diff --git a/.github/workflows/labeler-triage.yml b/.github/workflows/labeler-triage.yml index eba05f0..99fdbc5 100644 --- a/.github/workflows/labeler-triage.yml +++ b/.github/workflows/labeler-triage.yml @@ -11,6 +11,6 @@ jobs: triage: runs-on: ubuntu-latest steps: - - uses: actions/labeler@v3 + - uses: actions/labeler@v4 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" \ No newline at end of file diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 217078a..c319ce1 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/stale@v3 + - uses: actions/stale@v5 with: stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.' stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.' diff --git a/.github/workflows/sync_ghes.yaml b/.github/workflows/sync_ghes.yaml index 946218f..fb9c623 100644 --- a/.github/workflows/sync_ghes.yaml +++ b/.github/workflows/sync_ghes.yaml @@ -11,12 +11,12 @@ jobs: contents: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - run: | git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/* git config user.email "cschleiden@github.com" git config user.name "GitHub Actions" - - uses: actions/setup-node@v2 + - uses: actions/setup-node@v3 with: node-version: '12' - name: Check starter workflows for GHES compat diff --git a/.github/workflows/validate-data.yaml b/.github/workflows/validate-data.yaml index 7d5c1ee..d2ac9a5 100644 --- a/.github/workflows/validate-data.yaml +++ b/.github/workflows/validate-data.yaml @@ -10,9 +10,9 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - - uses: actions/setup-node@v2 + - uses: actions/setup-node@v3 with: node-version: "12" diff --git a/automation/label.yml b/automation/label.yml index 5cdc45e..a8a1bd7 100644 --- a/automation/label.yml +++ b/automation/label.yml @@ -17,6 +17,6 @@ jobs: pull-requests: write steps: - - uses: actions/labeler@v2 + - uses: actions/labeler@v4 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/automation/stale.yml b/automation/stale.yml index ff88dc0..1322eaf 100644 --- a/automation/stale.yml +++ b/automation/stale.yml @@ -18,7 +18,7 @@ jobs: pull-requests: write steps: - - uses: actions/stale@v3 + - uses: actions/stale@v5 with: repo-token: ${{ secrets.GITHUB_TOKEN }} stale-issue-message: 'Stale issue message' diff --git a/ci/ada.yml b/ci/ada.yml index a27902a..7e94b38 100644 --- a/ci/ada.yml +++ b/ci/ada.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Set up GNAT toolchain run: > diff --git a/ci/android.yml b/ci/android.yml index f289bd5..221fca5 100644 --- a/ci/android.yml +++ b/ci/android.yml @@ -12,9 +12,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/ci/ant.yml b/ci/ant.yml index 0205d40..1614664 100644 --- a/ci/ant.yml +++ b/ci/ant.yml @@ -15,9 +15,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/ci/blank.yml b/ci/blank.yml index 895e5d1..607e2cf 100644 --- a/ci/blank.yml +++ b/ci/blank.yml @@ -23,7 +23,7 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Runs a single command using the runners shell - name: Run a one-line script diff --git a/ci/c-cpp.yml b/ci/c-cpp.yml index 88d1497..14d2eb9 100644 --- a/ci/c-cpp.yml +++ b/ci/c-cpp.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: configure run: ./configure - name: make diff --git a/ci/clojure.yml b/ci/clojure.yml index 098918a..a76631a 100644 --- a/ci/clojure.yml +++ b/ci/clojure.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install dependencies run: lein deps - name: Run tests diff --git a/ci/cmake.yml b/ci/cmake.yml index 6c858b9..6f06f75 100644 --- a/ci/cmake.yml +++ b/ci/cmake.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Configure CMake # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make. diff --git a/ci/crystal.yml b/ci/crystal.yml index 6552afa..18cc825 100644 --- a/ci/crystal.yml +++ b/ci/crystal.yml @@ -15,7 +15,7 @@ jobs: image: crystallang/crystal steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install dependencies run: shards install - name: Run tests diff --git a/ci/d.yml b/ci/d.yml index 6086681..350eeee 100644 --- a/ci/d.yml +++ b/ci/d.yml @@ -10,13 +10,16 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: dlang-community/setup-dlang@4c99aa991ce7d19dd3064de0a4f2f6b2f152e2d7 - name: 'Build & Test' diff --git a/ci/dart.yml b/ci/dart.yml index 7486577..7bf352f 100644 --- a/ci/dart.yml +++ b/ci/dart.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Note: This workflow uses the latest stable version of the Dart SDK. # You can specify other versions if desired, see documentation here: diff --git a/ci/datadog-synthetics.yml b/ci/datadog-synthetics.yml new file mode 100644 index 0000000..7056f87 --- /dev/null +++ b/ci/datadog-synthetics.yml @@ -0,0 +1,38 @@ +# This workflow will trigger Datadog Synthetic tests within your Datadog organisation +# For more information on running Synthetic tests within your GitHub workflows see: https://docs.datadoghq.com/synthetics/cicd_integrations/github_actions/ + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# To get started: + +# 1. Add your Datadog API (DD_API_KEY) and Application Key (DD_APP_KEY) as secrets to your GitHub repository. For more information, see: https://docs.datadoghq.com/account_management/api-app-keys/. +# 2. Start using the action within your workflow + +name: Run Datadog Synthetic tests + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + # Run Synthetic tests within your GitHub workflow. + # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci + - name: Run Datadog Synthetic tests + uses: DataDog/synthetics-ci-github-action@2b56dc0cca9daa14ab69c0d1d6844296de8f941e + with: + api_key: ${{secrets.DD_API_KEY}} + app_key: ${{secrets.DD_APP_KEY}} + test_search_query: 'tag:e2e-tests' #Modify this tag to suit your tagging strategy + + diff --git a/ci/deno.yml b/ci/deno.yml index 25e9e2a..2234bf6 100644 --- a/ci/deno.yml +++ b/ci/deno.yml @@ -14,13 +14,16 @@ on: pull_request: branches: [$default-branch] +permissions: + contents: read + jobs: test: runs-on: ubuntu-latest steps: - name: Setup repo - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Setup Deno # uses: denoland/setup-deno@v1 diff --git a/ci/django.yml b/ci/django.yml index dbde266..79550cc 100644 --- a/ci/django.yml +++ b/ci/django.yml @@ -16,9 +16,9 @@ jobs: python-version: [3.7, 3.8, 3.9] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: ${{ matrix.python-version }} - name: Install Dependencies diff --git a/ci/docker-image.yml b/ci/docker-image.yml index 78532a3..cc9cd6e 100644 --- a/ci/docker-image.yml +++ b/ci/docker-image.yml @@ -13,6 +13,6 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Build the Docker image run: docker build . --file Dockerfile --tag my-image-name:$(date +%s) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 977635a..7b6add3 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -35,7 +35,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index 06ce344..170b3f6 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -63,13 +63,13 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: fetch-depth: 0 # Install the .NET Core workload - name: