From 69184c7484fdc04189ae93557415ca14959cd5a7 Mon Sep 17 00:00:00 2001 From: Yoni Leitersdorf Date: Tue, 17 Aug 2021 07:29:02 -0700 Subject: [PATCH 01/19] Added Cloudrail according to instructions and existing examples --- code-scanning/properties/codeql.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index cb9305a..f4db277 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -1,6 +1,6 @@ { "name": "CodeQL Analysis", - "creator": "GitHub", + "creator": "Indeni", "description": "Security analysis from GitHub for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.", "iconName": "octicon mark-github", "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python"] From 188b52b51c31ac79b948c3b4a656b097920e9fe6 Mon Sep 17 00:00:00 2001 From: Yoni Leitersdorf Date: Tue, 17 Aug 2021 07:29:29 -0700 Subject: [PATCH 02/19] Adding Cloudrail according to documentation and examples --- code-scanning/cloudrail.yml | 58 +++++++++++++++++++ .../properties/cloudrail.properties.json | 7 +++ icons/cloudrail.svg | 53 +++++++++++++++++ 3 files changed, 118 insertions(+) create mode 100644 code-scanning/cloudrail.yml create mode 100644 code-scanning/properties/cloudrail.properties.json create mode 100644 icons/cloudrail.svg diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml new file mode 100644 index 0000000..474b97a --- /dev/null +++ b/code-scanning/cloudrail.yml @@ -0,0 +1,58 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: cloudrail + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + cloudrail: + name: Run Indeni Cloudrail on Terraform code with SARIF output + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Clone repo + uses: actions/checkout@v2 + + # For Terraform, Cloudrail requires the plan as input. So we generate it using + # the Terraform core binary. + - uses: hashicorp/setup-terraform@v1 + with: + terraform_version: v0.13.2 + + - run: terraform init + + - run: terraform plan -out=plan.out + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + # Confirm we have the plan file + - run: stat plan.out + + - name: Run Cloudrail + uses: indeni/cloudrail-run-ga@v1.3 + with: + tf-plan-file: plan.out # This was created in a "terraform plan" step + cloudrail-api-key: ${{ secrets.CLOUDRAIL_API_KEY }} # This requires registration to Indeni Cloudrail's SaaS at https://web.cloudrail.app + cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + # Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always() + # is needed to ensure the SARIF file is uploaded + if: always() + with: + sarif_file: cloudrail_results.sarif diff --git a/code-scanning/properties/cloudrail.properties.json b/code-scanning/properties/cloudrail.properties.json new file mode 100644 index 0000000..36181c2 --- /dev/null +++ b/code-scanning/properties/cloudrail.properties.json @@ -0,0 +1,7 @@ +{ + "name": "cloudrail", + "creator": "Indeni Cloudrail", + "description": "Cloudrail, by Indeni, can be used to scan your infrastructure-as-code files for potential security and compliance issues. The Cloudrail action is often used as part of both CI workflows (on pull_request) and on CD workflows to identify potential issues. Cloudrail's output uses the SARIF format, which will surface the scan's results directly inside your pull request.", + "iconName": "cloudrail", + "categories": ["Code Scanning", "HCL"] +} diff --git a/icons/cloudrail.svg b/icons/cloudrail.svg new file mode 100644 index 0000000..9aaf9c3 --- /dev/null +++ b/icons/cloudrail.svg @@ -0,0 +1,53 @@ + + + + + + + + + + + + + + From 98bde3b31e53b969eeabcb5a94e5461d3fa0664c Mon Sep 17 00:00:00 2001 From: Yoni Leitersdorf Date: Tue, 17 Aug 2021 07:32:50 -0700 Subject: [PATCH 03/19] Oops --- code-scanning/properties/codeql.