From 864be6fc0f793382b5679b75a7b1f3ac7aaf7193 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 14 Sep 2022 12:16:25 +0530 Subject: [PATCH 01/15] Add actions/cache to list of enabledActions --- script/sync-ghes/settings.json | 1 + 1 file changed, 1 insertion(+) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index ff4857b..fe80c8a 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -6,6 +6,7 @@ "../../pages" ], "enabledActions": [ + "actions/cache", "actions/checkout", "actions/configure-pages", "actions/create-release", From 94ce275060ff31c5184c38b15269be673cb9deb0 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 14 Sep 2022 15:55:59 +0530 Subject: [PATCH 02/15] Add setup-python to list of enabledActions for ghes --- script/sync-ghes/settings.json | 1 + 1 file changed, 1 insertion(+) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index fe80c8a..41d6bcd 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -18,6 +18,7 @@ "actions/setup-go", "actions/setup-java", "actions/setup-node", + "actions/setup-python", "actions/stale", "actions/starter-workflows", "actions/upload-artifact", From 96389955e3b06980ccd373faec93c7e88bafe10c Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 14 Sep 2022 16:53:35 +0530 Subject: [PATCH 03/15] Update pull_request_template.md --- .github/pull_request_template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 9b6c10f..0a98861 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -41,7 +41,7 @@ It is not: - [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/code-scanning). - [ ] Should include a matching `code-scanning/properties/*.properties.json` file (for example, [`code-scanning/properties/codeql.properties.json`](https://github.com/actions/starter-workflows/blob/main/code-scanning/properties/codeql.properties.json)), with properties set as follows: - [ ] `name`: Name of the Code Scanning integration. - - [ ] `organization`: Name of the organization producing the Code Scanning integration. + - [ ] `creator`: Name of the organization/user producing the Code Scanning integration. - [ ] `description`: Short description of the Code Scanning integration. - [ ] `categories`: Array of languages supported by the Code Scanning integration. - [ ] `iconName`: Name of the SVG logo representing the Code Scanning integration. This SVG logo must be present in [the `icons` directory](https://github.com/actions/starter-workflows/tree/main/icons). From 81fe53796f8c719d680381815cbfd359119a8460 Mon Sep 17 00:00:00 2001 From: Azeem Shaikh Date: Wed, 14 Sep 2022 09:37:06 -0400 Subject: [PATCH 04/15] Update to scorecard-action:v2.0.3 Includes bug fixes --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 38db68f..8ca5094 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -30,7 +30,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@13ec8c77e8a5dae7e0a0d47bde3e3004df15d34f # tag=v2.0.0 + uses: ossf/scorecard-action@865b4092859256271290c77adbd10a43f4779972 # tag=v2.0.3 with: results_file: results.sarif results_format: sarif From 568b096f39f842303134c2e9bc694f1298cd2b5f Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Wed, 14 Sep 2022 18:17:28 -0400 Subject: [PATCH 05/15] add actions: read to any job using upload-sarif --- code-scanning/apisec-scan.yml | 1 + code-scanning/brakeman.yml | 1 + code-scanning/checkmarx.yml | 1 + code-scanning/clj-holmes.yml | 1 + code-scanning/clj-watson.yml | 1 + code-scanning/codacy.yml | 1 + code-scanning/codescan.yml | 1 + code-scanning/contrast-scan.yml | 1 + code-scanning/eslint.yml | 1 + code-scanning/hadolint.yml | 2 +- code-scanning/lintr.yml | 1 + code-scanning/mobsf.yml | 1 + code-scanning/msvc.yml | 1 + code-scanning/njsscan.yml | 1 + code-scanning/ossar.yml | 1 + code-scanning/phpmd.yml | 1 + code-scanning/pmd.yml | 1 + code-scanning/powershell.yml | 1 + code-scanning/prisma.yml | 1 + code-scanning/puppet-lint.yml | 1 + code-scanning/rust-clippy.yml | 1 + code-scanning/semgrep.yml | 1 + code-scanning/snyk-container.yml | 1 + code-scanning/snyk-infrastructure.yml | 1 + code-scanning/sobelow.yml | 1 + code-scanning/sysdig-scan.yml | 1 + code-scanning/trivy.yml | 1 + code-scanning/veracode.yml | 1 + code-scanning/xanitizer.yml | 1 + 29 files changed, 29 insertions(+), 1 deletion(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 5a9b751..a2dfbd2 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -49,6 +49,7 @@ jobs: Trigger APIsec scan: permissions: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index b04cabf..957343c 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Brakeman Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index e060654..9bdb136 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -29,6 +29,7 @@ jobs: issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index 3cfde14..4487e23 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml @@ -24,6 +24,7 @@ jobs: permissions: contents: read security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml index 2e4ab3c..76903a9 100644 --- a/code-scanning/clj-watson.yml +++ b/code-scanning/clj-watson.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index b74e449..7b705bd 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -30,6 +30,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Codacy Security Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index 92707b1..a9f1053 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - name: Checkout repository diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml index 61ffd7a..4e4deb7 100644 --- a/code-scanning/contrast-scan.yml +++ b/code-scanning/contrast-scan.yml @@ -30,6 +30,7 @@ jobs: permissions: contents: read # for actions/checkout security-events: write # for github/codeql-action/upload-sarif + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest # check out project steps: diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml index 9067a7d..54b01c8 100644 --- a/code-scanning/eslint.yml +++ b/code-scanning/eslint.