Install .NET Core - uses: actions/setup-dotnet@v1 + uses: actions/setup-dotnet@v2 with: dotnet-version: 5.0.x diff --git a/ci/dotnet.yml b/ci/dotnet.yml index c31cf68..5974d4a 100644 --- a/ci/dotnet.yml +++ b/ci/dotnet.yml @@ -12,9 +12,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Setup .NET - uses: actions/setup-dotnet@v1 + uses: actions/setup-dotnet@v2 with: dotnet-version: 5.0.x - name: Restore dependencies diff --git a/ci/elixir.yml b/ci/elixir.yml index afe01be..6c76f54 100644 --- a/ci/elixir.yml +++ b/ci/elixir.yml @@ -1,31 +1,34 @@ -name: Elixir CI - -on: - push: - branches: [ $default-branch ] - pull_request: - branches: [ $default-branch ] - -jobs: - build: - - name: Build and test - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - name: Set up Elixir - uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f - with: - elixir-version: '1.12.3' # Define the elixir version [required] - otp-version: '24.1' # Define the OTP version [required] - - name: Restore dependencies cache - uses: actions/cache@v2 - with: - path: deps - key: ${{ runner.os }}-mix-${{ hashFiles('**/mix.lock') }} - restore-keys: ${{ runner.os }}-mix- - - name: Install dependencies - run: mix deps.get - - name: Run tests - run: mix test +name: Elixir CI + +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + +permissions: + contents: read + +jobs: + build: + + name: Build and test + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + - name: Set up Elixir + uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f + with: + elixir-version: '1.12.3' # Define the elixir version [required] + otp-version: '24.1' # Define the OTP version [required] + - name: Restore dependencies cache + uses: actions/cache@v3 + with: + path: deps + key: ${{ runner.os }}-mix-${{ hashFiles('**/mix.lock') }} + restore-keys: ${{ runner.os }}-mix- + - name: Install dependencies + run: mix deps.get + - name: Run tests + run: mix test diff --git a/ci/erlang.yml b/ci/erlang.yml index 25cb893..984b83a 100644 --- a/ci/erlang.yml +++ b/ci/erlang.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: @@ -16,7 +19,7 @@ jobs: image: erlang:22.0.7 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Compile run: rebar3 compile - name: Run tests diff --git a/ci/gem-push.yml b/ci/gem-push.yml index 3dc62be..8905272 100644 --- a/ci/gem-push.yml +++ b/ci/gem-push.yml @@ -15,7 +15,7 @@ jobs: packages: write steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Ruby 2.6 uses: actions/setup-ruby@v1 with: diff --git a/ci/go.yml b/ci/go.yml index afff652..6f498a6 100644 --- a/ci/go.yml +++ b/ci/go.yml @@ -11,10 +11,10 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Go - uses: actions/setup-go@v2 + uses: actions/setup-go@v3 with: go-version: 1.17 diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 9fdc851..9aeb2b8 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -20,9 +20,9 @@ jobs: packages: write steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' @@ -30,14 +30,14 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Build with Gradle - uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 + uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee with: arguments: build # The USERNAME and TOKEN need to correspond to the credentials environment variables used in # the publishing section of your build.gradle - name: Publish to GitHub Packages - uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 + uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee with: arguments: publish env: diff --git a/ci/gradle.yml b/ci/gradle.yml index fc8cf2f..8e0d1e4 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -19,13 +19,13 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' - name: Build with Gradle - uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 + uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee with: arguments: build diff --git a/ci/haskell.yml b/ci/haskell.yml index c1d7dc7..5693f90 100644 --- a/ci/haskell.yml +++ b/ci/haskell.yml @@ -6,20 +6,23 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: actions/setup-haskell@v1 with: ghc-version: '8.10.3' cabal-version: '3.2' - name: Cache - uses: actions/cache@v1 + uses: actions/cache@v3 env: cache-name: cache-cabal with: diff --git a/ci/ios.yml b/ci/ios.yml index ab92d32..5cec5e7 100644 --- a/ci/ios.yml +++ b/ci/ios.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Set Default Scheme run: | scheme_list=$(xcodebuild -list -json | tr -d "\n") diff --git a/ci/jekyll.yml b/ci/jekyll.yml index 71920c1..6a98dea 100644 --- a/ci/jekyll.yml +++ b/ci/jekyll.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Build the site in the jekyll/builder container run: | docker run \ diff --git a/ci/laravel.yml b/ci/laravel.yml index 5f4e6c9..e778d7b 100644 --- a/ci/laravel.yml +++ b/ci/laravel.yml @@ -15,7 +15,7 @@ jobs: - uses: shivammathur/setup-php@15c43e89cdef867065b0213be354c2841860869e with: php-version: '8.0' - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Copy .env run: php -r "file_exists('.env') || copy('.env.example', '.env');" - name: Install Dependencies diff --git a/ci/makefile.yml b/ci/makefile.yml index eafe622..0156944 100644 --- a/ci/makefile.yml +++ b/ci/makefile.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: configure run: ./configure diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml index 319f9a1..dab69fe 100644 --- a/ci/maven-publish.yml +++ b/ci/maven-publish.yml @@ -16,9 +16,9 @@ jobs: packages: write steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/ci/maven.yml b/ci/maven.yml index f301fe0..65e0dff 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -15,9 +15,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/ci/msbuild.yml b/ci/msbuild.yml index e650e2a..3cd8f01 100644 --- a/ci/msbuild.yml +++ b/ci/msbuild.yml @@ -20,7 +20,7 @@ jobs: runs-on: windows-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Add MSBuild to PATH uses: microsoft/setup-msbuild@v1.0.2 diff --git a/ci/node.js.yml b/ci/node.js.yml index 8d1b9c7..87ef0d8 100644 --- a/ci/node.js.yml +++ b/ci/node.js.yml @@ -20,9 +20,9 @@ jobs: # See supported Node.js release schedule at https://nodejs.org/en/about/releases/ steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v2 + uses: actions/setup-node@v3 with: node-version: ${{ matrix.node-version }} cache: 'npm' diff --git a/ci/npm-grunt.yml b/ci/npm-grunt.yml index 8c83cb6..eda97e1 100644 --- a/ci/npm-grunt.yml +++ b/ci/npm-grunt.yml @@ -15,10 +15,10 @@ jobs: node-version: [12.x, 14.x, 16.x] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v1 + uses: actions/setup-node@v3 with: node-version: ${{ matrix.node-version }} diff --git a/ci/npm-gulp.yml b/ci/npm-gulp.yml index cc5da13..504f22e 100644 --- a/ci/npm-gulp.yml +++ b/ci/npm-gulp.yml @@ -15,10 +15,10 @@ jobs: node-version: [12.x, 14.x, 16.x] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v1 + uses: actions/setup-node@v3 with: node-version: ${{ matrix.node-version }} diff --git a/ci/npm-publish-github-packages.yml b/ci/npm-publish-github-packages.yml index 09ff0b3..638ccf8 100644 --- a/ci/npm-publish-github-packages.yml +++ b/ci/npm-publish-github-packages.yml @@ -11,8 +11,8 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 with: node-version: 16 - run: npm ci @@ -25,8 +25,8 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 with: node-version: 16 registry-url: $registry-url(npm) diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index ef8c690..c461c85 100644 --- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml @@ -11,8 +11,8 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 with: node-version: 16 - run: npm ci @@ -22,8 +22,8 @@ jobs: needs: build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 with: node-version: 16 registry-url: https://registry.npmjs.org/ diff --git a/ci/objective-c-xcode.yml b/ci/objective-c-xcode.yml index db009b0..1373878 100644 --- a/ci/objective-c-xcode.yml +++ b/ci/objective-c-xcode.