From a88b31b693bd5c861d974f4e0b0bd79efd9c0633 Mon Sep 17 00:00:00 2001 From: ljing Date: Fri, 11 Dec 2020 22:49:36 +0800 Subject: [PATCH 01/57] Create alibabacloud.yml This workflow will build and push a new container image to Alibaba Cloud Container Reigstry (ACR), and then will deploy it to Alibaba Cloud Container Service for Kubernetes (ACK), when a release is created. --- ci/alibabacloud.yml | 118 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 118 insertions(+) create mode 100644 ci/alibabacloud.yml diff --git a/ci/alibabacloud.yml b/ci/alibabacloud.yml new file mode 100644 index 0000000..2226613 --- /dev/null +++ b/ci/alibabacloud.yml @@ -0,0 +1,118 @@ +# This workflow will build and push a new container image to Alibaba Cloud Container Reigstry (ACR), +# and then will deploy it to Alibaba Cloud Container Service for Kubernetes (ACK), when a release is created. +# +# To use this workflow, you will need to complete the following set-up steps: +# +# 1. Create an ACR repository to store your container images. +# You can use ACR EE instance for more security and better performance. +# For instructions see https://www.alibabacloud.com/help/doc-detail/142168.htm +# +# 2. Create an ACK cluster to run your containerized application. +# You can use ACK Pro cluster for more security and better performance. +# For instructions see https://www.alibabacloud.com/help/doc-detail/95108.htm +# +# 3. Store your AccessKey pair in GitHub Actions secrets named `ACCESS_KEY_ID` and `ACCESS_KEY_SECRET`. +# For instructions on setting up secrets see: https://developer.github.com/actions/managing-workflows/storing-secrets/ +# +# 4. Change the values for the REGION_ID, REGISTRY, NAMESPACE, IMAGE, ACK_CLUSTER_ID, and ACK_DEPLOYMENT_NAME. +# + +name: Build and Deploy to ACK + +on: + release: + types: [created] + +# Environment variables available to all jobs and steps in this workflow. +env: + REGION_ID: cn-hangzhou + REGISTRY: registry.cn-hangzhou.aliyuncs.com + NAMESPACE: namespace + IMAGE: repo + TAG: ${{ github.sha }} + ACK_CLUSTER_ID: clusterID + ACK_DEPLOYMENT_NAME: nginx-deployment + + ACR_EE_REGISTRY: myregistry.cn-hangzhou.cr.aliyuncs.com + ACR_EE_INSTANCE_ID: instanceID + ACR_EE_NAMESPACE: namespace + ACR_EE_IMAGE: repo + ACR_EE_TAG: ${{ github.sha }} + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v2 + + # 1.1 Login to ACR + - name: Login to ACR with the AccessKey pair + uses: aliyun/acr-login@v1 + with: + region-id: "${{ env.REGION_ID }}" + access-key-id: "${{ secrets.ACCESS_KEY_ID }}" + access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}" + + # 1.2 Buid and push image to ACR + - name: Build and push image to ACR + run: | + docker build --tag "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" . + docker push "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" + + # 1.3 Scan image in ACR + - name: Scan image in ACR + uses: aliyun/acr-scan@v1 + with: + region-id: "${{ env.REGION_ID }}" + access-key-id: "${{ secrets.ACCESS_KEY_ID }}" + access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}" + repository: "${{ env.NAMESPACE }}/${{ env.IMAGE }}" + tag: "${{ env.TAG }}" + + # 2.1 (Optional) Login to ACR EE + - uses: actions/checkout@v2 + - name: Login to ACR EE with the AccessKey pair + uses: aliyun/acr-login@v1 + with: + login-server: "https://${{ env.ACR_EE_REGISTRY }}" + region-id: "${{ env.REGION_ID }}" + access-key-id: "${{ secrets.ACCESS_KEY_ID }}" + access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}" + instance-id: "${{ env.ACR_EE_INSTANCE_ID }}" + + # 2.2 (Optional) Build and push image ACR EE + - name: Build and push image to ACR EE + run: | + docker build -t "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG" . + docker push "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG" + # 2.3 (Optional) Scan image in ACR EE + - name: Scan image in ACR EE + uses: aliyun/acr-scan@v1 + with: + region-id: "${{ env.REGION_ID }}" + access-key-id: "${{ secrets.ACCESS_KEY_ID }}" + access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}" + instance-id: "${{ env.ACR_EE_INSTANCE_ID }}" + repository: "${{ env.ACR_EE_NAMESPACE}}/${{ env.ACR_EE_IMAGE }}" + tag: "${{ env.ACR_EE_TAG }}" + + # 3.1 Set ACK context + - name: Set K8s context + uses: aliyun/ack-set-context@v1 + with: + access-key-id: "${{ secrets.ACCESS_KEY_ID }}" + access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}" + cluster-id: "${{ env.ACK_CLUSTER_ID }}" + + # 3.2 Deploy the image to the ACK cluster + - name: Set up Kustomize + run: |- + curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash /dev/stdin 3.8.6 + - name: Deploy + run: |- + ./kustomize edit set image REGISTRY/NAMESPACE/IMAGE:TAG=$REGISTRY/$NAMESPACE/$IMAGE:$TAG + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$ACK_DEPLOYMENT_NAME + kubectl get services -o wide From a921a9e19d1a3e6bf74ec10808dd9ad38bc5a34a Mon Sep 17 00:00:00 2001 From: ljing Date: Fri, 11 Dec 2020 23:02:57 +0800 Subject: [PATCH 02/57] Update alibabacloud.yml --- ci/alibabacloud.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/alibabacloud.yml b/ci/alibabacloud.yml index 2226613..5d457d6 100644 --- a/ci/alibabacloud.yml +++ b/ci/alibabacloud.yml @@ -1,4 +1,4 @@ -# This workflow will build and push a new container image to Alibaba Cloud Container Reigstry (ACR), +# This workflow will build and push a new container image to Alibaba Cloud Container Registry (ACR), # and then will deploy it to Alibaba Cloud Container Service for Kubernetes (ACK), when a release is created. # # To use this workflow, you will need to complete the following set-up steps: From b3f8b48094362f3348ce6b9906b17bc58f6284cc Mon Sep 17 00:00:00 2001 From: ljing Date: Fri, 11 Dec 2020 23:17:45 +0800 Subject: [PATCH 03/57] Create alibabacloud.properties.json --- alibabacloud.properties.json | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 alibabacloud.properties.json diff --git a/alibabacloud.properties.json b/alibabacloud.properties.json new file mode 100644 index 0000000..67de4c1 --- /dev/null +++ b/alibabacloud.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to Alibaba Cloud ACK", + "description": "Deploy a container to Alibaba Cloud Container Service for Kubernetes (ACK).", + "creator": "Alibaba Cloud", + "iconName": "acr", + "categories": null +} From 08c2049aede657b06d8e398a0bc0b192cdf0d5bd Mon Sep 17 00:00:00 2001 From: ljing Date: Fri, 11 Dec 2020 23:26:26 +0800 Subject: [PATCH 04/57] Create alibabacloud.properties.json --- ci/properties/alibabacloud.properties.json | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 ci/properties/alibabacloud.properties.json diff --git a/ci/properties/alibabacloud.properties.json b/ci/properties/alibabacloud.properties.json new file mode 100644 index 0000000..bbee6df --- /dev/null +++ b/ci/properties/alibabacloud.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to Alibaba Cloud ACK", + "description": "Deploy a container to Alibaba Cloud Container Service for Kubernetes (ACK).", + "creator": "Alibaba Cloud", + "iconName": "alibabacloud", + "categories": null +} From 90f8fd731d8251d8e803773036ddb9a817623548 Mon Sep 17 00:00:00 2001 From: ljing Date: Fri, 11 Dec 2020 23:39:46 +0800 Subject: [PATCH 05/57] Add icon --- icons/alibabacloud.svg | 1 + 1 file changed, 1 insertion(+) create mode 100644 icons/alibabacloud.svg diff --git a/icons/alibabacloud.svg b/icons/alibabacloud.svg new file mode 100644 index 0000000..c7acdab --- /dev/null +++ b/icons/alibabacloud.svg @@ -0,0 +1 @@ +AlibabacloudLogoGithub \ No newline at end of file From 14547bfc7977a2c28ac1914328643a671778dd7a Mon Sep 17 00:00:00 2001 From: ljing Date: Fri, 11 Dec 2020 23:40:14 +0800 Subject: [PATCH 06/57] Delete alibabacloud.properties.json --- alibabacloud.properties.json | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 alibabacloud.properties.json diff --git a/alibabacloud.properties.json b/alibabacloud.properties.json deleted file mode 100644 index 67de4c1..0000000 --- a/alibabacloud.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Deploy to Alibaba Cloud ACK", - "description": "Deploy a container to Alibaba Cloud Container Service for Kubernetes (ACK).", - "creator": "Alibaba Cloud", - "iconName": "acr", - "categories": null -} From b20b76eb795a7c869d4c2a1adf166d10448ec758 Mon Sep 17 00:00:00 2001 From: arnu515 <52203828+arnu515@users.noreply.github.com> Date: Thu, 7 Jan 2021 21:16:24 +0530 Subject: [PATCH 07/57] Fix grammar error (#773) In the comment on line `1`, it says "This workflows", but I think that "This workflow" makes more sense. --- ci/python-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 4e1ef42..1a03a7b 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -1,4 +1,4 @@ -# This workflows will upload a Python Package using Twine when a release is created +# This workflow will upload a Python Package using Twine when a release is created # For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries name: Upload Python Package From 5760418d4f378a531680d729f4bf0b73eea45822 Mon Sep 17 00:00:00 2001 From: litetex <40789489+litetex@users.noreply.github.com> Date: Fri, 15 Jan 2021 21:20:42 +0100 Subject: [PATCH 08/57] dotnet-Workflows: Use latest channel version (#723) * Use latest channel-version * Use latest channel-version --- ci/dotnet-desktop.yml | 2 +- ci/dotnet.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index 480be78..25af736 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -71,7 +71,7 @@ jobs: - name: Install .NET Core uses: actions/setup-dotnet@v1 with: - dotnet-version: 3.1.101 + dotnet-version: 5.0.x # Add MSBuild to the PATH: https://github.com/microsoft/setup-msbuild - name: Setup MSBuild.exe diff --git a/ci/dotnet.yml b/ci/dotnet.yml index aa0a093..c31cf68 100644 --- a/ci/dotnet.yml +++ b/ci/dotnet.yml @@ -16,7 +16,7 @@ jobs: - name: Setup .NET uses: actions/setup-dotnet@v1 with: - dotnet-version: 3.1.301 + dotnet-version: 5.0.x - name: Restore dependencies run: dotnet restore - name: Build From c59b62dee0eae1f9f368b7011cf05c2fc42cf084 Mon Sep 17 00:00:00 2001 From: Chris Patterson Date: Wed, 20 Jan 2021 11:34:18 -0500 Subject: [PATCH 09/57] Adding new environment tag (#784) --- ci/azure.