diff --git a/.github/workflows/auto-assign.yml b/.github/workflows/auto-assign.yml
index d7161b1..b0789b3 100644
--- a/.github/workflows/auto-assign.yml
+++ b/.github/workflows/auto-assign.yml
@@ -7,4 +7,4 @@ jobs:
add-reviews:
runs-on: ubuntu-latest
steps:
- - uses: kentaro-m/auto-assign-action@v1.2.1
+ - uses: kentaro-m/auto-assign-action@v1.2.2
diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml
index aba7780..c8b83c9 100644
--- a/.github/workflows/sync-ghes.yaml
+++ b/.github/workflows/sync-ghes.yaml
@@ -2,8 +2,7 @@ name: Sync workflows for GHES
on:
push:
- branches:
- - main
+ branches: [ $default-branch ]
jobs:
sync:
diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml
new file mode 100644
index 0000000..a249449
--- /dev/null
+++ b/ci/generator-generic-ossf-slsa3-publish.yml
@@ -0,0 +1,68 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow lets you generate SLSA provenance file for your project.
+# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements
+# The project is an initiative of the OpenSSF (openssf.org) and is developed at
+# https://github.com/slsa-framework/slsa-github-generator.
+# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
+# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
+
+name: SLSA generic generator
+on:
+ workflow_dispatch:
+ release:
+ types: [created]
+
+permissions: read-all
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ outputs:
+ digests: ${{ steps.hash.outputs.digests }}
+
+ steps:
+ - uses: actions/checkout@v3
+
+ # ========================================================
+ #
+ # Step 1: Build your artifacts.
+ #
+ # ========================================================
+ - name: Build artifacts
+ run: |
+ # These are some amazing artifacts.
+ echo "artifact1" > artifact1
+ echo "artifact2" > artifact2
+
+ # ========================================================
+ #
+ # Step 2: Add a step to generate the provenance subjects
+ # as shown below. Update the sha256 sum arguments
+ # to include all binaries that you generate
+ # provenance for.
+ #
+ # ========================================================
+ - name: Generate subject
+ id: hash
+ run: |
+ set -euo pipefail
+
+ # List the artifacts the provenance will refer to.
+ files=$(ls artifact*)
+ # Generate the subjects (base64 encoded).
+ echo "::set-output name=digests::$(sha256sum $files | base64 -w0)"
+
+ provenance:
+ needs: [build]
+ permissions:
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write # To add assets to a release.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
+ with:
+ base64-subjects: "${{ needs.build.outputs.digests }}"
+ upload-assets: true # Optional: Upload to a new release
diff --git a/ci/properties/generator-generic-ossf-slsa3-publish.properties.json b/ci/properties/generator-generic-ossf-slsa3-publish.properties.json
new file mode 100644
index 0000000..32cf63d
--- /dev/null
+++ b/ci/properties/generator-generic-ossf-slsa3-publish.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "SLSA Generic generator",
+ "creator": "Open Source Security Foundation (OpenSSF)",
+ "description": "Generate SLSA3 provenance for your existing release workflows",
+ "iconName": "generator-generic-ossf-slsa3-publish",
+ "categories": ["Continuous integration", "Go", "Elixir", "Erlang", "PHP", "Haskell", "Rust", "Java", "Scala", "Gradle", "Maven", "Python", "C", "C++", "TypeScript", "JavaScript", "npm", "Ruby", "HTML", "Composer", "Makefile", "Ada"]
+}
diff --git a/ci/ruby.yml b/ci/ruby.yml
index 81ea363..6340760 100644
--- a/ci/ruby.yml
+++ b/ci/ruby.yml
@@ -30,7 +30,7 @@ jobs:
# To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
# change this to (see https://github.com/ruby/setup-ruby#versioning):
# uses: ruby/setup-ruby@v1
- uses: ruby/setup-ruby@2b019609e2b0f1ea1a2bc8ca11cb82ab46ada124
+ uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
with:
ruby-version: ${{ matrix.ruby-version }}
bundler-cache: true # runs 'bundle install' and caches installed gems automatically
diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml
index 2ad891f..958a104 100644
--- a/ci/rubyonrails.yml
+++ b/ci/rubyonrails.yml
@@ -30,7 +30,7 @@ jobs:
uses: actions/checkout@v3
