From a76776b484009a5dc3accadfb53dbbc4d953d9e2 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Wed, 2 Feb 2022 23:49:53 +0530 Subject: [PATCH 01/22] Update codacy.yml --- code-scanning/codacy.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index 50185ad..4892930 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -22,8 +22,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: codacy-security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Codacy Security Scan runs-on: ubuntu-latest steps: From 14ce90e99f9db28d05cc0a81e2b63370e034db38 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Mon, 14 Feb 2022 11:13:30 +0530 Subject: [PATCH 02/22] added github_token permissions --- code-scanning/semgrep.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index 827387b..f99d441 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -19,8 +19,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: semgrep: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Scan runs-on: ubuntu-latest steps: From b90ea0582ae3866c2a11e47fc3708e4d97a5ad3f Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 12:43:26 +0530 Subject: [PATCH 03/22] Update veracode.yml --- code-scanning/veracode.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index e38fffd..073d1b6 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -17,10 +17,16 @@ on: - cron: $cron-weekly # A workflow run is made up of one or more jobs that can run sequentially or in parallel +permissions: + contents: read + jobs: # This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter build-and-pipeline-scan: # The type of runner that the job will run on + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: From d8a2673986720cf4f579448519c77a37d861d53e Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 12:59:51 +0530 Subject: [PATCH 04/22] Update prisma.yml --- code-scanning/prisma.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 5323d1b..5b11482 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -21,8 +21,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: prisma_cloud_iac_scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest name: Run Prisma Cloud IaC Scan to check steps: From 4333c79965dc3415883fbb3d4c4b2d4e6d6f2e3f Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 13:08:08 +0530 Subject: [PATCH 05/22] Update codacy.yml --- code-scanning/codacy.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index 50185ad..4892930 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -22,8 +22,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: codacy-security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Codacy Security Scan runs-on: ubuntu-latest steps: From b93e51dac62613e75ab7b232cead7c400368d461 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 13:11:47 +0530 Subject: [PATCH 06/22] Update msvc.yml --- code-scanning/msvc.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 1503319..83d4571 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -20,8 +20,14 @@ env: # Path to the CMake build directory. build: '${{ github.workspace }}/build' +permissions: + contents: read + jobs: analyze: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Analyze runs-on: windows-latest From ab9bdce2e320816516a6b28bf58c3f503daa0bb3 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Mon, 14 Feb 2022 15:19:56 +0530 Subject: [PATCH 07/22] Update apisec-scan.yml --- code-scanning/apisec-scan.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 3aa06ca..4737d06 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -42,8 +42,13 @@ on: workflow_dispatch: +permissions: + contents: read + jobs: Trigger APIsec scan: + permissions: + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: @@ -61,4 +66,4 @@ jobs: - name: Import results uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: ./apisec-results.sarif \ No newline at end of file + sarif_file: ./apisec-results.sarif From f6474e2bfa207cc53531f4de21c1f9243ec7c46a Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Mon, 14 Feb 2022 15:23:03 +0530 Subject: [PATCH 08/22] Update brakeman.yml --- code-scanning/brakeman.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index ae5215a..d0b25ac 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -17,8 +17,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: brakeman-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Brakeman Scan runs-on: ubuntu-latest steps: From aa4aa29543b6a72c397d9285abd94d91c41984fd Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Mon, 14 Feb 2022 15:51:06 +0530 Subject: [PATCH 09/22] Update stackhawk.yml --- code-scanning/stackhawk.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/stackhawk.yml b/code-scanning/stackhawk.yml index 9701b1f..af220c0 100644 --- a/code-scanning/stackhawk.yml +++ b/code-scanning/stackhawk.yml @@ -37,8 +37,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: stackhawk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for stackhawk/hawkscan-action to upload code scanning alert info name: StackHawk runs-on: ubuntu-20.04 steps: From 6706b36121ab6c4b497c145160f85b056fe12347 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Tue, 15 Feb 2022 16:04:39 +0530 Subject: [PATCH 10/22] Update njsscan.yml --- code-scanning/njsscan.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index 8077f76..a6da087 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -17,8 +17,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: njsscan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest name: njsscan code scanning steps: From 3394a8e62f54f84b23c843b970d4ca143013db12 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Tue, 15 Feb 2022 16:38:05 +0530 Subject: [PATCH 11/22] Update mobsf.yml --- code-scanning/mobsf.