diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 67a60a7..6494e8d 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -1,32 +1,55 @@ + + +## Pre-requisites + +- [ ] Prior to submitting a new workflow, please apply to join the GitHub Technology Partner Program: [partner.github.com/apply](https://partner.github.com/apply?partnershipType=Technology+Partner). --- -**Please note that at this time we are only accepting new starter workflows for Code Scanning. Updates to existing starter workflows are fine.** +### **Please note that at this time we are only accepting new starter workflows for Code Scanning. Updates to existing starter workflows are fine.** --- -In the workflow and properties files: +## Tasks -- [ ] The workflow filename of CI workflows should be the name of the language or platform, in lower case. Special characters should be removed or replaced with words as appropriate (for example, "dotnet" instead of ".NET"). +**For _all_ workflows, the workflow:** - The workflow filename of publishing workflows should be the name of the language or platform, in lower case, followed by "-publish". -- [ ] Includes a matching `ci/properties/*.properties.json` file. -- [ ] Use sentence case for the names of workflows and steps, for example "Run tests". -- [ ] The name of CI workflows should only be the name of the language or platform: for example "Go" (not "Go CI" or "Go Build") -- [ ] Include comments in the workflow for any parts that are not obvious or could use clarification. -- [ ] CI workflows should run on `push` to `branches: [ $default-branch ]` and `pull_request` to `branches: [ $default-branch ]`. +- [ ] Should be contained in a `.yml` file with the language or platform as its filename, in lower, [_kebab-cased_](https://en.wikipedia.org/wiki/Kebab_case) format (for example, [`docker-image.yml`](https://github.com/actions/starter-workflows/blob/main/ci/docker-image.yml)). Special characters should be removed or replaced with words as appropriate (for example, "dotnet" instead of ".NET"). +- [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests"). +- [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build"). +- [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification. + +**For _CI_ workflows, the workflow:** + +- [ ] Should be preserved under [the `ci` directory](https://github.com/actions/starter-workflows/tree/main/ci). +- [ ] Should include a matching `ci/properties/*.properties.json` file (for example, [`ci/properties/docker-publish.properties.json`](https://github.com/actions/starter-workflows/blob/main/ci/properties/docker-publish.properties.json)). +- [ ] Should run on `push` to `branches: [ $default-branch ]` and `pull_request` to `branches: [ $default-branch ]`. - [ ] Packaging workflows should run on `release` with `types: [ created ]`. -- [ ] Code Scanning workflows should run on `push` to `branches: [ $default-branch, $protected-branches ]` and `pull_request` to `branches: [ $default-branch ]`. We also recommend a `schedule` trigger of `cron: $cron-weekly`. +- [ ] Publishing workflows should have a filename that is the name of the language or platform, in lower case, followed by "-publish" (for example, [`docker-publish.yml`](https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml)). -Some general notes: +**For _Code Scanning_ workflows, the workflow:** -- [ ] This workflow must only use actions that are produced by GitHub, [in the `actions` organization](https://github.com/actions), **or** -- [ ] This workflow must only use actions that are produced by the language or ecosystem that the workflow supports. These actions must be [published to the GitHub Marketplace](https://github.com/marketplace?type=actions). We recommend that these actions be referenced using the full 40 character hash of the action's commit instead of a tag. Additionally, workflows must include the following comment at the top of the workflow file: +- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/ci). +- [ ] Should include a matching `code-scanning/properties/*.properties.json` file (for example, [`code-scanning/properties/codeql.properties.json`](https://github.com/actions/starter-workflows/blob/main/code-scanning/properties/codeql.properties.json)), with properties set as follows: + - [ ] `name`: Name of the Code Scanning integration. + - [ ] `organization`: Name of the organization producing the Code Scanning integration. + - [ ] `description`: Short description of the Code Scanning integration. + - [ ] `categories`: Array of languages supported by the Code Scanning integration. + - [ ] `iconName`: Name of the SVG logo representing the Code Scanning integration. This SVG logo must be