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index f4db277..cb9305a 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -1,6 +1,6 @@ { "name": "CodeQL Analysis", - "creator": "Indeni", + "creator": "GitHub", "description": "Security analysis from GitHub for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.", "iconName": "octicon mark-github", "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python"] From 6dfa11d0c4c966b00c10cab65d484232008ec9cb Mon Sep 17 00:00:00 2001 From: Cadu Ribeiro Date: Fri, 17 Sep 2021 17:58:46 -0300 Subject: [PATCH 04/19] Add github/super-linter as starter workflow on CI (#1089) This commit adds github/super-linter as a starter workflow to execute several linters based on the user codebase on changed files. Co-authored-by: Josh Gross --- ci/properties/super-linter.properties.json | 6 +++++ ci/super-linter.yml | 29 ++++++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 ci/properties/super-linter.properties.json create mode 100644 ci/super-linter.yml diff --git a/ci/properties/super-linter.properties.json b/ci/properties/super-linter.properties.json new file mode 100644 index 0000000..e070300 --- /dev/null +++ b/ci/properties/super-linter.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Super Linter - Run Linters for several languages", + "description": "Run linters for several languages on your code base for changed files", + "iconName": "octicon check-circle", + "categories": ["code-quality", "code-review"] +} diff --git a/ci/super-linter.yml b/ci/super-linter.yml new file mode 100644 index 0000000..bebd82d --- /dev/null +++ b/ci/super-linter.yml @@ -0,0 +1,29 @@ +# This workflow executes several linters on changed files based on languages used in your code base whenever +# you push a code or open a pull request. +# +# You can adjust the behavior by modifying this file. +# For more information, see: +# https://github.com/github/super-linter +name: Lint Code Base + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] +jobs: + run-lint: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v2 + with: + # Full git history is needed to get a proper list of changed files within `super-linter` + fetch-depth: 0 + + - name: Lint Code Base + uses: github/super-linter@v4 + env: + VALIDATE_ALL_CODEBASE: false + DEFAULT_BRANCH: $default-branch + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From e4091f2f55dfbfcd692d8e6444562bf0bd7e4e06 Mon Sep 17 00:00:00 2001 From: Ninad Kavimandan Date: Tue, 21 Sep 2021 13:35:26 +0530 Subject: [PATCH 05/19] add `Vue` to nodejs props (#1109) --- ci/properties/node.js.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/properties/node.js.properties.json b/ci/properties/node.js.properties.json index 32f5306..7f68d88 100644 --- a/ci/properties/node.js.properties.json +++ b/ci/properties/node.js.properties.json @@ -2,5 +2,5 @@ "name": "Node.js", "description": "Build and test a Node.js project with npm.", "iconName": "nodejs", - "categories": ["Continuous integration", "JavaScript", "npm", "React", "Angular"] + "categories": ["Continuous integration", "JavaScript", "npm", "React", "Angular", "Vue"] } From 55f65bcc15417680dcd248f288c788a0879a0db4 Mon Sep 17 00:00:00 2001 From: Fernando de Oliveira <5161098+fedeoliv@users.noreply.github.com> Date: Wed, 22 Sep 2021 08:07:22 -0300 Subject: [PATCH 06/19] Directory structure updated (#1112) Co-authored-by: Fernando de Oliveira <5161098+fernandoBRS@users.noreply.github.com> --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 4b5b9f8..77506d4 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,8 @@ These are the workflow files for helping people get started with GitHub Actions. ### Directory structure -* [ci](ci): solutions for Continuous Integration and Deployments +* [ci](ci): solutions for Continuous Integration workflows. +* [deployments](deployments): solutions for Deployment workflows. * [automation](automation): solutions for automating workflows. * [code-scanning](code-scanning): starter workflows for [Code Scanning](https://github.com/features/security) * [icons](icons): svg icons for the relevant template From 5a1343bb22091fcb394e257bbfd53a5be55cabd9 Mon Sep 17 00:00:00 2001 From: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Date: Thu, 23 Sep 2021 10:29:50 +0530 Subject: [PATCH 07/19] Adding template - Build Xcode project (#1095) * adding build for xcode * renaming template Co-authored-by: Ashwin Sangem --- ci/objective-c-xcode.yml | 30 +++++++++++++++++++ .../objective-c-xcode.properties.json | 6 ++++ 2 files changed, 36 insertions(+) create mode 100644 ci/objective-c-xcode.yml create mode 100644 ci/properties/objective-c-xcode.properties.json diff --git a/ci/objective-c-xcode.yml b/ci/objective-c-xcode.yml new file mode 100644 index 0000000..db009b0 --- /dev/null +++ b/ci/objective-c-xcode.yml @@ -0,0 +1,30 @@ +name: Xcode - Build and