# Add or replace dependency steps here
- name: Install Ruby and gems
- uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92
+ uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
with:
bundler-cache: true
# Add or replace database setup steps here
@@ -46,7 +46,7 @@ jobs:
- name: Checkout code
uses: actions/checkout@v3
- name: Install Ruby and gems
- uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92
+ uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
with:
bundler-cache: true
# Add or replace any other lints here
diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml
index 155208f..b04cabf 100644
--- a/code-scanning/brakeman.yml
+++ b/code-scanning/brakeman.yml
@@ -34,7 +34,7 @@ jobs:
# Customize the ruby version depending on your needs
- name: Setup Ruby
- uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
+ uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
with:
ruby-version: '2.7'
diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml
index 56725f5..6dd4b0e 100644
--- a/code-scanning/frogbot-scan-and-fix.yml
+++ b/code-scanning/frogbot-scan-and-fix.yml
@@ -10,14 +10,11 @@
name: "Frogbot Scan and Fix"
on:
push:
- branches:
- # The scanning and creation of pull requests with fixes are triggered by pushing code to one of the these branches.
- # You can edit the list of branches you wish to open fix pull requests on.
- - "main"
- - "master"
+ branches: [ $default-branch ]
permissions:
contents: write
pull-requests: write
+ security-events: write
jobs:
create-fix-pull-requests:
runs-on: ubuntu-latest
@@ -40,7 +37,7 @@ jobs:
# node-version: "16.x"
- - uses: jfrog/frogbot@de3d42bf3a454ddf156632ae520a5ead49048416
+ - uses: jfrog/frogbot@34759934930c177bdefba6ca3a417589d4db6cab
env:
# [Mandatory]
# JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml
index bdc71b4..ec19d61 100644
--- a/code-scanning/frogbot-scan-pr.yml
+++ b/code-scanning/frogbot-scan-pr.yml
@@ -42,7 +42,7 @@ jobs:
# The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request
- - uses: jfrog/frogbot@de3d42bf3a454ddf156632ae520a5ead49048416
+ - uses: jfrog/frogbot@34759934930c177bdefba6ca3a417589d4db6cab
env:
# [Mandatory]
# JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
diff --git a/code-scanning/lintr.yml b/code-scanning/lintr.yml
new file mode 100644
index 0000000..74a3b21
--- /dev/null
+++ b/code-scanning/lintr.yml
@@ -0,0 +1,54 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# lintr provides static code analysis for R.
+# It checks for adherence to a given style,
+# identifying syntax errors and possible semantic issues,
+# then reports them to you so you can take action.
+# More details at https://lintr.r-lib.org/
+
+name: lintr
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ lintr:
+ name: Run lintr scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Setup R
+ uses: r-lib/actions/setup-r@4e1feaf90520ec1215d1882fdddfe3411c08e492
+
+ - name: Setup lintr
+ uses: r-lib/actions/setup-r-dependencies@4e1feaf90520ec1215d1882fdddfe3411c08e492
+ with:
+ extra-packages: lintr
+
+ - name: Run lintr
+ run: lintr::sarif_output(lintr::lint_dir("."), "lintr-results.sarif")
+ shell: Rscript {0}
+ continue-on-error: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: lintr-results.sarif
+ wait-for-processing: true
diff --git a/code-scanning/properties/lintr.properties.json b/code-scanning/properties/lintr.properties.json
new file mode 100644
index 0000000..07e9741
--- /dev/null
+++ b/code-scanning/properties/lintr.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "lintr",
+ "description": "lintr provides static code analysis for R.",
+ "iconName": "lintr",
+ "categories": [ "Code Scanning", "R" ]
+}
\ No newline at end of file
diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml
index 801b90b..d41b65b 100644
--- a/code-scanning/puppet-lint.yml
+++ b/code-scanning/puppet-lint.yml
@@ -35,7 +35,7 @@ jobs:
uses: actions/checkout@v3
- name: Setup Ruby
- uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
+ uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
with:
ruby-version: 2.7
bundler-cache: true
diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml
index ed458b2..8018ca1 100644
--- a/code-scanning/rubocop.yml
+++ b/code-scanning/rubocop.yml