present in [the `icons` directory](https://github.com/actions/starter-workflows/tree/main/icons). +- [ ] Should run on `push` to `branches: [ $default-branch, $protected-branches ]` and `pull_request` to `branches: [ $default-branch ]`. We also recommend a `schedule` trigger of `cron: $cron-weekly` (for example, [`codeql.yml`](https://github.com/actions/starter-workflows/blob/c59b62dee0eae1f9f368b7011cf05c2fc42cf084/code-scanning/codeql.yml#L14-L21)). + +**Some general notes:** + +- [ ] This workflow must _only_ use actions that are produced by GitHub, [in the `actions` organization](https://github.com/actions), **or** +- [ ] This workflow must _only_ use actions that are produced by the language or ecosystem that the workflow supports. These actions must be [published to the GitHub Marketplace](https://github.com/marketplace?type=actions). We require that these actions be referenced using the full 40 character hash of the action's commit instead of a tag. Additionally, workflows must include the following comment at the top of the workflow file: ``` # This workflow uses actions that are not certified by GitHub. # They are provided by a third-party and are governed by diff --git a/.github/workflows/sync_ghes.yaml b/.github/workflows/sync_ghes.yaml index aa5e741..a3c298a 100644 --- a/.github/workflows/sync_ghes.yaml +++ b/.github/workflows/sync_ghes.yaml @@ -14,7 +14,7 @@ jobs: git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/* git config user.email "cschleiden@github.com" git config user.name "GitHub Actions" - - uses: actions/setup-node@v1 + - uses: actions/setup-node@v2 with: node-version: '12' - name: Check starter workflows for GHES compat diff --git a/.github/workflows/validate-data.yaml b/.github/workflows/validate-data.yaml index 20eee71..745bc25 100644 --- a/.github/workflows/validate-data.yaml +++ b/.github/workflows/validate-data.yaml @@ -10,7 +10,7 @@ jobs: steps: - uses: actions/checkout@v2 - - uses: actions/setup-node@v1 + - uses: actions/setup-node@v2 with: node-version: "12" diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index c9e8299..2a0e55f 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -19,6 +19,6 @@ Before merging a new workflow, the following requirements need to be met: - There are many programming languages and tools out there. Right now we don't have a page that allows for a really large number of workflows, so we do have to be a little choosy about what we accept. Less popular tools or languages might not be accepted. - Automation and CI workflows should not send data to any 3rd party service except for the purposes of installing dependencies. - Automation and CI workflows cannot be dependent on a paid service or product. -- We recommend that Actions outside of the `actions` organization be pinned to a specific SHA. +- We require that Actions outside of the `actions` organization be pinned to a specific SHA. Thank you diff --git a/ci/alibabacloud.yml b/ci/alibabacloud.yml new file mode 100644 index 0000000..9ccc033 --- /dev/null +++ b/ci/alibabacloud.yml @@ -0,0 +1,119 @@ +# This workflow will build and push a new container image to Alibaba Cloud Container Registry (ACR), +# and then will deploy it to Alibaba Cloud Container Service for Kubernetes (ACK), when a release is created. +# +# To use this workflow, you will need to complete the following set-up steps: +# +# 1. Create an ACR repository to store your container images. +# You can use ACR EE instance for more security and better performance. +# For instructions see https://www.alibabacloud.com/help/doc-detail/142168.htm +# +# 2. Create an ACK cluster to run your containerized application. +# You can use ACK Pro cluster for more security and better performance. +# For instructions see https://www.alibabacloud.com/help/doc-detail/95108.htm +# +# 3. Store your AccessKey pair in GitHub Actions secrets named `ACCESS_KEY_ID` and `ACCESS_KEY_SECRET`. +# For instructions on setting up secrets see: https://developer.github.com/actions/managing-workflows/storing-secrets/ +# +# 4. Change the values for the REGION_ID, REGISTRY, NAMESPACE, IMAGE, ACK_CLUSTER_ID, and ACK_DEPLOYMENT_NAME. +# + +name: Build and Deploy to ACK + +on: + release: + types: [created] + +# Environment variables available to all jobs and steps in this workflow. +env: + REGION_ID: cn-hangzhou + REGISTRY: registry.cn-hangzhou.aliyuncs.com + NAMESPACE: namespace + IMAGE: repo + TAG: ${{ github.sha }} + ACK_CLUSTER_ID: clusterID + ACK_DEPLOYMENT_NAME: nginx-deployment + + ACR_EE_REGISTRY: myregistry.cn-hangzhou.cr.aliyuncs.com + ACR_EE_INSTANCE_ID: instanceID + ACR_EE_NAMESPACE: namespace + ACR_EE_IMAGE: repo + ACR_EE_TAG: ${{ github.sha }} + +jobs: + build: + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v2 + + # 1.1 Login to ACR + - name: Login to ACR with the AccessKey pair + uses: aliyun/acr-login@v1 + with: + region-id: "${{ env.REGION_ID }}" + access-key-id: "${{ secrets.ACCESS_KEY_ID }}" + access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}" + + # 1.2 Buid and push image to ACR + - name: Build and push image to ACR + run: | + docker build --tag "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" . + docker push "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" + + # 1.3 Scan image in ACR + - name: Scan image in ACR + uses: aliyun/acr-scan@v1 + with: + region-id: "${{ env.REGION_ID }}" + access-key-id: "${{ secrets.ACCESS_KEY_ID }}" + access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}" + repository: "${{ env.NAMESPACE }}/${{ env.IMAGE }}" + tag: "${{ env.TAG }}" + + # 2.1 (Optional) Login to ACR EE + - uses: actions/checkout@v2 + - name: Login to ACR EE with the AccessKey pair + uses: aliyun/acr-login@v1 + with: + login-server: "https://${{ env.ACR_EE_REGISTRY }}" + region-id: "${{ env.REGION_ID }}" + access-key-id: "${{ secrets.ACCESS_KEY_ID }}" + access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}" + instance-id: "${{ env.ACR_EE_INSTANCE_ID }}" + + # 2.2 (Optional) Build and push image ACR EE + - name: Build and push image to ACR EE + run: | + docker build -t "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG" . + docker push "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG" + # 2.3 (Optional) Scan image in ACR EE + - name: Scan image in ACR EE + uses: aliyun/acr-scan@v1 + with: + region-id: "${{ env.REGION_ID }}" + access-key-id: "${{ secrets.ACCESS_KEY_ID }}" + access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}" + instance-id: "${{ env.ACR_EE_INSTANCE_ID }}" + repository: "${{ env.ACR_EE_NAMESPACE}}/${{ env.ACR_EE_IMAGE }}" + tag: "${{ env.ACR_EE_TAG }}" + + # 3.1 Set ACK context + - name: Set K8s context + uses: aliyun/ack-set-context@v1 + with: + access-key-id: "${{ secrets.ACCESS_KEY_ID }}" + access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}" + cluster-id: "${{ env.ACK_CLUSTER_ID }}" + + # 3.2 Deploy the image to the ACK cluster + - name: Set up Kustomize + run: |- + curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash /dev/stdin 3.8.6 + - name: Deploy + run: |- + ./kustomize edit set image REGISTRY/NAMESPACE/IMAGE:TAG=$REGISTRY/$NAMESPACE/$IMAGE:$TAG + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$ACK_DEPLOYMENT_NAME + kubectl get services -o wide diff --git a/ci/android.yml b/ci/android.yml index 6954a61..4bbc689 100644 --- a/ci/android.yml +++ b/ci/android.yml @@ -13,10 +13,12 @@ jobs: steps: - uses: actions/checkout@v2 - - name: set up JDK 1.8 - uses: actions/setup-java@v1 + - name: set up JDK 11 + uses: actions/setup-java@v2 with: - java-version: 1.8 + java-version: '11' + distribution: 'adopt' + - name: Grant execute permission for gradlew run: chmod +x gradlew - name: Build with Gradle diff --git a/ci/ant.yml b/ci/ant.yml index 28fe6d0..655a94c 100644 --- a/ci/ant.yml +++ b/ci/ant.yml @@ -16,9 +16,10 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up JDK 1.8 - uses: actions/setup-java@v1 + - name: Set up JDK 11 + uses: actions/setup-java@v2 with: - java-version: 1.8 + java-version: '11' + distribution: 'adopt' - name: Build with Ant run: ant -noinput -buildfile build.xml diff --git a/ci/aws.yml b/ci/aws.yml index 40094ae..8b10116 100644 --- a/ci/aws.yml +++ b/ci/aws.yml @@ -33,6 +33,7 @@ jobs: deploy: name: Deploy runs-on: ubuntu-latest + environment: production steps: - name: Checkout @@ -77,4 +78,4 @@ jobs: task-definition: ${{ steps.task-def.outputs.task-definition }} service: sample-app-service cluster: default - wait-for-service-stability: true \ No newline at end of file + wait-for-service-stability: true diff --git a/ci/azure.yml b/ci/azure.yml index 5842381..0262b49 100644 --- a/ci/azure.yml +++ b/ci/azure.yml @@ -28,10 +28,11 @@ jobs: build-and-deploy: name: Build and Deploy runs-on: ubuntu-latest + environment: production steps: - uses: actions/checkout@v2 - name: Use Node.js ${{ env.NODE_VERSION }} - uses: actions/setup-node@v1 + uses: actions/setup-node@v2 with: node-version: ${{ env.NODE_VERSION }} - name: npm install, build, and test diff --git a/ci/dart.yml b/ci/dart.yml index 138921f..7486577 100644 --- a/ci/dart.yml +++ b/ci/dart.yml @@ -1,3 +1,8 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + name: Dart on: @@ -10,18 +15,14 @@ jobs: build: runs-on: ubuntu-latest - # Note that this workflow uses the latest stable version of the Dart SDK. - # Docker images for other release channels - like dev and beta - are also - # available. See