From 900a0204646df69c0d0d535eab4c8ef5a151abc6 Mon Sep 17 00:00:00 2001 From: fredster33 <64927044+fredster33@users.noreply.github.com> Date: Fri, 13 Aug 2021 17:09:48 -0700 Subject: [PATCH 001/234] Fix typo --- automation/greetings.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/greetings.yml b/automation/greetings.yml index ee1cb11..fed28b7 100644 --- a/automation/greetings.yml +++ b/automation/greetings.yml @@ -12,5 +12,5 @@ jobs: - uses: actions/first-interaction@v1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - issue-message: 'Message that will be displayed on users first issue' - pr-message: 'Message that will be displayed on users first pull request' + issue-message: 'Message that will be displayed on users' first issue' + pr-message: 'Message that will be displayed on users' first pull request' From 25f4fd1b5fec908829d2da20f4009f1d8074ef12 Mon Sep 17 00:00:00 2001 From: Mattias Cibien Date: Wed, 27 Oct 2021 16:24:24 +0200 Subject: [PATCH 002/234] Fix dotnet-desktop template Removed environment variable which is not currently used and makes the build fail --- ci/dotnet-desktop.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index 0635779..c22b998 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -105,7 +105,7 @@ jobs: # Remove the pfx - name: Remove the pfx - run: Remove-Item -path $env:Wap_Project_Directory\$env:Signing_Certificate + run: Remove-Item -path $env:Wap_Project_Directory\GitHubActionsWorkflow.pfx # Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact - name: Upload build artifacts From e7b6150c5d5e51b08fd12c97dac956e3a2aff175 Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Thu, 3 Feb 2022 13:54:14 +0530 Subject: [PATCH 003/234] Added underscore(_) in the name to fix yml errors caused by the empty spaces in the name --- code-scanning/apisec-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 3aa06ca..65a6baf 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -43,7 +43,7 @@ on: jobs: - Trigger APIsec scan: + Trigger_APIsec_scan: runs-on: ubuntu-latest steps: From 5d03c86e2615ba04a2dcb4ec2ed2cd659eecdb98 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Fri, 4 Feb 2022 10:42:13 +0530 Subject: [PATCH 004/234] Added token permission for deployments/azure-staticwebapp.yml --- deployments/azure-staticwebapp.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml index 8e1faf7..5430f04 100644 --- a/deployments/azure-staticwebapp.yml +++ b/deployments/azure-staticwebapp.yml @@ -28,8 +28,14 @@ env: APP_ARTIFACT_LOCATION: "build" # location of client code build output AZURE_STATIC_WEB_APPS_API_TOKEN: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing deployment token for your static web app +permissions: + contents: read + jobs: build_and_deploy_job: + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: write # for Azure/static-web-apps-deploy to comment on PRs if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed') runs-on: ubuntu-latest name: Build and Deploy Job @@ -52,6 +58,8 @@ jobs: ###### End of Repository/Build Configurations ###### close_pull_request_job: + permissions: + contents: none if: github.event_name == 'pull_request' && github.event.action == 'closed' runs-on: ubuntu-latest name: Close Pull Request Job From 6e8e5830e94403d54495f803067dd7653dabb0d2 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Fri, 11 Feb 2022 16:56:36 +0530 Subject: [PATCH 005/234] added token permissions --- deployments/azure-container-webapp.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml index 57fe362..b6f339f 100644 --- a/deployments/azure-container-webapp.yml +++ b/deployments/azure-container-webapp.yml @@ -35,6 +35,9 @@ on: - $default-branch workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -63,6 +66,8 @@ jobs: file: ./Dockerfile deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: From 63beace25d14ca0b8918b467dbfe7bc0f3281742 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Mon, 14 Feb 2022 11:16:12 +0530 Subject: [PATCH 006/234] added github_token permission --- deployments/terraform.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/terraform.yml b/deployments/terraform.yml index 589f1f3..b7cbc3a 100644 --- a/deployments/terraform.yml +++ b/deployments/terraform.yml @@ -50,6 +50,9 @@ on: - $default-branch pull_request: +permissions: + contents: read + jobs: terraform: name: 'Terraform' From fd8ffb3d9c4336e2e4584baebffce4196086e794 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 13:01:38 +0530 Subject: [PATCH 007/234] Update aws.yml --- deployments/aws.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/aws.yml b/deployments/aws.yml index dab851f..65f445f 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -41,6 +41,9 @@ env: CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the # containerDefinitions section of your task definition +permissions: + contents: read + jobs: deploy: name: Deploy From 394301af94ed4c4a052d067ef69a71885bc0a297 Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Mon, 14 Feb 2022 10:11:33 +0000 Subject: [PATCH 008/234] Adding folder category check --- script/validate-data/index.ts | 17 ++++++++++++----- script/validate-data/settings.json | 18 ++++++++++++++++++ 2 files changed, 30 insertions(+), 5 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 7dce3d1..6669b34 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -1,7 +1,7 @@ #!/usr/bin/env npx ts-node import { promises as fs } from "fs"; import { safeLoad } from "js-yaml"; -import { basename, extname, join } from "path"; +import { basename, extname, join, dirname } from "path"; import { Validator as validator } from "jsonschema"; import { endGroup, error, info, setFailed, startGroup } from '@actions/core'; @@ -40,7 +40,7 @@ const propertiesSchema = { } } -async function checkWorkflows(folders: string[], allowed_categories: string[]): Promise { +async function checkWorkflows(folders: string[], allowed_categories: string[], folder_category_map: object[]): Promise { const result: WorkflowWithErrors[] = [] const workflow_template_names = new Set() for (const folder of folders) { @@ -55,7 +55,7 @@ async function checkWorkflows(folders: string[], allowed_categories: string[]): const workflowFilePath = join(folder, e.name); const propertiesFilePath = join(folder, "properties", `${fileType}.properties.json`) - const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, allowed_categories); + const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, allowed_categories, folder_category_map); if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) { workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) } @@ -69,7 +69,7 @@ async function checkWorkflows(folders: string[], allowed_categories: string[]): return result; } -async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: string[]): Promise { +async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: string[], folder_category_map: object[]): Promise { let workflowErrors: WorkflowWithErrors = { id: workflowPath, name: null, @@ -104,10 +104,17 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow } } + var directoryName = dirname(workflowPath) + var folder_category = folder_category_map.find( folder_category => folder_category["name"] == directoryName)["category"] if (!workflowPath.endsWith("blank.yml") && (!properties.categories || !properties.categories.some(category => allowed_categories.some(ac => ac.toLowerCase() == category.toLowerCase())))) { workflowErrors.errors.push(`Workflow does not contain at least one allowed category - ${allowed_categories}`) } + + if(properties.categories && !properties.categories.some(category => category.toLowerCase() == folder_category.toLowerCase())) { + workflowErrors.errors.push(`Either workflow is not added to the correct directory or category specified is wrong. Allowed category for ${basename(directoryName)} directory is ${folder_category}`) + } + } catch (e) { workflowErrors.errors.push(e.toString()) } @@ -118,7 +125,7 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow try { const settings = require("./settings.json"); const erroredWorkflows = await checkWorkflows( - settings.folders, settings.allowed_categories + settings.folders, settings.allowed_categories, settings.folder_category_map ) if (erroredWorkflows.length > 0) { diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index ce89e36..ab1ada3 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json @@ -10,5 +10,23 @@ "Deployment", "Code Scanning", "Automation" + ], + "folder_category_map": [ + { + "name": "../../ci", + "category": "Continuous integration" + }, + { + "name": "../../automation", + "category": "Automation" + }, + { + "name": "../../deployments", + "category": "Deployment" + }, + { + "name": "../../code-scanning", + "category": "Code Scanning" + } ] } \ No newline at end of file From 8bcdd73aa893896b02a33bf844682a4a632c099a Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Tue, 15 Feb 2022 13:36:24 +0530 Subject: [PATCH 009/234] added github_token permission --- deployments/alibabacloud.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index ded9178..c783305 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -40,6 +40,9 @@ env: ACR_EE_IMAGE: repo ACR_EE_TAG: ${{ github.sha }} +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest From 8c75e2d11fd9040bc7a3492d7bcfcb4c92a194d7 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Thu, 17 Feb 2022 08:57:59 +0530 Subject: [PATCH 010/234] Update pmd.yml --- code-scanning/pmd.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 0604734..cf4b01d 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -13,8 +13,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: pmd-code-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 From aafd23c138797490f77148df749cb66c609c825a Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Thu, 24 Feb 2022 10:26:04 +0000 Subject: [PATCH 011/234] review comments --- script/validate-data/index.ts | 21 ++++++++++----------- script/validate-data/settings.json | 8 +------- 2 files changed, 11 insertions(+), 18 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 6669b34..c3b6fa9 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -69,7 +69,7 @@ async function checkWorkflows(folders: string[], allowed_categories: string[], f return result; } -async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: string[], folder_category_map: object[]): Promise { +async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: string[], directory_category_map: object[]): Promise { let workflowErrors: WorkflowWithErrors = { id: workflowPath, name: null, @@ -105,16 +105,15 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow } var directoryName = dirname(workflowPath) - var folder_category = folder_category_map.find( folder_category => folder_category["name"] == directoryName)["category"] - if (!workflowPath.endsWith("blank.yml") && (!properties.categories || - !properties.categories.some(category => allowed_categories.some(ac => ac.toLowerCase() == category.toLowerCase())))) { - workflowErrors.errors.push(`Workflow does not contain at least one allowed category - ${allowed_categories}`) + var directory_category = directory_category_map.find( folder_category => folder_category["name"] == directoryName)["category"] + if (!workflowPath.endsWith("blank.yml") && ((!properties.categories || properties.categories.length == 0 )|| + properties.categories[0].toLowerCase() !== directory_category.toLowerCase())) { + if(!properties.categories || properties.categories.length == 0) { + workflowErrors.errors.push(`Workflow categories cannot be null or empty`) + } else { + workflowErrors.errors.push(`The first category in properties.json categories must be "${directory_category}" for ${basename(directoryName)} directory workflow.`) + } } - - if(properties.categories && !properties.categories.some(category => category.toLowerCase() == folder_category.toLowerCase())) { - workflowErrors.errors.push(`Either workflow is not added to the correct directory or category specified is wrong. Allowed category for ${basename(directoryName)} directory is ${folder_category}`) - } - } catch (e) { workflowErrors.errors.push(e.toString()) } @@ -125,7 +124,7 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow try { const settings = require("./settings.json"); const erroredWorkflows = await checkWorkflows( - settings.folders, settings.allowed_categories, settings.folder_category_map + settings.folders, settings.allowed_categories, settings.directory_category_map ) if (erroredWorkflows.length > 0) { diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index ab1ada3..2dd3898 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json @@ -5,13 +5,7 @@ "../../deployments", "../../code-scanning" ], - "allowed_categories" : [ - "Continuous integration", - "Deployment", - "Code Scanning", - "Automation" - ], - "folder_category_map": [ + "directory_category_map": [ { "name": "../../ci", "category": "Continuous integration" From ac7b3362da33824992eea1a04c15dccb84799abe Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Fri, 4 Mar 2022 05:59:55 +0000 Subject: [PATCH 012/234] removing unused variables --- script/validate-data/index.ts | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index c3b6fa9..e54b6c1 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -40,7 +40,7 @@ const propertiesSchema = { } } -async function checkWorkflows(folders: string[], allowed_categories: string[], folder_category_map: object[]): Promise { +async function checkWorkflows(folders: string[], folder_category_map: object[]): Promise { const result: WorkflowWithErrors[] = [] const workflow_template_names = new Set() for (const folder of folders) { @@ -55,7 +55,7 @@ async function checkWorkflows(folders: string[], allowed_categories: string[], f const workflowFilePath = join(folder, e.name); const propertiesFilePath = join(folder, "properties", `${fileType}.properties.json`) - const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, allowed_categories, folder_category_map); + const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, folder_category_map); if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) { workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) } @@ -69,7 +69,7 @@ async function checkWorkflows(folders: string[], allowed_categories: string[], f return result; } -async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: string[], directory_category_map: object[]): Promise { +async function checkWorkflow(workflowPath: string, propertiesPath: string, directory_category_map: object[]): Promise { let workflowErrors: WorkflowWithErrors = { id: workflowPath, name: null, @@ -124,7 +124,7 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow try { const settings = require("./settings.json"); const erroredWorkflows = await checkWorkflows( - settings.folders, settings.allowed_categories, settings.directory_category_map + settings.folders, settings.directory_category_map ) if (erroredWorkflows.length > 0) { From c6cf518c753c35074eb20e53d641c91e6d87528d Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Fri, 4 Mar 2022 06:28:56 +0000 Subject: [PATCH 013/234] reaming directory to folder and added creator check for deployment templates --- script/validate-data/index.ts | 17 +++++++++++------ script/validate-data/settings.json | 2 +- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index e54b6c1..da4d2d8 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -14,6 +14,7 @@ interface WorkflowWithErrors { interface WorkflowProperties { name: string; description: string; + creator: string; iconName: string; categories: string[]; } @@ -69,7 +70,7 @@ async function checkWorkflows(folders: string[], folder_category_map: object[]): return result; } -async function checkWorkflow(workflowPath: string, propertiesPath: string, directory_category_map: object[]): Promise { +async function checkWorkflow(workflowPath: string, propertiesPath: string, folder_category_map: object[]): Promise { let workflowErrors: WorkflowWithErrors = { id: workflowPath, name: null, @@ -104,16 +105,20 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, direc } } - var directoryName = dirname(workflowPath) - var directory_category = directory_category_map.find( folder_category => folder_category["name"] == directoryName)["category"] + var folderName = dirname(workflowPath) + var folder_category = folder_category_map.find( folder_category => folder_category["name"] == folderName)["category"] if (!workflowPath.endsWith("blank.yml") && ((!properties.categories || properties.categories.length == 0 )|| - properties.categories[0].toLowerCase() !== directory_category.toLowerCase())) { + properties.categories[0].toLowerCase() !== folder_category.toLowerCase())) { if(!properties.categories || properties.categories.length == 0) { workflowErrors.errors.push(`Workflow categories cannot be null or empty`) } else { - workflowErrors.errors.push(`The first category in properties.json categories must be "${directory_category}" for ${basename(directoryName)} directory workflow.`) + workflowErrors.errors.push(`The first category in properties.json categories must be "${folder_category}" for ${basename(folderName)} folder workflow.`) } } + + if(folder_category.toLowerCase() == 'deployment' && !properties.creator) { + workflowErrors.errors.push(`The "creator" in properties.json must be present.`) + } } catch (e) { workflowErrors.errors.push(e.toString()) } @@ -124,7 +129,7 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, direc try { const settings = require("./settings.json"); const erroredWorkflows = await checkWorkflows( - settings.folders, settings.directory_category_map + settings.folders, settings.folder_category_map ) if (erroredWorkflows.length > 0) { diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index 2dd3898..7d3ecfe 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json @@ -5,7 +5,7 @@ "../../deployments", "../../code-scanning" ], - "directory_category_map": [ + "folder_category_map": [ { "name": "../../ci", "category": "Continuous integration" From 002e1a441e4ada04aca6da6f20a4b1fd079548ed Mon Sep 17 00:00:00 2001 From: Matt Moore Date: Mon, 6 Dec 2021 12:04:44 -0800 Subject: [PATCH 014/234] Support uppercase repository names with cosign. My previous PR didn't properly handle uppercase usernames (or repository names) when signing container images with `cosign`. It seems that the `docker buildx --push` doesn't like this either, but it's passed the output of the `docker/metadata-action` which seems to lowercase things. Fixes: https://github.com/actions/starter-workflows/issues/1293 Signed-off-by: Matt Moore --- ci/docker-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 977635a..ee2ec63 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -90,4 +90,4 @@ jobs: COSIGN_EXPERIMENTAL: "true" # This step uses the identity token to provision an ephemeral certificate # against the sigstore community Fulcio instance. - run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }} + run: cosign sign ${{ steps.meta.outputs.tags }}@${{ steps.build-and-push.outputs.digest }} From 4657e39b91e5b80beea6f0cd14159141080b1f7d Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 15:39:54 +0530 Subject: [PATCH 015/234] Update azure-webapps-python.yml --- deployments/azure-webapps-python.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 8605e0a..6c43c1e 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -29,6 +29,9 @@ on: - $default-branch workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -61,6 +64,8 @@ jobs: !venv/ deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: From bd76c74da653b228e83d45fea3d40d65a6197095 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 15:51:52 +0530 Subject: [PATCH 016/234] Update azure-webapps-php.yml --- deployments/azure-webapps-php.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index a2dd57b..a4442cf 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -30,6 +30,9 @@ env: AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root PHP_VERSION: '8.x' # set this to the PHP version to use +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -74,6 +77,8 @@ jobs: path: . deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: From a1fe90c10dbf737fb1787b358028b5e33641dcc0 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 16:00:04 +0530 Subject: [PATCH 017/234] Update tencent.yml --- deployments/tencent.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/tencent.yml b/deployments/tencent.yml index 83bde94..165981a 100644 --- a/deployments/tencent.yml +++ b/deployments/tencent.yml @@ -27,6 +27,9 @@ env: TKE_CLUSTER_ID: cls-mywebapp DEPLOYMENT_NAME: tke-test +permissions: + contents: read + jobs: setup-build-publish-deploy: name: Setup, Build, Publish, and Deploy From 53a9402455e3e377c93f0da9193a0f88b43645a7 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 16:39:47 +0530 Subject: [PATCH 018/234] Update azure-webapps-dotnet-core.yml --- deployments/azure-webapps-dotnet-core.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index ed45e22..758c6fa 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -30,6 +30,9 @@ on: - $default-branch workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -63,6 +66,8 @@ jobs: path: ${{env.DOTNET_ROOT}}/myapp deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: From 7b765747a5254b76a9408811ce5753c98f92a15f Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 16:41:42 +0530 Subject: [PATCH 019/234] Update azure-webapps-java-jar.yml --- deployments/azure-webapps-java-jar.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 210fd90..50d2679 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -29,6 +29,9 @@ on: - $default-branch workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -52,6 +55,8 @@ jobs: path: '${{ github.workspace }}/target/*.jar' deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: From 5e58bc6ef64e268fc508e06ed061209248c11423 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 16:47:46 +0530 Subject: [PATCH 020/234] Update azure-webapps-node.yml --- deployments/azure-webapps-node.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index b6089d4..07cd361 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -28,6 +28,9 @@ env: AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root NODE_VERSION: '14.x' # set this to the node version to use +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -53,6 +56,8 @@ jobs: path: . deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: From 2e60d03ab7a47f3c73e7a5a95e75fdc1b2d6893c Mon Sep 17 00:00:00 2001 From: mvecha Date: Mon, 4 Apr 2022 12:38:39 +0530 Subject: [PATCH 021/234] Zscaler IaC Action Publish --- .../properties/zscaler.properties.json | 7 +++ code-scanning/zscaler.yml | 46 +++++++++++++++++++ icons/zscaler.svg | 3 ++ 3 files changed, 56 insertions(+) create mode 100644 code-scanning/properties/zscaler.properties.json create mode 100644 code-scanning/zscaler.yml create mode 100644 icons/zscaler.svg diff --git a/code-scanning/properties/zscaler.properties.json b/code-scanning/properties/zscaler.properties.json new file mode 100644 index 0000000..784a52b --- /dev/null +++ b/code-scanning/properties/zscaler.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Zscaler IaC Scan", + "creator": "Zscaler CWP Team", + "description": "Scan your Infrastructure as Code files using Zscaler Infrastructure as Code (IaC) Scan app", + "iconName": "zscaler", + "categories": ["Code Scanning","HCL"] +} \ No newline at end of file diff --git a/code-scanning/zscaler.yml b/code-scanning/zscaler.yml new file mode 100644 index 0000000..beea601 --- /dev/null +++ b/code-scanning/zscaler.yml @@ -0,0 +1,46 @@ +#This workflow uses actions that are not certified by GitHub. +#They are provided by a third party and are governed by +#separate terms of service, privacy policy, and support +#documentation. + +#This workflow runs the Zscaler Infrastructure as Code (IaC) Scan app, +#which detects security misconfigurations in IaC templates and publishes the findings +#under the code scanning alerts section within the repository. + +name: Zscanner IaC Scan +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + zscaler-iac-scan: + runs-on: ubuntu-latest + steps: + - name : Code Checkout + uses: actions/checkout@v2 + - name : Zscaler IAC Scan + uses : ZscalerCWP/Zscaler-IaC-Action@v0.2.0 + id : zscaler-iac-scan + with: + #Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process. + #Copy the client ID and client secret key generated during the onboarding process and configure. + #GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). + client_id : ${{ secrets.ZSCANNER_CLIENT_ID }} + client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }} + #This is the user region specified during the onboarding process within the ZWP Admin Portal. + region : 'US' + iac_dir : #Enter the IaC directory path from root. + iac_file : #Enter the IaC file path from root. + output_format : #(Optional) By default, the output is provided in a human readable format. However, if you require a different format, you can specify it here. + #To fail the build based on policy violations identified in the IaC templates, set the input value (fail_build) to true. + fail_build : #Enter true/false + #Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository. + - name: Upload SARIF file + if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }} + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }} \ No newline at end of file diff --git a/icons/zscaler.svg b/icons/zscaler.svg new file mode 100644 index 0000000..3897442 --- /dev/null +++ b/icons/zscaler.svg @@ -0,0 +1,3 @@ + + + From 5e3bc9a2fd200fc324e4bff09889cc80465d1a08 Mon Sep 17 00:00:00 2001 From: mvecha Date: Mon, 4 Apr 2022 16:26:19 +0530 Subject: [PATCH 022/234] Update zscaler-iac-scan.yml --- code-scanning/{zscaler.yml => zscaler-iac-scan.yml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename code-scanning/{zscaler.yml => zscaler-iac-scan.yml} (98%) diff --git a/code-scanning/zscaler.yml b/code-scanning/zscaler-iac-scan.yml similarity index 98% rename from code-scanning/zscaler.yml rename to code-scanning/zscaler-iac-scan.yml index beea601..e23a8d6 100644 --- a/code-scanning/zscaler.yml +++ b/code-scanning/zscaler-iac-scan.yml @@ -7,7 +7,7 @@ #which detects security misconfigurations in IaC templates and publishes the findings #under the code scanning alerts section within the repository. -name: Zscanner IaC Scan +name: Zscaler IaC Scan on: push: branches: [ $default-branch, $protected-branches ] From 7a322529a7f2fe483452dad5b1941ca7742216e8 Mon Sep 17 00:00:00 2001 From: mvecha Date: Mon, 4 Apr 2022 16:29:09 +0530 Subject: [PATCH 023/234] Update zscaler-iac-scan.properties.json --- .../{zscaler.properties.json => zscaler-iac-scan.properties.json} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename code-scanning/properties/{zscaler.properties.json => zscaler-iac-scan.properties.json} (100%) diff --git a/code-scanning/properties/zscaler.properties.json b/code-scanning/properties/zscaler-iac-scan.properties.json similarity index 100% rename from code-scanning/properties/zscaler.properties.json rename to code-scanning/properties/zscaler-iac-scan.properties.json From 3857754fa1839756e86ec089760bb20c7084c895 Mon Sep 17 00:00:00 2001 From: mvecha Date: Mon, 4 Apr 2022 17:55:47 +0530 Subject: [PATCH 024/234] Update zscaler-iac-scan.properties.json --- code-scanning/properties/zscaler-iac-scan.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/zscaler-iac-scan.properties.json b/code-scanning/properties/zscaler-iac-scan.properties.json index 784a52b..b643037 100644 --- a/code-scanning/properties/zscaler-iac-scan.properties.json +++ b/code-scanning/properties/zscaler-iac-scan.properties.json @@ -1,7 +1,7 @@ { "name": "Zscaler IaC Scan", - "creator": "Zscaler CWP Team", + "creator": "Zscaler CWP", "description": "Scan your Infrastructure as Code files using Zscaler Infrastructure as Code (IaC) Scan app", "iconName": "zscaler", - "categories": ["Code Scanning","HCL"] + "categories": ["Code Scanning","Security"] } \ No newline at end of file From 74471dae6f1a513f17bdacfdce6fd69145a5271a Mon Sep 17 00:00:00 2001 From: mvecha Date: Tue, 5 Apr 2022 13:21:24 +0530 Subject: [PATCH 025/234] Update zscaler-iac-scan.yml --- code-scanning/zscaler-iac-scan.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml index e23a8d6..a8424b7 100644 --- a/code-scanning/zscaler-iac-scan.yml +++ b/code-scanning/zscaler-iac-scan.yml @@ -16,14 +16,20 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: zscaler-iac-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - name : Code Checkout uses: actions/checkout@v2 - name : Zscaler IAC Scan - uses : ZscalerCWP/Zscaler-IaC-Action@v0.2.0 + uses : ZscalerCWP/Zscaler-IaC-Action@8f0d8b60bd5a8f44062d444463f66f419ab71cfc id : zscaler-iac-scan with: #Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process. From 9e81e73fe1c6c6786692b02864aeb1271734d235 Mon Sep 17 00:00:00 2001 From: Andrew Freckelton <7751633+frecks@users.noreply.github.com> Date: Mon, 11 Apr 2022 15:04:06 -0400 Subject: [PATCH 026/234] chore: Update go version to 1.18 --- ci/go.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/go.yml b/ci/go.yml index 6f498a6..bb3ec96 100644 --- a/ci/go.yml +++ b/ci/go.yml @@ -16,7 +16,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v3 with: - go-version: 1.17 + go-version: 1.18 - name: Build run: go build -v ./... From 66f87f9dfe82ccc8055c7063ef35ee994f1a3ae1 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Mon, 11 Apr 2022 21:41:27 -0700 Subject: [PATCH 027/234] Add clj-watson starter workflow (#1460) * Add clj-watson starter workflow * update permissions * update to latest release * Update clj-watson-action to official release * Update code-scanning/clj-watson.yml Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com> * Update code-scanning/clj-watson.yml Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com> * update categories * update categories * Update code-scanning/clj-watson.yml Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com> * Update code-scanning/properties/clj-watson.properties.json Co-authored-by: Bishal Prasad * Update code-scanning/clj-watson.yml Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com> * add comments to yml file * Update clj-watson.properties.json * use codeql-action/upload-sarif v2 Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com> Co-authored-by: Bishal Prasad --- code-scanning/clj-watson.yml | 53 +++++++++++++++++++ .../properties/clj-watson.properties.json | 9 ++++ icons/clj-watson.svg | 1 + 3 files changed, 63 insertions(+) create mode 100644 code-scanning/clj-watson.yml create mode 100644 code-scanning/properties/clj-watson.properties.json create mode 100644 icons/clj-watson.svg diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml new file mode 100644 index 0000000..2e4ab3c --- /dev/null +++ b/code-scanning/clj-watson.yml @@ -0,0 +1,53 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# clj-watson scans dependencies in a clojure deps.edn +# seeking for vulnerable direct/transitive dependencies and +# build a report with all the information needed to help you +# understand how the vulnerability manifest in your software. +# More details at https://github.com/clj-holmes/clj-watson + +name: clj-watson + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + clj-holmes: + name: Run clj-watson scanning + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Dependency scan + uses: clj-holmes/clj-watson-action@39b8ed306f2c125860cf6e69b6939363689f998c + with: + clj-watson-sha: "65d928c" + clj-watson-tag: "v4.0.1" + database-strategy: github-advisory + aliases: clojure-lsp,test + deps-edn-path: deps.edn + suggest-fix: true + output-type: sarif + output-file: clj-watson-results.sarif + fail-on-result: false + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ${{github.workspace}}/clj-watson-results.sarif + wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/properties/clj-watson.properties.json b/code-scanning/properties/clj-watson.properties.json new file mode 100644 index 0000000..966314a --- /dev/null +++ b/code-scanning/properties/clj-watson.properties.json @@ -0,0 +1,9 @@ +{ + "name": "clj-watson", + "description": "Scan Clojure/Clojurescript projects for vulnerable direct/transitive dependencies.", + "iconName": "clj-watson", + "categories": [ + "Code Scanning", + "Clojure" + ] +} diff --git a/icons/clj-watson.svg b/icons/clj-watson.svg new file mode 100644 index 0000000..74459e5 --- /dev/null +++ b/icons/clj-watson.svg @@ -0,0 +1 @@ + \ No newline at end of file From 94d3aff4c62f40e4751c3c71c61b23c4ec02a072 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Tue, 12 Apr 2022 10:27:04 +0530 Subject: [PATCH 028/234] Remove creator property from rust-clippy This is owned by @josepalafox's BD team in GitHub. --- code-scanning/properties/rust-clippy.properties.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/code-scanning/properties/rust-clippy.properties.json b/code-scanning/properties/rust-clippy.properties.json index ea5c871..4737786 100644 --- a/code-scanning/properties/rust-clippy.properties.json +++ b/code-scanning/properties/rust-clippy.properties.json @@ -1,10 +1,9 @@ { "name": "rust-clippy", - "creator": "Rust", "description": "A collection of lints to catch common mistakes and improve your Rust code.", "iconName": "rust", "categories": [ "Code Scanning", "rust" ] -} \ No newline at end of file +} From ae0ff4dd3a81c243bea35ec3e2035ab14b94bc9e Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Tue, 12 Apr 2022 10:29:04 +0530 Subject: [PATCH 029/234] Add Actions team as CODEOWNERS for code-scanning starter workflows --- CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CODEOWNERS b/CODEOWNERS index 8866d17..91153de 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,3 +1,3 @@ * @actions/starter-workflows -/code-scanning/ @actions/advanced-security-code-scanning +/code-scanning/ @actions/advanced-security-code-scanning @actions/starter-workflows From 92b20ce19b85f9e2d7eb558aa665eb6ac9287cb5 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Wed, 13 Apr 2022 23:04:48 -0700 Subject: [PATCH 030/234] Add ESLint starter workflow (#1461) * Add ESLint starter workflow * Specify versions * update permission * Add typescript to categories * Update codeql action to v2; add comments * address review feedbacks * update categories --- code-scanning/eslint.yml | 49 +++++++++++++++++++ .../properties/eslint.properties.json | 11 +++++ icons/eslint.svg | 1 + 3 files changed, 61 insertions(+) create mode 100644 code-scanning/eslint.yml create mode 100644 code-scanning/properties/eslint.properties.json create mode 100644 icons/eslint.svg diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml new file mode 100644 index 0000000..9067a7d --- /dev/null +++ b/code-scanning/eslint.yml @@ -0,0 +1,49 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# ESLint is a tool for identifying and reporting on patterns +# found in ECMAScript/JavaScript code. +# More details at https://github.com/eslint/eslint +# and https://eslint.org + +name: ESLint + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + eslint: + name: Run eslint scanning + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Install ESLint + run: | + npm install eslint@8.10.0 + npm install @microsoft/eslint-formatter-sarif@2.1.7 + + - name: Run ESLint + run: npx eslint . + --config .eslintrc.js + --ext .js,.jsx,.ts,.tsx + --format @microsoft/eslint-formatter-sarif + --output-file eslint-results.sarif + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: eslint-results.sarif + wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/properties/eslint.properties.json b/code-scanning/properties/eslint.properties.json new file mode 100644 index 0000000..a84646a --- /dev/null +++ b/code-scanning/properties/eslint.properties.json @@ -0,0 +1,11 @@ +{ + "name": "ESLint", + "description": "A tool for identifying and reporting the problems found in ECMAScript/JavaScript code.", + "iconName": "eslint", + "categories": [ + "Code Scanning", + "JavaScript", + "EcmaScript", + "TypeScript" + ] +} \ No newline at end of file diff --git a/icons/eslint.svg b/icons/eslint.svg new file mode 100644 index 0000000..23964aa --- /dev/null +++ b/icons/eslint.svg @@ -0,0 +1 @@ + \ No newline at end of file From ac3c29ff5b1f47eab61e718d9a62519799d1a7a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Arko?= Date: Sun, 17 Apr 2022 03:07:19 -0700 Subject: [PATCH 031/234] Shorten Rails workflow name, in line with others The workflows for Ruby, RubyGem, Jekyll, and similar are all just the name of the language, package, or framework. This name change brings Rails in line with the other starters. --- ci/properties/rubyonrails.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/properties/rubyonrails.properties.json b/ci/properties/rubyonrails.properties.json index 49b29a4..7a2c18a 100644 --- a/ci/properties/rubyonrails.properties.json +++ b/ci/properties/rubyonrails.properties.json @@ -1,5 +1,5 @@ { - "name": "Ruby on Rails continuous integration", + "name": "Ruby on Rails", "description": "Build, lint, and test a Rails application", "iconName": "rails", "categories": ["Continuous integration", "Ruby", "Rails"] From 2885b083c9ae49c16188ad79cf15bab9e2107547 Mon Sep 17 00:00:00 2001 From: Jesse Glick Date: Mon, 18 Apr 2022 15:39:08 -0400 Subject: [PATCH 032/234] Update docker/build-push-action https://github.com/docker/build-push-action/commit/ac9327eae2b366085ac7f6a2d02df8aa8ead720a to pick up https://github.com/docker/build-push-action/pull/569 --- ci/docker-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 75f9770..a9fd4b3 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -72,7 +72,7 @@ jobs: # https://github.com/docker/build-push-action - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a with: context: . push: ${{ github.event_name != 'pull_request' }} From 73afccbbd54778fd08596f3fbe386823dcf15901 Mon Sep 17 00:00:00 2001 From: mvecha Date: Thu, 21 Apr 2022 15:20:01 +0530 Subject: [PATCH 033/234] Addressing PR Comments from Community --- .../properties/zscaler-iac-scan.properties.json | 2 +- code-scanning/zscaler-iac-scan.yml | 15 ++++++++++----- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/code-scanning/properties/zscaler-iac-scan.properties.json b/code-scanning/properties/zscaler-iac-scan.properties.json index b643037..274d17a 100644 --- a/code-scanning/properties/zscaler-iac-scan.properties.json +++ b/code-scanning/properties/zscaler-iac-scan.properties.json @@ -3,5 +3,5 @@ "creator": "Zscaler CWP", "description": "Scan your Infrastructure as Code files using Zscaler Infrastructure as Code (IaC) Scan app", "iconName": "zscaler", - "categories": ["Code Scanning","Security"] + "categories": ["Code Scanning"] } \ No newline at end of file diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml index a8424b7..195bb57 100644 --- a/code-scanning/zscaler-iac-scan.yml +++ b/code-scanning/zscaler-iac-scan.yml @@ -7,6 +7,14 @@ #which detects security misconfigurations in IaC templates and publishes the findings #under the code scanning alerts section within the repository. +#Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process. +#Copy the client ID and client secret key generated during the onboarding process and configure. +#GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). + +#Refer https://github.com/marketplace/actions/zscaler-iac-scan for additional details on setting up this workflow. +#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues +#for further investigation. + name: Zscaler IaC Scan on: push: @@ -27,14 +35,11 @@ jobs: runs-on: ubuntu-latest steps: - name : Code Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name : Zscaler IAC Scan uses : ZscalerCWP/Zscaler-IaC-Action@8f0d8b60bd5a8f44062d444463f66f419ab71cfc id : zscaler-iac-scan with: - #Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process. - #Copy the client ID and client secret key generated during the onboarding process and configure. - #GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). client_id : ${{ secrets.ZSCANNER_CLIENT_ID }} client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }} #This is the user region specified during the onboarding process within the ZWP Admin Portal. @@ -47,6 +52,6 @@ jobs: #Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository. - name: Upload SARIF file if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }} - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }} \ No newline at end of file From cfa93d0eecf7f1b230986ff509814b1ab1ad0ece Mon Sep 17 00:00:00 2001 From: Jeevan Reddy Ragula <90408178+jragula-zs@users.noreply.github.com> Date: Thu, 21 Apr 2022 15:26:09 +0530 Subject: [PATCH 034/234] Update zscaler-iac-scan.yml --- code-scanning/zscaler-iac-scan.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml index 195bb57..c6020a5 100644 --- a/code-scanning/zscaler-iac-scan.yml +++ b/code-scanning/zscaler-iac-scan.yml @@ -12,8 +12,7 @@ #GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). #Refer https://github.com/marketplace/actions/zscaler-iac-scan for additional details on setting up this workflow. -#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues -#for further investigation. +#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues for further investigation. name: Zscaler IaC Scan on: @@ -54,4 +53,4 @@ jobs: if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }} uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }} \ No newline at end of file + sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }} From bf7a4cab85f1dab83a885af2bfd3a5e85d273cd7 Mon Sep 17 00:00:00 2001 From: Jack G Kafaty <50452463+jackgkafaty@users.noreply.github.com> Date: Thu, 21 Apr 2022 13:09:39 -0400 Subject: [PATCH 035/234] Update codeql.yml Line 51 added the query packs by default but commented. Lines 62-63: added better instructions Lines 68-70 added an example which provides better detail --- code-scanning/codeql.yml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 37109ab..ded7f5d 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -48,8 +48,11 @@ jobs: # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main + + # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild @@ -58,13 +61,12 @@ jobs: # ℹ️ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl - # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - #- run: | - # make bootstrap - # make release + # - run: | + # echo "Run, Build Application using script" + # pwsh -command .\location_of_script_within_repo\buildscript.ps1 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 From a5cb76fffb46eedc8f79cc3868b3f1868c7fe766 Mon Sep 17 00:00:00 2001 From: Jack G Kafaty <50452463+jackgkafaty@users.noreply.github.com> Date: Thu, 21 Apr 2022 13:19:45 -0400 Subject: [PATCH 036/234] Update codeql.yml --- code-scanning/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index ded7f5d..8da9bf2 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -66,7 +66,7 @@ jobs: # - run: | # echo "Run, Build Application using script" - # pwsh -command .\location_of_script_within_repo\buildscript.ps1 + # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 From c06604910c9a4312db162077a4e46fa7aad61356 Mon Sep 17 00:00:00 2001 From: Jaiveer Katariya <35347859+jaiveerk@users.noreply.github.com> Date: Fri, 22 Apr 2022 04:10:20 -0400 Subject: [PATCH 037/234] Parallelize Jobs for AKS Starter Workflows (#1534) * Reworked AKS deployment workflows (#1403) * rebased to partner_templates * Renaming workflow * Updated corresponding properties.json files for the new aks workflows under deployments. * Updated properties.json titles for aks workflows * Renamed SECRET_NAME to IMAGE_PULL_SECRET_NAME * Moved permissions down to the job level * Updated documentation links * Updated permission for action to read * Removing redundant permissions * write -> read for actions * Updated descriptions * Less reference documentation in header * Added comments to each AKS Starter Workflow step Co-authored-by: Tommy Barnes * Update AKS workflows to not use imagePullSecrets (#1494) * removing old method of adding imagePullSecrets * fixing step casing * For testing: Dependency review starter workflow * changed back to image pull secret, added mask, clarified website and pull secret instructions * made changes to other aks files * Added back imagepullsecrets param to deploy action, reordered env vars * changing release version of deploy action * restructured starter workflows to parallelize secret creation and image building * renamed to buildImage and removed extra space * cleaned up some random newlines * removed extra space * removing changes from partner branch * removing changes from partner branch * through mistake in changing PR, two files lost step for createSecret Co-authored-by: Tommy Barnes Co-authored-by: Tommy Barnes Co-authored-by: Israel Miller Co-authored-by: Bishal Prasad Co-authored-by: Jaiveer Katariya Co-authored-by: Jaiveer Katariya --- deployments/azure-kubernetes-service-helm.yml | 55 ++++++++++++++--- .../azure-kubernetes-service-kompose.yml | 60 +++++++++++++++--- .../azure-kubernetes-service-kustomize.yml | 61 ++++++++++++++++--- deployments/azure-kubernetes-service.yml | 55 ++++++++++++++--- 4 files changed, 199 insertions(+), 32 deletions(-) diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index 948e7db..a5edeaa 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -9,17 +9,17 @@ # To configure this workflow: # # 1. Set the following secrets in your repository (instructions for getting these -# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux)): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID # - AZURE_SUBSCRIPTION_ID # # 2. Set the following environment variables (or replace the values below): # - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) # - RESOURCE_GROUP (where your cluster is deployed) # - CLUSTER_NAME (name of your AKS cluster) -# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) -# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image) # # 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Helm. # Set your helmChart, overrideFiles, overrides, and helm-version to suit your configuration. @@ -48,12 +48,11 @@ env: CHART_OVERRIDE_PATH: "your-chart-override-path" jobs: - build: + buildImage: permissions: actions: read contents: read id-token: write - runs-on: ubuntu-latest steps: # Checks out the repository this file is in @@ -72,6 +71,21 @@ jobs: run: | az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + createSecret: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + steps: + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - name: Get K8s context uses: azure/aks-set-context@v2.0 @@ -85,7 +99,9 @@ jobs: az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::add-mask::${ACR_USERNAME}" echo "::set-output name=username::${ACR_USERNAME}" + echo "::add-mask::${ACR_PASSWORD}" echo "::set-output name=password::${ACR_PASSWORD}" id: get-acr-creds @@ -96,7 +112,30 @@ jobs: container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io container-registry-username: ${{ steps.get-acr-creds.outputs.username }} container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + deploy: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + needs: [buildImage, createSecret] + steps: + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} # Runs Helm to create manifest files - name: Bake deployment @@ -112,11 +151,11 @@ jobs: # Deploys application based on manifest files from previous step - name: Deploy application - uses: Azure/k8s-deploy@v3.0 + uses: Azure/k8s-deploy@v3.1 with: action: deploy manifests: ${{ steps.bake.outputs.manifestsBundle }} images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} + ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index 7c25319..5b7e4d1 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -9,17 +9,17 @@ # To configure this workflow: # # 1. Set the following secrets in your repository (instructions for getting these -# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID # - AZURE_SUBSCRIPTION_ID # # 2. Set the following environment variables (or replace the values below): # - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) # - RESOURCE_GROUP (where your cluster is deployed) # - CLUSTER_NAME (name of your AKS cluster) -# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) -# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image) # # 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kompose. # Set your dockerComposeFile and kompose-version to suit your configuration. @@ -40,12 +40,11 @@ env: DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path" jobs: - build: + buildImage: permissions: actions: read contents: read id-token: write - runs-on: ubuntu-latest steps: # Checks out the repository this file is in @@ -63,7 +62,22 @@ jobs: - name: Build and push image to ACR run: | az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . - + + createSecret: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + steps: + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - name: Get K8s context uses: azure/aks-set-context@v2.0 @@ -77,7 +91,9 @@ jobs: az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::add-mask::${ACR_USERNAME}" echo "::set-output name=username::${ACR_USERNAME}" + echo "::add-mask::${ACR_PASSWORD}" echo "::set-output name=password::${ACR_PASSWORD}" id: get-acr-creds @@ -88,7 +104,33 @@ jobs: container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io container-registry-username: ${{ steps.get-acr-creds.outputs.username }} container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + deploy: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + needs: [buildImage, createSecret] + steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} # Runs Kompose to create manifest files - name: Bake deployment @@ -101,11 +143,11 @@ jobs: # Deploys application based on manifest files from previous step - name: Deploy application - uses: Azure/k8s-deploy@v3.0 + uses: Azure/k8s-deploy@v3.1 with: action: deploy manifests: ${{ steps.bake.outputs.manifestsBundle }} images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} + ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index f6928d0..305d6de 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -9,17 +9,17 @@ # To configure this workflow: # # 1. Set the following secrets in your repository (instructions for getting these -# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID # - AZURE_SUBSCRIPTION_ID # # 2. Set the following environment variables (or replace the values below): # - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) # - RESOURCE_GROUP (where your cluster is deployed) # - CLUSTER_NAME (name of your AKS cluster) -# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) -# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image) # # 