Merge branch 'main' into soos-dast-update
@@ -5,12 +5,12 @@
|
||||
|
||||
version: 2
|
||||
updates:
|
||||
- package-ecosystem: "npm"
|
||||
- package-ecosystem: "npm"
|
||||
directory: "/"
|
||||
schedule:
|
||||
interval: "weekly"
|
||||
|
||||
- package-ecosystem: "github-actions"
|
||||
|
||||
- package-ecosystem: "github-actions"
|
||||
directory: "/"
|
||||
schedule:
|
||||
interval: "weekly"
|
||||
|
||||
@@ -26,7 +26,7 @@ It is not:
|
||||
- [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests").
|
||||
- [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build").
|
||||
- [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification.
|
||||
- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully.
|
||||
- [ ] Should specify least privileged [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully.
|
||||
|
||||
**For _CI_ workflows, the workflow:**
|
||||
|
||||
|
||||
@@ -0,0 +1,31 @@
|
||||
name: Lint
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
|
||||
pre-commit:
|
||||
name: pre-commit
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- uses: actions/setup-python@v4
|
||||
with:
|
||||
python-version: 3.8
|
||||
|
||||
- name: Cache pre-commit
|
||||
uses: actions/cache@v3
|
||||
with:
|
||||
path: ~/.cache/pre-commit
|
||||
key: pre-commit-3|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }}
|
||||
|
||||
- name: Install pre-commit
|
||||
run: pip3 install pre-commit
|
||||
|
||||
- name: Run pre-commit
|
||||
run: pre-commit run --all-files --show-diff-on-failure --color always
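Review bot: The new Lint workflow declares no `permissions:` block, so its `GITHUB_TOKEN` receives the repository's default permission set instead of the least-privilege set that the contributing checklist updated in this same commit asks every workflow to specify; the only thing the job does with the token is `actions/checkout`, so a top-level `permissions:` followed by `  contents: read` is sufficient and should be added before `on:`. The hook runner is also installed unpinned via `pip3 install pre-commit`, so the version that executes the hooks floats between runs while the hooks themselves are pinned in `.pre-commit-config.yaml`; `pip3 install pre-commit==<version>` keeps the lint result reproducible, though whether that drift matters for this repository is a judgement call. A short comment above the cache step explaining that the key is tied to the Python install location and the hook config hash (`# Cache key changes whenever the Python toolchain or the hook config changes`) would save the next maintainer a lookup.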
|
||||
@@ -0,0 +1,6 @@
|
||||
repos:
|
||||
- repo: https://github.com/pre-commit/pre-commit-hooks
|
||||
rev: v4.3.0
|
||||
hooks:
|
||||
- id: trailing-whitespace
|
||||
files: (automation/|ci/|code-scanning/|deployments/|pages/).*(yaml|yml|json)$
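Review bot: The hook repository is pinned to the tag `v4.3.0`, and pre-commit resolves `rev` as a git ref, so a moved or re-pushed tag would silently change the code that runs in CI and on every contributor's machine; pinning `rev` to the tag's commit SHA gives the same immutability the workflow files in this repository already use for third-party actions such as the Datree and Contrast steps. The `files` pattern is also unanchored — `(automation/|ci/|code-scanning/|deployments/|pages/)` matches anywhere in a path, not only at the repository root, and `(yaml|yml|json)$` does not require a dot before the extension — so `^(automation/|ci/|code-scanning/|deployments/|pages/).*\.(yaml|yml|json)$` expresses the apparent intent more tightly; this only bites if a nested directory happens to share one of those names.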
|
||||
@@ -50,3 +50,23 @@ These variables can be placed in the starter workflow and will be substituted as
|
||||
* `$default-branch`: will substitute the branch from the repository, for example `main` and `master`
|
||||
* `$protected-branches`: will substitute any protected branches from the repository
|
||||
* `$cron-daily`: will substitute a valid but random time within the day
|
||||
|
||||
## How to test templates before publishing
|
||||
|
||||
### Disable template for public
|
||||
The template author adds a `labels` array in the template's `properties.json` file with a label `preview`. This will hide the template from users, unless user uses query parameter `preview=true` in the URL.
|
||||
Example `properties.json` file:
|
||||
```json
|
||||
{
|
||||
"name": "Node.js",
|
||||
"description": "Build and test a Node.js project with npm.",
|
||||
"iconName": "nodejs",
|
||||
"categories": ["Continuous integration", "JavaScript", "npm", "React", "Angular", "Vue"],
|
||||
"labels": ["preview"]
|
||||
}
|
||||
```
|
||||
|
||||
For viewing the templates with `preview` label, provide query parameter `preview=true` to the `new workflow` page URL. Eg. `https://github.com/<owner>/<repo_name>/actions/new?preview=true`.
|
||||
|
||||
### Enable template for public
|
||||
Remove the `labels` array from `properties.json` file to publish the template to public
|
||||
|
||||
+1
-1
@@ -17,7 +17,7 @@ jobs:
|
||||
|
||||
- name: Set up GNAT toolchain
|
||||
run: >
|
||||
sudo apt-get update &&
|
||||
sudo apt-get update &&
|
||||
sudo apt-get install gnat gprbuild
|
||||
|
||||
- name: Build
|
||||
|
||||
+2
-2
@@ -31,7 +31,7 @@ jobs:
|
||||
|
||||
- name: Test
|
||||
working-directory: ${{github.workspace}}/build
|
||||
# Execute tests defined by the CMake configuration.
|
||||
# Execute tests defined by the CMake configuration.
|
||||
# See https://cmake.org/cmake/help/latest/manual/ctest.1.html for more detail
|
||||
run: ctest -C ${{env.BUILD_TYPE}}
|
||||
|
||||
|
||||
|
||||
@@ -3,10 +3,10 @@
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow lets you compile your Go project using a SLSA3 compliant builder.
|
||||
# This workflow will generate a so-called "provenance" file describing the steps
|
||||
# This workflow lets you compile your Go project using a SLSA3 compliant builder.
|
||||
# This workflow will generate a so-called "provenance" file describing the steps
|
||||
# that were performed to generate the final binary.
|
||||
# The project is an initiative of the OpenSSF (openssf.org) and is developed at
|
||||
# The project is an initiative of the OpenSSF (openssf.org) and is developed at
|
||||
# https://github.com/slsa-framework/slsa-github-generator.
|
||||
# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
|
||||
# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
|
||||
@@ -21,7 +21,7 @@ permissions: read-all
|
||||
|
||||
jobs:
|
||||
# ========================================================================================================================================
|
||||
# Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project.
|
||||
# Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project.
|
||||
# See format in https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file
|
||||
#=========================================================================================================================================
|
||||
build:
|
||||
|
||||
@@ -19,7 +19,7 @@ jobs:
|
||||
- name: Set up Go
|
||||
uses: actions/setup-go@v3
|
||||
with:
|
||||
go-version: 1.18
|
||||
go-version: 1.19
|
||||
|
||||
- name: Build
|
||||
run: go build -v ./...
|
||||
|
||||
+4
-4
@@ -13,15 +13,15 @@ jobs:
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
|
||||
- name: configure
|
||||
run: ./configure
|
||||
|
||||
|
||||
- name: Install dependencies
|
||||
run: make
|
||||
|
||||
|
||||
- name: Run check
|
||||
run: make check
|
||||
|
||||
|
||||
- name: Run distcheck
|
||||
run: make distcheck
|
||||
|
||||
+1
-1
@@ -13,7 +13,7 @@ jobs:
|
||||
strategy:
|
||||
matrix:
|
||||
node-version: [14.x, 16.x, 18.x]
|
||||
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
|
||||
+1
-1
@@ -13,7 +13,7 @@ jobs:
|
||||
strategy:
|
||||
matrix:
|
||||
node-version: [14.x, 16.x, 18.x]
|
||||
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
|
||||
+1
-1
@@ -13,7 +13,7 @@ jobs:
|
||||
strategy:
|
||||
matrix:
|
||||
node-version: [14.x, 16.x, 18.x]
|
||||
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
|
||||
@@ -3,8 +3,8 @@
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# APIsec addresses the critical need to secure APIs before they reach production.
|
||||
# APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs.
|
||||
# APIsec addresses the critical need to secure APIs before they reach production.
|
||||
# APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs.
|
||||
# Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities.
|
||||
|
||||
# How to Get Started with APIsec.ai
|
||||
@@ -50,7 +50,7 @@ jobs:
|
||||
Trigger_APIsec_scan:
|
||||
permissions:
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
|
||||
@@ -25,7 +25,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
name: Brakeman Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
||||
@@ -29,7 +29,7 @@ jobs:
|
||||
issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues
|
||||
pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
# Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional)
|
||||
|
||||
@@ -16,7 +16,7 @@ on:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
|
||||
jobs:
|
||||
clj-holmes:
|
||||
name: Run clj-holmes scanning
|
||||
@@ -24,7 +24,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read
|
||||
security-events: write
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
@@ -6,7 +6,7 @@
|
||||
# seeking for vulnerable direct/transitive dependencies and
|
||||
# build a report with all the information needed to help you
|
||||
# understand how the vulnerability manifest in your software.
|
||||
# More details at https://github.com/clj-holmes/clj-watson
|
||||
# More details at https://github.com/clj-holmes/clj-watson
|
||||
|
||||
name: clj-watson
|
||||
|
||||
@@ -29,7 +29,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read
|
||||
security-events: write
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
@@ -40,7 +40,7 @@ jobs:
|
||||
clj-watson-sha: "65d928c"
|
||||
clj-watson-tag: "v4.0.1"
|
||||
database-strategy: github-advisory
|
||||
aliases: clojure-lsp,test
|
||||
aliases: clojure-lsp,test
|
||||
deps-edn-path: deps.edn
|
||||
suggest-fix: true
|
||||
output-type: sarif
|
||||
|
||||
@@ -9,7 +9,7 @@ on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
@@ -26,7 +26,7 @@ jobs:
|
||||
- name: Clone repo
|
||||
uses: actions/checkout@v3
|
||||
|
||||
# For Terraform, Cloudrail requires the plan as input. So we generate it using
|
||||
# For Terraform, Cloudrail requires the plan as input. So we generate it using
|
||||
# the Terraform core binary.
|
||||
- uses: hashicorp/setup-terraform@v1
|
||||
with:
|
||||
@@ -53,6 +53,6 @@ jobs:
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
# Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always()
|
||||
# is needed to ensure the SARIF file is uploaded
|
||||
if: always()
|
||||
if: always()
|
||||
with:
|
||||
sarif_file: cloudrail_results.sarif
|
||||
|
||||
@@ -30,7 +30,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
name: Codacy Security Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
||||
@@ -48,11 +48,11 @@ jobs:
|
||||
# If you wish to specify custom queries, you can do so here or in a config file.
|
||||
# By default, queries listed here will override any specified in a config file.
|
||||
# Prefix the list here with "+" to use these queries and those in the config file.
|
||||
|
||||
|
||||
# Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
|
||||
# queries: security-extended,security-and-quality
|
||||
|
||||
|
||||
|
||||
# Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
|
||||
# If this step fails, then you should remove it and run the build manually (see below)
|
||||
- name: Autobuild
|
||||
@@ -61,7 +61,7 @@ jobs:
|
||||
# ℹ️ Command-line programs to run using the OS shell.
|
||||
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
|
||||
|
||||
# If the Autobuild fails above, remove it and uncomment the following three lines.
|
||||
# If the Autobuild fails above, remove it and uncomment the following three lines.
|
||||
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
|
||||
|
||||
# - run: |
|
||||
|
||||
@@ -25,7 +25,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
|
||||
@@ -8,7 +8,7 @@
|
||||
# Contrast Scan currently supports Java, JavaScript and .NET artifacts.
|
||||
# For more information about the Contrast Scan GitHub Action see here: https://github.com/Contrast-Security-OSS/contrastscan-action
|
||||
|
||||
# Pre-requisites:
|
||||
# Pre-requisites:
|
||||
# All Contrast related account secrets should be configured as GitHub secrets to be passed as inputs to the Contrast Scan Action.
|
||||
# The required secrets are CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID and CONTRAST_AUTH_HEADER.
|
||||
|
||||
@@ -30,7 +30,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout
|
||||
security-events: write # for github/codeql-action/upload-sarif
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
# check out project
|
||||
steps:
|
||||
@@ -38,7 +38,7 @@ jobs:
|
||||
# Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here.
|
||||
# -name: Build Project
|
||||
# ...
|
||||
# Scan Artifact
|
||||
# Scan Artifact
|
||||
- name: Contrast Scan Action
|
||||
uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1
|
||||
with:
|
||||
@@ -46,7 +46,7 @@ jobs:
|
||||
apiKey: ${{ secrets.CONTRAST_API_KEY }}
|
||||
orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }}
|
||||
authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }}
|
||||
#Upload the results to GitHub
|
||||
#Upload the results to GitHub
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
|
||||
@@ -0,0 +1,47 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# A sample workflow which checks out your code and scans your desired k8s config files for misconfigurations using the Datree CLI.
|
||||
# The results are then uploaded to GitHub Security Code Scanning.
|
||||
#
|
||||
# For more information and configurations options, see https://github.com/datreeio/action-datree/
|
||||
|
||||
name: Datree
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
datree:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Run Datree policy check
|
||||
continue-on-error: true
|
||||
uses: datreeio/action-datree@de67ae7a5133d719dc794e1b75682cd4c5f94d8a
|
||||
env:
|
||||
# In order to use the Datree action you will need to have a Datree token.
|
||||
# See https://hub.datree.io/setup/account-token#1-get-your-account-token-from-the-dashboard to acquire your token.
|
||||
DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }}
|
||||
with:
|
||||
# Add the path to the configuration file/s that you would like to test.
|
||||
# See https://github.com/datreeio/action-datree#usage for all available options.
|
||||
path: test-file.yaml
|
||||
# Setting a SARIF output will generate a file named "datree.sarif" containing your test results
|
||||
cliArguments: "-o sarif"
|
||||
- name: Upload result to GitHub Code Scanning
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: datree.sarif
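Review bot: The job-level `permissions` block of the new Datree workflow omits `actions: read`, which every other SARIF-uploading workflow touched in this commit carries for the benefit of private repositories; for consistency add `actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status` under `security-events: write`. Separately, `continue-on-error: true` on the scan step means that a failure which never writes `datree.sarif` — for instance when `secrets.DATREE_TOKEN` is empty, as it presumably is on pull requests from forks — surfaces only as a confusing error in the upload step rather than at the scan; a comment such as `# continue-on-error keeps policy violations from failing the job; findings are surfaced through the SARIF upload below` would make the intended failure mode explicit, and the `path: test-file.yaml` placeholder deserves a `# CHANGE ME` marker so it is not shipped as-is.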
|
||||
@@ -69,13 +69,13 @@ jobs:
|
||||
}
|
||||
}
|
||||
' 1> gh_response.json
|
||||
|
||||
|
||||
DETEKT_RELEASE_SHA=$(jq --raw-output '.data.repository.release.releaseAssets.tagCommit.oid' gh_response.json)
|
||||
if [ $DETEKT_RELEASE_SHA != "37f0a1d006977512f1f216506cd695039607c3e5" ]; then
|
||||
echo "Release tag doesn't match expected commit SHA"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
||||
DETEKT_DOWNLOAD_URL=$(jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' gh_response.json)
|
||||
echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL"
|
||||
|
||||
|
||||
@@ -27,7 +27,7 @@ jobs:
|
||||
|
||||
- name: Run DevSkim scanner
|
||||
uses: microsoft/DevSkim-Action@v1
|
||||
|
||||
|
||||
- name: Upload DevSkim scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
|
||||
@@ -25,7 +25,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read
|
||||
security-events: write
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
@@ -39,7 +39,7 @@ jobs:
|
||||
run: npx eslint .
|
||||
--config .eslintrc.js
|
||||
--ext .js,.jsx,.ts,.tsx
|
||||
--format @microsoft/eslint-formatter-sarif
|
||||
--format @microsoft/eslint-formatter-sarif
|
||||
--output-file eslint-results.sarif
|
||||
continue-on-error: true
|
||||
|
||||
|
||||
@@ -44,12 +44,12 @@ on:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
|
||||
jobs:
|
||||
Trigger_EthicalCheck:
|
||||
permissions:
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
@@ -61,9 +61,9 @@ jobs:
|
||||
# The email address to which the penetration test report will be sent.
|
||||
email: "xxx@apisec.ai"
|
||||
sarif-result-file: "ethicalcheck-results.sarif"
|
||||
|
||||
|
||||
- name: Upload sarif file to repository
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: ./ethicalcheck-results.sarif
|
||||
|
||||
|
||||
|
||||
@@ -37,7 +37,7 @@ jobs:
|
||||
# node-version: "16.x"
|
||||
|
||||
|
||||
- uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250
|
||||
- uses: jfrog/frogbot@b92e53d9631139a697cb71d9e70229a70ca56694
|
||||
env:
|
||||
# [Mandatory]
|
||||
# JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
|
||||
|
||||
@@ -42,7 +42,7 @@ jobs:
|
||||
|
||||
# The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request
|
||||
|
||||
- uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250
|
||||
- uses: jfrog/frogbot@b92e53d9631139a697cb71d9e70229a70ca56694
|
||||
env:
|
||||
# [Mandatory]
|
||||
# JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
|
||||
|
||||
@@ -27,7 +27,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
|
||||
@@ -29,7 +29,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
|
||||
@@ -9,7 +9,7 @@ on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
@@ -21,7 +21,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
|
||||
@@ -28,7 +28,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
name: Analyze
|
||||
runs-on: windows-latest
|
||||
|
||||
|
||||
@@ -50,7 +50,7 @@
|
||||
#
|
||||
# `restart_scan`
|
||||
#
|
||||
# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).<br> Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements.
|
||||
# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).<br> Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements.
|
||||
#
|
||||
# _Example:_ `restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ)`
|
||||
#
|
||||
@@ -95,7 +95,7 @@
|
||||
#
|
||||
# `hosts_filter`
|
||||
#
|
||||
# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan.
|
||||
# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan.
|
||||
#
|
||||
# Outputs
|
||||
#
|
||||
|
||||
@@ -25,7 +25,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
name: njsscan code scanning
|
||||
steps:
|
||||
|
||||
@@ -27,7 +27,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: windows-latest
|
||||
|
||||
steps:
|
||||
|
||||
@@ -2,9 +2,9 @@
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
# PHPMD is a spin-off project of PHP Depend and
|
||||
# PHPMD is a spin-off project of PHP Depend and
|
||||
# aims to be a PHP equivalent of the well known Java tool PMD.
|
||||
# What PHPMD does is: It takes a given PHP source code base
|
||||
# What PHPMD does is: It takes a given PHP source code base
|
||||
# and look for several potential problems within that source.
|
||||
# These problems can be things like:
|
||||
# Possible bugs
|
||||
@@ -34,7 +34,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
|
||||
@@ -21,7 +21,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
@@ -16,7 +16,7 @@ on:
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
@@ -25,7 +25,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
name: PSScriptAnalyzer
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
@@ -37,11 +37,11 @@ jobs:
|
||||
# Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options.
|
||||
# The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules.
|
||||
path: .\
|
||||
recurse: true
|
||||
# Include your own basic security rules. Removing this option will run all the rules
|
||||
recurse: true
|
||||
# Include your own basic security rules. Removing this option will run all the rules
|
||||
includeRule: '"PSAvoidGlobalAliases", "PSAvoidUsingConvertToSecureStringWithPlainText"'
|
||||
output: results.sarif
|
||||
|
||||
|
||||
# Upload the SARIF file generated in the previous step
|
||||
- name: Upload SARIF results file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
|
||||
@@ -29,7 +29,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
name: Run Prisma Cloud IaC Scan to check
|
||||
steps:
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Datree",
|
||||
"creator": "Datree",
|
||||
"description": "Detect misconfigurations in your Kubernetes manifests and present them in Github code scanning",
|
||||
"iconName": "datree",
|
||||
"categories": ["Code Scanning", "YAML"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "SonarQube",
|
||||
"creator": "Sonar",
|
||||
"description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start cleaning your code in minutes!",
|
||||
"iconName": "sonarqube",
|
||||
"categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"]
|
||||
}
|
||||
@@ -29,7 +29,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
# documentation.
|
||||
# rust-clippy is a tool that runs a bunch of lints to catch common
|
||||
# mistakes in your Rust code and help improve your Rust code.
|
||||
# More details at https://github.com/rust-lang/rust-clippy
|
||||
# More details at https://github.com/rust-lang/rust-clippy
|
||||
# and https://rust-lang.github.io/rust-clippy/
|
||||
|
||||
name: rust-clippy analyze
|
||||
@@ -25,7 +25,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read
|
||||
security-events: write
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
@@ -41,11 +41,11 @@ jobs:
|
||||
with:
|
||||
results_file: results.sarif
|
||||
results_format: sarif
|
||||
# (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
|
||||
# (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
|
||||
# - you want to enable the Branch-Protection check on a *public* repository, or
|
||||
# - you are installing Scorecards on a *private* repository
|
||||
# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
|
||||
# repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
|
||||
# repo_token: ${{ secrets.SCORECARD_TOKEN }}
|
||||
|
||||
# Public repositories:
|
||||
# - Publish results to OpenSSF REST API for easy access by consumers
|
||||
|
||||
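Review bot: The replacement comment asks for a "write" PAT on the still-commented `repo_token` line but does not say which scopes the token needs or that only the Scorecard action reads it, so a reader following it may mint an over-scoped classic token and leave it in place. I'd extend the comment with `# Use the narrowest PAT the linked authentication guide allows, store it only as a repository secret, and rotate it; it is read by ossf/scorecard-action alone.` and keep the existing link to the authentication instructions as the source of the exact scope. Which of the two comment/`repo_token` variants is the new side is inferred from the hunk (each is printed twice without a marker), and the `with:` block this belongs to starts outside the hunk.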
@@ -24,11 +24,11 @@ jobs:
|
||||
- uses: actions/checkout@v3
|
||||
- uses: nuget/setup-nuget@04b0c2b8d1b97922f67eca497d7cf0bf17b8ffe1
|
||||
- uses: microsoft/setup-msbuild@v1.0.2
|
||||
|
||||
|
||||
- name: Set up projects for analysis
|
||||
uses: security-code-scan/security-code-scan-add-action@f8ff4f2763ed6f229eded80b1f9af82ae7f32a0d
|
||||
|
||||
- name: Restore dependencies
|
||||
|
||||
- name: Restore dependencies
|
||||
run: dotnet restore
|
||||
|
||||
- name: Build
|
||||
|
||||
@@ -27,7 +27,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
name: Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
||||
@@ -30,7 +30,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
@@ -29,7 +29,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
@@ -16,7 +16,7 @@ on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
@@ -28,11 +28,11 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- uses: actions/checkout@v3
|
||||
- id: run-action
|
||||
uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912
|
||||
- name: Upload report
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow helps you trigger a SonarCloud analysis of your code and populates
|
||||
# This workflow helps you trigger a SonarCloud analysis of your code and populates
|
||||
# GitHub Code Scanning alerts with the vulnerabilities found.
|
||||
# Free for open source project.
|
||||
|
||||
@@ -11,16 +11,16 @@
|
||||
|
||||
# 2. Import your project on SonarCloud
|
||||
# * Add your GitHub organization first, then add your repository as a new project.
|
||||
# * Please note that many languages are eligible for automatic analysis,
|
||||
# * Please note that many languages are eligible for automatic analysis,
|
||||
# which means that the analysis will start automatically without the need to set up GitHub Actions.
|
||||
# * This behavior can be changed in Administration > Analysis Method.
|
||||
#
|
||||
#
|
||||
# 3. Follow the SonarCloud in-product tutorial
|
||||
# * a. Copy/paste the Project Key and the Organization Key into the args parameter below
|
||||
# (You'll find this information in SonarCloud. Click on "Information" at the bottom left)
|
||||
#
|
||||
# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN
|
||||
# (On SonarCloud, click on your avatar on top-right > My account > Security
|
||||
# (On SonarCloud, click on your avatar on top-right > My account > Security
|
||||
# or go directly to https://sonarcloud.io/account/security/)
|
||||
|
||||
# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/)
|
||||
@@ -41,9 +41,9 @@ permissions:
|
||||
jobs:
|
||||
Analysis:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
|
||||
steps:
|
||||
- name: Analyze with SonarCloud
|
||||
- name: Analyze with SonarCloud
|
||||
|
||||
# You can pin the exact commit or the version.
|
||||
# uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
|
||||
@@ -53,7 +53,7 @@ jobs:
|
||||
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
|
||||
with:
|
||||
# Additional arguments for the sonarcloud scanner
|
||||
args:
|
||||
args:
|
||||
# Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu)
|
||||
# mandatory
|
||||
-Dsonar.projectKey=
|
||||
@@ -65,4 +65,4 @@ jobs:
|
||||
# Comma-separated paths to directories containing test source files.
|
||||
#-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
|
||||
# Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
|
||||
#-Dsonar.verbose= # optional, default is false
|
||||
#-Dsonar.verbose= # optional, default is false
|
||||
|
||||
@@ -0,0 +1,66 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow helps you trigger a SonarQube analysis of your code and populates
|
||||
# GitHub Code Scanning alerts with the vulnerabilities found.
|
||||
# (this feature is available starting from SonarQube 9.7, Developer Edition and above)
|
||||
|
||||
# 1. Make sure you add a valid GitHub configuration to your SonarQube (Administration > DevOps platforms > GitHub)
|
||||
|
||||
# 2. Import your project on SonarQube
|
||||
# * Add your repository as a new project by clicking "Create project" from your homepage.
|
||||
#
|
||||
# 3. Select GitHub Actions as your CI and follow the tutorial
|
||||
# * a. Generate a new token and add it to your GitHub repository's secrets using the name SONAR_TOKEN
|
||||
# (On SonarQube, click on your avatar on top-right > My account > Security or ask your administrator)
|
||||
#
|
||||
# * b. Copy/paste your SonarQube host URL to your GitHub repository's secrets using the name SONAR_HOST_URL
|
||||
#
|
||||
# * c. Copy/paste the project Key into the args parameter below
|
||||
# (You'll find this information in SonarQube by following the tutorial or by clicking on Project Information at the top-right of your project's homepage)
|
||||
|
||||
# Feel free to take a look at our documentation (https://docs.sonarqube.org/latest/analysis/github-integration/)
|
||||
# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/sq/10)
|
||||
|
||||
name: SonarQube analysis
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
pull-requests: read # allows SonarQube to decorate PRs with analysis results
|
||||
|
||||
jobs:
|
||||
Analysis:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: Analyze with SonarQube
|
||||
|
||||
# You can pin the exact commit or the version.
|
||||
# uses: SonarSource/sonarqube-scan-action@v1.1.0
|
||||
uses: SonarSource/sonarqube-scan-action@7295e71c9583053f5bf40e9d4068a0c974603ec8
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
|
||||
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on SonarQube, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
|
||||
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # add the URL of your instance to the secrets of this repo with the name SONAR_HOST_URL (Settings > Secrets > Actions > add new repository secret)
|
||||
with:
|
||||
# Additional arguments for the sonarcloud scanner
|
||||
args:
|
||||
# Unique key of your project. You can find it in SonarQube > [my project] > Project Information (top-right menu)
|
||||
# mandatory
|
||||
-Dsonar.projectKey=
|
||||
# Comma-separated paths to directories containing main source files.
|
||||
#-Dsonar.sources= # optional, default is project base directory
|
||||
# When you need the analysis to take place in a directory other than the one from which it was launched
|
||||
#-Dsonar.projectBaseDir= # optional, default is .
|
||||
# Comma-separated paths to directories containing test source files.
|
||||
#-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
|
||||
# Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
|
||||
#-Dsonar.verbose= # optional, default is false
|
||||
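Review bot: The new workflow has no checkout step — `steps:` goes straight to `Analyze with SonarQube` — and the top-level `permissions:` block grants only `pull-requests: read`, which leaves `contents` at none; unless `SonarSource/sonarqube-scan-action` fetches the sources itself (not visible here), the scanner has nothing to analyze. I'd add `contents: read` next to `pull-requests: read` and an `actions/checkout@v3` step ahead of the analysis step; the `fetch-depth: 0` below is the usual recommendation for Sonar analysis on shallow-clone runners and should be confirmed against the action's README. Two comment nits in the same file: `# Additional arguments for the sonarcloud scanner` should read `SonarQube scanner`, and the `-Dsonar.tests=` comment links docs.sonarcloud.io rather than the SonarQube documentation linked at the top of the file.
```yaml
permissions:
  pull-requests: read # allows SonarQube to decorate PRs with analysis results
  contents: read      # for actions/checkout to fetch the sources the scanner analyzes

# … unchanged: jobs / Analysis / runs-on …
    steps:
      - name: Checkout sources
        uses: actions/checkout@v3
        with:
          fetch-depth: 0 # full history for the analysis; confirm against the scan action's README
      - name: Analyze with SonarQube
# … unchanged: uses / env / with of the analysis step …
```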
@@ -12,7 +12,7 @@
|
||||
#
|
||||
# 2. Navigate to the "Integrate" page in the SOOS app (https://app.soos.io/integrate). Note the "API Credentials" section of this page; the keys you will need for the next step are here.
|
||||
#
|
||||
# 3. Set up your SOOS API Key and SOOS Client Id as Github Secrets named SOOS_API_KEY and SOOS_CLIENT_ID.
|
||||
# 3. Set up your SOOS API Key and SOOS Client Id as Github Secrets named SOOS_API_KEY and SOOS_CLIENT_ID.
|
||||
#
|
||||
# 4. (Optional) If you'd like to upload SARIF results of DAST scans to GitHub, set SOOS_GITHUB_PAT with your Github Personal Access Token.
|
||||
#
|
||||
@@ -29,7 +29,7 @@ jobs:
|
||||
soos:
|
||||
permissions:
|
||||
security-events: write # for uploading code scanning alert info
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
name: SOOS DAST Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
||||
@@ -22,11 +22,11 @@ jobs:
|
||||
actions: read
|
||||
contents: read
|
||||
security-events: write
|
||||
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v3
|
||||
|
||||
|
||||
- name: Synopsys Intelligent Security Scan
|
||||
id: prescription
|
||||
uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08
|
||||
@@ -36,7 +36,7 @@ jobs:
|
||||
workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}}
|
||||
additionalWorkflowArgs: --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}}
|
||||
stage: "IO"
|
||||
|
||||
|
||||
# Please note that the ID in previous step was set to prescription
|
||||
# in order for this logic to work also make sure that POLARIS_ACCESS_TOKEN
|
||||
# is defined in settings
|
||||
@@ -48,7 +48,7 @@ jobs:
|
||||
wget -q ${{ secrets.POLARIS_SERVER_URL}}/api/tools/polaris_cli-linux64.zip
|
||||
unzip -j polaris_cli-linux64.zip -d /tmp
|
||||
/tmp/polaris analyze -w
|
||||
|
||||
|
||||
# Please note that the ID in previous step was set to prescription
|
||||
# in order for this logic to work
|
||||
- name: Software Composition Analysis with Black Duck
|
||||
@@ -56,7 +56,7 @@ jobs:
|
||||
uses: blackducksoftware/github-action@9ea442b34409737f64743781e9adc71fd8e17d38
|
||||
with:
|
||||
args: '--blackduck.url="${{ secrets.BLACKDUCK_URL}}" --blackduck.api.token="${{ secrets.BLACKDUCK_TOKEN}}" --detect.tools="SIGNATURE_SCAN,DETECTOR"'
|
||||
|
||||
|
||||
- name: Synopsys Intelligent Security Scan
|
||||
if: ${{ steps.prescription.outputs.sastScan == 'true' || steps.prescription.outputs.scaScan == 'true' }}
|
||||
uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08
|
||||
@@ -64,11 +64,11 @@ jobs:
|
||||
ioServerUrl: ${{secrets.IO_SERVER_URL}}
|
||||
ioServerToken: ${{secrets.IO_SERVER_TOKEN}}
|
||||
workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}}
|
||||
additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}}
|
||||
--polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}}
|
||||
additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}}
|
||||
--polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}}
|
||||
--blackduck.project.name={{PROJECT_NAME}}:{{PROJECT_VERSION}} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}}
|
||||
stage: "WORKFLOW"
|
||||
|
||||
|
||||
- name: Upload SARIF file
|
||||
if: ${{steps.prescription.outputs.sastScan == 'true' }}
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
|
||||
@@ -24,7 +24,7 @@ jobs:
|
||||
checks: write # for sysdiglabs/scan-action to publish the checks
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
@@ -39,7 +39,7 @@ jobs:
|
||||
id: scan
|
||||
uses: sysdiglabs/scan-action@768d7626a14897e0948ea89c8437dd46a814b163
|
||||
with:
|
||||
# Tag of the image to analyse.
|
||||
# Tag of the image to analyse.
|
||||
# Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag above
|
||||
image-tag: ${{ github.repository }}:latest
|
||||
# API token for Sysdig Scanning auth
|
||||
@@ -47,7 +47,7 @@ jobs:
|
||||
# Sysdig secure endpoint. Please read: https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/
|
||||
# US-East https://secure.sysdig.com
|
||||
# US-West https://us2.app.sysdig.com
|
||||
# EU https://eu1.app.sysdig.com
|
||||
# EU https://eu1.app.sysdig.com
|
||||
sysdig-secure-url: https://us2.app.sysdig.com
|
||||
dockerfile-path: ./Dockerfile
|
||||
input-type: docker-daemon
|
||||
|
||||
@@ -9,7 +9,7 @@ on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
@@ -29,10 +29,10 @@ jobs:
|
||||
- name: Run tfsec
|
||||
uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f
|
||||
with:
|
||||
sarif_file: tfsec.sarif
|
||||
sarif_file: tfsec.sarif
|
||||
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
# Path to SARIF file relative to the root of the repository
|
||||
sarif_file: tfsec.sarif
|
||||
sarif_file: tfsec.sarif
|
||||
|
||||
@@ -22,7 +22,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
name: Build
|
||||
runs-on: "ubuntu-18.04"
|
||||
steps:
|
||||
|
||||
@@ -27,7 +27,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
||||
|
||||
@@ -51,7 +51,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
|
||||
@@ -3,16 +3,16 @@
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
#
|
||||
# The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android)
|
||||
# The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android)
|
||||
# and identifies security, privacy, and compliance-related vulnerabilities.
|
||||
#
|
||||
# Prerequisites:
|
||||
# Prerequisites:
|
||||
# * An active Zimperium zScan account is required. If you are not an existing Zimperium
|
||||
# zScan customer, please request a zSCAN demo by visiting https://www.zimperium.com/contact-us.
|
||||
# * Either GitHub Advanced Security (GHAS) or a public repository is required to display
|
||||
# issues and view the remediation information inside of GitHub code scanning alerts.
|
||||
# * Either GitHub Advanced Security (GHAS) or a public repository is required to display
|
||||
# issues and view the remediation information inside of GitHub code scanning alerts.
|
||||
#
|
||||
# For additional information and setup instructions
|
||||
# For additional information and setup instructions
|
||||
# please visit: https://github.com/Zimperium/zScanMarketplace#readme
|
||||
|
||||
name: "Zimperium zScan"
|
||||
@@ -33,7 +33,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v3
|
||||
@@ -58,4 +58,3 @@ jobs:
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: Zimperium.sarif
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
#
|
||||
# To use this workflow, you will need to complete the following set-up steps:
|
||||
#
|
||||
# 1. Create an ACR repository to store your container images.
|
||||
# 1. Create an ACR repository to store your container images.
|
||||
# You can use ACR EE instance for more security and better performance.
|
||||
# For instructions see https://www.alibabacloud.com/help/doc-detail/142168.htm
|
||||
#
|
||||
@@ -14,7 +14,7 @@
|
||||
# 3. Store your AccessKey pair in GitHub Actions secrets named `ACCESS_KEY_ID` and `ACCESS_KEY_SECRET`.
|
||||
# For instructions on setting up secrets see: https://developer.github.com/actions/managing-workflows/storing-secrets/
|
||||
#
|
||||
# 4. Change the values for the REGION_ID, REGISTRY, NAMESPACE, IMAGE, ACK_CLUSTER_ID, and ACK_DEPLOYMENT_NAME.
|
||||
# 4. Change the values for the REGION_ID, REGISTRY, NAMESPACE, IMAGE, ACK_CLUSTER_ID, and ACK_DEPLOYMENT_NAME.
|
||||
#
|
||||
|
||||
name: Build and Deploy to ACK
|
||||
@@ -46,12 +46,12 @@ jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
environment: production
|
||||
|
||||
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
|
||||
# 1.1 Login to ACR
|
||||
|
||||
# 1.1 Login to ACR
|
||||
- name: Login to ACR with the AccessKey pair
|
||||
uses: aliyun/acr-login@v1
|
||||
with:
|
||||
@@ -59,13 +59,13 @@ jobs:
|
||||
access-key-id: "${{ secrets.ACCESS_KEY_ID }}"
|
||||
access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
|
||||
|
||||
# 1.2 Buid and push image to ACR
|
||||
- name: Build and push image to ACR
|
||||
# 1.2 Buid and push image to ACR
|
||||
- name: Build and push image to ACR
|
||||
run: |
|
||||
docker build --tag "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" .
|
||||
docker push "$REGISTRY/$NAMESPACE/$IMAGE:$TAG"
|
||||
|
||||
# 1.3 Scan image in ACR
|
||||
docker build --tag "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" .
|
||||
docker push "$REGISTRY/$NAMESPACE/$IMAGE:$TAG"
|
||||
|
||||
# 1.3 Scan image in ACR
|
||||
- name: Scan image in ACR
|
||||
uses: aliyun/acr-scan@v1
|
||||
with:
|
||||
@@ -75,7 +75,7 @@ jobs:
|
||||
repository: "${{ env.NAMESPACE }}/${{ env.IMAGE }}"
|
||||
tag: "${{ env.TAG }}"
|
||||
|
||||
# 2.1 (Optional) Login to ACR EE
|
||||
# 2.1 (Optional) Login to ACR EE
|
||||
- uses: actions/checkout@v3
|
||||
- name: Login to ACR EE with the AccessKey pair
|
||||
uses: aliyun/acr-login@v1
|
||||
@@ -86,12 +86,12 @@ jobs:
|
||||
access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
|
||||
instance-id: "${{ env.ACR_EE_INSTANCE_ID }}"
|
||||
|
||||
# 2.2 (Optional) Build and push image ACR EE
|
||||
- name: Build and push image to ACR EE
|
||||
# 2.2 (Optional) Build and push image ACR EE
|
||||
- name: Build and push image to ACR EE
|
||||
run: |
|
||||
docker build -t "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG" .
|
||||
docker push "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG"
|
||||
# 2.3 (Optional) Scan image in ACR EE
|
||||
# 2.3 (Optional) Scan image in ACR EE
|
||||
- name: Scan image in ACR EE
|
||||
uses: aliyun/acr-scan@v1
|
||||
with:
|
||||
@@ -102,7 +102,7 @@ jobs:
|
||||
repository: "${{ env.ACR_EE_NAMESPACE}}/${{ env.ACR_EE_IMAGE }}"
|
||||
tag: "${{ env.ACR_EE_TAG }}"
|
||||
|
||||
# 3.1 Set ACK context
|
||||
# 3.1 Set ACK context
|
||||
- name: Set K8s context
|
||||
uses: aliyun/ack-set-context@v1
|
||||
with:
|
||||
|
||||
+1
-1
@@ -75,7 +75,7 @@ jobs:
|
||||
# be deployed to ECS.
|
||||
docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
|
||||
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
|
||||
echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
|
||||
echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Fill in the new image ID in the Amazon ECS task definition
|
||||
id: task-def
|
||||
|
||||
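Review bot: The new output line redirects into an unquoted `$GITHUB_OUTPUT`; GitHub's own examples quote it, and an unquoted path is subject to word splitting, so prefer `echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> "$GITHUB_OUTPUT"`. The same unquoted redirect recurs in the `detect-package-manager` steps of the two later sections (hunks `@@ -38,14 +38,14 @@` and `@@ -39,12 +39,12 @@`). Which of the two echo lines is the new side is inferred (`::set-output` is the deprecated form). The `run:` step and the definition of `$IMAGE_TAG` start outside the hunk; because the value lands in a key=value file, it should stay a value the workflow itself controls, such as the commit SHA, rather than free-form text.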
@@ -11,7 +11,7 @@
|
||||
# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret.
|
||||
# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret
|
||||
#
|
||||
# 3. Create a GitHub Personal access token with "repo" and "read:packages" permissions.
|
||||
# 3. Create a GitHub Personal access token with "repo" and "read:packages" permissions.
|
||||
#
|
||||
# 4. Create three app settings on your Azure Web app:
|
||||
# DOCKER_REGISTRY_SERVER_URL: Set this to "https://ghcr.io"
|
||||
|
||||
@@ -43,7 +43,7 @@ jobs:
|
||||
uses: actions/setup-dotnet@v2
|
||||
with:
|
||||
dotnet-version: ${{ env.DOTNET_VERSION }}
|
||||
|
||||
|
||||
- name: Set up dependency caching for faster builds
|
||||
uses: actions/cache@v3
|
||||
with:
|
||||
|
||||
@@ -63,7 +63,7 @@ jobs:
|
||||
environment:
|
||||
name: 'Development'
|
||||
url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
|
||||
|
||||
|
||||
steps:
|
||||
- name: Download artifact from build job
|
||||
uses: actions/download-artifact@v3
|
||||
|
||||
@@ -70,7 +70,7 @@ jobs:
|
||||
name: node-app
|
||||
|
||||
- name: 'Deploy to Azure WebApp'
|
||||
id: deploy-to-webapp
|
||||
id: deploy-to-webapp
|
||||
uses: azure/webapps-deploy@v2
|
||||
with:
|
||||
app-name: ${{ env.AZURE_WEBAPP_NAME }}
|
||||
|
||||
@@ -51,15 +51,15 @@ jobs:
|
||||
|
||||
- name: Install dependencies
|
||||
run: pip install -r requirements.txt
|
||||
|
||||
|
||||
# Optional: Add step to run tests here (PyTest, Django test suites, etc.)
|
||||
|
||||
|
||||
- name: Upload artifact for deployment jobs
|
||||
uses: actions/upload-artifact@v3
|
||||
with:
|
||||
name: python-app
|
||||
path: |
|
||||
.
|
||||
.
|
||||
!venv/
|
||||
|
||||
deploy:
|
||||
@@ -77,7 +77,7 @@ jobs:
|
||||
with:
|
||||
name: python-app
|
||||
path: .
|
||||
|
||||
|
||||
- name: 'Deploy to Azure Web App'
|
||||
id: deploy-to-webapp
|
||||
uses: azure/webapps-deploy@v2
|
||||
|
||||
@@ -2,12 +2,12 @@
|
||||
#
|
||||
# To configure this workflow:
|
||||
#
|
||||
# 1. Ensure that your repository contains the necessary configuration for your Tencent Kubernetes Engine cluster,
|
||||
# 1. Ensure that your repository contains the necessary configuration for your Tencent Kubernetes Engine cluster,
|
||||
# including deployment.yml, kustomization.yml, service.yml, etc.
|
||||
#
|
||||
# 2. Set up secrets in your workspace:
|
||||
# 2. Set up secrets in your workspace:
|
||||
# - TENCENT_CLOUD_SECRET_ID with Tencent Cloud secret id
|
||||
# - TENCENT_CLOUD_SECRET_KEY with Tencent Cloud secret key
|
||||
# - TENCENT_CLOUD_SECRET_KEY with Tencent Cloud secret key
|
||||
# - TENCENT_CLOUD_ACCOUNT_ID with Tencent Cloud account id
|
||||
# - TKE_REGISTRY_PASSWORD with TKE registry password
|
||||
#
|
||||
@@ -38,10 +38,10 @@ jobs:
|
||||
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
|
||||
|
||||
# Build
|
||||
- name: Build Docker image
|
||||
run: |
|
||||
run: |
|
||||
docker build -t ${TKE_IMAGE_URL}:${GITHUB_SHA} .
|
||||
|
||||
- name: Login TKE Registry
|
||||
@@ -65,7 +65,7 @@ jobs:
|
||||
secret_key: ${{ secrets.TENCENT_CLOUD_SECRET_KEY }}
|
||||
tke_region: ${{ env.TKE_REGION }}
|
||||
cluster_id: ${{ env.TKE_CLUSTER_ID }}
|
||||
|
||||
|
||||
- name: Switch to TKE context
|
||||
run: |
|
||||
kubectl config use-context ${TKE_CLUSTER_ID}-context-default
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 85 100"><defs><style>.cls-1{fill:#05ccc2;}.cls-1,.cls-2{fill-rule:evenodd;}.cls-2{fill:#00141e;}</style></defs><path class="cls-1" d="M59.2,45.29,49,55.47a12.15,12.15,0,0,0-1.67,2.06,12.63,12.63,0,0,0-1.22,2.37,14.44,14.44,0,0,0-.71,2.56,15.69,15.69,0,0,0-.24,2.77V88.38h5.45V65.23a10,10,0,0,1,.14-1.76,8.39,8.39,0,0,1,.44-1.6,6.59,6.59,0,0,1,.7-1.34,7.22,7.22,0,0,1,1-1.19L63.07,49.16Z"/><path class="cls-1" d="M73.4,31.89a8,8,0,0,0-1.72-2.57l-16-16a7.95,7.95,0,0,0-11.24,0l-1.82,1.83L19.16,38.66,23,42.53,46.52,19.05l1.83-1.83a2.44,2.44,0,0,1,.79-.53,2.64,2.64,0,0,1,1-.19,2.6,2.6,0,0,1,.95.19,2.48,2.48,0,0,1,.8.53l16,16a2.59,2.59,0,0,1,.53.8,2.64,2.64,0,0,1,.19.95,2.5,2.5,0,0,1-.72,1.75L66,38.51l-.15.15L62,42.53l3.88,3.87,5.84-5.84A8,8,0,0,0,73.4,38a8.19,8.19,0,0,0,.6-3v-.1A8.19,8.19,0,0,0,73.4,31.89Z"/><path class="cls-1" d="M16.66,51.07a2.54,2.54,0,0,1-.19-.94v-.21h0a2.23,2.23,0,0,1,.15-.63h0l-4-4a7.81,7.81,0,0,0-1,1.78,8.16,8.16,0,0,0-.6,2.84h0v.21a7.89,7.89,0,0,0,2.31,5.61L30.54,73V65.21L17.2,51.87A2.46,2.46,0,0,1,16.66,51.07Z"/><path class="cls-2" 
d="M69.71,42.53l.15.15,1.82,1.83A7.9,7.9,0,0,1,74,49.92h0v.21a8,8,0,0,1-.6,3,7.67,7.67,0,0,1-1.71,2.56L54.48,73V65.21L67.81,51.87a2.46,2.46,0,0,0,.54-.8,2.36,2.36,0,0,0,.19-.94v-.21h0a2.29,2.29,0,0,0-.18-.74,2.33,2.33,0,0,0-.53-.8L66,46.55l-4.17-4.17L45.21,25.78l3.87-3.87,16.61,16.6.15.15h0ZM11,34.89V35a8.19,8.19,0,0,0,.6,3,8,8,0,0,0,1.72,2.57L32.1,59.34a7.22,7.22,0,0,1,1,1.19,6.59,6.59,0,0,1,.7,1.34,9.19,9.19,0,0,1,.44,1.6,10,10,0,0,1,.14,1.76V88.38H39.8V65.23a15.69,15.69,0,0,0-.24-2.77,14.44,14.44,0,0,0-.71-2.56,12.63,12.63,0,0,0-1.22-2.37A12.15,12.15,0,0,0,36,55.47L23.19,42.68,23,42.53l-3.87-3.87L19,38.51l-1.83-1.82a2.5,2.5,0,0,1-.72-1.75,2.64,2.64,0,0,1,.19-.95,2.59,2.59,0,0,1,.53-.8l16-16a2.48,2.48,0,0,1,.8-.53,2.6,2.6,0,0,1,.95-.19,2.64,2.64,0,0,1,1,.19,2.44,2.44,0,0,1,.79.53l1.83,1.83.15.15,4-4-.15.15-.15-.15-1.82-1.83a7.95,7.95,0,0,0-11.24,0l-16,16a8,8,0,0,0-1.72,2.57A8.19,8.19,0,0,0,11,34.89Z"/><path class="cls-2" d="M69.71,42.53l.15.15,1.82,1.83A7.9,7.9,0,0,1,74,49.92h0v.21a8,8,0,0,1-.6,3,7.67,7.67,0,0,1-1.71,2.56L54.48,73V65.21L67.81,51.87a2.46,2.46,0,0,0,.54-.8,2.36,2.36,0,0,0,.19-.94v-.21h0a2.29,2.29,0,0,0-.18-.74,2.33,2.33,0,0,0-.53-.8L66,46.55l-4.17-4.17L45.21,25.78l3.87-3.87,16.61,16.6.15.15h0Z"/></svg>
|
||||
|
@@ -0,0 +1 @@
|
||||
<svg id="Calque_1" data-name="Calque 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><defs><style>.cls-1{fill:#549dd0;}</style></defs><title>SonarQube icon</title><g id="Illustration_5" data-name="Illustration 5"><path class="cls-1" d="M408.78,448.09H386.5c0-179.36-148-325.28-329.91-325.28V100.53C250.79,100.53,408.78,256.44,408.78,448.09Z"/><path class="cls-1" d="M424.18,328.48C397.43,216,306.27,122,192,89.2l5.12-17.84C317.73,106,414,205.23,442.24,324.19Z"/><path class="cls-1" d="M441.31,222.87c-27.55-60.08-74.49-112.46-132.17-147.51l7.72-12.7c60.19,36.58,109.18,91.27,138,154Z"/></g></svg>
|
||||
|
+19
-8
@@ -38,14 +38,14 @@ jobs:
|
||||
id: detect-package-manager
|
||||
run: |
|
||||
if [ -f "${{ github.workspace }}/yarn.lock" ]; then
|
||||
echo "::set-output name=manager::yarn"
|
||||
echo "::set-output name=command::install"
|
||||
echo "::set-output name=runner::yarn"
|
||||
echo "manager=yarn" >> $GITHUB_OUTPUT
|
||||
echo "command=install" >> $GITHUB_OUTPUT
|
||||
echo "runner=yarn" >> $GITHUB_OUTPUT
|
||||
exit 0
|
||||
elif [ -f "${{ github.workspace }}/package.json" ]; then
|
||||
echo "::set-output name=manager::npm"
|
||||
echo "::set-output name=command::ci"
|
||||
echo "::set-output name=runner::npx --no-install"
|
||||
echo "manager=npm" >> $GITHUB_OUTPUT
|
||||
echo "command=ci" >> $GITHUB_OUTPUT
|
||||
echo "runner=npx --no-install" >> $GITHUB_OUTPUT
|
||||
exit 0
|
||||
else
|
||||
echo "Unable to determine packager manager"
|
||||
@@ -57,9 +57,20 @@ jobs:
|
||||
node-version: "16"
|
||||
cache: ${{ steps.detect-package-manager.outputs.manager }}
|
||||
cache-dependency-path: ${{ env.BUILD_PATH }}/package-lock.json
|
||||
- run: npm install && npm run build
|
||||
- name: Setup Pages
|
||||
id: pages
|
||||
uses: actions/configure-pages@v2
|
||||
- name: Install dependencies
|
||||
run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }}
|
||||
working-directory: ${{ env.BUILD_PATH }}
|
||||
- uses: actions/upload-pages-artifact@v1
|
||||
- name: Build with Astro
|
||||
run: |
|
||||
${{ steps.detect-package-manager.outputs.runner }} astro build \
|
||||
--site "${{ steps.pages.outputs.origin }}" \
|
||||
--base "${{ steps.pages.outputs.base_path }}"
|
||||
working-directory: ${{ env.BUILD_PATH }}
|
||||
- name: Upload artifact
|
||||
uses: actions/upload-pages-artifact@v1
|
||||
with:
|
||||
path: ${{ env.BUILD_PATH }}/dist
|
||||
|
||||
|
||||
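Review bot: The Build with Astro step expands `${{ steps.pages.outputs.origin }}` and `${{ steps.pages.outputs.base_path }}` directly inside the `run:` script; these values come from the repository's Pages configuration so the exposure here is low, but expression interpolation inside a shell body is the pattern that turns any later switch to a less trusted source into script injection, and passing them through `env:` with quoted variables keeps the script static. The runner output can be routed the same way, left unquoted on purpose because `npx --no-install` must word-split. In the detect-package-manager hunk the new redirects `>> $GITHUB_OUTPUT` are unquoted; `>> "$GITHUB_OUTPUT"` is the form shellcheck expects, and the same lines appear in the three file sections that follow. The job definition continues outside both hunks.
```yaml
      - name: Build with Astro
        env:
          RUNNER: ${{ steps.detect-package-manager.outputs.runner }}
          SITE_ORIGIN: ${{ steps.pages.outputs.origin }}
          BASE_PATH: ${{ steps.pages.outputs.base_path }}
        run: |
          # $RUNNER is intentionally unquoted: "npx --no-install" is two words
          $RUNNER astro build --site "$SITE_ORIGIN" --base "$BASE_PATH"
        working-directory: ${{ env.BUILD_PATH }}
      # … unchanged: Upload artifact step …
```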
+5
-5
@@ -39,12 +39,12 @@ jobs:
|
||||
id: detect-package-manager
|
||||
run: |
|
||||
if [ -f "${{ github.workspace }}/yarn.lock" ]; then
|
||||
echo "::set-output name=manager::yarn"
|
||||
echo "::set-output name=command::install"
|
||||
echo "manager=yarn" >> $GITHUB_OUTPUT
|
||||
echo "command=install" >> $GITHUB_OUTPUT
|
||||
exit 0
|
||||
elif [ -f "${{ github.workspace }}/package.json" ]; then
|
||||
echo "::set-output name=manager::npm"
|
||||
echo "::set-output name=command::ci"
|
||||
echo "manager=npm" >> $GITHUB_OUTPUT
|
||||
echo "command=ci" >> $GITHUB_OUTPUT
|
||||
exit 0
|
||||
else
|
||||
echo "Unable to determine packager manager"
|
||||
@@ -53,7 +53,7 @@ jobs:
|
||||
- name: Setup Node
|
||||
uses: actions/setup-node@v3
|
||||
with:
|
||||
node-version: "16"
|
||||
node-version: "18"
|
||||
cache: ${{ steps.detect-package-manager.outputs.manager }}
|
||||
- name: Setup Pages
|
||||
id: pages
|
||||
|
||||
+6
-6
@@ -34,14 +34,14 @@ jobs:
|
||||
id: detect-package-manager
|
||||
run: |
|
||||
if [ -f "${{ github.workspace }}/yarn.lock" ]; then
|
||||
echo "::set-output name=manager::yarn"
|
||||
echo "::set-output name=command::install"
|
||||
echo "::set-output name=runner::yarn"
|
||||
echo "manager=yarn" >> $GITHUB_OUTPUT
|
||||
echo "command=install" >> $GITHUB_OUTPUT
|
||||
echo "runner=yarn" >> $GITHUB_OUTPUT
|
||||
exit 0
|
||||
elif [ -f "${{ github.workspace }}/package.json" ]; then
|
||||
echo "::set-output name=manager::npm"
|
||||
echo "::set-output name=command::ci"
|
||||
echo "::set-output name=runner::npx --no-install"
|
||||
echo "manager=npm" >> $GITHUB_OUTPUT
|
||||
echo "command=ci" >> $GITHUB_OUTPUT
|
||||
echo "runner=npx --no-install" >> $GITHUB_OUTPUT
|
||||
exit 0
|
||||
else
|
||||
echo "Unable to determine packager manager"
|
||||
|
||||
+4
-4
@@ -34,12 +34,12 @@ jobs:
|
||||
id: detect-package-manager
|
||||
run: |
|
||||
if [ -f "${{ github.workspace }}/yarn.lock" ]; then
|
||||
echo "::set-output name=manager::yarn"
|
||||
echo "::set-output name=command::install"
|
||||
echo "manager=yarn" >> $GITHUB_OUTPUT
|
||||
echo "command=install" >> $GITHUB_OUTPUT
|
||||
exit 0
|
||||
elif [ -f "${{ github.workspace }}/package.json" ]; then
|
||||
echo "::set-output name=manager::npm"
|
||||
echo "::set-output name=command::ci"
|
||||
echo "manager=npm" >> $GITHUB_OUTPUT
|
||||
echo "command=ci" >> $GITHUB_OUTPUT
|
||||
exit 0
|
||||
else
|
||||
echo "Unable to determine packager manager"
|
||||
|
||||
@@ -61,7 +61,7 @@ async function checkWorkflows(
|
||||
|
||||
const enabled =
|
||||
!isPartnerWorkflow &&
|
||||
(workflowProperties.enterprise === true || folder !== 'code-scanning') &&
|
||||
(workflowProperties.enterprise === true || basename(folder) !== 'code-scanning') &&
|
||||
(await checkWorkflow(workflowFilePath, enabledActions));
|
||||
|
||||
const workflowDesc: WorkflowDesc = {
|
||||
|
||||
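Review bot: The new `basename(folder) !== 'code-scanning'` test carries no explanation of why non-enterprise workflows in that folder are disabled; a one-line comment above `const enabled =` such as `// workflows under code-scanning/ are disabled unless the properties file sets enterprise: true` (wording to be confirmed against the intent) would save the next reader from reverse-engineering the condition. `basename` is presumably `path.basename` from `node:path`; its import is outside the hunk and worth confirming, since a same-named local helper would change what "folder name" means here. Note that only the leaf segment is compared now, so if nested directories under `code-scanning/` ever exist they would no longer be excluded. The enclosing `checkWorkflows` function starts and ends outside the hunk.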