https://hub.docker.com/r/google/dart/ for the available - # images. - container: - image: google/dart:latest - steps: - uses: actions/checkout@v2 - - name: Print Dart SDK version - run: dart --version + # Note: This workflow uses the latest stable version of the Dart SDK. + # You can specify other versions if desired, see documentation here: + # https://github.com/dart-lang/setup-dart/blob/main/README.md + # - uses: dart-lang/setup-dart@v1 + - uses: dart-lang/setup-dart@9a04e6d73cca37bd455e0608d7e5092f881fd603 - name: Install dependencies run: dart pub get diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index 480be78..25af736 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -71,7 +71,7 @@ jobs: - name: Install .NET Core uses: actions/setup-dotnet@v1 with: - dotnet-version: 3.1.101 + dotnet-version: 5.0.x # Add MSBuild to the PATH: https://github.com/microsoft/setup-msbuild - name: Setup MSBuild.exe diff --git a/ci/dotnet.yml b/ci/dotnet.yml index aa0a093..c31cf68 100644 --- a/ci/dotnet.yml +++ b/ci/dotnet.yml @@ -16,7 +16,7 @@ jobs: - name: Setup .NET uses: actions/setup-dotnet@v1 with: - dotnet-version: 3.1.301 + dotnet-version: 5.0.x - name: Restore dependencies run: dotnet restore - name: Build diff --git a/ci/elixir.yml b/ci/elixir.yml index 76dd26d..3f64657 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -15,7 +15,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: Set up Elixir - uses: actions/setup-elixir@v1 + uses: erlef/setup-elixir@885971a72ed1f9240973bd92ab57af8c1aa68f24 with: elixir-version: '1.10.3' # Define the elixir version [required] otp-version: '22.3' # Define the OTP version [required] diff --git a/ci/google.yml b/ci/google.yml index cc3cffb..5e803ed 100644 --- a/ci/google.yml +++ b/ci/google.yml @@ -27,6 +27,7 @@ jobs: setup-build-publish-deploy: name: Setup, Build, Publish, and Deploy runs-on: ubuntu-latest + environment: production steps: - name: Checkout diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index cec487e..ef99e13 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -1,5 +1,5 @@ # This workflow will build a package using Gradle and then publish it to GitHub packages when a release is created -# For more information see: https://github.com/actions/setup-java#publishing-using-gradle +# For more information see: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#Publishing-using-gradle name: Gradle Package @@ -14,10 +14,11 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up JDK 1.8 - uses: actions/setup-java@v1 + - name: Set up JDK 11 + uses: actions/setup-java@v2 with: - java-version: 1.8 + java-version: '11' + distribution: 'adopt' server-id: github # Value of the distributionManagement/repository/id field of the pom.xml settings-path: ${{ github.workspace }} # location for the settings.xml file diff --git a/ci/gradle.yml b/ci/gradle.yml index 4550f58..6e7e922 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -16,10 +16,11 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up JDK 1.8 - uses: actions/setup-java@v1 + - name: Set up JDK 11 + uses: actions/setup-java@v2 with: - java-version: 1.8 + java-version: '11' + distribution: 'adopt' - name: Grant execute permission for gradlew run: chmod +x gradlew - name: Build with Gradle diff --git a/ci/ibm.yml b/ci/ibm.yml index 8af050f..a8502cd 100644 --- a/ci/ibm.yml +++ b/ci/ibm.yml @@ -28,6 +28,7 @@ jobs: setup-build-publish-deploy: name: Setup, Build, Publish, and Deploy runs-on: ubuntu-latest + environment: production steps: - name: Checkout diff --git a/ci/jekyll.yml b/ci/jekyll.yml index 9449a6e..71920c1 100644 --- a/ci/jekyll.yml +++ b/ci/jekyll.yml @@ -17,4 +17,4 @@ jobs: run: | docker run \ -v ${{ github.workspace }}:/srv/jekyll -v ${{ github.workspace }}/_site:/srv/jekyll/_site \ - jekyll/builder:latest /bin/bash -c "chmod 777 /srv/jekyll && jekyll build --future" + jekyll/builder:latest /bin/bash -c "chmod -R 777 /srv/jekyll && jekyll build --future" diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml index fb1c7ee..c3f4855 100644 --- a/ci/maven-publish.yml +++ b/ci/maven-publish.yml @@ -1,5 +1,5 @@ # This workflow will build a package using Maven and then publish it to GitHub packages when a release is created -# For more information see: https://github.com/actions/setup-java#apache-maven-with-a-settings-path +# For more information see: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#apache-maven-with-a-settings-path name: Maven Package @@ -14,10 +14,11 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up JDK 1.8 - uses: actions/setup-java@v1 + - name: Set up JDK 11 + uses: actions/setup-java@v2 with: - java-version: 1.8 + java-version: '11' + distribution: 