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ci/azure.yml b/ci/azure.yml index 5842381..4079237 100644 --- a/ci/azure.yml +++ b/ci/azure.yml @@ -28,6 +28,7 @@ jobs: build-and-deploy: name: Build and Deploy runs-on: ubuntu-latest + environment: production steps: - uses: actions/checkout@v2 - name: Use Node.js ${{ env.NODE_VERSION }} From 950da0156827e3d0c607a7413e73d580126cd7dc Mon Sep 17 00:00:00 2001 From: Steve Winton Date: Thu, 11 Feb 2021 16:13:49 -0600 Subject: [PATCH 10/57] Add emphasis to acceptance criteria --- .github/pull_request_template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 67a60a7..ebd66ad 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -6,7 +6,7 @@ It is not: --- -**Please note that at this time we are only accepting new starter workflows for Code Scanning. Updates to existing starter workflows are fine.** +### **Please note that at this time we are only accepting new starter workflows for Code Scanning. Updates to existing starter workflows are fine.** --- From 06274ce3304986be463fb8c2298049af793674bf Mon Sep 17 00:00:00 2001 From: Steve Winton Date: Thu, 11 Feb 2021 17:50:08 -0600 Subject: [PATCH 11/57] Add comments around general guidance So that they are only visible to the PR author --- .github/pull_request_template.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index ebd66ad..5e5859c 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -1,8 +1,13 @@ + + --- From 0e973208b84d14b88eb1b1ef8e8ed1e71b4ea3de Mon Sep 17 00:00:00 2001 From: Steve Winton Date: Thu, 11 Feb 2021 17:51:24 -0600 Subject: [PATCH 12/57] Add pre-requisites section --- .github/pull_request_template.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 5e5859c..f80e4f1 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -8,6 +8,9 @@ It is not: * A place for you to create a workflow for your repository --> +## Pre-requisites + +- [ ] Prior to submitting a new workflow, please apply to join the GitHub Technology Partner Program: [partner.github.com/apply](https://partner.github.com/apply?partnershipType=Technology+Partner). --- From cdcc451eadcac85a9f017f05b2658c25ccfa0f8e Mon Sep 17 00:00:00 2001 From: Steve Winton Date: Thu, 11 Feb 2021 17:54:56 -0600 Subject: [PATCH 13/57] Add separate sections based on workflow type --- .github/pull_request_template.md | 34 +++++++++++++++++++++----------- 1 file changed, 22 insertions(+), 12 deletions(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index f80e4f1..60ddcd7 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -18,23 +18,33 @@ It is not: --- -In the workflow and properties files: +## Tasks -- [ ] The workflow filename of CI workflows should be the name of the language or platform, in lower case. Special characters should be removed or replaced with words as appropriate (for example, "dotnet" instead of ".NET"). +**For _all_ workflows, the workflow:** - The workflow filename of publishing workflows should be the name of the language or platform, in lower case, followed by "-publish". -- [ ] Includes a matching `ci/properties/*.properties.json` file. -- [ ] Use sentence case for the names of workflows and steps, for example "Run tests". -- [ ] The name of CI workflows should only be the name of the language or platform: for example "Go" (not "Go CI" or "Go Build") -- [ ] Include comments in the workflow for any parts that are not obvious or could use clarification. -- [ ] CI workflows should run on `push` to `branches: [ $default-branch ]` and `pull_request` to `branches: [ $default-branch ]`. +- [ ] Should be contained in a file having the name of the language or platform, in lower, [_kebab-cased_](https://en.wikipedia.org/wiki/Kebab_case) format. Special characters should be removed or replaced with words as appropriate (for example, "dotnet" instead of ".NET"). +- [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests"). +- [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build") +- [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification. + +**For _CI_ workflows, the workflow:** + +- [ ] Should be preserved under [the `ci` directory](https://github.com/actions/starter-workflows/tree/main/ci) +- [ ] Should include a matching `ci/properties/*.properties.json` file (for example, [`ci/properties/docker-publish.properties.json`](https://github.com/actions/starter-workflows/blob/main/ci/properties/docker-publish.properties.json)). +- [ ] Should run on `push` to `branches: [ $default-branch ]` and `pull_request` to `branches: [ $default-branch ]`. - [ ] Packaging workflows should run on `release` with `types: [ created ]`. -- [ ] Code Scanning workflows should run on `push` to `branches: [ $default-branch, $protected-branches ]` and `pull_request` to `branches: [ $default-branch ]`. We also recommend a `schedule` trigger of `cron: $cron-weekly`. +- [ ] Publishing workflows should have a filename that is the name of the language or platform, in lower case, followed by "-publish" (for example, [`docker-publish.yml`](https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml)). -Some general notes: +**For _Code Scanning_ workflows, the workflow:** -- [ ] This workflow must only use actions that are produced by GitHub, [in the `actions` organization](https://github.com/actions), **or** -- [ ] This workflow must only use actions that are produced by the language or ecosystem that the workflow supports. These actions must be [published to the GitHub Marketplace](https://github.com/marketplace?type=actions). We recommend that these actions be referenced using the full 40 character hash of the action's commit instead of a tag. Additionally, workflows must include the following comment at the top of the workflow file: +- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/ci) +- [ ] Should include a matching `code-scanning/properties/*.properties.json` file. +- [ ] Should run on `push` to `branches: [ $default-branch, $protected-branches ]` and `pull_request` to `branches: [ $default-branch ]`. We also recommend a `schedule` trigger of `cron: $cron-weekly` (for example, [`codeql.yml`](https://github.com/actions/starter-workflows/blob/c59b62dee0eae1f9f368b7011cf05c2fc42cf084/code-scanning/codeql.yml#L14-L21)). + +**Some general notes:** + +- [ ] This workflow must _only_ use actions that are produced by GitHub, [in the `actions` organization](https://github.com/actions), **or** +- [ ] This workflow must _only_ use actions that are produced by the language or ecosystem that the workflow supports. These actions must be [published to the GitHub Marketplace](https://github.com/marketplace?type=actions). We recommend that these actions be referenced using the full 40 character hash of the action's commit instead of a tag. Additionally, workflows must include the following comment at the top of the workflow file: ``` # This workflow uses actions that are not certified by GitHub. # They are provided by a third-party and are governed by From 14be8c2b5a8b7c56b0400d841f705234487214eb Mon Sep 17 00:00:00 2001 From: Steve Winton Date: Thu, 11 Feb 2021 17:55:44 -0600 Subject: [PATCH 14/57] Ensure consistent line-endings --- .github/pull_request_template.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 60ddcd7..3eb7bcf 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -24,12 +24,12 @@ It is not: - [ ] Should be contained in a file having the name of the language or platform, in lower, [_kebab-cased_](https://en.wikipedia.org/wiki/Kebab_case) format. Special characters should be removed or replaced with words as appropriate (for example, "dotnet" instead of ".NET"). - [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests"). -- [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build") +- [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build"). - [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification. **For _CI_ workflows, the workflow:** -- [ ] Should be preserved under [the `ci` directory](https://github.com/actions/starter-workflows/tree/main/ci) +- [ ] Should be preserved under [the `ci` directory](https://github.com/actions/starter-workflows/tree/main/ci). - [ ] Should include a matching `ci/properties/*.properties.json` file (for example, [`ci/properties/docker-publish.properties.json`](https://github.com/actions/starter-workflows/blob/main/ci/properties/docker-publish.properties.json)). - [ ] Should run on `push` to `branches: [ $default-branch ]` and `pull_request` to `branches: [ $default-branch ]`. - [ ] Packaging workflows should run on `release` with `types: [ created ]`. @@ -37,7 +37,7 @@ It is not: **For _Code Scanning_ workflows, the workflow:** -- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/ci) +- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/ci). - [ ] Should include a matching `code-scanning/properties/*.properties.json` file. - [ ] Should run on `push` to `branches: [ $default-branch, $protected-branches ]` and `pull_request` to `branches: [ $default-branch ]`. We also recommend a `schedule` trigger of `cron: $cron-weekly` (for example, [`codeql.yml`](https://github.com/actions/starter-workflows/blob/c59b62dee0eae1f9f368b7011cf05c2fc42cf084/code-scanning/codeql.yml#L14-L21)). From 23285c07c690607f52471713592e171626c14022 Mon Sep 17 00:00:00 2001 From: Steve Winton Date: Thu, 11 Feb 2021 17:59:41 -0600 Subject: [PATCH 15/57] Add kebab-case example --- .github/pull_request_template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 3eb7bcf..3c45890 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -22,7 +22,7 @@ It is not: **For _all_ workflows, the workflow:** -- [ ] Should be contained in a file having the name of the language or platform, in lower, [_kebab-cased_](https://en.wikipedia.org/wiki/Kebab_case) format. Special characters should be removed or replaced with words as appropriate (for example, "dotnet" instead of ".NET"). +- [ ] Should be contained in a `.yml` file with the language or platform as its filename, in lower, [_kebab-cased_](https://en.wikipedia.org/wiki/Kebab_case) format (for example, [`docker-image.yml`](https://github.com/actions/starter-workflows/blob/main/ci/docker-image.yml)). Special characters should be removed or replaced with words as appropriate (for example, "dotnet" instead of ".NET"). - [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests"). - [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build"). - [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification. From f089b6db62c3e01d471902405d2bac8c1ba5befa Mon Sep 17 00:00:00 2001 From: Steve Winton Date: Thu, 11 Feb 2021 18:08:32 -0600 Subject: [PATCH 16/57] Add code scanning instructions for properties.json file --- .github/pull_request_template.