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v3 diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml index 2f554e4..3153652 100644 --- a/code-scanning/hadolint.yml +++ b/code-scanning/hadolint.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v3 diff --git a/code-scanning/lintr.yml b/code-scanning/lintr.yml index 74a3b21..350df19 100644 --- a/code-scanning/lintr.yml +++ b/code-scanning/lintr.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 6d2bfb8..1013749 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -21,6 +21,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 863fbcb..e8dac88 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -28,6 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Analyze runs-on: windows-latest diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index 8c359b8..d766a6f 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest name: njsscan code scanning steps: diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index cbef5a2..2bd91dd 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -27,6 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: windows-latest steps: diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml index 91f4b2d..d10ace1 100644 --- a/code-scanning/phpmd.yml +++ b/code-scanning/phpmd.yml @@ -34,6 +34,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index a1e32c4..8115116 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -21,6 +21,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index d78a126..02e5de7 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: PSScriptAnalyzer runs-on: ubuntu-latest steps: diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 6f2031b..1a12b86 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest name: Run Prisma Cloud IaC Scan to check steps: diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml index d41b65b..50b86db 100644 --- a/code-scanning/puppet-lint.yml +++ b/code-scanning/puppet-lint.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml index e9c426a..c5f10ee 100644 --- a/code-scanning/rust-clippy.yml +++ b/code-scanning/rust-clippy.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index fae9885..b10a930 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -27,6 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index 0fbbf87..a232c53 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml @@ -30,6 +30,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index a685323..3ca1035 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml index 21cb6e7..7d38c77 100644 --- a/code-scanning/sobelow.yml +++ b/code-scanning/sobelow.yml @@ -28,6 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index f075a80..f9b61b9 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -24,6 +24,7 @@ jobs: checks: write # for sysdiglabs/scan-action to publish the checks contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index 63be947..f56d9e5 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -22,6 +22,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Build runs-on: "ubuntu-18.04" steps: diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index b8a5b37..89d35df 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -27,6 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 3462eaa..5724a97 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -51,6 +51,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: From cb341b59ed903d36aedd3012de4d5c1f58af194c Mon Sep 17 00:00:00 2001 From: Marco Gario Date: Fri, 16 Sep 2022 09:25:07 +0200 Subject: [PATCH 06/15] Update CodeQL to include category by default Code Scanning can accept multiple uploads for the same tool and uses the concept of category to keep results separated. If not provided explicitly, the category is computed based on a few parameters like workflow path and matrix variables. The implicit computation of the category can create confusion if users change their workflow, as we start considering the new analyses as unrelated to existing results. By making the category explicit in the workflow we hope to make the concept more prominent and reduce accidental changes. --- code-scanning/codeql.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index a113b59..00ffcdb 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -70,3 +70,5 @@ jobs: - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" From cd26daf9c2098b73c9c0640acd9b27c3e34e1d44 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Fri, 16 Sep 2022 15:05:57 -0700 Subject: [PATCH 07/15] Clear name conflict --- ci/{jekyll.yml => jekyll-docker.yml} | 0 .../{jekyll.properties.json => jekyll-docker.properties.json} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename ci/{jekyll.yml => jekyll-docker.yml} (100%) rename ci/properties/{jekyll.properties.json => jekyll-docker.properties.json} (100%) diff --git a/ci/jekyll.yml b/ci/jekyll-docker.yml similarity index 100% rename from ci/jekyll.yml rename to ci/jekyll-docker.yml diff --git a/ci/properties/jekyll.properties.json b/ci/properties/jekyll-docker.properties.json similarity index 100% rename from ci/properties/jekyll.properties.json rename to ci/properties/jekyll-docker.properties.json From 4bb0cbfc9e46a125e1b0b39b77dd808cfee89fba Mon Sep 17 00:00:00 2001 From: Chris Patterson Date: Tue, 20 Sep 2022 10:25:45 +0530 Subject: [PATCH 08/15] Enable caching by default for docker builds. --- ci/docker-publish.