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kustomize. # Set your kustomizationPath and kubectl-version to suit your configuration. @@ -46,12 +46,11 @@ env: KUSTOMIZE_PATH: "your-kustomize-path" jobs: - build: + buildImage: permissions: actions: read contents: read id-token: write - runs-on: ubuntu-latest steps: # Checks out the repository this file is in @@ -69,6 +68,24 @@ jobs: - name: Build and push image to ACR run: | az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + + createSecret: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - name: Get K8s context @@ -83,7 +100,9 @@ jobs: az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::add-mask::${ACR_USERNAME}" echo "::set-output name=username::${ACR_USERNAME}" + echo "::add-mask::${ACR_PASSWORD}" echo "::set-output name=password::${ACR_PASSWORD}" id: get-acr-creds @@ -94,7 +113,33 @@ jobs: container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io container-registry-username: ${{ steps.get-acr-creds.outputs.username }} container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + deploy: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + needs: [buildImage, createSecret] + steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} # Runs Kustomize to create manifest files - name: Bake deployment @@ -107,11 +152,11 @@ jobs: # Deploys application based on manifest files from previous step - name: Deploy application - uses: Azure/k8s-deploy@v3.0 + uses: Azure/k8s-deploy@v3.1 with: action: deploy manifests: ${{ steps.bake.outputs.manifestsBundle }} images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} + ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index bb513d4..c471793 100644 --- a/deployments/azure-kubernetes-service.yml +++ b/deployments/azure-kubernetes-service.yml @@ -8,8 +8,7 @@ # # To configure this workflow: # -# 1. Set the following secrets in your repository (instructions for getting these -# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# 1. Set the following secrets in your repository (instructions for getting these can be found at https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID # - AZURE_SUBSCRIPTION_ID @@ -19,7 +18,7 @@ # - RESOURCE_GROUP (where your cluster is deployed) # - CLUSTER_NAME (name of your AKS cluster) # - CONTAINER_NAME (name of the container image you would like to push up to your ACR) -# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image) # - DEPLOYMENT_MANIFEST_PATH (path to the manifest yaml for your deployment) # # For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions @@ -43,12 +42,11 @@ env: DEPLOYMENT_MANIFEST_PATH: 'your-deployment-manifest-path' jobs: - build: + buildImage: permissions: actions: read contents: read id-token: write - runs-on: ubuntu-latest steps: # Checks out the repository this file is in @@ -67,6 +65,21 @@ jobs: run: | az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + createSecret: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + steps: + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - name: Get K8s context uses: azure/aks-set-context@v2.0 @@ -80,7 +93,9 @@ jobs: az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::add-mask::${ACR_USERNAME}" echo "::set-output name=username::${ACR_USERNAME}" + echo "::add-mask::${ACR_PASSWORD}" echo "::set-output name=password::${ACR_PASSWORD}" id: get-acr-creds @@ -93,13 +108,39 @@ jobs: container-registry-password: ${{ steps.get-acr-creds.outputs.password }} secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + deploy: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + needs: [buildImage, createSecret] + steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + # Deploys application based on given manifest file - name: Deploys application - uses: Azure/k8s-deploy@v3.0 + uses: Azure/k8s-deploy@v3.1 with: action: deploy manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }} images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} + ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file From 1c5c0f7c8a10324929bd35cc2fb63302ca57baef Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Fri, 22 Apr 2022 19:37:39 +0000 Subject: [PATCH 038/234] fix: upgrade @actions/core from 1.2.6 to 1.6.0 Snyk has created this PR to upgrade @actions/core from 1.2.6 to 1.6.0. See this package in npm: https://www.npmjs.com/package/@actions/core See this project in Snyk: https://app.snyk.io/org/cwp-2/project/fd2218da-0d06-448b-be57-a7d3e69b0389?utm_source=github-enterprise&utm_medium=referral&page=upgrade-pr --- script/validate-data/package-lock.json | 24 ++++++++++++++++++++---- script/validate-data/package.json | 2 +- 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/script/validate-data/package-lock.json b/script/validate-data/package-lock.json index 8839d6a..cf7c70a 100644 --- a/script/validate-data/package-lock.json +++ b/script/validate-data/package-lock.json @@ -1,13 +1,24 @@ { - "name": "sync-ghes-actions", + "name": "validate-data", "version": "1.0.0", "lockfileVersion": 1, "requires": true, "dependencies": { "@actions/core": { - "version": "1.2.6", - "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz", - "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA==" + "version": "1.6.0", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.6.0.tgz", + "integrity": "sha512-NB1UAZomZlCV/LmJqkLhNTqtKfFXJZAUPcfl/zqG7EfsQdeUJtaWO98SGbuQ3pydJ3fHl2CvI/51OKYlCYYcaw==", + "requires": { + "@actions/http-client": "^1.0.11" + } + }, + "@actions/http-client": { + "version": "1.0.11", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz", + "integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==", + "requires": { + "tunnel": "0.0.6" + } }, "@types/js-yaml": { "version": "3.12.4", @@ -106,6 +117,11 @@ "yn": "3.1.1" } }, + "tunnel": { + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", + "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==" + }, "typescript": { "version": "3.9.2", "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz", diff --git a/script/validate-data/package.json b/script/validate-data/package.json index e6403ee..7936f4e 100644 --- a/script/validate-data/package.json +++ b/script/validate-data/package.json @@ -14,7 +14,7 @@ "typescript": "^3.9.2" }, "dependencies": { - "@actions/core": "^1.2.6", + "@actions/core": "^1.6.0", "js-yaml": "^3.13.1", "jsonschema": "^1.2.6" } From ad9daa8da372928e50064995bb1c2f542c0c345c Mon Sep 17 00:00:00 2001 From: Jaiveer Katariya <35347859+jaiveerk@users.noreply.github.com> Date: Sat, 23 Apr 2022 00:40:21 -0400 Subject: [PATCH 039/234] removed actions read permission from createSecret and buildImage steps (#1539) --- deployments/azure-kubernetes-service-helm.yml | 2 -- deployments/azure-kubernetes-service-kompose.yml | 2 -- deployments/azure-kubernetes-service-kustomize.yml | 2 -- deployments/azure-kubernetes-service.yml | 2 -- 4 files changed, 8 deletions(-) diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index a5edeaa..510abcd 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -50,7 +50,6 @@ env: jobs: buildImage: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest @@ -73,7 +72,6 @@ jobs: createSecret: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index 5b7e4d1..0cf23ba 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -42,7 +42,6 @@ env: jobs: buildImage: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest @@ -65,7 +64,6 @@ jobs: createSecret: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index 305d6de..14469db 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -48,7 +48,6 @@ env: jobs: buildImage: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest @@ -71,7 +70,6 @@ jobs: createSecret: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index c471793..d04a2ac 100644 --- a/deployments/azure-kubernetes-service.yml +++ b/deployments/azure-kubernetes-service.yml @@ -44,7 +44,6 @@ env: jobs: buildImage: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest @@ -67,7 +66,6 @@ jobs: createSecret: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest From 308401f5246098792d1a773569cb339141141361 Mon Sep 17 00:00:00 2001 From: DhavalPatelPersistent <93903969+DhavalPatelPersistent@users.noreply.github.com> Date: Mon, 25 Apr 2022 15:30:28 +0530 Subject: [PATCH 040/234] Update checkmarx.yml --- code-scanning/checkmarx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index 297cae0..ed13389 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -46,7 +46,7 @@ jobs: checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} scanners: sast - params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory + params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 From a52cd5a16a7422970cf0d09ddd7489c0abcd1cf3 Mon Sep 17 00:00:00 2001 From: Tristram Oaten Date: Mon, 25 Apr 2022 15:02:37 +0100 Subject: [PATCH 041/234] Update setup-ruby to the latest release The default github action ruby template references this old commit which doesn't have any modern rubies https://github.com/ruby/setup-ruby/commit/473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e The fix is to update the pinned version to the latest release https://github.com/alphagov/forms-api/pull/3/commits/e3c8ad2759088a12ba9f3040d2c47c23799c8455 --- ci/ruby.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/ruby.yml b/ci/ruby.yml index 256aa14..7daf2cc 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -30,7 +30,7 @@ jobs: # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, # change this to (see https://github.com/ruby/setup-ruby#versioning): # uses: ruby/setup-ruby@v1 - uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e + uses: ruby/setup-ruby@e3c8ad2759088a12ba9f3040d2c47c23799c8455 with: ruby-version: ${{ matrix.ruby-version }} bundler-cache: true # runs 'bundle install' and caches installed gems automatically From a2a01a4b0b9b9f8f39c20efdd1f1eee8fd9772d2 Mon Sep 17 00:00:00 2001 From: Aditya Sharad <6874315+adityasharad@users.noreply.github.com> Date: Tue, 26 Apr 2022 02:26:34 -0700 Subject: [PATCH 042/234] CodeQL starter workflow: Replace git.io links git.io is deprecated. Replace the references with full links or aka.ms links to the same documentation. --- code-scanning/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 37109ab..0e57f4b 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -34,7 +34,7 @@ jobs: matrix: language: [ $detected-codeql-languages ] # CodeQL supports [ $supported-codeql-languages ] - # Learn more about CodeQL language support at https://git.io/codeql-language-support + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: - name: Checkout repository @@ -56,7 +56,7 @@ jobs: uses: github/codeql-action/autobuild@v2 # ℹ️ Command-line programs to run using the OS shell. - # 📚 https://git.io/JvXDl + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines # and modify them (or add more) to build your code if your project From b6633ec292d288db36de6e7d68e525bb129492c3 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Tue, 26 Apr 2022 22:00:20 -0700 Subject: [PATCH 043/234] Add starter workflow for hadolint --- code-scanning/hadolint.yml | 46 ++++++ .../properties/hadolint.properties.json | 6 + icons/hadolint.svg | 131 ++++++++++++++++++ 3 files changed, 183 insertions(+) create mode 100644 code-scanning/hadolint.yml create mode 100644 code-scanning/properties/hadolint.properties.json create mode 100644 icons/hadolint.svg diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml new file mode 100644 index 0000000..f941b95 --- /dev/null +++ b/code-scanning/hadolint.yml @@ -0,0 +1,46 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# hadoint is a Dockerfile linter written in Haskell +# that helps you build best practice Docker images. +# More details at https://github.com/hadolint/hadolint + +name: Hadolint + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + hadolint: + name: Run hadolint scanning + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Run hado-lint + uses: hadolint/hadolint-action@v2.1.0 + with: + dockerfile: ./Dockerfile + format: sarif + output-file: hadolint-results.sarif + no-fail: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: hadolint-results.sarif + wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/properties/hadolint.properties.json b/code-scanning/properties/hadolint.properties.json new file mode 100644 index 0000000..b4f7141 --- /dev/null +++ b/code-scanning/properties/hadolint.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Haskell Dockerfile Linter", + "description": "A smarter Dockerfile linter that helps you build best practice Docker images.", + "iconName": "hadolint", + "categories": ["Code Scanning", "Dockerfile"] +} \ No newline at end of file diff --git a/icons/hadolint.svg b/icons/hadolint.svg new file mode 100644 index 0000000..048b86c --- /dev/null +++ b/icons/hadolint.svg @@ -0,0 +1,131 @@ + + + + From 0ae51b0d1063d99894068034e0f6e7de60e6ec5b Mon Sep 17 00:00:00 2001 From: Tristram Oaten Date: Thu, 28 Apr 2022 10:58:56 +0100 Subject: [PATCH 044/234] fix sha --- ci/ruby.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/ruby.yml b/ci/ruby.yml index 7daf2cc..81ea363 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -30,7 +30,7 @@ jobs: # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, # change this to (see https://github.com/ruby/setup-ruby#versioning): # uses: ruby/setup-ruby@v1 - uses: ruby/setup-ruby@e3c8ad2759088a12ba9f3040d2c47c23799c8455 + uses: ruby/setup-ruby@2b019609e2b0f1ea1a2bc8ca11cb82ab46ada124 with: ruby-version: ${{ matrix.ruby-version }} bundler-cache: true # runs 'bundle install' and caches installed gems automatically From 662e915c0fe85c4d078b6de037bce62ebc69fe96 Mon Sep 17 00:00:00 2001 From: Bar Hofesh Date: Thu, 28 Apr 2022 22:01:20 +0300 Subject: [PATCH 045/234] Add NeuraLegion to starter workflows (#1203) * Added Neuralegion to starter workflows * Using an action * Fixed Indentation :) * Update neuralegion.yml Co-authored-by: Bishal Prasad --- code-scanning/neuralegion.yml | 175 ++++++++++++++++++ .../properties/neuralegion.properties.json | 24 +++ icons/neuralegion.svg | 57 ++++++ 3 files changed, 256 insertions(+) create mode 100644 code-scanning/neuralegion.yml create mode 100644 code-scanning/properties/neuralegion.properties.json create mode 100644 icons/neuralegion.svg diff --git a/code-scanning/neuralegion.yml b/code-scanning/neuralegion.yml new file mode 100644 index 0000000..e24e14a --- /dev/null +++ b/code-scanning/neuralegion.yml @@ -0,0 +1,175 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Run a Nexploit Scan +# This action runs a new security scan in Nexploit, or reruns an existing one. +# Build Secure Apps & APIs. Fast. +# [NeuraLegion](https://www.neuralegion.com) is a powerful dynamic application & API security testing (DAST) platform that security teams trust and developers love. +# Automatically Tests Every Aspect of Your Apps & APIs +# Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports +# Seamlessly integrates with the Tools and Workflows You Already Use +# +# NeuraLegion works with your existing CI/CD pipelines – trigger scans on every commit, pull request or build with unit testing. +# Spin-Up, Configure and Control Scans with Code +# One file. One command. One scan. No UI needed. +# +# Super-Fast Scans +# +# Interacts with applications and APIs, instead of just crawling them and guessing. +# Scans are fast as our AI-powered engine can understand application architecture and generate sophisticated and targeted attacks. +# +# No False Positives +# +# Stop chasing ghosts and wasting time. NeuraLegion doesn’t return false positives, so you can focus on releasing code. +# +# Comprehensive Security Testing +# +# NeuraLegion tests for all common vulnerabilities, such as SQL injection, CSRF, XSS, and XXE -- as well as uncommon vulnerabilities, such as business logic vulnerabilities. +# +# More information is available on NeuraLegion’s: +# * [Website](https://www.neuralegion.com/) +# * [Knowledge base](https://docs.neuralegion.com/docs/quickstart) +# * [YouTube channel](https://www.youtube.com/channel/UCoIC0T1pmozq3eKLsUR2uUw) +# * [GitHub Actions](https://github.com/marketplace?query=neuralegion+) +# +# Inputs +# +# `name` +# +# **Required**. Scan name. +# +# _Example:_ `name: GitHub scan ${{ github.sha }}` +# +# `api_token` +# +# **Required**. Your Nexploit API authorization token (key). You can generate it in the **Organization** section on [nexploit.app](https://nexploit.app/login). Find more information [here](https://kb.neuralegion.com/#/guide/np-web-ui/advanced-set-up/managing-org?id=managing-organization-apicli-authentication-tokens). +# +# _Example:_ `api_token: ${{ secrets.NEXPLOIT_TOKEN }}` +# +# `restart_scan` +# +# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).
Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements. +# +# _Example:_ `restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ)` +# +# `discovery_types` +# +# **Required**. Array of discovery types. The following types are available: +# * `archive` - uses an uploaded HAR-file for a scan +# * `crawler` - uses a crawler to define the attack surface for a scan +# * `oas` - uses an uploaded OpenAPI schema for a scan
+# If no discovery type is specified, `crawler` is applied by default. +# +# _Example:_ +# +# ```yml +# discovery_types: | +# [ "crawler", "archive" ] +# ``` +# +# `file_id` +# +# **Required** if the discovery type is set to `archive` or `oas`. ID of a HAR-file or an OpenAPI schema you want to use for a scan. You can get the ID of an uploaded HAR-file or an OpenAPI schema in the **Storage** section on [nexploit.app](https://nexploit.app/login). +# +# _Example:_ +# +# ``` +# FILE_ID=$(nexploit-cli archive:upload \ +# --token ${{ secrets.NEXPLOIT_TOKEN }} \ +# --discard true \ +# ./example.har) +# ``` +# +# `crawler_urls` +# +# **Required** if the discovery type is set to `crawler`. Target URLs to be used by the crawler to define the attack surface. +# +# _Example:_ +# +# ``` +# crawler_urls: | +# [ "http://vulnerable-bank.com" ] +# ``` +# +# `hosts_filter` +# +# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan. +# +# Outputs +# +# `url` +# +# Url of the resulting scan +# +# `id` +# +# ID of the created scan. This ID could then be used to restart the scan, or for the following GitHub actions: +# * [Nexploit Wait for Issues](https://github.com/marketplace/actions/nexploit-wait-for-issues) +# * [Nexploit Stop Scan](https://github.com/marketplace/actions/nexploit-stop-scan) +# +# Example usage +# +# Start a new scan with parameters +# +# ```yml +# steps: +# - name: Start Nexploit Scan +# id: start +# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe +# with: +# api_token: ${{ secrets.NEXPLOIT_TOKEN }} +# name: GitHub scan ${{ github.sha }} +# discovery_types: | +# [ "crawler", "archive" ] +# crawler_urls: | +# [ "http://vulnerable-bank.com" ] +# file_id: LiYknMYSdbSZbqgMaC9Sj +# hosts_filter: | +# [ ] +# - name: Get the output scan url +# run: echo "The scan was started on ${{ steps.start.outputs.url }}" +# ``` +# +# Restart an existing scan +# +# ```yml +# steps: +# - name: Start Nexploit Scan +# id: start +# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe +# with: +# api_token: ${{ secrets.NEXPLOIT_TOKEN }} +# name: GitHub scan ${{ github.sha }} +# restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ +# - name: Get the output scan url +# run: echo "The scan was started on ${{ steps.start.outputs.url }}" + + +name: "NeuraLegion" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + neuralegion_scan: + runs-on: ubuntu-18.04 + name: A job to run a Nexploit scan + steps: + - uses: actions/checkout@v2 + - name: Start Nexploit Scan 🏁 + id: start + uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe + with: + api_token: ${{ secrets.NEURALEGION_TOKEN }} + name: GitHub scan ${{ github.sha }} + discovery_types: | + [ "crawler" ] + crawler_urls: | + [ "https://brokencrystals.com" ] # ✏️ Update this to the url you wish to scan diff --git a/code-scanning/properties/neuralegion.properties.json b/code-scanning/properties/neuralegion.properties.json new file mode 100644 index 0000000..ee64a52 --- /dev/null +++ b/code-scanning/properties/neuralegion.properties.json @@ -0,0 +1,24 @@ +{ + "name": "NeuraLegion", + "creator": "NeuraLegion", + "description": "Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports", + "iconName": "neuralegion", + "categories": [ + "Code Scanning", + "C", + "C#", + "C++", + "Go", + "Java", + "JavaScript", + "Kotlin", + "Objective C", + "PHP", + "Python", + "Ruby", + "Rust", + "Scala", + "Swift", + "TypeScript" + ] +} diff --git a/icons/neuralegion.svg b/icons/neuralegion.svg new file mode 100644 index 0000000..0534225 --- /dev/null +++ b/icons/neuralegion.svg @@ -0,0 +1,57 @@ + + + + + + + + + NeuraLegion Logo + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From d09e57c7a386f2c92c1d0d5af960c03c79b02eb0 Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Thu, 28 Apr 2022 15:22:57 -0400 Subject: [PATCH 046/234] Adding workflow for sobelow (static analysis tool for the Phoenix framework) (#1528) * Adding sobelow workflow * Removing setup-beam dependency * Updating instructions --- .../properties/sobelow.properties.json | 11 +++++ code-scanning/sobelow.yml | 40 +++++++++++++++++++ icons/sobelow.svg | 20 ++++++++++ 3 files changed, 71 insertions(+) create mode 100644 code-scanning/properties/sobelow.properties.json create mode 100644 code-scanning/sobelow.yml create mode 100644 icons/sobelow.svg diff --git a/code-scanning/properties/sobelow.properties.json b/code-scanning/properties/sobelow.properties.json new file mode 100644 index 0000000..163e866 --- /dev/null +++ b/code-scanning/properties/sobelow.properties.json @@ -0,0 +1,11 @@ +{ + "name": "Sobelow", + "creator": "nccgroup", + "description": "Sobelow is a security-focused static analysis tool for the Phoenix framework.", + "iconName": "sobelow", + "categories": [ + "Code Scanning", + "Elixir" + ] + } + \ No newline at end of file diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml new file mode 100644 index 0000000..21cb6e7 --- /dev/null +++ b/code-scanning/sobelow.yml @@ -0,0 +1,40 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Sobelow is a security-focused static analysis tool for the Phoenix framework. https://sobelow.io/ +# +# To use this workflow, you must have GitHub Advanced Security (GHAS) enabled for your repository. +# +# Instructions: +# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository +# and review the "Security" tab once the action has run. +name: Sobelow + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + - id: run-action + uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912 + - name: Upload report + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif diff --git a/icons/sobelow.svg b/icons/sobelow.svg new file mode 100644 index 0000000..4d243ea --- /dev/null +++ b/icons/sobelow.svg @@ -0,0 +1,20 @@ + + + + + + + + From 5aba2798002b169baefab50eb36b19f8d4649fe0 Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Mon, 2 May 2022 06:08:29 +0000 Subject: [PATCH 047/234] addressing review comments --- script/validate-data/index.ts | 20 ++++++++++---------- script/validate-data/settings.json | 18 +++++++++--------- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index da4d2d8..5e6327a 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -41,7 +41,7 @@ const propertiesSchema = { } } -async function checkWorkflows(folders: string[], folder_category_map: object[]): Promise { +async function checkWorkflows(folders: string[], allowed_categories: object[]): Promise { const result: WorkflowWithErrors[] = [] const workflow_template_names = new Set() for (const folder of folders) { @@ -56,7 +56,7 @@ async function checkWorkflows(folders: string[], folder_category_map: object[]): const workflowFilePath = join(folder, e.name); const propertiesFilePath = join(folder, "properties", `${fileType}.properties.json`) - const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, folder_category_map); + const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, allowed_categories); if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) { workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) } @@ -70,7 +70,7 @@ async function checkWorkflows(folders: string[], folder_category_map: object[]): return result; } -async function checkWorkflow(workflowPath: string, propertiesPath: string, folder_category_map: object[]): Promise { +async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: object[]): Promise { let workflowErrors: WorkflowWithErrors = { id: workflowPath, name: null, @@ -105,14 +105,14 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, folde } } - var folderName = dirname(workflowPath) - var folder_category = folder_category_map.find( folder_category => folder_category["name"] == folderName)["category"] - if (!workflowPath.endsWith("blank.yml") && ((!properties.categories || properties.categories.length == 0 )|| - properties.categories[0].toLowerCase() !== folder_category.toLowerCase())) { + var path = dirname(workflowPath) + var folder_category = allowed_categories.find( category => category["path"] == path)["name"] + if (!workflowPath.endsWith("blank.yml")) { if(!properties.categories || properties.categories.length == 0) { workflowErrors.errors.push(`Workflow categories cannot be null or empty`) - } else { - workflowErrors.errors.push(`The first category in properties.json categories must be "${folder_category}" for ${basename(folderName)} folder workflow.`) + } + else if(properties.categories[0].toLowerCase() !== folder_category.toLowerCase()) { + workflowErrors.errors.push(`The first category in properties.json categories must be "${folder_category}" for workflow in ${basename(path)} folder.`) } } @@ -129,7 +129,7 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, folde try { const settings = require("./settings.json"); const erroredWorkflows = await checkWorkflows( - settings.folders, settings.folder_category_map + settings.folders, settings.allowed_categories ) if (erroredWorkflows.length > 0) { diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index 7d3ecfe..667aff6 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json @@ -5,22 +5,22 @@ "../../deployments", "../../code-scanning" ], - "folder_category_map": [ + "allowed_categories": [ { - "name": "../../ci", - "category": "Continuous integration" + "name": "Continuous integration", + "path": "../../ci" }, { - "name": "../../automation", - "category": "Automation" + "name": "Automation", + "path": "../../automation" }, { - "name": "../../deployments", - "category": "Deployment" + "path": "../../deployments", + "name": "Deployment" }, { - "name": "../../code-scanning", - "category": "Code Scanning" + "name": "Code Scanning", + "path": "../../code-scanning" } ] } \ No newline at end of file From c032ee101f95b6b5be02ec2b43f8ad16f9af2e77 Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Mon, 2 May 2022 06:32:43 +0000 Subject: [PATCH 048/234] adding dependency review to allowed categories --- script/validate-data/index.ts | 8 ++++---- script/validate-data/settings.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 5e6327a..7f7aa44 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -106,17 +106,17 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow } var path = dirname(workflowPath) - var folder_category = allowed_categories.find( category => category["path"] == path)["name"] + var folder_categories = allowed_categories.find( category => category["path"] == path)["categories"] if (!workflowPath.endsWith("blank.yml")) { if(!properties.categories || properties.categories.length == 0) { workflowErrors.errors.push(`Workflow categories cannot be null or empty`) } - else if(properties.categories[0].toLowerCase() !== folder_category.toLowerCase()) { - workflowErrors.errors.push(`The first category in properties.json categories must be "${folder_category}" for workflow in ${basename(path)} folder.`) + else if(!folder_categories.some(category => properties.categories[0].toLowerCase() == category.toLowerCase())) { + workflowErrors.errors.push(`The first category in properties.json categories for workflow in ${basename(path)} folder must be one of "${folder_categories}"`) } } - if(folder_category.toLowerCase() == 'deployment' && !properties.creator) { + if(path.toLowerCase() == 'deployment' && !properties.creator) { workflowErrors.errors.push(`The "creator" in properties.json must be present.`) } } catch (e) { diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index 2765c2a..852f575 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json @@ -20,7 +20,7 @@ }, { "path": "../../code-scanning", - "categories": ["Code Scanning", "Dependency review"], + "categories": ["Code Scanning", "Dependency review"] } ] } From ca970a212491702286740f8f0b943e097bdb4de3 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Mon, 2 May 2022 12:23:29 +0530 Subject: [PATCH 049/234] Fix typo --- code-scanning/properties/dependency-review.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index e84278c..c195c73 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json @@ -1,6 +1,6 @@ { "name": "Dependency Review", - "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", + "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable dependencies to the repository", "iconName": "octicon mark-github", "categories": [ "Dependency review", From ee2bbcf8d8f90b72461d884114f1f2f427779fb1 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Mon, 2 May 2022 01:53:59 -0700 Subject: [PATCH 050/234] update step name --- code-scanning/hadolint.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml index f941b95..fbbf914 100644 --- a/code-scanning/hadolint.yml +++ b/code-scanning/hadolint.yml @@ -27,11 +27,12 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + steps: - name: Checkout code uses: actions/checkout@v3 - - name: Run hado-lint + - name: Run hadolint uses: hadolint/hadolint-action@v2.1.0 with: dockerfile: ./Dockerfile From 74122beced91569ee2a4181188911aae18aa909e Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Mon, 2 May 2022 13:22:36 +0000 Subject: [PATCH 051/234] Fixing creator check --- script/validate-data/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 7f7aa44..39328c5 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -116,7 +116,7 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow } } - if(path.toLowerCase() == 'deployment' && !properties.creator) { + if(basename(path).toLowerCase() == 'deployments' && !properties.creator) { workflowErrors.errors.push(`The "creator" in properties.json must be present.`) } } catch (e) { From f007e412eef70494c18a54191728f1138e84436b Mon Sep 17 00:00:00 2001 From: Daniel Schultz Date: Tue, 22 Mar 2022 21:17:20 -0400 Subject: [PATCH 052/234] Rename sync-ghes workflow for consistancy Issue #1497 --- .github/workflows/{sync_ghes.yaml => sync-ghes.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{sync_ghes.yaml => sync-ghes.yaml} (100%) diff --git a/.github/workflows/sync_ghes.yaml b/.github/workflows/sync-ghes.yaml similarity index 100% rename from .github/workflows/sync_ghes.yaml rename to .github/workflows/sync-ghes.yaml From 52bd793f345de13bebd632f87f1d4544eb724768 Mon Sep 17 00:00:00 2001 From: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> Date: Tue, 3 May 2022 11:00:55 +0530 Subject: [PATCH 053/234] Update script/validate-data/index.ts Co-authored-by: Bishal Prasad --- script/validate-data/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 39328c5..4bd260d 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -112,7 +112,7 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow workflowErrors.errors.push(`Workflow categories cannot be null or empty`) } else if(!folder_categories.some(category => properties.categories[0].toLowerCase() == category.toLowerCase())) { - workflowErrors.errors.push(`The first category in properties.json categories for workflow in ${basename(path)} folder must be one of "${folder_categories}"`) + workflowErrors.errors.push(`The first category in properties.json categories for workflow in ${basename(path)} folder must be one of "${folder_categories}. Either move the workflow to an appropriate directory or change the category."`) } } From 2e396aeae52f0e011e01e06e2935845ce3b0cbd9 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 4 May 2022 16:07:22 +0530 Subject: [PATCH 054/234] Create auto_assign.yml --- .github/auto_assign.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 .github/auto_assign.yml diff --git a/.github/auto_assign.yml b/.github/auto_assign.yml new file mode 100644 index 0000000..02596ef --- /dev/null +++ b/.github/auto_assign.yml @@ -0,0 +1,16 @@ +# Set to true to add reviewers to pull requests +addReviewers: true + +# Set to true to add assignees to pull requests +addAssignees: false + +# A list of reviewers to be added to pull requests (GitHub user name) +reviewers: + - phantsure + - anuragc617 + - tiwarishub + - vsvipul + +# A number of reviewers added to the pull request +# Set 0 to add all the reviewers (default: 0) +numberOfReviewers: 1 From a2c02154b7ea27f764122739baf04c91934f5da1 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 4 May 2022 16:20:25 +0530 Subject: [PATCH 055/234] Create auto_assign.yml --- .github/workflows/auto_assign.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 .github/workflows/auto_assign.yml diff --git a/.github/workflows/auto_assign.yml b/.github/workflows/auto_assign.yml new file mode 100644 index 0000000..4dcc612 --- /dev/null +++ b/.github/workflows/auto_assign.yml @@ -0,0 +1,10 @@ +name: 'Auto Assign' +on: + pull_request: + types: [opened, ready_for_review] + +jobs: + add-reviews: + runs-on: ubuntu-latest + steps: + - uses: kentaro-m/auto-assign-action@v1.2.1 From 49f91dc3426c0d13cb30524f991926c9abb64f9e Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 4 May 2022 16:30:09 +0530 Subject: [PATCH 056/234] Auto issue assignment --- .github/workflows/auto-assign-issues.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 .github/workflows/auto-assign-issues.yml diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml new file mode 100644 index 0000000..b8406e9 --- /dev/null +++ b/.github/workflows/auto-assign-issues.yml @@ -0,0 +1,15 @@ +name: Issue assignment + +on: + issues: + types: [opened] + +jobs: + auto-assign: + runs-on: ubuntu-latest + steps: + - name: 'Auto-assign issue' + uses: pozil/auto-assign-issue@v1.4.0 + with: + assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft + numOfAssignee: 1 From 52fc31bdb1e5c4cd28755f48b5c6ed09abaa65fb Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 4 May 2022 16:35:40 +0530 Subject: [PATCH 057/234] Rename auto_assign.yml to auto-assign.yml --- .github/workflows/{auto_assign.yml => auto-assign.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{auto_assign.yml => auto-assign.yml} (100%) diff --git a/.github/workflows/auto_assign.yml b/.github/workflows/auto-assign.yml similarity index 100% rename from .github/workflows/auto_assign.yml rename to .github/workflows/auto-assign.yml From 41b1bb864a4f82c9c0b08e7b1364b2d5d0943ab8 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 4 May 2022 16:36:39 +0530 Subject: [PATCH 058/234] Adding bishal-pdmsft as a reviewer --- .github/auto_assign.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/auto_assign.yml b/.github/auto_assign.yml index 02596ef..696b4f8 100644 --- a/.github/auto_assign.yml +++ b/.github/auto_assign.yml @@ -10,6 +10,7 @@ reviewers: - anuragc617 - tiwarishub - vsvipul + - bishal-pdmsft # A number of reviewers added to the pull request # Set 0 to add all the reviewers (default: 0) From 3e8902ca5688bff9a7736fff0197c2bd208b4a5f Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Thu, 5 May 2022 15:55:43 +0530 Subject: [PATCH 059/234] Add dependabot --- .github/dependabot.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..62283f9 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,16 @@ +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options: +# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates + +version: 2 +updates: + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" From fc57d752748ceaef22641be7fa94b6a17e691e13 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Mon, 9 May 2022 11:16:42 -0700 Subject: [PATCH 060/234] use action commitment sha --- code-scanning/hadolint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml index fbbf914..2f554e4 100644 --- a/code-scanning/hadolint.yml +++ b/code-scanning/hadolint.yml @@ -33,7 +33,7 @@ jobs: uses: actions/checkout@v3 - name: Run hadolint - uses: hadolint/hadolint-action@v2.1.0 + uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183 with: dockerfile: ./Dockerfile format: sarif From 1100f4c7e825065833089b4f25cb045226bf4bbc Mon Sep 17 00:00:00 2001 From: fredster33 Date: Sat, 14 May 2022 07:24:17 -0700 Subject: [PATCH 061/234] Escape to pass tests --- automation/greetings.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/greetings.yml b/automation/greetings.yml index 1138ea8..562838f 100644 --- a/automation/greetings.yml +++ b/automation/greetings.yml @@ -12,5 +12,5 @@ jobs: - uses: actions/first-interaction@v1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - issue-message: 'Message that will be displayed on users' first issue' - pr-message: 'Message that will be displayed on users' first pull request' + issue-message: 'Message that will be displayed on users\' first issue' + pr-message: 'Message that will be displayed on users\' first pull request' From a3f4ca426faa51fdc07d753951ef8aa85bfb635a Mon Sep 17 00:00:00 2001 From: Federico Builes Date: Mon, 16 May 2022 13:44:34 -0700 Subject: [PATCH 062/234] Fixing typo in dependency-review-action. --- code-scanning/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 0e72a00..8966511 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -1,6 +1,6 @@ # Dependency Review Action # -# This Action will scan dependency manifest files that change as part of a Pull Reqest, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. +# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. # # Source repository: https://github.com/actions/dependency-review-action # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement From bed5e488cf5db12055b60ea905d8f90c59ea3c56 Mon Sep 17 00:00:00 2001 From: Edward <14011954+0xedward@users.noreply.github.com> Date: Mon, 16 May 2022 18:28:59 -0400 Subject: [PATCH 063/234] Fix link to `code-scanning` directory Changed https://github.com/actions/starter-workflows/tree/main/ci to https://github.com/actions/starter-workflows/tree/main/code-scanning --- .github/pull_request_template.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 752dd99..9b6c10f 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -26,7 +26,7 @@ It is not: - [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests"). - [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build"). - [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification. -- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully. +- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully. **For _CI_ workflows, the workflow:** @@ -38,7 +38,7 @@ It is not: **For _Code Scanning_ workflows, the workflow:** -- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/ci). +- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/code-scanning). - [ ] Should include a matching `code-scanning/properties/*.properties.json` file (for example, [`code-scanning/properties/codeql.properties.json`](https://github.com/actions/starter-workflows/blob/main/code-scanning/properties/codeql.properties.json)), with properties set as follows: - [ ] `name`: Name of the Code Scanning integration. - [ ] `organization`: Name of the organization producing the Code Scanning integration. From fb28da064123bacb1ab14fe88c947dcf1c20aa82 Mon Sep 17 00:00:00 2001 From: fredster33 Date: Fri, 20 May 2022 16:55:27 -0700 Subject: [PATCH 064/234] Fix escaping --- automation/greetings.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/greetings.yml b/automation/greetings.yml index 562838f..4677434 100644 --- a/automation/greetings.yml +++ b/automation/greetings.yml @@ -12,5 +12,5 @@ jobs: - uses: actions/first-interaction@v1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - issue-message: 'Message that will be displayed on users\' first issue' - pr-message: 'Message that will be displayed on users\' first pull request' + issue-message: "Message that will be displayed on users' first issue" + pr-message: "Message that will be displayed on users' first pull request" From 9f02725cf7ad47bd29fde61950948648c5abe693 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Sat, 21 May 2022 11:13:24 +0530 Subject: [PATCH 065/234] Fix the missing `on` trigger for AKS Kompose --- deployments/azure-kubernetes-service-kompose.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index 0cf23ba..60fe536 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -31,6 +31,12 @@ name: Build and deploy an app to AKS with Kompose +on: + push: + branches: + - $default-branch + workflow_dispatch: + env: AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" CONTAINER_NAME: "your-container-name" @@ -148,4 +154,4 @@ jobs: images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file + ${{ env.IMAGE_PULL_SECRET_NAME }} From ea7d7777b6893c6401b777663973a51be35b74c4 Mon Sep 17 00:00:00 2001 From: Jaiveer Katariya Date: Mon, 23 May 2022 14:47:39 -0400 Subject: [PATCH 066/234] added checkout step to helm starter workflow --- deployments/azure-kubernetes-service-helm.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index 510abcd..a6a2f4e 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -120,6 +120,9 @@ jobs: runs-on: ubuntu-latest needs: [buildImage, createSecret] steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + # Logs in with your Azure credentials - name: Azure login uses: azure/login@v1.4.3 From 2be3a09ccb9a825bd8bfed4d2e67a00fadf21648 Mon Sep 17 00:00:00 2001 From: Jaiveer Katariya Date: Mon, 23 May 2022 14:59:13 -0400 Subject: [PATCH 067/234] removed unnecessary checkout from kustomize create-secret step --- deployments/azure-kubernetes-service-kustomize.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index 14469db..d46cadb 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -74,9 +74,6 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - # Logs in with your Azure credentials - name: Azure login uses: azure/login@v1.4.3 From a4fc6b086e1052d83b7b3a6bae14aca6c055d20a Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez <92373106+SOOS-JAlvarez@users.noreply.github.com> Date: Tue, 24 May 2022 16:52:04 -0300 Subject: [PATCH 068/234] SOOS DAST starter action submission --- .../properties/soos-dast-scan.properties.json | 8 ++++ code-scanning/soos-dast-scan.yml | 41 +++++++++++++++++++ icons/soos.svg | 17 ++++++++ 3 files changed, 66 insertions(+) create mode 100644 code-scanning/properties/soos-dast-scan.properties.json create mode 100644 code-scanning/soos-dast-scan.yml create mode 100644 icons/soos.svg diff --git a/code-scanning/properties/soos-dast-scan.properties.json b/code-scanning/properties/soos-dast-scan.properties.json new file mode 100644 index 0000000..b2834df --- /dev/null +++ b/code-scanning/properties/soos-dast-scan.properties.json @@ -0,0 +1,8 @@ +{ + "name": "SOOS DAST Scan", + "creator": "SOOS", + "description": "Integrate dynamic application security testing (DAST) and API security testing into your CI pipeline with StackHawk", + "iconName": "soos", + "categories": ["Code Scanning"] + } + \ No newline at end of file diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml new file mode 100644 index 0000000..a16ed9e --- /dev/null +++ b/code-scanning/soos-dast-scan.yml @@ -0,0 +1,41 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# SOOS is the easy-to-integrate software security solution for your whole team we currently, learn more at https://soos.io/ +# +# To use this action you need to fill the following requirements: +# +# 1. Create an account on https://app.soos.io to obtain a Client ID and API Key (Free 30 days trials for both our SCA/DAST product). +# +# 2. Set up your API KEY/Client ID as Github Secrets named SOOS_CLIENT_ID & SOOS_API_KEY. (Also set SOOS_GITHUB_PAT with your Github Personal Access Token if you're going to use sarif upload) +# + +name: "SOOS DAST Scan" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + +jobs: + soos: + permissions: + security-events: write # for uploading code scanning alert info + name: SOOS DAST Scan + runs-on: ubuntu-latest + steps: + - name: Run SOOS DAST Scan + uses: soos-io/soos-dast-github-action@c32a9d22e9af91ccace86aa7e76673b89c6256fd + with: + client_id: ${{ secrets.SOOS_CLIENT_ID }} + api_key: ${{ secrets.SOOS_API_KEY }} + project_name: "DAST-GitHub-Action-Test" # If you're going to use SARIF the project name should be on the form of `repoowner/reponame` or use the token github.repository + scan_mode: "baseline" + target_url: "https://www.example.com/" + sarif: true # Only set to true if you want to upload the SARIF report to Github + gpat: ${{ secrets.SOOS_GITHUB_PAT }} + + diff --git a/icons/soos.svg b/icons/soos.svg new file mode 100644 index 0000000..17a31fc --- /dev/null +++ b/icons/soos.svg @@ -0,0 +1,17 @@ + + + + + + + + + + + From a80536a617f6eb6cf9f1c398f5f163c24ec03e21 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 26 May 2022 14:46:58 +0000 Subject: [PATCH 069/234] Scorecard v1.1.0 hash bump --- code-scanning/scorecards.yml | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index a6bde3a..846988e 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -17,37 +17,43 @@ jobs: permissions: # Needed to upload the results to code-scanning dashboard. security-events: write + # Used to receive a badge. (Upcoming feature) + id-token: write actions: read contents: read - + steps: - name: "Checkout code" - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0 + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4 + uses: ossf/scorecard-action@5c8bc69dc88b65c66584e07611df79d3579b0377 # v1.1.0 with: results_file: results.sarif results_format: sarif - # Read-only PAT token. To create it, - # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation. - repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} - # Publish the results to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories, `publish_results` will automatically be set to `false`, - # regardless of the value entered here. + # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecards on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} + + # Publish the results for public repositories to enable scorecard badges. For more details, see + # https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories, `publish_results` will automatically be set to `false`, regardless + # of the value entered here. publish_results: true - # Upload the results as artifacts (optional). + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 + uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 with: name: SARIF file path: results.sarif retention-days: 5 - + # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26 From 866ad3b83c8b7a0f0730c2a7ce908c46784c8a74 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 26 May 2022 14:50:13 +0000 Subject: [PATCH 070/234] updates --- code-scanning/scorecards.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 846988e..28fb7f3 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -24,7 +24,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0 with: persist-credentials: false @@ -48,7 +48,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 with: name: SARIF file path: results.sarif From e2e966c9107306a40bf07c880a1259514ccfab66 Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez <92373106+SOOS-JAlvarez@users.noreply.github.com> Date: Fri, 27 May 2022 09:36:07 -0300 Subject: [PATCH 071/234] couple fixes from review --- code-scanning/properties/soos-dast-scan.properties.json | 5 ++--- code-scanning/soos-dast-scan.yml | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/code-scanning/properties/soos-dast-scan.properties.json b/code-scanning/properties/soos-dast-scan.properties.json index b2834df..6ef5121 100644 --- a/code-scanning/properties/soos-dast-scan.properties.json +++ b/code-scanning/properties/soos-dast-scan.properties.json @@ -1,8 +1,7 @@ { "name": "SOOS DAST Scan", "creator": "SOOS", - "description": "Integrate dynamic application security testing (DAST) and API security testing into your CI pipeline with StackHawk", + "description": "SOOS DAST is the easy-to-integrate no-limit web vulnerability scanner. Integrate SOOS DAST with your CI pipeline to find vulnerabilities by scanning a web app or APIs.", "iconName": "soos", "categories": ["Code Scanning"] - } - \ No newline at end of file +} \ No newline at end of file diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index a16ed9e..75fe9ed 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. # -# SOOS is the easy-to-integrate software security solution for your whole team we currently, learn more at https://soos.io/ +# SOOS is the easy-to-integrate software security solution for your whole team, learn more at https://soos.io/ # # To use this action you need to fill the following requirements: # @@ -32,7 +32,7 @@ jobs: with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} - project_name: "DAST-GitHub-Action-Test" # If you're going to use SARIF the project name should be on the form of `repoowner/reponame` or use the token github.repository + project_name: ${{ github.repository }} # If you're going to use SARIF the project name should be on the form of `repoowner/reponame` or use the token github.repository scan_mode: "baseline" target_url: "https://www.example.com/" sarif: true # Only set to true if you want to upload the SARIF report to Github From b9fbda1e7dcc2e8bc9899b02573484620eea0325 Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Mon, 30 May 2022 14:11:28 +0200 Subject: [PATCH 072/234] Add actions read permission The CodeQL Action requires this permission to collect information of the workflow run. --- code-scanning/anchore.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 6f52d5d..5c19cc3 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -28,6 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # for github/codeql-action/upload-sarif to get Action run status runs-on: ubuntu-latest steps: - name: Checkout the code From 77df908268e8577f2b7955bbc9d27b46a316aae8 Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Mon, 30 May 2022 14:16:42 +0200 Subject: [PATCH 073/234] Set `fail-build` property to false Whenever a security issue is found the `scan action` fails the build and the step, which causes the workflow to fail before uploading the results to Code Scanning. This change turns the error into a warning. --- code-scanning/anchore.