Analyze + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + +jobs: + build: + name: Build and analyse default scheme using xcodebuild command + runs-on: macos-latest + + steps: + - name: Checkout + uses: actions/checkout@v2 + - name: Set Default Scheme + run: | + scheme_list=$(xcodebuild -list -json | tr -d "\n") + default=$(echo $scheme_list | ruby -e "require 'json'; puts JSON.parse(STDIN.gets)['project']['targets'][0]") + echo $default | cat >default + echo Using default scheme: $default + - name: Build + env: + scheme: ${{ 'default' }} + run: | + if [ $scheme = default ]; then scheme=$(cat default); fi + if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi + file_to_build=`echo $file_to_build | awk '{$1=$1;print}'` + xcodebuild clean build analyze -scheme "$scheme" -"$filetype_parameter" "$file_to_build" | xcpretty && exit ${PIPESTATUS[0]} diff --git a/ci/properties/objective-c-xcode.properties.json b/ci/properties/objective-c-xcode.properties.json new file mode 100644 index 0000000..e6068fe --- /dev/null +++ b/ci/properties/objective-c-xcode.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Xcode - Build and Analyze", + "description": "Build Xcode project using xcodebuild", + "iconName": "xcode", + "categories": ["Continuous integration", "Xcode", "Objective-C"] +} From 4a9a1680df0712aead69b443e6f41ef5a3aaff80 Mon Sep 17 00:00:00 2001 From: Randy Kleinman <76182417+rkleinman-hpe@users.noreply.github.com> Date: Fri, 24 Sep 2021 17:05:34 -0500 Subject: [PATCH 08/19] Update README grammar (#1123) substitue -> substitute --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 77506d4..f39892f 100644 --- a/README.md +++ b/README.md @@ -45,5 +45,5 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`. These variables can be placed in the starter workflow and will be substituted as detailed below: * `$default-branch`: will substitute the branch from the repository, for example `main` and `master` -* `$protected-branches`: will substitue any protected branches from the repository. +* `$protected-branches`: will substitute any protected branches from the repository * `$cron-daily`: will substitute a valid but random time within the day From b58a4e21c6a523516a4c6d5d108a28281e9b7814 Mon Sep 17 00:00:00 2001 From: Nick Fyson Date: Mon, 27 Sep 2021 20:32:30 +0100 Subject: [PATCH 09/19] start validating code-scanning workflows --- script/validate-data/index.ts | 2 +- script/validate-data/settings.json | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 8413653..8153936 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -49,7 +49,7 @@ async function checkWorkflows(folders: string[]): Promise }); for (const e of dir) { - if (e.isFile()) { + if (e.isFile() && extname(e.name) === ".yml") { const fileType = basename(e.name, extname(e.name)) const workflowFilePath = join(folder, e.name); diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index f7c08cf..01092cc 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json @@ -2,6 +2,7 @@ "folders": [ "../../ci", "../../automation", - "../../deployments" + "../../deployments", + "../../code-scanning" ] } \ No newline at end of file From 70655750b2798ee5171c044e10795b992e27ee6f Mon Sep 17 00:00:00 2001 From: Nick Fyson Date: Tue, 28 Sep 2021 09:37:43 +0100 Subject: [PATCH 10/19] check for yml and yaml extensions --- script/validate-data/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 8153936..84518d7 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -49,7 +49,7 @@ async function checkWorkflows(folders: string[]): Promise }); for (const e of dir) { - if (e.isFile() && extname(e.name) === ".yml") { + if (e.isFile() && [".yml", ".yaml"].includes(extname(e.name))) { const fileType = basename(e.name, extname(e.name)) const workflowFilePath = join(folder, e.name); From f0b8c8ad72c009ca3093b9919e70a6325b49aa44 Mon Sep 17 00:00:00 2001 From: Gary Houbre Date: Tue, 28 Sep 2021 11:41:17 +0200 Subject: [PATCH 11/19] Starter workflow Symfony (#1069) * Add Symfony to starter Workflow * Added Properties from Symfony * Update symfony.yml * Update symfony.yml * Update symfony.yml * Fix Wrong Configuration * Review and fixing * Update Symfony Properties Category Co-authored-by: Ashwin Sangem --- ci/properties/symfony.properties.json | 10 +++++++ ci/symfony.yml | 39 +++++++++++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 ci/properties/symfony.properties.json create mode 100644 ci/symfony.yml diff --git a/ci/properties/symfony.properties.json b/ci/properties/symfony.properties.json new file mode 100644 index 0000000..ea9a950 --- /dev/null +++ b/ci/properties/symfony.properties.json @@ -0,0 +1,10 @@ +{ + "name": "Symfony", + "description": "Test a Symfony project.", + "iconName": "php", + "categories": [ + "Continuous integration", + "PHP", + "Symfony" + ] +} \ No newline at end of file diff --git a/ci/symfony.yml b/ci/symfony.yml new file mode 100644 index 0000000..7d1ca74 --- /dev/null +++ b/ci/symfony.yml @@ -0,0 +1,39 @@ +name: Symfony + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + +jobs: + symfony-tests: + runs-on: ubuntu-latest + steps: + # To automatically get bug fixes and new Php versions for shivammathur/setup-php, + # change this to (see https://github.com/shivammathur/setup-php#bookmark-versioning): + # uses: shivammathur/setup-php@v2 + - uses: shivammathur/setup-php@2cb9b829437ee246e9b3cac53555a39208ca6d28 + with: + php-version: '8.0' + - uses: actions/checkout@v2 + - name: Copy .env.test.local + run: php -r "file_exists('.env.test.local') || copy('.env.test', '.env.test.local');" + - name: Cache Composer packages + id: composer-cache + uses: actions/cache@v2 + with: + path: vendor + key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }} + restore-keys: | + ${{ runner.os }}-php- + - name: Install Dependencies + run: composer install -q --no-ansi --no-interaction --no-scripts --no-progress --prefer-dist + - name: Create Database + run: | + mkdir -p data + touch data/database.sqlite + - name: Execute tests (Unit and Feature tests) via PHPUnit + env: + DATABASE_URL: sqlite:///%kernel.project_dir%/data/database.sqlite + run: vendor/bin/phpunit From 7f30309ccedb0e3dee186e0ee58c232752a78e24 Mon Sep 17 00:00:00 2001 From: Fernando de Oliveira <5161098+fedeoliv@users.noreply.github.com> Date: Wed, 29 Sep 2021 02:02:01 -0300 Subject: [PATCH 12/19] Azure Data Factory CI starter workflow (#1111) * Azure Data Factory CI starter workflow * fix: data factory starter categories * fix: checkout step formatting * fix: data-factory-export targeting latest version * feature: latest adf validate and export versions * feature: Azure Data Factory tech_stack category for CI starter Co-authored-by: Fernando de Oliveira <5161098+fernandoBRS@users.noreply.github.com> --- ci/azure-data-factory.yml | 47 +++++++++++++++++++ .../azure-data-factory.properties.json | 7 +++ icons/azure-data-factory.svg | 1 + 3 files changed, 55 insertions(+) create mode 100644 ci/azure-data-factory.yml create mode 100644 ci/properties/azure-data-factory.properties.json create mode 100644 icons/azure-data-factory.svg diff --git a/ci/azure-data-factory.yml b/ci/azure-data-factory.yml new file mode 100644 index 0000000..776e250 --- /dev/null +++ b/ci/azure-data-factory.yml @@ -0,0 +1,47 @@ +# Sample workflow to validate Azure Data Factory resources and export its ARM template as an artifact +# Note: Ensure you have the following package.json in the same directory of your ADF resources + +# { +# "scripts":{ +# "build":"node node_modules/@microsoft/azure-data-factory-utilities/lib/index" +# }, +# "dependencies":{ +# "@microsoft/azure-data-factory-utilities":"^0.1.5" +# } +# } + +name: Data Factory CI + +on: + pull_request: + branches: [ $default-branch, $protected-branches ] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Code checkout + uses: actions/checkout@v2 + + - name: Validate + uses: Azure/data-factory-validate-action@v1.1.3 + # with: + # path: # replace by the folder that contains the Data Factory resources and the package.json + + # Generate the ARM template into the destination folder, which is the same as selecting "Publish" from the UX. + # The ARM template generated isn't published to the live version of the factory. + - name: Export ARM Template + id: export + uses: Azure/data-factory-export-action@v1.1.0 + # with: + # path: # replace by the folder that contains the Data Factory resources and the package.json + + - name: Publish artifact + uses: actions/upload-artifact@v2 + with: + name: Data Factory package + path: ${{ steps.export.outputs.arm-template-directory }} + if-no-files-found: error diff --git a/ci/properties/azure-data-factory.properties.json b/ci/properties/azure-data-factory.properties.json new file mode 100644 index 0000000..f1e7f5b --- /dev/null +++ b/ci/properties/azure-data-factory.