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 3c45890..db8f484 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -38,7 +38,12 @@ It is not: **For _Code Scanning_ workflows, the workflow:** - [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/ci). -- [ ] Should include a matching `code-scanning/properties/*.properties.json` file. +- [ ] Should include a matching `code-scanning/properties/*.properties.json` file, with properties set as follows: + - [ ] `name`: Name of the Code Scanning integration. + - [ ] `organization`: Name of the organization producing the Code Scanning integration. + - [ ] `description`: Short description of the Code Scanning integration. + - [ ] `languages`: Array of languages supported by the Code Scanning integration. + - [ ] `iconName`: Name of the SVG logo representing the Code Scanning integration. This SVG logo must be present in [the `icons` directory](https://github.com/actions/starter-workflows/tree/main/icons). - [ ] Should run on `push` to `branches: [ $default-branch, $protected-branches ]` and `pull_request` to `branches: [ $default-branch ]`. We also recommend a `schedule` trigger of `cron: $cron-weekly` (for example, [`codeql.yml`](https://github.com/actions/starter-workflows/blob/c59b62dee0eae1f9f368b7011cf05c2fc42cf084/code-scanning/codeql.yml#L14-L21)). **Some general notes:** From 26b35f5776f1339679a6cf7cfba528227f752370 Mon Sep 17 00:00:00 2001 From: Bharath KKB Date: Sat, 13 Feb 2021 13:39:55 -0600 Subject: [PATCH 17/57] feat: Add new GitHub env tag --- ci/google.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ci/google.yml b/ci/google.yml index cc3cffb..5e803ed 100644 --- a/ci/google.yml +++ b/ci/google.yml @@ -27,6 +27,7 @@ jobs: setup-build-publish-deploy: name: Setup, Build, Publish, and Deploy runs-on: ubuntu-latest + environment: production steps: - name: Checkout From e0e30a049072e5faa350a978ca488946590534f9 Mon Sep 17 00:00:00 2001 From: Steve Winton Date: Tue, 16 Feb 2021 10:53:00 -0600 Subject: [PATCH 18/57] Add link to codeql.properties.json as example --- .github/pull_request_template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index db8f484..f7775f6 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -38,7 +38,7 @@ It is not: **For _Code Scanning_ workflows, the workflow:** - [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/ci). -- [ ] Should include a matching `code-scanning/properties/*.properties.json` file, with properties set as follows: +- [ ] Should include a matching `code-scanning/properties/*.properties.json` file (for example, [`code-scanning/properties/codeql.properties.json`](https://github.com/actions/starter-workflows/blob/main/code-scanning/properties/codeql.properties.json)), with properties set as follows: - [ ] `name`: Name of the Code Scanning integration. - [ ] `organization`: Name of the organization producing the Code Scanning integration. - [ ] `description`: Short description of the Code Scanning integration. From 9786331c771877627fc201a98cd8cba0cb89b1a4 Mon Sep 17 00:00:00 2001 From: Steve Winton Date: Tue, 16 Feb 2021 10:53:36 -0600 Subject: [PATCH 19/57] Remove languages in favor of categories --- .github/pull_request_template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index f7775f6..3ca40ef 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -42,7 +42,7 @@ It is not: - [ ] `name`: Name of the Code Scanning integration. - [ ] `organization`: Name of the organization producing the Code Scanning integration. - [ ] `description`: Short description of the Code Scanning integration. - - [ ] `languages`: Array of languages supported by the Code Scanning integration. + - [ ] `categories`: Array of languages supported by the Code Scanning integration. - [ ] `iconName`: Name of the SVG logo representing the Code Scanning integration. This SVG logo must be present in [the `icons` directory](https://github.com/actions/starter-workflows/tree/main/icons). - [ ] Should run on `push` to `branches: [ $default-branch, $protected-branches ]` and `pull_request` to `branches: [ $default-branch ]`. We also recommend a `schedule` trigger of `cron: $cron-weekly` (for example, [`codeql.yml`](https://github.com/actions/starter-workflows/blob/c59b62dee0eae1f9f368b7011cf05c2fc42cf084/code-scanning/codeql.yml#L14-L21)). From ccc4742cb31514684de92f7f779c680aaf076ad5 Mon Sep 17 00:00:00 2001 From: Steve Winton Date: Tue, 16 Feb 2021 10:56:46 -0600 Subject: [PATCH 20/57] Require 40 character SHA of referenced actions Co-authored-by: Andy McKay --- .github/pull_request_template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 3ca40ef..6494e8d 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -49,7 +49,7 @@ It is not: **Some general notes:** - [ ] This workflow must _only_ use actions that are produced by GitHub, [in the `actions` organization](https://github.com/actions), **or** -- [ ] This workflow must _only_ use actions that are produced by the language or ecosystem that the workflow supports. These actions must be [published to the GitHub Marketplace](https://github.com/marketplace?type=actions). We recommend that these actions be referenced using the full 40 character hash of the action's commit instead of a tag. Additionally, workflows must include the following comment at the top of the workflow file: +- [ ] This workflow must _only_ use actions that are produced by the language or ecosystem that the workflow supports. These actions must be [published to the GitHub Marketplace](https://github.com/marketplace?type=actions). We require that these actions be referenced using the full 40 character hash of the action's commit instead of a tag. Additionally, workflows must include the following comment at the top of the workflow file: ``` # This workflow uses actions that are not certified by GitHub. # They are provided by a third-party and are governed by From 97a0ce792527c32b1a0a1e006bfec65ac6227c8c Mon Sep 17 00:00:00 2001 From: Manuel Zubieta Date: Wed, 24 Feb 2021 09:13:54 -0600 Subject: [PATCH 21/57] actions/setup-elixir now lives under erlef GH Org github.com/actions/setup-elixir is no longer maintained and now suggests using github.com/erlef/setup-elixir This should be updated to help new Github Actions users to use the supported action. --- ci/elixir.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/elixir.yml b/ci/elixir.yml index 76dd26d..ddeba63 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -15,7 +15,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: Set up Elixir - uses: actions/setup-elixir@v1 + uses: erlef/setup-elixir@v1 with: elixir-version: '1.10.3' # Define the elixir version [required] otp-version: '22.3' # Define the OTP version [required] From 3cf906bc1bf47f7da3fafe67423b374774389ee2 Mon Sep 17 00:00:00 2001 From: Michael Thomsen Date: Fri, 26 Feb 2021 23:25:23 +0100 Subject: [PATCH 22/57] Update dart.yml (#820) * Update dart.yml Update Dart starter workflow to use `setup-dart` from the Dart team. This enables testing on more operating systems (Linux, Windows, and macOS), and offers more control over the Dart SDK version to test with. * Update dart.yml Add required disclaimer * Update ci/dart.yml Co-authored-by: Josh Gross Co-authored-by: Josh Gross --- ci/dart.yml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/ci/dart.yml b/ci/dart.yml index 138921f..7486577 100644 --- a/ci/dart.yml +++ b/ci/dart.yml @@ -1,3 +1,8 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + name: Dart on: @@ -10,18 +15,14 @@ jobs: build: runs-on: ubuntu-latest - # Note that this workflow uses the latest stable version of the Dart SDK. - # Docker images for other release channels - like dev and beta - are also - # available. See https://hub.docker.com/r/google/dart/ for the available - # images. - container: - image: google/dart:latest - steps: - uses: actions/checkout@v2 - - name: Print Dart SDK version - run: dart --version + # Note: This workflow uses the latest stable version of the Dart SDK. + # You can specify other versions if desired, see documentation here: + # https://github.com/dart-lang/setup-dart/blob/main/README.md + # - uses: dart-lang/setup-dart@v1 + - uses: dart-lang/setup-dart@9a04e6d73cca37bd455e0608d7e5092f881fd603 - name: Install dependencies run: dart pub get From db576e4bf486f3f0592e3d5ed45bcae36d8fa3e5 Mon Sep 17 00:00:00 2001 From: Jordi Boggiano Date: Fri, 26 Feb 2021 23:31:13 +0100 Subject: [PATCH 23/57] Make the validation strict by default (#824) Co-authored-by: Josh Gross --- ci/php.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/php.yml b/ci/php.yml index 5053b43..f811a18 100644 --- a/ci/php.yml +++ b/ci/php.yml @@ -15,7 +15,7 @@ jobs: - uses: actions/checkout@v2 - name: Validate composer.json and composer.lock - run: composer validate + run: composer validate --strict - name: Cache Composer packages id: composer-cache From a1152703407cf97bb8e3cb39eeb909649f69fa02 Mon Sep 17 00:00:00 2001 From: Jordi Boggiano Date: Fri, 26 Feb 2021 23:34:09 +0100 Subject: [PATCH 24/57] Always run composer install even if the vendor dir was restored (#825) Co-authored-by: Josh Gross --- ci/php.