diff --git a/.github/workflows/backstage-catalog-helper.yml b/.github/workflows/backstage-catalog-helper.yml new file mode 100644 index 00000000..1a551f24 --- /dev/null +++ b/.github/workflows/backstage-catalog-helper.yml @@ -0,0 +1,38 @@ +name: Backstage Catalog Info Helper +on: + workflow_dispatch: + schedule: + - cron: "0 0 * * *" + +jobs: + update-catalog-info: + runs-on: ubuntu-latest + steps: + - name: Checkout Actions + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + with: + fetch-depth: 0 + - name: Run Backstage Catalog Info Helper + uses: cds-snc/backstage-catalog-info-helper-action@v0.3.1 + with: + github_app_id: ${{ secrets.SRE_BOT_RW_APP_ID }} + github_app_private_key: ${{ secrets.SRE_BOT_RW_PRIVATE_KEY }} + github_organization: cds-snc + - name: impersonate Read/Write GH App + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + id: generate_token + with: + app_id: ${{ secrets.SRE_BOT_RW_APP_ID }} + private_key: ${{ secrets.SRE_BOT_RW_PRIVATE_KEY }} + - name: Create pull request + uses: peter-evans/create-pull-request@6cd32fd93684475c31847837f87bb135d40a2b79 # v7.0.3 + with: + token: ${{ steps.generate_token.outputs.token}} + sign-commits: true + commit-message: 'Add catalog-info.yaml' + branch: 'backstage/catalog-info' + title: 'Add catalog-info.yaml' + body: 'Adding a basic catalog-info.yaml to start populating the backstage catalog with your components.' + labels: 'backstage' + add-paths: | + catalog-info.yaml \ No newline at end of file diff --git a/.github/workflows/export_github_data.yml b/.github/workflows/export_github_data.yml new file mode 100644 index 00000000..2cd11121 --- /dev/null +++ b/.github/workflows/export_github_data.yml @@ -0,0 +1,25 @@ +name: GitHub repository metadata exporter +on: + workflow_dispatch: + schedule: + - cron: "20 7 * * *" + +jobs: + export-data: + runs-on: ubuntu-latest + steps: + - name: Audit DNS requests + uses: cds-snc/dns-proxy-action@main + env: + DNS_PROXY_FORWARDTOSENTINEL: "true" + DNS_PROXY_LOGANALYTICSWORKSPACEID: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }} + DNS_PROXY_LOGANALYTICSSHAREDKEY: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }} + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - name: Export Data + uses: cds-snc/github-repository-metadata-exporter@main + with: + github-app-id: ${{ secrets.SRE_BOT_RO_APP_ID }} + github-app-installation-id: ${{ secrets.SRE_BOT_RO_INSTALLATION_ID }} + github-app-private-key: ${{ secrets.SRE_BOT_RO_PRIVATE_KEY }} + log-analytics-workspace-id: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }} + log-analytics-workspace-key: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }} diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml new file mode 100644 index 00000000..556ccb91 --- /dev/null +++ b/.github/workflows/ossf-scorecard.yml @@ -0,0 +1,47 @@ +name: Scorecards supply-chain security +on: + workflow_dispatch: + schedule: + # Weekly on Saturdays. + - cron: "30 1 * * 6" + push: + branches: + - main + +permissions: read-all + +jobs: + analysis: + name: Scorecards analysis + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + + steps: + - name: "Checkout code" + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@72803a12483ed6f4f7c34f804818169f50162e37 + with: + results_file: ossf-results.json + results_format: json + publish_results: false + + - name: "Add metadata" + run: | + full_repo="${{ github.repository }}" + OWNER=${full_repo%/*} + REPO=${full_repo#*/} + jq -c '. + {"metadata_owner": "'$OWNER'", "metadata_repo": "'$REPO'", "metadata_query": "ossf"}' ossf-results.json > ossf-results-modified.json + + - name: "Post results to Sentinel" + uses: cds-snc/sentinel-forward-data-action@main + with: + file_name: ossf-results-modified.json + log_type: GitHubMetadata_OSSF_Scorecard + log_analytics_workspace_id: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }} + log_analytics_workspace_key: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }} diff --git a/.github/workflows/s3-backup.yml b/.github/workflows/s3-backup.yml index 3b69d78a..d850d5e0 100644 --- a/.github/workflows/s3-backup.yml +++ b/.github/workflows/s3-backup.yml @@ -10,12 +10,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: fetch-depth: 0 # retrieve all history - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: aws-access-key-id: ${{ secrets.AWS_S3_BACKUP_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_S3_BACKUP_SECRET_ACCESS_KEY }} @@ -30,4 +30,10 @@ jobs: - name: Upload to S3 bucket run: | - aws s3 sync . s3://${{ secrets.AWS_S3_BACKUP_BUCKET }} --exclude='*' --include='${{ github.repository }}/*' \ No newline at end of file + aws s3 sync . s3://${{ secrets.AWS_S3_BACKUP_BUCKET }} --exclude='*' --include='${{ github.repository }}/*' + + - name: Notify Slack channel if this job failed + if: ${{ failure() }} + run: | + json='{"text":"S3 backup failed in !"}' + curl -X POST -H 'Content-type: application/json' --data "$json" ${{ secrets.SLACK_NOTIFY_WEBHOOK }}