@@ -28,7 +28,7 @@ jobs:
# If running on a self-hosted runner, check it meets the requirements
# listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
- name: Set up Ruby
- uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
+ uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
with:
ruby-version: 2.6
diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml
index 539794d..e4f1d0f 100644
--- a/code-scanning/scorecards.yml
+++ b/code-scanning/scorecards.yml
@@ -25,12 +25,12 @@ jobs:
steps:
- name: "Checkout code"
- uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0
+ uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
with:
persist-credentials: false
- name: "Run analysis"
- uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # v1.1.1
+ uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # tag=v1.1.1
with:
results_file: results.sarif
results_format: sarif
@@ -49,7 +49,7 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
- uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
+ uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0
with:
name: SARIF file
path: results.sarif
@@ -57,6 +57,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
+ uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26
with:
sarif_file: results.sarif
diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml
index d7c27d9..9853b75 100644
--- a/deployments/alibabacloud.yml
+++ b/deployments/alibabacloud.yml
@@ -21,8 +21,7 @@ name: Build and Deploy to ACK
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
# Environment variables available to all jobs and steps in this workflow.
env:
diff --git a/deployments/aws.yml b/deployments/aws.yml
index 47253bf..9585844 100644
--- a/deployments/aws.yml
+++ b/deployments/aws.yml
@@ -28,8 +28,7 @@ name: Deploy to Amazon ECS
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
env:
AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1
diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml
index 8b69065..cc2e1dd 100644
--- a/deployments/azure-container-webapp.yml
+++ b/deployments/azure-container-webapp.yml
@@ -31,8 +31,7 @@ env:
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
permissions:
diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml
index a6a2f4e..83a9163 100644
--- a/deployments/azure-kubernetes-service-helm.yml
+++ b/deployments/azure-kubernetes-service-helm.yml
@@ -34,8 +34,7 @@ name: Build and deploy an app to AKS with Helm
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
env:
diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml
index 60fe536..0e76365 100644
--- a/deployments/azure-kubernetes-service-kompose.yml
+++ b/deployments/azure-kubernetes-service-kompose.yml
@@ -33,8 +33,7 @@ name: Build and deploy an app to AKS with Kompose
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
env:
diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml
index d46cadb..1a89f3c 100644
--- a/deployments/azure-kubernetes-service-kustomize.yml
+++ b/deployments/azure-kubernetes-service-kustomize.yml
@@ -33,8 +33,7 @@ name: Build and deploy an app to AKS with Kustomize
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
env:
diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml
index d04a2ac..3e49419 100644
--- a/deployments/azure-kubernetes-service.yml
+++ b/deployments/azure-kubernetes-service.yml
@@ -29,8 +29,7 @@ name: Build and deploy an app to AKS
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
env:
diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml
index a40ecc2..8fe07ce 100644
--- a/deployments/azure-staticwebapp.yml
+++ b/deployments/azure-staticwebapp.yml
@@ -14,12 +14,10 @@ name: Deploy web app to Azure Static Web Apps
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
pull_request:
types: [opened, synchronize, reopened, closed]
- branches:
- - $default-branch
+ branches: [ $default-branch ]
# Environment variables available to all jobs and steps in this workflow
env:
diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml
index 0b59686..9b21895 100644
--- a/deployments/azure-webapps-dotnet-core.yml
+++ b/deployments/azure-webapps-dotnet-core.yml
@@ -26,8 +26,7 @@ env:
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