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Set Default Scheme run: | scheme_list=$(xcodebuild -list -json | tr -d "\n") diff --git a/ci/php.yml b/ci/php.yml index 6acfdd1..a3bdfd7 100644 --- a/ci/php.yml +++ b/ci/php.yml @@ -6,20 +6,23 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Validate composer.json and composer.lock run: composer validate --strict - name: Cache Composer packages id: composer-cache - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: vendor key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }} diff --git a/ci/properties/datadog-synthetics.properties.json b/ci/properties/datadog-synthetics.properties.json new file mode 100644 index 0000000..edbb086 --- /dev/null +++ b/ci/properties/datadog-synthetics.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Datadog Synthetics", + "description": "Run Datadog Synthetic tests within your GitHub Actions workflow", + "creator": "Datadog", + "iconName": "datadog", + "categories": ["Continuous integration", "JavaScript", "TypeScript", "Testing"] +} diff --git a/ci/pylint.yml b/ci/pylint.yml index 7b555fe..383e65c 100644 --- a/ci/pylint.yml +++ b/ci/pylint.yml @@ -9,9 +9,9 @@ jobs: matrix: python-version: ["3.8", "3.9", "3.10"] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: ${{ matrix.python-version }} - name: Install dependencies diff --git a/ci/python-app.yml b/ci/python-app.yml index 2cfc2a3..4b7fa5f 100644 --- a/ci/python-app.yml +++ b/ci/python-app.yml @@ -9,15 +9,18 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python 3.10 - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: "3.10" - name: Install dependencies diff --git a/ci/python-package-conda.yml b/ci/python-package-conda.yml index 9bd6d2b..57940bd 100644 --- a/ci/python-package-conda.yml +++ b/ci/python-package-conda.yml @@ -9,9 +9,9 @@ jobs: max-parallel: 5 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python 3.10 - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: 3.10 - name: Add conda to system path diff --git a/ci/python-package.yml b/ci/python-package.yml index b0a63cf..583a366 100644 --- a/ci/python-package.yml +++ b/ci/python-package.yml @@ -19,9 +19,9 @@ jobs: python-version: ["3.8", "3.9", "3.10"] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: ${{ matrix.python-version }} - name: Install dependencies diff --git a/ci/python-publish.yml b/ci/python-publish.yml index 3bfabfc..f55528c 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -18,9 +18,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: '3.x' - name: Install dependencies diff --git a/ci/r.yml b/ci/r.yml index 305c2cf..68f02d7 100644 --- a/ci/r.yml +++ b/ci/r.yml @@ -14,6 +14,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: runs-on: macos-latest @@ -22,7 +25,7 @@ jobs: r-version: ['3.6.3', '4.1.1'] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up R ${{ matrix.r-version }} uses: r-lib/actions/setup-r@f57f1301a053485946083d7a45022b278929a78a with: diff --git a/ci/ruby.yml b/ci/ruby.yml index f6ae1e3..256aa14 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -13,6 +13,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: test: @@ -22,7 +25,7 @@ jobs: ruby-version: ['2.6', '2.7', '3.0'] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Ruby # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, # change this to (see https://github.com/ruby/setup-ruby#versioning): diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index b7b3624..2ad891f 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -27,7 +27,7 @@ jobs: DATABASE_URL: "postgres://rails:password@localhost:5432/rails_test" steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Add or replace dependency steps here - name: Install Ruby and gems uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92 @@ -44,7 +44,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Install Ruby and gems uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92 with: diff --git a/ci/rust.yml b/ci/rust.yml index 6c82c61..d51f1af 100644 --- a/ci/rust.yml +++ b/ci/rust.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Build run: cargo build --verbose - name: Run tests diff --git a/ci/scala.yml b/ci/scala.yml index af6b2ed..c985f74 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -6,15 +6,18 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' diff --git a/ci/super-linter.yml b/ci/super-linter.yml index bebd82d..275b34f 100644 --- a/ci/super-linter.yml +++ b/ci/super-linter.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: # Full git history is needed to get a proper list of changed files within `super-linter` fetch-depth: 0 diff --git a/ci/swift.yml b/ci/swift.yml index df062b5..3668fc0 100644 --- a/ci/swift.yml +++ b/ci/swift.yml @@ -12,7 +12,7 @@ jobs: runs-on: macos-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Build run: swift build -v - name: Run tests diff --git a/ci/symfony.yml b/ci/symfony.yml index 7d1ca74..d1ac71a 100644 --- a/ci/symfony.yml +++ b/ci/symfony.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: symfony-tests: runs-on: ubuntu-latest @@ -16,12 +19,12 @@ jobs: - uses: shivammathur/setup-php@2cb9b829437ee246e9b3cac53555a39208ca6d28 with: php-version: '8.0' - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Copy .env.test.local run: php -r "file_exists('.env.test.local') || copy('.env.test', '.env.test.local');" - name: Cache Composer packages id: composer-cache - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: vendor key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }} diff --git a/ci/webpack.yml b/ci/webpack.yml index 8edb34f..6449fe7 100644 --- a/ci/webpack.yml +++ b/ci/webpack.yml @@ -15,10 +15,10 @@ jobs: node-version: [12.x, 14.x, 16.x] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v1 + uses: actions/setup-node@v3 with: node-version: ${{ matrix.node-version }} diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index fcca708..6f52d5d 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -31,7 +31,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Build the Docker image run: docker build . --file Dockerfile --tag localbuild/testimage:latest - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled @@ -40,6 +40,6 @@ jobs: image: "localbuild/testimage:latest" acs-report-enable: true - name: Upload Anchore Scan Report - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 4737d06..5a9b751 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -64,6 +64,6 @@ jobs: # The name of the sarif format result file The file is written only if this property is provided. sarif-result-file: "apisec-results.sarif" - name: Import results - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ./apisec-results.sarif diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index d0b25ac..155208f 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -30,7 +30,7 @@ jobs: steps: # Checkout the repository to the GitHub Actions runner - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Customize the ruby version depending on your needs - name: Setup Ruby @@ -52,6 +52,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: output.sarif.json diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index d012bce..297cae0 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -34,7 +34,7 @@ jobs: # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs - name: Checkmarx CxFlow Action uses: checkmarx-ts/checkmarx-cxflow-github-action@9975af7d6b957abec9ee9646effa3fb3b82c5314 @@ -49,6 +49,6 @@ jobs: params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: cx.sarif diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml new file mode 100644 index 0000000..4150cbb --- /dev/null +++ b/code-scanning/clj-holmes.yml @@ -0,0 +1,43 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: clj-holmes + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + clj-holmes: + name: Run clj-holmes scanning + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Scan code + uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb + with: + rules-repository: 'git://org/private-rules-repo#main' + output-type: 'sarif' + output-file: 'clj-holmes-results.sarif' + fail-on-result: 'false' + + - name: Upload analysis results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ${{github.workspace}}/clj-holmes-results.sarif + ait-for-processing: true \ No newline at end of file diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml index 00e270a..4a0cd73 100644 --- a/code-scanning/cloudrail.yml +++ b/code-scanning/cloudrail.yml @@ -24,7 +24,7 @@ jobs: steps: - name: Clone repo - uses: actions/checkout@v2 + uses: actions/checkout@v3 # For Terraform, Cloudrail requires the plan as input. So we generate it using # the Terraform core binary. @@ -50,7 +50,7 @@ jobs: cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 # Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always() # is needed to ensure the SARIF file is uploaded if: always() diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index 4892930..b74e449 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -35,7 +35,7 @@ jobs: steps: # Checkout the repository to the GitHub Actions runner - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis - name: Run Codacy Analysis CLI @@ -55,6 +55,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 57b4b69..37109ab 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -38,11 +38,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@v2 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -53,7 +53,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v1 + uses: github/codeql-action/autobuild@v2 # â„šī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -67,4 +67,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + uses: github/codeql-action/analyze@v2 diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index 5886843..3b24d9f 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -22,9 +22,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Cache files - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: | ~/.sonar @@ -37,6 +37,6 @@ jobs: organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }} projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: codescan.sarif diff --git a/code-scanning/crunch42.yml b/code-scanning/crunch42.yml index e8e2447..07cd73a 100644 --- a/code-scanning/crunch42.yml +++ b/code-scanning/crunch42.yml @@ -43,7 +43,7 @@ jobs: security-events: write # for 42Crunch/api-security-audit-action to upload results to Github Code Scanning runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: 42Crunch REST API Static Security Testing uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1 diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index a8610c3..0c65813 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml @@ -45,7 +45,7 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Gets the download URL associated with the $DETEKT_RELEASE_TAG - name: Get Detekt download URL @@ -111,7 +111,7 @@ jobs: )" > ${{ github.workspace }}/detekt.sarif.json # Uploads results to GitHub repository using the upload-sarif action - - uses: github/codeql-action/upload-sarif@v1 + - uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository sarif_file: ${{ github.workspace }}/detekt.sarif.json diff --git a/code-scanning/devskim.yml b/code-scanning/devskim.yml index 3a5c45f..bf11261 100644 --- a/code-scanning/devskim.yml +++ b/code-scanning/devskim.yml @@ -23,12 +23,12 @@ jobs: security-events: write steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Run DevSkim scanner uses: microsoft/DevSkim-Action@v1 - name: Upload DevSkim scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: devskim-results.sarif diff --git a/code-scanning/flawfinder.yml b/code-scanning/flawfinder.yml index 080953e..4ed8792 100644 --- a/code-scanning/flawfinder.yml +++ b/code-scanning/flawfinder.yml @@ -24,7 +24,7 @@ jobs: security-events: write steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: flawfinder_scan uses: david-a-wheeler/flawfinder@8e4a779ad59dbfaee5da586aa9210853b701959c @@ -33,6 +33,6 @@ jobs: output: 'flawfinder_results.sarif' - name: Upload analysis results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ${{github.workspace}}/flawfinder_results.sarif \ No newline at end of file diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml index d67d194..5e7c422 100644 --- a/code-scanning/fortify.yml +++ b/code-scanning/fortify.yml @@ -39,14 +39,15 @@ jobs: steps: # Check out source code - name: Check Out Source Code - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Java is required to run the various Fortify utilities. # When scanning a Java application, please use the appropriate Java version for building your application. - name: Setup Java - uses: actions/setup-java@v1 + uses: actions/setup-java@v3 with: - java-version: 1.8 + java-version: 8 + distribution: 'temurin' # Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml. # TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints: @@ -92,6 +93,6 @@ jobs: # Import Fortify on Demand results to GitHub Security Code Scanning - name: Import Results - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ./gh-fortify-sast.sarif diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml index 1cad70c..c432673 100644 --- a/code-scanning/kubesec.yml +++ b/code-scanning/kubesec.yml @@ -24,7 +24,7 @@ jobs: security-events: write steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Run kubesec scanner uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 @@ -36,6 +36,6 @@ jobs: exit-code: "0" - name: Upload Kubesec scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: kubesec-results.sarif \ No newline at end of file diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml index 59d66a0..64fe71a 100644 --- a/code-scanning/mayhem-for-api.yml +++ b/code-scanning/mayhem-for-api.yml @@ -42,7 +42,7 @@ jobs: contents: read security-events: write steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Run your API in the background. Ideally, the API would run in debug # mode & send stacktraces back on "500 Internal Server Error" responses @@ -61,6 +61,6 @@ jobs: sarif-report: mapi.sarif - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: mapi.sarif diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index d8eaa92..6d2bfb8 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -24,10 +24,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Setup python - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: 3.8 @@ -37,6 +37,6 @@ jobs: args: . --sarif --output results.sarif || true - name: Upload mobsfscan report - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 0abb409..863fbcb 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Configure CMake run: cmake -B ${{ env.build }} @@ -53,7 +53,7 @@ jobs: # Upload SARIF file to GitHub Code Scanning Alerts - name: Upload SARIF to GitHub - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ${{ steps.run-analysis.outputs.sarif }} diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index a6da087..8c359b8 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -29,13 +29,13 @@ jobs: name: njsscan code scanning steps: - name: Checkout the code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: nodejsscan scan id: njsscan uses: ajinabraham/njsscan-action@7237412fdd36af517e2745077cedbf9d6900d711 with: args: '. --sarif --output results.sarif || true' - name: Upload njsscan report - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif diff --git a/code-scanning/nowsecure.yml b/code-scanning/nowsecure.yml index 92126bd..7b5ba8f 100644 --- a/code-scanning/nowsecure.yml +++ b/code-scanning/nowsecure.yml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Build your application run: ./gradlew assembleDebug # Update this to build your Android or iOS application @@ -47,6 +47,6 @@ jobs: group_id: {{ groupId }} # Update this to your desired Platform group ID - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: NowSecure.sarif diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index b5aefa4..01af5af 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -25,7 +25,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Ensure a compatible version of dotnet is installed. # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. @@ -33,7 +33,7 @@ jobs: # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped. # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action: # - name: Install .NET - # uses: actions/setup-dotnet@v1 + # uses: actions/setup-dotnet@v2 # with: # dotnet-version: '3.1.x' @@ -44,6 +44,6 @@ jobs: # Upload results to the Security tab - name: Upload OSSAR results - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ${{ steps.ossar.outputs.sarifFile }} diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 0604734..0bc512c 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -17,9 +17,9 @@ jobs: pmd-code-scan: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' distribution: 'temurin' @@ -31,6 +31,6 @@ jobs: sourcePath: 'src/main/java' analyzeModifiedFilesOnly: false - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: pmd-report.sarif diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index dfbf452..c50f268 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -22,7 +22,7 @@ jobs: name: PSScriptAnalyzer runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Run PSScriptAnalyzer uses: microsoft/psscriptanalyzer-action@2044ae068e37d0161fa2127de04c19633882f061 @@ -37,6 +37,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 5b11482..6f2031b 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -33,7 +33,7 @@ jobs: name: Run Prisma Cloud IaC Scan to check steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - id: iac-scan name: Run Scan on CFT files in the repository uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3 @@ -48,7 +48,7 @@ jobs: # The service need to know the type of IaC being scanned template_type: 'CFT' - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 # Results are generated only on a success or failure # this is required since GitHub by default won't run the next step # when the previous one has failed. diff --git a/code-scanning/properties/clj-holmes.properties.json b/code-scanning/properties/clj-holmes.properties.json new file mode 100644 index 0000000..71f29c0 --- /dev/null +++ b/code-scanning/properties/clj-holmes.properties.json @@ -0,0 +1,10 @@ +{ + "name": "clj-holmes", + "creator": "Matheus Bernardes", + "description": "A Static Application Security Testing tool to find vulnerable Clojure code via rules that use a simple pattern language.", + "iconName": "clj-holmes", + "categories": [ + "Code Scanning", + "clojure" + ] +} \ No newline at end of file diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml index 373d5b6..ed458b2 100644 --- a/code-scanning/rubocop.yml +++ b/code-scanning/rubocop.yml @@ -23,7 +23,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 # If running on a self-hosted runner, check it meets the requirements # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners @@ -47,6 +47,6 @@ jobs: " - name: Upload Sarif output - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: rubocop.sarif diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index d63b462..a6bde3a 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -22,7 +22,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0 with: persist-credentials: false @@ -42,7 +42,7 @@ jobs: # Upload the results as artifacts (optional). - name: "Upload artifact" - uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 with: name: SARIF file path: results.sarif diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml index 3063c7a..b6ee5ad 100644 --- a/code-scanning/securitycodescan.yml +++ b/code-scanning/securitycodescan.yml @@ -21,7 +21,7 @@ jobs: SCS: runs-on: windows-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: nuget/setup-nuget@04b0c2b8d1b97922f67eca497d7cf0bf17b8ffe1 - uses: microsoft/setup-msbuild@v1.0.2 @@ -38,4 +38,4 @@ jobs: uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687 - name: Upload sarif - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index f99d441..fae9885 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -31,7 +31,7 @@ jobs: runs-on: ubuntu-latest steps: # Checkout project source - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Scan