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Azure Data Factory", + "creator": "Microsoft Azure", + "description": "Build and validate Azure Data Factory resources", + "iconName": "azure-data-factory", + "categories": ["Continuous integration", "Azure Data Factory"] +} diff --git a/icons/azure-data-factory.svg b/icons/azure-data-factory.svg new file mode 100644 index 0000000..2237336 --- /dev/null +++ b/icons/azure-data-factory.svg @@ -0,0 +1 @@ +Icon-databases-126 \ No newline at end of file From 8c91a4c02f685e9ef8bf91b40cc51016d7b7e090 Mon Sep 17 00:00:00 2001 From: Sheldon Warkentin Date: Wed, 29 Sep 2021 13:45:57 -0600 Subject: [PATCH 13/19] Remoev mention of trial for Mayhem for API A free plan is now in place with a professional trial that may be opted into afterward. --- code-scanning/mayhem-for-api.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml index 0aab0b4..59d66a0 100644 --- a/code-scanning/mayhem-for-api.yml +++ b/code-scanning/mayhem-for-api.yml @@ -10,7 +10,7 @@ # To use this workflow, you will need to: # # 1. Create a Mayhem for API account at -# https://mayhem4api.forallsecure.com/signup (30-day free trial) +# https://mayhem4api.forallsecure.com/signup # # 2. Create a service account token `mapi organization service-account create # ` From 6b053712bee09ee0862f8768f1810139cc3a95c4 Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Thu, 30 Sep 2021 07:31:43 +0530 Subject: [PATCH 14/19] Added dockerfile to relevant CD template categories. (#1136) * Added Dockerfile to Category for relevant CD templates. * Update terraform.properties.json --- deployments/properties/alibabacloud.properties.json | 2 +- deployments/properties/google.properties.json | 2 +- deployments/properties/ibm.properties.json | 2 +- deployments/properties/tencent.properties.json | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/deployments/properties/alibabacloud.properties.json b/deployments/properties/alibabacloud.properties.json index 1ce285f..d416d88 100644 --- a/deployments/properties/alibabacloud.properties.json +++ b/deployments/properties/alibabacloud.properties.json @@ -3,5 +3,5 @@ "description": "Deploy a container to Alibaba Cloud Container Service for Kubernetes (ACK).", "creator": "Alibaba Cloud", "iconName": "alibabacloud", - "categories": ["Deployment"] + "categories": ["Deployment", "Dockerfile"] } diff --git a/deployments/properties/google.properties.json b/deployments/properties/google.properties.json index c7f216f..6318106 100644 --- a/deployments/properties/google.properties.json +++ b/deployments/properties/google.properties.json @@ -3,5 +3,5 @@ "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", "creator": "Google Cloud", "iconName": "googlegke", - "categories": ["Deployment"] + "categories": ["Deployment", "Dockerfile"] } \ No newline at end of file diff --git a/deployments/properties/ibm.properties.json b/deployments/properties/ibm.properties.json index 4219690..8e5b047 100644 --- a/deployments/properties/ibm.properties.json +++ b/deployments/properties/ibm.properties.json @@ -3,5 +3,5 @@ "description": "Build a docker container, publish it to IBM Cloud Container Registry, and deploy to IBM Cloud Kubernetes Service.", "creator": "IBM", "iconName": "ibm", - "categories": ["Deployment"] + "categories": ["Deployment", "Dockerfile"] } \ No newline at end of file diff --git a/deployments/properties/tencent.properties.json b/deployments/properties/tencent.properties.json index 32d0da7..df18356 100644 --- a/deployments/properties/tencent.properties.json +++ b/deployments/properties/tencent.properties.json @@ -3,5 +3,5 @@ "description": "This workflow will build a docker container, publish and deploy it to Tencent Kubernetes Engine (TKE).", "creator": "Tencent Cloud", "iconName": "tencentcloud", - "categories": ["Deployment"] + "categories": ["Deployment", "Dockerfile"] } \ No newline at end of file From 02d91c6ccfbd5c7bfe25e397dfe80882a725b364 Mon Sep 17 00:00:00 2001 From: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Date: Thu, 30 Sep 2021 10:19:20 +0530 Subject: [PATCH 15/19] checking for allowed category in validate-data script (#1131) * checking for allowed category * Update index.ts --- ci/properties/super-linter.properties.json | 2 +- script/validate-data/index.ts | 13 ++++++++----- script/validate-data/settings.json | 6 ++++++ 3 files changed, 15 insertions(+), 6 deletions(-) diff --git a/ci/properties/super-linter.properties.json b/ci/properties/super-linter.properties.json index e070300..0be52e1 100644 --- a/ci/properties/super-linter.properties.json +++ b/ci/properties/super-linter.properties.json @@ -2,5 +2,5 @@ "name": "Super Linter - Run Linters for several languages", "description": "Run linters for several languages on your code base for changed files", "iconName": "octicon check-circle", - "categories": ["code-quality", "code-review"] + "categories": ["Continuous integration", "code-quality", "code-review"] } diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 84518d7..7dce3d1 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -40,7 +40,7 @@ const propertiesSchema = { } } -async function checkWorkflows(folders: string[]): Promise { +async function checkWorkflows(folders: string[], allowed_categories: string[]): Promise { const result: WorkflowWithErrors[] = [] const workflow_template_names = new Set() for (const folder of folders) { @@ -55,7 +55,7 @@ async function checkWorkflows(folders: string[]): Promise const workflowFilePath = join(folder, e.name); const propertiesFilePath = join(folder, "properties", `${fileType}.properties.json`) - const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath); + const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, allowed_categories); if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) { workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) } @@ -69,13 +69,12 @@ async function checkWorkflows(folders: string[]): Promise return result; } -async function checkWorkflow(workflowPath: string, propertiesPath: string): Promise { +async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: string[]): Promise { let workflowErrors: WorkflowWithErrors = { id: workflowPath, name: null, errors: [] } - try { const workflowFileContent = await fs.readFile(workflowPath, "utf8"); safeLoad(workflowFileContent); // Validate yaml parses without error @@ -105,6 +104,10 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string): Prom } } + if (!workflowPath.endsWith("blank.yml") && (!properties.categories || + !properties.categories.some(category => allowed_categories.some(ac => ac.toLowerCase() == category.toLowerCase())))) { + workflowErrors.errors.push(`Workflow does not contain at least one allowed category - ${allowed_categories}`) + } } catch (e) { workflowErrors.errors.push(e.toString()) } @@ -115,7 +118,7 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string): Prom try { const settings = require("./settings.json"); const erroredWorkflows = await checkWorkflows( - settings.folders + settings.folders, settings.allowed_categories ) if (erroredWorkflows.length > 0) { diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index 01092cc..ce89e36 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json @@ -4,5 +4,11 @@ "../../automation", "../../deployments", "../../code-scanning" + ], + "allowed_categories" : [ + "Continuous integration", + "Deployment", + "Code Scanning", + "Automation" ] } \ No newline at end of file From 7b9e3b68582d04b65cb955fb75c48342450b7f3b Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Fri, 1 Oct 2021 18:50:08 +0530 Subject: [PATCH 16/19] Revert "Azure Data Factory CI starter workflow (#1111)" (#1146) This reverts commit 7f30309ccedb0e3dee186e0ee58c232752a78e24. --- ci/azure-data-factory.yml | 47 ------------------- .../azure-data-factory.properties.json | 7 --- icons/azure-data-factory.svg | 1 - 3 files changed, 55 deletions(-) delete mode 100644 ci/azure-data-factory.yml delete mode 100644 ci/properties/azure-data-factory.properties.json delete mode 100644 icons/azure-data-factory.svg diff --git a/ci/azure-data-factory.yml b/ci/azure-data-factory.yml deleted file mode 100644 index 776e250..0000000 --- a/ci/azure-data-factory.yml +++ /dev/null @@ -1,47 +0,0 @@ -# Sample workflow to validate Azure Data Factory resources and export its ARM template as an artifact -# Note: Ensure