'adopt' server-id: github # Value of the distributionManagement/repository/id field of the pom.xml settings-path: ${{ github.workspace }} # location for the settings.xml file @@ -27,4 +28,4 @@ jobs: - name: Publish to GitHub Packages Apache Maven run: mvn deploy -s $GITHUB_WORKSPACE/settings.xml env: - GITHUB_TOKEN: ${{ github.token }} \ No newline at end of file + GITHUB_TOKEN: ${{ github.token }} diff --git a/ci/maven.yml b/ci/maven.yml index a46556a..923425b 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -16,9 +16,10 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up JDK 1.8 - uses: actions/setup-java@v1 + - name: Set up JDK 11 + uses: actions/setup-java@v2 with: - java-version: 1.8 + java-version: '11' + distribution: 'adopt' - name: Build with Maven run: mvn -B package --file pom.xml diff --git a/ci/node.js.yml b/ci/node.js.yml index 632c1a6..06cd54b 100644 --- a/ci/node.js.yml +++ b/ci/node.js.yml @@ -22,7 +22,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v1 + uses: actions/setup-node@v2 with: node-version: ${{ matrix.node-version }} - run: npm ci diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index b460edc..1b4952d 100644 --- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - - uses: actions/setup-node@v1 + - uses: actions/setup-node@v2 with: node-version: 12 - run: npm ci @@ -23,7 +23,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - - uses: actions/setup-node@v1 + - uses: actions/setup-node@v2 with: node-version: 12 registry-url: https://registry.npmjs.org/ @@ -37,7 +37,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - - uses: actions/setup-node@v1 + - uses: actions/setup-node@v2 with: node-version: 12 registry-url: $registry-url(npm) diff --git a/ci/openshift.yml b/ci/openshift.yml index d34131f..3e39dea 100644 --- a/ci/openshift.yml +++ b/ci/openshift.yml @@ -27,6 +27,7 @@ # For a more sophisticated example, see https://github.com/redhat-actions/spring-petclinic/blob/main/.github/workflows/petclinic-sample.yaml # Also see our GitHub organization, https://github.com/redhat-actions/ +# ▶️ See a video of how to set up this workflow at https://www.youtube.com/watch?v=6hgBO-1pKho name: OpenShift @@ -63,9 +64,45 @@ on: jobs: openshift-ci-cd: name: Build and deploy to OpenShift - runs-on: ubuntu-20.04 + runs-on: ubuntu-18.04 + environment: production + + outputs: + ROUTE: ${{ steps.deploy-and-expose.outputs.route }} + SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} steps: + - name: Check if secrets exists + uses: actions/github-script@v3 + with: + script: | + const secrets = { + REGISTRY_PASSWORD: `${{ secrets.REGISTRY_PASSWORD }}`, + OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`, + OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`, + }; + + const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => { + if (value.length === 0) { + core.warning(`Secret "${name}" is not set`); + return true; + } + core.info(`✔️ Secret "${name}" is set`); + return false; + + }); + + if (missingSecrets.length > 0) { + core.setFailed(`❌ At least one required secret is not set in the repository. \n` + + "You can add it using:\n" + + "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" + + "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" + + "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example"); + } + else { + core.info(`✅ All the required secrets are set`); + } + - uses: actions/checkout@v2 - name: Determine app name @@ -80,12 +117,13 @@ jobs: # https://github.com/redhat-actions/buildah-build#readme - name: Build from Dockerfile - uses: redhat-actions/buildah-build@v1 + id: image-build + uses: redhat-actions/buildah-build@v2 with: image: ${{ env.APP_NAME }} - tag: ${{ env.TAG }} + tags: ${{ env.TAG }} # If you don't have a dockerfile, see: - # https://github.com/redhat-actions/buildah-build#building-from-scratch + # https://github.com/redhat-actions/buildah-build#scratch-build-inputs # Otherwise, point this to your Dockerfile relative to the repository root. dockerfiles: | ./Dockerfile @@ -93,10 +131,10 @@ jobs: # https://github.com/redhat-actions/push-to-registry#readme - name: Push to registry id: push-to-registry - uses: redhat-actions/push-to-registry@v1 + uses: redhat-actions/push-to-registry@v2 with: - image: ${{ env.APP_NAME }} - tag: ${{ env.TAG }} + image: ${{ steps.image-build.outputs.image }} + tags: ${{ steps.image-build.outputs.tags }} registry: ${{ env.REGISTRY }} username: ${{ env.REGISTRY_USER }} password: ${{ env.REGISTRY_PASSWORD }} @@ -117,30 +155,15 @@ jobs: namespace: ${{ env.OPENSHIFT_NAMESPACE }} # This step should create a deployment, service, and route to run your app and expose it to the internet. - # Feel free to replace this