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 689a1a0..d8eaa92 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -13,8 +13,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: mobile-security: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: @@ -33,4 +39,4 @@ jobs: - name: Upload mobsfscan report uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: results.sarif \ No newline at end of file + sarif_file: results.sarif From 6a5dc3a7538ff504a39f33cc73855ad4dedcf3e0 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Thu, 17 Feb 2022 08:50:23 +0530 Subject: [PATCH 12/22] Update sysdig-scan.yml --- code-scanning/sysdig-scan.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index 49841d7..f9b29fc 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -13,10 +13,17 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: build: + permissions: + checks: write # for sysdiglabs/scan-action to publish the checks + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: @@ -51,4 +58,4 @@ jobs: #Upload SARIF file if: always() with: - sarif_file: ${{ steps.scan.outputs.sarifReport }} \ No newline at end of file + sarif_file: ${{ steps.scan.outputs.sarifReport }} From ed9202263d2954cd84dc11e0068ea5744268e8ab Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 18 Feb 2022 01:00:27 +0000 Subject: [PATCH 13/22] Update hash for scorecard's v1.0.4 release --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 618ce28..d63b462 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -27,7 +27,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@c8416b0b2bf627c349ca92fc8e3de51a64b005cf # v1.0.2 + uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4 with: results_file: results.sarif results_format: sarif From 300f303442f956de563b7f301f652d94acb60cde Mon Sep 17 00:00:00 2001 From: Atul Malaviya Date: Sun, 20 Feb 2022 02:18:18 -0600 Subject: [PATCH 14/22] Added PR trigger (#1448) --- ci/msbuild.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ci/msbuild.yml b/ci/msbuild.yml index 29b6ace..e650e2a 100644 --- a/ci/msbuild.yml +++ b/ci/msbuild.yml @@ -1,6 +1,10 @@ name: MSBuild -on: [push] +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] env: # Path to the solution file relative to the root of the project. From d3fb4810d7ded6721dd323f60d1b3c63d901b307 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Wed, 2 Mar 2022 10:53:29 -0800 Subject: [PATCH 15/22] Add clj-holmes starter workflow --- code-scanning/clj-holmes.yml | 40 +++++++++++++++++++ .../properties/clj-holmes.properties.json | 10 +++++ icons/clj-holmes.svg | 1 + 3 files changed, 51 insertions(+) create mode 100644 code-scanning/clj-holmes.yml create mode 100644 code-scanning/properties/clj-holmes.properties.json create mode 100644 icons/clj-holmes.svg diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml new file mode 100644 index 0000000..62364b3 --- /dev/null +++ b/code-scanning/clj-holmes.yml @@ -0,0 +1,40 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: clj-holmes + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + clj-holmes: + name: Run clj-holmes scanning + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Scan code + uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb + with: + rules-repository: 'git://org/private-rules-repo#main' + output-type: 'sarif' + output-file: 'clj-holmes-results.sarif' + fail-on-result: 'false' + + - name: Upload analysis results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ${{github.workspace}}/clj-holmes-results.sarif \ No newline at end of file diff --git a/code-scanning/properties/clj-holmes.properties.json b/code-scanning/properties/clj-holmes.properties.json new file mode 100644 index 0000000..41950bb --- /dev/null +++ b/code-scanning/properties/clj-holmes.properties.json @@ -0,0 +1,10 @@ +{ + "name": "clj-holmes", + "creator": "Matheus Bernardes", + "description": "A CLI SAST (Static application security testing) tool which was built with the intent of finding vulnerable Clojure code via rules that use a simple pattern language.", + "iconName": "clj-holmes", + "categories": [ + "Code Scanning", + "clojure" + ] +} \ No newline at end of file diff --git a/icons/clj-holmes.svg b/icons/clj-holmes.svg new file mode 100644 index 0000000..74459e5 --- /dev/null +++ b/icons/clj-holmes.svg @@ -0,0 +1 @@ + \ No newline at end of file From 0d462e1c6b547f7df41b16f6ef94d08d27f26176 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Thu, 3 Mar 2022 22:43:12 +0530 Subject: [PATCH 16/22] Port reworked AKS templates to main (#1450) --- deployments/azure-kubernetes-service-helm.yml | 122 +++++++++++++++++ .../azure-kubernetes-service-kompose.yml | 111 +++++++++++++++ .../azure-kubernetes-service-kustomize.yml | 117 ++++++++++++++++ deployments/azure-kubernetes-service.yml | 127 +++++++++++------- ...re-kubernetes-service-helm.properties.json | 7 + ...kubernetes-service-kompose.properties.json | 7 + ...bernetes-service-kustomize.properties.json | 7 + .../azure-kubernetes-service.properties.json | 6 +- 8 files changed, 450 insertions(+), 54 deletions(-) create mode 100644 deployments/azure-kubernetes-service-helm.yml create mode 100644 deployments/azure-kubernetes-service-kompose.yml create mode 100644 deployments/azure-kubernetes-service-kustomize.yml create mode 100644 deployments/properties/azure-kubernetes-service-helm.properties.json create mode 100644 deployments/properties/azure-kubernetes-service-kompose.properties.json create mode 100644 deployments/properties/azure-kubernetes-service-kustomize.properties.json diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml new file mode 100644 index 0000000..506819d --- /dev/null +++ b/deployments/azure-kubernetes-service-helm.yml @@ -0,0 +1,122 @@ +# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code +# +# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# For instructions see: +# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal +# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://github.com/Azure/aks-create-action +# +# To configure this workflow: +# +# 1. Set the following secrets in your repository (instructions for getting these +# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# - AZURE_CLIENT_ID +# - AZURE_TENANT_ID +# - AZURE_SUBSCRIPTION_ID +# +# 2. Set the following environment variables (or replace the values below): +# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - RESOURCE_GROUP (where your cluster is deployed) +# - CLUSTER_NAME (name of your AKS cluster) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) +# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# +# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Helm. +# Set your helmChart, overrideFiles, overrides, and helm-version to suit your configuration. +# - CHART_PATH (path to your helm chart) +# - CHART_OVERRIDE_PATH (path to your helm chart with override values) +# +# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions +# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +# For more options with the actions used below please refer to https://github.com/Azure/login + +name: Build and deploy an app to AKS with Helm + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +env: + AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" + CONTAINER_NAME: "your-container-name" + RESOURCE_GROUP: "your-resource-group" + CLUSTER_NAME: "your-cluster-name" + IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" + CHART_PATH: "your-chart-path" + CHART_OVERRIDE_PATH: "your-chart-override-path" + +jobs: + build: + permissions: + actions: read + contents: read + id-token: write + + runs-on: ubuntu-latest + steps: + # Checks out the repository this file is in + - uses: actions/checkout@master + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + + # Retrieves the credentials for pulling images from your Azure Container Registry + - name: Get ACR credentials + run: | + az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true + ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) + ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::set-output name=username::${ACR_USERNAME}" + echo "::set-output name=password::${ACR_PASSWORD}" + id: get-acr-creds + + # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step + - name: Create K8s secret for pulling image from ACR + uses: Azure/k8s-create-secret@v1.1 + with: + container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io + container-registry-username: ${{ steps.get-acr-creds.outputs.username }} + container-registry-password: ${{ steps.get-acr-creds.outputs.password }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + # Runs Helm to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2.1 + with: + renderEngine: 'helm' + helmChart: ${{ env.CHART_PATH }} + overrideFiles: ${{ env.CHART_OVERRIDE_PATH }} + overrides: | + replicas:2 + helm-version: 'latest' + id: bake + + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v3.0 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} + imagepullsecrets: | + ${{ env.IMAGE_PULL_SECRET_NAME }} diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml new file mode 100644 index 0000000..1d33fe3 --- /dev/null +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -0,0 +1,111 @@ +# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code +# +# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# For instructions see: +# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal +# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://github.com/Azure/aks-create-action +# +# To configure this workflow: +# +# 1. Set the following secrets in your repository (instructions for getting these +# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# - AZURE_CLIENT_ID +# - AZURE_TENANT_ID +# - AZURE_SUBSCRIPTION_ID +# +# 2. Set the following environment variables (or replace the values below): +# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - RESOURCE_GROUP (where your cluster is deployed) +# - CLUSTER_NAME (name of your AKS cluster) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) +# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# +# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kompose. +# Set your dockerComposeFile and kompose-version to suit your configuration. +# - DOCKER_COMPOSE_FILE_PATH (the path where your Kompose deployment manifest is located) +# +# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions +# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +# For more options with the actions used below please refer to https://github.com/Azure/login + +name: Build and deploy an app to AKS with Kompose + +env: + AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" + CONTAINER_NAME: "your-container-name" + RESOURCE_GROUP: "your-resource-group" + CLUSTER_NAME: "your-cluster-name" + IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" + DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path" + +jobs: + build: + permissions: + actions: read + contents: read + id-token: write + + runs-on: ubuntu-latest + steps: + # Checks out the repository this file is in + - uses: actions/checkout@master + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + + # Retrieves the credentials for pulling images from your Azure Container