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 6f52d5d..b0e542e 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -39,6 +39,7 @@ jobs: with: image: "localbuild/testimage:latest" acs-report-enable: true + fail-build: false - name: Upload Anchore Scan Report uses: github/codeql-action/upload-sarif@v2 with: From 27f5b1e9fdf42fe0686ccb89a2926a08c5ca9abe Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Tue, 31 May 2022 12:28:16 +0200 Subject: [PATCH 074/234] Add descriptive comment The `actions: read` permission is only required when the workflow is executed in a private repository. --- code-scanning/anchore.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 5c19cc3..2753147 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -28,7 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # for github/codeql-action/upload-sarif to get Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#example-workflow-for-sarif-files-generated-outside-of-a-repository runs-on: ubuntu-latest steps: - name: Checkout the code From 477f6af84e7a702f1832787f81445d0c2bc33010 Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Tue, 31 May 2022 14:19:53 +0200 Subject: [PATCH 075/234] Shorten the comment The comment is shortened by removing the URL to the documentation. Co-authored-by: Sampark Sharma --- code-scanning/anchore.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 2753147..4fbc9f0 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -28,7 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#example-workflow-for-sarif-files-generated-outside-of-a-repository + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - name: Checkout the code From 45198b14e06f360979705d625fda2daa4d339653 Mon Sep 17 00:00:00 2001 From: Shaopeng Li Date: Tue, 31 May 2022 18:51:10 -0700 Subject: [PATCH 076/234] phpmd --- code-scanning/phpmd.yml | 50 ++++ .../properties/phpmd.properties.json | 6 + icons/phpmd.svg | 252 ++++++++++++++++++ 3 files changed, 308 insertions(+) create mode 100644 code-scanning/phpmd.yml create mode 100644 code-scanning/properties/phpmd.properties.json create mode 100644 icons/phpmd.svg diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml new file mode 100644 index 0000000..9b9545a --- /dev/null +++ b/code-scanning/phpmd.yml @@ -0,0 +1,50 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# PHPMD is a spin-off project of PHP Depend and +# aims to be a PHP equivalent of the well known Java tool PMD. +# More details at https://phpmd.org/ + +name: PHPMD + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + # workflow_dispatch: + +permissions: + contents: read + +jobs: + PHPMD: + name: Run PHPMD scanning + runs-on: ubuntu-latest + permissions: + contents: read # for checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Setup PHP + uses: shivammathur/setup-php@v2 + with: + coverage: none + tools: phpmd + + - name: Run PHPMD + run: phpmd . sarif codesize --reportfile phpmd-results.sarif + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: phpmd-results.sarif + wait-for-processing: true diff --git a/code-scanning/properties/phpmd.properties.json b/code-scanning/properties/phpmd.properties.json new file mode 100644 index 0000000..bd95bf9 --- /dev/null +++ b/code-scanning/properties/phpmd.properties.json @@ -0,0 +1,6 @@ +{ + "name": "PHPMD", + "description": "A spin-off project of PHP Depend and aims to be a PHP equivalent of the well known Java tool PMD.", + "iconName": "phpmd", + "categories": [ "Code Scanning", "PHP" ] +} \ No newline at end of file diff --git a/icons/phpmd.svg b/icons/phpmd.svg new file mode 100644 index 0000000..c354f1d --- /dev/null +++ b/icons/phpmd.svg @@ -0,0 +1,252 @@ + + + + +Created by potrace 1.10, written by Peter Selinger 2001-2011 + + + + + + + + + + + + + + + + + + + + + From dfd625dcc4778d68e194f62e68e5dc65ef73b88b Mon Sep 17 00:00:00 2001 From: Shaopeng Li Date: Tue, 31 May 2022 19:10:04 -0700 Subject: [PATCH 077/234] use hash --- code-scanning/phpmd.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml index 9b9545a..3c0a5f2 100644 --- a/code-scanning/phpmd.yml +++ b/code-scanning/phpmd.yml @@ -16,7 +16,6 @@ on: branches: [ $default-branch ] schedule: - cron: $cron-weekly - # workflow_dispatch: permissions: contents: read @@ -34,7 +33,7 @@ jobs: uses: actions/checkout@v3 - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@aa1fe473f9c687b6fb896056d771232c0bc41161 with: coverage: none tools: phpmd From 978c3bbb41242ad164fb5c43b4fdd3353056addc Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 1 Jun 2022 09:15:10 -0700 Subject: [PATCH 078/234] Update scorecards.yml --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 28fb7f3..6135414 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -29,7 +29,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@5c8bc69dc88b65c66584e07611df79d3579b0377 # v1.1.0 + uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # v1.1.1 with: results_file: results.sarif results_format: sarif From 74b6f422559f3c58f4adee47ffbefc98d22548e1 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 1 Jun 2022 10:50:44 -0700 Subject: [PATCH 079/234] Update scorecards.yml --- code-scanning/scorecards.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 6135414..eed834b 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -19,7 +19,6 @@ jobs: security-events: write # Used to receive a badge. (Upcoming feature) id-token: write - actions: read contents: read steps: From 74408a5287eb771031d02d73dbe14ed23ec90a41 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 1 Jun 2022 11:00:27 -0700 Subject: [PATCH 080/234] Update scorecards.yml --- code-scanning/scorecards.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index eed834b..539794d 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -19,7 +19,9 @@ jobs: security-events: write # Used to receive a badge. (Upcoming feature) id-token: write + # Needs for private repositories. contents: read + actions: read steps: - name: "Checkout code" From d33aefde62c5125d69e76f4dfc04aed7a0b28a12 Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez <92373106+SOOS-JAlvarez@users.noreply.github.com> Date: Thu, 2 Jun 2022 12:12:22 -0300 Subject: [PATCH 081/234] updated action version --- code-scanning/soos-dast-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 75fe9ed..47f6c48 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Scan - uses: soos-io/soos-dast-github-action@c32a9d22e9af91ccace86aa7e76673b89c6256fd + uses: soos-io/soos-dast-github-action@5f8e2a1994d618e6ac9902e0f491fd1656b698e6 with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} From b812cc5edacb55ae2f748244f67187ae9cbe872b Mon Sep 17 00:00:00 2001 From: Shaopeng Li Date: Sat, 4 Jun 2022 19:50:14 -0700 Subject: [PATCH 082/234] use new logo from repo owner --- icons/phpmd.svg | 845 ++++++++++++++++++++++++++++++++++-------------- 1 file changed, 594 insertions(+), 251 deletions(-) diff --git a/icons/phpmd.svg b/icons/phpmd.svg index c354f1d..7697766 100644 --- a/icons/phpmd.svg +++ b/icons/phpmd.svg @@ -1,252 +1,595 @@ - - - - -Created by potrace 1.10, written by Peter Selinger 2001-2011 - - - - - - - - - - - - - - - - - - - - + + + + + + + + From ab9d895e8dfdfcc309424b079d074d637b744367 Mon Sep 17 00:00:00 2001 From: satyamchaurasiapersistent <102941840+satyamchaurasiapersistent@users.noreply.github.com> Date: Mon, 6 Jun 2022 11:45:21 +0530 Subject: [PATCH 083/234] Repo Url and SHA value updated. --- code-scanning/checkmarx.yml | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index ed13389..1c57150 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -17,27 +17,19 @@ on: - cron: $cron-weekly # A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action -permissions: - contents: read - jobs: # This workflow contains a single job called "build" build: # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action - permissions: - contents: read # for actions/checkout to fetch code - issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues - pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 + - uses: actions/checkout@v2 # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs - name: Checkmarx CxFlow Action - uses: checkmarx-ts/checkmarx-cxflow-github-action@9975af7d6b957abec9ee9646effa3fb3b82c5314 + uses: checkmarx-ts/checkmarx-cxflow-github-action@49d8269b14ca87910ba003d47a31fa0c7a11f2fe with: project: ${{ secrets.CHECKMARX_PROJECT }} team: ${{ secrets.CHECKMARX_TEAMS }} @@ -46,9 +38,9 @@ jobs: checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} scanners: sast - params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true + params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory --repo-url=${{ github.event.repository.url }} # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v1 with: sarif_file: cx.sarif From eda5a46a9546396c96ef0e05ad1840c0fbe2e060 Mon Sep 17 00:00:00 2001 From: Edward <14011954+0xedward@users.noreply.github.com> Date: Tue, 17 May 2022 19:00:28 -0400 Subject: [PATCH 084/234] Add Pyre starter workflow --- code-scanning/properties/pyre.properties.json | 7 +++ code-scanning/pyre.yml | 46 +++++++++++++++++++ icons/pyre.svg | 1 + 3 files changed, 54 insertions(+) create mode 100644 code-scanning/properties/pyre.properties.json create mode 100644 code-scanning/pyre.yml create mode 100644 icons/pyre.svg diff --git a/code-scanning/properties/pyre.properties.json b/code-scanning/properties/pyre.properties.json new file mode 100644 index 0000000..bc12321 --- /dev/null +++ b/code-scanning/properties/pyre.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Pyre", + "creator": "Meta", + "description": "Pyre is a performant type checker for Python compliant with PEP 484. Pyre can analyze codebases with millions of lines of code incrementally – providing instantaneous feedback to developers as they write code.", + "iconName": "pyre", + "categories": ["Code Scanning", "Python"] +} diff --git a/code-scanning/pyre.yml b/code-scanning/pyre.yml new file mode 100644 index 0000000..3c32e8b --- /dev/null +++ b/code-scanning/pyre.yml @@ -0,0 +1,46 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates Pyre with GitHub's +# Code Scanning feature. +# +# Pyre is a performant type checker for Python compliant with +# PEP 484. Pyre can analyze codebases with millions of lines +# of code incrementally – providing instantaneous feedback +# to developers as they write code. +# +# See https://pyre-check.org + +name: Pyre + +on: + workflow_dispatch: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + +permissions: + contents: read + +jobs: + pyre: + permissions: + actions: read + contents: read + security-events: write + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + submodules: true + + - name: Run Pyre + uses: facebook/pyre-action@60697a7858f7cc8470d8cc494a3cf2ad6b06560d + with: + # To customize these inputs: + # See https://github.com/facebook/pyre-action#inputs + repo-directory: './' + requirements-path: 'requirements.txt' diff --git a/icons/pyre.svg b/icons/pyre.svg new file mode 100644 index 0000000..2af14c0 --- /dev/null +++ b/icons/pyre.svg @@ -0,0 +1 @@ +Asset 1 \ No newline at end of file From 862560d6d0ce6dacc03697cf601d8e83c74520b9 Mon Sep 17 00:00:00 2001 From: Edward <14011954+0xedward@users.noreply.github.com> Date: Mon, 16 May 2022 17:42:13 -0400 Subject: [PATCH 085/234] Add workflow for Pysa https://github.com/facebook/pysa-action https://github.com/facebook/pyre-check --- code-scanning/properties/pysa.properties.json | 7 +++ code-scanning/pysa.yml | 50 +++++++++++++++++++ icons/pysa.svg | 1 + 3 files changed, 58 insertions(+) create mode 100644 code-scanning/properties/pysa.properties.json create mode 100644 code-scanning/pysa.yml create mode 100644 icons/pysa.svg diff --git a/code-scanning/properties/pysa.properties.json b/code-scanning/properties/pysa.properties.json new file mode 100644 index 0000000..1a61c40 --- /dev/null +++ b/code-scanning/properties/pysa.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Pysa", + "creator": "Meta", + "description": "Python Static Analyzer (Pysa) is a security-focused static analysis tool that tracks flows of data from where they originate to where they terminate in a dangerous location.", + "iconName": "pysa", + "categories": ["Code Scanning", "Python"] +} diff --git a/code-scanning/pysa.yml b/code-scanning/pysa.yml new file mode 100644 index 0000000..a9e3c81 --- /dev/null +++ b/code-scanning/pysa.yml @@ -0,0 +1,50 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates Python Static Analyzer (Pysa) with +# GitHub's Code Scanning feature. +# +# Python Static Analyzer (Pysa) is a security-focused static +# analysis tool that tracks flows of data from where they +# originate to where they terminate in a dangerous location. +# +# See https://pyre-check.org/docs/pysa-basics/ + +name: Pysa + +on: + workflow_dispatch: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + pysa: + permissions: + actions: read + contents: read + security-events: write + + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + submodules: true + + - name: Run Pysa + uses: facebook/pysa-action@f46a63777e59268613bd6e2ff4e29f144ca9e88b + with: + # To customize these inputs: + # See https://github.com/facebook/pysa-action#inputs + repo-directory: './' + requirements-path: 'requirements.txt' + infer-types: true + include-default-sapp-filters: true diff --git a/icons/pysa.svg b/icons/pysa.svg new file mode 100644 index 0000000..ed60fb1 --- /dev/null +++ b/icons/pysa.svg @@ -0,0 +1 @@ + \ No newline at end of file From 44f8355dd3fcc819e5064577d46aeb5d0b5070a4 Mon Sep 17 00:00:00 2001 From: Anton Krasovsky Date: Tue, 7 Jun 2022 17:57:25 +0100 Subject: [PATCH 086/234] Update workflow to use the newest version of 42Crunch REST API Static Security Testing Action --- code-scanning/crunch42.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/crunch42.yml b/code-scanning/crunch42.yml index 07cd73a..1ac846e 100644 --- a/code-scanning/crunch42.yml +++ b/code-scanning/crunch42.yml @@ -46,7 +46,7 @@ jobs: - uses: actions/checkout@v3 - name: 42Crunch REST API Static Security Testing - uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1 + uses: 42Crunch/api-security-audit-action@f3a4f4d44ca6f538fe84361373d7a2a374018fdd with: # Please create free account at https://platform.42crunch.com/register # Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm From 7ba355c39e6939dea937ef47c51c708de6ec51a6 Mon Sep 17 00:00:00 2001 From: Satyam Chaurasia Date: Wed, 8 Jun 2022 06:39:55 +0530 Subject: [PATCH 087/234] Adding changes of version and repo URL issue --- code-scanning/checkmarx.yml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index 1c57150..e060654 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -17,16 +17,24 @@ on: - cron: $cron-weekly # A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action +permissions: + contents: read + jobs: # This workflow contains a single job called "build" build: # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action + permissions: + contents: read # for actions/checkout to fetch code + issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues + pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs - name: Checkmarx CxFlow Action uses: checkmarx-ts/checkmarx-cxflow-github-action@49d8269b14ca87910ba003d47a31fa0c7a11f2fe @@ -38,9 +46,9 @@ jobs: checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} scanners: sast - params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory --repo-url=${{ github.event.repository.url }} + params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }} # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: cx.sarif From a54c80f225c1e6faedf983a842923f7ff81f5bfe Mon Sep 17 00:00:00 2001 From: Noah Irwin Date: Thu, 9 Jun 2022 12:52:18 +0100 Subject: [PATCH 088/234] Adds Contrast Scan workflow --- code-scanning/contrast-scan.yml | 43 +++++++++++++++++++ .../properties/contrast-scan.properties.json | 7 +++ icons/contrast.svg | 16 +++++++ 3 files changed, 66 insertions(+) create mode 100644 code-scanning/contrast-scan.yml create mode 100644 code-scanning/properties/contrast-scan.properties.json create mode 100644 icons/contrast.svg diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml new file mode 100644 index 0000000..0c8fe6b --- /dev/null +++ b/code-scanning/contrast-scan.yml @@ -0,0 +1,43 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow will initiate a Contrast Scan on your built artifact, and subsequently upload the results SARIF to Github. + +# Pre-requisites: +# All Contrast related account secrets should be configured as GitHub secrets to be passed as inputs to the Contrast Scan Action. +# The required secrets are CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID and CONTRAST_AUTH_HEADER. + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +name: Scan analyze workflow +jobs: + build-and-scan: + runs-on: ubuntu-latest + # check out project + steps: + - uses: actions/checkout@v3 + # Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here. + # -name: Build Project + # ... + # Scan Artifact + - name: Contrast Scan Action + uses: Contrast-Security-OSS/contrastscan-action@092c4e12ee0ee37b6116275f06efea84b2fe9d1a + with: + artifact: mypath/target/myartifact.jar # replace this path with the path to your built artifact + apiKey: ${{ secrets.CONTRAST_API_KEY }} + orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }} + authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} + #Upload the results to GitHub + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output diff --git a/code-scanning/properties/contrast-scan.properties.json b/code-scanning/properties/contrast-scan.properties.json new file mode 100644 index 0000000..67369b8 --- /dev/null +++ b/code-scanning/properties/contrast-scan.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Contrast Scan", + "creator": "Contrast Security Inc", + "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerabilities to the repository.", + "iconName": "contrast", + "categories": ["Code Scanning", "java", "javascript", "dotnet"] +} \ No newline at end of file diff --git a/icons/contrast.svg b/icons/contrast.svg new file mode 100644 index 0000000..7680157 --- /dev/null +++ b/icons/contrast.svg @@ -0,0 +1,16 @@ + + + + + + + + From ad064a4af4a41be5048d447468dc06ef59b4036d Mon Sep 17 00:00:00 2001 From: Noah Irwin Date: Fri, 10 Jun 2022 11:35:06 +0100 Subject: [PATCH 089/234] Updates from PR feedback --- code-scanning/contrast-scan.yml | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml index 0c8fe6b..e822508 100644 --- a/code-scanning/contrast-scan.yml +++ b/code-scanning/contrast-scan.yml @@ -4,6 +4,9 @@ # documentation. # This workflow will initiate a Contrast Scan on your built artifact, and subsequently upload the results SARIF to Github. +# Because Contrast Scan is designed to run against your deployable artifact, you need to build an artifact that will be passed to the Contrast Scan Action. +# Contrast Scan currently supports Java, JavaScript and .NET artifacts. +# For more information about the Contrast Scan GitHub Action see here: https://github.com/Contrast-Security-OSS/contrastscan-action # Pre-requisites: # All Contrast related account secrets should be configured as GitHub secrets to be passed as inputs to the Contrast Scan Action. @@ -21,6 +24,9 @@ on: name: Scan analyze workflow jobs: build-and-scan: + permissions: + contents: read # for actions/checkout + security-events: write # for github/codeql-action/upload-sarif runs-on: ubuntu-latest # check out project steps: @@ -30,12 +36,12 @@ jobs: # ... # Scan Artifact - name: Contrast Scan Action - uses: Contrast-Security-OSS/contrastscan-action@092c4e12ee0ee37b6116275f06efea84b2fe9d1a - with: - artifact: mypath/target/myartifact.jar # replace this path with the path to your built artifact - apiKey: ${{ secrets.CONTRAST_API_KEY }} - orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }} - authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} + uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1 + with: + artifact: mypath/target/myartifact.jar # replace this path with the path to your built artifact + apiKey: ${{ secrets.CONTRAST_API_KEY }} + orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }} + authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} #Upload the results to GitHub - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 From 5f8fa2190b68e24e1922720865c66a10c9739525 Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez <92373106+SOOS-JAlvarez@users.noreply.github.com> Date: Fri, 10 Jun 2022 15:31:19 -0300 Subject: [PATCH 090/234] use codeql upload sarif action --- code-scanning/soos-dast-scan.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 47f6c48..8969db0 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -24,18 +24,22 @@ jobs: soos: permissions: security-events: write # for uploading code scanning alert info + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: SOOS DAST Scan runs-on: ubuntu-latest steps: - name: Run SOOS DAST Scan - uses: soos-io/soos-dast-github-action@5f8e2a1994d618e6ac9902e0f491fd1656b698e6 + uses: soos-io/soos-dast-github-action@5f8c23ccf8366ea0a58deeb5c804e0524267df43 with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} - project_name: ${{ github.repository }} # If you're going to use SARIF the project name should be on the form of `repoowner/reponame` or use the token github.repository + project_name: "" scan_mode: "baseline" target_url: "https://www.example.com/" - sarif: true # Only set to true if you want to upload the SARIF report to Github - gpat: ${{ secrets.SOOS_GITHUB_PAT }} + output_format: "sarif" + - name: Upload SOOS DAST SARIF Report + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif From 66d01dd6da6cc6d7770d1c579799dd00b2259cc6 Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez <92373106+SOOS-JAlvarez@users.noreply.github.com> Date: Mon, 13 Jun 2022 08:50:37 -0300 Subject: [PATCH 091/234] code review - put exact hash of release --- code-scanning/soos-dast-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 8969db0..cf3b1b7 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -29,7 +29,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Scan - uses: soos-io/soos-dast-github-action@5f8c23ccf8366ea0a58deeb5c804e0524267df43 + uses: soos-io/soos-dast-github-action@b524e2cfbc4f4a5733153a7e624f569913f6c6e9 with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} From a0d1fc31f74beaedb766543246743db312c31c30 Mon Sep 17 00:00:00 2001 From: Shaopeng Li Date: Mon, 13 Jun 2022 13:38:09 -0700 Subject: [PATCH 092/234] Add what PHPMD does --- code-scanning/phpmd.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml index 3c0a5f2..68e082e 100644 --- a/code-scanning/phpmd.yml +++ b/code-scanning/phpmd.yml @@ -2,6 +2,13 @@ # They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support # documentation. +# What PHPMD does is: It takes a given PHP source code base +# and look for several potential problems within that source. +# These problems can be things like: +# Possible bugs +# Suboptimal code +# Overcomplicated expressions +# Unused parameters, methods, properties # PHPMD is a spin-off project of PHP Depend and # aims to be a PHP equivalent of the well known Java tool PMD. # More details at https://phpmd.org/ From 5864b8200b647d56d3f99013661a16204d76451c Mon Sep 17 00:00:00 2001 From: Shaopeng Li Date: Tue, 14 Jun 2022 03:20:43 -0700 Subject: [PATCH 093/234] move `What PHPMD does is...` below `PHPMD is a spin-off...` --- code-scanning/phpmd.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml index 68e082e..91f4b2d 100644 --- a/code-scanning/phpmd.yml +++ b/code-scanning/phpmd.yml @@ -2,6 +2,8 @@ # They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support # documentation. +# PHPMD is a spin-off project of PHP Depend and +# aims to be a PHP equivalent of the well known Java tool PMD. # What PHPMD does is: It takes a given PHP source code base # and look for several potential problems within that source. # These problems can be things like: @@ -9,8 +11,6 @@ # Suboptimal code # Overcomplicated expressions # Unused parameters, methods, properties -# PHPMD is a spin-off project of PHP Depend and -# aims to be a PHP equivalent of the well known Java tool PMD. # More details at https://phpmd.org/ name: PHPMD From 191e0166339c8ab513d25af99ce94048b957db69 Mon Sep 17 00:00:00 2001 From: Julien Richard-Foy Date: Tue, 14 Jun 2022 18:02:02 +0200 Subject: [PATCH 094/234] Enable caching by default As shown in the documentation, enable caching by default. --- ci/scala.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ci/scala.yml b/ci/scala.yml index c985f74..6f80a22 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -21,5 +21,6 @@ jobs: with: java-version: '11' distribution: 'temurin' + cache: 'sbt' - name: Run tests run: sbt test From 746c698c90f01168f2f0bdfda89de9b7b9676cd8 Mon Sep 17 00:00:00 2001 From: Nick Schonning Date: Fri, 10 Dec 2021 20:21:44 -0500 Subject: [PATCH 095/234] chore: upgrade package-lock.json to v2 --- script/sync-ghes/package-lock.json | 160 +++++++++++++++++++++- script/validate-data/package-lock.json | 177 ++++++++++++++++++++++++- 2 files changed, 334 insertions(+), 3 deletions(-) diff --git a/script/sync-ghes/package-lock.json b/script/sync-ghes/package-lock.json index ebcd318..768bbda 100644 --- a/script/sync-ghes/package-lock.json +++ b/script/sync-ghes/package-lock.json @@ -1,8 +1,166 @@ { "name": "sync-ghes-actions", "version": "1.0.0", - "lockfileVersion": 1, + "lockfileVersion": 2, "requires": true, + "packages": { + "": { + "name": "sync-ghes-actions", + "version": "1.0.0", + "license": "MIT", + "dependencies": { + "js-yaml": "^3.13.1" + }, + "devDependencies": { + "@types/js-yaml": "^3.12.4", + "@types/node": "^14.0.1", + "ts-node": "^8.10.1", + "typescript": "^3.9.2" + } + }, + "node_modules/@types/js-yaml": { + "version": "3.12.4", + "resolved": "https://registry.npmjs.org/@types/js-yaml/-/js-yaml-3.12.4.tgz", + "integrity": "sha512-fYMgzN+9e28R81weVN49inn/u798ruU91En1ZnGvSZzCRc5jXx9B2EDhlRaWmcO1RIxFHL8AajRXzxDuJu93+A==", + "dev": true + }, + "node_modules/@types/node": { + "version": "14.0.1", + "resolved": "https://registry.npmjs.org/@types/node/-/node-14.0.1.tgz", + "integrity": "sha512-FAYBGwC+W6F9+huFIDtn43cpy7+SzG+atzRiTfdp3inUKL2hXnd4rG8hylJLIh4+hqrQy1P17kvJByE/z825hA==", + "dev": true + }, + "node_modules/arg": { + "version": "4.1.3", + "resolved": "https://registry.npmjs.org/arg/-/arg-4.1.3.tgz", + "integrity": "sha512-58S9QDqG0Xx27YwPSt9fJxivjYl432YCwfDMfZ+71RAqUrZef7LrKQZ3LHLOwCS4FLNBplP533Zx895SeOCHvA==", + "dev": true + }, + "node_modules/argparse": { + "version": "1.0.10", + "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.10.tgz", + "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==", + "dependencies": { + "sprintf-js": "~1.0.2" + } + }, + "node_modules/buffer-from": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.1.tgz", + "integrity": "sha512-MQcXEUbCKtEo7bhqEs6560Hyd4XaovZlO/k9V3hjVUF/zwW7KBVdSK4gIt/bzwS9MbR5qob+F5jusZsb0YQK2A==", + "dev": true + }, + "node_modules/diff": { + "version": "4.0.2", + "resolved": "https://registry.npmjs.org/diff/-/diff-4.0.2.tgz", + "integrity": "sha512-58lmxKSA4BNyLz+HHMUzlOEpg09FV+ev6ZMe3vJihgdxzgcwZ8VoEEPmALCZG9LmqfVoNMMKpttIYTVG6uDY7A==", + "dev": true, + "engines": { + "node": ">=0.3.1" + } + }, + "node_modules/esprima": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz", + "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==", + "bin": { + "esparse": "bin/esparse.js", + "esvalidate": "bin/esvalidate.js" + }, + "engines": { + "node": ">=4" + } + }, + "node_modules/js-yaml": { + "version": "3.13.1", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.13.1.tgz", + "integrity": "sha512-YfbcO7jXDdyj0DGxYVSlSeQNHbD7XPWvrVWeVUujrQEoZzWJIRrCPoyk6kL6IAjAG2IolMK4T0hNUe0HOUs5Jw==", + "dependencies": { + "argparse": "^1.0.7", + "esprima": "^4.0.0" + }, + "bin": { + "js-yaml": "bin/js-yaml.js" + } + }, + "node_modules/make-error": { + "version": "1.3.6", + "resolved": "https://registry.npmjs.org/make-error/-/make-error-1.3.6.tgz", + "integrity": "sha512-s8UhlNe7vPKomQhC1qFelMokr/Sc3AgNbso3n74mVPA5LTZwkB9NlXf4XPamLxJE8h0gh73rM94xvwRT2CVInw==", + "dev": true + }, + "node_modules/source-map": { + "version": "0.6.1", + "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz", + "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==", + "dev": true, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/source-map-support": { + "version": "0.5.19", + "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.5.19.tgz", + "integrity": "sha512-Wonm7zOCIJzBGQdB+thsPar0kYuCIzYvxZwlBa87yi/Mdjv7Tip2cyVbLj5o0cFPN4EVkuTwb3GDDyUx2DGnGw==", + "dev": true, + "dependencies": { + "buffer-from": "^1.0.0", + "source-map": "^0.6.0" + } + }, + "node_modules/sprintf-js": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", + "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=" + }, + "node_modules/ts-node": { + "version": "8.10.1", + "resolved": "https://registry.npmjs.org/ts-node/-/ts-node-8.10.1.tgz", + "integrity": "sha512-bdNz1L4ekHiJul6SHtZWs1ujEKERJnHs4HxN7rjTyyVOFf3HaJ6sLqe6aPG62XTzAB/63pKRh5jTSWL0D7bsvw==", + "dev": true, + "dependencies": { + "arg": "^4.1.0", + "diff": "^4.0.1", + "make-error": "^1.1.1", + "source-map-support": "^0.5.17", + "yn": "3.1.1" + }, + "bin": { + "ts-node": "dist/bin.js", + "ts-node-script": "dist/bin-script.js", + "ts-node-transpile-only": "dist/bin-transpile.js", + "ts-script": "dist/bin-script-deprecated.js" + }, + "engines": { + "node": ">=6.0.0" + }, + "peerDependencies": { + "typescript": ">=2.7" + } + }, + "node_modules/typescript": { + "version": "3.9.2", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz", + "integrity": "sha512-q2ktq4n/uLuNNShyayit+DTobV2ApPEo/6so68JaD5ojvc/6GClBipedB9zNWYxRSAlZXAe405Rlijzl6qDiSw==", + "dev": true, + "bin": { + "tsc": "bin/tsc", + "tsserver": "bin/tsserver" + }, + "engines": { + "node": ">=4.2.0" + } + }, + "node_modules/yn": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz", + "integrity": "sha512-Ux4ygGWsu2c7isFWe8Yu1YluJmqVhxqK2cLXNQA5AcC3QfbGNpM7fu0Y8b/z16pXLnFxZYvWhd3fhBY9DLmC6Q==", + "dev": true, + "engines": { + "node": ">=6" + } + } + }, "dependencies": { "@types/js-yaml": { "version": "3.12.4", diff --git a/script/validate-data/package-lock.json b/script/validate-data/package-lock.json index 8839d6a..e660b6a 100644 --- a/script/validate-data/package-lock.json +++ b/script/validate-data/package-lock.json @@ -1,8 +1,181 @@ { - "name": "sync-ghes-actions", + "name": "validate-data", "version": "1.0.0", - "lockfileVersion": 1, + "lockfileVersion": 2, "requires": true, + "packages": { + "": { + "name": "validate-data", + "version": "1.0.0", + "license": "MIT", + "dependencies": { + "@actions/core": "^1.2.6", + "js-yaml": "^3.13.1", + "jsonschema": "^1.2.6" + }, + "devDependencies": { + "@types/js-yaml": "^3.12.4", + "@types/node": "^14.0.1", + "ts-node": "^8.10.1", + "typescript": "^3.9.2" + } + }, + "node_modules/@actions/core": { + "version": "1.2.6", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz", + "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA==" + }, + "node_modules/@types/js-yaml": { + "version": "3.12.4", + "resolved": "https://registry.npmjs.org/@types/js-yaml/-/js-yaml-3.12.4.tgz", + "integrity": "sha512-fYMgzN+9e28R81weVN49inn/u798ruU91En1ZnGvSZzCRc5jXx9B2EDhlRaWmcO1RIxFHL8AajRXzxDuJu93+A==", + "dev": true + }, + "node_modules/@types/node": { + "version": "14.0.1", + "resolved": "https://registry.npmjs.org/@types/node/-/node-14.0.1.tgz", + "integrity": "sha512-FAYBGwC+W6F9+huFIDtn43cpy7+SzG+atzRiTfdp3inUKL2hXnd4rG8hylJLIh4+hqrQy1P17kvJByE/z825hA==", + "dev": true + }, + "node_modules/arg": { + "version": "4.1.3", + "resolved": "https://registry.npmjs.org/arg/-/arg-4.1.3.tgz", + "integrity": "sha512-58S9QDqG0Xx27YwPSt9fJxivjYl432YCwfDMfZ+71RAqUrZef7LrKQZ3LHLOwCS4FLNBplP533Zx895SeOCHvA==", + "dev": true + }, + "node_modules/argparse": { + "version": "1.0.10", + "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.10.tgz", + "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==", + "dependencies": { + "sprintf-js": "~1.0.2" + } + }, + "node_modules/buffer-from": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.1.tgz", + "integrity": "sha512-MQcXEUbCKtEo7bhqEs6560Hyd4XaovZlO/k9V3hjVUF/zwW7KBVdSK4gIt/bzwS9MbR5qob+F5jusZsb0YQK2A==", + "dev": true + }, + "node_modules/diff": { + "version": "4.0.2", + "resolved": "https://registry.npmjs.org/diff/-/diff-4.0.2.tgz", + "integrity": "sha512-58lmxKSA4BNyLz+HHMUzlOEpg09FV+ev6ZMe3vJihgdxzgcwZ8VoEEPmALCZG9LmqfVoNMMKpttIYTVG6uDY7A==", + "dev": true, + "engines": { + "node": ">=0.3.1" + } + }, + "node_modules/esprima": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz", + "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==", + "bin": { + "esparse": "bin/esparse.js", + "esvalidate": "bin/esvalidate.js" + }, + "engines": { + "node": ">=4" + } + }, + "node_modules/js-yaml": { + "version": "3.13.1", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.13.1.tgz", + "integrity": "sha512-YfbcO7jXDdyj0DGxYVSlSeQNHbD7XPWvrVWeVUujrQEoZzWJIRrCPoyk6kL6IAjAG2IolMK4T0hNUe0HOUs5Jw==", + "dependencies": { + "argparse": "^1.0.7", + "esprima": "^4.0.0" + }, + "bin": { + "js-yaml": "bin/js-yaml.js" + } + }, + "node_modules/jsonschema": { + "version": "1.2.6", + "resolved": "https://registry.npmjs.org/jsonschema/-/jsonschema-1.2.6.tgz", + "integrity": "sha512-SqhURKZG07JyKKeo/ir24QnS4/BV7a6gQy93bUSe4lUdNp0QNpIz2c9elWJQ9dpc5cQYY6cvCzgRwy0MQCLyqA==", + "engines": { + "node": "*" + } + }, + "node_modules/make-error": { + "version": "1.3.6", + "resolved": "https://registry.npmjs.org/make-error/-/make-error-1.3.6.tgz", + "integrity": "sha512-s8UhlNe7vPKomQhC1qFelMokr/Sc3AgNbso3n74mVPA5LTZwkB9NlXf4XPamLxJE8h0gh73rM94xvwRT2CVInw==", + "dev": true + }, + "node_modules/source-map": { + "version": "0.6.1", + "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz", + "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==", + "dev": true, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/source-map-support": { + "version": "0.5.19", + "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.5.19.tgz", + "integrity": "sha512-Wonm7zOCIJzBGQdB+thsPar0kYuCIzYvxZwlBa87yi/Mdjv7Tip2cyVbLj5o0cFPN4EVkuTwb3GDDyUx2DGnGw==", + "dev": true, + "dependencies": { + "buffer-from": "^1.0.0", + "source-map": "^0.6.0" + } + }, + "node_modules/sprintf-js": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", + "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=" + }, + "node_modules/ts-node": { + "version": "8.10.1", + "resolved": "https://registry.npmjs.org/ts-node/-/ts-node-8.10.1.tgz", + "integrity": "sha512-bdNz1L4ekHiJul6SHtZWs1ujEKERJnHs4HxN7rjTyyVOFf3HaJ6sLqe6aPG62XTzAB/63pKRh5jTSWL0D7bsvw==", + "dev": true, + "dependencies": { + "arg": "^4.1.0", + "diff": "^4.0.1", + "make-error": "^1.1.1", + "source-map-support": "^0.5.17", + "yn": "3.1.1" + }, + "bin": { + "ts-node": "dist/bin.js", + "ts-node-script": "dist/bin-script.js", + "ts-node-transpile-only": "dist/bin-transpile.js", + "ts-script": "dist/bin-script-deprecated.js" + }, + "engines": { + "node": ">=6.0.0" + }, + "peerDependencies": { + "typescript": ">=2.7" + } + }, + "node_modules/typescript": { + "version": "3.9.2", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz", + "integrity": "sha512-q2ktq4n/uLuNNShyayit+DTobV2ApPEo/6so68JaD5ojvc/6GClBipedB9zNWYxRSAlZXAe405Rlijzl6qDiSw==", + "dev": true, + "bin": { + "tsc": "bin/tsc", + "tsserver": "bin/tsserver" + }, + "engines": { + "node": ">=4.2.0" + } + }, + "node_modules/yn": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz", + "integrity": "sha512-Ux4ygGWsu2c7isFWe8Yu1YluJmqVhxqK2cLXNQA5AcC3QfbGNpM7fu0Y8b/z16pXLnFxZYvWhd3fhBY9DLmC6Q==", + "dev": true, + "engines": { + "node": ">=6" + } + } + }, "dependencies": { "@actions/core": { "version": "1.2.6", From f13e67688e4d309342ada48c6c463d0c17e17d5c Mon Sep 17 00:00:00 2001 From: Nick Schonning Date: Sun, 16 Jan 2022 17:36:35 -0500 Subject: [PATCH 096/234] ci: use Node 16 with caching for internal actions --- .github/workflows/sync-ghes.yaml | 4 +++- .github/workflows/validate-data.yaml | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index fb9c623..aba7780 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -18,7 +18,9 @@ jobs: git config user.name "GitHub Actions" - uses: actions/setup-node@v3 with: - node-version: '12' + node-version: '16' + cache: 'npm' + cache-dependency-path: script/sync-ghes/package-lock.json - name: Check starter workflows for GHES compat run: | npm ci diff --git a/.github/workflows/validate-data.yaml b/.github/workflows/validate-data.yaml index d2ac9a5..7f8701d 100644 --- a/.github/workflows/validate-data.yaml +++ b/.github/workflows/validate-data.yaml @@ -14,7 +14,9 @@ jobs: - uses: actions/setup-node@v3 with: - node-version: "12" + node-version: '16' + cache: 'npm' + cache-dependency-path: script/validate-data/package-lock.json - name: Validate workflows run: | From c369c58c3b3a1f95ed4b9bfabc69d58e60fab4c5 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Sun, 19 Jun 2022 23:24:36 -0700 Subject: [PATCH 097/234] =?UTF-8?q?=E2=9C=A8=20Add=20entry=20for=20SLSA=20?= =?UTF-8?q?Go=20builder=20(#1600)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add entry fo Go builder * updates * updates * updates * updates * updates * updates * updates * updates * updates * rename icon * updates * updates * updates * updates * updates * updates * disclaimer * fix icon name * updates * updates * comments --- ci/go-ossf-slsa3-publish.yml | 35 +++++++++++++++++++ .../go-ossf-slsa3-publish.properties.json | 7 ++++ icons/go-ossf-slsa3-publish.svg | 11 ++++++ 3 files changed, 53 insertions(+) create mode 100644 ci/go-ossf-slsa3-publish.yml create mode 100644 ci/properties/go-ossf-slsa3-publish.properties.json create mode 100644 icons/go-ossf-slsa3-publish.svg diff --git a/ci/go-ossf-slsa3-publish.yml b/ci/go-ossf-slsa3-publish.yml new file mode 100644 index 0000000..09c98c0 --- /dev/null +++ b/ci/go-ossf-slsa3-publish.yml @@ -0,0 +1,35 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow lets you compile your Go project using a SLSA3 compliant builder. +# This workflow will generate a so-called "provenance" file describing the steps +# that were performed to generate the final binary. +# The project is an initiative of the OpenSSF (openssf.org) and is developed at +# https://github.com/slsa-framework/slsa-github-generator. +# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. +# For more information about SLSA and how it improves the supply-chain, visit slsa.dev. + +name: SLSA Go releaser +on: + workflow_dispatch: + release: + types: [created] + +permissions: read-all + +jobs: + build: + permissions: + id-token: write # To sign. + contents: write # To upload release assets. + actions: read # To read workflow path. + # If you need more configuration options, such as ldflag examples, + # visit https://github.com/slsa-framework/slsa-github-generator#golang-projects. + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.0.0 + with: + # By default, the config file is .slsa-goreleaser.yml in the root directory. + # The format of the config file is described in + # https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file. + go-version: 1.17 diff --git a/ci/properties/go-ossf-slsa3-publish.properties.json b/ci/properties/go-ossf-slsa3-publish.properties.json new file mode 100644 index 0000000..2d58eaf --- /dev/null +++ b/ci/properties/go-ossf-slsa3-publish.properties.json @@ -0,0 +1,7 @@ +{ + "name": "SLSA Go releaser", + "creator": "Open Source Security Foundation (OpenSSF)", + "description": "Compile your Go project using a SLSA3 compliant builder", + "iconName": "go-ossf-slsa3-publish", + "categories": ["Continuous integration", "Go"] +} diff --git a/icons/go-ossf-slsa3-publish.svg b/icons/go-ossf-slsa3-publish.svg new file mode 100644 index 0000000..ea77468 --- /dev/null +++ b/icons/go-ossf-slsa3-publish.svg @@ -0,0 +1,11 @@ + + + + + + + + + + + From 3a8411e0fd6e81d48b98b81bb46c40d74658e301 Mon Sep 17 00:00:00 2001 From: Noah Irwin Date: Mon, 20 Jun 2022 11:44:08 +0100 Subject: [PATCH 098/234] Add workflow permissions --- code-scanning/contrast-scan.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml index e822508..61ffd7a 100644 --- a/code-scanning/contrast-scan.yml +++ b/code-scanning/contrast-scan.yml @@ -21,6 +21,9 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + name: Scan analyze workflow jobs: build-and-scan: From 39cdb74736f7e54cd027748ea4fac30a7e47f7bf Mon Sep 17 00:00:00 2001 From: Daz DeBoer Date: Mon, 20 Jun 2022 09:13:25 -0600 Subject: [PATCH 099/234] Update to v2.2.1 of gradle-build-action --- ci/gradle-publish.yml | 4 ++-- ci/gradle.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 9aeb2b8..42eae27 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -30,14 +30,14 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Build with Gradle - uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee + uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1 with: arguments: build # The USERNAME and TOKEN need to correspond to the credentials environment variables used in # the publishing section of your build.gradle - name: Publish to GitHub Packages - uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee + uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1 with: arguments: publish env: diff --git a/ci/gradle.yml b/ci/gradle.yml index 4642c75..0c0f12c 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -29,6 +29,6 @@ jobs: java-version: '11' distribution: 'temurin' - name: Build with Gradle - uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee + uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1 with: arguments: build From c85125e5394aa3157d87b34291af34a2c4756537 Mon Sep 17 00:00:00 2001 From: Dan Lorenc Date: Wed, 15 Jun 2022 15:20:38 -0500 Subject: [PATCH 100/234] Update cosign to 1.9.0 Signed-off-by: Dan Lorenc --- ci/docker-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 2f68e66..71aff41 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -41,9 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@d6a3abf1bdea83574e28d40543793018b6035605 + uses: sigstore/cosign-installer@7e0881f8fe90b25e305bbf0309761e9314607e25 with: - cosign-release: 'v1.7.1' + cosign-release: 'v1.9.0' # Workaround: https://github.com/docker/build-push-action/issues/461 From c91d79cf303724f7fd80537f25a0a4cb0fb1abd8 Mon Sep 17 00:00:00 2001 From: Austen Stone Date: Wed, 22 Jun 2022 07:40:07 -0400 Subject: [PATCH 101/234] Update tfsec.yml (#1616) --- code-scanning/tfsec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 6536fbe..77f8156 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -27,7 +27,7 @@ jobs: uses: actions/checkout@v3 - name: Run tfsec - uses: tfsec/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f + uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f with: sarif_file: tfsec.sarif From 7ae8d12d9ac5aa4a27e5ed1884c54f97d39c78ae Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 22 Jun 2022 04:45:15 -0700 Subject: [PATCH 102/234] updates (#1615) Co-authored-by: Bishal Prasad --- ci/go-ossf-slsa3-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/go-ossf-slsa3-publish.yml b/ci/go-ossf-slsa3-publish.yml index 09c98c0..3f1b732 100644 --- a/ci/go-ossf-slsa3-publish.yml +++ b/ci/go-ossf-slsa3-publish.yml @@ -27,7 +27,7 @@ jobs: actions: read # To read workflow path. # If you need more configuration options, such as ldflag examples, # visit https://github.com/slsa-framework/slsa-github-generator#golang-projects. - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.0.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.1.1 with: # By default, the config file is .slsa-goreleaser.yml in the root directory. # The format of the config file is described in From be331aaa2f5c266fdcfe007cb93d0358f956e6a2 Mon Sep 17 00:00:00 2001 From: Shaopeng Li Date: Wed, 22 Jun 2022 17:54:14 -0700 Subject: [PATCH 103/234] Add puppet-lint starter workflow --- .../properties/puppet-lint.properties.json | 6 ++ code-scanning/puppet-lint.yml | 54 +++++++++++ icons/puppet-lint.svg | 95 +++++++++++++++++++ 3 files changed, 155 insertions(+) create mode 100644 code-scanning/properties/puppet-lint.properties.json create mode 100644 code-scanning/puppet-lint.yml create mode 100644 icons/puppet-lint.svg diff --git a/code-scanning/properties/puppet-lint.properties.json b/code-scanning/properties/puppet-lint.properties.json new file mode 100644 index 0000000..62ebd9e --- /dev/null +++ b/code-scanning/properties/puppet-lint.properties.json @@ -0,0 +1,6 @@ +{ + "name": "puppet-lint", + "description": "Puppet Lint tests Puppet code against the recommended Puppet language style guide.", + "iconName": "puppet-lint", + "categories": [ "Code Scanning", "Puppet" ] +} \ No newline at end of file diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml new file mode 100644 index 0000000..682c6a9 --- /dev/null +++ b/code-scanning/puppet-lint.yml @@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# Puppet Lint tests Puppet code against the recommended Puppet language style guide. +# https://puppet.com/docs/puppet/7/style_guide.html +# Puppet Lint validates only code style; it does not validate syntax. +# To test syntax, use Puppet's puppet parser validate command. +# More details at https://github.com/puppetlabs/puppet-lint/ + +name: puppet-lint + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + puppet-lint: + name: Run puppet-lint scanning + runs-on: ubuntu-latest + permissions: + contents: read # for checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Setup Ruby + uses: ruby/setup-ruby@v1 + with: + ruby-version: 2.7 + bundler-cache: true + + - name: Install puppet-lint + run: gem install puppet-lint + + - name: Run puppet-lint + run: puppet-lint . --sarif > puppet-lint-results.sarif + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: puppet-lint-results.sarif + wait-for-processing: true diff --git a/icons/puppet-lint.svg b/icons/puppet-lint.svg new file mode 100644 index 0000000..c2e2cf7 --- /dev/null +++ b/icons/puppet-lint.svg @@ -0,0 +1,95 @@ + + + + + + + + + + From bbd824dff4fb1e648ee02ed2874c69e28ac1218a Mon Sep 17 00:00:00 2001 From: Shaopeng Li Date: Wed, 22 Jun 2022 17:58:09 -0700 Subject: [PATCH 104/234] use hash --- code-scanning/puppet-lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml index 682c6a9..801b90b 100644 --- a/code-scanning/puppet-lint.yml +++ b/code-scanning/puppet-lint.yml @@ -35,7 +35,7 @@ jobs: uses: actions/checkout@v3 - name: Setup Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf with: ruby-version: 2.7 bundler-cache: true From d26b20b23394d4bbd531b69b5188d6e7d0887312 Mon Sep 17 00:00:00 2001 From: Shaopeng Li Date: Wed, 22 Jun 2022 18:01:19 -0700 Subject: [PATCH 105/234] update image --- .vs/ProjectSettings.json | 3 +++ .vs/VSWorkspaceState.json | 7 +++++++ .vs/slnx.sqlite | Bin 0 -> 131072 bytes .vs/starter-workflows/v16/.suo | Bin 0 -> 34304 bytes icons/puppet-lint.svg | 6 +++--- 5 files changed, 13 insertions(+), 3 deletions(-) create mode 100644 .vs/ProjectSettings.json create mode 100644 .vs/VSWorkspaceState.json create mode 100644 .vs/slnx.sqlite create mode 100644 .vs/starter-workflows/v16/.suo diff --git a/.vs/ProjectSettings.json b/.vs/ProjectSettings.json new file mode 100644 index 0000000..f8b4888 --- /dev/null +++ b/.vs/ProjectSettings.json @@ -0,0 +1,3 @@ +{ + "CurrentProjectSetting": null +} \ No newline at end of file diff --git a/.vs/VSWorkspaceState.json b/.vs/VSWorkspaceState.json new file mode 100644 index 0000000..2aa7877 --- /dev/null +++ b/.vs/VSWorkspaceState.json @@ -0,0 +1,7 @@ +{ + "ExpandedNodes": [ + "", + "\\code-scanning" + ], + "PreviewInSolutionExplorer": false +} \ No newline at end of file diff --git a/.vs/slnx.sqlite b/.vs/slnx.sqlite new file mode 100644 index 0000000000000000000000000000000000000000..db13a0a0d99f0c0bebaa2b65171fe9fb27315cec GIT binary patch literal 131072 zcmeFa34B~t^*H{vc{A_L@|w13wk}EAv`yPdvoDlV+B9v`HtCY4ENuvrnU`eRWG0=N zv<+pOu*fC?B8bSYh_Z-+8!lfF1w|APK}Esu7eR1CL_tN=|2g-*eP-GM>i75m{a*NR zZ{I!Vo_p?j_nvd_IrrV^-M%HBQ7ea%sj*0=vXPm_uq<<8WhKKfqwqiG`ri!rhoC<| z&RYIm=%1rZZBwNOk(Iw8&UEE(fja`z{F~*=rAvK3_449&{z~qz+zxJ2Arfx+|8FGV zLr${`L*9~;!fbYXJP}h5^-hirCP&w)L-9mB6Hg`v=sy#~>*J$pS8SjwACl6sqjSy9 z&dRQyb)6?y?mi|O{Xw}B{G*>Otc=FU?p*Yxe&+SLPOyE}V!0$1>V-Q&ZHjE+ujpNNdchvI519|8OO z(Ccl6QDVwV@39VD6OF3rbbK&Aid{6s>O^yl!5loZ%T@v6MCqMOXVfu6gw7%qWu;mB z-NWD-~)PY>q z=`3?12JExU2`)&-GUuFiVC?0#-d}TGpG;=lh5cm4Icqte{q`B>1Vj7!jB|plbLJRk zoc2QV@tiYqY%`9ud-MVG-o}eQt*xEX$GeRi9nl!PdO^dojCNehOUx~_NXID39QqWg862p?WWJL`-rI3-RH;eQJFwqMrW3u*I`+B;z_ZgN) z$1y5dhL;Z0ItDgIFQF_u6o~=drKZv_(Q-8Z6yx)j)YP!&tt8`6Cq~KJpCtPjv;!?8 zPzP9F(lLxYIx-A~X?ILDTX$3~tG8=(^;jz7D?85XE$IyFugp1+2ew60Y9cd$YTF6( z<$ZrnEGq@et8}8_f+3%EUJmAru;8qKV>!E4^p@-c%{OUkKFciBn$E3h(SH_nuht)J z3FNGH6lzE5+YvfZ?6EG3a+*b{k*RsL)netk&h=~hw(P8oPNc|;&FE?xCV7(gmeg0U*?DA|^s1RmJTXk>w6@-+ zC4zlC<>HZHM3(!sLZL}pvyBr=mMvpXAtNWfAJ%Bu@$0<1g%}+;D@$t-_J?Y6rG(0?_ zruXd0q@$#r+P&#yV!pPsH*4*Tq=wZD)J=fz&V=G(3<<7N2PcN-(-zOtz{lD$S%KDO z(nn}CAH%fTUTd}g5I6rK5gY*jXDpIY!;nPw?0F|*$XoSaBZ|DFkN9%_MdGlGMfH#x zedhy$)cV&5;T`evFY3QT@c+X3h|{v4Ov?GanMf)#F|H{N+*%S&H12w z)&-|}Jj}{VCERy*nGvI2>RC?LX@6nN9f=832V?CqwJF@t5LLrX4Q=(|NOPEsf!( z*0#EEq%j%`t1Zp-YF&GCYl{lSgN+T*mbTU~G!zXtMO$LwNJFGP+!$+XZ5kYkG{l-> z;nu;%!B}&wG2GVJ(f~ZQ#=_7fEXlQPUHiX;inj2f2fr(g4eN(upeyACc z+8e{oZB30sYD=RUX=@0#4-U1p54K0cYI_Wtt7~n9<{FXL*1?9>wxQ8hgv~sLrrbXO|9X&LA3>X7Xvn-zu{FaBgUt=$y0*HyhPt|FdjuF9YG{lN zHV-z0TVr)?bQDBd>)N$ZFxa9tHAcfjtNI@Oa5E@7x>5gz5aIp96v9=EI%oKQNB_>B=^h5%VpA=(odzYOCOgm zlJ-kIQlnJj`={?k-?x2t`Y!e*eZ9U`Uzzu9?_=J(ycc>C-d=B;w@iFZ{GRwJ@oMp~ zxLaH+E)l(+-+7+&e9m*FC+_L=%oF}9JSp5MoF_zt;{}O-k^d@x1s~xXct7_d_f_s{ zZa=q{t6=}gKF;33p39!Z*08)~OfH-hnO0U3$07&RMD2JgIj*KMaWzejBX;|q?LOT9 zmT=+nLn5<5#|n>6435UrBL%S+9~7BY1bZKR`97)^L|k-0WL5&=Xe0&Aj~2wMo)DRK zz}u_tn;b2SHa{aWjer(UrVEl5Z*5`UC<;&JE~-= z#zm$c(US!kT%4rB8&=1F+!3T)ouC}5snJMcxFEgiF%4}rekh(Qj5bQqV#!QG%@jln z@1y;tXyKTe-j_*^7e?Q!qeu6tsiTT#SzKf~K|HY}L646`h6@j#>Jg3Oz0m!_@?0=1 zGR;U+O%z6|9}=1Ehyi7k+yS2PoDc46uC#docer zI_n~d!g5&DPx*=@VyR@jur%iH(P+gY1=}m%Eiwy0rU%u*@kn%E?c~^~tm~=rQzJAYJdq1F#?0c3NGsrnJNNCVc9|52=a-h zB{5#ktSur_fwe~L)D~{0!z?+73xxOqH5?5eiY8-r-sf(j0!@sgUZe)d%2REZ$ZQ7c z7I=6#o*9`K4C62XQP^KV#YT~-*6@cXM(r%k-XJoIbzlmPBii~{zMhV<1oF7oPPV+0 z!p72r_;rA-Ugm7Pf6m1aAw zpjoTw3qgBnEiXTTlGAOZ6;`&2lGE&>6;yS+X55I$%-f6Nl_FCHas_>Dtyys#?VMrr ztiZB%+M;IXY@jv`L~WZ5)Jj2`J+p$US}30m8)idk)=_MB%Zf6ui7E}7t+FDNHEJAC z`(y=`G|X_$^lYFDg~ z^5t4B&6ZeUrOUKh#D3TyODTlf3@c<-4IOQ0C#>b=OK3Z~ZLq>-E!OHd^wYvcRAr#a z%&~G+x;3b-rqUdXB;d{)r$I5$7A~a3Mk9l{YfuAg$pVpCjYBu3!onaioU<}8FiYoC z5m4r!JCe>&SrrZmt8z3!m2|Xdyjp9O&ZG1we^$usxl~P=JXxVtbLb$pec(_#85tWb z))|^Jo9cPvy9+zGw8GI7qheJ#rA>GOqnSy?HDhC-RF+YlMo_|FTgQ`hw3-;DR*WGy z>5Xd^=z@VUw}dMF$V4U?j=&{D!wDO_dKP`d7I-+GPESx>Z;&Z1#(wz3gUQssq0!