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/ci/php.yml b/ci/php.yml index f811a18..e1dceef 100644 --- a/ci/php.yml +++ b/ci/php.yml @@ -27,7 +27,6 @@ jobs: ${{ runner.os }}-php- - name: Install dependencies - if: steps.composer-cache.outputs.cache-hit != 'true' run: composer install --prefer-dist --no-progress --no-suggest # Add a test script to composer.json, for instance: "test": "vendor/bin/phpunit" From ce889525cc7fd3a56964e5873804bf178349be53 Mon Sep 17 00:00:00 2001 From: AlyonaSviridenko Date: Tue, 2 Mar 2021 18:43:44 +0300 Subject: [PATCH 25/57] updated workflows with new version of setup-java --- ci/android.yml | 8 +++++--- ci/ant.yml | 7 ++++--- ci/gradle-publish.yml | 9 +++++---- ci/gradle.yml | 7 ++++--- ci/maven-publish.yml | 9 +++++---- ci/maven.yml | 7 ++++--- ci/scala.yml | 7 ++++--- 7 files changed, 31 insertions(+), 23 deletions(-) diff --git a/ci/android.yml b/ci/android.yml index 6954a61..3edebb5 100644 --- a/ci/android.yml +++ b/ci/android.yml @@ -13,10 +13,12 @@ jobs: steps: - uses: actions/checkout@v2 - - name: set up JDK 1.8 - uses: actions/setup-java@v1 + - name: set up JDK 11 + uses: actions/setup-java@v2 with: - java-version: 1.8 + java-version: '11' + distribution: 'adoptium' + - name: Grant execute permission for gradlew run: chmod +x gradlew - name: Build with Gradle diff --git a/ci/ant.yml b/ci/ant.yml index 28fe6d0..8b8a5ba 100644 --- a/ci/ant.yml +++ b/ci/ant.yml @@ -16,9 +16,10 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up JDK 1.8 - uses: actions/setup-java@v1 + - name: Set up JDK 11 + uses: actions/setup-java@v2 with: - java-version: 1.8 + java-version: '11' + distribution: 'adoptium' - name: Build with Ant run: ant -noinput -buildfile build.xml diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index cec487e..2faa3aa 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -1,5 +1,5 @@ # This workflow will build a package using Gradle and then publish it to GitHub packages when a release is created -# For more information see: https://github.com/actions/setup-java#publishing-using-gradle +# For more information see: https://github.com/actions/setup-java/docs/advanced-usage.md#Publishing-using-gradle name: Gradle Package @@ -14,10 +14,11 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up JDK 1.8 - uses: actions/setup-java@v1 + - name: Set up JDK 11 + uses: actions/setup-java@v2 with: - java-version: 1.8 + java-version: '11' + distribution: 'adoptium' server-id: github # Value of the distributionManagement/repository/id field of the pom.xml settings-path: ${{ github.workspace }} # location for the settings.xml file diff --git a/ci/gradle.yml b/ci/gradle.yml index 4550f58..6ffdc6a 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -16,10 +16,11 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up JDK 1.8 - uses: actions/setup-java@v1 + - name: Set up JDK 11 + uses: actions/setup-java@v2 with: - java-version: 1.8 + java-version: '11' + distribution: 'adoptium' - name: Grant execute permission for gradlew run: chmod +x gradlew - name: Build with Gradle diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml index fb1c7ee..831b54b 100644 --- a/ci/maven-publish.yml +++ b/ci/maven-publish.yml @@ -1,5 +1,5 @@ # This workflow will build a package using Maven and then publish it to GitHub packages when a release is created -# For more information see: https://github.com/actions/setup-java#apache-maven-with-a-settings-path +# For more information see: https://github.com/actions/setup-java/docs/advanced-usage.md#apache-maven-with-a-settings-path name: Maven Package @@ -14,10 +14,11 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up JDK 1.8 - uses: actions/setup-java@v1 + - name: Set up JDK 11 + uses: actions/setup-java@v2 with: - java-version: 1.8 + java-version: '11' + distribution: 'adoptium' server-id: github # Value of the distributionManagement/repository/id field of the pom.xml settings-path: ${{ github.workspace }} # location for the settings.xml file diff --git a/ci/maven.yml b/ci/maven.yml index a46556a..005184b 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -16,9 +16,10 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up JDK 1.8 - uses: actions/setup-java@v1 + - name: Set up JDK 11 + uses: actions/setup-java@v2 with: - java-version: 1.8 + java-version: '11' + distribution: 'adoptium' - name: Build with Maven run: mvn -B package --file pom.xml diff --git a/ci/scala.yml b/ci/scala.yml index 96bfc70..e650d8a 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -13,9 +13,10 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up JDK 1.8 - uses: actions/setup-java@v1 + - name: Set up JDK 11 + uses: actions/setup-java@v2 with: - java-version: 1.8 + java-version: '11' + distribution: 'adoptium' - name: Run tests run: sbt test From 559fd976e283ae4e9868ae91407f646da7d6fadd Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Fri, 5 Mar 2021 09:32:54 -0500 Subject: [PATCH 26/57] Update alibabacloud.yml --- ci/alibabacloud.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ci/alibabacloud.yml b/ci/alibabacloud.yml index 5d457d6..82e7dc0 100644 --- a/ci/alibabacloud.yml +++ b/ci/alibabacloud.yml @@ -16,6 +16,9 @@ # # 4. Change the values for the REGION_ID, REGISTRY, NAMESPACE, IMAGE, ACK_CLUSTER_ID, and ACK_DEPLOYMENT_NAME. # +# 5. Create an environment named "production". +# For instructions see https://docs.github.com/en/actions/reference/environments#creating-an-environment. +# name: Build and Deploy to ACK @@ -42,6 +45,7 @@ env: jobs: build: runs-on: ubuntu-latest + environment: production steps: - name: Checkout From c451f7ec4794b5f8fbf264bfdbd530a77fe12cdc Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Fri, 5 Mar 2021 09:34:17 -0500 Subject: [PATCH 27/57] Update aws.yml --- ci/aws.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ci/aws.yml b/ci/aws.yml index 40094ae..a3defb3 100644 --- a/ci/aws.yml +++ b/ci/aws.yml @@ -22,6 +22,9 @@ # 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. # See the documentation for each action used below for the recommended IAM policies for this IAM user, # and best practices on handling the access key credentials. +# +# 5. Create an environment named "production". +# For instructions see https://docs.github.com/en/actions/reference/environments#creating-an-environment. on: release: @@ -33,6 +36,7 @@ jobs: deploy: name: Deploy runs-on: ubuntu-latest + environment: production steps: - name: Checkout @@ -77,4 +81,4 @@ jobs: task-definition: ${{ steps.task-def.outputs.task-definition }} service: sample-app-service cluster: default - wait-for-service-stability: true \ No newline at end of file + wait-for-service-stability: true From 761b09ecde3c6f9772a9b38b86beeccf8e7c7bc0 Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Fri, 5 Mar 2021 09:44:31 -0500 Subject: [PATCH 28/57] add production environment --- ci/alibabacloud.yml | 3 --- ci/aws.yml | 3 --- ci/ibm.yml | 1 + ci/openshift.yml | 1 + ci/tencent.yml | 1 + ci/terraform.yml | 1 + 6 files changed, 4 insertions(+), 6 deletions(-) diff --git a/ci/alibabacloud.yml b/ci/alibabacloud.yml index 82e7dc0..9ccc033 100644 --- a/ci/alibabacloud.yml +++ b/ci/alibabacloud.yml @@ -16,9 +16,6 @@ # # 4. Change the values for the REGION_ID, REGISTRY, NAMESPACE, IMAGE, ACK_CLUSTER_ID, and ACK_DEPLOYMENT_NAME. # -# 5. Create an environment named "production". -# For instructions see https://docs.github.com/en/actions/reference/environments#creating-an-environment. -# name: Build and Deploy to ACK diff --git a/ci/aws.yml b/ci/aws.yml index a3defb3..8b10116 100644 --- a/ci/aws.yml +++ b/ci/aws.yml @@ -22,9 +22,6 @@ # 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. # See the documentation for each action used below for the recommended IAM policies for this IAM user, # and best practices on handling the access key credentials. -# -# 5. Create an environment named "production". -# For instructions see https://docs.github.com/en/actions/reference/environments#creating-an-environment. on: release: diff --git a/ci/ibm.yml b/ci/ibm.yml index 8af050f..a8502cd 100644 --- a/ci/ibm.yml +++ b/ci/ibm.yml @@ -28,6 +28,7 @@ jobs: setup-build-publish-deploy: name: Setup, Build, Publish, and Deploy runs-on: ubuntu-latest + environment: production steps: - name: Checkout diff --git a/ci/openshift.yml b/ci/openshift.yml index d34131f..8a4875d 100644 --- a/ci/openshift.yml +++ b/ci/openshift.yml @@ -64,6 +64,7 @@ jobs: openshift-ci-cd: name: Build and deploy to OpenShift runs-on: ubuntu-20.04 + environment: production steps: - uses: actions/checkout@v2 diff --git a/ci/tencent.yml b/ci/tencent.yml index 2d4ad03..1a059a6 100644 --- a/ci/tencent.yml +++ b/ci/tencent.yml @@ -30,6 +30,7 @@ jobs: setup-build-publish-deploy: name: Setup, Build, Publish, and Deploy runs-on: ubuntu-latest + environment: production steps: - name: Checkout diff --git a/ci/terraform.yml b/ci/terraform.yml index e6cf027..589f1f3 100644 --- a/ci/terraform.yml +++ b/ci/terraform.yml @@ -54,6 +54,7 @@ jobs: terraform: name: 'Terraform' runs-on: ubuntu-latest + environment: production # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest defaults: From a29df688f22c2a9c68c82771eb37b952a2ac3277 Mon Sep 17 00:00:00 2001 From: Jonathan Clem Date: Fri, 5 Mar 2021 10:04:52 -0500 Subject: [PATCH 29/57] Update ci/elixir.yml Co-authored-by: Andy McKay --- ci/elixir.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ci/elixir.yml b/ci/elixir.yml index ddeba63..e53e9a0 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -15,7 +15,8 @@ jobs: steps: - uses: actions/checkout@v2 - name: Set up Elixir - uses: erlef/setup-elixir@v1 + uses: erlef/setup-elixir@885971a72ed1f9240973bd92ab57af8c1aa68f24 + with: elixir-version: '1.10.3' # Define the elixir version [required] otp-version: '22.3' # Define the OTP version [required] From 3116545da6eafa440789b987092574461d7d9c8f Mon Sep 17 00:00:00 2001 From: Josh Gross Date: Fri, 5 Mar 2021 11:43:49 -0500 Subject: [PATCH 30/57] Remove extra line in Elixir workflow (#831) --- ci/elixir.