code using project's configuration on https://semgrep.dev/manage - uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735 @@ -42,7 +42,7 @@ jobs: # Upload SARIF file generated in previous step - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: semgrep.sarif if: always() diff --git a/code-scanning/shiftleft.yml b/code-scanning/shiftleft.yml index 48b86d3..b042670 100644 --- a/code-scanning/shiftleft.yml +++ b/code-scanning/shiftleft.yml @@ -22,7 +22,7 @@ jobs: # Scan runs on ubuntu, mac and windows runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Instructions # 1. Setup JDK, Node.js, Python etc depending on your project type # 2. Compile or build the project before invoking scan @@ -42,6 +42,6 @@ jobs: # type: python - name: Upload report - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: reports diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index 8ff2c9a..874f43b 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml @@ -26,7 +26,7 @@ jobs: snyk: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Build a Docker image run: docker build -t your/image-to-test . - name: Run Snyk to check Docker image for vulnerabilities @@ -43,6 +43,6 @@ jobs: image: your/image-to-test args: --file=Dockerfile - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: snyk.sarif diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index b79bf34..f4e9b8c 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml @@ -25,7 +25,7 @@ jobs: snyk: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Run Snyk to check configuration files for security issues # Snyk can be used to break the build when it detects security issues. # In this case we want to upload the issues to GitHub Code Scanning @@ -42,6 +42,6 @@ jobs: # or `main.tf` for a Terraform configuration file file: your-file-to-test.yaml - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: snyk.sarif diff --git a/code-scanning/stackhawk.yml b/code-scanning/stackhawk.yml index af220c0..64e9b9b 100644 --- a/code-scanning/stackhawk.yml +++ b/code-scanning/stackhawk.yml @@ -49,7 +49,7 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Start your service run: ./your-service.sh & # âœī¸ Update this to run your own service to be scanned diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml index 0c1ff16..c32334c 100644 --- a/code-scanning/synopsys-io.yml +++ b/code-scanning/synopsys-io.yml @@ -25,7 +25,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Synopsys Intelligent Security Scan id: prescription @@ -71,7 +71,7 @@ jobs: - name: Upload SARIF file if: ${{steps.prescription.outputs.sastScan == 'true' }} - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository sarif_file: workflowengine-results.sarif.json diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index f9b29fc..f075a80 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Build the Docker image # Tag image to be built @@ -54,7 +54,7 @@ jobs: # Sysdig inline scanner requires privileged rights run-as-user: root - - uses: github/codeql-action/upload-sarif@v1 + - uses: github/codeql-action/upload-sarif@v2 #Upload SARIF file if: always() with: diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 479f713..6536fbe 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -24,7 +24,7 @@ jobs: steps: - name: Clone repo - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Run tfsec uses: tfsec/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f @@ -32,7 +32,7 @@ jobs: sarif_file: tfsec.sarif - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository sarif_file: tfsec.sarif diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index 3d5373f..06b5cae 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -26,7 +26,7 @@ jobs: runs-on: "ubuntu-18.04" steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Build an image from Dockerfile run: | @@ -42,6 +42,6 @@ jobs: severity: 'CRITICAL,HIGH' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: 'trivy-results.sarif' diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index 073d1b6..b8a5b37 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -31,7 +31,7 @@ jobs: steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. Replace this section with your applications build steps - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: repository: '' @@ -41,9 +41,10 @@ jobs: - run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip - run: unzip -o pipeline-scan-LATEST.zip - - uses: actions/setup-java@v1 + - uses: actions/setup-java@v3 with: - java-version: 1.8 + java-version: 8 + distribution: 'temurin' - run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-scan-target.zip continue-on-error: true - name: Convert pipeline scan output to SARIF format @@ -51,7 +52,7 @@ jobs: uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be with: pipeline-results-json: results.json - - uses: github/codeql-action/upload-sarif@v1 + - uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository sarif_file: veracode-results.sarif diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index dc3c9ce..48249fc 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -50,14 +50,15 @@ jobs: steps: # Check out the repository - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Set up the correct Java version for your project # Please comment out, if your project does not contain Java source code. - name: Set up JDK 11 - uses: actions/setup-java@v1 + uses: actions/setup-java@v3 with: java-version: 11 + distribution: 'temurin' # Compile the code for Java projects and get all libraries, e.g. via Maven # Please adapt, if your project uses another build system to compile Java source code. @@ -87,6 +88,6 @@ jobs: *-Findings-List.sarif # Uploads the findings into the GitHub code scanning alert section using the upload-sarif action - - uses: github/codeql-action/upload-sarif@v1 + - uses: github/codeql-action/upload-sarif@v2 with: sarif_file: Xanitizer-Findings-List.sarif diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index ded9178..841a2fd 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -47,7 +47,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # 1.1 Login to ACR - name: Login to ACR with the AccessKey pair @@ -74,7 +74,7 @@ jobs: tag: "${{ env.TAG }}" # 2.1 (Optional) Login to ACR EE - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Login to ACR EE with the AccessKey pair uses: aliyun/acr-login@v1 with: diff --git a/deployments/aws.yml b/deployments/aws.yml index dab851f..fe5e076 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -49,7 +49,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v1 diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml index 57fe362..c882bde 100644 --- a/deployments/azure-container-webapp.yml +++ b/deployments/azure-container-webapp.yml @@ -40,7 +40,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v1 diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index 506819d..948e7db 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -57,7 +57,7 @@ jobs: runs-on: ubuntu-latest steps: # Checks out the repository this file