permissions:
diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml
index 6e3df8d..60fa68c 100644
--- a/deployments/azure-webapps-java-jar.yml
+++ b/deployments/azure-webapps-java-jar.yml
@@ -26,8 +26,7 @@ env:
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
permissions:
diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml
index 1480c92..98e72c2 100644
--- a/deployments/azure-webapps-node.yml
+++ b/deployments/azure-webapps-node.yml
@@ -19,8 +19,7 @@
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
env:
diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml
index 98e8dc7..4d08dbd 100644
--- a/deployments/azure-webapps-php.yml
+++ b/deployments/azure-webapps-php.yml
@@ -21,8 +21,7 @@ name: Build and deploy PHP app to Azure Web App
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
env:
diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml
index 50f4823..d7aa802 100644
--- a/deployments/azure-webapps-python.yml
+++ b/deployments/azure-webapps-python.yml
@@ -25,8 +25,7 @@ env:
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
permissions:
diff --git a/deployments/google-cloudrun-docker.yml b/deployments/google-cloudrun-docker.yml
index b8d0511..bd748f8 100644
--- a/deployments/google-cloudrun-docker.yml
+++ b/deployments/google-cloudrun-docker.yml
@@ -46,8 +46,7 @@ name: Build and Deploy to Cloud Run
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
env:
PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id
diff --git a/deployments/google-cloudrun-source.yml b/deployments/google-cloudrun-source.yml
index 2916b45..e6fcb52 100644
--- a/deployments/google-cloudrun-source.yml
+++ b/deployments/google-cloudrun-source.yml
@@ -48,8 +48,7 @@ name: Deploy to Cloud Run from Source
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
env:
PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id
diff --git a/deployments/google.yml b/deployments/google.yml
index 6150672..846452a 100644
--- a/deployments/google.yml
+++ b/deployments/google.yml
@@ -14,8 +14,7 @@ name: Build and Deploy to GKE
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
env:
PROJECT_ID: ${{ secrets.GKE_PROJECT }}
diff --git a/deployments/ibm.yml b/deployments/ibm.yml
index cb3080f..53a58c5 100644
--- a/deployments/ibm.yml
+++ b/deployments/ibm.yml
@@ -10,8 +10,7 @@ name: Build and Deploy to IKS
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
# Environment variables available to all jobs and steps in this workflow
env:
diff --git a/deployments/tencent.yml b/deployments/tencent.yml
index 4e9e9f6..ba65fe5 100644
--- a/deployments/tencent.yml
+++ b/deployments/tencent.yml
@@ -17,8 +17,7 @@ name: Tencent Kubernetes Engine
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
# Environment variables available to all jobs and steps in this workflow
env:
diff --git a/deployments/terraform.yml b/deployments/terraform.yml
index 53efe48..c06f685 100644
--- a/deployments/terraform.yml
+++ b/deployments/terraform.yml
@@ -46,8 +46,7 @@ name: 'Terraform'
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
pull_request:
permissions:
diff --git a/icons/generator-generic-ossf-slsa3-publish.svg b/icons/generator-generic-ossf-slsa3-publish.svg
new file mode 100644
index 0000000..ea77468
--- /dev/null
+++ b/icons/generator-generic-ossf-slsa3-publish.svg
@@ -0,0 +1,11 @@
+
+
diff --git a/icons/lintr.svg b/icons/lintr.svg
new file mode 100644
index 0000000..cdc40d8
--- /dev/null
+++ b/icons/lintr.svg
@@ -0,0 +1,679 @@
+
+
+
+
diff --git a/pages/hugo.yml b/pages/hugo.yml
index fb8c924..f273fb2 100644
--- a/pages/hugo.yml
+++ b/pages/hugo.yml
@@ -30,7 +30,7 @@ jobs:
build:
runs-on: ubuntu-latest
env:
- HUGO_VERSION: 0.99.0
+ HUGO_VERSION: 0.102.3
steps:
- name: Install Hugo CLI
run: |
diff --git a/pages/jekyll.yml b/pages/jekyll.yml
index 37ee818..d039d12 100644
--- a/pages/jekyll.yml
+++ b/pages/jekyll.yml
@@ -33,7 +33,7 @@ jobs:
- name: Checkout
uses: actions/checkout@v3
- name: Setup Ruby
- uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa
+ uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
with:
ruby-version: '3.0' # Not needed with a .ruby-version file
bundler-cache: true # runs 'bundle install' and caches installed gems automatically