with 'oc apply', 'helm install', or however you like to deploy your app. + # https://github.com/redhat-actions/oc-new-app#readme - name: Create and expose app - run: | - export IMAGE="${{ steps.push-to-registry.outputs.registry-path }}" - export PORT=${{ env.APP_PORT }} - - export SELECTOR="app=${{ env.APP_NAME }}" - echo "SELECTOR=$SELECTOR" >> $GITHUB_ENV - - set -x - # Take down any old deployment - oc delete all --selector="$SELECTOR" - oc new-app --name $APP_NAME --docker-image="$IMAGE" - - # Make sure the app port is exposed - oc patch svc $APP_NAME -p "{ \"spec\": { \"ports\": [{ \"name\": \"$PORT-tcp\", \"port\": $PORT }] } }" - oc expose service $APP_NAME --port=$PORT - - oc get all --selector="$SELECTOR" - set +x - - export ROUTE="$(oc get route $APP_NAME -o jsonpath='{.spec.host}')" - echo "$APP_NAME is exposed at $ROUTE" - echo "ROUTE=$ROUTE" >> $GITHUB_ENV + id: deploy-and-expose + uses: redhat-actions/oc-new-app@v1 + with: + app_name: ${{ env.APP_NAME }} + image: ${{ steps.push-to-registry.outputs.registry-path }} + namespace: ${{ env.OPENSHIFT_NAMESPACE }} + port: ${{ env.APP_PORT }} - name: View application route run: | @@ -150,3 +173,6 @@ jobs: echo "===================================================================================" echo echo "Your app can be taken down with: \"oc delete all --selector='${{ env.SELECTOR }}'\"" + env: + ROUTE: ${{ steps.deploy-and-expose.outputs.route }} + SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} diff --git a/ci/php.yml b/ci/php.yml index 5053b43..6acfdd1 100644 --- a/ci/php.yml +++ b/ci/php.yml @@ -15,7 +15,7 @@ jobs: - uses: actions/checkout@v2 - name: Validate composer.json and composer.lock - run: composer validate + run: composer validate --strict - name: Cache Composer packages id: composer-cache @@ -27,8 +27,7 @@ jobs: ${{ runner.os }}-php- - name: Install dependencies - if: steps.composer-cache.outputs.cache-hit != 'true' - run: composer install --prefer-dist --no-progress --no-suggest + run: composer install --prefer-dist --no-progress # Add a test script to composer.json, for instance: "test": "vendor/bin/phpunit" # Docs: https://getcomposer.org/doc/articles/scripts.md diff --git a/ci/properties/alibabacloud.properties.json b/ci/properties/alibabacloud.properties.json new file mode 100644 index 0000000..bbee6df --- /dev/null +++ b/ci/properties/alibabacloud.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to Alibaba Cloud ACK", + "description": "Deploy a container to Alibaba Cloud Container Service for Kubernetes (ACK).", + "creator": "Alibaba Cloud", + "iconName": "alibabacloud", + "categories": null +} diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 4e1ef42..1a03a7b 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -1,4 +1,4 @@ -# This workflows will upload a Python Package using Twine when a release is created +# This workflow will upload a Python Package using Twine when a release is created # For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries name: Upload Python Package diff --git a/ci/scala.yml b/ci/scala.yml index 96bfc70..4a3c112 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -13,9 +13,10 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up JDK 1.8 - uses: actions/setup-java@v1 + - name: Set up JDK 11 + uses: actions/setup-java@v2 with: - java-version: 1.8 + java-version: '11' + distribution: 'adopt' - name: Run tests run: sbt test diff --git a/ci/tencent.yml b/ci/tencent.yml index 2d4ad03..1a059a6 100644 --- a/ci/tencent.yml +++ b/ci/tencent.yml @@ -30,6 +30,7 @@ jobs: setup-build-publish-deploy: name: Setup, Build, Publish, and Deploy runs-on: ubuntu-latest + environment: production steps: - name: Checkout diff --git a/ci/terraform.yml b/ci/terraform.yml index e6cf027..589f1f3 100644 --- a/ci/terraform.yml +++ b/ci/terraform.yml @@ -54,6 +54,7 @@ jobs: terraform: name: 'Terraform' runs-on: ubuntu-latest + environment: production # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest defaults: diff --git a/code-scanning/README.md b/code-scanning/README.md index 5b910da..076d57c 100644 --- a/code-scanning/README.md +++ b/code-scanning/README.md @@ -1,4 +1,3 @@ # Code Scanning Workflows -GitHub code scanning is a developer-first, GitHub-native approach to easily find security vulnerabilities before they reach production. Before you can configure code scanning for a repository, you must enable code scanning by adding a GitHub Actions workflow to the repository. For more information, see [Enabling Code Scanning for a repository](/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository). - +GitHub code scanning is a developer-first, GitHub-native approach to easily find security vulnerabilities