is in - - uses: actions/checkout@master + - uses: actions/checkout@v3 # Logs in with your Azure credentials - name: Azure login diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index 1d33fe3..7c25319 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -49,7 +49,7 @@ jobs: runs-on: ubuntu-latest steps: # Checks out the repository this file is in - - uses: actions/checkout@master + - uses: actions/checkout@v3 # Logs in with your Azure credentials - name: Azure login diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index 51b7d69..f6928d0 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -55,7 +55,7 @@ jobs: runs-on: ubuntu-latest steps: # Checks out the repository this file is in - - uses: actions/checkout@master + - uses: actions/checkout@v3 # Logs in with your Azure credentials - name: Azure login diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index e61e64e..bb513d4 100644 --- a/deployments/azure-kubernetes-service.yml +++ b/deployments/azure-kubernetes-service.yml @@ -52,7 +52,7 @@ jobs: runs-on: ubuntu-latest steps: # Checks out the repository this file is in - - uses: actions/checkout@master + - uses: actions/checkout@v3 # Logs in with your Azure credentials - name: Azure login diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml index 8e1faf7..becfede 100644 --- a/deployments/azure-staticwebapp.yml +++ b/deployments/azure-staticwebapp.yml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest name: Build and Deploy Job steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: submodules: true - name: Build And Deploy diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index ed45e22..3357dc8 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -35,15 +35,15 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up .NET Core - uses: actions/setup-dotnet@v1 + uses: actions/setup-dotnet@v2 with: dotnet-version: ${{ env.DOTNET_VERSION }} - name: Set up dependency caching for faster builds - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: ~/.nuget/packages key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }} diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index c211a0f..d29b0c9 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -35,10 +35,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Java version - uses: actions/setup-java@v2.3.1 + uses: actions/setup-java@v3.0.0 with: java-version: ${{ env.JAVA_VERSION }} distribution: ${{ env.DISTRIBUTION }} diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index b6089d4..c967bdb 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -32,10 +32,10 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Node.js - uses: actions/setup-node@v2 + uses: actions/setup-node@v3 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index a2dd57b..04f55f4 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -35,7 +35,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Setup PHP uses: shivammathur/setup-php@7c0b4c8c8ebed23eca9ec2802474895d105b11bc @@ -55,7 +55,7 @@ jobs: echo "::set-output name=dir::$(composer config cache-files-dir)" - name: Set up dependency caching for faster installs - uses: actions/cache@v2 + uses: actions/cache@v3 if: steps.check_files.outputs.files_exists == 'true' with: path: ${{ steps.composer-cache.outputs.dir }} diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 8605e0a..af6a9dd 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -34,10 +34,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python version - uses: actions/setup-python@v2.2.2 + uses: actions/setup-python@v3.0.0 with: python-version: ${{ env.PYTHON_VERSION }} cache: 'pip' diff --git a/deployments/google-cloudrun-docker.yml b/deployments/google-cloudrun-docker.yml new file mode 100644 index 0000000..b8d0511 --- /dev/null +++ b/deployments/google-cloudrun-docker.yml @@ -0,0 +1,114 @@ +# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Cloud Run when a commit is pushed to the $default-branch branch +# +# Overview: +# +# 1. Authenticate to Google Cloud +# 2. Authenticate Docker to Artifact Registry +# 3. Build a docker container +# 4. Publish it to Google Artifact Registry +# 5. Deploy it to Cloud Run +# +# To configure this workflow: +# +# 1. Ensure the required Google Cloud APIs are enabled: +# +# Cloud Run run.googleapis.com +# Artifact Registry artifactregistry.googleapis.com +# +# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) +# +# 3. Ensure the required IAM permissions are granted +# +# Cloud Run +# roles/run.admin +# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account) +# +# Artifact Registry +# roles/artifactregistry.admin (project or repository level) +# +# NOTE: You should always follow the principle of least privilege when assigning IAM roles +# +# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT +# +# 5. Change the values for the GAR_LOCATION, SERVICE and REGION environment variables (below). +# +# NOTE: To use Google Container Registry instead, replace ${{ env.GAR_LOCATION }}-docker.pkg.dev with gcr.io +# +# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run +# +# Further reading: +# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying +# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles +# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry +# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege + +name: Build and Deploy to Cloud Run + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id + GAR_LOCATION: YOUR_GAR_LOCATION # TODO: update Artifact Registry location + SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name + REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region + +jobs: + deploy: + # Add 'id-token' with the intended permissions for workload identity federation + permissions: + contents: 'read' + id-token: 'write' + + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Google Auth + id: auth + uses: 'google-github-actions/auth@v0' + with: + token_format: 'access_token' + workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider + service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - my-service-account@my-project.iam.gserviceaccount.com + + # NOTE: Alternative option - authentication via credentials json + # - name: Google Auth + # id: auth + # uses: 'google-github-actions/auth@v0' + # with: + # credentials_json: '${{ secrets.GCP_CREDENTIALS }}'' + + # BEGIN - Docker auth and build (NOTE: If you already have a container image, these Docker steps can be omitted) + + # Authenticate Docker to Google Cloud Artifact Registry + - name: Docker Auth + id: docker-auth + uses: 'docker/login-action@v1' + with: + username: 'oauth2accesstoken' + password: '${{ steps.auth.outputs.access_token }}' + registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev' + + - name: Build and Push Container + run: |- + docker build -t "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" ./ + docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" + + # END - Docker auth and build + + - name: Deploy to Cloud Run + id: deploy + uses: google-github-actions/deploy-cloudrun@v0 + with: + service: ${{ env.SERVICE }} + region: ${{ env.REGION }} + # NOTE: If using a pre-built image, update the image name here + image: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }} + + # If required, use the Cloud Run url output in later steps + - name: Show Output + run: echo ${{ steps.deploy.outputs.url }} diff --git a/deployments/google-cloudrun-source.yml b/deployments/google-cloudrun-source.yml new file mode 100644 index 0000000..2916b45 --- /dev/null +++ b/deployments/google-cloudrun-source.yml @@ -0,0 +1,96 @@ +# This workflow will deploy source code on Cloud Run when a commit is pushed to the $default-branch branch +# +# Overview: +# +# 1. Authenticate to Google Cloud +# 2. Deploy it to Cloud Run +# +# To configure this workflow: +# +# 1. Ensure the required Google Cloud APIs are enabled: +# +# Cloud Run run.googleapis.com +# Cloud Build cloudbuild.googleapis.com +# Artifact Registry artifactregistry.googleapis.com +# +# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) +# +# 3. Ensure the required IAM permissions are granted +# +# Cloud Run +# roles/run.admin +# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account) +# +# Cloud Build +# roles/cloudbuild.builds.editor +# +# Cloud Storage +# roles/storage.objectAdmin +# +# Artifact Registry +# roles/artifactregistry.admin (project or repository level) +# +# NOTE: You should always follow the principle of least privilege when assigning IAM roles +# +# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT +# +# 5. Change the values for the SERVICE and REGION environment variables (below). +# +# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run +# +# Further reading: +# Cloud Run runtime service account - https://cloud.google.com/run/docs/securing/service-identity +# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying-source-code#permissions_required_to_deploy +# Cloud Run builds from source - https://cloud.google.com/run/docs/deploying-source-code +# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege + +name: Deploy to Cloud Run from Source + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id + SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name + REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region + +jobs: + deploy: + # Add 'id-token' with the intended permissions for workload identity federation + permissions: + contents: 'read' + id-token: 'write' + + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Google Auth + id: auth + uses: 'google-github-actions/auth@v0' + with: + workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider + service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - my-service-account@my-project.iam.gserviceaccount.com + + # NOTE: Alternative option - authentication via credentials json + # - name: Google Auth + # id: auth + # uses: 'google-github-actions/auth@v0' + # with: + # credentials_json: '${{ secrets.GCP_CREDENTIALS }}' + + - name: Deploy to Cloud Run + id: deploy + uses: google-github-actions/deploy-cloudrun@v0 + with: + service: ${{ env.SERVICE }} + region: ${{ env.REGION }} + # NOTE: If required, update to the appropriate source folder + source: ./ + + # If required, use the Cloud Run url output in later steps + - name: Show Output + run: echo ${{ steps.deploy.outputs.url }} diff --git a/deployments/google.yml b/deployments/google.yml index 003e53b..6150672 100644 --- a/deployments/google.yml +++ b/deployments/google.yml @@ -38,7 +38,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Configure Workload Identity Federation and generate an access token. - id: 'auth' diff --git a/deployments/ibm.yml b/deployments/ibm.yml index 216b04d..cb3080f 100644 --- a/deployments/ibm.yml +++ b/deployments/ibm.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Download and Install IBM Cloud CLI - name: Install IBM Cloud CLI diff --git a/deployments/openshift.yml b/deployments/openshift.yml index 46ff961..5775cb0 100644 --- a/deployments/openshift.yml +++ b/deployments/openshift.yml @@ -71,7 +71,7 @@ jobs: steps: - name: Check for required secrets - uses: actions/github-script@v4 + uses: actions/github-script@v6 with: script: | const secrets = { @@ -109,7 +109,7 @@ jobs: } - name: Check out repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Determine app name if: env.APP_NAME == '' diff --git a/deployments/properties/google-cloudrun-docker.properties.json b/deployments/properties/google-cloudrun-docker.properties.json new file mode 100644 index 0000000..b1a2b2b --- /dev/null +++ b/deployments/properties/google-cloudrun-docker.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Build and Deploy to Cloud Run", + "description": "Build a Docker container, publish it to Google Artifact Registry, and deploy to Google Cloud Run.", + "creator": "Google Cloud", + "iconName": "google-cloud", + "categories": ["Deployment", "Containers", "Dockerfile", "Cloud Run", "Serverless"] +} diff --git a/deployments/properties/google-cloudrun-source.properties.json b/deployments/properties/google-cloudrun-source.properties.json new file mode 100644 index 0000000..2735d80 --- /dev/null +++ b/deployments/properties/google-cloudrun-source.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to Cloud Run from Source", + "description": "Deploy to Google Cloud Run directly from source.", + "creator": "Google Cloud", + "iconName": "google-cloud", + "categories": ["Deployment", "Containers", "Cloud Run", "Serverless", "Buildpacks"] +} diff --git a/deployments/properties/google.properties.json b/deployments/properties/google.properties.json index f1bd883..e226385 100644 --- a/deployments/properties/google.properties.json +++ b/deployments/properties/google.properties.json @@ -2,6 +2,6 @@ "name": "Build and Deploy to GKE", "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", "creator": "Google Cloud", - "iconName": "googlegke", + "iconName": "google-cloud", "categories": ["Deployment", "Dockerfile", "Kubernetes", "Kustomize"] } \ No newline at end of file diff --git a/deployments/tencent.yml b/deployments/tencent.yml index 83bde94..2bf2a68 100644 --- a/deployments/tencent.yml +++ b/deployments/tencent.yml @@ -35,7 +35,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Build - name: Build Docker image diff --git a/deployments/terraform.yml b/deployments/terraform.yml index 589f1f3..96e44e0 100644 --- a/deployments/terraform.yml +++ b/deployments/terraform.yml @@ -64,7 +64,7 @@ jobs: steps: # Checkout the repository to the GitHub Actions runner - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token - name: Setup Terraform diff --git a/icons/clj-holmes.svg b/icons/clj-holmes.svg new file mode 100644 index 0000000..74459e5 --- /dev/null +++ b/icons/clj-holmes.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/icons/datadog.svg b/icons/datadog.svg new file mode 100644 index 0000000..91cb3b6 --- /dev/null +++ b/icons/datadog.svg @@ -0,0 +1,4 @@ + + + + diff --git a/icons/googlegke.svg b/icons/google-cloud.svg similarity index 100% rename from icons/googlegke.svg rename to icons/google-cloud.svg