{Q zv{x6v;+dL7gs-axQutYXIx_&54ULb&Y4h5#n1NV6gN{*d)a=_%$fX^%f zt;hI8`t=t!J#f+J*Gi@VQ;a0SWnb&MJE1L|r(y*LJpi_Jb#(UhcIw4tA>aV0#MJT8 zCWJ0>4U-5{MSRD4qdN!luM+^U_F12G!R_CU$30UzmHE#9l;s==~7M5!*5ge zD}(%re67;M&z6FLH++8%{Kofu;CbH{0uT9a41Atvl@qu>aR2Q)5AGKj3|!?~9XRZp z9f?(iTgiMazg zO6*PJEFly=fqW-a_&#)09fqku3U3ecbGWhefhc+UI8q%;4yK35yR9(j{Q`?AJ(2DQOe`BD8=Y#aw3NNA423BWIH;#H+(RX zfvHT&KBSk8BuC*sD^hkfsXC%Y_l-qThe*)}vHigmtbf5ql9H?N4S*0qY(#mH!Yi@U z5nvkz87a78Houb7H;d+wA*zJ=00Q;hq7!&Iiid6&ouKzu@tvG)zv#rcj8rBYMknaf zGQOFNc;}LYxulZsz+rD}8J$%xrd46j=!9G}i(kRz_;;B1E#SL2eZQCAZ^v9{#nHBn zPVyJj@O=gy+rH6>dHy_pjgE;MM<@Ke3celSWRyB#Q>A<(&dQuh*+u+TE_Z|ItbZ=L zfGs;fC!KRv@KGx~XNTw@c=l|56~QMvLpMgT>@dRg9ijtv zMj7AA=Jm!-R`DAs#MoOo>K;ONjUA!`cn}-acZd$yfpWf`&F@{ED1n1|c|58aB&Y8X z9putTF2CnAHJ|U&K!tj-e->ZQ=6dwTv2(@_(a~ZOTg>kXO%PCC@8=kT@_Rf-kx$1C z(b48UielR#I#Bjj@|{4Xus1VKILPb494Y0S*?eBh;YIv*_UN9yqb-jo@ic5l-yu4<>nC+`J%)P} zegUg1ez5tw@mbgP@O)~JpT`>Bz*8`!WYg$?axy{Dy?!SJ_&KcZ>Dx7fUj`4Rss{8v ziaP;xyw1D4iEz8lBfYUXNuQv4~6l^Tw7h7~9lx#q$ z>v|BL*W7JtoqCX-zQ46S6Pw+GkQ5_COvhrPl^3dlwpw*)M z4ew8wKuwR&ast)8Jj?LO@a!x_DQn)G8my0zlvT-pY(JP(JiNf%1y;!Dc)p3K2HX!n@R zwzXP;^)yF;#WPZlW1AFPy&+|0sl@|QiWAb})xd#Rg3_{-Sv(!Huzkb3QA{*Q0guK^ zd{Y{8NOgwZlErf|9Y;U)Rumy+W8XCmU#sSqP>_(t84*H44i7{S1>Uh$cRK`7#5P}p zU*wC}Xk11-)2kriqs5hgt=8g~`4zZ!)HX2YYo$y1?*V)^E|0g-lLqRE%z<*Rr<<(GkqbS&&NR=|4r{} z-d}rP^gi$XvG)fM)qmLgb?*b-`@Q#g@9^I0{iydE?-kxlyytt*_8#)4yrbSB@9ExC zy*s@<-i_Y1-s8P3-a7A6??UffZ>e{>H{cb$jQE!LC-GJB74Ze}XW}#B6XK)dH^r}s zUlczp-X-2H-Yk9uP6}KuUL;P5XL=s?eBJYa=YG#Up6is~ii+|n_{QNz<-^LLvPapa zY=e^y%auh+rBbfUR6>eR;X-eR-VD7K`gQ2V(DR`mhkg)xEc9^b>!Ali_lNEY-4VJq z^ienuaYg8o(D|XWLx)1C&}e8Vbb9F2(9Teg|FzKC(D9*`P+e$gXkln>s5CS^6bOkS zCiqtHPa+%mc;LpswSg-F7YC*ShXa|wSYRkH5I8xoJ+LXz5jZ~39Hwn7snEzY;ulc{=zt{gs|E>P({a5?n@4wK0j{lHfht< z6MdeyJWqKZ^L#>jMtWTOw)CL%fOMa97o4`ZQMy*TLb_O*k`7B5X-pcD2Bedv?b0T3 zLQE)EDVHf1D(5O^C>bRIUx2JrPEgvEhTyAk-s6Sf&w|ecp9nr0{ATcL!7m0s8@wxc zd+_GqM}k)eFArW6oC=;9JP;fY?hVF*rv*C{Z4vGdd~B@=hvPWJkNS=lGaMcNe$9cX}(l0O_yYe^S$MJ-S=zX3%+N4 zKkz;3`-blU-)DWF5{Jao#9d;KxL!O#Y!Pe4MdDm>mN*OMkNf9J;NL9)<Ng5&P=_DN> z>1ibGC+QxN?k4G}Bt3$`7A9j*7BKJK10i=Yk85DPt$Tm%R^co)bfCq z`?Xxwa!Jd5TJF_yQOi9zs6(tkGoEG~%~+Z-BxC+bvwzU+?=*XxW`CpETQvJC&Hh5O zKhx|@n!Q1@Khf-uG<%(9f1ufG$QpAG^Ls6SRm*>;<-gVP-)Q--wft9F{)(2rtmVJd z@|U#yMJ@k@mcO9o|D)yqt>r)0^5?buIW7O0|M!f*Gb|A?@cFD({u3?#v6lZx%b(Hm zr?vctTK<%l|3J&1)bb~^{BbS+zLtMa%OBJ7?`rv@TK*j^|F)JtqU8^3`M0$En_B*m zmVZObA4Ku{nXl9Azi9R~nthdKU!mETY4!lkzC^Px((DT~`#jA)N3;8Bb|1|?OS8|= z>|UCEnr8RV>~5OfMYB6Y9-d|8Zu;~|n%zOOPtfdknthyRAEViAG`p2%x6tfnn%zXR z8)uE;K7jqqb`Y_F|rP(z!`w-2j4P&ScW3HlwSJLbX%(|Hm(2UrxZid*e zZid*eZid*eZsrn-axu*=qS^asb|K9!pxOB}JC9~lG|STLT$EM!IV3%sq-T-zOp+cZ z=@}%QB4N|aekb-T46l@!$VA~)C+XgAvHb}v?K?=4FQm}21f^CBo zY#XFt+aLwo1}WG!NWr#23bqYWux*fnZG#kS8>C>{AO+h7DcCkh!L~sPwhdCSZ7>GF zwm}NE4N|aekb-T46l@!$VA~)C+XgAvHb}v?K?=4FQm}21f^CBoY#XFK3QlA{`8U`$ zC;{6BDcCkh!L~sPwhdCSZIFU(gA{BVq+r`11=|KG*fvPPwm}NE4N|aekb-T46l@!$ zVA~)C+XgAvHb}v?K?=4FQm}21f^CBoY#XFt+aLwo1}WG!NWr#23bqYWux*fnZG#kS z8>C>{AO+h7DcCkh!L~sPwhdCSZ7f>_whdCSZIFU(gA{BV%SvF|AO+h7DcCkh!L~sP zwvALL7B5R(8b z9m&{bFTqC%6CWmCOhlw0c<`V2GkzYP=NXBEe{stFxTc+}{7AW9stnHM9+tRZ!1qev zAKa%ySHnK{btUV2EbuCKz3<+@^W25XBt+Lw^<5QsjO+9r2z-TWRECsYToo5o*06u| zogDa-@5I23zUsgSyl)3m-v0?i*`FzO?4#@#yx$D$@ZJ(w={++r-+NL(@*d~^i+7Iy zWiR7@hW$AE0rpJsfBX-L-}ZlAyv=`uc%lC?i0S`=9T7+TXDDxqJ^oR#-oKmegFSao zPz^p6Y7YIkIK$tiEb#ov-xAyy{D$WVi0$9+4|%SU-}W4mf9*M0e#X--KjiVsHwZ7u z?-RZv?-Op3`<0i2pOLqO9u&@#R|*k%kj^{F=(eBv2raY3xBbj@gsd6i_A?*WOSBlbpSgCXu$Z++x&6#Fq$~C~x1aft zQEEoI{mj*rfHl_bXFf={u|~W7%vH05Wvnya?Psne;;=-#{md0}g_Uffm^T;^0@foT z4nJBqb2$-R-nciIoCQKBd&I~$*dt0HU+f#KRE5yY=8b-X>6$NeAj}M^B5Y-k9ue2kw8hrTqzE+xCAZ*ZJ zg<{LyhY0INEXhg!AZc8WEIFYEX2aXk<4jKAL>auSe3A0*3?Zt=pq%y6glPU~d3S0d zjNGHd%e(iN3iW`L`+3Va>8ugEa<-f#E$5G#cPA(?Z`{0li~#dT&bvnm&yJXvv+aEv zk}U$}MA|zal#M+e=0u58PVz?3yGP1F*W`_%cMmTSwgV_Pa^`Gch| z(z|2ied{qcC&4Hg!Fi+U-Gj7d{&;$Kgx1U#QSUyT!1Bh_y9da~%oA1bK8>`e$L*Y) z_S1T~k@fC9MPTHuv2}SjDbZ~T#FgYz6=5E0#@FRjW(i?3By@(FPRK_{M_=P$POF8jJM0%$t=-p*fcs4+%^-I zC61W8ymcC^N-R-#xrY`Qad){pC{zH3_N~hn@_O>d-sR1ti;n2Kys28)d}OVR%ymtN zrIjrLFK?Uy3le(_Ufw|7jwK2&uO}tCmPJyX;G2{VRza zm8*4-WcwOWu|dx0k~d!;IX^%PEE)yO)=dXCrzqFC}k8 z{~Du))Ymluwy=c4wJ$FglL4GJieI&e^eTTGzp9#4q)~Q^h z(tILb6HBTh1!hEFsw6dNYtRX49+?bg3s^Rnywu#de(@YK)9sP{;@Nf{iYrKMEr4!` z?iZJn`9c8J_DM@<}sFle?X{UjEMg{KNfoCE!ZHm4GV&R|2jCTnV@ma3$bMz?Fb20apU91c(G0;rIIb z797iu8`jr0*TRnxHnh|>Ho}kj^)0A7hTovHR)Qb)>st^xhF@*8R9Xh%{k|E;@;it1 zwRL#^zo0ZT%3kFrrCIr*`-)u&xDs$B;7Y)ifGYu40U}IgqYT1Q=U~GQSJjTz@^GT_zi&V@D2DfrBo5%Yxw6vj{=JO=Sskp zfGYu402WaU5QSKk%i?e^>-RCcwe3 zQ?Q50?f3(q&t6jmKO;bj&NYgr!%qm1nui5i6VRr^ZwHXFbIr0M_`v{Db&8^W_ToPk z!7l}nqDh{#dH47KQ3SsaK#I;bi{J+WNYNp)2!0uW6rDwBLB;9tlK`a2L%dej@X&Pl zJpfX6wxtYy1%Q-ITFT(ge^Pdq*7>{r_ZGpW|C|H@(HOZanJwb9B8^=vf?oh2SQ>A4 zKD7$t|3%6rjPjQ9gz^pLkIM7P{on(*Qh5n(0Q@c72=Ha)cDOI^Za{JWTnV@ma3$bM zz?Fb20apU91Y8NY5^yEpO2CzXD}nbc0g;DI{ZtXj4o@T5xe9#>(WfBErUE3Jgx?K- z3TMkCJ0y|pEFXRHQkY1xNw}I8FwcUkX|V!aO$*s1=i$K>a0ui7%(VB+yi359fGYu4 z0JC%*0KZL#r|8)Oc3Ahq)CE!ZHm4GV&R|2jCTnV@ma3$bMz?Hzi zLjsK+iD5Zr^_&t`U=OFGsrYziPkJ&D4G)i~={@m8Og&VaN$dGKb#P*sYZXYP4W!b! zTBQS#(ReJ9QNxf#3RLXlNyW(O5|(Etb6U$Opv~@07X(m#A{-&Re*=;|J1;+Z3mxS1 z^}2`(xtwi zdUecj;&j^U|)N-cC6{`thr!Sz*`ayvzLT3k-<^b z*>&f0P-AB2nzdUx^YlC@FQIbD5n@-YALP5Ub3^Bj%56Kky4UPDrE+uUDV1ybc5dzJ z0kYklJv)Ib_`h$pecuY-MYwI`^1z*CB&h?!;I(s@gdnnBD>C$~?4p%{v*v3vyV??bP*8AgdIFTKY)bWJp>rql7k_$YSK5UUf-F$Qz+%r096 zh!drEGM!P!3=ukuP?VKs?RO)~Ey-vE=jV>(!NMKTkvfv26Jv>7yr5i@UE%kZ48Xh^ zAoGfF8jU0pYN{g=9Z?5zS*Nqii5RfYGAFno9m||^)`78?+j@V^d3`dOaToTJ8Rx9! zeD>RCoD&S~>od*?vd)=fm~q+*&Bt@j$g#~h((cg*%zGOz`n0xoN+0hwZgfOr@ahFQ z^FRM2-#IxBT2j|kdK3E0+Zi8I)0xQFcz-1-kDXoJph-br;YbWi-jWqH?36-AqTVdh z8^A;_pp41dYwhdl+TLea9v#Q1WEoyMOzRlf7`=qD>`){IbeEb+!$ix`{8Nn2TT)ZQ zp0|>WL!B5UZ-0{PW6%z?j6fY=eM!eK^61Dg7^dAZ)ok5SwXEK*(bZ$AjIZoCueYQ# ztiLknKpxl@NvVm<0IF>#%$N85IkBu1EU(guh6{##)_FOYGs1$i0*>YETG3mw4>aGT zsrf9kP-{B3rbYi*(7jrJv?Y+U+EJ(-rEf>*M6t)ZEXrvXrIMdv@hA+NHIKqvKEcpIu3>D#iiGCGkWGd82EX_(|m-dj>% z!Di=?Y0|4^GV#PPnbX>Oo0bUn@sx{4h7nor(+Y(qZOt}LELpaUJ%x;%^nO^QsRLdeJi)2l7jaDMf|7NcWl zWv)J`T+>^*Hj=ij!MkG1D+^6v#P6Wvo}y3-j#W@i*ua^Q%Jn<8cIUKe&RkfJZ0#{0 zDVOFma=xuL4|{f$^}V(4oZTD}g#9zmtX#ZjaV2EiYK?9}KdimZjF@$4{~WIpvA3Bx zT|GUp3*7|!&KyY~=K5aP)|=SSnLKZ4m6abU63gsM4M$-rFLLJ z8hOn$l0!vn($K}+UvvJU>0|+W@iK>v#!6-dd@8oB%lq2n=Ofzuwb^NzQJHqs>aV%5Lh+U~HnNvm zyd`!?=aK2OLet%lN!~ecKyxSVG3;V>|A{_r^3AXO^IorU^ojP4U6xLH{%bXn*`0Ue z0yM;}4N#M}|J{v2Zz!_kthz{l7Z!@Bh*L|0|60w(@7? zb>(-;EAOd6x3Vh%R|2jCTnV@ma3$bMz?Fb20apU91Y8NY5^yE(zbFBLXIKv=0wz2r z9M3Znp8qfMeT-2q3_Tm#AF2wD1>O$a;s1yKTK`7*GjdXHmTr{xNb>>3{c|PYO2CzX zD*;ymt^`~O{Kq74W|7QrY+tsFVM^F3PK~uS4aJ%x;U-nB4>vWnwTIhdu~@i17Heu5 z8ftGHs&DT&ZqJ5|d(tD3Bz!+H3>Qi5flC5X88sC?m`v>(8ciNd@5y@~QzjivCWhj} zaB)&HL9R$@n7&8^H8{1ZL4n{s&8&+ZfPJN zYQc?FCn{RaIq$TlP9ZxpM7q8*TYStky5PE~p~%E&rWboWF%BOy>{X+g!}x8$eEfoS z{&A2eV``<|O68LANOWIhSS6jVnNLo*&(Fa5c0`R)YV(8gS$c)Gped4b-ty-y`(k z0>1Z1FK4XiJd-Jut>H9b&sohtQ~w@eo4q`CL7R1Sh7YlX)oc+;`K*7ng)`gBwQd;y zFH$aHlG}V&g31q=gDl+t{~P7MlBRQkH~ap@vyztkf&N+rI3`d;*X+jpn$VqenN z>udFudEfRv=Do{%p*P{}^|pD-#Mi{{iJua$77vTN#kJxR(d+r0=Sk1!JXd<+o=(p^ z;jhAz!kxl-LPR)TkoXt*uku&$5x#->cd6>`815{Com$ zd0h)9MW&UN#IeW$HBmdBf{;Nf1J?}_Z+N%w*`0TvaNaMkTYgAnHt1O4@rl9FczUED z_Tqygvx;EvgPZS1)q;qN4v5T3Kpc&vp!v~)c-0dk(++rh)qRtrh0*3`M5YnY;>mPD zQj5~G$&pBUpLzsZ)hXKKa4HfzLJz|GMWzdyq-aN#Ox3u^)FXPbAcKpORCvSc7?3-H zl&cezLp3!TNemaHS3Rbojm8hfQ-#q+DOxO3EE$;2yC^;jz7Nkj~TSSY%&e znJkKE)JBtgCsKv+7M`wA3rEKbzrBS66l)L$*uH{2n133bb#PBxL7YYXl&?r4mP*D8 zOJn{XjaDpDkXHF_ky!vTJ*W<1;^;i%b|H6QKOUqj9);FJ(h0JxQw?jf_TYkdj>@GY6`sCen7AbNfVQ837DVCKIVh zd^ByZxKpnDQ(~7cq8`Uj36^asu zpfAYVia2Mh$kYH68e#+ni4|PdBQjM4jKZ>mx)J0P%~?xc&I`ZVcKxg^B2$62M(orU zZl=R5If$X!_yIK>4Ihd^jMheY?j|bG#5n3jYJjXf)pm)@W}t3?hlk^tk%_^u7T~qN zfQpSGQ?20-PmJ1Gn!Q0}7VE&&grkq;>**-NI5OBt8=K{w6gHL~oQRLcY_QUGbQn=v zYh}K&gX#$a$=kh(wUk|){=}wQtCz2#jp}yP3M)I2zAMdkT0yf`(-(sF(pp}A0wt&0 zNGq&t6(y(HMJuT4c+I#GlbN>{#VbXo4CD&>+FG;XINCYG=2?Md?X*SB&e=e18i?99 z8>p3nG<#+RRkct)9X8B{(yXJ{?3NW}UK3RsHd|#yC~MR>p!UfMDrumTpV%ZTpt@eO zX}NaDidIsm)koW71S&#lbK`Xs&s2mT}`Dq7D>Qw z-Z%}4fwpiVB{muv%w2;TSW6a&%xWCEDHRq5iQ$};fq_{%pNfDo2i=i$hRUjNNLZDl z396){MdQ_4t8^ZvNBOftX3wQ+%H+ukt(rpzu`RS+I~f@pE!G*DGn?vpBS>lomsU7> zVpOaur?d%AU^FwSIIh*8c>|@gjOsLk5(e8ko}{DI#3;3545^U}u34-!=9W;UADPG` z!x8wAq2YuLUOkJxVGBGQPp2nf|6(OmT8#bhiN^6KuP%VaGc}6{S9A}g@LK$IW&nO{ zXnYiYNw0P+W+0Z&prcglFp@W5bElhJ4wzgT@R>!R^%$Q>L-u;pCDVW@MiSx2zSebj zLR&hZSb;$gfGu4eojtvsdU06@H~=a!b$m2AIi@BuX&p2t2n;}tj;%dAcXX}o+u7B# z!9uV!0Aq`Q*L7|^2`(G&)hkx`VE_S5w6@_i{!$T)YyjTd9a`TvO%|CV1jZ5lg;yKS zDV30rPegH#ksnOb36=V26SZJ+;Uy(gstzgkVsCsRLckd7#j`~idB77EM=~&c1}8GA z(V>MNIwg1Yo&+b>(qO<ULV2eI$_@dsCaHpu>*8Dil6zaK02Di%8M&^JOigeF2=p&7wn1n&!8 z5!@SG6)Xw77WhWs`amks1$%wJ|9AfH`|t5z?oYyAztvwR|4sfO?DVgf&yfe@wemvQ zEB!+Hwsep5era6VF11LU?*-q(>~DM@@TGj)ef2)S_f_ws-dnuqdt=@cy;WXD{JHo| z@sr}E;wbF$XL^3+`Ksp%Pt?=u2?;L=4+tL+b_)%HkN-LUS^grvpKs(j?pf|W?gDN% zw}SJsUt%v~qij3thtA-CRCSe%9Z z3HEE>#Gnd7D2%xz3wxGTfH?wNYO+r#_@WkPVef)Oq4`XF=m-OEX%@CHI7)^_BM0GE z72(JD3Ujb13)>hRdusY$9-i*-8-c z5_7nOeKMR<@rOMM6JL^roe)Ya3R{loNK?a+P+>bnP(gDad3-I(!p;a;MkT*LXBlL& zyeJD>A`LMTJ;F{yq{i?4ESwk>n`+ zx>;f5nk;Oma5lmZ>qYmCMN)?f<1Wd<1`EYCn1cNitg#BCE`wjPBGVD30gP{A6$@i8 z&cfCUM@|G@7--qTn6tC65yL&@p$PsK=o!?-fI5iSr;03W#&AD+KutyT&94D1&BB%p zoflvz4-kKW1q3@X0vf{U29NaH8$l2qM_{Oe7A!x@aR- zo`o$NX-OS}6*JlK8w3_)VY`NYLZaB=hb-|O6klWG?zY~ZNd$F!nWgz_wG z-H?aW1T~yiU}+Y%Z}=*WC85EdRKd*7W4_4HDa*nhj<{o}iM5iPlZ9Oz@#L6R)e4`L zg`FI6%77uY0$>GEL3jb%=>U~xVJC-dQgdmoH9HHNIpR1mETk1&o`wA!_FgxNR^Z$$ zZ0b;URy$}#D9OTp4xMep^jRULS=hoMN7UL`K~-7Ux8V?V7&t3Vc@}nT$d+!?tiXya zY}#;Q8fMH2EziQf4Xf&w%L<&6g`FD;-(sw+@UkrI-|)q0_Q?t>&%*8v3F{`w3M|XQ zz6~pCR>%rln1xLnMs#4G;4nN^w2Cb3;ILbUt+7L4^G2ZgWKs)%d)U# z(_m;stgzWx*skH|FztpFJSPj=G!&P`RM_FLS<~T~b+E!`XJL;<$QuU13a-e)HVyk^ z*Z?bZZWcCaIQpz=--=M4h5Z`75M9$-fs3-RXG1-uJEa{<9V3voC=0tdqR=!Cbs@xs zS=iIzYozY#LTJmfu(#_(G^_8r5ca|>?Dq&!;>a$9wjc{TKh%Z9t6d0dX%=>a9R$mC zaTh{fkcAB*B?L0U zxK!k+^t~$V_C4XdTUhVA);B3M`G$R+LZz?HH&dAA6TC0+|MWiP{kr#F@0H$jyr=QM z^={&~@F~9C+w7eQUW6C;XT>M@N5n7kUl#8YujKC%r^HjlRs5ymbk8fE?|L5a zT(8{fxfsq5?DDk3mkyufXL0`oZ^DDzz3jKx``N4EoWKCPnGI7ff+gi2Wc84MQ=;h^ zLN&|TOeAwlrLc-K%N$jhdzc^05Eiqn-FZ28p0L_l=BQP*V46^ca1xaV6)dlsEwmd2 z4(#q!sZg&2Z2^hn7YbcD0B7y}MbH*EoJbt88446IMP{Eo|V7q5``n_VQ9;1?#{w1}Y4fC@fWljq18=zqfJg)jpojy#89p9ZHEU=@NE z2!RWNLInU1rpeR%>B0h*v#wy6E2J`^k!2%!BJO*NTwM+a{AFcm@mI9>e`VLQ~z1v;q=(f0H( zUL9>O--!|x20V}?Y^^APSp@%fQj5XZWLbUGV+U&I2rJDJCw`PDZQBNb`3O@cfGw_=;QLk9i+gZ7ZJ7MAV!a`gqXh( zwUP_WB{OXftWg|ok~J)JKg7JXRM_t1h(L1*DP%ohZ*p(sKqR~u;ueJ1U&#Wa07fps z&_ZE@lQZpH1bVnA&A-$O15O65NV#N#mJZuY65;XBmJZvXxr71>U@@Xe4!tueIGm`a z!}#0laeYnoW}VQlvzG@am#9B1oKl!*cppT-l4IbZrM-XSIAMQb@)qpehU8^J-;o+h zj*TbNS~GuY6UL6zjE0-rh_po5dW1$GkTym;^2cUj_y{c!#9Z<|%aAkts@lw=bYEBK z8Ut1kxZ)_cjKG`T%307F=ky0LS1u4bfZ-!W2bgbwM1WE4q)QEz4?JNz z^XPgDo*W(SK8>s`;WX<69ONRnbBXD&o{U+d;m~uGNN)}?COVFjWq?~5N(*SL4GUTr28v+uV;-t%^a(Q<7R~?&WVBdLAOwU8 z0MK&>-Wfs-eK1cOh%)nW6sBme6sbr6F(d z_2AEfUkQFHcx~`dPz|=RSvU{ykH8-SF9yCBxG`{MpgXWE5b(d{f7<^Q|4ncz;4FW? zzYD$rSn8MLH{}=PZ^HinX7~CLcZ2T|-$CE0zAj(2FX;V)_kX-kdOrpG{)67Aw-fgJ3%#QFC-Fz( zBjRo1`^5v|E^(b$FNQp?d7k%t&vU2eTF;bc(9`2t;h8P`TKJ}Lt8keR6*dUfLJ|Kq z|2+Ra{yzRX{(L^k@8s9>ZR{=Vett20H}H4vRqngo=ee8Vzj5v~_rL+w61f zsUWap`eUDCO1N=2^P|G9Ogkg$XRjkW7aCE(w|Nb0_9fU(har+M6i$z(BaOx`9pP8c z5n4Hp;yXqVa}WCgxrg}?H$Iuyi^fbTJD7*q@j~Z%W|D=XNi@WAjuJm}4;gAEj@<1i zkg6(RgTQU0mkjl)8G0~`98zJ=)98_74`iKlHyO>^L5TDLvaWJ=u5w9(B$O}`Ij2I_ zbC&ZEgvwoHYiTJ(Nu5L%ca}nvYwb`3^Bmd3>A@W4PNJ0X5$o?FS~%}%3g&0iV2P}~ z1>}HzKbgAdmV`%n3nc_kNT{zIc9V#lqurS7OraXyrsjY}A+ZP9b8`z1u!qZp6$U2k z>fw~PhJH=~$N}~Y!lfCKVm?U*Pk|#H%(G;vix*_2N3`?cA(ka(!7RiM?If?sEOQ7J zG}$b&8qIaUqHs17#)b4R(XpFb+p=oC_;!!c1Ow?pYu_4Q!m4-ax#0g&n(RlDA+Ur@`UH+(F)gS%`0; zm%IhD%)u_$sGpF@h3jTGk&RV$5ZkG{ict#diKWy_93;9AgWpTy5UL*-hf|G_1ROp~ z!C5;(ayxNtSc8|$Cx|iCi?H2o#F*+Oj#hxtACqN;Gswx@4g&z1x10e&Vq3{#!&;h4 z@J9+bEjS}6%6xpb(9F^2T;yknRCLEUN~M!XMK5vG=%&-kjH@yqBRZTGAcs9$)z$W|>RA|x=|dEYWix%HH9DVa{zpgVIbnNE5U%At!)C%wecBuuBLi0mz2 zH=IZmfmVPNHj6oV$1X|AXbyLdA{!lGt-1Q97nIL%A~R3# ziX5+m5L|&(ISxYhvgN`_g%BK!b+eZcZD;$k=QyI;j3Q^1BvA|212xReWZdgTI5~k+rj>6iKZjYiCPgF105Vp@QSc{f#jB53q;G+TL<(hq;lA zUabVF9#8zvg-)I_j}x_J`KGCz5}+URB7v1;_!s!PH$khL-#xX_>a+l>A4jX_|LS*) zRM(sz_)fKrHvRY)tGAQt8iqq4-J@FE5kD0+z5zxuusw&3ndTcT^l|V$!m2iqv915L zFs3ZN55E7uVTQQF^N`rV-RON<_zKT>CZ(NXh4>Ti)xPiYQ^L)@2Rw1#Cxwf|Gd%s? zG(Q$NfjiH0hv#a~{(r*Hf zNZ$?IBz-z?NV+=EBOTy23kmLc&sJ|Ax0K&4?BpsuYrHL-kKf2$>z&2^iEr|G*#G7$ zg*NtaPrWb8euWPTbJ@E+3*_&xH;BWq%lG0vw38gtTTx zWsCS~&InK-!XiYl#ANZ2c-@I^U0A`lYhG)cgBxou2=En_fGl*w;fI9Zs4T*$tCyca z+*)v5gI)#Z81si9KgSX&$4=V<?E=M?uF++so!iE; z59wuQh>5w{E@@X#`9iEk?`u*8G9MK~gJ!^e#ebDaRMoB)z{2CtC=OH^5056Y;R58FN1ICU$E_{ENRGuE}ZoTu|O zNKUB$g*tCEX z;TyC0m4-%e0v{wQO#e6r`}7e~qT3BDxeiP0@ebsu;E9Is>fJ5yamvHKn-POXRCD54 z*y8JizRrV_=SR^Lpk>SR>CJbDC<`7Pctnme@=N$WshYIJg=m2#2xL{HI8`&WRXr#!dw|-E&ogi1*mgjvqnY`eX;k&V zKJn$@J9x`{M>@H zC}`ESHP)B|1&eemO$HYf6gyrLxtJu!r%{v#GdDKCPRm6juhuzslw3UHH9K)bIxbZa z*0YK@81&PNd5Z7~ z%%P`~D=d^+e!xM~IuD$j22B=hbHa%i2=n~~$7#->@VD~&3u0U5inA5DnIAhsy#gmB zB-ovl7o0=pVUL{F;3rRBC|s{_YwTSGYvtFw(9k5F6~Iw74<6vUrJTb7r{$OcK!=~;v(D4xsrE>4>)x-V=Y;PFpA&8o z&KJ_cp!XGFyYf+`LpjU)WMHH3H-QHKoBn6~pYmVgPp}_jv+VQiL+pO`elE&w4?YuE z$Tj-+a8;bgznOi*zly)yU&m+pL(=2YhxyYX9^dY-A=dsC_m4EpYuR>-gVZued(KNEOce#m=3zF#T|-s`)@yC<;IyHdU> z@UnNVe0lI>c~p7PccHvT{HNR%>I_$PxyZ0`@ZjMzI%l(@7*9? z^2h&z37L*!5U^tL6XR;u>fxQwcWGz&jkv$#UGFDVj3fBWKk*Hl$NyL1)*!!&I5mr} zcM^x8emw37bbmQKpMaYz{n^oY8V8!;DaUzo3oc%a5(hf-1Kc0j+~9NP@T)B)jtUEq z7cJ<5%ljF~vi58V!j$92iiTVOX&&w)>63%pLfqpLh&B9DW|mrlFQqu)aZRCpG|b$J z3va!^L6~_8rEbPpPDH8a52#GwhD-~mtj0ZRo?uGG$CuDR3C?ycPQo&{q|6r=DaIk7 z9r!_w(n@xRSv5E0v03TP|g#-DsD)~ zdYI&(C6=AWSF?s+8%mBtUUVll@^Z7a06TL6ie1NWG{`)O&K8Sf8Y$f5C_^HvaP@1! zbJBSNC1`r9nHw$7SpRrjKNfIRKaRaN{nYKGs>MrLUQ{`XGe}#}=>BJ*(1MD_QS1=XKH3Q0_eBhG8>QsD|EpR2 z4&y`5CZ%WtJ1Fj*$%pL&3OH#(Q5U!i<#~LKM>xat9L|t@XLNohS1A#^l z_Wih@%6|yvS)31rk5v2wM`od83_r$w{E?0&{HTm?&VL5s8RRJcd4Z=F@LflX^8XO^ zb%DV40iyDAB3k3K`Bmn$biAb`DlF|R(-u^%xrcQ?j+@bMWIcxiWt$f8o2_N}PTq8( zMj+>3v?~TTqKPmM!~mHMXavZ@o?a!m9-sB&7y$1??QfiESclr&ei{LAI4w1a1ojYeZC=y zZRjz#&M_?9YQ7?T?7@~D$7@RXdgmlU)Gef@c@_r6Y77}f*n|w|D*!C$!ai6JQt0Ly zfg4cT=1~Q#tFNLE+-X}nVaYnweA>s9j`73JM9pW7UE9B#Wd4C$+yZbXtr_`fX|X7n z3C!Q~(bC{fTGN9wv76?47PmN7KFEkT(a)DbDf#zm#MjSaF(0quH_$0lXnlJKb(8TL z9PJ+rKE}YsS(d?z9k|;uc(Lp*eemMLou&yu!C&JXM~HKKo>7A3#93{AiN}02_!u^? zl_0qmq;8zEWIkyh`$*#s>qy3ePoTpiSFbvH%bYup@31OV=f3Y8RQ zhew!K80CA)ZAwZxUYQOYsG{PBDx@8y2WJqf;m>$!6|mD|KE;}rHU?2p*5u(z@ov!m=bww0a73eX|P zU)dB~0k#0HMYL#l{o<+8DY*5k3Sg$9*FnWoaL-o-fV8t~diks=xYKJ6l{@Ji-3%8 zXiN}XrA0u-*EBk4))ZWxh0@o*zt;g}Q+Q(*0wUyIe5^^lK(91o3hu}% z!Ae&2@+r6(3tzwW1cF|rYzlA1LZEgFzD2U-Q*bF3si;TTEWpw!ywwpa8V5ymnk7?k zD;AC%<9mJ`QZWU0Vl7695qYzaESrKGu?R2bNfN#0>?ye27zcsnGh9p6*;8;amJT-0 zm*}-CrtoqstZhANqC-oj;BG9!uYT%8hm=pj#aJi->j4xUSTa>js~KleOvpkCA>L@~ zyI42{cVe{zLF%WrdG;;cDV~CBv2glpw+HBiE2iK^EbNEv+=>n@oq`*&@RgXM5gk-K z1@~bQg4EfqmzPb!Jy)fFawuA;ui!? zyT$34HB)de7E(36Nd<8iOu;2tjewiaQ)W;Z=@Q0~T(&WeV=hI>kUd`jsR) z&n;7Mn^wMx1y<4qYfbPgKTIFANC%%Du__QMGpf~3!S!2spQfW)?mm+>>NHHjtz6r4 z>X6kyK>@c+!3|y5F?&M=BWgx#?Ne}L*Fa81&Fe(M%mo{5nEL;459M(l$LUD~OiX-6QbyzuJP-~91cc*x0ta`P2+7U|CkQBLDN)OyR!U7w5JZ%x zkW?xuHKit&R!EsB90w{QmN6PlVx_xhXJ_{DU0L}nRo?x#)7>+@vorHe_jUgoV7#QJ zfgM>;=vxfXyr%gB;%|E>J-VRicNrjjE$v3MoBzW3FMK5f0I6cD1~GsU!)+9scq|tA`OE-xHRS3xmsPM=vIHEA0C^=( z2e`^Qf?Uo3Bn%Pc#DSm^%NU@71@Vb}!Ab^5VA!ubA5_s|1{h$7;plnNeYr9hpuPqG z!8-+1p;{N9y{__Uk&PeZ1t_mLUTIbPW7fEU=7q3d!R;d>JbccL!_9HFkzC>Jc05hVU>4|7{NP+UPN5l!NY)Vj;m8I5c% zRjFckDPMyEBSLejbqjLWy7T!Iz|!(yb_?>>yYo0=cL;O0 zpukYK89pOSgaW`@kh#X4%P%bgjkh4@aCeTWHDb3h(7Xku>fKvB?NQ2KQsE1V{Ngq4 zY)>H%w6|c_!`xY>)_@8jG`ou6TTmngcJhxCBQ)b0W28}L*kFZsC0hoOeR9nNe(5Ey2UaRxXE`_k+u*+1Gf+5Oq4vmJH@stSy@zQ}&lTwz|D?Vb5F z^HSz1>r`fgbtJPgGtv5O=88;d`b%qf`Yr2GKofi_{ZM*Cx;Z^AJ>1%o9+Xa`J~kgo z{WZ1M`eEv^)M{%EAPZcR8exr1on?JH`Jd$5*3jfD$sJaCavQ`l47W1ohGa)_j`=xM zBN&-1HcuuK_9x~W_MgmO+Xu~^=FX7Apy#n?2EOhyFigd-Ade?lkNQt3OlMd%b6lHkH=zq4ag4M<;QMM+D|5aWg>`@vA0Ov50}7$V2|0t}7h) z9j+&oCa+QaHxhoDqJd`(+M0fenxdlRP*J62?)+x%$!^yfwYIAGA9}m)#_+c3t73TD zbPj|NsMOR)Zzo6#zcy1Jy^Zp2d2Kvgb}J~mUf!FqZ8@b%uAB)45$3m`*GF%q7BIB& z-Kb?5r2zYPC}dhnNy;nQ`TsbV&_Mj=gw$L4Gu@EzxrGLnW)8M3rUX>awjtLVjkSn2 zjCyH8=7nCXyc}Wc0vd)RUgPt88b)4I@maqt4cW9_wO|F>NL;Xz#UX{3Xw1AtsNQJ+{(gL6zJkW(IxGKG>RJu?cKn+Q5XetXIYiDvr>9zFq1*xe*U^5l@3vEx!)G* z4>EN>q-4^-(&tsks%ZJkiWk}o1T|6MKChkT?6gK{K&lp47E8V3UhPH6P4S9ME855vNDNhNSqJ8uwWn*YWnA`UVh9qP~k?dYV8wpXO9lT2^ z=E~7S!h0y2TxpF8o}>hKaXgXK^R$LUQ&i*x|4cEa7KuMsmuM_1`bw6V*2UjDXn#>J zyZL(uDN$XHbM=)XD%!JL{X!<1)=4;7k<*n%-8Cf90J?`y-srf;(up!n=SB4T@VO6G zVbPx9b1z$?ogC#0%P-_Ri7)8bdI%b#QtP^3+ZRBx0PQQbD1vq;?Np?JD~*b$(aY_m zovJoRReA@03vm=#MFB)p69)qH6AUI>Ly`^JdQUyCg75@Sy_fU(m+d>fu6ML*gLVfU?&5Bxlj;Q@$YD4;;{)OzAtJt(UzWW=IG0lGcwEXjq^&Y06&X9sIyF=T&Eqz14Zt-so(#S2^pQA2`$OMa~$z z31aH6bE+Y3;G^uT*?rkZ?8~zEW>?zvXzSbM*^9GvS;N*KlHe8VOy;1OH>YJD$heuw zneSLfGySdCGTHQL>p=QQdUyI^YkPXN^-y|YdVKoo^vHDI)R(DFYh&sSs51DZ`Sa9$ zspVEX)Ed0pnw6?eWs?80#w6deE=j(a+zyuiw&WVCBDum`Vve>P^Zw-YXll957 z?a$0p_DTDQ`4@Yi`Fr~bbC0>_>u%=tynoLO^vuBjG6QgU)+_!A=_0{+Lxn&V&^8Ph zR~tizwf5u))X{b}M9_PlnGIAg8( z4}$9vkAMWuP+>!!(%*#1j{LoFQba@ORrHeZGRC(*fG3)|wnI|dsqi{Ssr_6^F8;98 z`v@W8?{%88O8kJrM2AkMpswOMEPoe%d*5Jh!byuY*R@TUo)oakq3g+*rVwZh_rH<) z7l!)4z*7Y-o>(LOyx@Munb?P4sIYl<4U&$EnqIV41+c@-YddFaUScBv0X@)}2l1c?k z@Xpwy4#jp=_iBh9g5lAQVg8V3dWX(N?Bp4mTzOuG#gEc55k~hUT9k1nx3&RciRe^? zZf``T=^@`9VaOYB)r6YE z19zyR(w-i#ipE>h+FDGE5Z#Au>2U~t5lakfum;aJj}!k#1Bzddt4C=Hi{$C@#c|$& zeJrI=#=^d9jFc<@`hIrsQl}ST{Qns9xR&e8y_kC(to)YT*xW@q!+9U-0Bm>ecUC(y zoKa4#(>MD$RQx-XeLTA<+nSw_y)fH1^F`)wnM0Y!GwU)fnX#FAu-?x=1%Ulf`L83r zAU!rcEL{xw0dJ*#1Ni~@)Get|sllmavMc#J$gJ;3-khvWnt=3w*xqcmoUHmCFvjjaIg9Svt~?At#N*%4SKTjhq|WGYnu z*~mA)SDc3o2}}zTUK@m!i(UJ(k~}0aa0>So z(Q9;CeSR@G4_OK$aaJ&jC43>-j$L;eN9qUXAuEBiMV&}Ih_SQi<<{{+(>)!Kz#j73rxL0~e9x@8908;$) z0BZ_g;@C$otv@#pc?4K>J2|$yAmBZ!olmc15au4y&Ldzn$95cqkUQ8ig#UKJ4Pg2$CqjXTk zAm*FXrF%!AmoSL(M#Z>4Mxj(Ni0MYfq&q~R7BdLo#*W-%xRDC~{>C zBD8VN6_=?o>%6W7 SzKIYnXQTPy;$v(mV*dpvnS6!- literal 0 HcmV?d00001 diff --git a/.vs/starter-workflows/v16/.suo b/.vs/starter-workflows/v16/.suo new file mode 100644 index 0000000000000000000000000000000000000000..962942ea22fff9b452b61562d7bf63660eb5293e GIT binary patch literal 34304 zcmeHQdvIJ;89$r0w53Hsuth{jp#`kj&E5B=FPdzU7NNE!AuTkey}Nri*=Do5-MiZ~ zG(|x`5Ffl>0tzbp!Hf>$=&0iiIx^0Hj({@?|2XRCAC8JMj{gBtf4}=kZZ^ByyN|Zn z^q!sXo^$VceCPR{@B7YU-+beOKR@^KC4UhmW{X%PK0L8poMZX!vbe?hLVN`8ZGaC? zoH#)*`orm%7OH_8MHat;Xcv7V13ND!*_5`;DzRj`&Dj^K8EGQ%!>8|g$Mq=$`uV5z zkh_2}D-Mb4fISIUpEz1Ai8+3&&;za2Jtsh!4=>;wy02z-iXuv#7AfE-jEDie%K$|T z39kr=FrJmoHKNV64BnRmn2*XKXZw7^c(sGyKRfEIH{h?i{ELvn<3=jX`~R#JXmN8~ ze;ocR0sMR(Yi|~)0sw0qyY7$?FARHig*3L{`?Y{>!+%AEaCULFa=6nu{?EVj?z^6J#y@(S5c6gH zn|*f)@o z{2%$g9CDHcKd1m^xG*zTc^mkrX%h2MKGf{53B0~;e5%HO^`Z{)v!l*=Gs{oDg_6_NkYQ1nuDWR*^u~*HQo9 z2JROP{CB{1=s#QT>@*JjuPpzc4fKBxC~5|DHY+B?4p7((fIL86ctjNQ0V#17v(q4+ zoFPbobCx+_gE9Y8hUW+}$VydfDSW9@pxHg0vRcB0^lJ287S|&;m3302f7BP4Itne( zlRPNTTxx_Fz`PO%W@@31plk`F?4|ReN1KCW_(u`4hJmUhm><@^90;};E{kY2<@Ct`!cC< zj6%~47f>4;#4y@W!Pi`gs~@GC@i~H&3R)=Q^c$EXz}N*XTc`%i>_4W->lxT4wgb6} zjLT@A9I``Io*OW#eWyw<5A^KVZgh3BnPVst8O{mB8%EQ|;U>d7jQB+WQz;;{t{g0& zGE{Vt5%I?6b%%elsx6cG<7?R;eDJ6DpL+Z5+ZX-l*5yyM_3ppuZ})1Fed%OkW_OM~ z_3ksT{%q*bQD5ib$&G#QaTuLe!6X7|VGR1V7nlT!Gbi?qr?ZfJ*oXshj5%Fk6$oQh{N>Tqr}H=gjQM@AUWOy!c%LLs-IvvXo%!ZYFbWb-4P zK1q@~5v+x)VS=9`Fxj9qubO77{51Yfa?J_0CoUA2iOU)mUF=JJ_Pq3 zz+S-3fLj3j0K)(oa4X;d;2?l$#9+q_w*or};B;!He+cd|60D#gD8F0w`awT(BqL{~ z`arb*EJmeV9!tNiz=xGK@DBkSnf5_oj$!nrz*-fwT1mhj#T&G=bt^mUqFp;jk2Uk;{I?jds{nTK??%{4 z^RF}ioBW3}|6Avu`K;KCLYtkR9{(le{xw7Qw}9=8aPjC z_9KKD(4=>HP&&XRxidjQO;E!|zG#LwF_B>XL&M$9G;QMlJiePu}By};f>PSvbIO5Ka_ zqZA&%^B6b^A8NV}QhESSFQob&&FzPatKGej?cE4PzizlB{JH^A$nz3n@)w27e;m4i z1bDXDc=i1&I#!lpqo}N@W<7BJc8RB5y&EL_j&=L``@(@fue&E4@VmX8^wVj|(+r(?8PS`dwO4w@lUA=`ER?nmQKg@kf04 zxkEn5$MNoUM{Zljh zU39_X1w}2WN}-U-jGRpM!swdb%j8S74>dl>i!>6Sd>7*ru2~%oJoeZ7uUNUa zs|T;P4E6A4d_6*LtF4GephokrA!nyED`7Dm|8WgWss&}-6V0a6O1zN5PB+gsC8Ok1 zaZhhb`yl5h5Bm1)GXf42@@TS-_Hi|y&8Jhbj`kr4_K3GR;F0+2Xpf?ui+N>pMkyBZ za=N2^S231O#jjT;2eV^JW^*hYmV@zN$lK))C{m9m&MWz4#5Rz+O@a1i*+bPT#i*RV!$morDomOQ9Q2;j8rrXk5z7r;S}dkx zK4z1hm8- zVMt8ew#$`q6_A9y)UK`Ls*swf&E>f!>LPiLD2wpqcD>Lc4nywKwYhms`s2<51z(4N zpSzj$z3$u!yaOrdU%k*(dXNHlNc**P{II!kn0v8#b}FHzA;fPML^ah1;dH97jQ)0t=`-JUlV3mFIUYNefEb zhnw|Dwe{X7#BUcwsZyAaI5UzS{9!?qNI!ZrhSuW#Q=QVaCgnE!nn~%X=S?r5mg4Cy zj;cILmBKDH_Q7`+L?2|y^5E{sFQz~R$tMcYnsku+DAFiH5@nj1bb$8_|6^IzBO=>O)&8bGOZ@96*L*BVV}`#AbP?k1dn^sTg=9Q~hu1LOQ}DM$a; z3TxGl{*OF%YwRnS-Bzbc|L4*)H}yztdK_~feZ47Ae&zit&DzFSYd#v4pLve{ee9iD z8xP6e5RP29l|az%4g`}icPtQ&;jBf_+ZFRmK{*_BiTmn0WTqV)QM2hHH=^a0v|LCX zQ8rXKZd2chmU)!1T8^&-;*oefaJ=`7Wq;28!IjjA9Nm$M=d)@yS?~;{RBVYGC=?T^ ztY^2rJ8m$WO{<>4R1S|~Dz{6HkI5t0&}VKL^oDHj8I=6VU^1NadJ{oO_RCAypEp;) zK8U@g)=GIroV5Aumkj{PYmop7<3=dKWQPf9J< zZv@1FGS}(~U9_S{hphO*awsO@uu>rC4)`JwcULHpbO#kV>F)|Cia*rlktBaO9GpT1 zW|@nHmMP0O9!y>f;3iS-Z`91}OCWi6%{)H`C$C;&1rXMAjkfx=ksfXFAXjT}Ucf;N z+j*|l`qNLk@=JA>H4fc0T+cgMeoL>p97Q&mk@}58{|)*d^U2|G68$w0i}~CEB@n?W zLT}QY^h)ud5|R==MVg27-z1>(`$XdmP1)GMST~(-<v!U95$EB*H*_jAi1_v00$%(5 zo;rX{DTek%0n7g>%~b4p0}uG zcz}m@D)AQiW?$mYLx|=k9$f(79fP&sSMNo?@S%4cz#TQ*VH?1&^q%}Ue1iC%M0pc% z&EVDK!KRh4wsET8b1>R8?6WV)FFoX`3pMrCF;C{q{3k$dV^P1gxRG1XTlW+^dlyC9 zdU;#t{-4&q|B3fGoBE4!xEm0U%HGd2eG|~k{XbnD-hh7n5B?&;#{ECbaKV;y{}1j8 zn~(SZIP!nVznWA~SvFbzFDsc~_||Ni#W~f+SCsOe^>I}p?S^6g{}9j9`fzed(l{sU z-=&1WZz=d5fj{r%_29%K|FNnU*Bw`-)A_N Sx>z-0_Wlj8R>`+f`S1TJ`3C6# literal 0 HcmV?d00001 diff --git a/icons/puppet-lint.svg b/icons/puppet-lint.svg index c2e2cf7..4e5d4d0 100644 --- a/icons/puppet-lint.svg +++ b/icons/puppet-lint.svg @@ -4,9 +4,9 @@ Date: Wed, 22 Jun 2022 18:01:39 -0700 Subject: [PATCH 106/234] Revert "update image" This reverts commit d26b20b23394d4bbd531b69b5188d6e7d0887312. --- .vs/ProjectSettings.json | 3 --- .vs/VSWorkspaceState.json | 7 ------- .vs/slnx.sqlite | Bin 131072 -> 0 bytes .vs/starter-workflows/v16/.suo | Bin 34304 -> 0 bytes icons/puppet-lint.svg | 6 +++--- 5 files changed, 3 insertions(+), 13 deletions(-) delete mode 100644 .vs/ProjectSettings.json delete mode 100644 .vs/VSWorkspaceState.json delete mode 100644 .vs/slnx.sqlite delete mode 100644 .vs/starter-workflows/v16/.suo diff --git a/.vs/ProjectSettings.json b/.vs/ProjectSettings.json deleted file mode 100644 index f8b4888..0000000 --- a/.vs/ProjectSettings.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "CurrentProjectSetting": null -} \ No newline at end of file diff --git a/.vs/VSWorkspaceState.json b/.vs/VSWorkspaceState.json deleted file mode 100644 index 2aa7877..0000000 --- a/.vs/VSWorkspaceState.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "ExpandedNodes": [ - "", - "\\code-scanning" - ], - "PreviewInSolutionExplorer": false -} \ No newline at end of file diff --git a/.vs/slnx.sqlite b/.vs/slnx.sqlite deleted file mode 100644 index db13a0a0d99f0c0bebaa2b65171fe9fb27315cec..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 131072 zcmeFa34B~t^*H{vc{A_L@|w13wk}EAv`yPdvoDlV+B9v`HtCY4ENuvrnU`eRWG0=N zv<+pOu*fC?B8bSYh_Z-+8!lfF1w|APK}Esu7eR1CL_tN=|2g-*eP-GM>i75m{a*NR zZ{I!Vo_p?j_nvd_IrrV^-M%HBQ7ea%sj*0=vXPm_uq<<8WhKKfqwqiG`ri!rhoC<| z&RYIm=%1rZZBwNOk(Iw8&UEE(fja`z{F~*=rAvK3_449&{z~qz+zxJ2Arfx+|8FGV zLr${`L*9~;!fbYXJP}h5^-hirCP&w)L-9mB6Hg`v=sy#~>*J$pS8SjwACl6sqjSy9 z&dRQyb)6?y?mi|O{Xw}B{G*>Otc=FU?p*Yxe&+SLPOyE}V!0$1>V-Q&ZHjE+ujpNNdchvI519|8OO z(Ccl6QDVwV@39VD6OF3rbbK&Aid{6s>O^yl!5loZ%T@v6MCqMOXVfu6gw7%qWu;mB z-NWD-~)PY>q z=`3?12JExU2`)&-GUuFiVC?0#-d}TGpG;=lh5cm4Icqte{q`B>1Vj7!jB|plbLJRk zoc2QV@tiYqY%`9ud-MVG-o}eQt*xEX$GeRi9nl!PdO^dojCNehOUx~_NXID39QqWg862p?WWJL`-rI3-RH;eQJFwqMrW3u*I`+B;z_ZgN) z$1y5dhL;Z0ItDgIFQF_u6o~=drKZv_(Q-8Z6yx)j)YP!&tt8`6Cq~KJpCtPjv;!?8 zPzP9F(lLxYIx-A~X?ILDTX$3~tG8=(^;jz7D?85XE$IyFugp1+2ew60Y9cd$YTF6( z<$ZrnEGq@et8}8_f+3%EUJmAru;8qKV>!E4^p@-c%{OUkKFciBn$E3h(SH_nuht)J z3FNGH6lzE5+YvfZ?6EG3a+*b{k*RsL)netk&h=~hw(P8oPNc|;&FE?xCV7(gmeg0U*?DA|^s1RmJTXk>w6@-+ zC4zlC<>HZHM3(!sLZL}pvyBr=mMvpXAtNWfAJ%Bu@$0<1g%}+;D@$t-_J?Y6rG(0?_ zruXd0q@$#r+P&#yV!pPsH*4*Tq=wZD)J=fz&V=G(3<<7N2PcN-(-zOtz{lD$S%KDO z(nn}CAH%fTUTd}g5I6rK5gY*jXDpIY!;nPw?0F|*$XoSaBZ|DFkN9%_MdGlGMfH#x zedhy$)cV&5;T`evFY3QT@c+X3h|{v4Ov?GanMf)#F|H{N+*%S&H12w z)&-|}Jj}{VCERy*nGvI2>RC?LX@6nN9f=832V?CqwJF@t5LLrX4Q=(|NOPEsf!( z*0#EEq%j%`t1Zp-YF&GCYl{lSgN+T*mbTU~G!zXtMO$LwNJFGP+!$+XZ5kYkG{l-> z;nu;%!B}&wG2GVJ(f~ZQ#=_7fEXlQPUHiX;inj2f2fr(g4eN(upeyACc z+8e{oZB30sYD=RUX=@0#4-U1p54K0cYI_Wtt7~n9<{FXL*1?9>wxQ8hgv~sLrrbXO|9X&LA3>X7Xvn-zu{FaBgUt=$y0*HyhPt|FdjuF9YG{lN zHV-z0TVr)?bQDBd>)N$ZFxa9tHAcfjtNI@Oa5E@7x>5gz5aIp96v9=EI%oKQNB_>B=^h5%VpA=(odzYOCOgm zlJ-kIQlnJj`={?k-?x2t`Y!e*eZ9U`Uzzu9?_=J(ycc>C-d=B;w@iFZ{GRwJ@oMp~ zxLaH+E)l(+-+7+&e9m*FC+_L=%oF}9JSp5MoF_zt;{}O-k^d@x1s~xXct7_d_f_s{ zZa=q{t6=}gKF;33p39!Z*08)~OfH-hnO0U3$07&RMD2JgIj*KMaWzejBX;|q?LOT9 zmT=+nLn5<5#|n>6435UrBL%S+9~7BY1bZKR`97)^L|k-0WL5&=Xe0&Aj~2wMo)DRK zz}u_tn;b2SHa{aWjer(UrVEl5Z*5`UC<;&JE~-= z#zm$c(US!kT%4rB8&=1F+!3T)ouC}5snJMcxFEgiF%4}rekh(Qj5bQqV#!QG%@jln z@1y;tXyKTe-j_*^7e?Q!qeu6tsiTT#SzKf~K|HY}L646`h6@j#>Jg3Oz0m!_@?0=1 zGR;U+O%z6|9}=1Ehyi7k+yS2PoDc46uC#docer zI_n~d!g5&DPx*=@VyR@jur%iH(P+gY1=}m%Eiwy0rU%u*@kn%E?c~^~tm~=rQzJAYJdq1F#?0c3NGsrnJNNCVc9|52=a-h zB{5#ktSur_fwe~L)D~{0!z?+73xxOqH5?5eiY8-r-sf(j0!@sgUZe)d%2REZ$ZQ7c z7I=6#o*9`K4C62XQP^KV#YT~-*6@cXM(r%k-XJoIbzlmPBii~{zMhV<1oF7oPPV+0 z!p72r_;rA-Ugm7Pf6m1aAw zpjoTw3qgBnEiXTTlGAOZ6;`&2lGE&>6;yS+X55I$%-f6Nl_FCHas_>Dtyys#?VMrr ztiZB%+M;IXY@jv`L~WZ5)Jj2`J+p$US}30m8)idk)=_MB%Zf6ui7E}7t+FDNHEJAC z`(y=`G|X_$^lYFDg~ z^5t4B&6ZeUrOUKh#D3TyODTlf3@c<-4IOQ0C#>b=OK3Z~ZLq>-E!OHd^wYvcRAr#a z%&~G+x;3b-rqUdXB;d{)r$I5$7A~a3Mk9l{YfuAg$pVpCjYBu3!onaioU<}8FiYoC z5m4r!JCe>&SrrZmt8z3!m2|Xdyjp9O&ZG1we^$usxl~P=JXxVtbLb$pec(_#85tWb z))|^Jo9cPvy9+zGw8GI7qheJ#rA>GOqnSy?HDhC-RF+YlMo_|FTgQ`hw3-;DR*WGy z>5Xd^=z@VUw}dMF$V4U?j=&{D!wDO_dKP`d7I-+GPESx>Z;&Z1#(wz3gUQssq0!{Q zv{x6v;+dL7gs-axQutYXIx_&54ULb&Y4h5#n1NV6gN{*d)a=_%$fX^%f zt;hI8`t=t!J#f+J*Gi@VQ;a0SWnb&MJE1L|r(y*LJpi_Jb#(UhcIw4tA>aV0#MJT8 zCWJ0>4U-5{MSRD4qdN!luM+^U_F12G!R_CU$30UzmHE#9l;s==~7M5!*5ge zD}(%re67;M&z6FLH++8%{Kofu;CbH{0uT9a41Atvl@qu>aR2Q)5AGKj3|!?~9XRZp z9f?(iTgiMazg zO6*PJEFly=fqW-a_&#)09fqku3U3ecbGWhefhc+UI8q%;4yK35yR9(j{Q`?AJ(2DQOe`BD8=Y#aw3NNA423BWIH;#H+(RX zfvHT&KBSk8BuC*sD^hkfsXC%Y_l-qThe*)}vHigmtbf5ql9H?N4S*0qY(#mH!Yi@U z5nvkz87a78Houb7H;d+wA*zJ=00Q;hq7!&Iiid6&ouKzu@tvG)zv#rcj8rBYMknaf zGQOFNc;}LYxulZsz+rD}8J$%xrd46j=!9G}i(kRz_;;B1E#SL2eZQCAZ^v9{#nHBn zPVyJj@O=gy+rH6>dHy_pjgE;MM<@Ke3celSWRyB#Q>A<(&dQuh*+u+TE_Z|ItbZ=L zfGs;fC!KRv@KGx~XNTw@c=l|56~QMvLpMgT>@dRg9ijtv zMj7AA=Jm!-R`DAs#MoOo>K;ONjUA!`cn}-acZd$yfpWf`&F@{ED1n1|c|58aB&Y8X z9putTF2CnAHJ|U&K!tj-e->ZQ=6dwTv2(@_(a~ZOTg>kXO%PCC@8=kT@_Rf-kx$1C z(b48UielR#I#Bjj@|{4Xus1VKILPb494Y0S*?eBh;YIv*_UN9yqb-jo@ic5l-yu4<>nC+`J%)P} zegUg1ez5tw@mbgP@O)~JpT`>Bz*8`!WYg$?axy{Dy?!SJ_&KcZ>Dx7fUj`4Rss{8v ziaP;xyw1D4iEz8lBfYUXNuQv4~6l^Tw7h7~9lx#q$ z>v|BL*W7JtoqCX-zQ46S6Pw+GkQ5_COvhrPl^3dlwpw*)M z4ew8wKuwR&ast)8Jj?LO@a!x_DQn)G8my0zlvT-pY(JP(JiNf%1y;!Dc)p3K2HX!n@R zwzXP;^)yF;#WPZlW1AFPy&+|0sl@|QiWAb})xd#Rg3_{-Sv(!Huzkb3QA{*Q0guK^ zd{Y{8NOgwZlErf|9Y;U)Rumy+W8XCmU#sSqP>_(t84*H44i7{S1>Uh$cRK`7#5P}p zU*wC}Xk11-)2kriqs5hgt=8g~`4zZ!)HX2YYo$y1?*V)^E|0g-lLqRE%z<*Rr<<(GkqbS&&NR=|4r{} z-d}rP^gi$XvG)fM)qmLgb?*b-`@Q#g@9^I0{iydE?-kxlyytt*_8#)4yrbSB@9ExC zy*s@<-i_Y1-s8P3-a7A6??UffZ>e{>H{cb$jQE!LC-GJB74Ze}XW}#B6XK)dH^r}s zUlczp-X-2H-Yk9uP6}KuUL;P5XL=s?eBJYa=YG#Up6is~ii+|n_{QNz<-^LLvPapa zY=e^y%auh+rBbfUR6>eR;X-eR-VD7K`gQ2V(DR`mhkg)xEc9^b>!Ali_lNEY-4VJq z^ienuaYg8o(D|XWLx)1C&}e8Vbb9F2(9Teg|FzKC(D9*`P+e$gXkln>s5CS^6bOkS zCiqtHPa+%mc;LpswSg-F7YC*ShXa|wSYRkH5I8xoJ+LXz5jZ~39Hwn7snEzY;ulc{=zt{gs|E>P({a5?n@4wK0j{lHfht< z6MdeyJWqKZ^L#>jMtWTOw)CL%fOMa97o4`ZQMy*TLb_O*k`7B5X-pcD2Bedv?b0T3 zLQE)EDVHf1D(5O^C>bRIUx2JrPEgvEhTyAk-s6Sf&w|ecp9nr0{ATcL!7m0s8@wxc zd+_GqM}k)eFArW6oC=;9JP;fY?hVF*rv*C{Z4vGdd~B@=hvPWJkNS=lGaMcNe$9cX}(l0O_yYe^S$MJ-S=zX3%+N4 zKkz;3`-blU-)DWF5{Jao#9d;KxL!O#Y!Pe4MdDm>mN*OMkNf9J;NL9)<Ng5&P=_DN> z>1ibGC+QxN?k4G}Bt3$`7A9j*7BKJK10i=Yk85DPt$Tm%R^co)bfCq z`?Xxwa!Jd5TJF_yQOi9zs6(tkGoEG~%~+Z-BxC+bvwzU+?=*XxW`CpETQvJC&Hh5O zKhx|@n!Q1@Khf-uG<%(9f1ufG$QpAG^Ls6SRm*>;<-gVP-)Q--wft9F{)(2rtmVJd z@|U#yMJ@k@mcO9o|D)yqt>r)0^5?buIW7O0|M!f*Gb|A?@cFD({u3?#v6lZx%b(Hm zr?vctTK<%l|3J&1)bb~^{BbS+zLtMa%OBJ7?`rv@TK*j^|F)JtqU8^3`M0$En_B*m zmVZObA4Ku{nXl9Azi9R~nthdKU!mETY4!lkzC^Px((DT~`#jA)N3;8Bb|1|?OS8|= z>|UCEnr8RV>~5OfMYB6Y9-d|8Zu;~|n%zOOPtfdknthyRAEViAG`p2%x6tfnn%zXR z8)uE;K7jqqb`Y_F|rP(z!`w-2j4P&ScW3HlwSJLbX%(|Hm(2UrxZid*e zZid*eZid*eZsrn-axu*=qS^asb|K9!pxOB}JC9~lG|STLT$EM!IV3%sq-T-zOp+cZ z=@}%QB4N|aekb-T46l@!$VA~)C+XgAvHb}v?K?=4FQm}21f^CBo zY#XFt+aLwo1}WG!NWr#23bqYWux*fnZG#kS8>C>{AO+h7DcCkh!L~sPwhdCSZ7>GF zwm}NE4N|aekb-T46l@!$VA~)C+XgAvHb}v?K?=4FQm}21f^CBoY#XFK3QlA{`8U`$ zC;{6BDcCkh!L~sPwhdCSZIFU(gA{BVq+r`11=|KG*fvPPwm}NE4N|aekb-T46l@!$ zVA~)C+XgAvHb}v?K?=4FQm}21f^CBoY#XFt+aLwo1}WG!NWr#23bqYWux*fnZG#kS z8>C>{AO+h7DcCkh!L~sPwhdCSZ7f>_whdCSZIFU(gA{BV%SvF|AO+h7DcCkh!L~sP zwvALL7B5R(8b z9m&{bFTqC%6CWmCOhlw0c<`V2GkzYP=NXBEe{stFxTc+}{7AW9stnHM9+tRZ!1qev zAKa%ySHnK{btUV2EbuCKz3<+@^W25XBt+Lw^<5QsjO+9r2z-TWRECsYToo5o*06u| zogDa-@5I23zUsgSyl)3m-v0?i*`FzO?4#@#yx$D$@ZJ(w={++r-+NL(@*d~^i+7Iy zWiR7@hW$AE0rpJsfBX-L-}ZlAyv=`uc%lC?i0S`=9T7+TXDDxqJ^oR#-oKmegFSao zPz^p6Y7YIkIK$tiEb#ov-xAyy{D$WVi0$9+4|%SU-}W4mf9*M0e#X--KjiVsHwZ7u z?-RZv?-Op3`<0i2pOLqO9u&@#R|*k%kj^{F=(eBv2raY3xBbj@gsd6i_A?*WOSBlbpSgCXu$Z++x&6#Fq$~C~x1aft zQEEoI{mj*rfHl_bXFf={u|~W7%vH05Wvnya?Psne;;=-#{md0}g_Uffm^T;^0@foT z4nJBqb2$-R-nciIoCQKBd&I~$*dt0HU+f#KRE5yY=8b-X>6$NeAj}M^B5Y-k9ue2kw8hrTqzE+xCAZ*ZJ zg<{LyhY0INEXhg!AZc8WEIFYEX2aXk<4jKAL>auSe3A0*3?Zt=pq%y6glPU~d3S0d zjNGHd%e(iN3iW`L`+3Va>8ugEa<-f#E$5G#cPA(?Z`{0li~#dT&bvnm&yJXvv+aEv zk}U$}MA|zal#M+e=0u58PVz?3yGP1F*W`_%cMmTSwgV_Pa^`Gch| z(z|2ied{qcC&4Hg!Fi+U-Gj7d{&;$Kgx1U#QSUyT!1Bh_y9da~%oA1bK8>`e$L*Y) z_S1T~k@fC9MPTHuv2}SjDbZ~T#FgYz6=5E0#@FRjW(i?3By@(FPRK_{M_=P$POF8jJM0%$t=-p*fcs4+%^-I zC61W8ymcC^N-R-#xrY`Qad){pC{zH3_N~hn@_O>d-sR1ti;n2Kys28)d}OVR%ymtN zrIjrLFK?Uy3le(_Ufw|7jwK2&uO}tCmPJyX;G2{VRza zm8*4-WcwOWu|dx0k~d!;IX^%PEE)yO)=dXCrzqFC}k8 z{~Du))Ymluwy=c4wJ$FglL4GJieI&e^eTTGzp9#4q)~Q^h z(tILb6HBTh1!hEFsw6dNYtRX49+?bg3s^Rnywu#de(@YK)9sP{;@Nf{iYrKMEr4!` z?iZJn`9c8J_DM@<}sFle?X{UjEMg{KNfoCE!ZHm4GV&R|2jCTnV@ma3$bMz?Fb20apU91c(G0;rIIb z797iu8`jr0*TRnxHnh|>Ho}kj^)0A7hTovHR)Qb)>st^xhF@*8R9Xh%{k|E;@;it1 zwRL#^zo0ZT%3kFrrCIr*`-)u&xDs$B;7Y)ifGYu40U}IgqYT1Q=U~GQSJjTz@^GT_zi&V@D2DfrBo5%Yxw6vj{=JO=Sskp zfGYu402WaU5QSKk%i?e^>-RCcwe3 zQ?Q50?f3(q&t6jmKO;bj&NYgr!%qm1nui5i6VRr^ZwHXFbIr0M_`v{Db&8^W_ToPk z!7l}nqDh{#dH47KQ3SsaK#I;bi{J+WNYNp)2!0uW6rDwBLB;9tlK`a2L%dej@X&Pl zJpfX6wxtYy1%Q-ITFT(ge^Pdq*7>{r_ZGpW|C|H@(HOZanJwb9B8^=vf?oh2SQ>A4 zKD7$t|3%6rjPjQ9gz^pLkIM7P{on(*Qh5n(0Q@c72=Ha)cDOI^Za{JWTnV@ma3$bM zz?Fb20apU91Y8NY5^yEpO2CzXD}nbc0g;DI{ZtXj4o@T5xe9#>(WfBErUE3Jgx?K- z3TMkCJ0y|pEFXRHQkY1xNw}I8FwcUkX|V!aO$*s1=i$K>a0ui7%(VB+yi359fGYu4 z0JC%*0KZL#r|8)Oc3Ahq)CE!ZHm4GV&R|2jCTnV@ma3$bMz?Hzi zLjsK+iD5Zr^_&t`U=OFGsrYziPkJ&D4G)i~={@m8Og&VaN$dGKb#P*sYZXYP4W!b! zTBQS#(ReJ9QNxf#3RLXlNyW(O5|(Etb6U$Opv~@07X(m#A{-&Re*=;|J1;+Z3mxS1 z^}2`(xtwi zdUecj;&j^U|)N-cC6{`thr!Sz*`ayvzLT3k-<^b z*>&f0P-AB2nzdUx^YlC@FQIbD5n@-YALP5Ub3^Bj%56Kky4UPDrE+uUDV1ybc5dzJ z0kYklJv)Ib_`h$pecuY-MYwI`^1z*CB&h?!;I(s@gdnnBD>C$~?4p%{v*v3vyV??bP*8AgdIFTKY)bWJp>rql7k_$YSK5UUf-F$Qz+%r096 zh!drEGM!P!3=ukuP?VKs?RO)~Ey-vE=jV>(!NMKTkvfv26Jv>7yr5i@UE%kZ48Xh^ zAoGfF8jU0pYN{g=9Z?5zS*Nqii5RfYGAFno9m||^)`78?+j@V^d3`dOaToTJ8Rx9! zeD>RCoD&S~>od*?vd)=fm~q+*&Bt@j$g#~h((cg*%zGOz`n0xoN+0hwZgfOr@ahFQ z^FRM2-#IxBT2j|kdK3E0+Zi8I)0xQFcz-1-kDXoJph-br;YbWi-jWqH?36-AqTVdh z8^A;_pp41dYwhdl+TLea9v#Q1WEoyMOzRlf7`=qD>`){IbeEb+!$ix`{8Nn2TT)ZQ zp0|>WL!B5UZ-0{PW6%z?j6fY=eM!eK^61Dg7^dAZ)ok5SwXEK*(bZ$AjIZoCueYQ# ztiLknKpxl@NvVm<0IF>#%$N85IkBu1EU(guh6{##)_FOYGs1$i0*>YETG3mw4>aGT zsrf9kP-{B3rbYi*(7jrJv?Y+U+EJ(-rEf>*M6t)ZEXrvXrIMdv@hA+NHIKqvKEcpIu3>D#iiGCGkWGd82EX_(|m-dj>% z!Di=?Y0|4^GV#PPnbX>Oo0bUn@sx{4h7nor(+Y(qZOt}LELpaUJ%x;%^nO^QsRLdeJi)2l7jaDMf|7NcWl zWv)J`T+>^*Hj=ij!MkG1D+^6v#P6Wvo}y3-j#W@i*ua^Q%Jn<8cIUKe&RkfJZ0#{0 zDVOFma=xuL4|{f$^}V(4oZTD}g#9zmtX#ZjaV2EiYK?9}KdimZjF@$4{~WIpvA3Bx zT|GUp3*7|!&KyY~=K5aP)|=SSnLKZ4m6abU63gsM4M$-rFLLJ z8hOn$l0!vn($K}+UvvJU>0|+W@iK>v#!6-dd@8oB%lq2n=Ofzuwb^NzQJHqs>aV%5Lh+U~HnNvm zyd`!?=aK2OLet%lN!~ecKyxSVG3;V>|A{_r^3AXO^IorU^ojP4U6xLH{%bXn*`0Ue z0yM;}4N#M}|J{v2Zz!_kthz{l7Z!@Bh*L|0|60w(@7? zb>(-;EAOd6x3Vh%R|2jCTnV@ma3$bMz?Fb20apU91Y8NY5^yE(zbFBLXIKv=0wz2r z9M3Znp8qfMeT-2q3_Tm#AF2wD1>O$a;s1yKTK`7*GjdXHmTr{xNb>>3{c|PYO2CzX zD*;ymt^`~O{Kq74W|7QrY+tsFVM^F3PK~uS4aJ%x;U-nB4>vWnwTIhdu~@i17Heu5 z8ftGHs&DT&ZqJ5|d(tD3Bz!+H3>Qi5flC5X88sC?m`v>(8ciNd@5y@~QzjivCWhj} zaB)&HL9R$@n7&8^H8{1ZL4n{s&8&+ZfPJN zYQc?FCn{RaIq$TlP9ZxpM7q8*TYStky5PE~p~%E&rWboWF%BOy>{X+g!}x8$eEfoS z{&A2eV``<|O68LANOWIhSS6jVnNLo*&(Fa5c0`R)YV(8gS$c)Gped4b-ty-y`(k z0>1Z1FK4XiJd-Jut>H9b&sohtQ~w@eo4q`CL7R1Sh7YlX)oc+;`K*7ng)`gBwQd;y zFH$aHlG}V&g31q=gDl+t{~P7MlBRQkH~ap@vyztkf&N+rI3`d;*X+jpn$VqenN z>udFudEfRv=Do{%p*P{}^|pD-#Mi{{iJua$77vTN#kJxR(d+r0=Sk1!JXd<+o=(p^ z;jhAz!kxl-LPR)TkoXt*uku&$5x#->cd6>`815{Com$ zd0h)9MW&UN#IeW$HBmdBf{;Nf1J?}_Z+N%w*`0TvaNaMkTYgAnHt1O4@rl9FczUED z_Tqygvx;EvgPZS1)q;qN4v5T3Kpc&vp!v~)c-0dk(++rh)qRtrh0*3`M5YnY;>mPD zQj5~G$&pBUpLzsZ)hXKKa4HfzLJz|GMWzdyq-aN#Ox3u^)FXPbAcKpORCvSc7?3-H zl&cezLp3!TNemaHS3Rbojm8hfQ-#q+DOxO3EE$;2yC^;jz7Nkj~TSSY%&e znJkKE)JBtgCsKv+7M`wA3rEKbzrBS66l)L$*uH{2n133bb#PBxL7YYXl&?r4mP*D8 zOJn{XjaDpDkXHF_ky!vTJ*W<1;^;i%b|H6QKOUqj9);FJ(h0JxQw?jf_TYkdj>@GY6`sCen7AbNfVQ837DVCKIVh zd^ByZxKpnDQ(~7cq8`Uj36^asu zpfAYVia2Mh$kYH68e#+ni4|PdBQjM4jKZ>mx)J0P%~?xc&I`ZVcKxg^B2$62M(orU zZl=R5If$X!_yIK>4Ihd^jMheY?j|bG#5n3jYJjXf)pm)@W}t3?hlk^tk%_^u7T~qN zfQpSGQ?20-PmJ1Gn!Q0}7VE&&grkq;>**-NI5OBt8=K{w6gHL~oQRLcY_QUGbQn=v zYh}K&gX#$a$=kh(wUk|){=}wQtCz2#jp}yP3M)I2zAMdkT0yf`(-(sF(pp}A0wt&0 zNGq&t6(y(HMJuT4c+I#GlbN>{#VbXo4CD&>+FG;XINCYG=2?Md?X*SB&e=e18i?99 z8>p3nG<#+RRkct)9X8B{(yXJ{?3NW}UK3RsHd|#yC~MR>p!UfMDrumTpV%ZTpt@eO zX}NaDidIsm)koW71S&#lbK`Xs&s2mT}`Dq7D>Qw z-Z%}4fwpiVB{muv%w2;TSW6a&%xWCEDHRq5iQ$};fq_{%pNfDo2i=i$hRUjNNLZDl z396){MdQ_4t8^ZvNBOftX3wQ+%H+ukt(rpzu`RS+I~f@pE!G*DGn?vpBS>lomsU7> zVpOaur?d%AU^FwSIIh*8c>|@gjOsLk5(e8ko}{DI#3;3545^U}u34-!=9W;UADPG` z!x8wAq2YuLUOkJxVGBGQPp2nf|6(OmT8#bhiN^6KuP%VaGc}6{S9A}g@LK$IW&nO{ zXnYiYNw0P+W+0Z&prcglFp@W5bElhJ4wzgT@R>!R^%$Q>L-u;pCDVW@MiSx2zSebj zLR&hZSb;$gfGu4eojtvsdU06@H~=a!b$m2AIi@BuX&p2t2n;}tj;%dAcXX}o+u7B# z!9uV!0Aq`Q*L7|^2`(G&)hkx`VE_S5w6@_i{!$T)YyjTd9a`TvO%|CV1jZ5lg;yKS zDV30rPegH#ksnOb36=V26SZJ+;Uy(gstzgkVsCsRLckd7#j`~idB77EM=~&c1}8GA z(V>MNIwg1Yo&+b>(qO<ULV2eI$_@dsCaHpu>*8Dil6zaK02Di%8M&^JOigeF2=p&7wn1n&!8 z5!@SG6)Xw77WhWs`amks1$%wJ|9AfH`|t5z?oYyAztvwR|4sfO?DVgf&yfe@wemvQ zEB!+Hwsep5era6VF11LU?*-q(>~DM@@TGj)ef2)S_f_ws-dnuqdt=@cy;WXD{JHo| z@sr}E;wbF$XL^3+`Ksp%Pt?=u2?;L=4+tL+b_)%HkN-LUS^grvpKs(j?pf|W?gDN% zw}SJsUt%v~qij3thtA-CRCSe%9Z z3HEE>#Gnd7D2%xz3wxGTfH?wNYO+r#_@WkPVef)Oq4`XF=m-OEX%@CHI7)^_BM0GE z72(JD3Ujb13)>hRdusY$9-i*-8-c z5_7nOeKMR<@rOMM6JL^roe)Ya3R{loNK?a+P+>bnP(gDad3-I(!p;a;MkT*LXBlL& zyeJD>A`LMTJ;F{yq{i?4ESwk>n`+ zx>;f5nk;Oma5lmZ>qYmCMN)?f<1Wd<1`EYCn1cNitg#BCE`wjPBGVD30gP{A6$@i8 z&cfCUM@|G@7--qTn6tC65yL&@p$PsK=o!?-fI5iSr;03W#&AD+KutyT&94D1&BB%p zoflvz4-kKW1q3@X0vf{U29NaH8$l2qM_{Oe7A!x@aR- zo`o$NX-OS}6*JlK8w3_)VY`NYLZaB=hb-|O6klWG?zY~ZNd$F!nWgz_wG z-H?aW1T~yiU}+Y%Z}=*WC85EdRKd*7W4_4HDa*nhj<{o}iM5iPlZ9Oz@#L6R)e4`L zg`FI6%77uY0$>GEL3jb%=>U~xVJC-dQgdmoH9HHNIpR1mETk1&o`wA!_FgxNR^Z$$ zZ0b;URy$}#D9OTp4xMep^jRULS=hoMN7UL`K~-7Ux8V?V7&t3Vc@}nT$d+!?tiXya zY}#;Q8fMH2EziQf4Xf&w%L<&6g`FD;-(sw+@UkrI-|)q0_Q?t>&%*8v3F{`w3M|XQ zz6~pCR>%rln1xLnMs#4G;4nN^w2Cb3;ILbUt+7L4^G2ZgWKs)%d)U# z(_m;stgzWx*skH|FztpFJSPj=G!&P`RM_FLS<~T~b+E!`XJL;<$QuU13a-e)HVyk^ z*Z?bZZWcCaIQpz=--=M4h5Z`75M9$-fs3-RXG1-uJEa{<9V3voC=0tdqR=!Cbs@xs zS=iIzYozY#LTJmfu(#_(G^_8r5ca|>?Dq&!;>a$9wjc{TKh%Z9t6d0dX%=>a9R$mC zaTh{fkcAB*B?L0U zxK!k+^t~$V_C4XdTUhVA);B3M`G$R+LZz?HH&dAA6TC0+|MWiP{kr#F@0H$jyr=QM z^={&~@F~9C+w7eQUW6C;XT>M@N5n7kUl#8YujKC%r^HjlRs5ymbk8fE?|L5a zT(8{fxfsq5?DDk3mkyufXL0`oZ^DDzz3jKx``N4EoWKCPnGI7ff+gi2Wc84MQ=;h^ zLN&|TOeAwlrLc-K%N$jhdzc^05Eiqn-FZ28p0L_l=BQP*V46^ca1xaV6)dlsEwmd2 z4(#q!sZg&2Z2^hn7YbcD0B7y}MbH*EoJbt88446IMP{Eo|V7q5``n_VQ9;1?#{w1}Y4fC@fWljq18=zqfJg)jpojy#89p9ZHEU=@NE z2!RWNLInU1rpeR%>B0h*v#wy6E2J`^k!2%!BJO*NTwM+a{AFcm@mI9>e`VLQ~z1v;q=(f0H( zUL9>O--!|x20V}?Y^^APSp@%fQj5XZWLbUGV+U&I2rJDJCw`PDZQBNb`3O@cfGw_=;QLk9i+gZ7ZJ7MAV!a`gqXh( zwUP_WB{OXftWg|ok~J)JKg7JXRM_t1h(L1*DP%ohZ*p(sKqR~u;ueJ1U&#Wa07fps z&_ZE@lQZpH1bVnA&A-$O15O65NV#N#mJZuY65;XBmJZvXxr71>U@@Xe4!tueIGm`a z!}#0laeYnoW}VQlvzG@am#9B1oKl!*cppT-l4IbZrM-XSIAMQb@)qpehU8^J-;o+h zj*TbNS~GuY6UL6zjE0-rh_po5dW1$GkTym;^2cUj_y{c!#9Z<|%aAkts@lw=bYEBK z8Ut1kxZ)_cjKG`T%307F=ky0LS1u4bfZ-!W2bgbwM1WE4q)QEz4?JNz z^XPgDo*W(SK8>s`;WX<69ONRnbBXD&o{U+d;m~uGNN)}?COVFjWq?~5N(*SL4GUTr28v+uV;-t%^a(Q<7R~?&WVBdLAOwU8 z0MK&>-Wfs-eK1cOh%)nW6sBme6sbr6F(d z_2AEfUkQFHcx~`dPz|=RSvU{ykH8-SF9yCBxG`{MpgXWE5b(d{f7<^Q|4ncz;4FW? zzYD$rSn8MLH{}=PZ^HinX7~CLcZ2T|-$CE0zAj(2FX;V)_kX-kdOrpG{)67Aw-fgJ3%#QFC-Fz( zBjRo1`^5v|E^(b$FNQp?d7k%t&vU2eTF;bc(9`2t;h8P`TKJ}Lt8keR6*dUfLJ|Kq z|2+Ra{yzRX{(L^k@8s9>ZR{=Vett20H}H4vRqngo=ee8Vzj5v~_rL+w61f zsUWap`eUDCO1N=2^P|G9Ogkg$XRjkW7aCE(w|Nb0_9fU(har+M6i$z(BaOx`9pP8c z5n4Hp;yXqVa}WCgxrg}?H$Iuyi^fbTJD7*q@j~Z%W|D=XNi@WAjuJm}4;gAEj@<1i zkg6(RgTQU0mkjl)8G0~`98zJ=)98_74`iKlHyO>^L5TDLvaWJ=u5w9(B$O}`Ij2I_ zbC&ZEgvwoHYiTJ(Nu5L%ca}nvYwb`3^Bmd3>A@W4PNJ0X5$o?FS~%}%3g&0iV2P}~ z1>}HzKbgAdmV`%n3nc_kNT{zIc9V#lqurS7OraXyrsjY}A+ZP9b8`z1u!qZp6$U2k z>fw~PhJH=~$N}~Y!lfCKVm?U*Pk|#H%(G;vix*_2N3`?cA(ka(!7RiM?If?sEOQ7J zG}$b&8qIaUqHs17#)b4R(XpFb+p=oC_;!!c1Ow?pYu_4Q!m4-ax#0g&n(RlDA+Ur@`UH+(F)gS%`0; zm%IhD%)u_$sGpF@h3jTGk&RV$5ZkG{ict#diKWy_93;9AgWpTy5UL*-hf|G_1ROp~ z!C5;(ayxNtSc8|$Cx|iCi?H2o#F*+Oj#hxtACqN;Gswx@4g&z1x10e&Vq3{#!&;h4 z@J9+bEjS}6%6xpb(9F^2T;yknRCLEUN~M!XMK5vG=%&-kjH@yqBRZTGAcs9$)z$W|>RA|x=|dEYWix%HH9DVa{zpgVIbnNE5U%At!)C%wecBuuBLi0mz2 zH=IZmfmVPNHj6oV$1X|AXbyLdA{!lGt-1Q97nIL%A~R3# ziX5+m5L|&(ISxYhvgN`_g%BK!b+eZcZD;$k=QyI;j3Q^1BvA|212xReWZdgTI5~k+rj>6iKZjYiCPgF105Vp@QSc{f#jB53q;G+TL<(hq;lA zUabVF9#8zvg-)I_j}x_J`KGCz5}+URB7v1;_!s!PH$khL-#xX_>a+l>A4jX_|LS*) zRM(sz_)fKrHvRY)tGAQt8iqq4-J@FE5kD0+z5zxuusw&3ndTcT^l|V$!m2iqv915L zFs3ZN55E7uVTQQF^N`rV-RON<_zKT>CZ(NXh4>Ti)xPiYQ^L)@2Rw1#Cxwf|Gd%s? zG(Q$NfjiH0hv#a~{(r*Hf zNZ$?IBz-z?NV+=EBOTy23kmLc&sJ|Ax0K&4?BpsuYrHL-kKf2$>z&2^iEr|G*#G7$ zg*NtaPrWb8euWPTbJ@E+3*_&xH;BWq%lG0vw38gtTTx zWsCS~&InK-!XiYl#ANZ2c-@I^U0A`lYhG)cgBxou2=En_fGl*w;fI9Zs4T*$tCyca z+*)v5gI)#Z81si9KgSX&$4=V<?E=M?uF++so!iE; z59wuQh>5w{E@@X#`9iEk?`u*8G9MK~gJ!^e#ebDaRMoB)z{2CtC=OH^5056Y;R58FN1ICU$E_{ENRGuE}ZoTu|O zNKUB$g*tCEX z;TyC0m4-%e0v{wQO#e6r`}7e~qT3BDxeiP0@ebsu;E9Is>fJ5yamvHKn-POXRCD54 z*y8JizRrV_=SR^Lpk>SR>CJbDC<`7Pctnme@=N$WshYIJg=m2#2xL{HI8`&WRXr#!dw|-E&ogi1*mgjvqnY`eX;k&V zKJn$@J9x`{M>@H zC}`ESHP)B|1&eemO$HYf6gyrLxtJu!r%{v#GdDKCPRm6juhuzslw3UHH9K)bIxbZa z*0YK@81&PNd5Z7~ z%%P`~D=d^+e!xM~IuD$j22B=hbHa%i2=n~~$7#->@VD~&3u0U5inA5DnIAhsy#gmB zB-ovl7o0=pVUL{F;3rRBC|s{_YwTSGYvtFw(9k5F6~Iw74<6vUrJTb7r{$OcK!=~;v(D4xsrE>4>)x-V=Y;PFpA&8o z&KJ_cp!XGFyYf+`LpjU)WMHH3H-QHKoBn6~pYmVgPp}_jv+VQiL+pO`elE&w4?YuE z$Tj-+a8;bgznOi*zly)yU&m+pL(=2YhxyYX9^dY-A=dsC_m4EpYuR>-gVZued(KNEOce#m=3zF#T|-s`)@yC<;IyHdU> z@UnNVe0lI>c~p7PccHvT{HNR%>I_$PxyZ0`@ZjMzI%l(@7*9? z^2h&z37L*!5U^tL6XR;u>fxQwcWGz&jkv$#UGFDVj3fBWKk*Hl$NyL1)*!!&I5mr} zcM^x8emw37bbmQKpMaYz{n^oY8V8!;DaUzo3oc%a5(hf-1Kc0j+~9NP@T)B)jtUEq z7cJ<5%ljF~vi58V!j$92iiTVOX&&w)>63%pLfqpLh&B9DW|mrlFQqu)aZRCpG|b$J z3va!^L6~_8rEbPpPDH8a52#GwhD-~mtj0ZRo?uGG$CuDR3C?ycPQo&{q|6r=DaIk7 z9r!_w(n@xRSv5E0v03TP|g#-DsD)~ zdYI&(C6=AWSF?s+8%mBtUUVll@^Z7a06TL6ie1NWG{`)O&K8Sf8Y$f5C_^HvaP@1! zbJBSNC1`r9nHw$7SpRrjKNfIRKaRaN{nYKGs>MrLUQ{`XGe}#}=>BJ*(1MD_QS1=XKH3Q0_eBhG8>QsD|EpR2 z4&y`5CZ%WtJ1Fj*$%pL&3OH#(Q5U!i<#~LKM>xat9L|t@XLNohS1A#^l z_Wih@%6|yvS)31rk5v2wM`od83_r$w{E?0&{HTm?&VL5s8RRJcd4Z=F@LflX^8XO^ zb%DV40iyDAB3k3K`Bmn$biAb`DlF|R(-u^%xrcQ?j+@bMWIcxiWt$f8o2_N}PTq8( zMj+>3v?~TTqKPmM!~mHMXavZ@o?a!m9-sB&7y$1??QfiESclr&ei{LAI4w1a1ojYeZC=y zZRjz#&M_?9YQ7?T?7@~D$7@RXdgmlU)Gef@c@_r6Y77}f*n|w|D*!C$!ai6JQt0Ly zfg4cT=1~Q#tFNLE+-X}nVaYnweA>s9j`73JM9pW7UE9B#Wd4C$+yZbXtr_`fX|X7n z3C!Q~(bC{fTGN9wv76?47PmN7KFEkT(a)DbDf#zm#MjSaF(0quH_$0lXnlJKb(8TL z9PJ+rKE}YsS(d?z9k|;uc(Lp*eemMLou&yu!C&JXM~HKKo>7A3#93{AiN}02_!u^? zl_0qmq;8zEWIkyh`$*#s>qy3ePoTpiSFbvH%bYup@31OV=f3Y8RQ zhew!K80CA)ZAwZxUYQOYsG{PBDx@8y2WJqf;m>$!6|mD|KE;}rHU?2p*5u(z@ov!m=bww0a73eX|P zU)dB~0k#0HMYL#l{o<+8DY*5k3Sg$9*FnWoaL-o-fV8t~diks=xYKJ6l{@Ji-3%8 zXiN}XrA0u-*EBk4))ZWxh0@o*zt;g}Q+Q(*0wUyIe5^^lK(91o3hu}% z!Ae&2@+r6(3tzwW1cF|rYzlA1LZEgFzD2U-Q*bF3si;TTEWpw!ywwpa8V5ymnk7?k zD;AC%<9mJ`QZWU0Vl7695qYzaESrKGu?R2bNfN#0>?ye27zcsnGh9p6*;8;amJT-0 zm*}-CrtoqstZhANqC-oj;BG9!uYT%8hm=pj#aJi->j4xUSTa>js~KleOvpkCA>L@~ zyI42{cVe{zLF%WrdG;;cDV~CBv2glpw+HBiE2iK^EbNEv+=>n@oq`*&@RgXM5gk-K z1@~bQg4EfqmzPb!Jy)fFawuA;ui!? zyT$34HB)de7E(36Nd<8iOu;2tjewiaQ)W;Z=@Q0~T(&WeV=hI>kUd`jsR) z&n;7Mn^wMx1y<4qYfbPgKTIFANC%%Du__QMGpf~3!S!2spQfW)?mm+>>NHHjtz6r4 z>X6kyK>@c+!3|y5F?&M=BWgx#?Ne}L*Fa81&Fe(M%mo{5nEL;459M(l$LUD~OiX-6QbyzuJP-~91cc*x0ta`P2+7U|CkQBLDN)OyR!U7w5JZ%x zkW?xuHKit&R!EsB90w{QmN6PlVx_xhXJ_{DU0L}nRo?x#)7>+@vorHe_jUgoV7#QJ zfgM>;=vxfXyr%gB;%|E>J-VRicNrjjE$v3MoBzW3FMK5f0I6cD1~GsU!)+9scq|tA`OE-xHRS3xmsPM=vIHEA0C^=( z2e`^Qf?Uo3Bn%Pc#DSm^%NU@71@Vb}!Ab^5VA!ubA5_s|1{h$7;plnNeYr9hpuPqG z!8-+1p;{N9y{__Uk&PeZ1t_mLUTIbPW7fEU=7q3d!R;d>JbccL!_9HFkzC>Jc05hVU>4|7{NP+UPN5l!NY)Vj;m8I5c% zRjFckDPMyEBSLejbqjLWy7T!Iz|!(yb_?>>yYo0=cL;O0 zpukYK89pOSgaW`@kh#X4%P%bgjkh4@aCeTWHDb3h(7Xku>fKvB?NQ2KQsE1V{Ngq4 zY)>H%w6|c_!`xY>)_@8jG`ou6TTmngcJhxCBQ)b0W28}L*kFZsC0hoOeR9nNe(5Ey2UaRxXE`_k+u*+1Gf+5Oq4vmJH@stSy@zQ}&lTwz|D?Vb5F z^HSz1>r`fgbtJPgGtv5O=88;d`b%qf`Yr2GKofi_{ZM*Cx;Z^AJ>1%o9+Xa`J~kgo z{WZ1M`eEv^)M{%EAPZcR8exr1on?JH`Jd$5*3jfD$sJaCavQ`l47W1ohGa)_j`=xM zBN&-1HcuuK_9x~W_MgmO+Xu~^=FX7Apy#n?2EOhyFigd-Ade?lkNQt3OlMd%b6lHkH=zq4ag4M<;QMM+D|5aWg>`@vA0Ov50}7$V2|0t}7h) z9j+&oCa+QaHxhoDqJd`(+M0fenxdlRP*J62?)+x%$!^yfwYIAGA9}m)#_+c3t73TD zbPj|NsMOR)Zzo6#zcy1Jy^Zp2d2Kvgb}J~mUf!FqZ8@b%uAB)45$3m`*GF%q7BIB& z-Kb?5r2zYPC}dhnNy;nQ`TsbV&_Mj=gw$L4Gu@EzxrGLnW)8M3rUX>awjtLVjkSn2 zjCyH8=7nCXyc}Wc0vd)RUgPt88b)4I@maqt4cW9_wO|F>NL;Xz#UX{3Xw1AtsNQJ+{(gL6zJkW(IxGKG>RJu?cKn+Q5XetXIYiDvr>9zFq1*xe*U^5l@3vEx!)G* z4>EN>q-4^-(&tsks%ZJkiWk}o1T|6MKChkT?6gK{K&lp47E8V3UhPH6P4S9ME855vNDNhNSqJ8uwWn*YWnA`UVh9qP~k?dYV8wpXO9lT2^ z=E~7S!h0y2TxpF8o}>hKaXgXK^R$LUQ&i*x|4cEa7KuMsmuM_1`bw6V*2UjDXn#>J zyZL(uDN$XHbM=)XD%!JL{X!<1)=4;7k<*n%-8Cf90J?`y-srf;(up!n=SB4T@VO6G zVbPx9b1z$?ogC#0%P-_Ri7)8bdI%b#QtP^3+ZRBx0PQQbD1vq;?Np?JD~*b$(aY_m zovJoRReA@03vm=#MFB)p69)qH6AUI>Ly`^JdQUyCg75@Sy_fU(m+d>fu6ML*gLVfU?&5Bxlj;Q@$YD4;;{)OzAtJt(UzWW=IG0lGcwEXjq^&Y06&X9sIyF=T&Eqz14Zt-so(#S2^pQA2`$OMa~$z z31aH6bE+Y3;G^uT*?rkZ?8~zEW>?zvXzSbM*^9GvS;N*KlHe8VOy;1OH>YJD$heuw zneSLfGySdCGTHQL>p=QQdUyI^YkPXN^-y|YdVKoo^vHDI)R(DFYh&sSs51DZ`Sa9$ zspVEX)Ed0pnw6?eWs?80#w6deE=j(a+zyuiw&WVCBDum`Vve>P^Zw-YXll957 z?a$0p_DTDQ`4@Yi`Fr~bbC0>_>u%=tynoLO^vuBjG6QgU)+_!A=_0{+Lxn&V&^8Ph zR~tizwf5u))X{b}M9_PlnGIAg8( z4}$9vkAMWuP+>!!(%*#1j{LoFQba@ORrHeZGRC(*fG3)|wnI|dsqi{Ssr_6^F8;98 z`v@W8?{%88O8kJrM2AkMpswOMEPoe%d*5Jh!byuY*R@TUo)oakq3g+*rVwZh_rH<) z7l!)4z*7Y-o>(LOyx@Munb?P4sIYl<4U&$EnqIV41+c@-YddFaUScBv0X@)}2l1c?k z@Xpwy4#jp=_iBh9g5lAQVg8V3dWX(N?Bp4mTzOuG#gEc55k~hUT9k1nx3&RciRe^? zZf``T=^@`9VaOYB)r6YE z19zyR(w-i#ipE>h+FDGE5Z#Au>2U~t5lakfum;aJj}!k#1Bzddt4C=Hi{$C@#c|$& zeJrI=#=^d9jFc<@`hIrsQl}ST{Qns9xR&e8y_kC(to)YT*xW@q!+9U-0Bm>ecUC(y zoKa4#(>MD$RQx-XeLTA<+nSw_y)fH1^F`)wnM0Y!GwU)fnX#FAu-?x=1%Ulf`L83r zAU!rcEL{xw0dJ*#1Ni~@)Get|sllmavMc#J$gJ;3-khvWnt=3w*xqcmoUHmCFvjjaIg9Svt~?At#N*%4SKTjhq|WGYnu z*~mA)SDc3o2}}zTUK@m!i(UJ(k~}0aa0>So z(Q9;CeSR@G4_OK$aaJ&jC43>-j$L;eN9qUXAuEBiMV&}Ih_SQi<<{{+(>)!Kz#j73rxL0~e9x@8908;$) z0BZ_g;@C$otv@#pc?4K>J2|$yAmBZ!olmc15au4y&Ldzn$95cqkUQ8ig#UKJ4Pg2$CqjXTk zAm*FXrF%!AmoSL(M#Z>4Mxj(Ni0MYfq&q~R7BdLo#*W-%xRDC~{>C zBD8VN6_=?o>%6W7 SzKIYnXQTPy;$v(mV*dpvnS6!- diff --git a/.vs/starter-workflows/v16/.suo b/.vs/starter-workflows/v16/.suo deleted file mode 100644 index 962942ea22fff9b452b61562d7bf63660eb5293e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 34304 zcmeHQdvIJ;89$r0w53Hsuth{jp#`kj&E5B=FPdzU7NNE!AuTkey}Nri*=Do5-MiZ~ zG(|x`5Ffl>0tzbp!Hf>$=&0iiIx^0Hj({@?|2XRCAC8JMj{gBtf4}=kZZ^ByyN|Zn z^q!sXo^$VceCPR{@B7YU-+beOKR@^KC4UhmW{X%PK0L8poMZX!vbe?hLVN`8ZGaC? zoH#)*`orm%7OH_8MHat;Xcv7V13ND!*_5`;DzRj`&Dj^K8EGQ%!>8|g$Mq=$`uV5z zkh_2}D-Mb4fISIUpEz1Ai8+3&&;za2Jtsh!4=>;wy02z-iXuv#7AfE-jEDie%K$|T z39kr=FrJmoHKNV64BnRmn2*XKXZw7^c(sGyKRfEIH{h?i{ELvn<3=jX`~R#JXmN8~ ze;ocR0sMR(Yi|~)0sw0qyY7$?FARHig*3L{`?Y{>!+%AEaCULFa=6nu{?EVj?z^6J#y@(S5c6gH zn|*f)@o z{2%$g9CDHcKd1m^xG*zTc^mkrX%h2MKGf{53B0~;e5%HO^`Z{)v!l*=Gs{oDg_6_NkYQ1nuDWR*^u~*HQo9 z2JROP{CB{1=s#QT>@*JjuPpzc4fKBxC~5|DHY+B?4p7((fIL86ctjNQ0V#17v(q4+ zoFPbobCx+_gE9Y8hUW+}$VydfDSW9@pxHg0vRcB0^lJ287S|&;m3302f7BP4Itne( zlRPNTTxx_Fz`PO%W@@31plk`F?4|ReN1KCW_(u`4hJmUhm><@^90;};E{kY2<@Ct`!cC< zj6%~47f>4;#4y@W!Pi`gs~@GC@i~H&3R)=Q^c$EXz}N*XTc`%i>_4W->lxT4wgb6} zjLT@A9I``Io*OW#eWyw<5A^KVZgh3BnPVst8O{mB8%EQ|;U>d7jQB+WQz;;{t{g0& zGE{Vt5%I?6b%%elsx6cG<7?R;eDJ6DpL+Z5+ZX-l*5yyM_3ppuZ})1Fed%OkW_OM~ z_3ksT{%q*bQD5ib$&G#QaTuLe!6X7|VGR1V7nlT!Gbi?qr?ZfJ*oXshj5%Fk6$oQh{N>Tqr}H=gjQM@AUWOy!c%LLs-IvvXo%!ZYFbWb-4P zK1q@~5v+x)VS=9`Fxj9qubO77{51Yfa?J_0CoUA2iOU)mUF=JJ_Pq3 zz+S-3fLj3j0K)(oa4X;d;2?l$#9+q_w*or};B;!He+cd|60D#gD8F0w`awT(BqL{~ z`arb*EJmeV9!tNiz=xGK@DBkSnf5_oj$!nrz*-fwT1mhj#T&G=bt^mUqFp;jk2Uk;{I?jds{nTK??%{4 z^RF}ioBW3}|6Avu`K;KCLYtkR9{(le{xw7Qw}9=8aPjC z_9KKD(4=>HP&&XRxidjQO;E!|zG#LwF_B>XL&M$9G;QMlJiePu}By};f>PSvbIO5Ka_ zqZA&%^B6b^A8NV}QhESSFQob&&FzPatKGej?cE4PzizlB{JH^A$nz3n@)w27e;m4i z1bDXDc=i1&I#!lpqo}N@W<7BJc8RB5y&EL_j&=L``@(@fue&E4@VmX8^wVj|(+r(?8PS`dwO4w@lUA=`ER?nmQKg@kf04 zxkEn5$MNoUM{Zljh zU39_X1w}2WN}-U-jGRpM!swdb%j8S74>dl>i!>6Sd>7*ru2~%oJoeZ7uUNUa zs|T;P4E6A4d_6*LtF4GephokrA!nyED`7Dm|8WgWss&}-6V0a6O1zN5PB+gsC8Ok1 zaZhhb`yl5h5Bm1)GXf42@@TS-_Hi|y&8Jhbj`kr4_K3GR;F0+2Xpf?ui+N>pMkyBZ za=N2^S231O#jjT;2eV^JW^*hYmV@zN$lK))C{m9m&MWz4#5Rz+O@a1i*+bPT#i*RV!$morDomOQ9Q2;j8rrXk5z7r;S}dkx zK4z1hm8- zVMt8ew#$`q6_A9y)UK`Ls*swf&E>f!>LPiLD2wpqcD>Lc4nywKwYhms`s2<51z(4N zpSzj$z3$u!yaOrdU%k*(dXNHlNc**P{II!kn0v8#b}FHzA;fPML^ah1;dH97jQ)0t=`-JUlV3mFIUYNefEb zhnw|Dwe{X7#BUcwsZyAaI5UzS{9!?qNI!ZrhSuW#Q=QVaCgnE!nn~%X=S?r5mg4Cy zj;cILmBKDH_Q7`+L?2|y^5E{sFQz~R$tMcYnsku+DAFiH5@nj1bb$8_|6^IzBO=>O)&8bGOZ@96*L*BVV}`#AbP?k1dn^sTg=9Q~hu1LOQ}DM$a; z3TxGl{*OF%YwRnS-Bzbc|L4*)H}yztdK_~feZ47Ae&zit&DzFSYd#v4pLve{ee9iD z8xP6e5RP29l|az%4g`}icPtQ&;jBf_+ZFRmK{*_BiTmn0WTqV)QM2hHH=^a0v|LCX zQ8rXKZd2chmU)!1T8^&-;*oefaJ=`7Wq;28!IjjA9Nm$M=d)@yS?~;{RBVYGC=?T^ ztY^2rJ8m$WO{<>4R1S|~Dz{6HkI5t0&}VKL^oDHj8I=6VU^1NadJ{oO_RCAypEp;) zK8U@g)=GIroV5Aumkj{PYmop7<3=dKWQPf9J< zZv@1FGS}(~U9_S{hphO*awsO@uu>rC4)`JwcULHpbO#kV>F)|Cia*rlktBaO9GpT1 zW|@nHmMP0O9!y>f;3iS-Z`91}OCWi6%{)H`C$C;&1rXMAjkfx=ksfXFAXjT}Ucf;N z+j*|l`qNLk@=JA>H4fc0T+cgMeoL>p97Q&mk@}58{|)*d^U2|G68$w0i}~CEB@n?W zLT}QY^h)ud5|R==MVg27-z1>(`$XdmP1)GMST~(-<v!U95$EB*H*_jAi1_v00$%(5 zo;rX{DTek%0n7g>%~b4p0}uG zcz}m@D)AQiW?$mYLx|=k9$f(79fP&sSMNo?@S%4cz#TQ*VH?1&^q%}Ue1iC%M0pc% z&EVDK!KRh4wsET8b1>R8?6WV)FFoX`3pMrCF;C{q{3k$dV^P1gxRG1XTlW+^dlyC9 zdU;#t{-4&q|B3fGoBE4!xEm0U%HGd2eG|~k{XbnD-hh7n5B?&;#{ECbaKV;y{}1j8 zn~(SZIP!nVznWA~SvFbzFDsc~_||Ni#W~f+SCsOe^>I}p?S^6g{}9j9`fzed(l{sU z-=&1WZz=d5fj{r%_29%K|FNnU*Bw`-)A_N Sx>z-0_Wlj8R>`+f`S1TJ`3C6# diff --git a/icons/puppet-lint.svg b/icons/puppet-lint.svg index 4e5d4d0..c2e2cf7 100644 --- a/icons/puppet-lint.svg +++ b/icons/puppet-lint.svg @@ -4,9 +4,9 @@ Date: Wed, 22 Jun 2022 18:02:42 -0700 Subject: [PATCH 107/234] fix image --- icons/puppet-lint.svg | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/icons/puppet-lint.svg b/icons/puppet-lint.svg index c2e2cf7..4e5d4d0 100644 --- a/icons/puppet-lint.svg +++ b/icons/puppet-lint.svg @@ -4,9 +4,9 @@ Date: Thu, 23 Jun 2022 08:36:06 +0300 Subject: [PATCH 108/234] Update trivy-action to fix the performance issue This version of trivy-action fixed an issue reported by GitHub. The detail is in https://github.com/aquasecurity/trivy/issues/2357. --- code-scanning/trivy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index 06b5cae..63be947 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -33,7 +33,7 @@ jobs: docker build -t docker.io/my-organization/my-app:${{ github.sha }} . - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2 + uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe with: image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' format: 'template' From beafd2dec2a4a449a4d7adf79bf9c087826bf851 Mon Sep 17 00:00:00 2001 From: divyansh42 Date: Mon, 28 Mar 2022 17:37:21 +0530 Subject: [PATCH 109/234] Add CRDA starter workflow and modify openshift workflow Signed-off-by: divyansh42 --- code-scanning/crda.yml | 126 ++++++++++++++++++ code-scanning/properties/crda.properties.json | 7 + deployments/openshift.yml | 19 ++- 3 files changed, 150 insertions(+), 2 deletions(-) create mode 100644 code-scanning/crda.yml create mode 100644 code-scanning/properties/crda.properties.json diff --git a/code-scanning/crda.yml b/code-scanning/crda.yml new file mode 100644 index 0000000..d5bb88f --- /dev/null +++ b/code-scanning/crda.yml @@ -0,0 +1,126 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow performs a static analysis of your source code using +# Red Hat CodeReady Dependency Analytics. + +# Scans are triggered: +# 1. On every push to default and protected branches +# 2. On every Pull Request targeting the default branch +# 3. On a weekly schedule +# 4. Manually, on demand, via the "workflow_dispatch" event + +# 💁 The CRDA Starter workflow will: +# - Checkout your repository +# - Setup the required tool stack +# - Install the CRDA command line tool +# - Auto detect the manifest file and install the project's dependencies +# - Perform the security scan using CRDA +# - Upload the SARIF result to the GitHub Code Scanning which can be viewed under the security tab +# - Optionally upload the SARIF file as an artifact for the future reference + +# ℹ️ Configure your repository and the workflow with the following steps: +# 1. Setup the tool stack based on the project's requirement. +# Refer to: https://github.com/redhat-actions/crda/#1-set-up-the-tool-stack +# 2. (Optional) CRDA action attempt to detect the language and install the +# required dependencies for your project. If your project doesn't aligns +# with the default dependency installation command mentioned here +# https://github.com/redhat-actions/crda/#3-installing-dependencies. +# Use the required inputs to setup the same +# 3. (Optional) CRDA action attempts to detect the manifest file if it is +# present in the root of the project and named as per the default mentioned +# here https://github.com/redhat-actions/crda/#3-installing-dependencies. +# If it deviates from the default, use the required inputs to setup the same +# 4. Setup Authentication - Create the CRDA_KEY or SNYK_TOKEN. +# Refer to: https://github.com/redhat-actions/crda/#4-set-up-authentication +# 5. (Optional) Upload SARIF file as an Artifact to download and view +# 6. Commit and push the workflow file to your default branch to trigger a workflow run. + +# 👋 Visit our GitHub organization at https://github.com/redhat-actions/ to see our actions and provide feedback. + +name: CRDA Scan + +# Controls when the workflow will run +on: + # TODO: Customize trigger events based on your DevSecOps processes + # + # This workflow is made to run with OpenShift starter workflow + # https://github.com/actions/starter-workflows/blob/main/deployments/openshift.yml + # However, if you want to run this workflow as a standalone workflow, please + # uncomment the 'push' trigger below and configure it based on your requirements. + # + workflow_call: + secrets: + CRDA_KEY: + required: false + SNYK_TOKEN: + required: false + workflow_dispatch: + + # push: + # branches: [ $default-branch, $protected-branches ] + + # pull_request_target is used to securely share secret to the PR's workflow run. + # For more info visit: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target + pull_request_target: + branches: [ $default-branch ] + types: [ assigned, opened, synchronize, reopened, labeled, edited ] + +permissions: + contents: read + +jobs: + crda-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for redhat-actions/crda to upload SARIF results + name: Scan project vulnerabilities with CRDA + runs-on: ubuntu-20.04 + steps: + + - name: Check out repository + uses: actions/checkout@v2 + + # ******************************************************************* + # Required: Instructions to setup project + # 1. Setup Go, Java, Node.js or Python depending on your project type + # 2. Setup Actions are listed below, choose one from them: + # - Go: https://github.com/actions/setup-go + # - Java: https://github.com/actions/setup-java + # - Node.js: https://github.com/actions/setup-node + # - Python: https://github.com/actions/setup-python + # + # Example: + # - name: Setup Node + # uses: actions/setup-node@v2 + # with: + # node-version: '14' + + # https://github.com/redhat-actions/openshift-tools-installer/blob/main/README.md + - name: Install CRDA CLI + uses: redhat-actions/openshift-tools-installer@v1 + with: + source: github + github_pat: ${{ github.token }} + # Choose the desired version of the CRDA CLI + crda: "latest" + + ###################################################################################### + # https://github.com/redhat-actions/crda/blob/main/README.md + # + # By default, CRDA will detect the manifest file and install the required dependencies + # using the standard command for the project type. + # If your project doesn't aligns with the defaults mentioned in this action, you will + # need to set few inputs that are described here: + # https://github.com/redhat-actions/crda/blob/main/README.md#3-installing-dependencies + # Visit https://github.com/redhat-actions/crda/#4-set-up-authentication to understand + # process to get a SNYK_TOKEN or a CRDA_KEY + - name: CRDA Scan + id: scan + uses: redhat-actions/crda@v1 + with: + crda_key: ${{ secrets.CRDA_KEY }} # Either use crda_key or snyk_token + # snyk_token: ${{ secrets.SNYK_TOKEN }} + # upload_artifact: false # Set this to false to skip artifact upload diff --git a/code-scanning/properties/crda.properties.json b/code-scanning/properties/crda.properties.json new file mode 100644 index 0000000..9e1a7ac --- /dev/null +++ b/code-scanning/properties/crda.