diff --git a/.github/auto_assign.yml b/.github/auto_assign.yml
new file mode 100644
index 0000000..696b4f8
--- /dev/null
+++ b/.github/auto_assign.yml
@@ -0,0 +1,17 @@
+# Set to true to add reviewers to pull requests
+addReviewers: true
+
+# Set to true to add assignees to pull requests
+addAssignees: false
+
+# A list of reviewers to be added to pull requests (GitHub user name)
+reviewers:
+ - phantsure
+ - anuragc617
+ - tiwarishub
+ - vsvipul
+ - bishal-pdmsft
+
+# A number of reviewers added to the pull request
+# Set 0 to add all the reviewers (default: 0)
+numberOfReviewers: 1
diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml
new file mode 100644
index 0000000..b8406e9
--- /dev/null
+++ b/.github/workflows/auto-assign-issues.yml
@@ -0,0 +1,15 @@
+name: Issue assignment
+
+on:
+ issues:
+ types: [opened]
+
+jobs:
+ auto-assign:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Auto-assign issue'
+ uses: pozil/auto-assign-issue@v1.4.0
+ with:
+ assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft
+ numOfAssignee: 1
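Review bot: The `auto-assign` job declares no `permissions:` block, so the step runs with whatever default GITHUB_TOKEN scope the repository grants, while the hadolint workflow added in this same commit scopes its token explicitly. Setting assignees only needs `permissions:` / `  issues: write` at the job level; adding that keeps the token away from contents, packages and other scopes if the action or one of its dependencies misbehaves. Likewise `pozil/auto-assign-issue@v1.4.0` is a mutable tag, so the code that runs here can change without a diff in this repository; pin it to the commit the tag resolves to and keep the tag in a trailing comment, as `hadolint/hadolint-action@<sha>` is pinned in this commit.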
diff --git a/.github/workflows/auto-assign.yml b/.github/workflows/auto-assign.yml
new file mode 100644
index 0000000..4dcc612
--- /dev/null
+++ b/.github/workflows/auto-assign.yml
@@ -0,0 +1,10 @@
+name: 'Auto Assign'
+on:
+ pull_request:
+ types: [opened, ready_for_review]
+
+jobs:
+ add-reviews:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: kentaro-m/auto-assign-action@v1.2.1
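Review bot: The `add-reviews` job runs with the repository's default GITHUB_TOKEN scope because it has no `permissions:` block; it only needs to request reviewers, so declare `permissions:` / `  pull-requests: write` on the job and nothing else. `kentaro-m/auto-assign-action@v1.2.1` is a floating tag rather than a commit SHA, which is the pattern the hadolint workflow in this commit already avoids; pin it the same way and record the tag in a trailing comment. Note also that on `pull_request` events from a fork the token is read-only, so if this repository takes fork PRs the action would presumably fail to add reviewers there; confirm whether that is acceptable before relying on it.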
diff --git a/.github/workflows/sync_ghes.yaml b/.github/workflows/sync-ghes.yaml
similarity index 100%
rename from .github/workflows/sync_ghes.yaml
rename to .github/workflows/sync-ghes.yaml
diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml
index a9fd4b3..2f68e66 100644
--- a/ci/docker-publish.yml
+++ b/ci/docker-publish.yml
@@ -90,4 +90,4 @@ jobs:
COSIGN_EXPERIMENTAL: "true"
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
- run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
+ run: cosign sign ${{ steps.meta.outputs.tags }}@${{ steps.build-and-push.outputs.digest }}
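Review bot: The new `run:` line appends `@digest` to the raw value of `steps.meta.outputs.tags`, which (if that step is docker/metadata-action, as the name suggests — the producing step is outside this hunk) is a newline-separated list when more than one tag is generated; the expression is expanded into the shell script, so only the last tag gets the digest suffix and every earlier line becomes a separate command signing a tag-resolved reference instead of the image just pushed. Expanding workflow expressions directly into `run:` also puts ref-derived text straight into the script; passing both values through `env:` and iterating over the tags signs each one pinned to the digest and avoids that. The step's `name`/`if` lines begin before this hunk.

```yaml
        env:
          COSIGN_EXPERIMENTAL: "true"
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        run: echo "${TAGS}" | xargs -I {} cosign sign {}@${DIGEST}
```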
diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml
index 170b3f6..00a78c7 100644
--- a/ci/dotnet-desktop.yml
+++ b/ci/dotnet-desktop.yml
@@ -105,7 +105,7 @@ jobs:
# Remove the pfx
- name: Remove the pfx
- run: Remove-Item -path $env:Wap_Project_Directory\$env:Signing_Certificate
+ run: Remove-Item -path $env:Wap_Project_Directory\GitHubActionsWorkflow.pfx
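Review bot: The "Remove the pfx" step only runs when every preceding step succeeds, so a failed build or package step leaves the decoded signing certificate on the runner's filesystem; on a self-hosted runner that persists past the job. Add `if: ${{ always() }}` to the step so the private key is removed regardless of the outcome of the earlier steps. The hard-coded `GitHubActionsWorkflow.pfx` name presumably has to match the path used by the step that decodes the certificate (outside this hunk); a comment pointing at that step, or a single `env:` value used by both, would keep the two from drifting apart.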
# Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact
- name: Upload build artifacts
diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml
index 0e57f4b..a113b59 100644
--- a/code-scanning/codeql.yml
+++ b/code-scanning/codeql.yml
@@ -48,8 +48,11 @@ jobs:
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
- # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+ # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
@@ -58,13 +61,12 @@ jobs:
# âšī¸ Command-line programs to run using the OS shell.
# đ See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
- # âī¸ If the Autobuild fails above, remove it and uncomment the following three lines
- # and modify them (or add more) to build your code if your project
- # uses a compiled language
+ # If the Autobuild fails above, remove it and uncomment the following three lines.
+ # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
- #- run: |
- # make bootstrap
- # make release
+ # - run: |
+ # echo "Run, Build Application using script"
+ # ./location_of_script_within_repo/buildscript.sh
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
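Review bot: The rewritten comment at "modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance." is a sentence fragment — the "if your project" clause was cut off when the old text was reworded. Suggested wording for the two lines: `# If the Autobuild fails above, remove it and uncomment the following three lines,` / `# then modify them (or add more) to build your code. See the EXAMPLE below for guidance.`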
diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml
new file mode 100644
index 0000000..2f554e4
--- /dev/null
+++ b/code-scanning/hadolint.yml
@@ -0,0 +1,47 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# hadoint is a Dockerfile linter written in Haskell
+# that helps you build best practice Docker images.
+# More details at https://github.com/hadolint/hadolint
+
+name: Hadolint
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ hadolint:
+ name: Run hadolint scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Run hadolint
+ uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183
+ with:
+ dockerfile: ./Dockerfile
+ format: sarif
+ output-file: hadolint-results.sarif
+ no-fail: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: hadolint-results.sarif
+ wait-for-processing: true
\ No newline at end of file
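Review bot: The `hadolint/hadolint-action@f988afea…` pin is a bare commit SHA with no trailing `# vX.Y.Z` comment, so a reader cannot tell which release it corresponds to and Dependabot's version-comment convention is not met; add the tag this SHA resolves to as a trailing comment on that line. The header comment reads "hadoint is a Dockerfile linter" and should be "hadolint". With `no-fail: true` a lint finding never fails the job and is only surfaced through the SARIF upload, which matches the other code-scanning starter workflows but is worth stating in a comment on that input. The file also lacks a trailing newline.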
diff --git a/code-scanning/properties/hadolint.properties.json b/code-scanning/properties/hadolint.properties.json
new file mode 100644
index 0000000..b4f7141
--- /dev/null
+++ b/code-scanning/properties/hadolint.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "Haskell Dockerfile Linter",
+ "description": "A smarter Dockerfile linter that helps you build best practice Docker images.",
+ "iconName": "hadolint",
+ "categories": ["Code Scanning", "Dockerfile"]
+}
\ No newline at end of file
diff --git a/icons/hadolint.svg b/icons/hadolint.svg
new file mode 100644
index 0000000..048b86c
--- /dev/null
+++ b/icons/hadolint.svg
@@ -0,0 +1,131 @@
+
+
+
diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts
index 7dce3d1..4bd260d 100755
--- a/script/validate-data/index.ts
+++ b/script/validate-data/index.ts
@@ -1,7 +1,7 @@
#!/usr/bin/env npx ts-node
import { promises as fs } from "fs";
import { safeLoad } from "js-yaml";
-import { basename, extname, join } from "path";
+import { basename, extname, join, dirname } from "path";
import { Validator as validator } from "jsonschema";
import { endGroup, error, info, setFailed, startGroup } from '@actions/core';
@@ -14,6 +14,7 @@ interface WorkflowWithErrors {
interface WorkflowProperties {
name: string;
description: string;
+ creator: string;
iconName: string;
categories: string[];
}
@@ -40,7 +41,7 @@ const propertiesSchema = {
}
}
-async function checkWorkflows(folders: string[], allowed_categories: string[]): Promise {
+async function checkWorkflows(folders: string[], allowed_categories: object[]): Promise {
const result: WorkflowWithErrors[] = []
const workflow_template_names = new Set()
for (const folder of folders) {
@@ -69,7 +70,7 @@ async function checkWorkflows(folders: string[], allowed_categories: string[]):
return result;
}
-async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: string[]): Promise {
+async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: object[]): Promise {
let workflowErrors: WorkflowWithErrors = {
id: workflowPath,
name: null,
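Review bot: Changing `allowed_categories` to `object[]` discards all type information, so every later access is an untyped index and a misspelt key in settings.json would not be caught by the compiler; the shape is fully known from settings.json. Declare it once, e.g. `interface FolderCategories { path: string; categories: string[] }`, and type both `checkWorkflows` and `checkWorkflow` as `allowed_categories: FolderCategories[]`. The body of `checkWorkflow` continues past this hunk.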
@@ -104,9 +105,19 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow
}
}
- if (!workflowPath.endsWith("blank.yml") && (!properties.categories ||
- !properties.categories.some(category => allowed_categories.some(ac => ac.toLowerCase() == category.toLowerCase())))) {
- workflowErrors.errors.push(`Workflow does not contain at least one allowed category - ${allowed_categories}`)
+ var path = dirname(workflowPath)
+ var folder_categories = allowed_categories.find( category => category["path"] == path)["categories"]
+ if (!workflowPath.endsWith("blank.yml")) {
+ if(!properties.categories || properties.categories.length == 0) {
+ workflowErrors.errors.push(`Workflow categories cannot be null or empty`)
+ }
+ else if(!folder_categories.some(category => properties.categories[0].toLowerCase() == category.toLowerCase())) {
+ workflowErrors.errors.push(`The first category in properties.json categories for workflow in ${basename(path)} folder must be one of "${folder_categories}. Either move the workflow to an appropriate directory or change the category."`)
+ }
+ }
+
+ if(basename(path).toLowerCase() == 'deployments' && !properties.creator) {
+ workflowErrors.errors.push(`The "creator" in properties.json must be present.`)
}
} catch (e) {
workflowErrors.errors.push(e.toString())
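Review bot: `allowed_categories.find(category => category["path"] == path)["categories"]` dereferences the result of `find` without checking it, so a workflow placed in a folder with no entry in settings.json throws a TypeError that the surrounding `catch (e)` turns into an opaque "Cannot read property 'categories' of undefined" message rather than a usable validation error. The match is also a plain string comparison between `dirname(workflowPath)` and the `path` values in settings.json, which presumably only works while the folder paths are built exactly as listed there (the caller is outside this hunk). Check the lookup explicitly, use `const` rather than `var`, and the misplaced closing quote in the "must be one of" message should sit after `${folder_categories}` rather than after the final sentence. `checkWorkflow` starts and ends outside this hunk.

```typescript
const path = dirname(workflowPath)
const folder_config = allowed_categories.find(category => category["path"] == path)
if (!folder_config) {
  throw new Error(`No allowed_categories entry in settings.json for folder ${path}`)
}
const folder_categories: string[] = folder_config["categories"]
// … unchanged: blank.yml / categories / creator checks …
```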
diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json
index ef8ee60..852f575 100644
--- a/script/validate-data/settings.json
+++ b/script/validate-data/settings.json
@@ -5,11 +5,22 @@
"../../deployments",
"../../code-scanning"
],
- "allowed_categories" : [
- "Continuous integration",
- "Deployment",
- "Code Scanning",
- "Dependency review",
- "Automation"
+ "allowed_categories": [
+ {
+ "path": "../../ci",
+ "categories": ["Continuous integration"]
+ },
+ {
+ "path": "../../automation",
+ "categories": ["Automation"]
+ },
+ {
+ "path": "../../deployments",
+ "categories": ["Deployment"]
+ },
+ {
+ "path": "../../code-scanning",
+ "categories": ["Code Scanning", "Dependency review"]
+ }
]
}