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/ci/elixir.yml b/ci/elixir.yml index e53e9a0..3f64657 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -16,7 +16,6 @@ jobs: - uses: actions/checkout@v2 - name: Set up Elixir uses: erlef/setup-elixir@885971a72ed1f9240973bd92ab57af8c1aa68f24 - with: elixir-version: '1.10.3' # Define the elixir version [required] otp-version: '22.3' # Define the OTP version [required] From 20bd227226e068f8052363b9a153c7290a3dcd69 Mon Sep 17 00:00:00 2001 From: Nick Fyson Date: Mon, 8 Mar 2021 13:40:39 +0000 Subject: [PATCH 31/57] add kubesec code scanning workflow --- code-scanning/kubesec.yml | 37 +++++++++++++++++++ .../properties/kubesec.properties.json | 7 ++++ icons/kubesec.svg | 16 ++++++++ 3 files changed, 60 insertions(+) create mode 100644 code-scanning/kubesec.yml create mode 100644 code-scanning/properties/kubesec.properties.json create mode 100644 icons/kubesec.svg diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml new file mode 100644 index 0000000..8d3d0eb --- /dev/null +++ b/code-scanning/kubesec.yml @@ -0,0 +1,37 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Kubesec + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + lint: + name: Kubesec + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Run kubesec scanner + uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 + with: + input: file.yaml # specify configuration file to scan here + format: template + template: template/sarif.tpl + output: kubesec-results.sarif + exit-code: "0" + + - name: Upload Kubesec scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: kubesec-results.sarif \ No newline at end of file diff --git a/code-scanning/properties/kubesec.properties.json b/code-scanning/properties/kubesec.properties.json new file mode 100644 index 0000000..66d5619 --- /dev/null +++ b/code-scanning/properties/kubesec.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Kubesec", + "creator": "Controlplane", + "description": "Security risk analysis for Kubernetes resources. Submit pod-types (such as deployment, cronjob) to receive an itemised security risk score.", + "iconName": "kubesec", + "categories": ["Code Scanning"] +} diff --git a/icons/kubesec.svg b/icons/kubesec.svg new file mode 100644 index 0000000..828eb09 --- /dev/null +++ b/icons/kubesec.svg @@ -0,0 +1,16 @@ + + + + + + image/svg+xml + + + + + + + + + + From 16a1b76572ff62d6c4f295b55a88dd27c68eb178 Mon Sep 17 00:00:00 2001 From: Rahul Gunasekaran Date: Tue, 9 Mar 2021 15:57:48 -0500 Subject: [PATCH 32/57] add_listing_to_github_ui --- .../properties/synopsysio.properties.json | 7 ++ code-scanning/synopsys-io-actions.yml | 77 +++++++++++++++++++ icons/synopsys.svg | 1 + 3 files changed, 85 insertions(+) create mode 100644 code-scanning/properties/synopsysio.properties.json create mode 100644 code-scanning/synopsys-io-actions.yml create mode 100644 icons/synopsys.svg diff --git a/code-scanning/properties/synopsysio.properties.json b/code-scanning/properties/synopsysio.properties.json new file mode 100644 index 0000000..257357e --- /dev/null +++ b/code-scanning/properties/synopsysio.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Synopsys Intelligent Security Scan Action", + "creator": "Synopsys", + "description": "The Synopsys Intelligent Security Scan Action helps selectively perform SAST and SCA scans, triggered during a variety of GitHub Platform events for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.", + "iconName": "synopsys", + "categories": ["Code Scanning"] +} diff --git a/code-scanning/synopsys-io-actions.yml b/code-scanning/synopsys-io-actions.yml new file mode 100644 index 0000000..b5aa503 --- /dev/null +++ b/code-scanning/synopsys-io-actions.yml @@ -0,0 +1,77 @@ +name: "Synopsys Intelligent Security Scan" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + with: + # We must fetch at least the immediate parents so that if this is + # a pull request then we can checkout the head. + fetch-depth: 2 + + # If this run was triggered by a pull request event, then checkout + # the head of the pull request instead of the merge commit. + - run: git checkout HEAD^2 + if: ${{ github.event_name == 'pull_request' }} + + - name: Synopsys Intelligent Security Scan + id: prescription + uses: synopsys-sig/intelligent-security-scan@v1 + with: + ioServerUrl: ${{secrets.IO_SERVER_URL}} + ioServerToken: ${{secrets.IO_SERVER_TOKEN}} + workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} + additionalWorkflowArgs: --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} + stage: "IO" + + # Please note that the ID in previous step was set to prescription + # in order for this logic to work also make sure that POLARIS_ACCESS_TOKEN + # is defined in settings + - name: Static Analysis with Polaris + if: ${{steps.prescription.outputs.sastScan == 'true' }} + run: | + export POLARIS_SERVER_URL=${{ secrets.POLARIS_SERVER_URL}} + export POLARIS_ACCESS_TOKEN=${{ secrets.POLARIS_ACCESS_TOKEN}} + wget -q ${{ secrets.POLARIS_SERVER_URL}}/api/tools/polaris_cli-linux64.zip + unzip -j polaris_cli-linux64.zip -d /tmp + /tmp/polaris analyze -w + + # Please note that the ID in previous step was set to prescription + # in order for this logic to work + - name: Software Composition Analysis with Black Duck + if: ${{steps.prescription.outputs.scaScan == 'true' }} + uses: blackducksoftware/github-action@v2 + with: + args: '--blackduck.url="${{ secrets.BLACKDUCK_URL}}" --blackduck.api.token="${{ secrets.BLACKDUCK_TOKEN}}" --detect.tools="SIGNATURE_SCAN,DETECTOR"' + + - name: Synopsys Intelligent Security Scan + if: ${{ steps.prescription.outputs.sastScan == 'true' || steps.prescription.outputs.scaScan == 'true' }} + uses: synopsys-sig/intelligent-security-scan@v1 + with: + ioServerUrl: ${{secrets.IO_SERVER_URL}} + ioServerToken: ${{secrets.IO_SERVER_TOKEN}} + workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} + additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}} + --polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} + --blackduck.project.name={{PROJECT_NAME}}:{{PROJECT_VERSION}} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}} + stage: "WORKFLOW" + + - name: Upload SARIF file + if: ${{steps.prescription.outputs.sastScan == 'true' }} + uses: github/codeql-action/upload-sarif@v1 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: workflowengine-results.sarif.json diff --git a/icons/synopsys.svg b/icons/synopsys.svg new file mode 100644 index 0000000..764a3be --- /dev/null +++ b/icons/synopsys.svg @@ -0,0 +1 @@ + \ No newline at end of file From 93599e25052bb0825cd15e7fbec78289ce008d49 Mon Sep 17 00:00:00 2001 From: Rahul Gunasekaran <71350204+rahulguna10@users.noreply.github.com> Date: Wed, 10 Mar 2021 08:22:45 -0500 Subject: [PATCH 33/57] Updated suggested changes in code-scanning/synopsys-io-actions.yml Co-authored-by: Nick Fyson --- code-scanning/synopsys-io-actions.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/code-scanning/synopsys-io-actions.yml b/code-scanning/synopsys-io-actions.yml index b5aa503..39ed12a 100644 --- a/code-scanning/synopsys-io-actions.yml +++ b/code-scanning/synopsys-io-actions.yml @@ -17,15 +17,6 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v2 - with: - # We must fetch at least the immediate parents so that if this is - # a pull request then we can checkout the head. - fetch-depth: 2 - - # If this run was triggered by a pull request event, then checkout - # the head of the pull request instead of the merge commit. - - run: git checkout HEAD^2 - if: ${{ github.event_name == 'pull_request' }} - name: Synopsys Intelligent Security Scan id: prescription From a74640c1ec12ff8eced90ca1e13436b09ff3975f Mon Sep 17 00:00:00 2001 From: Rahul Gunasekaran Date: Wed, 10 Mar 2021 08:53:33 -0500 Subject: [PATCH 34/57] updated suggested filename changes --- .../{synopsysio.properties.json => synopsys-io.properties.json} | 2 +- icons/{synopsys.svg => synopsys-io.svg} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename code-scanning/properties/{synopsysio.properties.json => synopsys-io.properties.json} (92%) rename icons/{synopsys.svg => synopsys-io.svg} (100%) diff --git a/code-scanning/properties/synopsysio.properties.json b/code-scanning/properties/synopsys-io.properties.json similarity index 92% rename from code-scanning/properties/synopsysio.properties.json rename to code-scanning/properties/synopsys-io.properties.json index 257357e..67aeb09 100644 --- a/code-scanning/properties/synopsysio.properties.json +++ b/code-scanning/properties/synopsys-io.properties.json @@ -2,6 +2,6 @@ "name": "Synopsys Intelligent Security Scan Action", "creator": "Synopsys", "description": "The Synopsys Intelligent Security Scan Action helps selectively perform SAST and SCA scans, triggered during a variety of GitHub Platform events for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.", - "iconName": "synopsys", + "iconName": "synopsys-io", "categories": ["Code Scanning"] } diff --git a/icons/synopsys.svg b/icons/synopsys-io.svg similarity index 100% rename from icons/synopsys.svg rename to icons/synopsys-io.svg From f42ac9c022d58205b5936aa59a174f00962a7070 Mon Sep 17 00:00:00 2001 From: AlyonaSviridenko Date: Thu, 11 Mar 2021 12:56:09 +0300 Subject: [PATCH 35/57] renamed adoptium to adopt --- ci/android.yml | 2 +- ci/ant.yml | 2 +- ci/gradle-publish.yml | 2 +- ci/gradle.yml | 2 +- ci/maven-publish.yml | 2 +- ci/maven.yml | 2 +- ci/scala.yml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ci/android.yml b/ci/android.yml index 3edebb5..4bbc689 100644 --- a/ci/android.yml +++ b/ci/android.yml @@ -17,7 +17,7 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adoptium' + distribution: 'adopt' - name: Grant execute permission for gradlew run: chmod +x gradlew diff --git a/ci/ant.yml b/ci/ant.yml index 8b8a5ba..655a94c 100644 --- a/ci/ant.yml +++ b/ci/ant.yml @@ -20,6 +20,6 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adoptium' + distribution: 'adopt' - name: Build with Ant run: ant -noinput -buildfile build.xml diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 2faa3aa..e69fc09 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -18,7 +18,7 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adoptium' + distribution: 'adopt' server-id: github # Value of the distributionManagement/repository/id field of the pom.xml settings-path: ${{ github.workspace }} # location for the settings.xml file diff --git a/ci/gradle.yml b/ci/gradle.yml index 6ffdc6a..6e7e922 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -20,7 +20,7 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adoptium' + distribution: 'adopt' - name: Grant execute permission for gradlew run: chmod +x gradlew - name: Build with Gradle diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml index 831b54b..6538c9e 100644 --- a/ci/maven-publish.yml +++ b/ci/maven-publish.yml @@ -18,7 +18,7 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adoptium' + distribution: 'adopt' server-id: github # Value of the distributionManagement/repository/id field of the pom.xml settings-path: ${{ github.workspace }} # location for the settings.xml file diff --git a/ci/maven.yml b/ci/maven.yml index 005184b..923425b 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -20,6 +20,6 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adoptium' + distribution: 'adopt' - name: Build with Maven run: mvn -B package --file pom.xml diff --git a/ci/scala.yml b/ci/scala.yml index e650d8a..4a3c112 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -17,6 +17,6 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adoptium' + distribution: 'adopt' - name: Run tests run: sbt test From fe22e77a67382caac9adf68816cc67bc94e82be1 Mon Sep 17 00:00:00 2001 From: Rahul Gunasekaran Date: Thu, 11 Mar 2021 13:18:53 -0500 Subject: [PATCH 36/57] changes for checklist items --- code-scanning/properties/synopsys-io.properties.json | 4 ++-- code-scanning/synopsys-io-actions.yml | 7 ++++++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/code-scanning/properties/synopsys-io.properties.json b/code-scanning/properties/synopsys-io.properties.json index 67aeb09..ea7fae7 100644 --- a/code-scanning/properties/synopsys-io.properties.json +++ b/code-scanning/properties/synopsys-io.properties.json @@ -1,7 +1,7 @@ { "name": "Synopsys Intelligent Security Scan Action", "creator": "Synopsys", - "description": "The Synopsys Intelligent Security Scan Action helps selectively perform SAST and SCA scans, triggered during a variety of GitHub Platform events for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.", + "description": "The Synopsys Intelligent Security Scan Action helps selectively perform SAST and SCA scans, triggered during a variety of GitHub Platform events", "iconName": "synopsys-io", - "categories": ["Code Scanning"] + "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "Ruby", "PHP", "Swift", "Kotlin" , "Python", "VB.NET", "Objective C"] } diff --git a/code-scanning/synopsys-io-actions.yml b/code-scanning/synopsys-io-actions.yml index 39ed12a..edc3cbc 100644 --- a/code-scanning/synopsys-io-actions.yml +++ b/code-scanning/synopsys-io-actions.yml @@ -1,4 +1,9 @@ -name: "Synopsys Intelligent Security Scan" +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Synopsys Intelligent Security Scan on: push: From ba6a2f292c765fc881d0ffd3472e7101d74ec1e4 Mon Sep 17 00:00:00 2001 From: Rahul Gunasekaran <71350204+rahulguna10@users.noreply.github.com> Date: Thu, 11 Mar 2021 21:33:39 -0500 Subject: [PATCH 37/57] Updated version to commit SHA --- code-scanning/synopsys-io-actions.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/synopsys-io-actions.yml b/code-scanning/synopsys-io-actions.yml index edc3cbc..7501726 100644 --- a/code-scanning/synopsys-io-actions.yml +++ b/code-scanning/synopsys-io-actions.yml @@ -25,7 +25,7 @@ jobs: - name: Synopsys Intelligent Security Scan id: prescription - uses: synopsys-sig/intelligent-security-scan@v1 + uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08 with: ioServerUrl: ${{secrets.IO_SERVER_URL}} ioServerToken: ${{secrets.IO_SERVER_TOKEN}} @@ -55,7 +55,7 @@ jobs: - name: Synopsys Intelligent Security Scan if: ${{ steps.prescription.outputs.sastScan == 'true' || steps.prescription.outputs.scaScan == 'true' }} - uses: synopsys-sig/intelligent-security-scan@v1 + uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08 with: ioServerUrl: ${{secrets.IO_SERVER_URL}} ioServerToken: ${{secrets.IO_SERVER_TOKEN}} From 5eb695baece07fb726877d04c0e98d3eeb0a63a5 Mon Sep 17 00:00:00 2001 From: Rahul Gunasekaran <71350204+rahulguna10@users.noreply.github.com> Date: Fri, 12 Mar 2021 12:23:28 -0500 Subject: [PATCH 38/57] Updated commit SHA Co-authored-by: Nick Fyson --- code-scanning/synopsys-io-actions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/synopsys-io-actions.yml b/code-scanning/synopsys-io-actions.yml index 7501726..9b5a080 100644 --- a/code-scanning/synopsys-io-actions.yml +++ b/code-scanning/synopsys-io-actions.yml @@ -49,7 +49,7 @@ jobs: # in order for this logic to work - name: Software Composition Analysis with Black Duck if: ${{steps.prescription.outputs.scaScan == 'true' }} - uses: blackducksoftware/github-action@v2 + uses: blackducksoftware/github-action@9ea442b34409737f64743781e9adc71fd8e17d38 with: args: '--blackduck.url="${{ secrets.BLACKDUCK_URL}}" --blackduck.api.token="${{ secrets.BLACKDUCK_TOKEN}}" --detect.tools="SIGNATURE_SCAN,DETECTOR"' From 6e127e8439bd8533948e209ff4379084becc9094 Mon Sep 17 00:00:00 2001 From: Nick Fyson Date: Fri, 12 Mar 2021 20:00:40 +0000 Subject: [PATCH 39/57] fix id of synosys-io workflow --- code-scanning/{synopsys-io-actions.yml => synopsys-io.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename code-scanning/{synopsys-io-actions.yml => synopsys-io.yml} (100%) diff --git a/code-scanning/synopsys-io-actions.yml b/code-scanning/synopsys-io.yml similarity index 100% rename from code-scanning/synopsys-io-actions.yml rename to code-scanning/synopsys-io.yml From d3f35ae32d2e17b003fc6428afafc97c1bd50a13 Mon Sep 17 00:00:00 2001 From: pastelmind Date: Sat, 13 Mar 2021 14:34:06 +0900 Subject: [PATCH 40/57] Use actions/setup-node v2 Since actions/setup-node v2 has been declared stable since v2.1.4 (released on 2020-12-16), it should be safe to move everyone to v2. --- .github/workflows/sync_ghes.yaml | 2 +- .github/workflows/validate-data.yaml | 2 +- ci/azure.yml | 2 +- ci/node.js.yml | 2 +- ci/npm-publish.yml | 6 +++--- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/sync_ghes.yaml b/.github/workflows/sync_ghes.yaml index aa5e741..a3c298a 100644 --- a/.github/workflows/sync_ghes.yaml +++ b/.github/workflows/sync_ghes.yaml @@ -14,7 +14,7 @@ jobs: git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/* git config user.email "cschleiden@github.com" git config user.name "GitHub Actions" - - uses: actions/setup-node@v1 + - uses: actions/setup-node@v2 with: node-version: '12' - name: Check starter workflows for GHES compat diff --git a/.github/workflows/validate-data.yaml b/.github/workflows/validate-data.yaml index 20eee71..745bc25 100644 --- a/.github/workflows/validate-data.yaml +++ b/.github/workflows/validate-data.yaml @@ -10,7 +10,7 @@ jobs: steps: - uses: actions/checkout@v2 - - uses: actions/setup-node@v1 + - uses: actions/setup-node@v2 with: node-version: "12" diff --git a/ci/azure.yml b/ci/azure.yml index 4079237..0262b49 100644 --- a/ci/azure.yml +++ b/ci/azure.yml @@ -32,7 +32,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: Use Node.js ${{ env.NODE_VERSION }} - uses: actions/setup-node@v1 + uses: actions/setup-node@v2 with: node-version: ${{ env.NODE_VERSION }} - name: npm install, build, and test diff --git a/ci/node.js.yml b/ci/node.js.yml index 632c1a6..06cd54b 100644 --- a/ci/node.js.yml +++ b/ci/node.js.yml @@ -22,7 +22,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v1 + uses: actions/setup-node@v2 with: node-version: ${{ matrix.node-version }} - run: npm ci diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index b460edc..1b4952d 100644 --- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - - uses: actions/setup-node@v1 + - uses: actions/setup-node@v2 with: node-version: 12 - run: npm ci @@ -23,7 +23,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - - uses: actions/setup-node@v1 + - uses: actions/setup-node@v2 with: node-version: 12 registry-url: https://registry.npmjs.org/ @@ -37,7 +37,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - - uses: actions/setup-node@v1 + - uses: actions/setup-node@v2 with: node-version: 12 registry-url: $registry-url(npm) From 3d5dfdfe67b1a3b1e69b1425acf2bb1c56b811af Mon Sep 17 00:00:00 2001 From: Geod24 Date: Sun, 14 Mar 2021 16:22:28 +0900 Subject: [PATCH 41/57] Fix wording in README to follow pull request template The wording in the pull request template was changed from recommend to require, but the same change was not made to the README. --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index c9e8299..2a0e55f 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -19,6 +19,6 @@ Before merging a new workflow, the following requirements need to be met: - There are many programming languages and tools out there. Right now we don't have a page that allows for a really large number of workflows, so we do have to be a little choosy about what we accept. Less popular tools or languages might not be accepted. - Automation and CI workflows should not send data to any 3rd party service except for the purposes of installing dependencies. - Automation and CI workflows cannot be dependent on a paid service or product. -- We recommend that Actions outside of the `actions` organization be pinned to a specific SHA. +- We require that Actions outside of the `actions` organization be pinned to a specific SHA. Thank you From 019de53cfb24ce35e5b64d47aca87779a47de011 Mon Sep 17 00:00:00 2001 From: Sergey Yakimov Date: Thu, 18 Mar 2021 15:28:14 +0200 Subject: [PATCH 42/57] Remove the deprecated "--no-suggest" option from the Composer install step --- ci/php.