diff --git a/.github/auto_assign.yml b/.github/auto_assign.yml new file mode 100644 index 0000000..696b4f8 --- /dev/null +++ b/.github/auto_assign.yml @@ -0,0 +1,17 @@ +# Set to true to add reviewers to pull requests +addReviewers: true + +# Set to true to add assignees to pull requests +addAssignees: false + +# A list of reviewers to be added to pull requests (GitHub user name) +reviewers: + - phantsure + - anuragc617 + - tiwarishub + - vsvipul + - bishal-pdmsft + +# A number of reviewers added to the pull request +# Set 0 to add all the reviewers (default: 0) +numberOfReviewers: 1 diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml new file mode 100644 index 0000000..b8406e9 --- /dev/null +++ b/.github/workflows/auto-assign-issues.yml @@ -0,0 +1,15 @@ +name: Issue assignment + +on: + issues: + types: [opened] + +jobs: + auto-assign: + runs-on: ubuntu-latest + steps: + - name: 'Auto-assign issue' + uses: pozil/auto-assign-issue@v1.4.0 + with: + assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft + numOfAssignee: 1 diff --git a/.github/workflows/auto-assign.yml b/.github/workflows/auto-assign.yml new file mode 100644 index 0000000..4dcc612 --- /dev/null +++ b/.github/workflows/auto-assign.yml @@ -0,0 +1,10 @@ +name: 'Auto Assign' +on: + pull_request: + types: [opened, ready_for_review] + +jobs: + add-reviews: + runs-on: ubuntu-latest + steps: + - uses: kentaro-m/auto-assign-action@v1.2.1 diff --git a/.github/workflows/sync_ghes.yaml b/.github/workflows/sync-ghes.yaml similarity index 100% rename from .github/workflows/sync_ghes.yaml rename to .github/workflows/sync-ghes.yaml diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index a9fd4b3..2f68e66 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -90,4 +90,4 @@ jobs: COSIGN_EXPERIMENTAL: "true" # This step uses the identity token to provision an ephemeral certificate # against the sigstore community Fulcio instance. - run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }} + run: cosign sign ${{ steps.meta.outputs.tags }}@${{ steps.build-and-push.outputs.digest }} diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index 170b3f6..00a78c7 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -105,7 +105,7 @@ jobs: # Remove the pfx - name: Remove the pfx - run: Remove-Item -path $env:Wap_Project_Directory\$env:Signing_Certificate + run: Remove-Item -path $env:Wap_Project_Directory\GitHubActionsWorkflow.pfx # Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact - name: Upload build artifacts diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 0e57f4b..a113b59 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -48,8 +48,11 @@ jobs: # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main + + # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild @@ -58,13 +61,12 @@ jobs: # â„šī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - # âœī¸ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - #- run: | - # make bootstrap - # make release + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml new file mode 100644 index 0000000..2f554e4 --- /dev/null +++ b/code-scanning/hadolint.yml @@ -0,0 +1,47 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# hadoint is a Dockerfile linter written in Haskell +# that helps you build best practice Docker images. +# More details at https://github.com/hadolint/hadolint + +name: Hadolint + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + hadolint: + name: Run hadolint scanning + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Run hadolint + uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183 + with: + dockerfile: ./Dockerfile + format: sarif + output-file: hadolint-results.sarif + no-fail: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: hadolint-results.sarif + wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/properties/hadolint.properties.json b/code-scanning/properties/hadolint.properties.json new file mode 100644 index 0000000..b4f7141 --- /dev/null +++ b/code-scanning/properties/hadolint.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Haskell Dockerfile Linter", + "description": "A smarter Dockerfile linter that helps you build best practice Docker images.", + "iconName": "hadolint", + "categories": ["Code Scanning", "Dockerfile"] +} \ No newline at end of file diff --git a/icons/hadolint.svg b/icons/hadolint.svg new file mode 100644 index 0000000..048b86c --- /dev/null +++ b/icons/hadolint.svg @@ -0,0 +1,131 @@ + + + + diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 7dce3d1..4bd260d 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -1,7 +1,7 @@ #!/usr/bin/env npx ts-node import { promises as fs } from "fs"; import { safeLoad } from "js-yaml"; -import { basename, extname, join } from "path"; +import { basename, extname, join, dirname } from "path"; import { Validator as validator } from "jsonschema"; import { endGroup, error, info, setFailed, startGroup } from '@actions/core'; @@ -14,6 +14,7 @@ interface WorkflowWithErrors { interface WorkflowProperties { name: string; description: string; + creator: string; iconName: string; categories: string[]; } @@ -40,7 +41,7 @@ const propertiesSchema = { } } -async function checkWorkflows(folders: string[], allowed_categories: string[]): Promise { +async function checkWorkflows(folders: string[], allowed_categories: object[]): Promise { const result: WorkflowWithErrors[] = [] const workflow_template_names = new Set() for (const folder of folders) { @@ -69,7 +70,7 @@ async function checkWorkflows(folders: string[], allowed_categories: string[]): return result; } -async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: string[]): Promise { +async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: object[]): Promise { let workflowErrors: WorkflowWithErrors = { id: workflowPath, name: null, @@ -104,9 +105,19 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow } } - if (!workflowPath.endsWith("blank.yml") && (!properties.categories || - !properties.categories.some(category => allowed_categories.some(ac => ac.toLowerCase() == category.toLowerCase())))) { - workflowErrors.errors.push(`Workflow does not contain at least one allowed category - ${allowed_categories}`) + var path = dirname(workflowPath) + var folder_categories = allowed_categories.find( category => category["path"] == path)["categories"] + if (!workflowPath.endsWith("blank.yml")) { + if(!properties.categories || properties.categories.length == 0) { + workflowErrors.errors.push(`Workflow categories cannot be null or empty`) + } + else if(!folder_categories.some(category => properties.categories[0].toLowerCase() == category.toLowerCase())) { + workflowErrors.errors.push(`The first category in properties.json categories for workflow in ${basename(path)} folder must be one of "${folder_categories}. Either move the workflow to an appropriate directory or change the category."`) + } + } + + if(basename(path).toLowerCase() == 'deployments' && !properties.creator) { + workflowErrors.errors.push(`The "creator" in properties.json must be present.`) } } catch (e) { workflowErrors.errors.push(e.toString()) diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index ef8ee60..852f575 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json @@ -5,11 +5,22 @@ "../../deployments", "../../code-scanning" ], - "allowed_categories" : [ - "Continuous integration", - "Deployment", - "Code Scanning", - "Dependency review", - "Automation" + "allowed_categories": [ + { + "path": "../../ci", + "categories": ["Continuous integration"] + }, + { + "path": "../../automation", + "categories": ["Automation"] + }, + { + "path": "../../deployments", + "categories": ["Deployment"] + }, + { + "path": "../../code-scanning", + "categories": ["Code Scanning", "Dependency review"] + } ] }