From f263f7e886286af4c6edcb21f2fb4b2d45846a07 Mon Sep 17 00:00:00 2001 From: Jamie McCarthy Date: Mon, 12 Feb 2024 06:56:37 -0600 Subject: [PATCH 001/104] Run ci/rubyonrails with bundle exec --- ci/rubyonrails.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index 20ff014..dba16cb 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -51,8 +51,8 @@ jobs: bundler-cache: true # Add or replace any other lints here - name: Security audit dependencies - run: bin/bundler-audit --update + run: bundle exec bundler-audit --update - name: Security audit application code - run: bin/brakeman -q -w2 + run: bundle exec brakeman -q -w2 - name: Lint Ruby files - run: bin/rubocop --parallel + run: bundle exec rubocop --parallel From e4840c47d074b5cdaff1d1d3684b2fed38c548d7 Mon Sep 17 00:00:00 2001 From: Jamie McCarthy Date: Mon, 12 Feb 2024 06:57:16 -0600 Subject: [PATCH 002/104] Spell bundle-audit without the r Usage as described in https://github.com/rubysec/bundler-audit#readme --- ci/rubyonrails.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index dba16cb..c9835fb 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -51,7 +51,7 @@ jobs: bundler-cache: true # Add or replace any other lints here - name: Security audit dependencies - run: bundle exec bundler-audit --update + run: bundle exec bundle-audit --update - name: Security audit application code run: bundle exec brakeman -q -w2 - name: Lint Ruby files From 4b8ca42dd9f838356c049899bc877fcda8bf6539 Mon Sep 17 00:00:00 2001 From: Jamie McCarthy Date: Mon, 12 Feb 2024 06:59:39 -0600 Subject: [PATCH 003/104] Prefer ruby/setup-ruby@v1 As recommended in https://github.com/ruby/setup-ruby#setup-ruby --- ci/rubyonrails.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index c9835fb..d62b552 100644 --- a/ci/rubyonrails.yml 
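Review bot: `bundle exec` only resolves `bundler-audit`, `brakeman` and `rubocop` when those gems are declared in the application's Gemfile, whereas the replaced `bin/` stubs implied binstubs already existed; a template user without the gems gets a command-not-found failure from Bundler instead of a lint result. A comment above the three lint steps such as `# Requires bundler-audit, brakeman and rubocop in the Gemfile (development/test group)` would make the prerequisite explicit. `bundler-audit --update` also fetches the advisory database from the network at run time, so the step depends on outbound access from the runner.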
+++ b/ci/rubyonrails.yml @@ -30,7 +30,7 @@ jobs: uses: actions/checkout@v3 # Add or replace dependency steps here - name: Install Ruby and gems - uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 + uses: ruby/setup-ruby@v1 with: bundler-cache: true # Add or replace database setup steps here @@ -46,7 +46,7 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - name: Install Ruby and gems - uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 + uses: ruby/setup-ruby@v1 with: bundler-cache: true # Add or replace any other lints here From 469c22e7a4158aa9cf13543c2614ef2561b57e95 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 19 Mar 2024 12:45:34 -0400 Subject: [PATCH 004/104] ci/python-publish: bump, use trusted publishing Signed-off-by: William Woodruff --- ci/python-publish.yml | 58 +++++++++++++++++++++++++++---------------- 1 file changed, 36 insertions(+), 22 deletions(-) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index bdaab28..160b12f 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -1,4 +1,4 @@ -# This workflow will upload a Python Package using Twine when a release is created +# This workflow will upload a Python Package to PyPI when a release is created # For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries # This workflow uses actions that are not certified by GitHub. 
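Review bot: Replacing the commit-SHA pin with the floating `v1` tag on both `ruby/setup-ruby` steps (the second hunk, at `@@ -46,7 +46,7 @@`, makes the same change) lets the action resolve to whatever commit the tag points to when the job runs, so a retargeted or compromised tag changes the code executing with the job's token. The dropped form `uses: ruby/setup-ruby@<full commit sha> # v1.x.y` is how third-party actions are referenced elsewhere in this template set; keep the SHA pin and refresh it with an updated version comment rather than switching to the tag.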
@@ -12,28 +12,42 @@ on: release: types: [published] -permissions: - contents: read - jobs: - deploy: - + release-build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - name: Set up Python - uses: actions/setup-python@v3 - with: - python-version: '3.x' - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install build - - name: Build package - run: python -m build - - name: Publish package - uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29 - with: - user: __token__ - password: ${{ secrets.PYPI_API_TOKEN }} + - uses: actions/checkout@v4 + + - uses: actions/setup-python@v5 + with: + python-version: "3.x" + + - name: build release distributions + run: | + # NOTE: put your own distribution build steps here. + python -m pip install build + python -m build + + - name: upload distributions + uses: actions/upload-artifact@v4 + with: + name: release-dists + path: dist/ + + pypi-publish: + runs-on: ubuntu-latest + needs: + - release-build + permissions: + id-token: write + + steps: + - name: Retrieve release distributions + uses: actions/download-artifact@v4 + with: + name: release-dists + path: dist/ + + - name: Publish release distributions to PyPI + uses: pypa/gh-action-pypi-publish@release/v1 From f4c64fb836ab3e5b6e5c99f3fb47241e56178445 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 19 Mar 2024 15:40:07 -0400 Subject: [PATCH 005/104] Apply suggestions from code review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sviatoslav Sydorenko (Святослав Сидоренко) --- ci/python-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 160b12f..ec73a48 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml 
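Review bot: Removing the top-level `permissions: contents: read` leaves `release-build` running with the repository's default GITHUB_TOKEN scope, which can be read/write depending on repository settings, although the job only checks out and builds; restore `permissions: contents: read` at the top level or add it to the `release-build` job (the `pypi-publish` job's own `permissions:` block already overrides the default for that job). `pypa/gh-action-pypi-publish@release/v1` is a moving branch, so the publishing step executes whatever that branch holds at run time; pinning to a full commit SHA with a `# vX.Y.Z` version comment matches how the other third-party actions in this template set are referenced. The `python -m pip install build` line installs an unpinned build tool in a release pipeline; since the step is marked as a placeholder, a comment recommending a pinned version is enough.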
@@ -23,13 +23,13 @@ jobs: with: python-version: "3.x" - - name: build release distributions + - name: Build release distributions run: | # NOTE: put your own distribution build steps here. python -m pip install build python -m build - - name: upload distributions + - name: Upload distributions uses: actions/upload-artifact@v4 with: name: release-dists From 231e6b5f6f635625f600d423d7fba591d99dfa47 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 19 Mar 2024 16:41:37 -0400 Subject: [PATCH 006/104] python-publish: contents: read at toplevel Signed-off-by: William Woodruff --- ci/python-publish.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index ec73a48..51b96ca 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -12,6 +12,9 @@ on: release: types: [published] +permissions: + contents: read + jobs: release-build: runs-on: ubuntu-latest From e23021529279bb3abf1f7253df1e3eb3bbe23a51 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 19 Mar 2024 16:42:35 -0400 Subject: [PATCH 007/104] python-publish: explanatory comment Signed-off-by: William Woodruff --- ci/python-publish.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 51b96ca..7675071 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -43,6 +43,7 @@ jobs: needs: - release-build permissions: + # IMPORTANT: this permission is mandatory for trusted publishing id-token: write steps: From 1fa8e1835028aa47cdb324027fc7c3bd8f93f875 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 19 Mar 2024 16:49:45 -0400 Subject: [PATCH 008/104] python-publish: copy gem-push.yml's pattern Signed-off-by: William Woodruff --- ci/python-publish.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 7675071..bb92010 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml 
@@ -54,4 +54,6 @@ jobs: path: dist/ - name: Publish release distributions to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + # To automatically get updates, change this to: + # uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 # v1.8.14 From e44c7b519f7b4a81d578eddc0fa12e6463d45271 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 19 Mar 2024 16:57:58 -0400 Subject: [PATCH 009/104] python-publish: environment Signed-off-by: William Woodruff --- ci/python-publish.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index bb92010..bf13220 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -46,6 +46,13 @@ jobs: # IMPORTANT: this permission is mandatory for trusted publishing id-token: write + # Dedicated environments with protections for publishing are strongly recommended. + # For more information, see: https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules + environment: + name: pypi + # OPTIONAL: uncomment and update to include your PyPI project URL in the deployment status: + # url: https://pypi.org/p/YOURPROJECT + steps: - name: Retrieve release distributions uses: actions/download-artifact@v4 From 7e9ab60c5f227c12ce1b4197e7bc9ef4447d2e18 Mon Sep 17 00:00:00 2001 From: Fabian Aguilar Gomez Date: Fri, 19 Apr 2024 16:26:10 -0500 Subject: [PATCH 010/104] remove pages for now --- script/sync-ghes/settings.json | 1 - 1 file changed, 1 deletion(-) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index 41d6bcd..c848615 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -3,7 +3,6 @@ "../../ci", "../../automation", "../../code-scanning", - "../../pages" ], "enabledActions": [ "actions/cache", From 29b0a3e3a9e362bf782a2d3d4bd200a92b577704 Mon Sep 17 00:00:00 2001 
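Review bot: The new `environment: name: pypi` block is only a protection if the `pypi` environment exists in the repository settings with reviewers or branch rules configured; on a repository where it does not yet exist, GitHub typically creates it on first use with no rules, so the linked comment could state that explicitly. If the trusted publisher registered on PyPI specifies an environment name, it has to match `pypi` exactly or the OIDC token exchange is rejected; a comment such as `# Must match the environment name configured for the trusted publisher on PyPI, if one was set` next to `name: pypi` would save a failed first release.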
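Review bot: Deleting the `"../../pages"` entry leaves `"../../code-scanning",` as the last element of the `folders` array with a trailing comma, which strict JSON parsers reject, so `settings.json` no longer loads; the comma on that line must go too, i.e. `"../../code-scanning"`. The enclosing `folders` array begins above the hunk.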
From: Fabian Aguilar Gomez Date: Fri, 19 Apr 2024 16:30:57 -0500 Subject: [PATCH 011/104] Update settings.json --- script/sync-ghes/settings.json | 2 -- 1 file changed, 2 deletions(-) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index c848615..0fd7319 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -10,7 +10,6 @@ "actions/configure-pages", "actions/create-release", "actions/delete-package-versions", - "actions/deploy-pages", "actions/download-artifact", "actions/jekyll-build-pages", "actions/setup-dotnet", @@ -21,7 +20,6 @@ "actions/stale", "actions/starter-workflows", "actions/upload-artifact", - "actions/upload-pages-artifact", "actions/upload-release-asset", "github/codeql-action" ], From 37d6de723e3afd1add9316fdfcdbe9413b8603f9 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 25 Apr 2024 13:38:10 -0400 Subject: [PATCH 012/104] Setup-Java: Update all workflows to use Setup-Java V4 Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- ci/android.yml | 2 +- ci/ant.yml | 2 +- ci/maven-publish.yml | 2 +- ci/maven.yml | 2 +- ci/scala.yml | 2 +- code-scanning/endorlabs.yml | 2 +- code-scanning/fortify.yml | 2 +- code-scanning/pmd.yml | 2 +- code-scanning/veracode.yml | 2 +- code-scanning/xanitizer.yml | 2 +- deployments/azure-functions-app-java-gradle.yml | 4 +++- deployments/azure-functions-app-java.yml | 4 +++- deployments/azure-webapps-java-jar-gradle.yml | 2 +- deployments/azure-webapps-java-jar.yml | 2 +- 14 files changed, 18 insertions(+), 14 deletions(-) diff --git a/ci/android.yml b/ci/android.yml index 80a33b4..fec1eb9 100644 --- a/ci/android.yml +++ b/ci/android.yml @@ -14,7 +14,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: '11' distribution: 'temurin' diff --git a/ci/ant.yml b/ci/ant.yml index 517a37a..8cfe641 100644 
--- a/ci/ant.yml +++ b/ci/ant.yml @@ -17,7 +17,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: '11' distribution: 'temurin' diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml index 954e6c8..64b848b 100644 --- a/ci/maven-publish.yml +++ b/ci/maven-publish.yml @@ -18,7 +18,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: '11' distribution: 'temurin' diff --git a/ci/maven.yml b/ci/maven.yml index 47816ee..7709373 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -22,7 +22,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up JDK 17 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: '17' distribution: 'temurin' diff --git a/ci/scala.yml b/ci/scala.yml index 83b09f7..49ca1e7 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -22,7 +22,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: '11' distribution: 'temurin' diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index 670fe62..46d1428 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml @@ -26,7 +26,7 @@ jobs: ### Use this section to define the build steps used by your software package. ### Endor Labs builds your software for you where possible but the required build tools must be made available. # - name: Setup Java - # uses: actions/setup-java@v3 + # uses: actions/setup-java@v4 # with: # distribution: 'microsoft' # java-version: '17' diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml index c52b70e..8a94fca 100644 --- a/code-scanning/fortify.yml +++ b/code-scanning/fortify.yml 
@@ -44,7 +44,7 @@ jobs: # Java is required to run the various Fortify utilities. # When scanning a Java application, please use the appropriate Java version for building your application. - name: Setup Java - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: 8 distribution: 'temurin' diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index ed5eec9..d904a49 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -26,7 +26,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: '11' distribution: 'temurin' diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index 379493f..df2f8b6 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -42,7 +42,7 @@ jobs: - run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip - run: unzip -o pipeline-scan-LATEST.zip - - uses: actions/setup-java@v3 + - uses: actions/setup-java@v4 with: java-version: 8 distribution: 'temurin' diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 32c977e..3b323e9 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -62,7 +62,7 @@ jobs: # Set up the correct Java version for your project # Please comment out, if your project does not contain Java source code. - name: Set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: 11 distribution: 'temurin' diff --git a/deployments/azure-functions-app-java-gradle.yml b/deployments/azure-functions-app-java-gradle.yml index 131e287..87d9ec0 100644 --- a/deployments/azure-functions-app-java-gradle.yml +++ b/deployments/azure-functions-app-java-gradle.yml 
@@ -28,6 +28,7 @@ permissions: env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure BUILD_GRADLE_DIRECTORY: '.' # set this to the directory which contains build.gradle file + DISTRIBUTION: 'zulu' # set this to the java version to use (e.g. 'zulu', 'temurin', 'microsoft') JAVA_VERSION: '8' # set this to the java version to use (e.g. '8', '11', '17') jobs: @@ -47,8 +48,9 @@ jobs: # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository - name: Setup Java Sdk ${{ env.JAVA_VERSION }} - uses: actions/setup-java@v1 + uses: actions/setup-java@v4 with: + distribution: ${{ env.DISTRIBUTION }} java-version: ${{ env.JAVA_VERSION }} # Build function project with functions gradle plugin diff --git a/deployments/azure-functions-app-java.yml b/deployments/azure-functions-app-java.yml index e7b78c0..c487aff 100644 --- a/deployments/azure-functions-app-java.yml +++ b/deployments/azure-functions-app-java.yml @@ -25,6 +25,7 @@ on: env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure POM_XML_DIRECTORY: '.' # set this to the directory which contains pom.xml file + DISTRIBUTION: 'zulu' # set this to the java version to use (e.g. 'zulu', 'temurin', 'microsoft') JAVA_VERSION: '8' # set this to the java version to use (e.g. '8', '11', '17') jobs: @@ -42,8 +43,9 @@ jobs: # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository - name: Setup Java Sdk ${{ env.JAVA_VERSION }} - uses: actions/setup-java@v1 + uses: actions/setup-java@v4 with: + distribution: ${{ env.DISTRIBUTION }} java-version: ${{ env.JAVA_VERSION }} - name: 'Restore Project Dependencies Using Mvn' diff --git a/deployments/azure-webapps-java-jar-gradle.yml b/deployments/azure-webapps-java-jar-gradle.yml index 63a45cc..51817b5 100644 --- a/deployments/azure-webapps-java-jar-gradle.yml +++ b/deployments/azure-webapps-java-jar-gradle.yml 
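Review bot: The new `DISTRIBUTION: 'zulu'` line in `deployments/azure-functions-app-java-gradle.yml` carries a comment copied from the `JAVA_VERSION` line, `# set this to the java version to use (e.g. 'zulu', 'temurin', 'microsoft')`, which describes the wrong setting; the same copy appears in the `deployments/azure-functions-app-java.yml` hunk below. Change both to `# set this to the java distribution to use (e.g. 'zulu', 'temurin', 'microsoft')`. The `setup-java@v4` step reads it through `distribution: ${{ env.DISTRIBUTION }}`, so the value itself is wired correctly.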
@@ -40,7 +40,7 @@ jobs: - uses: actions/checkout@v4 - name: Set up Java version - uses: actions/setup-java@v3.0.0 + uses: actions/setup-java@v4 with: java-version: ${{ env.JAVA_VERSION }} distribution: ${{ env.DISTRIBUTION }} diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 608fb8e..c98baed 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -40,7 +40,7 @@ jobs: - uses: actions/checkout@v4 - name: Set up Java version - uses: actions/setup-java@v3.0.0 + uses: actions/setup-java@v4 with: java-version: ${{ env.JAVA_VERSION }} distribution: ${{ env.DISTRIBUTION }} From 545832af8bf577275404c16cbca83d07fd475543 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 25 Apr 2024 14:23:34 -0400 Subject: [PATCH 013/104] Setup-Dotnet: Update all workflows to Setup-Dotnet V4 --- code-scanning/defender-for-devops.yml | 2 +- code-scanning/ossar.yml | 2 +- deployments/azure-functions-app-dotnet.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/code-scanning/defender-for-devops.yml b/code-scanning/defender-for-devops.yml index 07aa7d1..0b058ce 100644 --- a/code-scanning/defender-for-devops.yml +++ b/code-scanning/defender-for-devops.yml @@ -33,7 +33,7 @@ jobs: steps: - uses: actions/checkout@v4 - - uses: actions/setup-dotnet@v3 + - uses: actions/setup-dotnet@v4 with: dotnet-version: | 5.0.x diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index ad46e1d..c1ecac1 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml 
@@ -40,7 +40,7 @@ jobs: # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped. # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action: # - name: Install .NET - # uses: actions/setup-dotnet@v2 + # uses: actions/setup-dotnet@v4 # with: # dotnet-version: '3.1.x' diff --git a/deployments/azure-functions-app-dotnet.yml b/deployments/azure-functions-app-dotnet.yml index bf1169b..99ad945 100644 --- a/deployments/azure-functions-app-dotnet.yml +++ b/deployments/azure-functions-app-dotnet.yml @@ -42,7 +42,7 @@ jobs: # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository - name: Setup DotNet ${{ env.DOTNET_VERSION }} Environment - uses: actions/setup-dotnet@v3 + uses: actions/setup-dotnet@v4 with: dotnet-version: ${{ env.DOTNET_VERSION }} diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index b4bfafb..73b6380 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -40,7 +40,7 @@ jobs: - uses: actions/checkout@v4 - name: Set up .NET Core - uses: actions/setup-dotnet@v2 + uses: actions/setup-dotnet@v4 with: dotnet-version: ${{ env.DOTNET_VERSION }} From d51dfabea2a2164939745ecebe07826579c2626c Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 25 Apr 2024 16:03:52 -0400 Subject: [PATCH 014/104] Artifacts: Update all workflows to use Artifacts V4 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- ci/dotnet-desktop.yml | 4 ++-- code-scanning/msvc.yml | 2 +- code-scanning/scorecard.yml | 2 +- code-scanning/xanitizer.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 4 ++-- deployments/azure-webapps-java-jar-gradle.yml | 4 ++-- deployments/azure-webapps-java-jar.yml | 4 ++-- deployments/azure-webapps-node.yml | 4 ++-- deployments/azure-webapps-php.yml | 4 ++-- deployments/azure-webapps-python.yml | 4 ++-- 10 files changed, 17 insertions(+), 17 deletions(-) diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index ad99b56..400a721 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -109,7 +109,7 @@ jobs: # Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact - name: Upload build artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: - name: MSIX Package + name: MSIX Package ${{ matrix.configuration }} path: ${{ env.Wap_Project_Directory }}\AppPackages diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 0700989..b905ef8 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -60,7 +60,7 @@ jobs: # Upload SARIF file as an Artifact to download and view # - name: Upload SARIF as an Artifact - # uses: actions/upload-artifact@v3 + # uses: actions/upload-artifact@v4 # with: # name: sarif-file # path: ${{ steps.run-analysis.outputs.sarif }} diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index 162c788..729d741 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml 
@@ -59,7 +59,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: SARIF file path: results.sarif diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 32c977e..2fd110a 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -87,7 +87,7 @@ jobs: license: ${{ secrets.XANITIZER_LICENSE }} # Archiving the findings list reports - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: Xanitizer-Reports path: | diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index b4bfafb..64124e5 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -59,7 +59,7 @@ jobs: run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: .net-app path: ${{env.DOTNET_ROOT}}/myapp @@ -75,7 +75,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: .net-app diff --git a/deployments/azure-webapps-java-jar-gradle.yml b/deployments/azure-webapps-java-jar-gradle.yml index 63a45cc..a066d89 100644 --- a/deployments/azure-webapps-java-jar-gradle.yml +++ b/deployments/azure-webapps-java-jar-gradle.yml @@ -50,7 +50,7 @@ jobs: run: gradle build - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: java-app path: '${{ github.workspace }}/build/libs/*.jar' 
@@ -66,7 +66,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: java-app diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 608fb8e..f6c17a9 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -50,7 +50,7 @@ jobs: run: mvn clean install - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: java-app path: '${{ github.workspace }}/target/*.jar' @@ -66,7 +66,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: java-app diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index 147d4e6..891a7d6 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -49,7 +49,7 @@ jobs: npm run test --if-present - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: node-app path: . @@ -65,7 +65,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: node-app diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 1182c2a..3391c83 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -70,7 +70,7 @@ jobs: run: composer validate --no-check-publish && composer install --prefer-dist --no-progress - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: php-app path: . @@ -86,7 +86,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: php-app 
diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 656f95c..e4868c4 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -55,7 +55,7 @@ jobs: # Optional: Add step to run tests here (PyTest, Django test suites, etc.) - name: Upload artifact for deployment jobs - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: python-app path: | @@ -73,7 +73,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: python-app path: . From a072fdfb1ceba231fa8e1036cb88eac42ad10db9 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 25 Apr 2024 17:10:59 -0400 Subject: [PATCH 015/104] Labeler: Update to v5 --- .github/workflows/labeler-triage.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/labeler-triage.yml b/.github/workflows/labeler-triage.yml index 99fdbc5..2de6b88 100644 --- a/.github/workflows/labeler-triage.yml +++ b/.github/workflows/labeler-triage.yml @@ -5,12 +5,12 @@ permissions: pull-requests: write on: -- pull_request_target + pull_request_target: jobs: triage: runs-on: ubuntu-latest steps: - - uses: actions/labeler@v4 + - uses: actions/labeler@v5 with: - repo-token: "${{ secrets.GITHUB_TOKEN }}" \ No newline at end of file + repo-token: "${{ secrets.GITHUB_TOKEN }}" From 1830845916d09bee7327d12cbf1e387edfdb9846 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 25 Apr 2024 13:37:42 -0400 Subject: [PATCH 016/104] Setup-Node: Update all workflows to use Setup-Node V4 * Switch default node version to 20 * Update version set to 18.x, 20.x, 22.x 
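Review bot: `actions/labeler@v5` expects a different `.github/labeler.yml` schema from v4 (label entries keyed by `changed-files` matchers rather than bare glob lists), and that configuration file is not part of this patch; without migrating it the job fails at run time, so verify the labeler config was updated alongside this bump or note the requirement in the commit message. The workflow keeps `pull_request_target` with `pull-requests: write`, which runs with the base repository's token on pull requests from forks; that is appropriate for labeling only as long as the job never checks out or executes pull-request content, which the current single-step job respects.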
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- .github/workflows/sync-ghes.yaml | 4 ++-- .github/workflows/validate-data.yaml | 4 ++-- ci/node.js.yml | 4 ++-- ci/npm-grunt.yml | 4 ++-- ci/npm-gulp.yml | 4 ++-- ci/npm-publish-github-packages.yml | 8 ++++---- ci/npm-publish.yml | 8 ++++---- ci/webpack.yml | 4 ++-- code-scanning/crda.yml | 4 ++-- code-scanning/jscrambler-code-integrity.yml | 4 ++-- code-scanning/snyk-security.yml | 4 ++-- deployments/azure-functions-app-nodejs.yml | 4 ++-- deployments/azure-webapps-node.yml | 4 ++-- 13 files changed, 30 insertions(+), 30 deletions(-) diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index 6a3da68..5d39d18 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -15,9 +15,9 @@ jobs: git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/* git config user.email "cschleiden@github.com" git config user.name "GitHub Actions" - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: '16' + node-version: '20' cache: 'npm' cache-dependency-path: script/sync-ghes/package-lock.json - name: Check starter workflows for GHES compat diff --git a/.github/workflows/validate-data.yaml b/.github/workflows/validate-data.yaml index 43f5578..52988aa 100644 --- a/.github/workflows/validate-data.yaml +++ b/.github/workflows/validate-data.yaml @@ -12,9 +12,9 @@ jobs: steps: - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: '16' + node-version: '20' cache: 'npm' cache-dependency-path: script/validate-data/package-lock.json diff --git a/ci/node.js.yml b/ci/node.js.yml index 688a227..d5ccc14 100644 --- a/ci/node.js.yml +++ b/ci/node.js.yml 
@@ -16,13 +16,13 @@ jobs: strategy: matrix: - node-version: [14.x, 16.x, 18.x] + node-version: [18.x, 20.x, 22.x] # See supported Node.js release schedule at https://nodejs.org/en/about/releases/ steps: - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: ${{ matrix.node-version }} cache: 'npm' diff --git a/ci/npm-grunt.yml b/ci/npm-grunt.yml index 0039895..ccdabd8 100644 --- a/ci/npm-grunt.yml +++ b/ci/npm-grunt.yml @@ -12,13 +12,13 @@ jobs: strategy: matrix: - node-version: [14.x, 16.x, 18.x] + node-version: [18.x, 20.x, 22.x] steps: - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: ${{ matrix.node-version }} diff --git a/ci/npm-gulp.yml b/ci/npm-gulp.yml index 19bed27..3a4ec12 100644 --- a/ci/npm-gulp.yml +++ b/ci/npm-gulp.yml @@ -12,13 +12,13 @@ jobs: strategy: matrix: - node-version: [14.x, 16.x, 18.x] + node-version: [18.x, 20.x, 22.x] steps: - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: ${{ matrix.node-version }} diff --git a/ci/npm-publish-github-packages.yml b/ci/npm-publish-github-packages.yml index 1899709..99531c0 100644 --- a/ci/npm-publish-github-packages.yml +++ b/ci/npm-publish-github-packages.yml @@ -12,9 +12,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: 16 + node-version: 20 - run: npm ci - run: npm test @@ -26,9 +26,9 @@ jobs: packages: write steps: - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: 16 + node-version: 20 registry-url: $registry-url(npm) - run: npm ci - run: npm publish diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index 0049296..2a4766d 100644 
--- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml @@ -12,9 +12,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: 16 + node-version: 20 - run: npm ci - run: npm test @@ -23,9 +23,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: 16 + node-version: 20 registry-url: https://registry.npmjs.org/ - run: npm ci - run: npm publish diff --git a/ci/webpack.yml b/ci/webpack.yml index 9e967c0..1013845 100644 --- a/ci/webpack.yml +++ b/ci/webpack.yml @@ -12,13 +12,13 @@ jobs: strategy: matrix: - node-version: [14.x, 16.x, 18.x] + node-version: [18.x, 20.x, 22.x] steps: - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: ${{ matrix.node-version }} diff --git a/code-scanning/crda.yml b/code-scanning/crda.yml index d5bb88f..82610ac 100644 --- a/code-scanning/crda.yml +++ b/code-scanning/crda.yml @@ -94,9 +94,9 @@ jobs: # # Example: # - name: Setup Node - # uses: actions/setup-node@v2 + # uses: actions/setup-node@v4 # with: - # node-version: '14' + # node-version: '20' # https://github.com/redhat-actions/openshift-tools-installer/blob/main/README.md - name: Install CRDA CLI diff --git a/code-scanning/jscrambler-code-integrity.yml b/code-scanning/jscrambler-code-integrity.yml index 69d7c42..64a998a 100644 --- a/code-scanning/jscrambler-code-integrity.yml +++ b/code-scanning/jscrambler-code-integrity.yml @@ -28,9 +28,9 @@ jobs: contents: read steps: - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: 18 + node-version: 20 - run: npm ci - run: npm run build - name: Jscrambler Code Integrity diff --git a/code-scanning/snyk-security.yml b/code-scanning/snyk-security.yml index 4941e00..bee888c 100644 
--- a/code-scanning/snyk-security.yml +++ b/code-scanning/snyk-security.yml @@ -43,9 +43,9 @@ jobs: # For Snyk Open Source you must first set up the development environment for your application's dependencies # For example for Node - #- uses: actions/setup-node@v3 + #- uses: actions/setup-node@v4 # with: - # node-version: 16 + # node-version: 20 env: # This is where you will need to introduce the Snyk API token created with your Snyk account diff --git a/deployments/azure-functions-app-nodejs.yml b/deployments/azure-functions-app-nodejs.yml index 6c2e45c..69d3d27 100644 --- a/deployments/azure-functions-app-nodejs.yml +++ b/deployments/azure-functions-app-nodejs.yml @@ -27,7 +27,7 @@ on: env: AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your function app project, defaults to the repository root - NODE_VERSION: '16.x' # set this to the node version to use (e.g. '8.x', '10.x', '12.x') + NODE_VERSION: '20.x' # set this to the node version to use (e.g. '8.x', '10.x', '12.x') jobs: build-and-deploy: @@ -44,7 +44,7 @@ jobs: # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository - name: Setup Node ${{ env.NODE_VERSION }} Environment - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: ${{ env.NODE_VERSION }} diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index 147d4e6..dfa9dbb 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -25,7 +25,7 @@ on: env: AZURE_WEBAPP_NAME: your-app-name # set this to your application's name AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - NODE_VERSION: '14.x' # set this to the node version to use + NODE_VERSION: '20.x' # set this to the node version to use permissions: contents: read 
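Review bot: The `NODE_VERSION: '20.x'` line in `deployments/azure-functions-app-nodejs.yml` keeps the old comment `# set this to the node version to use (e.g. '8.x', '10.x', '12.x')`, whose examples are all end-of-life releases that this same series removes from the CI matrices; update it to `# set this to the node version to use (e.g. '18.x', '20.x', '22.x')` so the template does not steer users toward unsupported runtimes. The `deployments/azure-webapps-node.yml` hunk below uses the version-agnostic `# set this to the node version to use` and needs no change.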
@@ -37,7 +37,7 @@ jobs: - uses: actions/checkout@v4 - name: Set up Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' From 23a568e80a38bbe4a73f1b49a344ea50b3a50351 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 25 Apr 2024 21:32:56 -0400 Subject: [PATCH 017/104] fix(openshift): comment out dangling dependency --- deployments/openshift.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/deployments/openshift.yml b/deployments/openshift.yml index 1c3fc43..d6785c2 100644 --- a/deployments/openshift.yml +++ b/deployments/openshift.yml @@ -67,11 +67,11 @@ jobs: # TODO: Make sure to add 'CRDA Scan' starter workflow from the 'Actions' tab. # For guide on adding new starter workflow visit https://docs.github.com/en/github-ae@latest/actions/using-workflows/using-starter-workflows - crda-scan: - uses: ./.github/workflows/crda.yml - secrets: - CRDA_KEY: ${{ secrets.CRDA_KEY }} - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # Either use SNYK_TOKEN or CRDA_KEY + #crda-scan: + # uses: ./.github/workflows/crda.yml + # secrets: + # CRDA_KEY: ${{ secrets.CRDA_KEY }} + # # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # Either use SNYK_TOKEN or CRDA_KEY openshift-ci-cd: # 🖊️ Uncomment this if you are using CRDA scan step above From e656ded9f0017958db40fbd074f083d5b9c29c62 Mon Sep 17 00:00:00 2001 From: Jamie McCarthy Date: Fri, 26 Apr 2024 07:16:34 -0400 Subject: [PATCH 018/104] Reference ruby/setup-ruby with latest commit hash As required in pull_request_template.md --- ci/rubyonrails.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index 17e08b4..b976f3f 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml 
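Review bot: The commented-out `crda-scan` job in the new lines is written as `#crda-scan:` with no space after the hash, while every other comment in the hunk (`# TODO:`, `# 🖊️`, `# Either use`) uses `# `; yamllint's `comments` rule flags this, so write `# crda-scan:` and `#   uses:` for consistency. Since the job is now disabled, the `# TODO: Make sure to add 'CRDA Scan' starter workflow` note above it should also tell the reader to uncomment this block after adding `crda.yml`; otherwise the `# 🖊️ Uncomment this if you are using CRDA scan step above` hint on `openshift-ci-cd` points at a job that is itself commented out.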
@@ -30,7 +30,7 @@ jobs: uses: actions/checkout@v4 # Add or replace dependency steps here - name: Install Ruby and gems - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@1198b074305f9356bd56dd4b311757cc0dab2f1c # v1.175.1 with: bundler-cache: true # Add or replace database setup steps here @@ -46,7 +46,7 @@ jobs: - name: Checkout code uses: actions/checkout@v4 - name: Install Ruby and gems - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@1198b074305f9356bd56dd4b311757cc0dab2f1c # v1.175.1 with: bundler-cache: true # Add or replace any other lints here From 5902ad751bbf5a50ae17fe754e01046512540412 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 11:56:18 -0700 Subject: [PATCH 019/104] Update script/sync-ghes/settings.json --- script/sync-ghes/settings.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index 0fd7319..0dbea1e 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -2,7 +2,7 @@ "folders": [ "../../ci", "../../automation", - "../../code-scanning", + "../../code-scanning" ], "enabledActions": [ "actions/cache", From d526113a1b61be86f4ba9aac4f765073a26cdd65 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 11:56:46 -0700 Subject: [PATCH 020/104] Update script/sync-ghes/settings.json --- script/sync-ghes/settings.json | 1 + 1 file changed, 1 insertion(+) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index 0dbea1e..fec0264 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -10,6 +10,7 @@ "actions/configure-pages", "actions/create-release", "actions/delete-package-versions", + "actions/deploy-pages", "actions/download-artifact", "actions/jekyll-build-pages", "actions/setup-dotnet", From 7d07997513aa76f3d0f2523a58b194c1c1b90b6d Mon Sep 17 00:00:00 2001 
From: Yoann Chaudet Date: Mon, 29 Apr 2024 11:57:05 -0700 Subject: [PATCH 021/104] Update script/sync-ghes/settings.json --- script/sync-ghes/settings.json | 1 + 1 file changed, 1 insertion(+) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index fec0264..cb0197a 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -21,6 +21,7 @@ "actions/stale", "actions/starter-workflows", "actions/upload-artifact", + "actions/upload-pages-artifact", "actions/upload-release-asset", "github/codeql-action" ], From 264962401da5f1837581d623fbc211c84118ae07 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:03:21 -0700 Subject: [PATCH 022/104] ici --- script/sync-ghes/index.ts | 6 ++++++ script/sync-ghes/settings.json | 6 +++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index f53d220..2559b40 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -163,6 +163,9 @@ async function checkWorkflow( await exec("rm", ["-fr", ...settings.folders]); await exec("rm", ["-fr", "../../icons"]); + // Ignore read-only folders from compatible workflows list + result.compatibleWorkflows = result.compatibleWorkflows.filter(x => !settings.readOnlyFolders.includes(x.folder)); + console.log("Sync changes from main for compatible workflows"); await exec("git", [ "checkout", @@ -184,6 +187,9 @@ async function checkWorkflow( }) ), ]); + + // Add back Pages icons + } catch (e) { console.error("Unhandled error while syncing workflows", e); process.exitCode = 1; diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index cb0197a..ce18eb6 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json 
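Review bot: With this change the read-only folder is deleted but never restored: the `await exec("rm", ["-fr", ...settings.folders])` a few lines above the first hunk still removes every folder in `settings.folders` (which the companion settings.json change extends with `../../pages`), and the new `filter` then drops those workflows from the `git checkout main --` file list that follows, so the pages workflows simply vanish from the ghes branch. Either exclude the read-only folders from the `rm` (`settings.folders.filter(f => !settings.readOnlyFolders.includes(f))`) or restore them with `git checkout -- <folder>` before the sync step. The second hunk adds an empty `// Add back Pages icons` placeholder with no code behind it; implement it or drop the comment before merging. Both hunks sit inside `checkWorkflow`, whose body starts and ends outside the hunks.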
@@ -2,7 +2,11 @@ "folders": [ "../../ci", "../../automation", - "../../code-scanning" + "../../code-scanning", + "../../pages" + ], + "readOnlyFolders": [ + "../../pages" ], "enabledActions": [ "actions/cache", From c7480532d0129274e25ccd09e2357377a228f56a Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:16:50 -0700 Subject: [PATCH 023/104] again --- script/sync-ghes/index.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 2559b40..7c07a36 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -153,7 +153,7 @@ async function checkWorkflow( console.groupEnd(); console.log("Switch to GHES branch"); - await exec("git", ["checkout", "ghes"]); + // await exec("git", ["checkout", "ghes"]); // In order to sync from main, we might need to remove some workflows, add some // and modify others. The lazy approach is to delete all workflows first, and then @@ -163,7 +163,7 @@ async function checkWorkflow( await exec("rm", ["-fr", ...settings.folders]); await exec("rm", ["-fr", "../../icons"]); - // Ignore read-only folders from compatible workflows list + // Ignore compatible workflows in a read-only folder result.compatibleWorkflows = result.compatibleWorkflows.filter(x => !settings.readOnlyFolders.includes(x.folder)); console.log("Sync changes from main for compatible workflows"); From 252e935e86952db9cad9b0f6c9ee1d543f91e12c Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:17:24 -0700 Subject: [PATCH 024/104] ghes --- script/sync-ghes/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 7c07a36..e7cb2b2 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts 
@@ -153,7 +153,7 @@ async function checkWorkflow( console.groupEnd(); console.log("Switch to GHES branch"); - // await exec("git", ["checkout", "ghes"]); + await exec("git", ["checkout", "ghes"]); // In order to sync from main, we might need to remove some workflows, add some // and modify others. The lazy approach is to delete all workflows first, and then From 1e15901e1c50134c3eb77f2b3c82b79d15a5f3e5 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:20:27 -0700 Subject: [PATCH 025/104] wip --- script/sync-ghes/index.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index e7cb2b2..03d04f0 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -156,11 +156,11 @@ async function checkWorkflow( await exec("git", ["checkout", "ghes"]); // In order to sync from main, we might need to remove some workflows, add some - // and modify others. The lazy approach is to delete all workflows first, and then + // and modify others. The lazy approach is to delete all workflows first (except from read-only folders), and then // just bring the compatible ones over from the main branch. We let git figure out // whether it's a deletion, add, or modify and commit the new state. console.log("Remove all workflows"); - await exec("rm", ["-fr", ...settings.folders]); + await exec("rm", ["-fr", ...(settings.folders.filter(x => !settings.readOnlyFolders.includes(x)))]); await exec("rm", ["-fr", "../../icons"]); // Ignore compatible workflows in a read-only folder From 138375ba29d0bac534217573f589a49ebb3d87d3 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:30:15 -0700 Subject: [PATCH 026/104] wip --- script/sync-ghes/index.ts | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 03d04f0..9105bb3 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts 
@@ -160,11 +160,17 @@ async function checkWorkflow( // just bring the compatible ones over from the main branch. We let git figure out // whether it's a deletion, add, or modify and commit the new state. console.log("Remove all workflows"); - await exec("rm", ["-fr", ...(settings.folders.filter(x => !settings.readOnlyFolders.includes(x)))]); + await exec("rm", ["-fr", ...settings.folders]); await exec("rm", ["-fr", "../../icons"]); - // Ignore compatible workflows in a read-only folder - result.compatibleWorkflows = result.compatibleWorkflows.filter(x => !settings.readOnlyFolders.includes(x.folder)); + // Bring back the read-only folders + console.log("Restore read-only folders"); + settings.readOnlyFolders.forEach(async (folder) => { + await exec("git", [ + "checkout", + folder + ]); + }); console.log("Sync changes from main for compatible workflows"); await exec("git", [ From 66e7ed44ca7256287ab489b0eda374250e41979c Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:31:34 -0700 Subject: [PATCH 027/104] wip --- script/sync-ghes/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 9105bb3..3b8aa93 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -165,7 +165,7 @@ async function checkWorkflow( // Bring back the read-only folders console.log("Restore read-only folders"); - settings.readOnlyFolders.forEach(async (folder) => { + await settings.readOnlyFolders.forEach(async (folder) => { await exec("git", [ "checkout", folder From ddca0a93277bce73784982a3a5e8ccb46f2bdac7 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:33:45 -0700 Subject: [PATCH 028/104] async --- script/sync-ghes/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 3b8aa93..9105bb3 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts 
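Review bot: The restore loop added after the `rm` does not actually wait for the checkouts: `Array.prototype.forEach` ignores the promise returned by an `async` callback, so the `git checkout main -- ...` sync below can start while the `git checkout <folder>` calls are still running, and a failure inside the callback surfaces as an unhandled rejection instead of reaching the surrounding `catch`. Use `for (const folder of settings.readOnlyFolders) { await exec("git", ["checkout", "--", folder]); }`, passing `--` so the path is never parsed as a ref. Note also that dropping the `compatibleWorkflows` filter puts the pages workflow files back into the `git checkout main --` list below, which overwrites whatever the restore just brought back. The enclosing `checkWorkflow` continues outside the hunk.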
@@ -165,7 +165,7 @@ async function checkWorkflow( // Bring back the read-only folders console.log("Restore read-only folders"); - await settings.readOnlyFolders.forEach(async (folder) => { + settings.readOnlyFolders.forEach(async (folder) => { await exec("git", [ "checkout", folder From 3fa8d369daa66974da30d33cc5df57d08ac1cc1d Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:37:57 -0700 Subject: [PATCH 029/104] async --- script/sync-ghes/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 9105bb3..3b8aa93 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -165,7 +165,7 @@ async function checkWorkflow( // Bring back the read-only folders console.log("Restore read-only folders"); - settings.readOnlyFolders.forEach(async (folder) => { + await settings.readOnlyFolders.forEach(async (folder) => { await exec("git", [ "checkout", folder From 9f6e4a9e7dbeddc1a36599c96b026a4e6afaf871 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:38:43 -0700 Subject: [PATCH 030/104] wip --- script/sync-ghes/index.ts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 3b8aa93..0b84733 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -172,6 +172,8 @@ async function checkWorkflow( ]); }); + throw 'x' + console.log("Sync changes from main for compatible workflows"); await exec("git", [ "checkout", From 00731369055d2c5f848a5542fbbe453fc4b5761f Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:40:32 -0700 Subject: [PATCH 031/104] wip --- script/sync-ghes/index.ts | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 0b84733..2f20fec 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts 
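Review bot: `throw 'x'` in the added lines is a debugging statement that aborts the sync before the `git checkout main -- ...` step runs, and it throws a bare string rather than an `Error`, so the `catch` below logs it without a stack trace. It should not be merged; if an intentional abort is needed at this point, use `throw new Error("...")` with a message that explains why. The enclosing `checkWorkflow` continues outside the hunk.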
@@ -165,14 +165,12 @@ async function checkWorkflow( // Bring back the read-only folders console.log("Restore read-only folders"); - await settings.readOnlyFolders.forEach(async (folder) => { + for (let i = 0; i < settings.readOnlyFolders.length; i++) { await exec("git", [ "checkout", - folder + settings.readOnlyFolders[i] ]); - }); - - throw 'x' + } console.log("Sync changes from main for compatible workflows"); await exec("git", [ From dd92d3760d30c5eeaa21bbf35bfd83007e1e251b Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:43:22 -0700 Subject: [PATCH 032/104] wip --- script/sync-ghes/index.ts | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 2f20fec..2042946 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -180,10 +180,13 @@ async function checkWorkflow( ...Array.prototype.concat.apply( [], result.compatibleWorkflows.map((x) => { - const r = [ - join(x.folder, `${x.id}.yml`), - join(x.folder, "properties", `${x.id}.properties.json`), - ]; + const r = []; + + // Don't touch read-only folders + if (!settings.readOnlyFolders.includes(x.folder)) { + r.push(join(x.folder, `${x.id}.yml`)); + r.push(join(x.folder, "properties", `${x.id}.properties.json`)); + }; if (x.iconType === "svg") { r.push(join("../../icons", `${x.iconName}.svg`)); From 2c3a9cab039548b67470dbd9001f579b4dc39772 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:46:23 -0700 Subject: [PATCH 033/104] Update script/sync-ghes/index.ts --- script/sync-ghes/index.ts | 3 --- 1 file changed, 3 deletions(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 2042946..fcdaaad 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -196,9 +196,6 @@ async function checkWorkflow( }) ), ]); - - // Add back Pages icons - } catch (e) { console.error("Unhandled error while syncing workflows", e); process.exitCode = 1; 
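Review bot: The new index loop in `checkWorkflow` reads more naturally as `for (const folder of settings.readOnlyFolders)`, which removes the manual counter and the `settings.readOnlyFolders[i]` lookup while keeping each `await` sequential, which is the property the previous `forEach(async ...)` version lacked. The `git checkout` call should also place the path after `--` (`await exec("git", ["checkout", "--", folder]);`) so a folder name can never be interpreted as a branch or tag. The function body continues outside the hunk.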
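Review bot: The `};` closing the new `if (!settings.readOnlyFolders.includes(x.folder))` block leaves a stray empty statement after the brace; drop the semicolon. The icon paths pushed below the `if` are still added for workflows in read-only folders, so their icons are still synced from `main` even though their YAML and properties files are not — presumably intended, since `../../icons` is deleted earlier in the function, but a one-line comment such as `// Icons are shared and always synced from main` would make that explicit. The surrounding `map` callback and `checkWorkflow` extend outside the hunk.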
From b30fbdf5f2c90750a667f9bf56ba7777f9dee6f6 Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Thu, 2 May 2024 10:59:15 -0400 Subject: [PATCH 034/104] Specify bash shell so that it doesn't fail if switching to 'windows` --- code-scanning/codeql.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 6fdadb1..655fc59 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -76,6 +76,7 @@ jobs: # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - if: matrix.build-mode == 'manual' + shell: bash run: | echo 'If you are using a "manual" build mode for one or more of the' \ 'languages you are analyzing, replace this with the commands to build' \ From 6702f0d2e3cec8183954616cf7fd6f921b701302 Mon Sep 17 00:00:00 2001 
From: Dylan Date: Mon, 6 May 2024 09:57:14 -0400 Subject: [PATCH 035/104] Fortify Starter Workflow to use new Fortify AST Action (#2245) * Update Fortify logo * Update fortify workflow Update positioning, Github action versions, Java version and add in Debricked packaging support * Update fortify.properties.json Update languages and creator * Update fortify.yml Update triggers based on latest starter workflow guidelines * Update code-scanning/fortify.yml Co-authored-by: James M. Greene * Update code-scanning/fortify.yml Co-authored-by: James M. Greene * Update code-scanning/properties/fortify.properties.json Co-authored-by: James M. Greene * Update code-scanning/fortify.yml Co-authored-by: James M. Greene * Update code-scanning/fortify.yml Co-authored-by: James M. Greene * Update code-scanning/fortify.yml Co-authored-by: James M. Greene * Update fortify.yml * Update fortify.properties.json * Update fortify.yml Update starter workflow to use new unified Fortify AST Action * Update fortify.yml * Update fortify.yml * Update fortify.yml Refine workflow comments * Update fortify.yml Bump checkout action version * Update fortify.yml * Update fortify.yml * Update fortify.yml One final clean up * Update fortify.properties.json * Update fortify.yml * Update fortify.yml * Update fortify.properties.json Update with support for Bicep and Solidity * Update fortify.properties.json Uppercase "Solidity" for consistency * Change v1 to commit hash --------- Co-authored-by: James M. Greene Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com> --- code-scanning/fortify.yml | 116 ++++++++---------- .../properties/fortify.properties.json | 8 +- icons/fortify.svg | 30 ++++- 3 files changed, 84 insertions(+), 70 deletions(-) diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml index c52b70e..01611e8 100644 --- a/code-scanning/fortify.yml +++ b/code-scanning/fortify.yml 
@@ -4,32 +4,31 @@ # documentation. ################################################################################################################################################ -# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,# -# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial # -# or contact our sales team, visit microfocus.com/appsecurity. # +# Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your # +# software supply chain. To learn more about Fortify, start a free trial or contact our sales team, visit fortify.com. # # # -# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.# -# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into # -# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against # -# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the # -# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional # -# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. # +# Use this starter workflow as a basis for integrating Fortify Application Security Testing into your GitHub workflows. This template # +# demonstrates the steps to package the code+dependencies, initiate a scan, and optionally import SAST vulnerabilities into GitHub Security # +# Code Scanning Alerts. 
Additional information is available in the workflow comments and the Fortify AST Action / fcli / Fortify product # +# documentation. If you need additional assistance, please contact Fortify support. # ################################################################################################################################################ -name: Fortify on Demand Scan +name: Fortify AST Scan -# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time +# Customize trigger events based on your DevSecOps process and/or policy on: - workflow_dispatch: push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above branches: [ $default-branch ] schedule: - cron: $cron-weekly + workflow_dispatch: jobs: - FoD-SAST-Scan: - # Use the appropriate runner for building your source code. - # TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax. + Fortify-AST-Scan: + # Use the appropriate runner for building your source code. Ensure dev tools required to build your code are present and configured appropriately (MSBuild, Python, etc). runs-on: ubuntu-latest permissions: actions: read 
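Review bot: The new `pull_request` trigger will run the scan job for pull requests opened from forks, where GitHub does not expose repository secrets, so the `FOD_TENANT`/`FOD_USER`/`FOD_PASSWORD` values the scan step reads from `secrets` are empty and the job fails instead of being skipped. Either document that this starter is meant for same-repository branches, or guard the job with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`. The comment `# The branches below must be a subset of the branches above` holds here, since `pull_request` lists only `$default-branch`, but it should say it refers to the `push` branches. The `permissions` block begins at the end of this hunk and continues outside it.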
@@ -41,58 +40,45 @@ jobs: - name: Check Out Source Code uses: actions/checkout@v4 - # Java is required to run the various Fortify utilities. - # When scanning a Java application, please use the appropriate Java version for building your application. + # Java is required to run the various Fortify utilities. Ensuring proper version is installed on the runner. - name: Setup Java - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: - java-version: 8 + java-version: 17 distribution: 'temurin' - # Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml. - # TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints: - # ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle). - # ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner. - # ScanCentral has additional options that should be set for PHP and Python projects - # For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation. - # ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/ - - name: Download Fortify ScanCentral Client - uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3 - - name: Package Code + Dependencies - run: scancentral package $PACKAGE_OPTS -o package.zip - env: - PACKAGE_OPTS: "-bt mvn" - - # Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java - # TODO: Update ENV variables for your application and create the necessary GitHub Secrets. 
Helpful hints: - # Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used). - # Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal. - - name: Download Fortify on Demand Universal CI Tool - uses: fortify/gha-setup-fod-uploader@6e6bb8a33cb476e240929fa8ebc739ff110e7433 - - name: Perform SAST Scan - run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES" - env: - FOD_URL: "https://ams.fortify.com/" - FOD_API_URL: "https://api.ams.fortify.com/" - FOD_TENANT: ${{ secrets.FOD_TENANT }} - FOD_USER: ${{ secrets.FOD_USER }} - FOD_PAT: ${{ secrets.FOD_PAT }} - FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }} - FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" - FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})' - - # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. - - name: Export results to GitHub-optimized SARIF - uses: fortify/gha-export-vulnerabilities@fcb374411cff9809028c911dabb8b57dbdae623b + # Perform SAST and optionally SCA scan via Fortify on Demand/Fortify Hosted/Software Security Center, then + # optionally export SAST results to the GitHub code scanning dashboard. In case further customization is + # required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools + # and run them directly from within your pipeline; see https://github.com/fortify/github-action#readme for + # details. 
+ - name: Run FoD SAST Scan + uses: fortify/github-action@a92347297e02391b857e7015792cd1926a4cd418 with: - fod_base_url: "https://ams.fortify.com/" - fod_tenant: ${{ secrets.FOD_TENANT }} - fod_user: ${{ secrets.FOD_USER }} - fod_password: ${{ secrets.FOD_PAT }} - fod_release_id: ${{ secrets.FOD_RELEASE_ID }} - - # Import Fortify on Demand results to GitHub Security Code Scanning - - name: Import Results - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: ./gh-fortify-sast.sarif + sast-scan: true + env: + ### Required configuration when integrating with Fortify on Demand + FOD_URL: https://ams.fortify.com + FOD_TENANT: ${{secrets.FOD_TENANT}} + FOD_USER: ${{secrets.FOD_USER}} + FOD_PASSWORD: ${{secrets.FOD_PAT}} + ### Optional configuration when integrating with Fortify on Demand + # EXTRA_PACKAGE_OPTS: -oss # Extra 'scancentral package' options, like '-oss'' if + # Debricked SCA scan is enabled on Fortify on Demand + # EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options + # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: /:; may + # replace app+release name with numeric release ID + # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true' + # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard + ### Required configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral + # SSC_URL: ${{secrets.SSC_URL}} # SSC URL + # SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken or AutomationToken + # SC_SAST_TOKEN: ${{secrets.SC_SAST_TOKEN}} # ScanCentral SAST client auth token + # SC_SAST_SENSOR_VERSION: ${{vars.SC_SAST_SENSOR_VERSION}} # Sensor version on which to run the scan; + # usually defined as organization or repo variable + ### Optional configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral + # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options + # SSC_APPVERSION: 
MyApp:MyVersion # SSC application version, default: /: + # EXTRA_PACKAGE_OPTS: -bv myCustomPom.xml # Extra 'scancentral package' options + # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true' + # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard diff --git a/code-scanning/properties/fortify.properties.json b/code-scanning/properties/fortify.properties.json index 100b4bb..9a7511c 100644 --- a/code-scanning/properties/fortify.properties.json +++ b/code-scanning/properties/fortify.properties.json @@ -1,7 +1,7 @@ { - "name": "Fortify on Demand Scan", - "creator": "Micro Focus", - "description": "Integrate Fortify's comprehensive static code analysis (SAST) for 27+ languages into your DevSecOps workflows to build secure software faster.", + "name": "Fortify Scan", + "creator": "OpenText", + "description": "Integrate Fortify's comprehensive static code analysis (SAST) for 33+ languages into your DevSecOps workflows.", "iconName": "fortify", - "categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Go", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "Objective-C++", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML"] + "categories": ["Code Scanning", "ABAP", "ActionScript", "Bicep", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Dart", "Go", "HCL", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Solidity", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML", "YAML"] } diff --git a/icons/fortify.svg b/icons/fortify.svg index 45a0d77..7033960 100644 --- a/icons/fortify.svg +++ b/icons/fortify.svg @@ -1 +1,29 @@ - \ No newline at end of file + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
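Review bot: The `uses: fortify/github-action@a92347297e02391b857e7015792cd1926a4cd418` line pins a commit but omits the `# vX.Y.Z` tag comment that the rest of this repository puts next to pinned SHAs (see the `ruby/setup-ruby` and `sigstore/cosign-installer` pins elsewhere in this series); without it Dependabot cannot track the pin and reviewers cannot tell which release it corresponds to, so append the tag the commit message says it replaced. The commented `DO_EXPORT: true` option uploads SARIF to code scanning, which requires `security-events: write` in the job's `permissions`; only `actions: read` is visible, so confirm the rest of that block grants it. Two comment nits: `like '-oss'' if` has a doubled quote, and `default: /:` in the `FOD_RELEASE` and `SSC_APPVERSION` descriptions looks like placeholder text that lost its angle brackets, so readers cannot tell what the default actually is.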
From 7ea2dd7e0811dcfcc9dddffdce42b377a42ca745 Mon Sep 17 00:00:00 2001 From: Ross Rogers Date: Tue, 21 May 2024 14:32:42 -0700 Subject: [PATCH 036/104] Update Mayhem for API to reference new site --- code-scanning/mayhem-for-api.yml | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml index 9e533fe..cac5f61 100644 --- a/code-scanning/mayhem-for-api.yml +++ b/code-scanning/mayhem-for-api.yml @@ -9,13 +9,11 @@ # # To use this workflow, you will need to: # -# 1. Create a Mayhem for API account at -# https://mayhem4api.forallsecure.com/signup +# 1. Create a Mayhem account at https://app.mayhem.security # -# 2. Create a service account token `mapi organization service-account create -# ` +# 2. Create an API token at https://app.mayhem.security/-/settings/user/api-tokens # -# 3. Add the service account token as a secret in GitHub called "MAPI_TOKEN" +# 3. Add the API token as a secret in GitHub called "MAYHEM_TOKEN" # # 4. Update the "Start your API" step to run your API in the background before # starting the Mayhem for API scan, and update the `api-url` & `api-spec` @@ -51,10 +49,10 @@ jobs: run: ./run_your_api.sh & # <- ✏️ update this - name: Mayhem for API - uses: ForAllSecure/mapi-action@193b709971cc377675e33284aecbf9229853e010 + uses: ForAllSecure/mapi-action@v1 continue-on-error: true with: - mapi-token: ${{ secrets.MAPI_TOKEN }} + mayhem-token: ${{ secrets.MAYHEM_TOKEN }} api-url: http://localhost:8080 # <- ✏️ update this api-spec: http://localhost:8080/openapi.json # <- ✏️ update this duration: 60 From 39131434ed4bd7dcf8071fc2faaaa0ef8a23c4eb Mon Sep 17 00:00:00 2001 From: Cory Miller <13227161+cory-miller@users.noreply.github.com> Date: Wed, 22 May 2024 10:25:41 -0400 Subject: [PATCH 037/104] Fix typo in grade starter workflow --- ci/gradle.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/gradle.yml b/ci/gradle.yml index 65a332b..74dffb5 100644 
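Review bot: `uses: ForAllSecure/mapi-action@v1` replaces a full commit SHA with a floating major tag, a regression from the pinning practice the rest of this repository follows (see the `ruby/setup-ruby` and `sigstore/cosign-installer` pins in this series); a moving tag lets the action's code change under the workflow without review, which matters for a step that receives `MAYHEM_TOKEN`. Pin it to the commit of the release you tested and keep the tag as a comment, e.g. `uses: ForAllSecure/mapi-action@<sha> # v1.x`. The secret rename from `MAPI_TOKEN` to `MAYHEM_TOKEN` is explained in the updated setup comment, but note that the pre-existing `continue-on-error: true` means a missing token will not fail the job, so users migrating should check the step log rather than the job status.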
--- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -28,7 +28,7 @@ jobs: java-version: '17' distribution: 'temurin' - # Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies. + # Configure Gradle for optimal use in GitHub Actions, including caching of downloaded dependencies. # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md - name: Setup Gradle uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 From 61d42c9d0c8d4a398799a581eb6ce48ca742a2bc Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Thu, 30 May 2024 09:34:08 -0700 Subject: [PATCH 038/104] Update cosign versions --- ci/docker-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 8a042a5..f8e709f 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -41,9 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 + uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0 with: - cosign-release: 'v2.1.1' + cosign-release: 'v2.2.4' # Set up BuildKit Docker container builder to be able to build # multi-platform images and export cache From de925c96d94d3e63cbeb7ff809d8ec64fc331c3b Mon Sep 17 00:00:00 2001 From: yahavi Date: Sat, 1 Jun 2024 18:57:06 +0300 Subject: [PATCH 039/104] Frogbot: Update to 2.21.0 --- code-scanning/frogbot-scan-and-fix.yml | 10 +++------- code-scanning/frogbot-scan-pr.yml | 14 +++++--------- 2 files changed, 8 insertions(+), 16 deletions(-) diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 62eb9ec..549ef8c 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml 
@@ -5,9 +5,9 @@ # Frogbot Scan and Fix does the following: # Automatically creates pull requests with fixes for vulnerable project dependencies. # Uses JFrog Xray to scan the project. -# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot +# Read more about Frogbot here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot -# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md +# Some projects require creating a frogbot-config.yml file. Read more about it here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration name: "Frogbot Scan and Fix" on: @@ -23,11 +23,7 @@ jobs: steps: - uses: actions/checkout@v4 - # IMPORTANT: - # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix - # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md - - - uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0 + - uses: jfrog/frogbot@d01623d0fc8de585c21225f55842f2d2c45cf094 # v2.21.0 env: # [Mandatory if the two conditions below are met] # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index a2e29fa..465405c 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml 
@@ -5,9 +5,9 @@ # Frogbot Scan Pull Request does the following: # Automatically scans new pull requests for security vulnerabilities. # Uses JFrog Xray to scan the project. -# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot +# Read more about Frogbot here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot -# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md +# Some projects require creating a frogbot-config.yml file. Read more about it here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration name: "Frogbot Scan Pull Request" on: 
@@ -21,18 +21,14 @@ jobs: runs-on: ubuntu-latest # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the # "frogbot" GitHub environment can approve the pull request to be scanned. - # Read more here (Install Frogbot Using GitHub Actions): https://github.com/jfrog/frogbot/blob/master/docs/install-github.md + # Read more here (Install Frogbot Using GitHub Actions): https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/setup-frogbot-using-github-actions environment: frogbot steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} - # IMPORTANT: - # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix - # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md - - - uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0 + - uses: jfrog/frogbot@d01623d0fc8de585c21225f55842f2d2c45cf094 # v2.21.0 env: # [Mandatory if the two conditions below are met] # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies From 74366efdcd18a2e2f16bf04acdafd8c38625014e Mon Sep 17 00:00:00 2001 From: Antoine Do Nascimento Date: Mon, 3 Jun 2024 17:26:02 +0200 Subject: [PATCH 040/104] Update DataDog/synthetics-ci-github-action workflow --- ci/datadog-synthetics.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/datadog-synthetics.yml b/ci/datadog-synthetics.yml index 7056f87..28a07c7 100644 --- a/ci/datadog-synthetics.yml +++ b/ci/datadog-synthetics.yml 
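Review bot: The new side still checks out `ref: ${{ github.event.pull_request.head.sha }}` and then runs `jfrog/frogbot` with the credentials in the `env:` block that follows (cut off at the end of the hunk), so if the trigger in the `on:` block outside this hunk is `pull_request_target`, the `environment: frogbot` line is the only thing standing between a fork's code and those secrets. The comment above it describes the approval flow but not its precondition; suggest adding `# The "frogbot" environment must have required reviewers configured, otherwise this step runs for any pull request without approval.` Also, `actions/checkout@v4` is a floating tag while `jfrog/frogbot` on the next changed line is pinned to a commit with a version trailer; pinning both the same way keeps the template consistent.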
@@ -29,7 +29,7 @@ jobs: # Run Synthetic tests within your GitHub workflow. # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci - name: Run Datadog Synthetic tests - uses: DataDog/synthetics-ci-github-action@2b56dc0cca9daa14ab69c0d1d6844296de8f941e + uses: DataDog/synthetics-ci-github-action@c36b031081c29b54513d7faba468ddd5b248baf3 # v1.4.0 with: api_key: ${{secrets.DD_API_KEY}} app_key: ${{secrets.DD_APP_KEY}} From 9f1db534549e072c20d5d1a79e0a4ff45a674caf Mon Sep 17 00:00:00 2001 From: Antoine Vinot Date: Mon, 3 Jun 2024 20:58:42 +0200 Subject: [PATCH 041/104] Update sonarcloud.yml after latest release of the action (#2405) Co-authored-by: Alexis Abril --- code-scanning/sonarcloud.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 41075e4..0e7f274 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -46,13 +46,12 @@ jobs: - name: Analyze with SonarCloud # You can pin the exact commit or the version. - # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 - uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 + # uses: SonarSource/sonarcloud-github-action@v2.2.0 + uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) with: - # Additional arguments for the sonarcloud scanner + # Additional arguments for the SonarScanner CLI args: # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu) # mandatory 
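Review bot: In the sonarcloud.yml hunk, the live `uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216` line carries no version trailer, so a reader has to trust the commented-out `v2.2.0` line above it to know what the SHA is supposed to be, whereas the other pins on this page write `@<sha> # vX.Y.Z`. Suggest `uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216 # v2.2.0` after confirming the SHA resolves to that tag. Dropping `GITHUB_TOKEN` also removes the "Needed to get PR information" note without a replacement; if the newer action no longer needs it for PR decoration, a one-line comment saying so would stop users from adding it back.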
@@ -60,9 +59,9 @@ jobs:
 -Dsonar.organization=
 # Comma-separated paths to directories containing main source files.
 #-Dsonar.sources= # optional, default is project base directory
- # When you need the analysis to take place in a directory other than the one from which it was launched
- #-Dsonar.projectBaseDir= # optional, default is .
 # Comma-separated paths to directories containing test source files.
 #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
 # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
 #-Dsonar.verbose= # optional, default is false
+ # When you need the analysis to take place in a directory other than the one from which it was launched, default is .
+ projectBaseDir: .
From 5a11e5968cb905fe46c844bb8147628cfe226f40 Mon Sep 17 00:00:00 2001
From: Jamie McCarthy
Date: Sat, 8 Jun 2024 11:47:24 -0400
Subject: [PATCH 042/104] Reference latest ruby/setup-ruby (1.179.1) with commit hash
Can build ruby 3.1.6 and 3.3.2
---
 ci/rubyonrails.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml
index b976f3f..f3177e2 100644
--- a/ci/rubyonrails.yml
+++ b/ci/rubyonrails.yml
@@ -30,7 +30,7 @@ jobs:
 uses: actions/checkout@v4
 # Add or replace dependency steps here
 - name: Install Ruby and gems
- uses: ruby/setup-ruby@1198b074305f9356bd56dd4b311757cc0dab2f1c # v1.175.1
+ uses: ruby/setup-ruby@78c01b705fd9d5ad960d432d3a0cfa341d50e410 # v1.179.1
 with:
 bundler-cache: true
 # Add or replace database setup steps here
@@ -46,7 +46,7 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v4
 - name: Install Ruby and gems
- uses: ruby/setup-ruby@1198b074305f9356bd56dd4b311757cc0dab2f1c # v1.175.1
+ uses: ruby/setup-ruby@78c01b705fd9d5ad960d432d3a0cfa341d50e410 # v1.179.1
 with:
 bundler-cache: true
 # Add or replace any other lints here
From 0321f5f585a59bc25d0a7885165edf7f63b2d2f2 Mon Sep 17 00:00:00 2001
From: Jamie McCarthy
Date: Sat, 8 Jun 2024 12:19:48 -0400
Subject: [PATCH 043/104] Run lint with binstubs
---
 ci/rubyonrails.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml
index f3177e2..ad3ac88 100644
--- a/ci/rubyonrails.yml
+++ b/ci/rubyonrails.yml
@@ -49,10 +49,12 @@ jobs:
 uses: ruby/setup-ruby@78c01b705fd9d5ad960d432d3a0cfa341d50e410 # v1.179.1
 with:
 bundler-cache: true
+ - name: Generate binstubs
+ run: bundle binstubs bundler-audit brakeman rubocop
 # Add or replace any other lints here
 - name: Security audit dependencies
- run: bundle exec bundle-audit --update
+ run: bin/bundler-audit --update
 - name: Security audit application code
- run: bundle exec brakeman -q -w2
+ run: bin/brakeman -q -w2
 - name: Lint Ruby files
- run: bundle exec rubocop --parallel
+ run: bin/rubocop --parallel
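Review bot: The new `run: bundle binstubs bundler-audit brakeman rubocop` step in the second hunk assumes all three gems are in the application's bundle; `bundle binstubs` errors on a gem it cannot find, so the template fails outright on an app whose Gemfile does not list, say, `bundler-audit`. Suggest a comment above the step, `# Requires bundler-audit, brakeman and rubocop in the Gemfile (e.g. in the development group)`, so users know what the step needs before it runs. The dependency-audit step is now invoked as `bin/bundler-audit`, while PATCH 002 earlier on this page deliberately chose the `bundle-audit` spelling; it is worth confirming that the binstub generated for the `bundler-audit` gem actually has that name, or the step will fail with a missing file.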
@@ -20,7 +20,8 @@ env:
 AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions
 REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1
 TEMPLATE_PATH: FILE_PATH_TO_CFN_TEMPLATE # set to the file path to the CloudFormation template.
- ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
+ ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
+ RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
 REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's file path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
 REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
 jobs:
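Review bot: The `AWS_ROLE` comment in this hunk still lists only `access-analyzer:ValidatePolicy`, `access-analyzer:CheckNoNewAccess` and `access-analyzer:CheckAccessNotGranted`, but the same commit adds a `CHECK_NO_PUBLIC_ACCESS` step at the end of this file and of `policy-validator-tf.yaml` (whose `env:` hunk carries the same comment), so a role scoped from this comment would presumably be denied on the new step. Suggest extending it in both files: `... access-analyzer:CheckAccessNotGranted, access-analyzer:CheckNoPublicAccess and can be used in GitHub actions`. The new `RESOURCES` placeholder is also forwarded to the CheckAccessNotGranted step alongside `ACTIONS`, so a user who needs only one of them has to clear or remove the other placeholder or the literal `MY_LIST_OF_RESOURCES` is sent; the comment says "One of ... is required" but could add `# leave empty or remove if not used`.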
@@ -45,7 +46,7 @@ jobs:
 # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
 - name: Run AWS AccessAnalyzer ValidatePolicy check
 id: run-aws-validate-policy
- uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
+ uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
 with:
 policy-check-type: "VALIDATE_POLICY"
 template-path: ${{ env.TEMPLATE_PATH}}
@@ -57,11 +58,12 @@ jobs:
 # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
 - name: Run AWS AccessAnalyzer CheckAccessNotGranted check
 id: run-aws-check-access-not-granted
- uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
+ uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
 with:
 policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
 template-path: ${{ env.TEMPLATE_PATH}}
 actions: ${{ env.ACTIONS }}
+ resources: ${{ env.RESOURCES }}
 region: ${{ env.REGION }}
 # Print result from CHECK_ACCESS_NOT_GRANTED check
 - name: Print the result for CheckAccessNotGranted check
@@ -71,14 +73,26 @@ jobs:
 # reference-policy is stored in GitHub secrets
 - name: Run AWS AccessAnalyzer CheckNoNewAccess check
 id: run-aws-check-no-new-access
- uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
+ uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
 with:
 policy-check-type: "CHECK_NO_NEW_ACCESS"
 template-path: ${{ env.TEMPLATE_PATH}}
- reference-policy: ${{ env.REFERENCE }}
+ reference-policy: ${{ env.REFERENCE_POLICY }}
 reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }}
 region: ${{env.REGION }}
 # Print result from CHECK_NO_NEW_ACCESS check
 - name: Print the result for CheckNoNewAccess check
 if: success() || failure()
 run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
+ # Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
+ - name: Run AWS AccessAnalyzer CheckNoPublicAccess check
+ id: run-aws-check-no-public-access
+ uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
+ with:
+ policy-check-type: "CHECK_NO_PUBLIC_ACCESS"
+ template-path: ${{ env.TEMPLATE_PATH }}
+ region: ${{ env.REGION }}
+ # Print result from CHECK_NO_PUBLIC_ACCESS check
+ - name: Print the result for CheckNoPublicAccess check
+ if: success() || failure()
+ run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}"
diff --git a/code-scanning/policy-validator-tf.yaml b/code-scanning/policy-validator-tf.yaml
index 1ca77b5..07f884f 100644
--- a/code-scanning/policy-validator-tf.yaml
+++ b/code-scanning/policy-validator-tf.yaml
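Review bot: The new CheckNoPublicAccess step writes its expressions as `${{ env.TEMPLATE_PATH }}` and `${{ env.REGION }}`, while the CheckNoNewAccess step in the same hunk keeps `${{ env.TEMPLATE_PATH}}` and `${{env.REGION }}`; both forms evaluate identically, but a starter template's spacing gets copied verbatim by every user. Since this commit already edits the `uses:` and `reference-policy:` lines of that step, normalising the two older expressions to `template-path: ${{ env.TEMPLATE_PATH }}` and `region: ${{ env.REGION }}` would be cheap here.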
@@ -21,7 +21,8 @@ env:
 AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions
 REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1
 TEMPLATE_PATH: FILE_PATH_TO_THE_TF_PLAN # set this to the file path to the terraform plan in JSON
- ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
+ ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
+ RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
 REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
 REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
@@ -48,7 +49,7 @@ jobs:
 # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
 - name: Run AWS AccessAnalyzer ValidatePolicy check
 id: run-aws-validate-policy
- uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0
+ uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
 with:
 policy-check-type: "VALIDATE_POLICY"
 template-path: ${{ env.TEMPLATE_PATH }}
@@ -60,11 +61,12 @@ jobs:
 # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
 - name: Run AWS AccessAnalyzer CheckAccessNotGranted check
 id: run-aws-check-access-not-granted
- uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0
+ uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
 with:
 policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
 template-path: ${{ env.TEMPLATE_PATH }}
 actions: ${{ env.ACTIONS }}
+ resources: ${{ env.RESOURCES }}
 region: ${{ env.REGION }}
 # Print result from CHECK_ACCESS_NOT_GRANTED check
 - name: Print the result for CheckAccessNotGranted check
@@ -74,7 +76,7 @@ jobs:
 # reference-policy is stored in GitHub secrets
 - name: Run AWS AccessAnalyzer CheckNoNewAccess check
 id: run-aws-check-no-new-access
- uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0
+ uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
 with:
 policy-check-type: "CHECK_NO_NEW_ACCESS"
 template-path: ${{ env.TEMPLATE_PATH }}
@@ -85,3 +87,15 @@ jobs: - name: Print the result CheckNoNewAccess check if: success() || failure() run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}" + # Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer CheckNoPublicAccess check + id: run-aws-check-no-public-access + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 + with: + policy-check-type: "CHECK_NO_PUBLIC_ACCESS" + template-path: ${{ env.TEMPLATE_PATH }} + region: ${{ env.REGION }} + # Print result from CHECK_NO_PUBLIC_ACCESS check + - name: Print the result for CheckNoPublicAccess check + if: success() || failure() + run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}" From dc63c580c6738d293a9448f43221325cbe050570 Mon Sep 17 00:00:00 2001 From: Inaki Villar Date: Fri, 21 Jun 2024 11:33:35 -0700 Subject: [PATCH 045/104] Update for gradle/actions@v3.4.2 release --- ci/gradle-publish.yml | 2 +- ci/gradle.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 2af4616..4f36680 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -30,7 +30,7 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Setup Gradle - uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 - name: Build with Gradle run: ./gradlew build diff --git a/ci/gradle.yml b/ci/gradle.yml index 74dffb5..eb756d0 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml 
@@ -31,7 +31,7 @@ jobs: # Configure Gradle for optimal use in GitHub Actions, including caching of downloaded dependencies. # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md - name: Setup Gradle - uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 - name: Build with Gradle Wrapper run: ./gradlew build @@ -40,7 +40,7 @@ jobs: # If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version. # # - name: Setup Gradle - # uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + # uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 # with: # gradle-version: '8.5' # @@ -64,4 +64,4 @@ jobs: # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md - name: Generate and submit dependency graph - uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + uses: gradle/actions/dependency-submission@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 From eb0381de25dd68ef86956335a0f1edb9521591b7 Mon Sep 17 00:00:00 2001 From: yahavi Date: Fri, 28 Jun 2024 15:56:30 +0300 Subject: [PATCH 046/104] Update to 2.21.2 --- code-scanning/frogbot-scan-and-fix.yml | 2 +- code-scanning/frogbot-scan-pr.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 549ef8c..12f8011 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml 
@@ -23,7 +23,7 @@ jobs: steps: - uses: actions/checkout@v4 - - uses: jfrog/frogbot@d01623d0fc8de585c21225f55842f2d2c45cf094 # v2.21.0 + - uses: jfrog/frogbot@5d9c42c30f1169d8be4ba5510b40e75ffcbbc2a9 # v2.21.2 env: # [Mandatory if the two conditions below are met] # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index 465405c..badcef0 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml @@ -28,7 +28,7 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} - - uses: jfrog/frogbot@d01623d0fc8de585c21225f55842f2d2c45cf094 # v2.21.0 + - uses: jfrog/frogbot@5d9c42c30f1169d8be4ba5510b40e75ffcbbc2a9 # v2.21.2 env: # [Mandatory if the two conditions below are met] # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies From 46555797bbd57e663e8505f781c0c4576563c28a Mon Sep 17 00:00:00 2001 From: Antoine Do Nascimento <78449051+AntoineDona@users.noreply.github.com> Date: Fri, 28 Jun 2024 15:00:32 +0200 Subject: [PATCH 047/104] Fix wrong hash --- ci/datadog-synthetics.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/datadog-synthetics.yml b/ci/datadog-synthetics.yml index 28a07c7..0ea0678 100644 --- a/ci/datadog-synthetics.yml +++ b/ci/datadog-synthetics.yml @@ -29,7 +29,7 @@ jobs: # Run Synthetic tests within your GitHub workflow. # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci - name: Run Datadog Synthetic tests - uses: DataDog/synthetics-ci-github-action@c36b031081c29b54513d7faba468ddd5b248baf3 # v1.4.0 + uses: DataDog/synthetics-ci-github-action@87b505388a22005bb8013481e3f73a367b9a53eb # v1.4.0 with: api_key: ${{secrets.DD_API_KEY}} app_key: ${{secrets.DD_APP_KEY}} From e6a84878775b73145774535516f255f521cfc68f Mon Sep 17 00:00:00 2001 
From: Joe Mooring
Date: Fri, 28 Jun 2024 13:52:35 -0700
Subject: [PATCH 048/104] pages: Update Hugo workflow
- Bump version
- Set cache directory
- Remove outdated environment variable
---
 pages/hugo.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/pages/hugo.yml b/pages/hugo.yml
index 141ad91..b4f316a 100644
--- a/pages/hugo.yml
+++ b/pages/hugo.yml
@@ -31,7 +31,7 @@ jobs:
 build:
 runs-on: ubuntu-latest
 env:
- HUGO_VERSION: 0.124.1
+ HUGO_VERSION: 0.128.0
 steps:
 - name: Install Hugo CLI
 run: |
@@ -50,9 +50,8 @@ jobs:
 run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true"
 - name: Build with Hugo
 env:
- # For maximum backward compatibility with Hugo modules
+ HUGO_CACHEDIR: ${{ runner.temp }}/hugo_cache
 HUGO_ENVIRONMENT: production
- HUGO_ENV: production
 run: |
 hugo \
 --minify \
From 763a1a60f8e6b874e2ebd4bbb9203789caaecd3a Mon Sep 17 00:00:00 2001
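Review bot: `HUGO_CACHEDIR: ${{ runner.temp }}/hugo_cache` in the second hunk points Hugo's cache at a runner-local temp directory, but nothing in this hunk persists that directory across runs, so as written it relocates the cache rather than enabling one; if cross-run caching is what "Set cache directory" intends, an `actions/cache` step keyed on the Hugo version would be needed, and if not, a comment such as `# Keep Hugo's cache out of the workspace` would make the purpose clear. The removed `HUGO_ENV: production` line took its "For maximum backward compatibility with Hugo modules" rationale with it; if Hugo 0.128.0 no longer reads that variable, a one-line note saying so would stop the next reader from re-adding it. The build job continues outside the hunk.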
From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 25 Apr 2024 13:24:02 -0400 Subject: [PATCH 049/104] Upload-Sarif: Update all workflows to use Upload-Sarif V3 --- code-scanning/anchore.yml | 2 +- code-scanning/apisec-scan.yml | 2 +- code-scanning/bearer.yml | 2 +- code-scanning/brakeman.yml | 2 +- code-scanning/checkmarx-one.yml | 2 +- code-scanning/checkmarx.yml | 2 +- code-scanning/clj-holmes.yml | 2 +- code-scanning/clj-watson.yml | 2 +- code-scanning/cloudrail.yml | 2 +- code-scanning/codacy.yml | 2 +- code-scanning/codescan.yml | 2 +- code-scanning/contrast-scan.yml | 2 +- code-scanning/credo.yml | 2 +- code-scanning/datree.yml | 2 +- code-scanning/defender-for-devops.yml | 2 +- code-scanning/detekt.yml | 2 +- code-scanning/devskim.yml | 2 +- code-scanning/endorlabs.yml | 2 +- code-scanning/eslint.yml | 2 +- code-scanning/ethicalcheck.yml | 2 +- code-scanning/flawfinder.yml | 2 +- code-scanning/hadolint.yml | 2 +- code-scanning/kubesec.yml | 2 +- code-scanning/lintr.yml | 2 +- code-scanning/mayhem-for-api.yml | 2 +- code-scanning/mobsf.yml | 2 +- code-scanning/msvc.yml | 2 +- code-scanning/njsscan.yml | 2 +- code-scanning/nowsecure.yml | 2 +- code-scanning/ossar.yml | 2 +- code-scanning/phpmd.yml | 2 +- code-scanning/pmd.yml | 2 +- code-scanning/powershell.yml | 2 +- code-scanning/prisma.yml | 2 +- code-scanning/psalm.yml | 2 +- code-scanning/puppet-lint.yml | 2 +- code-scanning/rubocop.yml | 2 +- code-scanning/rust-clippy.yml | 2 +- code-scanning/scorecard.yml | 2 +- code-scanning/securitycodescan.yml | 2 +- code-scanning/semgrep.yml | 2 +- code-scanning/snyk-container.yml | 2 +- code-scanning/snyk-infrastructure.yml | 2 +- code-scanning/snyk-security.yml | 2 +- code-scanning/sobelow.yml | 2 +- code-scanning/synopsys-io.yml | 2 +- code-scanning/sysdig-scan.yml | 2 +- code-scanning/tfsec.yml | 2 +- code-scanning/trivy.yml | 2 +- code-scanning/veracode.yml | 2 +- code-scanning/xanitizer.yml | 2 +- code-scanning/zscaler-iac-scan.yml | 2 +- 
code-scanning/zscan.yml | 2 +- 53 files changed, 53 insertions(+), 53 deletions(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 2bbc55e..8ada351 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -43,6 +43,6 @@ jobs: fail-build: true severity-cutoff: critical - name: Upload vulnerability report - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.scan.outputs.sarif }} diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 34defa9..f425ca8 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -66,6 +66,6 @@ jobs: # The name of the sarif format result file The file is written only if this property is provided. sarif-result-file: "apisec-results.sarif" - name: Import results - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ./apisec-results.sarif diff --git a/code-scanning/bearer.yml b/code-scanning/bearer.yml index 7971be9..b384d82 100644 --- a/code-scanning/bearer.yml +++ b/code-scanning/bearer.yml @@ -38,6 +38,6 @@ jobs: exit-code: 0 # Upload SARIF file generated in previous step - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index 0d1cb05..38e572c 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -53,6 +53,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: output.sarif.json diff --git a/code-scanning/checkmarx-one.yml b/code-scanning/checkmarx-one.yml index 7feeb25..ae326bd 100644 --- a/code-scanning/checkmarx-one.yml +++ b/code-scanning/checkmarx-one.yml 
@@ -49,7 +49,7 @@ jobs: cx_tenant: ${{ secrets.CX_TENANT }} # This should be replaced by your tenant for Checkmarx One additional_params: --report-format sarif --output-path . - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository sarif_file: cx_result.sarif diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index b4a99f3..5406860 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -50,6 +50,6 @@ jobs: params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }} # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: cx.sarif diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index 87f11cb..2d919a5 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml @@ -38,7 +38,7 @@ jobs: fail-on-result: 'false' - name: Upload analysis results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{github.workspace}}/clj-holmes-results.sarif wait-for-processing: true diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml index 59bfd41..b0a7443 100644 --- a/code-scanning/clj-watson.yml +++ b/code-scanning/clj-watson.yml @@ -48,7 +48,7 @@ jobs: fail-on-result: false - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{github.workspace}}/clj-watson-results.sarif wait-for-processing: true \ No newline at end of file 
diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml index 8273881..846c43d 100644 --- a/code-scanning/cloudrail.yml +++ b/code-scanning/cloudrail.yml @@ -50,7 +50,7 @@ jobs: cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 # Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always() # is needed to ensure the SARIF file is uploaded if: always() diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index c3cd9f5..2f2acc3 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -56,6 +56,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index c4858c6..cb338df 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -44,6 +44,6 @@ jobs: organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }} projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: codescan.sarif diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml index 1950d3a..197779f 100644 --- a/code-scanning/contrast-scan.yml +++ b/code-scanning/contrast-scan.yml @@ -48,6 +48,6 @@ jobs: authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} #Upload the results to GitHub - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output 
diff --git a/code-scanning/credo.yml b/code-scanning/credo.yml index 8c8c8be..5a322a4 100644 --- a/code-scanning/credo.yml +++ b/code-scanning/credo.yml @@ -55,7 +55,7 @@ jobs: - name: credo-scan run: mix credo --format=sarif > credo_output.sarif - name: upload sarif - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository sarif_file: credo_output.sarif diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml index a892cf8..a98eabe 100644 --- a/code-scanning/datree.yml +++ b/code-scanning/datree.yml @@ -42,6 +42,6 @@ jobs: # Setting a SARIF output will generate a file named "datree.sarif" containing your test results cliArguments: "-o sarif" - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: datree.sarif diff --git a/code-scanning/defender-for-devops.yml b/code-scanning/defender-for-devops.yml index 07aa7d1..59eaaa7 100644 --- a/code-scanning/defender-for-devops.yml +++ b/code-scanning/defender-for-devops.yml @@ -42,6 +42,6 @@ jobs: uses: microsoft/security-devops-action@v1.6.0 id: msdo - name: Upload results to Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.msdo.outputs.sarifFile }} diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index 76a116b..2d6293b 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml @@ -111,7 +111,7 @@ jobs: )" > ${{ github.workspace }}/detekt.sarif.json # Uploads results to GitHub repository using the upload-sarif action - - uses: github/codeql-action/upload-sarif@v2 + - uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository sarif_file: ${{ github.workspace }}/detekt.sarif.json 
diff --git a/code-scanning/devskim.yml b/code-scanning/devskim.yml index 98daab8..794986a 100644 --- a/code-scanning/devskim.yml +++ b/code-scanning/devskim.yml @@ -29,6 +29,6 @@ jobs: uses: microsoft/DevSkim-Action@v1 - name: Upload DevSkim scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: devskim-results.sarif diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index 670fe62..7f3951a 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml @@ -46,6 +46,6 @@ jobs: ci_run: "false" sarif_file: findings.sarif - name: Upload SARIF to github - uses: github/codeql-action/upload-sarif@9885f86fab4879632b7e44514f19148225dfbdcd + uses: github/codeql-action/upload-sarif@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3.25.2 with: sarif_file: findings.sarif diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml index 876ea2b..7304e83 100644 --- a/code-scanning/eslint.yml +++ b/code-scanning/eslint.yml @@ -44,7 +44,7 @@ jobs: continue-on-error: true - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: eslint-results.sarif wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/ethicalcheck.yml b/code-scanning/ethicalcheck.yml index a68d0a2..fac8a74 100644 --- a/code-scanning/ethicalcheck.yml +++ b/code-scanning/ethicalcheck.yml @@ -63,7 +63,7 @@ jobs: sarif-result-file: "ethicalcheck-results.sarif" - name: Upload sarif file to repository - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ./ethicalcheck-results.sarif diff --git a/code-scanning/flawfinder.yml b/code-scanning/flawfinder.yml index d564b68..d3898b6 100644 --- a/code-scanning/flawfinder.yml +++ b/code-scanning/flawfinder.yml 
@@ -33,6 +33,6 @@ jobs: output: 'flawfinder_results.sarif' - name: Upload analysis results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{github.workspace}}/flawfinder_results.sarif \ No newline at end of file diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml index 2d901a4..eacbabb 100644 --- a/code-scanning/hadolint.yml +++ b/code-scanning/hadolint.yml @@ -41,7 +41,7 @@ jobs: no-fail: true - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: hadolint-results.sarif wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml index 98fd8e0..750acc7 100644 --- a/code-scanning/kubesec.yml +++ b/code-scanning/kubesec.yml @@ -36,6 +36,6 @@ jobs: exit-code: "0" - name: Upload Kubesec scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: kubesec-results.sarif \ No newline at end of file diff --git a/code-scanning/lintr.yml b/code-scanning/lintr.yml index 01ce719..7bb83e3 100644 --- a/code-scanning/lintr.yml +++ b/code-scanning/lintr.yml @@ -49,7 +49,7 @@ jobs: continue-on-error: true - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: lintr-results.sarif wait-for-processing: true diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml index 9e533fe..93b0dd2 100644 --- a/code-scanning/mayhem-for-api.yml +++ b/code-scanning/mayhem-for-api.yml @@ -61,6 +61,6 @@ jobs: sarif-report: mapi.sarif - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: mapi.sarif 
diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 9f876ae..05e014e 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -38,6 +38,6 @@ jobs: args: . --sarif --output results.sarif || true - name: Upload mobsfscan report - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 0700989..b8469de 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -54,7 +54,7 @@ jobs: # Upload SARIF file to GitHub Code Scanning Alerts - name: Upload SARIF to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.run-analysis.outputs.sarif }} diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index 8062259..767b967 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -37,6 +37,6 @@ jobs: with: args: '. --sarif --output results.sarif || true' - name: Upload njsscan report - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/code-scanning/nowsecure.yml b/code-scanning/nowsecure.yml index 324a533..5cb6c29 100644 --- a/code-scanning/nowsecure.yml +++ b/code-scanning/nowsecure.yml @@ -47,6 +47,6 @@ jobs: group_id: {{ groupId }} # Update this to your desired Platform group ID - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: NowSecure.sarif diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index ad46e1d..1c7a6d9 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -51,6 +51,6 @@ jobs: # Upload results to the Security tab - name: Upload OSSAR results - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.ossar.outputs.sarifFile }} 
diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml index 58ca4f8..5ceaabc 100644 --- a/code-scanning/phpmd.yml +++ b/code-scanning/phpmd.yml @@ -51,7 +51,7 @@ jobs: continue-on-error: true - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: phpmd-results.sarif wait-for-processing: true diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index ed5eec9..50524ae 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -38,6 +38,6 @@ jobs: sourcePath: 'src/main/java' analyzeModifiedFilesOnly: false - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: pmd-report.sarif diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index 52f65a0..216f1dc 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -44,6 +44,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 4b84b21..5461f5c 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -49,7 +49,7 @@ jobs: # The service need to know the type of IaC being scanned template_type: 'CFT' - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 # Results are generated only on a success or failure # this is required since GitHub by default won't run the next step # when the previous one has failed. diff --git a/code-scanning/psalm.yml b/code-scanning/psalm.yml index dddbfdd..a0563d9 100644 --- a/code-scanning/psalm.yml +++ b/code-scanning/psalm.yml 
@@ -33,6 +33,6 @@ jobs: uses: psalm/psalm-github-security-scan@f3e6fd9432bc3e44aec078572677ce9d2ef9c287 - name: Upload Security Analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml index e039085..014b0a0 100644 --- a/code-scanning/puppet-lint.yml +++ b/code-scanning/puppet-lint.yml @@ -49,7 +49,7 @@ jobs: continue-on-error: true - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: puppet-lint-results.sarif wait-for-processing: true diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml index feef351..a3e7af8 100644 --- a/code-scanning/rubocop.yml +++ b/code-scanning/rubocop.yml @@ -47,6 +47,6 @@ jobs: " - name: Upload Sarif output - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: rubocop.sarif diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml index 4f50c3e..e4b2508 100644 --- a/code-scanning/rust-clippy.yml +++ b/code-scanning/rust-clippy.yml @@ -49,7 +49,7 @@ jobs: continue-on-error: true - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: rust-clippy-results.sarif wait-for-processing: true diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index 162c788..d7474f9 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml 
@@ -68,6 +68,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 + uses: github/codeql-action/upload-sarif@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3.25.2 with: sarif_file: results.sarif diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml index 5d5e87b..58cb9c6 100644 --- a/code-scanning/securitycodescan.yml +++ b/code-scanning/securitycodescan.yml @@ -38,4 +38,4 @@ jobs: uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687 - name: Upload sarif - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index f21aa9a..bbf787a 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -43,7 +43,7 @@ jobs: # Upload SARIF file generated in previous step - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: semgrep.sarif if: always() diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index edbea1d..c485691 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml @@ -50,6 +50,6 @@ jobs: image: your/image-to-test args: --file=Dockerfile - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: snyk.sarif diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index a5605a3..f1466b2 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml 
@@ -49,6 +49,6 @@ jobs: # or `main.tf` for a Terraform configuration file file: your-file-to-test.yaml - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: snyk.sarif diff --git a/code-scanning/snyk-security.yml b/code-scanning/snyk-security.yml index 4941e00..8f23020 100644 --- a/code-scanning/snyk-security.yml +++ b/code-scanning/snyk-security.yml @@ -74,6 +74,6 @@ jobs: # Push the Snyk Code results into GitHub Code Scanning tab - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: snyk-code.sarif diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml index 6dd4ffe..cfbf1f4 100644 --- a/code-scanning/sobelow.yml +++ b/code-scanning/sobelow.yml @@ -36,6 +36,6 @@ jobs: - id: run-action uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912 - name: Upload report - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml index df50d9d..6e245d7 100644 --- a/code-scanning/synopsys-io.yml +++ b/code-scanning/synopsys-io.yml @@ -71,7 +71,7 @@ jobs: - name: Upload SARIF file if: ${{steps.prescription.outputs.sastScan == 'true' }} - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository sarif_file: workflowengine-results.sarif.json diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index c9a0edb..11fd8b7 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml 
@@ -55,7 +55,7 @@ jobs: # Sysdig inline scanner requires privileged rights run-as-user: root - - uses: github/codeql-action/upload-sarif@v2 + - uses: github/codeql-action/upload-sarif@v3 #Upload SARIF file if: always() with: diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 388fc37..c8ef49c 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -32,7 +32,7 @@ jobs: sarif_file: tfsec.sarif - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository sarif_file: tfsec.sarif diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index ec90221..7180f72 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -43,6 +43,6 @@ jobs: severity: 'CRITICAL,HIGH' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index 379493f..c1b9b33 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -53,7 +53,7 @@ jobs: uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be with: pipeline-results-json: results.json - - uses: github/codeql-action/upload-sarif@v2 + - uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository sarif_file: veracode-results.sarif diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 32c977e..0f96c5a 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -95,6 +95,6 @@ jobs: *-Findings-List.sarif # Uploads the findings into the GitHub code scanning alert section using the upload-sarif action - - uses: github/codeql-action/upload-sarif@v2 + - uses: github/codeql-action/upload-sarif@v3 with: sarif_file: Xanitizer-Findings-List.sarif 
diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml index 7a2fc00..523c495 100644 --- a/code-scanning/zscaler-iac-scan.yml +++ b/code-scanning/zscaler-iac-scan.yml @@ -51,6 +51,6 @@ jobs: #Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository. - name: Upload SARIF file if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }} - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }} diff --git a/code-scanning/zscan.yml b/code-scanning/zscan.yml index 018e473..9c9b303 100644 --- a/code-scanning/zscan.yml +++ b/code-scanning/zscan.yml @@ -55,6 +55,6 @@ jobs: app_file: app-release-unsigned.apk - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: Zimperium.sarif From 570cd926cd9d81217009010cf740cb6e18bf4267 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Mon, 29 Jul 2024 14:37:50 -0400 Subject: [PATCH 050/104] Switch github upload sarif to tag GitHub owed actions are allowed to use tags instead of SHAs Co-authored-by: Jacob Wallraff --- code-scanning/endorlabs.yml | 2 +- code-scanning/scorecard.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index 7f3951a..cea041d 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml @@ -46,6 +46,6 @@ jobs: ci_run: "false" sarif_file: findings.sarif - name: Upload SARIF to github - uses: github/codeql-action/upload-sarif@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3.25.2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: findings.sarif diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index d7474f9..b58ec1f 100644 
--- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml @@ -68,6 +68,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3.25.2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif From 47f69d786f0bb6108917098d195cd3a9ff64ee00 Mon Sep 17 00:00:00 2001 From: Jacob Wallraff Date: Tue, 30 Jul 2024 10:17:07 -0700 Subject: [PATCH 051/104] Revert "Artifacts: Update all workflows to use Artifacts V4" --- ci/dotnet-desktop.yml | 4 ++-- code-scanning/msvc.yml | 2 +- code-scanning/scorecard.yml | 2 +- code-scanning/xanitizer.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 4 ++-- deployments/azure-webapps-java-jar-gradle.yml | 4 ++-- deployments/azure-webapps-java-jar.yml | 4 ++-- deployments/azure-webapps-node.yml | 4 ++-- deployments/azure-webapps-php.yml | 4 ++-- deployments/azure-webapps-python.yml | 4 ++-- 10 files changed, 17 insertions(+), 17 deletions(-) diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index 400a721..ad99b56 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -109,7 +109,7 @@ jobs: # Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact - name: Upload build artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v3 with: - name: MSIX Package ${{ matrix.configuration }} + name: MSIX Package path: ${{ env.Wap_Project_Directory }}\AppPackages diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index b905ef8..0700989 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml 
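Review bot: Replacing the full-SHA pin with the mutable `v3` tag in scorecard.yml (and the same change in the endorlabs.yml hunk just before it) gives up the immutability that pinning by commit provides, even for a GitHub-owned action: the tag is re-pointed on every release, so the step silently runs whatever `v3` resolves to next. This is the one starter where that matters most, since OSSF Scorecard's Pinned-Dependencies check reports action references that are not hash-pinned, so users copying the template verbatim will presumably see that check degrade on their own repository. The file also now mixes styles for GitHub-owned actions, as the `actions/upload-artifact` step in the same workflow (visible in the later revert hunk) stays SHA-pinned with a version comment. If the policy is that github/* actions may use tags, say so next to the step, e.g. `# GitHub-owned action: tag reference is accepted here; keep third-party actions SHA-pinned`, otherwise keep the previous form `uses: github/codeql-action/upload-sarif@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3.25.2` and let the hash be bumped by tooling.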
@@ -60,7 +60,7 @@ jobs: # Upload SARIF file as an Artifact to download and view # - name: Upload SARIF as an Artifact - # uses: actions/upload-artifact@v4 + # uses: actions/upload-artifact@v3 # with: # name: sarif-file # path: ${{ steps.run-analysis.outputs.sarif }} diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index 729d741..162c788 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml @@ -59,7 +59,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 with: name: SARIF file path: results.sarif diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 2fd110a..32c977e 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -87,7 +87,7 @@ jobs: license: ${{ secrets.XANITIZER_LICENSE }} # Archiving the findings list reports - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v3 with: name: Xanitizer-Reports path: | diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 64124e5..b4bfafb 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -59,7 +59,7 @@ jobs: run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp - name: Upload artifact for deployment job - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v3 with: name: .net-app path: ${{env.DOTNET_ROOT}}/myapp @@ -75,7 +75,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v3 with: name: .net-app 
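Review bot: The revert moves every artifact step back to the v3 major (here `actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20`, and likewise in the ci/dotnet-desktop.yml, msvc.yml, xanitizer.yml and deployments/azure-webapps-* hunks), while the commit message records no reason for undoing the v4 migration. GitHub has announced the deprecation of the v3 upload/download-artifact actions, so starters shipped on v3 will presumably start failing for the people who copy them once that deprecation is enforced. If v4 broke something specific, the dotnet-desktop hunk hints at what it was, since it also drops `${{ matrix.configuration }}` from the artifact name and v4 requires artifact names to be unique within a run; fixing that usage on v4 and stating the motivation in the message would be preferable to downgrading all ten files. The enclosing step lists continue outside each hunk, so any conflicting name collisions in the matrix jobs are not visible here.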
diff --git a/deployments/azure-webapps-java-jar-gradle.yml b/deployments/azure-webapps-java-jar-gradle.yml index a066d89..63a45cc 100644 --- a/deployments/azure-webapps-java-jar-gradle.yml +++ b/deployments/azure-webapps-java-jar-gradle.yml @@ -50,7 +50,7 @@ jobs: run: gradle build - name: Upload artifact for deployment job - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v3 with: name: java-app path: '${{ github.workspace }}/build/libs/*.jar' @@ -66,7 +66,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v3 with: name: java-app diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index f6c17a9..608fb8e 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -50,7 +50,7 @@ jobs: run: mvn clean install - name: Upload artifact for deployment job - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v3 with: name: java-app path: '${{ github.workspace }}/target/*.jar' @@ -66,7 +66,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v3 with: name: java-app diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index 891a7d6..147d4e6 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -49,7 +49,7 @@ jobs: npm run test --if-present - name: Upload artifact for deployment job - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v3 with: name: node-app path: . @@ -65,7 +65,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v3 with: name: node-app diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 3391c83..1182c2a 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml 
@@ -70,7 +70,7 @@ jobs: run: composer validate --no-check-publish && composer install --prefer-dist --no-progress - name: Upload artifact for deployment job - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v3 with: name: php-app path: . @@ -86,7 +86,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v3 with: name: php-app diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index e4868c4..656f95c 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -55,7 +55,7 @@ jobs: # Optional: Add step to run tests here (PyTest, Django test suites, etc.) - name: Upload artifact for deployment jobs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v3 with: name: python-app path: | @@ -73,7 +73,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v3 with: name: python-app path: . From a44a949b68865dda4900d885cfdf710a702ec3b5 Mon Sep 17 00:00:00 2001 From: Jacob Wallraff Date: Thu, 1 Aug 2024 15:19:04 -0700 Subject: [PATCH 052/104] Update labeler.yml for v5 --- .github/labeler.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/labeler.yml b/.github/labeler.yml index 2d04e26..fb08863 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -1,3 +1,4 @@ # Add 'code-scanning' label to any changes within 'code-scanning' folder or any subfolders code-scanning: -- code-scanning/**/* +- changed-files: + - any-glob-to-any-file: code-scanning/**/* From 9512b1a781279d0e720561e0cbdba5f1ed397216 Mon Sep 17 00:00:00 2001 From: Jacob Wallraff Date: Thu, 1 Aug 2024 15:42:06 -0700 Subject: [PATCH 053/104] Update stale.yml to only use workflow_dispatch --- .github/workflows/stale.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index ecdf037..f9f361d 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -1,8 +1,9 @@ name: Mark stale issues and pull requests on: - schedule: - - cron: "21 4 * * *" + workflow_dispatch: + # schedule: + # - cron: "21 4 * * *" jobs: stale: From a5047545ff35cae093b3c42b65804e6451fe615a Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Tue, 6 Aug 2024 01:11:49 -0400 Subject: [PATCH 054/104] Ubuntu-Latest: Update all workflows to use ubuntu-latest --- code-scanning/crda.yml | 2 +- code-scanning/devskim.yml | 2 +- code-scanning/kubesec.yml | 2 +- code-scanning/stackhawk.yml | 2 +- code-scanning/trivy.yml | 2 +- deployments/openshift.yml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/code-scanning/crda.yml b/code-scanning/crda.yml index 82610ac..011d80c 100644 --- a/code-scanning/crda.yml +++ b/code-scanning/crda.yml @@ -77,7 +77,7 @@ jobs: contents: read # for actions/checkout to fetch code security-events: write # for redhat-actions/crda to upload SARIF results name: Scan project vulnerabilities with CRDA - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest steps: - name: Check out repository diff --git a/code-scanning/devskim.yml b/code-scanning/devskim.yml index 794986a..69ae85e 100644 --- a/code-scanning/devskim.yml +++ b/code-scanning/devskim.yml @@ -16,7 +16,7 @@ on: jobs: lint: name: DevSkim - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest permissions: actions: read contents: read diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml index 750acc7..4f11399 100644 --- a/code-scanning/kubesec.yml +++ b/code-scanning/kubesec.yml @@ -17,7 +17,7 @@ on: jobs: lint: name: Kubesec - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest permissions: actions: read contents: read diff --git a/code-scanning/stackhawk.yml b/code-scanning/stackhawk.yml index cac0507..f1ceddb 100644 --- a/code-scanning/stackhawk.yml 
+++ b/code-scanning/stackhawk.yml @@ -46,7 +46,7 @@ jobs: contents: read # for actions/checkout to fetch code security-events: write # for stackhawk/hawkscan-action to upload code scanning alert info name: StackHawk - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index 7180f72..ca2fe88 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -24,7 +24,7 @@ jobs: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Build - runs-on: "ubuntu-20.04" + runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 diff --git a/deployments/openshift.yml b/deployments/openshift.yml index d6785c2..eed3934 100644 --- a/deployments/openshift.yml +++ b/deployments/openshift.yml @@ -77,7 +77,7 @@ jobs: # 🖊️ Uncomment this if you are using CRDA scan step above # needs: crda-scan name: Build and deploy to OpenShift - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest environment: production outputs: From fdb3717e44c9c423a0acf005ee67c5ffaa043eb5 Mon Sep 17 00:00:00 2001 From: daz Date: Wed, 7 Aug 2024 11:04:34 -0600 Subject: [PATCH 055/104] Update for `gradle/actions@v4.0.0` release - Bump version hashes to use `gradle/actions/setup-gradle@v4.0.0` - Bump version hash to use `gradle/actions/dependency-submission@v4.0.0` --- ci/gradle-publish.yml | 2 +- ci/gradle.yml | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 4f36680..20d17dc 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml 
@@ -30,7 +30,7 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Setup Gradle - uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 + uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0 - name: Build with Gradle run: ./gradlew build diff --git a/ci/gradle.yml b/ci/gradle.yml index eb756d0..40a40c1 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -31,7 +31,7 @@ jobs: # Configure Gradle for optimal use in GitHub Actions, including caching of downloaded dependencies. # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md - name: Setup Gradle - uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 + uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0 - name: Build with Gradle Wrapper run: ./gradlew build @@ -40,11 +40,11 @@ jobs: # If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version. # # - name: Setup Gradle - # uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 + # uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0 # with: - # gradle-version: '8.5' + # gradle-version: '8.9' # - # - name: Build with Gradle 8.5 + # - name: Build with Gradle 8.9 # run: gradle build dependency-submission: @@ -64,4 +64,4 @@ jobs: # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md - name: Generate and submit dependency graph - uses: gradle/actions/dependency-submission@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 + uses: gradle/actions/dependency-submission@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0 From af1bbdc4308b034a9d854df319a91d57b7664b5d Mon Sep 17 00:00:00 2001 
From: SOOS-GSteen Date: Fri, 16 Aug 2024 11:10:57 -0400 Subject: [PATCH 056/104] Update soos-dast-scan.yml hash (#2466) * Update soos-dast-scan.yml * Update soos-dast-scan.yml * Update soos-dast-scan.yml * Update soos-dast-scan.yml --- code-scanning/soos-dast-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index b3e470e..0d42c92 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -36,7 +36,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Analysis - uses: soos-io/soos-dast-github-action@a7f2cb2dfd143cb3224712d902ca0a1da0198ea9 + uses: soos-io/soos-dast-github-action@65d9878d77c8993f3db9e86a92bc2ad3a6e060af with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} From 83b6e98d43fce23a60eb247f3c165b79b3c60ad2 Mon Sep 17 00:00:00 2001 From: Michael Chernov <4ernovm@gmail.com> Date: Fri, 16 Aug 2024 18:16:20 +0300 Subject: [PATCH 057/104] Add Debricked starter workflow (#2107) * Add Debricked starter workflow * Add permissions section * Remove schedule * Fix review comments --------- Co-authored-by: Alexis Abril --- code-scanning/debricked.yml | 43 +++++++++++++++++++ .../properties/debricked.properties.json | 19 ++++++++ icons/debricked.svg | 3 ++ 3 files changed, 65 insertions(+) create mode 100644 code-scanning/debricked.yml create mode 100644 code-scanning/properties/debricked.properties.json create mode 100644 icons/debricked.svg diff --git a/code-scanning/debricked.yml b/code-scanning/debricked.yml new file mode 100644 index 0000000..79b0a07 --- /dev/null +++ b/code-scanning/debricked.yml 
@@ -0,0 +1,43 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +##################################################################################################################################################################### +# Use this workflow template as a basis for integrating Debricked into your GitHub workflows. # +# # +# If you need additional assistance with configuration feel free to contact us via chat or email at support@debricked.com # +# To learn more about Debricked or contact our team, visit https://debricked.com/ # +# # +# To run this workflow, complete the following set-up steps: # +# # +# 1. If you don’t have a Debricked account, create one by visiting https://debricked.com/app/en/register # +# 2. Generate your Debricked access token, by following the steps mentioned in https://portal.debricked.com/administration-47/how-do-i-generate-an-access-token-130 # +# 3. In GitHub, navigate to the repository # +# 4. Click on “Settings” (If you cannot see the “Settings” tab, select the dropdown menu, then click “Settings”) # +# 5. In the “Security” section click on “Secrets and variables”, then click “Actions” # +# 6. In the “Secrets” tab, click on “New repository secret” # +# 7. In the “Name” field, type the name of the secret # +# 8. In the “Secret” field, enter the value of the secret # +# 9. Click “Add secret” # +# 10. You should now be ready to use the workflow! 
# +##################################################################################################################################################################### + +name: Debricked Scan + +on: + push: + +permissions: + contents: read + +jobs: + vulnerabilities-scan: + name: Vulnerabilities scan + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + - uses: debricked/actions@v3 + env: + DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }} diff --git a/code-scanning/properties/debricked.properties.json b/code-scanning/properties/debricked.properties.json new file mode 100644 index 0000000..f669f09 --- /dev/null +++ b/code-scanning/properties/debricked.properties.json @@ -0,0 +1,19 @@ +{ + "name": "Debricked Scan", + "creator": "OpenText", + "description": "Integrate with Debricked's state of the art AI-powered Software Composition Analysis to automate your security.", + "iconName": "debricked", + "categories": [ + "Code Scanning", + "Python", + "JavaScript", + "Java", + "PHP", + "Ruby", + "Go", + "Rust", + "Swift", + "C#", + "Objective-C" + ] +} diff --git a/icons/debricked.svg b/icons/debricked.svg new file mode 100644 index 0000000..cb8a3d5 --- /dev/null +++ b/icons/debricked.svg @@ -0,0 +1,3 @@ + + + From 5ad49471fe52633f0a7355d1a085bdc6e1d66bcf Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 16 Aug 2024 12:58:55 -0400 Subject: [PATCH 058/104] Update ci/python-publish.yml Co-authored-by: Gagan Deep --- ci/python-publish.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index bf13220..165ac0a 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml 
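Review bot: Both `uses: actions/checkout@v4` and `uses: debricked/actions@v3` in the new `steps:` block are pinned only to floating major tags, while the other starter workflows touched in this series (gradle, google, python-publish) pin a full commit SHA with a `# vN` comment; a moved or force-pushed tag would run arbitrary code with `DEBRICKED_TOKEN` in its environment. Pin both to a commit SHA in the same style, e.g. `uses: debricked/actions@<full-commit-sha> # v3`. The set-up comment's step 7 says "type the name of the secret" without naming it, although the workflow reads `secrets.DEBRICKED_TOKEN`; change it to `# 7. In the "Name" field, type DEBRICKED_TOKEN`. The `permissions: contents: read` block is the right minimal grant for a scan-only job.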
@@ -63,4 +63,5 @@ jobs: - name: Publish release distributions to PyPI # To automatically get updates, change this to: # uses: pypa/gh-action-pypi-publish@release/v1 - uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 # v1.8.14 + uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # v1.9.0 + From ba125834f1f7cbe9a1e3d363b7b9c9f89e9f7413 Mon Sep 17 00:00:00 2001 From: Ian Lynagh Date: Tue, 20 Aug 2024 12:06:59 +0100 Subject: [PATCH 059/104] CodeQL: Remove Swift 2h timeout Spurious intermittent timeouts are no longer expected on Swift. --- code-scanning/codeql.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 655fc59..3e48389 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -28,7 +28,6 @@ jobs: # - https://gh.io/using-larger-runners (GitHub.com only) # Consider using larger runners or machines with greater resources for possible analysis time improvements. runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} - timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} permissions: # required for all workflows security-events: write From 26ad7a75496845c3b4e74d113ff8f6f645fa871b Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 20 Aug 2024 13:39:26 -0400 Subject: [PATCH 060/104] Update ci/python-publish.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sviatoslav Sydorenko (Святослав Сидоренко) --- ci/python-publish.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 165ac0a..72fdda2 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml 
@@ -52,6 +52,10 @@ jobs: name: pypi # OPTIONAL: uncomment and update to include your PyPI project URL in the deployment status: # url: https://pypi.org/p/YOURPROJECT + # + # ALTERNATIVE: if your GitHub Release name is the PyPI project version string + # ALTERNATIVE: exactly, uncomment the following line instead: + # url: https://pypi.org/project/YOURPROJECT/${{ github.event.release.name }} steps: - name: Retrieve release distributions From ae01bb2a2fa5733aaf305c4161350c9af10345b9 Mon Sep 17 00:00:00 2001 From: Seth Vargo Date: Wed, 21 Aug 2024 11:21:42 -0700 Subject: [PATCH 061/104] google: update workflow versions and instructions (#2478) * google: update workflow versions and instructions * Pin hashes --- deployments/google-cloudrun-docker.yml | 138 ++++++++++------------ deployments/google-cloudrun-source.yml | 112 ++++++++---------- deployments/google.yml | 157 ++++++++++++++----------- 3 files changed, 197 insertions(+), 210 deletions(-) diff --git a/deployments/google-cloudrun-docker.yml b/deployments/google-cloudrun-docker.yml index bd748f8..70af95e 100644 --- a/deployments/google-cloudrun-docker.yml +++ b/deployments/google-cloudrun-docker.yml 
@@ -1,113 +1,95 @@ -# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Cloud Run when a commit is pushed to the $default-branch branch -# -# Overview: -# -# 1. Authenticate to Google Cloud -# 2. Authenticate Docker to Artifact Registry -# 3. Build a docker container -# 4. Publish it to Google Artifact Registry -# 5. Deploy it to Cloud Run +# This workflow build and push a Docker container to Google Artifact Registry +# and deploy it on Cloud Run when a commit is pushed to the $default-branch +# branch. # # To configure this workflow: # -# 1. Ensure the required Google Cloud APIs are enabled: +# 1. Enable the following Google Cloud APIs: # -# Cloud Run run.googleapis.com -# Artifact Registry artifactregistry.googleapis.com +# - Artifact Registry (artifactregistry.googleapis.com) +# - Cloud Run (run.googleapis.com) +# - IAM Credentials API (iamcredentials.googleapis.com) # -# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) +# You can learn more about enabling APIs at +# https://support.google.com/googleapi/answer/6158841. # -# 3. Ensure the required IAM permissions are granted +# 2. Create and configure a Workload Identity Provider for GitHub: +# https://github.com/google-github-actions/auth#preferred-direct-workload-identity-federation. 
# -# Cloud Run -# roles/run.admin -# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account) +# Depending on how you authenticate, you will need to grant an IAM principal +# permissions on Google Cloud: # -# Artifact Registry -# roles/artifactregistry.admin (project or repository level) +# - Artifact Registry Administrator (roles/artifactregistry.admin) +# - Cloud Run Developer (roles/run.developer) # -# NOTE: You should always follow the principle of least privilege when assigning IAM roles +# You can learn more about setting IAM permissions at +# https://cloud.google.com/iam/docs/manage-access-other-resources # -# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT -# -# 5. Change the values for the GAR_LOCATION, SERVICE and REGION environment variables (below). -# -# NOTE: To use Google Container Registry instead, replace ${{ env.GAR_LOCATION }}-docker.pkg.dev with gcr.io -# -# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run -# -# Further reading: -# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying -# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles -# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry -# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege +# 3. Change the values in the "env" block to match your values. 
-name: Build and Deploy to Cloud Run +name: 'Build and Deploy to Cloud Run' on: push: - branches: [ $default-branch ] + branches: + - '$default-branch' env: - PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id - GAR_LOCATION: YOUR_GAR_LOCATION # TODO: update Artifact Registry location - SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name - REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region + PROJECT_ID: 'my-project' # TODO: update to your Google Cloud project ID + REGION: 'us-central1' # TODO: update to your region + SERVICE: 'my-service' # TODO: update to your service name + WORKLOAD_IDENTITY_PROVIDER: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' # TODO: update to your workload identity provider jobs: deploy: - # Add 'id-token' with the intended permissions for workload identity federation + runs-on: 'ubuntu-latest' + permissions: contents: 'read' id-token: 'write' - runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 + - name: 'Checkout' + uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # actions/checkout@v4 - - name: Google Auth - id: auth - uses: 'google-github-actions/auth@v0' + # Configure Workload Identity Federation and generate an access token. + # + # See https://github.com/google-github-actions/auth for more options, + # including authenticating via a JSON credentials file. + - id: 'auth' + name: 'Authenticate to Google Cloud' + uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # google-github-actions/auth@v2 with: - token_format: 'access_token' - workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider - service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. 
- my-service-account@my-project.iam.gserviceaccount.com + workload_identity_provider: '${{ env.WORKLOAD_IDENTITY_PROVIDER }}' - # NOTE: Alternative option - authentication via credentials json - # - name: Google Auth - # id: auth - # uses: 'google-github-actions/auth@v0' - # with: - # credentials_json: '${{ secrets.GCP_CREDENTIALS }}'' - - # BEGIN - Docker auth and build (NOTE: If you already have a container image, these Docker steps can be omitted) - - # Authenticate Docker to Google Cloud Artifact Registry - - name: Docker Auth - id: docker-auth - uses: 'docker/login-action@v1' + # BEGIN - Docker auth and build + # + # If you already have a container image, you can omit these steps. + - name: 'Docker Auth' + uses: 'docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567' # docker/login-action@v3 with: username: 'oauth2accesstoken' - password: '${{ steps.auth.outputs.access_token }}' - registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev' + password: '${{ steps.auth.outputs.auth_token }}' + registry: '${{ env.REGION }}-docker.pkg.dev' - - name: Build and Push Container + - name: 'Build and Push Container' run: |- - docker build -t "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" ./ - docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" + DOCKER_TAG="$${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" + docker build --tag "${DOCKER_TAG}" . 
+ docker push "${DOCKER_TAG}" + - name: 'Deploy to Cloud Run' - # END - Docker auth and build + # END - Docker auth and build - - name: Deploy to Cloud Run - id: deploy - uses: google-github-actions/deploy-cloudrun@v0 + uses: 'google-github-actions/deploy-cloudrun@33553064113a37d688aa6937bacbdc481580be17' # google-github-actions/deploy-cloudrun@v2 with: - service: ${{ env.SERVICE }} - region: ${{ env.REGION }} - # NOTE: If using a pre-built image, update the image name here - image: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }} + service: '${{ env.SERVICE }}' + region: '${{ env.REGION }}' + # NOTE: If using a pre-built image, update the image name below: - # If required, use the Cloud Run url output in later steps - - name: Show Output - run: echo ${{ steps.deploy.outputs.url }} + image: '${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}' + # If required, use the Cloud Run URL output in later steps + - name: 'Show output' + run: |2- + + echo ${{ steps.deploy.outputs.url }} diff --git a/deployments/google-cloudrun-source.yml b/deployments/google-cloudrun-source.yml index e6fcb52..6a9a551 100644 --- a/deployments/google-cloudrun-source.yml +++ b/deployments/google-cloudrun-source.yml 
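Review bot: The new `Build and Push Container` step has a stray dollar sign in `DOCKER_TAG="$${{ env.REGION }}-docker.pkg.dev/..."`: after GitHub substitutes the expression, the shell sees `$us-central1-docker.pkg.dev/...` and expands the (empty) variable `us`, so the tag becomes `-central1-docker.pkg.dev/...` and the build or push fails. Drop the extra `$`: `DOCKER_TAG="${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}"`, or better, reference the values as shell variables (`${REGION}`, `${PROJECT_ID}`, `${SERVICE}`, `${GITHUB_SHA}`) the way the GKE workflow in this same commit does, which avoids pasting expressions into a `run:` script. Two layout slips in the same hunk also read as a botched edit even though they parse: `- name: 'Deploy to Cloud Run'` is separated from its `uses:` by the `# END - Docker auth and build` comment, and `Show output` uses `run: |2-` followed by a blank line where the source workflow uses `run: |-`.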
@@ -1,95 +1,75 @@ -# This workflow will deploy source code on Cloud Run when a commit is pushed to the $default-branch branch -# -# Overview: -# -# 1. Authenticate to Google Cloud -# 2. Deploy it to Cloud Run +# This workflow will deploy source code on Cloud Run when a commit is pushed to +# the $default-branch branch. # # To configure this workflow: # -# 1. Ensure the required Google Cloud APIs are enabled: +# 1. Enable the following Google Cloud APIs: # -# Cloud Run run.googleapis.com -# Cloud Build cloudbuild.googleapis.com -# Artifact Registry artifactregistry.googleapis.com +# - Artifact Registry (artifactregistry.googleapis.com) +# - Cloud Build (cloudbuild.googleapis.com) +# - Cloud Run (run.googleapis.com) +# - IAM Credentials API (iamcredentials.googleapis.com) # -# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) +# You can learn more about enabling APIs at +# https://support.google.com/googleapi/answer/6158841. # -# 3. Ensure the required IAM permissions are granted +# 2. Create and configure a Workload Identity Provider for GitHub: +# https://github.com/google-github-actions/auth#preferred-direct-workload-identity-federation. # -# Cloud Run -# roles/run.admin -# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account) +# Depending on how you authenticate, you will need to grant an IAM principal +# permissions on Google Cloud: # -# Cloud Build -# roles/cloudbuild.builds.editor +# - Artifact Registry Administrator (roles/artifactregistry.admin) +# - Cloud Run Source Developer (roles/run.sourceDeveloper) # -# Cloud Storage -# roles/storage.objectAdmin +# You can learn more about setting IAM permissions at +# https://cloud.google.com/iam/docs/manage-access-other-resources. 
# -# Artifact Registry -# roles/artifactregistry.admin (project or repository level) -# -# NOTE: You should always follow the principle of least privilege when assigning IAM roles -# -# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT -# -# 5. Change the values for the SERVICE and REGION environment variables (below). -# -# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run -# -# Further reading: -# Cloud Run runtime service account - https://cloud.google.com/run/docs/securing/service-identity -# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying-source-code#permissions_required_to_deploy -# Cloud Run builds from source - https://cloud.google.com/run/docs/deploying-source-code -# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege +# 3. Change the values in the "env" block to match your values. 
-name: Deploy to Cloud Run from Source +name: 'Deploy to Cloud Run from Source' on: push: - branches: [ $default-branch ] + branches: + - '$default-branch' env: - PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id - SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name - REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region + PROJECT_ID: 'my-project' # TODO: update to your Google Cloud project ID + REGION: 'us-central1' # TODO: update to your region + SERVICE: 'my-service' # TODO: update to your service name jobs: deploy: - # Add 'id-token' with the intended permissions for workload identity federation + runs-on: 'ubuntu-latest' + permissions: contents: 'read' id-token: 'write' - runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 + - name: 'Checkout' + uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # actions/checkout@v4 - - name: Google Auth - id: auth - uses: 'google-github-actions/auth@v0' + # Configure Workload Identity Federation and generate an access token. + # + # See https://github.com/google-github-actions/auth for more options, + # including authenticating via a JSON credentials file. + - id: 'auth' + name: 'Authenticate to Google Cloud' + uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # google-github-actions/auth@v2 with: - workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider - service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. 
- my-service-account@my-project.iam.gserviceaccount.com + workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' # TODO: replace with your workload identity provider - # NOTE: Alternative option - authentication via credentials json - # - name: Google Auth - # id: auth - # uses: 'google-github-actions/auth@v0' - # with: - # credentials_json: '${{ secrets.GCP_CREDENTIALS }}' - - - name: Deploy to Cloud Run - id: deploy - uses: google-github-actions/deploy-cloudrun@v0 + - name: 'Deploy to Cloud Run' + uses: 'google-github-actions/deploy-cloudrun@33553064113a37d688aa6937bacbdc481580be17' # google-github-actions/deploy-cloudrun@v2 with: - service: ${{ env.SERVICE }} - region: ${{ env.REGION }} - # NOTE: If required, update to the appropriate source folder - source: ./ + service: '${{ env.SERVICE }}' + region: '${{ env.REGION }}' + # NOTE: If using a different source folder, update the image name below: + source: './' - # If required, use the Cloud Run url output in later steps - - name: Show Output - run: echo ${{ steps.deploy.outputs.url }} + # If required, use the Cloud Run URL output in later steps + - name: 'Show output' + run: |- + echo ${{ steps.deploy.outputs.url }} diff --git a/deployments/google.yml b/deployments/google.yml index deb9877..4be4dc4 100644 --- a/deployments/google.yml +++ b/deployments/google.yml 
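Review bot: The comment added above `source: './'` reads `# NOTE: If using a different source folder, update the image name below:`, but the key it annotates is a source path, not an image; it looks copied from the Docker variant and should say `# NOTE: If your source is not at the repository root, update the path below:`. The `workload_identity_provider` is also hard-coded inline with a TODO here, whereas the other two workflows in this commit hoist it into an `env: WORKLOAD_IDENTITY_PROVIDER` value; doing the same keeps the three templates consistent and puts every value a user must edit in one `env` block as the header comment's step 3 promises.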
@@ -1,91 +1,116 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. +# This workflow will build a docker container, publish it to Google Container +# Registry, and deploy it to GKE when there is a push to the $default-branch +# branch. # # To configure this workflow: # -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. +# 1. Enable the following Google Cloud APIs: # -# 2. Create and configure a Workload Identity Provider for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) +# - Artifact Registry (artifactregistry.googleapis.com) +# - Google Kubernetes Engine (container.googleapis.com) +# - IAM Credentials API (iamcredentials.googleapis.com) # -# 3. Change the values for the GAR_LOCATION, GKE_ZONE, GKE_CLUSTER, IMAGE, REPOSITORY and DEPLOYMENT_NAME environment variables (below). +# You can learn more about enabling APIs at +# https://support.google.com/googleapi/answer/6158841. # -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke-kustomize +# 2. Ensure that your repository contains the necessary configuration for your +# Google Kubernetes Engine cluster, including deployment.yml, +# kustomization.yml, service.yml, etc. +# +# 3. Create and configure a Workload Identity Provider for GitHub: +# https://github.com/google-github-actions/auth#preferred-direct-workload-identity-federation. 
+# +# Depending on how you authenticate, you will need to grant an IAM principal +# permissions on Google Cloud: +# +# - Artifact Registry Administrator (roles/artifactregistry.admin) +# - Kubernetes Engine Developer (roles/container.developer) +# +# You can learn more about setting IAM permissions at +# https://cloud.google.com/iam/docs/manage-access-other-resources +# +# 5. Change the values in the "env" block to match your values. -name: Build and Deploy to GKE +name: 'Build and Deploy to GKE' on: push: - branches: [ $default-branch ] + branches: + - '$default-branch' env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GAR_LOCATION: us-central1 # TODO: update region of the Artifact Registry - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - REPOSITORY: samples # TODO: update to Artifact Registry docker repository - IMAGE: static-site + PROJECT_ID: 'my-project' # TODO: update to your Google Cloud project ID + GAR_LOCATION: 'us-central1' # TODO: update to your region + GKE_CLUSTER: 'cluster-1' # TODO: update to your cluster name + GKE_ZONE: 'us-central1-c' # TODO: update to your cluster zone + DEPLOYMENT_NAME: 'gke-test' # TODO: update to your deployment name + REPOSITORY: 'samples' # TODO: update to your Artifact Registry docker repository name + IMAGE: 'static-site' + WORKLOAD_IDENTITY_PROVIDER: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' # TODO: update to your workload identity provider jobs: setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production + name: 'Setup, Build, Publish, and Deploy' + runs-on: 'ubuntu-latest' + environment: 'production' permissions: contents: 'read' id-token: 'write' steps: - - name: Checkout - uses: actions/checkout@v4 + - name: 'Checkout' + uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' 
# actions/checkout@v4 - # Configure Workload Identity Federation and generate an access token. - - id: 'auth' - name: 'Authenticate to Google Cloud' - uses: 'google-github-actions/auth@v0' - with: - token_format: 'access_token' - workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' - service_account: 'my-service-account@my-project.iam.gserviceaccount.com' + # Configure Workload Identity Federation and generate an access token. + # + # See https://github.com/google-github-actions/auth for more options, + # including authenticating via a JSON credentials file. + - id: 'auth' + name: 'Authenticate to Google Cloud' + uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # google-github-actions/auth@v2 + with: + workload_identity_provider: '${{ env.WORKLOAD_IDENTITY_PROVIDER }}' - # Alternative option - authentication via credentials json - # - id: 'auth' - # uses: 'google-github-actions/auth@v0' - # with: - # credentials_json: '${{ secrets.GCP_CREDENTIALS }}' + # Authenticate Docker to Google Cloud Artifact Registry + - name: 'Docker Auth' + uses: 'docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567' # docker/login-action@v3 + with: + username: 'oauth2accesstoken' + password: '${{ steps.auth.outputs.auth_token }}' + registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev' - - name: Docker configuration - run: |- - echo ${{steps.auth.outputs.access_token}} | docker login -u oauth2accesstoken --password-stdin https://$GAR_LOCATION-docker.pkg.dev - # Get the GKE credentials so we can deploy to the cluster - - name: Set up GKE credentials - uses: google-github-actions/get-gke-credentials@v0 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} + # Get the GKE credentials so we can deploy to the cluster + - name: 'Set up GKE credentials' + uses: 'google-github-actions/get-gke-credentials@6051de21ad50fbb1767bc93c11357a49082ad116' # 
google-github-actions/get-gke-credentials@v2 + with: + cluster_name: '${{ env.GKE_CLUSTER }}' + location: '${{ env.GKE_ZONE }}' - # Build the Docker image - - name: Build - run: |- - docker build \ - --tag "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - # Push the Docker image to Google Artifact Registry - - name: Publish - run: |- - docker push "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA" - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - # replacing the image name in the k8s template - ./kustomize edit set image LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE:TAG=$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide + # Build the Docker image + - name: 'Build and push Docker container' + run: |- + DOCKER_TAG="${GAR_LOCATION}-docker.pkg.dev/${PROJECT_ID}/${REPOSITORY}/${IMAGE}:${GITHUB_SHA}" + + docker build \ + --tag "${DOCKER_TAG}" \ + --build-arg GITHUB_SHA="${GITHUB_SHA}" \ + --build-arg GITHUB_REF="${GITHUB_REF}" \ + . 
+ + docker push "${DOCKER_TAG}" + + # Set up kustomize + - name: 'Set up Kustomize' + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.4.3/kustomize_v5.4.3_linux_amd64.tar.gz + chmod u+x ./kustomize + + # Deploy the Docker image to the GKE cluster + - name: 'Deploy to GKE' + run: |- + # replacing the image name in the k8s template + ./kustomize edit set image LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE:TAG=$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide From 6ac176a96e50b319149785b0bf59c1c9c1116933 Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Fri, 23 Aug 2024 10:49:57 -0400 Subject: [PATCH 062/104] CodeQL - Add unique name vs default setup --- code-scanning/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 3e48389..7e46549 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -9,7 +9,7 @@ # the `language` matrix defined below to confirm you have the correct set of # supported CodeQL languages. # -name: "CodeQL" +name: "CodeQL Advanced" on: push: From bc709b6e00fad0ad44efb7d35eaa31778a651c41 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 4 Sep 2024 17:08:14 -0400 Subject: [PATCH 063/104] python-publish: bump commit/ref Signed-off-by: William Woodruff --- ci/python-publish.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 72fdda2..710ca30 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml 
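Review bot: The rewritten `Set up Kustomize` step downloads `kustomize_v5.4.3_linux_amd64.tar.gz` but saves it as `./kustomize` and `chmod`s it, so the later `./kustomize edit set image ...` tries to execute a gzip archive and the deploy job fails. The archive needs to be extracted first, and since this job runs with GKE cluster credentials and pushes to Artifact Registry, the download should also be verified against the `checksums.txt` that ships with the kustomize release rather than trusting whatever the URL returns. The header comment's numbered steps also jump from `3.` to `5.`; renumber `# 5. Change the values in the "env" block` to `4.`.

```yaml
      - name: 'Set up Kustomize'
        run: |-
          KUSTOMIZE_URL="https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.4.3/kustomize_v5.4.3_linux_amd64.tar.gz"
          curl -sfL -o kustomize.tar.gz "${KUSTOMIZE_URL}"
          # TODO: paste the sha256 for kustomize_v5.4.3_linux_amd64.tar.gz from the release's checksums.txt
          echo "<sha256-from-checksums.txt>  kustomize.tar.gz" | sha256sum -c -
          tar -xzf kustomize.tar.gz kustomize
          chmod u+x ./kustomize
      # … unchanged: Deploy to GKE step …
```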
@@ -67,5 +67,4 @@ jobs: - name: Publish release distributions to PyPI # To automatically get updates, change this to: # uses: pypa/gh-action-pypi-publish@release/v1 - uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # v1.9.0 - + uses: pypa/gh-action-pypi-publish@0ab0b79471669eb3a4d647e625009c62f9f3b241 # v1.10.1 From 9db23a2437ff17f6ad52e8b92dfc8197ed8314dd Mon Sep 17 00:00:00 2001 From: ginilpg Date: Tue, 10 Sep 2024 20:11:53 +0530 Subject: [PATCH 064/104] Add Appknox starter workflow (#2447) * Added appknox.yml for code scanning * Create appknox.json * Create appknox.svg * Update appknox.json * Update appknox.svg * Rename appknox.json to appknox.properties.json * Update appknox.yml * Update appknox.yml * Update appknox.properties.json * Formatting yml --- code-scanning/appknox.yml | 56 +++++++++++++++++++ .../properties/appknox.properties.json | 23 ++++++++ icons/appknox.svg | 10 ++++ 3 files changed, 89 insertions(+) create mode 100644 code-scanning/appknox.yml create mode 100644 code-scanning/properties/appknox.properties.json create mode 100644 icons/appknox.svg diff --git a/code-scanning/appknox.yml b/code-scanning/appknox.yml new file mode 100644 index 0000000..0282b6c --- /dev/null +++ b/code-scanning/appknox.yml 
@@ -0,0 +1,56 @@
+# This workflow uses actions that are not certified by GitHub. They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support documentation.
+#
+# Appknox: Leader in Mobile Application Security Testing Solutions
+#
+# To use this workflow, you must be an existing Appknox customer with GitHub Advanced Security (GHAS) enabled for your
+# repository.
+#
+# If you *are not* an existing customer, click here to contact us for licensing and pricing details:
+# .
+#
+# Instructions:
+#
+# 1. In your repository settings, navigate to 'Secrets' and click on 'New repository secret.' Name the
+# secret APPKNOX_ACCESS_TOKEN and paste your appknox user token into the value field. If you don't have a appknox token
+# or need to generate a new one for GitHub, visit the Appknox Platform, go to Account Settings->Developer Settings
+# and create a token labeled GitHub
+#
+# 2. Refer to the detailed workflow below, make any required adjustments, and then save it to your repository. After the
+# action executes, check the 'Security' tab for results
+
+name: Appknox
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+jobs:
+ appknox:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Set up JDK 1.8
+ uses: actions/setup-java@v1
+ with:
+ java-version: 1.8
+ - name: Grant execute permission for gradlew
+ run: chmod +x gradlew
+
+ - name: Build the app
+ run: ./gradlew build # Update this to build your Android or iOS application
+
+ - name: Appknox GitHub action
+ uses: appknox/appknox-github-action@b7d2bfb2321d5544e97bffcba48557234ab953a4
+ with:
+ appknox_access_token: ${{ secrets.APPKNOX_ACCESS_TOKEN }}
+ file_path: app/build/outputs/apk/debug/app-debug.apk # Specify the path to your .ipa or .apk here
+ risk_threshold: MEDIUM # Update this to desired risk threshold [LOW, MEDIUM, HIGH, CRITICAL]
+ sarif: Enable
+
+ - name: Upload SARIF to GHAS
+ if: always()
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: report.sarif
diff --git a/code-scanning/properties/appknox.properties.json b/code-scanning/properties/appknox.properties.json
new file mode 100644
index 0000000..4164291
--- /dev/null
+++ b/code-scanning/properties/appknox.properties.json
@@ -0,0 +1,23 @@
+{
+ "name": "Appknox",
+ "creator": "Appknox",
+ "description": "Use Appknox action for faster and precise security assessments of your iOS and Android apps developed using any programming language",
+ "iconName": "appknox",
+ "categories": [
+ "Code Scanning",
+ "Java",
+ "Kotlin",
+ "Scala",
+ "Swift",
+ "Objective C",
+ "C",
+ "C++",
+ "C#",
+ "Rust",
+ "JavaScript",
+ "TypeScript",
+ "Node"
+ ],
+ "labels": ["preview"]
+
+}
diff --git a/icons/appknox.svg b/icons/appknox.svg
new file mode 100644
index 0000000..36148e7
--- /dev/null
+++ b/icons/appknox.svg
@@ -0,0 +1,10 @@
+
+
+
+
+
+
+
+
+
+
From 53980cb868e646a5e8c7881a33599f3287729eb7 Mon Sep 17 00:00:00 2001
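Review bot: The `appknox` job declares no `permissions`, so the `Upload SARIF to GHAS` step (`github/codeql-action/upload-sarif@v3`) runs with whatever default token permissions the repository grants; the job should state what the upload needs and nothing more, e.g. a job-level `permissions:` with `contents: read` and `security-events: write`, as the JFrog starter in this same patch series does. The checkout and JDK steps pin old majors (`actions/checkout@v2`, `actions/setup-java@v1`) while the other code-scanning starters here are on `actions/checkout@v4`. `sarif: Enable` reads like a boolean-style input spelled as a word; whether the action accepts `true` instead depends on its input schema, which this file does not show.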
From: Andrew Eisenberg Date: Tue, 10 Sep 2024 11:10:00 -0700 Subject: [PATCH 065/104] Update eslint.yml Ensure suppressed warnings don't make it into the SARIF. --- code-scanning/eslint.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml index 7304e83..4c34d46 100644 --- a/code-scanning/eslint.yml +++ b/code-scanning/eslint.yml @@ -36,6 +36,8 @@ jobs: npm install @microsoft/eslint-formatter-sarif@2.1.7 - name: Run ESLint + env: + SARIF_ESLINT_IGNORE_SUPPRESSED: "true" run: npx eslint . --config .eslintrc.js --ext .js,.jsx,.ts,.tsx @@ -47,4 +49,4 @@ jobs: uses: github/codeql-action/upload-sarif@v3 with: sarif_file: eslint-results.sarif - wait-for-processing: true \ No newline at end of file + wait-for-processing: true From ddb47be88806996b76adbe1a1cb77d51be4925d8 Mon Sep 17 00:00:00 2001 From: Andrew Eisenberg Date: Tue, 10 Sep 2024 11:46:17 -0700 Subject: [PATCH 066/104] Update appknox.yml Fix linting errors (remove whitespace). --- code-scanning/appknox.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/code-scanning/appknox.yml b/code-scanning/appknox.yml index 0282b6c..7c4b506 100644 --- a/code-scanning/appknox.yml +++ b/code-scanning/appknox.yml 
@@ -11,12 +11,12 @@ # # Instructions: # -# 1. In your repository settings, navigate to 'Secrets' and click on 'New repository secret.' Name the -# secret APPKNOX_ACCESS_TOKEN and paste your appknox user token into the value field. If you don't have a appknox token -# or need to generate a new one for GitHub, visit the Appknox Platform, go to Account Settings->Developer Settings +# 1. In your repository settings, navigate to 'Secrets' and click on 'New repository secret.' Name the +# secret APPKNOX_ACCESS_TOKEN and paste your appknox user token into the value field. If you don't have a appknox token +# or need to generate a new one for GitHub, visit the Appknox Platform, go to Account Settings->Developer Settings # and create a token labeled GitHub # -# 2. Refer to the detailed workflow below, make any required adjustments, and then save it to your repository. After the +# 2. Refer to the detailed workflow below, make any required adjustments, and then save it to your repository. After the # action executes, check the 'Security' tab for results name: Appknox @@ -37,10 +37,10 @@ jobs: java-version: 1.8 - name: Grant execute permission for gradlew run: chmod +x gradlew - + - name: Build the app run: ./gradlew build # Update this to build your Android or iOS application - + - name: Appknox GitHub action uses: appknox/appknox-github-action@b7d2bfb2321d5544e97bffcba48557234ab953a4 with: @@ -48,7 +48,7 @@ jobs: file_path: app/build/outputs/apk/debug/app-debug.apk # Specify the path to your .ipa or .apk here risk_threshold: MEDIUM # Update this to desired risk threshold [LOW, MEDIUM, HIGH, CRITICAL] sarif: Enable - + - name: Upload SARIF to GHAS if: always() uses: github/codeql-action/upload-sarif@v3 From 9d2ae7c02812c6bcf7c52ea07edbd40ac70515a5 Mon Sep 17 00:00:00 2001 
From: Andrew Eisenberg Date: Tue, 10 Sep 2024 11:50:28 -0700 Subject: [PATCH 067/104] Update appknox.yml Fix more whitespace issues. --- code-scanning/appknox.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/appknox.yml b/code-scanning/appknox.yml index 7c4b506..15d51e0 100644 --- a/code-scanning/appknox.yml +++ b/code-scanning/appknox.yml @@ -25,7 +25,7 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ $default-branch ] + branches: [ $default-branch ] jobs: appknox: runs-on: ubuntu-latest From dea60ba593828d8920e6169345ef3c469b80798d Mon Sep 17 00:00:00 2001 From: Andrew Eisenberg Date: Wed, 11 Sep 2024 11:12:06 -0700 Subject: [PATCH 068/104] Update code-scanning/eslint.yml --- code-scanning/eslint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml index 4c34d46..b0aaeb3 100644 --- a/code-scanning/eslint.yml +++ b/code-scanning/eslint.yml @@ -33,7 +33,7 @@ jobs: - name: Install ESLint run: | npm install eslint@8.10.0 - npm install @microsoft/eslint-formatter-sarif@2.1.7 + npm install @microsoft/eslint-formatter-sarif@3.1.0 - name: Run ESLint env: From 666350e29b10d665a82d5c6d1501a29e50d63c29 Mon Sep 17 00:00:00 2001 
From: ginilpg Date: Wed, 18 Sep 2024 00:20:21 +0530 Subject: [PATCH 069/104] Added appknox.yml for code scanning (#2498) Create appknox.json Create appknox.svg Update appknox.json Update appknox.svg Rename appknox.json to appknox.properties.json Update appknox.yml Update appknox.yml Update appknox.properties.json Formatting yml Removed preview mode from appknox scanner Removed preview mode from appknox scanner Add Appknox starter workflow (#2447) * Added appknox.yml for code scanning * Create appknox.json * Create appknox.svg * Update appknox.json * Update appknox.svg * Rename appknox.json to appknox.properties.json * Update appknox.yml * Update appknox.yml * Update appknox.properties.json * Formatting yml removed preview mode removed preview mode precommit lint
---
 code-scanning/appknox.yml | 8 +++-----
 code-scanning/properties/appknox.properties.json | 4 +---
 2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/code-scanning/appknox.yml b/code-scanning/appknox.yml
index 15d51e0..68e4672 100644
--- a/code-scanning/appknox.yml
+++ b/code-scanning/appknox.yml
@@ -30,11 +30,9 @@ jobs:
 appknox:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
- - name: Set up JDK 1.8
- uses: actions/setup-java@v1
- with:
- java-version: 1.8
+ - name: Checkout Code
+ uses: actions/checkout@v2
+
 - name: Grant execute permission for gradlew
 run: chmod +x gradlew
diff --git a/code-scanning/properties/appknox.properties.json b/code-scanning/properties/appknox.properties.json
index 4164291..8e8b1f2 100644
--- a/code-scanning/properties/appknox.properties.json
+++ b/code-scanning/properties/appknox.properties.json
@@ -17,7 +17,5 @@
 "JavaScript",
 "TypeScript",
 "Node"
- ],
- "labels": ["preview"]
-
+ ]
 }
From 09fa3b9723362634eb5877b2dd60fb884cb1f341 Mon Sep 17 00:00:00 2001
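Review bot: Dropping the `Set up JDK 1.8` step leaves `./gradlew build` (outside this hunk) dependent on whichever JDK, if any, the `ubuntu-latest` image provides, so the build's Java version is no longer pinned by the workflow; if the intent is that users add their own toolchain step, a comment on the new `Checkout Code` step such as `# Add a toolchain setup step (e.g. actions/setup-java) here before building` would make that explicit. The renamed step still uses `actions/checkout@v2`, an old major, while the other code-scanning starters in this series are on `actions/checkout@v4`.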
From: Ilya Khivrich Date: Mon, 21 Oct 2024 23:01:52 +0300 Subject: [PATCH 070/104] add jfrog-sast flow
---
 code-scanning/jfrog-sast.yml | 54 +++++++++++++++++++
 .../properties/jfrog-sast.properties.json | 15 ++++++
 2 files changed, 69 insertions(+)
 create mode 100644 code-scanning/jfrog-sast.yml
 create mode 100644 code-scanning/properties/jfrog-sast.properties.json
diff --git a/code-scanning/jfrog-sast.yml b/code-scanning/jfrog-sast.yml
new file mode 100644
index 0000000..aba617d
--- /dev/null
+++ b/code-scanning/jfrog-sast.yml
@@ -0,0 +1,54 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# JFrog SAST performs 1st party source code security analysis
+# For more information, see
+# https://docs.jfrog-applications.jfrog.io/jfrog-security-features/sast
+
+name: "JFrog SAST Scan"
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch, $protected-branches ]
+ schedule:
+ - cron: $cron-weekly
+
+env:
+ # [Mandatory]
+ # JFrog platform URL and access token for
+ # a JFrog platform instance with active
+ # JFrog Advanced Security subscription
+ JF_URL: ${{ secrets.JF_URL }}
+ JF_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+
+ - name: Install and configure JFrog CLI
+ run: |
+ npm install -g jfrog-cli-v2-jf
+ jf c add --interactive=false --url=$JF_URL --access-token=$JF_TOKEN
+
+ - name: Run JFrog SAST
+ run: |
+ jf audit --sast --format=sarif > jfrog_sast.sarif
+
+
+ - name: Upload output to generate autofix
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: jfrog_sast.sarif
\ No newline at end of file
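Review bot: `npm install -g jfrog-cli-v2-jf` installs whatever version npm resolves at run time, so the CLI that receives `JF_TOKEN` on the next line is unpinned while every action in this workflow is pinned by tag; pin it (`npm install -g jfrog-cli-v2-jf@<VERSION>`, placeholder for the release you validated) or use a version-pinned setup action. `JF_URL` is read from `secrets.JF_URL`, which masks the URL in logs and makes connection failures hard to diagnose; the Fortify starter in this same series keeps the URL as a hardcoded value or a `vars.*` variable and reserves secrets for credentials, which fits here too (`JF_URL: ${{ vars.JF_URL }}`). Both values live in the workflow-level `env`, so the token is also exposed to the `actions/checkout` and `actions/setup-node` steps; a step-level `env` on the two JFrog steps would narrow that. If `jf audit` exits non-zero when findings exceed a threshold, the upload step is skipped because it has no `if: always()` (the Appknox starter in this series does set it); I cannot confirm the exit-code behavior from this file.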
diff --git a/code-scanning/properties/jfrog-sast.properties.json b/code-scanning/properties/jfrog-sast.properties.json
new file mode 100644
index 0000000..093d9c2
--- /dev/null
+++ b/code-scanning/properties/jfrog-sast.properties.json
@@ -0,0 +1,15 @@
+{
+ "name": "JFrog SAST",
+ "description": "Scan for security vulnerabilities in source code using JFrog SAST",
+ "iconName": "frogbot",
+ "categories":
+ [
+ "Code Scanning",
+ "python",
+ "java",
+ "javascript",
+ "typescript",
+ "go"
+ ],
+ "creator": "JFrog"
+}
\ No newline at end of file
From 7f50c702183846c848e2eb13df950a942ffd2374 Mon Sep 17 00:00:00 2001 From: Ilya Khivrich Date: Tue, 22 Oct 2024 11:53:35 +0300 Subject: [PATCH 071/104] pass token over stdin, add security to properties
---
 code-scanning/jfrog-sast.yml | 2 +-
 code-scanning/properties/jfrog-sast.properties.json | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/code-scanning/jfrog-sast.yml b/code-scanning/jfrog-sast.yml
index aba617d..4ff7ef7 100644
--- a/code-scanning/jfrog-sast.yml
+++ b/code-scanning/jfrog-sast.yml
@@ -41,7 +41,7 @@ jobs:
 - name: Install and configure JFrog CLI
 run: |
 npm install -g jfrog-cli-v2-jf
- jf c add --interactive=false --url=$JF_URL --access-token=$JF_TOKEN
+ echo $JF_TOKEN | jf c add --interactive=false --url=$JF_URL --access-token-stdin
 - name: Run JFrog SAST
 run: |
diff --git a/code-scanning/properties/jfrog-sast.properties.json b/code-scanning/properties/jfrog-sast.properties.json
index 093d9c2..7ffa897 100644
--- a/code-scanning/properties/jfrog-sast.properties.json
+++ b/code-scanning/properties/jfrog-sast.properties.json
@@ -5,6 +5,7 @@
 "categories":
 [
 "Code Scanning",
+ "security",
+ "python",
+ "java",
+ "javascript",
From 958eb203602c8c9a416f802e8464a0ce75b708fe Mon Sep 17 00:00:00 2001
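Review bot: `echo $JF_TOKEN` leaves the token unquoted, so the shell word-splits and glob-expands the value before `echo` sees it, and `echo` may interpret backslash sequences depending on the shell in use; `printf '%s\n' "$JF_TOKEN" | jf c add --interactive=false --url="$JF_URL" --access-token-stdin` passes the value through untouched and quotes the URL as well. The `run: |` block this line belongs to starts outside the hunk.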
From: William Woodruff Date: Tue, 5 Nov 2024 12:50:41 -0500 Subject: [PATCH 072/104] Update ci/python-publish.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sviatoslav Sydorenko (Святослав Сидоренко) --- ci/python-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 710ca30..0f5c53e 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -67,4 +67,4 @@ jobs: - name: Publish release distributions to PyPI # To automatically get updates, change this to: # uses: pypa/gh-action-pypi-publish@release/v1 - uses: pypa/gh-action-pypi-publish@0ab0b79471669eb3a4d647e625009c62f9f3b241 # v1.10.1 + uses: pypa/gh-action-pypi-publish@fb13cb306901256ace3dab689990e13a5550ffaa # v1.11.0 From 347784759f1270562584b69837c487fae1da0949 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 6 Nov 2024 17:10:48 -0500 Subject: [PATCH 073/104] Update ci/python-publish.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sviatoslav Sydorenko (Святослав Сидоренко) --- ci/python-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 0f5c53e..43158c6 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -67,4 +67,4 @@ jobs: - name: Publish release distributions to PyPI # To automatically get updates, change this to: # uses: pypa/gh-action-pypi-publish@release/v1 - uses: pypa/gh-action-pypi-publish@fb13cb306901256ace3dab689990e13a5550ffaa # v1.11.0 + uses: pypa/gh-action-pypi-publish@1f5d4ec244f65dce93685ee3e98e77123f090866 # v1.12.1 From eb329790015fca7ee48f8b77ed44deb431544f23 Mon Sep 17 00:00:00 2001 
From: William Woodruff Date: Wed, 6 Nov 2024 21:03:35 -0500 Subject: [PATCH 074/104] Update ci/python-publish.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sviatoslav Sydorenko (Святослав Сидоренко) --- ci/python-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 43158c6..107d347 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -67,4 +67,4 @@ jobs: - name: Publish release distributions to PyPI # To automatically get updates, change this to: # uses: pypa/gh-action-pypi-publish@release/v1 - uses: pypa/gh-action-pypi-publish@1f5d4ec244f65dce93685ee3e98e77123f090866 # v1.12.1 + uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2 From 4cbe5359f3a3d03c01f07a51274ad38b97997f22 Mon Sep 17 00:00:00 2001 From: Ruud Senden <8635138+rsenden@users.noreply.github.com> Date: Wed, 6 Nov 2024 17:37:05 +0100 Subject: [PATCH 075/104] Update Fortify starter workflow --- code-scanning/fortify.yml | 120 ++++++++++++++++++++++++++------------ 1 file changed, 82 insertions(+), 38 deletions(-) diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml index 01611e8..10834bc 100644 --- a/code-scanning/fortify.yml +++ b/code-scanning/fortify.yml 
@@ -34,51 +34,95 @@ jobs:
 actions: read
 contents: read
 security-events: write
+ # pull-requests: write # Required if DO_PR_COMMENT is set to true
 steps:
 # Check out source code
 - name: Check Out Source Code
 uses: actions/checkout@v4
- # Java is required to run the various Fortify utilities. Ensuring proper version is installed on the runner.
- - name: Setup Java
- uses: actions/setup-java@v4
- with:
- java-version: 17
- distribution: 'temurin'
-
- # Perform SAST and optionally SCA scan via Fortify on Demand/Fortify Hosted/Software Security Center, then
- # optionally export SAST results to the GitHub code scanning dashboard. In case further customization is
+ # Perform SAST and/or SCA scan via Fortify on Demand/Fortify Hosted/ScanCentral SAST/Debricked. Based on
+ # configuration, the Fortify GitHub Action can optionally set up the application version/release, generate
+ # job summaries and Pull Request comments, and/or export SAST results to the GitHub code scanning dashboard.
+ # The Fortify GitHub Action provides many customization capabilities, but in case further customization is
 # required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools
- # and run them directly from within your pipeline; see https://github.com/fortify/github-action#readme for
- # details.
- - name: Run FoD SAST Scan
- uses: fortify/github-action@a92347297e02391b857e7015792cd1926a4cd418
+ # and run them directly from within your pipeline. It is recommended to review the Fortify GitHub Action
+ # documentation at https://github.com/fortify/github-action#readme for more information on the various
+ # configuration options and available sub-actions.
+ - name: Run Fortify Scan
+ # Specify Fortify GitHub Action version to run. As per GitHub starter workflow requirements, this example
+ # uses the commit id corresponding to version 1.5.2. It is recommended to check whether any later releases
+ # are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability
+ # required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version
+ # of this action, allowing your workflows to automatically benefit from any new features and bug fixes.
+ uses: fortify/github-action@afb2d9e467caf7c6ad273799fc1b65ac492b0de2
 with:
- sast-scan: true
+ sast-scan: true # Run a SAST scan; if not specified or set to false, no SAST scan will be run
+ debricked-sca-scan: true # For FoD, run an open-source scan as part of the SAST scan (ignored if SAST scan
+ # is disabled). For SSC, run a Debricked scan and import results into SSC.
 env:
- ### Required configuration when integrating with Fortify on Demand
- FOD_URL: https://ams.fortify.com
- FOD_TENANT: ${{secrets.FOD_TENANT}}
- FOD_USER: ${{secrets.FOD_USER}}
+ #############################################################
+ ##### Fortify on Demand configuration
+ ##### Remove this section if you're integrating with Fortify Hosted/Software Security Center (see below)
+ ### Required configuration
+ FOD_URL: https://ams.fortify.com # Must be hardcoded or configured through GitHub variable, not secret
+ FOD_TENANT: ${{secrets.FOD_TENANT}} # Either tenant/user/password or client id/secret are required;
+ FOD_USER: ${{secrets.FOD_USER}} # these should be configured through GitHub secrets.
 FOD_PASSWORD: ${{secrets.FOD_PAT}}
- ### Optional configuration when integrating with Fortify on Demand
- # EXTRA_PACKAGE_OPTS: -oss # Extra 'scancentral package' options, like '-oss'' if
- # Debricked SCA scan is enabled on Fortify on Demand
- # EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options
- # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: /:; may
- # replace app+release name with numeric release ID
- # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true'
- # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard
- ### Required configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral
- # SSC_URL: ${{secrets.SSC_URL}} # SSC URL
- # SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken or AutomationToken
- # SC_SAST_TOKEN: ${{secrets.SC_SAST_TOKEN}} # ScanCentral SAST client auth token
- # SC_SAST_SENSOR_VERSION: ${{vars.SC_SAST_SENSOR_VERSION}} # Sensor version on which to run the scan;
- # usually defined as organization or repo variable
- ### Optional configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral
- # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options
- # SSC_APPVERSION: MyApp:MyVersion # SSC application version, default: /:
- # EXTRA_PACKAGE_OPTS: -bv myCustomPom.xml # Extra 'scancentral package' options
- # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true'
- # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard
+ # FOD_CLIENT_ID: ${{secrets.FOD_CLIENT_ID}}
+ # FOD_CLIENT_SECRET: ${{secrets.FOD_CLIENT_SECRET}}
+ ### Optional configuration
+ # FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options
+ # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: /:
+ # DO_SETUP: true # Setup FoD application, release & static scan configuration
+ # SETUP_ACTION: # Customize setup action
+ # SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action
+ # PACKAGE_EXTRA_OPTS: -oss -bt mvn # Extra 'scancentral package' options
+ # FOD_SAST_SCAN_EXTRA_OPTS: # Extra 'fcli fod sast-scan start' options
+ # DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
+ # DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
+ # POLICY_CHECK_ACTION: # Customize security policy checks
+ # POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
+ # DO_JOB_SUMMARY: true # Generate workflow job summary
+ # JOB_SUMMARY_ACTION: # Customize job summary
+ # JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
+ # DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
+ # PR_COMMENT_ACTION: # Customize PR comments
+ # PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
+ # DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
+ # EXPORT_ACTION: # Customize export action
+ # EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
+ # TOOL_DEFINITIONS: # URL from where to retrieve Fortify tool definitions
+
+ #############################################################
+ ##### Fortify Hosted / Software Security Center & ScanCentral
+ ##### Remove this section if you're integrating with Fortify on Demand (see above)
+ ### Required configuration
+ SSC_URL: ${{vars.SSC_URL}} # Must be hardcoded or configured through GitHub variable, not secret
+ SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken; credentials should be configured through GitHub secrets
+ SC_SAST_TOKEN: ${{secrets.SC_CLIENT_AUTH_TOKEN}} # ScanCentral SAST client_auth_token, required if SAST scan is enabled
+ DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} # Debricked token, required if Debricked scan is enabled
+ SC_SAST_SENSOR_VERSION: 24.4.0 # Sensor version to use for the scan, required if SAST scan is enabled
+ ### Optional configuration
+ # SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli ssc session login' options
+ # SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options
+ # SSC_APPVERSION: MyApp:MyVersion # SSC application version name, default: /:
+ # DO_SETUP: true # Set up SSC application & version
+ # SETUP_ACTION: # Customize setup action
+ # SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action
+ # PACKAGE_EXTRA_OPTS: -bt mvn # Extra 'scancentral package' options
+ # EXTRA_SC_SAST_SCAN_OPTS: # Extra 'fcli sc-sast scan start' options
+ # DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
+ # DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
+ # POLICY_CHECK_ACTION: # Customize security policy checks
+ # POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
+ # DO_JOB_SUMMARY: true # Generate workflow job summary
+ # JOB_SUMMARY_ACTION: # Customize job summary
+ # JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
+ # DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
+ # PR_COMMENT_ACTION: # Customize PR comments
+ # PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
+ # DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
+ # EXPORT_ACTION: # Customize export action
+ # EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
+ # TOOL_DEFINITIONS: # URL from where to retrieve Fortify tool definitions
From 196973618e5cac03cab78ca8fbd2f4ebfda1e10c Mon Sep 17 00:00:00 2001 From: Ruud Senden <8635138+rsenden@users.noreply.github.com> Date: Fri, 8 Nov 2024 11:30:15 +0100 Subject: [PATCH 076/104] Remove trailing spaces
---
 code-scanning/fortify.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
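Review bot: Both backend sections in `env` are active at once: `FOD_URL`, `FOD_TENANT`, `FOD_USER` and the context line `FOD_PASSWORD` on the Fortify on Demand side, and `SSC_URL`, `SSC_TOKEN`, `SC_SAST_TOKEN`, `DEBRICKED_TOKEN` and `SC_SAST_SENSOR_VERSION` on the SSC side are all uncommented, even though each `#####` header tells the user to remove the other section. A workflow copied as-is therefore hands both credential sets to the action until it is edited, and which backend the action selects in that case is not visible from this file; shipping the SSC block commented out, as the removed lines did, would make the default unambiguous. `SC_SAST_SENSOR_VERSION: 24.4.0` parses as a string only because it has two dots, while a two-component value such as `24.4` would become a float, so quoting it (`SC_SAST_SENSOR_VERSION: "24.4.0"`) is safer in a template users will edit.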
diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml index 10834bc..e669499 100644 --- a/code-scanning/fortify.yml +++ b/code-scanning/fortify.yml 
@@ -43,17 +43,17 @@ jobs: # Perform SAST and/or SCA scan via Fortify on Demand/Fortify Hosted/ScanCentral SAST/Debricked. Based on # configuration, the Fortify GitHub Action can optionally set up the application version/release, generate - # job summaries and Pull Request comments, and/or export SAST results to the GitHub code scanning dashboard. - # The Fortify GitHub Action provides many customization capabilities, but in case further customization is + # job summaries and Pull Request comments, and/or export SAST results to the GitHub code scanning dashboard. + # The Fortify GitHub Action provides many customization capabilities, but in case further customization is # required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools - # and run them directly from within your pipeline. It is recommended to review the Fortify GitHub Action + # and run them directly from within your pipeline. It is recommended to review the Fortify GitHub Action # documentation at https://github.com/fortify/github-action#readme for more information on the various # configuration options and available sub-actions. - name: Run Fortify Scan # Specify Fortify GitHub Action version to run. As per GitHub starter workflow requirements, this example # uses the commit id corresponding to version 1.5.2. It is recommended to check whether any later releases # are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability - # required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version + # required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version # of this action, allowing your workflows to automatically benefit from any new features and bug fixes. uses: fortify/github-action@afb2d9e467caf7c6ad273799fc1b65ac492b0de2 with: 
@@ -103,7 +103,7 @@ jobs: SC_SAST_TOKEN: ${{secrets.SC_CLIENT_AUTH_TOKEN}} # ScanCentral SAST client_auth_token, required if SAST scan is enabled DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} # Debricked token, required if Debricked scan is enabled SC_SAST_SENSOR_VERSION: 24.4.0 # Sensor version to use for the scan, required if SAST scan is enabled - ### Optional configuration + ### Optional configuration # SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli ssc session login' options # SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options # SSC_APPVERSION: MyApp:MyVersion # SSC application version name, default: /: From 1c6c18c8ea84422a9275646598301aed90209eb7 Mon Sep 17 00:00:00 2001 From: Ruud Senden <8635138+rsenden@users.noreply.github.com> Date: Fri, 8 Nov 2024 11:31:30 +0100 Subject: [PATCH 077/104] Remove trailing spaces --- code-scanning/fortify.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml index e669499..906eb3b 100644 --- a/code-scanning/fortify.yml +++ b/code-scanning/fortify.yml @@ -93,7 +93,7 @@ jobs: # EXPORT_ACTION: # Customize export action # EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action # TOOL_DEFINITIONS: # URL from where to retrieve Fortify tool definitions - + ############################################################# ##### Fortify Hosted / Software Security Center & ScanCentral ##### Remove this section if you're integrating with Fortify on Demand (see above) From 0486897d48082c68d5b9570650593a60088b2144 Mon Sep 17 00:00:00 2001 From: Ruud Senden <8635138+rsenden@users.noreply.github.com> Date: Fri, 22 Nov 2024 14:24:04 +0100 Subject: [PATCH 078/104] Update action version, update comment --- code-scanning/fortify.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml index 906eb3b..a72ed11 100644 
--- a/code-scanning/fortify.yml +++ b/code-scanning/fortify.yml @@ -51,11 +51,11 @@ jobs: # configuration options and available sub-actions. - name: Run Fortify Scan # Specify Fortify GitHub Action version to run. As per GitHub starter workflow requirements, this example - # uses the commit id corresponding to version 1.5.2. It is recommended to check whether any later releases + # uses the commit id corresponding to version 1.6.2. It is recommended to check whether any later releases # are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability # required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version # of this action, allowing your workflows to automatically benefit from any new features and bug fixes. - uses: fortify/github-action@afb2d9e467caf7c6ad273799fc1b65ac492b0de2 + uses: fortify/github-action@d7cb5974c159fad242153f52f7c6fa4dda065b23 with: sast-scan: true # Run a SAST scan; if not specified or set to false, no SAST scan will be run debricked-sca-scan: true # For FoD, run an open-source scan as part of the SAST scan (ignored if SAST scan @@ -76,7 +76,8 @@ jobs: # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: /: # DO_SETUP: true # Setup FoD application, release & static scan configuration # SETUP_ACTION: # Customize setup action - # SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action + # Pass extra options to setup action: + # SETUP_EXTRA_OPTS: --copy-from "${{ github.repository }}:${{ github.event.repository.default_branch }}" # PACKAGE_EXTRA_OPTS: -oss -bt mvn # Extra 'scancentral package' options # FOD_SAST_SCAN_EXTRA_OPTS: # Extra 'fcli fod sast-scan start' options # DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled) From eee067e3cabfb03efe484a8dbbbed3cc5bd2130f Mon Sep 17 00:00:00 2001 
From: William Woodruff
Date: Fri, 22 Nov 2024 09:47:32 -0500
Subject: [PATCH 079/104] Apply suggestions from code review
Co-authored-by: Zach Steindler
---
ci/python-publish.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ci/python-publish.yml b/ci/python-publish.yml
index 107d347..3feb225 100644
--- a/ci/python-publish.yml
+++ b/ci/python-publish.yml
@@ -68,3 +68,5 @@ jobs:
# To automatically get updates, change this to:
# uses: pypa/gh-action-pypi-publish@release/v1
uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2
+ with:
+ packages-dir: dist/
From 00795b7feebceed43fe2510ccb976238441d9c07 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Fri, 22 Nov 2024 09:48:05 -0500
Subject: [PATCH 080/104] Apply suggestions from code review
---
ci/python-publish.yml | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/ci/python-publish.yml b/ci/python-publish.yml
index 3feb225..82f8dbd 100644
--- a/ci/python-publish.yml
+++ b/ci/python-publish.yml
@@ -65,8 +65,6 @@ jobs: path: dist/ - name: Publish release distributions to PyPI
- # To automatically get updates, change this to:
- # uses: pypa/gh-action-pypi-publish@release/v1
- uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2
+ uses: pypa/gh-action-pypi-publish@release/v1
with:
packages-dir: dist/
From f90b59f7cd6c78cb77ba8274dd8b01499074948b Mon Sep 17 00:00:00 2001
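Review bot: Trusting the mutable `release/v1` ref in a publishing job — one that presumably holds `id-token: write` for trusted publishing, though the permissions block is outside this hunk — means the code that receives PyPI's OIDC token can change with no commit in this repository, and the hunk records nothing about why that trade-off is acceptable. The removed comment shows the earlier default was the opposite (commit pin, with `release/v1` as an opt-in), and the Fortify, Octopus and Black Duck templates in this series all pin third-party actions to a commit SHA with a version comment. If tracking the branch is upstream's recommendation for this action, say so where the next reader will look, above the `uses:` line: `# Tracks the action's release/v1 branch (upstream-recommended); pin to a commit SHA here if you need an immutable reference.` The rest of the job lies outside the hunk.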
From: Rob E Date: Sat, 14 Dec 2024 02:54:28 +1000 Subject: [PATCH 081/104] Add Octopus Deploy release and deploy workflow (#2651) * Create Octopus Deploy workflow template * add properties file * Pin step versions * update some text * add octopus icon * added linebreak Co-authored-by: Alexis Abril * added linebreak Co-authored-by: Alexis Abril * update octopusdeploy icon name --------- Co-authored-by: Alexis Abril --- deployments/octopusdeploy.yml | 112 ++++++++++++++++++ .../properties/octopusdeploy.properties.json | 7 ++ icons/octopusdeploy.svg | 11 ++ 3 files changed, 130 insertions(+) create mode 100644 deployments/octopusdeploy.yml create mode 100644 deployments/properties/octopusdeploy.properties.json create mode 100644 icons/octopusdeploy.svg diff --git a/deployments/octopusdeploy.yml b/deployments/octopusdeploy.yml new file mode 100644 index 0000000..cc1f2f4 --- /dev/null +++ b/deployments/octopusdeploy.yml 
@@ -0,0 +1,112 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by separate terms of service,
+# privacy policy, and support documentation.
+#
+# This workflow will build and publish a Docker container which is then deployed through Octopus Deploy.
+#
+# The build job in this workflow currently assumes that there is a Dockerfile that generates the relevant application image.
+# If required, this job can be modified to generate whatever alternative build artifact is required for your deployment.
+#
+# This workflow assumes you have already created a Project in Octopus Deploy.
+# For instructions see https://octopus.com/docs/projects/setting-up-projects
+#
+# To configure this workflow:
+#
+# 1. Decide where you are going to host your image.
+# This template uses the GitHub Registry for simplicity but if required you can update the relevant DOCKER_REGISTRY variables below.
+#
+# 2. Create and configure an OIDC credential for a service account in Octopus.
+# This allows for passwordless authentication to your Octopus instance through a trust relationship configured between Octopus, GitHub and your GitHub Repository.
+# https://octopus.com/docs/octopus-rest-api/openid-connect/github-actions
+#
+# 3. Configure your Octopus project details below:
+# OCTOPUS_URL: update to your Octopus Instance Url
+# OCTOPUS_SERVICE_ACCOUNT: update to your service account Id
+# OCTOPUS_SPACE: update to the name of the space your project is configured in
+# OCTOPUS_PROJECT: update to the name of your Octopus project
+# OCTOPUS_ENVIRONMENT: update to the name of the environment to recieve the first deployment
+
+
+name: 'Build and Deploy to Octopus Deploy'
+
+on:
+ push:
+ branches:
+ - '$default-branch'
+
+jobs:
+ build:
+ name: Build
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ contents: read
+ env:
+ DOCKER_REGISTRY: ghcr.io # TODO: Update to your docker registry uri
+ DOCKER_REGISTRY_USERNAME: ${{ github.actor }} # TODO: Update to your docker registry username
+ DOCKER_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} # TODO: Update to your docker registry password
+ outputs:
+ image_tag: ${{ steps.meta.outputs.version }}
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+ - name: Log in to the Container registry
+ uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+ with:
+ registry: ${{ env.DOCKER_REGISTRY }}
+ username: ${{ env.DOCKER_REGISTRY_USERNAME }}
+ password: ${{ env.DOCKER_REGISTRY_PASSWORD }}
+
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+ with:
+ images: ${{ env.DOCKER_REGISTRY }}/${{ github.repository }}
+ tags: type=semver,pattern={{version}},value=v1.0.0-{{sha}}
+
+ - name: Build and push Docker image
+ id: push
+ uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+ with:
+ context: .
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ deploy:
+ name: Deploy
+ permissions:
+ id-token: write
+ runs-on: ubuntu-latest
+ needs: [ build ]
+ env:
+ OCTOPUS_URL: 'https://your-octopus-url' # TODO: update to your Octopus Instance url
+ OCTOPUS_SERVICE_ACCOUNT: 'your-service-account-id' # TODO: update to your service account Id
+ OCTOPUS_SPACE: 'your-space' # TODO: update to the name of the space your project is configured in
+ OCTOPUS_PROJECT: 'your-project' # TODO: update to the name of your Octopus project
+ OCTOPUS_ENVIRONMENT: 'your-environment' # TODO: update to the name of the environment to recieve the first deployment
+
+ steps:
+ - name: Login to Octopus Deploy
+ uses: OctopusDeploy/login@34b6dcc1e86fa373c14e6a28c5507d221e4de629 #v1.0.2
+ with:
+ server: '${{ env.OCTOPUS_URL }}'
+ service_account_id: '${{ env.OCTOPUS_SERVICE_ACCOUNT }}'
+
+ - name: Create Release
+ id: create_release
+ uses: OctopusDeploy/create-release-action@fea7e7b45c38c021b6bc5a14bd7eaa2ed5269214 #v3.2.2
+ with:
+ project: '${{ env.OCTOPUS_PROJECT }}'
+ space: '${{ env.OCTOPUS_SPACE }}'
+ packages: '*:${{ needs.build.outputs.image_tag }}'
+
+ - name: Deploy Release
+ uses: OctopusDeploy/deploy-release-action@b10a606c903b0a5bce24102af9d066638ab429ac #v3.2.1
+ with:
+ project: '${{ env.OCTOPUS_PROJECT }}'
+ space: '${{ env.OCTOPUS_SPACE }}'
+ release_number: '${{ steps.create_release.outputs.release_number }}'
+ environments: ${{ env.OCTOPUS_ENVIRONMENT }}
diff --git a/deployments/properties/octopusdeploy.properties.json b/deployments/properties/octopusdeploy.properties.json new file mode 100644
index 0000000..3743ea7
--- /dev/null
+++ b/deployments/properties/octopusdeploy.properties.json
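Review bot: The registry credential is exposed more widely than it needs to be: `DOCKER_REGISTRY_PASSWORD` sits in the `build` job's `env:`, which every step in the job inherits — checkout, buildx, metadata-action and build-push-action — while only the login step uses it, and the TODO tells users to substitute a real registry password there. Pass it to the one step that needs it instead: remove `DOCKER_REGISTRY_PASSWORD` from `env:` and write `password: ${{ secrets.GITHUB_TOKEN }} # TODO: Update to your docker registry password` under the login step's `with:`. Separately, `docker/login-action`, `docker/metadata-action` and `docker/build-push-action` are SHA-pinned without the `# vX.Y.Z` comment that `setup-buildx-action` and the three OctopusDeploy actions carry, so their versions cannot be read off the file. The comments also misspell 'receive' as 'recieve' twice (in the header and on `OCTOPUS_ENVIRONMENT`).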
@@ -0,0 +1,7 @@ +{ + "name": "Build and Deploy with Octopus Deploy", + "description": "Build a docker container, create a release in Octopus Deploy and deploy it to your environment.", + "creator": "Octopus Deploy", + "iconName": "octopusdeploy", + "categories": ["Deployment", "Containers", "Dockerfile"] +} diff --git a/icons/octopusdeploy.svg b/icons/octopusdeploy.svg new file mode 100644 index 0000000..28545cc --- /dev/null +++ b/icons/octopusdeploy.svg @@ -0,0 +1,11 @@ + + + + + From 1cc15629495895cfae7a6cc84033cefdb35a9b73 Mon Sep 17 00:00:00 2001 From: Sadman Anik Date: Wed, 18 Dec 2024 17:52:20 +0600 Subject: [PATCH 082/104] Added Black-Duck-Security-Scan logo --- icons/black-duck-icon.png | Bin 0 -> 25487 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 icons/black-duck-icon.png 
diff --git a/icons/black-duck-icon.png b/icons/black-duck-icon.png new file mode 100644 index 0000000000000000000000000000000000000000..b73482ce501f47c9e2daa7acf2f41aadd99b0e36 GIT binary patch literal 25487 zcmZ^~19)Z4(lEMX+upHl+cqb5GI1uhjfw4KV%ye)lT2(U6Pq{lp7Vd_-0%K(?Pu-o zRbAE9sOnW+)hj|tK@tHL7Zv~jAV^DzseGoRe{X2W&;Kf|>YUF6+(KAh7yzh?gL^fC z_8fPXLm@caq#KLP+;nE-$jLjZs$4FJG$$ZA*S`z#1H(~>rqmj}>% z=Ai))AgBPa&m73-4*-G-_*>g&4j==9_dj_R5UPLUfC2zvRsisS*e=n)e`!CJE zQm{Ob|J0ZV`ajsCd0_v^|0T0DQcC$uU>u~hodEziw7)k9AR`MK0014gQqywLl9%H# zvH!|oWNL40#^CGi9`Sv2n6yunVR#ch)MjL{PT&Q#L~sZfrpXN&CQL$jg`UP$%2uY zo12@FiG`7ch5i$R-r2*>#mJrB&YARImHeN2#LS#coU9yNtnBT8f9o|ews&>mCn5RE z=zp$%wbRAQ{6C!Rod4ae&ki#FEn#G4U}F5gk(s$${r`~tE%_JOKmGa_JHEe_@o1}< zIosR1{%w{3Ckx*{9R6Rx|FrL41pmQTx3h8)_&+573;e&SwEk26A2$CD{NDtMPF7~0 z1Nl$8nE&0Z|Aze+{@>p5C|S9i*=mVdeKoUl{@WK8CMG_{|7*$rrWCcewRci=FfuU{ z_+<1C$$x?VH}*e#wEutk{8!1pDft-x&h~%J{=Y=)ALyrS3Bd9({*Rmrz*c%~ZvX&7 z0BJE{HFuCdT`+kD;;w?e7Y~1Q_3z_@#gS1!Fvw|kPz$J}lxb45s+!9}emytnd~I_5 zF}tEs5$<|SG-F*Ap19SWAC9ahCb#sv)*dGQ?a%4MyI?M>vw7R*%UkzDz0mb__QSc` zR2KK)-}BvNx_bz6`Y?jRZwgt zF;U;yc$ws7qP|ylGRe+8Nhki4PHf~ItGDZ2w@PfbkY0r3mev6_w5mlDW$&igjjMbZ2snz-3RApMkw4}t!k2Ihu z1sQhvl)}ZvxHKJvAkYxHUq36yU}ChRE(cvT5%2I*(&R<>P!vukm&V}L2B3ars{2E zclS5r*kU$ZPIO}>qxRMzuqwZnw=n1v5vy?`TMpofgBD&YuF}?Y*4KHQb{@u<9n;P` zJtddrO-oiVb+omK=e!pd4vazPY&n=zjy{G7DD%#yg2p!G_KS~HZm5hLhfS$@7zXzb zf&)>QYvR;M3#R=ta^mOxlh8xN;=Vr52*O@RTo0 z$Hd5oHMM*jMf0$9XTl-EGpXnuA7}>Q$MdMf<8MDP1^lR{;krfnO3k-;g_{IUFa*W#pq&^`EnIjq67^WLPwo0ML!8`* zNiVDXTV?kF%CCnNSzy1WoyCgF5#gDaR#hV>7{ka=;glBe&V4dV{pTwI6k8JRa*Lvb zM5uP#(t`2C3{b#VFS!bQ(ixvEp}|FXA0Zf9hL}2jWDuVR{Ukm>E$k+kTU0!~fyIsw zcdGIS&ag<(wwAer_GPWa9Vn;Mz0{n#ayDILWGer;owj2b#@x5Pz=DgUP`+i;?+ro#yFu!V!& z`|I**PD^%UiFkT*7BY&E%rn4XZ;CtGgyj#BeIBg}T)xx7Z0Z-QyJlE^P16o#|nX zLx10-aoY8U5CaL%s>Rb`NXE_NS>aiF!xeg@#V&n4tk}HrW=8+k70Y|r%1p2|(zf{^ zGT$%cuKJ6KN#09HG{YNO{ZBS4PdlF1OPxqzR!lz?t}@KdB1!ub#TKoh11o)Y@g)jK z4;U>-9dww+IRGV1Jm3z1F(UzvX+W=IMJ_;6pC0}Q76>3KhU4)Ed$Gm0f5@EqQk)M@ 
z5@&E^Y4w`)t?N;M+`F`BXyf;*&x#NWUAolNU?=^e`|Fv7TTA0Zj5o4#9Z}ls^7`!R zNU3W_Y&E`L8%`QUjKUZ3}(og03^Rp}=_vHLUpsa<6v1fQT zc^ogaq6#wJAPmkferTb*H@P!*Y*imPM+){s+$w0K1rsCy>!KKPHUUS{U2%#ptqfln z*(DEb^a4!4K0ptw-q1wrd@k5c%2K(xW+bu!sq@@E_Jg=k9?lPc*yqZ*Tx487eCZIL z%(mUn>-ei=TxtX3H&+*WJX}JVVF}6FbJDMaMcwHMP7jM9!VvK1p)rW%_F9a=Gty)4J}+3$jU%?t zTh&BVm4$2R0Sz8u(|KjHdrKg(L0r3=Z=cIN*YPDfK&qk+G3b(9RszPL>-pYqh^7mv zrKy?H2dvARr;aWw88!7qNJR!hF=B7L z$4OG3NY9X0K8lADy8wd1!K5>A?n_B77=%)!Evc(XdVz2tCg8NP$?(KxR;klg?(sCv zI@^DNS2ZSJ1k|h^^tUh87IVKNZ|MfNx$0h7=e`*w=vs9wY=bA;2dwdcjn)iU;d^g^ z!lES;YSWM*7U{z!{CHAVcc|bU=RsVy#%sJKm|m)_`MUThS0OV0rP;-U<^v--qdvHmxX$x0jL)1Z!3}Zn7cq7< z?8w#GIvINE#uIf1ye)iiHf=rY>+Gj({QRpEmcmQFht87PNJBW6H!5{Ff3Hu=2#N7F zZg7V|7x84F;%pvL1F0aJunlj)L7(!l5VIt`sDwfdh45!sin*}IEPzz`5wv+&YQadL zfFNYE%YED3=-Biu%=a%m`kps7n+t@g#We-HKb+BWmJV71(3fl+a@J zkgOp5;BsKrjm4+Me`4Bp0f2du$v05t3Pprt(H*Woy6>hlBj7R z10Fi|=z|d8nD9)>jgVvlB-iymZJ^8CI#@13LKFDnk6O*4fvDEaY%<;`C}R=aMHrL+D~}#s z%M6ti>J0A;2(z%!vN39SR2u0M$`4X!Kw*eLn4>!wc0o7=Y?|4<-k;h+`xjR$ZlCqz z3;uUU)`=!Pf%#jf93IOWCgdq=y}PRlT&|7Q>zz!6zR8h?D<27)kF8#4mZh^_CK&kZ zYg)(e&Agppk@n?Lh@Ubcs|_&toCRa1GKU-?Akl4qz>Osm#3(X+IGB#q&C^YR{IEP1 zRX&MRu!aj62lQu?-QNK?#b{gnb@Dlm+AM*oQD;tHML`r^<{z>gV!ldqng8g^PHnd6 zS8NM#xchp|tj&=4ulOS%7_7m-!21TP z-D1+)P4VKJb&Np;d)hdTB^%%e8O*1sQaFm*Y|7cAGhl#n2p@{KG9e#M47M7GWn>LM zxn2SEqQS6F!5rT~6%;{FsF0Cyl#Ia=mAaLH43QczC@eC?uwXOXgc!xgGhs!J-ib3a z8;e8hS^`(4pEG4LSi|G2K5)G-^b*JHtJqOGDb$}{UeWD5;dWIujKk~MJcdhig!WXg z6O&|9hcX4VgJ-0ESP+zX>`>>)?p$~5ZO{!>?FR98W*05T+jx$$}&f(BgA=VqTjcYc2Tyi(JPdp|sX zJSJg>Pib6=E8A<%W3aZHciBo_a3D@jx|9CGjc3q;ktz~Z&2<S(6K6C3`-#Hx*KX zmvC|(E91Hl4aM5c2jB#PI10g83Ha$Z3Z+cCgD3)M!tzMGk!ub8m79Tz;9!w}+d;_4 z8$4vppcLvvP?TltjZ`+H%lBQ**Eg6N6Wd3jn6d|lEoshp+M3DBY$2ZesE>{xg>7}W zt5dPnCSK2OX?^YqsGr8V({5nAva)~Lk@<5bHj{EBg2Ymwe;!F^mn^15r#}!7WUA*G zx{CJns@-;?jk@dM`LiW)Hg(CLOlESY(9$e6K7fL>6BSQz%3eqdUZ+GUloEXuT(X^~ zJ@blxIwRBV^%?^|iVs8Lx(GKMcVtEV;oC#>ok0`m3z9V>0{O@Yf z#qM;pbur4&L^#mE$V&k@0ecW(fCLF?C(__kl$i|`l@UW+s7R4Vf{+9V%mEXKi4hG3 
z3BEcR6|5LvTN;%Dn24${)iTlXS=#KH;LJ_fEJ0kS_tW@3sbX^ipA}@mup@VLp;6^U zdu;O*=`&=sqZ-YqHJpCJ1|LfqOGxmRn>!R&J_v=TvRw452J$iuXlLBDl0ST(|I++( zr&SZ2w=8B7Q|gG`Oq947G5|Z+8x(~lRR$faR_u`qnLIHnVux+Z5`SwRhM0~fFu{fW z0pYfi;KJjU{FA>JuSYP>YIdzw*B=e`==(1f!vSm=#fjmGk0y-ngRFa5F~-3!&Rmk@ z{+EfHFctvidzBevTK&3`dM*v(dO@ILy*jqfG;Sb>0MO7$LxD=iPhX9o{jEaGtHe-Et~(s0e?vl2 zR~UDOM;e3y@Wq8nZikd4GjIrp@pFfx(w+xKQn}_r%Y0AQbp?6=P=gc}e*}IiSD~%& zK{za%wv_FXmULGXsDeJ?>7_=X306C-G1i|)c~0KLh?`=Rkb%mo7;|U(!SuG8Q4!K(ObU*)>7KNb zqmdAqE)Jw({-SoLY%aJ)_1tHxMo+=2ZN);SzWcAF#Ce10k3kGk#Y~_rb72uMlk`Hr zJ_<&m@$Gg--Bh5`8zHMHaj_eYH6kNc`6~{KhJR-ZFnWitiJ5|6zKR3k)k%y!H%s-s zciW`Ihz?>zeXu0hFzKJ=EAbYc3eOD>cmbf3X`+oNG)3b- z)p!y`JPu$RwE(bD19*8m!w^mbu<|@^sgc51^hL4yH|7PRS2C!FgOnzF*ogTsb1|q5 z?z6&4LO|Ke@(F(^d2?a! z82-K*#hloIS11X|m{(BXAW|})W<_w5;ul)h+keZN)Bji2%1`FQkqcn&p|`<4Ei!4~ zYm;Nnpr|;Ec-;b6fpbo8V0}^@x%I%7;YH@h85rZseU1)9=PH7jVBzaRi=Dua;<_g% z{FT6+9WbA>WZ5C`78bYfG2bdS#3~w3+F6-DjeVT9YdCMAeNs?QC?0=P0p!E!C}=4P zhQfM}I%V7>3~}{*H#S5ik&BV1pD2)h0Jce#esKJ85CH-x;weclsT~`L!d5CnEoUn5 zi6sl1mv5J~DOcnZAKPZ9E+L^46Lx@a6#+-GS+w1*Z^ZjobAPxL@(7}w+6KgfSfllX zo8aFiApcrip=-qOz#ha>)GDO^Uaa;_SuMx(o{|O|;6jDdo6$Q<5AsQ63^{yn9S3ic z*j?-G;XoA{!IJtP9etg}gqZ;JCR8JXJh)K7Y?u;Rarg0qi?9bfBGh{^6Gro}{AWWU zq3( z8^A-h-~2U+6~VaT?*Cayx$;8Tas?T6fU@SD{*(Y|3kp(rRHTj~5K5brT1Fb9s{0i3 z1Ndesb{2=NQvOHPX!!c4y}bjB{HPnea5_i?8)Pi1{v*mrI91S3BRZ9I5@HM|zZ|Ok zRPTG7`}g7Px^3l7OM4`$)U^GqTsr2ZA15CT!g}Os&f1<~6;5XB` zI|pV)`th0`2W5K%iifa}63Rx((oQrMGB}X>%M1ug^D{#I?J!&#m=amO|0`P1R(=Lo zeoC^Zw>KRgF3uJTsJ7rYzcYfP{Wh}YUM0VQnb9rmI1@wHkueP`FI`H+dMkpF7)B6< z%X6x}!ynYsr@hiG*ZlA99&%ICY>ijXYkZ+(sr-Yo2fIKb)VS=8^P9gW0g z;7y$zrCr^1cN5M#X?b`}Qc)4LkJHL0-tjbEg=*|LfjhqQg;<#4ii09ld5q%~_NIqk zn-bySjn#^9dwJi4?ro0{$q~Bm<(R&`wUD>0y9J%-y#f0~lu!lUmnZ56khod6-M5XF zcOaljoh_ym>zMK4A{30g*@R3JJ@T|jc}DAKsHJ-UiV-*&EXiLnFR+1dcFae=)>!Be zi*$KnHg@U{%tKsR)mg!V429Hx820mAj%!lzq~?W^zo$@7oNxX3@XC9)?uDOM!7w5EgK-oiq;UCvZ?xQ}iO}9kOuHIj&pi zgW0-S+xf+jdM~1G+P33ZK?*^A=ZF(cpJwE-==*dSgb0h=D5)B%F(_K@D?Y{Sk^DP& 
zL&c*dvoIoem;1y+M%h@;XXo!hn1mTyFp+F?=p!T2Zj-Kk1$>$QqTE1C2I9ddOC&43 zQIsJG5S5{DJ!Mg5NW@XfIloc(W)>G+Ts*wfKAJ0wtgARi4`a7z$!|ZRLdFBUtnPJ& zy1HAdn!x7mz?$#EWlqLX4Z+quDuo1&9?LBLY6!XxmMTn|d)PyP=@`b(L_t&Fw`+4k2;i9oX?Wo{y?&wf~1@#S}7e|{Jm(X_+1RQ^Y zjWcm|6H7u5g2R4aN?BwDQ zfOX*Dx?}GwW{n$XCHn0ekJGoHqv56SnuTc$mO~qQPqLjAFh>itOl*TQW<&A9B3lJXHQ%WaT0da(%DP&#g$n=Er+PE1; z>OOO_hD*&h>uPz+kDH%@Po)_>1M*-`{(L+6GT7X$aB5%#fe6W(dv}3ebyN;$ELux zRz64duERZCW^SXlyont1A0z@{@jwM-u>rU*TL@q!zJl$y=U<*o-AdcFnr+MoV|JH+ zJ8<#eCl9_L+Ct%)Ekpc$RbXLmTK0bKb2_y_I9eG&Fb$EfVZcWtDfq%kgWwaxbVoG=ym6xtZ zE26*6yE45N@ocPWE3{%deWBS&b#hBmI#=7uwia$&e%}9G^FhU-`v_j@l3;o6<@B90 zl@$tn8EmSM9~~&l1VpqXu0BDiH~rp5ErJ^Xk&3Z4_bZXF+sx$YCDo7i>Aj{$JiC}J z`X?{ph`WDjhoce!GgOFoy|77M)luNjvyAV2&38uTz?ZF6f#j~sWk%UqcDc4H)DaGG z?N}LQex)ymI&1zdBAmimi4_+G_(~`y$Q<2)a$~a#C$^chzXX?Vra0ekCZ;!+Th3HD zkiS-Q*@OgcMvV6zMDx_v%cbnM=$r>2l@);6JmFV>Vef*W;fc!;)mo!M?u!p!&srxj zO$mu7YV494xTj(d_j5y0u6lA%iWc(qI9<50@*a#=YFunJ??3n~J75u~!3}-X+FOwQ&<)wkL)I&51;;ux++mzg?omGKh4e;SAxW44{dn_7x zdJ^Xua$c{9UfW@d5;^+j9l%&`h{wg9a!PDTYD{x*yu*6JG9^Qwx`qmgT&xL@*>`h? 
z=sbhny(F6qc#YTs)R;L?LFhq-`v++fjtF(u;WQ|aE*JMa_CyZ{XcxKIJ%Ef2(h*C@rS4W+Pzi?nnfQ(X;mk{>L+nCgmIS% zzTAB%`Tmrh-cmVDGUE(YD+~^(hb=cL+E9u#aR!(a`V+U51*TDLfIsTSN8z*5JZi~0 z>yoD2RQk+^rFQ$9iE}%v=^GPfxO{Io?{{U{y_=}1@gn-R7wQPV>lnG<<|2ofY6baK z2w8vuc=Ls6tfUmnmp1HnN*guV{+Eb|(vevN`6yMGroTW|jB2IubyX8{EEG`}qt}R} zqM{Z4jRgbhuHjHRgPlVWea{yk%$VIkXNr%2g`#sl z&66D(gZl*=bIRgHuUddT=HmNh5+(f1u@g63Afk(q93zId>7Fm>b0nUM814+#K4qka zZ&Z?a{csk)Bzv;a_xS=-p|rXs$9o81DUoa@>!Ae z#KZAiI2wANi1P3nA!s9z#i;V|XzPIdioC0{V7>KzN>Xf5j_8;;zF$l{4>%K=g#0Aa z;NDlb&T63)3xRZc?iuUG#rr{D{;-C-JVG@bc+5{J^^ifYpWbFNX3={mQzI{h8l)iNpMsWEs$f5^;nNeoHlr^yIu6EX1p1q>d@g>Iaa+pJr6Q!ankEuCv>)_ z9mMvap^LA6kWj)U3U@8SM1BfSef?$3QZK_4t86R8S!3^hwocaL5Q3wr>lmW{6H`n# zZh}Fp1DWx1)-!2kV$M75V!{OCIq?zxaPF2&<;xdaf6XjWZhvNBfFZI-t)4Fmnh19@)ZkF`(j58l6!w;%d4^}sbVw-mb2qeml{lKqi?VRmD|*guC} zy*Wqz^h5_f{;SOTfh=5e=CSQX)HGlzzO>a2g9)MxKxaY@g0LS^a&>k*p~-NXS%&fB z)7@{bi{v7=8B+tkIx_2-CnaH$NaJ?~5tm*=B_w8?gQ7r>i)AUK6j@qxeSBk3<4;LO zobVB~oE)M!V$Mfy-*G5`8%Bqh@0g}vNLF6-5+lgRk>=9$)6`?${_R$T;pa$NQQxF3 zcQW$KL^)(%zn5_#fd`PZU9d3`s@ODzZ$X{Z z0;U-K={4Nqx44u*{?X>YnS6nj!aK zSrw;+qDB7vDVkfNHM|8Yh!_d?p8C%r+gEBc1WpEilYl#&JvUIBiro@`)%nd|7gjKS zKD$wWY4oI>)|R0v@qs{&<@s0inB4B?N`pt?FEc{(E=gIil_VCbW6*fa%7OE0X9#6L zj_9Y?oo^PYZwFplmRwm=10AvLj@bNlUedd1>utcN>vF}C2Yx50l%l1p@P)1;)Y>(c zfdfC%w@m*w(G;;=xO4>hcYXC=aPsnI#Fd62OOepP$>>GwDQiI&(TvW79e4lA$e%Cj z2x8L}kbRpDMtHC^xic~$h{fRP;pH~|noeOVKm)d|?7*am?zwpjg*5|#*sEb~?vyZZ zmf|S0Q#XDG-EXss(~5`FdRewB-NM5J<1KPIvr<;5Y9pQ4AF7b*+tY zFt|wWP#ZT0f||>K$d@`y-I};WFziy|vtjdjFv|wwI=DgVMbnUO5g-~<76#ude>{6w zkg_$(#}zs7^eLmRoI;~A4PT=|H!s( zHq9}U73;mFj9vH3^BGc$en`NRu=Iz6qP`kG9j;Uz{ywv}qMy=rP(_dS^Uu3fi!!;_ zjioh-{8?O~O&(BBYKFrK3jkLz*%wc`R=3p6Mn(r zy05xjo>@38{2;z|t@mq~LHB_}d=?86RgflkqP98-`OL4c#8e7Oj|u&7`b-?d?$+q2 z@)Ygia;kNazqv$@eNDt^6OyfiBKH&Rd_^}nXEMKB-_%4z6L7WYM{i13g6V_((#znB zy@J+FWYoXDx;?n_qcfQ$B4j(uSn?8uRA+gkVd&PBDT>AoCCWpuMApU59~BBNpaEaH zt#34PXw8+*sXN)M$rZ8Annf^KwP z5X?toTmy}5EccWm$*bGZ9vUX`5zPk2d6Y;qt!xD3;ToCT$VG}ntf%VpLYme}&j-2z 
zzL?$9bqjn)SCAJ81nG!i?@>@dQSL?aPfbevG}{2s_6fX%-olf^EI?^}s7@WreuwEzBAPlA{{Z)yq0*IPmXewwy0D@aE6NugXyuWrD6z4|j7w7q!xi(frDK2O;tb%ijQV?JL zwON*+!DFcI$L6_gq%}P|aoPTqWxeJd<^7!kJmqkjyzpZ==pN?cQ2doybr3pHJw^l; zSysE3@drLiz1Ii>BKn{^*4+jq(oZMaFEW-KvxzoBC_6o|?JyXr61}N#CNB9kWBiQ- zPzOI6N|I)}-Uzyg2^8xYGU|d5*{gohXyMVCty&jw(p$XqM=;W>yR4}rZpfWeJ5U4% zk-{#I&@+P9?GFLUFK#33SrDLDnjfJ&KabVzf>EjsV@2%Ks|+$wiV+Ji)QN>WD(#PV zJhgjm@0GFtSRVJYWQwIY*=M?HnWCLDN5aw>=r}$=(XDpDt*+rmel_MIX`q*ir}Y;e zJ!BA>BLl^P;M0enhWN+riQxJ9?K=7!RXp1q8((wnxr?&hV~kKP zA}l>!54ZTfVoa;@D(P6zS7@eFZ-(sdqxCvaanSiYI@qPnIb0bq?rUr&#*cpBa9ocS zH!f;wQ?LM4kbMET)zC(u6#O$1jxva+!{;YRUpqgK#XRp18Lo3VaT-VVp;RuP5FJY& zOlhTMeRTOTetB)UVLg+NchpsD{MG7C3VXgz7JrV(BP6!)Ue`FTLcV`;#Aby}h_{24 zJfeRa!9G1aX+F&F!>()rTy3sG!`{^DO35s$Ga(U^(xz!}Dy!ixxR?|X%Ec*e>c$OG zGuM1G$&sRaA_+!<-V5Rg=@rFC%IyQ4IGcL0OMyOzQg`d92C*w`Z?iC|H#`s?i}Q1H zJVrC{uy^_>Je`ndLOtV%^KJXqW~<|wt2Y;!cVS=G@jJE})^NE=|Db44E<-IkCJ_`S zCC7zgf3{ALc)3}7HR}tsf3;M3gJzjJWn47;O?JGt4l3;8Aem%$RjshlZniYJ*1Xb2`Z?tw&4CdnyA*(R%si+g>-Y~0~r!u zH(}62!(7GU8$2&Xj2Zos?P?Rnxd6({gy^|GPdg1xZKXyo_X=w z8J_yC8th7|Wntz|R50x>&!$Jg=Q&r&pp!J>%C10G4Rq-$WAvwJARPpXHyM!T`!Ex; zl7hgyAlyOHH%gW>%HoQHqPi>RIqQ7#bGK@9pe)z@6z;zlBsYdjEao+y z#H9?_zV>x;vLJ7KgZA^BQncYJ2dmSF<*68V62vM83FoVmRQ>)>kwA)4)DicK#zfrc z15jd!Z74&z;c%eF5luKk)GLX?{EY;$h#35CtM-jaCK0(uBwD6JgOj`;up03^8Zx?@ z`)jw4p(;y{m!s34uRSzf7dL(h`i|>y6QToe=C+`-M<>s#yvi!*Q4^jN$ies>s58^t zF;14^VvU#)-CQS-nvcy*(VRU=e6rt*jq$FX2Z!|sG^X^&gfSUzMSsx=eW6+-`$O|X z3K}{}cmjPCJ(@Vh;8m%l$g1qEW=J;UNsb!Hhl_!9+m|Cw;3_Y8WaLW)_4f1h`2yhX zZ7^2y`&3H$SoGrZF@)fw+VOV-FTZc6KEG4BFZbIiZ>9z}^1QESyB1b!IN2rnKzL;G zZLqjlu2z;ckvgr4y%ql9Pe>)`y>f za8RpbJW>puUjeKJ!kv*z>d}WUg0VV|iQ=7O88xqBLstiNsDhPXC?OUch``JP|tvc$J4*U%s`H`Ky}2qR3c{M98t{4>Cfjb~N= z!tZp03aP2r8fY+GQoK+R!`#@+Mi?ZpyECi26EHDWv7(}cYxSoXIJ-j<48sHxP{3t& z>0MHsXGva!q)8jjCGdlba+-DJ!sk)JXq&Rw^E8R^a-P17m7kz~iwKb)m=Geup*1tj;L!=Ul?v^9OledjTx7-hY3tmrH zAon~^E)*v!TM}~Bcwb-U~9b6jOl{A=pR3NeHO+ge50zo;aMaWi)c7V 
zlKFP&ImiJ{u3TFJ&ug~cmUCXn7P1DOgF^LVxsQj^T-vTvR*NFd*DJ~WKR%g8RP=KN zqmP;hL*|U_Lm6h`)>_`;GG-3U>@oeyIDjndu%t&{ux3NOU8gK1S>)Yo6G;hfkD*wj zEGg{Cp*<=2%FojUE9eWNouAO=F}EiveSbf{Vc`4DYLKX-&FlKYZL43PB1*z;7-5!bD@@_92?B__fc zKW;0&joM;F?@Co(l{z{&7GOhp+@U_GXAsnC8axL|Q%`x@?B!gDb!d&SL z`p0<+Q3Jqr0bg%Df)!r2UdNG??h&Oc*|DrCu*8GV#oNrDN8@9kkGqoFxrv^f^^c=< zmcT<{!PlITXjM}-WQ;rw{%~k^WKGgOTyz_YVV?$;%HA~IH6>3TQZwgJ)QueHRN+5~ zWpqD^AV7ZjHKVp4A=f$%(*h^+3k>gs#AQ(^sB8BzkOT{NNwoxfSr-2kiD-Jk6hymz z8CFukDKz99xqaz*GSFY1$bF$)o{05P|8`VBs*+_M$|}dgjg|=JiMyDjr&iNQFiuR3 zJn`V31C0pahs{475@K5T*632nHWWS$zQ@^5>$pX_@!egD%KBe1Vp?T^S>TlaYjP=w zc|9)kgAf)nj@X+UiMY@21G5+c4nMYsF`LnM8GnBKuJiO7<_IsH!}nb_f`1KEMelK zPM@A0RY<2TPer?47R~Z3E1{;WY6BYqyBT*0Ppz9Ja47n>`55fxc;RX8#@kWV@%m<0 za;xnV?bKK-|IVZB)tab^_g%*IdI(W&yogpIQ4meIQaKkaJx0&1RGg`c)xzh;Bg_nf z;F7*d9PJk+?b5|0CX=>epd;>W!9bu|ynr5hG$=-$e#t%t$adUyl-~FGQ7+rg`rRnb zZ*^?gGUWqaRgkZLc62}egm~Nn368KFsM4Bm&;4^@Q+{60f`S5!UJkqbTIkDXw3QZ3 zcT>L-`e}r8x^m%9KkNd}6PSD2b4lRwDqE(<3InP$KKiW;TWxY zKz7rPS!~dHYasJ`(-k3(y*G$MlelrT+L)?f35$hJJ}IP1o1>#G>*t8h`SLv6#c;TJ=%!bs}F+71vNRUlx4N{267sA&&ie#TqK33Q_;Ft z1930g{-6cPw$JCQjDXu%*c`!|t_kVbLYU5wy2>ImPQb2B&B5?NXi=RDz&!2y(43eN zbxlR@(@GiYk!~p!3??Le-FKYJ@@T%APp&p7%ne^F#8Wx%vVA^9OO>gJQA0%VM*vzY>KvTF$!XIY!#M%! 
z&JCgmD3F;@3x%KALG9#}msIxLW8}WlW5ZyPn<}BSljx(QV1A+FCWBg?!|zlY*2zM+ z3Otz+r~ygO5u=`b1XGvTX#LHQvWWV;aDrV3%w&W!qTUC?b)@PAy&1&h7?7elrCSUx zha&4P7iQwvF{=eNnj3xNp@E_j{tQw??z5brPbYyL5|L0b)KzyJ7lJGj!7tY7Xmw-% z#GK+~8Zd=FY0ijctXPcjPQF18#!m(d(4Gm8UC^r&U?ZpD1G*0CYoXItg~Uw=GgH?q z1&lI3<|!SF!m*H+!Lo!av(u+J14BeSOq#vLe+jI=Ar+L|2P@nn$`#FymHxD2>0!1q z{`_19zmoNa$ZIvV;XHPk9RKc2A74VHP$(^z24$3I1kY0RfK9}><;jv|JEozB~w*X_VtTc)e&0*0zNWI|C$HJNpCsxjl zGBqW-L3Az|azyaG4m)&o0%-U^ZrcSuhhnw|`~EA(;|hbv=QE2QgOCR3RZ)nM&KGS< z$P#I781An;d=!*2e}3Y|ulingT9``m|5@6b8JdtBW{{``)K`Wql5VOGQj zBj4N zc&i;oAPbfd;CV6AoaQG8=h*Hgaaw7L2M@-;>(ZC7i~=Rdo4(AhtKqrJpWdl%=Ck{K zosTajamHARbpRo^j@C2u4^N#o4CeZH)KVjeqND8v&uI4TgjRY0fBkTsEto4@|5CkS z09q=GBO3Ux9+vwwo20^4UL9V%+Dt^qVT4_Gw*`L_PL{Ltbk`==(yvw7%hC7eMGakW zaF`u4L)MCTxOl}KtdaJd4!AXY4XxD+mE6kf5md};@r%szJdfXs=c`BDD7dr>kr57^ zF^f&nD|%4XQ49j&qp=Lt<Ukdv!1lA8i1Xv>K1X|mviG@NFMXyXDL?Z~MS60pHW8eYMsIyq|- z-NQyjby1=~HrC+hhx%>Ncj6Jg)iJe!@<_D4425N5lfF7)ha?0tU>})a9dN}aC?OO0 zGZV8)la9`D2%zXZF5>tl-lefXL(EBi*@jgralnypyT9uU(qBe*Kv8fMx=`p%WkVl^Kz;EkxbxoR96}2ZZm0yVWusSV+fPDmYqeY zzI&2sO?!hrd(K^?ICN&M~3oiPmk%hu2nHbl+@+_JuPdK8G zS@orK5Lw0}_*R$-1O_sCQGM!F5tY6c@(u_!bf)q}Y{&D^YIY^cZx4Ad-ft z%%F#K2^@FQHuGg6e$yNmQ5Alk8JhLVRF?83i(&}lIP}IPJFb)L3^$7I!S3;Ejn&}h zq1X0Yvq8nrH1BpzE88EfKq_Y`QF!)9nHm;CaQ*}k(uIA4M*I8Xdug)@N;J_rHq$@ zk49Kp8^MNSj%5=*09*}LgU0f}5TQj*)MbYq)@X&rWRLb&u>w_t*1&}@flC8T0#R0G za<{d$R8Z8r#x?5a^P=+f>~9@gv%z5)GM1;4E9P*bC}=OR&la`{HU{gFP!l50BUShJ z4XMC6wr3ut$g7N}3zufL^0`H_juw`%iKcPW0fEiEW zMsEIRBPN%s+-p0fN5UX%Kt=>;Arop;(f<>nAYR|NG`u}l2sSxVw9R0JNR5voJkmiH z&>5{+U2{txKI=Te&gzuUHVgB)uOkOX`(($$wd>cU8@4=@H8yhj9g7X;lw*Rmej`#1 z6f)F^)F}7?SSY0sIVmPXWNKxhlu0EnHUZn<1n=WoNwu{o6swt&$bw90JpC%p8J?pl zV9KF#K`&V&97YkwP$lG1j*0-EqS)dxIp**s>GD^eo$=_fIb8=tG}9?yR}G|VZ~ra6 zk>OyS&&Y{O7^yD`{I5U5cwRN+)cVPpk0@`)~amOWm=S+E=U zM8SXMNVP(!$%3L?X+YNNOaK5MlSxEDRBI$!X%x(ilVEbDK`SR0^trEyh!Gmfi}wNo z2*l`K@>`Mg;Q2>nTY4W$+M2oog6RYHV2OWc%dF%Fzx_t~*p^2!ejp{wxeJP@I;8LP zD1kh2M469_cqgE&}iC{&>_GT)Os--=GnZCuOBNtX6!4;dN*Q^d7(u 
zK#iT)SEj0zhCq#ip$exm3L`71Cq$Tf0?qK_u_W0t&|iL{bl~XtCdhxh)X-qQ1Diym zl}5p|l`+UifKrft7|MRdUPZr3Rs$AqhMs<5M)=2T}&L*lK%Ot&t_!CPdUv_ zjJ_KZaP70;_JJpo_NE!hcdj@;-L!oJ#v<4qL=>wV2Q+I?i?TO+`Y8UUJb9A*H zk@p8mHywPomOTSoW&5LVUH+wX^Nz>xUL@a&*pjMZ5DdV{sX-a&S9OL+jiQirQgW&$ zP!XYZId2ppAs-r;y`rJqNxT>cg13Z3m4XU#nnUG+UYtfaj3NS~V4R{IT@}F6sbLtZ z0%k?g&$+@VK05dnS<;Z6_OdsU1IyygURpW!eKtsqk7w8lsdXmHklwKVTDBs-Jb_{Y z(8o^%DN|KCL$J3QMVMW5qOjvAPOeJIw-Ij*B)ye0S*Uak-nz83^aH18pcKqeREbb( zA6;EQkRCzHszzbbQ+X!jI27#=22gZFokOw};fBbwX3Q)7%iF#vv37IhxFY3b?`uJB z`NQwjzj4`l>9(FtWp*jd#vM-8lP^+EhsBJ>B$Tv}re4caY#}7HIVN`cn}R-dhnG05@{EPD(cjC(jY4*M|TbNm{t zNVp$fGLQD-fXF6{Da$P0qC`9~^moIA9Fxj) z2m>fOqMkg`v{ayH9`cS|E$$nIZ%0ZiPXAEGJ#6RA;9K_T;xMB%xK#>s=@nl~dj_`S zgeE(qRj9*!xs6FEX+BoMH6sf-Y9jR^R+Gp@PBC#qE^Dw#<%Zu=%o<#!StrescOTgB z^xA=;eok-6H=2@;ra|91MF!PbQ4yVE@PMV8l2H`M)a0CCMMSiPNMV_*qNODn8%th% z%(C<)N1t5gSrju`r_0j#OeQ4ebRK|hfi|Xh+rqp{bOV4sI(wQ-L@$!EnmJ|45W8%`yJTf?tZNF#Bc-y zbuv5WB{|3ej;K0dX_cj_7L|a0;6k*E3XuV=mmMK%wiYp^4M9E)giFP-L?ivPSH6uA z8ILCB4A69OJp*Pl?;ri<;OzyUwWLIJwvSP)OQIzxAX0F%4>I=iGB@e2dM;Vf$U(oPL#HmBw zaG2Xma`wbrs&30%AX6wH!)`r^T9kq$;T>s73_3s-T$yVrutlClXhd z>Uk>5X8=id4M{FI=K>7K)65RgEmxNQ3bo`-sC{N!qQa^w0ZMdn00`q<0zY_{Gu}|S z%;&t3Ak=T&`;^>R?ts+TXpxU1zyl;(JnkvM59sO4XO9BP57XuaW8t5`#-Nxf$qEHq z$9Ei69f@-5`Z?Fdk zy_Iloh}5!3LsDr#NuSDNrE9>e6WJUYF!4}qHaa?zjEoFrL&Jl~z)&Bqe(b8zm!W@G z>Ko|A;^EN-oEVf2jtn4AsNy&)f?XNefD8gY6QHWuf36I_XDtbzG4Eg3hxVXGq;d)xK)`yz@Gz*FSd zYPB}CW!S#6y!NiE8+rWjbTN>jvHoN(X0+~j`1;a4kKSH>_S0V=8(X`FO0i0c)HEsF zUSt%S-!kf1+Ro>Z0p^UY~KEO^2C-6$%f4jCl5Y$cd}v21HSgzmy+NM zTdfdgzKUE(!xuGlddo!q!SjyD4w!Rb#^csz&zPHZcg-&2%(}FzqnlH;2|k2MIZexT zM`}DY7}Nd3&Z~0AC=%l2Kgc%GHVUmsx^>4UiL_^`FfY@>^$qt*Ij&gyqvVJKk6~A< zdMmOMCElY(!Te~Am>_Re$jVsFT|%Az!-{`Dc_ZI{;PM87T9I9N!P=%|MS?y<_VcEO z#wEjP2``Tt8aUm_)UjQCHaOIu?daPshJa5ulZQ6mm)!oq4WS_fH7k+x@7i$aBE+y_ zLW+5!Qy#im{B;Ghbx?{YPcAe9>|nV{i?GTdlH2F=tFQi%o`n5pT*4dtI9=dnUv|iX z!;=H%E>7mnT$s&*5zXkFm2|Xprd-`xYQ%vp%pZ&fM<&U@903s}zxbhn-Sf!p$$gLA zQJUE{Pd-2j(%R=iu3(li-*{Jc 
z7IGFQG>{~jHS0b>pxO8d_Obmax;&+xzOCggJ2oYcZGI$q;L*F2TkpF*dGHB&ZxR_o zd-DuFrKQVdj>Q^EMzE%7WDNe8Y<(GIX7_^9vSB4MwiT6CsvZ>{ zx1_kjgr(j;>)_{SPhWgwvKU82&!4p@!A>VQ)36(78McYhI0o4A{TtV3Utax5DL0LB zI=Z1zIjb;TbHioXVT+!{ErO!^JlQhuQNu9LtqHR-Nir)ZYeG*bX)HI0fy~-wUVSh! zQ~+W0HnP%Ro%)_T?tSFWBYt|f6M@9gl!N8!`cAw2kG$zIK}?t4aIi-XP)>T?6ix%RI= zbMgyN|IvZ5Ut5AC?B8c6o_Jy-B54#q!Sy~l@Ud++o+Di4I)l)c)bcUx>_9ytP{(S(LWqv0-#95O$9rluSv2@lB~9x zSqX5<2L^hx@htg1iNo#{!;yg?%ol{|ZTGLe4*t!!o?~(BW=(rXeT|L}$u;c@Tcd!S z;e$)ByKPN&;Jiao7t!aKQjMGv@uZu8DN3zTLPQy1<2Y8j5w9GsUUBZpcdlHCl_e|9 zG1$sn)VWln`L-nzZ7D0?_T%{T!vaqGz%r`IHOq@<>z z)?`r9nnaU{R6#yXnZ1JbUqtqW8!oJ92#O5EE;C8K10MFp`0l}rM4;}bvj)tq=8h+D z>Gjy$0j|pZCt5F(O~Or*T*>I~lB+HVA4fG{_NsRqW^H8ran1$jaQq#)A_HNIK}&i7 z*H3ZLsnM8F{dd}HfE&$m5@Xex3$VGv;C?yfsPj0t2n*o-s||%7FBM-TIZFdr1WdJ zNs`r&5JXK$Sk}PreXxtgS1Cc4TLsbttY#qE)LaItTXAt*Qg1~>W&6tyKd3TG;V-)U z3-~N|OR&K}&Gas zm|QIbVZ0i|mjQD-qp`udH{CTbINFO=WI^)B z^;f2kY`RaTeC^wISN(RmE^9sBWkI|f)r4_s7b~^X(&yiI-ts|yR$Hs}prnZmgfwap zp98F|$ZjbHh1cD_p#gq60GIv|XN%yIP%dJWYPid}*Sfsh1XZh=nQ1)+dp67%>tc^6 zDS9!O&&Fg7L|YNATKv2fP_tReCsGgZ>l#RtzLD*6w#d)__?`6e?HjTD1pE0;Fczs= zYBh>#b-5~IQG^OBiVJZmmbJGb&*`U@pLYUU4~#v6W$htl2v5d9NUyEPX92UjRUeB` zEBlSZJP#Hy+TA6wm~|bdIB}ZHRGil1sc}_FVamcdbJc|X7Ve$-&<+_YOf>e;gePkt z+KTW~x=&hWH5!#w_oulAb_{Nj68_-o|4VoDZ^Nh56SN{zuE(_$ICWvlfyyfjF7dVO zN0;M;;AF-gnv=;I2^n655`|3@o$YB`@M zH}&|vUITW@H@W8K%Vo+}cA3-~ss1jNLWNANY87#Dh6-=Hv7}^-hVp)st))|`^OKsz z3X98Dghs+uzCX0^q^%M3b+?aefK$G++UF;0?_QH`*!-X!tg{Ect4^!<-PPpxh20Jk(FMrOd8J^OzGbR@RPV88HrtYT1CB&t% z_LhzY?Be-OY({-8r*;3~+&53zKz61DVd-?h{-1!k1xRy%16X&{R|DK$c0B2Bo5Lce z>mR-qTgK|T)>@@zt({Ue7wSoKDWOSXw5_EbUkmp9;;+v=`5UXwT-C7R!X-O36xdk< zVK#KY{tl}ahE4V?qV7#!4fGA|kiuPk)6bK^p@EG1DpxFppIQ|cd2v0TK!3%=+-J85 z`#ujfW~H+ykT7BN&Kd{>vlU^>aTBhO;-cFrD>bb3-+f5~+;neN`vP>c)}@bZz8`~i z^t$EEdU36tsBFqL5uL=>CLV8V>EK)bcfb8}CqK-t72kbKN^Swst{4c#(ID8qei9eY zRiMGtjRZ>AAKWpE!K5J^F)_P8VLN^IwRK$_?)=q9C`hykcp7PaQ=~`)i zcGW*nH6_9>Dc>Ty%85`sXV?{i+@8TCH4}?s7fcT~o8n2nXpLj~syO 
zg}6p=?JoHcRd;)%2KZgbI8NFc85zl*|BMr`L3kri2SZlb^PYm6nnC0Rk9M|o;{crg zkDYVwDgR63*x6aDyx`r@f~ZU#2)z@CwYciz5!K8z_PMulciY_LmIwZjZrJkBq&~@Y z>Y!2R<&aYbIPPf1Zv8)paeTt8wOXRDA*L)W&#*fUghkaB<8^>J56G^U8Vb~mtE*nSFaP5WI9G6Fba*^%Xn4(vm9HJ( z?uff%+!1DRcN++0bMBAbtKZ=IYg}|Rklkk0BC-Cn*JwbO!4HoOrVl@HpDcryamemB z3R7k~$ieyb3Em36{_OvJ)g3EWu4-O3#f6BIQJ{8-CPOsDi%(ygWy+1YQ_Yw9N( z?ZS*z|8UP|vGLm%R-#+AyJoD4lHHRA5_YNn5{dr;SKUa8?!q*{ajJJ#`#hE;-LUBa zIrF~goyaa0b)=)Mn=@A5Jm<5o`A5!JeQf24dvp?LPZ|hy!Lf&St4;xYEv~weKnc^) z@q}YK9+!<%lF<{|oxQAVq_b@XjpIj{&gBDF+(i3YDc#Qcd)h#lFIu=73CALQnOHXx zC}Fy}!4d9Kn6E}7+0laV0lY`ulVKn%fDYO@ z1~~!OEx77N0wqi*He4TSljA!sZ1 z&w%g6^%Y!fT{x-E)xdSP4{3le4C%0UZ^|7F@s*!!d_BQCkrA%S#j$8*?A-W<73ZG% z1HK{WOTaz-o?{}_YUP}WZcoOuOU14hjrFUzmg3?j*))#&(iA9RUvlG_>0&*;?NPic z93PiKdzF!;t^D#m2aMy9Qkp)O#$mn&TsHPp8wd5iHy8->K^0Q79EV(u>sh$M{kH1k z5-4P!aMl>G`yy5qmTT3o@iKPU;$R%#b6h^!)$**r{_M%Oa#il0Tw66&9X{1vtbBgi zVzA}dfNKe^3viu-i>}_~GJ4o2e(_GE`VmxFGK!-Unz&U^|Gc{q6I8zvgcMYyiPbuq3N;nMEd-kNu0aX)svYq&!g zPw*T=-m8*XvzU%z>)s~rwvIJbKW}Mndh1{P$4Of_-T)rm>z&`+ZBJ@@Z?0r&2<&p* zhl|ToK89;0F6LXiV>|t-7BcE?H*27jHezaWELkvXaf!!8V;oXWvUI$ywXJDjcwnq| zpy$0SK6i>7qPaVFAKA^taN_pHE|$xj1+>dWL-;tZ=i|B&S2Hf+7+-gLi3S>AAavaw zvw3#NC_bVpb+&ai4Gs@niFYK=q;Z(Vh8a$J+PMv-pUk4}%`Hf%2kmmvC~m;TZ#qAO z>l3)x!f*zR#-d{vfOYp&Xh8Pp9ZSY$cFoPY+Gk>kdT$@PRR6HzbFblqOS1CJRn1sW zHIl4;DsngVH1`z)VaeF#Vz-KUra}BWu1j$J7p_0SMW?OJzR)t798a&`al8%ZK)h*Q z_W{Z1*vLiYfr0nG^ZYZO;9K#dZaXR!Vhr2%rM%4`Hf4DdEKjk6UVWJ!gc@2)d0Ix+O49|ybsqFTxt-!X}ozFuKT-J7tS!O zjvs>mc3k3Cp187+3k_|s?mdMX2)l~hO_|-Veq3r0bwlyGP@U|GpEnFXls<@yTRhRF zC!Tm>cux$r{`-__Am8m;h}?V@SKd%Ke%Y1Eu|M-tcO2)b4tP%GCveFY@9^o^o#MTy zyS-EcY|_I%FAaq)%4S@8V|kN#)yFAbC#svgPaUxZ4j(KJBFs+{X5ms-Hw@LpKH}#M zg-^Nn;<^)8SPAksKaAU-VHyN=6YAiP2%m+E)9vc&hM}6+NBz8^u=(e#*H3VT19LVr4U!&o*g zYiJbI#f`Y$k83e5b$qyR@LeBcs79u#&zr2%!&=0b0r(=W`*4NELYQ3*j#=`RC{MR9 zgjoh1gXQyk2jV`Bi#yJQj{4%Y-?{z$Nx)WxhQbP?j$MbB;Cd~tlW`r5D|CG7@}i^u zC}VHcBlD?708q*r=9TeWy7O~fKgM+(E_I}%QP7~Yyc)OP_@T1)n?hG9s6HXt+u0wH!vpNVm$BLGJimT4)>qQ2| 
z6V}SEaFMUPYLKMKJ8qVH4=%P6*WltT6uVLEGOD8-8U^#IdDXc6-Vbleey@xI1yDb% zfV@~~^Q{Zx55aXLF19r6jvayPU|c*4K;J9_+@p>&O`CAtkBbJty^n9j#n$05TzRLh zCCgMdioAA$aNR%xWlRDL4Tcq~S~sK>ar1F4!gZka*)>~$Yc4LnlbK Date: Wed, 18 Dec 2024 18:07:23 +0600 Subject: [PATCH 083/104] Added black duck security scan action template --- code-scanning/black-duck-security-scan-ci.yml | 34 +++++++++++++++++++ ...lack-duck-security-scan-ci.properties.json | 21 ++++++++++++ 2 files changed, 55 insertions(+) create mode 100644 code-scanning/black-duck-security-scan-ci.yml create mode 100644 code-scanning/properties/black-duck-security-scan-ci.properties.json diff --git a/code-scanning/black-duck-security-scan-ci.yml b/code-scanning/black-duck-security-scan-ci.yml new file mode 100644 index 0000000..ab8efe5 --- /dev/null +++ b/code-scanning/black-duck-security-scan-ci.yml @@ -0,0 +1,34 @@ +name: CI-Black-Duck-Security-Scan +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout Source + uses: actions/checkout@v3 + - name: Black Duck SCA Scan + uses: blackduck-inc/black-duck-security-scan@v2.0.0 + with: + ### ---------- BLACKDUCK SCA SCANNING: REQUIRED FIELDS ---------- + blackducksca_url: ${{ vars.BLACKDUCKSCA_URL }} + blackducksca_token: ${{ secrets.BLACKDUCKSCA_TOKEN }} + + ### ---------- COVERITY SCANNING: REQUIRED FIELDS ---------- + coverity_url: ${{ vars.COVERITY_URL }} + coverity_user: ${{ secrets.COVERITY_USER }} + coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }} + + ### ---------- POLARIS SCANNING: REQUIRED FIELDS ---------- + polaris_server_url: ${{ vars.POLARIS_SERVER_URL }} + polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }} + polaris_assessment_types: "SCA,SAST" + + ### ---------- SRM SCANNING: REQUIRED FIELDS ---------- + srm_url: ${{ vars.SRM_URL }} + srm_apikey: ${{ secrets.SRM_API_KEY }} + srm_assessment_types: "SCA,SAST" \ No newline at end of file 
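Review bot: The `build` job declares no `permissions:` block, so `GITHUB_TOKEN` runs with the repository's default grant — still write-all on older repositories — while a job that only checks out and scans source needs `contents: read`. I'd add `permissions:` with `contents: read` at the job level (plus `security-events: write` only if the action is configured to upload results to code scanning; nothing visible here enables that). `actions/checkout@v3` is also a generation behind the `actions/checkout@v4` used by the Octopus template in this same series. The file wires all four scanners (Black Duck SCA, Coverity, Polaris, SRM) at once, each with its own secrets; a one-line comment telling users to delete the sections they do not use would help, since the file does not show whether the action tolerates empty inputs for the others.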
diff --git a/code-scanning/properties/black-duck-security-scan-ci.properties.json b/code-scanning/properties/black-duck-security-scan-ci.properties.json
new file mode 100644
index 0000000..8376dbb
--- /dev/null
+++ b/code-scanning/properties/black-duck-security-scan-ci.properties.json
@@ -0,0 +1,21 @@
+{
+ "name": "Black Duck Security Scan Workflow",
+ "description": "The Black Duck Security Scan GitHub Action allows you to configure your pipeline to run Black Duck Security Scan and take action on the security results",
+ "iconName": "black-duck-icon.png",
+ "categories": [
+ "Code Scanning",
+ "C",
+ "C++",
+ "C#",
+ "Go",
+ "Java",
+ "JavaScript",
+ "Ruby",
+ "PHP",
+ "Swift",
+ "Kotlin",
+ "Python",
+ "VB.NET",
+ "Objective C"
+ ]
+}
\ No newline at end of file
From 84747ed35587c6e7075987c2c7e62744d8b381d2 Mon Sep 17 00:00:00 2001
From: Sadman Anik
Date: Mon, 23 Dec 2024 16:49:39 +0600
Subject: [PATCH 084/104] Used hash instead of tag name
---
 code-scanning/black-duck-security-scan-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/black-duck-security-scan-ci.yml b/code-scanning/black-duck-security-scan-ci.yml
index ab8efe5..2200b6a 100644
--- a/code-scanning/black-duck-security-scan-ci.yml
+++ b/code-scanning/black-duck-security-scan-ci.yml
@@ -12,7 +12,7 @@ jobs:
 - name: Checkout Source
 uses: actions/checkout@v3
 - name: Black Duck SCA Scan
- uses: blackduck-inc/black-duck-security-scan@v2.0.0
+ uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9
 with:
 ### ---------- BLACKDUCK SCA SCANNING: REQUIRED FIELDS ----------
 blackducksca_url: ${{ vars.BLACKDUCKSCA_URL }}
From 9351ace4ef71e2c5e689d880ae088a78bb0300b0 Mon Sep 17 00:00:00 2001
From: Josh Soref <2119212+jsoref@users.noreply.github.com>
Date: Mon, 6 Jan 2025 09:13:48 -0500
Subject: [PATCH 085/104] Remove trailing whitespace
> trim trailing whitespace.................................................Failed
> - hook id: trailing-whitespace
> - exit code: 1
> - files were modified by this hook
>
> Fixing deployments/octopusdeploy.yml
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
---
 deployments/octopusdeploy.yml | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/deployments/octopusdeploy.yml b/deployments/octopusdeploy.yml
index cc1f2f4..188c4d0 100644
--- a/deployments/octopusdeploy.yml
+++ b/deployments/octopusdeploy.yml
@@ -1,5 +1,5 @@
 # This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by separate terms of service,
+# They are provided by a third-party and are governed by separate terms of service,
 # privacy policy, and support documentation.
 #
 # This workflow will build and publish a Docker container which is then deployed through Octopus Deploy.
@@ -12,13 +12,13 @@
 #
 # To configure this workflow:
 #
-# 1. Decide where you are going to host your image.
+# 1. Decide where you are going to host your image.
 # This template uses the GitHub Registry for simplicity but if required you can update the relevant DOCKER_REGISTRY variables below.
 #
-# 2. Create and configure an OIDC credential for a service account in Octopus.
+# 2. Create and configure an OIDC credential for a service account in Octopus.
 # This allows for passwordless authentication to your Octopus instance through a trust relationship configured between Octopus, GitHub and your GitHub Repository.
-# https://octopus.com/docs/octopus-rest-api/openid-connect/github-actions
-#
+# https://octopus.com/docs/octopus-rest-api/openid-connect/github-actions
+#
 # 3. Configure your Octopus project details below:
 # OCTOPUS_URL: update to your Octopus Instance Url
 # OCTOPUS_SERVICE_ACCOUNT: update to your service account Id
@@ -42,14 +42,14 @@ jobs:
 packages: write
 contents: read
 env:
- DOCKER_REGISTRY: ghcr.io # TODO: Update to your docker registry uri
+ DOCKER_REGISTRY: ghcr.io # TODO: Update to your docker registry uri
 DOCKER_REGISTRY_USERNAME: ${{ github.actor }} # TODO: Update to your docker registry username
 DOCKER_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} # TODO: Update to your docker registry password
 outputs:
 image_tag: ${{ steps.meta.outputs.version }}
 steps:
 - uses: actions/checkout@v4
-
+
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
@@ -64,7 +64,7 @@ jobs:
 id: meta
 uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
 with:
- images: ${{ env.DOCKER_REGISTRY }}/${{ github.repository }}
+ images: ${{ env.DOCKER_REGISTRY }}/${{ github.repository }}
 tags: type=semver,pattern={{version}},value=v1.0.0-{{sha}}
 - name: Build and push Docker image
@@ -74,7 +74,7 @@ jobs:
 context: .
 push: true
 tags: ${{ steps.meta.outputs.tags }}
- labels: ${{ steps.meta.outputs.labels }}
+ labels: ${{ steps.meta.outputs.labels }}
 deploy:
 name: Deploy
 permissions:
@@ -89,9 +89,9 @@ jobs:
 OCTOPUS_ENVIRONMENT: 'your-environment' # TODO: update to the name of the environment to recieve the first deployment
 steps:
- - name: Login to Octopus Deploy
+ - name: Login to Octopus Deploy
 uses: OctopusDeploy/login@34b6dcc1e86fa373c14e6a28c5507d221e4de629 #v1.0.2
- with:
+ with:
 server: '${{ env.OCTOPUS_URL }}'
 service_account_id: '${{ env.OCTOPUS_SERVICE_ACCOUNT }}'
@@ -104,7 +104,7 @@ jobs:
 packages: '*:${{ needs.build.outputs.image_tag }}'
 - name: Deploy Release
- uses: OctopusDeploy/deploy-release-action@b10a606c903b0a5bce24102af9d066638ab429ac #v3.2.1
+ uses: OctopusDeploy/deploy-release-action@b10a606c903b0a5bce24102af9d066638ab429ac #v3.2.1
 with:
 project: '${{ env.OCTOPUS_PROJECT }}'
 space: '${{ env.OCTOPUS_SPACE }}'
From 17f0d2485e8a171372ba78d7775a1f8bd76a9fa1 Mon Sep 17 00:00:00 2001
From: Josh Soref <2119212+jsoref@users.noreply.github.com>
Date: Mon, 6 Jan 2025 09:15:19 -0500
Subject: [PATCH 086/104] Use unix line endings
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
---
 deployments/octopusdeploy.yml | 224 +++++++++++++++++-----------------
 1 file changed, 112 insertions(+), 112 deletions(-)
diff --git a/deployments/octopusdeploy.yml b/deployments/octopusdeploy.yml
index 188c4d0..c8cd625 100644
--- a/deployments/octopusdeploy.yml
+++ b/deployments/octopusdeploy.yml
@@ -1,112 +1,112 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by separate terms of service, -# privacy policy, and support documentation. -# -# This workflow will build and publish a Docker container which is then deployed through Octopus Deploy. -# -# The build job in this workflow currently assumes that there is a Dockerfile that generates the relevant application image. -# If required, this job can be modified to generate whatever alternative build artifact is required for your deployment. -# -# This workflow assumes you have already created a Project in Octopus Deploy. -# For instructions see https://octopus.com/docs/projects/setting-up-projects -# -# To configure this workflow: -# -# 1. Decide where you are going to host your image. -# This template uses the GitHub Registry for simplicity but if required you can update the relevant DOCKER_REGISTRY variables below. -# -# 2. Create and configure an OIDC credential for a service account in Octopus. -# This allows for passwordless authentication to your Octopus instance through a trust relationship configured between Octopus, GitHub and your GitHub Repository. -# https://octopus.com/docs/octopus-rest-api/openid-connect/github-actions -# -# 3. 
Configure your Octopus project details below: -# OCTOPUS_URL: update to your Octopus Instance Url -# OCTOPUS_SERVICE_ACCOUNT: update to your service account Id -# OCTOPUS_SPACE: update to the name of the space your project is configured in -# OCTOPUS_PROJECT: update to the name of your Octopus project -# OCTOPUS_ENVIRONMENT: update to the name of the environment to recieve the first deployment - - -name: 'Build and Deploy to Octopus Deploy' - -on: - push: - branches: - - '$default-branch' - -jobs: - build: - name: Build - runs-on: ubuntu-latest - permissions: - packages: write - contents: read - env: - DOCKER_REGISTRY: ghcr.io # TODO: Update to your docker registry uri - DOCKER_REGISTRY_USERNAME: ${{ github.actor }} # TODO: Update to your docker registry username - DOCKER_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} # TODO: Update to your docker registry password - outputs: - image_tag: ${{ steps.meta.outputs.version }} - steps: - - uses: actions/checkout@v4 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - - - name: Log in to the Container registry - uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 - with: - registry: ${{ env.DOCKER_REGISTRY }} - username: ${{ env.DOCKER_REGISTRY_USERNAME }} - password: ${{ env.DOCKER_REGISTRY_PASSWORD }} - - - name: Extract metadata (tags, labels) for Docker - id: meta - uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 - with: - images: ${{ env.DOCKER_REGISTRY }}/${{ github.repository }} - tags: type=semver,pattern={{version}},value=v1.0.0-{{sha}} - - - name: Build and push Docker image - id: push - uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4 - with: - context: . 
- push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - deploy: - name: Deploy - permissions: - id-token: write - runs-on: ubuntu-latest - needs: [ build ] - env: - OCTOPUS_URL: 'https://your-octopus-url' # TODO: update to your Octopus Instance url - OCTOPUS_SERVICE_ACCOUNT: 'your-service-account-id' # TODO: update to your service account Id - OCTOPUS_SPACE: 'your-space' # TODO: update to the name of the space your project is configured in - OCTOPUS_PROJECT: 'your-project' # TODO: update to the name of your Octopus project - OCTOPUS_ENVIRONMENT: 'your-environment' # TODO: update to the name of the environment to recieve the first deployment - - steps: - - name: Login to Octopus Deploy - uses: OctopusDeploy/login@34b6dcc1e86fa373c14e6a28c5507d221e4de629 #v1.0.2 - with: - server: '${{ env.OCTOPUS_URL }}' - service_account_id: '${{ env.OCTOPUS_SERVICE_ACCOUNT }}' - - - name: Create Release - id: create_release - uses: OctopusDeploy/create-release-action@fea7e7b45c38c021b6bc5a14bd7eaa2ed5269214 #v3.2.2 - with: - project: '${{ env.OCTOPUS_PROJECT }}' - space: '${{ env.OCTOPUS_SPACE }}' - packages: '*:${{ needs.build.outputs.image_tag }}' - - - name: Deploy Release - uses: OctopusDeploy/deploy-release-action@b10a606c903b0a5bce24102af9d066638ab429ac #v3.2.1 - with: - project: '${{ env.OCTOPUS_PROJECT }}' - space: '${{ env.OCTOPUS_SPACE }}' - release_number: '${{ steps.create_release.outputs.release_number }}' - environments: ${{ env.OCTOPUS_ENVIRONMENT }} +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by separate terms of service, +# privacy policy, and support documentation. +# +# This workflow will build and publish a Docker container which is then deployed through Octopus Deploy. +# +# The build job in this workflow currently assumes that there is a Dockerfile that generates the relevant application image. 
+# If required, this job can be modified to generate whatever alternative build artifact is required for your deployment. +# +# This workflow assumes you have already created a Project in Octopus Deploy. +# For instructions see https://octopus.com/docs/projects/setting-up-projects +# +# To configure this workflow: +# +# 1. Decide where you are going to host your image. +# This template uses the GitHub Registry for simplicity but if required you can update the relevant DOCKER_REGISTRY variables below. +# +# 2. Create and configure an OIDC credential for a service account in Octopus. +# This allows for passwordless authentication to your Octopus instance through a trust relationship configured between Octopus, GitHub and your GitHub Repository. +# https://octopus.com/docs/octopus-rest-api/openid-connect/github-actions +# +# 3. Configure your Octopus project details below: +# OCTOPUS_URL: update to your Octopus Instance Url +# OCTOPUS_SERVICE_ACCOUNT: update to your service account Id +# OCTOPUS_SPACE: update to the name of the space your project is configured in +# OCTOPUS_PROJECT: update to the name of your Octopus project +# OCTOPUS_ENVIRONMENT: update to the name of the environment to recieve the first deployment + + +name: 'Build and Deploy to Octopus Deploy' + +on: + push: + branches: + - '$default-branch' + +jobs: + build: + name: Build + runs-on: ubuntu-latest + permissions: + packages: write + contents: read + env: + DOCKER_REGISTRY: ghcr.io # TODO: Update to your docker registry uri + DOCKER_REGISTRY_USERNAME: ${{ github.actor }} # TODO: Update to your docker registry username + DOCKER_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} # TODO: Update to your docker registry password + outputs: + image_tag: ${{ steps.meta.outputs.version }} + steps: + - uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + + - name: Log in to the Container registry + uses: 
docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 + with: + registry: ${{ env.DOCKER_REGISTRY }} + username: ${{ env.DOCKER_REGISTRY_USERNAME }} + password: ${{ env.DOCKER_REGISTRY_PASSWORD }} + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 + with: + images: ${{ env.DOCKER_REGISTRY }}/${{ github.repository }} + tags: type=semver,pattern={{version}},value=v1.0.0-{{sha}} + + - name: Build and push Docker image + id: push + uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4 + with: + context: . + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + deploy: + name: Deploy + permissions: + id-token: write + runs-on: ubuntu-latest + needs: [ build ] + env: + OCTOPUS_URL: 'https://your-octopus-url' # TODO: update to your Octopus Instance url + OCTOPUS_SERVICE_ACCOUNT: 'your-service-account-id' # TODO: update to your service account Id + OCTOPUS_SPACE: 'your-space' # TODO: update to the name of the space your project is configured in + OCTOPUS_PROJECT: 'your-project' # TODO: update to the name of your Octopus project + OCTOPUS_ENVIRONMENT: 'your-environment' # TODO: update to the name of the environment to recieve the first deployment + + steps: + - name: Login to Octopus Deploy + uses: OctopusDeploy/login@34b6dcc1e86fa373c14e6a28c5507d221e4de629 #v1.0.2 + with: + server: '${{ env.OCTOPUS_URL }}' + service_account_id: '${{ env.OCTOPUS_SERVICE_ACCOUNT }}' + + - name: Create Release + id: create_release + uses: OctopusDeploy/create-release-action@fea7e7b45c38c021b6bc5a14bd7eaa2ed5269214 #v3.2.2 + with: + project: '${{ env.OCTOPUS_PROJECT }}' + space: '${{ env.OCTOPUS_SPACE }}' + packages: '*:${{ needs.build.outputs.image_tag }}' + + - name: Deploy Release + uses: OctopusDeploy/deploy-release-action@b10a606c903b0a5bce24102af9d066638ab429ac #v3.2.1 + with: + project: '${{ env.OCTOPUS_PROJECT }}' + space: '${{ 
env.OCTOPUS_SPACE }}'
+ release_number: '${{ steps.create_release.outputs.release_number }}'
+ environments: ${{ env.OCTOPUS_ENVIRONMENT }}
From d9c5f62b74488662b960559f943550a084b81f08 Mon Sep 17 00:00:00 2001
From: Josh Soref <2119212+jsoref@users.noreply.github.com>
Date: Mon, 6 Jan 2025 09:25:01 -0500
Subject: [PATCH 087/104] Fix sentence style
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
---
 deployments/octopusdeploy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deployments/octopusdeploy.yml b/deployments/octopusdeploy.yml
index c8cd625..686ebd5 100644
--- a/deployments/octopusdeploy.yml
+++ b/deployments/octopusdeploy.yml
@@ -89,7 +89,7 @@ jobs:
 OCTOPUS_ENVIRONMENT: 'your-environment' # TODO: update to the name of the environment to recieve the first deployment
 steps:
- - name: Login to Octopus Deploy
+ - name: Log in to Octopus Deploy
 uses: OctopusDeploy/login@34b6dcc1e86fa373c14e6a28c5507d221e4de629 #v1.0.2
 with:
 server: '${{ env.OCTOPUS_URL }}'
From be1cddbe1dfcb88589ad5c2d8ca24aa30eff2e7c Mon Sep 17 00:00:00 2001
From: Josh Soref <2119212+jsoref@users.noreply.github.com>
Date: Tue, 6 Aug 2024 08:52:16 -0400
Subject: [PATCH 088/104] Checkout: Update all workflows to use Checkout V4
---
 ci/datadog-synthetics.yml | 2 +-
 code-scanning/appknox.yml | 2 +-
 code-scanning/bandit.yml | 2 +-
 code-scanning/clj-holmes.yml | 2 +-
 code-scanning/clj-watson.yml | 2 +-
 code-scanning/crda.yml | 2 +-
 code-scanning/neuralegion.yml | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/ci/datadog-synthetics.yml b/ci/datadog-synthetics.yml
index 0ea0678..a034c39 100644
--- a/ci/datadog-synthetics.yml
+++ b/ci/datadog-synthetics.yml
@@ -24,7 +24,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v4
 # Run Synthetic tests within your GitHub workflow.
 # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci
diff --git a/code-scanning/appknox.yml b/code-scanning/appknox.yml
index 68e4672..8b8cb8a 100644
--- a/code-scanning/appknox.yml
+++ b/code-scanning/appknox.yml
@@ -31,7 +31,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout Code
- uses: actions/checkout@v2
+ - uses: actions/checkout@v4
 - name: Grant execute permission for gradlew
 run: chmod +x gradlew
diff --git a/code-scanning/bandit.yml b/code-scanning/bandit.yml
index 1ee087c..1a33e8f 100644
--- a/code-scanning/bandit.yml
+++ b/code-scanning/bandit.yml
@@ -29,7 +29,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v4
 - name: Bandit Scan
 uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c
 with: # optional arguments
diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml
index 2d919a5..49bca52 100644
--- a/code-scanning/clj-holmes.yml
+++ b/code-scanning/clj-holmes.yml
@@ -27,7 +27,7 @@ jobs:
 actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
 steps:
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
 - name: Scan code
 uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb
diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml
index b0a7443..ce0b70e 100644
--- a/code-scanning/clj-watson.yml
+++ b/code-scanning/clj-watson.yml
@@ -32,7 +32,7 @@ jobs:
 actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
 steps:
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
 - name: Dependency scan
 uses: clj-holmes/clj-watson-action@39b8ed306f2c125860cf6e69b6939363689f998c
diff --git a/code-scanning/crda.yml b/code-scanning/crda.yml
index 82610ac..a23a158 100644
--- a/code-scanning/crda.yml
+++ b/code-scanning/crda.yml
@@ -81,7 +81,7 @@ jobs:
 steps:
 - name: Check out repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
 # *******************************************************************
 # Required: Instructions to setup project
diff --git a/code-scanning/neuralegion.yml b/code-scanning/neuralegion.yml
index e9189d5..218d16a 100644
--- a/code-scanning/neuralegion.yml
+++ b/code-scanning/neuralegion.yml
@@ -162,7 +162,7 @@ jobs:
 runs-on: ubuntu-18.04
 name: A job to run a Nexploit scan
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v4
 - name: Start Nexploit Scan 🏁
 id: start
 uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe
From f8ea592ee64ab87ab49675e542203d09c0718b7d Mon Sep 17 00:00:00 2001
From: Fabian Aguilar Gomez
Date: Mon, 13 Jan 2025 14:54:01 -0600
Subject: [PATCH 089/104] Update jekyll.yml
---
 pages/jekyll.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pages/jekyll.yml b/pages/jekyll.yml
index f07bc39..4dd1c20 100644
--- a/pages/jekyll.yml
+++ b/pages/jekyll.yml
@@ -34,7 +34,8 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4
 - name: Setup Ruby
- uses: ruby/setup-ruby@8575951200e472d5f2d95c625da0c7bec8217c42 # v1.161.0
+ # https://github.com/ruby/setup-ruby/releases/tag/v1.207.0
+ uses: ruby/setup-ruby@4a9ddd6f338a97768b8006bf671dfbad383215f4
 with:
 ruby-version: '3.1' # Not needed with a .ruby-version file
 bundler-cache: true # runs 'bundle install' and caches installed gems automatically
From 95a3224907f9382f93c0c43e351f2a04a6a8a04b Mon Sep 17 00:00:00 2001
From: Josh Soref <2119212+jsoref@users.noreply.github.com>
Date: Mon, 13 Jan 2025 20:52:25 -0500
Subject: [PATCH 090/104] Remove stray `-`
Co-authored-by: Beth Brennan <34719884+elbrenn@users.noreply.github.com>
---
 code-scanning/appknox.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/appknox.yml b/code-scanning/appknox.yml
index 8b8cb8a..a5f62d9 100644
--- a/code-scanning/appknox.yml
+++ b/code-scanning/appknox.yml
@@ -31,7 +31,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout Code
- - uses: actions/checkout@v4
+ uses: actions/checkout@v4
 - name: Grant execute permission for gradlew
 run: chmod +x gradlew
From 1e05f3c86d6d916a8c3aa3c073f5a0891e844652 Mon Sep 17 00:00:00 2001
From: Josh Gross
Date: Tue, 21 Jan 2025 15:06:02 -0500
Subject: [PATCH 091/104] Update starter workflows to use the latest artifact actions (#2726)
* Update starter workflows to use the latest artifact actions
* Ensure incompatible artifact actions aren't synced to GHES
---
 ci/dotnet-desktop.yml | 2 +-
 code-scanning/msvc.yml | 2 +-
 code-scanning/xanitizer.yml | 2 +-
 deployments/azure-webapps-dotnet-core.yml | 4 ++--
 deployments/azure-webapps-java-jar-gradle.yml | 4 ++--
 deployments/azure-webapps-java-jar.yml | 4 ++--
 deployments/azure-webapps-node.yml | 4 ++--
 deployments/azure-webapps-php.yml | 4 ++--
 deployments/azure-webapps-python.yml | 4 ++--
 script/sync-ghes/index.ts | 21 +++++++++++++++++++
 10 files changed, 36 insertions(+), 15 deletions(-)
diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml
index ad99b56..a7b9152 100644
--- a/ci/dotnet-desktop.yml
+++ b/ci/dotnet-desktop.yml
@@ -109,7 +109,7 @@ jobs:
 # Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact
 - name: Upload build artifacts
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
 with:
 name: MSIX Package
 path: ${{ env.Wap_Project_Directory }}\AppPackages
diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml
index b8469de..1d7b31f 100644
--- a/code-scanning/msvc.yml
+++ b/code-scanning/msvc.yml
@@ -60,7 +60,7 @@ jobs:
 # Upload SARIF file as an Artifact to download and view
 # - name: Upload SARIF as an Artifact
- # uses: actions/upload-artifact@v3
+ # uses: actions/upload-artifact@v4
 # with:
 # name: sarif-file
 # path: ${{ steps.run-analysis.outputs.sarif }}
diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml
index 4e2b49b..834d71f 100644
--- a/code-scanning/xanitizer.yml
+++ b/code-scanning/xanitizer.yml
@@ -87,7 +87,7 @@ jobs:
 license: ${{ secrets.XANITIZER_LICENSE }}
 # Archiving the findings list reports
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@v4
 with:
 name: Xanitizer-Reports
 path: |
diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml
index 73b6380..72eab26 100644
--- a/deployments/azure-webapps-dotnet-core.yml
+++ b/deployments/azure-webapps-dotnet-core.yml
@@ -59,7 +59,7 @@ jobs:
 run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp
 - name: Upload artifact for deployment job
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
 with:
 name: .net-app
 path: ${{env.DOTNET_ROOT}}/myapp
@@ -75,7 +75,7 @@ jobs:
 steps:
 - name: Download artifact from build job
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@v4
 with:
 name: .net-app
diff --git a/deployments/azure-webapps-java-jar-gradle.yml b/deployments/azure-webapps-java-jar-gradle.yml
index 51817b5..9957493 100644
--- a/deployments/azure-webapps-java-jar-gradle.yml
+++ b/deployments/azure-webapps-java-jar-gradle.yml
@@ -50,7 +50,7 @@ jobs:
 run: gradle build
 - name: Upload artifact for deployment job
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
 with:
 name: java-app
 path: '${{ github.workspace }}/build/libs/*.jar'
@@ -66,7 +66,7 @@ jobs:
 steps:
 - name: Download artifact from build job
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@v4
 with:
 name: java-app
diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml
index c98baed..14580c6 100644
--- a/deployments/azure-webapps-java-jar.yml
+++ b/deployments/azure-webapps-java-jar.yml
@@ -50,7 +50,7 @@ jobs:
 run: mvn clean install
 - name: Upload artifact for deployment job
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
 with:
 name: java-app
 path: '${{ github.workspace }}/target/*.jar'
@@ -66,7 +66,7 @@ jobs:
 steps:
 - name: Download artifact from build job
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@v4
 with:
 name: java-app
diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml
index dfa9dbb..408c99e 100644
--- a/deployments/azure-webapps-node.yml
+++ b/deployments/azure-webapps-node.yml
@@ -49,7 +49,7 @@ jobs:
 npm run test --if-present
 - name: Upload artifact for deployment job
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
 with:
 name: node-app
 path: .
@@ -65,7 +65,7 @@ jobs:
 steps:
 - name: Download artifact from build job
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@v4
 with:
 name: node-app
diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml
index 1182c2a..3391c83 100644
--- a/deployments/azure-webapps-php.yml
+++ b/deployments/azure-webapps-php.yml
@@ -70,7 +70,7 @@ jobs:
 run: composer validate --no-check-publish && composer install --prefer-dist --no-progress
 - name: Upload artifact for deployment job
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
 with:
 name: php-app
 path: .
@@ -86,7 +86,7 @@ jobs:
 steps:
 - name: Download artifact from build job
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@v4
 with:
 name: php-app
diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml
index 656f95c..e4868c4 100644
--- a/deployments/azure-webapps-python.yml
+++ b/deployments/azure-webapps-python.yml
@@ -55,7 +55,7 @@ jobs:
 # Optional: Add step to run tests here (PyTest, Django test suites, etc.)
 - name: Upload artifact for deployment jobs
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
 with:
 name: python-app
 path: |
@@ -73,7 +73,7 @@ jobs:
 steps:
 - name: Download artifact from build job
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@v4
 with:
 name: python-app
 path: .
diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts
index fcdaaad..99c746b 100755
--- a/script/sync-ghes/index.ts
+++ b/script/sync-ghes/index.ts
@@ -196,6 +196,27 @@ async function checkWorkflow(
 })
 ),
 ]);
+
+ // The v4 versions of upload and download artifact are not yet supported on GHES
+ console.group("Updating all compatible workflows to use v3 of the artifact actions");
+ for (const workflow of result.compatibleWorkflows) {
+ const path = join(workflow.folder, `${workflow.id}.yml`);
+ console.log(`Updating ${path}`);
+ const contents = await fs.readFile(path, "utf8");
+
+ if (contents.includes("actions/upload-artifact@v4") || contents.includes("actions/download-artifact@v4")) {
+ console.log("Found v4 artifact actions, updating to v3");
+ } else {
+ continue;
+ }
+
+ let updatedContents = contents.replace(/actions\/upload-artifact@v4/g, "actions/upload-artifact@v3");
+ updatedContents = updatedContents.replace(/actions\/download-artifact@v4/g, "actions/download-artifact@v3");
+
+ await fs.writeFile(path, updatedContents);
+ }
+ console.groupEnd();
+
 } catch (e) {
 console.error("Unhandled error while syncing workflows", e);
 process.exitCode = 1;
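Review bot: The `Updating ${path}` log line runs before the file is inspected, so every compatible workflow is reported as being updated even when the following check hits `continue`; move that log below the `includes` check or reword it to `Checking ${path}`. The rewrite regexes `/actions\/upload-artifact@v4/g` and `/actions\/download-artifact@v4/g` are only anchored at the front of the ref, so a workflow pinned to a fuller tag such as `@v4.3.0` would be rewritten to `@v3.3.0`, a ref that may not exist; a trailing guard like `/actions\/upload-artifact@v4(?![\w.])/g` (and the same for download) confines the downgrade to the bare `@v4` major tag this commit introduces. Workflows that pin the artifact actions by commit hash with a `# v4` comment are not matched at all and would still be synced to GHES unchanged, which is worth a sentence in the comment above the loop. The enclosing `try` block starts outside the hunk.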
From: SOOS-GSteen
Date: Thu, 23 Jan 2025 19:15:51 -0500
Subject: [PATCH 092/104] SOOS Dast Feature Update (#2733)
* Update soos-dast-scan.yml
* Update soos-dast-scan.yml
* Update soos-dast-scan.yml
---
 code-scanning/soos-dast-scan.yml | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml
index 0d42c92..4853c4e 100644
--- a/code-scanning/soos-dast-scan.yml
+++ b/code-scanning/soos-dast-scan.yml
@@ -36,15 +36,25 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Run SOOS DAST Analysis
- uses: soos-io/soos-dast-github-action@65d9878d77c8993f3db9e86a92bc2ad3a6e060af
+ uses: soos-io/soos-dast-github-action@a7eb40b94c1c81eb76b178ba1befdc21823f86fa
 with:
 client_id: ${{ secrets.SOOS_CLIENT_ID }}
 api_key: ${{ secrets.SOOS_API_KEY }}
 project_name: ""
 scan_mode: "baseline"
 target_url: "https://www.example.com/"
- output_format: "sarif"
+ export_format: "Sarif"
+ export_file_type: "Json"
+ - name: Find and rename SARIF file since it is unique
+ run: |
+ file=$(find . -name "*.sarif.json" | head -n 1)
+ if [ -n "$file" ]; then
+ mv "$file" output.sarif.json
+ echo "Renamed $file to output.sarif.json"
+ else
+ echo "No SARIF file found" && exit 1
+ fi
 - name: Upload SOOS DAST SARIF Report
 uses: github/codeql-action/upload-sarif@v3
 with:
- sarif_file: results.sarif
+ sarif_file: output.sarif.json
From 2abfcee18db6e143e9da1f75f6d08283650266a7 Mon Sep 17 00:00:00 2001
From: Andrew Eisenberg
Date: Wed, 29 Jan 2025 14:23:54 -0800
Subject: [PATCH 093/104] Update codeql.yml
Explicitly suggest that users add their setup steps before calling init.
---
 code-scanning/codeql.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml
index 7e46549..7cdb425 100644
--- a/code-scanning/codeql.yml
+++ b/code-scanning/codeql.yml
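Review bot: The rename step searches the entire workspace with `find . -name "*.sarif.json" | head -n 1` and silently takes the first hit, so on a self-hosted runner whose workspace is not cleaned between runs a stale report from an earlier scan could be uploaded in place of this run's; search for regular files only, fail unless exactly one file matches, and ideally point the action at a dedicated output directory if it supports one. `github/codeql-action/upload-sarif` requires `security-events: write` on the job (plus `actions: read` for private repositories); the job's `permissions:` block is outside this hunk, so I can't confirm it is declared. The `target_url: "https://www.example.com/"` placeholder is pre-existing, but a DAST template should carry a comment stating that the target must be a site the user is authorised to scan.
```yaml
      - name: Find and rename SARIF file since it is unique
        run: |
          mapfile -t files < <(find . -type f -name "*.sarif.json")
          if [ "${#files[@]}" -ne 1 ]; then
            echo "Expected exactly one SARIF file, found ${#files[@]}" && exit 1
          fi
          mv "${files[0]}" output.sarif.json
          echo "Renamed ${files[0]} to output.sarif.json"
      # … unchanged: Upload SOOS DAST SARIF Report step …
```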
@@ -55,6 +55,12 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
+ # Add any setup steps before running the `github/codeql-action/init` action.
+ # This includes steps like installing compilers or runtimes (`actions/setup-node`
+ # or others). This is typically only required for manual builds.
+ # - name: Setup runtime
+ # uses: actions/setup-XXX@vXXX
+
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v3
From 7398b4eca4dc8d1aa3c84fcbcb7a31fa0f22bfe7 Mon Sep 17 00:00:00 2001
From: Andrew Eisenberg
Date: Wed, 29 Jan 2025 15:39:32 -0800
Subject: [PATCH 094/104] Remove trailing whitespace
---
 code-scanning/codeql.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml
index 7cdb425..a0a86f3 100644
--- a/code-scanning/codeql.yml
+++ b/code-scanning/codeql.yml
@@ -56,7 +56,7 @@ jobs:
 uses: actions/checkout@v4
 # Add any setup steps before running the `github/codeql-action/init` action.
- # This includes steps like installing compilers or runtimes (`actions/setup-node`
+ # This includes steps like installing compilers or runtimes (`actions/setup-node`
 # or others). This is typically only required for manual builds.
 # - name: Setup runtime
 # uses: actions/setup-XXX@vXXX
From 1de3a149b31945bb5edb3d500d0cb16baaf7d2c3 Mon Sep 17 00:00:00 2001
From: Sadman Anik <36187489+sadmananik@users.noreply.github.com>
Date: Thu, 30 Jan 2025 13:48:02 +0600
Subject: [PATCH 095/104] Update black-duck-security-scan-ci.yml
---
 code-scanning/black-duck-security-scan-ci.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/code-scanning/black-duck-security-scan-ci.yml b/code-scanning/black-duck-security-scan-ci.yml
index 2200b6a..1766443 100644
--- a/code-scanning/black-duck-security-scan-ci.yml
+++ b/code-scanning/black-duck-security-scan-ci.yml
@@ -1,3 +1,12 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# Black Duck Security Action allows you to integrate Static Analysis Security Testing (SAST) and Software Composition Analysis (SCA) into your CI/CD pipelines. +# For more information about configuring your workflow, +# read our documentation at https://github.com/blackduck-inc/black-duck-security-scan + name: CI-Black-Duck-Security-Scan on: push: @@ -31,4 +40,4 @@ jobs: ### ---------- SRM SCANNING: REQUIRED FIELDS ---------- srm_url: ${{ vars.SRM_URL }} srm_apikey: ${{ secrets.SRM_API_KEY }} - srm_assessment_types: "SCA,SAST" \ No newline at end of file + srm_assessment_types: "SCA,SAST" From adcb922ec209f8b3dd061a0901eeb325fec3edd1 Mon Sep 17 00:00:00 2001 From: Andrew Eisenberg Date: Thu, 30 Jan 2025 16:50:30 -0800 Subject: [PATCH 096/104] Make the example setup more explicit. --- code-scanning/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index a0a86f3..eeb0dce 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -58,8 +58,8 @@ jobs: # Add any setup steps before running the `github/codeql-action/init` action. # This includes steps like installing compilers or runtimes (`actions/setup-node` # or others). This is typically only required for manual builds. - # - name: Setup runtime - # uses: actions/setup-XXX@vXXX + # - name: Setup runtime (example) + # uses: actions/setup-example@v1 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL From 7db00754dc1478099891cb586cb1f8fab5a68dbd Mon Sep 17 00:00:00 2001 
From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Mon, 3 Feb 2025 15:12:05 -0500 Subject: [PATCH 097/104] Code Scanning: bandit to latest hash ab1d87dfccc5a0ffab88be3aaac6ffe35c10d6cd --- code-scanning/bandit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/bandit.yml b/code-scanning/bandit.yml index 1a33e8f..a3858a3 100644 --- a/code-scanning/bandit.yml +++ b/code-scanning/bandit.yml @@ -31,7 +31,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Bandit Scan - uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c + uses: shundor/python-bandit-scan@ab1d87dfccc5a0ffab88be3aaac6ffe35c10d6cd with: # optional arguments # exit with 0, even with results found exit_zero: true # optional, default is DEFAULT From 5969febe64ddd5e977901cd7fb785fb7a7de50f9 Mon Sep 17 00:00:00 2001 From: Sadman Anik Date: Wed, 5 Feb 2025 13:47:33 +0600 Subject: [PATCH 098/104] Resolved reviwed comments --- code-scanning/black-duck-security-scan-ci.yml | 19 +- ...lack-duck-security-scan-ci.properties.json | 5 +- icons/black-duck-icon.png | Bin 25487 -> 0 bytes icons/black-duck.svg | 219 ++++++++++++++++++ 4 files changed, 237 insertions(+), 6 deletions(-) delete mode 100644 icons/black-duck-icon.png create mode 100644 icons/black-duck.svg diff --git a/code-scanning/black-duck-security-scan-ci.yml b/code-scanning/black-duck-security-scan-ci.yml index 1766443..a777a04 100644 --- a/code-scanning/black-duck-security-scan-ci.yml +++ b/code-scanning/black-duck-security-scan-ci.yml 
@@ -7,20 +7,30 @@ # For more information about configuring your workflow, # read our documentation at https://github.com/blackduck-inc/black-duck-security-scan -name: CI-Black-Duck-Security-Scan +name: CI Black Duck security scan + on: push: - branches: [ $default-branch ] + branches: [ $default-branch, $protected-branches ] pull_request: + # The branches below must be a subset of the branches above branches: [ $default-branch ] + schedule: + - cron: $cron-weekly jobs: build: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + security-events: write + actions: read + steps: - - name: Checkout Source + - name: Checkout source uses: actions/checkout@v3 - - name: Black Duck SCA Scan + - name: Black Duck SCA scan uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9 with: ### ---------- BLACKDUCK SCA SCANNING: REQUIRED FIELDS ---------- @@ -41,3 +51,4 @@ jobs: srm_url: ${{ vars.SRM_URL }} srm_apikey: ${{ secrets.SRM_API_KEY }} srm_assessment_types: "SCA,SAST" + diff --git a/code-scanning/properties/black-duck-security-scan-ci.properties.json b/code-scanning/properties/black-duck-security-scan-ci.properties.json index 8376dbb..277ca27 100644 --- a/code-scanning/properties/black-duck-security-scan-ci.properties.json +++ b/code-scanning/properties/black-duck-security-scan-ci.properties.json @@ -1,7 +1,8 @@ { "name": "Black Duck Security Scan Workflow", + "creator": "Black Duck Software, Inc.", "description": "The Black Duck Security Scan GitHub Action allows you to configure your pipeline to run Black Duck Security Scan and take action on the security results", - "iconName": "black-duck-icon.png", + "iconName": "black-duck.svg", "categories": [ "Code Scanning", "C", @@ -18,4 +19,4 @@ "VB.NET", "Objective C" ] -} \ No newline at end of file +} 
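Review bot: The new `permissions:` block grants `pull-requests: write` to a job that now also runs on `pull_request`, which is broader than SARIF upload needs (`contents: read` plus `security-events: write`); unless the Black Duck action is configured to post PR comments, drop that scope so the token stays read-only on PR runs. Separately, repository `secrets.*` are not exposed to `pull_request` runs from forks, so the scan step will fail on external contributions; either gate it, e.g. `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, or document the limitation in the header comment. The action is pinned to SHA `805cbd09…` without a `# vX.Y.Z` comment; adding one keeps the pin auditable and lets dependency bots update it.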
diff --git a/icons/black-duck-icon.png b/icons/black-duck-icon.png deleted file mode 100644 index b73482ce501f47c9e2daa7acf2f41aadd99b0e36..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 25487 zcmZ^~19)Z4(lEMX+upHl+cqb5GI1uhjfw4KV%ye)lT2(U6Pq{lp7Vd_-0%K(?Pu-o zRbAE9sOnW+)hj|tK@tHL7Zv~jAV^DzseGoRe{X2W&;Kf|>YUF6+(KAh7yzh?gL^fC z_8fPXLm@caq#KLP+;nE-$jLjZs$4FJG$$ZA*S`z#1H(~>rqmj}>% z=Ai))AgBPa&m73-4*-G-_*>g&4j==9_dj_R5UPLUfC2zvRsisS*e=n)e`!CJE zQm{Ob|J0ZV`ajsCd0_v^|0T0DQcC$uU>u~hodEziw7)k9AR`MK0014gQqywLl9%H# zvH!|oWNL40#^CGi9`Sv2n6yunVR#ch)MjL{PT&Q#L~sZfrpXN&CQL$jg`UP$%2uY zo12@FiG`7ch5i$R-r2*>#mJrB&YARImHeN2#LS#coU9yNtnBT8f9o|ews&>mCn5RE z=zp$%wbRAQ{6C!Rod4ae&ki#FEn#G4U}F5gk(s$${r`~tE%_JOKmGa_JHEe_@o1}< zIosR1{%w{3Ckx*{9R6Rx|FrL41pmQTx3h8)_&+573;e&SwEk26A2$CD{NDtMPF7~0 z1Nl$8nE&0Z|Aze+{@>p5C|S9i*=mVdeKoUl{@WK8CMG_{|7*$rrWCcewRci=FfuU{ z_+<1C$$x?VH}*e#wEutk{8!1pDft-x&h~%J{=Y=)ALyrS3Bd9({*Rmrz*c%~ZvX&7 z0BJE{HFuCdT`+kD;;w?e7Y~1Q_3z_@#gS1!Fvw|kPz$J}lxb45s+!9}emytnd~I_5 zF}tEs5$<|SG-F*Ap19SWAC9ahCb#sv)*dGQ?a%4MyI?M>vw7R*%UkzDz0mb__QSc` zR2KK)-}BvNx_bz6`Y?jRZwgt zF;U;yc$ws7qP|ylGRe+8Nhki4PHf~ItGDZ2w@PfbkY0r3mev6_w5mlDW$&igjjMbZ2snz-3RApMkw4}t!k2Ihu z1sQhvl)}ZvxHKJvAkYxHUq36yU}ChRE(cvT5%2I*(&R<>P!vukm&V}L2B3ars{2E zclS5r*kU$ZPIO}>qxRMzuqwZnw=n1v5vy?`TMpofgBD&YuF}?Y*4KHQb{@u<9n;P` zJtddrO-oiVb+omK=e!pd4vazPY&n=zjy{G7DD%#yg2p!G_KS~HZm5hLhfS$@7zXzb zf&)>QYvR;M3#R=ta^mOxlh8xN;=Vr52*O@RTo0 z$Hd5oHMM*jMf0$9XTl-EGpXnuA7}>Q$MdMf<8MDP1^lR{;krfnO3k-;g_{IUFa*W#pq&^`EnIjq67^WLPwo0ML!8`* zNiVDXTV?kF%CCnNSzy1WoyCgF5#gDaR#hV>7{ka=;glBe&V4dV{pTwI6k8JRa*Lvb zM5uP#(t`2C3{b#VFS!bQ(ixvEp}|FXA0Zf9hL}2jWDuVR{Ukm>E$k+kTU0!~fyIsw zcdGIS&ag<(wwAer_GPWa9Vn;Mz0{n#ayDILWGer;owj2b#@x5Pz=DgUP`+i;?+ro#yFu!V!& z`|I**PD^%UiFkT*7BY&E%rn4XZ;CtGgyj#BeIBg}T)xx7Z0Z-QyJlE^P16o#|nX zLx10-aoY8U5CaL%s>Rb`NXE_NS>aiF!xeg@#V&n4tk}HrW=8+k70Y|r%1p2|(zf{^ zGT$%cuKJ6KN#09HG{YNO{ZBS4PdlF1OPxqzR!lz?t}@KdB1!ub#TKoh11o)Y@g)jK 
z4;U>-9dww+IRGV1Jm3z1F(UzvX+W=IMJ_;6pC0}Q76>3KhU4)Ed$Gm0f5@EqQk)M@ z5@&E^Y4w`)t?N;M+`F`BXyf;*&x#NWUAolNU?=^e`|Fv7TTA0Zj5o4#9Z}ls^7`!R zNU3W_Y&E`L8%`QUjKUZ3}(og03^Rp}=_vHLUpsa<6v1fQT zc^ogaq6#wJAPmkferTb*H@P!*Y*imPM+){s+$w0K1rsCy>!KKPHUUS{U2%#ptqfln z*(DEb^a4!4K0ptw-q1wrd@k5c%2K(xW+bu!sq@@E_Jg=k9?lPc*yqZ*Tx487eCZIL z%(mUn>-ei=TxtX3H&+*WJX}JVVF}6FbJDMaMcwHMP7jM9!VvK1p)rW%_F9a=Gty)4J}+3$jU%?t zTh&BVm4$2R0Sz8u(|KjHdrKg(L0r3=Z=cIN*YPDfK&qk+G3b(9RszPL>-pYqh^7mv zrKy?H2dvARr;aWw88!7qNJR!hF=B7L z$4OG3NY9X0K8lADy8wd1!K5>A?n_B77=%)!Evc(XdVz2tCg8NP$?(KxR;klg?(sCv zI@^DNS2ZSJ1k|h^^tUh87IVKNZ|MfNx$0h7=e`*w=vs9wY=bA;2dwdcjn)iU;d^g^ z!lES;YSWM*7U{z!{CHAVcc|bU=RsVy#%sJKm|m)_`MUThS0OV0rP;-U<^v--qdvHmxX$x0jL)1Z!3}Zn7cq7< z?8w#GIvINE#uIf1ye)iiHf=rY>+Gj({QRpEmcmQFht87PNJBW6H!5{Ff3Hu=2#N7F zZg7V|7x84F;%pvL1F0aJunlj)L7(!l5VIt`sDwfdh45!sin*}IEPzz`5wv+&YQadL zfFNYE%YED3=-Biu%=a%m`kps7n+t@g#We-HKb+BWmJV71(3fl+a@J zkgOp5;BsKrjm4+Me`4Bp0f2du$v05t3Pprt(H*Woy6>hlBj7R z10Fi|=z|d8nD9)>jgVvlB-iymZJ^8CI#@13LKFDnk6O*4fvDEaY%<;`C}R=aMHrL+D~}#s z%M6ti>J0A;2(z%!vN39SR2u0M$`4X!Kw*eLn4>!wc0o7=Y?|4<-k;h+`xjR$ZlCqz z3;uUU)`=!Pf%#jf93IOWCgdq=y}PRlT&|7Q>zz!6zR8h?D<27)kF8#4mZh^_CK&kZ zYg)(e&Agppk@n?Lh@Ubcs|_&toCRa1GKU-?Akl4qz>Osm#3(X+IGB#q&C^YR{IEP1 zRX&MRu!aj62lQu?-QNK?#b{gnb@Dlm+AM*oQD;tHML`r^<{z>gV!ldqng8g^PHnd6 zS8NM#xchp|tj&=4ulOS%7_7m-!21TP z-D1+)P4VKJb&Np;d)hdTB^%%e8O*1sQaFm*Y|7cAGhl#n2p@{KG9e#M47M7GWn>LM zxn2SEqQS6F!5rT~6%;{FsF0Cyl#Ia=mAaLH43QczC@eC?uwXOXgc!xgGhs!J-ib3a z8;e8hS^`(4pEG4LSi|G2K5)G-^b*JHtJqOGDb$}{UeWD5;dWIujKk~MJcdhig!WXg z6O&|9hcX4VgJ-0ESP+zX>`>>)?p$~5ZO{!>?FR98W*05T+jx$$}&f(BgA=VqTjcYc2Tyi(JPdp|sX zJSJg>Pib6=E8A<%W3aZHciBo_a3D@jx|9CGjc3q;ktz~Z&2<S(6K6C3`-#Hx*KX zmvC|(E91Hl4aM5c2jB#PI10g83Ha$Z3Z+cCgD3)M!tzMGk!ub8m79Tz;9!w}+d;_4 z8$4vppcLvvP?TltjZ`+H%lBQ**Eg6N6Wd3jn6d|lEoshp+M3DBY$2ZesE>{xg>7}W zt5dPnCSK2OX?^YqsGr8V({5nAva)~Lk@<5bHj{EBg2Ymwe;!F^mn^15r#}!7WUA*G zx{CJns@-;?jk@dM`LiW)Hg(CLOlESY(9$e6K7fL>6BSQz%3eqdUZ+GUloEXuT(X^~ zJ@blxIwRBV^%?^|iVs8Lx(GKMcVtEV;oC#>ok0`m3z9V>0{O@Yf 
z#qM;pbur4&L^#mE$V&k@0ecW(fCLF?C(__kl$i|`l@UW+s7R4Vf{+9V%mEXKi4hG3 z3BEcR6|5LvTN;%Dn24${)iTlXS=#KH;LJ_fEJ0kS_tW@3sbX^ipA}@mup@VLp;6^U zdu;O*=`&=sqZ-YqHJpCJ1|LfqOGxmRn>!R&J_v=TvRw452J$iuXlLBDl0ST(|I++( zr&SZ2w=8B7Q|gG`Oq947G5|Z+8x(~lRR$faR_u`qnLIHnVux+Z5`SwRhM0~fFu{fW z0pYfi;KJjU{FA>JuSYP>YIdzw*B=e`==(1f!vSm=#fjmGk0y-ngRFa5F~-3!&Rmk@ z{+EfHFctvidzBevTK&3`dM*v(dO@ILy*jqfG;Sb>0MO7$LxD=iPhX9o{jEaGtHe-Et~(s0e?vl2 zR~UDOM;e3y@Wq8nZikd4GjIrp@pFfx(w+xKQn}_r%Y0AQbp?6=P=gc}e*}IiSD~%& zK{za%wv_FXmULGXsDeJ?>7_=X306C-G1i|)c~0KLh?`=Rkb%mo7;|U(!SuG8Q4!K(ObU*)>7KNb zqmdAqE)Jw({-SoLY%aJ)_1tHxMo+=2ZN);SzWcAF#Ce10k3kGk#Y~_rb72uMlk`Hr zJ_<&m@$Gg--Bh5`8zHMHaj_eYH6kNc`6~{KhJR-ZFnWitiJ5|6zKR3k)k%y!H%s-s zciW`Ihz?>zeXu0hFzKJ=EAbYc3eOD>cmbf3X`+oNG)3b- z)p!y`JPu$RwE(bD19*8m!w^mbu<|@^sgc51^hL4yH|7PRS2C!FgOnzF*ogTsb1|q5 z?z6&4LO|Ke@(F(^d2?a! z82-K*#hloIS11X|m{(BXAW|})W<_w5;ul)h+keZN)Bji2%1`FQkqcn&p|`<4Ei!4~ zYm;Nnpr|;Ec-;b6fpbo8V0}^@x%I%7;YH@h85rZseU1)9=PH7jVBzaRi=Dua;<_g% z{FT6+9WbA>WZ5C`78bYfG2bdS#3~w3+F6-DjeVT9YdCMAeNs?QC?0=P0p!E!C}=4P zhQfM}I%V7>3~}{*H#S5ik&BV1pD2)h0Jce#esKJ85CH-x;weclsT~`L!d5CnEoUn5 zi6sl1mv5J~DOcnZAKPZ9E+L^46Lx@a6#+-GS+w1*Z^ZjobAPxL@(7}w+6KgfSfllX zo8aFiApcrip=-qOz#ha>)GDO^Uaa;_SuMx(o{|O|;6jDdo6$Q<5AsQ63^{yn9S3ic z*j?-G;XoA{!IJtP9etg}gqZ;JCR8JXJh)K7Y?u;Rarg0qi?9bfBGh{^6Gro}{AWWU zq3( z8^A-h-~2U+6~VaT?*Cayx$;8Tas?T6fU@SD{*(Y|3kp(rRHTj~5K5brT1Fb9s{0i3 z1Ndesb{2=NQvOHPX!!c4y}bjB{HPnea5_i?8)Pi1{v*mrI91S3BRZ9I5@HM|zZ|Ok zRPTG7`}g7Px^3l7OM4`$)U^GqTsr2ZA15CT!g}Os&f1<~6;5XB` zI|pV)`th0`2W5K%iifa}63Rx((oQrMGB}X>%M1ug^D{#I?J!&#m=amO|0`P1R(=Lo zeoC^Zw>KRgF3uJTsJ7rYzcYfP{Wh}YUM0VQnb9rmI1@wHkueP`FI`H+dMkpF7)B6< z%X6x}!ynYsr@hiG*ZlA99&%ICY>ijXYkZ+(sr-Yo2fIKb)VS=8^P9gW0g z;7y$zrCr^1cN5M#X?b`}Qc)4LkJHL0-tjbEg=*|LfjhqQg;<#4ii09ld5q%~_NIqk zn-bySjn#^9dwJi4?ro0{$q~Bm<(R&`wUD>0y9J%-y#f0~lu!lUmnZ56khod6-M5XF zcOaljoh_ym>zMK4A{30g*@R3JJ@T|jc}DAKsHJ-UiV-*&EXiLnFR+1dcFae=)>!Be zi*$KnHg@U{%tKsR)mg!V429Hx820mAj%!lzq~?W^zo$@7oNxX3@XC9)?uDOM!7w5EgK-oiq;UCvZ?xQ}iO}9kOuHIj&pi 
zgW0-S+xf+jdM~1G+P33ZK?*^A=ZF(cpJwE-==*dSgb0h=D5)B%F(_K@D?Y{Sk^DP& zL&c*dvoIoem;1y+M%h@;XXo!hn1mTyFp+F?=p!T2Zj-Kk1$>$QqTE1C2I9ddOC&43 zQIsJG5S5{DJ!Mg5NW@XfIloc(W)>G+Ts*wfKAJ0wtgARi4`a7z$!|ZRLdFBUtnPJ& zy1HAdn!x7mz?$#EWlqLX4Z+quDuo1&9?LBLY6!XxmMTn|d)PyP=@`b(L_t&Fw`+4k2;i9oX?Wo{y?&wf~1@#S}7e|{Jm(X_+1RQ^Y zjWcm|6H7u5g2R4aN?BwDQ zfOX*Dx?}GwW{n$XCHn0ekJGoHqv56SnuTc$mO~qQPqLjAFh>itOl*TQW<&A9B3lJXHQ%WaT0da(%DP&#g$n=Er+PE1; z>OOO_hD*&h>uPz+kDH%@Po)_>1M*-`{(L+6GT7X$aB5%#fe6W(dv}3ebyN;$ELux zRz64duERZCW^SXlyont1A0z@{@jwM-u>rU*TL@q!zJl$y=U<*o-AdcFnr+MoV|JH+ zJ8<#eCl9_L+Ct%)Ekpc$RbXLmTK0bKb2_y_I9eG&Fb$EfVZcWtDfq%kgWwaxbVoG=ym6xtZ zE26*6yE45N@ocPWE3{%deWBS&b#hBmI#=7uwia$&e%}9G^FhU-`v_j@l3;o6<@B90 zl@$tn8EmSM9~~&l1VpqXu0BDiH~rp5ErJ^Xk&3Z4_bZXF+sx$YCDo7i>Aj{$JiC}J z`X?{ph`WDjhoce!GgOFoy|77M)luNjvyAV2&38uTz?ZF6f#j~sWk%UqcDc4H)DaGG z?N}LQex)ymI&1zdBAmimi4_+G_(~`y$Q<2)a$~a#C$^chzXX?Vra0ekCZ;!+Th3HD zkiS-Q*@OgcMvV6zMDx_v%cbnM=$r>2l@);6JmFV>Vef*W;fc!;)mo!M?u!p!&srxj zO$mu7YV494xTj(d_j5y0u6lA%iWc(qI9<50@*a#=YFunJ??3n~J75u~!3}-X+FOwQ&<)wkL)I&51;;ux++mzg?omGKh4e;SAxW44{dn_7x zdJ^Xua$c{9UfW@d5;^+j9l%&`h{wg9a!PDTYD{x*yu*6JG9^Qwx`qmgT&xL@*>`h? 
z=sbhny(F6qc#YTs)R;L?LFhq-`v++fjtF(u;WQ|aE*JMa_CyZ{XcxKIJ%Ef2(h*C@rS4W+Pzi?nnfQ(X;mk{>L+nCgmIS% zzTAB%`Tmrh-cmVDGUE(YD+~^(hb=cL+E9u#aR!(a`V+U51*TDLfIsTSN8z*5JZi~0 z>yoD2RQk+^rFQ$9iE}%v=^GPfxO{Io?{{U{y_=}1@gn-R7wQPV>lnG<<|2ofY6baK z2w8vuc=Ls6tfUmnmp1HnN*guV{+Eb|(vevN`6yMGroTW|jB2IubyX8{EEG`}qt}R} zqM{Z4jRgbhuHjHRgPlVWea{yk%$VIkXNr%2g`#sl z&66D(gZl*=bIRgHuUddT=HmNh5+(f1u@g63Afk(q93zId>7Fm>b0nUM814+#K4qka zZ&Z?a{csk)Bzv;a_xS=-p|rXs$9o81DUoa@>!Ae z#KZAiI2wANi1P3nA!s9z#i;V|XzPIdioC0{V7>KzN>Xf5j_8;;zF$l{4>%K=g#0Aa z;NDlb&T63)3xRZc?iuUG#rr{D{;-C-JVG@bc+5{J^^ifYpWbFNX3={mQzI{h8l)iNpMsWEs$f5^;nNeoHlr^yIu6EX1p1q>d@g>Iaa+pJr6Q!ankEuCv>)_ z9mMvap^LA6kWj)U3U@8SM1BfSef?$3QZK_4t86R8S!3^hwocaL5Q3wr>lmW{6H`n# zZh}Fp1DWx1)-!2kV$M75V!{OCIq?zxaPF2&<;xdaf6XjWZhvNBfFZI-t)4Fmnh19@)ZkF`(j58l6!w;%d4^}sbVw-mb2qeml{lKqi?VRmD|*guC} zy*Wqz^h5_f{;SOTfh=5e=CSQX)HGlzzO>a2g9)MxKxaY@g0LS^a&>k*p~-NXS%&fB z)7@{bi{v7=8B+tkIx_2-CnaH$NaJ?~5tm*=B_w8?gQ7r>i)AUK6j@qxeSBk3<4;LO zobVB~oE)M!V$Mfy-*G5`8%Bqh@0g}vNLF6-5+lgRk>=9$)6`?${_R$T;pa$NQQxF3 zcQW$KL^)(%zn5_#fd`PZU9d3`s@ODzZ$X{Z z0;U-K={4Nqx44u*{?X>YnS6nj!aK zSrw;+qDB7vDVkfNHM|8Yh!_d?p8C%r+gEBc1WpEilYl#&JvUIBiro@`)%nd|7gjKS zKD$wWY4oI>)|R0v@qs{&<@s0inB4B?N`pt?FEc{(E=gIil_VCbW6*fa%7OE0X9#6L zj_9Y?oo^PYZwFplmRwm=10AvLj@bNlUedd1>utcN>vF}C2Yx50l%l1p@P)1;)Y>(c zfdfC%w@m*w(G;;=xO4>hcYXC=aPsnI#Fd62OOepP$>>GwDQiI&(TvW79e4lA$e%Cj z2x8L}kbRpDMtHC^xic~$h{fRP;pH~|noeOVKm)d|?7*am?zwpjg*5|#*sEb~?vyZZ zmf|S0Q#XDG-EXss(~5`FdRewB-NM5J<1KPIvr<;5Y9pQ4AF7b*+tY zFt|wWP#ZT0f||>K$d@`y-I};WFziy|vtjdjFv|wwI=DgVMbnUO5g-~<76#ude>{6w zkg_$(#}zs7^eLmRoI;~A4PT=|H!s( zHq9}U73;mFj9vH3^BGc$en`NRu=Iz6qP`kG9j;Uz{ywv}qMy=rP(_dS^Uu3fi!!;_ zjioh-{8?O~O&(BBYKFrK3jkLz*%wc`R=3p6Mn(r zy05xjo>@38{2;z|t@mq~LHB_}d=?86RgflkqP98-`OL4c#8e7Oj|u&7`b-?d?$+q2 z@)Ygia;kNazqv$@eNDt^6OyfiBKH&Rd_^}nXEMKB-_%4z6L7WYM{i13g6V_((#znB zy@J+FWYoXDx;?n_qcfQ$B4j(uSn?8uRA+gkVd&PBDT>AoCCWpuMApU59~BBNpaEaH zt#34PXw8+*sXN)M$rZ8Annf^KwP z5X?toTmy}5EccWm$*bGZ9vUX`5zPk2d6Y;qt!xD3;ToCT$VG}ntf%VpLYme}&j-2z 
zzL?$9bqjn)SCAJ81nG!i?@>@dQSL?aPfbevG}{2s_6fX%-olf^EI?^}s7@WreuwEzBAPlA{{Z)yq0*IPmXewwy0D@aE6NugXyuWrD6z4|j7w7q!xi(frDK2O;tb%ijQV?JL zwON*+!DFcI$L6_gq%}P|aoPTqWxeJd<^7!kJmqkjyzpZ==pN?cQ2doybr3pHJw^l; zSysE3@drLiz1Ii>BKn{^*4+jq(oZMaFEW-KvxzoBC_6o|?JyXr61}N#CNB9kWBiQ- zPzOI6N|I)}-Uzyg2^8xYGU|d5*{gohXyMVCty&jw(p$XqM=;W>yR4}rZpfWeJ5U4% zk-{#I&@+P9?GFLUFK#33SrDLDnjfJ&KabVzf>EjsV@2%Ks|+$wiV+Ji)QN>WD(#PV zJhgjm@0GFtSRVJYWQwIY*=M?HnWCLDN5aw>=r}$=(XDpDt*+rmel_MIX`q*ir}Y;e zJ!BA>BLl^P;M0enhWN+riQxJ9?K=7!RXp1q8((wnxr?&hV~kKP zA}l>!54ZTfVoa;@D(P6zS7@eFZ-(sdqxCvaanSiYI@qPnIb0bq?rUr&#*cpBa9ocS zH!f;wQ?LM4kbMET)zC(u6#O$1jxva+!{;YRUpqgK#XRp18Lo3VaT-VVp;RuP5FJY& zOlhTMeRTOTetB)UVLg+NchpsD{MG7C3VXgz7JrV(BP6!)Ue`FTLcV`;#Aby}h_{24 zJfeRa!9G1aX+F&F!>()rTy3sG!`{^DO35s$Ga(U^(xz!}Dy!ixxR?|X%Ec*e>c$OG zGuM1G$&sRaA_+!<-V5Rg=@rFC%IyQ4IGcL0OMyOzQg`d92C*w`Z?iC|H#`s?i}Q1H zJVrC{uy^_>Je`ndLOtV%^KJXqW~<|wt2Y;!cVS=G@jJE})^NE=|Db44E<-IkCJ_`S zCC7zgf3{ALc)3}7HR}tsf3;M3gJzjJWn47;O?JGt4l3;8Aem%$RjshlZniYJ*1Xb2`Z?tw&4CdnyA*(R%si+g>-Y~0~r!u zH(}62!(7GU8$2&Xj2Zos?P?Rnxd6({gy^|GPdg1xZKXyo_X=w z8J_yC8th7|Wntz|R50x>&!$Jg=Q&r&pp!J>%C10G4Rq-$WAvwJARPpXHyM!T`!Ex; zl7hgyAlyOHH%gW>%HoQHqPi>RIqQ7#bGK@9pe)z@6z;zlBsYdjEao+y z#H9?_zV>x;vLJ7KgZA^BQncYJ2dmSF<*68V62vM83FoVmRQ>)>kwA)4)DicK#zfrc z15jd!Z74&z;c%eF5luKk)GLX?{EY;$h#35CtM-jaCK0(uBwD6JgOj`;up03^8Zx?@ z`)jw4p(;y{m!s34uRSzf7dL(h`i|>y6QToe=C+`-M<>s#yvi!*Q4^jN$ies>s58^t zF;14^VvU#)-CQS-nvcy*(VRU=e6rt*jq$FX2Z!|sG^X^&gfSUzMSsx=eW6+-`$O|X z3K}{}cmjPCJ(@Vh;8m%l$g1qEW=J;UNsb!Hhl_!9+m|Cw;3_Y8WaLW)_4f1h`2yhX zZ7^2y`&3H$SoGrZF@)fw+VOV-FTZc6KEG4BFZbIiZ>9z}^1QESyB1b!IN2rnKzL;G zZLqjlu2z;ckvgr4y%ql9Pe>)`y>f za8RpbJW>puUjeKJ!kv*z>d}WUg0VV|iQ=7O88xqBLstiNsDhPXC?OUch``JP|tvc$J4*U%s`H`Ky}2qR3c{M98t{4>Cfjb~N= z!tZp03aP2r8fY+GQoK+R!`#@+Mi?ZpyECi26EHDWv7(}cYxSoXIJ-j<48sHxP{3t& z>0MHsXGva!q)8jjCGdlba+-DJ!sk)JXq&Rw^E8R^a-P17m7kz~iwKb)m=Geup*1tj;L!=Ul?v^9OledjTx7-hY3tmrH zAon~^E)*v!TM}~Bcwb-U~9b6jOl{A=pR3NeHO+ge50zo;aMaWi)c7V 
zlKFP&ImiJ{u3TFJ&ug~cmUCXn7P1DOgF^LVxsQj^T-vTvR*NFd*DJ~WKR%g8RP=KN zqmP;hL*|U_Lm6h`)>_`;GG-3U>@oeyIDjndu%t&{ux3NOU8gK1S>)Yo6G;hfkD*wj zEGg{Cp*<=2%FojUE9eWNouAO=F}EiveSbf{Vc`4DYLKX-&FlKYZL43PB1*z;7-5!bD@@_92?B__fc zKW;0&joM;F?@Co(l{z{&7GOhp+@U_GXAsnC8axL|Q%`x@?B!gDb!d&SL z`p0<+Q3Jqr0bg%Df)!r2UdNG??h&Oc*|DrCu*8GV#oNrDN8@9kkGqoFxrv^f^^c=< zmcT<{!PlITXjM}-WQ;rw{%~k^WKGgOTyz_YVV?$;%HA~IH6>3TQZwgJ)QueHRN+5~ zWpqD^AV7ZjHKVp4A=f$%(*h^+3k>gs#AQ(^sB8BzkOT{NNwoxfSr-2kiD-Jk6hymz z8CFukDKz99xqaz*GSFY1$bF$)o{05P|8`VBs*+_M$|}dgjg|=JiMyDjr&iNQFiuR3 zJn`V31C0pahs{475@K5T*632nHWWS$zQ@^5>$pX_@!egD%KBe1Vp?T^S>TlaYjP=w zc|9)kgAf)nj@X+UiMY@21G5+c4nMYsF`LnM8GnBKuJiO7<_IsH!}nb_f`1KEMelK zPM@A0RY<2TPer?47R~Z3E1{;WY6BYqyBT*0Ppz9Ja47n>`55fxc;RX8#@kWV@%m<0 za;xnV?bKK-|IVZB)tab^_g%*IdI(W&yogpIQ4meIQaKkaJx0&1RGg`c)xzh;Bg_nf z;F7*d9PJk+?b5|0CX=>epd;>W!9bu|ynr5hG$=-$e#t%t$adUyl-~FGQ7+rg`rRnb zZ*^?gGUWqaRgkZLc62}egm~Nn368KFsM4Bm&;4^@Q+{60f`S5!UJkqbTIkDXw3QZ3 zcT>L-`e}r8x^m%9KkNd}6PSD2b4lRwDqE(<3InP$KKiW;TWxY zKz7rPS!~dHYasJ`(-k3(y*G$MlelrT+L)?f35$hJJ}IP1o1>#G>*t8h`SLv6#c;TJ=%!bs}F+71vNRUlx4N{267sA&&ie#TqK33Q_;Ft z1930g{-6cPw$JCQjDXu%*c`!|t_kVbLYU5wy2>ImPQb2B&B5?NXi=RDz&!2y(43eN zbxlR@(@GiYk!~p!3??Le-FKYJ@@T%APp&p7%ne^F#8Wx%vVA^9OO>gJQA0%VM*vzY>KvTF$!XIY!#M%! 
z&JCgmD3F;@3x%KALG9#}msIxLW8}WlW5ZyPn<}BSljx(QV1A+FCWBg?!|zlY*2zM+ z3Otz+r~ygO5u=`b1XGvTX#LHQvWWV;aDrV3%w&W!qTUC?b)@PAy&1&h7?7elrCSUx zha&4P7iQwvF{=eNnj3xNp@E_j{tQw??z5brPbYyL5|L0b)KzyJ7lJGj!7tY7Xmw-% z#GK+~8Zd=FY0ijctXPcjPQF18#!m(d(4Gm8UC^r&U?ZpD1G*0CYoXItg~Uw=GgH?q z1&lI3<|!SF!m*H+!Lo!av(u+J14BeSOq#vLe+jI=Ar+L|2P@nn$`#FymHxD2>0!1q z{`_19zmoNa$ZIvV;XHPk9RKc2A74VHP$(^z24$3I1kY0RfK9}><;jv|JEozB~w*X_VtTc)e&0*0zNWI|C$HJNpCsxjl zGBqW-L3Az|azyaG4m)&o0%-U^ZrcSuhhnw|`~EA(;|hbv=QE2QgOCR3RZ)nM&KGS< z$P#I781An;d=!*2e}3Y|ulingT9``m|5@6b8JdtBW{{``)K`Wql5VOGQj zBj4N zc&i;oAPbfd;CV6AoaQG8=h*Hgaaw7L2M@-;>(ZC7i~=Rdo4(AhtKqrJpWdl%=Ck{K zosTajamHARbpRo^j@C2u4^N#o4CeZH)KVjeqND8v&uI4TgjRY0fBkTsEto4@|5CkS z09q=GBO3Ux9+vwwo20^4UL9V%+Dt^qVT4_Gw*`L_PL{Ltbk`==(yvw7%hC7eMGakW zaF`u4L)MCTxOl}KtdaJd4!AXY4XxD+mE6kf5md};@r%szJdfXs=c`BDD7dr>kr57^ zF^f&nD|%4XQ49j&qp=Lt<Ukdv!1lA8i1Xv>K1X|mviG@NFMXyXDL?Z~MS60pHW8eYMsIyq|- z-NQyjby1=~HrC+hhx%>Ncj6Jg)iJe!@<_D4425N5lfF7)ha?0tU>})a9dN}aC?OO0 zGZV8)la9`D2%zXZF5>tl-lefXL(EBi*@jgralnypyT9uU(qBe*Kv8fMx=`p%WkVl^Kz;EkxbxoR96}2ZZm0yVWusSV+fPDmYqeY zzI&2sO?!hrd(K^?ICN&M~3oiPmk%hu2nHbl+@+_JuPdK8G zS@orK5Lw0}_*R$-1O_sCQGM!F5tY6c@(u_!bf)q}Y{&D^YIY^cZx4Ad-ft z%%F#K2^@FQHuGg6e$yNmQ5Alk8JhLVRF?83i(&}lIP}IPJFb)L3^$7I!S3;Ejn&}h zq1X0Yvq8nrH1BpzE88EfKq_Y`QF!)9nHm;CaQ*}k(uIA4M*I8Xdug)@N;J_rHq$@ zk49Kp8^MNSj%5=*09*}LgU0f}5TQj*)MbYq)@X&rWRLb&u>w_t*1&}@flC8T0#R0G za<{d$R8Z8r#x?5a^P=+f>~9@gv%z5)GM1;4E9P*bC}=OR&la`{HU{gFP!l50BUShJ z4XMC6wr3ut$g7N}3zufL^0`H_juw`%iKcPW0fEiEW zMsEIRBPN%s+-p0fN5UX%Kt=>;Arop;(f<>nAYR|NG`u}l2sSxVw9R0JNR5voJkmiH z&>5{+U2{txKI=Te&gzuUHVgB)uOkOX`(($$wd>cU8@4=@H8yhj9g7X;lw*Rmej`#1 z6f)F^)F}7?SSY0sIVmPXWNKxhlu0EnHUZn<1n=WoNwu{o6swt&$bw90JpC%p8J?pl zV9KF#K`&V&97YkwP$lG1j*0-EqS)dxIp**s>GD^eo$=_fIb8=tG}9?yR}G|VZ~ra6 zk>OyS&&Y{O7^yD`{I5U5cwRN+)cVPpk0@`)~amOWm=S+E=U zM8SXMNVP(!$%3L?X+YNNOaK5MlSxEDRBI$!X%x(ilVEbDK`SR0^trEyh!Gmfi}wNo z2*l`K@>`Mg;Q2>nTY4W$+M2oog6RYHV2OWc%dF%Fzx_t~*p^2!ejp{wxeJP@I;8LP zD1kh2M469_cqgE&}iC{&>_GT)Os--=GnZCuOBNtX6!4;dN*Q^d7(u 
zK#iT)SEj0zhCq#ip$exm3L`71Cq$Tf0?qK_u_W0t&|iL{bl~XtCdhxh)X-qQ1Diym zl}5p|l`+UifKrft7|MRdUPZr3Rs$AqhMs<5M)=2T}&L*lK%Ot&t_!CPdUv_ zjJ_KZaP70;_JJpo_NE!hcdj@;-L!oJ#v<4qL=>wV2Q+I?i?TO+`Y8UUJb9A*H zk@p8mHywPomOTSoW&5LVUH+wX^Nz>xUL@a&*pjMZ5DdV{sX-a&S9OL+jiQirQgW&$ zP!XYZId2ppAs-r;y`rJqNxT>cg13Z3m4XU#nnUG+UYtfaj3NS~V4R{IT@}F6sbLtZ z0%k?g&$+@VK05dnS<;Z6_OdsU1IyygURpW!eKtsqk7w8lsdXmHklwKVTDBs-Jb_{Y z(8o^%DN|KCL$J3QMVMW5qOjvAPOeJIw-Ij*B)ye0S*Uak-nz83^aH18pcKqeREbb( zA6;EQkRCzHszzbbQ+X!jI27#=22gZFokOw};fBbwX3Q)7%iF#vv37IhxFY3b?`uJB z`NQwjzj4`l>9(FtWp*jd#vM-8lP^+EhsBJ>B$Tv}re4caY#}7HIVN`cn}R-dhnG05@{EPD(cjC(jY4*M|TbNm{t zNVp$fGLQD-fXF6{Da$P0qC`9~^moIA9Fxj) z2m>fOqMkg`v{ayH9`cS|E$$nIZ%0ZiPXAEGJ#6RA;9K_T;xMB%xK#>s=@nl~dj_`S zgeE(qRj9*!xs6FEX+BoMH6sf-Y9jR^R+Gp@PBC#qE^Dw#<%Zu=%o<#!StrescOTgB z^xA=;eok-6H=2@;ra|91MF!PbQ4yVE@PMV8l2H`M)a0CCMMSiPNMV_*qNODn8%th% z%(C<)N1t5gSrju`r_0j#OeQ4ebRK|hfi|Xh+rqp{bOV4sI(wQ-L@$!EnmJ|45W8%`yJTf?tZNF#Bc-y zbuv5WB{|3ej;K0dX_cj_7L|a0;6k*E3XuV=mmMK%wiYp^4M9E)giFP-L?ivPSH6uA z8ILCB4A69OJp*Pl?;ri<;OzyUwWLIJwvSP)OQIzxAX0F%4>I=iGB@e2dM;Vf$U(oPL#HmBw zaG2Xma`wbrs&30%AX6wH!)`r^T9kq$;T>s73_3s-T$yVrutlClXhd z>Uk>5X8=id4M{FI=K>7K)65RgEmxNQ3bo`-sC{N!qQa^w0ZMdn00`q<0zY_{Gu}|S z%;&t3Ak=T&`;^>R?ts+TXpxU1zyl;(JnkvM59sO4XO9BP57XuaW8t5`#-Nxf$qEHq z$9Ei69f@-5`Z?Fdk zy_Iloh}5!3LsDr#NuSDNrE9>e6WJUYF!4}qHaa?zjEoFrL&Jl~z)&Bqe(b8zm!W@G z>Ko|A;^EN-oEVf2jtn4AsNy&)f?XNefD8gY6QHWuf36I_XDtbzG4Eg3hxVXGq;d)xK)`yz@Gz*FSd zYPB}CW!S#6y!NiE8+rWjbTN>jvHoN(X0+~j`1;a4kKSH>_S0V=8(X`FO0i0c)HEsF zUSt%S-!kf1+Ro>Z0p^UY~KEO^2C-6$%f4jCl5Y$cd}v21HSgzmy+NM zTdfdgzKUE(!xuGlddo!q!SjyD4w!Rb#^csz&zPHZcg-&2%(}FzqnlH;2|k2MIZexT zM`}DY7}Nd3&Z~0AC=%l2Kgc%GHVUmsx^>4UiL_^`FfY@>^$qt*Ij&gyqvVJKk6~A< zdMmOMCElY(!Te~Am>_Re$jVsFT|%Az!-{`Dc_ZI{;PM87T9I9N!P=%|MS?y<_VcEO z#wEjP2``Tt8aUm_)UjQCHaOIu?daPshJa5ulZQ6mm)!oq4WS_fH7k+x@7i$aBE+y_ zLW+5!Qy#im{B;Ghbx?{YPcAe9>|nV{i?GTdlH2F=tFQi%o`n5pT*4dtI9=dnUv|iX z!;=H%E>7mnT$s&*5zXkFm2|Xprd-`xYQ%vp%pZ&fM<&U@903s}zxbhn-Sf!p$$gLA zQJUE{Pd-2j(%R=iu3(li-*{Jc 
z7IGFQG>{~jHS0b>pxO8d_Obmax;&+xzOCggJ2oYcZGI$q;L*F2TkpF*dGHB&ZxR_o zd-DuFrKQVdj>Q^EMzE%7WDNe8Y<(GIX7_^9vSB4MwiT6CsvZ>{ zx1_kjgr(j;>)_{SPhWgwvKU82&!4p@!A>VQ)36(78McYhI0o4A{TtV3Utax5DL0LB zI=Z1zIjb;TbHioXVT+!{ErO!^JlQhuQNu9LtqHR-Nir)ZYeG*bX)HI0fy~-wUVSh! zQ~+W0HnP%Ro%)_T?tSFWBYt|f6M@9gl!N8!`cAw2kG$zIK}?t4aIi-XP)>T?6ix%RI= zbMgyN|IvZ5Ut5AC?B8c6o_Jy-B54#q!Sy~l@Ud++o+Di4I)l)c)bcUx>_9ytP{(S(LWqv0-#95O$9rluSv2@lB~9x zSqX5<2L^hx@htg1iNo#{!;yg?%ol{|ZTGLe4*t!!o?~(BW=(rXeT|L}$u;c@Tcd!S z;e$)ByKPN&;Jiao7t!aKQjMGv@uZu8DN3zTLPQy1<2Y8j5w9GsUUBZpcdlHCl_e|9 zG1$sn)VWln`L-nzZ7D0?_T%{T!vaqGz%r`IHOq@<>z z)?`r9nnaU{R6#yXnZ1JbUqtqW8!oJ92#O5EE;C8K10MFp`0l}rM4;}bvj)tq=8h+D z>Gjy$0j|pZCt5F(O~Or*T*>I~lB+HVA4fG{_NsRqW^H8ran1$jaQq#)A_HNIK}&i7 z*H3ZLsnM8F{dd}HfE&$m5@Xex3$VGv;C?yfsPj0t2n*o-s||%7FBM-TIZFdr1WdJ zNs`r&5JXK$Sk}PreXxtgS1Cc4TLsbttY#qE)LaItTXAt*Qg1~>W&6tyKd3TG;V-)U z3-~N|OR&K}&Gas zm|QIbVZ0i|mjQD-qp`udH{CTbINFO=WI^)B z^;f2kY`RaTeC^wISN(RmE^9sBWkI|f)r4_s7b~^X(&yiI-ts|yR$Hs}prnZmgfwap zp98F|$ZjbHh1cD_p#gq60GIv|XN%yIP%dJWYPid}*Sfsh1XZh=nQ1)+dp67%>tc^6 zDS9!O&&Fg7L|YNATKv2fP_tReCsGgZ>l#RtzLD*6w#d)__?`6e?HjTD1pE0;Fczs= zYBh>#b-5~IQG^OBiVJZmmbJGb&*`U@pLYUU4~#v6W$htl2v5d9NUyEPX92UjRUeB` zEBlSZJP#Hy+TA6wm~|bdIB}ZHRGil1sc}_FVamcdbJc|X7Ve$-&<+_YOf>e;gePkt z+KTW~x=&hWH5!#w_oulAb_{Nj68_-o|4VoDZ^Nh56SN{zuE(_$ICWvlfyyfjF7dVO zN0;M;;AF-gnv=;I2^n655`|3@o$YB`@M zH}&|vUITW@H@W8K%Vo+}cA3-~ss1jNLWNANY87#Dh6-=Hv7}^-hVp)st))|`^OKsz z3X98Dghs+uzCX0^q^%M3b+?aefK$G++UF;0?_QH`*!-X!tg{Ect4^!<-PPpxh20Jk(FMrOd8J^OzGbR@RPV88HrtYT1CB&t% z_LhzY?Be-OY({-8r*;3~+&53zKz61DVd-?h{-1!k1xRy%16X&{R|DK$c0B2Bo5Lce z>mR-qTgK|T)>@@zt({Ue7wSoKDWOSXw5_EbUkmp9;;+v=`5UXwT-C7R!X-O36xdk< zVK#KY{tl}ahE4V?qV7#!4fGA|kiuPk)6bK^p@EG1DpxFppIQ|cd2v0TK!3%=+-J85 z`#ujfW~H+ykT7BN&Kd{>vlU^>aTBhO;-cFrD>bb3-+f5~+;neN`vP>c)}@bZz8`~i z^t$EEdU36tsBFqL5uL=>CLV8V>EK)bcfb8}CqK-t72kbKN^Swst{4c#(ID8qei9eY zRiMGtjRZ>AAKWpE!K5J^F)_P8VLN^IwRK$_?)=q9C`hykcp7PaQ=~`)i zcGW*nH6_9>Dc>Ty%85`sXV?{i+@8TCH4}?s7fcT~o8n2nXpLj~syO 
zg}6p=?JoHcRd;)%2KZgbI8NFc85zl*|BMr`L3kri2SZlb^PYm6nnC0Rk9M|o;{crg zkDYVwDgR63*x6aDyx`r@f~ZU#2)z@CwYciz5!K8z_PMulciY_LmIwZjZrJkBq&~@Y z>Y!2R<&aYbIPPf1Zv8)paeTt8wOXRDA*L)W&#*fUghkaB<8^>J56G^U8Vb~mtE*nSFaP5WI9G6Fba*^%Xn4(vm9HJ( z?uff%+!1DRcN++0bMBAbtKZ=IYg}|Rklkk0BC-Cn*JwbO!4HoOrVl@HpDcryamemB z3R7k~$ieyb3Em36{_OvJ)g3EWu4-O3#f6BIQJ{8-CPOsDi%(ygWy+1YQ_Yw9N( z?ZS*z|8UP|vGLm%R-#+AyJoD4lHHRA5_YNn5{dr;SKUa8?!q*{ajJJ#`#hE;-LUBa zIrF~goyaa0b)=)Mn=@A5Jm<5o`A5!JeQf24dvp?LPZ|hy!Lf&St4;xYEv~weKnc^) z@q}YK9+!<%lF<{|oxQAVq_b@XjpIj{&gBDF+(i3YDc#Qcd)h#lFIu=73CALQnOHXx zC}Fy}!4d9Kn6E}7+0laV0lY`ulVKn%fDYO@ z1~~!OEx77N0wqi*He4TSljA!sZ1 z&w%g6^%Y!fT{x-E)xdSP4{3le4C%0UZ^|7F@s*!!d_BQCkrA%S#j$8*?A-W<73ZG% z1HK{WOTaz-o?{}_YUP}WZcoOuOU14hjrFUzmg3?j*))#&(iA9RUvlG_>0&*;?NPic z93PiKdzF!;t^D#m2aMy9Qkp)O#$mn&TsHPp8wd5iHy8->K^0Q79EV(u>sh$M{kH1k z5-4P!aMl>G`yy5qmTT3o@iKPU;$R%#b6h^!)$**r{_M%Oa#il0Tw66&9X{1vtbBgi zVzA}dfNKe^3viu-i>}_~GJ4o2e(_GE`VmxFGK!-Unz&U^|Gc{q6I8zvgcMYyiPbuq3N;nMEd-kNu0aX)svYq&!g zPw*T=-m8*XvzU%z>)s~rwvIJbKW}Mndh1{P$4Of_-T)rm>z&`+ZBJ@@Z?0r&2<&p* zhl|ToK89;0F6LXiV>|t-7BcE?H*27jHezaWELkvXaf!!8V;oXWvUI$ywXJDjcwnq| zpy$0SK6i>7qPaVFAKA^taN_pHE|$xj1+>dWL-;tZ=i|B&S2Hf+7+-gLi3S>AAavaw zvw3#NC_bVpb+&ai4Gs@niFYK=q;Z(Vh8a$J+PMv-pUk4}%`Hf%2kmmvC~m;TZ#qAO z>l3)x!f*zR#-d{vfOYp&Xh8Pp9ZSY$cFoPY+Gk>kdT$@PRR6HzbFblqOS1CJRn1sW zHIl4;DsngVH1`z)VaeF#Vz-KUra}BWu1j$J7p_0SMW?OJzR)t798a&`al8%ZK)h*Q z_W{Z1*vLiYfr0nG^ZYZO;9K#dZaXR!Vhr2%rM%4`Hf4DdEKjk6UVWJ!gc@2)d0Ix+O49|ybsqFTxt-!X}ozFuKT-J7tS!O zjvs>mc3k3Cp187+3k_|s?mdMX2)l~hO_|-Veq3r0bwlyGP@U|GpEnFXls<@yTRhRF zC!Tm>cux$r{`-__Am8m;h}?V@SKd%Ke%Y1Eu|M-tcO2)b4tP%GCveFY@9^o^o#MTy zyS-EcY|_I%FAaq)%4S@8V|kN#)yFAbC#svgPaUxZ4j(KJBFs+{X5ms-Hw@LpKH}#M zg-^Nn;<^)8SPAksKaAU-VHyN=6YAiP2%m+E)9vc&hM}6+NBz8^u=(e#*H3VT19LVr4U!&o*g zYiJbI#f`Y$k83e5b$qyR@LeBcs79u#&zr2%!&=0b0r(=W`*4NELYQ3*j#=`RC{MR9 zgjoh1gXQyk2jV`Bi#yJQj{4%Y-?{z$Nx)WxhQbP?j$MbB;Cd~tlW`r5D|CG7@}i^u zC}VHcBlD?708q*r=9TeWy7O~fKgM+(E_I}%QP7~Yyc)OP_@T1)n?hG9s6HXt+u0wH!vpNVm$BLGJimT4)>qQ2| 
z6V}SEaFMUPYLKMKJ8qVH4=%P6*WltT6uVLEGOD8-8U^#IdDXc6-Vbleey@xI1yDb% zfV@~~^Q{Zx55aXLF19r6jvayPU|c*4K;J9_+@p>&O`CAtkBbJty^n9j#n$05TzRLh zCCgMdioAA$aNR%xWlRDL4Tcq~S~sK>ar1F4!gZka*)>~$Yc4LnlbK + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From 345594d7f51cb7226562ed4a32ef962ce7a61188 Mon Sep 17 00:00:00 2001 From: Sadman Anik Date: Fri, 7 Feb 2025 14:47:21 +0600 Subject: [PATCH 099/104] Updated actions/checkout v3 to v4 --- code-scanning/black-duck-security-scan-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/black-duck-security-scan-ci.yml b/code-scanning/black-duck-security-scan-ci.yml index a777a04..2b47330 100644 --- a/code-scanning/black-duck-security-scan-ci.yml +++ b/code-scanning/black-duck-security-scan-ci.yml @@ -29,7 +29,7 @@ jobs: steps: - name: Checkout source - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Black Duck SCA scan uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9 with: From fcdc1287fc1cf0705620c88aebe7ed39f30648de Mon Sep 17 00:00:00 2001 From: Sadman Anik Date: Mon, 10 Feb 2025 11:43:15 +0600 Subject: [PATCH 100/104] Fixed Linting Issues --- code-scanning/black-duck-security-scan-ci.yml | 10 +++---- ...lack-duck-security-scan-ci.properties.json | 28 +++++++++---------- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/code-scanning/black-duck-security-scan-ci.yml b/code-scanning/black-duck-security-scan-ci.yml index 2b47330..c6a132b 100644 --- a/code-scanning/black-duck-security-scan-ci.yml +++ b/code-scanning/black-duck-security-scan-ci.yml 
@@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. -# Black Duck Security Action allows you to integrate Static Analysis Security Testing (SAST) and Software Composition Analysis (SCA) into your CI/CD pipelines. +# Black Duck Security Action allows you to integrate Static Analysis Security Testing (SAST) and Software Composition Analysis (SCA) into your CI/CD pipelines. # For more information about configuring your workflow, # read our documentation at https://github.com/blackduck-inc/black-duck-security-scan @@ -17,7 +17,7 @@ on: branches: [ $default-branch ] schedule: - cron: $cron-weekly - + jobs: build: runs-on: ubuntu-latest @@ -31,7 +31,7 @@ jobs: - name: Checkout source uses: actions/checkout@v4 - name: Black Duck SCA scan - uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9 + uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9 with: ### ---------- BLACKDUCK SCA SCANNING: REQUIRED FIELDS ---------- blackducksca_url: ${{ vars.BLACKDUCKSCA_URL }} @@ -46,9 +46,9 @@ jobs: polaris_server_url: ${{ vars.POLARIS_SERVER_URL }} polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }} polaris_assessment_types: "SCA,SAST" - + ### ---------- SRM SCANNING: REQUIRED FIELDS ---------- srm_url: ${{ vars.SRM_URL }} srm_apikey: ${{ secrets.SRM_API_KEY }} srm_assessment_types: "SCA,SAST" - + diff --git a/code-scanning/properties/black-duck-security-scan-ci.properties.json b/code-scanning/properties/black-duck-security-scan-ci.properties.json index 277ca27..3e196fd 100644 --- a/code-scanning/properties/black-duck-security-scan-ci.properties.json +++ b/code-scanning/properties/black-duck-security-scan-ci.properties.json 
@@ -2,21 +2,21 @@ "name": "Black Duck Security Scan Workflow", "creator": "Black Duck Software, Inc.", "description": "The Black Duck Security Scan GitHub Action allows you to configure your pipeline to run Black Duck Security Scan and take action on the security results", - "iconName": "black-duck.svg", + "iconName": "black-duck", "categories": [ - "Code Scanning", - "C", - "C++", - "C#", - "Go", - "Java", - "JavaScript", - "Ruby", - "PHP", - "Swift", - "Kotlin", - "Python", - "VB.NET", + "Code Scanning", + "C", + "C++", + "C#", + "Go", + "Java", + "JavaScript", + "Ruby", + "PHP", + "Swift", + "Kotlin", + "Python", + "VB.NET", "Objective C" ] } From f70f9c8252eb9b8f08f52c35e28be7337259bd13 Mon Sep 17 00:00:00 2001 From: Spencer Schrock Date: Mon, 24 Feb 2025 11:11:43 -0700 Subject: [PATCH 101/104] bump action versions to latest to resolve issues 1. Scorecard update v2.4.1 was released, which includes months of bug fixes and a new `file_mode` input to address a .gitattributes bug. 2. Bumped actions/upload-artifact to the v4 branch. This was previously kept at v3 as GHES doesn't support v4, but github.com no longer supports v3: as uploads return the following error "Create Artifact Container failed: The artifact name JSON file is not valid." Signed-off-by: Spencer Schrock --- code-scanning/scorecard.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index b58ec1f..9381468 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml 
@@ -32,12 +32,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1 with: results_file: results.sarif results_format: sarif @@ -56,10 +56,13 @@ jobs: # of the value entered here. publish_results: true + # (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore + # file_mode: git + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 + uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1 with: name: SARIF file path: results.sarif From 41e00af395c8dace730165ef22d546e504b5c305 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Tue, 4 Feb 2025 15:54:05 -0500 Subject: [PATCH 102/104] Limit scorecard to default branch Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- code-scanning/scorecard.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index 9381468..248c9f9 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml @@ -21,6 +21,8 @@ jobs: analysis: name: Scorecard analysis runs-on: ubuntu-latest + # This action only works when run from the default branch + if: github.event.repository.default_branch == github.ref_name permissions: # Needed to upload the results to code-scanning dashboard. security-events: write From 4a5b4939a642720a98cb0c99db033cf7722eeced Mon Sep 17 00:00:00 2001 
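Review bot: The new job-level `if: github.event.repository.default_branch == github.ref_name` silently skips the whole Scorecard job whenever the two sides differ, and both sides depend on the triggering event: `github.ref_name` is a short ref (a tag name on tag pushes, `<n>/merge` on pull requests), and `github.event.repository.default_branch` is only set when the event payload carries a `repository` object. The `on:` block of this workflow is outside the hunk, so I cannot confirm every trigger it declares (the scheduled run in particular) populates that field; if one does not, the comparison is `'' == <ref>` and the scheduled scan stops without any failure signal. Suggest verifying each declared trigger once and recording the result in the comment, e.g. `# Skip on non-default refs; verified to evaluate correctly for the push and schedule triggers declared above.` The `permissions:` block this condition guards continues outside the hunk.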
From: Spencer Schrock Date: Mon, 24 Feb 2025 11:19:07 -0700 Subject: [PATCH 103/104] add future looking pull_request event to conditional Scorecard currently has experimental support for the `pull_request` trigger, so we want to allow analysis to be run for it in the future. Signed-off-by: Spencer Schrock --- code-scanning/scorecard.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index 248c9f9..b5b838e 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml @@ -21,8 +21,8 @@ jobs: analysis: name: Scorecard analysis runs-on: ubuntu-latest - # This action only works when run from the default branch - if: github.event.repository.default_branch == github.ref_name + # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled. + if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request' permissions: # Needed to upload the results to code-scanning dashboard. security-events: write From dd84e34b8d9a59b95268c894e46209dfd66e5c10 Mon Sep 17 00:00:00 2001 From: Ruud Senden <8635138+rsenden@users.noreply.github.com> Date: Mon, 17 Mar 2025 22:57:43 +0100 Subject: [PATCH 104/104] Update to latest published action version --- code-scanning/fortify.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml index a72ed11..fd7b723 100644 --- a/code-scanning/fortify.yml +++ b/code-scanning/fortify.yml 
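Review bot: The added `|| github.event_name == 'pull_request'` clause on the `if:` line is inert unless the workflow's `on:` block (outside this hunk) declares a `pull_request` trigger, and once one is added the job will run with the permissions declared directly below it — `security-events: write` is visible here, the rest is outside the hunk — on PR builds; for pull requests opened from forks the GITHUB_TOKEN is read-only regardless of that block, so any SARIF upload step still in this job would fail on such runs rather than be skipped. The rewritten comment also packs two sentences into one long line and does not say that the PR clause is forward-looking, which the commit message does. Suggest splitting it into two comment lines: `# publish_results: true only works from the default branch; drop this conditional if publishing is disabled.` and `# The pull_request clause is a no-op until a pull_request trigger exists under on: (Scorecard's PR support is experimental).` The `permissions:` block guarded by this condition continues outside the hunk.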
@@ -55,7 +55,7 @@ jobs: # are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability # required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version # of this action, allowing your workflows to automatically benefit from any new features and bug fixes. - uses: fortify/github-action@d7cb5974c159fad242153f52f7c6fa4dda065b23 + uses: fortify/github-action@ef5539bf4bd9c45c0bd971978f635a69eae55297 with: sast-scan: true # Run a SAST scan; if not specified or set to false, no SAST scan will be run debricked-sca-scan: true # For FoD, run an open-source scan as part of the SAST scan (ignored if SAST scan