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Red Hat CodeReady Dependency Analytics", + "creator": "Red Hat", + "description": "Scan your project's dependencies with CodeReady Dependency Analytics.", + "iconName": "openshift", + "categories": ["Code Scanning", "Go", "Python", "Node.js", "Java"] +} diff --git a/deployments/openshift.yml b/deployments/openshift.yml index 5775cb0..8504059 100644 --- a/deployments/openshift.yml +++ b/deployments/openshift.yml @@ -54,15 +54,30 @@ env: on: # https://docs.github.com/en/actions/reference/events-that-trigger-workflows + workflow_dispatch: push: # Edit to the branch(es) you want to build and deploy on each push. branches: [ $default-branch ] jobs: + # 🖊️ EDIT if you want to run vulnerability check on your project before deploying + # the application. Please uncomment the below CRDA scan job and configure to run it in + # your workflow. For details about CRDA action visit https://github.com/redhat-actions/crda/blob/main/README.md + # + # TODO: Make sure to add 'CRDA Scan' starter workflow from the 'Actions' tab. + # For guide on adding new starter workflow visit https://docs.github.com/en/github-ae@latest/actions/using-workflows/using-starter-workflows + + crda-scan: + uses: ./.github/workflows/crda.yml + secrets: + CRDA_KEY: ${{ secrets.CRDA_KEY }} + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # Either use SNYK_TOKEN or CRDA_KEY + openshift-ci-cd: + # 🖊️ Uncomment this if you are using CRDA scan step above + # needs: crda-scan name: Build and deploy to OpenShift - # ubuntu-20.04 can also be used. - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 environment: production outputs: From 658980f080dea11eda60ca93a162b99239eebf8e Mon Sep 17 00:00:00 2001 From: Shaopeng Li Date: Mon, 27 Jun 2022 20:51:38 -0700 Subject: [PATCH 110/234] Add lintr starter workflow --- code-scanning/lintr.yml | 54 ++ .../properties/lintr.properties.json | 6 + icons/lintr.svg | 679 ++++++++++++++++++ 3 files changed, 739 insertions(+) create mode 100644 code-scanning/lintr.yml create mode 100644 code-scanning/properties/lintr.properties.json create mode 100644 icons/lintr.svg diff --git a/code-scanning/lintr.yml b/code-scanning/lintr.yml new file mode 100644 index 0000000..74a3b21 --- /dev/null +++ b/code-scanning/lintr.yml @@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# lintr provides static code analysis for R. +# It checks for adherence to a given style, +# identifying syntax errors and possible semantic issues, +# then reports them to you so you can take action. +# More details at https://lintr.r-lib.org/ + +name: lintr + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + lintr: + name: Run lintr scanning + runs-on: ubuntu-latest + permissions: + contents: read # for checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Setup R + uses: r-lib/actions/setup-r@4e1feaf90520ec1215d1882fdddfe3411c08e492 + + - name: Setup lintr + uses: r-lib/actions/setup-r-dependencies@4e1feaf90520ec1215d1882fdddfe3411c08e492 + with: + extra-packages: lintr + + - name: Run lintr + run: lintr::sarif_output(lintr::lint_dir("."), "lintr-results.sarif") + shell: Rscript {0} + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: lintr-results.sarif + wait-for-processing: true diff --git a/code-scanning/properties/lintr.properties.json b/code-scanning/properties/lintr.properties.json new file mode 100644 index 0000000..07e9741 --- /dev/null +++ b/code-scanning/properties/lintr.properties.json @@ -0,0 +1,6 @@ +{ + "name": "lintr", + "description": "lintr provides static code analysis for R.", + "iconName": "lintr", + "categories": [ "Code Scanning", "R" ] +} \ No newline at end of file diff --git a/icons/lintr.svg b/icons/lintr.svg new file mode 100644 index 0000000..cdc40d8 --- /dev/null +++ b/icons/lintr.svg @@ -0,0 +1,679 @@ + + + + + + + + + + From 4235f787e51ef913ae2ae78052c2d771b01f515f Mon Sep 17 00:00:00 2001 From: James Moore Date: Tue, 28 Jun 2022 08:00:44 +0100 Subject: [PATCH 111/234] fix cosign command line args --- ci/docker-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 71aff41..e88539d 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -90,4 +90,4 @@ jobs: COSIGN_EXPERIMENTAL: "true" # This step uses the identity token to provision an ephemeral certificate # against the sigstore community Fulcio instance. - run: cosign sign ${{ steps.meta.outputs.tags }}@${{ steps.build-and-push.outputs.digest }} + run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} From 948fdf226a354119fd08717925bc56caaf64c165 Mon Sep 17 00:00:00 2001 From: Federico Builes Date: Tue, 28 Jun 2022 17:20:56 +0200 Subject: [PATCH 112/234] Update the sample version of the Dependency Review action. --- code-scanning/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 8966511..fe461b4 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -17,4 +17,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@v3 - name: 'Dependency Review' - uses: actions/dependency-review-action@v1 + uses: actions/dependency-review-action@v2 From 313d29fe98742126d16aed69a2e4e534180470d8 Mon Sep 17 00:00:00 2001 From: Andreas Nesheim Date: Tue, 5 Jul 2022 09:53:27 +0200 Subject: [PATCH 113/234] Update dotnet.yml --- ci/dotnet.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/dotnet.yml b/ci/dotnet.yml index 5974d4a..a8eccab 100644 --- a/ci/dotnet.yml +++ b/ci/dotnet.yml @@ -16,7 +16,7 @@ jobs: - name: Setup .NET uses: actions/setup-dotnet@v2 with: - dotnet-version: 5.0.x + dotnet-version: 6.0.x - name: Restore dependencies run: dotnet restore - name: Build From b8cd0487750ed06b0ca6a9e878f561ddaa3d6ab0 Mon Sep 17 00:00:00 2001 From: Andreas Nesheim Date: Tue, 5 Jul 2022 09:57:44 +0200 Subject: [PATCH 114/234] Update dotnet-desktop.yml --- ci/dotnet-desktop.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index 00a78c7..bd2cb2e 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -71,7 +71,7 @@ jobs: - name: Install .NET Core uses: actions/setup-dotnet@v2 with: - dotnet-version: 5.0.x + dotnet-version: 6.0.x # Add MSBuild to the PATH: https://github.com/microsoft/setup-msbuild - name: Setup MSBuild.exe From 4d31a0b2a19136fed4d8f8beb6745c43c9530d66 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 19 Jul 2022 00:47:52 +0000 Subject: [PATCH 115/234] update --- ci/go-ossf-slsa3-publish.yml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/ci/go-ossf-slsa3-publish.yml b/ci/go-ossf-slsa3-publish.yml index 3f1b732..a738875 100644 --- a/ci/go-ossf-slsa3-publish.yml +++ b/ci/go-ossf-slsa3-publish.yml @@ -20,16 +20,19 @@ on: permissions: read-all jobs: + # ======================================================================================================================================== + # Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project. + # See format in https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file + #========================================================================================================================================= build: permissions: id-token: write # To sign. contents: write # To upload release assets. actions: read # To read workflow path. - # If you need more configuration options, such as ldflag examples, - # visit https://github.com/slsa-framework/slsa-github-generator#golang-projects. - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.1.1 + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.0 with: - # By default, the config file is .slsa-goreleaser.yml in the root directory. - # The format of the config file is described in - # https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file. go-version: 1.17 + # ============================================================================================================= + # Optional: For more options, see https://github.com/slsa-framework/slsa-github-generator#golang-projects + # ============================================================================================================= + From 157a5156d853fdfdef304b631876bf6b92526ed8 Mon Sep 17 00:00:00 2001 From: omerzi Date: Tue, 26 Jul 2022 10:54:41 +0300 Subject: [PATCH 116/234] Adding JFrog Frogbot to GitHub starter workflows --- code-scanning/frogbot-fix.yml | 56 +++++++++ code-scanning/frogbot-scan-pr.yml | 112 ++++++++++++++++++ .../properties/frogbot-fix.properties.json | 15 +++ .../frogbot-scan-pr.properties.json | 15 +++ icons/frogbot.svg | 80 +++++++++++++ 5 files changed, 278 insertions(+) create mode 100644 code-scanning/frogbot-fix.yml create mode 100644 code-scanning/frogbot-scan-pr.yml create mode 100644 code-scanning/properties/frogbot-fix.properties.json create mode 100644 code-scanning/properties/frogbot-scan-pr.properties.json create mode 100644 icons/frogbot.svg diff --git a/code-scanning/frogbot-fix.yml b/code-scanning/frogbot-fix.yml new file mode 100644 index 0000000..278e8fa --- /dev/null +++ b/code-scanning/frogbot-fix.yml @@ -0,0 +1,56 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot + +name: "Frogbot Fix" +on: + push: + branches: + # The scanning and creation of pull requests with fixes are triggered by pushing code to one of the these branches. + # You can edit the list of branches you wish to open fix pull requests on. + - "main" + - "master" +permissions: + contents: write + pull-requests: write +jobs: + create-fix-pull-requests: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + # Install prerequisites - uncomment the relevant one + + # - uses: actions/setup-go@v3 + # with: + # go-version: 1.17.x + + # - uses: actions/setup-java@v3 + # with: + # java-version: "11" + # distribution: "temurin" + + # - uses: actions/setup-node@v3 + # with: + # node-version: "16.x" + + + - uses: jfrog/frogbot@v2 + env: + # [Mandatory] + # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) + JF_URL: ${{ secrets.FROGBOT_URL }} + + # [Mandatory if JF_USER and JF_PASSWORD are not provided] + # JFrog access token with 'read' permissions on Xray service + JF_ACCESS_TOKEN: ${{ secrets.FROGBOT_ACCESS_TOKEN }} + + # [Mandatory] + # The GitHub token automatically generated for the job + JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # [Mandatory if using npm] + # The command that installs the dependencies + # JF_INSTALL_DEPS_CMD: "npm i" \ No newline at end of file diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml new file mode 100644 index 0000000..54304d3 --- /dev/null +++ b/code-scanning/frogbot-scan-pr.yml @@ -0,0 +1,112 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: "Frogbot Scan" +on: + pull_request_target: + types: [ opened, synchronize ] +permissions: + pull-requests: write +jobs: + scan-pull-request: + runs-on: ubuntu-latest + # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the + # "frogbot" GitHub environment can approve the pull request to be scanned. + environment: frogbot + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + + # Install prerequisites - uncomment the relevant ones + + # - uses: actions/setup-go@v3 + # with: + # go-version: 1.17.x + + # - uses: actions/setup-java@v3 + # with: + # java-version: "11" + # distribution: "temurin" + + # - uses: actions/setup-node@v3 + # with: + # node-version: "16.x" + + # - uses: gradle/gradle-build-action@v2 + + # - uses: actions/setup-dotnet@v2 + # with: + # dotnet-version: "3.1.x" + + # - uses: nuget/setup-nuget@v1 + # with: + # nuget-version: "5.x" + + # - uses: actions/setup-python@v3 + # with: + # python-version: "3.x" + + # - run: pipx install pipenv + + - uses: jfrog/frogbot@v2 + env: + # [Mandatory] + # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) + JF_URL: ${{ secrets.JF_URL }} + + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD + JF_USER: ${{ secrets.JF_USER }} + + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog password. Must be provided with JF_USER + JF_PASSWORD: ${{ secrets.JF_PASSWORD }} + + # [Mandatory] + # The GitHub token automatically generated for the job + JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # Uncomment the below options if you'd like to use them. + + # [Mandatory when using npm] + # The command that installs the dependencies + # JF_INSTALL_DEPS_CMD: "npm i" + + # [Mandatory when using .NET] + # The command that installs the dependencies + # JF_INSTALL_DEPS_CMD: "dotnet restore" + + # [Optional when using Nuget] + # The command that installs the dependencies + # JF_INSTALL_DEPS_CMD: "nuget restore" + + # [Optional when using Pip] + # The command that installs the dependencies + # JF_INSTALL_DEPS_CMD: "pip install" + + # [Optional when using Pipenv] + # The command that installs the dependencies + # JF_INSTALL_DEPS_CMD: "pipenv install" + + # [Optional, default: https://api.github.com] + # API endpoint to GitHub + # JF_GIT_API_ENDPOINT: https://github.example.com + + # [Mandatory if JF_USER and JF_PASSWORD are not provided] + # JFrog access token with 'read' permissions on Xray service + # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} + + # [Optional, default: "."] + # Relative path to the project in the git repository + # JF_WORKING_DIR: path/to/working/dir + + # [Optional] + # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches + # JF_WATCHES: ,... + + # [Optional] + # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects + # JF_PROJECT: \ No newline at end of file diff --git a/code-scanning/properties/frogbot-fix.properties.json b/code-scanning/properties/frogbot-fix.properties.json new file mode 100644 index 0000000..5d04487 --- /dev/null +++ b/code-scanning/properties/frogbot-fix.properties.json @@ -0,0 +1,15 @@ +{ + "name": "Frogbot Scan and Fix", + "description": "Automatically creates pull requests with fixes for vulnerable project dependencies. Uses JFrog Xray to scan the project. Included as part of JFrog's free subscription.", + "iconName": "frogbot", + "categories": [ + "Code Scanning", + "Go Module", + "Maven POM", + "NPM Config", + "Gradle", + "C#", + "Python" + ], + "organization": "JFrog" +} \ No newline at end of file diff --git a/code-scanning/properties/frogbot-scan-pr.properties.json b/code-scanning/properties/frogbot-scan-pr.properties.json new file mode 100644 index 0000000..e0a93c8 --- /dev/null +++ b/code-scanning/properties/frogbot-scan-pr.properties.json @@ -0,0 +1,15 @@ +{ + "name": "Frogbot Scan Pull Requests", + "description": "Automatically scans new pull requests for security vulnerabilities. Uses JFrog Xray to scan the project. Included as part of JFrog's free subscription.", + "iconName": "frogbot", + "categories": [ + "Code Scanning", + "Go Module", + "Maven POM", + "NPM Config", + "Gradle", + "C#", + "Python" + ], + "owner": "JFrog" +} \ No newline at end of file diff --git a/icons/frogbot.svg b/icons/frogbot.svg new file mode 100644 index 0000000..21100d9 --- /dev/null +++ b/icons/frogbot.svg @@ -0,0 +1,80 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From 8d20e653093dd0b3a96d85d7eb4acfdf17538708 Mon Sep 17 00:00:00 2001 From: omerzi Date: Tue, 26 Jul 2022 10:56:16 +0300 Subject: [PATCH 117/234] Adding JFrog Frogbot to GitHub starter workflows --- code-scanning/properties/frogbot-scan-pr.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/frogbot-scan-pr.properties.json b/code-scanning/properties/frogbot-scan-pr.properties.json index e0a93c8..8f9626c 100644 --- a/code-scanning/properties/frogbot-scan-pr.properties.json +++ b/code-scanning/properties/frogbot-scan-pr.properties.json @@ -11,5 +11,5 @@ "C#", "Python" ], - "owner": "JFrog" + "organization": "JFrog" } \ No newline at end of file From 3f209e2e12fe65ca78260e8b76979987a7d04d8e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Jul 2022 11:07:22 +0000 Subject: [PATCH 118/234] Bump pozil/auto-assign-issue from 1.4.0 to 1.8.0 Bumps [pozil/auto-assign-issue](https://github.com/pozil/auto-assign-issue) from 1.4.0 to 1.8.0. - [Release notes](https://github.com/pozil/auto-assign-issue/releases) - [Commits](https://github.com/pozil/auto-assign-issue/compare/v1.4.0...v1.8.0) --- updated-dependencies: - dependency-name: pozil/auto-assign-issue dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/auto-assign-issues.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml index b8406e9..a30a190 100644 --- a/.github/workflows/auto-assign-issues.yml +++ b/.github/workflows/auto-assign-issues.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Auto-assign issue' - uses: pozil/auto-assign-issue@v1.4.0 + uses: pozil/auto-assign-issue@v1.8.0 with: assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft numOfAssignee: 1 From d21062f26a40d2ecdff191dab5d946422d103194 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Jul 2022 12:06:19 +0000 Subject: [PATCH 119/234] Bump peter-evans/close-issue from 1 to 2 Bumps [peter-evans/close-issue](https://github.com/peter-evans/close-issue) from 1 to 2. - [Release notes](https://github.com/peter-evans/close-issue/releases) - [Commits](https://github.com/peter-evans/close-issue/compare/v1...v2) --- updated-dependencies: - dependency-name: peter-evans/close-issue dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/label-feature.yml | 2 +- .github/workflows/label-support.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/label-feature.yml b/.github/workflows/label-feature.yml index d13cf87..122caac 100644 --- a/.github/workflows/label-feature.yml +++ b/.github/workflows/label-feature.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Close Issue - uses: peter-evans/close-issue@v1 + uses: peter-evans/close-issue@v2 if: contains(github.event.issue.labels.*.name, 'feature') with: comment: | diff --git a/.github/workflows/label-support.yml b/.github/workflows/label-support.yml index ea0f240..e762afc 100644 --- a/.github/workflows/label-support.yml +++ b/.github/workflows/label-support.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Close Issue - uses: peter-evans/close-issue@v1 + uses: peter-evans/close-issue@v2 if: contains(github.event.issue.labels.*.name, 'support') with: comment: | From 4a8f18e34dd13d2b6ee4d8da2ba72629eafe1609 Mon Sep 17 00:00:00 2001 From: Jess Bees Date: Wed, 27 Jul 2022 09:15:54 -0400 Subject: [PATCH 120/234] Add starter workflows for Pages builds and deployments (#1645) * commit dummy workflow * Update nextjs.yml * renaming * actually do a node build * add jekyll build & deploy * add permissions * update jekyll to use composite upload action * update next to use composite upload action * update icon yml * change nexjs icon * Cleanup further the Jekyll template * add gatsby starter workflow * fix composite error * fix updated actions * Add Hugo * Apply suggestions from code review * Inital commit for nuxtjs starter workflow * Cleanup all templates * Add baseUrl through an action * Use `base_url` output for Hugo configuration * Create static.yml * Create static.properties.json * clarify path * alternative jekyll icon with only tube * use alternate jekyll icon * use original xvg with proper viewBox parameters * Add paper-spa/configure-pages to starter workflows Replaces paper-spa/setup-pages where appropriate. * use setup-ruby action instead of our container * Add starter workflow for GitHub Pages's legacy Jekyll build Named `jekyll-gh-pages` so that it connotes the familiar "hands off" build process of the Jekyll build as performed by github pages workers, without sounding deprecated by using the words "legacy" or "classic". * Use the static_site_generator input so we can modify the correct config * Update gatsby.yml * Update wording on the 'legacy' jekyll workflow * Fix filename: this should have a json extension * Fix filename: this should have a .properties.json extension * Update nextjs.properties.json * Update static.properties.json * Fix typo in name of Gatsby * Remove pull_request triggers * Update to latest versions of core Actions * Remove '--if-present' flag from 'npm run build' commands to prevent silent failure * Perform static HTML export for Next.js * Add '--no-install' flag to 'npx' usage * Update Nuxt starter workflow to run 'generate' * Default to using npm if not using yarn * Reword 'nuxt generate' step name * Update pages/gatsby.yml * Update description of Jekyll starter workflow * Add configure-pages step to static workflow * Add configuration step to enable Pages * Pages: Set `PREFIX_PATHS` env var for Gatsby build * Update Next.js starter workflow to cache builds See https://nextjs.org/docs/advanced-features/ci-build-caching#github-actions * Update NuxtJS starter workflow to cache builds Basically modeled after the Gatsby starter workflow * Call out node ssg getting started + setup * Update nuxt documentation * Retarget actions referencing `paper-spa` to `actions` Also point to newly published `v1` tags rather than `main` or `v0`. Co-authored-by: yimysty Co-authored-by: Tommy Byrd Co-authored-by: Yoann Chaudet Co-authored-by: Timothy Co-authored-by: Smitha Borkar <12040799+smithaborkar@users.noreply.github.com> Co-authored-by: James M. Greene --- icons/gatsby.svg | 7 ++ icons/hugo.svg | 9 ++ icons/jekyll-tube.svg | 1 + icons/nextjs.svg | 3 + icons/nuxtjs.svg | 4 + pages/gatsby.yml | 96 +++++++++++++++++++ pages/hugo.yml | 66 +++++++++++++ pages/jekyll-gh-pages.yml | 50 ++++++++++ pages/jekyll.yml | 53 ++++++++++ pages/nextjs.yml | 95 ++++++++++++++++++ pages/nuxtjs.yml | 90 +++++++++++++++++ pages/properties/gatsby.properties.json | 7 ++ pages/properties/hugo.properties.json | 7 ++ .../jekyll-gh-pages.properties.json | 7 ++ pages/properties/jekyll.properties.json | 7 ++ pages/properties/nextjs.properties.json | 7 ++ pages/properties/nuxtjs.properties.json | 7 ++ pages/properties/static.properties.json | 7 ++ pages/static.yml | 42 ++++++++ 19 files changed, 565 insertions(+) create mode 100644 icons/gatsby.svg create mode 100644 icons/hugo.svg create mode 100644 icons/jekyll-tube.svg create mode 100644 icons/nextjs.svg create mode 100644 icons/nuxtjs.svg create mode 100644 pages/gatsby.yml create mode 100644 pages/hugo.yml create mode 100644 pages/jekyll-gh-pages.yml create mode 100644 pages/jekyll.yml create mode 100644 pages/nextjs.yml create mode 100644 pages/nuxtjs.yml create mode 100644 pages/properties/gatsby.properties.json create mode 100644 pages/properties/hugo.properties.json create mode 100644 pages/properties/jekyll-gh-pages.properties.json create mode 100644 pages/properties/jekyll.properties.json create mode 100644 pages/properties/nextjs.properties.json create mode 100644 pages/properties/nuxtjs.properties.json create mode 100644 pages/properties/static.properties.json create mode 100644 pages/static.yml diff --git a/icons/gatsby.svg b/icons/gatsby.svg new file mode 100644 index 0000000..5578b06 --- /dev/null +++ b/icons/gatsby.svg @@ -0,0 +1,7 @@ + + + Gatsby + + + + diff --git a/icons/hugo.svg b/icons/hugo.svg new file mode 100644 index 0000000..ea72a6f --- /dev/null +++ b/icons/hugo.svg @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/icons/jekyll-tube.svg b/icons/jekyll-tube.svg new file mode 100644 index 0000000..89dd55d --- /dev/null +++ b/icons/jekyll-tube.svg @@ -0,0 +1 @@ + diff --git a/icons/nextjs.svg b/icons/nextjs.svg new file mode 100644 index 0000000..c45d6e6 --- /dev/null +++ b/icons/nextjs.svg @@ -0,0 +1,3 @@ + + + diff --git a/icons/nuxtjs.svg b/icons/nuxtjs.svg new file mode 100644 index 0000000..bebded3 --- /dev/null +++ b/icons/nuxtjs.svg @@ -0,0 +1,4 @@ + + + + diff --git a/pages/gatsby.yml b/pages/gatsby.yml new file mode 100644 index 0000000..9cdf3fc --- /dev/null +++ b/pages/gatsby.yml @@ -0,0 +1,96 @@ +# Sample workflow for building and deploying a Gatsby site to GitHub Pages +# +# To get started with Gatsby see: https://www.gatsbyjs.com/docs/quick-start/ +# +name: Deploy Gatsby site to Pages + +on: + # Runs on pushes targeting the default branch + push: + branches: [$default-branch] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages +permissions: + contents: read + pages: write + id-token: write + +# Allow one concurrent deployment +concurrency: + group: "pages" + cancel-in-progress: true + +# Default to bash +defaults: + run: + shell: bash + +jobs: + # Build job + build: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + - name: Detect package manager + id: detect-package-manager + run: | + if [ -f "${{ github.workspace }}/yarn.lock" ]; then + echo "::set-output name=manager::yarn" + echo "::set-output name=command::install" + exit 0 + elif [ -f "${{ github.workspace }}/package.json" ]; then + echo "::set-output name=manager::npm" + echo "::set-output name=command::ci" + exit 0 + else + echo "Unable to determine packager manager" + exit 1 + fi + - name: Setup Node + uses: actions/setup-node@v3 + with: + node-version: "16" + cache: ${{ steps.detect-package-manager.outputs.manager }} + - name: Setup Pages + id: pages + uses: actions/configure-pages@v1 + with: + # Automatically inject pathPrefix in your Gatsby configuration file. + # + # You may remove this line if you want to manage the configuration yourself. + static_site_generator: gatsby + - name: Restore cache + uses: actions/cache@v3 + with: + path: | + public + .cache + key: ${{ runner.os }}-gatsby-build-${{ hashFiles('public') }} + restore-keys: | + ${{ runner.os }}-gatsby-build- + - name: Install dependencies + run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }} + - name: Build with Gatsby + env: + PREFIX_PATHS: 'true' + run: ${{ steps.detect-package-manager.outputs.manager }} run build + - name: Upload artifact + uses: actions/upload-pages-artifact@v1 + with: + path: ./public + + # Deployment job + deploy: + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + runs-on: ubuntu-latest + needs: build + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v1 diff --git a/pages/hugo.yml b/pages/hugo.yml new file mode 100644 index 0000000..07b2b85 --- /dev/null +++ b/pages/hugo.yml @@ -0,0 +1,66 @@ +# Sample workflow for building and deploying a Hugo site to GitHub Pages +name: Deploy Hugo site to Pages + +on: + # Runs on pushes targeting the default branch + push: + branches: [$default-branch] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages +permissions: + contents: read + pages: write + id-token: write + +# Allow one concurrent deployment +concurrency: + group: "pages" + cancel-in-progress: true + +# Default to bash +defaults: + run: + shell: bash + +jobs: + # Build job + build: + runs-on: ubuntu-latest + env: + HUGO_VERSION: 0.99.0 + steps: + - name: Install Hugo CLI + run: | + wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_Linux-64bit.deb \ + && sudo dpkg -i ${{ runner.temp }}/hugo.deb + - name: Checkout + uses: actions/checkout@v3 + with: + submodules: recursive + - name: Setup Pages + id: pages + uses: actions/configure-pages@v1 + - name: Build with Hugo + run: | + hugo \ + --minify \ + --baseURL ${{ steps.pages.outputs.base_url }} + - name: Upload artifact + uses: actions/upload-pages-artifact@v1 + with: + path: ./public + + # Deployment job + deploy: + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + runs-on: ubuntu-latest + needs: build + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v1 diff --git a/pages/jekyll-gh-pages.yml b/pages/jekyll-gh-pages.yml new file mode 100644 index 0000000..7ee1e97 --- /dev/null +++ b/pages/jekyll-gh-pages.yml @@ -0,0 +1,50 @@ +# Sample workflow for building and deploying a Jekyll site to GitHub Pages +name: Deploy Jekyll with GitHub Pages dependencies preinstalled + +on: + # Runs on pushes targeting the default branch + push: + branches: [$default-branch] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages +permissions: + contents: read + pages: write + id-token: write + +# Allow one concurrent deployment +concurrency: + group: "pages" + cancel-in-progress: true + +jobs: + # Build job + build: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + - name: Setup Pages + uses: actions/configure-pages@v1 + - name: Build with Jekyll + uses: actions/jekyll-build-pages@v1 + with: + source: ./ + destination: ./_site + - name: Upload artifact + uses: actions/upload-pages-artifact@v1 + + # Deployment job + deploy: + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + runs-on: ubuntu-latest + needs: build + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v1 diff --git a/pages/jekyll.yml b/pages/jekyll.yml new file mode 100644 index 0000000..05c8761 --- /dev/null +++ b/pages/jekyll.yml @@ -0,0 +1,53 @@ +# Sample workflow for building and deploying a Jekyll site to GitHub Pages +name: Deploy Jekyll site to Pages + +on: + # Runs on pushes targeting the default branch + push: + branches: [$default-branch] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages +permissions: + contents: read + pages: write + id-token: write + +# Allow one concurrent deployment +concurrency: + group: "pages" + cancel-in-progress: true + +jobs: + # Build job + build: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + - name: Setup Ruby + uses: ruby/setup-ruby@v1 + with: + ruby-version: '3.0' # Not needed with a .ruby-version file + bundler-cache: true # runs 'bundle install' and caches installed gems automatically + cache-version: 0 # Increment this number if you need to re-download cached gems + - name: Setup Pages + id: pages + uses: actions/configure-pages@v1 + - run: bundle exec jekyll build --baseurl ${{ steps.pages.outputs.base_path }} # defaults output to '/_site' + - name: Upload artifact + uses: actions/upload-pages-artifact@v1 # This will automatically upload an artifact from the '/_site' directory + + # Deployment job + deploy: + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + runs-on: ubuntu-latest + needs: build + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v1 diff --git a/pages/nextjs.yml b/pages/nextjs.yml new file mode 100644 index 0000000..79a1cc8 --- /dev/null +++ b/pages/nextjs.yml @@ -0,0 +1,95 @@ +# Sample workflow for building and deploying a Next.js site to GitHub Pages +# +# To get started with Next.js see: https://nextjs.org/docs/getting-started +# +name: Deploy Next.js site to Pages + +on: + # Runs on pushes targeting the default branch + push: + branches: [$default-branch] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages +permissions: + contents: read + pages: write + id-token: write + +# Allow one concurrent deployment +concurrency: + group: "pages" + cancel-in-progress: true + +jobs: + # Build job + build: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + - name: Detect package manager + id: detect-package-manager + run: | + if [ -f "${{ github.workspace }}/yarn.lock" ]; then + echo "::set-output name=manager::yarn" + echo "::set-output name=command::install" + echo "::set-output name=runner::yarn" + exit 0 + elif [ -f "${{ github.workspace }}/package.json" ]; then + echo "::set-output name=manager::npm" + echo "::set-output name=command::ci" + echo "::set-output name=runner::npx --no-install" + exit 0 + else + echo "Unable to determine packager manager" + exit 1 + fi + - name: Setup Node + uses: actions/setup-node@v3 + with: + node-version: "16" + cache: ${{ steps.detect-package-manager.outputs.manager }} + - name: Setup Pages + id: pages + uses: actions/configure-pages@v1 + with: + # Automatically inject basePath in your Next.js configuration file and disable + # server side image optimization (https://nextjs.org/docs/api-reference/next/image#unoptimized). + # + # You may remove this line if you want to manage the configuration yourself. + static_site_generator: next + - name: Restore cache + uses: actions/cache@v3 + with: + path: | + .next/cache + # Generate a new cache whenever packages or source files change. + key: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}-${{ hashFiles('**.[jt]s', '**.[jt]sx') }} + # If source files changed but packages didn't, rebuild from a prior cache. + restore-keys: | + ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}- + - name: Install dependencies + run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }} + - name: Build with Next.js + run: ${{ steps.detect-package-manager.outputs.runner }} next build + - name: Static HTML export with Next.js + run: ${{ steps.detect-package-manager.outputs.runner }} next export + - name: Upload artifact + uses: actions/upload-pages-artifact@v1 + with: + path: ./out + + # Deployment job + deploy: + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + runs-on: ubuntu-latest + needs: build + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v1 diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml new file mode 100644 index 0000000..87c1201 --- /dev/null +++ b/pages/nuxtjs.yml @@ -0,0 +1,90 @@ +# Sample workflow for building and deploying a Nuxt site to GitHub Pages +# +# To get started with Nuxt see: https://nuxtjs.org/docs/get-started/installation +# +name: Deploy Nuxt site to Pages + +on: + # Runs on pushes targeting the default branch + push: + branches: [$default-branch] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages +permissions: + contents: read + pages: write + id-token: write + +# Allow one concurrent deployment +concurrency: + group: "pages" + cancel-in-progress: true + +jobs: + # Build job + build: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + - name: Detect package manager + id: detect-package-manager + run: | + if [ -f "${{ github.workspace }}/yarn.lock" ]; then + echo "::set-output name=manager::yarn" + echo "::set-output name=command::install" + exit 0 + elif [ -f "${{ github.workspace }}/package.json" ]; then + echo "::set-output name=manager::npm" + echo "::set-output name=command::ci" + exit 0 + else + echo "Unable to determine packager manager" + exit 1 + fi + - name: Setup Node + uses: actions/setup-node@v3 + with: + node-version: "16" + cache: ${{ steps.detect-package-manager.outputs.manager }} + - name: Setup Pages + id: pages + uses: actions/configure-pages@v1 + with: + # Automatically inject router.base in your Nuxt configuration file and set + # target to static (https://nuxtjs.org/docs/configuration-glossary/configuration-target/). + # + # You may remove this line if you want to manage the configuration yourself. + static_site_generator: nuxt + - name: Restore cache + uses: actions/cache@v3 + with: + path: | + dist + .nuxt + key: ${{ runner.os }}-nuxt-build-${{ hashFiles('dist') }} + restore-keys: | + ${{ runner.os }}-nuxt-build- + - name: Install dependencies + run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }} + - name: Static HTML export with Nuxt + run: ${{ steps.detect-package-manager.outputs.manager }} run generate + - name: Upload artifact + uses: actions/upload-pages-artifact@v1 + with: + path: ./dist + + # Deployment job + deploy: + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + runs-on: ubuntu-latest + needs: build + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v1 diff --git a/pages/properties/gatsby.properties.json b/pages/properties/gatsby.properties.json new file mode 100644 index 0000000..7d82424 --- /dev/null +++ b/pages/properties/gatsby.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Gatsby", + "creator": "GitHub Actions", + "description": "Package a Gatsby site.", + "iconName": "gatsby", + "categories": ["Pages"] +} \ No newline at end of file diff --git a/pages/properties/hugo.properties.json b/pages/properties/hugo.properties.json new file mode 100644 index 0000000..1fa902c --- /dev/null +++ b/pages/properties/hugo.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Hugo", + "creator": "GitHub Actions", + "description": "Package a Hugo site.", + "iconName": "hugo", + "categories": ["Pages"] +} \ No newline at end of file diff --git a/pages/properties/jekyll-gh-pages.properties.json b/pages/properties/jekyll-gh-pages.properties.json new file mode 100644 index 0000000..6f278c8 --- /dev/null +++ b/pages/properties/jekyll-gh-pages.properties.json @@ -0,0 +1,7 @@ +{ + "name": "GitHub Pages Jekyll", + "creator": "GitHub Actions", + "description": "Package a Jekyll site with GitHub Pages dependencies preinstalled.", + "iconName": "jekyll-tube", + "categories": ["Pages"] +} diff --git a/pages/properties/jekyll.properties.json b/pages/properties/jekyll.properties.json new file mode 100644 index 0000000..a6c9d5c --- /dev/null +++ b/pages/properties/jekyll.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Jekyll", + "creator": "GitHub Actions", + "description": "Package a Jekyll site.", + "iconName": "jekyll-tube", + "categories": ["Pages"] +} diff --git a/pages/properties/nextjs.properties.json b/pages/properties/nextjs.properties.json new file mode 100644 index 0000000..0b9d3b4 --- /dev/null +++ b/pages/properties/nextjs.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Next.js", + "creator": "GitHub Actions", + "description": "Package a Next.js site.", + "iconName": "nextjs", + "categories": ["Pages"] +} diff --git a/pages/properties/nuxtjs.properties.json b/pages/properties/nuxtjs.properties.json new file mode 100644 index 0000000..b799074 --- /dev/null +++ b/pages/properties/nuxtjs.properties.json @@ -0,0 +1,7 @@ +{ + "name": "NuxtJS", + "creator": "GitHub Actions", + "description": "Package a NuxtJS site.", + "iconName": "nuxtjs", + "categories": ["Pages"] +} \ No newline at end of file diff --git a/pages/properties/static.properties.json b/pages/properties/static.properties.json new file mode 100644 index 0000000..5b727a8 --- /dev/null +++ b/pages/properties/static.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Static HTML", + "creator": "GitHub Actions", + "description": "Deploy static files in a repository without a build.", + "iconName": "html", + "categories": ["Pages"] +} diff --git a/pages/static.yml b/pages/static.yml new file mode 100644 index 0000000..bd753e9 --- /dev/null +++ b/pages/static.yml @@ -0,0 +1,42 @@ +# Simple workflow for deploying static content to GitHub Pages +name: Deploy static content to Pages + +on: + # Runs on pushes targeting the default branch + push: + branches: [$default-branch] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages +permissions: + contents: read + pages: write + id-token: write + +# Allow one concurrent deployment +concurrency: + group: "pages" + cancel-in-progress: true + +jobs: + # Single deploy job since we're just deploying + deploy: + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + - name: Setup Pages + uses: actions/configure-pages@v1 + - name: Upload artifact + uses: actions/upload-pages-artifact@v1 + with: + # Upload entire repository + path: '.' + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@main From e262f54fe94550c841313843fbad17fb37e0cd2a Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Thu, 28 Jul 2022 18:39:43 -0700 Subject: [PATCH 121/234] Address feedback --- pages/properties/gatsby.properties.json | 3 +-- pages/properties/hugo.properties.json | 3 +-- pages/properties/jekyll-gh-pages.properties.json | 3 +-- pages/properties/jekyll.properties.json | 3 +-- pages/properties/nextjs.properties.json | 3 +-- pages/properties/nuxtjs.properties.json | 3 +-- pages/properties/static.properties.json | 1 - 7 files changed, 6 insertions(+), 13 deletions(-) diff --git a/pages/properties/gatsby.properties.json b/pages/properties/gatsby.properties.json index 7d82424..df260f8 100644 --- a/pages/properties/gatsby.properties.json +++ b/pages/properties/gatsby.properties.json @@ -1,7 +1,6 @@ { "name": "Gatsby", - "creator": "GitHub Actions", "description": "Package a Gatsby site.", "iconName": "gatsby", - "categories": ["Pages"] + "categories": ["Pages", "Gatsby"] } \ No newline at end of file diff --git a/pages/properties/hugo.properties.json b/pages/properties/hugo.properties.json index 1fa902c..b6f6dc7 100644 --- a/pages/properties/hugo.properties.json +++ b/pages/properties/hugo.properties.json @@ -1,7 +1,6 @@ { "name": "Hugo", - "creator": "GitHub Actions", "description": "Package a Hugo site.", "iconName": "hugo", - "categories": ["Pages"] + "categories": ["Pages", "Hugo"] } \ No newline at end of file diff --git a/pages/properties/jekyll-gh-pages.properties.json b/pages/properties/jekyll-gh-pages.properties.json index 6f278c8..3e38602 100644 --- a/pages/properties/jekyll-gh-pages.properties.json +++ b/pages/properties/jekyll-gh-pages.properties.json @@ -1,7 +1,6 @@ { "name": "GitHub Pages Jekyll", - "creator": "GitHub Actions", "description": "Package a Jekyll site with GitHub Pages dependencies preinstalled.", "iconName": "jekyll-tube", - "categories": ["Pages"] + "categories": ["Pages", "Jekyll"] } diff --git a/pages/properties/jekyll.properties.json b/pages/properties/jekyll.properties.json index a6c9d5c..8b4c1d2 100644 --- a/pages/properties/jekyll.properties.json +++ b/pages/properties/jekyll.properties.json @@ -1,7 +1,6 @@ { "name": "Jekyll", - "creator": "GitHub Actions", "description": "Package a Jekyll site.", "iconName": "jekyll-tube", - "categories": ["Pages"] + "categories": ["Pages", "Jekyll"] } diff --git a/pages/properties/nextjs.properties.json b/pages/properties/nextjs.properties.json index 0b9d3b4..4209908 100644 --- a/pages/properties/nextjs.properties.json +++ b/pages/properties/nextjs.properties.json @@ -1,7 +1,6 @@ { "name": "Next.js", - "creator": "GitHub Actions", "description": "Package a Next.js site.", "iconName": "nextjs", - "categories": ["Pages"] + "categories": ["Pages", "Next"] } diff --git a/pages/properties/nuxtjs.properties.json b/pages/properties/nuxtjs.properties.json index b799074..d79909e 100644 --- a/pages/properties/nuxtjs.properties.json +++ b/pages/properties/nuxtjs.properties.json @@ -1,7 +1,6 @@ { "name": "NuxtJS", - "creator": "GitHub Actions", "description": "Package a NuxtJS site.", "iconName": "nuxtjs", - "categories": ["Pages"] + "categories": ["Pages", "Nuxt"] } \ No newline at end of file diff --git a/pages/properties/static.properties.json b/pages/properties/static.properties.json index 5b727a8..7181b6e 100644 --- a/pages/properties/static.properties.json +++ b/pages/properties/static.properties.json @@ -1,6 +1,5 @@ { "name": "Static HTML", - "creator": "GitHub Actions", "description": "Deploy static files in a repository without a build.", "iconName": "html", "categories": ["Pages"] From 095efcc4ae6d78a141a5925360fec19a10d5fa45 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 1 Aug 2022 06:34:01 -0700 Subject: [PATCH 122/234] more metadata --- pages/properties/static.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/properties/static.properties.json b/pages/properties/static.properties.json index 7181b6e..372579c 100644 --- a/pages/properties/static.properties.json +++ b/pages/properties/static.properties.json @@ -2,5 +2,5 @@ "name": "Static HTML", "description": "Deploy static files in a repository without a build.", "iconName": "html", - "categories": ["Pages"] + "categories": ["Pages", "HTML", "JavaScript", "CSS"] } From e35bb09c200dd3bc2dccb7cf1e4f1aa5fce0a9a4 Mon Sep 17 00:00:00 2001 From: omerzi Date: Sun, 7 Aug 2022 09:32:25 +0300 Subject: [PATCH 123/234] Code review changes --- code-scanning/frogbot-fix.yml | 5 ++- code-scanning/frogbot-scan-pr.yml | 58 ++++++------------------------- 2 files changed, 14 insertions(+), 49 deletions(-) diff --git a/code-scanning/frogbot-fix.yml b/code-scanning/frogbot-fix.yml index 278e8fa..b51c269 100644 --- a/code-scanning/frogbot-fix.yml +++ b/code-scanning/frogbot-fix.yml @@ -2,6 +2,9 @@ # They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support # documentation. +# Frogbot Scan and Fix does the following: +# Automatically creates pull requests with fixes for vulnerable project dependencies. +# Uses JFrog Xray to scan the project. # Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot name: "Frogbot Fix" @@ -37,7 +40,7 @@ jobs: # node-version: "16.x" - - uses: jfrog/frogbot@v2 + - uses: jfrog/frogbot@2291fc454e8aeea77386cfcb85a1ae36765bb1f4 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index 54304d3..325cc24 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml @@ -2,6 +2,10 @@ # They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support # documentation. +# Frogbot Scan Pull Requests does the following: +# Automatically scans new pull requests for security vulnerabilities. +# Uses JFrog Xray to scan the project. +# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot name: "Frogbot Scan" on: @@ -35,23 +39,9 @@ jobs: # with: # node-version: "16.x" - # - uses: gradle/gradle-build-action@v2 + # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request - # - uses: actions/setup-dotnet@v2 - # with: - # dotnet-version: "3.1.x" - - # - uses: nuget/setup-nuget@v1 - # with: - # nuget-version: "5.x" - - # - uses: actions/setup-python@v3 - # with: - # python-version: "3.x" - - # - run: pipx install pipenv - - - uses: jfrog/frogbot@v2 + - uses: jfrog/frogbot@2291fc454e8aeea77386cfcb85a1ae36765bb1f4 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) @@ -69,7 +59,9 @@ jobs: # The GitHub token automatically generated for the job JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # Uncomment the below options if you'd like to use them. + # [Mandatory if JF_USER and JF_PASSWORD are not provided] + # JFrog access token with 'read' permissions on Xray service + # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} # [Mandatory when using npm] # The command that installs the dependencies @@ -79,34 +71,4 @@ jobs: # The command that installs the dependencies # JF_INSTALL_DEPS_CMD: "dotnet restore" - # [Optional when using Nuget] - # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "nuget restore" - - # [Optional when using Pip] - # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "pip install" - - # [Optional when using Pipenv] - # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "pipenv install" - - # [Optional, default: https://api.github.com] - # API endpoint to GitHub - # JF_GIT_API_ENDPOINT: https://github.example.com - - # [Mandatory if JF_USER and JF_PASSWORD are not provided] - # JFrog access token with 'read' permissions on Xray service - # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} - - # [Optional, default: "."] - # Relative path to the project in the git repository - # JF_WORKING_DIR: path/to/working/dir - - # [Optional] - # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches - # JF_WATCHES: ,... - - # [Optional] - # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects - # JF_PROJECT: \ No newline at end of file + # The full template list with full optional environment variables can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request \ No newline at end of file From 552d98b770dc070aabb54827ef43ef6a8234969f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Aug 2022 13:23:06 +0000 Subject: [PATCH 124/234] Bump pozil/auto-assign-issue from 1.8.0 to 1.9.0 Bumps [pozil/auto-assign-issue](https://github.com/pozil/auto-assign-issue) from 1.8.0 to 1.9.0. - [Release notes](https://github.com/pozil/auto-assign-issue/releases) - [Commits](https://github.com/pozil/auto-assign-issue/compare/v1.8.0...v1.9.0) --- updated-dependencies: - dependency-name: pozil/auto-assign-issue dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/auto-assign-issues.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml index a30a190..ec278a6 100644 --- a/.github/workflows/auto-assign-issues.yml +++ b/.github/workflows/auto-assign-issues.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Auto-assign issue' - uses: pozil/auto-assign-issue@v1.8.0 + uses: pozil/auto-assign-issue@v1.9.0 with: assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft numOfAssignee: 1 From aa797da6b2edcd9760ce0321c2e7b7f872d08c06 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 10 Aug 2022 18:19:19 +0530 Subject: [PATCH 125/234] Fix PR assign --- .github/workflows/auto-assign.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/auto-assign.yml b/.github/workflows/auto-assign.yml index 4dcc612..d7161b1 100644 --- a/.github/workflows/auto-assign.yml +++ b/.github/workflows/auto-assign.yml @@ -1,6 +1,6 @@ name: 'Auto Assign' on: - pull_request: + pull_request_target: types: [opened, ready_for_review] jobs: From 9bdc3e7253235498a505f21e37662dcfa54de969 Mon Sep 17 00:00:00 2001 From: Kenichi Kamiya Date: Thu, 11 Aug 2022 03:05:57 +0900 Subject: [PATCH 126/234] Refer actions/deploy-pages stable tag in pages/static --- pages/static.