before they reach production. Before you can configure code scanning for a repository, you must enable code scanning by adding a GitHub Actions workflow to the repository. For more information, see [Setting up code scanning for a repository](https://docs.github.com/en/code-security/secure-coding/setting-up-code-scanning-for-a-repository). diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml new file mode 100644 index 0000000..8d3d0eb --- /dev/null +++ b/code-scanning/kubesec.yml @@ -0,0 +1,37 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Kubesec + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + lint: + name: Kubesec + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Run kubesec scanner + uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 + with: + input: file.yaml # specify configuration file to scan here + format: template + template: template/sarif.tpl + output: kubesec-results.sarif + exit-code: "0" + + - name: Upload Kubesec scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: kubesec-results.sarif \ No newline at end of file diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml new file mode 100644 index 0000000..1601ff5 --- /dev/null +++ b/code-scanning/mayhem-for-api.yml @@ -0,0 +1,62 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# This workflow starts your API and fuzzes it with ForAllSecure Mayhem for API +# to find reliability, performance and security issues before they reach +# production. +# +# To use this workflow, you will need to: +# +# 1. Create a Mayhem for API account at +# https://mayhem4api.forallsecure.com/signup (30-day free trial) +# +# 2. Create a service account token `mapi organization service-account create +# ` +# +# 3. Add the service account token as a secret in GitHub called "MAPI_TOKEN" +# +# 4. Update the "Start your API" step to run your API in the background before +# starting the Mayhem for API scan, and update the `api-url` & `api-spec` +# field. +# +# If you have any questions, please contact us at mayhem4api@forallsecure.com + +name: "Mayhem for API" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + +jobs: + mayhem-for-api: + name: Mayhem for API + # Mayhem for API runs on linux, mac and windows + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + # Run your API in the background. Ideally, the API would run in debug + # mode & send stacktraces back on "500 Internal Server Error" responses + # (don't do this in production though!) + - name: Start your API + run: ./run_your_api.sh & # <- ✏️ update this + + - name: Mayhem for API + uses: ForAllSecure/mapi-action@193b709971cc377675e33284aecbf9229853e010 + continue-on-error: true + with: + mapi-token: ${{ secrets.MAPI_TOKEN }} + api-url: http://localhost:8080 # <- ✏️ update this + api-spec: http://localhost:8080/openapi.json # <- ✏️ update this + duration: 60 + sarif-report: mapi.sarif + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: mapi.sarif diff --git a/code-scanning/properties/kubesec.properties.json b/code-scanning/properties/kubesec.properties.json new file mode 100644 index 0000000..66d5619 --- /dev/null +++ b/code-scanning/properties/kubesec.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Kubesec", + "creator": "Controlplane", + "description": "Security risk analysis for Kubernetes resources. Submit pod-types (such as deployment, cronjob) to receive an itemised security risk score.", + "iconName": "kubesec", + "categories": ["Code Scanning"] +} diff --git a/code-scanning/properties/mayhem-for-api.properties.json b/code-scanning/properties/mayhem-for-api.properties.json new file mode 100644 index 0000000..b700dae --- /dev/null +++ b/code-scanning/properties/mayhem-for-api.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Mayhem for API", + "creator": "ForAllSecure", + "description": "Automatically test your REST APIs with your OpenAPI specs and Postman collections.", + "iconName": "mayhem-for-api", + "categories": ["Code Scanning", "C#", "Go", "Java", "Scala", "JavaScript", "TypeScript", "Ruby", "PHP", "Swift", "Kotlin" , "Python", "Rust", "Objective C"] +} diff --git a/code-scanning/properties/synopsys-io.properties.json b/code-scanning/properties/synopsys-io.properties.json new file mode 100644 index 0000000..ea7fae7 --- /dev/null +++ b/code-scanning/properties/synopsys-io.