PACKAGE_OPTS: -oss # Extra 'scancentral package' options, like '-oss'' if - # Debricked SCA scan is enabled on Fortify on Demand - # EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options - # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: /:; may - # replace app+release name with numeric release ID - # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true' - # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard - ### Required configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral - # SSC_URL: ${{secrets.SSC_URL}} # SSC URL - # SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken or AutomationToken - # SC_SAST_TOKEN: ${{secrets.SC_SAST_TOKEN}} # ScanCentral SAST client auth token - # SC_SAST_SENSOR_VERSION: ${{vars.SC_SAST_SENSOR_VERSION}} # Sensor version on which to run the scan; - # usually defined as organization or repo variable - ### Optional configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral - # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options - # SSC_APPVERSION: MyApp:MyVersion # SSC application version, default: /: - # EXTRA_PACKAGE_OPTS: -bv myCustomPom.xml # Extra 'scancentral package' options - # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true' - # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard + # FOD_CLIENT_ID: ${{secrets.FOD_CLIENT_ID}} + # FOD_CLIENT_SECRET: ${{secrets.FOD_CLIENT_SECRET}} + ### Optional configuration + # FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options + # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: /: + # DO_SETUP: true # Setup FoD application, release & static scan configuration + # SETUP_ACTION: # Customize setup action + # 
SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action + # PACKAGE_EXTRA_OPTS: -oss -bt mvn # Extra 'scancentral package' options + # FOD_SAST_SCAN_EXTRA_OPTS: # Extra 'fcli fod sast-scan start' options + # DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled) + # DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL + # POLICY_CHECK_ACTION: # Customize security policy checks + # POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action + # DO_JOB_SUMMARY: true # Generate workflow job summary + # JOB_SUMMARY_ACTION: # Customize job summary + # JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action + # DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers + # PR_COMMENT_ACTION: # Customize PR comments + # PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action + # DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard + # EXPORT_ACTION: # Customize export action + # EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action + # TOOL_DEFINITIONS: # URL from where to retrieve Fortify tool definitions + + ############################################################# + ##### Fortify Hosted / Software Security Center & ScanCentral + ##### Remove this section if you're integrating with Fortify on Demand (see above) + ### Required configuration + SSC_URL: ${{vars.SSC_URL}} # Must be hardcoded or configured through GitHub variable, not secret + SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken; credentials should be configured through GitHub secrets + SC_SAST_TOKEN: ${{secrets.SC_CLIENT_AUTH_TOKEN}} # ScanCentral SAST client_auth_token, required if SAST scan is enabled + DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} # Debricked token, required if Debricked scan is enabled + SC_SAST_SENSOR_VERSION: 24.4.0 # Sensor version to use for the scan, 
required if SAST scan is enabled + ### Optional configuration + # SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli ssc session login' options + # SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options + # SSC_APPVERSION: MyApp:MyVersion # SSC application version name, default: /: + # DO_SETUP: true # Set up SSC application & version + # SETUP_ACTION: # Customize setup action + # SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action + # PACKAGE_EXTRA_OPTS: -bt mvn # Extra 'scancentral package' options + # EXTRA_SC_SAST_SCAN_OPTS: # Extra 'fcli sc-sast scan start' options + # DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled) + # DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL + # POLICY_CHECK_ACTION: # Customize security policy checks + # POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action + # DO_JOB_SUMMARY: true # Generate workflow job summary + # JOB_SUMMARY_ACTION: # Customize job summary + # JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action + # DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers + # PR_COMMENT_ACTION: # Customize PR comments + # PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action + # DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard + # EXPORT_ACTION: # Customize export action + # EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action + # TOOL_DEFINITIONS: # URL from where to retrieve Fortify tool definitions From 196973618e5cac03cab78ca8fbd2f4ebfda1e10c Mon Sep 17 00:00:00 2001 From: Ruud Senden <8635138+rsenden@users.noreply.github.com> Date: Fri, 8 Nov 2024 11:30:15 +0100 Subject: [PATCH 03/30] Remove trailing spaces --- code-scanning/fortify.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
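Review bot: The comment above `uses:` recommends replacing the pinned commit with `fortify/github-action@v1`, but this step is handed the FoD, SSC, ScanCentral and Debricked credentials and the job holds `security-events: write`, so a moved or compromised tag would run with all of that. I would keep the SHA pin as the recommended form and present the tag as a trade-off, e.g. `# Prefer keeping the commit pin and updating it via Dependabot; a tag such as @v1 is mutable and runs with this job's secrets.` Separately, the commented `SETUP_EXTRA_OPTS`, `POLICY_CHECK_EXTRA_OPTS`, `JOB_SUMMARY_EXTRA_OPTS`, `PR_COMMENT_EXTRA_OPTS` and `EXPORT_EXTRA_OPTS` examples all show `--on-unsigned=ignore`, which presumably skips a signature check on custom actions; a neutral placeholder with a short note on when ignoring is acceptable would be safer to copy. The job's trigger and the start of its `permissions:` block are outside this hunk.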
diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml
index 10834bc..e669499 100644
--- a/code-scanning/fortify.yml
+++ b/code-scanning/fortify.yml
@@ -43,17 +43,17 @@ jobs:
 # Perform SAST and/or SCA scan via Fortify on Demand/Fortify Hosted/ScanCentral SAST/Debricked. Based on
 # configuration, the Fortify GitHub Action can optionally set up the application version/release, generate
- # job summaries and Pull Request comments, and/or export SAST results to the GitHub code scanning dashboard.
- # The Fortify GitHub Action provides many customization capabilities, but in case further customization is
+ # job summaries and Pull Request comments, and/or export SAST results to the GitHub code scanning dashboard.
+ # The Fortify GitHub Action provides many customization capabilities, but in case further customization is
 # required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools
- # and run them directly from within your pipeline. It is recommended to review the Fortify GitHub Action
+ # and run them directly from within your pipeline. It is recommended to review the Fortify GitHub Action
 # documentation at https://github.com/fortify/github-action#readme for more information on the various
 # configuration options and available sub-actions.
 - name: Run Fortify Scan
 # Specify Fortify GitHub Action version to run. As per GitHub starter workflow requirements, this example
 # uses the commit id corresponding to version 1.5.2. It is recommended to check whether any later releases
 # are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability
- # required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version
+ # required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version
 # of this action, allowing your workflows to automatically benefit from any new features and bug fixes.
 uses: fortify/github-action@afb2d9e467caf7c6ad273799fc1b65ac492b0de2
 with:
@@ -103,7 +103,7 @@ jobs:
 SC_SAST_TOKEN: ${{secrets.SC_CLIENT_AUTH_TOKEN}} # ScanCentral SAST client_auth_token, required if SAST scan is enabled
 DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} # Debricked token, required if Debricked scan is enabled
 SC_SAST_SENSOR_VERSION: 24.4.0 # Sensor version to use for the scan, required if SAST scan is enabled
- ### Optional configuration
+ ### Optional configuration
 # SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli ssc session login' options
 # SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options
 # SSC_APPVERSION: MyApp:MyVersion # SSC application version name, default: /:
From 1c6c18c8ea84422a9275646598301aed90209eb7 Mon Sep 17 00:00:00 2001
From: Ruud Senden <8635138+rsenden@users.noreply.github.com>
Date: Fri, 8 Nov 2024 11:31:30 +0100
Subject: [PATCH 04/30] Remove trailing spaces
---
 code-scanning/fortify.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml
index e669499..906eb3b 100644
--- a/code-scanning/fortify.yml
+++ b/code-scanning/fortify.yml
@@ -93,7 +93,7 @@ jobs:
 # EXPORT_ACTION: # Customize export action
 # EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
 # TOOL_DEFINITIONS: # URL from where to retrieve Fortify tool definitions
-
+
 #############################################################
 ##### Fortify Hosted / Software Security Center & ScanCentral
 ##### Remove this section if you're integrating with Fortify on Demand (see above)
From 0486897d48082c68d5b9570650593a60088b2144 Mon Sep 17 00:00:00 2001
From: Ruud Senden <8635138+rsenden@users.noreply.github.com>
Date: Fri, 22 Nov 2024 14:24:04 +0100
Subject: [PATCH 05/30] Update action version, update comment
---
 code-scanning/fortify.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml
index 906eb3b..a72ed11 100644
--- a/code-scanning/fortify.yml
+++ b/code-scanning/fortify.yml
@@ -51,11 +51,11 @@ jobs:
 # configuration options and available sub-actions.
 - name: Run Fortify Scan
 # Specify Fortify GitHub Action version to run. As per GitHub starter workflow requirements, this example
- # uses the commit id corresponding to version 1.5.2. It is recommended to check whether any later releases
+ # uses the commit id corresponding to version 1.6.2. It is recommended to check whether any later releases
 # are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability
 # required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version
 # of this action, allowing your workflows to automatically benefit from any new features and bug fixes.
- uses: fortify/github-action@afb2d9e467caf7c6ad273799fc1b65ac492b0de2
+ uses: fortify/github-action@d7cb5974c159fad242153f52f7c6fa4dda065b23
 with:
 sast-scan: true # Run a SAST scan; if not specified or set to false, no SAST scan will be run
 debricked-sca-scan: true # For FoD, run an open-source scan as part of the SAST scan (ignored if SAST scan
@@ -76,7 +76,8 @@ jobs:
 # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: /:
 # DO_SETUP: true # Setup FoD application, release & static scan configuration
 # SETUP_ACTION: # Customize setup action
- # SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action
+ # Pass extra options to setup action:
+ # SETUP_EXTRA_OPTS: --copy-from "${{ github.repository }}:${{ github.event.repository.default_branch }}"
 # PACKAGE_EXTRA_OPTS: -oss -bt mvn # Extra 'scancentral package' options
 # FOD_SAST_SCAN_EXTRA_OPTS: # Extra 'fcli fod sast-scan start' options
 # DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
From 1cc15629495895cfae7a6cc84033cefdb35a9b73 Mon Sep 17 00:00:00 2001
From: Sadman Anik
Date: Wed, 18 Dec 2024 17:52:20 +0600
Subject: [PATCH 06/30] Added Black-Duck-Security-Scan logo
---
 icons/black-duck-icon.png | Bin 0 -> 25487 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 icons/black-duck-icon.png
diff --git a/icons/black-duck-icon.png b/icons/black-duck-icon.png new file mode 100644 index 0000000000000000000000000000000000000000..b73482ce501f47c9e2daa7acf2f41aadd99b0e36 GIT binary patch literal 25487 zcmZ^~19)Z4(lEMX+upHl+cqb5GI1uhjfw4KV%ye)lT2(U6Pq{lp7Vd_-0%K(?Pu-o zRbAE9sOnW+)hj|tK@tHL7Zv~jAV^DzseGoRe{X2W&;Kf|>YUF6+(KAh7yzh?gL^fC z_8fPXLm@caq#KLP+;nE-$jLjZs$4FJG$$ZA*S`z#1H(~>rqmj}>% z=Ai))AgBPa&m73-4*-G-_*>g&4j==9_dj_R5UPLUfC2zvRsisS*e=n)e`!CJE zQm{Ob|J0ZV`ajsCd0_v^|0T0DQcC$uU>u~hodEziw7)k9AR`MK0014gQqywLl9%H# zvH!|oWNL40#^CGi9`Sv2n6yunVR#ch)MjL{PT&Q#L~sZfrpXN&CQL$jg`UP$%2uY zo12@FiG`7ch5i$R-r2*>#mJrB&YARImHeN2#LS#coU9yNtnBT8f9o|ews&>mCn5RE z=zp$%wbRAQ{6C!Rod4ae&ki#FEn#G4U}F5gk(s$${r`~tE%_JOKmGa_JHEe_@o1}< zIosR1{%w{3Ckx*{9R6Rx|FrL41pmQTx3h8)_&+573;e&SwEk26A2$CD{NDtMPF7~0 z1Nl$8nE&0Z|Aze+{@>p5C|S9i*=mVdeKoUl{@WK8CMG_{|7*$rrWCcewRci=FfuU{ z_+<1C$$x?VH}*e#wEutk{8!1pDft-x&h~%J{=Y=)ALyrS3Bd9({*Rmrz*c%~ZvX&7 z0BJE{HFuCdT`+kD;;w?e7Y~1Q_3z_@#gS1!Fvw|kPz$J}lxb45s+!9}emytnd~I_5 zF}tEs5$<|SG-F*Ap19SWAC9ahCb#sv)*dGQ?a%4MyI?M>vw7R*%UkzDz0mb__QSc` zR2KK)-}BvNx_bz6`Y?jRZwgt zF;U;yc$ws7qP|ylGRe+8Nhki4PHf~ItGDZ2w@PfbkY0r3mev6_w5mlDW$&igjjMbZ2snz-3RApMkw4}t!k2Ihu z1sQhvl)}ZvxHKJvAkYxHUq36yU}ChRE(cvT5%2I*(&R<>P!vukm&V}L2B3ars{2E zclS5r*kU$ZPIO}>qxRMzuqwZnw=n1v5vy?`TMpofgBD&YuF}?Y*4KHQb{@u<9n;P` zJtddrO-oiVb+omK=e!pd4vazPY&n=zjy{G7DD%#yg2p!G_KS~HZm5hLhfS$@7zXzb zf&)>QYvR;M3#R=ta^mOxlh8xN;=Vr52*O@RTo0 z$Hd5oHMM*jMf0$9XTl-EGpXnuA7}>Q$MdMf<8MDP1^lR{;krfnO3k-;g_{IUFa*W#pq&^`EnIjq67^WLPwo0ML!8`* zNiVDXTV?kF%CCnNSzy1WoyCgF5#gDaR#hV>7{ka=;glBe&V4dV{pTwI6k8JRa*Lvb zM5uP#(t`2C3{b#VFS!bQ(ixvEp}|FXA0Zf9hL}2jWDuVR{Ukm>E$k+kTU0!~fyIsw zcdGIS&ag<(wwAer_GPWa9Vn;Mz0{n#ayDILWGer;owj2b#@x5Pz=DgUP`+i;?+ro#yFu!V!& z`|I**PD^%UiFkT*7BY&E%rn4XZ;CtGgyj#BeIBg}T)xx7Z0Z-QyJlE^P16o#|nX zLx10-aoY8U5CaL%s>Rb`NXE_NS>aiF!xeg@#V&n4tk}HrW=8+k70Y|r%1p2|(zf{^ zGT$%cuKJ6KN#09HG{YNO{ZBS4PdlF1OPxqzR!lz?t}@KdB1!ub#TKoh11o)Y@g)jK z4;U>-9dww+IRGV1Jm3z1F(UzvX+W=IMJ_;6pC0}Q76>3KhU4)Ed$Gm0f5@EqQk)M@ 
z5@&E^Y4w`)t?N;M+`F`BXyf;*&x#NWUAolNU?=^e`|Fv7TTA0Zj5o4#9Z}ls^7`!R zNU3W_Y&E`L8%`QUjKUZ3}(og03^Rp}=_vHLUpsa<6v1fQT zc^ogaq6#wJAPmkferTb*H@P!*Y*imPM+){s+$w0K1rsCy>!KKPHUUS{U2%#ptqfln z*(DEb^a4!4K0ptw-q1wrd@k5c%2K(xW+bu!sq@@E_Jg=k9?lPc*yqZ*Tx487eCZIL z%(mUn>-ei=TxtX3H&+*WJX}JVVF}6FbJDMaMcwHMP7jM9!VvK1p)rW%_F9a=Gty)4J}+3$jU%?t zTh&BVm4$2R0Sz8u(|KjHdrKg(L0r3=Z=cIN*YPDfK&qk+G3b(9RszPL>-pYqh^7mv zrKy?H2dvARr;aWw88!7qNJR!hF=B7L z$4OG3NY9X0K8lADy8wd1!K5>A?n_B77=%)!Evc(XdVz2tCg8NP$?(KxR;klg?(sCv zI@^DNS2ZSJ1k|h^^tUh87IVKNZ|MfNx$0h7=e`*w=vs9wY=bA;2dwdcjn)iU;d^g^ z!lES;YSWM*7U{z!{CHAVcc|bU=RsVy#%sJKm|m)_`MUThS0OV0rP;-U<^v--qdvHmxX$x0jL)1Z!3}Zn7cq7< z?8w#GIvINE#uIf1ye)iiHf=rY>+Gj({QRpEmcmQFht87PNJBW6H!5{Ff3Hu=2#N7F zZg7V|7x84F;%pvL1F0aJunlj)L7(!l5VIt`sDwfdh45!sin*}IEPzz`5wv+&YQadL zfFNYE%YED3=-Biu%=a%m`kps7n+t@g#We-HKb+BWmJV71(3fl+a@J zkgOp5;BsKrjm4+Me`4Bp0f2du$v05t3Pprt(H*Woy6>hlBj7R z10Fi|=z|d8nD9)>jgVvlB-iymZJ^8CI#@13LKFDnk6O*4fvDEaY%<;`C}R=aMHrL+D~}#s z%M6ti>J0A;2(z%!vN39SR2u0M$`4X!Kw*eLn4>!wc0o7=Y?|4<-k;h+`xjR$ZlCqz z3;uUU)`=!Pf%#jf93IOWCgdq=y}PRlT&|7Q>zz!6zR8h?D<27)kF8#4mZh^_CK&kZ zYg)(e&Agppk@n?Lh@Ubcs|_&toCRa1GKU-?Akl4qz>Osm#3(X+IGB#q&C^YR{IEP1 zRX&MRu!aj62lQu?-QNK?#b{gnb@Dlm+AM*oQD;tHML`r^<{z>gV!ldqng8g^PHnd6 zS8NM#xchp|tj&=4ulOS%7_7m-!21TP z-D1+)P4VKJb&Np;d)hdTB^%%e8O*1sQaFm*Y|7cAGhl#n2p@{KG9e#M47M7GWn>LM zxn2SEqQS6F!5rT~6%;{FsF0Cyl#Ia=mAaLH43QczC@eC?uwXOXgc!xgGhs!J-ib3a z8;e8hS^`(4pEG4LSi|G2K5)G-^b*JHtJqOGDb$}{UeWD5;dWIujKk~MJcdhig!WXg z6O&|9hcX4VgJ-0ESP+zX>`>>)?p$~5ZO{!>?FR98W*05T+jx$$}&f(BgA=VqTjcYc2Tyi(JPdp|sX zJSJg>Pib6=E8A<%W3aZHciBo_a3D@jx|9CGjc3q;ktz~Z&2<S(6K6C3`-#Hx*KX zmvC|(E91Hl4aM5c2jB#PI10g83Ha$Z3Z+cCgD3)M!tzMGk!ub8m79Tz;9!w}+d;_4 z8$4vppcLvvP?TltjZ`+H%lBQ**Eg6N6Wd3jn6d|lEoshp+M3DBY$2ZesE>{xg>7}W zt5dPnCSK2OX?^YqsGr8V({5nAva)~Lk@<5bHj{EBg2Ymwe;!F^mn^15r#}!7WUA*G zx{CJns@-;?jk@dM`LiW)Hg(CLOlESY(9$e6K7fL>6BSQz%3eqdUZ+GUloEXuT(X^~ zJ@blxIwRBV^%?^|iVs8Lx(GKMcVtEV;oC#>ok0`m3z9V>0{O@Yf z#qM;pbur4&L^#mE$V&k@0ecW(fCLF?C(__kl$i|`l@UW+s7R4Vf{+9V%mEXKi4hG3 
z3BEcR6|5LvTN;%Dn24${)iTlXS=#KH;LJ_fEJ0kS_tW@3sbX^ipA}@mup@VLp;6^U zdu;O*=`&=sqZ-YqHJpCJ1|LfqOGxmRn>!R&J_v=TvRw452J$iuXlLBDl0ST(|I++( zr&SZ2w=8B7Q|gG`Oq947G5|Z+8x(~lRR$faR_u`qnLIHnVux+Z5`SwRhM0~fFu{fW z0pYfi;KJjU{FA>JuSYP>YIdzw*B=e`==(1f!vSm=#fjmGk0y-ngRFa5F~-3!&Rmk@ z{+EfHFctvidzBevTK&3`dM*v(dO@ILy*jqfG;Sb>0MO7$LxD=iPhX9o{jEaGtHe-Et~(s0e?vl2 zR~UDOM;e3y@Wq8nZikd4GjIrp@pFfx(w+xKQn}_r%Y0AQbp?6=P=gc}e*}IiSD~%& zK{za%wv_FXmULGXsDeJ?>7_=X306C-G1i|)c~0KLh?`=Rkb%mo7;|U(!SuG8Q4!K(ObU*)>7KNb zqmdAqE)Jw({-SoLY%aJ)_1tHxMo+=2ZN);SzWcAF#Ce10k3kGk#Y~_rb72uMlk`Hr zJ_<&m@$Gg--Bh5`8zHMHaj_eYH6kNc`6~{KhJR-ZFnWitiJ5|6zKR3k)k%y!H%s-s zciW`Ihz?>zeXu0hFzKJ=EAbYc3eOD>cmbf3X`+oNG)3b- z)p!y`JPu$RwE(bD19*8m!w^mbu<|@^sgc51^hL4yH|7PRS2C!FgOnzF*ogTsb1|q5 z?z6&4LO|Ke@(F(^d2?a! z82-K*#hloIS11X|m{(BXAW|})W<_w5;ul)h+keZN)Bji2%1`FQkqcn&p|`<4Ei!4~ zYm;Nnpr|;Ec-;b6fpbo8V0}^@x%I%7;YH@h85rZseU1)9=PH7jVBzaRi=Dua;<_g% z{FT6+9WbA>WZ5C`78bYfG2bdS#3~w3+F6-DjeVT9YdCMAeNs?QC?0=P0p!E!C}=4P zhQfM}I%V7>3~}{*H#S5ik&BV1pD2)h0Jce#esKJ85CH-x;weclsT~`L!d5CnEoUn5 zi6sl1mv5J~DOcnZAKPZ9E+L^46Lx@a6#+-GS+w1*Z^ZjobAPxL@(7}w+6KgfSfllX zo8aFiApcrip=-qOz#ha>)GDO^Uaa;_SuMx(o{|O|;6jDdo6$Q<5AsQ63^{yn9S3ic z*j?-G;XoA{!IJtP9etg}gqZ;JCR8JXJh)K7Y?u;Rarg0qi?9bfBGh{^6Gro}{AWWU zq3( z8^A-h-~2U+6~VaT?*Cayx$;8Tas?T6fU@SD{*(Y|3kp(rRHTj~5K5brT1Fb9s{0i3 z1Ndesb{2=NQvOHPX!!c4y}bjB{HPnea5_i?8)Pi1{v*mrI91S3BRZ9I5@HM|zZ|Ok zRPTG7`}g7Px^3l7OM4`$)U^GqTsr2ZA15CT!g}Os&f1<~6;5XB` zI|pV)`th0`2W5K%iifa}63Rx((oQrMGB}X>%M1ug^D{#I?J!&#m=amO|0`P1R(=Lo zeoC^Zw>KRgF3uJTsJ7rYzcYfP{Wh}YUM0VQnb9rmI1@wHkueP`FI`H+dMkpF7)B6< z%X6x}!ynYsr@hiG*ZlA99&%ICY>ijXYkZ+(sr-Yo2fIKb)VS=8^P9gW0g z;7y$zrCr^1cN5M#X?b`}Qc)4LkJHL0-tjbEg=*|LfjhqQg;<#4ii09ld5q%~_NIqk zn-bySjn#^9dwJi4?ro0{$q~Bm<(R&`wUD>0y9J%-y#f0~lu!lUmnZ56khod6-M5XF zcOaljoh_ym>zMK4A{30g*@R3JJ@T|jc}DAKsHJ-UiV-*&EXiLnFR+1dcFae=)>!Be zi*$KnHg@U{%tKsR)mg!V429Hx820mAj%!lzq~?W^zo$@7oNxX3@XC9)?uDOM!7w5EgK-oiq;UCvZ?xQ}iO}9kOuHIj&pi zgW0-S+xf+jdM~1G+P33ZK?*^A=ZF(cpJwE-==*dSgb0h=D5)B%F(_K@D?Y{Sk^DP& 
zL&c*dvoIoem;1y+M%h@;XXo!hn1mTyFp+F?=p!T2Zj-Kk1$>$QqTE1C2I9ddOC&43 zQIsJG5S5{DJ!Mg5NW@XfIloc(W)>G+Ts*wfKAJ0wtgARi4`a7z$!|ZRLdFBUtnPJ& zy1HAdn!x7mz?$#EWlqLX4Z+quDuo1&9?LBLY6!XxmMTn|d)PyP=@`b(L_t&Fw`+4k2;i9oX?Wo{y?&wf~1@#S}7e|{Jm(X_+1RQ^Y zjWcm|6H7u5g2R4aN?BwDQ zfOX*Dx?}GwW{n$XCHn0ekJGoHqv56SnuTc$mO~qQPqLjAFh>itOl*TQW<&A9B3lJXHQ%WaT0da(%DP&#g$n=Er+PE1; z>OOO_hD*&h>uPz+kDH%@Po)_>1M*-`{(L+6GT7X$aB5%#fe6W(dv}3ebyN;$ELux zRz64duERZCW^SXlyont1A0z@{@jwM-u>rU*TL@q!zJl$y=U<*o-AdcFnr+MoV|JH+ zJ8<#eCl9_L+Ct%)Ekpc$RbXLmTK0bKb2_y_I9eG&Fb$EfVZcWtDfq%kgWwaxbVoG=ym6xtZ zE26*6yE45N@ocPWE3{%deWBS&b#hBmI#=7uwia$&e%}9G^FhU-`v_j@l3;o6<@B90 zl@$tn8EmSM9~~&l1VpqXu0BDiH~rp5ErJ^Xk&3Z4_bZXF+sx$YCDo7i>Aj{$JiC}J z`X?{ph`WDjhoce!GgOFoy|77M)luNjvyAV2&38uTz?ZF6f#j~sWk%UqcDc4H)DaGG z?N}LQex)ymI&1zdBAmimi4_+G_(~`y$Q<2)a$~a#C$^chzXX?Vra0ekCZ;!+Th3HD zkiS-Q*@OgcMvV6zMDx_v%cbnM=$r>2l@);6JmFV>Vef*W;fc!;)mo!M?u!p!&srxj zO$mu7YV494xTj(d_j5y0u6lA%iWc(qI9<50@*a#=YFunJ??3n~J75u~!3}-X+FOwQ&<)wkL)I&51;;ux++mzg?omGKh4e;SAxW44{dn_7x zdJ^Xua$c{9UfW@d5;^+j9l%&`h{wg9a!PDTYD{x*yu*6JG9^Qwx`qmgT&xL@*>`h? 
z=sbhny(F6qc#YTs)R;L?LFhq-`v++fjtF(u;WQ|aE*JMa_CyZ{XcxKIJ%Ef2(h*C@rS4W+Pzi?nnfQ(X;mk{>L+nCgmIS% zzTAB%`Tmrh-cmVDGUE(YD+~^(hb=cL+E9u#aR!(a`V+U51*TDLfIsTSN8z*5JZi~0 z>yoD2RQk+^rFQ$9iE}%v=^GPfxO{Io?{{U{y_=}1@gn-R7wQPV>lnG<<|2ofY6baK z2w8vuc=Ls6tfUmnmp1HnN*guV{+Eb|(vevN`6yMGroTW|jB2IubyX8{EEG`}qt}R} zqM{Z4jRgbhuHjHRgPlVWea{yk%$VIkXNr%2g`#sl z&66D(gZl*=bIRgHuUddT=HmNh5+(f1u@g63Afk(q93zId>7Fm>b0nUM814+#K4qka zZ&Z?a{csk)Bzv;a_xS=-p|rXs$9o81DUoa@>!Ae z#KZAiI2wANi1P3nA!s9z#i;V|XzPIdioC0{V7>KzN>Xf5j_8;;zF$l{4>%K=g#0Aa z;NDlb&T63)3xRZc?iuUG#rr{D{;-C-JVG@bc+5{J^^ifYpWbFNX3={mQzI{h8l)iNpMsWEs$f5^;nNeoHlr^yIu6EX1p1q>d@g>Iaa+pJr6Q!ankEuCv>)_ z9mMvap^LA6kWj)U3U@8SM1BfSef?$3QZK_4t86R8S!3^hwocaL5Q3wr>lmW{6H`n# zZh}Fp1DWx1)-!2kV$M75V!{OCIq?zxaPF2&<;xdaf6XjWZhvNBfFZI-t)4Fmnh19@)ZkF`(j58l6!w;%d4^}sbVw-mb2qeml{lKqi?VRmD|*guC} zy*Wqz^h5_f{;SOTfh=5e=CSQX)HGlzzO>a2g9)MxKxaY@g0LS^a&>k*p~-NXS%&fB z)7@{bi{v7=8B+tkIx_2-CnaH$NaJ?~5tm*=B_w8?gQ7r>i)AUK6j@qxeSBk3<4;LO zobVB~oE)M!V$Mfy-*G5`8%Bqh@0g}vNLF6-5+lgRk>=9$)6`?${_R$T;pa$NQQxF3 zcQW$KL^)(%zn5_#fd`PZU9d3`s@ODzZ$X{Z z0;U-K={4Nqx44u*{?X>YnS6nj!aK zSrw;+qDB7vDVkfNHM|8Yh!_d?p8C%r+gEBc1WpEilYl#&JvUIBiro@`)%nd|7gjKS zKD$wWY4oI>)|R0v@qs{&<@s0inB4B?N`pt?FEc{(E=gIil_VCbW6*fa%7OE0X9#6L zj_9Y?oo^PYZwFplmRwm=10AvLj@bNlUedd1>utcN>vF}C2Yx50l%l1p@P)1;)Y>(c zfdfC%w@m*w(G;;=xO4>hcYXC=aPsnI#Fd62OOepP$>>GwDQiI&(TvW79e4lA$e%Cj z2x8L}kbRpDMtHC^xic~$h{fRP;pH~|noeOVKm)d|?7*am?zwpjg*5|#*sEb~?vyZZ zmf|S0Q#XDG-EXss(~5`FdRewB-NM5J<1KPIvr<;5Y9pQ4AF7b*+tY zFt|wWP#ZT0f||>K$d@`y-I};WFziy|vtjdjFv|wwI=DgVMbnUO5g-~<76#ude>{6w zkg_$(#}zs7^eLmRoI;~A4PT=|H!s( zHq9}U73;mFj9vH3^BGc$en`NRu=Iz6qP`kG9j;Uz{ywv}qMy=rP(_dS^Uu3fi!!;_ zjioh-{8?O~O&(BBYKFrK3jkLz*%wc`R=3p6Mn(r zy05xjo>@38{2;z|t@mq~LHB_}d=?86RgflkqP98-`OL4c#8e7Oj|u&7`b-?d?$+q2 z@)Ygia;kNazqv$@eNDt^6OyfiBKH&Rd_^}nXEMKB-_%4z6L7WYM{i13g6V_((#znB zy@J+FWYoXDx;?n_qcfQ$B4j(uSn?8uRA+gkVd&PBDT>AoCCWpuMApU59~BBNpaEaH zt#34PXw8+*sXN)M$rZ8Annf^KwP z5X?toTmy}5EccWm$*bGZ9vUX`5zPk2d6Y;qt!xD3;ToCT$VG}ntf%VpLYme}&j-2z 
zzL?$9bqjn)SCAJ81nG!i?@>@dQSL?aPfbevG}{2s_6fX%-olf^EI?^}s7@WreuwEzBAPlA{{Z)yq0*IPmXewwy0D@aE6NugXyuWrD6z4|j7w7q!xi(frDK2O;tb%ijQV?JL zwON*+!DFcI$L6_gq%}P|aoPTqWxeJd<^7!kJmqkjyzpZ==pN?cQ2doybr3pHJw^l; zSysE3@drLiz1Ii>BKn{^*4+jq(oZMaFEW-KvxzoBC_6o|?JyXr61}N#CNB9kWBiQ- zPzOI6N|I)}-Uzyg2^8xYGU|d5*{gohXyMVCty&jw(p$XqM=;W>yR4}rZpfWeJ5U4% zk-{#I&@+P9?GFLUFK#33SrDLDnjfJ&KabVzf>EjsV@2%Ks|+$wiV+Ji)QN>WD(#PV zJhgjm@0GFtSRVJYWQwIY*=M?HnWCLDN5aw>=r}$=(XDpDt*+rmel_MIX`q*ir}Y;e zJ!BA>BLl^P;M0enhWN+riQxJ9?K=7!RXp1q8((wnxr?&hV~kKP zA}l>!54ZTfVoa;@D(P6zS7@eFZ-(sdqxCvaanSiYI@qPnIb0bq?rUr&#*cpBa9ocS zH!f;wQ?LM4kbMET)zC(u6#O$1jxva+!{;YRUpqgK#XRp18Lo3VaT-VVp;RuP5FJY& zOlhTMeRTOTetB)UVLg+NchpsD{MG7C3VXgz7JrV(BP6!)Ue`FTLcV`;#Aby}h_{24 zJfeRa!9G1aX+F&F!>()rTy3sG!`{^DO35s$Ga(U^(xz!}Dy!ixxR?|X%Ec*e>c$OG zGuM1G$&sRaA_+!<-V5Rg=@rFC%IyQ4IGcL0OMyOzQg`d92C*w`Z?iC|H#`s?i}Q1H zJVrC{uy^_>Je`ndLOtV%^KJXqW~<|wt2Y;!cVS=G@jJE})^NE=|Db44E<-IkCJ_`S zCC7zgf3{ALc)3}7HR}tsf3;M3gJzjJWn47;O?JGt4l3;8Aem%$RjshlZniYJ*1Xb2`Z?tw&4CdnyA*(R%si+g>-Y~0~r!u zH(}62!(7GU8$2&Xj2Zos?P?Rnxd6({gy^|GPdg1xZKXyo_X=w z8J_yC8th7|Wntz|R50x>&!$Jg=Q&r&pp!J>%C10G4Rq-$WAvwJARPpXHyM!T`!Ex; zl7hgyAlyOHH%gW>%HoQHqPi>RIqQ7#bGK@9pe)z@6z;zlBsYdjEao+y z#H9?_zV>x;vLJ7KgZA^BQncYJ2dmSF<*68V62vM83FoVmRQ>)>kwA)4)DicK#zfrc z15jd!Z74&z;c%eF5luKk)GLX?{EY;$h#35CtM-jaCK0(uBwD6JgOj`;up03^8Zx?@ z`)jw4p(;y{m!s34uRSzf7dL(h`i|>y6QToe=C+`-M<>s#yvi!*Q4^jN$ies>s58^t zF;14^VvU#)-CQS-nvcy*(VRU=e6rt*jq$FX2Z!|sG^X^&gfSUzMSsx=eW6+-`$O|X z3K}{}cmjPCJ(@Vh;8m%l$g1qEW=J;UNsb!Hhl_!9+m|Cw;3_Y8WaLW)_4f1h`2yhX zZ7^2y`&3H$SoGrZF@)fw+VOV-FTZc6KEG4BFZbIiZ>9z}^1QESyB1b!IN2rnKzL;G zZLqjlu2z;ckvgr4y%ql9Pe>)`y>f za8RpbJW>puUjeKJ!kv*z>d}WUg0VV|iQ=7O88xqBLstiNsDhPXC?OUch``JP|tvc$J4*U%s`H`Ky}2qR3c{M98t{4>Cfjb~N= z!tZp03aP2r8fY+GQoK+R!`#@+Mi?ZpyECi26EHDWv7(}cYxSoXIJ-j<48sHxP{3t& z>0MHsXGva!q)8jjCGdlba+-DJ!sk)JXq&Rw^E8R^a-P17m7kz~iwKb)m=Geup*1tj;L!=Ul?v^9OledjTx7-hY3tmrH zAon~^E)*v!TM}~Bcwb-U~9b6jOl{A=pR3NeHO+ge50zo;aMaWi)c7V 
zlKFP&ImiJ{u3TFJ&ug~cmUCXn7P1DOgF^LVxsQj^T-vTvR*NFd*DJ~WKR%g8RP=KN zqmP;hL*|U_Lm6h`)>_`;GG-3U>@oeyIDjndu%t&{ux3NOU8gK1S>)Yo6G;hfkD*wj zEGg{Cp*<=2%FojUE9eWNouAO=F}EiveSbf{Vc`4DYLKX-&FlKYZL43PB1*z;7-5!bD@@_92?B__fc zKW;0&joM;F?@Co(l{z{&7GOhp+@U_GXAsnC8axL|Q%`x@?B!gDb!d&SL z`p0<+Q3Jqr0bg%Df)!r2UdNG??h&Oc*|DrCu*8GV#oNrDN8@9kkGqoFxrv^f^^c=< zmcT<{!PlITXjM}-WQ;rw{%~k^WKGgOTyz_YVV?$;%HA~IH6>3TQZwgJ)QueHRN+5~ zWpqD^AV7ZjHKVp4A=f$%(*h^+3k>gs#AQ(^sB8BzkOT{NNwoxfSr-2kiD-Jk6hymz z8CFukDKz99xqaz*GSFY1$bF$)o{05P|8`VBs*+_M$|}dgjg|=JiMyDjr&iNQFiuR3 zJn`V31C0pahs{475@K5T*632nHWWS$zQ@^5>$pX_@!egD%KBe1Vp?T^S>TlaYjP=w zc|9)kgAf)nj@X+UiMY@21G5+c4nMYsF`LnM8GnBKuJiO7<_IsH!}nb_f`1KEMelK zPM@A0RY<2TPer?47R~Z3E1{;WY6BYqyBT*0Ppz9Ja47n>`55fxc;RX8#@kWV@%m<0 za;xnV?bKK-|IVZB)tab^_g%*IdI(W&yogpIQ4meIQaKkaJx0&1RGg`c)xzh;Bg_nf z;F7*d9PJk+?b5|0CX=>epd;>W!9bu|ynr5hG$=-$e#t%t$adUyl-~FGQ7+rg`rRnb zZ*^?gGUWqaRgkZLc62}egm~Nn368KFsM4Bm&;4^@Q+{60f`S5!UJkqbTIkDXw3QZ3 zcT>L-`e}r8x^m%9KkNd}6PSD2b4lRwDqE(<3InP$KKiW;TWxY zKz7rPS!~dHYasJ`(-k3(y*G$MlelrT+L)?f35$hJJ}IP1o1>#G>*t8h`SLv6#c;TJ=%!bs}F+71vNRUlx4N{267sA&&ie#TqK33Q_;Ft z1930g{-6cPw$JCQjDXu%*c`!|t_kVbLYU5wy2>ImPQb2B&B5?NXi=RDz&!2y(43eN zbxlR@(@GiYk!~p!3??Le-FKYJ@@T%APp&p7%ne^F#8Wx%vVA^9OO>gJQA0%VM*vzY>KvTF$!XIY!#M%! 
z&JCgmD3F;@3x%KALG9#}msIxLW8}WlW5ZyPn<}BSljx(QV1A+FCWBg?!|zlY*2zM+ z3Otz+r~ygO5u=`b1XGvTX#LHQvWWV;aDrV3%w&W!qTUC?b)@PAy&1&h7?7elrCSUx zha&4P7iQwvF{=eNnj3xNp@E_j{tQw??z5brPbYyL5|L0b)KzyJ7lJGj!7tY7Xmw-% z#GK+~8Zd=FY0ijctXPcjPQF18#!m(d(4Gm8UC^r&U?ZpD1G*0CYoXItg~Uw=GgH?q z1&lI3<|!SF!m*H+!Lo!av(u+J14BeSOq#vLe+jI=Ar+L|2P@nn$`#FymHxD2>0!1q z{`_19zmoNa$ZIvV;XHPk9RKc2A74VHP$(^z24$3I1kY0RfK9}><;jv|JEozB~w*X_VtTc)e&0*0zNWI|C$HJNpCsxjl zGBqW-L3Az|azyaG4m)&o0%-U^ZrcSuhhnw|`~EA(;|hbv=QE2QgOCR3RZ)nM&KGS< z$P#I781An;d=!*2e}3Y|ulingT9``m|5@6b8JdtBW{{``)K`Wql5VOGQj zBj4N zc&i;oAPbfd;CV6AoaQG8=h*Hgaaw7L2M@-;>(ZC7i~=Rdo4(AhtKqrJpWdl%=Ck{K zosTajamHARbpRo^j@C2u4^N#o4CeZH)KVjeqND8v&uI4TgjRY0fBkTsEto4@|5CkS z09q=GBO3Ux9+vwwo20^4UL9V%+Dt^qVT4_Gw*`L_PL{Ltbk`==(yvw7%hC7eMGakW zaF`u4L)MCTxOl}KtdaJd4!AXY4XxD+mE6kf5md};@r%szJdfXs=c`BDD7dr>kr57^ zF^f&nD|%4XQ49j&qp=Lt<Ukdv!1lA8i1Xv>K1X|mviG@NFMXyXDL?Z~MS60pHW8eYMsIyq|- z-NQyjby1=~HrC+hhx%>Ncj6Jg)iJe!@<_D4425N5lfF7)ha?0tU>})a9dN}aC?OO0 zGZV8)la9`D2%zXZF5>tl-lefXL(EBi*@jgralnypyT9uU(qBe*Kv8fMx=`p%WkVl^Kz;EkxbxoR96}2ZZm0yVWusSV+fPDmYqeY zzI&2sO?!hrd(K^?ICN&M~3oiPmk%hu2nHbl+@+_JuPdK8G zS@orK5Lw0}_*R$-1O_sCQGM!F5tY6c@(u_!bf)q}Y{&D^YIY^cZx4Ad-ft z%%F#K2^@FQHuGg6e$yNmQ5Alk8JhLVRF?83i(&}lIP}IPJFb)L3^$7I!S3;Ejn&}h zq1X0Yvq8nrH1BpzE88EfKq_Y`QF!)9nHm;CaQ*}k(uIA4M*I8Xdug)@N;J_rHq$@ zk49Kp8^MNSj%5=*09*}LgU0f}5TQj*)MbYq)@X&rWRLb&u>w_t*1&}@flC8T0#R0G za<{d$R8Z8r#x?5a^P=+f>~9@gv%z5)GM1;4E9P*bC}=OR&la`{HU{gFP!l50BUShJ z4XMC6wr3ut$g7N}3zufL^0`H_juw`%iKcPW0fEiEW zMsEIRBPN%s+-p0fN5UX%Kt=>;Arop;(f<>nAYR|NG`u}l2sSxVw9R0JNR5voJkmiH z&>5{+U2{txKI=Te&gzuUHVgB)uOkOX`(($$wd>cU8@4=@H8yhj9g7X;lw*Rmej`#1 z6f)F^)F}7?SSY0sIVmPXWNKxhlu0EnHUZn<1n=WoNwu{o6swt&$bw90JpC%p8J?pl zV9KF#K`&V&97YkwP$lG1j*0-EqS)dxIp**s>GD^eo$=_fIb8=tG}9?yR}G|VZ~ra6 zk>OyS&&Y{O7^yD`{I5U5cwRN+)cVPpk0@`)~amOWm=S+E=U zM8SXMNVP(!$%3L?X+YNNOaK5MlSxEDRBI$!X%x(ilVEbDK`SR0^trEyh!Gmfi}wNo z2*l`K@>`Mg;Q2>nTY4W$+M2oog6RYHV2OWc%dF%Fzx_t~*p^2!ejp{wxeJP@I;8LP zD1kh2M469_cqgE&}iC{&>_GT)Os--=GnZCuOBNtX6!4;dN*Q^d7(u 
zK#iT)SEj0zhCq#ip$exm3L`71Cq$Tf0?qK_u_W0t&|iL{bl~XtCdhxh)X-qQ1Diym zl}5p|l`+UifKrft7|MRdUPZr3Rs$AqhMs<5M)=2T}&L*lK%Ot&t_!CPdUv_ zjJ_KZaP70;_JJpo_NE!hcdj@;-L!oJ#v<4qL=>wV2Q+I?i?TO+`Y8UUJb9A*H zk@p8mHywPomOTSoW&5LVUH+wX^Nz>xUL@a&*pjMZ5DdV{sX-a&S9OL+jiQirQgW&$ zP!XYZId2ppAs-r;y`rJqNxT>cg13Z3m4XU#nnUG+UYtfaj3NS~V4R{IT@}F6sbLtZ z0%k?g&$+@VK05dnS<;Z6_OdsU1IyygURpW!eKtsqk7w8lsdXmHklwKVTDBs-Jb_{Y z(8o^%DN|KCL$J3QMVMW5qOjvAPOeJIw-Ij*B)ye0S*Uak-nz83^aH18pcKqeREbb( zA6;EQkRCzHszzbbQ+X!jI27#=22gZFokOw};fBbwX3Q)7%iF#vv37IhxFY3b?`uJB z`NQwjzj4`l>9(FtWp*jd#vM-8lP^+EhsBJ>B$Tv}re4caY#}7HIVN`cn}R-dhnG05@{EPD(cjC(jY4*M|TbNm{t zNVp$fGLQD-fXF6{Da$P0qC`9~^moIA9Fxj) z2m>fOqMkg`v{ayH9`cS|E$$nIZ%0ZiPXAEGJ#6RA;9K_T;xMB%xK#>s=@nl~dj_`S zgeE(qRj9*!xs6FEX+BoMH6sf-Y9jR^R+Gp@PBC#qE^Dw#<%Zu=%o<#!StrescOTgB z^xA=;eok-6H=2@;ra|91MF!PbQ4yVE@PMV8l2H`M)a0CCMMSiPNMV_*qNODn8%th% z%(C<)N1t5gSrju`r_0j#OeQ4ebRK|hfi|Xh+rqp{bOV4sI(wQ-L@$!EnmJ|45W8%`yJTf?tZNF#Bc-y zbuv5WB{|3ej;K0dX_cj_7L|a0;6k*E3XuV=mmMK%wiYp^4M9E)giFP-L?ivPSH6uA z8ILCB4A69OJp*Pl?;ri<;OzyUwWLIJwvSP)OQIzxAX0F%4>I=iGB@e2dM;Vf$U(oPL#HmBw zaG2Xma`wbrs&30%AX6wH!)`r^T9kq$;T>s73_3s-T$yVrutlClXhd z>Uk>5X8=id4M{FI=K>7K)65RgEmxNQ3bo`-sC{N!qQa^w0ZMdn00`q<0zY_{Gu}|S z%;&t3Ak=T&`;^>R?ts+TXpxU1zyl;(JnkvM59sO4XO9BP57XuaW8t5`#-Nxf$qEHq z$9Ei69f@-5`Z?Fdk zy_Iloh}5!3LsDr#NuSDNrE9>e6WJUYF!4}qHaa?zjEoFrL&Jl~z)&Bqe(b8zm!W@G z>Ko|A;^EN-oEVf2jtn4AsNy&)f?XNefD8gY6QHWuf36I_XDtbzG4Eg3hxVXGq;d)xK)`yz@Gz*FSd zYPB}CW!S#6y!NiE8+rWjbTN>jvHoN(X0+~j`1;a4kKSH>_S0V=8(X`FO0i0c)HEsF zUSt%S-!kf1+Ro>Z0p^UY~KEO^2C-6$%f4jCl5Y$cd}v21HSgzmy+NM zTdfdgzKUE(!xuGlddo!q!SjyD4w!Rb#^csz&zPHZcg-&2%(}FzqnlH;2|k2MIZexT zM`}DY7}Nd3&Z~0AC=%l2Kgc%GHVUmsx^>4UiL_^`FfY@>^$qt*Ij&gyqvVJKk6~A< zdMmOMCElY(!Te~Am>_Re$jVsFT|%Az!-{`Dc_ZI{;PM87T9I9N!P=%|MS?y<_VcEO z#wEjP2``Tt8aUm_)UjQCHaOIu?daPshJa5ulZQ6mm)!oq4WS_fH7k+x@7i$aBE+y_ zLW+5!Qy#im{B;Ghbx?{YPcAe9>|nV{i?GTdlH2F=tFQi%o`n5pT*4dtI9=dnUv|iX z!;=H%E>7mnT$s&*5zXkFm2|Xprd-`xYQ%vp%pZ&fM<&U@903s}zxbhn-Sf!p$$gLA zQJUE{Pd-2j(%R=iu3(li-*{Jc 
z7IGFQG>{~jHS0b>pxO8d_Obmax;&+xzOCggJ2oYcZGI$q;L*F2TkpF*dGHB&ZxR_o zd-DuFrKQVdj>Q^EMzE%7WDNe8Y<(GIX7_^9vSB4MwiT6CsvZ>{ zx1_kjgr(j;>)_{SPhWgwvKU82&!4p@!A>VQ)36(78McYhI0o4A{TtV3Utax5DL0LB zI=Z1zIjb;TbHioXVT+!{ErO!^JlQhuQNu9LtqHR-Nir)ZYeG*bX)HI0fy~-wUVSh! zQ~+W0HnP%Ro%)_T?tSFWBYt|f6M@9gl!N8!`cAw2kG$zIK}?t4aIi-XP)>T?6ix%RI= zbMgyN|IvZ5Ut5AC?B8c6o_Jy-B54#q!Sy~l@Ud++o+Di4I)l)c)bcUx>_9ytP{(S(LWqv0-#95O$9rluSv2@lB~9x zSqX5<2L^hx@htg1iNo#{!;yg?%ol{|ZTGLe4*t!!o?~(BW=(rXeT|L}$u;c@Tcd!S z;e$)ByKPN&;Jiao7t!aKQjMGv@uZu8DN3zTLPQy1<2Y8j5w9GsUUBZpcdlHCl_e|9 zG1$sn)VWln`L-nzZ7D0?_T%{T!vaqGz%r`IHOq@<>z z)?`r9nnaU{R6#yXnZ1JbUqtqW8!oJ92#O5EE;C8K10MFp`0l}rM4;}bvj)tq=8h+D z>Gjy$0j|pZCt5F(O~Or*T*>I~lB+HVA4fG{_NsRqW^H8ran1$jaQq#)A_HNIK}&i7 z*H3ZLsnM8F{dd}HfE&$m5@Xex3$VGv;C?yfsPj0t2n*o-s||%7FBM-TIZFdr1WdJ zNs`r&5JXK$Sk}PreXxtgS1Cc4TLsbttY#qE)LaItTXAt*Qg1~>W&6tyKd3TG;V-)U z3-~N|OR&K}&Gas zm|QIbVZ0i|mjQD-qp`udH{CTbINFO=WI^)B z^;f2kY`RaTeC^wISN(RmE^9sBWkI|f)r4_s7b~^X(&yiI-ts|yR$Hs}prnZmgfwap zp98F|$ZjbHh1cD_p#gq60GIv|XN%yIP%dJWYPid}*Sfsh1XZh=nQ1)+dp67%>tc^6 zDS9!O&&Fg7L|YNATKv2fP_tReCsGgZ>l#RtzLD*6w#d)__?`6e?HjTD1pE0;Fczs= zYBh>#b-5~IQG^OBiVJZmmbJGb&*`U@pLYUU4~#v6W$htl2v5d9NUyEPX92UjRUeB` zEBlSZJP#Hy+TA6wm~|bdIB}ZHRGil1sc}_FVamcdbJc|X7Ve$-&<+_YOf>e;gePkt z+KTW~x=&hWH5!#w_oulAb_{Nj68_-o|4VoDZ^Nh56SN{zuE(_$ICWvlfyyfjF7dVO zN0;M;;AF-gnv=;I2^n655`|3@o$YB`@M zH}&|vUITW@H@W8K%Vo+}cA3-~ss1jNLWNANY87#Dh6-=Hv7}^-hVp)st))|`^OKsz z3X98Dghs+uzCX0^q^%M3b+?aefK$G++UF;0?_QH`*!-X!tg{Ect4^!<-PPpxh20Jk(FMrOd8J^OzGbR@RPV88HrtYT1CB&t% z_LhzY?Be-OY({-8r*;3~+&53zKz61DVd-?h{-1!k1xRy%16X&{R|DK$c0B2Bo5Lce z>mR-qTgK|T)>@@zt({Ue7wSoKDWOSXw5_EbUkmp9;;+v=`5UXwT-C7R!X-O36xdk< zVK#KY{tl}ahE4V?qV7#!4fGA|kiuPk)6bK^p@EG1DpxFppIQ|cd2v0TK!3%=+-J85 z`#ujfW~H+ykT7BN&Kd{>vlU^>aTBhO;-cFrD>bb3-+f5~+;neN`vP>c)}@bZz8`~i z^t$EEdU36tsBFqL5uL=>CLV8V>EK)bcfb8}CqK-t72kbKN^Swst{4c#(ID8qei9eY zRiMGtjRZ>AAKWpE!K5J^F)_P8VLN^IwRK$_?)=q9C`hykcp7PaQ=~`)i zcGW*nH6_9>Dc>Ty%85`sXV?{i+@8TCH4}?s7fcT~o8n2nXpLj~syO 
zg}6p=?JoHcRd;)%2KZgbI8NFc85zl*|BMr`L3kri2SZlb^PYm6nnC0Rk9M|o;{crg zkDYVwDgR63*x6aDyx`r@f~ZU#2)z@CwYciz5!K8z_PMulciY_LmIwZjZrJkBq&~@Y z>Y!2R<&aYbIPPf1Zv8)paeTt8wOXRDA*L)W&#*fUghkaB<8^>J56G^U8Vb~mtE*nSFaP5WI9G6Fba*^%Xn4(vm9HJ( z?uff%+!1DRcN++0bMBAbtKZ=IYg}|Rklkk0BC-Cn*JwbO!4HoOrVl@HpDcryamemB z3R7k~$ieyb3Em36{_OvJ)g3EWu4-O3#f6BIQJ{8-CPOsDi%(ygWy+1YQ_Yw9N( z?ZS*z|8UP|vGLm%R-#+AyJoD4lHHRA5_YNn5{dr;SKUa8?!q*{ajJJ#`#hE;-LUBa zIrF~goyaa0b)=)Mn=@A5Jm<5o`A5!JeQf24dvp?LPZ|hy!Lf&St4;xYEv~weKnc^) z@q}YK9+!<%lF<{|oxQAVq_b@XjpIj{&gBDF+(i3YDc#Qcd)h#lFIu=73CALQnOHXx zC}Fy}!4d9Kn6E}7+0laV0lY`ulVKn%fDYO@ z1~~!OEx77N0wqi*He4TSljA!sZ1 z&w%g6^%Y!fT{x-E)xdSP4{3le4C%0UZ^|7F@s*!!d_BQCkrA%S#j$8*?A-W<73ZG% z1HK{WOTaz-o?{}_YUP}WZcoOuOU14hjrFUzmg3?j*))#&(iA9RUvlG_>0&*;?NPic z93PiKdzF!;t^D#m2aMy9Qkp)O#$mn&TsHPp8wd5iHy8->K^0Q79EV(u>sh$M{kH1k z5-4P!aMl>G`yy5qmTT3o@iKPU;$R%#b6h^!)$**r{_M%Oa#il0Tw66&9X{1vtbBgi zVzA}dfNKe^3viu-i>}_~GJ4o2e(_GE`VmxFGK!-Unz&U^|Gc{q6I8zvgcMYyiPbuq3N;nMEd-kNu0aX)svYq&!g zPw*T=-m8*XvzU%z>)s~rwvIJbKW}Mndh1{P$4Of_-T)rm>z&`+ZBJ@@Z?0r&2<&p* zhl|ToK89;0F6LXiV>|t-7BcE?H*27jHezaWELkvXaf!!8V;oXWvUI$ywXJDjcwnq| zpy$0SK6i>7qPaVFAKA^taN_pHE|$xj1+>dWL-;tZ=i|B&S2Hf+7+-gLi3S>AAavaw zvw3#NC_bVpb+&ai4Gs@niFYK=q;Z(Vh8a$J+PMv-pUk4}%`Hf%2kmmvC~m;TZ#qAO z>l3)x!f*zR#-d{vfOYp&Xh8Pp9ZSY$cFoPY+Gk>kdT$@PRR6HzbFblqOS1CJRn1sW zHIl4;DsngVH1`z)VaeF#Vz-KUra}BWu1j$J7p_0SMW?OJzR)t798a&`al8%ZK)h*Q z_W{Z1*vLiYfr0nG^ZYZO;9K#dZaXR!Vhr2%rM%4`Hf4DdEKjk6UVWJ!gc@2)d0Ix+O49|ybsqFTxt-!X}ozFuKT-J7tS!O zjvs>mc3k3Cp187+3k_|s?mdMX2)l~hO_|-Veq3r0bwlyGP@U|GpEnFXls<@yTRhRF zC!Tm>cux$r{`-__Am8m;h}?V@SKd%Ke%Y1Eu|M-tcO2)b4tP%GCveFY@9^o^o#MTy zyS-EcY|_I%FAaq)%4S@8V|kN#)yFAbC#svgPaUxZ4j(KJBFs+{X5ms-Hw@LpKH}#M zg-^Nn;<^)8SPAksKaAU-VHyN=6YAiP2%m+E)9vc&hM}6+NBz8^u=(e#*H3VT19LVr4U!&o*g zYiJbI#f`Y$k83e5b$qyR@LeBcs79u#&zr2%!&=0b0r(=W`*4NELYQ3*j#=`RC{MR9 zgjoh1gXQyk2jV`Bi#yJQj{4%Y-?{z$Nx)WxhQbP?j$MbB;Cd~tlW`r5D|CG7@}i^u zC}VHcBlD?708q*r=9TeWy7O~fKgM+(E_I}%QP7~Yyc)OP_@T1)n?hG9s6HXt+u0wH!vpNVm$BLGJimT4)>qQ2| 
z6V}SEaFMUPYLKMKJ8qVH4=%P6*WltT6uVLEGOD8-8U^#IdDXc6-Vbleey@xI1yDb% zfV@~~^Q{Zx55aXLF19r6jvayPU|c*4K;J9_+@p>&O`CAtkBbJty^n9j#n$05TzRLh zCCgMdioAA$aNR%xWlRDL4Tcq~S~sK>ar1F4!gZka*)>~$Yc4LnlbK Date: Wed, 18 Dec 2024 18:07:23 +0600 Subject: [PATCH 07/30] Added black duck security scan action template --- code-scanning/black-duck-security-scan-ci.yml | 34 +++++++++++++++++++ ...lack-duck-security-scan-ci.properties.json | 21 ++++++++++++ 2 files changed, 55 insertions(+) create mode 100644 code-scanning/black-duck-security-scan-ci.yml create mode 100644 code-scanning/properties/black-duck-security-scan-ci.properties.json diff --git a/code-scanning/black-duck-security-scan-ci.yml b/code-scanning/black-duck-security-scan-ci.yml new file mode 100644 index 0000000..ab8efe5 --- /dev/null +++ b/code-scanning/black-duck-security-scan-ci.yml @@ -0,0 +1,34 @@ +name: CI-Black-Duck-Security-Scan +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout Source + uses: actions/checkout@v3 + - name: Black Duck SCA Scan + uses: blackduck-inc/black-duck-security-scan@v2.0.0 + with: + ### ---------- BLACKDUCK SCA SCANNING: REQUIRED FIELDS ---------- + blackducksca_url: ${{ vars.BLACKDUCKSCA_URL }} + blackducksca_token: ${{ secrets.BLACKDUCKSCA_TOKEN }} + + ### ---------- COVERITY SCANNING: REQUIRED FIELDS ---------- + coverity_url: ${{ vars.COVERITY_URL }} + coverity_user: ${{ secrets.COVERITY_USER }} + coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }} + + ### ---------- POLARIS SCANNING: REQUIRED FIELDS ---------- + polaris_server_url: ${{ vars.POLARIS_SERVER_URL }} + polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }} + polaris_assessment_types: "SCA,SAST" + + ### ---------- SRM SCANNING: REQUIRED FIELDS ---------- + srm_url: ${{ vars.SRM_URL }} + srm_apikey: ${{ secrets.SRM_API_KEY }} + srm_assessment_types: "SCA,SAST" \ No newline at end of file 
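Review bot: The `build` job in the new `black-duck-security-scan-ci.yml` declares no `permissions:` key, so the `GITHUB_TOKEN` available to the third-party `blackduck-inc/black-duck-security-scan` step has whatever default scope the repository or organization is configured with. A starter template should set the minimum explicitly, beginning with a job-level `permissions:` containing `contents: read` and adding only the scopes the enabled scan features need. The same step receives credentials for four services from `secrets.*`, which is a further reason to keep the token scope narrow. `actions/checkout@v3` is also one major version behind the `actions/checkout@v4` used by other templates in this patch series.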
diff --git a/code-scanning/properties/black-duck-security-scan-ci.properties.json b/code-scanning/properties/black-duck-security-scan-ci.properties.json new file mode 100644 index 0000000..8376dbb --- /dev/null +++ b/code-scanning/properties/black-duck-security-scan-ci.properties.json @@ -0,0 +1,21 @@ +{ + "name": "Black Duck Security Scan Workflow", + "description": "The Black Duck Security Scan GitHub Action allows you to configure your pipeline to run Black Duck Security Scan and take action on the security results", + "iconName": "black-duck-icon.png", + "categories": [ + "Code Scanning", + "C", + "C++", + "C#", + "Go", + "Java", + "JavaScript", + "Ruby", + "PHP", + "Swift", + "Kotlin", + "Python", + "VB.NET", + "Objective C" + ] +} \ No newline at end of file From 84747ed35587c6e7075987c2c7e62744d8b381d2 Mon Sep 17 00:00:00 2001 From: Sadman Anik Date: Mon, 23 Dec 2024 16:49:39 +0600 Subject: [PATCH 08/30] Used hash instead of tag name --- code-scanning/black-duck-security-scan-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/black-duck-security-scan-ci.yml b/code-scanning/black-duck-security-scan-ci.yml index ab8efe5..2200b6a 100644 --- a/code-scanning/black-duck-security-scan-ci.yml +++ b/code-scanning/black-duck-security-scan-ci.yml @@ -12,7 +12,7 @@ jobs: - name: Checkout Source uses: actions/checkout@v3 - name: Black Duck SCA Scan - uses: blackduck-inc/black-duck-security-scan@v2.0.0 + uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9 with: ### ---------- BLACKDUCK SCA SCANNING: REQUIRED FIELDS ---------- blackducksca_url: ${{ vars.BLACKDUCKSCA_URL }} From 1e05f3c86d6d916a8c3aa3c073f5a0891e844652 Mon Sep 17 00:00:00 2001 
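Review bot: The pinned reference on the `Black Duck SCA Scan` step gives no indication of which release the hash corresponds to, so a reader cannot tell from the file whether a later change to it is an upgrade, a downgrade or an unrelated commit. Add a trailing comment that names the release, for example `uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9 # <release tag for this commit>`. It is also worth confirming that the hash is a commit in the action's own repository rather than in a fork, since a full-length SHA resolves either way.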
From: Josh Gross Date: Tue, 21 Jan 2025 15:06:02 -0500 Subject: [PATCH 09/30] Update starter workflows to use the latest artifact actions (#2726) * Update starter workflows to use the latest artifact actions * Ensure incompatible artifact actions aren't synced to GHES --- ci/dotnet-desktop.yml | 2 +- code-scanning/msvc.yml | 2 +- code-scanning/xanitizer.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 4 ++-- deployments/azure-webapps-java-jar-gradle.yml | 4 ++-- deployments/azure-webapps-java-jar.yml | 4 ++-- deployments/azure-webapps-node.yml | 4 ++-- deployments/azure-webapps-php.yml | 4 ++-- deployments/azure-webapps-python.yml | 4 ++-- script/sync-ghes/index.ts | 21 +++++++++++++++++++ 10 files changed, 36 insertions(+), 15 deletions(-) diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index ad99b56..a7b9152 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -109,7 +109,7 @@ jobs: # Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact - name: Upload build artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: MSIX Package path: ${{ env.Wap_Project_Directory }}\AppPackages diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index b8469de..1d7b31f 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -60,7 +60,7 @@ jobs: # Upload SARIF file as an Artifact to download and view # - name: Upload SARIF as an Artifact - # uses: actions/upload-artifact@v3 + # uses: actions/upload-artifact@v4 # with: # name: sarif-file # path: ${{ steps.run-analysis.outputs.sarif }} diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 4e2b49b..834d71f 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -87,7 +87,7 @@ jobs: license: ${{ secrets.XANITIZER_LICENSE }} # Archiving the findings list reports - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: Xanitizer-Reports path: | 
diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 73b6380..72eab26 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -59,7 +59,7 @@ jobs: run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: .net-app path: ${{env.DOTNET_ROOT}}/myapp @@ -75,7 +75,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: .net-app diff --git a/deployments/azure-webapps-java-jar-gradle.yml b/deployments/azure-webapps-java-jar-gradle.yml index 51817b5..9957493 100644 --- a/deployments/azure-webapps-java-jar-gradle.yml +++ b/deployments/azure-webapps-java-jar-gradle.yml @@ -50,7 +50,7 @@ jobs: run: gradle build - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: java-app path: '${{ github.workspace }}/build/libs/*.jar' @@ -66,7 +66,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: java-app diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index c98baed..14580c6 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -50,7 +50,7 @@ jobs: run: mvn clean install - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: java-app path: '${{ github.workspace }}/target/*.jar' @@ -66,7 +66,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: java-app diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index dfa9dbb..408c99e 100644 
--- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -49,7 +49,7 @@ jobs: npm run test --if-present - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: node-app path: . @@ -65,7 +65,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: node-app diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 1182c2a..3391c83 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -70,7 +70,7 @@ jobs: run: composer validate --no-check-publish && composer install --prefer-dist --no-progress - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: php-app path: . @@ -86,7 +86,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: php-app diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 656f95c..e4868c4 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -55,7 +55,7 @@ jobs: # Optional: Add step to run tests here (PyTest, Django test suites, etc.) - name: Upload artifact for deployment jobs - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: python-app path: | @@ -73,7 +73,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: python-app path: . diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index fcdaaad..99c746b 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts 
@@ -196,6 +196,27 @@ async function checkWorkflow( }) ), ]); + + // The v4 versions of upload and download artifact are not yet supported on GHES + console.group("Updating all compatible workflows to use v3 of the artifact actions"); + for (const workflow of result.compatibleWorkflows) { + const path = join(workflow.folder, `${workflow.id}.yml`); + console.log(`Updating ${path}`); + const contents = await fs.readFile(path, "utf8"); + + if (contents.includes("actions/upload-artifact@v4") || contents.includes("actions/download-artifact@v4")) { + console.log("Found v4 artifact actions, updating to v3"); + } else { + continue; + } + + let updatedContents = contents.replace(/actions\/upload-artifact@v4/g, "actions/upload-artifact@v3"); + updatedContents = updatedContents.replace(/actions\/download-artifact@v4/g, "actions/download-artifact@v3"); + + await fs.writeFile(path, updatedContents); + } + console.groupEnd(); + } catch (e) { console.error("Unhandled error while syncing workflows", e); process.exitCode = 1; From 90859767037601d0655bb14ed4cbcf9a22c7d3cf Mon Sep 17 00:00:00 2001 From: SOOS-GSteen Date: Thu, 23 Jan 2025 19:15:51 -0500 Subject: [PATCH 10/30] SOOS Dast Feature Update (#2733) * Update soos-dast-scan.yml * Update soos-dast-scan.yml * Update soos-dast-scan.yml --- code-scanning/soos-dast-scan.yml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 0d42c92..4853c4e 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml 
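Review bot: The two `replace` calls match `actions/upload-artifact@v4` and `actions/download-artifact@v4` as bare prefixes, so a reference such as `@v4.1.0` would be rewritten to `@v3.1.0`, a tag that may not exist. A workflow that pins the action by commit SHA is not detected at all and would be synced to GHES unchanged. Anchoring the pattern avoids the first case, e.g. `contents.replace(/actions\/(upload|download)-artifact@v4(?![\w.])/g, "actions/$1-artifact@v3")`, and a warning for any other reference form would surface the second. The "Updating" message is also logged before the `includes` check, so the output lists files that are then skipped. The enclosing `try` block starts outside the hunk.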
@@ -36,15 +36,25 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Analysis - uses: soos-io/soos-dast-github-action@65d9878d77c8993f3db9e86a92bc2ad3a6e060af + uses: soos-io/soos-dast-github-action@a7eb40b94c1c81eb76b178ba1befdc21823f86fa with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} project_name: "" scan_mode: "baseline" target_url: "https://www.example.com/" - output_format: "sarif" + export_format: "Sarif" + export_file_type: "Json" + - name: Find and rename SARIF file since it is unique + run: | + file=$(find . -name "*.sarif.json" | head -n 1) + if [ -n "$file" ]; then + mv "$file" output.sarif.json + echo "Renamed $file to output.sarif.json" + else + echo "No SARIF file found" && exit 1 + fi - name: Upload SOOS DAST SARIF Report uses: github/codeql-action/upload-sarif@v3 with: - sarif_file: results.sarif + sarif_file: output.sarif.json From 2abfcee18db6e143e9da1f75f6d08283650266a7 Mon Sep 17 00:00:00 2001 From: Andrew Eisenberg Date: Wed, 29 Jan 2025 14:23:54 -0800 Subject: [PATCH 11/30] Update codeql.yml Explicitly suggest that users add their setup steps before calling init. --- code-scanning/codeql.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 7e46549..7cdb425 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -55,6 +55,12 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 + # Add any setup steps before running the `github/codeql-action/init` action. + # This includes steps like installing compilers or runtimes (`actions/setup-node` + # or others). This is typically only required for manual builds. + # - name: Setup runtime + # uses: actions/setup-XXX@vXXX + # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@v3 From 7398b4eca4dc8d1aa3c84fcbcb7a31fa0f22bfe7 Mon Sep 17 00:00:00 2001 
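Review bot: In the `Find and rename SARIF file` step, `find . -name "*.sarif.json" | head -n 1` takes whichever match the directory walk lists first. If more than one such file exists under the working directory, the step renames and uploads an arbitrary one without reporting it. Restricting the search to regular files (`-type f`) and exiting non-zero unless exactly one match is found would make the uploaded report deterministic. The failure branch should write to stderr, e.g. `echo "No SARIF file found" >&2; exit 1`. No checkout step is visible in this hunk, so whether other matching files can actually be present is not confirmed here.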
From: Andrew Eisenberg Date: Wed, 29 Jan 2025 15:39:32 -0800 Subject: [PATCH 12/30] Remove trailing whitespace --- code-scanning/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 7cdb425..a0a86f3 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -56,7 +56,7 @@ jobs: uses: actions/checkout@v4 # Add any setup steps before running the `github/codeql-action/init` action. - # This includes steps like installing compilers or runtimes (`actions/setup-node` + # This includes steps like installing compilers or runtimes (`actions/setup-node` # or others). This is typically only required for manual builds. # - name: Setup runtime # uses: actions/setup-XXX@vXXX From 1de3a149b31945bb5edb3d500d0cb16baaf7d2c3 Mon Sep 17 00:00:00 2001 From: Sadman Anik <36187489+sadmananik@users.noreply.github.com> Date: Thu, 30 Jan 2025 13:48:02 +0600 Subject: [PATCH 13/30] Update black-duck-security-scan-ci.yml --- code-scanning/black-duck-security-scan-ci.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/code-scanning/black-duck-security-scan-ci.yml b/code-scanning/black-duck-security-scan-ci.yml index 2200b6a..1766443 100644 --- a/code-scanning/black-duck-security-scan-ci.yml +++ b/code-scanning/black-duck-security-scan-ci.yml @@ -1,3 +1,12 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# Black Duck Security Action allows you to integrate Static Analysis Security Testing (SAST) and Software Composition Analysis (SCA) into your CI/CD pipelines. +# For more information about configuring your workflow, +# read our documentation at https://github.com/blackduck-inc/black-duck-security-scan + name: CI-Black-Duck-Security-Scan on: push: 
@@ -31,4 +40,4 @@ jobs: ### ---------- SRM SCANNING: REQUIRED FIELDS ---------- srm_url: ${{ vars.SRM_URL }} srm_apikey: ${{ secrets.SRM_API_KEY }} - srm_assessment_types: "SCA,SAST" \ No newline at end of file + srm_assessment_types: "SCA,SAST" From adcb922ec209f8b3dd061a0901eeb325fec3edd1 Mon Sep 17 00:00:00 2001 From: Andrew Eisenberg Date: Thu, 30 Jan 2025 16:50:30 -0800 Subject: [PATCH 14/30] Make the example setup more explicit. --- code-scanning/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index a0a86f3..eeb0dce 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -58,8 +58,8 @@ jobs: # Add any setup steps before running the `github/codeql-action/init` action. # This includes steps like installing compilers or runtimes (`actions/setup-node` # or others). This is typically only required for manual builds. - # - name: Setup runtime - # uses: actions/setup-XXX@vXXX + # - name: Setup runtime (example) + # uses: actions/setup-example@v1 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL From 7db00754dc1478099891cb586cb1f8fab5a68dbd Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Mon, 3 Feb 2025 15:12:05 -0500 Subject: [PATCH 15/30] Code Scanning: bandit to latest hash ab1d87dfccc5a0ffab88be3aaac6ffe35c10d6cd --- code-scanning/bandit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/bandit.yml b/code-scanning/bandit.yml index 1a33e8f..a3858a3 100644 --- a/code-scanning/bandit.yml +++ b/code-scanning/bandit.yml @@ -31,7 +31,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Bandit Scan - uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c + uses: shundor/python-bandit-scan@ab1d87dfccc5a0ffab88be3aaac6ffe35c10d6cd with: # optional arguments # exit with 0, even with results found exit_zero: true # optional, default is DEFAULT 
From 5969febe64ddd5e977901cd7fb785fb7a7de50f9 Mon Sep 17 00:00:00 2001 From: Sadman Anik Date: Wed, 5 Feb 2025 13:47:33 +0600 Subject: [PATCH 16/30] Resolved reviwed comments --- code-scanning/black-duck-security-scan-ci.yml | 19 +- ...lack-duck-security-scan-ci.properties.json | 5 +- icons/black-duck-icon.png | Bin 25487 -> 0 bytes icons/black-duck.svg | 219 ++++++++++++++++++ 4 files changed, 237 insertions(+), 6 deletions(-) delete mode 100644 icons/black-duck-icon.png create mode 100644 icons/black-duck.svg diff --git a/code-scanning/black-duck-security-scan-ci.yml b/code-scanning/black-duck-security-scan-ci.yml index 1766443..a777a04 100644 --- a/code-scanning/black-duck-security-scan-ci.yml +++ b/code-scanning/black-duck-security-scan-ci.yml @@ -7,20 +7,30 @@ # For more information about configuring your workflow, # read our documentation at https://github.com/blackduck-inc/black-duck-security-scan -name: CI-Black-Duck-Security-Scan +name: CI Black Duck security scan + on: push: - branches: [ $default-branch ] + branches: [ $default-branch, $protected-branches ] pull_request: + # The branches below must be a subset of the branches above branches: [ $default-branch ] + schedule: + - cron: $cron-weekly jobs: build: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + security-events: write + actions: read + steps: - - name: Checkout Source + - name: Checkout source uses: actions/checkout@v3 - - name: Black Duck SCA Scan + - name: Black Duck SCA scan uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9 with: ### ---------- BLACKDUCK SCA SCANNING: REQUIRED FIELDS ---------- @@ -41,3 +51,4 @@ jobs: srm_url: ${{ vars.SRM_URL }} srm_apikey: ${{ secrets.SRM_API_KEY }} srm_assessment_types: "SCA,SAST" + diff --git a/code-scanning/properties/black-duck-security-scan-ci.properties.json b/code-scanning/properties/black-duck-security-scan-ci.properties.json index 8376dbb..277ca27 100644 
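Review bot: The new `permissions:` block grants `pull-requests: write` on every trigger, including the `push` and `schedule` runs added in the same hunk, where there is no pull request to write to. The resulting token is available to a third-party action. If that scope is only needed for an optional pull-request comment feature (the hunk does not show any input that enables one), ship it commented out, e.g. `# pull-requests: write # only needed when PR comments are enabled`. Users then opt in instead of starting with the write scope. The `with:` block continues outside the hunk, so which inputs rely on each scope cannot be confirmed from here.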
--- a/code-scanning/properties/black-duck-security-scan-ci.properties.json +++ b/code-scanning/properties/black-duck-security-scan-ci.properties.json @@ -1,7 +1,8 @@ { "name": "Black Duck Security Scan Workflow", + "creator": "Black Duck Software, Inc.", "description": "The Black Duck Security Scan GitHub Action allows you to configure your pipeline to run Black Duck Security Scan and take action on the security results", - "iconName": "black-duck-icon.png", + "iconName": "black-duck.svg", "categories": [ "Code Scanning", "C", @@ -18,4 +19,4 @@ "VB.NET", "Objective C" ] -} \ No newline at end of file +} 
diff --git a/icons/black-duck-icon.png b/icons/black-duck-icon.png deleted file mode 100644 index b73482ce501f47c9e2daa7acf2f41aadd99b0e36..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 25487 zcmZ^~19)Z4(lEMX+upHl+cqb5GI1uhjfw4KV%ye)lT2(U6Pq{lp7Vd_-0%K(?Pu-o zRbAE9sOnW+)hj|tK@tHL7Zv~jAV^DzseGoRe{X2W&;Kf|>YUF6+(KAh7yzh?gL^fC z_8fPXLm@caq#KLP+;nE-$jLjZs$4FJG$$ZA*S`z#1H(~>rqmj}>% z=Ai))AgBPa&m73-4*-G-_*>g&4j==9_dj_R5UPLUfC2zvRsisS*e=n)e`!CJE zQm{Ob|J0ZV`ajsCd0_v^|0T0DQcC$uU>u~hodEziw7)k9AR`MK0014gQqywLl9%H# zvH!|oWNL40#^CGi9`Sv2n6yunVR#ch)MjL{PT&Q#L~sZfrpXN&CQL$jg`UP$%2uY zo12@FiG`7ch5i$R-r2*>#mJrB&YARImHeN2#LS#coU9yNtnBT8f9o|ews&>mCn5RE z=zp$%wbRAQ{6C!Rod4ae&ki#FEn#G4U}F5gk(s$${r`~tE%_JOKmGa_JHEe_@o1}< zIosR1{%w{3Ckx*{9R6Rx|FrL41pmQTx3h8)_&+573;e&SwEk26A2$CD{NDtMPF7~0 z1Nl$8nE&0Z|Aze+{@>p5C|S9i*=mVdeKoUl{@WK8CMG_{|7*$rrWCcewRci=FfuU{ z_+<1C$$x?VH}*e#wEutk{8!1pDft-x&h~%J{=Y=)ALyrS3Bd9({*Rmrz*c%~ZvX&7 z0BJE{HFuCdT`+kD;;w?e7Y~1Q_3z_@#gS1!Fvw|kPz$J}lxb45s+!9}emytnd~I_5 zF}tEs5$<|SG-F*Ap19SWAC9ahCb#sv)*dGQ?a%4MyI?M>vw7R*%UkzDz0mb__QSc` zR2KK)-}BvNx_bz6`Y?jRZwgt zF;U;yc$ws7qP|ylGRe+8Nhki4PHf~ItGDZ2w@PfbkY0r3mev6_w5mlDW$&igjjMbZ2snz-3RApMkw4}t!k2Ihu z1sQhvl)}ZvxHKJvAkYxHUq36yU}ChRE(cvT5%2I*(&R<>P!vukm&V}L2B3ars{2E zclS5r*kU$ZPIO}>qxRMzuqwZnw=n1v5vy?`TMpofgBD&YuF}?Y*4KHQb{@u<9n;P` zJtddrO-oiVb+omK=e!pd4vazPY&n=zjy{G7DD%#yg2p!G_KS~HZm5hLhfS$@7zXzb zf&)>QYvR;M3#R=ta^mOxlh8xN;=Vr52*O@RTo0 z$Hd5oHMM*jMf0$9XTl-EGpXnuA7}>Q$MdMf<8MDP1^lR{;krfnO3k-;g_{IUFa*W#pq&^`EnIjq67^WLPwo0ML!8`* zNiVDXTV?kF%CCnNSzy1WoyCgF5#gDaR#hV>7{ka=;glBe&V4dV{pTwI6k8JRa*Lvb zM5uP#(t`2C3{b#VFS!bQ(ixvEp}|FXA0Zf9hL}2jWDuVR{Ukm>E$k+kTU0!~fyIsw zcdGIS&ag<(wwAer_GPWa9Vn;Mz0{n#ayDILWGer;owj2b#@x5Pz=DgUP`+i;?+ro#yFu!V!& z`|I**PD^%UiFkT*7BY&E%rn4XZ;CtGgyj#BeIBg}T)xx7Z0Z-QyJlE^P16o#|nX zLx10-aoY8U5CaL%s>Rb`NXE_NS>aiF!xeg@#V&n4tk}HrW=8+k70Y|r%1p2|(zf{^ zGT$%cuKJ6KN#09HG{YNO{ZBS4PdlF1OPxqzR!lz?t}@KdB1!ub#TKoh11o)Y@g)jK 
z4;U>-9dww+IRGV1Jm3z1F(UzvX+W=IMJ_;6pC0}Q76>3KhU4)Ed$Gm0f5@EqQk)M@ z5@&E^Y4w`)t?N;M+`F`BXyf;*&x#NWUAolNU?=^e`|Fv7TTA0Zj5o4#9Z}ls^7`!R zNU3W_Y&E`L8%`QUjKUZ3}(og03^Rp}=_vHLUpsa<6v1fQT zc^ogaq6#wJAPmkferTb*H@P!*Y*imPM+){s+$w0K1rsCy>!KKPHUUS{U2%#ptqfln z*(DEb^a4!4K0ptw-q1wrd@k5c%2K(xW+bu!sq@@E_Jg=k9?lPc*yqZ*Tx487eCZIL z%(mUn>-ei=TxtX3H&+*WJX}JVVF}6FbJDMaMcwHMP7jM9!VvK1p)rW%_F9a=Gty)4J}+3$jU%?t zTh&BVm4$2R0Sz8u(|KjHdrKg(L0r3=Z=cIN*YPDfK&qk+G3b(9RszPL>-pYqh^7mv zrKy?H2dvARr;aWw88!7qNJR!hF=B7L z$4OG3NY9X0K8lADy8wd1!K5>A?n_B77=%)!Evc(XdVz2tCg8NP$?(KxR;klg?(sCv zI@^DNS2ZSJ1k|h^^tUh87IVKNZ|MfNx$0h7=e`*w=vs9wY=bA;2dwdcjn)iU;d^g^ z!lES;YSWM*7U{z!{CHAVcc|bU=RsVy#%sJKm|m)_`MUThS0OV0rP;-U<^v--qdvHmxX$x0jL)1Z!3}Zn7cq7< z?8w#GIvINE#uIf1ye)iiHf=rY>+Gj({QRpEmcmQFht87PNJBW6H!5{Ff3Hu=2#N7F zZg7V|7x84F;%pvL1F0aJunlj)L7(!l5VIt`sDwfdh45!sin*}IEPzz`5wv+&YQadL zfFNYE%YED3=-Biu%=a%m`kps7n+t@g#We-HKb+BWmJV71(3fl+a@J zkgOp5;BsKrjm4+Me`4Bp0f2du$v05t3Pprt(H*Woy6>hlBj7R z10Fi|=z|d8nD9)>jgVvlB-iymZJ^8CI#@13LKFDnk6O*4fvDEaY%<;`C}R=aMHrL+D~}#s z%M6ti>J0A;2(z%!vN39SR2u0M$`4X!Kw*eLn4>!wc0o7=Y?|4<-k;h+`xjR$ZlCqz z3;uUU)`=!Pf%#jf93IOWCgdq=y}PRlT&|7Q>zz!6zR8h?D<27)kF8#4mZh^_CK&kZ zYg)(e&Agppk@n?Lh@Ubcs|_&toCRa1GKU-?Akl4qz>Osm#3(X+IGB#q&C^YR{IEP1 zRX&MRu!aj62lQu?-QNK?#b{gnb@Dlm+AM*oQD;tHML`r^<{z>gV!ldqng8g^PHnd6 zS8NM#xchp|tj&=4ulOS%7_7m-!21TP z-D1+)P4VKJb&Np;d)hdTB^%%e8O*1sQaFm*Y|7cAGhl#n2p@{KG9e#M47M7GWn>LM zxn2SEqQS6F!5rT~6%;{FsF0Cyl#Ia=mAaLH43QczC@eC?uwXOXgc!xgGhs!J-ib3a z8;e8hS^`(4pEG4LSi|G2K5)G-^b*JHtJqOGDb$}{UeWD5;dWIujKk~MJcdhig!WXg z6O&|9hcX4VgJ-0ESP+zX>`>>)?p$~5ZO{!>?FR98W*05T+jx$$}&f(BgA=VqTjcYc2Tyi(JPdp|sX zJSJg>Pib6=E8A<%W3aZHciBo_a3D@jx|9CGjc3q;ktz~Z&2<S(6K6C3`-#Hx*KX zmvC|(E91Hl4aM5c2jB#PI10g83Ha$Z3Z+cCgD3)M!tzMGk!ub8m79Tz;9!w}+d;_4 z8$4vppcLvvP?TltjZ`+H%lBQ**Eg6N6Wd3jn6d|lEoshp+M3DBY$2ZesE>{xg>7}W zt5dPnCSK2OX?^YqsGr8V({5nAva)~Lk@<5bHj{EBg2Ymwe;!F^mn^15r#}!7WUA*G zx{CJns@-;?jk@dM`LiW)Hg(CLOlESY(9$e6K7fL>6BSQz%3eqdUZ+GUloEXuT(X^~ zJ@blxIwRBV^%?^|iVs8Lx(GKMcVtEV;oC#>ok0`m3z9V>0{O@Yf 
z#qM;pbur4&L^#mE$V&k@0ecW(fCLF?C(__kl$i|`l@UW+s7R4Vf{+9V%mEXKi4hG3 z3BEcR6|5LvTN;%Dn24${)iTlXS=#KH;LJ_fEJ0kS_tW@3sbX^ipA}@mup@VLp;6^U zdu;O*=`&=sqZ-YqHJpCJ1|LfqOGxmRn>!R&J_v=TvRw452J$iuXlLBDl0ST(|I++( zr&SZ2w=8B7Q|gG`Oq947G5|Z+8x(~lRR$faR_u`qnLIHnVux+Z5`SwRhM0~fFu{fW z0pYfi;KJjU{FA>JuSYP>YIdzw*B=e`==(1f!vSm=#fjmGk0y-ngRFa5F~-3!&Rmk@ z{+EfHFctvidzBevTK&3`dM*v(dO@ILy*jqfG;Sb>0MO7$LxD=iPhX9o{jEaGtHe-Et~(s0e?vl2 zR~UDOM;e3y@Wq8nZikd4GjIrp@pFfx(w+xKQn}_r%Y0AQbp?6=P=gc}e*}IiSD~%& zK{za%wv_FXmULGXsDeJ?>7_=X306C-G1i|)c~0KLh?`=Rkb%mo7;|U(!SuG8Q4!K(ObU*)>7KNb zqmdAqE)Jw({-SoLY%aJ)_1tHxMo+=2ZN);SzWcAF#Ce10k3kGk#Y~_rb72uMlk`Hr zJ_<&m@$Gg--Bh5`8zHMHaj_eYH6kNc`6~{KhJR-ZFnWitiJ5|6zKR3k)k%y!H%s-s zciW`Ihz?>zeXu0hFzKJ=EAbYc3eOD>cmbf3X`+oNG)3b- z)p!y`JPu$RwE(bD19*8m!w^mbu<|@^sgc51^hL4yH|7PRS2C!FgOnzF*ogTsb1|q5 z?z6&4LO|Ke@(F(^d2?a! z82-K*#hloIS11X|m{(BXAW|})W<_w5;ul)h+keZN)Bji2%1`FQkqcn&p|`<4Ei!4~ zYm;Nnpr|;Ec-;b6fpbo8V0}^@x%I%7;YH@h85rZseU1)9=PH7jVBzaRi=Dua;<_g% z{FT6+9WbA>WZ5C`78bYfG2bdS#3~w3+F6-DjeVT9YdCMAeNs?QC?0=P0p!E!C}=4P zhQfM}I%V7>3~}{*H#S5ik&BV1pD2)h0Jce#esKJ85CH-x;weclsT~`L!d5CnEoUn5 zi6sl1mv5J~DOcnZAKPZ9E+L^46Lx@a6#+-GS+w1*Z^ZjobAPxL@(7}w+6KgfSfllX zo8aFiApcrip=-qOz#ha>)GDO^Uaa;_SuMx(o{|O|;6jDdo6$Q<5AsQ63^{yn9S3ic z*j?-G;XoA{!IJtP9etg}gqZ;JCR8JXJh)K7Y?u;Rarg0qi?9bfBGh{^6Gro}{AWWU zq3( z8^A-h-~2U+6~VaT?*Cayx$;8Tas?T6fU@SD{*(Y|3kp(rRHTj~5K5brT1Fb9s{0i3 z1Ndesb{2=NQvOHPX!!c4y}bjB{HPnea5_i?8)Pi1{v*mrI91S3BRZ9I5@HM|zZ|Ok zRPTG7`}g7Px^3l7OM4`$)U^GqTsr2ZA15CT!g}Os&f1<~6;5XB` zI|pV)`th0`2W5K%iifa}63Rx((oQrMGB}X>%M1ug^D{#I?J!&#m=amO|0`P1R(=Lo zeoC^Zw>KRgF3uJTsJ7rYzcYfP{Wh}YUM0VQnb9rmI1@wHkueP`FI`H+dMkpF7)B6< z%X6x}!ynYsr@hiG*ZlA99&%ICY>ijXYkZ+(sr-Yo2fIKb)VS=8^P9gW0g z;7y$zrCr^1cN5M#X?b`}Qc)4LkJHL0-tjbEg=*|LfjhqQg;<#4ii09ld5q%~_NIqk zn-bySjn#^9dwJi4?ro0{$q~Bm<(R&`wUD>0y9J%-y#f0~lu!lUmnZ56khod6-M5XF zcOaljoh_ym>zMK4A{30g*@R3JJ@T|jc}DAKsHJ-UiV-*&EXiLnFR+1dcFae=)>!Be zi*$KnHg@U{%tKsR)mg!V429Hx820mAj%!lzq~?W^zo$@7oNxX3@XC9)?uDOM!7w5EgK-oiq;UCvZ?xQ}iO}9kOuHIj&pi 
zgW0-S+xf+jdM~1G+P33ZK?*^A=ZF(cpJwE-==*dSgb0h=D5)B%F(_K@D?Y{Sk^DP& zL&c*dvoIoem;1y+M%h@;XXo!hn1mTyFp+F?=p!T2Zj-Kk1$>$QqTE1C2I9ddOC&43 zQIsJG5S5{DJ!Mg5NW@XfIloc(W)>G+Ts*wfKAJ0wtgARi4`a7z$!|ZRLdFBUtnPJ& zy1HAdn!x7mz?$#EWlqLX4Z+quDuo1&9?LBLY6!XxmMTn|d)PyP=@`b(L_t&Fw`+4k2;i9oX?Wo{y?&wf~1@#S}7e|{Jm(X_+1RQ^Y zjWcm|6H7u5g2R4aN?BwDQ zfOX*Dx?}GwW{n$XCHn0ekJGoHqv56SnuTc$mO~qQPqLjAFh>itOl*TQW<&A9B3lJXHQ%WaT0da(%DP&#g$n=Er+PE1; z>OOO_hD*&h>uPz+kDH%@Po)_>1M*-`{(L+6GT7X$aB5%#fe6W(dv}3ebyN;$ELux zRz64duERZCW^SXlyont1A0z@{@jwM-u>rU*TL@q!zJl$y=U<*o-AdcFnr+MoV|JH+ zJ8<#eCl9_L+Ct%)Ekpc$RbXLmTK0bKb2_y_I9eG&Fb$EfVZcWtDfq%kgWwaxbVoG=ym6xtZ zE26*6yE45N@ocPWE3{%deWBS&b#hBmI#=7uwia$&e%}9G^FhU-`v_j@l3;o6<@B90 zl@$tn8EmSM9~~&l1VpqXu0BDiH~rp5ErJ^Xk&3Z4_bZXF+sx$YCDo7i>Aj{$JiC}J z`X?{ph`WDjhoce!GgOFoy|77M)luNjvyAV2&38uTz?ZF6f#j~sWk%UqcDc4H)DaGG z?N}LQex)ymI&1zdBAmimi4_+G_(~`y$Q<2)a$~a#C$^chzXX?Vra0ekCZ;!+Th3HD zkiS-Q*@OgcMvV6zMDx_v%cbnM=$r>2l@);6JmFV>Vef*W;fc!;)mo!M?u!p!&srxj zO$mu7YV494xTj(d_j5y0u6lA%iWc(qI9<50@*a#=YFunJ??3n~J75u~!3}-X+FOwQ&<)wkL)I&51;;ux++mzg?omGKh4e;SAxW44{dn_7x zdJ^Xua$c{9UfW@d5;^+j9l%&`h{wg9a!PDTYD{x*yu*6JG9^Qwx`qmgT&xL@*>`h? 
z=sbhny(F6qc#YTs)R;L?LFhq-`v++fjtF(u;WQ|aE*JMa_CyZ{XcxKIJ%Ef2(h*C@rS4W+Pzi?nnfQ(X;mk{>L+nCgmIS% zzTAB%`Tmrh-cmVDGUE(YD+~^(hb=cL+E9u#aR!(a`V+U51*TDLfIsTSN8z*5JZi~0 z>yoD2RQk+^rFQ$9iE}%v=^GPfxO{Io?{{U{y_=}1@gn-R7wQPV>lnG<<|2ofY6baK z2w8vuc=Ls6tfUmnmp1HnN*guV{+Eb|(vevN`6yMGroTW|jB2IubyX8{EEG`}qt}R} zqM{Z4jRgbhuHjHRgPlVWea{yk%$VIkXNr%2g`#sl z&66D(gZl*=bIRgHuUddT=HmNh5+(f1u@g63Afk(q93zId>7Fm>b0nUM814+#K4qka zZ&Z?a{csk)Bzv;a_xS=-p|rXs$9o81DUoa@>!Ae z#KZAiI2wANi1P3nA!s9z#i;V|XzPIdioC0{V7>KzN>Xf5j_8;;zF$l{4>%K=g#0Aa z;NDlb&T63)3xRZc?iuUG#rr{D{;-C-JVG@bc+5{J^^ifYpWbFNX3={mQzI{h8l)iNpMsWEs$f5^;nNeoHlr^yIu6EX1p1q>d@g>Iaa+pJr6Q!ankEuCv>)_ z9mMvap^LA6kWj)U3U@8SM1BfSef?$3QZK_4t86R8S!3^hwocaL5Q3wr>lmW{6H`n# zZh}Fp1DWx1)-!2kV$M75V!{OCIq?zxaPF2&<;xdaf6XjWZhvNBfFZI-t)4Fmnh19@)ZkF`(j58l6!w;%d4^}sbVw-mb2qeml{lKqi?VRmD|*guC} zy*Wqz^h5_f{;SOTfh=5e=CSQX)HGlzzO>a2g9)MxKxaY@g0LS^a&>k*p~-NXS%&fB z)7@{bi{v7=8B+tkIx_2-CnaH$NaJ?~5tm*=B_w8?gQ7r>i)AUK6j@qxeSBk3<4;LO zobVB~oE)M!V$Mfy-*G5`8%Bqh@0g}vNLF6-5+lgRk>=9$)6`?${_R$T;pa$NQQxF3 zcQW$KL^)(%zn5_#fd`PZU9d3`s@ODzZ$X{Z z0;U-K={4Nqx44u*{?X>YnS6nj!aK zSrw;+qDB7vDVkfNHM|8Yh!_d?p8C%r+gEBc1WpEilYl#&JvUIBiro@`)%nd|7gjKS zKD$wWY4oI>)|R0v@qs{&<@s0inB4B?N`pt?FEc{(E=gIil_VCbW6*fa%7OE0X9#6L zj_9Y?oo^PYZwFplmRwm=10AvLj@bNlUedd1>utcN>vF}C2Yx50l%l1p@P)1;)Y>(c zfdfC%w@m*w(G;;=xO4>hcYXC=aPsnI#Fd62OOepP$>>GwDQiI&(TvW79e4lA$e%Cj z2x8L}kbRpDMtHC^xic~$h{fRP;pH~|noeOVKm)d|?7*am?zwpjg*5|#*sEb~?vyZZ zmf|S0Q#XDG-EXss(~5`FdRewB-NM5J<1KPIvr<;5Y9pQ4AF7b*+tY zFt|wWP#ZT0f||>K$d@`y-I};WFziy|vtjdjFv|wwI=DgVMbnUO5g-~<76#ude>{6w zkg_$(#}zs7^eLmRoI;~A4PT=|H!s( zHq9}U73;mFj9vH3^BGc$en`NRu=Iz6qP`kG9j;Uz{ywv}qMy=rP(_dS^Uu3fi!!;_ zjioh-{8?O~O&(BBYKFrK3jkLz*%wc`R=3p6Mn(r zy05xjo>@38{2;z|t@mq~LHB_}d=?86RgflkqP98-`OL4c#8e7Oj|u&7`b-?d?$+q2 z@)Ygia;kNazqv$@eNDt^6OyfiBKH&Rd_^}nXEMKB-_%4z6L7WYM{i13g6V_((#znB zy@J+FWYoXDx;?n_qcfQ$B4j(uSn?8uRA+gkVd&PBDT>AoCCWpuMApU59~BBNpaEaH zt#34PXw8+*sXN)M$rZ8Annf^KwP z5X?toTmy}5EccWm$*bGZ9vUX`5zPk2d6Y;qt!xD3;ToCT$VG}ntf%VpLYme}&j-2z 
zzL?$9bqjn)SCAJ81nG!i?@>@dQSL?aPfbevG}{2s_6fX%-olf^EI?^}s7@WreuwEzBAPlA{{Z)yq0*IPmXewwy0D@aE6NugXyuWrD6z4|j7w7q!xi(frDK2O;tb%ijQV?JL zwON*+!DFcI$L6_gq%}P|aoPTqWxeJd<^7!kJmqkjyzpZ==pN?cQ2doybr3pHJw^l; zSysE3@drLiz1Ii>BKn{^*4+jq(oZMaFEW-KvxzoBC_6o|?JyXr61}N#CNB9kWBiQ- zPzOI6N|I)}-Uzyg2^8xYGU|d5*{gohXyMVCty&jw(p$XqM=;W>yR4}rZpfWeJ5U4% zk-{#I&@+P9?GFLUFK#33SrDLDnjfJ&KabVzf>EjsV@2%Ks|+$wiV+Ji)QN>WD(#PV zJhgjm@0GFtSRVJYWQwIY*=M?HnWCLDN5aw>=r}$=(XDpDt*+rmel_MIX`q*ir}Y;e zJ!BA>BLl^P;M0enhWN+riQxJ9?K=7!RXp1q8((wnxr?&hV~kKP zA}l>!54ZTfVoa;@D(P6zS7@eFZ-(sdqxCvaanSiYI@qPnIb0bq?rUr&#*cpBa9ocS zH!f;wQ?LM4kbMET)zC(u6#O$1jxva+!{;YRUpqgK#XRp18Lo3VaT-VVp;RuP5FJY& zOlhTMeRTOTetB)UVLg+NchpsD{MG7C3VXgz7JrV(BP6!)Ue`FTLcV`;#Aby}h_{24 zJfeRa!9G1aX+F&F!>()rTy3sG!`{^DO35s$Ga(U^(xz!}Dy!ixxR?|X%Ec*e>c$OG zGuM1G$&sRaA_+!<-V5Rg=@rFC%IyQ4IGcL0OMyOzQg`d92C*w`Z?iC|H#`s?i}Q1H zJVrC{uy^_>Je`ndLOtV%^KJXqW~<|wt2Y;!cVS=G@jJE})^NE=|Db44E<-IkCJ_`S zCC7zgf3{ALc)3}7HR}tsf3;M3gJzjJWn47;O?JGt4l3;8Aem%$RjshlZniYJ*1Xb2`Z?tw&4CdnyA*(R%si+g>-Y~0~r!u zH(}62!(7GU8$2&Xj2Zos?P?Rnxd6({gy^|GPdg1xZKXyo_X=w z8J_yC8th7|Wntz|R50x>&!$Jg=Q&r&pp!J>%C10G4Rq-$WAvwJARPpXHyM!T`!Ex; zl7hgyAlyOHH%gW>%HoQHqPi>RIqQ7#bGK@9pe)z@6z;zlBsYdjEao+y z#H9?_zV>x;vLJ7KgZA^BQncYJ2dmSF<*68V62vM83FoVmRQ>)>kwA)4)DicK#zfrc z15jd!Z74&z;c%eF5luKk)GLX?{EY;$h#35CtM-jaCK0(uBwD6JgOj`;up03^8Zx?@ z`)jw4p(;y{m!s34uRSzf7dL(h`i|>y6QToe=C+`-M<>s#yvi!*Q4^jN$ies>s58^t zF;14^VvU#)-CQS-nvcy*(VRU=e6rt*jq$FX2Z!|sG^X^&gfSUzMSsx=eW6+-`$O|X z3K}{}cmjPCJ(@Vh;8m%l$g1qEW=J;UNsb!Hhl_!9+m|Cw;3_Y8WaLW)_4f1h`2yhX zZ7^2y`&3H$SoGrZF@)fw+VOV-FTZc6KEG4BFZbIiZ>9z}^1QESyB1b!IN2rnKzL;G zZLqjlu2z;ckvgr4y%ql9Pe>)`y>f za8RpbJW>puUjeKJ!kv*z>d}WUg0VV|iQ=7O88xqBLstiNsDhPXC?OUch``JP|tvc$J4*U%s`H`Ky}2qR3c{M98t{4>Cfjb~N= z!tZp03aP2r8fY+GQoK+R!`#@+Mi?ZpyECi26EHDWv7(}cYxSoXIJ-j<48sHxP{3t& z>0MHsXGva!q)8jjCGdlba+-DJ!sk)JXq&Rw^E8R^a-P17m7kz~iwKb)m=Geup*1tj;L!=Ul?v^9OledjTx7-hY3tmrH zAon~^E)*v!TM}~Bcwb-U~9b6jOl{A=pR3NeHO+ge50zo;aMaWi)c7V 
zlKFP&ImiJ{u3TFJ&ug~cmUCXn7P1DOgF^LVxsQj^T-vTvR*NFd*DJ~WKR%g8RP=KN zqmP;hL*|U_Lm6h`)>_`;GG-3U>@oeyIDjndu%t&{ux3NOU8gK1S>)Yo6G;hfkD*wj zEGg{Cp*<=2%FojUE9eWNouAO=F}EiveSbf{Vc`4DYLKX-&FlKYZL43PB1*z;7-5!bD@@_92?B__fc zKW;0&joM;F?@Co(l{z{&7GOhp+@U_GXAsnC8axL|Q%`x@?B!gDb!d&SL z`p0<+Q3Jqr0bg%Df)!r2UdNG??h&Oc*|DrCu*8GV#oNrDN8@9kkGqoFxrv^f^^c=< zmcT<{!PlITXjM}-WQ;rw{%~k^WKGgOTyz_YVV?$;%HA~IH6>3TQZwgJ)QueHRN+5~ zWpqD^AV7ZjHKVp4A=f$%(*h^+3k>gs#AQ(^sB8BzkOT{NNwoxfSr-2kiD-Jk6hymz z8CFukDKz99xqaz*GSFY1$bF$)o{05P|8`VBs*+_M$|}dgjg|=JiMyDjr&iNQFiuR3 zJn`V31C0pahs{475@K5T*632nHWWS$zQ@^5>$pX_@!egD%KBe1Vp?T^S>TlaYjP=w zc|9)kgAf)nj@X+UiMY@21G5+c4nMYsF`LnM8GnBKuJiO7<_IsH!}nb_f`1KEMelK zPM@A0RY<2TPer?47R~Z3E1{;WY6BYqyBT*0Ppz9Ja47n>`55fxc;RX8#@kWV@%m<0 za;xnV?bKK-|IVZB)tab^_g%*IdI(W&yogpIQ4meIQaKkaJx0&1RGg`c)xzh;Bg_nf z;F7*d9PJk+?b5|0CX=>epd;>W!9bu|ynr5hG$=-$e#t%t$adUyl-~FGQ7+rg`rRnb zZ*^?gGUWqaRgkZLc62}egm~Nn368KFsM4Bm&;4^@Q+{60f`S5!UJkqbTIkDXw3QZ3 zcT>L-`e}r8x^m%9KkNd}6PSD2b4lRwDqE(<3InP$KKiW;TWxY zKz7rPS!~dHYasJ`(-k3(y*G$MlelrT+L)?f35$hJJ}IP1o1>#G>*t8h`SLv6#c;TJ=%!bs}F+71vNRUlx4N{267sA&&ie#TqK33Q_;Ft z1930g{-6cPw$JCQjDXu%*c`!|t_kVbLYU5wy2>ImPQb2B&B5?NXi=RDz&!2y(43eN zbxlR@(@GiYk!~p!3??Le-FKYJ@@T%APp&p7%ne^F#8Wx%vVA^9OO>gJQA0%VM*vzY>KvTF$!XIY!#M%! 
z&JCgmD3F;@3x%KALG9#}msIxLW8}WlW5ZyPn<}BSljx(QV1A+FCWBg?!|zlY*2zM+ z3Otz+r~ygO5u=`b1XGvTX#LHQvWWV;aDrV3%w&W!qTUC?b)@PAy&1&h7?7elrCSUx zha&4P7iQwvF{=eNnj3xNp@E_j{tQw??z5brPbYyL5|L0b)KzyJ7lJGj!7tY7Xmw-% z#GK+~8Zd=FY0ijctXPcjPQF18#!m(d(4Gm8UC^r&U?ZpD1G*0CYoXItg~Uw=GgH?q z1&lI3<|!SF!m*H+!Lo!av(u+J14BeSOq#vLe+jI=Ar+L|2P@nn$`#FymHxD2>0!1q z{`_19zmoNa$ZIvV;XHPk9RKc2A74VHP$(^z24$3I1kY0RfK9}><;jv|JEozB~w*X_VtTc)e&0*0zNWI|C$HJNpCsxjl zGBqW-L3Az|azyaG4m)&o0%-U^ZrcSuhhnw|`~EA(;|hbv=QE2QgOCR3RZ)nM&KGS< z$P#I781An;d=!*2e}3Y|ulingT9``m|5@6b8JdtBW{{``)K`Wql5VOGQj zBj4N zc&i;oAPbfd;CV6AoaQG8=h*Hgaaw7L2M@-;>(ZC7i~=Rdo4(AhtKqrJpWdl%=Ck{K zosTajamHARbpRo^j@C2u4^N#o4CeZH)KVjeqND8v&uI4TgjRY0fBkTsEto4@|5CkS z09q=GBO3Ux9+vwwo20^4UL9V%+Dt^qVT4_Gw*`L_PL{Ltbk`==(yvw7%hC7eMGakW zaF`u4L)MCTxOl}KtdaJd4!AXY4XxD+mE6kf5md};@r%szJdfXs=c`BDD7dr>kr57^ zF^f&nD|%4XQ49j&qp=Lt<Ukdv!1lA8i1Xv>K1X|mviG@NFMXyXDL?Z~MS60pHW8eYMsIyq|- z-NQyjby1=~HrC+hhx%>Ncj6Jg)iJe!@<_D4425N5lfF7)ha?0tU>})a9dN}aC?OO0 zGZV8)la9`D2%zXZF5>tl-lefXL(EBi*@jgralnypyT9uU(qBe*Kv8fMx=`p%WkVl^Kz;EkxbxoR96}2ZZm0yVWusSV+fPDmYqeY zzI&2sO?!hrd(K^?ICN&M~3oiPmk%hu2nHbl+@+_JuPdK8G zS@orK5Lw0}_*R$-1O_sCQGM!F5tY6c@(u_!bf)q}Y{&D^YIY^cZx4Ad-ft z%%F#K2^@FQHuGg6e$yNmQ5Alk8JhLVRF?83i(&}lIP}IPJFb)L3^$7I!S3;Ejn&}h zq1X0Yvq8nrH1BpzE88EfKq_Y`QF!)9nHm;CaQ*}k(uIA4M*I8Xdug)@N;J_rHq$@ zk49Kp8^MNSj%5=*09*}LgU0f}5TQj*)MbYq)@X&rWRLb&u>w_t*1&}@flC8T0#R0G za<{d$R8Z8r#x?5a^P=+f>~9@gv%z5)GM1;4E9P*bC}=OR&la`{HU{gFP!l50BUShJ z4XMC6wr3ut$g7N}3zufL^0`H_juw`%iKcPW0fEiEW zMsEIRBPN%s+-p0fN5UX%Kt=>;Arop;(f<>nAYR|NG`u}l2sSxVw9R0JNR5voJkmiH z&>5{+U2{txKI=Te&gzuUHVgB)uOkOX`(($$wd>cU8@4=@H8yhj9g7X;lw*Rmej`#1 z6f)F^)F}7?SSY0sIVmPXWNKxhlu0EnHUZn<1n=WoNwu{o6swt&$bw90JpC%p8J?pl zV9KF#K`&V&97YkwP$lG1j*0-EqS)dxIp**s>GD^eo$=_fIb8=tG}9?yR}G|VZ~ra6 zk>OyS&&Y{O7^yD`{I5U5cwRN+)cVPpk0@`)~amOWm=S+E=U zM8SXMNVP(!$%3L?X+YNNOaK5MlSxEDRBI$!X%x(ilVEbDK`SR0^trEyh!Gmfi}wNo z2*l`K@>`Mg;Q2>nTY4W$+M2oog6RYHV2OWc%dF%Fzx_t~*p^2!ejp{wxeJP@I;8LP zD1kh2M469_cqgE&}iC{&>_GT)Os--=GnZCuOBNtX6!4;dN*Q^d7(u 
zK#iT)SEj0zhCq#ip$exm3L`71Cq$Tf0?qK_u_W0t&|iL{bl~XtCdhxh)X-qQ1Diym zl}5p|l`+UifKrft7|MRdUPZr3Rs$AqhMs<5M)=2T}&L*lK%Ot&t_!CPdUv_ zjJ_KZaP70;_JJpo_NE!hcdj@;-L!oJ#v<4qL=>wV2Q+I?i?TO+`Y8UUJb9A*H zk@p8mHywPomOTSoW&5LVUH+wX^Nz>xUL@a&*pjMZ5DdV{sX-a&S9OL+jiQirQgW&$ zP!XYZId2ppAs-r;y`rJqNxT>cg13Z3m4XU#nnUG+UYtfaj3NS~V4R{IT@}F6sbLtZ z0%k?g&$+@VK05dnS<;Z6_OdsU1IyygURpW!eKtsqk7w8lsdXmHklwKVTDBs-Jb_{Y z(8o^%DN|KCL$J3QMVMW5qOjvAPOeJIw-Ij*B)ye0S*Uak-nz83^aH18pcKqeREbb( zA6;EQkRCzHszzbbQ+X!jI27#=22gZFokOw};fBbwX3Q)7%iF#vv37IhxFY3b?`uJB z`NQwjzj4`l>9(FtWp*jd#vM-8lP^+EhsBJ>B$Tv}re4caY#}7HIVN`cn}R-dhnG05@{EPD(cjC(jY4*M|TbNm{t zNVp$fGLQD-fXF6{Da$P0qC`9~^moIA9Fxj) z2m>fOqMkg`v{ayH9`cS|E$$nIZ%0ZiPXAEGJ#6RA;9K_T;xMB%xK#>s=@nl~dj_`S zgeE(qRj9*!xs6FEX+BoMH6sf-Y9jR^R+Gp@PBC#qE^Dw#<%Zu=%o<#!StrescOTgB z^xA=;eok-6H=2@;ra|91MF!PbQ4yVE@PMV8l2H`M)a0CCMMSiPNMV_*qNODn8%th% z%(C<)N1t5gSrju`r_0j#OeQ4ebRK|hfi|Xh+rqp{bOV4sI(wQ-L@$!EnmJ|45W8%`yJTf?tZNF#Bc-y zbuv5WB{|3ej;K0dX_cj_7L|a0;6k*E3XuV=mmMK%wiYp^4M9E)giFP-L?ivPSH6uA z8ILCB4A69OJp*Pl?;ri<;OzyUwWLIJwvSP)OQIzxAX0F%4>I=iGB@e2dM;Vf$U(oPL#HmBw zaG2Xma`wbrs&30%AX6wH!)`r^T9kq$;T>s73_3s-T$yVrutlClXhd z>Uk>5X8=id4M{FI=K>7K)65RgEmxNQ3bo`-sC{N!qQa^w0ZMdn00`q<0zY_{Gu}|S z%;&t3Ak=T&`;^>R?ts+TXpxU1zyl;(JnkvM59sO4XO9BP57XuaW8t5`#-Nxf$qEHq z$9Ei69f@-5`Z?Fdk zy_Iloh}5!3LsDr#NuSDNrE9>e6WJUYF!4}qHaa?zjEoFrL&Jl~z)&Bqe(b8zm!W@G z>Ko|A;^EN-oEVf2jtn4AsNy&)f?XNefD8gY6QHWuf36I_XDtbzG4Eg3hxVXGq;d)xK)`yz@Gz*FSd zYPB}CW!S#6y!NiE8+rWjbTN>jvHoN(X0+~j`1;a4kKSH>_S0V=8(X`FO0i0c)HEsF zUSt%S-!kf1+Ro>Z0p^UY~KEO^2C-6$%f4jCl5Y$cd}v21HSgzmy+NM zTdfdgzKUE(!xuGlddo!q!SjyD4w!Rb#^csz&zPHZcg-&2%(}FzqnlH;2|k2MIZexT zM`}DY7}Nd3&Z~0AC=%l2Kgc%GHVUmsx^>4UiL_^`FfY@>^$qt*Ij&gyqvVJKk6~A< zdMmOMCElY(!Te~Am>_Re$jVsFT|%Az!-{`Dc_ZI{;PM87T9I9N!P=%|MS?y<_VcEO z#wEjP2``Tt8aUm_)UjQCHaOIu?daPshJa5ulZQ6mm)!oq4WS_fH7k+x@7i$aBE+y_ zLW+5!Qy#im{B;Ghbx?{YPcAe9>|nV{i?GTdlH2F=tFQi%o`n5pT*4dtI9=dnUv|iX z!;=H%E>7mnT$s&*5zXkFm2|Xprd-`xYQ%vp%pZ&fM<&U@903s}zxbhn-Sf!p$$gLA zQJUE{Pd-2j(%R=iu3(li-*{Jc 
z7IGFQG>{~jHS0b>pxO8d_Obmax;&+xzOCggJ2oYcZGI$q;L*F2TkpF*dGHB&ZxR_o zd-DuFrKQVdj>Q^EMzE%7WDNe8Y<(GIX7_^9vSB4MwiT6CsvZ>{ zx1_kjgr(j;>)_{SPhWgwvKU82&!4p@!A>VQ)36(78McYhI0o4A{TtV3Utax5DL0LB zI=Z1zIjb;TbHioXVT+!{ErO!^JlQhuQNu9LtqHR-Nir)ZYeG*bX)HI0fy~-wUVSh! zQ~+W0HnP%Ro%)_T?tSFWBYt|f6M@9gl!N8!`cAw2kG$zIK}?t4aIi-XP)>T?6ix%RI= zbMgyN|IvZ5Ut5AC?B8c6o_Jy-B54#q!Sy~l@Ud++o+Di4I)l)c)bcUx>_9ytP{(S(LWqv0-#95O$9rluSv2@lB~9x zSqX5<2L^hx@htg1iNo#{!;yg?%ol{|ZTGLe4*t!!o?~(BW=(rXeT|L}$u;c@Tcd!S z;e$)ByKPN&;Jiao7t!aKQjMGv@uZu8DN3zTLPQy1<2Y8j5w9GsUUBZpcdlHCl_e|9 zG1$sn)VWln`L-nzZ7D0?_T%{T!vaqGz%r`IHOq@<>z z)?`r9nnaU{R6#yXnZ1JbUqtqW8!oJ92#O5EE;C8K10MFp`0l}rM4;}bvj)tq=8h+D z>Gjy$0j|pZCt5F(O~Or*T*>I~lB+HVA4fG{_NsRqW^H8ran1$jaQq#)A_HNIK}&i7 z*H3ZLsnM8F{dd}HfE&$m5@Xex3$VGv;C?yfsPj0t2n*o-s||%7FBM-TIZFdr1WdJ zNs`r&5JXK$Sk}PreXxtgS1Cc4TLsbttY#qE)LaItTXAt*Qg1~>W&6tyKd3TG;V-)U z3-~N|OR&K}&Gas zm|QIbVZ0i|mjQD-qp`udH{CTbINFO=WI^)B z^;f2kY`RaTeC^wISN(RmE^9sBWkI|f)r4_s7b~^X(&yiI-ts|yR$Hs}prnZmgfwap zp98F|$ZjbHh1cD_p#gq60GIv|XN%yIP%dJWYPid}*Sfsh1XZh=nQ1)+dp67%>tc^6 zDS9!O&&Fg7L|YNATKv2fP_tReCsGgZ>l#RtzLD*6w#d)__?`6e?HjTD1pE0;Fczs= zYBh>#b-5~IQG^OBiVJZmmbJGb&*`U@pLYUU4~#v6W$htl2v5d9NUyEPX92UjRUeB` zEBlSZJP#Hy+TA6wm~|bdIB}ZHRGil1sc}_FVamcdbJc|X7Ve$-&<+_YOf>e;gePkt z+KTW~x=&hWH5!#w_oulAb_{Nj68_-o|4VoDZ^Nh56SN{zuE(_$ICWvlfyyfjF7dVO zN0;M;;AF-gnv=;I2^n655`|3@o$YB`@M zH}&|vUITW@H@W8K%Vo+}cA3-~ss1jNLWNANY87#Dh6-=Hv7}^-hVp)st))|`^OKsz z3X98Dghs+uzCX0^q^%M3b+?aefK$G++UF;0?_QH`*!-X!tg{Ect4^!<-PPpxh20Jk(FMrOd8J^OzGbR@RPV88HrtYT1CB&t% z_LhzY?Be-OY({-8r*;3~+&53zKz61DVd-?h{-1!k1xRy%16X&{R|DK$c0B2Bo5Lce z>mR-qTgK|T)>@@zt({Ue7wSoKDWOSXw5_EbUkmp9;;+v=`5UXwT-C7R!X-O36xdk< zVK#KY{tl}ahE4V?qV7#!4fGA|kiuPk)6bK^p@EG1DpxFppIQ|cd2v0TK!3%=+-J85 z`#ujfW~H+ykT7BN&Kd{>vlU^>aTBhO;-cFrD>bb3-+f5~+;neN`vP>c)}@bZz8`~i z^t$EEdU36tsBFqL5uL=>CLV8V>EK)bcfb8}CqK-t72kbKN^Swst{4c#(ID8qei9eY zRiMGtjRZ>AAKWpE!K5J^F)_P8VLN^IwRK$_?)=q9C`hykcp7PaQ=~`)i zcGW*nH6_9>Dc>Ty%85`sXV?{i+@8TCH4}?s7fcT~o8n2nXpLj~syO 
zg}6p=?JoHcRd;)%2KZgbI8NFc85zl*|BMr`L3kri2SZlb^PYm6nnC0Rk9M|o;{crg zkDYVwDgR63*x6aDyx`r@f~ZU#2)z@CwYciz5!K8z_PMulciY_LmIwZjZrJkBq&~@Y z>Y!2R<&aYbIPPf1Zv8)paeTt8wOXRDA*L)W&#*fUghkaB<8^>J56G^U8Vb~mtE*nSFaP5WI9G6Fba*^%Xn4(vm9HJ( z?uff%+!1DRcN++0bMBAbtKZ=IYg}|Rklkk0BC-Cn*JwbO!4HoOrVl@HpDcryamemB z3R7k~$ieyb3Em36{_OvJ)g3EWu4-O3#f6BIQJ{8-CPOsDi%(ygWy+1YQ_Yw9N( z?ZS*z|8UP|vGLm%R-#+AyJoD4lHHRA5_YNn5{dr;SKUa8?!q*{ajJJ#`#hE;-LUBa zIrF~goyaa0b)=)Mn=@A5Jm<5o`A5!JeQf24dvp?LPZ|hy!Lf&St4;xYEv~weKnc^) z@q}YK9+!<%lF<{|oxQAVq_b@XjpIj{&gBDF+(i3YDc#Qcd)h#lFIu=73CALQnOHXx zC}Fy}!4d9Kn6E}7+0laV0lY`ulVKn%fDYO@ z1~~!OEx77N0wqi*He4TSljA!sZ1 z&w%g6^%Y!fT{x-E)xdSP4{3le4C%0UZ^|7F@s*!!d_BQCkrA%S#j$8*?A-W<73ZG% z1HK{WOTaz-o?{}_YUP}WZcoOuOU14hjrFUzmg3?j*))#&(iA9RUvlG_>0&*;?NPic z93PiKdzF!;t^D#m2aMy9Qkp)O#$mn&TsHPp8wd5iHy8->K^0Q79EV(u>sh$M{kH1k z5-4P!aMl>G`yy5qmTT3o@iKPU;$R%#b6h^!)$**r{_M%Oa#il0Tw66&9X{1vtbBgi zVzA}dfNKe^3viu-i>}_~GJ4o2e(_GE`VmxFGK!-Unz&U^|Gc{q6I8zvgcMYyiPbuq3N;nMEd-kNu0aX)svYq&!g zPw*T=-m8*XvzU%z>)s~rwvIJbKW}Mndh1{P$4Of_-T)rm>z&`+ZBJ@@Z?0r&2<&p* zhl|ToK89;0F6LXiV>|t-7BcE?H*27jHezaWELkvXaf!!8V;oXWvUI$ywXJDjcwnq| zpy$0SK6i>7qPaVFAKA^taN_pHE|$xj1+>dWL-;tZ=i|B&S2Hf+7+-gLi3S>AAavaw zvw3#NC_bVpb+&ai4Gs@niFYK=q;Z(Vh8a$J+PMv-pUk4}%`Hf%2kmmvC~m;TZ#qAO z>l3)x!f*zR#-d{vfOYp&Xh8Pp9ZSY$cFoPY+Gk>kdT$@PRR6HzbFblqOS1CJRn1sW zHIl4;DsngVH1`z)VaeF#Vz-KUra}BWu1j$J7p_0SMW?OJzR)t798a&`al8%ZK)h*Q z_W{Z1*vLiYfr0nG^ZYZO;9K#dZaXR!Vhr2%rM%4`Hf4DdEKjk6UVWJ!gc@2)d0Ix+O49|ybsqFTxt-!X}ozFuKT-J7tS!O zjvs>mc3k3Cp187+3k_|s?mdMX2)l~hO_|-Veq3r0bwlyGP@U|GpEnFXls<@yTRhRF zC!Tm>cux$r{`-__Am8m;h}?V@SKd%Ke%Y1Eu|M-tcO2)b4tP%GCveFY@9^o^o#MTy zyS-EcY|_I%FAaq)%4S@8V|kN#)yFAbC#svgPaUxZ4j(KJBFs+{X5ms-Hw@LpKH}#M zg-^Nn;<^)8SPAksKaAU-VHyN=6YAiP2%m+E)9vc&hM}6+NBz8^u=(e#*H3VT19LVr4U!&o*g zYiJbI#f`Y$k83e5b$qyR@LeBcs79u#&zr2%!&=0b0r(=W`*4NELYQ3*j#=`RC{MR9 zgjoh1gXQyk2jV`Bi#yJQj{4%Y-?{z$Nx)WxhQbP?j$MbB;Cd~tlW`r5D|CG7@}i^u zC}VHcBlD?708q*r=9TeWy7O~fKgM+(E_I}%QP7~Yyc)OP_@T1)n?hG9s6HXt+u0wH!vpNVm$BLGJimT4)>qQ2| 
z6V}SEaFMUPYLKMKJ8qVH4=%P6*WltT6uVLEGOD8-8U^#IdDXc6-Vbleey@xI1yDb% zfV@~~^Q{Zx55aXLF19r6jvayPU|c*4K;J9_+@p>&O`CAtkBbJty^n9j#n$05TzRLh zCCgMdioAA$aNR%xWlRDL4Tcq~S~sK>ar1F4!gZka*)>~$Yc4LnlbK + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From 345594d7f51cb7226562ed4a32ef962ce7a61188 Mon Sep 17 00:00:00 2001 From: Sadman Anik Date: Fri, 7 Feb 2025 14:47:21 +0600 Subject: [PATCH 17/30] Updated actions/checkout v3 to v4 --- code-scanning/black-duck-security-scan-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/black-duck-security-scan-ci.yml b/code-scanning/black-duck-security-scan-ci.yml index a777a04..2b47330 100644 --- a/code-scanning/black-duck-security-scan-ci.yml +++ b/code-scanning/black-duck-security-scan-ci.yml @@ -29,7 +29,7 @@ jobs: steps: - name: Checkout source - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Black Duck SCA scan uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9 with: From fcdc1287fc1cf0705620c88aebe7ed39f30648de Mon Sep 17 00:00:00 2001 From: Sadman Anik Date: Mon, 10 Feb 2025 11:43:15 +0600 Subject: [PATCH 18/30] Fixed Linting Issues --- code-scanning/black-duck-security-scan-ci.yml | 10 +++---- ...lack-duck-security-scan-ci.properties.json | 28 +++++++++---------- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/code-scanning/black-duck-security-scan-ci.yml b/code-scanning/black-duck-security-scan-ci.yml index 2b47330..c6a132b 100644 --- a/code-scanning/black-duck-security-scan-ci.yml +++ b/code-scanning/black-duck-security-scan-ci.yml 
@@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. -# Black Duck Security Action allows you to integrate Static Analysis Security Testing (SAST) and Software Composition Analysis (SCA) into your CI/CD pipelines. +# Black Duck Security Action allows you to integrate Static Analysis Security Testing (SAST) and Software Composition Analysis (SCA) into your CI/CD pipelines. # For more information about configuring your workflow, # read our documentation at https://github.com/blackduck-inc/black-duck-security-scan @@ -17,7 +17,7 @@ on: branches: [ $default-branch ] schedule: - cron: $cron-weekly - + jobs: build: runs-on: ubuntu-latest @@ -31,7 +31,7 @@ jobs: - name: Checkout source uses: actions/checkout@v4 - name: Black Duck SCA scan - uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9 + uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9 with: ### ---------- BLACKDUCK SCA SCANNING: REQUIRED FIELDS ---------- blackducksca_url: ${{ vars.BLACKDUCKSCA_URL }} @@ -46,9 +46,9 @@ jobs: polaris_server_url: ${{ vars.POLARIS_SERVER_URL }} polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }} polaris_assessment_types: "SCA,SAST" - + ### ---------- SRM SCANNING: REQUIRED FIELDS ---------- srm_url: ${{ vars.SRM_URL }} srm_apikey: ${{ secrets.SRM_API_KEY }} srm_assessment_types: "SCA,SAST" - + diff --git a/code-scanning/properties/black-duck-security-scan-ci.properties.json b/code-scanning/properties/black-duck-security-scan-ci.properties.json index 277ca27..3e196fd 100644 --- a/code-scanning/properties/black-duck-security-scan-ci.properties.json +++ b/code-scanning/properties/black-duck-security-scan-ci.properties.json 
@@ -2,21 +2,21 @@ "name": "Black Duck Security Scan Workflow", "creator": "Black Duck Software, Inc.", "description": "The Black Duck Security Scan GitHub Action allows you to configure your pipeline to run Black Duck Security Scan and take action on the security results", - "iconName": "black-duck.svg", + "iconName": "black-duck", "categories": [ - "Code Scanning", - "C", - "C++", - "C#", - "Go", - "Java", - "JavaScript", - "Ruby", - "PHP", - "Swift", - "Kotlin", - "Python", - "VB.NET", + "Code Scanning", + "C", + "C++", + "C#", + "Go", + "Java", + "JavaScript", + "Ruby", + "PHP", + "Swift", + "Kotlin", + "Python", + "VB.NET", "Objective C" ] } From f70f9c8252eb9b8f08f52c35e28be7337259bd13 Mon Sep 17 00:00:00 2001 From: Spencer Schrock Date: Mon, 24 Feb 2025 11:11:43 -0700 Subject: [PATCH 19/30] bump action versions to latest to resolve issues 1. Scorecard update v2.4.1 was released, which includes months of bug fixes and a new `file_mode` input to address a .gitattributes bug. 2. Bumped actions/upload-artifact to the v4 branch. This was previously kept at v3 as GHES doesn't support v4, but github.com no longer supports v3: as uploads return the following error "Create Artifact Container failed: The artifact name JSON file is not valid." Signed-off-by: Spencer Schrock --- code-scanning/scorecard.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index b58ec1f..9381468 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml 
@@ -32,12 +32,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1 with: results_file: results.sarif results_format: sarif @@ -56,10 +56,13 @@ jobs: # of the value entered here. publish_results: true + # (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore + # file_mode: git + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 + uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1 with: name: SARIF file path: results.sarif From 41e00af395c8dace730165ef22d546e504b5c305 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Tue, 4 Feb 2025 15:54:05 -0500 Subject: [PATCH 20/30] Limit scorecard to default branch Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- code-scanning/scorecard.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index 9381468..248c9f9 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml @@ -21,6 +21,8 @@ jobs: analysis: name: Scorecard analysis runs-on: ubuntu-latest + # This action only works when run from the default branch + if: github.event.repository.default_branch == github.ref_name permissions: # Needed to upload the results to code-scanning dashboard. security-events: write From 4a5b4939a642720a98cb0c99db033cf7722eeced Mon Sep 17 00:00:00 2001 
From: Spencer Schrock Date: Mon, 24 Feb 2025 11:19:07 -0700 Subject: [PATCH 21/30] add future looking pull_request event to conditional Scorecard currently has experimental support for the `pull_request` trigger, so we want to allow analysis to be run for it in the future. Signed-off-by: Spencer Schrock --- code-scanning/scorecard.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index 248c9f9..b5b838e 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml @@ -21,8 +21,8 @@ jobs: analysis: name: Scorecard analysis runs-on: ubuntu-latest - # This action only works when run from the default branch - if: github.event.repository.default_branch == github.ref_name + # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled. + if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request' permissions: # Needed to upload the results to code-scanning dashboard. security-events: write From dd84e34b8d9a59b95268c894e46209dfd66e5c10 Mon Sep 17 00:00:00 2001 From: Ruud Senden <8635138+rsenden@users.noreply.github.com> Date: Mon, 17 Mar 2025 22:57:43 +0100 Subject: [PATCH 22/30] Update to latest published action version --- code-scanning/fortify.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml index a72ed11..fd7b723 100644 --- a/code-scanning/fortify.yml +++ b/code-scanning/fortify.yml 
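Review bot: The rewritten comment above `if:` in the `@@ -21,8 +21,8 @@` hunk of code-scanning/scorecard.yml explains only the default-branch half of the condition. The added `|| github.event_name == 'pull_request'` clause lets the job run from any pull request ref, which reads as contradicting "only works when run from the default branch". A second comment line would state the intent, for example `# The pull_request clause keeps the job runnable for Scorecard's experimental pull_request support.` It would also help to say whether `publish_results: true` is expected to take effect on those runs, since the job requests `security-events: write`. The `analysis` job continues outside the hunk.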
@@ -55,7 +55,7 @@ jobs: # are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability # required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version # of this action, allowing your workflows to automatically benefit from any new features and bug fixes. - uses: fortify/github-action@d7cb5974c159fad242153f52f7c6fa4dda065b23 + uses: fortify/github-action@ef5539bf4bd9c45c0bd971978f635a69eae55297 with: sast-scan: true # Run a SAST scan; if not specified or set to false, no SAST scan will be run debricked-sca-scan: true # For FoD, run an open-source scan as part of the SAST scan (ignored if SAST scan From a041377b16caa5c111c5d0f367e294a1335509d0 Mon Sep 17 00:00:00 2001 From: Sean Goedecke Date: Tue, 22 Apr 2025 06:16:47 +0000 Subject: [PATCH 23/30] Add summary preview workflow --- automation/properties/summary.properties.json | 7 ++++ automation/summary.yml | 33 +++++++++++++++++++ 2 files changed, 40 insertions(+) create mode 100644 automation/properties/summary.properties.json create mode 100644 automation/summary.yml diff --git a/automation/properties/summary.properties.json b/automation/properties/summary.properties.json new file mode 100644 index 0000000..71b47c9 --- /dev/null +++ b/automation/properties/summary.properties.json @@ -0,0 +1,7 @@ +{ + "name": "AI issue summary", + "description": "Summarizes new issues", + "iconName": "octicon ai-model", + "categories": ["Automation", "SDLC"], + "labels": ["preview"] +} diff --git a/automation/summary.yml b/automation/summary.yml new file mode 100644 index 0000000..63e54ad --- /dev/null +++ b/automation/summary.yml 
@@ -0,0 +1,33 @@ +name: Summarize new issues + +on: + issues: + types: [opened] + +jobs: + summary: + runs-on: ubuntu-latest + permissions: + issues: write + models: read + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + - name: Run AI Inference + id: inference + uses: actions/ai-inference@v1 + with: + prompt: | + Summarize the following GitHub issue in one paragraph: + + Title: ${{ github.event.issue.title }} + Body: ${{ github.event.issue.body }} + + - name: Comment with AI Summary + run: | + gh issue comment $ISSUE_NUMBER --body '${{ steps.inference.outputs.response }}' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + ISSUE_NUMBER: ${{ github.event.issue.number }} \ No newline at end of file From f0c24a69515f14f466fad42696124641c5f140ff Mon Sep 17 00:00:00 2001 From: Sean Goedecke Date: Tue, 22 Apr 2025 06:21:00 +0000 Subject: [PATCH 24/30] Sentence case step names --- automation/summary.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/automation/summary.yml b/automation/summary.yml index 63e54ad..0494ce0 100644 --- a/automation/summary.yml +++ b/automation/summary.yml @@ -14,8 +14,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v3 - - - name: Run AI Inference + + - name: Run AI inference id: inference uses: actions/ai-inference@v1 with: @@ -25,7 +25,7 @@ jobs: Title: ${{ github.event.issue.title }} Body: ${{ github.event.issue.body }} - - name: Comment with AI Summary + - name: Comment with AI summary run: | gh issue comment $ISSUE_NUMBER --body '${{ steps.inference.outputs.response }}' env: From f1f24bdbc64df1e0c98745cbbd39784f5878228d Mon Sep 17 00:00:00 2001 From: Sean Goedecke Date: Tue, 22 Apr 2025 06:22:40 +0000 Subject: [PATCH 25/30] Remove newline --- automation/summary.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/automation/summary.yml b/automation/summary.yml index 0494ce0..321dcb5 100644 --- a/automation/summary.yml +++ b/automation/summary.yml 
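Review bot: The `Comment with AI summary` step in the new automation/summary.yml expands `${{ steps.inference.outputs.response }}` directly into the `run:` script, so the model's output becomes shell source before bash runs it. That output is derived from the issue title and body, which any issue author controls, and a single quote in it ends the `'...'` argument. The job holds `issues: write` and a `GH_TOKEN`, so the text should reach the script as data instead: add `RESPONSE: ${{ steps.inference.outputs.response }}` under `env:` and call `gh issue comment "$ISSUE_NUMBER" --body "$RESPONSE"`. The later hunk in PATCH 26/30 adds the `RESPONSE` variable but leaves the `run:` line unchanged, so the same point applies there.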
@@ -21,7 +21,6 @@ jobs: with: prompt: | Summarize the following GitHub issue in one paragraph: - Title: ${{ github.event.issue.title }} Body: ${{ github.event.issue.body }} From 17b8575ef8c32ef1126349d3f3500188b7818d46 Mon Sep 17 00:00:00 2001 From: Sean Goedecke Date: Tue, 22 Apr 2025 21:41:43 +0000 Subject: [PATCH 26/30] Use latest version of checkout, add permission for checkout, and use RESPONSE variable --- automation/summary.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/automation/summary.yml b/automation/summary.yml index 321dcb5..4a8e31f 100644 --- a/automation/summary.yml +++ b/automation/summary.yml @@ -10,10 +10,11 @@ jobs: permissions: issues: write models: read + contents: read steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run AI inference id: inference @@ -29,4 +30,5 @@ jobs: gh issue comment $ISSUE_NUMBER --body '${{ steps.inference.outputs.response }}' env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - ISSUE_NUMBER: ${{ github.event.issue.number }} \ No newline at end of file + ISSUE_NUMBER: ${{ github.event.issue.number }} + RESPONSE: ${{ steps.inference.outputs.response }} \ No newline at end of file From 736803bd214b740ab92c494da5ded897fb1b7d75 Mon Sep 17 00:00:00 2001 From: Sean Goedecke Date: Thu, 24 Apr 2025 10:30:31 +1000 Subject: [PATCH 27/30] Remove preview label from summary.properties.json --- automation/properties/summary.properties.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/automation/properties/summary.properties.json b/automation/properties/summary.properties.json index 71b47c9..5ff7364 100644 --- a/automation/properties/summary.properties.json +++ b/automation/properties/summary.properties.json @@ -2,6 +2,5 @@ "name": "AI issue summary", "description": "Summarizes new issues", "iconName": "octicon ai-model", - "categories": ["Automation", "SDLC"], - "labels": ["preview"] + "categories": ["Automation", "SDLC"] } 
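Review bot: In the `@@ -10,10 +10,11 @@` hunk of PATCH 26/30, `contents: read` is added to the job only so that `actions/checkout@v4` can run, yet none of the steps visible in this series reads a file from the working tree. The checkout appears to serve only to let `gh` work out which repository to comment on. If that is the case, both the step and the permission can be dropped by setting `GH_REPO: ${{ github.repository }}` in the comment step's `env:`. That leaves a job that handles untrusted issue text with `issues: write` and `models: read` only. The `steps:` list continues outside this hunk.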
From 84e227a101e0a0b8145e5b4060213bf0b88a1108 Mon Sep 17 00:00:00 2001 From: Ben De St Paer-Gotch Date: Fri, 6 Jun 2025 11:45:43 +0100 Subject: [PATCH 28/30] Update README.md --- README.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/README.md b/README.md index d8ccca4..c069342 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,24 @@ These are the workflow files for helping people get started with GitHub Actions. +### Note + +Thank you for your interest in this GitHub repo, however, right now we are not taking contributions. + +We continue to focus our resources on strategic areas that help our customers be successful while making developers' lives easier. While GitHub Actions remains a key part of this vision, we are allocating resources towards other areas of Actions and are not taking contributions to this repository at this time. The GitHub public roadmap is the best place to follow along for any updates on features we’re working on and what stage they’re in. + +We are taking the following steps to better direct requests related to GitHub Actions, including: + +1. We will be directing questions and support requests to our [Community Discussions area](https://github.com/orgs/community/discussions/categories/actions) + +2. High Priority bugs can be reported through Community Discussions or you can report these to our support team https://support.github.com/contact/bug-report. + +3. Security Issues should be handled as per our [security.md](security.md) + +We will still provide security updates for this project and fix major breaking changes during this time. + +You are welcome to still raise bugs in this repo. + ### Directory structure * [ci](ci): solutions for Continuous Integration workflows From 69b278ad65f080335071ecc1a2a2535ee182e3d0 Mon Sep 17 00:00:00 2001 
From: Mario Campos Date: Tue, 7 Oct 2025 10:11:06 -0500 Subject: [PATCH 29/30] Update CodeQL action versions to v4 in workflow configuration --- code-scanning/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index eeb0dce..c6b0d46 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -63,7 +63,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@v4 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} @@ -91,6 +91,6 @@ jobs: exit 1 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@v4 with: category: "/language:${{matrix.language}}" From 43f0e192265aa00b299d2f39ff83f1f6ba096193 Mon Sep 17 00:00:00 2001 From: Mario Campos Date: Thu, 9 Oct 2025 13:42:49 -0500 Subject: [PATCH 30/30] Add `name` to manual build step in CodeQL starter workflow --- code-scanning/codeql.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index c6b0d46..39d0d8e 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -80,7 +80,8 @@ jobs: # to build your code. # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - if: matrix.build-mode == 'manual' + - name: Run manual build steps + if: matrix.build-mode == 'manual' shell: bash run: | echo 'If you are using a "manual" build mode for one or more of the' \