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/static.yml b/pages/static.yml index bd753e9..350b2c8 100644 --- a/pages/static.yml +++ b/pages/static.yml @@ -39,4 +39,4 @@ jobs: path: '.' - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@main + uses: actions/deploy-pages@v1 From 67805723f0bf3c53f17eaaea77e9cfd44d6a2417 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 19 Jul 2022 00:59:05 +0000 Subject: [PATCH 127/234] update --- ci/generic-generator-ossf-slsa3-publish.yml | 63 +++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 ci/generic-generator-ossf-slsa3-publish.yml diff --git a/ci/generic-generator-ossf-slsa3-publish.yml b/ci/generic-generator-ossf-slsa3-publish.yml new file mode 100644 index 0000000..f843fd1 --- /dev/null +++ b/ci/generic-generator-ossf-slsa3-publish.yml @@ -0,0 +1,63 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow lets you compile your Go project using a SLSA3 compliant builder. +# This workflow will generate a so-called "provenance" file describing the steps +# that were performed to generate the final binary. +# The project is an initiative of the OpenSSF (openssf.org) and is developed at +# https://github.com/slsa-framework/slsa-github-generator. +# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. +# For more information about SLSA and how it improves the supply-chain, visit slsa.dev. + +name: SLSA generic generator +on: + workflow_dispatch: + release: + types: [created] + +permissions: read-all + +jobs: + build: + outputs: + digests: ${{ steps.hash.outputs.digests }} + + steps: + # ======================================================== + # + # Step 1: Build your artifacts. + # + # ======================================================== + - name: Build artifacts + run: | + # These are some amazing artifacts. + echo "artifact1" > artifact1 + echo "artifact2" > artifact2 + + # ======================================================== + # + # Step 2: Add a step to generate the provenance subjects + # as shown below. Update the sha256 sum arguments + # to include all binaries that you generate + # provenance for. + # + # ======================================================== + - name: Generate subject + id: hash + run: | + set -euo pipefail + + echo "::set-output name=digests::$(sha256sum artifact1 artifact2 | base64 -w0)" + + provenance: + needs: [build] + permissions: + actions: read + id-token: write + contents: read + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0 + with: + base64-subjects: "${{ needs.build.outputs.digests }}" + upload-assets: true # Optional: Upload to a new release \ No newline at end of file From 0f26631ba6e9900520c570d1153140b812a9e870 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 19 Jul 2022 01:04:52 +0000 Subject: [PATCH 128/234] update --- ...h.yml => generator-generic-ossf-slsa3-publish.yml} | 0 ...nerator-generic-ossf-slsa3-publish.properties.json | 7 +++++++ icons/generator-generic-ossf-slsa3-publish.svg | 11 +++++++++++ 3 files changed, 18 insertions(+) rename ci/{generic-generator-ossf-slsa3-publish.yml => generator-generic-ossf-slsa3-publish.yml} (100%) create mode 100644 ci/properties/generator-generic-ossf-slsa3-publish.properties.json create mode 100644 icons/generator-generic-ossf-slsa3-publish.svg diff --git a/ci/generic-generator-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml similarity index 100% rename from ci/generic-generator-ossf-slsa3-publish.yml rename to ci/generator-generic-ossf-slsa3-publish.yml diff --git a/ci/properties/generator-generic-ossf-slsa3-publish.properties.json b/ci/properties/generator-generic-ossf-slsa3-publish.properties.json new file mode 100644 index 0000000..2861c3f --- /dev/null +++ b/ci/properties/generator-generic-ossf-slsa3-publish.properties.json @@ -0,0 +1,7 @@ +{ + "name": "SLSA Generic generator", + "creator": "Open Source Security Foundation (OpenSSF)", + "description": "Generate SLSA3 provenance for your existing release workflows", + "iconName": "go-ossf-slsa3-publish", + "categories": ["Continuous integration"] +} diff --git a/icons/generator-generic-ossf-slsa3-publish.svg b/icons/generator-generic-ossf-slsa3-publish.svg new file mode 100644 index 0000000..ea77468 --- /dev/null +++ b/icons/generator-generic-ossf-slsa3-publish.svg @@ -0,0 +1,11 @@ + + + + + + + + + + + From c81201dd621f7167106925fcbb2db17b6381d430 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 19 Jul 2022 01:06:11 +0000 Subject: [PATCH 129/234] update --- ci/generator-generic-ossf-slsa3-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml index f843fd1..e37a3f3 100644 --- a/ci/generator-generic-ossf-slsa3-publish.yml +++ b/ci/generator-generic-ossf-slsa3-publish.yml @@ -60,4 +60,4 @@ jobs: uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0 with: base64-subjects: "${{ needs.build.outputs.digests }}" - upload-assets: true # Optional: Upload to a new release \ No newline at end of file + upload-assets: true # Optional: Upload to a new release From 19e6b35e8432c1d2915cbc9d86b12e4fcb0d1838 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 19 Jul 2022 01:14:33 +0000 Subject: [PATCH 130/234] update --- ci/generator-generic-ossf-slsa3-publish.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml index e37a3f3..eae7431 100644 --- a/ci/generator-generic-ossf-slsa3-publish.yml +++ b/ci/generator-generic-ossf-slsa3-publish.yml @@ -21,6 +21,7 @@ permissions: read-all jobs: build: + runs-on: ubuntu-latest outputs: digests: ${{ steps.hash.outputs.digests }} From 026c540730dd5bafad6c468af4cb2176bd0327cb Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 19 Jul 2022 01:21:35 +0000 Subject: [PATCH 131/234] update --- ci/generator-generic-ossf-slsa3-publish.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml index eae7431..54c110e 100644 --- a/ci/generator-generic-ossf-slsa3-publish.yml +++ b/ci/generator-generic-ossf-slsa3-publish.yml @@ -55,9 +55,9 @@ jobs: provenance: needs: [build] permissions: - actions: read - id-token: write - contents: read + actions: read # To read the workflow path. + id-token: write # To sign the provenance. + contents: write # To add assets to a release. uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0 with: base64-subjects: "${{ needs.build.outputs.digests }}" From 30f1eecad156ad2196177709d0d2fe8f20eb8e78 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 19 Jul 2022 15:55:40 +0000 Subject: [PATCH 132/234] update --- ci/generator-generic-ossf-slsa3-publish.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml index 54c110e..feadcf2 100644 --- a/ci/generator-generic-ossf-slsa3-publish.yml +++ b/ci/generator-generic-ossf-slsa3-publish.yml @@ -3,10 +3,10 @@ # separate terms of service, privacy policy, and support # documentation. -# This workflow lets you compile your Go project using a SLSA3 compliant builder. -# This workflow will generate a so-called "provenance" file describing the steps +# This workflow lets you compile your Go project using a SLSA3 compliant builder +# This workflow will generate a so-called "provenance" file describing the steps # that were performed to generate the final binary. -# The project is an initiative of the OpenSSF (openssf.org) and is developed at +# The project is an initiative of the OpenSSF (openssf.org) and is developed at # https://github.com/slsa-framework/slsa-github-generator. # The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. # For more information about SLSA and how it improves the supply-chain, visit slsa.dev. @@ -26,11 +26,13 @@ jobs: digests: ${{ steps.hash.outputs.digests }} steps: + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3 + # ======================================================== # # Step 1: Build your artifacts. # - # ======================================================== + # ======================================================== - name: Build artifacts run: | # These are some amazing artifacts. From aec987bfb55cb1003ba043fdd1a67426eba751e3 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 1 Aug 2022 15:00:08 +0000 Subject: [PATCH 133/234] comments --- ci/generator-generic-ossf-slsa3-publish.yml | 12 +++++++----- ...erator-generic-ossf-slsa3-publish.properties.json | 4 ++-- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml index feadcf2..c8a3544 100644 --- a/ci/generator-generic-ossf-slsa3-publish.yml +++ b/ci/generator-generic-ossf-slsa3-publish.yml @@ -3,9 +3,8 @@ # separate terms of service, privacy policy, and support # documentation. -# This workflow lets you compile your Go project using a SLSA3 compliant builder -# This workflow will generate a so-called "provenance" file describing the steps -# that were performed to generate the final binary. +# This workflow lets you generate SLSA provenance file for your project. +# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements # The project is an initiative of the OpenSSF (openssf.org) and is developed at # https://github.com/slsa-framework/slsa-github-generator. # The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. @@ -26,7 +25,7 @@ jobs: digests: ${{ steps.hash.outputs.digests }} steps: - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3 + uses: actions/checkout@v3 # ======================================================== # @@ -52,7 +51,10 @@ jobs: run: | set -euo pipefail - echo "::set-output name=digests::$(sha256sum artifact1 artifact2 | base64 -w0)" + # List the artifacts the provenance will refer to. + files=$(ls artifact*) + # Generate the subjects (base64 encoded). + echo "::set-output name=digests::$(sha256sum $files | base64 -w0)" provenance: needs: [build] diff --git a/ci/properties/generator-generic-ossf-slsa3-publish.properties.json b/ci/properties/generator-generic-ossf-slsa3-publish.properties.json index 2861c3f..32cf63d 100644 --- a/ci/properties/generator-generic-ossf-slsa3-publish.properties.json +++ b/ci/properties/generator-generic-ossf-slsa3-publish.properties.json @@ -2,6 +2,6 @@ "name": "SLSA Generic generator", "creator": "Open Source Security Foundation (OpenSSF)", "description": "Generate SLSA3 provenance for your existing release workflows", - "iconName": "go-ossf-slsa3-publish", - "categories": ["Continuous integration"] + "iconName": "generator-generic-ossf-slsa3-publish", + "categories": ["Continuous integration", "Go", "Elixir", "Erlang", "PHP", "Haskell", "Rust", "Java", "Scala", "Gradle", "Maven", "Python", "C", "C++", "TypeScript", "JavaScript", "npm", "Ruby", "HTML", "Composer", "Makefile", "Ada"] } From 6f7030b18ad1da672b55b9ca4f6ec1abed29f7ed Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 11 Aug 2022 13:32:01 +0000 Subject: [PATCH 134/234] update --- ci/generator-generic-ossf-slsa3-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml index c8a3544..a249449 100644 --- a/ci/generator-generic-ossf-slsa3-publish.yml +++ b/ci/generator-generic-ossf-slsa3-publish.yml @@ -25,7 +25,7 @@ jobs: digests: ${{ steps.hash.outputs.digests }} steps: - uses: actions/checkout@v3 + - uses: actions/checkout@v3 # ======================================================== # From b206471e4d771114db07fd56357db8f2ae20a8d2 Mon Sep 17 00:00:00 2001 From: Dylan Rinker Date: Tue, 16 Aug 2022 09:24:41 -0400 Subject: [PATCH 135/234] Update clj-holes.yml - Fixed a typo in the upload-sarif@v1 action - Commented out the rules-repository. The template will now default to rules in git://clj-holmes/clj-holmes-rules#main, but the format is preserved. --- code-scanning/clj-holmes.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index 4150cbb..3cfde14 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml @@ -31,7 +31,7 @@ jobs: - name: Scan code uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb with: - rules-repository: 'git://org/private-rules-repo#main' + # rules-repository: 'git://org/private-rules-repo#main' output-type: 'sarif' output-file: 'clj-holmes-results.sarif' fail-on-result: 'false' @@ -40,4 +40,4 @@ jobs: uses: github/codeql-action/upload-sarif@v1 with: sarif_file: ${{github.workspace}}/clj-holmes-results.sarif - ait-for-processing: true \ No newline at end of file + wait-for-processing: true From 65d796c94f140568865b90066331e52031cd8a8d Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 16 Aug 2022 12:47:02 -0400 Subject: [PATCH 136/234] Add Anchore Syft SBOM scan workflow --- code-scanning/anchore-syft.yml | 38 +++++++++++++++++++ .../properties/anchore-syft.properties.json | 7 ++++ 2 files changed, 45 insertions(+) create mode 100644 code-scanning/anchore-syft.yml create mode 100644 code-scanning/properties/anchore-syft.properties.json diff --git a/code-scanning/anchore-syft.yml b/code-scanning/anchore-syft.yml new file mode 100644 index 0000000..8180622 --- /dev/null +++ b/code-scanning/anchore-syft.yml @@ -0,0 +1,38 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow checks out code, builds an image, performs a container image +# scan with Anchore's Syft tool, and uploads the results to the GitHub Dependency +# submission API. + +# For more information on the Anchore sbom-action usage +# and parameters, see https://github.com/anchore/sbom-action. For more +# information about the Anchore SBOM tool, Syft, see +# https://github.com/anchore/syft +name: Anchore Syft SBOM scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + +permissions: + contents: write + +jobs: + Anchore-Build-Scan: + permissions: + contents: write # required to upload to the Dependency submission API + runs-on: ubuntu-latest + steps: + - name: Checkout the code + uses: actions/checkout@v3 + - name: Build the Docker image + run: docker build . --file Dockerfile --tag localbuild/testimage:latest + - name: Scan the image and upload dependency results + uses: anchore/sbom-action@bb716408e75840bbb01e839347cd213767269d4a + with: + image: "localbuild/testimage:latest" + artifact-name: image.spdx.json + dependency-snapshot: true diff --git a/code-scanning/properties/anchore-syft.properties.json b/code-scanning/properties/anchore-syft.properties.json new file mode 100644 index 0000000..815f8b2 --- /dev/null +++ b/code-scanning/properties/anchore-syft.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Anchore Syft SBOM Scan", + "organization": "Anchore", + "description": "Produce Software Bills of Materials based on Anchore's open source Syft tool.", + "iconName": "anchore", + "categories": ["Code Scanning", "dockerfile", "dependency-management"] +} From a82c7d200aac56c398fd9b679da120d310965861 Mon Sep 17 00:00:00 2001 From: omerzi Date: Sun, 7 Aug 2022 09:32:25 +0300 Subject: [PATCH 137/234] Code review changes --- ...ogbot-fix.yml => frogbot-scan-and-fix.yml} | 7 ++- code-scanning/frogbot-scan-pr.yml | 60 ++++--------------- ...n => frogbot-scan-and-fix.properties.json} | 0 .../frogbot-scan-pr.properties.json | 2 +- 4 files changed, 17 insertions(+), 52 deletions(-) rename code-scanning/{frogbot-fix.yml => frogbot-scan-and-fix.yml} (86%) rename code-scanning/properties/{frogbot-fix.properties.json => frogbot-scan-and-fix.properties.json} (100%) diff --git a/code-scanning/frogbot-fix.yml b/code-scanning/frogbot-scan-and-fix.yml similarity index 86% rename from code-scanning/frogbot-fix.yml rename to code-scanning/frogbot-scan-and-fix.yml index 278e8fa..c9ce731 100644 --- a/code-scanning/frogbot-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -2,9 +2,12 @@ # They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support # documentation. +# Frogbot Scan and Fix does the following: +# Automatically creates pull requests with fixes for vulnerable project dependencies. +# Uses JFrog Xray to scan the project. # Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot -name: "Frogbot Fix" +name: "Frogbot Scan and Fix" on: push: branches: @@ -37,7 +40,7 @@ jobs: # node-version: "16.x" - - uses: jfrog/frogbot@v2 + - uses: jfrog/frogbot@2291fc454e8aeea77386cfcb85a1ae36765bb1f4 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index 54304d3..a72ae4c 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml @@ -2,8 +2,12 @@ # They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support # documentation. +# Frogbot Scan Pull Request does the following: +# Automatically scans new pull requests for security vulnerabilities. +# Uses JFrog Xray to scan the project. +# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot -name: "Frogbot Scan" +name: "Frogbot Scan Pull Request" on: pull_request_target: types: [ opened, synchronize ] @@ -35,23 +39,9 @@ jobs: # with: # node-version: "16.x" - # - uses: gradle/gradle-build-action@v2 + # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request - # - uses: actions/setup-dotnet@v2 - # with: - # dotnet-version: "3.1.x" - - # - uses: nuget/setup-nuget@v1 - # with: - # nuget-version: "5.x" - - # - uses: actions/setup-python@v3 - # with: - # python-version: "3.x" - - # - run: pipx install pipenv - - - uses: jfrog/frogbot@v2 + - uses: jfrog/frogbot@2291fc454e8aeea77386cfcb85a1ae36765bb1f4 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) @@ -69,7 +59,9 @@ jobs: # The GitHub token automatically generated for the job JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # Uncomment the below options if you'd like to use them. + # [Mandatory if JF_USER and JF_PASSWORD are not provided] + # JFrog access token with 'read' permissions on Xray service + # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} # [Mandatory when using npm] # The command that installs the dependencies @@ -79,34 +71,4 @@ jobs: # The command that installs the dependencies # JF_INSTALL_DEPS_CMD: "dotnet restore" - # [Optional when using Nuget] - # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "nuget restore" - - # [Optional when using Pip] - # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "pip install" - - # [Optional when using Pipenv] - # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "pipenv install" - - # [Optional, default: https://api.github.com] - # API endpoint to GitHub - # JF_GIT_API_ENDPOINT: https://github.example.com - - # [Mandatory if JF_USER and JF_PASSWORD are not provided] - # JFrog access token with 'read' permissions on Xray service - # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} - - # [Optional, default: "."] - # Relative path to the project in the git repository - # JF_WORKING_DIR: path/to/working/dir - - # [Optional] - # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches - # JF_WATCHES: ,... - - # [Optional] - # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects - # JF_PROJECT: \ No newline at end of file + # The full template list with full optional environment variables can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request \ No newline at end of file diff --git a/code-scanning/properties/frogbot-fix.properties.json b/code-scanning/properties/frogbot-scan-and-fix.properties.json similarity index 100% rename from code-scanning/properties/frogbot-fix.properties.json rename to code-scanning/properties/frogbot-scan-and-fix.properties.json diff --git a/code-scanning/properties/frogbot-scan-pr.properties.json b/code-scanning/properties/frogbot-scan-pr.properties.json index 8f9626c..b74f3e6 100644 --- a/code-scanning/properties/frogbot-scan-pr.properties.json +++ b/code-scanning/properties/frogbot-scan-pr.properties.json @@ -1,5 +1,5 @@ { - "name": "Frogbot Scan Pull Requests", + "name": "Frogbot Scan Pull Request", "description": "Automatically scans new pull requests for security vulnerabilities. Uses JFrog Xray to scan the project. Included as part of JFrog's free subscription.", "iconName": "frogbot", "categories": [ From dc77db1892c77df0137f5391f7fa318d7b26b283 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Thu, 18 Aug 2022 12:49:49 +0530 Subject: [PATCH 138/234] Update CODEOWNERS to have pages team --- CODEOWNERS | 1 + 1 file changed, 1 insertion(+) diff --git a/CODEOWNERS b/CODEOWNERS index 91153de..0a7c0a5 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,3 +1,4 @@ * @actions/starter-workflows /code-scanning/ @actions/advanced-security-code-scanning @actions/starter-workflows +/pages/ @actions/pages @actions/starter-workflows From 4a6ec1eed26d248486e437ab7f525efbd3cba6a1 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Fri, 19 Aug 2022 09:45:08 -0500 Subject: [PATCH 139/234] Update Pages starter workflows to use actions/configure-pages@v2 --- pages/gatsby.yml | 2 +- pages/hugo.yml | 2 +- pages/jekyll-gh-pages.yml | 2 +- pages/jekyll.yml | 4 ++-- pages/nextjs.yml | 2 +- pages/nuxtjs.yml | 2 +- pages/static.yml | 2 +- 7 files changed, 8 insertions(+), 8 deletions(-) diff --git a/pages/gatsby.yml b/pages/gatsby.yml index 9cdf3fc..4f2857d 100644 --- a/pages/gatsby.yml +++ b/pages/gatsby.yml @@ -57,7 +57,7 @@ jobs: cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages id: pages - uses: actions/configure-pages@v1 + uses: actions/configure-pages@v2 with: # Automatically inject pathPrefix in your Gatsby configuration file. # diff --git a/pages/hugo.yml b/pages/hugo.yml index 07b2b85..1978835 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -42,7 +42,7 @@ jobs: submodules: recursive - name: Setup Pages id: pages - uses: actions/configure-pages@v1 + uses: actions/configure-pages@v2 - name: Build with Hugo run: | hugo \ diff --git a/pages/jekyll-gh-pages.yml b/pages/jekyll-gh-pages.yml index 7ee1e97..8c7a207 100644 --- a/pages/jekyll-gh-pages.yml +++ b/pages/jekyll-gh-pages.yml @@ -28,7 +28,7 @@ jobs: - name: Checkout uses: actions/checkout@v3 - name: Setup Pages - uses: actions/configure-pages@v1 + uses: actions/configure-pages@v2 - name: Build with Jekyll uses: actions/jekyll-build-pages@v1 with: diff --git a/pages/jekyll.yml b/pages/jekyll.yml index 05c8761..adc80a7 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -35,8 +35,8 @@ jobs: cache-version: 0 # Increment this number if you need to re-download cached gems - name: Setup Pages id: pages - uses: actions/configure-pages@v1 - - run: bundle exec jekyll build --baseurl ${{ steps.pages.outputs.base_path }} # defaults output to '/_site' + uses: actions/configure-pages@v2 + - run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}" # defaults output to '/_site' - name: Upload artifact uses: actions/upload-pages-artifact@v1 # This will automatically upload an artifact from the '/_site' directory diff --git a/pages/nextjs.yml b/pages/nextjs.yml index 79a1cc8..2993770 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -54,7 +54,7 @@ jobs: cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages id: pages - uses: actions/configure-pages@v1 + uses: actions/configure-pages@v2 with: # Automatically inject basePath in your Next.js configuration file and disable # server side image optimization (https://nextjs.org/docs/api-reference/next/image#unoptimized). diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml index 87c1201..4f5a4fd 100644 --- a/pages/nuxtjs.yml +++ b/pages/nuxtjs.yml @@ -52,7 +52,7 @@ jobs: cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages id: pages - uses: actions/configure-pages@v1 + uses: actions/configure-pages@v2 with: # Automatically inject router.base in your Nuxt configuration file and set # target to static (https://nuxtjs.org/docs/configuration-glossary/configuration-target/). diff --git a/pages/static.yml b/pages/static.yml index 350b2c8..9e0e871 100644 --- a/pages/static.yml +++ b/pages/static.yml @@ -31,7 +31,7 @@ jobs: - name: Checkout uses: actions/checkout@v3 - name: Setup Pages - uses: actions/configure-pages@v1 + uses: actions/configure-pages@v2 - name: Upload artifact uses: actions/upload-pages-artifact@v1 with: From a935168dbb30ef14da46efd208b4198a13477a6f Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Fri, 19 Aug 2022 10:15:25 -0500 Subject: [PATCH 140/234] Add a trailing slash back into the Hugo starter workflow for maximum backward compatibility with themes --- pages/hugo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/hugo.yml b/pages/hugo.yml index 1978835..51164f1 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -47,7 +47,7 @@ jobs: run: | hugo \ --minify \ - --baseURL ${{ steps.pages.outputs.base_url }} + --baseURL ${{ steps.pages.outputs.base_url }}/ - name: Upload artifact uses: actions/upload-pages-artifact@v1 with: From 8e45e8f5fbfb87a387e3a04d415d3249406f56f0 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Fri, 19 Aug 2022 10:17:23 -0500 Subject: [PATCH 141/234] Remove unused step ID from a few Pages workflows --- pages/nextjs.yml | 1 - pages/nuxtjs.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/pages/nextjs.yml b/pages/nextjs.yml index 2993770..5c2bf67 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -53,7 +53,6 @@ jobs: node-version: "16" cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages - id: pages uses: actions/configure-pages@v2 with: # Automatically inject basePath in your Next.js configuration file and disable diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml index 4f5a4fd..4178f18 100644 --- a/pages/nuxtjs.yml +++ b/pages/nuxtjs.yml @@ -51,7 +51,6 @@ jobs: node-version: "16" cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages - id: pages uses: actions/configure-pages@v2 with: # Automatically inject router.base in your Nuxt configuration file and set From c7c674d47ef76ecbbd6d0c3a12934d31b2094be3 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Fri, 19 Aug 2022 11:28:44 -0500 Subject: [PATCH 142/234] Pages: Explicitly set Hugo environment as production --- pages/hugo.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/pages/hugo.yml b/pages/hugo.yml index 07b2b85..ea705f3 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -46,6 +46,7 @@ jobs: - name: Build with Hugo run: | hugo \ + --environment production --minify \ --baseURL ${{ steps.pages.outputs.base_url }} - name: Upload artifact From 6d0b6c7b277795626387ee24bdf45a62804c39f5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Aug 2022 13:27:01 +0000 Subject: [PATCH 143/234] Bump pozil/auto-assign-issue from 1.9.0 to 1.10.0 Bumps [pozil/auto-assign-issue](https://github.com/pozil/auto-assign-issue) from 1.9.0 to 1.10.0. - [Release notes](https://github.com/pozil/auto-assign-issue/releases) - [Commits](https://github.com/pozil/auto-assign-issue/compare/v1.9.0...v1.10.0) --- updated-dependencies: - dependency-name: pozil/auto-assign-issue dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/auto-assign-issues.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml index ec278a6..0cb9345 100644 --- a/.github/workflows/auto-assign-issues.yml +++ b/.github/workflows/auto-assign-issues.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Auto-assign issue' - uses: pozil/auto-assign-issue@v1.9.0 + uses: pozil/auto-assign-issue@v1.10.0 with: assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft numOfAssignee: 1 From 467b0208ed901696ef31d79fe72a8e92a4b205da Mon Sep 17 00:00:00 2001 From: Milan Aryal <9361180+MilanAryal@users.noreply.github.com> Date: Mon, 22 Aug 2022 21:30:03 +0545 Subject: [PATCH 144/234] Pages: Set Jekyll environment as production --- pages/jekyll.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pages/jekyll.yml b/pages/jekyll.yml index 05c8761..36e29c3 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -37,6 +37,8 @@ jobs: id: pages uses: actions/configure-pages@v1 - run: bundle exec jekyll build --baseurl ${{ steps.pages.outputs.base_path }} # defaults output to '/_site' + env: + JEKYLL_ENV: production - name: Upload artifact uses: actions/upload-pages-artifact@v1 # This will automatically upload an artifact from the '/_site' directory From 5ab15a73492cdce9e2d0ec3a7a77106325270e92 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Mon, 22 Aug 2022 12:13:18 -0700 Subject: [PATCH 145/234] Update scorecards.yml --- code-scanning/scorecards.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 539794d..e4f1d0f 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -25,12 +25,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0 + uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # v1.1.1 + uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # tag=v1.1.1 with: results_file: results.sarif results_format: sarif @@ -49,7 +49,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0 with: name: SARIF file path: results.sarif @@ -57,6 +57,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26 + uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26 with: sarif_file: results.sarif From 0d3c129311ae22b406e99c27395a9a450b04076d Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Mon, 22 Aug 2022 14:37:34 -0500 Subject: [PATCH 146/234] Add missing backslash for multi-line continuation Co-authored-by: Yoann Chaudet --- pages/hugo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/hugo.yml b/pages/hugo.yml index ea705f3..5ab13b0 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -46,7 +46,7 @@ jobs: - name: Build with Hugo run: | hugo \ - --environment production + --environment production \ --minify \ --baseURL ${{ steps.pages.outputs.base_url }} - name: Upload artifact From 709400e808d401c345db341aa93fa473f91c8f85 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Mon, 22 Aug 2022 16:13:12 -0500 Subject: [PATCH 147/234] Set HUGO_ENV* env vars instead of CLI flag Reverts https://github.com/actions/starter-workflows/pull/1689 Fixes https://github.com/actions/starter-workflows/issues/1683 --- pages/hugo.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pages/hugo.yml b/pages/hugo.yml index 5ab13b0..da2f462 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -44,9 +44,12 @@ jobs: id: pages uses: actions/configure-pages@v1 - name: Build with Hugo + env: + # For maximum backward compatibility with Hugo modules + HUGO_ENVIRONMENT: production + HUGO_ENV: production run: | hugo \ - --environment production \ --minify \ --baseURL ${{ steps.pages.outputs.base_url }} - name: Upload artifact From bff759f503d37945684e33890eb21e671ab9f815 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Mon, 22 Aug 2022 16:39:05 -0500 Subject: [PATCH 148/234] Clarify './_site' directory usage --- pages/jekyll.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/pages/jekyll.yml b/pages/jekyll.yml index adc80a7..5c7b90c 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -36,9 +36,12 @@ jobs: - name: Setup Pages id: pages uses: actions/configure-pages@v2 - - run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}" # defaults output to '/_site' + - name: Build with Jekyll + # Outputs to the './_site' directory by default + run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}" - name: Upload artifact - uses: actions/upload-pages-artifact@v1 # This will automatically upload an artifact from the '/_site' directory + # Automatically uploads an artifact from the './_site' directory by default + uses: actions/upload-pages-artifact@v1 # Deployment job deploy: From 27a76bc269764e7bffc4b0f694969e96dc3c8358 Mon Sep 17 00:00:00 2001 From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com> Date: Tue, 23 Aug 2022 11:17:35 +0300 Subject: [PATCH 149/234] Update frogbot-scan-pr.yml --- code-scanning/frogbot-scan-pr.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index 5ef3b1c..b732a55 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml @@ -42,7 +42,7 @@ jobs: # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request - - uses: jfrog/frogbot@c8dfceda50ee19fee0cc19992c4a4aaffc95f4c6 + - uses: jfrog/frogbot@9678b9ea5bb1da478518345a454abaf1e7ecc637 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) @@ -72,4 +72,4 @@ jobs: # The command that installs the dependencies # JF_INSTALL_DEPS_CMD: "dotnet restore" - # The full template list with full optional environment variables can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request \ No newline at end of file + # The full template list with full optional environment variables can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request From f4c529ed9fdaf315db0e6b0fa7c2585b9ebc26e0 Mon Sep 17 00:00:00 2001 From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com> Date: Tue, 23 Aug 2022 11:17:52 +0300 Subject: [PATCH 150/234] Update frogbot-scan-and-fix.yml --- code-scanning/frogbot-scan-and-fix.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index c9ce731..e48a301 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -40,7 +40,7 @@ jobs: # node-version: "16.x" - - uses: jfrog/frogbot@2291fc454e8aeea77386cfcb85a1ae36765bb1f4 + - uses: jfrog/frogbot@9678b9ea5bb1da478518345a454abaf1e7ecc637 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) @@ -56,4 +56,4 @@ jobs: # [Mandatory if using npm] # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "npm i" \ No newline at end of file + # JF_INSTALL_DEPS_CMD: "npm i" From 77485a55d02fe7bc782d6b07e192b53c1f9b7345 Mon Sep 17 00:00:00 2001 From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com> Date: Tue, 23 Aug 2022 16:56:22 +0300 Subject: [PATCH 151/234] Update frogbot-scan-and-fix.yml --- code-scanning/frogbot-scan-and-fix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index e48a301..56725f5 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -40,7 +40,7 @@ jobs: # node-version: "16.x" - - uses: jfrog/frogbot@9678b9ea5bb1da478518345a454abaf1e7ecc637 + - uses: jfrog/frogbot@de3d42bf3a454ddf156632ae520a5ead49048416 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) From 5fd9f566895bae9243a07fe73bd9c8cb53d9fc15 Mon Sep 17 00:00:00 2001 From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com> Date: Tue, 23 Aug 2022 16:56:36 +0300 Subject: [PATCH 152/234] Update frogbot-scan-pr.yml --- code-scanning/frogbot-scan-pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index b732a55..bdc71b4 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml @@ -42,7 +42,7 @@ jobs: # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request - - uses: jfrog/frogbot@9678b9ea5bb1da478518345a454abaf1e7ecc637 + - uses: jfrog/frogbot@de3d42bf3a454ddf156632ae520a5ead49048416 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) From cdcdda3a89148c23d9fc83a0a63ca7c8c65d083a Mon Sep 17 00:00:00 2001 From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com> Date: Wed, 24 Aug 2022 15:41:50 +0300 Subject: [PATCH 153/234] Update frogbot-scan-and-fix.properties.json --- code-scanning/properties/frogbot-scan-and-fix.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/frogbot-scan-and-fix.properties.json b/code-scanning/properties/frogbot-scan-and-fix.properties.json index 5d04487..a072c5a 100644 --- a/code-scanning/properties/frogbot-scan-and-fix.properties.json +++ b/code-scanning/properties/frogbot-scan-and-fix.properties.json @@ -11,5 +11,5 @@ "C#", "Python" ], - "organization": "JFrog" -} \ No newline at end of file + "creator": "JFrog" +} From bb6277cf2af38fd4bff0b737f2cbdb3f59e7279b Mon Sep 17 00:00:00 2001 From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com> Date: Wed, 24 Aug 2022 15:42:10 +0300 Subject: [PATCH 154/234] Update frogbot-scan-pr.properties.json --- code-scanning/properties/frogbot-scan-pr.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/frogbot-scan-pr.properties.json b/code-scanning/properties/frogbot-scan-pr.properties.json index b74f3e6..257f9d6 100644 --- a/code-scanning/properties/frogbot-scan-pr.properties.json +++ b/code-scanning/properties/frogbot-scan-pr.properties.json @@ -11,5 +11,5 @@ "C#", "Python" ], - "organization": "JFrog" -} \ No newline at end of file + "creator": "JFrog" +} From 5b0989e0424bb00942ebe8290af0c7d9f575317e Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Thu, 25 Aug 2022 10:24:32 -0500 Subject: [PATCH 155/234] Pages: Bring use of `ruby/setup-ruby` into compliance --- pages/jekyll.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/pages/jekyll.yml b/pages/jekyll.yml index 36e29c3..c3f7781 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -1,3 +1,8 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + # Sample workflow for building and deploying a Jekyll site to GitHub Pages name: Deploy Jekyll site to Pages @@ -28,7 +33,7 @@ jobs: - name: Checkout uses: actions/checkout@v3 - name: Setup Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa with: ruby-version: '3.0' # Not needed with a .ruby-version file bundler-cache: true # runs 'bundle install' and caches installed gems automatically From 0d82602f17f0f783f926e660e9c567a96e3a8a69 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Thu, 25 Aug 2022 22:46:15 -0500 Subject: [PATCH 156/234] Add optional quotes to Hugo CLI baseURL --- pages/hugo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/hugo.yml b/pages/hugo.yml index 0461b71..fb8c924 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -51,7 +51,7 @@ jobs: run: | hugo \ --minify \ - --baseURL ${{ steps.pages.outputs.base_url }}/ + --baseURL "${{ steps.pages.outputs.base_url }}/" - name: Upload artifact uses: actions/upload-pages-artifact@v1 with: From 9d734850ef2e1ed5d071ec980059f3a51aa46fcc Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Thu, 25 Aug 2022 23:42:31 -0500 Subject: [PATCH 157/234] Update all usages of ruby/setup-ruby to latest --- ci/ruby.yml | 2 +- ci/rubyonrails.yml | 4 ++-- code-scanning/brakeman.yml | 2 +- code-scanning/puppet-lint.yml | 2 +- code-scanning/rubocop.yml | 2 +- pages/jekyll.yml | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ci/ruby.yml b/ci/ruby.yml index 81ea363..6340760 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -30,7 +30,7 @@ jobs: # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, # change this to (see https://github.com/ruby/setup-ruby#versioning): # uses: ruby/setup-ruby@v1 - uses: ruby/setup-ruby@2b019609e2b0f1ea1a2bc8ca11cb82ab46ada124 + uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3 with: ruby-version: ${{ matrix.ruby-version }} bundler-cache: true # runs 'bundle install' and caches installed gems automatically diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index 2ad891f..958a104 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -30,7 +30,7 @@ jobs: uses: actions/checkout@v3 # Add or replace dependency steps here - name: Install Ruby and gems - uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92 + uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3 with: bundler-cache: true # Add or replace database setup steps here @@ -46,7 +46,7 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - name: Install Ruby and gems - uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92 + uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3 with: bundler-cache: true # Add or replace any other lints here diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index 155208f..b04cabf 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -34,7 +34,7 @@ jobs: # Customize the ruby version depending on your needs - name: Setup Ruby - uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf + uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3 with: ruby-version: '2.7' diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml index 801b90b..d41b65b 100644 --- a/code-scanning/puppet-lint.yml +++ b/code-scanning/puppet-lint.yml @@ -35,7 +35,7 @@ jobs: uses: actions/checkout@v3 - name: Setup Ruby - uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf + uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3 with: ruby-version: 2.7 bundler-cache: true diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml index ed458b2..8018ca1 100644 --- a/code-scanning/rubocop.yml +++ b/code-scanning/rubocop.yml @@ -28,7 +28,7 @@ jobs: # If running on a self-hosted runner, check it meets the requirements # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners - name: Set up Ruby - uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf + uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3 with: ruby-version: 2.6 diff --git a/pages/jekyll.yml b/pages/jekyll.yml index 37ee818..d039d12 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -33,7 +33,7 @@ jobs: - name: Checkout uses: actions/checkout@v3 - name: Setup Ruby - uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa + uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3 with: ruby-version: '3.0' # Not needed with a .ruby-version file bundler-cache: true # runs 'bundle install' and caches installed gems automatically From 2f880ea2a2c40752e91d1e0c645d3e997fef9397 Mon Sep 17 00:00:00 2001 From: omerzi Date: Sun, 28 Aug 2022 16:07:58 +0300 Subject: [PATCH 158/234] Update Frogbot permissions and Tag --- code-scanning/frogbot-scan-and-fix.yml | 3 ++- code-scanning/frogbot-scan-pr.yml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 56725f5..a4b1c89 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -18,6 +18,7 @@ on: permissions: contents: write pull-requests: write + security-events: write jobs: create-fix-pull-requests: runs-on: ubuntu-latest @@ -40,7 +41,7 @@ jobs: # node-version: "16.x" - - uses: jfrog/frogbot@de3d42bf3a454ddf156632ae520a5ead49048416 + - uses: jfrog/frogbot@34759934930c177bdefba6ca3a417589d4db6cab env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index bdc71b4..ec19d61 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml @@ -42,7 +42,7 @@ jobs: # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request - - uses: jfrog/frogbot@de3d42bf3a454ddf156632ae520a5ead49048416 + - uses: jfrog/frogbot@34759934930c177bdefba6ca3a417589d4db6cab env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) From d13b97ea2931d2fcd9a5472cdd6dc838845a0f8a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Aug 2022 13:44:15 +0000 Subject: [PATCH 159/234] Bump kentaro-m/auto-assign-action from 1.2.1 to 1.2.2 Bumps [kentaro-m/auto-assign-action](https://github.com/kentaro-m/auto-assign-action) from 1.2.1 to 1.2.2. - [Release notes](https://github.com/kentaro-m/auto-assign-action/releases) - [Commits](https://github.com/kentaro-m/auto-assign-action/compare/v1.2.1...v1.2.2) --- updated-dependencies: - dependency-name: kentaro-m/auto-assign-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/auto-assign.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/auto-assign.yml b/.github/workflows/auto-assign.yml index d7161b1..b0789b3 100644 --- a/.github/workflows/auto-assign.yml +++ b/.github/workflows/auto-assign.yml @@ -7,4 +7,4 @@ jobs: add-reviews: runs-on: ubuntu-latest steps: - - uses: kentaro-m/auto-assign-action@v1.2.1 + - uses: kentaro-m/auto-assign-action@v1.2.2 From a4af1b700b74cf840fba5cbc9502a1a3eb6a43c1 Mon Sep 17 00:00:00 2001 From: Austen Stone Date: Tue, 30 Aug 2022 10:13:31 -0400 Subject: [PATCH 160/234] branches --- .github/workflows/sync-ghes.yaml | 3 +-- code-scanning/frogbot-scan-and-fix.yml | 6 +----- deployments/alibabacloud.yml | 3 +-- deployments/aws.yml | 3 +-- deployments/azure-container-webapp.yml | 3 +-- deployments/azure-kubernetes-service-helm.yml | 3 +-- deployments/azure-kubernetes-service-kompose.yml | 3 +-- deployments/azure-kubernetes-service-kustomize.yml | 3 +-- deployments/azure-kubernetes-service.yml | 3 +-- deployments/azure-staticwebapp.yml | 6 ++---- deployments/azure-webapps-dotnet-core.yml | 3 +-- deployments/azure-webapps-java-jar.yml | 3 +-- deployments/azure-webapps-node.yml | 3 +-- deployments/azure-webapps-php.yml | 3 +-- deployments/azure-webapps-python.yml | 3 +-- deployments/google-cloudrun-docker.yml | 3 +-- deployments/google-cloudrun-source.yml | 3 +-- deployments/google.yml | 3 +-- deployments/ibm.yml | 3 +-- deployments/tencent.yml | 3 +-- deployments/terraform.yml | 3 +-- 21 files changed, 22 insertions(+), 47 deletions(-) diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index aba7780..c8b83c9 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -2,8 +2,7 @@ name: Sync workflows for GHES on: push: - branches: - - main + branches: [ $default-branch ] jobs: sync: diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 56725f5..4829c8f 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -10,11 +10,7 @@ name: "Frogbot Scan and Fix" on: push: - branches: - # The scanning and creation of pull requests with fixes are triggered by pushing code to one of the these branches. - # You can edit the list of branches you wish to open fix pull requests on. - - "main" - - "master" + branches: [ $default-branch ] permissions: contents: write pull-requests: write diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index d7c27d9..9853b75 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -21,8 +21,7 @@ name: Build and Deploy to ACK on: push: - branches: - - $default-branch + branches: [ $default-branch ] # Environment variables available to all jobs and steps in this workflow. env: diff --git a/deployments/aws.yml b/deployments/aws.yml index 47253bf..9585844 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -28,8 +28,7 @@ name: Deploy to Amazon ECS on: push: - branches: - - $default-branch + branches: [ $default-branch ] env: AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1 diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml index 8b69065..cc2e1dd 100644 --- a/deployments/azure-container-webapp.yml +++ b/deployments/azure-container-webapp.yml @@ -31,8 +31,7 @@ env: on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: permissions: diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index a6a2f4e..83a9163 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -34,8 +34,7 @@ name: Build and deploy an app to AKS with Helm on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: env: diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index 60fe536..0e76365 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -33,8 +33,7 @@ name: Build and deploy an app to AKS with Kompose on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: env: diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index d46cadb..1a89f3c 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -33,8 +33,7 @@ name: Build and deploy an app to AKS with Kustomize on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: env: diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index d04a2ac..3e49419 100644 --- a/deployments/azure-kubernetes-service.yml +++ b/deployments/azure-kubernetes-service.yml @@ -29,8 +29,7 @@ name: Build and deploy an app to AKS on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: env: diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml index a40ecc2..8fe07ce 100644 --- a/deployments/azure-staticwebapp.yml +++ b/deployments/azure-staticwebapp.yml @@ -14,12 +14,10 @@ name: Deploy web app to Azure Static Web Apps on: push: - branches: - - $default-branch + branches: [ $default-branch ] pull_request: types: [opened, synchronize, reopened, closed] - branches: - - $default-branch + branches: [ $default-branch ] # Environment variables available to all jobs and steps in this workflow env: diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 0b59686..9b21895 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -26,8 +26,7 @@ env: on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: permissions: diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 6e3df8d..60fa68c 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -26,8 +26,7 @@ env: on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: permissions: diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index 1480c92..98e72c2 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -19,8 +19,7 @@ on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: env: diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 98e8dc7..4d08dbd 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -21,8 +21,7 @@ name: Build and deploy PHP app to Azure Web App on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: env: diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 50f4823..d7aa802 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -25,8 +25,7 @@ env: on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: permissions: diff --git a/deployments/google-cloudrun-docker.yml b/deployments/google-cloudrun-docker.yml index b8d0511..bd748f8 100644 --- a/deployments/google-cloudrun-docker.yml +++ b/deployments/google-cloudrun-docker.yml @@ -46,8 +46,7 @@ name: Build and Deploy to Cloud Run on: push: - branches: - - $default-branch + branches: [ $default-branch ] env: PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id diff --git a/deployments/google-cloudrun-source.yml b/deployments/google-cloudrun-source.yml index 2916b45..e6fcb52 100644 --- a/deployments/google-cloudrun-source.yml +++ b/deployments/google-cloudrun-source.yml @@ -48,8 +48,7 @@ name: Deploy to Cloud Run from Source on: push: - branches: - - $default-branch + branches: [ $default-branch ] env: PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id diff --git a/deployments/google.yml b/deployments/google.yml index 6150672..846452a 100644 --- a/deployments/google.yml +++ b/deployments/google.yml @@ -14,8 +14,7 @@ name: Build and Deploy to GKE on: push: - branches: - - $default-branch + branches: [ $default-branch ] env: PROJECT_ID: ${{ secrets.GKE_PROJECT }} diff --git a/deployments/ibm.yml b/deployments/ibm.yml index cb3080f..53a58c5 100644 --- a/deployments/ibm.yml +++ b/deployments/ibm.yml @@ -10,8 +10,7 @@ name: Build and Deploy to IKS on: push: - branches: - - $default-branch + branches: [ $default-branch ] # Environment variables available to all jobs and steps in this workflow env: diff --git a/deployments/tencent.yml b/deployments/tencent.yml index 4e9e9f6..ba65fe5 100644 --- a/deployments/tencent.yml +++ b/deployments/tencent.yml @@ -17,8 +17,7 @@ name: Tencent Kubernetes Engine on: push: - branches: - - $default-branch + branches: [ $default-branch ] # Environment variables available to all jobs and steps in this workflow env: diff --git a/deployments/terraform.yml b/deployments/terraform.yml index 53efe48..c06f685 100644 --- a/deployments/terraform.yml +++ b/deployments/terraform.yml @@ -46,8 +46,7 @@ name: 'Terraform' on: push: - branches: - - $default-branch + branches: [ $default-branch ] pull_request: permissions: From d14e8af6e3b15be640c45ec39df46968b03267a2 Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Tue, 30 Aug 2022 21:45:04 +0530 Subject: [PATCH 161/234] Added EthicalCheck Action --- code-scanning/ethicalcheck.yml | 57 +++++++++++++++++++ .../properties/ethicalcheck.properties.json | 24 ++++++++ 2 files changed, 81 insertions(+) create mode 100644 code-scanning/ethicalcheck.yml create mode 100644 code-scanning/properties/ethicalcheck.properties.json diff --git a/code-scanning/ethicalcheck.yml b/code-scanning/ethicalcheck.yml new file mode 100644 index 0000000..c089015 --- /dev/null +++ b/code-scanning/ethicalcheck.yml @@ -0,0 +1,57 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# EthicalCheck addresses the critical need to continuously security test APIs in development and in production. + +# EthicalCheck provides the industry’s only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list. +# Developers relies on EthicalCheck to evaluate every update and release, ensuring that no APIs go to production with exploitable vulnerabilities. + +# You develop the application and API, we bring complete and continuous security testing to you, accelerating development. + +# Know your API and Applications are secure with EthicalCheck – our free & automated API security testing service. + +# How EthicalCheck works? +# EthicalCheck functions in the following simple steps. +# 1. Security Testing. +# Provide your OpenAPI specification or start with a public Postman collection URL. +# EthicalCheck instantly instrospects your API and creates a map of API endpoints for security testing. +# It then automatically creates hundreds of security tests that are non-intrusive to comprehensively and completely test for authentication, authorizations, and OWASP bugs your API. The tests addresses the OWASP API Security categories including OAuth 2.0, JWT, Rate Limit etc. + +# 2. Reporting. +# EthicalCheck generates security test report that includes all the tested endpoints, coverage graph, exceptions, and vulnerabilities. +# Vulnerabilities are fully triaged, it contains CVSS score, severity, endpoint information, and OWASP tagging. + + +# This is a starter workflow to help you get started with EthicalCheck Actions + +name: EthicalCheck-Workflow + +# Controls when the workflow will run +on: + # Triggers the workflow on push or pull request events but only for the $default-branch branch + # Customize trigger events based on your DevSecOps processes. + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + + +jobs: + Trigger_EthicalCheck: + runs-on: ubuntu-latest + + steps: + - name: EthicalCheck Free & Automated API Security Testing Service + uses: apisec-inc/ethicalcheck-action@latest + with: + # The OpenAPI Specification URL or Swagger Path or Public Postman collection URL. + oas-url: "http://netbanking.apisec.ai:8080/v2/api-docs" + # The email address to which the penetration test report will be sent. + email: "xxx@apisec.ai" \ No newline at end of file diff --git a/code-scanning/properties/ethicalcheck.properties.json b/code-scanning/properties/ethicalcheck.properties.json new file mode 100644 index 0000000..c0949be --- /dev/null +++ b/code-scanning/properties/ethicalcheck.properties.json @@ -0,0 +1,24 @@ +{ + "name": "EthicalCheck", + "creator": "APIsec", + "description": "EthicalCheck addresses the critical need to continuously security test APIs in development and in production. EthicalCheck provides the industry’s only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list. Developers relies on EthicalCheck to evaluate every update and release, ensuring that no APIs go to production with exploitable vulnerabilities. You develop the application and API, we bring complete and continuous security testing to you, accelerating development.Know your API and Applications are secure with EthicalCheck – our free & automated API security testing service.", + "iconName": "apisec", + "categories": [ + "Code Scanning", + "C", + "C#", + "C++", + "Go", + "Java", + "JavaScript", + "Kotlin", + "Objective C", + "PHP", + "Python", + "Ruby", + "Rust", + "Scala", + "Swift", + "TypeScript" + ] +} From b12833e6712790ba428240bfa1ee3a65d331e630 Mon Sep 17 00:00:00 2001 From: Christian Oliff Date: Tue, 30 Aug 2022 22:13:30 +0900 Subject: [PATCH 162/234] use latest version of Hugo --- pages/hugo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/hugo.yml b/pages/hugo.yml index fb8c924..3ddbb80 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -30,7 +30,7 @@ jobs: build: runs-on: ubuntu-latest env: - HUGO_VERSION: 0.99.0 + HUGO_VERSION: 0.102.1 steps: - name: Install Hugo CLI run: | From 4b48da22521e5e07c463fd96d7d4890f718ad4b7 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Fri, 2 Sep 2022 17:32:30 -0500 Subject: [PATCH 163/234] Update Hugo to truly latest --- pages/hugo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/hugo.yml b/pages/hugo.yml index 3ddbb80..f273fb2 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -30,7 +30,7 @@ jobs: build: runs-on: ubuntu-latest env: - HUGO_VERSION: 0.102.1 + HUGO_VERSION: 0.102.3 steps: - name: Install Hugo CLI run: | From 2333616c7db48c45158cb0fa7eb2491a04cb3c59 Mon Sep 17 00:00:00 2001 From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Date: Thu, 8 Sep 2022 09:37:44 -0500 Subject: [PATCH 164/234] Upgraded scorecard action to v2.0.0 - Upgraded scorecard action to v2.0.0 https://github.com/ossf/scorecard-action/commit/13ec8c77e8a5dae7e0a0d47bde3e3004df15d34f Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- code-scanning/scorecards.