Registry + - name: Get ACR credentials + run: | + az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true + ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) + ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::set-output name=username::${ACR_USERNAME}" + echo "::set-output name=password::${ACR_PASSWORD}" + id: get-acr-creds + + # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step + - name: Create K8s secret for pulling image from ACR + uses: Azure/k8s-create-secret@v1.1 + with: + container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io + container-registry-username: ${{ steps.get-acr-creds.outputs.username }} + container-registry-password: ${{ steps.get-acr-creds.outputs.password }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + # Runs Kompose to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2.1 + with: + renderEngine: 'kompose' + dockerComposeFile: ${{ env.DOCKER_COMPOSE_FILE_PATH }} + kompose-version: 'latest' + id: bake + + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v3.0 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} + imagepullsecrets: | + ${{ env.IMAGE_PULL_SECRET_NAME }} diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml new file mode 100644 index 0000000..51b7d69 --- /dev/null +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -0,0 +1,117 @@ +# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code +# +# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# For instructions see: +# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal +# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://github.com/Azure/aks-create-action +# +# To configure this workflow: +# +# 1. Set the following secrets in your repository (instructions for getting these +# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# - AZURE_CLIENT_ID +# - AZURE_TENANT_ID +# - AZURE_SUBSCRIPTION_ID +# +# 2. Set the following environment variables (or replace the values below): +# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - RESOURCE_GROUP (where your cluster is deployed) +# - CLUSTER_NAME (name of your AKS cluster) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) +# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# +# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kustomize. +# Set your kustomizationPath and kubectl-version to suit your configuration. +# - KUSTOMIZE_PATH (the path where your Kustomize manifests are located) +# +# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions +# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +# For more options with the actions used below please refer to https://github.com/Azure/login + +name: Build and deploy an app to AKS with Kustomize + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +env: + AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" + CONTAINER_NAME: "your-container-name" + RESOURCE_GROUP: "your-resource-group" + CLUSTER_NAME: "your-cluster-name" + IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" + KUSTOMIZE_PATH: "your-kustomize-path" + +jobs: + build: + permissions: + actions: read + contents: read + id-token: write + + runs-on: ubuntu-latest + steps: + # Checks out the repository this file is in + - uses: actions/checkout@master + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + + # Retrieves the credentials for pulling images from your Azure Container Registry + - name: Get ACR credentials + run: | + az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true + ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) + ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::set-output name=username::${ACR_USERNAME}" + echo "::set-output name=password::${ACR_PASSWORD}" + id: get-acr-creds + + # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step + - name: Create K8s secret for pulling image from ACR + uses: Azure/k8s-create-secret@v1.1 + with: + container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io + container-registry-username: ${{ steps.get-acr-creds.outputs.username }} + container-registry-password: ${{ steps.get-acr-creds.outputs.password }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + # Runs Kustomize to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2.1 + with: + renderEngine: 'kustomize' + kustomizationPath: ${{ env.KUSTOMIZE_PATH }} + kubectl-version: latest + id: bake + + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v3.0 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} + imagepullsecrets: | + ${{ env.IMAGE_PULL_SECRET_NAME }} diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index 08988ff..e61e64e 100644 --- a/deployments/azure-kubernetes-service.yml +++ b/deployments/azure-kubernetes-service.yml @@ -1,80 +1,105 @@ # This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code # # This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) -# For instructions see https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal -# https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal -# https://github.com/Azure/aks-create-action +# For instructions see: +# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal +# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://github.com/Azure/aks-create-action # # To configure this workflow: # -# 1. Set the following secrets in your repository: -# - AZURE_CREDENTIALS (instructions for getting this https://github.com/Azure/login#configure-a-service-principal-with-a-secret) +# 1. Set the following secrets in your repository (instructions for getting these +# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# - AZURE_CLIENT_ID +# - AZURE_TENANT_ID +# - AZURE_SUBSCRIPTION_ID # # 2. Set the