you have the following package.json in the same directory of your ADF resources - -# { -# "scripts":{ -# "build":"node node_modules/@microsoft/azure-data-factory-utilities/lib/index" -# }, -# "dependencies":{ -# "@microsoft/azure-data-factory-utilities":"^0.1.5" -# } -# } - -name: Data Factory CI - -on: - pull_request: - branches: [ $default-branch, $protected-branches ] - - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - steps: - - name: Code checkout - uses: actions/checkout@v2 - - - name: Validate - uses: Azure/data-factory-validate-action@v1.1.3 - # with: - # path: # replace by the folder that contains the Data Factory resources and the package.json - - # Generate the ARM template into the destination folder, which is the same as selecting "Publish" from the UX. - # The ARM template generated isn't published to the live version of the factory. - - name: Export ARM Template - id: export - uses: Azure/data-factory-export-action@v1.1.0 - # with: - # path: # replace by the folder that contains the Data Factory resources and the package.json - - - name: Publish artifact - uses: actions/upload-artifact@v2 - with: - name: Data Factory package - path: ${{ steps.export.outputs.arm-template-directory }} - if-no-files-found: error diff --git a/ci/properties/azure-data-factory.properties.json b/ci/properties/azure-data-factory.properties.json deleted file mode 100644 index f1e7f5b..0000000 --- a/ci/properties/azure-data-factory.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Azure Data Factory", - "creator": "Microsoft Azure", - "description": "Build and validate Azure Data Factory resources", - "iconName": "azure-data-factory", - "categories": ["Continuous integration", "Azure Data Factory"] -} diff --git a/icons/azure-data-factory.svg b/icons/azure-data-factory.svg deleted file mode 100644 index 2237336..0000000 --- a/icons/azure-data-factory.svg +++ /dev/null @@ -1 +0,0 @@ -Icon-databases-126 \ No newline at end of file From 596b345944af4fbcae1bdcfaca339abd10bd82ed Mon Sep 17 00:00:00 2001 From: Sarah Edwards Date: Fri, 1 Oct 2021 12:07:03 -0700 Subject: [PATCH 17/19] use env variables for user-set values (#1117) Co-authored-by: Josh Gross --- deployments/aws.yml | 34 ++++++++++++++++++++++------------ 1 file changed, 22 insertions(+), 12 deletions(-) diff --git a/deployments/aws.yml b/deployments/aws.yml index 8b10116..6a6643c 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -5,29 +5,40 @@ # # 1. Create an ECR repository to store your images. # For example: `aws ecr create-repository --repository-name my-ecr-repo --region us-east-2`. -# Replace the value of `ECR_REPOSITORY` in the workflow below with your repository's name. -# Replace the value of `aws-region` in the workflow below with your repository's region. +# Replace the value of the `ECR_REPOSITORY` environment variable in the workflow below with your repository's name. +# Replace the value of the `AWS_REGION` environment variable in the workflow below with your repository's region. # # 2. Create an ECS task definition, an ECS cluster, and an ECS service. # For example, follow the Getting Started guide on the ECS console: # https://us-east-2.console.aws.amazon.com/ecs/home?region=us-east-2#/firstRun -# Replace the values for `service` and `cluster` in the workflow below with your service and cluster names. +# Replace the value of the `ECS_SERVICE` environment variable in the workflow below with the name you set for the Amazon ECS service. +# Replace the value of the `ECS_CLUSTER` environment variable in the workflow below with the name you set for the cluster. # # 3. Store your ECS task definition as a JSON file in your repository. # The format should follow the output of `aws ecs register-task-definition --generate-cli-skeleton`. -# Replace the value of `task-definition` in the workflow below with your JSON file's name. -# Replace the value of `container-name` in the workflow below with the name of the container +# Replace the value of the `ECS_TASK_DEFINITION` environment variable in the workflow below with the path to the JSON file. +# Replace the value of the `CONTAINER_NAME` environment variable in the workflow below with the name of the container # in the `containerDefinitions` section of the task definition. # # 