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index e4f1d0f..38db68f 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -17,7 +17,7 @@ jobs: permissions: # Needed to upload the results to code-scanning dashboard. security-events: write - # Used to receive a badge. (Upcoming feature) + # Used to receive a badge. id-token: write # Needs for private repositories. contents: read @@ -30,7 +30,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # tag=v1.1.1 + uses: ossf/scorecard-action@13ec8c77e8a5dae7e0a0d47bde3e3004df15d34f # tag=v2.0.0 with: results_file: results.sarif results_format: sarif From f539d4746910e16daa46883aa5e5c9f1295aa13e Mon Sep 17 00:00:00 2001 From: David Losert Date: Fri, 9 Sep 2022 17:57:59 +0200 Subject: [PATCH 165/234] Adds Node 18 and removes Node 12 --- ci/node.js.yml | 2 +- ci/npm-grunt.yml | 2 +- ci/npm-gulp.yml | 2 +- ci/webpack.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ci/node.js.yml b/ci/node.js.yml index 87ef0d8..a89108d 100644 --- a/ci/node.js.yml +++ b/ci/node.js.yml @@ -16,7 +16,7 @@ jobs: strategy: matrix: - node-version: [12.x, 14.x, 16.x] + node-version: [14.x, 16.x, 18.x] # See supported Node.js release schedule at https://nodejs.org/en/about/releases/ steps: diff --git a/ci/npm-grunt.yml b/ci/npm-grunt.yml index eda97e1..e39ddbf 100644 --- a/ci/npm-grunt.yml +++ b/ci/npm-grunt.yml @@ -12,7 +12,7 @@ jobs: strategy: matrix: - node-version: [12.x, 14.x, 16.x] + node-version: [14.x, 16.x, 18.x] steps: - uses: actions/checkout@v3 diff --git a/ci/npm-gulp.yml b/ci/npm-gulp.yml index 504f22e..7606dea 100644 --- a/ci/npm-gulp.yml +++ b/ci/npm-gulp.yml @@ -12,7 +12,7 @@ jobs: strategy: matrix: - node-version: [12.x, 14.x, 16.x] + node-version: [14.x, 16.x, 18.x] steps: - uses: actions/checkout@v3 diff --git a/ci/webpack.yml b/ci/webpack.yml index 6449fe7..0bc6406 100644 --- a/ci/webpack.yml +++ b/ci/webpack.yml @@ -12,7 +12,7 @@ jobs: strategy: matrix: - node-version: [12.x, 14.x, 16.x] + node-version: [14.x, 16.x, 18.x] steps: - uses: actions/checkout@v3 From 2426779103b940fa2d7d571c75be0c06171f04e6 Mon Sep 17 00:00:00 2001 From: Eric Allard <106756852+SOOS-EAllard@users.noreply.github.com> Date: Fri, 9 Sep 2022 15:00:01 -0400 Subject: [PATCH 166/234] Updated old instructions to add more detail --- code-scanning/soos-dast-scan.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index cf3b1b7..9b58e90 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -3,13 +3,18 @@ # separate terms of service, privacy policy, and support # documentation. # -# SOOS is the easy-to-integrate software security solution for your whole team, learn more at https://soos.io/ +# SOOS is the easy-to-integrate and affordable software security solution for your whole team. +# Learn more at https://soos.io/ # -# To use this action you need to fill the following requirements: +# To use this action, perform the following steps: # -# 1. Create an account on https://app.soos.io to obtain a Client ID and API Key (Free 30 days trials for both our SCA/DAST product). +# 1. Create an account on https://app.soos.io. SOOS offers a free 30 day trial for our SCA and DAST products. # -# 2. Set up your API KEY/Client ID as Github Secrets named SOOS_CLIENT_ID & SOOS_API_KEY. (Also set SOOS_GITHUB_PAT with your Github Personal Access Token if you're going to use sarif upload) +# 2. Navigate to the "Integrate" page in the SOOS app (https://app.soos.io/integrate). Note the "API Credentials" section of this page; the keys you will need for the next step are here. +# +# 3. Set up your SOOS API Key and SOOS Client Id as Github Secrets named SOOS_API_KEY and SOOS_CLIENT_ID. +# +# 4. (Optional) If you'd like to upload SARIF results of DAST scans to GitHub, set SOOS_GITHUB_PAT with your Github Personal Access Token. # name: "SOOS DAST Scan" From 1a784af20d0eddd7900eb9f63678660cc7e546b8 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 13 Sep 2022 17:54:12 +0530 Subject: [PATCH 167/234] Update settings.json --- script/sync-ghes/settings.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index 9648ab4..31574dc 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -2,13 +2,17 @@ "folders": [ "../../ci", "../../automation", - "../../code-scanning" + "../../code-scanning", + "../../pages" ], "enabledActions": [ "actions/checkout", + "actions/configure-pages", "actions/create-release", "actions/delete-package-versions", + "actions/deploy-pages", "actions/download-artifact", + "actions/jekyll-build-pages", "actions/setup-dotnet", "actions/setup-go", "actions/setup-java", @@ -16,6 +20,7 @@ "actions/stale", "actions/starter-workflows", "actions/upload-artifact", + "actions/upload-pages-artifact". "actions/upload-release-asset", "github/codeql-action" ], From e5cdae6f10e23d66ee6189deeb636921904ae535 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 13 Sep 2022 17:56:10 +0530 Subject: [PATCH 168/234] Update settings.json --- script/sync-ghes/settings.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index 31574dc..ff4857b 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -20,7 +20,7 @@ "actions/stale", "actions/starter-workflows", "actions/upload-artifact", - "actions/upload-pages-artifact". + "actions/upload-pages-artifact", "actions/upload-release-asset", "github/codeql-action" ], From cf9b6844331ef5bb238a1103f9f9d8c0434d6eb3 Mon Sep 17 00:00:00 2001 From: A-Katopodis Date: Tue, 13 Sep 2022 13:14:35 -0500 Subject: [PATCH 169/234] Updated powershell to v1.1 commit --- code-scanning/powershell.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index 1d72a9b..d78a126 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -31,7 +31,7 @@ jobs: - uses: actions/checkout@v3 - name: Run PSScriptAnalyzer - uses: microsoft/psscriptanalyzer-action@2044ae068e37d0161fa2127de04c19633882f061 + uses: microsoft/psscriptanalyzer-action@6b2948b1944407914a58661c49941824d149734f with: # Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options. # The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules. From 6763818232c8e655fbd26b92701537c5e6ecd9a5 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 14 Sep 2022 11:52:08 +0530 Subject: [PATCH 170/234] Update sync-ghes.yaml --- .github/workflows/sync-ghes.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index c8b83c9..5e949bb 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -3,6 +3,7 @@ name: Sync workflows for GHES on: push: branches: [ $default-branch ] + workflow_dispatch: jobs: sync: From 864be6fc0f793382b5679b75a7b1f3ac7aaf7193 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 14 Sep 2022 12:16:25 +0530 Subject: [PATCH 171/234] Add actions/cache to list of enabledActions --- script/sync-ghes/settings.json | 1 + 1 file changed, 1 insertion(+) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index ff4857b..fe80c8a 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -6,6 +6,7 @@ "../../pages" ], "enabledActions": [ + "actions/cache", "actions/checkout", "actions/configure-pages", "actions/create-release", From 723f3e411d8038c90af3237d9fa76a4aad305ee5 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 14 Sep 2022 12:18:02 +0530 Subject: [PATCH 172/234] Revert "Adding manual trigger to sync ghes script" --- .github/workflows/sync-ghes.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index 5e949bb..c8b83c9 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -3,7 +3,6 @@ name: Sync workflows for GHES on: push: branches: [ $default-branch ] - workflow_dispatch: jobs: sync: From 94ce275060ff31c5184c38b15269be673cb9deb0 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 14 Sep 2022 15:55:59 +0530 Subject: [PATCH 173/234] Add setup-python to list of enabledActions for ghes --- script/sync-ghes/settings.json | 1 + 1 file changed, 1 insertion(+) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index fe80c8a..41d6bcd 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -18,6 +18,7 @@ "actions/setup-go", "actions/setup-java", "actions/setup-node", + "actions/setup-python", "actions/stale", "actions/starter-workflows", "actions/upload-artifact", From 96389955e3b06980ccd373faec93c7e88bafe10c Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 14 Sep 2022 16:53:35 +0530 Subject: [PATCH 174/234] Update pull_request_template.md --- .github/pull_request_template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 9b6c10f..0a98861 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -41,7 +41,7 @@ It is not: - [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/code-scanning). - [ ] Should include a matching `code-scanning/properties/*.properties.json` file (for example, [`code-scanning/properties/codeql.properties.json`](https://github.com/actions/starter-workflows/blob/main/code-scanning/properties/codeql.properties.json)), with properties set as follows: - [ ] `name`: Name of the Code Scanning integration. - - [ ] `organization`: Name of the organization producing the Code Scanning integration. + - [ ] `creator`: Name of the organization/user producing the Code Scanning integration. - [ ] `description`: Short description of the Code Scanning integration. - [ ] `categories`: Array of languages supported by the Code Scanning integration. - [ ] `iconName`: Name of the SVG logo representing the Code Scanning integration. This SVG logo must be present in [the `icons` directory](https://github.com/actions/starter-workflows/tree/main/icons). From 81fe53796f8c719d680381815cbfd359119a8460 Mon Sep 17 00:00:00 2001 From: Azeem Shaikh Date: Wed, 14 Sep 2022 09:37:06 -0400 Subject: [PATCH 175/234] Update to scorecard-action:v2.0.3 Includes bug fixes --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 38db68f..8ca5094 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -30,7 +30,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@13ec8c77e8a5dae7e0a0d47bde3e3004df15d34f # tag=v2.0.0 + uses: ossf/scorecard-action@865b4092859256271290c77adbd10a43f4779972 # tag=v2.0.3 with: results_file: results.sarif results_format: sarif From 568b096f39f842303134c2e9bc694f1298cd2b5f Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Wed, 14 Sep 2022 18:17:28 -0400 Subject: [PATCH 176/234] add actions: read to any job using upload-sarif --- code-scanning/apisec-scan.yml | 1 + code-scanning/brakeman.yml | 1 + code-scanning/checkmarx.yml | 1 + code-scanning/clj-holmes.yml | 1 + code-scanning/clj-watson.yml | 1 + code-scanning/codacy.yml | 1 + code-scanning/codescan.yml | 1 + code-scanning/contrast-scan.yml | 1 + code-scanning/eslint.yml | 1 + code-scanning/hadolint.yml | 2 +- code-scanning/lintr.yml | 1 + code-scanning/mobsf.yml | 1 + code-scanning/msvc.yml | 1 + code-scanning/njsscan.yml | 1 + code-scanning/ossar.yml | 1 + code-scanning/phpmd.yml | 1 + code-scanning/pmd.yml | 1 + code-scanning/powershell.yml | 1 + code-scanning/prisma.yml | 1 + code-scanning/puppet-lint.yml | 1 + code-scanning/rust-clippy.yml | 1 + code-scanning/semgrep.yml | 1 + code-scanning/snyk-container.yml | 1 + code-scanning/snyk-infrastructure.yml | 1 + code-scanning/sobelow.yml | 1 + code-scanning/sysdig-scan.yml | 1 + code-scanning/trivy.yml | 1 + code-scanning/veracode.yml | 1 + code-scanning/xanitizer.yml | 1 + 29 files changed, 29 insertions(+), 1 deletion(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 5a9b751..a2dfbd2 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -49,6 +49,7 @@ jobs: Trigger APIsec scan: permissions: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index b04cabf..957343c 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Brakeman Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index e060654..9bdb136 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -29,6 +29,7 @@ jobs: issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index 3cfde14..4487e23 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml @@ -24,6 +24,7 @@ jobs: permissions: contents: read security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml index 2e4ab3c..76903a9 100644 --- a/code-scanning/clj-watson.yml +++ b/code-scanning/clj-watson.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index b74e449..7b705bd 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -30,6 +30,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Codacy Security Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index 92707b1..a9f1053 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - name: Checkout repository diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml index 61ffd7a..4e4deb7 100644 --- a/code-scanning/contrast-scan.yml +++ b/code-scanning/contrast-scan.yml @@ -30,6 +30,7 @@ jobs: permissions: contents: read # for actions/checkout security-events: write # for github/codeql-action/upload-sarif + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest # check out project steps: diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml index 9067a7d..54b01c8 100644 --- a/code-scanning/eslint.yml +++ b/code-scanning/eslint.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v3 diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml index 2f554e4..3153652 100644 --- a/code-scanning/hadolint.yml +++ b/code-scanning/hadolint.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v3 diff --git a/code-scanning/lintr.yml b/code-scanning/lintr.yml index 74a3b21..350df19 100644 --- a/code-scanning/lintr.yml +++ b/code-scanning/lintr.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 6d2bfb8..1013749 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -21,6 +21,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 863fbcb..e8dac88 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -28,6 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Analyze runs-on: windows-latest diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index 8c359b8..d766a6f 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest name: njsscan code scanning steps: diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index cbef5a2..2bd91dd 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -27,6 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: windows-latest steps: diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml index 91f4b2d..d10ace1 100644 --- a/code-scanning/phpmd.yml +++ b/code-scanning/phpmd.yml @@ -34,6 +34,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index a1e32c4..8115116 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -21,6 +21,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index d78a126..02e5de7 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: PSScriptAnalyzer runs-on: ubuntu-latest steps: diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 6f2031b..1a12b86 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest name: Run Prisma Cloud IaC Scan to check steps: diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml index d41b65b..50b86db 100644 --- a/code-scanning/puppet-lint.yml +++ b/code-scanning/puppet-lint.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml index e9c426a..c5f10ee 100644 --- a/code-scanning/rust-clippy.yml +++ b/code-scanning/rust-clippy.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index fae9885..b10a930 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -27,6 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index 0fbbf87..a232c53 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml @@ -30,6 +30,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index a685323..3ca1035 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml index 21cb6e7..7d38c77 100644 --- a/code-scanning/sobelow.yml +++ b/code-scanning/sobelow.yml @@ -28,6 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index f075a80..f9b61b9 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -24,6 +24,7 @@ jobs: checks: write # for sysdiglabs/scan-action to publish the checks contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index 63be947..f56d9e5 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -22,6 +22,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Build runs-on: "ubuntu-18.04" steps: diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index b8a5b37..89d35df 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -27,6 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 3462eaa..5724a97 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -51,6 +51,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: From cb341b59ed903d36aedd3012de4d5c1f58af194c Mon Sep 17 00:00:00 2001 From: Marco Gario Date: Fri, 16 Sep 2022 09:25:07 +0200 Subject: [PATCH 177/234] Update CodeQL to include category by default Code Scanning can accept multiple uploads for the same tool and uses the concept of category to keep results separated. If not provided explicitly, the category is computed based on a few parameters like workflow path and matrix variables. The implicit computation of the category can create confusion if users change their workflow, as we start considering the new analyses as unrelated to existing results. By making the category explicit in the workflow we hope to make the concept more prominent and reduce accidental changes. --- code-scanning/codeql.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index a113b59..00ffcdb 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -70,3 +70,5 @@ jobs: - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" From 3bc0ad0b1d779b51875217d1f1c70bcdadff9bc3 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Fri, 16 Sep 2022 10:51:50 +0000 Subject: [PATCH 178/234] Add pages templates to validate script --- script/validate-data/settings.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index 852f575..23c4790 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json @@ -3,7 +3,8 @@ "../../ci", "../../automation", "../../deployments", - "../../code-scanning" + "../../code-scanning", + "../../pages" ], "allowed_categories": [ { @@ -21,6 +22,10 @@ { "path": "../../code-scanning", "categories": ["Code Scanning", "Dependency review"] + }, + { + "path": "../../pages", + "categories": ["Pages"] } ] } From cd26daf9c2098b73c9c0640acd9b27c3e34e1d44 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Fri, 16 Sep 2022 15:05:57 -0700 Subject: [PATCH 179/234] Clear name conflict --- ci/{jekyll.yml => jekyll-docker.yml} | 0 .../{jekyll.properties.json => jekyll-docker.properties.json} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename ci/{jekyll.yml => jekyll-docker.yml} (100%) rename ci/properties/{jekyll.properties.json => jekyll-docker.properties.json} (100%) diff --git a/ci/jekyll.yml b/ci/jekyll-docker.yml similarity index 100% rename from ci/jekyll.yml rename to ci/jekyll-docker.yml diff --git a/ci/properties/jekyll.properties.json b/ci/properties/jekyll-docker.properties.json similarity index 100% rename from ci/properties/jekyll.properties.json rename to ci/properties/jekyll-docker.properties.json From 95057f2418925de42fda9e1fe02c8a3a0f5f5755 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Mon, 19 Sep 2022 11:45:31 +0000 Subject: [PATCH 180/234] Update logic from unique template name to filename --- script/validate-data/index.ts | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 4bd260d..b903c3f 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -7,7 +7,6 @@ import { endGroup, error, info, setFailed, startGroup } from '@actions/core'; interface WorkflowWithErrors { id: string; - name: string; errors: string[]; } @@ -43,7 +42,7 @@ const propertiesSchema = { async function checkWorkflows(folders: string[], allowed_categories: object[]): Promise { const result: WorkflowWithErrors[] = [] - const workflow_template_names = new Set() + const workflow_template_paths = new Set() for (const folder of folders) { const dir = await fs.readdir(folder, { withFileTypes: true, @@ -57,8 +56,8 @@ async function checkWorkflows(folders: string[], allowed_categories: object[]): const propertiesFilePath = join(folder, "properties", `${fileType}.properties.json`) const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, allowed_categories); - if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) { - workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) + if(workflow_template_paths.size == workflow_template_paths.add(e.name).size) { + workflowWithErrors.errors.push(`Workflow template with filename "${e.name}" already exists`) } if (workflowWithErrors.errors.length > 0) { result.push(workflowWithErrors) @@ -73,7 +72,6 @@ async function checkWorkflows(folders: string[], allowed_categories: object[]): async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: object[]): Promise { let workflowErrors: WorkflowWithErrors = { id: workflowPath, - name: null, errors: [] } try { @@ -82,9 +80,6 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow const propertiesFileContent = await fs.readFile(propertiesPath, "utf8") const properties: WorkflowProperties = JSON.parse(propertiesFileContent) - if(properties.name && properties.name.trim().length > 0) { - workflowErrors.name = properties.name - } let v = new validator(); const res = v.validate(properties, propertiesSchema) workflowErrors.errors = res.errors.map(e => e.toString()) From 4bb0cbfc9e46a125e1b0b39b77dd808cfee89fba Mon Sep 17 00:00:00 2001 From: Chris Patterson Date: Tue, 20 Sep 2022 10:25:45 +0530 Subject: [PATCH 181/234] Enable caching by default for docker builds. --- ci/docker-publish.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index e88539d..41253c1 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -78,6 +78,9 @@ jobs: push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + # Sign the resulting Docker image digest except on PRs. # This will only write to the public Rekor transparency log when the Docker From 1a46538eaab360b6ee9226283a9a03cc4c1b73a9 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 20 Sep 2022 11:43:05 +0000 Subject: [PATCH 182/234] Keep both unique template name and filename logic --- ci/properties/jekyll-docker.properties.json | 2 +- script/validate-data/index.ts | 11 ++++++++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/ci/properties/jekyll-docker.properties.json b/ci/properties/jekyll-docker.properties.json index bbe279c..7c66dba 100644 --- a/ci/properties/jekyll-docker.properties.json +++ b/ci/properties/jekyll-docker.properties.json @@ -1,5 +1,5 @@ { - "name": "Jekyll", + "name": "Jekyll using Docker image", "description": "Package a Jekyll site using the jekyll/builder Docker image.", "iconName": "jekyll", "categories": ["Continuous integration", "HTML"] diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index b903c3f..90f1760 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -7,6 +7,7 @@ import { endGroup, error, info, setFailed, startGroup } from '@actions/core'; interface WorkflowWithErrors { id: string; + name: string; errors: string[]; } @@ -42,6 +43,7 @@ const propertiesSchema = { async function checkWorkflows(folders: string[], allowed_categories: object[]): Promise { const result: WorkflowWithErrors[] = [] + const workflow_template_names = new Set() const workflow_template_paths = new Set() for (const folder of folders) { const dir = await fs.readdir(folder, { @@ -56,8 +58,11 @@ async function checkWorkflows(folders: string[], allowed_categories: object[]): const propertiesFilePath = join(folder, "properties", `${fileType}.properties.json`) const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, allowed_categories); + if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) { + workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) + } if(workflow_template_paths.size == workflow_template_paths.add(e.name).size) { - workflowWithErrors.errors.push(`Workflow template with filename "${e.name}" already exists`) + workflowWithErrors.errors.push(`Workflow template with filename "${e.name}" already exists`) } if (workflowWithErrors.errors.length > 0) { result.push(workflowWithErrors) @@ -72,6 +77,7 @@ async function checkWorkflows(folders: string[], allowed_categories: object[]): async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: object[]): Promise { let workflowErrors: WorkflowWithErrors = { id: workflowPath, + name: null, errors: [] } try { @@ -80,6 +86,9 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow const propertiesFileContent = await fs.readFile(propertiesPath, "utf8") const properties: WorkflowProperties = JSON.parse(propertiesFileContent) + if(properties.name && properties.name.trim().length > 0) { + workflowErrors.name = properties.name + } let v = new validator(); const res = v.validate(properties, propertiesSchema) workflowErrors.errors = res.errors.map(e => e.toString()) From af733fded0b315861e891f5aa54cb6ec54fa8d2b Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 20 Sep 2022 12:51:33 +0000 Subject: [PATCH 183/234] Address comments --- script/validate-data/index.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 90f1760..abbdfbe 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -44,7 +44,7 @@ const propertiesSchema = { async function checkWorkflows(folders: string[], allowed_categories: object[]): Promise { const result: WorkflowWithErrors[] = [] const workflow_template_names = new Set() - const workflow_template_paths = new Set() + const workflow_template_file_names = new Set() for (const folder of folders) { const dir = await fs.readdir(folder, { withFileTypes: true, @@ -61,7 +61,7 @@ async function checkWorkflows(folders: string[], allowed_categories: object[]): if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) { workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) } - if(workflow_template_paths.size == workflow_template_paths.add(e.name).size) { + if(workflow_template_file_names.size == workflow_template_file_names.add(e.name).size) { workflowWithErrors.errors.push(`Workflow template with filename "${e.name}" already exists`) } if (workflowWithErrors.errors.length > 0) { From e7e1dc203701c85e902a1122ed62af132af1c7bf Mon Sep 17 00:00:00 2001 From: omerzi Date: Tue, 20 Sep 2022 16:36:24 +0300 Subject: [PATCH 184/234] Update Frogbot's version --- code-scanning/frogbot-scan-and-fix.yml | 2 +- code-scanning/frogbot-scan-pr.yml | 2 +- starter-workflows.iml | 9 +++++++++ 3 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 starter-workflows.iml diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 6dd4b0e..0089f10 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -37,7 +37,7 @@ jobs: # node-version: "16.x" - - uses: jfrog/frogbot@34759934930c177bdefba6ca3a417589d4db6cab + - uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index ec19d61..bd1a9c2 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml @@ -42,7 +42,7 @@ jobs: # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request - - uses: jfrog/frogbot@34759934930c177bdefba6ca3a417589d4db6cab + - uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) diff --git a/starter-workflows.iml b/starter-workflows.iml new file mode 100644 index 0000000..8021953 --- /dev/null +++ b/starter-workflows.iml @@ -0,0 +1,9 @@ + + + + + + + + + \ No newline at end of file From bdee68f5716734c91c3783c2d70bd246abb23cc2 Mon Sep 17 00:00:00 2001 From: omerzi Date: Tue, 20 Sep 2022 16:39:01 +0300 Subject: [PATCH 185/234] Update JFrog Frogbot's Version --- starter-workflows.iml | 9 --------- 1 file changed, 9 deletions(-) delete mode 100644 starter-workflows.iml diff --git a/starter-workflows.iml b/starter-workflows.iml deleted file mode 100644 index 8021953..0000000 --- a/starter-workflows.iml +++ /dev/null @@ -1,9 +0,0 @@ - - - - - - - - - \ No newline at end of file From a50f9361bc1283eb5191ada8a0878319ecd8919e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Batuhan=20Apayd=C4=B1n?= Date: Tue, 20 Sep 2022 20:02:09 +0300 Subject: [PATCH 186/234] chore: upgrade cosign-installer version to latest MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Batuhan Apaydın --- ci/docker-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index e88539d..d07a3f8 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -41,9 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@7e0881f8fe90b25e305bbf0309761e9314607e25 + uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 with: - cosign-release: 'v1.9.0' + cosign-release: 'v1.11.0' # Workaround: https://github.com/docker/build-push-action/issues/461 From 6b52b98767046e01d8c0543b30767b8214b85be4 Mon Sep 17 00:00:00 2001 From: Simon Engledew Date: Wed, 21 Sep 2022 12:46:14 +0100 Subject: [PATCH 187/234] Hide ESLint on GHES --- code-scanning/properties/eslint.properties.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/code-scanning/properties/eslint.properties.json b/code-scanning/properties/eslint.properties.json index a84646a..2a1271f 100644 --- a/code-scanning/properties/eslint.properties.json +++ b/code-scanning/properties/eslint.properties.json @@ -2,10 +2,11 @@ "name": "ESLint", "description": "A tool for identifying and reporting the problems found in ECMAScript/JavaScript code.", "iconName": "eslint", + "enterprise": false, "categories": [ "Code Scanning", "JavaScript", "EcmaScript", "TypeScript" ] -} \ No newline at end of file +} From 23737db30608c6a9c4175971df3a2d451278b955 Mon Sep 17 00:00:00 2001 From: Simon Engledew Date: Wed, 21 Sep 2022 15:45:41 +0100 Subject: [PATCH 188/234] Make enterprise opt-in instead of opt-out --- code-scanning/properties/codeql.properties.json | 1 + script/sync-ghes/index.ts | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index ddb4627..8ee80b4 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -1,6 +1,7 @@ { "name": "CodeQL Analysis", "creator": "GitHub", + "enterprise": true, "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.", "iconName": "octicon mark-github", "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"] diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 608e73d..a816109 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -61,7 +61,7 @@ async function checkWorkflows( const enabled = !isPartnerWorkflow && - workflowProperties.enterprise !== false && + workflowProperties.enterprise === true && (await checkWorkflow(workflowFilePath, enabledActions)); const workflowDesc: WorkflowDesc = { From d75ca7ac2e1a53eb04fc809ac8affdf2cded060d Mon Sep 17 00:00:00 2001 From: Nick Fyson Date: Wed, 21 Sep 2022 16:04:36 +0100 Subject: [PATCH 189/234] fix trigger for ghes sync --- .github/workflows/sync-ghes.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index 5e949bb..26d2665 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -2,7 +2,7 @@ name: Sync workflows for GHES on: push: - branches: [ $default-branch ] + branches: [ main ] workflow_dispatch: jobs: From da2e9558af199abdd3140a07fde272cfdd257831 Mon Sep 17 00:00:00 2001 From: Simon Engledew Date: Wed, 21 Sep 2022 16:00:40 +0100 Subject: [PATCH 190/234] Only use enterprise check for code-scanning folder --- script/sync-ghes/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index a816109..a320d36 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -61,7 +61,7 @@ async function checkWorkflows( const enabled = !isPartnerWorkflow && - workflowProperties.enterprise === true && + (workflowProperties.enterprise === true || folder !== 'code-scanning') && (await checkWorkflow(workflowFilePath, enabledActions)); const workflowDesc: WorkflowDesc = { From e1512d3916167a26724d2861a9953390eb1ae2f7 Mon Sep 17 00:00:00 2001 From: mthibeau73 Date: Wed, 21 Sep 2022 14:04:45 -0500 Subject: [PATCH 191/234] Add Zimperium zScan starter workflow --- .../properties/zscan.properties.json | 14 +++++ code-scanning/zscan.yml | 61 +++++++++++++++++++ icons/zscan.svg | 11 ++++ 3 files changed, 86 insertions(+) create mode 100644 code-scanning/properties/zscan.properties.json create mode 100644 code-scanning/zscan.yml create mode 100644 icons/zscan.svg diff --git a/code-scanning/properties/zscan.properties.json b/code-scanning/properties/zscan.properties.json new file mode 100644 index 0000000..18c96d7 --- /dev/null +++ b/code-scanning/properties/zscan.properties.json @@ -0,0 +1,14 @@ +{ + "name": "zScan", + "creator": "Zimperium", + "description": "The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) and identifies security, privacy, and compliance-related vulnerabilities. ​", + "iconName": "zScan", + "categories": [ + "Code Scanning", + "Java", + "Kotlin", + "Scala", + "Swift", + "Objective C" + ] +} diff --git a/code-scanning/zscan.yml b/code-scanning/zscan.yml new file mode 100644 index 0000000..1ac6bbd --- /dev/null +++ b/code-scanning/zscan.yml @@ -0,0 +1,61 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) +# and identifies security, privacy, and compliance-related vulnerabilities. ​ +# +# Prerequisites: ​ +# * An active Zimperium zScan account is required. If you are not an existing Zimperium +# zScan customer, please request a zSCAN demo by visiting https://www.zimperium.com/contact-us. +# * Either GitHub Advanced Security (GHAS) or a public repository is required to display +# issues and view the remediation information inside of GitHub code scanning alerts. ​ +# +# For additional information and setup instructions +# please visit: https://github.com/Zimperium/zScanMarketplace#readme + +name: "Zimperium zScan" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + +permissions: + contents: read + +jobs: + zscan: + name: zScan + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + - name: Execute gradle build + run: ./gradlew build # Change this to build your mobile application + + - name: Run Zimperium zScan + uses: zimperium/zscanmarketplace@bfc6670f6648d796098c251ccefcfdb98983174d + timeout-minutes: 60 + with: + # REPLACE: Zimperium Client Environment Name + client_env: env_string + # REPLACE: Zimperium Client ID + client_id: id_string + # REPLACE: Zimperium Client Secret + client_secret: ${{ secrets.ZSCAN_CLIENT_SECRET }} + # REPLACE: The path to an .ipa or .apk + app_file: app-release-unsigned.apk + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: Zimperium.sarif + \ No newline at end of file diff --git a/icons/zscan.svg b/icons/zscan.svg new file mode 100644 index 0000000..1dff416 --- /dev/null +++ b/icons/zscan.svg @@ -0,0 +1,11 @@ + + + + + + + + + + + From 6a3b2bbd2ec26fd76e5e1eca8365eedddf483835 Mon Sep 17 00:00:00 2001 From: Nick McCurdy Date: Thu, 22 Sep 2022 10:46:38 -0400 Subject: [PATCH 192/234] Add pages directory to readme --- README.md | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index f39892f..9cf6833 100644 --- a/README.md +++ b/README.md @@ -12,10 +12,11 @@ These are the workflow files for helping people get started with GitHub Actions. ### Directory structure -* [ci](ci): solutions for Continuous Integration workflows. -* [deployments](deployments): solutions for Deployment workflows. -* [automation](automation): solutions for automating workflows. -* [code-scanning](code-scanning): starter workflows for [Code Scanning](https://github.com/features/security) +* [ci](ci): solutions for Continuous Integration workflows +* [deployments](deployments): solutions for Deployment workflows +* [automation](automation): solutions for automating workflows +* [code-scanning](code-scanning): solutions for [Code Scanning](https://github.com/features/security) +* [pages](pages): solutions for Pages workflows * [icons](icons): svg icons for the relevant template Each workflow must be written in YAML and have a `.yml` extension. They also need a corresponding `.properties.json` file that contains extra metadata about the workflow (this is displayed in the GitHub.com UI). @@ -40,6 +41,14 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`. * monitoring * Automation * utilities +* Pages +* Hugo +* Gatsby +* Next +* Nuxt +* HTML +* JavaScript +* CSS ### Variables These variables can be placed in the starter workflow and will be substituted as detailed below: From 13ad0bf0aef432c6577fcff3afcf10a492f2e907 Mon Sep 17 00:00:00 2001 From: mthibeau73 Date: Fri, 23 Sep 2022 10:32:47 -0500 Subject: [PATCH 193/234] lowercase iconName in properties file --- code-scanning/properties/zscan.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/zscan.properties.json b/code-scanning/properties/zscan.properties.json index 18c96d7..6b55756 100644 --- a/code-scanning/properties/zscan.properties.json +++ b/code-scanning/properties/zscan.properties.json @@ -2,7 +2,7 @@ "name": "zScan", "creator": "Zimperium", "description": "The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) and identifies security, privacy, and compliance-related vulnerabilities. ​", - "iconName": "zScan", + "iconName": "zscan", "categories": [ "Code Scanning", "Java", From 3f6632a2aee5450e054cc12323ff30695875d46b Mon Sep 17 00:00:00 2001 From: Nick McCurdy Date: Fri, 23 Sep 2022 11:42:07 -0400 Subject: [PATCH 194/234] Remove redundant languages --- README.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/README.md b/README.md index 9cf6833..fa8d351 100644 --- a/README.md +++ b/README.md @@ -46,9 +46,6 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`. * Gatsby * Next * Nuxt -* HTML -* JavaScript -* CSS ### Variables These variables can be placed in the starter workflow and will be substituted as detailed below: From aa0375afbf5108c17eb280bc8e9045aa57c2e78c Mon Sep 17 00:00:00 2001 From: Gabriela Gutierrez Date: Fri, 23 Sep 2022 18:04:56 -0300 Subject: [PATCH 195/234] Remove trailing whitespaces --- code-scanning/scorecards.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 8ca5094..31a4fa1 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -22,7 +22,7 @@ jobs: # Needs for private repositories. contents: read actions: read - + steps: - name: "Checkout code" uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0 @@ -41,8 +41,8 @@ jobs: # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} # Publish the results for public repositories to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories, `publish_results` will automatically be set to `false`, regardless + # https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories, `publish_results` will automatically be set to `false`, regardless # of the value entered here. publish_results: true @@ -54,7 +54,7 @@ jobs: name: SARIF file path: results.sarif retention-days: 5 - + # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26 From 5f2c1d104d691cc446a7c525b53476b9c4d5b333 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Sep 2022 13:32:49 +0000 Subject: [PATCH 196/234] Bump actions/stale from 5 to 6 Bumps [actions/stale](https://github.com/actions/stale) from 5 to 6. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/stale.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index c319ce1..002f30d 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/stale@v5 + - uses: actions/stale@v6 with: stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.' stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.' From 022ac9babb7d92b4ea5775cb0385fcc4101d2ad4 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Fri, 23 Sep 2022 08:51:24 -0400 Subject: [PATCH 197/234] Update Anchore Grype scan action workflow --- code-scanning/anchore.yml | 19 ++++++++++--------- .../properties/anchore-syft.properties.json | 2 +- .../properties/anchore.properties.json | 8 ++++---- 3 files changed, 15 insertions(+), 14 deletions(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index a3d2eed..818fb70 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -9,7 +9,7 @@ # and parameters, see https://github.com/anchore/scan-action. For more # information on Anchore's container image scanning tool Grype, see # https://github.com/anchore/grype -name: Anchore Container Scan +name: Anchore Grype vulnerability scan on: push: @@ -28,20 +28,21 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - - name: Checkout the code + - name: Check out the code uses: actions/checkout@v3 - name: Build the Docker image run: docker build . --file Dockerfile --tag localbuild/testimage:latest - - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled - uses: anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd + - name: Run the Anchore Grype scan action + uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7 + id: scan with: image: "localbuild/testimage:latest" - acs-report-enable: true - fail-build: false - - name: Upload Anchore Scan Report + fail-build: true + severity-cutoff: critical + - name: Upload vulnerability report uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: results.sarif + sarif_file: ${{ steps.scan.outputs.sarif }} diff --git a/code-scanning/properties/anchore-syft.properties.json b/code-scanning/properties/anchore-syft.properties.json index 815f8b2..aa4cb1e 100644 --- a/code-scanning/properties/anchore-syft.properties.json +++ b/code-scanning/properties/anchore-syft.properties.json @@ -1,6 +1,6 @@ { "name": "Anchore Syft SBOM Scan", - "organization": "Anchore", + "creator": "Anchore", "description": "Produce Software Bills of Materials based on Anchore's open source Syft tool.", "iconName": "anchore", "categories": ["Code Scanning", "dockerfile", "dependency-management"] diff --git a/code-scanning/properties/anchore.properties.json b/code-scanning/properties/anchore.properties.json index d997da4..94634dd 100644 --- a/code-scanning/properties/anchore.properties.json +++ b/code-scanning/properties/anchore.properties.json @@ -1,7 +1,7 @@ { - "name": "Anchore Container Scan", - "creator": "Indeni Cloudrail", - "description": "Produce container image vulnerability and compliance reports based on the open-source Anchore container image scanner.", + "name": "Anchore Grype Vulnerability Scan", + "creator": "Anchore", + "description": "Produce source and container vulnerability reports based on Anchore's open source Grype tool.", "iconName": "anchore", "categories": ["Code Scanning", "dockerfile"] -} \ No newline at end of file +} From 10798e7d81930be332a078bedadfb4d44a644016 Mon Sep 17 00:00:00 2001 From: Adrian Mato Date: Tue, 27 Sep 2022 21:19:54 -0700 Subject: [PATCH 198/234] Add: Astro to starter workflows --- pages/astro.yml | 51 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 pages/astro.yml diff --git a/pages/astro.yml b/pages/astro.yml new file mode 100644 index 0000000..01873b7 --- /dev/null +++ b/pages/astro.yml @@ -0,0 +1,51 @@ +# Sample workflow for building and deploying an Astro site to GitHub Pages +# +# To get started with Astro see: https://docs.astro.build/en/getting-started/ +# + +name: Deploy Roadmap to Pages + +on: + push: + branches: [main] + paths: # only needed when project in subfolder + - "roadmap-priorities" + - ".github/workflows/deploy-roadmap.yml" + workflow_dispatch: + +permissions: + contents: read + pages: write + id-token: write + +env: + PAT: '.' # default value when not using subfolders + # PAT: subfolder + +jobs: + build: + name: Build & Deploy + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 + with: + node-version: 16 + cache-dependency-path: ${{ env.PAT }}/package-lock.json + - run: npm install && npm run build + working-directory: ${{ env.PAT }} + - uses: actions/upload-pages-artifact@v1 + with: + path: ${{ env.PAT }}/dist + + deploy: + needs: build + name: Deploy + runs-on: ubuntu-latest + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v1 From 61aa8be81622eae19e5c240fb5e4bc9321265ce3 Mon Sep 17 00:00:00 2001 From: Adrian Mato Date: Tue, 27 Sep 2022 21:22:38 -0700 Subject: [PATCH 199/234] Paths not enabled by default --- pages/astro.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index 01873b7..3deef31 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -8,9 +8,10 @@ name: Deploy Roadmap to Pages on: push: branches: [main] - paths: # only needed when project in subfolder - - "roadmap-priorities" - - ".github/workflows/deploy-roadmap.yml" + # paths: + # only needed when project in subfolder + # - "subfolder" + # - ".github/workflows/astro.yml" workflow_dispatch: permissions: From 13ccf721fe833f11f32c6602733406915a5ed7f6 Mon Sep 17 00:00:00 2001 From: Keegan Saunders Date: Tue, 28 Jun 2022 22:02:19 -0400 Subject: [PATCH 200/234] Add NowSecure Mobile SBOM starter workflow --- code-scanning/nowsecure-mobile-sbom.yml | 55 +++++++++++++++++++ .../nowsecure-mobile-sbom.properties.json | 21 +++++++ 2 files changed, 76 insertions(+) create mode 100644 code-scanning/nowsecure-mobile-sbom.yml create mode 100644 code-scanning/properties/nowsecure-mobile-sbom.properties.json diff --git a/code-scanning/nowsecure-mobile-sbom.yml b/code-scanning/nowsecure-mobile-sbom.yml new file mode 100644 index 0000000..b9cf039 --- /dev/null +++ b/code-scanning/nowsecure-mobile-sbom.yml @@ -0,0 +1,55 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# NowSecure: The Mobile Security Experts . +# +# To use this workflow, you must have a token for NowSecure Platform. If you are a NowSecure customer, +# you can find it in NowSecure Platform. +# +# If you *are not* a NowSecure customer, click here to sign up for a free trial to get access: +# . +# +# Instructions: +# +# 1. In the settings for your repository, click "Secrets" then "New repository secret". Name the secret "NS_TOKEN" and +# paste in your Platform token. If you do not have a Platform token, or wish to create a new one for GitHub, visit +# NowSecure Platform and go to "Profile & Preferences" then create a token labelled "GitHub". +# +# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository +# and review the "Dependency graph" tab in the "Insights" pane once the action has run. + +name: "NowSecure Mobile SBOM" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + nowsecure: + name: NowSecure Mobile SBOM + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Build your application + run: ./gradlew assembleDebug # Update this to build your Android or iOS application + + - name: NowSecure upload app + uses: nowsecure/nowsecure-sbom-action@ecb731b6f17a83fa53f756f9dae2ec7034c5ed7c + with: + token: ${{ secrets.NS_TOKEN }} + app_file: app-debug.apk # Update this to a path to your .ipa or .apk + group_id: {{ groupId }} # Update this to your desired Platform group ID diff --git a/code-scanning/properties/nowsecure-mobile-sbom.properties.json b/code-scanning/properties/nowsecure-mobile-sbom.properties.json new file mode 100644 index 0000000..32a7964 --- /dev/null +++ b/code-scanning/properties/nowsecure-mobile-sbom.properties.json @@ -0,0 +1,21 @@ +{ + "name": "NowSecure Mobile SBOM", + "creator": "NowSecure", + "description": "Generate a Mobile SBOM for an application and submit to Dependency Graph", + "iconName": "nowsecure", + "categories": [ + "Code Scanning", + "Java", + "Kotlin", + "Scala", + "Swift", + "Objective C", + "C", + "C++", + "C#", + "Rust", + "JavaScript", + "TypeScript", + "Node" + ] +} From 61b58c843faaf321af8150f75a667eae24e0e458 Mon Sep 17 00:00:00 2001 From: Adrian Mato Date: Thu, 29 Sep 2022 15:22:03 -0700 Subject: [PATCH 201/234] Update pages/astro.yml Co-authored-by: Yoann Chaudet --- pages/astro.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/astro.yml b/pages/astro.yml index 3deef31..544b93d 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -3,7 +3,7 @@ # To get started with Astro see: https://docs.astro.build/en/getting-started/ # -name: Deploy Roadmap to Pages +name: Deploy Astro site to Pages on: push: From 3c68ea5b08cbdafc0df46651c977b6d07b94d2e8 Mon Sep 17 00:00:00 2001 From: Ivan <98037481+IvanZosimov@users.noreply.github.com> Date: Fri, 30 Sep 2022 10:32:25 +0200 Subject: [PATCH 202/234] Update dotnet-desktop.yml to use setup-dotnet@v3 --- ci/dotnet-desktop.