following environment variables (or replace the values below): -# - AZURE_CONTAINER_REGISTRY (name of your container registry) -# - PROJECT_NAME +# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) # - RESOURCE_GROUP (where your cluster is deployed) # - CLUSTER_NAME (name of your AKS cluster) -# -# 3. Choose the approrpiate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes helm, then set -# any needed environment variables such as: -# - CHART_PATH -# - CHART_OVERRIDE_PATH +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) +# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# - DEPLOYMENT_MANIFEST_PATH (path to the manifest yaml for your deployment) # # For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions # For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples -# For more options with the actions used below please see the folllowing -# https://github.com/Azure/login -# https://github.com/Azure/aks-set-context -# https://github.com/marketplace/actions/azure-cli-action -# https://github.com/Azure/k8s-bake -# https://github.com/Azure/k8s-deploy +# For more options with the actions used below please refer to https://github.com/Azure/login -on: [push] +name: Build and deploy an app to AKS + +on: + push: + branches: + - $default-branch + workflow_dispatch: + +env: + AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" + CONTAINER_NAME: "your-container-name" + RESOURCE_GROUP: "your-resource-group" + CLUSTER_NAME: "your-cluster-name" + IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" + DEPLOYMENT_MANIFEST_PATH: 'your-deployment-manifest-path' jobs: build: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest steps: + # Checks out the repository this file is in - uses: actions/checkout@master - - name: Azure Login - uses: azure/login@v1 + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - - - name: Build image on ACR - uses: azure/CLI@v1 - with: - azcliversion: 2.29.1 - inlineScript: | - az configure --defaults acr=${{ env.AZURE_CONTAINER_REGISTRY }} - az acr build -t -t ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }} - - - name: Gets K8s context - uses: azure/aks-set-context@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} - id: login + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . - - name: Configure deployment - uses: azure/k8s-bake@v1 + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 with: - renderEngine: 'helm' - helmChart: ${{ env.CHART_PATH }} - overrideFiles: ${{ env.CHART_OVERRIDE_PATH }} - overrides: | - replicas:2 - helm-version: 'latest' - id: bake + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + # Retrieves the credentials for pulling images from your Azure Container Registry + - name: Get ACR credentials + run: | + az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true + ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) + ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::set-output name=username::${ACR_USERNAME}" + echo "::set-output name=password::${ACR_PASSWORD}" + id: get-acr-creds + + # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step + - name: Create K8s secret for pulling image from ACR + uses: Azure/k8s-create-secret@v1.1 + with: + container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io + container-registry-username: ${{ steps.get-acr-creds.outputs.username }} + container-registry-password: ${{ steps.get-acr-creds.outputs.password }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + # Deploys application based on given manifest file - name: Deploys application - - uses: Azure/k8s-deploy@v1 + uses: Azure/k8s-deploy@v3.0 with: - manifests: ${{ steps.bake.outputs.manifestsBundle }} + action: deploy + manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }} images: | - ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }} + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.PROJECT_NAME }} + ${{ env.IMAGE_PULL_SECRET_NAME }} diff --git a/deployments/properties/azure-kubernetes-service-helm.properties.json b/deployments/properties/azure-kubernetes-service-helm.properties.json new file mode 100644 index 0000000..92478b3 --- /dev/null +++ b/deployments/properties/azure-kubernetes-service-helm.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to AKS with Helm", + "description": "Deploy an application to an Azure Kubernetes Service cluster using Helm", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Helm", "Kubernetes", "Dockerfile"] +} diff --git a/deployments/properties/azure-kubernetes-service-kompose.properties.json b/deployments/properties/azure-kubernetes-service-kompose.properties.json new file mode 100644 index 0000000..de246c3 --- /dev/null +++ b/deployments/properties/azure-kubernetes-service-kompose.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to AKS with Kompose", + "description": "Deploy an application to an Azure Kubernetes Service cluster using Kompose", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Kompose", "Kubernetes", "Dockerfile"] +} diff --git a/deployments/properties/azure-kubernetes-service-kustomize.properties.json b/deployments/properties/azure-kubernetes-service-kustomize.properties.json new file mode 100644 index 0000000..bfc71cc --- /dev/null +++ b/deployments/properties/azure-kubernetes-service-kustomize.