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Synopsys Intelligent Security Scan Action", + "creator": "Synopsys", + "description": "The Synopsys Intelligent Security Scan Action helps selectively perform SAST and SCA scans, triggered during a variety of GitHub Platform events", + "iconName": "synopsys-io", + "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "Ruby", "PHP", "Swift", "Kotlin" , "Python", "VB.NET", "Objective C"] +} diff --git a/code-scanning/properties/tfsec.properties.json b/code-scanning/properties/tfsec.properties.json new file mode 100644 index 0000000..6796d79 --- /dev/null +++ b/code-scanning/properties/tfsec.properties.json @@ -0,0 +1,7 @@ +{ + "name": "tfsec", + "creator": "tfsec", + "description": "A static analysis security scanner for your Terraform code. Discover problems with your infrastructure before hackers do.", + "iconName": "tfsec", + "categories": ["Code Scanning", "HCL"] +} diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml new file mode 100644 index 0000000..9b5a080 --- /dev/null +++ b/code-scanning/synopsys-io.yml @@ -0,0 +1,73 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Synopsys Intelligent Security Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + - name: Synopsys Intelligent Security Scan + id: prescription + uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08 + with: + ioServerUrl: ${{secrets.IO_SERVER_URL}} + ioServerToken: ${{secrets.IO_SERVER_TOKEN}} + workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} + additionalWorkflowArgs: --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} + stage: "IO" + + # Please note that the ID in previous step was set to prescription + # in order for this logic to work also make sure that POLARIS_ACCESS_TOKEN + # is defined in settings + - name: Static Analysis with Polaris + if: ${{steps.prescription.outputs.sastScan == 'true' }} + run: | + export POLARIS_SERVER_URL=${{ secrets.POLARIS_SERVER_URL}} + export POLARIS_ACCESS_TOKEN=${{ secrets.POLARIS_ACCESS_TOKEN}} + wget -q ${{ secrets.POLARIS_SERVER_URL}}/api/tools/polaris_cli-linux64.zip + unzip -j polaris_cli-linux64.zip -d /tmp + /tmp/polaris analyze -w + + # Please note that the ID in previous step was set to prescription + # in order for this logic to work + - name: Software Composition Analysis with Black Duck + if: ${{steps.prescription.outputs.scaScan == 'true' }} + uses: blackducksoftware/github-action@9ea442b34409737f64743781e9adc71fd8e17d38 + with: + args: '--blackduck.url="${{ secrets.BLACKDUCK_URL}}" --blackduck.api.token="${{ secrets.BLACKDUCK_TOKEN}}" --detect.tools="SIGNATURE_SCAN,DETECTOR"' + + - name: Synopsys Intelligent Security Scan + if: ${{ steps.prescription.outputs.sastScan == 'true' || steps.prescription.outputs.scaScan == 'true' }} + uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08 + with: + ioServerUrl: ${{secrets.IO_SERVER_URL}} + ioServerToken: ${{secrets.IO_SERVER_TOKEN}} + workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} + additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}} + --polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} + --blackduck.project.name={{PROJECT_NAME}}:{{PROJECT_VERSION}} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}} + stage: "WORKFLOW" + + - name: Upload SARIF file + if: ${{steps.prescription.outputs.sastScan == 'true' }} + uses: github/codeql-action/upload-sarif@v1 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: workflowengine-results.sarif.json diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml new file mode 100644 index 0000000..05879a1 --- /dev/null +++ b/code-scanning/tfsec.yml @@ -0,0 +1,35 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: tfsec + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + tfsec: + name: Run tfsec sarif report + runs-on: ubuntu-latest + + steps: + - name: Clone repo + uses: actions/checkout@v2 + + - name: Run tfsec + uses: tfsec/tfsec-sarif-action@2ec44316ed27c50d48c931c3c628adc4c8bb1d2b + with: + sarif_file: tfsec.sarif + github_token: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: tfsec.sarif diff --git a/icons/alibabacloud.svg b/icons/alibabacloud.svg new file mode 100644 index 0000000..c7acdab --- /dev/null +++ b/icons/alibabacloud.svg @@ -0,0 +1 @@ +AlibabacloudLogoGithub \ No newline at end of file diff --git a/icons/kubesec.svg b/icons/kubesec.svg new file mode 100644 index 0000000..828eb09 --- /dev/null +++ b/icons/kubesec.svg @@ -0,0 +1,16 @@ + + + + + + image/svg+xml + + + + + + + + + + diff --git a/icons/mayhem-for-api.svg b/icons/mayhem-for-api.svg new file mode 100644 index 0000000..af426ff --- /dev/null +++ b/icons/mayhem-for-api.svg @@ -0,0 +1,19 @@ + + + + + + + + + + + + + + + + + + + diff --git a/icons/synopsys-io.svg b/icons/synopsys-io.svg new file mode 100644 index 0000000..764a3be --- /dev/null +++ b/icons/synopsys-io.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/icons/tfsec.svg b/icons/tfsec.svg new file mode 100644 index 0000000..60b6014 --- /dev/null +++ b/icons/tfsec.svg @@ -0,0 +1,36 @@ + +image/svg+xml \ No newline at end of file