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index bd2cb2e..fd82a39 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -69,7 +69,7 @@ jobs: # Install the .NET Core workload - name: Install .NET Core - uses: actions/setup-dotnet@v2 + uses: actions/setup-dotnet@v3 with: dotnet-version: 6.0.x From 94301453103b54c82be6c73f03dbbb377e95241d Mon Sep 17 00:00:00 2001 From: Ivan <98037481+IvanZosimov@users.noreply.github.com> Date: Fri, 30 Sep 2022 10:33:07 +0200 Subject: [PATCH 203/234] Update dotnet.yml to use setup-dotnet@v3 --- ci/dotnet.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/dotnet.yml b/ci/dotnet.yml index a8eccab..7465e23 100644 --- a/ci/dotnet.yml +++ b/ci/dotnet.yml @@ -14,7 +14,7 @@ jobs: steps: - uses: actions/checkout@v3 - name: Setup .NET - uses: actions/setup-dotnet@v2 + uses: actions/setup-dotnet@v3 with: dotnet-version: 6.0.x - name: Restore dependencies From c4a90daee92b84b29c81d86edf855a258363f5d3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 30 Sep 2022 12:29:54 +0000 Subject: [PATCH 204/234] Bump @actions/core from 1.2.6 to 1.9.1 in /script/validate-data Bumps [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) from 1.2.6 to 1.9.1. - [Release notes](https://github.com/actions/toolkit/releases) - [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core) --- updated-dependencies: - dependency-name: "@actions/core" dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- script/validate-data/package-lock.json | 64 +++++++++++++++++++++++--- script/validate-data/package.json | 2 +- 2 files changed, 58 insertions(+), 8 deletions(-) diff --git a/script/validate-data/package-lock.json b/script/validate-data/package-lock.json index e660b6a..358c661 100644 --- a/script/validate-data/package-lock.json +++ b/script/validate-data/package-lock.json @@ -9,7 +9,7 @@ "version": "1.0.0", "license": "MIT", "dependencies": { - "@actions/core": "^1.2.6", + "@actions/core": "^1.9.1", "js-yaml": "^3.13.1", "jsonschema": "^1.2.6" }, @@ -21,9 +21,21 @@ } }, "node_modules/@actions/core": { - "version": "1.2.6", - "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz", - "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA==" + "version": "1.9.1", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz", + "integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==", + "dependencies": { + "@actions/http-client": "^2.0.1", + "uuid": "^8.3.2" + } + }, + "node_modules/@actions/http-client": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz", + "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==", + "dependencies": { + "tunnel": "^0.0.6" + } }, "node_modules/@types/js-yaml": { "version": "3.12.4", @@ -153,6 +165,14 @@ "typescript": ">=2.7" } }, + "node_modules/tunnel": { + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", + "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==", + "engines": { + "node": ">=0.6.11 <=0.7.0 || >=0.7.3" + } + }, "node_modules/typescript": { "version": "3.9.2", "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz", @@ -166,6 +186,14 @@ "node": ">=4.2.0" } }, + "node_modules/uuid": { + "version": "8.3.2", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", + "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==", + "bin": { + "uuid": "dist/bin/uuid" + } + }, "node_modules/yn": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz", @@ -178,9 +206,21 @@ }, "dependencies": { "@actions/core": { - "version": "1.2.6", - "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz", - "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA==" + "version": "1.9.1", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz", + "integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==", + "requires": { + "@actions/http-client": "^2.0.1", + "uuid": "^8.3.2" + } + }, + "@actions/http-client": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz", + "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==", + "requires": { + "tunnel": "^0.0.6" + } }, "@types/js-yaml": { "version": "3.12.4", @@ -279,12 +319,22 @@ "yn": "3.1.1" } }, + "tunnel": { + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", + "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==" + }, "typescript": { "version": "3.9.2", "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz", "integrity": "sha512-q2ktq4n/uLuNNShyayit+DTobV2ApPEo/6so68JaD5ojvc/6GClBipedB9zNWYxRSAlZXAe405Rlijzl6qDiSw==", "dev": true }, + "uuid": { + "version": "8.3.2", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", + "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==" + }, "yn": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz", diff --git a/script/validate-data/package.json b/script/validate-data/package.json index e6403ee..6811f19 100644 --- a/script/validate-data/package.json +++ b/script/validate-data/package.json @@ -14,7 +14,7 @@ "typescript": "^3.9.2" }, "dependencies": { - "@actions/core": "^1.2.6", + "@actions/core": "^1.9.1", "js-yaml": "^3.13.1", "jsonschema": "^1.2.6" } From d668c4cb8b5f3382c65ebcf1624bab95329b274c Mon Sep 17 00:00:00 2001 From: Pedro Kaj Kjellerup Nacht <15221358+pnacht@users.noreply.github.com> Date: Fri, 7 Oct 2022 14:25:58 +0000 Subject: [PATCH 205/234] Clarify comments in scorecard.yml --- code-scanning/scorecards.yml | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 31a4fa1..1a9119f 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -1,7 +1,10 @@ name: Scorecards supply-chain security on: - # Only the default branch is supported. + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: - cron: $cron-weekly push: @@ -17,11 +20,11 @@ jobs: permissions: # Needed to upload the results to code-scanning dashboard. security-events: write - # Used to receive a badge. + # Needed to publish results and get a badge (see publish_results below). id-token: write - # Needs for private repositories. - contents: read - actions: read + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read steps: - name: "Checkout code" @@ -40,10 +43,13 @@ jobs: # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} - # Publish the results for public repositories to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories, `publish_results` will automatically be set to `false`, regardless - # of the value entered here. + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. publish_results: true # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF From 493117b7055b853103d64a04bfe76998714e047f Mon Sep 17 00:00:00 2001 From: Pedro Kaj Kjellerup Nacht <15221358+pnacht@users.noreply.github.com> Date: Fri, 7 Oct 2022 18:22:49 +0000 Subject: [PATCH 206/234] Add disclaimer requested in PR template --- code-scanning/scorecards.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 1a9119f..afd2b93 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -1,3 +1,7 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + name: Scorecards supply-chain security on: # For Branch-Protection check. Only the default branch is supported. See From 988cccd442c473a2a89d6793baf896c191a10002 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Mon, 10 Oct 2022 11:12:22 +0000 Subject: [PATCH 207/234] Update old documentation links --- ci/ant.yml | 2 +- ci/dotnet.yml | 3 +++ ci/go.yml | 3 +++ ci/gradle.yml | 2 +- ci/maven.yml | 2 +- ci/node.js.yml | 2 +- ci/npm-publish-github-packages.yml | 2 +- ci/npm-publish.yml | 2 +- ci/python-app.yml | 2 +- ci/python-package.yml | 2 +- ci/python-publish.yml | 2 +- ci/swift.yml | 3 +++ 12 files changed, 18 insertions(+), 9 deletions(-) diff --git a/ci/ant.yml b/ci/ant.yml index 1614664..e9dba01 100644 --- a/ci/ant.yml +++ b/ci/ant.yml @@ -1,5 +1,5 @@ # This workflow will build a Java project with Ant -# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-ant +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-ant name: Java CI diff --git a/ci/dotnet.yml b/ci/dotnet.yml index 7465e23..f11f050 100644 --- a/ci/dotnet.yml +++ b/ci/dotnet.yml @@ -1,3 +1,6 @@ +# This workflow will build a .NET project +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-net + name: .NET on: diff --git a/ci/go.yml b/ci/go.yml index bb3ec96..4d95674 100644 --- a/ci/go.yml +++ b/ci/go.yml @@ -1,3 +1,6 @@ +# This workflow will build a golang project +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go + name: Go on: diff --git a/ci/gradle.yml b/ci/gradle.yml index 0c0f12c..2be0b58 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. # This workflow will build a Java project with Gradle and cache/restore any dependencies to improve the workflow execution time -# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-gradle name: Java CI with Gradle diff --git a/ci/maven.yml b/ci/maven.yml index 65e0dff..26bfc73 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -1,5 +1,5 @@ # This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time -# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-maven name: Java CI with Maven diff --git a/ci/node.js.yml b/ci/node.js.yml index a89108d..f230593 100644 --- a/ci/node.js.yml +++ b/ci/node.js.yml @@ -1,5 +1,5 @@ # This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node -# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-nodejs name: Node.js CI diff --git a/ci/npm-publish-github-packages.yml b/ci/npm-publish-github-packages.yml index 638ccf8..e790f4d 100644 --- a/ci/npm-publish-github-packages.yml +++ b/ci/npm-publish-github-packages.yml @@ -1,5 +1,5 @@ # This workflow will run tests using node and then publish a package to GitHub Packages when a release is created -# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages +# For more information see: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages name: Node.js Package diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index c461c85..6cdebaf 100644 --- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml @@ -1,5 +1,5 @@ # This workflow will run tests using node and then publish a package to GitHub Packages when a release is created -# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages +# For more information see: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages name: Node.js Package diff --git a/ci/python-app.yml b/ci/python-app.yml index 4b7fa5f..9945382 100644 --- a/ci/python-app.yml +++ b/ci/python-app.yml @@ -1,5 +1,5 @@ # This workflow will install Python dependencies, run tests and lint with a single version of Python -# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python name: Python application diff --git a/ci/python-package.yml b/ci/python-package.yml index 583a366..de579a3 100644 --- a/ci/python-package.yml +++ b/ci/python-package.yml @@ -1,5 +1,5 @@ # This workflow will install Python dependencies, run tests and lint with a variety of Python versions -# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python name: Python package diff --git a/ci/python-publish.yml b/ci/python-publish.yml index ec70354..bdaab28 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -1,5 +1,5 @@ # This workflow will upload a Python Package using Twine when a release is created -# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries # This workflow uses actions that are not certified by GitHub. # They are provided by a third-party and are governed by diff --git a/ci/swift.yml b/ci/swift.yml index 3668fc0..9d84f86 100644 --- a/ci/swift.yml +++ b/ci/swift.yml @@ -1,3 +1,6 @@ +# This workflow will build a golang project +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-swift + name: Swift on: From eaf0ed4a08ebf0cf7b2ef7ac29c1f18f0d5bf084 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Oct 2022 14:19:44 +0000 Subject: [PATCH 208/234] Bump pozil/auto-assign-issue from 1.10.0 to 1.10.1 Bumps [pozil/auto-assign-issue](https://github.com/pozil/auto-assign-issue) from 1.10.0 to 1.10.1. - [Release notes](https://github.com/pozil/auto-assign-issue/releases) - [Commits](https://github.com/pozil/auto-assign-issue/compare/v1.10.0...v1.10.1) --- updated-dependencies: - dependency-name: pozil/auto-assign-issue dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/auto-assign-issues.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml index 0cb9345..98f071a 100644 --- a/.github/workflows/auto-assign-issues.yml +++ b/.github/workflows/auto-assign-issues.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Auto-assign issue' - uses: pozil/auto-assign-issue@v1.10.0 + uses: pozil/auto-assign-issue@v1.10.1 with: assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft numOfAssignee: 1 From e9fd3bc4fbab5eb36f309948b4f2b1319ceb35a6 Mon Sep 17 00:00:00 2001 From: Pedro Kaj Kjellerup Nacht Date: Mon, 10 Oct 2022 15:48:40 +0000 Subject: [PATCH 209/234] Update versions/hashes --- code-scanning/scorecards.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index afd2b93..0e159aa 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -32,12 +32,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0 + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@865b4092859256271290c77adbd10a43f4779972 # tag=v2.0.3 + uses: ossf/scorecard-action@e363bfca00e752f91de7b7d2a77340e2e523cb18 # v2.0.4 with: results_file: results.sarif results_format: sarif @@ -51,7 +51,7 @@ jobs: # - Publish results to OpenSSF REST API for easy access by consumers # - Allows the repository to include the Scorecard badge. # - See https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories: + # For private repositories: # - `publish_results` will always be set to `false`, regardless # of the value entered here. publish_results: true @@ -59,7 +59,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0 + uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 with: name: SARIF file path: results.sarif @@ -67,6 +67,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26 + uses: github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100 # v2.1.27 with: sarif_file: results.sarif From 9a9cef713d58450916333470a1bd233e97c2f83e Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec <83706991+abdul-hai-apisec@users.noreply.github.com> Date: Wed, 12 Oct 2022 14:21:47 +0530 Subject: [PATCH 210/234] Update ethicalcheck.yml --- code-scanning/ethicalcheck.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/code-scanning/ethicalcheck.yml b/code-scanning/ethicalcheck.yml index c089015..4a8ad3c 100644 --- a/code-scanning/ethicalcheck.yml +++ b/code-scanning/ethicalcheck.yml @@ -49,9 +49,16 @@ jobs: steps: - name: EthicalCheck Free & Automated API Security Testing Service - uses: apisec-inc/ethicalcheck-action@latest + uses: apisec-inc/ethicalcheck-action@005fac321dd843682b1af6b72f30caaf9952c641 with: # The OpenAPI Specification URL or Swagger Path or Public Postman collection URL. oas-url: "http://netbanking.apisec.ai:8080/v2/api-docs" # The email address to which the penetration test report will be sent. - email: "xxx@apisec.ai" \ No newline at end of file + email: "xxx@apisec.ai" + sarif-result-file: "ethicalcheck-results.sarif" + + - name: Upload sarif file to repository + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ./ethicalcheck-results.sarif + From d1768edd6c32f2b7ed1b94b93e98390da3e4e3d4 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 12 Oct 2022 13:05:05 +0000 Subject: [PATCH 211/234] Remove filename check --- script/validate-data/index.ts | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index abbdfbe..4bd260d 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -44,7 +44,6 @@ const propertiesSchema = { async function checkWorkflows(folders: string[], allowed_categories: object[]): Promise { const result: WorkflowWithErrors[] = [] const workflow_template_names = new Set() - const workflow_template_file_names = new Set() for (const folder of folders) { const dir = await fs.readdir(folder, { withFileTypes: true, @@ -59,10 +58,7 @@ async function checkWorkflows(folders: string[], allowed_categories: object[]): const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, allowed_categories); if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) { - workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) - } - if(workflow_template_file_names.size == workflow_template_file_names.add(e.name).size) { - workflowWithErrors.errors.push(`Workflow template with filename "${e.name}" already exists`) + workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) } if (workflowWithErrors.errors.length > 0) { result.push(workflowWithErrors) From 90fcb3f10e2f67fb9e90e866901f7e9173317ea3 Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Wed, 12 Oct 2022 20:30:11 +0530 Subject: [PATCH 212/234] Added permissions --- code-scanning/ethicalcheck.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/code-scanning/ethicalcheck.yml b/code-scanning/ethicalcheck.yml index 4a8ad3c..2818bc6 100644 --- a/code-scanning/ethicalcheck.yml +++ b/code-scanning/ethicalcheck.yml @@ -42,9 +42,14 @@ on: # Allows you to run this workflow manually from the Actions tab workflow_dispatch: - +permissions: + contents: read + jobs: Trigger_EthicalCheck: + permissions: + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: @@ -57,8 +62,8 @@ jobs: email: "xxx@apisec.ai" sarif-result-file: "ethicalcheck-results.sarif" - - name: Upload sarif file to repository - uses: github/codeql-action/upload-sarif@v2 - with: + - name: Upload sarif file to repository + uses: github/codeql-action/upload-sarif@v2 + with: sarif_file: ./ethicalcheck-results.sarif From 8048d62634872e937bf37f33028e4b4448a4d7d4 Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Thu, 13 Oct 2022 13:01:48 -0700 Subject: [PATCH 213/234] Add dependency graph Scala builds do not automatically get support for the dependency graph. This addition will upload dependency information to the dependency graph so users get Dependabot alerts. --- ci/scala.yml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/ci/scala.yml b/ci/scala.yml index 4a3c112..a88374f 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -6,17 +6,24 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' + cache: 'sbt' - name: Run tests run: sbt test + # This step uploads information to the GitHub dependency graph and unblocking Dependabot alerts for the repository + - name: Upload dependency graph + uses: scalacenter/sbt-dependency-submission@v2 From 6686f7461a5ea356163d37ef11e325ab03a534bb Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Thu, 13 Oct 2022 13:08:31 -0700 Subject: [PATCH 214/234] Add disclaimer --- ci/scala.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ci/scala.yml b/ci/scala.yml index a88374f..9e78672 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -1,3 +1,8 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + name: Scala CI on: From 1be22cecc3906449c5014d187ad9c1e3bb1159cb Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Thu, 13 Oct 2022 13:24:08 -0700 Subject: [PATCH 215/234] Add dependency graph to Maven workflows --- ci/maven.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/ci/maven.yml b/ci/maven.yml index 65e0dff..d762ee9 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -1,6 +1,11 @@ # This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time # For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + name: Java CI with Maven on: @@ -24,3 +29,7 @@ jobs: cache: maven - name: Build with Maven run: mvn -B package --file pom.xml + + # Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive + - name: Update dependency graph + uses: advanced-security/maven-dependency-submission-action@v1 From 9c49b9d11c5dd12f3732b4707fde87d4753c3873 Mon Sep 17 00:00:00 2001 From: Nick McCurdy Date: Mon, 17 Oct 2022 08:31:16 -0400 Subject: [PATCH 216/234] Delete Gatsby, Next, and Nuxt categories https://github.com/actions/starter-workflows/pull/1762#discussion_r996963757 --- README.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/README.md b/README.md index fa8d351..7ff406f 100644 --- a/README.md +++ b/README.md @@ -43,9 +43,6 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`. * utilities * Pages * Hugo -* Gatsby -* Next -* Nuxt ### Variables These variables can be placed in the starter workflow and will be substituted as detailed below: From e5b363612e747c2961857eef5c4d66d2824a1efc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 17 Oct 2022 13:53:14 +0000 Subject: [PATCH 217/234] Bump pozil/auto-assign-issue from 1.10.1 to 1.11.0 Bumps [pozil/auto-assign-issue](https://github.com/pozil/auto-assign-issue) from 1.10.1 to 1.11.0. - [Release notes](https://github.com/pozil/auto-assign-issue/releases) - [Commits](https://github.com/pozil/auto-assign-issue/compare/v1.10.1...v1.11.0) --- updated-dependencies: - dependency-name: pozil/auto-assign-issue dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/auto-assign-issues.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml index 98f071a..adaa8d6 100644 --- a/.github/workflows/auto-assign-issues.yml +++ b/.github/workflows/auto-assign-issues.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Auto-assign issue' - uses: pozil/auto-assign-issue@v1.10.1 + uses: pozil/auto-assign-issue@v1.11.0 with: assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft numOfAssignee: 1 From 94ce36310999d6d76d8a1b23bdc1f09f5b38f6fe Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 18 Oct 2022 18:19:20 +0530 Subject: [PATCH 218/234] Update ci/swift.yml Co-authored-by: Scott Brenner --- ci/swift.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/swift.yml b/ci/swift.yml index 9d84f86..91276e3 100644 --- a/ci/swift.yml +++ b/ci/swift.yml @@ -1,4 +1,4 @@ -# This workflow will build a golang project +# This workflow will build a Swift project # For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-swift name: Swift From 7482e30dc1cfa91d8f20b52fc6416d6dec435652 Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Thu, 20 Oct 2022 11:11:54 +0530 Subject: [PATCH 219/234] Updated the description --- code-scanning/properties/ethicalcheck.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/ethicalcheck.properties.json b/code-scanning/properties/ethicalcheck.properties.json index c0949be..8728ca7 100644 --- a/code-scanning/properties/ethicalcheck.properties.json +++ b/code-scanning/properties/ethicalcheck.properties.json @@ -1,7 +1,7 @@ { "name": "EthicalCheck", "creator": "APIsec", - "description": "EthicalCheck addresses the critical need to continuously security test APIs in development and in production. EthicalCheck provides the industry’s only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list. Developers relies on EthicalCheck to evaluate every update and release, ensuring that no APIs go to production with exploitable vulnerabilities. You develop the application and API, we bring complete and continuous security testing to you, accelerating development.Know your API and Applications are secure with EthicalCheck – our free & automated API security testing service.", + "description": "EthicalCheck provides the industry’s only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list.", "iconName": "apisec", "categories": [ "Code Scanning", From a95c4f68c84a608cd51d3e85b7516945d61cc69a Mon Sep 17 00:00:00 2001 From: Oliver King Date: Thu, 20 Oct 2022 15:06:21 -0400 Subject: [PATCH 220/234] update aks workflows to latest versions --- deployments/azure-kubernetes-service-helm.yml | 151 +++++++----------- .../azure-kubernetes-service-kompose.yml | 145 ++++++----------- .../azure-kubernetes-service-kustomize.yml | 141 ++++++---------- deployments/azure-kubernetes-service.yml | 129 +++++---------- 4 files changed, 197 insertions(+), 369 deletions(-) diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index 83a9163..86582e7 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -1,14 +1,16 @@ # This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code # # This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# The ACR should be attached to the AKS cluster # For instructions see: # - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal # - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli#configure-acr-integration-for-existing-aks-clusters # - https://github.com/Azure/aks-create-action # # To configure this workflow: # -# 1. Set the following secrets in your repository (instructions for getting these +# 1. Set the following secrets in your repository (instructions for getting these # https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux)): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID @@ -34,7 +36,7 @@ name: Build and deploy an app to AKS with Helm on: push: - branches: [ $default-branch ] + branches: [$default-branch] workflow_dispatch: env: @@ -42,7 +44,6 @@ env: CONTAINER_NAME: "your-container-name" RESOURCE_GROUP: "your-resource-group" CLUSTER_NAME: "your-cluster-name" - IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" CHART_PATH: "your-chart-path" CHART_OVERRIDE_PATH: "your-chart-override-path" @@ -53,63 +54,21 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Builds and pushes an image up to your Azure Container Registry - - name: Build and push image to ACR - run: | - az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + # Checks out the repository this file is in + - uses: actions/checkout@v3 - createSecret: - permissions: - contents: read - id-token: write - runs-on: ubuntu-latest - steps: - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} - - # Retrieves the credentials for pulling images from your Azure Container Registry - - name: Get ACR credentials - run: | - az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true - ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) - ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) - echo "::add-mask::${ACR_USERNAME}" - echo "::set-output name=username::${ACR_USERNAME}" - echo "::add-mask::${ACR_PASSWORD}" - echo "::set-output name=password::${ACR_PASSWORD}" - id: get-acr-creds - - # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step - - name: Create K8s secret for pulling image from ACR - uses: Azure/k8s-create-secret@v1.1 - with: - container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io - container-registry-username: ${{ steps.get-acr-creds.outputs.username }} - container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . deploy: permissions: @@ -117,45 +76,43 @@ jobs: contents: read id-token: write runs-on: ubuntu-latest - needs: [buildImage, createSecret] + needs: [buildImage] steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} + # Checks out the repository this file is in + - uses: actions/checkout@v3 - # Runs Helm to create manifest files - - name: Bake deployment - uses: azure/k8s-bake@v2.1 - with: - renderEngine: 'helm' - helmChart: ${{ env.CHART_PATH }} - overrideFiles: ${{ env.CHART_OVERRIDE_PATH }} - overrides: | - replicas:2 - helm-version: 'latest' - id: bake + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # Deploys application based on manifest files from previous step - - name: Deploy application - uses: Azure/k8s-deploy@v3.1 - with: - action: deploy - manifests: ${{ steps.bake.outputs.manifestsBundle }} - images: | - ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} - imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v3 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + + # Runs Helm to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2 + with: + renderEngine: "helm" + helmChart: ${{ env.CHART_PATH }} + overrideFiles: ${{ env.CHART_OVERRIDE_PATH }} + overrides: | + replicas:2 + helm-version: "latest" + id: bake + + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v4 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index 0e76365..a0e6bdd 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -1,14 +1,16 @@ # This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code # # This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# The ACR should be attached to the AKS cluster # For instructions see: # - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal # - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli#configure-acr-integration-for-existing-aks-clusters # - https://github.com/Azure/aks-create-action # # To configure this workflow: # -# 1. Set the following secrets in your repository (instructions for getting these +# 1. Set the following secrets in your repository (instructions for getting these # https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID @@ -33,7 +35,7 @@ name: Build and deploy an app to AKS with Kompose on: push: - branches: [ $default-branch ] + branches: [$default-branch] workflow_dispatch: env: @@ -41,7 +43,6 @@ env: CONTAINER_NAME: "your-container-name" RESOURCE_GROUP: "your-resource-group" CLUSTER_NAME: "your-cluster-name" - IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path" jobs: @@ -51,106 +52,62 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Builds and pushes an image up to your Azure Container Registry - - name: Build and push image to ACR - run: | - az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . - - createSecret: - permissions: - contents: read - id-token: write - runs-on: ubuntu-latest - steps: - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} + # Checks out the repository this file is in + - uses: actions/checkout@v3 - # Retrieves the credentials for pulling images from your Azure Container Registry - - name: Get ACR credentials - run: | - az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true - ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) - ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) - echo "::add-mask::${ACR_USERNAME}" - echo "::set-output name=username::${ACR_USERNAME}" - echo "::add-mask::${ACR_PASSWORD}" - echo "::set-output name=password::${ACR_PASSWORD}" - id: get-acr-creds + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . - # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step - - name: Create K8s secret for pulling image from ACR - uses: Azure/k8s-create-secret@v1.1 - with: - container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io - container-registry-username: ${{ steps.get-acr-creds.outputs.username }} - container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} - deploy: permissions: actions: read contents: read id-token: write runs-on: ubuntu-latest - needs: [buildImage, createSecret] + needs: [buildImage] steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Checks out the repository this file is in + - uses: actions/checkout@v3 - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # Runs Kompose to create manifest files - - name: Bake deployment - uses: azure/k8s-bake@v2.1 - with: - renderEngine: 'kompose' - dockerComposeFile: ${{ env.DOCKER_COMPOSE_FILE_PATH }} - kompose-version: 'latest' - id: bake + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v3 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} - # Deploys application based on manifest files from previous step - - name: Deploy application - uses: Azure/k8s-deploy@v3.1 - with: - action: deploy - manifests: ${{ steps.bake.outputs.manifestsBundle }} - images: | - ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} - imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} + # Runs Kompose to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2 + with: + renderEngine: "kompose" + dockerComposeFile: ${{ env.DOCKER_COMPOSE_FILE_PATH }} + kompose-version: "latest" + id: bake + + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v4 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index 1a89f3c..6c87057 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -1,14 +1,16 @@ # This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code # # This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# The ACR should be attached to the AKS cluster # For instructions see: # - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal # - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli#configure-acr-integration-for-existing-aks-clusters # - https://github.com/Azure/aks-create-action # # To configure this workflow: # -# 1. Set the following secrets in your repository (instructions for getting these +# 1. Set the following secrets in your repository (instructions for getting these # https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID @@ -33,7 +35,7 @@ name: Build and deploy an app to AKS with Kustomize on: push: - branches: [ $default-branch ] + branches: [$default-branch] workflow_dispatch: env: @@ -41,7 +43,6 @@ env: CONTAINER_NAME: "your-container-name" RESOURCE_GROUP: "your-resource-group" CLUSTER_NAME: "your-cluster-name" - IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" KUSTOMIZE_PATH: "your-kustomize-path" jobs: @@ -51,106 +52,62 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 + # Checks out the repository this file is in + - uses: actions/checkout@v3 - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Builds and pushes an image up to your Azure Container Registry - - name: Build and push image to ACR - run: | - az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . - - createSecret: - permissions: - contents: read - id-token: write - runs-on: ubuntu-latest - steps: - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . - # Retrieves the credentials for pulling images from your Azure Container Registry - - name: Get ACR credentials - run: | - az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true - ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) - ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) - echo "::add-mask::${ACR_USERNAME}" - echo "::set-output name=username::${ACR_USERNAME}" - echo "::add-mask::${ACR_PASSWORD}" - echo "::set-output name=password::${ACR_PASSWORD}" - id: get-acr-creds - - # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step - - name: Create K8s secret for pulling image from ACR - uses: Azure/k8s-create-secret@v1.1 - with: - container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io - container-registry-username: ${{ steps.get-acr-creds.outputs.username }} - container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} - deploy: permissions: actions: read contents: read id-token: write runs-on: ubuntu-latest - needs: [buildImage, createSecret] + needs: [buildImage] steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 + # Checks out the repository this file is in + - uses: actions/checkout@v3 - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v3 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} - # Runs Kustomize to create manifest files - - name: Bake deployment - uses: azure/k8s-bake@v2.1 - with: - renderEngine: 'kustomize' - kustomizationPath: ${{ env.KUSTOMIZE_PATH }} - kubectl-version: latest - id: bake + # Runs Kustomize to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2 + with: + renderEngine: "kustomize" + kustomizationPath: ${{ env.KUSTOMIZE_PATH }} + kubectl-version: latest + id: bake - # Deploys application based on manifest files from previous step - - name: Deploy application - uses: Azure/k8s-deploy@v3.1 - with: - action: deploy - manifests: ${{ steps.bake.outputs.manifestsBundle }} - images: | - ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} - imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v4 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index 3e49419..f0b2b38 100644 --- a/deployments/azure-kubernetes-service.yml +++ b/deployments/azure-kubernetes-service.yml @@ -1,9 +1,11 @@ # This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code # # This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# The ACR should be attached to the AKS cluster # For instructions see: # - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal # - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli#configure-acr-integration-for-existing-aks-clusters # - https://github.com/Azure/aks-create-action # # To configure this workflow: @@ -29,7 +31,7 @@ name: Build and deploy an app to AKS on: push: - branches: [ $default-branch ] + branches: [$default-branch] workflow_dispatch: env: @@ -37,8 +39,7 @@ env: CONTAINER_NAME: "your-container-name" RESOURCE_GROUP: "your-resource-group" CLUSTER_NAME: "your-cluster-name" - IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" - DEPLOYMENT_MANIFEST_PATH: 'your-deployment-manifest-path' + DEPLOYMENT_MANIFEST_PATH: "your-deployment-manifest-path" jobs: buildImage: @@ -47,63 +48,21 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Builds and pushes an image up to your Azure Container Registry - - name: Build and push image to ACR - run: | - az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + # Checks out the repository this file is in + - uses: actions/checkout@v3 - createSecret: - permissions: - contents: read - id-token: write - runs-on: ubuntu-latest - steps: - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # Retrieves the credentials for pulling images from your Azure Container Registry - - name: Get ACR credentials - run: | - az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true - ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) - ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) - echo "::add-mask::${ACR_USERNAME}" - echo "::set-output name=username::${ACR_USERNAME}" - echo "::add-mask::${ACR_PASSWORD}" - echo "::set-output name=password::${ACR_PASSWORD}" - id: get-acr-creds - - # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step - - name: Create K8s secret for pulling image from ACR - uses: Azure/k8s-create-secret@v1.1 - with: - container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io - container-registry-username: ${{ steps.get-acr-creds.outputs.username }} - container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . deploy: permissions: @@ -111,33 +70,31 @@ jobs: contents: read id-token: write runs-on: ubuntu-latest - needs: [buildImage, createSecret] + needs: [buildImage] steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} + # Checks out the repository this file is in + - uses: actions/checkout@v3 - # Deploys application based on given manifest file - - name: Deploys application - uses: Azure/k8s-deploy@v3.1 - with: - action: deploy - manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }} - images: | - ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} - imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v3 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + + # Deploys application based on given manifest file + - name: Deploys application + uses: Azure/k8s-deploy@v4 + with: + action: deploy + manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} From 4367f77de0ebfc8e0bfd31a369320d5d57610c51 Mon Sep 17 00:00:00 2001 From: Adrian Mato Date: Thu, 20 Oct 2022 16:06:10 -0700 Subject: [PATCH 221/234] add: concurrency and default branch ref --- pages/astro.yml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index 544b93d..b3ef351 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -2,25 +2,29 @@ # # To get started with Astro see: https://docs.astro.build/en/getting-started/ # - name: Deploy Astro site to Pages on: + # Runs on pushes targeting the default branch push: - branches: [main] - # paths: - # only needed when project in subfolder - # - "subfolder" - # - ".github/workflows/astro.yml" + branches: [$default-branch] + + # Allows you to run this workflow manually from the Actions tab workflow_dispatch: +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages permissions: contents: read pages: write id-token: write +# Allow one concurrent deployment +concurrency: + group: "pages" + cancel-in-progress: true + env: - PAT: '.' # default value when not using subfolders + PAT: "." # default value when not using subfolders # PAT: subfolder jobs: From a2272ea794367d19ee4866bc1620fc318693778a Mon Sep 17 00:00:00 2001 From: Adrian Mato Date: Thu, 20 Oct 2022 16:10:14 -0700 Subject: [PATCH 222/234] update: rename subfolder path to avoid confusion --- pages/astro.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index b3ef351..13d209b 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -24,24 +24,24 @@ concurrency: cancel-in-progress: true env: - PAT: "." # default value when not using subfolders - # PAT: subfolder + BUILD_PATH: "." # default value when not using subfolders + # BUILD_PATH: subfolder jobs: build: - name: Build & Deploy + name: Build runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: node-version: 16 - cache-dependency-path: ${{ env.PAT }}/package-lock.json + cache-dependency-path: ${{ env.BUILD_PATH }}/package-lock.json - run: npm install && npm run build - working-directory: ${{ env.PAT }} + working-directory: ${{ env.BUILD_PATH }} - uses: actions/upload-pages-artifact@v1 with: - path: ${{ env.PAT }}/dist + path: ${{ env.BUILD_PATH }}/dist deploy: needs: build From e05fb5453707149f64da79b7755479a06dd6137a Mon Sep 17 00:00:00 2001 From: Adrian Mato Date: Thu, 20 Oct 2022 16:30:54 -0700 Subject: [PATCH 223/234] minor tweaks for consistency with other templates --- pages/astro.yml | 32 ++++++++++++++++++++++++++------ 1 file changed, 26 insertions(+), 6 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index 13d209b..1d4ec5f 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -32,10 +32,30 @@ jobs: name: Build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 + - name: Checkout + uses: actions/checkout@v3 + - name: Detect package manager + id: detect-package-manager + run: | + if [ -f "${{ github.workspace }}/yarn.lock" ]; then + echo "::set-output name=manager::yarn" + echo "::set-output name=command::install" + echo "::set-output name=runner::yarn" + exit 0 + elif [ -f "${{ github.workspace }}/package.json" ]; then + echo "::set-output name=manager::npm" + echo "::set-output name=command::ci" + echo "::set-output name=runner::npx --no-install" + exit 0 + else + echo "Unable to determine packager manager" + exit 1 + fi + - name: Setup Node + uses: actions/setup-node@v3 with: - node-version: 16 + node-version: "16" + cache: ${{ steps.detect-package-manager.outputs.manager }} cache-dependency-path: ${{ env.BUILD_PATH }}/package-lock.json - run: npm install && npm run build working-directory: ${{ env.BUILD_PATH }} @@ -44,12 +64,12 @@ jobs: path: ${{ env.BUILD_PATH }}/dist deploy: - needs: build - name: Deploy - runs-on: ubuntu-latest environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} + needs: build + runs-on: ubuntu-latest + name: Deploy steps: - name: Deploy to GitHub Pages id: deployment From 03afd8292058dd5860870efad5c27295dd1fc67d Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Mon, 24 Oct 2022 15:22:18 -0700 Subject: [PATCH 224/234] Update to latest commit sha --- ci/maven.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/maven.yml b/ci/maven.yml index d762ee9..4a8d107 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -32,4 +32,4 @@ jobs: # Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive - name: Update dependency graph - uses: advanced-security/maven-dependency-submission-action@v1 + uses: advanced-security/maven-dependency-submission-action@571e99aab1055c2e71a1e2309b9691de18d6b7d6 From cf8803940451b743087390d37a4bd1db62503efb Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Mon, 24 Oct 2022 15:22:49 -0700 Subject: [PATCH 225/234] Add optional marking --- ci/maven.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/maven.yml b/ci/maven.yml index 4a8d107..31fb19f 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -29,7 +29,7 @@ jobs: cache: maven - name: Build with Maven run: mvn -B package --file pom.xml - - # Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive + + # Optional: Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive - name: Update dependency graph uses: advanced-security/maven-dependency-submission-action@571e99aab1055c2e71a1e2309b9691de18d6b7d6 From c1444385ea259d1d65245650e32286eb22ea1341 Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Mon, 24 Oct 2022 15:24:40 -0700 Subject: [PATCH 226/234] Mark optional and use commit SHA --- ci/scala.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/scala.yml b/ci/scala.yml index 9e78672..14ba966 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -29,6 +29,6 @@ jobs: cache: 'sbt' - name: Run tests run: sbt test - # This step uploads information to the GitHub dependency graph and unblocking Dependabot alerts for the repository + # Optional: This step uploads information to the GitHub dependency graph and unblocking Dependabot alerts for the repository - name: Upload dependency graph - uses: scalacenter/sbt-dependency-submission@v2 + uses: scalacenter/sbt-dependency-submission@ab086b50c947c9774b70f39fc7f6e20ca2706c91 From ee5b05445ac5bdd8c014232489d3215d22e0ddf8 Mon Sep 17 00:00:00 2001 From: Jeevan Reddy Ragula Date: Tue, 25 Oct 2022 16:32:52 +0530 Subject: [PATCH 227/234] update zscaler iac scan version --- code-scanning/zscaler-iac-scan.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml index c6020a5..e880bdf 100644 --- a/code-scanning/zscaler-iac-scan.yml +++ b/code-scanning/zscaler-iac-scan.yml @@ -7,7 +7,7 @@ #which detects security misconfigurations in IaC templates and publishes the findings #under the code scanning alerts section within the repository. -#Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process. +#Log into the Zscaler Posture Control(ZPC) Portal to begin the onboarding process. #Copy the client ID and client secret key generated during the onboarding process and configure. #GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). @@ -36,12 +36,12 @@ jobs: - name : Code Checkout uses: actions/checkout@v3 - name : Zscaler IAC Scan - uses : ZscalerCWP/Zscaler-IaC-Action@8f0d8b60bd5a8f44062d444463f66f419ab71cfc + uses : ZscalerCWP/Zscaler-IaC-Action@8d2afb33b10b4bd50e2dc2c932b37c6e70ac1087 id : zscaler-iac-scan with: client_id : ${{ secrets.ZSCANNER_CLIENT_ID }} client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }} - #This is the user region specified during the onboarding process within the ZWP Admin Portal. + #This is the user region specified during the onboarding process within the ZPC Admin Portal. region : 'US' iac_dir : #Enter the IaC directory path from root. iac_file : #Enter the IaC file path from root. From 65cfd09f0d556e4bcaf18ed7555c5af1cdce91d3 Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez Date: Wed, 26 Oct 2022 16:05:53 -0300 Subject: [PATCH 228/234] update soos dast to latest version --- code-scanning/soos-dast-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 47f6c48..0b982d3 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Scan - uses: soos-io/soos-dast-github-action@5f8e2a1994d618e6ac9902e0f491fd1656b698e6 + uses: soos-io/soos-dast-github-action@093de8c09530d4b96f12322adeb74444def866db with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} From 81a4ed37489870ca8016e5d64aaee8aa1c0c2f03 Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez Date: Wed, 26 Oct 2022 16:10:52 -0300 Subject: [PATCH 229/234] comment about latest version --- code-scanning/soos-dast-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 0b982d3..825f573 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Scan - uses: soos-io/soos-dast-github-action@093de8c09530d4b96f12322adeb74444def866db + uses: soos-io/soos-dast-github-action@093de8c09530d4b96f12322adeb74444def866db # Use latest version from https://github.com/marketplace/actions/soos-dast with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} From c36348cbc69edcc1766b7c5927c5ceaa3a9d902c Mon Sep 17 00:00:00 2001 From: Angela P Wen Date: Wed, 26 Oct 2022 23:28:17 +0000 Subject: [PATCH 230/234] Add Go to code scanning autobuild comment --- code-scanning/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 00ffcdb..34c5de7 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -53,7 +53,7 @@ jobs: # queries: security-extended,security-and-quality - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild uses: github/codeql-action/autobuild@v2 From ae7e197e30022cb4359c3d686798ca03f042a42b Mon Sep 17 00:00:00 2001 From: Adrian Mato Date: Wed, 26 Oct 2022 19:19:46 -0700 Subject: [PATCH 231/234] add: astro icon --- icons/astro.svg | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 icons/astro.svg diff --git a/icons/astro.svg b/icons/astro.svg new file mode 100644 index 0000000..ff9dd54 --- /dev/null +++ b/icons/astro.svg @@ -0,0 +1,20 @@ + + + + + + + + + + + + + + + + + + + + From 57f76cbb16a75bd7c17ce270e67a667e0d083676 Mon Sep 17 00:00:00 2001 From: Adrian Mato Date: Wed, 26 Oct 2022 19:21:14 -0700 Subject: [PATCH 232/234] add: astro properties --- pages/properties/astro.properties.json | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 pages/properties/astro.properties.json diff --git a/pages/properties/astro.properties.json b/pages/properties/astro.properties.json new file mode 100644 index 0000000..bc7db05 --- /dev/null +++ b/pages/properties/astro.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Astro", + "description": "Deploy an Astro site.", + "iconName": "astro", + "categories": ["Pages", "Astro"] +} From 21885a7e846d33a4d2393c8916620a383e20a189 Mon Sep 17 00:00:00 2001 From: Pedro Kaj Kjellerup Nacht Date: Thu, 27 Oct 2022 13:22:19 +0000 Subject: [PATCH 233/234] Update scorecard-action to 2.0.6 --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 0e159aa..11e305f 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -37,7 +37,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@e363bfca00e752f91de7b7d2a77340e2e523cb18 # v2.0.4 + uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6 with: results_file: results.sarif results_format: sarif From 7714a42d7a7f9901b9ea6589b98c906a544beb13 Mon Sep 17 00:00:00 2001 From: Luca Casonato Date: Mon, 31 Oct 2022 14:15:11 +0100 Subject: [PATCH 234/234] Update denoland/setup-deno workflow This updates the version of the denoland/setup-deno action used in ci/deno.yml starter workflow to a version that uses node16, to remove the warning about node12 workflows being deprecated. The version updated to is the latest released version, v1.1.1: https://github.com/denoland/setup-deno/releases/tag/v1.1.1 --- ci/deno.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/deno.yml b/ci/deno.yml index 2234bf6..5ee940d 100644 --- a/ci/deno.yml +++ b/ci/deno.yml @@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. -# This workflow will install Deno then run Deno lint and test. +# This workflow will install Deno then run `deno lint` and `deno test`. # For more information see: https://github.com/denoland/setup-deno name: Deno @@ -27,7 +27,7 @@ jobs: - name: Setup Deno # uses: denoland/setup-deno@v1 - uses: denoland/setup-deno@004814556e37c54a2f6e31384c9e18e983317366 + uses: denoland/setup-deno@9db7f66e8e16b5699a514448ce994936c63f0d54 with: deno-version: v1.x @@ -39,4 +39,4 @@ jobs: run: deno lint - name: Run tests - run: deno test -A --unstable + run: deno test -A