Some projects observed intermittent build timeouts with Swift.
In case this happens, and our CodeQL-level mitigations do not prevent the problem, we want to avoid using up 6h of the customer's billed macOS Actions minutes (which is the default timeout), so we suggest a reduced timeout of 2h.
This value is chosen to accommodate the total job time (build + CodeQL extraction + CodeQL analysis) we expect for large Swift projects. We may choose to adjust it in future.
CodeQL Swift analysis is best supported on macOS.
In preparation for CodeQL supporting Swift analysis in beta,
adjust the CodeQL starter workflow template to run the `swift` matrix job on `macos-latest`, and all other matrix jobs on
`ubuntu-latest`. This does not affect the matrix itself.
* Add starter workflow for Azure Function App with Gradle
* Mark as preview
* Fix properties for function gradle template
* Add workflow and job level permissions to function gradle template
---------
Co-authored-by: Sampark Sharma <phantsure@github.com>
* Add starter workflow for Azure Web App with Gradle
* Use gradle build instead of assemble and mark template as preview
---------
Co-authored-by: Sampark Sharma <phantsure@github.com>
* Create snyk-security.properties.json
* Create snyk-security.yml
* Update snyk-security.yml
* Fix misspelling
Co-authored-by: Sampark Sharma <phantsure@github.com>
* Apply comments from PR
- Moved documentation link to the top
- Made `|| true` optional
- Added commit SHA for the Snyk GitHub Action
* Remove empty space
Co-authored-by: Sampark Sharma <phantsure@github.com>
* Remove empty space in line end
Co-authored-by: Sampark Sharma <phantsure@github.com>
* Update Categories
* Updated after running pre-commit linting
---------
Co-authored-by: Sampark Sharma <phantsure@github.com>
* Created new workflow for defender for devops
* Create defender-for-devops.properties.json
* fixed pr comments
* fixed linting issues
* fixed linting issues
* removed trailing white space
* changed from preview to v1.6.0
upgrade cosign version
https://github.com/sigstore/cosign/releases/tag/v1.13.1
The current version is out of date and the following error occurs:
```
getting signer: getting key from Fulcio: verifying SCT: updating local metadata and targets: error updating to TUF remote mirror: tuf: invalid key
```
Co-authored-by: Sampark Sharma <phantsure@github.com>
* update sw to use kubelogin
* modified set context to use kubelogin
* whitespace issue?
* Reverting bandit file
Co-authored-by: Bishal Prasad <bishal-pdmsft@github.com>
* Added Bandit starter workflow and properties file. Python security scanner, Action by a Hubber, wraps free tool
* Set icon name to one in the icons folder
* Switched to Bandit's own SVG icon
* Added workflow disclaimer
* Fixed author name
Co-authored-by: Sampark Sharma <phantsure@github.com>
Go 1.18 will be at end of life sometime within the coming months (Q1 2023). Go 1.19 will be around until Q3 2023, by which point 1.20 will have been released.
This updates the version of the denoland/setup-deno action used in ci/deno.yml starter workflow to a version that uses node16, to remove the warning about node12 workflows being deprecated.
The version updated to is the latest released version, v1.1.1: https://github.com/denoland/setup-deno/releases/tag/v1.1.1
Scala builds do not automatically get support for the dependency graph. This addition will upload dependency information to the dependency graph so users get Dependabot alerts.
Code Scanning can accept multiple uploads for the same tool and uses the concept of category to keep results separated.
If not provided explicitly, the category is computed based on a few parameters like workflow path and matrix variables. The implicit computation of the category can create confusion if users change their workflow, as we start considering the new analyses as unrelated to existing results.
By making the category explicit in the workflow we hope to make the concept more prominent and reduce accidental changes.
- Fixed a typo in the upload-sarif@v1 action
- Commented out the rules-repository. The template will now default to rules in git://clj-holmes/clj-holmes-rules#main, but the format is preserved.
* commit dummy workflow
* Update nextjs.yml
* renaming
* actually do a node build
* add jekyll build & deploy
* add permissions
* update jekyll to use composite upload action
* update next to use composite upload action
* update icon yml
* change nextjs icon
* Cleanup further the Jekyll template
* add gatsby starter workflow
* fix composite error
* fix updated actions
* Add Hugo
* Apply suggestions from code review
* Initial commit for nuxtjs starter workflow
* Cleanup all templates
* Add baseUrl through an action
* Use `base_url` output for Hugo configuration
* Create static.yml
* Create static.properties.json
* clarify path
* alternative jekyll icon with only tube
* use alternate jekyll icon
* use original svg with proper viewBox parameters
* Add paper-spa/configure-pages to starter workflows
Replaces paper-spa/setup-pages where appropriate.
* use setup-ruby action instead of our container
* Add starter workflow for GitHub Pages's legacy Jekyll build
Named `jekyll-gh-pages` so that it connotes the familiar "hands off"
build process of the Jekyll build as performed by github pages workers,
without sounding deprecated by using the words "legacy" or "classic".
* Use the static_site_generator input so we can modify the correct config
* Update gatsby.yml
* Update wording on the 'legacy' jekyll workflow
* Fix filename: this should have a json extension
* Fix filename: this should have a .properties.json extension
* Update nextjs.properties.json
* Update static.properties.json
* Fix typo in name of Gatsby
* Remove pull_request triggers
* Update to latest versions of core Actions
* Remove '--if-present' flag from 'npm run build' commands to prevent silent failure
* Perform static HTML export for Next.js
* Add '--no-install' flag to 'npx' usage
* Update Nuxt starter workflow to run 'generate'
* Default to using npm if not using yarn
* Reword 'nuxt generate' step name
* Update pages/gatsby.yml
* Update description of Jekyll starter workflow
* Add configure-pages step to static workflow
* Add configuration step to enable Pages
* Pages: Set `PREFIX_PATHS` env var for Gatsby build
* Update Next.js starter workflow to cache builds
See https://nextjs.org/docs/advanced-features/ci-build-caching#github-actions
* Update NuxtJS starter workflow to cache builds
Basically modeled after the Gatsby starter workflow
* Call out node ssg getting started + setup
* Update nuxt documentation
* Retarget actions referencing `paper-spa` to `actions`
Also point to newly published `v1` tags rather than `main` or `v0`.
Co-authored-by: yimysty <yimysty@github.com>
Co-authored-by: Tommy Byrd <tcbyrd@github.com>
Co-authored-by: Yoann Chaudet <yoannchaudet@github.com>
Co-authored-by: Timothy <tjyung@github.com>
Co-authored-by: Smitha Borkar <12040799+smithaborkar@users.noreply.github.com>
Co-authored-by: James M. Greene <JamesMGreene@github.com>
Whenever a security issue is found, the `scan action` fails the build and the step, which causes the workflow to fail before uploading the results to Code Scanning.
This change turns the error into a warning.
* Reworked AKS deployment workflows (#1403)
* rebased to partner_templates
* Renaming workflow
* Updated corresponding properties.json files for the new aks workflows under deployments.
* Updated properties.json titles for aks workflows
* Renamed SECRET_NAME to IMAGE_PULL_SECRET_NAME
* Moved permissions down to the job level
* Updated documentation links
* Updated permission for action to read
* Removing redundant permissions
* write -> read for actions
* Updated descriptions
* Less reference documentation in header
* Added comments to each AKS Starter Workflow step
Co-authored-by: Tommy Barnes <thbarnes@microsoft.com>
* Update AKS workflows to not use imagePullSecrets (#1494)
* removing old method of adding imagePullSecrets
* fixing step casing
* For testing: Dependency review starter workflow
* changed back to image pull secret, added mask, clarified website and pull secret instructions
* made changes to other aks files
* Added back imagepullsecrets param to deploy action, reordered env vars
* changing release version of deploy action
* restructured starter workflows to parallelize secret creation and image building
* renamed to buildImage and removed extra space
* cleaned up some random newlines
* removed extra space
* removing changes from partner branch
* removing changes from partner branch
* through a mistake in changing the PR, two files lost the step for createSecret
Co-authored-by: Tommy Barnes <thomas.jonathan.barnes@gmail.com>
Co-authored-by: Tommy Barnes <thbarnes@microsoft.com>
Co-authored-by: Israel Miller <ismille@microsoft.com>
Co-authored-by: Bishal Prasad <bishal-pdmsft@github.com>
Co-authored-by: Jaiveer Katariya <jaiveerkatariya@Jaiveers-MacBook-Pro.local>
Co-authored-by: Jaiveer Katariya <jaiveerkatariya@rgoldshtein.middleeast.corp.microsoft.com>
Line 51: added the query packs by default, but commented out.
Lines 62-63: added better instructions.
Lines 68-70: added an example which provides better detail.
The workflows for Ruby, RubyGem, Jekyll, and similar are all just the name of the language, package, or framework. This name change brings Rails in line with the other starters.
* Update the cosign-install action and default version from 1.4.0 to 1.5.1.
Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>
* Update to 1.7.1 and the latest cosign-installer action.
Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>
Co-authored-by: Bishal Prasad <bishal-pdmsft@github.com>
My previous PR didn't properly handle uppercase usernames (or repository names) when signing container images with `cosign`.
It seems that `docker buildx --push` doesn't like this either, but it's passed the output of the `docker/metadata-action`, which seems to lowercase things.
Fixes: https://github.com/actions/starter-workflows/issues/1293
Signed-off-by: Matt Moore <mattmoor@chainguard.dev>
* Upgrade Rails workflow to true CI
The existing Rails CI example only runs linters, which is not continuous
integration. This change brings the Rails example workflow up to par
with the other web framework CI flows, like Django.
This example is optimized for Rails 7, which does not include NodeJS,
webpack, or yarn by default. No Rails application code changes are
required for this flow to run the tests, and both minitest and rspec are
supported via the `test` rake task.
* add Rails icon
* use env vars, hopefully
* use the full hash for ruby/setup-ruby
* remove PORT since services cannot use it
* stop repeating identical step envs
* resolve env var declaration error
* update setup-ruby to the SHA of v1.92
* use setup-ruby SHA for lint job too
Co-authored-by: Bishal Prasad <bishal-pdmsft@github.com>
Now that cosign 1.4 is out, we can perform keyless signing without panicking on private images (and without `--force` uploading to Rekor).
Signed-off-by: Matt Moore <mattmoor@chainguard.dev>
* Have the starter `docker-publish` action sign digests.
This change installs `sigstore/cosign` using the `cosign-installer` action,
and uses sigstore's "keyless" signing process to sign the resulting image
digest using the action's identity token (see: `id-token: write`).
Signed-off-by: Matt Moore <mattomata@gmail.com>
* Fully qualify the digest, add setup-buildx-action as workaround
* Drop --force, add public repo check
* Use built-in 'private' bit
The `gradle-build-action` provides enhanced execution and caching functionality for Gradle.
This change updates starter workflows to use `v2.0.0` of `gradle-build-action`.
Improvements over invoking Gradle directly include:
- Easier to run the workflow with a particular Gradle version
- More sophisticated and more efficient caching of Gradle User Home between invocations
- Detailed reporting of cache usage and cache configuration options
- Automatic capture of Build Scan links
Co-authored-by: Josh Gross <joshmgross@github.com>
Currently we suggest that folks dual publish to both npm + gpr.
There are a large number of edge cases related to doing this and IMHO it is
not the best practice. Let's make two separate workflows.
* Added Cloudrail according to instructions and existing examples
* Adding Cloudrail according to documentation and examples
* Oops
* Add original Fortify on Demand workflow
* Update Fortify on Demand workflow
* Update Fortify on Demand supported languages
* Add 3rd-party GitHub Actions disclaimer
* Sysdig Secure Inline Scan with SARIF report to starter workflows
* Added some extra comments, GitHub Actions V2 and changed env vars
* Reviews from PR #1110
* Adding 'Dockerfile' to category list
* Update according to PR review comments
* File renames as requested in PR comments
* Revert "Azure Data Factory CI starter workflow (#1111)" (#1146)
This reverts commit 7f30309cce.
* use env variables for user-set values (#1117)
Co-authored-by: Josh Gross <joshmgross@github.com>
* Apply suggestions from nickfyson's code review
Co-authored-by: Nick Fyson <nickfyson@github.com>
* removing "deployment" templates from sync-ghes (#1127)
* Update code-scanning/properties/sysdig-scan.properties.json
Co-authored-by: Nick Fyson <nickfyson@github.com>
* Update code-scanning/properties/sysdig-scan.properties.json
Co-authored-by: Nick Fyson <nickfyson@github.com>
* Changed svg logo
* Rename sysdig.svg to sysdig-scan.svg
* Switched svg logo (again) for a better fit
* Rename fortify.json to fortify.properties.json
* Correct character-case of "c" in Cloudrail
* AWS template also used Docker
* trigger on push instead of release (#1157)
Co-authored-by: Josh Gross <joshmgross@github.com>
* Adding MobSF starter workflow
* Adhering to pull request guidelines
* python: update to use python 3.10
Signed-off-by: Rui Chen <rui@chenrui.dev>
* Added new templates for 3 clouds.
* Revert "Added new templates for 3 clouds."
This reverts commit c765d6316f.
* Add ruby and update workflow
* Add workflow for Microsoft C++ Code Analysis
* Updated action to meet guidelines
* quote the version strings
* correct typo in msvc.properties.json
* Update codeql.properties.json
* Update code-scanning/properties/codeql.properties.json
Co-authored-by: Arthur Baars <arthur@semmle.com>
* Update codeql.properties.json
* Update codeql.properties.json
* Update code-scanning/mobsf.yml
Co-authored-by: Nick Fyson <nickfyson@github.com>
* Update code-scanning/properties/mobsf.properties.json
Co-authored-by: Nick Fyson <nickfyson@github.com>
* Fixed typo in workflow that will cause every run to fail
* Update commit SHA
* r: use setup-r@1 and include r@4 for starter (#1169)
* r: use setup-r@1 and include r@4 for starter
Signed-off-by: Rui Chen <rui@chenrui.dev>
* use sha instead of tag for external action
Co-authored-by: Josh Gross <joshmgross@github.com>
Co-authored-by: Josh Gross <joshmgross@github.com>
* elixir: refresh dependencies (#1212)
- setup action got renamed into `setup-beam`
- update elixir and erlang versions
* Updated to main branch version.
Co-authored-by: Yoni Leitersdorf <y@indeni.com>
Co-authored-by: Ruud Senden <ruud.senden@microfocus.com>
Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com>
Co-authored-by: Manuel Boira Cuevas <manuel.boira@MacBook-Pro.local>
Co-authored-by: manuelbcd <manuel.boira@sysdig.com>
Co-authored-by: Nick Fyson <nickfyson@github.com>
Co-authored-by: Sarah Edwards <skedwards88@github.com>
Co-authored-by: Josh Gross <joshmgross@github.com>
Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com>
Co-authored-by: manuelbcd <manuelbcd@gmail.com>
Co-authored-by: Abir Majumdar <abirismyname@github.com>
Co-authored-by: Rui Chen <rui@chenrui.dev>
Co-authored-by: David Verdeguer <daverlo@github.com>
Co-authored-by: Daniel Winsor <danwin@microsoft.com>
Co-authored-by: David Verdeguer <47184891+Daverlo@users.noreply.github.com>
Co-authored-by: Arthur Baars <arthur@semmle.com>
Co-authored-by: Abir Majumdar <83433840+abirismyname@users.noreply.github.com>
Co-authored-by: Marco Gario <marcogario@github.com>
Co-authored-by: Andy McKay <andymckay@github.com>
* Added Cloudrail according to instructions and existing examples
* Adding Cloudrail according to documentation and examples
* Oops
* Add original Fortify on Demand workflow
* Update Fortify on Demand workflow
* Update Fortify on Demand supported languages
* Add 3rd-party GitHub Actions disclaimer
* Sysdig Secure Inline Scan with SARIF report to starter workflows
* Added some extra comments, GitHub Actions V2 and changed env vars
* Reviews from PR #1110
* Adding 'Dockerfile' to category list
* Update according to PR review comments
* File renames as requested in PR comments
* Revert "Azure Data Factory CI starter workflow (#1111)" (#1146)
This reverts commit 7f30309cce.
* use env variables for user-set values (#1117)
Co-authored-by: Josh Gross <joshmgross@github.com>
* Apply suggestions from nickfyson's code review
Co-authored-by: Nick Fyson <nickfyson@github.com>
* removing "deployment" templates from sync-ghes (#1127)
* Update code-scanning/properties/sysdig-scan.properties.json
Co-authored-by: Nick Fyson <nickfyson@github.com>
* Update code-scanning/properties/sysdig-scan.properties.json
Co-authored-by: Nick Fyson <nickfyson@github.com>
* Changed svg logo
* Rename sysdig.svg to sysdig-scan.svg
* Switched svg logo (again) for a better fit
* Rename fortify.json to fortify.properties.json
* Correct character-case of "c" in Cloudrail
* AWS template also used Docker
* trigger on push instead of release (#1157)
Co-authored-by: Josh Gross <joshmgross@github.com>
* Adding MobSF starter workflow
* Adhering to pull request guidelines
* python: update to use python 3.10
Signed-off-by: Rui Chen <rui@chenrui.dev>
* Added new templates for 3 clouds.
* Revert "Added new templates for 3 clouds."
This reverts commit c765d6316f.
* Add ruby and update workflow
* Add workflow for Microsoft C++ Code Analysis
* Updated action to meet guidelines
* quote the version strings
* correct typo in msvc.properties.json
* Update codeql.properties.json
* Update code-scanning/properties/codeql.properties.json
Co-authored-by: Arthur Baars <arthur@semmle.com>
* Update codeql.properties.json
* Update codeql.properties.json
* Update code-scanning/mobsf.yml
Co-authored-by: Nick Fyson <nickfyson@github.com>
* Update code-scanning/properties/mobsf.properties.json
Co-authored-by: Nick Fyson <nickfyson@github.com>
* Fixed typo in workflow that will cause every run to fail
* Update commit SHA
* r: use setup-r@1 and include r@4 for starter (#1169)
* r: use setup-r@1 and include r@4 for starter
Signed-off-by: Rui Chen <rui@chenrui.dev>
* use sha instead of tag for external action
Co-authored-by: Josh Gross <joshmgross@github.com>
Co-authored-by: Josh Gross <joshmgross@github.com>
* elixir: refresh dependencies (#1212)
- setup action got renamed into `setup-beam`
- update elixir and erlang versions
Co-authored-by: Yoni Leitersdorf <y@indeni.com>
Co-authored-by: Ruud Senden <ruud.senden@microfocus.com>
Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com>
Co-authored-by: Manuel Boira Cuevas <manuel.boira@MacBook-Pro.local>
Co-authored-by: manuelbcd <manuel.boira@sysdig.com>
Co-authored-by: Nick Fyson <nickfyson@github.com>
Co-authored-by: Sarah Edwards <skedwards88@github.com>
Co-authored-by: Josh Gross <joshmgross@github.com>
Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com>
Co-authored-by: manuelbcd <manuelbcd@gmail.com>
Co-authored-by: Abir Majumdar <abirismyname@github.com>
Co-authored-by: Rui Chen <rui@chenrui.dev>
Co-authored-by: David Verdeguer <daverlo@github.com>
Co-authored-by: Daniel Winsor <danwin@microsoft.com>
Co-authored-by: David Verdeguer <47184891+Daverlo@users.noreply.github.com>
Co-authored-by: Arthur Baars <arthur@semmle.com>
Co-authored-by: Abir Majumdar <83433840+abirismyname@users.noreply.github.com>
Co-authored-by: Marco Gario <marcogario@github.com>
Co-authored-by: Andy McKay <andymckay@github.com>
* Rename "azure.yml" to Node-specific name
* Add templates and properties for other languages
* Add workflow for .NET Core
* Add workflow and properties file for PHP
* Updates from PR review
* Fix EOF
* Use latest versions
* Renamed the file appropriately.
* Put the azure file back.
* Added azure back.
* Revert "Dummy azure templates for showcasing the CD Ordering Behavior (#1194)"
This reverts commit 9ce2a5b56f.
Co-authored-by: Jason Freeberg <jafreebe@microsoft.com>
* Rename "azure.yml" to Node-specific name
* Add templates and properties for other languages
* Add workflow for .NET Core
* Add workflow and properties file for PHP
* Updates from PR review
* Fix EOF
* Use latest versions
* Renamed the file appropriately.
* Put the azure file back.
* Added azure back.
Co-authored-by: Jason Freeberg <jafreebe@microsoft.com>
* Rename "azure.yml" to Node-specific name
* Add templates and properties for other languages
* Add workflow for .NET Core
* Add workflow and properties file for PHP
* Updates from PR review
* Fix EOF
* Use latest versions
* Renamed the file appropriately.
Co-authored-by: Jason Freeberg <jafreebe@microsoft.com>
* Added Cloudrail according to instructions and existing examples
* Adding Cloudrail according to documentation and examples
* Oops
* Add original Fortify on Demand workflow
* Update Fortify on Demand workflow
* Update Fortify on Demand supported languages
* Add 3rd-party GitHub Actions disclaimer
* Sysdig Secure Inline Scan with SARIF report to starter workflows
* Added some extra comments, GitHub Actions V2 and changed env vars
* Reviews from PR #1110
* Adding 'Dockerfile' to category list
* Update according to PR review comments
* File renames as requested in PR comments
* Revert "Azure Data Factory CI starter workflow (#1111)" (#1146)
This reverts commit 7f30309cce.
* use env variables for user-set values (#1117)
Co-authored-by: Josh Gross <joshmgross@github.com>
* Apply suggestions from nickfyson's code review
Co-authored-by: Nick Fyson <nickfyson@github.com>
* removing "deployment" templates from sync-ghes (#1127)
* Update code-scanning/properties/sysdig-scan.properties.json
Co-authored-by: Nick Fyson <nickfyson@github.com>
* Update code-scanning/properties/sysdig-scan.properties.json
Co-authored-by: Nick Fyson <nickfyson@github.com>
* Changed svg logo
* Rename sysdig.svg to sysdig-scan.svg
* Switched svg logo (again) for a better fit
* Rename fortify.json to fortify.properties.json
* Correct character-case of "c" in Cloudrail
* AWS template also used Docker
* trigger on push instead of release (#1157)
Co-authored-by: Josh Gross <joshmgross@github.com>
* Added new templates for 3 clouds.
* Revert "Added new templates for 3 clouds."
This reverts commit c765d6316f.
* Add workflow for Microsoft C++ Code Analysis
* Updated action to meet guidelines
* correct typo in msvc.properties.json
* Removed the dummy templates used in bug_bash.
Co-authored-by: Yoni Leitersdorf <y@indeni.com>
Co-authored-by: Ruud Senden <ruud.senden@microfocus.com>
Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com>
Co-authored-by: Manuel Boira Cuevas <manuel.boira@MacBook-Pro.local>
Co-authored-by: manuelbcd <manuel.boira@sysdig.com>
Co-authored-by: Nick Fyson <nickfyson@github.com>
Co-authored-by: Sarah Edwards <skedwards88@github.com>
Co-authored-by: Josh Gross <joshmgross@github.com>
Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com>
Co-authored-by: manuelbcd <manuelbcd@gmail.com>
Co-authored-by: Daniel Winsor <danwin@microsoft.com>
* Added Cloudrail according to instructions and existing examples
* Adding Cloudrail according to documentation and examples
* Oops
* Add original Fortify on Demand workflow
* Update Fortify on Demand workflow
* Update Fortify on Demand supported languages
* Add 3rd-party GitHub Actions disclaimer
* Sysdig Secure Inline Scan with SARIF report to starter workflows
* Added some extra comments, GitHub Actions V2 and changed env vars
* Reviews from PR #1110
* Adding 'Dockerfile' to category list
* Update according to PR review comments
* File renames as requested in PR comments
* Revert "Azure Data Factory CI starter workflow (#1111)" (#1146)
This reverts commit 7f30309cce.
* use env variables for user-set values (#1117)
Co-authored-by: Josh Gross <joshmgross@github.com>
* Apply suggestions from nickfyson's code review
Co-authored-by: Nick Fyson <nickfyson@github.com>
* removing "deployment" templates from sync-ghes (#1127)
* Update code-scanning/properties/sysdig-scan.properties.json
Co-authored-by: Nick Fyson <nickfyson@github.com>
* Update code-scanning/properties/sysdig-scan.properties.json
Co-authored-by: Nick Fyson <nickfyson@github.com>
* Changed svg logo
* Rename sysdig.svg to sysdig-scan.svg
* Switched svg logo (again) for a better fit
* Rename fortify.json to fortify.properties.json
* Correct character-case of "c" in Cloudrail
* AWS template also used Docker
* trigger on push instead of release (#1157)
Co-authored-by: Josh Gross <joshmgross@github.com>
* Added new templates for 3 clouds.
* Revert "Added new templates for 3 clouds."
This reverts commit c765d6316f.
* Add workflow for Microsoft C++ Code Analysis
* Updated action to meet guidelines
* correct typo in msvc.properties.json
Co-authored-by: Yoni Leitersdorf <y@indeni.com>
Co-authored-by: Ruud Senden <ruud.senden@microfocus.com>
Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com>
Co-authored-by: Manuel Boira Cuevas <manuel.boira@MacBook-Pro.local>
Co-authored-by: manuelbcd <manuel.boira@sysdig.com>
Co-authored-by: Nick Fyson <nickfyson@github.com>
Co-authored-by: Sarah Edwards <skedwards88@github.com>
Co-authored-by: Josh Gross <joshmgross@github.com>
Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com>
Co-authored-by: manuelbcd <manuelbcd@gmail.com>
Co-authored-by: Daniel Winsor <danwin@microsoft.com>
* Added Cloudrail according to instructions and existing examples
* Adding Cloudrail according to documentation and examples
* Oops
* Add original Fortify on Demand workflow
* Update Fortify on Demand workflow
* Update Fortify on Demand supported languages
* Add 3rd-party GitHub Actions disclaimer
* Sysdig Secure Inline Scan with SARIF report to starter workflows
* Added some extra comments, GitHub Actions V2 and changed env vars
* Reviews from PR #1110
* Adding 'Dockerfile' to category list
* Update according to PR review comments
* File renames as requested in PR comments
* Revert "Azure Data Factory CI starter workflow (#1111)" (#1146)
This reverts commit 7f30309cce.
* use env variables for user-set values (#1117)
Co-authored-by: Josh Gross <joshmgross@github.com>
* Apply suggestions from nickfyson's code review
Co-authored-by: Nick Fyson <nickfyson@github.com>
* removing "deployment" templates from sync-ghes (#1127)
* Update code-scanning/properties/sysdig-scan.properties.json
Co-authored-by: Nick Fyson <nickfyson@github.com>
* Update code-scanning/properties/sysdig-scan.properties.json
Co-authored-by: Nick Fyson <nickfyson@github.com>
* Changed svg logo
* Rename sysdig.svg to sysdig-scan.svg
* Switched svg logo (again) for a better fit
* Rename fortify.json to fortify.properties.json
Co-authored-by: Yoni Leitersdorf <y@indeni.com>
Co-authored-by: Ruud Senden <ruud.senden@microfocus.com>
Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com>
Co-authored-by: Manuel Boira Cuevas <manuel.boira@MacBook-Pro.local>
Co-authored-by: manuelbcd <manuel.boira@sysdig.com>
Co-authored-by: Nick Fyson <nickfyson@github.com>
Co-authored-by: Sarah Edwards <skedwards88@github.com>
Co-authored-by: Josh Gross <joshmgross@github.com>
Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com>
Co-authored-by: manuelbcd <manuelbcd@gmail.com>
- [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests").
- [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build").
- [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification.
- [ ] Should specify least privileged [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully.
**For _CI_ workflows, the workflow:**
@@ -37,10 +38,10 @@ It is not:
**For _Code Scanning_ workflows, the workflow:**
- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/ci).
- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/code-scanning).
- [ ] Should include a matching `code-scanning/properties/*.properties.json` file (for example, [`code-scanning/properties/codeql.properties.json`](https://github.com/actions/starter-workflows/blob/main/code-scanning/properties/codeql.properties.json)), with properties set as follows:
- [ ]`name`: Name of the Code Scanning integration.
- [ ]`organization`: Name of the organization producing the Code Scanning integration.
- [ ]`creator`: Name of the organization/user producing the Code Scanning integration.
- [ ]`description`: Short description of the Code Scanning integration.
- [ ]`categories`: Array of languages supported by the Code Scanning integration.
- [ ]`iconName`: Name of the SVG logo representing the Code Scanning integration. This SVG logo must be present in [the `icons` directory](https://github.com/actions/starter-workflows/tree/main/icons).
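Review bot: the two otherwise identical "Should be preserved under the `code-scanning` directory" lines differ only in their link target (`tree/main/ci` versus `tree/main/code-scanning`); only the line pointing at `tree/main/code-scanning` should remain, since the checklist item names that directory. In the same hunk, the nested property items (`- [ ]`name``, `- [ ]`organization`` and so on) have no space between the checkbox and the opening backtick, so they will not render as task-list items like the surrounding `- [ ] Should ...` lines; add a space after `]` on each of them.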
@@ -12,10 +12,11 @@ These are the workflow files for helping people get started with GitHub Actions.
### Directory structure
* [ci](ci): solutions for Continuous Integration workflows.
* [deployments](deployments): solutions for Deployment workflows.
* [automation](automation): solutions for automating workflows.
* [code-scanning](code-scanning): starter workflows for [Code Scanning](https://github.com/features/security)
* [ci](ci): solutions for Continuous Integration workflows
* [deployments](deployments): solutions for Deployment workflows
* [automation](automation): solutions for automating workflows
* [code-scanning](code-scanning): solutions for [Code Scanning](https://github.com/features/security)
* [pages](pages): solutions for Pages workflows
* [icons](icons): svg icons for the relevant template
Each workflow must be written in YAML and have a `.yml` extension. They also need a corresponding `.properties.json` file that contains extra metadata about the workflow (this is displayed in the GitHub.com UI).
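Review bot: in the rewritten directory list, the new `icons` entry writes the format as lowercase `svg`, while the rest of this file uses `SVG` (for example "Only SVG is supported at this time" under `iconName`); use "SVG icons" for consistency. The new entries also drop the trailing period that the old `ci`, `deployments` and `automation` entries carried, which matches the old `code-scanning` line, so that is fine as long as all six items stay period-free.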
@@ -28,7 +29,7 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`.
*`description`: the description shown in onboarding
*`iconName`: the icon name in the relevant folder, for example, `django` should have an icon `icons/django.svg`. Only SVG is supported at this time. Another option is to use [octicon](https://primer.style/octicons/). The format to use an octicon is `octicon <<icon name>>`. Example: `octicon person`
*`creator`: creator of the template shown in onboarding. All the workflow templates from an author will have the same `creator` field.
*`categories`: the categories that it will be shown under. Choose at least one category from the list [here](#categories). Further, choose the categories from the list of languages available [here](https://github.com/github/linguist/blob/master/lib/linguist/languages.yml). When a user views the available templates, those templates that match the same language will feature more prominently.
*`categories`: the categories that it will be shown under. Choose at least one category from the list [here](#categories). Further, choose the categories from the list of languages available [here](https://github.com/github/linguist/blob/master/lib/linguist/languages.yml) and the list of tech stacks available [here](https://github.com/github-starter-workflows/repo-analysis-partner/blob/main/tech_stacks.yml). When a user views the available templates, those templates that match the language and tech stacks will feature more prominently.
### Categories
* continuous-integration
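Review bot: the replacement `categories` bullet (the second of the pair) sends template authors to a `tech_stacks.yml` under `github-starter-workflows/repo-analysis-partner`; confirm that repository is readable by the external contributors this README addresses, otherwise the sentence should say where the list can be found. Also, if the bullets really read `*`description``, `*`iconName`` and so on with no space after the asterisk (rather than this being a rendering artifact), they will not render as a list; markdown needs `* ` before each item.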
@@ -40,6 +41,8 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`.
* monitoring
* Automation
* utilities
* Pages
* Hugo
### Variables
These variables can be placed in the starter workflow and will be substituted as detailed below:
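Review bot: the two added categories, `Pages` and `Hugo`, are capitalized while the neighbouring entries (`monitoring`, `utilities`) are lowercase, with `Automation` already inconsistent; since these strings are matched against the `categories` array in each `properties.json`, either normalize the casing in this list or state in the README whether the match is case-insensitive.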
@@ -47,3 +50,23 @@ These variables can be placed in the starter workflow and will be substituted as
*`$default-branch`: will substitute the branch from the repository, for example `main` and `master`
*`$protected-branches`: will substitute any protected branches from the repository
*`$cron-daily`: will substitute a valid but random time within the day
## How to test templates before publishing
### Disable template for public
The template author adds a `labels` array in the template's `properties.json` file with a label `preview`. This will hide the template from users, unless user uses query parameter `preview=true` in the URL.
Example `properties.json` file:
```json
{
"name":"Node.js",
"description":"Build and test a Node.js project with npm.",
For viewing the templates with `preview` label, provide query parameter `preview=true` to the `new workflow` page URL. Eg. `https://github.com/<owner>/<repo_name>/actions/new?preview=true`.
### Enable template for public
Remove the `labels` array from `properties.json` file to publish the template to public
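Review bot: the example `properties.json` in this hunk opens a ```json fence and shows only `name` and `description`, but the section is about the `labels` array; the example should include the line it documents, e.g. `"labels": ["preview"]`, and close the fence before the "For viewing the templates" paragraph. Two wording fixes as well: "unless user uses query parameter `preview=true`" reads better as "unless the user adds the query parameter `preview=true`", and the final sentence under "Enable template for public" lacks a full stop.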
# This starter workflow is for a CMake project running on multiple platforms. There is a different starter workflow if you just want a single platform.
# Set fail-fast to false to ensure that feedback is delivered for all matrix combinations. Consider changing this to true when your workflow is stable.
fail-fast:false
# Set up a matrix to run the following 3 configurations:
# 1. <Windows, Release, latest MSVC compiler toolchain on the default runner image, default generator>
# 2. <Linux, Release, latest GCC compiler toolchain on the default runner image, default generator>
# 3. <Linux, Release, latest Clang compiler toolchain on the default runner image, default generator>
#
# To add more build types (Release, Debug, RelWithDebInfo, etc.) customize the build_type list.
matrix:
os:[ubuntu-latest, windows-latest]
build_type:[Release]
c_compiler:[gcc, clang, cl]
include:
- os:windows-latest
c_compiler:cl
cpp_compiler:cl
- os:ubuntu-latest
c_compiler:gcc
cpp_compiler:g++
- os:ubuntu-latest
c_compiler:clang
cpp_compiler:clang++
exclude:
- os:windows-latest
c_compiler:gcc
- os:windows-latest
c_compiler:clang
- os:ubuntu-latest
c_compiler:cl
steps:
- uses:actions/checkout@v3
- name:Set reusable strings
# Turn repeated input strings (such as the build output directory) into step outputs. These step outputs can be used throughout the workflow file.
# Build your program with the given configuration. Note that --config is needed because the default Windows generator is a multi-config generator (Visual Studio generator).
# Execute tests defined by the CMake configuration. Note that --build-config is needed because the default Windows generator is a multi-config generator (Visual Studio generator).
# See https://cmake.org/cmake/help/latest/manual/ctest.1.html for more detail
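Review bot: the comment above the matrix promises "the following 3 configurations", but the matrix as written expands `os` x `c_compiler` to six combinations that the `exclude` block then trims back to three, with `cpp_compiler` attached only through `include`; a sentence in that comment saying so would save readers from wondering why `exclude` is needed. The `fail-fast: false` rationale in its comment is clear and worth keeping.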
# This starter workflow is for a CMake project running on a single platform. There is a different starter workflow if you need cross-platform coverage.
# This workflow will trigger Datadog Synthetic tests within your Datadog organisation
# For more information on running Synthetic tests within your GitHub workflows see: https://docs.datadoghq.com/synthetics/cicd_integrations/github_actions/
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# To get started:
# 1. Add your Datadog API (DD_API_KEY) and Application Key (DD_APP_KEY) as secrets to your GitHub repository. For more information, see: https://docs.datadoghq.com/account_management/api-app-keys/.
# 2. Start using the action within your workflow
name:Run Datadog Synthetic tests
on:
push:
branches:[$default-branch ]
pull_request:
branches:[$default-branch ]
jobs:
build:
runs-on:ubuntu-latest
steps:
- uses:actions/checkout@v2
# Run Synthetic tests within your GitHub workflow.
# For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci
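Review bot: this template pins `actions/checkout@v2` while the CMake template added in the same diff uses `@v3`; the new third-party templates should start on the current checkout major. Minor style point: both `branches:[$default-branch ]` lines carry a stray space before the closing bracket.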
# xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959)
device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'`
device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}' | sed -e "s/ Simulator$//"`
if [ $scheme = default ]; then scheme=$(cat default); fi
if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi
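Review bot: the changed `device=` line now strips the trailing " Simulator" from the matched name, which is the right fix for the destination string, but `grep -oE 'iPhone.*?[^\(]+'` uses `.*?` as if it were a non-greedy quantifier, which POSIX ERE does not have (it is treated as a plain greedy `.*`); the match still works only because `[^\(]+` stops at the opening paren, so the pattern should be written as `iPhone[^(]+` to say what it does. In the unchanged context line, `if [ $scheme = default ]` leaves `$scheme` unquoted, so an empty or space-containing scheme name breaks the test; quote it as `if [ "$scheme" = default ]`. The same two points apply to the identical hunk further down in this diff.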
# xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959)
device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'`
device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}' | sed -e "s/ Simulator$//"`
if [ $scheme = default ]; then scheme=$(cat default); fi
if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi
# This workflow will do a clean install of node dependencies, cache/restore them, build the source code and run tests across different versions of node
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-nodejs
name:Node.js CI
@@ -16,13 +16,13 @@ jobs:
strategy:
matrix:
node-version:[12.x, 14.x, 16.x]
node-version:[14.x, 16.x, 18.x]
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/
# This workflow will upload a Python Package using Twine when a release is created
# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# Github token of the repository (automatically created by Github)
GITHUB_TOKEN:${{ secrets.GITHUB_TOKEN }}# Needed to get PR information.
# File or directory to run bandit on
# path: # optional, default is .
# Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
# level: # optional, default is UNDEFINED
# Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
# confidence: # optional, default is UNDEFINED
# comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
# excluded_paths: # optional, default is DEFAULT
# comma-separated list of test IDs to skip
# skips: # optional, default is DEFAULT
# path to a .bandit file that supplies command line arguments
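Review bot: the `GITHUB_TOKEN` line says the token is "Needed to get PR information" but not which scope that needs; stating it (read access to pull requests) lets the workflow's `permissions` block be tightened to match rather than relying on the default token grant. Also the `excluded_paths` comments are inconsistent: the first lists the actual default set (`.svn,CVS,.bzr,.hg,.git,...`) while the next line says "default is DEFAULT"; say once that `DEFAULT` stands for that listed set.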
base_uri:https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx One
cx_client_id:${{ secrets.CX_CLIENT_ID }}# This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e
cx_client_secret:${{ secrets.CX_CLIENT_SECRET }}# This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e
cx_tenant:${{ secrets.CX_TENANT }}# This should be replaced by your tenant for Checkmarx One
# A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action
permissions:
contents:read
jobs:
# This workflow contains a single job called "build"
build:
# The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action
permissions:
contents:read# for actions/checkout to fetch code
issues:write# for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues
pull-requests:write# for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR
security-events:write# for github/codeql-action/upload-sarif to upload SARIF results
actions:read# only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
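Review bot: the job-level `permissions` block replaces the workflow-level `contents: read` for this job, so `issues: write` and `pull-requests: write` apply to every step in it, including the third-party action; the per-scope comments are good, and it would help to add that `security-events: write` and `actions: read` can be dropped when the `upload-sarif` step is removed. For `base_uri`, an inline literal that users are told to replace is easy to miss; consider reading it from a configuration variable or secret alongside `cx_tenant`, so that all per-customer values live in the same place.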
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality
# Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
# If this step fails, then you should remove it and run the build manually (see below)
- name:Autobuild
uses:github/codeql-action/autobuild@v1
uses:github/codeql-action/autobuild@v2
# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
# and modify them (or add more) to build your code if your project
# uses a compiled language
# If the Autobuild fails above, remove it and uncomment the following three lines.
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
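Review bot: the rewritten closing comment, "modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance", lost the "uses a compiled language" clause from the lines it replaces and is no longer a sentence; suggest "If the Autobuild fails above, remove it and uncomment the following three lines, then modify them (or add more) to build your code if your project uses a compiled language; see the EXAMPLE below for guidance." Since this hunk moves `autobuild` from `github/codeql-action/autobuild@v1` to `@v2`, make sure the `init` and `analyze` steps of the same workflow are on the same major so the action versions match.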