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index e88539d..41253c1 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -78,6 +78,9 @@ jobs: push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + # Sign the resulting Docker image digest except on PRs. # This will only write to the public Rekor transparency log when the Docker From e7e1dc203701c85e902a1122ed62af132af1c7bf Mon Sep 17 00:00:00 2001 From: omerzi Date: Tue, 20 Sep 2022 16:36:24 +0300 Subject: [PATCH 09/15] Update Frogbot's version --- code-scanning/frogbot-scan-and-fix.yml | 2 +- code-scanning/frogbot-scan-pr.yml | 2 +- starter-workflows.iml | 9 +++++++++ 3 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 starter-workflows.iml diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 6dd4b0e..0089f10 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -37,7 +37,7 @@ jobs: # node-version: "16.x" - - uses: jfrog/frogbot@34759934930c177bdefba6ca3a417589d4db6cab + - uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index ec19d61..bd1a9c2 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml @@ -42,7 +42,7 @@ jobs: # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request - - uses: jfrog/frogbot@34759934930c177bdefba6ca3a417589d4db6cab + - uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) diff --git a/starter-workflows.iml b/starter-workflows.iml new file mode 100644 index 0000000..8021953 --- /dev/null +++ b/starter-workflows.iml @@ -0,0 +1,9 @@ + + + + + + + + + \ No newline at end of file From bdee68f5716734c91c3783c2d70bd246abb23cc2 Mon Sep 17 00:00:00 2001 From: omerzi Date: Tue, 20 Sep 2022 16:39:01 +0300 Subject: [PATCH 10/15] Update JFrog Frogbot's Version --- starter-workflows.iml | 9 --------- 1 file changed, 9 deletions(-) delete mode 100644 starter-workflows.iml diff --git a/starter-workflows.iml b/starter-workflows.iml deleted file mode 100644 index 8021953..0000000 --- a/starter-workflows.iml +++ /dev/null @@ -1,9 +0,0 @@ - - - - - - - - - \ No newline at end of file From a50f9361bc1283eb5191ada8a0878319ecd8919e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Batuhan=20Apayd=C4=B1n?= Date: Tue, 20 Sep 2022 20:02:09 +0300 Subject: [PATCH 11/15] chore: upgrade cosign-installer version to latest MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Batuhan Apaydın --- ci/docker-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index e88539d..d07a3f8 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -41,9 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@7e0881f8fe90b25e305bbf0309761e9314607e25 + uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 with: - cosign-release: 'v1.9.0' + cosign-release: 'v1.11.0' # Workaround: https://github.com/docker/build-push-action/issues/461 From 6b52b98767046e01d8c0543b30767b8214b85be4 Mon Sep 17 00:00:00 2001 From: Simon Engledew Date: Wed, 21 Sep 2022 12:46:14 +0100 Subject: [PATCH 12/15] Hide ESLint on GHES --- code-scanning/properties/eslint.properties.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/code-scanning/properties/eslint.properties.json b/code-scanning/properties/eslint.properties.json index a84646a..2a1271f 100644 --- a/code-scanning/properties/eslint.properties.json +++ b/code-scanning/properties/eslint.properties.json @@ -2,10 +2,11 @@ "name": "ESLint", "description": "A tool for identifying and reporting the problems found in ECMAScript/JavaScript code.", "iconName": "eslint", + "enterprise": false, "categories": [ "Code Scanning", "JavaScript", "EcmaScript", "TypeScript" ] -} \ No newline at end of file +} From 23737db30608c6a9c4175971df3a2d451278b955 Mon Sep 17 00:00:00 2001 From: Simon Engledew Date: Wed, 21 Sep 2022 15:45:41 +0100 Subject: [PATCH 13/15] Make enterprise opt-in instead of opt-out --- code-scanning/properties/codeql.properties.json | 1 + script/sync-ghes/index.ts | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index ddb4627..8ee80b4 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -1,6 +1,7 @@ { "name": "CodeQL Analysis", "creator": "GitHub", + "enterprise": true, "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.", "iconName": "octicon mark-github", "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"] diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 608e73d..a816109 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -61,7 +61,7 @@ async function checkWorkflows( const enabled = !isPartnerWorkflow && - workflowProperties.enterprise !== false && + workflowProperties.enterprise === true && (await checkWorkflow(workflowFilePath, enabledActions)); const workflowDesc: WorkflowDesc = { From d75ca7ac2e1a53eb04fc809ac8affdf2cded060d Mon Sep 17 00:00:00 2001 From: Nick Fyson Date: Wed, 21 Sep 2022 16:04:36 +0100 Subject: [PATCH 14/15] fix trigger for ghes sync --- .github/workflows/sync-ghes.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index 5e949bb..26d2665 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -2,7 +2,7 @@ name: Sync workflows for GHES on: push: - branches: [ $default-branch ] + branches: [ main ] workflow_dispatch: jobs: From da2e9558af199abdd3140a07fde272cfdd257831 Mon Sep 17 00:00:00 2001 From: Simon Engledew Date: Wed, 21 Sep 2022 16:00:40 +0100 Subject: [PATCH 15/15] Only use enterprise check for code-scanning folder --- script/sync-ghes/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index a816109..a320d36 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -61,7 +61,7 @@ async function checkWorkflows( const enabled = !isPartnerWorkflow && - workflowProperties.enterprise === true && + (workflowProperties.enterprise === true || folder !== 'code-scanning') && (await checkWorkflow(workflowFilePath, enabledActions)); const workflowDesc: WorkflowDesc = {