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to AKS with Kustomize", + "description": "Deploy an application to an Azure Kubernetes Service cluster using Kustomize", + "creator": "Microsoft Azure", + "iconName": "azure", + "categories": ["Deployment", "Kustomize", "Kubernetes", "Dockerfile"] +} diff --git a/deployments/properties/azure-kubernetes-service.properties.json b/deployments/properties/azure-kubernetes-service.properties.json index 28f3725..45d4a69 100644 --- a/deployments/properties/azure-kubernetes-service.properties.json +++ b/deployments/properties/azure-kubernetes-service.properties.json @@ -1,7 +1,7 @@ { - "name": "Deploy to a AKS Cluster", - "description": "Deploy an application to a Azure Kubernetes Service Cluster using Azure Credentials", + "name": "Deploy to AKS", + "description": "Deploy an application to an Azure Kubernetes Service cluster", "creator": "Microsoft Azure", "iconName": "azure", - "categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes", "Dockerfile"] + "categories": ["Deployment", "Kubernetes", "Dockerfile"] } From 023a52c48804fd4e0a7b11ad54367e7d645d8e25 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Mon, 7 Mar 2022 09:26:30 -0800 Subject: [PATCH 17/22] remove specifying permissions Co-authored-by: Nick Fyson --- code-scanning/clj-holmes.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index 62364b3..704a01e 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml @@ -13,6 +13,8 @@ on: branches: [ $default-branch ] schedule: - cron: $cron-weekly +permissions: + contents: read jobs: clj-holmes: From 90d3b1b63b0f9cbe985a3de257df4f43dd94b1a0 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Mon, 7 Mar 2022 09:27:40 -0800 Subject: [PATCH 18/22] Update tool description Co-authored-by: Nick Fyson --- code-scanning/properties/clj-holmes.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/clj-holmes.properties.json b/code-scanning/properties/clj-holmes.properties.json index 41950bb..71f29c0 100644 --- a/code-scanning/properties/clj-holmes.properties.json +++ b/code-scanning/properties/clj-holmes.properties.json @@ -1,7 +1,7 @@ { "name": "clj-holmes", "creator": "Matheus Bernardes", - "description": "A CLI SAST (Static application security testing) tool which was built with the intent of finding vulnerable Clojure code via rules that use a simple pattern language.", + "description": "A Static Application Security Testing tool to find vulnerable Clojure code via rules that use a simple pattern language.", "iconName": "clj-holmes", "categories": [ "Code Scanning", From af777b030efdf58461a737904e9307ad3e652562 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Tue, 8 Mar 2022 14:19:19 -0800 Subject: [PATCH 19/22] update permissions setting --- code-scanning/clj-holmes.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index 704a01e..ca53f99 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml @@ -13,15 +13,12 @@ on: branches: [ $default-branch ] schedule: - cron: $cron-weekly -permissions: - contents: read jobs: clj-holmes: name: Run clj-holmes scanning runs-on: ubuntu-latest permissions: - actions: read contents: read security-events: write steps: @@ -39,4 +36,5 @@ jobs: - name: Upload analysis results to GitHub Security tab uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: ${{github.workspace}}/clj-holmes-results.sarif \ No newline at end of file + sarif_file: ${{github.workspace}}/clj-holmes-results.sarif + ait-for-processing: true \ No newline at end of file From 5665b8b5b8c5bbb0de5142879029ce57022e219c Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Wed, 9 Mar 2022 11:18:14 -0800 Subject: [PATCH 20/22] Update code-scanning/clj-holmes.yml Co-authored-by: Nick Fyson --- code-scanning/clj-holmes.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index ca53f99..4150cbb 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml @@ -14,6 +14,9 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: clj-holmes: name: Run clj-holmes scanning From 46017054a3c90b341c23f8cb09c6a6bfa9046cb8 Mon Sep 17 00:00:00 2001 From: Jonathan Tamsut Date: Mon, 14 Mar 2022 07:35:28 -0700 Subject: [PATCH 21/22] Update `download-artifact` and `upload-artifact` from `v2` to `v3` (#1465) * migrate to v3 * update download-artifact --- ci/dotnet-desktop.yml | 2 +- code-scanning/msvc.yml | 2 +- code-scanning/xanitizer.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 4 ++-- deployments/azure-webapps-java-jar.yml | 4 ++-- deployments/azure-webapps-node.yml | 4 ++-- deployments/azure-webapps-php.yml | 4 ++-- deployments/azure-webapps-python.yml | 4 ++-- 8 files changed, 13 insertions(+), 13 deletions(-) diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index 0635779..06ce344 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -109,7 +109,7 @@ jobs: # Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact - name: Upload build artifacts - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: MSIX Package path: ${{ env.Wap_Project_Directory }}\AppPackages diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 83d4571..0abb409 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -59,7 +59,7 @@ jobs: # Upload SARIF file as an Artifact to download and view # - name: Upload SARIF as an Artifact - # uses: actions/upload-artifact@v2 + # uses: actions/upload-artifact@v3 # with: # name: sarif-file # path: ${{ steps.run-analysis.outputs.sarif }} diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 3bfb9ed..dc3c9ce 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -79,7 +79,7 @@ jobs: license: ${{ secrets.XANITIZER_LICENSE }} # Archiving the findings list reports - - uses: actions/upload-artifact@v2 + - uses: actions/upload-artifact@v3 with: name: Xanitizer-Reports path: | diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 7a2a84f..ed45e22 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -57,7 +57,7 @@ jobs: run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: .net-app path: ${{env.DOTNET_ROOT}}/myapp @@ -71,7 +71,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: name: .net-app diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index f386250..210fd90 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -46,7 +46,7 @@ jobs: run: mvn clean install - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: java-app path: '${{ github.workspace }}/target/*.jar' @@ -60,7 +60,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: name: java-app diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index b7cb51f..b6089d4 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -47,7 +47,7 @@ jobs: npm run test --if-present - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: node-app path: . @@ -61,7 +61,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: name: node-app diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 700f83a..a2dd57b 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -68,7 +68,7 @@ jobs: run: composer validate --no-check-publish && composer install --prefer-dist --no-progress - name: Upload artifact for deployment job - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: php-app path: . @@ -82,7 +82,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: name: php-app diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index cb19cda..8605e0a 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -53,7 +53,7 @@ jobs: # Optional: Add step to run tests here (PyTest, Django test suites, etc.) - name: Upload artifact for deployment jobs - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: python-app path: | @@ -69,7 +69,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: name: python-app path: . From c4cc28d92dcac4ba6ecd2d89ea90b5593363ef67 Mon Sep 17 00:00:00 2001 From: Mike Verbanic Date: Wed, 16 Mar 2022 15:00:00 -0400 Subject: [PATCH 22/22] feat: add google cloud run starter workflows (#1392) * feat: add google cloud run starter workflows * fix: pr comments * fix: pr comments * fix: properties naming * fix: docker registry path --- deployments/google-cloudrun-docker.yml | 114 ++++++++++++++++++ deployments/google-cloudrun-source.yml | 96 +++++++++++++++ .../google-cloudrun-docker.properties.json | 7 ++ .../google-cloudrun-source.properties.json | 7 ++ deployments/properties/google.properties.json | 2 +- icons/{googlegke.svg => google-cloud.svg} | 0 6 files changed, 225 insertions(+), 1 deletion(-) create mode 100644 deployments/google-cloudrun-docker.yml create mode 100644 deployments/google-cloudrun-source.yml create mode 100644 deployments/properties/google-cloudrun-docker.properties.json create mode 100644 deployments/properties/google-cloudrun-source.properties.json rename icons/{googlegke.svg => google-cloud.svg} (100%) diff --git a/deployments/google-cloudrun-docker.yml b/deployments/google-cloudrun-docker.yml new file mode 100644 index 0000000..b8d0511 --- /dev/null +++ b/deployments/google-cloudrun-docker.yml @@ -0,0 +1,114 @@ +# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Cloud Run when a commit is pushed to the $default-branch branch +# +# Overview: +# +# 1. Authenticate to Google Cloud +# 2. Authenticate Docker to Artifact Registry +# 3. Build a docker container +# 4. Publish it to Google Artifact Registry +# 5. Deploy it to Cloud Run +# +# To configure this workflow: +# +# 1. Ensure the required Google Cloud APIs are enabled: +# +# Cloud Run run.googleapis.com +# Artifact Registry artifactregistry.googleapis.com +# +# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) +# +# 3. Ensure the required IAM permissions are granted +# +# Cloud Run +# roles/run.admin +# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account) +# +# Artifact Registry +# roles/artifactregistry.admin (project or repository level) +# +# NOTE: You should always follow the principle of least privilege when assigning IAM roles +# +# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT +# +# 5. Change the values for the GAR_LOCATION, SERVICE and REGION environment variables (below). +# +# NOTE: To use Google Container Registry instead, replace ${{ env.GAR_LOCATION }}-docker.pkg.dev with gcr.io +# +# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run +# +# Further reading: +# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying +# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles +# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry +# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege + +name: Build and Deploy to Cloud Run + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id + GAR_LOCATION: YOUR_GAR_LOCATION # TODO: update Artifact Registry location + SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name + REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region + +jobs: + deploy: + # Add 'id-token' with the intended permissions for workload identity federation + permissions: + contents: 'read' + id-token: 'write' + + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Google Auth + id: auth + uses: 'google-github-actions/auth@v0' + with: + token_format: 'access_token' + workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider + service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - my-service-account@my-project.iam.gserviceaccount.com + + # NOTE: Alternative option - authentication via credentials json + # - name: Google Auth + # id: auth + # uses: 'google-github-actions/auth@v0' + # with: + # credentials_json: '${{ secrets.GCP_CREDENTIALS }}'' + + # BEGIN - Docker auth and build (NOTE: If you already have a container image, these Docker steps can be omitted) + + # Authenticate Docker to Google Cloud Artifact Registry + - name: Docker Auth + id: docker-auth + uses: 'docker/login-action@v1' + with: + username: 