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/php.yml b/ci/php.yml index e1dceef..6acfdd1 100644 --- a/ci/php.yml +++ b/ci/php.yml @@ -27,7 +27,7 @@ jobs: ${{ runner.os }}-php- - name: Install dependencies - run: composer install --prefer-dist --no-progress --no-suggest + run: composer install --prefer-dist --no-progress # Add a test script to composer.json, for instance: "test": "vendor/bin/phpunit" # Docs: https://getcomposer.org/doc/articles/scripts.md From 7c8569ab2bcbca327d9745f7f77ad89918d68585 Mon Sep 17 00:00:00 2001 From: Divyanshu Agrawal Date: Tue, 9 Mar 2021 19:32:22 +0530 Subject: [PATCH 43/57] Modify openshift workflow with v2 version of actions and add oc-new-app (#1) * Modify openshift workflow with v2 version of actions and add oc-new-app Signed-off-by: divyansh42 --- ci/openshift.yml | 84 +++++++++++++++++++++++++++++++----------------- 1 file changed, 55 insertions(+), 29 deletions(-) diff --git a/ci/openshift.yml b/ci/openshift.yml index 8a4875d..e25afef 100644 --- a/ci/openshift.yml +++ b/ci/openshift.yml @@ -27,6 +27,7 @@ # For a more sophisticated example, see https://github.com/redhat-actions/spring-petclinic/blob/main/.github/workflows/petclinic-sample.yaml # Also see our GitHub organization, https://github.com/redhat-actions/ +# ▶️ See a video of how to set up this workflow at https://www.youtube.com/watch?v=6hgBO-1pKho name: OpenShift @@ -52,6 +53,7 @@ env: # If you wish to manually provide the APP_NAME and TAG, set them here, otherwise they will be auto-detected. APP_NAME: "" + TAG: "" on: @@ -66,7 +68,42 @@ jobs: runs-on: ubuntu-20.04 environment: production + outputs: + ROUTE: ${{ steps.deploy-and-expose.outputs.route }} + SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} + steps: + - name: Check if secrets exists + uses: actions/github-script@v3 + with: + script: | + const secrets = { + REGISTRY_PASSWORD: `${{ secrets.REGISTRY_PASSWORD }}`, + OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`, + OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`, + }; + + const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => { + if (value.length === 0) { + core.warning(`Secret "${name}" is not set`); + return true; + } + core.info(` ✔️ Secret "${name}" is set`); + return false; + + }); + + if (missingSecrets.length > 0) { + core.setFailed(`❌ At least one required secret is not set in the repository. \n` + + "You can add it using:\n" + + "Github UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" + + "Github CLI: https://cli.github.com/manual/gh_secret_set \n" + + "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example"); + } + else { + core.info(`✅ All the required secrets are set`); + } + - uses: actions/checkout@v2 - name: Determine app name @@ -81,12 +118,13 @@ jobs: # https://github.com/redhat-actions/buildah-build#readme - name: Build from Dockerfile - uses: redhat-actions/buildah-build@v1 + id: image-build + uses: redhat-actions/buildah-build@v2 with: image: ${{ env.APP_NAME }} - tag: ${{ env.TAG }} + tags: ${{ env.TAG }} # If you don't have a dockerfile, see: - # https://github.com/redhat-actions/buildah-build#building-from-scratch + # https://github.com/redhat-actions/buildah-build#scratch-build-inputs # Otherwise, point this to your Dockerfile relative to the repository root. dockerfiles: | ./Dockerfile @@ -94,10 +132,10 @@ jobs: # https://github.com/redhat-actions/push-to-registry#readme - name: Push to registry id: push-to-registry - uses: redhat-actions/push-to-registry@v1 + uses: redhat-actions/push-to-registry@v2 with: - image: ${{ env.APP_NAME }} - tag: ${{ env.TAG }} + image: ${{ steps.image-build.outputs.image }} + tags: ${{ steps.image-build.outputs.tags }} registry: ${{ env.REGISTRY }} username: ${{ env.REGISTRY_USER }} password: ${{ env.REGISTRY_PASSWORD }} @@ -118,30 +156,15 @@ jobs: namespace: ${{ env.OPENSHIFT_NAMESPACE }} # This step should create a deployment, service, and route to run your app and expose it to the internet. - # Feel free to replace this with 'oc apply', 'helm install', or however you like to deploy your app. + # https://github.com/redhat-actions/oc-new-app#readme - name: Create and expose app - run: | - export IMAGE="${{ steps.push-to-registry.outputs.registry-path }}" - export PORT=${{ env.APP_PORT }} - - export SELECTOR="app=${{ env.APP_NAME }}" - echo "SELECTOR=$SELECTOR" >> $GITHUB_ENV - - set -x - # Take down any old deployment - oc delete all --selector="$SELECTOR" - oc new-app --name $APP_NAME --docker-image="$IMAGE" - - # Make sure the app port is exposed - oc patch svc $APP_NAME -p "{ \"spec\": { \"ports\": [{ \"name\": \"$PORT-tcp\", \"port\": $PORT }] } }" - oc expose service $APP_NAME --port=$PORT - - oc get all --selector="$SELECTOR" - set +x - - export ROUTE="$(oc get route $APP_NAME -o jsonpath='{.spec.host}')" - echo "$APP_NAME is exposed at $ROUTE" - echo "ROUTE=$ROUTE" >> $GITHUB_ENV + id: deploy-and-expose + uses: redhat-actions/oc-new-app@v1 + with: + app_name: ${{ env.APP_NAME }} + image: ${{ steps.push-to-registry.outputs.registry-path }} + namespace: ${{ env.OPENSHIFT_NAMESPACE }} + port: ${{ env.APP_PORT }} - name: View application route run: | @@ -151,3 +174,6 @@ jobs: echo "===================================================================================" echo echo "Your app can be taken down with: \"oc delete all --selector='${{ env.SELECTOR }}'\"" + env: + ROUTE: ${{ steps.deploy-and-expose.outputs.route }} + SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} From c08e24c17b12e3bc9d346fa5aa745aa8c497fd23 Mon Sep 17 00:00:00 2001 From: divyansh42 Date: Wed, 24 Mar 2021 20:21:19 +0530 Subject: [PATCH 44/57] Resolve reviews Signed-off-by: divyansh42 --- ci/openshift.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/ci/openshift.yml b/ci/openshift.yml index e25afef..b9bcd0b 100644 --- a/ci/openshift.yml +++ b/ci/openshift.yml @@ -53,7 +53,6 @@ env: # If you wish to manually provide the APP_NAME and TAG, set them here, otherwise they will be auto-detected. APP_NAME: "" - TAG: "" on: @@ -88,7 +87,7 @@ jobs: core.warning(`Secret "${name}" is not set`); return true; } - core.info(` ✔️ Secret "${name}" is set`); + core.info(`✔️ Secret "${name}" is set`); return false; }); @@ -96,14 +95,14 @@ jobs: if (missingSecrets.length > 0) { core.setFailed(`❌ At least one required secret is not set in the repository. \n` + "You can add it using:\n" + - "Github UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" + - "Github CLI: https://cli.github.com/manual/gh_secret_set \n" + + "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" + + "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" + "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example"); } else { core.info(`✅ All the required secrets are set`); } - + - uses: actions/checkout@v2 - name: Determine app name From 1f729c2f025d52b5407657a3fe8130bec1353717 Mon Sep 17 00:00:00 2001 From: Alena Sviridenko Date: Mon, 5 Apr 2021 17:44:33 +0300 Subject: [PATCH 45/57] Fixed docs path Co-authored-by: Konrad Pabjan --- ci/gradle-publish.yml | 2 +- ci/maven-publish.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index e69fc09..ef99e13 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -1,5 +1,5 @@ # This workflow will build a package using Gradle and then publish it to GitHub packages when a release is created -# For more information see: https://github.com/actions/setup-java/docs/advanced-usage.md#Publishing-using-gradle +# For more information see: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#Publishing-using-gradle name: Gradle Package diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml index 6538c9e..c3f4855 100644 --- a/ci/maven-publish.yml +++ b/ci/maven-publish.yml @@ -1,5 +1,5 @@ # This workflow will build a package using Maven and then publish it to GitHub packages when a release is created -# For more information see: https://github.com/actions/setup-java/docs/advanced-usage.md#apache-maven-with-a-settings-path +# For more information see: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#apache-maven-with-a-settings-path name: Maven Package @@ -28,4 +28,4 @@ jobs: - name: Publish to GitHub Packages Apache Maven run: mvn deploy -s $GITHUB_WORKSPACE/settings.xml env: - GITHUB_TOKEN: ${{ github.token }} \ No newline at end of file + GITHUB_TOKEN: ${{ github.token }} From a5afdf402855e60f84f7832f18eb5410b9e31b83 Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Mon, 5 Apr 2021 15:01:23 -0400 Subject: [PATCH 46/57] Update openshift.yml --- ci/openshift.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/openshift.yml b/ci/openshift.yml index b9bcd0b..3e39dea 100644 --- a/ci/openshift.yml +++ b/ci/openshift.yml @@ -64,7 +64,7 @@ on: jobs: openshift-ci-cd: name: Build and deploy to OpenShift - runs-on: ubuntu-20.04 + runs-on: ubuntu-18.04 environment: production outputs: From 97a16c82c55eb2ed003fbe2a11bc7fbe1dd40493 Mon Sep 17 00:00:00 2001 From: Alexandre Rebert Date: Mon, 12 Apr 2021 14:50:41 -0400 Subject: [PATCH 47/57] Add Mayhem for API code scanning workflow --- code-scanning/mayhem-for-api.yml | 62 +++++++++++++++++++ .../properties/mayhem-for-api.properties.json | 7 +++ icons/mayhem-for-api.svg | 19 ++++++ 3 files changed, 88 insertions(+) create mode 100644 code-scanning/mayhem-for-api.yml create mode 100644 code-scanning/properties/mayhem-for-api.properties.json create mode 100644 icons/mayhem-for-api.svg diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml new file mode 100644 index 0000000..1601ff5 --- /dev/null +++ b/code-scanning/mayhem-for-api.yml @@ -0,0 +1,62 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# This workflow starts your API and fuzzes it with ForAllSecure Mayhem for API +# to find reliability, performance and security issues before they reach +# production. +# +# To use this workflow, you will need to: +# +# 1. Create a Mayhem for API account at +# https://mayhem4api.forallsecure.com/signup (30-day free trial) +# +# 2. Create a service account token `mapi organization service-account create +# ` +# +# 3. Add the service account token as a secret in GitHub called "MAPI_TOKEN" +# +# 4. Update the "Start your API" step to run your API in the background before +# starting the Mayhem for API scan, and update the `api-url` & `api-spec` +# field. +# +# If you have any questions, please contact us at mayhem4api@forallsecure.com + +name: "Mayhem for API" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + +jobs: + mayhem-for-api: + name: Mayhem for API + # Mayhem for API runs on linux, mac and windows + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + # Run your API in the background. Ideally, the API would run in debug + # mode & send stacktraces back on "500 Internal Server Error" responses + # (don't do this in production though!) + - name: Start your API + run: ./run_your_api.sh & # <- ✏️ update this + + - name: Mayhem for API + uses: ForAllSecure/mapi-action@193b709971cc377675e33284aecbf9229853e010 + continue-on-error: true + with: + mapi-token: ${{ secrets.MAPI_TOKEN }} + api-url: http://localhost:8080 # <- ✏️ update this + api-spec: http://localhost:8080/openapi.json # <- ✏️ update this + duration: 60 + sarif-report: mapi.sarif + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: mapi.sarif diff --git a/code-scanning/properties/mayhem-for-api.properties.json b/code-scanning/properties/mayhem-for-api.properties.json new file mode 100644 index 0000000..ccbb75c --- /dev/null +++ b/code-scanning/properties/mayhem-for-api.