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. # See the documentation for each action used below for the recommended IAM policies for this IAM user, # and best practices on handling the access key credentials. +name: Deploy to Amazon ECS + on: release: types: [created] -name: Deploy to Amazon ECS +env: + AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1 + ECR_REPOSITORY: MY_ECR_REPOSITORY # set this to your Amazon ECR repository name + ECS_SERVICE: MY_ECS_SERVICE # set this to your Amazon ECS service name + ECS_CLUSTER: MY_ECS_CLUSTER # set this to your Amazon ECS cluster name + ECS_TASK_DEFINITION: MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition + # file, e.g. .aws/task-definition.json + CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the + # containerDefinitions section of your task definition jobs: deploy: @@ -44,7 +55,7 @@ jobs: with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: us-east-2 + aws-region: ${{ env.AWS_REGION }} - name: Login to Amazon ECR id: login-ecr @@ -54,7 +65,6 @@ jobs: id: build-image env: ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} - ECR_REPOSITORY: my-ecr-repo IMAGE_TAG: ${{ github.sha }} run: | # Build a docker container and @@ -68,14 +78,14 @@ jobs: id: task-def uses: aws-actions/amazon-ecs-render-task-definition@v1 with: - task-definition: task-definition.json - container-name: sample-app + task-definition: ${{ env.ECS_TASK_DEFINITION }} + container-name: ${{ env.CONTAINER_NAME }} image: ${{ steps.build-image.outputs.image }} - name: Deploy Amazon ECS task definition uses: aws-actions/amazon-ecs-deploy-task-definition@v1 with: task-definition: ${{ steps.task-def.outputs.task-definition }} - service: sample-app-service - cluster: default + service: ${{ env.ECS_SERVICE }} + cluster: ${{ env.ECS_CLUSTER }} wait-for-service-stability: true From c705225b8f52e676371b168efc00b6f60347c22d Mon Sep 17 00:00:00 2001 From: Yoni Leitersdorf Date: Mon, 4 Oct 2021 09:48:47 -0700 Subject: [PATCH 18/19] Apply suggestions from nickfyson's code review Co-authored-by: Nick Fyson --- code-scanning/cloudrail.yml | 2 +- code-scanning/properties/cloudrail.properties.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml index 474b97a..9f95c5c 100644 --- a/code-scanning/cloudrail.yml +++ b/code-scanning/cloudrail.yml @@ -43,7 +43,7 @@ jobs: - run: stat plan.out - name: Run Cloudrail - uses: indeni/cloudrail-run-ga@v1.3 + uses: indeni/cloudrail-run-ga@b56ed2d30913c975b36df231adc2eabf05523622 with: tf-plan-file: plan.out # This was created in a "terraform plan" step cloudrail-api-key: ${{ secrets.CLOUDRAIL_API_KEY }} # This requires registration to Indeni Cloudrail's SaaS at https://web.cloudrail.app diff --git a/code-scanning/properties/cloudrail.properties.json b/code-scanning/properties/cloudrail.properties.json index 36181c2..830d966 100644 --- a/code-scanning/properties/cloudrail.properties.json +++ b/code-scanning/properties/cloudrail.properties.json @@ -1,7 +1,7 @@ { "name": "cloudrail", "creator": "Indeni Cloudrail", - "description": "Cloudrail, by Indeni, can be used to scan your infrastructure-as-code files for potential security and compliance issues. The Cloudrail action is often used as part of both CI workflows (on pull_request) and on CD workflows to identify potential issues. Cloudrail's output uses the SARIF format, which will surface the scan's results directly inside your pull request.", + "description": "Cloudrail can be used to scan your infrastructure-as-code files for potential security and compliance issues. The Cloudrail action is often used as part of both CI workflows (on pull_request) and on CD workflows to identify potential issues.", "iconName": "cloudrail", "categories": ["Code Scanning", "HCL"] } From 85d2a866f0a645ca63143b55efeabd510673b5d4 Mon Sep 17 00:00:00 2001 From: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Date: Tue, 5 Oct 2021 11:22:46 +0530 Subject: [PATCH 19/19] removing "deployment" templates from sync-ghes (#1127) --- script/sync-ghes/settings.json | 1 - 1 file changed, 1 deletion(-) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index e4f50fa..9648ab4 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -2,7 +2,6 @@ "folders": [ "../../ci", "../../automation", - "../../deployments", "../../code-scanning" ], "enabledActions": [