'oauth2accesstoken' + password: '${{ steps.auth.outputs.access_token }}' + registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev' + + - name: Build and Push Container + run: |- + docker build -t "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" ./ + docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" + + # END - Docker auth and build + + - name: Deploy to Cloud Run + id: deploy + uses: google-github-actions/deploy-cloudrun@v0 + with: + service: ${{ env.SERVICE }} + region: ${{ env.REGION }} + # NOTE: If using a pre-built image, update the image name here + image: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }} + + # If required, use the Cloud Run url output in later steps + - name: Show Output + run: echo ${{ steps.deploy.outputs.url }} diff --git a/deployments/google-cloudrun-source.yml b/deployments/google-cloudrun-source.yml new file mode 100644 index 0000000..2916b45 --- /dev/null +++ b/deployments/google-cloudrun-source.yml @@ -0,0 +1,96 @@ +# This workflow will deploy source code on Cloud Run when a commit is pushed to the $default-branch branch +# +# Overview: +# +# 1. Authenticate to Google Cloud +# 2. Deploy it to Cloud Run +# +# To configure this workflow: +# +# 1. Ensure the required Google Cloud APIs are enabled: +# +# Cloud Run run.googleapis.com +# Cloud Build cloudbuild.googleapis.com +# Artifact Registry artifactregistry.googleapis.com +# +# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) +# +# 3. Ensure the required IAM permissions are granted +# +# Cloud Run +# roles/run.admin +# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account) +# +# Cloud Build +# roles/cloudbuild.builds.editor +# +# Cloud Storage +# roles/storage.objectAdmin +# +# Artifact Registry +# roles/artifactregistry.admin (project or repository level) +# +# NOTE: You should always follow the principle of least privilege when assigning IAM roles +# +# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT +# +# 5. Change the values for the SERVICE and REGION environment variables (below). +# +# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run +# +# Further reading: +# Cloud Run runtime service account - https://cloud.google.com/run/docs/securing/service-identity +# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying-source-code#permissions_required_to_deploy +# Cloud Run builds from source - https://cloud.google.com/run/docs/deploying-source-code +# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege + +name: Deploy to Cloud Run from Source + +on: + push: + branches: + - $default-branch + +env: + PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id + SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name + REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region + +jobs: + deploy: + # Add 'id-token' with the intended permissions for workload identity federation + permissions: + contents: 'read' + id-token: 'write' + + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Google Auth + id: auth + uses: 'google-github-actions/auth@v0' + with: + workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider + service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - my-service-account@my-project.iam.gserviceaccount.com + + # NOTE: Alternative option - authentication via credentials json + # - name: Google Auth + # id: auth + # uses: 'google-github-actions/auth@v0' + # with: + # credentials_json: '${{ secrets.GCP_CREDENTIALS }}' + + - name: Deploy to Cloud Run + id: deploy + uses: google-github-actions/deploy-cloudrun@v0 + with: + service: ${{ env.SERVICE }} + region: ${{ env.REGION }} + # NOTE: If required, update to the appropriate source folder + source: ./ + + # If required, use the Cloud Run url output in later steps + - name: Show Output + run: echo ${{ steps.deploy.outputs.url }} diff --git a/deployments/properties/google-cloudrun-docker.properties.json b/deployments/properties/google-cloudrun-docker.properties.json new file mode 100644 index 0000000..b1a2b2b --- /dev/null +++ b/deployments/properties/google-cloudrun-docker.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Build and Deploy to Cloud Run", + "description": "Build a Docker container, publish it to Google Artifact Registry, and deploy to Google Cloud Run.", + "creator": "Google Cloud", + "iconName": "google-cloud", + "categories": ["Deployment", "Containers", "Dockerfile", "Cloud Run", "Serverless"] +} diff --git a/deployments/properties/google-cloudrun-source.properties.json b/deployments/properties/google-cloudrun-source.properties.json new file mode 100644 index 0000000..2735d80 --- /dev/null +++ b/deployments/properties/google-cloudrun-source.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Deploy to Cloud Run from Source", + "description": "Deploy to Google Cloud Run directly from source.", + "creator": "Google Cloud", + "iconName": "google-cloud", + "categories": ["Deployment", "Containers", "Cloud Run", "Serverless", "Buildpacks"] +} diff --git a/deployments/properties/google.properties.json b/deployments/properties/google.properties.json index f1bd883..e226385 100644 --- a/deployments/properties/google.properties.json +++ b/deployments/properties/google.properties.json @@ -2,6 +2,6 @@ "name": "Build and Deploy to GKE", "description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.", "creator": "Google Cloud", - "iconName": "googlegke", + "iconName": "google-cloud", "categories": ["Deployment", "Dockerfile", "Kubernetes", "Kustomize"] } \ No newline at end of file diff --git a/icons/googlegke.svg b/icons/google-cloud.svg similarity index 100% rename from icons/googlegke.svg rename to icons/google-cloud.svg