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Mayhem for API", + "creator": "ForAllSecure", + "description": "Automatically test your REST APIs with your OpenAPI specs and Postman collections", + "iconName": "mayhem-for-api", + "categories": ["Code Scanning", "C#", "Go", "Java", "Scala", "JavaScript", "TypeScript", "Ruby", "PHP", "Swift", "Kotlin" , "Python", "Rust", "Objective C"] +} diff --git a/icons/mayhem-for-api.svg b/icons/mayhem-for-api.svg new file mode 100644 index 0000000..af426ff --- /dev/null +++ b/icons/mayhem-for-api.svg @@ -0,0 +1,19 @@ + + + + + + + + + + + + + + + + + + + From 9d7a348464c230b5a34103bbde5049e6d6a1dd56 Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Tue, 13 Apr 2021 11:34:49 -0400 Subject: [PATCH 48/57] Update code-scanning/properties/mayhem-for-api.properties.json --- code-scanning/properties/mayhem-for-api.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/mayhem-for-api.properties.json b/code-scanning/properties/mayhem-for-api.properties.json index ccbb75c..b700dae 100644 --- a/code-scanning/properties/mayhem-for-api.properties.json +++ b/code-scanning/properties/mayhem-for-api.properties.json @@ -1,7 +1,7 @@ { "name": "Mayhem for API", "creator": "ForAllSecure", - "description": "Automatically test your REST APIs with your OpenAPI specs and Postman collections", + "description": "Automatically test your REST APIs with your OpenAPI specs and Postman collections.", "iconName": "mayhem-for-api", "categories": ["Code Scanning", "C#", "Go", "Java", "Scala", "JavaScript", "TypeScript", "Ruby", "PHP", "Swift", "Kotlin" , "Python", "Rust", "Objective C"] } From a2e5f8e5480715e8fcec103ec5c179ac65bac41b Mon Sep 17 00:00:00 2001 From: Owen Rumney Date: Wed, 14 Apr 2021 18:37:01 +0100 Subject: [PATCH 49/57] Add tfsec starter action --- .../properties/tfsec.properties.json | 7 ++++ code-scanning/tfsec.yml | 35 +++++++++++++++++++ icons/tfsec.svg | 1 + 3 files changed, 43 insertions(+) create mode 100644 code-scanning/properties/tfsec.properties.json create mode 100644 code-scanning/tfsec.yml create mode 100644 icons/tfsec.svg diff --git a/code-scanning/properties/tfsec.properties.json b/code-scanning/properties/tfsec.properties.json new file mode 100644 index 0000000..0ecfb53 --- /dev/null +++ b/code-scanning/properties/tfsec.properties.json @@ -0,0 +1,7 @@ +{ + "name": "tfsec", + "creator": "tfsec", + "description": "Static analysis for Terraform.", + "iconName": "tfsec", + "categories": ["Code Scanning"] +} diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml new file mode 100644 index 0000000..d06e719 --- /dev/null +++ b/code-scanning/tfsec.yml @@ -0,0 +1,35 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: tfsec + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + tfsec: + name: Run tfsec sarif report + runs-on: ubuntu-latest + + steps: + - name: Clone repo + uses: actions/checkout@master + + - name: Run tfsec + uses: tfsec/tfsec-sarif-action@v0.0.4 + with: + sarif_file: tfsec.sarif + github_token: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: tfsec.sarif \ No newline at end of file diff --git a/icons/tfsec.svg b/icons/tfsec.svg new file mode 100644 index 0000000..6d78f75 --- /dev/null +++ b/icons/tfsec.svg @@ -0,0 +1 @@ + \ No newline at end of file From b80a1555aa6242b8543299266ccbaf38ac49f5ff Mon Sep 17 00:00:00 2001 From: Owen Rumney Date: Wed, 14 Apr 2021 18:45:51 +0100 Subject: [PATCH 50/57] Update code-scanning/tfsec.yml Co-authored-by: John Bohannon --- code-scanning/tfsec.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index d06e719..0b91d26 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -20,7 +20,7 @@ jobs: steps: - name: Clone repo - uses: actions/checkout@master + uses: actions/checkout@v2 - name: Run tfsec uses: tfsec/tfsec-sarif-action@v0.0.4 @@ -32,4 +32,4 @@ jobs: uses: github/codeql-action/upload-sarif@v1 with: # Path to SARIF file relative to the root of the repository - sarif_file: tfsec.sarif \ No newline at end of file + sarif_file: tfsec.sarif From 4adf815cfcd663e714d9656c85cc9be36f2ea92f Mon Sep 17 00:00:00 2001 From: Owen Rumney Date: Wed, 14 Apr 2021 18:53:21 +0100 Subject: [PATCH 51/57] update to use the hash rather than tag --- code-scanning/tfsec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 0b91d26..05879a1 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -23,7 +23,7 @@ jobs: uses: actions/checkout@v2 - name: Run tfsec - uses: tfsec/tfsec-sarif-action@v0.0.4 + uses: tfsec/tfsec-sarif-action@2ec44316ed27c50d48c931c3c628adc4c8bb1d2b with: sarif_file: tfsec.sarif github_token: ${{ secrets.GITHUB_TOKEN }} From cabc659a07e308ca1cedd4185279b64ed80eddb2 Mon Sep 17 00:00:00 2001 From: Owen Rumney Date: Wed, 14 Apr 2021 19:16:05 +0100 Subject: [PATCH 52/57] some tweaks for appearance Improve the description, make it more punchy :-) Use a better SVG for the icon --- .../properties/tfsec.properties.json | 2 +- icons/tfsec.svg | 37 ++++++++++++++++++- 2 files changed, 37 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/tfsec.properties.json b/code-scanning/properties/tfsec.properties.json index 0ecfb53..1a6a2f0 100644 --- a/code-scanning/properties/tfsec.properties.json +++ b/code-scanning/properties/tfsec.properties.json @@ -1,7 +1,7 @@ { "name": "tfsec", "creator": "tfsec", - "description": "Static analysis for Terraform.", + "description": "A static analysis security scanner for your Terraform code. Discover problems with your infrastructure before hackers do.", "iconName": "tfsec", "categories": ["Code Scanning"] } diff --git a/icons/tfsec.svg b/icons/tfsec.svg index 6d78f75..a68cb4c 100644 --- a/icons/tfsec.svg +++ b/icons/tfsec.svg @@ -1 +1,36 @@ - \ No newline at end of file + +image/svg+xml \ No newline at end of file From 678e77e33cf6cfafd482dfc6844cf29810fad5ac Mon Sep 17 00:00:00 2001 From: Owen Rumney Date: Wed, 14 Apr 2021 19:27:00 +0100 Subject: [PATCH 53/57] fix the svg to make it nicer --- icons/tfsec.svg | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/icons/tfsec.svg b/icons/tfsec.svg index a68cb4c..5e04b87 100644 --- a/icons/tfsec.svg +++ b/icons/tfsec.svg @@ -21,16 +21,16 @@ id="g12"> \ No newline at end of file + d="M 296.3 217.1 c 37.2 16.7 73 31.2 107.5 43.6 c 53 18.9 103.3 32.7 152.1 41.6 v 115.9 C 499.5 407.9 441.2 391 379 367.3 C 343.9 354 307.6 338.5 269.7 320.8 C 276.5 285.7 285.3 251 296.3 217.1" /> \ No newline at end of file From 78f5a8e8b5eac295f3bc3855f0c4d109aaf18cd2 Mon Sep 17 00:00:00 2001 From: Owen Rumney Date: Wed, 14 Apr 2021 19:35:46 +0100 Subject: [PATCH 54/57] center the icon better --- icons/tfsec.svg | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/icons/tfsec.svg b/icons/tfsec.svg index 5e04b87..60b6014 100644 --- a/icons/tfsec.svg +++ b/icons/tfsec.svg @@ -5,7 +5,7 @@ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" - viewBox="0 0 180 180" + viewBox="0 0 120 120" height="180" width="180" xml:space="preserve" @@ -21,16 +21,16 @@ id="g12"> \ No newline at end of file + d="M 65.6 456 c 37.2 16.7 73 31.2 107.5 43.6 c 53 18.9 103.3 32.7 152.1 41.6 v 115.9 C 268.8 646.8 210.5 629.9 148.3 606.2 C 113.2 592.9 76.9 577.4 39 559.7 C 45.8 524.6 54.6 489.9 65.6 456" /> \ No newline at end of file From 7dab5895e67103ca158b93552580f6918b6a0524 Mon Sep 17 00:00:00 2001 From: Owen Rumney Date: Wed, 14 Apr 2021 20:17:04 +0100 Subject: [PATCH 55/57] add HCL as a category --- code-scanning/properties/tfsec.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/tfsec.properties.json b/code-scanning/properties/tfsec.properties.json index 1a6a2f0..6796d79 100644 --- a/code-scanning/properties/tfsec.properties.json +++ b/code-scanning/properties/tfsec.properties.json @@ -3,5 +3,5 @@ "creator": "tfsec", "description": "A static analysis security scanner for your Terraform code. Discover problems with your infrastructure before hackers do.", "iconName": "tfsec", - "categories": ["Code Scanning"] + "categories": ["Code Scanning", "HCL"] } From 7d3cfbd03503bceaa75ac3b07f6302dfd0b341e8 Mon Sep 17 00:00:00 2001 From: sceee Date: Thu, 15 Apr 2021 18:17:57 +0200 Subject: [PATCH 56/57] Add recursive write permissions to "/srv/jekyll" Add recursive write permissions to the site directory to avoid permission denied errors in case of jekyll requiring to create the output directory --- ci/jekyll.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/jekyll.yml b/ci/jekyll.yml index 9449a6e..71920c1 100644 --- a/ci/jekyll.yml +++ b/ci/jekyll.yml @@ -17,4 +17,4 @@ jobs: run: | docker run \ -v ${{ github.workspace }}:/srv/jekyll -v ${{ github.workspace }}/_site:/srv/jekyll/_site \ - jekyll/builder:latest /bin/bash -c "chmod 777 /srv/jekyll && jekyll build --future" + jekyll/builder:latest /bin/bash -c "chmod -R 777 /srv/jekyll && jekyll build --future" From ed015ab7b9a5055065bd3c7a111ea7f623f8c785 Mon Sep 17 00:00:00 2001 From: Stephen Wade Date: Sat, 17 Apr 2021 14:08:56 -0400 Subject: [PATCH 57/57] Fix broken link in README.md --- code-scanning/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/code-scanning/README.md b/code-scanning/README.md index 5b910da..076d57c 100644 --- a/code-scanning/README.md +++ b/code-scanning/README.md @@ -1,4 +1,3 @@ # Code Scanning Workflows -GitHub code scanning is a developer-first, GitHub-native approach to easily find security vulnerabilities before they reach production. Before you can configure code scanning for a repository, you must enable code scanning by adding a GitHub Actions workflow to the repository. For more information, see [Enabling Code Scanning for a repository](/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository). - +GitHub code scanning is a developer-first, GitHub-native approach to easily find security vulnerabilities before they reach production. Before you can configure code scanning for a repository, you must enable code scanning by adding a GitHub Actions workflow to the repository. For more information, see [Setting up code scanning for a repository](https://docs.github.com/en/code-security/secure-coding/setting-up-code-scanning-for-a-repository).